RVLution

[RetroHelix]

Hi,
I was trying to analyze the image format (*.WTM, magic WTMD) of the game Arc Rise Fantasia. Actually I started some years ago and never moved on. Here is what I found out back in the days (posted it over at Xentax under the name Polefish):

Code: Select all

Offset Size Description
0x06 2byte Palette Offset - offset to Palette Data
0x08 2byte Width
0x0A 2byte Height
0x0C 1byte Imageformat - RGB565/RGBA8/CI4/CI4... see yagcd for more info
0x12 2byte Data Offset - offset to image Data
0x15 1byte paletteformat
and some more information like headersize and magicbytes...


This was enough to take a look at the most images of the game. But I was only able to work this out because the imageformat is very similar to the standard TPL image format. Since there are still some images that I cant convert I want to find out more about the format by looking at the code in IDA. And here is my problem. I was not able to make out the routine that loads the image. I was trying the following:
Letting the game run till a WTM image is loaded and pause the game. Searching the RAM for the magicbytes (WTMD) and setting a memorybreakpoint at the address. By breaking at this address I would be able to see which routine is loaded with Dolphin.
But I don't even find the magicbytes... Searching a dump of the MEM2 will give me many results. The memorysearch in Dolphin yields nothing at all. And in MEM1 I can't find any traces of an imagefile with Dolphin nor by searching the dumped RAM.

So how can I find out which the routine to load up the WTM is to load it up in IDA?
Cheers.

PS. Are the memory breakpoints in dolphin for MEM1 only or MEM1and MEM2?

[MalStar1000]

Piracy is not supported on RVlution (which includes Dolphin.) Also, I doubt anyone here knows a lot about that game because I have never heard of it.

[Kamek64]

That's not piracy but reverse engineering a game like Treeki did with NSMBW.

[Mario64]

Discussion of Dolphin and help with Wiiscrubber if you have the disc is permitted. Release of ISO's, discussion of how to get them, is not permitted.
Don't be blunt if someone says the word 'ISO'.
ISO.

[RetroHelix]

Its the procedure in general I'm eager to know and what is piracy about Dolphin? I just take this as is, so dont discuss about it pls. At least not in this thread.

[CanadaX21]

Discussion of Dolphin and help with Wiiscrubber if you have the disc is permitted. Release of ISO's, discussion of how to get them, is not permitted.
Don't be blunt if someone says the word 'ISO'.
ISO.

I would never help anyone with wiiscrubber, it's such a terrible program, especially compared to Wiimms tools

[Treeki]

A couple things you can try... assuming you've already loaded the game binary into IDA.


- Search the Strings window for relevant stuff. This can be a bit of a jackpot occasionally, you'll probably find filenames - which can lead you to code which uses them - and maybe even assert/warning messages relating to the code you're looking for.

- Use the "immediate value" search to look for code that loads 0x5754 or 0x4d44 (WT and MD). PowerPC loads values 16 bits at a time (using lis/ori or lis/addi pairs) so you cannot search for both.


Not sure if you'll have much luck with Dolphin's memory breakpoints - I always had trouble with them :(

[RetroHelix]

Searching for the string in IDA was the first thing I did It found mostly file names and I was not able to make anything out of this. But you can find quite much gametext and some references to the cpp files that were used for some gamemeachnics.
I did not know about the immediate value search. Just tried it but no results. Thats a bit strange imo. Does this mean the game is not checking the magicnumber at all?
I gave up on Doplhins memorysearch already but I liked the idea of finding the routine through a breakpoint on memory (read about it on Delroth's blog http://blog.delroth.net/2011/06/reverse ... er-part-1/).
Loading a WTM image is one of the first things the game does (the wiimote warning screen Sys/strapA_us.wtm) but since there is so much other stuff to process, stepping trough is no option.
I thought I could fiddle out how the image loading works if I had the right routine in front of me but if I'm not even able to find it... I surely have to learn more about the whole thing first
The static analysis (just looking at the imagedata and trying out everything that comes to my mind) is more for me