Part 1: Introduction
⚠️ Disclaimer:
The content on this blog is provided for educational and informational purposes only. I do not encourage, endorse, or support any illegal activity. Any techniques, tools, or concepts discussed are intended solely for learning, research, defensive security, or experimentation in safe, legal environments. Use this information responsibly and at your own risk. The author is not responsible for any misuse or legal consequences that may result from applying what’s written here.
Prerequisites:
Theoretical Knowledge:
- Linear Algebra:
- Comfort with matrix-vector multiplication, dot products, and coordinate spaces
(Model → World → View → Projection)
- Comfort with matrix-vector multiplication, dot products, and coordinate spaces
- Trigonometry
- x86-64 Assembly & SIMD:
- Ability to read assembly with a basic understanding of SSE/AVX instruction sets
Technical Skills:
- Static Analysis: Experience navigating large binaries in IDA Pro or Ghidra.
- Dynamic Analysis & Memory Research: Cheat Engine for finding addresses and tracing functions.
- Importantly: Comfort reasoning through ambiguity.
Tools Used:
- Disassembler: IDA Pro (Ghidra/Binary Ninja are fine alternatives).
- Memory Scanner: Cheat Engine (For finding the “live” variables like FOV or Aspect Ratio).
I will not be covering the “how-to” for basic tool usage.
What’s the point of doing this?
Mainly for:
1. Modding & Engine Fixes:
If you can understand how its built, it opens up the door for modifying its construction to do basically whatever we desire, like:
- Aspect Ratio Correction / Ultra Wide support:
- if a game doesn’t natively support ultra wide or hardcodes their aspect ratio we can simply modify the values (related to 1/tan(fov/2) or Aspect Ratio multiplier/divisor (e.g., changing 1.777 to 2.333) that gets applied to either the X or Y scale). Also corrects games where they use “Vert-“ scaling (where the top/bottom are cut off) and force “Hor+” scaling.
- Frustum Manipulation:
- Extending the Far plane, modifying the Near plane, maybe even switch from standard depth to Reversed-Z buffer (shader logic must also be changed for this)
- Wider FOV:
- Bypassing hardcoded FOV sliders and go beyond the limits imposed by developers
- Temporal Anti-Aliasing (TAA) & DLSS Jitter injection:
- I’ve been working with devs from Luma who add DLSS to games which never had TAA / had only a few jitters. Modern upscalers need sub-pixel offsets to function properly. If you reverse the construction, you can inject a Halton Sequence or other jitter distributions directly into the projection values to ensure the engine renders slightly different pixel positions every frame.
2. Performance Optimization:
- Reversing the construction of the Projection matrix (or other paths in the rendering pipeline) gives you instruction-level insight into how the engine handles its most critical per-frame math and can help tell you if the engine was wasting cycles or if you can write a more efficient inline assembly, though most engines are pretty robust and won’t have fundamental flaws that tank CPU efficiency you can never be too sure. The Dunia Engine used for Far Cry New Dawn seems to have various optimization issues, but that’s a blog post for another day.
Write-Up Outline:
- Part 1: Introduction
- Part 2: What is the Projection Matrix?
- Part 3: Methods to Find The Projection Matrix
- Part 4: Finding and Tracing Projection Construction
- Part 5.1: Reversing Construction of the Projection Matrix (X & Y Scales)
- Part 5.2: Reversing Construction of the Projection Matrix (Depth Mapping)
- Part 6: Reversing Construction of the Inverse Projection Matrix
Snippets of what we will be working with:
IDA C pseudo code:
SIMD Assembly:
Cheat Engine:
The game engine that will be used as an example is Far Cry New Dawn’s Dunia Engine.
These Reverse engineering insights from this engine can be applied to others as well