Full Version: Magic addresses
Some values which I've discovered (for the DOS4GW version, subtract 0x21E34 to get the DOS32A offset):
Texture heap size:
0xF06F7 (32A:CE8C3) (default value: 0x001B1000) ~ 6 MB. The original heap unlocked versions set this to 0x00C04000 (~48 MB). The DOS32A version allows this to be set over a gigabyte, possibly two. Note: Dosbox-Rendition currently defaults to 512 MB, so there's currently a hardcoded limit.

0xF027B (32A:CE447) (GPU VRAM size), this is superseded by the actual amount of VRAM (for RReady 16 MB) default: 0x000039F0 (~14 MB = 16 MB of VRAM)

0xF076B (32A:CE937) (Speedy3D command buffer size maybe) Lowering this to an insanely low value causes the game to run slow and crash. default value: 0x00060000. I tried increasing it to see if ICR2 would run faster, but it didn't seem to. Also, there's an upper limit to this.

The Dosbox window indicates what the texture heap and VRAM sizes are. If it's been redirected to a file (using '>') it should be in that file.
This value exists in the file but for the life of me I can't figure out how to get Ghidra to find it. It works with an older version of IDA Pro designed for DOS, which I have, but it has window corruption and other issues.

The hex string to search for is 0x04000000 but it returns no matches in both a memory search and a program search.

@checkpoint10 could you tell an old fogey how to use this thing?

[EDIT]
I know for a fact that these values are accessed indirectly:

mov eax, [address] where the address stored 0x04000000.
(07-22-2025, 09:42 PM)sharangad Wrote: [ -> ]This value exists in the file but for the life of me I can't figure out how to get Ghidra to find it. It works with an older version of IDA Pro designed for DOS, which I have, but it has window corruption and other issues.

The hex string to search for is 0x04000000 but it returns no matches in both a memory search and a program search.

@checkpoint10 could you tell an old fogey how to use this thing?

[EDIT]
I know for a fact that these values are accessed indirectly:

mov eax, [address] where the address stored 0x04000000.

I am still learning the basics of Ghidra. But if I'm looking for a hex sequence I would be going to Search Memory and do a Search All. Here is what I found for the hex string you were looking for.

[Image: attachment.php?aid=2443]
(07-23-2025, 03:13 AM)checkpoint10 Wrote: [ -> ]
(07-22-2025, 09:42 PM)sharangad Wrote: [ -> ]This value exists in the file but for the life of me I can't figure out how to get Ghidra to find it. It works with an older version of IDA Pro designed for DOS, which I have, but it has window corruption and other issues.

The hex string to search for is 0x04000000 but it returns no matches in both a memory search and a program search.

@checkpoint10 could you tell an old fogey how to use this thing?

[EDIT]
I know for a fact that these values are accessed indirectly:

mov eax, [address] where the address stored 0x04000000.

I am still learning the basics of Ghidra. But if I'm looking for a hex sequence I would be going to Search Memory and do a Search All. Here is what I found for the hex string you were looking for.

[Image: attachment.php?aid=2443]

My version of Ghidra has a different search memory dialog, and it didn't find anything when I typed in 04000000. Maybe I've done something wrong. Setting the scan value "equals" is exactly the same.

[Image: Ghidra.png]

Ghidra version 11.4.
I use Ghidra 10.2.2 because there is an add-on that allows me to open the particular format that the DOS .EXE file is in. See below link for what I use - the latest release supports 10.2.2. As I recall, the add-on didn't work with 11.4 and I was unable to get 11.4 to load the .EXE file properly otherwise.

https://github.com/yetmorecode/ghidra-lx...me-ov-file
Could someone tell me which version of the Mid-Ohio track that jxeboy used? I had a user on YouTube say he couldn't find that specific track with clouds in the sky. All the available ones for download have clear blue skies.

Off-topic and asked in the Rendition thread.
(07-23-2025, 09:54 AM)checkpoint10 Wrote: [ -> ]I use Ghidra 10.2.2 because there is an add-on that allows me to open the particular format that the DOS .EXE file is in. See below link for what I use - the latest release supports 10.2.2. As I recall, the add-on didn't work with 11.4 and I was unable to get 11.4 to load the .EXE file properly otherwise.

https://github.com/yetmorecode/ghidra-lx...me-ov-file

That works much, much better! I was running IDA Pro (DOS) in a Win98 VM and dealing with random display corruption. All the Rendition code is clearly visible here.
ICR2Edit v0.5.1

Latest version adds support for the DOS32A Rendition exe file and more parameters to edit for Rendition.

Binary: https://skchow.com/icr2/icr2edit/icr2edit_v0.5.1.zip

Github: https://github.com/skchow03/icr2edit
(07-23-2025, 09:54 AM)checkpoint10 Wrote: [ -> ]I use Ghidra 10.2.2 because there is an add-on that allows me to open the particular format that the DOS .EXE file is in. See below link for what I use - the latest release supports 10.2.2. As I recall, the add-on didn't work with 11.4 and I was unable to get 11.4 to load the .EXE file properly otherwise.

https://github.com/yetmorecode/ghidra-lx...me-ov-file

How do you save or export an exe once it's been modified? I don't see any option to export patched bytes.

[EDIT] There is an option to save as a PE (EXE) binary but it fails because Ghidra doesn't know how to export to an LE/LX PE.
[EDIT2] Or some way to work out the file offset at the instruction.
(07-23-2025, 08:53 PM)sharangad Wrote: [ -> ]How do you save or export an exe once it's been modified? I don't see any option to export patched bytes.

[EDIT] There is an option to save as a PE (EXE) binary but it fails because Ghidra doesn't know how to export to an LE/LX PE.
[EDIT2] Or some way to work out the file offset at the instruction.

I've never tried to modify and save an EXE with Ghidra. I just look for the same hex sequences using HxD and edit it there. It works fine for me since I'm just looking for hardcoded values and changing them, but probably not suitable for anything more complicated.
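
The hex-editor workflow from the post above, applied to the offsets listed in the first post, as an added example that is not part of the original thread or of ICR2Edit: it searches a file image for a 32-bit value in little-endian byte order (x86 stores 0x04000000 as the bytes 00 00 00 04), translates a DOS4GW offset to the DOS32A one, and writes a new value only when the expected default is found at the offset. It assumes each listed offset points at the first byte of the stored dword; the function names are hypothetical and the sample image is constructed filler, not the game executable.

```python
import struct

# Offsets and default value quoted from the first post (DOS4GW build).
# Assumption: the offset addresses the first byte of a little-endian dword.
DOS4GW_TO_DOS32A_DELTA = 0x21E34
TEXTURE_HEAP_OFFSET_DOS4GW = 0xF06F7
TEXTURE_HEAP_DEFAULT = 0x001B1000


def dos32a_offset(dos4gw_offset: int) -> int:
    """Translate a DOS4GW file offset to the DOS32A build by subtracting the delta."""
    return dos4gw_offset - DOS4GW_TO_DOS32A_DELTA


def find_dword(image: bytes, value: int) -> list[int]:
    """Return every file offset where `value` appears as a little-endian dword."""
    needle = struct.pack("<I", value)
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def patch_dword(image: bytes, offset: int, expected: int, new: int) -> bytes:
    """Return a copy with `new` at `offset`, only if the dword there equals `expected`."""
    if offset < 0 or offset + 4 > len(image):
        raise ValueError(f"offset {offset:#x} is outside the image")
    (current,) = struct.unpack_from("<I", image, offset)
    if current != expected:
        raise ValueError(f"{offset:#x} holds {current:#010x}, expected {expected:#010x}")
    patched = bytearray(image)
    struct.pack_into("<I", patched, offset, new)
    return bytes(patched)


def make_sample_image() -> bytes:
    """Constructed stand-in for the executable: filler with the default at the offset."""
    buf = bytearray(b"\x90" * (TEXTURE_HEAP_OFFSET_DOS4GW + 16))
    struct.pack_into("<I", buf, TEXTURE_HEAP_OFFSET_DOS4GW, TEXTURE_HEAP_DEFAULT)
    return bytes(buf)


if __name__ == "__main__":
    image = make_sample_image()
    print([hex(o) for o in find_dword(image, TEXTURE_HEAP_DEFAULT)])
    patched = patch_dword(image, TEXTURE_HEAP_OFFSET_DOS4GW, TEXTURE_HEAP_DEFAULT, 0x00C04000)
    print(hex(dos32a_offset(TEXTURE_HEAP_OFFSET_DOS4GW)))
```

Checking the expected value before writing guards against patching the wrong build, since the same offset holds different bytes in the DOS4GW and DOS32A files.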