Help Changing Eth bonus from 50 to 33% or close to it (1.10)

[PureRage]

Greetings fellow modders. I come to you in desperation as I've exhausted every idea I can come up with to solve this issue.

The whole eth bonus % section as far as I can see is the following

Code: Select all

D2Common:
---------------------------------------------------
000558D0 56 PUSH ESI
000558D1 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
000558D5 85F6 TEST ESI,ESI
000558D7 75 1E JNZ SHORT 000558F7
000558D9 68 06070000 PUSH 706
000558DE 68 D439DE6F PUSH 6FDE39D4
000558E3 68 5831DE6F PUSH 6FDE3158
000558E8 E8 65EA0200 CALL 00084352
000558ED 83C4 0C ADD ESP,0C
000558F0 6A FF PUSH -1
000558F2 E8 78EB0200 CALL 0008446F
000558F7 6A 01 PUSH 1
000558F9 68 00004000 PUSH 400000
000558FE 56 PUSH ESI
000558FF E8 7C2E0000 CALL 00058780
00055904 6A 2D PUSH 2D
00055906 56 PUSH ESI
00055907 E8 D4830000 CALL 0005DCE0
0005590C 6A 00 PUSH 0
0005590E 6A 00 PUSH 0
00055910 85C0 TEST EAX,EAX
00055912 0F84 BA000000 JE 000559D2
00055918 6A 15 PUSH 15 ; min dmg stat
0005591A 56 PUSH ESI
0005591B E8 10220200 CALL 00077B30
00055920 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
00055923 99 CDQ
00055924 2BC2 SUB EAX,EDX
00055926 D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%
00055928 50 PUSH EAX
00055929 6A 15 PUSH 15 ; min dmg stat
0005592B 56 PUSH ESI
0005592C E8 7F210200 CALL 00077AB0
00055931 6A 00 PUSH 0
00055933 6A 00 PUSH 0
00055935 6A 16 PUSH 16 ; max dmg stat
00055937 56 PUSH ESI
00055938 E8 F3210200 CALL 00077B30
0005593D 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
00055940 99 CDQ
00055941 2BC2 SUB EAX,EDX
00055943 D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
00055945 50 PUSH EAX
00055946 6A 16 PUSH 16 ; max dmg stat
00055948 56 PUSH ESI
00055949 E8 62210200 CALL 00077AB0
0005594E 6A 00 PUSH 0
00055950 6A 00 PUSH 0
00055952 6A 17 PUSH 17 ; secondary min dmg stat
00055954 56 PUSH ESI
00055955 E8 D6210200 CALL 00077B30
0005595A 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
0005595D 99 CDQ
0005595E 2BC2 SUB EAX,EDX
00055960 D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
00055962 50 PUSH EAX
00055963 6A 17 PUSH 17 ; secondary min dmg stat
00055965 56 PUSH ESI
00055966 E8 45210200 CALL 00077AB0
0005596B 6A 00 PUSH 0
0005596D 6A 00 PUSH 0
0005596F 6A 18 PUSH 18 ; secondary max dmg
00055971 56 PUSH ESI
00055972 E8 B9210200 CALL 00077B30
00055977 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
0005597A 99 CDQ
0005597B 2BC2 SUB EAX,EDX
0005597D D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
0005597F 50 PUSH EAX
00055980 6A 18 PUSH 18 ; Secondary max dmg stat
00055982 56 PUSH ESI
00055983 E8 28210200 CALL 00077AB0
00055988 6A 00 PUSH 0
0005598A 6A 00 PUSH 0
0005598C 68 9F000000 PUSH 9F ; throw min dmg stat
00055991 56 PUSH ESI
00055992 E8 99210200 CALL 00077B30
00055997 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
0005599A 99 CDQ
0005599B 2BC2 SUB EAX,EDX
0005599D D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
0005599F 50 PUSH EAX
000559A0 68 9F000000 PUSH 9F ; throw min dmg stat
000559A5 56 PUSH ESI
000559A6 E8 05210200 CALL 00077AB0
000559AB 6A 00 PUSH 0
000559AD 6A 00 PUSH 0
000559AF 68 A0000000 PUSH 0A0 ; throw max dmg stat
000559B4 56 PUSH ESI
000559B5 E8 76210200 CALL 00077B30
000559BA 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
000559BD 99 CDQ
000559BE 2BC2 SUB EAX,EDX
000559C0 D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
000559C2 50 PUSH EAX
000559C3 68 A0000000 PUSH 0A0 ; throw max dmg stat
000559C8 56 PUSH ESI
000559C9 E8 E2200200 CALL 00077AB0
000559CE 5E POP ESI
000559CF C2 0400 RETN 4
000559D2 6A 1F PUSH 1F ; AC stat
000559D4 56 PUSH ESI
000559D5 E8 56210200 CALL 00077B30
000559DA 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
000559DD 99 CDQ
000559DE 2BC2 SUB EAX,EDX
000559E0 D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
000559E2 50 PUSH EAX
000559E3 6A 1F PUSH 1F ; AC stat
000559E5 56 PUSH ESI
000559E6 E8 C5200200 CALL 00077AB0
000559EB 5E POP ESI
000559EC C2 0400 RETN 4
000559EF 90 NOP

After the NOP at the bottom, a new section of code exists, so I basically have 1 byte to play with if I don't move the function.
As a test I tried the following for the AC stat to get 125% bonus as there is a spare byte to play with at the bottom.
Changing

Code: Select all

SAR EAX,1

to

Code: Select all

SAR EAX,2

(this requires the extra byte)
to divide by 2 twice (25% of EAX)
then rewriting the follow up code to RETN 4.

I then change

Code: Select all

LEA EAX,DWORD PTR DS:[EAX+EAX*2]

to

Code: Select all

LEA EAX,DWORD PTR DS:[EAX+EAX*4]

to get 125%

Testing in game shows this works

The problem I have is I need to get around a 1/3 bonus so I would want to do something similar to this:

Code: Select all

LEA EAX,DWORD PTR DS:[EAX+EDI*4] ; value in EAX +(EDI*4) (3/8 of base)+(1/4*4) = 1+(3/8) 
CDQ
SUB EAX,EDX
SAR EAX,2 ; divide base value of stat by 2, twice (1/4)
MOV EAX,EDI ; copy 1/4 of stat into EDI (EDI = 1/4) ; EDI simply as an example. I'd have to use an unused register
SAR EAX,1 ; divide 1/4 of stat by 2 one time (EAX = 1/8)
ADD EAX,EDI ; add EDI (1/4) to EAX (1/8). EAX = 1/8+1/4 (3/8)

Obviously this requires much more space that I don't have so I need to jump.

If we forget about the above code for now and any problems it may contain (It's mostly theory of how to reach roughly 133%). I have a more pressing issue.

I tried simply jumping from the AC section too, rewriting the code and jumping back, but again I crash when spawning an eth item.

Original with Jump for AC bonus only:

Code: Select all

000559CF C2 0400 RETN 4 ; End of previous function block for weapons
000559D2 6A 1F PUSH 1F ; AC stat (I change this to JMP 000XXXXX)
000559D4 56 PUSH ESI
000559D5 E8 56210200 CALL 00077B30
000559DA 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
000559DD 99 CDQ
000559DE 2BC2 SUB EAX,EDX
000559E0 D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
000559E2 50 PUSH EAX
000559E3 6A 1F PUSH 1F ; AC stat
000559E5 56 PUSH ESI
000559E6 E8 C5200200 CALL 00077AB0
000559EB 5E POP ESI
000559EC C2 0400 RETN 4 ; I jump back here from the end of the new function location

Rewritten code starting at the address I jumped too

Code: Select all

000XXXXX 6A 1F PUSH 1F ; AC stat < The jump from the original leads here
000XXXXX 56 PUSH ESI
000XXXXX E8 56210200 CALL 00077B30
000XXXXX 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; calc to return eth bonus (50% +(50%*2))
000XXXXX 99 CDQ
000XXXXX 2BC2 SUB EAX,EDX
000XXXXX D1F8 SAR EAX,1 ; divide by 2, 1 time for 50%,
000XXXXX 50 PUSH EAX
000XXXXX 6A 1F PUSH 1F ; AC stat
000XXXXX 56 PUSH ESI
000XXXXX E8 C5200200 CALL 00077AB0
000XXXXX 5E POP ESI
000XXXXX C2 0400 RETN 4   ; Here I jump back to the end of the original code block, so JMP 000559EC

I even tried jumping from the very top of the function I posted first, rewriting the entire thing in free space then jumping to the end of the original, but the same thing happens.

Any idea what is going wrong with jumping out for more space, rewriting the code then jumping back in this instance?
I've used this method many times when I need to edit something but require more space.

Any help is hugely appreciated, as I'm finding myself thinking about wtf is going on all the time, even out with the dog or going to the shop etc.

[devurandom]

I then change

Code: Select all

LEA EAX,DWORD PTR DS:[EAX+EAX*2]

to

Code: Select all

LEA EAX,DWORD PTR DS:[EAX+EAX*4]

to get 125%

Greetings,

I could be wrong but, it looks like that's loading a table value, or a table handler,
where it may work for some instances but not the next.

Cheers

[PureRage]

You may be right, but it seemed to me that the calc is actually doing the adustment. As you can see SAR EAX,1 is dividing EAX (base value of stat) by 2 once to get 50%. My nowledge of assembly is still full of holes so what I assume to be a logical answer could be completely wrong as I've beenout of the modding scene for a few years now. Here is the logic I used to determine what was going on:

[EAX+EAX*2] =50% + (50%*2) = 150% of the base stat

If I change the SAR EAX,1 to SAR EAX,2 (making EAX 25%) then change that calc to [EAX+EAX*4] the result is 25%+(25%*4) = 125%, and that is the bonus I get in game (only works for AC as it's the only place I have a spare byte to change SAR EAX,1 to SAR EAX,2). If I had a spare byte for each of the weapon stats (min/max damage, min/max throw, etc. everything would be peachy.

The main issue is not being able to jump to new space to rewrite the code then jump back. Even jumping > rewriting the exact code > jumping back to the end results in a crash. I'm mostly looking for a reason that jumping to and from free space for this section of code results in a crash. Now I'm thinking perhaps there are calls to certain parts of the original code from other .dll's that I will need to patch, but I'm not certain.

My method may be more complicated than is required and I'd love to read about a simpler solution to the problem if anyone can come up with one.

I could live with a 25% bonus on eth items if jumping to free space to SAR EAX,2 each stat wouldn't cause a crash every time.

[devurandom]

I was wrong, It has to do with Ollydbg code analysis.

My version displays this:

Code: Select all

$+559DA  8D0440        LEA EAX,[EAX*2+EAX]

Your version displays this:

Code: Select all

000559DA 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2]

It's definitely not a table lookup, just a bad debug analysis.


EDIT;

First code example was wrong, I worked through this on 1.13d then back ported to 1.10


New edit gives exactly 4/3 bonus (133%) to Eth armo

Code: Select all

change:

6FD959DA    8D0440           LEA EAX,[EAX*2+EAX]
6FD959DD    99               CDQ
6FD959DE    2BC2             SUB EAX,EDX
6FD959E0    D1F8             SAR EAX,1

to: 

6FD959DA    E9 8E7B0300      JMP 6FDCD56D   ; jumps to new code
6FD959DF    90               NOP
6FD959E0    90               NOP
6FD959E1    90               NOP

add:

6FDCD56D      8D0485 00000000  LEA EAX,[EAX*4]
6FDCD574      99               CDQ
6FDCD575      29D0             SUB EAX,EDX
6FDCD577      52               PUSH EDX
6FDCD578      53               PUSH EBX
6FDCD579      66:BA 0000       MOV DX,0
6FDCD57D      66:BB 0300       MOV BX,3
6FDCD581      66:F7F3          DIV BX
6FDCD584      5B               POP EBX
6FDCD585      5A               POP EDX
6FDCD586    ^ E9 5784FCFF      JMP 6FD959E2           ; jumps back to old code

[PureRage]

TY sir. I'll gave that a try tonight and get back to you!

[devurandom]

Its only a 1 byte difference, so it may be possible to use that 1 byte nop, and then you wouldn't have to make any any jumps.

Cheers

[PureRage]

The 1 byte is at the bottom of the entire eth function so I could only edit eth armor bonuses. There is no space in the above code for weapons.

I have made progress though thanks to your input. Your jump position was exactly the issue. However the AND EAX,2C command resulted in a 100def item having 11 def when ethereal.

Jumping from the CDQ I done the following:

Code: Select all

00090133   99               CDQ
00090134   2BC2             SUB EAX,EDX
00090136   C1F8 02          SAR EAX,2
00090139   C3          RETN

Instead of Jumping though, I simply use CALL 00090133
Now I can just call that code for each itemtype.

I do still need to adjust the [EAX+EAX*2] to [EAX+EAX*4] for each stat but that's no problem.
So now I have 25% + (25%*4) for a total bonus of 125% ethereal bonus, confirmed by a 100 def armor having 125 as eth.

Many thanks!

[devurandom]

My first code example was wrong.. I just worked through all that in 1.13d.
See my edited example in above post to get exactly a 4/3 bonus to eth armor.

Tested on Ethereal Armet. Socketing gave 297 defense which is 133% bonus.

Cheers

[PureRage]

That works like a dream for armor. My 100 AC helm results in 133 AC when eth
I simply do a CALL in place of the original LEA EAX,DWORD PTR DS:[EAX+EAX*4]

As the function for weapon stats is exactly the same as it is for armor, I done the same for each weapon stat. Adding a CALL to the new % adjustment code. However, all weapons still get the 50% bonus.
I'm extremely confused where this is coming from as the original code to grant that 50% is null and void now with the new CALL. The code is identical to the armor code but weapons show as a 50% bonus.

Is there something D2Client related to weapons I need to update? Strikes me as very odd that there would be something like that for weapons, but not armor. Any advice?

Here's the adjusted code:

Code: Select all

000558D0   56               PUSH ESI
000558D1   8B7424 08        MOV ESI,DWORD PTR SS:[ESP+8]
000558D5   85F6             TEST ESI,ESI
000558D7   75 1E            JNZ SHORT 000558F7
000558D9   68 06070000      PUSH 706
000558DE   68 D439DE6F      PUSH 6FDE39D4
000558E3   68 5831DE6F      PUSH 6FDE3158
000558E8   E8 65EA0200      CALL 00084352
000558ED   83C4 0C          ADD ESP,0C
000558F0   6A FF            PUSH -1
000558F2   E8 78EB0200      CALL 0008446F
000558F7   6A 01            PUSH 1
000558F9   68 00004000      PUSH 400000
000558FE   56               PUSH ESI
000558FF   E8 7C2E0000      CALL 00058780
00055904   6A 2D            PUSH 2D
00055906   56               PUSH ESI
00055907   E8 D4830000      CALL 0005DCE0
0005590C   6A 00            PUSH 0
0005590E   6A 00            PUSH 0
00055910   85C0             TEST EAX,EAX
00055912   0F84 BA000000    JE 000559D2
00055918   6A 15            PUSH 15
0005591A   56               PUSH ESI
0005591B   E8 10220200      CALL 00077B30
00055920   E8 0EA80300      CALL 00090133
00055925   90               NOP
00055926   90               NOP
00055927   90               NOP
00055928   50               PUSH EAX
00055929   6A 15            PUSH 15
0005592B   56               PUSH ESI
0005592C   E8 7F210200      CALL 00077AB0
00055931   6A 00            PUSH 0
00055933   6A 00            PUSH 0
00055935   6A 16            PUSH 16
00055937   56               PUSH ESI
00055938   E8 F3210200      CALL 00077B30
0005593D   E8 F1A70300      CALL 00090133
00055942   90               NOP
00055943   90               NOP
00055944   90               NOP
00055945   50               PUSH EAX
00055946   6A 16            PUSH 16
00055948   56               PUSH ESI
00055949   E8 62210200      CALL 00077AB0
0005594E   6A 00            PUSH 0
00055950   6A 00            PUSH 0
00055952   6A 17            PUSH 17
00055954   56               PUSH ESI
00055955   E8 D6210200      CALL 00077B30
0005595A   E8 D4A70300      CALL 00090133
0005595F   90               NOP
00055960   90               NOP
00055961   90               NOP
00055962   50               PUSH EAX
00055963   6A 17            PUSH 17
00055965   56               PUSH ESI
00055966   E8 45210200      CALL 00077AB0
0005596B   6A 00            PUSH 0
0005596D   6A 00            PUSH 0
0005596F   6A 18            PUSH 18
00055971   56               PUSH ESI
00055972   E8 B9210200      CALL 00077B30
00055977   E8 B7A70300      CALL 00090133
0005597C   90               NOP
0005597D   90               NOP
0005597E   90               NOP
0005597F   50               PUSH EAX
00055980   6A 18            PUSH 18
00055982   56               PUSH ESI
00055983   E8 28210200      CALL 00077AB0
00055988   6A 00            PUSH 0
0005598A   6A 00            PUSH 0
0005598C   68 9F000000      PUSH 9F
00055991   56               PUSH ESI
00055992   E8 99210200      CALL 00077B30
00055997   E8 97A70300      CALL 00090133
0005599C   90               NOP
0005599D   90               NOP
0005599E   90               NOP
0005599F   50               PUSH EAX
000559A0   68 9F000000      PUSH 9F
000559A5   56               PUSH ESI
000559A6   E8 05210200      CALL 00077AB0
000559AB   6A 00            PUSH 0
000559AD   6A 00            PUSH 0
000559AF   68 A0000000      PUSH 0A0
000559B4   56               PUSH ESI
000559B5   E8 76210200      CALL 00077B30
000559BA   E8 74A70300      CALL 00090133
000559BF   90               NOP
000559C0   90               NOP
000559C1   90               NOP
000559C2   50               PUSH EAX
000559C3   68 A0000000      PUSH 0A0
000559C8   56               PUSH ESI
000559C9   E8 E2200200      CALL 00077AB0
000559CE   5E               POP ESI
000559CF   C2 0400          RETN 4
000559D2   6A 1F            PUSH 1F
000559D4   56               PUSH ESI
000559D5   E8 56210200      CALL 00077B30
000559DA   E8 54A70300      CALL 00090133
000559DF   90               NOP
000559E0   90               NOP
000559E1   90               NOP
000559E2   50               PUSH EAX
000559E3   6A 1F            PUSH 1F
000559E5   56               PUSH ESI
000559E6   E8 C5200200      CALL 00077AB0
000559EB   5E               POP ESI
000559EC   C2 0400          RETN 4

And the CALL:

Code: Select all

00090133   3E:8D0485 000000>LEA EAX,DWORD PTR DS:[EAX*4]
0009013B   99               CDQ
0009013C   2BC2             SUB EAX,EDX
0009013E   52               PUSH EDX
0009013F   55               PUSH EBP
00090140   66:BA 0000       MOV DX,0
00090144   66:BB 0300       MOV BX,3
00090148   66:F7F3          DIV BX
0009014B   5B               POP EBX
0009014C   5A               POP EDX
0009014D   C3               RETN

[devurandom]

I'd recommend doing the JMP patch instead of CALL patch in this case, for simpler stack management.

Armor has a different code than weapons, its why ethereal Armor can get bugged and weapons do not.. You'd have to find the code that handles weapons. Maybe Necrolis or Kingpin will chime in with an offset for that.

Edit:

I think I found it:

Search D2Common for all command sequences like this

Code: Select all

LEA EAX,[EAX*2+EAX]
CDQ
SUB EAX,EDX
SAR EAX,1
PUSH EAX
PUSH 15

Code: Select all

LEA EAX,[EAX*2+EAX]
CDQ
SUB EAX,EDX
SAR EAX,1
PUSH EAX
PUSH 16

One sets the stats for min damage at 150%, the other sets stats for max damage at 150%.
There are 2 instances of each that hit breakpoints in D2Common, when socketing eth weapons.

[PureRage]

Thank you sir, I quickly skimmed the file and found those sections. I should be able to get everything in working order now thanks to your assistance!

[devurandom]

Thanks for sharing the offsets, I don't have to go digging for them now.

The code is not elegant, its just quick an dirty fix, but I don't think there's any items in the game that need larger than word size register for defense, so it should work ok.