Weird Tome


mike3

Jan 29, 2004, 9:24:29 PM
Hi.

Yes, it's mike3.

I think I've SOLVED the weird tome mystery!

---

To do it, I used ADOM gamma 12 and GDB (GNU Debugger). The crack
proceeded as follows:

I started up GDB with "GDB adomg12.exe". Then, after using some EXE
looking to get the procedure name, I used "disassemble ReadBook". This
produced the following assembler dump:

Dump of assembler code for function ReadBook:
0xc96d8 <ReadBook>: push %ebp
0xc96d9 <ReadBook+1>: mov %esp,%ebp
0xc96db <ReadBook+3>: sub $0xc,%esp
0xc96de <ReadBook+6>: movl $0x0,0xfffffff8(%ebp)
0xc96e5 <ReadBook+13>: mov 0x8(%ebp),%edx
0xc96e8 <ReadBook+16>: mov (%edx),%eax
0xc96ea <ReadBook+18>: cmp $0x202,%eax
0xc96ef <ReadBook+23>: je 0xc98a4 <ReadBook+460>
0xc96f5 <ReadBook+29>: cmp $0x202,%eax
0xc96fa <ReadBook+34>: jg 0xc9718 <ReadBook+64>
0xc96fc <ReadBook+36>: cmp $0x58,%eax
0xc96ff <ReadBook+39>: je 0xc9a54 <ReadBook+892>
0xc9705 <ReadBook+45>: cmp $0x1c2,%eax
0xc970a <ReadBook+50>: je 0xc9968 <ReadBook+656>
0xc9710 <ReadBook+56>: jmp 0xc9a68 <ReadBook+912>
0xc9715 <ReadBook+61>: lea 0x0(%esi),%esi
0xc9718 <ReadBook+64>: cmp $0x289,%eax
0xc971d <ReadBook+69>: je 0xc9a54 <ReadBook+892>
0xc9723 <ReadBook+75>: cmp $0x29e,%eax
0xc9728 <ReadBook+80>: je 0xc9730 <ReadBook+88>
0xc972a <ReadBook+82>: jmp 0xc9a68 <ReadBook+912>
0xc972f <ReadBook+87>: nop
0xc9730 <ReadBook+88>: movl $0x0,0xfffffff8(%ebp)
0xc9737 <ReadBook+95>: push $0xc91a9
0xc973c <ReadBook+100>: call 0x1dd8 <Message>
0xc9741 <ReadBook+105>: add $0x4,%esp
0xc9744 <ReadBook+108>: call 0x22a0 <More>
0xc9749 <ReadBook+113>: push $0xc91ea
0xc974e <ReadBook+118>: call 0x1dd8 <Message>
0xc9753 <ReadBook+123>: add $0x4,%esp
0xc9756 <ReadBook+126>: call 0x22a0 <More>
0xc975b <ReadBook+131>: push $0x2
0xc975d <ReadBook+133>: call 0x1f430 <GetAttribute>
0xc9762 <ReadBook+138>: add $0x4,%esp
0xc9765 <ReadBook+141>: mov %eax,%eax
0xc9767 <ReadBook+143>: cmp $0x31,%eax
0xc976a <ReadBook+146>: jg 0xc9798 <ReadBook+192>
0xc976c <ReadBook+148>: push $0xc921b
0xc9771 <ReadBook+153>: call 0x2204 <You>
0xc9776 <ReadBook+158>: add $0x4,%esp
0xc9779 <ReadBook+161>: push $0xc925d
0xc977e <ReadBook+166>: call 0xc6bac <D>
0xc9783 <ReadBook+171>: add $0x4,%esp
0xc9786 <ReadBook+174>: mov %eax,%eax
0xc9788 <ReadBook+176>: push %eax
0xc9789 <ReadBook+177>: call 0x20b4c <ConfusePC>
0xc978e <ReadBook+182>: add $0x4,%esp


Notice the calls to "ConfusePC" and "GetAttribute". To see if this has
to do with the WT, I proceeded to use "call Message(0xc91a9)". This
gives "This book is filled with strange texts written in weird
letters.(gdb)". That means that this very first code of the ReadBook
gene has to do with the weird tome! And the way the calls are
positioned follows the EXACT SAME SEQUENCE as the weird tome. Later
on, I get to the following interesting point:

0xc9841 <ReadBook+361>: call 0x1dd8 <Message>
0xc9846 <ReadBook+366>: add $0x4,%esp
0xc9849 <ReadBook+369>: call 0x22a0 <More>
0xc984e <ReadBook+374>: push $0xc940f
0xc9853 <ReadBook+379>: call 0x2204 <You>
0xc9858 <ReadBook+384>: add $0x4,%esp
0xc985b <ReadBook+387>: jmp 0xc989c <ReadBook+452> <---
0xc985d <ReadBook+389>: lea 0x0(%esi),%esi
0xc9860 <ReadBook+392>: movl $0xc9424,0xfffffff4(%ebp)
0xc9867 <ReadBook+399>: push $0xc94bb
0xc986c <ReadBook+404>: call 0x2204 <You>
0xc9871 <ReadBook+409>: add $0x4,%esp
0xc9874 <ReadBook+412>: call 0x22a0 <More>
0xc9879 <ReadBook+417>: push $0xc94da
0xc987e <ReadBook+422>: call 0x1dd8 <Message>
0xc9883 <ReadBook+427>: add $0x4,%esp
0xc9886 <ReadBook+430>: call 0x22a0 <More>
0xc988b <ReadBook+435>: mov 0xfffffff4(%ebp),%eax
0xc988e <ReadBook+438>: push %eax
0xc988f <ReadBook+439>: push $0xc9512
0xc9894 <ReadBook+444>: call 0x2204 <You>
0xc9899 <ReadBook+449>: add $0x8,%esp
0xc989c <ReadBook+452>: jmp 0xc9a75 <ReadBook+925>
0xc98a1 <ReadBook+457>: lea 0x0(%esi),%esi

Now, if you see the "You, Message, You" sequence, you can see that it
follows clearly: "You = 'manage to decipher the secret', Message = 'It
describes a means to find the scroll of omnipotence', You = 'You have
to %s to find it.'". When using that "call Message (something)" test,
I confirmed this. Then I used a hex editor to transform that jmp
instruction into a nop (no operation) one, to allow the segregated-off
code to work. Then I ran the game with a WADOMF'd character and got
"You have to ABEF0AH<blah blah blah> to find it.". That means that
either a. the WT is a hoax, or b. it does do something but the code
for it just doesn't exist in ADOM g12 (that would explain the
jump-over). Now the message that is displayed is either gibberish in
case a, or an encrypted message in case b. Right now, I believe that
the WT is nothing, but I still wonder about later versions. Hacking
them will be more difficult. Cryptanalysis of the ciphered message
hasn't yielded any gold yet.
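The check behind the argument above, written out as an added example (this is not mike3's code and nothing from ADOM itself): it parses the second GDB fragment quoted in the post, does a linear-sweep reachability pass from the fragment's first instruction, and lists the instructions that nothing in the listing can reach. It also recomputes the encoding of the two-byte short jump at 0xc985b from the listing alone (next address minus own address gives the size, target minus next address gives the rel8 displacement), so that a hex edit replaces exactly the right bytes, and guards the NOP patch with a compare against the expected bytes. The listing text, the `jmp rel8` encoding rule and the eight-byte "file region" are the only inputs, all constructed from the post; the AT&T-syntax line format is assumed to be the one GDB prints. One caveat the script makes explicit: "dead" here means "not targeted by any instruction in the text given to it", so to confirm the block at ReadBook+392 is really unreachable you have to feed it the whole `disassemble ReadBook` output, not just the fragment, and repeat that for any later version's listing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the second GDB fragment quoted in the post, with the
# addresses and instructions exactly as printed there (no "<---" marker).
LISTING = """\
0xc9841 <ReadBook+361>: call 0x1dd8 <Message>
0xc9846 <ReadBook+366>: add $0x4,%esp
0xc9849 <ReadBook+369>: call 0x22a0 <More>
0xc984e <ReadBook+374>: push $0xc940f
0xc9853 <ReadBook+379>: call 0x2204 <You>
0xc9858 <ReadBook+384>: add $0x4,%esp
0xc985b <ReadBook+387>: jmp 0xc989c <ReadBook+452>
0xc985d <ReadBook+389>: lea 0x0(%esi),%esi
0xc9860 <ReadBook+392>: movl $0xc9424,0xfffffff4(%ebp)
0xc9867 <ReadBook+399>: push $0xc94bb
0xc986c <ReadBook+404>: call 0x2204 <You>
0xc9871 <ReadBook+409>: add $0x4,%esp
0xc9874 <ReadBook+412>: call 0x22a0 <More>
0xc9879 <ReadBook+417>: push $0xc94da
0xc987e <ReadBook+422>: call 0x1dd8 <Message>
0xc9883 <ReadBook+427>: add $0x4,%esp
0xc9886 <ReadBook+430>: call 0x22a0 <More>
0xc988b <ReadBook+435>: mov 0xfffffff4(%ebp),%eax
0xc988e <ReadBook+438>: push %eax
0xc988f <ReadBook+439>: push $0xc9512
0xc9894 <ReadBook+444>: call 0x2204 <You>
0xc9899 <ReadBook+449>: add $0x8,%esp
0xc989c <ReadBook+452>: jmp 0xc9a75 <ReadBook+925>
0xc98a1 <ReadBook+457>: lea 0x0(%esi),%esi
"""

# "0xADDR <sym+off>: mnemonic operands" as GDB prints it in AT&T syntax (assumed format)
LINE_RE = re.compile(r"^0x([0-9a-f]+)\s+<[^>]+>:\s+(\S+)\s*(.*)$")
TARGET_RE = re.compile(r"0x([0-9a-f]+)")


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str

    def is_branch(self) -> bool:
        # jmp and every jcc (je, jg, ...); calls come back, so they are not branches here
        return self.mnemonic.startswith("j")

    def target(self) -> Optional[int]:
        if not self.is_branch():
            return None
        m = TARGET_RE.search(self.operands)
        return int(m.group(1), 16) if m else None


def parse_listing(text: str) -> List[Insn]:
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m.group(1), 16), m.group(2), m.group(3)))
    return insns


def reachable(insns: List[Insn], entry: int) -> Set[int]:
    """Linear-sweep reachability from `entry`, using only the instructions in
    the listing. Fall-through stops at jmp and ret; a jcc both falls through and
    branches. Targets outside the listing are ignored, which is exactly why the
    full function dump is needed before calling anything dead."""
    by_addr = {i.addr: i for i in insns}
    order = [i.addr for i in insns]
    nxt = {order[k]: order[k + 1] for k in range(len(order) - 1)}
    seen: Set[int] = set()
    work = [entry]
    while work:
        a = work.pop()
        if a in seen or a not in by_addr:
            continue
        seen.add(a)
        insn = by_addr[a]
        t = insn.target()
        if t is not None:
            work.append(t)
        if insn.mnemonic not in ("jmp", "ret") and a in nxt:
            work.append(nxt[a])
    return seen


def dead_addresses(insns: List[Insn], entry: int) -> List[int]:
    live = reachable(insns, entry)
    return [i.addr for i in insns if i.addr not in live]


def short_jmp_bytes(insn_addr: int, next_addr: int, target: int) -> bytes:
    """Encode `jmp rel8` (opcode 0xEB). The listing gives the size as the gap
    to the next instruction; refuse anything that is not the 2-byte form."""
    size = next_addr - insn_addr
    if size != 2:
        raise ValueError(f"not a short jmp: {size} bytes")
    rel = target - next_addr
    if not -128 <= rel <= 127:
        raise ValueError("displacement does not fit rel8")
    return bytes([0xEB, rel & 0xFF])


def nop_out(code: bytearray, offset: int, expected: bytes) -> bytearray:
    """Replace the instruction at `offset` with NOPs (0x90), but only when the
    bytes there match `expected`, so a wrong offset cannot silently corrupt the file."""
    if bytes(code[offset:offset + len(expected)]) != expected:
        raise ValueError("bytes at offset do not match the expected instruction")
    code[offset:offset + len(expected)] = b"\x90" * len(expected)
    return code


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    dead = dead_addresses(insns, insns[0].addr)
    print("not reachable within this fragment:", ", ".join(hex(a) for a in dead))
    jmp = next(i for i in insns if i.addr == 0xC985B)
    enc = short_jmp_bytes(jmp.addr, 0xC985D, jmp.target())
    print("jmp at 0xc985b encodes as", enc.hex())
    # constructed stand-in for the file bytes around the jump: add $0x4,%esp / jmp / lea
    region = bytearray(b"\x83\xc4\x04" + enc + b"\x8d\x76\x00")
    print("after patch:", nop_out(region, 3, enc).hex())
```

On the fragment, everything from 0xc985d up to 0xc9899 plus the padding at 0xc98a1 comes back as unreachable, which is the observation the post makes by eye; the jump encodes as eb 3f, so the edit is two bytes, not one. Running it over the entire function (and the first fragment alone contains a `je` to ReadBook+460, just past this block) is what separates "no jump in these 24 lines lands there" from "the game can never get there".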

Vladimir Panteleev

Jan 30, 2004, 3:00:12 PM
On 29 Jan 2004 18:24:29 -0800, mike3 <mike...@yahoo.com> wrote:

> Hi.
>
> Yes, it's mike3.
>
> I think I've SOLVED the weird tome mystery!
>

> [snip]

I posted a similar article a while ago.
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&safe=off&threadm=MPG.1a21ffffb3e16b14989bd3%40news.cis.dfn.de&prev=/groups%3Fdq%3D%26num%3D50%26hl%3Den%26lr%3D%26ie%3DUTF-8%26group%3Drec.games.roguelike.adom%26safe%3Doff%26start%3D450

Check it out.

--
Knowledge belongs to the World.
That's why I'm here for.

http://wercorporation.da.ru/

Eurteoff

Jan 30, 2004, 10:02:15 PM
mike3 wrote:
> Hi.
>
> Yes, it's mike3.
>
> I think I've SOLVED the weird tome mystery!
>
<snippity do dah, snippity day>
hmmm... I wonder, has every race/class/sign/align/special thing been tested?
maybe if adombot could feed perfect die rolls to adom, and then do testing we
might figure it out...

as for solving the mystery? no, you haven't... you haven't until you can give
steps to read it, how to find the SoO, and the reading requirements, and the
effects...

oh, and i mean REAL steps:)

btw, you know the dude who signs the scroll in the HMV... has anyone ever
wished for him?

David Chapman

Jan 31, 2004, 4:49:35 AM
Eurteoff wrote:
> mike3 wrote
>>> Hi.
>>
>> Yes, it's mike3.
>>
>> I think I've SOLVED the weird tome mystery!
>>
> <snippity do dah, snippity day>
> hmmm... i wonder, has every race/class/sign/align/special thing been
> tested? maybe if adombot could feed perfect die rolls to adom, and
> then do testing we might figure it out...

Maybe you should research that.

--
Isn't the universe an amazing place? I wouldn't
live anywhere else.


Sam Blanning

Jan 31, 2004, 6:48:05 AM
Eurteoff wrote:
> mike3 wrote

>> I think I've SOLVED the weird tome mystery!
>>
> as for solving the mystery? no, you havent... you havent until you
> can give steps to read it, how to find the SoO, and the reading
> requirements, and the effects...
>
Yes, he has. He's discovered that it's a red herring, at least in current
versions. He has found the purpose of the Weird Tome - there is none.
Sometimes the mystery is that there is no mystery. Didn't you ever watch
Scooby-Doo?


Malte Helmert

Jan 31, 2004, 7:27:11 AM
Sam Blanning wrote:

Although g12 isn't exactly a current version, I support the red herring
theory for 1.1.1.

Malte

mike3

Feb 1, 2004, 1:52:36 AM
eurt...@aol.com (Eurteoff) wrote in message news:<20040130220215...@mb-m27.aol.com>...


Phiz. I took a look at the debug dump, and it was an unconditional
jump over the part that would give you the SoO. There is no way to
access it if it is an ALWAYS jump. Once you get to the part about
"hinting at some sort of powerful magic", the unconditional jump
always executes and thus it is impossible to view it.

I haven't hacked version 1.1.1 yet, but if that unconditional jump is
still there, then I will know for a FACT that the WT/SoO/RRI is a
whole load of garbage put in the ADOM program by TB to keep people
occupied. Then again, it might be a "stay tuned..." message hinting at
the sequel to ADOM, JADE.

mike3

Feb 1, 2004, 1:55:09 AM
"Sam Blanning" <sheilab...@btinternet.com> wrote in message news:<bvg4ll$qak$1...@titan.btinternet.com>...

But I was looking at an old version of ADOM. I'm not going to lay down
a final verdict until I crack ADOM 1.1.1 (the newest version).

Zaxx

Feb 1, 2004, 6:07:39 AM

Alhacrast... seeing that it's an anagram for Charlatas, I doubt it would
do anything.


mike3

Feb 1, 2004, 5:19:54 PM
"Zaxx" <olivier-benard_f***sp...@wanadoo.fr> wrote in message news:<bvimlm$3gb$1...@news-reader4.wanadoo.fr>...


And the "Lubaf" = "fabul" = "fable". "WT" = "Weird Tome" = "Scroll of
Omnipotence" = "Red Rooster Inn" = "Red Herring" = "HOAX! HOAX! HOAX!"

Jo

Feb 2, 2004, 3:41:38 PM

Anyway, I tried wishing for Alhacrast - nothing happens and no message
is given.

anxious triffid

Feb 2, 2004, 5:30:16 PM
no...@nowhere.com (Jo) wrote in
news:401eb5e8...@news.west.earthlink.net:

> On 1 Feb 2004 14:19:54 -0800, mike...@yahoo.com (mike3) wrote:
>
>>"Zaxx" <olivier-benard_f***sp...@wanadoo.fr> wrote in message
>>news:<bvimlm$3gb$1...@news-reader4.wanadoo.fr>...
>>> Eurteoff wrote:
>>> > mike3 wrote

>>> > btw, you know the dude who signs the scroll in the HMV... has
>>> > anyone ever wished for him?
>>>
>>> Alhacrast... seeing that it's an anagram for Charlatas, I doubt it
>>> would do anything.
>>
>>
>>And the "Lubaf" = "fabul" = "fable". "WT" = "Weird Tome" = "Scroll of
>>Omnipotence" = "Red Rooster Inn" = "Red Herring" = "HOAX! HOAX! HOAX!"
>
> Anyway, I tried wishing for Alhacrast - nothing happens and no message
> is given.
>

Same for Lubaf - "that is a stupid wish".

mike3

Feb 18, 2004, 3:11:09 AM
anxious triffid <anxiousINFEAROFSPAM@anxioustriffid@fserve.co.uk> wrote in message news:<Xns9483E4C52133Can...@195.92.193.157>...<snip>

> >>
> >>And the "Lubaf" = "fabul" = "fable". "WT" = "Weird Tome" = "Scroll of
> >>Omnipotence" = "Red Rooster Inn" = "Red Herring" = "HOAX! HOAX! HOAX!"
> >
> > Anyway, I tried wishing for Alhacrast - nothing happens and no message
> > is given.
> >
>
> Same for Lubaf - "that is a stupid wish".


Yup. You can't wish for something that just plain never even existed.

I'm thinking of trying out the IDA debugger/disassembler on ADOM 1.0.0
or up with a CRC-disabled version/hacked save file with 99 everything
and 100% for all skills, bard, etc. and see where the program stops
when you get to the "fail to decipher it" point and see if that same
unconditional jump I saw in the GDB disassembly of g12 is still there.
If so, then I'll have PROOF POSITIVE that the WT, RRI, SOO, etc. are a
load of crap put in by TB to tease the player.
