
skills_based_on_spirit

A lot of Priestess and Magician skills receive a boost from the player's spirit. Usually Spirit/8 is added to the minimum attack power, and Spirit/4 to the maximum.
Let's see how to change that.

For this example, I'll edit the Priestess' Vigor Ball formula to Spirit - Spirit * 4.
With a weapon attack power of 6 - 9 and 260 spirit points, this is how it looks unedited:

(screenshot 01.jpg: unedited Vigor Ball attack power display)

1. Client side
On the client, we must edit the displayed value so it matches our new formula. The magic happens here:

OllyDbg - Client side

004AD4F5  |.  8B88 C0000000 MOV ECX,DWORD PTR DS:[EAX+0C0]
004AD4FB  |.  8BC1          MOV EAX,ECX
004AD4FD  |.  99            CDQ
004AD4FE  |.  83E2 07       AND EDX,00000007
004AD501  |.  03C2          ADD EAX,EDX
004AD503  |.  8B5424 1C     MOV EDX,DWORD PTR SS:[LOCAL.131]
004AD507      C1F8 03       SAR EAX,3
004AD50A  |.  03D0          ADD EDX,EAX
004AD50C  |.  8BC1          MOV EAX,ECX
004AD50E  |.  8B4C24 18     MOV ECX,DWORD PTR SS:[LOCAL.132]
004AD512  |.  895424 1C     MOV DWORD PTR SS:[LOCAL.131],EDX
004AD516  |.  99            CDQ
004AD517  |.  83E2 03       AND EDX,00000003
004AD51A  |.  03C2          ADD EAX,EDX
004AD51C      C1F8 02       SAR EAX,2
004AD51F  |.  03C8          ADD ECX,EAX
004AD521  |.  894C24 18     MOV DWORD PTR SS:[LOCAL.132],ECX
SAR is an arithmetic right shift, so each shift step divides by 2: SAR EAX,3 is the same as EAX = EAX / 2 / 2 / 2 = EAX / 8 (that's our Spirit/8), and SAR EAX,2 is EAX = EAX / 4. The CDQ / AND EDX,7 / ADD EAX,EDX (or AND EDX,3) just before each SAR is the compiler's sign fix-up: it adds 7 (or 3) to a negative value before the shift so the result rounds toward zero like a signed division. For a positive spirit value EDX is 0 and it changes nothing.

Here's what happens:
* the player spirit is moved into ECX, then to EAX. (EAX=Spirit, ECX=Spirit)
* the weapon minimum attack power is moved to EDX. (EAX=Spirit, ECX=Spirit, EDX=Minimum)
* the spirit is divided by 8. (EAX=Spirit/8, ECX=Spirit, EDX=Minimum)
* the divided spirit is added to the weapon minimum attack power. (EAX=Spirit/8, ECX=Spirit, EDX=Minimum+Spirit/8)
* the player spirit is moved to EAX. (EAX=Spirit, ECX=Spirit, EDX=Minimum+Spirit/8)
* the weapon maximum attack power is moved to ECX. (EAX=Spirit, ECX=Maximum, EDX=Minimum+Spirit/8)
* the new minimum value is moved back to the stack.
* the spirit is divided by 4. (EAX=Spirit/4, ECX=Maximum, EDX=Minimum+Spirit/8)
* the divided spirit is added to the weapon maximum attack power. (EAX=Spirit/4, ECX=Maximum+Spirit/4, EDX=Minimum+Spirit/8)
* the new maximum value is moved back to the stack.

To make it match the new formula, we need to remove the first SAR (filling its 3 bytes with NOPs) and convert the second one into a multiplication: IMUL EAX,EAX,4. Both replacements are exactly 3 bytes, like the SAR they overwrite (C1F8 03 / C1F8 02 versus 90 90 90 / 6BC0 04), so none of the following addresses shift.

OllyDbg - Client side

004AD4F5  |.  8B88 C0000000 MOV ECX,DWORD PTR DS:[EAX+0C0]
004AD4FB  |.  8BC1          MOV EAX,ECX
004AD4FD  |.  99            CDQ
004AD4FE  |.  83E2 07       AND EDX,00000007
004AD501  |.  03C2          ADD EAX,EDX
004AD503  |.  8B5424 1C     MOV EDX,DWORD PTR SS:[LOCAL.131]
004AD507      90            NOP
004AD508      90            NOP
004AD509      90            NOP
004AD50A  |.  03D0          ADD EDX,EAX
004AD50C  |.  8BC1          MOV EAX,ECX
004AD50E  |.  8B4C24 18     MOV ECX,DWORD PTR SS:[LOCAL.132]
004AD512  |.  895424 1C     MOV DWORD PTR SS:[LOCAL.131],EDX
004AD516  |.  99            CDQ
004AD517  |.  83E2 03       AND EDX,00000003
004AD51A  |.  03C2          ADD EAX,EDX
004AD51C      6BC0 04       IMUL EAX,EAX,4
004AD51F  |.  03C8          ADD ECX,EAX
004AD521  |.  894C24 18     MOV DWORD PTR SS:[LOCAL.132],ECX


(screenshot 02.jpg: Vigor Ball attack power display after the client patch)

2. Server side
Now that we've edited the display part, we need to edit the actual formula. It's located here:

OllyDbg - Server side

005773F9  |.  66:8B4F 2C    MOV CX,WORD PTR DS:[EDI+2C]
005773FD  |.  66:394F 28    CMP WORD PTR DS:[EDI+28],CX
00577401  |.^ 0F8E C7F0FFFF JLE 005764CE
00577407  |.  66:8B5F 2E    MOV BX,WORD PTR DS:[EDI+2E]
0057740B  |.  66:395F 2A    CMP WORD PTR DS:[EDI+2A],BX
0057740F  |.^ 0F8E B9F0FFFF JLE 005764CE
00577415  |.  0FBF47 32     MOVSX EAX,WORD PTR DS:[EDI+32]
00577419  |.  99            CDQ
0057741A  |.  83E2 07       AND EDX,00000007
0057741D  |.  03C2          ADD EAX,EDX
0057741F  |.  0FBFD1        MOVSX EDX,CX
00577422  |.  8B0CF5 30906B MOV ECX,DWORD PTR DS:[ESI*8+6B9030]
00577429  |.  8B34F5 34906B MOV ESI,DWORD PTR DS:[ESI*8+6B9034]
00577430  |.  03CA          ADD ECX,EDX
00577432  |.  0FBFD3        MOVSX EDX,BX
00577435  |.  C1F8 03       SAR EAX,3
00577438  |.  03C8          ADD ECX,EAX
0057743A  |.  03F2          ADD ESI,EDX
0057743C  |.  03F0          ADD ESI,EAX
0057743E  |.  56            PUSH ESI
0057743F  |.  51            PUSH ECX


Here's what happens:
* the weapon minimum attack power is moved to CX. (CX=Minimum)
* the weapon maximum attack power is moved to BX. (CX=Minimum, BX=Maximum)
* the player spirit is moved to EAX. (CX=Minimum, BX=Maximum, EAX=Spirit)
* the weapon minimum attack power is moved to EDX. (CX=Minimum, BX=Maximum, EAX=Spirit, EDX=Minimum)
* the skill static minimum attack power is moved to ECX. (BX=Maximum, EAX=Spirit, EDX=Minimum, ECX=SkillMin)
* the skill static maximum attack power is moved to ESI. (BX=Maximum, EAX=Spirit, EDX=Minimum, ECX=SkillMin, ESI=SkillMax)
* the weapon minimum attack power is added to the skill static minimum attack power. (BX=Maximum, EAX=Spirit, EDX=Minimum, ECX=SkillMin+Minimum, ESI=SkillMax)
* the weapon maximum attack power is moved to EDX. (BX=Maximum, EAX=Spirit, EDX=Maximum, ECX=SkillMin+Minimum, ESI=SkillMax)
* the player spirit is divided by 8. (BX=Maximum, EAX=Spirit/8, EDX=Maximum, ECX=SkillMin+Minimum, ESI=SkillMax)
* the divided spirit is added to the new minimum attack power. (BX=Maximum, EAX=Spirit/8, EDX=Maximum, ECX=SkillMin+Minimum+Spirit/8, ESI=SkillMax)
* the weapon maximum attack power is added to the skill static maximum attack power. (BX=Maximum, EAX=Spirit/8, EDX=Maximum, ECX=SkillMin+Minimum+Spirit/8, ESI=SkillMax+Maximum)
* the divided spirit is added to the new maximum attack power. (BX=Maximum, EAX=Spirit/8, EDX=Maximum, ECX=SkillMin+Minimum+Spirit/8, ESI=SkillMax+Maximum+Spirit/8)
* the new maximum attack power is pushed into the stack.
* the new minimum attack power is pushed into the stack.

Yep. The formulas in the client and in the server aren't the same: the client displays Spirit/8 - Spirit/4, but the server applies Spirit/8 - Spirit/8.

If you move the formula somewhere with room for the extra instructions, you can correct that, but I won't do it in this example. Instead, I'll change my initial formula to Spirit * 2 - Spirit * 2.

3. Client side
We now need two IMULs, one in place of each SAR.

OllyDbg - Client side

004AD507      6BC0 02       IMUL EAX,EAX,2
004AD50A  |.  03D0          ADD EDX,EAX
004AD50C  |.  8BC1          MOV EAX,ECX
004AD50E  |.  8B4C24 18     MOV ECX,DWORD PTR SS:[LOCAL.132]
004AD512  |.  895424 1C     MOV DWORD PTR SS:[LOCAL.131],EDX
004AD516  |.  99            CDQ
004AD517  |.  83E2 03       AND EDX,00000003
004AD51A  |.  03C2          ADD EAX,EDX
004AD51C      6BC0 02       IMUL EAX,EAX,2


(screenshot 03.jpg: Vigor Ball attack power display with the Spirit * 2 - Spirit * 2 formula)

4. Server side
Same here, we need an IMUL in place of the SAR.

OllyDbg - Server side

00577432  |.  0FBFD3        MOVSX EDX,BX
00577435      6BC0 02       IMUL EAX,EAX,2
00577438  |.  03C8          ADD ECX,EAX
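
Steps 1 to 4 above as a small C model, added here as an illustration and not code from the page or the game: sar_div mirrors the CDQ/AND/ADD/SAR idiom, the three atk_t functions give the unpatched client and server formulas and the final Spirit * 2 patch, and patch_bytes applies an in-place byte patch only after checking that the bytes it expects to overwrite are really there. The byte encodings are the ones shown in the listings; the 9-byte image buffer is a constructed stand-in for the client file, and the code assumes the compiler's >> on a negative int is arithmetic (true for every mainstream x86 compiler).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Mirrors CDQ / AND EDX,(2^shift - 1) / ADD EAX,EDX / SAR EAX,shift: a signed
   division by 2^shift rounding toward zero, as the compiler emitted it. */
static int32_t sar_div(int32_t v, int shift) {
    int32_t fixup = (v >> 31) & ((1 << shift) - 1);  /* CDQ + AND EDX,mask */
    return (v + fixup) >> shift;                      /* ADD EAX,EDX + SAR  */
}

typedef struct { int32_t min, max; } atk_t;
/* Unpatched client display (step 1): weapon + Spirit/8 .. weapon + Spirit/4 */
atk_t client_original(int32_t wmin, int32_t wmax, int32_t spirit) {
    return (atk_t){ wmin + sar_div(spirit, 3), wmax + sar_div(spirit, 2) };
}

/* Unpatched server formula (step 2): both ends get Spirit/8, the mismatch */
atk_t server_original(int32_t skmin, int32_t skmax, int32_t wmin, int32_t wmax,
                      int32_t spirit) {
    int32_t s8 = sar_div(spirit, 3);
    return (atk_t){ skmin + wmin + s8, skmax + wmax + s8 };
}

/* Final client patch (step 3): both SARs replaced by IMUL EAX,EAX,2; the
   CDQ/AND/ADD fix-up in front of each one still runs, so it is kept here. */
atk_t client_patched(int32_t wmin, int32_t wmax, int32_t spirit) {
    int32_t a = spirit + ((spirit >> 31) & 7), b = spirit + ((spirit >> 31) & 3);
    return (atk_t){ wmin + a * 2, wmax + b * 2 };
}

/* Overwrite n bytes at off only if the bytes there are the ones expected, so a
   different build or an already patched file is refused rather than corrupted. */
int patch_bytes(uint8_t *img, size_t len, size_t off,
                const uint8_t *expect, const uint8_t *repl, size_t n) {
    if (off > len || n > len - off || memcmp(img + off, expect, n) != 0) return 0;
    memcpy(img + off, repl, n);
    return 1;
}

/* Constructed stand-in for the client bytes at 004AD51C..004AD521 (SAR EAX,2 /
   ADD ECX,EAX / MOV [LOCAL.132],ECX). Applies the step 1 SAR -> IMUL EAX,EAX,4
   patch; returns 1 if it applied once and a second attempt is refused. */
int demo_patch(void) {
    uint8_t img[] = { 0xC1,0xF8,0x02, 0x03,0xC8, 0x89,0x4C,0x24,0x18 };
    const uint8_t sar[] = { 0xC1,0xF8,0x02 }, imul4[] = { 0x6B,0xC0,0x04 };
    int first = patch_bytes(img, sizeof img, 0, sar, imul4, 3);
    int again = patch_bytes(img, sizeof img, 0, sar, imul4, 3); /* pre-image gone */
    return first && !again && img[0] == 0x6B && img[3] == 0x03;
}
```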


5. Other skills' locations
* Chain Lightning

OllyDbg - Client side

004AD680  |.  8B89 C0000000 MOV ECX,DWORD PTR DS:[ECX+0C0]
004AD686  |.  8BC1          MOV EAX,ECX
004AD688  |.  99            CDQ
004AD689  |.  83E2 07       AND EDX,00000007
004AD68C  |.  03C2          ADD EAX,EDX
004AD68E  |.  8B5424 1C     MOV EDX,DWORD PTR SS:[LOCAL.131]
004AD692  |.  C1F8 03       SAR EAX,3
004AD695  |.  03D0          ADD EDX,EAX
004AD697  |.  8BC1          MOV EAX,ECX
004AD699  |.  8B4C24 18     MOV ECX,DWORD PTR SS:[LOCAL.132]
004AD69D  |.  895424 1C     MOV DWORD PTR SS:[LOCAL.131],EDX
004AD6A1  |.  99            CDQ
004AD6A2  |.  83E2 03       AND EDX,00000003
004AD6A5  |.  03C2          ADD EAX,EDX
004AD6A7  |.  8B15 B4FC6700 MOV EDX,DWORD PTR DS:[67FCB4]            ; ASCII "ATK Pow:"
004AD6AD  |.  C1F8 02       SAR EAX,2
004AD6B0  |.  03C8          ADD ECX,EAX
004AD6B2  |.  52            PUSH EDX
004AD6B3  |.  8D8424 280100 LEA EAX,[LOCAL.65]
004AD6BA  |.  50            PUSH EAX


OllyDbg - Server side

005791B4  |.  8B5C24 3C     MOV EBX,DWORD PTR SS:[ARG.4]
005791B8  |.  8B04B5 F8A96B MOV EAX,DWORD PTR DS:[ESI*4+6BA9F8]
005791BF  |.  3943 28       CMP DWORD PTR DS:[EBX+28],EAX
005791C2  |.^ 0F8F 76F0FFFF JG 0057823E
005791C8  |.  8B0CB5 20AA6B MOV ECX,DWORD PTR DS:[ESI*4+6BAA20]
005791CF  |.  0FAFC8        IMUL ECX,EAX
005791D2  |.  894B 1C       MOV DWORD PTR DS:[EBX+1C],ECX
005791D5  |.  0FBF6F 2E     MOVSX EBP,WORD PTR DS:[EDI+2E]
005791D9  |.  0FBF57 28     MOVSX EDX,WORD PTR DS:[EDI+28]
005791DD  |.  8B0CF5 A8A96B MOV ECX,DWORD PTR DS:[ESI*8+6BA9A8]
005791E4  |.  8B34F5 ACA96B MOV ESI,DWORD PTR DS:[ESI*8+6BA9AC]
005791EB  |.  03CA          ADD ECX,EDX
005791ED  |.  8BC5          MOV EAX,EBP
005791EF  |.  99            CDQ
005791F0  |.  83E2 07       AND EDX,00000007
005791F3  |.  03C2          ADD EAX,EDX
005791F5  |.  C1F8 03       SAR EAX,3
005791F8  |.  03C8          ADD ECX,EAX
005791FA  |.  0FBF47 2A     MOVSX EAX,WORD PTR DS:[EDI+2A]
005791FE  |.  03F0          ADD ESI,EAX
00579200  |.  8BC5          MOV EAX,EBP
00579202  |.  99            CDQ
00579203  |.  83E2 03       AND EDX,00000003
00579206  |.  03C2          ADD EAX,EDX
00579208  |.  C1F8 02       SAR EAX,2
0057920B  |.  03F0          ADD ESI,EAX
0057920D  |.  56            PUSH ESI
0057920E  |.  51            PUSH ECX


* Diastrophism

OllyDbg - Client side

004AE617  |.  8B88 C0000000 MOV ECX,DWORD PTR DS:[EAX+0C0]
004AE61D  |.  8BC1          MOV EAX,ECX
004AE61F  |.  99            CDQ
004AE620  |.  83E2 07       AND EDX,00000007
004AE623  |.  03C2          ADD EAX,EDX
004AE625  |.  8B5424 1C     MOV EDX,DWORD PTR SS:[LOCAL.131]
004AE629  |.  C1F8 03       SAR EAX,3
004AE62C  |.  03D0          ADD EDX,EAX
004AE62E  |.  8BC1          MOV EAX,ECX
004AE630  |.  8B4C24 18     MOV ECX,DWORD PTR SS:[LOCAL.132]
004AE634  |.  895424 1C     MOV DWORD PTR SS:[LOCAL.131],EDX
004AE638  |.  99            CDQ
004AE639  |.  83E2 03       AND EDX,00000003
004AE63C  |.  03C2          ADD EAX,EDX
004AE63E  |.  C1F8 02       SAR EAX,2
004AE641  |.  03C8          ADD ECX,EAX


OllyDbg - Server side

00578E19  |.  66:8B4F 24    MOV CX,WORD PTR DS:[EDI+24]
00578E1D  |.  66:3B4F 28    CMP CX,WORD PTR DS:[EDI+28]
00578E21  |.^ 0F8C 17F4FFFF JL 0057823E
00578E27  |.  66:8B57 26    MOV DX,WORD PTR DS:[EDI+26]
00578E2B  |.  66:3B57 2A    CMP DX,WORD PTR DS:[EDI+2A]
00578E2F  |.^ 0F8C 09F4FFFF JL 0057823E
00578E35  |.  8B04B5 B0976B MOV EAX,DWORD PTR DS:[ESI*4+6B97B0]
00578E3C  |.  8B4C24 3C     MOV ECX,DWORD PTR SS:[ARG.4]
00578E40  |.  8941 1C       MOV DWORD PTR DS:[ECX+1C],EAX
00578E43  |.  8B83 80B30000 MOV EAX,DWORD PTR DS:[EBX+0B380]
00578E49  |.  3BC5          CMP EAX,EBP
00578E4B  |.  8B0CF5 60976B MOV ECX,DWORD PTR DS:[ESI*8+6B9760]
00578E52  |.  8B34F5 64976B MOV ESI,DWORD PTR DS:[ESI*8+6B9764]
00578E59  |.  74 3C         JE SHORT 00578E97
00578E5B  |.  3B05 309DAC07 CMP EAX,DWORD PTR DS:[7AC9D30]
00578E61  |.  76 28         JBE SHORT 00578E8B
00578E63  |.  8B9B 84B30000 MOV EBX,DWORD PTR DS:[EBX+0B384]
00578E69  |.  8BD3          MOV EDX,EBX
00578E6B  |.  0FAFDE        IMUL EBX,ESI
00578E6E  |.  0FAFD1        IMUL EDX,ECX
00578E71  |.  B8 1F85EB51   MOV EAX,51EB851F
00578E76  |.  F7E2          MUL EDX
00578E78  |.  C1EA 05       SHR EDX,5
00578E7B  |.  03CA          ADD ECX,EDX
00578E7D  |.  B8 1F85EB51   MOV EAX,51EB851F
00578E82  |.  F7E3          MUL EBX
00578E84  |.  C1EA 05       SHR EDX,5
00578E87  |.  03F2          ADD ESI,EDX


* Meteor

OllyDbg - Client side

004AEE16  |.  8B89 C0000000 MOV ECX,DWORD PTR DS:[ECX+0C0]
004AEE1C  |.  8BC1          MOV EAX,ECX
004AEE1E  |.  99            CDQ
004AEE1F  |.  83E2 07       AND EDX,00000007
004AEE22  |.  03C2          ADD EAX,EDX
004AEE24  |.  8B5424 1C     MOV EDX,DWORD PTR SS:[LOCAL.131]
004AEE28  |.  C1F8 03       SAR EAX,3
004AEE2B  |.  03D0          ADD EDX,EAX
004AEE2D  |.  8BC1          MOV EAX,ECX
004AEE2F  |.  8B4C24 18     MOV ECX,DWORD PTR SS:[LOCAL.132]
004AEE33  |.  895424 1C     MOV DWORD PTR SS:[LOCAL.131],EDX
004AEE37  |.  99            CDQ
004AEE38  |.  83E2 03       AND EDX,00000003
004AEE3B  |.  03C2          ADD EAX,EDX
004AEE3D  |.  C1F8 02       SAR EAX,2
004AEE40  |.  03C8          ADD ECX,EAX
004AEE42  |.  894C24 18     MOV DWORD PTR SS:[LOCAL.132],ECX
004AEE46  |.  8B8C24 240200 MOV ECX,DWORD PTR SS:[LOCAL.1]


OllyDbg - Server side

005792C2  |.  8B14B5 08AE6B MOV EDX,DWORD PTR DS:[ESI*4+6BAE08]
005792C9  |.  8B4424 3C     MOV EAX,DWORD PTR SS:[ARG.4]
005792CD  |.  8950 1C       MOV DWORD PTR DS:[EAX+1C],EDX
005792D0  |.  8B83 80B30000 MOV EAX,DWORD PTR DS:[EBX+0B380]
005792D6  |.  3BC5          CMP EAX,EBP
005792D8  |.  8B0CF5 B8AD6B MOV ECX,DWORD PTR DS:[ESI*8+6BADB8]
005792DF  |.  8B34F5 BCAD6B MOV ESI,DWORD PTR DS:[ESI*8+6BADBC]
005792E6  |.  74 3C         JE SHORT 00579324
005792E8  |.  3B05 309DAC07 CMP EAX,DWORD PTR DS:[7AC9D30]
005792EE  |.  76 28         JBE SHORT 00579318
005792F0  |.  8B9B 84B30000 MOV EBX,DWORD PTR DS:[EBX+0B384]
005792F6  |.  8BD3          MOV EDX,EBX
005792F8  |.  0FAFDE        IMUL EBX,ESI
005792FB  |.  0FAFD1        IMUL EDX,ECX
005792FE  |.  B8 1F85EB51   MOV EAX,51EB851F
00579303  |.  F7E2          MUL EDX
00579305  |.  C1EA 05       SHR EDX,5
00579308  |.  03CA          ADD ECX,EDX
0057930A  |.  B8 1F85EB51   MOV EAX,51EB851F
0057930F  |.  F7E3          MUL EBX
00579311  |.  C1EA 05       SHR EDX,5
00579314  |.  03F2          ADD ESI,EDX