Support modifying configs in prebuilt hacktice ROM in memory

Author: aglab2

Hacktice/Config.cs

@@ -53,6 +53,7 @@ public class Config
         [MarshalAs(UnmanagedType.ByValArray, SizeConst = 28)]
         public byte[] customText;
 
+        // since version 1.5
         public byte _pad1;
         public byte _pad0;
         public byte softReset;

Hacktice/Emulator.cs

@@ -4,19 +4,41 @@
 using System.Diagnostics;
 using System.Linq;
 using System.Runtime.InteropServices;
+using System.Windows.Forms.VisualStyles;
 
 namespace Hacktice
 {
     internal class Emulator
     {
         private Process _process;
         private ulong _ramPtrBase = 0;
+
         private IntPtr _ptrRam;
-        private IntPtr _ptrCanary;
-        private IntPtr _ptrVersion;
-        private IntPtr _ptrStatus;
+
+        /*
+         Hacktice header has 20 bytes in size and consists of
+         +0 - Canary.HackticeMagic
+         +4 - Encoded version in uint
+         +8 - Hacktice state as one of Canary.HackticeStatus*
+         +12 - Pointer in N64 RAM to hacktice config
+         +16 - Pointer in N64 RAM to hacktice savestate
+         */
+        const int HackticeHeaderSize = 20;
+        private IntPtr? _ptrHackticeHeader;
+        private byte[] _hackticeHeader = new byte[HackticeHeaderSize];
+        private byte[] _ram; // just a cache
+
+        const int ConfigHeaderSize = 8;
+        const int RAMSize = 0x400000;
+
         private IntPtr _ptrOnFrameHook;
-        private IntPtr _ptrPtrConfig;
+
+        public int HackticeCanary { get { return BitConverter.ToInt32(_hackticeHeader, 0); } }
+        public Version HackticeVersion { get { return new Version(BitConverter.ToInt32(_hackticeHeader, 4)); } }
+        public int HackticeStatus { get { return BitConverter.ToInt32(_hackticeHeader, 8); } }
+
+        uint HackticeConfigVPtr { get { return BitConverter.ToUInt32(_hackticeHeader, 12); } }
+        uint HackticeSavestateVPtr { get { return BitConverter.ToUInt32(_hackticeHeader, 16); } }
 
         static readonly string[] s_ProcessNames = {
             "project64", "project64d",
@@ -151,12 +173,7 @@ public PrepareResult Prepare()
                 MagicManager mm = new MagicManager(_process, romPtrBaseSuggestions.ToArray(), ramPtrBaseSuggestions.ToArray(), offset);
                 _ramPtrBase = mm.ramPtrBase;
                 _ptrRam = new IntPtr((long)_ramPtrBase);
-                // valid only for the binary case
-                uint binaryHackticeOffset = 0x4E010;
-                _ptrCanary = new IntPtr((long)(_ramPtrBase + binaryHackticeOffset));
-                _ptrVersion = new IntPtr((long)(_ramPtrBase + binaryHackticeOffset + 0x4));
-                _ptrStatus = new IntPtr((long)(_ramPtrBase + binaryHackticeOffset + 0x8));
-                _ptrPtrConfig = new IntPtr((long)(_ramPtrBase + binaryHackticeOffset + 0xc));
+                // only for binary
                 _ptrOnFrameHook = new IntPtr((long)(_ramPtrBase + 0x3805D4));
                 return PrepareResult.OK;
             }
@@ -225,41 +242,104 @@ public void WriteToEmulator(uint romAddr, byte[] data)
             }
         }
 
-        public int ReadHackticeCanary()
+        public bool LooksLikeN64VPtr(uint vptr)
         {
-            return _process.ReadValue<int>(_ptrCanary);
+            if (0 == (0x80000000 & vptr))
+                return false;
+
+            uint physAddr = vptr & 0x7fffffff;
+            return physAddr < 0x800000;
         }
 
-        public long ReadOnFrameHook()
+        bool LooksLikeHackticeHeader()
         {
-            return _process.ReadValue<long>(_ptrOnFrameHook);
+            if (!HackticeVersion.IsReasonable())
+                return false;
+
+            if (!LooksLikeN64VPtr(HackticeConfigVPtr))
+                return false;
+
+            if (!LooksLikeN64VPtr(HackticeSavestateVPtr))
+                return false;
+
+            // not checking for state but it is fine
+            return true;
         }
 
-        public int ReadHackticeStatus()
+        bool RefreshHackticeHeaderAndCheckIfValid()
         {
-            return _process.ReadValue<int>(_ptrStatus);
+            if (!Ok())
+                return false;
+
+            _process.FetchBytes(_ptrHackticeHeader.Value, HackticeHeaderSize, _hackticeHeader);
+            if (HackticeCanary != Canary.HackticeMagic)
+                return false;
+
+            bool ok = LooksLikeHackticeHeader();
+            if (ok)
+            {
+                _ram = null;
+            }
+
+            return ok;
+        }
+
+        public bool RefreshHacktice()
+        {
+            if (_ptrHackticeHeader.HasValue)
+            {
+                // refresh the pointers and check if it is still reasonable
+                if (RefreshHackticeHeaderAndCheckIfValid())
+                    return true;
+
+                _ptrHackticeHeader = null;
+            }
+
+            if (!(_ram is object))
+            {
+                _ram = new byte[RAMSize];
+            }
+            _process.FetchBytes(_ptrRam, RAMSize, _ram);
+
+            foreach (var location in MemFind.All(_ram, Canary.HackticeMagic))
+            {
+                // attempt all locations and find if any is reasonable
+                _ptrHackticeHeader = new IntPtr((long)(_ramPtrBase + (ulong)location));
+                if (RefreshHackticeHeaderAndCheckIfValid())
+                    return true;
+            }
+
+            // it is over
+            return false;
         }
 
         public bool Ok()
         {
             return !_process.HasExited;
         }
 
-        public void Write(Config cfg)
+        private static bool LooksLikeConfigHeader(byte[] header)
         {
-            _process.ReadValue(_ptrPtrConfig, out uint configVPtr);
-            if (0 == (0x80000000 & configVPtr))
-                throw new ArgumentException("Bad config field");
+            uint magic = BitConverter.ToUInt32(header, 0);
+            if (magic != Canary.ConfigMagic)
+                return false;
 
-            uint configOff = configVPtr & 0x7fffffff;
-            var configMagicPtr = new IntPtr((long)(_ramPtrBase + configOff));
-            _process.ReadValue(configMagicPtr, out uint magic);
-            if (magic != 0x48434647)
-                throw new ArgumentException($"Bad config magic {magic:X}");
+            int size = BitConverter.ToInt32(header, 4);
+            if (size <= 8 || size > 0x10000)
+                return false;
 
-            var configSizePtr = new IntPtr((long)(_ramPtrBase + configOff + 4));
-            _process.ReadValue(configSizePtr, out int hackticeConfigSize);
+            return true;
+        }
 
+        public void Write(Config cfg)
+        {
+            var configOff = HackticeConfigVPtr & 0x7fffffff;
+            var ptrConfigHeader = new IntPtr((long)(_ramPtrBase + configOff));
+            var configHeader = _process.ReadBytes(ptrConfigHeader, ConfigHeaderSize);
+            if (!LooksLikeConfigHeader(configHeader))
+                throw new ArgumentException($"Bad config");
+
+            int hackticeConfigSize = BitConverter.ToInt32(configHeader, 4);
             var size = Marshal.SizeOf(typeof(Config));
             int writeSize = Math.Min(size, hackticeConfigSize);
             if (0 == writeSize)
@@ -277,30 +357,21 @@ public void Write(Config cfg)
 
         public Config ReadConfig()
         {
-            _process.ReadValue(_ptrPtrConfig, out uint configVPtr);
-            if (0 == (0x80000000 & configVPtr))
-                throw new ArgumentException("Bad config field");
-
-            uint configOff = configVPtr & 0x7fffffff;
-            var configMagicPtr = new IntPtr((long)(_ramPtrBase + configOff));
-            _process.ReadValue(configMagicPtr, out uint magic);
-            if (magic != 0x48434647)
-                throw new ArgumentException($"Bad config magic {magic:X}");
-
-            var configSizePtr = new IntPtr((long)(_ramPtrBase + configOff + 4));
-            _process.ReadValue(configSizePtr, out int hackticeConfigSize);
-            if (0 == hackticeConfigSize)
-                throw new ArgumentException($"Config size cannot be 0");
+            // We might read more than needed but that is OK as the size is constant
+            var readSize = 8 + Marshal.SizeOf(typeof(Config));
+            var configOff = HackticeConfigVPtr & 0x7fffffff;
+            var ptrConfig = new IntPtr((long)(_ramPtrBase + configOff));
+            var configBytes = _process.ReadBytes(ptrConfig, readSize);
+            if (!LooksLikeConfigHeader(configBytes))
+                throw new ArgumentException($"Bad config");
 
-            // We might be reading more than required. It is OK because we will cut unnecessary fields and marshalling won't complain
             var size = Marshal.SizeOf(typeof(Config));
-            var configPtr = new IntPtr((long)(_ramPtrBase + configOff + 8));
-            var configBytes = _process.ReadBytes(configPtr, size);
             var ptr = Marshal.AllocHGlobal(size);
-            Marshal.Copy(configBytes, 0, ptr, size);
+            Marshal.Copy(configBytes, ConfigHeaderSize, ptr, size);
             var config = (Config) Marshal.PtrToStructure(ptr, typeof(Config));
             Marshal.FreeHGlobal(ptr);
 
+            int hackticeConfigSize = BitConverter.ToInt32(configBytes, 4);
             if (hackticeConfigSize <= (int) Marshal.OffsetOf<Config>("_pad1"))
             {
                 config.SetCustomText("PRACTICE");
@@ -313,21 +384,19 @@ public Config ReadConfig()
             return config;
         }
 
-        public Version ReadVersion()
-        {
-            _process.ReadValue(_ptrVersion, out int version);
-            return new Version(version);
+        public uint ReadRAMHeader()
+        { 
+            return _process.ReadValue<uint>(_ptrRam);
         }
 
-        private uint ReadRAMHeader()
+        public long OnFrameHook()
         {
-            return _process.ReadValue<uint>(_ptrRam);
+            return _process.ReadValue<long>(_ptrOnFrameHook);
         }
 
         public bool IsDecomp()
         {
-            uint hdr = ReadRAMHeader();
-            return Canary.BinaryRamMagic != hdr;
+            return Canary.BinaryRamMagic != ReadRAMHeader();
         }
 
         public void WriteHackticeDetours(uint fn, int repeats)

Hacktice/MagicManager.cs

@@ -58,7 +58,6 @@ public enum AllocationProtect : uint
 
         public MagicManager(Process process, long[] romPtrBaseSuggestions, long[] ramPtrBaseSuggestions, int offset)
         {
-            GC.Collect();
             this.process = process;
 
             bool isRomFound = false;

Hacktice/Patcher.cs

@@ -69,11 +69,6 @@ public void Apply()
             _rom[0x57ec1] = 0x4d;
         }
 
-        static bool IsReasonable(Version version)
-        {
-            return version.major < 10 && version.minor < 100 && version.patch < 1000;
-        }
-
         public Version FindHackticeVersion()
         {
             foreach (var location in MemFind.All(_rom, (uint) ((int) Canary.HackticeMagic).ToBigEndian()))
@@ -85,7 +80,7 @@ public Version FindHackticeVersion()
                         continue;
 
                     var version = new Version(BitConverter.ToInt32(_rom, location + 4).ToBigEndian());
-                    if (IsReasonable(version))
+                    if (version.IsReasonable())
                         return version;
                 }
                 catch (Exception) { }

Hacktice/ProcessExtensions/ProcessExtension.cs

@@ -182,6 +182,16 @@ public static bool ReadBytes(this Process process, IntPtr addr, int count, out b
             return true;
         }
 
+        public static bool FetchBytes(this Process process, IntPtr addr, int count, byte[] bytes)
+        {
+            SizeT read;
+            if (!WinAPI.ReadProcessMemory(process.Handle, addr, bytes, (SizeT)bytes.Length, out read)
+                || read != (SizeT)bytes.Length)
+                return false;
+
+            return true;
+        }
+
         public static bool ReadPointer(this Process process, IntPtr addr, out IntPtr val)
         {
             return ReadPointer(process, addr, process.Is64Bit(), out val);

Hacktice/Tool.cs

@@ -150,8 +150,7 @@ private string GetHackticeName()
         {
             try 
             {
-                var version = _emulator.ReadVersion();
-                return $"hacktice v{version}";
+                return $"hacktice v{_emulator.HackticeVersion}";
             }
             catch (Exception)
             {
@@ -231,12 +230,7 @@ private void UpdateEmulatorState()
             }
             else
             {
-                try
-                {
-                    version = _emulator.ReadVersion();
-                }
-                catch (Exception)
-                { }
+                version = _emulator.HackticeVersion;
             }
 
             SafeInvoke(delegate {
@@ -310,40 +304,28 @@ private void PrepareHacktice()
             State newState = State.ROM;
             try
             {
-                {
-                    int val = _emulator.ReadHackticeCanary();
-                    if (val != Canary.HackticeMagic)
-                    {
-                        return;
-                    }
-                }
-                {
-                    long val = _emulator.ReadOnFrameHook();
-                    if (val != Canary.OnFrameHookMagic)
-                    {
-                        return;
-                    }
-                }
+                if (!_emulator.RefreshHacktice())
+                    return;
 
                 newState = State.HACKTICE_CORRUPTED;
                 {
-                    int val = _emulator.ReadHackticeStatus();
-                    if (val == Canary.HackticeStatusInit)
+                    int status = _emulator.HackticeStatus;
+                    if (status == Canary.HackticeStatusInit)
                     {
                         newState = State.HACKTICE_INJECTED;
                         return;
                     }
-                    if (val == Canary.HackticeStatusActive)
+                    if (status == Canary.HackticeStatusActive)
                     {
-                        newState = _emulator.ReadVersion() == _payloadVersion ? State.HACKTICE_RUNNING : State.HACKTICE_RUNNING_CAN_UPGRADE;
+                        newState = _emulator.HackticeVersion == _payloadVersion ? State.HACKTICE_RUNNING : State.HACKTICE_RUNNING_CAN_UPGRADE;
                         return;
                     }
-                    if (val == Canary.HackticeStatusDisabled)
+                    if (status == Canary.HackticeStatusDisabled)
                     {
                         newState = State.HACKTICE_UPGRADE_DISABLED;
                         return;
                     }
-                    if (val == Canary.HackticeStatusUpgrading)
+                    if (status == Canary.HackticeStatusUpgrading)
                     {
                         newState = State.HACKTICE_UPGRADE_DATA_WRITTEN;
                         return;
@@ -358,7 +340,7 @@ private void PrepareHacktice()
 
         private bool IsEmulatorReady()
         {
-            return EmulatorState >= State.ROM && _emulator.Ok();
+            return EmulatorState > State.ROM && _emulator.Ok();
         }
 
         private void EmulatorStateUpdate(object state)

Hacktice/Version.cs

@@ -104,5 +104,10 @@ public string ToString(string format, IFormatProvider formatProvider)
         {
             return $"{major.ToString(format, formatProvider)}.{minor.ToString(format, formatProvider)}.{patch.ToString(format, formatProvider)}";
         }
+
+        public bool IsReasonable()
+        {
+            return major < 10 && minor < 100 && patch < 1000;
+        }
     }
 }