Hex Editing - Guide

From Heroes 3 wiki
Revision as of 13:19, 1 November 2024 by Csaros (talk | contribs) (→‎Heroes)
Jump to navigation Jump to search
This page is a work-in-progress. Details listed here may not be 100% accurate.

The following article describes some basics of hex edition. Offsets (and code itself in some locations) may vary based on game version.

Heroes of Might and Magic III is coded in Assembly x86. Each byte (a set of 2 hexadecimal characters) corresponds to either a function, or a value for an already determined function. The only exception is byte 0x90, which is non-coding and may be used to f.e. fill empty space.

Upper majority of creature stats, abilities, etc. is coded within the *.exe. While it may not be readable or understandable to a layman, in short time one can comprehend a lot of the code and find reason and rhyme in it (or at least, parts of it).

To open (and edit) the *.exe files, one needs a hex editor, f.e. frhed or another similar software. I recommend ImHex, as it comes with a handy disassembler function built in, as well as a base converter, and similar useful tools.

Some data is located with the *.lod files. To open them, you need to use MMArchive.

Basics

Majority of HotA Horn of the Abyss additions are not directly in the h3hota.exe (or h3hota HD.exe), but instead in Hota.dat (and partly in HotA.dll).

Numbers

All (or almost all) numbers are written in Little Endian - the bytes are placed in reverse order. As an example, 0xA624C (0x before a number signifies it's hexadecimal) in Little Endian is written as 4C 62 0A 00. Note, that the system recognizes that a number is negative based on the fact that it's greater than half the number range: greater than 0x80 for a single byte, and greater than 0x80000000 for a 4-byte value.

Some numbers use a IEE-754 coding. It is recommended to use a calculator for such values, such as the one available on save-editor.com.

Keep in mind that most (but, surprisingly, not all) lists start at 0, not at 1, so the first element is element 0 and not element 1.

QWORD and DWORD pointers are Little Endian representations of an address within the *.exe file, with 0x400000 added to them because of the way the game reads the code. Therefore if you want the DWORD pointer to find 0x27e484, you write it as 84 e4 67 00. DWORDs use IEE-754, while QWORDs use an 8-byte double-precision IEE-754 value.

Values followed by zeroes in the same block are 4-byte numbers - this essentially increases their available number range from (in decimal) 0-127 to 0-2147483647.

Heroes

Heroes are very easy to edit. Hero data is stored in two sets, one containing general hero data and the other containing only hero specialties. Heroes are generally ordered by their faction (Castle, Rampart, Tower, etc.) and then their class (might or magic). Following standard heroes, are all campaign heroes.

Hero Data

Hero data is written as follows:

GG000000 RR000000 HH000000 SO000000 OL000000 ST000000 TL000000 SB000000 SP000000 U1000000 U2000000 U3000000 PS000000 PL000000 R0 AS CO 00,

where:

  • GG = Gender: 00 is male, 01 is female.
  • RR = Race. These are listed alphabetically, from Demon to Vampire. This has no in-game effect or visibility and the extensions preferred to default everyone to human, except Gelu who gets to be an elf.
  • HH = Class. Classes go in order of factions, and within a faction the might class is listed first. Therefore 00 = Knight, 01 = Cleric, 02 = Ranger, 03 = Druid, etc. Note, that HotA classes essentially "follow" this encoding.
  • SO = First skill (ref. ID).
  • OL = First skill's proficiency level (00 = Basic, * 01 = Advanced, 02 = Expert).
  • ST = Second skill (ref. ID). If there is no second skill, instead, FFFFFFFF is used, replacing ST and the zeroes following it.
  • TL = Second skill level. If there is no second skill, 00 is used (Basic).
  • SB = Spell Book. 00 = absent, 01 = present.
  • SP = Spell (ref. ID). If no spell is present, FFFFFFFF is used instead.
  • U1, U2, U3 = Starting army unit reference IDs.
  • PS = Small Portrait DWORD pointer, which leads to plain text name of the portrait in the H3bitmap.lod.
  • PL = Large Portrait, same as above.
  • R0 = allowed in RoE maps by default. 00 = false, 01 = true.
  • AS = Present by default in all non-RoE maps. 00 = false, 01 = true.
  • CO = Campaign-only. 00 = false, 01 = true.

Hero Specialties

Hero specialties are written one by one in the same order as heroes appear in, starting from 0x00278420.

The specialties look as follows:

TT000000 ID000000 AA000000 DD000000 DM000000 U4000000 U5000000

TT - Specialty type. The following specialty types exist:

  • 00 = Skill specialty (+5% skill effect per level)
  • 01 = Basic Unit specialty (+1 speed, +1 Attack and Defense every <unit level> levels)
  • 02 = Resource (+1 gems per day, etc.)
  • 03 = Spell (+3% efficiency per level for most spells, sometimes special bonuses instead)
  • 04 = Static Unit specialty (static bonus to attack, defense, damage, speed, or any combination of them), f.e. Xeron, Kalt, Haart Lich, etc.
  • 05 = Speed (Sir Mullich only)
  • 06 = Unit Upgrade specialty (Gelu, Dracon, Bidley, etc.)
  • 07 = Dragon Specialty (Mutare, Mutare Drake)
  • 08 = Frederick's Automaton Explosion specialty.

Note, that setting the first byte (TT000000) to FFFFFFFF will ensure the hero has no specialty. This is only used for Adrienne (yes, she technically has no hero specialty).


ID = Reference ID of the specialized in Skill, Unit, Resource or Spell. (Not needed for Dragon and Speed specialties, where it is 00 and an unnecessary, unused 02, respectively).

AA = Attack bonus for Static Unit specialists (and Mutare).

DD = Defense bonus for Static Unit specialists (and Mutare).

DM = Damage bonus for Static Unit specialists (and probably Mutare).

U4 = Second unit (ref. ID) that can be upgraded (only used by Unit Upgrade specialists; otherwise left as 00. Note, that using the same unit twice for Unit Upgrade specialty essentially removes second unit from being upgradable; meanwhile using 00 sets the ID to Pikemen.)

U5 = Resulting unit ref. ID from the upgrade (only for Unit Upgrade specialists).

Note, that using a Unit Upgrade specialist, reference ID of unupgraded creatures ought to be used. F.e., Gelu references Archers and Wood Elves, but code naturally allows also for their upgrades to be improved with his specialty. This does not occur the other way around; specifying ID or U2 as an upgraded creature, will make the upgrade impossible for unupgraded creatures.

Note, that many "possible" specialties don't exist and simply won't do anything; examples include Tactics specialty, Teleport specialty, etc.

Editing HotA Heroes

Hota heroes are coded in the HotA.dat, in the following order: (names written in quotes are coded in plain text)

07 000000 "hero<ref_id>" 12 000000 "Heroes\hero_<ref_id>.str" FACTION "#large_portrait_file_name.pcx" 0c000000 "#small_portrait_file_name.pcx" XX 000000 "Specialty_Name" YY 000000 "Specialty Bonus: Object" ZZ000000 "{Full Object}" 0d 0a 0d 0a (number of 0a 0d repetitions may differ) "specialty_description" PP000000 "HeroName" QQQQQQQQ "Biography" 00000000 01 5c 0000 (number of zeroes may vary) GG000000 RR000000 HH000000 SO000000 OL000000 ST000000 TL000000 SB000000 SP000000 U1000000 U2000000 U3000000 PS000000 PL000000 R0 AS C0 00 00000000 00000000 1m000000 1M000000 2m000000 2M000000 3m000000 3M000000 08000000 I8000000 TT000000 ID000000 AA000000 DD000000 DM000000 U4000000 U5000000, where:

  • FACTION = 09 000000 00000000 0b 000000 for Cove heroes and 09 000000 00000000 00000000 07 000000 for Factory heroes,
  • #large_portrait_file_name.pcx, #small_portrait_file_name.pcx: # and the appropriate file name, f.e. #HPLP06.pcx
  • XX = ???
  • Specialty_Name is f.e. "Sea Dogs" or "Nix".
  • YY = ???
  • Specialty Bonus: Object refers to the following types of text: "Spell Bonus: Air Shield", "Creature Bonus: Sea Dogs", etc.
  • ZZ = ???
  • {Full Object} is a text in curly parentheses {} stating again the specialty, f.e. "{Estates}", or "{Pirates, Corsairs and Sea Dogs}".
  • specialty_description: Plain text description.
  • PP = Hero's name's length.
  • QQQQQQQQ = ???, seems to be some sort of an ID as it seems to be unique for each hero; it is not, however, the reference ID. All QQ values are around 300 (dec).
  • 1m = minimum number of the first creature type in hero's starting army
  • 1M = maximum number of the first creature type in hero's starting army
  • 2m = minimum number of the second creature type in hero's starting army
  • 2M = maximum number of the second creature type in hero's starting army
  • 3m = minimum number of the third creature type in hero's starting army
  • 3M = maximum number of the third creature type in hero's starting army
  • I8 = reference ID + 8 for heroes before ref ID 178 and reference ID + 7 for heroes after ref ID 178 (essentially, 0xb9 is skipped)

Heroes in HotA.dat start at 0x23dd and end at 0x9886. Note, that for editing text itself it's best to use programs such as HotA Editor, instead of a direct hex-editing.

Altering Hero specialties

00 - Skill Specialty

The code for skill specialties works as follows: XXXXXXXX D805 YYYYYYYY D8 4D FC where XXXXXXXX is a DWORD pointer to a 5% value (in IEEE-754), YYYYYYYY is a DWORD pointer to a value of 1 (again, in IEEE-754)

How it works =

The number of levels is multiplied by the XXXXXXXX DWORD pointer, added to the YYYYYYYY DWORD pointer and then the skill bonus is multiplied by it (D8 4D FC).

If we want to change the % gain per level, we only need to change the XX value. If we want to instead make the bonus additive (say x% per level, regardless of how much skill itself adds), we can replace the D805YYYYYYYY with 909090909090 (NOP) and replace the D8 4D FC with D8 45 FC.

Therefore it is possible to have a different bonus for one skill than another.

Offsets

The offsets for each skill specialty bonus are as follows:

Archery - 0x0E4420
Armorer - 0x0E45C9
Diplomacy - 0x0E483C
Eagle Eye - 0x0E46E0
Estates - 0x0E464F
First Aid - 0x0E4BD9
Intelligence - 0x0E4B69
Leadership - 0x0E3C81
Learning - 0x0E4AF9
Logistics - 0x0E4F1E
Luck - 0x0E3A2B
Mysticism - 0x0E41FE
Necromancy - 0x0E3F92
Offense - 0x0E4569
Resistance - 0x0E499C
Scouting - 0x0E432E
Sorcery - 0x0E5B61
Exceptions

Specialties for integer-bonuses (Luck, Logistics, Scouting) only have their effect when a full integer is gained from their % bonus.

Diplomacy specialty only affects surrender costs.

Learning specialty is fully over-writen by the Hota.dll.

01 - Unit Specialty

The scaling factor for a unit specialty is a DWORD pointing to a 5% value (in IEEE-754), located at 0x0e6548.

Setting the unit IDs to an upgraded unit will ensure only the upgraded units are affected by the specialty.

Ballista and Cannon specialty are Unit specialties.

02 - Resource Specialty

The amount of resources obtained from a gold specialty is saved at 0x0E4681 (as 350).

The code for other resource specialties is possible to edit, but it checks for each resource together and then adds 1 to their growth (therefore its only possible to make all resource specialists increase resource gain by 2, unless a complete re-write of the function is performed).

03 - Spell Specialists

Spell specialty types

Spell specialty type table starts at 0x0e6358 (with Fire Wall specialty). Each consecutive byte is then the next spell by spell ID (Firewall, Earthquake, Magic Arrow, etc.) up to Slayer. Each spell specialty can take 6 types:

00 - +100% damage (Luna). Note that Hota.dll overwrites this +100% damage with a much more sensible 25%.
01 - +50% damage (Ciele).
02 - Tier bonus A (+3/+3/+2/+2/+1/+1/+0), such as Weakness specialty or Haste specialty.
03 - Static bonus +2 (Aenain)
04 - This one is only used by Fortune (Daremyth, Melodia). In contrary to what BTB claims, it sets the value of the spells effect to 3, regardless of spell's level.
05 - Tier bonus B (+4/+3/+2/+1/+0/+0/+0), only used by Coronius as far as I know.
06 - Scaling bonus.

If a spell does not belong to the spell table, the scaling bonus is applied (for example this applies to the Hypnotize specialist, Astral).

But what if we want to change the specialty type for a spell like Hypnotize?

We can extend the table by changing 0x0e6296 (equal to 0x2a by default) to a different value, which corresponds to the number of spells in the table -1. If we extend the table, the next specialties will be those for the next spells by spell ID. We have a total of 13 bytes of nop (90), so the last spell specialty we can code this way is Summon Air Elemental. Remember to update all specialties created this way! You shouldn't just leave the nops (90) in the middle of the table!

"But what about Victoria, the Land Mine specialist?", you may ask. Well, I'm here to give answers:

The command lea eax, [esi-0Dh] located at 0x0e6291 finds the spell ID of firewall (0d) and chooses it as the first spell on the list of specialties (remember? The one that starts at 0x0e6358?). By changing it to lea eax, [esi-0Bh], we can change the first spell ID to 0x0B, or Land Mine. Notice, that this reduces the last spell specialty to Summon Earth Elemental, but I doubt anyone will miss the Summon Water Elemental and Summon Air Elemental specialties.

Next, we have to increase the number of spells in the list by 2 (located at 0x0e6296), and then move the entire spell specialty table, 2 bytes each, because now it starts at 0x0e6358 with Land Mine (and still follows by spell ID).

"And what about Eovacius? And Zilare?"

Haven't looked at them yet but I believe they may be hard-coded.

The specialty types can be changed by altering their commands. Each specialty type (00, 01, and so on) have a DWORD pointer to their appropriate code located in a 28-byte long table starting at 0x0e633c.

Changing Tier bonuses

Let's say we want to make Olema's Weakness specialty remotely usable, but we still want it to be a tier-based specialty. We can change the bonuses the spell provides for each unit tier in a 28-byte long table that starts at 0x23eaa8. Each 4 bytes corresponds to the next unit level.

A similar table for Coronius' specialty type starts at 0x23eac4 (immediately afterwards) and works the same way.

Changing the static bonus

At 0x0e62e6 the value 0x02 determines the static bonus (such as the one Disrupting Ray specialists get).

Changing the scaling bonus

At 0x0e631f the DWORD pointer finds an IEEE-754 double precision value for 3% (base game). Replacing this pointer with another one finds a different % bonus.

If you don't want the scaling specialties to divide their bonus by unit level, replace f7 f9 at 0xe630b with 90 90 (nop-ing out the division).

Specialties that don't work

Several specialties don't work because no specialty type can increase their bonus:

  • Curse
  • Anti-Magic
  • Dispel
  • Slow ???, but it would probably be way too strong anyway;
  • Berserk
  • Blind
  • Teleport
  • Remove Obstacle.

04 - Unit (static)

Only Xeron is specified to add speed thanks to his static unit specialty. This is (most likely) saved at the following address: 0x4b1b3 ???.

Setting the unit IDs to an upgraded unit will ensure only the upgraded units are affected by the specialty.

05 - Speed specialty

Sir Mullich's unit specialty amount (0x02) is located at 0x0E6669.

06 - Unit Upgrade specialty

These specialties calculate the upgrade cost automatically, with the same function that calculates upgrade costs in all other cases. If "unupgraded" unit is more expensive than the upgraded one, the message about necessary costs wil appear, but no cost will be stated and the conversion will be free.

Setting the unit IDs to an upgraded unit will ensure only the upgraded units are affected by the specialty.

07 - Dragon specialty

I believe Mutare's bonus is specified within her specialty block.

Editing HotA Creatures

While most statistics of base game creatures can be edited rather effortlessly (using MMArchive to unpack H3bitmap.lod or HotA_lng.lod), HotA creatures cannot be edited this way. Their data is stored at the beginning of HotA.dat, as follows:

08 000000 "most<ref_id>" 17 000000 "Monsters\monster<ref_id>.str" 09 000000 00000000 04 000000 "name_abbreviation" KK000000 "<animation_filename>.def" L1000000 "Monster_name (singular)" L2000000 "Monster name (plural)" 00000000 00000000 00000000 00000000 01 74 0000 TT 000000 UL 000000 0c556700 00556700 NNNNNNNN 80da9e03 60da9e03 30da9e03 WC000000 MC000000 OC000000 SC000000 CC000000 GeC000000 GC000000 FV000000 AV000000 GV000000 HG000000 HP000000 SP000000 AT000000 DF000000 DmgL000000 DmgH000000 SH000000 SN000000 OO000000 mm000000 MM000000 RR000000 VV000000 WW000000 XX000000 YY000000 ZZ000000

  • monst<ref_id> is monster's reference id in decimal, f.e. monst154
  • name_abbreviation is a 4 letter abbreviation of the monster name. Never appears anywhere ever again. Note that not all abbreviations are just beginning or consonants, f.e. Haspids are written as "aspi" and nix as "nixx". This abbreviation doesn't seem to have to be unique, as Sea Serpent and Haspids have the same 4 letters here. It is worth pointing out, that base game creatures also use 4-letter abbreviations in a similar table located in h3hota HD.exe around 0x275500
  • KK is the length of the animation_filename + 4 (and therefore the length of the entire "animation_filename.def"
  • <animation_filename>.def is the file name of the set of animations, saved as .def in HotA.lod or HotA.lod.
  • L1 is the length of the monster name (singular)
  • L2 is the length of the monster name (plural)
  • 0x74 codes as "t" in ASCII
  • TT is the reference id of the town the monster belongs to. 0x09 for Cove, 0x0a for Factory, FFFFFFFF for Neutrals and I bet if HotA ever releases a new town, it will have 0x0b as its faction code.
  • UL is the unit level -1 (sidenote: this is an example of numbers being used in a list with a zero-based numbering). FFFFFFFF for monsters with no level (f.e. Citadel / Castle Towers)
  • 0c556700 (and 00556700) point to a similar table with creature sprite, text and other references in h3hota HD.exe and is probably used to insert the HotA.dat's creature table into this part of the exe.
  • NNNNNNNN is equal to 0x10 for all Cove creatures (except the Sea Dog), Leprechauns and Satyrs, but can take different values: f.e. 65040200 for Cannon, 14100100 for Sea Dogs, 12040000 for Fangarms, 00040200 for Steel Golems... I don't know what these values represent, especially since they have such different magnitudes. (Perhaps they're a bitwise monster description being encoded into bytes.) ???
  • 80da9e03, 60da9e03, 30da9e03 - ???
  • WC is the cost of wood necessary to recruit the creature
  • MC is the cost of mercury necessary to recruit the creature
  • OC is the cost of ore necessary to recruit the creature
  • SC is the cost of sulfur necessary to recruit the creature
  • CC is the cost of crystals necessary to recruit the creature
  • GeC is the cost of gems necessary to recruit the creature
  • GC is the cost of gold necessary to recruit the creature. Note that all aforementioned cost values have 4 bytes to play with, so the maximum unit cost is 2147483647 gold (or of any resource).
  • FV is the Fight Value
  • AV is the AI Value
  • GV is the Growth
  • HG is the Horde Growth
  • HP is, surprisingly, hit points
  • SP is speed
  • AT is attack
  • DF is defense
  • DmgL is low end of the damage range
  • DmgH is the high end of the damage range
  • SH is the number of shots per battle
  • SN is the number of spell casts per battle
  • mm - minimum number of units when randomly spawned by the map generator
  • MM - maximum number of units when randomly spawned by the map generator.

QQ, RR, VV, WW, XX, YY, ZZ - ???. Sometimes they take up 28 (!) bytes (such as for Ayssids), and sometimes don't appear at all. I suspect they reference some sort of abilities the creatures have, or their descriptions.

When using custom functions or editing original code, note that all HotA (as well as some SoD monsters) have reference ID above 80, and therefore cannot be checked for using a simple check command, such as 83 FA ID. Instead, you have to use a longer command that accepts a 4-byte value (for EDX that would be 81 FA ID000000).

Editing Creature Abilities

Magic Channel (Familiars)

Magic channel's applicable unit ID is defined at 0x1a24f6. The game uses a frankly ridiculous method of dividing by 5 (let's just say that it purposefully calls and uses a value 1717986919 to calculate 20%). Btb2 analyzed it and found a way to alter the percentage to 50% or 100% (by ignoring the horrible function before it and simply taking the mana value or moving it by 1 byte). Replace:

  • 0x1A24B4 -> 8b 55 98 d1 ea (for 50%, since d1 ea is a single bitwise shift to the right
  • 0x1A24b4 -> 8b 55 98 90 90 (no division).

Let's take a look at the function. The following offset reads:

  • 0x1A249F: b8 *67666666* c7 45 1c 02000000 f7 e9 8b 4d 9c *d1 fa* 8b c2 c1 e8 1f 03 d0

The b8 XXXXXXXX (bolded above) function calls a hexadecimal value (note that it's in Little Endian) and saves it. The code then uses "d1 fa" (emboldened above) to divide edx by 2 before it is further used. C1 E8 1F is simply a division by 2^31 of the value. Yes, that is why the rounding may be a bit off for Magic Channel. Now let's consider replacing:

  • 67666666 with our custom value (for now let's imagine it's 56555555)
  • d1 fa with 90 90 (two nop or non-coding functions, so we basically removed this part of the code)

The result is... Division by 3. Now the Magic Channel grants 33% mana return.

To obtain a different value, we need to replace XXXXXXXX with another number. This has to be (2^33 / D) +1, where D is our divisor (3 for 1/3, 5 for 1/5, etc.). The 2^33 is multiplied with the variable (mana cost), but is then divided by 2^31 and moves by two bits elsewhere to account for the differences. The number is greater than the quotient by 1, to avoid the rounding downwards removing 1 mana point incorrectly. Note, that XXXXXXXX cannot be equal to or greater than 00000080 (0x80000000), as then the value will be negative.

The function also calls 0x1A2498 for the minimum mana value for which Magic Channel may apply. This is equal to the value of D (0x05 in base game, 0x03 in the example above).

Editing Buildings

Building names and descriptions (excluding HotA) are saved in BldgSpec.txt and BldgNeut.txt. Building requirements can be altered by changing their dependency tables. Address of each dependency table is located at:

  • 0x0EB816 - Castle
  • 0x0EB8B3 - Rampart
  • 0x0EB971 - Tower
  • 0x0EBA39 - Inferno
  • 0x0EBA48 - Necropolis
  • 0x0EBA5C - Dungeon
  • 0x0EBA70 - Stronghold
  • 0x0EBA84 - Fortress
  • 0x0EBA98 - Conflux

Note, that some building requirements are changed in HotA.dll. While it shouldn't be too difficult to determine their location in that file, (look for appropriate DWORDs in HotA.dll) for now these offsets are unknown. The requirement table for Cove and Factory may be coded differently and as far as I know, haven't been found yet.

Building costs can be changed in Building.txt.

HotA buildings

Building names and descriptions for HotA are saved in HotA.dat and can be edited as a text edit using f.e. the aforementioned HotA Editor.

Building costs for HotA are saved in HotA.dat. The building names appear before the building costs. Each building cost contains of 28 bytes, each 4 bytes representing a 4-byte little endian number of cost for each resource (Wood, Mercury, Ore, Sulfur, Crystal, Gems, Gold). Note, that some buildings have text and description, but no written cost (either replaced with 0s or simply not having any space devoted to them). An example is Mana Generator. For now it is not known how to edit the cost of these buildings (and therefore the cost of the Mana Generator remains a mystery).

Resource Silos

Resource Silo yield tables are located at 0x288F04. Each resource value is mentioned for each town, one by one, in 4-byte values (order of resources is Wood, Mercury, Ore, Sulphur, Crystal, Gems, Gold) with towns going in order.

Cove's Resource Silo simply copies the one from the Dungeon, while Factory copies Rampart.

The Resource Silo table is called for in exe a few times, but HotA.dll overwrites all (or most) of these calls at 0xd37ae and 0xd37ce. As of 12:19, 19 September 2024 (UTC), it is not known how to alter the Resource Silo values for Cove and Factory. No specific offset or function have been identified. ???.

Artifacts

All stats given by artifacts are written into a table at 0x23e758, 4 bytes for each artifact (Attack, Defense, Power, Knowledge).

The artifact traits are specified in artraits.txt, while artifact pick-up events are defined in artevent.txt (both in Hota_lng.lod).

Interference amount of the Plate of the Dying Light is specified as a IEE-754 floating point value at 0x1d40c8 in Hota.dll

Combination Artifacts

Combination artifact's components are specified at a few functions, starting at 0x04c63d. For further reading see BTB2's guide (linked below, as External Link #3). Be aware! BTB2's guide is either wrong or outdated! His method of removing components seems to work correctly, however, most likely due to HotA putting their combination artifacts in HotA.dll to push them in between base game combination artifacts, or for another reason, his method of increasing the number of items does NOT work.

However, not all is lost. There's 8 bytes of nop (90) commands starting at 0x4c8c8, and we can use them to add an extra item (to showcase it, I'll present a code for adding an extra item to the Ring of the Magi's requirements. This seems a safe method, since only a short push is used, and therefore I advise changes to 3-piece combination artifacts to simply copy this method and swap Ring of the Magi with their edited artifact).

0x4c85b 6a XX (ref item ID) -> eb 6d (jump 109 bytes forward)
0x4c8c8 90909090 90909090 -> eb 06..(skip following code)...6a XX (ref item ID) 6a YY (2nd ref item ID).....eb 8d (jump backwards 115 bytes)

Replace emboldened text with your appropriate artifact IDs. Remember to also update the number of components (in this example at 0x04C861).

Note, that the method described above only works for a jump of 125 bytes or less. Gladly, there's a few other empty spaces that can be used for adding extra components:

  • 0x4c25c (11 bytes of nop)
  • 0x4c2d6 (10 bytes)
  • 0x4c347 (9 bytes)
  • 0x4c3c7 (9 bytes)
  • 0x4c622 (14 bytes)
  • 0x4c8c8 (8 bytes)
  • 0x4ca15 (11 bytes)
  • 0x4d008 (8 bytes)

Simply use the available space within 125 bytes of the definition of any of the original components. If this can't be done, swap your artifact with another, which can be edited.

Note, that if you're using HotA, it's much safer to just edit appropriate artifact reference IDs and add other appropriate components (or replace the resulting artifact) by editing Hota.dat (see: Artifacts - artsinfo0

Making new Combination Artifacts

For now it is wholly unknown how to do it. HotA devs seem to now their way around it.??? See below.

What might work is repeating a function identical to that of another artifact with different properties using some empty space. Requires further testing.

HotA Artifacts

Hota's new artifacts are coded in the Hota.dat. To edit their properties, you need to edit their text (or use hexadecimal values for ASCII to match their text in hex editing). Artifacts are coded as follows:

artsinfo0

This part of the file includes partial data on all HotA artifacts, written as follows:

#Artifact Name
<ref_ID>
X Y Z # Description:
P Q R # Dif abl, S points
-1

Note, that the ref_ID above is written in decimal system.

The X Y Z applies a buff to the artifact, seemingly by coding first the bonus type with X, amount with Y and optional specification with Z.

  • 0 - Increase Attack / Defense
  • 1 - Add Spell Power
  • 2 - Add Knowledge
  • 7 - Different Ability, Y = AI value ??? (it's described as "points")
  • 8 - Movement artifact?
  • 13 - Restrict spells; Y = 1 for Cloak of Silence, 4 for Ring of Oblivion
  • 16 - Add daily resource growth, Y = amount, Z = resource type (0 = wood, 6 = gold)
  • 24 - Enemy morale bonus
  • 25 - Enemy luck bonus

The P Q R are coded in the same way as above and refer to a second ability.

However, the method above seems to suggest some artifacts have different bonuses than they actually possess: Ironfist of the Ogre doesn't increase either attack or defense; Trident of Dominion increases attack by 6, etc.

This part of the file also includes definitions of all combo artifacts and their components. F.e. Diplomat's Cloak:

# Diplomat's Cloak
12 141 3 66 67 68
  • 12 is the number of the combination artifact (including SoD ones)
  • 141 is the decimal reference ID of the Diplomat's Cloak
  • 3 is the number of components
  • 66 67 68 are the reference IDs of components (decimal)

Note, that this can be used to effectively alter any base-game combination artifact! Simply add a line before these artifact definitions

# Sample Text
N RIF C R+ R++ R+++ R++++,

where N is the number of combination artifact (counting the way they're placed in the .exe code), RIF is the reference ID of the final artifact, R+, R++ and so on are the additional components. To showcase adding an extra requirement to the Ring of the Magi (since a similar concept was used above) and replacing the Ring of the Magi with the AB blade and requiring a Sword of Hellfire:

# Armageddon's Blade
10 128 1 11

(11 is the reference ID of the new item - Sword of Hellfire).

Sadly, new combination artifacts can't simply be added this way.

art<ref_ID>

art<ref_ID> entries in HotA.dat (as visible in the Hota.editor.exe) can be used to alter an artifact's name, adventure map event text, description, slot type and rarity class (treasure, minor, major, relic). Here is also the true artifact bonus data coded. Note that the Reference ID is in decimal.

gold_price # cost - (cost of 0 is used if an artifact cannot normally appear, f.e. if it's a Combination Artifact.
slot # slot type (0 - none, 1 - head, 2 - shoulders, 3 - neck, 4 - right hand, 5 - left hand, 6 - torso, 7 - ring, 8 - feet, 9 - misc, 10 - ballista, 11 - ammo cart, 12 - first aid tent, 13 - catapult, 14 - spell book)
class # type (1 - none, 2 - treasure, 4 - minor, 8 - major, 16 - relic)
0 # disabled as defaults (0 - no, 1 - yes)
0 # add new spells (0 - no, 1 - yes)
0 # attack bonus (_int8_)
0 # defense bonus (_int8_)
0 # spell power bonus (_int8_)
0 # knowledge bonus (_int8_)

Creature Banks

Creature bank definitions in h3hota HD.exe start at 0x2702A0. They are coded as follows:

U1000000 U2000000 U3000000 U4000000 FFFFFFFF 00000000 00000000 00000000,

where U1, U2, U3 and U4 are Unit IDs for guards ( U2 U3 U4 etc are optional). Note, that the 12 bytes of 00 do not appear after the last defined creature bank (Dragon Utopia).

Afterwards, the reward creatures (and creatures only!) are defined as follows:

FFFFFFFF R1000000 R2000000 R3000000

Where R1 is the reward creature for the first bank, R2 for the second, and so on.

The order the banks appear in is as follows:

  1. Cyclops Stockpile
  2. Dwarven Treasury
  3. Griffin Conservatory
  4. Imp Cache
  5. Medusa Stores
  6. Naga Bank
  7. Dragon Fly Hive
  8. Shipwreck
  9. Derelict Ship
  10. Crypt
  11. Dragon Utopia.

Note, that after changing these values, you still have to edit the remaining bank data in CrBanks.txt.

HotA banks, except for the Ancient Altar, are all defined within the Hota.dat file, as crbank21, 22, and so on.

The Pyramid

The pyramid is defined separately:

0xa3fa2:6a 02 6a 14 6a 7d (52 8d4508 53 50) 6a 74;
0xa3fb6: 28 00 00 00

Where:

  • 02 is the number of stacks of Diamond Golems
  • 14 is the number of Diamond Golems (in total)
  • 7d is the unit ID of Diamond Golems,
  • 74 is the unit ID of Gold Golems and
  • 28 is the number of Gold Golems.

BTB2 suggested replacing Diamond Golems with Mummies - this however, requires using a creature ID above 80, and therefore a long push (6B 8D000000 for mummies). However, to do that we would need to use some empty space. He suggested removing the -2 Luck on empty Pyramid subroutine. I decided to instead use some empty space I got from a different change, keeping the -2 Luck penalty. The result is as follows:

0x0A3FA6 → ebdf (jumps to overwrite -2 luck on empty Pyramid),
0x0A3F82 → e9 89c10100 (jump to free space 0xc0110)
68 8d000000 (Mummies)
EB 1A 90 90 (jump back to A3FA8),
0xc0110 (Free) → 8a 87 1b 01 00 00 04 fe 88 87 1b 01 00 00 (displaced code: -2 Luck on empty Pyramid),
0xc011d (Free) → E9 6b3efeff(jump to 0x0A3F8F (end of F8E))

Note, that this method assumes you have empty space at 0xc0110 (by forcing rumors to always show rumors defined by the mapmaker). If you have empty space elsewhere, simply move the function, altering the jumps appropriately.

Editing h3hota_maped

All heroes are defined one by one in the h3hota_maped starting from 0x186800.

GG000000 RR000000 HH000000 SO000000 OL000000 ST000000 TL000000 SB 000000 SP000000 U1000000 U2000000 U3000000 PS000000 PL000000 R0 AS CO 00

Note, that some HotA heroes use some data from HotA.dat

Game Mechanics

Starting Resources

Table with the starting resources starts at 0x278170. Each 4 bytes are the next resource (Wood, Mercury, Ore, Sulfur, Crystal, Gems, Gold). Each 28 bytes is the next difficulty - Easy, Normal, Expert, etc. At 0x2781FC the AI resources start and follow the same order of resources and difficulties. The whole table thus takes 280 bytes.

Starting Bonuses

Gold Bonus

The starting gold bonus chooses a random value between the value written at 0x0C0002 and the value at 0x0BFFFD, and then multiplies it by 100. To change the multiplication, simply edit 0x0C000B (multiplying by 25) and 0x0C0016 (moving the value by 2 bits, so multiplying it by 4).

Resource Bonuses

The starting resource bonuses use DWORD pointers to find their appropriate code to run:

  • Wood and Ore - AF FF 4B 00
  • Crystals - D6 FF 4B 00
  • Gems - E1 FF 4B 00
  • Mercury - EC FF 4B 00
  • Sulfur - F4 FF 4B 00

These DWORD pointers are located at the following addresses:

  • Castle - 0x0C01B4
  • Rampart - 0x0C01B8
  • Tower - 0x0C01BC
  • Inferno - 0x0C01C0
  • Necropolis - 0x0C01C4
  • Dungeon - 0x0C01C8
  • Stronghold - 0x0C01CC
  • Fortress - 0x0C01D0
  • Conflux - 0x0C01D4

Note, that you need to edit ScnrStar.def to reflect any altered resources.

The amount for each rare resource is most likely determined by the function at 0xc009e: ???

minimum: c745f0 33333333 (mov [ebp-0x10], 0x33333333) c745f0 3333EB3F (mov [ebp-0x1c], 0x3feb3333)
break between the two: eb 0e (jmp 0x0e)
maximum: c745f0 66666666 (mov [ebp-0x10], 0x66666666) c745f0 6666E63F (mov [ebp-0x10], 0x3FE66666)

The amount of wood and ore are most likely specified at 0xbffaf: BA 0a000000 (mov edx, 0x0a) B9 05000000 (mov ecx, 0x05)

Movement point reminder

The movement point reminder is located at 0x9c91. It checks if movement points are 0 (using a 2-byte test eax, eax) and then proceeds to different code if movement points are (or not) zero. If one wants to change it to a higher number (to avoid reminding of movement for heroes that can't actually move anymore), the following code can be used:

0x9c91:       a1 c8876900 mov eax, [0x6987c8] e9 849d0d00 (jump to some arbitrary free space) 90909090
free space:  3d XY000000 cmp eax, XY - compare movement points with value XY.
   7F 0A jg 0x0a - jump 10 bytes if the value is greater.
   A1 C4 5d 6A 00 - displaced code
   e9 6f62f2ff - jump to 0x9c9f (or 49C9F)
   e9 a462f2ff - jump to 0x9cd9 (or 49CD9).


External links

  1. heroescommunity.com - Editing heroes in memory - Includes a large number of various Reference IDs
  2. heroescommunity.com - How to edit Hota? - Thread with majority of useful information, scrambled across 112 forum pages.
  3. BTB2's hacking guide - primarily detailing creation of his own mod, but including tips, explanations and some of the Reference IDs
  4. void_17's database - this database describes most or all of the functions in the base game of heroes 3.