Know anything about savegame hex-editing?

Discussion in 'The Temple of Elemental Evil' started by Andys, Jun 17, 2006.

  1. Andys

    Andys Member

    Joined:
    Jun 23, 2004
    Messages:
    3
    Likes Received:
    0
    Hello. Right now I need some information on hex-editing savegames -
    - a character data structure in savegames, since that's what I'm currently doing.
    - or just info on adding feats to characters already in game.

    My problem is quite simple. I managed to hex-add a feat in a savegame, so now I know it's possible. But I'm afraid it will break something in game vars/scripts/etc. Has anyone done that successfully and tested it over a full game run?
     
  2. Agetian

    Agetian Attorney General Administrator

    Joined:
    Aug 14, 2004
    Messages:
    2,526
    Likes Received:
    0
    Hey Andys,

    The character data structure isn't an easy one to describe because it uses a flexible file format called "object file format", which is also used for game mobile and static objects, as well as generated characters, and this format is far from self-explanatory and relies too much on stuff that is hardcoded in the DLL and not available anywhere else, so it's hard to understand the data types and boundaries in those files. I've been working on deciphering the object file format for over a year now and got quite far (right now I have a working test version of a codec that can encode and decode object file format with almost every imaginable data in mind), although it's not solid yet and not ready for a public demonstration. A limited version of the codec is implemented in ToEEWB, but that one will only work with a limited set of fields relevant for mobile and static objects and it doesn't support directly editing characters from saved game files.

    I'd like to know more about how far you are (e.g. what exactly you know and how you added a feat, and what file in the saved game you modified, and so on). I may be able to help you out later on.

    - Agetian
     
  3. Andys

    Andys Member

    Joined:
    Jun 23, 2004
    Messages:
    3
    Likes Received:
    0
    Well, I just like to break/edit/mod games, sometimes even before playing them normally. Noob in TOEE editing though, so not much to contribute except this "experiment".
    OK, here's what I did -
    1. Tried out-of-save player editor (TCEv0.8 UnoffBuild), noticed dump file it created when opening player file and found there a feats section.
    2. Opened save game (.tfaf) in hexed, found my player char there (name and current exp nearby), and tried to find some feats values there.
    3. Found it. No relation to player file. Feats were written before player name, though format was the same. So I could change existing feats. I think that wouldn't create any problems in game.
    4. Adding a new one. Quote from dump file created by TCE -
    Code:
    Section 6 at offset 0x00000295 (Feats)
    	Start code = 0x00000001 = 1
    	Item size  = 0x00000004 = 4
    	Num. items = 0x00000001 = 1
    	Identifier = 0x00001B9E = 7070
    		Item[00] = 0x0000010B = 267
    	Trailer    = 0x00000002 = 2
    	Flags      = 0x0000000000000001
    
    Well, I wondered what was that. So I tried a crazy thing and it worked...
    Here are some dumps for reference. (I will use field names from this structure for explanations)
    A. player file
    Code:
    00 00 00 00│00 [COLOR="Red"]01 04 00│00 00 01 00│00 00 9E 1B       ☺♦   ☺   Ю←
    00 00 0B 01│00 00 02 00│00 00 01 00│00 00 00 00    ♂☺  ☻   ☺
    00 00[/COLOR] 72 01│00 00 01 04│00 00 00 06│00 00 00 9F    r☺  ☺♦   ♠   Я
    1B 00 00 08│00 00 00 08│00 00 00 04│00 00 00 04  ←  ◘   ◘   ♦   ♦
    00 00 00 08│00 00 00 04│00 00 00 02│00 00 00 0E     ◘   ♦   ☻   ♫
    C0 04 00 00│00 00 00 1C│00 00 00 01│05 00 00 00  └♦     ∟   ☺♣
    41 6E 64 79│73 00 11 00│00 00 06 00│00 00 01 04  Andys ◄   ♠   ☺♦
    B. original savegame.
    Code:
    00 00 00 [COLOR="Red"]01│04 00 00 00│01 00 00 00│8E 1B 00 00     ☺♦   ☻   О←
    0B 01 00 00│02 00 00 00│01 00 00 00│00 00 00 00  ♂☺  ☻   ☺   ☺
    00[/COLOR] 72 01 00│00 01 04 00│00 00 06 00│00 00 A0 1B   r☺  ☺♦   ♠   а←
    00 00 08 00│00 00 08 00│00 00 04 00│00 00 04 00    ◘   ◘   ♦   ♦
    00 00 08 00│00 00 04 00│00 00 02 00│00 00 0E C0    ◘   ♦   ☻   ♫└
    04 00 00 00│00 00 1C 00│00 00 01 08│00 00 00 01  ♦     ∟   ☺◘   ☺
    00 00 00 9E│1B 00 00 03│14 00 00 00│00 00 00 02     Ю←  ♥¶      ☻
    00 00 00 01│00 00 00 00│00 00 00 01│05 00 00 00     ☺       ☺♣
    41 6E 64 79│73 00 11 00│00 00 06 00│00 00 01 04  Andys ◄   ♠   ☺♦
    C. Modified Save (my changes are underlined)
    Code:
    00 00 00 [COLOR="Red"]01│04 00 00 00│[u]02[/u] 00 00 00│8E 1B 00 00     ☺♦   ☻   О←
    0B 01 00 00│[U]0c 01[/U] 00 00│[u]01[/u] 00 00 00│[U]03[/U] 00 00 00  ♂☺  ☻   ☺   ☺
    00[/COLOR] 72 01 00│00 01 04 00│00 00 06 00│00 00 A0 1B   r☺  ☺♦   ♠   а←
    00 00 08 00│00 00 08 00│00 00 04 00│00 00 04 00    ◘   ◘   ♦   ♦
    00 00 08 00│00 00 04 00│00 00 02 00│00 00 0E C0    ◘   ♦   ☻   ♫└
    04 00 00 00│00 00 1C 00│00 00 01 08│00 00 00 01  ♦     ∟   ☺◘   ☺
    00 00 00 9E│1B 00 00 03│14 00 00 00│00 00 00 02     Ю←  ♥¶      ☻
    00 00 00 01│00 00 00 00│00 00 00 01│05 00 00 00     ☺       ☺♣
    41 6E 64 79│73 00 11 00│00 00 06 00│00 00 01 04  Andys ◄   ♠   ☺♦
    Note - 1. "Trailer" and "Flags" get shifted 1 dword to the right, Trailer:=1 (was 2), Flags:=3 (was 1, will explain these two later), added - feat #0x10c (Power Attack), zero dword is overwritten (this one is something to worry about. I have no idea if it's important or not)

    D. Dump after load and save in another slot.
    Code:
    00 00 00 02│00 00 00 3F│00 00 00 00│00 00 00 [COLOR="Red"]01     ☻   ?       ☺
    04 00 00 00│02 00 00 00│AC 1B 00 00│0B 01 00 00  ♦   ☻   м←  ♂☺
    0C 01 00 00│02 00 00 00│03 00 00 00│00 00 00 00  ♀☺  ☻   ♥
    00[/COLOR] 72 01 00│00 01 04 00│00 00 06 00│00 00 AD 1B   r☺  ☺♦   ♠   н←
    00 00 08 00│00 00 08 00│00 00 04 00│00 00 04 00    ◘   ◘   ♦   ♦
    00 00 08 00│00 00 04 00│00 00 02 00│00 00 0E C0    ◘   ♦   ☻   ♫└
    04 00 00 00│00 00 1C 00│00 00 01 08│00 00 00 01  ♦     ∟   ☺◘   ☺
    00 00 00 AE│1B 00 00 03│14 00 00 00│00 00 00 02     о←  ♥¶      ☻
    00 00 00 01│00 00 00 00│00 00 00 01│05 00 00 00     ☺       ☺♣
    41 6E 64 79│73 00 11 00│00 00 06 00│00 00 01 04  Andys ◄   ♠   ☺♦
    A new zero dword is appended to the whole feat structure. That's why I think that TOEE takes my added feat for a valid one and saves it as normal (with a zero dword at the end)
    ... Oh, and my char really has Power Attack after loading modified game.


    "Trailer" and "Flags"
    Everything below is related to dump C.
    When I leave Trailer at 2 (as originally), TOEE crashes on load.
    When I leave Flags at 1, TOEE wouldn't read my new feat. It WILL see an additional feat, but zero one (Acrobatics). For 3-feat player chars it equals 7. Something like flags for reading/not reading feat values? I didn't test it with high-level chars though.

    Well, that's all I've got. Hope it helps, and reply to me if you see it break something in game :)
    Maybe I'll play once with this and see for myself... but free time is really scarce :(

    //====
    Hmm... I just noticed that it's not a "dword zero"... it is a part of the Flags var.
     
    Last edited: Jun 18, 2006
  4. Agetian

    Agetian Attorney General Administrator

    Joined:
    Aug 14, 2004
    Messages:
    2,526
    Likes Received:
    0
    Wow, great job there Andys - you actually learned about the sizeable array type of structure in the object file format. It's something that I studied for a long time and got implemented in the object codec when I created the ToEEWB. So...

    The first part is the sizeable array header:
    Start Code = 0x01: - not exactly the start code, it's just a one-byte flag which, if set (=0x01), means that the sizeable array is actually present. If it's reset (=0x00), then no sizeable array follows and the data is considered null.

    Item size = 4: - exactly, the size of an individual element in the sizeable array. Could be 4 (32bit), 8 (64bit), or 24 (for object handles). Maybe other values are possible.

    Num.items = 2: - exactly, the number of items in a sizeable array.

    Identifier = 7243: - yup, a handle of the sizeable array structure in memory. Doesn't matter when on disk, but matters in memory. Therefore, if you directly edit the memory it's not recommended that you change this. On disk this can be anything, it'll get recreated anyway.

    Next follow the items:
    Items - Yup, the items follow the header, one after another.

    Next follows the bitfield:
    Trailer = 2: - it's not a trailer, it's a number of 32bit blocks to follow (the size of the bitfield to follow). It means that there will be exactly 64bits of data in the bitfield afterwards (two chunks 32 bits each)

    Flags = 3: - well, it's not exactly flags, it's just a bitfield defining which elements are actually present in the sizeable array. So, if it's 3 it means that the first two bits in the 64bit bitfield will be set, and it means that the two items in the sizeable array will have indices 0 and 1. I hope this makes sense.

    And that concludes the sizeable array.
    Sizeable arrays are very common in ToEE and they can sometimes be a pain in the butt to figure out since some are packed in a variety of ways (say, size of an element is 64bit, but it actually gets split later into two 32bit values, one of which is parsed as a series of 4 bytes 8bits each, etc.).

    Modifications of SARs should be made carefully - do not change the handle when editing in memory, and make sure you make modifications to both the num. elements and the bitfield (and possibly the 'trailer' if necessary) in order to make the array configuration valid.

    Hope this helps.
    - Agetian
     
  5. Andys

    Andys Member

    Joined:
    Jun 23, 2004
    Messages:
    3
    Likes Received:
    0
    Thanks :)
    Now I feel pretty safe. At least I know what I'm doing, not just blindly changing values and praying.
     
  6. jnovi

    jnovi Member

    Joined:
    Aug 12, 2010
    Messages:
    1
    Likes Received:
    0
    Oh boy. For my first post here, I'm engaging in thread necromancy.

    I don't know if anyone else cracked the secret code for adding feats, but I just did. The trick is in what Agetian called the Flags. This also changes depending on the number of feats the character has. I haven't gone too crazy experimenting, but it seems to hold up in several examined save files.

    In any case, the two bytes of the Flag are equal to 2^(number of feats) - 1.

    For those of you less mathematically inclined:
    1 - 0100
    2 - 0300
    3 - 0700
    4 - 0F00
    5 - 1F00
    6 - 3F00
    7 - 7F00
    8 - FF00
    9 - FF01
    10 - FF03
     
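    A small codec for the sizeable-array layout Agetian described above (presence byte, item size, item count, handle, items, block count, bitfield), which also applies jnovi's 2^n - 1 rule when rebuilding the bitfield. This is an added example, not code from the thread, ToEEWB or TCE; the sample bytes are constructed from dump B, and the filler bytes around the structure and the default of two bitfield blocks (matching dump D) are assumptions.

```python
import struct

# Layout as laid out in the thread (all little-endian):
#   1 byte  presence flag (0x01 = array follows, 0x00 = null array)
#   u32     item size, u32 item count, u32 in-memory handle (ignored on disk)
#   items   count * item_size bytes, one after another
#   u32     number of 32-bit bitfield blocks ("Trailer")
#   u32[n]  bitfield ("Flags"): bit i set => item index i is present
HEADER = struct.Struct("<BIII")

def parse_sar(buf, off=0):
    """Decode one sizeable array at buf[off]; returns (fields, bytes consumed)."""
    if buf[off] == 0:
        return {"present": False, "items": [], "handle": 0}, 1
    _, item_size, count, handle = HEADER.unpack_from(buf, off)
    pos = off + HEADER.size
    raw = [buf[pos + i * item_size:pos + (i + 1) * item_size] for i in range(count)]
    pos += count * item_size
    nblocks = struct.unpack_from("<I", buf, pos)[0]
    pos += 4
    bits = int.from_bytes(buf[pos:pos + 4 * nblocks], "little")
    pos += 4 * nblocks
    present = [i for i in range(32 * nblocks) if bits >> i & 1]
    if present != list(range(count)):  # count and bitfield must agree
        raise ValueError(f"bitfield {bits:#x} does not match {count} items")
    items = [int.from_bytes(r, "little") for r in raw] if item_size in (4, 8) else raw
    return {"present": True, "item_size": item_size, "handle": handle,
            "items": items, "bits": bits, "nblocks": nblocks}, pos - off

def build_sar(items, item_size=4, handle=0, nblocks=2):
    """Encode items with a consistent count and a 2**n - 1 bitfield."""
    if not items:
        return b"\x00"
    n = len(items)
    if n > 32 * nblocks:
        raise ValueError("too many items for the bitfield size")
    body = b"".join(v if isinstance(v, bytes) else v.to_bytes(item_size, "little")
                    for v in items)
    return (HEADER.pack(1, item_size, n, handle) + body
            + struct.pack("<I", nblocks) + ((1 << n) - 1).to_bytes(4 * nblocks, "little"))

def add_item(buf, off, value):
    """Return a copy of buf with one item appended to the sizeable array at off."""
    sar, used = parse_sar(buf, off)
    new = build_sar(sar["items"] + [value], sar.get("item_size", 4), sar["handle"])
    return buf[:off] + new + buf[off + used:]

# Constructed from dump B: one feat (0x10B), two bitfield blocks, filler on each side.
SAVE_B = bytes.fromhex("ffff" "01" "04000000" "01000000" "8e1b0000" "0b010000"
                       "02000000" "0100000000000000" "7201")
```

Running `add_item(SAVE_B, 2, 0x10C)` yields the structure the game itself writes back in dump D (two items, Trailer 2, Flags 3), apart from the handle, which is regenerated on load anyway.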
  7. UniversalWolf

    UniversalWolf agricola

    Joined:
    Sep 15, 2008
    Messages:
    36
    Likes Received:
    0
    Interesting.

    I've been hex-editing my saves quite a lot. One thing I got stuck on was trying to find the data for NPC party members. You can find PC party members by searching for names or experience points, but I couldn't locate the NPCs that way.

    Not a big deal, really, but I'd like to know just the same. :nerd:
     