Sanitarium HD Patcher On GitHub

Just a quick update: I've open sourced my Sanitarium HD Patcher. The code and latest release can now be found on GitHub! Enjoy!

Tiled2Unity Auto Import

I have created a new project! It works alongside Tiled2Unity to ease importing Tiled maps into Unity. It is: Tiled2UnityAutoImport.

Sanitarium HD Patcher

It is now available! Please find v0.1.0 here. This version will only work with executables with MD5 of 0A09F1956FCA274172B0BB90AA5F08A7. If people turn out to have...

Sanitarium HD Patcher On GitHub

09 Dec 2015

Just a quick update: I've open sourced my Sanitarium HD Patcher. The code and latest release can now be found on GitHub! Enjoy!

Tiled2Unity Auto Import

31 May 2015

I have created a new project! It works alongside Tiled2Unity to ease importing Tiled maps into Unity. It is: Tiled2UnityAutoImport.

In a nutshell, it hooks into Unity's asset importing flow and automatically runs Tiled2Unity when new/modified tmx maps are found. More details can be found in the project's README.

Sanitarium HD Patcher

07 Feb 2015

It is now available! Please find v0.1.0 here. This version will only work with executables with MD5 of 0A09F1956FCA274172B0BB90AA5F08A7. If people turn out to have other versions I'll try to get hold of the exes and get them supported. Enjoy!

UPDATE: Permanent page at /sanitariumhd.

New Year's Resolution Patch

01 Feb 2015

I guess that title would have worked better a month ago.

Anyhow. I've always been fascinated by software reverse engineering and general binary hackery, but had never really thought of a project to try it out on. Then I remembered the Fallout High Resolution Patch and the Infinity Engine Widescreen Mod, which apply cracking/patching techniques to allow old games designed at 1990s resolutions to run at glorious 1080p. I decided to do something similar.

Targeting

I wanted a target for which no fan patch already existed. I was browsing GOG, and saw that the game Sanitarium had recently been added. I remembered that I already had a copy installed on my PC - perfect! Target acquired.

Hacking Commences

The first step was to figure out what resolution the game runs at out of the box. To do this, I took a screenshot of the game running windowed (command line param -w, if you're interested), and highlighted the rectangle excluding the standard windows border stuff. I'm sure there are more scientific ways to tell the size of a window, but this worked for me.

Original window

I deduced the game to be rendering at a 90s-classic 640x480. I opened up game in the trusty debugger, OllyDBG, and began investigating the heck out of it.

I searched for the number constant 480, set a breakpoint on each reference and ran the game. One of these was hit very early on in the initialization, and was proceded by a reference to 640 - strong candidate! (ignore the fact that the offsets are from patched - I'd already backed up the original executable)

Reference to 640x480

I used Olly to patch the 640/480 values to 1280/720 respectively, and ran the game. The window was now 720p, with the main menu occupying the upper-left corner, but once in game it was rendering a much larger visible area. See below for comparison

Original playfield

720p playfield

If you're familiar with the game you'll notice that all the game objects outside of the 640x480 camera the game is expecting aren't drawn. I'll address this later, but at this point I got ambitious(/distracted). The changes made in Olly can be saved out as a modified .exe, which can be used in the future. This would technically let me distribute the patched executable, allowing the wider internet to play the game at high-res. However, there are a couple of drawbacks:

  • It's pretty illegal: the modified version would still contain all the original code generated by the copyright holder
  • It's pretty inflexible: everyone using my modified executable would be stuck with the resolution I chose. Also if further changes were required a new modified executable would have to be obtained Solution: patch the executable in memory right before running it, just as Olly does.

Rolling a debugger

A quick bit of googling showed me that in order to modify executable code on the fly in Windows you basically have to write a debugger. This sounded very intimidating. I continued my research and it turned out to be conceptually very simple. All that's required is a C++ project to do the following:

  • Make a call to CreateProcess, passing the DEBUG_PROCESS flag. This starts a child process owned by your executable, which sends debugger-relevant events to your code.
  • While you're interested in these debugger events, call WaitForDebugEvent/ContinueDebugEvent. The only event I needed was CREATE_PROCESS_DEBUG_EVENT, so I handled that in a (very small) switch statement. When this event arrives I make a call DebugSetProcessKillOnExit, passing in false, so after my patch is applied my program can close, leaving the game process to live on. I then...
  • ...apply the patches. This is the part I assumed would be complex, but boils down to one Win32 API call.

The target's executable code is memory mapped to an offset from a base address. For 32 bit Windows programs, this address is 0x00400000. I referred to the patches I made in Olly to get the address which needed to be modified. As can be seen in the screenshot of the debugger, we started with a PUSH 1E0, followed by a PUSH 280 (480 and 640 in hexadecimal). The compiled x86 machine code for PUSH [some 4 byte value] is 68 [some 4 byte value in little-endian] - 68 E001000 in our exaple. In this case, and most cases we'll need to deal with, we can leave the PUSH (68) part untouched, and only change the operand (E001000). The program I wrote takes the desired resolution (x and y) as command line arguments and parses them as an unsigned 16 bit integer. We can then take a pointer to one of these values, cast it to a pointer to a byte, and treat it as a little-endian 2-byte array, like so:

uint16_t resY = parseInt(resYString);
uint8_t* resYBytes = (uint8_t*)&resY;

The PUSH 1E0 happens at 0x0041A5FF. We can leave the first byte as 68 for PUSH, and just modify the 2 bytes at 0x0041A600/0x0041A601, to the 2 bytes of resYBytes. To do this we can use WriteProcessMemory, passing the offset we found with Olly as the lpBaseAddress param, the 2 byte array representing the dimension (e.g. resYBytes) as lpBuffer, and then the size to write as 2. That's basically all there is to it. Once the patch for setting resolution width and height are applied, my program closes and lets the game carry on as normal.

Culling me softly

As I mentioned earlier, even with the resolution patches applied there are still some objects inside the newly-embiggened viewport which are not being drawn. Jumping back into Olly, I continued searching for 640/480. This lead me to the area of code below:

Some rect math

To ease both rendering and logic load, games often skip (or cull) objects which aren't visible. I could see some calls to functions operating on Rects (IntersectRect/OffsetRect), and figured this could be the logic for culling offscreen objects, still using the hardcoded 640x480. Applying a couple more patches to bring these up to 720p I was presented with this:

Less culling

Note the extra dudes in the bottom right. Amazing! I then jumped over to my project and made the code a bit more generic, using a std::map<uint32_t, const uint8_t*> to store arrays of bytes to be patched in, indexed by their memory address. And that's where I'm at. There is still one pretty glaring issue:

Smudging with camera pan

Previously the camera was restricted so it would never draw beyond the edge of the level. Now we're drawing a bigger area around the player, empty space is visible. It looks like the surface the game draws to isn't cleared every frame, leaving the remnants of the previous frame hanging around. I'll need to figure out a way to clear it before the background is drawn to it, then we should be all set!

I also still need to add some validation of command line arguments, and I'll make a follow up post with it (and hopefully the full source code) attached once it's ready.

Redesign!

27 Aug 2014

I've spent the last couple of days redesigning this page in preparation for a big plan I've been cooking. More as it develops!