Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  
Pages: 1 ... 193 194 [195] 196 197 ... 244

Author Topic: DFHack 50.14-r1.1  (Read 893229 times)

lethosor

  • Bay Watcher
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2910 on: May 02, 2021, 03:32:21 pm »

Ah, thanks for tracking that down. Sounds like something that confused me when I saw it, but I don't use the script often and didn't realize it was a bug.

This is something that is best reported in the issue tracker. I opened a report here: https://github.com/DFHack/dfhack/issues/1844
Logged
DFHack - Dwarf Manipulator (Lua) - DF Wiki talk

There was a typo in the siegers' campfire code. When the fires went out, so did the game.

Bumber

  • Bay Watcher
  • REMOVE KOBOLD
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2911 on: May 05, 2021, 04:07:14 pm »

Alternatively, you could start with a breakpoint on a known function (exported symbol or virtual method).

How do you find known functions? I don't see anything under IDA's function list. Are they listed with the structs? Are they at known fixed addresses?
Logged
Reading his name would trigger it. Thinking of him would trigger it. No other circumstances would trigger it- it was strictly related to the concept of Bill Clinton entering the conscious mind.

THE xTROLL FUR SOCKx RUSE WAS A........... DISTACTION        the carp HAVE the wagon

A wizard has turned you into a wagon. This was inevitable (Y/y)?

Clément

  • Bay Watcher
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2912 on: May 05, 2021, 05:46:08 pm »

vtable addresses are in symbols.xml. I guess the rtti scripts are supposed to find them too, but I've never used them.
Logged

Bumber

  • Bay Watcher
  • REMOVE KOBOLD
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2913 on: May 06, 2021, 06:28:12 pm »

vtable addresses are in symbols.xml. I guess the rtti scripts are supposed to find them too, but I've never used them.

Not sure how to use that to locate the right addresses in IDA. I tried adding a Win64 hex value in symbols.xml to the start address of the DF module, but that doesn't seem to lead to the right place. Is there a way to automatically load that data into the disassembler?

I just noticed that running DF from IDA loads a lot more info than attaching to process. Not sure if it's useful info for DF, though, and it assigns certain data as XMM instead of the quad words I need.
Logged
Reading his name would trigger it. Thinking of him would trigger it. No other circumstances would trigger it- it was strictly related to the concept of Bill Clinton entering the conscious mind.

THE xTROLL FUR SOCKx RUSE WAS A........... DISTACTION        the carp HAVE the wagon

A wizard has turned you into a wagon. This was inevitable (Y/y)?

lethosor

  • Bay Watcher
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2914 on: May 06, 2021, 11:03:32 pm »

My guess is that Clément was referring to one of the ms_rtti*.idc scripts from df_misc (but I don't know exactly which one - perhaps ms_rtti64.idc for 64-bit DF?)
Logged
DFHack - Dwarf Manipulator (Lua) - DF Wiki talk

There was a typo in the siegers' campfire code. When the fires went out, so did the game.

Bumber

  • Bay Watcher
  • REMOVE KOBOLD
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2915 on: May 07, 2021, 01:37:06 am »

My guess is that Clément was referring to one of the ms_rtti*.idc scripts from df_misc (but I don't know exactly which one - perhaps ms_rtti64.idc for 64-bit DF?)

Yeah, but I'm not sure what running it actually accomplishes.
« Last Edit: May 07, 2021, 01:40:01 am by Bumber »
Logged
Reading his name would trigger it. Thinking of him would trigger it. No other circumstances would trigger it- it was strictly related to the concept of Bill Clinton entering the conscious mind.

THE xTROLL FUR SOCKx RUSE WAS A........... DISTACTION        the carp HAVE the wagon

A wizard has turned you into a wagon. This was inevitable (Y/y)?

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: DFHack 0.47.05-r1
« Reply #2916 on: May 07, 2021, 10:21:34 am »

The primary purpose of the "ms_rtti64" script is to apply names to all of the vtable objects in the disassembly, so that if you find code that creates a virtual object you'll be able to immediately recognize what it is.

In other words, it'll change this:
Code: [Select]
.text:00000001407ED382                 lea     rax, off_140F20958into this:
Code: [Select]
.text:00000001407ED382                 lea     rax, ??_7item_chainst@@6B@ ; const item_chainst::`vftable'
The most important thing to do, after running codegen_c_hdr.pl and importing the resulting header file, is to run ruby.exe dump_df_globals.rb --idc "..\path\to\Dwarf Fortress.exe" and then copy all of the MakeName(...) calls and paste them into the IDA "Execute Script" window (File -> Script Command, or Shift+F2). Once you do that (and press "Run"), all of the global variables will be named and the various global structures will be instantiated in-place, so when you look through the code you'll be able to see all of the names instead of just meaningless numbers.

In other words, it'll change this:
Code: [Select]
.text:000000014042E4B8                 movzx   eax, cs:byte_141699288
.text:000000014042E4BF                 xor     r12d, r12d
.text:000000014042E4C2                 cmp     cs:byte_14167EC63, r12b
.text:000000014042E4C9                 movzx   ecx, cs:word_141C3D260
.text:000000014042E4D0                 cmovnz  eax, r12d
.text:000000014042E4D4                 mov     cs:byte_141699288, al
.text:000000014042E4DA                 test    cx, cx
.text:000000014042E4DD                 jz      short loc_14042E502
.text:000000014042E4DF                 cmp     cx, di
.text:000000014042E4E2                 jnz     loc_14042F407
.text:000000014042E4E8                 cmp     cs:byte_141C3D368, r12b
.text:000000014042E4EF                 jnz     loc_14042F407
.text:000000014042E4F5                 cmp     cs:byte_141C3D360, r12b
.text:000000014042E4FC                 jnz     loc_14042F407
into this:
Code: [Select]
.text:000000014042E4B8                 movzx   eax, cs:_pause_state
.text:000000014042E4BF                 xor     r12d, r12d
.text:000000014042E4C2                 cmp     cs:_debug_nopause, r12b
.text:000000014042E4C9                 movzx   ecx, cs:_ui.main.mode
.text:000000014042E4D0                 cmovnz  eax, r12d
.text:000000014042E4D4                 mov     cs:_pause_state, al
.text:000000014042E4DA                 test    cx, cx
.text:000000014042E4DD                 jz      short loc_14042E502
.text:000000014042E4DF                 cmp     cx, di
.text:000000014042E4E2                 jnz     loc_14042F407
.text:000000014042E4E8                 cmp     cs:_ui.squads.in_kill_order, r12b
.text:000000014042E4EF                 jnz     loc_14042F407
.text:000000014042E4F5                 cmp     cs:_ui.squads.in_move_order, r12b
.text:000000014042E4FC                 jnz     loc_14042F407
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.

Garfunkel

  • Bay Watcher
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2917 on: May 08, 2021, 09:13:37 am »

How do I run the script to remove uninteresting dead units from mut 'u'nits list?
Logged

lethosor

  • Bay Watcher
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2918 on: May 08, 2021, 10:58:22 am »

How do I run the script to remove uninteresting dead units from mut 'u'nits list?
If you're asking for the name of the script, it's "fix/dead-units". To run it, just enter that in the DFHack console.
Logged
DFHack - Dwarf Manipulator (Lua) - DF Wiki talk

There was a typo in the siegers' campfire code. When the fires went out, so did the game.

Bumber

  • Bay Watcher
  • REMOVE KOBOLD
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2919 on: May 08, 2021, 09:00:29 pm »

paste them into the IDA "Execute Script" window (File -> Script Command, or Shift+F2). Once you do that (and press "Run"), all of the global variables will be named and the various global structures will be instantiated in-place, so when you look through the code you'll be able to see all of the names instead of just meaningless numbers.

There's no indication that the Run button has done anything after I press it. Script Command window doesn't close, no log output. Is this expected?

Is there an easy place to look to verify if it worked? Skimming through, I don't see much readable labeling besides the strings that are loaded just by loading DF with IDA (e.g., aDwarfMode ; "Dwarf mode") and non-DF stuff like "basic_ostream" and "cs:memmove".

There's no "_pause_state" in the names window, so I think that's a good indicator it didn't work. There are no names at all when attaching to DF (rather than running it from IDA) and the script is used.





That range of addresses doesn't exist in IDA, with nothing visible between the end of "debug001" and the beginning of "debug038":
Code: [Select]
debug001:000000007FFE0FFF debug001 ends
debug001:000000007FFE0FFF
debug038:0000007700000000 ; ===========================================================================
« Last Edit: May 09, 2021, 02:47:11 am by Bumber »
Logged
Reading his name would trigger it. Thinking of him would trigger it. No other circumstances would trigger it- it was strictly related to the concept of Bill Clinton entering the conscious mind.

THE xTROLL FUR SOCKx RUSE WAS A........... DISTACTION        the carp HAVE the wagon

A wizard has turned you into a wagon. This was inevitable (Y/y)?

Garfunkel

  • Bay Watcher
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2920 on: May 09, 2021, 05:41:31 am »

How do I run the script to remove uninteresting dead units from mut 'u'nits list?
If you're asking for the name of the script, it's "fix/dead-units". To run it, just enter that in the DFHack console.
Thanks a lot, that worked!
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: DFHack 0.47.05-r1
« Reply #2921 on: May 09, 2021, 12:59:05 pm »





That range of addresses doesn't exist in IDA, with nothing visible between the end of "debug001" and the beginning of "debug038":
Code: [Select]
debug001:000000007FFE0FFF debug001 ends
debug001:000000007FFE0FFF
debug038:0000007700000000 ; ===========================================================================
I suppose I should've mentioned beforehand: if you want those scripts to work, you must not attach to an existing process (as you would with a debugger). Instead, you need to run IDA, go to File -> Open, select the EXE file, let it finish analyzing it, and then run those scripts. You can attach to a running EXE afterwards if you want, but I would strongly recommend saving before doing so (and not saving it afterwards).
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.

Bumber

  • Bay Watcher
  • REMOVE KOBOLD
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2922 on: May 11, 2021, 04:55:22 pm »

Okay, I've got that working, it seems.

Watch points don't seem to interrupt when their value is changed. They don't even show the change until DF is interrupted. I set a hardware breakpoint for when a value of interest in the plants.all vector is written to, but it seems to interrupt even when just read. This is unfortunate because it looks like the vector is iterated even while the game is paused.

Another annoyance is that while I can turn the whole vector into qwords by using the array option in the right-click menu, they're all treated as one address when I do. Is there a better way to handle things than searching for the sequence of bytes that contain the address of the plant struct of interest, and turning just that into a qword?

This function seems to be of interest, but it doesn't use anything that's named:
Spoiler (click to show/hide)

The code under loc_140CF1080 is what's iterating and triggering the interrupts.
« Last Edit: May 11, 2021, 05:01:00 pm by Bumber »
Logged
Reading his name would trigger it. Thinking of him would trigger it. No other circumstances would trigger it- it was strictly related to the concept of Bill Clinton entering the conscious mind.

THE xTROLL FUR SOCKx RUSE WAS A........... DISTACTION        the carp HAVE the wagon

A wizard has turned you into a wagon. This was inevitable (Y/y)?

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: DFHack 0.47.05-r1
« Reply #2923 on: May 12, 2021, 07:33:07 am »

This function seems to be of interest, but it doesn't use anything that's named:
If you don't see any named addresses then you missed a step somewhere, because there should be 3 named addresses in there:
Code: [Select]
.text:0000000140CF1009                 cmp     eax, cs:_world.map.x_count
.text:0000000140CF100F                 jge     loc_140CF11A2
.text:0000000140CF1015                 test    cx, cx
.text:0000000140CF1018                 js      loc_140CF11A2
.text:0000000140CF101E                 movsx   eax, cx
.text:0000000140CF1021                 cmp     eax, cs:_world.map.y_count
.text:0000000140CF1027                 jge     loc_140CF11A2
.text:0000000140CF102D                 mov     r8, cs:_world.map.column_index
Just below that, it's necessary to manually annotate various structure offsets:
1. Select the Structures window by pressing Shift+F9
2. Press the Insert key, click "Add standard structure", and locate the structure you want to add
3. In the main disassembly view, select an instruction containing an offset and press "t", then select the structure you think it's referencing

In this case, I selected ".text:0000000140CF105E                 mov     rcx, [r8+1A68h]" and marked it as a "map_block_column" offset (since the code immediately above it indexes into _world.map.column_index) and got ".text:0000000140CF105E                 mov     rcx, [r8+map_block_column.plants.ptr]" (and the same with the next instruction, getting "[r8+map_block_column.plants.endptr]"). Below, I determined that "r11" refers to a "plant" object and "rbx" refers to a "plant_tree_info" object.

From my own analysis, the function you found appears to be "df::plant *getPlantAtCoords(int x, int y, int z)" - the code immediately below "loc_140CF1080" checks for an exact coordinate match (e.g. for shrubs), the code just above "loc_140CF115B" checks if it's part of a tree branch, and the code below "loc_140CF115B" checks if it's a tree root.
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.

Bumber

  • Bay Watcher
  • REMOVE KOBOLD
    • View Profile
Re: DFHack 0.47.05-r1
« Reply #2924 on: May 14, 2021, 08:39:47 am »

I started over from compiling DFHack, and I still don't see them. (DFHack version says "release" now instead of "development build 0.47.05-r1-130-g1c32783d" because I didn't use develop branch this time.)

1. Built DFHack, RelWithDebInfo, on a fresh install of "df_47_05_win".
2. Ran codegen_c_hdr.pl on codegen.out.xml to produce codegen.h.
3. Ran ruby.exe dump_df_globals.rb --idc "..\path\to\Dwarf Fortress.exe" to produce MakeName statements.
4. Open Dwarf Fortress.exe in IDA Freeware 7.0, wait for it to finish analysis.
5. File -> Load File -> Parse C header file..., select codegen.h.
6. File -> Script file..., select ms_rtti64.idc, wait for script to finish.
7. File -> Script command..., paste in MakeName statements. Confirm _pause_state exists in Names window.
8. Save the project.
9. Filter for sub_140CF0F90 in the function menu and double-click it. No named addresses present.

I can add the structure map_block_column to the Structures window. Right-clicking the value gives an option for [r8+map_block_column.plants.ptr]. (The 't' option doesn't appear in this menu, but the shortcut works while the offset's selected. UX annoyance.) Right-clicking on the next one gives the option [r8+map_block_column.plants.endptr], so IDA seems to be pretty smart about that.

I'm still stuck with:
Code: [Select]
.text:0000000140CF1009                 cmp     eax, dword ptr cs:xmmword_141D69550+4instead of "cs:_world.map.x_count", though.

There's no result for "x_count" in the Names window. It's not in the MakeName output, which has only 159 lines.

I found an "x_count" in codegen.h in the "T_map" struct. I assume that's not going to help.

There are zero results for "getPlantAtCoords" on the internet (including your post and mine,) so that's kind of puzzling. (Tried Google, DuckDuckGo, and GitHub. At least Bay12Forums can find my post.)
« Last Edit: May 14, 2021, 09:07:10 am by Bumber »
Logged
Reading his name would trigger it. Thinking of him would trigger it. No other circumstances would trigger it- it was strictly related to the concept of Bill Clinton entering the conscious mind.

THE xTROLL FUR SOCKx RUSE WAS A........... DISTACTION        the carp HAVE the wagon

A wizard has turned you into a wagon. This was inevitable (Y/y)?
Pages: 1 ... 193 194 [195] 196 197 ... 244