Posts: 10
Threads: 6
Joined: Nov 2013
01-05-2014, 09:34 AM
(This post was last modified: 01-06-2014, 03:40 AM by Azriel.)
Hi,
First of all, I ask someone to delete my first thread named "Hitting target with skills causes attacker lose HP", because it's useless. I was working on spellvamp there, and I managed to do some kind of it (ball had to die to transfer hp to its owner), but now my spellvamp is object-oriented and works properly (I think, so you can check). Here's the code (it's kinda long and complicated ^^):
ASM-Code:
itr_effect_fall proc
mov eax,dword ptr ss:[esp+0Ch]
mov eax,dword ptr ds:[eax+2Ch] ;effect
cmp eax,74
je spellvamp
ASM-Code:
spellvamp:
mov eax,dword ptr ds:[esi+edi*4+194h]
mov edx,dword ptr ds:[eax+368h]
cmp dword ptr ds:[edx+6F8h],3 ;type
je r3
cmp dword ptr ds:[edx+6F8h],0 ;type
jne p2
MOV EAX,DWORD PTR SS:[ESP+0Ch]
MOV EDX,DWORD PTR DS:[EAX+28h] ;respond
MOV ECX,DWORD PTR DS:[EDI*4+ESI+194h] ;target
push edi
cmp DWORD PTR DS:[ECX+2FCh],edx ;hp target
jge x20
mov edx,DWORD PTR DS:[ECX+2FCh]
x20:
sub DWORD PTR DS:[ECX+2FCh],edx
push ebx
push eax
mov eax,edx
mov ebx,3 ;percent, attacker will gain dhp (33%)
xor edx,edx
div ebx
mov edx,eax
pop eax
pop ebx
MOV ECX,DWORD PTR DS:[EBX*4+ESI+194h]
add DWORD PTR DS:[ECX+300h],edx
MOV EAX,DWORD PTR SS:[ESP+0Ch]
MOV ECX,DWORD PTR DS:[EDI*4+ESI+194h]
MOV EDX,DWORD PTR DS:[EBX*4+ESI+194h]
MOV eax,DWORD PTR DS:[EDX+308h]
mov edi,eax
MOV ECX,DWORD PTR DS:[EDI*4+ESI+194h]
cmp byte ptr ds:[esi+edi+4],0
je x22
cmp edi,500
je x22
cmp DWORD PTR DS:[ECX+2FCh],0 ;target's hp
jle x22
MOV EAX,DWORD PTR SS:[ESP+0Ch]
MOV ECX,DWORD PTR DS:[EDI*4+ESI+194h] ;target
MOV EDX,DWORD PTR DS:[EBX*4+ESI+194h] ;attacker
MOV EDX,DWORD PTR DS:[EDX+300h]
add DWORD PTR DS:[ECX+2FCh],edx ;hp target
cmp DWORD PTR DS:[ECX+2FCh],500
jle x21
mov DWORD PTR DS:[ECX+2FCh],500
x21:
MOV EDX,DWORD PTR DS:[EBX*4+ESI+194h] ;attacker
mov DWORD PTR DS:[EDX+300h],0 ;dhp attacker
x23:
pop edi
MOV ECX,DWORD PTR DS:[EDI*4+ESI+194h]
MOV EDX,DWORD PTR DS:[EBX*4+ESI+194h]
mov eax,dword ptr ds:[esi+edi*4+194h]
jmp dword ptr [ef_r1]
x22: mov DWORD PTR DS:[EDX+70h],40
jmp x23
Of course, the initial frame of the ball should have state 311, like the one from my previous thread, if you don't have a special MAX_MP function, which I'll be trying to implement (thanks Silva).
In this code, when the ball hits an opponent, it stores the damage it dealt in dark red hp, so when the target has less hp than the ball's damage, it stores all of his hp, but the damage dealt is divided by 3, so you get 33% spellvamp (ofc you can change the value). After that, the ball hits its owner, healing him, and then it hits the target again with nothing, but it has to apply the visual effect. :p
By the way, don't use injury in this itr, because injury is applied before all this code, so then I should heal him for the amount he was hit, which could cause him to revive, so use "respond" as injury (or change effect 74 to something like 74xxx).
Thanks given by:
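The two-step transfer described in the post above, modelled in C as an added example (not the poster's code). The struct and its field names are assumptions standing in for the offsets 2FCh and 300h; the divisor 3 and the cap 500 are taken from the posted assembly.

```c
#include <stdint.h>

#define MAX_HP  500   /* cap in the posted code: cmp [ecx+2FCh],500 */
#define DIVISOR 3     /* "mov ebx,3" in the posted code (33%) */

/* Hypothetical stand-in for a game object; only the fields the patch touches. */
struct obj {
    int     exists;   /* byte tested at [esi+edi+4] in the posted code */
    int32_t hp;       /* +2FCh */
    int32_t dark_hp;  /* +300h, used by the ball as a bank for stolen hp */
};

/* Step 1: the ball hits the target. Damage is clamped to the target's
   remaining hp, then a third of what was removed is banked on the ball. */
int32_t ball_hits_target(struct obj *ball, struct obj *target, int32_t respond)
{
    int32_t dealt = respond;
    if (target->hp < dealt)          /* cmp [ecx+2FCh],edx / jge x20 (signed) */
        dealt = target->hp;
    target->hp -= dealt;
    /* "div ebx" is unsigned while the compare above is signed, so a negative
       clamped value would turn into a very large bank; the cast mirrors that. */
    ball->dark_hp += (int32_t)((uint32_t)dealt / DIVISOR);
    return dealt;
}

/* Step 2: the bank is paid to the owner, capped at MAX_HP, then cleared.
   Returns 0 when the owner is missing or dead (branch x22), leaving the bank
   untouched. The posted check "cmp edi,500" on the owner's object number is
   modelled here as a null pointer, which is an assumption. */
int heal_owner(struct obj *ball, struct obj *owner)
{
    if (owner == 0 || !owner->exists || owner->hp <= 0)
        return 0;
    owner->hp += ball->dark_hp;
    if (owner->hp > MAX_HP)
        owner->hp = MAX_HP;
    ball->dark_hp = 0;
    return 1;
}
```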
Posts: 35
Threads: 3
Joined: Jun 2008
01-19-2014, 12:45 PM
(This post was last modified: 01-19-2014, 12:46 PM by hkmnhkmn.)
Hi there! I was really amazed by your work and I really appreciated that you shared your work and also your other threads! Thank you so much! So I was wondering if it is possible to put these codes directly into the LF2.exe, since I wasn't using the dll. I'm kind of new to hex editing and I have a few questions.
So I was not very clear about the mov eax,dword ptr ds:[esi+edi*4+194h] part: can I directly input this code into the LF2.exe during editing, or should I change it to something else? Because it seems that it is slightly different from the rest of the codes (normally without the *4 thing).
And also, are those large spacings between each set of code required? Like for example:
Quote:
mov eax,dword ptr ds:[esi+edi*4+194h]
mov edx,dword ptr ds:[eax+368h]
cmp dword ptr ds:[edx+6F8h],3
je r3
cmp dword ptr ds:[edx+6F8h],0
jne p2
MOV EAX,DWORD PTR SS:[ESP+0Ch]
MOV EDX,DWORD PTR DS:[EAX+28h]
MOV ECX,DWORD PTR DS:[EDI*4+ESI+194h]
push edi
cmp DWORD PTR DS:[ECX+2FCh],edx
jge x20
mov edx,DWORD PTR DS:[ECX+2FCh]
....
So is it like this? I understand that the r3, p2, etc. should be changed back into the corresponding address. I'm just a little confused about problems other than this to solve before coding it into the exe, thanks!
Thanks given by:
Posts: 10
Threads: 6
Joined: Nov 2013
Hi, finally someone posting under my post (except Silva, but I was feeling lonely here :/)
I think it is possible to put the code directly in the .exe, but it's much easier for me to do it through the .dll (I must say I can't even write the code in the .exe, I just use ollydbg to check the addresses, cause since yesterday I'm able to find the part of code and implement it in the .dll ;d).
These large spacings are for my own understanding of the code, of course you can remove all of them.
About p2 and r3, I accidentally didn't post where they come from, so here it is:
r3: jmp dword ptr [ef_r3]
p2: JMP ik8_pos2
About mov eax,dword ptr ds:[esi+edi*4+194h]...
I'm not 100% sure how this works, cause I'm not some kind of expert or anything, but this means (for me), that eax is storing target.
mov eax,dword ptr ds:[esi+ebx*4+194h] - this one means, that eax is storing attacker.
Also I've found out, that when I change ebx or edx to something else (some other value of another object written in like mp bar [308h]), then I can get access to this object:
mov eax,dword ptr ds:[esi+edi*4+194h] ;store target in eax
mov edx,dword ptr ds:[eax+308h] ;get from target's mp bar object number and store in edx
mov edi,edx ;store object number in edi
mov eax,dword ptr ds:[esi+edi*4+194h] ;this is the 1st line, but this time it stores object number from mana
With all this wisdom I was able to do what I was able to do. ;d
Also, I don't write the code to deal with weapons, so they may act weird. ;d
Now I'm trying to write object number in another address, but I don't know which one is not used by anything, so I don't ruin something.
Thanks given by:
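What the `[esi+edi*4+194h]` operand asked about in this thread computes, as an added example (not code from any poster): x86 base + index*scale + displacement addressing over a table of 4-byte entries. The byte array standing in for a 32-bit address space, the sample addresses and the function names are constructed for illustration; only the offsets 194h and 308h come from the posts.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit "address space": an address is an offset into mem[]. */
static uint8_t mem[0x2000];

static uint32_t load32(uint32_t addr)
{
    uint32_t v;
    memcpy(&v, mem + addr, 4);
    return v;
}

static void store32(uint32_t addr, uint32_t v) { memcpy(mem + addr, &v, 4); }

#define TABLE_OFF 0x194u  /* displacement in the posted operand */
#define FIELD_308 0x308u  /* field the post reads an object number from */

/* mov eax,dword ptr ds:[esi+idx*4+194h]
   The scale is 4 because each table entry is one 32-bit pointer, so entry
   number idx sits idx*4 bytes after the start of the table. */
uint32_t object_ptr(uint32_t esi, uint32_t idx)
{
    return load32(esi + idx * 4u + TABLE_OFF);
}

/* The four-line sequence from the post: fetch an object, read an object
   number out of its +308h field, then index the same table with it. */
uint32_t linked_object_ptr(uint32_t esi, uint32_t idx)
{
    uint32_t obj    = object_ptr(esi, idx);      /* mov eax,[esi+edi*4+194h] */
    uint32_t linked = load32(obj + FIELD_308);   /* mov edx,[eax+308h] ; mov edi,edx */
    return object_ptr(esi, linked);              /* mov eax,[esi+edi*4+194h] */
}

/* Constructed layout: global block at 0x100, object 2 at 0x800,
   object 7 at 0x1000, and object 2's +308h field holding the number 7. */
uint32_t build_sample(void)
{
    uint32_t esi = 0x100;
    memset(mem, 0, sizeof mem);
    store32(esi + 2 * 4 + TABLE_OFF, 0x800);
    store32(esi + 7 * 4 + TABLE_OFF, 0x1000);
    store32(0x800 + FIELD_308, 7);
    return esi;
}
```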