Untitled


\\This document lists .EXE addresses for editing//

Offsets
Section   Virtual Address   Raw Address   Delta
.text     00401000          00000400      00400C00
.rdata    007B6000          003B4C00      00401400
.data     007BA000          003B8A00      00401600
.rsrc     00F51000          0059BA00      009B5600

Add Resist to displayed Statuses
41C4C0 = 90 90 90 90 90 90
41C5B9 = 90 90 90 90 90
6E17FB = B9 20 00 00 00
6DD2A4 = B9 20 00 00 00


Enemy Phys. Defence Doubled Here at Battle Start:
5D08CE
and MDEF:
5D08DF


Special Effects

Procedure MdefBug_6C51DE; stdcall; //fixed by NFITC1
Begin

  asm
  mov eax,[ebp-08]
  mov ecx,[eax*4+$919928]
  imul ecx,ecx,$84
  xor edx,edx
  mov dl,[ecx+$DBFDA9]
  imul edx,edx,$24
  xor eax,eax
  mov al,[edx+$DBCCE3]
  mov[ebp-04],eax
  end;
Could use to rewire Spirit's value in MDEF and perhaps Vit as
well if it's close by.

Multi-hit: 5DC913 (exact line where edx is set to multi-hit value)

5dd415 - Dragon Force effect
5dd1a6 - Howling Moon effect
5dd183 - Lunatic High effect
5dd158 - Hero Drink effect


However, the correct text will also need adding back if not present
(Luksy's touphScript will need an update too if not adding back with hex)

For example, to add Resist back

91E94A = 32 45 53 49 53 54 FF


Where the text list is loaded for materia type
0070B3A6

6F59FB Corrupts text

Check 99e350 to locate special wep formulas

05DC901 = battle special formula jump

Missing Score
 5DFD2E

99e350  (99E308 + 48

Kills variance
005DE80E  nop that for X1


Divisor that affects the 'enemies killed = damage' formula
This changes it from
[((Enemies killed by Vincent)/128)+10]/16

to

[((Enemies killed by Vincent)/16)+10]/16
0x1DC929   07  ->  04


savemap stuff done by a defunct earth harp script.
Dips into cait and vince scripts. Could use these
if comparing young cloud/seph to cait/vince for hacks.
byte_DC00A5 = 1;
byte_DC00A4 = 6;
byte_DC00B2 = 1;
byte_DC00B3 = -1;
dword_DC00E0 = 0xFF FF FF;
byte_DC0129 = 1;
byte_DC0128 = 7;
byte_DC0136 = 1;
byte_DC0137 = -1;
dword_DC0164 = 0xFF FF FF


Potential Leads on Kernel Equip stat calcs

704FD3
005ce8eb
005cb65c

Starts 6C51FC

Based on this, I need to somehow make it take the 3rd and 4th slot
and deduct from it rather than add. As it stands, I can't deduct
as this does it by stat rather than slot.

6C5229: Affects Strength

6C524F: Affects Vitality

6C5275: Affects Magic

6C5298: Affects Spirit

6C52BB: Affects Dexterity

6C52DE: Affects Luck


006C5529 - accesses the chunk of enhance sword associated with stat boosts,
		maybe isolate this down to only the stat value itself?

006C524F: First Weapon Stat Add

6C56E3 - Armour: 2nd Stat


Command Addresses

5C8FB0:

5C8FC6:

5C8FDF:

5C904D:

5C9150:

5C928E:

5C92A7:

5C930A:

5C930F:

5C93A1: Morph [false]


5C9C67 (START) - SUBTRACT 8
	Copies memory from 99CE0C
	Copy 16
	Copies 99CE0C again
	compares dword ptr ecx for 3
	Jump to 5C9DB7 is not less (returned false)
	Copies 99CE0C
	Copies eax,[edx]
	Signed multiple by 18
	Adds 9A8E54 to eax
	Copies eax
	Copies ecx
	xor edx, edx
	Copy dl,ecx
	Copy 99CE0C
	Copy edx,eax
	[some stuff]

	Push 05
	Call 5CA766
	Subtract 8 from esp
	Then eax gets a signed divide of 2, 6 times (12)
		No change when modified
	[Some memory copy stuff for 99CE0C]

	Multiply by 2, 2 times

	5C80A7: seems to be a loop here for a divide once by 2
		Animation related (see below)

	5C80E5: Signed divide by 2, 8 times here
		Seems to affect animation; cloud hops forward and back
		but does nothing when changed to 2.


	5C80F7: multiple by 2, once

	5D17E1: Signed divide by 2, 4 times
		Changing it lower reduces damage instead of increasing it.
		Changing it higher seems no effect. Something else?

	5D9DF9: Multiply by 2, CL times

	5DC1F5: dIVIDE BY 2, 3 times
		No

	433675: Divide by 2, 5 times
		No

	5CA76F: divide by 2, 3 times
		No

Potential lead on Flash (and other command addresses)
[On making it so that statuses don't get added to Flash]:
This can be done at 5CA65F.  I just need to change it to make ecx = 1 regardless.
So only death will be used with Flash.  Nothing else.

Access Menu while in the Sub
E045E4: Set to 2

Sadness Calculation
005DE970
imul eax, eax, 03 (03 = 30%, change to desired value)


Passive EXP Gain
Use a hex editor on ff7.exe to change the values at 0x1C6301 from-

(need to examine this in-game to determine what's happening here,
I suspect it's an offset? Gotta find out what these values represent)

Code: [Select]
D1 F8
to
Code: [Select]
33 C0
That will give 0 exp to every out of battle character.


{New physical accuracy
#Hit% = Accuracy_of_Attack-  Target's_Evade
5DDD47 = 90 90
5DDD81 = 90 90 90


Tifa's Reels
Address 0x51D4D0
1, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
1, 0, 2, 2, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 1, 0, 2, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
1, 1, 1, 0, 2, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 1, 1, 0, 0, 2, 0, 2, 0, 1, 1, 1, 1, 1, 1, 1
1, 1, 1, 1, 0, 0, 2, 0, 2, 0, 0, 1, 1, 1, 1, 1
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 1, 1, 1, 0, 0, 0, 2, 0, 0, 0, 0, 1, 1, 1, 1


Enemy Defence Doubled Here (suspected to not matter as it is overwritten by formula)
PDEF: 5D08CE
MDEF: 5D08DF


[Status Colours] - 8FE150 (4FD500) or does it start earlier??
In Order:

\\4FD550//
BF D9 4C : Yellow
E8 D9 4C : Yellow
Guess: Peerless? Seems to be short.
	If longer then starts from:

\\4FD558//
11 DA 4C : Green
3A DA 4C : Green
63 DA 4C : Green
8C DA 4C : Green
Guess: Poison


\\4FD563//
C0 CF 4C,
E9 CF 4C,
00 12 DC


[Poison Hacks]

This one allows enemies to be damaged by Poison element even if they're
	immune to the Poison status = Tested
0x433765 (0x032B65)  74 -> EB

This one converts Poison 'tick' damage into other elements:
0x5C9FCB (0x1C93CB): It's traditionally set to 0010h.
Set that to any element mask you want. 0000h would be non-elemental.


[Materia Effects: Editing]

These values start here:
0x8FEEC8 (0x4FD8C8
And apparently ends here: 0x8FF017 (this is where elements are stored)

Starts with: 00, then first number, each separated by 00 (+) or an FF (-)

The way it works is that it has the Positive/Negative modifier first, followed by
the value. So Tier 11 looks like this:

F6 FF F6 FF F6 FF F6 FF 00 00 00 00 FB FF FB FF

If the number is unchanged (like Dex and Lck here) then 00 is used for the value
and the modifier. Note that FF denotes negative AND -1; don't get confused!


FF -1
FE -2
FD -3
FC -4
FB -5
FA -6
F9 -7
F8 -8
F7 -9
F6 -10
F5 -11
F4 -12
F3 -13
F2 -14
F1 -15
F0 -16
EF -17
EE -18
ED -19
EC -20
EB -21
EA -22
E9 -23
E8 -24
E7 -25
E6 -26
E5 -27
E4 -28
E3 -29
E2 -30
E1 -31
E0 -32
DF -33
DE -34
DD -35
DC -36
CE -50
CD -51
CC -52
CB -53
CA -54
C9 -55
C8 -56
C7 -57
C6 -58
C5 -59
C4 -60
C3 -61
C2 -62
C1 -63
C0 -64

A0 -96
9F -97
9E -98
9D -99
9C -100


Can keep going, the memory leak 15 shows that it can go as high as 128; any higher
and it might creep into the negative values; I guess they meet each other in the
middle at an equal split of Hex's maximum value: 256 (128 each way in other words).


[Truly Random Encounters]

CurrentRandEncLUT = (GameTimerFraction >> 2) AND 255
//this manipulation is required to get the full range in a byte
because the fraction is increased by 1092 each tic.


[Vincent Mug Glitch Fix]

1. Open the ff7/battle/battle.lgp file in a hex editor.
2. Search for the case-sensitive ascii string "SHAB" without quotes.
3. Search for the byte sequence 17h 1Ch from the point you found the SHAB.
4. The byte preceding the 17h should be 12h.
	My mostly-unaltered battle.lgp file has this at address 0x3A7D7F2.
5. Change this 12h to something less. I tried 0Ch and it looks nice.


[Command Materia Editing]

So this hack is to have commands not replace each other when they're unlocked
on Command Materia (for instance, having Sense and Morph on the same Materia).
Commands will still appear as greyed out in the menu, but a fix for that is
below this primary fix.

Segment starts at 0x5CEC0B (0x1CE00B)

Address for the Edit: 1CE023
0F 8C BB 00 00 00
8B 55 08
81 E2 FF 00 00 00
6B D2 14
8B 45 F8
33 C9
8A 8C 02 6E DF DB 00
81 F9 FF 00 00 00
74 1C
8B 55 08
81 E2 FF 00 00 00
6B D2 14
8B 45 F8
8A 8C 02 6E DF DB 00
51
E8 84 00 00 00
EB AF
90 90 90


This fixes the palette, telling the game to display each
command with Palette 1 (white)

Address at: 0x5CEC85 (0x1CE085)

Start edit at: 1CE08A
7D 52
8B 4D 08
81 E1 FF 00 00 00
6B C9 14
8B 55 F8
8B 45 F4
8B 75 F8
8A 8C 31 6E DF DB 00
88 4C 50 1A
33 D2
8B 55 F8
3B 55 FC
7D 0D
8B 55 F8
8B 45 F4
C6 44 50 1B 01
EB 0B
8B 55 F8
8B 45 F4
C6 44 50 1B 00
EB AD
90 90 90 90
90 90 90 90
90 90 90 90
90 90


[Long Range enemy attacks]

Note: Short-Range flag required for short-range attacks if this enabled

It selectively blacklists the 20h command from receiving
long-range consideration. Changing the command index checked to
something out of range would be ideal:

[Subtract 400C00 for FF7.EXE address?]
Address at 0x5DE704 (1DDB04):

0x5DE704: 83 78 28 20  ->  83 78 28 50


[Mega-All doesn't grant Slash-All]

Could be handy for using 2x-Cut with Mega-All.

Address at 0x5CD049 (0x1CC449): change 74 to E9
[CAUSED CRASH WHEN LOADING SAVE]
Update: Another source claims: it's EB not E9


[Tent Adjustment - NFITC1]

Tents heal for 10,000HP and MP by default, capped by MaxHP/MP.

Function at 0x6CBA6A (2CAD76)

Code: [Select]
0x003164B5 : 68 10 27 00 00  --for HP
0x003164C6 : 68 10 27 00 00  --for MP

These translate into "PUSH 10000" which is in big-endian format.
Changing it to, say:

Code: [Select]
0x003164B5 : 68 88 13 00 00  --for HP
0x003164C6 : 68 F4 01 00 00  --for MP

Would restrict tents to heal no more than 5000 HP and 500 MP.
So the value you push will limit the healing it will do. I'm not
going to go into how to do this. It requires a hex editor and an
understanding of endianness.

That's the SIMPLE way to do it. If you wanted to get REALLY complicated
you could re-write the whole tent function (or redirect it) to do
something different. The function's range is between 0x717010 and
0x717123.


[Slot 1 Commands like Slash-All get their own slot]

These edits will make them no longer override the top slot.

Slash-All:   0x1CE2FD: FD -> C1
2x-Cut:      0x1CE30A: F0 -> B4
Flash:       0x1CE317: E3 -> A7
4x-Cut:      0x1CE324: D6 -> 9A

But they still override each other in their new slots, but at least
Attack is left alone.


[Materia Master Disabled]

1. Disable the Weapon AP materia birth sub call:
Change 0X005CAF12 (0x001CA312) from
E8 68 12 10 00 83 C4 04
to
EB 06 90 90 90 90 90 90

2. Disable the Armor AP materia birth sub call:
Change 0x005CB0C5 (0x001CA4C5) from
E8 B5 10 10 00 83 C4 04
to
EB 06 90 90 90 90 90 90


[Item Menu Modification]
[Values are slightly off]
Power: 0x315F31; default 1
Guard: 0x315F80; default 1
Magic: 0x315FD0; default 1
Mind:  0x31601F; default 1
Speed: 0x31606E; default 1
Luck:  0x3160BB; default 1
[Correct values when game is running]
716B30		#str
716B7E		#vit
716BCE		#mag
716C1E		#spr
716C6C		#spd
716CB9		#lck
Potion       (amount of HP to restore): 0x316184 ; default 64h, limit FFh
Hi-Potion    (amount of HP to restore): 0x316212 ; default 1F4h, stored as word, limit 7FFFh (overflow could result otherwise)
Ether        (amount of MP to restore): 0x3162A3 ; default 64h, limit FFh
Turbo Ether  (amount of MP to restore): 0x316331 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Phoenix Down (amount of HP to restore): 0x3163C8 ; default 2, power of two to divide MHP by (eg. MHP / 2^[X] ), technically a bit-shift right, more below
Tent         (amount of HP to restore): 0x3164B6 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Tent         (amount of MP to restore): 0x3164C7 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
X-Potion     (amount of HP to restore): 0x316570 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Elixir       (amount of HP to restore): 0x316613 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Elixir       (amount of MP to restore): 0x316627 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Megalixir    (amount of HP to restore): 0x316715 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)
Megalixir    (amount of MP to restore): 0x316726 ; default 2710h, stored as word, limit 7FFFh (overflow could result otherwise)


{Menu potion, hi-potion, x-potion, ether, turbo ether to 25, 100, 1000, 10, 100
00716D83 = 6A 19
00716E11 = 6A 64 90 90 90
0071716F = 68 E8 03 00 00
00716EA2 = 6A 0A
00716F30 = 6A 64

{menu HP, MP
#6CBA6A
#6cbbbf


[Potential Sense Fix]

The HP requirement for Sense is at offset 0x1C9515. Easy to find in a hex-editor
and with proper testing. I just searched for 75 30 (= 30000 ; and I know the
bytes are reversed in a hex editor).

65,535 is the max here through Hex.


[Cait Sith & Vincent's Initial Data]

Cait Sith's is at offset 0x520c10 (120010, while Vincent's is at
offset 0x520c94 (120094).

If you want to edit them (to alter their starting stats, equipment, materia, ...), you can use the Wiki Savemap, "Table 2 : Character Record" section.

Some addresses :

Cait Sith's Level : 0x520c11 (120011) 		(1 byte)
Cait Sith's CurrentHP : 0x520c3c (12003C) 	(2 bytes)
Cait Sith's Base HP :  0x520c3e (12003E) 	(2 bytes)
Cait Sith's Current MP : 0x520c40 (120040) 	(2 bytes)
Cait Sith's Base MP : 0x520c42 (120042) 	(2 bytes)
Cait Sith's stats* : 0x520c12 (120012) 		(1 byte each)
Cait Sith's weapon : 0x520c2c (12002C) 		(1 byte)
Cait Sith's armor : 0x520c2d (12002D) 		(1 byte)
Cait Sith's accessory : 0x520c2e (12002E)	(1 byte)
Materia on his weapon : 0x520c50 (120050)	(4 bytes for each materia slot -
						first byte is the materia ID, and
						the next 3 bytes are its AP)
Materia on his armor : 0x520c70 (120070)

Vincent's Level : 0x520c95 (120095)		(1 byte)
Vincent's CurrentHP : 0x520cc0 (1200C0)		(2 bytes)
Vincent's Base HP :  0x520cc2 (1200C2)		(2 bytes)
Vincent's Current MP : 0x520cc4 (1200C4)	(2 bytes)
Vincent's Base MP : 0x520cc6 1200C6)		(2 bytes)
Vincent's stats* : 0x520c96 (120096)		(1 byte each)
Vincent's weapon : 0x520cb0 (1200B0)		(1 byte)
Vincent's armor : 0x520cb1 (1200B1)		(1 byte)
Vincent's accessory : 0x520cb2 (1200B2)		(1 byte)
Materia on his weapon : 0x520cd4 (1200D4)	(4 bytes for each materia slot -
						first byte is the materia ID, and
						the next 3 bytes are its AP)
Materia on his armor : 0x520cf4	(120000)

* Stats are listed in this order : strength, vitality, magic, spirit, dexterity, luck.


[Master Fist: Damage Modifier Locations]

At 0x5DFB93 (0x1DEF93 in the exe) there is the dword that contains statuses
that will increase the multiplier by 1. The original value of this is 0400029Ah.

At 0x5DFBAE (0x1DEFAE in the exe) there is the dword that contains statuses
that will increase the multiplier by 2. The original value of this is 00202000h

-) Additional: Damage Calcs/Modifiers in general, migrating effects:
I am now 100% convinced (because I see the code now) that those "not used"
special effects are used by the AX damage functions. I won't bother spelling
the code out, but the "Special Effect" value gets set depending on what the
Damage calculation value is:

calc      effect
A0 -> 0A
A1 -> 0B
A2 -> 0C
A3 -> 0D
A4 -> 1E
A5 -> 1F
A6 -> 20
A7 -> 21
A8 -> 22
A9 -> 0
AA -> 0
AB -> 0

So this brings two exciting revelations.
1. Regular attacks can "safely" be given some of these multipliers so certain
enemies can be more powerful with more MP or HP or so.
(Already done through PC, I believe)

2. A9 - AB can be assigned (via exe editing) one of the other special effects
to add more variety to the attacks.
(This is interesting, could create new damage formulas; needs the exe patch).

Guesses:
5DFB93: Master Fist

5DFBEE: Powersoul Formula (can adjust modifiers at least for damage)
	Confirmed; triggers Breakpoint

5DFC52: Does not trigger Breakpoint when Yoshiyuki is used

5DFD5B: Does not trigger Breakpoint when Ultima Weapon is used

5DFDC0:


\\Menu Module Positions & SP Box//

Main Menu: 6A9EA (roughly)

SP String Code
6CAB19 = 6A 68	#push 68 (Y draw for gil/time box)

6CA9C8 = C745F43A010000 #mov [ebp-0C],0000013A (Y coord for gil/time box)

6CAB11 = E9 EA912400	#jmp 00913D00

913D00 = E8 FE1DDEFF	#call 006F5B03
	 68 CDCC4C3E	#push 3E4CCCCD
	 6A 07		#push 07
	 68 00001509	#push 0915000 (Pointer for Text 'SP': 30 33 FF)
	 8D 4D F4	#mov ecx,[ebp-0C]
	 83 C1 46	#add ecx,46 (X coord)
	 51		#push ecx
	 8B 55 FC	#mov edx,[ebp-04]
	 83 C2 06	#add edx,06 (Y coord)
	 52		#push edx
	 E8 DF1DDEFF	#call 006F5B03
	 83 C4 14	#add esp,14
	 e9 EA6DDBFF	#jmp 006CAB16

915000 = 33 30 FF	#Pointer address for string: 'SP'


Main Menu Avatar's X Axis
006CAC20

Main Menu Avatar's Y Axis
006CAC16

Main Menu The Word Limit Level X Axis
006CADF8

Main Menu The Word Limit Level Y Axis
006CADF1

Main Menu Limit Level Number X Axis
006CAE3A

Main Menu Limit Level Number Y Axis
006CAE33

Main Menu Limit Level Bar outside X Axis
006CADAE

Main Menu Limit Level Bar outside Y Axis
006CADA7

Main Menu Limit Level Bar inside X Axis
006CAD51

Main Menu Limit Level Bar inside Y Axis
006CAD4A

Main Menu The Word Next Level X Axis
006CADD3

Main Menu The Word Next Level Y Axis
006CADCC

Main Menu Next Level Bar outside X Axis
006CAD80

Main Menu Next Level Bar outside Y Axis
006CAD79

Main Menu Next Level Bar inside X Axis
006CAC60

Main Menu Next Level Bar inside Y Axis
006CAC59

Main Menu The Word HP X Axis Ish
006C64C4

Main Menu The Word HP Y Axis
006C64CF

Main Menu HP Bar X Axis
006C62C0

Main Menu = HP Bar Y Axis
006C62CA

Main Menu HP Bar Length
006C62D1

Main Menu HP Bar Width
006C62D7

Main Menu Max HP X Axis
006C6551

Main Menu Max HP Y Axis
006C654A

Main Menu Current HP X Axis
006C6516

Main Menu Current HP Y Axis
006C650F

Main Menu HP / Symbol X Axis
006C6646

Main Menu HP / Symbol Y Axis
006C663F

Main Menu The Word MP X Axis Ish
006C6563

Main Menu The Word MP Y Axis
006C656E

Main Menu MP Bar X Axis
006C6336/006C6339

Main Menu MP Bar Y Axis
006C6340/006C6343

Main Menu MP Bar Length
006C634A

Main Menu MP Bar Width
006C6350

Main Menu Max MP Y Axis
006C65E9

Main Menu Max MP X Axis
006C65F0

Main Menu Current MP Y Axis
006C65AE

Main Menu Current MP X Axis
006C65B5

Main Menu MP / Symbol X Axis
006C661B

Main Menu MP / Symbol Y Axis
006C6614

Main Menu Max MP Colour
006C65CF

Main Menu Word MP Colour
006C6561

Main Menu Level Number X Axis
006C64B2

Main Menu Level Number Y Axis
006C64AB

Main Menu The Word LV X Axis Ish
006C646B

Main Menu The Word LV Y Axis
006C6476

Main Menu LV/HP/MP Letter Spacing
006F6375

Main Menu character stats X
006CABFB

Main Menu Character Stats Y
006CABF4

!Affects Main Menu!
Status Character 'LV' X/Y
6C6473

Status Character Level Value X/Y
6C64AB

Status Character 'HP'
6C64C2

Status Character 'MP'
6C6561

Status Character '/'
6C6614

(standalone, doesn't affect main)
Status Character Avatar
7037E8

Status Character Command Box Snapshot
703B17

Status Character Materia Snapshot
703B29

Status Character Stats (whole thing)
703B3B

Status Character Gauges, EXP, etc.
7056C7, 705657 (around that area)

Status Menu
704E1D: Parameters of stats


007078BF is the Equip Window's stat list.
What a pain in the ass.. those strings are written in like 15 places
like the entire string table

707903: Number of arrows drawn
707910: Symbol of arrow
707924: X of arrows


Materia Menu Findings
Starts 709EB6
Savemap itself: DBFD34
Materia starts from: DC04B4
Member Slot: DD1638
Party Member ID: DD163C
70E2CB is where Arrange functions..hm
70DC80 is where it equips materia.. that's a key point
70ADBC is definitely where it populates the materia list.. somewhere right after that.

70ADBC: Offset that accesses the list, sticks a copy in DD12B0 ended with FF
709FBB: Calls 5CB2CC, bunch of savemap reads for party member 1 (DC0230)

Address		Module			Disassembly				Hi  Summary
------------------------------------------------------------------------------------------------------------------------------
0067DDC6	ff7.exe			mov edx,dword ptr ss:[ebp-AC34]          15 Equipped Before This Point
006803DA	ff7.exe			add byte ptr ds:[eax],al                 0  Entry to Menu 2 Pointer Storage
006C545B	ff7.exe			push ebp                                 3  Materia Equip
006C546E	ff7.exe			cmp ecx,FF                               3  Equip Check
006C5622	ff7.exe			cmp dword ptr ss:[ebp-20],4              4  Equip Check - When True, Jump to Equip
006CB8D5	ff7.exe			ret                                      1  Equip Return 6CDBBD Two
006CC73A	ff7.exe			call <ff7.sub_6CC9D3>                    1  Equip Call
006CC9D2	ff7.exe			ret                                      0  Equip Return - 67DD90  Final
006CC9D3	ff7.exe			push ebp                                 4  Equip Jump
006CDBC3	ff7.exe			ret                                      4  Equip Return 6CC73A Three
006F5B03	ff7.exe			push ebp                                 0  Menu Function
006F5B05	ff7.exe			in al,dx                                 0  Access Violation
006F5B17	ff7.exe			cmp dword ptr ss:[ebp+10],0              0  Equip String holder '%QUIPS"
00709EB6	ff7.exe			push ebp                                 0  Build Materia List
00709F37	ff7.exe			push A                                   0  Materia List Size
00709F38	ff7.exe			or ch,byte ptr ds:[edx+1]                0  Materia Menu List
0070ADBC	ff7.exe			cmp dword ptr ds:[ecx*4+DC04B4],FFFFFFFF 0  Move Cursor to Materia List and Populate
0070AE09	ff7.exe			mov eax,dword ptr ds:[DD1364]            0  Cursor
0070CC23	ff7.exe			cmp dword ptr ds:[920FA0],8              0  Arrange Button
0070CFCC	ff7.exe			call <ff7.sub_70AC24>                    0  Calls Materia List and mouse position
0070D1ED	ff7.exe			cmp dword ptr ds:[DD12BC],0              0  Check/Arrange (No Materia Selected)
0070DC80	ff7.exe			mov eax,dword ptr ds:[eax*4+DC04B4]      0  Equipping Materia
0070DCAB	ff7.exe			jmp ff7.70DD1D                           4  Jump to put on Materia
0070DD24	ff7.exe			call <ff7.sub_6C545B>                    0  Materia Equip Function Jump
0070E213	ff7.exe			ret                                      1  Equip Return 6CB872 One
0070E2CB	ff7.exe			push ff7.DC04B4                          0  Arrange
0076216F	ff7.exe			mov eax,dword ptr ds:[E3A7D0]            0  Entry point Menu
00DC04B3	ff7.exe			push dword ptr ds:[ecx]                  0  Materia List Start
00DC04B4	ff7.exe			xor dword ptr ds:[edi+75310004],edx      0  Materia List Start


WIP Materia Restriction

0070AE21 | 89 0D B0 12 DD 00        | mov dword ptr ds:[DD12B0],ecx           |
After this point, the Materia ID and the Character ID are known

DD12B0 - Pointer to Materia ID
DD163C - Pointer to Character ID
400E1C - Debug flag 60
400E1F - Debug flag E0
D14900 - Debug area
D14901 - Color Enable/Disable

// Old Data
0070C7BA | 83 3C 95 B4 04 DC 00 FF  | cmp dword ptr ds:[edx*4+DC04B4],FFFFFFF | Check Materia List Validity
0070C7C2 | 74 57                    | je ff7.70C81B                           |
0070C7C4 | 68 CD CC 4C 3E           | push 3E4CCCCD                           |
0070C7C9 | 6A 07                    | push 7                                  | ***** Materia Text Color

// New Data
0070C7BA | E9 49 81 60 00           | jmp ff7.D14908                          | Check Materia List Validity
0070C7BF | 90                       | nop                                     |
0070C7C0 | 90                       | nop                                     |
0070C7C1 | 90                       | nop                                     |
0070C7C2 | 90                       | nop                                     |
0070C7C3 | 90                       | nop                                     |
0070C7C4 | 90                       | nop                                     |
0070C7C5 | 90                       | nop                                     |
0070C7C6 | 90                       | nop                                     |
0070C7C7 | 90                       | nop                                     |
0070C7C8 | 90                       | nop                                     |
0070C7C9 | 90                       | nop                                     | ***** Materia Text Color
0070C7CA | 90                       | nop                                     |

// Debug Data
00D14900 | 90                       | nop                                     | Debug Area - Real
00D14901 | 90                       | nop                                     |
00D14902 | 90                       | nop                                     |
00D14903 | 90                       | nop                                     |
00D14904 | 90                       | nop                                     |
00D14905 | 90                       | nop                                     |
00D14906 | 90                       | nop                                     |
00D14907 | 90                       | nop                                     |
00D14908 | 81 3C 95 B4 04 DC 00 FF  | cmp dword ptr ds:[edx*4+DC04B4],FFFFFFF |
00D14913 | 0F 84 02 7F 9F FF        | je ff7.70C81B                           |
00D14919 | 68 CD CC 4C 3E           | push 3E4CCCCD                           |
00D1491E | 80 3C 95 B4 04 DC 00 31  | cmp byte ptr ds:[edx*4+DC04B4],31       | Is it fire Materia? Disable
00D14926 | 75 07                    | jne ff7.D1492F                          |
00D14928 | 6A 00                    | push 0                                  |
00D1492A | E9 90 7E 9F FF           | jmp ff7.70C7BF                          |
00D1492F | 6A 07                    | push 7                                  |
00D14931 | E9 89 7E 9F FF           | jmp ff7.70C7BF                          |

// Old Data
0070DC3B | 8B 15 3C 16 DD 00        | mov edx,dword ptr ds:[DD163C]           |

// New Data
0070DC2A | E9 D9 6C 60 00           | jmp ff7.D14908                          |
0070DC2F | 90                       | nop                                     |

// Debug Data
00D14938 | 80 3D B0 12 DD 00 31     | cmp byte ptr ds:[DD12B0],31             | 31:'1'
00D1493F | 0F 84 EB 92 9F FF        | je ff7.70DC30                           |
00D14945 | 8B 15 3C 16 DD 00        | mov edx,dword ptr ds:[DD163C]           |
00D1494B | E9 F0 92 9F FF           | jmp ff7.70DC40                          |


[Rollercoaster Propellor super-points issue]

This is for the xbin.bin from coaster.lgp; dunno if the .exe editor can get it.
DLPB got this one.

10b84c=00
10b8ac=00


[Snowboard Times issue]

Apparently the times were changed from NTSC Versions, so this corrects it.
For the regular .exe, DLPB.

00524E70=20
00524E71=CB
00524E72=00
00524E73=00
00524E74=F0
00524E75=D2
00524E76=00
00524E77=00
00524E78=C0
00524E79=DA
00524E7A=00
00524E7B=00
00524E7C=60
00524E7D=EA
00524E7E=00
00524E7F=00
00524E80=E8
00524E81=FD
00524E82=00
00524E83=00
00524E84=E0
00524E85=28
00524E86=01
00524E87=00
00524E88=90
00524E89=5F
00524E8A=01
00524E8B=00
00524E8C=FF
00524E8D=FF
00524E8E=FF
00524E8F=FF
00524E90=D0
00524E91=01
00524E92=01
00524E93=00
00524E94=70
00524E95=11
00524E96=01
00524E97=00
00524E98=28
00524E99=1D
00524E9A=01
00524E9B=00
00524E9C=E0
00524E9D=28
00524E9E=01
00524E9F=00
00524EA0=80
00524EA1=38
00524EA2=01
00524EA3=00
00524EA4=A0
00524EA5=86
00524EA6=01
00524EA7=00
00524EA8=C0
00524EA9=D4
00524EAA=01
00524EAB=00
00524EAC=FF
00524EAD=FF
00524EAE=FF
00524EAF=FF
00524EB0=70
00524EB1=11
00524EB2=01
00524EB3=00
00524EB4=F8
00524EB5=24
00524EB6=01
00524EB7=00
00524EB8=80
00524EB9=38
00524EBA=01
00524EBB=00
00524EBC=08
00524EBD=4C
00524EBE=01
00524EBF=00
00524EC0=18
00524EC1=73
00524EC2=01
00524EC3=00
00524EC4=B0
00524EC5=AD
00524EC6=01
00524EC7=00
00524EC8=D0
00524EC9=FB
00524ECA=01
00524ECB=00
00524ECC=FF
00524ECD=FF
00524ECE=FF
00524ECF=FF


[Kranmer's Trainer Dump]

Most are like GS codes, but you never know.

Full In-Game menu
00DC08F8 = FF FF

No Random Battles
00DBCAD9 = 0

Constant Random Battles
00DBCAD9 = FF

Inf/Max Gil
00DC08B4 = FF B4 34 7F

Set Game Played Time To 0
00DC08B8 = 00 00
----------------------------------------------------
TELEPORT/INSTANT BATTLE/RENAME/PHS/SHOP/IN-GAME MENU/MINI-GAME anywhere
00CC0D89 =
00 = Normal Field
01 = Fade to black (use this for teleport plus the next 2 bytes)
02 = Battle swirl (use this for instant battle plus the next 2 bytes)
03 = UNKNOWN
04 = Makes screen flash but somtimes plays movies
05 = Plays Ending Movie and Credits
06 = Rename Screen
07 = PHS
08 = Weapon Shop
09 = In-Game Menu (use this to get out of shop or phs or rename screen)
0A = UNKNOWN
0B = UNKNOWN
0C = MiniGame


You can find a list of teleport locations and values inside the zip which can be downloaded here
http://forums.qhimm.com/index.php?topic=10556.msg147396#msg147396
----------------------------------------------------
Character slot 1
00DC0230 =
00 = Cloud
01 = Barrett
02 = Tifa
03 = Aeris
04 = Red XIII
05 = Yuffie
06 = Cait Sith
07 = Vincent
08 = Cid
09 = Young Cloud (only while activated or if used before Kalm Flashback)
0A = Sephiroth (only while activated or if used before Kalm Flashback)
FF = Blank

Character slot 2
00DC0231 = SAME AS ABOVE

Character slot 3
00DC0232 = SAME AS ABOVE
----------------------------------------------------
Activate character instead of the following character (use this to replace different characters with sephiroth or young cloud)
Cloud
00DBFD8C =

Barrett
00DBFE10 =

Tifa
00DBFE94 =

Aries
00DBFF18 =

Red XIII
00DBFF9C =

Yuffie
00DC0020 =

Cait Sith
00DC00A4 =

Vincent
00DC0128 =

Cid
00DC01AC =

09 = Young Cloud
0A = Sepiroth
----------------------------------------------------
Sephiroth Instead of Vincent Code
Sephiroth In Slot3
00DC0232 = 0A

Activate Sephiroth Instead of Vincent
00DC0128 = 0A

Sephiroth's Name
00DC0136 = 01 41 33 45 50 48 49 52 4F 54 48 FF
----------------------------------------------------


\\\Misc-Dump: Data that'll likely be unused///


Functions Found\Hooked

IncreaseHP = 0x006CBA6A [DWORD formationIndex, WORD amount]
DecreaseHP = 0x006CB9D2 [DWORD formationIndex, DWORD amount]
IncreaseMP = 0x006CBBBF [DWORD formationIndex, WORD amount]
DecreaseMP = 0x006CBB27 [DWORD formationIndex, DWORD amount]
RestoreHPMP = 0x0061F793 [] // Full Heal Party

AddItems = 0x006CBFFA [DWORD item:amount]
RemoveItems = 0x006CBE5F [DWORD item:amount]

IncreaseGil = 0x006CBCB9 [DWORD amount]
DecreaseGil = 0x006CBC7C [DWORD amount]
GetCurrentGil = 0x006CBCE9 []

GetCharacterData = 0x006CB98E [DWORD formationIndex]
DebugOutput = 0x00664E30 [char* string]

IsMenuOpen = 0x0063BC9D []
CurrentMenu = 0x006C6AEE [DWORD menu]


Found WIP\Untested

ShowMessage = 0x00631586 [WORD unk1, WORD unk2]

SaveGame = 00720F6E [DWORD unk1:slot? filename?]
LoadGame = 007210BC [DWORD unk1:slot? filename?]

GetCharacterBySlot [Derive from GetCharacterData?]

GetItemCount = 0x006CBF57 [DWORD index] - Needs adjusted to return counts.

GetRandomBattleRate = 0x00767C55 []

Misc Addresses

Battle Timer Variable = 0x009AE17C // Times how long each battle took.

Turn Timer Variable = 0x009AE180 // Measures how long each battle participants
turn took. (Enemies, and allies.. This only accounts for the time the animations,
etc, take to play out, it doesn't count time spent in the menu's, etc,.)

Battle IsTargeting Variable = 0x009A8B08 // This is equal to 0, if you aren't
targeting something, 1 if you are. ie, if you select a command, and a target
icon appears, this will be equal to 1.

Battle Escape Variable = 0x009AAD06 // This is the counter that determines when
you escape, the longer you try, the larger this number gets, after it hits a
certain value, you escape. (This value will slowly decrease after you stop
trying to escape.)

Pressed Key Variable = 0x009A85D4 // Works with keys the game actually uses,
doesn't seem to register other keys. (This also responds to gamepad input.)

Menu Open Variable = 0x00CFFB8C // Equals 1 while the menu is open.
(Triangle menu.)