Engine reversing/exploration

Kanhef said:
Several fields are always zero; I presume they're used in-game, but haven't looked at that yet.
They're just the name and description of the perks/skills/whatever. They're 0 to start with because fallout loads them all from the message files to support multiple languages.

Edit: and to fill in those unknowns for you, the 3rd field of traits, perks and stats (and 4th of skills) is the image frame id, and the last field of skills is non-zero if the xp gain from use should be multiplied by the 5th argument to the show_skill_use_messages function.
 
This looks interesting! I'm thinking of adding Enhanced Knockback to big shotguns. I remember that trying to give the Ripper laser damage to make it cut people in half didn't work, now I know why.

Incidentally, coming from someone with an IN of < 10, is there any way to edit this info and recompile it? The perks, for example, would be good patch candidates.

Also, is the player unarmed damage handled in the engine, or can you just edit the proto files?
 
Magnus said:
This looks interesting! I'm thinking of adding Enhanced Knockback to big shotguns.

AFAIK it doesn't work on ranged weapons, but Kanhef will prob be able to confirm.

Magnus said:
I remember that trying to give the Ripper laser damage to make it cut people in half didn't work, now I know why.

Yeah - I am hoping and praying Timeslip or Kanhef will be able to figure out how to allow melee weapons to cause death animations ... *prays to Timeslip and Kanhef*
 
I encourage people to experiment and see what happens. At worst you'll have to reinstall the game, which isn't that big a deal. Timeslip seems to have figured a lot of this out already, so I hope I'm posting new information.

Until it's added to sfall, you can change perks and such by editing Fallout2.exe with a hex editor. Make a backup first, of course. The offsets will be different, and data will probably be stored little-endian, but the contents and order in data blocks will be the same. I'll try to find the offsets for the data I've mentioned so far soon.

For general melee damage, you can edit the protos or save.dat . If you mean the damage bonus for skilled unarmed attacks, that's in the engine, in the item_w_damage function. It looks like the code is around 0x688f0; Timeslip should be able to confirm that. Note that each of the damage bonus values (3, 5, 7, 9, 10, 12) is only used once, so changing the haymaker will also affect the palm strike, snap kick, and hip kick. I haven't found the other properties (critical chance, piercing, AP, stat/skill requirements) yet, since each is in a different function.

I'll keep working on the death animations. In the meantime, here's some more special-case code:

item_w_compute_ammo_cost - this doubles the ammo usage of items 399 and 407, which are the super cattle prod and mega power fist respectively. This is why they use two energy cells per attack without having any burst mode settings.

Weapon Knockback is used only at the very end of compute_damage, and causes some value to be divided by 5 instead of by 10. If the player has the Stonewall perk and fails a check (50% chance), it is multiplied by 1.5 . If the player passes the check, this entire section is skipped. So it's completely independent of weapon type.
 
It's proven that shooting someone and knocking him back is not realistic with the weapons from our time. The knockback perk should be added only to the weapon(s) that shoot with great strength. Shotgun and Sawed-Off Shotgun are just normal shotguns, I don't think it would be realistic for them to have knockback.

But, anyway, the game is very unrealistic (like all games, actually), so it wouldn't hurt adding knockback to any weapon you wish. It would be realistic on everything with Explosive damage, the Pulse Rifle/Pistol, the EMP grenade, the Alien Blaster (since it's unknown what technology it uses), maybe on the Jackhammer, even on Gauss weapons, but I'm not sure of the exact way they work - it's described on wikipedia, I think it was some sort of electromagnetic field.
 
Kanhef said:
Until it's added to sfall, you can change perks and such by editing Fallout2.exe with a hex editor. Make a backup first, of course. The offsets will be different, and data will probably be stored little-endian, but the contents and order in data blocks will be the same. I'll try to find the offsets for the data I've mentioned so far soon.
sfall has allowed you to change the perk table for yonks. (via a perks.ini file, which also lets you add new entries to the table.) You can't use it to change the trait/skill/stat tables directly, (there may have been functions to set stat min/max, can't remember...) but you can still use the WriteXXX functions to save having to do any hex editing. I'm not at home at the minute, so I can't post the offsets you need, but I'll edit them in when I get back.

Edit: Ack, forgot I said I'd post them. Ah well, better late than never:

perk_data: 519DCC
skill_data: 51D118
trait_data: 51DB84
stat_data: 51D53C
pc_stat_data: 51D8CC

Kanhef said:
For general melee damage, you can edit the protos or save.dat . If you mean the damage bonus for skilled unarmed attacks, that's in the engine, in the item_w_damage function. It looks like the code is around 0x688f0; Timeslip should be able to confirm that.
I'm occupied trying for proper 32 bit colour again. Once I get that working or give up again, I'll take a look.

Blackened said:
But, anyway, the game is very unrealistic (like all games, actually), so it wouldn't hurt adding knockback to any weapon you wish.
sfall also lets you modify this already. There's functions for setting custom multipliers or fixed absolute values on individual weapons, as well as two settings per critter for when they're attacking or a target.
 
Timeslip said:
I'm occupied trying for proper 32 bit colour again. Once I get that working or give up again, I'll take a look.
Since you're messing with graphics... Any chances to hack this past-gen crap and remove tile size restriction (but this would require to hack a Mapper, otherwise you won't be able to build any map from larger tiles :P) or give a possibility to totally disable utter broken highlight "feature" on scenery/walls?

Tile problem:

Default tile (80x36):

defd.gif


Custom tile (for example 3x3 tile in one piece):

cus.gif


or can be even bigger - 4x4 or 5x5 (or 5x3, or 4x1), for example, since engine will be able to handle it.

Highlight problem:

Continuum said:
Anyway, here's that utter broken highlight feature in action:



I did some testing and here's a result:

- red dots: engine will start to highlight (left screenie),
- green dots: nothing, no fucking highlight (right screenie).

Continuum said:
Anyway, I was playing with different Frames Offset and nothing, the same results. So, three "back" hexes are safe, but three "front" hexes aren't. Here's the area where engine is starting to highlight (closer to blocking hex = increased effect):

snap026copy.gif
 
Yes, we totally need to get rid of the tile size limit (floor and roof tiles).

Even if we still would need to add invisible fake-tiles to tell the game that we are under a roof, etc.
 
Yeah, it's even more important than 32 bit colors, I'd say. 228 colors aren't a problem for me. Not to mention that 99,9% of FO's graphics will be still running in 8 bit mode. No advantages. But this shitty restriction with tiles is a totally different story... it very effectively prevents doing any larger, good looking floors/roofs because of TONS of fucking small and unique pieces you must make (split it/add to game/etc.). Or you must do workarounds with scenery that acts as tiles, which causes problems with the highlight feature! WTF? :D
 
A couple more things that I haven't seen documented before:

Dynamite does 30-50 damage. Plastic Explosives (or any other non-Dynamite explosive item) does 40-80 damage. The Demolition Expert perk adds 10 to the upper and lower bounds, effectively a +10 damage bonus.

The logic for random encounters is rather complicated, but I found a section that's a bit more intelligible and interesting in _wmRndEncounterPick. A random number is rolled between zero and some upper bound determined by the encounter table somehow. (Luck - 5) is added, then +5 on Easy difficulty or -5 on Hard. The Explorer perk gives a +2 bonus; Ranger and Scout each add 1. So the perk descriptions are correct in saying that they increase the chance of finding special encounters, and the Outdoorsman skill is not a factor.
 
Hello there, NMA.

Some of my findings might be relevant to already mentioned issues (there is much more, but it'll take time to write it all down. I'll try to do this when I find some spare time). All of the code is from PC version:

1. Weapon Knockback, and its behaviour with various weapons
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
00424AD0  |.  837C24 04 06  CMP DWORD PTR SS:[LOCAL.15],6
00424AD5  |.  74 1A         JE SHORT 00424AF1
00424AD7  |.  837E 08 00    CMP DWORD PTR DS:[ESI+8],0
00424ADB  |.  74 14         JE SHORT 00424AF1
00424ADD  |.  8B56 04       MOV EDX,DWORD PTR DS:[ESI+4]
00424AE0  |.  8B46 08       MOV EAX,DWORD PTR DS:[ESI+8]
00424AE3  |.  E8 98370500   CALL _item_w_subtype                     ; [FALLOUT2._item_w_subtype
00424AE8  |.  83F8 02       CMP EAX,2
00424AEB  |.  0F85 B1000000 JNE compute_damage_end                   ; bail out if non-explode and real weapon type != 2
00424AF1  |>  8B4424 14     MOV EAX,DWORD PTR SS:[LOCAL.11]
00424AF5  |.  8B40 64       MOV EAX,DWORD PTR DS:[EAX+64]
00424AF8  |.  C1E8 18       SHR EAX,18
00424AFB  |.  83F8 01       CMP EAX,1                                ; already knocked down?
00424AFE  |.  0F85 9E000000 JNE compute_damage_end
00424B04  |.  8B4424 14     MOV EAX,DWORD PTR SS:[LOCAL.11]
00424B08  |.  BA 00400000   MOV EDX,4000
00424B0D  |.  8B40 64       MOV EAX,DWORD PTR DS:[EAX+64]
00424B10  |.  E8 979B0000   CALL _critter_flag_check                 ; [fallout2.flag_read
00424B15  |.  85C0          TEST EAX,EAX                             ; knockdown flag test
00424B17  |.  0F85 85000000 JNE compute_damage_end
Then the knockbacking section follows.

compute_damage_end is actually 00424BA2. LOCAL.15 (stack variable +4) holds the damage type, 6 is explode. Item subtype 2 means melee weapon. As one can see, entire knockback section is skipped when real weapon is not of melee type and not explode type, OR one of the checks: critter is already knocked; critter is unknockable is passed.
What knockback section does is updating [offset_attack_struct+34] to the certain value (damage/10; weapon knockback perk makes it damage/5; stonewall makes check if (rnd(0,100) < 50) and sets 0 in case of success; also, stonewall divides the total value by 2, no matter the throw result). This value is then used by action_knockback to determine the number of hexes travelled by the target.


2. Weapon Enhanced Knockout (yep, there's no such thing like Enhanced Knockback)
This works pretty much as Kanhef described and with any weapon type.


3. Weapon perks, concerning ToHit
If I'm not mistaken somehow, this works like this: http://fonlinedocs.netii.net/tohit2.c
I was testing this reversed formula in FO2, and it worked fine.


4. Special unarmed attacks
+critical chance is actually "partial slayer". +50% chance means that a non-critical hit has a 50% chance to be upgraded. Also, the code (starting at 42394A) is bugged: only two of the attacks are checked, the rest of the upgrading code (for other attacks) is there, but is skipped. However, this can be easily fixed by changing jump addresses.
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
0042394A  |> \8B56 04       MOV EDX,DWORD PTR DS:[ESI+4]             ; = attack type
0042394D  |.  83FA 10       CMP EDX,10                               ; next: special unarmed attacks, upgrade to critical, BUGGED!
00423950  |.  74 09         JE SHORT 0042395B
00423952  |.  83FA 09       CMP EDX,9
00423955  |.  0F85 B2000000 JNE special_no_upgrade
Then the upgrade code follows, ending just before special_no_upgrade (423A04).

[edit] Ah yeah, forgot to add something already written down: http://fonlinedocs.netii.net/fo2calg.pdf - critical failures behaviour. The tables themselves:
Code:
fallout2.exe at file offset 0x1065A0
row: weapon type (critfail list), column: critfail severity
0x00000000 0x00800000 0x00800000 0x02000800 0x00002000
0x00000000 0x00800000 0x00400000 0x00001000 0x00000100
0x00000000 0x00000200 0x00400000 0x00001000 0x00200000
0x00800000 0x00800200 0x00C00000 0x00001000 0x00900000
0x00000400 0x00400000 0x00400800 0x00001000 0x00100000
0x00800000 0x00000400 0x00200000 0x00001000 0x02900000
0x00000000 0x00800000 0x00001000 0x00200000 0x00940000

0x00000100 hit self
0x00000200 lost rest of ammo
0x00000400 fired dud shot
0x00000800 hurt self
0x00001000 hit randomly
0x00002000 crippled random limb
0x00040000 on fire
0x00100000 weapon exploded
0x00200000 weapon destroyed
0x00400000 weapon dropped
0x00800000 lost next turn
0x02000000 knocked down
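
The table and flag legend above, decoded mechanically, as an added example that is not part of the original post: it reads the 7x5 table at the stated file offset and names the flags set in each cell. The sample image is constructed from the values in the post, the row-major little-endian dword layout is an assumption, and all function names are illustrative.

```python
import struct

OFFSET = 0x1065A0   # file offset of the table in fallout2.exe, from the post
ROWS, COLS = 7, 5   # rows: weapon type (critfail list); columns: severity

FLAGS = {  # legend copied from the post
    0x00000100: "hit self",
    0x00000200: "lost rest of ammo",
    0x00000400: "fired dud shot",
    0x00000800: "hurt self",
    0x00001000: "hit randomly",
    0x00002000: "crippled random limb",
    0x00040000: "on fire",
    0x00100000: "weapon exploded",
    0x00200000: "weapon destroyed",
    0x00400000: "weapon dropped",
    0x00800000: "lost next turn",
    0x02000000: "knocked down",
}
KNOWN_MASK = sum(FLAGS)  # every key is a distinct single bit, so sum == OR

TABLE_FROM_POST = [  # values copied from the post
    [0x00000000, 0x00800000, 0x00800000, 0x02000800, 0x00002000],
    [0x00000000, 0x00800000, 0x00400000, 0x00001000, 0x00000100],
    [0x00000000, 0x00000200, 0x00400000, 0x00001000, 0x00200000],
    [0x00800000, 0x00800200, 0x00C00000, 0x00001000, 0x00900000],
    [0x00000400, 0x00400000, 0x00400800, 0x00001000, 0x00100000],
    [0x00800000, 0x00000400, 0x00200000, 0x00001000, 0x02900000],
    [0x00000000, 0x00800000, 0x00001000, 0x00200000, 0x00940000],
]

def build_sample_image():
    # Constructed stand-in for the exe: zero padding, then the table.
    flat = [v for row in TABLE_FROM_POST for v in row]
    image = bytearray(OFFSET + 4 * len(flat))
    struct.pack_into("<%dI" % len(flat), image, OFFSET, *flat)
    return bytes(image)

def read_table(image, offset=OFFSET):
    # Assumed layout: ROWS x COLS little-endian dwords, row after row.
    count = ROWS * COLS
    if offset < 0 or offset + 4 * count > len(image):
        raise ValueError("image too short to hold the table at this offset")
    flat = struct.unpack_from("<%dI" % count, image, offset)
    return [list(flat[r * COLS:(r + 1) * COLS]) for r in range(ROWS)]

def decode(value):
    # Names of the flags set in one cell; bits outside the legend are reported.
    names = [name for bit, name in sorted(FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append("unknown bits 0x%08X" % unknown)
    return names or ["(no flags)"]

def describe(image):
    return [[decode(v) for v in row] for row in read_table(image)]

if __name__ == "__main__":
    for r, row in enumerate(describe(build_sample_image())):
        print("list %d:" % r, " | ".join(", ".join(c) for c in row))
```

Pointing `read_table` at a real executable's bytes and comparing against `TABLE_FROM_POST` is a quick way to confirm the offset matches the binary in hand before editing anything.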
 
The function ai_search_inven_weap is where critters choose which weapon to use. For any quadruped, with the exception of Goris, it immediately returns, preventing them from using weapons.

ai_search_inven_armor is used to select the best armor. It only works for party members, so other critters will not wear any armor they are carrying. It also returns immediately for anyone that is not a biped. Armors are compared by the sum of their AC and all DR/DT values.

gdControl seems to control most of the NPC 'combat control' settings. A special-case check prevents Marcus from wearing armor.

Bypassing these checks has some interesting consequences. Dogmeat or K-9 with a mega power fist is brutal (at max level, 17 AP and +20 melee damage, 19 and +21 respectively - 5 attacks for 40-60 damage each and 6 attacks for 41-61). NPCs that normally can't wear armor have 'built-in' resistances, usually equivalent to metal or combat armor, depending on level; this stacks with anything else you give them. Wearing power armor, they're just about indestructible: normal DTs of 16-22, DR 70-80%.

The problem is that since they're not supposed to equip items, there's no dialogue option to make them remove anything. The only way to get equipment back is to give them something better. The dogs will have to stay behind at NCR. Still, it's a lot of fun.

----
Just finished working my way through perk_can_add(), which was more complicated than expected. Apparently the skill requirements, as well as primary stats, can be negative, turning them into a maximum value rather than a minimum. Also, if a 'skill' has the 0x04000000 bit set, it checks a global variable instead. Not sure how useful that is, the best I can think of is to make some perks depend on reputation or karma ranks.
 
Atom said:
4. Special unarmed attacks
+critical chance is actually "partial slayer". +50% chance means that a non-critical hit has a 50% chance to be upgraded. Also, the code (starting at 42394A) is bugged: only two of the attacks are checked, the rest of the upgrading code (for other attacks) is there, but is skipped. However, this can be easily fixed by changing jump addresses.
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
0042394A  |> \8B56 04       MOV EDX,DWORD PTR DS:[ESI+4]             ; = attack type
0042394D  |.  83FA 10       CMP EDX,10                               ; next: special unarmed attacks, upgrade to critical, BUGGED!
00423950  |.  74 09         JE SHORT 0042395B
00423952  |.  83FA 09       CMP EDX,9
00423955  |.  0F85 B2000000 JNE special_no_upgrade
Then the upgrade code follows, ending just before special_no_upgrade (423A04).

Was this ever addressed in sfall?
 
Glovz said:
Atom said:
4. Special unarmed attacks
+critical chance is actually "partial slayer". +50% chance means that a non-critical hit has a 50% chance to be upgraded. Also, the code (starting at 42394A) is bugged: only two of the attacks are checked, the rest of the upgrading code (for other attacks) is there, but is skipped. However, this can be easily fixed by changing jump addresses.
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
0042394A  |> \8B56 04       MOV EDX,DWORD PTR DS:[ESI+4]             ; = attack type
0042394D  |.  83FA 10       CMP EDX,10                               ; next: special unarmed attacks, upgrade to critical, BUGGED!
00423950  |.  74 09         JE SHORT 0042395B
00423952  |.  83FA 09       CMP EDX,9
00423955  |.  0F85 B2000000 JNE special_no_upgrade
Then the upgrade code follows, ending just before special_no_upgrade (423A04).

Was this ever addressed in sfall?

Not that I can see. I've dug a bit deeper into the code and can see the problem. I'll issue a fix for it shortly after double checking sfall again to make sure that nothing has been done -- wouldn't want double fixing to occur, after all. ;)

-- The Haen.

Edit: A fix has now been committed to sfall for this issue. So expect to see it in the next sfall release.
 
Was wondering: does anybody still have the function lists/architecture Kanhef made saved somewhere? Links are dead unfortunately. I always feel a bit guilty making completely uninformed requests to Timeslip, so I'd like to get at least a bit of a feel for how the .exe does things.
 
I'm shocked, how did you guys manage to generate a list of function names? It's too big to be filled manually :)
I'm using IDA disassembler (it has cool features like pseudocode), but all game-related functions are unnamed. There is no information to restore their names in EXE, as far as I know, so... how in hell did you manage that?
(I wanted to attach this list to my debugger database somehow, but it looks like the offsets in F2_function_structure.txt are wrong (they are not actual offsets from the "canon" fallout2.exe that sfall uses)).

Please, help me understand this.

Ok, I think I got it. It turns out mapper actually includes debug information with almost all functions having names: http://return0.pisem.net/script.html
Sadly, I can't apply all this automatically to fallout2.exe, but at least I can see how stuff works in mapper.

Edit:
For those who are interested, MAPPER2.EXE decompiled in C using IDA (w/ 95% functions having meaningful names): https://yadi.sk/d/QbT9VnD8aA9wQ
As you may know, mapper2 contains whole game code inside, so you can use this to see how actual game works.
 
I'm shocked, how did you guys manage to generate a list of function names? It's too big to be filled manually :)
I'm using IDA disassembler (it has cool features like pseudocode), but all game-related functions are unnamed. There is no information to restore their names in EXE, as far as I know, so... how in hell did you manage that?
(I wanted to attach this list to my debugger database somehow, but it looks like the offsets in F2_function_structure.txt are wrong (they are not actual offsets from the "canon" fallout2.exe that sfall uses)).

Please, help me understand this.

Ok, I think I got it. It turns out mapper actually includes debug information with almost all functions having names: http://return0.pisem.net/script.html
Sadly, I can't apply all this automatically to fallout2.exe, but at least I can see how stuff works in mapper.

Edit:
For those who are interested, MAPPER2.EXE decompiled in C using IDA (w/ 95% functions having meaningful names): https://yadi.sk/d/QbT9VnD8aA9wQ
As you may know, mapper2 contains whole game code inside, so you can use this to see how actual game works.

Yes, the site you linked gives an IDA script to populate Mapper symbols.
It's worth noting that the pseudocode is fairly useless for all but small, contained branches, or for getting a five-foot overview. It doesn't seem to like the calling convention that the game uses. (For the record, I don't either. The code Watcom generated is absolutely terrible by today's standards. It annoys me to read it.)
 