[REQ] Rance IX – The Helmanian Revolution

[matpar]

If this is not too much work - maybe some light write-up how this table was done.

[happyTugs]

Hello everyone, here's the release...



Abstract:
This table was tested on version 1.00 of Rance IX using Cheat Engine 7.4. Make sure to toggle "Hook VM" first. Each script does it what it says and must be enabled one at a time.

Since I didn't have a full save, I had to make some guesses regarding which characters occupied the character structure, so let me know if they are wrong.

If you crash, let me know what version of cheat engine you're using, what version of the game you're running, and how to consistently replicate the crash.

This table was tested on version 1.00 using Cheat Engine 7.4.

Rance9.CT

Hook VM First! bye...

(154.55 KiB) Downloaded 3101 times

All the heavy lifting was provided by these cool individuals...

• nunuhara, kichikuou, OPNA2608 toufuguy - Thank you all for your work regarding Alicesoft's proprietary engine and file formats. I would not have been able to make any key analyses without the use of your tools. Thank you so much for sharing your work since I have definitely learned a lot about virtual machine architecture and the System engine. [Link]
• SomeLoliCatGirl - Thank you for the wonderful AIN to bytecode decompiler. Your decompiler helped me tremendously with my analysis because I was able to locate where the bytecode was being interpreted and where it was being stored. As a result, I was able to craft my own custom bytecode injections, and effectively localize myself within the System VM architecture without doing much guessing.
• Tim Blazytko - Great educational video regarding analysis on VM architecture! [Link]
• FamousAnos - Thank you for the save!
• Darkbyte and contributors - Obviously...

I had a lot of fun modding the game; will do a writeup later...

cheers!
happyTugs

[injoker25]

Hi, Thanks for your efforts! i hope you could make this work for CE 7.2, it says i required 7.4 for this i have troubling installing the new version of cheat engine cause my anti virus is going crazy

[needdown0909]

Hi, Thanks for your efforts! i hope you could make this work for CE 7.2, it says i required 7.4 for this i have troubling installing the new version of cheat engine cause my anti virus is going crazy

just turn of your anti-virus or add exception temporarily
that's what i had to do

[happyTugs]

Hi, Thanks for your efforts! i hope you could make this work for CE 7.2, it says i required 7.4 for this i have troubling installing the new version of cheat engine cause my anti virus is going crazy

If you open up the "Hook VM" script, you will see the following line...

Code: Select all

{$LUA}
if syntaxcheck then return end
if getCEVersion() < 7.4 then showMessage("Update Cheat Engine to 7.4.") return end
{$ASM}

Try commenting the if getCEVersion() < 7.4 then showMessage("Update Cheat Engine to 7.4.") return end so that it looks like the following.

Code: Select all

{$LUA}
if syntaxcheck then return end
--if getCEVersion() < 7.4 then showMessage("Update Cheat Engine to 7.4.") return end
{$ASM}

I can mostly guarantee you that Cheat Engine doesn't have any viruses (since I am using it myself); your antivirus flags it as such due to CE's inherent design. Cheat Engine is open-source, and you can read through its source code on GitHub. Also, building Cheat Engine from source is not so difficult; just install Lazarus and build.

If this is not too much work - maybe some light write-up how this table was done.

System is a virtual machine that interprets Alicesoft's proprietary game files (ain, jaf, jam, etc,). The video by Tim Blazytko explained virtual machine architecture incredibly well. Moreover, I also have some experience cracking virtual machines like The Enigma Protector (which if you have cracked 6.0 and above, would you mind sending me some hints? ).

Anyway, you already know you are dealing with some form of obfuscation/virtualization if you are met with this control flow...


This entire graph is a portion of the System interpreter; it's a huge switch-case statement, and each case pertains to a particular bytecode that the System interpreter will execute. The execution units that are assigned to a specific bytecode are commonly referred to as handlers.

A common practice in reversing virtualized malware, or virtual machines is to follow a process called lifting, translating, and repackaging; whereby, the reverse engineer determines exactly what each handler does (lifting), somehow convert the information into a language that the CPU and disassemblers understand (translating), and finally repackaging the binary (repackaging). It's tedious and complicated, but there already are existing tools for the System interpreter like the tools that I had mentioned in my post.

Looking through those tools, I figured out where and how the System interpreter fetches instructions, how these instructions are decoded, and finally writing my own scripts to rewrite how these instructions are executed. This only took me a day or two.

If you look through the links I have sent and understood this far, then you should be able look at my scripts (which I have left the comments in) and determine the messy framework for the exploit. However, I have made it completely extensible, which I think is useful for future/past System games.

Talking about all of this made me realize something fatal in my code...

Code: Select all

jnle @f
  //todo: warn user that thread tried to access shared resource
  mov dword ptr ds:[lock_vm],00
  ret
@@:

If the virtual machine instruction pointer is within range, the following code will return without any stack cleanup, which will result in a crash.
Such case are rare though, but I will fix that in a future release...

cheers!
happyTugs

[wiseblue1989]

No infinite skill use ?

[happyTugs]

No infinite skill use ?

I will start operating on a "like" basis. So, 20 likes on the table before I add anything else.

Otherwise, you can add it yourself, since it's open-source anyway.

[sombra]

thanks for the table @happyTugs !
altho the character stat editor didn't work as i though, the value didnt save, but other option works well!!

[happyTugs]

thanks for the table @happyTugs !
altho the character stat editor didn't work as i though, the value didnt save, but other option works well!!

Which values are you trying to save? They are saving for me, but if you want be sure, then you can save your game immediately after you make an edit.

[wiseblue1989]

No infinite skill use ?

I will start operating on a "like" basis. So, 20 likes on the table before I add anything else.

Otherwise, you can add it yourself, since it's open-source anyway.

most of the guys who joined this forum only wants to download the table and dgaf about like, reaction or comment, well, you gain another one, 6 more to go

[sombra]

thanks for the table @happyTugs !
altho the character stat editor didn't work as i though, the value didnt save, but other option works well!!

Which values are you trying to save? They are saving for me, but if you want be sure, then you can save your game immediately after you make an edit.

yeah so SP is actually special moves uses and special moves uses is range (as in attack range), im using c.e 7.5, is it typo or should i use 7.4?

found it funny when patton suddenly can attack from 5 tile away

[happyTugs]

most of the guys who joined this forum only wants to download the table and dgaf about like, reaction or comment, well, you gain another one, 6 more to go

I am well aware that people "dgaf"; there is nothing wrong with that.

If I so wanted to, I can stop updating this post or delete everything altogether; I also "dgaf".

yeah so SP is actually special moves uses and special moves uses is range (as in attack range), im using c.e 7.5, is it typo or should i use 7.4?

found it funny when patton suddenly can attack from 5 tile away

Oops, it seems I made a typo.

Just rename it for now, and let me know if there is anything else.

cheers!

[pr0dukt]

most of the guys who joined this forum only wants to download the table and dgaf about like, reaction or comment, well, you gain another one, 6 more to go

I am well aware that people "dgaf"; there is nothing wrong with that.

If I so wanted to, I can stop updating this post or delete everything altogether; I also "dgaf".

Yeeeah, don't do that because some pleb w/ no tact mouths off about shit he's assuming. There are still those of us who give plenty of fucks. Hell I have a surplus of fucks to give out tbh.. at any rate, thanks for the table Happytugs. Very helpful.

Also I can also confirm that 'Special Move' modifier is actually 'Attack Range(by spaces), and 'SP' is really "Special Move Uses". I just relabeled them on the table. ain't no thing. ¯\_(ツ)_/¯

I have an odd request but I got myself stuck on a 3 part deployment quest in the story campaign where, for some reason the game allows you to deploy all of your members on the first two parts, thus not needing a third deployment, hwoever now I'm on the 3rd final part with no one left to deploy, which just puts my game in odd bugged standstill. which I don't see how should even be possible, but if i could make characters re-deployable or have a character I haven't collected in story yet added, deploying it might actually get me past this section.. if it's a pain to find the addresses for character availability, forget about it. I'll just start over.. but otherwise adding an option for "full character unlock" or something of that nature to the table would be much obliged.

Cheers.

[happyTugs]

I have an odd request but I got myself stuck on a 3 part deployment quest in the story campaign where, for some reason the game allows you to deploy all of your members on the first two parts, thus not needing a third deployment, hwoever now I'm on the 3rd final part with no one left to deploy, which just puts my game in odd bugged standstill. which I don't see how should even be possible, but if i could make characters re-deployable or have a character I haven't collected in story yet added, deploying it might actually get me past this section.. if it's a pain to find the addresses for character availability, forget about it. I'll just start over.. but otherwise adding an option for "full character unlock" or something of that nature to the table would be much obliged.

Cheers.

Sure, I can take a look in my free time.

What you're asking for is to find some way to redeploy characters, right?

greetz

[Lodian]

hello

if possible, cheat for unlock max (6) item slot would be nice. and rare item list.