Thread: ETW Runtime Memory Structure Documentation

    Inevitability won

    ETW Runtime Memory Structure Documentation

    This thread will be a place for myself and T.C. to document our progress on our ETW/NTW memory hook and documentation on the memory locations and structure of the running process's memory, as well as discuss its theory and implementation. If you have anything to input, please do. The thread may look bleak, but progress is actually quite astounding; theoretical implementation of what we can already do/know could mean quite astounding things. We will no doubt update everyone at a later point.


    Byte offsets relative to the unit's base address
    76 - Unit Size
    80 - Full Unit Size
    ETW:100/NTW:108 - Move Points
    ETW:112 - Unit Experience
    NTW:264 - Length of units custom name


    ETW:232 - 235: Unit stats pointer. (Numbers at this pointer are little-endian)
    +172: Four byte integer, Unit Accuracy
    +176: Four byte integer, Unit Reloading
    +192: Four byte integer, Unit Charge Bonus
    +236: Boolean, Resistant to morale shocks
    +236: Four byte integer, Unit Ammunition


    BETA POINTER:
    Quote Originally Posted by T.C.
    I've confirmed another pointer at the Primary Address. This one seems to relate to units_tables, and we've named it Beta pointer for now. Its structure is a little harder to understand than the Alpha pointer (unit_stats_land). The Beta pointer begins at byte 72 in the primary pointer. As usual, four byte little-endian.

    There doesn't seem to be a header in these files, which is understandable as there is no difference between a naval entry and a land entry in units_tables.

    From the beginning of the memory at the Beta Address:

    Byte 36 - Four byte int, recruit time
    Byte 40 - Four byte int, unit upkeep cost
    Byte 72 - four byte int, unit limit

    There's also a lot more pointers here, probably to the string based data you see in units_tables in PFM.
    Want to help?

    Quote Originally Posted by T.C.
    Documentation Tutorial

    Things you'll need:

    • Winhex / any decent hex editor
    • Cheat Engine
    • A grasp of hexadecimal numbers and the difference between data types (bools, ints, shorts, longs, strings)


    Begin by creating a folder called "Logs" in your ETW data directory. Then replace the scripting.lua for the grand campaign (data/campaigns/main) with the one attached to this post. This script has a feature which will document the address of any unit, character or settlement you click on in the campaign map. The address will be documented in a text file in the Logs directory which you just created.

    Begin by starting up Empire, preferably with no mods, and go straight into a campaign.
    Then click on something and get its address - for the moment we are focusing on units, so make sure that the log entry for "Entity" says "Pointer<UNIT>" as in the next picture (red is correct, blue is incorrect).

    Note that clicking on an army always reveals the address of the unit/character in command of the army, so if you are having trouble getting a unit pointer remove any characters from the army (eg generals)

    You then need to open Empire's memory in Winhex. See the picture below for the "Open RAM" button.

    Once you have opened your system RAM, find Empire's process (it will have the name Empire, you'll have to scroll down a bit) and open the section called "Primary memory".

    Now you need to navigate to the location in memory listed by the pointer. Do this by clicking on "Position" -> "Go To Offset", as shown in the next picture.

    Make sure you select relative to beginning, not current offset.

    You will then be brought to the position in memory which the pointer listed. As you will see, Primary Unit Pointers always start with the bytes 68 45 4A 01, or as seen in the interpreter "hEJ ". They end with 00 00 00 8C, if there is another Primary pointer following them (IDK what they end in if there isn't another Primary pointer following them). So now, highlight the bytes representing the Primary pointer (you should see where another PP starts by looking for "hEJ "). Then right click, select "Edit" -> "Copy Block" -> "Into New File".

    You can see below a highlighted Primary unit pointer being right clicked - note the first four bytes and last four bytes.

    Once you have copied the Primary pointer into a new file, you can compare it with other Primary pointers quite easily. It also makes it easy to work your way through the bytes and find the values we have identified (list kept in first post of this thread).

    What you then need to do is open Cheat Engine. Follow the tutorial presented the first time you run it, though only as far as step 3 (that's all that is relevant to this task).

    Once you know how, you can then scan for values - use the "Memory Scan Options" to scan between the start and end of a specific Primary pointer. If you begin with an "unknown initial value scan", then proceed on to an "unchanged value" scan, you should get a good list of results. Using this method, change any values that you think represent in-game stats, and check in game to see if the change has registered. If you verify an unknown value, make a post here and let us know! If you see the OP you will also find out where the Alpha Address/Pointer is located (see my last post on the previous page for info on this). We don't know much about the data stored at the Alpha Address, but we do know some of the interesting stats (such as ammo) are stored there.
    Last edited by .Mitch.; July 18, 2012 at 01:21 PM.
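The offset tables in the first post and T.C.'s Winhex/Cheat Engine walkthrough describe a manual workflow: find a Primary unit record by its "hEJ" signature, read the fields at fixed byte offsets, follow the 4-byte little-endian pointer at offset 232 to the unit_stats_land ("Alpha") record, and narrow candidate offsets with an unknown-initial-value scan followed by an unchanged-value scan. The Python below is an added example written for this edit, not code from the thread, from T.C. or from the game, and it models that workflow against a constructed in-memory dump. The offsets are the ones listed above (ETW column); the 256-byte record length, the image base address, the field values and every helper name are assumptions made up for the demo, and a real dump would come from the process or from a Winhex "Copy Block" file instead. One caveat a practitioner would check: 68 45 4A 01 read as a little-endian dword is 0x014A4568, an address inside a 32-bit module, so the "signature" is most likely a pointer (for example to a vtable) and may differ between game builds; the code treats it purely as a search key.

```python
import struct

# Signature and trailer T.C. reports for a Primary unit record. Read as a
# little-endian 32-bit value the signature is 0x014A4568, an address inside a
# 32-bit image, so it is very likely a pointer (e.g. a vtable) rather than magic.
PRIMARY_SIG = bytes.fromhex("68454A01")   # shows as "hEJ" + 0x01 in a hex editor
PRIMARY_END = bytes.fromhex("0000008C")

# Offsets from the first post, ETW column, relative to the Primary record base.
PRIMARY_FIELDS = {"unit_size": 76, "full_unit_size": 80,
                  "move_points": 100, "experience": 112}
ALPHA_PTR_OFF = 232          # 4-byte LE pointer to the unit_stats_land ("Alpha") record
ALPHA_FIELDS = {"accuracy": 172, "reloading": 176,
                "charge_bonus": 192, "ammunition": 236}

# Assumptions for the constructed dump only; the thread gives neither value.
RECORD_LEN = 256             # bytes per record in the fake image
IMAGE_BASE = 0x0A000000      # virtual address of mem[0], needed to resolve pointers


def u32(buf, off):
    """Little-endian unsigned 32-bit read at byte offset off."""
    return struct.unpack_from("<I", buf, off)[0]


def find_primary_records(mem):
    """Base offsets of every Primary record, located by signature, in file order."""
    bases, i = [], mem.find(PRIMARY_SIG)
    while i != -1:
        bases.append(i)
        i = mem.find(PRIMARY_SIG, i + len(PRIMARY_SIG))
    return bases


def parse_primary(mem, base, image_base=IMAGE_BASE):
    """Decode the documented Primary fields and follow the Alpha pointer.

    The pointer is a virtual address, so it is converted to an offset into the
    dump and bounds-checked before any of the Alpha fields are read."""
    unit = {name: u32(mem, base + off) for name, off in PRIMARY_FIELDS.items()}
    alpha_va = u32(mem, base + ALPHA_PTR_OFF)
    alpha_off = alpha_va - image_base
    last_needed = max(ALPHA_FIELDS.values()) + 4
    if not 0 <= alpha_off <= len(mem) - last_needed:
        raise ValueError(f"Alpha pointer 0x{alpha_va:08X} points outside the dump")
    unit["alpha_offset"] = alpha_off
    unit["stats"] = {name: u32(mem, alpha_off + off) for name, off in ALPHA_FIELDS.items()}
    return unit


def unchanged_value_scan(before, after, start, end, width=4):
    """Cheat Engine style 'unknown initial value' scan over [start, end) followed
    by an 'unchanged value' filter: keep every width-aligned slot whose bytes are
    identical in both snapshots. Returns {offset: value_before}."""
    return {off: u32(before, off)
            for off in range(start, end - width + 1, width)
            if before[off:off + width] == after[off:off + width]}


def build_image():
    """Constructed dump: one Alpha record at offset 0, then two Primary records
    whose Alpha pointers both reference it. All field values are made up."""
    alpha = bytearray(RECORD_LEN)
    for name, value in (("accuracy", 35), ("reloading", 40),
                        ("charge_bonus", 9), ("ammunition", 15)):
        struct.pack_into("<I", alpha, ALPHA_FIELDS[name], value)

    def primary(unit_size, full_unit_size, move_points, experience):
        rec = bytearray(RECORD_LEN)
        rec[:4] = PRIMARY_SIG
        for name, value in (("unit_size", unit_size), ("full_unit_size", full_unit_size),
                            ("move_points", move_points), ("experience", experience)):
            struct.pack_into("<I", rec, PRIMARY_FIELDS[name], value)
        struct.pack_into("<I", rec, ALPHA_PTR_OFF, IMAGE_BASE + 0)   # Alpha lives at offset 0
        rec[-4:] = PRIMARY_END
        return rec

    return bytes(alpha + primary(120, 160, 23, 2) + primary(40, 80, 25, 0))


def scan_demo():
    """Snapshot the first Primary record, let the unit 'spend' move points,
    snapshot again and keep only the slots that stayed the same."""
    before = build_image()
    base = find_primary_records(before)[0]
    after = bytearray(before)
    struct.pack_into("<I", after, base + PRIMARY_FIELDS["move_points"], 17)
    return unchanged_value_scan(before, bytes(after), base, base + RECORD_LEN)


if __name__ == "__main__":
    mem = build_image()
    for base in find_primary_records(mem):
        print(f"Primary record at +0x{base:X}: {parse_primary(mem, base)}")
    survivors = scan_demo()
    print(f"{len(survivors)} unchanged slots; move_points slot dropped:",
          find_primary_records(mem)[0] + 100 not in survivors)
```

Run as-is it prints both parsed records and the scan result. Against a real dump, replace build_image() with the bytes read from the process (or from the block Winhex copied into a new file) and set IMAGE_BASE to the virtual address at which that dump begins, otherwise the Alpha pointer cannot be turned into an offset; the bounds check is what stops a stale or misread pointer from producing garbage "stats" instead of an error.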
