foone

foone, 11 months ago

sadly the wii balance board support classes in the engine are just leftovers from the engine's use in other games, and not proof that the developers of Wheel of Fortune (2010, Wii) were far ahead of their time in avant-garde gaming

foone, 11 months ago

except that one isn't used, because it's also in the "ROM bundle" and that one overrides it.

foone, 11 months ago

me "well at least I have a bunch of types from the debug files, so I can finally figure out the types of a bunch of these untyped globals! goodbye, undefined1 PrimDrawer::bPrimBuffer[6144], let's see what you really are!"

Dumped DWARF debugging info: "unsigned char PrimDrawer::bPrimBuffer[6144]"

WELL THAT DIDN'T HELP MUCH

foone, 11 months ago

or click a function and see what arguments it has been called with in traces

foone, 11 months ago

wait. the revolution SDK defines KPADStatus about how I'd expect but then it defines KPADUnifiedWpadStatus which is a union of various things. I wonder if my debugging info is eliding some weird union nonsense going on which explains why everything is so big

foone, 11 months ago

this is the worst thing about reverse engineering.
you pretty much never can assume "well something weird happened randomly"

foone, 11 months ago

man I'm used to weird padding in structures and strange gaps, but 14 kilobytes? Why?

foone, 11 months ago

the struct WiiControllerPack has, at offset 1480, an array of 4 KPADStatus structures.
Each of those is 250 bytes. So this array is over by byte 2440.
So where does the next member start? offset 16888.

foone, 11 months ago

no these all seem to be smaller

what the fuck

foone, 11 months ago

and this quickly gets really confusing because one of the first things the game loads is "[SHARED]\Localization\SharedLoc.loc.prd", which you'd think is in the SharedBundle, and it is!

foone, 11 months ago

that's 14,448 bytes of nothin'.

or maybe, given that it's left out of the debugging info, 3612 separate vtable pointers!

(this is a joke. it can't possibly be that)

foone, 11 months ago

but this same engine is used in a bunch of games, many of which presumably had non-english versions.

foone, 11 months ago

no, there is A Reason why the compiler did this, and you are going to have to find out what it was

foone, 11 months ago

although given my reverse engineering work, it's possible that I may one day reverse this wrong

foone, 11 months ago

there's no code in the game to load the memory location it loads the system bundle out of

foone, 11 months ago

which frankly is an underrated anti-reversing technique. Have multiple copies of important subfiles in separate datafiles and have complex precedence rules to determine which one gets loaded, then ignore all of them for another copy you embedded into the binary

foone, 11 months ago

they embedded it into the executable. That bundle's memory is loaded by the OS loader.

foone, 11 months ago

anyway I don't think they were intentionally trying to make this hard to reverse engineer (if they were, they failed so hard), but it does mean that technically to automatically know what resources will be loaded by the game, you have to solve the halting problem

foone, 11 months ago

well, ROM bundle just means that instead of a filename to mount, you give it a memory pointer + length.
And it parses the bundle out of RAM.

So... I guess it manually loads the bundle from somewhere else? NOPE!

foone, 11 months ago

since you can't just look at the bundle files on disc and interpret what data is in them, as the existence of ROM bundles mean you have to ask the question "will this executable ever call BundleManager::mountBundle(BundleManager*,uchar*,int)?" and that's not possible to automatically know. FORTUNATELY I'm doing this manually and the behavior is deterministic.

foone, 11 months ago

SURPRISE! It's a ROM Bundle!

Wait this is a game shipped on an optical disc, it doesn't have any ROMs?

foone, 11 months ago

anyway, this is only vaguely related, but there needs to be a tool that helps tie dynamic debugging with static debugging.

foone, 11 months ago

You wanna know the weirdest thing this game does with regards to loading bundles?

So, it tries to mount 4 bundles at startup:

The system resources bundle (filename unknown), "SharedAssets.bdg", "Wheel.bdg", and "Patch.bdg".

Now, the disc only contains SharedAssets.bdg, and Wheel.bdg. Patch.bdg is missing, but that's okay, apparently.

But the system resources bundle is vital to having the game boot up. It's not in any file visible in the filesystem. So where is it?

foone, 11 months ago

not that it matters in this case: Wheel of Fortune is a US-only game so the only language it exists in is English

foone, 11 months ago

like, use the dynamic debugging traces to do things like annotate functions with records of how often they get called from different sources