  1. #1
    Join Date
    Oct 2006
    Posts
    763

    Thumbs down Neverwinter Nights 2 - Skill Points

    Well, I have a little problem with Neverwinter Nights 2. I can't level up my main character because when the game shows the skills screen, the "Next" button to proceed with the level-up is disabled, because all my skills are set to 99 and the only way to make the button work is to set the skill points to 0.
    If I try to add more points to any skill, it's futile. But if I press the Recommended button, the skill points decrease by 8. But it isn't enough. There are 60 skill points left, and the Next button is disabled.
    So I searched with Tsearch for the part of the game's code that subtracts from my skill points when I press the Recommended button:
    Code:
    0081fa3a    297E5C                          sub [esi+0x5C],edi
    0081fa3d    837C242C00                      cmp dword ptr [esp+0x2C],0x0
    0081fa42    748C                            je short 0x0081F9D0
    0081fa44    8B7C242C                        mov edi,[esp+0x2C]
    0081fa48    53                              push ebx
    0081fa49    8BCF                            mov ecx,edi
    0081fa4b    E890950100                      call 0x00838FE0
    0081fa50    0401                            add al,0x1
    0081fa52    8BCF                            mov ecx,edi
    0081fa54    50                              push eax
    0081fa55    53                              push ebx
    Tsearch stopped at the sub at 0081fa3a. I need to hack that sub so that instead of subtracting 8 it sets the skill points to 0. I tried a lot of replacements for that sub, but no luck. The game crashes or simply subtracts 8 from my skill points.

    Can anyone, please, tell me how I can set the skill points to 0 every time I press the Recommended button?

    Thanks in advance!!!

    Whipon.

  2. #2
    Join Date
    Oct 2006
    Posts
    97

    Default

    change 0081fa3a to mov [esi+0x5C], 0

    should do the trick; if not, you're going to need to post more of the code and some debug info if possible

  3. #3
    Join Date
    Oct 2006
    Posts
    763

    Wink

    Thank you very much. I'll try it right now ______!!!

  4. #4
    Join Date
    Oct 2006
    Posts
    763

    Thumbs down

    Well, here's all the debug info Tsearch outputs after the breakpoint:
    Code:
    0081fa3a    297E5C                          sub [esi+0x5C],edi
    0081fa3d    837C242C00                      cmp dword ptr [esp+0x2C],0x0
    0081fa42    748C                            je short 0x0081F9D0
    0081fa44    8B7C242C                        mov edi,[esp+0x2C]
    0081fa48    53                              push ebx
    0081fa49    8BCF                            mov ecx,edi
    0081fa4b    E890950100                      call 0x00838FE0
    0081fa50    0401                            add al,0x1
    0081fa52    8BCF                            mov ecx,edi
    0081fa54    50                              push eax
    0081fa55    53                              push ebx
    0081fa56    E8B5950100                      call 0x00839010
    0081fa5b    E970FFFFFF                      jmp 0x0081F9D0
    0081fa60    8B442414                        mov eax,[esp+0x14]
    0081fa64    33FF                            xor edi,edi
    0081fa66    83C001                          add eax,0x1
    0081fa69    66397E5C                        cmp [esi+0x5C],di
    0081fa6d    89442414                        mov [esp+0x14],eax
    0081fa71    0F8529FFFFFF                    jnz 0x0081F9A0
    0081fa77    5D                              pop ebp
    0081fa78    5B                              pop ebx
    0081fa79    8B442410                        mov eax,[esp+0x10]
    0081fa7d    3BC7                            cmp eax,edi
    0081fa7f    5F                              pop edi
    0081fa80    5E                              pop esi
    0081fa81    740A                            je short 0x0081FA8D
    0081fa83    50                              push eax
    0081fa84    FF15A4858C00                    call [0x8C85A4]
    0081fa8a    83C404                          add esp,0x4
    0081fa8d    83C414                          add esp,0x14
    0081fa90    C20800                          retn 0x8
    0081fa93    CC                              int3
    0081fa94    CC                              int3
    0081fa95    CC                              int3
    0081fa96    CC                              int3
    0081fa97    CC                              int3
    0081fa98    CC                              int3
    0081fa99    CC                              int3
    0081fa9a    CC                              int3
    0081fa9b    CC                              int3
    0081fa9c    CC                              int3
    0081fa9d    CC                              int3
    0081fa9e    CC                              int3
    0081fa9f    CC                              int3
    0081faa0    51                              push ecx
    0081faa1    53                              push ebx
    0081faa2    8B5C240C                        mov ebx,[esp+0xC]
    0081faa6    56                              push esi
    0081faa7    8BF1                            mov esi,ecx
    0081faa9    3A5E14                          cmp bl,[esi+0x14]
    Please, forgive my lack of experience, but I couldn't find a simple way of converting the instruction you gave me (mov [esi+0x5C], 0) to hex. I tried disassembling some exes to look for similar instructions but no luck.

    Is there any program that converts asm code to hex? I need the instruction in hex so I can poke it in Tsearch.
    Thanks a lot for your info n_n.

    Whipon.

  5. #5
    Join Date
    Oct 2006
    Posts
    97

    Default

    use a decent cheat engine; it's called Cheat Engine. It has a proper memory viewer where you can disassemble instructions

  6. #6
    Join Date
    Oct 2006
    Posts
    97

    Default

    right, sorry for the double post, but that instruction I posted won't work; you'll need to write a subroutine. Well, I'll write one for you and you can inject it into the game using Cheat Engine's "auto assembler script" feature

    create an auto assembler script, select template, and then click "code injection", put in the address of the sub instruction.

    now in the part where it is labelled as your code (newmem) place this bit of code.

    Code:
    push ebx
    mov ebx, [esi+5c]
    mov ebx, 0 //this may need to be changed to mov [ebx], 0  I'm not sure
    pop ebx
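
    Post #4 asks how to turn an instruction into bytes and post #6 says the one-line replacement from post #2 won't work. As an added example (not code from the thread), the small Python encoder below uses the standard x86-32 ModRM encoding for the `[reg+disp8]` instructions in the listing and checks whether a replacement fits the 3-byte slot of the original `sub`; the register table and helper names are mine.

```python
import struct

# x86-32 register numbers used in the ModRM reg/rm fields (standard encoding).
REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
         "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def modrm_disp8(reg_field: int, base: str, disp: int) -> bytes:
    """ModRM byte plus disp8 for a [base+disp8] operand (mod=01).

    reg_field is either a source register number or the /digit opcode
    extension. [esp+disp8] would need a SIB byte, so it is refused here.
    """
    if base == "esp":
        raise ValueError("[esp+disp8] needs a SIB byte; not handled")
    if not -128 <= disp <= 127:
        raise ValueError("displacement does not fit in disp8")
    modrm = (0b01 << 6) | ((reg_field & 7) << 3) | REG32[base]
    return bytes([modrm, disp & 0xFF])


def enc_sub_mem_reg(base: str, disp: int, src: str) -> bytes:
    """sub dword ptr [base+disp8], src   -> opcode 29 /r"""
    return b"\x29" + modrm_disp8(REG32[src], base, disp)


def enc_cmp_mem16_reg(base: str, disp: int, src: str) -> bytes:
    """cmp word ptr [base+disp8], src16  -> 66 39 /r (operand-size prefix)"""
    return b"\x66\x39" + modrm_disp8(REG32[src], base, disp)


def enc_mov_mem_imm32(base: str, disp: int, imm: int) -> bytes:
    """mov dword ptr [base+disp8], imm32 -> opcode C7 /0 id"""
    return b"\xC7" + modrm_disp8(0, base, disp) + struct.pack("<I", imm & 0xFFFFFFFF)


def fits_in_place(original: bytes, replacement: bytes) -> bool:
    """An in-place patch must not be longer than the instruction it overwrites,
    or it clobbers the next instruction (here the cmp at 0081fa3d)."""
    return len(replacement) <= len(original)


if __name__ == "__main__":
    original = enc_sub_mem_reg("esi", 0x5C, "edi")   # listing shows 29 7E 5C
    patch = enc_mov_mem_imm32("esi", 0x5C, 0)         # C7 46 5C 00 00 00 00
    print(original.hex().upper(), patch.hex().upper(), fits_in_place(original, patch))
```

    The mov is 7 bytes against the sub's 3, which is why a plain byte poke cannot hold it and post #6 moves to Cheat Engine's code-injection template, which jumps out to a separate buffer.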

  7. #7
    Join Date
    Oct 2006
    Posts
    763

    Smile Thanks n____n

    Thank you very much. I've heard of Cheat Engine. I think I must give it a try.

  8. #8
    Join Date
    Oct 2006
    Posts
    97

    Default

    did this work at all?

  9. #9
    Join Date
    Oct 2006
    Posts
    763

    Smile Sorry

    Sorry, I couldn't try it yet. Tonight I'll do it and I'll post the results here. Thank you very much for your help.
