
disable_premium_at_bc

Sometimes users use a hair tint pot to revive themselves at BC.
Here's a way to disable the use of premium items there.

The process is really simple. We know that BC items can only be used in BC.
If we can find the piece of code that compares the current field to 33 (0x21) for BC items, we just have to apply the same check to premium items.

Here's a BC item description in the item table:

[OllyDbg - Client side: screenshot of the item table entry, not reproduced here]

The value shown in bold in the screenshot is what we are interested in: the item type. This item is the first of the 080A items.

When you right-click on an item in game, a procedure at address 00489680 is called.
In this procedure, an action is executed depending on the item type.

Here's what happens for 080A items:

OllyDbg - Client side

00489A4A      81FF 00000A08 CMP EDI,80A0000  ; Test if it's the BC items (080A)
00489A50      0F85 09010000 JNE 00489B5F
00489A56      8B3D 28AE8E00 MOV EDI,DWORD PTR DS:[8EAE28]
00489A5C      8BBF 6C010000 MOV EDI,DWORD PTR DS:[EDI+16C]
00489A62      85FF          TEST EDI,EDI
00489A64      7C 14         JL SHORT 00489A7A
00489A66      8B3CBD 58AD8E00 MOV EDI,DWORD PTR DS:[EDI*4+8EAD58] ; EDI*4+8EAD58, remember that address
00489A6D      83BF 1C140000 21 CMP DWORD PTR DS:[EDI+141C],21 ; Something is compared to 33 (0x21). Hm, that's the BC field number
00489A74      0F85 B70A0000 JNE 0048A531 ; If it's not BC we go to the end of the procedure


It looks like we just have to take the last three lines and apply them to premium items.

If you take the description of a hair tint pot in the item table, you'll see something like this:

[OllyDbg - Client side: screenshot of the hair tint pot entry in the item table, not reproduced here]

In bold, the item type (080C).

Here's what we are looking for :

OllyDbg - Client side

00489B83      81F9 00000C08 CMP ECX,80C0000 ; Premium items
00489B89      0F85 A8070000 JNE 0048A337
00489B8F      A1 28AE8E00   MOV EAX,DWORD PTR DS:[8EAE28]
00489B94      33FF          XOR EDI,EDI
00489B96      66:893D 60A00603 MOV WORD PTR DS:[306A060],DI
00489B9D      8B80 6C010000 MOV EAX,DWORD PTR DS:[EAX+16C]
00489BA3      3BC7          CMP EAX,EDI
00489BA5      7C 2C         JL SHORT 00489BD3
00489BA7      8B0C85 58AD8E00 MOV ECX,DWORD PTR DS:[EAX*4+8EAD58]         ; 8EAD58, same address as above but with EAX instead of EDI
00489BAE      39A9 C4000000 CMP DWORD PTR DS:[ECX+0C4],EBP
00489BB4      75 1D         JNE SHORT 00489BD3
00489BB6      8B92 08FEFFFF MOV EDX,DWORD PTR DS:[EDX-1F8]
00489BBC      B8 C4285F00   MOV EAX,OFFSET server.005F28C4
00489BC1      3B10           CMP EDX,DWORD PTR DS:[EAX]
00489BC3      0F84 68090000  JE 0048A531
00489BC9      83C0 04        ADD EAX,4
00489BCC      3D D0285F00    CMP EAX,OFFSET server.005F28D0
00489BD1      7C EE          JL SHORT 00489BC1
00489BD3      89BE 1C9C0300 MOV DWORD PTR DS:[ESI+39C1C],EDI
00489BD9      A1 04480803   MOV EAX,DWORD PTR DS:[3084804]
00489BDE      8BD0          MOV EDX,EAX
00489BE0      69D2 14030000 IMUL EDX,EDX,314


As you can see, at line 00489BA7 we load into ECX the address of the structure that holds the field info. Reading ECX+141C gives us the current field number.
There's not a lot of space available at that spot, so I'll have to make some: write a JMP to the KPTTrans section, move the displaced instruction there, and add the field comparison.
For this write-up I'll put the new instructions at 0441B000 in the KPTTrans section.

OllyDbg - Client side

00489BA7      8B0C85 58AD8E MOV ECX,DWORD PTR DS:[EAX*4+8EAD58]
00489BAE      E9 4D14F903   JMP 0441B000                ; Here's the JMP to KPTTrans (replacing the CMP xxx,EBP)
00489BB3      90            NOP
00489BB4      90            NOP                                 ; I also removed the JNE SHORT
00489BB5      90            NOP
00489BB6      8B92 08FEFFFF MOV EDX,DWORD PTR DS:[EDX-1F8]


OllyDbg - Client side

0441B000    83B9 1C140000 21 CMP DWORD PTR DS:[ECX+141C],21      ; Field comparison (same as BC items)
0441B007    0F84 24F506FC   JE 0048A531         ; Jump at the end of the procedure if it's BC field
0441B00D    39A9 C4000000   CMP DWORD PTR DS:[ECX+0C4],EBP              ; The CMP that we removed
0441B013    0F85 BAEB06FC   JNE 00489BD3                        ; The JNE SHORT we removed is now a JNE (it's a big jump now)
0441B019    E9 96EB06FC     JMP 00489BB4                        ; We go back to where we left


You can also refine that procedure, for instance if you want the item to be usable only in the two towns.

OllyDbg - Client side

0441B000    83B9 1C140000 03 CMP DWORD PTR DS:[ECX+141C],3  ; Is it Ricarten ?
0441B007    74 0E           JE SHORT 0441B017   ; Yes, we go to CMP xx, EBP
0441B009    83B9 1C140000 15 CMP DWORD PTR DS:[ECX+141C],15  ; Is it Phillai ?
0441B010    74 05           JE SHORT 0441B017   ; Yes, we go to CMP xx, EBP
0441B012    E9 1AF506FC     JMP 0048A531        ; Neither Ricarten nor Phillai, jump at the end of procedure
0441B017    39A9 C4000000   CMP DWORD PTR DS:[ECX+0C4],EBP              ; The CMP that we removed
0441B01D    0F85 B0EB06FC   JNE 00489BD3                        ; The JNE SHORT we removed is now a JNE (it's a big jump now)
0441B023    E9 8CEB06FC     JMP 00489BB4                        ; We go back to where we left
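The part of this patch that is easy to get wrong is the jump arithmetic: every E9/0F 84/0F 85 displacement is relative to the end of the jump instruction, and a JE SHORT only reaches 127 bytes forward. The script below is an added example, not code from the original page: it assembles the hook written at 00489BAE and both versions of the cave (the "blocked in BC" one and the "towns only" one) from the addresses in the listings above, so the bytes can be compared with what OllyDbg shows instead of being hand-computed. It only encodes the handful of opcodes the patch needs; every address and offset is a constant taken from the page, and the towns-only builder generalises the page's two-town version to any tuple of field numbers.

```python
# Added example (not from the original page): assemble the KPTTrans patch
# described above from the page's addresses and check the displacements.
import struct

PATCH_SITE = 0x00489BAE   # CMP DWORD PTR [ECX+0C4],EBP (6 bytes) + JNE SHORT (2 bytes)
PATCH_LEN  = 8            # those 8 bytes become JMP rel32 (5) + 3 NOPs
RESUME     = 0x00489BB4   # the cave jumps back into the NOPs
ITEM_OK    = 0x00489BD3   # target of the original JNE SHORT
PROC_END   = 0x0048A531   # end of the right-click procedure (item not used)
CAVE       = 0x0441B000   # free space in the KPTTrans section
FIELD_OFF  = 0x141C       # the field number lives at [ECX+141C]
BC_FIELD   = 0x21         # 33 = the BC field
TOWNS      = (0x03, 0x15) # Ricarten, Phillai (values used on the page)

CMP_ECX_0C4_EBP = bytes.fromhex("39A9C4000000")  # the instruction the JMP displaces


def rel32(src: int, insn_len: int, target: int) -> bytes:
    """Little-endian rel32 for a jump whose first byte is at `src`."""
    return struct.pack("<I", (target - (src + insn_len)) & 0xFFFFFFFF)


def jmp(src, target):  # E9 rel32
    return b"\xE9" + rel32(src, 5, target)


def je(src, target):   # 0F 84 rel32
    return b"\x0F\x84" + rel32(src, 6, target)


def jne(src, target):  # 0F 85 rel32
    return b"\x0F\x85" + rel32(src, 6, target)


def je_short(src, target):  # 74 rel8; refuses targets a short jump cannot reach
    disp = target - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"JE SHORT at {src:08X} cannot reach {target:08X}")
    return b"\x74" + struct.pack("<b", disp)


def cmp_field(imm8):  # CMP DWORD PTR [ECX+141C],imm8 -> 83 B9 disp32 ib
    return b"\x83\xB9" + struct.pack("<I", FIELD_OFF) + struct.pack("<B", imm8)


class Asm:
    """Tiny byte emitter that tracks the address of the next instruction."""
    def __init__(self, org):
        self.org, self.buf = org, bytearray()

    @property
    def pc(self):
        return self.org + len(self.buf)

    def emit(self, code):
        self.buf += code


def build_hook():
    """Bytes written at 00489BAE: JMP to the cave, NOP-padded to the 8 bytes removed."""
    a = Asm(PATCH_SITE)
    a.emit(jmp(a.pc, CAVE))
    a.emit(b"\x90" * (PATCH_LEN - len(a.buf)))
    return bytes(a.buf)


def build_cave_block_in_bc():
    """Cave 1: premium item unusable in the BC field, otherwise the original logic."""
    a = Asm(CAVE)
    a.emit(cmp_field(BC_FIELD))
    a.emit(je(a.pc, PROC_END))          # in BC -> leave the procedure
    a.emit(CMP_ECX_0C4_EBP)             # the displaced CMP
    a.emit(jne(a.pc, ITEM_OK))          # the old JNE SHORT, now a long JNE
    a.emit(jmp(a.pc, RESUME))           # back to where we left
    return bytes(a.buf)


def build_cave_towns_only(allowed=TOWNS):
    """Cave 2: usable only in the listed fields (any number of them)."""
    a = Asm(CAVE)
    tail = CAVE + len(allowed) * (7 + 2) + 5   # after the CMP/JE pairs and the JMP
    for field in allowed:
        a.emit(cmp_field(field))
        a.emit(je_short(a.pc, tail))    # allowed field -> run the original CMP
    a.emit(jmp(a.pc, PROC_END))         # none matched -> end of procedure
    assert a.pc == tail
    a.emit(CMP_ECX_0C4_EBP)
    a.emit(jne(a.pc, ITEM_OK))
    a.emit(jmp(a.pc, RESUME))
    return bytes(a.buf)


if __name__ == "__main__":
    for name, code in [("hook @00489BAE", build_hook()),
                       ("cave (block in BC)", build_cave_block_in_bc()),
                       ("cave (towns only)", build_cave_towns_only())]:
        print(f"{name:20s} {code.hex(' ').upper()}")
```

Running it prints the same byte sequences as the three listings above (E9 4D14F903 for the hook, 0F84 24F506FC / 0F85 BAEB06FC / E9 96EB06FC for the first cave, and so on), which is the quickest way to confirm that a cave moved to a different address in KPTTrans has had every displacement recomputed.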