Th14/Binary hacks

From Touhou Patch Center

Bugs

Fix buffer overflow in spell name rendering (replace pointer)
(buffer_overflow_spell)
Description: The strcpy is replaced by spell_align; this hack replaces the pointer accordingly.
Address:
  v0.01a  0x47a7a4
  v0.01b  0x47a2f4
  v1.00a  0x47de24
  v1.00b  0x47dd24
Code:
  8b45 20                     mov eax, [ebp+0x20]
  90                          nop
Safe sprintf (short, call)
(sprintf_call)
Address:
  v0.01b  0x47a159, 0x47a379
  v1.00a  0x47dc89, 0x47dea9
  v1.00b  0x47db89, 0x47dda9
Code:
  50                          push eax
  e8 [strings_vsprintf]       call [strings_vsprintf]
  8944e4 34                   mov dword ptr ss:[esp+0x34],eax
Safe sprintf (long, call)
(sprintf_long_call)
Address:
  v1.00b  0x40bb2e, 0x40bdde
Code:
  50                          push eax
  e8 [strings_vsprintf]       call [strings_vsprintf]
  8985 fcfeffff               mov dword ptr ss:[ebp-0x104],eax
Safe sprintf (short, replace pointer)
(sprintf_rep)
Address:
  v0.01b  0x47a1c8, 0x47a40b
  v1.00a  0x47dcf8, 0x47df3b
  v1.00b  0x47dbf8, 0x47de3b
Code:
  8b44e4 28                   mov eax,dword ptr ss:[esp+0x28]
Safe sprintf (long, replace pointer)
(sprintf_long_rep)
Address:
  v1.00b  0x40bb3d, 0x40bded
Code:
  8b                          mov ???,dword ptr ss:[ebp-

Logging

Restore the game's built-in logging
(log_restore)
Description: Very useful for debugging.
Address:
  v0.01b  0x4075d0
  v1.00b  0x4075c0
Code:
  e9 [log_printf]             jmp [log_printf]

Textbox size

Correct text length calculation for the DDC variety of Fairy Wars-style text boxes
(ddc_textbox_size)
Description: In theory, this is the same hack as for th128.

However, th14 starts to use MMX instructions to calculate the size of the text box... and for some reason, thcrap's GetTextExtent clears out the xmm2 register containing the multiplication factor, resulting in a box with "length zero".

After removing that unnecessary strlen(), we end up with plenty of space to read the value for xmm2 back from the original, constant position in memory.

This also leaves space for another fix. In case the text length calculation results in a width smaller than 28 pixels (this happens for example with Hime's "You!"), the original code would create an infinitely long text box, due to the width being treated as unsigned. Thus, we clear out eax in this case.
Address:
  v0.01a  0x431590, 0x4317b0
  v0.01b  0x430b70, 0x430d98
Code:
  53                          push ebx
  e8 [GetTextExtent]          call [GetTextExtent]
  f30f1015 <addr>             movss xmm2,dword ptr ds:[th14.4bead0]
    addr: v0.01a d0ea4b00 / v0.01b b8e64b00 / v1.00a 882e4c00
  83e8 1c                     sub eax,1ch
  73 03                       jae +3
  31c0                        xor eax,eax
  90                          nop
Correct text length calculation for the DDC variety of Fairy Wars-style text boxes
(ddc_textbox_size_full)
Description: Same hack as for the trial, just using xmm1 instead.
Address:
  v1.00a  0x4327f0, 0x4329e7
  v1.00b  0x4327f0, 0x4329e7
Code:
  53                          push ebx
  e8 [GetTextExtent]          call [GetTextExtent]
  f30f100d <addr>             movss xmm1,dword ptr ds:[th14.4c2e88]
    addr: v1.00a 882e4c00 / v1.00b 781a4c00
  83e8 1c                     sub eax,1ch
  73 03                       jae +3
  31c0                        xor eax,eax
  90                          nop
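The unsigned-width failure mode that both text box hacks guard against, as an added model that is not code from the Touhou Patch Center page or from thcrap: it emulates the 32-bit `sub eax,1ch` with its carry flag and shows why the unpatched difference becomes a huge unsigned value for strings narrower than 28 pixels, while the `jae +3 / xor eax,eax` pair clamps it to zero. The input widths are constructed sample values; the page names Hime's "You!" as a real case, without giving its pixel width.

```python
# Added example (not from the page or thcrap). Models the width arithmetic of
# ddc_textbox_size on a 32-bit register, including the carry flag that the
# hack's jae tests. Sample widths below are constructed.
MASK32 = 0xFFFFFFFF
MIN_WIDTH = 0x1C  # the 28-pixel threshold subtracted by "sub eax,1ch"

def sub32(a: int, b: int):
    """Emulate 'sub eax, imm32': (result mod 2**32, carry flag).
    CF is set when an unsigned borrow occurs, i.e. when a < b."""
    return (a - b) & MASK32, a < b

def original_width(text_width: int) -> int:
    """Unpatched behaviour as the page describes it: the difference is used as an
    unsigned value, so a narrow string wraps around to a near-4-billion width."""
    result, _cf = sub32(text_width, MIN_WIDTH)
    return result

def patched_width(text_width: int) -> int:
    """The hack: sub eax,1ch ; jae +3 ; xor eax,eax.
    jae (jump if CF == 0) skips the xor when no borrow happened; otherwise
    eax is cleared, so the box gets width 0 instead of wrapping."""
    result, cf = sub32(text_width, MIN_WIDTH)
    if cf:
        result = 0
    return result

if __name__ == "__main__":
    for w in (20, 28, 100):  # constructed widths in pixels
        print(f"width {w:3d}: original={original_width(w):#010x} patched={patched_width(w)}")
```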

Spells

Prepare deferred spell name fetching
(spell_name_fetch)
Address:
  v0.01a  0x41cc0b
  v0.01b  0x41cd7b
  v1.00a  0x41cefb
  v1.00b  0x41cefb
Code:
  8b4d 0c                     mov ecx, dword ptr ss:[ebp+0c]
  51                          push ecx                       ; insert breakpoint here
  31c9                        xor ecx, ecx
  51                          push ecx
  51                          push ecx
  51                          push ecx
Spell card alignment
(spell_align)
Description: Kill the strcpy (buffer overflow) and strlen, shift up/optimize part of the original code (because less code is always better), and fudge around so that it looks nice. Fairly straightforward.
Address:
  v0.01a  0x47a6f2
  v0.01b  0x47a242
  v1.00a  0x47dd72
  v1.00b  0x47dc72
Code:
  8b45 1c                     mov eax, dword ptr ss:[ebp+1c]
  8d1c00                      lea ebx, [eax+eax]
  8b46 1c                     mov eax, dword ptr ds:[esi+1c]
  c1e8 0b                     shr eax, 0b
  83e0 01                     and eax, 00000001
  8944e4 14                   mov dword ptr ss:[esp+14], eax
  ff35 <addr>                 push dword ptr ds:[th14.font_spell] ; spell font
    addr: v0.01a 3c8f4f00 / v0.01b 209d4f00 / v1.00a fcf54f00 / v1.00b 1cd64f00
  ff75 20                     push dword ptr ss:[ebp+20]
  e8 [GetTextExtentForFont]   call [GetTextExtentForFont]
  83c0 08                     add eax, 8
  d1e0                        shl eax, 1
  8b56 2c                     mov edx, dword ptr ds:[esi+2c]
  eb 1e                       jmp short +0x1e
  90 90 90 90 90 90 90 90     nop (*0x1e)
  90 90 90 90 90 90 90 90
  90 90 90 90 90 90 90 90
  90 90 90 90 90 90

Player data

Remove spell "alignment" in the result screen
(result_spell_align)
Description: For some reason, ZUN feels the need to do some alignment calculations based on the string length. Why.
Address:
  v0.01b  0x47a3ac
  v1.00a  0x47dedc
  v1.00b  0x47dddc
Code:
  8944e4 14                   mov dword ptr ss:[esp+0x14], eax
  8b43 08                     mov eax,dword ptr ds:[ebx+8]
  31d2                        xor edx,edx
  eb 19                       jmp short +0x19
  90 90 90 90 90              nop (*0x19)
  90 90 90 90 90
  90 90 90 90 90
  90 90 90 90 90
  90 90 90 90 90

Music Room

Prepare music room title fetching
(music_title_prepare)
Description: Oh no, a constant memory address. -.-
Address:
  v1.00b  0x46235d
Code:
  8b4ce4 1c                   mov ecx,dword ptr ss:[esp+0x1c]
  51                          push ecx                          ; insert breakpoint here
  31c0                        xor eax,eax                       ; eax = theme number
  50                          push eax                          ; ecx = theme string
  50                          push eax
  50                          push eax
  50                          push eax
  68 ffffff00                 push 0xffffff
  56                          push esi
  ff35 cc564f00               push dword ptr ds:[th14.0x4f56cc]
  90                          nop

Workaround for the broken update notification functionality in 2014-01-03

Update notification for 2014-01-03 (jump)
(thcrap_migrate_jump)
Address:
  v1.00b  Rx87453
Code:
  e9 599b0200                 jmp th14.004b0fb1
Update notification for 2014-01-03 (check and message)
(thcrap_migrate_msg)
Address:
  v1.00b  Rxb0f3c
Code:
  41206e65772076657273696f6e2028323031342d30312d32372920    "A new version (2014-01-27) "
  6f662074686520257320697320617661696c61626c652e0a          "of the %s is available.\n"
  0a                                                        "\n"
  49742063616e20626520646f776e6c6f616465642066726f6d0a      "It can be downloaded from\n"
  0a                                                        "\n"
  09687474703a2f2f746870617463682e6e65742f                  "\thttp://thpatch.net/"
  50726f6a6563743a446f776e6c6f616400                        "Project:Download"
  00

  e8 [PROJECT_VERSION]        call [PROJECT_VERSION]
  3d 27011420                 cmp eax, 0x20140127
  7d 17                       jge short +17
  e8 [PROJECT_NAME]           call [PROJECT_NAME]
  50                          push eax
  68 3c0f4b00                 push th14.004b0f3c
  6a 40                       push 40
  6a 00                       push 0
  e8 [log_mboxf]              call [log_mboxf]
  83c4 10                     add esp, 10
                              ; Original code below
  e8 6d1cfeff                 call th14.00492c46
  e9 7a64fdff                 jmp th14.00487458
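The byte templates on this page follow one convention: plain hex groups are copied verbatim, a `[symbol]` placeholder after an `e8`/`e9` opcode stands for the 4-byte rel32 displacement to a thcrap function, and immediates and addresses are little-endian. The following resolver, written here as an added example and not code from the Touhou Patch Center page or from thcrap, expands such a template for a given patch address, decodes rel32 targets and `cmp eax, imm32` immediates, and checks that a short jump skips exactly the padding behind it. It verifies, from values the page itself lists, that the thcrap_migrate_jump displacement lands on 0x4b0fb1, that this is exactly where the embedded strings of thcrap_migrate_msg end, and that the two trailing instructions of that hack reach 0x492c46 and 0x487458. The symbol addresses in SYMBOLS are constructed; thcrap resolves the real ones at run time.

```python
# Added example (not from the page or thcrap): resolver and checker for the
# "hex bytes + [symbol]" templates used in these binary hacks.
import re
import struct

# Constructed symbol table for illustration only; these are NOT real addresses.
SYMBOLS = {
    "strings_vsprintf": 0x10001000,  # constructed
    "log_printf": 0x10002000,        # constructed
}

# The string rows of thcrap_migrate_msg, copied from the page.
MIGRATE_MSG_STRINGS = [
    "41206e65772076657273696f6e2028323031342d30312d32372920",
    "6f662074686520257320697320617661696c61626c652e0a",
    "0a",
    "49742063616e20626520646f776e6c6f616465642066726f6d0a",
    "0a",
    "09687474703a2f2f746870617463682e6e65742f",
    "50726f6a6563743a446f776e6c6f616400",
    "00",
]

def rel32(insn_addr: int, target: int, insn_len: int = 5) -> bytes:
    """Encode the rel32 operand of an e8 (call) or e9 (jmp) located at insn_addr."""
    return struct.pack("<i", target - (insn_addr + insn_len))

def rel32_target(insn_addr: int, disp: bytes, insn_len: int = 5) -> int:
    """Decode where an e8/e9 at insn_addr with displacement bytes `disp` lands."""
    return insn_addr + insn_len + struct.unpack("<i", disp)[0]

def resolve(template: str, address: int, symbols: dict = SYMBOLS) -> bytes:
    """Expand a page-style template ("50 e8 [strings_vsprintf] 8944e4 34") into
    raw bytes for a patch whose first byte lands at `address`."""
    out = bytearray()
    for tok in template.split():
        m = re.fullmatch(r"\[(\w+)\]", tok)
        if m is None:
            out += bytes.fromhex(tok)
            continue
        if not out or out[-1] not in (0xE8, 0xE9):
            raise ValueError(f"{tok} must directly follow an e8/e9 opcode byte")
        insn_addr = address + len(out) - 1  # address of that opcode byte
        out += rel32(insn_addr, symbols[m.group(1)])
    return bytes(out)

def short_jump_skip(jump: bytes) -> int:
    """Bytes skipped by a 2-byte short jump such as 'eb 1e' or '73 03'."""
    return struct.unpack("<b", jump[1:2])[0]

def jump_matches_padding(jump_hex: str, padding_hex: str) -> bool:
    """True if the short jump skips exactly the bytes listed after it."""
    return short_jump_skip(bytes.fromhex(jump_hex)) == len(bytes.fromhex(padding_hex))

def cmp_eax_imm32(b: bytes) -> int:
    """Decode '3d imm32' (cmp eax, imm32); on this page the immediate is a date."""
    if b[0] != 0x3D:
        raise ValueError("not a cmp eax, imm32")
    return struct.unpack("<I", b[1:5])[0]

def migrate_jump_target() -> int:
    """thcrap_migrate_jump: 'e9 599b0200' at th14 v1.00b 0x487453 (page values)."""
    return rel32_target(0x487453, bytes.fromhex("599b0200"))

def migrate_msg_code_start(base: int = 0x4B0F3C) -> int:
    """First code byte of thcrap_migrate_msg: right after its embedded strings."""
    return base + sum(len(bytes.fromhex(row)) for row in MIGRATE_MSG_STRINGS)

def migrate_msg_tail_targets() -> tuple:
    """Targets of the two original-code instructions that end thcrap_migrate_msg.
    Offset 0x23 is the size of the ten instructions before them (5+5+2+5+1+5+2+2+5+3)."""
    call_addr = migrate_msg_code_start() + 0x23
    call_target = rel32_target(call_addr, bytes.fromhex("6d1cfeff"))
    jmp_target = rel32_target(call_addr + 5, bytes.fromhex("7a64fdff"))
    return call_target, jmp_target

if __name__ == "__main__":
    print(resolve("50 e8 [strings_vsprintf] 8944e4 34", 0x47DB89).hex(" "))
    print(hex(migrate_jump_target()), hex(migrate_msg_code_start()))
    print(tuple(map(hex, migrate_msg_tail_targets())))
    print(hex(cmp_eax_imm32(bytes.fromhex("3d27011420"))))
```

Running it shows the same chain the page relies on: the jump placed at Rx87453 lands precisely on the first instruction behind the message strings, and the hack's final `call`/`jmp` return control to the original 0x492c46 / 0x487458 that the disassembly names.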