Tighten function map confidence wording

Jan Petykiewicz 2026-04-06 21:51:23 -07:00
commit 860d1aed90


@ -527,7 +527,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
0x00469070,87,multiplayer_session_event_publish_status_value,shell,unknown,inferred,ghidra-headless,3,Session-event callback that publishes one status value into the destination text builder passed in the third stack argument. It first compares the supplied index against the live session count from `0x006d40d0`; out-of-range entries publish the fixed fallback text at `0x005c87a8`; in-range entries publish integer `100` through 0x0058cd40 when event code EDX is `0x18`; publish the string at `0x00521d40+0x08` when EDX is `0x15`; and otherwise fall back to the same fixed text token.,ghidra + rizin + llvm-objdump + strings
0x004690d0,15,multiplayer_session_event_publish_fixed_status_text,shell,unknown,inferred,ghidra-headless,3,Session-event callback that appends the fixed status text token at `0x005c87a8` into the destination text builder passed in the second stack argument. This is the smallest text-publisher sibling in the same callback family and shares the same append helper 0x0058bce0 used by 0x00469070.,ghidra + rizin + llvm-objdump
0x004690f0,106,multiplayer_session_event_seed_control_id_list,shell,unknown,inferred,ghidra-headless,3,Session-event callback that seeds a byte-list builder with the fixed control-id set `3 1 8 10 11 19 4 5` when the callback status in EDX is zero. It appends each id through 0x0058bcb0 into the destination builder passed in the first stack argument and returns immediately when the callback status is nonzero.,ghidra + rizin + llvm-objdump
0x00469160,26,multiplayer_session_event_query_session_count,shell,unknown,inferred,ghidra-headless,4,Session-event callback helper that returns the live session count from `0x006d40d0` through 0x00521670 only when the callback mode in EDX equals `1`; all other modes return zero. This looks like the count-query slot in the same registration table.,ghidra + rizin + llvm-objdump
0x00469160,26,multiplayer_session_event_query_session_count,shell,unknown,inferred,ghidra-headless,4,Session-event callback helper that returns the live session count from `0x006d40d0` through 0x00521670 only when the callback mode in EDX equals `1`; all other modes return zero. This is the count-query slot in the same registration table.,ghidra + rizin + llvm-objdump
0x00469180,3,multiplayer_session_event_noop_8byte_stub,shell,unknown,inferred,ghidra-headless,4,Three-byte no-op callback stub in the Multiplayer.win session-event registration table. It returns immediately with `ret 8` and does not touch any state.,ghidra + rizin + llvm-objdump
0x00469190,8,multiplayer_session_event_latch_status_code,shell,unknown,inferred,ghidra-headless,4,Small session-event callback helper that stores the incoming status code from EDX into `0x006cd974` and returns. The registration branch later clears the same global before transport teardown or retry reset.,ghidra + rizin + llvm-objdump
0x004691a0,45,multiplayer_session_event_notify_owner_and_queue_action8,shell,unknown,inferred,ghidra-headless,3,Session-event callback wrapper that first notifies the current Multiplayer.win owner through multiplayer_notify_window_owner. When the callback status in EDX is zero it then queues request id `8` through multiplayer_set_pending_session_substate with the same payload pointer; otherwise it returns after the owner notification only.,ghidra + rizin + llvm-objdump
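
Review bot: In the `0x00469160` row the description now asserts "This is the count-query slot in the same registration table", but nothing else in the row changed to back the stronger statement. The prototype status is still `inferred`, the evidence column is still `ghidra + rizin + llvm-objdump` with no table or caller xref, and the rest of the description only covers the function's own behaviour (return the count from `0x006d40d0` when EDX equals `1`, zero otherwise). Either keep the hedge, or record the registration-table slot or xref that places this callback there so the sentence can be checked against the binary.
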
@ -583,7 +583,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
0x00502220,813,paint_terrain_load_selected_gmt_surface,shell,cdecl,inferred,ghidra-headless,4,Loads or refreshes the currently selected .gmt-backed preview surface for the PaintTerrain tool family rooted at 0x006d14bc and tied to the PaintTerrain.win or GroundTerrain.tga branch. The routine validates the selected filename suffix copies selected strings into the active record updates tool status bytes and counters formats several shell text fields through 0x00540120 and finishes by decoding a 256x256 image through 0x0053f830 and surface_init_rgba_pixel_buffer.,ghidra + rizin + llvm-objdump + strings
0x00502550,456,paint_terrain_refresh_status_panel,shell,cdecl,inferred,ghidra-headless,3,Refreshes the PaintTerrain tool status or selection panel after the active .gmt surface changes. The helper reads the PaintTerrain singleton at 0x006d14bc consults shell selection globals and lookup tables formats several text or numeric fields through 0x00540120 and toggles the side flag at 0x006d14a8 before returning.,ghidra + rizin + llvm-objdump + strings
0x00502720,144,paint_terrain_tool_init_globals,shell,thiscall,inferred,ghidra-headless,4,Initializes the PaintTerrain shell tool singleton rooted at 0x006d14bc. The constructor seeds the tool vtable and default fields registers the active instance globally and is selected directly from shell_transition_mode alongside the neighboring terrain-edit tool constructor at 0x004ee3a0.,ghidra + rizin + llvm-objdump + strings
0x0047d810,182,placed_structure_remove_route_entry_key_and_compact,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Removes one matching `u16` route-entry key from the six-byte route-entry list rooted at `[this+0x462]/[this+0x466]`. The helper scans the current list, copies surviving six-byte entries into a newly allocated compacted buffer, frees the old buffer, stores the replacement pointer back into `[this+0x466]`, and decrements the route-entry count at `[this+0x462]`. Current grounded caller is the linked-site refresh or teardown branch at `0x0040e102`, so this now looks like the keyed remove-and-compact companion to the linked site's route-entry list rather than another generic free helper.","objdump + caller xrefs + callsite inspection + route-entry-list compaction correlation"
0x0047d810,182,placed_structure_remove_route_entry_key_and_compact,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Removes one matching `u16` route-entry key from the six-byte route-entry list rooted at `[this+0x462]/[this+0x466]`. The helper scans the current list, copies surviving six-byte entries into a newly allocated compacted buffer, frees the old buffer, stores the replacement pointer back into `[this+0x466]`, and decrements the route-entry count at `[this+0x462]`. Current grounded caller is the linked-site refresh or teardown branch at `0x0040e102`, so this is the keyed remove-and-compact companion to the linked site's route-entry list rather than another generic free helper.","objdump + caller xrefs + callsite inspection + route-entry-list compaction correlation"
0x0047d8e0,346,placed_structure_load_dynamic_side_buffers_from_stream,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Deserializes the variable-size side buffers on one placed-structure record from the caller-supplied persistence stream. The helper reads tagged blocks through `0x00531360` and `0x00531150`, repopulates the six-byte route-entry list at `[this+0x462]/[this+0x466]`, the three five-byte-per-site arrays rooted at `[this+0x24]` from count `[this+0x30]`, the five eight-byte proximity-bucket arrays counted at `[this+0x590..0x5a0]` and rooted at `[this+0x5a4..0x5b4]`, and the trailing twelve-byte scratch band at `[this+0x34]/[this+0x38]`, then clears `[this+0x5bd]` and re-enters `0x00407780`. Current direct caller is the collection-level load pass at `0x00481464`. The real body begins at `0x0047d8e0` even though current recovered calls target the preceding padding slot `0x0047d8d0`.","objdump + caller xrefs + callsite inspection + stream-layout correlation"
0x0047dcd0,64,placed_structure_clear_proximity_bucket_lists,map,thiscall,inferred,objdump + caller xrefs + data-layout inspection,3,"Clears the five proximity-bucket arrays rooted at `[this+0x5a4..0x5b4]`, zeroes the corresponding per-bucket counts at `[this+0x590..0x5a0]`, and resets the total proximity-entry count at `[this+0x5b8]`. Current grounded callers are the linked-site teardown pass at `0x00480590` and the sibling route-anchor refresh family at `0x00480719`, so this now reads as the common clear step for the nearby-site bucket family rather than a generic free helper.","objdump + caller xrefs + data-layout inspection + proximity-bucket correlation"
0x0047dd10,130,placed_structure_remove_site_id_from_proximity_bucket_lists,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Removes one matching site id from every proximity bucket rooted at `[this+0x590..0x5b8]`. The helper scans all five bucket arrays, matches the supplied site id against the first dword of each eight-byte entry, compacts the surviving tail when needed, decrements the per-bucket count, and decrements the total count at `[this+0x5b8]`. Current direct caller is the collection sweep at `0x004814e9`, which makes this the remove-one-site companion to the nearby-site bucket append path rather than a broader route helper.","objdump + caller xrefs + callsite inspection + proximity-bucket correlation"
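
Review bot: The `0x0047d810` row now concludes "so this is the keyed remove-and-compact companion" from a single grounded caller at `0x0040e102`, which the same sentence still describes as a "refresh or teardown branch", and the confidence stays at 3. The sibling row `0x0047dcd0` in this hunk keeps "so this now reads as the common clear step" on comparable evidence, so the file now mixes asserted and hedged wording within one helper family. Apply the rewording to both rows or neither, and if the claim is meant to be firm, resolve the refresh-or-teardown ambiguity of the caller first.
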
@ -592,9 +592,9 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
0x00482d80,128,runtime_query_cached_local_exe_version_string,simulation,thiscall,inferred,objdump + local disassembly + string inspection,3,"Returns one cached local executable version string formatted from the same `RT3.EXE` version-info source used by `0x00482d10`. On first use the helper queries the packed local version dword through `0x0055d9c0`, formats it with the literal pattern `%d.%02d` at `0x005ced5c`, allocates one small shell string object at `0x006cec24`, and returns that cached string on later calls. Current grounded callers include `multiplayer_session_event_publish_registration_field` `0x0046a6c0` and the later shell text path at `0x00503254`, which makes this the clearest current local version-string owner.","objdump + local disassembly + string inspection + caller xrefs + version-resource correlation"
0x00482e00,70,runtime_query_hundredths_scaled_build_version,simulation,thiscall,inferred,objdump + caller xrefs + local disassembly,3,"Shared rounded hundredths-scaled build-version query used by route, company, train, and world-side logic. In the ordinary local path the helper consults the cached local executable version float from `runtime_query_cached_local_exe_version_float` `0x00482d10`, adds the fixed offset `0.0001`, multiplies by `100.0`, and rounds the result through the CRT helper at `0x005a10d0`, which makes the local outputs line up with integer build values such as `0x67/0x68/0x69/0x6a == 1.03/1.04/1.05/1.06`. When the multiplayer-side runtime rooted at `0x006cd8d8` is active, or when the local scenario-state gate at `0x004349a0` reports a later mode, it instead delegates to the multiplayer companion path at `0x0046a4b0`, which can reuse a cached network-side integer at `0x006cd96c` or scan live session-peer version fields before falling back to the same local executable-version path. Current grounded callers include the city-connection route builder `0x00402cb0`, the auxiliary tracker pair-metric dispatcher `0x004a65b0`, and numerous neighboring world-side maintenance branches. This is no longer best-read as a gameplay progress or era index: the recovered threshold pattern is a shared executable or session build-version gate.","objdump + caller xrefs + local disassembly + multiplayer-fallback correlation + version-resource correlation + threshold-correlation"
0x004801a0,105,placed_structure_is_linked_transit_site_reachable_from_company_route_anchor,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Boolean gate between one linked transit site and one company-side route anchor. The helper first requires the current placed structure to pass the station-or-transit gate `0x0047fd50`, then requires its linked-instance class test through `0x0040c990 == 1`. It resolves the caller-supplied company id through the live company collection `0x0062be10`, asks that company for one cached route-anchor entry id through `company_query_cached_linked_transit_route_anchor_entry_id` `0x00401860`, resolves the site's own route-entry anchor through collection `0x006cfca8`, and finally re-enters `0x0048e3c0` to test whether the two route-entry anchors lie in the same reachable route-side family. Current grounded caller is `company_rebuild_linked_transit_site_peer_cache` `0x004093d0`, where this helper gates whether a foreign linked transit site can still participate in the current company's peer cache.","objdump + caller xrefs + callsite inspection + linked-transit reachability correlation"
0x00480590,371,placed_structure_teardown_linked_site_runtime_state_before_removal,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Tears down the mutable runtime side of one linked placed-structure record before collection removal. The helper clears the route-style scratch lane through `0x004077e0`, clears the proximity buckets through `placed_structure_clear_proximity_bucket_lists` `0x0047dcd0`, frees the trailing scratch buffer at `[this+0x34]`, clears the route-link list through `0x0047f320`, detaches or invalidates the current route-entry anchor at `[this+0x08]` through the route-entry collection `0x006cfca8`, recomputes the current grid-keyed owner lane through `0x0042bbf0`, frees the three per-site byte arrays at `[this+0x24..0x2c]`, clears this record's indexed byte in the corresponding arrays of every later placed-structure record in `0x006cec20`, and finally re-enters the scenario-side follow-on at `0x00436040` with the current site id. Current direct caller is `placed_structure_collection_remove_linked_site_record` `0x004813d0`, so this now looks like the linked-site teardown pass rather than another route-anchor refresh helper.","objdump + caller xrefs + callsite inspection + linked-site teardown correlation"
0x00480590,371,placed_structure_teardown_linked_site_runtime_state_before_removal,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Tears down the mutable runtime side of one linked placed-structure record before collection removal. The helper clears the route-style scratch lane through `0x004077e0`, clears the proximity buckets through `placed_structure_clear_proximity_bucket_lists` `0x0047dcd0`, frees the trailing scratch buffer at `[this+0x34]`, clears the route-link list through `0x0047f320`, detaches or invalidates the current route-entry anchor at `[this+0x08]` through the route-entry collection `0x006cfca8`, recomputes the current grid-keyed owner lane through `0x0042bbf0`, frees the three per-site byte arrays at `[this+0x24..0x2c]`, clears this record's indexed byte in the corresponding arrays of every later placed-structure record in `0x006cec20`, and finally re-enters the scenario-side follow-on at `0x00436040` with the current site id. Current direct caller is `placed_structure_collection_remove_linked_site_record` `0x004813d0`, so this is the linked-site teardown pass rather than another route-anchor refresh helper.","objdump + caller xrefs + callsite inspection + linked-site teardown correlation"
0x00480bb0,1535,placed_structure_refresh_linked_site_display_name_and_route_anchor,map,thiscall,inferred,objdump + caller xrefs + callsite inspection + RT3.lng strings,3,"Single-site post-create or post-edit refresh helper reached from `placed_structure_finalize_creation_or_rebuild_local_runtime_state` `0x0040ef10` when the current placed structure keeps one linked site id at `[this+0x2a8]`. The helper operates on that linked placed-structure record, optionally rebuilds one route-entry anchor at `[this+0x08]` through `route_entry_collection_try_build_path_between_optional_endpoint_entries` `0x004a01a0` with both optional endpoint-entry ids unset and literal policy byte `2`, then binds the chosen route entry back to the site through `0x0048abc0` and re-enters `aux_route_entry_tracker_collection_refresh_route_entry_group_membership` `0x004a45f0` so the auxiliary tracker family at `0x006cfcb4` can regroup around the refreshed anchor. Current caller correlation makes that byte the strongest current match for the broader linked-site route-anchor rebuild lane, as opposed to the narrower direct endpoint-anchor creation or replacement lane that neighboring repair branches drive through literal byte `1` into `0x00493cf0`. It also rebuilds the display-name buffer at `[this+0x46b]`: when the current site coordinates resolve a city or region entry through `0x0044a830` it copies that entry name from `[entry+0x356]`, optionally appends one civic suffix from RT3.lng ids `585..588` `Township`, `New`, `Modern`, and `Renaissance`, and on special linked-instance class branches appends `589` `Service Tower` or `590` `Maintenance Facility` with per-city counters instead. When no city entry resolves it falls back to `591` `Anytown`. The ordinary non-special branch also rotates through RT3.lng ids `578..584` `Junction`, `Crossing`, `Depot`, `Corners`, `Exchange`, `Point`, and `Center` via the static table at `0x005f2cf8`. 
After trimming trailing spaces it conditionally re-enters `placed_structure_route_link_collection_recompute_all_endpoint_pair_state` `0x004682c0` when the narrower station-or-transit gate `0x0047fd50` passes, clears or seeds adjacent city-side cached state through `0x004358d0` and `0x00420650`, and returns. Current direct caller is `0x0040f626`, so this now looks like the linked-site display-name and route-anchor refresh beneath placed-structure finalization rather than another city-connection owner.","objdump + caller xrefs + callsite inspection + RT3.lng strings + route-anchor correlation + linked-site refresh correlation + linked-site policy-byte split correlation + tracker-regrouping correlation"
0x00481390,55,placed_structure_collection_allocate_and_construct_linked_site_record,map,thiscall,inferred,objdump + caller xrefs + constructor inspection,3,"Small allocator wrapper over the live placed-structure collection at `0x006cec20`. The helper allocates one fresh collection entry id through `0x00518900`, resolves the new record through `0x00518140`, and then hands the new id plus the caller-supplied anchor site id and coordinate pair into `placed_structure_construct_linked_site_record_from_anchor_and_coords` `0x00480210`. Current direct caller is `placed_structure_construct_entry_from_candidate_and_world_args` `0x0040f6d0`, where the returned id is published into `[site+0x2a8]` when the backing candidate subtype byte `[candidate+0x32]` is `1`. This now looks like the allocator wrapper for the linked-site records used by the later policy-`1` and policy-`2` route-anchor refresh families rather than another anonymous collection helper.","objdump + caller xrefs + constructor inspection + linked-site correlation"
0x00481390,55,placed_structure_collection_allocate_and_construct_linked_site_record,map,thiscall,inferred,objdump + caller xrefs + constructor inspection,3,"Small allocator wrapper over the live placed-structure collection at `0x006cec20`. The helper allocates one fresh collection entry id through `0x00518900`, resolves the new record through `0x00518140`, and then hands the new id plus the caller-supplied anchor site id and coordinate pair into `placed_structure_construct_linked_site_record_from_anchor_and_coords` `0x00480210`. Current direct caller is `placed_structure_construct_entry_from_candidate_and_world_args` `0x0040f6d0`, where the returned id is published into `[site+0x2a8]` when the backing candidate subtype byte `[candidate+0x32]` is `1`. This is the allocator wrapper for the linked-site records used by the later policy-`1` and policy-`2` route-anchor refresh families rather than another anonymous collection helper.","objdump + caller xrefs + constructor inspection + linked-site correlation"
0x004813d0,91,placed_structure_collection_remove_linked_site_record,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Removes one linked-site record from the live placed-structure collection. The helper resolves the supplied site id through `0x006cec20`, derives one station-or-transit or linked-instance-class latch through `0x0047de00 -> 0x0040c990`, runs `placed_structure_teardown_linked_site_runtime_state_before_removal` `0x00480590`, and then removes the collection entry through `0x00518a30`. When scenario field `[0x006cec78+0x4c93]` is clear and the removed record passed the narrower latch, it also re-enters the company-wide follow-on at `0x00429c10`. Current direct caller is the subtype-`1` destruction path around `0x0040f626`.","objdump + caller xrefs + callsite inspection + linked-site removal correlation"
0x00481430,72,placed_structure_collection_load_dynamic_side_buffers_from_stream,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Collection-level load pass for the variable-size side buffers on placed-structure records. When the shell or world-side stream slot at `[0x006cec74+0x1c7]` is present, the helper walks the live placed-structure collection at `0x006cec20`, resolves each record by id, and re-enters `placed_structure_load_dynamic_side_buffers_from_stream` `0x0047d8e0` on it. Current direct caller is the wider post-load world-side refresh path at `0x00433b93`.","objdump + caller xrefs + callsite inspection + stream-load correlation"
0x00481480,64,placed_structure_collection_append_site_into_all_proximity_bucket_lists,map,thiscall,inferred,objdump + caller xrefs + callsite inspection,3,"Walks the live placed-structure collection at `0x006cec20` and asks every record to consider one caller-supplied peer site for proximity-bucket insertion. The helper resolves each live record and re-enters `placed_structure_append_nearby_transit_site_distance_bucket_entry` `0x0047fdb0` with the supplied peer placed-structure pointer. Current direct callers are the subtype-`4` update paths at `0x0040ec73` and `0x0040fa11`, so this now reads as the add-peer sweep for the nearby-site bucket family rather than another generic collection iterator.","objdump + caller xrefs + callsite inspection + proximity-bucket correlation"
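
Review bot: The new `0x00481390` wording states as fact that this is the allocator for the records "used by the later policy-`1` and policy-`2` route-anchor refresh families", but that policy-byte split is itself still hedged in the `0x00480bb0` row of this hunk ("the strongest current match"), so a definite claim now rests on a tentative one. The same hunk also leaves "so this now looks like" at the end of the `0x00480bb0` row and "so this now reads as" in `0x00481480`, while `0x00480590` and `0x00481390` each rely on one direct caller at confidence 3. Suggest tightening the rows together once the policy-byte reading is confirmed, or scoping the `0x00481390` sentence to what the caller at `0x0040f6d0` shows: the returned id is published into `[site+0x2a8]` when `[candidate+0x32]` is `1`.
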
@ -1033,7 +1033,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
0x0059d8d0,15,multiplayer_transport_has_registered_name,shell,cdecl,inferred,ghidra-headless,3,Boolean wrapper over multiplayer_transport_lookup_registered_name. It returns true when the caller string resolves to one registered-name entry in the transport-side table and false otherwise. Current grounded caller is multiplayer_transport_submit_names_query_with_callback.,ghidra + rizin + llvm-objdump
0x0059d8e0,64,multiplayer_transport_try_read_registered_name_header_block,shell,cdecl,inferred,rizin,4,Looks up one registered-name entry and when the header-valid flag at `[entry+0x154]` is set copies the 7-dword header block at `[entry+0x138]` into the caller buffer and returns true. Otherwise it returns false without mutating the destination.,rizin + llvm-objdump
0x0059d920,48,multiplayer_transport_set_registered_name_header_block,shell,cdecl,inferred,rizin,4,Looks up one registered-name entry copies 7 caller-supplied dwords into the header block at `[entry+0x138]` and sets the paired valid flag at `[entry+0x154]` to one.,rizin + llvm-objdump
0x0059d950,112,multiplayer_transport_set_registered_name_status_text,shell,cdecl,inferred,rizin,3,Looks up one registered-name entry frees the prior heap string at `[entry+0x158]` and replaces it with a heap copy of the caller text or the shared empty string when the caller passes null. The helper currently looks like the main per-name status or topic text setter for the registered-name store.,rizin + llvm-objdump
0x0059d950,112,multiplayer_transport_set_registered_name_status_text,shell,cdecl,inferred,rizin,3,Looks up one registered-name entry frees the prior heap string at `[entry+0x158]` and replaces it with a heap copy of the caller text or the shared empty string when the caller passes null. This is the main per-name status or topic text setter for the registered-name store.,rizin + llvm-objdump
0x0059d9c0,32,multiplayer_transport_mark_registered_name_dirty,shell,cdecl,inferred,rizin,3,Looks up one registered-name entry and sets the dword dirty or active flag at `[entry+0x15c]` to one.,rizin + llvm-objdump
0x0059d9e0,32,multiplayer_transport_get_registered_name_dirty,shell,cdecl,inferred,rizin,3,Looks up one registered-name entry and returns the current dword dirty or active flag stored at `[entry+0x15c]` or zero when the entry is absent.,rizin + llvm-objdump
0x0059da00,64,multiplayer_transport_set_registered_name_display_text,shell,cdecl,inferred,rizin,3,Looks up one registered-name entry copies up to 0x80 bytes of caller text into the embedded buffer at `[entry+0x160]` through string_copy_bounded_zerofill and clears the trailing byte flag at `[entry+0x1df]`. This is a second inline text field distinct from the heap string at `[entry+0x158]`.,rizin + llvm-objdump
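
Review bot: In the `0x0059d950` row, "This is the main per-name status or topic text setter" drops the hedge but keeps two unresolved qualifiers: "main" implies other writers of `[entry+0x158]` were enumerated, and "status or topic" still leaves the field's meaning open. The row lists `rizin` as its only source tool, names no caller, and stays at confidence 3, so neither point is traceable from the entry. Prefer stating what the disassembly shows (it frees and replaces the heap string at `[entry+0x158]`) and either cite the callers that justify "main" or drop the word.
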
