[StrRes.ini] Finding MobsList for later patches.

Discussion on [StrRes.ini] Finding MobsList for later patches. within the CO2 Programming forum part of the Conquer Online 2 category.

Post #1 by clintonselke

Step 1) StrRes.ini

Look up 100023=You can't stop here!

hex(100023) = 186B7

Step 2) Search PUSH 186B7 in olly

Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
004F71A1  |.  68 D5070000   PUSH 7D5
004F71A6  |.  68 B7860100   PUSH 186B7
004F71AB  |.  8BCE          MOV ECX,ESI

Step 3) Backtrack and look at all functions before it, to find which one retrieves the player coords.
Note: For your current coords, not the ones you're jumping to.
Hint: Track back to make sure you're looking at lines that can eventually end up producing the [System] message; be patient and careful of JMPs. And breakpoint one line after the CALLs for their return values.

Code:
(EDX,ECX) is your current map coordinate after this CALL.
CPU Disasm
Address   Hex dump          Command                                  Comments
004F7021  |.  8BCE          MOV ECX,ESI
004F7023  |.  FF50 14       CALL DWORD PTR DS:[EAX+14]
004F7026  |.  6A 01         PUSH 1                                   ; /Arg5 = 1

Step 4) Remembering the value of ECX, breakpoint inside that function call on a DIFFERENT value of ECX. (You may need to breakpoint before the function call and trace your way inside of it first.)

Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
004F4CC4  /.  8B4424 04     MOV EAX,DWORD PTR SS:[ARG.1]
004F4CC8  |.  8B91 98020000 MOV EDX,DWORD PTR DS:[ECX+298]
004F4CCE  |.  8910          MOV DWORD PTR DS:[EAX],EDX
004F4CD0  |.  8B89 9C020000 MOV ECX,DWORD PTR DS:[ECX+29C]
004F4CD6  |.  8948 04       MOV DWORD PTR DS:[EAX+4],ECX
004F4CD9  \.  C2 0400       RETN 4

This function just found is used for retrieving the map coordinates for ANY mob/player. And it is called continuously for all the mobs (DIFFERENT VALUES OF ECX, WHERE ECX IS A POINTER TO YOUR MOB STRUCTURE).

Step 5) After finding a different value of ECX on a breakpoint inside that function, trace your way out again to find the LOOP for the MOBS.

The call to get the mob's coordinates in the MOB LOOP:
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
00515904  |.  52            |PUSH EDX
00515905  |.  FF50 14       |CALL DWORD PTR DS:[EAX+14]
00515908  |.  FF75 DC       |PUSH DWORD PTR SS:[EBP-24]              ; /Arg4 => [ARG.EBP-24]

Step 6) Add breakpoints on function calls above it but STILL IN THE LOOP, and find the functions for retrieving the number of mobs and the mob by its index. (LOL, I lied a little bit. The number of mobs will be JUST ABOVE THE BEGINNING OF THE LOOP, BUT THE MOB BY INDEX IS INSIDE THE LOOP.)

Code:
Gets the number of mobs.
CPU Disasm
Address   Hex dump          Command                                  Comments
0051587D  |.  53            PUSH EBX                                 ; /Arg1
0051587E  |.  8D4B 10       LEA ECX,[EBX+10]                         ; |
00515881  |.  E8 7A0FF0FF   CALL 00416800                            ; \Conquer.00416800

Gets the mob by its index.
CPU Disasm
Address   Hex dump          Command                                  Comments
00515892  |> /8BF3          /MOV ESI,EBX
00515894  |. |8D7D C8       |LEA EDI,[EBP-38]
00515897  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
00515898  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E
00515899  |. |FF75 F0       |PUSH DWORD PTR SS:[EBP-10]              ; /Arg1 => [ARG.EBP-10]
0051589C  |. |8D4D C8       |LEA ECX,[EBP-38]                        ; |
0051589F  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E ; |
005158A0  |. |A5            |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E ; |
005158A1  |. |E8 DD53FFFF   |CALL 0050AC83                           ; \Conquer.0050AC83

NOTE THAT THE VALUE OF ECX IN BOTH THESE CALLS IS THE POINTER TO YOUR NEW MOBS LIST (6502E4 for version 5127+).

This might come in handy after the next patch for mounts.
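Steps 1 and 2 of the post (look up the message ID in StrRes.ini, convert it to hex, find the PUSH of that immediate) as an added Python example; this is not code from the original post, and the StrRes.ini lines, code bytes and CODE_BASE are constructed from the values quoted above.

```python
import re
import struct

# Constructed sample of StrRes.ini lines (the real file has thousands of entries).
STRRES_SAMPLE = """\
100022=You are too far away.
100023=You can't stop here!
100024=Target not found.
"""

# Constructed code bytes: the PUSH 7D5 / PUSH 186B7 / MOV ECX,ESI sequence quoted in
# the post, padded with NOPs (0x90); CODE_BASE puts PUSH 7D5 at 004F71A1 as in the listing.
CODE_SAMPLE = bytes.fromhex("9090" "68D5070000" "68B7860100" "8BCE" "9090")
CODE_BASE = 0x4F71A1 - 2

def parse_strres(text):
    """Map resource ID -> message for every 'ID=message' line (step 1)."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)=(.*)$", line)
        if m:
            table[int(m.group(1))] = m.group(2).rstrip()
    return table

def ids_for_message(table, needle):
    """Resource IDs whose message contains needle."""
    return sorted(i for i, msg in table.items() if needle in msg)

def push_imm32_pattern(value):
    """'PUSH imm32' is opcode 0x68 plus a little-endian immediate: PUSH 186B7 is 68 B7860100."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("immediate does not fit in 32 bits")
    return b"\x68" + struct.pack("<I", value)

def find_push_sites(code, value, base=0):
    """Image addresses where the PUSH imm32 pattern occurs (step 2). A raw byte match can
    also be data or the tail of another instruction, so confirm each hit in the disassembler."""
    pat = push_imm32_pattern(value)
    sites, pos = [], code.find(pat)
    while pos != -1:
        sites.append(base + pos)
        pos = code.find(pat, pos + 1)
    return sites

if __name__ == "__main__":
    table = parse_strres(STRRES_SAMPLE)
    for rid in ids_for_message(table, "stop here"):
        print(f"{rid} = {table[rid]!r} -> hex {rid:X}")
        for addr in find_push_sites(CODE_SAMPLE, rid, CODE_BASE):
            print(f"  PUSH {rid:X} at {addr:08X}")
```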
Post #2 by Jonny999, 07/01/2009, 23:26

Great guide.

Post #3 by clintonselke, 07/02/2009, 07:45

Just thought I'd add the strategy.

- Find an easy-to-find function A that uses a function B, which the function C you want to find also uses.
- Once you've found function B from function A, use a breakpoint to lie asleep inside function B until the function you want to find (function C) calls it.
- Once function C calls function B and your breakpoint is triggered, you can trace out to find function C.

So you're finding functions used by the functions that you want to find.

Edit: Going deeper and breakpointing inside the size function for a Deque, there seem to be 7 different Deques used in Conquer... I haven't bothered to check these 7 yet, but I hope one is for items.

Post #4 by Santa, 02/18/2017, 22:16

I know this is old but this is completely relevant to my issue. So basically I have followed this little guide and have found myself the same two functions but for inventory items. I was able to call the function that returns the # of items without issue (on my first try even, lol) but I am having a hell of a time trying to grab the item's base address by index.

Basically this is what I found:
Code:
00492ADA  /$ 55             PUSH EBP
00492ADB  |. 8BEC           MOV EBP,ESP
00492ADD  |. 83EC 1C        SUB ESP,0x1C
00492AE0  |. 53             PUSH EBX
00492AE1  |. 56             PUSH ESI
00492AE2  |. 8BF1           MOV ESI,ECX
00492AE4  |. 57             PUSH EDI
00492AE5  |. 8975 F4        MOV DWORD PTR SS:[EBP-0xC],ESI
00492AE8  |. 8D9E 10100000  LEA EBX,DWORD PTR DS:[ESI+0x1010]
00492AEE  |. 53             PUSH EBX
00492AEF  |. 8D4B 10        LEA ECX,DWORD PTR DS:[EBX+0x10]
00492AF2  |. E8 D0CDFEFF    CALL Conquer.0047F8C7
00492AF7  |. 8365 FC 00     AND DWORD PTR SS:[EBP-0x4],0x0
00492AFB  |. 8945 F8        MOV DWORD PTR SS:[EBP-0x8],EAX
00492AFE  |. 85C0           TEST EAX,EAX
00492B00  |. 7E 33          JLE SHORT Conquer.00492B35
00492B02  |> 8BF3           /MOV ESI,EBX
00492B04  |. 8D7D E4        |LEA EDI,DWORD PTR SS:[EBP-0x1C]
00492B07  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B08  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B09  |. FF75 FC        |PUSH DWORD PTR SS:[EBP-0x4]
00492B0C  |. 8D4D E4        |LEA ECX,DWORD PTR SS:[EBP-0x1C]
00492B0F  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B10  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B11  |. E8 19CE0000    |CALL Conquer.0049F92F
00492B16  |. 8B45 E4        |MOV EAX,DWORD PTR SS:[EBP-0x1C]
00492B19  |. 8B00           |MOV EAX,DWORD PTR DS:[EAX]

Where this section is returning the # of items:
Code:
00492AE8  |. 8D9E 10100000  LEA EBX,DWORD PTR DS:[ESI+0x1010]
00492AEE  |. 53             PUSH EBX
00492AEF  |. 8D4B 10        LEA ECX,DWORD PTR DS:[EBX+0x10]
00492AF2  |. E8 D0CDFEFF    CALL Conquer.0047F8C7

And to call that from my DLL I'm using (works just fine, naming conventions probably suck):
Code:
MOV EBX, Properties::Inventory_Base_address
PUSH EBX
MOV ECX, Properties::Inventory_Sub_address
CALL Properties::Inventory_Count_Function_address

This next part is the one that I can't seem to get right, getting the item by its index:
Code:
00492B04  |. 8D7D E4        |LEA EDI,DWORD PTR SS:[EBP-0x1C]
00492B07  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B08  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B09  |. FF75 FC        |PUSH DWORD PTR SS:[EBP-0x4]
00492B0C  |. 8D4D E4        |LEA ECX,DWORD PTR SS:[EBP-0x1C]
00492B0F  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B10  |. A5             |MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00492B11  |. E8 19CE0000    |CALL Conquer.0049F92F

1. It moves into EDI the Inventory_Base_address (as I have it defined).
2. Then populates the stack with a few pointers to different parts of the collection in memory.
3. Pushes the index to the stack.
4. Sets ECX to be equal to the address of the first value set in 2.
5. A few more pointers to different parts of the collection.
6. Calls the function.
7. EAX contains the pointer to the specified item index.

With that, I have tried a few different iterations. But this one seems to crash the latest:
Code:
MOV EBP,ESP
SUB ESP, 0x1C
PUSH EDI
MOV ESI, Properties::Inventory_Base_address
LEA EDI,DWORD PTR SS:[EBP-0x1C]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
PUSH TIndex
LEA ECX, DWORD PTR SS:[EBP-0x1C]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
CALL Properties::Inventory_Deque_Function_address
MOV _TTReturn, EAX
POP EDI
POP ESI

Following through with Olly makes it seem like I'm so close but I just can't quite figure out why it is still crashing.

I have been able to call many other functions from my DLL without issue (after struggling through issues) and I can't seem to figure this one out. I would appreciate any help that you can provide! I'm just using a private server that I have set up (p 5065) to use as a means to learn.

Edit:
I'm a tard. The reason it was crashing was totally unrelated to what I was trying to accomplish. Guess I just needed to step away and come back to it. For the curious, it's literally just:
Code:
MOV ESI, Properties::Inventory_Base_address
LEA EDI,DWORD PTR SS:[EBP-0x1C]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
PUSH TIndex
LEA ECX, DWORD PTR SS:[EBP-0x1C]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
CALL Properties::Inventory_Deque_Function_address
MOV _TTReturn, EAX