
Offsets

Jun 27, 2008 at 4:46 AM
andwhyisit
Administrator
Forum Administrator
"Life begins and ends with Nu."
Join Date: Jul 15, 2007
Location: Australia
Posts: 6225
Age: 39
Pronouns: he/him
Metalogz said:
But but but but but...

Who would want a hack that starts only when you save game o.o
It is for changing saved data (a.k.a. hex edit save file, load game with a 1000hp Quote :D), not making a mod out of profile.dat.
 
Apr 28, 2009 at 5:25 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
PAY ATTENTION TO THIS THREAD PEOPLE!!!!!

I usually fail at finding RAM offsets, but I managed to find one! Yay!

Quote's X-velocity = $49E66C
Quote's Y-velocity = $49E670

now I just need to find Y-velocity somehow and I can continue my plan.... heh heh heh found it (and by found I mean guessed)
 
Apr 28, 2009 at 5:28 AM
Cold Agony of Resolute Vacuum
"Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: Jan 1, 2008
Location: Elsewhere
Posts: 1973
Grim said:
Not sure if this is known yet or not, but $DE78 (or is 0xDE78 better?) is the "Fade Out" color, which is used as the background color for the opening cutscene and after the fade out animation.

aoejafoujie!!!!!
O_O
After a thousand hours of searching, the grail is found!
 
Apr 28, 2009 at 5:36 AM
Cold Agony of Resolute Vacuum
"Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: Jan 1, 2008
Location: Elsewhere
Posts: 1973
dooey100 said:
And this, my good friends, is why you should read the stickies.

I just made a sticky. :p
 
May 16, 2009 at 1:24 PM
Hax on....Hax off....
"Keep on rollin'!"
Join Date: Jan 5, 2009
Location: Easter Island
Posts: 474
dooey100 said:
Quote's X-velocity = $49E66C
Quote's Y-velocity = $49E670

Oooh! This is a good find but...the offsets only seem to go up to 48BFFF and when I ctrl + G it, I get a whole lot of commands without values. Am I perhaps looking in the wrong place?
 
May 19, 2009 at 5:07 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
Yep, you are looking in the ROM (your executable) when you should be looking in RAM (the saved data as the game is running).

So you can access that data the same way as you do other data, except instead of using a register + an offset, you use the offset directly.

So say you wanted to make a gun that gives Quote an upwards boost when you fire, you could use:

MOV EAX,[49E670]
ADD EAX,1000
MOV [49E670],EAX

note: I have no idea if 1000 would be a good number. You could end up creating a weapon that sends you into the stratosphere.
 
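The ROM/RAM confusion in the two posts above comes down to how a Win32 executable is mapped: a section's VirtualSize can be much larger than its SizeOfRawData, so an address such as $49E670 exists in the running process but has no bytes in the file a hex editor shows. The C program below is an added example (mine, not the thread's or the game's code) that classifies a virtual address against a section table. The section table and IMAGE_BASE are constructed values for illustration; they are not Doukutsu.exe's real section headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example. The section table is CONSTRUCTED for illustration and is
 * not read from Doukutsu.exe. It has the usual Win32 PE shape: .text and
 * .rdata are fully stored in the file, while .data has a large VirtualSize
 * but a small SizeOfRawData, so most of it only exists once the loader has
 * mapped and zero-filled it. */
typedef struct {
    const char *name;
    uint32_t virtual_address;  /* RVA where the section starts in memory */
    uint32_t virtual_size;     /* bytes the section occupies in memory */
    uint32_t raw_pointer;      /* file offset of the stored bytes */
    uint32_t raw_size;         /* bytes actually present in the file */
} PeSection;

#define IMAGE_BASE 0x00400000u   /* constructed; default Win32 image base */

static const PeSection SECTIONS[] = {
    /* name      RVA       VirtualSize  RawPtr    RawSize   (constructed) */
    { ".text",   0x01000u, 0x8B000u,    0x00400u, 0x8B000u },
    { ".rdata",  0x8C000u, 0x03000u,    0x8B400u, 0x03000u },
    { ".data",   0x8F000u, 0x30000u,    0x8E400u, 0x0A000u },
};
#define NUM_SECTIONS (sizeof SECTIONS / sizeof SECTIONS[0])

enum { VA_FILE_BACKED, VA_RUNTIME_ONLY, VA_UNMAPPED };

/* Classify a virtual address against the section table. When the address is
 * backed by bytes in the file, *file_off receives the file offset. */
int classify_va(uint32_t va, uint32_t *file_off)
{
    if (va < IMAGE_BASE)
        return VA_UNMAPPED;
    uint32_t rva = va - IMAGE_BASE;
    for (size_t i = 0; i < NUM_SECTIONS; i++) {
        const PeSection *s = &SECTIONS[i];
        if (rva < s->virtual_address || rva - s->virtual_address >= s->virtual_size)
            continue;
        uint32_t delta = rva - s->virtual_address;
        if (delta >= s->raw_size)
            return VA_RUNTIME_ONLY;   /* inside the section, past the stored bytes */
        if (file_off)
            *file_off = s->raw_pointer + delta;
        return VA_FILE_BACKED;
    }
    return VA_UNMAPPED;
}

/* File offset of a VA, or -1 when a hex editor cannot show it because the
 * bytes are not in the file (they exist only in RAM). */
long long file_offset_of(uint32_t va)
{
    uint32_t off = 0;
    return classify_va(va, &off) == VA_FILE_BACKED ? (long long)off : -1LL;
}

int main(void)
{
    /* Addresses quoted in the thread; the verdict follows the constructed table. */
    const uint32_t probes[] = { 0x401FA0u, 0x48F048u, 0x499B40u, 0x49E670u, 0x4C0000u };
    static const char *label[] = { "file-backed", "runtime-only (RAM)", "unmapped" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t off = 0;
        int kind = classify_va(probes[i], &off);
        if (kind == VA_FILE_BACKED)
            printf("%08X -> %s at file offset 0x%X\n", probes[i], label[kind], off);
        else
            printf("%08X -> %s\n", probes[i], label[kind]);
    }
    return 0;
}
```

With the constructed table, a code address like 00401FA0 and a ROM table like 0048F048 map to file offsets, while 00499B40 and 0049E670 fall inside .data but beyond its stored bytes, which is exactly the "commands without values" symptom: the address is valid in the process and invisible in the file.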
May 21, 2009 at 9:27 AM
Hoxtilicious
"Life begins and ends with Nu."
Join Date: Dec 30, 2005
Location: Germany
Posts: 3218
Age: 33
Pronouns: No homie
$499B40 - Inventory
$499C68 - Selected Weapon
$499C6C - Selected Item
$49E1C4 - Flash RGB Color
$49E638 - Player Flags (0x04 = Walking)
$49E650 - Equipment Flags
$49E6CC - Current Health
$49E6CE - Number of Whimsical Stars
$49E6D0 - Max Health
$49E6DC - Oxygen (x10)
$49E6E8 - Booster Energy
$49E6F4 - Nikumaru Counter Time

Note that these were figured out by Runelancer not by me. (Most of them are already posted around the forum somewhere)
 
May 25, 2009 at 12:35 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
why would you post those and not the rest?
(also found by runelancer)

00401FA0 dk_SubAmmoFromSelected(int AmmoAmount)
00402020 dk_AddAmmoToSelected(int AmmoAmount)
0040B800 dk_LoadImageFileA(A8, Ac)
0040BAC0 dk_LoadImageFileB(A8, Ac)
0040BFD0 dk_LoadImageFileC(A8, Ac)
00410D80 dk_FileLenght(char* FileName)
00410EE0 dk_CenterWindow(HWND hWindow)
00413570 dk_MessageQueue()
00416AA0 dk_GetPlayerXY(int *X, int *Y)
00419890 dk_ResetSelectedWeapon()
004198C0 dk_LevelDownFrom3()
00419C60 dk_GainHP(int HPAmount)
00480FFD dk_fopen(char* FileName, char* FileMode)

0048b8be API_VerQueryValue
0048b8c4 API_GetFileVersionInfo
0048b8ca API_GetFileVersionInfoSize
0048c038 API_GetPixel
0048c03c API_SetPixel
0048c040 API_DeleteObject
0048c100 API_GetModuleFileName
0048c1b8 API_GetWindowRect
0048c1e0 API_PeekMessage
0048c1e4 API_GetMessage
0048c1e8 API_TranslateMessage
0048c1ec API_DispatchMessage
0048c1f0 API_DeleteMenu

0048f040 WeaponIconXOffset [icon and text; 0x10 is centered]
0048f914 GraphicScale [Part of the data which handles different resolutions.]
0048f91c FullscreenRect [Rect which covers the screen. Render onto this.]
0048f924 RenderWidth [Which X to stop rendering on.]
0048f928 RenderHeight [Which Y to stop rendering on.]
00493464 Timer1000Init [Set to 0x00 once init.]
00493618 KeyForNextWeapon [which key is "next weapon"]
0049361C KeyForPrevWeapon [which key is "previous weapon"]
00493620 KeyForMenu [which key is "menu"]
00493624 KeyForMinimap [which key is "minimap"]
00493628 KeyForJump [which key is "jump"]
0049362C KeyForShoot [which key is "shoot"]
00493630 KeyForLeft [which key is "left"]
00493634 KeyForUp [which key is "up"]
00493638 KeyForRight [which key is "right"]
0049363C KeyForDown [which key is "down"]
004937b0
00499b40 Inventory[0x00] 0x04 x 0x20 in size.
00499bc0 InventoryViewType [ Checking weapons 0x00 or items? 0x01 ]
00499bc4 InventoryLabelPos [ Relative height of --Arms-- and --Item-- labels. ]
00499bc8 WeaponData[0x00].ID +00 0x14 in size.
00499bcb WeaponData[0x00].ShotID +04
00499bcc WeaponData[0x00].Level +08
00499bd0 WeaponData[0x00].Energy +0c
00499bd4 WeaponData[0x00].MaxAmmo +10
00499bd8 WeaponData[0x00].Ammo +14
...
? WeaponData[0x??]
00499c68 SelectedWeaponID
00499c6c SelectedItemID
00499c70 MenuRectFlash [Whether the rectangle is white or black, for the flash effect.]
00499c78 BackgroundSizeX
00499c7C BackgroundSizeY
00499C88 BackgroundMode
00499c90 GlobalWaterDepth [How deep the water is - think "core battle." Not visual, just effect-wise.]
00499C98 WeaponObj[0x00].Collision +0x00 [01:WallL 02:WallR 04:WallT 08:WallB 10: 20: 40: 80: ] x 0x80
00499C9C WeaponObj[0x00].ShotID +0x04 [6=GunLv3, 8=FireballLv2... Hell, see table.]
00499CA0 WeaponObj[0x00].Flags +0x08 [01:??? 02:??? 04:Ignore_Wall 08:Climb_Slope 10:??? 20:??? 40:??? 80:???]
00499CA4 WeaponObj[0x00].InUse +0x0C [0x80: in use]
00499CA8 WeaponObj[0x00].X +0x10
00499CAC WeaponObj[0x00].Y +0x14
00499CB0 WeaponObj[0x00].MoveX +0x18
00499CB4 WeaponObj[0x00].MoveY +0x1C
00499CB8 WeaponObj[0x00].??? +0x20
00499CBC WeaponObj[0x00].??? +0x24
00499CC0 WeaponObj[0x00].WasSetup +0x28 [handles whether the setup phase is over or not.]
00499CC4 WeaponObj[0x00].??? +0x2C
00499CC8 WeaponObj[0x00].??? +0x30
00499CCC WeaponObj[0x00].FrameID +0x34
00499CD0 WeaponObj[0x00].Direction +0x38
00499CD4 WeaponObj[0x00].Display_L +0x3C
00499CD8 WeaponObj[0x00].Display_U +0x40
00499CDC WeaponObj[0x00].Display_R +0x44
00499CE0 WeaponObj[0x00].Display_D +0x48
00499CE4 WeaponObj[0x00].Distance +0x4C [how far it has travelled]
00499CE8 WeaponObj[0x00].??? +0x50
00499CEC WeaponObj[0x00].MaxDistance +0x54 [how long the "particle" lives]
00499CF0 WeaponObj[0x00].Damage +0x58
00499CF4 WeaponObj[0x00].NumImpacts +0x5C
00499CF8 WeaponObj[0x00].??? +0x60
00499CFC WeaponObj[0x00].??? +0x64
00499D00 WeaponObj[0x00].??? +0x68
00499D04 WeaponObj[0x00].??? +0x6C
00499D08 WeaponObj[0x00].??? +0x70
00499D0C WeaponObj[0x00].??? +0x74
00499D10 WeaponObj[0x00].??? +0x78
00499D14 WeaponObj[0x00].??? +0x7C
...
0049BC18 WeaponObj[0x3F]
-
0049BCA8 EffectObj[0x00].InUse +0x00 0x44 in len
0049BCAC EffectObj[0x00].ID +0x04
0049BCB0 EffectObj[0x00].Mode +0x08
0049BCB4 EffectObj[0x00].X +0x0C
0049BCB8 EffectObj[0x00].Y +0x10
0049BCBC EffectObj[0x00].MoveX +0x14
0049BCC0 EffectObj[0x00].MoveY +0x18
0049BCC4 EffectObj[0x00].WasInit +0x1C
0049BCC8 EffectObj[0x00]. +0x20 ; Unused?
0049BCCC EffectObj[0x00].FrameID +0x24 ; This is the actual frame to display, from the rects.
0049BCD0 EffectObj[0x00].FrameTimer +0x28
0049BCD4 EffectObj[0x00].XOffset +0x2C
0049BCD8 EffectObj[0x00].YOffset +0x30
0049BCDC EffectObj[0x00].Display_L +0x34
0049BCE0 EffectObj[0x00].Display_U +0x38
0049BCE4 EffectObj[0x00].Display_R +0x3C
0049BCE8 EffectObj[0x00].Display_D +0x40
-
0049CDA8 ScreenOffsetX
0049CDAC ScreenOffsetY
0049CDB0 Rect_Fullscreen.L
0049CDB4 Rect_Fullscreen.U
0049CDB8 Rect_Fullscreen.R
0049CDBC Rect_Fullscreen.D

0049D368 HFontObject [Handle to the game's font.]
0049D374 Fullscreen_Width
0049D378 Fullscreen_Height
0049D37C DirectDrawObj [Instance of the Direct Draw object, once created.]
0049d380 DD7_SurfaceA [LPDIRECTDRAW7SURFACE* to the main display.]
0049d384 DD7_SurfaceB [LPDIRECTDRAW7SURFACE* to the main display.]
+14: Blt
+44: GetDC
+64: Lock
+68: ReleaseDC
0049D388 ImageResSurface [LPDIRECTDRAW7SURFACE* to image resources. 0x?? x 0x04]
0049D428 WinRect.L [window rect, used once only]
0049D42C WinRect.U
0049D430 WinRect.R
0049D434 WinRect.D
0049D438 LastTickCount
0049D43C CurrentTickCount
0049d440 RECT_ScreenCopy [RECT struct used to copy the screen.]
0049D450 DDBLTFX_ScreenCopy [DDBLTFX struct used to copy the screen.]
0049D4B4 BlitRect4B4.L [Used at one place only.]
0049D4B8 BlitRect4B4.U
0049D4BC BlitRect4B4.R
0049D4C0 BlitRect4B4.D
0049D4C4 BlitRect4C4.L [Used at one place only.]
0049D4C8 BlitRect4C4.U
0049D4CC BlitRect4C4.R
0049D4D0 BlitRect4C4.D
0049D4D4 BlitRect4D4.L [Used at one place once.]
0049D4D8 BlitRect4D4.U
0049D4DC BlitRect4D4.R
0049D4E0 BlitRect4D4.D
0049D4E4 BlitRect4E4.L [Used at one place once.]
0049D4E8 BlitRect4E4.U
0049D4EC BlitRect4E4.R
0049D4F0 BlitRect4E4.D
0049d514 RECT_Clear [RECT struct used to clear the screen.]
0049D528 DDBLTFX_Clear [DDBLTFX struct used to clear the screen.]
0049D610 ???, x 0x0018
0049D628 ???, x 0x0500
0049DB30 ???, x 0x0268
0049DD98 ???, x 0x0008
0049DDA0 EventFlags x 03E8, 1 bit each so 8000 flags.
0049E190 OccasionalFlash If set to true, the screen flashes occasionally.
0049E1C4 FlashColor [Color of the flash, RGB]
0049E1DC SoftQuakeDuration [How long the screen shakes for. Soft shake.]
0049E1E0 HardQuakeDuration [How long the screen shakes for. Hard shake.]
0049E1E4 CursorPosition [Cursor position ID, maybe just for the title screen...]
0049E1E8 GameState [0: title, 3: normal play, 4 game over/black fade, 5 event, 7 status screen; &2=accepts input]
0049E1EC GameTime
0049E1F0 DirectInputObj [Instance of the Direct Input object, once created.]
0049E210 Key_Held See Key Table.
0049E214 Key_Pressed See Key Table.
0049E218 LastKeyHeld
0049E328 FullExePath [Full path to the executable.]
0049E37C (last possible flag...)
0049E44C AppInstance
0049E458 AppWinHandle
0049e464 ShowFPS [Set to non-zero to have an FPS counter.]
0049E468 CanAcceptInput [Set to 0 when focus is lost. Locks keyboard when unset.]
0049e46C Timer1000Time [Final Time the 1000 timer took to complete.]
0049e470 Timer1000Elapsed [Time elapsed during the 1000 tick counter's countdown.]
0049e474 Timer1000Ticks [Timer updated every 1000 ticks.]
0049E5B8 ???, x 0x0080 MPJ array, indexed by map ID...
0049E638 PlayerFlags [0x01 Inspecting | 0x02 Removed | 0x04 Walking | 0x08 | 0x10 | 0x20 | 0x40 | 0x80 Visible]
0049E640 DirectionFaced
0049E644 IsFacingUp [0x01 Facing Up]
0049E648 IsFacingDown [0x01 Facing Down]
0049E64C InFishBattle [When 0x01, move around screen in bubble like in fish battle]
0049E650 EquippedItems
0049E654 PlayerXPosition [In pixels]
0049E658 PlayerYPosition [In pixels]
0049E66C VelocityX [how much current/wind is affecting the player. X axis.]
0049E670 VelocityY [how much current/wind is affecting the player. Y axis.]
0049E67C QuoteHitRect.L [used to determine quote's solidity]
0049E680 QuoteHitRect.U
0049E684 QuoteHitRect.R
0049E688 QuoteHitRect.D
0049E68C QuoteSizeRect.L [used to determine quote's size]
0049E690 QuoteSizeRect.U
0049E694 QuoteSizeRect.R
0049E698 QuoteSizeRect.D
0049E6AC WeaponSrcRect.L [used to render quote's weapon]
0049E6B0 WeaponSrcRect.U
0049E6B4 WeaponSrcRect.R
0049E6B8 WeaponSrcRect.D
0049E6C0 LvBarFlashesLeft [how many flashes before the bar stops flashing]
0049E6C4 ExpToGained [how much exp remains to be gained - reset to 0 after using]
0049E6CC CurrentHealth
0049E6CE NumWhimStars
0049E6D0 MaxHealth
0049E6D4 YellowHealthBar [health bar value - the yellow part]
0049E6D8 YellowHealthBarTimer [yellow health bar updated each 0x1E ticks]
0049E6DC Oxygen (x10)
0049E6E8 JetpackEnergy
0049E6F4 NikumaruTime

004A4DA8 TimerHandle [Handle to a timeSetEvent timer.]
004A4DAC IsTimerActive [Set to 0x01 if the timeSetEvent timer is active.]
004A5500 ???, x 0x0040
004a5568 SoundBufferArray [Series of 4 byte pointers to IDirectSoundBuffer objects, one per sound ID.]
004A57E8 DirectSoundObj [Instance of the Direct Sound object, once created.]
004a57f0 CurrentMapID
004a57f4 CurrentSongID
004a57fc PreviousSongID [backup to revert to the last song played]

004A5800 WhimsicalStar [3 elements [68 bytes]: 004A5800 - 004A58CB]
+0C XPosition
+10 YPosition
+14 XVelocity
+18 YVelocity
004a58cc CurrentStarID [which whimsical star is being updated currently]

004a5ad8 PCurrentScript [Where the current script is loaded]
004a5ae0 ScriptPosition [Which position into the current script file we're at]
004a5ae4 TextColumn [which column text is written at]
004A5B0C FaceID [which face is being displayed]
004A5F98 ???, x 0x0280
004a6220 Event[0x00].InUse +0x00 [0x00000080 if used] x 0xAC length and 0x200 events? Goes up to 4BBA20..
004a6224 Event[0x00].State +0x04 ; Flags: 01:HitWallL 02:? 04:HitWallR 08:? 10:? 20:? 40:? 80:?
004a6228 Event[0x00].X +0x08
004a622C Event[0x00].Y +0x0C
004a6230 Event[0x00].MoveX +0x10
004a6234 Event[0x00].MoveY +0x14
004a6248 Event[0x00].NPCID +0x28
004a6250 Event[0x00].EventID +0x30 ; As set in Sue's Workshop.
004a626C Event[0x00].Direction +0x4C
004a6274 Event[0x00].Display_L +0x54
004a6278 Event[0x00].Display_U +0x58
004a627C Event[0x00].Display_R +0x5C
004a6280 Event[0x00].Display_D +0x60
004A6284 Event[0x00].FrameTimer +0x64
004A6288 Event[0x00].FrameID +0x68 ; This is the actual frame to display, from the rects.
004A628C Event[0x00].ObjectTimer +0x6C
004A6294 Event[0x00].ScriptState +0x74
004A6298 Event[0x00].ScriptTimer +0x78
004A629C Event[0x00].Hitbox_L +0x7C
004A62A0 Event[0x00].Hitbox_U +0x80
004A62A4 Event[0x00].Hitbox_R +0x84
004A62A8 Event[0x00].Hitbox_D +0x88
004A62C4 Event[0x00].Damage +0xA4
..
004bba34 NPCStruct[0x00].Flags +0x00 x 0x18
004bba36 NPCStruct[0x00].Health +0x02
004bba38 NPCStruct[0x00].Tileset +0x04
004bba39 NPCStruct[0x00].DeathSnd +0x05
004bba3A NPCStruct[0x00].HurtSnd +0x06
004bba3B NPCStruct[0x00].DeathAnim +0x07
004bba3C NPCStruct[0x00].Exp +0x08
004bba40 NPCStruct[0x00].Damage +0x0C
004bba44 NPCStruct[0x00].HitBox[4] +0x10
004bba48 NPCStruct[0x00].DisplayBox[4] +0x14

004BBA58 ???, x 0x0D70 boss data?

004bd02c HeapHandle
004be044 PCommandLine
 
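Runelancer's list reads as a set of struct layouts: a base address, a stride, and a field offset each. The C below is an added example, not code from the thread or from Runelancer. It writes down the NPCStruct layout (0x18 bytes), checks that the compiler's offsetof values match the posted offsets before trusting them, does the base + index * stride arithmetic for the WeaponObj array (0x499C98, stride 0x80) and the Event array (0x4A6220, stride 0xAC), and decodes one entry from a byte image. Field names are mine; the sample entry bytes are constructed, not dumped from the game.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example. Widths and offsets come from the list above; the field
 * names are mine. Natural alignment already reproduces the 0x18 stride,
 * which npc_layout_matches_list() verifies. */
typedef struct {
    uint16_t flags;          /* +0x00 */
    uint16_t health;         /* +0x02 */
    uint8_t  tileset;        /* +0x04 */
    uint8_t  death_snd;      /* +0x05 */
    uint8_t  hurt_snd;       /* +0x06 */
    uint8_t  death_anim;     /* +0x07 */
    uint32_t exp;            /* +0x08 */
    uint32_t damage;         /* +0x0C */
    uint8_t  hitbox[4];      /* +0x10 */
    uint8_t  display_box[4]; /* +0x14 */
} NpcStruct;

#define NPC_TABLE_BASE  0x004BBA34u
#define WEAPON_OBJ_BASE 0x00499C98u
#define WEAPON_OBJ_SIZE 0x80u
#define EVENT_BASE      0x004A6220u
#define EVENT_SIZE      0xACu

/* Prove the compiler's layout matches the posted offsets. */
int npc_layout_matches_list(void)
{
    return sizeof(NpcStruct) == 0x18
        && offsetof(NpcStruct, health) == 0x02
        && offsetof(NpcStruct, tileset) == 0x04
        && offsetof(NpcStruct, exp) == 0x08
        && offsetof(NpcStruct, damage) == 0x0C
        && offsetof(NpcStruct, hitbox) == 0x10
        && offsetof(NpcStruct, display_box) == 0x14;
}

/* Address arithmetic for the arrays in the list: base + index * stride. */
uint32_t weapon_obj_addr(unsigned index) { return WEAPON_OBJ_BASE + index * WEAPON_OBJ_SIZE; }
uint32_t event_addr(unsigned index)      { return EVENT_BASE + index * EVENT_SIZE; }
uint32_t npc_field_addr(unsigned npc_id, size_t field_offset)
{
    return NPC_TABLE_BASE + npc_id * (uint32_t)sizeof(NpcStruct) + (uint32_t)field_offset;
}

/* Decode one entry from a little-endian byte image (e.g. 0x18 bytes copied
 * out of a memory dump), independent of host endianness and struct packing. */
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

NpcStruct npc_struct_decode(const uint8_t *p)
{
    NpcStruct n;
    n.flags      = le16(p + 0x00);
    n.health     = le16(p + 0x02);
    n.tileset    = p[0x04];
    n.death_snd  = p[0x05];
    n.hurt_snd   = p[0x06];
    n.death_anim = p[0x07];
    n.exp        = le32(p + 0x08);
    n.damage     = le32(p + 0x0C);
    for (int i = 0; i < 4; i++) {
        n.hitbox[i]      = p[0x10 + i];
        n.display_box[i] = p[0x14 + i];
    }
    return n;
}

/* CONSTRUCTED sample entry for the demo; not dumped from the game. */
const uint8_t SAMPLE_NPC_ENTRY[0x18] = {
    0x21, 0x00,             /* flags      = 0x0021 */
    0x10, 0x00,             /* health     = 16 */
    0x02, 0x15, 0x32, 0x03, /* tileset 2, death snd 0x15, hurt snd 0x32, death anim 3 */
    0x05, 0x00, 0x00, 0x00, /* exp        = 5 */
    0x0A, 0x00, 0x00, 0x00, /* damage     = 10 */
    0x04, 0x04, 0x04, 0x04, /* hitbox */
    0x08, 0x08, 0x08, 0x08, /* display box */
};

int main(void)
{
    NpcStruct n = npc_struct_decode(SAMPLE_NPC_ENTRY);
    printf("layout ok: %d\n", npc_layout_matches_list());
    printf("WeaponObj[0x3F] at %08X, Event[0x200] would start at %08X\n",
           weapon_obj_addr(0x3F), event_addr(0x200));
    printf("NPC 0 health lives at %08X\n", npc_field_addr(0, offsetof(NpcStruct, health)));
    printf("sample: health=%u damage=%u hurt_snd=%02X\n", n.health, n.damage, n.hurt_snd);
    return 0;
}
```

Two of the list's own remarks fall out of the arithmetic: 0x499C98 + 0x3F * 0x80 is 0x49BC18, the WeaponObj[0x3F] line, and 0x4A6220 + 0x200 * 0xAC is 0x4BBA20, the "goes up to 4BBA20" note on the Event array.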
May 25, 2009 at 1:27 AM
Hoxtilicious
"Life begins and ends with Nu."
Join Date: Dec 30, 2005
Location: Germany
Posts: 3218
Age: 33
Pronouns: No homie
Wtf, where did you get that list? :p
 
May 25, 2009 at 1:30 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
rune.
thought you'd have them though.
=P
 
May 25, 2009 at 1:46 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
oops, forgot part:

ROM

0x0048C4D8 0x01 x 0x08 b ROM_ImageTag The tag-text "(C)Pixel" used to protect images.
0x0048F048 0x?? x 0x2C b ROM_WeaponData Weapon info.
0x0048F048 0x00 Damage
0x0048F049 0x01 Num Impacts
0x0048F04C 0x04 MaxDistance
0x0048F050 0x08 Behavior Flags [01:??? 02:??? 04:Ignore_Wall 08:Climb_Slop 10:??? 20:??? 40:??? 80:???]
0x0048F054 0x0C
0x0048F058 0x10
0x0048F05C 0x14
0x0048F060 0x18
0x0048F064 0x1C Pos Offset L
0x0048F068 0x20 Pos Offset U
0x0048F06C 0x24 Pos Offset R
0x0048F070 0x28 Pos Offset D
0x0048F8C0 0x?? x 0x04 b ROM_PEffects Pointer to the effects (puff, spark..)
0x0048F93C 0x01 x 0x04 b ROM_PImageTag Pointer to the tag-text.
0x0048F940 0x57 x 0x?? b ROM_SoundData Sounds 0x0001161A is the code which loads it. Function pushes the address and the sound ID.
0x00493640 0x01 x 0x04 b ROM_PClassName Pointer to class name. 0x00012331 is the code which loads it.
0x00493660 0x04 x ?? b ROM_WeaponExpTables Weapon exp tables. Weapon 0, Lv 1, 2, 3; Weapon 1, Lv 1, 2, 3... etc.
0x004937B0 0xC8 x ?? b ROM_MapHeaders Map headers.
0x004937B0 0x00 TilesetName
0x004937D0 0x20 MapFileName
0x004937F0 0x30 BGType
0x004937F4 0x44 BGImageFile
0x00493814 0x64 SpriteFileA
0x00493834 0x84 SpriteFileB
0x00493854 0xA4 BossID
0x00493855 0xA5 Name
0x004981E8 0x2A x 0x04 b Pointer to songs L00420F48 loads it. Seems to be names, but swapping them works? Weird.
0x00498548 0x0169 x 0x04 b ROM_PEnemyCode Pointer to enemy code.
0x00498AEC 0x0A x 0x04 b ROM_PBossCode Pointer to boss code.
 
Jun 17, 2009 at 1:36 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
wait...
RAM = Nothing interesting for you I guess :D Also not for me.
that is simply not true. it's a lie!
 
Aug 26, 2009 at 10:47 PM
Lvl 1
Forum Moderator
"Life begins and ends with Nu."
Join Date: May 28, 2008
Location: PMMM MMO
Posts: 3713
Age: 32
Found an offset:

For npc's and their assembly....

+0xA4: Entity Damage

It can be changed in the assembly code during runtime, found it while looking at the assembly for the horizontal moving block that's seen in the labyrinth.

Code:
0044554A  |> 8B15 3CE64900  MOV EDX,DWORD PTR DS:[49E63C]            ;  Check's if quote's going to be crushed
00445550  |. 83E2 04        AND EDX,4
00445553  |. 74 23          JE SHORT doukutsu.00445578
00445555  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00445558  |. 0FB748 50      MOVZX ECX,WORD PTR DS:[EAX+50]
0044555C  |. 81C9 80000000  OR ECX,80                                ;  sets flag?
00445562  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
00445565  |. 66:894A 50     MOV WORD PTR DS:[EDX+50],CX
00445569  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0044556C  |. C780 A4000000 >MOV DWORD PTR DS:[EAX+A4],64             ;  Set's npc damage to 100 (64)
00445576  |. EB 21          JMP SHORT doukutsu.00445599
00445578  |> 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
0044557B  |. 0FB751 50      MOVZX EDX,WORD PTR DS:[ECX+50]
0044557F  |. 81E2 7FFFFFFF  AND EDX,FFFFFF7F
00445585  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00445588  |. 66:8950 50     MOV WORD PTR DS:[EAX+50],DX
0044558C  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
0044558F  |. C781 A4000000 >MOV DWORD PTR DS:[ECX+A4],0
00445599  |> 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
0044559C  |. 8B42 10        MOV EAX,DWORD PTR DS:[EDX+10]
0044559F  |. 83C0 20        ADD EAX,20                               ;  add 20 to x-speed
004455A2  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
004455A5  |. 8941 10        MOV DWORD PTR DS:[ECX+10],EAX            ;  store x-speed
004455A8  |> 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
004455AB  |. 817A 10 000200>CMP DWORD PTR DS:[EDX+10],200            ;  compare x-velocity and 200
004455B2  |. 7E 0A          JLE SHORT doukutsu.004455BE
004455B4  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
004455B7  |. C740 10 000200>MOV DWORD PTR DS:[EAX+10],200            ;  x-velocity is 200
004455BE  |> 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
004455C1  |. 8179 10 00FEFF>CMP DWORD PTR DS:[ECX+10],-200           ;  compare x-velocity and -200
004455C8  |. 7D 0A          JGE SHORT doukutsu.004455D4
 
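The listing above can be read back into C once the Event layout from Runelancer's list is written down. This is an added example (mine, not the thread's code): an EventObj struct whose padding is sized so MoveX sits at +0x10 and Damage at +0xA4, and a function that follows the listing instruction by instruction. The names are assumptions: word_50 is the WORD at +0x50 the code ORs 0x80 into (the list does not name that field), crush_flags stands in for the DWORD the code reads at 0x49E63C, and the final clamp to -0x200 is assumed by symmetry because the listing stops at the JGE.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example. Only the fields the listing touches are named; the rest is
 * padding sized to reproduce Runelancer's Event offsets (InUse +0x00,
 * State +0x04, MoveX +0x10, Damage +0xA4, stride 0xAC). word_50 is an
 * assumed name for the WORD at +0x50. */
typedef struct {
    uint32_t in_use;    /* +0x00 */
    uint32_t state;     /* +0x04 */
    int32_t  x;         /* +0x08 */
    int32_t  y;         /* +0x0C */
    int32_t  move_x;    /* +0x10 */
    int32_t  move_y;    /* +0x14 */
    uint8_t  pad0[0x50 - 0x18];
    uint16_t word_50;   /* +0x50, unnamed in the list */
    uint8_t  pad1[0xA4 - 0x52];
    int32_t  damage;    /* +0xA4 */
    uint8_t  pad2[0xAC - 0xA8];
} EventObj;

int event_layout_matches_list(void)
{
    return sizeof(EventObj) == 0xAC
        && offsetof(EventObj, move_x) == 0x10
        && offsetof(EventObj, word_50) == 0x50
        && offsetof(EventObj, damage) == 0xA4;
}

/* C rendering of 0044554A..004455C8 from the posted listing. crush_flags is
 * an assumed stand-in for the DWORD the code reads at 0x49E63C. */
void moving_block_step(EventObj *ent, uint32_t crush_flags)
{
    if (crush_flags & 4) {                 /* MOV EDX,[49E63C]; AND EDX,4; JE */
        ent->word_50 |= 0x80;              /* MOVZX; OR ECX,80; store WORD at +50 */
        ent->damage = 0x64;                /* MOV [EAX+A4],64: 100 damage */
    } else {
        ent->word_50 &= (uint16_t)~0x80u;  /* AND EDX,FFFFFF7F; store WORD at +50 */
        ent->damage = 0;                   /* MOV [ECX+A4],0 */
    }
    ent->move_x += 0x20;                   /* ADD EAX,20; store back at +10 */
    if (ent->move_x > 0x200)               /* CMP [EDX+10],200; JLE skips the store */
        ent->move_x = 0x200;
    /* The listing ends at CMP [ECX+10],-200; JGE. The store below is the
     * symmetric clamp, assumed rather than shown in the listing. */
    if (ent->move_x < -0x200)
        ent->move_x = -0x200;
}

/* Small drivers so the behaviour can be checked from returned values. */
int32_t damage_after_step(uint32_t crush_flags)
{
    EventObj e;
    memset(&e, 0, sizeof e);
    moving_block_step(&e, crush_flags);
    return e.damage;
}

int32_t move_x_after_steps(int steps)
{
    EventObj e;
    memset(&e, 0, sizeof e);
    for (int i = 0; i < steps; i++)
        moving_block_step(&e, 0);
    return e.move_x;
}

unsigned word_50_after_step(unsigned initial, uint32_t crush_flags)
{
    EventObj e;
    memset(&e, 0, sizeof e);
    e.word_50 = (uint16_t)initial;
    moving_block_step(&e, crush_flags);
    return e.word_50;
}
```

Reading it this way also shows why the damage value is reached through a 32-bit displacement: 0xA4 is larger than the signed 8-bit range, so the encoding "C780 A4000000" in the listing carries the full +000000A4 that the later note in this thread mentions.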
Aug 26, 2009 at 11:26 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
cool gir.
very nice.
 
Aug 27, 2009 at 8:02 AM
Lvl 1
Forum Moderator
"Life begins and ends with Nu."
Join Date: May 28, 2008
Location: PMMM MMO
Posts: 3713
Age: 32
Just a small note about that offset, in case anyone tries to use it.

It should be noted that it is stored as +000000A4, rather than just +A4.

Using the latter caused ollydebug to not recognize it, so the offset +000000A4 is more appropriate as far as documentation goes.
 
Aug 27, 2009 at 7:03 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
no worries, they're the same thing, oly's just messed.
:p
 
Sep 4, 2009 at 5:52 AM
Lvl 1
Forum Moderator
"Life begins and ends with Nu."
Join Date: May 28, 2008
Location: PMMM MMO
Posts: 3713
Age: 32
In runelancer's notes, he has 2 offsets listed for frames and npcs. They are:
+0x64: FrameNum
+0x68: FrameID

They are both wrong. +64 is actually the frame timer, and +68 is what stores the frame number. The updated offsets would be:

+0x64: FrameTimer
+0x68: FrameNum

I found this out whilst trying to get an entity of mine to properly display its frames. View the code of entity 14 (Santa's key) if you want to mess with these values/test/confirm them.
 