Assembly Debugging of MKX, findings.


Post by thethiny »

I was researching the idea of an alternative to the DLC Manager, which is to swap the files to support Legit Steam users and more than 11 Skins per character. Well, first of all, Custom Player loading didn't work (Force a player) because it keeps on looping forever and forever (security measures to prevent modders like me from debugging, lol). Second of all, I couldn't bypass the 11 skins limit because of the same issue mentioned.

Anyways, here's the documentation:

Code:

find the address that writes the current play
IF the current address holds what the user asked for, replace it with the 
file he wants changed.


The game loads first and last costumes when highlighting a char.
Check if it loads past 11

_________
What writes to that area:
7FF93F36C89C - 49 8B C8  - mov rcx,r8
7FF93F367251 - 41 88 03  - mov [r11],al
7FF93F36726A - 41 88 1B  - mov [r11],bl


The character to load is stored at r8+r11
r11 stores the character loaded.
So we must modify r8+r11 at breakpoint of r11.

r11 currently has A2BB0F9C13
r8 has 923
I must know where r11 gets its value from. (R11 changes every run, R8 has the same value at instruction call)

Okay so the values are actually obtained from a different area (This area has CHAR_name.xxx and the area mentioned above has the .uncompressed value)
7FF93F367251 - 41 88 03  - mov [r11],al ;al has a character

Instruction addresses didn't change when runs changed.

In order to do a patcher, we need to access where [r11] is pointing when we 
select a character, then we go to that location and check 
"if string matches our string, change it to load a custom file".

The order of operation is:
mov al,[r8+r11] ; This copies the file to load letter by letter into AL.
mov [r11],al ; This copies the letter into the location in memory known currently as [r11]
inc r11; r11 is incremented by 1 so it goes to the next character.
The rest are commands to repeat for every letter.

Our goal here is to modify the content of [r8+r11] to suit our needs.


All readings happen at A2BB0FA55E+3

Update:
The value it takes is from R8+r11 when R8 is 920
We need to change this value, if it affects the chosen character, then we found
our goal, if it doesn't, then that means that we still need to find out what
gives this value its string.


Update 2:
Found
7FF714F3CA95 - 0F29 41 80  - movaps [rcx-80],xmm0 ; It gets the string from xmm0 to load and it puts it into rcx-80
;xmm0 ~ xmm7 are floating point registers that are 128-bit and can store strings, they're SSE registers.
Our value is stored at xmm0 at this exact second :D

Our Address is:
MK10.exe+138CA95 - 0F29 41 80            - movaps [rcx-80],xmm0
MK10.exe+138CA99 - 0F28 42 A0            - movaps xmm0,[rdx-60]
MK10.exe+138CA9D - 0F29 49 90            - movaps [rcx-70],xmm1
MK10.exe+138CAA1 - 0F28 4A B0            - movaps xmm1,[rdx-50]
MK10.exe+138CAA5 - 0F29 41 A0            - movaps [rcx-60],xmm0
MK10.exe+138CAA9 - 0F28 42 C0            - movaps xmm0,[rdx-40]
MK10.exe+138CAAD - 0F29 49 B0            - movaps [rcx-50],xmm1
MK10.exe+138CAB1 - 0F28 4A D0            - movaps xmm1,[rdx-30]
MK10.exe+138CAB5 - 0F29 41 C0            - movaps [rcx-40],xmm0
MK10.exe+138CAB9 - 0F28 42 E0            - movaps xmm0,[rdx-20]
MK10.exe+138CABD - 0F29 49 D0            - movaps [rcx-30],xmm1
MK10.exe+138CAC1 - 0F28 4A F0            - movaps xmm1,[rdx-10]
MK10.exe+138CAC5 - 0F29 41 E0            - movaps [rcx-20],xmm0
MK10.exe+138CAC9 - 0F29 49 F0            - movaps [rcx-10],xmm1

Write the value to load into [RCX-80] from xmm0 (..\Asset\CHAR_XX)
Write into xmm0 [RDX-60] (In case there are more letters)
Write the value to load into [RCX-70] from xmm1 (XXXXXXXXXX_X.xxx)
write into xmm1 [RDX-50] (In case there are more letters)
this goes all the way until [RCX - 10] So the maximum length is 32*8 characters with path.

The first values of xmm0 and xmm1 are:
MK10.exe+138CA80 - 0F28 02               - movaps xmm0,[rdx]
MK10.exe+138CA83 - 0F28 4A 10            - movaps xmm1,[rdx+10]
Which are @AAE80FCBB0 (unsure if changes or not)
These values are also gotten from [r8+r11] which points to almost the end of the file

Then RCX and RDX change
MK10.exe+138CA87 - 48 8D 89 80000000     - lea rcx,[rcx+00000080] : (float)0.1347
MK10.exe+138CA8E - 48 8D 92 80000000     - lea rdx,[rdx+00000080] : (float)0.1347
tl;dr
The game reads the string to load from the TOC by using the xmm0 and xmm1 registers, they are then transferred into a location in the memory 16 chars by 16 (maximum 16*8). Then this process is done like 23~29 times for unknown reasons, and it keeps on storing it in the memory and reading it later. I believe it is because it reads that CHAR file and then it reads the contents which has the same value and stores it for later use. Dunno.


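The two copy idioms in the post (the byte-wise `mov al,[r8+r11] / mov [r11],al / inc r11` loop, where r11 is the destination pointer and r8 a fixed displacement to the source, and the eight-pair `movaps` sequence that moves a 128-byte slot 16 bytes at a time) plus the "if string matches our string, change it" patcher check are modelled below in C. This is an added example, not code from the post or from the game; the `0x920` displacement is the R8 value the post reports, the 128-byte slot size (`[rcx-80]` through `[rcx-10]`) is assumed from the listed instructions, and all path strings are constructed placeholders. The point a practitioner should take away is the last function: the slot the game copies into is fixed-size, so a replacement path that is longer than the slot must be rejected rather than written, or it overwrites whatever the game keeps next to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Eight 16-byte movaps stores, [rcx-80] .. [rcx-10] (assumed slot layout). */
#define PATH_SLOT 128

/* Byte-wise loop from the post: mov al,[r8+r11] ; mov [r11],al ; inc r11
   dst plays r11, disp plays r8. Both pointers advance because the source
   is always r11+r8. Returns the number of bytes copied. */
size_t copy_bytewise(uint8_t *dst, ptrdiff_t disp, size_t n)
{
    uint8_t *r11 = dst;
    for (size_t i = 0; i < n; i++) {
        uint8_t al = r11[disp]; /* mov al,[r8+r11] */
        *r11 = al;              /* mov [r11],al    */
        r11++;                  /* inc r11         */
    }
    return (size_t)(r11 - dst);
}

/* movaps pairs: xmm0/xmm1 carry 16 bytes each from [rdx..] to [rcx..];
   memcpy of 16-byte chunks stands in for the SSE moves. */
void copy_slot_blocks(uint8_t *dst, const uint8_t *src)
{
    for (size_t off = 0; off < PATH_SLOT; off += 16)
        memcpy(dst + off, src + off, 16);
}

/* Patcher check. Returns 1 if the slot held `expected` and was replaced,
   0 on mismatch, -1 if `replacement` does not fit the fixed-size slot
   (writing it anyway would spill into adjacent game memory). */
int replace_asset_path(char *slot, size_t cap,
                       const char *expected, const char *replacement)
{
    if (strncmp(slot, expected, cap) != 0)
        return 0;
    size_t len = strlen(replacement);
    if (len + 1 > cap)
        return -1;
    memset(slot, 0, cap);          /* clear stale tail bytes */
    memcpy(slot, replacement, len + 1);
    return 1;
}

/* Constructed scenario: the source slot sits 0x920 bytes after the
   destination, as in the post. Patching the source region before the
   copy is what changes the path the copy delivers. Returns 1 on success. */
int demo_patch_and_copy(void)
{
    enum { DISP = 0x920 };
    static uint8_t mem[DISP + PATH_SLOT];
    static uint8_t via_blocks[PATH_SLOT];
    const char *orig   = "..\\Asset\\CHAR_AA\\AAAAAAAAAA_A.xxx";   /* constructed */
    const char *custom = "..\\Asset\\CHAR_AA\\CUSTOM_SKIN_A.xxx"; /* constructed */

    memset(mem, 0, sizeof mem);
    memcpy(mem + DISP, orig, strlen(orig) + 1);

    if (replace_asset_path((char *)mem + DISP, PATH_SLOT, orig, custom) != 1)
        return 0;
    copy_bytewise(mem, DISP, PATH_SLOT);          /* r11 loop      */
    copy_slot_blocks(via_blocks, mem + DISP);     /* movaps copy   */

    return strcmp((char *)mem, custom) == 0 &&
           strcmp((char *)via_blocks, custom) == 0;
}

/* Slot holds a different character's file: nothing is touched, returns 0. */
int demo_mismatch(void)
{
    char slot[PATH_SLOT] = "..\\Asset\\CHAR_BB\\BBBBBBBBBB_B.xxx"; /* constructed */
    return replace_asset_path(slot, sizeof slot,
                              "..\\Asset\\CHAR_AA\\AAAAAAAAAA_A.xxx", "x");
}

/* Replacement longer than the slot: refused with -1 instead of overflowing. */
int demo_oversize(void)
{
    char slot[32] = "CHAR_AA.xxx"; /* constructed 32-byte slot */
    return replace_asset_path(slot, sizeof slot, "CHAR_AA.xxx",
                              "..\\Asset\\CHAR_AA\\a_replacement_far_too_long.xxx");
}

int main(void)
{
    printf("patch+copy ok: %d\n", demo_patch_and_copy());
    printf("mismatch -> %d, oversize -> %d\n", demo_mismatch(), demo_oversize());
    return 0;
}
```

Run as-is to see the three outcomes; the length check in `replace_asset_path` is the part worth keeping in any real patcher, since the game's slot size is fixed by the instruction sequence, not by the string you would like to put there.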