Notice that in this lesson I use the notation E_X. E_X stands for EDX, ECX, or EAX, depending on which register the game has loaded the NPC pointer into at that point in the code (the pointer itself is read from [EBP+8], the first argument of the NPC routine).

Today we're finally going to perform a couple of real NPC hacks.

Speedy Behemoth

Go to the Egg Corridor and observe the behavior of the behemoths. Not too interesting, right? They're definitely not very dangerous for our Mr. Traveler, Quote.
Now close Cave Story and bring up OllyDbg. Jump to address 426AF0 (Ctrl+G in the CPU window), which is the start of the behemoth code. We're going to make these monsters a bit faster. Scroll down until you find this bit of code:

    00426D35  MOV DWORD PTR DS:[EAX+10],-100
    00426D3C  JMP SHORT 00426D48
    00426D3E  MOV ECX,DWORD PTR SS:[EBP+8]
    00426D41  MOV DWORD PTR DS:[ECX+10],100

Notice the [E_X+10] part? That is the X-velocity field of the NPC, as we saw in the table in the previous lesson. Since the behemoth only moves horizontally here, we only need to change the X-velocity to make it go faster. Change the code to this:

    00426D35  MOV DWORD PTR DS:[EAX+10],-500
    00426D3C  JMP SHORT 00426D48
    00426D3E  MOV ECX,DWORD PTR SS:[EBP+8]
    00426D41  MOV DWORD PTR DS:[ECX+10],500

Keep in mind that OllyDbg shows immediates in hexadecimal, so 100 is really 0x100 (256) and 500 is 0x500 (1280); the ratio is still 5, so the behemoths now move five times faster. Because both the old and the new value are 32-bit immediates, the instruction stays 7 bytes long and nothing after it shifts. -500 is selected as the X-velocity when the behemoth is traveling left, and 500 when it is traveling right.

Near the beginning of the NPC behavior code you should notice some CMP instructions comparing [EBP-0E4] with 1, 2, and 3, each followed by a jump that depends on what [EBP-0E4] is equal to. Even though we have no idea yet what [EBP-0E4] is used for, we can experiment to find out. If you scroll down further, in addition to the velocities of 100 (or 500, now that you changed them) you'll see more instructions storing -400 and 400 into [E_X+10]. Does this mean the behemoth has a second speed? Of course. When the behemoth becomes enraged it moves faster, at velocities of -400 and 400 instead of a mild -100 and 100. And if you look at the jumps after the CMPs on [EBP-0E4], you'll notice that one of them goes directly to the rage-mode code. Like this:

So [EBP-0E4] must be a state variable controlling whether or not the behemoth is "angered".
Notice that EBP is the frame pointer: it marks the base of the current function's stack frame, and negative offsets from it address that function's local variables. So [EBP-0E4] is simply a local variable of the behemoth routine, 0xE4 bytes below the frame base.

Wrath of the Behemoth

[EBP-0E4] only controls how the behemoth behaves, so let's take the check out entirely. Instead of letting the game compare [EBP-0E4], we'll jump straight to the "enraged mode" code. That makes the behemoth enraged forever, even if you never shoot it. Since we don't want the CMP chain, NOP out the six instructions starting at 426D01 and ending right before 426D24. (Don't erase the instruction at 426D24 itself, only the one before it.) Then, at 426D01, assemble a single JMP 426E4B. That instruction jumps directly to 426E4B, where the "enraged" code is.

Two things to check before you run it. First, a JMP to a target this far away assembles as a 5-byte near jump (E9 plus a 32-bit displacement), so the remaining bytes up to 426D24 must stay NOPs; OllyDbg's Assemble dialog can fill them for you, or you can NOP the whole range first as described above. Second, glance at the code at 426E4B and make sure it does not rely on a register that one of the six removed instructions loaded (for example ECX from [EBP+8]); if it does, keep that load in front of the JMP. Remember that edits in OllyDbg only change memory until you save them back to the executable (right-click, Copy to executable, then save the file).
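Both hacks come down to overwriting a handful of bytes at known virtual addresses: a 32-bit immediate inside a 7-byte MOV for the speed change, and a 5-byte near JMP plus NOP padding for the rage change. The script below is an added example, not part of the original lesson and not something Cave Story or OllyDbg ships; it applies the same patches to a copy of the executable without OllyDbg. The addresses, the original MOV encodings and the 426D01..426D24 range are taken from the listing above. The original bytes of the six CMP/jump instructions are not shown on this page, so that patch is applied unchecked and you should confirm the range in OllyDbg first. The PE section walk and the constructed demo buffer (`demo_image`, filled with 0xCC rather than real game bytes) are my assumptions for making the script self-contained.

```python
import struct

# Virtual addresses from the lesson's OllyDbg listing.
BEHEMOTH_LEFT_SPEED_VA  = 0x00426D35  # MOV DWORD PTR DS:[EAX+10],-100
BEHEMOTH_RIGHT_SPEED_VA = 0x00426D41  # MOV DWORD PTR DS:[ECX+10],100
CMP_CHAIN_START_VA      = 0x00426D01  # first of the six CMP/jump instructions
CMP_CHAIN_END_VA        = 0x00426D24  # first instruction that must survive
ENRAGED_CODE_VA         = 0x00426E4B  # where the "enraged" code begins

MODRM_EAX_DISP8 = 0x40   # ModRM for [EAX+disp8]
MODRM_ECX_DISP8 = 0x41   # ModRM for [ECX+disp8]
NOP = 0x90


def encode_mov_mem_imm32(modrm, disp8, imm):
    """C7 /0: MOV DWORD PTR [reg+disp8], imm32 (always 7 bytes).
    Swapping one imm32 for another keeps the length, so nothing shifts."""
    return bytes([0xC7, modrm, disp8 & 0xFF]) + struct.pack("<i", imm)


def encode_jmp_rel32(src_va, dst_va):
    """E9 rel32: near JMP; the displacement is relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


def build_patches(speed=0x500):
    """Return (va, expected_original_bytes_or_None, new_bytes) tuples."""
    patches = [
        (BEHEMOTH_LEFT_SPEED_VA,
         encode_mov_mem_imm32(MODRM_EAX_DISP8, 0x10, -0x100),
         encode_mov_mem_imm32(MODRM_EAX_DISP8, 0x10, -speed)),
        (BEHEMOTH_RIGHT_SPEED_VA,
         encode_mov_mem_imm32(MODRM_ECX_DISP8, 0x10, 0x100),
         encode_mov_mem_imm32(MODRM_ECX_DISP8, 0x10, speed)),
    ]
    # Wrath patch: JMP straight to the enraged code, NOP-fill the rest of the CMP chain.
    # Original bytes are not on the page, so expected=None (no pre-check).
    jmp = encode_jmp_rel32(CMP_CHAIN_START_VA, ENRAGED_CODE_VA)
    fill = bytes([NOP]) * (CMP_CHAIN_END_VA - CMP_CHAIN_START_VA - len(jmp))
    patches.append((CMP_CHAIN_START_VA, None, jmp + fill))
    return patches


def pe_va_to_offset(data, va):
    """Map a virtual address to a file offset via the section table of a 32-bit PE."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # PE32 ImageBase
    rva = va - image_base
    sections = opt + opt_size
    for i in range(num_sections):
        s = sections + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:08X} is not inside any section")


def apply_patches(buf, va_to_off, patches):
    """Patch a bytearray in place, refusing to touch bytes that don't match the expected originals."""
    for va, expected, new in patches:
        off = va_to_off(va)
        if expected is not None and bytes(buf[off:off + len(expected)]) != expected:
            raise ValueError(f"unexpected bytes at {va:08X}: {bytes(buf[off:off + len(expected)]).hex()}")
        buf[off:off + len(new)] = new
    return buf


# Constructed demo: a flat slice of code starting at 426D00 with only the two MOVs
# placed at their real offsets; everything else is 0xCC filler, not game bytes.
DEMO_BASE_VA = 0x00426D00


def demo_image():
    buf = bytearray(b"\xCC" * 0x200)
    for va, modrm, imm in ((BEHEMOTH_LEFT_SPEED_VA, MODRM_EAX_DISP8, -0x100),
                           (BEHEMOTH_RIGHT_SPEED_VA, MODRM_ECX_DISP8, 0x100)):
        off = va - DEMO_BASE_VA
        buf[off:off + 7] = encode_mov_mem_imm32(modrm, 0x10, imm)
    return buf


def patch_demo(speed=0x500):
    return apply_patches(demo_image(), lambda va: va - DEMO_BASE_VA, build_patches(speed))


def patch_file(src_path, dst_path, speed=0x500):
    """Patch a real executable: read it, map VAs through the PE headers, write a copy."""
    with open(src_path, "rb") as f:
        data = bytearray(f.read())
    apply_patches(data, lambda va: pe_va_to_offset(data, va), build_patches(speed))
    with open(dst_path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    print(patch_demo()[0x01:0x48].hex())
```

`patch_file("Doukutsu.exe", "Doukutsu-wrath.exe")` would do the whole job on a copy of the game; the pre-check on the two MOV instructions means that running it against a build whose bytes differ from the lesson's listing fails loudly instead of corrupting code.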
This is the result:
Previous Lesson: NPC Hacking 2 | Next Lesson: Redefining Registers | Table of Contents