Quick Modding/Hacking Answers Thread

To play nicely with the stack, i.e. so that the functions you are calling DON'T touch/mess up your local variables.

It's also so that you can call a function and it'll know to return to where it's called from, whereas if you JMP back and forth, the code block you are JMPing to can only JMP back to one spot. So the function can easily be called from multiple spots.

This information would be really useful to me if I could FIGURE OUT MY ISSUE WITH OLLY.

By the way F_Link, I couldn't open up the other debugger because of the 7-zip format. Cause, parental controls.

Anyone got another disassembler I could possibly use?

 

parental controls.

I hate to be the bearer of bad news, but I think that those parental controls *might* have to do with your olly problems. Maybe.

 

I hate to be the bearer of bad news, but I think that those parental controls *might* have to do with your olly problems. Maybe.

Yeaaah, it always gives me a message when I open up olly saying "you do not have administrator privlages".

But my issue is that it crashes when I try to save my changes to the executable. So why would parental controls mess that up instead of just preventing me from opening up olly at all?

 

one is a "read" event and one is a "write" event

 

one is a "read" event and one is a "write" event

Shit, does that mean that other disassemblers would have the same issue?

Guess I can't really get into assembly until I get my own computer...

Spoiler

F*ck it, i'll just become a master of TSC with little knowledge of assembly, like enlightened.

Spoiler

So parental controls apparently blocks it, but on my schools computers, it just lets me do it without any issues???

 

just ask your parents if you can install an assembler and prompt for them to put in the password for you.

It's not that hard.

 

If you rewrite an NPC's AI function, and the new function is longer (in bytes, not commands) than the old function, then yes, it'll overwrite into whichever function is next (which is likely the next NPC), since you're trying to put a longer function into a smaller space.

FUUUUUUUUUUUUUUUUU
NOW I HAVE TO GO BACK AND TRY TO RECOPY THE ENTIRE TABLE BACK

I had thought it would recognise that and automatically make more space in the exe (like increasing the size of the exe)
Or something like that...
BTW is there a better way of copying data instead of just typing it in?

Also if someone could tell me a place in the exe with loads of free space, that would help, because I'm kinda desperate for space now...
Would places like 493874 ~ 493C3B work? Since they look really plain to me... Would they work as 'free space?'

What about 49A7C0 ~ 4BEFFE? Since that looks like simply a ton of ADD BYTE PTR DS:[EAX],AL

And one more thing.

Why is there always some DB 00, DB 01 etc and things like INT 3 between NPC offsets?

 

Is there seriously no way to make the executable bigger?
Surely there's some kind of program that can do that.

Yeah, 1.5 MB is nothing; even ollydbg takes over 2 MB in space!


I'm still wondering if 499B3E ~ 4BEFFE is free space, or is that the place Cave Story stores in-game values?

 

If you highlight whatever code you want to copy, you can right click, and in one of the menus that shows up there should be an option to "binary copy". This will store the code you highlighted to your clipboard as the hex values of that code. After doing this, you can highlight another selection of code (or empty space) and do a binary paste to paste the code to that spot. This will screw up JMP and CALL commands, as Olly tries to find the relative equivalent for where the JMP or CALL used to go. For example if in the original code the JMP jumped from
424EAA to 424EAF and you moved that command to 424E00, the new JMP would try to jump to 424E05 instead of 424EAF.

I believe the section at the very end of the executable is free space for extra code. 48B905 is where I usually start coding new stuff though there's not a ton of room.

 

Is there seriously no way to make the executable bigger?
Surely there's some kind of program that can do that.

Inserting space into the middle of the .exe would mess up a lot of CALL statements, and maybe some JMPs (if you had some custom code). And also I think you would have to edit the exe's header, to let it know that the "code" part of the executable is bigger.

But fixing all those CALL statements might not be a trivial task. Executables were not exactly designed to be easily edited after they're compiled from their source code.

 

Yeah, I'm sorta desperate for a large amount of free space, and I don't want to keep putting JMPs after every tiny bit of space.

Also why does everyone only read half my posts?

 

How does one separate the "take damage function" and the "lose exp function"?

I want to make it so that you don't lose exp when you take damage.

 

because maybe at one point in the game he would either need the PC to take damage or have them lose EXP.

 

So can someone help me on how to actually do it?

 

Here's the code for damage:
PUSH [VALUE]
CALL 00419910
ADD ESP,4
So the damage code is in 419910.
Now let's check the data.

Spoiler

Address Hex dump Command
00419910 /$ 55 PUSH EBP
00419911 |. 8BEC MOV EBP,ESP
00419913 |. 83EC 08 SUB ESP,8
00419916 |. A1 E8E14900 MOV EAX,DWORD PTR DS:[49E1E8]
0041991B |. 83C8 02 OR EAX,00000002
0041991E |. 75 05 JNE SHORT 00419925
00419920 |. E9 23020000 JMP 00419B48
00419925 |> 0FB60D C8E649 MOVZX ECX,BYTE PTR DS:[49E6C8]
0041992C |. 85C9 TEST ECX,ECX
0041992E |. 74 05 JE SHORT 00419935
00419930 |. E9 13020000 JMP 00419B48
00419935 |> 6A 01 PUSH 1
00419937 |. 6A 10 PUSH 10
00419939 |. E8 026D0000 CALL 00420640
0041993E |. 83C4 08 ADD ESP,8
00419941 |. 0FB615 38E649 MOVZX EDX,BYTE PTR DS:[49E638]
00419948 |. 83E2 FE AND EDX,FFFFFFFE
0041994B |. 8815 38E64900 MOV BYTE PTR DS:[49E638],DL
00419951 |. C605 C8E64900 MOV BYTE PTR DS:[49E6C8],80
00419958 |. 833D 4CE64900 CMP DWORD PTR DS:[49E64C],1
0041995F |. 75 02 JNE SHORT 00419963
00419961 |. EB 0A JMP SHORT 0041996D
00419963 |> C705 70E64900 MOV DWORD PTR DS:[49E670],-400
0041996D |> 0FBF45 08 MOVSX EAX,WORD PTR SS:[ARG.1]
00419971 |. 0FBF0D CCE649 MOVSX ECX,WORD PTR DS:[49E6CC]
00419978 |. 2BC8 SUB ECX,EAX
0041997A |. 66:890D CCE64 MOV WORD PTR DS:[49E6CC],CX
00419981 |. 8B15 50E64900 MOV EDX,DWORD PTR DS:[49E650]
00419987 |. 81E2 80000000 AND EDX,00000080
0041998D |. 74 1C JE SHORT 004199AB
0041998F |. 0FBF05 CEE649 MOVSX EAX,WORD PTR DS:[49E6CE]
00419996 |. 85C0 TEST EAX,EAX
00419998 |. 7E 11 JLE SHORT 004199AB
0041999A |. 0FBF0D CEE649 MOVSX ECX,WORD PTR DS:[49E6CE]
004199A1 |. 83E9 01 SUB ECX,1
004199A4 |. 66:890D CEE64 MOV WORD PTR DS:[49E6CE],CX
004199AB |> 8B15 50E64900 MOV EDX,DWORD PTR DS:[49E650]
004199B1 |. 83E2 04 AND EDX,00000004
004199B4 |. 74 22 JE SHORT 004199D8
004199B6 |. A1 689C4900 MOV EAX,DWORD PTR DS:[499C68]
004199BB |. 6BC0 14 IMUL EAX,EAX,14
004199BE |. 8B88 D09B4900 MOV ECX,DWORD PTR DS:[EAX+499BD0]
004199C4 |. 2B4D 08 SUB ECX,DWORD PTR SS:[ARG.1]
004199C7 |. 8B15 689C4900 MOV EDX,DWORD PTR DS:[499C68]
004199CD |. 6BD2 14 IMUL EDX,EDX,14
004199D0 |. 898A D09B4900 MOV DWORD PTR DS:[EDX+499BD0],ECX
004199D6 |. EB 23 JMP SHORT 004199FB
004199D8 |> A1 689C4900 MOV EAX,DWORD PTR DS:[499C68]
004199DD |. 6BC0 14 IMUL EAX,EAX,14
004199E0 |. 8B4D 08 MOV ECX,DWORD PTR SS:[ARG.1]
004199E3 |. D1E1 SHL ECX,1
004199E5 |. 8B90 D09B4900 MOV EDX,DWORD PTR DS:[EAX+499BD0]
004199EB |. 2BD1 SUB EDX,ECX
004199ED |. A1 689C4900 MOV EAX,DWORD PTR DS:[499C68]
004199F2 |. 6BC0 14 IMUL EAX,EAX,14
004199F5 |. 8990 D09B4900 MOV DWORD PTR DS:[EAX+499BD0],EDX
004199FB |> 8B0D 689C4900 MOV ECX,DWORD PTR DS:[499C68]
00419A01 |. 6BC9 14 IMUL ECX,ECX,14
00419A04 |. 83B9 D09B4900 CMP DWORD PTR DS:[ECX+499BD0],0
00419A0B |. 0F8D DA000000 JGE 00419AEB
00419A11 |. 8B15 689C4900 MOV EDX,DWORD PTR DS:[499C68]
00419A17 |. 6BD2 14 IMUL EDX,EDX,14
00419A1A |. 83BA CC9B4900 CMP DWORD PTR DS:[EDX+499BCC],1
00419A21 |. 0F8E AC000000 JLE 00419AD3
00419A27 |. A1 689C4900 MOV EAX,DWORD PTR DS:[499C68]
00419A2C |. 6BC0 14 IMUL EAX,EAX,14
00419A2F |. 8B88 CC9B4900 MOV ECX,DWORD PTR DS:[EAX+499BCC]
00419A35 |. 83E9 01 SUB ECX,1
00419A38 |. 8B15 689C4900 MOV EDX,DWORD PTR DS:[499C68]
00419A3E |. 6BD2 14 IMUL EDX,EDX,14
00419A41 |. 898A CC9B4900 MOV DWORD PTR DS:[EDX+499BCC],ECX
00419A47 |. A1 689C4900 MOV EAX,DWORD PTR DS:[499C68]
00419A4C |. 6BC0 14 IMUL EAX,EAX,14
00419A4F |. 8B88 CC9B4900 MOV ECX,DWORD PTR DS:[EAX+499BCC]
00419A55 |. 83E9 01 SUB ECX,1
00419A58 |. 894D F8 MOV DWORD PTR SS:[LOCAL.2],ECX
00419A5B |. 8B15 689C4900 MOV EDX,DWORD PTR DS:[499C68]
00419A61 |. 6BD2 14 IMUL EDX,EDX,14
00419A64 |. 8B82 C89B4900 MOV EAX,DWORD PTR DS:[EDX+499BC8]
00419A6A |. 8945 FC MOV DWORD PTR SS:[LOCAL.1],EAX
00419A6D |. 8B4D FC MOV ECX,DWORD PTR SS:[LOCAL.1]
00419A70 |. 6BC9 0C IMUL ECX,ECX,0C
00419A73 |. 8B15 689C4900 MOV EDX,DWORD PTR DS:[499C68]
00419A79 |. 6BD2 14 IMUL EDX,EDX,14
00419A7C |. 8B45 F8 MOV EAX,DWORD PTR SS:[LOCAL.2]
00419A7F |. 8B8C81 603649 MOV ECX,DWORD PTR DS:[EAX*4+ECX+493660]
00419A86 |. 038A D09B4900 ADD ECX,DWORD PTR DS:[EDX+499BD0]
00419A8C |. 8B15 689C4900 MOV EDX,DWORD PTR DS:[499C68]
00419A92 |. 6BD2 14 IMUL EDX,EDX,14
00419A95 |. 898A D09B4900 MOV DWORD PTR DS:[EDX+499BD0],ECX
00419A9B |. 0FBF05 CCE649 MOVSX EAX,WORD PTR DS:[49E6CC]
00419AA2 |. 85C0 TEST EAX,EAX
00419AA4 |.^ 7E 2B JLE SHORT 00419AD1
00419AA6 |. 8B0D 689C4900 MOV ECX,DWORD PTR DS:[499C68]
00419AAC |. 6BC9 14 IMUL ECX,ECX,14
00419AAF |. 83B9 C89B4900 CMP DWORD PTR DS:[ECX+499BC8],0D
00419AB6 |.^ 74 19 JE SHORT 00419AD1
00419AB8 |. 6A 02 PUSH 2
00419ABA |. 6A 0A PUSH 0A
00419ABC |. 8B15 58E64900 MOV EDX,DWORD PTR DS:[49E658]
00419AC2 |. 52 PUSH EDX
00419AC3 |. A1 54E64900 MOV EAX,DWORD PTR DS:[49E654]
00419AC8 |. 50 PUSH EAX
00419AC9 |. E8 C211FFFF CALL 0040AC90
00419ACE |. 83C4 10 ADD ESP,10
00419AD1 |>^ EB 13 JMP SHORT 00419AE6
00419AD3 |> 8B0D 689C4900 MOV ECX,DWORD PTR DS:[499C68]
00419AD9 |. 6BC9 14 IMUL ECX,ECX,14
00419ADC |. C781 D09B4900 MOV DWORD PTR DS:[ECX+499BD0],0
00419AE6 |>^ E9 10FFFFFF JMP 004199FB
00419AEB |> 8B55 08 MOV EDX,DWORD PTR SS:[ARG.1]
00419AEE |. F7DA NEG EDX
00419AF0 |. 52 PUSH EDX
00419AF1 |. 68 58E64900 PUSH OFFSET 0049E658
00419AF6 |. 68 54E64900 PUSH OFFSET 0049E654
00419AFB |. E8 F0C00000 CALL 00425BF0
00419B00 |. 83C4 0C ADD ESP,0C
00419B03 |. 0FBF05 CCE649 MOVSX EAX,WORD PTR DS:[49E6CC]
00419B0A |. 85C0 TEST EAX,EAX
00419B0C |. 7F 3A JG SHORT 00419B48
00419B0E |. 6A 01 PUSH 1
00419B10 |. 6A 11 PUSH 11
00419B12 |. E8 296B0000 CALL 00420640
00419B17 |. 83C4 08 ADD ESP,8
00419B1A |. C605 38E64900 MOV BYTE PTR DS:[49E638],0
00419B21 |. 6A 40 PUSH 40
00419B23 |. 68 00140000 PUSH 1400
00419B28 |. 8B0D 58E64900 MOV ECX,DWORD PTR DS:[49E658]
00419B2E |. 51 PUSH ECX
00419B2F |. 8B15 54E64900 MOV EDX,DWORD PTR DS:[49E654]
00419B35 |. 52 PUSH EDX
00419B36 |. E8 15560500 CALL 0046F150
00419B3B |. 83C4 10 ADD ESP,10
00419B3E |. 6A 28 PUSH 28
00419B40 |. E8 4B7E0000 CALL 00421990
00419B45 |. 83C4 04 ADD ESP,4
00419B48 |> 8BE5 MOV ESP,EBP
00419B4A |. 5D POP EBP
00419B4B \. C3 RETN

EDIT: Looks like it removes XP as well; I think that you'll have to decipher the random stuff above for the XP I'm too lazy
EDIT: Also I think that the format thing doesn't work in this forum. Ceebs fixing it

If you want to remove HP without XP, you could always set a LI+ 000/ to add negative 1 health
or LI+00/9 for -2, LI+00/8 for -3, LI+00/7 for -4 etc.

Or you could remember the true negative values but I'm too lazy to check that either.​

 

Does adding more maps to the game through cave editor (the most recent version, 0.99d, I believe) mess with the .exe file at all? I've run into a problem where after adding a few extra maps, the scripts don't work right on the higher numbered ones.

 

do not add extra maps with cave editor