Heroes Community > Heroes 3.5 - WoG and Beyond > Thread: How to edit HotA? (started by Baronus in January 2016)
purerogue3


Famous Hero
posted December 19, 2025 12:02 AM

So at hota.dll+14E211 the amount of gold added is at [esi+8] and in CE esi=00199438
-what is this number?

AlexSpl


Responsible
Supreme Hero
posted December 19, 2025 06:52 PM
Edited by AlexSpl at 18:55, 19 Dec 2025.

Hard to tell without seeing the corresponding code. Basically, [reg + offset] represents a field at the given offset within a class instance.

For example,

class playerData
{
public:
  char color;                                  // 0x000
  char numHeroes;                              // 0x001
  int currHero;                                // 0x004
  THeroID heroes[8];                           // 0x008
  THeroID recruits[2];                         // 0x028
  unsigned char startingNumHeroes;             // 0x030
  int personality;                             // 0x034
  type_point puzzle_guess;                     // 0x038
  char extraPuzzlePieces;                      // 0x03C
  char iDeathCountDown;                        // 0x03D
  char numTowns;                               // 0x03E
  char currTown;                               // 0x03F
  char towns[72];                              // 0x040
  unsigned char placement_help_enabled;        // 0x088
  std::vector<int> shipyards;                  // 0x08C
  int resources[7];                            // 0x09C
  unsigned long MysticalGardenFlags;           // 0x0B8
  unsigned long MagicSpringFlags;              // 0x0BC
  unsigned long DeadGuyFlags;                  // 0x0C0
  unsigned long LeanToFlags;                   // 0x0C4
  unsigned long dpid;                          // 0x0C8
  char cName[21];                              // 0x0CC
  unsigned char isLocal;                       // 0x0E1
  unsigned char isHuman;                       // 0x0E2
  int quickCombat;                             // 0x0E4
  int constructed_combo_arts_bitset;           // 0x0E8
  AI ai;                                       // 0x0EC
  float artifact_value;                        // 0x164
                                               // 0x168
};


Here, if the address of the playerData instance is stored in esi, then [esi+0x9C] represents the int resources[7] field (specifically wood, as it has index 0).

In HotA.dll you may encounter inner/temporary classes/structures/arrays or even shifted fields. So, look at the structure at the given address and try to make sense of it.

 View Profile
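An added illustration of the [reg + offset] reading in the post above (not code from the post or from HotA): the first fields of playerData are laid out with Python's ctypes, the computed offsets are checked against the listed ones, and resources[] is read from a constructed memory image. The 4-byte THeroID and type_point and the 16-byte std::vector<int> are assumptions inferred from the gaps between the listed offsets.

```python
import ctypes
import struct

C, U8, I32 = ctypes.c_char, ctypes.c_ubyte, ctypes.c_int32

class PlayerDataPrefix(ctypes.Structure):
    """playerData up to resources[7]; 'assumed' sizes are inferred from the
    gaps between the listed offsets, not taken from a real header."""
    _fields_ = [
        ("color", C), ("numHeroes", C), ("currHero", I32),
        ("heroes", I32 * 8),              # THeroID assumed to be 4 bytes
        ("recruits", I32 * 2),
        ("startingNumHeroes", U8), ("personality", I32),
        ("puzzle_guess", I32),            # type_point assumed to be 4 bytes
        ("extraPuzzlePieces", C), ("iDeathCountDown", C),
        ("numTowns", C), ("currTown", C),
        ("towns", C * 72),
        ("placement_help_enabled", U8),
        ("shipyards", I32 * 4),           # std::vector<int> assumed to be 16 bytes
        ("resources", I32 * 7),
    ]

PREFIX_SIZE = ctypes.sizeof(PlayerDataPrefix)   # next listed field starts here

# Offsets copied from the comments in the class listing above.
LISTED = {"color": 0x000, "numHeroes": 0x001, "currHero": 0x004, "heroes": 0x008,
          "recruits": 0x028, "startingNumHeroes": 0x030, "personality": 0x034,
          "puzzle_guess": 0x038, "extraPuzzlePieces": 0x03C, "iDeathCountDown": 0x03D,
          "numTowns": 0x03E, "currTown": 0x03F, "towns": 0x040,
          "placement_help_enabled": 0x088, "shipyards": 0x08C, "resources": 0x09C}

def offset_mismatches():
    """Fields where the padded layout computed by ctypes disagrees with the listing."""
    return {name: (getattr(PlayerDataPrefix, name).offset, listed)
            for name, listed in LISTED.items()
            if getattr(PlayerDataPrefix, name).offset != listed}

def field_at(offset):
    """Name the member that [reg + offset] refers to, or None for padding."""
    for name, ctype in PlayerDataPrefix._fields_:
        d = getattr(PlayerDataPrefix, name)
        if d.offset <= offset < d.offset + d.size:
            if issubclass(ctype, ctypes.Array):
                index = (offset - d.offset) // ctypes.sizeof(ctype._type_)
                return f"{name}[{index}]"
            return name
    return None

def read_resource(image, base, index):
    """Read resources[index] as `mov eax, [esi+0x9C+index*4]` would, with esi = base."""
    return struct.unpack_from("<i", image, base + LISTED["resources"] + 4 * index)[0]

# Constructed memory image: one instance at 0x40 with resources[0] = 20, resources[6] = 15000.
IMAGE = bytearray(0x40 + PREFIX_SIZE)
struct.pack_into("<i", IMAGE, 0x40 + 0x9C, 20)
struct.pack_into("<i", IMAGE, 0x40 + 0x9C + 6 * 4, 15000)
```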
Icewolf11

Tavern Dweller
posted January 04, 2026 06:07 PM

I really could use some help.
In patch 1.7.2 Hota changed some building requirements for Rampart and Dungeon.
I would love to change that back to how it was originally, but I just couldn't figure out how to do it.
Supposedly you have to hexedit in the Hota.dll but I don't know how to find the right spot or even the right Dwords to search for said spot to edit.
I really like what hota did to the game in general, but I very much dislike this change and it just frustrates me that I can't change it.
Maybe someone more knowledgeable could help me find the offsets I need to change so the building requirements go back to normal?

SilverPegasus

Tavern Dweller
posted January 06, 2026 07:53 AM

Hello everyone!

I have a question regarding artifacts that were added in Hota (Shield of Naval Glory, Crown of the Five Seas, Ring of Oblivion etc.).

I would like to change the statistics they provide for the hero.
Do You know their exact location in Hota.dll or Hota.dat, or could You provide an example of the strings responsible for it (I am using an older version of Hota)?
Initially, I thought that they follow a similar pattern to the original artifacts, but it seems that they have a different hex setup with which I am not familiar.


I would like to thank You for all Your input regarding this thread, I have learned a lot of valuable things regarding programming, as well as how Heroes 3 works. Kudos!

Phoenix4ever


Legendary Hero
Heroes is love, Heroes is life
posted January 11, 2026 08:01 AM

Has anyone found where to edit the spell probabilities of Cove, Factory and Bulwark?

CsArOs


Hired Hero
posted January 11, 2026 06:20 PM

@Phoenix4ever
casspells10, casspells11 and casspells12 include all spell probabilities one by one for each of the new towns, written in hex, one byte per spell.

Phoenix4ever


Legendary Hero
Heroes is love, Heroes is life
posted January 11, 2026 07:14 PM

Thanks CsArOs, but what are casspells?

Laserstorm


Hired Hero
posted January 12, 2026 03:53 AM

I'm currently in need of someone's programmer skills. This past weekend, I've been trying to get BTB's Preemptive Retaliation ability to work properly. The damage and mechanics behind it work fine. The issue is that the Defender doesn't 'swing' in the right direction. With the original code from BTB, the Defender would retaliate in the opposite direction of the Attacker. For example, if the Attacker attacked from top-right, the Defender would 'attack' bottom-right and vice-versa. In addition, the Defender will not turn around to face the Attacker either. For example, if the Defender is facing right and the Attacker attacks behind them from the upper left, the Defender will retaliate towards the lower right. If the Attacker attacks directly behind, the Defender retaliates straight ahead. The inline edits related to this code don't work as they crash the game the moment you enter into a battle. BTB claims the Defender retaliating in the wrong direction is not an issue he has personally experienced, but I have tested this with the Heroes 3 Shadow of Death version in the past and got the same result. With a small edit, I was able to at least make it to where the Defender only retaliates downwards when attacked, but this still isn't a solution. I know it has to be possible as the Bounty Hunters also have a similar ability. I just can't seem to make it happen.

Here is the code in question for anyone willing to help.

81 7E 34 B9 00 00 00    CMP [ESI+34], B9                          ; Checks if Defender is ID 185.
75 41                   JNE +41                                   ; Jump to displaced code if not the creature.
8A 96 87 00 00 00       MOV DL, [ESI+87]                          ; Load Defender's state flags.
F6 C2 08                TEST DL, 08                               ; Check: Is the unit in "Defend" mode?
74 36                   JZ +36                                    ; Exit if not defending.
8A 97 86 00 00 00       MOV DL, [EDI+86]                          ; Load Attacker's ability flags.
F6 C2 01                TEST DL, 01                               ; Check: Does attacker block retaliations?
75 2B                   JNZ +2B                                   ; Exit if retaliation is blocked.
80 BE 54 04 00 00 00    CMP BYTE [ESI+454], 00                    ; Check: Retaliations remaining?
74 22                   JZ +22                                    ; Exit if 0.
FF 8E 54 04 00 00       DEC [ESI+454]                             ; Consume Defender's retaliation charge.
FF 87 54 04 00 00       INC [EDI+454]                             ; Grant Attacker a retaliation charge (Ensures counter-hit).
FF 86 57 04 00 00       INC [ESI+457]                             ; Set MSB of Retaliation DWORD for Defender.
FF 87 57 04 00 00       INC [EDI+457]                             ; Set MSB of Retaliation DWORD for Attacker.
8B 47 38                MOV EAX, [EDI+38]                         ; Orientation Fix Step 1: Get Attacker's Hex.
89 45 08                MOV [EBP+08], EAX                         ; Orientation Fix Step 2: Set Attacker's Hex as Target.
57 56 5F 5E             PUSH EDI; PUSH ESI; POP EDI; POP ESI      ; Identity Swap: Defender becomes Attacker.
8B 4E 44                MOV ECX, [ESI+44]                         ; Displaced code (Load stack data).
8B 56 38                MOV EDX, [ESI+38]                         ; Displaced code (Load stack data).
C3                      RET

CsArOs


Hired Hero
posted January 13, 2026 12:58 PM
Edited by CsArOs at 13:37, 13 Jan 2026.

Phoenix4ever said:
Thanks CsArOs, but what are casspells?


Entries in the Hota.dat file.


Editing the post to avoid double-posting.


@AlexSpl I'm not really sure how you got that value for the slow formula. I'm missing some initial step, it seems. How do you open the exe in IDA while it's running and see the changes as they occur? How do you know the value of [0x699420] (all I see in Cheat Engine is 00 00 b8 05 at that offset... is that it?) and "index" in this formula?:

[0x699420] + 0x54CC + 0x548 * (21 * side + index) + 0xC4

How do you "attach to the hota process"? I only used the IDA as a reference guide with the H3API and NH3API before and I'm not sure how to use it this way.

Also when I open the cheat engine at the address calculated (0x5b8 + 0x54cc + 0x548 * 21 * ( 1 + 04 (griffin?) ) + 0xc4 = 0x285D0 (or 3C2B0 if the 21 is hex)) all I see are ??, as in the address doesn't exist, seemingly. Adding 699420h instead of the 5b8 doesn't produce anything legible either. How should I calculate it correctly? I just want to recreate your exact example in the new hota.

phoenix4ever


Legendary Hero
Heroes is love, Heroes is life
posted January 13, 2026 02:43 PM

CsArOs said:

Entries in the Hota.dat file.


Hmm okay, I searched for casspells as a text string and a few results came up.
Does it start from 39315 in HotA.dat? (I am not sure I quite understand the data here though.)

AlexSpl


Responsible
Supreme Hero
posted January 13, 2026 03:30 PM

Quote:
[0x699420] + 0x54CC + 0x548 * (21 * side + index) + 0xC4

[0x699420] is the combatManager address, so if you see 00 00 b8 05, then your combatManager is at 0x05B80000.

0x54CC is the offset of the army Armies[2][21] field.

0x548 is the size of class army.

So, if you want to access a particular army instance, you have to calculate its offset.

For example, if I want to access stack #2 (index = 2, indices start from 0) of the defender (side = 1), I have to look at the address [0x699420] + 0x54CC + 0x548 * (21 * 1 + 2).

0xC4 is the offset of the speed field within class army. But it is always the original speed of a creature. Actual speed is calculated by multiplying original speed by float slowPenalty (+0x4C8) in the case of Slow.

 View Profile
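The address arithmetic from the post above, as an added example (not code from the thread or from HotA): it turns the four bytes seen in a memory viewer into the combatManager pointer, computes a field address for a given side and stack index, and maps an address back to its side, index and field offset. All constants are the ones quoted in the post; the function names are made up for this sketch.

```python
import struct

COMBAT_MANAGER_PTR = 0x699420   # static location holding the combatManager address
ARMIES_OFFSET = 0x54CC          # army Armies[2][21] inside combatManager
ARMY_SIZE = 0x548               # size of class army
STACKS_PER_SIDE = 21
SPEED = 0xC4                    # original creature speed
SLOW_PENALTY = 0x4C8            # float slowPenalty

def deref_le32(raw):
    """Bytes as displayed at [0x699420], e.g. 00 00 b8 05, read as a little-endian pointer."""
    if len(raw) != 4:
        raise ValueError("a 32-bit pointer is exactly 4 bytes")
    return struct.unpack("<I", raw)[0]

def army_base(combat_manager, side, index):
    """Address of Armies[side][index]; side 0 = attacker, 1 = defender."""
    if side not in (0, 1) or not 0 <= index < STACKS_PER_SIDE:
        raise ValueError("side must be 0 or 1, index 0..20")
    return combat_manager + ARMIES_OFFSET + ARMY_SIZE * (STACKS_PER_SIDE * side + index)

def field_address(combat_manager, side, index, field_offset):
    """Address of one field of one stack, e.g. SPEED or SLOW_PENALTY."""
    if not 0 <= field_offset < ARMY_SIZE:
        raise ValueError("field offset lies outside class army")
    return army_base(combat_manager, side, index) + field_offset

def locate(address, combat_manager):
    """Inverse mapping: (side, index, field offset) for an address inside Armies, else None."""
    rel = address - combat_manager - ARMIES_OFFSET
    if not 0 <= rel < 2 * STACKS_PER_SIDE * ARMY_SIZE:
        return None
    slot, field_offset = divmod(rel, ARMY_SIZE)
    side, index = divmod(slot, STACKS_PER_SIDE)
    return side, index, field_offset

if __name__ == "__main__":
    cm = deref_le32(bytes.fromhex("0000b805"))      # bytes quoted in the thread
    print(hex(cm))                                   # combatManager address
    print(hex(field_address(cm, 1, 2, SPEED)))       # defender, stack #2, speed
    print(hex(field_address(cm, 1, 2, SLOW_PENALTY)))
    print(locate(field_address(cm, 1, 2, SPEED), cm))
```

The combatManager address changes between runs, so the pointer at 0x699420 has to be read again each time before computing field addresses.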
CsArOs


Hired Hero
posted January 13, 2026 05:44 PM
Edited by CsArOs at 17:45, 13 Jan 2026.

@Phoenix4Ever

casspells10 is for Cove, casspells11 for Factory, casspells12 for Bulwark.


@AlexSpl

Okay, I opened the Cheat Engine again and with your calculation I got an address of 57bd450 this time, corresponding to speed 6 (matches what griffins have). I checked the speed value, at 57bd450 - 0xc4 + 0x4c8, and it's 00 00 80 3f, which in IEEE754 matches slow of 50%. Now how do I get to the +1 bonus from there? I don't know how to set up this type of breakpoint in Cheat Engine or how to open it to alter dynamically in IDA. It's also unclear to me which value holds "actual" speed (after hota formula), since neither the initial value nor the multiplier is actually useful for me here... How do I get the slow formula in the new hota.dll?

phoenix4ever


Legendary Hero
Heroes is love, Heroes is life
posted January 13, 2026 07:06 PM
Edited by phoenix4ever at 19:08, 13 Jan 2026.

CsArOs said:

casspells10 is for Cove, casspells11 for Factory, casspells12 for Bulwark.


So far so good, but if we start at casspells10 I have these numbers:
63 61 73 73 70 65 6c 6c 73 31 30 17 and then 00 00 00.
I don't understand these numbers, I would have expected numbers like 03, 05, 0a etc...

CsArOs


Hired Hero
posted January 13, 2026 07:51 PM
Edited by CsArOs at 19:51, 13 Jan 2026.

Phoenix4Ever,

Casspells10 looks like this:

63 61 73 73 70 65 6C 6C 73 31 30 17 00 00 00 43 61 73 74 6C 65 73 5C 63 61 73 73 70 65 6C 6C 73 31 30 2E 73 74 72 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 46 00 00 00 05 08 02 03 02 03 00 0A 00 0A 04 04 04 04 08 1E 32 04 00 0A 1E 02 05 0A 00 02 00 03 02 05 02 03 03 04 0A 0A 00 05 05 00 05 0A 00 05 04 08 05 04 0A 0A 05 04 04 0A 05 05 05 00 05 05 04 08 00 0A 04 0A 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

We start with just the strings (casspells10....Castles\casspells10.str). I put them in italics above.

Then we have 0146 (underlined). This is where the actual spells list is defined - its length to be specific, length of 46h.

We then have the actual probabilities (in bold above).

 View Profile
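An added sketch of how the record described above can be read and edited in place (not code from the thread or from HotA): it finds the entry name, reads the length-prefixed path, then takes the 01 marker followed by a 32-bit little-endian count as the start of the probability table. That reading of "01 46 00 00 00", the function names, and the sample (the bytes quoted in the post, with the run of zeros before the marker shortened and the trailing bytes dropped) are assumptions of this example.

```python
import struct

# Constructed sample: bytes from the post, zero run shortened, tail dropped.
SAMPLE = bytes.fromhex(
    "63 61 73 73 70 65 6C 6C 73 31 30 "                 # "casspells10"
    "17 00 00 00 "                                      # path length = 0x17
    "43 61 73 74 6C 65 73 5C 63 61 73 73 70 65 6C 6C 73 31 30 2E 73 74 72 "
    "09 00 00 00 00 00 00 00 "                          # header bytes, meaning unknown
    "01 46 00 00 00 "                                   # marker + table length 0x46
    "05 08 02 03 02 03 00 0A 00 0A 04 04 04 04 08 1E 32 04 00 0A "
    "1E 02 05 0A 00 02 00 03 02 05 02 03 03 04 0A 0A 00 05 05 00 "
    "05 0A 00 05 04 08 05 04 0A 0A 05 04 04 0A 05 05 05 00 05 05 "
    "04 08 00 0A 04 0A 00 00 00 00"
)

def parse_casspells(blob, name=b"casspells10"):
    """Return (path, table_offset, probabilities) for the named entry."""
    start = blob.find(name)
    if start < 0:
        raise ValueError("entry name not found")
    pos = start + len(name)
    if pos + 4 > len(blob):
        raise ValueError("truncated before the path length")
    (path_len,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    if pos + path_len > len(blob):
        raise ValueError("path length runs past the end of the data")
    path = blob[pos:pos + path_len].decode("ascii")
    pos += path_len
    # Skip the header of unknown meaning: stop at the first 0x01 byte that is
    # followed by a count which still fits inside the remaining data.
    while pos + 5 <= len(blob):
        if blob[pos] == 0x01:
            (count,) = struct.unpack_from("<I", blob, pos + 1)
            if 0 < count <= len(blob) - (pos + 5):
                table_offset = pos + 5
                return path, table_offset, list(blob[table_offset:table_offset + count])
        pos += 1
    raise ValueError("no probability table found after the path")

def set_probability(blob, name, index, value):
    """Return a copy with one table byte changed; the file length never changes."""
    _, table_offset, table = parse_casspells(blob, name)
    if not 0 <= index < len(table):
        raise IndexError("index outside the probability table")
    if not 0 <= value <= 0xFF:
        raise ValueError("a probability is stored in a single byte")
    patched = bytearray(blob)
    patched[table_offset + index] = value
    return bytes(patched)

if __name__ == "__main__":
    path, offset, table = parse_casspells(SAMPLE)
    print(path, hex(offset), len(table), table[:8])
```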
phoenix4ever


Legendary Hero
Heroes is love, Heroes is life
posted January 13, 2026 08:55 PM
Edited by phoenix4ever at 20:55, 13 Jan 2026.

Sorry if I am a little dense, but what do you mean "just the strings"?
The numbers you highlighted in bold are the actual probabilities, if I understand you correctly, then these are the ones I should worry about, I suppose.

It's mostly because of Disguise, which is completely useless VS AI and Summon Boat, which all heroes start with in my map, because it is absolutely necessary, so I was thinking of replacing them with spells that actually do something.

CsArOs


Hired Hero
posted January 14, 2026 12:13 PM

@Phoenix4ever

Those are strings, as in strings encoded in ASCII. If you put these numbers into ASCII to text you will get the string, as described (f.e. "casspells10").

If it's map-specific, perhaps a better solution would be to ban a spell on the map?

phoenix4ever


Legendary Hero
Heroes is love, Heroes is life
posted January 14, 2026 12:35 PM
Edited by phoenix4ever at 12:36, 14 Jan 2026.

Okay, I have a column with text besides the rows of numbers and there I found casspells and not through the string, but oh well.

Actually banning spells is not a good solution, if you notice all towns don't have the same chance of learning Summon Boat and Disguise, so just banning them will also mess with spell probabilities, besides my map is the only map I play nowadays.
I was thinking of turning the Summon Boat chance into Bloodlust and Curse instead for example, since Curse can be quite hard to learn and we know Fire Magic is already not the best.
But I will probably think a bit more about this...

Laserstorm


Hired Hero
posted January 16, 2026 08:29 PM

I have made some progress with the Preemptive Retaliation ability. By inverting the attack direction for the Defender, the creature now properly attacks up or down depending on where the Attacker is. However, the creature still does not turn to face the Attacker when Retaliating. This is what I have so far.

81 7E 34 B9 00 00 00    CMP DWORD PTR [ESI+34], 0xB9    ; Is Juggernaut? <--Just a creature placeholder
75 4D                   JNZ +77 bytes (to Restore)      ; FIX: Now lands on 8B 4E 44
8A 96 87 00 00 00       MOV DL, [ESI+87]                ; Load Flags
F6 C2 08                TEST DL, 08                     ; Is Defending?
74 42                   JZ +66 bytes (to Restore)       ; FIX: Now lands on 8B 4E 44
80 BE 54 04 00 00 00    CMP BYTE PTR [ESI+454], 00      ; Retaliations left?
74 39                   JZ +57 bytes (to Restore)       ; FIX: Now lands on 8B 4E 44

; --- Preemptive Logic ---
FF 8E 54 04 00 00       DEC DWORD PTR [ESI+454]         ; Juggernaut Retals -1
FF 87 54 04 00 00       INC DWORD PTR [EDI+454]         ; Attacker Retals +1
FF 86 57 04 00 00       INC DWORD PTR [ESI+457]         ; Flag: Has Retaliated
FF 87 57 04 00 00       INC DWORD PTR [EDI+457]         ; Flag: Has Retaliated

This section below inverts the Attack direction to fix the up and down misalignment.

8B 45 08                MOV EAX, [EBP+08]               ; Load Direction
04 03                   ADD AL, 03                      ; Rotate 180
3C 06                   CMP AL, 06                      ; Wrap check
7C 02                   JL +2                           ; Modulo skip
2C 06                   SUB AL, 06                      ; Modulo 6
89 45 08                MOV [EBP+08], EAX               ; Store rotated Dir

This section below is the troublemaker. This is where the code is supposed to get the Defender to turn around to face the attacker but it does not.

3C 03                   CMP AL, 3                       ; --- TURN LOGIC ---
0F 9D C2                SETGE DL                        ; Leftish check
88 56 16                MOV [ESI+16], DL                ; Update Logical Facing
C6 86 F0 00 00 00 01    MOV BYTE PTR [ESI+F0h], 1       ; Set Mirror Flag

Rest of the Code:

57                      PUSH EDI                        ; Identity Swap
56                      PUSH ESI
5F                      POP EDI
5E                      POP ESI

; --- RESTORE BLOCK (ALL JUMPS LAND HERE) ---
8B 4E 44                MOV ECX, [ESI+44]               ; Restore ECX
8B 56 38                MOV EDX, [ESI+38]               ; Restore EDX
C3                      RET                             ; Safe Exit

Does anyone know how the game calculates which direction the creatures face when engaging in combat? I feel like it should be a relatively simple fix.

CsArOs


Hired Hero
posted January 17, 2026 03:10 PM

@AlexSpl

Perhaps you have missed my question earlier - how do you open the IDA to show you the addresses in-memory, and to be able to set up a breakpoint like that? I want to edit the slow function in the new hota (1.8.0). Can you please help me?

AlexSpl


Responsible
Supreme Hero
posted January 18, 2026 01:41 AM
Edited by AlexSpl at 01:42, 18 Jan 2026.

0. Run IDA with administrator rights.
1. Debugger -> Select debugger.../Switch debugger... -> Local Windows debugger.
2. Debugger -> Attach to process... -> {Choose HotA process}.
3. Go to the calculated address and set your breakpoint.
4. Continue running the game (F9).
