Project Fusion

[Boop]

I'm trying to figure out fusion, and since hex editing is becoming a popular topic I thought I'd share what I know to maybe get some help .

0040238D 83F9 07 CMP ECX,7
00402390 |. 74 09 |JE SHORT lf2.0040239B
00402392 83F9 08 CMP ECX,8
00402395 |. 0F85 08030000 |JNZ lf2.004026A3

That is just the first initial check. If we change the ID's from 7-8 to 1-2, it doesnt mean that deep and john could fuse and create frizen. I'm still looking in to it. Help would be great, thanks .

Edit:
004023B8 |. 83BCD5 AC07000>|CMP DWORD PTR SS:[EBP+EDX*8+7AC],2
004023C0 |. 0F85 DD020000 |JNZ lf2.004026A3

That checks to see if they are in state 2.

[xxtomnyxx]

I'm trying to test the number.
Just like you said, ''If we change the ID's from 7-8 to 1-2, it doesnt mean that deep and john could fuse and create frizen.''
But I found that if we change that number, Firen and Freeze couldn't fusion any more.
I think it means threr have another part, or parts, works to confirm if they are ID 7, 8 or not.
Still working on it.

---

I got it!!

0040238D 83F9 07 |cmp ecx,7→→→→→ID x
00402390 |. 74 09 |je short lf2.0040239B
00402392 83F9 08 |cmp ecx,8→→→→→ID y
00402395 |. 0F85 08030000 |jnz lf2.004026A3
0040239B |> 8B88 FC020000 |mov ecx,dword ptr ds:[eax+2FC]
004023A1 |. 3BCB |cmp ecx,ebx
004023A3 |. 894C24 18 |mov dword ptr ss:[esp+18],ecx
004023A7 |. 0F8E F6020000 |jle lf2.004026A3
004023AD |. 8B48 70 |mov ecx,dword ptr ds:[eax+70]
004023B0 |. 8D1449 |lea edx,dword ptr ds:[ecx+ecx*2]
004023B3 |. C1E2 04 |shl edx,4
004023B6 |. 2BD1 |sub edx,ecx
004023B8 |. 83BCD5 AC070000 02 |cmp dword ptr ss:[ebp+edx*8+7AC],2
004023C0 |. 0F85 DD020000 |jnz lf2.004026A3
004023C6 |. 3998 38030000 |cmp dword ptr ds:[eax+338],ebx
004023CC |. 0F85 D1020000 |jnz lf2.004026A3
004023D2 817C24 18 B1000000 cmp dword ptr ss:[esp+18],0B1→→→→→HP has to be lower than 177(0B1)
004023DA |. 7C 0D |jl short lf2.004023E9
004023DC |. 833D 24F24400 01 |cmp dword ptr ds:[44F224],1
004023E3 |. 0F85 BA020000 |jnz lf2.004026A3
004023E9 |> 33C0 |xor eax,eax
004023EB |. 8DAF 94010000 |lea ebp,dword ptr ds:[edi+194]
004023F1 |. 894424 10 |mov dword ptr ss:[esp+10],eax
004023F5 |> 807C07 04 01 |/cmp byte ptr ds:[edi+eax+4],1
004023FA |. 0F85 89020000 ||jnz lf2.00402689
00402400 |. 8B06 ||mov eax,dword ptr ds:[esi]
00402402 |. 8B4D 00 ||mov ecx,dword ptr ss:[ebp]
00402405 BA 0F000000 ||mov edx,0F→→→→→→→ID x + ID y
0040240A |. 8B80 68030000 ||mov eax,dword ptr ds:[eax+368]
00402410 |. 2B90 F4060000 ||sub edx,dword ptr ds:[eax+6F4]
00402416 |. 8B81 68030000 ||mov eax,dword ptr ds:[ecx+368]
0040241C |. 3990 F4060000 ||cmp dword ptr ds:[eax+6F4],edx
00402422 |. 0F85 61020000 ||jnz lf2.00402689
00402428 |. 8B81 FC020000 ||mov eax,dword ptr ds:[ecx+2FC]
0040242E |. 3BC3 ||cmp eax,ebx
00402430 |. 0F8E 53020000 ||jle lf2.00402689
00402436 |. 8B16 ||mov edx,dword ptr ds:[esi]
00402438 |. 8B92 64030000 ||mov edx,dword ptr ds:[edx+364]
0040243E |. 3B91 64030000 ||cmp edx,dword ptr ds:[ecx+364]
00402444 |. 0F85 3F020000 ||jnz lf2.00402689
0040244A |. 3999 38030000 ||cmp dword ptr ds:[ecx+338],ebx
00402450 |. 0F85 33020000 ||jnz lf2.00402689
00402456 3D B1000000 ||cmp eax,0B1→→→→→HP has to be lower than 177(0B1)
0040245B |. 7C 0D ||jl short lf2.0040246A
0040245D |. 833D 24F24400 01 ||cmp dword ptr ds:[44F224],1
00402464 |. 0F85 1F020000 ||jnz lf2.00402689


The red part is what we looked over.

My other notice:

1. They fuse to which ID

00402535 |> 8B12 ||/mov edx,dword ptr ds:[edx]
00402537 |. 83BA F4060000 33 |||cmp dword ptr ds:[edx+6F4],33
0040253E |. 74 19 |||je short lf2.00402559




2. Go to which frame after fusion.

004025BF |> 8B16 ||mov edx,dword ptr ds:[esi]
004025C1 |. C742 70 22010000 ||mov dword ptr ds:[edx+70],122
004025C8 |. 8B06 ||mov eax,dword ptr ds:[esi]



3. How long will they keep fusing.(The unit of time is ''wait''. You have to transform it into decimal. 30 waits is about one second.)

00402629 |. 8B16 ||mov edx,dword ptr ds:[esi]
0040262B |. C782 38030000 94110000 ||mov dword ptr ds:[edx+338],1194
00402635 |. 8B06 ||mov eax,dword ptr ds:[esi]




4. If this number isn't the same as the ID they fuse to, they would never separate after they fused.

004026B4 |. 8B90 68030000 |mov edx,dword ptr ds:[eax+368]
004026BA |. 83BA F4060000 33 |cmp dword ptr ds:[edx+6F4],33
004026C1 |. 0F85 0F050000 |jnz lf2.00402BD6

[Boop]

00402535 |> 8B12 ||/MOV EDX,DWORD PTR DS:[EDX]
00402537 83BA F4060000 >CMP DWORD PTR DS:[EDX+6F4],33 << ID 51, the ID you want to transform into.
0040253E |. 74 19 |||JE SHORT lf2.00402559
00402540 |. 8B5424 18 |||MOV EDX,DWORD PTR SS:[ESP+18]
00402544 |. 40 |||INC EAX
00402545 |. 83C2 04 |||ADD EDX,4
00402548 |. 3BC1 |||CMP EAX,ECX
0040254A |. 895424 18 |||MOV DWORD PTR SS:[ESP+18],EDX
0040254E |.^7C E5 ||\JL SHORT lf2.00402535



004026A3 |> 8B4C24 14 |MOV ECX,DWORD PTR SS:[ESP+14]
004026A7 |. 807C0F 04 01 |CMP BYTE PTR DS:[EDI+ECX+4],1
004026AC |. 0F85 24050000 |JNZ lf2.00402BD6
004026B2 |. 8B06 |MOV EAX,DWORD PTR DS:[ESI]
004026B4 |. 8B90 68030000 |MOV EDX,DWORD PTR DS:[EAX+368]
004026BA 83BA F4060000 >CMP DWORD PTR DS:[EDX+6F4],33 << ID 51 is mentioned again.
004026C1 |. 0F85 0F050000 |JNZ lf2.00402BD6
004026C7 |. 83B8 28030000 >|CMP DWORD PTR DS:[EAX+328],1
004026CE |. 0F85 02050000 |JNZ lf2.00402BD6

Not sure what it's point is. My guess is, it has something to do with what happens after you transform.


Edit: Lol, posting at the same time

[xxtomnyxx]

Here is my alteration.

0040238D　　　cmp ecx,7→→→→→→→→→→→→→→→→→→→→→cmp ecx,0 (template)
00402392　　　cmp ecx,8→→→→→→→→→→→→→→→→→→→→→cmp ecx,6 (Louis)
00402405　　　mov edx,0F(7+8=15)→→→→→→→→→→→→→→→→mov edx,6(0+6=6)
00402537　　　cmp dword ptr ds:[edx+6F4],33(Firzen)→→→→→→→cmp dword ptr ds:[edx+6F4],32 (LouisEX)
004025C1　　　mov dword ptr ds:[edx+70],122(frame 290)→→→→→0F0(frame 240)
0040262B　　　mov dword ptr ds:[edx+338],1194(4500 waits)→→→96(150 waits)
004026BA　　　cmp dword ptr ds:[edx+6F4],33(Firzen)→→→→→→→cmp dword ptr ds:[edx+6F4],32 (LouisEX)

If the red number isn't 32, you could never separate back to template and Louis after you fuse to LouisEX.

[Marshall]

very cool stuff, tomny

[manxeater]

supercool!

YEA!

hail tomny!

+reputation(you probably are the fastest one to gain such reputation)

+thank(applies to thanks too)

there you go

[Silverthorn]

great job, tomny!

Seriously, Silva, you're getting a competitor :P

[xxtomnyxx]

Well, I won't regard Silva as a competitor.
I would regard him as a friend or a person I can learn from.


I was actually just kidding but it's great that there two active HEX-guys in the forums ~Blue