FF8 EXE - Debug/Empty Section & Battle Results section

[Sega Chief]

Hi all,

Is there a handy tract of space in the FF8 exe for new code that can be used? I know there's a debug section of sorts in there somewhere, but for FF7's exe a similar region needed to have read/write permissions re-enabled before it could be used.

If anyone's interested in what it's for, I'm planning to try and write something that restricts Limit Breaks to 4 uses per battle (across party) with the first being Crisis Level 4, then decrementing each time until it hits 0 and 'locks' the use of Limits for the rest of the battle. I'm going to put a jump to it where the check for crisis level 4 is (49431E).

As for resetting the counter, I'm a little less sure of where to put it but was thinking the battle results screen as even when escaping that screen tends to come up. Does anyone know where that section starts from?

 

[makipl]

You are looking for so-called "code caves". Quick scan for memory in runtime yelds these adresses of at least 64 bytes of memory padding that you can use for code injection:

Code: [Select]

0040029800403A3000469548004823FB00484C23004873840048A25C0048A2FE0048E4A900491267004913CF004B3AD7004B5761004CAB0A00505E51005062550050A7130056AAF300667B1000670E38006757F8006E5F39008454C100B68783

These are applicable for FF8 2000 PC release with 1.1 patch. There's no big difference in Steam version for that.
In future you can use Cheat Engine>Memory View>Tools>Scan for code caves

As for resetting the counter, I'm a little less sure of where to put it but was thinking the battle results screen as even when escaping that screen tends to come up. Does anyone know where that section starts from?

The easiest what comes to my mind is checking if engine_state == 8 (this is battle mode). If not, then reset counter, if yes, then ignore. Anyway, here are the main function to note:
FFBattleInitSystem (called from FFModuleHandler and FFBattleTransitionModule)- it's at 0047CE00 (0007CE00). More specifically:

Code: [Select]

FFBattleInitSystem+1E   66 83 3D C6 8F CD 01 08                 cmp     _StateGlobal, 8

where _stateGlobal (global variable) is at 01CD8FC6 in .data in-memory

There's also:
FFBattleExitSystem called from FFModuleHandler and FFBattleTransitionModule that sets previous renderer screen-space and is located at:
0x0047CEE0 (0x0007CEE0)

@edit
About the R/W, it's true, but only if you need to store some local. Here are some 64 bytes regions with R/W: (but use them rather for storing what you need instead of code)
Code: [Select]

00B6D0A8 <- I recommend this one, it's section between imports for PE and strings that are allocated on 256 bytes00B6D1B200B6D2B700B6D3C100B6D4BE00B6D5C400B6D6C700B7691800B7CDA8 00B7CF1300B7D10B00B7D18B00B7D20B00B7D2A700B7D50700B7D6A700B7D71300B7D90B00B7D98B00B7DA0B00B7DC2300B7DE1B00B7DE9B00B7DF1B00B8A53B00B8B3A700B8C1F300B8C2F700B8C3FB00B8C51400B8C61800B8C71C00B8C83200B8C93600B8CA3A00B8CB5300B8CC5700B8CD5B00B8CE7300B8CF7700B8D07B00B8D19200B8D29600B8D39A00B8DCCA00B96EE400B976AF00B9788500B97A0500B97B8500B97DA400B97F2500B980A500B9822500B9856300B986E300B9888E00B98A0F00B98B8F00B98D0F00B98E8F00B9A50D

 

[Sega Chief]

.

All right, I'll have a go with this over the next few days; thanks for the info.