\\This document lists .EXE addresses for editing//
Offsets
Section   Virtual Address   Raw Address   Delta
.text     00401000          00000400      00400C00
.rdata    007B6000          003B4C00      00401400
.data     007BA000          003B8A00      00401600
.rsrc     00F51000          0059BA00      009B5600
Add Resist to displayed Statuses
41C4C0 = 90 90 90 90 90 90
41C5B9 = 90 90 90 90 90
6E17FB = B9 20 00 00 00
6DD2A4 = B9 20 00 00 00
Enemy Phys. Defence Doubled Here at Battle Start:
5D08CE
and MDEF:
5D08DF
Special Effects
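Procedure MdefBug_6C51DE; stdcall; //fixed by NFITC1
Begin
  asm
    mov eax,[ebp-08]          // index taken from the local at [ebp-08]
    mov ecx,[eax*4+$919928]   // dword table lookup at 919928
    imul ecx,ecx,$84
    xor edx,edx
    mov dl,[ecx+$DBFDA9]      // byte read from the record at ecx*84h
    imul edx,edx,$24
    xor eax,eax
    mov al,[edx+$DBCCE3]      // byte read from the record at edx*24h
    mov [ebp-04],eax          // result stored in the local at [ebp-04]
  end;
End;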
Could use to rewire Spirit's value in MDEF and perhaps Vit as
well if it's close by.
Multi-hit: 5DC913 (exact line where edx is set to multi-hit value)
5dd415 - Dragon Force effect
5dd1a6 - Howling Moon effect
5dd183 - Lunatic High effect
5dd158 - Hero Drink effect
However, the correct text will also need adding back if not present
(Luksy's touphScript will need an update too if not adding back with hex)
For example, to add Resist back
91E94A = 32 45 53 49 53 54 FF
Where the text list is loaded for materia type
0070B3A6
6F59FB Corrupts text
Check 99e350 to locate special wep formulas
05DC901 = battle special formula jump
Missing Score
5DFD2E
99e350 (99E308 + 48)
Kills variance
005DE80E nop that for X1
Divisor that affects the 'enemies killed = damage' formula
This changes it from
[((Enemies killed by Vincent)/128)+10]/16
to
[((Enemies killed by Vincent)/16)+10]/16
0x1DC929 07 -> 04
savemap stuff done by a defunct earth harp script.
Dips into cait and vince scripts. Could use these
if comparing young cloud/seph to cait/vince for hacks.
byte_DC00A5 = 1;
byte_DC00A4 = 6;
byte_DC00B2 = 1;
byte_DC00B3 = -1;
dword_DC00E0 = 0xFF FF FF;
byte_DC0129 = 1;
byte_DC0128 = 7;
byte_DC0136 = 1;
byte_DC0137 = -1;
dword_DC0164 = 0xFF FF FF
Potential Leads on Kernel Equip stat calcs
704FD3
005ce8eb
005cb65c
Starts 6C51FC
Based on this, I need to somehow make it take the 3rd and 4th slot
and deduct from it rather than add. As it stands, I can't deduct
as this does it by stat rather than slot.
6C5229: Affects Strength
6C524F: Affects Vitality
6C5275: Affects Magic
6C5298: Affects Spirit
6C52BB: Affects Dexterity
6C52DE: Affects Luck
006C5529 - accesses the chunk of enhance sword associated with stat boosts,
maybe isolate this down to only the stat value itself?
006C524F: First Weapon Stat Add
6C56E3 - Armour: 2nd Stat
Command Addresses
5C8FB0:
5C8FC6:
5C8FDF:
5C904D:
5C9150:
5C928E:
5C92A7:
5C930A:
5C930F:
5C93A1: Morph [false]
5C9C67 (START) - SUBTRACT 8
Copies memory from 99CE0C
Copy 16
Copies 99CE0C again
compares dword ptr ecx for 3
Jump to 5C9DB7 if not less (returned false)
Copies 99CE0C
Copies eax,[edx]
Signed multiply by 18
Adds 9A8E54 to eax
Copies eax
Copies ecx
xor edx, edx
Copy dl,ecx
Copy 99CE0C
Copy edx,eax
[some stuff]
Push 05
Call 5CA766
Subtract 8 from esp
Then eax gets a signed divide of 2, 6 times (12)
No change when modified
[Some memory copy stuff for 99CE0C]
Multiply by 2, 2 times
5C80A7: seems to be a loop here for a divide once by 2
Animation related (see below)
5C80E5: Signed divide by 2, 8 times here
Seems to affect animation; cloud hops forward and back
but does nothing when changed to 2.
5C80F7: multiply by 2, once
5D17E1: Signed divide by 2, 4 times
Changing it lower reduces damage instead of increasing it.
Changing it higher seems no effect. Something else?
5D9DF9: Multiply by 2, CL times
5DC1F5: Divide by 2, 3 times
No
433675: Divide by 2, 5 times
No
5CA76F: divide by 2, 3 times
No
Potential lead on Flash (and other command addresses)
[On making it so that statuses don't get added to Flash]:
This can be done at 5CA65F. I just need to change it to make ecx = 1 regardless.
So only death will be used with Flash. Nothing else.
Access Menu while in the Sub
E045E4: Set to 2
Sadness Calculation
005DE970
imul eax, eax, 03 (03 = 30%, change to desired value)
Passive EXP Gain
Use a hex editor on ff7.exe to change the values at 0x1C6301 from-
(need to examine this in-game to determine what's happening here,
I suspect it's an offset? Gotta find out what these values represent)
D1 F8
to
33 C0
That will give 0 exp to every out of battle character.
{New physical accuracy
#Hit% = Accuracy_of_Attack- Target's_Evade
5DDD47 = 90 90
5DDD81 = 90 90 90
Tifa's Reels
Address 0x51D4D0
1, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
1, 0, 2, 2, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 1, 0, 2, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
1, 1, 1, 0, 2, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 1, 1, 0, 0, 2, 0, 2, 0, 1, 1, 1, 1, 1, 1, 1
1, 1, 1, 1, 0, 0, 2, 0, 2, 0, 0, 1, 1, 1, 1, 1
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 1, 1, 1, 0, 0, 0, 2, 0, 0, 0, 0, 1, 1, 1, 1
Enemy Defence Doubled Here (suspected to not matter as it is overwritten by formula)
PDEF: 5D08CE
MDEF: 5D08DF
[Status Colours] - 8FE150 (4FD500) or does it start earlier??
In Order:
\\4FD550//
BF D9 4C : Yellow
E8 D9 4C : Yellow
Guess: Peerless? Seems to be short.
If longer then starts from:
\\4FD558//
11 DA 4C : Green
3A DA 4C : Green
63 DA 4C : Green
8C DA 4C : Green
Guess: Poison
\\4FD563//
C0 CF 4C,
E9 CF 4C,
00 12 DC
[Poison Hacks]
This one allows enemies to be damaged by Poison element even if they're
immune to the Poison status = Tested
0x433765 (0x032B65) 74 -> EB
This one converts Poison 'tick' damage into other elements:
0x5C9FCB (0x1C93CB): It's traditionally set to 0010h.
Set that to any element mask you want. 0000h would be non-elemental.
[Materia Effects: Editing]
These values start here:
0x8FEEC8 (0x4FD8C8)
And apparently ends here: 0x8FF017 (this is where elements are stored)
Starts with: 00, then first number, each separated by 00 (+) or an FF (-)
The way it works is that it has the Positive/Negative modifier first, followed by
the value. So Tier 11 looks like this:
F6 FF F6 FF F6 FF F6 FF 00 00 00 00 FB FF FB FF
If the number is unchanged (like Dex and Lck here) then 00 is used for the value
and the modifier. Note that FF denotes negative AND -1; don't get confused!
FF -1
FE -2
FD -3
FC -4
FB -5
FA -6
F9 -7
F8 -8
F7 -9
F6 -10
F5 -11
F4 -12
F3 -13
F2 -14
F1 -15
F0 -16
EF -17
EE -18
ED -19
EC -20
EB -21
EA -22
E9 -23
E8 -24
E7 -25
E6 -26
E5 -27
E4 -28
E3 -29
E2 -30
E1 -31
E0 -32
DF -33
DE -34
DD -35
DC -36
CE -50
CD -51
CC -52
CB -53
CA -54
C9 -55
C8 -56
C7 -57
C6 -58
C5 -59
C4 -60
C3 -61
C2 -62
C1 -63
C0 -64
A0 -96
9F -97
9E -98
9D -99
9C -100
Can keep going, the memory leak 15 shows that it can go as high as 128; any higher
and it might creep into the negative values; I guess they meet each other in the
middle at an equal split of Hex's maximum value: 256 (128 each way in other words).
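Decoding and encoding one row of the format described above, as an added example that is not part of the original notes. It assumes each stat is a value byte followed by its 00/FF sign byte, as in the Tier 11 row quoted, and keeps values within the 128-each-way range mentioned; `decode_row` and `encode_row` are hypothetical names.

```python
# Added example; the row bytes are the Tier 11 line quoted in these notes.
TIER_11 = bytes.fromhex("F6 FF F6 FF F6 FF F6 FF 00 00 00 00 FB FF FB FF")


def decode_row(raw):
    """Turn value/sign byte pairs into signed integers.

    Raises ValueError when a sign byte contradicts its value byte, which is
    the mistake the notes warn about (FF is both "negative" and -1).
    """
    if len(raw) % 2:
        raise ValueError("row must consist of whole value/sign pairs")
    out = []
    for i in range(0, len(raw), 2):
        value, sign = raw[i], raw[i + 1]
        if sign not in (0x00, 0xFF):
            raise ValueError(f"pair {i // 2}: sign byte {sign:02X} is not 00 or FF")
        negative = value >= 0x80
        if negative != (sign == 0xFF):
            raise ValueError(
                f"pair {i // 2}: {value:02X} {sign:02X} pairs a positive value "
                "with FF or a negative value with 00"
            )
        out.append(value - 0x100 if negative else value)
    return out


def encode_row(values):
    """Build the byte row for a list of signed stat changes."""
    out = bytearray()
    for v in values:
        if not -128 <= v <= 127:
            raise ValueError(f"{v} does not fit in the one-byte value")
        out += bytes([v & 0xFF, 0xFF if v < 0 else 0x00])
    return bytes(out)


if __name__ == "__main__":
    print(decode_row(TIER_11))
    print(encode_row([-10, -10, -10, -10, 0, 0, -5, -5]).hex(" ").upper())
    try:
        decode_row(bytes.fromhex("F6 00"))  # constructed bad pair
    except ValueError as err:
        print("rejected:", err)
```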
[Truly Random Encounters]
CurrentRandEncLUT = (GameTimerFraction >> 2) AND 255
//this manipulation is required to get the full range in a byte
because the fraction is increased by 1092 each tic.
[Vincent Mug Glitch Fix]
1. Open the ff7/battle/battle.lgp file in a hex editor.
2. Search for the case-sensitive ascii string "SHAB" without quotes.
3. Search for the byte sequence 17h 1Ch from the point you found the SHAB.
4. The byte preceding the 17h should be 12h.
My mostly-unaltered battle.lgp file has this at address 0x3A7D7F2.
5. Change this 12h to something less. I tried 0Ch and it looks nice.
[Command Materia Editing]
So this hack is to have commands not replace each other when they're unlocked
on Command Materia (for instance, having Sense and Morph on the same Materia).
Commands will still appear as greyed out in the menu, but a fix for that is
below this primary fix.
Segment starts at 0x5CEC0B (0x1CE00B)
Address for the Edit: 1CE023
0F 8C BB 00 00 00
8B 55 08
81 E2 FF 00 00 00
6B D2 14
8B 45 F8
33 C9
8A 8C 02 6E DF DB 00
81 F9 FF 00 00 00
74 1C
8B 55 08
81 E2 FF 00 00 00
6B D2 14
8B 45 F8
8A 8C 02 6E DF DB 00
51
E8 84 00 00 00
EB AF
90 90 90
This fixes the palette, telling the game to display each
command with Palette 1 (white)
Address at: 0x5CEC85 (0x1CE085)
Start edit at: 1CE08A
7D 52
8B 4D 08
81 E1 FF 00 00 00
6B C9 14
8B 55 F8
8B 45 F4
8B 75 F8
8A 8C 31 6E DF DB 00
88 4C 50 1A
33 D2
8B 55 F8
3B 55 FC
7D 0D
8B 55 F8
8B 45 F4
C6 44 50 1B 01
EB 0B
8B 55 F8
8B 45 F4
C6 44 50 1B 00
EB AD
90 90 90 90
90 90 90 90
90 90 90 90
90 90
[Long Range enemy attacks]
Note: Short-Range flag required for short-range attacks if this is enabled
It selectively blacklists the 20h command from receiving
long-range consideration. Changing the command index checked to
something out of range would be ideal:
[Subtract 400C00 for FF7.EXE address?]
Address at 0x5DE704 (1DDB04):
0x5DE704: 83 78 28 20 -> 83 78 28 50
[Mega-All doesn't grant Slash-All]
Could be handy for using 2x-Cut with Mega-All.
Address at 0x5CD049 (0x1CC449): change 74 to E9
[CAUSED CRASH WHEN LOADING SAVE]
Update: Another source claims: it's EB not E9
[Tent Adjustment - NFITC1]
Tents heal for 10,000HP and MP by default, capped by MaxHP/MP.
Function at 0x6CBA6A (2CAD76)
0x003164B5 : 68 10 27 00 00 --for HP
0x003164C6 : 68 10 27 00 00 --for MP
These translate into "PUSH 10000" which is in big-endian format.
Changing it to, say:
0x003164B5 : 68 88 13 00 00 --for HP
0x003164C6 : 68 F4 01 00 00 --for MP
Would restrict tents to heal no more than 5000 HP and 500 MP.
So the value you push will limit the healing it will do. I'm not
going to go into how to do this. It requires a hex editor and an
understanding of endianness.
That's the SIMPLE way to do it. If you wanted to get REALLY complicated
you could re-write the whole tent function (or redirect it) to do
something different. The function's range is between 0x717010 and
0x717123.
[Slot 1 Commands like Slash-All get their own slot]
These edits will make them no longer override the top slot.
Slash-All: 0x1CE2FD: FD -> C1
2x-Cut: 0x1CE30A: F0 -> B4
Flash: 0x1CE317: E3 -> A7
4x-Cut: 0x1CE324: D6 -> 9A
They still override each other in their new slots, but at least
Attack is left alone.
[Materia Master Disabled]
1. Disable the Weapon AP materia birth sub call:
Change 0x005CAF12 (0x001CA312) from
E8 68 12 10 00 83 C4 04
to
EB 06 90 90 90 90 90 90
2. Disable the Armor AP materia birth sub call:
Change 0x005CB0C5 (0x001CA4C5) from
E8 B5 10 10 00 83 C4 04
to
EB 06 90 90 90 90 90 90
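The address pairs used throughout these notes (for example 0x5CAF12 with 0x1CA312) follow from the Offsets table at the top, and a from/to edit can be checked against the expected original bytes before anything is written. This is an added example, not part of the original notes: `va_to_raw`, `apply_patch` and the zero-filled demo buffer are constructed here, and it assumes each section's raw data ends where the next section's raw address begins.

```python
# Added example. Section values are copied from the "Offsets" table in these
# notes; function names and the demo buffer are constructed for illustration.
SECTIONS = [  # (name, virtual address, raw file address)
    (".text",  0x00401000, 0x00000400),
    (".rdata", 0x007B6000, 0x003B4C00),
    (".data",  0x007BA000, 0x003B8A00),
    (".rsrc",  0x00F51000, 0x0059BA00),
]


def va_to_raw(va):
    """Return the file offset for a virtual address, or None if the address
    is outside every section or has no bytes stored in the file."""
    for i, (_name, vstart, rstart) in enumerate(SECTIONS):
        nxt = SECTIONS[i + 1] if i + 1 < len(SECTIONS) else None
        if va < vstart or (nxt and va >= nxt[1]):
            continue
        raw = va - vstart + rstart  # identical to va - Delta from the table
        # Assumption: a section's raw data ends where the next one's begins.
        # The tail of .data beyond that exists only in memory (savemap etc.).
        if nxt and raw >= nxt[2]:
            return None
        return raw
    return None


def apply_patch(image, va, old_hex, new_hex):
    """Overwrite bytes at `va` only if the expected original bytes are there.
    Returns "patched" or "already applied"; raises ValueError otherwise."""
    old, new = bytes.fromhex(old_hex), bytes.fromhex(new_hex)
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    off = va_to_raw(va)
    if off is None:
        raise ValueError(f"{va:#x} is not backed by bytes in the file")
    current = bytes(image[off:off + len(old)])
    if current == new:
        return "already applied"
    if current != old:
        raise ValueError(
            f"{va:#x}: found {current.hex(' ')}, expected {old.hex(' ')}"
        )
    image[off:off + len(new)] = new
    return "patched"


# Edits quoted in these notes: (label, VA, from, to)
PATCHES = [
    ("Poison element vs. immune enemies", 0x433765, "74", "EB"),
    ("Weapon AP materia birth call", 0x5CAF12,
     "E8 68 12 10 00 83 C4 04", "EB 06 90 90 90 90 90 90"),
    ("Long range blacklist index", 0x5DE704, "83 78 28 20", "83 78 28 50"),
]


def demo():
    # Constructed stand-in for the executable: zero-filled, with the "from"
    # bytes planted where the notes say they live. Not real game data.
    image = bytearray(0x200000)
    for _label, va, old_hex, _new in PATCHES:
        old = bytes.fromhex(old_hex)
        off = va_to_raw(va)
        image[off:off + len(old)] = old
    first = [apply_patch(image, va, o, n) for _l, va, o, n in PATCHES]
    second = [apply_patch(image, va, o, n) for _l, va, o, n in PATCHES]
    return image, first, second


if __name__ == "__main__":
    image, first, second = demo()
    for (label, va, _o, _n), status in zip(PATCHES, first):
        print(f"{va:#010x} -> file {va_to_raw(va):#010x}: {status} ({label})")
    print("second run:", second)
    print("savemap 0xDBFD34 in file?", va_to_raw(0xDBFD34))
```

Addresses such as the savemap at DBFD34 or the debug area at D14900 map to nothing in the file under this assumption, so edits there apply to the running process only.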
[Item Menu Modification]
[Values are slightly off]
Power: 0x315F31; default 1
Guard: 0x315F80; default 1
Magic: 0x315FD0; default 1
Mind: 0x31601F; default 1
Speed: 0x31606E; default 1
Luck: 0x3160BB; default 1
[Correct values when game is running]
716B30 #str
716B7E #vit
716BCE #mag
716C1E #spr
716C6C #spd
716CB9 #lck
Potion (amount of HP to restore): 0x316184 ; default 64h, limit FFh
Hi-Potion (amount of HP to restore): 0x316212 ; default 1F4h, stored as word, limit 7FFFh (overflow could result otherwise)
Ether (amount of MP to restore): 0x3162A3 ; default 64h, limit FFh
Turbo Ether (amount of MP to restore): 0x316331 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Phoenix Down (amount of HP to restore): 0x3163C8 ; default 2, power of two to divide MHP by (eg. MHP / 2^[X] ), technically a bit-shift right, more below
Tent (amount of HP to restore): 0x3164B6 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Tent (amount of MP to restore): 0x3164C7 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
X-Potion (amount of HP to restore): 0x316570 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Elixir (amount of HP to restore): 0x316613 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Elixir (amount of MP to restore): 0x316627 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Megalixir (amount of HP to restore): 0x316715 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Megalixir (amount of MP to restore): 0x316726 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
{Menu potion, hi-potion, x-potion, ether, turbo ether to 25, 100, 1000, 10, 100
00716D83 = 6A 19
00716E11 = 6A 64 90 90 90
0071716F = 68 E8 03 00 00
00716EA2 = 6A 0A
00716F30 = 6A 64
{menu HP, MP
#6CBA6A
#6cbbbf
[Potential Sense Fix]
The HP requirement for Sense is at offset 0x1C9515. Easy to find in a hex-editor
and with proper testing. I just searched for 75 30 (= 30000 ; and I know the
bytes are reversed in a hex editor).
65,535 is the max here through Hex.
[Cait Sith & Vincent's Initial Data]
Cait Sith's is at offset 0x520c10 (120010), while Vincent's is at
offset 0x520c94 (120094).
If you want to edit them (to alter their starting stats, equipment, materia, ...), you can use the Wiki Savemap, "Table 2 : Character Record" section.
Some addresses :
Cait Sith's Level : 0x520c11 (120011) (1 byte)
Cait Sith's CurrentHP : 0x520c3c (12003C) (2 bytes)
Cait Sith's Base HP : 0x520c3e (12003E) (2 bytes)
Cait Sith's Current MP : 0x520c40 (120040) (2 bytes)
Cait Sith's Base MP : 0x520c42 (120042) (2 bytes)
Cait Sith's stats* : 0x520c12 (120012) (1 byte each)
Cait Sith's weapon : 0x520c2c (12002C) (1 byte)
Cait Sith's armor : 0x520c2d (12002D) (1 byte)
Cait Sith's accessory : 0x520c2e (12002E) (1 byte)
Materia on his weapon : 0x520c50 (120050) (4 bytes for each materia slot -
first byte is the materia ID, and
the next 3 bytes are its AP)
Materia on his armor : 0x520c70 (120070)
Vincent's Level : 0x520c95 (120095) (1 byte)
Vincent's CurrentHP : 0x520cc0 (1200C0) (2 bytes)
Vincent's Base HP : 0x520cc2 (1200C2) (2 bytes)
Vincent's Current MP : 0x520cc4 (1200C4) (2 bytes)
Vincent's Base MP : 0x520cc6 (1200C6) (2 bytes)
Vincent's stats* : 0x520c96 (120096) (1 byte each)
Vincent's weapon : 0x520cb0 (1200B0) (1 byte)
Vincent's armor : 0x520cb1 (1200B1) (1 byte)
Vincent's accessory : 0x520cb2 (1200B2) (1 byte)
Materia on his weapon : 0x520cd4 (1200D4) (4 bytes for each materia slot -
first byte is the materia ID, and
the next 3 bytes are its AP)
Materia on his armor : 0x520cf4 (120000)
* Stats are listed in this order : strength, vitality, magic, spirit, dexterity, luck.
[Master Fist: Damage Modifier Locations]
At 0x5DFB93 (0x1DEF93 in the exe) there is the dword that contains statuses
that will increase the multiplier by 1. The original value of this is 0400029Ah.
At 0x5DFBAE (0x1DEFAE in the exe) there is the dword that contains statuses
that will increase the multiplier by 2. The original value of this is 00202000h
-) Additional: Damage Calcs/Modifiers in general, migrating effects:
I am now 100% convinced (because I see the code now) that those "not used"
special effects are used by the AX damage functions. I won't bother spelling
the code out, but the "Special Effect" value gets set depending on what the
Damage calculation value is:
calc effect
A0 -> 0A
A1 -> 0B
A2 -> 0C
A3 -> 0D
A4 -> 1E
A5 -> 1F
A6 -> 20
A7 -> 21
A8 -> 22
A9 -> 0
AA -> 0
AB -> 0
So this brings two exciting revelations.
1. Regular attacks can "safely" be given some of these multipliers so certain
enemies can be more powerful with more MP or HP or so.
(Already done through PC, I believe)
2. A9 - AB can be assigned (via exe editing) one of the other special effects
to add more variety to the attacks.
(This is interesting, could create new damage formulas; needs the exe patch).
Guesses:
5DFB93: Master Fist
5DFBEE: Powersoul Formula (can adjust modifiers at least for damage)
Confirmed; triggers Breakpoint
5DFC52: Does not trigger Breakpoint when Yoshiyuki is used
5DFD5B: Does not trigger Breakpoint when Ultima Weapon is used
5DFDC0:
\\Menu Module Positions & SP Box//
Main Menu: 6A9EA (roughly)
SP String Code
6CAB19 = 6A 68 #push 68 (Y draw for gil/time box)
6CA9C8 = C745F43A010000 #mov [ebp-0C],0000013A (Y coord for gil/time box)
6CAB11 = E9 EA912400 #jmp 00913D00
913D00 = E8 FE1DDEFF #call 006F5B03
68 CDCC4C3E #push 3E4CCCCD
6A 07 #push 07
68 00001509 #push 0915000 (Pointer for Text 'SP': 30 33 FF)
8D 4D F4 #mov ecx,[ebp-0C]
83 C1 46 #add ecx,46 (X coord)
51 #push ecx
8B 55 FC #mov edx,[ebp-04]
83 C2 06 #add edx,06 (Y coord)
52 #push edx
E8 DF1DDEFF #call 006F5B03
83 C4 14 #add esp,14
e9 EA6DDBFF #jmp 006CAB16
915000 = 33 30 FF #Pointer address for string: 'SP'
Main Menu Avatar's X Axis
006CAC20
Main Menu Avatar's Y Axis
006CAC16
Main Menu The Word Limit Level X Axis
006CADF8
Main Menu The Word Limit Level Y Axis
006CADF1
Main Menu Limit Level Number X Axis
006CAE3A
Main Menu Limit Level Number Y Axis
006CAE33
Main Menu Limit Level Bar outside X Axis
006CADAE
Main Menu Limit Level Bar outside Y Axis
006CADA7
Main Menu Limit Level Bar inside X Axis
006CAD51
Main Menu Limit Level Bar inside Y Axis
006CAD4A
Main Menu The Word Next Level X Axis
006CADD3
Main Menu The Word Next Level Y Axis
006CADCC
Main Menu Next Level Bar outside X Axis
006CAD80
Main Menu Next Level Bar outside Y Axis
006CAD79
Main Menu Next Level Bar inside X Axis
006CAC60
Main Menu Next Level Bar inside Y Axis
006CAC59
Main Menu The Word HP X Axis Ish
006C64C4
Main Menu The Word HP Y Axis
006C64CF
Main Menu HP Bar X Axis
006C62C0
Main Menu HP Bar Y Axis
006C62CA
Main Menu HP Bar Length
006C62D1
Main Menu HP Bar Width
006C62D7
Main Menu Max HP X Axis
006C6551
Main Menu Max HP Y Axis
006C654A
Main Menu Current HP X Axis
006C6516
Main Menu Current HP Y Axis
006C650F
Main Menu HP / Symbol X Axis
006C6646
Main Menu HP / Symbol Y Axis
006C663F
Main Menu The Word MP X Axis Ish
006C6563
Main Menu The Word MP Y Axis
006C656E
Main Menu MP Bar X Axis
006C6336/006C6339
Main Menu MP Bar Y Axis
006C6340/006C6343
Main Menu MP Bar Length
006C634A
Main Menu MP Bar Width
006C6350
Main Menu Max MP Y Axis
006C65E9
Main Menu Max MP X Axis
006C65F0
Main Menu Current MP Y Axis
006C65AE
Main Menu Current MP X Axis
006C65B5
Main Menu MP / Symbol X Axis
006C661B
Main Menu MP / Symbol Y Axis
006C6614
Main Menu Max MP Colour
006C65CF
Main Menu Word MP Colour
006C6561
Main Menu Level Number X Axis
006C64B2
Main Menu Level Number Y Axis
006C64AB
Main Menu The Word LV X Axis Ish
006C646B
Main Menu The Word LV Y Axis
006C6476
Main Menu LV/HP/MP Letter Spacing
006F6375
Main Menu character stats X
006CABFB
Main Menu Character Stats Y
006CABF4
!Affects Main Menu!
Status Character 'LV' X/Y
6C6473
Status Character Level Value X/Y
6C64AB
Status Character 'HP'
6C64C2
Status Character 'MP'
6C6561
Status Character '/'
6C6614
(standalone, doesn't affect main)
Status Character Avatar
7037E8
Status Character Command Box Snapshot
703B17
Status Character Materia Snapshot
703B29
Status Character Stats (whole thing)
703B3B
Status Character Gauges, EXP, etc.
7056C7, 705657 (around that area)
Status Menu
704E1D: Parameters of stats
007078BF is the Equip Window's stat list.
What a pain in the ass.. those strings are written in like 15 places
like the entire string table
707903: Number of arrows drawn
707910: Symbol of arrow
707924: X of arrows
Materia Menu Findings
Starts 709EB6
Savemap itself: DBFD34
Materia starts from: DC04B4
Member Slot: DD1638
Party Member ID: DD163C
70E2CB is where Arrange functions..hm
70DC80 is where it equips materia.. that's a key point
70ADBC is definitely where it populates the materia list.. somewhere right after that.
70ADBC: Offset that accesses the list, sticks a copy in DD12B0 ended with FF
709FBB: Calls 5CB2CC, bunch of savemap reads for party member 1 (DC0230)
Address | Module | Disassembly | Hi | Summary
---------+---------+-------------+----+--------
0067DDC6 | ff7.exe | mov edx,dword ptr ss:[ebp-AC34] | 15 | Equipped Before This Point
006803DA | ff7.exe | add byte ptr ds:[eax],al | 0 | Entry to Menu 2 Pointer Storage
006C545B | ff7.exe | push ebp | 3 | Materia Equip
006C546E | ff7.exe | cmp ecx,FF | 3 | Equip Check
006C5622 | ff7.exe | cmp dword ptr ss:[ebp-20],4 | 4 | Equip Check - When True, Jump to Equip
006CB8D5 | ff7.exe | ret | 1 | Equip Return 6CDBBD Two
006CC73A | ff7.exe | call <ff7.sub_6CC9D3> | 1 | Equip Call
006CC9D2 | ff7.exe | ret | 0 | Equip Return - 67DD90 Final
006CC9D3 | ff7.exe | push ebp | 4 | Equip Jump
006CDBC3 | ff7.exe | ret | 4 | Equip Return 6CC73A Three
006F5B03 | ff7.exe | push ebp | 0 | Menu Function
006F5B05 | ff7.exe | in al,dx | 0 | Access Violation
006F5B17 | ff7.exe | cmp dword ptr ss:[ebp+10],0 | 0 | Equip String holder '%QUIPS"
00709EB6 | ff7.exe | push ebp | 0 | Build Materia List
00709F37 | ff7.exe | push A | 0 | Materia List Size
00709F38 | ff7.exe | or ch,byte ptr ds:[edx+1] | 0 | Materia Menu List
0070ADBC | ff7.exe | cmp dword ptr ds:[ecx*4+DC04B4],FFFFFFFF | 0 | Move Cursor to Materia List and Populate
0070AE09 | ff7.exe | mov eax,dword ptr ds:[DD1364] | 0 | Cursor
0070CC23 | ff7.exe | cmp dword ptr ds:[920FA0],8 | 0 | Arrange Button
0070CFCC | ff7.exe | call <ff7.sub_70AC24> | 0 | Calls Materia List and mouse position
0070D1ED | ff7.exe | cmp dword ptr ds:[DD12BC],0 | 0 | Check/Arrange (No Materia Selected)
0070DC80 | ff7.exe | mov eax,dword ptr ds:[eax*4+DC04B4] | 0 | Equipping Materia
0070DCAB | ff7.exe | jmp ff7.70DD1D | 4 | Jump to put on Materia
0070DD24 | ff7.exe | call <ff7.sub_6C545B> | 0 | Materia Equip Function Jump
0070E213 | ff7.exe | ret | 1 | Equip Return 6CB872 One
0070E2CB | ff7.exe | push ff7.DC04B4 | 0 | Arrange
0076216F | ff7.exe | mov eax,dword ptr ds:[E3A7D0] | 0 | Entry point Menu
00DC04B3 | ff7.exe | push dword ptr ds:[ecx] | 0 | Materia List Start
00DC04B4 | ff7.exe | xor dword ptr ds:[edi+75310004],edx | 0 | Materia List Start
WIP Materia Restriction
0070AE21 | 89 0D B0 12 DD 00 | mov dword ptr ds:[DD12B0],ecx |
After this point, the Materia ID and the Character ID are known
DD12B0 - Pointer to Materia ID
DD163C - Pointer to Character ID
400E1C - Debug flag 60
400E1F - Debug flag E0
D14900 - Debug area
D14901 - Color Enable/Disable
// Old Data
0070C7BA | 83 3C 95 B4 04 DC 00 FF | cmp dword ptr ds:[edx*4+DC04B4],FFFFFFF | Check Materia List Validity
0070C7C2 | 74 57 | je ff7.70C81B |
0070C7C4 | 68 CD CC 4C 3E | push 3E4CCCCD |
0070C7C9 | 6A 07 | push 7 | ***** Materia Text Color
// New Data
0070C7BA | E9 49 81 60 00 | jmp ff7.D14908 | Check Materia List Validity
0070C7BF | 90 | nop |
0070C7C0 | 90 | nop |
0070C7C1 | 90 | nop |
0070C7C2 | 90 | nop |
0070C7C3 | 90 | nop |
0070C7C4 | 90 | nop |
0070C7C5 | 90 | nop |
0070C7C6 | 90 | nop |
0070C7C7 | 90 | nop |
0070C7C8 | 90 | nop |
0070C7C9 | 90 | nop | ***** Materia Text Color
0070C7CA | 90 | nop |
// Debug Data
00D14900 | 90 | nop | Debug Area - Real
00D14901 | 90 | nop |
00D14902 | 90 | nop |
00D14903 | 90 | nop |
00D14904 | 90 | nop |
00D14905 | 90 | nop |
00D14906 | 90 | nop |
00D14907 | 90 | nop |
00D14908 | 81 3C 95 B4 04 DC 00 FF | cmp dword ptr ds:[edx*4+DC04B4],FFFFFFF |
00D14913 | 0F 84 02 7F 9F FF | je ff7.70C81B |
00D14919 | 68 CD CC 4C 3E | push 3E4CCCCD |
00D1491E | 80 3C 95 B4 04 DC 00 31 | cmp byte ptr ds:[edx*4+DC04B4],31 | Is it fire Materia? Disable
00D14926 | 75 07 | jne ff7.D1492F |
00D14928 | 6A 00 | push 0 |
00D1492A | E9 90 7E 9F FF | jmp ff7.70C7BF |
00D1492F | 6A 07 | push 7 |
00D14931 | E9 89 7E 9F FF | jmp ff7.70C7BF |
// Old Data
0070DC3B | 8B 15 3C 16 DD 00 | mov edx,dword ptr ds:[DD163C] |
// New Data
0070DC2A | E9 D9 6C 60 00 | jmp ff7.D14908 |
0070DC2F | 90 | nop |
// Debug Data
00D14938 | 80 3D B0 12 DD 00 31 | cmp byte ptr ds:[DD12B0],31 | 31:'1'
00D1493F | 0F 84 EB 92 9F FF | je ff7.70DC30 |
00D14945 | 8B 15 3C 16 DD 00 | mov edx,dword ptr ds:[DD163C] |
00D1494B | E9 F0 92 9F FF | jmp ff7.70DC40 |
[Rollercoaster Propellor super-points issue]
This is for the xbin.bin from coaster.lgp; dunno if the .exe editor can get it.
DLPB got this one.
10b84c=00
10b8ac=00
[Snowboard Times issue]
Apparently the times were changed from NTSC Versions, so this corrects it.
For the regular .exe, DLPB.
00524E70=20
00524E71=CB
00524E72=00
00524E73=00
00524E74=F0
00524E75=D2
00524E76=00
00524E77=00
00524E78=C0
00524E79=DA
00524E7A=00
00524E7B=00
00524E7C=60
00524E7D=EA
00524E7E=00
00524E7F=00
00524E80=E8
00524E81=FD
00524E82=00
00524E83=00
00524E84=E0
00524E85=28
00524E86=01
00524E87=00
00524E88=90
00524E89=5F
00524E8A=01
00524E8B=00
00524E8C=FF
00524E8D=FF
00524E8E=FF
00524E8F=FF
00524E90=D0
00524E91=01
00524E92=01
00524E93=00
00524E94=70
00524E95=11
00524E96=01
00524E97=00
00524E98=28
00524E99=1D
00524E9A=01
00524E9B=00
00524E9C=E0
00524E9D=28
00524E9E=01
00524E9F=00
00524EA0=80
00524EA1=38
00524EA2=01
00524EA3=00
00524EA4=A0
00524EA5=86
00524EA6=01
00524EA7=00
00524EA8=C0
00524EA9=D4
00524EAA=01
00524EAB=00
00524EAC=FF
00524EAD=FF
00524EAE=FF
00524EAF=FF
00524EB0=70
00524EB1=11
00524EB2=01
00524EB3=00
00524EB4=F8
00524EB5=24
00524EB6=01
00524EB7=00
00524EB8=80
00524EB9=38
00524EBA=01
00524EBB=00
00524EBC=08
00524EBD=4C
00524EBE=01
00524EBF=00
00524EC0=18
00524EC1=73
00524EC2=01
00524EC3=00
00524EC4=B0
00524EC5=AD
00524EC6=01
00524EC7=00
00524EC8=D0
00524EC9=FB
00524ECA=01
00524ECB=00
00524ECC=FF
00524ECD=FF
00524ECE=FF
00524ECF=FF
[Kranmer's Trainer Dump]
Most are like GS codes, but you never know.
Full In-Game menu
00DC08F8 = FF FF
No Random Battles
00DBCAD9 = 0
Constant Random Battles
00DBCAD9 = FF
Inf/Max Gil
00DC08B4 = FF B4 34 7F
Set Game Played Time To 0
00DC08B8 = 00 00
----------------------------------------------------
TELEPORT/INSTANT BATTLE/RENAME/PHS/SHOP/IN-GAME MENU/MINI-GAME anywhere
00CC0D89 =
00 = Normal Field
01 = Fade to black (use this for teleport plus the next 2 bytes)
02 = Battle swirl (use this for instant battle plus the next 2 bytes)
03 = UNKNOWN
04 = Makes screen flash but sometimes plays movies
05 = Plays Ending Movie and Credits
06 = Rename Screen
07 = PHS
08 = Weapon Shop
09 = In-Game Menu (use this to get out of shop or phs or rename screen)
0A = UNKNOWN
0B = UNKNOWN
0C = MiniGame
You can find a list of teleport locations and values inside the zip which can be downloaded here
http://forums.qhimm.com/index.php?topic=10556.msg147396#msg147396
----------------------------------------------------
Character slot 1
00DC0230 =
00 = Cloud
01 = Barrett
02 = Tifa
03 = Aeris
04 = Red XIII
05 = Yuffie
06 = Cait Sith
07 = Vincent
08 = Cid
09 = Young Cloud (only while activated or if used before Kalm Flashback)
0A = Sephiroth (only while activated or if used before Kalm Flashback)
FF = Blank
Character slot 2
00DC0231 = SAME AS ABOVE
Character slot 3
00DC0232 = SAME AS ABOVE
----------------------------------------------------
Activate character instead of the following character (use this to replace different characters with sephiroth or young cloud)
Cloud
00DBFD8C =
Barrett
00DBFE10 =
Tifa
00DBFE94 =
Aeris
00DBFF18 =
Red XIII
00DBFF9C =
Yuffie
00DC0020 =
Cait Sith
00DC00A4 =
Vincent
00DC0128 =
Cid
00DC01AC =
09 = Young Cloud
0A = Sephiroth
----------------------------------------------------
Sephiroth Instead of Vincent Code
Sephiroth In Slot3
00DC0232 = 0A
Activate Sephiroth Instead of Vincent
00DC0128 = 0A
Sephiroth's Name
00DC0136 = 01 41 33 45 50 48 49 52 4F 54 48 FF
----------------------------------------------------
\\\Misc-Dump: Data that'll likely be unused///
Functions Found\Hooked
IncreaseHP = 0x006CBA6A [DWORD formationIndex, WORD amount]
DecreaseHP = 0x006CB9D2 [DWORD formationIndex, DWORD amount]
IncreaseMP = 0x006CBBBF [DWORD formationIndex, WORD amount]
DecreaseMP = 0x006CBB27 [DWORD formationIndex, DWORD amount]
RestoreHPMP = 0x0061F793 [] // Full Heal Party
AddItems = 0x006CBFFA [DWORD item:amount]
RemoveItems = 0x006CBE5F [DWORD item:amount]
IncreaseGil = 0x006CBCB9 [DWORD amount]
DecreaseGil = 0x006CBC7C [DWORD amount]
GetCurrentGil = 0x006CBCE9 []
GetCharacterData = 0x006CB98E [DWORD formationIndex]
DebugOutput = 0x00664E30 [char* string]
IsMenuOpen = 0x0063BC9D []
CurrentMenu = 0x006C6AEE [DWORD menu]
Found WIP\Untested
ShowMessage = 0x00631586 [WORD unk1, WORD unk2]
SaveGame = 00720F6E [DWORD unk1:slot? filename?]
LoadGame = 007210BC [DWORD unk1:slot? filename?]
GetCharacterBySlot [Derive from GetCharacterData?]
GetItemCount = 0x006CBF57 [DWORD index] - Needs adjusted to return counts.
GetRandomBattleRate = 0x00767C55 []
Misc Addresses
Battle Timer Variable = 0x009AE17C // Times how long each battle took.
Turn Timer Variable = 0x009AE180 // Measures how long each battle participant's
turn took. (Enemies and allies. This only accounts for the time the animations,
etc., take to play out; it doesn't count time spent in the menus, etc.)
Battle IsTargeting Variable = 0x009A8B08 // This is equal to 0, if you aren't
targeting something, 1 if you are. ie, if you select a command, and a target
icon appears, this will be equal to 1.
Battle Escape Variable = 0x009AAD06 // This is the counter that determines when
you escape, the longer you try, the larger this number gets, after it hits a
certain value, you escape. (This value will slowly decrease after you stop
trying to escape.)
Pressed Key Variable = 0x009A85D4 // Works with keys the game actually uses,
doesn't seem to register other keys. (This also responds to gamepad input.)
Menu Open Variable = 0x00CFFB8C // Equals 1 while the menu is open.
(Triangle menu.)