Author Topic: Asm guys, help me out  (Read 423 times)
D
Guest
« on: October 26, 2006, 12:09:39 pm »

Code:
004A6EA8                           L004A6EA8:
 004A6EA8  33D2                      xor edx,edx
 004A6EAA  8A1518344B00              mov dl,[L004B3418]
 004A6EB0  0315E4774B00              add edx,[L004B77E4]
 004A6EB6  33C9                      xor ecx,ecx
 004A6EB8  8A0DE1774B00              mov cl,[L004B77E1]
 004A6EBE  03D1                      add edx,ecx
 004A6EC0  33C9                      xor ecx,ecx
 004A6EC2  8A0E                      mov cl,[esi]
 004A6EC4  0FAFC8                    imul ecx,eax
 004A6EC7  8D0C49                    lea ecx,[ecx+ecx*2]
 004A6ECA  03D1                      add edx,ecx
 004A6ECC  33C9                      xor ecx,ecx
 004A6ECE  8A0DE0774B00              mov cl,[L004B77E0]
 004A6ED4  03D1                      add edx,ecx
 004A6ED6  8915E4774B00              mov [L004B77E4],edx
 004A6EDC  40                        inc eax
 004A6EDD  46                        inc esi
 004A6EDE  83F838                    cmp eax,00000038h
 004A6EE1  75C5                      jnz L004A6EA8
 004A6EE3  A1A4774B00                mov eax,[L004B77A4]
 004A6EE8  3B05E4774B00              cmp eax,[L004B77E4]
 004A6EEE  0F844D010000              jz L004A7041
 004A6EF4  6A10                      push 00000010h
 004A6EF6  6830764A00                push SSZ004A7630_Mystic_Balloon
 004A6EFB  68C4764A00                push SSZ004A76C4_Corrupt_game_record_found__Repla
 004A6F00  6A00                      push 00000000h
 004A6F02  E8C105F6FF                call jmp_user32.dll!MessageBoxA
 004A6F07  C60518344B0003            mov byte ptr [L004B3418],03h
 004A6F0E  B838000000                mov eax,00000038h
 004A6F13  BEA8774B00                mov esi,L004B77A8

How do I hack this to make it always validate instead of going down the Corrupt_game_record msgbox path?
D
Guest
« Reply #1 on: October 26, 2006, 12:18:25 pm »

Never mind. I realized right after this post I needed to NOP the last CMP. It works now.
danke
Guest
« Reply #2 on: October 26, 2006, 12:48:51 pm »

03 unlocked : A800
00 cleared
      38 (default value)

Beating 1 level.
07 unlocked : C001
01 cleared   
      +3B
07 unlocked : FB01
02 cleared
      +3E
07 unlocked : 3902
03 cleared
      +41
07 unlocked : 7A02
04 cleared
      +44
07 unlocked : BE02
05 cleared
      +47
07 unlocked : 0503
06 cleared
      +4A
07 unlocked : 4F03
07 cleared
      +4D
07 unlocked : 9C03
08 cleared

...................

0B unlocked : 9E03
05 cleared   
      +47
0B unlocked : E503
06 cleared

Basically, the initial 38 is x, so x = x + 3, or x = (stages cleared * 3) + 38
The second byte of the checksum seems to be (levels unlocked)/2, rounded down to the nearest integer.
« Last Edit: October 26, 2006, 12:54:15 pm by danke »
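As an added example (not from any poster), the checksum loop at 004A6EA8 from the first post transcribed into Python and checked against the table above. The roles of esi, eax, [L004B77E4] and [L004B3418] are read off the listing; that [L004B77E1] holds the stages-cleared count, [L004B77E0] is 0, and a cleared stage is a 1 byte in the record are assumptions that happen to reproduce every value danke posted.

```python
# Added example, not from any poster: the checksum loop at 004A6EA8 in the
# first post, transcribed into Python and checked against danke's table.
# Roles read off the listing: esi walks the 0x38-byte record at L004B77A8
# with eax as the index, [L004B77E4] holds the running dword total, and
# [L004B3418] is the byte the failure path resets to 03 (levels unlocked).
# Assumption: [L004B77E1] is the stages-cleared count and [L004B77E0] is 0;
# this reproduces every value in the table but is not confirmed by the game.
RECORD_LEN = 0x38                       # cmp eax,00000038h
MASK = 0xFFFFFFFF                       # 32-bit register wrap

def record_checksum(record, b3418, b77e0, b77e1, total=0, start=0):
    """Run the loop once and return the dword left in [L004B77E4].

    total and start are the values of [L004B77E4] and eax on entry;
    both are assumed 0 for a fresh check (the listing starts mid-routine).
    """
    for i in range(start, RECORD_LEN):
        edx = b3418                     # xor edx,edx / mov dl,[L004B3418]
        edx = (edx + total) & MASK      # add edx,[L004B77E4]
        edx = (edx + b77e1) & MASK      # mov cl,[L004B77E1] / add edx,ecx
        ecx = (record[i] * i) & MASK    # mov cl,[esi] / imul ecx,eax
        ecx = (ecx * 3) & MASK          # lea ecx,[ecx+ecx*2]
        edx = (edx + ecx) & MASK        # add edx,ecx
        edx = (edx + b77e0) & MASK      # mov cl,[L004B77E0] / add edx,ecx
        total = edx                     # mov [L004B77E4],edx
    return total

def record_is_valid(record, stored, b3418, b77e0, b77e1):
    """mov eax,[L004B77A4] / cmp eax,[L004B77E4] / jz L004A7041."""
    return stored == record_checksum(record, b3418, b77e0, b77e1)

def sample_record(cleared):
    """Constructed record: a 1 byte at index i marks stage i cleared.
    This layout is an assumption chosen to match danke's observations."""
    rec = bytearray(RECORD_LEN)
    for i in range(cleared):
        rec[i] = 1
    return bytes(rec)

def le16(word):
    """Low 16 bits as the little-endian byte pair danke wrote (0x1C0 -> 'C001')."""
    return "%02X%02X" % (word & 0xFF, (word >> 8) & 0xFF)

if __name__ == "__main__":
    # default record, 3 unlocked, nothing cleared: table says A800
    print(le16(record_checksum(sample_record(0), 3, 0, 0)))
```

Under these assumptions the loop reduces to 0x38 * (unlocked + cleared) + 3 * (sum of cleared stage indices), which is where the "+3 per stage" steps in the table come from. The total depends only on the record and two counters, so it detects accidental corruption but not deliberate edits made together with a recomputed checksum.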
byuu
Guest
« Reply #3 on: October 27, 2006, 06:14:28 pm »

Quote
Never mind. I realized right after this post I needed to NOP the last CMP. It works now.

Just to be safe, you might want to leave the CMP alone (or NOP it, whatever, I usually modify the least amount of bytes possible in my hacks) and force the final branch to always occur. I'll admit to not being very well versed with which x86 opcodes set which flags, but one of the above opcodes might clear the zero flag causing the test to "randomly" fail on you if you only disable the CMP opcode. Or maybe not, but just in case:

Code:
004A6EEE  0F844D010000                jz  L004A7041

->

Code:
004A6EEE  E96D4D010000                jmp L004A7041

I *might* be wrong with 0f 84 -> e9 6d ... I used nasm and assembled similar code to get that, but it should be correct. Let me know if it isn't.

EDIT: actually, yeah. In this case, you're ok. The first loop will end with the zero flag set, and the mov opcode does not change the flags (at least not zero), so the next jz opcode will always pass.
At any rate, it's better to use code like the above than to disable CMPs, unless you want to examine the opcodes executed prior to make sure your conditional flag is always set the way you need it to be so you don't get random failures.
« Last Edit: October 27, 2006, 06:20:02 pm by byuu »