 Post subject: Assembly Debugging of MKX, findings.
 Post Posted: Mon Jun 27, 2016 5:53 pm 

Joined: Fri Jan 17, 2014 12:08 pm
Posts: 1211
Location: Earthrealm
Skype: thethiny (Steam)
Side: Light
PSN: thethiny
XBox Live: thethiny
I was researching the idea of an alternative to the DLC Manager, which is to swap the files to support legit Steam users and more than 11 skins per character. Well, first of all, custom player loading didn't work (force a player) because it keeps on looping forever and forever (security measures to prevent modders like me from debugging, lol). Second of all, I couldn't bypass the 11 skins limit because of the same issue mentioned.

Anyways, here's the documentation:
find the address that writes the current play
IF the current address holds what the user asked for, replace it with the
file he wants changed.

The game loads first and last costumes when highlighting a char.
Check if it loads past 11

What writes to that area:
7FF93F36C89C - 49 8B C8  - mov rcx,r8
7FF93F367251 - 41 88 03  - mov [r11],al
7FF93F36726A - 41 88 1B  - mov [r11],bl

The character to load is stored at r8+r11
r11 stores the character loaded.
So we must modify r8+r11 at breakpoint of r11.

r11 currently has A2BB0F9C13
r8 has 923
I must know where r11 gets its value from. (R11 changes every run, R8 has the same value at instruction call)

Okay so the values are actually obtained from a different area (This area has and the area mentioned above has the .uncompressed value)
7FF93F367251 - 41 88 03  - mov [r11],al ;al has a character

Instruction addresses didn't change when runs changed.

In order to do a patcher, we need to access where [r11] is pointing when we
select a character, then we go to that location and check
"if string matches our string, change it to load a custom file".

The order of operation is:
mov al,[r8+r11] ; This copies the file to load letter by letter into AL.
mov [r11],al ; This copies the letter into the location in memory known currently as [r11]
inc r11; r11 is incremented by 1 so it goes to the next character.
The rest are commands to repeat for every letter.

Our goal here is to modify the content of [r8+r11] to suit our needs.

All readings happen at A2BB0FA55E+3

The value it takes is from R8+r11 when R8 is 920
We need to change this value, if it affects the chosen character, then we found
our goal, if it doesn't, then that means that we still need to find out what
gives this value its string.

Update 2:
7FF714F3CA95 - 0F29 41 80  - movaps [rcx-80],xmm0 ; It gets the string from xmm0 to load and it puts it into rcx-80
;xmm0 ~ xmm7 are floating point registers that are 128-bit and can store strings, they're SSE registers.
Our value is stored at xmm0 at this exact second :D

Our Address is:
MK10.exe+138CA95 - 0F29 41 80            - movaps [rcx-80],xmm0
MK10.exe+138CA99 - 0F28 42 A0            - movaps xmm0,[rdx-60]
MK10.exe+138CA9D - 0F29 49 90            - movaps [rcx-70],xmm1
MK10.exe+138CAA1 - 0F28 4A B0            - movaps xmm1,[rdx-50]
MK10.exe+138CAA5 - 0F29 41 A0            - movaps [rcx-60],xmm0
MK10.exe+138CAA9 - 0F28 42 C0            - movaps xmm0,[rdx-40]
MK10.exe+138CAAD - 0F29 49 B0            - movaps [rcx-50],xmm1
MK10.exe+138CAB1 - 0F28 4A D0            - movaps xmm1,[rdx-30]
MK10.exe+138CAB5 - 0F29 41 C0            - movaps [rcx-40],xmm0
MK10.exe+138CAB9 - 0F28 42 E0            - movaps xmm0,[rdx-20]
MK10.exe+138CABD - 0F29 49 D0            - movaps [rcx-30],xmm1
MK10.exe+138CAC1 - 0F28 4A F0            - movaps xmm1,[rdx-10]
MK10.exe+138CAC5 - 0F29 41 E0            - movaps [rcx-20],xmm0
MK10.exe+138CAC9 - 0F29 49 F0            - movaps [rcx-10],xmm1

Write the value to load into [RCX-80] from xmm0 (..\Asset\CHAR_XX)
Write into xmm0 [RDX-60] (In case there are more letters)
Write the value to load into [RCX-70] from xmm1 (
write into xmm1 [RDX-50] (In case there are more letters)
This goes all the way until [RCX-10], so the maximum length is 32*8 characters with path.

The first values of xmm0 and xmm1 are:
MK10.exe+138CA80 - 0F28 02               - movaps xmm0,[rdx]
MK10.exe+138CA83 - 0F28 4A 10            - movaps xmm1,[rdx+10]
Which are @AAE80FCBB0 (unsure if changes or not)
These values are also gotten from [r8+r11] which points to almost the end of the file

Then RCX and RDX change
MK10.exe+138CA87 - 48 8D 89 80000000     - lea rcx,[rcx+00000080] : (float)0.1347
MK10.exe+138CA8E - 48 8D 92 80000000     - lea rdx,[rdx+00000080] : (float)0.1347

The game reads the string to load from the TOC by using the xmm0 and xmm1 registers, they are then transferred into a location in the memory 16 chars by 16 (maximum 16*8). Then this process is done like 23~29 times for unknown reasons, and it keeps on storing it in the memory and reading it later. I believe it is because it reads that CHAR file and then it reads the contents which has the same value and stores it for later use. Dunno.

Under the US Copyright Law, I am given full ownership of anything I create or do, hence I own ownership of my mods. I hereby give these mods for FREE to anyone who is willing to download them for any purpose under the condition that they do not try to sell them or gain benefits in any way, and if they're going to upload a video or showcase them, they MUST provide a download link to this mod (hence the term Free). Credit not necessary but don't claim as your own or somebody else's.
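To make the copy-and-swap sequence the post describes concrete, here is an added C model (not the poster's code and not taken from the game): it stages a constructed path the way the byte loop (mov al,[r8+r11] / mov [r11],al / inc r11) and the movaps blocks do, then applies the "if string matches our string, change it" rule, with a bound check so a substituted path can never exceed the 128-byte (16*8) area the post measured. The buffer sizes and the sample path "..\Asset\CHAR_XX" are assumptions based on the post, not real TOC entries.

```c
#include <stdint.h>
#include <string.h>

/* Staging area as the post describes it: 8 movaps blocks of 16 bytes,
 * [rdx]..[rdx-10] copied into [rcx-80]..[rcx-10]. Sizes assumed from the post. */
#define BLOCK 16
#define NBLOCKS 8
#define STAGE_MAX (BLOCK * NBLOCKS)            /* 128 bytes */

/* The byte loop (mov al,[r8+r11] / mov [r11],al / inc r11): src plays
 * [r8+r11], dst plays [r11]. Returns bytes copied incl. NUL, or -1 if the
 * path would overrun dst (the game's own loop has no such bound check). */
int copy_path_bytewise(const char *src, char *dst, size_t dst_len) {
    size_t n = strlen(src) + 1;
    if (n > dst_len) return -1;
    for (size_t i = 0; i < n; i++) dst[i] = src[i];   /* one pass = al */
    return (int)n;
}

/* The movaps pairs: move the staged bytes 16 at a time, 8 times over. */
void copy_blocks(const uint8_t *rdx, uint8_t *rcx) {
    for (int b = 0; b < NBLOCKS; b++)
        memcpy(rcx + b * BLOCK, rdx + b * BLOCK, BLOCK);
}

/* The patcher rule from the post: if the staged path equals the expected
 * one, replace it with the custom file, but only when it fits in the same
 * area (a longer path would clobber what follows the buffer).
 * Returns 1 swapped, 0 no match, -1 replacement too long. */
int substitute_if_match(char *staged, size_t stage_len,
                        const char *expect, const char *custom) {
    if (strcmp(staged, expect) != 0) return 0;
    size_t n = strlen(custom) + 1;
    if (n > stage_len) return -1;
    memcpy(staged, custom, n);
    return 1;
}

/* Worked run on a constructed path (format from the post, not a real entry):
 * stage it byte by byte, block-copy it, then try the swap. -2 = staging failed. */
int demo_swap(const char *custom) {
    uint8_t src[STAGE_MAX] = {0}, dst[STAGE_MAX] = {0};
    if (copy_path_bytewise("..\\Asset\\CHAR_XX", (char *)src, sizeof src) != 17)
        return -2;
    copy_blocks(src, dst);
    return substitute_if_match((char *)dst, sizeof dst, "..\\Asset\\CHAR_XX", custom);
}
```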
