Page 2 of 15 FirstFirst 12345612 ... LastLast
Results 11 to 20 of 146

Thread: Reverse engineering of Wipeout

  1. #11
    Join Date
    Apr 2015
    Location
    France, Paris
    Timezone
    GMT + 1
    Posts
    310

    Default

    Congratulations, you've nailed it

    It's incredible how info. can be hidden on the web yet it's just next to us, (haven't thoroughly checked that repo but I guess it's been helpful to you). I did try to IDA the Amiga version as someone shared it with me, but since it showed only dozen of subs I concluded it was not correct and stopped looking at it. I did look at Demo 1 about a week ago but I wasn't on that IDA thing yet.

    One of the thing I found really immersive when I first seen the experiment was the drawing distance, but while seeing your branch I have to say that it's nice as well though as you've laid is not essential. Now we know what VEW is about we can always do it properly later.

    What is bugging me is whether we'll be able to find all those scenery animations, I don't know if you've paid attention but actually there's a lot, from the rescue ship to those cameras following you etc ... it popped in front of my eyes with the PC version as while the PSX ver. is great, on the PC it's way more detailed.

    Which leads me to this, I finally have a working WOXL with the right speed on Win8.1 + dgVoodoo and there's even 1024*768 basically those patches were around for a while but there's no real clear help for recent Windows; I will inspect better and update a definitive tutorial !

    Otherwise I've found the definitive type of polygons : 23
    It's kinda hard to interpret those disasms, sometimes they're correct sometimes not, for instance some of types we already render do heavily use maths as you'll see in IDA, we can get a general overview however.

    I'll probably spend a last day with IDA then I'll stop because while it's fun, it's really exhaustive and haven't really progressed on the C# side.

    PS just PM-d you right now.

  2. #12
    Join Date
    Apr 2015
    Location
    France, Paris
    Timezone
    GMT + 1
    Posts
    310

    Default

    Hi !

    While started implementing your work and looking for the sizeof(TRS), a GREP search outputted the following:

    Code:
    TOTAL:    29 matches in 29 files  (119 other files without matches are not listed)
    ...
    1 match in C:\Users\Aybe\Documents\Visual Studio 2013\Projects\WXX-Rebirth\.gamedata\WIPEOUT\TRACK14\TRACK.INF
           9  sizeof( Section ) = 156 bytes
    1 match in C:\Users\Aybe\Documents\Visual Studio 2013\Projects\WXX-Rebirth\.gamedata\WIPEOUT\TRACK15\TRACK.INF
           9  sizeof( Section ) = 48 bytes // <-------------------- this one
    1 match in C:\Users\Aybe\Documents\Visual Studio 2013\Projects\WXX-Rebirth\.gamedata\WIPEOUT2\TRACK01\TRACK.INF
           9  sizeof( Section ) = 156 bytes
    ...
    (they're all 156 bytes as you know)

    The TRACK.INF:

    Code:
    TRACK INFO::
    ============
    dbName = /disk2/wipeout/SOFT/TESTS5
    sceneName = V3track_A-Lsave.1-0
    outName = trak1
    total vertex count = 1710
    total polygon count = 1378
    sizeof( Face ) = 20 bytes
    sizeof( Section ) = 48 bytes
    I remember seeing this and I've extracted the TRV of it :

    snap0862.png

    EDIT 1: while plot.ly is cool, I was skeptical of the output and decided to feed my points renderer, makes more sense now !

    snap0864.png snap0863.png snap0865.png

    EDIT 2: It does look like Terramax but when looking at it from bottom :

    snap0866.png

    Here's the track gone through my 'official' renderer
    (the textures might be okay as I haven't yet implemented the fix you've told for Gare d'Europa)
    snap0868.png snap0867.png

    Looks like we have another unfinished track but in WO1 this time ! strange

    Do you have any infos about it or did I miss something (again) from the repository ?

    Thanks

  3. #13
    Join Date
    Apr 2010
    PSN ID
    Xpand122
    Posts
    1,528

    Default

    That's Terramax
    http://wipeout.wikia.com/wiki/Terramax

    it looks slightly different in yours due to perspective distortion.

  4. #14
    Join Date
    Mar 2015
    Posts
    56

    Default

    @aybe : interesting finding. looks like a beta track of terramax that was left out.

    It feel like the CD content of wipeout is actually a full copy of dev working folder, and they then manually deleted what they don't want to show (eg : source files and such), leaving many stuff there by mistake (eg: in wipeout2 TRACK02, there is a LIBRARY.H file). Also, if you look at PS1 DEMO01 CD, in wipeout folder there is even icons of the track editor they used (as CMP file if I remember well).

    About your previous comment, where you mention "scenery animations" : they where probably hardcoded in the exe based on model name (found in PRM file).

    Most are too specific to be specified in data files (eg : cameras must look at player, some other object must rotate around Y axis and such...). That would explain all those string references to these models found in EXE file.

    There is anyway maybe some generic stuff (eg : texture that must rotate for ads panels near tracks ) that we missed out. There is still many unknown fields in PRM files to be discovered.

    These could contains some of these animations.

    --------------------------------------------------------------------------------------

    EDIT : oops, i did not saw your thread, let's give it a try

    about reversing engineering the game : i found some interesting part. This is the one that load the track sections.

    Code:
    int zLoadSections() //start at 0044D8F5
    {
      int result; // eax@2
      __int16 j; // [sp+Ch] [bp-Ch]@3
      __int16 k; // [sp+Ch] [bp-Ch]@6
      __int16 i; // [sp+10h] [bp-8h]@1
      int v4; // [sp+14h] [bp-4h]@1
    
      v4 = *(word_A296D4 + 20);
      for ( i = 0; ; ++i )
      {
        result = word_A296D4;
        if ( *(word_A296D4 + 8) <= i )
          break;
        zReadInt32(v4);
        zReadInt32(v4 + 4);
        zReadInt32(v4 + 8);
        zReadInt32(v4 + 12);
        zReadInt32(v4 + 16);
        zReadInt32(v4 + 20);
        zReadInt16(v4 + 24);
        zReadInt16(v4 + 26);
        for ( j = 0; j < 3; ++j )
        {
          zReadInt16(v4 + 2 * j + 96);
          zReadInt16(v4 + 2 * j + 102);
          zReadInt16(v4 + 2 * j + 108);
          zReadInt16(v4 + 2 * j + 114);
          zReadInt16(v4 + 2 * j + 120);
        }
        //unknow data
        for ( k = 0; k < 4; ++k )
        {
          zReadInt16(v4 + 2 * k + 126);
          zReadInt16(v4 + 2 * k + 134);
        }
        zReadInt16(v4 + 142);
        zReadInt16(v4 + 144);
        zReadInt16(v4 + 146);
        zReadInt16(v4 + 148);
        zReadInt16(v4 + 150);
        zReadInt16(v4 + 152);
        v4 += 156;
      }
      return result;
    }
    it confirms what we already know about TRS. the part in bold (which is 4 times two 16 bits integers) is still mystery.

    I tried to find reference to that special memory zone in code but did not found anything interesting.

    Unfortunatly the game does not run on my machine (because 64 bit OS ?). I tried with the Wipeout2097 PC demo, the installer seems to be 16bit . The exe just hang out (i have to kill the process).

    Would be it possible for you to game in an debugger (eg : ollydbg) and check which part of code read to this address (by putting a memory read breakpoint): *(0x00A296D4 + 20) + 126 ?
    Last edited by tigrou; 17th May 2015 at 05:48 PM.

  5. #15
    Join Date
    Apr 2015
    Location
    France, Paris
    Timezone
    GMT + 1
    Posts
    310

    Default

    Quote Originally Posted by Xpand View Post
    That's Terramax
    http://wipeout.wikia.com/wiki/Terramax

    it looks slightly different in yours due to perspective distortion.
    yes but it is upside down, we'll get a better view once we render the associated scene

    - - - Updated - - -

    @tigrou:

    Yes and I was hoping that there's a debug mode because there's a ptiDebug string but I don't think so -> it's been compiled as release mode and probably everything has been left out but the OutputDebugString calls that either Windgb or IDA will show (the log I've posted).

    For the scenery and animations we'll probably know once we're comfortable enough with the code base, I can't remember but I did find some tiny file and rendered the vertices, it did look like a whirlpool but did not pay much attention then. Looking back this could have been the animation paths of some scene object. Also I really need to get this scene object picker/reporter up, as once we'll know what raw bytes makes a polygon and so on I'm certain we'll progress on these unknown fields.

    I don't know what's going on up here, IDA does not work anymore on the VM apparently of this https://support.microsoft.com/en-us/kb/948854, did revert the snapshot but it didn't help ... the thing is locally I have no mouse so I can hardly use IDA. For this and ollydbg I am looking at it now ...

    Also the tutorial I wrote seems to need an overhaul, I'll see if I can address that within the next days. Just tried again and it works here, remember to :
    • copy CD to a dir
    • in this dir copy setup32.exe and set Win95 compat, install, etc ...
    • then edit the registry to point not to this folder but to your CD drive (note: it seems that a proper rip is needed with subchannels, as I've tried a bare ISO and it won't work)
    • setup dgVooodoo
    • then make sure Wipeout2.exe is run as admin but no Win95 compat


    This is what works here so you should be in-game ...

    Things are getting out of control but we are soon to get the control back

  6. #16
    Join Date
    Apr 2010
    PSN ID
    Xpand122
    Posts
    1,528

    Default

    Quote Originally Posted by aybe View Post
    yes but it is upside down, we'll get a better view once we render the associated scene
    That might just mean the track is mirrored vertically. Have you decompiled any other track to see if that happens with every track? Because that type of thing happens a lot in other games too, including models rotated by 90 degrees in some axis.

  7. #17
    Join Date
    Apr 2015
    Location
    France, Paris
    Timezone
    GMT + 1
    Posts
    310

    Default

    Thus far it's the only folder that we missed, I haven't thoroughly looked at others but from what I remember in the experiment javascript I've seen nothing in the like, i.e. they're all the same.

    Regarding mirroring (EDIT: was thinking of reverse in fact...) that's quite interesting, while trying to play the other way around I found that it is not possible in WO -> jumps. This would definitely be a nice perk in the remake, by now, modifying the track is clearly doable though it remains to be seen whether the UX will play fine.

    - - - Updated - - -

    Quote Originally Posted by tigrou View Post
    @aybe : interesting finding. looks like a beta track of terramax that was left out.

    ....
    Would be it possible for you to game in an debugger (eg : ollydbg) and check which part of code read to this address (by putting a memory read breakpoint): *(0x00A296D4 + 20) + 126 ?
    I finally got hold of the issue : VC Redist 2008

    This is what I found, it seems to be a byte it is checking for:

    Code:
    int sub_44AF32()
    {
      int result; // eax@2
      __int16 i; // [sp+Ch] [bp-8h]@1
      int v2; // [sp+10h] [bp-4h]@1
    
      v2 = *(dword_A25644 + 20);
      for ( i = 0; ; ++i )
      {
        result = dword_A25644;
        if ( *(dword_A25644 + 8) <= i )
          break;
        *(v2 + 4) = *(dword_A25644 + 20) + 156 * *(v2 + 4);
        *(v2 + 8) = *(dword_A25644 + 20) + 156 * *(v2 + 8);
        if ( *v2 != -1 )
          *v2 = *(dword_A25644 + 20) + 156 * *v2;
        v2 += 156;
      }
      return result;
    }
    The addresses you gave were different btw, also I haven't really understood how ollydbg works ... when you press X on that dword, all the subs using do appear ... but their name is not evocative -> I suggest that we do get in synch by using the same environment. I think the VM way is the best since you don't lose mouse facilities. Going to prepare something and get in touch, not today though but sometimes this week. Also, I'll try to rename as much as possible so we get a good start with the IDB. There's only one thing not working in the VM, -> retail version complain there's no 3d card; i'll see if I can make it work.

  8. #18
    Join Date
    Feb 2002
    Location
    Toulouse, France
    Posts
    541

    Default

    Iím pretty impressed by the RE youíve done so far. Keep up the good work guys.

  9. #19
    Join Date
    Apr 2015
    Location
    France, Paris
    Timezone
    GMT + 1
    Posts
    310

    Default

    Thanks, support is really appreciated I'm sure we'll get to it

    - - - Updated - - -

    Slight update,

    The TRACK15 will not load properly with the current code as its PRM has an older format ...

  10. #20
    Join Date
    Apr 2015
    Location
    France, Paris
    Timezone
    GMT + 1
    Posts
    310

    Default

    Hey,

    I'm pretty close to the level of features of the experiment

    snap0872.png

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •