Th095/Binary hacks

From Touhou Patch Center

Bugs

Fix buffer overflow in menu spell name rendering (replace pointer)
(overflow_spell_menu_rep)
Address
v1.02a: 0x44406b
Code
  8b55 18          mov edx, [ebp+0x18]
Fix buffer overflow in in-game spell name rendering (replace pointer)
(overflow_spell_ingame_rep)
Address
v1.02a: 0x443ef7
Code
  53               push ebx
  90 (*6)          nop (*6)

Spells

Spell ID fetching

In this game, the spell ID has to be fetched separately for every kind of menu cursor move.

Optimizing away one assignment in the original code frees more than enough bytes to calculate the spell ID the same way th125 does on its own: ID = level * 10 + scene, done with two lea instructions (level * 5, then * 2 plus scene).

The menu_entry, menu_level and menu_scene hacks differ only in the registers used: the scene is first copied into a second register, the ID is assembled in the register that held the scene, and the copy feeds the game's own imul by 0x30 that follows, which is where the breakpoint goes. The replay hack has to take a slightly different approach, since it reads level and scene as two adjacent signed bytes through a pointer rather than from a register and a stack variable.

Fetch spell card number (menu entry)
(spell_fetch_id_menu_entry)
Address
v1.02a: 0x44897a
Code
  89d0             mov eax, edx                      ; edx = scene, copied to eax
  8b8d f4feffff    mov ecx, dword ptr ss:[ebp-0x10c] ; ecx = level
  8d1489           lea edx, [ecx*4+ecx]              ; edx = level * 5
  8d1450           lea edx, [edx*2+eax]              ; edx = level * 10 + scene = spell ID
  6bc0 30          imul eax, eax, 0x30               ; insert breakpoint here
  90 (*4)          nop (*4)
Fetch spell card number (level switch)
(spell_fetch_id_menu_level)
Address
v1.02a: 0x449ee6
Code
  89c1             mov ecx, eax                      ; eax = scene, copied to ecx
  8b95 dcfdffff    mov edx, dword ptr ss:[ebp-0x224] ; edx = level
  8d0492           lea eax, [edx*4+edx]              ; eax = level * 5
  8d0441           lea eax, [eax*2+ecx]              ; eax = level * 10 + scene = spell ID
  6bc9 30          imul ecx, ecx, 0x30               ; insert breakpoint here
  90 (*4)          nop (*4)
Fetch spell card number (scene switch)
(spell_fetch_id_menu_scene)
Address
v1.02a: 0x44a965
Code
  89ca             mov edx, ecx                      ; ecx = scene, copied to edx
  8b85 40fdffff    mov eax, dword ptr ss:[ebp-0x2c0] ; eax = level
  8d0c80           lea ecx, [eax*4+eax]              ; ecx = level * 5
  8d0c4a           lea ecx, [ecx*2+edx]              ; ecx = level * 10 + scene = spell ID
  6bd2 30          imul edx, edx, 0x30               ; insert breakpoint here
  90 (*4)          nop (*4)
Fetch spell card number (replay)
(spell_fetch_id_menu_replay)
Address
v1.02a: 0x434474
Code
  8b5d ec          mov ebx, dword ptr ss:[ebp-0x14]
  8b43 20          mov eax, dword ptr ds:[ebx+0x20]
  0fbe48 02        movsx ecx, byte ptr ds:[eax+0x2]  ; ecx = level (signed byte)
  0fbe50 03        movsx edx, byte ptr ds:[eax+0x3]  ; edx = scene (signed byte)
  8d1c89           lea ebx, [ecx*4+ecx]              ; ebx = level * 5
  8d1c5a           lea ebx, [ebx*2+edx]              ; ebx = level * 10 + scene = spell ID
                                                     ; insert breakpoint here
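
The disassembly column on this page is hand-written, and the thing it most easily gets wrong is which register an lea or mov writes to, since that is decided by the ModRM reg field and not by the order the operands appear in. Re-deriving the listing from the bytes is the check worth doing, so here is a small Python decoder for exactly the instruction forms the spell-ID hacks use. It is an added example and not code from this page or from thcrap; it takes the page's hex notation and refuses anything it does not know rather than guessing.

```python
"""Minimal 32-bit x86 decoder for the instruction forms used by the spell-ID
hacks on this page.  Added example, not code from the page or from thcrap.
Handles mov r32,r/m32 (8b), mov r/m32,r32 (89), add r/m32,r32 (01), lea (8d),
imul r32,r/m32,imm8 (6b), shl/shr r/m32,imm8 (c1 /4, /5), add r/m32,imm8
(83 /0), movsx r32,r/m8 (0f be), push/pop r32 and nop.  Anything else raises."""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _imm(v):
    """Signed immediate/displacement as 0x.. or -0x.."""
    return f"-0x{-v:x}" if v < 0 else f"0x{v:x}"


def _decode_modrm(code, pos):
    """Decode ModRM (+SIB, +disp) at code[pos] -> (reg_field, operand, next_pos).

    The reg field, not the operand order of a hand-written listing, decides
    which register lea / mov r32,r/m32 write to."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos += 1
    if mod == 3:                                    # register operand
        return reg, REGS32[rm], pos
    base, index, scale = None, None, 1
    if rm == 4:                                     # SIB byte follows
        sib = code[pos]
        pos += 1
        scale = 1 << (sib >> 6)
        idx, base_field = (sib >> 3) & 7, sib & 7
        index = None if idx == 4 else REGS32[idx]   # index 100 = no index
        if not (base_field == 5 and mod == 0):      # base 101 + mod 00 = disp32 only
            base = REGS32[base_field]
    elif not (rm == 5 and mod == 0):                # rm 101 + mod 00 = disp32 only
        base = REGS32[rm]
    disp = 0
    if mod == 1:
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    elif mod == 2 or base is None:
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    parts = [base] if base else []
    if index:
        parts.append(index if scale == 1 else f"{index}*{scale}")
    if not parts:                                   # absolute address
        return reg, f"[0x{disp & 0xFFFFFFFF:x}]", pos
    if disp:
        parts.append(_imm(disp))
    return reg, "[" + "+".join(parts).replace("+-", "-") + "]", pos


def decode_one(code, pos=0):
    """Decode one instruction at code[pos]; returns (text, length)."""
    start, op = pos, code[pos]
    pos += 1
    if op == 0x90:
        return "nop", 1
    if 0x50 <= op <= 0x5F:
        return f"{'push' if op < 0x58 else 'pop'} {REGS32[op & 7]}", 1
    if op == 0x0F and pos < len(code) and code[pos] == 0xBE:   # movsx r32, r/m8
        reg, rm, pos = _decode_modrm(code, pos + 1)
        if not rm.startswith("["):
            raise ValueError("movsx from an 8-bit register is not handled")
        return f"movsx {REGS32[reg]}, byte {rm}", pos - start
    if op not in (0x01, 0x89, 0x8B, 0x8D, 0x6B, 0xC1, 0x83):
        raise ValueError(f"unsupported opcode 0x{op:02x} at offset {start}")
    reg, rm, pos = _decode_modrm(code, pos)
    if op == 0x8B:
        return f"mov {REGS32[reg]}, {rm}", pos - start
    if op == 0x89:
        return f"mov {rm}, {REGS32[reg]}", pos - start
    if op == 0x01:
        return f"add {rm}, {REGS32[reg]}", pos - start
    if op == 0x8D:
        return f"lea {REGS32[reg]}, {rm}", pos - start
    imm = struct.unpack_from("<b", code, pos)[0]                # 6b / c1 / 83: imm8
    pos += 1
    if op == 0x6B:
        return f"imul {REGS32[reg]}, {rm}, {_imm(imm)}", pos - start
    if op == 0xC1 and reg in (4, 5):
        return f"{'shl' if reg == 4 else 'shr'} {rm}, {imm & 0x1F}", pos - start
    if op == 0x83 and reg == 0:
        return f"add {rm}, {_imm(imm)}", pos - start
    raise ValueError(f"unsupported /{reg} form of opcode 0x{op:02x} at offset {start}")


def disassemble(hex_bytes):
    """Disassemble a run given in the page's notation ("8b55 18 8b82 44020000 ...")."""
    code = bytes.fromhex(hex_bytes.replace(" ", ""))
    out, pos = [], 0
    while pos < len(code):
        text, length = decode_one(code, pos)
        out.append(text)
        pos += length
    return out


if __name__ == "__main__":
    # spell_fetch_id_menu_level: which register does each lea write to?
    for line in disassemble("89c1 8b95 dcfdffff 8d0492 8d0441 6bc9 30 90 90 90 90"):
        print(line)
```

The demo decodes spell_fetch_id_menu_level; the two lea lines come out as lea eax, [edx+edx*4] and lea eax, [ecx+eax*2], so the ID is built in eax while ecx (the copied scene) is what the following imul multiplies. Feeding it the replay hack's 8b43 20 likewise shows the load going through ebx, not eax. The FPU instructions of the alignment hacks below are deliberately not covered.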

Alignment

Spell card alignment (menu)
(spell_align_menu)
Description 106 bytes removed from the original function, awesome! And yes, I insist on shipping 104 (+2) NOPs, because large-scale code destruction is both satisfying and clarifying for other hackers. ☺
Address
v1.02a: 0x443fb0
Code
  8b55 0c                    mov edx, dword ptr ss:[ebp+0xc]
  8b82 44020000              mov eax, dword ptr ds:[edx+0x244]
  d940 34                    fld dword ptr ds:[eax+0x34]
  d848 38                    fmul dword ptr ds:[eax+0x38]
  d835 38534900              fdiv dword ptr ds:[0x495338]
  d840 08                    fadd dword ptr ds:[eax+0x8]
  ff35 b0444c00              push dword ptr ds:[0x4c44b0]  ; spell font
  ff75 18                    push dword ptr ss:[ebp+0x18]
  e8 [GetTextExtentForFont]  call [GetTextExtentForFont]
  d1e8                       shr eax, 1                    ; center alignment
  50                         push eax
  db04e4                     fild dword ptr ss:[esp]
  58                         pop eax
  eb 68                      jmp short +0x68               ; relative to the next instruction: skips the NOP block
  90 (*0x68)                 nop (*0x68)                   ; 104 bytes, so the jump lands right after the patch
Spell card alignment (in-game)
(spell_align)
Description The massive code destruction continues, this time with a whopping 159 bytes removed from the original function.
Address
v1.02a: 0x443e0f
Code
  8b55 0c                    mov edx, dword ptr ss:[ebp+0xc]
  8b82 44020000              mov eax, dword ptr ds:[edx+0x244]
  d940 34                    fld dword ptr ds:[eax+0x34]
  d848 38                    fmul dword ptr ds:[eax+0x38]
  d840 08                    fadd dword ptr ds:[eax+0x8]
  8b5d 18                    mov ebx, dword ptr ss:[ebp+0x18]
  ff35 b0444c00              push dword ptr ds:[0x4c44b0]  ; spell font
  53                         push ebx
  e8 [GetTextExtentForFont]  call [GetTextExtentForFont]
  83c0 04                    add eax, 4
  50                         push eax
  db04e4                     fild dword ptr ss:[esp]
  58                         pop eax
  e9 96000000                jmp +0x96                     ; relative to the next instruction: skips the NOP block
  90 (*0x96)                 nop (*0x96)                   ; 150 bytes, so the jump lands right after the patch
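
Both alignment hacks end in a jmp over a block of NOPs, so before shipping one the two things to verify are the total size and that the jump lands exactly where the NOP block ends: if the NOP count in the byte list disagrees with the displacement, the listing no longer describes what actually gets written. The following Python check is an added example, not code from this page or from thcrap. It assumes that a bracketed [Name] stands for a 4-byte rel32 operand resolved relative to the end of the field (which is what the e8 call in front of it needs), uses the hack's v1.02a address from the page, and a made-up address for GetTextExtentForFont; the byte string is spell_align_menu with its 0x68 NOPs.

```python
"""Layout check for a binhack given in this page's notation.

Added example, not code from the page or from thcrap.  Assumptions: a
bracketed [Name] is a 4-byte rel32 operand resolved relative to the end of
the field (what the preceding e8 call needs), the hack address is the page's
v1.02a one, and the GetTextExtentForFont address is made up."""
import re
import struct

HACK_ADDR = 0x443FB0                                  # spell_align_menu, v1.02a
FUNC_ADDRS = {"GetTextExtentForFont": 0x10001000}     # placeholder, not a real address

# spell_align_menu as listed on the page, followed by 0x68 (104) NOPs of fill
SPELL_ALIGN_MENU = (
    "8b55 0c 8b82 44020000 d940 34 d848 38 d835 38534900 d840 08 "
    "ff35 b0444c00 ff75 18 e8 [GetTextExtentForFont] d1e8 50 db04e4 58 "
    "eb 68 " + "90 " * 104
)

_TOKEN = re.compile(r"\[(\w+)\]|([0-9a-fA-F]{2})")


def assemble(hack, base_addr, funcs):
    """Turn the hex/placeholder string into the bytes that get written."""
    if _TOKEN.sub("", hack).strip():
        raise ValueError("unrecognised text in hack string")
    out = bytearray()
    for name, byte in _TOKEN.findall(hack):
        if byte:
            out.append(int(byte, 16))
        else:
            # rel32 displacement: target minus the address right after the field
            next_ip = base_addr + len(out) + 4
            out += struct.pack("<i", funcs[name] - next_ip)
    return bytes(out)


def split_nop_fill(code):
    """Split off the trailing 0x90 run; returns (body, fill_length)."""
    n = len(code)
    while n and code[n - 1] == 0x90:
        n -= 1
    return code[:n], len(code) - n


def jump_over_fill(code):
    """Decode the jmp that sits directly before the NOP fill.

    Returns (jmp_offset, target_offset), both relative to the patch start, so
    target_offset == len(code) means the jump lands right after the fill."""
    body, _ = split_nop_fill(code)
    if len(body) >= 2 and body[-2] == 0xEB:               # jmp rel8
        rel = struct.unpack_from("<b", body, len(body) - 1)[0]
        return len(body) - 2, len(body) + rel
    if len(body) >= 5 and body[-5] == 0xE9:               # jmp rel32
        rel = struct.unpack_from("<i", body, len(body) - 4)[0]
        return len(body) - 5, len(body) + rel
    raise ValueError("no jmp directly before the NOP fill")


def check_hack(hack, base_addr=HACK_ADDR, funcs=FUNC_ADDRS):
    """Assemble the hack and report its size, fill and where the jmp lands."""
    code = assemble(hack, base_addr, funcs)
    _, fill = split_nop_fill(code)
    jmp_off, target = jump_over_fill(code)
    return {
        "size": len(code),
        "fill": fill,
        "jmp_offset": jmp_off,
        "jmp_target": target,
        "lands_at_end": target == len(code),
    }


if __name__ == "__main__":
    print(check_hack(SPELL_ALIGN_MENU))
    # Drop six NOPs to see how a miscounted byte list shows up in the report.
    print(check_hack(SPELL_ALIGN_MENU[:-18]))
```

The second call in the demo drops six NOPs from the string; the report then shows the jump target six bytes past the end of the patch, which is how a fill that does not match the displacement shows up. The fill detector only looks at the instruction directly in front of the trailing NOP run, so this is a layout check, not a disassembler: the FPU instructions in these hacks are passed through as raw bytes.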

Music Room

Prepare Music Room comment parameter fetching
(music_cmt_prepare)
Description Three breakpoints, one each for track number, line number and string, are just too much. So let's rewrite this to have all of these values in registers in one place.
Address
v1.02a: 0x4515f0
Code
  89c1             mov ecx, eax                     ; we start out with the track number in EAX
  c1e1 09          shl ecx, 9                       ; ECX = track * 0x200 (8 lines of 0x40 bytes per track)
  8d940a 00200000  lea edx, [ecx+edx+0x2000]        ; EDX = track string buffer
  8b4d dc          mov ecx, dword ptr ss:[ebp-0x24] ; ECX = line number
  c1e1 06          shl ecx, 6                       ; ECX = line * 0x40
  01ca             add edx, ecx                     ; EDX += line string offset
  8b4d dc          mov ecx, dword ptr ss:[ebp-0x24] ; ECX = line number (again, for the breakpoint)
  52               push edx                         ; insert breakpoint here
  90 (*7)          nop (*7)

Compatibility

Reset English patch small font size
(unpatch_font_small)
Address
v1.02a: 0x41c7f3
Code
  6a 00            push 0
  6a 1e            push 0x1e
Reset English patch spell scaling thingy
(unpatch_spell_scale)
Description The English patch does something to make spell titles look bad.

This undoes said "something".

Was too lazy to research exactly what this is.
Address
v1.02a: 0x443ded, 0x443f97
Code
  0f               ??   (0f on its own is the escape byte of a two-byte opcode, so the restored instruction cannot be disassembled from this single byte)