Variable options stored in active memory

Started by Daniel3D, November 08, 2021, 12:20:12 PM


Daniel3D

Is there a way to find out how, what and where Stunts stores temporary information?
I'm referring to the Global variables.
I can see they are set in some cases, like here at the end of seg000:
set_default_car proc far

    mov     gameconfig.game_playercarid, 43h ; 'C'
loc_146E9:
    mov     gameconfig.game_playercarid+1, 4Fh ; 'O'
loc_146EE:
    mov     gameconfig.game_playercarid+2, 55h ; 'U'
loc_146F3:
    mov     gameconfig.game_playercarid+3, 4Eh ; 'N'
loc_146F8:
    mov     gameconfig.game_playermaterial, 0
loc_146FD:
    mov     gameconfig.game_opponenttype, 0
loc_14702:
    mov     gameconfig.game_opponentmaterial, 0
loc_14707:
    mov     gameconfig.game_playertransmission, 1
loc_1470C:
    mov     gameconfig.game_opponentcarid, 0FFh
locret_14711:
    retf
set_default_car endp
seg000 ends


Curiously, the player car is set by the four letters of the car individually.
But the opponent car id is a single value. 0FFh. (255 in decimal, but it could mean something else)
Edison once said,
"I have not failed 10,000 times,
I've successfully found 10,000 ways that will not work."
---------
Currently running over 20 separate instances of Stunts
---------
Check out the STUNTS resources on my Mega (globe icon)

llm

#1
Quote from: Daniel3D on November 08, 2021, 12:20:12 PM
Is there a way to find out how, what and where Stunts stores temporary information?

your question is way too broad/vague - do you mean a strategy to find that stuff or a tool?
if i understand your "question" correctly - by reading the assembler code - there is no high-level way of understanding the code/data relations
in IDA Pro there is a references-to-variables feature but that won't help to get a good overview - assembler code is just too able to do
crude things - so there's nearly no standard way (the main reason for inventing C and its successors - assembler code is just too hard to read/follow)



Daniel3D

What I'm after is how the settings are stored like, graphics detail, selected track, car and opponent. And all the static information that is needed when you click let's drive.

I know that it is a broad question. I can't explain it better.

Daniel3D

Quote from: Daniel3D on November 08, 2021, 12:20:12 PM
Curiously, the player car is set by the four letters of the car individually.
But the opponent car id is a single value. 0FFh. (255 in decimal, but it could mean something else)
When selecting an opponent car all 4 ids are set just like for the player.
The first is set to 0FF when no opponent is set to the first car value. This is an empty character in ASCII.

So nothing special about it.

llm

Quote from: Daniel3D on November 08, 2021, 06:24:18 PM
What I'm after is how the settings are stored like, graphics detail, selected track, car and opponent. And all the static information that is needed when you click let's drive.

I know that it is a broad question. I can't explain it better.

you need to fully understand the code - there is no easy way - and reversed AND assembler makes that 10 times harder - because 1 line in C can be 10 lines or more in assembler

there is no easy way - except writing comments until the story is clear

that's why reversing is so damn hard - even for real developers

Daniel3D

I will never be a real developer. Just not possible.
But I can figure things out. Often by testing my idea against somebody. Often I'm close, sometimes I am right. It's not always useful but still.

Duplode

#6
Quote from: Daniel3D on November 08, 2021, 12:20:12 PM
Is there a way to find out how, what and where Stunts stores temporary information?

If you mean finding where some structure you know the layout is in live memory, a typical strategy is finding some sequence of bytes in the structure that you know for sure or can control, and which is unlikely to appear anywhere else, then use a debugger to search for it. For instance, these notes, which describe what I used to do to get lap traces for Cartography before repldump was created, should give you an idea of how it might be done.

Quote from: Daniel3D on November 08, 2021, 12:20:12 PM
But the opponent car id is a single value. 0FFh. (255 in decimal, but it could mean something else)

0FFh fairly often turns out to actually be -1, represented in memory in two's complement, and -1 is used fairly often as a special value to indicate something has not been set.

Edit: I had forgotten to mention that layouts for known structures are nicely laid out in structs.inc, or externs.h in the C code.
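The find-a-known-byte-sequence approach described above, as an added example (Python, not code from this thread or from the Stunts project): it scans a constructed memory dump for the four car-id letters that set_default_car writes, demands a unique hit, and decodes the fields that follow, reading 0FFh as the signed -1 "not set" sentinel. The field order and sizes are assumptions that simply follow the order of the stores shown in the first post, not the real layout from structs.inc.

```python
import struct
from typing import List, Optional

# Assumed layout: the fields in the order set_default_car stores them
# (hypothetical offsets; the real layout lives in structs.inc / externs.h).
GAMECONFIG_FMT = "<4sBBBBb"  # playercarid[4], playermaterial, opponenttype,
                             # opponentmaterial, playertransmission,
                             # opponentcarid read as a signed byte
GAMECONFIG_SIZE = struct.calcsize(GAMECONFIG_FMT)  # 9 bytes


def find_all(dump: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in dump."""
    hits, start = [], 0
    while (i := dump.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def parse_gameconfig(dump: bytes, off: int) -> dict:
    """Decode the assumed gameconfig fields starting at offset off."""
    carid, pmat, otype, omat, trans, ocar = struct.unpack_from(GAMECONFIG_FMT, dump, off)
    return {
        "playercarid": carid.decode("ascii", "replace"),
        "playermaterial": pmat,
        "opponenttype": otype,
        "opponentmaterial": omat,
        "playertransmission": trans,
        # 0FFh as a two's-complement byte is -1: the "no opponent set" sentinel
        "opponentcarid": ocar,
        "opponent_set": ocar != -1,
    }


def locate_gameconfig(dump: bytes, carid: bytes) -> Optional[dict]:
    """Search for the controllable car-id letters; only a unique hit is trusted."""
    hits = find_all(dump, carid)
    if len(hits) != 1:
        return None  # absent or ambiguous: pick a longer / rarer signature
    return parse_gameconfig(dump, hits[0])


# Constructed dump: padding, the struct as set_default_car leaves it, padding.
SAMPLE_DUMP = b"\x00" * 7 + b"COUN" + bytes([0, 0, 0, 1, 0xFF]) + b"\x90" * 5

if __name__ == "__main__":
    print(locate_gameconfig(SAMPLE_DUMP, b"COUN"))
```

If the same four letters also appear elsewhere in the dump (a filename, a menu string), the lookup refuses to guess, which is the point of choosing a sequence unlikely to appear anywhere else.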

llm

Quote from: Daniel3D on November 08, 2021, 08:11:54 PM
I will never be a real developer. Just not possible.
But I can figure things out. Often by testing my idea against somebody. Often I'm close, sometimes I am right. It's not always useful but still.

I'm cool with that, try to come up with some smaller direct questions and I will help where I can

Daniel3D

Quote from: llm on November 09, 2021, 07:10:58 AM
Quote from: Daniel3D on November 08, 2021, 08:11:54 PM
I will never be a real developer. Just not possible.
But I can figure things out. Often by testing my idea against somebody. Often I'm close, sometimes I am right. It's not always useful but still.

I'm cool with that, try to come up with some smaller direct questions and I will help where I can
Haha, I will try.

In the process of replacing the entire menu I first want to build a sort of side loader.
A program outside the stunts executable that can start driving with options set there and not in stunts.
But I have no idea if it is possible without touching the game itself.
Sort of a hijack program.
So I try to find out what the requirements are for such a thing.

llm

Quote from: Daniel3D on November 09, 2021, 08:05:02 AM
In the process of replacing the entire menu I first want to build a sort of side loader.
A program outside the stunts executable that can start driving with options set there and not in stunts.
But I have no idea if it is possible without touching the game itself.
Sort of a hijack program.
So I try to find out what the requirements are for such a thing.

so you want to change executable data before starting the game?

first problem: not all data is already in the correct state before starting - some routines will (maybe) change data, so it could be that your prepared data
just gets overwritten by some initialization process


Daniel3D

#10
I know. All car, player and opponent variables are set during startup. Also with the speedtest the record FPS is set but also graphic options like scenery off.

So that's why I chose the word hijack.

Maybe with loading a background program first that executes a script with a hotkey. Or even a console?

Daniel3D

It doesn't add anything to the game of course. But it might give insight we can use if we want to replace the menus.

llm

#12
Quote from: Daniel3D on November 09, 2021, 08:47:37 AM
I know. All car, player and opponent variables are set during startup. Also with the speedtest the record FPS is set but also graphic options like scenery off.

So that's why I chose the word hijack.

Maybe with loading a background program first that executes a script with a hotkey. Or even a console?

due to its DOS nature that needs to be a TSR (Terminate and stay resident) program - also not trivial to implement (https://github.com/uzimonkey/shot/blob/master/shot.asm)

my idea is to use Dosbox as a backend to implement new stuff - this way it can be done with normal Windows/Linux - C/C++ and allows full access to the game in every stage (something like my StuntsVM but better quality) - but i don't think that you're able to implement the base for that and I'm too limited in time

i would call that thing StuntsBox - a Dosbox-Fork that exists only for porting/extending Stunts more easily (could be based on the Bright-Eyes project: https://github.com/Henne/Bright-Eyes) - he extended Dosbox that way that you can intercept/overwrite function calls and memory changes etc. at every position in game
or this project: https://www.reddit.com/r/REGames/comments/qmqq3g/systematic_method_to_reverse_engineer_and_rewrite/)

but that is not compatible with pure DOS - but i would throw away that burden until it's pure C - then it can be compiled for DOS again

Daniel3D

Beautiful...
But indeed way beyond my league.
Quote from: llm on November 09, 2021, 10:50:00 AM
i would call that thing StuntsBox - a Dosbox-Fork that exists only for porting/extending Stunts more easily (could be based on the Bright-Eyes project: https://github.com/Henne/Bright-Eyes) - he extended Dosbox that way that you can intercept/overwrite function calls and memory changes etc. at every position in game
That sounds exactly like what I have in mind.

But although extremely interesting, it may be easier to rewrite (parts of) Deseg and seg000. I think that the whole menu is in those two.
Of course, first find non-symbolic offsets and the other things you mentioned.

Thanks for the info. I have a lot to read and ponder upon.

StuntsBox could be a good idea anyway, also for reverse engineering maybe?

llm

Quote from: Daniel3D on November 09, 2021, 11:28:32 AM
But although extremely interesting, it may be easier to rewrite (parts of) Deseg and seg000. I think that the whole menu is in those two.
Of course, first find non-symbolic offsets and the other things you mentioned.

it's not too extreme - building Dosbox Staging (with VS2019) from source takes you ~20min and hooking into exe starts etc. is easy because
if it's only the same executable the offsets never change etc.

Quote from: Daniel3D on November 09, 2021, 11:28:32 AM
StuntsBox could be a good idea anyway, also for reverse engineering maybe?

the best for 16Bit reverse engineering - hope to start that some time and do the port completely in this environment - means everyone can use their primary development system as usual