Offset hunting

[jos]

Well, this part of the forum seems pretty quiet - I guess most XCOM

modders seem to have moved on.

 

I'm continuing on my crazy quest to mod the morale system

In XCOM Apocalypse, and need a little help with Hex-editing.

 

Here's what I want to do:

 

- change the amount of morale points a soldier gets at the beginning

of every mission from 100 (out of 100) to something else.

 

Here's what i've done:

 

- Using a simple Hex-editor i've painfully been through every 100

in TACP.exe, and changed it do a different value. Usually 10.

Sometimes, of course, this crashes the game, so I have to identify

those hexs, and skip over them. There are 700-odd 100 values in that

damn .exe, and if J'ordos were here, i'm sure he'd agree it's a

tedious process.

 

So .... after hours and hours of the above: changing pretty much

every 100 in the .exe, none seem to change what i want.

Even more frustratingly, I did manage to pinpoint the value that

morale is "out of" - but this seems totally useless, and from

testing seems only to control the graphic of the morale bar.

 

So am I doing anything wrong?

From knowledge of the EU and TFTD, should there be a 100 value

to find and change?

Does anyone have any experience of the .exe they can help

me with?

[kyrub]

You certainly did change every "64" (in hexadecimal), not "100", didn't you?

 

 

Other than that, I reccomend disassembling TACP.exe with IDA first, then using Ctrl + I to search the "64" value through the file. You should see something like: mov [......], 64h. Then you try to change the value and see if it changes in the game. This will spare you about 75% of your time.

[j'ordos]

Hey jos, that's some dedication you have Using a hex editor to edit stuff like that (game code) is not a good idea in this case. Hex editing is more suited to finding data, like unit stats etc... that are stored in 'lists', then you can look at the surrounding numbers and eliminate most possibilities. Since you're trying to find code, not data the surrounding numbers could be almost anything. In this case you should use IDA like kyrub suggested. I'd first use apoc'd to identify the current morale var (edit savegames->units (battlescape) ). It's already in there (Current Morale) but I'm not sure if I ever actually tested it. Then you can calculate the 'offset' of that var compared to the start of the units data. So in case of the Current Morale var I have in apoc'd that would be 135540 (current morale) - 135426 (units data start) = 114. In hex that makes 72. Then you can search the IDA database for this number (usually the game accesses the data by loading the base address to a register (eax, ebx, ecx etc) and then adding the offset to that register, so you get something like mov [eax + 72h], 64h, where eax is the start of the units data, which means store the value 100 to that memory address. Sorry if it's not totally clear

What kyrub describes is also a good way. There is one problem though, it could be that the game already loads all unit stats while still in the cityscape (UFO2P.EXE) so you may have to search that exe as well!

[jos]

Ah ha! You guys are still around.

 

Ok, so yes - I know that 64 00 is 100 in ASCII (I did do a little research

before I started, luckily)

And yes - I had already used IDA pro to have a look at TACP.

Unfortunately I have no clue what all that crazy stuff that IDA tells me is!

And I have MUCHO respect for anyone who can interpret any of those hieroglyphics!.

 

So, I've gone back to IDA and followed you guys instructions above.

Now, by doing an immediate value search in IDA it comes up with

only 8 or so 100's (why only 8?!? - when a regular hex editor finds

over 700?!?)

So by double-clicking on the "mov [......], 64h" it takes me to the appropriate hex's

in the hex view. Here's my problem:

 

a) If i change it in IDA i have no idea how to recompile the IDA file back into a

useable .exe. So, i open it in good old FlexHex and ....

b) I can't correlate the offsets! If I go to say, 000182F2 (from the bottom left

location box) in IDA, and then to 000182F2 in Flex hex - there's no 64 00's to

be found! It's almost like I'm looking at different .exe's.

 

Am I missing something obvious, guys?

 

@ j'ordos - so are you basicly saying i should look for 64 and 72 together, and

where the two are next to each other, is probably the value i want?

[j'ordos]

Ah I forgot, IDA has trouble disassembling the apocalypse exe's, I had seb76 guide me through that it uses a 32bit extender which part needs te be cut from the exe before IDA can open it properly. You can do this with https://www.sid6581.net/pmodew/. Give me some time and I'll just upload the databases I have. Because of this you can never just use the offsets from IDA though, you'll have to search for a sequence of bytes to get to the right location in the exe with a hex editor.

edit: yes, if you're lucky you'll be able to find what you need that way!

[jos]

Ah I forgot, IDA has trouble disassembling the apocalypse exe's, I had seb76 guide me through that it uses a 32bit extender which part needs te be cut from the exe before IDA can open it properly. You can do this with https://www.sid6581.net/pmodew/. Give me some time and I'll just upload the databases I have. Because of this you can never just use the offsets from IDA though, you'll have to search for a sequence of bytes to get to the right location in the exe with a hex editor.

edit: yes, if you're lucky you'll be able to find what you need that way!

 

Thanks insidious one!

 

But - the problem is I have no idea how to use PMODE/W - or even what it is!

what should i do with the files once i've downloaded it? Do i copy the files

somewhere into the IDA directory?

 

BTW j'ordos - when using apatcher, the 'guards present during investigations'

seems to have a problem - no matter what i do i can't seem to stop security soldiers

from always being present in buildings when I investigate for alien infiltration.

Whether i say yes, no or 'A' (abort?) they're there.....

[j'ordos]

You should download the pmw133.zip file from that site, extract it's contents and then use PMWBIND.EXE on the apocalypse exe's. Easiest way would be to unzip pmw133.zip to it's own folder and copy UFO2P.EXE (cityscape) and TACP.EXE (battlescape) to this folder. Then you open a cmd window, navigate to this directory and type "PMWBIND.EXE /U TACP.EXE". This should create a file called TACP.LE I think, which you can then open using IDA.

I'll take a look at the apatcher source code to see if I made a mistake, thanks for the report The intended behavior is that Y enables it, N disables it, and A (abort) leaves it as it was.

[jos]

Ok, thanks j'ordos. I've managed to correlate the IDA and hex-editor hex-adresses.

I'll continue my hunt and post any findings here.

 

a) do you have an idea what part of the .exe what i'm looking for might be?

b) is it likely to be in the UFO.exe, or TACP.exe?

[j'ordos]

Since you want to make more extensive changes to the morale system in apocalypse I'd start searching in TACP.EXE. Anything you find in there that has something to do with the morale points will be useful to you . No idea where it would be located though, sorry.

 

edit: Ive done some searching for the value 72 in tacp.exe and I found three possible locations right away. Just do an 'immediate value' search for 0x72 (check find all occurrences) and look for results like mov byte ptr [ebx + 72h], 64h. I can confirm that in the first three results like that the register (ebx/esi/...) points to the units data. Possibly there are three functions to load units, one for aliens, one for xcom troops and one for guards/civilians. Mayeb there are even more, there were a lot of results and I didn't check them all