Messages - Maki

451
These are changes for steam english (FF8_en.exe):
http://pastebin.com/WnRA19mM
For all other versions (2000 PC and handling of all languages) I'm doing a byte search and some routine to edit the bytes whatever version it is.

And here's the main source code:
https://github.com/MaKiPL/FF8-Bad-Texture-PATCHER/blob/master/FF8_TexturePatcher/Form1.cs

I'm going to get some sleep now. I'll prepare the instructions for launcher soon.

452
Square was, well.... weird. They did some weird things that we still can't understand, like putting G.Fs in three different archives for no reason, or some other newest sound revolutions (like the game uses sound offsets hardcoded in the EXE instead of querying audio.fmt, but it still does work with this sometimes - nonsense). Here, the developer tried to overcome the bug that happens during the conversion. The game optimisation forces lossy conversion (max CLUT color is 31 bit, so 255/31 = 8,1..., at some point you're inaccurate for at least 1-2 in colour). Something similar happens in world map UV. Float is 4 bytes long, but world map coordinates are saved in one byte. The engine needs to resolve the 0.0-1.0 UV format from 0-255 variables. The programmers thought of a "brilliant" idea to work around some glitches that were appearing because of lossy conversion, and they added several conditions to test if the face UV is out of bounds (and if it was, they added or subtracted 2 from this variable). I don't know why someone released a game with such a bug in code.

BTW: I don't remember if I wrote this before, but the PSOne image has two wmx.obj. One is 100% identical to the PC version, and the second is 71% similar. Another Square "WTF?".

453

Description:
This does just what you can see on image above. Fixes bad PC version UV mapping.

Compatibility: Works with all FF8 versions (2000+Steam) multilanguage + any currently available mods
                                 If you're having problems, please proceed with manual patching tutorial.
Requirements: .NET Framework 4 (for ready patcher) or DLPB's Tools 2.0 for manual patching

ASM hack source: http://pastebin.com/WnRA19mM

*Old patcher deleted due to the fact it corrupted the EXEs and overwrote backup. I'm so sorry for destroying your backups. Please, use manual patching for Steam or above for 2000 version.

STEAM 2013 Version:
MANUAL PATCHING TUTORIAL: (STEAM)
(Big thanks to Cities.Burn.Quick for writing this tutorial) :)
(Use this if above fails. This applies for English version only, however you can find FF8 2000 HEXT instructions at the bottom of this post)

1. Backup the FF8_EN.exe file from your Final Fantasy VIII Steam directory (steamapps/common/FINAL FANTASY VIII/) just in case.

2. Download DLPB's Tools 2.0.

3. Unzip the file anywhere on your PC.

4. Open the "HextEdit" folder and move your FF8_EN.exe file from your Steam directory to the HextEdit root folder. The root folder contains another folder named HE_in, the HextEdit.exe, a Readme.rtf, and a test.file (which you should delete).

5. Open the HE_in folder and delete the example Hext instructions.

6. Create a new Notepad text document in the HE_in folder, name it "FF8_EN" or "FF8" and paste:

Code:
FF8_EN.exe
153CC0 = 00
153CCA = 00
153CD8 = 00
153CE2 = 00
153CF2 = 00
153CFC = 00
153D0C = 00
153D16 = 00
153D26 = 00
153D30 = 00
153D38 = 00
153D42 = 00


7. Save your FF8_EN.txt.

8. Go back to the HextEdit root and run the HextEdit.exe application, press enter when prompted.

9. Once HextEdit finishes it will create a HextEdit.txt. Open this file and ensure it reads...
Code:
---------------------------
FF8_EN.txt (FF8_EN.exe)

Changed: 12
Replaced: 0

No errors.

___________________________


10. If newly created HextEdit.txt has the same output, it was patched successfully.

11. Move your FF8_EN.exe from the HextEdit root back to your Steam directory. Overwrite if need be.

12. Run game and enjoy your newly patched FF8 world map!


PC 2000 release version:
Download and run with launcher:
Download: https://www.dropbox.com/s/zaq4gqquaop00kn/FF8_UVPatchLauncher.7z?dl=0

-=Alternative files (HEXT instructions for DLPB's tools)=-
FF8 2000 English: https://www.dropbox.com/s/zaq4gqquaop00kn/FF8_UVPatchLauncher.7z?dl=0
FF8 Steam English: http://pastebin.com/W72H6yep

Remastered:
UV patch is now built-in in demaster patch! No need to work with the code manually. Find more details here: http://forums.qhimm.com/index.php?topic=19432.0
If you are an experienced user you can try manually patching the DLL:
By compiling their new DLL, Dotemu got ASLR working by default. That renders the above method with DLPB not working, because the address in memory changes every time you open the application. You can either disable ASLR with my script: https://github.com/MaKiPL/ASLR_disabler and then patch as in Steam 2013 with the IMAGE_BASE of the DLL, or patch the DLL directly:
Code:
FFVIII_EFIGS.dll+8A2CB2 - add byte ptr [esi+08],00
FFVIII_EFIGS.dll+8A2CB8 - add byte ptr [esi+08],00
FFVIII_EFIGS.dll+8A2D17 - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2D1D - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2D6D - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2D73 - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2DC5 - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2DCB - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2E1B - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2E21 - add byte ptr [esi+0C],00
FFVIII_EFIGS.dll+8A2E6F - add byte ptr [esi+04],00
FFVIII_EFIGS.dll+8A2E75 - add byte ptr [esi+04],00
The above are dynamic addresses in memory, so if you have a patcher that is capable of understanding the above instructions (an example is Cheat Engine), then you can jump right into the memory view and assemble as above. However, if you want to update the EXE manually, then here are the codes (basically FFVIII_EFIGS.dll in the above example is ~0x10000000):
Example: in the EXE at address 0x8A20B5 there should be 02; change that to 00.
Code:
0x8A20B5 - 00
0x8A20BB - 00
0x8A211A - 00
0x8A2120 - 00
0x8A2170 - 00
0x8A2176 - 00
0x8A21C8 - 00
0x8A21CE - 00
0x8A221E - 00
0x8A2224 - 00
0x8A2272 - 00
0x8A2278 - 00

Nintendo Switch
Unfortunately you have to own a jailbroken(?) Switch. You have to get the file GuardianEFIGS.nro and edit those addresses with your favourite HEX editor:
Example: 0xE04E38 which is now E2 1B 1F 32 should be 1F 20 03 D5
Below are all the addresses which you should update:
Code:
0xE04E38 = 1F2003D5
0xE04E58 = 1F2003D5

0xE04E98 = 1F2003D5
0xE04EB8 = 1F2003D5

0xE04EFC = 1F2003D5
0xE04F1C = 1F2003D5

0xE04F5C = 1F2003D5
0xE04F7C = 1F2003D5

0xE04FC0 = 1F2003D5
0xE04FE0 = 1F2003D5

0xE05008 = 1F2003D5
0xE05028 = 1F2003D5
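
A guarded way to apply the Remastered DLL byte list from the post above, as an added example that is not part of the original post or the author's patcher: it confirms every target byte is 02 before writing 00 and never overwrites an existing backup. The function names and the .bak/.tmp suffixes are assumptions.

```python
import hashlib
import os
import shutil

# File offsets and values from the post (Remastered FFVIII_EFIGS.dll): each byte
# is expected to be 0x02 before patching and 0x00 after.
DLL_OFFSETS = [0x8A20B5, 0x8A20BB, 0x8A211A, 0x8A2120, 0x8A2170, 0x8A2176,
               0x8A21C8, 0x8A21CE, 0x8A221E, 0x8A2224, 0x8A2272, 0x8A2278]
OLD, NEW = 0x02, 0x00


def plan_patch(image, offsets=DLL_OFFSETS, old=OLD, new=NEW):
    """Classify every offset before anything is written.

    Returns 'patched' if all bytes already equal `new`, 'ready' if all equal
    `old`. Raises ValueError on a short file, a half-applied patch or any
    unexpected byte (wrong build, or a file something else already modified).
    """
    if max(offsets) >= len(image):
        raise ValueError("file is too short for this offset list")
    found = {image[o] for o in offsets}
    if found == {new}:
        return "patched"
    if found == {old}:
        return "ready"
    bad = [hex(o) for o in offsets if image[o] != old]
    raise ValueError(f"unexpected bytes at {bad}; refusing to patch")


def apply_patch(path, offsets=DLL_OFFSETS, old=OLD, new=NEW):
    """Patch `path` in place and return the SHA-256 of the resulting file."""
    with open(path, "rb") as f:
        image = bytearray(f.read())
    if plan_patch(image, offsets, old, new) == "ready":
        backup = path + ".bak"
        if not os.path.exists(backup):      # never overwrite an existing backup
            shutil.copy2(path, backup)
        for o in offsets:
            image[o] = new
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:           # write a sibling file, then swap it in
            f.write(image)
        os.replace(tmp, path)
    return hashlib.sha256(image).hexdigest()
```

Running it a second time is a no-op: an already patched file returns the same digest and the first backup stays untouched.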

454


Looks cool now, huh?
I grabbed the PSOne emulator memory, parsed it to file and streamed over to FF8 steam memory. This came up. What does it mean? Their load engine is somehow messed up. WMX dumped from PSOne to FF8 resulted in the same messed up UVs.
The problem is when the engine loads the data from file.

1. Engine loads given segment
2. Process some bad things on UV
3. Reads new processed segment
4. This processed segment remains in memory

If you'll write 0x9000 segment straight to memory, then you'd get correct world map segment. That's good, I can search now for the instruction that destroys the textures. 

EDIT:
FF8DISC1.IMG holds TWO worldmaps (sic!)
First one is at 0x108800 and second one is at 0x108800+(0x9000*835).
The one at 0x108800 is 100% similar to the one in PC version (that's what my simple tool says)
Okay. The second one at 0x108800+(0x9000*835) is 71,52009% similar.

Here's the proof:
https://youtu.be/-VMHtCKtj3s

Sorry for music and segment scattering. See 1:37

UPDATE (18:32)
This opcode in steam version accesses ALL* loaded uv's segments in game:
FF8_EN.exe+153D47 - mov [eax-01],cl

@UPDATE (23:00) : Well, not ALL, just copies from CL register. The UV messing engine uses CL, DL and BL registers (Byte register), so this could be only... U1 for example... Next OP is as far as I remember dl copy, so...

Link to patch: http://forums.qhimm.com/index.php?topic=16327

455
He meant the second 4 bytes in the FMT archive.
0x00 = file size
0x04 = offset

I know the file is dynamic.

Here's the EDI register, that holds sound ID:
Code:
FF8.exe+69D88 - lea edi,[edi+edi*2]
Offsets are hardcoded inside .data in FF8.exe

456
General Discussion / Re: request/question
« on: 2015-08-20 18:37:57 »
vBinDiff, Hex Workshop, even Total Commander. There are many file difference analyzers. The best is HexWorkshop as it works on patterns.

457
If you're running out of time, then could you send me the source so I can add the offset list code. Thanks!


UPDATE:
This is where Engine pushes ECX register on stack, which (ECX) holds audio.dat sound offset to be read:
Code:
FF8.exe+69DD8 - push ecx
Soon after a CALL is given to READ file:
Code:
FF8.exe+69DDB - call FF8.exe+6E780
And here's the play sound function:
Code:
FF8.exe+69E26 - E8 B5450000           - call FF8.exe+6E3E0
NOPing this will mute sound.

Stream opens audio.dat and reads byte array with given offset and length.

With this I need to find when length is stored and if it does have some ID. We need this for MAG files to find out when it calls for sound.

458
General Discussion / Re: FFVII on IOS Appstore
« on: 2015-08-19 14:50:07 »
There are no PSOne emulators for iOS or what?

459
Try to replace the second witch with any other enemy. It appears invisible (casting potion will show them), and replicated by THREE. Works with any enemy. How does the game know to replicate the enemy by 3? What's hidden in this FF8!?



I monitored variables on sorceress battle. Here's what I got:

This opcode:
Code:
FF8_EN.exe+8870B - mov [eax],edx

Accesses:
Memory: FF8_EN.exe+1928DA4 [01D28DA4]  (Holds kill count of sorceress)
Memory: 01D28D98 (Holds whole count of sorceress, ex actual sorceress count, ex if you kill one, this raises, when second gets on stage, this count raises)

@UPDATE: Yes. Just tested. The game checks if 01D28D98 is 12, if yes, then next summon is witch_worm. The game gets into an infinite loop if you either freeze 01D28D98 or NOP (90h) the FF8_EN.exe+1928DA4


Battle stages are divided into three segments:

1. Ground
2. Background
3. Sky sphere

The game takes one segment and deforms it. That's why only the objects deform and not the ground or sky. On the final worm_witch, the engine loads a shaking camera animation and moves segment 3 on the X axis. Thanks to a memory hack I forced the game to fight with a normal witch on the final stage. I froze the witch count to 1 and kept killing them. This way, segment 3 was moving on all stages, which was kinda funny. I recorded a video. I'll upload this and update this post. :D

460
Completely Unrelated / Re: windows 10
« on: 2015-08-17 22:37:56 »
I had no issues with sound.

461
Completely Unrelated / Re: windows 10
« on: 2015-08-16 22:10:46 »
Don't upgrade to win10. I did and now my PC is possessed by cyberDemon. It turns on by itself on 3:33 even if I disabled turning on due to updates and many other things. It watches me sleeping. That's creepy.

462
Completely Unrelated / Re: windows 10
« on: 2015-08-16 21:43:59 »
hey

i am getting non stop crackling noises now when i try to run any emulators on windows 10

how can i fix this problem

A friend of mine had this issue on technical preview after updating sound card drivers. In his case those noises were global. Try to run emulator as Windows 7 or see if there are updates to your device. Oh, by the way "Have you tried turning it off and on again? " :D

463
Aaaand. Together with Kaspar01, the sorceress battles are no longer unknown.

Their battle thing IS NOT in their .DAT files nor in scene.out, that little devil is HARDCODED into the game's EXE. The game code manages the whole sorceress battle structure. The level structure is at 0BE00037 in memory of the Steam edition; dumped and read as ASCII it resolved to this:

Code:
smPcRead::\ff8\data\eng\kernel.bin
smPcRead::\ff8\data\eng\sysfnt.tdw
smPcRead::\ff8\data\eng\icon.tim
smPcRead::\ff8\data\eng\namedic.bin
smPcRead::\ff8\data\eng\wm2field.tbl
smPcRead::\ff8\data\eng\menu\mngrphd.bin
smPcRead::CD:\DISK1
smPcRead::\ff8\data\eng\field\mapdata\maplist
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.mim
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.pmp
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.pvp
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.id
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.map
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.ca
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.inf
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.rat
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.mrt
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.msd
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.pmd
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.jsm
0 = ::FUNC_ISPARTY(0)
0 = ::FUNC_ISPARTY(0)
0 = ::FUNC_ISPARTY(0)
smPcRead::\ff8\data\eng\field\mapdata\te\test1\test1.pcb
smPcRead::\ff8\data\eng\battle\A0STG137.X
smPcRead::\ff8\data\eng\battle\B0WAVE.DAT
smPcRead::\ff8\data\eng\battle\C0M116.DAT
smPcRead::\ff8\data\eng\battle\D0C001.DAT
smPcRead::\ff8\data\eng\battle\D0W000.DAT
smPcRead::\ff8\data\eng\battle\A0STG018.X
smPcRead::\ff8\data\eng\battle\A8DEF.TIM
smPcRead::\ff8\data\eng\battle\A0STG107.X
smPcRead::\ff8\data\eng\battle\A8DEF.TIM
smPcRead::\ff8\data\eng\battle\A0STG057.X
smPcRead::\ff8\data\eng\battle\A8DEF.TIM
smPcRead::\ff8\data\eng\battle\A0STG012.X
smPcRead::\ff8\data\eng\battle\A8DEF.TIM
smPcRead::\ff8\data\eng\battle\A0STG106.X
smPcRead::\ff8\data\eng\battle\A8DEF.TIM
smPcRead::\ff8\data\eng\battle\A0STG007.X
                         

Thanks to kaspar01 for spending time on watching witches gameplay and providing complete list of stages. 100% match.

464
I took a look at how engine treats texture and I see that it doesn't read TIM texture in real-time. What I want to write is: The engine loads .TIM texture, converts it to probably 24BPP bitmap and reads that bitmap. The error is probably bad 4BPP to 24BPP texture conversion. That one pixel indeed can be lost or added in this conversion process.

I replaced road TIM with train texture (byte to byte) and the road disappeared. That's really weird.

Here:


The .TIM texture has also origin X Y.

Thanks to this texture we can see what's really happening here.

465
Crash by unexpected exception?

466
The problem is in game code. It is not related to files itself.

Fix is to find and produce Jump to instructions where you correct the scale variables over registers. The problem is- which register at which state holds texture size. Another fix is to prepare corrected textures made upon bugged code.

467
If we're talking about FFXIII-2, then here's:
Code:
ffxiii2img.exe+7543C6 - movaps [edx],xmm2
This opcode is related to position hack. NOP it and fly wherever you want.
Also this:
Code:
ffxiii2img.exe+77A88B - movaps xmm0,[eax-10]
NOP'ing deletes distance to interaction object, so you can interact with everything on the level wherever you are. Took me... 30 minutes? Things like money, HP etc. are one of the easiest things. The more difficult thing would be format reverse.

Hey, isn't it too early to talk about reversing a game that wasn't even released?

Who is interested in reverse engineering FF7R, and/or developing tools for it?
I am. I would look at files when FF7R get released. Especially maps/props models. Strategies for that? Well, as soon as it gets PC release I could work with memory and see which file it stores, then realtime manipulate it, to see what gets changed in drawing.

468
Sorceress battles are the most unknown to me. There are like ~12 enemies. This makes no sense to scene.out, also the stages are changing. I'm confused.

469
If you're using DualShock, then you could install DS3Tool. This software makes it possible to map controller buttons (also Xbox360, not only DualShock) to keyboard keys. This way you can control the whole computer (even mouse) with the controller.

470
Fixed level byte is currently known. See wiki. Cactillo IS able to edit this level. See in top right corner.

471
Wow, that Ifrit looks brilliant!

472
Misc. Tools / Re: [FFX] Skill editor - Ronso (v0.1.0.0)
« on: 2015-08-07 15:31:41 »
(...)that it scans all readable process memory for patterns that seem to be at a static offset to the skill / string data and works from there. If it is started and these patterns are not where they are supposed to in reference to the stored address, it will attempt to rescan the memory for them.

That's a really smart one! Good job! Scanning for a pattern and finding addresses dynamically is going to work in most cases on different versions and emulators (there are some less popular emulators out there, but pcsx2 is the best one ATM). :)

473
@Update:
Okay. I found quad count.
0x234c (9036) in mag094_b.1s0 - 192
192*24=4608
And... There's 4608 of pattern-like bytes in this file. After that unknown data is represented. For 192 face indices, there has to be many vertices. The only "big" unknown data is before face indices.

0x12 represents 3423h which is 9012d. There are 9012 bytes of data and some padding before face indices. Does file store total bytes count instead of number of data? That's totally different. 9012/8 is leaving a floating point number. Divided by 6 is giving non-point value. I'll run a Point cloud visualization on given data. Keep updated.

#UPDATE: Point cloud represented plain surface with some glitched points.

#UPDATE2: Quads max face indice index is 211. That means, there must be at least 211 vertices.

Okay. Naming cracked:
mag094_b.XyN
where:
X- Sequence number
y- Data type
N- ID number
Example:
mag094_b.2s2 is Sequence number two (read below about Siren's sequences), second geometry model (s2)

Siren sequences:
1- Sea is flooding enemy
2- Siren is playing on harp
3- "ending" point where there's effect of echo like rings on enemies.

MILESTONE! I got this. 1sN files are having header with offsets to data portions!

Case mag094_b.1s0:
Code:
offset  point_offset  data
1       1             header?
4       13664         UNKNOWN
8       12            Probably vertices? (with weight)
12      9012          Just a bit before quad data

I tried memory hacking and wiping out mag094_b.2s3, I left only the header (containing pointers) and null'ied everything else. NOTHING. But when I try to delete the whole file (so in fact the 12B header) the game doesn't hop to sequence 2 and stops in an infinite loop at the latest keypoint in sequence 1. Mhm... ;/

Okay. I got this:
Okay, almost every time in naming XyN where y is 's' the file build is:

First 4 bytes: count of pointers
Next 4bytes*count_of_pointers = pointers (for 4 bytes)
INDEX is NOT zero! That means, if count_of_pointers = 01 00 00 00 then real count is ==1, 06 00 00 00 is 6 (six) pointers and 00 00 00 00 is zero pointers (in some cases in data 00 means 1, that's what I mean)
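
A bounds-checked reader for the XyN naming and the 's' pointer header described in the post above, as an added example that is not part of the original post: the function names, the filename regex and the constructed sample bytes are assumptions, and so is the idea that a section runs until the next pointer.

```python
import re
import struct

# Extension pattern from the post: X = sequence number, y = data type, N = ID.
_NAME = re.compile(
    r"^(?P<base>mag\d+_[a-z])\.(?P<seq>\d)(?P<kind>[a-z])(?P<ident>\d)$")


def parse_mag_name(name):
    """Split 'mag094_b.2s2' into its parts; None if the name does not fit XyN."""
    m = _NAME.match(name.lower())
    if not m:
        return None
    return {"base": m["base"], "sequence": int(m["seq"]),
            "type": m["kind"], "id": int(m["ident"])}


def parse_pointer_header(data):
    """Read the 's' header: u32 count, then `count` u32 pointers, little-endian.

    The count and every pointer come from the file, so both are checked
    against the real file length before they are used.
    """
    if len(data) < 4:
        raise ValueError("file shorter than the 4-byte pointer count")
    (count,) = struct.unpack_from("<I", data, 0)
    header_end = 4 + 4 * count
    if header_end > len(data):
        raise ValueError(
            f"count {count} needs {header_end} header bytes, file has {len(data)}")
    pointers = list(struct.unpack_from(f"<{count}I", data, 4))
    for i, p in enumerate(pointers):
        if p >= len(data):
            raise ValueError(f"pointer {i} (0x{p:X}) is past the end of the file")
    return pointers


def section_spans(data):
    """Return (offset, length) per pointer, in header order.

    Assumption, not stated in the post: a section runs from its pointer to
    the next higher pointer, or to end of file. Pointers may be unsorted.
    """
    ptrs = parse_pointer_header(data)
    edges = sorted(set(ptrs)) + [len(data)]
    return [(p, edges[edges.index(p) + 1] - p) for p in ptrs]


def build_sample():
    """Constructed sample: count 3, pointers 16/24/40, then 32 bytes of body."""
    return struct.pack("<4I", 3, 16, 24, 40) + bytes(32)
```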

474
Misc. Tools / Re: [FFX] Skill editor - Ronso (v0.1.0.0)
« on: 2015-08-06 20:20:18 »
Correct me, if I'm wrong, but isn't the process memory changing regarding emulator and or plugins used? I mean, isn't the memory drastically changing if you use any other software to emulate game? Also, things like that are locked to specific game images. NTSC and PAL version memory addresses can be totally different, am I wrong?

475
[obsolete, of course!] :3

This is the only leftovers undocumented that are in battle.fs, after that we would 100% finish battle.fs

=MAG files=
So... Let's say something about MAG files. Those are chaotically managed files, can contain various extensions and have no normal formula... I found a TIM texture in a file like mag115_h.13 and also in mag161_a.dat (See? Extension is not important here). Just recently when I began looking at the files I found a QUAD model in one file:
mag094_b.1s0 (Uses the same QUAD format as Battle stages- identical)

also 16B pattern in:
mag094_b.2e0 (starting at 0x298c). There's probably 4B padding before that.
There are 2 149 such triangle-like things. (0xbbe4 a next the same pattern starts)

mag094 is Siren G.F. attack.

I know Kaspar was looking at G.Fs.



=r0win.dat=
This file is responsible for whole winning sequence. I found AKAO frames in it, probably camera movement and whole logic. Game runs into infinite loop when you delete file and win battle. Hud disappears, you can't do anything. Nothing happens. Battle music plays. Nothing.

=b0wave.dat=
I don't know completely what this file is.
When it is deleted and you enter a battle, neither the enemy nor the player is loaded, and not even the battle logic. The stage just plays the anim and nothing happens. So, this may be the route:
1. Engine loads stage+music
2. Stage plays opening camera animation
3. b0wave.dat is loading battle core data
4. When you win, r0win.dat handles what comes next

=a9btlfnt.bft=
As above. Nothing happens when deleted.

Feel free to write any notes you have.

@update to MAG:
I deleted mag094_b.2e0 and the game gets into infinite loop after the sea sinks the enemy. The sea is flowing thru enemy, camera is fixed, nothing happens. This means, that the MAG files are sequenced. One part of file is loaded after it passes another part of sequence is loaded. This way programmers probably saved some memory.
