The state of Warsaw

Well, with Battlefield 4 by one of my favorite studios, Digital Illusions CE (better known as DICE), releasing within 24 hours, I think I should share some information here, just to be nice to everyone involved.

Before we begin, I’d like to say that this will sound very similar to Halo’s (Blam Engine) way of explaining things: content like images and sounds is called raw, metadata is called meta, and Ebx and other “describing” formats are called tags. From my observations, they seem to have taken a more centralized approach to storing all of their information. They have moved all of the raw data, and certain central ebx files, into the cascat format. The cascat format had been used in Battlefield 3 base, but it seems like it was neglected after release. Cas stands for Content Addressable Storage, and how it pretty much looks is this: you have a catalog file which contains offsets, file sizes, and a SHA1 hash of all of the data inside. (And by all of the data, I mean each file that is within a cas file has a SHA1.) The way that I have reversed it, it appears that for certain things you contact a CAS handler class, which will then look up the file, raw, or whatever is in it based on SHA1. In Battlefield 3, these SHA1s were not in any kind of order, and that caused the game to take forever to load on original maps even if you had an SSD, because it was re-computing SHA1s or looking them up in an unorganized manner. This problem most likely still exists in Battlefield 4, unless the cas building tool sorted the hashes beforehand. I have not actually looked into whether the hashes have been sorted.
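The catalog lookup described above, as an added example that is not code from the original post or from DICE. The 28-byte record layout (SHA1, then little-endian 32-bit offset and size) and all function names are assumptions for illustration. It contrasts a linear scan of an unsorted catalog with a binary search over a hash-sorted one, and re-checks the SHA1 when a payload is read.

```python
import bisect
import hashlib
import struct

# Assumed record layout for illustration only (the post does not give one):
# 20-byte SHA1, then little-endian uint32 offset and uint32 size into the cas blob.
RECORD = struct.Struct("<20sII")

def build_store(payloads):
    """Pack constructed payloads into a cas blob and an unsorted catalog."""
    cas, cat = bytearray(), bytearray()
    for data in payloads:
        cat += RECORD.pack(hashlib.sha1(data).digest(), len(cas), len(data))
        cas += data
    return bytes(cas), bytes(cat)

def parse_catalog(cat, cas_len):
    """Return [(sha1, offset, size)], rejecting entries that point outside the cas."""
    if len(cat) % RECORD.size:
        raise ValueError("truncated catalog")
    entries = []
    for sha1, offset, size in RECORD.iter_unpack(cat):
        if offset + size > cas_len:
            raise ValueError("entry %s points outside the cas file" % sha1.hex())
        entries.append((sha1, offset, size))
    return entries

def find_linear(entries, sha1):
    """Unsorted catalog: every lookup walks the list, O(n)."""
    return next((e for e in entries if e[0] == sha1), None)

def find_sorted(sorted_entries, keys, sha1):
    """Catalog sorted by hash: binary search, O(log n)."""
    i = bisect.bisect_left(keys, sha1)
    return sorted_entries[i] if i < len(keys) and keys[i] == sha1 else None

def read_verified(cas, entry):
    """Read a payload and check that its content still matches its address."""
    sha1, offset, size = entry
    data = cas[offset:offset + size]
    if hashlib.sha1(data).digest() != sha1:
        raise ValueError("content does not match its SHA1 address")
    return data

SAMPLES = [b"ebx:level", b"raw:texture", b"raw:sound"]  # constructed, not real game data
CAS, CAT = build_store(SAMPLES)
ENTRIES = parse_catalog(CAT, len(CAS))
SORTED = sorted(ENTRIES)
KEYS = [e[0] for e in SORTED]
```

Sorting once when the catalog is loaded (or when it is built) is what turns each later lookup into a binary search.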

In the BF4 Alpha Trial, Frankelstner noticed there was a different ebx header for the ebx data. Ebx data is Binary XML in a nutshell. I took a look into the matter and a quick IDA review showed that some of the information in the header had changed sizes; by that I mean it went from a 32-bit integer to a 16-bit integer in certain locations. A quick modification to the previous source code got us past that. Even better yet, upon analyzing the dumped Alpha Trial executable, I noticed that certain things that I could rely on for finding the ebx process function had changed; the most notable is the string “Bad EBX Partition Header” or something similar to that. So that got me a bit interested. After a few hours of comparing functions to the previous ebx reading code I was able to find and update most of the functions. DICE still uses a giant switch statement (Thanks Hex-Rays 🙂 ) as a partition reader, which whoever wrote that should be spanked (not really, but it's frustrating to reverse). But there was something different about it all.

In Venice (Battlefield 3), Medal of Honor Warfighter, and previous Frostbite 2 based games, the ebx reading code (binary xml) is called StreamingPartition blank, where blank would be Reader, Array, etc. In Warsaw (Battlefield 4) it's just called EbxPartition blank, where blank means the same as before. There are minor changes throughout, but it caused me to separate some of the code into 2 different sections within “IceEditor”. There is a reason I put IceEditor in quotes for now. Along with the ebx code changing certain things in the header, having a 64-bit alignment also became an issue. It's not a major issue because, well, screw alignment.

tl;dr; IceEditor is now called Project Rime and will probably be an open source project near its completion, since once all of the base framework is finished it won’t be that hard to properly add support for new games using the Frostbite engine. There will also be backward compatible support eventually if someone wants to step up for the project. (BC2, BC1 support) There have been many, many hours lost in reformatting without backing up the project, source control servers deciding to go poop and losing all data. lada lada.

Server and domain migration.

Hello everyone, I just wanted to say I have moved blog.allenthinks.com to kiwidog.me. All of the links on the website have been replaced and should still exist and work as planned. If there are any mistakes with downloads etc. not working, or any issues at all, please let me know through the contact me page or on the Facebook page. Please, if there is ANYTHING at all wrong, let me know.

All current projects process.

Here we go again! This is pretty much an update on what I have been doing over the last few months. Long story short, “real life” sucks. There is nothing but a bunch of work and school keeping me busy. I currently don’t have internet, television, or phone in my current apartment due to it being temporary for the next few weeks. Then I’m moving into a more “permanent” residence.

VeniceFX Progress:

  • All players now sync correctly (less/no jumpiness via spectating at a distance)
  • All sounds work properly when in free-cam mode
  • Spectator mode re-implemented
  • Xbox 360 controller support should work…(untested, no controller)
  • Fixed bug preventing spectating a player
  • Commands can be saved in a text document in BF3’s root directory for tweaking VeniceFX colors/plugins/commands
  • Fixed click breaking everything
  • Removal of the need of the Alt-Tab “fix”
  • Ray-casting added to “jump” to a player
  • First person spectating is experimental and may not work/crash
  • Updated to work with the latest release.
  • v4 uses 100% engine functions (using 100% engine functions means the code base shrank a great deal)
  • Spectator text is now pretty 🙂

VeniceUnleashed:

  • Soon “TM”
  • Closer to completion than not
  • Still being worked on
  • Sorry for not more information

IceEditor:

  • Backend code base has been re-designed to be closer to official DICE
  • Will probably be re-done one more time to support BC2 and BF4
  • Light BF4 support added
  • More ITexture/Data->Raw formats added (Now supports DXT1,2,3,5, ARGB8)
  • Decompiling original map support added
  • Decompiling some patches support added
  • Delta patching experimental code first success.
  • Decompiling a map broke once more
  • UI re-design. (Thanks to rukqoa)
  • SHADOW implementation
A very early build of the metro style IceEditor

Any other questions or concerns, just leave a comment below.

VeniceFX Public Beta v3.3b Is Released for End Game Patch!

Update for VeniceFX v4.0: Hello everyone, I just have a status update about VeniceFX. Everything should be 100% working with most bugs fixed for the 4.x release of VeniceFX, which will probably be the last build to be created. In theory VeniceFX 4.x+ should be backwards and forward compatible with any update, but it is only tested and developed for the latest patch. (End Game 1.0)

  • Alt-Tab Fix Required – Fixed
  • Clicking the mouse breaks freecam – Fixed
  • Random loss of keyboard device – Fixed
  • Xbox 360 Controller Crash – Fixed
  • DirectX 11 Tweaks (Wireframe + Shaders) Re-Implemented
  • Proxy Module is auto-loaded, or injected with the VeniceFXLoader tool
  • Non-Structural Auto-Updater Created

Welcome everyone again, if you are viewing this page you have seen/been told about the previous version of VeniceFX or the great boost in support for Spectator Mode or Free Flying Camera. Well, thanks to all who donated to the project, here is a beta release! Most all of the features have been implemented or are planned to be implemented. I want to get this build out there for the people who have been waiting for a long time. Thanks to the people who did intermediate beta testing when new builds were created. Please, if there are any issues/bugs that are not already noted, leave me a comment on the post and I will take a look at it. If you crash (which you shouldn’t; I haven’t had crashes at all) please let me know what you were doing at the time of the crash.

VeniceFX v3

Please I ask, just read the readme. But if you don’t want to do that, here are some highlights from it.

Changelog for V3.3b:
* Updated for End Game Patch
	- No New Features

VeniceFX v3.3b Beta (March 5-2013 Patch)


Unlocking Brink’s Console on Xbox 360

Xbox 360 Brink Unlocked Console

Brink, one of the newer id Tech games running under the idTech4 engine, still keeps to the original roots of the idTech engine. I had a hunch that the console would be easily unlocked with just a keyboard. Well they did better than that to leave a console fully enabled in the game…or did they?

I started to mess around with Brink, reversing the engine and comparing it to the previous idTech games. They are very similar with huge improvements and very good work done by the guys at id software. Just for personal use I wanted to be able to run my console commands just like on the PC version.

The console command that gets pushed through the engine to “show” the console is “com_allowConsole” or “com_allowFullConsole”. While experimenting with this engine, I found out that the button binds are re-loaded from a .cfg file within the files inside of the game's archives. I did not do very much research into the game archives, BUT all hope is not lost. If you were to search for the string “com_allowFullConsole” you can find where a cvar list is generated with defaults and pointers to game code to execute, similar to Call of Duty (Quake 3 Engine). The engines are similar in the way that they handle cvars.


Call of Duty Series Console Unlocking on All Platforms

DOGBIT.IN Call of Duty Console

Since Call of Duty 4 was released on PC, I wished that there would be some way or form to enable console for the Xbox 360 and PlayStation 3 platforms. There were findings in the way of removing the RSA Security checks on the executable on both platforms when the appropriate tools were released publicly. Mainly that method was used for cheating, unlocking everything online and changing leaderboard stats. This is not what I wanted to be done. Some cool things did come out of it like a CoDJumper mod and a few other zombie mods but most of the time it was just for “10th Prestige Lobbies” and for cheating.

In early 2007 Infinity Ward and Activision released an open public beta of Call of Duty 4 for the masses to play, then pulled the servers after the beta went down. This left a collector that wanted to play the game again unable to, due to the LIVE servers being taken down and getting signed out of LIVE when they wanted to play.


Call of Duty: Modern Warfare 2 Debug Output

Some patches were created to have all of the debug output that gets suppressed in the retail versions of Call of Duty to get spit out over a custom console. This is just an output that was created. The patch is also included with the debug output. You will need xorloser’s xextool and TheFallen93’s xepatcher tools to compile this patch on to a clean xex. The patches were created by kiwidog (http://allenthinks.com)

Here is the patch.

# ============================================================================
#   Call of Duty Modern Warfare 2 Multiplayer Debug Output Patches by kiwidog
# ============================================================================
		.globl _start
_start:
		.set DisableChecks, 0x821AF044
		.set InstallHook,	0x8227EB58
		.set Hook,			0x820C8390
		.set DbgPrint,		0x8242CCA4
# ============================================================================
#	Hook
# ============================================================================
		.long Hook-0x8000
		.long (9f - 0f) / 4
0:
		mflr	%r23
		mr		%r3, %r4
		li		%r4, 0
8:		bl		DbgPrint-((8b-0b)+Hook)		
		mtlr	%r23
		blr
9:
# ============================================================================
#	Disable RSA/Sha256 Checks
# ============================================================================
		.long DisableChecks-0x8000
		.long (9f - 0f) / 4
0:
		li	%r3,	1
9:
# ============================================================================
#	Install Hook
# ============================================================================
		.long InstallHook-0x8000
		.long (9f - 0f) / 4
0:
		bl		Hook-InstallHook
9:
# ============================================================================
		.long 0xffffffff
		.end
# ============================================================================

Have fun and good luck 😉


A Ghetto C++ Patching Library

I noticed that when most people patch their modules they have some issues, like they will have to precompile all of their work and then memcpy the precompiled byte array over (with VirtualProtect and other goodies). I was wanting a method that would be a little bit more hackish but would make testing patches easier in the long run. I started messing around with __declspec( naked ) and this is what it got me.

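#include <windows.h>

// Naked function: the compiler emits no prologue/epilogue, so the body is
// exactly the bytes written in the __asm blocks (MSVC, x86 only).
__declspec( naked ) void mPatch()
{
    // Insert Assembly Code Below
    __asm
    {
        // Add Assembly Here
        nop;
    }

    // Do not erase, it's for protection: four INT 3 (0xCC) bytes mark the end of the patch
    __asm
    {
        INT 3;
        INT 3;
        INT 3;
        INT 3;
    }
}

// Returns the number of patch bytes before the 0xCCCCCCCC end marker,
// or 0 if the marker is not found within timeoutSize bytes.
DWORD calcPatchSize(void* funcBase, DWORD timeoutSize)
{
    const BYTE* base = (const BYTE*)funcBase;
    // x86 instructions are variable length, so scan one byte at a time
    // (a 4-byte stride skips the marker unless the patch size is a multiple of 4)
    for (DWORD i = 0; i + sizeof(DWORD) <= timeoutSize; i++)
        if (*(const DWORD*)(base + i) == 0xCCCCCCCC)
            return i;
    return 0;
}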


VeniceFX – Progress Update 2, 3 & 4

As many of you may have seen, I started working with DirectX 11 and Battlefield 3 to create some modified textures etc. Primarily for movie/machinima makers. The project has changed from TeamCanineConfig to venicefx for the updated framework and using quite a few engine features in Frostbite 2. Here are a few videos that show off the features so far.

EDIT: The newest video of VeniceFX is up, it will use everything through console commands. Thanks DICE for re-implementing that 😉



Battlefield Bad Company (Frostbite Legacy) File Research

I will try to do my best to update this with most of my newest research as I continue on with the project. I plan on making beloved Mod Tools for Bad Company 2. So far we can remove the “safe play area” so you can go exploring outside of the map with no problems. I do think something similar will be done for Battlefield 3 (Frostbite 2 Engine) but you never know. So far from what I can tell most of the files are way different and look just like raw data at a glance. (I will post/talk about my Battlefield 3 Venice Mod Tools at a later date).

It seems like nobody has really taken a crack at the game files. Or if they did, it's incorrect except for 1 or 2 items, which won’t cut it at all. So far my current tool does not extract all the files that are found inside of the fbrb archive. It extracts the majority of them, which is a hell of a lot more than what I can say for other bms scripts. (~39 Files :: ~10MB of data???? wtf, versus ~348 Files :: ~90MB of Data)

        struct fbrb_header
        {
            public char[] m_magic; // "FbRB"
            public int m_firstFileSize;
        }

        struct fbrb_containerHeader
        {
            public int m_version;
            public int m_fileNameTableSize;
            // String Data Here
            public int m_numFiles;
            // Not part of struct, adding for ease
            public List<containerHeader_Item> szItems;
        }

        struct containerHeader_Item
        {
            public int m_fileNameOffset;
            public int m_fileFlags;
            public int m_fileDataOffset; // Inside Data Container
            public int m_fileDataSize; // Inside Data Container
            public int m_fileDataSize_1; // Unknown
            public int m_fileTypeOffset; // Read As String to Figure out what kind
            // Not part of struct, adding for ease
            public string szFileType;
            public string szFileName;
        }
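A parser for the container header laid out in the structs above, as an added example that is not the author's tool. It assumes details the post does not state: big-endian 32-bit fields, NUL-terminated strings, name and type offsets relative to the start of the string table, and a caller-supplied `data_len` for the size of the data container. It rejects string and data offsets that fall outside their buffers.

```python
import struct

# Assumptions for this sketch (the post does not state them): big-endian 32-bit
# fields, NUL-terminated strings, name/type offsets relative to the string table.
ITEM = struct.Struct(">6i")  # the six ints of containerHeader_Item, in order

def cstring(table, offset):
    """Read a NUL-terminated string, refusing offsets outside the table."""
    end = table.find(b"\0", offset) if 0 <= offset < len(table) else -1
    if end < 0:
        raise ValueError("bad string offset %d" % offset)
    return table[offset:end].decode("ascii")

def parse_container(buf, data_len):
    """Parse fbrb_containerHeader; data_len is the size of the data container."""
    version, table_size = struct.unpack_from(">ii", buf, 0)
    if table_size < 0 or 12 + table_size > len(buf):
        raise ValueError("string table larger than header")
    table = buf[8:8 + table_size]
    (num_files,) = struct.unpack_from(">i", buf, 8 + table_size)
    pos = 12 + table_size
    if num_files < 0 or pos + num_files * ITEM.size > len(buf):
        raise ValueError("item count larger than header")
    items = []
    for fields in ITEM.iter_unpack(buf[pos:pos + num_files * ITEM.size]):
        name_off, flags, data_off, data_size, _size_1, type_off = fields
        if data_off < 0 or data_size < 0 or data_off + data_size > data_len:
            raise ValueError("file data outside the data container")
        items.append((cstring(table, name_off), cstring(table, type_off),
                      flags, data_off, data_size))
    return version, items

def build_container(version, files):
    """Build a constructed header from (name, type, offset, size) tuples."""
    table, items = b"", b""
    for name, ftype, data_off, data_size in files:
        name_off = len(table)
        table += name.encode() + b"\0"
        type_off = len(table)
        table += ftype.encode() + b"\0"
        items += ITEM.pack(name_off, 0, data_off, data_size, data_size, type_off)
    return (struct.pack(">ii", version, len(table)) + table
            + struct.pack(">i", len(files)) + items)

# Constructed sample, not taken from a real archive.
SAMPLE = build_container(2, [("levels/demo", "dbx", 0, 64), ("fx/smoke", "itexture", 64, 32)])
```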

That's all for now folks.