Part I: Disable Requiem’s Animation
Some comrades have asked me whether the attack animation can be disabled, so here is a short guide with the routines and instruction addresses to patch. All data is valid for the EN server, patch 378; on other versions, use the patterns to locate the corresponding code.
1. Attack animation
Pattern: A1 ???????? 8945 F0 898D 28FFFFFF 8B4D 08
0050EB30 /$ 55 PUSH EBP
0050EB31 |. 8BEC MOV EBP,ESP
0050EB33 |. 6A FF PUSH -1
0050EB35 |. 68 51F78E00 PUSH 008EF751
0050EB3A |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0050EB40 |. 50 PUSH EAX
0050EB41 |. 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0050EB48 |. 81EC D8000000 SUB ESP,0D8
0050EB4E |. A1 C06C9C00 MOV EAX,DWORD PTR DS:[9C6CC0]
0050EB53 |. 8945 F0 MOV DWORD PTR SS:[LOCAL.4],EAX
0050EB56 |. 898D 28FFFFFF MOV DWORD PTR SS:[LOCAL.54],ECX
0050EB5C |. 8B4D 08 MOV ECX,DWORD PTR SS:[ARG.1]
0050EB5F |. E8 4C230800 CALL 00590EB0
0050EB64 |. 85C0 TEST EAX,EAX
=> [NOP it] 0050EB66 |. 74 05 JE SHORT 0050EB6D
0050EB68 |. E9 41030000 JMP 0050EEAE
0050EB6D |> 8B45 08 MOV EAX,DWORD PTR SS:[ARG.1]
0050EB70 |. 50 PUSH EAX
0050EB71 |. 8D4D D4 LEA ECX,[LOCAL.11]
0050EB74 |. 51 PUSH ECX
..........
0050EBC0 |. 6A 00 PUSH 0 ; /Arg5 = 0
0050EBC2 |. 68 0000803F PUSH 3F800000 ; |Arg4 = 3F800000
0050EBC7 |. 6A 00 PUSH 0 ; |Arg3 = 0
0050EBC9 |. 6A FF PUSH -1 ; |Arg2 = -1
0050EBCB |. 68 B8699200 PUSH OFFSET 009269B8 ; |Arg1 = ASCII "attack"
0050EBD0 |. 8B4D 08 MOV ECX,DWORD PTR SS:[ARG.1] ; |
0050EBD3 |. E8 28850800 CALL 00597100 ; |
0050EBD8 |. 8BC8 MOV ECX,EAX ; |
0050EBDA |. E8 E1880600 CALL 005774C0
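How the pattern notation above is read, as an added example that is not part of the original guide: each `??` stands for one byte that may differ between builds (here the absolute address operand of `MOV EAX,DWORD PTR DS:[9C6CC0]`), and a usable signature should match exactly once. The function names, the sample buffers and the relocated address in `OTHER_BUILD` are constructed for illustration; the listing bytes are the ones shown above.

```python
from typing import List, Optional

def parse_pattern(text: str) -> List[Optional[int]]:
    """Turn 'A1 ???????? 8945 F0' into [0xA1, None, None, None, None, 0x89, ...]."""
    compact = "".join(text.split())          # grouping by spaces is cosmetic
    if len(compact) % 2:
        raise ValueError("pattern must consist of whole bytes")
    out: List[Optional[int]] = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        out.append(None if pair == "??" else int(pair, 16))
    return out

def find_all(data: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Every offset in data where the pattern matches (None matches any byte)."""
    n = len(pattern)
    return [off for off in range(len(data) - n + 1)
            if all(p is None or data[off + i] == p for i, p in enumerate(pattern))]

ATTACK_PATTERN = parse_pattern("A1 ???????? 8945 F0 898D 28FFFFFF 8B4D 08")

# Constructed sample: the bytes of the listing from 0050EB48 through 0050EB67.
BASE_VA = 0x0050EB48
LISTING = bytes.fromhex(
    "81ECD8000000"   # SUB ESP,0D8
    "A1C06C9C00"     # MOV EAX,[9C6CC0]  <- absolute address, wildcarded
    "8945F0"         # MOV [LOCAL.4],EAX
    "898D28FFFFFF"   # MOV [LOCAL.54],ECX
    "8B4D08"         # MOV ECX,[ARG.1]
    "E84C230800"     # CALL 00590EB0
    "85C0"           # TEST EAX,EAX
    "7405"           # JE SHORT 0050EB6D
)

# Constructed variant: same code with the global at a different (made-up) address.
OTHER_BUILD = LISTING.replace(bytes.fromhex("C06C9C00"), bytes.fromhex("10A2B300"))

def match_vas(data: bytes, base: int = BASE_VA) -> List[int]:
    """Virtual addresses of all matches, given the address of data[0]."""
    return [base + off for off in find_all(data, ATTACK_PATTERN)]

if __name__ == "__main__":
    for name, blob in (("listing", LISTING), ("other build", OTHER_BUILD)):
        hits = match_vas(blob)
        # Zero hits: the code changed. Several hits: the signature is ambiguous.
        status = "unique" if len(hits) == 1 else "not unique"
        print(name, [hex(v) for v in hits], status)
```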
2. Death animation
Pattern: FF15 ???????? 8945 F4 8B45 F4 99B9 0A000000
00595CFE |. 8B8D D8FEFFFF MOV ECX,DWORD PTR SS:[LOCAL.74]
00595D04 |. 8B91 44040000 MOV EDX,DWORD PTR DS:[ECX+444]
00595D0A |. 8955 CC MOV DWORD PTR SS:[LOCAL.13],EDX
00595D0D |. 837D CC 00 CMP DWORD PTR SS:[LOCAL.13],0
=> [JMP it] 00595D11 |. 0F85 28040000 JNE 0059613F
00595D17 |. FF15 88AB9100 CALL DWORD PTR DS:[<&MSVCR71.rand>]
00595D1D |. 8945 F4 MOV DWORD PTR SS:[LOCAL.3],EAX
00595D20 |. 8B45 F4 MOV EAX,DWORD PTR SS:[LOCAL.3]
00595D23 |. 99 CDQ
00595D24 |. B9 0A000000 MOV ECX,0A
00595D29 |. F7F9 IDIV ECX
00595D2B |. 8955 F4 MOV DWORD PTR SS:[LOCAL.3],EDX
00595D2E |. C645 FB 01 MOV BYTE PTR SS:[LOCAL.2+3],1
00595D32 |. C645 F3 00 MOV BYTE PTR SS:[LOCAL.4+3],0
00595D36 |. 8B8D D8FEFFFF MOV ECX,DWORD PTR SS:[LOCAL.74]
00595D3C |. E8 FF16FFFF CALL 00587440
00595D41 |. 8845 F3 MOV BYTE PTR SS:[LOCAL.4+3],AL
00595D44 |. 0FB655 F3 MOVZX EDX,BYTE PTR SS:[LOCAL.4+3]
00595D48 |. 85D2 TEST EDX,EDX
00595D4A |. 74 3C JE SHORT 00595D88
00595D4C |. 8B8D D8FEFFFF MOV ECX,DWORD PTR SS:[LOCAL.74]
00595D52 |. E8 D9B1F1FF CALL 004B0F30
00595D57 |. 8945 AC MOV DWORD PTR SS:[LOCAL.21],EAX
00595D5A |. 8B45 AC MOV EAX,DWORD PTR SS:[LOCAL.21]
00595D5D |. 8B48 30 MOV ECX,DWORD PTR DS:[EAX+30]
00595D60 |. 894D A8 MOV DWORD PTR SS:[LOCAL.22],ECX
00595D63 |. 6A 00 PUSH 0 ; /Arg5 = 0
00595D65 |. 68 0000803F PUSH 3F800000 ; |Arg4 = 3F800000
00595D6A |. 6A 00 PUSH 0 ; |Arg3 = 0
00595D6C |. 6A FF PUSH -1 ; |Arg2 = -1
00595D6E |. 68 A4869200 PUSH OFFSET 009286A4 ; |Arg1 = ASCII "die_ragdoll"
00595D73 |. 8B4D A8 MOV ECX,DWORD PTR SS:[LOCAL.22] ; |
00595D76 |. E8 4517FEFF CALL 005774C0
3. Blood and damage animation
Pattern: 8B8D ???????? FF10 ?????? ???????? 0F84 ???????? ?????? E8 ????????
0050F2D0 |. 8B48 14 MOV ECX,DWORD PTR DS:[EAX+14]
0050F2D3 |. 51 PUSH ECX
0050F2D4 |. 8B95 A8FDFFFF MOV EDX,DWORD PTR SS:[EBP-258]
0050F2DA |. 8B02 MOV EAX,DWORD PTR DS:[EDX]
0050F2DC |. 8B8D A8FDFFFF MOV ECX,DWORD PTR SS:[EBP-258]
0050F2E2 |. FF10 CALL DWORD PTR DS:[EAX]
0050F2E4 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0050F2E7 |. 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
=> [JMP it] 0050F2EB |. 0F84 1C070000 JE 0050FA0D
0050F2F1 |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0050F2F4 |. E8 E76E0800 CALL 005961E0
0050F2F9 |. 0FB6C8 MOVZX ECX,AL
0050F2FC |. 85C9 TEST ECX,ECX
0050F2FE |. 74 05 JE SHORT 0050F305
0050F300 |. E9 08070000 JMP 0050FA0D
0050F305 |> 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0050F308 |. FF15 70C79100 CALL DWORD PTR DS:[<&Utils.?GetTypeID@Ga
0050F30E |. 8338 04 CMP DWORD PTR DS:[EAX],4
0050F311 |. 75 0C JNE SHORT 0050F31F
0050F313 |. C785 A4FDFFFF DC699200 MOV DWORD PTR SS:[EBP-25C],OFFSET 009269 ; ASCII "npc_attack"
0050F31D |. EB 0A JMP SHORT 0050F329
0050F31F |> C785 A4FDFFFF E8699200 MOV DWORD PTR SS:[EBP-25C],OFFSET 009269 ; ASCII "pc_normal_attack"
0050F329 |> 8B95 A4FDFFFF MOV EDX,DWORD PTR SS:[EBP-25C]
0050F32F |. 52 PUSH EDX
0050F330 |. 8D4D D0 LEA ECX,[EBP-30]
0050F333 |. FF15 B0A99100 CALL DWORD PTR DS:[<&MSVCP71.??0?$basic_
Part II: Miscellaneous
1. Requiem messages
Find the instruction PUSH 0BB8 and set a breakpoint at the beginning of the next function called (in the example: CALL 007A22C0). You will catch all Requiem messages that appear during the game (location name, “unable to use skills”, etc.).
00407696 |. 68 B80B0000 PUSH 0BB8
0040769B |. 8B8D 50F0FFFF MOV ECX,DWORD PTR SS:[EBP-0FB0]
004076A1 |. 51 PUSH ECX
004076A2 |. 8B0D C0F99C00 MOV ECX,DWORD PTR DS:[9CF9C0]
004076A8 |. E8 13AC3900 CALL 007A22C0
by Dwar