Damage Inc. & Prime Target Reversing

Have a question, suggestion, or comment about Aleph One's features and functionality (Lua, MML, the engine itself, etc)? Post such topics here.

Damage Inc. & Prime Target Reversing

Post Apr 19th '14, 03:47

damage2.png

Damage.png

damage3.png


I've been working on this very infrequently for the past few months. Today I started going through the original M2 source release and matching up C generated by Hexrays with the C from the release. I doubt this will ever be of any use. Even once all of the structures are defined the final product will still look pretty filthy, and nobody likes Damage anyway. I haven't even played past the first level. But I think it will be interesting for the people who want to see the differences between Damage and M2's engines.

https://www.dropbox.com/s/d1br2rr5jq90muf/damage.idb

There's my IDA db.
Last edited by Asylum on Jul 3rd '14, 00:23, edited 1 time in total.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Apr 19th '14, 09:09

Damage was one of my favourite games when I was a child. I haven't played since, but I remember the squad management being the ultimate form of AI in computer games... I won't play it again since I don't want to spoil those good memories.

Also it contained a wolf howl sample that I have heard *everywhere* since. It's featured at the beginning of Kavinsky & Lovefoxxx's "Nightcall" from the Drive OST. I suppose it's one of those samples.
Johnman

Post Apr 19th '14, 17:38

Most of the deviations from the original source I've seen so far are in code associated with AI/monsters.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Apr 25th '14, 01:42

dmg1.png

dmg2.png


Went back to this today. Just looked over what I have so far and apparently I only have about 30% of the functions named. Started setting breakpoints to locate ally-related functions. Some unused monster_data fields are utilized in Damage. Physics models are not used in Damage. all of that is hardcoded. Found the code relating to jumping (just uses monster_accelerate) but not the code for crouching.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post May 6th '14, 00:24

this looks quite interesting. I always thought that Damage Inc. would have been just the greatest with just one little difference: as a Marathon scenario :P
Just imagine commandeering a squad of Marathon Defence Drones, BoBs or for greater firepower some W.A.S.P.-Gev's (-->picture those are from the 3rd party M1 add-on "dogs of pfhor": 2 marines in a Hovercraft equipped with grenades, rockets and a handheld MA-75). Your little army to surgically take out a pfhor army that is endagering your favourite outpost.

To my recollection apart from the physics models they also took out the ability of teleportation.
User avatar

Bobwithkeycard
AMS-Tower

Post May 20th '14, 21:28

Made a lot of progress today. If I keep returning to this from time to time I could probably produce something that a compiler would accept. I would say my progress is at about 30%. It was probably compiled with many compiler optimizations enabled, which makes the code a lot more difficult to interpret. The generated assembly code confuses Hex-Rays very often.

The dropbox link has been updated to have my most recent db.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location


Post May 31st '14, 17:24

My hard drive died on me two days ago. It wasn't a major setback for this project, but many of my other projects were affected. The bad news is that I lost a lot of progress between my last dropbox update and the crash. The good news is that I've already pretty much recovered all of that progress due to the absence of any side projects to distract me.

The first recompilable release, when it comes, will probably be only compilable under VC++ (it will probably have some inline assembly, and GCC's syntax for inline assembly is atrocious). It'll be Windows-only of course, as a port isn't really within the scope of this project (I doubt that this will be merged with Aleph One.)
If I do port it it will use SDL and be a straight port.
Attachments
progress.png
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 2nd '14, 09:12

I would love for Damage Inc. to be ported to Aleph One along with a nice floating HUD. Damage inc was part of my child hood next to Marathon, Descent, and Quake 2.
natranr

Post Jul 2nd '14, 16:02

If a port to Aleph One is done it won't be done by me.

Also this is kinda on hold at the moment.

I'm still going back to the db every so often and making a couple of corrections or other small changes. It's not really full on hardcore ISIS jiihad at the moment. it's a little more laid back, like Al-Qaeda jiihad. Or I guess you could say it's a Marathon, not a sprint.

I played up to the second level a couple of weeks ago and realized how much more advanced the engine is compared to M2. The first thing that comes to mind is that when you walk into mapobjects they actually MOVE. Crazy right??

Actually I think that's the only thing I noticed. But imagine the possibilities if that was integrated into Aleph One! With the help of lua scripting you could implement a huge chessboard map with chess pieces, and play chess IN MARATHON! You wouldn't even have to get up from your computer to call an acquaintance and invite them over to play chess with you, then wait for them to arrive. You could do all of that from the metaserver lobby!
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 2nd '14, 16:32

Also, if somebody could upload the Mac binary for Prime Target for me that would be fantastic.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 3rd '14, 00:38

I have some pretty good news: Hopper sent me the mac binary for Prime Target, and after perusing the assembly I've found that there are far fewer functions that will need to be reversed for Prime Target. Since the source of Prime Target was used to make Damage I figured it would make sense to reverse them side-by-side. I can use the Hex-Rays decompiler for the x86 windows binary of Damage, and then compare the assembly of that function with the assembly of the mac PPC binary of Prime Target, and if they're close enough i can use the same code for both.

And of course, at least 80% of both of the engines code are the same as M2's.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 3rd '14, 17:46

ohboyohboy, someone said prime target
good luck with this, we really need more jiihad styled chess matches in marathon, heh :P Hope the squad members will stick to the rules when it comes down to it.

Anyway, looking forward to what comes of your project :)

p.s. sorry to hear about your hard drive crash. maybe put backups in mobile defense drones orbiting your home. you know, just to be on the safe side. (make sure the drones are turned on, though)
User avatar

Bobwithkeycard
AMS-Tower

Post Jul 3rd '14, 18:45

I just wrote a quick script for IDA Pro that would count the number of subroutines in a database with the default name prefix, which allows me to get a rough count of how many functions are unknown/not named/not reversed.

I ran the script with my Prime Target db and my Damage db. Here are the results:

Prime Target: 1588 functions
Damage Incorporated: 1709 functions

Note that I've barely named any of the functions in my Prime Target db. This should give you a pretty good idea of how massive Damage for Windows is compared to Prime Target for Mac. There are other factors involved as well, like the code generation of the Wacom compiler for Windows compared to the (CodeWarrior??) compiler for Mac PPC. Also, I suspect that the Windows port was messily done. And wacom's linker seems to have linked in many unused library functions.

Those numbers I gave above probably look very intimidating. They are, and I definitely did not expect them to be that high! To compare the current progress on Damage with what I started with I just re-disassembled it. And the original subcount...

Prime Target: 1714 functions
Damage Incorporated: 1958 functions

And yes I did get around a hundred Prime Target functions named yesterday, but only because they did nothing but return the result of an system call (I think they're system calls on PPC Mac OS, but I'm not really a Mac person. They're some kind of extern.). And I only really named a small number of them, because doing all of it by hand would take forever. I'm going to write a script to do it eventually.

I will be busy for a while, but I will be working on this on and off. Prime Target will likely be done before Damage is complete, but the Prime Target source release will not be runnable on modern OS' directly after the release. I have no plans for it beyond the reversing yet.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 3rd '14, 18:53

Bobwithkeycard wrote:ohboyohboy, someone said prime target
good luck with this, we really need more jiihad styled chess matches in marathon, heh :P Hope the squad members will stick to the rules when it comes down to it.

Anyway, looking forward to what comes of your project :)

p.s. sorry to hear about your hard drive crash. maybe put backups in mobile defense drones orbiting your home. you know, just to be on the safe side. (make sure the drones are turned on, though)


I recently sedated myself with narcotic painkillers acquired from the seediest neighborhood in the area and performed surgery on myself to implant a usb in my wrist, with the dongle jutting outwards. I am keeping all backups on that usb from now on.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 3rd '14, 19:20

To put thing in perspective concerning the number of functions, I used the script on the executable for the third consecutive _halo game and it returned 12,759 functions.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 4th '14, 05:25

I just recently found Prime Target on a Mac abandonware site and started working on getting sheepshaver up and running to play it. Though it would be great if they could be ported to Aleph One. How hard would it be to port them after you reverse them?
natranr

Post Jul 4th '14, 08:33

Asylum wrote:I recently sedated myself with narcotic painkillers acquired from the seediest neighborhood in the area and performed surgery on myself to implant a usb in my wrist, with the dongle jutting outwards. I am keeping all backups on that usb from now on.


glad to hear that you're committed to the project. I recommend staying away from stimpacks that come bundled with old copies of starcraft, though..so that might have been a good call

good luck with this horde of functions [MUp]
User avatar

Bobwithkeycard
AMS-Tower

Post Jul 5th '14, 03:14

Current Unnamed Function count for Damage: 1,312

I took the time to undefine all of the unused library functions the wacom's linker crammed into the exe. Also, I checked the Mac version and it contained debugging information with the names of every function in Damage. This is a huge step forward, and it's also responsible for the function count dropping by 400 over the course of a few hours. So what I guess this means is that it will actually be DAMAGE that is completed first, then Prime Target. Prime Target will actually take longer since we have no debugging info for it. But it would not take as long as Damage would have taken without debugging info.

https://www.dropbox.com/s/psaxe7p20ewdz ... 1%20PM.png

So now I sit in front of my computer and rename all of the functions left by hand. Only 1,312 to go!
And then after that I have to do a lot of cleaning. And renaming. And defining.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 5th '14, 17:31

Current unnamed function count for Damage: 1,215.

I modified the script that I had been using to find the number of unnamed functions so that it could also tell me how many functions are not referenced by code or data in the program. The numbers are:

225 functions unreferenced in any code (i.e not called)
118 functions unreferenced in both code and data (totally unused, worthless).

I'm considering modifying the script to remove all of these functions. The only problem is that some of them were originally a part of Damage, but the compiler inlined all of the calls to them. I've confirmed this by comparing with the Mac version. Actually, this seems like a really bad reason to leave 225 useless functions cluttering up the database.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 5th '14, 17:51

Damage Unnamed Function Count: 1,028.

After running the modified script the database became much cleaner. When I scroll through the list of functions now I see a 1:1 ratio of named functions to unnamed functions. I'm pretty sure that some functions that actually are used were undefined when I ran the script, but that's okay because I'll come across the references to them (if they are referenced meaningfully) and I'll just redefine them.

I might be posting updates too frequently and giving more details than most readers would care to read, but this is less for the benefit of users on this forum and more for the benefit of people who are interesting in reverse-engineering. also I love to talk about this stuff but never get a chance to talk about it.

ANYWAY we're getting closer!
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 5th '14, 22:18

I enjoy every post in this thread. Keep up the good work.
User avatar

Zott
Earth

Post Jul 6th '14, 16:46

Damage Unnamed Function Count: 879

It's slowed a bit because I've begun finding some interesting parts of the code. I did some backtracking to the entry point and worked from there, so now a large portion of the startup code has correctly typed and named functions, with the right number of arguments and the right types for those as well. Named a lot of global variables too.

I'll update this post later with some more info and pretty pictures and flowcharts. I know you guys crave the flowcharts.
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 7th '14, 00:12

I just realized I was double posting again, but i had already uploaded the files and didnt feel like doing that again.

screenie1.png

screenie2.png

screenie3.png


I started working on the structures new to Damage. These are small screenshots of the progress on that. Two I've named: swinging_door_data and squadie_data. swinging_door_data is a pretty shitty name unfortunately, since the structure is also used for sliding doors *i think*. It can be renamed at any time without a problem though.

So the way the new doors are implemented is that they are map objects instead of platforms. the permutation field of the object_data structure determines what kind of door they are. Haven't gotten much further into that.

As for squadmates, that's a little foggier right now. Squadies are monsters, so they are described with monster_data structures, but there is also info relating to them in the player_data structure. There's also another global variable pointing to an array of structures that also relate to squadies. I decided to name this one "squadies". So far the only fields of it that I've documented are the squadies current weapon and the resource id for their name string.
838 functions.

EDIT: 666 functions remaining!
(●__●)(͡° ͜ʖ ͡°)(●__●)
User avatar

Asylum
Location

Post Jul 9th '14, 01:32

So once Damage Inc. has been reversed and ported to Aleph One, will we be able to make it so when you use the map to command the marines that the gun would stop going off when you click.
natranr

Next

Return to Aleph One Discussion



Who is online

Users browsing this forum: No registered users