Hooking item creation functions
Once I had reverse engineered most of the item data structures, I wanted to store the items in lists. The first step was to search for all the places where weapons.txt was being used. One function looked like this:
005A5BCB . 51 PUSH ECX
005A5BCC . 68 4C2D7300 PUSH GameJABi.00732D4C ; ASCII "configs/weapons.txt"
005A5BD1 . 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
005A5BD5 . 55 PUSH EBP
005A5BD6 . 52 PUSH EDX
005A5BD7 . BB 01000000 MOV EBX,1
005A5BDC . E8 8FD8E5FF CALL GameJABi.00403470
005A5BE1 . 83C4 0C ADD ESP,0C
005A5BE4 . 50 PUSH EAX ; |Arg2
005A5BE5 . 56 PUSH ESI ; |Arg1
005A5BE6 . E8 55020200 CALL GameJABi.005C5E40 ; \GameJABi.005C5E40
From that point, I traced through the functions until I could see one of the weapons in memory. For example, the first few bytes of the AK 47 record look like this:
00 00 00 00 01 00 00 00 0F 01 00 00 01 00 00 00 88 0E 00 00 CC 10 00 00 01 00 00 00 00 00 00 00
Once I found the function where the data structure for the weapons was filled in, I placed a return hook at its RETN, in which I recorded the weapon in a list. Here is where the return hook went:
0052E323 |. 5F POP EDI
0052E324 |. 5E POP ESI
0052E325 |. 8BC3 MOV EAX,EBX
0052E327 |. 5B POP EBX
0052E328 \. C2 0800 RETN 8
This hook gets executed for each weapon during game loading time.
I repeated the same process for weapon attachments.
0052E566 . E8 F5000000 CALL GameJABi.0052E660
0052E56B . 8BC6 MOV EAX,ESI
0052E56D . 5E POP ESI
0052E56E . C2 0800 RETN 8
Clothing
.text:005A5C22 push eax
.text:005A5C23 push offset aConfigsClothin ; "configs/clothings.txt"
.text:005A5C28 lea ecx, [esp+54h+var_38]
.text:005A5C2C push ebp
.text:005A5C2D push ecx
.text:005A5C2E or ebx, 2
.text:005A5C31 call sub_403470
.text:005A5C36 add esp, 0Ch
.text:005A5C39 push eax
.text:005A5C3A push esi
.text:005A5C3B call sub_5C6560
.text:005A5C40 jmp short loc_5A5C44
Search for the pattern: 02 00 00 00 CE 04
0052E3BB . 8BC6 MOV EAX,ESI
0052E3BD . 5E POP ESI
0052E3BE . C2 0800 RETN 8
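As an added example (not code from the original post), here is the kind of byte-pattern scanner used to locate records like the AK 47 bytes above and the clothing pattern 02 00 00 00 CE 04 in a memory dump, plus a helper that decodes the little-endian 32-bit fields of a record once found. The sample buffer is constructed for the example: it holds the quoted AK 47 bytes, some filler, and a record that starts with the quoted clothing pattern; the field meanings are not known from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample memory: the 32 AK 47 bytes quoted above, unrelated filler,
   then a record beginning with the clothing pattern "02 00 00 00 CE 04". */
static const uint8_t sample_memory[] = {
    0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x0F,0x01,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x88,0x0E,0x00,0x00, 0xCC,0x10,0x00,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0xAA,0xBB,0xCC,0xDD, 0xEE,0xFF,0x11,0x22,                      /* filler */
    0x02,0x00,0x00,0x00, 0xCE,0x04,0x00,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

/* Scan hay[0..hay_len) for a debugger-style pattern such as "02 00 00 00 CE 04";
   a "??" token matches any byte. Returns the offset of the first match, or -1. */
long find_pattern(const uint8_t *hay, size_t hay_len, const char *pattern) {
    uint8_t needle[64], wild[64];
    size_t n = 0;
    for (const char *p = pattern; n < sizeof needle; p += 2, n++) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (p[1] == '\0') return -1;               /* odd-length token: malformed */
        if (p[0] == '?') { wild[n] = 1; needle[n] = 0; continue; }
        unsigned v;
        if (sscanf(p, "%2x", &v) != 1) return -1;  /* not a hex byte */
        wild[n] = 0; needle[n] = (uint8_t)v;
    }
    if (n == 0 || n > hay_len) return -1;
    for (size_t i = 0; i + n <= hay_len; i++) {
        size_t j = 0;
        while (j < n && (wild[j] || hay[i + j] == needle[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Decode the k-th little-endian 32-bit field of the record at offset. */
uint32_t field32(const uint8_t *hay, size_t offset, size_t k) {
    const uint8_t *b = hay + offset + 4 * k;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

int main(void) {
    long ak = find_pattern(sample_memory, sizeof sample_memory, "00 00 00 00 01 00 00 00 0F 01");
    long cloth = find_pattern(sample_memory, sizeof sample_memory, "02 00 00 00 CE 04");
    printf("AK 47 record at +%ld, third dword = %u\n", ak, field32(sample_memory, (size_t)ak, 2));
    printf("clothing record at +%ld, second dword = %u\n", cloth, field32(sample_memory, (size_t)cloth, 1));
    return 0;
}
```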