1. For downloading SimTools plugins you need a Download Package. Get it with virtual coins that you receive for forum activity or Buy Download Package - We have a zero Spam tolerance so read our forum rules first.

    Buy Download Package Now!
  2. Do not try to cheat our system and do not post an unnecessary amount of useless posts only to earn credits here. We have a zero spam tolerance policy and this will cause a ban of your user account. Otherwise we wish you a pleasant stay here! Read the forum rules
  3. We have a few rules which you need to read and accept before posting anything here! Following these rules will keep the forum clean and your stay pleasant here. Do not following these rules will lead to permanent exclusion from this website: Read the forum rules.

Wings of Prey Plugin assist

Discussion in 'SimTools DIY Version' started by sgtjay5, Dec 23, 2013.

  1. eaorobbie

    eaorobbie Well-Known Member Staff Member SimTools Developer Gold Contributor

    Joined:
    May 26, 2009
    Messages:
    2,593
    Occupation:
    CAD Detailer
    Location:
    Ellenbrook, Western Australia
    Balance:
    19,571Coins
    Ratings:
    +1,647 / 22 / -2
    My Motion Simulator:
    2DOF, DC motor, JRK, SimforceGT, 6DOF
    Cheers will give it a whirl, I was in swingarm mode will test in cockpit mode.
  2. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    Hope your tests are going well. I'm still trying to locate a better yaw and looking for a better roll. In the roll value, when the game starts, it seems like it throws random numbers, but when you start to make a roll movement, the random numbers cease and the correct values are shown.

    Incidentally, I found the static address for Thrust and threw it into Extra3, just in case someone wants to use it. If thrust was set at 52%, the value shown was 5.2xxxxx, so I multiplied it by 10 to bring the decimal over so it could show 52.
    • Like Like x 1
    Last edited: Dec 28, 2013
  3. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    Hi, @sgtjay5
    Can you check if there is data on 'Yaw' and 'Extra1', 'Extra2', 'Extra3' on you WoP 1.0.5.1?

    I work with Wings of Prey version 1.0.4.7. And I found some data. Now to 'Yaw' slot plug-in send Azimuth angle, and to Extra slots - coordinates X,Y(altitude) and Z

    Attached Files:

    • Like Like x 2
  4. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    Hi prilad,
    Unfortunately, I was not able to get any data in tuning center, except for yaw, but the data in yaw does not reflect yaw. I believe it is just a random number generated by the game and never changed during gameplay. Were you able to get any data using the previously provided plugin? I'm still working on getting more precise telemetry data, but here is my latest one if you want to try with your version. I like keeping it spelled "Pray" so I can keep them separated and not confuse myself any more than I already am.

    FYI: I just updated the plugin I posted earlier. I accidentally left a roll address in there I was testing.

    Attached Files:

    Last edited: Dec 30, 2013
  5. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    Hi, sgtjay5. I have tested your plugin but can't receive any data from game.
    But I hope I found some data... Can you check my new version?
    I hope you should see 6 values ;) - Spins and Coordinates (in Extra slots)

    Attached Files:

  6. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    Hi prilad,
    Happy New Year! I tested your new version, but I do not get anything in tuning center. Perhaps since your version of WoP is 1.0.4.7 and mine is 1.0.5.1, they use different addresses. Would you be able to upgrade to the latest patch?
  7. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    Hi, sgtjay5.
    Now I have installed WoP 1.0.5.1 and have changed plugin. Test it please :cheers
    And Happy New Year !!!

    Attached Files:

    • Like Like x 1
  8. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    Awesome prilad. Looks like we have data! It also looks like we're finding the same stuff. I as well found the altitude and your heave, sway, and surge. As for the altitude, on mine, I converted it to feet from meters, which I also converted speed. For heave, sway, and surge, I found that if you land the plane, move the joystick around, it will give you data in those addresses. I found that out on my today doing some tests. I actually have a different address for heave and it seems to work better. I'll post my latest plugin if you can test it. I'm still looking for a better yaw, sway, and surge for mine. Extra2 is the converted altitude and Extra3 is thrust. Good work.

    Attached Files:

  9. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    Hi, sgtjay5.
    Unfortunately, I have not any data with your plugin. If you can test it on other computer - try. I have two PC and tested my plugin on both...

    Regards
  10. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    Hi, fellows...
    Uph, I hope I nearly finished WoP plugin. Can anybody to test it before I publish it?
    It must work with WoP 1.0.5.1.

    Regards...

    Attached Files:

  11. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    Sweet! I'll test it once I get back to my computer in a few hours. I'll also test my version of the plugin with another computer. Question(s): Did any of the addresses I provided earlier in the thread work for you? If not, can you provide me with an address, say Roll or speed? I want to compare and I'm interested to see why I thought the addresses I provided were static, besides the fact that cheat engine stated they were and have stayed the same over a year with numerous restarts and hardware changes. Well, good job and thanks for any help you can provide.
  12. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    Unfortunately none of your addresses is not faithful. :(

    There are two difficulties in finding true variable addresses in the memory process - find the right value of the variable and then find a pointer to it.

    I, like you, I was searching for data using Cheat Engine and very actively using the debug and interrupt points. Maybe later I'll try to write how I found data in this game.

    Regards,
    Ale
    • Like Like x 3
  13. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    Nice work! We have pitch, roll, yaw, speed, CoodrX, altitude, and CoordZ. For pitch, I see that when climbing, your value is in the negative. Is this intentional? I was thinking an ascent would be a positive pitch. For heave, sway, and surge, do you want it to read the reaction of flight stick or the reaction of the G forces put on plane? If you want the reaction of the flight stick, then your good to go. If you want the reaction of the G forces put on the plane, then I think more searching is needed. I'm just thinking that if I'm flying high and some AAA blows my wing off and I begin to swirl down to the ground, minus roll, pitch, and yaw data, there will be no motion data, unless you move the stick. Well, you guys know more about this than I do. Anyways, good job @prilad !

    Also, I'm in the process of checking my addresses again in my version of the plugin on other computers. For mine, I'm staying with alt(ft), thrust, and speed(mph) for my extras. The heading though, that still eludes me.
  14. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    Yes, @sgtjay5 ,
    I have inverted Pitch value. Now it positive when plane goes up.
    About Heave, Sway and Surge 'forces' - I can't found real G-forces values, but found some values like 'angle speed' (?). At this moment, it's all the data for which I found pointers. To be honest, I'm tired of doing it ...:cool:
    • Like Like x 1
  15. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    LOL. Take a break my friend. Good job.
  16. prilad

    prilad Well-Known Member SimAxe Beta Tester SimTools Developer

    Joined:
    Apr 29, 2012
    Messages:
    381
    Location:
    Dubna, Russia
    Balance:
    8,990Coins
    Ratings:
    +482 / 1 / -0
    My Motion Simulator:
    3DOF, DC motor, Arduino
    How to find sim data in the game? “Wings of Prey” search example.

    This is my first attempt of searching data in the game. And I want to share my experience of searching on the example of "Wings of Prey" (v. 1.0.5.1). Step by step.

    I want to warn that the most difficult part is a search for adequate data values in a game memory. I had to do it by trial and error, eliminating a large number of "wrong" data. For example - addresses of many variables changed when the viewpoint changes in the game (depending on whether - whether the camera is in the cockpit or out).

    As you know - in most cases, addresses of parameters in game's memory are not constants. But in any case there is a pointer to the data area. And address of this pointer must be fixed in the memory process. And our task is to find this base address. Let's get started.

    All you need for beginning:

    - Basic knowledge of assembly language for Intel processors. (http://en.wikipedia.org/wiki/Assembly_language#Assembler)
    - Program “CheatEngine” (http://www.cheatengine.org/).
    - And a lot of patience, of course…

    When the game is running, run CheatEngine and connect it to process "acess.exe" (this is a main file of "Wings of Prey")

    we’ll search the memory address of “altitude”, because we can see its value on the game’s screen. Its value is 1848. With CheatEngine we found a lot of this numbers in the memory. After many unsuccessful attempts, we decided to stay at the address H104F227C. And found code, which write data to this address. It must be only one address, like on following screenshot.

    WoP_1.jpg

    The next step – open the Memory Viewer window in CheatEngine (press button “Show disassembler”) and toggle breakpoint on opcode, which write data to address H104F227C. As you can see this opcode is

    movq [ebx+000000A4],xmm0

    It mean, that destination address stored in ebx register ( ebx = H104f21D4 ).
    And H104f21D4 +H000000A4 give us our destination address H104F227C

    WoP_2.jpg

    As you may have guessed, all our next steps will be made to find a place from where this number puts to ebx register. There are a lot of ways to search. The most effective to "Execute until return” (Shift+F8) from current subprogram, and search the place where opcode modified the destination register.

    On the next screenshot you can see, that we found the opcode, where register ebx is modified. Remember that all numbers in HEX format.

    lea ebx,[edi+74]

    It means that next point to search is edi register which contains value H104F2160.

    WoP_3.jpg

    Step by step… Step by step…
    Yes, next we found the opcode, where register edi is modified.

    mov edi,ecx

    And we see what we are write, because ecx contains number H104F2160.
    Step by step… Step by step…

    WoP_4.jpg

    Die nächste Bushaltestelle… Ups, sorry fellas, I three month works in Osnabruk and this words imprinted in my memory…

    This is our next stop and opcode, which modified ecx

    mov ecx,[ebx+000003C0]

    In this place ebx contains value H10512420.

    WoP_5.jpg

    Next steps we will pass without screenshots. And quite more quickly, because destination is near

    acess.exe+13451A - mov ebx,[ebp+08]

    This opcode is very similar to getting data from the stack upon entry to the subroutine. So we just need to know where the data is placed on the stack? Here is this place:

    acess.exe+135776 - push edi
    acess.exe+135777 - call acess.exe+134510


    Next search point – register edi. We can found next opcode

    acess.exe+135538 - mov edi,[ebp+08]

    But when we try to toggle breakpoint on this opcode, program will not stop on this line. I think it means that this register modified only when program started. And that is exactly what we need. Let's try to find a place in memory where the value may be written to the register. For this we again use search by CheatEngine. We should search value H10512420. And we found this address – H00BE1B68. After many rechecking we can say that this is the address where is the pointer to searching data.


    WoP_6.jpg

    SUMMARY:

    We found main (static) memory address, from which we can read the variable base adress.

    Searching history:

    acess.exe+1DA32E – movq [ebx+000000A4],xmm0 - this opcode write ALTITUDE value to H104F227C

    acess.exe+0C596A – lea ebx,[edi+74] - this opcode write to ebx destination address

    acess.exe+0C586B – mov edi,ecx - this opcode write to ebi

    acess.exe+1347B0 – mov ecx,[ebx+000003C0] -this opcode write to ecx (remember offset H3C0)

    acess.exe+13451A - mov ebx,[ebp+08]

    acess.exe+135776 - push edi
    acess.exe+135777 - call acess.exe+134510


    acess.exe+135538 - mov edi,[ebp+08]

    But how to get access to altitude value in VB application? Step by step ))

    Private Const _BasePtrAddr As UInteger = &HBE1B68 ' acess.exe ver 1.0.5.1
    Private _BasePtr As UInteger 'This is the memory offset
    Private _BaseAddr As UInteger 'This is the memory offset


    ‘First read 4 bytes from our _BasePtrAddr to _BasePtr
    _BasePtr = GetInt32(ProcessName, CUInt(_BasePtrAddr)) 'This read data from H00BE1B68

    ‘Next read 4 bytes from _BasePtr to _BaseAddr (remember offset H3C0 ???)
    _BaseAddr = GetInt32(ProcessName, CUInt(_BasePtr + &H3C0))

    ‘Next read float value from _BaseAddr to Altitude (offset H118 = H0A4 + H074)
    Altitude = GetSingle(_ProcessName, CUInt(_BaseAddr + &H118))

    VB_1.jpg


    VB_2.jpg

    Code:
        'memory hook functions
        Public Function GetSingle(ByVal hProcess As String, ByVal dwAddress As UInteger) As Single
            Try
                Dim proc As Process = Process.GetProcessesByName(hProcess)(0)
                Dim winhandle As Integer = CInt(CType(OpenProcess(&H1F0FFF, 1, proc.Id), IntPtr))
                Dim buffer As Byte() = New Byte(3) {}
                buffer.ToArray()
                ReadProcessMemory(winhandle, CInt(dwAddress), buffer, 4, 0)
                Dim MySingle As Single = BitConverter.ToSingle(buffer, 0)
                Return MySingle
            Catch ex As Exception
                Return Nothing
            End Try
        End Function
    
        Public Function GetInt32(ByVal hProcess As String, ByVal dwAddress As UInteger) As UInteger
            Try
                Dim proc As Process = Process.GetProcessesByName(hProcess)(0)
                Dim winhandle As Integer = CInt(CType(OpenProcess(&H1F0FFF, 1, proc.Id), IntPtr))
                Dim buffer As Byte() = New Byte(3) {}
                buffer.ToArray()
                ReadProcessMemory(winhandle, CInt(dwAddress), buffer, 4, 0)
                Dim MyUInt32 As UInteger
                MyUInt32 = BitConverter.ToUInt32(buffer, 0)
                Return MyUInt32
            Catch ex As Exception
                Return &HFFFFFFF
            End Try
        End Function
    
    • Like Like x 8
    Last edited: Jan 6, 2014
  17. yobuddy

    yobuddy Well-Known Member Staff Member Moderator SimAxe Beta Tester SimTools Developer Gold Contributor

    Joined:
    Feb 9, 2007
    Messages:
    3,318
    Occupation:
    Computer Technician
    Location:
    Portland, Oregon - USA
    Balance:
    25,024Coins
    Ratings:
    +3,368 / 10 / -0
    • Like Like x 1
  18. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    I think I just teared up up a little. Must be dust or something. Outstanding job @prilad !
  19. sgtjay5

    sgtjay5 Member

    Joined:
    Dec 21, 2013
    Messages:
    39
    Balance:
    687Coins
    Ratings:
    +19 / 0 / -0
    My Motion Simulator:
    2DOF, DC motor, Arduino
    While I've been waiting for some test parts to come in, I decided to work on my version of the plugin a little more. For my sim, all I really need is pitch and roll, but I decided to fill in all the blanks, just in case someone wants to make something with it. That would be awesome. Well, here is what I've come up with if someone could test it out.

    -----------------------------------------------------------------------

    Roll: Roll left is negative. Roll right is positive.

    Pitch: Pitch up is positive. Pitch down is negative.

    Heave: Values corresponding to gravity above and below. Think of diving in from a really high altitude, then at the last minute before hitting the ground, you pull up. The positive G force will push you down. So downward G force is positive G's and the upward G force is negative G's, like free-floating or the beginning of a steep dive.

    Yaw: I chose to use the heading instead of the yaw rate since roll and pitch were positional. I may choose to switch it out later.

    Sway: This value corresponds to the yaw and rotational force on the pilot. The faster the pilot rolls or rotates along the yaw axis, the bigger the sway value gets. I'm still not 100% on this one.

    Surge: This value corresponds to the frontal force on the pilot. For example, when the throttle is pushed all the way forward from a lower position, the frontal force on the pilot increases and vice versa. Since the aircraft is usually always moving forward, I haven't seen this go negative yet.

    Extra1: This is the IAS, or Indicated Air Speed in mph.

    Extra2: This is the altimeter in feet.

    Extra3: This is the thrust percentage.

    -----------------------------------------------------------------------

    I also decided to keep it spelled Pray instead of Prey, just to differentiate different versions. If someone could test it, that would be awesome. Also, if anybody thinks something should be changed or a better value should be found, let me know. Thanks guys.

    -sgtjay5

    Attached Files: