Fallout 2 memory offsets

Andy-Spacetrain

First time out of the vault
Okay, here are the offsets I know. If anyone would like to help me find the equivalents in other versions, please do, and post your finds on this topic.

[UK 1.02]

pipboy = $4971C1
citypatch = $4BF56B
nomovie = $44E840
malestart = $5002E8
femalestart = $5002F0
maledefault = $5002D8
femaledefault = $5002E0
startmap = $519518
DAT Name = $502424
Mod name = $50EA74
Start Year = $4A351C (2 bytes)
Start month = $4A3532
Start day = $4A3506
World X = $51DE7C (2 bytes)
World Y = $51DE80 (2 bytes)

[US 1.02]

pipboy = $497011
citypatch = $4BF3BB
nomovie = $44E690
malestart = $5002E8
femalestart = $5002F0
maledefault = $5002D8
femaledefault = $5002E0
startmap = $5194C8
DAT Name = $5023C8
Mod name = $50EA18
Start Year = $4A336C (2 bytes)
Start month = $4A3382
Start day = $4A3356
World X = $51DE2C (2 bytes)
World Y = $51DE30 (2 bytes)

*EDIT* These are the memory addresses, not the file offsets.
 
I am confused as to what those numbers are. Are they locations in the master.dat file for certain values?
 
You can run a hex editor and open the Fallout2.exe if you want to view the values. The patcher just changes them in memory. For example the vault-boy mod I made uses the fo2 virtual patcher to change the value of the default male model to that of the vault-boy FRM I converted from Fallout Tactics.
 
Corpse said:
They are hex offsets on the exe file.

These appear to be memory addresses not hex offsets in the exe.
Andy's loader creator loads the exe then patches it in memory.
I think these are the in memory addresses after loading the exe.

Edit: Some of the exe offsets are here.
 
I was able to derive the Fallout2.exe file offsets by subtracting 411A00 hex from each of Andy's numbers. I put the exe offsets here for the US 1.02d version. I looked in the Fallout2.exe to find the actual values at those addresses. The text values make sense, but I'm confused about the enable/disable (pipboy, city limit, movies) and also the date numbers.

Andy, can you explain what you do at the addresses for enabling/disabling features, and what the formula is for the dates? For example I see 84A8 hex as starting year. In decimal that is 33930. Are you applying some kind of bitmask, or subtracting something? And the month appears to be zero?

I'm also wondering why these date addresses don't match the ones that platon posted here.

Somebody said that the horrigan cut scene trigger was hard coded in the executable. Anyone know where?
 
Unfortunately, taking 411A00 hex away from the hex offsets only works for some. I tried it myself. I did have all the equivalent hex offsets, they are all in my EXE Patcher program, but I lost my hard-disk with all the source code on :? I did manage to find all the memory addresses by looking at the output from my FVP Ini maker program.
I guess, if you're willing to find them, you could patch the fallout2.exe with my EXE Patcher, and then use something like WinHex to compare the original fallout2.exe with the patched one. Logically, the offsets whose bytes differ would be the patched ones.

As for reading the information from the memory directly...for the 2 byte numbers, (year, world X, world Y) you need to switch the right byte to the left hand side, for example 0xDAF4 would be 0xF4DA, then you can convert it to denary using a calculator. Everything else should be simple. Also, when day and month are stored, they are one less than they appear (month 3 is April).

To apply the PIPBoy patch, you need to change the byte at the given offset to 0xEB, to apply the city limit patch, you also need to change the byte at the given offset to 0xEB, to apply the no movie patch you need to change the byte at the given offset to 0xC3. In simple...

PIPBoy: 0xEB
CityLimit: 0xEB
NoMovie: 0xC3

*EDIT*

Another good way to find the offsets in the EXE would be to view the bytes in memory at an offset, and copy say 20 bytes after the offset, then search for the same 20 bytes in the exe file. When you find a match, you've got your equivalent offset.
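
The signature search and the byte-order rules from the post above, as an added example that is not part of the original thread. The image bytes, the signature and the date values are constructed, and treating month and day as single bytes is an assumption.

```python
import struct

def find_file_offset(exe_bytes, mem_signature):
    """Return the one file offset where bytes copied from memory occur."""
    first = exe_bytes.find(mem_signature)
    if first < 0:
        raise ValueError("signature not found in file")
    if exe_bytes.find(mem_signature, first + 1) >= 0:
        # An ambiguous match cannot identify the location; copy more bytes.
        raise ValueError("signature matches more than once")
    return first

def read_u16_le(buf, offset=0):
    """Decode a 2-byte little-endian value: bytes DA F4 read as 0xF4DA."""
    return struct.unpack_from("<H", buf, offset)[0]

def decode_start_date(buf, year_off, month_off, day_off):
    """Year is a 2-byte value; month and day are stored one less."""
    return (read_u16_le(buf, year_off), buf[month_off] + 1, buf[day_off] + 1)

# Constructed sample image: filler, a 20-byte signature, then date fields.
SIGNATURE = bytes(range(0x10, 0x24))
SAMPLE_EXE = bytes(64) + SIGNATURE + bytes([0xC1, 0x08, 3, 24]) + bytes(28)

if __name__ == "__main__":
    base = find_file_offset(SAMPLE_EXE, SIGNATURE)
    fields = base + len(SIGNATURE)
    print(hex(base), decode_start_date(SAMPLE_EXE, fields, fields + 2, fields + 3))
```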
 
During production of BGE, we were solving problem of adding new reputation GVARs and associating town numbers to them. Here is the solution.

[US 1.02]
gvarnumber1 = $51854C (2 bytes)
(2 bytes of free space)
townnumber1 = $518550 (2 bytes)
(2 bytes of free space)
gvarnumber2 = $518554 (2 bytes)
(2 bytes of free space)
etc..

To a maximum of 19 new towns. Research credit goes to Mynah (from Team X) and his Reputation GVARs editor.
PS: Don't forget about byte switching rule. :wink:
 
Hello, it seems that there is no information available about how to change the starting position on the worldmap.
(If I remember well, the world viewport xy in the modification faq is just the position of the top left corner of the window on the worldmap)
It happens I have this information. If it has already been told, I apologize, but it won't be a bad thing to give it again.
So, here are the offsets/virtual addresses you have to change in order to change the player's starting pos on the worldmap:

VAs:
0x4BC990: xpos
0x4BC995: ypos

0x4BCC08: xpos
0x4BCC0D: ypos

offsets:
0xACD90: xpos
0xACD95: ypos

0xAD008: xpos
0xAD00D: ypos

The values are four-bytes integer but if I were you I wouldn't use more than two bytes ;)
Also, don't forget that the x86 cpu is little-endian so you have to put the bytes in reverse order.

As you can see, there are two different locations to change for x and for y. The reason for that is that what we change here is the code of two functions, one is executed at startup, the other when a game ends (I don't remember which is which).
The original values are the coordinates of Arroyo on the worldmap.

Hope this can be of some help for someone here.
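
The VA/offset pairs in the post above all differ by 0x40FC00, not by the 0x411A00 quoted earlier in the thread, which fits the earlier remark that one fixed subtraction "only works for some" addresses. An added example (not from the thread) that derives the delta from the quoted pairs and applies a delta only inside its own address range; the range boundaries and the use of 0x411A00 for the data range are assumptions.

```python
from collections import namedtuple

Section = namedtuple("Section", "name va_start va_end delta")

# (virtual address, file offset) pairs quoted in the post above.
KNOWN_PAIRS = [
    (0x4BC990, 0xACD90), (0x4BC995, 0xACD95),
    (0x4BCC08, 0xAD008), (0x4BCC0D, 0xAD00D),
]

def derive_delta(pairs):
    """All pairs taken from one section must agree on VA minus offset."""
    deltas = {va - off for va, off in pairs}
    if len(deltas) != 1:
        found = ", ".join(hex(d) for d in sorted(deltas))
        raise ValueError("pairs disagree on the delta: " + found)
    return deltas.pop()

CODE_DELTA = derive_delta(KNOWN_PAIRS)
DATA_DELTA = 0x411A00  # value reported earlier in the thread (assumed: data)

# Hypothetical boundaries; read the real ones from the exe's section table.
SECTIONS = [
    Section("code", 0x410000, 0x500000, CODE_DELTA),
    Section("data", 0x500000, 0x520000, DATA_DELTA),
]

def va_to_file_offset(va, sections=SECTIONS):
    """Map a memory address to a file offset using its section's delta."""
    for sec in sections:
        if sec.va_start <= va < sec.va_end:
            return va - sec.delta
    raise ValueError("VA 0x%X is outside every known section" % va)

if __name__ == "__main__":
    for va, expected in KNOWN_PAIRS:
        print(hex(va), hex(va_to_file_offset(va)), hex(expected))
```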
 
Thanks Ravachol for the info. I would like to find offsets for damage algorithm in Fallout2. I discovered two years ago an algorithm, I mean I know how damage is calculated in Fallout2 including damage modifiers of ammo and damage resistance/threshold of armours.
I would be glad to see where/how I could fix/change the engine to repair armour piercing ammo bug.

If you want to see the true algorithm for calculating damage in Fallout, read my post about it in this topic:

http://www.nma-fallout.com/forum/viewtopic.php?t=10861&start=0

date of the post is: Wed May 25, 2005
the author is:_Cubik (my old name ;)

If you could find and describe the necessary offsets for fixing the ammo algorithm I would be very glad :)

I do not know how to hack files, unfortunately :( so I couldn't do this myself.

Or at least write is this possible or not, please
 
Well technically, almost everything is possible although the amount of work needed for some hacks might not be worth the trouble.
If I can find enough time to look for the damage calculation algorithm, I'll try to do it.

btw, could I have more details on what exactly is this "armour piercing ammo bug"? I mean, how does it work now and how should it work...
 
Thanks Ravachol :)
I will prepare a fixed algorithm and I will write it here. Wait a few days, maybe I will do it today.
 
Hi, I located the damage calculation function in the exe... that was the easy part, now I have to understand how it works to be able to fix it.
I already understand more or less some parts and I probably don't have to understand everything it does but there's still some reversing to do.

bye.
 
That is great! I am so happy you found this! I am working on a new algorithm similar to this original, and if I finish it I will write you.

However, could you describe offsets of the damage calculating in exe that you found?

EDIT:
I have done new algorithm, but I must make more tests on it.
New algorithm uses the same modifiers of ammo and armour so I think fixing will not be very hard.
 
good work guys, this could make a massive difference to the game, if you could also post the new and the old algorithm it would be useful for some people to know :)
 
So far, the formula for calculating damages is:

(((base_damage*dam_mult/dam_div)/2)*cbt_diff_mod)/100-dmg_tresh-(((((base_damage*dam_mult/dam_div)/2)/cbt_diff_mod)/100-dmg_tresh)*ammo_dr_adj)/100

base_damage is a random number in range of weapon damages plus an eventual bonus if you have a bonus for ranged attack and you're using a ranged weapon (the bonus is equal to 2* the level of the perk).

dam_mult is the damages multiplier from the weapon's ammo plus another value passed to the function. This value is almost always 2, I suspect it only changes when you make a critical hit.

dam_div is the damages divisor from the ammo.

cbt_diff_mod is changed by difficulty level:
always 100 when the player attacks
75 if playing wimpy
100 if playing normal
125 if playing rough

dmg_tresh is the target's damage threshold for the type of damages it concerns.

ammo_dr_adj is the ammo DR adjustment.

Though it's not definitive, I may have missed something, I'll have to double check.

Some damages can be added after this with the living anatomy perk and the pyromaniac perk.

The interesting part in the function is here:
Code:
BEGTEXT:004249EC cumuldamages:                           ; CODE XREF: damages_computation+2A9j
BEGTEXT:004249EC                 mov     edx, [attack_data+4]
BEGTEXT:004249EF                 mov     eax, [attack_data+Attack_data.who]
BEGTEXT:004249F1                 mov     ebx, [esp+34h+bonus_ranged]
BEGTEXT:004249F5                 call    random_damage   ; input:
BEGTEXT:004249F5                                         ; eax: who
BEGTEXT:004249F5                                         ; edx: ?
BEGTEXT:004249F5                                         ; output:
BEGTEXT:004249F5                                         ; eax: damages in weapon range
BEGTEXT:004249FA                 add     ebx, eax        ; damages=random_damage+bonus_ranged
BEGTEXT:004249FC                 imul    ebx, [esp+34h+dam_mult] ; damages*=dam_mult
BEGTEXT:00424A01                 test    ebp, ebp
BEGTEXT:00424A03                 jz      short loc_424A10
BEGTEXT:00424A05                 mov     edx, ebx
BEGTEXT:00424A07                 mov     eax, ebx
BEGTEXT:00424A09                 sar     edx, 31
BEGTEXT:00424A0C                 idiv    ebp             ; damages/=dam_div
BEGTEXT:00424A0E                 mov     ebx, eax
BEGTEXT:00424A10
BEGTEXT:00424A10 loc_424A10:                             ; CODE XREF: damages_computation+24Bj
BEGTEXT:00424A10                 mov     edx, ebx
BEGTEXT:00424A12                 mov     eax, ebx
BEGTEXT:00424A14                 sar     edx, 31
BEGTEXT:00424A17                 sub     eax, edx
BEGTEXT:00424A19                 sar     eax, 1          ; damages/=2
BEGTEXT:00424A1B                 mov     edx, [esp+34h+cbt_diff_mod]
BEGTEXT:00424A1F                 imul    edx, eax        ; damages*=cbt_diff_mod
BEGTEXT:00424A22                 mov     ebx, 100
BEGTEXT:00424A27                 mov     eax, edx
BEGTEXT:00424A29                 sar     edx, 31
BEGTEXT:00424A2C                 idiv    ebx             ; damages/=100
BEGTEXT:00424A2E                 mov     edx, [esp+34h+dmg_tresh]
BEGTEXT:00424A32                 mov     ebx, eax
BEGTEXT:00424A34                 sub     ebx, edx        ; damages-=dmg_tresh
BEGTEXT:00424A36                 test    ebx, ebx
BEGTEXT:00424A38                 jle     short loc_424A54
BEGTEXT:00424A3A                 mov     edx, [esp+34h+ammo_dr_adj]
BEGTEXT:00424A3E                 imul    edx, ebx        ; damages2=damages*ammo_dr_adj
BEGTEXT:00424A41                 mov     [esp+34h+var_4], 100
BEGTEXT:00424A49                 mov     eax, edx
BEGTEXT:00424A4B                 sar     edx, 31
BEGTEXT:00424A4E                 idiv    [esp+34h+var_4] ; damages2/=100
BEGTEXT:00424A52                 sub     ebx, eax
BEGTEXT:00424A54
BEGTEXT:00424A54 loc_424A54:                             ; CODE XREF: damages_computation+280j
BEGTEXT:00424A54                 test    ebx, ebx        ; damages-=damages2
BEGTEXT:00424A56                 jle     short loc_424A5A
BEGTEXT:00424A58                 add     [damages], ebx
BEGTEXT:00424A5A
BEGTEXT:00424A5A loc_424A5A:                             ; CODE XREF: damages_computation+29Ej
BEGTEXT:00424A5A                 mov     eax, [esp+34h+nbhit]
BEGTEXT:00424A5E                 inc     ecx
BEGTEXT:00424A5F                 cmp     ecx, eax
BEGTEXT:00424A61                 jl      short cumuldamages

For those who can read this: as you can see it's a loop, damage calculation can be done multiple times in burst mode, the number of time it's executed is passed to the function. I suppose it's the number of bullets that hit the target.

There's interesting code around this but it's here that damage calculation is really done.
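
The loop in the listing above, ported instruction by instruction as an added example that is not part of the original post. It keeps the truncation at every `idiv`/`sar` step, which a single closed-form expression hides; the function names and the sample values in the usage lines are constructed, and 32-bit overflow of `imul` is not modelled.

```python
def idiv(a, b):
    """Signed division truncating toward zero, as x86 idiv does.

    Python's // floors instead, which differs for negative operands.
    """
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q

def hit_damage(base_damage, dam_mult, dam_div, cbt_diff_mod,
               dmg_tresh, ammo_dr_adj):
    """One pass through the cumuldamages loop body (004249EC-00424A58)."""
    dmg = base_damage * dam_mult             # imul ebx, dam_mult
    if dam_div != 0:                         # test ebp, ebp / jz
        dmg = idiv(dmg, dam_div)             # idiv ebp
    dmg = idiv(dmg, 2)                       # sub eax, edx / sar eax, 1
    dmg = idiv(dmg * cbt_diff_mod, 100)      # imul edx, eax / idiv ebx
    dmg -= dmg_tresh                         # sub ebx, edx
    if dmg > 0:                              # jle skips the DR adjustment
        dmg -= idiv(dmg * ammo_dr_adj, 100)  # damages2, then sub ebx, eax
    return dmg if dmg > 0 else 0             # only positive damage is added

def total_damage(rolls, bonus_ranged, dam_mult, dam_div, cbt_diff_mod,
                 dmg_tresh, ammo_dr_adj):
    """Sum over nbhit iterations; rolls stands in for random_damage()."""
    return sum(
        hit_damage(roll + bonus_ranged, dam_mult, dam_div, cbt_diff_mod,
                   dmg_tresh, ammo_dr_adj)
        for roll in rolls
    )

if __name__ == "__main__":
    # Constructed three-hit burst: per-hit results are 9, 1 and 9.
    print(total_damage([15, 5, 15], 0, 2, 1, 100, 4, 25))
```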
 