# 01 — Runner Architecture & Export Pipeline

## Appended payload model

5.3a does **not** compile GML to machine code. Export pipeline:

1. IDE serializes project state → unified `.gmd` binary stream. ([03-gmd-format](03-gmd-format.md))
2. ZLIB compress the stream.
3. Apply rudimentary XOR obfuscation. ([02-encryption](02-encryption.md))
4. Locate pristine pre-compiled Delphi 5 runner `.exe` stub on host.
5. Append obfuscated blob directly to **EOF** of the stub.

Result: self-contained `.exe` = `[Delphi runner machine code][appended payload]`.

## Runtime bootstrap

When user launches the game `.exe`:

1. OS loader places Delphi runner in memory.
2. Runner reads its own `.exe` from disk.
3. Seeks past machine-code section to EOF offset where payload begins.
4. Loads payload into virtual memory.
5. Reverses XOR obfuscation.
6. Decompresses ZLIB blocks.
7. Instantiates GML VM, interprets assets. ([05-gml-vm](05-gml-vm.md))

This is the structural fact that makes both static and dynamic decompilation viable. See [02-encryption](02-encryption.md) for the cryptographic flaw.

## Historical context

| Version | Export model |
|---|---|
| 1.1 – 3.3 | Standalone `.gmr` + separate runner (jar-style) |
| 4.0 – 5.3a | Appended payload on Delphi runner stub *(this doc)* |
| 6.0+ | Same model + heavier secondary encryption |
| Studio | `data.win` chunk archive + YYC native option |

## CLI / batch limitations

5.3a IDE = **GUI only**. No native `-export`, `-build`, or headless flags. Legacy automation relied on UI-scripting hacks (Windows Script Host, VBScript clicking simulators).

**Implication**: any RE pipeline must operate on generated binaries, not the IDE. Cannot script the IDE itself.

## See also

- [02-encryption](02-encryption.md) — the XOR oracle vulnerability
- [03-gmd-format](03-gmd-format.md) — what's inside the payload
- [09-tool-gmd-recovery](09-tool-gmd-recovery.md) — exploits this architecture
- [15-extraction-pipeline](15-extraction-pipeline.md)