User:32th System/SA Replay Info Collection

From Touhou Patch Center
Jump to: navigation, search

Replay header


Address Type Name Description
0x00 int magic_number "t11r"
0x04 short check Must be 4, otherwise the replay is invalid
0x0c int user_offset Offset at which the plain text user data is located. The magic number for user data is "USER"
0x1c int replay_size Size of the replay data not including header or user information

Finding replay loading code

These steps should also be possible with any other Touhou game. If saving a replay twice results in a completely different replay (like it's the case in Icon th10.png Mountain of Faith) this exact method will not work

  • Save 2 of the exact same replay with a different name
  • Make sure that there are only a few bytes that differ in your replays
  • In one of the replays, edit a byte that is different from the other
  • Enter the replay menu, your game should crash! If it does, enter the replay menu again, this time run the game with a debugger
  • The address at which the game crashes should be in the replay loading function

Alternative method that worked in Icon th10.png Mountain of Faith

  • Put a breakpoint on WriteFile
  • Save a replay
  • When you hit this breakpoint, look on the stack to find the function that called WriteFile. This is the replay saving function
  • Right below it should be the the replay loading function

What I know about decryption so far

Start at replay start + offset after decrypting a byte with initial key AA, add a number specified by function argument decrypt_adder (argument 3 of function Rx581c0), go 2 bytes before the byte just decrypted and repeat until the variable/register (in this case eax) with initial value offset/2 that gets decremented every loop is 0