34 replies to this topic

[Oshizu]

Hello everyone,

 

I've got a question if you don't mind...

Has anybody ever tried to alter/modify/hook game.dat for overcoming limits like Create-A-Hero for custom factions or perhaps different stuff?

 

I feel like we could perhaps in future expand our game altering abilities and start bending engine to our will perhaps

Unfortunely i myself haven't had any revolutionary progress with game.dat modification itself yet...

 

There are few things that interest me myself in game.dat modding:

- Workaround for 'Token '%s' is not a valid member of the index list' due to Create-A-Hero new faction (I know that we can choose CaH for custom faction through keyboard trick yet i'd like to have it fixed and pretty way).

- Altering Command Points Factor or Starting Resources tabels at Skirmish Menu. Edain Mode is currently replacing command points factor which gamemode presets for altered gameplay yet unfortunely they are currently limited to 7 gamemodes due to engine limits (7 Command Point Factors Types)...

Edited by Oshizu, 31 January 2015 - 12:39 AM.

[Mathijs]

It's been attempted (the BFME1 game.dat, at least), to no success.

 

Maybe someday. 

[Oshizu]

In that case i may be first one in BFME2/ROTWK who may perhaps succeed (I wish...)

I've attempted myself some stuff with game.dat since yesterday yet unfortunely without source code, .pdb file access nor debug symbols in game.dat there was not much success... Or atleast not much of it... It was more like trial and error... And progress is slow...

 

I've managed tho, to discover and research some stuff with help of IDA Disassembler and Cheat Engine...

Successfully i've located function responsible for shutting down game with error when custom faction was tried to be listed as usable by Create-A-Hero (Thankfully to IDA i were able to get something more readable for human rather than assembly or hex code)

For comparion here's pseudo-code of that function:

int __cdecl sub_42B914(const char *ArgList, const char **a2, int a3, char a4)
{
  const char **v4; // esi@1
  int v5; // edi@3
  int v7; // [sp+8h] [bp-8h]@7

  v4 = a2;
  *(_BYTE *)a3 = 0;
  if ( !a2 || !*a2 )
  {
    sub_42F3C1((int)&v7, 2, "INTERNAL ERROR! scanIndexList: No name list provided!");
LABEL_12:
    CxxThrowException(&v7, &unk_D17000);
  }
  v5 = 0;
  do
  {
    if ( !_stricmp(*v4, ArgList) )
    {
      *(_BYTE *)a3 = 1;
      return v5;
    }
    ++v4;
    ++v5;
  }
  while ( *v4 );
  if ( a4 )
  {
    sub_42F3C1((int)&v7, 3, "Token '%s' is not a valid member of the index list", ArgList);
    goto LABEL_12;
  }
  return 0;
}

And here's the same code displayed in assembly...
It looks kinda spooky but thankfully i have already some assembly knowledge so i'm not at dead end (Yet!):

; int __cdecl sub_42B914(char *ArgList, int, int, char)
sub_42B914      proc near               ; CODE XREF: sub_42B999+16p
                                        ; sub_4B5E05+62p ...

var_8           = dword ptr -8
ArgList         = dword ptr  8
arg_4           = dword ptr  0Ch
arg_8           = dword ptr  10h
arg_C           = byte ptr  14h

                push    ebp
                mov     ebp, esp
                push    ecx
                push    ecx
                mov     eax, [ebp+arg_8]
                push    esi
                mov     esi, [ebp+arg_4]
                test    esi, esi
                push    edi
                mov     byte ptr [eax], 0
                jz      short loc_42B977
                cmp     dword ptr [esi], 0
                jz      short loc_42B977
                xor     edi, edi

loc_42B92F:                             ; CODE XREF: sub_42B914+33j
                push    [ebp+ArgList]   ; Str2
                push    dword ptr [esi] ; Str1
                call    ds:__imp__stricmp
                test    eax, eax
                pop     ecx
                pop     ecx
                jz      short loc_42B967
                add     esi, 4
                inc     edi
                cmp     dword ptr [esi], 0
                jnz     short loc_42B92F
                cmp     [ebp+arg_C], 0
                jz      short loc_42B973
                push    [ebp+ArgList]   ; ArgList
                lea     eax, [ebp+var_8]
                push    offset aTokenSIsNotAVa ; "Token '%s' is not a valid member of the"...
                push    3               ; int
                push    eax             ; int
                call    sub_42F3C1
                add     esp, 10h
                jmp     short loc_42B98A
; ---------------------------------------------------------------------------

loc_42B967:                             ; CODE XREF: sub_42B914+2Aj
                mov     eax, [ebp+arg_8]
                mov     byte ptr [eax], 1
                mov     eax, edi

loc_42B96F:                             ; CODE XREF: sub_42B914+61j
                pop     edi
                pop     esi
                leave
                retn
; ---------------------------------------------------------------------------

loc_42B973:                             ; CODE XREF: sub_42B914+39j
                xor     eax, eax
                jmp     short loc_42B96F
; ---------------------------------------------------------------------------

loc_42B977:                             ; CODE XREF: sub_42B914+12j
                                        ; sub_42B914+17j
                push    offset aInternalErrorS ; "INTERNAL ERROR! scanIndexList: No name "...
                lea     eax, [ebp+var_8]
                push    2               ; int
                push    eax             ; int
                call    sub_42F3C1
                add     esp, 0Ch

loc_42B98A:                             ; CODE XREF: sub_42B914+51j
                push    offset unk_D17000
                lea     eax, [ebp+var_8]
                push    eax
                call    _CxxThrowException
sub_42B914      endp

Function shown above seems to be responsible for crash when CaH file is analysed and Token 'Rohan' or any other newly made faction is not found on it's index list which i've yet to find... Tho this function is rather userful warning than game crasher imo. I've attempted preventing game from executing CxxThrowException aswell as sub_42F3C1 which worked as part of crash dialog to get around error but unfortunely it resulted in game.dat crashing. So one way or another if EA wouldn't add this security we get simply game.dat has stopped working from new faction in CaH. And we'd never know why? Now we've got atleast a hint... (Unless that game.dat crash was caused by some mistake of mine?)

To progress further in my goal i've started to do some stuff for altering game in C++ to experiment around more and learn more from code...

This is current version of my C++ Library which was suppose to hook 'Token is not valid' error containing function and tell me what data it passes. And eventually i started to alter myself that data. I've made also dll injector with help of internet which was suppose to put that library into actual game.dat game process. I plan to rebuild that C++ Library injector into game launcher in future perhaps for running altered game engine if things wil go nice and i'il succeed in modifying it?

 

Anyways here's the code:

#include "stdafx.h"
#include <Windows.h>
#include <detours.h>
#include "stdio.h"
#include <string.h>

#define ADDRESS 0x42B914 //0x42B914
//#define ADDRESS2 0x42B95D
//#define ADDRESS3 0x42B982
//#define ADDRESS4 0x42B993
int (__cdecl* originalFunction)(char *ArgList, char **a2, int a3, char a4);

#define _CRT_SECURE_NO_DEPRECATE

//declares
#define NOP 0x90
//declares

void nop_(PVOID address, int bytes)
{
    DWORD d, ds;
    VirtualProtect(address, bytes, PAGE_EXECUTE_READWRITE, &d);
    memset(address, NOP, bytes);VirtualProtect(address,bytes,d,&ds);
}  

void WriteLogFile(char *ArgList, char **a2)  
{
  FILE* pFile = fopen("testlogs_preview.txt", "a");
  fprintf(pFile, "ArgList: %s a2: %s\n", ArgList, *a2);
  fclose(pFile);
}

/*

 *a2 - name of the table
 ArgList - content of the table
 Example:
-ArgList: Isengard a2: Men
-ArgList: Mordor a2: Men
-ArgList: Wild a2: Men
-ArgList: Angmar a2: Men

*/
int hookedFunction(char *ArgList, char **a2, int a3, char a4)
{
    WriteLogFile(ArgList, a2);
    return originalFunction(ArgList, a2, a3, a4);
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
        originalFunction = (int(__cdecl*)(char *ArgList, char **a2, int a3, char a4))DetourFunction((PBYTE)ADDRESS, (PBYTE)hookedFunction); //Magic
        //nop_((PBYTE)ADDRESS2, 5);
        //nop_((PBYTE)ADDRESS3, 5);
        //nop_((PBYTE)ADDRESS4, 5);
        break;
    }
    return TRUE;
}

Small Slice Of Log File from CaH crash related function:

...
ArgList: GAME a2: SHELL
ArgList: Fortress a2: NONE
ArgList: THIS_TERRIORITY a2: THIS_TERRIORITY
ArgList: Barracks a2: NONE
ArgList: Armory a2: NONE
ArgList: Resource a2: NONE
ArgList: WORLD a2: TACTICAL
ArgList: CREEP a2: OBSTACLE
ArgList: SUMMONED a2: OBSTACLE
ArgList: CREATE_A_HERO a2: OBSTACLE
ArgList: COMMANDCENTER a2: OBSTACLE
ArgList: SHIP a2: OBSTACLE
ArgList: ATTRIBUTE a2: ATTRIBUTE
ArgList: ATTRIBUTE a2: ATTRIBUTE
ArgList: Men a2: Men
ArgList: Elves a2: Men
ArgList: Dwarves a2: Men
...

Full File Can Be Found Here If Your Curious: http://pastebin.com/raw.php?i=9GJkhz5S

From what i've observed above ArgList seems to be used for token itself and *a2 is id of index list or pointer to it perhaps...
I've experimented way too many times to describe it here, yet i guess i'il share the best results which i had:

int hookedFunction(char *ArgList, char **a2, int a3, char a4)
{
    WriteLogFile(ArgList, a2);
    if(!strcmp(ArgList, "Rohan"))
    {
        sprintf(ArgList, "Elves");
        return originalFunction(ArgList, a2, a3, a4);
    }
    return originalFunction(ArgList, a2, a3, a4);
}

Above code managed to stop game to crash game.dat or display crash dialog if there was invalid token 'Rohan' meant to be passed.
Yet unfortunely result of that code was that game never received any info about CaH usability in Rohan faction.. So it was like it never happened... We could manage to use it somehow tho as anti-engine crasher in future if somebody screwed up CaH in mod ?

I've found also some awesome stuff in game.dat's diassembled binary
I'il link it on pastebin tho because it'd make my post way too long:
http://pastebin.com/raw.php?i=RuDxfEiV

It seems to be few strings which compiler left. They atleast show us how source code of bfme2 could looked like which is kinda nice.

It'd be way easier to edit game by source code rather than assembly/hex/C++ workarounds way

 

Sorry if i've forgot to mention some stuff or wrote unclearly. It's almost 23AM in my country

 

What i'm hoping for tho is removing some of engine's limits or providing way to overcome them in future. I'm not sure tho if i'il be able to do it. It's going to be tough tho... If it wasn't only end of my past-christmas holidays (School starts back on monday )

Currently i'm planning to name it BFME2X basing on EA's source code folder of game.

 

And for people who are perhaps curious how i managed to browse some of game.dat stuff or want to try luck themselves here it is:

- Visual C++ 2010

- Visual C++ Detours 1.6?

- IDA Diassembler 6.1

- Cheat Engine (This program tends to be more userful than i though it will be. It allows editing game data/code on assembly level while it's running)

 

Anyways that's probably it for today's post

I hope that tommorow perhaps i'il be able to locate index table in game.dat by getting address of *a2 in hooked function..

Edited by Oshizu, 31 January 2015 - 01:59 AM.

[Ridder Geel]

I myself have not attempted this, but I look forward to seeing if you get somewhere with it!

[Valheru]

Fix the game's Host Advantage Delay and everyone will love you. Funnily enough its not present in CnC Generals, EA fucked it up somewhere in the BFME Franchise

[Oshizu]

Thanks,

It may take a while to get better hold of engine itself aswell as creating some easy-to-use api for modders

I'd need to figure out how '-mod' commandline works if i'd want to api related configs be in mod's location probably...

 

So far as start of API i've managed to make C++ function called 'Sage_Crash(const char* message)'

Allows you to display crash message, kinda useless yet good for training skill in further parts of Assembly/C++ travel

 

And for one more thingy i've managed to find index list which as i assumed before may be the table on which CaH checks factions...

I disbelived that it was it since there was no 'Men' faction on it but fortuenly it is it

Either 'Men' faction does not shows up there because it's in game.dat of bfme2 not expansion pack or either because my dissasembler failed at some part..

Anyways for test i've removed 'Arnor' from that faction list and guess what?

It resulted in game crashing like this:

Now more than likely adding custom faction like 'Rohan' or 'MotE' as an example from RJ-Rise would fix the game crash issue...

Tho from what i've seen there's not much space left in the factions table so i may be unable to do it... In worst case i'il need to replace some faction (I hope there are unused factions in there like tutorial or Observer) and in a little better case i'il need to create new factionlist table and redirect engine there

 

So far i know how to remove an address (NOPPING)

I need to yet figure out how to replace it and i shall proceed then further...

 

One way or another progress so far is better than i expected it to be 

- Cheers

Edited by Oshizu, 31 January 2015 - 03:15 PM.

[Mathijs]

Where on earth did you just pop out from?

 

Great to have someone like you here. Keep us updated!

[Oshizu]

Thanks

 

I am right now myself kinda pretty surprised, i didn't expect it to work out...
I'VE MANAGED TO ADD ONE MORE FACTION TO CaH LIST WITHOUT SACRIFACING ANY OTHER

I've replaced 'Neutral' faction on 'factions list' with 'Rohan'

Screenie:

The current way it works, naming your faction 'Rohan' and using my pre-launch game program it should allow it to be listed faction...

And therefore CaH shouldn't crash if you put Rohan in UsableFaction part...

Now i shall celebrate

And soon more than likely work on one of those plans:
1st Plan:

- Learn how does -mod parameter works

- Locate location given by -mod

- Make program search for config in data/ini/custom_cah_factions.ini

- Replace 'neutral' with faction typed in file

2nd Plan:

- Create my own faction table in game.dat

- Redirect game to use it instead of stock one

- Put in there 100 dummy names like customfaction01, customfaciton02

- Execute plan 1st while allowing config to use first 100 lines typed in as faction names

- Infinite possiblities for CaH factions

 

I could more than likely execute 1st plan and then do public release of BFME2X 0.01v with it and at later time work on Plan B

 

Anyways that's it for now, i guess...

Hopefully i've mentioned everything i wanted...

- Cheers

Edited by Oshizu, 31 January 2015 - 05:16 PM.

[Ridder Geel]

Nice, nice, impressive

[Oshizu]

I've managed moment ago to get new faction into table (Seems like assembly/hex programming is simplier and less complex than i though).
Rohan and MotE in RJ-Rise now are working
 
I may upload youtube video in hour or two perhaps... First i'il see if i'm able to put more factions into table (There are some more than likely unused offsets for strings below faction table.. I'il see if it they are really unused... If they are not then we may gain 7 - 8 more spaces for CaH faction

                                        ; void *off_DA3AC0
40 88 BF 00                             off_DA3AC0      dd offset off_BF8840    ; DATA XREF: sub_61A85A+5Bo
                                                                                ; sub_61A85A+9Bo ...
38 88 BF 00                                             dd offset aElves        ; "Elves"
90 85 BF 00                                             dd offset aDwarves      ; "Dwarves"
2C 88 BF 00                                             dd offset aIsengard     ; "Isengard"
24 88 BF 00                                             dd offset aMordor       ; "Mordor"
88 85 BF 00                                             dd offset aWild         ; "Wild"
1C 88 BF 00                                             dd offset aAngmar       ; "Angmar"
FC BE BF 00                                             dd offset aArnor        ; "Arnor"
F4 BE BF 00                             off_DA3AE0      dd offset aNeutral_1    ; DATA XREF: sub_93C576+38o
                                                                                ; sub_93DCE5+38o ...
                                                                                ; "Neutral" // Repalced with Rohan
00 00 00 00                                             align 8 // Free space currently used by MotE
84 15 BD 00                                             dd offset aNone         ; "NONE" // Mystery Strings
7C 15 BD 00                                             dd offset aHold         ; "HOLD" // Mystery Strings
74 15 BD 00                                             dd offset aKill         ; "KILL" // Mystery Strings
6C 15 BD 00                                             dd offset aSpawn_0      ; "SPAWN" // Mystery Strings
00                                                      db    0 // Free Space
00                                                      db    0 // Free Space
00                                                      db    0 // Free Space
00                                                      db    0 // Free space
84                                                      db  84h ; ä // Junk code which may be used for something? 
15                                                      db  15h // I wouldn't risk removing it for use in CaH yet
BD                                                      db 0BDh ; Ż
00                                                      db    0
5C                                                      db  5Ch ; \
15                                                      db  15h
BD                                                      db 0BDh ; Ż
00                                                      db    0
4C                                                      db  4Ch ; L
15                                                      db  15h
BD                                                      db 0BDh ; Ż

Update: Unfortunely after checking uses of  "NONE", "HOLD", "KILL", "SPAWN" in code, it seems like we won't be able to remove and their space which gives us also access to four more free spaces. Thankfully "Neutral" seems to be only accessed in one function which does not seems to do much rather than strings related stuff which eventually links to other functions that are related to statistics. But that's all there is to it. So i hope there won't be much issues with this one... One way or another it will be best if i'il manage somehow to create new factions table at different location. It may be painful tho to redirect all functions which used it to new one... There's 19 of them total

Edited by Oshizu, 31 January 2015 - 06:46 PM.

[Elric]

Looks promising and I am also intrigued by this! Good luck m8 and Ill keep watching this grow!

[Oshizu]

I've uploaded video showing how currently stuff works if anybody's curious:
Youtube Video

In future i'm planning to create actual some kind of launcher program which does everything. Runs Game with or without mod settings and applies game.dat alters instead of current console based app which waits for game.dat process to appear, after it does it hooks stuff and closes itself after everything is done...

Edited by Oshizu, 31 January 2015 - 09:34 PM.

[Elric]

awesome stuff m8!

[Oshizu]

As for today's progress it is currently possible to use CaH on five new factions and perhaps sixth one if you replace neutral...

I'il try to add one more possible faction so there will be six without observer mod and seven with it and then more than likely start working on config file for modders

 

Tho there might be some unexpected behaviour like bugs or crashes in worst case...

I don't think there will be any tho.

 

Edit:

 

It was fast, it seems like i've managed to add sixth faction to CaH Table already...

I'il be away for few hours more than likely...

When i'il get back i'il work on possiblity of reading '-mod' parameter and searching for config from mod's location and using it for allowing selected factions to have CaH... More than likely it may be impossible to remove CaH from some factions ilke Men since it seems to be already built in game.dat of BFME2 not expansion pack?

 

Example Config:

Elves
Dwarves
Isengard
Mordor
Wild
Angmar
Arnor
Hobbits
Gondor
Rohan
MotE

You should be able to add in config atleast 14 factions and 15th as replacement of Neutral

Stock config will go like this:

Elves
Dwarves
Isengard
Mordor
Wild
Angmar
Arnor

You won't be able to replace 'Neutral' in it tho

It will be naturally replaced if you use 15th place in config

 

And that's probably it for explanation how i want config to work

I'm not sure if i'il be able to make it work like this though

I guess time will show

Edited by Oshizu, 01 February 2015 - 02:24 PM.

[Elric]

Awesome! can't wait to use that config! Rohan + Arnor all the way!

[Echo]

Though I do not mod for BFME 2, this looks really good. Keep it up

 

Fix the game's Host Advantage Delay and everyone will love you. Funnily enough its not present in CnC Generals, EA fucked it up somewhere in the BFME Franchise

 

Yup, should you be able to fix that... I can't imagine how great BFME would become. It would revitalize this game in every aspect.

[Oshizu]

Coming back with some progress today

 

So far i've managed to get bfme2x to read file from bfme2-witchking folder called 'cahfactions_custom.ini'

Then grab from it faction names and use them in table...

 

Currently everything seems to work expect for replacing 'Neutral' with another faction if 7th faction on table list is used...

I'm planning to rewrite some stuff tho, the actual method of storing faction names is rather unsafe and may cause crash if faction name is too long....

I'il attempt to get game.dat to use memory from bfme2x library instead of factions which should hopefully make using config safer

 

Edit:

 

New version should support 16 letter faction names and 5 CaH slots while 5th one being replacement for 'Neutral' on faction list which is more than likely unused one way or another...

 

It may be mandatory to test stuff in-game to make sure nothing breaks by current modifications...

And by doing that i mean hours of gameplay to make sure none crash occurs. Oh well i guess i'il have lovely afternoon

 

 

Edit 2:

 

I'm uploading also second preview video of BFME2X it should be done in around two hours...

 

Edit 3:

Here it is: Youtube Video

Edited by Oshizu, 02 February 2015 - 05:15 PM.

[Echo]

Do you think (from what you've already learned in game.dat), that it is possible to add BFME 2 coding possibilities such as modules, or even BFME 2 engine to the BFME 1 game.dat?

[Oshizu]

It is possible but would be rather problematic and would take perhaps months of experimenting...

Since unpacked and diassembled game.dat file is barely readable due to compilation settings which are set by default from what i think in Visual C++ to not link symbols

Every function in game.dat is named sub_46193211 and alike... Only hints are strings and debug stuff without which code wouldn't work so was compiled and eventual hints would be running cheat engine attached to game.dat to see what x does and what y affects...

 

I have not digged deep into engine yet to be absolute correct about my assumptions posted here tho.

 

And as for news part: I am currently having rather problematic situation.  Game.dat file i used for creating BFME2X was 'modded no-dvd one' due to fact i broke my disc reader months ago i had to use that kind of for playing game. As a result i were working with different game.dat file rather than original one.

Yet thankfully recently i've found some way to make game think i have my bfme2 rotwk cd in so i were able to play with original game.dat which has shown me that current BFME2X is incompatible with it...

 

Tho that wouldn't be such a big problem since i can update hex addresses n' offsets in few minutes but it seems like original game.dat is compressed and therefore i'm barely able to get data from it comparing to no-dvd one. Creator of no-dvd mod for game.dat decompressed it already so one way or another it rather helped than hurt. If i'd get my hands on original game.dat first i'd probably be unable to do anything at all...

 

I'm currently working and attempting to decompress game.dat myself in various ways and debuggers no progress so far.

When i'il succeed tho i'il make public release of BFME2X with test feature of cah factions

 

In worst case BFME2X would require no-dvd game.dat to work which i'm going to try to avoid at all cost!

There are many alternate solutions like:

- Using modded game.dat for easier understanding of BFME Code and original one for finding somehow function/code equal to game.dat modded one

- Unpacking game.dat

Tho if i'm going to go with first solution i'il need to rewrite code to use it's own space instead of game.dat's one for storing new stuff like custom factions names and such

 

I guess that's it for now

- Cheers

Edited by Oshizu, 03 February 2015 - 10:24 PM.

[Ridder Geel]

Oh you mean decompile/use it to figure out what kinds of modules there are and what you can add as input in them?