Author Topic: FF8 EXE - Debug/Empty Section & Battle Results section  (Read 2653 times)

Sega Chief

Hi all,

Is there a handy tract of space in the FF8 exe for new code that can be used? I know there's a debug section of sorts in there somewhere, but for FF7's exe a similar region needed to have read/write permissions re-enabled before it could be used.

If anyone's interested in what it's for, I'm planning to try and write something that restricts Limit Breaks to 4 uses per battle (across party) with the first being Crisis Level 4, then decrementing each time until it hits 0 and 'locks' the use of Limits for the rest of the battle. I'm going to put a jump to it where the check for crisis level 4 is (49431E).

As for resetting the counter, I'm a little less sure of where to put it but was thinking the battle results screen as even when escaping that screen tends to come up. Does anyone know where that section starts from?

Maki

Re: FF8 EXE - Debug/Empty Section & Battle Results section
« Reply #1 on: 2018-08-15 17:05:07 »
You are looking for so-called "code caves". A quick scan of memory at runtime yields these addresses of at least 64 bytes of memory padding that you can use for code injection:

00400298
00403A30
00469548
004823FB
00484C23
00487384
0048A25C
0048A2FE
0048E4A9
00491267
004913CF
004B3AD7
004B5761
004CAB0A
00505E51
00506255
0050A713
0056AAF3
00667B10
00670E38
006757F8
006E5F39
008454C1
00B68783

These are applicable for the FF8 2000 PC release with the 1.1 patch. There's no big difference in the Steam version for that.
In the future you can use Cheat Engine > Memory View > Tools > Scan for code caves


As for resetting the counter, I'm a little less sure of where to put it but was thinking the battle results screen as even when escaping that screen tends to come up. Does anyone know where that section starts from?

The easiest thing that comes to my mind is checking if engine_state == 8 (this is battle mode). If not, then reset the counter; if yes, then ignore. Anyway, here are the main functions to note:
FFBattleInitSystem (called from FFModuleHandler and FFBattleTransitionModule) - it's at 0047CE00 (0007CE00). More specifically:

FFBattleInitSystem+1E   66 83 3D C6 8F CD 01 08   cmp     _StateGlobal, 8

where _StateGlobal (global variable) is at 01CD8FC6 in .data in-memory

There's also:
FFBattleExitSystem called from FFModuleHandler and FFBattleTransitionModule that sets previous renderer screen-space and is located at:
0x0047CEE0 (0x0007CEE0)

@edit
About the R/W, it's true, but only if you need to store some locals. Here are some 64-byte regions with R/W (but use them rather for storing what you need instead of code):
00B6D0A8 <- I recommend this one, it's section between imports for PE and strings that are allocated on 256 bytes
00B6D1B2
00B6D2B7
00B6D3C1
00B6D4BE
00B6D5C4
00B6D6C7
00B76918
00B7CDA8
00B7CF13
00B7D10B
00B7D18B
00B7D20B
00B7D2A7
00B7D507
00B7D6A7
00B7D713
00B7D90B
00B7D98B
00B7DA0B
00B7DC23
00B7DE1B
00B7DE9B
00B7DF1B
00B8A53B
00B8B3A7
00B8C1F3
00B8C2F7
00B8C3FB
00B8C514
00B8C618
00B8C71C
00B8C832
00B8C936
00B8CA3A
00B8CB53
00B8CC57
00B8CD5B
00B8CE73
00B8CF77
00B8D07B
00B8D192
00B8D296
00B8D39A
00B8DCCA
00B96EE4
00B976AF
00B97885
00B97A05
00B97B85
00B97DA4
00B97F25
00B980A5
00B98225
00B98563
00B986E3
00B9888E
00B98A0F
00B98B8F
00B98D0F
00B98E8F
00B9A50D
« Last Edit: 2018-08-15 17:27:29 by Maki »
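The Cheat Engine scan mentioned above works on the running process. The following is an added example (not a tool from this thread or from Cheat Engine) that does the file-level equivalent for a 32-bit PE: it walks the section table, reports every run of padding bytes (0x00 or 0xCC, an assumption about what the linker used as fill) of at least 64 bytes, and prints the section's R/W/X flags next to each hit, so a cave in a read-only/executable .text section is not mistaken for somewhere to keep a counter variable. It scans only section raw data, so a gap inside the PE headers themselves (like the 00400298 entry above) is not reported, and the flags it prints come from the section table, not from any VirtualProtect the game does at runtime. The sample image it scans is constructed in the block; FF8's executable is not included.

```python
"""Code-cave scanner for 32-bit PE files (added example, not the forum's tool).

A "code cave" is a run of padding bytes long enough to hold injected code.
This walks the section table of a PE32 image, reports every run of at least
min_len padding bytes, and shows the owning section's R/W/X characteristics.
Caveat: a zero run in .data may be a real zero-initialised variable that the
program uses, so check cross-references before treating it as free storage.
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PADDING = {0x00, 0xCC}  # assumption: zero fill and int3 (0xCC) are the fill bytes


@dataclass
class Section:
    name: str
    vaddr: int           # RVA of the section
    raw_ptr: int         # file offset of its raw data
    raw_size: int
    characteristics: int

    def perms(self) -> str:
        c = self.characteristics
        return (("R" if c & IMAGE_SCN_MEM_READ else "-")
                + ("W" if c & IMAGE_SCN_MEM_WRITE else "-")
                + ("X" if c & IMAGE_SCN_MEM_EXECUTE else "-"))


def parse_pe32(image: bytes):
    """Return (image_base, [Section]) from a PE32 file image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                       # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # optional header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    table = opt + opt_size                    # section table follows optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, vaddr, rsize, rptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, rptr, rsize, chars))
    return image_base, sections


def find_caves(image: bytes, image_base: int, sections, min_len: int = 64):
    """Return [(virtual_address, length, section_name, perms)] for padding runs."""
    caves = []
    for s in sections:
        start, end = s.raw_ptr, min(s.raw_ptr + s.raw_size, len(image))
        run_start = None
        for off in range(start, end + 1):     # end+1 flushes a run at section end
            in_padding = off < end and image[off] in PADDING
            if in_padding and run_start is None:
                run_start = off
            elif not in_padding and run_start is not None:
                length = off - run_start
                if length >= min_len:
                    va = image_base + s.vaddr + (run_start - s.raw_ptr)
                    caves.append((va, length, s.name, s.perms()))
                run_start = None
    return caves


def build_sample_image() -> bytes:
    """Construct a tiny two-section PE32 image (sample data, not a real binary)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 28, 0x400000)              # ImageBase
    sec_table = 0x58 + 0xE0
    for i, (name, vaddr, rptr, chars) in enumerate([
            (b".text", 0x1000, 0x200, 0x60000020),                # code: R-X
            (b".data", 0x2000, 0x400, 0xC0000040)]):              # data: RW-
        struct.pack_into("<8sIIIIIIHHI", hdr, sec_table + 40 * i,
                         name, 0x200, vaddr, 0x200, rptr, 0, 0, 0, 0, chars)
    text = b"\x55\x8b\xec\x90" * 64 + b"\xCC" * 0x100             # 256 B int3 cave
    data = (b"FF8 sample" + b"\0" * 0x30 + b"\x01" * 0x20          # 48 B: too short
            + b"\0" * (0x200 - 10 - 0x30 - 0x20))                  # 422 B zero cave
    return bytes(hdr) + text + data


if __name__ == "__main__":
    img = build_sample_image()   # replace with open("game.exe", "rb").read()
    base, secs = parse_pe32(img)
    for va, length, name, perms in find_caves(img, base, secs):
        print(f"{va:08X}  {length:5d} bytes  {name:<8} {perms}")
```

Against the constructed image this reports a 256-byte int3 run at 00401100 in .text (R-X) and a 422-byte zero run at 0040205A in .data (RW-); the 48-byte zero gap in .data is below the threshold and is skipped. The R/W column is the point Maki makes above: a cave in .text is fine for code but not for a counter unless page protection is changed, while a .data cave is writable but may already be a variable the game zeroes and reads.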

Sega Chief

Re: FF8 EXE - Debug/Empty Section & Battle Results section
« Reply #2 on: 2018-08-15 21:26:47 »
All right, I'll have a go with this over the next few days; thanks for the info.