guytis Posted December 27, 2019 Posted December 27, 2019 (edited) Hi, here is the 100% decompiled CItem::EnchantItem function Config::ExceptionMailing: it is never false L2Server.exe C4 In case anyone needs it.
// Decompiler output for the enchant roll: decides whether enchanting pItem with scroll succeeds,
// logs the roll, notifies the client and queues the matching CDB request.
// Locals (pUser_, prob, random, ...) are decompiler names; their declarations are not part of the post.
// Every path ends in `return false`, so the return value as decompiled does not tell the caller
// whether the enchant succeeded; the outcome is only visible through the packets and CDB requests.
bool CItem::EnchantItem(CItem *scroll, CItem *pItem, User* pUser)
{
  pUser_ = pUser;
  pItem_ = pItem;
  scroll_ = scroll;
  // Only pItem_ is null-checked; scroll_ and pUser_ are dereferenced further down without a check.
  if ( !pItem_ )
  {
    return false;
  }
  pSID = pItem_->d.pSID;
  nEnchantLevel = pSID->nEnchantLevel;
  SlotType = (pSID->nSlotType >> 15) & 1;   // bit 15 of nSlotType picks which table is read below
  // NOTE(review): both log strings in this branch say "armor enchant", while the later branches say
  // "weapon" / "magic weapon", so the vtable slot labelled Config::ExceptionMailing is presumably a
  // mislabelled item-type check - confirm against the vtable layout.
  if ( !(pItem_->vtable->base.Config::ExceptionMailing))
  {
    // Levels below 3 always succeed, with no roll and no log line.
    if ( nEnchantLevel < 3 )
      goto SUCCESS;
    if ( nEnchantLevel >= 20 )
    {
      prob = 0.0;
    }
    else
    {
      // The table index is therefore limited to 3..19 before either table is read.
      if ( SlotType )
        chance = WeaponEnchantTable[nEnchantLevel] * 100.0;
      else
        chance = ArmorEnchantTable[nEnchantLevel] * 100.0;
      prob = 100.0 - chance;
    }
    // From level 15 upward the success probability is halved.
    if ( nEnchantLevel >= 15 )
      prob = prob * 0.5;
    // rand() is a general-purpose, non-cryptographic generator; 32767.0 equals RAND_MAX on the
    // MSVC runtime, so the roll is one of 32768 evenly spaced values in [0, 100].
    // NOTE(review): seeding is not visible here - anyone auditing how predictable the outcome is
    // should check where srand is called.
    random = rand();
    dice = 100.0 - 0.0;
    // The `nEnchantLevel < 20` guard makes level 20 and above fail in this branch regardless of the roll.
    if ( nEnchantLevel < 20 && prob >= random / 32767.0 * (100.0 - 0.0) + 0.0 )
    {
      // The logged dice value is recomputed from the same `random`, so it matches the value compared above.
      CLog::Add(&g_winlog, LOG_REQUEST, L"armor enchant success, prev enchanted[%d], dice[%f], prob[%f]", nEnchantLevel, random / 32767.0 * dice + 0.0, prob);
      goto SUCCESS;
    }
    CLog::Add(&g_winlog, LOG_REQUEST, L"armor enchant fail, prev enchanted[%d], dice[%f], prob[%f]", nEnchantLevel, random / 32767.0 * dice + 0.0, prob);
    goto FAIL;
  }
  pII = pItem_->d.pII;
  // Flat-rate branch: 70%, or 35% from level 15; no upper level cap is visible here.
  if ( pII->nCrystalType < CrystalC || !LOBYTE(pII->magicWeapon) )
  {
    prob_1 = 70.0;
    if ( nEnchantLevel < 3 )
      goto SUCCESS;
    if ( nEnchantLevel >= 15 )
      prob_1 = 35.0;
    random_1 = rand();
    if ( prob_1 >= random_1 / 32767.0 * (100.0 - 0.0) + 0.0 )
    {
      CLog::Add(&g_winlog, LOG_REQUEST, L"weapon enchant success, prev enchanted[%d], dice[%f], prob[%f]", nEnchantLevel, random_1 / 32767.0 * (100.0 - 0.0) + 0.0, prob_1);
      goto SUCCESS;
    }
    CLog::Add(&g_winlog, LOG_REQUEST, L"weapon enchant fail, prev enchanted[%d], dice[%f], prob[%f]", nEnchantLevel, random_1 / 32767.0 * (100.0 - 0.0) + 0.0, prob_1);
    goto FAIL;
  }
  // Remaining case (crystal type >= CrystalC and magicWeapon set): 40%, or 20% from level 15.
  prob_2 = 40.0;
  if ( nEnchantLevel >= 3 )
  {
    if ( nEnchantLevel >= 15 )
      prob_2 = 20.0;
    random_2 = rand();
    if ( prob_2 >= random_2 / 32767.0 * (100.0 - 0.0) + 0.0 )
    {
      CLog::Add(&g_winlog, LOG_REQUEST, L"magic weapon enchant success, prev enchanted[%d], dice[%f], prob[%f]", nEnchantLevel, random_2 / 32767.0 * (100.0 - 0.0) + 0.0, prob_2);
      goto SUCCESS;
    }
    CLog::Add(&g_winlog, LOG_REQUEST, L"magic weapon enchant fail, prev enchanted[%d], dice[%f], prob[%f]", nEnchantLevel, random_2 / 32767.0 * (100.0 - 0.0) + 0.0, prob_2);
    // FAIL is shared by all three branches via goto.
FAIL:
    etcType = scroll_->d.pII->etcType;
    if ( etcType == EtcItemBlessedScrollEnchantWeapon || etcType == EtcItemBlessedScrollEnchantArmor )
    {
      // Blessed scroll: the item is kept and a request with enchant value 0 is sent to the DB.
      User::SendSystemMessage(pUser_->socket, id_1517__Fallo_en_el_encantamiento_blessed_El_valor_del_encantamiento_del_item_se_convirtio_a_0);
      CDB::RequestEnchantItem(&g_CDB, scroll_, pItem_, 0, pUser_);
    }
    else
    {
      // The format string names seven fields but only one argument is shown; the remaining
      // varargs were presumably dropped by the decompiler - confirm in the disassembly.
      CSocket::Send(pUser_->socket, "cdddddd", 100i64);
      CDB::RequestEnchantItemFail(&g_CDB, scroll_, pItem_, pUser_);
    }
    goto END;
  }
SUCCESS:
  if ( nEnchantLevel )
  {
    CSocket::Send(pUser_->socket, "cdddddd", 100i64);
  }
  else
  {
    v25 = 3;
    v24 = 1;
    CSocket::Send(pUser_->socket, "cdddd", 100i64, 62i64, v24, v25, pItem_->d.pSID->nItemID);
  }
  // The DB is asked to store the previous level plus one.
  CDB::RequestEnchantItem(&g_CDB, scroll_, pItem_, nEnchantLevel + 1, pUser_);
END:
  return false;
}
// Data tables read by the table branch above (IDA listing). ArmorEnchantTable spans
// 0xA06AE0-0xA06B78, i.e. 20 qwords (indices 0-19), which matches the 3..19 index range the
// function allows. The address of the WeaponEnchantTable label is not shown; presumably it is
// 0xA06B80, directly after the armor table, which would put index 3 inside the `align 20h` gap -
// confirm in the database before relying on the per-level values.
WeaponEnchantTable dq 0 ; DATA XREF: CItem__EnchantItem+27B↑r
.rdata:0000000000A06B88 align 20h
.rdata:0000000000A06BA0 dq 0.3333333333333333
.rdata:0000000000A06BA8 dq 0.6666666666666666
.rdata:0000000000A06BB0 dq 0.75
.rdata:0000000000A06BB8 dq 0.8
.rdata:0000000000A06BC0 dq 0.8333333333333334
.rdata:0000000000A06BC8 dq 0.8571428571428571
.rdata:0000000000A06BD0 dq 0.875
.rdata:0000000000A06BD8 dq 0.8888888888888888
.rdata:0000000000A06BE0 dq 0.9
.rdata:0000000000A06BE8 dq 0.9090909090909091
.rdata:0000000000A06BF0 dq 0.9166666666666666
.rdata:0000000000A06BF8 dq 0.9230769230769231
.rdata:0000000000A06C00 dq 0.9285714285714286
.rdata:0000000000A06C08 dq 0.9333333333333333
.rdata:0000000000A06C10 dq 0.9375
.rdata:0000000000A06C18 dq 0.9411764705882353
.rdata:0000000000A06AE0 ArmorEnchantTable dq 0 ; DATA XREF: CItem__EnchantItem:loc_628E83↑r
.rdata:0000000000A06AE8 dq 0
.rdata:0000000000A06AF0 dq 0
.rdata:0000000000A06AF8 dq 0.3333333333333333
.rdata:0000000000A06B00 dq 0.6666666666666666
.rdata:0000000000A06B08 dq 0.75
.rdata:0000000000A06B10 dq 0.8
.rdata:0000000000A06B18 dq 0.8333333333333334
.rdata:0000000000A06B20 dq 0.8571428571428571
.rdata:0000000000A06B28 dq 0.875
.rdata:0000000000A06B30 dq 0.8888888888888888
.rdata:0000000000A06B38 dq 0.9
.rdata:0000000000A06B40 dq 0.9090909090909091
.rdata:0000000000A06B48 dq 0.9166666666666666
.rdata:0000000000A06B50 dq 0.9230769230769231
.rdata:0000000000A06B58 dq 0.9285714285714286
.rdata:0000000000A06B60 dq 0.9333333333333333
.rdata:0000000000A06B68 dq 0.9375
.rdata:0000000000A06B70 dq 0.9411764705882353
.rdata:0000000000A06B78 dq 0.9444444444444444
Edited December 27, 2019 by guytis Quote
Nevermind25 Posted December 28, 2019 Posted December 28, 2019 Really good share. I don't understand why there is ExceptionMailing. I've been trying to find the magic critical damage multiplier address with IDA but I can't find it. Do you have any idea, or know the address where that value is? Quote
guytis Posted December 28, 2019 Author Posted December 28, 2019 3 hours ago, Nevermind25 said: really good share, i dont understand why there is exeptionmailing. I ve trying to find magic critical damage multipler address with IDA but i cant find it you have idea? or know the address where is that value? yes 0x69B2FD v12= ???
// Decompiler output for the damage formula the poster locates at 0x69B2FD.
// Returns (dRandDamageBonus * dPDefend * dCriticalDamageBonusPer * dCriticalDamageBonusDiff + v12)
//         * 70.0 / defsh * dCriticalBonus.
// dPAttack is not referenced in the expression as decompiled, and v12 is a value the decompiler did
// not tie to any parameter (the poster marks it "v12= ???").
// NOTE(review): the parameter names are labels applied in the database; the way they appear in the
// expression suggests they may be shifted against the real argument order - confirm in the disassembly.
double CAttackAction::CalcDamage(double dPAttack, double dRandDamageBonus, double dPDefend, double dShieldDefense, double dAttrBonus, double dCriticalBonus, double dCriticalDamageBonusPer, double dCriticalDamageBonusDiff)
{
  // The divisor is floored at 1.0, so the division below never sees zero or a value under 1.
  defsh = 1.0;
  if ( dShieldDefense + dAttrBonus >= 1.0 )
    defsh = dShieldDefense + dAttrBonus;
  return (dRandDamageBonus * dPDefend * dCriticalDamageBonusPer * dCriticalDamageBonusDiff + v12) * 70.0 / defsh * dCriticalBonus;
}
Quote
Nevermind25 Posted December 30, 2019 Posted December 30, 2019 v12 is dPAttack, I think; it matches the damage formula shared on older forums, so this function is for physical damage only. I'm searching for Magic Critical, to lower the damage power from x4 to another value I want. Let me know if you find it :) Quote
guytis Posted December 30, 2019 Author Posted December 30, 2019 5 hours ago, Nevermind25 said: v12 is dPAtack i think, it matches to the dmg formula shared in older forums, so this function is for Phisical damage only I'm searching for Magic Critical, to down the damage power from x4 to another value i want, let me know if you find it :) I am not very sure and the function is not very well decompiled ... 0x7A8C20 in some other skills there is also like the CSkillEffect_i_hp_drain
// Decompiler output for the magic-attack skill effect handler (the poster gives 0x7A8C20).
// Visible flow: record the function on the per-thread call stack, read the caster's M.Atk and WIT
// under the caster's lock, read the target's level (creature) or touch the door under its lock,
// roll for a magic critical, run two resist checks, then hand the damage to the target or door.
// The poster notes the decompilation is imperfect: v25, v26 and v30 are passed as arguments but
// never assigned in this listing, and the critical damage multiplier discussed in the thread does
// not appear anywhere in this C-like output.
void __stdcall CSkillEffect_i_m_attack::Instant(CSkillEffect_i_m_attack *this, CCreature *pCreature, CCreature *pTarget, CSkillInfo *pSkillInfo, CSkillAction *pAction, double distance)
{
  CSkillInfo *pSkillInfo_; // r13
  CCreature *pTarget_; // rdi
  CCreature *pCreature_; // rsi
  CSkillEffect_i_m_attack *this_; // r15
  __int64 v10; // r12
  __int64 v11; // r8
  __int64 v12; // rcx
  __int64 v13; // rax
  __int64 v14; // rax
  double fMAtk_F; // xmm6_8
  CCreature *pTarget__1; // rbp
  CDoor *door; // r14
  __int64 *v18; // rbx
  CreatureSharedData *pSD; // r11
  double fMAtk; // xmm14_8
  double StatWIT; // xmm15_8
  int attributeType; // eax
  unsigned int level; // ebx
  User *pUser; // rax
  __int64 v25; // r8
  __int64 v26; // r8
  User *pUser_1; // rax
  User *pUser_2; // rax
  User *pUser_3; // rax
  double v30; // r8
  __int64 v31; // rax
  int dmgFlag; // [rsp+20h] [rbp-128h]
  double _unkn610; // [rsp+160h] [rbp+18h]

  pSkillInfo_ = pSkillInfo;
  pTarget_ = pTarget;
  pCreature_ = pCreature;
  this_ = this;
  // One-time registration of the function name, guarded by bit 0 of dword_E418450.
  if ( !(dword_E418450 & 1) )
  {
    dword_E418450 |= 1u;
    dword_E41844C = guard(L"CSkillEffect_i_m_attack::Instant()");
  }
  // Push this function's name on the per-thread call stack; every exit path below decrements the
  // same index again.
  v10 = TlsIndex;
  v11 = *(*(__readgsqword(0x58u) + 8i64 * TlsIndex) + 311640i64);
  v12 = g_CallStackIndex[v11 + 0x100000];
  g_CallStackIndex[v11 + 0x100000] = v12 + 1;
  g_CallStackName[0][v12 + 1000 * v11] = L"CSkillEffect_i_m_attack::Instant()";
  // pCreature_ is dereferenced below without a null check; only pTarget_ is tested.
  if ( pTarget_ )
  {
    if ( pTarget_->vtable->base.base.base.IsCreature(pTarget_)
      || (pTarget_->vtable->base.CCreature__GetLevel)(pTarget_)
      || (pTarget_->vtable->base.sub_29)(pTarget_)
      || (pTarget_->vtable->base.sub_33)(pTarget_) )
    {
      if ( !pTarget_->vtable->base.base.base.IsCreature(pTarget_) || (*&pTarget_->vtable->gap1D8[120])(pTarget_) )
      {
        fMAtk_F = 0.0;
        pTarget__1 = 0i64;
        door = 0i64;
        // Per-thread lock-tracking record: a new entry (file name and line 1766) is written at the
        // current depth and the depth counter is then incremented.
        v18 = (&unk_1112190 + 320008 * *(*(__readgsqword(0x58u) + 8 * v10) + 311640i64));
        // NOTE(review): as decompiled, a depth of 10000 or more is only logged; the four writes
        // below still run with that depth as the index.
        if ( *(v18 + 80000) >= 10000 )
          CLog::Add(&g_winlog, LOG_ERROR, L"Lock stack is small?? -_-;;; kuooo");
        v18[4 * *(v18 + 80000)] = 0i64;
        v18[4 * *(v18 + 80000) + 1] = 0i64;
        v18[4 * *(v18 + 80000) + 2] = L".\\SkillFxFunc.cpp";
        v18[4 * *(v18 + 80000) + 3] = 1766i64;
        _InterlockedIncrement(v18 + 80000);
        // Caster data is read between this Lock and the CCreature::ReadUnlock below; presumably the
        // block above plus this call is an inlined CCreature::ReadLock - confirm.
        CriticalSection::Lock(pCreature_->d.lpSharedDataLock, L"d:\\work\\l2server\\creature.h", 1349);
        pSD = pCreature_->d.pSD;
        fMAtk = pSD->fMAtk;
        // With spiritshot set, fMAtk_F holds an extra M.Atk term; otherwise it stays 0.0.
        if ( LOBYTE(pSD->bSpiritshot) )
          fMAtk_F = fMAtk * pSD->dSpiritShotPower;
        StatWIT = pCreature_->vtable->CCreature::GetBaseStatWIT(pCreature_);
        _unkn610 = *&pCreature_->d._unkn610;
        CCreature::ReadUnlock(pCreature_);
        if ( pTarget_->vtable->base.base.base.IsCreature(pTarget_) )
        {
          pTarget__1 = pTarget_;
          CCreature::ReadLock(pTarget_, L".\\SkillFxFunc.cpp", 1779);
          attributeType = pSkillInfo_->d.attributeType;
          // The attribute type is range-checked (0..33) before the bonus lookup; the results of
          // this call and of the WIT call below are not stored in this listing.
          if ( attributeType >= 0 && attributeType < 34 )
            CCreature::GetAttributeBonus(pTarget_, pCreature_);
          pTarget_->vtable->CCreature::GetBaseStatWIT(pTarget_);
          level = (pTarget_->vtable->CCreature::GetLevel)(pTarget_);
          CCreature::ReadUnlock(pTarget_);
        }
        else if ( (pTarget_->vtable->base.sub_26)(pTarget_) )
        {
          // NOTE(review): sub_26 / sub_38 look like an is-door test and a door cast, judging by the
          // CDoor variable they feed - confirm.
          door = (pTarget_->vtable->base.sub_38)(pTarget_);
          CriticalSection::Lock(door->d.pLock, L".\\SkillFxFunc.cpp", 1793);
          (door->vtable->base.unknown_libname_2001_120)(door);
          level = 0;
          CriticalSection::Unlock(door->d.pLock, 0i64, 0);
        }
        else
        {
          level = LODWORD(_unkn610);
        }
        // Magic critical roll: WIT * 0.5 * magicCriticalRatePER + magicCriticalRateDIFF against a
        // rand()-based value in [0, 100] (rand() is not a cryptographic generator). The only
        // visible effect of a successful roll is the system message to a user caster.
        if ( StatWIT * 0.5 * pCreature_->d.magicCriticalRatePER + pCreature_->d.magicCriticalRateDIFF > rand() / 32767.0 * (100.0 - 0.0) + 0.0
          && pCreature_->vtable->base.base.base.IsUser(pCreature_) )
        {
          pUser = (pCreature_->vtable->base.base.base.MemoryObject__CastUser)(pCreature_);
          User::SendSystemMessage_0(pUser->_unkn2700[5], id_1280__Golpe_Critico_Magico);
        }
        sub_916C50(fMAtk + fMAtk_F);
        if ( pTarget_->vtable->base.base.base.IsUser(pTarget_) )
          (pCreature_->vtable->base.base.base.MemoryObject__CastCreature)(pCreature_);
        // Two resist checks that differ only in the -130.0 / -100.0 and 0 / 1.0 arguments; v25 and
        // v26 are unassigned decompiler placeholders.
        if ( (this_->base->CSkillEffect_i__CheckResisted)(this_, level, v25, pSkillInfo_->d.nMagicLevel, COERCE_DOUBLE(*&StatWIT), 7.0, -130.0, 95.0, 0i64, 0i64, COERCE_DOUBLE(*&_unkn610))
          || (this_->base->CSkillEffect_i__CheckResisted)(this_, level, v26, pSkillInfo_->d.nMagicLevel, COERCE_DOUBLE(*&StatWIT), 7.0, -100.0, 95.0, 1.0, 0i64, COERCE_DOUBLE(*&_unkn610)) )
        {
          if ( pCreature_->vtable->base.base.base.IsUser(pCreature_) )
          {
            pUser_1 = (pCreature_->vtable->base.base.base.MemoryObject__CastUser)(pCreature_);
            *&dmgFlag = 0i64;
            CSocket::Send(pUser_1->socket, "cdd", 100i64);// id_158__Tu_ataque_ha_fallado = 0x9E ("Your attack has failed")
          }
          if ( pTarget_->vtable->base.base.base.IsCreature(pTarget_) && pTarget__1->vtable->base.base.base.IsUser(pTarget__1) )
          {
            if ( pCreature_->vtable->base.base.base.IsUser(pCreature_) )
            {
              (pCreature_->vtable->base.base.base.MemoryObject__CastUser)(pCreature_);
              pUser_2 = (pTarget__1->vtable->base.base.base.MemoryObject__CastUser)(pTarget__1);
              dmgFlag = 1;
              CSocket::Send(pUser_2->socket, "cdddS", 100i64);// id_159__Has_resistido_el_hechizo_de_s1 = 0x9F ("You have resisted s1's spell")
            }
            else if ( (pCreature_->vtable->base.sub_8)(pCreature_) )
            {
              pUser_3 = (pTarget__1->vtable->base.base.base.MemoryObject__CastUser)(pTarget__1);
              dmgFlag = 1;
              CSocket::Send(pUser_3->socket, "cdddd", 100i64);// id_159__Has_resistido_el_hechizo_de_s1 = 0x9F ("You have resisted s1's spell")
            }
          }
        }
        // As decompiled, this is reached whether or not the resist branch ran; the damage argument
        // (v30) is never assigned in this listing, so the real value has to be read from the
        // disassembly.
        if ( pTarget_->vtable->base.base.base.IsCreature(pTarget_) )
        {
          LOBYTE(dmgFlag) = 1;
          (pTarget__1->vtable->CCreature::GotDamageBy)(pTarget__1, pCreature_, *&v30, 1i64, *&dmgFlag);
        }
        else if ( (pTarget_->vtable->base.sub_26)(pTarget_) )
        {
          // door was assigned under the same sub_26 test earlier in this block.
          (door->vtable->base.unknown_libname_2001_118)(door, pCreature_);
        }
        v31 = *(*(__readgsqword(0x58u) + 8 * v10) + 311640i64);
        --g_CallStackIndex[v31 + 0x100000];
      }
      else
      {
        v14 = *(*(__readgsqword(0x58u) + 8 * v10) + 311640i64);
        --g_CallStackIndex[v14 + 0x100000];
      }
    }
    else
    {
      v13 = *(*(__readgsqword(0x58u) + 8 * v10) + 311640i64);
      --g_CallStackIndex[v13 + 0x100000];
    }
  }
  else
  {
    --g_CallStackIndex[v11 + 0x100000];
  }
}
Quote
Anarchy Posted December 30, 2019 Posted December 30, 2019 9 hours ago, Nevermind25 said: v12 is dPAtack i think, it matches to the dmg formula shared in older forums, so this function is for Phisical damage only I'm searching for Magic Critical, to down the damage power from x4 to another value i want, let me know if you find it :) .text:00000000007A882A movlpd xmm13, cs:qword_9CCFB0 .text:00000000007A9071 movlpd xmm10, cs:qword_9CCFB0 .text:00000000007A98DA movlpd xmm9, cs:qword_9CCFB0 .text:00000000007AA14B movlpd xmm10, cs:qword_9CCFB0 .text:00000000007AFED5 movlpd xmm12, cs:qword_9CCFB0 .text:00000000007B274E movlpd xmm9, cs:qword_9CCFB0 have fun Quote
Nevermind25 Posted December 31, 2019 Posted December 31, 2019 with little steps i found this, for sure im wrong because i have no much idea
; sub_545280 as listed: takes an integer in ecx and leaves a double in xmm0.
;   xmm2   = qword_988780 - (ecx - 1) * qword_9CCFA8
;   xmm2   = qword_9CCFB0 when xmm2 is not above it (comisd / ja)
;   xmm2   = xmm2 / qword_98E5A0
;   result = 0.0 - (table[ecx] - table[ecx - 1]) * xmm2, table = 32-bit entries at unk_9CCB50
; The values of the constants are not shown in this listing.
; NOTE(review): ecx indexes unk_9CCB50 with no range check inside this routine, so any bound has to
; come from the callers (sub_81DF00 per the XREFs) - confirm there.
; NOTE(review): qword_9CCFB0 is the same symbol that the six movlpd sites posted in this thread load,
; so that qword is shared with this routine; changing the constant in place would also change the
; lower bound applied here.
545280 sub_545280 proc near ; CODE XREF: sub_81DF00+6EC↓p
.text:0000000000545280 ; sub_81DF00+74C↓p ...
.text:0000000000545280 movlpd xmm2, cs:qword_988780
.text:0000000000545288 movlpd xmm1, cs:qword_9CCFB0
.text:0000000000545290 lea eax, [rcx-1]
.text:0000000000545293 cvtsi2sd xmm0, eax
.text:0000000000545297 mulsd xmm0, cs:qword_9CCFA8
.text:000000000054529F subsd xmm2, xmm0
.text:00000000005452A3 comisd xmm2, xmm1
.text:00000000005452A7 ja short loc_5452AD
.text:00000000005452A9 movsd xmm2, xmm1
.text:00000000005452AD
.text:00000000005452AD loc_5452AD: ; CODE XREF: sub_545280+27↑j
.text:00000000005452AD divsd xmm2, cs:qword_98E5A0
.text:00000000005452B5 xorpd xmm0, xmm0
.text:00000000005452B9 lea rdx, unk_9CCB50
.text:00000000005452C0 movsxd rcx, ecx
.text:00000000005452C3 mov eax, [rdx+rcx*4] //<-- HERE IS?
.text:00000000005452C6 sub eax, [rdx+rcx*4-4]
.text:00000000005452CA cvtsi2sd xmm1, eax
.text:00000000005452CE mulsd xmm1, xmm2
.text:00000000005452D2 subsd xmm0, xmm1
.text:00000000005452D6 retn
.text:00000000005452D6 sub_545280
Quote
Anarchy Posted December 31, 2019 Posted December 31, 2019 Oh boy, you're definitely wrong. What I posted are the exact addresses you need to edit; they are all "mov xmm*, 4.0". Lemme show a specific example from one of them, 0x7A882A. Then way, way, way further down in that function, xmm13 is used as the multiplier to the damage value. This is why it pays to know the asm rather than just pressing F5 in IDA and looking at C-like code, cuz you'd be hard pressed to spot this in all of that crap, but if you know the asm you know exactly what to look for. So what you need to do to edit the crit rate from 4.0 to some other value is change all of those addresses I put in the previous post:
.text:00000000007A882A movlpd xmm13, cs:qword_9CCFB0
.text:00000000007A9071 movlpd xmm10, cs:qword_9CCFB0
.text:00000000007A98DA movlpd xmm9, cs:qword_9CCFB0
.text:00000000007AA14B movlpd xmm10, cs:qword_9CCFB0
.text:00000000007AFED5 movlpd xmm12, cs:qword_9CCFB0
.text:00000000007B274E movlpd xmm9, cs:qword_9CCFB0
Overwrite the address they're pulling the 4.0 modifier from with the address of your own modifier double. If you're using vanganth's, you'd do it like this:
double dMageCritPowerModifier = 2.0;
g_HookManager.WriteRelativeAddress(0x7A882A, 3, &dMageCritPowerModifier, 0);
3 Quote
Nevermind25 Posted December 31, 2019 Posted December 31, 2019 thank you, i really need to study ASM 1 Quote
HwoarangX Posted December 31, 2019 Posted December 31, 2019 Sorry for my stupid question: is this the enchant system? With that, can I give each +1 enchant its own success rate? Quote
Nevermind25 Posted December 31, 2019 Posted December 31, 2019 7 hours ago, Anarchy said:
double dMageCritPowerModifier = 2.0;
g_HookManager.WriteRelativeAddress(0x7A882A, 3, &dMageCritPowerModifier, 0);
im trying but is not simple as you put xD
// Redirects the six movlpd sites listed earlier in the thread to a configurable double.
// NOTE(review): every one of those instructions loads into xmm9, xmm10, xmm12 or xmm13. Those
// registers need a REX prefix, so the encoding is 66 <REX> 0F 12 <ModRM> <disp32> and the 32-bit
// RIP-relative displacement starts 5 bytes into the instruction, not 3. Presumably the second
// argument is that byte offset (confirm against the HookManager source); if so, writing at +3
// overwrites opcode/ModRM bytes, which is consistent with the crash inside
// CSkillEffect_i_m_attack::Instant() shown in the log below.
// NOTE(review): a RIP-relative operand only reaches +/-2 GiB from the instruction, so the
// replacement double has to be located within that range of these addresses - TODO confirm how
// WriteRelativeAddress handles a target that is further away.
double g_MagicCriticalMultipler = 4.0;
// The configured value is used as-is; no range check is visible here.
g_MagicCriticalMultipler = GetPrivateProfileDouble(_T("SkillFactory"), _T("MagicCriticalMultipler"), 4.0, g_ConfigFile);
g_HookManager.WriteRelativeAddress(0x7A882A, 3, &g_MagicCriticalMultipler, 0);
g_HookManager.WriteRelativeAddress(0x7A9071, 3, &g_MagicCriticalMultipler, 0);
g_HookManager.WriteRelativeAddress(0x7A98DA, 3, &g_MagicCriticalMultipler, 0);
g_HookManager.WriteRelativeAddress(0x7AA14B, 3, &g_MagicCriticalMultipler, 0);
g_HookManager.WriteRelativeAddress(0x7AFED5, 3, &g_MagicCriticalMultipler, 0);
g_HookManager.WriteRelativeAddress(0x7B274E, 3, &g_MagicCriticalMultipler, 0);
when i launch a magic critical server stops working or crash linerror
GuardInfo : IOThread [0][47] (good): void IOThread_common(void *arglist)
Lock Stack : IOThread [1][0] (ahehe): void IOThread_common(void *arglist) -> void CIOObject::TimerDispatch(bool bRootLoop) -> void CThreadLocalTimer::Dispath -> void CCreatureController::TimerExpired(int id) -> inline void AddExecutable(MemoryObject *Matrix, Native Func, CExecutionArgument* Arg) -> add exec - func call -> ASYNCHRONOUS_SERIALIZE_IMPL1(CCreatureController, AsyncTimerExpired, int, id) -> bool CSkillAction2::OnTick() -> skillaction_ontick_SKL_HITTIME -> skillaction_ontick_SKL_HITTIME_2 -> skillaction_ontick_SKL_HITTIME_2_3 -> CSkillInfo::ActivateSkill -> CSkillEffect_i_m_attack::Instant()
Lock Stack : IOThread [2][16] (good): void IOThread_common(void *arglist)
Lock Stack : IOThread [3][16] (good): void IOThread_common(void *arglist)
Lock Stack : ListenThread [13][31] (good): void ListenThread_common() -> unsigned __stdcall WaitThread(void *)
Lock Stack : MainThread [12][592] (good):
Lock Stack : GuardInfo end
Quote
Anarchy Posted January 1, 2020 Posted January 1, 2020 post the full linerror, just callstack is a bit useless Quote
guytis Posted January 1, 2020 Author Posted January 1, 2020 (edited) 23 hours ago, Nevermind25 said: im trying but is not simple as you put xD double g_MagicCriticalMultipler = 4.0; g_MagicCriticalMultipler = GetPrivateProfileDouble(_T("SkillFactory"), _T("MagicCriticalMultipler"), 4.0, g_ConfigFile); g_HookManager.WriteRelativeAddress(0x7A882A, 3, &g_MagicCriticalMultipler, 0); g_HookManager.WriteRelativeAddress(0x7A9071, 3, &g_MagicCriticalMultipler, 0); g_HookManager.WriteRelativeAddress(0x7A98DA, 3, &g_MagicCriticalMultipler, 0); g_HookManager.WriteRelativeAddress(0x7AA14B, 3, &g_MagicCriticalMultipler, 0); g_HookManager.WriteRelativeAddress(0x7AFED5, 3, &g_MagicCriticalMultipler, 0); g_HookManager.WriteRelativeAddress(0x7B274E, 3, &g_MagicCriticalMultipler, 0); when i launch a magic critical server stops working or crash linerror GuardInfo : IOThread [0][47] (good): void IOThread_common(void *arglist) Lock Stack : IOThread [1][0] (ahehe): void IOThread_common(void *arglist) -> void CIOObject::TimerDispatch(bool bRootLoop) -> void CThreadLocalTimer::Dispath -> void CCreatureController::TimerExpired(int id) -> inline void AddExecutable(MemoryObject *Matrix, Native Func, CExecutionArgument* Arg) -> add exec - func call -> ASYNCHRONOUS_SERIALIZE_IMPL1(CCreatureController, AsyncTimerExpired, int, id) -> bool CSkillAction2::OnTick() -> skillaction_ontick_SKL_HITTIME -> skillaction_ontick_SKL_HITTIME_2 -> skillaction_ontick_SKL_HITTIME_2_3 -> CSkillInfo::ActivateSkill -> CSkillEffect_i_m_attack::Instant() Lock Stack : IOThread [2][16] (good): void IOThread_common(void *arglist) Lock Stack : IOThread [3][16] (good): void IOThread_common(void *arglist) Lock Stack : ListenThread [13][31] (good): void ListenThread_common() -> unsigned __stdcall WaitThread(void *) Lock Stack : MainThread [12][592] (good): Lock Stack : GuardInfo end Edited January 1, 2020 by guytis Quote
guytis Posted January 1, 2020 Author Posted January 1, 2020
// Replacement magic-critical multiplier; each patched instruction is pointed at this global, so it
// has to stay alive (and at the same address) for as long as the patched code can run.
double g_MagicCriticalMultipler = 4.0;
// Points the six movlpd sites listed in this thread at g_MagicCriticalMultipler.
// The second argument is 5 here, where earlier posts in the thread used 3. All six instructions
// load into xmm9-xmm13, which need a REX prefix (66 <REX> 0F 12 <ModRM> <disp32>), so the
// displacement starts 5 bytes into the instruction; presumably that is what the argument
// expresses - confirm against the HookManager source.
// NOTE(review): a RIP-relative operand only reaches +/-2 GiB, so this global has to be located
// within that range of the patched addresses - TODO confirm how WriteRelativeAddress handles that.
void SetMagicCriticalMultipler()
{
  g_HookManager.WriteRelativeAddress(0x7A882A, 5, &g_MagicCriticalMultipler, 0); //CSkillEffect_i_hp_drain::Instant()
  g_HookManager.WriteRelativeAddress(0x7A9071, 5, &g_MagicCriticalMultipler, 0); //CSkillEffect_i_m_attack::Instant()
  g_HookManager.WriteRelativeAddress(0x7A98DA, 5, &g_MagicCriticalMultipler, 0); //CSkillEffect_i_m_attack_by_hp::Instant()
  g_HookManager.WriteRelativeAddress(0x7AA14B, 5, &g_MagicCriticalMultipler, 0); //CSkillEffect_i_m_attack_by_dist::Instant()
  g_HookManager.WriteRelativeAddress(0x7AFED5, 5, &g_MagicCriticalMultipler, 0); //CSkillEffect_i_death_link::Instant()
  g_HookManager.WriteRelativeAddress(0x7B274E, 5, &g_MagicCriticalMultipler, 0); //CSkillEffect_i_m_attack_over_hit::Instant()
}
Quote
guytis Posted January 1, 2020 Author Posted January 1, 2020 On 12/31/2019 at 9:36 AM, Anarchy said: oh boy you're definitely wrong, what i posted is the exact addresses you need to edit, they are all "mov xmm*, 4.0" lemme show a specific example from one of them, 0x7A882A then way way way further down in that function xmm13 is used as the multiplier to the damage value this is why it pays to know the asm rather than just pressing F5 in ida and looking at c-like code cuz you'd be hard press to spot this in all of that crap, but if you know the asm you know exactly what to look for so what you need to do to edit the crit rate from 4.0 to some other value, is you need to change all of those addresses I put in the previous post .text:00000000007A882A movlpd xmm13, cs:qword_9CCFB0 .text:00000000007A9071 movlpd xmm10, cs:qword_9CCFB0 .text:00000000007A98DA movlpd xmm9, cs:qword_9CCFB0 .text:00000000007AA14B movlpd xmm10, cs:qword_9CCFB0 .text:00000000007AFED5 movlpd xmm12, cs:qword_9CCFB0 .text:00000000007B274E movlpd xmm9, cs:qword_9CCFB0 overwrite the address they're pulling the 4.0 modifier from with the address to your own modifier double, if you're using vanganth's you'd do it like this double dMageCritPowerModifier = 2.0; g_HookManager.WriteRelativeAddress(0x7A882A, 3, &dMageCritPowerModifier, 0); Do you know if there is any arrangement that can be made and that this appears in F5? Quote