### Topic: HEX Editing SFC3 - How to? (Also found Easter Eggs?)  (Read 3007 times)


• Posts: 11
##### HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« on: January 12, 2015, 01:15:38 am »
Soo I'm playing around with my SFC3 installation and wanted to see if I could find some information in the sfc3.exe file, maybe do a bit of tampering for fun.

One interesting bit I have found which I anticipate might be edited by someone far more capable than myself is a line in the hex code directing to "master.gamespy.com" at position 571210h within the code. I am curious if it may be edited to redirect to a different server, in hopes of re-awakening "game servers".

Primarily, I am interested if anyone has any known hex values they might share that could be tampered with. However, the rest of this post covers some interesting tidbits I have already found.

So far, I haven't been able to locate much that I might find useful... However I think I may have found some rather hilarious easter eggs hidden within the code, such as the following:
Holy Frijoles
Not-So-Holy Beans
The musical fruit
Post no bills
Go straight to Hell
Excuse me!
Sam Itches?
Hole Space Anomalies Batman
Don't Look Into the light!
Oh my, what will we do

I am sure there are plenty more within the code. I found these items nearby names of weapons and items. No idea if they're some sort of encryption for information they didn't want easily accessible/changed, or if they are literally easter eggs within the code. Any ideas?
« Last Edit: January 12, 2015, 01:34:54 am by shade1129 »

• Posts: 11
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #1 on: January 12, 2015, 02:02:04 am »
Weapon Arcs listed in the HEX code. (Unknown if these are effectively modifiable currently)
Code:
120_300 60_240 120_3600_240 240_90 270_120 240_60 300_120 210_30 330_150 60_300 240_120 90_270 270_90 180_360 0_180 270_360 180_270 90_180 0_90 300_60 180_30060_180 240_360 120_240 0_120 165_195 345_15 330_30 270_330 210_270 150_210 90_150 30_90 300_360 240_300 180_240 120_180 60_120 0_60 0_360 NONE
Altering Shuttle Names - Shuttles are hardcoded and seemingly impossible to add additional shuttles. (Credit to JanB)
Code:
I found how to change the names of the hardcoded shuttles (no way to add extra ones though), to do this you have to search for "Klingon Shuttle", but you have to compensate a change in file length so all the sections afterwards stay in the right place, you do this with null characters ("00" in hex, "." in text): so for example you have to change "Cardassian Shuttle" to "Dominion Shuttle.." however, if you add content after the end of the file that's fine (I just haven't found anything useful to put there yet).

Altering "missing" WeaponFX (Credit to JanB)
Code:
From looking at the hex code I've also deduced that the missing texture that controls the Romulan disruptor is called "fx_mauler_beam", if you create a .bmp file with that name in your assets/textures folder you can manipulate the R-disruptor.
Editing strategic map colors (Credit to JanB)
Code:
I've been able to change the colors of the empires on the map by looking up their color codes.

Altering the ship class labels - Such as SH, DD, CL, CA, DN, BB, etc (Credit to JanB)
Code:
I found a piece of code that is related to which classes appear in the vessel library, this is also linked to the list of hardcoded shuttles and the map symbols for different classes (so why destroyers and light cruisers both have the "CL" symbol on a map), if in that code you switch "SH" and "DD" the destroyers become hardcoded (with the shuttle names), if you switch CA and DD then destroyers have the "CA" symbol on the map and heavy cruisers get the "CL" symbol. This is a piece of code that contains "CL..DD..SH.." right after the part with the firing arcs.
Altering Race Logos (Credit to JanB)
Code:
In the sprites.q3 file I found how to switch around the race logos you see when you want to capture a ship.
Anything above that seems vague will be updated if/when more specifics are listed. I'm no expert, myself, but am happy to do the grunt work of organizing, and in some cases, testing findings.
« Last Edit: January 12, 2015, 08:40:07 am by shade1129 »

#### JanB

• Posts: 103
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #2 on: January 12, 2015, 06:04:44 am »
I'm a bit ahead of you. I found how to change the names of the hardcoded shuttles (no way to add extra ones though), to do this you have to search for "Klingon Shuttle", but you have to compensate a change in file length so all the sections afterwards stay in the right place, you do this with null characters ("00" in hex, "." in text): so for example you have to change "Cardassian Shuttle" to "Dominion Shuttle.." however, if you add content after the end of the file that's fine (I just haven't found anything useful to put there yet). From looking at the hex code I've also deduced that the missing texture that controls the Romulan disruptor is called "fx_mauler_beam", if you create a .bmp file with that name in your assets/textures folder you can manipulate the R-disruptor. I've been able to change the colors of the empires on the map by looking up their color codes. I found a piece of code that is related to which classes appear in the vessel library, this is also linked to the list of hardcoded shuttles and the map symbols for different classes (so why destroyers and light cruisers both have the "CL" symbol on a map), if in that code you switch "SH" and "DD" the destroyers become hardcoded (with the shuttle names), if you switch CA and DD then destroyers have the "CA" symbol on the map and heavy cruisers get the "CL" symbol. This is a piece of code that contains "CL..DD..SH.." right after the part with the firing arcs. In the sprites.q3 file I found how to switch around the race logos you see when you want to capture a ship.

To answer your question about game servers, it's probably some combination of editing the SFC3.exe and the files in the MetaAssets folder that will do the trick, though with this game you never know how much is hard-hardcoded or dependent on some linked variable that you cannot change without crashing the whole game. So hope for the best, expect the worst.

It might be useful for you to follow this thread here: http://www.dynaverse.net/forum/index.php/topic,163394152.200.html

EDIT: on the race colors, you can find their values when you open one of the maps in the MetaAssets folder with a text editor or hex editor. For example 0066f5 (you'll find it as 0x0066f5 in the file) is Federation blue. The map files contain these colors for viewing in the map editor, the true ingame colors are set in SFC3.exe, but luckily use the same values. I found 3 different colors for each race: the color their sectors have on the strategic map, the color their ships, planets and station names have when you are about to attack them from the strategic map and the color of the info on their empire under the help menu in conquest mode.
« Last Edit: January 27, 2015, 07:34:43 am by JanB »

• Posts: 11
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #3 on: January 12, 2015, 08:19:12 am »
Ah those are some cool tidbits you point out there, JanB. I did notice that thread you reference (found it when I was searching for hex editing info). Can't say I read it all before, I have now. IMO it may be beneficial to separate SFC2 from SFC3, thread wise. Being that the majority of that thread is SFC2 related, I'd like to spark SFC3 specific discussion in this thread.

You bring up a good point about the game servers question I was pondering. I posted rather prematurely after finding that initial part of the code.. Going further, I noticed several references to GameSpy and its servers. It is a matter I would love to investigate further, however due to my limited understanding, I am unsure how to approach replacing those calls, or more specifically, how to emulate the needed programming, server-side. I'd gladly test any ideas until my face turns blue if anyone has further insight into these values/their corresponding functions. (I fully understand that's a lot to ask, I'm hopeful there are some as eager as myself to attain this goal still out there)

For ease of readability, I'll concatenate discoveries in my second post. (Unless anyone has objections)

Thanks!

• Posts: 11
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #4 on: January 12, 2015, 12:39:52 pm »
In particular, I'd like to also find values that might relate to the recharge speed of weapons, the ranges of weapons, and the regeneration of Borg vessels.

#### Javora

• America for Americans first.
• Commander
• Posts: 2822
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #5 on: January 12, 2015, 08:55:05 pm »
Shortly before Gamespy closed down I suggested that we reach out to them and try to get a copy of Gamespy's server side program.  Not sure if that went anywhere but in light of this discovery it would have been nice if someone followed through.  Sadly we may never know now.

• Posts: 11
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #6 on: January 13, 2015, 01:12:56 am »
That would have been awesome, Javora! It's a shame no one did =(

I just downloaded a packet sniffer, wanted to see if there might be any clues in the packets the game sends when trying to contact the gamespy server. Unfortunately my inexperience in this field shines yet again, completely unsure what the packets "contain".

"2085","45.721222000","192.168.1.65","192.168.1.254","SSDP","175","M-SEARCH * HTTP/1.1 "

That's what the packets are listed as, the information within, the packet tool I was using wouldn't let me copy, but again, if there are any "experts" in this field who are curious, I might be able to get more info.

#### JanB

• Posts: 103
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #7 on: January 13, 2015, 06:23:12 pm »
NOTE: this post has been made obsolete by new information: http://www.dynaverse.net/forum/index.php/topic,163394174.msg1123048179.html#msg1123048179

Wow, I finally got somewhere with the shuttle problem in SFC3. A program called IDA Pro was very helpful and now I've managed to give Species 8472 its own shuttle and I've decoupled the Ferengi shuttle from the Federation shuttle. Unfortunately this did mean forcing the pirates and Rakellians to use the same shuttle as the Ferengi (they're now coupled), but I'm sure it's not a stretch for pirates to use bought Ferengi shuttles and most people find Species 8472 more interesting for a mod than they do the Rakellians (you could also raceswap if you don't use Species 8472 and want a unique Rakellian shuttle). Neutral vessels now use the Ferengi/pirate/Rakellian shuttle instead of the Federation shuttle. All the other races keep the shuttle they already had.

Here's how you do it:

- open up SFC3.exe (I worked with version v354b) with a hex editor and navigate to offset 000061B08 (that's the hexadecimal address)

- REPLACE the following 27 bits:

48 74 34 48 74 2A 48 74 20 48 48 74 15 48 48 74 0A 48 75 39 BB 78 66 94 00 EB 21

has to become

48 74 34 48 74 2A 48 74 20 48 74 0F 48 74 13 48 78 3B 79 00 BB 78 66 94 00 EB 21

- now look for the string "Klingon Shuttle" (without the parentheses), you'll find the area where the shuttle names are defined.

- change the names as you see fit, but make sure that you compensate with null characters (. in text, 00 in hex) for longer or shorter names, for example replace "Rakellian Shuttle" with "Dominion Shuttle." and ".Pirate Shuttle" with "Ferengi Shuttle". There are limits to how far you can move the names before they start to interfere with each other and once you're out of null characters you can't choose longer names. Just play with it and you'll see.
« Last Edit: January 16, 2015, 09:50:21 am by JanB »

#### JanB

• Posts: 103
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #8 on: January 13, 2015, 10:18:52 pm »
My next project: getting rid of the 65000 game points limit. 65000 is 477DE800 in hexadecimal, which would probably be used like 00E87D47 by the game engine. I can only find two instances, one crashes the game when changed, the other doesn't do anything and according to IDA they're both just coincidences (they don't form their own byte words). There are variables called "skirmmaxpoints", etc... but they haven't led me anywhere for the time being.

#### TarMinyatur

• Lt.
• Posts: 933
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #9 on: January 13, 2015, 11:38:17 pm »
65,000 could be stored in double-precision: 0x40EFBD0000000000 --> 00 00 00 00 00 00 BD EF 40

It could be stored as a 4-byte integer too: 0x0000FDE8 --> E8 FD 00 00

#### JanB

• Posts: 103
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #10 on: January 14, 2015, 07:41:55 am »
Thanks Tar! Although I don't think any of the SFC games use double precision floats for variables, they indeed do use 4-byte integers. One of the E8 FD 00 00 I found is at offset 00095DF0 and that one is the skirmish game points limit, I've set it to 999999 (3F 42 0F 00) and it works, so mission accomplished!
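An added example, not part of the posts above: a Python sketch that generates the little-endian storage forms of a constant discussed in these replies (4-byte integer, single and double precision float), finds every occurrence in a byte buffer, and builds a same-width replacement. The function names and the `SAMPLE` bytes are constructed for illustration.

```python
import struct

# Storage forms discussed in the replies above, as little-endian struct formats.
FORMATS = {"uint32": "<I", "float32": "<f", "float64": "<d"}

# Constructed sample: filler, a 4-byte 65000, more filler, a float32 65000.0.
SAMPLE = bytes.fromhex("90 90 68 E8 FD 00 00 C3 00 E8 7D 47 CC")


def encodings(value: int) -> dict:
    """Byte patterns that could represent `value` on disk."""
    out = {
        "float32": struct.pack("<f", float(value)),
        "float64": struct.pack("<d", float(value)),
    }
    if 0 <= value <= 0xFFFFFFFF:
        out["uint32"] = struct.pack("<I", value)
    return out


def scan(blob: bytes, value: int) -> list:
    """Return sorted (offset, kind) pairs for every encoding of `value` found."""
    hits = []
    for kind, pattern in encodings(value).items():
        at = blob.find(pattern)
        while at != -1:
            hits.append((at, kind))
            at = blob.find(pattern, at + 1)
    return sorted(hits)


def replacement(kind: str, new_value: int) -> bytes:
    """Encode `new_value` in the same width and type as the value it replaces.

    Raises if the value overflows the field or cannot be stored exactly,
    for example an integer above 2**24 in a float32.
    """
    fmt = FORMATS[kind]
    packed = struct.pack(fmt, new_value if kind == "uint32" else float(new_value))
    if struct.unpack(fmt, packed)[0] != new_value:
        raise ValueError(f"{new_value} is not exactly representable as {kind}")
    return packed


if __name__ == "__main__":
    for kind, pattern in encodings(65000).items():
        print(f"{kind:8s} {pattern.hex(' ').upper()}")
    for offset, kind in scan(SAMPLE, 65000):
        print(f"hit at {offset:#06x}: {kind}")
    print("new uint32:", replacement("uint32", 999999).hex(" ").upper())
```

A byte match only shows that the pattern occurs at that offset; whether it is the variable you want still has to be confirmed in a disassembler or by testing on a backup copy.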

#### TarMinyatur

• Lt.
• Posts: 933
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #11 on: January 14, 2015, 01:24:01 pm »
You're welcome, Jan.

I've only found two variables that definitely use double-precision in Community Edition: Hellbore hold costs, 2.5d for normal and 4.5d for overload. I guess Khoros and Magnum may have used a few doubles in their excellent patches.

#### JanB

• Posts: 103
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #12 on: January 16, 2015, 09:48:45 am »
I've managed to make the ultimate shuttle mod (IDA Pro is fantastic!): every race, from Federation to Neutral now has its own shuttle, they'll look for the following objects in the defaultloadout file:

Federation: Federation Shuttle
Klingon: Klingon Shuttle
Romulan: Romulan Shuttle
Borg: Borg Shuttle
Species 8472: Species 8472 Shuttle
Cardassian: Cardassian Shuttle
Ferengi: Ferengi Shuttle
Rakellian: Rakellian Shuttle
Pirate: Pirate Shuttle
Neutral: Neutral Shuttle

You can change these names by opening the attached SFC3exe with a hex editor and searching for the right string. For example say you have a mod with the Dominion instead of Species 8472: you open SFC3exe with a hex editor, search for the string "Species 8472 Shuttle" (without the parentheses) and when you find it you replace it with "Dominion Shuttle....", where the dots (make sure they are represented as 00) are used as padding to make sure everything in the exe file stays in the right place.

I've attached the new SFC3exe, as a bonus it also sets the default game points limit in skirmish from 65000 to 999999.

Have fun!

P.S. Always make backups before messing with the game and make sure to credit me (JanB) if you use this modified exe in your mod.

P.S. Now that we know new functions can be created in empty portions of the exe, basically anything is possible, including adding new weapons, but I'm probably going to leave that for someone else to do.
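An added example, not part of the posts above: a Python sketch of the length-preserving edits described in replies #7 and #12, where a replacement name is NUL-padded to the original length and a fixed-offset byte patch is applied only if the bytes currently there match what is expected. All function names and the `SAMPLE` buffer are constructed for illustration.

```python
import hashlib

# Constructed stand-in for the name table described in the posts: strings at
# fixed positions with spare NUL padding between them.
SAMPLE = (
    b"\x90" * 8
    + b"Klingon Shuttle\x00"
    + b"Species 8472 Shuttle\x00\x00\x00\x00"
    + b"Cardassian Shuttle\x00\x00"
    + b"\xC3" * 8
)


def pad_replacement(old: bytes, new: bytes) -> bytes:
    """NUL-pad `new` to exactly len(old); refuse names that would not fit."""
    if len(new) > len(old):
        raise ValueError(f"{new!r} is {len(new) - len(old)} byte(s) too long")
    return new + b"\x00" * (len(old) - len(new))


def patch_string(image: bytes, old: bytes, new: bytes) -> bytes:
    """Overwrite the only occurrence of `old` in place; file length is unchanged."""
    hits = image.count(old)
    if hits != 1:
        raise ValueError(f"expected one match for {old!r}, found {hits}")
    at = image.index(old)
    return image[:at] + pad_replacement(old, new) + image[at + len(old):]


def patch_bytes_at(image: bytes, offset: int, expected: bytes, new: bytes) -> bytes:
    """Overwrite bytes at a fixed offset only if the current bytes are `expected`.

    A mismatch usually means a different build of the file than the one the
    offset was published for.
    """
    if len(expected) != len(new):
        raise ValueError("replacement must be the same length as the original")
    if image[offset:offset + len(expected)] != expected:
        raise ValueError(f"unexpected bytes at {offset:#x}; refusing to patch")
    return image[:offset] + new + image[offset + len(expected):]


def sha256(data: bytes) -> str:
    """Digest to record next to the backup and the patched copy."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    out = patch_string(SAMPLE, b"Species 8472 Shuttle", b"Dominion Shuttle")
    print("length unchanged:", len(out) == len(SAMPLE))
    print("before:", sha256(SAMPLE))
    print("after: ", sha256(out))
```

Recording the hash of the unmodified file also tells you later which build a set of published offsets was written for.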

#### JanB

• Posts: 103
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #13 on: January 26, 2015, 10:35:09 pm »
I went to work with the race logos again after I got too frustrated looking for the weapon textures controls.

Anyway, I figured out how to work with the textures in sprites.q3, at least the 16 bit ones. A crude Dominion logo (48x48, 16bit) I made can be seen in the attachment.

I'll try to explain the process through the example of this race logo in SFC3.

At offset 03 5F AE EB of the SFC3 sprites.q3 you'll find the following bytes: 2A 0E 00 00 99 00 00 00 00 00 00 00 00 00 0C 2D 00 00 A7 D7 44 03 FF 00 01 00 these control the Federation race logo. 2A 0E is just a name for this particular logo and I'm not sure what all the other bytes do but I do know that A7 D7 44 03 is the address of the image (in reverse, because little-endian, you'll find it at offset 03 44 D7 A7), 0C 2D (again, this is 2D 0C = 11532) is the size of the image plus its "header" in bytes (if you add that to the offset of the image you get the offset of the next image in sprites.q3).

Now since we do not want to move stuff in sprites.q3 we are going to add a new image to the end of the file and direct the control byte address to it. We can create crude images ourselves even without access to the custom color palette of the sprites.q3 file (see EDIT 2, below). We now need to add 22 null characters (00) to the end of sprites.q3 (this will come in handy later). The next byte would be byte 03 61 5C AC so we go back to our 2A 0E control area and change A7 D7 44 03 into AC 5C 61 03. In crude drawing style we just need 48x48 pixels x2 (because 16bit colors take two bytes) = 4608 bytes for the image itself, plus 20 bytes for the header, but the game will want more (probably related to the custom color palette thing), so we actually need something like 4800 bytes, plus 20 bytes for the header. So in the 2A 0E control section we change 2D 0C into D4 12.

Now we must set up the header. Starting from byte 03 61 5C AC we type in: 30 00 30 00 18 00 18 00 00 00 10 00 FF 00 01 00 C0 12 00 00 The 30 00 30 00 part tells the game the image is 48 by 48 pixels, the 18 00 18 00 part tells the game to center the image at its center (24,24), 10 00 tells the game it's a 16bit image, 01 tells the game to use some form of RLE compression that happens to work for our scheme (sadly, just choosing 00 doesn't make the game accept normal, uncompressed bitmap images), the C0 12 part just means 4800 bytes will follow the header (if you set this too low the bottom part of the image won't be rendered, it has to be larger than 48x48x2=4608).

We're now ready to construct the actual image. We must select 4800 bytes of data from somewhere in the sprites.q3 file (or any other binary file), copy and paste it behind the header we just made, then turn all the bytes into FF (FF FF makes a pixel black, not the usual 16bit color palette, but we can work with it). Because we've conveniently placed 22 null characters between the original end of the file and the image header the beginning of the image will align with the right side of the screen when we set the number of columns in our hex editor to 96. We can now start to "paint" our image: the first two bytes beyond the header are the pixel in the upper left corner of the image, every row of 96 bytes is exactly one row of 48 pixels in our image. I found that 0F 0F gives a greenish color, and 0D 0D a blueish color, these are the only colors I used to create the image in the attachment.

And we're done!

EDIT: I found that FF 30 gives a nicer Dominion shade of purple, replace 0D 0D with it. Also 1F 00 works as deep blue, when you need that for another image.

EDIT 2: I found a program that produces images that can almost directly be put into sprites.q3. GIMP (available for Windows and Linux) allows you to export images as 16 bit BMPs with the X1 R5 G5 B5 advanced option. With compression set to 00 or 01, sprites.q3 will accept this, including the color palette, but you still have to vertically flip the image first and you have to move the color palette generated by GIMP to the back of the data. For a 64x64 16bit bitmap GIMP produces a file of 8330 bytes, you can work on it with a hex editor. The first 54 bytes are a bitmap header that you should not copy into sprites.q3 (which uses the custom 20 byte header system I explained above), the next 84 bytes are the color palette, you should cut this and paste it at the back of the file. The actual data consists of 8192 bytes. Copy everything except the header (so 8276 bytes) and paste it after the custom header you made at the end of sprites.q3. Of course the header should be adjusted for a 64x64 image size, centered at 32,32. The data size should be set to 8276 bytes (so for example change the C0 12 from the above example into 54 20). The compression byte should be set to either 00 or 01, but not 02. The control section (2A 0E in our example) needs to be updated too, so going with our example, turn D4 12 into 68 20.

This should work for all the 16bit images in sprites.q3, and in principle all 8bit images (some of the map icons and buttons, I believe) could be replaced by 16bit images if those are placed at the back of sprites.q3.

The result of this latest successful experiment can be seen in the second attachment, enjoy!
« Last Edit: January 27, 2015, 05:06:28 pm by JanB »
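An added example, not part of the post above: a Python sketch of the append-and-repoint procedure from reply #13, using the 20-byte image header and the 26-byte control record as the post lays them out. The field names, the treatment of the size and address as 32-bit values at offsets 14 and 18 of the control record, and the small test buffer are assumptions made for illustration; bytes the post does not explain are written back unchanged.

```python
import struct

# 20-byte image header: width, height, center x, center y, (unexplained),
# bits per pixel, (unexplained, FF 00), compression, data size.
HEADER = struct.Struct("<HHHHHHHHI")
CTRL_SIZE_OFF, CTRL_ADDR_OFF = 14, 18  # assumed positions in the control record

# Control record bytes quoted in the post for the Federation logo.
CONTROL = bytes.fromhex(
    "2A 0E 00 00 99 00 00 00 00 00 00 00 00 00 0C 2D 00 00 A7 D7 44 03 FF 00 01 00"
)


def build_header(width: int, height: int, data_len: int, compression: int = 1) -> bytes:
    """Header for a 16-bit image centered on its midpoint."""
    return HEADER.pack(width, height, width // 2, height // 2,
                       0x0000, 16, 0x00FF, compression, data_len)


def parse_header(blob: bytes, offset: int) -> dict:
    w, h, cx, cy, _, bpp, _, comp, size = HEADER.unpack_from(blob, offset)
    return {"width": w, "height": h, "center": (cx, cy),
            "bpp": bpp, "compression": comp, "data_size": size}


def parse_control(blob: bytes, offset: int) -> dict:
    size, addr = struct.unpack_from("<II", blob, offset + CTRL_SIZE_OFF)
    return {"id": bytes(blob[offset:offset + 2]), "size": size, "address": addr}


def append_image(blob: bytearray, control_offset: int, width: int, height: int,
                 data: bytes, pad: int = 0) -> int:
    """Append header + data at the end of `blob` and repoint the control record.

    Nothing already in the file moves; only the size and address fields of
    the control record are rewritten. Returns the new image's offset.
    """
    if len(data) < width * height * 2:
        raise ValueError("fewer than width*height*2 bytes; image would be cut off")
    blob += b"\x00" * pad                       # optional alignment padding
    address = len(blob)
    blob += build_header(width, height, len(data)) + data
    struct.pack_into("<II", blob, control_offset + CTRL_SIZE_OFF,
                     HEADER.size + len(data), address)
    return address


if __name__ == "__main__":
    blob = bytearray(CONTROL + b"\xAA" * 100)   # constructed miniature file
    print("before:", parse_control(blob, 0))
    addr = append_image(blob, 0, 48, 48, b"\xFF" * 4800, pad=22)
    print("after: ", parse_control(blob, 0))
    print("header:", parse_header(blob, addr))
```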

#### TarMinyatur

• Lt.
• Posts: 933
##### Re: HEX Editing SFC3 - How to? (Also found Easter Eggs?)
« Reply #14 on: January 27, 2015, 01:44:52 am »
Nice work, Jan.