Topic: Hex Editing of Starfleet executables  (Read 209571 times)

0 Members and 1 Guest are viewing this topic.

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Hex Editing of Starfleet executables
« on: December 26, 2014, 06:13:03 pm »
I've figured out the offsets for several variables in the game, including weapons' accuracy, damage, and a few energy costs. I've also fixed the F11 hover bug (the top-layer target info has one extra character which makes it illegible).

My question is this...

Should this information be kept secret?

We, the fans of this great series, modify the shiplists, scripts, strings, textures, sounds, models, etc. But nobody, AFAIK, has released a modified Starfleet.exe.

I don't think it is a violation of the EULA to tinker with assembly-level code and freely let others try it. Nobody can play SFC with a stand-alone 8MB modified exe. As long as the checksum and CRC are enforced, I think fair play can be ensured. (Although nowadays SFC is 99% single-player, so this is barely an issue.)

Thoughts?

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #1 on: December 26, 2014, 07:58:54 pm »
I am not using any special tools. HxD is a free hex editor. At first, the data in a Starfleet executable looks totally meaningless -- just a bunch of stuff like E9 E2 04 00 F0 E2 08 00. [Shrug]

But then you find gems like this: 09 08 07 06 05 05 04 03 02 01 01

What is that?

If it were 09 08 07 06 05 04 03 02 01 00, it could be a count down, a list, or anything generic. But the former series is far too specific to be anything random.

You need to learn how to read numbers in hexadecimal form. (It temporarily hurt my brain learning this!) If you're looking for a ten, that may be written as a "0A" byte. (It may be written as "0A 00 00 00" for a 4-byte integer. Why not "00 00 00 0A"? That's little-endian format. Yes, another brain twister to resolve.) The Windows calculator in programmer mode can do part of this for you, once you understand the concept. HxD has a search function that finds little-endian values.

Let's say I want to find the damage that Large Drones do. That's 24, right? I need to search for 24 in hexadecimal format. That's 16 plus 8, which is "18" in hexadecimal (don't say eighteen, say one-eight). But if I search for "18", I'll find several thousand of them! I need to be more specific and use the clues that are found in human-readable hex. And also try 4-byte (32-bit) values like "18 00 00 00" which greatly narrows down the search.

Scattered throughout the .exe are strange words like AVtDrone, AVtPhoton, AVtHellbore, etc. These can be helpful indicators of what's nearby.

I began exploring the Starfleet2CE.exe because I wanted to fix the misleading version number in the splash screen. 2.6.6.0 was wrong, it should be 2.6.7.0. Okay, I found that 7 times in the code! One of them must affect the splash screen. Trial and error found the relevant address to be 0065FA28. You can change 2.6.6.0. to A.D.A.M. if you want. (Use the human-friendly right column of the HxD screen to more easily change alphabetical stuff.)   
« Last Edit: April 18, 2017, 04:05:51 am by TarMinyatur »

Offline Corbomite

  • Commander
  • *
  • Posts: 2939
Re: Hex Editing of Starfleet executables
« Reply #2 on: December 26, 2014, 08:07:23 pm »
According to Frey, the SFC2 series is considered abandoned, so as long as you don't try to make money from it you should be alright to modify it any way you like.

Offline Javora

  • America for Americans first.
  • Commander
  • *
  • Posts: 3006
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #3 on: December 26, 2014, 09:43:39 pm »
Huh, I wonder just how far we can change the game with this?  For that matter if we can reverse engineer SFC OP to fix the multiplayer.  Any info we can get might also help Exeter.

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #4 on: December 26, 2014, 11:10:55 pm »
Javora, there is no theoretical limit to what can be done through editing Starfleet2OP.exe. However, it gets extremely difficult to do anything sophisticated by changing a few bytes here or there. Such as improving the AI's logic.

Exeter has the C++ code for EAW and CE. He has the easy (and sane) way to change the values of variables and such. I have no idea how to address complicated things, such as Gamespy's networking stuff in Orion Pirates.

I can make the Suicide Overload Fusion Beam do 2x damage (instead of 3x damage). That's easy.

I might be able to display the scanner damage on the HUD (which has always been unknown). That's not easy but I want to do that.

Stuff like expanding the player slots from 6 to 8? Probably close to impossible.

If anyone gets onboard the Hex Editing of the game. Let me know. It would be a shame to duplicate our efforts. I already have a good chunk documented. I guess I'm waiting to see if anyone can present an argument that it is not a good idea to experiment with the executable.

Offline Javora

  • America for Americans first.
  • Commander
  • *
  • Posts: 3006
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #5 on: December 27, 2014, 07:31:28 am »
Thanks Tar, I guess I was being a little to optimistic about cracking into SFC OP as it seems that no one has that particular code.   I was thinking if we can figure out what OP has that is over and above SFC II then we can port it over to SFC CE.  Oh well it's still a great idea Tar.

Offline Corbomite

  • Commander
  • *
  • Posts: 2939
Re: Hex Editing of Starfleet executables
« Reply #6 on: December 27, 2014, 10:35:36 am »
Exeter basically refused to even look at the old code due to its apparent lack of organization and poor formatting. He prefered to start from scratch in all areas with the exception of graphics, in which he is not an expert.  Maybe you can get him to change his mind.

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #7 on: December 27, 2014, 11:46:03 am »
2.679 is the latest unofficial patch. A 2.690 mauler/bolt mod is available too.
« Last Edit: January 27, 2017, 08:18:22 pm by TarMinyatur »

Online Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13072
Re: Hex Editing of Starfleet executables
« Reply #8 on: December 27, 2014, 03:56:05 pm »
Slow missiles back to speed 8 :)
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #9 on: December 27, 2014, 04:01:05 pm »
StarfleetOP.exe is similar. The tables are usually followed by the name of the system, such as AVtAntiDroneRack@@ or AVtDisruptorTube@@.

Look at address 445AE4 to get started with AMDs. The other weapon systems follow.

Adam, you could mod the Heavy Phaser-A to start at 30 (?) damage for a TNG ship, instead of mounting Phaser-4's, for example. It's all up to you.

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #10 on: December 27, 2014, 04:12:52 pm »
Slow missiles back to speed 8 :)

I haven't found the speed variables. (SFBMode=1 will give you Speed-8 Drones and Speed-32 Plasma in Community Edtion.)

I've looked for obvious hexadecimal representations of 40, 36, 34, 32, 24, 22, 20, 16, 12, 8 in various sequences...no luck yet.

Offline Corbomite

  • Commander
  • *
  • Posts: 2939
Re: Hex Editing of Starfleet executables
« Reply #11 on: December 27, 2014, 04:18:38 pm »
Slow missiles back to speed 8 :)

I haven't found the speed variables. (SFBMode=1 will give you Speed-8 Drones and Speed-32 Plasma in Community Edtion.)

I've looked for obvious hexadecimal representations of 40, 36, 34, 32, 24, 22, 20, 16, 12, 8 in various sequences...no luck yet.

Have you tried switching to SFB mode and seeing what changes? It might take some searching, but it will be in there if it is swapped out.

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #12 on: December 27, 2014, 06:29:34 pm »
Slow missiles back to speed 8 :)

I haven't found the speed variables. (SFBMode=1 will give you Speed-8 Drones and Speed-32 Plasma in Community Edtion.)

I've looked for obvious hexadecimal representations of 40, 36, 34, 32, 24, 22, 20, 16, 12, 8 in various sequences...no luck yet.

Have you tried switching to SFB mode and seeing what changes? It might take some searching, but it will be in there if it is swapped out.

I don't think the executable is self-modifying. The speed of plasma may be determined at runtime. The value of 36 (as a float or integer) is found several times, but changing those to 60 (one-by-one) didn't result in ultra-fast torpedoes. Maybe the speed is actually 36.000001? That would have a different representation in float format and would be laborious to search for. But it makes no sense to set the speed to anything mysterious. Dave or Zach or Erik would have typed 36.0f in the C++ code.

Your logic is good, Corbomite. But I don't know how to detect the difference in memory between SFBMode=0 and SFBMode=1 with regard to seeking weapon speed. Perhaps if I view the .exe while it is running, then maybe I can find the location of Plasma's speed on the heap. I'll check out the game with a debugger.

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #13 on: December 27, 2014, 07:02:41 pm »
The Fusion Beam (and, in fact, all weapons) can be given a byte value between zero (00) and 255 (FF) for its damage.

Assuming you're using StarfleetOP.exe...

Search for AVtFusionCannon. You should find it near address 456580.

Just above that in the "open" area, are the Fusion Tables.

             ----------------Range-----------------
             0     1     2   3-10  11-15  16-24
4564A4: 0D    08   06   04     03      02        // This is the damage of the Fusion Table if you "roll" a 1.
            13     8     6    4       3        2        // This is the damage in regular numbers.

4564AA: 0B   08    05    03     02      01        // Damage if you "roll" a 2.
            11    8      5      3      2       1         // Damage in regular numbers.
etc.

So if you wanted to make Standard Fusions do a flat 32 points of damage ("20" in hexadecimal) across its entire range, you could do this:

4564A4: 20 20 20 20 20 20
4564AA: 20 20 20 20 20 20
etc. (for the other four rows, i.e. for "rolls" of 3, 4, 5, and 6)

Then you get to the Overload Table.

(View the attachment for the first row of Fusion Table for StarfleetOP.exe.)
« Last Edit: April 18, 2017, 04:08:51 am by TarMinyatur »

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #14 on: December 27, 2014, 10:29:22 pm »
Well, Adam, it only took 15 years! Someone must have "cracked" the code a long time ago, simply because it isn't terribly hard to do. I never wanted to modify weapon accuracy or damage, so I never bothered. I assumed that 14DegreesEast/Taldren had encrypted the charts and other sensitive mechanical data.

If you try, however, to give a weapon extended range (or remove a myopic zone) you will not succeed. The weapons' limitations are defined elsewhere. The 1-byte charts are only used to determine damage. They do nothing to influence AI behavior. The AI will probably "think" that a Phaser-3 is just a little pea shooter, even if you modify it to deal out 50 damage.

Merry Christmas.

(Interesting ESG find this morning.)
 
(I found the locations of the numbers that define Range Brackets. A Disruptor4, for example, can theoretically fire up to a distance of 256 k.)
« Last Edit: December 28, 2014, 04:37:39 am by TarMinyatur »

Offline TarMinyatur

  • Lt.
  • *
  • Posts: 938
  • Gender: Male
Re: Hex Editing of Starfleet executables
« Reply #15 on: December 28, 2014, 03:35:20 pm »
Adam, the range brackets can indeed be changed.

The programmers used floating point numbers. They also multiplied SFB's units by ten. So when we think of Range 30, they wrote 310.0f. Why not 300.0f? That would not enable the decimal values of 30.01 to 30.99 to be valid ranges. So it is 310.0f non-inclusive.

View the attachment for the first range bracket for the Disruptor.

738BF8: 00 00 21 41  // This the highlighted value for 10.0f.

Floating-point number bytes are weird. Figuring them by hand is hard. I downloaded a free IEEE Calculator to help me. But I have to rearrange them for little-endianness.

00 00 21 41 is first rearranged to 41 21 00 00 and then condensed to 41210000, which you can put in a special calculator to get an ordinary number. In this case it is 10.

Examples are always helpful...

Common floats in little-endian format:
960 = 00 00 70 44
800 = 00 00 48 44
680 = 00 00 2A 44
640 = 00 00 20 44
610 = 00 80 18 44
480 = 00 00 F0 43
440 = 00 00 DC 43
410 = 00 00 CD 43   
400 = 00 00 C8 43
390 = 00 00 C3 43
360 = 00 00 B4 43
330 = 00 00 A5 43
310 = 00 00 9B 43
250 = 00 00 7A 43
240 = 00 00 70 43
230 = 00 00 66 43
160 = 00 00 20 43
120 =00 00 F0 42
110= 00 00 DC 42
90 = 00 00 B4 42
60 = 00 00 70 42
55 = 00 00 5C 42
50 = 00 00 48 42
45 = 00 00 34 42
40 = 00 00 20 42
36 = 00 00 10 42
35 = 00 00 0C 42
30 = 00 00 F0 41
25 = 00 00 C8 41
20 = 00 00 A0 41
15 = 00 00 70 41
10 = 00 00 20 41
 5 = 00 00 A0 40

The ADD is unusual. It won't fire beyond 3.99 even if its max range is set to "00 00 70 42" (60.0f), for example.

So search for floats which are 10x the numbers you seek.
 
Plasma speed (36) might be stored as 360.0f. Slow Drone speed (16) might be stored as 160.0f. (Edit: Nope. But I may have found the location of certain Weapon Arcs, such as 15, 55, 120, 210, 240, 270, 310, 330, and 360.)
« Last Edit: December 28, 2014, 04:50:35 pm by TarMinyatur »

Offline Corbomite

  • Commander
  • *
  • Posts: 2939
Re: Hex Editing of Starfleet executables
« Reply #16 on: December 28, 2014, 04:42:45 pm »
I'll be happy if you can just give the TRL and TRH a real graphic to point to, but that may not be in that file.

Offline Corbomite

  • Commander
  • *
  • Posts: 2939
Re: Hex Editing of Starfleet executables
« Reply #17 on: December 28, 2014, 05:05:55 pm »
Speaking of TR beams, does anyone remember how to code them into the shiplist? It's been so long since I turned them on I've forgotten. I've tried all the combinations that I can think of and nothing. IIRC they show up with the PPD icon.

Offline Corbomite

  • Commander
  • *
  • Posts: 2939
Re: Hex Editing of Starfleet executables
« Reply #18 on: December 28, 2014, 06:27:10 pm »
Thanks. The HP display won't matter as I'm putting them on non-player races. I'd be surprised if it controls the sprites file at all though.

Offline Corbomite

  • Commander
  • *
  • Posts: 2939
Re: Hex Editing of Starfleet executables
« Reply #19 on: December 28, 2014, 07:52:41 pm »
The TB texture would be best, but since it doesn't do damage I can't see why TB's would be in there at all except for range. You never know though. PHA for TRBL and PHB for TRBH would suffice though as long as those Phasers retain their graphic as well.