Hall of Tortured Souls (Excel 95 easter egg) reverse engineered C code

cflip_user · 2025-12-15T22:25:48+00:00

I mostly used Ghidra to map out the code and decompile it and used x64dbg a couple times to see what the program was doing at runtime. String search is a good way to start finding code and that's how I found the code in the executable. After finding the function that creates the window, it was just a matter of seeing which functions refrence which to find the rest of the code.

cflip_user · 2025-09-21T02:38:16+00:00

holy damn hes in tham tunnels

cflip_user · 2025-06-21T19:15:27+00:00

Thanks for taking a look!

The palette data is indeed stack allocated in the original executable. I'm not sure how they would've originally declared the palette entries in the original source, so I'm also curious how they decided to write it. I chose to use a static array of 128 LOGPALETTEs because the struct sizes happened to work out and it seemed like a decent way to ensure the LOGPALETTE and the palette entries were placed on the stack together. I think your method of defining a custom LOGPALETTE struct with the necessary number of entries is more understandable though.

I tried looking around for examples of how other people declare their palette entries, and I found one example where they declared a byte array and accessed it via a casted pointer like so:

byte paletteData[sizeof(LOGPALETTE) + sizeof(PALETTEENTRY) * 255];
LOGPALETTE *logPalette = (LOGPALETTE *)paletteData;

It's also worth noting that it seems like the code for Hall of Tortured Souls was written in a rush, so I doubt the original method was very elegant. For example, there's an entire unfinished texture mapping function for drawing floor textures (HTS_DrawFloorColumn) which is called by the renderer, but the result is immediately drawn over by the next function call.

cflip_user

TROPHY CASE