We could use that Lord Ramza. :3
Okay. I have the files:
FFX&X-2_LAUNCHER.exe is:
Visual C# (That's cool)
FFX&X-2_Will.exe,
FFX.exe,
FFX-2.exe:
Std Compile, C++ compiler - MS Visual Studio 2012 [DebuG] [ Win Vista ]
The MAGIC files in /magicFiles/FFX and FFX2 are in fact:
Microsoft Visual C++ ver. ~6.0~7.10 - Linker 11 - Visual 2012
Even MANIFEST survived:
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEFLAGSMASK 0x3F
FILEFLAGS 0x0
FILEOS VOS_NT_WINDOWS32
FILETYPE VFT_DLL
FILESUBTYPE 0x0
{
    BLOCK "StringFileInfo"
    {
        BLOCK "000004b0"
        {
            VALUE "CompanyName", "SQUARE ENIX CO., LTD."
            VALUE "FileDescription", "FFX magic_0003"
            VALUE "FileVersion", "1.0.0.0"
            VALUE "LegalCopyright", "© 2001-2004,2013-2016 SQUARE ENIX CO., LTD."
            VALUE "OriginalFilename", "magic_0003.dll"
            VALUE "ProductName", "magic_0003"
            VALUE "ProductVersion", "1.0.0.0"
        }
    }
    BLOCK "VarFileInfo"
    {
        VALUE "Translation", 0x0, 1200
    }
}
Export of magic_0003.dll (FFX):
Functions counter : 0002 decimal - 0002 hex
0001 - magic_0003.dll 0001 GetEffectOverlayTable . . . . 00006C90
0002 - magic_0003.dll 0002 InitMagicPRX . . . . . . 00006CB0
+has written debugger info
Can't say more now. Need to put this to both ILSpy and IDA.
EDIT2: VBF files have a "SRYK" header.
FFX&X-2_LAUNCHER.exe/String:PathConfig
[PathConfig, <?xml version="1.0" encoding="utf-8" ?>
<Paths>
<IniFile>GameSetting.ini</IniFile>
<FFX>FFX.exe</FFX>
<FFXParam></FFXParam>
<FFX2>FFX-2.exe</FFX2>
<FFX2Param></FFX2Param>
<SideStory>FFX.exe</SideStory>
<SideStoryParam>_ECalm</SideStoryParam>
<LastMission>FFX-2.exe</LastMission>
<LastMissionParam>FFX2_LASTMISSION</LastMissionParam>
<Credit>FFX&X-2_Will.exe</Credit>
<CreditParam></CreditParam>
</Paths>]
EDIT:
As Lord Ramza mentioned, there is whole code for VBF called "VBFtool".
Voids are:
VBFTool/VirtuosBigFileReader/
*byte[] GetFileContents(string path)
*void LoadBigFileFile(string path)
Example:
Program.LoadVBFData("MetaMenu/PS3Data/MenuMetaMenu/metamenu.ogg");
Paths are MD5 hashed!
Though fear not. All files have to be written somewhere, or at least their locations.
Now I'll take a look at those magic files.
Update:
PDB path:
R:\hg_code\ffx_magic_w32\source\ps3\ffx\magic\magic_0003\Release\magic_0003.pdb
The PS3 version of this file has .sprx extension.
Okay. I put the EXEs onto IDA, and .... we're home.
Full paths to files and the whole game code are in some custom phyre format. I'm not sure yet, I have no info about phyre, but there are A LOT of debug strings for Phyre:Scripting language and an extreme amount of debug strings, I mean EXTREME (imagine FFVIII debug info and multiply it by 10).
Example:
.rdata:00B39DA8 00000054 C /FFX_Data/GameData/PS3Data/map/luca/luca01/fp/tex/GCM/13888_19_0_0_128_64.dds.phyre
.rdata:00B3A658 0000004E C /FFX_Data/GameData/PS3Data/yonishi_data/dat_et/bat_eff/et_tex/tex/TexList.txt
.rdata:00B3E35C 00000018 C Need update TextureName
.rdata:00B3E398 0000000F C RenderAfterVFX
.rdata:00B3EE90 00000017 C USE_CHARACTER_LIGHTING
.rdata:00B3F41C 00000019 C CharacterSwitching: %.2f
.rdata:00B3F438 00000005 C azit
.rdata:00B3F440 00000005 C bika
.rdata:00B3F448 00000005 C bjyt
.rdata:00B3F450 00000005 C bltz
.rdata:00B3F458 00000005 C bsil (...)
.rdata:00B3F594 00000023 C MapSwitching: %.2f fps\nMap Name:%s
.rdata:00B3F5B8 0000000E C Debug Output:
.rdata:00B3F5C8 0000000F C Material Name:
.rdata:00B3F5D8 0000000A C Group ID:
.rdata:00B3F5E4 0000000E C Animation ID:
.rdata:00B3F5F4 0000000F C Current Frame:
.rdata:00B3F604 0000000A C AutoPlay:
.rdata:00B3F618 00000007 C %s%s%d
.rdata:00B3F624 00000026 C Character Texture Animation: %.2f fps
.rdata:00B3F64C 0000000D C Motion Mode:
.rdata:00B3F65C 00000006 C Loop:
.rdata:00B3F664 00000006 C Next:
.rdata:00B3F66C 00000011 C Animation Count:
.rdata:00B3F680 0000001E C Character Animation: %.2f fps
.rdata:00B3F6A0 00000010 C Character Name:
.rdata:00B3F6B0 0000000A C Map Name:
.rdata:00B3F6BC 00000019 C Character Polygon Count:
.rdata:00B3F6D8 0000000F C Battle Enable:
.rdata:00B3F6E8 00000014 C ClothSystem Enable:
.rdata:00B3F6FC 0000000B C UI Enable:
.rdata:00B3F708 00000010 C MiniMap Enable:
.rdata:00B3F718 00000010 C Show 4:3 Frame:
.rdata:00B3F728 0000001F C Thunder Plain Treasure Enable:
.rdata:00B3F748 0000000E C Game Section:
.rdata:00B3F758 00000016 C Saveload fake slot :
.rdata:00B3F770 00000014 C Disable CRC check:
.rdata:00B3F784 00000016 C Achievements Reset :
and loads more!
Debug outputter subroutine:
.text:006B4CC0 (Unfortunately IDA claims it's unused. Also this sub-routine has no frame info)
The game has no OutputDebugString import... :/
Okay. Looks like we would have to create our own text display. Example listing:
sub_BF4270:
Taking uint_32 Size of *Src is:
../../../FFX_Data/GameData/PS3Data/chr/wep/w041/w041.ahwin32
The entry is dynamic. Therefore memory hotpatching at startup is impossible without pointer use.
Okay. I got this:
FF8.exe:
.text:00C255F0
Is:
.text:00C255F0 sub_C255F0 proc near ; DATA XREF: .rdata:012FE164o
.text:00C255F0
.text:00C255F0 arg_0 = dword ptr 8
.text:00C255F0 arg_4 = dword ptr 0Ch
.text:00C255F0
.text:00C255F0 push ebp
.text:00C255F1 mov ebp, esp
.text:00C255F3 push [ebp+arg_4]
.text:00C255F6 push offset aS_19 ; "%s"
.text:00C255FB call ds:printf <--- Here we have printf std output
.text:00C25601 add esp, 8
.text:00C25604 cmp [ebp+arg_0], 4
.text:00C25608 jnz short loc_C2561A
.text:00C2560A call ds:IsDebuggerPresent <---
.text:00C25610 test eax, eax
.text:00C25612 jz short loc_C2561A
.text:00C25614 call ds:DebugBreak <---
.text:00C2561A
.text:00C2561A loc_C2561A: ; CODE XREF: sub_C255F0+18j
.text:00C2561A ; sub_C255F0+22j
.text:00C2561A pop ebp
.text:00C2561B retn 8
.text:00C2561B sub_C255F0 endp
Okay. I already called AllocConsole, but still the game's printf doesn't show me what it has inside... :/
stdout has to be redirected to console. I found a solution:
freopen("CONOUT$", "w", stdout)
Might try, still a lot of code injection.
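
Added example (not part of the original post and not VBFtool's code): the post says VBF paths are MD5 hashed and that the executable's strings hold full file paths, so one way to put names back on archive entries is to hash every path string from the IDA listing and match the digests against the archive index. The path spelling that gets hashed (leading slash, case) and the UTF-8 encoding are assumptions to test against a real index, and all function names are hypothetical.

```python
import hashlib
import re

# Lines copied from the IDA strings listing in the post (address, length, type, text).
SAMPLE_LISTING = r"""
.rdata:00B39DA8 00000054 C /FFX_Data/GameData/PS3Data/map/luca/luca01/fp/tex/GCM/13888_19_0_0_128_64.dds.phyre
.rdata:00B3A658 0000004E C /FFX_Data/GameData/PS3Data/yonishi_data/dat_et/bat_eff/et_tex/tex/TexList.txt
.rdata:00B3E35C 00000018 C Need update TextureName
.rdata:00B3F594 00000023 C MapSwitching: %.2f fps\nMap Name:%s
"""

LINE_RE = re.compile(r"^\.\w+:[0-9A-Fa-f]{8} +[0-9A-Fa-f]{8} +C +(.*)$", re.M)
PATH_RE = re.compile(r"^(?:\.\./)*/?[\w.\-]+(?:/[\w.\-]+)+\.\w+$")


def extract_paths(listing):
    """Return the listing strings that look like file paths (no spaces, has an extension)."""
    return [s.strip() for s in LINE_RE.findall(listing) if PATH_RE.match(s.strip())]


def variants(path):
    """Candidate spellings to hash. Which one the archive uses is an assumption to test."""
    stripped = re.sub(r"^(?:\.\./)*/?", "", path)
    return {path, stripped, path.lower(), stripped.lower()}


def build_lookup(listing):
    """Map MD5 hex digest -> candidate path, for every variant of every recovered path."""
    table = {}
    for path in extract_paths(listing):
        for cand in variants(path):
            table[hashlib.md5(cand.encode("utf-8")).hexdigest()] = cand
    return table


def resolve(digests, table):
    """Name each digest read from an archive index; unknown digests map to None."""
    return {d: table.get(d.lower()) for d in digests}


if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_LISTING)
    for digest, name in sorted(lookup.items(), key=lambda kv: kv[1]):
        print(digest, name)
```

Whichever variant produces hits against a real index shows how the archive spells its paths; digests that stay unresolved belong to paths that are not stored as plain strings in the executable.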