Acmlm's Board - I3 Archive - - Posts by blackhole89
blackhole89
Moronic Thread Bodycount: 17 (since 2006-08-21 09:50 EST)
F5 F5 F5 F5 F5
Since: 12-31-69
From: Dresden/SN/DE
Last post: 6313 days
Last view: 6311 days
Posted on 05-18-06 12:21 PM, in Any good Zelda 1 level editors
http://board.acmlm.org/thread.php?id=228
http://board.acmlm.org/thread.php?id=228
http://board.acmlm.org/thread.php?id=228
http://board.acmlm.org/thread.php?id=228
http://board.acmlm.org/thread.php?id=228

Read the stickies.

;;;
blackhole89
Posted on 05-19-06 07:18 PM, in Chrono Trigger: Crimson Echoes Demo 2 Released!
I must say this is pretty impressive, especially seeing as it is the first considerable Chrono Trigger hack released after all this time.

One thing though... I am stuck in 11998 BC. Where exactly should I go after defeating Dalton's golem for the first time?
I generally suggest you build in more hooks for the plot progression. Out of the time I played it, I spent at least 50% trying to remember one-time NPC dialogues or guessing where the story would continue.
blackhole89
Posted on 05-21-06 10:51 AM, in DirectX API calls in assembler, step-by-step.
What would one need this for?
The particular goal I had in mind when working this out was finding a specific Direct3D call in the disassembly of a Ragnarok Online client (I wanted to hack it to change the scene's background colour, so it was a call to IDirect3DDevice::Clear). But of course, you can ultimately do whatever you want with it, up to writing your own DirectX applications in assembler.

What tools does one need?
- A C/C++ header of whatever DirectX API you are working on. In the example I give here, it is d3d.h.
- The disassembler of your choice. I recommend IDA or SoftICE (google for that one).
- A program that can search using either wildcards or regular expressions. This is not necessary, but might come in very handy if you have to handle larger amounts of code.

So how would this be done?
First off, disassemble your binary to a text file or, if you use an integrated environment like IDA, just disassemble it.

Next, let's assume you are, like me, looking for a call of IDirect3DDevice::Clear.

Let's assume our application uses the IDirect3DDevice7 interface. There are multiple ways to guess the version of the interface used (like looking up DLL dependencies), but version 7 seems to be the most common nowadays anyway.

Open up your header - in our case, it's d3d.h - and look up your interface definition; find the function you are looking for in it.


DECLARE_INTERFACE_(IDirect3DDevice7, IUnknown)
{
/*** IUnknown methods ***/
STDMETHOD(QueryInterface)(THIS_ REFIID riid, LPVOID * ppvObj) PURE;
STDMETHOD_(ULONG,AddRef)(THIS) PURE;
STDMETHOD_(ULONG,Release)(THIS) PURE;

/*** IDirect3DDevice7 methods ***/
STDMETHOD(GetCaps)(THIS_ LPD3DDEVICEDESC7) PURE;
STDMETHOD(EnumTextureFormats)(THIS_ LPD3DENUMPIXELFORMATSCALLBACK,LPVOID) PURE;
STDMETHOD(BeginScene)(THIS) PURE;
STDMETHOD(EndScene)(THIS) PURE;
STDMETHOD(GetDirect3D)(THIS_ LPDIRECT3D7*) PURE;
STDMETHOD(SetRenderTarget)(THIS_ LPDIRECTDRAWSURFACE7,DWORD) PURE;
STDMETHOD(GetRenderTarget)(THIS_ LPDIRECTDRAWSURFACE7 *) PURE;
STDMETHOD(Clear)(THIS_ DWORD,LPD3DRECT,DWORD,D3DCOLOR,D3DVALUE,DWORD) PURE;
[...]

As you see, Clear is the 11th method from above. Memorize this number.
It takes 6 parameters. Memorize that too.

At this point, you should know Microsoft's COM interfaces all work in a similar way: when you initialize them using a DLL's API function, your small container structure is given a pointer to a virtual function table ("void *vf_ptr" in most implementations, but that doesn't matter). It points at an array of function pointers to the individual interface functions somewhere in memory. x86 pointers are, natively, 32 bits - 4 bytes - long, so you can expect the pointer to Clear - remember it was the 11th method in the interface definition? - to be at (11-1)*4 = 40d = 28h. (We subtract 1 from 11 because the first method is at (vf_ptr+0).)

Sadly, the path vf_ptr takes through the application differs a lot from one binary to another, so we can't realistically trace it. Nevertheless, the only way on the x86 architecture to call through an offset relative to a pointer is the opcode FF xx yy - call dword ptr [register xx + yy].

The next problem is the fact the compiler could have used any register to store vf_ptr in for the call. This is where the wildcard function of your disassembly viewer comes in handy: Search for call dword ptr [*+28h] (where * is the wildcard).
You will get a number of hits, some of which might not be what you are looking for. A relatively safe way to figure out whether you have actually stumbled upon a DirectX API call is checking the number of push operations done before the call.

Note that
- push operations for a function call can go quite far back in the code flow.
- It is also worth checking whether the number of arguments plus one matches (in this example, we expect 7 push operations). The additional argument is the this pointer, which is always added as the first argument to DirectX interface calls.
- The order of the pushed arguments is reversed, so a call to f(a,b,c) looks like
push c
push b
push a
call f

In the aforementioned example, we will stumble upon the following piece of code at some point.


.text:00404CB9 xor eax, eax
.text:00404CBB mov [ebp+var_10], eax
.text:00404CBE mov [ebp+var_C], eax
.text:00404CC1 push eax
.text:00404CC2 mov eax, [ebp+arg_0]
.text:00404CC5 mov [ebp+var_8], edx
.text:00404CC8 mov edx, [ecx+8]
.text:00404CCB mov ecx, [ecx+3Ch]
.text:00404CCE push 3F800000h
.text:00404CD3 jmp short loc_404D26
.text:00404CD3 push eax
.text:00404CD4 nop
.text:00404CD5 lea eax, [ebp+var_10]
.text:00404CD8 push 3
.text:00404CDA mov [ebp-4], edx
.text:00404CDD mov edx, [ecx]
.text:00404CDF push eax
.text:00404CE0 push 1
.text:00404CE2 push ecx
.text:00404CE3 call dword ptr [edx+28h]

As you see, the number of preceding push operations matches 7. Furthermore, the first argument obviously is a this pointer, as we know edx, which stores our vf_ptr here, is [ecx]; in x86 assembly, [ecx] means nothing other than "the contents of memory at the address in ecx".
The two DWORDs are pushed as immediates, 1 and 3; the LPD3DRECT is passed from eax. Let's trace back eax's way.

.text:00404CB9 xor eax, eax
.text:00404CBB mov [ebp+var_10], eax
.text:00404CD5 lea eax, [ebp+var_10]
.text:00404CDF push eax

As everybody knows, XORing something with itself effectively sets it to zero; this seemingly exotic procedure is very common among x86 compilers.
For some reason, it is stored to var_10 on the stack while other arguments are being processed; before being pushed, it is retrieved from it again. Hence, we are passing 0 (NULL) as the LPD3DRECT parameter, thus clearing the entire viewport.

For the D3DCOLOR value, we pass a value that was itself passed as an argument to the surrounding subroutine.

The D3DVALUE, which is just the Direct3D API's alias for IEEE 32-bit single-precision floating-point numbers, is passed as 3F800000h; if you have the free time and the will to, you can get a hex editor and verify it is the DWORD representation of 1.0f, but as it is, you will just have to believe me on this one.

As the last DWORD, our previously nulled eax is pushed.

With this information, we can reconstruct the call that happened there to something like the following:

(ourd3dinterfacepointer)->Clear(1,NULL,3,arg_0,1.0f,0);

Based on this information, you could place hooks in that code and modify virtually anything about the call; in my modification of the client, I hooked in a piece of code that sets the D3DCOLOR to the value of the location in the binary's virtual address space where the current scene's fog colour is stored.

Hopefully this will actually be of use to someone... half of my motivation to post this was to give an example of what this new forum section is good for, as I was the one who suggested it being added in the first place.

-- blackhole89.
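The procedure the post walks through, as an added example in Python (this is not code from the post or from any Direct3D tooling): compute the vtable slot offset from the method order in d3d.h, find the `call dword ptr [reg+28h]` in the listing, walk back over the pushes and reconstruct the arguments. The method order and the disassembly excerpt are copied from the post; the symbolic register tracking, the helper names and the parameter names of Clear are this example's own, and the tracker only models the handful of instructions the excerpt uses.

```python
import re
import struct

# Slot order of IDirect3DDevice7 as declared in d3d.h (copied from the post).
IDIRECT3DDEVICE7_METHODS = [
    "QueryInterface", "AddRef", "Release",                        # IUnknown
    "GetCaps", "EnumTextureFormats", "BeginScene", "EndScene",
    "GetDirect3D", "SetRenderTarget", "GetRenderTarget", "Clear",
]
# Parameters of IDirect3DDevice7::Clear in declaration order (this excluded).
CLEAR_PARAMS = ["dwCount", "lpRects", "dwFlags", "dwColor", "dvZ", "dwStencil"]

def vtable_offset(methods, name, ptr_size=4):
    """Byte offset of the slot holding `name`: zero-based index * sizeof(void*).
    ptr_size=4 because the post targets 32-bit x86."""
    return methods.index(name) * ptr_size

# Disassembly excerpt copied from the post, including its doubled 00404CD3 line.
LISTING = """\
.text:00404CB9 xor eax, eax
.text:00404CBB mov [ebp+var_10], eax
.text:00404CBE mov [ebp+var_C], eax
.text:00404CC1 push eax
.text:00404CC2 mov eax, [ebp+arg_0]
.text:00404CC5 mov [ebp+var_8], edx
.text:00404CC8 mov edx, [ecx+8]
.text:00404CCB mov ecx, [ecx+3Ch]
.text:00404CCE push 3F800000h
.text:00404CD3 jmp short loc_404D26
.text:00404CD3 push eax
.text:00404CD4 nop
.text:00404CD5 lea eax, [ebp+var_10]
.text:00404CD8 push 3
.text:00404CDA mov [ebp-4], edx
.text:00404CDD mov edx, [ecx]
.text:00404CDF push eax
.text:00404CE0 push 1
.text:00404CE2 push ecx
.text:00404CE3 call dword ptr [edx+28h]
"""

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(\w+)\s*(.*)$")
CALL_RE = re.compile(r"^dword ptr \[(\w+)\+([0-9A-Fa-f]+)h\]$")
IMM_RE = re.compile(r"^(?:[0-9A-Fa-f]+h|[0-9]+)$")

def parse_listing(text):
    """(address, mnemonic, [operands]) for every IDA-style line in `text`."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, mnem, ops = m.groups()
            insns.append((int(addr, 16), mnem.lower(),
                          [o.strip() for o in ops.split(",")] if ops else []))
    return insns

def imm_value(tok):
    """IDA immediates: a trailing 'h' means hexadecimal, otherwise decimal."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)

def as_float(dword):
    """Reinterpret a 32-bit pattern as an IEEE-754 single (what D3DVALUE is)."""
    return struct.unpack("<f", struct.pack("<I", dword & 0xFFFFFFFF))[0]

def find_vtable_calls(insns, slot_offset, nargs):
    """Locate `call dword ptr [reg+slot_offset]` and recover its arguments.

    Registers are tracked symbolically through the straight-line code before the
    call (xor r,r / mov / lea / push are modelled, everything else is skipped).
    The this pointer plus nargs arguments are the last nargs+1 pushes; reading
    them from the last push backwards gives them in declaration order."""
    hits, regs, pushes = [], {}, []
    for addr, mnem, ops in insns:
        if mnem == "xor" and len(ops) == 2 and ops[0] == ops[1]:
            regs[ops[0]] = 0                                   # xor r, r  ==  r = 0
        elif mnem == "mov" and len(ops) == 2 and ops[0] in REGS:
            src = ops[1]
            regs[ops[0]] = (regs.get(src, src) if src in REGS
                            else imm_value(src) if IMM_RE.match(src) else src)
        elif mnem == "lea" and len(ops) == 2 and ops[0] in REGS:
            regs[ops[0]] = "&" + ops[1]                        # address of a stack slot
        elif mnem == "push" and len(ops) == 1:
            op = ops[0]
            val = regs.get(op, op) if op in REGS else imm_value(op) if IMM_RE.match(op) else op
            pushes.append((op, val))
        elif mnem == "call" and len(ops) == 1:
            m = CALL_RE.match(ops[0])
            if m and int(m.group(2), 16) == slot_offset and len(pushes) >= nargs + 1:
                base = m.group(1)
                args = list(reversed(pushes[-(nargs + 1):]))
                this_reg = args[0][0]
                hits.append({
                    "addr": addr,
                    "this_reg": this_reg,
                    "this": args[0][1],
                    # The vtable pointer must be the first dword of the object
                    # pushed as this, i.e. the call's base register holds [this_reg].
                    "vtable_from_this": regs.get(base, base) == "[%s]" % this_reg,
                    "args": [v for _, v in args[1:]],
                })
            pushes = []                                        # the call consumed them
    return hits

def reconstruct_clear(hit):
    """Render a hit as an IDirect3DDevice7::Clear call; dvZ is shown as a float."""
    vals = list(hit["args"])
    if isinstance(vals[4], int):
        vals[4] = as_float(vals[4])
    return "Clear(%s)" % ", ".join("%s=%s" % (p, v) for p, v in zip(CLEAR_PARAMS, vals))

if __name__ == "__main__":
    off = vtable_offset(IDIRECT3DDEVICE7_METHODS, "Clear")
    print("Clear slot offset: %#x" % off)
    for h in find_vtable_calls(parse_listing(LISTING), off, len(CLEAR_PARAMS)):
        print("%08X this=%s vtable_from_this=%s" % (h["addr"], h["this"], h["vtable_from_this"]))
        print("         " + reconstruct_clear(h))
```

Replace LISTING with a full IDA text export to scan a whole binary. The tracker assumes straight-line code, and, as the post notes, pushes for a call can sit far back in the code flow, so treat a hit as a lead to confirm in the disassembler rather than as proof; the `vtable_from_this` check (the call's base register was loaded from the first dword of the object pushed as this) is the cheapest way to weed out false positives among `[reg+28h]` calls.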
blackhole89
Posted on 05-22-06 01:24 PM, in Editor Database Thread (like the hack db one)
Keep the number of stickies low. More of them won't exactly contribute to a single one being read.

This could easily be merged with the other sticky, and will be so.
blackhole89
Posted on 05-22-06 01:28 PM, in Is there a *insert game* editor? - THIS IS NOT AN EDITOR REQUEST THREAD / Editor DB
Merged in http://board.acmlm.org/thread.php?id=5353. As said in there, it is better to keep the number of stickies low. Remember second incarnation's SMW hacking?
blackhole89
Posted on 05-22-06 03:22 PM, in Is there a *insert game* editor? - THIS IS NOT AN EDITOR REQUEST THREAD / Editor DB
AlexAR: Added.

Darkdata: Not sure whether this thread also applies to common editing tools beyond specific game editors... but I guess it could be uploaded if you put it in the above-used format to save me work.
blackhole89
Posted on 05-22-06 03:26 PM, in icq hack
Now somebody with said messenger should possibly verify whether that method actually works...

Meanwhile, watch your grammar at least a bit. I don't mind minor internet-style stuff, but this was a real pain to read.
blackhole89
Posted on 05-22-06 04:35 PM, in Wi-Fi Connection Hacking
Moved to General Hacking as this doesn't really involve ROMs or hacking thereof.
blackhole89
Posted on 05-23-06 10:48 AM, in My hacks may no longer be used as a base.
SMAS graphics are overused, and they were long before your time. It is not like there was anything special or protection-worthy behind the ripping of them; others did that before you, and uploaded their graphics rips to the ExGFX workshop or used them silently. You were just the first one to have the idea of publicly releasing them with drumrolls and using that to advance to a quasi-messiah of highly generic SMW hacks, whether you intended to or not.
blackhole89
Posted on 05-23-06 10:50 AM, in Hack links...
Or still use it.

Or don't use SMAS graphics at all, since they have been overused ever since. Everybody using them doesn't mean they are good... it only means they are simple to do. Why has it been ages since I last saw a hack with graphics ripped from a game other than SMAS, or even entirely self-made ones?
blackhole89
Posted on 05-23-06 01:16 PM, in Cave Story .org to SNES N-SPC conversion.
I have been working on it for a while, and decided to release the testing converter I wrote during research... basically, it allows you to convert .org music from Cave Story to N-SPC, the format nearly all Nintendo-homebrewed SNES games use for their music data, in this case specifically hardcoded to the offsets of DJ Bouche's SMAS music hack for Super Mario World.

The remaining details are on the page below.

http://twilightro.kafuka.org/~blackhole89/org2nspc.php

If anybody is interested in a larger amount of cave story soundtrack conversions done with that tool, let me know by reply.

Heck... I think this would be my very first ROM hacking related software release...

-- blackhole89.
blackhole89
Posted on 05-23-06 01:44 PM, in New SMB lvl is completed
Do not announce your hacks without having material (i.e. screenshots) you can show. Even the most colourful description of what you are planning to do does NOT count.

Alastor will add that to his announcement later.

For now: DON'T.

Closed.
blackhole89
Posted on 05-24-06 04:39 AM, in Wi-Fi Connection Hacking
Originally posted by BGNG
Round 1; May 02, 2006, 6:14:50 PM CDT
000000  16 03 00 00 2F 01 00 00 2B 03 00 44 57 A5 13 5F  ..../...+..DW.._
000010  A2 6A B6 69 45 39 7A 1D AE 83 6A 12 9E 24 6E 9E  .j.iE9z...j..$n.
000020  6B 64 20 A0 9F 58 AB 27 F7 CE BE 00 00 04 00 04  kd ..X.'........
000030  00 05 01 00 00                                   .....

Round 2; May 02, 2006, 6:13:47 PM CDT
000000  16 03 00 00 2F 01 00 00 2B 03 00 44 57 A1 4D AD  ..../...+..DW.M.
000010  10 23 0E 31 4D C6 F3 81 54 61 A0 85 61 13 C2 40  .#.1M...Ta..a..@
000020  D9 33 DA A2 06 BC 47 03 BA EA 78 00 00 04 00 04  .3....G...x.....
000030  00 05 01 00                                      ....


The offset 0Bh in both records holds the quite precise timestamp of the time you noted for recording this ... in little-endian format.

The following 28, random-seeming hexadecimal numbers *might* be the public key for an RSA encoding... to see whether they actually are, I'd need to see the server's reaction. Either way, the number they give isn't prime, and has no lower factors, which means it probably is a product of two numbers roughly the same size. Though, an 896-bit encryption isn't something I would call quite common...


(edited by blackhole89 on 05-24-06 02:33 PM)
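As an added example, not part of the original post or of any Nintendo or DS tooling: the two captures quoted above have the byte layout of an SSL 3.0 record (content type 0x16 = handshake, version 3.0, 16-bit length) carrying a ClientHello (handshake type 1, 24-bit length, client version, a 32-byte Random whose first four bytes are gmt_unix_time as a big-endian seconds count, session ID, cipher suites, compression methods). The parser below walks that layout over both dumps, with the hex columns copied from the post (ASCII column omitted), and reports every field. The field names, the Reader helper and the suite-name table are this example's own.

```python
import struct
from datetime import datetime, timezone

# Hex columns of the two captures quoted in the post ("Round 1" and "Round 2"),
# offset column kept, ASCII column omitted.  The decoding is this example's own.
ROUND1 = """\
000000 16 03 00 00 2F 01 00 00 2B 03 00 44 57 A5 13 5F
000010 A2 6A B6 69 45 39 7A 1D AE 83 6A 12 9E 24 6E 9E
000020 6B 64 20 A0 9F 58 AB 27 F7 CE BE 00 00 04 00 04
000030 00 05 01 00 00
"""
ROUND2 = """\
000000 16 03 00 00 2F 01 00 00 2B 03 00 44 57 A1 4D AD
000010 10 23 0E 31 4D C6 F3 81 54 61 A0 85 61 13 C2 40
000020 D9 33 DA A2 06 BC 47 03 BA EA 78 00 00 04 00 04
000030 00 05 01 00
"""

# IANA names of the two cipher suite values that appear in the captures.
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}

def hexdump_to_bytes(dump):
    """Turn 'offset b0 b1 ...' lines back into bytes; the first token is the offset."""
    out = bytearray()
    for line in dump.splitlines():
        toks = line.split()
        if toks:
            out.extend(int(t, 16) for t in toks[1:])
    return bytes(out)

class Reader:
    """Bounds-checked cursor over a byte string; multi-byte fields are big-endian."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated: need %d bytes at offset %d" % (n, self.pos))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack(">H", self.take(2))[0]
    def u24(self):
        b = self.take(3)
        return (b[0] << 16) | (b[1] << 8) | b[2]

def parse_client_hello(data):
    """Parse an SSL 3.0 / TLS handshake record carrying a ClientHello."""
    rec = Reader(data)
    content_type = rec.u8()
    if content_type != 0x16:
        raise ValueError("not a handshake record (content type 0x%02x)" % content_type)
    record_version = (rec.u8(), rec.u8())
    body = Reader(rec.take(rec.u16()))            # record length bounds the body
    msg_type = body.u8()
    if msg_type != 1:
        raise ValueError("not a ClientHello (handshake type %d)" % msg_type)
    hello = Reader(body.take(body.u24()))         # handshake length bounds the hello
    client_version = (hello.u8(), hello.u8())
    gmt_unix_time = struct.unpack(">I", hello.take(4))[0]   # first 4 bytes of Random
    random_bytes = hello.take(28)                            # remaining 28 bytes of Random
    session_id = hello.take(hello.u8())
    suites = [hello.u16() for _ in range(hello.u16() // 2)]
    compression = list(hello.take(hello.u8()))
    return {
        "record_version": record_version,
        "client_version": client_version,
        "gmt_unix_time": gmt_unix_time,
        "timestamp": datetime.fromtimestamp(gmt_unix_time, timezone.utc).isoformat(),
        "random_bytes": random_bytes.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites],
        "compression_methods": compression,
        "trailing_bytes": len(data) - rec.pos,   # bytes after the record, if any
    }

if __name__ == "__main__":
    for name, dump in (("Round 1", ROUND1), ("Round 2", ROUND2)):
        print(name)
        for k, v in parse_client_hello(hexdump_to_bytes(dump)).items():
            print("  %-20s %s" % (k, v))
```

Every read is bounded by the length field that encloses it, so a truncated or malformed capture raises instead of silently misreading the next field; the one extra byte at the end of the Round 1 dump shows up as `trailing_bytes` rather than being folded into the hello. Feed it a server-side capture of the same connection and the next record (type 0x16, handshake type 2) is the ServerHello that answers it.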
blackhole89
Posted on 05-24-06 05:08 AM, in If The World Were To End Tommorow...
I would probably browse the internet for 22 hours, then find myself a nice spot to watch as the whole bullshit goes down the ***.
Or make a plane trip via Romania, Brazil and the United States and get rid of various ex-Acmlmboarders for whom I think a board ban was nowhere near enough of a punishment.
Or just board a plane to the States or Canada and meet random people I know from the internet.
blackhole89
Posted on 05-24-06 11:46 AM, in ASM...
Precisely.

*threadclose no jutsu*
Acmlmboard 1.92.999, 9/17/2006
©2000-2006 Acmlm, Emuz, Blades, Xkeeper