
Reverse engineering JABIA character config

Stan Bobovych edited this page Aug 14, 2015 · 2 revisions

At 0x567E12, I spotted a use of the string ShotgunAdept, put a breakpoint on it, and hit the breakpoint when loading a save game.

00551040  /$ 81EC E0000000  SUB ESP,0E0
00551046  |. 53             PUSH EBX
00551047  |. 55             PUSH EBP
00551048  |. 8BAC24 EC00000>MOV EBP,DWORD PTR SS:[ESP+EC]
0055104F  |. 56             PUSH ESI
00551050  |. 57             PUSH EDI
00551051  |. 68 D8B47200    PUSH GameJABi.0072B4D8                   ;  ASCII "characters.txt"
00551056  |. 51             PUSH ECX
00551057  |. 50             PUSH EAX
00551058  |. 51             PUSH ECX
00551059  |. 8D5424 28      LEA EDX,DWORD PTR SS:[ESP+28]
0055105D  |. 52             PUSH EDX
0055105E  |. E8 DD24EBFF    CALL GameJABi.00403540

I scanned for 9500 (Barry's hiring fee) before loading the save and again after, and found a new address that contained this value. Looking around it, I saw Barry's data structure.

Next time, I put breakpoints on a few function calls and stepped through the code to find where the data structure was created.

0055121D  |. 51             |PUSH ECX                                ; /Arg3 
0055121E  |. 52             |PUSH EDX                                ; |Arg2
0055121F  |. 50             |PUSH EAX                                ; |Arg1 // pointer to struct
00551220  |. 8D8424 9000000>|LEA EAX,DWORD PTR SS:[ESP+90]           ; |
00551227  |. E8 C4670100    |CALL GameJABi.005679F0                  ; \GameJABi.005679F0 // after this data structure is in memory
0055122C  |. EB 02          |JMP SHORT GameJABi.00551230
0055122E  |> 33C0           |XOR EAX,EAX

Changing this value in memory changed the value in the game. The number of bytes between structs is 472.

00567E0A  |. 50             |PUSH EAX                                ; /Arg1
00567E0B  |. 8BCB           |MOV ECX,EBX                             ; |
00567E0D  |. E8 4E9BF7FF    |CALL GameJABi.004E1960                  ; \GameJABi.004E1960
00567E12  |. B8 E0CC7200    |MOV EAX,GameJABi.0072CCE0               ;  ASCII "ShotgunAdept"
00567E17  |. 8D7C24 34      |LEA EDI,DWORD PTR SS:[ESP+34]
00567E1B  |. E8 10A5F2FF    |CALL GameJABi.00492330
00567E20  |. 8B7C24 54      |MOV EDI,DWORD PTR SS:[ESP+54]
00567E24  |. 8B8F 74010000  |MOV ECX,DWORD PTR DS:[EDI+174]
00567E2A  |. 2B8F 70010000  |SUB ECX,DWORD PTR DS:[EDI+170]
00567E30  |. 81C7 64010000  |ADD EDI,164
00567E36  |. C1F9 02        |SAR ECX,2
00567E39  |. 83F9 03        |CMP ECX,3
00567E3C  |. 73 19          |JNB SHORT GameJABi.00567E57
00567E3E  |. 8D5424 58      |LEA EDX,DWORD PTR SS:[ESP+58]
00567E42  |. 52             |PUSH EDX                                ; /Arg1
00567E43  |. 894424 5C      |MOV DWORD PTR SS:[ESP+5C],EAX           ; |
00567E47  |. E8 44010000    |CALL GameJABi.00567F90                  ; \GameJABi.00567F90
00567E4C  |. EB 09          |JMP SHORT GameJABi.00567E57
00567E4E  |> 6A 00          |PUSH 0                                  ; /Arg1 = 00000000
00567E50  |. 8BCB           |MOV ECX,EBX                             ; |
00567E52  |. E8 899AF7FF    |CALL GameJABi.004E18E0                  ; \GameJABi.004E18E0
00567E57  |> 6A 00          |PUSH 0                                  ; /Arg1 = 00000000
00567E59  |. 8BCB           |MOV ECX,EBX                             ; |
00567E5B  |. E8 8099F7FF    |CALL GameJABi.004E17E0                  ; \GameJABi.004E17E0
00567E60  |. 84C0           |TEST AL,AL
00567E62  |.^0F85 88FCFFFF  \JNZ GameJABi.00567AF0

This is the bottom of the loop where each character's config is read and its data structure filled. Putting a breakpoint on the JNZ and watching the memory with Cheat Engine, I could see the struct being filled. This was especially handy for figuring out how traits are set: it is done through a pointer to a list.

00567E7B  |. 8BC7           MOV EAX,EDI
00567E7D  |. 5F             POP EDI
00567E7E  |. 5E             POP ESI
00567E7F  |. 5D             POP EBP
00567E80  |. 5B             POP EBX
00567E81  |. 83C4 40        ADD ESP,40
00567E84  \. C2 0C00        RETN 0C // pointer to character config struct in EAX

After hooking the return and printing the address of each parsed config, I used Cheat Engine to cross-reference and figure out the fields.

It turns out the JABIA character data structure has a pointer to the character config data structure at offset 0xC.
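As an added illustration (not code from this wiki or from the game), the C below models the two layout facts above, the config pointer at +0xC of the character struct and the list size computed from +0x170/+0x174 just before the CMP ECX,3 at the loop tail, against a constructed 32-bit memory dump. Treating the object in EDI at 0x567E24 as the config struct, and the list entries as 4-byte pointers, are my assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Layout from the notes: configs 472 bytes apart, config pointer at +0xC of the
 * character struct, and at 0x567E24 a list with begin/end at +0x170/+0x174 of the
 * object in EDI, sized as (end - begin) >> 2 and compared with 3. ASSUMED: that
 * object is the config struct and the entries are 4-byte pointers. */
#define CONFIG_STRIDE       472
#define CHAR_CONFIG_PTR_OFF 0x0C
#define TRAIT_BEGIN_OFF     0x170
#define TRAIT_END_OFF       0x174
#define MAX_TRAITS          3
#define BASE     0x02000000u  /* constructed load address of the dump  */
#define MEM_SIZE 0x730u       /* constructed 32-bit little-endian dump */
static uint8_t mem[MEM_SIZE];

/* Bounds-checked 32-bit read at a 32-bit "address"; 0 if outside the dump. */
static int rd32(uint32_t addr, uint32_t *out) {
    if (addr < BASE || addr - BASE > MEM_SIZE - 4) return 0;
    memcpy(out, mem + (addr - BASE), 4);
    return 1;
}
static void wr32(uint32_t addr, uint32_t v) { memcpy(mem + (addr - BASE), &v, 4); }

/* Constructed dump: 3 configs at BASE (stride 472) with 2, 3 and 0 traits in a
 * pool at +0x600, and 3 character structs at +0x700 whose +0xC points at their config. */
void build_dump(void) {
    static const uint32_t ntraits[3] = {2, 3, 0};
    uint32_t pool = BASE + 0x600;
    for (int i = 0; i < 3; i++) {
        uint32_t cfg = BASE + i * CONFIG_STRIDE;
        wr32(cfg + TRAIT_BEGIN_OFF, pool);
        wr32(cfg + TRAIT_END_OFF, pool + 4 * ntraits[i]);
        pool += 4 * ntraits[i];
        wr32(BASE + 0x700 + i * 16 + CHAR_CONFIG_PTR_OFF, cfg);
    }
}

/* [character + 0xC] -> config address; 0 when the read leaves the dump. */
uint32_t config_of(uint32_t character) {
    uint32_t cfg;
    return rd32(character + CHAR_CONFIG_PTR_OFF, &cfg) ? cfg : 0;
}

/* (end - begin) >> 2 as in the SUB/SAR pair at 0x567E2A..0x567E36; -1 on bad pointers. */
int trait_count(uint32_t cfg) {
    uint32_t b, e;
    if (!rd32(cfg + TRAIT_BEGIN_OFF, &b) || !rd32(cfg + TRAIT_END_OFF, &e) || e < b) return -1;
    return (int)((e - b) >> 2);
}

/* CMP ECX,3 / JNB at 0x567E39: the call at 0x567E47 runs only when count < 3. */
int takes_fill_branch(uint32_t cfg) { int n = trait_count(cfg); return n >= 0 && n < MAX_TRAITS; }
```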