[Help] Batman Arkham City - Call Unrealscript Function with Params
I've done my research of what to call but I lack the know-how to pull it off.
I want to try local co-op by spawning in another player controller. Problem is this stuff is locked down tight, even with the cheat engine tools to enable the console command (found on fearless revolution Batman Arkham City - Enable Console/Commands), the one command I really wanted was stripped out: DebugCreatePlayer 1
Now, that particular function calls a very important unrealscript function that wasn't stripped out of the game:
Engine.GameViewportClient
--> event LocalPlayer CreatePlayer(int ControllerId, out string Error, bool bSpawnActor)
I don't care about the string or what it returns or even what the function returns, I just need to call the unrealscript "event" CreatePlayer and pass the correct params:
CreatePlayer(1, "", TRUE);
OR more likely
CreatePlayer(1, pointerToEmptyString, TRUE);
Because that will create player 2 for me. The rest of the game logic should spawn in this player 2 the very same way calling DebugCreatePlayer works.
That's what I need to call and with those parameters.
Note: There is a child class that may (or may not) need to be targeted to invoke the function instead:
BmGame.RGameViewportClient
The instance of the class should exist in-game which is when I'd try to invoke the function.
Any help is greatly appreciated!
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
So I've been trying to follow along tutorials by Sunbeam.
Currently I've got the game running... then enabled the "GNames & GObjects Dumper" ... then when in game and playing as batman pressed forward slash next to numpad to get it to dump correct files.
Found files in C:\Program Files (x86)\Steam\steamapps\common\Batman Arkham City GOTY\Binaries\Win32
Opened in Notepad++
Now I searched (Ctrl+F) for GameViewport and clicked Find All in Current Document.
I see a few things inside ObjectsDump.txt, specifically:
Code:
UObject[019949] CreatePlayer 0x18C1A0A0 ( Function Engine.GameViewportClient.CreatePlayer )
UObject[019950] InsertIndex 0x18C250E0 ( IntProperty GameViewportClient.CreatePlayer.InsertIndex )
UObject[019951] NewPlayer 0x18C25140 ( ObjectProperty GameViewportClient.CreatePlayer.NewPlayer )
UObject[019952] ReturnValue 0x18C251A0 ( ObjectProperty GameViewportClient.CreatePlayer.ReturnValue )
UObject[019953] bSpawnActor 0x18C25200 ( BoolProperty GameViewportClient.CreatePlayer.bSpawnActor )
UObject[019954] OutError 0x18C25260 ( StrProperty GameViewportClient.CreatePlayer.OutError )
UObject[019955] ControllerId 0x18C252C0 ( IntProperty GameViewportClient.CreatePlayer.ControllerId )
I'm really proud of myself for getting this far!
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
So I've been reading a bunch of things from Made by Sunbeam and among them was the Unrealscript Byte Code Table
And I noticed the hex byte code for the out parameter was 48.
And that 16 is the EndFunctionParms ) which seems to tell it to stop looking for more parameters for this function call....
That 2A is None (UnrealScript's equivalent of NULL)
That 04 is where it signals to Return what comes after.
And that 53 signals EndOfScript (I assume exit function)
I'd prefer a way to just force the game to run the specified function without altering existing functions and their byte code.... but maybe that's not an option ??? I honestly don't know at this point and really need some help from the gurus.
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Well I'm stuck, I was following multiple tutorials by SunBeam and can't replicate finding toggling on and off GodMode. I assume the Offset would be 0x40 like Transformers War for Cybertron but unsure as when I enter god into the console command to toggle it on and off, nothing appears to change....
Notes:
Commands
god
getall BmGame.RPlayerController bGodMode
In Cheat Engine go to Memory Viewer
In memory viewer -> Ctrl+G to Go To Address for bGodMode
But I'm encountering too much trouble.... and too much frustration from my own ignorance.
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
So it seems the offset when looking at BoolProperty in MemoryViewer is 0x3E ... I was experimenting further with bGodMode and it appears I hit the jackpot with [Display Type -> 2 Byte Hex] then found "01C0".... The value of the bGodMode is either false at 09 or true at 0B .... when I applied these values in Cheat Engine I could confirm via `getall BmGame.RPlayerController bGodMode` the value would change between true and false.. didn't seem to matter if I had the box checked or not..... also addresses are 4 bytes not 8 in the dump so important to remember that too.
Additionally it seems I could narrow it down further by using the binary type with a length of 1 and a startbit of 1. So the value would be 0 (false) or 1 (true) for godmode. Again didn't matter if I checked the box or not it'd be applied.
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Omg this is almost EXACTLY the kind of thing I'm looking for!!!
I'll need to think about this a bit more to see if it's viable for calling a function with the parameters I mentioned earlier....
SunBeam wrote: ↑Wed May 01, 2019 12:30 am
Although everything is not native anymore, the UObjects (UFunctions, etc.) got cooked. Even if UE Explorer can't deserialize properly, I was able to find "Console.Open.InputKey" and "Console.Typing.InputKey" UFunctions. Hot-patching the FName_Index in the bytecode allowed me to use the Console without anymore "say"-ing
Since there wasn't any update in effect and everyone has the same files, here's the way to do it:
Code:
1B 83 6E 00 00 00 00 00 00 00
^ Scan for that as "Array of byte". You'll find 2 occurrences. Change both to:
Code:
1B 5F 46 00 00 00 00 00 00 00
In case you're wondering WTF we just did.. well, we swapped the FName_Index in the bytecode for the 2 functions so instead of executing "Engine.Console.ShippingConsoleCommand" UFunction (with id 0x6E83), the Console will run "Engine.Console.ConsoleCommand" UFunction (whose id is 0x465F). The base function just runs Console commands; doesn't do any "say"
EDIT: Installing BioShock Infinite for a quick revisit. Wanna see if the Console is really in or not
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Looking at PC BmGame.upk in UE Explorer at some class object properties... I can see script offset for classes like GameViewportClient is 0x40 and variables seem to show some things....
Taking a look at the properties of GameViewportClient.CreatePlayer function itself inside Engine ....
Class=Function(-26)
ScriptOffset=0x42
Default=CreatePlayer(14144)
ExportTable=CreatePlayer(141431)
Outer=GameViewportClient(14238)
Locals (The Params I need to adjust)
- int - UProperty - ControllerId(14143)
- string - OutError(14142)
- bool - UProperty - bSpawnActor(14141)
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Ok, so fantastic news, it appears I can uncompress Engine.upk via Gildors Decompressor and then the game can actually load that, plus it doesn't appear to be checked in the BatmanAC.exe for hash.....
And after searching very carefully in UE Explorer I could open up the decompressed Batman AC Engine.upk file, go to the CreateInitialPlayer function itself in the tree view, then right click CreateInitialPlayer -> View Disassembled Tokens .... then scroll to byte code near end of CreateInitialPlayer:
1C 40 37 00 00 25 48 55 37 00 00 28 16
CreatePlayer(0, OutError, false)
And then with the knowledge of swapping certain bytes from that xcom unrealscript code table I should get:
BATMAN AC
1C 40 37 00 00 26 48 55 37 00 00 27 16
CreatePlayer(1, OutError, true)
I just need to inject this hex into a certain place, probably right after creating player 1.
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Well, it does appear to check something..... damn, I really thought I had it.... well, it does appear I could mess with the final exec function ClearProgressMessages() in cheat engine like how that one Kena function got overridden
Then I could call `ClearProgressMessages` function in the console.... still going to see if I can get away with it the altered Engine.upk way.
SunBeam wrote: ↑Thu Sep 23, 2021 9:10 am
Added a script that kills the timed abort UFunction (makes it return nothing) for a challenge encounter:
Challenge Timer: Kill Encounter Timed Abort
The script will use a wrapper I wrote for the internal StaticFindObject function to retrieve the address of an UFunction:
Code:
Function BP_WaveManager_Curse_Base.BP_WaveManager_Curse_Base_C:Timed Abort Encounter
This UFunction executes compiled UnrealScript bytecode. The compiled script is at offset 0x60 from the function address. What I did in there was to patch the start of the bytecode to these bytes: 04 0B 53. What these bytes translate to: https://wiki.fearlessrevolution.com/ind ... Code_Table.
04 = Return
0B = Nothing
53 = EndOfScript
So now.. when the timer hits 00:00, the challenge itself won't die. The only success condition now becomes reaching the goal (e.g.: killing 15 enemies).
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Ok, so it appears I can alter Engine.upk as long as I don't add or remove bytes, just override.... this works for me since ClearProgressMessages should have enough bytes for me to quit it early... so if I find that particular function address and then insert that string variable and then that create player 1 code, then do the return nothing [04 0B] ... not sure if I need the end script or not, seems like 0B does the trick.....
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
I searched for
Code:
0F 00 53 37 00 00 25
Which represents ControllerId = 0 (near the start of the CreateInitialPlayer function)
Then began altering hex after it, starting at [Offset 350D6D], with the following:
Code:
14 2D 00 51 37 00 00 77 1C 40 37 00 00 00 53 37 00 00 48 55 37 00 00 28 16 2A 16
1C 40 37 00 00 26 48 55 37 00 00 27 16
04 2D 00 51 37 00 00
04 3A 54 37 00 00
53
This should translate to:
Code:
bResult = CreatePlayer(ControllerId, OutError, false) != none
CreatePlayer(1, OutError, true)
return bResult
return ReturnValue
[EndScript]
Which hopefully will do just that.
Edit: It failed, game error with Bad import index.... Well crap... maybe I have to start up the game then add in this hex in cheat engine.... very rough.
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Alright, new plan, the code does seem to allow me to just gently modify CreateInitialPlayer()......
So I'm going to change a few lines like bFoundInitialGamepad = true; will become bFoundInitialGamepad = false;
Then later for ControllerId = 0; I'll change it to ControllerId = 1;
This should allow it to create player 1 and player 2.
The offsets in decompressed Engine.upk are:
350D95 --> bFoundInitialGamepad = true
350DDD --> ControllerId = 0
And the values I need to swap will be true(27) with false(28) and IntZero (25) with IntOne (26)
So values must be changed at certain offsets:
350D9C --> 28
350DE3 --> 26
Should I be correct about this.... the scenario will be if both controllers are connected, this should make 2 players. Additionally I will assume this won't throw an error when booting up the game.
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
That actually worked.... however player 2 is not using their own camera, both players are using player 1 camera.....
To try to fix this I'll alter 350E66 to be true (27) so second player is spawned (I assume this will take care of it)
Additionally to get vertical splitscreen requires using the F10 console and entering the following command:
set GameViewportClient DesiredSplitscreenType eSST_2P_VERTICAL
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
Hm, didn't work, well, I'll have to examine the code further.....
Re: [Help] Batman Arkham City - Call Unrealscript Function with Params
I found that most of the time, speaking loudly (or in writing) does help with progression. You're on a roll here, hehe.
Still haven't understood what's your aim, but in general, patching bytecode is not just about copy-pasting. The blank .upk data contains IDs to objects which then get converted into pointers, when loaded in memory. Those IDs are constants for the VERSION of the game you're playing, but if the game updates, they might change. With the example you referred here (viewtopic.php?p=329832#p329832), notice I am saying "UFunction (with id 0x6E83)" -- so I know the ID. In your hex arrays you surely have data that would get translated in-game, when upk is loaded, that you fucked up, hence the errors. You can find the IDs also with the help of the dumper (they're the values in front of the object name, either in Names or UObjects txt files). Hope this helps.
As for calling UFunctions with args, I haven't managed to do that yet because you need to grab the FFrame that's used (UnrealScript stack) internally. You can't just run the function in a thread separately, from CE. Also note that UE3 is single-threaded, so everything you do needs to be in main thread. Since there's no sync, if you run -let's say ProcessEvent- from a thread of your own, there's big chances game will crash. Probably not instantly, but it will.
As for learning what commands do, UE Explorer can help with deserialization and understanding of the code in a pseudo-C form. Then you can use the dumped data (Names, Objects) to find the UObject in question (e.g.: God UFunction) and read the bytescript buffer from it. Then you can patch away.
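Added example (not code from any poster in this thread): a same-length patch check for the CreatePlayer call bytes quoted earlier in the thread, illustrating the point in the post above that the multi-byte values embedded in the bytecode are object IDs, which an in-place patch has to leave untouched. The function names and the 4-byte little-endian operand width are assumptions; the opcode meanings are the ones named in the thread.

```python
import struct

# Opcode meanings below are the ones named in this thread. The 4-byte
# little-endian operand after 1C and 48 is an assumption read off the
# 13-byte CreatePlayer sequence quoted in the thread.
CONSTANTS = {0x25: "0", 0x26: "1", 0x27: "true", 0x28: "false",
             0x2A: "None", 0x0B: "Nothing"}
INDEXED = {0x1C: "call", 0x48: "out"}   # each is followed by an object ID
END_PARMS = 0x16


def tokenize(data):
    """Split bytecode into (offset, kind, value) tokens."""
    tokens, i = [], 0
    while i < len(data):
        op = data[i]
        if op in INDEXED:
            if i + 5 > len(data):
                raise ValueError(f"truncated object ID at offset {i}")
            (obj_id,) = struct.unpack_from("<I", data, i + 1)
            tokens.append((i, INDEXED[op], obj_id))
            i += 5
        elif op in CONSTANTS:
            tokens.append((i, "const", CONSTANTS[op]))
            i += 1
        elif op == END_PARMS:
            tokens.append((i, "end_parms", None))
            i += 1
        else:
            raise ValueError(f"unknown opcode 0x{op:02X} at offset {i}")
    return tokens


def render(data):
    """Readable form of a token stream, one word per token."""
    out = []
    for _, kind, value in tokenize(data):
        if kind in INDEXED.values():
            out.append(f"{kind}[0x{value:04X}]")
        else:
            out.append(value if kind == "const" else ")")
    return " ".join(out)


def check_patch(original, patched):
    """Return [(offset, old, new)] for an in-place patch, or raise if it
    changes the length, an opcode that takes an operand, or an object ID."""
    if len(original) != len(patched):
        raise ValueError("patch changes the byte count")
    changes = []
    for old, new in zip(tokenize(original), tokenize(patched)):
        if old == new:
            continue
        if old[:2] != new[:2] or old[1] != "const":
            raise ValueError(f"patch touches more than a constant at offset {old[0]}")
        changes.append((old[0], old[2], new[2]))
    return changes


# Byte sequences as quoted in the thread.
ORIGINAL = bytes.fromhex("1C 40 37 00 00 25 48 55 37 00 00 28 16")
PATCHED = bytes.fromhex("1C 40 37 00 00 26 48 55 37 00 00 27 16")
```

Calling `check_patch(ORIGINAL, PATCHED)` reports only the two single-byte constant swaps; a patch that alters either 4-byte object ID or the byte count is rejected.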