Menu.exe memory dump: F5 easter egg

Menu.exe from the Twilight DOS has provided some easter eggs such as menu options and DrUnK mode… but there’s still more. After creating a memory-dump of the Twilight executable, we found the following funny easter-egg… you can trigger that by hitting ALT+F5.

From the memory

“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()-=_+|[]{};’:”,./<>?  Search Again Use F2/F3 or Shift-F2/F3 to start a search first! Warning You pushed ALT-F5. Don’t do that again. Final Warning Hey, I warned you! Don’t push ALT-F5 again! Really Final Warning OK, one more time and you’re out! ALT-F5 overflow. I warned you… :-) [installed=%d] [err=%d] [%.2x, %.2x] @ù#[-$T#-]@ù     `ú ùù -ÄÄÄÄ~Äþ-   ~T|wilight ~I|nstaller ~V|2.44   ~-þÄ`ÄÄÄÄ—ù úú    @ù#[-$T#-]@ù  `[F1]~ Help   `[Enter]~ Select   `[/]~ Select Drive   `[Tab]~ Read Docs   `[Esc]~ Quit  /C /LOW /? Twilight Installer V2.44 (C) 1996 by Twilight Crew”

This is what happens

screenshot 2014 01 31 019

Hitting ALT-F5

screenshot 2014 01 31 020

Hitting ALT-F5 again…

screenshot 2014 01 31 021

And again…

screenshot 2014 01 31 022

And we’re finally rewarded for our actions:

screenshot 2014 01 31 023

 

Dosbox debug options explained

To dump the memory of DOS applications you can use Dosbox Debug (tutorial). When running as administrator (or a privileged account) you can debug applications using:

DEBUG MENU.EXE

screenshot 2014 01 31 005

Now the debugger window appears next to the application window. The application will run with F5. After running a binary memory dump can be made with MEMDUMPBIN 1000000. This will dump all Twilight’s menu messages (for all windows and menu options) in a textfile in the dosbox folder. The file is called memdump.bin and will open with a text editor.

For example:

screenshot 2014 01 31 011

Menu.exe contains many many many status messages, but most of them are functional and can be reached using the menu’s option.

Menu.exe was built with Borland C++ – Copyright 1991 Borland Intl. References to S3 Trio64, IBM and Compaq are also in the dump, most likely from the debugger itself.

Leave a Reply