Reverse Engineering RollerCoaster Tycoon | How does it work?

Hi all! Thanks for the great comments and feedback, having watched it back I'm inclined to agree the background music is a bit egregious. Still figuring UA-cam out so will be rebalancing things in the next video. Thanks again for watching (:
I have another low-level video you might enjoy as well - ua-cam.com/video/9_n6CBoEZwg/v-deo.html

Awesome video, my only criticism is the looping audio in the background. That tune seven minutes in was too much lol

I used to play this for hours and hours as a kid. Got a CD in a cereal box. This was a blast from the past. Man life goes by quick. I loved this game *loved* it its up there with all the . Didn't know a *single* guy made this in assembly. Wow. Just wow. Needs way more publicity for that.

From what I understand of the author is that he is a prodigy in assembly language for the x86 architecture. I’m pretty sure voodoo and other weird juju was invoked because for the code to run as smoothly as it did on old hardware even without fancy 3d graphics cards, made this code some of the most amazing code written for the intel platform in the history of the platform. Of all games, excel, you name it, this is the pinnacle of advanced and efficient coding for performance and size. Of course, he later had a breakdown and disappeared from the world for a while so was it worth it? Probably….cause I think the anxiety came from dealing with publishers who wanted him to update and re-invent the magic over and over again for different venues and versions of RCT.

this man as knowledgeable as he is had us listen to the same song for 40 minutes.
criminal.

Very nice informative video on various strategies for reverse engineering. When working on the beginnings of OpenRCT2, I found it useful to look at the source code for the very first version of OpenTTD 0.1 as the engine was very similar, and therefore many of the structures, and patterns, were the same as RCT1, and RCT2. For some games, you can quite often get lucky and find a debug version of the game or a port that have left the symbol names in which makes it so much easier to identify what each function does. For example, when working on OpenLoco, we found that the Android port contained the function names, which helped us understand the binary a bit more. I am surprised about RCT1 loading in the code segments, I wonder if that is unique to the particular version you have. This was certainly not the case for RCT2.

RCT is such an amazing piece of software, maybe even classified as a work of art because of its playability even after so many years.
Thanks for digging into it. There's a lot to unpack here and the work you've done is as impressive as the code you debugged.

Amazing to watch - and you have a great way of organizing thought and taking one by the hand to follow along. Never thought I'd watch an entire video of reverse engineering 20yo code. Came for the legend, stayed for the insights you provide! subbed!

roller coaster tycoon is absolutely amazing :D

Just watched the full video not realizing it only had ~200 views. This is amazing! Really enjoyed watching through

I think you explain everything very logically and it is easy to follow. Perhaps a tutorial on how to start on reverse engineering, the tools, the registers, the stack etc and what they mean would be really good. Maybe even solving a few crackmes.

Great video! In case it helps, the 40-byte BITMAPINFOHEADER structure seen in the hex dump defines a top-down 1280 * 1024 8-bit buffer which gives a total back-buffer size of 1,310,720 bytes. Immediately following the 40-byte header is a 256-entry palette of RGB(A) quads, and the image data itself is a one byte lookup per pixel into this palette array. For debugging this sort of data, the .bmp format is essentially a DIB with an additional 14-byte BITMAPFILEHEADER header, so just dump that along with the DIB header, palette and image data into a file and it should be a valid image.

Never had anyone explain the decompile process before and it's fantastic. Thanks. Especially on one of my favourite games ever.

Your videos are really enjoyable to watch. Very well explained and enlightening.

I love this video and your other breakdown content. I'm not in the field, understand maybe 10% or what you're doing, but it's really fun watching the process. Just wanted to let you know that this video format has more general appeal than just as an instructional video for specialists.

please continue this lovely series!

Such a nice walk down the memory lane when I used SofICE 386 to crack games... I remember I was able to convince my boss at work that it was useful at work and he bought it... No Ghidra back then.... Awesome content, kudos...😎

15:35 - Probably the best thing about windows is this dedication to not breaking the APIs. It's why you're able to just run rollercoaster tycoon decades and several windows versions later. It's outstanding really.

Amazing vidoes, looks like im going to binge watch all your content!

DirectX is a famous user of COM, so you will not be making much progress without learning that. As for the strings, the game is localizable. All user interfacing strings are stored in a locale specific function. This is very common for commercial programs.

Cheers bro loved this game, bit of a developer myself so loving watching this deep dive! really appreciate it! good work!

Really interesting video. I've not done debugging of DOS games for a good number of years, so seeing what tools are now available is fantastic. Would love to see more videos like this - it might be a niche topic, but one that's absolutely fascinating.

Great video. Have done some reverse engineering of Z80 and 6502 games, that gets complicated and time consuming enough with only a handful of 8-bit registers, 16-bit addresses and maybe only 24kb of code.
It's very satisfying to piece together the puzzle but ultimately quite a waste of time, at least with programming I get a game at the end of it!

Fascinating to watch. I have a very limited understanding of x86 so it's very impressive to watch you go over it.

Great narration, was so much fun to watch. Wish I could use a debugger that well.
I'd love to see you tackle Operation Neptune (or any of the Super Solvers), Oregon Trail II, or DinoPark Tycoon.

Great work! Espacially that you kept in the dead end about DirectX is a nice example, of how this stuff actually works. It's not like opening a binary an after 10 minutes you understand it (like other show of in their videos). Most of the time it's a lot of confusion, poking around and at some point you find the actual path to your goal. :)

Absolutely loved this! Getting to know a bit more about the inner workings of one of my favorite games is awesome. I'd personally love to see Factorio reverse-engineered, specifically because it as you probably know is crazily optimized, where one is able to have stupendous amounts of machines, belts, trains, bots, etc. all running at once. Maybe reverse-engineering its update loop could be interesting for a video? :-)

Extremely interesting!
You really got me interested in programming.

This is fascinating! Ever since I heard a few years ago that it was written entirely in assembly, I’ve been incredibly curious as to what Ghidra would do trying to disassemble it back in to C! I’m only a couple of minutes in to the video, but I’m looking forward to see the answer!

Bro 've never seen this level of quality put into reverse enginierin video♥

This video is great! It helped me understand the reverse engineering process better. Thank you :)

You have far to few subscribers for the quality of your content. Keep it up!

Great work. That was fun to watch

If you haven't discovered it yet, Ghidra also has a dark theme now, in the settings on the main small window where you import files into your project 🤙Great video!

I’d love to see something like this for simgolf, but in any case thanks for this videp! Very entertaining and educational :)

Instant sub - was praying this would happen!

I really loved the video and analysis, thanks doing it.
The only thing I was not a fan of was the music in the background, I don't think it added anything to the video.
But that's a minor complain to an otherwise great video.

i love content like this, thank you!

Thank you for this demonstration. I've personally never played that game, but have played variations of Sim City, as well as Sim Tower. And the Sims. Either way, I'm also a Delphi developer, and as unfamiliar as I am with assembly, I understood a great deal of this. Such as handling bitmaps. I was yelling "RGB!" at my TV when you had 3 grayscale images side by side.

Great vid! I’d love to see you dive into an old Future Crew demo! Unreal or Second Reality…?

In the beginning, when you were looking for strings, I noticed that each string was preceded by the sequence { 0x0a, 0x8e }. Now it could be that this is some prefix used to indicate what kind of object follows, but it could also be part of the string itself, which could be the reason you were unable to find any references to it.
0x0a is the ASCII code for newline. What then remains is the mystery of what this 0x8e character code is (other than the ASCII code for a A with diacritics). It could be a marker or something like that. Back in the day it was not unheard of to indicate, for instance, the hotkey for a specific action by prefixing the character in the string with an unprintable character that would then be interpreted by the render / handler function to see if that key was pressed, filtering out the prefix byte.

I hope more video about game Reverse Engineering! Really cool

Great Video, but why did you chose to disassemble the DirectX renderer, that must have been I assume added later to the game with all the windows baggage, on top of the original render that ran under dos and was probably much simpler?

Would be interested to see what you make of 3D Lemmings. It was also written entirely in x86 but without DirectX

Here are some ideas for topics:
- How does TTDPatch change the original TTD executable to allow for mammoth trains?
(TTDPatch pretty much relies on reverse engineered knowledge, I have no idea if this knowledge has been documented anywhere.)
- How does The Settlers II handle it's palette color cycling?
(The game reads PBM formatted LBM files = Amiga IFF that supports including palette cycling information, and the game's palette file has this information, but the game seems to have it hardcoded and thus ignores the file data.)

great video, one of my favs too from my childhood. One criticism i have though is your resolution! it was hard at times to see what you're doing at times when you don't zoom in... found myself actually zooming in in the browser!

Great video - please do tiberian sun next 😀

It looks like the screenbuffer image is still an 8bit indexed color image, not 8 bit RGB as it used to be done in DOS games. The DirectX call was probably added later in development to just get info on the variations of players screens.

WOW I thought this channel at 73K SUBS not 7.3 bravo my new fav channel

Imagine being the person who programmed the game and watching someone piece together how you did.

Way back in the day I saw the website of guy that was 18 max and he had coded three 3D games fully in x86 assembly. In that day I could barely make a cube appear in a GLUT window and I was so puzzled why we needed to pop and push all these matrices, made no sense to me. It really disheartened me lol. I'm a Java dev nowadays but your videos make me want to learn x64 assembly and understand all that, seems cool. Not sure what I would do with that knowledge though ^^ Cool video

Really great vids, and these not only takes me back to mis-spent 5th form and college days, 1985?- 1988, building cheats for games using pokes, or jumps to other sections of code.
So, theres three games for me, to reverse engineer:
Origional Doom II,
Firebirds Elite using vector graphics animation and rendering
finally, Cannon Folder, rendering and scroll techniques.

Great Video!

your videos are amazing

Wow, this is very cool!

too much with the music...otherwise great

Cool, iMac 1998 changed the computer's design.
What apps do you and did you program in your day job which seems to be computer engineering or computer science.
God bless.

Awesome video.learnt a lot

Loved Tycoon as a kid, the only annoying part was getting charged extra when you built rides on top of trees and scenery.

This is really neat. I know next to nothing about x86 and this was easy to understand and enlightening.
RE: Text being loaded dynamically, I would be shocked if that wasn’t to make localization easier. That way you only need to load one language’s worth of strings, and the program itself can call the same address for the same intended string. This is generally the way it’s done to this day, and similar audio is done for localized VO.

Another quality video.

I would like to see more on this. I would also like to see something on DrainStorm(2D Tile Based game, with ammo/abilities and special levels where defeat onslaughts of enemies) if you ever get the chance.

You're a legend, de-compilation looks just as difficult as it is. xD

22:10 "Going back to our DirectX 5 tutorials" *proceeds to head to the actual code instead of a tutorial*
😂 I guess the code can be counted as a tutorial, if you're tenacious enough. loved this video mate

Love low level stuff , thanks

Awesome video! Would love some time stamps for those of us that get lost easily

eax*4+X makes sense for getting a 32-bit value from a pointer to X. It's probably an array of pointers, like a char[][] in C (but obv he wrote it in asm)

Seeing assembly code interacting with COM objects is just crazy.
Is it known, why the author went this way instead of going with a higher level language?

lovely video

Just leaving a comment and a like because I quickly realised the video wasn’t about what I expected and am moving on (I’m not into coding at all). Didn’t want the algorithm to think it’s because it wasn’t a good video. Cheers!

Great video, awesome memories about the game. Came to complain about the music though, but I see I'm not the only one that got distracted and a little annoyed by it ;-)

EnBigguned is my new favourite word.

the guy that created that game is one of the best programmers to ever lived

One of my other tricks is to run a profiler liker superluminal against it to see what interesting functions get called a lot

A lot of older games run software rendering when in windowed mode, and only used direct X when in full screen.

Regarding the all-caps, I think it is due to it being a preprocessor macro. They use those a lot to alias types (like here, where you have a long pointer - LP)

Do you take requests?
I tried looking into what made A-10 Cuba! tick, but I'm shit at it.

Any chance you can tell from the disassembled code if it was written by hand or if it's compiled?

Dynamic linking might be causing the holes in your memory map?

When C and C++ are considered high level you know how far we've come

I'd love to see you decompile the isometric city building game Pharaoh, by Sierra Studios.

This brings back memories of spending hours in SoftIce, trying to NOP game CD checks. Soo much respect for Chris Sawyer for doing all this in ASM.

thankyou! that was some gangsta shiiii t . unlocked a new stream of consciouness .

Would love to see you deep dive on a genesis game like Sonic or Streets Of Rage. Just cos I grew up with them 😄. I have no idea how it would work with it running through an emulator so would be interesting to see

It does say ExeLock Executable File Protector in the beginning when you start searching for strings. It would have been a lot easier to search for a cracked and unpacked executable.

Dam, really interesting video

You should totally do this for Warcraft 2 and Starcraft!

Love this! Please do Sims Original :D

very interesting video

dude you're like a british me
its awesome

Could you make a video on reverse engineering a NDS game? Preferably one that hasn't been done before like pokemon. I'd love to see your process for something like that. I'm working on my own project with Cooking Mama 2 but I'm struggling a little bit. Wish me luck.

I'll admit that attempt at decoding the DIB header (which is the same as a BMP header, actually) gave me a good chuckle :P You got it almost right, but at the same time, not quite...
But anyway, the image is 1280×1024, you got that right (the -1024 height means that the image is top-down instead of bottom-up), but the 8 bits per pixel value was literal. Not 8 bits per component! This image is a paletted image; you'll find the palette itself in the DIB header, a bit further down. Each pixel is a one-byte index into that palette data. The palette data itself is RGB triplets, as 32-bit values (where the fourth byte is ignored, although some tools mistakenly treat it as alpha).
If you're curious about that "planes = 1" field, I'm curious about it too... I don't know what it was intended for, but in practice it's a "must be 1" field.

Sorry if it's already been said, but can you not set your screen resolution to 640x480/1024x768 etc for recording videos? To enlarge text

12:40 Vegeta, what does the scouter say about ax's power level?

Will there be another one? So far you only found the final presentation code that is doing StretchDIBits followed by a GDI flush. How was the frame data actually created? Each object on screen?

Good video

As someone who just does standard software design this is really wild. I often thought games were very much just like really advanced websites with functions, classes and images but clearly not. Watched the whole video and understood basically nothing! 😂 enjoyed it all the same though

Please do a video on Star Control II 🙏

I actually enjoyed the background music, but overall the video was too quiet. Nevertheless, very interesting! Subscribed.

There's actually a much better way to dump memory, with scylla in x32dbg. You pause the game and dump the memory and you can also dump all the heap allocations.
You can also make a tool to dump all of it, yourself. You can then import these heap allocations into your dumped ghidra decomp, and see the actual data that was being pointed to. You can even type the data, etc.