Questions Dealing With ASM
I want to say I'm still learning how ASM works and I would rather have reasons than just plain information. I learn better from doing it myself, but I need some help.
First, from my "Test Item" thread, I'm looking for the function that deals with detonation, so I can disable it, leaving a solid item that doesn't disappear. Do I have the correct area coded here?
Is the highlighted call what I need?
Frag
Code:
004B4550 . 83EC 18 SUB ESP,18
004B4553 . D905 24B46800 FLD DWORD PTR DS:[68B424]
004B4559 . 56 PUSH ESI
004B455A . 8BF1 MOV ESI,ECX
004B455C . D9E0 FCHS
004B455E . 8D46 28 LEA EAX,DWORD PTR DS:[ESI+28]
004B4561 . D95C24 10 FSTP DWORD PTR SS:[ESP+10]
004B4565 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004B4567 . D905 28B46800 FLD DWORD PTR DS:[68B428]
004B456D . 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
004B4570 . D9E0 FCHS
004B4572 . 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
004B4575 . D95C24 14 FSTP DWORD PTR SS:[ESP+14]
004B4579 . 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
004B457D . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004B4581 . 895424 08 MOV DWORD PTR SS:[ESP+8],EDX
004B4585 . 51 PUSH ECX
004B4586 . 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004B458A . 52 PUSH EDX
004B458B . 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
004B458F . C74424 20 0000>MOV DWORD PTR SS:[ESP+20],0
004B4597 . E8 1478FFFF CALL Apex0.004ABDB0
004B459C . 8BC8 MOV ECX,EAX ; |
004B459E . E8 BD90FBFF CALL Apex0.0046D660 ; \Apex0.0046D660
004B45A3 . 8B46 18 MOV EAX,DWORD PTR DS:[ESI+18]
004B45A6 . 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+1C]
004B45A9 . 50 PUSH EAX
004B45AA . 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004B45AE . 68 0000803F PUSH 3F800000
004B45B3 . 68 CDCC4C3E PUSH 3E4CCCCD
004B45B8 . 68 0000C843 PUSH 43C80000
004B45BD . 51 PUSH ECX
004B45BE . 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
004B45C2 . 83EC 0C SUB ESP,0C
004B45C5 . 8BD4 MOV EDX,ESP ; |
004B45C7 . 8902 MOV DWORD PTR DS:[EDX],EAX ; |
004B45C9 . 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C] ; |
004B45CD . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX ; |
004B45D0 . 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14] ; |
004B45D3 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX ; |
004B45D6 . 8B56 10 MOV EDX,DWORD PTR DS:[ESI+10] ; |
004B45D9 . 51 PUSH ECX ; |Arg2
004B45DA . 8B0D 682F6700 MOV ECX,DWORD PTR DS:[672F68] ; |
004B45E0 . 52 PUSH EDX ; |Arg1
004B45E1 . E8 CADAFEFF CALL Apex0.004A20B0 ; \Apex0.004A20B0
004B45E6 . 6A 00 PUSH 0
004B45E8 . 6A 00 PUSH 0
004B45EA . 6A 00 PUSH 0
004B45EC . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
004B45F0 . 50 PUSH EAX
004B45F1 . 68 F0415F00 PUSH Apex0.005F41F0 ; ASCII "we_grenade_explosion"
004B45F6 . E8 D576FFFF CALL Apex0.004ABCD0
004B45FB . 8BC8 MOV ECX,EAX ; |
004B45FD . E8 8EDEFDFF CALL Apex0.00492490 ; \Apex0.00492490
004B4602 . E8 A92AFEFF CALL Apex0.004970B0
004B4607 . 8B88 4C110000 MOV ECX,DWORD PTR DS:[EAX+114C]
004B460D . 05 38110000 ADD EAX,1138
004B4612 . 51 PUSH ECX
004B4613 . 8BC8 MOV ECX,EAX
004B4615 . E8 96DAFFFF CALL Apex0.004B20B0
004B461A . 68 00803B45 PUSH 453B8000
004B461F . 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004B4623 . 52 PUSH EDX
004B4624 . 8D48 1C LEA ECX,DWORD PTR DS:[EAX+1C]
004B4627 . E8 B4570000 CALL Apex0.004B9DE0
004B462C . 5E POP ESI
004B462D . 83C4 18 ADD ESP,18
004B4630 . C3 RETN
Flash
Code:
004B4350 . 83EC 18 SUB ESP,18
004B4353 . D905 24B46800 FLD DWORD PTR DS:[68B424]
004B4359 . 56 PUSH ESI
004B435A . D9E0 FCHS
004B435C . 8BF1 MOV ESI,ECX
004B435E . D95C24 10 FSTP DWORD PTR SS:[ESP+10]
004B4362 . 8D46 28 LEA EAX,DWORD PTR DS:[ESI+28]
004B4365 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004B4367 . D905 28B46800 FLD DWORD PTR DS:[68B428]
004B436D . 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
004B4370 . D9E0 FCHS
004B4372 . 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
004B4375 . D95C24 14 FSTP DWORD PTR SS:[ESP+14]
004B4379 . D905 2CB46800 FLD DWORD PTR DS:[68B42C]
004B437F . 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
004B4383 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004B4387 . D9E0 FCHS
004B4389 . 895424 08 MOV DWORD PTR SS:[ESP+8],EDX
004B438D . D95C24 18 FSTP DWORD PTR SS:[ESP+18]
004B4391 . 51 PUSH ECX
004B4392 . 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004B4396 . 52 PUSH EDX
004B4397 . 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
004B439B . E8 107AFFFF CALL Apex0.004ABDB0
004B43A0 . 8BC8 MOV ECX,EAX ; |
004B43A2 . E8 C990FBFF CALL Apex0.0046D470 ; \Apex0.0046D470
004B43A7 . 8B46 18 MOV EAX,DWORD PTR DS:[ESI+18]
004B43AA . 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+1C]
004B43AD . 50 PUSH EAX
004B43AE . 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004B43B2 . 68 0000003F PUSH 3F000000
004B43B7 . 68 9A99993E PUSH 3E99999A
004B43BC . 68 0000AF43 PUSH 43AF0000
004B43C1 . 51 PUSH ECX
004B43C2 . 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
004B43C6 . 83EC 0C SUB ESP,0C
004B43C9 . 8BD4 MOV EDX,ESP ; |
004B43CB . 8902 MOV DWORD PTR DS:[EDX],EAX ; |
004B43CD . 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C] ; |
004B43D1 . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX ; |
004B43D4 . 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14] ; |
004B43D7 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX ; |
004B43DA . 8B56 10 MOV EDX,DWORD PTR DS:[ESI+10] ; |
004B43DD . 51 PUSH ECX ; |Arg2
004B43DE . 8B0D 682F6700 MOV ECX,DWORD PTR DS:[672F68] ; |
004B43E4 . 52 PUSH EDX ; |Arg1
004B43E5 . E8 C6DCFEFF CALL Apex0.004A20B0 ; \Apex0.004A20B0
004B43EA . 6A 00 PUSH 0
004B43EC . 6A 00 PUSH 0
004B43EE . 6A 00 PUSH 0
004B43F0 . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
004B43F4 . 50 PUSH EAX
004B43F5 . 68 E0415F00 PUSH Apex0.005F41E0 ; ASCII "fx_explosion01"
004B43FA . E8 D178FFFF CALL Apex0.004ABCD0
004B43FF . 8BC8 MOV ECX,EAX ; |
004B4401 . E8 8AE0FDFF CALL Apex0.00492490 ; \Apex0.00492490
004B4406 . E8 A52CFEFF CALL Apex0.004970B0
004B440B . 8B88 4C110000 MOV ECX,DWORD PTR DS:[EAX+114C]
004B4411 . 05 38110000 ADD EAX,1138
004B4416 . 51 PUSH ECX
004B4417 . 8BC8 MOV ECX,EAX
004B4419 . E8 92DCFFFF CALL Apex0.004B20B0
004B441E . 68 00803B45 PUSH 453B8000
004B4423 . 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004B4427 . 52 PUSH EDX
004B4428 . 8D48 1C LEA ECX,DWORD PTR DS:[EAX+1C]
004B442B . E8 B0590000 CALL Apex0.004B9DE0
004B4430 . 5E POP ESI
004B4431 . 83C4 18 ADD ESP,18
004B4434 . C3 RETN
The Highlighted Call
Code:
00492490 /$ 83EC 1C SUB ESP,1C
00492493 |. 56 PUSH ESI
00492494 |. 8BF1 MOV ESI,ECX
00492496 |. 8A86 52020000 MOV AL,BYTE PTR DS:[ESI+252]
0049249C |. 84C0 TEST AL,AL
0049249E |. 74 0A JE SHORT Apex0.004924AA
004924A0 |. 8A86 54020000 MOV AL,BYTE PTR DS:[ESI+254]
004924A6 |. 84C0 TEST AL,AL
004924A8 |. 75 09 JNZ SHORT Apex0.004924B3
004924AA |> 33C0 XOR EAX,EAX
004924AC |. 5E POP ESI
004924AD |. 83C4 1C ADD ESP,1C
004924B0 |. C2 1400 RETN 14
004924B3 |> 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
004924B7 |. 53 PUSH EBX
004924B8 |. 8B5C24 30 MOV EBX,DWORD PTR SS:[ESP+30]
004924BC |. 57 PUSH EDI
004924BD |. 53 PUSH EBX ; /Arg2
004924BE |. 50 PUSH EAX ; |Arg1
004924BF |. 8BCE MOV ECX,ESI ; |
004924C1 |. E8 DAEDFFFF CALL Apex0.004912A0 ; \Apex0.004912A0
004924C6 |. 8BF8 MOV EDI,EAX
004924C8 |. 85FF TEST EDI,EDI
004924CA |. 75 09 JNZ SHORT Apex0.004924D5
004924CC |. 5F POP EDI
004924CD |. 5B POP EBX
004924CE |. 5E POP ESI
004924CF |. 83C4 1C ADD ESP,1C
004924D2 |. C2 1400 RETN 14
004924D5 |> 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+2C]
004924D9 |. 55 PUSH EBP
004924DA |. 8B6C24 34 MOV EBP,DWORD PTR SS:[ESP+34]
004924DE |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38]
004924E2 |. 51 PUSH ECX
004924E3 |. 53 PUSH EBX
004924E4 |. 55 PUSH EBP
004924E5 |. 57 PUSH EDI
004924E6 |. 52 PUSH EDX
004924E7 |. 8BCE MOV ECX,ESI
004924E9 |. C74424 4C 0000>MOV DWORD PTR SS:[ESP+4C],0
004924F1 |. E8 6AE2FFFF CALL Apex0.00490760
004924F6 |. 84C0 TEST AL,AL
004924F8 |. 74 4D JE SHORT Apex0.00492547
004924FA |. 8B4424 40 MOV EAX,DWORD PTR SS:[ESP+40]
004924FE |. 85C0 TEST EAX,EAX
00492500 |. 76 51 JBE SHORT Apex0.00492553
00492502 |. FF15 5C655E00 CALL DWORD PTR DS:[<&WINMM.timeGetTime>] ; WINMM.timeGetTime
00492508 |. 8B4C24 40 MOV ECX,DWORD PTR SS:[ESP+40]
0049250C |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0049250F |. 03C1 ADD EAX,ECX
00492511 |. 8B4D 04 MOV ECX,DWORD PTR SS:[EBP+4]
00492514 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
00492518 |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
0049251B |. 894C24 1C MOV DWORD PTR SS:[ESP+1C],ECX
0049251F |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00492523 |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
00492527 |. 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
0049252B |. 51 PUSH ECX
0049252C |. 8D8E 30020000 LEA ECX,DWORD PTR DS:[ESI+230]
00492532 |. 897C24 14 MOV DWORD PTR SS:[ESP+14],EDI
00492536 |. 895424 24 MOV DWORD PTR SS:[ESP+24],EDX
0049253A |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
0049253E |. 885C24 2C MOV BYTE PTR SS:[ESP+2C],BL
00492542 |. E8 D9F9FFFF CALL Apex0.00491F20
00492547 |> 5D POP EBP
00492548 |. 5F POP EDI
00492549 |. 5B POP EBX
0049254A |. 33C0 XOR EAX,EAX
0049254C |. 5E POP ESI
0049254D |. 83C4 1C ADD ESP,1C
00492550 |. C2 1400 RETN 14
00492553 |> 8B3F MOV EDI,DWORD PTR DS:[EDI]
00492555 |. 85FF TEST EDI,EDI
00492557 |.^74 EE JE SHORT Apex0.00492547
00492559 |. 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C]
0049255D |. 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
00492561 |. 52 PUSH EDX
00492562 |. 53 PUSH EBX
00492563 |. 50 PUSH EAX
00492564 |. 55 PUSH EBP
00492565 |. 57 PUSH EDI
00492566 |. 8BCE MOV ECX,ESI
00492568 |. E8 03DCFFFF CALL Apex0.00490170
0049256D |. 5D POP EBP
0049256E |. 5F POP EDI
0049256F |. 5B POP EBX
00492570 |. 5E POP ESI
00492571 |. 83C4 1C ADD ESP,1C
00492574 \. C2 1400 RETN 14
--------------------------------------------------------------------------------------------------------------------
Second, I've had a question about giving the Jjang to an admin upgrade. After some looking I found some useful info:
ID is Able to Hold Jjang
Code:
00475250 /$ 83B9 5A040000 >CMP DWORD PTR DS:[ECX+45A],2
00475257 |. 75 0D JNZ SHORT Apex0.00475266
00475259 |. 51 PUSH ECX
0047525A |. E8 516B0300 CALL Apex0.004ABDB0
0047525F |. 8BC8 MOV ECX,EAX
00475261 |. E8 FA7DFFFF CALL Apex0.0046D060
00475266 \> C3 RETN
Jjang Usage Function
Code:
0046D060 /$ 6A FF PUSH -1
0046D062 |. 68 9B885D00 PUSH Apex0.005D889B ; SE handler installation
0046D067 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0046D06D |. 50 PUSH EAX
0046D06E |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0046D075 |. 51 PUSH ECX
0046D076 |. 56 PUSH ESI
0046D077 |. 57 PUSH EDI
0046D078 |. 68 C4120000 PUSH 12C4
0046D07D |. 8BF9 MOV EDI,ECX
0046D07F |. E8 2B1F1600 CALL Apex0.005CEFAF
0046D084 |. 8BF0 MOV ESI,EAX
0046D086 |. 83C4 04 ADD ESP,4
0046D089 |. 897424 08 MOV DWORD PTR SS:[ESP+8],ESI
0046D08D |. 85F6 TEST ESI,ESI
0046D08F |. C74424 14 0000>MOV DWORD PTR SS:[ESP+14],0
0046D097 |. 74 25 JE SHORT Apex0.0046D0BE
0046D099 |. 8B8F 14020000 MOV ECX,DWORD PTR DS:[EDI+214]
0046D09F |. 68 00F95E00 PUSH Apex0.005EF900 ; ASCII "event_ongame_jjang"
0046D0A4 |. E8 B7930600 CALL Apex0.004D6460
0046D0A9 |. 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
0046D0AD |. 51 PUSH ECX ; /Arg2
0046D0AE |. 50 PUSH EAX ; |Arg1
0046D0AF |. 8BCE MOV ECX,ESI ; |
0046D0B1 |. E8 1A49FFFF CALL Apex0.004619D0 ; \Apex0.004619D0
0046D0B6 |. C706 94F85E00 MOV DWORD PTR DS:[ESI],Apex0.005EF894
0046D0BC |. EB 02 JMP SHORT Apex0.0046D0C0
0046D0BE |> 33F6 XOR ESI,ESI
0046D0C0 |> 6A 01 PUSH 1
0046D0C2 |. 8BCE MOV ECX,ESI
0046D0C4 |. C74424 18 FFFF>MOV DWORD PTR SS:[ESP+18],-1
0046D0CC |. E8 1F3AFFFF CALL Apex0.00460AF0
0046D0D1 |. 56 PUSH ESI ; /Arg1
0046D0D2 |. 8BCF MOV ECX,EDI ; |
0046D0D4 |. C786 C0120000 >MOV DWORD PTR DS:[ESI+12C0],8 ; |
0046D0DE |. E8 7DCEFFFF CALL Apex0.00469F60 ; \Apex0.00469F60
0046D0E3 |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
0046D0E7 |. 5F POP EDI
0046D0E8 |. 5E POP ESI
0046D0E9 |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0046D0F0 |. 83C4 10 ADD ESP,10
0046D0F3 \. C2 0400 RETN 4
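An added example, not code from the thread or from the game: the PUSH immediates in the Frag and Flash listings (3F800000, 3E4CCCCD, 43C80000 and 453B8000 in Frag; 3F000000, 3E99999A, 43AF0000 and 453B8000 in Flash) are the bit patterns of single-precision floats, which is how float arguments get pushed on the stack in 32-bit code. The C program below decodes them and adds a small heuristic for telling a float immediate from a pointer or size: the string pointer 005F41F0 pushed at 004B45F1 and the 12C4 size pushed at 0046D078 decode as denormals and are rejected. The table of immediates is copied from the listings above; which game parameter each value controls is not something the listings alone show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret a 32-bit immediate as the IEEE-754 single it encodes.
 * memcpy is the well-defined way to type-pun in C (no union or pointer cast). */
float float_from_bits(uint32_t bits)
{
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

/* Heuristic: does this immediate look like a float rather than a pointer,
 * size or flag word?  Ordinary float constants have an exponent field near
 * the bias of 127 (magnitudes roughly between 1e-9 and 1e+9).  Pointers into
 * a low image base such as 0x005Fxxxx, and small integers like 0x12C4, have
 * an exponent field of 0 (denormal range) and are rejected; 0 itself is
 * ambiguous and is rejected too. */
int looks_like_float(uint32_t bits)
{
    unsigned exp_field = (bits >> 23) & 0xFF;
    return bits != 0 && exp_field >= 96 && exp_field <= 160;
}

/* Immediates copied from the Frag, Flash and Jjang listings in this post
 * (constructed table, addresses as shown in the listings). */
typedef struct { const char *where; uint32_t imm; } imm_t;

static const imm_t sample[] = {
    {"Frag  004B45AE PUSH", 0x3F800000},
    {"Frag  004B45B3 PUSH", 0x3E4CCCCD},
    {"Frag  004B45B8 PUSH", 0x43C80000},
    {"Frag  004B461A PUSH", 0x453B8000},
    {"Flash 004B43B2 PUSH", 0x3F000000},
    {"Flash 004B43B7 PUSH", 0x3E99999A},
    {"Flash 004B43BC PUSH", 0x43AF0000},
    {"Frag  004B45F1 PUSH (string ptr)", 0x005F41F0},
    {"Jjang 0046D078 PUSH (size)",       0x000012C4},
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        uint32_t imm = sample[i].imm;
        if (looks_like_float(imm))
            printf("%-36s %08X -> float %g\n", sample[i].where, imm, float_from_bits(imm));
        else
            printf("%-36s %08X -> not a float (pointer/size/flag)\n", sample[i].where, imm);
    }
    return 0;
}
```

Run as-is it prints 1, 0.2, 400 and 3000 for the Frag constants and 0.5, 0.3, 350 and 3000 for Flash, and flags the string pointer and the 12C4 size as non-floats. The pairs line up position for position between the two listings, which is the usual sign that both functions call the same routine (Apex0.004A20B0 here) with per-item tuning values.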
Re: Questions Dealing With ASM
My guess would be that the game loads the effect. Have you tried to NOP the call? What happened? Maybe there is some kind of check, like:
>Has grenade exploded?
>Yes, then draw it / >No, then wait for it to explode
That's just hypothesis :)
Re: Questions Dealing With ASM
When you NOP that call, all it does is make the grenade unable to be wielded; it just uses the last working weapon.
Do you have an answer for the second one?
Re: Questions Dealing With ASM
In your called function, there is another call:
Code:
0046D0AD |. 51 PUSH ECX ; /Arg2
0046D0AE |. 50 PUSH EAX ; |Arg1
0046D0AF |. 8BCE MOV ECX,ESI ; |
0046D0B1 |. E8 1A49FFFF CALL Apex0.004619D0 ; \Apex0.004619D0
004924C6 |. 8BF8 MOV EDI,EAX
004924C8 |. 85FF TEST EDI,EDI
004924CA |. 75 09 JNZ SHORT Apex0.004924D5
What are the parameters? What does it return? Because right after that, it tests the returned 'thing'; if it's null then it returns from the function.
This looks interesting:
Code:
004924E7 |. 8BCE MOV ECX,ESI
004924E9 |. C74424 4C 0000>MOV DWORD PTR SS:[ESP+4C],0
004924F1 |. E8 6AE2FFFF CALL Apex0.00490760
004924F6 |. 84C0 TEST AL,AL
004924F8 |. 74 4D JE SHORT Apex0.00492547
004924FA |. 8B4424 40 MOV EAX,DWORD PTR SS:[ESP+40]
004924FE |. 85C0 TEST EAX,EAX
00492500 |. 76 51 JBE SHORT Apex0.00492553
After the first call, AL is tested; if AL = 0 it jumps to 0x0492547, which is the end of the function. If AL != 0 then there is another test: if EAX = 0 (it would be great if you found out what AL and EAX are; it might be some kind of bool that tells if the timer ended) it jumps to 0x0492553. At this point the program moves into EDI the value pointed to by EDI, and then tests it; once again, if it's equal, it jumps to the end of the function and sets EAX to 0, so the function returns 0.
So at this point you want to know: what's in ESP+4C and ESP+40, and how does it affect the game if you NOP those conditional jumps or change them to unconditional jumps?
Do that, then if it's needed I will take a look at the rest of the function.
Once again I'm all blind doing this; it's up to you to experiment!
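An added example, not from the thread, that answers the "what's in ESP+4C and ESP+40" question on paper before touching the debugger: tracking ESP through the listing of Apex0.00492490 turns each [ESP+xx] operand into an offset from the ESP value on entry, which can then be named as an argument slot (the function ends in RETN 14, so it takes five DWORD arguments) or a local. The step table is copied from the listing; the one assumption, labelled in the code, is that the two inner CALLs (Apex0.004912A0 with two pushed arguments, Apex0.00490760 with five) pop their own arguments.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One ESP-changing instruction on the straight-line path through
 * Apex0.00492490 that reaches the [ESP+xx] operands discussed above.
 * Addresses and mnemonics are copied from the listing; instructions that do
 * not move ESP are omitted.  ASSUMPTION: the +8 after CALL 004912A0 and the
 * +20 after CALL 00490760 say that each callee removes its own arguments
 * (stdcall/thiscall, like this function's own RETN 14).  The listing
 * supports it: the POP EDI at 004924CC straight after the first CALL only
 * restores the EDI pushed at 004924BC if the two arguments are already gone. */
typedef struct {
    const char *addr;
    const char *insn;
    int delta;          /* change in ESP in bytes; negative = stack grows */
} esp_step;

static const esp_step path[] = {
    {"00492490", "SUB ESP,1C",                      -0x1C},
    {"00492493", "PUSH ESI",                        -4},
    {"004924B7", "PUSH EBX",                        -4},
    {"004924BC", "PUSH EDI",                        -4},
    {"004924BD", "PUSH EBX      ; Arg2",            -4},
    {"004924BE", "PUSH EAX      ; Arg1",            -4},
    {"004924C1", "CALL 004912A0 ; callee pops 2",   +8},
    {"004924D9", "PUSH EBP",                        -4},
    {"004924E2", "PUSH ECX",                        -4},
    {"004924E3", "PUSH EBX",                        -4},
    {"004924E4", "PUSH EBP",                        -4},
    {"004924E5", "PUSH EDI",                        -4},
    {"004924E6", "PUSH EDX",                        -4},
    {"004924F1", "CALL 00490760 ; callee pops 5",   +20},
};
#define NSTEPS (sizeof path / sizeof path[0])

/* ESP relative to its value on entry (entry ESP points at the return
 * address) after the first n steps of the path have executed. */
int esp_after(size_t n)
{
    int esp = 0;
    for (size_t i = 0; i < n && i < NSTEPS; i++)
        esp += path[i].delta;
    return esp;
}

/* Resolve an [ESP+disp] operand seen after n steps to an entry-relative
 * offset: 0 is the return address, +4, +8, ... are the caller-pushed
 * arguments, negative offsets are this function's locals and saved registers. */
int frame_offset(size_t n, int disp)
{
    return esp_after(n) + disp;
}

/* Name an entry-relative offset for a function that ends in RETN 14. */
const char *frame_name(int off, char *buf, size_t len)
{
    if (off == 0)
        snprintf(buf, len, "return address");
    else if (off > 0 && off <= 0x14 && off % 4 == 0)
        snprintf(buf, len, "arg%d (entry ESP+%#x)", off / 4, off);
    else if (off > 0)
        snprintf(buf, len, "past the 5 declared args (entry ESP+%#x)", off);
    else
        snprintf(buf, len, "local or saved register (entry ESP-%#x)", -off);
    return buf;
}

int main(void)
{
    /* The three operands discussed in the thread; 'steps' counts how many
     * entries of path[] have executed when the instruction is reached. */
    struct { const char *where; size_t steps; int disp; } refs[] = {
        {"004924B8 MOV EBX,[ESP+30]",  3, 0x30},
        {"004924E9 MOV [ESP+4C],0",   13, 0x4C},
        {"004924FA MOV EAX,[ESP+40]", 14, 0x40},
    };
    char buf[80];
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++)
        printf("%-30s -> %s\n", refs[i].where,
               frame_name(frame_offset(refs[i].steps, refs[i].disp), buf, sizeof buf));
    return 0;
}
```

Under that assumption [ESP+4C] at 004924E9 is the arg3 slot (the same slot already loaded into EBX at 004924B8, reused as scratch once the call is set up) and [ESP+40] at 004924FA is arg5. The PUSH sequence in front of CALL Apex0.00492490 in the Frag listing is then where to read what the caller put in those two slots, and a breakpoint on 004924FA confirms the value in the debugger.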