EEex icon indicating copy to clipboard operation
EEex copied to clipboard
verified publisher icon Bubb13

docs for linux?

Open gatperdut opened this issue 11 months ago • 3 comments

Hello! I've been using extensively the eeex docs at readthedocs.io to port tapahob's radar overlay to linux, though writing it from scratch. I got the windows parts figured out (system calls and event hooks mostly) but I've really hit a wall with the memory layout.

I've been using gdb to examine parts of the 64 bit process (it's the steam version) and can find CGameSprite and its reference inside CGameObjectArrayEntry without problem, but beyond that it's a mystery. Can't find the first array element (the address where CGameObjectArray lives, I assume) despite trying a few scripts to move back in sizeof(CGameObjectArrayEntry) steps and examining what's there. Also tried reaching the array start by looking at other values, like gold, or a character's xp, so I can work my way back to it without success. At some point, while pulling from the thread, the references stop matching or can't be found. ASLR is disabled.

Long story short, I wanted to ask if you have any any sort of documentation for the linux version that could help me out. I suspect it's the memory layout not matching the one from eeex, since it's the windows version.

gatperdut avatar Feb 13 '25 19:02 gatperdut

Hello. This is the same problem I ran into when trying to port EEex to Linux. The memory layout isn't known for the Linux binaries – however, they do have function / global symbols. If you were so inclined to track everything down, you could use Ghidra (or another reverse engineering tool) to search for uses of a field in the Windows binary. From the hits you could then navigate to a corresponding Linux function that you know uses the field, and try to analyze its contents to find the correct field offset.

Bubb13 avatar Feb 13 '25 19:02 Bubb13

Thanks, I wouldn't have thought of that approach. but oh gawd my eyes, ghidra. got bg2 almost running within it with gdb, with the hopes of setting a breakpoint somewhere and see if I can find a pattern across multiple executions. Just needs to set the current working directory properly... the console shows "can't find engine.lua, can't find chitin" (with double exclamation marks :/)

gatperdut avatar Feb 14 '25 14:02 gatperdut

I think(?) I figured out the addresses for BG2 64bit under linux, steam version.

The number of entities seems to live as a half-word (2 bytes) under 0x55555613F776. It's 2001 greater than the actual value, though, as mentioned below. For example, right at the start of the game Irenicus' dungeon it's 2226, for 225 "real" entities.

The consecutive elements of CGameObjectArrayEntry (16 bytes each) seem to live under 0x5555560BF780, with the first 2001 entries being junk as far as I can tell, which is consistent with what I saw in the radar code.

That gives a good first entry at 0x5555560BF780 + 16 * 2001 = 0x5555560c7490.

Each one looks something like this:

0x00000000000007d0 0x000055555b74f850

First 2 bytes are an id, the next 6 are padding, the other 8 are the pointer to the object.

A couple of things that 🤨:

  1. The addresses are absolute instead of an offset. With ASLR disabled, the heap is mapped consistently like this: 0x555558ed2000-0x55555e954000 (by looking at /proc//maps), with the end address moving forward as more space is needed, I assume. But the start is always 0x555558ed2000. Is that only true for my machine?
  2. The addresses are not within the heap!

gatperdut avatar Feb 16 '25 09:02 gatperdut

Closing this out since this was resolved externally, (congrats on the release of BGPartner)!

Bubb13 avatar May 15 '25 01:05 Bubb13