Qhimm.com Forums
Miscellaneous Forums => Scripting and Reverse Engineering => Topic started by: dziugo on 2012-08-17 09:23:21
-
List of files/archives that changed:
flevel.lgp:
ancnt1 - Fixes Vincent at the end of Disc1 (his leg is up when Aeris...)
ancnt4 - Fixes Vincent
blackbgb - End of Disc 1/Disc 2 changed to End of Part 1/Part 2 ("Please do not open the CD drive" is tossed since there are no CDs now)
frcyo - Names of greens changed: Gysahl vs Gizzard, Krakka vs Karaka, Pahsana vs Pasana, Curiel vs Kurie, Mimett vs Memit (possibly something more)
fr_e - unknown
fship_4 - Highwind flying instructions -> "[ASSIST] to move ahead" vs "[OK] to move ahead", "[ASSIST] toggle map" vs "[ASSIST] to strafe"
las0_8 - Split in The Northern Crater - fixing choices for "I'm going Left/Right" (original team sometimes used simple spaces instead of tabs/choices)
las2_1 - Same as above, fixing choices for Up, Down, also, a little Easter Egg ;p
lastmap - unknown
uutai1 - unknown
The easter egg: Unused text "012345678901234" changed to "Secret Cow Level" (Diablo? Anyone?? No? Okay :( )
condor.lgp - textures
eunit00.tex - Removing Playstation symbols from the buttons, this one is most likely for the low-res, so unused
eunit00d.tex - Renaming buttons (the Playstation symbols vs B1,B2,B3,B4)
Also, the port team was called "dotemu", and is a 3rd party. The name of the new dll graphics driver is: new_dll_graphics_driver (duh! ;p)
Great job they've done.
-
The 'secret cow level' thing is actually... used.
http://www.youtube.com/watch?v=yHIbkv2QbBQ
-
I'd be surprised if it wasn't used for anything now ;p
-
blackbgb - End of Disc 1/Disc 2 changed to End of Part 1/Part 2 ("Please do not open the CD drive" is tossed since there are no CDs now)
I think that is the map that crashes touphscript, so perhaps they fucked up there.
-
I didn't notice the Left/Right Up/Down thing. I'll share my other findings here.
fr_e -- In the "chance" group script (I didn't write down which one) they change an 8 frame wait to a 1 frame wait.
lastmap -- In script 3 of group "AD3", it now uses script 1 of group "disp".
Such minor changes. I haven't played either of these parts of the game so I haven't "noticed" a change. Still have no idea about uutai1, nor why the frcyo filesize is so different.
-
did they fix some bugs? like the Magic Defense bug of the Wizard Bracelet?
-
did they fix some bugs? like the Magic Defense bug of the Wizard Bracelet?
If the exe didn't change, then no.
-
If the exe didn't change, then no.
I wouldn't say that. Their driver latches onto the game the same way Aali's driver does, and he was able to fix the mdef bug without changing the exe. All you strictly need to do is have the fix somewhere else, such as somewhere in AF3DN.P, and have the driver patch it in at runtime.
-
The driver definitely supersedes (my favourite word of late) some of the original data. Most of it is untouched though. They did the bare minimum, so I wouldn't be surprised to see the defence bug still there.
-
The lack of changes to the exe itself is pretty compelling evidence that no-one has the original source any more.
-
How do you lose the source code to one of, if not the, greatest game of all time? How can they be so lax and useless for such a big company. The mind BOGGLES.
-
Can't remember where I read this but probably here.
Final Fantasy 7 was remade for PS3 years ago. It's kept behind glass that says "break if bad **** happens"
I'm gonna say source code is behind this glass as well
-
I didn't notice the Left/Right Up/Down thing. I'll share my other findings here.
fr_e -- In the "chance" group script (I didn't write down which one) they change an 8 frame wait to a 1 frame wait.
lastmap -- In script 3 of group "AD3", it now uses script 1 of group "disp".
Such minor changes. I haven't played either of these parts of the game so I haven't "noticed" a change. Still have no idea about uutai1, nor why the frcyo filesize is so different.
Hello and welcome to the board! Thank you very much for posting your findings.
did they fix some bugs? like the Magic Defense bug of the Wizard Bracelet?
They did fix that one for sure, and chocobo crash too. Probably many more.
I wouldn't say that. Their driver latches onto the game the same way Aali's driver does, and he was able to fix the mdef bug without changing the exe. All you strictly need to do is have the fix somewhere else, such as somewhere in AF3DN.P, and have the driver patch it in at runtime.
Seconded. It's patched on run.
-
Is there an easy way to work out which values it is patching at runtime? Maybe they found out a few that we missed?
-
Is there an easy way to work out which values it is patching at runtime? Maybe they found out a few that we missed?
Dump the running exe and compare to the exe file. There are over 2k changed bytes - some of them are functions replaced, but some are single byte-tweaks. While fixing things (I'm using chocobo patch as an example), they NOP-ed not only the faulty instructions, but also surrounding ones, because they were not needed. A+ job, or they didn't want it to look like rip-off ;) You'd have to go one by one over the modifications to find unknown fixes.
-
Can you get me the full list of changed addresses and values so I can check it out? I don't have the exe or the ability to run the game anyway. 8)
-
Can you get me the full list of changed addresses and values so I can check it out? I don't have the exe or the ability to run the game anyway. 8)
Since it's already done: runtime patch changes (http://dziugo.republika.pl/ff7/v106/ff7_en_1_06_runtime_patches.txt). Counting minutes till you give up ;)
Edit:
File taken down, not to troll anyone anymore.
-
excellent. Now can you do me one more thing? Change those into 1.02 ff7.exe addresses also? I have a good documentation here so I can at least get close to where some of these are being used.
-
excellent. Now can you do me one more thing? Change those into ff7.exe addresses also? I have a good documentation here so I can at least get close to where some of these are being used.
Info is in the file. It's simple math.
Edit:
I'll copy it here for convenience:
For virtual addresses add 0x401000
For ff7_en.exe addresses add 0x1000
-
So it is. I will get on it.
edit: another thing. What is the point of them nopping the unused functions in chocobo races? That won't do anything will it? No speed up or anything?
-
So it is. I will get on it.
edit: another thing. What is the point of them nopping the unused functions in chocobo races? That won't do anything will it? No speed up or anything?
It might speed up, yes, but not much (no one would notice). NOP is actually an "xchg eax, eax" command (exchanges values of the same register, thus resulting in no changes), so it doesn't require memory access. The NOPed instructions did use memory access, so they were slower. The memory would already be in the processor's cache though. Academic problem I guess.
Most likely it was just being safe - why introduce entropy when you can choose not to? ;p Jedwin's patch NOPed the instruction, but still saved *something* as a result - a value from the previous block. I've tried to establish what was missing there, why the address would be inaccessible now, and it most likely was a source-code comment made - leaving out the unneeded part, forgetting about this little fragment that still tried to access it.
-
I am placing break points all over. So far the ones I am seeing are related to some sort of input being nopped? Like at 0041F5DC
in memory for 1.02 exe.
I will map as many of these in excel and upload to google soon.
edit:
0061F6D4 (1.02 0021EAD4) seems to be related to a value you changed. This is changed in my 9999hp patcher and here in this list.
lots of 10 27 (10000) changed to 30 75 (12405) . What is it doing?
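The dump-and-compare approach described earlier in the thread (diff the running process against the exe file, then walk the changed bytes one by one), together with the offset deltas dziugo quoted ("for virtual addresses add 0x401000, for ff7_en.exe addresses add 0x1000") and the two-byte little-endian immediates discussed above, as an added Python illustration. This is not a tool any of the posters used: the DISK and DUMP bytes are constructed sample data, the meaning of the two deltas (offset within .text to virtual address / to file offset) and the DLL-side jump target 0x1000EB20 are assumptions, and the run classifier is a heuristic, not a disassembler.

```python
"""Dump-and-compare illustration: diff the .text bytes of the on-disk exe
against the same bytes read from the running process, group the changed
bytes into runs and classify each run (NOP-ed instructions, near jumps
redirected into a DLL, rewritten 16-bit immediates).  Added example, not
the tool used in the thread; DISK/DUMP below are constructed bytes."""

import struct

# Deltas quoted in the thread for the posted change list; assumed here to
# convert an offset within .text into a virtual address and a file offset.
VA_DELTA = 0x401000
FILE_DELTA = 0x1000

NOP = 0x90        # encodes as XCHG EAX,EAX, as the thread notes
JMP_REL32 = 0xE9  # near jump, 32-bit displacement relative to the next instruction

# Assumed DLL-side target for the sample jump (the 0x10000000 range is
# where the driver listings posted in this thread live).
JMP_TARGET = 0x1000EB20


def diff_ranges(disk, dump):
    """Return [(offset, length)] for every maximal run of bytes that differ."""
    if len(disk) != len(dump):
        raise ValueError("both images must cover the same byte range")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(disk, dump)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(disk) - start))
    return ranges


def classify(dump, offset, length):
    """Guess what a changed run is; returns (kind, decoded value or None)."""
    chunk = dump[offset:offset + length]
    if all(b == NOP for b in chunk):
        return "nop-sled", None
    if chunk[0] == JMP_REL32 and length >= 5:
        rel = struct.unpack_from("<i", chunk, 1)[0]
        return "jmp", VA_DELTA + offset + 5 + rel      # target = next-instruction VA + rel32
    if length == 2:
        return "imm16", int.from_bytes(chunk, "little")  # x86 immediates are little-endian
    return "other", None


def report(disk, dump):
    """One row per changed run, with .text offset, VA and file offset."""
    rows = []
    for off, ln in diff_ranges(disk, dump):
        kind, value = classify(dump, off, ln)
        rows.append({"text_off": off, "va": off + VA_DELTA, "file_off": off + FILE_DELTA,
                     "len": ln, "kind": kind, "value": value})
    return rows


def build_sample():
    """Constructed 64-byte .text slice plus a 'runtime' copy carrying three patches."""
    disk = bytearray(range(1, 65))                 # arbitrary filler bytes
    disk[0x30:0x32] = b"\x10\x27"                  # little-endian 0x2710 = 10000
    dump = bytearray(disk)
    dump[0x10:0x13] = bytes([NOP] * 3)             # three instruction bytes NOP-ed out
    rel = JMP_TARGET - (VA_DELTA + 0x20 + 5)       # displacement from the next instruction
    dump[0x20:0x25] = bytes([JMP_REL32]) + struct.pack("<i", rel)
    dump[0x30:0x32] = b"\x30\x75"                  # little-endian 0x7530 = 30000
    return bytes(disk), bytes(dump)


if __name__ == "__main__":
    disk, dump = build_sample()
    rows = report(disk, dump)
    print(f"{sum(r['len'] for r in rows)} changed bytes in {len(rows)} runs")
    for r in rows:
        val = "" if r["value"] is None else f" -> {r['value']:#x}"
        print(f"text+{r['text_off']:04X}  VA {r['va']:08X}  file {r['file_off']:08X}  "
              f"{r['len']:2d} bytes  {r['kind']}{val}")
```

On real input you would replace build_sample() with the .text section read from the exe on disk and the same range read out of a process dump taken without any other patcher loaded, since every resident patch (Aali's driver, YAMP, a 9999 HP patch) otherwise shows up in the diff exactly as the thread found.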
-
It seems the new driver has GYPT??? Is this an oversight from you Dziugo? or whoever uploaded this change log?
[also likely that the 9999 patch is here too in this list which it shouldn't be]
Starting memory address 006767D9 for example. until 00676833
If so I need a comparison with a clean 1.02 and from memory (without aalis driver) with new ff7.
That will narrow down precisely what "fixes" this new game has made.
edit
it also seems that this is a comparison between the exes? I need the comparison with memory since all these values have gotten in the way.... I have tons of Aali driver changes here which are injected at runtime and are not visible in the 1.02 exe (unless they are in the same place as Aali's with the new driver?)
edit 2:
I have dumped original 1.02 memory. Now awaiting Covarr and to do ff7_en.
edit 3:
I have dumped the original 1.02 memory with the new ff7 memory, and compared the .text area. There are 879 bytes of difference. The reason your list is larger is because you compared memory with aali's driver active and your own code (like gypt) active.
edit 4:
253 of the 879 bytes I have checked so far are jumps to the new driver and pointers to new code in new exe. I will post excel when I am ready :)
edit 5:
The following is WIP of new addresses and use in code. I will do as much as I can.
It is already looking like working out what is fixed from this is not likely...
depends how it has all been implemented. We will see.
https://docs.google.com/spreadsheet/ccc?key=0AlJH_wU1qqN4dEFDeUtFMWtiZkF3WVB3OUZSd3dGdEE#gid=1
edit 6: Note. They haven't used Qhimm's chocobo fix. No. They've used Aali's. Aali's driver nops the same ones as this "new" game. Other areas have also been blatantly stolen 1:1 or used to work out their own problems. They have definitely looked at Aali's driver when making their own. No doubt. You only need to look at the changes in the database above and compare the memory to a 1.02 using aali's driver.
-
It seems the new driver has GYPT??? Is this an oversight from you Dziugo? or whoever uploaded this change log?
[also likely that the 9999 patch is here too in this list which it shouldn't be]
Starting memory address 006767D9 for example. until 00676833
Oops ;) Yes, it contained most of the YAMP patches, sorry as it was not intended :evil:
If so I need a comparison with a clean 1.02 and from memory (without aalis driver) with new ff7.
That will narrow down precisely what "fixes" this new game has made.
edit
it also seems that this is a comparison between the exes? I need the comparison with memory since all these values have gotten in the way.... I have tons of Aali driver changes here which are injected at runtime and are not visible in the 1.02 exe (unless they are in the same place as Aali's with the new driver?)
It was a comparison between ff7_en.exe (the original one - dump was taken ?two days ago? when I hadn't yet tried the YAMP patches) and the ff7_en.exe running with most of the YAMP patches applied. Like it was said before, it was supposed to be a list of the changes done at runtime - not a list of changes between 1.02 and 1.05/1.06.
edit 2:
I have dumped original 1.02 memory. Now awaiting Covarr and to do ff7_en.
edit 3:
I have dumped the original 1.02 memory with the new ff7 memory, and compared the .text area. There are 879 bytes of difference. The reason your list is larger is because you compared memory with aali's driver active and your own code (like gypt) active.
You mean the updated Aali's driver for the new release? Yeah, of course I used that ;) Didn't use Aali's driver (ever), so there were only YAMP changes.
edit 4:
253 of the 879 bytes I have checked so far are jumps to the new driver and pointers to new code in new exe. I will post excel when I am ready :)
Yeah, that's why I moved to other stuff when I started checking what's changed ;) 879 bytes changed still sounds like much.
edit 5:
The following is WIP of new addresses and use in code. I will do as much as I can.
It is already looking like working out what is fixed from this is not likely...
depends how it has all been implemented. We will see.
https://docs.google.com/spreadsheet/ccc?key=0AlJH_wU1qqN4dEFDeUtFMWtiZkF3WVB3OUZSd3dGdEE#gid=1
edit 6: Note. They haven't used Qhimm's chocobo fix. No. They've used Aali's. Aali's driver nops the same ones as this "new" game. Other areas have also been blatantly stolen 1:1 or used to work out their own problems. They have definitely looked at Aali's driver when making their own. No doubt. You only need to look at the changes in the database above and compare the memory to a 1.02 using aali's driver.
If I were to make a chocobo fix, I'd have done it the same way (NOP the whole block), as that would be just common sense.
Other than that: OMG
And: Great job!
Edit:
Let's do some more digging before making any conclusions. Others are welcome to make their input too, I'll try not to troll anyone with fake changes from this point ;) (sorry again)
-
Yeah, it could well be that they just ended at the same conclusions... but I am a little suspicious :P
I will carry on documenting the new exe today. Can you tell me which addresses are to do with the mdef fix?
-
Yeah, it could well be that they just ended at the same conclusions... but I am a little suspicious :P
I will carry on documenting the new exe today. Can you tell me which addresses are to do with the mdef fix?
The one made by NFITC1 (YAMP based) is around 006C51DE - Aali's driver supposedly patches it differently, never cared to look how (I see 006C5154 address in your list, maybe there?).
-
very likely... it does use the menu system a lot (when setting equip/materia etc).
The new game jumps to its driver there too.
-
Ok, I've installed the Aali's driver. The new version is a rip-off.
Here is the dump of the destination jump of the MDef fix (from Aali's):
Address Hex dump Command Comments
1004A190 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
1004A194 8B0D 485A0910 MOV ECX,DWORD PTR DS:[10095A48]
1004A19A 0FB69401 F8040000 MOVZX EDX,BYTE PTR DS:[EAX+ECX+4F8]
1004A1A2 A1 B85B0910 MOV EAX,DWORD PTR DS:[10095BB8]
1004A1A7 8B0490 MOV EAX,DWORD PTR DS:[EDX*4+EAX]
1004A1AA 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
1004A1AE 83FA 03 CMP EDX,3
1004A1B1 77 5D JA SHORT 1004A210
1004A1B3 FF2495 14A20410 JMP DWORD PTR DS:[EDX*4+1004A214]
1004A1BA 8B15 485C0910 MOV EDX,DWORD PTR DS:[10095C48]
1004A1C0 69C0 84000000 IMUL EAX,EAX,84
1004A1C6 0FBE4C08 70 MOVSX ECX,BYTE PTR DS:[ECX+EAX+70]
1004A1CB 6BC9 2C IMUL ECX,ECX,2C
1004A1CE 0FB64411 04 MOVZX EAX,BYTE PTR DS:[EDX+ECX+4]
1004A1D3 C3 RETN
1004A1D4 69C0 84000000 IMUL EAX,EAX,84
1004A1DA 0FBE4408 71 MOVSX EAX,BYTE PTR DS:[ECX+EAX+71]
1004A1DF 8B0D 4C5C0910 MOV ECX,DWORD PTR DS:[10095C4C]
1004A1E5 8D04C0 LEA EAX,[EAX*8+EAX]
1004A1E8 0FB64481 02 MOVZX EAX,BYTE PTR DS:[EAX*4+ECX+2]
1004A1ED C3 RETN
1004A1EE 833D 14CA0810 00 CMP DWORD PTR DS:[1008CA14],0
1004A1F5 74 19 JE SHORT 1004A210
1004A1F7 69C0 84000000 IMUL EAX,EAX,84
1004A1FD 0FBE4408 71 MOVSX EAX,BYTE PTR DS:[ECX+EAX+71]
1004A202 8D14C0 LEA EDX,[EAX*8+EAX]
1004A205 A1 4C5C0910 MOV EAX,DWORD PTR DS:[10095C4C]
1004A20A 0FB64490 03 MOVZX EAX,BYTE PTR DS:[EDX*4+EAX+3]
1004A20F C3 RETN
1004A210 33C0 XOR EAX,EAX
1004A212 C3 RETN
From dOTEMU:
Address Hex dump Command Comments
1000EB20 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
1000EB24 8B0D A4B00210 MOV ECX,DWORD PTR DS:[1002B0A4]
1000EB2A 0FB69401 F8040000 MOVZX EDX,BYTE PTR DS:[EAX+ECX+4F8]
1000EB32 A1 68B10210 MOV EAX,DWORD PTR DS:[1002B168]
1000EB37 8B0490 MOV EAX,DWORD PTR DS:[EDX*4+EAX]
1000EB3A 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
1000EB3E 83FA 03 CMP EDX,3
1000EB41 77 5D JA SHORT 1000EBA0
1000EB43 FF2495 A4EB0010 JMP DWORD PTR DS:[EDX*4+1000EBA4]
1000EB4A 8B15 74B10210 MOV EDX,DWORD PTR DS:[1002B174]
1000EB50 69C0 84000000 IMUL EAX,EAX,84
1000EB56 0FBE4C08 70 MOVSX ECX,BYTE PTR DS:[ECX+EAX+70]
1000EB5B 6BC9 2C IMUL ECX,ECX,2C
1000EB5E 0FB64411 04 MOVZX EAX,BYTE PTR DS:[EDX+ECX+4]
1000EB63 C3 RETN
1000EB64 69C0 84000000 IMUL EAX,EAX,84
1000EB6A 0FBE4408 71 MOVSX EAX,BYTE PTR DS:[ECX+EAX+71]
1000EB6F 8B0D 78B10210 MOV ECX,DWORD PTR DS:[1002B178]
1000EB75 8D04C0 LEA EAX,[EAX*8+EAX]
1000EB78 0FB64481 02 MOVZX EAX,BYTE PTR DS:[EAX*4+ECX+2]
1000EB7D C3 RETN
1000EB7E 833D 706E0210 00 CMP DWORD PTR DS:[10026E70],0
1000EB85 74 19 JE SHORT 1000EBA0
1000EB87 69C0 84000000 IMUL EAX,EAX,84
1000EB8D 0FBE4408 71 MOVSX EAX,BYTE PTR DS:[ECX+EAX+71]
1000EB92 8D14C0 LEA EDX,[EAX*8+EAX]
1000EB95 A1 78B10210 MOV EAX,DWORD PTR DS:[1002B178]
1000EB9A 0FB64490 03 MOVZX EAX,BYTE PTR DS:[EDX*4+EAX+3]
1000EB9F C3 RETN
1000EBA0 33C0 XOR EAX,EAX
1000EBA2 C3 RETN
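The comparison being made above, that the two routines are the same code apart from where each DLL is loaded, as an added Python check that is not part of the post. It parses OllyDbg-style listing lines, masks every 8-hex-digit absolute address (in both the hex dump and the operand text), keeps relative jump displacements and small immediates (84, 2C, 70, 71, 4F8) intact, and compares the two routines instruction by instruction at the same offset from their entry. The two excerpts are the first nine instructions of each listing posted above; the parser's assumption that a mnemonic is never an all-hex-letter token is handled by a small exception set (ADD, ADC, DEC, CDQ), which is my addition.

```python
"""Compare two disassembly listings modulo absolute addresses.  Added example;
the excerpts are copied from the two listings posted in the thread (first nine
instructions of each routine)."""

import itertools
import re

AALI = """\
1004A190 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
1004A194 8B0D 485A0910 MOV ECX,DWORD PTR DS:[10095A48]
1004A19A 0FB69401 F8040000 MOVZX EDX,BYTE PTR DS:[EAX+ECX+4F8]
1004A1A2 A1 B85B0910 MOV EAX,DWORD PTR DS:[10095BB8]
1004A1A7 8B0490 MOV EAX,DWORD PTR DS:[EDX*4+EAX]
1004A1AA 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
1004A1AE 83FA 03 CMP EDX,3
1004A1B1 77 5D JA SHORT 1004A210
1004A1B3 FF2495 14A20410 JMP DWORD PTR DS:[EDX*4+1004A214]
"""

DOTEMU = """\
1000EB20 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
1000EB24 8B0D A4B00210 MOV ECX,DWORD PTR DS:[1002B0A4]
1000EB2A 0FB69401 F8040000 MOVZX EDX,BYTE PTR DS:[EAX+ECX+4F8]
1000EB32 A1 68B10210 MOV EAX,DWORD PTR DS:[1002B168]
1000EB37 8B0490 MOV EAX,DWORD PTR DS:[EDX*4+EAX]
1000EB3A 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
1000EB3E 83FA 03 CMP EDX,3
1000EB41 77 5D JA SHORT 1000EBA0
1000EB43 FF2495 A4EB0010 JMP DWORD PTR DS:[EDX*4+1000EBA4]
"""

HEX_TOKEN = re.compile(r"^[0-9A-F]+$")
ABS_ADDR = re.compile(r"[0-9A-F]{8}")
# Mnemonics made only of hex letters would otherwise be swallowed into the hex dump.
HEX_LOOKING_MNEMONICS = {"ADD", "ADC", "DEC", "CDQ"}


def parse(listing):
    """Return [(address, [hex dump tokens], instruction text)] for each line."""
    entries = []
    for raw in listing.strip().splitlines():
        addr, rest = raw.split(None, 1)
        tokens = rest.split()
        i = 0
        while (i < len(tokens) and HEX_TOKEN.match(tokens[i])
               and tokens[i] not in HEX_LOOKING_MNEMONICS):
            i += 1
        entries.append((int(addr, 16), tokens[:i], " ".join(tokens[i:])))
    return entries


def normalize(entry, base):
    """Instruction offset from routine entry, hex dump and text with 32-bit addresses masked."""
    addr, hexdump, text = entry
    masked_bytes = " ".join("XXXXXXXX" if len(t) == 8 else t for t in hexdump)
    masked_text = ABS_ADDR.sub("ADDR", text)
    return (addr - base, masked_bytes, masked_text)


def compare_listings(left, right):
    """Return [(left_entry, right_entry)] pairs that still differ after masking; [] if identical."""
    pl, pr = parse(left), parse(right)
    nl = [normalize(e, pl[0][0]) for e in pl]
    nr = [normalize(e, pr[0][0]) for e in pr]
    return [(x, y) for x, y in itertools.zip_longest(nl, nr) if x != y]


if __name__ == "__main__":
    diffs = compare_listings(AALI, DOTEMU)
    print("identical modulo addresses" if not diffs else f"{len(diffs)} differing instructions")
    for x, y in diffs:
        print(f"  +{x[0]:X}: {x[2]!r} vs {y[2]!r}")
```

Masking every 8-digit token over-masks a few opcode/ModRM groups (0FB69401) and the disp32 of MOVZX, but the operand text still carries those displacements, so a changed offset or immediate is still reported; what the check deliberately ignores are the data and jump-table addresses that necessarily differ between two DLLs.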
-
Yup. They've basically been looking at Aali's driver to make their own!
-
Hmm... Considering that Aali's work is not actually a driver (it's a rendering engine), they mindlessly ripped even that, or were surely inspired even by the name.
-
Yeah, I did think that too when I first saw it. That even the name was the same. So far I have found no real fixes that we don't already have. Those differences there are, seem to be mostly concerned with how their driver changes the key config screen.
There are a few other driver jumps that aali doesn't jump with though.
[17:03] <Aali> you think this is news to me?
[and in response to the question if he had been asked for his driver]
[17:21] <Aali> there was no funny business from their side
[17:21] <Aali> enough said
So there we have it. The new driver is really just aali's driver in large part :) Heavily based on it (at the least), and the fixes used too.
This means there are unlikely to be any new fixes with this "new driver". Which is a real shame because I had hoped there would be some stuff we could use from the new game. But that's Enix for you these days. Quick fix. Quick buck. They can't even be bothered using their own work these days when it comes to FF7.
I suppose that also means they may have the source code, but just couldn't be arsed.
-
Yeah, I did think that too when I first saw it. That even the name was the same. So far I have found no real fixes that we don't already have. Those differences there are, seem to be mostly concerned with how their driver changes the key config screen.
There are a few other driver jumps that aali doesn't jump with though.
So there we have it. The new driver is really just aali's driver in large part :) Heavily based on it (at the least), and the fixes used too.
This means there are unlikely to be any new fixes with this "new driver". Which is a real shame because I had hoped there would be some stuff we could use from the new game. But that's Enix for you these days. Quick fix. Quick buck. They can't even be bothered using their own work these days when it comes to FF7.
I suppose that also means they may have the source code, but just couldn't be arsed.
Yes, that would be possible - they might still have it and just decided not to give it out to a 3rd party.
-
Could it be that they only found the FFVII PSX sourcecode in their basement?
-
Could it be that they only found the FFVII PSX sourcecode in their basement?
That reminds me; anyone tried to reverse the whole pc engine back to code before with any success?
Guess it can't be done until every single thing in the engine has been figured out?
Still can't believe that they scrapped the original code.
Maybe the other company just approached them and said they "could do something to make it work on the newest windows" and they just went along to make a quick buck like everyone has been saying. And no sources were shared.
-
Could it be that they only found the FFVII PSX sourcecode in their basement?
Unlikely, else the fixes would be integral to the executable.
That reminds me; anyone tried to reverse the whole pc engine back to code before with any success?
FF7.exe is an x86 binary. There are x86 disassemblers. Draw your own conclusions.
-
In light of the fact this driver is likely to have exact same fixes as aalis driver does, I will leave the excel document I made as is. If anyone wants to add to it or work with it, let me know and I will clear you for editing.