Anyways, here's the documentation:
find the address that writes the current play
If the current address holds what the user asked for, replace it with the
file he wants changed.
The game loads first and last costumes when highlighting a char.
Check if it loads past 11
_________
What writes to that area:
7FF93F36C89C - 49 8B C8 - mov rcx,r8
7FF93F367251 - 41 88 03 - mov [r11],al
7FF93F36726A - 41 88 1B - mov [r11],bl
The character to load is stored at r8+r11
r11 stores the character loaded.
So we must modify r8+r11 at breakpoint of r11.
r11 currently has A2BB0F9C13
r8 has 923
I must know where r11 gets its value from. (R11 changes every run, R8 has the same value at the instruction call.)
Okay, so the values are actually obtained from a different area (this area has CHAR_name.xxx and the area mentioned above has the .uncompressed value).
7FF93F367251 - 41 88 03 - mov [r11],al ;al has a character
Instruction addresses didn't change when runs changed.
In order to do a patcher, we need to access where [r11] is pointing when we
select a character, then we go to that location and check
"if string matches our string, change it to load a custom file".
The order of operation is:
mov al,[r8+r11] ; This copies the file to load letter by letter into AL.
mov [r11],al ; This copies the letter into the location in memory known currently as [r11]
inc r11; r11 is incremented by 1 so it goes to the next character.
The rest are commands to repeat for every letter.
Our goal here is to modify the content of [r8+r11] to suit our needs.
All readings happen at A2BB0FA55E+3
Update:
The value it takes is from R8+r11 when R8 is 920
We need to change this value; if it affects the chosen character, then we found
our goal; if it doesn't, then that means that we still need to find out what
gives this value its string.
Update 2:
Found
7FF714F3CA95 - 0F29 41 80 - movaps [rcx-80],xmm0 ; It gets the string from xmm0 to load and it puts it into rcx-80
;xmm0 ~ xmm7 are floating point registers that are 128-bit and can store strings; they're SSE registers.
Our value is stored at xmm0 at this exact second :D
Our Address is:
MK10.exe+138CA95 - 0F29 41 80 - movaps [rcx-80],xmm0
MK10.exe+138CA99 - 0F28 42 A0 - movaps xmm0,[rdx-60]
MK10.exe+138CA9D - 0F29 49 90 - movaps [rcx-70],xmm1
MK10.exe+138CAA1 - 0F28 4A B0 - movaps xmm1,[rdx-50]
MK10.exe+138CAA5 - 0F29 41 A0 - movaps [rcx-60],xmm0
MK10.exe+138CAA9 - 0F28 42 C0 - movaps xmm0,[rdx-40]
MK10.exe+138CAAD - 0F29 49 B0 - movaps [rcx-50],xmm1
MK10.exe+138CAB1 - 0F28 4A D0 - movaps xmm1,[rdx-30]
MK10.exe+138CAB5 - 0F29 41 C0 - movaps [rcx-40],xmm0
MK10.exe+138CAB9 - 0F28 42 E0 - movaps xmm0,[rdx-20]
MK10.exe+138CABD - 0F29 49 D0 - movaps [rcx-30],xmm1
MK10.exe+138CAC1 - 0F28 4A F0 - movaps xmm1,[rdx-10]
MK10.exe+138CAC5 - 0F29 41 E0 - movaps [rcx-20],xmm0
MK10.exe+138CAC9 - 0F29 49 F0 - movaps [rcx-10],xmm1
Write the value to load into [RCX-80] from xmm0 (..\Asset\CHAR_XX)
Write into xmm0 [RDX-60] (In case there are more letters)
Write the value to load into [RCX-70] from xmm1 (XXXXXXXXXX_X.xxx)
write into xmm1 [RDX-50] (In case there are more letters)
This goes all the way until [RCX-10], so the maximum length is 32*8 characters with path.
The first values of xmm0 and xmm1 are:
MK10.exe+138CA80 - 0F28 02 - movaps xmm0,[rdx]
MK10.exe+138CA83 - 0F28 4A 10 - movaps xmm1,[rdx+10]
Which are @AAE80FCBB0 (unsure if it changes or not).
These values are also gotten from [r8+r11] which points to almost the end of the file
Then RCX and RDX change
MK10.exe+138CA87 - 48 8D 89 80000000 - lea rcx,[rcx+00000080] : (float)0.1347
MK10.exe+138CA8E - 48 8D 92 80000000 - lea rdx,[rdx+00000080] : (float)0.1347
The game reads the string to load from the TOC by using the xmm0 and xmm1 registers; they are then transferred into a location in memory 16 chars by 16 (maximum 16*8). Then this process is done about 23~29 times for unknown reasons, and it keeps on storing it in memory and reading it later. I believe it is because it reads that CHAR file and then reads the contents, which have the same value, and stores them for later use. Dunno.
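Added example, not code from the original post or from the game: a small C model of the patcher idea the notes describe ("if the string matches ours, change it to load a custom file"). It searches a raw memory region for the asset path, overwrites it in place with bounds checks, and then reads the name back the two ways the listing moves it: eight 16-byte block copies (the paired movaps loads/stores into [rcx-80] .. [rcx-10], 128 bytes per pass) and the byte-at-a-time loop (mov al,[r8+r11] / mov [r11],al / inc r11). The region contents, the offset 64 and the path names are constructed for the demo; a real patcher would read and write through the debugger or WriteProcessMemory instead of a local array.

```c
/* Added example: offline model of "find the path string, patch it, read it back".
 * Not MK10 code. Region contents, offsets and names below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XMM_BYTES   16                       /* one movaps moves one 16-byte register        */
#define XMM_BLOCKS  8                        /* stores to [rcx-80] ... [rcx-10] in the listing */
#define PATH_WINDOW (XMM_BYTES * XMM_BLOCKS) /* 128 bytes moved per pass                     */

/* Byte-at-a-time copy, same shape as mov al,[r8+r11] / mov [r11],al / inc r11.
 * Stops at NUL or after max-1 bytes and always NUL-terminates dst. Returns bytes copied. */
static size_t read_path_bytewise(char *dst, const uint8_t *src, size_t max)
{
    size_t i = 0;
    while (i + 1 < max && src[i] != 0) { dst[i] = (char)src[i]; i++; }
    dst[i] = 0;
    return i;
}

/* 16-byte block copy, same shape as the paired movaps loads/stores. Real movaps faults on
 * an address that is not 16-byte aligned, so the game's buffers are aligned; memcpy is not picky. */
static void copy_xmm_blocks(uint8_t *dst, const uint8_t *src)
{
    for (size_t b = 0; b < XMM_BLOCKS; b++)
        memcpy(dst + b * XMM_BYTES, src + b * XMM_BYTES, XMM_BYTES);
}

/* Locate a NUL-free needle in a raw region (the region itself may contain NULs). -1 if absent. */
static long find_string(const uint8_t *region, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len) return -1;
    for (size_t off = 0; off + n <= len; off++)
        if (memcmp(region + off, needle, n) == 0) return (long)off;
    return -1;
}

/* Overwrite the matched path in place.
 *  0 ok, -1 not found, -2 replacement plus NUL exceeds the 128-byte window the game copies,
 * -3 replacement would run off the end of the region. A shorter replacement gets the tail of
 * the old name zeroed so no stale suffix survives behind the new NUL. */
static int patch_asset_path(uint8_t *region, size_t len, const char *expected, const char *replacement)
{
    long off = find_string(region, len, expected);
    if (off < 0) return -1;
    size_t elen = strlen(expected), rlen = strlen(replacement), o = (size_t)off;
    if (rlen + 1 > PATH_WINDOW) return -2;
    if (o + rlen + 1 > len) return -3;
    memcpy(region + o, replacement, rlen);
    region[o + rlen] = 0;
    if (rlen < elen) memset(region + o + rlen + 1, 0, elen - rlen - 1);
    return 0;
}

/* Constructed sample region standing in for game memory (not captured data). */
static uint8_t g_region[256];
static char g_name[PATH_WINDOW];
static const char ORIG_PATH[] = "..\\Asset\\CHAR_AB\\ABCDEFGHIJ_1.xxx";  /* assumed name */
static const char NEW_PATH[]  = "..\\Asset\\CHAR_AB\\CUSTOM_1.xxx";      /* assumed name */
#define PATH_OFF 64   /* 16-byte aligned, as a movaps target would be */

static void setup_region(void)
{
    memset(g_region, 0xCC, sizeof g_region);                   /* filler around the string */
    memcpy(g_region + PATH_OFF, ORIG_PATH, sizeof ORIG_PATH);   /* includes the NUL        */
}

/* Full round trip: patch, then read the name back the two ways the game moves it.
 * Returns 0 only if the loader-side copies yield the new name in `out`. */
static int demo_patch_round_trip(char *out, size_t out_len)
{
    uint8_t stack_copy[PATH_WINDOW];
    setup_region();
    if (patch_asset_path(g_region, sizeof g_region, ORIG_PATH, NEW_PATH) != 0) return 1;
    copy_xmm_blocks(stack_copy, g_region + PATH_OFF);   /* the movaps pass into [rcx-80..] */
    read_path_bytewise(out, stack_copy, out_len);        /* the byte loop into [r11]       */
    return strcmp(out, NEW_PATH) == 0 ? 0 : 2;
}

/* Edge case: a name that does not fit the window must be refused, never truncated. */
static int demo_reject_too_long(void)
{
    char big[PATH_WINDOW + 8];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = 0;
    setup_region();
    return patch_asset_path(g_region, sizeof g_region, ORIG_PATH, big);
}

int main(void)
{
    int rc = demo_patch_round_trip(g_name, sizeof g_name);
    printf("round trip rc=%d name=%s\n", rc, g_name);
    printf("too-long rc=%d\n", demo_reject_too_long());
    return rc;
}
```

The length check is the part worth keeping in a real patcher: the listing shows exactly eight 16-byte stores, so anything past 127 bytes plus the terminator is not what the game copies, and writing it into the live buffer would spill into whatever follows.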