S

Slither

Professional Whatever From Lasagna
Joined
Last seen
Messages
4,481
Reaction score
0

Profile posts Postings About

  • duncathan
    Laughing #2403 is laughing.
    (Please start our adventure already, all this bad roleplaying [some on my part as well] is making my head hurt.)
    Tpcool
    I don't own a company. Heh.
    And you make too many avatars. That's right, you heard me.
    Lace
    It is the standard to return into eax (and I believe this is what every function is cs does), but it is not necessarily always true.

    And not [ebp-8], but [ebp+8]. That's where the offset to weapondata (or entitydata etc) is stored.
    Lace
    Yeah the jz b was a typo.

    As for
    So will [4A5AE0]+4 always be stored to [EBP-C] (by always I mean after 421900 is called)?
    Click to expand...
    No. It's a local variable and you can't access it from other locations (because at the end of a function you pop ebp). And keep in mind that it puts the value in when you mov, so it isn't like [ebp-c] is bound to [4a5ae0]+4 (it doesn't automatically update).
    And does that mean that [4A5AE0]+8 will be stored to [EBP-10]?
    Click to expand...
    No, and it would be kinda silly to think so. Pretend I have an array of dwords, and I set a[0] to be 4. This does not mean that a[1] = 8. It's the same concept.

    Also so what's with the stuff in the compendium such as "WeaponData.something +0C"? Does that mean that when you're checking for the value of that part of the weapondata it will be stored in [EBP+C]?
    I'm sorry, that might've been hard to understand.
    Click to expand...
    Close but no cigar.
    Weapondata.something +c means that weapondata.something can be acquired by doing
    Code: 
      mov eax,[ebp+8]
  mov ecx,[eax+c]
    ecx and eax can obviously be replaced with any 32 bit register
    Lace
    ebp points to the base of the stack. [ebp-stuff] is a local variable, which means it's accessible by this code and not any other (sidenote: [ebp+stuff] is an argument that was pushed before calling this function).

    So when the code says
    Code: 
    MOV EDX,DWORD PTR DS:[4A5AE0]
ADD EDX,4
PUSH EDX
CALL 0x421900
ADD ESP,4
MOV DWORD PTR SS:[EBP-0C],EAX
    it's taking the first parameter of ITJ ([4a5ae0]+4 = scriptpointer+4 = the first parameter), turning it from ascii to a number (via 421900), and then saving it into the local variable [ebp-c].

    Later in the code, when it says
    Code: 
    MOV ECX,DWORD PTR SS:[EBP-0C]
PUSH ECX
CALL 0x401f20
    it's taking the local variable (which was previously designated as item number) and then calling 0x401f20 with it.

    We can look at the code for more usage stuff:
    Code: 
    PUSH ECX
CALL 0x401f20
ADD ESP,4
TEST EAX,EAX
JZ SHORT 00423A3C
    so if flag z is set (if eax == false) it skips over the conditional.

    To put this as explicitly as possible:
    Code: 
      push v_itemnumber
[B]A[/B] call 401f20
  add esp,4
  test eax,eax
  jz [b]C[/b]
[B]B[/B] ...
[B]C[/B] ...
    would skip over code B and go to code C if you do not have the item v_itemnumber (obviously in hex).

    Kapiche?
    Lace
    Okay, so from here you can tell that it takes the item number ([ebp-c]) and calls 0x401f20 with it. It then checks if eax is zero or not. By simple extrapolation, we can figure out that 0x401f20 checks if you have an item or not!

    You can use a similar process to figure out anything moony that tsc does. I have faith in you!
    Lace
    Well let's do a bit of detective work, mkay?
    Firstly, find <ITJ. This shouldn't be that hard (report back when you do find it).
  • Loading…
  • Loading…
Top