I want to understand the Enemy List of a Game, so that I can use it for my Bot.
I already have the pointer to this list and the offset to the Object, but I just can't find a logical way to step through the list.
Here is the "Find next Mob" function, which steps through the monsters and searches for the nearest mob in my sight.
Code:
009DB880 /$ 55              PUSH EBP
009DB881 |. 8BEC            MOV EBP,ESP
009DB883 |. 83EC 44         SUB ESP,44
009DB886 |. 53              PUSH EBX
009DB887 |. 56              PUSH ESI
009DB888 |. 8B75 08         MOV ESI,[ARG.1]
009DB88B |. 8B86 AC000000   MOV EAX,DWORD PTR DS:[ESI+AC]          ; Player Pointer
009DB891 |. 8B80 E4030000   MOV EAX,DWORD PTR DS:[EAX+3E4]         ; Coordinate Struct
009DB897 |. F3:0F1040 68    MOVSS XMM0,DWORD PTR DS:[EAX+68]       ; X Coordinate
009DB89C |. 8B4E 74         MOV ECX,DWORD PTR DS:[ESI+74]
009DB89F |. 8B11            MOV EDX,DWORD PTR DS:[ECX]
009DB8A1 |. 8B52 08         MOV EDX,DWORD PTR DS:[EDX+8]           ; Function Pointer 7E3720
009DB8A4 |. 83C0 68         ADD EAX,68                             ; Rotation Matrix
009DB8A7 |. F3:0F1145 CC    MOVSS [LOCAL.13],XMM0
009DB8AC |. F3:0F1040 04    MOVSS XMM0,DWORD PTR DS:[EAX+4]        ; X Rotation
009DB8B1 |. F3:0F1145 D0    MOVSS [LOCAL.12],XMM0
009DB8B6 |. F3:0F1040 08    MOVSS XMM0,DWORD PTR DS:[EAX+8]        ; Z Rotation
009DB8BB |. 57              PUSH EDI
009DB8BC |. 8D45 C0         LEA EAX,[LOCAL.16]
009DB8BF |. 50              PUSH EAX
009DB8C0 |. F3:0F1145 D4    MOVSS [LOCAL.11],XMM0
009DB8C5 |. FFD2            CALL EDX                               ; 7E3720
009DB8C7 |. 8D45 C0         LEA EAX,[LOCAL.16]
009DB8CA |. 50              PUSH EAX
009DB8CB |. 8BC8            MOV ECX,EAX
009DB8CD |. 51              PUSH ECX
009DB8CE |. E8 AF8CB1FF     CALL <JMP.&d3dx9_42.D3DXVec3Normalize>
009DB8D3 |. 0F57C0          XORPS XMM0,XMM0
009DB8D6 |. 8B86 CC000000   MOV EAX,DWORD PTR DS:[ESI+CC]          ; Enemy List is loaded in EAX
009DB8DC |. F3:0F1145 D8    MOVSS [LOCAL.10],XMM0
009DB8E1 |. F3:0F1145 DC    MOVSS [LOCAL.9],XMM0
009DB8E6 |. F3:0F1145 E0    MOVSS [LOCAL.8],XMM0
009DB8EB |. 8B18            MOV EBX,DWORD PTR DS:[EAX]             ; First List Element in EBX
009DB8ED |. F3:0F1145 F8    MOVSS [LOCAL.2],XMM0
009DB8F2 |. 8945 EC         MOV [LOCAL.5],EAX                      ; Enemy List in Local 5
009DB8F5 |. 895D F4         MOV [LOCAL.3],EBX                      ; First List Element in Local 3
009DB8F8 |. 3BD8            CMP EBX,EAX
009DB8FA |. 0F84 61020000   JE Maestia.009DBB61
009DB900 |. EB 03           JMP SHORT Maestia.009DB905
009DB902 |> 0F57C0          /XORPS XMM0,XMM0                       ; Beginning of the Loop
009DB905 |> 8B7B 10         |MOV EDI,DWORD PTR DS:[EBX+10]         ; Enemy Pointer <-- I want to know EBX
009DB908 |. 0FB787 8000000> |MOVZX EAX,WORD PTR DS:[EDI+80]        ; Now there are some float instructions
009DB90F |. F3:0F1145 F8    |MOVSS [LOCAL.2],XMM0                  ; They are not important
009DB914 |. 0FB7D0          |MOVZX EDX,AX
009DB917 |. 66:85C0         |TEST AX,AX
009DB91A |. 75 04           |JNZ SHORT Maestia.009DB920
009DB91C |. 0FB757 7C       |MOVZX EDX,WORD PTR DS:[EDI+7C]
009DB920 |> 8B45 08         |MOV EAX,[ARG.1]
009DB923 |. 8BB0 AC000000   |MOV ESI,DWORD PTR DS:[EAX+AC]
009DB929 |. 0FB786 8000000> |MOVZX EAX,WORD PTR DS:[ESI+80]
009DB930 |. 0FB7C8          |MOVZX ECX,AX
009DB933 |. 66:85C0         |TEST AX,AX
009DB936 |. 75 04           |JNZ SHORT Maestia.009DB93C
009DB938 |. 0FB74E 7C       |MOVZX ECX,WORD PTR DS:[ESI+7C]
009DB93C |> 66:83F9 05      |CMP CX,5
009DB940 |. 72 43           |JB SHORT Maestia.009DB985
009DB942 |. 66:83FA 05      |CMP DX,5
009DB946 |. 73 3D           |JNB SHORT Maestia.009DB985
009DB948 |. 0FB7C8          |MOVZX ECX,AX
009DB94B |. 66:85C0         |TEST AX,AX
009DB94E |. 75 04           |JNZ SHORT Maestia.009DB954
009DB950 |. 0FB74E 7C       |MOVZX ECX,WORD PTR DS:[ESI+7C]
009DB954 |> 66:83F9 05      |CMP CX,5
009DB958 |. 72 17           |JB SHORT Maestia.009DB971
009DB95A |. 66:85C0         |TEST AX,AX
009DB95D |. 0FB7C0          |MOVZX EAX,AX
009DB960 |. 75 04           |JNZ SHORT Maestia.009DB966
009DB962 |. 0FB746 7C       |MOVZX EAX,WORD PTR DS:[ESI+7C]
009DB966 |> 0FB7C0          |MOVZX EAX,AX
009DB969 |. 83E8 04         |SUB EAX,4
009DB96C |. 66:3BC2         |CMP AX,DX
009DB96F |. EB 23           |JMP SHORT Maestia.009DB994
009DB971 |> 66:85C0         |TEST AX,AX
009DB974 |. 0FB7C0          |MOVZX EAX,AX
009DB977 |. 75 04           |JNZ SHORT Maestia.009DB97D
009DB979 |. 0FB746 7C       |MOVZX EAX,WORD PTR DS:[ESI+7C]
009DB97D |> 0FB7C0          |MOVZX EAX,AX
009DB980 |. 66:3BC2         |CMP AX,DX
009DB983 |. EB 0F           |JMP SHORT Maestia.009DB994
009DB985 |> 66:85C0         |TEST AX,AX
009DB988 |. 0FB7C0          |MOVZX EAX,AX
009DB98B |. 75 04           |JNZ SHORT Maestia.009DB991
009DB98D |. 0FB746 7C       |MOVZX EAX,WORD PTR DS:[ESI+7C]
009DB991 |> 66:3BD0         |CMP DX,AX
009DB994 |> 0F94C0          |SETE AL
009DB997 |. 84C0            |TEST AL,AL
009DB999 |. 0F85 AB010000   |JNZ Maestia.009DBB4A
009DB99F |. 3887 94050000   |CMP BYTE PTR DS:[EDI+594],AL
009DB9A5 |. 0F85 9F010000   |JNZ Maestia.009DBB4A
009DB9AB |. 8BC7            |MOV EAX,EDI
009DB9AD |. E8 BE03E9FF     |CALL Maestia.0086BD70
009DB9B2 |. 84C0            |TEST AL,AL
009DB9B4 |. 0F85 90010000   |JNZ Maestia.009DBB4A
009DB9BA |. 0FB787 8000000> |MOVZX EAX,WORD PTR DS:[EDI+80]
009DB9C1 |. 66:85C0         |TEST AX,AX
009DB9C4 |. 0FB7C0          |MOVZX EAX,AX
009DB9C7 |. 75 04           |JNZ SHORT Maestia.009DB9CD
009DB9C9 |. 0FB747 7C       |MOVZX EAX,WORD PTR DS:[EDI+7C]
009DB9CD |> 66:83F8 03      |CMP AX,3
009DB9D1 |. 75 42           |JNZ SHORT Maestia.009DBA15
009DB9D3 |. 8B4F 08         |MOV ECX,DWORD PTR DS:[EDI+8]
009DB9D6 |. 894D FC         |MOV [LOCAL.1],ECX
009DB9D9 |. 8B0D 2C39CF00   |MOV ECX,DWORD PTR DS:[CF392C]
009DB9DF |. 8D55 FC         |LEA EDX,[LOCAL.1]
009DB9E2 |. 52              |PUSH EDX                              ; /Arg1
009DB9E3 |. 83C1 40         |ADD ECX,40                            ; |
009DB9E6 |. 8D45 F0         |LEA EAX,[LOCAL.4]                     ; |
009DB9E9 |. E8 A2B1A2FF     |CALL Maestia.00406B90                 ; \Maestia.00406B90
009DB9EE |. 8B45 F0         |MOV EAX,[LOCAL.4]
009DB9F1 |. 8B0D 2C39CF00   |MOV ECX,DWORD PTR DS:[CF392C]
009DB9F7 |. 3B41 44         |CMP EAX,DWORD PTR DS:[ECX+44]
009DB9FA |. 0F84 4A010000   |JE Maestia.009DBB4A
009DBA00 |. 8B40 10         |MOV EAX,DWORD PTR DS:[EAX+10]
009DBA03 |. 85C0            |TEST EAX,EAX
009DBA05 |. 0F84 3F010000   |JE Maestia.009DBB4A
009DBA0B |. 8078 40 02      |CMP BYTE PTR DS:[EAX+40],2
009DBA0F |. 0F85 35010000   |JNZ Maestia.009DBB4A
009DBA15 |> 8B87 E4030000   |MOV EAX,DWORD PTR DS:[EDI+3E4]
009DBA1B |. F3:0F1050 70    |MOVSS XMM2,DWORD PTR DS:[EAX+70]
009DBA20 |. F3:0F5C55 D4    |SUBSS XMM2,[LOCAL.11]
009DBA25 |. F3:0F1040 68    |MOVSS XMM0,DWORD PTR DS:[EAX+68]
009DBA2A |. F3:0F1048 6C    |MOVSS XMM1,DWORD PTR DS:[EAX+6C]
009DBA2F |. F3:0F5C4D D0    |SUBSS XMM1,[LOCAL.12]
009DBA34 |. F3:0F5C45 CC    |SUBSS XMM0,[LOCAL.13]
009DBA39 |. 83C0 68         |ADD EAX,68
009DBA3C |. 0F28DA          |MOVAPS XMM3,XMM2
009DBA3F |. F3:0F59DA       |MULSS XMM3,XMM2
009DBA43 |. F3:0F1155 E0    |MOVSS [LOCAL.8],XMM2
009DBA48 |. 0F28D1          |MOVAPS XMM2,XMM1
009DBA4B |. F3:0F59D1       |MULSS XMM2,XMM1
009DBA4F |. F3:0F114D DC    |MOVSS [LOCAL.9],XMM1
009DBA54 |. 0F28C8          |MOVAPS XMM1,XMM0
009DBA57 |. F3:0F58DA       |ADDSS XMM3,XMM2
009DBA5B |. F3:0F59C8       |MULSS XMM1,XMM0
009DBA5F |. 51              |PUSH ECX
009DBA60 |. F3:0F58D9       |ADDSS XMM3,XMM1
009DBA64 |. F3:0F1145 D8    |MOVSS [LOCAL.10],XMM0
009DBA69 |. F3:0F111C24     |MOVSS DWORD PTR SS:[ESP],XMM3
009DBA6E |. E8 6D30A3FF     |CALL Maestia.0040EAE0
009DBA73 |. 8B53 10         |MOV EDX,DWORD PTR DS:[EBX+10]
009DBA76 |. 8B86 C4000000   |MOV EAX,DWORD PTR DS:[ESI+C4]
009DBA7C |. 0382 C4000000   |ADD EAX,DWORD PTR DS:[EDX+C4]
009DBA82 |. 83C4 04         |ADD ESP,4
009DBA85 |. 8945 FC         |MOV [LOCAL.1],EAX
009DBA88 |. DB45 FC         |FILD [LOCAL.1]
009DBA8B |. 85C0            |TEST EAX,EAX
009DBA8D |. 7D 06           |JGE SHORT Maestia.009DBA95
009DBA8F |. D805 1013C600   |FADD DWORD PTR DS:[C61310]
009DBA95 |> DEE9            |FSUBP ST(1),ST
009DBA97 |. 8D4D D8         |LEA ECX,[LOCAL.10]
009DBA9A |. 51              |PUSH ECX
009DBA9B |. 8BD1            |MOV EDX,ECX
009DBA9D |. D80D 2013C600   |FMUL DWORD PTR DS:[C61320]
009DBAA3 |. 52              |PUSH EDX
009DBAA4 |. D95D FC         |FSTP [LOCAL.1]
009DBAA7 |. E8 D68AB1FF     |CALL <JMP.&d3dx9_42.D3DXVec3Normalize>
009DBAAC |. D905 1017C600   |FLD DWORD PTR DS:[C61710]
009DBAB2 |. D945 FC         |FLD [LOCAL.1]
009DBAB5 |. DFF1            |FCOMIP ST,ST(1)
009DBAB7 |. DDD8            |FSTP ST
009DBAB9 |. 0F87 8B000000   |JA Maestia.009DBB4A
009DBABF |. F3:0F1045 C8    |MOVSS XMM0,[LOCAL.14]
009DBAC4 |. F3:0F5945 E0    |MULSS XMM0,[LOCAL.8]
009DBAC9 |. F3:0F104D C4    |MOVSS XMM1,[LOCAL.15]
009DBACE |. F3:0F594D DC    |MULSS XMM1,[LOCAL.9]
009DBAD3 |. F3:0F58C1       |ADDSS XMM0,XMM1
009DBAD7 |. F3:0F104D C0    |MOVSS XMM1,[LOCAL.16]
009DBADC |. F3:0F594D D8    |MULSS XMM1,[LOCAL.10]
009DBAE1 |. F3:0F58C1       |ADDSS XMM0,XMM1
009DBAE5 |. F3:0F100D B465> |MOVSS XMM1,DWORD PTR DS:[BA65B4]
009DBAED |. F3:0F58C1       |ADDSS XMM0,XMM1
009DBAF1 |. 0F2FC1          |COMISS XMM0,XMM1
009DBAF4 |. 77 08           |JA SHORT Maestia.009DBAFE
009DBAF6 |. F3:0F5905 1413> |MULSS XMM0,DWORD PTR DS:[C61314]
009DBAFE |> F3:0F100D 1017> |MOVSS XMM1,DWORD PTR DS:[C61710]
009DBB06 |. F3:0F5C4D FC    |SUBSS XMM1,[LOCAL.1]
009DBB0B |. F3:0F5905 F416> |MULSS XMM0,DWORD PTR DS:[C616F4]
009DBB13 |. F3:0F590D 1465> |MULSS XMM1,DWORD PTR DS:[BA6514]
009DBB1B |. F3:0F58C8       |ADDSS XMM1,XMM0
009DBB1F |. F3:0F1005 F016> |MOVSS XMM0,DWORD PTR DS:[C616F0]
009DBB27 |. 0F2FC1          |COMISS XMM0,XMM1
009DBB2A |. F3:0F114D F8    |MOVSS [LOCAL.2],XMM1
009DBB2F |. 77 19           |JA SHORT Maestia.009DBB4A
009DBB31 |. 8B43 10         |MOV EAX,DWORD PTR DS:[EBX+10]
009DBB34 |. 8B48 04         |MOV ECX,DWORD PTR DS:[EAX+4]
009DBB37 |. 8B7D 0C         |MOV EDI,[ARG.2]
009DBB3A |. 894D E8         |MOV [LOCAL.6],ECX
009DBB3D |. 8D4D E4         |LEA ECX,[LOCAL.7]
009DBB40 |. F3:0F114D E4    |MOVSS [LOCAL.7],XMM1
009DBB45 |. E8 86B8A2FF     |CALL Maestia.004073D0
009DBB4A |> 8D55 F4         |LEA EDX,[LOCAL.3]                     ; What happens here? Does Local 3 get changed during this LEA instruction?
009DBB4D |. E8 7EDDA5FF     |CALL Maestia.004398D0
009DBB52 |. 8B5D F4         |MOV EBX,[LOCAL.3]                     ; Here EBX gets its new value, but Local 3 has not been changed in this loop ??
009DBB55 |. 3B5D EC         |CMP EBX,[LOCAL.5]
009DBB58 |.^0F85 A4FDFFFF   \JNZ Maestia.009DB902                  ; Jump to the beginning of the loop
I want to know how Local 3 gets its value.
The first mob is no problem, but how does Local 3 get changed during the loop?
It looks to me like it doesn't get changed, but if I set a breakpoint to check Local 3, it changes its value during the loop.
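The traversal pattern in the listing, as an added example that is not code from the game or from the post: a C model of a node container with a head sentinel, where the first element is read from [head+0], the object from node+0x10, and the iterator is advanced by a function that receives the iterator's address (the LEA EDX,[LOCAL.3] / CALL 004398D0 / MOV EBX,[LOCAL.3] sequence). The node fields other than those two offsets, and the choice of a doubly linked list for the model, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model (added example, not code from the game or the post). Only two offsets
 * are visible in the listing: the link at +0 ([EAX] yields the first element) and the object
 * pointer at +0x10 ([EBX+10]). The other fields are placeholders, and a doubly linked list
 * is an assumption: the loop looks the same for any node container whose end() is the head. */
typedef struct Node {
    struct Node *next;      /* +0x00: link followed to reach the first element     */
    struct Node *prev;      /* +0x04: assumed back link, never touched by the loop */
    uint32_t     unknown08; /* +0x08: not referenced by the loop                   */
    uint32_t     unknown0C; /* +0x0C: not referenced by the loop                   */
    void        *object;    /* +0x10: MOV EDI,[EBX+10] -> the enemy object         */
} Node;

/* Stand-in for CALL Maestia.004398D0. The call receives the ADDRESS of the iterator
 * (LEA EDX,[LOCAL.3] only computes that address and writes nothing) and stores the
 * successor through it; that store is why MOV EBX,[LOCAL.3] sees a new value afterwards. */
static void advance_iterator(Node **it) { *it = (*it)->next; }

/* Walk the container like the loop does: start at [head], stop when the iterator is back
 * at the head sentinel (CMP EBX,[LOCAL.5]). Returns the number of objects visited. */
static size_t for_each_object(Node *head, void (*visit)(void *obj, void *ctx), void *ctx) {
    size_t count = 0;
    Node *it = head->next;              /* MOV EBX,[EAX] ; CMP EBX,EAX ; JE 009DBB61  */
    while (it != head) {                /* MOV EBX,[LOCAL.3] ; CMP EBX,[LOCAL.5] ; JNZ */
        visit(it->object, ctx); count++;/* MOV EDI,[EBX+10] ... per-enemy checks       */
        advance_iterator(&it);          /* LEA EDX,[LOCAL.3] ; CALL 004398D0           */
    }
    return count;
}

/* Test fixture: link n nodes into a circular list behind the sentinel (constructed data). */
static void build_list(Node *head, Node *nodes, void **objects, size_t n) {
    head->next = head->prev = head;
    for (size_t i = 0; i < n; i++) {
        nodes[i].object = objects[i]; nodes[i].prev = head->prev; nodes[i].next = head;
        head->prev->next = &nodes[i]; head->prev = &nodes[i];
    }
}

typedef struct { int seen[8]; size_t n; } Seen;
static void record(void *obj, void *ctx) { Seen *s = ctx; s->seen[s->n++] = *(int *)obj; }

/* Build a list of n (<= 8) constructed enemy ids and walk it. Returns the visit count when
 * the ids came back in list order, -1 otherwise. */
static int run_demo(size_t n) {
    if (n > 8) return -1;
    int ids[8]; void *objs[8]; Node nodes[8], head; Seen s = { {0}, 0 };
    for (size_t i = 0; i < n; i++) { ids[i] = (int)(100 + i); objs[i] = &ids[i]; }
    build_list(&head, nodes, objs, n);
    size_t count = for_each_object(&head, record, &s);
    for (size_t i = 0; i < count; i++) if (s.seen[i] != ids[i]) return -1;
    return (int)count;
}
```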