The PES6 Game Physics Mod is a Win32 DLL that injects itself into theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/angelballay/pes6_game_physics_mod/llms.txt
Use this file to discover all available pages before exploring further.
pes6.exe process and intercepts the game’s pass physics integrator through two x86 JMP hooks. When the DLL is loaded, DllMain spawns a background monitor thread (MainThread) that waits one second for the game to settle, resolves the executable base address via GetModuleHandleA, and then installs both hooks in sequence. From that point forward, every pass event flows through a pipeline: Hook A captures the passer and receiver memory pointers along with their grid-cell coordinates, Hook B intercepts the EDI register that carries the raw pass power value, delegates the value to CalculateModifiedEDI(), and feeds the result into the game’s original call_78020 ball-writing routine. A hotkey polling thread (HotkeyToggle) allows toggling the entire system at runtime with Ctrl+Shift+P, and an optional Kitserver D3D Present hook renders an on-screen status message when that overlay is available.
Module layout
| Module | Responsibility |
|---|---|
dllmain.cpp | DLL entry point; spawns MainThread, installs both hooks via InstallContextHook / InstallPowerHook, enables the mod, starts HotkeyToggle, and runs the 1-second monitor loop that logs context and power events |
PassContext | Hook A at pes6.exe+1A5905 — captures ESI (passer) and EDX (receiver) into g_savedPasser / g_savedReceiver, increments g_ctxCount, and provides ReadPassContextDistance / ReadPassGeometryDot for geometry queries |
PassPower | Hook B at pes6.exe+1A637B — saves EDI, calls CalculateModifiedEDI() via cdecl, restores computed EDI, runs the original call_78020 push sequence, then restores the original EDI |
PassPowerConfig | Defines the PassPowerConfig struct and the global g_passConfig instance holding all tuning parameters: inertia band limits, distance boost lookup tables, soft-floor targets, awkward-angle rescue thresholds, and EDI caps |
MemoryPatch | Provides CheckBytes() for pre-install byte validation and WriteJump() for writing a relative 0xE9 JMP patch with NOP padding and FlushInstructionCache |
ModState | Thread-safe on/off toggle backed by InterlockedExchange (writes) and InterlockedCompareExchange (reads); when enabled, sets ball mass at 0x00B8AE70 to 198.0f; when disabled, resets to 188.0f |
HotkeyToggle | Background thread that polls GetAsyncKeyState for Ctrl+Shift+P and calls TogglePhysicsModEnabled() |
KitserverOverlay | Optional hook into the Kitserver D3D Present chain; renders an on-screen message indicating whether the mod is active |
Logger | File-append debug log; used by all modules via WriteLog / LogFormat |
Data flow
Pass event fired
PES6 executes the pass initiation code path at
pes6.exe+1A5905. The CPU arrives at the hooked site with ESI pointing to the passer’s memory structure and EDX pointing to the receiver’s structure.Hook A — context capture
Hook_Context_1A5905 stores ESI → g_savedPasser and EDX → g_savedReceiver, increments g_ctxCount, calls LogPassGeometryOnly (debug only), then re-executes the original call pes6.exe+1A1570 and mov ebx, eax before jumping back to pes6.exe+1A590C.Geometry available
The monitor thread (and later
CalculateModifiedEDI) can now call ReadPassContextDistance to obtain the Manhattan grid-cell distance, and ReadPassGeometryDot to obtain the normalized dot product between the pass direction vector and the ball-relative-to-passer vector.Hook B — power interception
When PES6 reaches
pes6.exe+1A637B, EDI holds the raw pass power value. Hook_Power_1A637B saves EDI, pushes it as the sole argument, and calls CalculateModifiedEDI() via the cdecl calling convention.CalculateModifiedEDI()
Classifies the situation (mod enabled check, ball inertia band, strong-pass threshold, context freshness, distance, geometry) and returns a rescaled power value. All boosts are additive; the value is never reduced below
ediOriginal.Subsystems
Hook Pipeline
Two naked-assembly JMP hooks — one at
+1A5905 for context capture, one at +1A637B for power interception — form the backbone of the entire mod. Neither hook modifies game state beyond the EDI value used by call_78020.PassContext
Reads player cell coordinates at
+0x204 / +0x205 for Manhattan distance, logic positions at +0xE0/E4/E8 for real-world geometry, and the ball base via [pes6.exe+7CCE94] for dot-product direction analysis.PassPower & Config
CalculateModifiedEDI orchestrates inertia classification, distance boost lookup tables, soft floors, and awkward-angle rescue paths. All numeric constants live in g_passConfig for easy tuning without recompilation.MemoryPatch
CheckBytes validates every expected byte before touching memory. WriteJump sets PAGE_EXECUTE_READWRITE, writes the 0xE9 opcode plus a 32-bit relative offset, pads remaining bytes with 0x90 NOPs, flushes the instruction cache, and restores the original page protection.ModState
A single
volatile LONG protected by InterlockedExchange (writes) and InterlockedCompareExchange (reads) provides a lock-free enabled/disabled flag. Toggling also writes a new ball mass float (198.0f / 188.0f) directly into the game’s physics memory at 0x00B8AE70.HotkeyToggle & Overlay
A dedicated polling thread watches for the Ctrl+Shift+P chord and flips
ModState. The optional Kitserver overlay hook surfaces the current mod state on-screen during gameplay without requiring a log viewer.