
Topics - ctkny

General Discussion / RGSS Reverse and Refine
January 20, 2021, 09:50:12 am
Notice:
    1. Reverse engineering violates the EULA. This is for knowledge-sharing purposes only.
    2. I'm Chinese, and some of my expressions may be incorrect/imprecise.

Basic Introduction:
    Assembly is built upon machine code; C/C++ is built upon assembly; RGSS is built upon C/C++. It's normally difficult to change one level's behavior from a higher level but relatively simple from a lower level.
    So, reverse engineer RGSS, figure out what's going on, and make some patches. Problem solved.

Implementation:
    First of all, learn about IA-32 assembly, the Win32 API and other things. Then:
    1. Find a breach point. For example, an API call, memory access, strings, ...
    2. Debug, run and test. Figure out the logic.
    3. Patch at the key location. WriteProcessMemory will do.
    Done.

Examples:
    All examples are for RMXP, but should be very similar to VX/VA.

    1. Disable what F12 does.
    Since it's triggered by F12, we can try conditional breakpoints on GetKeyState/GetAsyncKeyState, and it works. We get this:
      push 7B                  ; argument, keycode for F12
      call GetAsyncKeyState
      test ax,ax
      jge gotoreturn           ; if F12 not triggered, return
        xxxx                   ; resets the game
      gotoreturn:
      ret
    Simply change jge to jmp, and Reset will never be reached.

    2. Disable the 10s hangup
    Search for "Hangup" ->
      push eax
      push "Hangup"
      call xxx
      mov [xxx],eax
    It's like some kind of registration in Ruby, so search for references. Distinguish the results. The rest should be easy. Patch, test and run, then patch again.

    3. Background running
    It's about the window procedure and messages, WM_ACTIVATEAPP. Should be easy.

    4. Disable alt+enter
    Again the window procedure. Accelerators. Should be easy.

    5. Load font
    RGSS calls EnumFontFamiliesExA and maintains a list at startup. So if we first call AddFontResource and then call EnumFontFamiliesExA as RGSS did, with the new font specified, the new font will be added and usable.

End:
    With good preparation, things should be just smooth and clear.
    Because key addresses in different versions of the RGSS .dlls are different, the exact patching code is not given. It's just the idea.