
DOS Doom Code Execution


kgsws


20 hours ago, URROVA said:

Very complex if I have to program it in assembler. I don't know any shit about assembler :'( but I hope that someday some compiler for C/C++ or another language friendlier than x86 ASM will be released.

This is only an example for now. A proof of concept. C will be used for modding, once I do all the required ASM work.

This is what I am asking: should I do it? Would people even use it?
 

18 hours ago, OpenRift said:

So let me get this straight... This savegame exploit could allow for significantly more complex mods for DOS Doom's exe, without even needing to use dehacked??

Yes. Just launch the game with correct parameters (-file mod.wad -loadgame doomsavH.dsg) and boom.

 

18 hours ago, Doomkid said:

Graf swoops right in with no delay to shit on anything that doesn’t appeal to him personally. How in-character of you, Graf!

Graf is correct. I was thinking exactly the same thing. That is why I am asking here.

 

9 hours ago, Redneckerz said:

Where DoomHack would allow you to change codepointers (through DeHacked), Doom_Ace (or whatever it's going to be called) allows custom code to be injected.

Even stuff like not returning to the Doom code and running another custom game. Which is not Doom modding anymore of course ...

But yeah, my intention is to allow for new functionality to be added.

 

9 hours ago, Redneckerz said:

But yes - this is complex. And if such possibilities are, well, possible, it's only really attainable in DOS Doom I can imagine, because you are essentially introducing new code at runtime without affecting the vanilla exe. It would definitely give Vanilla Doom a feature that source ports can only match with either very advanced scripting or direct source code changes.

That is exactly how my API would work. As if you were extending the game using its source code.

 

9 hours ago, Redneckerz said:

But let's wait on KGSWS's example of how this works visually. I'm convinced that will sell the hack/implementation significantly.

Yeah. I think I can have something ready at the end of the weekend.

I am gonna rework this exploit for Doom2 first though. (that would take a minimal amount of time)

 

9 hours ago, Redneckerz said:

I'm more surprised by his doubts since this is as far removed from GZDoom as possible. There are plenty of Vanilla projects out there and in development that would actively welcome such a thing.

Well, this allows you to change so much it won't even be vanilla anymore.

 

9 hours ago, Redneckerz said:

I can imagine this Doom-Ace hack can also work with Doom-Plus as well. Imagine the possibilities you can have there: Raised static limits + custom code injection in the vanilla core.

Since you can change anything with the savegame exploit, you can extend those limits too. Just patch everything at runtime.

Easy to say though ...

 

6 hours ago, seed said:

Not to mention DOSBox is preferred, when alternatives exist, by nostalgics longing for the '90s feel with all its drawbacks and inconveniences...

This might be worked around by creating a useful LE loader. Well, better than my working debugging hack at least.

I guess the important thing is that mods will be 100% compatible with the original DOS version and can run under DOS (FreeDOS).

 

3 hours ago, URROVA said:

I hope that this method of modding will be more accessible for modders, e.g. somebody creates a program that makes code for adding animated textures, and with this the modders without lots of programming skills don't have to spend a lot of time trying to learn difficult programming languages like ASM.

 

Does this method work on doomhacks?

I would make some code generators for new animations, mobj types ... well basically DECORATE converted to C that would be then compiled. And ANIMDEFS ... and stuff.

But that would be later, and it is what I am asking about. My first example would be just C code. And without an official API. Just a showcase.

And what do you mean by "doomhacks"?

 

43 minutes ago, Graf Zahl said:

Reality check: All those mods you named work with the entire slate of modern source ports. None of them requires the DOS EXE, and some, like BTSX, even go out of their way to work as smoothly as possible with all modern ports by providing custom MAPINFOs for various ports and tall skies.

 

Which is where the real problem lies: You need to find people who would be willing to work for a project the vast majority of potential users would just shrug off and ignore for technical reasons alone. I've seen these "sensational discoveries" pop up on occasion, people who have a strong attachment to the vanilla EXE getting very excited and seeing a bright future ahead, but once the thing dies off after a few weeks, nothing more will happen, because for the actual artists who need to create the content it holds no interest.

True concerns. Exactly what I was thinking. That is why I specifically asked:
"Would there be any interest at all? Not just playing with it, but seriously creating advanced mods for original DOS Doom."

 

33 minutes ago, Cacodemon345 said:

My biggest concern is that this Doom ACE exploit could be used to make custom content with more exclusive features for vanilla DOS Doom and a reduced feature set for other ports.

 

I hope this does not come to be true, because I come here to play stuff on GZDoom, PrBoom+ and other source ports assuming full features.

Yeah.

While GZDoom is very advanced and can do a lot like this exploit allows for DOS DOOM, it would require authors to code the thing twice. And other source ports? I do not know.

 

 

Maybe a better LE Loader? This kind of acts as a source port, without the actual source code. It would still lock you at the stock resolution though (well, rescaled, but ...) and the x86 arch.

(Check out the EXE Hacking thread I mentioned in the top post if you do not know about LE Loader)

Edited by kgsws


As a curiosity this is cool, but only as such. I run a refurb workshop for a charity and sometimes we are given old computers from that era. It can be kinda fun tracking down Win2K SP4 and obscure device drivers for them, searching to find out what model it is when most of the labels have worn out, etc. But I'd never use them in production or even dev, so we sell them to vintage PC collectors or people who need an old obscure software package to run a 30 year old milling machine or whatever. Or indeed to play Vanilla Doom on bare metal :) In short, there's plenty of room for old-skool stuff like this as curiosities, but I would feel uncomfortable to see the modding space fragmented any further. There are way too many source ports as it is :(

OT: If you like seeing old electronic stuff resurrected from the dead and have Twitter, check out foone and TubeTimeUS.


 

5 minutes ago, kgsws said:

And what do you mean by "doomhacks"?

Doomhack, ehhh dehacked versions of original doom2.exe

On 9/29/2020 at 3:13 PM, Graf Zahl said:

Reality check: All those mods you named work with the entire slate of modern source ports. None of them requires the DOS EXE, and some, like BTSX, even go out of their way to work as smoothly as possible with all modern ports by providing custom MAPINFOs for various ports and tall skies.

That's not my point. You said that people who still use DOS "are highly unlikely to ever play any mod" and I'm just stating how false that is. If I misinterpreted your post I'm sorry but I can't see it at all.
 

On 9/29/2020 at 3:13 PM, Graf Zahl said:

I've seen these "sensational discoveries" pop up on occasion, people who have a strong attachment to the vanilla EXE getting very excited and seeing a bright future ahead, but once the thing dies off after a few weeks, nothing more will happen, because for the actual artists who need to create the content it holds no interest.

You surely like to make these kinds of assumptions, don't you? I'm not neglecting that we are talking about a small group of people or that anything related to it would be less common or frequent. I just don't think this is a problem per se. Projects can be made by even less than that, sometimes by just one person.
 

On 9/29/2020 at 3:23 PM, Cacodemon345 said:

My biggest concern is that this Doom ACE exploit could be used to make custom content with more exclusive features for vanilla DOS Doom and a reduced feature set for other ports.

Doom always had exclusive mods for EDGE, GZDoom, Eternity, Doomsday, etc. It wouldn't be much different here. Converting them to other ports may be a possibility I think, at least in some cases - as I did with D4V by swapping dehacked with decorate to make it more compatible with GZDoom. I know it's not the same thing but I think there are some ways of doing it.

Edited by Noiser

2 hours ago, Graf Zahl said:

Reality check: All those mods you named work with the entire slate of modern source ports. None of them requires the DOS EXE, and some, like BTSX, even go out of their way to work as smoothly as possible with all modern ports by providing custom MAPINFOs for various ports and tall skies.

Doom-Plus still exists. Doom32 was specifically crafted for BTSX in mid development. Chocorenderlimits was made after a Vanilla project. As long as there are mod authors trying to push the original boundaries, new tools will be made that allow that to happen. That's the magic of working in Vanilla.

 

You don't have any of that in GZDoom because it's all laid out already for the modder in question. That's why people call it so mod-friendly - because it is. But for some people, pioneering new ground is more interesting than starting off with a ready-to-go toolbox (GZDoom).

 

Neither road is wrong or better than the other. So why argue that it is?

2 hours ago, Graf Zahl said:

I've seen these "sensational discoveries" pop up on occasion, people who have a strong attachment to the vanilla EXE getting very excited and seeing a bright future ahead, but once the thing dies off after a few weeks, nothing more will happen, because for the actual artists who need to create the content it holds no interest.

Maybe the next time you raise the OpenGL requirements because GZDoom needs to move forward, you may as well make sure the thing runs equally well on all major vendors instead of throwing the book at it and either saying you don't have a card of that vendor for use or that that vendor's driver is particularly shitty.

 

You have no horse in the Vanilla race, Graf. So why be bothered criticizing it, when it's not the corner where you play Doom? Equally so the opposite would hold true: Nobody gains anything by randomly and consistently trashing GZDoom for reasons you cannot do anything about. It wouldn't be fair.

 

So why would it be fair for you when it comes to Vanilla Doom? Why would it be fair for you when it comes to Eternity? Because it cannot be any deeper resentment that goes back years.

2 hours ago, Cacodemon345 said:

My biggest concern is that this Doom ACE exploit could be used to make custom content with more exclusive features for vanilla DOS Doom and a reduced feature set for other ports.

 

I hope this does not come to be true, because I come here to play stuff on GZDoom, PrBoom+ and other source ports assuming full features.

I think it would inspire a genre of its own really. A pseudo-port that works with Vanilla exes. Using it would simply be distributing that Savegame file and the modded wad file and that would be it. A new mod framework for Vanilla, really.

 

I believe it will do just fine.

2 hours ago, kgsws said:

Even stuff like not returning to the Doom code and running another custom game. Which is not Doom modding anymore of course ...

But yeah, my intention is to allow for new functionality to be added.

 

That is exactly how my API would work. Like if you would extend the game using its source code.

So this would mean we could quite literally run Doom within Doom. Besides a hilarious thought experiment, that's impressive.

2 hours ago, kgsws said:

Since you can change anything with savegame exploit, you can extend those limits too. Just patch everything at a runtime.

Easy to say though ...

IF everything can be changed like that, then I can see some Frankensteinian contraptions being made that use the stock exe but introduce so many new changes to the stock tech that it requires it. Who is to say you can't introduce new renderer capabilities, all without actually touching the vanilla works?

This reminds me a little of how the Wolf3d community does things - distributing a custom exe, usually based off Wolf4SDL, full of renderer changes. Except that's in-source, whereas this is a Loader-injector.

Of course the interest for this will be there, but the one major factor that will contribute to it is visual examples and documentation. When you can demonstrate what this can do and you explain how someone can do things (heck, in a GUI way even?) then this has everything going for it to go south.

At the same time, I feel I have to say that all of this work is pioneering work in the first place. LE Loader and this Doom Ace are a new intermediate kind of thing that has yet to be really defined. It's not a source port, but it exhibits qualities of one. It's not an executable hack, since it does not directly affect the stock executable. It's not a source modification, because you are injecting custom code.

 

So this is a new playing field really. And that to me is what makes this so exciting.

 

9 minutes ago, Doomkid said:

I don’t even see why any of this has to be an argument. DosBox dooming has appeal to only a niche demographic, so obviously anything being done pertaining to DosBox dooming is going to have only niche appeal. It’s obvious and certainly not worth having a shitfight over.


Graf does have a tendency to be as negative as possible about stuff he isn’t personally interested in though and it becomes grating. The Eternity Engine for example is just some “little project”, and now this.

Vocalizing some of my darker thoughts here for relevancy, but I can't help but think he stated what he stated because it may take potential folks away from GZDoom?

 

This assumption is not based on reality, but given what this sets out to do and what GZ can deliver, it's not the most illogical thought to have. The execution however, is. Because this "custom script loader", for better or worse, won't suddenly make people jump to vanilla again.

 

If there is any remote comparison, this would be something like ZScript but for Vanilla. Having that there is great, but it does not take away any shine from GZDoom's sun with its multitude of script supports and renderer improvements. So I am kinda at odds why Graf tends to belittle other ports/interesting hacks as less prevalent when there is no basis for it.*

 

*And I'm actually a huge proponent of Graf's work and GZDoom in general, so it makes no sense to me as to why he would do so.

9 minutes ago, Doomkid said:

 

There definitely would be a small but dedicated group who would be highly interested in seeing this further developed. If a lack of mass appeal is the bar for whether or not it's worth it, then it probably isn't. So yes, Graf is correct from that one perspective.

But for those who make Vanilla mods this is huge. Someone like Essel would definitely tinker with this just from a "because I can" perspective. Someone like Ling or Randy would toy with this as well. No doubt this requires some significant skill to be done, but that niche that digs this is also the niche that made Doom-Plus a thing.

And there is nothing wrong with Vanilla trickery and pushing the original engine in odd directions. Nobody is harmed by doing this, which makes Graf's belittling of it (and Eternity) even more strange, especially when it reads like Graf used Doom's RNG when making those posts.

3 hours ago, Cacodemon345 said:

My biggest concern is that this Doom ACE exploit could be used to make custom content with more exclusive features for vanilla DOS Doom and a reduced feature set for other ports.

 

I hope this does not come to be true, because I come here to play stuff on GZDoom, PrBoom+ and other source ports assuming full features.

 

This is such strange concern trolling considering no such DOS mods even exist. Imagine if you saw a thread about a GZDoom mod where a poster says that they were concerned that such projects excluded DOS users, and the poster came to the thread looking for content for DOS Doom. They would be rightly laughed out of the thread for their absurd entitlement.

2 hours ago, Noiser said:

That's not my point. You said that people who still use DOS "are highly unlikely to ever play any mod" and I'm just stating how false that is. If I misinterpreted your post I'm sorry but I can't see it at all.

This started from Lit saying that more than half of the players don't use a source port. The idea is that the majority of the people who use DOS do that by default, because they don't know about the modding scene and source ports and all that stuff, they've just installed the game from Steam or GOG and play it this way. Obviously anyone who frequents Doomworld is not going to belong to this specific demographic.

 

And also obviously, this is a lot less true now that on Steam the default way to play Doom is through the Unity ports.


As someone who finds DOSBox really not worth the trouble, I'd use it in a heartbeat to try out mods exclusive to this hack that may come about. I can't stand GZDoom either, but I'll still use it if there's a mod I want to try out.


Huh, I'm waiting till a massive, multi-page-spanning, grinding, OFF-TOPIC debate begins and burns out till the closure of this thread. Tl;DR source ports suck, everybody hail John Carmack and his long hair of interdimensional wisdom and his code that transcends realities. Now back to the save file exploit discussion...

5 minutes ago, Gustavo6046 said:

Huh, I'm waiting till a massive, multi-page-spanning, grinding, OFF-TOPIC debate begins and burns out till the closure of this thread. Tl;DR source ports suck, everybody hail John Carmack and his long hair of interdimensional wisdom and his code that transcends realities. Now back to the save file exploit discussion...

OP wanted to gauge interest, Graf decided to argue against it on behalf of everyone who uses a source port, I'm here to say that I exclusively use source ports and am very excited about this. Nothing more, nothing less.

18 minutes ago, maxmanium said:

It seems like Graf always derails these types of threads -- I've seen a few threads either forked or closed completely as a result.

Maybe as a funky experiment see how moddable a GZ savefile is.

 

But onto other matters. Arbitrary custom code injection would be a novel first - without direct permanent source changes.

36 minutes ago, Dragonfly said:

What a disheartening thread to read. Why whenever DOS / vanilla EXE becomes the subject does the discussion turn into a semi-hostile shitshow? Pack it in, jeez.

Purist bad, apparently

23 hours ago, kgsws said:

Oh well.

I will try to make something that will show the potential of savegame code execution. This will take some time. It will be a custom map.

 

Also, I will replace the existing example with something better ASAP. Something like a mini-game so even non-Doom people can better understand what happened.

This will be a good way to figure out some basics for a more advanced modding API.

I am all ears to this, KGSWS :)


Ok. I was experimenting with GCC and got something. It can be turned into a future modding API, if needed.

Try this now. Again in The Ultimate Doom v1.9, no PWADs required.

https://github.com/kgsws/doom_ace/tree/master/savegame

 

I would appreciate it if anyone could test this on real hardware. I have only tried DOSBox.

 

Keep in mind this is only a code execution example that at least does something ... something obvious. (It's a snake game.)

It is not (yet) a modding API. It's a beginning.

For anyone interested, see the sources on GitHub. Maybe you will find a way to make it better.

 

I am still thinking about a custom map example. But that would take a few days. Let's see reactions first.

35 minutes ago, kgsws said:

Ok. I was experimenting with GCC and got something. It can be turned into a future modding API, if needed.

Try this now. Again in The Ultimate Doom v1.9, no PWADs required.

https://github.com/kgsws/doom_ace/tree/master/savegame

 

I would appreciate it if anyone could test this on real hardware. I have only tried DOSBox.

 

Keep in mind this is only a code execution example that at least does something ... something obvious. (It's a snake game.)

It is not (yet) a modding API. It's a beginning.

For anyone interested, see the sources on GitHub. Maybe you will find a way to make it better.

 

I am still thinking about a custom map example. But that would take a few days. Let's see reactions first.

 

Cool! It reminds me of some Pokemon ACE where some guys programmed a snake game only by ordering Pokemon in a box xD

Edited by URROVA

39 minutes ago, kgsws said:

Ok. I was experimenting with GCC and got something. It can be turned into a future modding API, if needed.

Try this now. Again in The Ultimate Doom v1.9, no PWADs required.

https://github.com/kgsws/doom_ace/tree/master/savegame

 

I would appreciate it if anyone could test this on real hardware. I have only tried DOSBox.

 

Keep in mind this is only a code execution example that at least does something ... something obvious. (It's a snake game.)

It is not (yet) a modding API. It's a beginning.

For anyone interested, see the sources on GitHub. Maybe you will find a way to make it better.

 

I am still thinking about a custom map example. But that would take a few days. Let's see reactions first.

Oh my god holy shit

1 hour ago, kgsws said:

Once I found a working entrypoint it was really easy, again, thanks to Randy87. Those map files make things a lot faster.

 

No, thank you! Playing snake while watching Doom demos play in the background is not something I would have ever expected to see! I'm very glad someone tackled arbitrary code execution in Doom. There just had to be an exploit somewhere. Doom's highly unchecked save behavior was certainly the hot spot. Now I'm curious if there's some means using a wad file...


This is neat as hell.

Would've been interesting to see this being discovered in the 90's. The direction source ports took might've been completely different.

Then again, at some point you have to bid adieu to backwards compatibility and worry about the future I suppose. Or just start emulating everything, the DOSbox route.

13 hours ago, kgsws said:

Ok. I was experimenting with GCC and got something. It can be turned into a future modding API, if needed.

Try this now. Again in The Ultimate Doom v1.9, no PWADs required.

https://github.com/kgsws/doom_ace/tree/master/savegame

 

I would appreciate it if anyone could test this on real hardware. I have only tried DOSBox.

 

Keep in mind this is only a code execution example that at least does something ... something obvious. (It's a snake game.)

It is not (yet) a modding API. It's a beginning.

For anyone interested, see the sources on GitHub. Maybe you will find a way to make it better.

 

I am still thinking about a custom map example. But that would take a few days. Let's see reactions first.

So like the Doom 2 savegame posted later, this now does not need a modified WAD anymore for it to work, rather it only needs a savegame file?

 

Seeing the video and seeing what this does: Fantastic example. There are so many things possible with this - you could recreate Nibbles from Catacombs as its own minigame with its own menu, within Doom, I imagine.

 

That modding API you speak of is definitely the way to go.

 

Actually I am at a loss for words. I don't care if this is seen as overreacting - but this is hands down one of, if not the biggest Doom community related development of the year. Yes, even besting FastDoom. It's that impressive.

 

@JadingTsunami you may want to see this considering your efforts with VULD. It's obviously a different branch of Vanilla modding, but I have the feeling this will make you feel equally giddy. :)

 

6 hours ago, Randy87 said:

 

No, thank you! Playing snake while watching Doom demos play in the background is not something I would have ever expected to see! I'm very glad someone tackled arbitrary code execution in Doom. There just had to be an exploit somewhere. Doom's highly unchecked save behavior was certainly the hot spot. Now I'm curious if there's some means using a wad file...

Randy, equally from my end thank you for those IDA databases and for proving that new behavior is possible with a modified savegame file. Except for Ling it (the IDA db) was rather ignored back in the day, but it's great to see it put to such splendid use.

It almost feels like how the history of computing came to be: Someone has a theory, posts a proof-of-concept, throws in a paper, and others use that idea to achieve new goals. It's brilliant to see in motion.

3 hours ago, Revae said:

This is neat as hell.

Would've been interesting to see this being discovered in the 90's. The direction source ports took might've been completely different.

Then again, at some point you have to bid adieu to backwards compatibility and worry about the future I suppose. Or just start emulating everything, the DOSbox route.

REKKR 2 with Doom ACE exploits, when? :P

16 hours ago, Randy87 said:

Doom's highly unchecked save behavior was certainly the hot spot. Now I'm curious if there's some means using a wad file...

I was looking for early execution exploits in WADs but no luck so far. Of course there is R_RenderBSPNode, but that would just mess up everything. If usable at all.

The other option is the spechit overflow, probably by overwriting colfunc. But that would make a mess too.

And neither of these options is as early as I would like.

 

7 hours ago, Redneckerz said:

So like the Doom 2 savegame posted later, this now does not need a modified WAD anymore for it to work, rather that it only needs a savegame file?

Savegame only indeed. But that is only important for the snake example. You would want to include your mod in the WAD file anyway.

By the way, the Doom2 exploit actually runs a few instructions from sector 0. Yes. Executable code in sector data. (You can check out readme.md on GitHub.)

 

I have updated the loader to load code from the WAD file.

Now I am slowly working on a proper example mod. Starting with easy stuff. It won't be that fast for a few days (work) so most features will be added at the weekend.

I can post periodic updates. Or should I rather not spam this thread? Maybe screenshots won't tell much, it looks like any source port :)

 

Snímek z 2020-10-04 19-14-24.png

Edited by kgsws

46 minutes ago, kgsws said:

I have updated the loader to load code from the WAD file.

Now I am slowly working on a proper example mod. Starting with easy stuff. It won't be that fast for a few days (work) so most features will be added at the weekend.

I can post periodic updates. Or should I rather not spam this thread? Maybe screenshots won't tell much, it looks like any source port :)

 

Snímek z 2020-10-04 19-14-24.png

 

Nice! I'm also quite curious about how adding looking up/down (like HERETIC has it) would work out. However I'm really terrible at programming at the moment, but I could look around how I'd imagine it. I usually play with WASD keys so I mount up at the 'Q' key and down at the 'E' key. As for changing those controls, perhaps adding a menu option like "Other Controls" might work.

 

Then again, keep up the great work!

