0xDC00 / agent

Universal script based text hooker (powered by FRIDA).
https://discord.gg/sWeFsmJYJc

Query regarding ExecutionWatch #2

Closed ZDTL closed 3 years ago

ZDTL commented 3 years ago

So, I tried to find the D-Code of Tantei Bokumetsu 1.0.2 and was successful. I also had a pattern from before, so it was easy to judge.

Now I am trying to find out the D-Code for Buddy Mission Bond (https://vndb.org/v30145) 1.0.1

It has shift_jis encoding.

I tried to follow your steps and found 4 addresses. [screenshot] The third address showed instructions when I moved to dialog B from A.

It had this many instructions with a low count (the address is different because CE crashed, but I followed the same steps as before). [screenshot]

For the time being, I selected the 4th one because it had a similar pattern to the one in your tutorial (movzx, byte ptr).

But I don't know where to stop. Is it [eax, address]? [screenshot]

So I have two questions regarding your explanation in the wiki:

**1. How do I find out the TerminatedPattern for a particular game?**

**2. In Step 3 of your tutorial, where I am checking instructions, how do I decide the range of addresses to copy from the memory viewer?**

0xDC00 commented 3 years ago
  1. Terminated, normal case (https://en.wikipedia.org/wiki/Null-terminated_string):
    • utf-8, shift_jis: 00
    • utf-16: 0000
    • utf-32: 00000000

Ex:

line1
line2

=> 00000000 6C696E65 310A6C69 6E653200 00000000 (line1.line2.....). But some games use 00 for the line break (instead of 0A); the sequence then becomes: 00000000 6C696E65 31006C69 6E653200 00000000 (line1.line2.....)

If we use 00 as the terminator (instead of 0000), we only get 6C696E653100 <=> line1.

  3. The game uses a custom terminator.

  2. The length can be anything; just make sure your pattern matches only one result. Looks like this game needs manual debugging to find a good hook.
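As an added illustration (not code from the agent project or from 0xDC00), this Node.js snippet reads a terminated string out of the two constructed dumps from the answer above and shows why a 00 terminator stops after line1 when the game uses 00 as its line break; the `unit` and `termLen` parameters and the helper names are this example's own assumptions.

```javascript
// Added example, not from the agent project: read a terminated string out of a
// memory dump and show why the terminator length matters. The two hex dumps are
// the constructed ones from the comment above (text starts at byte offset 4).

function hexToBytes(hex) {
  const clean = hex.replace(/\s+/g, "");
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(clean.substr(i * 2, 2), 16);
  }
  return out;
}

// Scan from `offset` in `unit`-byte steps (1 for utf-8/shift_jis, 2 for utf-16)
// until `termLen` consecutive zero bytes appear. Returns the bytes before the
// terminator, or null if none is found. (unit/termLen are this example's names.)
function readTerminated(bytes, offset, unit, termLen) {
  for (let i = offset; i + termLen <= bytes.length; i += unit) {
    let zero = true;
    for (let k = 0; k < termLen; k++) {
      if (bytes[i + k] !== 0) { zero = false; break; }
    }
    if (zero) return bytes.subarray(offset, i);
  }
  return null;
}

// Decode, then turn in-string 00 line breaks (used by some games instead of 0A)
// into real newlines so the hooked text stays readable.
function decodeText(strBytes, unit) {
  const label = unit === 2 ? "utf-16le" : "utf-8";
  return new TextDecoder(label).decode(strBytes).replace(/\0/g, "\n");
}

// Case 1: 0A line break, 00 terminator -> one read returns both lines.
const DUMP_0A = "00000000 6C696E65 310A6C69 6E653200 00000000";
// Case 2: 00 used as line break -> a 00 terminator stops after line1; 0000 gets both.
const DUMP_00 = "00000000 6C696E65 31006C69 6E653200 00000000";

function readDump(hex, termLen) {
  const s = readTerminated(hexToBytes(hex), 4, 1, termLen);
  return s === null ? null : decodeText(s, 1);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(readDump(DUMP_0A, 1))); // "line1\nline2"
  console.log(JSON.stringify(readDump(DUMP_00, 1))); // "line1"
  console.log(JSON.stringify(readDump(DUMP_00, 2))); // "line1\nline2"
}
```

The same scan with `unit = 2` and `termLen = 2` is the utf-16 case, where stepping two bytes at a time keeps the terminator check aligned to code units.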