I unlocked a huge cache of information yesterday after finding a certain hashing routine in the game's code. One of the actor modification packets, 0x179, edits the huge number of properties that can be set. These range from your basic HP, MP, TP, to stats, to things like what hotbar button 3 is. They seem to be sectioned into different classes or objects, and then hashed into a single integer to be referenced. SU knew some of these IDs from their packets but didn't go farther than what was seen in the packets.

I first began with a memory search using Cheat Engine for "stateAtQuicklyForAll". This is a signal or function that must run to update your main three stats. I assume it's named this way because it's properties that change quickly (i.e. using spells quickly changes MP, healing/taking damage quickly changes HP). Anyway, I found a huge chunk of what looked like JSON. Incomplete, but it showed me what the "true" names of these properties were.

{
{"stateAtQuicklyForAll",0.3,
{"parameterSave","hp",1,},
{"parameterSave","hpMax",1,},
{"parameterSave","mp",},
{"parameterSave","mpMax",},
{"parameterTemp","tp",},
},
{"stateForAll",1.5,
{"parameterSave","state_mainSkill",},
{"parameterSave","state_mainSkillLevel",},
{"parameterTemp","targetInformation",},
},
{"potencial",1,
{"battleSave","potencial",},
},
{"exp",
{"battleSave","skillLevel",},
{"battleSave","skillLevelCap",},
},
{"bazaar",1,
{"eventSave","bazaar",},
{"eventTemp","bazaarRetail",},
{"eventTemp","bazaarRepair",},
{"eventSave","bazaarTax",},
{"eventSave","repairType",},
{"eventTemp","bazaarMateria",},
},
{"linkshellIcon",1,
{"eventTemp","linkshellIcon",},
},
{"stateAtQuicklyForSelf",1,actor,
{"parameterSave","state_boostPointForSkill",},
},
{"commandDetailForSelf",1,actor,
{"parameterSave","commandSlot_compatibility",},
{"parameterSave","commandSlot_recastTime",},
{"parameterTemp","maxCommandRecastTime",},
{"parameterTemp","forceControl_float_forClientSelf",},
{"parameterTemp","forceControl_int16_forClientSelf",},
},
{"commandEquip",1,actor,
{"parameterSave","giftCommandSlot_commandId",},
{"parameterTemp","otherClassAbilityCount",},
{"parameterTemp","giftCount",},
},
{"battleStateForSelf",1,actor,
{"battleTemp","castGauge_speed",},
{"battleSave","skillPoint",},
{"battleSave","physicalExp",},
{"battleSave","negotiationFlag",},
},
{"timingCommand",1,actor,
{"battleTemp","timingCommandFlag",},
},
{"battleParameter",1,actor,
{"battleTemp","generalParameter",4,},
{"battleTemp","generalParameter",5,},
{"battleTemp","generalParameter",6,},
{"battleTemp","generalParameter",7,},
{"battleTemp","generalParameter",8,},
{"battleTemp","generalParameter",9,},
{"battleTemp","generalParameter",10,},
{"battleTemp","generalParameter",11,},
{"battleTemp","generalParameter",12,},
{"battleTemp","generalParameter",14,},
{"battleTemp","generalParameter",13,},
{"battleTemp","generalParameter",15,},
{"battleTemp","generalParameter",16,},
{"battleTemp","generalParameter",17,},
{"battleTemp","generalParameter",18,},
{"battleTemp","generalParameter",19,},
{"battleTemp","generalParameter",

This chunk wasn't complete because the game overwrites a lot of the memory by the time you see it. However, it gave me a lot to work with. First I isolated the packet that caused this to appear in memory. It seems the processing was done in a Lua script which called C functions, so I put a breakpoint on lua_pcall and waited until I saw the above appear in memory. After that all I had to do was isolate where a known ID (hp for example) appeared in memory, and then I was able to find the specific function!
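The dump above is a nested brace/comma table: a top-level list of groups, each group starting with a quoted name, optionally followed by a number and a bare word like actor, then one entry per property as {store, name, optional index}. The following parser is an added example written for this post, not code from the game or from SU; it turns such a dump into a flat list of (group, store, name, index) records so the "true" names can be tabulated, and it tolerates the cut-off tail by flagging any entry that end-of-input closed instead of a closing brace. The excerpt it parses is a constructed shortening of the dump above (with the same truncated last line); the meaning of the number after each group name (0.3, 1.5, 1) is not established in the post, so it is carried through unchanged and not interpreted. The game's actual hash from these names to the integer IDs in packet 0x179 is not implemented here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the table as it appeared in memory; the last entry is
# deliberately cut off, as it was in the original dump.
SAMPLE_DUMP = '''{
{"stateAtQuicklyForAll",0.3,
{"parameterSave","hp",1,},
{"parameterSave","hpMax",1,},
{"parameterSave","mp",},
{"parameterTemp","tp",},
},
{"exp",
{"battleSave","skillLevel",},
},
{"commandDetailForSelf",1,actor,
{"parameterSave","commandSlot_recastTime",},
},
{"battleParameter",1,actor,
{"battleTemp","generalParameter",4,},
{"battleTemp","generalParameter",5,},
{"battleTemp","generalParameter",
'''

# Tokens: braces, commas, quoted strings, numbers, bare identifiers (e.g. actor).
_TOKEN = re.compile(r'[{},]|"[^"]*"|-?\d+(?:\.\d+)?|[A-Za-z_]\w*')


@dataclass(frozen=True)
class Ident:
    """A bare word such as `actor` (unquoted, so not a property name)."""
    name: str


@dataclass(frozen=True)
class Property:
    group: str               # e.g. "stateAtQuicklyForAll"
    store: str               # e.g. "parameterSave" / "battleTemp"
    name: str                # e.g. "hp"
    index: Optional[int]     # e.g. 4 for generalParameter 4; None if absent
    scope: Optional[str]     # bare identifier after the group name, e.g. "actor"
    number: Optional[float]  # number after the group name; meaning unknown (assumption: kept as-is)
    partial: bool            # True if the dump was cut off inside this entry


def parse_table(text):
    """Parse the brace/comma table into nested Python lists.

    Returns (tree, unterminated): `unterminated` holds id()s of lists that
    were closed by end-of-input rather than by a '}' (i.e. the dump was cut).
    """
    tokens = _TOKEN.findall(text)
    pos = 0
    unterminated = set()

    def value():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != '{':
            if tok.startswith('"'):
                return tok[1:-1]
            if re.fullmatch(r'-?\d+', tok):
                return int(tok)
            if re.fullmatch(r'-?\d+\.\d+', tok):
                return float(tok)
            return Ident(tok)
        items = []
        while True:
            if pos >= len(tokens):           # dump ended mid-table
                unterminated.add(id(items))
                return items
            if tokens[pos] == '}':
                pos += 1
                return items
            if tokens[pos] == ',':
                pos += 1
                continue
            items.append(value())

    if not tokens:
        return [], unterminated
    return value(), unterminated


def flatten(tree, unterminated):
    """One Property per {store, name[, index]} entry, tagged with its group."""
    props = []
    for group in tree:
        if not isinstance(group, list) or not group or not isinstance(group[0], str):
            continue
        gname, scope, number = group[0], None, None
        for item in group[1:]:
            if isinstance(item, Ident):
                scope = item.name
            elif isinstance(item, (int, float)):
                number = float(item)
            elif isinstance(item, list):
                if len(item) < 2 or not all(isinstance(x, str) for x in item[:2]):
                    continue                 # malformed entry: skip, don't guess
                idx = item[2] if len(item) > 2 and isinstance(item[2], int) else None
                props.append(Property(gname, item[0], item[1], idx, scope, number,
                                      id(item) in unterminated))
    return props


def property_table(text):
    tree, unterminated = parse_table(text)
    return flatten(tree, unterminated)


def lookup(props, store, name, index=None):
    """Find a property by the true name recovered from the dump."""
    for p in props:
        if (p.store, p.name, p.index) == (store, name, index):
            return p
    return None


if __name__ == "__main__":
    for p in property_table(SAMPLE_DUMP):
        idx = "" if p.index is None else f"[{p.index}]"
        flag = "  (truncated)" if p.partial else ""
        print(f"{p.group:24} {p.store:14} {p.name}{idx}{flag}")
```

Running it lists every property with its group, and marks the final generalParameter entry as truncated rather than reporting it as an index-less property, which is the mistake an ad hoc grep over the dump would make.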

I didn't take a look at the algorithm itself yet and decided to first write down all IDs. I have figured out 95% of the IDs that get initialized at login, and looking through other packets I've been able to understand ones I didn't know about before. So with all this new information I can now:

  • Set all general stats (STR, INT, Fire Resistance, Attack Damage, etc)
  • Set timers for status effects. Once I find how the log messages work, this will be done.
  • Add/Remove journal entries, as well as set guildleves as abandoned and completed
  • Set all action bar slots (all 30)
  • Set Bonus Point stuff
  • Set next combo, ws/spell timers, etc for action bar stuff
  • And a lot more that I haven't played with!