Th095/Binary hacks

From Touhou Patch Center

Bugs

Fix buffer overflow in menu spell name rendering (replace pointer)
(overflow_spell_menu_rep)
Address: v1.02a 0x44406b
Code:
8b55 18
Disassembly:
mov edx, [ebp+0x18]

Fix buffer overflow in in-game spell name rendering (replace pointer)
(overflow_spell_ingame_rep)
Address: v1.02a 0x443ef7
Code:
53
90 90 90 90 90 90
Disassembly:
push ebx
nop (*6)

Spells

Spell ID fetching

In this game, this needs to be done separately for every menu cursor move.

One assignment optimization, and we end up with more than enough space to calculate the spell ID in the same manner as th125 does on its own.

menu_entry, menu_scene and menu_level differ only in the registers used; replay needs to take a slightly different approach.

Fetch spell card number (menu entry)
(spell_fetch_id_menu_entry)
Address: v1.02a 0x44897a
Code:
89d0
8b8d f4feffff
8d1489
8d1450
6bc0 30
90 90 90 90
Disassembly:
mov eax, edx                      ; edx = scene
mov ecx, dword ptr ss:[ebp-0x10c] ; ecx = level
lea edx, [ecx*4+ecx]              ; edx = level*5
lea edx, [edx*2+eax]              ; edx = level*10 + scene = spell ID
imul eax, eax, 0x30               ; insert breakpoint here
nop (*4)

Fetch spell card number (level switch)
(spell_fetch_id_menu_level)
Address: v1.02a 0x449ee6
Code:
89c1
8b95 dcfdffff
8d0492
8d0441
6bc9 30
90 90 90 90
Disassembly:
mov ecx, eax                      ; ecx = scene
mov edx, dword ptr ss:[ebp-0x224] ; edx = level
lea eax, [edx*4+edx]              ; eax = level*5
lea eax, [eax*2+ecx]              ; eax = level*10 + scene = spell ID (8d0441 writes EAX)
imul ecx, ecx, 0x30               ; insert breakpoint here
nop (*4)

Fetch spell card number (scene switch)
(spell_fetch_id_menu_scene)
Address: v1.02a 0x44a965
Code:
89ca
8b85 40fdffff
8d0c80
8d0c4a
6bd2 30
90 90 90 90
Disassembly:
mov edx, ecx                      ; edx = scene
mov eax, dword ptr ss:[ebp-0x2c0] ; eax = level
lea ecx, [eax*4+eax]              ; ecx = level*5
lea ecx, [ecx*2+edx]              ; ecx = level*10 + scene = spell ID
imul edx, edx, 0x30               ; insert breakpoint here
nop (*4)

Fetch spell card number (replay)
(spell_fetch_id_menu_replay)
Address: v1.02a 0x434474
Code:
8b5d ec
8b43 20
0fbe48 02
0fbe50 03
8d1c89
8d1c5a
Disassembly:
mov ebx, dword ptr ss:[ebp-0x14]
mov eax, dword ptr ds:[ebx+0x20]  ; 8b43 20 reads through EBX, not EAX
movsx ecx, byte ptr ds:[eax+0x2]
movsx edx, byte ptr ds:[eax+0x3]
lea ebx, [ecx*4+ecx]              ; ebx = ecx*5
lea ebx, [ebx*2+edx]              ; ebx = ecx*10 + edx, same formula as the menu variants
; insert breakpoint here

Alignment

Spell card alignment (menu)
(spell_align_menu)
Description: 106 bytes removed from the original function, awesome! And yes, I insist on shipping 104 (+2) NOPs, because large-scale code destruction is both satisfying and clarifying for other hackers. ☺
Address: v1.02a 0x443fb0
Code:
8b55 0c
8b82 44020000
d940 34
d848 38
d835 38534900
d840 08
ff35 b0444c00
ff75 18
e8 [GetTextExtentForFont]
d1e8
50
db04e4
58
eb 68
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90
Disassembly:
mov edx, dword ptr ss:[ebp+0x0c]
mov eax, dword ptr ds:[edx+0x244]
fld dword ptr ds:[eax+0x34]
fmul dword ptr ds:[eax+0x38]
fdiv dword ptr ds:[th095.0x495338]
fadd dword ptr ds:[eax+0x8]
push dword ptr ds:[th095.0x4c44b0] ; spell font
push dword ptr ss:[ebp+0x18]
call [GetTextExtentForFont]
shr eax, 1                         ; center alignment
push eax
fild dword ptr ss:[esp]
pop eax
jmp short +0x68                    ; skip the NOP sled below
nop (*0x68)

Spell card alignment (in-game)
(spell_align)
Description: The massive code destruction continues, this time with a whopping 159 bytes removed from the original function.
Address: v1.02a 0x443e0f
Code:
8b55 0c
8b82 44020000
d940 34
d848 38
d840 08
8b5d 18
ff35 b0444c00
53
e8 [GetTextExtentForFont]
83c0 04
50
db04e4
58
e9 96000000
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90
Disassembly:
mov edx, dword ptr ss:[ebp+0x0c]
mov eax, dword ptr ds:[edx+0x244]
fld dword ptr ds:[eax+0x34]
fmul dword ptr ds:[eax+0x38]
fadd dword ptr ds:[eax+0x8]
mov ebx, dword ptr ss:[ebp+0x18]
push dword ptr ds:[th095.0x4c44b0] ; spell font
push ebx
call [GetTextExtentForFont]
add eax, 4
push eax
fild dword ptr ss:[esp]
pop eax
jmp +0x96                          ; skip the NOP sled below
nop (*0x96)
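Both alignment hacks replace a function body with a short code stub, a jmp and a NOP sled, and the description above spells out the invariant that makes this safe: the jmp displacement must equal the number of NOPs shipped (104 for "eb 68"), otherwise the patched function lands mid-sled or past the end of the hack. The following helper is an added example, not code from thcrap or from this page; it parses the byte notation used in the Code cells above (it assumes a "[Symbol]" placeholder stands for a 4-byte address filled in by the patcher) and checks that invariant, using the spell_align_menu bytes listed above with the sled regenerated at the stated length.

```python
import re

# Byte notation used in the Code cells on this page: whitespace-separated runs
# of hex byte pairs, plus "[Symbol]" for a 4-byte address the patcher fills in
# (assumed here: the rel32 of "e8 [GetTextExtentForFont]").
_TOKEN = re.compile(r"\[[^\]]+\]|[0-9a-fA-F]+")

def parse_hack_bytes(code: str) -> list:
    """Expand the notation into a list of byte values; each "[Symbol]"
    becomes four None entries because only its length matters here."""
    out = []
    for tok in _TOKEN.findall(code):
        if tok.startswith("["):
            out.extend([None] * 4)
        else:
            if len(tok) % 2:
                raise ValueError(f"odd-length hex run: {tok}")
            out.extend(int(tok[i:i + 2], 16) for i in range(0, len(tok), 2))
    return out

def jump_and_sled(code: str) -> tuple:
    """Return (jmp displacement, NOP sled length) for a hack that ends with
    'eb rel8' or 'e9 rel32' followed by 90s; rel8/rel32 are sign-extended."""
    b = parse_hack_bytes(code)
    sled = 0
    while sled < len(b) and b[-1 - sled] == 0x90:
        sled += 1
    body = b[:len(b) - sled]
    if len(body) >= 2 and body[-2] == 0xEB:
        disp = body[-1] - 0x100 if body[-1] >= 0x80 else body[-1]
    elif len(body) >= 5 and body[-5] == 0xE9:
        disp = int.from_bytes(bytes(body[-4:]), "little", signed=True)
    else:
        raise ValueError("hack does not end in jmp + NOP sled")
    return disp, sled

def sled_is_consistent(code: str) -> bool:
    """True when the jmp lands exactly past the NOPs the hack ships, i.e. the
    displacement equals the sled length (104 for 'eb 68')."""
    disp, sled = jump_and_sled(code)
    return disp == sled

# spell_align_menu as listed above: 47 bytes of code, then the 104-NOP sled
# regenerated from the stated count (constructed from the page's listing).
SPELL_ALIGN_MENU = (
    "8b55 0c 8b82 44020000 d940 34 d848 38 d835 38534900 d840 08 "
    "ff35 b0444c00 ff75 18 e8 [GetTextExtentForFont] d1e8 50 db04e4 58 eb 68 "
    + " ".join(["90"] * 0x68)
)
```

Dropping a single NOP from the sled, or changing the displacement, flips sled_is_consistent to False, which is the check worth running before shipping a hack of this shape.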

Music Room

Prepare Music Room comment parameter fetching
(music_cmt_prepare)
Description: Three breakpoints, one for track number, line number and string each, are just too much. So let's rewrite this to have all of these values in registers at one place.
Address: v1.02a 0x4515f0
Code:
89c1
c1e1 09
8d940a 00200000
8b4d dc
c1e1 06
01ca
8b4d dc
52
90 90 90 90 90 90 90
Disassembly:
mov ecx, eax                     ; We start out with the track number in EAX
shl ecx, 9                       ; ECX = track * 0x200
lea edx, [ecx+edx+0x2000]        ; EDX = track string buffer
mov ecx, dword ptr ss:[ebp-0x24] ; ECX = line number
shl ecx, 6                       ; ECX = line * 0x40
add edx, ecx                     ; EDX += line string offset
mov ecx, dword ptr ss:[ebp-0x24] ; ECX = line number (again, for breakpoint)
push edx                         ; insert breakpoint here
nop (*7)

Compatibility

Reset English patch small font size
(unpatch_font_small)
Address: v1.02a 0x41c7f3
Code:
6a 00
6a 1e
Disassembly:
push 0
push 0x1e

Reset English patch spell scaling thingy
(unpatch_spell_scale)
Description: The English patch does something to make spell titles look bad.
This undoes said "something".
Was too lazy to research exactly what this is.
Address: v1.02a 0x443ded, 0x443f97
Code:
0f
Disassembly:
??