#Re-finding sigs so that I can update someone's mod to 1.0.4

Theres a specific mod that secreC made that would be very useful (unhardcoded toolkit) and because of how niche the mod is the only one who would update it would be secreC. But he's busy with life and I don't want to drag him back into updating this just for me. So I want to take this into my own hands and try and update it for him.

But the issue is I'm not exactly sure where to start with this. I know the ghidra interface and how to work it a bit. But stuff like re-finding the signatures and updating the asm hooks are a bit hard to wrap my head around (especially since I'm not the one who made the mod in the first place). Any guidance on this would be really appreciated.

Generally, you will want 2 ghidra projects - one for older version and another for a newer. Take the pattern, find it in the old version, then find that same function and code in the new version (obviously, it can't find the old pattern, but perhaps it can find the pattern for the function, or for a function that calls that function, or something like that). Then just make a new sig for the new version.

Of course if it's an actual injection of assembly code, it gets more complicated as you might have to fix the code, in which case the only way to do it would be to figure out what the old one was doing and make some changes. Maybe the registers have changed, or the order of the operations, or something.

I see, that makes sense. For the second thing. How would I know that it's code injection? Is there some specific thing I have to look out for to tell the difference between them?

Well, with a sigscan pattern reloaded 2 just finds some location in the game's memory (in code, in our case). The mod then does something with that location, ranging from function hooks to raw memory edit. Check what the address found is used for. If it's an assembly hook, you will know, because it will have some assembly code being injected with an aptly named function.

Alright, for determining the sigs. Would it be all addresses? As in only addresses that use utils.SigScan or is it also the ones like this for example:

                "48 8D 05 ?? ?? ?? ?? 49 83 C2 08",
                "48 8D 2D ?? ?? ?? ?? 85 FF",
            };```

Or am I just reading this incorrectly?

Also thank you btw, I really do appreciate this.

Addresses are just locations in the memory. These are patterns to find those addresses, because between different game version actual addresses change, but the code itself usually doesn't, and so you can find it using the same pattern (unless the code itself does change, like what happened with 1.0.4 update).
What you have here is an array of patterns, used to find several addresses and then do something with them.

Each pattern can find one or several addresses, they're basically just a sequence of bytes, it goes through the game's memory and tries to find these bytes going in that specific order (with ?? being wildcards, meaning it can be anything)

Wherever it finds that sequence of bytes, that would be the address it's looking for, which can then be used for hooks or something else.

So if im reading this correctly. utils.SigScan("48 89 5C 24 ?? 57 48 83 EC 20 48 63 FA 48 8B D9 39 B9 ?? ?? ?? ??", "lmapImageLoadAdr", So then the address here would be lmapImageLoadAdr right?

Yes, whatever lmapImageLoadAdr is, it's trying to find it here

Alright, that makes a ton more sense now. Since I don't have their labeling, how would I go about finding the addresses? Would I use the patterns or is it just a guessing game based on the code?

Just take tha patters and find them in an older ghidra project, and then try to find that code in the new version as described here

Alright, nice. I'll poke around now and see what I can come up with. Again, thank you for this.

I'll give an example, seeing as I kinda need to update my own mod anyway

So for example, I have this.
Failed to find pattern for LEA_1407afc81. Pattern: 4C 8D 05 ?? ?? ?? ?? 8B 4A ??
I search for 4C 8D 05 ?? ?? ?? ?? 8B 4A ?? pattern in older ghidra project (for version 1.0.3b) (search memory or S hotkey), and find it (image 1).
So I go to the start of the function and make a sig for it (with a makesig ghidra script, don't know if you have it). I search for that sig in the new version, and can't find it. Too bad. I find usages of that function in the old version, go to the first one. Can't find a pattern for it or the instruction either, but, close to the function call that I can't find, there's a use of a string "Participate::PrepareSkill" (image 2).
In the old version, there's only one usage of this string, so figures it's the same in the new one. Find the string (Search > For Strings), find the one that has a usage, go to where it's used, and here we are - similar code (image 3).
Now, find that code in the old version of the function and in the new one (with the help of the decompiled code, for example). As you can see (image 4 and 5), the code is pretty similar overall, but still a little different, which is why it was unable to find the pattern.
Now, in my case, I use the address to make a simple assembly hook that replaces the address for the LEA instruction. I create an assembly hook for this address that looks like this:

"use64",
$"mov r8, {(ulong)pActiveSkillData}" // new location in memory that I created

So, seeing as the instruction I'm searching for didn't actually change (it's still LEA and the register is still R8), all I need to do here it to replace my old pattern with the newly generated one.
Now repeat for.. 79 other addresses.. ugh.

This actually explains so much. I'll have to cross the assembly code bridge when I get there but honestly it's not as bad as I thought it would be (though of course I'm just jinxing it but oh well). I didn't know there was a script, do you know where you got it?

But other than that I think I get it. I truly do thank you for this. Sorry im saying thank you so much. But you have no idea how long I've been waiting to finally figure this out. And i'll get to help out people with it too which is amazing.

Someone shared it or mentioned it, I don't rememeber anymore. It's here
https://github.com/nosoop/ghidra_scripts/blob/master/makesig.py

Nice.

You can also read through my Ghidra thread if you want, as I fumbled through learning it
https://discordapp.com/channels/746211612981198989/1232789241256218644

Oh right, now that I have a better understanding. I can read it, lets go. So i'll go through the sigs and see if I have any other questions or something after that.

hmm, so it seems I can't find anything with the patterns on 1.0.3b. Even the pattern in your example. I have the dump from here. I'm not sure why Arkadia's would be any different since this is way before the 1.0.4 update dropped. I assume I'm just doing something wrong but I'm not exactly sure.

Hm, hard to say. How are you searching for them? Search as hex string iirc and in all blocks

Yeah thats what I did. still came up with nothing.

Like this? I tried both hex and string.

Wrong format

"Hex"

okay so it just lied. I tried this multiple times before but I guess now it works. Thanks though.

oh yeah rq how do you use the script? I have it in the scripts folder and can use it in ghidra but what exactly do I do? Do I just select the function then run the script?

Yeah, click somewhere in a function and just run it. It will ask you whether you want to make a sig for the function or for the specific instruction you clicked on

Ah ok. Makes sense, one last question. Some of the patterns are actually still there in 1.0.4. Are they just fine how they are and I shouldn't mess with them?

Yeah, only some of the patterns will be broken, the majority should be fine (depends on case by case of course)

Alright cool just wanted to make sure. Thanks again, hopefully I shouldn't have any more issues for now.

so im looking it over again today. He actually pushed out all of the stuff he had lying around (because before this he was gonna do a major rewrite). So not it doesn't look too bad. Well not as bad as it was before. So while I do that he also mentioned "maybe update registers used in asm hooks". And I'm just wondering how I'd go about that if they do need updating? (also sorry about before, I just didn't really know what you meant. Since I guess it was too vague for me.)

Depends on the code. It's possible that the register used in the code have changed, and if it did, you may have to change it in your asm hook as well. That was not the case in my example, but for example look at image 2 and 3, the second line to be specific. Here, what used to be setting some value in a struct to 0, now is setting a register to 0. The code is still doing the same thing overall, but in a different way.

Oh okay, that makes sense. Thank you.

hmm, what search settings did you use for the sigs? I'm trying to retrace your steps. And I have the sig you have (FUN_1407afb90). But like earlier. No matter what settings I use it can't find it (it is there I checked because I found it through the pattern). The picture is what I have now. I'm probably just doing something stupid again. But oh well.

I know it's not a string but any of the other ones wont work. I guess technically I can copy the hex that it generates. nvm

You should be searching for the pattern, with format being "Hex". Though in this case you can also just go to the address with Goto (G hotkey), address is 1407afb90

ohhhhhhh

okay, thank you.

Another question. So im doing one of the sigs that I made with the script FUN_14135c2f0. The pattern isn't there. But the sig is I think. Do I do anything specific with it or am I just reading it incorrectly?

oh right this is the address.

so I found this part near the pattern in 1.0.3b. How exactly would I search for this? Is it a string or something similar?

This seems to be an array of strings (or at least of addresses of strings). Go to the array, then go to any element of it (string itself). Then find that string in the new version and it's usage

To here right? I've been trying all of these and they don't bring up any searches on 1.0.3b. Granted that could just be me fumbling the search (I did do string this time).

This is an array of addresses, double click on one of it's elements to go to that address, that would be one of the strings you can search for

of course my stupid ass didn't click on all of them.

this should be a\ string right?

the PTR one

You can always check

Yeah, i've been trying different combinations of it when searching in 1.0.3b and it doesn't show up when searched.

You can just double click on it though and see where it leads. Going by the label, this is a pointer to a string

Phew. Okay, so for reference the string was like this. "field/panel/lmap/map_l_kichijoji.dds" I didn't actually click in my head to try it. So that mu fault. But finally yes it does exist in 1.0.4.

i know it's not shibuya but they're all spec'd like this.

alright perfect I think I found the pattern I need in 1.0.4. So then I make a sig for it then put that new sig into the code along with the pattern?

Uhhh, I think you're confusing some terms or something

Sig and pattern is the same thing

yeah mb I just realized

Is there anything specific I need to do to build the mod after I'm done? Or do I build it normally like any other program? Im using visual studio code.

https://reloaded-project.github.io/Reloaded-II/ProjectSetup/#building-your-mod

It basically builds the mod into your r2 mods folder

Ah I see, they really should link these docs in the server. The only way I've found them is on the github (so that could just be a me issue).

do address arrays always lead to strings or can there be ones that don't have strings?

It's just an array of addresses, they can lead to anything - strings, values, structs, functions, whatever

Alright, i'll keep trying at this.

So i've been trying to figure this out for a couple hours now. I must be missing something. Because this pattern only has an address array with no other data or strings in it to my knowledge. And all of the patterns surrounding it all have the same thing DAT_141a23e60 for example with differing numbers. I'm just not sure what I'm missing. And i've checked the addresses attached to it. And they also don't have any strings or any real landmarks to use. I hope im just blind and it's here somewhere.

I should really figure out darkmode

I think I'm gonna sleep on it. I mean I haven been learning this the whole day so maybe that's effecting me not seeing it?

You can try to make a sig for the start of a function, or for some random place in it that may be unchanged in the new version. Or for the function that calls it or something. Or for one of the functions that also use that DATa

Basically anything that can lead you to that function in a new version

I was trying that a bunch. But I guess I did try making a sig for everything. I'll try it tomorrow. Thank you.

did you ever figure out the answer to this?

in relation to searching with the top bar

Search in program text, maybe only tick operands or something

Thank you. Yeah every single pattern that I've tried after the first one I did. has lead to the DAT situation so I just need to try everything at this point.

Searching for a literal won't be the answer, I'm pretty sure of that lol

There can be thousands of uses

Im in that kind of phase where you have next to nothing to go on and you need to try everything. But yeah you're right. Just been going through your old thread right now and trying to find any scraps of info I can find. I wont give up.

that logger that got posted in that thread. How robust is it? As in would I be able to bruteforce it if I know the general area the right pattern could be in?

What do you mean by "bruteforce"?

trying every single pattern even vaguely near it using that thing you talked about before here?

like making a sig for 1.0.4 near enough. Then branching out of that sig.

oh right, cause it'd just be logging it. And I wouldn't really get any info from it. nvm

You can just make sigs around it and search for them in new ghidra project

thats what I mean. That currently isn't enough. And I was thinking I could use that to get close enough to then bruteforce the right answer. But even if I were to trigger it theres no telling it'd be the correct pattern when I get to it.

Have you tried sigs for the functions that calls the function you need?

How'd that work? Cause wouldn't that just be too large of a call cause it's only supposed to be just one pattern? Or is my brain too fried

would this work?

No, like, functions call each other. So in the old project, find what functions call the function you need, make sigs for them and search for those sigs in the new project. Or maybe those functions have strings in them or something easily identifiable

You can theoretically keep going up the call tree until you find something

I see, i'll try that. Thank you again.

I just needed to sleep on it. Im working through these sigs now quite nicely.

Finally, all of the sigs should be done. Now I just have to debug it. Again, thank you light. I really do appreciate this.

Sure. How many were there?

Around 7-8 I think. Most of them were actually fine. I was just overthinking it tbh. Once I got into the zone it went by pretty fast. But I now understand the pain you guys go through modding this game.

Granted I haven't actualy been able to test it. But I feel confident in the sigs. And/or willing to accept defeat when they're wrong.

I see. I have close to a hundred, which is why I'm trying to dodge the problem hard

Doing them by hand will be a bit much lmao

I could help you if you want? It's only fair since you helped me so much.

Nah, no need. I've mostly succeeded at cheating and not having to deal with it. Mostly. And the rest is related to tool development

Alright, but if you ever need someone to do grunt work like this. I'm your guy.