Amineri Posted March 20, 2013 Share Posted March 20, 2013 (edited) Okay, so the title is a little confusing. But I learned a new trick today. I was trying to call a function called ItemIsAccessory, which is defined in XcomGame.upk (in XGTacticalCore), but is never called in that upk. It is called in XcomStrategyGame.upk, but the call ID is not the same. So here is the trick I figured out. The call ID used is based on the position of the function name in a big alphabetical list of all function names in the entire upk. Here's what I did:1) In UE Explorer, I found another function name that was close to mine (close in alphabetical order). In this case it was ItemIsWeapon. This function is called, and had call ID 1B F9 3E 00 00 00 00 00 00 38. 2) Go to the "Tables" tab in UE explorer, and scroll down until you find your two function names. In my case, the list read:...ItemIdxItemIsAccessory <---ItemIsArmorItemIsShipWeaponItemIsWeapon <---ItemNameiTemp... 3) Since ItemIsAccessory is 3 positions above ItemIsWeapon, its call ID is three lower. The 1B token doesn't count here, it starts with the address after that. I'll list a few so you can see:1B F6 3E 00 00 00 00 00 00 38 -- ItemIsAccessory1B F7 3E 00 00 00 00 00 00 38 -- ItemIsArmor1B F8 3E 00 00 00 00 00 00 38 -- ItemIsShipWeapon1B F9 3E 00 00 00 00 00 00 38 -- ItemIsWeapon <-- started counting from here Super snazzy, I think ^_^ Edited March 20, 2013 by Amineri Link to comment Share on other sites More sharing options...
Yzaxtol Posted March 20, 2013 Share Posted March 20, 2013 It's all greek to me, but Good Job, it sounds like an awesome discovery. Link to comment Share on other sites More sharing options...
anUser Posted March 20, 2013 Share Posted March 20, 2013 Bravissimo!! Great finding!Time to start making a list of usless functions to gather up space for useful stuff.I'm looking forward to see an implementation of it removing grenades after use I wonder if variables are stored in a similar way, and if this finding could lead to the creation of new object or function local variables.Also it'd be great if this list can be extracted somehow so we know it's hex representation beforehand. Does UE Explorer tell that? Link to comment Share on other sites More sharing options...
Amineri Posted March 20, 2013 Author Share Posted March 20, 2013 @anUser Unfortunately, as best I can tell UE Explorer does not display the reference value to the class methods and variables (although it must surely have them internally in order to decompile). Perhaps it is in a place that I haven't seen, or perhaps a future version will let us see it. Link to comment Share on other sites More sharing options...
EliotVU Posted March 20, 2013 Share Posted March 20, 2013 @anUser Unfortunately, as best I can tell UE Explorer does not display the reference value to the class methods and variables (although it must surely have them internally in order to decompile). Perhaps it is in a place that I haven't seen, or perhaps a future version will let us see it.It does: 0x00000000 : CharToCorpse :UFunction => CharToCorpse(72) 0x00000000 : ExportSize :Int32 => 230 0x00000000 : NetIndex :UIntProperty => iChar(71) 0x00000004 : NameIndex :String => None 0x0000000C : NextField :UScriptStruct => XGUnitVisibilityInformation(69) Super ScriptText 0x00000018 : Children :UIntProperty => iChar(71) CppText 0x00000020 : Line :UInt32 => 1712 0x00000024 : TextPos :UInt32 => 41209 0x00000028 : ByteScriptSize :Int32 => 179 0x0000002C : DataScriptSize :Int32 => 167 0x000000D7 : NativeToken :UInt16 => 0 0x000000D7 : OperPrecedence :Byte => 0 0x000000DA : FunctionFlags :FunctionFlags => Defined, Static, Public 0x000000DE : FriendlyNameIndex :UNameTableItem => CharToCorpse This is the structure of function CharToCorpse. If you look at "Children" you'll see that it points to iChar which is an UIntProperty, this is one of the local/parameter of that function, when you look at iChar you should then look at "NextField" which is the next local/parameter of the function until it points to "None". Link to comment Share on other sites More sharing options...
Amineri Posted March 20, 2013 Author Share Posted March 20, 2013 Sorry if I'm being dense, but I feel as though I am missing something. With your example ChartoCorpse(), defined in XGGameData(). It is not neccessarily that I want to see the local parameters of that function (although that would be useful at times, to be sure). My thing is ... suppose I want to call CharToCorpse() from somewhere (XCOM has set up some replication info functions to allow access across classes and even upks ... not sure if this is standard programming practice for the Unreal Engine). Currently, the only way I know of finding the hex reference to CharToCorpse() is to find some other place it is called. For CharToCorpse, it is called in XGSummaryUI().CollectArtifactsFromDeadAliens(). The decompiled call is eCaptive = class'XGGameData'.static.CharToCaptive(byte(kAlien.GetCharacter().m_kChar.iType)); Looking through the hex buffer, I find that the hex reference for CharToCorpse() is (1B) 21 10 00 00 00 00 00 00. This is what allows me to build another call. Looking through the UE Explorer UI, the only other place I see that reference is in the Buffer/TableBuffer here: Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 98 FE FF FF 00 00 00 00 B2 00 00 00 21 10 00 00 . . . . . . . . . . . . ! . . .00000010 00 00 00 00 00 00 00 00 00 00 00 00 04 00 07 00 . . . . . . . . . . . . . . . .00000020 E6 00 00 00 75 58 46 00 00 00 00 00 00 00 00 00 . . . . u X F . . . . . . . . .Is this what you referenced above, or is there another place that this information is accessible? This would be particularly handy for a function like ItemIsShipWeapon(), defined in XGTacticalGameCore(). ItemIsShipWeapon is defined but never called (well, it is called in XcomStrategyGame.upk, but pretend for a minute ...). Functions like this are handy because they can be rewritten to add new functionality, but it can be tricky figuring out what the hex reference is so that they can be called. To give an idea of how I'm using this -- the most complicated call I've had to cobble together from pieces of other calls (so far) is:STORAGE().RemoveItem(kSoldier.m_kChar.kInventory.arrLargeItems[0]);which ended up as a 71 byte hex chunk. I absolutely couldn't make the modlets I'm making without UE Explorer ... I'm just trying to figure out how to use it better. Any tips in this area would be very much appreciated. Link to comment Share on other sites More sharing options...
EliotVU Posted March 20, 2013 Share Posted March 20, 2013 (edited) 0x00000000 : CharToCorpse :UFunction => CharToCorpse(72) 0x00000000 : ExportSize :Int32 => 230 0x00000000 : NetIndex :UIntProperty => iChar(71) You could just look at the first 4 bytes of the object you want the index of. The first 4 bytes represent the NetIndex variable which usually points to what came before it, like in the above example CharToCorpse is index 72 and the NetIndex is 71 if you increment by one you get the index 72. This may differ from engine version but works like described most of the times. Edited March 20, 2013 by EliotVU Link to comment Share on other sites More sharing options...
anUser Posted March 20, 2013 Share Posted March 20, 2013 I'm still failing to see how can I get the hex code for a function call given that I only knew function's name, class and package, without actually having to find a call to that function within some other function and then copy-pasting it's hex representation. Hence that I asked for that list UE Explorer seems to use internally, actually I'm asking for the shortest/fastest way from point A) I've got a function name, to point B) I've got the hex code to call that function. I think there has been some missunderstanding, I hope this makes it clear. If what I'm asking has already been answered and the missunderstanding is mine then I beg you excuse me, for I totaly fail to understand it. Link to comment Share on other sites More sharing options...
Recommended Posts