A Community discussion forum for Halo Custom Edition, Halo 2 Vista, Portal and Halo Machinima

Home  Search Register  Login Member ListRecent Posts
»Forums Index »Halo Custom Edition (Bungie/Gearbox) »Halo CE General Discussion »[Tutorial] Fix your copy of Guerilla.exe

Author Topic: [Tutorial] Fix your copy of Guerilla.exe (7 messages, Page 1 of 1)
Moderators: Dennis

Joined: Jun 27, 2009

Jesus is a friend to the vindictive sociopath

Posted: Aug 2, 2018 09:05 PM    Msg. 1 of 7       
(for those of you who are not in my Discord server and didn't get the message there)

As you may know, Guerilla lets you add more than two magazines->magazines blocks in the .weapon tag type, which, if you inadvertently mis-click or make a mistake, can make you lose your work.

Here's how to fix that.

1) Open Guerilla.exe in a hex editor.
2) Go to offset 0x5D35D8.
3) Change from 0x08 to 0x02.

Result: Maximum of 2 magazines->magazines blocks, instead of 8. Adding more than 2 blocks crashes Guerilla.
Note that Kornman's version of Guerilla obfuscates the .exe data, so nothing on fixing that yet...

Later, I'll tell you how to "unlock" all the blocks, like Kornman did with his modified version of Guerilla.

-Helpful Poster-
Joined: Feb 24, 2007

Posted: Aug 2, 2018 10:31 PM    Msg. 2 of 7       

That's a half decent post.
Edited by Maniac1000 on Aug 2, 2018 at 10:33 PM

Joined: Jun 27, 2009

Jesus is a friend to the vindictive sociopath

Posted: Aug 2, 2018 11:11 PM    Msg. 3 of 7       
To "unlock" all the values like Kornman did with his version, all you have to do is look for the block strings that end with an asterisk (*) and replace the asterisk (0x2A) with a zero terminator byte (0x00). The simplest approach for doing this in bulk is to search the particular memory region for 0x2A00 and replace it with 0x0000.

I'm also working on fixing Guerilla to not crash with comment strings less than max length in its comment block in .scenario tag types. Kornman didn't fix that problem with his version.

All these improvements warrant my simply releasing a fixed version of Guerilla, which I'll see about doing once I've got them all applied on my end.

-Helpful Poster-
Joined: Feb 24, 2007

Posted: Aug 2, 2018 11:14 PM    Msg. 4 of 7       
Sounds great, thanks for the info.

Joined: Jun 27, 2009

Jesus is a friend to the vindictive sociopath

Posted: Aug 3, 2018 02:36 AM    Msg. 5 of 7       
I'm going to use this time to browse the executable's bytes. I'll do a video tutorial on how to read the structures. I want to take the time to go ahead and take all the tag file definitions directly from guerilla.exe to compare them to what I've already done.

This should help anyone with prospects of doing the same:

1) Guerilla.exe (and Kornman's version of Guerilla) both load Read/Write/Execute starting at address 0x400000 by default. If you open it in Cheat Engine and look at the Memory Regions window, you'll see that. Pointer addresses in the assembly are all going to take into account the fact that the .exe is in memory starting at 0x400000 (by default). So subtract 0x400000 from all pointers when looking at guerilla.exe in a hex editor and converting from pointer to file data offset. You don't have to do this if you are simply viewing the virtual memory of the application in Cheat Engine.

2) Make a new tag in Guerilla and search for a label string. Then search for a pointer to that string. That will take you to the metadata (struct element) definition for that entry. Here is a struct for metadata entries:

struct halo_metadata_entry
enum datatypes type;
char* label;
int32_t array_size; // size of array of bytes, or 0

where "enum datatypes" is something like, according to my observations and as shown in guerilla's data:

enum datatypes

3) There are also block definitions and data definitions, somewhat similar in structure. Here is what a block definition struct looks like:

struct halo_guerilla_array_block
char* block_name;
bool is_extended; // whether it contains sub-arrays, sub-data, or dependencies
int32_t maximum_chunks;
int32_t chunk_size;
uint8_t pad[4];
// etc.

A data definition struct is similar, except that where you had "maximum_chunks" in the above, you have the maximum bytes number.

You can find a chunk definition address by making a tag in Guerilla and saving it to disk, then looking at the structure address therein. It will be something around 0x9C0000. For example, the actv .actor_variant colors block definition is at address 0x9c944c.

That should get you started with looking through the guerilla.exe data.

edited for spelling mistakes :B
Edited by sparky on Aug 3, 2018 at 02:37 AM

Add text fields to Guerilla:
Edited by sparky on Aug 3, 2018 at 02:45 PM

Joined: Nov 4, 2015

This site brings me pain.

Posted: Aug 4, 2018 01:42 AM    Msg. 6 of 7       
https://github.com/gbMichelle/HEK-SHARP/blob/master/src/tags/tagdef/hekdef/tagdefShared.hpp structs. Ignore line 63 to 92.

https://docs.google.com/spreadsheets/d/1h_Z4-FoLH29ASLDadhXSsAhhozakyygBDtEY1JoWqIU/edit?usp=sharing info for your enum stuff.

There is more in that code base. There actually is a primitive version of a definition writer that was meant to be hooked up to read JSON files for easily editable tag definitions across guerilla, tool, and sapien.

Keep up the more focused posts.

Joined: Jun 27, 2009

Jesus is a friend to the vindictive sociopath

Posted: Aug 4, 2018 10:14 AM    Msg. 7 of 7       

Interesting to see that someone has interpreted parts of the guerilla.exe in their own way.

I'm in the process of writing a console program to parse the tag definitions out of guerilla.exe and print them into source code. It's only for my use, and for the use of some people who asked to use it who are in my Discord server. I already did the work, it's a matter of comparing and checking against what is in guerilla.exe.

#define MEMREGION 0x400000	// subtract this from all pointer values to obtain file data offset
#define GUERILLA_DEFS_INDEX 0x5b8d88 // the actual file data offset start for mode tag

What you posted regards offset GUERILLA_DEFS_INDEX into guerilla.exe.

It is interesting how this web site and forum has rules against reverse-engineering, and yet all of the content was made in whole or part through some amount of reverse-engineering. It is literally breaking the EULA to modify a byte in the guerilla.exe file, so I guess the majority of this forum and web site contents should be deleted.

It's like making a rule to burn books. Papieren bitte!

struct entry_number_field
enum datatypes type;
char* name;
uint8_t pad[4];
struct entry_struct_field
enum datatypes type;
char* name;
void* definition;
struct entry_pad_field
enum datatypes type;
char* name;
uint32_t size;
struct entry_dependency_field
enum datatypes type;
char* name;
uint32_t* tpns_length;
struct entry_array
char* name;
uint32_t is_deep; // (has sub-arrays, sub-data, or dependencies)
uint32_t max_count;
uint32_t max_bytes; // with tag class, excludes 64 bytes of header
uint8_t pad[4];
void* data_start;
struct tag_def
char* file_extension;
int32_t unknown;
char class[4];
int32_t superclass;
int32_t version;
void* extra; // pointer to some extra data
struct entry_array* data_start;

ban me


Previous Older Thread    Next newer Thread

Time: Wed November 13, 2019 8:37 AM 500 ms.
A Halo Maps Website