Th08/Binary hacks
Development of this patch has moved to GitHub. Please use the Issues page there to discuss possible improvements or additions to this patch, or simply send a pull request. For now, the existing wiki pages of this patch will remain for the sake of documentation, but they are no longer functional.
Bugs
Safe sprintf (call) (sprintf_call)

| Field | Value |
|---|---|
| Description | Same hack as for th07. Almost binary identical, even. |
| Address | |
| Code | 50 e8 [strings_vsprintf] 8985 78ffffff |

Disassembly:

    push eax
    call [strings_vsprintf]
    mov dword ptr ss:[ebp-0x88],eax
Safe sprintf (replace pointer) (sprintf_rep)

| Field | Value |
|---|---|
| Description | Same hack as for th07. Almost binary identical, even. A push eax is added so that the hack can be re-used for spell cards. |
| Address | |
| Code | 8b85 78ffffff 50 |

Disassembly:

    mov eax,dword ptr ss:[ebp-0x88]
    push eax
Spells
Spell card alignment (spell_align)

| Field | Value |
|---|---|
| Description | Same as the th07 version. |
| Address | |
| Code | ffb5 78ffffff e8 [GetTextExtent] 83c0 04 50 db04e4 58 90 90 90 90 90 90 90 90 90 90 90 |

Disassembly:

    push dword ptr ss:[ebp-0x88]
    call [GetTextExtent]
    add eax, 4
    push eax
    fild dword ptr ss:[esp]
    pop eax
    nop (*0xb)
Music Room
Prepare Music Room title fetching (music_title_prepare)

| Field | Value |
|---|---|
| Description | Before the address of the title string is calculated, the game checks the music unlock table for that track. By merely changing the register that the track number is loaded into for this comparison, the track number stays in that register until the end of the function. Why, then, should we need two or more breakpoints? |
| Address | |
| Code | 8b55 f0 8b4d d0 837c91 0c 00 |

Disassembly:

    mov edx,dword ptr ss:[ebp-0x10]
    mov ecx,dword ptr ss:[ebp-0x30]
    cmp dword ptr ds:[edx*4+ecx+0x0c],0
Prepare Music Room title fetching ("Now playing") (music_title_nowplaying_prepare)

| Field | Value |
|---|---|
| Description | Same here. |
| Address | |
| Code | 8b50 74 69c2 92020000 |

Disassembly:

    mov edx,dword ptr ds:[eax+0x74]
    imul eax,edx,0x292
Rewrite Music Room comment render calls (music_cmt_rewrite)

| Field | Value |
|---|---|
| Description | The easy way of just inserting three breakpoints, one for each parameter, doesn't really work here. We would either overwrite the spoiler message as well, or be limited to 64 bytes due to the strncpy. The strncpy cannot be removed either, because at least track #6 has one line that is exactly 64 bytes long with no terminating null byte; without the length limit, this would cause a slight glitch, displaying two lines as one. |
| Address | |
| Code | 53 8b9d 58ffffff 8b43 74 8b55 f8 3b43 78 74 07 837c83 0c 00 74 28 69f0 92020000 03b3 84000000 6bca 42 8db431 82000000 6a 10 59 8d7d b0 f3:a5 8d7d b0 9090909090 eb 07 8b3c95 ac7a4c00 69c2 a4020000 838c03 00570000 02 89f8 5b eb 4f 9090909090909090 9090909090909090 9090909090909090 9090909090909090 9090909090909090 9090909090909090 9090909090909090 9090909090909090 9090909090909090 90909090909090 |

Disassembly:

    push ebx                                ; Turn EBX into a scratch register
    mov ebx,dword ptr ss:[ebp-0x0a8]        ; EBX = structure
    mov eax,dword ptr ds:[ebx+0x74]         ; EAX = track
    mov edx,dword ptr ss:[ebp-8]            ; EDX = line
    cmp eax,dword ptr ds:[ebx+0x78]
    je +7
    cmp dword ptr ds:[eax*4+ebx+0x0c],0     ; Unlocked?
    je +0x28                                ; No
    imul esi,eax,0x292                      ; ESI = track offset
    add esi,dword ptr ds:[ebx+0x84]
    imul ecx,edx,0x42                       ; ECX = line offset
    lea esi,[esi+ecx+0x82]                  ; ESI = original comment string
    push 0x10
    pop ecx                                 ; ECX = 0x10 dwords = 64 bytes
    lea edi,[ebp-0x50]
    rep movsd                               ; strncpy(edi, esi, 0x40)
    lea edi,[ebp-0x50]                      ; Reset EDI
    nop (*5)                                ; Insert breakpoint here
    jmp +7
    mov edi,dword ptr ds:[edx*4+0x4c7aac]   ; EDI = spoiler message
    imul eax,edx,0x2a4                      ; EAX = offset for the OR below
    or dword ptr ds:[eax+ebx+0x5700],2
    mov eax,edi                             ; Clean up
    pop ebx
    jmp short +0x4f
    nop (*0x4f)
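The address calculation and the 64-byte copy from the hack above, as an added C example that is not part of the original page or patch: it uses the track stride (0x292), comment offset (0x82) and line stride (0x42) from the disassembly, and shows why a line that fills all 64 bytes without a terminator needs a length-capped copy. The table contents and the `comment_line_ptr`/`copy_comment_line` names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Layout constants taken from the patch's disassembly (assumed here to
   describe a plain byte array): one track entry is 0x292 bytes, comment
   lines start at +0x82 inside it, each line occupies 0x42 bytes, and the
   game copies 0x10 dwords (64 bytes) of a line, like strncpy(dst, src, 0x40). */
#define TRACK_SIZE  0x292
#define COMMENT_OFF 0x82
#define LINE_SIZE   0x42
#define COPY_LEN    0x40

/* Mirrors the patched code: esi = track*0x292 + base + line*0x42 + 0x82 */
const char *comment_line_ptr(const uint8_t *base, int track, int line)
{
    return (const char *)(base + track * TRACK_SIZE + COMMENT_OFF + line * LINE_SIZE);
}

/* Copies one line into a caller-supplied 65-byte buffer. The copy stops at a
   NUL or at 64 bytes and always terminates the result, so a line that fills
   all 64 bytes (the track #6 case) does not run on into the next line. */
size_t copy_comment_line(const uint8_t *base, int track, int line, char out[COPY_LEN + 1])
{
    const char *src = comment_line_ptr(base, track, line);
    size_t n = 0;
    while (n < COPY_LEN && src[n] != '\0')   /* bounded scan: no strlen on untrusted data */
        n++;
    memcpy(out, src, n);
    out[n] = '\0';
    return n;
}

/* Constructed sample table: two tracks filled with '#', with two lines written
   into track 1. Line 0 is exactly 64 characters and has no terminator; line 1
   starts immediately at the next 0x42-byte slot. */
uint8_t g_table[2 * TRACK_SIZE];

void build_sample_table(void)
{
    memset(g_table, '#', sizeof g_table);
    char *l0 = (char *)g_table + 1 * TRACK_SIZE + COMMENT_OFF;
    memcpy(l0, "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", 64);
    strcpy(l0 + LINE_SIZE, "second line");
}

int main(void)
{
    char buf[COPY_LEN + 1];
    build_sample_table();
    copy_comment_line(g_table, 1, 0, buf); printf("line 0: %s\n", buf);
    copy_comment_line(g_table, 1, 1, buf); printf("line 1: %s\n", buf);
    return 0;
}
```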
Compatibility
Reset English patch font size (unpatch_font)

| Field | Value |
|---|---|
| Address | |
| Code | 8d4400 fe |

Disassembly:

    lea eax, [eax+eax-2]