maddo/Crusader_Decomp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Crusader_Decomp/docs/retail-debugger-entry-options.md
MaddoScientisto a9153546ae Research
2026-04-12 14:45:08 +02:00

24 KiB
Raw Blame History

Retail Usecode Debugger Entry Options

This note consolidates the current best entry-path analysis for the hidden retail usecode debugger in live CRUSADER.EXE.

Question:

  • What is the lowest-modification path that could realistically get the hidden debugger menu working?
  • Can ordinary usecode or a -u startup override reach it without another fragile executable patch?
  • If retail still cannot do it cleanly, what should the next comparison pass in No Regret and JP No Remorse look for?

Short Answer

Current best answer:

  • No zero-modification retail entry path is currently evidenced.
  • -debug, -laurie, jassica16, ~, and Ctrl+Q still do not provide a proven bootstrap into the hidden debugger.
  • The hidden debugger UI is real and usable, but it expects a live seg1408 break-state object at 1478:659c/659e and valid current-unit/runtime context.
  • The cleanest non-EXE exploration path is now the -u usecode-root override, but current evidence still does not show a script-visible way to construct the break-state object or write 1478:659c/659e.
  • The smallest structurally defensible executable patch is still the current interpreter-callsite-retarget family, but that remains more complex than a one-site tweak and therefore is not the preferred next move unless cross-build comparison fails.
  • The best next investigation is a comparison pass in REGRET.EXE and JP /ja/CRUSADER.EXE looking specifically for a surviving writer/bootstrap path for 1478:659c/659e, a constructor caller for 1408:0000, or a direct caller to the seg109 wrappers.

New Live-Ghidra Findings From This Pass

1. The missing retail bootstrap is still missing

Fresh live data-use recovery on 1478:659c still shows reads only.

Current confirmed reader families:

  • Interpreter_NextUsecodeOp at multiple sites including 1418:049e, 1418:04b1, 1418:0519, and several later helper windows
  • usecode_debugger_open_for_current_unit at 13a0:00af / 13a0:0165
  • usecode_debugger_format_expression_to_shared_buffer at 13a0:03db / 13a0:03f4
  • usecode_debugger_handle_event at 13a0:1e13, 13a0:1e3b, 13a0:1e5d, 13a0:20b2, 13a0:20b6
  • one additional seg109 local helper FUN_13a0_1791

What is still missing:

  • no recovered retail writer to 1478:659c/659e
  • no recovered retail caller of 1408:0000 Create
  • no recovered direct caller of 13a0:0086 usecode_debugger_open_for_current_unit
  • no recovered direct caller of 13a0:020d usecode_debugger_open_modal

That keeps the current retail model unchanged:

  • the seg109 UI is real
  • the seg1408 break-state object is real
  • the interpreter callback lane is real
  • but retail still looks like an orphaned debugger subsystem whose bootstrap/entry wiring was removed or compiled out

2. The UI wrappers are valid, but they are not safe cold-entry targets

Fresh decompile reads tighten the wrapper roles:

13a0:0086 usecode_debugger_open_for_current_unit

  • immediately calls usecode_debugger_gump_create(..., mode=1)
  • pulls the current unit name from Remorse::UsecodeDebuggerBreakState::CurrentEntryGetUnitName(_DAT_1478_659c)
  • resolves a usecode path under s_usecode
  • loads the corresponding unit file into the debugger pane
  • centers on current_line - 1
  • then enters Dispatch_ModalGump

Implication:

  • this wrapper is closest to the original intended debugger experience
  • but it absolutely expects a valid debugger object and current-entry state first

13a0:020d usecode_debugger_open_modal

  • also calls usecode_debugger_gump_create, but with generic mode 0
  • skips current-unit preload and line-centering
  • enters the same modal debugger gump

Implication:

  • this is the safer force-open target than 13a0:0086
  • but it still assumes the surrounding caller/context is sane enough for the debugger gump to live

3. usecode_debugger_gump_create proves the debugger control bundle is complete once the gump exists

Fresh decompile of 13a0:19b1 usecode_debugger_gump_create now gives the cleanest current constructor summary.

Verified behavior:

  • allocates a 0x50-byte root gump object when this == null
  • builds the debugger menubar and child panes
  • initializes the shared watch table
  • resolves the base usecode path with Filespec_GetFullPath(0, s_usecode, 0, 0)
  • registers the debugger/control event bundle through NewGump_1360_0f2a

Recovered registered event set from this pass:

  • 0x13d
  • 0x443
  • 0x142
  • 0x141
  • 0x143
  • 0x23f
  • 0x43e
  • 0x41f
  • 0x417
  • 0x431
  • 0x411
  • 0x410
  • 0x441
  • 0x421
  • 0x22d

Current direct callers are still only:

  • 13a0:009b from usecode_debugger_open_for_current_unit
  • 13a0:0256 from usecode_debugger_open_modal

This strengthens one important boundary:

  • 0x410 is a real debugger-gump event once the debugger UI has already been created
  • it is not evidence that retail gameplay already has a reachable path that creates the gump

4. 0x410 remains parallel debugger UI state, not the debugger bootstrap itself

usecode_debugger_handle_event at 13a0:1df3 still confirms the same split, but the current decompile makes it easier to summarize.

Verified cases include debugger-style commands for:

  • open file
  • resume / break-next / single-step state changes
  • go to line
  • watch / inspect / clear watches
  • change global memory
  • find / search again
  • local breakpoint/debug actions

Relevant 0x410 detail:

  • incoming event 0x410 is rewritten to local state 0x0e
  • case 0x0e clears one local selection/watch slot and refreshes debugger state

Implication:

  • the debugger's own event machine knows what to do with 0x410
  • but only after the debugger gump already exists and is registered
  • this does not give us a new no-patch retail entry path by itself

5. Retail still preserves a substantial debugger UI and command surface once the gump exists

The latest live CRUSADER.EXE decompile pass makes the surviving retail debugger capability map much clearer.

What retail can still do once a valid debugger object and gump already exist:

  • usecode_debugger_build_menubar still builds the full hidden debugger menu bar with File, Run, Breakpoints, Search, and Data menus.
  • usecode_debugger_translate_registered_event still translates the registered debugger/control event bundle into the local debugger command ids consumed by usecode_debugger_handle_event.
  • usecode_debugger_handle_event still implements real debugger actions rather than decorative UI stubs: open file, run, break-next, single-step, go to line, watch, inspect, change global, search, search again, break to TDP, and watch clearing.
  • usecode_debugger_source_pane_draw_visible_lines still clamps the source viewport, highlights the current line, scans the breakpoint table for visible marks, and draws the loaded source rows from the .unk buffer.
  • usecode_debugger_source_pane_handle_pointer_event still converts pointer position into source line and column state and also drives scroll-style commands when the pointer is above or below the pane.
  • the child-pane split is now clearer in retail than in the earlier first-pass mirror list: one pane is the loaded source view, while the sibling 13a0:16ee/1791/193f lane is a separate watch-pane create/draw/click surface.

The live retail file-loading path is now also much clearer than before.

  • usecode_debugger_source_pane_load_file resets local source-pane cursor state, destroys any previous source buffer, allocates a fresh source-buffer object from the requested path, updates the pane's line-count field, and refreshes the child widgets.
  • usecode_debugger_source_buffer_create_from_path and usecode_debugger_source_buffer_open_from_path still build a dedicated far-memory file object, normalize the requested path, open the file, and pass it into the text-loader path.
  • usecode_debugger_source_buffer_load_text still reads the whole file into far memory, rejects obviously non-text inputs, and hands the buffer to usecode_debugger_source_buffer_split_lines_in_place.
  • usecode_debugger_source_buffer_split_lines_in_place still walks the loaded text, zero-terminates newline boundaries in place, and populates the per-line pointer table later consumed by draw, click, search, and goto-line logic.
  • usecode_debugger_source_buffer_get_line_ptr is still the shared accessor used by source draw, pointer handling, find/find-next, and source-pane command handling.

Retail source navigation helpers are now closed well enough to describe the pane behavior directly.

  • usecode_debugger_set_line_selection clamps the requested line against the loaded file range, clears transient cursor state, optionally updates the anchor line, and forces a redraw.
  • usecode_debugger_center_on_line stores the target current line, computes a top-of-window line from the visible row count, and then delegates to usecode_debugger_set_line_selection.
  • this means retail still preserves the ordinary source-browser workflow expected from the strings: load file, jump to line, center on current line, search through lines, and redraw the viewport around the active selection.

The watch-pane side is also more concrete now.

  • usecode_debugger_watch_pane_create still allocates a real watch child gump and installs the watch-pane vtable.
  • usecode_debugger_watch_pane_draw still iterates the shared 10-slot watch table at 1478:5580, asks the break-state callback table to format each populated watch entry, and highlights the selected row.
  • usecode_debugger_watch_pane_handle_click still converts pointer Y position into a watch-row index, updates the selected watch slot, and triggers a repaint.
  • that is stronger evidence for interactive watch list still survives than the earlier weaker watch-related strings still exist wording.

Current safest interpretation:

  • retail did not merely keep a few string tables or unused menu labels
  • retail still keeps a functioning debugger front-end shell with real search, breakpoint, watch, inspect, and source-view logic
  • the main missing piece is still how execution ever reaches that shell with valid live state

6. Retail callback and reachability limits are still the decisive difference from Regret

The same live pass also tightened the what retail still cannot do side.

Current direct-caller state in live CRUSADER.EXE:

  • usecode_debugger_open_for_current_unit still has no recovered callers
  • usecode_debugger_open_modal still has no recovered callers
  • Remorse::UsecodeDebuggerBreakState::Create at 1408:0000 still has no recovered callers
  • usecode_debugger_handle_event is still only reached through usecode_debugger_translate_registered_event and usecode_debugger_forward_child_event

Current callback state is still the key retail blocker too:

  • Remorse::UsecodeDebuggerBreakState::OnBreakTriggeredNoop at 1408:046f is still the live slot-0 callback
  • Remorse::UsecodeDebuggerBreakState::VtableSlot1ReturnZero at 1408:0474 is still the live slot-1 callback
  • unlike Regret, retail still has no recovered bootstrap that rewires the break-state object onto a live frontend-aware vtable

So the retail-versus-Regret split is now even sharper:

  • both builds preserve a large debugger UI/event subsystem
  • retail still lacks the recovered object bootstrap and live callback target that would naturally open the debugger on break
  • Regret keeps both the writer/bootstrap path and the vtable upgrade that turns break-state callback slot 0 into a real open_for_current_unit launch path

That is why retail still reads as functional debugger shell plus dormant break-state object, while Regret reads as same shell plus a surviving end-to-end open-on-break path.

One practical refinement from the latest retail pass is that the shell is not merely a static menu/window skeleton.

  • the file-open path still reaches a real far-memory source-buffer loader
  • the search path still walks live source lines through usecode_debugger_source_buffer_get_line_ptr
  • the goto-line path still updates line selection through the same source-pane helpers used by current-line centering
  • the watch path still stores, formats, selects, clears, and redraws real watch rows

So the remaining barrier is still entry/bootstrap, not lack of interior debugger behavior after entry.

What This Means For Usecode As An Entry Path

Current Best Read

The -u retail override is now the best non-EXE exploration tool, but not yet a proven debugger-entry solution.

Why it still matters:

  • startup_apply_u_override_if_present at 1420:0cdf is a real startup hook
  • it is called from Init_Everything at 1048:05d3
  • it swaps the single live usecode runtime root rather than layering a second source
  • that replacement root is then consumed by ordinary compiled paths like Usecode_ItemCallEvent, UsecodeProcess_CreateProcess, and Interpreter_NextUsecodeOp

So -u gives a practical route to:

  • replace scripted behavior with minimal executable modification
  • test whether a data-driven/usecode-side path can indirectly reach an otherwise hidden compiled control lane

But the current negative evidence is still stronger than the hopeful side:

  • no recovered usecode intrinsic or compiled helper currently reads like open usecode debugger
  • no recovered usecode-visible primitive currently reads like construct debugger break state
  • no recovered usecode-visible primitive currently writes 1478:659c/659e
  • current script/event scans still do not show a plain usecode literal/ordinal trail for event 0x410

Current safest conclusion:

  • a -u archive replacement is the least invasive experimental platform
  • it is not yet an evidence-backed direct debugger unlock

Best Script-Side Host Families If We Try -u

If the next step is an asset-only experiment, the best current targets remain:

  • MONITNS / monitor-computer families
  • SURCAMNS / SURCAMEW
  • NPCTRIG

Why these are stronger than a generic chest or one-off gadget:

  • they already sit near real modal UI / camera / event-control behavior
  • they are more plausible bridges into a hidden control/event lane than ordinary loot or animation scripts

What they still do not currently prove:

  • direct debugger construction
  • direct seg109 wrapper calls
  • direct 1478:659c/659e bootstrap

So the immediate asset-only goal should be framed narrowly:

  • not open the debugger from usecode directly
  • but test whether any scripted family can reach a compiled control path closer to the hidden debugger than the currently known public gumps

Ranked Entry Options By Modification Cost

1. Zero-modification retail route

Current status: no proven path.

Still ruled out by current evidence:

  • -debug
  • -laurie
  • jassica16
  • ~
  • Ctrl+Q / event 0x410

Why:

  • they toggle debug/cheat/display behavior
  • they do not currently create the seg1408 break-state object or enter the seg109 wrappers

2. Asset-only route via -u replacement EUSECODE.FLX

Current status: lowest-modification practical experiment, but unproven as a debugger route.

Advantages:

  • no retail EXE byte changes required
  • fully reversible by swapping the override directory/archive
  • reaches normal compiled usecode consumers

Limitations:

  • still no direct evidence that usecode can create/write the required debugger state
  • more likely to find an indirect bridge than a direct open debugger primitive

Current recommendation:

  • prefer this over new ad hoc retail EXE patching if the goal is only to test indirect control-flow ideas

3. Minimal executable route: interpreter-callsite-retarget family

Current status: still the smallest structurally defensible retail patch family.

Why it remains the floor:

  • one-site retarget ideas fail because they do not also create/store the debugger object
  • direct shared-callback patching is too global and has already caused startup failures
  • direct cold-calls into the UI wrappers use the wrong stack/context

What the current viable family still needs:

  • lazy create-or-reuse of the seg1408 break-state object
  • store into 1478:659c/659e
  • preserve deferred interpreter timing
  • sanitize wrapper arguments before the seg109 UI entry

So even the best retail EXE path is still not a tiny one-byte/two-byte unlock.

4. Cross-build bootstrap recovery

Current status: best next investigation.

Why this is now preferred over more retail patch fishing:

  • if No Regret or JP No Remorse kept any surviving debugger bootstrap, it could collapse the retail problem from invent a new path to port or mimic one missing write/call
  • that is more likely to produce a truly minimal modification than another speculative retail patch chain

Retail Ghidra Naming Backlog

The current note corpus now supports a tighter retail seg109 naming batch than the live authoring summary currently reflects.

These are the most important retail debugger-side helpers to promote explicitly in the active CRUSADER.EXE database before any new patch design work:

  • 13a0:2882 = usecode_debugger_build_menubar
  • 13a0:088f = usecode_debugger_source_pane_create
  • 13a0:0ae8 = usecode_debugger_source_pane_init_view_from_break_state
  • 13a0:0ba7 = usecode_debugger_source_pane_handle_command
  • 13a0:0f16 = usecode_debugger_source_pane_handle_pointer_event
  • 13a0:1088 = usecode_debugger_source_line_copy_for_display
  • 13a0:1118 = usecode_debugger_source_pane_draw_visible_lines
  • 13a0:1413 = usecode_debugger_source_pane_clamp_viewport
  • 13a0:15ac = usecode_debugger_source_pane_load_file
  • 13a0:16ee = usecode_debugger_watch_pane_create
  • 13a0:1791 = usecode_debugger_watch_pane_draw
  • 13a0:193f = usecode_debugger_watch_pane_handle_click
  • 13a0:1c2c = usecode_debugger_translate_registered_event
  • 13a0:1dc6 = usecode_debugger_forward_child_event
  • 13a0:2c2e = usecode_debugger_source_buffer_create_from_path
  • 13a0:2ca0 = usecode_debugger_source_buffer_destroy
  • 13a0:2d14 = usecode_debugger_source_buffer_open_from_path
  • 13a0:2e0a = usecode_debugger_source_buffer_load_text
  • 13a0:2f4f = usecode_debugger_source_buffer_split_lines_in_place
  • 13a0:301d = usecode_debugger_source_buffer_get_line_ptr

Why this batch matters before more patching:

  • it converts the remaining patch-target area from anonymous FUN_13a0_xxxx bodies into named UI, event, and source-buffer lanes
  • it reduces the chance of patching the wrong helper when the debugger gump is already on-screen but still miswired
  • it makes runtime-only experiments easier to reason about because the gump lifecycle, source loading, and event forwarding chain become legible in-session

The current strongest provenance for this retail batch is the combined retail 000b:* -> 13a0:* table in ne-segment1.md plus the one-to-one structural match against the now-closed Regret 1398:* family.

One live correction from the follow-up rename pass matters here: retail 13a0:16ee/1791/193f reads as a watch-pane constructor/draw/click trio, while the source-pane lane remains centered on 13a0:088f/0ae8/0ba7/0f16/1088/1118/1413/15ac. So the Regret-side structural match is still valuable, but the retail child-pane split is now sharper than the earlier first-pass list implied.

Practical Alternatives To Manual Hex Patching

The current blocker is no longer we do not know what to patch. It is the delivery path needs to stop depending on blind byte edits.

1. Runtime-only proof via DOSBox-X debugger or equivalent live memory tooling

This is now the cleanest first confirmation path.

Use it to:

  • keep the retail executable on disk unchanged
  • patch or seed the debugger object only in live memory
  • prove whether a create/store/open sequence is sufficient before committing to any permanent binary patch

What this should target first:

  • seeding 1478:659c/659e with a valid debugger-state object
  • reusing the existing interpreter callback lane at 1418:049e..04b5
  • testing whether 13a0:020d or the vtable callback path can open a stable debugger gump once state exists

This is especially attractive because it turns the current question from did we edit the NE file correctly? into does the runtime model itself actually work?

2. Scripted patch application to a writable clone, not manual hex editing

If a permanent retail patch is still wanted, the next step should be a reproducible patcher, not another manual byte-edit round.

That means:

  • keep a dedicated writable clone of the executable
  • store each patch as address + expected old bytes + new bytes + reason
  • apply it through a scriptable patcher that validates the original bytes before writing
  • regenerate the same patch on demand instead of hand-transcribing offsets each time

This can be done with PowerShell or Python against raw file offsets even if Ghidra export remains unreliable.

3. Use Ghidra only for analysis and verified byte plans

The current evidence does not support treating Ghidra export as the final patch-delivery mechanism for this lane.

What still works well:

  • identify the correct callsite and byte budget in Ghidra
  • annotate the patch rationale in-session
  • test the control-flow hypothesis on a writable target
  • then convert the verified result into an external patch manifest or launcher-side patcher

That keeps Ghidra in the role it is good at here: reverse-engineering and patch design, not blind final-binary distribution.

4. Keep -u as the low-risk data-side experiment surface

The -u override still does not solve the missing bootstrap, but it remains valuable for adjacent experiments that do not require byte writes.

Use it for:

  • testing whether scripted monitor/camera/control families can get closer to debugger-adjacent compiled paths
  • validating source-file and unit-name assumptions without touching the executable
  • separating data-side idea failed from patching workflow failed

It should stay in the toolbox, but it should not be mistaken for a direct replacement for the missing retail bootstrap.

Current Recommendation

If the goal is the minimum modification that still has a realistic chance to work, the order should now be:

  1. Promote the retail seg109 naming backlog above so the remaining debugger lanes are explicit in Ghidra.
  2. Use runtime-only memory seeding on a clean executable to prove or kill the bootstrap theory without committing file changes.
  3. Compare REGRET.EXE and JP /ja/CRUSADER.EXE for any surviving debugger bootstrap/writer that can replace a custom retail bootstrap.
  4. Keep -u / replacement EUSECODE.FLX as the preferred low-risk experiment surface for any script-side proxy ideas.
  5. Do not resume broader retail executable patching unless the runtime proof or cross-build pass yields one clear small patch plan that can be applied by script to a writable clone.

That ranking fits both the new live evidence and the user's practical constraint that complex retail patch attempts have already been unstable.

Cross-Build Exploration Note

When this moves to No Regret and JP No Remorse, the focused targets should be:

  1. any write to the debugger global pointer equivalent of 1478:659c/659e
  2. any caller of 1408:0000 Create or its build-specific equivalent
  3. any direct caller of usecode_debugger_open_for_current_unit
  4. any direct caller of usecode_debugger_open_modal
  5. any non-stub debugger vtable slot replacing retail 1408:046f / 1408:0474
  6. any command-line or cheat/debug hotkey path that lands near the seg109 wrappers or seg1408 constructor
  7. any usecode/runtime path that seeds current-unit state for the debugger without using the orphaned retail bootstrap

Bottom Line

Retail No Remorse still looks like it shipped with a real hidden usecode debugger whose UI, event dispatcher, and break-state object all survived, but whose bootstrap path did not.

That means the lowest-modification currently evidenced route is no longer "guess one more retail patch". It is:

  • first, look for the missing bootstrap in sibling builds,
  • second, use -u and a replacement EUSECODE.FLX only as a low-risk exploration surface,
  • and only third, return to the interpreter-callsite-retarget patch family if the cross-build pass gives no smaller bootstrap to port.