Thread: Hex editing guide
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted April 12, 2015 12:15 PM
bonus applied by Galaad on 02 Aug 2017.
[Tutorial] Hex editing
Mod note: +QP awarded for good contributions to the forum.
Dear community.
For anyone interested in Hex editing this page will provide information on:
- Learning how to do it
- List of useful tools and external links
- List of Heroes V currently found Hex addresses
Anyone who wants to contribute with articles, tools or know-how is welcome to do so!
USEFUL SOFTWARE AND LINKS
====================================================================
This is a list of Software that can aid your modding efforts.
1. FlexHex
2. Notepad++ Hex plugin - good for reading and editing hex. Nothing special besides that.
3. Free Hex editor.
4. Cheat Engine! - very good software that gets the HEX values from memory while playing the game. Basically it can be used to get the addresses of certain things while playing. It comes with some handy tutorials as well.
5. IDA v 7.x
Very powerful software for decompiling. Used by enterprise companies. Unfortunately it is paid. There is a freeware version but it lacks many features.
6. NTCore software - Transforms 32 bit exe files into 64 bit ones. This is how MMH55_64.exe was created. Make sure the software is run as administrator.
7. Ghidra - https://ghidra-sre.org - good for disassembly, made by NSA
====================================================================
HELPFUL ASSEMBLER THIRD PARTY TOOLS
====================================================================
1. List of x86 machine instructions that can be identified in binaries.
2. Cheat Engine auto assembler commands
3. Online hex converter - www.scadacore.com
4. Hexadecimal / ASCII to decimal
5. https://godbolt.org - Compiler explorer. Translates code into assembly.
====================================================================
LEARNING HEX EDITING
====================================================================
The name 'hex' comes from 'hexadecimal': a standard numerical format for representing binary data. Learn more about meaning and origins.
Hex editing is the way of manipulating a binary file whose data is stored in hex format (this can be any Might and Magic game .exe file). To expand your knowledge with some basic hex editing theory, read this 5-minute article.
Now that you know what hex code and hex editing operations are, let's dive into some practice. Grab and install Cheat Engine. Cheat Engine is software that helps with reading and modifying binary files. The software has a 10-step tutorial which teaches in practice all the important skills that you need to know about hex editing. As a matter of fact, the tutorial even explains some advanced practices.
1. What is the stack in x86 architecture.
2. Stanford University lessons on hex calculations and understanding (Advanced)
3. Paul Hsieh's x86 Assembly tips and tricks - www.azillionmonkeys.com
4. Aggregate magic algorithms
5. Simply FPU - a co-processor functions guide.
6. Assembly switch statement lesson
====================================================================
COMMUNITY KNOWLEDGE
====================================================================
Links to all heroescommunity.com guides that relate to hex editing:
1. HEX editing the level cap by BAD
2. Heroes 3 WOG - Hex editing
3. Deflaktor's patching app
====================================================================
LIST OF KNOWN HEROES V HEX ADDRESSES
====================================================================
Specific Heroes V addresses and how their values affect the gameplay behaviour.
- Various hex addresses discovered by Deflaktor
- 00A5227A - regards diplomacy chance. (thanks to lotihoti)
- from 00A20860 to 00A20878 - You can see the formula for the calendar of the game (28*nMonth+7*nWeek+nDay)
- 00473A20 (MMH55_64.exe) - Creature spellpower formula -> 21*logbase10(10+10 * stack size/weekly growth)-22
- 004B25F5 (MMH55_64.exe) - all +50% amp artifacts, 5 times fmul called referring to constant 1.5, 4 of them are confirmed to be the 4 elements artifacts.
- 004B21DF (MMH55_64.exe) - empowered spells are the thing in the bottom of this that call that same constant 1.5 (also somewhere near the bottom of it i think is the subroutine that among other things regulates exorcism vs summoned units and also cold death effect that kills 1 extra creature)
- 004B6C39 (MMH55_64.exe) - damage bonus for soulfire fireball, at this address is the command adding 1 to the spellpower if the stack was upgraded.
- 007B1D90 to 007B2CB0 - Game menu, Multiplayer lobby section where people choose colour, faction and bonus. This is the starting place for 9th city implementation as this is the first call the game makes for city choice.
- 00AA9890 - start of the function that regards hero damage choice depending on his level and tier. Currently the hero can choose from 8 damage types (tiers) whose value is based on defaultstats.xdb. It would be nice if that value could be expanded to 10. Find more about this here.
- Deflaktor's hex dump - includes addresses for War Machines -
Tent healing, enlightenment, healing tent specialization, max artifact count, Academy Mini artifacts value offsets, NCF exe offsets, Permanent endless turns offsets, Castles tower damage offsets, ATB start of the battle random variation offsets, Archmage "energychannel" ability value offset, Hero movement and movement abilities offset (pathfinding, Tracker)
- tripling the cost of mass spells while keeping empowered spells at the same cost for Quantomas EXE
find this (searching for the first 15-20 entries should be enough to be unique):
83 EC 2C 53 55 57 8B DA 8B F9 E8 D1 F6 FF FF 8B E8 85 ED 74 04 8B CD EB 0F 8B CF E8 10 F8 FF FF 85 C0 8B C8 75 02 8B CF E8 A3 5E 06 00 85 C0 75 09 5F 5D 5B 83 C4 2C C2 04 00 85 DB 56 8B B0 90 00 00 00 74 1D 81 FF C8 00 00 00 75 15 8B 03 8B CB FF 50 20 8B F0 E8 E5 1D FA FF 0F AF B0 3C 08 00 00 85 ED 75 0B 8B CF E8 C3 F7 FF FF 85 C0 74 02 03 F6 8B 54 24 40 8B CE E8 F2 F5 15 00 8B F0 8B CF 89 74 24 10 E8 45 5E 06 00 85 C0 0F 84 C9 00 00 00 83 B8 88 00 00 00 06 0F 85 BC 00 00 00 85 DB 0F 84 9E 00 00 00 8B 13 68 BC 00 00 00 8B CB FF 92 78 01 00 00 85 C0 7E 52 E8 80 1D FA FF DB 44 24 10 D9 05 40 8D E0 00 83 EC 08 05 AC 06 00 00 D8 E9 D9 5C 24 04 D9 05 08 1A E5 00 D8 60 24 D8 C9 D9 1C 24 DD D8 E8 F3 08 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 10 D9 6C 24 10 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 03 6A 4B 8B CB FF 90 94 01 00 00 84 C0 74 29 8B 13 8B CB FF 52 20 8B F8 83 C7 01 E8 12 1D FA FF 8B C8 81 C1 50 09 00 00 8D 47 FF 99 F7 79 08 0F AF 41 0C 03 41 04 2B F0 33 C0 85 F6 0F 9E C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00 85 DB 0F 84 2C 01 00 00 83 FF 20 75 1D 8B 03 6A 0D 8B CB FF 90 94 01 00 00 84 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 13 8B CB FF 52 74 6A 2F 8B C8 E8 0A AC FB FF 85 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 03 6A 31 8B CB FF 90 94 01 00 00 84 C0 0F 84 84 00 00 00 8B CF E8 6E F6 FF FF 85 C0 74 79 E8 75 1C FA FF D9 05 40 8D E0 00 8B 13 8B F0 81 C6 A8 08 00 00 B9 09 00 00 00 8D 7C 24 18 F3 A5 D8 64 24 24 D9 5C 24 14 8B CB FF 52 20 89 44 24 40 68 00 00 80 3F DB 44 24 44 68 00 00 00 3F D8 4C 24 30 D8 6C 24 1C D9 5C 24 48 8B 44 24 48 50 E8 A5 DE B4 FF DA 4C 24 10 D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 13 6A 2A 8B CB FF 92 78 01 00 00 85 C0 74 41 DB 44 24 10 83 EC 08 D9 05 40 8D E0 00 D8 E9 D9 5C 24 04 D8 0D 0C 7C E2 00 D9 1C 24 E8 70 07 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 33 C0 85 F6 0F 9C C0 83 E8 01 
23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00 CC CC CC CC
replace it with this:
83 EC 2C 53 55 57 8B DA 8B F9 E8 D1 F6 FF FF 8B E8 85 ED 74 04 8B CD EB 0F 8B CF E8 10 F8 FF FF 85 C0 8B C8 75 02 8B CF E8 A3 5E 06 00 85 C0 75 09 5F 5D 5B 83 C4 2C C2 04 00 85 DB 56 8B B0 90 00 00 00 74 1D 81 FF C8 00 00 00 75 15 8B 03 8B CB FF 50 20 8B F0 E8 E5 1D FA FF 0F AF B0 3C 08 00 00 85 ED 74 03 8D 34 76 8B CF E8 C0 F7 FF FF 85 C0 74 03 8d 34 36 8B 54 24 40 8B CE E8 EE F5 15 00 8B F0 8B CF 89 74 24 10 E8 41 5E 06 00 85 C0 0F 84 C9 00 00 00 83 B8 88 00 00 00 06 0F 85 BC 00 00 00 85 DB 0F 84 9E 00 00 00 8B 13 68 BC 00 00 00 8B CB FF 92 78 01 00 00 85 C0 7E 52 E8 7C 1D FA FF DB 44 24 10 D9 05 40 8D E0 00 83 EC 08 05 AC 06 00 00 D8 E9 D9 5C 24 04 D9 05 08 1A E5 00 D8 60 24 D8 C9 D9 1C 24 DD D8 E8 EF 08 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 10 D9 6C 24 10 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 03 6A 4B 8B CB FF 90 94 01 00 00 84 C0 74 29 8B 13 8B CB FF 52 20 8B F8 83 C7 01 E8 1E 1D FA FF 8B C8 81 C1 50 09 00 00 8D 47 FF 99 F7 79 08 0F AF 41 0C 03 41 04 2B F0 33 C0 85 F6 0F 9E C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00 85 DB 0F 84 2C 01 00 00 83 FF 20 75 1D 8B 03 6A 0D 8B CB FF 90 94 01 00 00 84 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 13 8B CB FF 52 74 6A 2F 8B C8 E8 06 AC FB FF 85 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 03 6A 31 8B CB FF 90 94 01 00 00 84 C0 0F 84 84 00 00 00 8B CF E8 6A F6 FF FF 85 C0 74 79 E8 71 1C FA FF D9 05 40 8D E0 00 8B 13 8B F0 81 C6 A8 08 00 00 B9 09 00 00 00 8D 7C 24 18 F3 A5 D8 64 24 24 D9 5C 24 14 8B CB FF 52 20 89 44 24 40 68 00 00 80 3F DB 44 24 44 68 00 00 00 3F D8 4C 24 30 D8 6C 24 1C D9 5C 24 48 8B 44 24 48 50 E8 A1 DE B4 FF DA 4C 24 10 D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 13 6A 2A 8B CB FF 92 78 01 00 00 85 C0 74 41 DB 44 24 10 83 EC 08 D9 05 40 8D E0 00 D8 E9 D9 5C 24 04 D8 0D 0C 7C E2 00 D9 1C 24 E8 6C 07 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 33 C0 85 F6 0F 9C 
C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00
By Marco!
- quadrupling Mass spell mana for Quantomas EXE - Replace the above default value with this:
83 EC 2C 53 55 57 8B DA 8B F9 E8 D1 F6 FF FF 8B E8 85 ED 74 04 8B CD EB 0F 8B CF E8 10 F8 FF FF 85 C0 8B C8 75 02 8B CF E8 A3 5E 06 00 85 C0 75 09 5F 5D 5B 83 C4 2C C2 04 00 85 DB 56 8B B0 90 00 00 00 74 1D 81 FF C8 00 00 00 75 15 8B 03 8B CB FF 50 20 8B F0 E8 E5 1D FA FF 0F AF B0 3C 08 00 00 85 ED 74 03 C1 E6 02 8B CF E8 C0 F7 FF FF 85 C0 74 03 8D 34 36 8B 54 24 40 8B CE E8 EE F5 15 00 8B F0 8B CF 89 74 24 10 E8 41 5E 06 00 85 C0 0F 84 C9 00 00 00 83 B8 88 00 00 00 06 0F 85 BC 00 00 00 85 DB 0F 84 9E 00 00 00 8B 13 68 BC 00 00 00 8B CB FF 92 78 01 00 00 85 C0 7E 52 E8 7C 1D FA FF DB 44 24 10 D9 05 40 8D E0 00 83 EC 08 05 AC 06 00 00 D8 E9 D9 5C 24 04 D9 05 08 1A E5 00 D8 60 24 D8 C9 D9 1C 24 DD D8 E8 EF 08 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 10 D9 6C 24 10 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 03 6A 4B 8B CB FF 90 94 01 00 00 84 C0 74 29 8B 13 8B CB FF 52 20 8B F8 83 C7 01 E8 1E 1D FA FF 8B C8 81 C1 50 09 00 00 8D 47 FF 99 F7 79 08 0F AF 41 0C 03 41 04 2B F0 33 C0 85 F6 0F 9E C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00 85 DB 0F 84 2C 01 00 00 83 FF 20 75 1D 8B 03 6A 0D 8B CB FF 90 94 01 00 00 84 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 13 8B CB FF 52 74 6A 2F 8B C8 E8 06 AC FB FF 85 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 03 6A 31 8B CB FF 90 94 01 00 00 84 C0 0F 84 84 00 00 00 8B CF E8 6A F6 FF FF 85 C0 74 79 E8 71 1C FA FF D9 05 40 8D E0 00 8B 13 8B F0 81 C6 A8 08 00 00 B9 09 00 00 00 8D 7C 24 18 F3 A5 D8 64 24 24 D9 5C 24 14 8B CB FF 52 20 89 44 24 40 68 00 00 80 3F DB 44 24 44 68 00 00 00 3F D8 4C 24 30 D8 6C 24 1C D9 5C 24 48 8B 44 24 48 50 E8 A1 DE B4 FF DA 4C 24 10 D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 13 6A 2A 8B CB FF 92 78 01 00 00 85 C0 74 41 DB 44 24 10 83 EC 08 D9 05 40 8D E0 00 D8 E9 D9 5C 24 04 D8 0D 0C 7C E2 00 D9 1C 24 E8 6C 07 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 33 C0 85 F6 0F 9C 
C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00
By Marco!
- quadrupling all mass spells' mana cost except mass dispel, which only gets doubled, for Quantomas EXE
Replace this 83 EC 2C 53 55 57 8B DA 8B F9 E8 D1 F6 FF FF 8B E8 85 ED 74 04 8B CD EB 0F 8B CF E8 10 F8 FF FF 85 C0 8B C8 75 02 8B CF E8 A3 5E 06 00 85 C0 75 09 5F 5D 5B 83 C4 2C C2 04 00 85 DB 56 8B B0 90 00 00 00 74 1D 81 FF C8 00 00 00 75 15 8B 03 8B CB FF 50 20 8B F0 E8 E5 1D FA FF 0F AF B0 3C 08 00 00 85 ED 75 0B 8B CF E8 C3 F7 FF FF 85 C0 74 02 03 F6 8B 54 24 40 8B CE E8 F2 F5 15 00 8B F0 8B CF 89 74 24 10 E8 45 5E 06 00 85 C0 0F 84 C9 00 00 00 83 B8 88 00 00 00 06 0F 85 BC 00 00 00 85 DB 0F 84 9E 00 00 00 8B 13 68 BC 00 00 00 8B CB FF 92 78 01 00 00 85 C0 7E 52 E8 80 1D FA FF DB 44 24 10 D9 05 40 8D E0 00 83 EC 08 05 AC 06 00 00 D8 E9 D9 5C 24 04 D9 05 08 1A E5 00 D8 60 24 D8 C9 D9 1C 24 DD D8 E8 F3 08 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 10 D9 6C 24 10 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 03 6A 4B 8B CB FF 90 94 01 00 00 84 C0 74 29 8B 13 8B CB FF 52 20 8B F8 83 C7 01 E8 12 1D FA FF 8B C8 81 C1 50 09 00 00 8D 47 FF 99 F7 79 08 0F AF 41 0C 03 41 04 2B F0 33 C0 85 F6 0F 9E C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00 85 DB 0F 84 2C 01 00 00 83 FF 20 75 1D 8B 03 6A 0D 8B CB FF 90 94 01 00 00 84 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 13 8B CB FF 52 74 6A 2F 8B C8 E8 0A AC FB FF 85 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 03 6A 31 8B CB FF 90 94 01 00 00 84 C0 0F 84 84 00 00 00 8B CF E8 6E F6 FF FF 85 C0 74 79 E8 75 1C FA FF D9 05 40 8D E0 00 8B 13 8B F0 81 C6 A8 08 00 00 B9 09 00 00 00 8D 7C 24 18 F3 A5 D8 64 24 24 D9 5C 24 14 8B CB FF 52 20 89 44 24 40 68 00 00 80 3F DB 44 24 44 68 00 00 00 3F D8 4C 24 30 D8 6C 24 1C D9 5C 24 48 8B 44 24 48 50 E8 A5 DE B4 FF DA 4C 24 10 D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 13 6A 2A 8B CB FF 92 78 01 00 00 85 C0 74 41 DB 44 24 10 83 EC 08 D9 05 40 8D E0 00 D8 E9 D9 5C 24 04 D8 0D 0C 7C E2 00 D9 1C 24 E8 70 07 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 33 C0 85 F6 0F 9C 
C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00 CC CC CC CC CC CC CC CC CC
with this:
83 EC 2C 53 55 57 8B DA 8B F9 E8 D1 F6 FF FF 8B E8 85 ED 74 04 8B CD EB 0F 8B CF E8 10 F8 FF FF 85 C0 8B C8 75 02 8B CF E8 A3 5E 06 00 85 C0 75 09 5F 5D 5B 83 C4 2C C2 04 00 85 DB 56 8B B0 90 00 00 00 74 1D 81 FF C8 00 00 00 75 15 8B 03 8B CB FF 50 20 8B F0 E8 E5 1D FA FF 0F AF B0 3C 08 00 00 83 fd 1a 74 12 85 ED 74 03 C1 E6 02 8B CF E8 BB F7 FF FF 85 C0 74 03 8D 34 36 8B 54 24 40 8B CE E8 E9 F5 15 00 8B F0 8B CF 89 74 24 10 E8 3C 5E 06 00 85 C0 0F 84 C9 00 00 00 83 B8 88 00 00 00 06 0F 85 BC 00 00 00 85 DB 0F 84 9E 00 00 00 8B 13 68 BC 00 00 00 8B CB FF 92 78 01 00 00 85 C0 7E 52 E8 77 1D FA FF DB 44 24 10 D9 05 40 8D E0 00 83 EC 08 05 AC 06 00 00 D8 E9 D9 5C 24 04 D9 05 08 1A E5 00 D8 60 24 D8 C9 D9 1C 24 DD D8 E8 EA 08 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 10 D9 6C 24 10 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 03 6A 4B 8B CB FF 90 94 01 00 00 84 C0 74 29 8B 13 8B CB FF 52 20 8B F8 83 C7 01 E8 1B 1D FA FF 8B C8 81 C1 50 09 00 00 8D 47 FF 99 F7 79 08 0F AF 41 0C 03 41 04 2B F0 33 C0 85 F6 0F 9E C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00 85 DB 0F 84 2C 01 00 00 83 FF 20 75 1D 8B 03 6A 0D 8B CB FF 90 94 01 00 00 84 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 13 8B CB FF 52 74 6A 2F 8B C8 E8 01 AC FB FF 85 C0 74 0D 8B C6 99 2B C2 D1 F8 8B F0 89 74 24 10 8B 03 6A 31 8B CB FF 90 94 01 00 00 84 C0 0F 84 84 00 00 00 8B CF E8 65 F6 FF FF 85 C0 74 79 E8 6C 1C FA FF D9 05 40 8D E0 00 8B 13 8B F0 81 C6 A8 08 00 00 B9 09 00 00 00 8D 7C 24 18 F3 A5 D8 64 24 24 D9 5C 24 14 8B CB FF 52 20 89 44 24 40 68 00 00 80 3F DB 44 24 44 68 00 00 00 3F D8 4C 24 30 D8 6C 24 1C D9 5C 24 48 8B 44 24 48 50 E8 9C DE B4 FF DA 4C 24 10 D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 8B 13 6A 2A 8B CB FF 92 78 01 00 00 85 C0 74 41 DB 44 24 10 83 EC 08 D9 05 40 8D E0 00 D8 E9 D9 5C 24 04 D8 0D 0C 7C E2 00 D9 1C 24 E8 67 07 B3 FF D9 7C 24 40 0F B7 44 24 40 80 CC 0C 89 44 24 14 D9 6C 24 14 DB 5C 24 10 8B 74 24 10 D9 6C 24 40 33 
C0 85 F6 0F 9C C0 83 E8 01 23 C6 5E 5F 5D 5B 83 C4 2C C2 04 00
by Marco!
- allow for damage in the center for other global spells as well, but they deal 0 dmg by default, can be changed at will from xdb
Replace 75 0E 8B 54 24 20 57 8B C8 E8 C4 79 E6 FF EB 06 with 90 90 8B 54 24 20 57 8B C8 E8 C4 79 E6 FF EB 06
Center damage of the spell will be zero unless set in specific spell XDB file.
- Make Empowered Armageddon and Word of Light spells gain benefits from Ignite and Master of Fire perk
Replace 8B 43 04 83 F8 0A 75 45 8B F7 E8 49 with 8B 43 04 83 F8 15 74 45 8B F7 E8 49
- Make Empowered Armageddon, Word of Light and Curse of the Netherworld spells gain benefits from Ignite and Master of Fire perk
Replace 75 45 8B F7 E8 49 F0 FF FF 84 C0 74 1C 8B 44 24 with 90 90 8B F7 E8 49 F0 FF FF 84 C0 74 1C 8B 44 24
- How-to post from sfidanza in the "adding new creatures to TOE" thread; it explains how new object classes, creatures and artifacts are added to the game.
sfidanza said:
@Gnoll_Mage: I don't know how crazypill found out the first time for the HoF exe, and I mostly looked for about the same bits in ToE. I can explain briefly what you have to look at, but not really why.
First, there are a number of tables whose lengths are specified. Look inside data.pak/types.xml for <dbid>: those are the entry points mostly for the tables GameMechanics/RefTables/. Each has a different length, and they are of two types: lengths lower than 128 are stored in a signed short (1 byte - for values between -127 and 128), while lengths higher than 128 use a long integer (4 bytes).
Lengths seem to be specified at two places in the .exe, but let's focus on the first one. 1-byte values are given in a block like
"FF 6A xx 8D 44" (where xx is the value)
and 4-bytes values are given in a block like:
"FF 68 xx xx xx xx 8D 44" (where xx xx xx xx is the value in little endian)
As I explained in the first post, "little endian" means the bytes are reversed: 300 is 012C in hexadecimal, and is written "2C 01 00 00" in the exe.
If you looked in types.xml for <dbid>, you have noticed that there are 29 such tables. Now, the "8D 44" suffix in the exe is actually part of a longer block:
"8D 44 24 24 50 8D 4C 24 1C 51 68"
and if you look for it in H5_Game.exe, you'll see that it also appears 29 times. Now that you know how to recognize 1-byte and 4-bytes values, you can match each occurrence to its table.
Of course, that's only half the story. At the second place where the lengths are specified, all of them are written with 4 bytes, and appear in blocks like:
"B8 xx xx xx xx C3 CC CC"
There might be multiple hits of those. For example, "B8 B4 00 00 00 C3 CC CC" appears 2 times. But the one we're looking for should be in an area with other such blocks around for other lengths.
These explanations certainly do not explain the why, only a part of the how. But understanding the why is even more technical, and requires using a disassembler, which is illegal in various countries.
Now, some of you here like to barely read a technical post, obviously do not make the effort of understanding what it means, but believe that it solves everything. It does not.
====================================================================
ASSEMBLY FUNCTIONS POSSIBLE MEANING
====================================================================
(*(int (__thiscall **)(int, signed int))(*(_DWORD *)a1 + 376))(a1, X) -does hero a1 have skill X
*(float *)(number_of_creatures_maybe() + 1696) -read from file percentage from mentoring
(*(int (__thiscall **)(int))(*(_DWORD *)a1 + 424))(a1) -amount of XP hero a1 has
424))( -hero morale
420))( -hero luck
there is an ongoing collision between XP and morale on number 424
412))( -shots left maaaybe
404))( -hero defense maaaybe ??
400))( -hero attack probably (all of the above might be creature stats actually)
464)) -daily mana gained related
572))( -hero spellpower i really hope, mastery ?
(*(int (__thiscall **)(int *, int, wchar_t *))(*a4 + 568))(a4, a5, a6) -level of the magic skill relevant for smth maaaybe
(*(int (__thiscall **)(int))(*(_DWORD *)v25 + 44))(v25) -ability charges left
(*(int (__thiscall **)(int, signed int, int))(*(_DWORD *)a2 + 412))(a2, (signed int)v6, a3) -add v6 XP to hero a2 (idk what a3 is), so its basically XP related
(unsigned __int8)(*(int (__thiscall **)(int, signed int))(*(_DWORD *)a1 + 208))(a1, X) -does hero a1 have spell X ???
(*(int (__thiscall **)(int, signed int))(*(_DWORD *)a1 + 376))(a1, X) -does hero a1 have skill X ???
*(float *)(number_of_creatures_maybe() + 1472) -read from file hp per mana consume corpse
(*(int (__thiscall **)(void *))(*(_DWORD *)X + 556))(X) -number of health in a corpse X (or maybe unit)
(*(int (__thiscall **)(int))(*(_DWORD *)X + 792))(X) -does hero have artifact X
(*(int (__thiscall **)(int))(*(_DWORD *)a1 + 140)) -lost track, smth around glob spells i think
(unsigned __int8)(*(int (__thiscall **)(int, signed int))(*(_DWORD *)v2 + 648))(v2, X) -does hero v2 have specialisation X
(unsigned __int8)(*(int (__thiscall **)(int, signed int))(*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(v7 + 4) + 8) + v7 + 4) + 648))(*(_DWORD *)(*(_DWORD *)(v7 + 4) + 8) + v7 + 4, X)
(VERY) unreliable mode: ON
(*(int (__thiscall **)(int, signed int))(*(_DWORD *)v4 + 116))(v4, 21); -hero commanding the unit 21 (hopefully)
(*(int (__thiscall **)(int))(*(_DWORD *)v4 + 32))(v4) -level of hero v4
(*(int (**)(void))(*(_DWORD *)this + 604))() -hero race
( *(_DWORD *)(v10 + 172) == 283 -is it spell 283
(*(int (__thiscall **)(_DWORD, signed int))(*(_DWORD *)a2 + 644))(a2, 44) -does a2 (whatever it is) have skill 44
(*(int (__thiscall **)(int, signed int))(*(_DWORD *)a1 + 640))(a2, 44) -creature abilities
(unsigned __int8)(*(int (__thiscall **)(int, signed int))(*(_DWORD *)a1 + 640))(a1, 114)
(*(int (__thiscall **)(_DWORD, signed int))(*(_DWORD *)v4 + 640))(v4, 19)
(*(int (__thiscall **)(int))(*(_DWORD *)v6 + 420))(v6) -hero luck
(*(int (__thiscall **)(int, signed int))(*(_DWORD *)v5 + 40))(v5, 202); -spell effect 202
(*(void (__thiscall **)(int, signed int, signed int, int, _DWORD, _DWORD))(*(_DWORD *)v5 + 596)) -return changed stat to creature, or hero, mostly are reductions
(*(int (__thiscall **)(int))(*(_DWORD *)a1 + 112)) -is creature not yet a corpse
(*(int (__thiscall **)(int, signed int))(*(_DWORD *)v11 + 812))(v11, 2) -something related to number of creatures presumably
(*(int (__thiscall **)(int))(*(_DWORD *)v7 + 28))(v7) -unit tier
(*(int (__thiscall **)(void *))(*(_DWORD *)v4 + 108))(v4) -targeted unit
(*(int (__thiscall **)(int))(*(_DWORD *)v18 + 116)) -returns hero
(*(int (**)(void))(*(_DWORD *)this + 116))
*(float *)(number_of_creatures_maybe() + 1876) -how good is master of ice
(*(void (__thiscall **)(int, _DWORD))(*(_DWORD *)v3 + 388))(v3, LODWORD(v9)) -set ATB value of v3 to v9
(*(int (__thiscall **)(int))(*(_DWORD *)v3 + 380))(v3) -return ATB of v3
*(_DWORD *)(v5 + 28) -what creature ID is selected creature
*(_DWORD *)(sub_8C4F00(*(_DWORD *)(v5 + 28)) + 220) -creature size
(*(int (__thiscall **)(int))(*(_DWORD *)a2 + 116)) check above dont listen -initiative (of unit or warmachine ?)
(*(int (__thiscall **)(int))(*(_DWORD *)v6 + 800))(v6) -has hero artifact set (to learn lvl 4 spells specific instance)
(*(int (__thiscall **)(int, int, int))(*(_DWORD *)v5 + 404))(v5, a4, a3) -returns unit defense (or maybe any stat depending or arg's)
*(_DWORD *)(a3 + 68) -creature tier maaaybe
(*(int (**)(void))(*(_DWORD *)this + 604))() == 6 -this specific instance is related to elemental vision
(unsigned __int8)(*(int (__thiscall **)(int, signed int))(*(_DWORD *)v14 + 252))(v14, 4) -hopefully, is this unit a shooter
*(_DWORD *)(v1 + 136) -race of hero v1, 6 is orc
*(_DWORD *)(v4 + 212) -spell element
*(_DWORD *)(v6 + 4) -returns current spell's ID
(*(int (__thiscall **)(int))(*(_DWORD *)v19 + 116))(v19) -returns hero leading unit v19 mayybe
(*(void (__thiscall **)(void *, void *, int, int, signed int, int, int))(*(_DWORD *)a2 + 592))(a2, v56, a6, a8, a7, v39, v13) cast a spell
what is 188
(*(int (__thiscall **)(int))(*(_DWORD *)v5 + 32))(v5) -avatar of death mana related
(*(int (__thiscall **)(int *, int))(v3 + 468))(v2, v4) -total HP of a stack
256))( -related to rune 256, check all rune numbers in similar fashion
(*(_DWORD *)LODWORD(v61) + 416)) -health of one creature
(*(int (__thiscall **)(int *, int, wchar_t *))(*a4 + 568))(a4, a5, a6) -mastery of the spell
572))( -spellpower
how_much_damage_health_more((int)v10, v14, v59) -arguments are spell ID, then mastery, third is unknown
(*(int (__thiscall **)(int))(*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(v7 + 4) + 8) + v7 + 4) + 564))(*(_DWORD *)(*(_DWORD *)(v7 + 4) + 8) + v7 + 4) -hero level ?? most likely confirmed
(unsigned __int8)(*(int (__thiscall **)(int, signed int))(*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(v7 + 4) + 8) + v7 + 4) + 648))(*(_DWORD *)(*(_DWORD *)(v7 + 4) + 8) + v7 + 4, X) -does hero have specialisation X
====================================================================
CREDITS
====================================================================
- Deflaktor - being the lead assembly advisor for the community
- Marco - he has been an active assembly contributor since the beginning of April 2019, and his work so far is genius... and not yet shared in this post due to the fast pace of development.
- Lotihoti - Numerous findings
- BAD and sfidanza - the old generation of assembly contributors. Paved the stepping stone for everyone else that came across.
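The byte-for-byte replacements listed in this post ("find this ... replace it with this") are exactly what a hex editor does by hand. The Python below is an added example written for this page, not code from the thread or from any of the tools it lists; it scripts the same operation with the two checks that matter when patching an executable: the replacement must be exactly as long as the original (the "damage in the center" patch turns `75 0E`, a `jne short`, into `90 90`, two NOPs, precisely so nothing after it moves), and the search pattern must match exactly once, which is why the post advises taking enough leading bytes to be unique. The sample image is constructed filler around one copy of that pattern; `patch_file` is a hypothetical on-disk wrapper that keeps a `.bak` copy.

```python
from pathlib import Path


def hexbytes(text):
    """Parse a space-separated hex dump such as '75 0E 8B 54' into bytes. bytes.fromhex
    ignores whitespace and case, so the thread's mixed-case dumps ('8d 34 36') work too."""
    return bytes.fromhex(text)


def find_all(image, pattern):
    """Every offset at which `pattern` occurs in `image`, overlapping hits included."""
    hits, start = [], 0
    while True:
        idx = image.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def patch_bytes(image, find, replace):
    """Return (patched_image, offset) with the one occurrence of `find` swapped for `replace`.
    Two safety checks: the lengths must match (a longer or shorter replacement shifts
    every later instruction and breaks relative jumps and calls), and `find` must occur
    exactly once (otherwise the wrong function might be patched without any warning)."""
    if len(find) != len(replace):
        raise ValueError(f"length mismatch: find is {len(find)} bytes, replace is {len(replace)}")
    hits = find_all(image, find)
    if len(hits) != 1:
        raise ValueError(f"search pattern must be unique; found {len(hits)} hit(s) at {hits}")
    off = hits[0]
    return image[:off] + replace + image[off + len(find):], off


def is_rejected(image, find, replace):
    """True when patch_bytes refuses the edit; shows the safety checks firing."""
    try:
        patch_bytes(image, find, replace)
    except ValueError:
        return True
    return False


def patch_file(path, find, replace):
    """Hypothetical convenience wrapper: patch a file on disk, keep the original beside
    it as <name>.bak, and return the offset that was changed."""
    src = Path(path)
    image = src.read_bytes()
    patched, off = patch_bytes(image, find, replace)
    src.with_name(src.name + ".bak").write_bytes(image)
    src.write_bytes(patched)
    return off


# The "allow damage in the center" patch quoted in the post: 75 0E is a `jne short`,
# and 90 90 is two NOPs of the same total length, so the jump is simply never taken.
CENTER_DMG_FIND = hexbytes("75 0E 8B 54 24 20 57 8B C8 E8 C4 79 E6 FF EB 06")
CENTER_DMG_REPLACE = hexbytes("90 90 8B 54 24 20 57 8B C8 E8 C4 79 E6 FF EB 06")

# Constructed stand-in for an executable: int3 filler around one copy of the pattern.
SAMPLE_IMAGE = b"\xCC" * 32 + CENTER_DMG_FIND + b"\xCC" * 32


def demo():
    """Apply the constructed patch and return (patched_image, offset)."""
    return patch_bytes(SAMPLE_IMAGE, CENTER_DMG_FIND, CENTER_DMG_REPLACE)
```

Running `demo()` reports offset 32 and leaves every byte outside the 16-byte window untouched; feeding it an image that contains the pattern twice, or a replacement one byte short, raises instead of writing anything.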
lotihoti
Famous Hero
posted April 12, 2015 04:59 PM
Edited by lotihoti at 20:02, 12 Apr 2015.
I love this idea - maybe some advanced hex editors can give some hints.
I will try this stuff out
Edit:
What i found so far:
On Address 00A5227A you can change the chance for diplomacy...
Found another address where you can edit another skill - but I forgot to take a note - have to search it again
I have no intel proz :/ cant get bdvm
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted April 13, 2015 09:13 AM
@lotihoti, great! I will add this to the first post ;]
How did you find it?
lotihoti
Famous Hero
posted April 13, 2015 11:27 AM
Edited by lotihoti at 11:28, 13 Apr 2015.
I used cheat engine - Memory view and scrolled through.
Saw many things there, but then: diplomacy Chance +20.
I changed the value to 99 - saved - restarted the game and got diplomacy ingame. Almost every neutral creature wanted to join my army.
Found it by accident xD
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted April 13, 2015 12:15 PM
Great! Adding it to the proposed software!
lotihoti
Famous Hero
posted April 13, 2015 01:09 PM
With cheat engine you can scan files too. Not only process.
It even converts some of the code into text form. In some hours I will continue to scan the exe.
magnomagus
Admirable
Legendary Hero
modding wizard
posted April 13, 2015 08:29 PM
Here is a copy of a post from sfidanza in the adding creatures to TOE thread, it explains how new object classes, creatures, artifacts are added to the game.
Quote: @Gnoll_Mage: I don't know how crazypill found out the first time for the HoF exe, and I mostly looked for about the same bits in ToE. I can explain briefly what you have to look at, but not really why.
First, there are a number of tables whose lengths are specified. Look inside data.pak/types.xml for <dbid>: those are the entry points mostly for the tables GameMechanics/RefTables/. Each has a different length, and they are of two types: lengths lower than 128 are stored in a signed short (1 byte - for values between -127 and 128), while lengths higher than 128 use a long integer (4 bytes).
Lengths seem to be specified at two places in the .exe, but let's focus on the first one. 1-byte values are given in a block like
"FF 6A xx 8D 44" (where xx is the value)
and 4-bytes values are given in a block like:
"FF 68 xx xx xx xx 8D 44" (where xx xx xx xx is the value in little endian)
As I explained in the first post, "little endian" means the bytes are reversed: 300 is 012C in hexadecimal, and is written "2C 01 00 00" in the exe.
If you looked in types.xml for <dbid>, you have noticed that there are 29 such tables. Now, the "8D 44" suffix in the exe is actually part of a longer block:
"8D 44 24 24 50 8D 4C 24 1C 51 68"
and if you look for it in H5_Game.exe, you'll see that it also appears 29 times. Now that you know how to recognize 1-byte and 4-bytes values, you can match each occurrence to its table.
Of course, that's only half the story. At the second place where the lengths are specified, all of them are written with 4 bytes, and appear in blocks like:
"B8 xx xx xx xx C3 CC CC"
There might be multiple hits of those. For example, "B8 B4 00 00 00 C3 CC CC" appears 2 times. But the one we're looking for should be in an area with other such blocks around for other lengths.
These explanations certainly do not explain the why, only a part of the how. But understanding the why is even more technical, and requires using a disassembler, which is illegal in various countries.
Now, some of you here like to barely read a technical post, obviously do not make the effort of understanding what it means, but believe that it solves everything. It does not.
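To make sfidanza's description (quoted here and in the first post) concrete, the following is an added Python example written for this page, not code from the thread; the sample bytes are constructed in the shape he describes, not taken from H5_Game.exe. It scans an image for the two length-carrying forms, decodes the little-endian operand, finds the `B8 xx xx xx xx C3 CC CC` return-constant stubs, and rewrites a length in place. One fact worth adding to the quote: `6A xx` is `push imm8` (sign-extended) and `68 xx xx xx xx` is `push imm32`, which is why one form carries one byte and the other four, and why a 1-byte stub cannot be widened in place without shifting the code after it.

```python
import re
import struct

# The 11-byte block sfidanza says follows every length value. Decoded it is
# "lea eax,[esp+24h]; push eax; lea ecx,[esp+1Ch]; push ecx; push <imm32>", so the
# 6A xx / 68 xx xx xx xx in front of it is the push of the table length itself.
ARG_BLOCK = bytes.fromhex("8D 44 24 24 50 8D 4C 24 1C 51 68")

# Search patterns exactly as quoted in the post; DOTALL lets '.' match any byte.
LENGTH_STUB_8 = re.compile(rb"\xFF\x6A(.)\x8D\x44", re.DOTALL)        # FF 6A xx 8D 44
LENGTH_STUB_32 = re.compile(rb"\xFF\x68(.{4})\x8D\x44", re.DOTALL)    # FF 68 xx xx xx xx 8D 44
RETURN_CONST = re.compile(rb"\xB8(.{4})\xC3\xCC\xCC", re.DOTALL)     # B8 xx xx xx xx C3 CC CC


def encode_le32(n):
    """Little-endian 32-bit encoding: 300 (0x12C) -> 2C 01 00 00, as in the post."""
    return struct.pack("<I", n)


def can_hold(width, value):
    """Can a stub with a `width`-byte operand carry `value` without changing its size?
    push imm8 is sign-extended, so the 1-byte form covers -128..127 only."""
    return (-128 <= value <= 127) if width == 1 else (0 <= value < 2 ** 32)


def stub(length):
    """Constructed encoding of one table-length push in the shape the post describes.
    The leading FF belongs to the preceding instruction in a real binary; it is kept
    because the post's search pattern includes it. The trailing imm32 is the operand
    of the final 68 in ARG_BLOCK (a constructed zero here)."""
    if can_hold(1, length):
        push = b"\x6A" + struct.pack("<b", length)
    else:
        push = b"\x68" + encode_le32(length)
    return b"\xFF" + push + ARG_BLOCK + encode_le32(0)


def find_length_stubs(image):
    """(offset, length, operand_width) for every table-length push, sorted by offset."""
    found = []
    for m in LENGTH_STUB_8.finditer(image):
        found.append((m.start(), struct.unpack("<b", m.group(1))[0], 1))
    for m in LENGTH_STUB_32.finditer(image):
        found.append((m.start(), struct.unpack("<I", m.group(1))[0], 4))
    return sorted(found)


def find_return_constants(image):
    """(offset, value) for every 'mov eax, imm32; retn' stub followed by int3 padding."""
    return [(m.start(), struct.unpack("<I", m.group(1))[0]) for m in RETURN_CONST.finditer(image)]


def patch_length(image, offset, width, new_length):
    """Rewrite the length operand of the stub at `offset` in place. Refuses a value the
    existing operand width cannot carry, because widening 6A xx to 68 xx xx xx xx would
    insert three bytes and shift everything after it."""
    if not can_hold(width, new_length):
        raise ValueError(f"{new_length} does not fit a {width}-byte push operand")
    operand = struct.pack("<b", new_length) if width == 1 else encode_le32(new_length)
    start = offset + 2                      # skip the FF and the 6A/68 opcode byte
    return image[:start] + operand + image[start + width:]


# Constructed image: two length stubs (29 fits a byte, 300 needs four) and one
# return-constant stub with the value 180 (B4h) that the post mentions.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + stub(29)
    + b"\xCC" * 3
    + stub(300)
    + b"\xCC" * 3
    + b"\xB8" + encode_le32(180) + b"\xC3\xCC\xCC"
)
```

On the constructed image `find_length_stubs` reports the byte-wide stub at offset 4 holding 29 and the 4-byte stub at offset 25 holding 300, and `find_return_constants` reports 180 at offset 49; `patch_length` then changes either length in place, but asks it to put 300 into the 1-byte stub and it refuses.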
AlexSpl
Responsible
Supreme Hero
posted April 13, 2015 08:55 PM
Edited by AlexSpl at 21:22, 13 Apr 2015.
Quote: Now, the "8D 44" suffix in the exe is actually part of a longer block:
"8D 44 24 24 50 8D 4C 24 1C 51 68"
and if you look for it in H5_Game.exe, you'll see that it also appears 29 times.
Kinda naive interpretation. These - "8D 44 24 24 | 50 | 8D 4C 24 1C | 51 ..." - are called machine, or processor, instructions and can be disassembled as the following assembler commands:
lea eax, [esp+24h]
push eax
lea ecx, [esp+1Ch]
push ecx
...
It seems they are supposed to pass arguments to some function.
I recommend playing with this freeware tool https://www.hex-rays.com/products/ida/support/download_freeware.shtml for further understanding.
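As an added illustration of the decoding AlexSpl describes (example code written for this page, not the thread's own and not IDA's), the Python below hand-decodes the handful of x86 encodings that occur in the byte patterns quoted in this thread: `push r32`, `push imm8`/`push imm32`, `mov`/`lea` with a ModRM operand (including the SIB byte that any `[esp+...]` operand requires), `cmp r/m32, imm8` and the short jumps `je`/`jne`. It reproduces AlexSpl's four lines and also shows what the first post's Empowered Armageddon patch changes: the prefix `83 F8 0A 75 45` decodes as `cmp eax, 0Ah; jne`, and its replacement `83 F8 15 74 45` as `cmp eax, 15h; je`. The three byte strings at the bottom are taken from the thread; everything else is constructed.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def hexi(n):
    """Hex literal in the style IDA prints: 0x24 -> '24h', 0xC -> '0Ch', -5 -> '-5h'."""
    s = f"{abs(n):X}h"
    if s[0].isalpha():                  # assembler syntax needs a leading digit
        s = "0" + s
    return ("-" if n < 0 else "") + s


def decode_modrm(code, pos):
    """Decode the ModRM operand (plus SIB and displacement, if present) at code[pos].
    Returns (reg_field, operand_text, next_pos). Covers the 32-bit forms seen in this
    thread: register-direct, [base+disp8/disp32], and the index-less SIB form that the
    encoding requires whenever the base register is esp."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos += 1
    if mod == 3:                        # register-direct operand
        return reg, REGS[rm], pos
    if rm == 4:                         # rm=100 means a SIB byte follows
        sib = code[pos]
        pos += 1
        if (sib >> 3) & 7 != 4:
            raise NotImplementedError("scaled index registers are not needed here")
        base = sib & 7
    else:
        base = rm
    if mod == 0 and base == 5:
        raise NotImplementedError("disp32-only addressing is not needed here")
    if mod == 1:                        # 8-bit displacement, sign-extended
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    elif mod == 2:                      # 32-bit displacement
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    else:
        disp = 0
    if disp == 0:
        text = f"[{REGS[base]}]"
    else:
        text = f"[{REGS[base]}{'+' if disp > 0 else '-'}{hexi(abs(disp))}]"
    return reg, text, pos


def disassemble(code):
    """Linear sweep over `code`, one assembler line per instruction. Only opcodes that
    occur in this thread's byte patterns are handled; anything else raises, so a
    mis-aligned starting offset is noticed instead of being silently misread."""
    lines, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if 0x50 <= op <= 0x57:                      # push r32
            lines.append(f"push {REGS[op - 0x50]}")
            pos += 1
        elif op == 0x68:                            # push imm32
            lines.append(f"push {hexi(struct.unpack_from('<I', code, pos + 1)[0])}")
            pos += 5
        elif op == 0x6A:                            # push imm8, sign-extended to 32 bits
            lines.append(f"push {hexi(struct.unpack_from('<b', code, pos + 1)[0])}")
            pos += 2
        elif op in (0x8B, 0x8D):                    # mov r32, r/m32  |  lea r32, m
            reg, operand, pos = decode_modrm(code, pos + 1)
            lines.append(f"{'mov' if op == 0x8B else 'lea'} {REGS[reg]}, {operand}")
        elif op == 0x83 and (code[pos + 1] >> 3) & 7 == 7:   # 83 /7 ib = cmp r/m32, imm8
            _, operand, pos = decode_modrm(code, pos + 1)
            lines.append(f"cmp {operand}, {hexi(struct.unpack_from('<b', code, pos)[0])}")
            pos += 1
        elif op in (0x74, 0x75):                    # je / jne rel8, relative to next instruction
            rel = struct.unpack_from("<b", code, pos + 1)[0]
            lines.append(f"{'je' if op == 0x74 else 'jne'} short {'+' if rel >= 0 else ''}{hexi(rel)}")
            pos += 2
        elif op == 0x90:
            lines.append("nop")
            pos += 1
        elif op == 0xC3:
            lines.append("retn")
            pos += 1
        else:
            raise ValueError(f"opcode {op:#04x} at offset {pos} is outside this toy decoder")
    return lines


# AlexSpl's bytes, followed by the push imm32 that sfidanza's "68 xx xx xx xx" form
# describes, with 300 (12Ch) as a constructed operand.
ALEXSPL_BYTES = bytes.fromhex("8D 44 24 24 50 8D 4C 24 1C 51 68 2C 01 00 00")
# Leading bytes of the first post's "Empowered Armageddon" patch, before and after.
ARMAGEDDON_BEFORE = bytes.fromhex("8B 43 04 83 F8 0A 75 45 8B F7")
ARMAGEDDON_AFTER = bytes.fromhex("8B 43 04 83 F8 15 74 45 8B F7")


def decode_samples():
    """Disassemble the three thread snippets above, keyed by name."""
    return {name: disassemble(b) for name, b in
            [("alexspl", ALEXSPL_BYTES), ("before", ARMAGEDDON_BEFORE), ("after", ARMAGEDDON_AFTER)]}
```

`decode_samples()["alexspl"]` yields `lea eax, [esp+24h]`, `push eax`, `lea ecx, [esp+1Ch]`, `push ecx`, `push 12Ch`; comparing `"before"` with `"after"` shows that the patch changes only the compared constant and the jump condition, leaving the `mov` instructions around them intact.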
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted April 14, 2015 02:34 PM
@Alex that software can get us a lot of answers! I am adding it to the top post.
@magnomagus I will add those as well
lotihoti
Famous Hero
posted April 14, 2015 07:42 PM
Hey there!
Currently working on runic machines.
Maybe someone can explain this? If only I could understand this xD (willing to learn btw! xD)
magnomagus
Admirable
Legendary Hero
modding wizard
posted April 14, 2015 08:29 PM
Runic machines are in defaultstats, no need to use hex editing.
lotihoti
Famous Hero
posted April 14, 2015 09:41 PM
OPS xD
You're right - I wanted to edit frenzy too... and some other stuff - but then I need to understand this stuff first.
Anyone that can explain using some other words what happens during this game text?
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted May 24, 2015 08:14 PM
Hi!
I am trying to modify the formula for creature spell damage.
I took over where BAD left off. You can find some info at this address
00E48C1C dd 1.2 //double 64
And I found one indeed.
Here it is
Looking a few dozen rows below 00E48F28 I see this:
I wonder how I can change the 2.777777 modifier. It seems to be part of a formula and I want to check which one and how it will change the game.
How can I do that? It seems in this mode of interpretation I cannot do edits. I use the IDA disassembler.
Bogdanov89
Hired Hero
posted September 01, 2017 03:27 PM
thx for the guides
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted May 31, 2018 11:17 PM
Deflaktor
Responsible
Known Hero
posted June 01, 2018 12:20 AM
bonus applied by Galaad on 08 Feb 2019.
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted June 01, 2018 07:25 AM
bonus applied by Galaad on 04 Jul 2019.
Edited by Galaad at 01:34, 04 Jul 2019.
Thanks Deflaktor!
Long time no see. It was in the to-do list but somehow I never did it.
I did not know about this resource of yours. Thanks again!
P.S.
!UPDATE!
Numerous hex guides and disassembly data added.
Thanks Deflaktor!
Extra +QP awarded for continued, long time support.
____________
Join our official discord channel | NCF Utility Beta
Deflaktor
Responsible
Known Hero
posted June 16, 2019 02:31 PM
I would like to add Ghidra to this list.
Ghidra is very well suited for disassembly and decompilation of the EXE.
____________
My Heroes5 Dump /// My Heroes5 Patcher
dredknight
Honorable
Supreme Hero
disrupting the moding industry
posted June 16, 2019 02:43 PM
equator
Tavern Dweller
posted June 25, 2022 06:50 PM
First off, newbie modder wannabe here. So, I read the tutorial and was particularly interested in fixing the warlock-armageddon bug:
"- Make Empowered Armageddon and Word of Light spells gain benefits from Ignite and Master of Fire perk
Replace 8B 43 04 83 F8 0A 75 45 8B F7 E8 49 with 8B 43 04 83 F8 15 74 45 8B F7 E8 49"
In version 3.1 exe I couldn't find those bytes to replace. Could someone provide the address line for this or just elaborate how to fix it? Seems like I'm missing something here...