Windows CE/CDDA: Need some testers

Discussion in 'Sega Dreamcast Development and Research' started by SiZiOUS, Feb 10, 2018.

  1. SiZiOUS

    Hello there,

    So after successfully repairing my Set 5 with the help here, I finally achieved a first version of a project I started back in 2014: Finding a solution for making Windows CE games with working CDDA ...

    This is my attempt to create a working CDDA patch for Puzzle Bobble 4, 18 years after its original release. This patch is for the following release: Puzzle Bobble 4 v1.000 (2000)(Cyberfront - Taito)(NTSC)(JP)[!]. I chose this one because it was the only GDI I had when I started the project. This is a nice game by the way.

    If you have some time and courage, please be my guest to test that patch for me. It's better to test with the real hardware but it can be useful to test it in emulators too, just to know. I only tested through my Set 5 and everything seems to be fine, at least for a public alpha.

    At this time, the patch is only compatible with Puzzle Bobble 4 v1.000 (2000)(Cyberfront - Taito)(NTSC)(JP)[!]. So please test it only with that release, thanks.

    Instructions:
    1. Download the patch here or directly attached to this post.
    2. Grab the full GDI of Puzzle Bobble 4 v1.000 (2000)(Cyberfront - Taito)(NTSC)(JP)[!] and extract its content somewhere.
    3. Retrieve the ./GD_ROOT/WINCE/PB4.EXE file and copy it into the patch directory.
    4. Grab the xdelta3 binary here and copy it into the patch directory. Rename the xdelta3 binary to xdelta3.exe.
    5. Execute the patch.cmd and move the modified PB4.EXE into the ./GD_ROOT/WINCE/ folder and overwrite the existing one.
    6. Copy the track04.raw through track25.raw files to where the gddaconv.cmd file is located.
    7. Grab the sox binary here. Extract it at the same location of the gddaconv.cmd file.
    8. Double-click on the gddaconv.cmd file. You'll get track04.wav until track25.wav. Move all these *.wav files into ./GD_ROOT/GDDA/ folder.
    9. Make a selfboot disc with the modified content. You don't need to add the original CDDA tracks.
    10. Test the game, ideally with the real hardware.
    Oh and by the way, please be sure to extract the GDDAHOOK.DLL file into the ./GD_ROOT/WINCE/ folder...

    The expected result is... just working music like the real GD-ROM. Don't hesitate to post your results here!

    Speaking of technique, I used IAT hooking techniques to make this patch. This would be useful for this project and maybe that one too. I plan to release the source code too, but not now.

    Thank you very much in advance for your tests and for your interest!

    BR,
    SiZ!
     


  2. Mrneo240

    Excellent news!

    Also good choice on a first game to make the patch for, the binary was really easy to dig around in.

    Any chance of posting the technique you used for this?
     
  3. SiZiOUS

    Yeah, that's a second reason I chose this game first, because the game was "small".

    I made a hook on the DeviceIoControl API to intercept GDDA calls, and I redirect these to my custom code. I made a "GDDA Emulator" which, instead of playing GDDA tracks, plays WAVE files. Don't worry, in a few weeks, I'll post the source code on GitHub. But I need to clean it up before release because currently it's a real mess. :)

    And by the way, my attempt was also to publish some code to show how to hack Windows CE games, because we have almost nothing on this, and it always can be useful.
     
  4. darcagn

    Well the GDDA audio does play! However, after I beat the first level I played, the game froze. I rebooted the console and it froze again after I beat the second level I played.

    Selfboot methodology:
    1- Extracted GDI/IP.BIN/sortfile using gditools by FamilyGuy.
    2- Burned audio padding up to LBA 45000 using cdrecord.
    3- Followed your steps.
    4- Used bincon.exe by Dopefish to bincon 0WINCEOS.BIN.
    5- Used binhack32 by FamilyGuy to hack IP.BIN and set SegaOS.
    6- Modified sortfile to add GDDA files directly after the dummy file and before the rest of the GD-ROM contents.
    7- Made data ISO using mkisofs.
    8- Burned last session with cdrecord.

    Boots right up, everything seems fine, with the exception of freezing when completing a level.
     
  5. SiZiOUS

    Hello darc,

    First of all, thanks for your test and sorry for the waste of a CD-R. :(
    So there are differences in behaviour between the retail Dreamcast and the Set 5. Indeed, I don't have this problem when I test the patch through the Set 5, with GD Workshop in Emulator mode.

    Could you test something else for me? Can you launch a game session and press the Start button to pause the game? This should stop the music. Press the Start button again and the music should continue at the same point.

    This afternoon I think I'll be able to test the game with my retail Dreamcast modified with GDEMU, because I'm going to retrieve it (as I lent it).

    Thank you in advance for your tests! :)
     
  6. yzb37859365

    I tested with the demul simulator and there is music, but occasionally a "zizi zizi" noise comes out of the music.
    If you don't put the wav files in, there is no music, but there is also no "zizi" noise.
     
  7. PrOfUnD Darkness

    Wow this sounds really interesting!
     
  8. fafadou

    Very nice, SiZiOUS, as are all of your projects.

    I hope it works with Sega Rally 2 and its particular code for CDDA.

    Tell us again if you have a lack of testers. I can do some with demul but my dreamcast is still broken for now.
     
  9. pitito

    This is great news, thank you very much Sizious for the advances. Soon we can enjoy 0winceos + CDDA :)
     
  10. SiZiOUS

    Hello to all and thank you for your interest in this project.

    I have made a little progress. I found this old thread on Dreamcast-Talk speaking about this big project. A thing I didn't know is that there are some Windows CE games that work well, like Worms Armageddon. I had wrongly supposed that no WinCE game worked at all but this isn't the case.

    So I took Worms and analyzed the game. I hijacked the DeviceIoControl API like I've done for Puzzle Bobble 4 and guess what? The API calls are identical. What I've found too is that Worms Armageddon was compiled under an older WinCE version (1.0 I guess) so its ROM image (0WINCEOS.BIN) is very different from Puzzle Bobble 4.

    So my guess is that the cause of the API call failure is maybe located in the ROM image (0WINCEOS.BIN) but I don't know what's wrong, at least for now...

    The question is... do you know another WinCE game where the CDDA works, like Worms Armageddon?
     
  11. darcagn

  12. fafadou

    Maybe Worms World Party has the same call as Worms Armageddon?
     
  13. SiZiOUS

    I finally opened the source of my GD-DA emulator for Windows CE. It's available on GitHub. To work with that project, you'll need the Windows CE SDK for Dreamcast Ver. 2.1, with Visual Studio 6.0 installed.

    This project is far from being finished, as I discovered a memory leak (which finally causes the Dreamcast to stop, so I think it's the identified "freeze bug"). Plus, I disassembled my Katana Dev.Box as I will ask an electronics professional to remove the embedded ML2032 battery (replacing it with a 2032 socket). This was already done by @Jackhead (in his famous thread: Sega Katana, SILENT please!).

    Oh and by the way, it seems that the Pause/Resume command (IOCTL_CDROM_PAUSE_AUDIO / IOCTL_CDROM_RESUME_AUDIO of the DeviceIoControl API) is indeed part of the problem. I hijacked the API under Worms Armageddon and these commands are quite simply never passed. In Puzzle Bobble 4, these commands are always (regularly) executed. So maybe it's the reason why in Puzzle Bobble 4, the music is starting from the beginning over and over. But everything works fine in Worms Armageddon.
     
  14. Mrneo240

    I'll dig late, I'm currently helping mr rizzo man. lol
     
  15. yzb37859365

    Ask a question about a wince game by this post



    I want to insert a piece of code written in WinCE's game. Now I know that I need to insert it into a DLL file, but wince's game is more special. It seems that the address is not very well written. JMP jumps to my program and can't jump in.

    Think JMP to the other address of this DLL or jump into 0WINCEOS. Do you know how to write it?

    thank you~
     
  16. Mrneo240

    I believe each dll loads in its own memory space. You can't jump from the dll to game code and vice versa. You'd have to add a function call from the game to the dll.

    Also dlls don't have to live at the same memory location every time.
     
  17. yzb37859365

    So I'm troubled, the original DLL file space is not enough o_O
     
  18. Mrneo240

    Which dll in which game?
     
  19. SiZiOUS

    Your best bet is to use the same technique I've used: IAT hooking.

    If you just need to execute some custom code at the game's startup, then the simplest method is to physically patch the IAT in the game's binary and put your custom DLL in the \WINCE folder. Then your DLL needs to implement all the APIs of the replaced DLL plus a DllMain function containing your custom code. The DllMain is a function executed once by the Windows CE kernel at startup. Usually, I choose the MAPLEDEV.DLL as this DLL only contains the MapleCreateDevice and MapleEnumerateDevices APIs. Finally, your custom MAPLEDEV.DLL will contain 3 functions: the 2 APIs mentioned plus that DllMain function. So, after compiling your custom DLL, you'll need to name it as you want (e.g. CUSTOM.DLL), copy it in the \WINCE folder, then patch the game's executable to reference CUSTOM.DLL instead of MAPLEDEV.DLL. To do that you just need to hex-edit the MAPLEDEV.DLL string and replace it with CUSTOM.DLL.

    If you need to patch some more APIs in different DLLs, then you'll use my iathook library which is in my repository. The best demonstration use case is the main.cpp from the gddahook project. In that file, you'll see the 2 Maple APIs but no DllMain: in that specific case, if you need to patch the IAT at runtime, then you can't do it within DllMain. I spent several weeks around this problem. In that case, the best thing to do is to call a custom InstallHook function inside a hijacked API. You'll see all of these techniques in the main.cpp file on GitHub.

    Don't hesitate to tell me if something is missing. Maybe I should write something on all these techniques.
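
A portable C model of the technique described in this thread (redirecting DeviceIoControl through the import table, with the hook installed from inside an already-replaced Maple API rather than from DllMain), added here as an illustration and not taken from SiZiOUS's repository. The table layout, the request codes and every function name other than the API names quoted in the posts are assumptions invented for the model; it works on an in-memory table and touches no real executable.

```c
#include <string.h>
/* Constructed request codes for this model only; the real IOCTL values
   come from the SDK headers and are not reproduced here. */
enum { REQ_PLAY = 1, REQ_PAUSE, REQ_RESUME, REQ_OTHER };
typedef int (*api_fn)(int arg);
struct iat_slot { const char *name; api_fn target; };

static int position, playing;   /* state of the modelled WAVE player */
static api_fn orig_ioctl;       /* original import, kept for pass-through */
static int os_ioctl(int req) { return 1000 + req; }  /* stand-in for the OS */
static int custom_maple_enum(int arg);               /* custom DLL export */

/* The game's import table. The Maple slot already resolves to the custom
   DLL because the imported DLL name was patched in the executable. */
static struct iat_slot game_iat[] = {
    { "DeviceIoControl", os_ioctl },
    { "MapleEnumerateDevices", custom_maple_enum },
};
static struct iat_slot *find_slot(const char *name) {
    for (size_t i = 0; i < sizeof game_iat / sizeof game_iat[0]; i++)
        if (strcmp(game_iat[i].name, name) == 0) return &game_iat[i];
    return NULL;
}
static int hooked_ioctl(int req) {
    switch (req) {
    case REQ_PLAY:   position = 0; playing = 1; return 0;
    case REQ_PAUSE:  playing = 0;               return 0;
    case REQ_RESUME: playing = 1;               return 0; /* position kept */
    default:         return orig_ioctl(req);    /* not audio: pass through */
    }
}
/* Swap the slot once: 1 = installed now, 0 = already hooked, -1 = no slot. */
static int install_hook(void) {
    struct iat_slot *s = find_slot("DeviceIoControl");
    if (!s) return -1;
    if (s->target == hooked_ioctl) return 0;
    orig_ioctl = s->target;
    s->target = hooked_ioctl;
    return 1;
}
/* Deferred install: runs on the game's first call into the replaced API. */
static int custom_maple_enum(int arg) { install_hook(); return arg; }
static int game_call(const char *api, int arg) { return find_slot(api)->target(arg); }
static void tick(int frames) { if (playing) position += frames; }

int main(void) {
    game_call("MapleEnumerateDevices", 0);  /* first call installs the hook */
    game_call("DeviceIoControl", REQ_PLAY);
    tick(100);
    return position == 100 ? 0 : 1;
}
```

Until the game first calls the replaced Maple API, requests still reach the original import; afterwards only the audio requests are absorbed and everything else is forwarded through the saved pointer.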
     
  20. TerdFerguson

    @SiZiOUS you should give that technique of yours a try with hooking the dll init code from the hl2 beta leak src into hldc

    as far as i know this is the first documented case of successful code hooking using wce

    or maybe just a general wce hooking 'template' program ;)
     