DOSBox Static Addresses

Dread_Pony_Roberts
Table Makers
Posts: 521
Joined: Sun Dec 09, 2018 8:46 am
Reputation: 385

Re: DOSBox Static Addresses

Post by Dread_Pony_Roberts »

That is correct

ludo1800
Noobzor
Posts: 6
Joined: Sun Jul 21, 2019 3:37 pm
Reputation: 1

Re: DOSBox Static Addresses

Post by ludo1800 »

Hmmmm, I try to launch with the standard version of DOSBOX...
It launches... I get the menu "Start / Settings / exit", I get the intro video, but if I press [Escape], I'm out, the program closes itself. And if I let the video go to its end, I get stuck with the image of Driscoll in his room, only [Escape] works and ends the program...

I'm afraid I still need a little help ;) !

Dread_Pony_Roberts
Table Makers
Posts: 521
Joined: Sun Dec 09, 2018 8:46 am
Reputation: 385

Re: DOSBox Static Addresses

Post by Dread_Pony_Roberts »

Hmm, that's odd. It worked fine for me.

Now that I think of it, you could probably take GOG's shortcuts and link them to your own DOSBox.exe. I would put the DOSBox's folder in the game's folder and change the DOSBox's folder name to something like (DOSBOX SAFE). That should future-proof it so you can cheat away.

I created the rest before I thought of that method. You can continue reading if that method doesn't work or you want to learn a bit more about how DOSBox works. If nothing works then it could be your DOSBox itself that is not working.

I'll give you a shortcut and config that should work for Albion so we can try to troubleshoot the problem.

The shortcut should look like
"(path to DOSBox)\DOSBox.exe" -conf "(path to conf)\dosbox_albion.conf"
You can add (-noconsole -c exit) to the end of the shortcut; this will remove the console and exit when you press the exit button in the game. It is best not to add this until you know that the game works, otherwise it will exit when the game crashes and you won't have a console to see what's happening.

The config should look like
# This is the configurationfile for DOSBox 0.74. (Please use the latest version of DOSBox)
# Lines starting with a # are commentlines and are ignored by DOSBox.
# They are used to (briefly) document the effect of each option.

[sdl]
# fullscreen: Start dosbox directly in fullscreen. (Press ALT-Enter to go back)
# fulldouble: Use double buffering in fullscreen. It can reduce screen flickering, but it can also result in a slow DOSBox.
# fullresolution: What resolution to use for fullscreen: original or fixed size (e.g. 1024x768).
# Using your monitor's native resolution with aspect=true might give the best results.
# If you end up with small window on a large screen, try an output different from surface.
# windowresolution: Scale the window to this size IF the output device supports hardware scaling.
# (output=surface does not!)
# output: What video system to use for output.
# Possible values: surface, overlay, opengl, openglnb, ddraw.
# autolock: Mouse will automatically lock, if you click on the screen. (Press CTRL-F10 to unlock)
# sensitivity: Mouse sensitivity.
# waitonerror: Wait before closing the console if dosbox has an error.
# priority: Priority levels for dosbox. Second entry behind the comma is for when dosbox is not focused/minimized.
# pause is only valid for the second entry.
# Possible values: lowest, lower, normal, higher, highest, pause.
# mapperfile: File used to load/save the key/event mappings from. Resetmapper only works with the defaul value.
# usescancodes: Avoid usage of symkeys, might not work on all operating systems.

fullscreen=true
fulldouble=false
fullresolution=original
windowresolution=original
output=surface
autolock=true
sensitivity=100
waitonerror=true
priority=higher,normal
mapperfile=mapper-0.74.map
usescancodes=true

[dosbox]
# language: Select another language file.
# machine: The type of machine tries to emulate.
# Possible values: hercules, cga, tandy, pcjr, ega, vgaonly, svga_s3, svga_et3000, svga_et4000, svga_paradise, vesa_nolfb, vesa_oldvbe.
# captures: Directory where things like wave, midi, screenshot get captured.
# memsize: Amount of memory DOSBox has in megabytes.
# This value is best left at its default to avoid problems with some games,
# though few games might require a higher value.
# There is generally no speed advantage when raising this value.

language=
machine=svga_s3
captures=capture
memsize=16

[render]
# frameskip: How many frames DOSBox skips before drawing one.
# aspect: Do aspect correction, if your output method doesn't support scaling this can slow things down!.
# scaler: Scaler used to enlarge/enhance low resolution modes.
# If 'forced' is appended, then the scaler will be used even if the result might not be desired.
# Possible values: none, normal2x, normal3x, advmame2x, advmame3x, advinterp2x, advinterp3x, hq2x, hq3x, 2xsai, super2xsai, supereagle, tv2x, tv3x, rgb2x, rgb3x, scan2x, scan3x.

frameskip=0
aspect=false
scaler=normal2x

[cpu]
# core: CPU Core used in emulation. auto will switch to dynamic if available and appropriate.
# Possible values: auto, dynamic, normal, simple.
# cputype: CPU Type used in emulation. auto is the fastest choice.
# Possible values: auto, 386, 386_slow, 486_slow, pentium_slow, 386_prefetch.
# cycles: Amount of instructions DOSBox tries to emulate each millisecond.
# Setting this value too high results in sound dropouts and lags.
# Cycles can be set in 3 ways:
# 'auto' tries to guess what a game needs.
# It usually works, but can fail for certain games.
# 'fixed #number' will set a fixed amount of cycles. This is what you usually need if 'auto' fails.
# (Example: fixed 4000).
# 'max' will allocate as much cycles as your computer is able to handle.
#
# Possible values: auto, fixed, max.
# cycleup: Amount of cycles to decrease/increase with keycombo.(CTRL-F11/CTRL-F12)
# cycledown: Setting it lower than 100 will be a percentage.

core=auto
cputype=auto
cycles=max
cycleup=1000
cycledown=1000

[mixer]
# nosound: Enable silent mode, sound is still emulated though.
# rate: Mixer sample rate, setting any device's rate higher than this will probably lower their sound quality.
# Possible values: 44100, 48000, 32000, 22050, 16000, 11025, 8000, 49716.
# blocksize: Mixer block size, larger blocks might help sound stuttering but sound will also be more lagged.
# Possible values: 1024, 2048, 4096, 8192, 512, 256.
# prebuffer: How many milliseconds of data to keep on top of the blocksize.

nosound=false
rate=44100
blocksize=1024
prebuffer=80


[midi]
# mpu401: Type of MPU-401 to emulate.
# Possible values: intelligent, uart, none.
# mididevice: Device that will receive the MIDI data from MPU-401.
# Possible values: default, win32, alsa, oss, coreaudio, coremidi, none.
# midiconfig: Special configuration options for the device driver. This is usually the id of the device you want to use.
# See the README/Manual for more details.

mpu401=intelligent
mididevice=default
midiconfig=

[sblaster]
# sbtype: Type of Soundblaster to emulate. gb is Gameblaster.
# Possible values: sb1, sb2, sbpro1, sbpro2, sb16, gb, none.
# sbbase: The IO address of the soundblaster.
# Possible values: 220, 240, 260, 280, 2a0, 2c0, 2e0, 300.
# irq: The IRQ number of the soundblaster.
# Possible values: 7, 5, 3, 9, 10, 11, 12.
# dma: The DMA number of the soundblaster.
# Possible values: 1, 5, 0, 3, 6, 7.
# hdma: The High DMA number of the soundblaster.
# Possible values: 1, 5, 0, 3, 6, 7.
# sbmixer: Allow the soundblaster mixer to modify the DOSBox mixer.
# oplmode: Type of OPL emulation. On 'auto' the mode is determined by sblaster type. All OPL modes are Adlib-compatible, except for 'cms'.
# Possible values: auto, cms, opl2, dualopl2, opl3, none.
# oplemu: Provider for the OPL emulation. compat might provide better quality (see oplrate as well).
# Possible values: default, compat, fast.
# oplrate: Sample rate of OPL music emulation. Use 49716 for highest quality (set the mixer rate accordingly).
# Possible values: 44100, 49716, 48000, 32000, 22050, 16000, 11025, 8000.

sbtype=sb16
sbbase=220
irq=7
dma=1
hdma=5
sbmixer=true
oplmode=auto
oplemu=default
oplrate=44100

[gus]
# gus: Enable the Gravis Ultrasound emulation.
# gusrate: Sample rate of Ultrasound emulation.
# Possible values: 44100, 48000, 32000, 22050, 16000, 11025, 8000, 49716.
# gusbase: The IO base address of the Gravis Ultrasound.
# Possible values: 240, 220, 260, 280, 2a0, 2c0, 2e0, 300.
# gusirq: The IRQ number of the Gravis Ultrasound.
# Possible values: 5, 3, 7, 9, 10, 11, 12.
# gusdma: The DMA channel of the Gravis Ultrasound.
# Possible values: 3, 0, 1, 5, 6, 7.
# ultradir: Path to Ultrasound directory. In this directory
# there should be a MIDI directory that contains
# the patch files for GUS playback. Patch sets used
# with Timidity should work fine.

gus=false
gusrate=44100
gusbase=240
gusirq=5
gusdma=3
ultradir=C:\ULTRASND

[speaker]
# pcspeaker: Enable PC-Speaker emulation.
# pcrate: Sample rate of the PC-Speaker sound generation.
# Possible values: 44100, 48000, 32000, 22050, 16000, 11025, 8000, 49716.
# tandy: Enable Tandy Sound System emulation. For 'auto', emulation is present only if machine is set to 'tandy'.
# Possible values: auto, on, off.
# tandyrate: Sample rate of the Tandy 3-Voice generation.
# Possible values: 44100, 48000, 32000, 22050, 16000, 11025, 8000, 49716.
# disney: Enable Disney Sound Source emulation. (Covox Voice Master and Speech Thing compatible).

pcspeaker=true
pcrate=44100
tandy=auto
tandyrate=44100
disney=true

[joystick]
# joysticktype: Type of joystick to emulate: auto (default), none,
# 2axis (supports two joysticks),
# 4axis (supports one joystick, first joystick used),
# 4axis_2 (supports one joystick, second joystick used),
# fcs (Thrustmaster), ch (CH Flightstick).
# none disables joystick emulation.
# auto chooses emulation depending on real joystick(s).
# (Remember to reset dosbox's mapperfile if you saved it earlier)
# Possible values: auto, 2axis, 4axis, 4axis_2, fcs, ch, none.
# timed: enable timed intervals for axis. Experiment with this option, if your joystick drifts (away).
# autofire: continuously fires as long as you keep the button pressed.
# swap34: swap the 3rd and the 4th axis. can be useful for certain joysticks.
# buttonwrap: enable button wrapping at the number of emulated buttons.

joysticktype=auto
timed=true
autofire=false
swap34=false
buttonwrap=false

[serial]
# serial1: set type of device connected to com port.
# Can be disabled, dummy, modem, nullmodem, directserial.
# Additional parameters must be in the same line in the form of
# parameter:value. Parameter for all types is irq (optional).
# for directserial: realport (required), rxdelay (optional).
# (realport:COM1 realport:ttyS0).
# for modem: listenport (optional).
# for nullmodem: server, rxdelay, txdelay, telnet, usedtr,
# transparent, port, inhsocket (all optional).
# Example: serial1=modem listenport:5000
# Possible values: dummy, disabled, modem, nullmodem, directserial.
# serial2: see serial1
# Possible values: dummy, disabled, modem, nullmodem, directserial.
# serial3: see serial1
# Possible values: dummy, disabled, modem, nullmodem, directserial.
# serial4: see serial1
# Possible values: dummy, disabled, modem, nullmodem, directserial.

serial1=dummy
serial2=dummy
serial3=disabled
serial4=disabled

[dos]
# xms: Enable XMS support.
# ems: Enable EMS support.
# umb: Enable UMB support.
# keyboardlayout: Language code of the keyboard layout (or none).

xms=true
ems=true
umb=true
keyboardlayout=auto

[ipx]
# ipx: Enable ipx over UDP/IP emulation.

ipx=false

[autoexec]
mount c ".."
imgmount d "..\game.ins" -t iso -fs iso
c:
albion.exe
exit


GOG splits up their configs by having a base config and other configs that contain different autoexecs. This is why you find their shortcuts containing two configs like ("C:\Games\GOG Games\Albion\DOSBOX\DOSBox.exe" -conf "..\dosbox_albion.conf" -conf "..\dosbox_albion_single.conf" -noconsole -c exit). The purpose is to make them more modular so they can have a settings.config, single.config, and so on. I personally don't like it because I think it's a bit too confusing; that is why I merged them in this config.

ludo1800
Noobzor
Posts: 6
Joined: Sun Jul 21, 2019 3:37 pm
Reputation: 1

Re: DOSBox Static Addresses

Post by ludo1800 »

Well...
I confess to be on something else at this time (WoW)...
I'll try to check this more seriously later...
Again, thanks for the tips...

Csimbi
RCE Fanatics
Posts: 878
Joined: Sat Apr 29, 2017 9:04 pm
Reputation: 1203

Re: DOSBox Static Addresses

Post by Csimbi »

You know, you could just use [Link] and save/load tables there.
That was the best tool at the time (24 or so years ago) and even though it's long dead, it does still work under DOSBox very well...

SunBeam
Administration
Posts: 4703
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4287

Re: DOSBox Static Addresses

Post by SunBeam »

These days everyone wants to "learn how to do it" on the superficial level (e.g.: open this, click here, do that, works) and not "WHY DO I DO IT LIKE THIS?". So there you go, knowledge goes to waste and a handful of people can actually explain WHY they do things they do. But don't let me stop you, continue this way ;)

Marc
Table Makers
Posts: 378
Joined: Mon Mar 26, 2018 2:35 pm
Reputation: 377

Re: DOSBox Static Addresses

Post by Marc »

In case someone needs it: there is another version of DosBox (0.74G) which is being used for example in Lands of Lore 1+2 from GoG.

Code:

DosBox 0.74G:	0x1D442D0

Works like a charm with Lands of Lore 1. But in Lands of Lore 2, the game itself dynamically changes the memory addresses every time a savegame is loaded.

So I tried
  • a code injection - but the found assembler code changes too many addresses
  • an aob-to-data scan - but no working datablock found to attach
  • a pointer-scan with mem_mapped activated in the scanner settings and 32-bit-alignment plus static addresses deactivated in the pointer scanner - found some paths and changed the addresses to membase+x Offset. On the next loading of the savegame, the pointers pointed to the wrong addresses.
Any hints on that matter?

Csimbi
RCE Fanatics
Posts: 878
Joined: Sat Apr 29, 2017 9:04 pm
Reputation: 1203

Re: DOSBox Static Addresses

Post by Csimbi »

Have you guys heard of Game Wizard Pro?
Works fine under DOSBox and you can save/load tables just fine.

Marc
Table Makers
Posts: 378
Joined: Mon Mar 26, 2018 2:35 pm
Reputation: 377

Re: DOSBox Static Addresses

Post by Marc »

I even own a bought license lots of years ago :)

Problem is, we can not put GameWizard into a cheat table - and as far as I know, GW does not help against games which have dynamic memory allocation.... and I don't know how to mangle this thing into one of the GoG Builds, by the way.

daninthemix
Expert Cheater
Posts: 245
Joined: Tue Jul 18, 2017 6:31 pm
Reputation: 79

Re: DOSBox Static Addresses

Post by daninthemix »

Anyone got the base addresses for .74-3 ?

mgr.inz.Player
Cheater
Posts: 37
Joined: Fri Mar 03, 2017 8:41 am
Reputation: 42

Re: DOSBox Static Addresses

Post by mgr.inz.Player »

Steps to find pointer to Video Memory:
- launch DOSBox on default settings
- attach CE to DOSBox process
- do first scan for 4byte hex value: 1FCD1FC9
- if more than one result is found, press ENTER a few times inside the main DOSBox window (the whole text should scroll only once)
- do next scan, 4byte hex value: 1F201FBA

- there should be only one address found, add it to table
- right click it and choose pointerscan
- pointerscan settings: max offset = 128, max level = 1

(0B6EF020, yours will be different)

It will find a few pointers; add all of them to the table.

Restart dosbox, attach CE to dosbox, pick any valid pointer you want.



the trick is:
dosbox initially shows the welcome text; the first two chars in the first line are ╔ (C9) and ═ (CD)
this is C9 1F CD 1F in dosbox memory

if you scroll the text a little, the first two chars in the first line will be ║ (BA) and space (20)
this is BA 1F 20 1F in dosbox memory

White text on blue background - 1F



For DOSBox 0.74-3 pointers to video memory are:

["DOSBox.exe"+019074D4]+0
["DOSBox.exe"+01918BDC]+0
["DOSBox.exe"+01918BE0]+0
["DOSBox.exe"+01918BFC]+0
["DOSBox.exe"+01918C00]+0




For other games I'm using this

Code:

[ENABLE]
{$Lua}
-- Look for the 16MB+4KB region; AllocationProtect 4 is PAGE_READWRITE
for i,v in ipairs(enumMemoryRegions()) do
  if v.RegionSize==0x1001000 and v.AllocationProtect==4 then
    -- the region starts 0x20 bytes before the address the pointers give
    unregisterSymbol('GameMemoryStart') registerSymbol('GameMemoryStart',v.BaseAddress+0x20)
  end
end
{$Asm}

[DISABLE]
{$Lua}
unregisterSymbol('GameMemoryStart')
{$Asm}

as main script.

It finds the address of the 16MB+4KB memory region and creates a user symbol pointing to this address.

EDIT:
If you want to find a pointer, just right click "GameMemoryStart" and choose "pointer scan for this address", max level 1. Of course make a few pointer rescans too.
Last edited by mgr.inz.Player on Sun May 10, 2020 5:57 pm, edited 1 time in total.
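
The scan values from the post above, worked through as an added example (not part of the original post and not Cheat Engine code): each text-mode cell is a CP437 character byte followed by an attribute byte, and two cells read little-endian give the 4-byte hex value. The function names are made up for this illustration, and the `before`/`after` buffers are constructed sample memory with one decoy copy of the banner.

```python
import struct

def attribute(fg, bg):
    """VGA text attribute byte: background in the high nibble, foreground in the low."""
    return ((bg & 0x0F) << 4) | (fg & 0x0F)

def cells(text, attr):
    """Encode text as text-mode cells: CP437 character byte, then attribute byte."""
    return b"".join(bytes((ch, attr)) for ch in text.encode("cp437"))

def scan_value(two_chars, attr):
    """The first two cells read as one little-endian 4-byte value
    (what gets typed into a '4 byte, hex' scan)."""
    if len(two_chars) != 2:
        raise ValueError("a 4-byte scan value covers exactly two cells")
    return struct.unpack("<I", cells(two_chars, attr))[0]

def narrow(before, after, first, second):
    """Offsets that held `first` in the first snapshot and `second` in the next,
    i.e. the 'first scan' followed by the 'next scan'."""
    a, b = struct.pack("<I", first), struct.pack("<I", second)
    hits, pos = [], before.find(a)
    while pos != -1:
        if after[pos:pos + 4] == b:
            hits.append(pos)
        pos = before.find(a, pos + 1)
    return hits

WHITE_ON_BLUE = attribute(fg=0xF, bg=0x1)   # 0x1F, as in the post
FIRST = scan_value("╔═", WHITE_ON_BLUE)     # top-left of the welcome banner
SECOND = scan_value("║ ", WHITE_ON_BLUE)    # same two cells after the text scrolls

def demo():
    # Constructed 256-byte "process memory": a stale copy of the banner at 0x10
    # that never changes, and the live text buffer at 0x80.
    before = bytearray(256)
    before[0x10:0x14] = cells("╔═", WHITE_ON_BLUE)
    before[0x80:0x84] = cells("╔═", WHITE_ON_BLUE)
    after = bytearray(before)
    after[0x80:0x84] = cells("║ ", WHITE_ON_BLUE)   # only the live buffer scrolls
    return narrow(bytes(before), bytes(after), FIRST, SECOND)

if __name__ == "__main__":
    print(f"first scan : {FIRST:08X}")
    print(f"next scan  : {SECOND:08X}")
    print("surviving offsets:", [hex(o) for o in demo()])
```

The stale copy matches the first scan but not the second, which is why the post's second scan is needed when the first one returns more than one result.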

Marc
Table Makers
Posts: 378
Joined: Mon Mar 26, 2018 2:35 pm
Reputation: 377

Re: DOSBox Static Addresses

Post by Marc »

Awesome, especially the Lua Script :wub:

Many thanks for sharing that!

mgr.inz.Player
Cheater
Posts: 37
Joined: Fri Mar 03, 2017 8:41 am
Reputation: 42

Re: DOSBox Static Addresses

Post by mgr.inz.Player »

@Marc 8-)

Tested a few DOSBox versions.

This code will register user symbol VideoMemory pointing to video memory:

Code:

[ENABLE]
{$Lua}
for i,v in ipairs(enumMemoryRegions()) do
  if v.RegionSize==0x201000 and v.AllocationProtect==4 then
    unregisterSymbol('VideoMemory') registerSymbol('VideoMemory',v.BaseAddress+0x20)
  end
end
{$Asm}

[DISABLE]
{$Lua}
unregisterSymbol('VideoMemory')
{$Asm}

Marc
Table Makers
Posts: 378
Joined: Mon Mar 26, 2018 2:35 pm
Reputation: 377

Re: DOSBox Static Addresses

Post by Marc »

Very nice, thanks again!

Just noticed:
in the first version you are checking for

Code:

if v.RegionSize==0x1001000 and v.AllocationProtect==4 then

whereas in the other version you are checking for

Code:

if v.RegionSize==0x2001000 and v.AllocationProtect==4 then

The code 0x1 does not seem to trigger with 0.74-2.1, the 0x2 does. (tried with Darksun 1 from GoG)

Hmmm. Joined them :D

Code:

[ENABLE]
{$Lua}
-- Accept either region size quoted above and register both symbols on a match
for i,v in ipairs(enumMemoryRegions()) do
  if (v.RegionSize==0x1001000 or v.RegionSize==0x2001000) and v.AllocationProtect==4 then
    unregisterSymbol('GameMemoryStart') registerSymbol('GameMemoryStart',v.BaseAddress)
    unregisterSymbol('VideoMemory') registerSymbol('VideoMemory',v.BaseAddress+0x20)
  end
end
{$Asm}

[DISABLE]
{$Lua}
unregisterSymbol('GameMemoryStart')
unregisterSymbol('VideoMemory')
{$Asm}

mgr.inz.Player
Cheater
Posts: 37
Joined: Fri Mar 03, 2017 8:41 am
Reputation: 42

Re: DOSBox Static Addresses

Post by mgr.inz.Player »

Probably it depends on the configuration file used (xms=true/false ems=true/false umb=true/false)

Found memory regions with specific regions size values:


- 0x1001000 - it is 16781312 bytes (which is 16388KB, and that is 16MB plus 4KB) - Game Memory

- 0x201000 - it is 2101248 bytes (which is 2052KB, and that is 2MB plus 4KB) - Video Memory.

- there's also 0x402000 and it is 4202496 bytes (which is 4104KB, and that is 4MB plus 8KB) - Game Other Memory

Regions start at an address 0x20 bytes before the pointers used in the first post (Dst symbol). This is why I add 0x20, so this registered symbol will be "compatible" with already found offsets.

Looks like DosBox allocates those regions in the above order.

You can experiment with those registered symbols. Here is my attached table

EDIT:
CT file from CE7.1
Attachments
dosbox.CT
(7.21 KiB) Downloaded 321 times
Last edited by mgr.inz.Player on Sun May 10, 2020 9:25 pm, edited 2 times in total.
