RVGL Reverse Engineering
Welcome to the RVGL Reverse Engineering post! Here i will be documenting the progress on the the code for RVGL via Ghydra (A reverse engineering software), for future projects.
19 February 2026:
Yesturday i had a huge breakthrough in rvgl.exe code. I had found the main loop of the game and the setup code.
List of function i had found:
- Intro 'Made by the RVGL Team' source code.
- How the program reads the .inf track file.
- How the program reads the .txt parameters car file.
- How the program reads the frontend files.
- Single Player setup code.
- Multiplayer setup code.
- Re-Volt UI setup and main code.
- Replay code.
- How the program reads cups.
RVGL Reverse Engineering
RVGL Reverse Engineering
From LJP
Re: RVGL Reverse Engineering
New discoveries on 2026-02-20
Learned how most SDL2.dll functions (Mostly Analized)
SDL2.dll is for:
Window Management
Input (Keyboard, Mouse or Controller)
OpenGL Context Creation
Event Loop
SDL2.dll size: 2.13MB
libGLESv2.dll is fully analyzed
libGLESv2.dll is for:
All Rendering Calls
Context Management (TLS-Based)
libGLESv2.dll size: 6.9MB
OpenAL32.dll is mostly analized
OpenAL32.dll is for:
The Audio System
OpenAL32.dll size: 1.71MB
libenet-7.dll is mostly analyzed
libenet-7 is for:
Networking and Multiplayer
libdiscord-rpc.dll is mostly analyzed
libdiscord-rpc.dll is for:
Discord Rich Presence (Displays your RVGL activity)
- Made the Game Loop Structure, with a few functions like:
The Main Entry Point function that:
Parse command-line arguments
Init SDL subsystems
Load resources (like tracks, cars, ex.)
and Set game state function pointer.
Main game loop (while !quit):
- Discovered Function that Processes SDL events (input)
libGLESv2.dll is fully analyzed. Here are full detials:
Type: Google ANGLE (Almost Native Graphics Layer Engine)
Purpose: Translate OpenGL ES Calls
Things discovered in libGLESv2.dll:
- Global TLS Index (Purpose: Stores Windows TLS slot index for GL Contexts)
- Context Architecture
Key functions (that are mapped now):
GetCurrentContext() - Purpose: Main Context getter (called by ALL 601 functions)
TlsGetValue_Wrapper() - Purpose: Wraps Windows TlsGetValue
CreateContext() - Purpose: Allocates 32-bye handle, and calls init
ValideContext() - Purpose: Checks context_lost_flag and handles errors
InitializeHandle() - Purpose: Initializes 32-byte handle structure
IsContextLost() - Purpose: Returns info (byte) at a specific address
Core GL functions discovered:
glDrawArrays (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glDrawElements (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glClear (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glUseProgram (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glBindTexture (False to all)
glBindBuffer (False to all)
(Context Flow Diagram will be soon available.)
RVGL.exe Analysis:
- Entry Point and Initialization is Discovered
- Main Entry Function is Discovered
- Command-Line Arguments are Discovered (All commands that can be used in Launch Parameters of the RVGL Launcher)
- Game State System Discovered (w/ Game State Function Pointer)
- Event Processing Loop Discovered
- Discovered how SDL Event Types are Handled. (Funny enough, every build includes "Finger Events" for mobile.)
- Discovered Key Bindings (I think, im not sure on this one.)
- Discovered SDL Event Processing Functions:
> Main event loop (Processes all events)
> Touch Handler (Multi Touch for mobile, very unoptimized, is included in every build)
> Window Focus gain (Mouse button 0x0c handler)
> Window focus loss (Mouse button 0x0d handler)
> Update function (I haven't looked at that one yet, but its called often and has unknown purpose)
- Discovered multiple Global flags, including:
> Game Quit flag
> Game state function
> Window State
> Multiple other unknown state flags that i have to analyze)
Car system discovered:
- The car system (full code for reading parameters.txt)
- .prm (binary - not yet analyzed)
- carbox.bmp, and texture.bmp
(Thankfully found the goldmine for car parameters reading - it includes mostly all stats that can be modified, but how it impacts the game isnt fully analyzed yet
Key car loading functions mostly analyzed, including:
Load all cars, Initialize cars, Parse parameters.txt (read through and parse), Finalize car loading, Read string parameters, read byte parameters, read integer values.
Track system discovered:
File structure:
.inf is fully analyzed
.w is not yet analyzed
other file formats aren't found yet.
Track .inf structure is also fully analyzed and how it reads. (i need to analyze how it impacts the game though)
Track loading functions that i have discovered:
Load all tracks info (from main menu - main track scanning loop)
Load the track .inf file - parse single track's .inf file
Other functions include: Check directory exists, and check file exists.
Other init functions are not yet analyzed. i have to analyze those addresses...
going back to RVGL.exe main:
Multiple Game Loop functions are analyzed/discovered:
Event Proccessor - Handles SDL events (input, window, touch) - Analyzed fully
Pause Handler - Called When Window is minimized/in background - Not yet analyzed
Splash/Logo State - Initial Game State (Dev Logos) - Analyzed Fully
Racing Game Loop - Main Racing State - Not yet analyzed
Multiplayer State - Lobby/Multiplayer Mode - Almost analyzed...
Other unknown state that i need to analyze...
And the Replay state that i need to analyze.
- I still need to analyze a bit of Rendering Functions.
Memory Addresses & Data structures discovered:
Game State that are analyzed fully:
- Current Game State Function Pointer
- Game Quit
- The A and D key flags
Window & Display critical global variables that are analyzed fully:
- Window Minimized Flag
- SDL Window Pointer
- Window Width
- Window Height
- Multisample Level
Game Settings (Launch Parameters and more) that are discovered:
- No sound flag (-nosound)
- No Joystick flag (-nojoy)
- No Gamma flag (-nogamma)
- No User Profiles flag (-nouser)
- Texture Info Flag (what size of textures you pc can handle) (-texinfo)
- Large Replays Flag (-largereplays)
- Edit (window) scale? (-editscale)
Touch Inputs are discovered but are not analyzed ( almost 0 knowledge, just ideas)
Network is somewhat analyzed, but i wont put it out yet, because im not sure yet about the variables and their info)
Profile variables are somewhat analyzed, but same as network, im not sure and i have to analyze it more
I have multiple hook points i can get, starting off in libGLESv2.dll:
- Hook all GL Calls with one function, and then log, modify or inject custom data.
- Hook specific rendering, so i could intercept draw calls, count triangles and replace geometry
- I can also hook texture binding so i could replace all textures.
- i can hook shader usage and inject more custom shaders.
Here are multiple RVGL.exe hooks i can put:
- Hook game state function pointer, so i could inject custom logic after game state runs, also includes custom rendering and debug overlays.
- Hook event processing, so i could add custom input handling, shortcuts and debug commands
- Hook car loading, so i could modify car stats directly, add custom physics or add hidden cars
- Hook track loading, so i can add custom challenges
**This took me ages to write lol
** Expect some things not to be correct.
Learned how most SDL2.dll functions (Mostly Analized)
SDL2.dll is for:
Window Management
Input (Keyboard, Mouse or Controller)
OpenGL Context Creation
Event Loop
SDL2.dll size: 2.13MB
libGLESv2.dll is fully analyzed
libGLESv2.dll is for:
All Rendering Calls
Context Management (TLS-Based)
libGLESv2.dll size: 6.9MB
OpenAL32.dll is mostly analized
OpenAL32.dll is for:
The Audio System
OpenAL32.dll size: 1.71MB
libenet-7.dll is mostly analyzed
libenet-7 is for:
Networking and Multiplayer
libdiscord-rpc.dll is mostly analyzed
libdiscord-rpc.dll is for:
Discord Rich Presence (Displays your RVGL activity)
- Made the Game Loop Structure, with a few functions like:
The Main Entry Point function that:
Parse command-line arguments
Init SDL subsystems
Load resources (like tracks, cars, ex.)
and Set game state function pointer.
Main game loop (while !quit):
- Discovered Function that Processes SDL events (input)
libGLESv2.dll is fully analyzed. Here are full detials:
Type: Google ANGLE (Almost Native Graphics Layer Engine)
Purpose: Translate OpenGL ES Calls
Things discovered in libGLESv2.dll:
- Global TLS Index (Purpose: Stores Windows TLS slot index for GL Contexts)
- Context Architecture
Key functions (that are mapped now):
GetCurrentContext() - Purpose: Main Context getter (called by ALL 601 functions)
TlsGetValue_Wrapper() - Purpose: Wraps Windows TlsGetValue
CreateContext() - Purpose: Allocates 32-bye handle, and calls init
ValideContext() - Purpose: Checks context_lost_flag and handles errors
InitializeHandle() - Purpose: Initializes 32-byte handle structure
IsContextLost() - Purpose: Returns info (byte) at a specific address
Core GL functions discovered:
glDrawArrays (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glDrawElements (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glClear (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glUseProgram (Validation Function Discovered?: True, Implementation Function Discovered?: True)
glBindTexture (False to all)
glBindBuffer (False to all)
(Context Flow Diagram will be soon available.)
RVGL.exe Analysis:
- Entry Point and Initialization is Discovered
- Main Entry Function is Discovered
- Command-Line Arguments are Discovered (All commands that can be used in Launch Parameters of the RVGL Launcher)
- Game State System Discovered (w/ Game State Function Pointer)
- Event Processing Loop Discovered
- Discovered how SDL Event Types are Handled. (Funny enough, every build includes "Finger Events" for mobile.)
- Discovered Key Bindings (I think, im not sure on this one.)
- Discovered SDL Event Processing Functions:
> Main event loop (Processes all events)
> Touch Handler (Multi Touch for mobile, very unoptimized, is included in every build)
> Window Focus gain (Mouse button 0x0c handler)
> Window focus loss (Mouse button 0x0d handler)
> Update function (I haven't looked at that one yet, but its called often and has unknown purpose)
- Discovered multiple Global flags, including:
> Game Quit flag
> Game state function
> Window State
> Multiple other unknown state flags that i have to analyze)
Car system discovered:
- The car system (full code for reading parameters.txt)
- .prm (binary - not yet analyzed)
- carbox.bmp, and texture.bmp
(Thankfully found the goldmine for car parameters reading - it includes mostly all stats that can be modified, but how it impacts the game isnt fully analyzed yet
Key car loading functions mostly analyzed, including:
Load all cars, Initialize cars, Parse parameters.txt (read through and parse), Finalize car loading, Read string parameters, read byte parameters, read integer values.
Track system discovered:
File structure:
.inf is fully analyzed
.w is not yet analyzed
other file formats aren't found yet.
Track .inf structure is also fully analyzed and how it reads. (i need to analyze how it impacts the game though)
Track loading functions that i have discovered:
Load all tracks info (from main menu - main track scanning loop)
Load the track .inf file - parse single track's .inf file
Other functions include: Check directory exists, and check file exists.
Other init functions are not yet analyzed. i have to analyze those addresses...
going back to RVGL.exe main:
Multiple Game Loop functions are analyzed/discovered:
Event Proccessor - Handles SDL events (input, window, touch) - Analyzed fully
Pause Handler - Called When Window is minimized/in background - Not yet analyzed
Splash/Logo State - Initial Game State (Dev Logos) - Analyzed Fully
Racing Game Loop - Main Racing State - Not yet analyzed
Multiplayer State - Lobby/Multiplayer Mode - Almost analyzed...
Other unknown state that i need to analyze...
And the Replay state that i need to analyze.
- I still need to analyze a bit of Rendering Functions.
Memory Addresses & Data structures discovered:
Game State that are analyzed fully:
- Current Game State Function Pointer
- Game Quit
- The A and D key flags
Window & Display critical global variables that are analyzed fully:
- Window Minimized Flag
- SDL Window Pointer
- Window Width
- Window Height
- Multisample Level
Game Settings (Launch Parameters and more) that are discovered:
- No sound flag (-nosound)
- No Joystick flag (-nojoy)
- No Gamma flag (-nogamma)
- No User Profiles flag (-nouser)
- Texture Info Flag (what size of textures you pc can handle) (-texinfo)
- Large Replays Flag (-largereplays)
- Edit (window) scale? (-editscale)
Touch Inputs are discovered but are not analyzed ( almost 0 knowledge, just ideas)
Network is somewhat analyzed, but i wont put it out yet, because im not sure yet about the variables and their info)
Profile variables are somewhat analyzed, but same as network, im not sure and i have to analyze it more
I have multiple hook points i can get, starting off in libGLESv2.dll:
- Hook all GL Calls with one function, and then log, modify or inject custom data.
- Hook specific rendering, so i could intercept draw calls, count triangles and replace geometry
- I can also hook texture binding so i could replace all textures.
- i can hook shader usage and inject more custom shaders.
Here are multiple RVGL.exe hooks i can put:
- Hook game state function pointer, so i could inject custom logic after game state runs, also includes custom rendering and debug overlays.
- Hook event processing, so i could add custom input handling, shortcuts and debug commands
- Hook car loading, so i could modify car stats directly, add custom physics or add hidden cars
- Hook track loading, so i can add custom challenges
**This took me ages to write lol
** Expect some things not to be correct.
From LJP