Category Archives: Game Hacking

gcfuse, With Executable Support

I upgraded my gcfuse utility tonight. The main change was to expose the primary game executable file when browsing a GameCube filesystem. The primary executable is stored as an implicit part of the filesystem, separate from the directory structure. Being able to easily read this file is a useful feature if, for example, someone wishes to get at these executables for the purpose of disassembly.

For example, when mounting the first disc image of one of my few GC games that I have actually completed, Metal Gear Solid:

$ ls -al mount/
total 1
dr-xr-xr-x 4 melanson users         0 Jul 15  2005 .
drwxr-xr-x 7 melanson users       760 Aug 26 21:48 ..
-r--r--r-- 1 melanson users        95 Jul 15  2005 .metadata
dr-xr-xr-x 4 melanson users         0 Jul 15  2005 audio
-r--r--r-- 1 melanson users 426387456 Jul 15  2005 demo.dat
-r--r--r-- 1 melanson users   1988128 Jul 15  2005 metal-gear-solid-the-twin-snakes-exe.dol
-r--r--r-- 1 melanson users      6496 Jul 15  2005 opening.bnr
dr-xr-xr-x 3 melanson users         0 Jul 15  2005 shared
-r--r--r-- 1 melanson users 198715392 Jul 15  2005 stage.dat

The executable file is metal-gear-solid-the-twin-snakes-exe.dol. The filename is a little long, which can happen since it is derived from the game title in the disc metadata, which can be nearly 1000 characters long. The GC executable format is known as DOL, probably short for Dolphin which was the codename of the GameCube during development.

I recognize that I’m likely the only person on the planet who cares about this utility but, hey, it’s my blog and what are blogs for if not to tell the world about the tedious minutiae of an individual’s life?

Related post:

gcfuse

I’m taking useless academic exercises to new heights. I wrote a utility called gcfuse that allows you to mount filesystems replicated, one way or another, from Nintendo GameCube DVDs.


Nintendo GameCube

What on earth for? I’ve heard tales of strange and wonderful FMV formats on those petite GameCube DVDs and I just had to know for myself. One game I’m playing right now is Metroid Prime, which has visuals that certainly appear to be pre-rendered multimedia files. Let’s find out:

$ gcfs metroidprime.gcm gcm/

$ ls gcm/
Audio         Metroid4.pak  NESemu.rel    SlideShow.PAK   metroid5.pak
AudioGrp.pak  Metroid6.pak  NESemuD.rel   TestAnim.Pak    opening.bnr
GGuiSys.pak   Metroid7.pak  NESemuP.rel   Tweaks.Pak
Metroid1.pak  Metroid8.pak  NoARAM.pak    Video
Metroid2.pak  MidiData.pak  SamGunFx.pak  client_pad.bin
Metroid3.pak  MiscData.pak  SamusGun.pak  default.dol

$ ls gcm/Video/
00_first_start.thp            08_GBA_fileselect.thp  attract9.thp
01_startloop.thp              AfterCredits.thp       creditBG.thp
[...]

Right away, a new multimedia format– THP. The GC-Linux project already has documentation about this MJPEG-like format. Samples, of course, are available for your inspection.

3DO Special

At long last, I have finally gathered up all my 3DO titles accumulated over the years and studied them with the help of the Opera filesystem Linux module. Thus marks the triumphant return of my inexplicably popular Multimedia Exploration Journal.


3DO Console

I have been curious about 3DO multimedia for a long time, ever since someone sent me some FILM files that he had found on the 3DO version of Lemmings using a custom tool to read the disc. Early CD-ROM-based consoles rarely had standard FMV API so the developers had to explore the emerging field on their own.

During this investigation, I found a number of the titles were published by Electronic Arts. A number of them used AIFF files for audio and a custom container format for what appears to be Cinepak data.

LucasArts Task Force

Those wacky programmers over at LucasArts have traditionally employed more acronyms than the most bloated of bureaucracies. They started out with SCUMM (Script Creation Utility For Maniac Mansion). Then there was SMUSH and INSANE, 2 other game engines. I think GRIME was another engine, developed for Grim Fandango. I probably have some of those details at least a little incorrect but I’m too lazy to do the research right now, and I know the ScummVM hackers will perform any corrections for me. (Update: Sure enough– check the comments for clarification.)

Why do I care about any of this? A number of games based on the SMUSH engine contain FMV files with the extension .san. This apparently stands for Smush ANimation. Many years ago, shortly after I gained interest in studying game-related multimedia formats, I received a request to study the SAN format. Some reverse engineering work had already been done and put into ScummVM but it was not quite complete and was also quite rough around the edges– the kind of RE work where ASM is more or less converted directly into C. I never could quite make heads or tails of it and sometimes thought it might be easier to just start over with the raw binary.

I think it’s finally time to get serious and and put the SAN format to rest! Who’s with me? Good, now let’s get down to business. First things first, samples! I have organized SAN samples from 11 different titles (although Outlaws and The Dig are represented twice in the count because of their demos): http://www.mplayerhq.hu/MPlayer/samples/game-formats/la-san/. That directory also contains the file TGSMUSH.DLL which is allegedly capably of playing every known variation of SMUSH files.

The SAN files have a pretty straightforward FourCC-chunk format that we multimedia hackers have all seen in dozens of formats before. What coding methods does the format use for audio and video compression? That’s the big question. Not unlike other game-specific FMV formats that evolved over time as their creators refined the concepts (I’m thinking of Westwood VQA and Interplay MVE), SAN went through a few iterations. It apparently employs a range of coding techniques. One audio codec is called VIMA — most likely an abbreviation for variable IMA ADPCM — that Cyril has done an amazing job of documenting. As for video codecs there are a number of codecs and subcodecs at work and the details are still not entirely clear. There is some RLE and there appears to be some vector quantization. Further, based on the RE work already in ScummVM it appears that SAN might use hierarchical VQ, also seen in Sorenson Video 1, as well as gradient blocks, also seen in Gremlin Digital Video (though still not documented in the Wiki).

For your inspection you can find the source for the ScummVM SAN video decoder here: http://omega.xtr.net.pl/misc/smush/. The binary DLL is also available as mentioned previously. Cyril has started a new page on Smush. I think we have all the resources we need to attack this. Let’s see what we can come up with.