Hacking Little Busters CE, I would like some advice on a width problem with english text

[Patrick Evers Bjoerkman]

Hello my name is Patrick and I have been working for a while on an english patch for LB CE for PSP. I have reverse engineered the scripts and imageformats of the game, but I have an issue that I used at least 3 months trying for solve and so.. here are the details.
Below is an image from the game showind a test dialog message I have written in Shift-JIS:

The space between the letters are what I have been trying to fix. Writing ASCII won't work since it will eventually make the game crash. I believe the ASCII letters are interpreted in some way as commands which ends up making the game crash (I have also trying using unicode, so that every letter consisted of two bytes like normal shiftjis characters, but that didn't solve the issue).
I concluded after trying numous combinations that I would have to hack the program itself rather than the game files.
From this point a friend gave me a post from this site with the same issue called "
Zettai Zetsumei Toshi 3" link:http://gbatemp.net/threads/zettai-zetsumei-toshi-3.345409/page-3
Using "010 editor" I found that one byte had been changed, namely 0x8030 had been changed to 0x8000,
so I tried changing all 0x8030 to 0x8000 in the LB eboot, but that didn't change anything.
From this point I tried debugging using PPSSPP and found that when the game crashes with ASCII text, the game crashed (captured by visual studio though JIT debugging)

with this message:

First-chance exception at 0x0dd4f50b in PPSSPPWindows.exe: 0xC0000005: Access violation writing location 0x0880005c.[/FONT]
[FONT=arial]Unhandled exception at 0x0dd4f50b in PPSSPPWindows.exe: 0xC0000005: Access violation writing location 0x0880005c.[/FONT]
[FONT=arial]

With a fragment of the disassembly (the last instruction makes it crash) looking like this:

0DD4F45C  ja          0DD4F46D[/FONT]
[FONT=arial]0DD4F45E  mov        dword ptr ds:[1138E98h],89E0C84h[/FONT]
[FONT=arial]0DD4F468  jmp        07820004[/FONT]
[FONT=arial]0DD4F46D  mov        eax,dword ptr ds:[1138B70h][/FONT]
[FONT=arial]0DD4F473  and        eax,3FFFFFFFh[/FONT]
[FONT=arial]0DD4F479  mov        esi,dword ptr [eax+8800008h][/FONT]
[FONT=arial]0DD4F47F  mov        edi,dword ptr ds:[1138B84h][/FONT]
[FONT=arial]0DD4F485  add        edi,0FFFFDB98h[/FONT]
[FONT=arial]0DD4F48B  lea        edi,[edi+8][/FONT]
[FONT=arial]0DD4F48E  cmp        esi,edi[/FONT]
[FONT=arial]0DD4F490  mov        dword ptr ds:[1138B60h],edi[/FONT]
[FONT=arial]0DD4F496  mov        dword ptr ds:[1138B64h],esi[/FONT]
[FONT=arial]0DD4F49C  je          0DD4F4D0[/FONT]
[FONT=arial]0DD4F4A2  mov        eax,dword ptr ds:[1138B70h][/FONT]
[FONT=arial]0DD4F4A8  and        eax,3FFFFFFFh[/FONT]
[FONT=arial]0DD4F4AE  mov        esi,dword ptr [eax+880000Ch][/FONT]
[FONT=arial]0DD4F4B4  mov        dword ptr ds:[1138B60h],esi[/FONT]
[FONT=arial]0DD4F4BA  sub        dword ptr ds:[1138EB4h],5[/FONT]
[FONT=arial]0DD4F4C1  jmp        0DD4F4E8[/FONT]
[FONT=arial]0DD4F4C6  add        dword ptr [esp+ecx-62h],ecx[/FONT]
[FONT=arial]0DD4F4CA  or          cl,ch[/FONT]
[FONT=arial]0DD4F4CC  push        ebx[/FONT]
[FONT=arial]0DD4F4CD  or          ebp,dword ptr [ebp-4BD27C07h][/FONT]
[FONT=arial]0DD4F4D3  mov        ss,word ptr [ebx][/FONT]
[FONT=arial]0DD4F4D5  add        dword ptr ds:[5079CE9h],eax[/FONT]
[FONT=arial]0DD4F4DB  add        byte ptr [ecx],al[/FONT]
[FONT=arial]0DD4F4DD  cwde[/FONT]
[FONT=arial]0DD4F4DE  or          al,9Eh[/FONT]
[FONT=arial]0DD4F4E0  or          cl,ch[/FONT]
[FONT=arial]0DD4F4E2  cmp        eax,90F9AD0Bh[/FONT]
[FONT=arial]0DD4F4E7  int        3[/FONT]
[FONT=arial]0DD4F4E8  ja          0DD4F4F9[/FONT]
[FONT=arial]0DD4F4EA  mov        dword ptr ds:[1138E98h],89E0C4Ch[/FONT]
[FONT=arial]0DD4F4F4  jmp        07820004[/FONT]
[FONT=arial]0DD4F4F9  mov        esi,dword ptr ds:[1138B64h][/FONT]
[FONT=arial]0DD4F4FF  mov        eax,dword ptr ds:[1138B60h][/FONT]
[FONT=arial]0DD4F505  and        eax,3FFFFFFFh[/FONT]
[FONT=arial]0DD4F50B  mov        dword ptr [eax+8800008h],esi

Now I also tried making a map of all the methods a change of dialog message invokes.

And have been trying to change random integers I could find. I have also tried changing random integers I could find in IDA Pro, but nothing made a difference.

So far my only idea of what I can do is to take all these methods and try changing integers I find anywhere in them, but even that won't garantee anything and will take a long while.

I guess I would just like to hear from you if you have any idea what I could try at this point? Is what I am currently doing the only way to do this?

 

[neoxephon]

Well, without even looking at the game yet, I can tell you that you are going about it all wrong.

Every game is programmed differently. Especially when it is from completely different developers. The character spacing fix for Zettai Zetsumei Toshi 3 will not be the same for this game. You should not be replacing every instance of an opcode in the EBOOT. A PSP game has a ton of functions, each affecting different parts of the game.

You should be placing a breakpoint on some text and take the time to debug the opcodes, to pinpoint which opcode(s) control the character widths. And then you only modify those specific opcode(s), not every single instance of them.

As to why it is not accepting single-byte characters, if I get a free moment I'll take a look and see if I see anything, no guarantees though.

 

[Patrick Evers Bjoerkman]

Yeah I know all games are programmed differently, its just that I hoped that there would be a tendency to use the same spacing value. While I was able to reverse engineer the game files, working on this seems alot more difficult. In any case, to do like you said (debug) I guess I should find a string with the least refferences in IDA PRO, find them in PPSSPP and debug from there. I'll start doing that right away.

 

[thexyz]

If I understood your problem correctly, you can replace text using shift-jis encoding, but it looks bad; so you're trying to use ASCII/"Unicode" (I'm assuming UCS-2) but this crashes the game. Is that correct?

I can look into it if you send me a partial patch that has first few opening lines replaced with english text (shift-jis, so that the game doesn't crash).

 

[Patrick Evers Bjoerkman]

The partial patch can be found on my blog: patr0805.wordpress.com
However here is a partial part of it, containing the script translated to shiftjis english.
http://hardmech.com/Script.zip

You can also use my tool if you want to test around with the script:
http://sourceforge.net/projects/rlpaktool/

If you do that, remember to uncheck the checkbox "autoconvert to shiftJIS" if you want the text to be ASCII.

Thanks

 

[Patrick Evers Bjoerkman]

I have found that it doesn't like too many commands and ASCII spaces in the dialog, removing the spaces in a string and the game won't crash by ASCII. I have now tried "$007　$S016" instead of a space, but that only worked if the string didn't get too long in a dialog message. To reproduce the crashing issue, make the first 4 dialog be ASCII text and you will see that if you click square on the controller/Keyboard you will see the game' feature of showing a list of the dialog you have seen, the second you leave this screen, the game crashes.

Here is the script file with the first 3 lines being ASCII i n case you would like to see it for yourself:
http://hardmech.com/ascii.zip

I'll continue searching for the right integer to change though debug as adviced earlier.

 

[Patrick Evers Bjoerkman]

Could anyone explain this behavor to me? I have found that the text "Return to title menu" is assigned to a2 by addiu $a2, $t3, addressToReturnTitleText. Later I see this instruction: sw a2,0x4(sp). According to PPSSPP the value is now 0BFFF4A0, so I calculated that sw must have stored a2 at the memory address 0x0BFFF4A0 + 0x4 -> 0x0BFFF4A4, but when I go to that location in the ramdump that address exceeds the size of the ram and in the memoryview I see neither the text "Return to title menu" or its pointer from a2 at that location (I right clicked on the CPR sp and clicked "go to memory view" where this address existed, but none of the hex data was recognizable as either pointer or text from a2)
Could someone explain this to me?

 

[thexyz]

Could anyone explain this behavor to me? I have found that the text "Return to title menu" is assigned to a2 by addiu $a2, $t3, addressToReturnTitleText. Later I see this instruction: sw a2,0x4(sp). According to PPSSPP the value is now 0BFFF4A0, so I calculated that sw must have stored a2 at the memory address 0x0BFFF4A0 + 0x4 -> 0x0BFFF4A4, but when I go to that location in the ramdump that address exceeds the size of the ram and in the memoryview I see neither the text "Return to title menu" or its pointer from a2 at that location (I right clicked on the CPR sp and clicked "go to memory view" where this address existed, but none of the hex data was recognizable as either pointer or text from a2)
Could someone explain this to me?

Your explanation is not really clear, I suggest you attach a screenshot with the debugger and memory view pane open.

 

[Patrick Evers Bjoerkman]

The first image is from IDA Pro, I have taken the "return to menu" text.

I go to the same address in PPSSPP

After clicking step-into until I see something mess with a2, the first instruction to do that is sw.

But I can see nothing recognizable in the memoryview at the location of sp+4

 

[thexyz]

There's $a2 stored at $sp+4, it's stored in little-endian format so you see it in memory dump in reverse: EC 68 9C 08

 

[Patrick Evers Bjoerkman]

Silly me for having overlooked that, thanks for the answer

 

[thexyz]

So I tried to trace it yesterday and I ended up in this amazing function sub_88287D0:

And in the end I just gave up because I don't know enough about this game's script format to be able to make any sense of it, sorry.

You can breakpoint it and see that it gets called on every text box; then if you nop the call the text disappears which means somewhere here it probably draws the text, or calls another function that does it.