Dumping Native Functions


projectmercy

Has anyone decompiled any of the native libs for the game? I'm trying to find some visibility into UXGAbility_Targeted::execCalcHitChance(), UXGAbility_Targeted::execCalcCriticalChance() and the perk array functions that go with it. While I can just throw numbers at the outgoing result, it would be a more tedious trial and error method to do it. I know Long War has fixed a few issues by just adjusting the values on the way in/out of those functions, so it made me wonder if anyone had already done the heavy lifting.

Thanks for any info,

PM


I've done a little bit when trying to figure out some of the stuff related to how the native functions build the list of available voice packs. It's quite a bit more difficult than regular uscript modding, though. You need a solid understanding of the x86 instruction set and what compiled C++ code looks like. And statically analyzing the binary is extremely difficult because of all the virtual function calls; the only non-hair-pulling way to do it is likely to step through it in a debugger.

As a quick starting point, I did this:

- Used the free version of IDA Pro to analyze xcomew.exe. Build the list of strings - be sure to include unicode strings - and search for XGAbility_TargetedexecCalcHitChance. There is a string AXGAbility_TargetedexecCalcHitChance, referenced by what appears to be a big table of string function names to function pointers. But I don't think this is what is used at runtime - after starting the game and attaching a debugger a breakpoint to that function was never hit. I suspect this is a data structure used during engine initialization to build up the mappings of native function entry points to their actual code and is not used again after initialization. However, there is also an assertion/error string they left in: "AXGAbility_Targeted::CalcHitChance: Tried to call when Role < ROLE_Authority, returning -1. Ability=%s, AbilityID=%d, AbilityType=%d.". This is referenced from one function, and you can get the function disassembly from there. You can also work backwards from that string to find the printf-style arguments passed in to find the ability id and type. IDA cross-references FTW.

- IDA reports this function starts at offset 836F30, and the module has a base offset of 400000. Subtracting the two gives a relative offset of 436F30 to the function entry point.

- Ran the game and attached WinDbg to the running process. Use lm to get the list of modules and find the memory range for XComEW.exe. Add 436F30 to the start address to find the in-memory address of the function. Disassembled that location and verified it was the same disassembly as I was looking at in IDA. Great, I've located the function in memory. Set a breakpoint there and continue.

- In game I teleported a soldier with TeleportToCursor. After showing up at the new tile the breakpoint was hit a number of times. I just continued execution each time and eventually the game returned to a main loop and I regained control. (BTW, if you only have one monitor, run the game in windowed mode with mouse unlocked so you can easily step through/continue in the debugger without having fullscreen issues in the game)

I didn't step through the function itself, but that will likely get you in the neighborhood.

Edited by tracktwo
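The IDA-offset-to-breakpoint arithmetic from the post above, as an added Python helper that is not from this thread or from any of the posters: it takes the address IDA shows and IDA's assumed image base, computes the relative offset, reads the module's actual load address out of WinDbg `lm` output, and produces the `u`/`bp` commands to verify and break on the function. The `lm` sample below is constructed, and XComEW is assumed to have been loaded at a base other than 0x400000, which is exactly the case the subtraction step protects against.

```python
import re

# Constructed sample of WinDbg `lm` output (not captured from a real session).
# The module load addresses here are made up; XComEW is deliberately shown
# at a base other than IDA's default 0x400000.
SAMPLE_LM_OUTPUT = """\
start    end        module name
00b60000 014ba000   XComEW     (deferred)
77a10000 77b8c000   ntdll      (pdb symbols)
"""

IDA_IMAGE_BASE = 0x400000  # base IDA assumed when it showed 0x836F30


def rva_from_ida(ida_address: int, ida_image_base: int = IDA_IMAGE_BASE) -> int:
    """Relative offset = address shown by IDA minus the image base IDA assumed."""
    if ida_address < ida_image_base:
        raise ValueError("address lies below the assumed image base")
    return ida_address - ida_image_base


def module_base_from_lm(lm_output: str, module_name: str) -> int:
    """Return the start address of `module_name` from `lm` output (hex, no 0x)."""
    row = re.compile(r"^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)", re.MULTILINE)
    for start, _end, name in row.findall(lm_output):
        if name.lower() == module_name.lower():
            return int(start, 16)
    raise LookupError(f"{module_name} not present in lm output")


def runtime_address(lm_output: str, module_name: str, ida_address: int,
                    ida_image_base: int = IDA_IMAGE_BASE) -> int:
    """In-memory address = actual module base + relative offset from IDA."""
    return module_base_from_lm(lm_output, module_name) + rva_from_ida(
        ida_address, ida_image_base)


def windbg_commands(address: int) -> list:
    """Disassemble to compare against IDA, then set the breakpoint and resume."""
    return [f"u {address:08x} L10", f"bp {address:08x}", "g"]


if __name__ == "__main__":
    target = runtime_address(SAMPLE_LM_OUTPUT, "XComEW", 0x836F30)
    print(f"relative offset: {rva_from_ida(0x836F30):x}")
    print(f"runtime address: {target:08x}")
    print("\n".join(windbg_commands(target)))
```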

Thanks for looking into it, Tracktwo. I'm not super interested in trying to decompile it at this point, as I have other options (just reverse engineering it via logs in the UE script). If someone had actually dumped them previously I wouldn't mind leveraging their work; but I'm far too lazy to do it myself. If I run into a place I can't do that though, it's nice to have this info to get me going.

Thanks,

PM
