Neverwinter Nights 2 - Skill Points
  • Neverwinter Nights 2 - Skill Points

    Well, I have a little problem with Neverwinter Nights 2. I can't level up my main character because when the game shows the skills screen, the "Next" button to proceed with the level-up is disabled, because all my skills are set to 99, and the only way to make the button work is to set the skill points to 0.
    If I try to add more points to any skill, it's futile. But if I press the Recommended button, the skill points decrease by 8. But it isn't enough. There are 60 skill points left, and the Next button is disabled.
    So I searched with Tsearch for the part of the game's code that subtracts from my skill points when I press the Recommended button:
    Code:
    0081fa3a    297E5C                          sub [esi+0x5C],edi
    0081fa3d    837C242C00                      cmp dword ptr [esp+0x2C],0x0
    0081fa42    748C                            je short 0x0081F9D0
    0081fa44    8B7C242C                        mov edi,[esp+0x2C]
    0081fa48    53                              push ebx
    0081fa49    8BCF                            mov ecx,edi
    0081fa4b    E890950100                      call 0x00838FE0
    0081fa50    0401                            add al,0x1
    0081fa52    8BCF                            mov ecx,edi
    0081fa54    50                              push eax
    0081fa55    53                              push ebx
    Tsearch stopped at the sub at 0081fa3a. I need to hack that sub so that instead of subtracting 8 it sets the skill points to 0. I tried a lot of replacements for that sub, but no luck. The game crashes or simply subtracts 8 from my skill points.

    Can anyone, please, tell me how I can set the skill points to 0 every time I press the Recommended button?

    Thanks in advance!!!

    Whipon.

  • #2
    change 0081fa3a to mov [esi+0x5C], 0

    should do the trick; if not, you're going to need to post more of the code and some debug info if possible



    • #3
      Thank you very much. I'll try it right now ______!!!



      • #4
        Well, here's all the debug info Tsearch outputs after the breakpoint:
        Code:
        0081fa3a    297E5C                          sub [esi+0x5C],edi
        0081fa3d    837C242C00                      cmp dword ptr [esp+0x2C],0x0
        0081fa42    748C                            je short 0x0081F9D0
        0081fa44    8B7C242C                        mov edi,[esp+0x2C]
        0081fa48    53                              push ebx
        0081fa49    8BCF                            mov ecx,edi
        0081fa4b    E890950100                      call 0x00838FE0
        0081fa50    0401                            add al,0x1
        0081fa52    8BCF                            mov ecx,edi
        0081fa54    50                              push eax
        0081fa55    53                              push ebx
        0081fa56    E8B5950100                      call 0x00839010
        0081fa5b    E970FFFFFF                      jmp 0x0081F9D0
        0081fa60    8B442414                        mov eax,[esp+0x14]
        0081fa64    33FF                            xor edi,edi
        0081fa66    83C001                          add eax,0x1
        0081fa69    66397E5C                        cmp [esi+0x5C],di
        0081fa6d    89442414                        mov [esp+0x14],eax
        0081fa71    0F8529FFFFFF                    jnz 0x0081F9A0
        0081fa77    5D                              pop ebp
        0081fa78    5B                              pop ebx
        0081fa79    8B442410                        mov eax,[esp+0x10]
        0081fa7d    3BC7                            cmp eax,edi
        0081fa7f    5F                              pop edi
        0081fa80    5E                              pop esi
        0081fa81    740A                            je short 0x0081FA8D
        0081fa83    50                              push eax
        0081fa84    FF15A4858C00                    call [0x8C85A4]
        0081fa8a    83C404                          add esp,0x4
        0081fa8d    83C414                          add esp,0x14
        0081fa90    C20800                          retn 0x8
        0081fa93    CC                              int3
        0081fa94    CC                              int3
        0081fa95    CC                              int3
        0081fa96    CC                              int3
        0081fa97    CC                              int3
        0081fa98    CC                              int3
        0081fa99    CC                              int3
        0081fa9a    CC                              int3
        0081fa9b    CC                              int3
        0081fa9c    CC                              int3
        0081fa9d    CC                              int3
        0081fa9e    CC                              int3
        0081fa9f    CC                              int3
        0081faa0    51                              push ecx
        0081faa1    53                              push ebx
        0081faa2    8B5C240C                        mov ebx,[esp+0xC]
        0081faa6    56                              push esi
        0081faa7    8BF1                            mov esi,ecx
        0081faa9    3A5E14                          cmp bl,[esi+0x14]
        Please forgive my lack of experience, but I couldn't find a simple way of converting the instruction you gave me (mov [esi+0x5C], 0) to hex. I tried disassembling some exes to look for similar instructions, but no luck.

        Is there any program that converts asm code to hex? I need the instruction in hex so I can poke it in Tsearch.
        Thanks a lot for your info n_n.

        Whipon.



        • #5
          Use a decent cheat engine; it's called Cheat Engine. It has a proper memory viewer where you can disassemble instructions.



          • #6
            Right, sorry for the double post, but that instruction I posted won't work; you'll need to write a subroutine. Well, I'll write one for you and you can inject it into the game using Cheat Engine's "auto assembler script" feature.

            Create an auto assembler script, select Template, and then click "Code injection"; put in the address of the sub instruction.

            Now, in the part that is labelled as your code (newmem), place this bit of code.

            Code:
            mov dword ptr [esi+5C],0   // store 0 where the game subtracted; 32-bit, same width as the original sub
            // the template copies the displaced sub [esi+5C],edi and the cmp after it into
            // its originalcode block: delete the sub line there, or the 0 gets 8 subtracted from it again

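Added example, not code from the thread. The question in #4 (how to turn an instruction into bytes) and the fix in #6 (why the one-liner from #2 will not work and a cave is needed) are the same problem: the poked bytes must be a correct encoding and must fit in the slot. The script below hand-assembles the five x86-32 instruction forms involved, checks its output against the hex in the posted listing, and lays out the jmp-plus-cave patch in the same shape Cheat Engine's code-injection template generates. The addresses 0x0081FA3A and 0x0081FA42 come from the disassembly above; CAVE_ADDR is an assumed free executable address standing in for wherever the tool allocates the cave.

```python
"""Hand-assemble the x86-32 instructions behind the skill-point patch and
lay out a trampoline + code cave for it.  Added example, not code from the
thread; HOOK_ADDR/NEXT_ADDR come from the posted listing, CAVE_ADDR is an
assumed free executable address."""
import struct

# Register numbers used in the ModR/M reg and r/m fields.
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
       "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def modrm_disp8(reg_field: int, base: str, disp8: int) -> bytes:
    """ModR/M with mod=01 ([base+disp8]); [esp+...] needs a SIB byte (0x24)."""
    out = bytes([(0b01 << 6) | (reg_field << 3) | REG[base]])
    if base == "esp":
        out += b"\x24"
    return out + struct.pack("<b", disp8)


def sub_mem_reg(base: str, disp8: int, src: str) -> bytes:
    """SUB r/m32, r32  ->  29 /r"""
    return b"\x29" + modrm_disp8(REG[src], base, disp8)


def cmp_mem_imm8(base: str, disp8: int, imm8: int) -> bytes:
    """CMP r/m32, imm8  ->  83 /7 ib"""
    return b"\x83" + modrm_disp8(7, base, disp8) + struct.pack("<b", imm8)


def mov_mem_imm32(base: str, disp8: int, imm32: int) -> bytes:
    """MOV r/m32, imm32  ->  C7 /0 id"""
    return b"\xC7" + modrm_disp8(0, base, disp8) + struct.pack("<I", imm32)


def jmp_rel32(src: int, dst: int) -> bytes:
    """JMP rel32  ->  E9 cd; rel is measured from the end of the 5-byte jmp."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def jmp_target(code: bytes, at: int) -> int:
    """Inverse of jmp_rel32: where does the E9 jmp located at `at` land?"""
    if code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    return at + 5 + struct.unpack("<i", code[1:5])[0]


NOP = b"\x90"
HOOK_ADDR = 0x0081FA3A   # sub [esi+0x5C],edi   (3 bytes, from the listing)
NEXT_ADDR = 0x0081FA42   # je short 0x0081F9D0  (first instruction left untouched)
CAVE_ADDR = 0x00A00000   # ASSUMPTION: free executable memory in the game process

ORIG_SUB = sub_mem_reg("esi", 0x5C, "edi")   # 29 7E 5C        (matches the listing)
ORIG_CMP = cmp_mem_imm8("esp", 0x2C, 0)      # 83 7C 24 2C 00  (matches the listing)
NEW_MOV = mov_mem_imm32("esi", 0x5C, 0)      # C7 46 5C 00 00 00 00


def direct_patch_fits() -> bool:
    """Can the mov simply overwrite the sub in place?  No: 7 bytes into a
    3-byte slot would clobber the cmp that follows it."""
    return len(NEW_MOV) <= len(ORIG_SUB)


def build_trampoline() -> bytes:
    """Bytes written at HOOK_ADDR: jmp cave, padded with nops so that only
    whole instructions (sub + cmp = 8 bytes) are displaced."""
    slot = NEXT_ADDR - HOOK_ADDR
    jmp = jmp_rel32(HOOK_ADDR, CAVE_ADDR)
    return jmp + NOP * (slot - len(jmp))


def build_cave() -> bytes:
    """Cave body: store 0 instead of subtracting, re-execute the displaced
    cmp unchanged, then jump back to NEXT_ADDR."""
    body = NEW_MOV + ORIG_CMP
    return body + jmp_rel32(CAVE_ADDR + len(body), NEXT_ADDR)


if __name__ == "__main__":
    print("original  :", ORIG_SUB.hex(), ORIG_CMP.hex())
    print("in-place mov fits:", direct_patch_fits())
    print(f"{HOOK_ADDR:08x}:", build_trampoline().hex())
    print(f"{CAVE_ADDR:08x}:", build_cave().hex())
```

Two things the script makes visible that the thread only hints at. First, `mov dword ptr [esi+0x5C],0` is seven bytes while the `sub` it replaces is three, so poking it at 0081fa3a would overwrite the first half of `cmp dword ptr [esp+0x2C],0x0`, which is the crash the original poster saw with "a lot of replacements". The trampoline therefore covers both instructions (eight bytes: a five-byte `jmp` plus three `nop`s) and the cave re-executes the displaced `cmp` before jumping back to 0081fa42, so the flags that the `je` at 0081fa42 tests are still set by the game's own compare. Second, the original `sub` is a 32-bit operation while the later `cmp [esi+0x5C],di` at 0081fa69 reads the same field as 16 bits; a dword store of zero satisfies both, but which width the game really uses for the field is something to confirm in the debugger before relying on it.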


            • #7
              Thanks n____n

              Thank you very much. I've heard of Cheat Engine. I think I must give it a try.



              • #8
                Did this work at all?



                • #9
                  Sorry

                  Sorry, I couldn't try it yet. Tonight I'll do it and I'll post the results here. Thank you very much for your help .
