#Modifying title screen background color using cheat engine + anything else for forever and ever

exactly

and man it's so hard to find steam features

"refresh game steam"
"oh you mean Re:Fresh on steam right?"

NO

anyways i'm listening to some video about lovecraft while going through each reference to the IsFemc function

im gonna be mad if IsFemc isn't GET_PROTAG_GENDER

There are a few ways you could do it. I normally am just quick enough, the game takes a little bit to actually start (you can do stuff while it's not actually open, when it's just the reloaded consult) so imo it's not hard to do if you're ready.
If that's not working though you can start a process with cheat engine (or any debugger really) and it'll immediately break

oh wait you're right

It's probably not

if you click the reloaded window while it's loading and cause it to pause it freezes the game lol

i forgot about that

You could also add a thread.sleep in your mod's constructor to just make it take longer

lfgo

how do i do that last thing haha

The button you press to attach to the game has a button for creating a new process in the window where you'd normally select the exe

ok the stalling of the reloaded window only manages to freeze the main menu being loaded

It's a little plus or something I think

right

Or maybe a folder icon

i do not see that

oh the folder?

Maybe

I'm just going off my memory

I'm not at home

Send a screenshot of the window if you can't find it

Press the looking glass thing (top left) that you'd normally use to attach to the game

It's in that window that pops up

under processes?

Ah you press file

Then the option is somewhere in that menu

that's the worst looking button ever

wow

so create process?

oh and then i just open P3P.exe?

Yeah

Yeah

damn

it didn't immediately break :/

😕

It should...

Where did you place the break??

is it the reloaded part?

is reloaded doing something

i didn't place a break

Oh you mean It didnt stop

but it clearly did seeing as the memory viewer shows the break controls

Gotcha gotcha

You don't place any, it won't execute. It'll just be in a debugger on the first instruction of the program

Yeah that's right

oh for real?

Then place the break point or whatever where you wanted it and run

ohhhh

ok

weird it kept going

Then whatever code you were putting it on didn't get run

You've got the wrong thing...

Where did you breakpoint??

it literally puts me there when i add the process so i got no idea

right here

But what function is that one??

this?

i have no idea what i'm looking at

it's a seemignly named function though

so it clearly has a purpose

Oh that's the entry nice

which a named reference

i love when i send a screenshot utterly confused and y'all are like "oh that you're on the right track"

somehow this makes sense to y'all

The entry you can tell it's like the first first function the program runs

oh then why does it not break then wtf

Lmao

i blame reloaded

how do i remove the thing that still launches the reloaded window when opening through steam?

Yeah that's weird, It should stop

Unless you placed the break inside the if or smth It could not run

But It should

it was not reloadeds fault :/

good to know

still doesn't stop

do i need to record a video of what i'm doing

I don't see the problem, it did break at the start at it was meant to. You just never put a breakpoint yourself on whatever function you need from the sound of things

ok gimme a second ima record a video

Oh so It did break then??

That's what that screenshot is

It's in the debugger at the entry

you're kidding me

the break point stops everything but the loading icon card

until i click on the game, then it advances and stops again on the next thing to load

So the breakpoint does work, you've just got the wrong thing?

somehow it's not the first thing the game loads

i guess

I'm pretty sure init and init_free are the first things loaded

I take it this isn't in them?

menu still frozen, only advances a little bit when clicked

i actually don't know if those files are in there one second

Oh wait

The game is advancing without you clicking run?

yeah

Oh that shouldn't happen

when i click onto the game it advances slightly

fantastic

Disable reloaded asi loader whatever

cursed? or am i dumb?

i did i deleted it

Then that makes no sense to me

i could empty my tash can

Nothing should happen until you press run

It being on the reloaded process is the only thing I can think of that'd cause that

ok i know what's happening

breakpoint isn't working

it's just pausing when i tab out

Yeah

because persona essentials disables that 😔

Are you sure you don't have multiple instances of the game open or something

Cheat engine has got something in a break point

it's somehow in my background processes

I think that's the one that's broken

oh that's just a part of cheat engine

went away when i closed cheat engine

Maybe the window hasn't even been created yet

yeah it's definitely a part of cheat engine

closed down cheat engine, went away, opened it back up and readded the exe, it's back again

It's not a part of cheat engine, cheat engine is just attached to it

well it's definitely the window having not been created yet

because i'm pretty sure cheat engine is supposed to launch the game

oh wait does that mean the breakpoint is working working and thus not creating the window?

Yes

You need to let it run for it to actually finish launching

Presumably when you press run the game will appear

yup

ok so

that entry thing is the first first first thing that runs

Yes

Oh that'd make total sense

yeah

i just don't really know how to branch out from that

would anything be accessing that address or writing to it?

from what i saw in ghidra it doesn't seem like anything meaningful is stored there

It's the beginning of everything

Everything the exe does starts from there

right

like i sorta understand the significance

but the only way i really know how to jump from one address to another is the what accesses / writes to this address in cheat engine

do i just click the LAB_15C333054 and see where it goes

and keep jumping till i find what i need in ghidra?

What are you actually trying to do?

stop it from crashing when the card is loaded

otherwise the config menu is pink and everything else is good

Starting from main might eventually get you where you want but that would take an eternity to go through everything is does

I remember seeing some error message when it crashed for me. Do you get that?

do i get the error?

like a crash log?

or "do you understand" haha

No like an error in the console

Does one get printed?

I have a mod that adds back some error logging to the game, I'm not sure if that's what caused it

it appears so

Ah ok

as the reloaded log ends before any files are loaded

Well maybe that error is useful, very possibly not

Well I think the next thing to do would be to look at a crash dump to see why it's crashing

man i hate doing that

watch it be something dumb about writing to too long of an address

where are dumps stored again? it's not crashdat yeah?

Yeah it should be

For the psp at least the error log for the Pink first spinning card was not very useful unfortunately

It's in the game's folder

got it

god bless everything search

ok so that's the last time the game crashed

and you open in visual studio yeah?

Yeah

that was my second guess

protected memory apparently

(At least that's what I use, ik there's others but I've never bothered learning)

Fun

does that mean i'm boned?

how do you get around protected memory?

It probably means something is 0 that shouldn't be

Same error as PSP actually

I doubt it's actually a memory protection error

something is 00 that shouldn't be?

Far more likely that it's just reading from the wrong address

is it the instructions i had to nope out due to a mismatch in byte size?

It Will take you to a draw function if you go to the pc when crashed

Well in my case I had the pc but here doesnt look like it's showing up

You can see where it broke

oh how do i do that lol

In vs you need to press run with native (or mixed both seem to work)

Then wait an eternity while it loads a bunch of stuff

oh hey there's an address

exception unhandled at

0x00000001403DBF16

Well have a look at that in Ghidra

Hopefully it's something obvious

genuinely not a clue

Yeah that location 308 definitely isn't an address

it says sprKey?

Could you send a screenshot

A draw function right??? Same as psp

Tbh I don't really remember much about the spr structure

I never got deep enough to fix the crash with spr emulator 😦

Looks like a sprite is messed up or something

I was able to fix It in psp which could work on pc looking it's the same error

Maybe it didn't finish loading or something like that

How'd you fix it?

by noping out a reference to a path i'm pretty sure

this i think

Yeah, should be ablo to find It placing a breakpoint at the acceses of the femc flag at the init functions

init functions as in plural

how does one find the other ones besides entry lol

please tell me they're all next to each other

That's not really how functions work

a man can dream

It's all up to the compiler where they go.

It'll put them wherever it wants, sometimes related functions may end up next to each other but you should consider it luck more than anything. The location of code isn't something you should count on

there's gotta be a different way to fix it

(Obviously it's not literally random, the compiler has some logic that decides where things go but that's black magic. May as well think of it as random)

What do you see if you look at the function that called that?

the function that called that address?

Yeah

Vs should show you a call stack

yeah?

Somewhere in the bottom right I think

i see it

it just has the same address i got from the unhandled exception error

1403DBF16

There should be multiple addresses...

oh lol

Yeah the address below that is what called it

And so on

Try looking at them in Ghidra and see if there's anything interesting

nothing here i don't think

seems like a whole lotta nothing

I think you need to do further out

Looks like that's probably just some function that draws sprites

I mean some of the functions that gets executed at the start

all of the addresses related to P3P.exe

But knowing there is a isFemc here which in my case have a Bit check, you should be able to put a breakpoint in Bitcheck

That while it's stopped in the entry

Then run the program and find out where it is doing some kind of BitCheck

Problem is if the program runs BitCheck for something else at the start that is not the isFemc flag

But you can try

adding a break point to the return in bitcheck did nothing to stop the game

so i'm assuming what you said is correct

Nothing??

oh wait there we go

now it froze

Lfgo

ok so launch the game normally and tab out asap

don't launch through cheat engine itself

it didn't jump anywhere though

is that normal?

Wdym jump??

usually when it breaks and stops it jumps to where it was being accessed from, no?

All right, it's in the return right??

yeah

should it go somewhere else lol

Yeah, lets check where this call is coming from

ok still no jump

but i got it to add a break point before the card loads

do i add a what accesses this memory address check now lol

I would check how It looks in ghidra for now

the exact same

because i knew where to add the break point at

this is the bit check function

Great, I would look into the return of the assembly code

Like to know which bit we are checking or the function that checks the bit

oh how would one do that

Stepping in the return of where it stops

Just like yesterday

back to the same spot as before

with the test eax, eax

Yeah but might not be same function

Lets check the Code in ghidra

it appears to be the exact same function from yesterday

This is the just after the entry right??

what?

i have no idea if it's after the entry 😭

i just added a break point to the bit check function

did a few jumps

same spot

same function :/

I mean

You alt tab just when opening the game so It doesnt go on

Then you place the breakpoint on the bitcheck

which i did?

Okay that's what you did in this case then

yeah lol

Okay okay thought you might be somewhere else

no yeah i did a bunch of jumps, got to the same test eax, eax thing

went into ghidra

traced that function back

Wdym a bunch of jumps??

sorry

step intos*

Oh ic ic

yeah

it appears to be the same function from before

so the bit check in the beginning is returning the value here

for some reason

which seems to be comparing the value of a bunch of stuff

How many functions call this function??

how would i get that number

Like the xrefs

13

Not many apparently

is that a good or a bad thing lmao

Good because it's a function not called by a bunch of stuff

So might be close to something

oh so i just gotta check each one

Nah nah no need lol

I just thought you force the defaultmc value here

And see if that fixes the crash

nah i force it at this top address

14010f600

right here

replace the MOVZX with mov EAX, 640

And that crashes the game correct??

yeah

but also colors the config screen pink

where?

i don't see a place where it checks the gender bit flag

Okay then, what if we place a breakpoint at the ret of this function and see when It is being called at the start???

or where it accesses that address

sure ill try that

Since it's the one causing the issue

Lets test that

Maybe we get to same function for pc

ok that froze the game

That's a good sign

that also accesses the same test eax, eax address

i guess it all comes back to that

Same exact address??

the return returns the value there

oh wait no

different address

You sure it's same one??

same structure

14010F39B

Nice good sign

At the end of the day it's making a book with the test so most likely the same structure Will be done when this function shows up

Uuuh this is looking similar to my function!!!

this actually looks pretty close

yeah that's what i'm saying haha

not exactly the same but like

almost there?

Lets force the default MC path here

How does the jump looks like??

Like the branch after the test eax

so double click the lab thing?

Oh wait Its in the ghidra view, I'm blind lmao

It would be the jump here

yeah the JNZ?

i clicked that

What we are gonna do to try to fix it is nop the jnz from here

So that in never jumps

Forcing the mc path

ok done

unpause the game?

Is the pink patch on??

oh no whoops

Let's check it with the pink patch

But remember nopping the instruction again, the 14010f39d

damn it crashes anyways

not even paused

Didnt paused??

yeah when you tab out it pauses

crashed anyways

yeah no i can't get the game to freeze with the mod enabled

Maybe it's crashing too fast??

yeah

and im spam clicking to tab out

nothing

i think i should go to bed

it's 2:20 AM

do you own P3P PC?

Unfortunately no 😭

damn

sad times

Yup

i would love to keep going at this but i am exhausted and i'm starting to act stupid

Can only try to help through chat lol

but lemme get the gist of what to do when i get up

i need to nope out a path to force the femc

not do what i did and force the isFemc byte to always be the femc value of 640

Well to force the default mc path but just in this function

yeah

too bad there's probably a million functions with test eax, eax that are super close to what we need

Well yeah, but not so many at the start of the game, which is what we looking for

yeah

And this one is looking sus

So maybe we are in the good way

guess i can't launch with reloaded if i wanna be able to freeze at the start

no matter what i guess it has persona essentials enabled

Maybe you can patch it directly??

even with all my mods disabled

Like the nop

Include it in the patch

like with an inaba exe patch?

Yeah right??

project for the morning

Yeaah, lets see what this does

Gn!!

i will say the function isn't exactly the same

it's very close but the math should be the same regardless of language

Yeah, but could be decompilation shenanigans

so it's not the same function

@nocturne trench don't tell me that the math could change with assembly languages 😭

math is math

lemme check the function

what we're looking for for reference

ok i'm looking at this closer and it's stupidly close

Could very well change

Yeah right??

like look at that very bottom part

basically the same

Uuuuh we are on the same page

You can name the tags if you want

Just like mines if you wanna keep the info in the code

there's no two returns though

but god are they close

this is kinda pissing me off because now i'm interested but man am i tired

But there are two gotos that go to a return in here

that's true

maybe the math does change from assembly languages

fuck man

ok 30 more minutes is all i'm giving this

Yeah we are so close, it's tilting lmao

2 minutes while i get water and a drink

Nicee

What math are you referring to?

Guess he is refering to the pointer references

But yeah from psp to pc they will 100% change

Ah right

If the structs changed then yeah

back

Could be possible in some manner

ok so this should be the same function then yeah

so what did you end up doing to it?

you noped out what again?

the path to the crashing thing?

so this?

I nopped the circled path, most precisely the if (iVar3 != 0) goto FEMC_CRASHING_PATH

i wonder why it's == 0 now

that's the confusing part

So not this watch out

not that?

Nope, thats from later

I'm nopping just after the isFemc function right??

so that?

gonna be honest i don't think our IsFemc functions are the same

Yup, that if (iVar1 ==0 from the top)

ok

so

this hurts my head just a little

one second

i need to make a sigscan of this address for the cheat

figure out how it looks by doing exactly that in cheat engine

and then copy the code + the offset as a patch to inaba exe patch

ez

i think

Don't know how it works for pc

But I will trust

XDDD

uh

i don't think my pattern includes my address for the part i need to nope out

am i crazy or is it just not there

oh that's cool it got cut off

ugh

how go i get the full thing

or like from my current position

trying to do from cursor position spits out this error

whoops

forgot to send the photo haha

Oh right, some function changed name in ghidra 11 or something like that

I forgot, you need to fix the makesig script

Replace yours with this, it should work then

sounds easy enough

oh

thank you

ok let's hope this does it

awesome

no more lengthy signatures

takes much longer >.>

Is it patching now??

i think that's correct?

i'm a little worried about the pattern being less

oh that's why

so 7 byte replacement for a 8 byte pattern?

that feels wrong?

Wait what it is being nopped here??

In ghidra for reference

the lab you told me to nope out

But that's the tag, I meant the jump to that tag

oh

This I meant

so the 74 12 just below it?

wait what?

highlight the correct part lol

so nope out which part?

this?

or this?

Like, select the part I rounded in the code

or the JNZ

The jnz iirc

But you can select it in the ghidra code and it will show up in the assembly

yeah i gotchu

ok i think i got it

lemme test in game

OH MY

IT

IT WORKS

LFGOOOO

I SAW THE PINK CARD

OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOH

dude im geeking

and i made it in the time limit

god damn

this is crazy

We cookin rn hahaha

ok i gotta get a screenshot of the pink card

im so happy oml

Hehehe you can rest easy now 😉

yup

thank you all for sticking with this

i need to take a break from all of this before i tackle the other stuff like player advantage and analyze UI

Only thing is you should not force the pink in all the stuff but rather write the femc flag

Because rn it's probably forcing pink everywhere

But we fixed this which is so nice 👍

yeah ill have to figure that out

i could just tell people not to enable when playing as MC

since the only issue it seems is that it makes you kotone when loading a male save

Would be a more radical solution

But it's up to you

There are not so many places that write the gender in the title screen tbh

In my psp where just 3 or 4, it's commented in there

Getting something here

Seems it's all static addresses for these colors, they are all set in the binary

So guess I gotta find the femc colors in there to find the reference to femc ones

Looks offseting the blue colors to 0x64 seems to do the trick, blue and pink colors seem to be separated like that

Got the whole menu to pink!! You can see it's not affecting default mc at the end of the video

This is the new cheat for this

oh

that ain't supposed to happen

how would i trace back the color of this

searching for the hex code does nothing

You can look for Garu string in the memory and place a breakpoint when read

That should lead you to the function that draws that menu

Lol that's weird

there's actually a function called BtlMenuRenderTitle that i put a break point in

seemingly stopped the loading of the UI

i did step into a few times and it took me to this

don't think this is what i need

Nah it's just executing functions in memory

otherwise the function looks like this

Yeah same stuff, it's too general

You should look for the specific one

should i check the xrefs?

there's only 4

Nah, that'd take you to more general stuff

By the way when the XREF has an address and (*) it means it is a memory reference to that function

The other ones are functions that call the functions you are inspecting

It has the name of the function and the line that calls the function you are in

ok im in a new encounter, i need to look for the skill and add a break point to see what's caling it?

1400c0c10

Well, good luck with this I'm gonna sleep rn 💤

That could be a way to find it

just keeps taking me to the checkfordebugger part

Like having these strings on screen give us an advantage

Because we know the menu is printing that, which lead us close to the other coloring/drawing

right

i'm getting nowhere with this bash stuff 😔

should i look for the MAX HP and MAX SP values too?

yeah no adding a break point before the skill name isn't doing anything

it's probably pulling from somewhere else

only 3 references to cowardly maya in the games memory

adding a break point before each one does nothing to stop the game

ugh

no idea what happened

but P3P (even vanilla with no mods) now crashes when i load tartarus

ok i guess it's just one save

how do i pull saves down from the cloud

https://discord.com/channels/746211612981198989/1270544081310978139

welp i can't do any testing until i solve this

so that's fun

Found the colors for the yes/no of aoa

Did you save with some mod or something?? So weird

nope just loaded the save

it made me kotone

then i tried to load tartarus

perma broke after that

That's weird, not very sure what could cause it

Because if you didn't save or anything it shouldnt be affecting the save

Well here's current cheat with this

damn you're finding much more than me

forgot about that one even existing

i wanna figure out how to fix that kotone overwriting the male save thing

so i can keep this mod enabled because it's sick

do you have examples of the functions that do so?

they all rely on BitSet right? so i should check references to that in ghidra?

or is it bitcheck?

Yeaaah it's BitSet

You should be able to find most of them just placing a breakpoint at the return and looking where it's coming from

In PSP there were these:

_L 0x20004A04 0x34040001 # Set femc flag just before loading card shows up
_L 0x20199588 0x00000000 # Nop branch to avoid crash at the start
_L 0x2001D86C 0x34040001 # Set femc flag just before loading card shrinks down
_L 0x202594C4 0x34040001 # Set femc flag just after hitting "New Game"
_L 0x2025A1A0 0x34040001 # Set femc flag just after hitting "Load Game"

So these are the cases you can look for, most likely there won't be more than in the psp

oh right i can do that

The first ones maybe are more tricky since they set it just when launching the game before the card

ok lemme reinstall cheat engine

Although the second one is when the card is gonna disappear that it shrinks down

Did you uninstall it??

yeah i was frustrated because my save broke haha

But you can't uninstall peak...

damn getting it to freeze before the card loads is so hard

it's so fast

damn you fast PC

We need a slower pc lol

Well can't help you very much, it's quite late here

Hope you find the stuff

damn it didn't freeze

are you sure we add a break point at the return?

can you show me which return you put it on?

or where you add the break point?

oh right you just said you can't

haha sorry

yeah no the game ain't freezing no matter where i put the breakpoint in BitSet

i feel like i don't understand how breakpoints work 😔

it never freezes like y'all says it should

yeah no it doesn't freeze

yeah im hella confused

i can't get it to freeze like it should

if it doesn't freeze i can't step out / step into

am i doing something wrong?

like am i too slow? is it not accessing bitSet?

ok it's definitely BitSet

there's 151 xrefs

ugh this shit sucks

so i can't get it to freeze

should i try to go through all 151 xrefs?

lol i was on the 1.1 exe since i reinstalled the game

got it to break

150D04D99

current address

ok for some reason it seems to continue past the loading card for the BitSet

but it still freezes

so the card isn't handled by BitSet

do i just keep clicking StepInto until i find what i need?

ok so not step into

it just leads me to the bitset function

ok breaking on the first bit set does nothing 😔

unless im just stupid

i can't get it to take me anywhere meaningful

and it seems to happen after the card loads which isn't right

so there's gotta be something happening before the return right?

am i just breaking in the wrong spot?

i click process > load file whatever it's called

the game insta breaks

so i add a breakpoint at the return of bitset here

then click run

the game loads the card, then stops after the card disappears

so clearly the card is something else

how would i get to where it's grabbing a value with BitSet?

i can't figure out the step into / step over / step out

ok i think i get it now

i need to let it run through each BitSet until i find what i need at the beginning of the game

because it's stopped at the first use of BitSet and i can't continue through each

so i need to click run, step into, copy the current address and go into ghidra and see what's there

oh i went through all the BitSets

and i got nothing from em

this is a dead end i think 😔

ima definitely need swine up in this because i'm pretty sure i did everything right

lemme summarize

i opened the process via the exe in cheat engine which insta breaks, added a break point to 150D04D99 which doesn't break before the card loads but after it disappears

then i went through each BitSet reference by clicking Step Into, if it lead nowhere i clicked Run which took me to the next BitSet reference

none of them had anything meaningful

i'm just confused as to why the card was able to load while there was a breakpoint at BitSet, it might mean it's being handled by something else, but what?

Don't tell me you want through all the BitSets

That's nuts

Like maybe because of compilation It wasnt strictly calling BitSet

But thing is the game is setting the flag

So you could try BitSet

But if that didnt work you could try to add a breakpoint when the femc flag is written

Which is the behaviour we are looking for

well i only went through all the bitsets called at the beginning of the game

i definitely didn't go through every BitSet

for some reason, despite adding a breakpoint to bitset, the game continues past the loading of the card and only stops once it disappears

so there's something else that handles the card i assume

otherwise i was completely stumped and got basically nowhere @graceful pawn

You could try this then, maybe It is handled by another function that does the write in pc case

what is the femc flag again?

the byte? or the bool?

is it the IsFemc thing?

or is it the DAT?

DAT_1433636cc

oh yeah there we go

we did talk about it

Yeaah the DAT isFemc function uses I mean

weird

adding a break point to the DAT address did nothing

hell it's even 00

a bunch of stuff does access that address though

about 6

You should add a breakpoint but when that address is written

Written I meant XDD

i did do that and nothing stopped

i can try again

Something has to write to that address tho

If nothing writes to it then how is the default mc address set to the mc??

alright ill try that

i forget that break on write and hardware break points are different

Yeah, that's important, keep an eye on that

oh sweet that did it

150D27003

How does it look in ghidra??

like nothing

took me to the same function i was looking at before

What about skipping this write and going for the next write it does?

so press run?

Yup

150502003

How is it looking??

like more nothing

the card in game loaded btw

so it's gotta be the one before this

Did this show up when the card was about to shrink??

nah it looks like it was still spinning

is the shrinking part what i'm looking for?

I mean if you press run again it instantly shrinking?

Yeah, we looking for the first part and then the shrinking

if i press run again it insta stops and takes me somewhere else

Let's see where is it taking us

This looks like setting default values for all the flags zeroing stuff

probably

Interesting, so this is writing to the isFemcFlag

yeah?

does it seem familiar?

Let me take a look

What about going to the ret to see where is this function call from??

Also what are the XREFS of this function??

2 xrefs

140259282

That's interesting, might be a function only called at the start then

Looks like a function initializing lots of stuff to me

Have a similar one in psp

return goes to this

1514114A5

back to the init function

By the way, is there some way to get the ghidra project??

oh yeah

just get 11.0 and download this

Would be cool to take a look into it while we investigate

download this

Thanks!!

np

lemme know if you find anything haha

All right, will be setting it up

But yeah that way I might find some similar functions hopefully

And comment the stuff we find

Ok so what is the isFemc flag address again??

Was it 1433636cc??

yeah i think so

youc an also search for the IsFemc label itself

left it named like this then

True 😅

Okay so interesting stuff

We can see the only function that writes directly into it is this one you found

So we can say it forces default mc value

Since there's one real reference to this function we could safely set the femc flag here

Okay so lets analyze this

First it's doing an AND with the current value of isFemc with 0xffffff7f

right

and that value is either 256 or 640

640 for femc

im assuming it's doing some math to get to 4104 / 4103?

0xffffff7f is 11111111 11111111 11111111 01111111 in binary

So it's leaving the other values as they are and setting that one into 0

Which might be the flag we are looking for to set into 1 right?

yeah when the game starts up the byte at that address is 00 00

but when the game progresses it becomes 00 01

that 01 might then be the OR with 0x100 right?

i believe so

Okay so to do this we might set that bit into a 1

wait where are we looking at?

which address are you at?

We looking into this operation here 14025927c

This one

oh right ok

you think that's the set protag gender?

alright

so what, we need to change the value it grabs to something else?

That's what it looks like right??

yeah

The other is setting a 1 so most likely be the other byte you talked about

right

Okay so what we must do is an or to set that bit

ok that makes sense

With 0x80 since it is 00000000 00000000 00000000 10000000

so i need to change the mov to set the value?

oh wait

replace the 0x100 with 0x80?

Nooo, we gotta replace the and operation

ohhhhh

So we gotta load the 0x80 instead of 0xffffff7f

oh

And do the or instead of the and

that part appears to be be the BTR part just above

Looks like it right??

Then probably it's just changing to BTS 0x7??

Dont know these instructions but looking at the other one would make sense

Will look the instruction set

x86 is so convoluted lol, in mips there are not so many instructions

so i would change the function at that address to bts eax, 07?

ok that did nothing

but no crash

Hmm, how is the isFemc address looking??

Oh hold on think we didnt do the stuff lol

not much

oh sorry lol

jumped the gun there haha

We didnt look the rest of the assembly hahaha

oh lol

Okay so should be or eax, 0x80 I guess??

at 140259260?

Oh no hold on

ok lol

These are the other bit operations in the upper part

So it must be doing it with btr and bts but how...

Okay so it should be the bts eax, 0x7 it seems

How does it look in memory when applied tho??

at what address

i can apply it real quick

Like the isFemc address just when we apply the OR

yeah

Just to see what value it is

at 140259274?

Well just after doing that yeah

nothing really changes

should i click run?

Not run yet but step into

To see what it does to the value

15C333025

just the entry function

Nah I meant seeing how the femc address changed

oh

you said step into

When the bts was done

oh so click run then

No because run will skip the whole thing

Step into is next instruction no??

yeah but it just took me to entry so i didn't get to see what it did to the value

Weird, then the step into might not be the thing

Don't know cheat engine naming of stuff 😅

Then its step in right??

Or over

Doesnt really matter then

i think it's step over

15C333025

But there's no function so shouldnt apply

yeah

step over also takes me to the entry function

But how is it jumping the rest of the code??

I dont get that

I meant a single click into step into

yeah i know

And it's taking you there??

What the hell 😅

Let it run and see if it goes to that function again then

did i mention i launched the game via cheat engine so it insta breaks

should i add a break point?

Yeah you could do that as well

ok it stopped after the card loaded

step into?

After it loaded??

took a few step intos

Wasnt this before it was showing up?

1514114A5

took me there

Okay so maybe this is being done when it shrinks then??

probably

Do you notice it turning pink when it shrinks??

lemme see

ill have to click run again

Yup

nope

stays blue

also blue

Hmmm, maybe this function is not that useful then

.

Or we are setting the value wrong

But dont think so

i think it might be the second thing

Well there is something we can do to check

Just after setting the value with bts

this is just changing to bts from btr, right?

We can place a breakpoint in isFemc to see where it is goinf

we're looking at the same isFemc right?

Yeah, should be

1433636cc?

breakpoint?

hardware breakpoint or break on write?

or break on access?

A hardware breakpoint

alright

and modify the code at the same time?

Yeah, to see how the isFemc flag looks

ok double done

run?

Where are you now, on the bts??

yeah

Okay so run yeah

loaded past the card

didn't turn pink when shrunk

yeah everything loaded fine, no stopping

Hmmm, how does it know the card color??

Well we can also watch at the reads of the isFemc flag then

alright

and no breakpoint?

just let it play out?

or break on access?

oh that was fast

break on access yeah, just after the bts

break on access stopped before the card loaded

1433636CD

literally nothing

Well we knew this one already

somehow quite literally nothing

150D27003

more nothing

150502003

this one stopped after the card loaded

eh?

run one more time?

Hold a minute, I'm checking stuff with ghidra, it's quite slow with a project this big lol

no worries lol

But spoiler alert

This might not be nothing lol

how so

Wrong decompilation, we know instructions are there because the game does execute them

And this is looking interesting

It's making bitsets into our isFemc flag

oh?????????

that's interesting

True

Only thing I wanna know is where this function starts

ok how do i give you that info

Looking at ghidra we could infer that this is the start of the function

Given the references to this address

right

i can also go into cheat engine and click selcet current function

I had an idea

Do you see that btr EAX, 0x7 right??

What if we change it into bts...