
Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 1:40 am
by chusski
I think I'm moving forward ...
Well, let's see if I understand how your script works....

Arrays of bytes:
aobscanmodule(aob_hp,"The_Swords_of_Ditto.exe", xx xx xx BYTES: ) --->scan module of game looking for the bytes.
registersymbol(aob_hp)---> register the name for the array
alloc(newmem,2048)---> ????
label(returnhere)---> label for do go to ?
label(hp)---> label for do go to ?
registersymbol(hp)---> create array

newmem:---> ????
call dword ptr [eax+04]---> call dword (32 bits) ptr (pointer) [eax+04] (I think address +4 ?)
sub esp,04 --->( -04 to address on esp)
mov [hp],eax ---> (move eax address to hp array)
jmp returnhere ---> jump to returnhere label ?
hp: ---> ( label for do go to xx?)
dq 0 ---> ????
aob_hp+B: ---> ???? ( what is + B)?
jmp newmem ---> jump to newmem label
nop ---> (nothing to do )??
returnhere: ---> label for go to

dealloc(newmem) ---> disable label ?
aob_hp+B: ---> ????
//call dword ptr [eax+04]
//sub esp,04
db FF 50 04 83 EC 04 ---> ????
unregistersymbol(aob_hp) ---> delete array ?
unregistersymbol(hp)---> delete array ??

If I understand it correctly:
Create an instruction (aob_hp), redirect bytes to this instruction.
The aob_hp; call eax+04 and move to the new array (hp).

thx for help ^^
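An added example, not from the thread or from Cheat Engine itself, that reproduces the byte arithmetic behind the lines asked about above: aob_hp+B is the 11-byte offset of the two original instructions inside the matched pattern, the 6 original bytes FF 50 04 83 EC 04 are overwritten by a 5-byte near jmp plus one nop, and the db line in the disable part writes those bytes back. The hook and code-cave addresses below are constructed placeholders, not values from the game.

```python
import struct

# Original 6 bytes at aob_hp+B, exactly as the disable section of the script restores them:
#   FF 50 04    call dword ptr [eax+04]
#   83 EC 04    sub esp,04
ORIGINAL_BYTES = bytes.fromhex("FF500483EC04")
HOOK_OFFSET = 0xB   # "+B": the two instructions start 11 bytes into the matched AOB
HP_SLOT_SIZE = 8    # "dq 0" reserves 8 zeroed bytes in newmem for the hp symbol


def build_jmp_patch(hook_addr: int, cave_addr: int, size: int) -> bytes:
    """Encode what CE writes for 'jmp newmem' followed by nop padding.

    A near jmp is E9 + rel32, with rel32 measured from the end of the 5-byte jmp.
    The remainder of the overwritten instructions is padded with nop (90) so the
    bytes after the hook still decode as whole instructions (6 bytes here: jmp + nop).
    """
    if size < 5:
        raise ValueError("need at least 5 bytes to place a near jmp")
    rel32 = cave_addr - (hook_addr + 5)
    if not -0x80000000 <= rel32 <= 0x7FFFFFFF:
        raise ValueError("code cave is out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel32) + b"\x90" * (size - 5)


def decode_jmp_target(hook_addr: int, patch: bytes) -> int:
    """Inverse of build_jmp_patch: recover the code-cave address from a patched jmp."""
    if patch[:1] != b"\xE9":
        raise ValueError("not a near jmp")
    (rel32,) = struct.unpack("<i", patch[1:5])
    return (hook_addr + 5 + rel32) & 0xFFFFFFFF   # 32-bit process, wrap like the CPU does


def hook_state(bytes_at_site: bytes) -> str:
    """Classify the bytes found at aob_hp+B: untouched, our jmp hook, or something else.

    The same comparison is how an integrity check (or a script's disable section)
    decides whether it is safe to write ORIGINAL_BYTES back.
    """
    if bytes_at_site == ORIGINAL_BYTES:
        return "original"
    if bytes_at_site[:1] == b"\xE9" and bytes_at_site[5:] == b"\x90" * (len(bytes_at_site) - 5):
        return "jmp-hook"
    return "unknown"


if __name__ == "__main__":
    aob_hp = 0x00401000      # constructed placeholder for the matched pattern address
    newmem = 0x10000000      # constructed placeholder for the alloc(newmem,2048) block
    patch = build_jmp_patch(aob_hp + HOOK_OFFSET, newmem, len(ORIGINAL_BYTES))
    print("enable  writes:", patch.hex(" ").upper())            # E9 F0 EF BF 0F 90
    print("disable writes:", ORIGINAL_BYTES.hex(" ").upper())   # FF 50 04 83 EC 04
    print("jmp lands at:", hex(decode_jmp_target(aob_hp + HOOK_OFFSET, patch)))
```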

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 3:37 am
by Garrett Dark

I'm trying to figure out this backtrace and breakpoint stuff too because my scripts are so glitchy because it actually has shared instructions when I thought it was not shared. So I figure maybe I can try to backtrace it to a point when it's not shared to improve my scripts.

Anyways, this video might help you understand backtracing: While it's in English which you say is not your language, maybe you can turn on close captioning on YouTube and get it to translate it to your language to understand.

I also think I found a mistake in your backtracing example you posted (see in red) with selecting the breakpoint and setting the condition:
chusski wrote:
Thu May 09, 2019 2:34 pm
Cake-san wrote:
Thu May 09, 2019 6:27 am
I'm more prefer on using -Find out what "access" this address and choosing the most count when I want to make script that "get" the address.

-Pause the game by either using CE's pause hotkey or go to advanced options click the pause image.
-Show disassembler
-Right click, break and trace instruction. (step over instead of single step) -> Okay
-Ctrl+B -> select your breakpoint, then Ctrl+C or right-click -> set/change condition
-Set your condition eg: simple : ESI == 0x57AD9680
-Okay -> Unpause game

From here on you have to use your backtrace skill. A bit of assembly knowledge & a bit of programming knowledge.
You can try using this backtracing method on the CE tutorial, Pointer section, to understand it more ;)

-Control+C: (I select the first one) (it's like an HP address)
ESI==0x4e9d94b0 "simple"
You said you selected the first one to put the condition "ESI==0x4e9d94b0". I think you're supposed to select the third one which is the "Break and Trace" and not the "Find Code" first two.

I was testing this out with an instruction which was shared with 6 other addresses, and whenever I set the condition on the first one "find code" and looked at the tracer's first instruction (the original one you're setting the trace on), it always randomly picked one of the other shared addresses and not the one I wanted it to trace. It was only when I picked the third "Break and Trace" and put the condition on that, that the tracer showed the one I wanted it to trace.

I hope that makes sense.

EDIT: No maybe I was mistaken. I can't get it work anymore after posting this. :(
EDIT2: Yes, I was correct, I got it working again. The variable (ESI, EBX, etc) has to be uppercase in the conditional to work. I had it lower case the second time I tried which is why it didn't work. :D

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 12:50 pm
by chusski
Thanks very much, Garrett Dark.

This makes more sense. And thx for the video, I am looking at it all the time, trying to understand, but the subtitles don't work very well in Spanish...
Atm I am stuck on learning how the asm language works, and how to find the point where the address is not shared or where it is shared...
Trying with tutorial step 9, but no luck atm...

In this game, when we use toggle breakpoint, to see what happens step by step, on the instruction of life, the game is frozen. It should not freeze until you get hit by an enemy, right?

Thx you all guys.

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 3:18 pm
by Garrett Dark

I think this game is too difficult, at least for me. I've tried backtracing several things to try to find a non-shared address, but I keep encountering problems. It's nowhere near as easy as in that video I linked.

There's either so many calls or jumps that I can't backtrace anymore because the tracer won't start to trace anymore, or conditionals don't work anymore so I don't know if it's tracing the correct shared code anymore. Or I hit a "pop" and don't know what to do anymore. ie. If I'm following EAX being address "12345678", I eventually get to a "pop EAX", after the "pop" it's "12345678" and before the "pop" it's completely something different. So where did the "pop" get the "12345678" from? There's no "push EAX" anywhere near, and all the other variables are not anything similar to what I'm looking for.

I'm going to watch some more tutorial videos, but I think I've done as much as I can with this game. It's the most difficult and frustrating game I've tried with CE. So if this is your first game with CE, you're going to have an easier time with most other games.

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 3:53 pm
by chusski
I think, if I learn with that, I can do all the rest lol.

But yes, I am the same as you, frustrated. But Cake-san finds the way for a lot of things with backtrace.
Only need to learn how Cake-san determines the correct address to script.

That is the address where Cake-san injects the aob: 02413DC7

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 6:13 pm
by Cake-san
My debugger setting doesn't make much difference as long as it doesn't crash the game & does get a result.

So let's say I already scanned my hp address and got that address. Then I find out what accesses that address and I get this.

I want to backtrace "movsd xmm2,[edi]", so I copy the edi value and show the disassembler, then I pause the game process. If you don't pause the game process, the break point will be hit by other things that you might not want. You can also pause the game process using the hotkey that you had set in CE settings.

Then I set the break and trace on that instruction.

And set the condition using the edi value that I had copied.

After I had unpaused the game process, I get the result. As you can see my edi value is indeed what I had set in the condition.

Then, I double-click "esi,eax ", below "ret" and I get this.

So I set another break and trace on instruction below the "jmp" , above the "esi,eax " .

And the result.

Eax contains my hp address after the game runs the instruction "call dword ptr [eax+04]", so if you trace that call you can get the hp base address, but even if you get the base address, you will also see that the offset is being precalculated.

If you want to know if the instruction is shared or not, you can inject the instruction with "lea eax,[eax]" (depending on which register contains the variable that you seek, it can be "lea ebx,[ebx]" or anything else), then find out what addresses that "lea eax,[eax]" accesses.

Best regards. :D

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 8:56 pm
by chusski
Great Cake-san, thx very much. You are the machine ^^

One question, why did you decide to go below the jmp?

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 9:22 pm
by Cake-san
chusski wrote:
Sat May 11, 2019 8:56 pm
Great Cake-san, thx very much. You are the machine ^^

One question, why did you decide to go below the jmp?
Lol, machine.

I set the breakpoint just after the jmp because it produces the most results, so you get to see more.
If I set the breakpoint above the jmp, I will not get the result that I want. So, I can set the breakpoint anywhere that I want as long as it's below the jmp and above the call that is before "mov esi,eax" to get the result.

Re: The Swords of Ditto 1.04.03

Posted: Sat May 11, 2019 10:13 pm
by chusski
Thx very much again Cake-san.
I finally found the HP address.

Want to try this method, with the great explanation, for looking for Era level.
I think it's harder because Era levels and others can't be increased by the game like an Exp lvl...

At version 1.14 I got a 5-level pointer. And with that pointer, changing the offset, you can find Era, world, sword exp and level.
But I can't find that pointer manually any more at version 1.15.
And the same for items in the bag, but a 3-level pointer.

Re: The Swords of Ditto 1.04.03

Posted: Sun May 12, 2019 9:37 am
by Garrett Dark
I'm going to share a little bit of my frustration with backtracing for this game and hitting a point where I don't know what to do. Hopefully this helps people learn or somebody can tell me where I'm messing up.

So I want to find a unique non-shared instruction for the Attack and Resistances items give (Fire, Ether, Poison Attack/Defense) so I can make an AOB lookup script to point at it.

Okay so I locate the address of one, Fire Attack. Find out what accesses this address:


So I used the first instruction "movsd xmm0,[ebx]" because it's constantly updating in the Stickers Screen in-game.

I know from my other scripts this first one is shared with all the attack and resistance effects, as seen with "What addresses this instruction accesses" in memory view. (Also outside the sticker screen it goes nuts with tons of other stuff).


4E9A0F40 is Fire Attack, the others I know what they all are. So I begin my backtrace of the first instruction with the conditional "EBX==0x4E9A0F40" so it only filters out when Fire Attack is going through the instructions, as seen on the side with EBX 4E9A0F40 :


I find the return to "02C53876 - add esp,0C" and go to it in Memory View:


I see the "Call 02C34F20" above "add esp,0C", I do some back traces further up but none of them have EBX=4E9A0F40 or anything close. So I keep going back down towards the call until I'm at "Push [esp+18]" above the call and it's still no good. So it must be in that call that changed something to EBX=4E9A0F40 eventually. So I follow the "Call 02C34F20":


So I end up on "sub esp,08", do a backtrace there and nothing. It must be further down when EBX=4E9A0F40. I won't go into detail here, but I had to go into each of those jumps "je" or "jne" and such to see if anything was happening in there for EBX=4E9A0F40, and come back out when there was nothing. But eventually I found inside of a call where EBX=4E9A0F40. So I started to go backwards from the "ret" command of the call I was in to see when EBX did not equal 4E9A0F40, so I can see where EBX got it from and hopefully follow back to a unique non-shared code:


I got up to here when things started to change for EBX=4E9A0F40, all since the "ret" it was EBX=4E9A0F40 (well 4E9A2760 which is one of the other attack & resistance addresses). On the "02C35305 - mov [esp+10], ebx" it was still EBX=4E9A2760, but then....

...on "02C35302 - add ebx, [esi+04]" EBX changed to 20. On this instruction it is still actually EBX=4E9AF40, but shows 20 because the line above it made it 20, then 2 before that, and 0 before that.

So this tells me around this code is where ebx got the addresses for attack and resistances. It's the "add ebx,[esi+04]" instruction getting it somehow.

In memory view I do a "what addresses this instruction accesses" and get this (which I changed to show values in hex):


Those values are two of the attack & resistance addresses. However I should note one time I did it, it showed one wrong (not attack & resistance address) and one right address. Also when I leave the sticker screen in-game, I get a ton of "wrong" shared addresses using the instruction:


So this is where I hit a dead end and I'm stuck. I don't know how to go any further back for where the attack & resistances addresses are. The "add ebx,[esi+04]" is somehow getting it, but how do I follow that backwards? I can't use the "add ebx,[esi+04]" instruction because it's too shared. :?

The only other thing I can do is backtrace different instructions from the start, but that's starting over again. :(

EDIT: Backtraced another instruction (this time when attacking with your sword), ended up the same. Got stuck while chasing EDX, and got to an instruction of "add edx,[ecx+eax*8+04]". I can't do anything with that.

Re: The Swords of Ditto 1.04.03

Posted: Sun May 12, 2019 11:19 am
by Cake-san
Garrett Dark wrote:
Sun May 12, 2019 9:37 am
If you can't go backward, then go forward.

Try to inject "02C53876 - add esp,0C"

example script according to your image:


mov [temp],esi		// save esi in a scratch variable
mov esi,[esp-C]		// might be esp-c or other value you have to trace where your variable is in the stack
lea esi,[esi]		// harmless instruction to use with "find out what addresses this instruction accesses"
mov esi,[temp]		// restore esi
add esp,0C		// original instruction
mov al,01
jmp returnhere
temp:			// storage for the scratch variable (label omitted in the original fragment)
dq 0
Then find out what "lea esi,[esi]" is accessing to know whether it's a good shared instruction or not.
chusski wrote:
Sat May 11, 2019 10:13 pm
At version 1.14 I got a 5-level pointer. And with that pointer, changing the offset, you can find Era, world, sword exp and level.
But I can't find that pointer manually any more at version 1.15.
And the same for items in the bag, but a 3-level pointer.
Well, it's not surprising because the developer can always update the game & game engine and change a few things, and since I don't have that version 1.14, I can't know much.

Re: The Swords of Ditto 1.04.03

Posted: Sun May 12, 2019 5:46 pm
by chusski
Hi guys,

I found that (using the script pointer from Cake-San's table):

I found the pointer for "Sword Power", it's the same as Exp level.
Then if you use: exp array + 20 offset = Sword power.

Same for Level with:
World Level = level +10
Ether level = level -40
Objective Level = level -1690
Age level = level -20

I am working on the bag items:

At 1.14 you can find item slots 1 to 50 by the 3-level pointer.
Level 1 for pointer. Level 2 for Rows. And level 3 for item slots.

I can find the items with backtrace, atm only find the address.
And with this address and backtrace, find the code. But atm I only find shared codes... working on it...

The question is, how can I find the pointers of Rows and slots?
I think this is the correct way...
But if I try the normal way to find the pointer of the address in the scan, I can't find anything...

On version 1.14 your table works:
The Get level script and the offset I asked about.
Get Hp works too.

Re: The Swords of Ditto 1.04.03

Posted: Mon May 13, 2019 7:54 pm
by chusski
Sloooth07 wrote:
Mon May 06, 2019 2:51 pm
Table for Steam version 1.16.03-202.
  1. World Level
  2. Era
  3. Ether Level
  4. Day
  5. Time (Hour)
  6. Time (Seconds)
  7. Sword Level
  8. Sword Experience Points
  9. Sword Power
  10. Gold
  11. Celestial Fragments
  12. Inventory Editor (Slots 1 to 50)*
*Only for editing/replacing existing items. I've not figured out how to add new items.

Mostly for personal use, will upload new versions if there are new game updates while I'm still playing the game.

  1. 7 May 2019 - Attached Item List
  2. 7 May 2019 - Updated table for v1.15.04-202
  3. 10 May 2019 - Updated table for v1.16.03-202
One day, I downloaded the v1.15.03 table from Sloooth07 and it was working with v1.15.02 of the game.
The nice thing is that the table is working with multi-level pointers to find all items, rows and slots, sword power etc..

Does someone know how he found those pointers?
I am trying to find them like in the multi-level pointers tutorial, but nothing..

Example: if I look for any item quantity (99), and decrease it, I can find the address of the items, but if I look for the address directly I don't find anything.
Is it something in my finder config?

Re: The Swords of Ditto 1.04.03

Posted: Tue May 14, 2019 1:53 pm
by Garrett Dark

Thanks, I tried your example script for "add esp,0C", I don't think it was it. ESP, ESP+C or ESP-C were just giving me numbers which didn't appear related to anything, and they were fluctuating anyways.

I tried to trace forward at your suggestion (good idea), but the addresses I was looking for always disappeared at a "pop" instruction. I even went so far to learn about XMM registers and was keeping an eye on them, but they too disappeared eventually. The weird thing is now knowing about the XMM registers, I tried to do a backtrace to the places I got stuck last time with my screenshots to look at them, but I couldn't even get back there. Maybe I messed up, but I tried a few times with backtrace and it seemed like I was ending up somewhere different than before. I couldn't get back to before mentioned "add ebx,[esi+04]" nor "add edx,[ecx+eax*8+04]". It's like the game took a different path or something, or I screwed up.

Anyways after that, I just gave up and finished the game.

If anybody wants to learn about XMM registers, this video explained it to me: It also references a pretty good other video which explains how CPU works which is related to all this:


So after finishing the game, I decided to update my game version to try out you guys' tables. But it looks like the game updated to v1.16.01-202.

I loaded up my table to see if it still works, pretty much all my scripts still worked except for three, which I fixed for the new version. The pointers from pointer scan were all broken too, as expected. Anyhow I'll include my updated table for the new version. (Anybody new reading this, read my earlier posts in this thread about info on my table, it's fussy because the game is fussy).

If anybody needs to see my notes, I put them in CE's Table Extras. I didn't know that was there until now.

Anywho, on to better and easier games to hack for me. Thanks for the help guys, I learned a lot about backtracing.