Sherief, FYI

Tony Hawk's Pro Cleanup

Tony Hawk’s Pro Skater 2 was one of the first games I played as a kid, and while visiting family my sister mentioned how she misses that game, which I happened to have installed on my laptop. So naturally, we hooked the laptop up to the TV to replay the career mode. This time, on Windows 10, and even with the latest “cumulative patch”, we were faced with a title bar that is always on top and won’t go away in fullscreen mode:

THPS 2 before pic, with title bar

Naturally, I decided to go in and fix it, whatever the disproportionate cost. I’m familiar enough with the Win32 API to know that title bars and borders are a result of the window style flags (and extended style flags) passed to CreateWindow or CreateWindowEx. The game is old enough that it probably uses the ANSI versions of the Win32 functions, so I launched it under x32dbg, the 32-bit component of the excellent x64dbg debugger, set a breakpoint on CreateWindowExA, and BINGO:

x32dbg breaking at CreateWindowExA

Let’s take a closer look at the arguments passed to CreateWindowExA, specifically the first argument (dwExStyle, the extended style) and the fourth argument (dwStyle, the style):

CreateWindowExA arguments

So the extended style is 0 and the style is 0x10C00000. Checking the Window Styles reference, that value is WS_VISIBLE (0x10000000) | WS_CAPTION (0x00C00000), and WS_CAPTION is exactly the bit that gives a window its title bar. Some googling later, it turned out the right fix is to replace it with WS_VISIBLE | WS_POPUP, i.e. 0x90000000, which creates a borderless window with no caption. It’s easy to verify this at the breakpoint by modifying the value on the stack and letting the code resume, and that did turn out to be the fix:

THPS 2 after pic, without title bar

But no one else is going to break into a debugger and modify the x86 stack for this, so let’s patch the binary. Going one level up the stack, to the return address at [esp], and looking at the disassembly just before it:

THPS2 disassembly

There it is: the 0x68 opcode for push imm32, followed by the 0x10C00000 immediate in little-endian (00 00 C0 10). Since THawk2.exe is loaded at its image base of 0x00400000 and the push is at 0x004F5009, subtracting the base yields an RVA of 0xF5009. For this binary that RVA is also the file offset, but only because the code section’s raw data starts at the same file offset as its virtual address (PointerToRawData equals VirtualAddress in its section header); in general you have to translate through the section table, or the RVA will land on the wrong bytes in the file. I open the binary in HxD, go to that offset, and there’s the x86 opcode as expected:

THPS2 opcode

Now to patch it, keeping in mind that the constant is stored little-endian: the four bytes after 0x68 change from 00 00 C0 10 (0x10C00000) to 00 00 00 90 (0x90000000):

THPS2 opcode post-patch
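The flag decoding, offset translation and byte patch above, as an added example that is not the post’s own code: a Python script that maps the push instruction’s virtual address to a file offset through the PE section headers (instead of assuming RVA equals file offset), checks that the bytes at that offset really are push 0x10C00000 before touching them, and writes the WS_VISIBLE | WS_POPUP immediate. The image it operates on in the demo is a constructed stand-in for THawk2.exe built by build_fake_pe, not the real game; only the addresses and constants (0x00400000, 0x004F5009, 0x10C00000) come from the post. Pointed at the real file on the command line, patch_file does the same thing to the game after saving a .bak copy.

```python
import struct
import sys

# Win32 window-style bits (from the Window Styles reference).
WS_POPUP   = 0x80000000
WS_VISIBLE = 0x10000000
WS_CAPTION = 0x00C00000          # WS_BORDER | WS_DLGFRAME: the title bar

PUSH_IMM32 = 0x68                # x86 opcode: push imm32 (5 bytes total)

# Values from the post: image base of THawk2.exe and the push instruction.
IMAGE_BASE = 0x00400000
PUSH_VA    = 0x004F5009
OLD_STYLE  = WS_VISIBLE | WS_CAPTION   # 0x10C00000
NEW_STYLE  = WS_VISIBLE | WS_POPUP     # 0x90000000


def parse_pe32(data: bytes):
    """Return (image_base, sections) from a PE32 image's headers; sections are
    (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = bytes(data[hdr:hdr + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """Translate a virtual address to a file offset via the section table.
    RVA == file offset only when a section's VirtualAddress equals its
    PointerToRawData; this does the general computation."""
    image_base, sections = parse_pe32(data)
    rva = va - image_base
    for _name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            return raw_ptr + (rva - sva)
    raise ValueError(f"{va:#010x} is not backed by any section")


def patch_push_imm32(data: bytearray, offset: int, old_imm: int, new_imm: int) -> bytes:
    """Replace 'push old_imm' at offset with 'push new_imm' and return the five
    patched bytes. Refuses to write if the opcode or the little-endian immediate
    does not match, so a wrong offset or an already patched file is caught."""
    expected = bytes([PUSH_IMM32]) + struct.pack("<I", old_imm)
    found = bytes(data[offset:offset + 5])
    if found != expected:
        raise ValueError(f"expected {expected.hex()} at {offset:#x}, found {found.hex()}")
    data[offset + 1:offset + 5] = struct.pack("<I", new_imm)
    return bytes(data[offset:offset + 5])


def build_fake_pe(raw_ptr: int, imm: int = OLD_STYLE) -> bytearray:
    """Constructed stand-in for THawk2.exe (not the real file): one .text section
    at RVA 0x1000 whose raw data starts at raw_ptr, holding 'push imm' at the
    post's address 0x004F5009. raw_ptr == 0x1000 reproduces the post's case
    where RVA and file offset coincide; 0x400 is the more common layout."""
    section_va = 0x1000
    code_off = raw_ptr + (PUSH_VA - IMAGE_BASE - section_va)
    img = bytearray(code_off + 5)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)        # Machine=i386, 1 section
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)        # SizeOfOptionalHeader (PE32)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    raw_size = len(img) - raw_ptr
    struct.pack_into("<IIII", img, sec + 8, raw_size, section_va, raw_size, raw_ptr)
    img[code_off] = PUSH_IMM32
    struct.pack_into("<I", img, code_off + 1, imm)
    return img


def patch_file(path: str) -> int:
    """Patch a real executable on disk (keeps a .bak copy); returns the offset."""
    data = bytearray(open(path, "rb").read())
    open(path + ".bak", "wb").write(data)
    off = va_to_file_offset(data, PUSH_VA)
    patch_push_imm32(data, off, OLD_STYLE, NEW_STYLE)
    open(path, "wb").write(data)
    return off


if __name__ == "__main__":
    print(f"patched at file offset {patch_file(sys.argv[1]):#x}")
```

The verify-before-write check is the part worth keeping for any binary patch: it turns a typo in the offset, a different game build, or a second run over an already patched file into an error instead of five silently corrupted bytes.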

And we’re done. No more title bar. Off to Skate Heaven!