I'm having trouble getting The Italian Job (2001) to start properly when running it in a window. I tried enabling the DirectX8 version hook but it didn't work. Running the game without DxWnd works fine.
This game is strange because it seems to use a bunch of different exe files (86) in the code\exes\ folder rather than just using TIJ.exe by itself. Any insight is appreciated.
This must be an interesting case.
I saw some time ago that it was a difficult case, but then I must have forgotten about it.
Now I'm trying again, with little success. Before getting involved with the bunch of files of the code\exes subfolder, the game has problems of its own also within TIJ.exe alone.
First of all let me say that the game is copy protected with Win10-incompatible protection, so it needs a crack, but (according to Avira) there is a viral cracked exe. I grabbed a second one, and this was reported as clean, so if you're in doubt I can provide my copy of it.
As you said, the game works perfectly without DxWnd but doesn't work with it.
Looking at the logs and the files, there are at least two peculiarities:
* DirectDraw8 device created with D3DCREATE_PUREDEVICE+HARDWARE_VERTEXPROCESSING flags (is it a problem? Who knows ...)
* a peculiar binkw32.dll library with functions dedicated to D3D8.
So, let's begin ....
Last edit: gho 2017-03-24
The demo works fine on my side by using the settings below, don't ever try to minimize on racing mode or you will end up in pain..
Last edit: 2017-03-24
The game crack shows one strange problem, maybe depending on the cracking operation.
TIJ.exe links USER32.DLL and references ChangeDisplaySettingsA, the call that changes the screen resolution and color depth.
DxWnd is supposed to intercept this call, but running the program step-by-step, when you get to that instruction (see red-highlighted line) the called address seems to belong to apphelp.dll and DxWnd doesn't intercept it.
Following the call inside you get into something that looks like a shim, but I can't find a way to bypass it even copying the exe. Perhaps the crack introduced a self-shimming inside the code? I'm really puzzled, it's the first time I see such a thing!
Some interesting stuff here: https://www.vogons.org/viewtopic.php?f=8&t=41047
In particular it confirms that the many exes are one mission each and they can be played singularly. So, if you're not too interested in the main frontend and some connecting movies, you can hook these files. The only trick to make them work is to set the video initial resolution to the actual resolution of your desktop (1980 x 1020 in my case..). Oh, my! There are 99 stages!!!
Beware! It seems that the stage executables are attempting to communicate with the father process by messages that, when launched by DxWnd, are sent who knows where, causing all sorts of problems (windows resized, change of focus, program activations, a sort of informatic poltergeist!).
Be ready to stop the game or to call for a shutdown!
Yeah, I get the same results too. It's unfortunate that each mission must be hooked and launched individually, and task switching is pretty much useless too.
Last edit: mikuaddict 2017-03-27
The picture shows the strange internal rerouting of several essential routines to the apphelp module (as far as DxWnd is concerned, EnumDisplaySettingsA, ChangeDisplaySettingsA, Direct3DCreate8) that masks these calls from DxWnd and blocks the windowing process.
Here is something odd. The TIJ.exe has a stripped OFT, so DxWnd tries to guess the function pointers by means of the serialized algorithm, considering each API following the DLL name.
But in this game the trick doesn't work because there are no NULL characters between the function names, as you can see in the hexdump of the PE. The result is a bogus call detection, as shown in the log.
Is there some tool able to rebuild a valid OFT?
I see that there is an order in the sequence: each call name is separated from the following by 3 bytes: the first 0x00 is the string terminator, then a 2 bytes WORD who knows for what, and then immediately after the next function name. That should be enough to try to decode the OFT.
Progress: now the PE navigation is patched, DxWnd can hook all necessary methods BUT the auto-hooked ChangeDisplaySettingsA. Result: the game still runs fullscreen. But no more crashes and I can even see the D3D8 operations log.
We're so close ....
ChangeDisplaySettingsA was hooked: finally the game starts and doesn't change screen resolution.
Now some work has to be done to properly hook Direct3DCreate8, that shows some problem when hot-patched. Also the window management is not ok (window size & position). One step at a time ....
Ah, much better! Finished? No, not yet, but we're getting closer.
The only problem is that to get this result I had to put my hands into the IAT scan routines that are the very heart of DxWnd, so let's hope for no regressions for "normal" games!
Hey! Here is a small and easy riddle.
Guess what is working now that wasn't working at all with previous release of DxWnd?
I mean, apart from "The Italian Job"....
A little hint? here it is.
Back to "The Italian Job", here are the few things that still should be fixed:
* right now (at least to me) the game starts with a black window, though you can hear the sound in the background. If you minimize and restore the window, the intro movies and all the rest are rendered. There must be something in the screen initialization that should be fixed.
* though theoretically not necessary, it would be very convenient to apply a hooking schema to all the 99 missions in a single configuration, possibly inheriting the father's one. 100 entries for a single (and, let me say, a little dull) game are quite too much.
um, do you think allowing to add/drag'n drop multiple .exe files is a good idea? A new panel will come up after setting a previous one.
Last edit: 2017-03-26
No, simply because after adding 100 mission executables in a single drag&drop operation you'd have to personalize each one of them by setting the custom initial screen resolution.
Better make something more automatic, though I'm still trying to figure out what to do.
Whoever is trying to test this game should be aware of one technicality:
the game, the mission executables in particular, seems to use a damned trick to send itself mouse clicks (through the send_input USER32 function) probably for the purpose of being sure to be in the top Z-order level and always over the launcher TIJ.exe.
But bringing the program into a window causes the undesirable effect of sending clicks here and there, easily intercepted by other programs and producing an incredible chaos on the desktop!
I'm adding a DxWnd flag to prevent this from happening, also because in windowed mode this trick is perfectly useless.
Here it is, a better beta version with the "No mouse event generation" flag and the updated exports.
It will be interesting to see if the new IAT browsing will be still compatible with all other games or we must be ready for some disaster!
Anyway this game taught me one important lesson. An Italian fellow like me should never attempt to drive in a United Kingdom city: I keep getting the wrong lane, and the police is always behind me!
We can stop the hunt: I got a game that doesn't get properly hooked by the current schema, and that's "Wall Street Trader 2000". So, this is more or less the picture:
When opening an IAT you can find either
* two consecutive .DLL entries - that's what I called the sequential schema
* sequences of DLLs with their respective API names - that's the regular schema
In both cases, you can have OFT pointers or not. OFT is a pointer to the API name, so that you don't care what sequence type you have, you go straight to the function name.
In case the OFT is stripped, you can navigate the function names in the sequential case, but there are two variants of the regular schema:
* packed: each api name is followed by 1 0x00 byte as string terminator and 2 bytes (a word) holding the hint field, then the next function name (e.g. The Italian Job)
* aligned: similar to the previous one, but the api name is followed by either one or two 0x00 so that the hint field is aligned to a word boundary (e.g. Wall Street Trader 2000)
In conclusion, since it is not so easy or advisable to scan the IAT to guess what is the used schema, I fear I'll have to add another very obscure flag to the "Hook" section to tell the "packed" and "aligned" schemas apart.
@aqrit: you appear now and then in an unpredictable way, but here I'd really like to get your opinion, mainly on the following questions:
* are there other different schemas?
* is there a reliable way to make a forecast?
Last edit: gho 2017-03-27
The result (until something new happens...):
* code for sequential scanning (used by "Al Unser Jr. Arcade Racing") is left untouched and can be detected looking for consecutive .DLL strings
* Stripped OFT: 99.99% of the cases have the same schema (called WORD align): apiname, string terminator, possibly one more NULL byte for word padding and two bytes for the hint (possibly 0). The code was changed and, in theory (and in practice for Zork), should provide better hooking.
* Stripped OFT: 1 game (The Italian Job crack) has no byte padding, in this case you HAVE TO set the BYTE alignment flag to have it working properly.
So, in conclusion, a lot of new flags, but in reality only one game (The Italian Job crack) requires a non default setting.
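The two stripped-OFT name layouts described above (packed versus WORD-aligned), as an added example that is not DxWnd's own code: it builds a constructed run of import-by-name records for a few USER32 imports, walks it under each assumption, and shows the bogus hints and truncated names that come out when the wrong schema is assumed. The hint values and the name-plausibility heuristic are assumptions made here; the heuristic also illustrates why a scan alone cannot always tell the two layouts apart.

```python
import re
import struct

# A plausible Win32 export name (e.g. ChangeDisplaySettingsA). Anything else
# coming out of the walk is the "bogus call detection" the thread mentions.
API_NAME_RE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_@]*$")

# Constructed sample: three USER32 imports with made-up hint values.
SAMPLE_IMPORTS = [(0x11, "ChangeDisplaySettingsA"),
                  (0x9C, "EnumDisplaySettingsA"),
                  (0x2B0, "SendInput")]


def build_name_table(entries, aligned):
    """Build a run of IMAGE_IMPORT_BY_NAME records: WORD hint, name, NUL.
    aligned=True adds one 0x00 after the NUL whenever the next hint would
    start at an odd offset (WORD-align schema); aligned=False does not
    (packed schema, as in the Italian Job crack)."""
    out = bytearray()
    for hint, name in entries:
        out += struct.pack("<H", hint) + name.encode("ascii") + b"\x00"
        if aligned and len(out) % 2:
            out += b"\x00"
    return bytes(out)


def walk_name_table(blob, count, aligned):
    """Decode up to 'count' records assuming one schema. Returns
    (hint, name, plausible) tuples; plausible is False when the decoded
    bytes do not look like an export name."""
    pos, records = 0, []
    for _ in range(count):
        if pos + 2 > len(blob):
            break
        (hint,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        end = blob.find(b"\x00", pos)
        if end < 0:
            break
        name = blob[pos:end]
        pos = end + 1
        if aligned and pos % 2:  # skip the padding byte before the next hint
            pos += 1
        records.append((hint, name.decode("latin-1"), bool(API_NAME_RE.match(name))))
    return records


def detect_schema(blob, count):
    """Heuristic assumed here (not DxWnd's logic): try both schemas and return
    the only one yielding plausible names, or None when both or neither do."""
    plausible = [s for s in ("packed", "aligned")
                 if all(ok for _, _, ok in walk_name_table(blob, count, s == "aligned"))]
    return plausible[0] if len(plausible) == 1 else None


PACKED_TABLE = build_name_table(SAMPLE_IMPORTS, aligned=False)
ALIGNED_TABLE = build_name_table(SAMPLE_IMPORTS, aligned=True)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_TABLE), ("aligned", ALIGNED_TABLE)):
        for assume_aligned in (False, True):
            print(label, "walked as", "aligned" if assume_aligned else "packed",
                  walk_name_table(blob, 3, assume_aligned))
        print(label, "detect_schema ->", detect_schema(blob, 3))
```

Walking the packed table with the aligned rule still yields names that look valid (the second one merely loses its first letter), which is exactly the case where only a manual flag can settle the schema.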
Is there an option to make any of the other executables the game opens be in a window too? I thought 'Hook child WindowProc' would do it... Also, DxWnd seems to mess up the timing on the individual stage executables. :( (https://www.youtube.com/watch?v=clvuqpHW0EE )
Sadly no, DxWnd has problems hooking pathnames with wildcards, so right now the only option is to hook each single executable individually. Or at least a few of them, 'cause the game sucks a little and it is likely that one gets tired of it in a while.
Last edit: gho 2017-06-02
how about using injected suspended mode for both menu and mission .exe?
What about the timing issue? Can that be fixed? ( https://www.youtube.com/watch?v=clvuqpHW0EE )