Reverse Engineering Arcaea
Before starting
This page is being actively worked on. Content shown below may be unfinished, unpolished, out of date, or inaccurate.
This guide is NOT beginner-friendly and you will have to figure out a lot of things yourself. Only proceed if you know what you are doing.
About modifying instructions/NOPing
A frequent thing you will be told to do throughout this guide is to NOP or edit an instruction. There are two main ways of doing so:
-
Overwriting its hex address using a hex editor. This will requires a converter that allows converting ARM instruction to hex address and vice versa. As with NOPing an instruction, overwrite its hex address with
1F 20 03 D5for ARM64 or00 F0 20 E3for ARM32. This is the recommended method. -
Using Keypatch. This is the simplest method to directly modifying an instruction without having to touch the hex editor. Unfortunately, Keypatch has not been updated to IDA Pro 8.x (yet), and even with older versions of IDA Pro setting it up and get it to work can be quite a pain.
Removing hash verification
Info
Allows making changes to the game files. Only for pre-5.4.0 and Chinese versions.
In the Functions sub-window on the left, right click on Function name and choose Quick filter, then search for .exit (Android) or _exit (iOS).
Double-click onto it, and on the IDA View sub-window, press SPACE to switch to graph view. You will be presented with something like this, click onto the highlighted button to bring up the xref (cross-reference) window.
Choose the first (Android) or second (iOS) xref entry.
Note
In case neither of entries contains what is shown below, trying looking at other entries too. Please do note that if you are modding a version of Arcaea that uses content bundle (5.4.0+), you will not be able to find it as it does not exist.
There are 9 xref entries consisting of 6 B.NE and 3 CBNZ instructions, NOP all of them until there are none left.
There are 6 xref entries consisting of 3 B.NE and 3 CBNZ instructions, NOP all of them until there are none left.
Removing lock icon
Info
Remove the lock icon on locked packs. Purely for aesthetic purposes.
Press SHIFT + F12, then ALT + T and search for lock_icon. Double-click onto it and xref it. After that, press TAB or F5 to view its pseudo-code, you will see something like this:
Find this structure and highlight v132 (name may be different), then xref it, Choose the first entry.
Double-click onto the function call to view its pseudo-code. Focus on this part.
Highlight it then switch back to the IDA View sub-window. With synchronization enabled, modify MOV W8, 0 to MOV W8, 1. Repeat this for both of the variables. After doing so, all v3 variables should have 1 as its value.
Removing beyond restrictions
Info
Allows playing Beyond (BYD) difficulty on charts that have it.
I. Remove network required for playing beyond
Go to Strings sub-window, Alt + T to search for You no longer string, double-click, xref the string, scroll up until you find the SUBS opcode like this in the image:
Open the Keypatcher (Ctrl + Alt + K), modify the #3 to #5 and press Enter.
II. Display Beyond difficulty
Go to Strings sub-window, Alt + T to search for songs/songlist string, double-click, xref the first string, press Alt + T and type temp until you found this:
Click the CMP opcode and open the Keypatcher, modify the #3 to #5 and press Enter.
III. Display the Start button
Go to Strings sub-window, Alt + T to search for start.png string, double-click, xref the string and find the SUBS opcode like this in the image:
Click the SUBS opcode and open the Keypatcher, modify the #3 to #5 and press Enter.
IV. Scan 3.aff in the apk
Go to Strings sub-window, Alt + T to search for songs/songlist string, scroll up a bit to find the dl_ string, xref the string until you found like this:
Click the CMP opcode and open the Keypatcher, modify the #3 to #5 and press Enter.
And you're done with Android!
Press SHIFT + F12, then ALT + T and search for world_unlock. Continue doing so until you found exactly this:
Double-click onto it and xref it. Choose the last entry.
Scroll down a little bit until you found this.
Change CMP W8, #3 to CMP W8, #5.
While on the IDA View sub-window, press ALT + T and search for dl_, tick Find all occurrences and then search. Wait patiently until it completes.
Choose the first entry.
Find this part and repeat the same steps as above.
Return to the Strings sub-window and search for You no longer have enough, find exactly this and xref into it.
Scroll up until you found this part, then repeat the same as above.
Return to the Strings sub-window and search for layouts/songselect/start.png, xref it. After that, find this part and repeat the same steps as above.
Patching scenecontrol
Info
Make special charts effects (6 lanes, camera view, green arcs, etc..) work.
In the Strings sub-window, search for 9821191, xref, F5 to open the Pseudocode sub-window and scroll down until you found this:
I. ArcNote (Still wondering what does it do)
Double-click the highlighted address, Alt + T and search 148. Tab to switch to IDA-View and see something like this:
| Pseudocode | IDA-View |
|---|---|
Click on the LDRB.W opcode, open the Keypatcher and type nop.w. Do the same thing with CBZ opcode but use nop.
II. Camera
Switch to Pseudocode view, Ctrl + T to search the next value 148. Tab to switch to IDA-View and see something like this:
| Pseudocode | IDA-View |
|---|---|
Click on the first LDRB.W opcode, open the Keypatcher and type nop.w. Do the same thing with BEQ.W opcode.
III. Scenecontrol
Switch to Pseudocode view, Ctrl + T to search the next value 148. Tab to switch to IDA-View and see something like this:
| Pseudocode | IDA-View |
|---|---|
Click on the LDRB.W opcode, open the Keypatcher and type nop.w. Do the same thing with CBNZ opcode but use nop.
IV. Arcahv string check
While at the Scenecontrol in Pseudocode view, scroll down until you see this:
Switch to IDA-View, use the Keypatcher and nop.w the BEQ.W opcode.
| Before | After |
|---|---|
V. Green arc
Switch to Pseudocode view, scroll down until you found this:
Double-click the highlighted address, switch to IDA-View. Click on LDRB.W opcode, use the Keypatcher and nop.w it. After that, use the Keypatcher again to modify the #2 to #10 or any number higher than 3 (3 is white arc but they haven't used it. Not the wide skynote in HIVEMIND -INTERLINKED- ). Do the same thing with the second #2.
| Before | After |
|---|---|
VI. The Switch (this will be used for others as well)
I literally don't know why lowiro do this but ok
In the Strings sub-window, press ALT + T and search for gameend, double-click, xref and scroll up until you found this:
Double-click the highlighted address, switch to Hex View, F2 to edit and type 4F F0 01 (no spacing) then save it. It should be like this after editing:
Hex View
| Before | After |
|---|---|
IDA-View
| Before | After |
|---|---|
VII. Remove Skynote and Arc restrictions (over y2.1)
Note: Not recommended having these 2 modded because it'll mess up a part in Singularity VVVIP. See here: https://youtu.be/3SBjWP2JEXc?t=93.
a. Skynote
Xref The Switch, switch to IDA-View and scroll up a bit until you found this:
Use the Keypatcher and nop.w it.
b. Arc
In the Pseudocode view, scroll up, xref The Skynote first address, scroll up again, xref the first address, switch to IDA-View, AND scroll down until you see this:
Click the 550.0, switch to Hex View, click the value 80, press F2 to edit and type ef6749 then save it. It should be like this after editing:
Hex View
| Before | After |
|---|---|
IDA-View (You'll need to press F5 again to see the magic)
| Before | After |
|---|---|
And there we go! Android is done.
In the Strings sub-window, search for 9821191, xref, F5 to open the Pseudocode sub-window and scroll down until you found this:
I. ArcNote (Still wondering what does it do)
Double-click the highlighted address, Alt + T and search 264. Tab to switch to IDA-View and see something like this:
| Pseudocode | IDA-View |
|---|---|
Click on the LDRB opcode, open the Keypatcher and type nop. Do the same thing with CBZ.
II. Camera
Switch to Pseudocode view, Ctrl + T to search the next value 264. Tab to switch to IDA-View and see something like this:
| Pseudocode | IDA-View |
|---|---|
Click on the first LDRB opcode, open the Keypatcher and type nop. Do the same thing with BEQ opcode.
III. Scenecontrol
Switch to Pseudocode view, Ctrl + T to search the next value 264. Tab to switch to IDA-View and see something like this:
| Pseudocode | IDA-View |
|---|---|
Click on the LDRB opcode, open the Keypatcher and type nop. Do the same thing with CBNZ opcode.
IV. Arcahv string check
lowiro removed this in iOS and Android arm64 so let's ignore.
V. Green arc
Switch to Pseudocode view, scroll down until you found this:
Double-click the highlighted address, switch to IDA-View. Click on LDRB opcode that have #0x108, use the Keypatcher and nop it. After that, modify the first CMP opcode to #32. After that, patch CINC W1, W8, NE opcode to CINC W1, W1, NE opcode.
| Before | After |
|---|---|
VI. The Switch (this will be used for others as well)
I literally don't know why lowiro do this but ok
In the Strings sub-window, press ALT + T and search for gameend, double-click, xref and scroll up until you found this:
Double-click the highlighted address, switch to Hex View, F2 to edit and type 20 00 80 52 (no spacing) then save it. It should be like this after editing:
Hex View
| Before | After |
|---|---|
IDA-View
| Before | After |
|---|---|
VII. Remove Skynote and Arc restrictions (over y2.1)
Note: Not recommended having these 2 modded because it'll mess up a part in Singularity VVVIP. See here: https://youtu.be/3SBjWP2JEXc?t=93.
a. Skynote
Xref The Switch, switch to IDA-View and scroll up a bit until you found this:
Use the Keypatcher to nop for the FMOV and TBZ W20 opcode.
b. Arc
In the Pseudocode view, scroll up, xref The Skynote first address, scroll up again, xref the first address, switch to IDA-View, AND scroll up until you see this:
Click the ADRP, switch to Hex View, click the second hex byte value, press F2 to edit change a digit then save it (it varies in each version of the game). It should be like this after editing:
Hex View
| Before | After |
|---|---|
IDA-View
| Before | After |
|---|---|
And there we go! iOS is done.
Removing world mode restrictions
Info
Unlocks all world mode charts (even byds as well i think because it counts as a world song but it just the visual, you'll need to mod the other 3 to make it playable offline).
In the Strings sub-window, search for this song is, xref the second one, F5 to open the Pseudocode sub-window and scroll up until you found this:
| Xref | Pseudocode |
|---|---|
Double-click to go to the highlighted address, click the first line in Pseudocode sub-window, press Tab to move to IDA-View, switch to Hex View, press F2 and type 01 20 70 47 (no spacing) (which is MOV R0, #1 and BX LR).
IDA-View
| Before | After |
|---|---|
Hex View
| Before | After |
|---|---|
In the Strings sub-window, search for this song is, xref the first one, F5 to open the Pseudocode sub-window and scroll up until you found this:
| Xref | Pseudocode |
|---|---|
Double-click to go to the highlighted address, click the first line in Pseudocode sub-window, press Tab to move to IDA-View, switch to Hex View, press F2 and type 20 00 80 52 C0 03 5F D6 (no spacing) (which is MOV W0, #1 and RET).
IDA-View
| Before | After |
|---|---|
Hex View
| Before | After |
|---|---|
Once you're done, press F2 again to save it.
All done!
And there you have it. Good luck modding. Post-5.4.0 will be written sooner or later.