Login

Boop · 04-14-2009, 09:30 AM

Wow, you're analysis of freeze is a lot more in-depth than my davis one.

cmp dword ptr ss:[esp+28],0E - I tried figuring out what esp+28 is... I have no clue.

John ball:
I saw that too, very strange... I have no idea what it does

.

genevrier · 04-14-2009, 09:37 AM

cmp dword ptr ss:[esp+28],0E
To this, sadly I was wrong...

esp+28 should be the value pushed in here,

Spoiler (Click to View)

that is, certainly the edi pushed in the address 0040AD5F...

Boop · (This post was last modified: 04-14-2009, 09:57 AM by Boop.)

Actually, it is :
Stack SS:[0012F29C]

If you set a breakpoint in olly you can see what ESP+28 evaluates too. I figured out what it does now... It checks what state you are in.

004049A7 >|. 837C24 28 0D CMP DWORD PTR SS:[ESP+28],0D ; Checks if target is frozen

00404A05 >|> 837C24 28 0E CMP DWORD PTR SS:[ESP+28],0E ; Checks if target is lying down.

It kinda makes sense even

. Because if you are lying down, then the ai doesn't do the tornado!

genevrier · 04-14-2009, 10:16 AM

Great work! + fra.txt updated

A question:
Does it means I can stop the program at breakpoints by OllyDbg?

Boop · (This post was last modified: 04-14-2009, 10:30 AM by Boop.)

Yes, If you double click the the "hex" part of the line ( it goes Address | HEX | ASM ), the line will become red. When the lf2 reaches that line it will "break" (a.k.a stop). Then it will show you the value of all the registers on the right side.

genevrier · (This post was last modified: 04-14-2009, 01:54 PM by genevrier.)

mov edx,dword ptr ds:[esi+ebp*4+194]
mov edx,dword ptr ds:[edx+18]

After some testing, I suggest this edx+18 should be the z position. With the produres testing edx+18 deleted, the character perform attacks without concern of z position.
In general, the AIs just don't care about the y position. (I made a character and made him flew upon the sky once. The bandit just stand on his shadow and keep attacking... )

As a pattern, '+10' is the x position and '+18' is the z position, so I guess '+14' would be the y position

=========================================================================

Code:
004049F2  |. |68 FA000000   push 0FA

004049F7  |. |6A 59         push 59

004049F9  |. |E8 92270100   call 00417190 ;Dark box #2

004049FE  |. |83C4 08       add esp,8

00404A01  |. |85C0          test eax,eax                ; a check decides using Icicle (go to c) or not (go to b)

This lines is just so buggy, it always crash the exe after some editing of an AI. (So I marked ';' to ignore this few lines...)

Boop · (This post was last modified: 04-14-2009, 03:03 PM by Boop.)

Yeah, +14 is the Y position. Sorry, it's my mistake... When I was commenting the code I got mixed up with Y and Z :p.

Anyway, here are a few of the missing mov commands and what they do:

mov byte ptr [R+CD],1 = Up
mov byte ptr [R+CE],1 = Down
mov byte ptr [R+CF],1 = Left
mov byte ptr [R+D0],1 = Right

mov byte ptr [R+D1],1 = Attack
mov byte ptr [R+D2],1 = Jump
mov byte ptr [R+D3],1 = Defend

I'm not sure about the rest.

That is where lf2 calls the AI. If you replace the JNZ with a JMP, the AI will do nothing.

ASM-Code:

00419E88  |. 3999 F8060000  |CMP DWORD PTR DS:[ECX+6F8],EBX  ;checks object type(from my testing EBX is always 0)
00419E8E  |. 75 0B          |JNZ SHORT lf2.00419E9B ; jump if incorrect type (if its not a character)
00419E90     55             |PUSH EBP                                ; /Arg2
00419E91     56             |PUSH ESI                                ; |Arg1
00419E92     8BCA           |MOV ECX,EDX                             ; |
00419E94  |. E8 27F6FEFF    |CALL lf2.004094C0                       ; \lf2.004094C0

The AI code is pretty long, and it has sub procedures which make it even longer. I think fully documenting it will be a lot of work :p.

Anyway, I quickly made an AI controller(mostly for fun and to test that all the addresses are right):
[Image: 53388767.jpg]

Download: http://www.mediafire.com/?akmkwjnnzjn

Only tested on lf2.exe 2.0 original (i don't know if it works with no num lock version). Plus, the computer character has to be player 1 or it won't work :p.

genevrier · (This post was last modified: 04-14-2009, 04:13 PM by genevrier.)

It is funny, I have tried to control player 1 character in demo...
[the computer character has to be player 1 or it won't work move] XD
That in stage mode or survival it can make all computer stop. (also in demo)

As I see, computer keeps doing the action (example: move, attack and defense) when I press the 'patch' button. It seems the same phenomenon as if someone tab the windows while a character is in human controlling.

Perhaps what in this thread is possible now (by an external key controller) cool

(joking
http://www.lf-empire.de/forum/showthread.php?tid=1638

Quote:That is where lf2 calls the AI. If you replace the JNZ with a JMP, the AI will do nothing.

Does it means in somewhere around there I can make a human player be controlled by the AI?

Boop · (This post was last modified: 04-14-2009, 04:56 PM by Boop.)

lf2 controls.rar (Size: 520 bytes / Downloads: 107)

I uploaded a cheat engine( http://cheatengine.org/downloads.php ) table with most of the values incase someone is interested :D.

I now understand more addresses:

R+C8 = "holding" left
R+C9 = "holding" right
R+Ca = "holding" attack
R+Cb = "holding" jump
R+CC = "holding" defence

Normally if you put a 1 in "walk left", the ai will start running(the ai controller program writes a 1 then quickly writes a 0 to give an illusion of button pressing :p). But if there is a 1 in R+C8 he will walk, which makes me believe it fakes as if you are "hodling" the button down.

With attack, if you put 1 then he will punch constantly. But if you put a 1 into R+CA he won't punch.

I don't know if that is very clear or not, but it is the best explanation I can give(mostly because I don't fully understand it my self).

Quote:Does it means in somewhere around there I can make a human player be controlled by the AI?

I think all the code above that deals with the player input.

ASM-Code:

00419C13   . 80BA 78534500 >CMP BYTE PTR DS:[EDX+455378],64          ;  check if up is pressed
00419C1A   . 75 14          JNZ SHORT lf2.00419C30
00419C1C   . 8B10           MOV EDX,DWORD PTR DS:[EAX]
00419C1E   . C682 CD000000 >MOV BYTE PTR DS:[EDX+CD],1
00419C25   . 391D 800B4500  CMP DWORD PTR DS:[450B80],EBX
00419C2B   . 74 03          JE SHORT lf2.00419C30
00419C2D   . 8009 80        OR BYTE PTR DS:[ECX],80
00419C30   > 8B56 08        MOV EDX,DWORD PTR DS:[ESI+8]
00419C33   . 80BA 78534500 >CMP BYTE PTR DS:[EDX+455378],64          ;  check if down is pressed

Quick extract. I see that it also uses R+X system. Which means it is possible to control a human character with an external program :p.

genevrier · 04-16-2009, 01:55 PM

I see R+80 in making the state 85 and 86. It is also in the R+X system

It is the facing direction of the character, with: 0 = Right and 1 = Left.

Login
Username:
Password:	Lost Password?
	Remember me