
[1.298][Release] Disable experience loss in Ardream AND Bifrost!

Twisted 2011-10-17 07:50:57 1270
CUser::Attack already contains a (dynamic) check that disables experience loss for a zone, but it is not very useful when several zones are open at once. So we'll need to add our own.

In CUser::Attack we'll find the call to CUser::ExpChange at 00496956.
CODE
  00496956     E8 CBB7F6FF    CALL 00402126
Since the call is 5 bytes long, we'll replace it with a jump to our code-cave (also 5 bytes, as it will be a far jump), which I've placed at 00499233:
CODE
  00496956     E9 D8280000    JMP 00499233
On entering the code-cave, we first need to make sure we can still reach the pointer that was used earlier to get at the current zone. We reload it as a precaution, because there is one path where eax has been re-used (so it would no longer point to the data we want).
CODE
  00499233     8B87 98800000  MOV EAX,DWORD PTR DS:[EDI+8098]
To save bytes, we'll conveniently store the zone ID in CL.
CODE
  00499239     8A48 3C        MOV CL,BYTE PTR DS:[EAX+3C]
Now we can go through our zone blacklist, starting with Ardream!
Compare the zone ID to 0CA (202 - Ardream).
CODE
  0049923C     80F9 CA        CMP CL,0CA
If the zone is Ardream, we'll jump to our "don't take experience" case, down below.
CODE
  0049923F     74 0C          JE SHORT 0049924D
Now we compare the zone ID to 1F (31 - Bifrost).
CODE
  00499241     80F9 1F        CMP CL,1F
If the zone is Bifrost, we'll jump to our "don't take experience" case, down below.
CODE
  00499244     74 07          JE SHORT 0049924D
If the zone is none of the above, we call CUser::ExpChange() as normal to do all the experience handling.
CODE
  00499246     E8 DB8EF6FF    CALL 00402126
Now jump back to the code in CUser::Attack(). To save bytes, this short jump lands on the actual return jump at the end of the "don't take experience" case below.
CODE
  0049924B     EB 03          JMP SHORT 00499250
This is our "don't take experience" case. This line cleans up the stack: 3 DWORDs were pushed as arguments for CUser::ExpChange(), but since we are not calling CUser::ExpChange() here, we take them back off the stack ourselves.
CODE
  0049924D     83C4 0C        ADD ESP,0C
Jump back to CUser::Attack().
CODE
  00499250    ^E9 06D7FFFF    JMP 0049695B
Code recap

Jump to code-cave from CUser::Attack():
CODE
  00496956     E9 D8280000    JMP 00499233
Our code-cave:
CODE
  00499233     8B87 98800000  MOV EAX,DWORD PTR DS:[EDI+8098]
  00499239     8A48 3C        MOV CL,BYTE PTR DS:[EAX+3C]
  0049923C     80F9 CA        CMP CL,0CA
  0049923F     74 0C          JE SHORT Ebenezer.0049924D
  00499241     80F9 1F        CMP CL,1F
  00499244     74 07          JE SHORT Ebenezer.0049924D
  00499246     E8 DB8EF6FF    CALL Ebenezer.00402126
  0049924B     EB 03          JMP SHORT Ebenezer.00499250
  0049924D     83C4 0C        ADD ESP,0C
  00499250    ^E9 06D7FFFF    JMP Ebenezer.0049695B
Have fun!
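A hand-assembled code-cave like the one above is only as good as its displacement arithmetic: an E8 CALL, an E9 JMP and the 2-byte short branches all encode a signed offset relative to the address of the *next* instruction, and a single off-by-one sends execution into the middle of an instruction and crashes the server. The following Python script is an added example, not part of the original post or of the Ebenezer code base; it re-derives every displacement in the listing above from the addresses the post gives, checks that the cave's instructions are contiguous and that every branch lands on an instruction boundary, and builds the 5-byte JMP patch for 00496956 (note that E9 is a near relative jump, which is why it is the same length as the CALL it replaces). The `CAVE` table and the branch-opcode tables are the author's own constructions for this check.

```python
"""Displacement checker for a hand-written x86 code cave.
Added example (not from the original post); the addresses and opcode bytes
in CAVE are the ones listed in the post for Ebenezer 1.298."""
import struct

# Opcodes whose operand is a signed displacement relative to the next instruction.
REL32_OPCODES = {0xE8: "CALL", 0xE9: "JMP"}               # 5-byte forms
REL8_OPCODES = {0xEB: "JMP SHORT", 0x74: "JE SHORT", 0x75: "JNE SHORT"}  # 2-byte forms


def encode_rel32(src, target):
    """rel32 operand of a 5-byte E8 CALL / E9 JMP at `src` reaching `target`."""
    return struct.pack("<i", target - (src + 5))


def encode_rel8(src, target):
    """rel8 operand of a 2-byte short branch at `src`; raises if out of range."""
    disp = target - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"short branch at {src:08X} cannot reach {target:08X}")
    return struct.pack("<b", disp)


def branch_target(addr, code):
    """Destination of the relative branch `code` located at `addr`, or None."""
    op = code[0]
    if op in REL32_OPCODES and len(code) == 5:
        return (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
    if op in REL8_OPCODES and len(code) == 2:
        return (addr + 2 + struct.unpack("<b", code[1:2])[0]) & 0xFFFFFFFF
    return None


def make_jmp_patch(src, target):
    """The 5-byte near JMP that overwrites the original 5-byte CALL at `src`."""
    return b"\xE9" + encode_rel32(src, target)


# The cave as listed in the post: (address, opcode bytes, intended branch target).
CAVE = [
    (0x00499233, "8B87 98800000", None),        # MOV EAX,[EDI+8098]   reload zone ptr
    (0x00499239, "8A48 3C",       None),        # MOV CL,[EAX+3C]      zone id
    (0x0049923C, "80F9 CA",       None),        # CMP CL,0CA           Ardream
    (0x0049923F, "74 0C",         0x0049924D),  # JE  -> no-exp-loss case
    (0x00499241, "80F9 1F",       None),        # CMP CL,1F            Bifrost
    (0x00499244, "74 07",         0x0049924D),  # JE  -> no-exp-loss case
    (0x00499246, "E8 DB8EF6FF",   0x00402126),  # CALL CUser::ExpChange
    (0x0049924B, "EB 03",         0x00499250),  # JMP SHORT -> return jump
    (0x0049924D, "83C4 0C",       None),        # ADD ESP,0C           drop 3 args
    (0x00499250, "E9 06D7FFFF",   0x0049695B),  # JMP back into CUser::Attack
]


def check_cave(cave):
    """Return a list of problems found in `cave` (empty means consistent):
    gaps/overlaps between consecutive instructions, branches whose encoded
    displacement differs from the intended target, and branches that land
    inside the cave but not on an instruction boundary."""
    parsed = [(addr, bytes.fromhex(h.replace(" ", "")), t) for addr, h, t in cave]
    starts = {addr for addr, _, _ in parsed}
    cave_start = parsed[0][0]
    cave_end = parsed[-1][0] + len(parsed[-1][1])
    problems = []
    for i, (addr, code, intended) in enumerate(parsed):
        if i > 0:
            prev_addr, prev_code, _ = parsed[i - 1]
            if addr != prev_addr + len(prev_code):
                problems.append(f"{addr:08X}: gap or overlap after {prev_addr:08X}")
        if intended is None:
            continue
        actual = branch_target(addr, code)
        if actual is None:
            problems.append(f"{addr:08X}: not a recognised relative branch")
            continue
        if actual != intended:
            problems.append(f"{addr:08X}: encoded target {actual:08X}, intended {intended:08X}")
        if cave_start <= actual < cave_end and actual not in starts:
            problems.append(f"{addr:08X}: lands mid-instruction at {actual:08X}")
    return problems


if __name__ == "__main__":
    print("patch at 00496956:", make_jmp_patch(0x00496956, 0x00499233).hex().upper())
    print("original CALL goes to:",
          f"{branch_target(0x00496956, bytes.fromhex('E8CBB7F6FF')):08X}")
    print("cave problems:", check_cave(CAVE) or "none")
```

Run it before writing anything to the binary; if `check_cave` returns an empty list the listing is self-consistent, and the patch bytes it prints for 00496956 should match the `E9 D8280000` shown in the post. Feeding it a deliberately mistyped displacement (for example `74 0B` instead of `74 0C`) reports both the wrong target and the mid-instruction landing, which is exactly the kind of error a disassembler will not flag for you.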
