;####################################################
;
; Analysis of the PINBALL!bdoor_controller function 
; from MS Windows Pinball.
;
; By Mr Speaker
; mrspeaker@gmail.com
; mrspeaker.net
;
; I've find-replaced these to take up less space:
;
;   PINBALL!pbctrl_bdoor_controller = back_door
;   PINBALL!edge_manager 	    = edge_man
;   PINBALL!sound_count 	    = sound
;
;####################################################

0100e1b0 mov  edi,edi                    ; 2-byte no-op: the MS hot-patch slot at function entry
0100e1b2 push ebp                        ; (a run-time patcher can overwrite it with a short jmp)
0100e1b3 mov  ebp,esp                    ; frame pointer; the single argument (key code) is at [ebp+8]
0100e1b5 mov  eax,[sound+0x4e4 (01023bbc)] ; eax = pointer held in the global at sound+0x4e4
0100e1ba push esi                        ; esi is callee-saved, so save it...
0100e1bb xor  esi,esi                    ; ...then use esi = 0 as a constant for the whole function
0100e1bd cmp  [eax+0x6],esi              ; early-out when the dword at +6 of that object is non-zero.
0100e1c0 jne  back_door+0x351 (0100e501) ; NOTE(review): the original guess was "already in cheat mode", but
                                         ; cheat_mode is a different global (01024ff8, written at 0100e4dc);
                                         ; what +6 holds is not visible in this listing - verify before relying on it

; Okay... we're into it now...
0100e1c6 mov  eax,[ebp+0x8]              ; eax = key code (the stdcall argument, see ret 0x4 at the end)
                                         ; The constants matched below are consistent with Windows
                                         ; virtual-key codes: VK_SPACE 0x20, VK_1 0x31, VK_A.. 0x41..,
                                         ; and VK_OEM_PERIOD 0xBE (see 0100e455).
0100e1c9 cmp  eax,0x4d                   ; Split the key space around "M" (0x4d)...

0100e1cc jnle back_door+0x1cf (0100e37f) ; key > "M"  -> N/O/Q/R/S/T/U/X/0xBE handled from 0100e37f
0100e1d2 je   back_door+0x19e (0100e34e) ; key == "M" -> counter checks at 0100e34e

0100e1d8 cmp  eax,0x44                   ; ...and again around "D" (0x44)
0100e1db jnle back_door+0x11c (0100e2cc) ; "D" < key < "M" -> E/G/H/I handled from 0100e2cc
0100e1e1 je   back_door+0xfd (0100e2ad)  ; key == "D"
0100e1e7 sub  eax,0x20                   ; From here the cases are tested by successive subtractions
0100e1ea je   back_door+0xe1 (0100e291)  ; eax = key-0x20: zero -> space (0x20)
0100e1f0 sub  eax,0x11                   ; eax = key-0x31 (0x20+0x11): zero -> "1" (0x31)
0100e1f3 je   back_door+0xcd (0100e27d)  ;   (the original comment said 0x10; the immediate is 0x11)
0100e1f9 sub  eax,0x10                   ; eax = key-0x41
0100e1fc jz   back_door+0x9c (0100e24c)  ; zero -> "A" (0x41)
0100e1fe dec  eax                        ; eax = key-0x42
0100e1ff jz   back_door+0x88 (0100e238)  ; zero -> "B" (0x42)
0100e201 dec  eax                        ; eax = key-0x43
0100e202 jne  back_door+0x302 (0100e4b2) ; not "C" (0x43) either -> reset counter and return; else fall into "C"

; The counter is what keeps track of how far into a "cheat" word you are.
; For example, for the first word that starts here, typing "c" sets the
; counter to 1. If the next key you press is "i", execution goes to
; line 0100e2df below, which compares the counter with 1. If it matches (which it does),
; it increments the counter to 2. So if you find where the counter is compared
; to the number 2, you can trace it back and find which character will make
; it get to that compare. In this case it's "n" - because it makes up the
; word "cinematronics." - These guys made the game, but this cheat does nothing (I think)

	
0100e208 mov  eax,[edge_man+0x14 (01025050)]             ; eax = counter ("C" pressed)
0100e20d cmp  eax,esi                                    ; counter == 0 ? (esi is 0)
0100e20f jnz  back_door+0x70 (0100e220)                  ;   no: check the mid-word "c" below
0100e211 mov  dword ptr [edge_man+0x14 (01025050)],0x1   ;   yes: "C" starts "cinematronics." -> counter = 1
0100e21b jmp  back_door+0x351 (0100e501)                 ;   return
                                                         ; else
0100e220 cmp  eax,0xb                                    ;   counter == 11 ? ("cinematroni" typed so far)
0100e223 jne  back_door+0x302 (0100e4b2)                 ;     no: reset counter to 0 and return
0100e229 mov  dword ptr [edge_man+0x14 (01025050)],0xc   ;     yes: counter = 12 (the second "c")
0100e233 jmp  back_door+0x351 (0100e501)                 ;   return
                                                         ; Unlike B/1/H/G/Q, "C" must also match mid-word
                                                         ; (counter 11), so it uses explicit compares instead of
                                                         ; the branchless counter ? 0 : N form.


; *******  Start of cheat - get here by key "B" *******
0100e238 mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("B" pressed)
0100e23d neg  eax                             ; CF = (counter != 0)
0100e23f sbb  eax,eax                         ; eax = counter ? -1 : 0
0100e241 and  eax,0xffffffaf                  ; eax = counter ? -0x51 : 0   (0xffffffaf == -81)
0100e244 add  eax,0x51                        ; eax = counter ? 0 : 81
                                              ; i.e. "B" starts a new word only from an idle counter;
                                              ; pressed mid-word it resets the counter to 0.
                                              ; 81 is the "bmax" state: M 81->82, A 82->83, X at 83 (0100e47e)
0100e247 jmp  back_door+0x34c (0100e4fc)      ; store eax as the counter and return


; More counter checking... 						
0100e24c mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("A" pressed)
0100e251 cmp  eax,0x5
0100e254 je   back_door+0x34b (0100e4fb)      ; counter++ if 5   ("cinemA...")
0100e25a cmp  eax,0x3e
0100e25d je   back_door+0x34b (0100e4fb)      ; counter++ if 62  ("1mA.")
0100e263 cmp  eax,0x52
0100e266 je   back_door+0x34b (0100e4fb)      ; counter++ if 82  ("bmA.")
0100e26c cmp  eax,0x66
0100e26f je   back_door+0x34b (0100e4fb)      ; counter++ if 102 ("gmA.")
0100e275 cmp  eax,0x7a                        ; last case: counter == 122 ? ("rmA.")
0100e278 jmp  back_door+0x349 (0100e4f9)      ; jmp leaves the flags alone, so the jnz at 0100e4f9
                                              ;   acts on this cmp:
                                              ;   yes: counter++ (falls into 0100e4fb)
                                              ;   no : counter = 0

; *******  Start of cheat - get here by key "1"  ******** "1MAX" : table_add_extra_ball
0100e27d mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("1" pressed)
0100e282 neg  eax                             ; CF = (counter != 0)
0100e284 sbb  eax,eax                         ; eax = counter ? -1 : 0
0100e286 and  eax,0xffffffc3                  ; eax = counter ? -0x3d : 0   (0xffffffc3 == -61)
0100e289 add  eax,0x3d                        ; eax = counter ? 0 : 61 -> "1max" starts only from idle
                                              ; M 61->62, A 62->63, X at 63 adds the extra ball (0100e463)
0100e28c jmp  back_door+0x34c (0100e4fc)      ; store counter and return


; more counter checking
0100e291 cmp  dword ptr [edge_man+0x14 (01025050)],0x1a  ; space pressed: counter == 26 ? ("hidden" complete)
0100e298 jne  back_door+0x302 (0100e4b2)                 ; no: reset counter and return
0100e29e mov  dword ptr [edge_man+0x14 (01025050)],0x1b  ; yes: counter = 27 ("hidden " - next expects T)
0100e2a8 jmp  back_door+0x351 (0100e501)                 ; return

0100e2ad cmp  dword ptr [edge_man+0x14 (01025050)],0x16  ; "D" pressed: counter == 22 ? (first d of "hiDden")
0100e2b4 je   back_door+0x24b (0100e3fb)                 ; counter++
0100e2ba cmp  dword ptr [edge_man+0x14 (01025050)],0x17  ; counter == 23 ? (second d of "hidDen")
0100e2c1 je   back_door+0x24b (0100e3fb)                 ; counter++
0100e2c7 jmp  back_door+0x302 (0100e4b2)                 ; otherwise reset counter and return


; More key checking
0100e2cc sub  eax,0x45                   ; "D" < key < "M" here; eax = key-0x45
0100e2cf jz   back_door+0x176 (0100e326) ; zero -> "E" (0x45)
0100e2d1 dec  eax                        ; (no case for "F")
0100e2d2 dec  eax                        ; eax = key-0x47
0100e2d3 jz   back_door+0x162 (0100e312) ; zero -> "G" (0x47)
0100e2d5 dec  eax                        ; eax = key-0x48
0100e2d6 jz   back_door+0x14e (0100e2fe) ; zero -> "H" (0x48)
0100e2d8 dec  eax                        ; eax = key-0x49
0100e2d9 jne  back_door+0x302 (0100e4b2) ; not "I" (0x49) -> reset counter and return; else fall into "I"


; More counter checking
0100e2df mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("I" pressed)
0100e2e4 cmp  eax,0x1
0100e2e7 je   back_door+0x34b (0100e4fb)      ; counter++ if 1  ("cI...")
0100e2ed cmp  eax,0xa
0100e2f0 je   back_door+0x34b (0100e4fb)      ; counter++ if 10 ("cinematronI..")
0100e2f6 cmp  eax,0x15                        ; last case: counter == 21 ? ("hI...")
0100e2f9 jmp  back_door+0x349 (0100e4f9)      ; flags survive the jmp; the jnz at 0100e4f9 decides:
                                              ;   yes: counter++
                                              ;   no : counter = 0


; ******* Start of cheat - get here by key "H" ******* : "HIDDEN TEST" : cheat_mode = 1
0100e2fe mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("H" pressed)
0100e303 neg  eax                             ; CF = (counter != 0)
0100e305 sbb  eax,eax                         ; eax = counter ? -1 : 0
0100e307 and  eax,0xffffffeb                  ; eax = counter ? -0x15 : 0   (0xffffffeb == -21)
0100e30a add  eax,0x15                        ; eax = counter ? 0 : 21 -> "hidden test" starts only from idle
                                              ; I 21->22, D 22->23, D 23->24, E 24->25, N 25->26, space 26->27,
                                              ; T 27->28, E 28->29, S 29->30, T at 30 sets cheat_mode (0100e4cf)
0100e30d jmp  back_door+0x34c (0100e4fc)      ; store counter and return


; ******* Start of cheat - get here by key "G" ******* - start of "GMAX" : GravityWellKickoutControl
0100e312 mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("G" pressed)
0100e317 neg  eax                             ; CF = (counter != 0)
0100e319 sbb  eax,eax                         ; eax = counter ? -1 : 0
0100e31b and  eax,0xffffff9b                  ; eax = counter ? -0x65 : 0   (0xffffff9b == -101)
0100e31e add  eax,0x65                        ; eax = counter ? 0 : 101 -> "gmax" starts only from idle
                                              ; M 101->102, A 102->103, X at 103 calls GravityWellKickoutControl (0100e48d)
0100e321 jmp  back_door+0x34c (0100e4fc)      ; store counter and return

; More counter checking
0100e326 mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("E" pressed)
0100e32b cmp  eax,0x3
0100e32e je   back_door+0x34b (0100e4fb)      ; counter++ if 3  ("cinE...")
0100e334 cmp  eax,0x18
0100e337 je   back_door+0x34b (0100e4fb)      ; counter++ if 24 ("hiddE.")
0100e33d cmp  eax,0x1c
0100e340 je   back_door+0x34b (0100e4fb)      ; counter++ if 28 ("hidden tE..")
0100e346 cmp  eax,0x2c                        ; last case: counter == 44 ? ("quotE.")
0100e349 jmp  back_door+0x349 (0100e4f9)      ; flags survive the jmp; the jnz at 0100e4f9 decides:
                                              ;   yes: counter++
                                              ;   no : counter = 0

; Still more counter checking
0100e34e mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("M" pressed)
0100e353 cmp  eax,0x4
0100e356 je   back_door+0x34b (0100e4fb)      ; counter++ if 4   ("cineM...")
0100e35c cmp  eax,0x3d
0100e35f je   back_door+0x34b (0100e4fb)      ; counter++ if 61  ("1M..")
0100e365 cmp  eax,0x51
0100e368 je   back_door+0x34b (0100e4fb)      ; counter++ if 81  ("bM..")
0100e36e cmp  eax,0x65
0100e371 je   back_door+0x34b (0100e4fb)      ; counter++ if 101 ("gM..")
0100e377 cmp  eax,0x79                        ; last case: counter == 121 ? ("rM..")
0100e37a jmp  back_door+0x349 (0100e4f9)      ; flags survive the jmp; the jnz at 0100e4f9 decides:
                                              ;   yes: counter++
                                              ;   no : counter = 0

; More key checking...
0100e37f cmp  eax,0x53                   ; key > "M" here; split again around "S" (0x53)
0100e382 jnle back_door+0x294 (0100e444) ; key > "S"  -> T/U/X/0xBE handled from 0100e444
0100e388 je   back_door+0x275 (0100e425) ; key == "S"
0100e38e sub  eax,0x4e                   ; eax = key-0x4e
0100e391 jz   back_door+0x256 (0100e406) ; zero -> "N" (0x4e)
0100e393 dec  eax                        ; eax = key-0x4f
0100e394 jz   back_door+0x235 (0100e3e5) ; zero -> "O" (0x4f)
0100e396 dec  eax                        ; (no case for "P")
0100e397 dec  eax                        ; eax = key-0x51
0100e398 jz   back_door+0x221 (0100e3d1) ; zero -> "Q" (0x51)
0100e39a dec  eax                        ; eax = key-0x52
0100e39b jne  back_door+0x302 (0100e4b2) ; not "R" (0x52) -> reset counter and return; else fall into "R"


; ******* Start of cheat - get here by key "R" ******* "rmax" = bump rank
0100e3a1 mov  eax,[edge_man+0x14 (01025050)]             ; eax = counter ("R" pressed)
0100e3a6 cmp  eax,esi                                    ; counter == 0 ? (esi is 0)
0100e3a8 jnz  back_door+0x209 (0100e3b9)                 ;   no: check the mid-word "r" below
0100e3aa mov  dword ptr [edge_man+0x14 (01025050)],0x79  ;   yes: "R" starts "rmax" -> counter = 121
0100e3b4 jmp  back_door+0x351 (0100e501)                 ;   return (M 121->122, A 122->123, X at 123 bumps rank)
                                                         ; else
0100e3b9 cmp  eax,0x7                                    ;   counter == 7 ? ("cinematR...")
0100e3bc jne  back_door+0x302 (0100e4b2)                 ;     no: reset counter and return
0100e3c2 mov  dword ptr [edge_man+0x14 (01025050)],0x8   ;     yes: counter = 8
0100e3cc jmp  back_door+0x351 (0100e501)                 ;   return
                                                         ; Like "C", "R" needs a mid-word match too, so it
                                                         ; can't use the branchless counter ? 0 : N form.


; ******* Start of cheat - get here by key "Q" ******* "QUOTES" - does nothing
0100e3d1 mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("Q" pressed)
0100e3d6 neg  eax                             ; CF = (counter != 0)
0100e3d8 sbb  eax,eax                         ; eax = counter ? -1 : 0
0100e3da and  eax,0xffffffd7                  ; eax = counter ? -0x29 : 0   (0xffffffd7 == -41)
0100e3dd add  eax,0x29                        ; eax = counter ? 0 : 41 -> "quotes" starts only from idle
                                              ; U 41->42, O 42->43, T 43->44, E 44->45, S 45->46; nothing
                                              ; ever tests 46, so the finished word has no effect.
0100e3e0 jmp  back_door+0x34c (0100e4fc)      ; store counter and return


; more counter checking
0100e3e5 cmp  dword ptr [edge_man+0x14 (01025050)],0x8   ; "O" pressed: counter == 8 ? ("cinematrO...")
0100e3ec jz   back_door+0x24b (0100e3fb)                 ; counter++
0100e3ee cmp  dword ptr [edge_man+0x14 (01025050)],0x2a  ; counter == 42 ? ("quO...")
0100e3f5 jne  back_door+0x302 (0100e4b2)                 ; no: reset counter and return; yes: fall through

; Shared increment tail (also the target of the "D" matches at 0100e2b4/0100e2c1):
; bump the counter in memory and return.
0100e3fb inc  dword ptr [edge_man+0x14 (01025050)]       ; counter++
0100e401 jmp  back_door+0x351 (0100e501)                 ; return


; And more counter checking
0100e406 mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("N" pressed)
0100e40b cmp  eax,0x2
0100e40e je   back_door+0x34b (0100e4fb)      ; counter++ if 2  ("ciN...")
0100e414 cmp  eax,0x9
0100e417 je   back_door+0x34b (0100e4fb)      ; counter++ if 9  ("cinematroN..")
0100e41d cmp  eax,0x19                        ; last case: counter == 25 ? ("hiddeN")
0100e420 jmp  back_door+0x349 (0100e4f9)      ; flags survive the jmp; the jnz at 0100e4f9 decides:
                                              ;   yes: counter++
                                              ;   no : counter = 0

; And more counter checking
0100e425 mov  eax,[edge_man+0x14 (01025050)]  ; eax = counter ("S" pressed)
0100e42a cmp  eax,0xc
0100e42d je   back_door+0x34b (0100e4fb)      ; counter++ if 12 ("cinematronicS")
0100e433 cmp  eax,0x1d
0100e436 je   back_door+0x34b (0100e4fb)      ; counter++ if 29 ("hidden teS.")
0100e43c cmp  eax,0x2d                        ; last case: counter == 45 ? ("quoteS")
0100e43f jmp  back_door+0x349 (0100e4f9)      ; flags survive the jmp; the jnz at 0100e4f9 decides:
                                              ;   yes: counter++
                                              ;   no : counter = 0

; More character checking
0100e444 sub  eax,0x54                   ; key > "S" here; eax = key-0x54
0100e447 je   back_door+0x31f (0100e4cf) ; zero -> "T" (0x54)
0100e44d dec  eax                        ; eax = key-0x55
0100e44e jz   back_door+0x30a (0100e4ba) ; zero -> "U" (0x55)
0100e450 sub  eax,0x3                    ; eax = key-0x58
0100e453 jz   back_door+0x2b3 (0100e463) ; zero -> "X" (0x58)
0100e455 sub  eax,0x66                   ; eax = key-0xbe
0100e458 jnz  back_door+0x302 (0100e4b2) ; not 0xBE -> reset and return. 0xBE is VK_OEM_PERIOD, the "." key
0100e45a cmp  dword ptr [edge_man+0x14 (01025050)],0xd ; counter == 13 ("cinematronics" complete)? - but the
0100e461 jmp  back_door+0x302 (0100e4b2) ; next instruction is an unconditional jmp to the reset, so the
                                         ; flags are never consumed: "." always just zeroes the counter.
; NOTE: This looks weird - it seems like it WAS a cheat ("CINEMATRONICS."), but now the
;       cmp result is never checked: once you type it in, it just ends up resetting the
;       counter to 0. Poo.

; More counter checking, but nearly at free ball!
0100e463 mov  eax,[edge_man+0x14 (01025050)]          ; eax = counter ("X" pressed)
0100e468 cmp  eax,0x3f
0100e46b jnz  back_door+0x2ce (0100e47e)              ; counter != 63 ("1max" not complete) -> try the other X cases
0100e46d fld  dword ptr [PINBALL!_real (01002374)]    ; load the float constant at _real onto the x87 stack...
0100e473 push ecx                                     ; ...reserve a 4-byte argument slot (ecx's value is irrelevant)...
0100e474 fstp dword ptr [esp]                         ; ...and store the float into that slot
0100e477 call PINBALL!table_add_extra_ball (0100c2f3) ; table_add_extra_ball(<float>). No esp fixup follows the call,
                                                      ; so the callee appears to pop its own argument (stdcall-style)
0100e47c jmp  back_door+0x2f6 (0100e4a6)              ; common tail at 0100e4a6: flag store, reset counter, return


0100e47e cmp  eax,0x53
0100e481 jnz  back_door+0x2dd (0100e48d)      ; counter != 83 ("bmax" not complete) -> next case
0100e483 xor  eax,eax                         ; eax = 1 (xor+inc is the compiler's short form of mov eax,1)
0100e485 inc  eax
0100e486 mov  [edge_man+0x8 (01025044)],eax   ; edge_man+8 = 1: this is the "bmax" effect.
                                              ; NOTE(review): what that flag enables is not visible in this listing - verify
0100e48b jmp  back_door+0x331 (0100e4e1)      ; then also store 1 to [[edge_man+4]+0x3e] and reset (shared with "hidden test")


0100e48d cmp  eax,0x67
0100e490 jnz  back_door+0xc (0100e49c)        ; counter != 103 ("gmax" not complete) -> next case
                                              ;   (listing typo: 0100e49c-0100e1b0 is +0x2ec, not +0xc; the address is right)
0100e492 push esi                             ; pushed first -> with the usual right-to-left order this is arg 2 = 0
0100e493 push 0x40                            ; arg 1 = 0x40
0100e495 call PINBALL!GravityWellKickoutControl (0100dd7a) ; GravityWellKickoutControl(0x40, 0); no esp fixup, callee cleans
0100e49a jmp  back_door+0x2f6 (0100e4a6)      ; common tail at 0100e4a6: flag store, reset counter, return

0100e49c cmp  eax,0x7b
0100e49f jnz  back_door+0x302 (0100e4b2)      ; counter != 123 ("rmax" not complete) -> reset and return
0100e4a1 call PINBALL!cheat_bump_rank (0100e111) ; cheat_bump_rank() - nothing is pushed for it

0100e4a6 mov  eax,[edge_man+0x4 (01025040)]   ; Common tail for 1max/gmax/rmax:
0100e4ab mov  dword ptr [eax+0x3e],0x1        ;   [[edge_man+4]+0x3e] = 1.
                                              ;   NOTE(review): presumably a "cheat was used" style flag, since every
                                              ;   successful cheat ends up storing it - not provable from this listing

0100e4b2 mov  [edge_man+0x14 (01025050)],esi  ; counter = 0 (esi is 0). Every "wrong key" path jumps here.
0100e4b8 jmp  back_door+0x351 (0100e501)      ; return

; More counter checking
0100e4ba cmp  dword ptr [edge_man+0x14 (01025050)],0x29  ; "U" pressed: counter == 41 ? ("qU...")
0100e4c1 jnz  back_door+0x302 (0100e4b2)                 ; no: reset counter and return
0100e4c3 mov  dword ptr [edge_man+0x14 (01025050)],0x2a  ; yes: counter = 42
0100e4cd jmp  back_door+0x351 (0100e501)                 ; return

; Alright... nearly at cheat mode bit...
0100e4cf mov  eax,[edge_man+0x14 (01025050)]      ; eax = counter ("T" pressed)
0100e4d4 cmp  eax,0x1e
0100e4d7 jnz  back_door+0x33c (0100e4ec)          ; counter != 30 ("hidden tes" not complete) -> other T cases
                                                  ; else: "hidden test" typed in full
0100e4d9 xor  eax,eax                             ; eax = 1 (xor+inc form of mov eax,1)
0100e4db inc  eax
0100e4dc mov  [PINBALL!cheat_mode (01024ff8)],eax ; cheat_mode = 1
0100e4e1 mov  ecx,[edge_man+0x4 (01025040)]       ; (also reached from the "bmax" path at 0100e48b, with eax = 1)
0100e4e7 mov  [ecx+0x3e],eax                      ; [[edge_man+4]+0x3e] = 1, the same store as the 0100e4a6 tail
0100e4ea jmp  back_door+0x302 (0100e4b2)          ; reset counter and return

; More counter checking
0100e4ec cmp  eax,0x1b
0100e4ef jz   back_door+0x34b (0100e4fb)      ; counter++ if 27 ("hidden T...")
0100e4f1 cmp  eax,0x6
0100e4f4 jz   back_door+0x34b (0100e4fb)      ; counter++ if 6  ("cinemaT...")
0100e4f6 cmp  eax,0x2b                        ; last case: counter == 43 ? ("quoT..")
0100e4f9 jnz  back_door+0x302 (0100e4b2)      ; Shared tail: the "cmp; jmp 0100e4f9" sites (0100e278, 0100e2f9,
                                              ; 0100e349, 0100e37a, 0100e420, 0100e43f) land here carrying their
                                              ; own flags. ZF clear -> reset counter and return; else fall through.

; Increment counter and get out...
0100e4fb inc  eax                             ; counter++ (eax holds the counter on every path that lands here)
0100e4fc mov  [edge_man+0x14 (01025050)],eax  ; store it; the neg/sbb cheat starters jump straight here with eax preset

; There we go... end of the function...
0100e501 pop  esi                             ; restore callee-saved esi
0100e502 pop  ebp
0100e503 ret  0x4                             ; callee pops its one dword argument (the key code), i.e. stdcall-style
