Battle mode: troop limit change
#1
Hello I'm new here, but let's get started.

It's about the 10 and 30 limit of troops in Battle mode. I've read this thread and tried,

> http://www.lf-empire.de/forum/showthread.php?tid=2364

Using Cheat Engine I successfully (temporarily - I didn't patch it) removed the limit, and found some addresses. However, what I really want is to change it rather than remove it, since I don't want the numbers to ever reach 3 digits, or want to keep the convenient way to change the troop numbers back to 0, or whatever. Following the address and opening it with Olly, I see something close...

    ASM-Code:
0043958C   890C85 80D34400     MOV DWORD PTR DS:[EAX*4+44D380],ECX
00439593   890C85 741B4500     MOV DWORD PTR DS:[EAX*4+451B74],ECX
0043959A   75 16               JNZ SHORT lf2hexed.004395B2
0043959C   8BC8                MOV ECX,EAX
0043959E   0FAFCD              IMUL ECX,EBP
004395A1   03CF                ADD ECX,EDI
004395A3   8D0C8D F8D54400     LEA ECX,DWORD PTR DS:[ECX*4+44D5F8]
004395AA   8D72 09             LEA ESI,DWORD PTR DS:[EDX+9]
004395AD   E9 75000000         JMP lf2hexed.00439627
004395B2   83FA 02             CMP EDX,2
004395B5   75 13               JNZ SHORT lf2hexed.004395CA
004395B7   8BC8                MOV ECX,EAX
004395B9   0FAFCD              IMUL ECX,EBP
004395BC   03CF                ADD ECX,EDI
004395BE   8D0C8D 50D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D650]
004395C5   8D72 1C             LEA ESI,DWORD PTR DS:[EDX+1C]
004395C8   EB 5D               JMP SHORT lf2hexed.00439627
004395CA   83FA 03             CMP EDX,3
004395CD   75 26               JNZ SHORT lf2hexed.004395F5
004395CF   8BC8                MOV ECX,EAX
004395D1   0FAFCD              IMUL ECX,EBP
004395D4   83FF 04             CMP EDI,4
004395D7   7D 0E               JGE SHORT lf2hexed.004395E7
004395D9   03CF                ADD ECX,EDI
004395DB   8D0C8D 10D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D610]
004395E2   8D72 07             LEA ESI,DWORD PTR DS:[EDX+7]
004395E5   EB 40               JMP SHORT lf2hexed.00439627
004395E7   8D0C8D 20D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D620]
004395EE   BE 0A000000         MOV ESI,0A                <<<<<<<<<<<<<<<<
004395F3   EB 32               JMP SHORT lf2hexed.00439627
004395F5   83FA 04             CMP EDX,4
004395F8   75 25               JNZ SHORT lf2hexed.0043961F
004395FA   8BC8                MOV ECX,EAX
004395FC   0FAFCD              IMUL ECX,EBP
004395FF   3BFA                CMP EDI,EDX
00439601   7D 0E               JGE SHORT lf2hexed.00439611
00439603   03CF                ADD ECX,EDI
00439605   8D0C8D 68D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D668]
0043960C   8D72 1A             LEA ESI,DWORD PTR DS:[EDX+1A]
0043960F   EB 16               JMP SHORT lf2hexed.00439627
00439611   8D0C8D 78D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D678]
00439618   BE 1E000000         MOV ESI,1E                <<<<<<<<<<<<<<<<
0043961D   EB 08               JMP SHORT lf2hexed.00439627
0043961F   8B4C24 34           MOV ECX,DWORD PTR SS:[ESP+34]
00439623   8B7424 34           MOV ESI,DWORD PTR SS:[ESP+34]
00439627   85DB                TEST EBX,EBX
00439629   74 03               JE SHORT lf2hexed.0043962E
0043962B   8301 01             ADD DWORD PTR DS:[ECX],1
0043962E   833D BC134500 00    CMP DWORD PTR DS:[4513BC],0
00439635   74 12               JE SHORT lf2hexed.00439649
00439637   8301 05             ADD DWORD PTR DS:[ECX],5
0043963A   8B19                MOV EBX,DWORD PTR DS:[ECX]
0043963C   3BDE                CMP EBX,ESI
0043963E   7E 09               JLE SHORT lf2hexed.00439649
00439640   8D6E 05             LEA EBP,DWORD PTR DS:[ESI+5]
00439643   3BDD                CMP EBX,EBP
00439645   7D 02               JGE SHORT lf2hexed.00439649
00439647   8931                MOV DWORD PTR DS:[ECX],ESI    ;Set the value to maximum <- if D is pressed, in a condition that would make the final value exceed the maximum (eg. 26-29 reserves)
00439649   833D B8134500 00    CMP DWORD PTR DS:[4513B8],0
00439650   74 03               JE SHORT lf2hexed.00439655
00439652   8301 FF             ADD DWORD PTR DS:[ECX],-1
00439655   8B19                MOV EBX,DWORD PTR DS:[ECX]
00439657   85DB                TEST EBX,EBX
00439659   7D 04               JGE SHORT lf2hexed.0043965F
0043965B   8931                MOV DWORD PTR DS:[ECX],ESI    ;Set the value to maximum <- if J is pressed while the value is originally 0
0043965D   EB 0A               JMP SHORT lf2hexed.00439669
0043965F   3BDE                CMP EBX,ESI
00439661   7E 06               JLE SHORT lf2hexed.00439669
00439663   C701 00000000       MOV DWORD PTR DS:[ECX],0    ;Set the value to 0 <- if A or D is pressed while the value is already full
00439669   8B7424 18           MOV ESI,DWORD PTR SS:[ESP+18]
0043966D   3BFE                CMP EDI,ESI
0043966F   8BCF                MOV ECX,EDI
00439671   7E 02               JLE SHORT lf2hexed.00439675
(edit: copied more instructions into here)

I'd guess the two lines marked "<<<<", 4395EE and 439618, are what I'm looking for. Now I want 10/30 to be changed to 60/90, so I edit the two numbers to 3C and 5A. However, in executing this edited LF2, the limits are still 10/30. I don't know why, and this is the reason why I post here. Could anybody help checking it out please...?

P.S. I've tried to edit something other than that: line 43962B, 1 into 2, and then it worked, with 2 troops being added every time I press A, for all troops on the screen.




SOLVED


OK. Problem solved. Details below:

I don't know why exactly, but it worked.
There are 6 limits in total. 4 of them are for the 4 rows in the preparation screen, i.e. Bandits to Marks "In Screen" as Row 1, their Reserve as Row 2, Monks to milks (not beers!) "In Screen" as Row 3 and their Reserve as Row 4. The addresses of the 4 rows are 4395AA, 4395C5, 4395E2 and 43960C. Another 2 are... my originally marked lines... beers - the remaining, at 4395EE and 439618.
It's obvious how to edit the beer limits. Let's move on to the other boxes, the 4 Rows. The trickier part (just addition in fact...) is that they do not record the number directly, but add the value of EDX, which is 1, 2, 3 or 4 at the positions. To change the limits you basically just have to take care of this EDX too. For the "In Screen" limit referred to below, if I want it to be 99, I should actually note down 98 which is 62 in hex, and so on for the others.

A better organized view:

4395AA - Default: 9 (9) - "In Screen" limits subtracted by 1, for id: 30-34, 39 (Bandit, Hunter, Jack, Sorcerer, Justin, Mark)
4395C5 - Default: 1C (28) - Reserve limits subtracted by 2, for entities same as above
4395E2 - Default: 7 (7) - "In Screen" limits subtracted by 3, for id: 35-37, 122 (Monk, Jan, Knight, milk)
4395EE - Default: 0A (10) - "In Screen" limits, for id: 123 (beer)
43960C - Default: 1A (26) - Reserve limits subtracted by 4, for entities same as 4395E2
439618 - Default: 1E (30) - Reserve limits, for id: 123 (beer)

    ASM-Code:
00439589   83FA 01             CMP EDX,1      ;Where the "1" comes from. See below.
0043958C   890C85 80D34400     MOV DWORD PTR DS:[EAX*4+44D380],ECX
00439593   890C85 741B4500     MOV DWORD PTR DS:[EAX*4+451B74],ECX
0043959A   75 16               JNZ SHORT lf2hexed.004395B2
0043959C   8BC8                MOV ECX,EAX
0043959E   0FAFCD              IMUL ECX,EBP
004395A1   03CF                ADD ECX,EDI
004395A3   8D0C8D F8D54400     LEA ECX,DWORD PTR DS:[ECX*4+44D5F8]
004395AA   8D72 09             LEA ESI,DWORD PTR DS:[EDX+9]      ;The number 9 here is the limit of "In Screen" troops (Row 1) subtracted by 1.
004395AD   E9 75000000         JMP lf2hexed.00439627
004395B2   83FA 02             CMP EDX,2      ;Where the "2" comes from. See below.
004395B5   75 13               JNZ SHORT lf2hexed.004395CA
004395B7   8BC8                MOV ECX,EAX
004395B9   0FAFCD              IMUL ECX,EBP
004395BC   03CF                ADD ECX,EDI
004395BE   8D0C8D 50D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D650]
004395C5   8D72 1C             LEA ESI,DWORD PTR DS:[EDX+1C]      ;The number 28 (1C) here is the limit of Reserved (Row 2) troops subtracted by 2.
004395C8   EB 5D               JMP SHORT lf2hexed.00439627
004395CA   83FA 03             CMP EDX,3      ;Where the "3" comes from. See below.
004395CD   75 26               JNZ SHORT lf2hexed.004395F5
004395CF   8BC8                MOV ECX,EAX
004395D1   0FAFCD              IMUL ECX,EBP
004395D4   83FF 04             CMP EDI,4
004395D7   7D 0E               JGE SHORT lf2hexed.004395E7
004395D9   03CF                ADD ECX,EDI
004395DB   8D0C8D 10D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D610]
004395E2   8D72 07             LEA ESI,DWORD PTR DS:[EDX+7]      ;The number 7 here is the limit of "In Screen" troops (Row 3) subtracted by 3.
004395E5   EB 40               JMP SHORT lf2hexed.00439627
004395E7   8D0C8D 20D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D620]
004395EE   BE 0A000000         MOV ESI,0A      ;This is the "In Screen" beer limit 0A (10).
004395F3   EB 32               JMP SHORT lf2hexed.00439627
004395F5   83FA 04             CMP EDX,4      ;Where the "4" comes from. See below.
004395F8   75 25               JNZ SHORT lf2hexed.0043961F
004395FA   8BC8                MOV ECX,EAX
004395FC   0FAFCD              IMUL ECX,EBP
004395FF   3BFA                CMP EDI,EDX
00439601   7D 0E               JGE SHORT lf2hexed.00439611
00439603   03CF                ADD ECX,EDI
00439605   8D0C8D 68D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D668]
0043960C   8D72 1A             LEA ESI,DWORD PTR DS:[EDX+1A]      ;The number 26 (1A) here is the limit of Reserved (Row 4) troops subtracted by 4.
0043960F   EB 16               JMP SHORT lf2hexed.00439627
00439611   8D0C8D 78D64400     LEA ECX,DWORD PTR DS:[ECX*4+44D678]
00439618   BE 1E000000         MOV ESI,1E      ;This is the Reserve beer limit 1E (30).
0043961D   EB 08               JMP SHORT lf2hexed.00439627
0043961F   8B4C24 34           MOV ECX,DWORD PTR SS:[ESP+34]
00439623   8B7424 34           MOV ESI,DWORD PTR SS:[ESP+34]
00439627   85DB                TEST EBX,EBX
Reply
Thanks given by: A-Man
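
The encoding rule from the solution above (LEA ESI,[EDX+n] stores the limit minus EDX, MOV ESI,n stores the limit itself), as an added Python example that is not part of the original post. The site table is taken from the addresses and bytes listed in the post; the function names are hypothetical, and the code only computes same-length replacement bytes, it does not touch the executable.

```python
import struct

# Patch sites as listed in the post: virtual address -> (form, EDX in that branch, default bytes).
# "lea" is LEA ESI,[EDX+disp8] (8D 72 ib); "mov" is MOV ESI,imm32 (BE id).
SITES = {
    0x4395AA: ("lea", 1, bytes.fromhex("8D7209")),
    0x4395C5: ("lea", 2, bytes.fromhex("8D721C")),
    0x4395E2: ("lea", 3, bytes.fromhex("8D7207")),
    0x4395EE: ("mov", 0, bytes.fromhex("BE0A000000")),
    0x43960C: ("lea", 4, bytes.fromhex("8D721A")),
    0x439618: ("mov", 0, bytes.fromhex("BE1E000000")),
}

def effective_limit(addr, code=None):
    """Limit that ends up in ESI for the instruction bytes at addr."""
    form, edx, default = SITES[addr]
    code = default if code is None else code
    if form == "lea":
        if code[:2] != b"\x8d\x72":
            raise ValueError("not LEA ESI,[EDX+disp8]")
        return edx + struct.unpack("<b", code[2:3])[0]  # disp8 is signed
    if code[:1] != b"\xbe":
        raise ValueError("not MOV ESI,imm32")
    return struct.unpack("<i", code[1:5])[0]

def patch_bytes(addr, limit):
    """Same-length replacement bytes so that ESI == limit at this site."""
    form, edx, _default = SITES[addr]
    if limit < 0:
        raise ValueError("limit must be non-negative")
    if form == "lea":
        disp = limit - edx
        if not -128 <= disp <= 127:
            # A larger value needs the 6-byte disp32 form, which would
            # overwrite the JMP that follows the 3-byte instruction.
            raise ValueError(f"limit {limit} does not fit disp8 at {addr:#x}")
        return b"\x8d\x72" + struct.pack("<b", disp)
    return b"\xbe" + struct.pack("<i", limit)

if __name__ == "__main__":
    # Print the 60/90 patch the first post asked for, site by site.
    for addr, (_form, _edx, default) in SITES.items():
        want = 60 if effective_limit(addr) == 10 else 90
        print(f"{addr:08X}: {default.hex(' ')} -> {patch_bytes(addr, want).hex(' ')}")
```

Decoding the defaults shows that all six sites already resolve to 10 or 30, which is why changing only the two MOV instructions leaves the four rows at their old limits.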
#2
Open that exe again and try adding troops by fives (I think it was by pressing jump Defend). Does the limit change? The snippet you posted seems to direct you to 00439637 where what ECX points to (which is probably the number of troops) is added by 5. If I was right, then there might be another part with similar numbers you should change.

Edit: V: Oh yeah thanks.
A-Engine: A new beat em up game engine inspired by LF2. Coming soon

A-Engine Dev Blog - Update #8: Timeout

Reply
Thanks given by: Ikran Ahiyìk
#3
@^ Anytime :D

A-Man pressing Defend makes Army + by 5 not Jump, Jump - army by 1.

You're just dying if you're living and thinking about a betrayal, revive yourself.
Think about that one person that has trusted you forever, not the thousand people that have betrayed you.
Reply
Thanks given by: A-Man
#4
Thanks for help.

No, even when both the 10/30 are changed, when I come across the limit by pressing D, J or A they're still 10/30.
I guess you're right, there MUST be some other values... but as a newbie it's very hard for me to find them out... Use Cheat Engine maybe? I find that it allows me to edit the assembly code too, like Olly; what's different is that CE realizes my assembly right after it is done, with LF2 running... amazing.



I've edited the first post: includes more related instructions, and describes three processes related to the limit.



Edit: It seems that the two lines I marked do nothing to the limits actually, or because ESI is loaded from somewhere else. I've tried to change its value, or even delete the MOV ESI,0A thing, but Cheat Engine still reports the value of ESI is 0A (10) or 1E (30). OK when it's up to loading data from other address, I surrender...

I think there should be an alternative way to achieve, if I change my demand into 99/99 instead of 60/90. With a single value I could just change all the ESI's into 63 (99), as the process of pressing D, J and A are all found. However, I still want to know what's ESI really doing there, so I wouldn't implement this.



Solved. Thanks for attention... (I still have a bunch of questions to come up with haha) This would be archived and you could take the solution as a reference.
Reply
Thanks given by:
#5
The solution is very interesting indeed :D.
> (05-23-2014, 10:59 AM) Ikran Ahiyìk Wrote:
> Edit: It seems that the two lines I marked do nothing to the limits actually, or because ESI is loaded from somewhere else. I've tried to change its value, or even delete the MOV ESI,0A thing, but Cheat Engine still reports the value of ESI is 0A (10) or 1E (30). OK when it's up to loading data from other address, I surrender...
>
> I think there should be an alternative way to achieve, if I change my demand into 99/99 instead of 60/90. With a single value I could just change all the ESI's into 63 (99), as the process of pressing D, J and A are all found. However, I still want to know what's ESI really doing there, so I wouldn't implement this.

That's probably because LEA works quite differently from MOV. While MOV would've copied the fixed constant value from [EDX+9] to ESI, LEA only stores a reference to the value in that address; in other words, any changes that happen to the address [EDX+9] after the LEA operation did affect the value of ESI as well. The process is kinda complex with all those LEAs going again and again. Good job finding that out XD.
Reply
Thanks given by: