Alice Averlong🏳️⚧️ugh. I'm gonna have to set up a wiki page for this.
in addition to the one on Wikipedia, which needs fixing
Monopoly (2010) for the PSP:
"Pipeworks bundle v1.13 (little endian)"
Yep.
checking Wii U games is harder.
Their Wii U port of Wheel of Fortune is "Pipeworks bundle v1.30 (big endian)".
Their Wii U port of Wheel of Fortune is "Pipeworks bundle v1.30 (big endian)".
they made a free-to-play match-three game with a Godzilla license in 2014. Let's check...
Nope, unity.
Boogie for the PS2 (2007): "Pipeworks Bundle File version 1.4"
Night at the Museum: Battle of the Smithsonian, 2009, Wii:
"Pipeworks bundle v1.03 (big endian)"
Godzilla: Unleashed, 2007, wii:
"Pipeworks Bundle File version 1.4"
I suspect this game doesn't use the whole engine, and may just use the bundle files. It has a non-standard layout.
One similar to Destroy All Monsters Melee, in fact, which makes me think they reused some code.
NHRA Drag Racing - Countdown to the Championship, 2007, PSP:
"Pipeworks Bundle File version 1.4"
"Pipeworks Bundle File version 1.4"
I'm definitely going to need to do more research to figure out which ones of these are really using "Pipeworks engine" vs which ones are just reusing their bundle format.
oh hey it's not just games.
uDraw Studio: Instant Artist, 2009, Wii:
"Pipeworks bundle v1.30 (big endian)"
uDraw Studio: Instant Artist, 2009, Wii:
"Pipeworks bundle v1.30 (big endian)"
interestingly, PRINCE OF PERSIA RIVAL SWORDS (2007), wii, seems to be no. Completely different internal structure.
oh, probably because they just handled porting it. Ubisoft made the PSP version.
I grabbed the wrong Zumba game for Wii (there's FIVE), but if anyone wants to try hacking Zumba Fitness Core by 2012, it shouldn't be hard: the game is scripted in unencrypted Lua files.
Wreck-It Ralph (2012, Wii) seems to be a new engine. Not Pipeworks
Godzilla: Save the Earth (2004), for PS2, uses "Pipeworks Bundle File version 1.3".
1.3! This is the earliest game I've seen using Pipeworks, and it's got a surprisingly late version number. Weird!
okay now I've got the right Zumba game. Zumba Fitness, 2010, Wii:
"Pipeworks bundle v1.20 (big endian)"
"Pipeworks bundle v1.20 (big endian)"
I found a reference on their 2003 homepage that their Destroy All Monsters game uses the "Spigot Engine".
I don't think that's the same engine as what I've been calling "Pipeworks".
I don't think that's the same engine as what I've been calling "Pipeworks".
I'm going through assorted linkedins. Looking for someone saying "I used to work at Pipeworks on the Foobar engine".
The closest I've seen is Terry Fernham, who says they were "[r]esponsible for tools and technology included in the core custom game engine on multiple platforms."
The closest I've seen is Terry Fernham, who says they were "[r]esponsible for tools and technology included in the core custom game engine on multiple platforms."
I guess I'm gonna call it Pipeworks Core for now.
oh huh! According to the 2011 version of their website, they helped develop part of the Xbox and Xbox 360 boot roms. Neato.
yeah. Nothing. Just "internal" and "custom" and "core".
Spigot. I think it's still called Spigot.
Ian Sabine's linked-in said he "Maintained and updated Spigot engine".
He's credited on Charm Girls Club: Pajama Party, Jeopardy, and Wheel of Fortune, all of which use the same engine.
Ian Sabine's linked-in said he "Maintained and updated Spigot engine".
He's credited on Charm Girls Club: Pajama Party, Jeopardy, and Wheel of Fortune, all of which use the same engine.
for what it's worth, there's no references to Spigot in the executable that I can find, and this thing is positively lousy with debugging metadata and strings.
there is a reference to something called the RockNRoll engine, but I'm pretty sure that's just the collision engine.
interesting find: the "Colossal Kaiju Combat" games licensed the Spigot engine from Pipeworks. So if they are showing some of the same files, then it's gotta be Spigot.
Time to find out. 5$ to find out
"Pipeworks bundle v1.30 (little endian)"
It's got the .pvd/.pvm files and everything.
This is 100% the same engine.
THIS IS FUCKING SPIGOT
wait
this giant monster fighting game...
uses MYSQL!?
this giant monster fighting game...
uses MYSQL!?
anyway they remembered to strip the debugging info for the Kaiju game, so that's not as useful to reverse. Still, it's a nice comparison to have: it's an example of the x86 version of the same engine. Maybe I can still make use of this.
also, side note, the list of games on their wikipedia page is missing a few on their games lists, like if you hit it at 2013, you also get "Gremlins Gizmo" and "Plantsville", alongside the other ones we know about and the typo'd GeoStorm (not Geo-Storm)
they're also credited with uDraw Studio, but their own list says they made uDraw Studio AND uDraw Instant Artist.
Started building a wiki page listing all the versions and such.
hey found another game missing from wikipedia!
Plantville, which they made for Siemens, is an edutainment game about factory management from 2011.
Plantville, which they made for Siemens, is an edutainment game about factory management from 2011.
I could also go through all these games and make sure their build info is on TCRF but that's maybe too much work
here's the really fun part:
they clearly were fine with licensing out their spigot engine, given that they licensed it to that kaiju game.
How many other games did they license it to, and it just never was mentioned anywhere?
brb downloading all Wii, PS2, PS3, PSP, Xbox, Xbox 360, and Windows games.
I'm gonna need more floppy disks
So they made a few demos (for the xbox) with Microsoft prior to announcing their "first" Spigot game. I don't think those demos were ever released, they were just shown as promos for the Xbox.
It's possible that's where Spigot came from. Maybe they built the engine for that, then reused it for their Godzilla game.
if I see one more place where this code is like "(if x!=0 && x!=0xFFFFFFFF)"...
LEARN TO USE ONE SENTINEL AND STOP PRETENDING -1 IS A POINTER
interestingly their Wii game "Gremlins: Gizmo" calls itself "GForce" internally, not to be confused with G-Force for the Wii, which they didn't make and doesn't use the Spigot engine.
(yes, I had to check)
okay so you know how I said there was some debug symbols left in, in one of their games?
as far as I can tell, it's not just one of their games.
it's all of their games (at least the wii ones)
as far as I can tell, it's not just one of their games.
it's all of their games (at least the wii ones)
(there's a possibility this is required for how their scripting engine works, but I'm not sure yet)
oh goody.
if a for loop only does like 8 iterations, the compiler unrolls it into something that decompiles as a do-while loop with a bunch of breaks. I hate it
if a for loop only does like 8 iterations, the compiler unrolls it into something that decompiles as a do-while loop with a bunch of breaks. I hate it
why does their implementation of strlwr check every character for being smaller than 256?
that... what?
this is ascii. like, actual 8-bit chars.
that... what?
this is ascii. like, actual 8-bit chars.
so I've got a TON of VTables and in theory I could convince Ghidra how they work and then use the RTTI info to fully extract the class tree, but in reality Ghidra has no idea what the types are and it's going to take longer to assign them than it would to write my own code that just spelunks the running RAM of the program, probably.
and I need to figure out some way to document this class tree that's a step below "starting a full decompilation project".
maybe I need to look into scripting, instead of pressing the "y" button over a thousand times
well I think I've hung ghidra
it turns out trying to get and then print a list of all symbols in a game this fucking debuggered is a bad idea
disassembling and decompiling 11 megabytes of PowerPC binaries: easy
printing a bunch of text to a window: HARD
printing a bunch of text to a window: HARD
okay I got it to clear the window and start responding again.
there are 1244 RTTI structures in this binary, out of the 128 thousand symbols I accidentally tried to print
oh hey this is jython, which does that magical getter eliding thing, where you can do "x.fooBar" instead of "x.getFooBar()"
40 minutes later I have it done once
now to do it 1243 more times
I should have just pushed "y"
now to do it 1243 more times
I should have just pushed "y"
this is the code I finally ran:
symbols=list(getCurrentProgram().getSymbolTable().getDefinedSymbols())
rttis=[s for s in symbols if s.getName().endswith('__RTTI')]
RTTIVTableHeader=getDataTypes("RTTIVTableHeader")[0]
def makeRTTI(symbol):
start=rttis[0].programLocation.address
end=start.add(8)
clearListing(start,end)
createData(start,RTTIVTableHeader)
[makeRTTI(x) for x in rttis]
it didn't work. I'm not sure why. but it didn't.
hmm. it's doing weird things where if I try to do it to ~2400 RTTIs, it fails. but if I pick one out and do it solely, it works.
check out the code: it's saying "rttis[0]" when it means "symbol". I'm a fool
found another game that uses the Spigot engine, that Pipeworks didn't make!
It's Monster High: Ghoul Spirit (2011, Wii)
It's Monster High: Ghoul Spirit (2011, Wii)
SpeakerToManagers@foone
Not to put too fine a point on it, told you. I once stress-tested an OS (IBM version of Unix) by compiling a C++ program with 3 nested levels of templates. The mangled symbols exceeded 512 chars long, and it killed the kernel stone dead. Turned out they’d put the compiler symbol table in a fixed size 16 kB kernel block.
Not to put too fine a point on it, told you. I once stress-tested an OS (IBM version of Unix) by compiling a C++ program with 3 nested levels of templates. The mangled symbols exceeded 512 chars long, and it killed the kernel stone dead. Turned out they’d put the compiler symbol table in a fixed size 16 kB kernel block.
0xC0DEC0DE07EA
Jevin Sweval@foone save your sanity and use one of the plugins that lets you use Python 3 instead of 2!
https://github.com/justfoxing/ghidra_bridge
https://github.com/mandiant/Ghidrathon
https://github.com/jpleasu/ghidraal
@jevinskie I'm from the past, you're lucky I'm using python and not writing this in BASIC
Lucyinchat@foone
Isn't that just "yes"?
Isn't that just "yes"?
lp0 on fire 
/usr/bin/yes
William D. Jones
DDR@foone wat.
How do you even get that through an optimising compiler?
@ddr I don't know. Possibly it's just being decompiled incorrectly. I don't know enough PowerPC assembly to tell.
Charlotte 
/Cinny 
@foone it’s c, strlwr accepts an int which is either a value that fits in a char or EOF
@charlotte this strlwr takes a char*, not an int.
maybe it's not the standard strlwr, just a badly named function
maybe it's not the standard strlwr, just a badly named function
@foone i confused it with tolower(). but i would assumme that strlwr just runs tolower in a loop
Peter Bindels@foone Something like a Duff's Device?
Good. Now fix the decompiler.
Pierre Bourdon@foone if you know some that aren't in https://wiki.dolphin-emu.org/index.php?title=Category:Ships_with_debugging_symbols we'd love to know :)
@delroth Will do!
Although, haven't ya'll done a comprehensive survey of Wii/GC games? Seems you could script extracting the .elf and then using readelf to check for debug symbols without too much difficulty.
@foone GC/Wii games don't typically come with ELF files :-) The standard executable format for those consoles (DOL) doesn't have any kind of symbol section. The Wii SDK has some amount of dynamic linking support (REL files) but only imports/exports have symbols there (think DLLs).
So usually when we find symbols it's either weird game engines with their own executable format, or forgotten files on the disc image master (e.g. "framework.map" in Zelda: The Wind Waker).
@delroth oh, okay.
The games I've been digging into all have elf files. I wonder if they're doing something weird like implementing their own ELF loader in the DOL?
The games I've been digging into all have elf files. I wonder if they're doing something weird like implementing their own ELF loader in the DOL?
@foone either that, or dead files that were actually converted to DOL but still kept on the disc image for whatever reason (someone forgot to `make clean`). I've seen both, usually more of the latter.
Sometimes you can get lucky and the ELFs are even debug builds!
https://wiki.dolphin-emu.org/index.php?title=Ships_with_Debugging_Symbols has a bit more details for each game.
Or, sometimes the developers forget a Windows version of the game on disc... https://tcrf.net/Pikmin/Windows_Executable
@delroth oh I didn't think about that! I'll have to test to see if the elf is even getting used, or if it's just useless data. They definitely left some other build artifacts on the disk (some .bat files and some logs from their archiver), so it wouldn't surprise me if it's just an error
@delroth huh, yep. The elf file is completely superflous, the game runs fine without it. good to know!
Although now I'm wondering if the .elf and .dol files are definitely in sync. I may be reversing an old version of the code!