User:32th System/SA Replay Info Collection
Jump to navigation
Jump to search
Alternative method that worked in
Replay header
THIS INFORMATION IS INCOMPLETE
| Address | Type | Name | Description |
|---|---|---|---|
| 0x00 | int | magic_number | "t11r" |
| 0x04 | short | check | Must be 4, otherwise the replay is invalid |
| 0x0c | int | user_offset | Offset at which the plain text user data is located. The magic number for user data is "USER" |
| 0x1c | int | replay_size | Size of the replay data not including header or user information |
Finding replay loading code
These steps should also be possible with any other Touhou game. If saving a replay twice results in a completely different replay (like it's the case in 
Mountain of Faith) this exact method will not work
- Save 2 of the exact same replay with a different name
- Make sure that there are only a few bytes that differ in your replays
- In one of the replays, edit a byte that is different from the other
- Enter the replay menu, your game should crash! If it does, enter the replay menu again, this time run the game with a debugger
- The address at which the game crashes should be in the replay loading function
Alternative method that worked in 
Mountain of Faith
- Put a breakpoint on WriteFile
- Save a replay
- When you hit this breakpoint, look on the stack to find the function that called WriteFile. This is the replay saving function
- Right below it should be the the replay loading function
What I know about decryption so far
Start at replay start + offset after decrypting a byte with initial key AA, add a number specified by function argument decrypt_adder (argument 3 of function Rx581c0), go 2 bytes before the byte just decrypted and repeat until the variable/register (in this case eax) with initial value offset/2 that gets decremented every loop is 0