Reverse Engineering Thread

Well, in this thread I will post my progresses in the Reverse Engineering/ Patching process of DOW... Stay tuned

@@Thud: I got the attach, thank you! By tomorrow or the day after we will have a view of the possible changes in W40KMod.dll

Great! I might even ask if it were possible to create a NoCD outta the v1.30 EXE as I hate using the damn CDs each time on startup. The slow whinning sound I can do without. If not, no biggie. Just hate companies that keep forcing the CD/DVD even long since the game was purchased.

The actual code in version 1.3 is this:

push esi
call sub_F207A1A
mov ebx, eax
test ebx, ebx
jz @@prerequisite_not_met_for_building

...

This translated into C code means:

temp=sub_F207A1A(current_object);
if(temp==NULL)
printf("Bla bla cannot...");
else
// Go on like normal!

If we dig deeper into sub_F207A1A, we find:

mov ecx, [esp+arg_0]
test ecx, ecx
jnz short loc_F207A26
xor eax, eax
jmp short locret_F207A2E

loc_F207A26:
push 78h
call EntityBlueprint::QInfo(uint)
locret_F207A2E:
retn 4

Again, if we translate the above code into C we obtain:

if(Current_Building!=NULL)
{
return EntityBlueprint::QInfo(0x78,this);
// Probably 0x78 --> Building code
}
else
return NULL;

This barely means that the sub_F207A1A, that I previously identified as the Cannot..., is just a member function for the building object that just acts as a simple wrapper to EntityBlueprint::QInfo that takes as a parameter the current object (this*) and the (supposed) building code, 0x78h.

A quick scan to the uses of the EntityBlueprint::QInfo(...) reveals that such a function might be what we are interested into....

Very interesting stuff... (Although my ASM isn't very good - C much better)

And I thought LUA was tough going! Jeez...

(should have stuck to AMOS, ah, happy days)

Flenser

Edited by Flenser, 20 June 2005 - 04:11 PM.

And I thought LUA was tough going! Jeez...

(should have stuck to AMOS, ah, happy days)

Flenser

<{POST_SNAPBACK}>

That's right! The days of Amiga are really unforgettable... I still play my Shadow Of The Beast

BTW: Anybody has an idea of the internal structure of the various objects? I mean, I suppose that everithing in the game is an object that inherits from a more general parent (standard C++ inheritance)... Any info about the fields and methods of the parent object???

Also, the code for the Blueprint::QInfo is the following. As everybody can see, it is really probable that prerequisite checking is done in this procedure, that is called by a dedicated method of each game object (building, unit...).

class Blueprint::BPInfo const * __thiscall Blueprint::QInfo(unsigned int)const
.text:051A1089
.text:051A1089 arg_0 = dword ptr 4
.text:051A1089
.text:051A1089 mov eax, [ecx+8]
.text:051A108C mov ecx, [ecx+0Ch]
.text:051A108F lea ecx, [eax+ecx*8]
.text:051A1092 jmp short loc_51A10A0
.text:051A1092
.text:051A1094 ; ---------------------------------------------------------------------------
.text:051A1094
.text:051A1094 loc_51A1094:
.text:051A1094 mov edx, [eax+4]
.text:051A1097 cmp edx, [esp+arg_0]
.text:051A109B jz short loc_51A10A9
.text:051A109B
.text:051A109D add eax, 8
.text:051A10A0
.text:051A10A0 loc_51A10A0:
.text:051A10A0 cmp eax, ecx
.text:051A10A2 jnz short loc_51A1094
.text:051A10A2
.text:051A10A4 xor eax, eax
.text:051A10A6
.text:051A10A6 locret_51A10A6:
.text:051A10A6 retn 4
.text:051A10A6
.text:051A10A9 ; ---------------------------------------------------------------------------
.text:051A10A9
.text:051A10A9 loc_51A10A9:
.text:051A10A9 mov eax, [eax]
.text:051A10AB jmp short locret_51A10A6
.text:051A10AB
class Blueprint::BPInfo const * __thiscall Blueprint::QInfo(unsigned int)const endp

@@Thudo: Pleez, send me also the SimEngine.dll from the 1.20 version, thanks.

Edited by Polaris, 20 June 2005 - 04:37 PM.

Can only send SimEngine.dll as the damn forums don't allow attachments that large.. Grrr.. I have to find another way to send War40kMod.dll to you. Does Hotmail accept .ace files and won't purge them? Hell.. I'd give ya Gmail if you want? Soooooooo much better than that Hotmail crap! Have 2.5gb quota now and is rising each day!!!

Edited by thudo, 20 June 2005 - 05:28 PM.

Ok, I got the SimEngine.dll file... And I can confirm that the class Blueprint::BPInfo const * __thiscall Blueprint::QInfo(unsigned int)const is completely unchanged from 1.20 to 1.30. :(

But maybe the caller is changed... Thudo, instead of RARing, try to ZIP and resend the W40KMod.dll... Maybe the stupid MSN/TrendMicro antivirus will not catch it

I ace'd it.. You want me to zip it again? hehe.. this is all over the place.. hehe..

TuD.

LOL Even the ace was caught as virus LOLOLOLOLOLOLOL

AgggrrhH! I resent it as a zip and the filename inside needed to be renamed to .dll. This is just nuts..

I am getting really bored! Pleez wait while I set up a safe place for you to send

Sent to your new address. Let me know and I'll send you a gmail account. Anyone else want one? I can give, oh..

50 ! !! ! of them out ! ! ! ! ! !



e.

Finally I got the file... This is a very interesting demonstration of TrendMicro antivirus smartness in detecting real virus

LOL

In the evening I'll post my new discoveries

Fast analysis of the W40KMod.dll from the 1.20 version reveal no difference in the code sections that I had previously identified as responsible for the incorrect AI behaviour.

This is disappointing, but I will get on till complete success.

Next step will be an advanced compare between disassembly listings of W40KMod.dll in its version 1.20 and 1.30 to spot interesting locations to investigate.

Thanks Polaris for your investigative reporting. Keep us informed as you go along your sleuth work.

Running the file compare on ~12 millions of assembler lines of code did not highlight anything interesting.

So, before I start tracing the whole DLL from the very entrypoint I have a small question. Is there the possibility of making the LUA interpreter verbose?

I mean, there is some switch that allows to have human readable output of the inner mechanics of the LUA interpreter? If so, by tracking the output messages from the prereq system we could attempt to track back to the actual code.

Running the file compare on ~12 millions of assembler lines of code did not highlight anything interesting.

So, before I start tracing the whole DLL from the very entrypoint I have a small question. Is there the possibility of making the LUA interpreter verbose?

I mean, there is some switch that allows to have human readable output of the inner mechanics of the LUA interpreter? If so, by tracking the output messages from the prereq system we could attempt to track back to the actual code.

<{POST_SNAPBACK}>

The prereq system output can be seen in part in my post in the main forum titled "Prereqs in v1.2". The main prereq output comes from the LUA function

prereq = CpuPrerequisites( cpu_manager.cpu_player, unit_stats:GetSquadName(), CpuPrerequisites.BT_Squad )

It may also work with building, addon and research names and types, but I have not tried that, just squads.

The data put in 'prereq' is userdata, which LUA cannot do anything with other than stick it on the stack, so if you know how to dump that output or access it from within the C code then you could track it.

Paragraph 3.8 of this LUA reference manual might help.

Flenser

Edited by Flenser, 22 June 2005 - 12:12 PM.

Flenser, could you please add the

cpu_manager.debug = true

code line to your previous code that lists prerequsites:

function BuildOrderStrategy:Prereq()

   local race = cpu_manager.cpu_player:GetPlayerRace()
   
   for unit_stats in cpu_manager.stats:GetUnitStats(race) do
       local prereq = CpuPrerequisites( cpu_manager.cpu_player, unit_stats:GetSquadName(), CpuPrerequisites.BT_Squad )
       aitrace("Prerequisites for "..unit_stats:GetSquadName() )
   
       for i in prereq:GetUnfulfilledPrerequisites() do
   
       aitrace("Type of data: "..type (i) )
       aitrace("Name: "..i.name )
       aitrace("Build Type: "..i.btype )
       aitrace("Prereq Fulfilled?: "..tostring( i.prereq_fulfilled ) )
   
       end
   
   end

end

and post here the results for anyone of the races?

Edited by Polaris, 22 June 2005 - 01:46 PM.