Some code of the key combinations for the AIs

[Boop]

Wow, you're analysis of freeze is a lot more in-depth than my davis one.

cmp dword ptr ss:[esp+28],0E - I tried figuring out what esp+28 is... I have no clue.

John ball:
I saw that too, very strange... I have no idea what it does .

[genevrier]

cmp dword ptr ss:[esp+28],0E
To this, sadly I was wrong...

esp+28 should be the value pushed in here,

Spoiler (Click to View)

0040AD4A |> \8B4424 34 mov eax,dword ptr ss:[esp+34]
0040AD4E |. 8B4C24 38 mov ecx,dword ptr ss:[esp+38]
0040AD52 |. 8B5424 30 mov edx,dword ptr ss:[esp+30]
0040AD56 |. 50 push eax
0040AD57 |. 8B4424 14 mov eax,dword ptr ss:[esp+14]
0040AD5B |. 51 push ecx
0040AD5C |. 52 push edx
0040AD5D |. 53 push ebx
0040AD5E |. 50 push eax
0040AD5F |. 57 push edi
0040AD60 |. 55 push ebp
0040AD61 |. 8BCE mov ecx,esi
0040AD63 |. E8 D88CFFFF call 00403A40

that is, certainly the edi pushed in the address 0040AD5F...

[Boop]

Actually, it is :
Stack SS:[0012F29C]

If you set a breakpoint in olly you can see what ESP+28 evaluates too. I figured out what it does now... It checks what state you are in.

004049A7 >|. 837C24 28 0D CMP DWORD PTR SS:[ESP+28],0D ; Checks if target is frozen

00404A05 >|> 837C24 28 0E CMP DWORD PTR SS:[ESP+28],0E ; Checks if target is lying down.

It kinda makes sense even . Because if you are lying down, then the ai doesn't do the tornado!

[genevrier]

Great work! + fra.txt updated

A question:
Does it means I can stop the program at breakpoints by OllyDbg?

[Boop]

Yes, If you double click the the "hex" part of the line ( it goes Address | HEX | ASM ), the line will become red. When the lf2 reaches that line it will "break" (a.k.a stop). Then it will show you the value of all the registers on the right side.

[genevrier]

mov edx,dword ptr ds:[esi+ebp*4+194]
mov edx,dword ptr ds:[edx+18]

After some testing, I suggest this edx+18 should be the z position. With the produres testing edx+18 deleted, the character perform attacks without concern of z position.
In general, the AIs just don't care about the y position. (I made a character and made him flew upon the sky once. The bandit just stand on his shadow and keep attacking... )

As a pattern, '+10' is the x position and '+18' is the z position, so I guess '+14' would be the y position

=========================================================================

Code:

004049F2  |. |68 FA000000   push 0FA
004049F7  |. |6A 59         push 59
004049F9  |. |E8 92270100   call 00417190 ;Dark box #2
004049FE  |. |83C4 08       add esp,8
00404A01  |. |85C0          test eax,eax                ; a check decides using Icicle (go to c) or not (go to b)

This lines is just so buggy, it always crash the exe after some editing of an AI. (So I marked ';' to ignore this few lines...)

[Boop]

Yeah, +14 is the Y position. Sorry, it's my mistake... When I was commenting the code I got mixed up with Y and Z :p.

Anyway, here are a few of the missing mov commands and what they do:

mov byte ptr [R+CD],1 = Up
mov byte ptr [R+CE],1 = Down
mov byte ptr [R+CF],1 = Left
mov byte ptr [R+D0],1 = Right

mov byte ptr [R+D1],1 = Attack
mov byte ptr [R+D2],1 = Jump
mov byte ptr [R+D3],1 = Defend

I'm not sure about the rest.


That is where lf2 calls the AI. If you replace the JNZ with a JMP, the AI will do nothing.

ASM-Code: 00419E88 |. 3999 F8060000 |CMP DWORD PTR DS:[ECX+6F8],EBX ;checks object type(from my testing EBX is always 0) 00419E8E |. 75 0B |JNZ SHORT lf2.00419E9B ; jump if incorrect type (if its not a character) 00419E90 55 |PUSH EBP ; /Arg2 00419E91 56 |PUSH ESI ; |Arg1 00419E92 8BCA |MOV ECX,EDX ; | 00419E94 |. E8 27F6FEFF |CALL lf2.004094C0 ; \lf2.004094C0

The AI code is pretty long, and it has sub procedures which make it even longer. I think fully documenting it will be a lot of work :p.

Anyway, I quickly made an AI controller(mostly for fun and to test that all the addresses are right):


Download: http://www.mediafire.com/?akmkwjnnzjn

Only tested on lf2.exe 2.0 original (i don't know if it works with no num lock version). Plus, the computer character has to be player 1 or it won't work :p.

[genevrier]

It is funny, I have tried to control player 1 character in demo...
[the computer character has to be player 1 or it won't work move] XD
That in stage mode or survival it can make all computer stop. (also in demo)

As I see, computer keeps doing the action (example: move, attack and defense) when I press the 'patch' button. It seems the same phenomenon as if someone tab the windows while a character is in human controlling.

Perhaps what in this thread is possible now (by an external key controller) (joking
http://www.lf-empire.de/forum/showthread.php?tid=1638

That is where lf2 calls the AI. If you replace the JNZ with a JMP, the AI will do nothing.

Does it means in somewhere around there I can make a human player be controlled by the AI?

[Boop]

  lf2 controls.rar (Size: 520 bytes / Downloads: 86)

I uploaded a cheat engine( http://cheatengine.org/downloads.php ) table with most of the values incase someone is interested :D.

I now understand more addresses:

R+C8 = "holding" left
R+C9 = "holding" right
R+Ca = "holding" attack
R+Cb = "holding" jump
R+CC = "holding" defence

Normally if you put a 1 in "walk left", the ai will start running(the ai controller program writes a 1 then quickly writes a 0 to give an illusion of button pressing :p). But if there is a 1 in R+C8 he will walk, which makes me believe it fakes as if you are "hodling" the button down.

With attack, if you put 1 then he will punch constantly. But if you put a 1 into R+CA he won't punch.

I don't know if that is very clear or not, but it is the best explanation I can give(mostly because I don't fully understand it my self).

Does it means in somewhere around there I can make a human player be controlled by the AI?

I think all the code above that deals with the player input.

ASM-Code: 00419C13 . 80BA 78534500 >CMP BYTE PTR DS:[EDX+455378],64 ; check if up is pressed 00419C1A . 75 14 JNZ SHORT lf2.00419C30 00419C1C . 8B10 MOV EDX,DWORD PTR DS:[EAX] 00419C1E . C682 CD000000 >MOV BYTE PTR DS:[EDX+CD],1 00419C25 . 391D 800B4500 CMP DWORD PTR DS:[450B80],EBX 00419C2B . 74 03 JE SHORT lf2.00419C30 00419C2D . 8009 80 OR BYTE PTR DS:[ECX],80 00419C30 > 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8] 00419C33 . 80BA 78534500 >CMP BYTE PTR DS:[EDX+455378],64 ; check if down is pressed

Quick extract. I see that it also uses R+X system. Which means it is possible to control a human character with an external program :p.

[genevrier]

I see R+80 in making the state 85 and 86. It is also in the R+X system
It is the facing direction of the character, with: 0 = Right and 1 = Left.