Executable Functions [message #33113]
Sun, 28 October 2007 23:46
Keshire
Messages: 1266 Registered: July 2005
Administrator
sub_C05FD0 - zlib crc32 function
sub_CBFB7D - main scripts.bin script parser/engine (over 80kb of code in a SINGLE function...)
sub_CD52D0 - compiled script registering process (best place to add our own stuff into)
sub_5D1FC - hero stats function PC (maybe)
sub_5CE0E6 - hero stats display UI (maybe)
sub_409730 - Enum profile and game save files
sub_99AD80 - open file handler
sub_99A6A0 - open file
sub_4A21F0 - fablesav parser/loader
sub_40D350 - main profile loader, calls below
sub_40BCA0 - profile parser
sub_9F1D20 - boot.ini loader
sub_CE6CF0 - S_GF (Register)
sub_CE75B0 - S_GF (Main)
sub_CE7640
sub_CE7650
sub_CE7670 - S_GF (Story Flow)
sub_CEF3B0 - S_GF (NewQuestCard)
sub_CEF550 - S_GF (Barrowfield)
sub_CEF8E0 - S_GF (Save)
sub_CEF950 - S_GF (Game Flow)
sub_CEF9A0
sub_CEFA00
sub_CEFA20 - S_GFA (Main)
sub_CEFAB0
sub_CEFAC0 - S_GFA (Tutorial)
sub_CEFCC0 - S_GFA (MultiCheck)
sub_CEFFB0 - S_GFA (HealthCheck)
sub_CF0180 - S_GFA (WillCheck)
sub_CF02A0 - S_GFA (RenownCheck)
sub_CF0540
sub_CF0560 - S_GFA (Stats)
sub_CF0640 - S_GFA (Gameflow Assistant)
[Updated on: Mon, 29 October 2007 21:59]

Re: Executable Functions [message #33165 is a reply to message #33113]
Mon, 29 October 2007 22:23
Keshire
Messages: 1266 Registered: July 2005
Administrator
DemonDoor_Start .text 00E6E2E0 0000008B R . . . . . .
DemonDoors .text 00E75590 00000036 R . . . . . .
Fisticuffs_Complete .text 00E82190 00000083 R . . . . . .
Fisticuffs_Create .text 00E82220 000002AB R . . . . . .
Fisticuffs_Crowd .text 00E83A20 0000019B R . . . . . .
Fisticuffs_Cutscene .text 00E8A1D0 000000C8 R . . . . . .
Fisticuffs_Introduced .text 00E84B50 00000021 R . . . . . .
Fisticuffs_KHG_Win .text 00E8B020 000006D4 R . . . . . .
Fisticuffs_Main_ .text 00E84B80 0000226C R . . . . . .
Fisticuffs_NPC_Create .text 00E8A2B0 00000CBF R . . . . . .
Fisticuffs_Tyler .text 00E87030 00003107 R . . . . . .
PAAWB_NPC .text 00EC12E0 000000F1 R . . . . . . (Picnic Area After Wasp Battle script)
RPS_BANDIT_ARCHER .text 00EC32F0 000007BB R . . . . . . (Random Population Sim Script Functions)
RPS_BANDIT_GRUNT .text 00EC3AD0 000000D6 R . . . . . .
RPS_Exit .text 00EC1CD0 0000021C R . . . . . .
RPS_Main .text 00EC1850 0000008B R . . . . . .
RPS_Morality .text 00EC1EF0 00000344 R . . . . . .
RPS_NPC .text 00EC1910 0000024C R . . . . . .
RPS_Spawn .text 00EC29F0 00000739 R . . . . . .
RPS_TRADER .text 00EC3130 000000EB R . . . . . .
SM_Main .text 00ED3A90 0000008B R . . . . . . (Statue Master Functions)
SM_Markers .text 00ED3B30 0000057A R . . . . . .
S_QGT .text 00D50600 00000047 R . . . . . .
S_QGT_GuildTrain_Main .text 00D3BB50 0000008B R . . . . . .
S_VPAAWB .text 00EC1780 00000036 R . . . . . .
S_VPAAWB_Main .text 00EC1240 0000008B R . . . . . .
S_VRPS .text 00EC3BC0 00000039 R . . . . . .
S_VSM .text 00ED4A40 00000036 R . . . . . .
ScriptMain .text 00CDE2F0 00000036 R . . . . . .
Script_Global .text 00CE19A0 00000036 R . . . . . .
TH_Cutscene_Triggers .text 00EDED10 00000583 R . . . . . . (Wandering heroes Script Functions)
TH_Main .text 00EDEC70 0000008B R . . . . . .
TH_Scenes .text 00EE1DC0 00000077 R . . . . . .
[Updated on: Mon, 29 October 2007 22:34]

Re: Executable Functions [message #66458 is a reply to message #33113]
Tue, 24 April 2012 00:40
EternalNoob
Messages: 47 Registered: January 2006 Location: The Pit of Hell
Dev Console = 0x009ED190
This has been disabled in some way.
Update:
As far as I can tell, the console is intact; all the routines for initializing it, and its graphics, etc., exist. (It's all running too; it's just never enabled by the game.)
Unknown = 0x0099EBF0
This takes two visible parameters. It also requires an object reference pointer in the register ECX. (Likely a "this" pointer.)
Update:
I believe this is used by the game's "IntelligentPointers": basically, if an object exists, it finds it; otherwise it creates it and makes a pointer to it, for reference tracking\access, etc.
Decrease Will:
0x0057B1F1 - (add [esi+58h], eax)
This could be used to remove magic cost, or, to create a multiplier to increase the cost.
Increase\Decrease Gold (Shops, maybe more..)
0x0057B338 - (mov [esi+3Ch], eax)
Static References:
GameDirectory = 0x013BCA10
HInstance = 0x013BD6EC
CThingManager = 0x013B8A1C
GraphicDataBank = 0x013B8A08
MeshDataBank = 0x013B8A04
QuestManager = 0x013B89FC
CGameJoystickManager = 0x013B89A0
CStreamingFontBank = 0x013B8998
CThingObjectDef = 0x013B8C14
CInventoryItemDef = 0x013B8C18
CUserProfileManager = 0x013B7D4C
CGraphicBankManager = 0x013B837C
CShaderRenderManager = 0x013B8380
CRenderManager = 0x013B8384
CInputManager = 0x013B8388
CFontManager = 0x013B838C
CDisplayManager = 0x013B8390
CSoundManager = 0x013B8394
CGame = 0x013B83D0
CMainGameComponent = 0x013B86A0
CManager@NUISystem = 0x013B8710
CPlayerDef = 0x013B878C
CPlayerGUI = 0x013B8790
CGameDefinitionManager = 0x013B879C
CEngineManager = 0x013BA854
CTCAICreatureWillPowerIndicator = 0x013BA89C
CCameraModeDef = 0x013BA8D8
CSkeletalMorphResourceManager = 0x013BAB10
I haven't verified all of these; they could be static, or the values could be temporarily stored there. (I'll have to keep checking them, and make sure they always stay the same.)
I hit the damn static lottery. :)
These are the layouts of class instances mapped in memory.
CThingManager:
Base = CThingManager (VFTable: 0x01245C44)
Base + 1Ch = CMainGameComponent
Base + 20h = CGameDefinitionManager
Base + 24h = CWorld
Base + 28h = CWorldMap
Base + 30h = CPlayerManager
Base + 8Ch = Unknown
CPlayerManager:
Base = CPlayerManager (VFTable: 0x01231CD0)
Base + 0Ch = CPlayer
Base + 10h = Unknown
Base + 1Ch = Unknown
CPlayer:
Base = CPlayer (VFTable: 0x01231CC4)
Base + 0Ch = CGamePlayerInterface
Base + 34h = CIntelligentPointer@VCThingPlayerCreature
CIntelligentPointer@VCThingPlayerCreature:
Base + 4h = CThingPlayerCreature
CThingPlayerCreature:
Base = CThingPlayerCreature (VFTable: 0x012457FC)
Base + 0B0h = Max Health (Float)
Base + 0B4h = Current Health (Float)
CTCHeroStats:
Base = CTCHeroStats (VFTable: 0x0124F70C)
Base + 4h = CThingPlayerCreature (VFTable: 0x012457FC)
Base + 38h = Unknown
Base + 3Ch = Current Gold
Base + 40h = Highest Amount of Money Ever Had
Base + 48h = Total Money Acquired
Base + 4Ch = Total Money Spent
Base + 58h = Current Will
Base + 5Ch = Max Will
Base + 70h = Renown
Base + FCh = Total Fines
CSystemManager:
Base + 58h = CInputManager
Base + 60h = CDisplayManager
Base + 7Ch = CSoundManager
Base + 84h = CFontManager
CDisplayManager:
Base + 8h = CRenderManager
CDrawPerceivers@NPlayerGui:
Base + 38h = Perceiver Count
CGameCameraManager:
Base + 114h = Unknown
Base + 118h = Unknown
Base + 128h = Unknown
CInventoryItemDef:
Base + 4h = Unknown
[Updated on: Sat, 02 June 2012 18:17]
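
The CTCHeroStats layout from the post above, written as a C struct whose offsets are checked at compile time (an added example, not code from the thread or from the game). The displacements in the two instructions the post lists, [esi+58h] and [esi+3Ch], coincide with Current Will and Current Gold in this layout. The integer field types, the helper names and the sample region are assumptions; the post gives only offsets, names and the VFTable value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEROSTATS_VFT 0x0124F70Cu   /* VFTable value quoted in the post */

/* 32-bit target: pointers are stored as uint32_t. Integer field types are
   an assumption; the post gives only offsets and names. */
typedef struct {
    uint32_t vftable;                 /* +00h */
    uint32_t creature;                /* +04h CThingPlayerCreature */
    uint8_t  gap08[0x3C - 0x08];      /* includes +38h, unknown */
    int32_t  current_gold;            /* +3Ch */
    int32_t  highest_gold;            /* +40h */
    uint8_t  gap44[0x48 - 0x44];
    int32_t  total_acquired;          /* +48h */
    int32_t  total_spent;             /* +4Ch */
    uint8_t  gap50[0x58 - 0x50];
    int32_t  current_will;            /* +58h */
    int32_t  max_will;                /* +5Ch */
    uint8_t  gap60[0x70 - 0x60];
    int32_t  renown;                  /* +70h */
    uint8_t  gap74[0xFC - 0x74];
    int32_t  total_fines;             /* +FCh */
} CTCHeroStats;

/* The build fails if the padding drifts from the posted offsets. */
_Static_assert(offsetof(CTCHeroStats, current_gold) == 0x3C, "gold");
_Static_assert(offsetof(CTCHeroStats, current_will) == 0x58, "will");
_Static_assert(offsetof(CTCHeroStats, renown) == 0x70, "renown");
_Static_assert(offsetof(CTCHeroStats, total_fines) == 0xFC, "fines");
_Static_assert(sizeof(CTCHeroStats) == 0x100, "size");

/* Copy a captured region into the struct only if it is long enough and
   starts with the expected vftable; returns 1 on success, 0 otherwise. */
int herostats_load(const uint8_t *buf, size_t len, CTCHeroStats *out) {
    uint32_t vft;
    if (buf == NULL || out == NULL || len < sizeof *out) return 0;
    memcpy(&vft, buf, sizeof vft);    /* little-endian host assumed */
    if (vft != HEROSTATS_VFT) return 0;
    memcpy(out, buf, sizeof *out);
    return 1;
}

/* Constructed sample: zeroed region with a vftable and Current Will set. */
int32_t sample_will(uint32_t vft, int32_t will) {
    uint8_t region[0x100] = {0};
    CTCHeroStats hs;
    memcpy(region, &vft, sizeof vft);
    memcpy(region + 0x58, &will, sizeof will);
    return herostats_load(region, sizeof region, &hs) ? hs.current_will : -1;
}
```

Checking the vftable before trusting the overlay catches the case where a pointer that was assumed to be static no longer refers to a CTCHeroStats instance.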

Re: Executable Functions [message #66742 is a reply to message #33113]
Fri, 01 June 2012 08:37
Keshire
Messages: 1266 Registered: July 2005
Administrator
What would be extremely helpful would be being able to modify the cdefs loaded in memory so that we can try finding out some of the stuff we don't know about their properties.
Also we want to hook the scripting language into something outside the exe that we can add to.
[Updated on: Fri, 01 June 2012 08:39]

Re: Executable Functions [message #66744 is a reply to message #66742]
Fri, 01 June 2012 12:14
asmcint
Messages: 1360 Registered: April 2010 Location: Behind the beef
Moderator
Quote:
> we want to hook the scripting language into something outside the exe that we can add to.
Both EternalNoob and xenn were talking about this at one point. Specifically, hooking it into a dll file. In fact, that conversation, should you feel like reading it, can be found at the following link: http://fabletlcmod.com/forum/index.php?t=msg&th=9150&start=0&

Re: Executable Functions [message #71722 is a reply to message #66458]
Mon, 04 March 2019 15:07
blastedt
Messages: 5 Registered: May 2016 Location: Blastedt
EternalNoob wrote on Tue, 24 April 2012 00:40:
> Unknown = 0x0099EBF0
> This takes two visible parameters. It also requires an object reference pointer in the register ECX. (Likely a "this" pointer.)
> Update:
> I believe this is used by the game's "IntelligentPointers": basically, if an object exists, it finds it; otherwise it creates it and makes a pointer to it, for reference tracking\access, etc.
0x99EBF0 is a string constructor. The game uses something called "CCharString", likely to provide wrapper functions and such. In the following image, Mac code (with built-in labels) is on the left, with the corresponding PC code on the right. You can see the 99ebf0 call corresponds to a Mac call of CCharString's constructor (taking a char* and its length). This code is from the Necropolis tablet scripting.
https://i.imgur.com/y4yKcRN.png (Please ignore that I've accidentally named the destructor the same thing - 99ebf0 is the constructor, and 99eae0 is the destructor.)
Similarly, 0x9ed190 *is* related to the console - this is CConsole::Initialise(CConsole*, char, EInputKey, CFontBank*).
Sorry to necro an old thread, but this is pretty much the only existing resource on reverse engineering Fable, and I'd rather add to it than make a redundant thread.
Blastedt
[Updated on: Mon, 04 March 2019 16:57]