But trying to make a multiplier for this game, be it money or exp, is confusing the heck out of me. I can ghetto workaround the need for a multiplier directly changing values or what have you, but I'd like to understand what's going on and improve, so... i'm reaching out hoping someone can help me understand what's happening. We'll focus on money as I try to explain my confusion/difficulty because exp has some other weirdness with how it's split/distributed to a party.
Finding money is easy, 4 bit, quick search, easy change. Do a find-what-writes, only one thing does when i shop, fight and win some money, whatever; it's always
Code: Select all
mov [rdi+000000E0],eax
Code: Select all
27C38DFE6FB - 05 04030150 - add eax,50010304 { 1342243588 }
27C38DFE700 - 00 00 - add [rax],al
27C38DFE702 - 00 00 - add [rax],al
27C38DFE704 - 00 00 - add [rax],al
27C38DFE706 - 00 00 - add [rax],al
27C38DFE708 - 00 00 - add [rax],al
27C38DFE70A - 00 00 - add [rax],al
27C38DFE70C - 00 00 - add [rax],al
27C38DFE70E - 00 00 - add [rax],al
27C38DFE710 - 55 - push rbp
27C38DFE711 - 48 8B EC - mov rbp,rsp
27C38DFE714 - 48 83 EC 30 - sub rsp,30 { 48 }
27C38DFE718 - 48 89 7D F8 - mov [rbp-08],rdi
27C38DFE71C - 48 8B F9 - mov rdi,rcx
27C38DFE71F - 48 89 55 F0 - mov [rbp-10],rdx
27C38DFE723 - 48 63 8F E0000000 - movsxd rcx,dword ptr [rdi+000000E0]
27C38DFE72A - 03 4D F0 - add ecx,[rbp-10]
27C38DFE72D - 33 D2 - xor edx,edx
27C38DFE72F - 41 B8 FFC99A3B - mov r8d,3B9AC9FF { 0.00 }
27C38DFE735 - 90 - nop
27C38DFE736 - 49 BB 401D1F127C020000 - mov r11,0000027C121F1D40 { (686588744) }
27C38DFE740 - 41 FF D3 - call r11
27C38DFE743 - 89 87 E0000000 - mov [rdi+000000E0],eax
there's one a little above where i can show on one page, but it adds a huge number to eax where i only gained 150 bits (money), so it can't/shouldn't be that.
However, I can see one line that after a google, seems likely to be key to the issue. The one where it says "call r11". Please help me if my google has failed me, but "call r11" makes it move to the opcode at address r11. Hypothetically that should just be the part of the code where things are happening, so I should go there to see what's going on. Back in my "find what writes to" i can see in the more information page "R11=0000027C121F1D40", so it should be going to that address. Right click in memory viewer, Go to address, 27C121F1D40, aaand... i'm taken to this:
Code: Select all
27C121F1D40 - 48 83 EC 28 - sub rsp,28 { 40 }
27C121F1D44 - 48 89 34 24 - mov [rsp],rsi
27C121F1D48 - 48 89 7C 24 08 - mov [rsp+08],rdi
27C121F1D4D - 4C 89 7C 24 10 - mov [rsp+10],r15
27C121F1D52 - 4C 8B F9 - mov r15,rcx
27C121F1D55 - 48 8B FA - mov rdi,rdx
27C121F1D58 - 49 8B F0 - mov rsi,r8
27C121F1D5B - 44 3B FF - cmp r15d,edi
27C121F1D5E - 40 0F9C C0 - setl al
27C121F1D62 - 48 0FB6 C0 - movzx rax,al
27C121F1D66 - 48 0FB6 C0 - movzx rax,al
27C121F1D6A - 85 C0 - test eax,eax
27C121F1D6C - 74 05 - je 27C121F1D73
27C121F1D6E - 4C 8B FF - mov r15,rdi
27C121F1D71 - EB 1B - jmp 27C121F1D8E
27C121F1D73 - 44 3B FE - cmp r15d,esi
27C121F1D76 - 40 0F9F C0 - setg al
27C121F1D7A - 48 0FB6 C0 - movzx rax,al
27C121F1D7E - 48 0FB6 C0 - movzx rax,al
27C121F1D82 - 40 88 44 24 18 - mov [rsp+18],al
27C121F1D87 - 85 C0 - test eax,eax
27C121F1D89 - 74 03 - je 27C121F1D8E
27C121F1D8B - 4C 8B FE - mov r15,rsi
27C121F1D8E - 44 89 7C 24 20 - mov [rsp+20],r15d
27C121F1D93 - 49 8B C7 - mov rax,r15
27C121F1D96 - 48 8B 34 24 - mov rsi,[rsp]
27C121F1D9A - 48 8B 7C 24 08 - mov rdi,[rsp+08]
27C121F1D9F - 4C 8B 7C 24 10 - mov r15,[rsp+10]
27C121F1DA4 - 48 83 C4 28 - add rsp,28 { 40 }
27C121F1DA8 - C3 - ret
27C121F1DA9 - 00 00 - add [rax],al
27C121F1DAB - 00 00 - add [rax],al
27C121F1DAD - 00 00 - add [rax],al
27C121F1DAF - 00 01 - add [rcx],al
27C121F1DB1 - 04 01 - add al,01 { 1 }
27C121F1DB3 - 00 04 42 - add [rdx+rax*2],al
27C121F1DB6 - 00 00 - add [rax],al
27C121F1DB8 - 00 00 - add [rax],al
27C121F1DBA - 00 00 - add [rax],al
Code: Select all
27C38DFC407 - BA 01000000 - mov edx,00000001 { 1 }
27C38DFC40C - 66 90 - nop 2
27C38DFC40E - 49 BB 401D1F127C020000 - mov r11,0000027C121F1D40 { (686588744) }
27C38DFC418 - 41 FF D3 - call r11
27C38DFC41B - 4C 8B F8 - mov r15,rax
27C38DFC41E - 49 8B 46 68 - mov rax,[r14+68]
27C38DFC422 - 48 63 88 A0000000 - movsxd rcx,dword ptr [rax+000000A0]
27C38DFC429 - 41 03 CF - add ecx,r15d
27C38DFC42C - 89 88 A0000000 - mov [rax+000000A0],ecx
Is there anyone who can break down if i'm misunderstanding something with how it works to begin with, or how that bit of code after the "call r11" actually works? I'm not even certain i've properly understood what call r11 is doing, and because it never seems to change the eax i was after I don't know where to begin...