Cheat Engine The Official Site of Cheat Engine
eviltidus How do I cheat?
Reputation: 0
Joined: 20 Feb 2008 Posts: 4
Posted: Wed Mar 17, 2010 9:47 am Post subject: How to make an "experience multiplier" code?
Hi guys.
The question is in the subject: I'd like to know how to make these kinds of codes. Well, actually I don't even know if it's doable with Cheat Engine, and if it is, it should be game specific, but if there is a general way to do it, or if you have some advice for me, I'd like to hear it. Thanks
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25828 Location: The netherlands
Posted: Wed Mar 17, 2010 12:31 pm Post subject:
Just find the code that assigns experience, and then shl the value one or multiple times for a multiplication.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
eviltidus How do I cheat?
Reputation: 0
Joined: 20 Feb 2008 Posts: 4
Posted: Wed Mar 17, 2010 1:57 pm Post subject:
Thanks for the answer. I'll try that, but... I don't quite get why a shl would make a multiplication. I've read some asm tuts today, and I have some basic knowledge of binary numbers, but I don't see any multiplication there.
Edit: never mind, I understood that a shl actually makes a multiplication.
Edit2: Thanks, it works, but I'd like someone to tell me if my code is good or if it can be improved (I've just learned about asm today so I'm not really confident).
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
0040D7C1:
jmp newmem //the 5-byte jmp overwrites the 7-byte add ax,[esi+0046b2e6]
nop        //two nops pad the remaining bytes of the original instruction
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
originalcode:
push bx
mov bx,[esi+0046b2e6] //xp gained from this event
shl bx,2              //x4
add ax,bx             //ax holds the current xp
pop bx
exit:
jmp returnhere //continue at the instruction after the hook
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0040D7C1:
add ax,[esi+0046b2e6]
ax is my current xp, and [esi+0046b2e6] is the number which is added to my xp.
Edit again: There's still something I don't understand. Why do we have to nop, and what does the
"exit:
jmp returnhere"
do? Doesn't that make the whole script loop?
Xionanx Newbie cheater
Reputation: 0
Joined: 28 Feb 2013 Posts: 22
Posted: Thu Feb 28, 2013 10:57 am Post subject: Necro'ing this thread rather than starting a new one:
I have the same issue/question, and the replies to this thread seem to be the only relevant information on the subject I can find anywhere on the internet.
What I am trying to do is multiply the EXP and GOLD awarded at the end of a fight in an RPG to be double/triple/whatever the base would be.
Relevant info on the matter:
This is an emulator (PSXFin 1.13) playing Tales of Phantasia, translated to English using Phantasia Productions' English translation patch. I have been able to locate the pointers for EXP, GALD, and even the NPC movement grid for that annoying "Mach Boy" race so I can lock him in place when I race him. I "could" just give myself infinite exp at this point and call it a day, however that's not what I want to do.
Anyway, after locating the EXP pointer, and then looking at the code for when EXP is assigned in battle + after battle, I can't seem to locate where or how to slip in a multiplier for the EXP assignments. It seems that every enemy killed adds its EXP to a pool, and then when the battle is won the EXP in the pool is displayed on screen and given to the characters.
The code section here is what I seem to be working with:
Code:
psxfin.exe+1B9A7 - 89 C2 - mov edx,eax
psxfin.exe+1B9A9 - C1 EA 07 - shr edx,07
psxfin.exe+1B9AC - 81 E2 F8FFFFFF - and edx,FFFFFFF8
psxfin.exe+1B9B2 - 8B 1D C0995800 - mov ebx,[psxfin.exe+1899C0]
psxfin.exe+1B9B8 - 03 53 10 - add edx,[ebx+10]
psxfin.exe+1B9BB - 81 3A 00000000 - cmp [edx],00000000
psxfin.exe+1B9C1 - 74 53 - je psxfin.exe+1BA16
psxfin.exe+1B9C3 - 89 C6 - mov esi,eax
psxfin.exe+1B9C5 - 25 FC030000 - and eax,000003FC
psxfin.exe+1B9CA - 66 3B 42 04 - cmp ax,[edx+04]
psxfin.exe+1B9CE - 77 04 - ja psxfin.exe+1B9D4
psxfin.exe+1B9D0 - 66 89 42 04 - mov [edx+04],ax
psxfin.exe+1B9D4 - 0D 03000000 - or eax,0003
psxfin.exe+1B9D9 - 66 3B 42 06 - cmp ax,[edx+06]
psxfin.exe+1B9DD - 72 04 - jb psxfin.exe+1B9E3
psxfin.exe+1B9DF - 66 89 42 06 - mov [edx+06],ax
psxfin.exe+1B9E3 - 89 F0 - mov eax,esi
psxfin.exe+1B9E5 - 2B 05 C4995800 - sub eax,[psxfin.exe+1899C4]
psxfin.exe+1B9EB - 3D 00C0FFFF - cmp eax,FFFFC000
psxfin.exe+1B9F0 - 78 24 - js psxfin.exe+1BA16
psxfin.exe+1B9F2 - 3D 00400000 - cmp eax,00004000
psxfin.exe+1B9F7 - 79 1D - jns psxfin.exe+1BA16
psxfin.exe+1B9F9 - 8B 04 24 - mov eax,[esp]
psxfin.exe+1B9FC - 55 - push ebp
psxfin.exe+1B9FD - 57 - push edi
psxfin.exe+1B9FE - 8B 0D C0995800 - mov ecx,[psxfin.exe+1899C0]
psxfin.exe+1BA04 - 56 - push esi
psxfin.exe+1BA05 - 50 - push eax
psxfin.exe+1BA06 - 52 - push edx
psxfin.exe+1BA07 - E8 A4910200 - call psxfin.exe+44BB0
psxfin.exe+1BA0C - 5F - pop edi
psxfin.exe+1BA0D - 5D - pop ebp
psxfin.exe+1BA0E - 85 C0 - test eax,eax
psxfin.exe+1BA10 - 74 04 - je psxfin.exe+1BA16
psxfin.exe+1BA12 - 89 C6 - mov esi,eax
psxfin.exe+1BA14 - 58 - pop eax
psxfin.exe+1BA15 - C3 - ret
psxfin.exe+1BA16 - C3 - ret
psxfin.exe+1BA17 - 89 C2 - mov edx,eax
psxfin.exe+1BA19 - C1 EA 07 - shr edx,07
psxfin.exe+1BA1C - 81 E2 F8FFFFFF - and edx,FFFFFFF8
psxfin.exe+1BA22 - 8B 1D C0995800 - mov ebx,[psxfin.exe+1899C0]
psxfin.exe+1BA28 - 03 53 10 - add edx,[ebx+10]
psxfin.exe+1BA2B - 81 3A 00000000 - cmp [edx],00000000
psxfin.exe+1BA31 - 74 53 - je psxfin.exe+1BA86
psxfin.exe+1BA33 - 89 C6 - mov esi,eax
psxfin.exe+1BA35 - 25 F8030000 - and eax,000003F8
psxfin.exe+1BA3A - 66 3B 42 04 - cmp ax,[edx+04]
psxfin.exe+1BA3E - 77 04 - ja psxfin.exe+1BA44
psxfin.exe+1BA40 - 66 89 42 04 - mov [edx+04],ax
psxfin.exe+1BA44 - 0D 07000000 - or eax,0007
psxfin.exe+1BA49 - 66 3B 42 06 - cmp ax,[edx+06]
psxfin.exe+1BA4D - 72 04 - jb psxfin.exe+1BA53
psxfin.exe+1BA4F - 66 89 42 06 - mov [edx+06],ax
psxfin.exe+1BA53 - 89 F0 - mov eax,esi
psxfin.exe+1BA55 - 2B 05 C4995800 - sub eax,[psxfin.exe+1899C4]
psxfin.exe+1BA5B - 3D 00C0FFFF - cmp eax,FFFFC000
psxfin.exe+1BA60 - 78 24 - js psxfin.exe+1BA86
psxfin.exe+1BA62 - 3D 00400000 - cmp eax,00004000
psxfin.exe+1BA67 - 79 1D - jns psxfin.exe+1BA86
psxfin.exe+1BA69 - 8B 04 24 - mov eax,[esp]
psxfin.exe+1BA6C - 55 - push ebp
psxfin.exe+1BA6D - 57 - push edi
psxfin.exe+1BA6E - 8B 0D C0995800 - mov ecx,[psxfin.exe+1899C0]
psxfin.exe+1BA74 - 56 - push esi
psxfin.exe+1BA75 - 50 - push eax
psxfin.exe+1BA76 - 52 - push edx
psxfin.exe+1BA77 - E8 34910200 - call psxfin.exe+44BB0
psxfin.exe+1BA7C - 5F - pop edi
psxfin.exe+1BA7D - 5D - pop ebp
psxfin.exe+1BA7E - 85 C0 - test eax,eax
psxfin.exe+1BA80 - 74 04 - je psxfin.exe+1BA86
psxfin.exe+1BA82 - 89 C6 - mov esi,eax
psxfin.exe+1BA84 - 58 - pop eax
psxfin.exe+1BA85 - C3 - ret
psxfin.exe+1BA86 - C3 - ret
psxfin.exe+1BA87 - 8B 0D BC995800 - mov ecx,[psxfin.exe+1899BC]
psxfin.exe+1BA8D - 23 41 2C - and eax,[ecx+2C]
psxfin.exe+1BA90 - 3B 41 18 - cmp eax,[ecx+18]
psxfin.exe+1BA93 - 79 0E - jns psxfin.exe+1BAA3
psxfin.exe+1BA95 - 23 41 1C - and eax,[ecx+1C]
psxfin.exe+1BA98 - 8B 51 30 - mov edx,[ecx+30]
psxfin.exe+1BA9B - 88 1C 10 - mov [eax+edx],bl
psxfin.exe+1BA9E - E9 04FFFFFF - jmp psxfin.exe+1B9A7
psxfin.exe+1BAA3 - 8B 49 34 - mov ecx,[ecx+34]
psxfin.exe+1BAA6 - 8B 51 04 - mov edx,[ecx+04]
psxfin.exe+1BAA9 - 85 D2 - test edx,edx
psxfin.exe+1BAAB - 74 40 - je psxfin.exe+1BAED
psxfin.exe+1BAAD - 81 C1 20000000 - add ecx,00000020
psxfin.exe+1BAB3 - 39 D0 - cmp eax,edx
psxfin.exe+1BAB5 - 7F EF - jg psxfin.exe+1BAA6
psxfin.exe+1BAB7 - 3B 41 E0 - cmp eax,[ecx-20]
psxfin.exe+1BABA - 78 EA - js psxfin.exe+1BAA6
psxfin.exe+1BABC - 8B 51 E8 - mov edx,[ecx-18]
psxfin.exe+1BABF - F7 C2 02000000 - test edx,0002
psxfin.exe+1BAC5 - 74 26 - je psxfin.exe+1BAED
psxfin.exe+1BAC7 - F7 C2 08000000 - test edx,0008
psxfin.exe+1BACD - 75 0C - jne psxfin.exe+1BADB
psxfin.exe+1BACF - 2B 41 E0 - sub eax,[ecx-20]
psxfin.exe+1BAD2 - 23 41 EC - and eax,[ecx-14]
psxfin.exe+1BAD5 - 03 41 F0 - add eax,[ecx-10]
psxfin.exe+1BAD8 - 88 18 - mov [eax],bl
psxfin.exe+1BADA - C3 - ret
psxfin.exe+1BADB - 55 - push ebp
psxfin.exe+1BADC - 89 7D 08 - mov [ebp+08],edi
psxfin.exe+1BADF - 53 - push ebx
psxfin.exe+1BAE0 - 50 - push eax
psxfin.exe+1BAE1 - 8B 49 F8 - mov ecx,[ecx-08]
psxfin.exe+1BAE4 - 8B 01 - mov eax,[ecx]
psxfin.exe+1BAE6 - FF 50 04 - call dword ptr [eax+04]
psxfin.exe+1BAE9 - 5D - pop ebp
psxfin.exe+1BAEA - 8B 7D 08 - mov edi,[ebp+08]
psxfin.exe+1BAED - C3 - ret
psxfin.exe+1BAEE - 8B 0D BC995800 - mov ecx,[psxfin.exe+1899BC]
psxfin.exe+1BAF4 - 23 41 2C - and eax,[ecx+2C]
psxfin.exe+1BAF7 - 3B 41 18 - cmp eax,[ecx+18]
psxfin.exe+1BAFA - 79 0F - jns psxfin.exe+1BB0B
psxfin.exe+1BAFC - 23 41 1C - and eax,[ecx+1C]
psxfin.exe+1BAFF - 8B 51 30 - mov edx,[ecx+30]
psxfin.exe+1BB02 - 66 89 1C 10 - mov [eax+edx],bx
psxfin.exe+1BB06 - E9 9CFEFFFF - jmp psxfin.exe+1B9A7
psxfin.exe+1BB0B - 8B 49 34 - mov ecx,[ecx+34]
psxfin.exe+1BB0E - 8B 51 04 - mov edx,[ecx+04]
psxfin.exe+1BB11 - 85 D2 - test edx,edx
psxfin.exe+1BB13 - 74 41 - je psxfin.exe+1BB56
psxfin.exe+1BB15 - 81 C1 20000000 - add ecx,00000020
psxfin.exe+1BB1B - 39 D0 - cmp eax,edx
psxfin.exe+1BB1D - 7F EF - jg psxfin.exe+1BB0E
psxfin.exe+1BB1F - 3B 41 E0 - cmp eax,[ecx-20]
psxfin.exe+1BB22 - 78 EA - js psxfin.exe+1BB0E
psxfin.exe+1BB24 - 8B 51 E8 - mov edx,[ecx-18]
psxfin.exe+1BB27 - F7 C2 02000000 - test edx,0002
psxfin.exe+1BB2D - 74 27 - je psxfin.exe+1BB56
psxfin.exe+1BB2F - F7 C2 08000000 - test edx,0008
psxfin.exe+1BB35 - 75 0D - jne psxfin.exe+1BB44
psxfin.exe+1BB37 - 2B 41 E0 - sub eax,[ecx-20]
psxfin.exe+1BB3A - 23 41 EC - and eax,[ecx-14]
psxfin.exe+1BB3D - 03 41 F0 - add eax,[ecx-10]
psxfin.exe+1BB40 - 66 89 18 - mov [eax],bx
psxfin.exe+1BB43 - C3 - ret
psxfin.exe+1BB44 - 55 - push ebp
psxfin.exe+1BB45 - 89 7D 08 - mov [ebp+08],edi
psxfin.exe+1BB48 - 53 - push ebx
psxfin.exe+1BB49 - 50 - push eax
psxfin.exe+1BB4A - 8B 49 F8 - mov ecx,[ecx-08]
psxfin.exe+1BB4D - 8B 01 - mov eax,[ecx]
psxfin.exe+1BB4F - FF 50 08 - call dword ptr [eax+08]
psxfin.exe+1BB52 - 5D - pop ebp
psxfin.exe+1BB53 - 8B 7D 08 - mov edi,[ebp+08]
psxfin.exe+1BB56 - C3 - ret
psxfin.exe+1BB57 - 8B 0D BC995800 - mov ecx,[psxfin.exe+1899BC]
psxfin.exe+1BB5D - 23 41 2C - and eax,[ecx+2C]
psxfin.exe+1BB60 - 3B 41 18 - cmp eax,[ecx+18]
psxfin.exe+1BB63 - 79 0E - jns psxfin.exe+1BB73
psxfin.exe+1BB65 - 23 41 1C - and eax,[ecx+1C]
psxfin.exe+1BB68 - 8B 51 30 - mov edx,[ecx+30]
psxfin.exe+1BB6B - 89 1C 10 - mov [eax+edx],ebx
psxfin.exe+1BB6E - E9 34FEFFFF - jmp psxfin.exe+1B9A7
psxfin.exe+1BB73 - 8B 49 34 - mov ecx,[ecx+34]
psxfin.exe+1BB76 - 8B 51 04 - mov edx,[ecx+04]
psxfin.exe+1BB79 - 85 D2 - test edx,edx
psxfin.exe+1BB7B - 74 40 - je psxfin.exe+1BBBD
psxfin.exe+1BB7D - 81 C1 20000000 - add ecx,00000020
psxfin.exe+1BB83 - 39 D0 - cmp eax,edx
psxfin.exe+1BB85 - 7F EF - jg psxfin.exe+1BB76
psxfin.exe+1BB87 - 3B 41 E0 - cmp eax,[ecx-20]
psxfin.exe+1BB8A - 78 EA - js psxfin.exe+1BB76
psxfin.exe+1BB8C - 8B 51 E8 - mov edx,[ecx-18]
psxfin.exe+1BB8F - F7 C2 02000000 - test edx,0002
psxfin.exe+1BB95 - 74 26 - je psxfin.exe+1BBBD
psxfin.exe+1BB97 - F7 C2 08000000 - test edx,0008
psxfin.exe+1BB9D - 75 0C - jne psxfin.exe+1BBAB
psxfin.exe+1BB9F - 2B 41 E0 - sub eax,[ecx-20]
psxfin.exe+1BBA2 - 23 41 EC - and eax,[ecx-14]
psxfin.exe+1BBA5 - 03 41 F0 - add eax,[ecx-10]
psxfin.exe+1BBA8 - 89 18 - mov [eax],ebx
psxfin.exe+1BBAA - C3 - ret
psxfin.exe+1BBAB - 55 - push ebp
psxfin.exe+1BBAC - 89 7D 08 - mov [ebp+08],edi
psxfin.exe+1BBAF - 53 - push ebx
psxfin.exe+1BBB0 - 50 - push eax
psxfin.exe+1BBB1 - 8B 49 F8 - mov ecx,[ecx-08]
psxfin.exe+1BBB4 - 8B 01 - mov eax,[ecx]
psxfin.exe+1BBB6 - FF 50 0C - call dword ptr [eax+0C]
psxfin.exe+1BBB9 - 5D - pop ebp
psxfin.exe+1BBBA - 8B 7D 08 - mov edi,[ebp+08]
psxfin.exe+1BBBD - C3 - ret
What I know is that "0041BB6B - 89 1C 10 - mov [eax+edx],ebx" is the code used to create the pool, as that is what I used to find the EXP pointer for the EXP assigned at the end of fights. I.e. [eax+edx] is the pointer.
So like I said, at this point I'm lost and would love someone to either A) tell me exactly what needs to be done or B) suggest a method for finding what I'm looking for.
Xionanx Newbie cheater
Reputation: 0
Joined: 28 Feb 2013 Posts: 22
Posted: Thu Feb 28, 2013 9:22 pm Post subject:
After some more research on the subject I have discovered that the code
Code:
0041BB6B - 89 1C 10 - mov [eax+edx],ebx
writes to a LOT of different addresses, not just the address for the battle EXP pool.
So what I need to know how to do is:
A) Identify when [eax+edx] = the address pointed to by the pointer
B) Then multiply ebx by XX amount before moving its value into the address, say a shl ebx,2 for a x4 multiplier
C) If [eax+edx] does not equal the address pointed to by the pointer, do nothing.
At least that's how I THINK it should work. Again... help or suggestions appreciated.
EDIT: This is what I have so far, but the mov at line 12 is giving an error.
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
alloc(fightexpaddress,4)
alloc(currentaddress,4)
label(itmatches)
label(returnhere)
label(originalcode)
label(exit)
newmem:
mov [fightexpaddress],1459EC+00571A5C
mov [currentaddress],edx+eax
push eax
push ebx
mov eax,[currentaddress]
mov ebx,[fightexpaddress]
cmp eax,ebx
je itmatches
pop eax
pop ebx
jmp originalcode
itmatches:
pop eax
pop ebx
shl ebx,2
mov [eax+edx],ebx
jmp psxfin.exe+1b9a7
originalcode:
mov [eax+edx],ebx
jmp psxfin.exe+1B9A7
exit:
jmp returnhere
"psxfin.exe"+1BB6B:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
psxfin.exe+1BB6B:
mov [eax+edx],ebx
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25828 Location: The netherlands
Posted: Fri Mar 01, 2013 7:56 am Post subject:
replace
Code:
mov [currentaddress],edx+eax
with
Code:
push eax //store eax
add eax,edx
mov [currentaddress],eax
pop eax //restore eax
Anyhow, this is an emulator so you can't use the normal method of cheating.
I recommend finding out a way to find the base address of the emulated memory and then find out which offset in the emulated memory the address is you want. Often you'll find this to be the same difference.
Now with code injection you can get the base address and then add that specific offset and store it to a known location which you can then use as a base pointer
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Xionanx Newbie cheater
Reputation: 0
Joined: 28 Feb 2013 Posts: 22
Posted: Fri Mar 01, 2013 10:45 am Post subject:
Dark Byte wrote:
replace
Code:
mov [currentaddress],edx+eax
with
Code:
push eax //store eax
add eax,edx
mov [currentaddress],eax
pop eax //restore eax
Anyhow, this is an emulator so you can't use the normal method of cheating.
I recommend finding out a way to find the base address of the emulated memory and then find out which offset in the emulated memory the address is you want. Often you'll find this to be the same difference.
Now with code injection you can get the base address and then add that specific offset and store it to a known location which you can then use as a base pointer
If I'm understanding what you wrote right, I thought that is what I had done with alloc(fightexpaddress,4) and then putting the base + pointer in there... or are you talking about something entirely different?
Anyway, I'll see about making the changes you suggested as I have yet to get this code to actually WORK. I can enable it, it injects, but then it doesn't appear to actually DO anything, and then when I disable it, the original code isn't replaced properly and the game crashes... which makes no sense to me... but one step at a time I suppose.
OK, following your advice I was able to trim some fat off this, however it still does nothing at all... I'm thinking my CMP is always failing and therefore it only ever runs the original code.
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
label(itmatches)
label(returnhere)
label(originalcode)
label(exit)
newmem:
push ebx
add ebx,1459EC
add ebx,571A5C
push eax
add eax,edx
cmp eax,ebx
je itmatches
jmp originalcode
itmatches:
pop eax
pop ebx
add ebx,ebx
mov [eax+edx],ebx
jmp psxfin.exe+1b9a7
originalcode:
pop eax
pop ebx
mov [eax+edx],ebx
jmp psxfin.exe+1B9A7
exit:
jmp returnhere
"psxfin.exe"+1BB6B:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem,2048) //2kb should be enough
psxfin.exe+1BB6B:
mov [eax+edx],ebx
EDIT: I think I figured out the problem: I need to load the address located at 571A5C rather than the value 571A5C.
EDIT2:
OK, it now WORKS using the following code:
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
label(itmatches)
label(returnhere)
label(originalcode)
label(exit)
newmem:
push ebx
push eax
mov eax,[00571A5C]
lea ebx,[eax+1459EC]
pop eax
push eax
add eax,edx
cmp eax,ebx
je itmatches
jmp originalcode
itmatches:
pop eax
pop ebx
add ebx,ebx
mov [eax+edx],ebx
jmp psxfin.exe+1B9A7
originalcode:
pop eax
pop ebx
mov [eax+edx],ebx
jmp psxfin.exe+1B9A7
exit:
jmp returnhere
"psxfin.exe"+1BB6B:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem,2048) //2kb should be enough
psxfin.exe+1BB6B:
mov [eax+edx],ebx
However I now have a new issue:
Every time an enemy in the fight is killed, it calls this function. Apparently somewhere else up the code chain before it gets to my function it loads the current value of [EAX+EDX] and adds it to [EBX], which I am then intercepting and adding to itself before it is then moved back into [EAX+EDX]. (Oh, it's also called once more when the fight is over before exp is actually assigned to the party; it just doesn't SHOW that number on screen.)
If that made no sense then this might:
EXP = 10
EBX = EXP + KILLED UNIT EXP
(I intercept at this point)
EBX = EBX + EBX
EXP = EBX
This equation is run every time a monster is killed, which results in WAY higher exp than I was shooting for here.
As an example, using the above model with 4 enemies each giving 10 EXP base, I would want that to become 80 EXP. What it does become is:
(0 + 10)x2 = 20
(20 + 10)x2 = 60
(60 + 10)x2 = 140
(140 + 10)x2 = 300 (this is the number shown on screen)
(300 + 0)x2 = 600 (this is the amount I actually receive)
As you can see, this is a pretty glaring issue lol... Any suggestions?
Also it still fails to reload the original code properly on disable and crashes the emulator.
EDIT3: OK, fixed with clever math; by adding a SUB EBX,[EAX+EDX] before the MOV [EAX+EDX],EBX I balance out the equation to get the results I want.
((BASE + EARNED)x2) - BASE = BASE + EARNEDx2
Code:
itmatches:
pop eax
pop ebx
add ebx,ebx
sub ebx,[eax+edx]
mov [eax+edx],ebx
jmp psxfin.exe+1B9A7
It works out, trust me. Now I just need to do this for GALD, which should be a simple matter of copy-pasting the above code and just changing the associated addresses.
Also, I still can't disable the script, as it results in a crash. Any help on that would be appreciated.
EDIT4:
OK, I finally have everything working how I want it to work, however I still can't disable the script without it crashing the game. Granted I don't see myself turning it off once it's on anyway, but just the same it would be nice to have it toggle on/off properly.
Also, help on optimizing would be appreciated, as this is my first real attempt to work with ASM and this is probably not optimal.
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
label(itmatches)
label(returnhere)
label(originalcode)
label(exit)
newmem:
push ebx
push eax
mov eax,[00571A5C]
lea ebx,[eax+1459EC] //EXP Pointer
pop eax
push eax
add eax,edx
cmp eax,ebx
je itmatches
pop eax
pop ebx
push ebx
push eax
mov eax,[00571A5C]
lea ebx,[eax+1459E8] //GALD Pointer
pop eax
push eax
add eax,edx
cmp eax,ebx
je itmatches
jmp originalcode
itmatches:
pop eax
pop ebx
sub ebx,[eax+edx]
add [eax+edx],ebx //x1
add [eax+edx],ebx //x2
add [eax+edx],ebx //x3
add [eax+edx],ebx //x4
add [eax+edx],ebx //x5 so on and so forth, not optimal I know
jmp psxfin.exe+1B9A7
originalcode:
pop eax
pop ebx
mov [eax+edx],ebx
jmp psxfin.exe+1B9A7
exit:
jmp returnhere
"psxfin.exe"+1BB6B:
jmp newmem
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem,2048) //2kb should be enough
psxfin.exe+1BB6B:
mov [eax+edx],ebx
Again, the only REAL problem at this point is why it won't toggle off properly.
EDIT5: NVM, figured that out too; it seems I left out a line in the DISABLE section.
Code:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"psxfin.exe"+1BB6B:
mov [eax+edx],ebx
jmp psxfin.exe+1B9A7
//Alt: db 89 1C 10 E9 34 FE FF FF
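As an added example that is not part of the thread, the C below models the arithmetic the posts above argue about: the 16-bit `shl bx,n` from the first script (which silently wraps once the award exceeds 0x3FFF), the EDIT2 hook that doubled the whole pool (20, 60, 140, 300, 600), and the EDIT3/EDIT4 hook that subtracts the old pool first so only the delta is scaled. The function names, the constructed four-kill battle and the end-of-battle write with zero earned are my assumptions drawn from the poster's description, not game or Cheat Engine code.

```c
/* Added example, not from the thread: models the hook arithmetic discussed
 * above so it can be checked without a debugger. Names (shl_mul16,
 * naive_hook, fixed_hook, pool_after) are mine, not the game's or CE's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulates "shl bx,n" from the first script: bx is 16 bits wide, so any
 * bit shifted past bit 15 is lost and the "multiplier" silently wraps. */
static uint16_t shl_mul16(uint16_t bx, unsigned n)
{
    return (uint16_t)((uint32_t)bx << n);
}

/* The hooked store at psxfin.exe+1BB6B. By then the game has already set
 * ebx = pool + earned; the hook decides what value is actually written. */
typedef uint32_t (*hook_fn)(uint32_t pool, uint32_t ebx, unsigned k);

/* EDIT2 version ("add ebx,ebx"): scales the whole running pool, so the
 * error compounds on every kill. k == 2 reproduces the thread's numbers. */
static uint32_t naive_hook(uint32_t pool, uint32_t ebx, unsigned k)
{
    (void)pool;
    return ebx * k;
}

/* EDIT3/EDIT4 version ("sub ebx,[eax+edx]" then k times "add [eax+edx],ebx"):
 * only the delta is scaled, pool + k*(ebx - pool) == BASE + EARNED*k. */
static uint32_t fixed_hook(uint32_t pool, uint32_t ebx, unsigned k)
{
    uint32_t earned = ebx - pool;
    return pool + earned * k;
}

/* Constructed battle: four kills worth 10 EXP each, as in the post. */
static const uint32_t kAwards[] = {10, 10, 10, 10};
#define NKILLS (sizeof kAwards / sizeof kAwards[0])

/* Runs a battle through `hook`: one write per kill, then the end-of-battle
 * write with earned == 0 that the poster observed. Returns the pool after
 * write number `stop` (0-based); pass NKILLS to get the final value. */
static uint32_t pool_after(hook_fn hook, unsigned k, size_t stop)
{
    uint32_t pool = 0;
    for (size_t i = 0; i <= stop && i <= NKILLS; i++) {
        uint32_t earned = (i < NKILLS) ? kAwards[i] : 0;
        uint32_t ebx = pool + earned;   /* game code runs before the hook */
        pool = hook(pool, ebx, k);      /* the intercepted mov [eax+edx],ebx */
    }
    return pool;
}

int main(void)
{
    for (size_t i = 0; i <= NKILLS; i++)
        printf("write %zu: naive x2 = %u, fixed x2 = %u\n", i,
               pool_after(naive_hook, 2, i), pool_after(fixed_hook, 2, i));
    printf("shl bx,2 with bx=0x4000 -> 0x%04x (bits lost)\n",
           shl_mul16(0x4000, 2));
    return 0;
}
```

With k set to 5 the fixed hook yields 200 after the four kills, which is what the five repeated `add [eax+edx],ebx` lines in EDIT4 compute.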