Reversing XP updating
XP gained from actions is updated in the routine below, which has the shape of `_thiscall update_xp(void * this, int add_exp)`; note that the second argument is passed in a register rather than on the stack:
EAX has add_exp
ECX has this *
// update_xp — GameJABiA.exe+14C470
// In:   ECX = character object (this), EAX = add_exp (treated as signed by the first check)
// Out:  AL = 1 if the level-up loop ran, else 0 (only AL is written; the upper bytes of EAX are left as-is)
// Fields read/written below: [ecx+0C] = level, [ecx+10] = exp, [ecx+14] = training points
// Tables: GameJABiA.exe+31DF84 = exp required per level (dwords, indexed by the current level)
//         GameJABiA.exe+31DFAC = training points per level (dwords, indexed by the new level)
// Note:  add_exp is checked with a signed jle, the exp cap and level limit with unsigned jae/jb;
//        the 23000 cap is tested on the old exp, so the stored total can end up above it.
GameJABiA.exe+14C470 - 56 - push esi // save esi (callee-saved); esi does not hold the exp increase yet
GameJABiA.exe+14C471 - 8B F0 - mov esi,eax // esi = add_exp
GameJABiA.exe+14C473 - 32 C0 - xor al,al // al = 0 (return value false); clears only the low byte of eax, not the whole register
GameJABiA.exe+14C475 - 85 F6 - test esi,esi // add_exp <= 0 ?
GameJABiA.exe+14C477 - 7E 40 - jle GameJABiA.exe+14C4B9 // signed: if add_exp <= 0, return 0
GameJABiA.exe+14C479 - 8B 51 10 - mov edx,[ecx+10] // edx = current exp from the character structure (ecx = this)
GameJABiA.exe+14C47C - 81 FA D8590000 - cmp edx,000059D8 // current exp >= 23000 (0x59D8)?
GameJABiA.exe+14C482 - 73 35 - jae GameJABiA.exe+14C4B9 // unsigned: if yes, return 0 (exp cap)
GameJABiA.exe+14C484 - 03 F2 - add esi,edx // esi = current exp + add_exp (no overflow check)
GameJABiA.exe+14C486 - 83 79 0C 0A - cmp dword ptr [ecx+0C],0A // level >= 10? (flags survive the mov on the next line)
GameJABiA.exe+14C48A - 89 71 10 - mov [ecx+10],esi // store the new exp unconditionally, even if it passed the cap
GameJABiA.exe+14C48D - 73 2A - jae GameJABiA.exe+14C4B9 // unsigned: if level >= 10, return 0 (no level-up loop)
GameJABiA.exe+14C48F - 90 - nop // padding before the loop head
GameJABiA.exe+14C490 - 8B 51 0C - mov edx,[ecx+0C] // loop head: edx = level (< 10 here, so the table index below is bounded)
GameJABiA.exe+14C493 - 3B 34 95 84DF7100 - cmp esi,[edx*4+GameJABiA.exe+31DF84] // new exp vs exp required for the next level
GameJABiA.exe+14C49A - 72 1D - jb GameJABiA.exe+14C4B9 // unsigned: if new exp < required, return (al is 0, or 1 from an earlier pass)
GameJABiA.exe+14C49C - 83 FA 0A - cmp edx,0A // level >= 10?
GameJABiA.exe+14C49F - 73 10 - jae GameJABiA.exe+14C4B1 // if yes, skip the increment (appears unreachable given the checks at +14C486 and +14C4B1)
GameJABiA.exe+14C4A1 - 8D 42 01 - lea eax,[edx+01] // eax = level + 1
GameJABiA.exe+14C4A4 - 89 41 0C - mov [ecx+0C],eax // store the new level
GameJABiA.exe+14C4A7 - 8B 04 85 ACDF7100 - mov eax,[eax*4+GameJABiA.exe+31DFAC] // eax = training points granted for the new level
GameJABiA.exe+14C4AE - 01 41 14 - add [ecx+14],eax // add training points
GameJABiA.exe+14C4B1 - 83 79 0C 0A - cmp dword ptr [ecx+0C],0A // level < 10? (flags survive the mov on the next line)
GameJABiA.exe+14C4B5 - B0 01 - mov al,01 // return value true: a level-up pass ran
GameJABiA.exe+14C4B7 - 72 D7 - jb GameJABiA.exe+14C490 // unsigned: loop while level < 10, so one call can grant several levels
GameJABiA.exe+14C4B9 - 5E - pop esi // restore esi
GameJABiA.exe+14C4BA - C3 - ret // result in AL
_asm{
// Patched copy of update_xp (GameJABiA.exe+14C470) used as a hook.
// In:  ECX = character (this), EAX = add_exp.  Out: AL = the original's return value.
// Differences from the original: training points are forced to 2 per level (the table
// lookup is kept but its result is overwritten), and changeCharacterStats is called
// before returning. jmp1 is also the target of every early-return jump, so that call
// runs even when no XP was applied.
// NOTE(review): the absolute table addresses 0x71DF84/0x71DFAC equal
// GameJABiA.exe+0x31DF84/+0x31DFAC only for an image base of 0x400000 — confirm the
// module is loaded at that base before relying on them.
push esi // save esi (callee-saved)
mov esi,eax // esi = add_exp
xor al,al // al = 0 (return value false); only the low byte of eax is cleared
test esi,esi // add_exp <= 0 ?
jle jmp1 // signed: if add_exp <= 0 jump to return, else continue
mov edx,DWORD PTR DS:[ecx+0x10] // edx = current exp from the character structure (ecx = this; its offset inside the containing object is not established here)
cmp edx,0x000059D8 // current exp >= 23000?
jae jmp1 // unsigned: if yes, return
add esi,edx // esi = current exp + add_exp
cmp DWORD PTR DS: [ecx+0x0C],0x0A // level >= 10? (flags survive the mov on the next line)
mov DWORD PTR DS:[ecx+0x10],esi // store the new exp in the character structure
jae jmp1 // unsigned: if level >= 10, return
nop
jmp3:
mov edx,DWORD PTR DS:[ecx+0x0C] // loop head: edx = current level (< 10 here)
CMP ESI,DWORD PTR DS:[EDX*4+0x71DF84] // new exp vs exp required for the next level (table indexed by current level)
jb jmp1 // unsigned: if new exp < required, return
cmp edx,0x0A // current level >= 10?
jae jmp2 // if yes, skip the increment
lea eax,DWORD PTR DS:[edx+0x01] // eax = level + 1
mov DWORD PTR DS:[ecx+0x0C],eax // store the new level in the character structure
MOV EAX,DWORD PTR DS:[EAX*4+0x71DFAC] // original lookup of the training points for the new level; the result is dead, it is overwritten on the next line
mov eax, 0x2 // patch: always grant 2 training points
add DWORD PTR DS:[ecx+0x14],eax // add 2 training points to the character structure
jmp2:
cmp DWORD PTR DS: [ecx+0x0C],0x0A // current level < 10? (flags survive the mov on the next line)
mov al,0x01 // return value true: a level-up pass ran
jb jmp3 // unsigned: loop while level < 10
jmp1:
push ecx // pass the character pointer (and keep a copy of ecx)
call changeCharacterStats // custom function to increase stats. NOTE(review): eax/edx are caller-saved, so AL set above is lost unless changeCharacterStats preserves eax — confirm
pop ecx // restores ecx and removes the pushed argument; correct only if changeCharacterStats is cdecl — if it is stdcall the callee already popped the argument and this would pop the saved esi instead. Confirm the declaration
pop esi // restore esi
ret
}
Every time a character gains XP, a message shows up over the character with the number of XP gained.
// Before this, 5 was pushed on the stack and EBX held " XP"
// This parameter determines the color of the text: 5 = blue, 2 = red and teal, 0 = teal and blurry
// GameJABi.00416900 — called from the switch cases at 005AA0F2–005AA16C below.
// In:  EAX = object, plus one stack argument (the color code the caller pushes: 0, 2, 4 or 5)
// Out: EAX = pointer (EDI+10 at the RETN below); RETN 4 pops the stack argument (callee cleans)
// Clobbers: ECX, EDX (EBX/ESI/EDI are saved and restored)
// The listing stops at the RETN, but two jumps below target 0041695F/00416963, past it:
// the function continues beyond what is shown here.
00416900 55 PUSH EBP ; frame pointer
00416901 8BEC MOV EBP,ESP
00416903 83E4 F8 AND ESP,FFFFFFF8 ; align ESP to 8
00416906 83EC 0C SUB ESP,0C ; 0xC bytes of locals
00416909 53 PUSH EBX ; save callee-saved registers
0041690A 56 PUSH ESI
0041690B 57 PUSH EDI
0041690C 8BF8 MOV EDI,EAX ; EDI = object passed in EAX
0041690E 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8] ; EAX = address of the stack argument (color code)
00416911 50 PUSH EAX ; arg: &color
00416912 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14] ; ECX = address of a local slot
00416916 81C7 E8000000 ADD EDI,0E8 ; EDI = &object->field_E8 (struct layout not established here)
0041691C 51 PUSH ECX ; arg: &local
0041691D E8 9EC1FFFF CALL GameJABi.00412AC0 ; (&local, &color); ECX still holds &local, may be a this pointer — not confirmed here
00416922 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10] ; ESI = a stack slot written around the call above (exact slot depends on how 00412AC0 cleans its arguments)
00416926 8B5F 18 MOV EBX,DWORD PTR DS:[EDI+18] ; EBX = [object+E8+18]
00416929 8B3F MOV EDI,DWORD PTR DS:[EDI] ; EDI = [object+E8]
0041692B 85F6 TEST ESI,ESI ; ESI == 0 ?
0041692D 74 04 JE SHORT GameJABi.00416933 ; if so, take the 006AE57F path
0041692F 3BF7 CMP ESI,EDI ; ESI == [object+E8] ?
00416931 74 05 JE SHORT GameJABi.00416938 ; if so, skip the call
00416933 E8 477C2900 CALL GameJABi.006AE57F ; no arguments, result unused; reached from the failure checks here and twice below — purpose not visible in this listing
00416938 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14] ; EDI = the local slot passed to 00412AC0
0041693C 3BFB CMP EDI,EBX ; EDI == [object+E8+18] ?
0041693E 74 23 JE SHORT GameJABi.00416963 ; target lies past the RETN below
00416940 85F6 TEST ESI,ESI
00416942 75 1B JNZ SHORT GameJABi.0041695F ; target lies past the RETN below
00416944 E8 367C2900 CALL GameJABi.006AE57F ; ESI == 0 path
00416949 3B7E 18 CMP EDI,DWORD PTR DS:[ESI+18] ; note: ESI is 0 on this path, so this reads [0+18]
0041694C 75 05 JNZ SHORT GameJABi.00416953
0041694E E8 2C7C2900 CALL GameJABi.006AE57F
00416953 8D47 10 LEA EAX,DWORD PTR DS:[EDI+10] ; return value: pointer EDI+10
00416956 5F POP EDI ; restore callee-saved registers
00416957 5E POP ESI
00416958 5B POP EBX
00416959 8BE5 MOV ESP,EBP
0041695B 5D POP EBP
0041695C C2 0400 RETN 4 ; pop the one stack argument
// this function seems to be called every time a refresh happens
// GameJABi.005A9B10 — entry of the routine that contains the switch at 005A9FEC (cases listed further below).
// In:  [EBP+8] = arg1, [EBP+C] = arg2 (stack arguments)
// This listing is a fragment: it ends after the second call and the function continues.
005A9B10 55 PUSH EBP ; frame pointer
005A9B11 8BEC MOV EBP,ESP
005A9B13 83E4 C0 AND ESP,FFFFFFC0 ; align ESP to 64
005A9B16 D9EE FLDZ ; st0 = 0.0
005A9B18 81EC F4040000 SUB ESP,4F4 ; 0x4F4 bytes of locals
005A9B1E 53 PUSH EBX ; save callee-saved registers
005A9B1F 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C] ; EBX = arg2
005A9B22 56 PUSH ESI
005A9B23 57 PUSH EDI
005A9B24 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] ; EDI = arg1
005A9B27 83EC 0C SUB ESP,0C ; room for three 4-byte (float) arguments
005A9B2A D95424 08 FST DWORD PTR SS:[ESP+8] ; arg3 = 0.0 (st0 kept)
005A9B2E 8D4C24 78 LEA ECX,DWORD PTR SS:[ESP+78] ; ECX = address of a local (this pointer for the call below — assumed, not confirmed here)
005A9B32 D947 70 FLD DWORD PTR DS:[EDI+70] ; push the float at arg1+70
005A9B35 D95C24 04 FSTP DWORD PTR SS:[ESP+4] ; arg2 = [arg1+70]
005A9B39 D91C24 FSTP DWORD PTR SS:[ESP] ; arg1 = 0.0; FPU stack is balanced again
005A9B3C E8 AF58E6FF CALL GameJABi.0040F3F0 ; (0.0, [arg1+70], 0.0) with ECX = &local
005A9B41 50 PUSH EAX ; pass the result of the call above
005A9B42 8D8424 D0000000 LEA EAX,DWORD PTR SS:[ESP+D0]
005A9B49 50 PUSH EAX ; pass the address of another local
005A9B4A 8D4F 64 LEA ECX,DWORD PTR DS:[EDI+64] ; ECX = &arg1->field_64
005A9B4D E8 6E31E7FF CALL GameJABi.0041CCC0 ; listing ends here; the routine continues
Case 4 must be the enemy-hit case.
// Cases of the switch at 005A9FEC inside GameJABi.005A9B10 (fragment: cases 5, 4 and default).
// Each case pushes a color code and calls 00416900 with EAX = [ESP+78]; case 5 and case 4 then
// copy three dwords from the returned pointer into [ESP+98], [ESP+9C] and [ESP+A0].
// Note that case 5 and case 4 both end by jumping to the default case, so 00416900 is called
// a second time with color 5 on those paths.
005AA0F2 |. /EB 72 JMP SHORT GameJABi.005AA166 ; end of the preceding case: jump to the default case
005AA0F4 |> |8B4424 78 MOV EAX,DWORD PTR SS:[ESP+78] ; Case 5 of switch 005A9FEC // This is the case for XP increase; EAX = register argument for 00416900
005AA0F8 |. |6A 00 PUSH 0 ; /Arg1 = 00000000 — color code 0
005AA0FA |. |C74424 60 2B0>MOV DWORD PTR SS:[ESP+60],2B ; | local = 0x2B (meaning not visible here)
005AA102 |. |E8 F9C7E6FF CALL GameJABi.00416900 ; \GameJABi.00416900 — returns a pointer in EAX
005AA107 |. |8B08 MOV ECX,DWORD PTR DS:[EAX] ; copy dword 0 of the result
005AA109 |. |898C24 980000>MOV DWORD PTR SS:[ESP+98],ECX
005AA110 |. |33C9 XOR ECX,ECX ; ECX = 0 (loop counter)
005AA112 |. |83C0 04 ADD EAX,4 ; advance to dword 1
005AA115 |> |8B10 /MOV EDX,DWORD PTR DS:[EAX] ; loop: copy dwords 1 and 2
005AA117 |. |89948C 9C0000>|MOV DWORD PTR SS:[ESP+ECX*4+9C],EDX
005AA11E |. |41 |INC ECX
005AA11F |. |83C0 04 |ADD EAX,4
005AA122 |. |83F9 02 |CMP ECX,2
005AA125 |.^|72 EE \JB SHORT GameJABi.005AA115 ; two iterations
005AA127 |. |BB 14307300 MOV EBX,GameJABi.00733014 ; UNICODE " XP" — suffix shown after the XP number
005AA12C |. |EB 38 JMP SHORT GameJABi.005AA166 ; fall into the default case
005AA12E |> |8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; Case 4 of switch 005A9FEC — EAX = arg1 of 005A9B10
005AA131 |. |8378 04 02 CMP DWORD PTR DS:[EAX+4],2 ; selects the color code: 4 if [arg1+4] == 2, else 2
005AA135 |. |8B4424 78 MOV EAX,DWORD PTR SS:[ESP+78] ; EAX = register argument for 00416900 (flags preserved)
005AA139 |. |75 04 JNZ SHORT GameJABi.005AA13F
005AA13B |. |6A 04 PUSH 4 ; color code 4
005AA13D |. |EB 02 JMP SHORT GameJABi.005AA141
005AA13F |> |6A 02 PUSH 2 ; /Arg1 = 00000002 — color code 2
005AA141 |> |E8 BAC7E6FF CALL GameJABi.00416900 ; \GameJABi.00416900
005AA146 |. |8B08 MOV ECX,DWORD PTR DS:[EAX] ; same three-dword copy as in case 5
005AA148 |. |898C24 980000>MOV DWORD PTR SS:[ESP+98],ECX
005AA14F |. |33C9 XOR ECX,ECX
005AA151 |. |83C0 04 ADD EAX,4
005AA154 |> |8B10 /MOV EDX,DWORD PTR DS:[EAX]
005AA156 |. |89948C 9C0000>|MOV DWORD PTR SS:[ESP+ECX*4+9C],EDX
005AA15D |. |41 |INC ECX
005AA15E |. |83C0 04 |ADD EAX,4
005AA161 |. |83F9 02 |CMP ECX,2
005AA164 |.^|72 EE \JB SHORT GameJABi.005AA154
005AA166 |> \8B4424 78 MOV EAX,DWORD PTR SS:[ESP+78] ; Default case of switch 005A9FEC — also reached from cases 5 and 4
005AA16A |. 6A 05 PUSH 5 ; /Arg1 = 00000005 — color code 5
005AA16C |. E8 8FC7E6FF CALL GameJABi.00416900 ; \GameJABi.00416900 — listing ends here