kgsws Posted September 28, 2020 (edited)

TL;DR: Try this in The Ultimate Doom v1.9 (original DOS, this specific version only) https://github.com/kgsws/doom_ace/tree/master/savegame

Or try this in Doom 2 v1.9 (original DOS, this specific version only) https://github.com/kgsws/doom_ace/tree/doom2/savegame

And now full version.

About a week ago i was thinking that it could be interesting to have original DOS doom mods that would allow more advanced changes, like dehacked. But without modifying the EXE. After toying with DOS executable and basically achieving same as xttl did in EXE hacking thread (LE loader, but for Linux) i had nice way to debug any potential exploits. First i was thinking about PWAD only, but that was not so straightforward so i moved to save game file. And yes, there is a simple way to exploit the game.

I have put everything on github, here https://github.com/kgsws/doom_ace/ and created readme to at least explain something.

And now my plan. I can imagine starting custom mods like "doom -loadgame H -file mod.wad". This way exploit is triggered right away. (you can use file named doomsavH.dsg) Savegame would only contain basic loader and custom code will be in "mod.wad" actually. This would be raw x86 executable code. Such lump would be compiled using GCC and makefile and could contain everything. New animations, new code pointers, custom menus. Even engine bug fixes.

Now i have a few questions.

Is it worth it? Would there be any interest at all? Not just playing with it, but seriously creating advanced mods for original DOS doom.

Which Doom version? Right now it only works in The Ultimate Doom 1.9, i have hypothetical way to exploit other versions though.

And few additions. If there is interest i can upload my LE loader (source code). It is quite a hack and only runs The Ultimate Doom executable right now, but it does emulate mode 13h unchained (and stuff, using custom SIGSEGV handler). Also, it is incomplete. (game can be finished though)

Special appreciation to Randy87 for providing their EXE MAP files way back in 2016.

Edited October 4, 2020 by kgsws

Redneckerz Posted September 28, 2020 (edited)

I.... just... can't.. this is taking the Randy87 savehack magik and pushing it ever further beyond. Are you Goku by any means?

@kgsws: Are you the same person that made this and specifically this? Because if so, i tip my fedora hat off. Hell, i already tip it off for this alone.

So, humor me if i am understanding this right: You use a Loader similar to LE Loader to load a modified Savegame file. This Savegame has Loader code and calls LE Loader. Savegame also includes exploit code which could change any and all game related code, massively boosting vanilla complexity potentially.

If that is the case, then this Doom Ace hack is the biggest f*ing discovery since DEHEXTRA was made a standard, and even more impressive than DeHacked.

@Doomkid Please take note! Your inner Zappa must be tingling reading this!

7 hours ago, kgsws said:
> Now i have a few questions. Is it worth it?

> Would there be any interest at all? Not just playing with it, but seriously creating advanced mods for original DOS doom.

If properly documented, and if this stuff does not meddle too much with illegal code affecting the host system, this could be the best thing since sliced bread.

> Which Doom version? Right now it only works in The Ultimate Doom 1.9, i have hypothetical way to exploit other versions though.

Ideally Doom 2 since that's what most of the modders use. But TUD is already a good vantage point.

> And few additions. If there is interest i can upload my LE loader (source code). It is quite a hack and only runs The Ultimate Doom executable right now, but it does emulate mode 13h unchained (and stuff, using custom SIGSEGV handler). Also, it is incomplete. (game can be finished though) Special appreciation to Randy87 for providing their EXE MAP files way back in 2016.

By all means, do so! There is always a desire to push Vanilla more, and especially, in the most unusual of ways.

Doom_Ace, if i understand it well, is exactly the thing i love about the limitations of Doom and the workarounds that come from it. I am not even sarcastic with my enthusiasm - This could be HUGE.

Edited September 28, 2020 by Redneckerz

Graf Zahl Posted September 28, 2020

Is it worth it to make mods that only work with DOS Doom in a world where >99% of all users play with some source port that would not be able to run this? I have my doubts. This looks like something worth doing for the fun of it but don't expect to find an audience.

Chip Posted September 28, 2020

7 minutes ago, Graf Zahl said:
> >99% of all users play with some source port

I know this is already a hyperbole, but I don't even think 1/2 of the DOOM players play with source port. I think this is a cute idea, and I think Kgsws should go for it!

Eric Claus Posted September 28, 2020

1 minute ago, LiT_gam3r said:
> I know this is already a hyperbole, but I don't even think 1/2 of the DOOM players play with source port. I think this is a cute idea, and I think Kgsws should go for it!

I play with Crispy Doom generally and I still approve this message.

Redneckerz Posted September 28, 2020

29 minutes ago, Graf Zahl said:
> Is it worth it to make mods that only work with DOS Doom in a world where >99% of all users play with some source port that would not be able to run this?

Besides Vanilla Doom is still a thing.

kgsws Posted September 28, 2020

1 hour ago, Redneckerz said:
> Are you the same person that made this and specifically this? Because if so, i tip my fedora hat off.

Yes to both. I made KGZDoom waaay back when i was migrating from Pascal to C. It was really hacky implementation.

1 hour ago, Redneckerz said:
> So, humor me if i am understanding this right

Not exactly. Just load the save game in original DOS EXE, that's all. LE loader is just my tool for debugging. I can use native GDB in Linux this way.

1 hour ago, Redneckerz said:
> If that is the case, then this Doom Ace hack is the biggest f*ing discovery since DEHEXTRA was made a standard, and even more impressive than DeHacked.

This still applies though. It is possible to modify anything. Add anything you are able to code.

1 hour ago, Redneckerz said:
> Ideally Doom 2 since that's what most of the modders use. But TUD is already a good vantage point.

I have just confirmed (at least in DOS BOX) that this can work in every version. By placing some code in VGA RAM (that would be just a first stage). It would still need EXE version detection for useful modding API. Because offsets are all over the place between different versions.

16 minutes ago, Graf Zahl said:
> Is it worth it to make mods that only work with DOS Doom in a world where >99% of all users play with some source port that would not be able to run this? I have my doubts. This looks like something worth doing for the fun of it but don't expect to find an audience.

Exactly my thoughts. Even though this can greatly enhance original DOOM, it still relies on DOS environment. And since it's a code execution exploit, it would be almost impossible (and potentially unsafe) to implement it properly in any source port. For now it was, and still is, fun. But creating usable modding API is another thing. It could also be fun, though. (It would also enable modders to support original DOS along with source port, if they choose to code everything twice.)

Well, i'm gonna have to create more advanced example, with custom map and effects otherwise impossible with dehacked to demonstrate the potential.

Noiser Posted September 28, 2020 (edited)

That's awesome dude! I would totally mess with it. It's not like people couldn't get an emulator anyway.

Edited September 28, 2020 by Noiser

Redneckerz Posted September 28, 2020

29 minutes ago, kgsws said:
> Yes to both. I made KGZDoom waaay back when i was migrating from Pascal to C. It was really hacky implementation.

!!!! I loved KGZDoom and preserved it on the Wiki page. Hacky implementation or not, it was very novel! Real glad that you are here!

29 minutes ago, kgsws said:
> Not exactly. Just load the save game in original DOS EXE, that's all.

So it's really Savegame hack with loader code? Because that's even better news!

29 minutes ago, kgsws said:
> This still applies though. It is possible to modify anything. Add anything you are able to code.

You were mentioning an advanced example - I agree. On paper i can see where your mind goes to in regards to the execution of this idea and it would be completely something (But restricted to pure Vanilla/DOSBox) but it needs a visual explanation, i feel. Honestly a bit scared for what this can do for Vanilla mappers.

29 minutes ago, kgsws said:
> I have just confirmed (at least in DOS BOX) that this can work in every version. By placing some code in VGA RAM (that would be just a first stage). It would still need EXE version detection for useful modding API. Because offsets are all over the place between different versions.

That would be grand and certainly increase the versatility of it all. If need be, i can test things out for you in DOSBox.

Linguica Posted September 28, 2020

Very interesting work! Is this the first "real" ACE for DOS Doom? In any event I don't expect this to be of any "practical" use but that is not a reason to not pursue it.

Eric Claus Posted September 28, 2020 (edited)

7 hours ago, Linguica said:
> Very interesting work! Is this the first "real" ACE for DOS Doom? In any event I don't expect this to be of any "practical" use but that is not a reason to not pursue it.

I think experimentation is always good

Edited September 29, 2020 by Eric Claus

wallabra Posted September 28, 2020

1 hour ago, Graf Zahl said:
> Is it worth it to make mods that only work with DOS Doom in a world where >99% of all users play with some source port that would not be able to run this?

If this works, it will be a very good reason to go back to DOS Doom. It'll make audience on its own.

Better yet - it's not a moving target, like, say, ZDoom/ZScript? There are a lot of inconveniences with modding that requires an advanced source port, especially when said source port changes all the time and keeps breaking compatibility like a wrecking ball. Good software development is not a race, it's a marathon, and sometimes it turns out you already fell.

URROVA Posted September 28, 2020 (edited)

wow... with this you can make CS bomb mode on vanilla doom? xD very good! But very complex too :) Very complex if i have to program it in assembler. I don't know any shit of assembler :'( but i hope that someday release some compiler for C/C++ or another more friendly language than x86 ASM

Edited September 28, 2020 by URROVA

wallabra Posted September 28, 2020 (edited)

@URROVA Terrorists win! Also, it uses C.

Edited September 28, 2020 by Gustavo6046

Wagi Posted September 28, 2020

2 hours ago, Graf Zahl said:
> Is it worth it to make mods that only work with DOS Doom in a world where >99% of all users play with some source port that would not be able to run this?

Yes, it absolutely is, for the same reason that people make Tool Assisted Speedruns that completely break a game. Making old games do shit they're not supposed to do is cool. It's not like you're going to get an angry mob coming after you just because somebody's ACE exploit doesn't work in GZDoom.

URROVA Posted September 28, 2020

2 minutes ago, Gustavo6046 said:
> @URROVA Terrorists win! Also, it uses C.

Really? On the github example the code is in assembler.

xvertigox Posted September 28, 2020

That is absolutely awesome. @Doomkid would be all over this.

wallabra Posted September 28, 2020

1 minute ago, URROVA said:
> Really? On the github example the code is in assembler.

GCC is mentioned in the original post c:

OpenRift Posted September 29, 2020

So let me get this straight... This savegame exploit could allow for significantly more complex mods for DOS Doom's exe, without even needing to use dehacked??

Doomkid Posted September 29, 2020

Graf swoops right in with no delay to shit on anything that doesn’t appeal to him personally. How in-character of you, Graf!

I think this is awesome, I’d love to see it pursued more! After seeing code execution in Super Mario World, I always wondered if something similar would be possible in vanilla Doom..

rustygizzard Posted September 29, 2020

VANILLA DOOM ROCKS AND I WILL ABSOLUTELY TRY EVERYTHING THAT COMES OUT OF THIS

Redneckerz Posted September 29, 2020 (edited)

12 hours ago, URROVA said:
> wow... with this you can make CS bomb mode on vanilla doom? xD very good! But very complex too :) Very complex if i have to program it in assembler. I don't know any shit of assembler :'( but i hope that someday release some compiler for C/C++ or another more friendly language than x86 ASM

Up until very recently it was not even known that Savegame files could be hacked/exploited in such a way. The stuff done by Randy, Xttl, Ling and now KGSWS is definitely pioneering yet another branch of Doom hacking unforeseen.

Where DoomHack would allow you to change codepointers (Through DeHacked), Doom_Ace (Or whatever it's going to be called) allows custom code to be injected. Meaning the possibilities could be endless to extend the vanilla engine. Smoother animations. Easier to implement colored lighting (Now technically already possible with a tweaked COLORMAP, but i reckon that if custom code is possible, anything can go within the Doom constraints of course), better and alternative monsters support, and more.

But yes - This is complex. And if such possibilities are well, possible, it's only really attainable in DOS Doom i can imagine, because you are essentially introducing new code at runtime without affecting the vanilla exe. It would definitely give Vanilla Doom a feature that source ports only can either match with very advanced scripting, or direct source code changes. And that to me is the exciting thing, another leash of life on original technology from 1997.

11 hours ago, Wagi said:
> Yes, it absolutely is, for the same reason that people make Tool Assisted Speedruns that completely break a game. Making old games do shit they're not supposed to do is cool. It's not like you're going to get an angry mob coming after you just because somebody's ACE exploit doesn't work in GZDoom.

One thing i am honestly surprised is how many bug reports are still filed for GZDoom. No program is ever bugfree, but with GZ, i am surprised that the amount of bugs remains so significant in numbers. That along with the paradigm that AMD support is less than stellar because of how those cards tackle GZ in general (I remain unconvinced that the performance drop is that significant, esp compared to comparable engines, hence the need for a reference test against OGL parameters). There are three GPU vendors in the PC space. GZ should perform more or less equally on each of them and not that one of them has a significant performance deficit purely because of how that vendor's driver addresses the program.

10 hours ago, OpenRift said:
> So let me get this straight... This savegame exploit could allow for significantly more complex mods for DOS Doom's exe, without even needing to use dehacked??

That is indeed the case. It goes far beyond DeHacked/DoomHack. DoomHack changes the static values in the Doom executable (the code pointers/states), whereas Doom Ace exploits a savegame file to load/inject custom code inside the vanilla executable through a custom wad. The static values are completely bypassed and custom code can be run at runtime. This could mean big things for Vanilla, on the offset that it requires a Savegame file and a specialized WAD file to enable this thing.

But let's wait on KGSWS's example of how this works visually. I'm convinced that will sell the hack/implementation significantly.

10 hours ago, Doomkid said:
> Graf swoops right in with no delay to shit on anything that doesn’t appeal to him personally. How in-character of you, Graf! I think this is awesome, I’d love to see it pursued more! After seeing code execution in Super Mario World, I always wondered if something similar would be possible in vanilla Doom..

I'm more surprised by his doubts since this is as far removed from GZDoom as possible. There are plenty of Vanilla projects out there and in development that would actively welcome such a thing. Heck, ideally I'd love to see vanilla authors use executable hacks like Doom32 or Doom-plus more as a subgenre of Vanilla stuff. Of course, this will abstain the audience from being able to run in pure Vanilla since you now require an exe hack, so Doom-Ace is significant news in that department as well, because you are still able to run this in the original engine. You just need a Savegame file and a modified WAD to implement any changes.

I can imagine this Doom-Ace hack can also work with Doom-Plus as well. Imagine the possibilities you can have there: Raised static limits + custom code injection in the vanilla core. It could be a whole new genre of Doom works: Not a source port, not even an exe hack in the defined sense of Doom, but some kind of code sideloader that does not affect Vanilla whatsoever.

That's an instant Cacoward right there. I am not even Doomkidding. If this does what it says on the tin, it's easily one of the biggest achievements this year that deserves widespread media attention.

Edited September 29, 2020 by Redneckerz slight clarity.

Graf Zahl Posted September 29, 2020

14 hours ago, LiT_gam3r said:
> I know this is already a hyperbole, but I don't even think 1/2 of the DOOM players play with source port. I think this is a cute idea, and I think Kgsws should go for it!

Yes, the other half will probably use the Unity version, not Doom2.exe. But you are forgetting something else: Those who really still use the DOS Exe aside from those making an explicit choice are highly unlikely to ever play any mod.

seed Posted September 29, 2020

Not to mention DOSBox is preferred, when alternatives exist, by nostalgics longing for the '90s feel with all its drawbacks and inconveniences... So no, the majority of the base does use ports, a part will use the Unity remaster now, and nostalgics DOSBox.

URROVA Posted September 29, 2020 (edited)

I hope that this method of modding will be more accessible for modders, eg somebody creates a program that makes code for adding animated textures, and with this the modders without lots of programming skills can no spend a lot of time trying to learn difficult programming languages like ASM.

This method works on doomhacks?

Edited September 29, 2020 by URROVA

Noiser Posted September 29, 2020 (edited)

8 hours ago, Graf Zahl said:
> Yes, the other half will probably use the Unity version, not Doom2.exe. But you are forgetting something else: Those who really still use the DOS Exe aside from those making an explicit choice are highly unlikely to ever play any mod.

[citation needed] Sorry, I don't see any correlation between the two. People who play on DOS simply like to play on DOS.

By that logic, you could say that they would never touch custom content like Memento Mori or BTSX, which is not true. Just recently someone appeared playing Rowdy Rude 2 on DOSBOX, a highly modified mod with custom enemies and weapons. The same for REKKR, Doom Zero, my own mod or many other vanilla projects. I know it because I'm always seeing that. The nostalgic feeling is on the engine itself, not on levels or mods.

Also, being able to improve modding means there will be more content for it, maybe even brand new games like REKKR, which is always a good thing. Ignoring the commercial aspect, I would compare that to games like Xeno Crisis or Tanglewood, two Sega Genesis projects from 2019. It's a niche public but they surely exist, even by younger people who are curious about retro engines.

Edited September 29, 2020 by Noiser

Graf Zahl Posted September 29, 2020

1 hour ago, Noiser said:
> [citation needed] Sorry, I don't see any correlation between the two. People who play on DOS simply like to play on DOS.

Way to go to (intentionally) misread my statement! So please go back, read it again, and make sure to take it in completely!

1 hour ago, Noiser said:
> By that logic, you could say that they would never touch custom content like Memento Mori or BTSX, which is not true. Just recently someone appeared playing Rowdy Rude 2 on DOSBOX, a highly modified mod with custom enemies and weapons. The same for REKKR, Doom Zero, my own mod or many other vanilla projects. I know it because I'm always seeing that. The nostalgic feeling is on the engine itself, not on levels or mods. Also, being able to improve modding means there will be more content for it, maybe even brand new games like REKKR, which is always a good thing. Ignoring the commercial aspect, I would compare that to games like Xeno Crisis or Tanglewood, two Sega Genesis projects from 2019. It's a niche public but they surely exist, even by younger ones who are curious about retro engines.

Reality check: All those mods you named work with the entire slate of modern source ports. None of them requires the DOS EXE, and some, like BTSX, even go out of their way to work as smoothly as possible with all modern ports by providing custom MAPINFOs for various ports and tall skies.

Which is where the real problem lies: You need to find people who would be willing to work for a project the vast majority of potential users would just shrug off and ignore for technical reasons alone. I've seen these "sensational discoveries" pop up on occasion, people who have a strong attachment to the vanilla EXE getting very excited and seeing a bright future ahead, but once the thing dies off after a few weeks, nothing more will happen, because for the actual artists who need to create the content it holds no interest.

Cacodemon345 Posted September 29, 2020

My biggest concern is that this Doom ACE exploit could be used to make custom content with more exclusive features for vanilla DOS Doom and a reduced feature set for other ports. I hope this does not come to be true, because I come here to play stuff on GZDoom, PrBoom+ and other source ports assuming full features.

wallabra Posted September 29, 2020 (edited)

17 minutes ago, Cacodemon345 said:
> My biggest concern is that this Doom ACE exploit could be used to make custom content with more exclusive features for vanilla DOS Doom and a reduced feature set for other ports. I hope this does not come to be true, because I come here to play stuff on GZDoom, PrBoom+ and other source ports assuming full features.

Yes, that is a good point. I think this is the real issue here, in this instance. Not "audience".

Edited September 29, 2020 by Gustavo6046