Jade Dynasty Offset Help

plepvp · 09/06/2011, 10:51

Ok Ladies and Gentlemen,

I know this is probably the wrong forum to ask about a different game but since they are by the same company, I figured someone might have played this game, is well-versed in offset searching and can help me out.

So basically, if you have played JD, you know about espers. So what I'd like to know is, can anyone share a hint or two on how to go about finding the offset for the "esper slot"? I am not talking about skill slot, I am talking about the slot that you put your esper into. I've already tried several ways to find this address and have not been able to succeed.

So, any suggestion or clue that can shed some light would be appreciated. Thanks.

PS: Simple search by taking out esper and putting it back in with unknown initial value / 4 bytes search using changed/unchanged method does not work. I've attempted this at least a dozen time using different critieria.

Sᴡoosh · 09/06/2011, 18:21

I have no clue about JD (I found it to be a rather boring game back then

), but is this thing a part of inventory?

If so, find inventory struct and move in indexes of 4 bytes until you find the ID or name.

plepvp · 09/06/2011, 21:49

Quote:

Originally Posted by Sᴡoosh

I have no clue about JD (I found it to be a rather boring game back then ), but is this thing a part of inventory?

If so, find inventory struct and move in indexes of 4 bytes until you find the ID or name.

Hi Swoosh, unfortunately this isn't a part of inventory. This is a part of equipped items (e.g. Armor, Boot, Helm, Weapon,....etc.).

PS: I have no problem finding the inventory struct, but this equip slot struct is a pain to find.

Sᴡoosh · 09/06/2011, 22:28

Equip struct is probably +4 or -4 bytes from Inventory

Item ID offset of Equipment should be same as inventory.

plepvp · 09/06/2011, 23:51

Quote:

Originally Posted by Sᴡoosh

Equip struct is probably +4 or -4 bytes from Inventory

Item ID offset of Equipment should be same as inventory.

So,

1. Find Inv Struct Offset
2. +4 or -4 Offset Address

I think I'll give that a try.

I actually have one question. If I found the address to be EAX+EBX*4
How am I supposed to get a point to that? Since EBX can change.

Sigh.....found the offset, but game crashed before I can find its relationship with base address. Urgh....lost all progress.

Sigh.....found the offset, but game crashed before I can find its relationship with base address. Urgh....lost all progress.

Interest07 · 09/07/2011, 10:35

EAX + EBX * 4

Most likely means it is simply in an array with EBX as index. So just first look for whatever item is in slot 0, that makes it easier to search for offsets. In PWI this is the weapon.

Then after you find that, simply fill in whatever was the value of EBX instead of 0 as you found it the first time. EBX is unlikely to ever be different for something as static as an equipment slot.

Naturally this is pure speculation as I have never even downloaded this game, but that's how things tend to work out

Quote:

Originally Posted by plepvp

So,

1. Find Inv Struct Offset
2. +4 or -4 Offset Address

I think I'll give that a try.

I actually have one question. If I found the address to be EAX+EBX*4
How am I supposed to get a point to that? Since EBX can change.

Sigh.....found the offset, but game crashed before I can find its relationship with base address. Urgh....lost all progress.

Sigh.....found the offset, but game crashed before I can find its relationship with base address. Urgh....lost all progress.

plepvp · 09/07/2011, 16:20

yeah, actually, I figured that out.

I found the esper slot address. But...lol...as I said, game crashed before I could get it's relationship with base address. So I kinda lost all progress. Had to do it again later today.

Hopefully I'll have more success today. Although I'll still have to reverse the mem region so I can figure out what each segment stands for. Sigh....lots to do, lots to do.

plepvp · 09/09/2011, 05:55

OK, I've hit a bit of a snag, so if someone can shed some light on how to go about figuring these out. That'd be helpful.

mov ecx,[ecx+0C]
lea ecx,[ecx+eax*4]
mov eax,[ecx]

Above is what I got. Now how the hell am I supposed to figure out the offset when the registers were all overwritten?

Any help appreciated.

Interest07 · 09/09/2011, 10:05

Quote:

Originally Posted by plepvp

OK, I've hit a bit of a snag, so if someone can shed some light on how to go about figuring these out. That'd be helpful.

mov ecx,[ecx+0C]
lea ecx,[ecx+eax*4]
mov eax,[ecx]

Above is what I got. Now how the hell am I supposed to figure out the offset when the registers were all overwritten?

Any help appreciated.

Well, you trace back the opcode further to see what ecx is before this

in PWI ecx would come from the playerPointer + 0xCAC.

mov ecx, [someRegister + someOffset] <-- this might not happen in the same function as your other code, so be sure to check what calls the function containing your opcode

................

some code

................

[ecx + 0x10] <--- contains the size of your inventory
mov ecx,[ecx+0C] <--- sets ecx to the start of a list of pointers, all offset by 4 * index
lea ecx,[ecx+eax*4] <--- eax is the index, it sets ecx equal to the what ecx was + eax * 4. Note that lea means you don't resolve a pointer but simply perform arithmetics on pointers / addresses
mov eax,[ecx] <--- eax now contains the beginning of the item struct

plepvp · 09/09/2011, 10:32

Actually, I figured it out.
I just went and set a BP @ the first line and then just follow the registers.

Thanks for the explanation though. I now see why that lea is there.

I now have the pointer to the Esper slot and the inventory struct.

Unfortunately, PWE took extra care to prevent any change made to the ID of the esper. So I couldn't see the details of the esper on client side. All it does is gives ITEM FAIL msg. Oh well.