Tecchical question about OOVPA finding and SDK versions

[amatthieu]

Prolog:
-------

If I understand well, cxbx replaces all calls to internal libraries routines
(like D3D8 ones) to call to the cxbx DLL, this way, all the cpu code is executed
"has is", and all the specialised tasks (3D, sound) are redirected to cxbx own
implementation.

I suppose the problem with the différents SDK version lies in the fact that the code
of the libraries routines change from version to version and if a function a
identified and hijacked in a given version all the job remains for other SDK versions.

That's why you must have access to the SDK used to compile the xbe to "easily" identify
the differents functions in it and choose the Offset-Value pairs.

Questions:
----------

- How do you find those pairs?
Do you identify the functions with a special sample application which "tags" the functions and
which you decompile to read the asm code? Is it all "by hand?"

- Could we find another technique to find those?
i.e. Don't all these HLE function use commons hardware interuptions? If right, the could be used
to find the adress of the function in a given xbe. With the calls ordrer and the "signature"/arguments
we could identify the code without an SDK bu with a base of xbe using the same XDK version.

- Could we find a way to feed OOVPA dynamically to test pairs at run time?


I hope all the questions and conjecture are not too dumb....

PS: by "we", I mean the people who bother you to see a particular
soft emulated and who would be more than happy to do the dirty job ;-)

[Exophase]

I personally haven't looked at the Cxbx source at all. But linked libraries don't actually end up at fixed values, so you can't identify these functions by their addresses. The number of arguments passed is available, but this isn't enough information to deduce very much.

The best technique (well, only technique) I know of for matching functions is to analyze some or all of the actual binary content of the compiled function itself in the code to see if it matches with an existing function (this could get a little slow, but none of it is real time so...). I've been kinda waiting for an official response regarding this myself, because I'm too intimidated to look at the source (I have an aversion to other people's source code >_<)

- Exo

[caustik]

pretty much the only way to locate these functions is to develop signatures by hand based on SDK versions. this process might be able to be automated (like FLIRT in IDAPro), but that would require the .lib files from the XDK (3911 XDK is nowhere to be found and requires reverse engineering)

[PentiumPro]

"I hope all the questions and conjecture are not too dumb...."

Uh. You sound as far away from dumb as possible buddy.

[jimmsta]

ok... so perhaps you could create some sort of... FAKE xbe that reads the program xbe, and records all anamlies... and... I forget what I was talking about...

[AnyJoe]

I would assume that locating the library functions in compiled code could be automated.

Basically working off the assumption that the library code will only change a small amount between releases of the XDK it should be possible to write an app that compares binary images to find the best match for any given function. The binary images fed into this app would be the extracted libraries from xbe files.

The app would need to be clever, it would have to:
- identify the start and end of a function.
- cope with the order of functions not necessarily being the same.
- cope with code being added/removed/replaced in a function.

Please feel free to flame me if I'm talking bobbins.

[caustik]

you may be able to narrow choices down to a specific set of functions, but human intervention would almost definately be necessary

[PentiumPro]

DUDE!You're right along with caustik almost.Quit putting yourself down!

"Please feel free to flame me if I'm talking bobbins."

[_amatthieu]

Thank you for your feed back.

This aswered almost my question but I have a new batch

- How do you find Offset-Value pairs once you spoted a function?
Do you search the occurence of each instruction and add the least
frequents one until the pair indentifies only this function?
If not, how? Is this done by hand?

- If we reverse enginner a xbe to find the function can we make the following assumptions:
1) All D3D functions are in the D3D section of the exectutable, etc
2) If an execution crashes in the converted xbe (not in cxbc.dll) it occurs inside a
function that havent been correctly redirected to cxbx code.
If right, would it be possible to printout the call stack addresses in the console?

- What about the interruption idea? (trying identify functions by the presence of very special
interuption or instruction sequences)

Thanks again!

[PentiumPro]

I have no idea what the hell he just said. Neato.