ztz2019

How to let transportation contain more squads?


Normally, if a transport contains more than one squad, it has a bug where only the last squad can exit.

But I found that the FALLOUT mod seems to have solved the problem; the vehicle can let all squads evacuate.

There's a special V-350 OX in the mission Berne that has 6 slots and contains 3 squads, but if I build it at the airfield, it still has the bug: only the last squad evacuates.

Edited by ztz2019


What version of Fallout are you using? Didn't know they had a mission out for it yet; seems like the mod hasn't updated in over a year or so?


If all squads are loaded at the same time (via script for example) the evac will work correctly. It only bugs if a squad enters the container with a certain delay.

(See Hampton Roads in TW for reference)

Edited by Lauren


> If all squads are loaded at the same time (via script for example) the evac will work correctly. It only bugs if a squad enters the container with a certain delay.
>
> (See Hampton Roads in TW for reference)

So how to implement it correctly or avoid the bug in a normal game?


I am assuming through the map itself, can't think atm of a way to do it with an ingame script. Having squads enter at the exact time sounds like you need to use waypoints/areas to track equal distance and a timer to make them enter at the same time.


Yeah, sadly. It can work manually if you place both squads REALLY close to the container, but there is nothing you can do to fix the actual problem. You can get rid of squads though as single units work like a charm.


> You can get rid of squads though as single units work like a charm.

Exactly what I will be doing in my mod (if I ever get to it), I never liked the squad thing tbh. The idea would be better if it was more Dawn of War like and less the way it's now imo. But that's personal prefs I guess.


It made sense in BFME, but it didn't carry over quite as good for TW imo.


> It made sense in BFME, but it didn't carry over quite as good for TW imo.

Ye but if you look at the depth of units in BFME compared to Gen (well Gen had more depth as well with abilities and upgrades) and TW... TW is rather bland. On average you have 1 upgrade per unit and a few unit abilities. Besides the commando you don't really have a hero unit... and the commando doesn't even use some of the hero coding BFME had. BFME was more micro oriented so they used squads to give that feeling of macro. TW is already macro oriented, yet they still use squads to add more to the macro effect... at the loss of depth development for individual units. A part of me wishes that I started modding BFME back then, it had a lot of fun things you could do with it. TW seems all about discovering/reusing some of those fun things... which ofc can be fun and rewarding in its own way... but sometimes awfully frustrating as well.


BFME is quite the same, trust me. It had a lot of Generals behaviors removed etc, some were reimplemented for BFME2 to support mods (like the TankDraw) but they still have bugs (like the TankDraw's barrel facing into the wrong direction and that was mostly unfixed in TW).

BFME doesn't really have more options, but different ones. Though I'd say even with a few modules not working TW has the most options (actually TT but no one did a tool support that yet).


> Yeah, sadly. It can work manually if you place both squads REALLY close to the container, but there is nothing you can do to fix the actual problem. You can get rid of squads though as single units work like a charm.

 

:naughty:, there is a way, and I found it, I told you mighty one (or it was a dream? :spin: ) that I would fix this issue...

 

Forgive mighty one, I was joking :scared: , :burn:

 

Let's get serious, you can mess with the exe (actually cnc3game.dat) until you get what you want....

 

Like this:

 

However cuz of the delayed loading, the "call for transport" won't work unless you manually click to load units before the transport lands.

 

UPDATE 17 - 7 - 15

After messing more with the .exe I fixed the delayed loading and so the "call for transport" glitch.

 

Since nobody cares I will post the patches here:

---------------------------------------------------------------------------------------
Camera Mod

ORIGINAL: 74 4B D9 41 0C F3 0F 10 41 08 D8 0D 88 E6 A3 00 F3 0F 59 05 40 CE AA 00 F3 0F 11 45 08 D9 C0
MODDED:   74 4B E9 41 0B A2 02 D9 41 0C D8 0D 88 E6 A3 00 90 90 90 90 90 90 90 90 F3 0F 11 45 08 D9 C0

ORIGINAL: 76 64 D9 47 50 8B 06 8B CE D9 5D FC FF 10 D8 6D FC 0F 57 C0 8D 45 FC
MODDED:   76 64 D9 47 40 8B 06 8B CE D9 5D FC FF 10 D8 6D FC 0F 57 C0 8D 45 FC

ORIGINAL: E8 A5 D3 E1 FF D9 5E 08 80 7D FF 00 75 0E
MODDED:   E8 A5 D3 E1 FF 90 90 90 80 7D FF 00 75 0E

NEW SECTION: 00 00 96 44 00 00 96 43 33 33 B3 3F CD CC B3 42 00 00 c8 44 00 00 96 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 A1 08 F0 15 03 53 8B 1D 78 A2 BE 00 89 83 10 0B 00 00 5B A1 0C F0 15 03 89 41 0C A1 10 F0 15 03 89 41 08 A1 14 F0 15 03 89 41 04 8B 81 88 DB FF FF 3B 05 00 F0 15 03 7F 12 3B 05 04 F0 15 03 7C 14 F3 0F 10 81 88 DB FF FF EB 12 F3 0F 10 05 00 F0 15 03 EB 08 F3 0F 10 05 04 F0 15 03 F3 0F 10 89 88 DB FF FF F3 0F 5E C8 F3 0F 11 89 84 DB FF FF 58 E9 47 F4 5D FD
---------------------------------------------------------------------------------------


---------------------------------------------------------------------------------------
Multi squad load on vehicles Fix (causes call for transport glitch)

ORIGINAL: 8B 79 14 E8 5B 0C FD FF 85 FF 8B E8 0F 84 A5 00 00 00 85 ED
MODDED:   8B 79 14 E8 A9 96 BD 02 85 FF 8B E8 0F 84 A5 00 00 00 85 ED

NEW SECTION: 8B 41 3C 56 31 F6 29 F0 48 8B 49 20 39 0D 18 F0 15 03 74 0D 89 0D 18 F0 15 03 B9 00 00 00 00 EB 0A C7 05 18 F0 15 03 00 00 00 00 51 8B 0D 4C 53 BE 00 81 C1 C0 00 00 00 E8 6B 1B 6B FD 39 F0 74 03 8B 70 08 8B C6 5E C3
---------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------
Call for transport glitch Fix

ORIGINAL: 85 FF 89 7E 04 74 38 8B 07 8B CF FF 50 10 8B 4E 04
MODDED:   85 FF 89 7E 04 E9 06 8B C0 02 90 FF 50 10 8B 4E 04

NEW SECTION: 0F 84 29 75 3F FD 8B 07 8B CF 3D 04 F3 A6 00 75 12 89 3D 1C F0 15 03 89 1D 20 F0 15 03 89 15 24 F0 15 03 83 3D 18 F0 15 03 00 0F 84 CB 74 3F FD 8B 3D 1C F0 15 03 89 7E 04 8B 07 8B CF 8B 1D 20 F0 15 03 8B 15 24 F0 15 03 E9 AD 74 3F FD
---------------------------------------------------------------------------------------

If anyone wants the cnc3game.dat already modded, send me a pm.

Edited by jvm


I cared :P also sent it to a few people, just didn't write a reply ^^

It's pretty awesome though I've no idea where to place the new section :P

 

I don't have much of an idea of executable bytecode itself.

Edited by Lauren


What is the chance this will cause desyncs in a multiplayer game?


> I cared :P also sent it to a few people, just didn't write a reply ^^
>
> It's pretty awesome though I've no idea where to place the new section :P
>
> I don't have much of an idea of executable bytecode itself.

 

You need to create a new section at the end of cnc3game.dat with something like Stud_PE (the raw offset should be 0x2351000), (the size in this example was 0xB9000)

 

It will look like this: here

 

OR you could find a space inhabited with only null (0x00) as your code cave. In this case you will need to change some call and jmp values.

 

 

> What is the chance this will cause desyncs in a multiplayer game?

 

Dunno, never played a multiplayer game with this version.

 

If you want I could explain step by step what I did (and you will see that it is a real mess, trial and error). But the topic could be quite large (however it will help anyone, this includes me, since I usually forget how to do things after a couple of months).

A short version (which doesn't have all the details nor explanation) of how this was done is here:

 

my topic: here

 

which redirects to this topic: here

Edited by jvm


First, some considerations:
1- If you know how to use the cheat engine or similar programs for hacks, it will be helpful to understand what follows.
2- It is important to remember that the instructions like "call" and "jmp", when they make a long jump what you see in the instruction is relative (ie correct), but bytes are absolute (which will only be correct if nothing is changed). Therefore, it is best to look in the assembler instructions, regardless of bytes.
3- Having said that, there is no single way of doing things, the only thing that matters is to keep the theoretical sequence of instructions.
4- The fix for loading squads into units, works fine, but is not optimal and needs to be improved, but I don't have the time nor motivation to do it.
5- The camera mod is not complete, missing adjust of floor level with the minimum height allowed.
6- I will be calling "game loop" to all the game instructions that are always executed during gameplay and debugging them makes the game freeze.
7- Also I will be calling "refresh screen" when the game calls special libraries that aren't debuggable at least by cheat engine.
8- To make debugging easier, remember to launch the game with "-win".

 


Let's start with, how to fix the issue when loading multiple squads on a vehicle:

First part (alone causes the call for transport glitch):

As any hack to an .exe file, we need to start by debugging the "exe" until we find the section where the problem lies. For cnc3game.dat (version 1.09) the "game loop" calls a function to start with the loading squads (in both units and structures), here:

cnc3game.Debug::PostStaticInit+14CE2D - FF 50 10              - call dword ptr [eax+10]

Only when "eax" equals 0x00A6F304. That instruction belongs to this routine (which is in the game loop):

cnc3game.Debug::PostStaticInit+14CDE1 - 8B 44 24 04           - mov eax,[esp+04]

...

cnc3game.Debug::PostStaticInit+14CE19 - 74 07                 - je cnc3game.Debug::PostStaticInit+14CE22

cnc3game.Debug::PostStaticInit+14CE1B - 8B 01                 - mov eax,[ecx]

cnc3game.Debug::PostStaticInit+14CE1D - 6A 00                 - push 00

cnc3game.Debug::PostStaticInit+14CE1F - FF 50 14              - call dword ptr [eax+14]

cnc3game.Debug::PostStaticInit+14CE22 - 85 FF                 - test edi,edi

cnc3game.Debug::PostStaticInit+14CE24 - 89 7E 04              - mov [esi+04],edi

cnc3game.Debug::PostStaticInit+14CE27 - 74 38                 - je cnc3game.Debug::PostStaticInit+14CE61

cnc3game.Debug::PostStaticInit+14CE29 - 8B 07                 - mov eax,[edi]

cnc3game.Debug::PostStaticInit+14CE2B - 8B CF                 - mov ecx,edi

cnc3game.Debug::PostStaticInit+14CE2D - FF 50 10              - call dword ptr [eax+10]

cnc3game.Debug::PostStaticInit+14CE30 - 8B 4E 04              - mov ecx,[esi+04]

cnc3game.Debug::PostStaticInit+14CE33 - 85 C9                 - test ecx,ecx

...

cnc3game.Debug::PostStaticInit+14CE65 - C2 0400               - ret 0004

The input values to the function seem to be quite random and they don't repeat after a loading. The function called is this one (not game loop):

cnc3game.Debug::PostStaticInit+17C232 - 8B 49 18              - mov ecx,[ecx+18]

cnc3game.Debug::PostStaticInit+17C235 - 53                    - push ebx

cnc3game.Debug::PostStaticInit+17C236 - 55                    - push ebp

cnc3game.Debug::PostStaticInit+17C237 - 56                    - push esi

cnc3game.Debug::PostStaticInit+17C238 - 57                    - push edi

cnc3game.Debug::PostStaticInit+17C239 - 8B 79 14              - mov edi,[ecx+14]

cnc3game.Debug::PostStaticInit+17C23C - E8 5B0CFDFF           - call cnc3game.Debug::PostStaticInit+14CE9C

cnc3game.Debug::PostStaticInit+17C241 - 85 FF                 - test edi,edi

cnc3game.Debug::PostStaticInit+17C243 - 8B E8                 - mov ebp,eax

cnc3game.Debug::PostStaticInit+17C245 - 0F84 A5000000         - je cnc3game.Debug::PostStaticInit+17C2F0

cnc3game.Debug::PostStaticInit+17C24B - 85 ED                 - test ebp,ebp

cnc3game.Debug::PostStaticInit+17C24D - 0F84 9D000000         - je cnc3game.Debug::PostStaticInit+17C2F0

...

cnc3game.Debug::PostStaticInit+17C2F0 - 6A FE                 - push -02

cnc3game.Debug::PostStaticInit+17C2F2 - 58                    - pop eax

cnc3game.Debug::PostStaticInit+17C2F3 - 5F                    - pop edi

cnc3game.Debug::PostStaticInit+17C2F4 - 5E                    - pop esi

cnc3game.Debug::PostStaticInit+17C2F5 - 5D                    - pop ebp

cnc3game.Debug::PostStaticInit+17C2F6 - 5B                    - pop ebx

cnc3game.Debug::PostStaticInit+17C2F7 - C3                    - ret

The first function called is:

cnc3game.Debug::PostStaticInit+17C23C - E8 5B0CFDFF           - call cnc3game.Debug::PostStaticInit+14CE9C

Inside it, there is this (game loop):

cnc3game.Debug::PostStaticInit+14CE9C - 8B 41 3C              - mov eax,[ecx+3C]

cnc3game.Debug::PostStaticInit+14CE9F - 56                    - push esi

cnc3game.Debug::PostStaticInit+14CEA0 - 33 F6                 - xor esi,esi

cnc3game.Debug::PostStaticInit+14CEA2 - 2B C6                 - sub eax,esi

cnc3game.Debug::PostStaticInit+14CEA4 - 74 2B                 - je cnc3game.Debug::PostStaticInit+14CED1

cnc3game.Debug::PostStaticInit+14CEA6 - 48                    - dec eax

cnc3game.Debug::PostStaticInit+14CEA7 - 74 04                 - je cnc3game.Debug::PostStaticInit+14CEAD

...

cnc3game.Debug::PostStaticInit+14CEAD - 8B 49 20              - mov ecx,[ecx+20]

cnc3game.Debug::PostStaticInit+14CEB0 - 3B CE                 - cmp ecx,esi

cnc3game.Debug::PostStaticInit+14CEB2 - 74 19                 - je cnc3game.Debug::PostStaticInit+14CECD

...

cnc3game.Debug::PostStaticInit+14CECD - 8B C6                 - mov eax,esi

cnc3game.Debug::PostStaticInit+14CECF - 5E                    - pop esi

cnc3game.Debug::PostStaticInit+14CED0 - C3                    - ret

When loading squads the first "je" won't jump but the second will always, so the code reduces to:

cnc3game.Debug::PostStaticInit+14CEAD - 8B 49 20              - mov ecx,[ecx+20]

cnc3game.Debug::PostStaticInit+14CEB0 - 3B CE                 - cmp ecx,esi

cnc3game.Debug::PostStaticInit+14CEB2 - 74 19                 - je cnc3game.Debug::PostStaticInit+14CECD

...

cnc3game.Debug::PostStaticInit+14CECD - 8B C6                 - mov eax,esi

cnc3game.Debug::PostStaticInit+14CECF - 5E                    - pop esi

cnc3game.Debug::PostStaticInit+14CED0 - C3                    - ret

And here is the key part [ecx+20] always holds the ID of the transport (even after reloading a saved game, the ID doesn't change). If you start messing and you change this ID for another valid ID, the squad will change course to the new container but it won't enter to it physically (they will be in some sort of limbo).
Anyway in order to make the hack work we must make the jump from the third "je". This can be achieved by setting the ZF (zero flag) or by moving a zero to "ecx" before the comparison.
If that is done, the instructions afterwards will be:

cnc3game.Debug::PostStaticInit+14CEB2 - 74 19                 - je cnc3game.Debug::PostStaticInit+14CECD

cnc3game.Debug::PostStaticInit+14CECD - 8B C6                 - mov eax,esi

cnc3game.Debug::PostStaticInit+14CECF - 5E                    - pop esi

cnc3game.Debug::PostStaticInit+14CED0 - C3                    - ret

//Returns to the function that is not in the game loop

cnc3game.Debug::PostStaticInit+17C241 - 85 FF                 - test edi,edi

cnc3game.Debug::PostStaticInit+17C243 - 8B E8                 - mov ebp,eax

cnc3game.Debug::PostStaticInit+17C245 - 0F84 A5000000         - je cnc3game.Debug::PostStaticInit+17C2F0

cnc3game.Debug::PostStaticInit+17C24B - 85 ED                 - test ebp,ebp

cnc3game.Debug::PostStaticInit+17C24D - 0F84 9D000000         - je cnc3game.Debug::PostStaticInit+17C2F0

cnc3game.Debug::PostStaticInit+17C2F0 - 6A FE                 - push -02

cnc3game.Debug::PostStaticInit+17C2F2 - 58                    - pop eax

cnc3game.Debug::PostStaticInit+17C2F3 - 5F                    - pop edi

cnc3game.Debug::PostStaticInit+17C2F4 - 5E                    - pop esi

cnc3game.Debug::PostStaticInit+17C2F5 - 5D                    - pop ebp

cnc3game.Debug::PostStaticInit+17C2F6 - 5B                    - pop ebx

cnc3game.Debug::PostStaticInit+17C2F7 - C3                    - ret

//This will exit it quite fast and returns to the very beginning

cnc3game.Debug::PostStaticInit+14CE30 - 8B 4E 04              - mov ecx,[esi+04]

cnc3game.Debug::PostStaticInit+14CE33 - 85 C9                 - test ecx,ecx

...

And it will loop, but "eax" won't be 0x00A6F304 in "call dword ptr [eax+10]" (at least not for the same container unit) the immediately next time:

...

cnc3game.Debug::PostStaticInit+14CE19 - 74 07                 - je cnc3game.Debug::PostStaticInit+14CE22

cnc3game.Debug::PostStaticInit+14CE1B - 8B 01                 - mov eax,[ecx]

cnc3game.Debug::PostStaticInit+14CE1D - 6A 00                 - push 00

cnc3game.Debug::PostStaticInit+14CE1F - FF 50 14              - call dword ptr [eax+14]

cnc3game.Debug::PostStaticInit+14CE22 - 85 FF                 - test edi,edi

cnc3game.Debug::PostStaticInit+14CE24 - 89 7E 04              - mov [esi+04],edi

cnc3game.Debug::PostStaticInit+14CE27 - 74 38                 - je cnc3game.Debug::PostStaticInit+14CE61

cnc3game.Debug::PostStaticInit+14CE29 - 8B 07                 - mov eax,[edi]

cnc3game.Debug::PostStaticInit+14CE2B - 8B CF                 - mov ecx,edi

cnc3game.Debug::PostStaticInit+14CE2D - FF 50 10              - call dword ptr [eax+10]

cnc3game.Debug::PostStaticInit+14CE30 - 8B 4E 04              - mov ecx,[esi+04]

cnc3game.Debug::PostStaticInit+14CE33 - 85 C9                 - test ecx,ecx

...

However the container unit will be "fixed" (it seems permanently, but needs more testing), so the true fix is done by the game itself (after that "zero hack") between these two instructions:

cnc3game.Debug::PostStaticInit+14CE30 - 8B 4E 04              - mov ecx,[esi+04]

...

cnc3game.Debug::PostStaticInit+14CE2D - FF 50 10              - call dword ptr [eax+10]

For "eax" to be 0x00A6F304 for the same container unit in "call dword ptr [eax+10]", we will have to wait a "refresh screen", and that is why you can see a delay for the squads when entering to the container.

Ok, enough of theory, how do you solve it?

First you need two memory spaces. One for data and the other for the instructions. For improvised reasons my data memory space goes from/to:

cnc3game.dat+2D5F018 - 00 00                 - add [eax],al

cnc3game.dat+2D5F01A - 00 00                 - add [eax],al

...

cnc3game.dat+2D5F02D - 00 00                 - add [eax],al

And my code space goes from/to:

cnc3game.dat+2D5F0A8 - 8B 41 3C              - mov eax,[ecx+3C]

...

cnc3game.dat+2D5F0EF - C3                    - ret

Now once that is set, let's try to put the "zero". Since the function that needs the "zero" is in the game loop, it would be better not to touch it cuz it could break something else. So we will clone it in our code space like this:

cnc3game.dat+2D5F0A8 - 8B 41 3C              - mov eax,[ecx+3C]

cnc3game.dat+2D5F0AB - 56                    - push esi

cnc3game.dat+2D5F0AC - 31 F6                 - xor esi,esi

cnc3game.dat+2D5F0AE - 29 F0                 - sub eax,esi

cnc3game.dat+2D5F0B0 - 48                    - dec eax

cnc3game.dat+2D5F0B1 - 8B 49 20              - mov ecx,[ecx+20]

cnc3game.dat+2D5F0B4 - 39 0D 18F01503        - cmp [cnc3game.dat+2D5F018],ecx

cnc3game.dat+2D5F0BA - 74 0D                 - je cnc3game.dat+2D5F0C9

cnc3game.dat+2D5F0BC - 89 0D 18F01503        - mov [cnc3game.dat+2D5F018],ecx

cnc3game.dat+2D5F0C2 - B9 00000000           - mov ecx,00000000

cnc3game.dat+2D5F0C7 - EB 0A                 - jmp cnc3game.dat+2D5F0D3

cnc3game.dat+2D5F0C9 - C7 05 18F01503 00000000 - mov [cnc3game.dat+2D5F018],00000000

cnc3game.dat+2D5F0D3 - 51                    - push ecx

cnc3game.dat+2D5F0D4 - 8B 0D 4C53BE00        - mov ecx,[cnc3game.dat+7E534C]

cnc3game.dat+2D5F0DA - 81 C1 C0000000        - add ecx,000000C0

cnc3game.dat+2D5F0E0 - E8 6B1B6BFD           - call cnc3game.Debug::PostStaticInit+407492

cnc3game.dat+2D5F0E5 - 39 F0                 - cmp eax,esi

cnc3game.dat+2D5F0E7 - 74 03                 - je cnc3game.dat+2D5F0EC

cnc3game.dat+2D5F0E9 - 8B 70 08              - mov esi,[eax+08]

cnc3game.dat+2D5F0EC - 8B C6                 - mov eax,esi

cnc3game.dat+2D5F0EE - 5E                    - pop esi

cnc3game.dat+2D5F0EF - C3                    - ret

Where is the difference? Here:

cnc3game.dat+2D5F0B4 - 39 0D 18F01503        - cmp [cnc3game.dat+2D5F018],ecx

cnc3game.dat+2D5F0BA - 74 0D                 - je cnc3game.dat+2D5F0C9

cnc3game.dat+2D5F0BC - 89 0D 18F01503        - mov [cnc3game.dat+2D5F018],ecx

cnc3game.dat+2D5F0C2 - B9 00000000           - mov ecx,00000000

cnc3game.dat+2D5F0C7 - EB 0A                 - jmp cnc3game.dat+2D5F0D3

cnc3game.dat+2D5F0C9 - C7 05 18F01503 00000000 - mov [cnc3game.dat+2D5F018],00000000

What does it do? The 1st instruction compares the first 4 bytes of our data space (the first time is zero). The 2nd will jump to 2D5F0C9 if they are equal (this will only happen if the game already tried to load a squad to this container unit). The 3rd will save the new container ID into the first 4 bytes of our data space. The 4th will put the ZERO in ecx. The 5th will avoid the 6th. And finally the 6th will be executed only if the 2nd did the jump, meaning that the game is trying a second time to load a squad to the container and that's why the first 4 bytes of our data space should be clear.
Now we need that the game calls our function instead of the original, that is quite simple, we need to replace this:

cnc3game.Debug::PostStaticInit+17C23C - E8 5B0CFDFF           - call cnc3game.Debug::PostStaticInit+14CE9C

With this:

cnc3game.Debug::PostStaticInit+17C23C - E8 A996BD02           - call cnc3game.dat+2D5F0A8


And that's it. Now you have fixed the multi squad load on vehicles, but you added a "call for transport" glitch. This will be "solved" in the second part.
TO BE CONTINUED...

Edited by jvm


Second part (fixing the call for transport glitch):

Well if you think that the first part was dirty, wait to see what is done here. OMG, I don't know how this even works...

The problem with call for transport is that it won't try to load for a second time the unit into the container. So I decided to see what happens when you select 2 or more squads and press the "call for transport" button while all of them are selected. The result was quite exploitable...

If we recall the game loop that calls the function to load squads:

cnc3game.Debug::PostStaticInit+14CDE1 - 8B 44 24 04           - mov eax,[esp+04]

...

cnc3game.Debug::PostStaticInit+14CE19 - 74 07                 - je cnc3game.Debug::PostStaticInit+14CE22

cnc3game.Debug::PostStaticInit+14CE1B - 8B 01                 - mov eax,[ecx]

cnc3game.Debug::PostStaticInit+14CE1D - 6A 00                 - push 00

cnc3game.Debug::PostStaticInit+14CE1F - FF 50 14              - call dword ptr [eax+14]

cnc3game.Debug::PostStaticInit+14CE22 - 85 FF                 - test edi,edi

cnc3game.Debug::PostStaticInit+14CE24 - 89 7E 04              - mov [esi+04],edi

cnc3game.Debug::PostStaticInit+14CE27 - 74 38                 - je cnc3game.Debug::PostStaticInit+14CE61

cnc3game.Debug::PostStaticInit+14CE29 - 8B 07                 - mov eax,[edi]

cnc3game.Debug::PostStaticInit+14CE2B - 8B CF                 - mov ecx,edi

cnc3game.Debug::PostStaticInit+14CE2D - FF 50 10              - call dword ptr [eax+10]

cnc3game.Debug::PostStaticInit+14CE30 - 8B 4E 04              - mov ecx,[esi+04]

cnc3game.Debug::PostStaticInit+14CE33 - 85 C9                 - test ecx,ecx

...

cnc3game.Debug::PostStaticInit+14CE65 - C2 0400               - ret 0004

And the fact that "eax" has to be 0x00A6F304 at "call dword ptr [eax+10]", when you call for transport if you set a debug breakpoint (remember that we are on the game loop, so the first breakpoint should have special condition) at:

cnc3game_original.Debug::PostStaticInit+14CE2B - 8B CF                 - mov ecx,edi

You will see something like this with the value of EAX:

 

0x00A6F304
0x00A6DC84    // n times, with n being the number of members in the squad
...            // some other stuff
0x00A6F304
0x00A6DC84    // n times, with n being the number of members in the squad
...            // repeats as many times as "call for transport" was done

Dunno what exactly 0x00A6DC84 is for..., so I gambled and decided to make it simple. Why not replace one of these "0x00A6DC84" with another "0x00A6F304" to complete the dual call needed for the hack to work...

And I did it, and it works like a charm. I don't know why on earth it works or how it does..., but it does. It would be nice to know, however here I am just a gamer, not a professional (nobody is paying a sh.. for this), so for now we will have to accept this until I or someone else improves this solution.

Enough of experience talk, let's see how to do it. Again we will need two memory spaces. The data will be the same as the previous part:

cnc3game.dat+2D5F018 - 00 00                 - add [eax],al
cnc3game.dat+2D5F01A - 00 00                 - add [eax],al
...
cnc3game.dat+2D5F02D - 00 00                 - add [eax],al

Remember that we already used the first four bytes. Although the code space will be:

cnc3game.dat+2D5F0F0 - 0F84 29753FFD         - je cnc3game.Debug::PostStaticInit+14CE61
...
cnc3game.dat+2D5F139 - E9 AD743FFD           - jmp cnc3game.Debug::PostStaticInit+14CE2D

With that set, let's try to replace one of those "0x00A6DC84" with another "0x00A6F304". The big issue here is that we need to change a part of the game loop, so we will try to add few instructions here (otherwise we could get some performance issues). We will replace these:

cnc3game.Debug::PostStaticInit+14CE27 - 74 38                 - je cnc3game.Debug::PostStaticInit+14CE61
cnc3game.Debug::PostStaticInit+14CE29 - 8B 07                 - mov eax,[edi]
cnc3game.Debug::PostStaticInit+14CE2B - 8B CF                 - mov ecx,edi

With these:

cnc3game.Debug::PostStaticInit+14CE27 - E9 068BC002           - jmp cnc3game.dat+2D5F0F0

cnc3game.Debug::PostStaticInit+14CE2C - 90                    - nop

Now we move to "cnc3game.dat+2D5F0F0" and write the following:

cnc3game.dat+2D5F0F0 - 0F84 29753FFD         - je cnc3game.Debug::PostStaticInit+14CE61

cnc3game.dat+2D5F0F6 - 8B 07                 - mov eax,[edi]

cnc3game.dat+2D5F0F8 - 8B CF                 - mov ecx,edi

cnc3game.dat+2D5F0FA - 3D 04F3A600           - cmp eax,00A6F304

cnc3game.dat+2D5F0FF - 75 12                 - jne cnc3game.dat+2D5F113

cnc3game.dat+2D5F101 - 89 3D 1CF01503        - mov [cnc3game.dat+2D5F01C],edi

cnc3game.dat+2D5F107 - 89 1D 20F01503        - mov [cnc3game.dat+2D5F020],ebx

cnc3game.dat+2D5F10D - 89 15 24F01503        - mov [cnc3game.dat+2D5F024],edx

cnc3game.dat+2D5F113 - 83 3D 18F01503 00     - cmp dword ptr [cnc3game.dat+2D5F018],00

cnc3game.dat+2D5F11A - 0F84 CB743FFD         - je cnc3game.Debug::PostStaticInit+14CE2D

cnc3game.dat+2D5F120 - 8B 3D 1CF01503        - mov edi,[cnc3game.dat+2D5F01C]

cnc3game.dat+2D5F126 - 89 7E 04              - mov [esi+04],edi

cnc3game.dat+2D5F129 - 8B 07                 - mov eax,[edi]

cnc3game.dat+2D5F12B - 8B CF                 - mov ecx,edi

cnc3game.dat+2D5F12D - 8B 1D 20F01503        - mov ebx,[cnc3game.dat+2D5F020]

cnc3game.dat+2D5F133 - 8B 15 24F01503        - mov edx,[cnc3game.dat+2D5F024]

cnc3game.dat+2D5F139 - E9 AD743FFD           - jmp cnc3game.Debug::PostStaticInit+14CE2D

What's new:

cnc3game.dat+2D5F0FA - 3D 04F3A600           - cmp eax,00A6F304

cnc3game.dat+2D5F0FF - 75 12                 - jne cnc3game.dat+2D5F113

So why compare eax with "0x00A6F304"? Cuz if the game wants to load a squad we will need to back up some registers in our data bank in order to make the second call with "0x00A6F304". Then, the back up:

cnc3game.dat+2D5F101 - 89 3D 1CF01503        - mov [cnc3game.dat+2D5F01C],edi

cnc3game.dat+2D5F107 - 89 1D 20F01503        - mov [cnc3game.dat+2D5F020],ebx

cnc3game.dat+2D5F10D - 89 15 24F01503        - mov [cnc3game.dat+2D5F024],edx

Next it is time to check if there was a first call (so we check the first four bytes in our data):

cnc3game.dat+2D5F113 - 83 3D 18F01503 00     - cmp dword ptr [cnc3game.dat+2D5F018],00

cnc3game.dat+2D5F11A - 0F84 CB743FFD         - je cnc3game.Debug::PostStaticInit+14CE2D

If not, keep the game routine; else read the back up and prepare to make the second call with "0x00A6F304":

cnc3game.dat+2D5F120 - 8B 3D 1CF01503        - mov edi,[cnc3game.dat+2D5F01C]

cnc3game.dat+2D5F126 - 89 7E 04              - mov [esi+04],edi

cnc3game.dat+2D5F129 - 8B 07                 - mov eax,[edi]

cnc3game.dat+2D5F12B - 8B CF                 - mov ecx,edi

cnc3game.dat+2D5F12D - 8B 1D 20F01503        - mov ebx,[cnc3game.dat+2D5F020]

cnc3game.dat+2D5F133 - 8B 15 24F01503        - mov edx,[cnc3game.dat+2D5F024]

cnc3game.dat+2D5F139 - E9 AD743FFD           - jmp cnc3game.Debug::PostStaticInit+14CE2D


Finally you have fixed the multi squad load on vehicles, without adding any issue. However the worst is about to come, the unholy camera mod. Now it will get really ugly...
TO BE CONTINUED (but not here since it doesn't relate with the topic)...

Edited by jvm
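
The two walkthroughs above (the redirected call in the first part, the jmp into the code cave in the second) and the earlier advice that call and jmp values change when the cave moves all come down to how x86 relative branches are encoded. The Python check below is an added example, not code from the thread: it decodes every relative branch quoted in the two posts, confirms each one lands on the target the listing shows, and re-encodes one for a different address. The function names are this example's own; the PostStaticInit offset and the image base are not stated in the thread and are derived here from the posted bytes.

```python
import struct

# Relative branches copied from the disassembly in the two posts above:
# (symbol, offset) of the instruction, its bytes, (symbol, offset) of the
# target the listing shows.
# "ps" = cnc3game.Debug::PostStaticInit, "dat" = cnc3game.dat (module base).
BRANCHES = [
    (("ps", 0x17C23C), "E8 5B 0C FD FF", ("ps", 0x14CE9C)),     # original call
    (("ps", 0x17C23C), "E8 A9 96 BD 02", ("dat", 0x2D5F0A8)),   # call redirected to the clone
    (("dat", 0x2D5F0BA), "74 0D", ("dat", 0x2D5F0C9)),
    (("dat", 0x2D5F0C7), "EB 0A", ("dat", 0x2D5F0D3)),
    (("dat", 0x2D5F0E0), "E8 6B 1B 6B FD", ("ps", 0x407492)),
    (("dat", 0x2D5F0E7), "74 03", ("dat", 0x2D5F0EC)),
    (("ps", 0x14CE27), "74 38", ("ps", 0x14CE61)),              # original je
    (("ps", 0x14CE27), "E9 06 8B C0 02", ("dat", 0x2D5F0F0)),   # jmp into the cave
    (("dat", 0x2D5F0F0), "0F 84 29 75 3F FD", ("ps", 0x14CE61)),
    (("dat", 0x2D5F0FF), "75 12", ("dat", 0x2D5F113)),
    (("dat", 0x2D5F11A), "0F 84 CB 74 3F FD", ("ps", 0x14CE2D)),
    (("dat", 0x2D5F139), "E9 AD 74 3F FD", ("ps", 0x14CE2D)),
]


def decode_branch(code, addr):
    """Decode one x86-32 relative branch located at addr; return (length, target)."""
    if code[0] in (0xE8, 0xE9):                          # call rel32 / jmp rel32
        length, disp = 5, struct.unpack_from("<i", code, 1)[0]
    elif code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:    # jcc rel32
        length, disp = 6, struct.unpack_from("<i", code, 2)[0]
    elif code[0] == 0xEB or 0x70 <= code[0] <= 0x7F:     # jmp rel8 / jcc rel8
        length, disp = 2, struct.unpack_from("<b", code, 1)[0]
    else:
        raise ValueError("not a relative branch: " + code.hex())
    # The displacement is counted from the end of the instruction.
    return length, addr + length + disp


def encode_rel32(opcode, addr, target):
    """Assemble opcode + rel32 so that a branch placed at addr lands on target."""
    disp = target - (addr + len(opcode) + 4)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return opcode + struct.pack("<i", disp)


def retarget(code, old_addr, new_addr):
    """Re-encode a rel32 branch moved from old_addr to new_addr, keeping its target."""
    length, target = decode_branch(code, old_addr)
    if length == 2:
        raise ValueError("rel8 branch: check the 8-bit range by hand")
    return encode_rel32(code[:length - 4], new_addr, target)


def derive_ps_offset():
    """Offset of PostStaticInit from the module base, solved from the redirected
    call: it sits at ps+17C23C and its listing target is cnc3game.dat+2D5F0A8."""
    (_, off), code, (_, target) = BRANCHES[1]
    _, rel = decode_branch(bytes.fromhex(code), 0)       # rel = length + displacement
    return target - off - rel


def audit():
    """Return the branches whose bytes do not land on the target shown in the post."""
    base = {"dat": 0, "ps": derive_ps_offset()}
    bad = []
    for (sym, off), code, (tsym, toff) in BRANCHES:
        _, target = decode_branch(bytes.fromhex(code), base[sym] + off)
        if target != base[tsym] + toff:
            bad.append((sym, hex(off), code))
    return bad


def implied_image_base():
    """The cave code also uses absolute operands: the bytes 18 F0 15 03 are
    listed as cnc3game.dat+2D5F018, which fixes the load address it expects."""
    return struct.unpack("<I", bytes.fromhex("18F01503"))[0] - 0x2D5F018


if __name__ == "__main__":
    print("PostStaticInit = cnc3game.dat+%X" % derive_ps_offset())
    print("mismatching branches:", audit())
    print("load address assumed by absolute operands: 0x%X" % implied_image_base())
    moved = retarget(bytes.fromhex("E86B1B6BFD"), 0x2D5F0E0, 0x2D5F0F0)
    print("same call placed 0x10 bytes later:", moved.hex())
```

An empty mismatch list means all twelve quoted branches are mutually consistent; the absolute operands, unlike the branches, are only valid when the module is loaded at the address `implied_image_base()` returns.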


Well, does it mean 2 more squads could enter and exit correctly? If so, could you send it to me? Many thanks.


Is it for TW?

 

In KW SDK I never had such an issue and could add as many squads as I wanted and let them out the same way or just add an ability. I still could let 6 squads get out from the 4 slots lol; a new squad will replace the one that gets out.


I was hoping for a recent modified cnc3.dat that has a fix on squads with one additional thing possible, a no-dvd in the optical drive. (but that would be illegal btw)

Edited by zocom7

