Breaking Videogames
For those who can't play a video game without dissecting it
Project maintained by banyaszvonat Hosted on GitHub Pages — Theme by mattgraham
(Unfortunately, this is not yet conclusive. You’ll notice I forgot to add a null byte after
weapon_physcannon, which could offset the first field. Additionally, while the format relies on data descriptions compiled into the application, but something tells me theeinexecvcould’ve been interpreted as the type of the following field.)
So, my speculation turned out to be wrong, and the engine does rely on data maps after all. The ETABLE string visible in the error is passed in as an argument to CRestore::ReadFields, by CEntitySaveRestoreBlockHandler::ReadRestoreHeaders, where it’s declared as a literal:
At the time this error message occurs, the engine is processing the Entities block. A string related to this can also be seen on the stack:
As for why this rules out type fields? I can give the following reasons:
- As mentioned,
ReadFieldstakes the type to expect as a parameter. - The save file is processed by block, and each
SaveRestoreBlockHandlerusesSaveandRestoreto implicitly define the structure of their blocks. It passes in the type description parameter toReadFields, so by the time it’s called, both the address to read from and the expected type is known. And finally: - Trust me bro
However, scrolling through the stack area that’s no longer allocated reveals something interesting:
The engine had already gone over the Python block, and moved on to the entities block. Yet the buffer pointer is seemingly in the Python block:
These are in the Python block… right? Right?
I am glad I didn’t speculate on the anatomy of a VALV container yet. Let’s do that now. If you recall:
.sav file
|
|-> .sav block "foo.hl1"
| |
| |-> zlib stream |
| |-> zlib stream |---> VALV container
| |-> zlib stream | |
| |-> VALV block "Foo"
| |-> VALV block "Bar"
Given that names like weapon_physcannon and worldspawn in fact correspond to ingame entities, I think there is a possibility that the headers are split from the contents of the block. Zooming in, perhaps the container looks like this:
VALV container
|
|-> Block name "Foo"
|-> Header "Foo"
|-> Block name "Bar"
|-> Header "Bar"
|-> "Foo" block data
|-> "Bar" block data
At this point, this is just a guess.