Steed Patch Discussion Thread

Page 1 of 2 1 2
07/16/2009 19:00 ookamocka#1
well since we got a new patch where everything changed as i've already assumed would happen, i decided i'd make all in one thread about discussing changes in the new patch

i'm searching for all the new values again, i'll post up wat i find as i find it, if u find ne thing, feel free to post it :)
07/18/2009 21:23 clintonselke#2
Getting pointer to your own structure
CALL 0051BC20 (after this call a pointer to ur structure is in EAX)

Maybe something can be done w/ this 0x0051BC20 address by calling it with AutoIt / AHK (CreateRemoteProcessEx), and retrieving the return value for the macro programmers.

Role Stuff (For Players, Yourself, NPCs & Monsters)
int RoleID = *(int*)(RoleBase + 0x88)
char* RoleName = (char*)*(int*)(RoleBase + 0x10C);
int RoleX = *(int*)(RoleBase + 0x2C8);
int RoleY = *(int*)(RoleBase + 0x2CC);
bool RoleIsAlive = (*(char const*)(RoleBase + 0x58) != 0x20);

Mob Stuff
Code:
EBX: 00692054

Get the number of items:

CPU Disasm
Address   Hex dump          Command                                  Comments
0053C864  |.  53            PUSH EBX                                 ; /Arg1
0053C865  |.  8D4B 10       LEA ECX,[EBX+10]                         ; |
0053C868  |.  E8 E3D4FAFF   CALL 004E9D50                            ; \Conquer.004E9D50

Get item by index:

CPU Disasm
Address   Hex dump          Command                                  Comments
0053C879  |> /8BF3          /MOV ESI,EBX
0053C87B  |. |8D7D C8       |LEA EDI,[EBP-38]
0053C87E  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
0053C87F  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
0053C880  |. |FF75 F0       |PUSH DWORD PTR SS:[EBP-10]              ; /Arg1 => [ARG.EBP-10]
0053C883  |. |8D4D C8       |LEA ECX,[EBP-38]                        ; |
0053C886  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E ; |
0053C887  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E ; |
0053C888  |. |E8 2D33FFFF   |CALL 0052FBBA                           ; \Conquer.0052FBBA
Jump Function
Code:
Jump(X,Y) function:

CPU Disasm
Address   Hex dump          Command                                  Comments
004BF2F6  |.  FF75 E0       PUSH DWORD PTR SS:[EBP-20]               ; /Arg2 => [ARG.EBP-20]
004BF2F9  |.  FF75 DC       PUSH DWORD PTR SS:[EBP-24]               ; |Arg1 => [ARG.EBP-24]
004BF2FC  |.  E8 1FC90500   CALL 0051BC20                            ; |
004BF301  |.  8BC8          MOV ECX,EAX                              ; |
004BF303  |.  E8 83540500   CALL 0051478B                            ; \Conquer.0051478B
Skill Functions
Code:
Skill(SkillID, TargetID): (Self Target for staminer skill also)

CPU Disasm
Address   Hex dump          Command                                  Comments
004DA6B6  |> \50            PUSH EAX                                 ; |Arg2
004DA6B7  |.  8B45 E0       MOV EAX,DWORD PTR SS:[EBP-20]            ; |
004DA6BA  |.  FFB0 A8CA0A00 PUSH DWORD PTR DS:[EAX+0ACAA8]           ; |Arg1
004DA6C0  |.  E8 5B150400   CALL 0051BC20                            ; |
004DA6C5  |.  8BC8          MOV ECX,EAX                              ; |
004DA6C7  |.  E8 63D70700   CALL 00557E2F                            ; \Conquer.00557E2F

CPU Stack
Address   Value      ASCII Comments
0012ED9C  /000003E9  ..   ; Arg1 = 3E9
0012EDA0  |00065066  fP.  ; Arg2 = 65066
0012EDA4  |00000000  ....  ; Arg3 = 0


Skill(SkillID, X, Y):

CPU Disasm
Address   Hex dump          Command                                  Comments
004DA333  |.  FF75 10       PUSH DWORD PTR SS:[EBP+10]               ; /Arg3 => [ARG.EBP+10]
004DA336  |.  8B45 E0       MOV EAX,DWORD PTR SS:[EBP-20]            ; |
004DA339  |.  FF75 0C       PUSH DWORD PTR SS:[EBP+0C]               ; |Arg2 => [ARG.EBP+0C]
004DA33C  |.  FFB0 A8CA0A00 PUSH DWORD PTR DS:[EAX+0ACAA8]           ; |Arg1
004DA342  |.  E8 D9180400   CALL 0051BC20                            ; |
004DA347  |.  8BC8          MOV ECX,EAX                              ; |
004DA349  |.  E8 0ED50700   CALL 0055785C                            ; \Conquer.0055785C

CPU Stack
Address   Value      ASCII Comments
0012ED9C  /00001F41  A..  ; Arg1 = 1F41
0012EDA0  |000001B5  ..   ; Arg2 = 1B5
0012EDA4  |000001D3  ..   ; Arg3 = 1D3
Loot Function
Code:
LootItem(ItemID, X, Y):

CPU Disasm
Address   Hex dump          Command                                  Comments
004BEE01  |> \50            PUSH EAX                                 ; /Arg3 => [ARG.EBP-88]
004BEE02  |.  51            PUSH ECX                                 ; |Arg2 => [ARG.EBP-8C]
004BEE03  |.  FF75 10       PUSH DWORD PTR SS:[EBP+10]               ; |Arg1 => [ARG.EBP+10]
004BEE06  |.  8BCE          MOV ECX,ESI                              ; |
004BEE08  |.  E8 5CA40100   CALL 004D9269                            ; \Conquer.004D9269

CPU Stack
Address   Value      ASCII Comments
0012EB98  /00062BCD  +.   ; Arg1 = 62BCD
0012EB9C  |0000024B  K..  ; Arg2 = 24B
0012EBA0  |0000030B  ..  ; Arg3 = 30B
Find role by ID function (used by melee function)
Code:
FindRoleByID(int* numPair, int roleId, 1)

Code
00577CE3  |. 6A 01          PUSH 1
00577CE5  |. 8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]
00577CE8  |. FFB6 B4010000  PUSH DWORD PTR DS:[ESI+1B4]
00577CEE  |. BF 48206900    MOV EDI,Conquer.00692048
00577CF3  |. 8BCF           MOV ECX,EDI
00577CF5  |. 50             PUSH EAX
00577CF6  |. E8 0942FCFF    CALL <Conquer.RolePtrFromID>

Stack
0012EF70   0012EFB0
0012EF74   00067436
0012EF78   00000001

Start of code.
0053BF04 > $ B8 F83C6000    MOV EAX,Conquer.00603CF8                 ;  RolePtrFromID(int* pair, int roleID, 1)
0053BF09   . E8 C2130600    CALL Conquer.0059D2D0
0053BF0E   . 83EC 18        SUB ESP,18
Melee function (Takes 4 parameters, the first two from the last function, the last two both 1s)
Code:
begining of melee function:

0051691E > $ B8 37076000    MOV EAX,Conquer.00600737                 ;  Attack(a,b,c,d)
00516923   . E8 A8690800    CALL Conquer.0059D2D0
00516928   . 81EC 40060000  SUB ESP,640
Reading the ground
Code:
ECX = 006903D0

CPU Disasm
Address   Hex dump          Command                                  Comments
00514985  |> \FF75 0C       PUSH DWORD PTR SS:[EBP+0C]               ; /Arg2 => [ARG.EBP+0C]
00514988  |.  8BCE          MOV ECX,ESI                              ; |
0051498A  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; |Arg1 => [ARG.EBP+8]
0051498D  |.  E8 B122FDFF   CALL 004E6C43                            ; \Conquer.004E6C43

Ground spot object pointer in EAX... then

CPU Disasm
Address   Hex dump          Command                                  Comments
005149B6  |.  FF75 F0       PUSH DWORD PTR SS:[EBP-10]               ; /Arg1 => [ARG.EBP-10]
005149B9  |.  8BCE          MOV ECX,ESI                              ; |
005149BB  |.  E8 2635FDFF   CALL 004E7EE6                            ; \Conquer.004E7EE6
005149C0  |.  83F8 01       CMP EAX,1

When pushing ground pointer back on the stack, it sees if u can jump there.
07/18/2009 21:40 ookamocka#3
i've actually found something really interesting, i've found the colors to the steeds...

Quote:
Maroon:

* R - 255
* G - 150
* B - 0


White:

* R - 0
* G - 255
* B - 150


Black:

* R - 150
* G - 0
* B - 255



if you have a rare breed stead, please send me a private message so i can get the EXACT color and post it here, ty

as a side note, i noticed that for example white does not always subtract the same ammount of color value, for example, if ur horse has 255 in red, it does not subtract the same ammount as if it had 10... i also haven't tested if different +'s give different ammount of value, my guess would be that the higher the +, the more it effects the color, but i am not sure... after a bit more testing, i'll get back to you

EDIT: something that i just discovered... all horses start off with 405 total colors, but if u breed another horse into it, the total reduces by 1, so if u start off with 405, breed it 5 times, the total of the color will then be 400... for example, my horse if u add up all the colors only = 390... he is... 106:152:132 (Sapphire)
i'm trying to find the pointer to it right now though since it's a dynamic value XD
07/18/2009 21:58 ookamocka#4
HorsePtrAddrs: 00689A16

Offsets:

These Values are the color values when u put both horses into the horse composition screen... i'll make a program in a sec really quick for this . . .

R_old: +EF9A
B_old: +EFA2
G_old: +EFAA

R_new: +EF9E
B_new: +EFA6
G_new: +EFAE
07/18/2009 22:19 ookamocka#5
here u go, simple program that shows u the original and new color values, both horses must be places into the composition screen to work, don't use this at the same time as w/ my CODisappear, since it'll most likely conflict...
07/18/2009 23:17 dark_side592#6
yeah...the melee bot isn't working any moreeeeeee:((((((
07/19/2009 02:13 IAmHawtness#7
Quote:
Originally Posted by clintonselke View Post
Getting pointer to your own structure
CALL 0051BC20 (after this call a pointer to ur structure is in EAX)

Maybe something can be done w/ this 0x0051BC20 address by calling it with AutoIt / AHK (CreateRemoteProcessEx), and retrieving the return value for the macro programmers.

Role Stuff (For Players, Yourself, NPCs & Monsters)
int RoleID = *(int*)(RoleBase + 0x88)
char* RoleName = (char*)*(int*)(RoleBase + 0x10C);
int RoleX = *(int*)(RoleBase + 0x2C8);
int RoleY = *(int*)(RoleBase + 0x2CC);
bool RoleIsAlive = (*(char const*)(RoleBase + 0x58) != 0x20);
int RoleXJumpDest = *(int*)(RoleBase + 0x1B8);
int RoleYJumpDest = *(int*)(RoleBase + 0x1BC);


Edit:

Quote:
Originally Posted by ookamocka View Post
here u go, simple program that shows u the original and new color values, both horses must be places into the composition screen to work, don't use this at the same time as w/ my CODisappear, since it'll most likely conflict...
You know the RGB addresses aren't static, right? 'Cause your program isn't reading the right values with me.
07/19/2009 08:40 clintonselke#8
Quote:
Originally Posted by ookamocka View Post
HorsePtrAddrs: 00689A16
. . .
The address seems rather low in value, maybe its static relative to the address of a DLL used by conquer. So it will work & work on one computer, and not work on another.

Might not be hard for ya to make static.

IF the address appears in the color GREEN in CE, then add it too the list and try to get that "somedll.dll+offset" thing to appear by double clicking the address (i think).

then... take your address 00689A16 minus the offset.

I.E. DllBase = 00689A16 - offset (offset from somedll.dll+offset).

Then search for this DllBase value inside conquer.exe using CE or something.
(E.g. DllBase = [DllBaseAddr] where DllBaseAddr lies inside the static address space of conquer.exe)

Then u'll have HorsePtrAddrs = [DllBaseAddr] + offset

or in c syntax: HorsePtrAddrs = *(int*)DllBaseAddr + offset
07/19/2009 14:21 Alexios#9
@ookamocka

Did you search for the below? It is directly from mounttype.dat(or whatever it is called).

Code:
[3000000000]
Color1=255
Color2=150
Color3=0
armor=8010000
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=0
Title=Maroon~Steed
IconId=30000000

[3000004500]
Color1=0
Color2=255
Color3=150
armor=8014500
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=0
Title=White~Steed
IconId=30000045

[3000002400]
Color1=150
Color2=0
Color3=255
armor=8012400
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=0
Title=Black~Steed
IconId=30000024
----------------------------------------------------------------------

[3000004000]
Color1=187
Color2=135
Color3=201
armor=8014000
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=1
Title=Lava~Steed = Spitfire
IconId=30000040

[3000004100]
Color1=62
Color2=63
Color3=184
armor=8014100
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=1
Title=Frost~Steed = Frostbite
IconId=30000041

[3000004200]
Color1=148
Color2=156
Color3=137
armor=8014200
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=1
Title=Flame~Steed = Blazehoof
IconId=30000042

[3000004300]
Color1=147
Color2=134
Color3=122
armor=8014300
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=1
Title=Spotted~Steed = Spotted Steed
IconId=30000043

[3000004400]
Color1=142
Color2=39
Color3=46
armor=8014400
Showrate=100
Offset=50
Sound1=sound/Rpet_up_down.wav
Sound2=sound/Rpet_up_down.wav
Sound3=sound/Rpet_up_down.wav
Rare=1
Title=Zebra = Zebra
IconId=30000044
07/19/2009 15:23 IAmHawtness#10
My notes about the horse colors:

Code:
//horse composition

004646e0 - mov ecx,[esi+70] // [esi+70] = Address of Red (after composing)

[Address of red after + 0x8] = Address of blue (after composing)

[Address of red after + 0x10] = Address of Green (after composing)


0046464f - 89 4e 6c - mov [esi+6c],ecx // [esi+6c] = Address of current red

[Address of current red + 0x8] = Address of current green

[Address of current red + 0x10] = Address of current blue
07/22/2009 08:02 ookamocka#11
to everyone, yes i realize that the address is dynamic, and apparently what i found wasn't the correct pointer, i'll look into it again whenever i get the chance... which is like never these days XD lol
07/22/2009 21:51 ookamocka#12
Quote:
Originally Posted by IAmHawtness View Post
My notes about the horse colors:

Code:
//horse composition

004646e0 - mov ecx,[esi+70] // [esi+70] = Address of Red (after composing)

[Address of red after + 0x8] = Address of blue (after composing)

[Address of red after + 0x10] = Address of Green (after composing)


0046464f - 89 4e 6c - mov [esi+6c],ecx // [esi+6c] = Address of current red

[Address of current red + 0x8] = Address of current green

[Address of current red + 0x10] = Address of current blue
ya, i already figured that much, but how do u find what esi is?
07/23/2009 00:08 IAmHawtness#13
Quote:
Originally Posted by ookamocka View Post
ya, i already figured that much, but how do u find what esi is?
Haven't traced back that long. I just re-write the functions into telling me what the esi is, storing it in a static location.
07/23/2009 00:16 AMIA.#14
Quote:
كووووووووووول
Cool
07/23/2009 07:27 ookamocka#15
w00ts took a little bit of time, but i found the proof that TQ is floor'ing the equation... floor(x*.9) + floor(y*.1) = z...

00464669 IMUL EAX,EAX,5A
0046466C PUSH 64
0046466E XOR EDX,EDX
00464670 POP EDI
00464671 MOV ECX,EDI
00464673 DIV ECX

first 2 and the last lines are the important ones... this is for red, just the floor(x*.9) part, the .1 part and all other colors are the same/similar (.1 will be IMUL EAX,EAX,A)

so if EAX = 0xFF (i.e. that Red is 255)

then...

0xFF * 0x5A = 0x59A6 (i.e. 22950)
0x59A6 / 0x64 = E5 (i.e. 22950/100=229)

same thing as

floor(255*.9) = 229


this is the exact formula TQ uses in their code... so for now on if u see someone post x*.9+y*.1=z . . . CORRECT THEM! :rtfm: this is proof :rolleyes:
Page 1 of 2 1 2