Th08/Binary hacks

From Touhou Patch Center

Bugs

Safe sprintf (call)
(sprintf_call)
Description: Same hack as for th07. Almost binary identical, even.
Address
v1.00d: 0x4663d7, 0x4664ed
Code
50
e8 [strings_vsprintf]
8985 78ffffff
push eax
call [strings_vsprintf]
mov dword ptr ss:[ebp-0x88],eax
Safe sprintf (replace pointer)
(sprintf_rep)
Description: Same hack as for th07. Almost binary identical, even. Adding a push eax so that we can re-use it for spell cards.
Address
v1.00d: 0x466407, 0x4665c7
Code
8b85 78ffffff
50
mov eax,dword ptr ss:[ebp-0x88]
push eax
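As an added example (not from the original page or from thcrap itself), a small Python encoder for the code notation used in these tables: hex byte runs plus `[symbol]` placeholders that become a rel32 displacement for the preceding E8/E9 opcode, following thcrap's binhack syntax. The symbol address and the code-section window are constructed for the demo; thcrap's loader resolves the real address from the game binary.

```python
import re

# Constructed symbol table (not the game's real address): the hack names
# strings_vsprintf and thcrap resolves it from the binary at load time.
SYMBOLS = {"strings_vsprintf": 0x00470000}

# The "Safe sprintf (call)" hack exactly as written on this page.
SPRINTF_CALL = "50 e8 [strings_vsprintf] 8985 78ffffff"

def encode_binhack(code: str, hack_va: int, symbols: dict) -> bytes:
    """Encode a binhack code string into the bytes to write at hack_va.

    Tokens are hex byte runs or [symbol] references.  A [symbol] takes
    4 bytes and, as in thcrap's syntax, is a rel32 displacement measured
    from the end of those 4 bytes, i.e. the operand a preceding E8/E9
    opcode expects.  The result therefore differs per hack address."""
    out = bytearray()
    for tok in re.findall(r"\[[^\]]+\]|[0-9a-fA-F]+", code):
        if tok.startswith("["):
            name = tok[1:-1]
            if name not in symbols:
                raise KeyError(f"unresolved symbol {name}")
            next_ip = hack_va + len(out) + 4        # address after the rel32
            rel = (symbols[name] - next_ip) & 0xFFFFFFFF
            out += rel.to_bytes(4, "little")
        else:
            if len(tok) % 2:
                raise ValueError(f"odd-length hex run {tok!r}")
            out += bytes.fromhex(tok)
    return bytes(out)

def apply_binhack(buf: bytearray, buf_va: int, hack_va: int,
                  code: str, symbols: dict) -> bytes:
    """Patch buf (a window of the code section mapped at buf_va) in place
    and return the bytes that were written."""
    patch = encode_binhack(code, hack_va, symbols)
    off = hack_va - buf_va
    if off < 0 or off + len(patch) > len(buf):
        raise ValueError("hack does not fit inside the buffer")
    buf[off:off + len(patch)] = patch
    return patch

if __name__ == "__main__":
    # Constructed 0x200-byte window of .text starting at 0x466300, filled with INT3.
    text = bytearray(b"\xcc" * 0x200)
    # The page lists two addresses for this hack: same code, different rel32.
    for va in (0x4663d7, 0x4664ed):
        print(hex(va), apply_binhack(text, 0x466300, va, SPRINTF_CALL, SYMBOLS).hex(" "))
```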

Spells

Spell card alignment
(spell_align)
Description: Same as the th07 version.
Address
v1.00d: 0x466585
Code
ffb5 78ffffff
e8 [GetTextExtent]
83c0 04
50
db04e4
58
90 90 90 90 90 90
90 90 90 90 90
push dword ptr ss:[ebp-0x88]
call [GetTextExtent]
add eax, 4
push eax
fild dword ptr ss:[esp]
pop eax
nop (*0xb)

Music Room

Prepare Music Room title fetching
(music_title_prepare)
Description: Before the address of the title string is calculated, the game checks the music unlock table for that track. By merely changing the target register for the track number used in this comparison, it is kept there until the end of the function. Why should we have two or more breakpoints, then?
Address
v1.00d: 0x449ac4
Code
8b55 f0
8b4d d0
837c91 0c 00
mov edx,dword ptr ss:[ebp-0x10]
mov ecx,dword ptr ss:[ebp-0x30]
cmp dword ptr ds:[edx*4+ecx+0x0c],0
Prepare Music Room title fetching ("Now playing")
(music_title_nowplaying_prepare)
Description: Same here.
Address
v1.00d: 0x4490ce
Code
8b50 74
69c2 92020000
mov edx,dword ptr ds:[eax+0x74]
imul eax,edx,0x292
Rewrite Music Room comment render calls
(music_cmt_rewrite)
Description: The easy way of just inserting three breakpoints, one for each parameter, doesn't really work here. We would either overwrite the spoiler message as well, or be limited to 64 bytes due to the strncpy. We cannot remove that either, because at least track #6 has one line that's exactly 64 bytes long, with no terminating null byte. This would cause a slight glitch, displaying two lines in one.


Thus, a rewrite is needed. This only removes the copy of the spoiler message so that thcrap's string lookup can work as expected.
Address
v1.00d: 0x448eec
Code
53
8b9d 58ffffff
8b43 74
8b55 f8
3b43 78
74 07
837c83 0c 00
74 28
69f0 92020000
03b3 84000000
6bca 42
8db431 82000000
6a 10
59
8d7d b0
f3:a5
8d7d b0
9090909090
eb 07
8b3c95 ac7a4c00
69c2 a4020000
838c03 00570000 02
89f8
5b
eb 4f
9090909090909090
9090909090909090
9090909090909090
9090909090909090
9090909090909090
9090909090909090
9090909090909090
9090909090909090
9090909090909090
90909090909090
push ebx                              ; Turn EBX into a scratch register
mov ebx,dword ptr ss:[ebp-0x0a8]      ; EBX = structure
mov eax,dword ptr ds:[ebx+0x74]       ; EAX = track
mov edx,dword ptr ss:[ebp-8]          ; EDX = line
cmp eax,dword ptr ds:[ebx+0x78]
je +7
cmp dword ptr ds:[eax*4+ebx+0x0c],0   ; Unlocked?
je +0x28                              ; No
imul esi,eax,0x292                    ; ESI = track offset
add esi,dword ptr ds:[ebx+0x84]
imul ecx,edx,0x42                     ; ECX = line offset
lea esi,[esi+ecx+0x82]                ; ESI = original comment string
push 0x10
pop ecx                               ; ECX = 0x10 dwords
lea edi,[ebp-0x50]
rep movs [edi], [esi]                 ; strncpy(edi, esi, 0x40)
lea edi,[ebp-0x50]                    ; Reset EDI
nop (*5)                              ; Insert breakpoint here
jmp +7
mov edi,dword ptr ds:[edx*4+0x4c7aac] ; EDI = spoiler message
imul eax,edx,0x2a4                    ; EAX = line offset for the flag below
or dword ptr ds:[eax+ebx+0x5700],2
mov eax,edi                           ; Clean up
pop ebx
jmp short +0x4f
nop (*0x4f)

Compatibility

Reset English patch font size
(unpatch_font)
Address
v1.00d: Rx3fa07
Code
8d4400 fe
lea eax, [eax+eax-2]