The BLSMM Thread [now with DLL Loading!]

[simmaster07 1,220]

meister1235, blue lightning, and I have been analyzing memory, investigating files, and other inter-relationships to find functions, other secrets, etc. and have created BLSMM (pronounced, Blissum... or blossom). Be warned, here be dragons.

Contents

1. Functions and Strings
2. DLL Loading
3. GZWin* Commands

Functions and Strings

Strings, with extra cheats DLL

Strings, without extra cheats DLL

Extracted method/class names

Original thread

Extracted LUA Script

Sorted function list

These are strings and functions the game uses in memory, also containing various names for classes, methods, and variables.

Loading DLLs

Based off of prior research made by various members (specifically builderman and Buggi), we've made a DLL that loads Windows Explorer when loaded, and Task Manager when detached from the SimCity 4 process. Because SimCity 4 is written in unmanaged code, the DLL had to be written in unmanaged code in order for it to load without throwing an error. The DLL was made using standard C/C++ libraries and system() calls.

The DLL was written and compiled with Microsoft's Visual C++ 2010 Express IDE and consists of only three files that are actually used: Stdafx.h and SC4 DLL.h/.cpp.

Stdafx.h

SC4 DLL.h

SC4 DLL.cpp <-- Main code

However, SC4 loads any DLL with an entry point (DllMain), and waits for the DLL to finish working before it continues loading. The DLL is detached before the program continues. The source code AND DLL are attached to this post.

Note: You'll probably need the Visual C++ 2010 Redistributable if nothing happens. [32-bit] [64-bit]

Update: Attached a version that beeps instead of using system calls. High-pitch on load, lower-pitch when unloaded. This is better for people who don't use windowed mode.

GZWin* Commands

With the Extra Cheats DLL Buggi released, entering "demolish 0" in the cheat box will demolish whatever is in the northwesternmost tile. No other value appear to be valid; they cause the game to CTD (crash-to-desktop). The GZWin commands in the string list are accepted as well, though only GZWinMessageBox gives a result. The rest cause the game to CTD as well.

---

To be continued...

SC4 DLL.zip

SC4 DLL (Beep).zip

[b22rian 153]

quite interesting guys

im sure you will find a lot between the 3 of you intelligent young men.

brian

[simmaster07 1,220]

Originally posted by: b22rian

quite interesting guys

im sure you will find a lot between the 3 of you intelligent young men.

brianquote>

Thanks for the words of encouragement, Brian! In fact, I just finished uploading an executable DLL for SC4 (best to run SC4 in windowed mode, though) that launches Explorer when loaded and Task Manager when unloaded.

[un1 40]

Congrats on the modding discovery!

Great job nelson for finally figuring it out!

[Sniper296 83]

Some nice finds, good job.

[Vahr 341]

I've made a template of sorts to allow for easier creation of DLLs for SC4. I'll attach it here once I get Nelson to read and check over it, and give any suggestions if needed.

Misc Stuff: With the Extracheats.dll, entering "demolish 0" in the cheat box demolishes whatever occupies the northwesternmost tile. No other values are valid, it seems, as they cause the game to CTD. Many GZWin commands are accepted in the cheat box. Currently only GZWinMessageBox gives a result, the rest cause CTDs (its fitting for GZWinDestroy though )

[warrior 169]

Wow you guys got dlls to work!!!!. I'm not going to pretend to understand even half of what this thread is about, but do you think you could get the console (output) of the game to show up and work? There are a few commands which are accepted and don't CTD that look as if though give outout somewhere.

The only other 2 people that have done anything like this are Daeley and GoaSkin, I'm not sure if they could be of help to you?

[Vahr 341]

Hmm, well, the problem is that SC4 unloads the DLL, unless its of a certain architecture (which we don't know what it is yet, and there's a good chance that the "SimCity SDK" would be required to be able to work in that architecture), so it won't stay to do anything lasting, save for maybe call up another program or shuffle plugins around. We'll have to look into the exe more in order to do that.

Aaaand more info on GZWin*

GZWinMessageBox: Creates a little message box (hence the name) with the defined info: MAINTEXT, TITLE, BUTTONsID

BUTTONsIDs:

0, nothing: OK

1: OK, CANCEL

2: RETRY, CANCEL

3: YES, NO

4: YES, NO, CANCEL

5: ABORT, RETRY, IGNORE

GZWinSelectListboxItem: Not Valid Cheat

GZWinSetWindowText: Doesn't seem to do anything, but might rename the window (ie on Queries). Cannot be tested due to how the game freezes the play area when a query is open.

GZWinClickButton: Not Valid Cheat

GZWinGenerateInputEvent: Doesn't seem to do anything visible. Seems to do stuff with keys. Causes CTD when entered "GZWinGenerateInputEvent cursorKey up left" (obtained from string extract)

GZWinEnableUserInput: Doesn't seem to do anything visible.

GZWinDestroyWindow: CTD (or close, unsure). Generates blank minidump file in Exception Reports.

GZWinShowWindow: CTD. Generates blank minidump file in Exception Reports

GZWinMoveWindow: Doesn't seem to do anything visible. Only takes 1 argument, ranging from 0 to 2

GZWinCreateWindow: Not Valid Cheat

GZWinWaitForWindow: Doesn't seem to do anything visible.

GZWinIsWindowPresent: Doesn't seem to do anything visible.

GZWinMoveCursorToWindow: Seems to nudge the cursor over in a random direction a small amount. Takes 1 argument, ranging from 0 to 2.

GZWinMoveCursorToPosition: Seems to move the cursor in a random direction in varying amounts. Takes unknown number of arguments. Arguments do not seem to affect cursor movement. Syntax: X position Y position STATIC200 STATICtrue

Origion: 0,0 - top left corner of window. Example: GZWinMoveCursorToPosition 50 50 200 true. Its a tad finicky though, it only works part of the time.

[warrior 169]

So DLLs would be able to create a window which shows before the game has loaded the plugins and asks the user if they want to use Diagonal bridges or not, and then depending on the answer disable or enable the terrain mod that is needed for them.

btw, Buggi posted this a while ago, it is apparently part of the extra cheats dll source code (Buggi dissapeared gain before he posted anything more)

https://www.sc4devotion.com/forums/index.php?topic=5376.msg169954#msg169954

[simmaster07 1,220]

Still trying to figure out who to contact about how to get this SDK (if we can, anyways)...

EDIT: Hope.

[Vahr 341]

Yeah, I'm aware about the XtraCheatsDLL source code. Though its useless without a proper SDK. Interesting to look at though.

And yes, its possible to have such a thing where it asks you if you want X or Y loaded. I also was thinking of a runtime NAM Controller compiler, so separate raw text "controllers" can be maintained, one per project, and simply be combined into one controller file at runtime.

EDIT: More cheats

SetViewTarget: Moves camera to 0,0,0 (northwest corner)

ToxicSpill X, Y: Creates a toxic spill disaster at cell X, Y

RegionBitmapLoad (in region view): Opens the region render window

PauseAnimation: Accepted, does nothing. Probably for during AnimationRecorder recordings

StepAnimation: See PauseAnimation

FullScreenRefresh: Refreshes the view.

ToggleDrivingPanel: Toggles the dashboard during UDI

MaximizeDrivingPanel: Makes dashboard appear

MinimizeDrivingPanel: Makes dashboard minimize

PlaceBuilding: Accepted. Places a building (probably); syntax unknown

PlaceFlora: See PlaceBuilding

LoadCity "CITYNAME" (Region view): Loads the city with the name CITYNAME

LoadRegion "REGIONNAME" (Region view): Loads the region with the name REGIONNAME

SetExpandedToolTips: Toggles expanded tool tips

ToggleTerrainContourDisplay: Toggles contour markings

Cancel: Cancles whatever tool you're holding at the moment.

[Vahr 341]

Here's the template solution/source code for making DRiLLs (Dynamic Runtime Linked Libraries, we just stuck an i in there to make it say "drill"), attached. Everything you need to know is in Core.cpp.

Eventually, once we figure out DLLs that SC4 keeps, we'll call them Dynamic Sticky Linked Librares, DiStiLL (Again with the adding of irrelelvant letters to make it read a word, in this case "distill")

SC4 DLL Template.zip

[meister1235 92]

it is VERY great that you guys know now how to start a dll file in the pluginsfolder

and i'm soo happy because all start with my strings again ^^

meister

i found a sections where are the commandline arguments are written [linky]

EDIT: i found some lua script in my memory and i think this is the main lua script from the game [linky]

[simmaster07 1,220]

There's now a live example on the STEX of what's possible with pre-game DLL calls. The automated backup process is powered by an external program, which the DLL calls using the system() function.

[simmaster07 1,220]

After a month with no news, here's an email I got from Paul Pedriana (SC4 lead dev) a few days ago. It isn't much, but at least he responded to my email.

Nelson ______ | Tue, Sep 21, 2010 at 5:32 PM

Hey Paul,

I sent an email to Ocean Quigley a day or two ago to figure out who to contact about this, since the customer support representatives weren't much of a help. Ocean told me to send a note to you. If I recall correctly, you were the lead developer for SC4. You see, in the 7 years SC4's been on the market, the community's already come up with brilliant mods and buildings. We just figured out how to get the game to load DLLs, but we need some type of SDK to get it to stay in memory.

So my question is if it would be possible to release this SDK, or who else to talk to about having it released. We've come so far when it comes to modding capabilities, and for our efforts to be in vain would be a large disappointment to the community.

-Nelson

---

Pedriana, Paul | Wed, Oct 20, 2010 at 7:02 PM

Hi Nelson.

We just figured out how to get the game to load DLLs, but we need some type of SDK to get it to stay in memory

quote>

Can you explain what you mean by getting it to stay in memory?

Thanks.

Paul

---

Nelson _____ | Mon, Oct 25, 2010 at 4:20 PM

To: "Pedriana, Paul"

Well, we know (or at least assume) SC4 has a list of functions that can be overridden or modified in some way, but there's no way to do so. When the Extra Cheats DLL was released, a piece of the source was released, though it relied on classes we also figured needed some sort of SDK to work. Lastly, when we figured out how to get SC4 to load DLLs, we also learned that the game unloads the DLL if there isn't a function of a certain type present. Once again, we needed an SDK to define the enumerated type.

quote>

EDIT:

Pedriana, Paul | Mon, Oct 25, 2010 at 7:13 PM

To: Nelson _____

I just met with Ocean today, coincidentally.

Are you saying that you made an SC4 plug DLL and SC4 recognizes it and tries to load it but decides it isn't right and doesn't use it?

Paul

---

Nelson _____ | Mon, Oct 25, 2010 at 9:31 PM

To: "Pedriana, Paul"

Exactly. It loads up the DLL, runs whatever's in DllMain->DLL_PROCESS_ATTACH, then doesn't use it and detaches from it.

quote>

[simmaster07 1,220]

BREAKING:

The function it calls is GZDllGetGZCOMDirector. Look for that in the attached source code, in particular in the cGZCOMLibrary::Load function.

Paul

quote>

 

EmptyPluginCOMDirector.cpp
GZCOM.cpp
GZCOM.h
RZCOMDirector.cpp
RZCOMDirector.h

In other words, we may now be able to create DLLs that SC4 keeps in memory, thus expanding our modding capabilities. I'll talk to Paul about overrideable functions.

[meister1235 92]

hi,

i wanted to make my list public which show some informations about the lua script.

if you want to add something or correct me please do it

meister

[meister1235 92]

I have a kinda GREAT succes at debugging SC4.

I've got the first message,s from the SC4 process, which go to the debugger.

This are only error messages but this is a good start and i hope i'll get better messages in the futur.

Here you can find the log

[meister1235 92]

This weekend i was able to enable a keycode at SC4. If you use it there will apper a firework in the middle of your city. And you can start several fireworks at the same time.

[cmdp123789 710]

Wow some years later.. Any news? And I'm sorry to bump an old thread...

[Alan Doherty 13]

I know that this article is incredibly old, but I was doing some work on reverse engineering Sim City 3000 a while back and Paul kindly sent over some files from the Rizzo framework. Attaching them for archiving purposes, might give more insight into anybody still working on this or looking through here in the future.

IGZCompression.h

RZFastCompression.h

RZFastCompression.cpp

[OrSpeeder 72]

Alan Doherty... Thanks! (I've been scrouging stuff all over the net!)

 

Some more stuff Paul "leaked": Paul is the creator of EASTL, that was used just after SC4 was finished (if you are wondering, SC4 itself use STLPORT, you can see the game has a segment named "SETLPORT_", that is short (segments can't be named more than 8 characters) for "STLPORT_NO_INIT" that is a ugly hack to force MSVC to use STLPORT iostream functions (MSVC iostream functions crash STLPORT... I suspect EASTL also crash MSVC if it let default iostream).

 

So, EA used Webkit, that is GPL, and was forced to release their Webkit GPL, this include some supporting libraries to compile EA Webkit, this include a file named "refcount.h" that is actually a hacked file from "EACOM/refcount" according to the comments, but can be easily regognized as part of the rizzo/gonzo framework.

On that .h there is a source, and explanation, for a function that appears on Buggi's partial source for the cheats dll, it explains (and provides source) for the function AsPPVoidParam.

 

Now a link to that: https://github.com/xebecnan/EAWebkit/blob/master/EAWebKitSupportPackages/EATextEAWebKit/local/include/EAText/internal/EATextRefCount.h

 

Also the source there explains lots of design decisions that I am sure applies to the rest of SC4 (like the memory manager system).

[OrSpeeder 72]

Ressurecting this thread again.

 

I found out the game has much more cheats than we know, and maybe it has a internal lot editor, and maybe a exemplar editor too, also it has a script editor for networks, with a debugger, you can find the interface for the network script debugger with the Reader, the GZPersistResourceKey (also known as TGI) is 0x00000000,0x96a006b0,0xcba9ef16

 

The cheat box is actually a "SystemSupport" command box, and can do many things.

 

I decided to start with something simple, since we already knew that "Demolish" (with a D, yes, not d), already worked, I went to check how much arguments it take... and found out it takes 5 arguments.

The first 4 are numbers, the fifth I don't know, but it controls if the animation for demolition is a normal one, or a explosion.

So after some trial and error, I found out that the Demolish command number arguments are the coordinates for a rectangle, for example "demolish 0 0 10 10" demolished everything from the top left of the map (0, 0) to 10, 10 on the map.

 

Some other commands worthy researching:

The entire list of commands for the "Tool Command Support"

PlaceNetwork < first argument seemly is the network name (example: "Rail" or "Road" or "Avenue") I don't found anything else about it unfortunately, but it does work.

PlaceNetworkIntersection < ???

PlaceLot < similar to the LotPlop command, but opens the plopping window with more arguments, and it checks information in the class that is seemly a in-game lot editor... Also this command don't close the cheat box when it fails, making you think it is a invalid command, but it is not, it actually works, but I don't found out the correct arguments yet.

PlaceZone < ???

Demolish < I mentioned before.

GetViewTarget < I don't even checked what is this

SetViewTarget < I also don't checked.

 

Entire list of commands for "Misc Command Support"

 

ListCommands < dummied out  

SetDebugLevel < sets debug level, it does work even when it refuses to close the dialog box, but I don't found out yet what debug levels actually exist, and what they do.

 

CreateGZLog << take as argumenta filename, it creates a file to be used later.

GZLog < dummied out

SetGZLogLevel < works, and do something, but I dunno what.

Assert < I don't tried

RZCheckHeap < I don't tried

ExecuteScript < seemly this can run a arbitrary Lua Script, but I am unsure yet how to test this, since I don't found out yet howto make Lua do something.

GetDateAndTime < gets date and time... and puts somewhere I don't found out yet.

GetTimerDate < same as above...

GetFrameCount < ditto

GetFrameRate < ditto

ExecuteCheat < confusing command, I have no idea what it do

WaitForMessage2 < I don't checked

CancelWaitForMessage2 < ditto

GetPathDirectory < get SC4 path and store "somewhere"

GetPathFileName < ditto

GetDirectory < ditto

GetRandomNumber < calculates a random floating number, stores "somewhere"

GetRandomInteger < ditto, but for integers

TakeSnapshot < don't tried

GameDelay < don't tried

GamePause < don't tried

ReadRegistry < don't tried, and I would not mess with that, seemly it is related to Windows Registry

WriteRegistry < ditto

ViewWebBrowser < opens a web browser, but I can't get it to work, but that is not a surprise, since clicking on the button to open Sim City 4 site on the main menu don't work either.

SendMessage < sends a message in the internal messaging system between classes, don't mess with this.

GetAppState < ???

SetScriptAutoYield < ?????

CreateException < creates a C++ exception, also known as: crash your game.

GetPopupModalDialogsSafe < ???

GetPopupModalDialogsEnabled << gets if popup modal dialogs are enabled, store it "somewhere"

SetPopupModalDialogsEnabled << sets the option to enable modal dialogs... I have no idea what this do.

GetOccupantCount < ???

GetMemInfo < gets lots of information and... I have no idea what it do with it.

 

There is also the GZWin commands mentioned earlier in the thread, they are all valid cheats, it is just a matter of us not knowing how to use them yet... for example I $%&^!ed up my PC with the cursor command   of interest in the GZWin commands is the  GZWinCreateWindow  command, it creates a window based on the "UI" file, probably it is to allow you to test if the UI you created is correct, unfortunately I don't found out how to make it work, if you type the arguments wrong, it does not even close the cheat box, making you think it doesn't work, it does work, but I don't found out how to point the arguments properly yet (I know it takes at least 3 arguments, that one of them is the Instance part of the UI File Persist Resource Key, and other argument is the "ID" of the GZWinGen tag (example, the quit dialog has instance number 0x6a553aa4 and ID is 0xaa921f4f according to the reader). But I don't found out yet how to properly input this (hexadecimal? decimal? 0x on the text? uppercase? lowercase? etc.. etc...)