10070
"Activate Player Scripts"
Auto Assembler Script
// Activate Player Scripts
// Hooks the 5-byte store `movss [rax+rcx*4],xmm6` located by the signature below and
// routes it through newmem, where one-byte flags decide whether the value about to
// be stored (xmm6) is replaced first.
// Layout, as far as this file shows it: the reference disassembly after this script
// builds rcx as index*3 (lea rcx,[rax+rax*2]), so [rax+rcx*4] addresses 12-byte
// records, and the pointer entries in this table label the three dwords of each
// record Current (+0), Maximum (+4) and Type (+8).
// NOTE(review): the flag bytes and player_ptr are allocated without a preferred
// address while newmem is allocated near update_stats; presumably the [health]-style
// operands rely on those allocations landing within displacement range of newmem -
// confirm on the target before relying on it.
[ENABLE]
// Signature = the hooked store (F3 0F 11 34 88) plus the first two bytes of the
// following `cmp ebx,06`, to narrow the match.
aobscanmodule(update_stats,witcher3.exe,F3 0F 11 34 88 83 FB)
alloc(newmem,$1000,update_stats)
alloc(player_ptr,8)
// One flag byte per feature; the child scripts in this table write 1 or 0 into them.
alloc(health,1)
alloc(stamina,1)
alloc(toxicity,1)
alloc(adrenaline,1)
alloc(breath,1)
alloc(one_hit,1)
alloc(max_all,1)
label(code)
label(return)
label(is_npc)
label(check_health)
label(check_stamina)
label(check_toxicity)
label(check_adrenaline)
label(check_breath)
label(zero_stat)
label(max_stat)
newmem:
// max_all overrides everything: every store through this hook gets the Maximum value.
cmp byte ptr [max_all],1
je max_stat
// A dword of 8 at rax+2C goes straight to the per-stat checks without touching player_ptr.
cmp dword ptr [rax+2C],8
je check_health
// Otherwise the block is treated as the player's only when the dword at rax+20 is 3;
// its base is then published through player_ptr for the pointer entries in this table.
cmp dword ptr [rax+20],3
jne is_npc
mov [player_ptr],rax
// Each check below compares the Type dword of the record being written and, when the
// matching flag byte is 1, picks the replacement value.
check_health:
cmp dword ptr [rax+rcx*4+8],0
jne check_stamina
cmp byte ptr [health],1
jne code
jmp max_stat
check_stamina:
cmp dword ptr [rax+rcx*4+8],2
jne check_toxicity
cmp byte ptr [stamina],1
jne code
jmp max_stat
check_toxicity:
cmp dword ptr [rax+rcx*4+8],3
jne check_adrenaline
cmp byte ptr [toxicity],1
jne code
// Toxicity is the one stat that is forced to zero rather than to its maximum.
jmp zero_stat
check_adrenaline:
cmp dword ptr [rax+rcx*4+8],4
jne check_breath
cmp byte ptr [adrenaline],1
jne code
jmp max_stat
check_breath:
cmp dword ptr [rax+rcx*4+8],6
jne code
cmp byte ptr [breath],1
jne code
jmp max_stat
// Non-player path: only the first record (rcx == 0) is considered, a current value
// of exactly 1.0 (3F800000) is left alone, and one_hit zeroes anything else.
is_npc:
cmp rcx,0
jne code
cmp [rax+rcx*4],3F800000
je code
cmp byte ptr [one_hit],1
jne code
// This jump and the `jmp code` under max_stat target the label that directly follows.
jmp zero_stat
zero_stat:
xorps xmm6,xmm6
jmp code
max_stat:
// Replacement value = the record's Maximum field.
movss xmm6,[rax+rcx*4+4]
jmp code
code:
// The original instruction, replayed with the possibly replaced xmm6.
movss [rax+rcx*4],xmm6
jmp return
update_stats:
// 5-byte jmp over the 5-byte original store, so no padding is needed.
jmp newmem
return:
registersymbol(update_stats)
registersymbol(player_ptr)
registersymbol(health)
registersymbol(stamina)
registersymbol(toxicity)
registersymbol(adrenaline)
registersymbol(breath)
registersymbol(one_hit)
registersymbol(max_all)
[DISABLE]
// Restore the original store byte-for-byte, then drop the symbols and free the memory.
// After this the flag symbols no longer resolve, so the child scripts cannot be toggled.
update_stats:
db F3 0F 11 34 88
unregistersymbol(update_stats)
unregistersymbol(player_ptr)
unregistersymbol(health)
unregistersymbol(stamina)
unregistersymbol(toxicity)
unregistersymbol(adrenaline)
unregistersymbol(breath)
unregistersymbol(one_hit)
unregistersymbol(max_all)
dealloc(newmem)
dealloc(player_ptr)
dealloc(health)
dealloc(stamina)
dealloc(toxicity)
dealloc(adrenaline)
dealloc(breath)
dealloc(one_hit)
dealloc(max_all)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D95AA3
"witcher3.exe"+D95A7F: 8B D3 - mov edx,ebx
"witcher3.exe"+D95A81: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D95A84: 0F 29 74 24 30 - movaps [rsp+30],xmm6
"witcher3.exe"+D95A89: F3 0F 10 74 24 68 - movss xmm6,[rsp+68]
"witcher3.exe"+D95A8F: E8 7C E5 FF FF - call witcher3.exe+D94010
"witcher3.exe"+D95A94: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D95A97: 74 2B - je witcher3.exe+D95AC4
"witcher3.exe"+D95A99: 48 98 - cdqe
"witcher3.exe"+D95A9B: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+D95A9F: 48 8B 47 60 - mov rax,[rdi+60]
// ---------- INJECTING HERE ----------
"witcher3.exe"+D95AA3: F3 0F 11 34 88 - movss [rax+rcx*4],xmm6
// ---------- DONE INJECTING ----------
"witcher3.exe"+D95AA8: 83 FB 06 - cmp ebx,06
"witcher3.exe"+D95AAB: 75 17 - jne witcher3.exe+D95AC4
"witcher3.exe"+D95AAD: 8B 05 65 E7 CF 01 - mov eax,[witcher3.exe+2A94218]
"witcher3.exe"+D95AB3: 48 8D 54 24 20 - lea rdx,[rsp+20]
"witcher3.exe"+D95AB8: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D95ABB: 89 44 24 20 - mov [rsp+20],eax
"witcher3.exe"+D95ABF: E8 BC 0F 2B FF - call witcher3.exe+46A80
"witcher3.exe"+D95AC4: 0F 28 74 24 30 - movaps xmm6,[rsp+30]
"witcher3.exe"+D95AC9: 48 8B 5C 24 60 - mov rbx,[rsp+60]
"witcher3.exe"+D95ACE: 48 83 C4 40 - add rsp,40
}
10071
"Unlimited Health"
Auto Assembler Script
// Sets the `health` flag byte tested by the "Activate Player Scripts" hook.
// The symbol is registered by that script and unregistered when it is disabled,
// so this entry only resolves while that script is active.
[ENABLE]
health:
db 1
[DISABLE]
health:
db 0
10072
"Unlimited Stamina"
Auto Assembler Script
// Sets the `stamina` flag byte tested by the "Activate Player Scripts" hook.
// The symbol only resolves while that script is active.
[ENABLE]
stamina:
db 1
[DISABLE]
stamina:
db 0
10073
"Unlimited Toxicity"
Auto Assembler Script
// Sets the `toxicity` flag byte tested by the "Activate Player Scripts" hook.
// With the flag set, that hook stores zero for the toxicity record instead of its maximum.
// The symbol only resolves while that script is active.
[ENABLE]
toxicity:
db 1
[DISABLE]
toxicity:
db 0
10074
"Unlimited Adrenaline"
Auto Assembler Script
// Sets the `adrenaline` flag byte tested by the "Activate Player Scripts" hook.
// The symbol only resolves while that script is active.
[ENABLE]
adrenaline:
db 1
[DISABLE]
adrenaline:
db 0
10075
"Unlimited Breath"
Auto Assembler Script
// Sets the `breath` flag byte tested by the "Activate Player Scripts" hook.
// The symbol only resolves while that script is active.
[ENABLE]
breath:
db 1
[DISABLE]
breath:
db 0
10076
"One Hit Kills"
Auto Assembler Script
// Sets the `one_hit` flag byte tested on the non-player path of the
// "Activate Player Scripts" hook, which then stores zero to the first record.
// The symbol only resolves while that script is active.
[ENABLE]
one_hit:
db 1
[DISABLE]
one_hit:
db 0
10160
"Maximize Everything (Enemies Too!)"
Auto Assembler Script
// Sets the `max_all` flag byte. The "Activate Player Scripts" hook tests it before any
// player/non-player distinction, so every store through the hook gets the Maximum value.
// The symbol only resolves while that script is active.
[ENABLE]
max_all:
db 1
[DISABLE]
max_all:
db 0
256
"Player Pointers"
1
257
"Current Vitality"
Float
player_ptr
0
258
"Maximum Vitality"
Float
player_ptr
4
10101
"Health Type"
4 Bytes
player_ptr
8
259
"Current Stamina"
Float
player_ptr
C
260
"Maximum Stamina"
Float
player_ptr
10
263
"Stamina Type"
4 Bytes
player_ptr
14
261
"Current Toxicity"
Float
player_ptr
18
262
"Maximum Toxicity"
Float
player_ptr
1C
264
"Toxicity Type"
4 Bytes
player_ptr
20
265
"Current Adrenaline"
Float
player_ptr
24
266
"Maximum Adrenaline"
Float
player_ptr
28
267
"Adrenaline Type"
4 Bytes
player_ptr
2C
268
"Current Breath"
Float
player_ptr
30
269
"Maximum Breath"
Float
player_ptr
34
270
"Breath Type"
4 Bytes
player_ptr
38
272
"Current ???"
Float
player_ptr
3C
273
"Maximum ???"
Float
player_ptr
40
271
"??? Type"
4 Bytes
player_ptr
44
10241
"Time of Day"
Auto Assembler Script
// Time of Day
// Captures rdi at the hooked site into time_ptr so the "[ ] keys" entry in this table
// can read and adjust the 4-byte value at time_ptr+8. The game's own instructions are
// not changed, only relocated.
[ENABLE]
// The hook covers 7 bytes: per the reference disassembly after this script these are
// `add [rdi+08],eax` (3 bytes) and `cmp dword ptr [rdi+1C],00` (4 bytes).
aobscanmodule(time,witcher3.exe,01 47 08 83 7F)
alloc(newmem,$1000,time)
label(code)
label(return)
label(time_save)
label(time_ptr)
newmem:
code:
mov [time_ptr],rdi
time_save:
// Copies the 7 original bytes from the hook site to this spot, so the relocated
// instructions run here and double as the backup used by [DISABLE].
// A plain mov and jmp leave the flags from the relocated cmp untouched for the game code.
readmem(time,7)
jmp return
// Storage for the captured pointer, placed after the jmp so it is never executed.
time_ptr:
dq 0
time:
// 5-byte jmp plus two nops fills the 7 overwritten bytes.
jmp newmem
nop
nop
return:
registersymbol(time)
registersymbol(time_save)
registersymbol(time_ptr)
[DISABLE]
// Restore from the copy kept at time_save rather than from hard-coded bytes;
// this has to happen before newmem is released.
time:
readmem(time_save,7)
unregistersymbol(time)
unregistersymbol(time_save)
unregistersymbol(time_ptr)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+22BD65
"witcher3.exe"+22BD46: 0F 5B C0 - cvtdq2ps xmm0,xmm0
"witcher3.exe"+22BD49: 0F 2E C1 - ucomiss xmm0,xmm1
"witcher3.exe"+22BD4C: 74 12 - je witcher3.exe+22BD60
"witcher3.exe"+22BD4E: 0F 14 C9 - unpcklps xmm1,xmm1
"witcher3.exe"+22BD51: 0F 50 C1 - movmskps ecx,xmm0
"witcher3.exe"+22BD54: 83 E0 01 - and eax,01
"witcher3.exe"+22BD57: 2B C8 - sub ecx,eax
"witcher3.exe"+22BD59: 66 0F 6E C9 - movd xmm1,ecx
"witcher3.exe"+22BD5D: 0F 5B C9 - cvtdq2ps xmm1,xmm1
"witcher3.exe"+22BD60: F3 48 0F 2C C1 - cvttss2si rax,xmm1
// ---------- INJECTING HERE ----------
"witcher3.exe"+22BD65: 01 47 08 - add [rdi+08],eax
"witcher3.exe"+22BD68: 83 7F 1C 00 - cmp dword ptr [rdi+1C],00
// ---------- DONE INJECTING ----------
"witcher3.exe"+22BD6C: F3 0F 10 4F 0C - movss xmm1,[rdi+0C]
"witcher3.exe"+22BD71: F3 0F 2C C1 - cvttss2si eax,xmm1
"witcher3.exe"+22BD75: 66 0F 6E C0 - movd xmm0,eax
"witcher3.exe"+22BD79: 0F 5B C0 - cvtdq2ps xmm0,xmm0
"witcher3.exe"+22BD7C: F3 0F 5C C8 - subss xmm1,xmm0
"witcher3.exe"+22BD80: F3 0F 11 4F 0C - movss [rdi+0C],xmm1
"witcher3.exe"+22BD85: 0F 84 C8 00 00 00 - je witcher3.exe+22BE53
"witcher3.exe"+22BD8B: 48 89 5C 24 30 - mov [rsp+30],rbx
"witcher3.exe"+22BD90: 48 89 6C 24 38 - mov [rsp+38],rbp
"witcher3.exe"+22BD95: 33 ED - xor ebp,ebp
}
Toggle Activation
115
0
9863
"[ ] keys"
4 Bytes
time_ptr
8
Increase Value
221
600
0
Increase Value
18
221
3600
1
Decrease Value
18
219
3600
2
Decrease Value
219
600
3
Toggle Activation
106
4
Increase Value
17
221
60
5
Decrease Value
17
219
60
6
127
"Teleport"
Auto Assembler Script
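// Teleport
// Installs two hooks in witcher3.exe:
//   teleport_aob1+4 - replaces `movsd xmm7,[rax+10]` (F2 0F 10 78 10) and, depending on
//                     the *_status dwords, saves or overwrites the floats at
//                     [rax+4], [rax+C] and [rax+14];
//   waypoint_aob1+6 - replaces `movsd [rbx+20],xmm0` (F2 0F 11 43 20) and records two
//                     floats as the waypoint position.
// The *_status dwords are registered as symbols; the table entries and hotkeys set them
// to 1 and the hook clears the one-shot ones after acting.
// Every branch replays `movsd xmm7,[rax+10]` so the game code sees the same xmm7.
// Each fld/fstp pair pushes and pops one x87 value, leaving the x87 stack depth unchanged.
[Enable]
// The code and data placed at teleport_1 need far more than the 32 bytes requested
// originally; request a full $1000 like the other scripts in this table do.
alloc(teleport_1,$1000,witcher3.exe)
aobscanmodule(teleport_aob1,witcher3.exe,48 8B 4F 78 F2 0F 10 78 10)
registersymbol(teleport_aob1)
label(returnhere_teleport_1)
label(saveLocation)
label(saveLocation_status)
registersymbol(saveLocation_status)
label(saved_X)
registersymbol(saved_X)
label(saved_Y)
registersymbol(saved_Y)
label(saved_Z)
registersymbol(saved_Z)
label(goToSaved)
label(goToSaved_status)
registersymbol(goToSaved_status)
label(goToWaypoint)
label(goToWaypoint_status)
registersymbol(goToWaypoint_status)
label(waypoint_1)
aobscanmodule(waypoint_aob1,witcher3.exe,F2 0F 10 44 24 28 F2 0F 11 43 20)
registersymbol(waypoint_aob1)
label(returnhere_waypoint_1)
label(waypoint_X)
registersymbol(waypoint_X)
label(waypoint_Y)
registersymbol(waypoint_Y)
label(waypoint_Z)
registersymbol(waypoint_Z)
label(noClip)
label(noClip_status)
registersymbol(noClip_status)
label(noClip_Z)
registersymbol(noClip_Z)
//--------------------------------------------------//
// Dispatcher: the first status dword that equals 1 wins.
// NOTE(review): these compares change the flags before control returns to the game;
// the original movsd did not. Presumably the following game code does not depend on
// the earlier flags - no disassembly of the site is included to confirm it.
teleport_1:
cmp [saveLocation_status],1
je saveLocation
cmp [goToSaved_status],1
je goToSaved
cmp [goToWaypoint_status],1
je goToWaypoint
cmp [noClip_status],1
je noClip
// Default path: replay the original load and keep noClip_Z tracking the live value,
// so enabling "No Clip" starts from the current position.
movsd xmm7,[rax+10]
fld [rax+14]
fstp [noClip_Z]
jmp returnhere_teleport_1
//--------------------------------------------------//
// One-shot: copy the three live floats into saved_X/Y/Z, then clear the request.
saveLocation:
movsd xmm7,[rax+10]
fld [rax+4]
fstp [saved_X]
fld [rax+C]
fstp [saved_Y]
fld [rax+14]
fstp [saved_Z]
mov [saveLocation_status],0
jmp returnhere_teleport_1
// Starts at 1, so the first pass through the hook after enabling saves the position.
saveLocation_status:
dd 1
saved_X:
dd 0
saved_Y:
dd 0
saved_Z:
dd 0
//--------------------------------------------------//
// One-shot: write the saved floats back over the live ones, then clear the request.
goToSaved:
movsd xmm7,[rax+10]
fld [saved_X]
fstp [rax+4]
fld [saved_Y]
fstp [rax+C]
fld [saved_Z]
fstp [rax+14]
mov [goToSaved_status],0
jmp returnhere_teleport_1
goToSaved_status:
dd 0
//--------------------------------------------------//
// One-shot: write the recorded waypoint floats over the live ones.
// NOTE(review): nothing in this script stores to waypoint_Z, so [rax+14] receives its
// initial 0 unless the "Waypoint Z" table entry was edited by hand - confirm intended.
goToWaypoint:
movsd xmm7,[rax+10]
fld [waypoint_X]
fstp [rax+4]
fld [waypoint_Y]
fstp [rax+C]
fld [waypoint_Z]
fstp [rax+14]
mov [goToWaypoint_status],0
jmp returnhere_teleport_1
goToWaypoint_status:
dd 0
//--------------------------------------------------//
// Persistent while noClip_status is 1: force [rax+14] to noClip_Z on every pass.
noClip:
movsd xmm7,[rax+10]
fld [noClip_Z]
fstp [rax+14]
jmp returnhere_teleport_1
noClip_status:
dd 0
noClip_Z:
dd 0
//--------------------------------------------------//
// Second hook: replay the original store, then record [rbx-C] and [rbx+24]
// as waypoint_X and waypoint_Y.
waypoint_1:
movsd [rbx+20],xmm0
fld [rbx-C]
fstp [waypoint_X]
fld [rbx+24]
fstp [waypoint_Y]
jmp returnhere_waypoint_1
waypoint_X:
dd 0
waypoint_Y:
dd 0
waypoint_Z:
dd (float)0
//--------------------------------------------------//
// Both patched instructions are 5 bytes, the size of the jmp, so no padding is needed.
teleport_aob1+4:
jmp teleport_1
returnhere_teleport_1:
waypoint_aob1+6:
jmp waypoint_1
returnhere_waypoint_1:
[Disable]
// Restore both original instructions before releasing the code they jumped to.
teleport_aob1+4:
db F2 0F 10 78 10
unregistersymbol(teleport_aob1)
dealloc(teleport_1)
unregistersymbol(saveLocation_status)
unregistersymbol(saved_X)
unregistersymbol(saved_Y)
unregistersymbol(saved_Z)
unregistersymbol(goToSaved_status)
unregistersymbol(goToWaypoint_status)
unregistersymbol(noClip_status)
unregistersymbol(noClip_Z)
waypoint_aob1+6:
db F2 0F 11 43 20
unregistersymbol(waypoint_aob1)
unregistersymbol(waypoint_X)
unregistersymbol(waypoint_Y)
unregistersymbol(waypoint_Z)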
134
"Save Location"
4 Bytes
saveLocation_status
Set Value
17
103
1
0
135
"Go To Saved"
4 Bytes
goToSaved_status
Set Value
17
104
1
0
10248
"Go To Waypoint"
4 Bytes
goToWaypoint_status
Set Value
17
105
1
0
172
"No Clip"
Auto Assembler Script
// Sets the noClip_status dword read by the "Teleport" hook; while it is 1 that hook
// keeps writing noClip_Z to [rax+14]. The symbol is registered by the "Teleport"
// script, so it only resolves while that script is enabled.
[Enable]
noClip_status:
dd 1
[Disable]
noClip_status:
dd 0
133
"See Coordinates"
1
130
"Saved X"
Float
saved_X
131
"Saved Y"
Float
saved_Y
132
"Saved Z"
Float
saved_Z
10249
"Waypoint X"
Float
waypoint_X
10250
"Waypoint Y"
Float
waypoint_Y
10251
"Waypoint Z"
Float
waypoint_Z
173
"No Clip Z"
Float
noClip_Z
Increase Value
103
.005
0
Decrease Value
105
.005
1
9
"Unlimited Inventory/Gold"
Auto Assembler Script
// Unlimited Inventory/Gold
// Overwrites the 5-byte instruction matched by the signature with NOPs.
// The signature bytes 41 29 6C FA 54 decode to `sub [r10+rdi*8+54],ebp`, i.e. the
// subtraction from the dword at +54 (labelled "Quantity" by the item entries in this table).
// NOTE(review): the reference disassembly after this script shows a different encoding
// at its injection point (42 29 6C 17 54), so it was presumably captured from another
// build; the scan and the restore bytes below agree with each other, not with that dump.
[ENABLE]
aobscanmodule(inventory,witcher3.exe,41 29 6C FA 54)
inventory:
db 90 90 90 90 90
registersymbol(inventory)
[DISABLE]
// Restores exactly the bytes the signature matched.
inventory:
db 41 29 6C FA 54
unregistersymbol(inventory)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+706190
"witcher3.exe"+70616A: 4C 63 F7 - movsxd r14,edi
"witcher3.exe"+70616D: 49 8B FE - mov rdi,r14
"witcher3.exe"+706170: 48 69 FF 88 00 00 00 - imul rdi,rdi,00000088
"witcher3.exe"+706177: 42 0F B6 44 17 70 - movzx eax,byte ptr [rdi+r10+70]
"witcher3.exe"+70617D: 42 8B 5C 17 60 - mov ebx,[rdi+r10+60]
"witcher3.exe"+706182: C0 E8 02 - shr al,02
"witcher3.exe"+706185: A8 01 - test al,01
"witcher3.exe"+706187: 74 13 - je witcher3.exe+70619C
"witcher3.exe"+706189: 42 39 6C 17 54 - cmp [rdi+r10+54],ebp
"witcher3.exe"+70618E: 76 0C - jna witcher3.exe+70619C
// ---------- INJECTING HERE ----------
"witcher3.exe"+706190: 42 29 6C 17 54 - sub [rdi+r10+54],ebp
// ---------- DONE INJECTING ----------
"witcher3.exe"+706195: BA 03 00 00 00 - mov edx,00000003
"witcher3.exe"+70619A: EB 55 - jmp witcher3.exe+7061F1
"witcher3.exe"+70619C: 4A 8B 4C 17 70 - mov rcx,[rdi+r10+70]
"witcher3.exe"+7061A1: 0F B6 C1 - movzx eax,cl
"witcher3.exe"+7061A4: C0 E8 05 - shr al,05
"witcher3.exe"+7061A7: A8 01 - test al,01
"witcher3.exe"+7061A9: 75 08 - jne witcher3.exe+7061B3
"witcher3.exe"+7061AB: C0 E9 06 - shr cl,06
"witcher3.exe"+7061AE: F6 C1 01 - test cl,01
"witcher3.exe"+7061B1: 74 11 - je witcher3.exe+7061C4
}
10243
"Unlimited Durability"
Auto Assembler Script
// Unlimited Durability
// Hooks the 5-byte load `movss xmm0,[rcx+64]` (F3 0F 10 41 64); the trailing EB in the
// signature is the opcode of the jmp that follows it and only narrows the match.
// NOTE(review): the reference disassembly after this script shows the load through rax
// (F3 0F 10 40 64), so it was presumably captured from another build; the injected code
// and the restore bytes follow the rcx form that the signature scans for.
[ENABLE]
aobscanmodule(durability,witcher3.exe,F3 0F 10 41 64 EB)
alloc(newmem,$1000,durability)
label(code)
label(return)
newmem:
code:
// Overwrite the stored value with 500.0 and then perform the original load, so the
// caller reads 500.0 every time this site executes.
mov [rcx+64],(float)500
movss xmm0,[rcx+64]
jmp return
durability:
// 5-byte jmp over the 5-byte load; no padding needed.
jmp code
return:
registersymbol(durability)
[DISABLE]
durability:
db F3 0F 10 41 64
unregistersymbol(durability)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+715E4B
"witcher3.exe"+715E31: 5F - pop rdi
"witcher3.exe"+715E32: C3 - ret
"witcher3.exe"+715E33: 85 C9 - test ecx,ecx
"witcher3.exe"+715E35: 78 DB - js witcher3.exe+715E12
"witcher3.exe"+715E37: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+715E3A: 7D D6 - jnl witcher3.exe+715E12
"witcher3.exe"+715E3C: 48 63 C1 - movsxd rax,ecx
"witcher3.exe"+715E3F: 48 69 C0 88 00 00 00 - imul rax,rax,00000088
"witcher3.exe"+715E46: 49 03 C1 - add rax,r9
"witcher3.exe"+715E49: 74 C7 - je witcher3.exe+715E12
// ---------- INJECTING HERE ----------
"witcher3.exe"+715E4B: F3 0F 10 40 64 - movss xmm0,[rax+64]
// ---------- DONE INJECTING ----------
"witcher3.exe"+715E50: EB C8 - jmp witcher3.exe+715E1A
"witcher3.exe"+715E52: CC - int 3
"witcher3.exe"+715E53: CC - int 3
"witcher3.exe"+715E54: CC - int 3
"witcher3.exe"+715E55: CC - int 3
"witcher3.exe"+715E56: CC - int 3
"witcher3.exe"+715E57: CC - int 3
"witcher3.exe"+715E58: CC - int 3
"witcher3.exe"+715E59: CC - int 3
"witcher3.exe"+715E5A: CC - int 3
}
10067
"Unlimited Consumables"
Auto Assembler Script
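// Unlimited Consumables
// Skips the store `mov [rax+04],ecx` when ecx is zero, so the value at [rax+04]
// is never written as 0.
//
// Hook window: the reference disassembly below shows `je witcher3.exe+6F75E6`, and
// 6F75E6 is the second instruction of the 8 bytes this script used to overwrite
// (6F75E3..6F75EA). With the patch installed that branch would land inside the jmp's
// displacement bytes. The window now starts one instruction earlier and ends at
// 6F75E5, so 6F75E6 keeps its original bytes and doubles as the return address.
// NOTE(review): the longer signature is taken from the same reference disassembly;
// it is assumed that no other branch targets 6F75E3 - only the listed lines were checked.
[ENABLE]
aobscanmodule(consumables,witcher3.exe,8B 4C 24 20 89 48 04 48 8B 5C 24 40)
alloc(newmem,$1000,consumables)
label(code)
label(return)
newmem:
// Relocated original instruction.
mov ecx,[rsp+20]
test ecx,ecx
je code
// Original store, now performed only for a non-zero value.
mov [rax+04],ecx
code:
jmp return
consumables:
// 5-byte jmp plus two nops fills the 7 overwritten bytes (4-byte load + 3-byte store).
jmp newmem
nop
nop
return:
registersymbol(consumables)
[DISABLE]
// Restore the two overwritten instructions byte-for-byte.
consumables:
db 8B 4C 24 20 89 48 04
unregistersymbol(consumables)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6F75DF
"witcher3.exe"+6F75BB: 48 C1 E1 07 - shl rcx,07
"witcher3.exe"+6F75BF: 49 03 C9 - add rcx,r9
"witcher3.exe"+6F75C2: 74 22 - je witcher3.exe+6F75E6
"witcher3.exe"+6F75C4: 8B 44 24 58 - mov eax,[rsp+58]
"witcher3.exe"+6F75C8: 48 8D 54 24 24 - lea rdx,[rsp+24]
"witcher3.exe"+6F75CD: 41 B0 01 - mov al,01
"witcher3.exe"+6F75D0: 89 44 24 24 - mov [rsp+24],eax
"witcher3.exe"+6F75D4: E8 07 3D 00 00 - call witcher3.exe+6FB2E0
"witcher3.exe"+6F75D9: C7 00 02 00 00 00 - mov [rax],00000002
// ---------- INJECTING HERE ----------
"witcher3.exe"+6F75DF: 8B 4C 24 20 - mov ecx,[rsp+20]
"witcher3.exe"+6F75E3: 89 48 04 - mov [rax+04],ecx
// ---------- DONE INJECTING ----------
"witcher3.exe"+6F75E6: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+6F75EB: 48 8B 74 24 50 - mov rsi,[rsp+50]
"witcher3.exe"+6F75F0: 48 83 C4 30 - add rsp,30
"witcher3.exe"+6F75F4: 5F - pop rdi
"witcher3.exe"+6F75F5: C3 - ret
"witcher3.exe"+6F75F6: CC - int 3
"witcher3.exe"+6F75F7: CC - int 3
"witcher3.exe"+6F75F8: CC - int 3
"witcher3.exe"+6F75F9: CC - int 3
"witcher3.exe"+6F75FA: CC - int 3
"witcher3.exe"+6F75FB: CC - int 3
}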
152
"Set Weight Limit to 10,000"
Auto Assembler Script
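// Set Weight Limit to 10,000
// The Lua block looks up the numeric id of the name "encumbrance" in a name table,
// scans for the record that starts with that id, and writes 10000.0 at record+C.
// The {$asm} variants are commented out, so disabling this entry restores nothing.
[ENABLE]
{$lua}
-- Cheat Engine also runs {$lua} blocks while it only syntax-checks a script;
-- do not scan or write memory in that case.
if syntaxcheck then return end

-- find(name): returns the index of `name` in the name table, or nil when no entry
-- in the scanned range matches.
function find(name)
  local aob = AOBScan("48 8B 05 * * * * 48 8B D9 48 85 C0 75 05 E8 * * * * 8B 13 48 8B 0D * * * * E8 * * * * 48 85 C0")
  -- AOBScan returns nil when nothing matches; fail with a clear message instead of
  -- an "attempt to index a nil value" error.
  if aob == nil then
    error("Set Weight Limit: name-table signature not found")
  end
  local address = getAddress(aob[0])
  aob.Destroy()
  aob = nil
  -- The match starts with `48 8B 05 disp32`; the operand address is
  -- match + 7 + disp32, and the pointer stored there is the table object.
  -- NOTE(review): assumes readInteger yields the displacement with the intended
  -- sign - confirm for a target that lies below the instruction.
  address = readPointer(address + readInteger(address + 3) + 7)
  --local address = readPointer("witcher3.exe+27f17f8")
  if address == nil then
    error("Set Weight Limit: name-table pointer could not be read")
  end
  address = readPointer(address + 0x11830)
  if address == nil then
    error("Set Weight Limit: name-table base could not be read")
  end
  for id = 1, 120500 do
    -- Each slot is an 8-byte pointer to a pointer to a wide string of up to 64 characters.
    local lookup = readString(readPointer(readPointer(address + id * 8)), 64, true)
    if lookup == name then
      return id
    end
  end
end

local id = find("encumbrance")
if id == nil then
  error("Set Weight Limit: 'encumbrance' not present in the name table")
end
local b = dwordToByteTable(id)
-- Record pattern: the id dword, ten zero bytes, then 70 42 00 00 70 42, which places
-- the float 60.0 (00 00 70 42) at record+C and again at record+10.
local aob = AOBScan(b[1],b[2],b[3],b[4],0,0,0,0,0,0,0,0,0,0,112,66,0,0,112,66)
if aob == nil then
  error("Set Weight Limit: encumbrance record not found (already modified?)")
end
writeFloat(aob[0] .. "+C", 10000)
aob.Destroy()
aob = nil
{$asm}
{
aobscan(weight,0BAA0000 00000000 00000000 00007042 00007042 FF000000)
weight+C:
dd (float)999999
registersymbol(weight)
}
[DISABLE]
{$asm}
{
weight+C:
db 00 00 70 42
unregistersymbol(weight)
}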
9978
"Ignore Crafting Material Requirements"
Auto Assembler Script
// Ignore Crafting Material Requirements
// Replaces the 4-byte load `mov eax,[r8+04]` with `xor eax,eax` plus two nops
// (31 C0 90 90), so the following `mov [rdx+04],eax` stores 0 instead of the source value.
// The signature includes the store and the trailing ret (C3); the reference disassembly
// after this script shows the same load/store pair again a few bytes later, followed by
// a different instruction, which the C3 excludes.
[ENABLE]
aobscanmodule(crafting2,witcher3.exe,41 8B 40 04 89 42 04 C3)
crafting2:
db 31 C0 90 90
registersymbol(crafting2)
[DISABLE]
// Restores only the 4 bytes that were changed.
crafting2:
db 41 8B 40 04
unregistersymbol(crafting2)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+9BA865
"witcher3.exe"+9BA858: CC - int 3
"witcher3.exe"+9BA859: CC - int 3
"witcher3.exe"+9BA85A: CC - int 3
"witcher3.exe"+9BA85B: CC - int 3
"witcher3.exe"+9BA85C: CC - int 3
"witcher3.exe"+9BA85D: CC - int 3
"witcher3.exe"+9BA85E: CC - int 3
"witcher3.exe"+9BA85F: CC - int 3
"witcher3.exe"+9BA860: 41 8B 00 - mov eax,[r8]
"witcher3.exe"+9BA863: 89 02 - mov [rdx],eax
// ---------- INJECTING HERE ----------
"witcher3.exe"+9BA865: 41 8B 40 04 - mov eax,[r8+04]
"witcher3.exe"+9BA869: 89 42 04 - mov [rdx+04],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+9BA86C: C3 - ret
"witcher3.exe"+9BA86D: CC - int 3
"witcher3.exe"+9BA86E: CC - int 3
"witcher3.exe"+9BA86F: CC - int 3
"witcher3.exe"+9BA870: 41 8B 00 - mov eax,[r8]
"witcher3.exe"+9BA873: 89 02 - mov [rdx],eax
"witcher3.exe"+9BA875: 41 8B 40 04 - mov eax,[r8+04]
"witcher3.exe"+9BA879: 89 42 04 - mov [rdx+04],eax
"witcher3.exe"+9BA87C: 41 8B 40 08 - mov eax,[r8+08]
"witcher3.exe"+9BA880: 89 42 08 - mov [rdx+08],eax
}
10041
"Always Win Gwent (only enable during a game)"
Auto Assembler Script
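// Always Win Gwent (only enable during a game)
// Forces the value stored by `mov [rcx+r15*4],eax` to 0 when r15 is 1; stores for any
// other index are left as the game computed them.
//
// Hook window: the reference disassembly below shows `jmp witcher3.exe+164DE86`, and
// 164DE86 is the second instruction of the 8 bytes this script used to overwrite
// (164DE82..164DE89). With the patch installed that jump would land on the last
// displacement byte of the injected jmp. The window now starts one instruction earlier
// and ends at 164DE85, so 164DE86 keeps its original bytes and doubles as the return
// address.
// NOTE(review): the longer signature is taken from the same reference disassembly;
// it is assumed that no other branch targets 164DE82 - only the listed lines were checked.
[ENABLE]
aobscanmodule(gwent,witcher3.exe,C6 07 01 42 89 04 B9 8B 4C 24 30)
alloc(newmem,$1000,gwent)
label(code)
label(return)
newmem:
// Relocated original instruction.
mov byte ptr [rdi],01
cmp r15,1
jne code
xor eax,eax
code:
// Original store, with eax zeroed for index 1.
mov [rcx+r15*4],eax
jmp return
gwent:
// 5-byte jmp plus two nops fills the 7 overwritten bytes (3-byte + 4-byte instruction).
jmp newmem
nop
nop
return:
registersymbol(gwent)
[DISABLE]
// Restore the two overwritten instructions byte-for-byte.
gwent:
db C6 07 01 42 89 04 B9
unregistersymbol(gwent)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+164DE7F
"witcher3.exe"+164DE63: FF 49 18 - dec [rcx+18]
"witcher3.exe"+164DE66: 75 05 - jne witcher3.exe+164DE6D
"witcher3.exe"+164DE68: E8 83 EC D7 FF - call witcher3.exe+13CCAF0
"witcher3.exe"+164DE6D: 44 88 2F - mov [rdi],r13l
"witcher3.exe"+164DE70: EB 14 - jmp witcher3.exe+164DE86
"witcher3.exe"+164DE72: 44 88 2F - mov [rdi],r13l
"witcher3.exe"+164DE75: EB 35 - jmp witcher3.exe+164DEAC
"witcher3.exe"+164DE77: 48 8B 4E 18 - mov rcx,[rsi+18]
"witcher3.exe"+164DE7B: 8B 44 24 40 - mov eax,[rsp+40]
// ---------- INJECTING HERE ----------
"witcher3.exe"+164DE7F: C6 07 01 - mov byte ptr [rdi],01
"witcher3.exe"+164DE82: 42 89 04 B9 - mov [rcx+r15*4],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+164DE86: 8B 4C 24 30 - mov ecx,[rsp+30]
"witcher3.exe"+164DE8A: 8B C1 - mov eax,ecx
"witcher3.exe"+164DE8C: 83 E0 1F - and eax,1F
"witcher3.exe"+164DE8F: 3C 09 - cmp al,09
"witcher3.exe"+164DE91: 7E 19 - jle witcher3.exe+164DEAC
"witcher3.exe"+164DE93: C1 E9 09 - shr ecx,09
"witcher3.exe"+164DE96: F6 C1 01 - test cl,01
"witcher3.exe"+164DE99: 48 8D 4C 24 30 - lea rcx,[rsp+30]
"witcher3.exe"+164DE9E: 74 07 - je witcher3.exe+164DEA7
"witcher3.exe"+164DEA0: E8 EB 86 FC FF - call witcher3.exe+1616590
"witcher3.exe"+164DEA5: EB 05 - jmp witcher3.exe+164DEAC
}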
19
"Unlimited Buff Duration"
Auto Assembler Script
// Unlimited Buff Duration
// Overwrites the 6-byte `subss xmm0,[rsp+50]` with NOPs. Per the reference disassembly
// after this script, xmm0 was just loaded from [rbx] and is stored back to [rbx]
// afterwards, so with the subtraction removed the value is written back unchanged.
// The signature also includes the following store (F3 0F 11 03) to narrow the match.
[ENABLE]
aobscanmodule(duration,witcher3.exe,F3 0F 5C 44 24 50 F3 0F 11 03)
duration:
db 90 90 90 90 90 90
registersymbol(duration)
[DISABLE]
// Restores only the 6 bytes that were changed.
duration:
db F3 0F 5C 44 24 50
unregistersymbol(duration)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+17F9B9F
"witcher3.exe"+17F9B7D: 48 8B 47 30 - mov rax,[rdi+30]
"witcher3.exe"+17F9B81: 48 8B D7 - mov rdx,rdi
"witcher3.exe"+17F9B84: 0F B6 08 - movzx ecx,byte ptr [rax]
"witcher3.exe"+17F9B87: 48 FF C0 - inc rax
"witcher3.exe"+17F9B8A: 48 89 47 30 - mov [rdi+30],rax
"witcher3.exe"+17F9B8E: 8B C1 - mov eax,ecx
"witcher3.exe"+17F9B90: 48 8B 0F - mov rcx,[rdi]
"witcher3.exe"+17F9B93: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+17F9B97: 48 FF 47 30 - inc [rdi+30]
"witcher3.exe"+17F9B9B: F3 0F 10 03 - movss xmm0,[rbx]
// ---------- INJECTING HERE ----------
"witcher3.exe"+17F9B9F: F3 0F 5C 44 24 50 - subss xmm0,[rsp+50]
// ---------- DONE INJECTING ----------
"witcher3.exe"+17F9BA5: F3 0F 11 03 - movss [rbx],xmm0
"witcher3.exe"+17F9BA9: 48 85 F6 - test rsi,rsi
"witcher3.exe"+17F9BAC: 74 04 - je witcher3.exe+17F9BB2
"witcher3.exe"+17F9BAE: F3 0F 11 06 - movss [rsi],xmm0
"witcher3.exe"+17F9BB2: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+17F9BB7: 48 83 C4 20 - add rsp,20
"witcher3.exe"+17F9BBB: 5F - pop rdi
"witcher3.exe"+17F9BBC: 5E - pop rsi
"witcher3.exe"+17F9BBD: 5D - pop rbp
"witcher3.exe"+17F9BBE: C3 - ret
}
10246
"Mouseover Item Pointer"
Auto Assembler Script
// Mouseover Item Pointer
// Read-only capture hook: stores rcx into mouseover_ptr each time the hooked site runs,
// then replays the two relocated instructions unchanged. The "Base Address" and
// property entries in this table resolve their offsets through mouseover_ptr.
[ENABLE]
// Signature = `mov rdi,[rcx]` (48 8B 39) + `mov eax,[rcx+08]` (8B 41 08) + one
// trailing byte to narrow the match.
aobscanmodule(mouseover,witcher3.exe,48 8B 39 8B 41 08 45)
alloc(newmem,$1000,mouseover)
label(code)
label(return)
label(mouseover_ptr)
newmem:
code:
mov [mouseover_ptr],rcx
// The two original instructions, relocated.
mov rdi,[rcx]
mov eax,[rcx+08]
jmp return
// Storage for the captured pointer, placed after the jmp so it is never executed.
mouseover_ptr:
dq 0
mouseover:
// 5-byte jmp plus one nop fills the 6 overwritten bytes.
jmp code
nop
return:
registersymbol(mouseover)
registersymbol(mouseover_ptr)
[DISABLE]
mouseover:
db 48 8B 39 8B 41 08
unregistersymbol(mouseover)
unregistersymbol(mouseover_ptr)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+984225
"witcher3.exe"+98420B: CC - int 3
"witcher3.exe"+98420C: CC - int 3
"witcher3.exe"+98420D: CC - int 3
"witcher3.exe"+98420E: CC - int 3
"witcher3.exe"+98420F: CC - int 3
"witcher3.exe"+984210: 48 89 5C 24 10 - mov [rsp+10],rbx
"witcher3.exe"+984215: 48 89 6C 24 18 - mov [rsp+18],rbp
"witcher3.exe"+98421A: 48 89 7C 24 20 - mov [rsp+20],rdi
"witcher3.exe"+98421F: 41 56 - push r14
"witcher3.exe"+984221: 48 83 EC 30 - sub rsp,30
// ---------- INJECTING HERE ----------
"witcher3.exe"+984225: 48 8B 39 - mov rdi,[rcx]
"witcher3.exe"+984228: 8B 41 08 - mov eax,[rcx+08]
// ---------- DONE INJECTING ----------
"witcher3.exe"+98422B: 33 ED - xor ebp,ebp
"witcher3.exe"+98422D: 48 8D 0C 80 - lea rcx,[rax+rax*4]
"witcher3.exe"+984231: 48 8B DA - mov rbx,rdx
"witcher3.exe"+984234: 4C 8D 34 8F - lea r14,[rdi+rcx*4]
"witcher3.exe"+984238: 49 3B FE - cmp rdi,r14
"witcher3.exe"+98423B: 0F 84 93 00 00 00 - je witcher3.exe+9842D4
"witcher3.exe"+984241: 48 89 74 24 40 - mov [rsp+40],rsi
"witcher3.exe"+984246: 48 39 2B - cmp [rbx],rbp
"witcher3.exe"+984249: 74 2F - je witcher3.exe+98427A
"witcher3.exe"+98424B: 8B 43 08 - mov eax,[rbx+08]
}
46
"Base Address"
String
0
0
1
mouseover_ptr
0
140
"Item ID"
4 Bytes
+58
141
"Item Type"
4 Bytes
+5c
77
"Quantity"
4 Bytes
+54
47
"Durability"
Float
+64
9869
"Stat Properties"
1
9871
"Number of Properties (do not touch any more)"
4 Bytes
mouseover_ptr
20
9870
"Property List"
String
0
0
1
mouseover_ptr
0
18
9872
"Property 1"
4 Bytes
+0
9873
"Property 2"
4 Bytes
+4
9874
"Property 3"
4 Bytes
+8
9875
"Property 4"
4 Bytes
+c
9890
"Property 5"
4 Bytes
+10
9891
"Property 6"
4 Bytes
+14
9892
"Property 7"
4 Bytes
+18
9893
"Property 8"
4 Bytes
+1c
9883
"Type Properties"
1
9884
"Number of Properties (do not touch any more)"
4 Bytes
mouseover_ptr
38
9885
"Property List"
String
0
0
1
mouseover_ptr
0
30
9886
"Property 1"
4 Bytes
+0
9887
"Property 2"
4 Bytes
+4
9888
"Property 3"
4 Bytes
+8
9889
"Property 4"
4 Bytes
+c
9894
"Property 5"
4 Bytes
+10
9895
"Property 6"
4 Bytes
+14
9896
"Property 7"
4 Bytes
+18
9897
"Property 8"
4 Bytes
+1c
9898
"More Properties"
1
9899
"Number of Properties (do not touch any more)"
4 Bytes
mouseover_ptr
48
9900
"Property List"
String
0
0
1
mouseover_ptr
0
40
9901
"Property 1 Identifier"
4 Bytes
+0
9902
"Property 1 ???"
4 Bytes
+4
9903
"Property 1 Value"
4 Bytes
+8
9904
"Property 2 Identifier"
4 Bytes
+c
9905
"Property 2 ???"
4 Bytes
+10
9906
"Property 2 Value"
4 Bytes
+14
9907
"Property 3 Identifier"
4 Bytes
+18
9908
"Property 3 ???"
4 Bytes
+1c
10066
"Property 3 Value"
4 Bytes
+20
10044
"Unknown Properties"
1
10045
"Number of Properties (do not touch any more)"
4 Bytes
mouseover_ptr
28
10046
"Property List"
String
0
0
1
mouseover_ptr
0
20
10047
"Property 1"
4 Bytes
+0
10048
"Property 2"
4 Bytes
+4
10049
"Property 3"
4 Bytes
+8
10050
"Property 4"
4 Bytes
+c
10051
"Property 5"
4 Bytes
+10
10052
"Property 6"
4 Bytes
+14
10053
"Property 7"
4 Bytes
+18
10054
"Property 8"
4 Bytes
+1c
147
"Unknown Offsets"
1
86
"+8"
4 Bytes
mouseover_ptr
8
137
"+58"
1
4 Bytes
mouseover_ptr
58
138
"+5C"
4 Bytes
mouseover_ptr
5C
139
"+60"
4 Bytes
mouseover_ptr
60
142
"+70"
4 Bytes
mouseover_ptr
70
143
"+78"
2 Bytes
mouseover_ptr
78
144
"+7A"
Byte
mouseover_ptr
7A
146
"+7B"
Byte
mouseover_ptr
7B
145
"+7A"
2 Bytes
mouseover_ptr
7A
10254
"Loot Item Pointer"
Auto Assembler Script
// Loot Item Pointer
// Capture hook on the 5-byte load `mov r10d,[r9+rcx*8+54]`: when rcx is 0 it stores r9
// into loot_ptr, then replays the original load. The "Base Address" and property
// entries in this table resolve their offsets through loot_ptr.
[ENABLE]
aobscanmodule(loot,witcher3.exe,45 8B 54 C9 54)
alloc(newmem,$1000,loot)
label(code)
label(return)
label(loot_ptr)
newmem:
// Only the access with index 0 updates the pointer.
// The compare changes the flags; the reference disassembly after this script shows a
// `test rdi,rdi` immediately after the hook site, which sets them again.
cmp rcx,0
jne code
// r10 is used as scratch for the address of loot_ptr; the replayed load below
// overwrites r10d in any case.
mov r10,loot_ptr
mov [r10],r9
xor r10,r10
code:
mov r10d,[r9+rcx*8+54]
jmp return
// Storage for the captured pointer, placed after the jmp so it is never executed.
loot_ptr:
dq 0
loot:
// 5-byte jmp over the 5-byte load; no padding needed.
jmp newmem
return:
registersymbol(loot)
registersymbol(loot_ptr)
[DISABLE]
loot:
db 45 8B 54 C9 54
unregistersymbol(loot)
unregistersymbol(loot_ptr)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+740D77
"witcher3.exe"+740D5D: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+740D60: 72 EE - jb witcher3.exe+740D50
"witcher3.exe"+740D62: EB 18 - jmp witcher3.exe+740D7C
"witcher3.exe"+740D64: 85 C9 - test ecx,ecx
"witcher3.exe"+740D66: 78 14 - js witcher3.exe+740D7C
"witcher3.exe"+740D68: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+740D6B: 7D 0F - jnl witcher3.exe+740D7C
"witcher3.exe"+740D6D: 48 63 C1 - movsxd rax,ecx
"witcher3.exe"+740D70: 48 8D 0C C0 - lea rcx,[rax+rax*8]
"witcher3.exe"+740D74: 48 03 C9 - add rcx,rcx
// ---------- INJECTING HERE ----------
"witcher3.exe"+740D77: 45 8B 54 C9 54 - mov r10d,[r9+rcx*8+54]
// ---------- DONE INJECTING ----------
"witcher3.exe"+740D7C: 48 85 FF - test rdi,rdi
"witcher3.exe"+740D7F: 74 03 - je witcher3.exe+740D84
"witcher3.exe"+740D81: 44 89 17 - mov [rdi],r10d
"witcher3.exe"+740D84: 48 8B 5C 24 38 - mov rbx,[rsp+38]
"witcher3.exe"+740D89: 48 8B 74 24 40 - mov rsi,[rsp+40]
"witcher3.exe"+740D8E: 48 83 C4 20 - add rsp,20
"witcher3.exe"+740D92: 5F - pop rdi
"witcher3.exe"+740D93: C3 - ret
"witcher3.exe"+740D94: CC - int 3
"witcher3.exe"+740D95: CC - int 3
}
155
"Base Address"
String
0
0
1
loot_ptr
0
156
"Item ID"
4 Bytes
+58
194
"Item Type"
4 Bytes
+5C
157
"Quantity"
4 Bytes
+54
158
"Durability"
Float
+64
9909
"Stat Properties"
1
9910
"Number of Properties (do not touch any more)"
4 Bytes
loot_ptr
18
9911
"Property List"
String
0
0
1
loot_ptr
0
10
9912
"Property 1"
4 Bytes
+0
9913
"Property 2"
4 Bytes
+4
9914
"Property 3"
4 Bytes
+8
9915
"Property 4"
4 Bytes
+c
9916
"Property 5"
4 Bytes
+10
9917
"Property 6"
4 Bytes
+14
9918
"Property 7"
4 Bytes
+18
9919
"Property 8"
4 Bytes
+1c
9920
"Type Properties"
1
9921
"Number of Properties (do not touch any more)"
4 Bytes
loot_ptr
38
9922
"Property List"
String
0
0
1
loot_ptr
0
30
9923
"Property 1"
4 Bytes
+0
9924
"Property 2"
4 Bytes
+4
9925
"Property 3"
4 Bytes
+8
9926
"Property 4"
4 Bytes
+c
9927
"Property 5"
4 Bytes
+10
9928
"Property 6"
4 Bytes
+14
9929
"Property 7"
4 Bytes
+18
9930
"Property 8"
4 Bytes
+1c
9931
"Unknown Properties"
1
9932
"Number of Properties (do not touch any more)"
4 Bytes
loot_ptr
28
9933
"Property List"
String
0
0
1
loot_ptr
0
20
9934
"Property 1"
4 Bytes
+0
9935
"Property 2"
4 Bytes
+4
9936
"Property 3"
4 Bytes
+8
9937
"Property 4"
4 Bytes
+c
9938
"Property 5"
4 Bytes
+10
9939
"Property 6"
4 Bytes
+14
9940
"Property 7"
4 Bytes
+18
9941
"Property 8"
4 Bytes
+1c
12
"Adjust Camera Position"
Auto Assembler Script
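// Adjust Camera Position
// Two patches in witcher3.exe:
//   cam_dist_nop - NOPs the 3-byte store `mov [rsi+58],eax` so the game stops
//                  overwriting the value at [rsi+58];
//   cam_dist     - hooks the 5-byte load `movss xmm3,[rsi+58]` and first writes the
//                  three user-controlled floats to [rsi+60], [rsi+68] and [rsi+58].
// cam_dist_ptr, cam_ver_ptr and cam_hor_ptr are registered as symbols and edited through
// the "Camera Distance", "Camera Vertical" and "Camera Horizontal" table entries.
// NOTE(review): the three float slots are allocated without a preferred address while
// newmem is allocated near cam_dist; presumably the [cam_*_ptr] operands rely on those
// allocations landing within displacement range of newmem - confirm on the target.
[ENABLE]
aobscanmodule(cam_dist_nop,witcher3.exe,89 46 58 8B 43 10)
cam_dist_nop:
db 90 90 90
registersymbol(cam_dist_nop)
aobscanmodule(cam_dist,witcher3.exe,F3 0F 10 5E 58 45)
alloc(newmem,$1000,cam_dist)
alloc(cam_dist_ptr,4)
alloc(cam_ver_ptr,4)
alloc(cam_hor_ptr,4)
label(code)
label(return)
// Initial values shown in the table until the user edits them.
cam_dist_ptr:
dd (float)3.5
cam_ver_ptr:
dd (float)0.2
cam_hor_ptr:
dd (float)0
newmem:
code:
movss xmm3,[cam_hor_ptr]
movss [rsi+60],xmm3
movss xmm3,[cam_ver_ptr]
movss [rsi+68],xmm3
// Distance goes last so xmm3 ends up holding the value at [rsi+58], which is what the
// replaced `movss xmm3,[rsi+58]` would have produced.
movss xmm3,[cam_dist_ptr]
movss [rsi+58],xmm3
jmp return
cam_dist:
// 5-byte jmp over the 5-byte load; no padding needed.
jmp code
return:
registersymbol(cam_dist)
registersymbol(cam_dist_ptr)
registersymbol(cam_ver_ptr)
registersymbol(cam_hor_ptr)
[DISABLE]
// Restore both patched sites byte-for-byte.
cam_dist_nop:
db 89 46 58
unregistersymbol(cam_dist_nop)
cam_dist:
db F3 0F 10 5E 58
unregistersymbol(cam_dist)
unregistersymbol(cam_dist_ptr)
unregistersymbol(cam_ver_ptr)
// Was a second unregistersymbol(cam_ver_ptr): cam_hor_ptr stayed registered and kept
// pointing at memory released by dealloc(cam_hor_ptr) below.
unregistersymbol(cam_hor_ptr)
dealloc(newmem)
dealloc(cam_dist_ptr)
dealloc(cam_ver_ptr)
dealloc(cam_hor_ptr)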
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+CBF937
"witcher3.exe"+CBF906: 89 03 - mov [rbx],eax
"witcher3.exe"+CBF908: 8B 87 D8 02 00 00 - mov eax,[rdi+000002D8]
"witcher3.exe"+CBF90E: F3 41 0F 11 08 - movss [r8],xmm1
"witcher3.exe"+CBF913: 89 43 10 - mov [rbx+10],eax
"witcher3.exe"+CBF916: E8 75 A9 00 00 - call witcher3.exe+CCA290
"witcher3.exe"+CBF91B: 8B 03 - mov eax,[rbx]
"witcher3.exe"+CBF91D: F3 0F 10 1D 93 59 FC 00 - movss xmm3,[witcher3.exe+1C852B8]
"witcher3.exe"+CBF925: F3 44 0F 10 3D 42 43 4E 01 - movss xmm15,[witcher3.exe+21A3C70]
"witcher3.exe"+CBF92E: 41 0F 28 C2 - movaps xmm0,xmm10
"witcher3.exe"+CBF932: F3 41 0F 5C C3 - subss xmm0,xmm11
// ---------- INJECTING HERE ----------
"witcher3.exe"+CBF937: 89 46 58 - mov [rsi+58],eax
"witcher3.exe"+CBF93A: 8B 43 10 - mov eax,[rbx+10]
// ---------- DONE INJECTING ----------
"witcher3.exe"+CBF93D: 45 0F 57 DB - xorps xmm11,xmm11
"witcher3.exe"+CBF941: F3 0F 59 F0 - mulss xmm6,xmm0
"witcher3.exe"+CBF945: F3 0F 59 F8 - mulss xmm7,xmm0
"witcher3.exe"+CBF949: F3 44 0F 59 C0 - mulss xmm8,xmm0
"witcher3.exe"+CBF94E: 89 87 D8 02 00 00 - mov [rdi+000002D8],eax
"witcher3.exe"+CBF954: F3 44 0F 59 E0 - mulss xmm12,xmm0
"witcher3.exe"+CBF959: EB 07 - jmp witcher3.exe+CBF962
"witcher3.exe"+CBF95B: 44 89 B7 D8 02 00 00 - mov [rdi+000002D8],r14d
"witcher3.exe"+CBF962: F3 0F 10 54 24 50 - movss xmm2,[rsp+50]
"witcher3.exe"+CBF968: F3 0F 10 8F 70 02 00 00 - movss xmm1,[rdi+00000270]
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+CBF5E4
"witcher3.exe"+CBF5BE: 48 85 C9 - test rcx,rcx
"witcher3.exe"+CBF5C1: 74 06 - je witcher3.exe+CBF5C9
"witcher3.exe"+CBF5C3: 48 8B 41 10 - mov rax,[rcx+10]
"witcher3.exe"+CBF5C7: EB 03 - jmp witcher3.exe+CBF5CC
"witcher3.exe"+CBF5C9: 49 8B C6 - mov rax,r14
"witcher3.exe"+CBF5CC: 4C 8B A8 80 06 00 00 - mov r13,[rax+00000680]
"witcher3.exe"+CBF5D3: 48 8D 55 A0 - lea rdx,[rbp-60]
"witcher3.exe"+CBF5D7: 48 8D 4E 40 - lea rcx,[rsi+40]
"witcher3.exe"+CBF5DB: E8 30 E3 40 FF - call witcher3.exe+CD910
"witcher3.exe"+CBF5E0: 48 8D 4D E0 - lea rcx,[rbp-20]
// ---------- INJECTING HERE ----------
"witcher3.exe"+CBF5E4: F3 0F 10 5E 58 - movss xmm3,[rsi+58]
// ---------- DONE INJECTING ----------
"witcher3.exe"+CBF5E9: 45 0F 57 DB - xorps xmm11,xmm11
"witcher3.exe"+CBF5ED: 0F 57 1D 1C 61 FB 00 - xorps xmm3,[witcher3.exe+1C75710]
"witcher3.exe"+CBF5F4: F3 0F 10 40 10 - movss xmm0,[rax+10]
"witcher3.exe"+CBF5F9: F3 0F 10 48 14 - movss xmm1,[rax+14]
"witcher3.exe"+CBF5FE: F3 0F 10 50 18 - movss xmm2,[rax+18]
"witcher3.exe"+CBF603: F3 0F 59 C3 - mulss xmm0,xmm3
"witcher3.exe"+CBF607: F3 0F 59 CB - mulss xmm1,xmm3
"witcher3.exe"+CBF60B: F3 0F 59 D3 - mulss xmm2,xmm3
"witcher3.exe"+CBF60F: F3 0F 58 46 20 - addss xmm0,[rsi+20]
"witcher3.exe"+CBF614: F3 0F 58 4E 24 - addss xmm1,[rsi+24]
}
13
"Camera Distance"
Float
cam_dist_ptr
10149
"Camera Vertical"
Float
cam_ver_ptr
10159
"Camera Horizontal"
Float
cam_hor_ptr
10259
"Override FOV"
Auto Assembler Script
// Override FOV
// Replaces the 6-byte load `mov eax,[rdi+000000EC]` in place with `nop` (90) followed
// by `mov eax,imm32` (B8 + 4 bytes), where the immediate is the bit pattern of 60.0.
// No code cave is used: the "FOV" table entry edits the immediate directly at fov+2.
// The trailing C6 in the signature is the first byte of the next instruction and only
// narrows the match.
[ENABLE]
aobscanmodule(fov,witcher3.exe,8B 87 EC 00 00 00 C6)
fov:
db 90 B8
dd (float)60
registersymbol(fov)
[DISABLE]
// Restores the original 6-byte load.
fov:
db 8B 87 EC 00 00 00
unregistersymbol(fov)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D3F9EA
"witcher3.exe"+D3F9CA: 44 89 46 08 - mov [rsi+08],r8d
"witcher3.exe"+D3F9CE: 8B 40 0C - mov eax,[rax+0C]
"witcher3.exe"+D3F9D1: 89 46 0C - mov [rsi+0C],eax
"witcher3.exe"+D3F9D4: E8 A7 42 8F 00 - call witcher3.exe+1633C80
"witcher3.exe"+D3F9D9: 8B 08 - mov ecx,[rax]
"witcher3.exe"+D3F9DB: 89 4E 10 - mov [rsi+10],ecx
"witcher3.exe"+D3F9DE: 8B 48 04 - mov ecx,[rax+04]
"witcher3.exe"+D3F9E1: 89 4E 14 - mov [rsi+14],ecx
"witcher3.exe"+D3F9E4: 8B 40 08 - mov eax,[rax+08]
"witcher3.exe"+D3F9E7: 89 46 18 - mov [rsi+18],eax
// ---------- INJECTING HERE ----------
"witcher3.exe"+D3F9EA: 8B 87 EC 00 00 00 - mov eax,[rdi+000000EC]
// ---------- DONE INJECTING ----------
"witcher3.exe"+D3F9F0: C6 46 1C 01 - mov byte ptr [rsi+1C],01
"witcher3.exe"+D3F9F4: 89 46 30 - mov [rsi+30],eax
"witcher3.exe"+D3F9F7: F3 0F 10 57 64 - movss xmm2,[rdi+64]
"witcher3.exe"+D3F9FC: F3 0F 10 47 6C - movss xmm0,[rdi+6C]
"witcher3.exe"+D3FA01: F3 0F 10 5F 60 - movss xmm3,[rdi+60]
"witcher3.exe"+D3FA06: F3 0F 10 4F 68 - movss xmm1,[rdi+68]
"witcher3.exe"+D3FA0B: F3 0F 58 97 C4 00 00 00 - addss xmm2,[rdi+000000C4]
"witcher3.exe"+D3FA13: F3 0F 58 87 CC 00 00 00 - addss xmm0,[rdi+000000CC]
"witcher3.exe"+D3FA1B: F3 0F 58 9F C0 00 00 00 - addss xmm3,[rdi+000000C0]
"witcher3.exe"+D3FA23: F3 0F 58 8F C8 00 00 00 - addss xmm1,[rdi+000000C8]
}
10260
"FOV"
Float
fov+2
10162
"Maximize All Status Bars (Health/Stamina/Etc.)"
Auto Assembler Script
[ENABLE]
// Detour over the 5-byte read `movss xmm0,[rax+rcx*4]`.
// Instead of reading the current value, the detour loads the float at
// [rax+rcx*4+4] (the same address the game loaded into xmm1 just before the
// hook and divides by right after it), writes it over the current value in
// memory, and returns with xmm0 holding it.
// Note that, unlike the original instruction, the detour writes to memory.
aobscanmodule(max_bar,witcher3.exe,F3 0F 10 04 88 F3 0F 5E)
alloc(newmem,$1000,max_bar)
label(resume)

newmem:
  movss xmm0,[rax+rcx*4+4]
  movss [rax+rcx*4],xmm0
  jmp resume

// 5-byte jmp replaces exactly the 5-byte movss; execution resumes at divss.
max_bar:
  jmp newmem
resume:

registersymbol(max_bar)

[DISABLE]
// Restore the original `movss xmm0,[rax+rcx*4]`.
max_bar:
  db F3 0F 10 04 88

unregistersymbol(max_bar)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D958B2
"witcher3.exe"+D95890: E8 7B E7 FF FF - call witcher3.exe+D94010
"witcher3.exe"+D95895: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D95898: 74 23 - je witcher3.exe+D958BD
"witcher3.exe"+D9589A: 48 98 - cdqe
"witcher3.exe"+D9589C: 0F 57 C0 - xorps xmm0,xmm0
"witcher3.exe"+D9589F: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+D958A3: 48 8B 46 60 - mov rax,[rsi+60]
"witcher3.exe"+D958A7: F3 0F 10 4C 88 04 - movss xmm1,[rax+rcx*4+04]
"witcher3.exe"+D958AD: 0F 2E C8 - ucomiss xmm1,xmm0
"witcher3.exe"+D958B0: 74 13 - je witcher3.exe+D958C5
// ---------- INJECTING HERE ----------
"witcher3.exe"+D958B2: F3 0F 10 04 88 - movss xmm0,[rax+rcx*4]
// ---------- DONE INJECTING ----------
"witcher3.exe"+D958B7: F3 0F 5E C1 - divss xmm0,xmm1
"witcher3.exe"+D958BB: EB 08 - jmp witcher3.exe+D958C5
"witcher3.exe"+D958BD: F3 0F 10 05 FB C3 EE 00 - movss xmm0,[witcher3.exe+1C81CC0]
"witcher3.exe"+D958C5: 48 85 FF - test rdi,rdi
"witcher3.exe"+D958C8: 74 04 - je witcher3.exe+D958CE
"witcher3.exe"+D958CA: F3 0F 11 07 - movss [rdi],xmm0
"witcher3.exe"+D958CE: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+D958D3: 48 8B 74 24 40 - mov rsi,[rsp+40]
"witcher3.exe"+D958D8: 48 83 C4 20 - add rsp,20
"witcher3.exe"+D958DC: 5F - pop rdi
}
10036
"Money Pointer (not usable with unlimited inventory)"
Auto Assembler Script
[ENABLE]
// Detour over `sub [rcx+64],esi` / `mov edx,00000003` (8 bytes in total).
// The detour records rcx in money_ptr before replaying both instructions, so
// the "Money Value" table entry can read the 4-byte field at [money_ptr]+64.
// money_ptr is only filled in once the hooked code has run at least once.
aobscanmodule(money,witcher3.exe,29 71 64 BA 03 00 00 00)
alloc(newmem,$1000,money)
alloc(money_ptr,8)
label(resume)

newmem:
  mov [money_ptr],rcx       // remember the object whose +64 field is being reduced
  sub [rcx+64],esi          // original instruction 1
  mov edx,3                 // original instruction 2
  jmp resume

// 5-byte jmp + 3 nops = the 8 bytes that were overwritten.
money:
  jmp newmem
  db 90 90 90
resume:

registersymbol(money)
registersymbol(money_ptr)

[DISABLE]
// Restore the original 8 bytes.
money:
  db 29 71 64 BA 03 00 00 00

unregistersymbol(money)
unregistersymbol(money_ptr)
dealloc(newmem)
dealloc(money_ptr)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6E60E6
"witcher3.exe"+6E60C6: 48 8B C7 - mov rax,rdi
"witcher3.exe"+6E60C9: 48 C1 E0 07 - shl rax,07
"witcher3.exe"+6E60CD: 4A 8D 0C 00 - lea rcx,[rax+r8]
"witcher3.exe"+6E60D1: 42 0F B6 44 00 7A - movzx eax,byte ptr [rax+r8+7A]
"witcher3.exe"+6E60D7: 8B 59 70 - mov ebx,[rcx+70]
"witcher3.exe"+6E60DA: C0 E8 02 - shr al,02
"witcher3.exe"+6E60DD: A8 01 - test al,01
"witcher3.exe"+6E60DF: 74 0F - je witcher3.exe+6E60F0
"witcher3.exe"+6E60E1: 39 71 64 - cmp [rcx+64],esi
"witcher3.exe"+6E60E4: 76 0A - jna witcher3.exe+6E60F0
// ---------- INJECTING HERE ----------
"witcher3.exe"+6E60E6: 29 71 64 - sub [rcx+64],esi
"witcher3.exe"+6E60E9: BA 03 00 00 00 - mov edx,00000003
// ---------- DONE INJECTING ----------
"witcher3.exe"+6E60EE: EB 3F - jmp witcher3.exe+6E612F
"witcher3.exe"+6E60F0: 44 0F B7 41 7A - movzx r8d,word ptr [rcx+7A]
"witcher3.exe"+6E60F5: 41 0F B6 C0 - movzx eax,r8l
"witcher3.exe"+6E60F9: C0 E8 05 - shr al,05
"witcher3.exe"+6E60FC: A8 01 - test al,01
"witcher3.exe"+6E60FE: 75 0A - jne witcher3.exe+6E610A
"witcher3.exe"+6E6100: 41 C0 E8 06 - shr r8l,06
"witcher3.exe"+6E6104: 41 F6 C0 01 - test r8l,01
"witcher3.exe"+6E6108: 74 11 - je witcher3.exe+6E611B
"witcher3.exe"+6E610A: 41 B1 01 - mov cl,01
}
10038
"Purchase an item to retrieve the pointer"
008000
1
10037
"Money Value"
4 Bytes
money_ptr
64
294
"Change Unit Animation Speeds"
Auto Assembler Script
[ENABLE]
// Scales the float that the game stores with `movss [rax+rcx],xmm8`
// (6 bytes, replaced below by a 5-byte jmp plus one nop).
// While freeze_activate is 1, xmm8 is multiplied by freeze_geralt when rax
// equals one of four hard-coded values, and by freeze_other otherwise.
// While freeze_activate is 0 the original store runs unchanged.
// xmm8 itself is modified, so code after the hook sees the scaled value too.
aobscanmodule(freeze,witcher3.exe,F3 44 0F 11 04 08 8B)
alloc(newmem,$1000,freeze)
alloc(freeze_geralt,4)
alloc(freeze_other,4)
alloc(freeze_activate,1)
label(code)
label(return)
label(is_player)
label(is_other)
// Initial state: effect switched off, multiplier 1.0 for the matched case and
// 0.0 for everything else.
freeze_activate:
db 0
freeze_geralt:
dd (float)1.0
freeze_other:
dd (float)0.0
newmem:
// Pass straight through to the original store unless the effect is switched on.
cmp byte ptr [freeze_activate],1
jne code
//cmp rax,2954
//je is_other
//cmp rax,7370
//je is_other
//cmp rax,14728
//je is_other
//cmp rax,14140
//je is_other
//movss [rax+rcx],xmm8
//jmp is_player
// rax is the value the original code loaded from [rsi+000000F0] (see the
// listing below). NOTE(review): the four constants look like build-specific
// offsets that identify the player's data; they are not derived by the scan
// and should be re-checked after a game update.
cmp rax,55370
je is_player
cmp rax,550F0
je is_player
cmp rax,76E0
je is_player
cmp rax,7620
je is_player
// Fall-through: anything that did not match the four values above.
is_other:
mulss xmm8,[freeze_other]
jmp code
is_player:
mulss xmm8,[freeze_geralt]
code:
// Original instruction, then back to the game.
movss [rax+rcx],xmm8
jmp return
// 5-byte jmp + 1 nop = the 6 bytes of the original movss.
freeze:
jmp newmem
nop
return:
registersymbol(freeze)
registersymbol(freeze_geralt)
registersymbol(freeze_other)
registersymbol(freeze_activate)
[DISABLE]
// Restore the original `movss [rax+rcx],xmm8` and release everything.
freeze:
db F3 44 0F 11 04 08
unregistersymbol(freeze)
unregistersymbol(freeze_geralt)
unregistersymbol(freeze_other)
unregistersymbol(freeze_activate)
dealloc(newmem)
dealloc(freeze_geralt)
dealloc(freeze_other)
dealloc(freeze_activate)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+47FDF6
"witcher3.exe"+47FDC8: 49 8B 80 80 00 00 00 - mov rax,[r8+00000080]
"witcher3.exe"+47FDCF: 48 8B F1 - mov rsi,rcx
"witcher3.exe"+47FDD2: 0F 29 74 24 40 - movaps [rsp+40],xmm6
"witcher3.exe"+47FDD7: 48 8B 48 28 - mov rcx,[rax+28]
"witcher3.exe"+47FDDB: 8B 86 F0 00 00 00 - mov eax,[rsi+000000F0]
"witcher3.exe"+47FDE1: 0F 29 7C 24 30 - movaps [rsp+30],xmm7
"witcher3.exe"+47FDE6: 44 0F 29 44 24 20 - movaps [rsp+20],xmm8
"witcher3.exe"+47FDEC: 44 0F 28 C3 - movaps xmm8,xmm3
"witcher3.exe"+47FDF0: 4D 8B F0 - mov r14,r8
"witcher3.exe"+47FDF3: 4C 8B FA - mov r15,rdx
// ---------- INJECTING HERE ----------
"witcher3.exe"+47FDF6: F3 44 0F 11 04 08 - movss [rax+rcx],xmm8
// ---------- DONE INJECTING ----------
"witcher3.exe"+47FDFC: 8B 9E 00 01 00 00 - mov ebx,[rsi+00000100]
"witcher3.exe"+47FE02: 48 03 D9 - add rbx,rcx
"witcher3.exe"+47FE05: 48 8B 43 18 - mov rax,[rbx+18]
"witcher3.exe"+47FE09: 48 85 C0 - test rax,rax
"witcher3.exe"+47FE0C: 74 06 - je witcher3.exe+47FE14
"witcher3.exe"+47FE0E: 48 8B 68 20 - mov rbp,[rax+20]
"witcher3.exe"+47FE12: EB 02 - jmp witcher3.exe+47FE16
"witcher3.exe"+47FE14: 33 ED - xor ebp,ebp
"witcher3.exe"+47FE16: 8B 86 80 01 00 00 - mov eax,[rsi+00000180]
"witcher3.exe"+47FE1C: 8B BE 10 01 00 00 - mov edi,[rsi+00000110]
}
Toggle Activation
0
10077
"1.0=Normal, 0.5=Half, 0.0=Frozen"
008000
1
295
"Apply Effect [Ctrl-T]"
Auto Assembler Script
[ENABLE]
// Switches the animation-speed effect on by writing 1 to the freeze_activate
// flag byte. The symbol is registered by the "Change Unit Animation Speeds"
// script, which therefore has to be enabled first.
freeze_activate:
db 1
[DISABLE]
// Switches the effect off again; the detour then only replays the original store.
freeze_activate:
db 0
Toggle Activation
17
84
0
296
"Geralt Speed"
Float
freeze_geralt
10078
"Other Speed"
Float
freeze_other
10240
"Set Experience Multiplier"
Auto Assembler Script
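[ENABLE]
// Experience multiplier.
// Stage 1 (Lua) finds the hook site by signature and registers it as xp_gain.
// Stage 2 (auto assembler, passed as a string) installs a 6-byte detour over
// `mov eax,[rsp+50]` / `add [rbx],eax`.
{$lua}
if syntaxcheck then return end
--8B44245001038B034885F674028906488B5C24404883C420415E5F5EC3
local aob = AOBScan("8B44245001038B034885F674028906488B5C24404883C420415E5F5EC3")
-- AOBScan yields nil when nothing matches; stop with a clear message instead
-- of failing on the index below.
if aob == nil then
  error("xp_gain: signature not found")
end
-- The hook site is the third match (index 2; the result list is 0-based).
-- With fewer matches the index would not name a valid address.
if aob.Count < 3 then
  local found = aob.Count
  aob.Destroy()
  error("xp_gain: expected at least 3 signature matches, found " .. found)
end
registerSymbol("xp_gain", aob[2], true)
aob.Destroy()
aob = nil
-- Detour logic (inside the string below):
--   * r8 - r9 is compared with 4 (r8 is saved and restored around the test;
--     pop does not change the flags). Only when it equals 4 is the gain scaled.
--     NOTE(review): what this condition distinguishes is not visible here.
--   * the integer at [rsp+50] is loaded onto the x87 stack, multiplied by
--     xp_mult (default 2.0) and stored back as an integer; the x87 stack is
--     left balanced (one fild, one fistp).
--     NOTE(review): fild/fmul/fistp carry no size specifier; confirm the
--     assembler treats them as 32-bit operands, matching `mov eax,[rsp+50]`.
--   * the two original instructions are then replayed.
--   * 5-byte jmp + 1 nop = the 6 bytes overwritten at xp_gain.
local ok = autoAssemble([[
alloc(newmem,$1000,xp_gain)
alloc(xp_mult,4)
label(code)
label(return)
xp_mult:
dd (float)2.0
newmem:
push r8
sub r8,r9
cmp r8,4
pop r8
jne code
fild [rsp+50]
fmul [xp_mult]
fistp [rsp+50]
code:
mov eax,[rsp+50]
add [rbx],eax
jmp return
xp_gain:
jmp newmem
nop
return:
registersymbol(xp_mult)
]])
-- Do not leave the entry looking enabled when the detour was not installed.
if not ok then
  unregisterSymbol("xp_gain")
  error("xp_gain: auto assembler stage failed")
end
{$asm}
[DISABLE]
// Restore the original 6 bytes and release the allocations made in stage 2.
xp_gain:
db 8B 44 24 50 01 03
unregistersymbol(xp_mult)
unregistersymbol(xp_gain)
dealloc(newmem)
dealloc(xp_mult)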
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+1877A8C
"witcher3.exe"+1877A6A: 48 0F 45 D8 - cmovne rbx,rax
"witcher3.exe"+1877A6E: 48 8B 47 30 - mov rax,[rdi+30]
"witcher3.exe"+1877A72: 48 8B D7 - mov rdx,rdi
"witcher3.exe"+1877A75: 0F B6 08 - movzx ecx,byte ptr [rax]
"witcher3.exe"+1877A78: 48 FF C0 - inc rax
"witcher3.exe"+1877A7B: 48 89 47 30 - mov [rdi+30],rax
"witcher3.exe"+1877A7F: 8B C1 - mov eax,ecx
"witcher3.exe"+1877A81: 48 8B 0F - mov rcx,[rdi]
"witcher3.exe"+1877A84: 41 FF 14 C6 - call qword ptr [r14+rax*8]
"witcher3.exe"+1877A88: 48 FF 47 30 - inc [rdi+30]
// ---------- INJECTING HERE ----------
"witcher3.exe"+1877A8C: 8B 44 24 50 - mov eax,[rsp+50]
"witcher3.exe"+1877A90: 01 03 - add [rbx],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+1877A92: 8B 03 - mov eax,[rbx]
"witcher3.exe"+1877A94: 48 85 F6 - test rsi,rsi
"witcher3.exe"+1877A97: 74 02 - je witcher3.exe+1877A9B
"witcher3.exe"+1877A99: 89 06 - mov [rsi],eax
"witcher3.exe"+1877A9B: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+1877AA0: 48 83 C4 20 - add rsp,20
"witcher3.exe"+1877AA4: 41 5E - pop r14
"witcher3.exe"+1877AA6: 5F - pop rdi
"witcher3.exe"+1877AA7: 5E - pop rsi
"witcher3.exe"+1877AA8: C3 - ret
}
10239
"Experience Multiplier"
Float
xp_mult
186
"Retrieve Item Name"
Auto Assembler Script
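[ENABLE]
// Sets up a small routine that calls the game's item-name lookup function for
// the ID stored in item_id_ptr and saves the returned pointer in item_name_ptr.
// Nothing in the game's own code is modified; the routine only runs when the
// "Call Function" entry starts it on a new thread.
//"witcher3.exe"+106E0
//witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+E7C0
// find the address of the function
aobscanmodule(item_name,witcher3.exe,40 53 48 83 EC 20 48 8B 05 * * * * 48 8B D9 48 85 C0 75 05 E8 * * * * 8B 13 48 8B 0D * * * * E8)
registersymbol(item_name)
// create pointer variables for id and name
alloc(item_id_ptr,8)
alloc(item_name_ptr,8)
registersymbol(item_id_ptr)
registersymbol(item_name_ptr)
// create custom thread function
alloc(get_item_name,$1000)
get_item_name:
// Windows x64 ABI: a caller must reserve 32 bytes of shadow space and keep rsp
// 16-byte aligned at the call. On entry rsp is 8 past a 16-byte boundary, so
// 28h (32 shadow + 8 padding) satisfies both. Without this the callee's home
// area would overlap this routine's own return address.
sub rsp,28
// rcx = address of the ID variable, not the ID itself: the callee's signature
// bytes show it copying rcx to rbx and reading a dword through it.
mov rcx,item_id_ptr
call item_name
// rax = value returned by the lookup; the "Found Item Name" entry reads it as
// a pointer to a string. NOTE(review): how long that pointer stays valid is
// not visible here.
mov [item_name_ptr],rax
add rsp,28
retn
registersymbol(get_item_name)
[DISABLE]
unregistersymbol(item_name)
unregistersymbol(item_id_ptr)
unregistersymbol(item_name_ptr)
dealloc(item_id_ptr)
dealloc(item_name_ptr)
unregistersymbol(get_item_name)
dealloc(get_item_name)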
190
"Enter the Item ID"
4 Bytes
item_id_ptr
196
"Enter the Item ID (hex)"
1
4 Bytes
item_id_ptr
192
"Call Function"
Auto Assembler Script
[ENABLE]
// Runs get_item_name once on a new thread inside the game process. The symbol
// is registered by the "Retrieve Item Name" script, which must be enabled first.
createthread(get_item_name)
[DISABLE]
// The same call is made on disable, so every toggle of this entry (on or off)
// performs one lookup.
createthread(get_item_name)
191
"Found Item Name"
String
64
1
1
item_name_ptr
0
10111
"Lookup Variable"
Auto Assembler Script
[ENABLE]
// Research helper: detours a small accessor (`mov eax,[r8]` / `mov [rdx],eax`
// / `ret`) and records up to ten distinct source addresses (r8) whose 32-bit
// content equals lookup_value. Results are collected in lookup_found, eight
// bytes per slot, and shown by the "Found 1".."Found 10" table entries.
aobscanmodule(lookup_var,witcher3.exe,41 8B 00 89 02 C3)
alloc(newmem,$1000,lookup_var)
alloc(lookup_value,4)
// Ten 8-byte slots are used: the loop below stops at index A (hex) and the
// "Reset Found Addresses" entry clears ten qwords.
alloc(lookup_found,80)
alloc(lookup_address,8)
label(code)
label(return)
label(_loop)
label(_add)
label(_end)
label(_addr)
newmem:
// The nop runs only when r8 equals lookup_address and has no other effect.
// NOTE(review): presumably a spot to place a breakpoint for one chosen address.
cmp r8,[lookup_address]
jne _addr
nop
_addr:
// Ignore addresses below 3000000 (hex). The comparison is signed (jl).
cmp r8,3000000
jl code
// Only addresses whose current 32-bit content matches lookup_value are recorded.
mov eax,[r8]
cmp eax,[lookup_value]
jne code
// rbx is borrowed as the table base and restored at _end; rax is the slot
// index and is reloaded by the original instruction at `code`.
push rbx
lea rbx,[lookup_found]
xor rax,rax
_loop:
// An empty slot ends the search and receives r8; a slot already holding r8
// means nothing needs to be stored.
// NOTE(review): the compare with 0 has no size specifier, so its width depends
// on the assembler's default; confirm it covers the whole 8-byte slot.
cmp [rbx+rax*8],0
je _add
cmp [rbx+rax*8],r8
je _end
inc rax
cmp rax,A
jl _loop
// All ten slots are taken: drop this address.
jmp _end
_add:
mov [rbx+rax*8],r8
_end:
pop rbx
code:
// Original two instructions, then back to the `ret` that follows them.
mov eax,[r8]
mov [rdx],eax
jmp return
// 5-byte jmp over the 5 bytes of the two original instructions.
lookup_var:
jmp newmem
return:
registersymbol(lookup_var)
registersymbol(lookup_value)
registersymbol(lookup_found)
registersymbol(lookup_address)
[DISABLE]
// Restore the original 5 bytes and release every allocation.
lookup_var:
db 41 8B 00 89 02
unregistersymbol(lookup_var)
unregistersymbol(lookup_value)
unregistersymbol(lookup_found)
unregistersymbol(lookup_address)
dealloc(newmem)
dealloc(lookup_value)
dealloc(lookup_found)
dealloc(lookup_address)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+2D910
"witcher3.exe"+2D906: C3 - ret
"witcher3.exe"+2D907: CC - int 3
"witcher3.exe"+2D908: CC - int 3
"witcher3.exe"+2D909: CC - int 3
"witcher3.exe"+2D90A: CC - int 3
"witcher3.exe"+2D90B: CC - int 3
"witcher3.exe"+2D90C: CC - int 3
"witcher3.exe"+2D90D: CC - int 3
"witcher3.exe"+2D90E: CC - int 3
"witcher3.exe"+2D90F: CC - int 3
// ---------- INJECTING HERE ----------
"witcher3.exe"+2D910: 41 8B 00 - mov eax,[r8]
"witcher3.exe"+2D913: 89 02 - mov [rdx],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+2D915: C3 - ret
"witcher3.exe"+2D916: CC - int 3
"witcher3.exe"+2D917: CC - int 3
"witcher3.exe"+2D918: CC - int 3
"witcher3.exe"+2D919: CC - int 3
"witcher3.exe"+2D91A: CC - int 3
"witcher3.exe"+2D91B: CC - int 3
"witcher3.exe"+2D91C: CC - int 3
"witcher3.exe"+2D91D: CC - int 3
"witcher3.exe"+2D91E: CC - int 3
}
10119
"Reset Found Addresses"
Auto Assembler Script
[ENABLE]
// Clears the ten 8-byte result slots of lookup_found so the "Lookup Variable"
// detour starts collecting again. The symbol is registered by that script,
// which must be enabled first.
lookup_found:
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
[DISABLE]
// Same ten zero qwords on disable, so toggling the entry either way resets
// the table.
lookup_found:
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
dq 0
10197
"Lookup Address"
1
8 Bytes
lookup_address
10117
"Float Types"
1
10113
"Lookup Value"
Float
lookup_value
10142
"============================================================"
1
10112
"Found 1"
Float
lookup_found
0
10120
"Found 2"
Float
lookup_found+8
0
10121
"Found 3"
Float
lookup_found+10
0
10122
"Found 4"
Float
lookup_found+18
0
10123
"Found 5"
Float
lookup_found+20
0
10124
"Found 6"
Float
lookup_found+28
0
10125
"Found 7"
Float
lookup_found+30
0
10126
"Found 8"
Float
lookup_found+38
0
10127
"Found 9"
Float
lookup_found+40
0
10128
"Found 10"
Float
lookup_found+48
0
10129
"Integer Types"
1
10130
"Lookup Value"
1
4 Bytes
lookup_value
10143
"============================================================"
1
10131
"Found 1"
1
4 Bytes
lookup_found
0
10132
"Found 2"
1
4 Bytes
lookup_found+8
0
10133
"Found 3"
1
4 Bytes
lookup_found+10
0
10134
"Found 4"
1
4 Bytes
lookup_found+18
0
10135
"Found 5"
1
4 Bytes
lookup_found+20
0
10136
"Found 6"
1
4 Bytes
lookup_found+28
0
10137
"Found 7"
1
4 Bytes
lookup_found+30
0
10138
"Found 8"
1
4 Bytes
lookup_found+38
0
10139
"Found 9"
1
4 Bytes
lookup_found+40
0
10140
"Found 10"
1
4 Bytes
lookup_found+48
0
10187
"Enable Debug Console"
Auto Assembler Script
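[ENABLE]
// Debug-console hook.
//   console              - function located by signature; called from the detour.
//   global_console_debug - address of an instruction `mov [rip+disp32],rax`
//                          (48 89 05 disp32); the detour decodes it to find the
//                          global it writes and loads the object pointer kept there.
//   use_console          - the 6-byte `call qword ptr [rax+00000408]` that is
//                          replaced by a 5-byte jmp plus one nop.
// The original virtual call is NOT replayed (it is left commented out below);
// `console` is called in its place with rcx set to the decoded object.
aobscanmodule(console,witcher3.exe,48 83 EC 28 48 8B 05 ? ? ? ? 0F B6 90)
registersymbol(console)
aobscanmodule(global_console_debug,witcher3.exe,48 89 05 ? ? ? ? EB 07 48 89 35 ? ? ? ? 48)// 8B 47 60)
registersymbol(global_console_debug)
//witcher3.ScaleForm::Render::Matrix4x4<float>::SetIdentity+6B5833
aobscanmodule(use_console,witcher3.exe,FF 90 * * * * 84 C0 0F 95 C0 48 83 C4 38 C3)
alloc(newmem,$1000,use_console)
alloc(use_console_backup,6)
label(code)
label(return)
// Keep a copy of the 6 original bytes; their displacement is wildcarded in the
// signature, so [DISABLE] restores from this copy instead of from constants.
use_console_backup:
readmem(use_console,6)
newmem:
// Remap one input event: r8 == 71 with r9 == 02 (per the author's notes, key
// IK_F2 with action IACT_Release) becomes r8 = C0, r9 = 01.
// NOTE(review): presumably the key/action pair the console handler reacts to.
cmp r8,71 //IK_F2
jne code
cmp r9,02 //IACT_Release
jne code
mov r8,C0
mov r9,01
code:
// Decode the RIP-relative operand: target = instruction address + 7 (its
// length) + disp32. The displacement is a signed 32-bit value, so it is
// sign-extended; a zero-extending load would compute a wrong address whenever
// the global lies below the instruction.
mov rax,global_console_debug
movsxd rcx,dword ptr [rax+3]
add rcx,rax
add rcx,7
mov rcx,[rcx]
// NOTE(review): rax is set to 1 right before the call; its purpose is not
// visible here.
mov rax,1
//call qword ptr [rax+00000408]
// The hooked function has already done `sub rsp,38`, so shadow space exists
// for this call.
call console
jmp return
use_console:
jmp newmem
nop
return:
registersymbol(use_console)
registersymbol(use_console_backup)
[DISABLE]
// Restore the saved bytes, then release both allocations. The backup buffer
// was previously never freed, leaking one allocation per enable/disable cycle.
use_console:
readmem(use_console_backup,6)
unregistersymbol(use_console)
unregistersymbol(use_console_backup)
dealloc(newmem)
dealloc(use_console_backup)
unregistersymbol(console)
unregistersymbol(global_console_debug)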
{
console - 48 83 EC 28 - sub rsp,28
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD24- 48 8B 05 7D137702 - mov rax,[witcher3.exe+29A0028]
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD2B- 0FB6 90 28010000 - movzx edx,byte ptr [rax+00000128]
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD32- 38 15 881FAA01 - cmp [witcher3.exe+1CD0C40],dl
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD38- 76 07 - jna witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD41
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD3A- 32 C0 - xor al,al
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD3C- 48 83 C4 28 - add rsp,28
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD40- C3 - ret
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD41- 41 8D 80 5EFFFFFF - lea eax,[r8-000000A2]
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD48- 83 F8 01 - cmp eax,01
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD4B- 77 0D - ja witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD5A
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD4D- 41 83 F9 01 - cmp r9d,01
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD51- 0F94 C0 - sete al
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD54- 88 81 87000000 - mov [rcx+00000087],al
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD5A- 41 8D 80 60FFFFFF - lea eax,[r8-000000A0]
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD61- 83 F8 01 - cmp eax,01
witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD64- 76 06 - jna witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+22CD6C
}
{
global_console_debug - 48 89 05 09CACC01 - mov [witcher3.exe+29B0D00],rax
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC77- EB 07 - jmp witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC80
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC79- 48 89 35 00CACC01 - mov [witcher3.exe+29B0D00],rsi
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC80- 48 8B 87 E8551000 - mov rax,[rdi+001055E8]
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC87- 48 89 45 C7 - mov [rbp-39],rax
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC8B- 48 85 C0 - test rax,rax
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC8E- 74 17 - je witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDCA7
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC90- 48 8B 0D 11BDCB01 - mov rcx,[witcher3.exe+29A0028]
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC97- 48 8D 55 C7 - lea rdx,[rbp-39]
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDC9B- 48 81 C1 E8010000 - add rcx,000001E8
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDCA2- E8 892136FF - call witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity+44530
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDCA7- 48 8B 8F 00571000 - mov rcx,[rdi+00105700]
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDCAE- 48 8B 01 - mov rax,[rcx]
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDCB1- FF 50 68 - call qword ptr [rax+68]
witcher3.Scaleform::Render::Matrix2x4<float>::Prepend+BDCB4- 48 8B 8F E8551000 - mov rcx,[rdi+001055E8]
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6B77A3
"witcher3.exe"+6B778A: CC - int 3
"witcher3.exe"+6B778B: CC - int 3
"witcher3.exe"+6B778C: CC - int 3
"witcher3.exe"+6B778D: CC - int 3
"witcher3.exe"+6B778E: CC - int 3
"witcher3.exe"+6B778F: CC - int 3
"witcher3.exe"+6B7790: 48 83 EC 38 - sub rsp,38
"witcher3.exe"+6B7794: F3 0F 10 44 24 60 - movss xmm0,[rsp+60]
"witcher3.exe"+6B779A: 48 8B 01 - mov rax,[rcx]
"witcher3.exe"+6B779D: F3 0F 11 44 24 20 - movss [rsp+20],xmm0
// ---------- INJECTING HERE ----------
"witcher3.exe"+6B77A3: FF 90 08 04 00 00 - call qword ptr [rax+00000408]
// ---------- DONE INJECTING ----------
"witcher3.exe"+6B77A9: 84 C0 - test al,al
"witcher3.exe"+6B77AB: 0F 95 C0 - setne al
"witcher3.exe"+6B77AE: 48 83 C4 38 - add rsp,38
"witcher3.exe"+6B77B2: C3 - ret
"witcher3.exe"+6B77B3: CC - int 3
"witcher3.exe"+6B77B4: CC - int 3
"witcher3.exe"+6B77B5: CC - int 3
"witcher3.exe"+6B77B6: CC - int 3
"witcher3.exe"+6B77B7: CC - int 3
"witcher3.exe"+6B77B8: CC - int 3
}
10223
"# Activate All Skills # BROKEN #"
Auto Assembler Script
[ENABLE]
// Marked BROKEN by its author (see the entry title). Two detours cooperate
// through the one-byte flag skill_lookup:
//   all_skills1 - over `movzx eax,byte ptr [rbx]` / `mov [rdi],al` (5 bytes):
//                 sets skill_lookup when rbx is one of the addresses listed in
//                 skill_id.
//   all_skills2 - over `mov eax,[rsp+38]` / `cmp [rsp+40],eax` (8 bytes, jmp +
//                 3 nops): when skill_lookup is set, clears it and copies eax
//                 into [rsp+40] so the compare that follows reports "equal".
// skill_id and skill_count are filled by the "Lookup Skill Slot 1 Address" entry.
{$lua}
--(2) 0F B6 03 88 07 48 8B 5C 24 30
--(3) 8B 44 24 38 39 44 24 40 0F 94 C0
-- Drop symbols left over from an earlier run before registering them again.
unregisterSymbol("all_skills1")
unregisterSymbol("all_skills2")
-- NOTE(review): neither scan result is checked for nil or for its match count
-- before being indexed; index 1 is the second match and index 2 the third.
-- NOTE(review): there is no `if syntaxcheck then return end` guard here, unlike
-- the "Set Experience Multiplier" script.
local aob = AOBScan("0F B6 03 88 07 48 8B 5C 24 30")
registerSymbol("all_skills1", aob[1], true)
aob.Destroy()
aob = AOBScan("8B 44 24 38 39 44 24 40 0F 94 C0")
registerSymbol("all_skills2", aob[2], true)
aob.Destroy()
aob = nil
-- Notes on the assembler text below (kept outside the string so it stays as is):
--   * the search loop tests entry 0 before looking at skill_count, and compares
--     the index against the 8-byte skill_count with a signed jl;
--   * skill_id is allocated with size 400, and the loop is bounded only by
--     skill_count, not by that size;
--   * rdi is saved on entry and restored at originalcode before the original
--     `mov [rdi],al` is replayed;
--   * the return value of autoAssemble is not checked.
autoAssemble([[
alloc(newmem,2048,all_skills1)//"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+4F783)
alloc(newmem2,2048,all_skills2)//"witcher3.exe"+18A5470)
alloc(skill_lookup,1)
alloc(skill_id,400)
alloc(skill_count,8)
registersymbol(skill_id)
registersymbol(skill_count)
label(again)
label(found)
label(returnhere)
label(originalcode)
label(exit)
label(returnhere2)
label(originalcode2)
label(exit2)
newmem:
push rdi
xor rax,rax
mov rdi,skill_id
again:
cmp rbx,[rdi+rax*8]
je found
inc rax
cmp rax,[skill_count]
jl again
jmp originalcode
found:
mov byte ptr [skill_lookup],1
originalcode:
pop rdi
movzx eax,byte ptr [rbx]
mov [rdi],al
exit:
jmp returnhere
newmem2:
mov eax,[rsp+38]
cmp byte ptr [skill_lookup],1
jne originalcode2
mov byte ptr [skill_lookup],0
mov [rsp+40],eax
originalcode2:
//mov eax,[rsp+38]
cmp [rsp+40],eax
exit2:
jmp returnhere2
all_skills1://"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+4F783:
jmp newmem
returnhere:
all_skills2://"witcher3.exe"+18A5470:
jmp newmem2
nop
nop
nop
returnhere2:
]])
{$asm}
[DISABLE]
// Restore both sites by re-assembling the original instructions, then release
// the allocations. The all_skills1 / all_skills2 symbols stay registered; the
// next [ENABLE] unregisters them before scanning again.
all_skills1://"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+4F783:
movzx eax,byte ptr [rbx]
mov [rdi],al
all_skills2://"witcher3.exe"+18A5470:
mov eax,[rsp+38]
cmp [rsp+40],eax
unregistersymbol(skill_id)
unregistersymbol(skill_count)
dealloc(newmem)
dealloc(newmem2)
dealloc(skill_lookup)
dealloc(skill_id)
dealloc(skill_count)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+44883
"witcher3.exe"+44867: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4486C: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44870: 5F - pop rdi
"witcher3.exe"+44871: C3 - ret
"witcher3.exe"+44872: 0F B7 03 - movzx eax,word ptr [rbx]
"witcher3.exe"+44875: 66 89 07 - mov [rdi],ax
"witcher3.exe"+44878: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4487D: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44881: 5F - pop rdi
"witcher3.exe"+44882: C3 - ret
// ---------- INJECTING HERE ----------
"witcher3.exe"+44883: 0F B6 03 - movzx eax,byte ptr [rbx]
"witcher3.exe"+44886: 88 07 - mov [rdi],al
// ---------- DONE INJECTING ----------
"witcher3.exe"+44888: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4488D: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44891: 5F - pop rdi
"witcher3.exe"+44892: C3 - ret
"witcher3.exe"+44893: CC - int 3
"witcher3.exe"+44894: CC - int 3
"witcher3.exe"+44895: CC - int 3
"witcher3.exe"+44896: CC - int 3
"witcher3.exe"+44897: CC - int 3
"witcher3.exe"+44898: CC - int 3
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+1877A10
"witcher3.exe"+18779EF: 48 FF C0 - inc rax
"witcher3.exe"+18779F2: 4C 8D 44 24 38 - lea r8,[rsp+38]
"witcher3.exe"+18779F7: 48 89 43 30 - mov [rbx+30],rax
"witcher3.exe"+18779FB: 8B C1 - mov eax,ecx
"witcher3.exe"+18779FD: 48 8B 0B - mov rcx,[rbx]
"witcher3.exe"+1877A00: 48 8B D3 - mov rdx,rbx
"witcher3.exe"+1877A03: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+1877A07: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+1877A0B: 48 85 FF - test rdi,rdi
"witcher3.exe"+1877A0E: 74 0D - je witcher3.exe+1877A1D
// ---------- INJECTING HERE ----------
"witcher3.exe"+1877A10: 8B 44 24 38 - mov eax,[rsp+38]
"witcher3.exe"+1877A14: 39 44 24 40 - cmp [rsp+40],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+1877A18: 0F 94 C0 - sete al
"witcher3.exe"+1877A1B: 88 07 - mov [rdi],al
"witcher3.exe"+1877A1D: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+1877A22: 48 8B 6C 24 48 - mov rbp,[rsp+48]
"witcher3.exe"+1877A27: 48 83 C4 20 - add rsp,20
"witcher3.exe"+1877A2B: 5F - pop rdi
"witcher3.exe"+1877A2C: C3 - ret
"witcher3.exe"+1877A2D: CC - int 3
"witcher3.exe"+1877A2E: CC - int 3
"witcher3.exe"+1877A2F: CC - int 3
}
10228
"Lookup Skill Slot 1 Address"
Auto Assembler Script
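[ENABLE]
// Fills the skill_id table (and skill_count) used by the "Activate All Skills"
// script with the addresses found by a memory scan. Each stored value is the
// match address plus 12.
{$lua}
--autoAssemble([[
--aobscan(skill_slot1,FF FF FF FF FF FF FF FF * 00 00 00 * 01 00 00 * 00 00 00 * 00 00 00 * 00 00 00 * 00 00 00 FF FF FF FF * 00 00 00)
--registersymbol(skill_slot1)
--]])
local aob = AOBScan("FF FF FF FF FF FF FF FF * 00 00 00 * 01 00 00 * 00 00 00")-- * 00 00 00 * 00 00 00 * 00 00 00 FF FF FF FF * 00 00 00")
-- AOBScan yields nil when nothing matches; report that instead of failing on
-- aob.Count.
if aob == nil then
  error("skill_id: signature not found")
end
local skill_id = getAddress("skill_id")
-- skill_id is allocated with size 400 in the "Activate All Skills" script,
-- i.e. room for 50 eight-byte entries. The scan can return more matches than
-- that, so the number of entries written (and the count published to the
-- detour) is capped to stay inside the buffer.
local MAX_ENTRIES = 50
local count = math.min(aob.Count, MAX_ENTRIES)
for i = 0, count - 1 do
  local found = getAddress(aob[i]) + 12
  writeQword(skill_id + i * 8, found)
end
-- NOTE(review): skill_count is allocated as 8 bytes and read as 8 bytes by the
-- detour, but only its low 4 bytes are written here.
writeInteger("skill_count", count)
aob.Destroy()
-- Always fails on purpose. NOTE(review): presumably so the entry never stays
-- ticked and can be run again; confirm.
assert(false)
{$asm}
[DISABLE]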
10227
"Skill Slot 1 Address"
1
8 Bytes
skill_id
17
"Ignore This"
1
14
"Activate Status Scripts"
Auto Assembler Script
[ENABLE]
// Detour over the 5-byte stat write `movss [rax+rcx*4],xmm6`.
// When rcx is 3 and the `stamina` flag byte is 1, the value about to be
// written is replaced by the float stored one element further on
// ([rax+(rcx+1)*4]); every other write passes through unchanged.
// NOTE(review): this script scans for the same signature and allocates the
// same `stamina` / `newmem` names as the "Activate Player Scripts" entry
// earlier in the table; confirm the two are never enabled together.
aobscanmodule(status,witcher3.exe,F3 0F 11 34 88 83 FB)
alloc(newmem,$1000,status)
//alloc(health,1)
alloc(stamina,1)
label(store)
label(resume)

newmem:
  cmp rcx,3
  jne store                   // not the slot of interest
  cmp byte ptr [stamina],1
  jne store                   // option switched off
  // rcx is bumped and restored around the load so it is unchanged at `store`
  inc rcx
  movss xmm6,[rax+rcx*4]
  dec rcx
store:
  movss [rax+rcx*4],xmm6      // original instruction
  jmp resume

status:
  jmp newmem
resume:

registersymbol(status)
registersymbol(stamina)

[DISABLE]
// Restore the original `movss [rax+rcx*4],xmm6`.
status:
  db F3 0F 11 34 88

unregistersymbol(status)
unregistersymbol(stamina)
dealloc(newmem)
dealloc(stamina)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D96063
"witcher3.exe"+D9603F: 8B D3 - mov edx,ebx
"witcher3.exe"+D96041: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D96044: 0F 29 74 24 30 - movaps [rsp+30],xmm6
"witcher3.exe"+D96049: F3 0F 10 74 24 68 - movss xmm6,[rsp+68]
"witcher3.exe"+D9604F: E8 7C E5 FF FF - call witcher3.exe+D945D0
"witcher3.exe"+D96054: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D96057: 74 2B - je witcher3.exe+D96084
"witcher3.exe"+D96059: 48 98 - cdqe
"witcher3.exe"+D9605B: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+D9605F: 48 8B 47 60 - mov rax,[rdi+60]
// ---------- INJECTING HERE ----------
"witcher3.exe"+D96063: F3 0F 11 34 88 - movss [rax+rcx*4],xmm6
// ---------- DONE INJECTING ----------
"witcher3.exe"+D96068: 83 FB 06 - cmp ebx,06
"witcher3.exe"+D9606B: 75 17 - jne witcher3.exe+D96084
"witcher3.exe"+D9606D: 8B 05 95 D0 CF 01 - mov eax,[witcher3.exe+2A93108]
"witcher3.exe"+D96073: 48 8D 54 24 20 - lea rdx,[rsp+20]
"witcher3.exe"+D96078: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D9607B: 89 44 24 20 - mov [rsp+20],eax
"witcher3.exe"+D9607F: E8 3C 02 2B FF - call witcher3.exe+462C0
"witcher3.exe"+D96084: 0F 28 74 24 30 - movaps xmm6,[rsp+30]
"witcher3.exe"+D96089: 48 8B 5C 24 60 - mov rbx,[rsp+60]
"witcher3.exe"+D9608E: 48 83 C4 40 - add rsp,40
}
16
"Unlimited Stamina"
Auto Assembler Script
[ENABLE]
// Sets the `stamina` flag byte to 1. The flag is read by the detour installed
// by "Activate Status Scripts", which registers the symbol and therefore has
// to be enabled first.
stamina:
db 1
[DISABLE]
// Clears the flag; the detour then passes every write through unchanged.
stamina:
db 0
3
"Grenades"
Auto Assembler Script
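[ENABLE]
// Replaces the 4-byte `sub eax,[rsp+40]` with four nops, so the value loaded
// by the preceding `mov eax,[rsp+38]` is stored to [rdi] without the
// subtraction.
// NOTE(review): the surrounding code (an indirect call through a table,
// followed by a store of the result) looks like a general-purpose handler
// rather than grenade-specific code; confirm what else reaches it.
//
// The target is a fixed module offset rather than a signature scan, so the
// bytes are verified first: on any other build the script refuses to enable
// instead of overwriting unrelated code.
assert("witcher3.exe"+17F78D4,2B 44 24 40)
"witcher3.exe"+17F78D4:
db 90 90 90 90
[DISABLE]
// Restore the original `sub eax,[rsp+40]`.
"witcher3.exe"+17F78D4:
db 2B 44 24 40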
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+17F78D4
"witcher3.exe"+17F78B2: 4C 8D 44 24 40 - lea r8,[rsp+40]
"witcher3.exe"+17F78B7: 48 89 43 30 - mov [rbx+30],rax
"witcher3.exe"+17F78BB: 8B C1 - mov eax,ecx
"witcher3.exe"+17F78BD: 48 8B 0B - mov rcx,[rbx]
"witcher3.exe"+17F78C0: 48 8B D3 - mov rdx,rbx
"witcher3.exe"+17F78C3: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+17F78C7: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+17F78CB: 48 85 FF - test rdi,rdi
"witcher3.exe"+17F78CE: 74 0A - je witcher3.exe+17F78DA
"witcher3.exe"+17F78D0: 8B 44 24 38 - mov eax,[rsp+38]
// ---------- INJECTING HERE ----------
"witcher3.exe"+17F78D4: 2B 44 24 40 - sub eax,[rsp+40]
"witcher3.exe"+17F78D8: 89 07 - mov [rdi],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+17F78DA: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+17F78DF: 48 8B 6C 24 48 - mov rbp,[rsp+48]
"witcher3.exe"+17F78E4: 48 83 C4 20 - add rsp,20
"witcher3.exe"+17F78E8: 5F - pop rdi
"witcher3.exe"+17F78E9: C3 - ret
"witcher3.exe"+17F78EA: CC - int 3
"witcher3.exe"+17F78EB: CC - int 3
"witcher3.exe"+17F78EC: CC - int 3
"witcher3.exe"+17F78ED: CC - int 3
"witcher3.exe"+17F78EE: CC - int 3
}
6
"Inventory"
Auto Assembler Script
[ENABLE]
// Pass-through detour over the 5-byte load `mov r10d,[rax+r9+64]`.
// As written the detour only replays the original instruction; it changes no
// value and mainly publishes the `inventory` symbol.
// NOTE(review): the allocation hint is the fixed offset "witcher3.exe"+6F1D01
// while the hook site itself comes from the signature scan; the other scripts
// in this table pass the scanned symbol as the hint.
aobscanmodule(inventory,witcher3.exe,46 8B 54 08 64)
alloc(newmem,$1000,"witcher3.exe"+6F1D01)
label(resume)

newmem:
  mov r10d,[rax+r9+64]        // original instruction
  jmp resume

inventory:
  jmp newmem
resume:

registersymbol(inventory)

[DISABLE]
// Restore the original bytes.
inventory:
  db 46 8B 54 08 64

unregistersymbol(inventory)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6F1D01
"witcher3.exe"+6F1CE6: 48 83 EA 80 - sub rdx,-80
"witcher3.exe"+6F1CEA: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+6F1CED: 72 F1 - jb witcher3.exe+6F1CE0
"witcher3.exe"+6F1CEF: EB 15 - jmp witcher3.exe+6F1D06
"witcher3.exe"+6F1CF1: 85 C9 - test ecx,ecx
"witcher3.exe"+6F1CF3: 78 11 - js witcher3.exe+6F1D06
"witcher3.exe"+6F1CF5: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+6F1CF8: 7D 0C - jnl witcher3.exe+6F1D06
"witcher3.exe"+6F1CFA: 48 63 C1 - movsxd rax,ecx
"witcher3.exe"+6F1CFD: 48 C1 E0 07 - shl rax,07
// ---------- INJECTING HERE ----------
"witcher3.exe"+6F1D01: 46 8B 54 08 64 - mov r10d,[rax+r9+64]
// ---------- DONE INJECTING ----------
"witcher3.exe"+6F1D06: 48 85 FF - test rdi,rdi
"witcher3.exe"+6F1D09: 74 03 - je witcher3.exe+6F1D0E
"witcher3.exe"+6F1D0B: 44 89 17 - mov [rdi],r10d
"witcher3.exe"+6F1D0E: 48 8B 5C 24 38 - mov rbx,[rsp+38]
"witcher3.exe"+6F1D13: 48 8B 74 24 40 - mov rsi,[rsp+40]
"witcher3.exe"+6F1D18: 48 83 C4 20 - add rsp,20
"witcher3.exe"+6F1D1C: 5F - pop rdi
"witcher3.exe"+6F1D1D: C3 - ret
"witcher3.exe"+6F1D1E: CC - int 3
"witcher3.exe"+6F1D1F: CC - int 3
}
38
"Experience"
Auto Assembler Script
[ENABLE]
// Locates the sequence `add [rbx],eax` / `mov eax,[rbx]` / `test rsi,rsi` by
// signature and publishes its address as the symbol `xp`. No game code is
// modified by this entry.
aobscanmodule(xp,witcher3.exe,01038B034885F6)
registersymbol(xp)
[DISABLE]
unregistersymbol(xp)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+17F8160
"witcher3.exe"+17F813E: 48 8B 47 30 - mov rax,[rdi+30]
"witcher3.exe"+17F8142: 48 8B D7 - mov rdx,rdi
"witcher3.exe"+17F8145: 0F B6 08 - movzx ecx,byte ptr [rax]
"witcher3.exe"+17F8148: 48 FF C0 - inc rax
"witcher3.exe"+17F814B: 48 89 47 30 - mov [rdi+30],rax
"witcher3.exe"+17F814F: 8B C1 - mov eax,ecx
"witcher3.exe"+17F8151: 48 8B 0F - mov rcx,[rdi]
"witcher3.exe"+17F8154: 41 FF 14 C6 - call qword ptr [r14+rax*8]
"witcher3.exe"+17F8158: 48 FF 47 30 - inc [rdi+30]
"witcher3.exe"+17F815C: 8B 44 24 50 - mov eax,[rsp+50]
// ---------- INJECTING HERE ----------
"witcher3.exe"+17F8160: 01 03 - add [rbx],eax
"witcher3.exe"+17F8162: 8B 03 - mov eax,[rbx]
"witcher3.exe"+17F8164: 48 85 F6 - test rsi,rsi
// ---------- DONE INJECTING ----------
"witcher3.exe"+17F8167: 74 02 - je witcher3.exe+17F816B
"witcher3.exe"+17F8169: 89 06 - mov [rsi],eax
"witcher3.exe"+17F816B: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+17F8170: 48 83 C4 20 - add rsp,20
"witcher3.exe"+17F8174: 41 5E - pop r14
"witcher3.exe"+17F8176: 5F - pop rdi
"witcher3.exe"+17F8177: 5E - pop rsi
"witcher3.exe"+17F8178: C3 - ret
"witcher3.exe"+17F8179: CC - int 3
"witcher3.exe"+17F817A: CC - int 3
}
40
"Mouseover"
Auto Assembler Script
[ENABLE]
// Pass-through detour over the 5-byte load `movss xmm0,[rax+74]`.
// As written the detour only replays the original instruction and publishes
// the `mouseover` symbol.
// NOTE(review): the "Mouseover 2" entry registers the same symbol name for a
// different address. If both are enabled, the name resolves to whichever was
// registered last, and this script's [DISABLE] would then write its bytes at
// the other site; confirm the two are never enabled together.
aobscanmodule(mouseover,witcher3.exe,F3 0F 10 40 74 EB)
alloc(newmem,$1000,mouseover)
label(resume)

newmem:
  movss xmm0,[rax+74]         // original instruction
  jmp resume

mouseover:
  jmp newmem
resume:

registersymbol(mouseover)

[DISABLE]
// Restore the original bytes.
mouseover:
  db F3 0F 10 40 74

unregistersymbol(mouseover)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6F5035
"witcher3.exe"+6F501E: 5F - pop rdi
"witcher3.exe"+6F501F: C3 - ret
"witcher3.exe"+6F5020: 85 C9 - test ecx,ecx
"witcher3.exe"+6F5022: 78 DB - js witcher3.exe+6F4FFF
"witcher3.exe"+6F5024: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+6F5027: 7D D6 - jnl witcher3.exe+6F4FFF
"witcher3.exe"+6F5029: 48 63 C1 - movsxd rax,ecx
"witcher3.exe"+6F502C: 48 C1 E0 07 - shl rax,07
"witcher3.exe"+6F5030: 49 03 C1 - add rax,r9
"witcher3.exe"+6F5033: 74 CA - je witcher3.exe+6F4FFF
// ---------- INJECTING HERE ----------
"witcher3.exe"+6F5035: F3 0F 10 40 74 - movss xmm0,[rax+74]
// ---------- DONE INJECTING ----------
"witcher3.exe"+6F503A: EB CB - jmp witcher3.exe+6F5007
"witcher3.exe"+6F503C: CC - int 3
"witcher3.exe"+6F503D: CC - int 3
"witcher3.exe"+6F503E: CC - int 3
"witcher3.exe"+6F503F: CC - int 3
"witcher3.exe"+6F5040: CC - int 3
"witcher3.exe"+6F5041: CC - int 3
"witcher3.exe"+6F5042: CC - int 3
"witcher3.exe"+6F5043: CC - int 3
"witcher3.exe"+6F5044: CC - int 3
}
41
"Mouseover 2"
Auto Assembler Script
[ENABLE]
// Pass-through detour over the 5-byte load `movss xmm0,[rdi+74]`.
// As written the detour only replays the original instruction and publishes
// the `mouseover` symbol.
// NOTE(review): the "Mouseover" entry registers the same symbol name for a
// different address. If both are enabled, the name resolves to whichever was
// registered last, and this script's [DISABLE] would then write its bytes at
// the other site; confirm the two are never enabled together.
aobscanmodule(mouseover,witcher3.exe,F3 0F 10 47 74 0F 2F C2)
alloc(newmem,$1000,mouseover)
label(resume)

newmem:
  movss xmm0,[rdi+74]         // original instruction
  jmp resume

mouseover:
  jmp newmem
resume:

registersymbol(mouseover)

[DISABLE]
// Restore the original bytes.
mouseover:
  db F3 0F 10 47 74

unregistersymbol(mouseover)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6EAB2E
"witcher3.exe"+6EAB06: F3 0F 10 8B C4 00 00 00 - movss xmm1,[rbx+000000C4]
"witcher3.exe"+6EAB0E: 0F 57 D2 - xorps xmm2,xmm2
"witcher3.exe"+6EAB11: 0F 2F CA - comiss xmm1,xmm2
"witcher3.exe"+6EAB14: 77 18 - ja witcher3.exe+6EAB2E
"witcher3.exe"+6EAB16: F3 0F 10 05 42 61 59 01 - movss xmm0,[witcher3.exe+1C80C60]
"witcher3.exe"+6EAB1E: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+6EAB23: 48 8B 74 24 38 - mov rsi,[rsp+38]
"witcher3.exe"+6EAB28: 48 83 C4 20 - add rsp,20
"witcher3.exe"+6EAB2C: 5F - pop rdi
"witcher3.exe"+6EAB2D: C3 - ret
// ---------- INJECTING HERE ----------
"witcher3.exe"+6EAB2E: F3 0F 10 47 74 - movss xmm0,[rdi+74]
// ---------- DONE INJECTING ----------
"witcher3.exe"+6EAB33: 0F 2F C2 - comiss xmm0,xmm2
"witcher3.exe"+6EAB36: 73 03 - jae witcher3.exe+6EAB3B
"witcher3.exe"+6EAB38: 0F 28 C2 - movaps xmm0,xmm2
"witcher3.exe"+6EAB3B: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+6EAB40: 48 8B 74 24 38 - mov rsi,[rsp+38]
"witcher3.exe"+6EAB45: F3 0F 5E C1 - divss xmm0,xmm1
"witcher3.exe"+6EAB49: 48 83 C4 20 - add rsp,20
"witcher3.exe"+6EAB4D: 5F - pop rdi
"witcher3.exe"+6EAB4E: C3 - ret
"witcher3.exe"+6EAB4F: CC - int 3
}
193
"Sample Call to Get Item Name"
Auto Assembler Script
[ENABLE]
// Locates a call sequence by signature and publishes its address as "call_item_name".
// Nothing is patched. The "*" wildcards cover the rel32 displacements of the two E8
// calls, so the match does not depend on where the callees sit in a given build.
aobscanmodule(call_item_name,witcher3.exe,48 8D 4C 24 48 E8 * * * * 48 8D 4C 24 20 48 8B D0 E8 * * * * 48 85 DB)
registersymbol(call_item_name)
[DISABLE]
// only the symbol is removed; no memory was modified
unregistersymbol(call_item_name)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+7E723
"witcher3.exe"+7E6F6: 48 8B 42 30 - mov rax,[rdx+30]
"witcher3.exe"+7E6FA: C7 44 24 48 00 00 00 00 - mov [rsp+48],00000000
"witcher3.exe"+7E702: 49 8B D8 - mov rbx,r8
"witcher3.exe"+7E705: 44 0F B6 08 - movzx r9d,byte ptr [rax]
"witcher3.exe"+7E709: 48 FF C0 - inc rax
"witcher3.exe"+7E70C: 4C 8D 44 24 48 - lea r8,[rsp+48]
"witcher3.exe"+7E711: 48 89 42 30 - mov [rdx+30],rax
"witcher3.exe"+7E715: 41 8B C1 - mov eax,r9d
"witcher3.exe"+7E718: 4C 8D 0D E1 50 7B 02 - lea r9,[witcher3.exe+2833800]
"witcher3.exe"+7E71F: 41 FF 14 C1 - call qword ptr [r9+rax*8]
// ---------- INJECTING HERE ----------
"witcher3.exe"+7E723: 48 8D 4C 24 48 - lea rcx,[rsp+48]
// ---------- DONE INJECTING ----------
"witcher3.exe"+7E728: E8 B3 1F F9 FF - call item_name
"witcher3.exe"+7E72D: 48 8D 4C 24 20 - lea rcx,[rsp+20]
"witcher3.exe"+7E732: 48 8B D0 - mov rdx,rax
"witcher3.exe"+7E735: E8 46 AD F8 FF - call witcher3.exe+9480
"witcher3.exe"+7E73A: 48 85 DB - test rbx,rbx
"witcher3.exe"+7E73D: 74 17 - je witcher3.exe+7E756
"witcher3.exe"+7E73F: 48 8D 44 24 20 - lea rax,[rsp+20]
"witcher3.exe"+7E744: 48 3B C3 - cmp rax,rbx
"witcher3.exe"+7E747: 74 0D - je witcher3.exe+7E756
"witcher3.exe"+7E749: 48 8D 54 24 20 - lea rdx,[rsp+20]
}
197
"GodMode"
String
64
1
1
witcher3.exe+27f07f8
0
0
2F8
11830
209
"ConGeralt Array"
Auto Assembler Script
[ENABLE]
// Finds a 12-byte data pattern with aobscan (not limited to the witcher3.exe module)
// and publishes the match as "ConGeralt". Nothing is patched; the entries that follow
// read ConGeralt+10 and ConGeralt+18.
// NOTE(review): the pattern is short and half of it is zero bytes. If it matches
// somewhere else first, the dependent entries would read and write unrelated memory.
// Confirm uniqueness.
aobscan(ConGeralt,34 80 01 00 00 00 00 00 34 80 01 00)
registersymbol(ConGeralt)
[DISABLE]
unregistersymbol(ConGeralt)
247
"Array Size (Do Not Touch)"
4 Bytes
ConGeralt+18
210
"Array Base Address"
String
0
0
1
ConGeralt+10
0
246
"Base Vitality"
Float
+c
211
"Base Stamina"
Float
+24
212
"Base Air"
Float
+3c
213
"Base Swimming Stamina"
Float
+54
214
"Base Focus"
Float
+6c
215
"Base Toxicity"
Float
+84
216
"Base Weight Limit"
Float
+9c
217
"Base Health Regeneration"
Float
+b4
218
"Base Health Regeneration in Combat"
Float
+e4
219
"Base Stamina Regeneration"
Float
+12c
222
"Base Poison Resistance"
Float
+33c
223
"Base Bleeding Resistance"
Float
+354
239
"Critical Hit Chance Multiplier"
Float
+864
245
"GeraltSkills Pointer"
Auto Assembler Script
[ENABLE]
// Finds a 12-byte data pattern with aobscan (whole-process scan, not module-limited)
// and publishes the match as "GeraltSkills". Nothing is patched.
// NOTE(review): short, mostly-zero pattern; confirm it is unique before trusting
// entries that use this symbol as a base address.
aobscan(GeraltSkills,35 80 01 00 00 00 00 00 35 80 01 00)
registersymbol(GeraltSkills)
[DISABLE]
unregistersymbol(GeraltSkills)
248
"Base Address"
4 Bytes
GeraltSkills
250
"all_PC_ability Array"
Auto Assembler Script
[ENABLE]
// Finds a 12-byte data pattern with aobscan (whole-process scan, not module-limited)
// and publishes the match as "all_PC_ability". Nothing is patched; the entries that
// follow read all_PC_ability+10 and all_PC_ability+18.
// NOTE(review): short, mostly-zero pattern; confirm it is unique.
aobscan(all_PC_ability,A2 D3 00 00 00 00 00 00 A2 D3 00 00)
registersymbol(all_PC_ability)
[DISABLE]
unregistersymbol(all_PC_ability)
251
"Array Size (Do Not Touch)"
4 Bytes
all_PC_ability+18
252
"Array Base Address"
String
0
0
1
all_PC_ability+10
0
225
"Find Variable Addresses"
Auto Assembler Script
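[ENABLE]
// Find Variable Addresses: hooks the 6-byte "movss xmm6,[rbx+rsi+0C]" found by signature.
// When the identifier in eax equals the dword stored at find_var_id, the address of the
// value being loaded (rbx+rsi+0C) is recorded in find_var_ptr, a table of 0xA (10) slots
// of 8 bytes each. Each distinct address is stored once; when the table is full, further
// addresses are dropped. The scan relies on the table starting zero-filled.
aobscanmodule(find_var,witcher3.exe,F3 0F 10 74 33 0C 0F 2F)
alloc(newmem,$1000,find_var)
alloc(find_var_ptr,80)
alloc(find_var_id,4)
label(code)
label(return)
label(loop)
label(save)
label(exit)
newmem:
// eax = identifier the game just compared against [rbx+rsi] before reaching the hook
cmp [find_var_id],eax
jne code
// rax/rcx/rdx are used as scratch below and restored at exit
push rax
push rcx
push rdx
// rdx = slot index, rcx = address to record, rax = table base
xor rdx,rdx
lea rcx,[rbx+rsi+0C]
lea rax,[find_var_ptr]
loop:
// Slots hold 64-bit addresses, so the empty-slot test must cover all 8 bytes.
// An unsized operand would compare only part of the slot.
cmp qword ptr [rax+rdx*8],0
je save
// already recorded: nothing to do
cmp [rax+rdx*8],rcx
je exit
inc rdx
// stop after slot 9 so the scan never leaves the 80-byte table
cmp rdx,a
jl loop
jmp exit
save:
mov [rax+rdx*8],rcx
exit:
pop rdx
pop rcx
pop rax
code:
// original instruction, relocated
movss xmm6,[rbx+rsi+0C]
jmp return
find_var:
// 5-byte jmp plus one nop overwrite exactly the 6-byte movss
jmp newmem
nop
return:
registersymbol(find_var)
registersymbol(find_var_ptr)
registersymbol(find_var_id)
[DISABLE]
find_var:
// restore the original instruction bytes
db F3 0F 10 74 33 0C
unregistersymbol(find_var)
unregistersymbol(find_var_ptr)
unregistersymbol(find_var_id)
dealloc(newmem)
dealloc(find_var_ptr)
dealloc(find_var_id)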
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+A15E80
"witcher3.exe"+A15E4E: 0F 84 F7 00 00 00 - je witcher3.exe+A15F4B
"witcher3.exe"+A15E54: 83 78 10 00 - cmp dword ptr [rax+10],00
"witcher3.exe"+A15E58: 8B EB - mov ebp,ebx
"witcher3.exe"+A15E5A: 0F 86 EB 00 00 00 - jbe witcher3.exe+A15F4B
"witcher3.exe"+A15E60: 4C 8B BC 24 B0 00 00 00 - mov r15,[rsp+000000B0]
"witcher3.exe"+A15E68: 0F 1F 84 00 00 00 00 00 - nop [rax+rax+00000000]
"witcher3.exe"+A15E70: 49 8B 76 08 - mov rsi,[r14+08]
"witcher3.exe"+A15E74: 41 8B 07 - mov eax,[r15]
"witcher3.exe"+A15E77: 39 04 33 - cmp [rbx+rsi],eax
"witcher3.exe"+A15E7A: 0F 85 B4 00 00 00 - jne witcher3.exe+A15F34
// ---------- INJECTING HERE ----------
"witcher3.exe"+A15E80: F3 0F 10 74 33 0C - movss xmm6,[rbx+rsi+0C]
// ---------- DONE INJECTING ----------
"witcher3.exe"+A15E86: 0F 2F 74 33 10 - comiss xmm6,[rbx+rsi+10]
"witcher3.exe"+A15E8B: 73 75 - jae witcher3.exe+A15F02
"witcher3.exe"+A15E8D: 48 8D 8C 24 A8 00 00 00 - lea rcx,[rsp+000000A8]
"witcher3.exe"+A15E95: E8 26 80 10 00 - call witcher3.exe+B1DEC0
"witcher3.exe"+A15E9A: 41 0F B7 95 D0 00 00 00 - movzx edx,word ptr [r13+000000D0]
"witcher3.exe"+A15EA2: 48 8D 8C 24 A8 00 00 00 - lea rcx,[rsp+000000A8]
"witcher3.exe"+A15EAA: E8 41 80 10 00 - call witcher3.exe+B1DEF0
"witcher3.exe"+A15EAF: F3 0F 10 7C 33 10 - movss xmm7,[rbx+rsi+10]
"witcher3.exe"+A15EB5: F3 0F 10 74 33 0C - movss xmm6,[rbx+rsi+0C]
"witcher3.exe"+A15EBB: 0F 2E F7 - ucomiss xmm6,xmm7
}
226
"Variable Identifier"
4 Bytes
find_var_id
237
"Variable Identifier (Hex)"
1
4 Bytes
find_var_id
227
"Variable Address 1"
Float
find_var_ptr
0
228
"Variable Address 2"
Float
find_var_ptr+8
0
236
"Variable Address 3"
Float
find_var_ptr+10
0
235
"Variable Address 4"
Float
find_var_ptr+18
0
234
"Variable Address 5"
Float
find_var_ptr+20
0
233
"Variable Address 6"
Float
find_var_ptr+28
0
232
"Variable Address 7"
Float
find_var_ptr+30
0
231
"Variable Address 8"
Float
find_var_ptr+38
0
230
"Variable Address 9"
Float
find_var_ptr+40
0
229
"Variable Address 10"
Float
find_var_ptr+48
0
25
"Unlimited Health"
Auto Assembler Script
[ENABLE]
// Unlimited Health: hooks the 5 bytes "mov ecx,[rax+rdx*4]" / "mov [rsi],ecx" found by
// signature. rdx is the array index computed just before the hook (lea rdx,[rax+rax*2]).
// For index 0 the detour copies the dword at [rax+rdx*4+4] over the value at [rax+rdx*4]
// and returns that copy. All other indices run the original code.
// NOTE(review): nothing here checks which object rax belongs to, so presumably this
// applies to every entity read through this path. Confirm.
// NOTE(review): "Activate Player Scripts (old)" scans for the same 5-byte signature.
// Once either script has written its jmp, the other's scan presumably fails.
aobscanmodule(status,witcher3.exe,8B 0C 90 89 0E)
alloc(newmem,$1000,status)
//alloc(status_on,6)
label(code)
label(return)
label(cheat)
newmem:
//health
cmp rdx,0
je cheat
//stamina
//cmp rdx,3
//je cheat
jmp code
cheat:
// disabled per-stat on/off table (status_on) kept by the author for reference
//mov rcx,status_on
//add rcx,rdx
//cmp byte ptr [rcx],1
//jne code
// read the neighbouring dword (index+1), then step back and overwrite the current value
inc rdx
mov ecx,[rax+rdx*4]
dec rdx
mov [rax+rdx*4],ecx
// same store the original code performs, now with the copied value
mov [rsi],ecx
jmp return
code:
// original instructions, relocated
mov ecx,[rax+rdx*4]
mov [rsi],ecx
jmp return
status:
// 5-byte jmp overwrites the 3-byte and 2-byte originals
jmp newmem
return:
registersymbol(status)
//registersymbol(status_on)
[DISABLE]
status:
// restore the original instruction bytes
db 8B 0C 90 89 0E
unregistersymbol(status)
//unregistersymbol(status_on)
dealloc(newmem)
//dealloc(status_on)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D95F81
"witcher3.exe"+D95F5D: 4C 8D 74 24 60 - lea r14,[rsp+60]
"witcher3.exe"+D95F62: 48 8B CD - mov rcx,rbp
"witcher3.exe"+D95F65: 4C 0F 45 F0 - cmovne r14,rax
"witcher3.exe"+D95F69: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+D95F6D: E8 5E E6 FF FF - call witcher3.exe+D945D0
"witcher3.exe"+D95F72: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D95F75: 74 1E - je witcher3.exe+D95F95
"witcher3.exe"+D95F77: 48 98 - cdqe
"witcher3.exe"+D95F79: 48 8D 14 40 - lea rdx,[rax+rax*2]
"witcher3.exe"+D95F7D: 48 8B 45 60 - mov rax,[rbp+60]
// ---------- INJECTING HERE ----------
"witcher3.exe"+D95F81: 8B 0C 90 - mov ecx,[rax+rdx*4]
"witcher3.exe"+D95F84: 89 0E - mov [rsi],ecx
// ---------- DONE INJECTING ----------
"witcher3.exe"+D95F86: 48 8B 45 60 - mov rax,[rbp+60]
"witcher3.exe"+D95F8A: 8B 4C 90 04 - mov ecx,[rax+rdx*4+04]
"witcher3.exe"+D95F8E: B0 01 - mov al,01
"witcher3.exe"+D95F90: 41 89 0E - mov [r14],ecx
"witcher3.exe"+D95F93: EB 0F - jmp witcher3.exe+D95FA4
"witcher3.exe"+D95F95: C7 06 00 00 80 BF - mov [rsi],BF800000
"witcher3.exe"+D95F9B: 32 C0 - xor al,al
"witcher3.exe"+D95F9D: 41 C7 06 00 00 80 BF - mov [r14],BF800000
"witcher3.exe"+D95FA4: 48 85 FF - test rdi,rdi
"witcher3.exe"+D95FA7: 74 02 - je witcher3.exe+D95FAB
}
30
"Unlimited Stamina/Breath"
Auto Assembler Script
[ENABLE]
// Unlimited Stamina/Breath: hooks the 5-byte store "movss [rax+rcx*4],xmm6" found by
// signature. rcx is the array index computed just before the hook (lea rcx,[rax+rax*2]).
// For index 3 or 0xC the value about to be stored is replaced by the float at
// [rax+rcx*4+4]. All other indices store xmm6 unchanged.
// xmm6 is overwritten on the cheat path; the hooked function reloads it from [rsp+30]
// afterwards.
// NOTE(review): the HEAD "Activate Player Scripts" entry and "Activate Player Scripts
// (old)" scan for this same signature. Once one has written its jmp, the others' scans
// presumably fail.
aobscanmodule(stamina,witcher3.exe,F3 0F 11 34 88 83 FB)
alloc(newmem,$1000,stamina)
label(code)
label(return)
label(cheat)
newmem:
//stamina
cmp rcx,3
je cheat
//breath
cmp rcx,c
je cheat
jmp code
cheat:
// load the neighbouring float (index+1) into xmm6, then step the index back
inc rcx
movss xmm6,[rax+rcx*4]
dec rcx
code:
// original instruction, relocated
movss [rax+rcx*4],xmm6
jmp return
stamina:
// 5-byte jmp overwrites exactly the 5-byte movss
jmp newmem
return:
registersymbol(stamina)
[DISABLE]
stamina:
// restore the original instruction bytes
db F3 0F 11 34 88
unregistersymbol(stamina)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D96063
"witcher3.exe"+D9603F: 8B D3 - mov edx,ebx
"witcher3.exe"+D96041: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D96044: 0F 29 74 24 30 - movaps [rsp+30],xmm6
"witcher3.exe"+D96049: F3 0F 10 74 24 68 - movss xmm6,[rsp+68]
"witcher3.exe"+D9604F: E8 7C E5 FF FF - call witcher3.exe+D945D0
"witcher3.exe"+D96054: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D96057: 74 2B - je witcher3.exe+D96084
"witcher3.exe"+D96059: 48 98 - cdqe
"witcher3.exe"+D9605B: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+D9605F: 48 8B 47 60 - mov rax,[rdi+60]
// ---------- INJECTING HERE ----------
"witcher3.exe"+D96063: F3 0F 11 34 88 - movss [rax+rcx*4],xmm6
// ---------- DONE INJECTING ----------
"witcher3.exe"+D96068: 83 FB 06 - cmp ebx,06
"witcher3.exe"+D9606B: 75 17 - jne witcher3.exe+D96084
"witcher3.exe"+D9606D: 8B 05 95 D0 CF 01 - mov eax,[witcher3.exe+2A93108]
"witcher3.exe"+D96073: 48 8D 54 24 20 - lea rdx,[rsp+20]
"witcher3.exe"+D96078: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D9607B: 89 44 24 20 - mov [rsp+20],eax
"witcher3.exe"+D9607F: E8 3C 02 2B FF - call witcher3.exe+462C0
"witcher3.exe"+D96084: 0F 28 74 24 30 - movaps xmm6,[rsp+30]
"witcher3.exe"+D96089: 48 8B 5C 24 60 - mov rbx,[rsp+60]
"witcher3.exe"+D9608E: 48 83 C4 40 - add rsp,40
}
32
"Full Adrenaline"
Auto Assembler Script
[ENABLE]
// Full Adrenaline: hooks the 5-byte load "movss xmm0,[rax+rcx*4]" found by signature
// (the trailing EB is the following short jmp). rcx is the array index computed just
// before the hook. For index 9 the float at [rax+rcx*4+4] is copied over the value at
// [rax+rcx*4] and returned in xmm0. All other indices load normally.
aobscanmodule(rage,witcher3.exe,F3 0F 10 04 88 EB)
alloc(newmem,$1000,rage)
label(code)
label(return)
newmem:
cmp rcx,9
jne code
// read the neighbouring float (index+1), step back, and write it over the current value
inc rcx
movss xmm0,[rax+rcx*4]
dec rcx
movss [rax+rcx*4],xmm0
jmp return
code:
// original instruction, relocated
movss xmm0,[rax+rcx*4]
jmp return
rage:
// 5-byte jmp overwrites exactly the 5-byte movss
jmp newmem
return:
registersymbol(rage)
[DISABLE]
rage:
// restore the original instruction bytes
db F3 0F 10 04 88
unregistersymbol(rage)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D95D27
"witcher3.exe"+D95D04: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+D95D08: 8B 54 24 48 - mov edx,[rsp+48]
"witcher3.exe"+D95D0C: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+D95D10: 48 8B CE - mov rcx,rsi
"witcher3.exe"+D95D13: E8 B8 E8 FF FF - call witcher3.exe+D945D0
"witcher3.exe"+D95D18: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D95D1B: 74 11 - je witcher3.exe+D95D2E
"witcher3.exe"+D95D1D: 48 98 - cdqe
"witcher3.exe"+D95D1F: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+D95D23: 48 8B 46 60 - mov rax,[rsi+60]
// ---------- INJECTING HERE ----------
"witcher3.exe"+D95D27: F3 0F 10 04 88 - movss xmm0,[rax+rcx*4]
// ---------- DONE INJECTING ----------
"witcher3.exe"+D95D2C: EB 08 - jmp witcher3.exe+D95D36
"witcher3.exe"+D95D2E: F3 0F 10 05 2A AF EE 00 - movss xmm0,[witcher3.exe+1C80C60]
"witcher3.exe"+D95D36: 48 85 FF - test rdi,rdi
"witcher3.exe"+D95D39: 74 04 - je witcher3.exe+D95D3F
"witcher3.exe"+D95D3B: F3 0F 11 07 - movss [rdi],xmm0
"witcher3.exe"+D95D3F: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+D95D44: 48 83 C4 20 - add rsp,20
"witcher3.exe"+D95D48: 5F - pop rdi
"witcher3.exe"+D95D49: 5E - pop rsi
"witcher3.exe"+D95D4A: 5D - pop rbp
}
9956
"Ignore Crafting Material Requirements"
Auto Assembler Script
[ENABLE]
// Ignore Crafting Material Requirements: replaces a 5-byte call with "mov eax,9999"
// (B8 + 32-bit immediate), so the "mov ecx,eax" that follows sees a constant instead of
// the call's return value.
// The original 5 bytes are copied into crafting_backup first, and [DISABLE] writes them
// back. This restores the build-specific call displacement exactly, which a hard-coded
// db line could not.
// NOTE(review): the signature starts with a fully wildcarded call and has only five
// fixed bytes (8B C8 48 85 FF); confirm it matches a single location.
aobscanmodule(crafting,witcher3.exe,E8 * * * * 8B C8 48 85 FF)
alloc(crafting_backup,5)
crafting_backup:
// save the original call before it is overwritten
readmem(crafting,5)
crafting:
// B8 imm32 = mov eax,imm32; "#" marks the immediate as decimal
db B8
dd #9999
registersymbol(crafting)
registersymbol(crafting_backup)
[DISABLE]
crafting:
// restore the saved original bytes
readmem(crafting_backup,5)
unregistersymbol(crafting)
unregistersymbol(crafting_backup)
dealloc(crafting_backup)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6F18BA
"witcher3.exe"+6F1892: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+6F1896: 8B 44 24 50 - mov eax,[rsp+50]
"witcher3.exe"+6F189A: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+6F189E: 33 C9 - xor ecx,ecx
"witcher3.exe"+6F18A0: 3B 05 2A 0A 12 02 - cmp eax,[witcher3.exe+28122D0]
"witcher3.exe"+6F18A6: 74 19 - je witcher3.exe+6F18C1
"witcher3.exe"+6F18A8: 44 0F B6 44 24 48 - movzx r8d,byte ptr [rsp+48]
"witcher3.exe"+6F18AE: 48 8D 54 24 58 - lea rdx,[rsp+58]
"witcher3.exe"+6F18B3: 48 8B CE - mov rcx,rsi
"witcher3.exe"+6F18B6: 89 44 24 58 - mov [rsp+58],eax
// ---------- INJECTING HERE ----------
"witcher3.exe"+6F18BA: E8 51 6B FF FF - call witcher3.exe+6E8410
// ---------- DONE INJECTING ----------
"witcher3.exe"+6F18BF: 8B C8 - mov ecx,eax
"witcher3.exe"+6F18C1: 48 85 FF - test rdi,rdi
"witcher3.exe"+6F18C4: 74 02 - je witcher3.exe+6F18C8
"witcher3.exe"+6F18C6: 89 0F - mov [rdi],ecx
"witcher3.exe"+6F18C8: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+6F18CD: 48 83 C4 20 - add rsp,20
"witcher3.exe"+6F18D1: 5F - pop rdi
"witcher3.exe"+6F18D2: 5E - pop rsi
"witcher3.exe"+6F18D3: 5D - pop rbp
"witcher3.exe"+6F18D4: C3 - ret
}
10034
"Craftsman Type"
Auto Assembler Script
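[ENABLE]
// Craftsman Type: pass-through hook on the 6-byte "mov eax,[rcx+00000080]" found by
// signature (the instruction is followed by ret and int 3 padding). The detour runs the
// original instruction unchanged, so enabling this entry only creates a hook point and
// publishes "craftsman_type".
aobscanmodule(craftsman_type,witcher3.exe,8B 81 80 00 00 00 C3 CC CC CC CC CC CC CC CC CC 48 89) // should be unique
// Allocate near the scanned address instead of a hard-coded module offset, so the
// placement hint follows the signature match like the other scripts in this table.
alloc(newmem,$1000,craftsman_type)
label(code)
label(return)
newmem:
code:
// original instruction, relocated
mov eax,[rcx+00000080]
jmp return
craftsman_type:
// 5-byte jmp plus one nop overwrite exactly the 6-byte mov
jmp code
nop
return:
registersymbol(craftsman_type)
[DISABLE]
craftsman_type:
// restore the original instruction bytes
db 8B 81 80 00 00 00
unregistersymbol(craftsman_type)
dealloc(newmem)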
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+2F1A0
"witcher3.exe"+2F196: C3 - ret
"witcher3.exe"+2F197: CC - int 3
"witcher3.exe"+2F198: CC - int 3
"witcher3.exe"+2F199: CC - int 3
"witcher3.exe"+2F19A: CC - int 3
"witcher3.exe"+2F19B: CC - int 3
"witcher3.exe"+2F19C: CC - int 3
"witcher3.exe"+2F19D: CC - int 3
"witcher3.exe"+2F19E: CC - int 3
"witcher3.exe"+2F19F: CC - int 3
// ---------- INJECTING HERE ----------
"witcher3.exe"+2F1A0: 8B 81 80 00 00 00 - mov eax,[rcx+00000080]
// ---------- DONE INJECTING ----------
"witcher3.exe"+2F1A6: C3 - ret
"witcher3.exe"+2F1A7: CC - int 3
"witcher3.exe"+2F1A8: CC - int 3
"witcher3.exe"+2F1A9: CC - int 3
"witcher3.exe"+2F1AA: CC - int 3
"witcher3.exe"+2F1AB: CC - int 3
"witcher3.exe"+2F1AC: CC - int 3
"witcher3.exe"+2F1AD: CC - int 3
"witcher3.exe"+2F1AE: CC - int 3
"witcher3.exe"+2F1AF: CC - int 3
}
255
"Activate Player Scripts (old)"
Auto Assembler Script
[ENABLE]
// Activate Player Scripts (old): installs two hooks and publishes a flag table.
//   player       - on the read "mov ecx,[rax+rdx*4]" / "mov [rsi],ecx"; remembers rax
//                  in player_ptr, then runs the original code.
//   player_stats - on the write "movss [rax+rcx*4],xmm6"; decides per write whether to
//                  keep, replace or zero the value.
//   player_hack  - 256-byte flag table. Byte [player_hack+rcx] enables the effect for
//                  array index rcx; byte [player_hack+2] is the switch for the non-player
//                  path. The small toggle entries after this script set these bytes.
// NOTE(review): both signatures are also used by other entries ("Unlimited Health",
// "Unlimited Stamina/Breath", HEAD "Activate Player Scripts"). Once one script has
// written its jmp, another script's scan for the same bytes presumably fails.
aobscanmodule(player,witcher3.exe,8B 0C 90 89 0E)
aobscanmodule(player_stats,witcher3.exe,F3 0F 11 34 88 83 FB)
alloc(newmem,$1000,player)
alloc(newmem2,$1000,player_stats)
alloc(player_ptr,8)
alloc(player_hack,256)
label(code)
label(return)
label(code2)
label(return2)
label(isplayer)
label(ishorse)
label(isnpc)
label(setzero)
newmem:
// record the object base used by the most recent read through this path
// NOTE(review): assumes that read is always for the player object; confirm
mov [player_ptr],rax
code:
// original instructions, relocated
mov ecx,[rax+rdx*4]
mov [rsi],ecx
jmp return
player:
// 5-byte jmp overwrites the 3-byte and 2-byte originals
jmp newmem
return:
newmem2:
// an object whose field at +2C equals 8 is treated like the player (label: ishorse)
cmp [rax+2C],8
je ishorse
// any other object that is not the recorded player_ptr takes the non-player path
cmp [player_ptr],rax
jne isnpc
ishorse:
// flag lookup: byte [player_hack+rcx]; rbx is borrowed and restored.
// pop does not change flags, so the jne below still tests the cmp result.
// NOTE(review): rcx is not range-checked against the 256-byte table
push rbx
mov rbx,player_hack
cmp byte ptr [rbx+rcx],1
pop rbx
jne isplayer
cmp [rax+rcx*4+8],3//toxicity
je setzero
// flag set and not toxicity: store the neighbouring float (index+1) instead of xmm6
inc rcx
movss xmm6,[rax+rcx*4]
dec rcx
jmp isplayer
isplayer:
// original store (xmm6 may have been replaced above)
movss [rax+rcx*4],xmm6
jmp return2
setzero:
// toxicity with its flag set: force the stored value to 0
mov dword ptr [rax+rcx*4],0
jmp return2
isnpc:
// with the player_hack+2 switch set, every write on this path stores 0.0
cmp byte ptr [player_hack+2],1
jne code2
xorps xmm6,xmm6
code2:
movss [rax+rcx*4],xmm6
jmp return2
player_stats:
// 5-byte jmp overwrites exactly the 5-byte movss
jmp newmem2
return2:
registersymbol(player)
registersymbol(player_ptr)
registersymbol(player_stats)
registersymbol(player_hack)
[DISABLE]
player:
// restore the original bytes at both hook sites
db 8B 0C 90 89 0E
player_stats:
db F3 0F 11 34 88
unregistersymbol(player)
unregistersymbol(player_ptr)
unregistersymbol(player_stats)
unregistersymbol(player_hack)
dealloc(newmem)
dealloc(newmem2)
dealloc(player_ptr)
dealloc(player_hack)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D95501
"witcher3.exe"+D954DD: 4C 8D 74 24 60 - lea r14,[rsp+60]
"witcher3.exe"+D954E2: 48 8B CD - mov rcx,rbp
"witcher3.exe"+D954E5: 4C 0F 45 F0 - cmovne r14,rax
"witcher3.exe"+D954E9: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+D954ED: E8 5E E6 FF FF - call witcher3.exe+D93B50
"witcher3.exe"+D954F2: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D954F5: 74 1E - je witcher3.exe+D95515
"witcher3.exe"+D954F7: 48 98 - cdqe
"witcher3.exe"+D954F9: 48 8D 14 40 - lea rdx,[rax+rax*2]
"witcher3.exe"+D954FD: 48 8B 45 60 - mov rax,[rbp+60]
// ---------- INJECTING HERE ----------
"witcher3.exe"+D95501: 8B 0C 90 - mov ecx,[rax+rdx*4]
"witcher3.exe"+D95504: 89 0E - mov [rsi],ecx
// ---------- DONE INJECTING ----------
"witcher3.exe"+D95506: 48 8B 45 60 - mov rax,[rbp+60]
"witcher3.exe"+D9550A: 8B 4C 90 04 - mov ecx,[rax+rdx*4+04]
"witcher3.exe"+D9550E: B0 01 - mov al,01
"witcher3.exe"+D95510: 41 89 0E - mov [r14],ecx
"witcher3.exe"+D95513: EB 0F - jmp witcher3.exe+D95524
"witcher3.exe"+D95515: C7 06 00 00 80 BF - mov [rsi],BF800000
"witcher3.exe"+D9551B: 32 C0 - xor al,al
"witcher3.exe"+D9551D: 41 C7 06 00 00 80 BF - mov [r14],BF800000
"witcher3.exe"+D95524: 48 85 FF - test rdi,rdi
"witcher3.exe"+D95527: 74 02 - je witcher3.exe+D9552B
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+D955E3
"witcher3.exe"+D955BF: 8B D3 - mov edx,ebx
"witcher3.exe"+D955C1: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D955C4: 0F 29 74 24 30 - movaps [rsp+30],xmm6
"witcher3.exe"+D955C9: F3 0F 10 74 24 68 - movss xmm6,[rsp+68]
"witcher3.exe"+D955CF: E8 7C E5 FF FF - call witcher3.exe+D93B50
"witcher3.exe"+D955D4: 83 F8 FF - cmp eax,-01
"witcher3.exe"+D955D7: 74 2B - je witcher3.exe+D95604
"witcher3.exe"+D955D9: 48 98 - cdqe
"witcher3.exe"+D955DB: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+D955DF: 48 8B 47 60 - mov rax,[rdi+60]
// ---------- INJECTING HERE ----------
"witcher3.exe"+D955E3: F3 0F 11 34 88 - movss [rax+rcx*4],xmm6
// ---------- DONE INJECTING ----------
"witcher3.exe"+D955E8: 83 FB 06 - cmp ebx,06
"witcher3.exe"+D955EB: 75 17 - jne witcher3.exe+D95604
"witcher3.exe"+D955ED: 8B 05 85 DB CF 01 - mov eax,[witcher3.exe+2A93178]
"witcher3.exe"+D955F3: 48 8D 54 24 20 - lea rdx,[rsp+20]
"witcher3.exe"+D955F8: 48 8B CF - mov rcx,rdi
"witcher3.exe"+D955FB: 89 44 24 20 - mov [rsp+20],eax
"witcher3.exe"+D955FF: E8 0C 10 2B FF - call witcher3.exe+46610
"witcher3.exe"+D95604: 0F 28 74 24 30 - movaps xmm6,[rsp+30]
"witcher3.exe"+D95609: 48 8B 5C 24 60 - mov rbx,[rsp+60]
"witcher3.exe"+D9560E: 48 83 C4 40 - add rsp,40
}
9865
"Unlimited Health"
Auto Assembler Script
[ENABLE]
// Sets flag byte 0 of player_hack. The player_stats hook in "Activate Player Scripts
// (old)" reads byte [player_hack+rcx], so this flag applies to writes with index rcx = 0.
// Requires that script to be enabled first, because it registers player_hack.
player_hack+0:
db 1
[DISABLE]
// clear the flag
player_hack+0:
db 0
9866
"Unlimited Stamina"
Auto Assembler Script
[ENABLE]
// Sets flag byte 3 of player_hack. The player_stats hook in "Activate Player Scripts
// (old)" reads byte [player_hack+rcx], so this flag applies to writes with index rcx = 3.
// Requires that script to be enabled first, because it registers player_hack.
player_hack+3:
db 1
[DISABLE]
// clear the flag
player_hack+3:
db 0
9867
"Unlimited Adrenaline"
Auto Assembler Script
[ENABLE]
// Sets flag byte 9 of player_hack. The player_stats hook in "Activate Player Scripts
// (old)" reads byte [player_hack+rcx], so this flag applies to writes with index rcx = 9.
// Requires that script to be enabled first, because it registers player_hack.
player_hack+9:
db 1
[DISABLE]
// clear the flag
player_hack+9:
db 0
9868
"Unlimited Breath"
Auto Assembler Script
[ENABLE]
// Sets flag byte 0xC of player_hack. The player_stats hook in "Activate Player Scripts
// (old)" reads byte [player_hack+rcx], so this flag applies to writes with index rcx = 0xC.
// Requires that script to be enabled first, because it registers player_hack.
player_hack+C:
db 1
[DISABLE]
// clear the flag
player_hack+C:
db 0
10069
"No Toxicity"
Auto Assembler Script
[ENABLE]
// Sets flag byte 6 of player_hack. In the player_stats hook of "Activate Player Scripts
// (old)", a write with index rcx = 6 whose dword at [rax+rcx*4+8] equals 3 (commented
// "toxicity" there) is then forced to 0.
// Requires that script to be enabled first, because it registers player_hack.
player_hack+6:
db 1
[DISABLE]
// clear the flag
player_hack+6:
db 0
10039
"One Hit Kills"
Auto Assembler Script
[ENABLE]
// Sets byte 2 of player_hack. The player_stats hook in "Activate Player Scripts (old)"
// tests this byte on its non-player path (label isnpc) and, when it is 1, stores 0.0
// for every write that takes that path.
// Requires that script to be enabled first, because it registers player_hack.
player_hack+2:
db 1
[DISABLE]
// clear the flag
player_hack+2:
db 0
10100
"Pause Game"
Auto Assembler Script
[ENABLE]
// Pause Game: one-byte patch, no code cave. The signature matches
// "cmp dword ptr [rcx+00000150],00" plus the first two bytes of the next instruction.
// Offset +6 is that cmp's 8-bit immediate, changed here from 00 to 0A so the comparison
// is made against 0xA instead of 0.
aobscanmodule(pause_game,witcher3.exe,83 B9 50 01 00 00 00 0F 29)
pause_game+6:
db A
registersymbol(pause_game)
[DISABLE]
// restore the original immediate (00)
pause_game+6:
db 0
unregistersymbol(pause_game)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+CFDA8
"witcher3.exe"+CFD8C: CC - int 3
"witcher3.exe"+CFD8D: CC - int 3
"witcher3.exe"+CFD8E: CC - int 3
"witcher3.exe"+CFD8F: CC - int 3
"witcher3.exe"+CFD90: 40 55 - push rbp
"witcher3.exe"+CFD92: 53 - push rbx
"witcher3.exe"+CFD93: 48 8D AC 24 18 AD FE FF - lea rbp,[rsp-000152E8]
"witcher3.exe"+CFD9B: B8 E8 53 01 00 - mov eax,000153E8
"witcher3.exe"+CFDA0: E8 EB 39 D0 00 - call witcher3.exe+DD3790
"witcher3.exe"+CFDA5: 48 2B E0 - sub rsp,rax
// ---------- INJECTING HERE ----------
"witcher3.exe"+CFDA8: 83 B9 50 01 00 00 00 - cmp dword ptr [rcx+00000150],00
// ---------- DONE INJECTING ----------
"witcher3.exe"+CFDAF: 0F 29 B4 24 C0 53 01 00 - movaps [rsp+000153C0],xmm6
"witcher3.exe"+CFDB7: 0F 29 BC 24 B0 53 01 00 - movaps [rsp+000153B0],xmm7
"witcher3.exe"+CFDBF: 48 8B D9 - mov rbx,rcx
"witcher3.exe"+CFDC2: 0F 28 F9 - movaps xmm7,xmm1
"witcher3.exe"+CFDC5: 75 0F - jne witcher3.exe+CFDD6
"witcher3.exe"+CFDC7: 8B 81 58 01 00 00 - mov eax,[rcx+00000158]
"witcher3.exe"+CFDCD: 85 C0 - test eax,eax
"witcher3.exe"+CFDCF: 7F 05 - jg witcher3.exe+CFDD6
"witcher3.exe"+CFDD1: 0F 28 F1 - movaps xmm6,xmm1
"witcher3.exe"+CFDD4: EB 03 - jmp witcher3.exe+CFDD9
}
10109
"Add to Float"
Auto Assembler Script
[ENABLE]
// Locates "addss xmm0,[rbx]" / "movss [rbx],xmm0" by signature and publishes the address
// as "addToFloat". Nothing is patched.
// NOTE(review): the "Subtract from Float" entry scans for the identical signature, so
// both symbols resolve to the same address.
aobscanmodule(addToFloat,witcher3.exe,F3 0F 58 03 F3 0F 11 03 48)
registersymbol(addToFloat)
[DISABLE]
unregistersymbol(addToFloat)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+17F9BB1
"witcher3.exe"+17F9B8D: 48 8B 47 30 - mov rax,[rdi+30]
"witcher3.exe"+17F9B91: 48 8B D7 - mov rdx,rdi
"witcher3.exe"+17F9B94: 0F B6 08 - movzx ecx,byte ptr [rax]
"witcher3.exe"+17F9B97: 48 FF C0 - inc rax
"witcher3.exe"+17F9B9A: 48 89 47 30 - mov [rdi+30],rax
"witcher3.exe"+17F9B9E: 8B C1 - mov eax,ecx
"witcher3.exe"+17F9BA0: 48 8B 0F - mov rcx,[rdi]
"witcher3.exe"+17F9BA3: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+17F9BA7: 48 FF 47 30 - inc [rdi+30]
"witcher3.exe"+17F9BAB: F3 0F 10 44 24 50 - movss xmm0,[rsp+50]
// ---------- INJECTING HERE ----------
"witcher3.exe"+17F9BB1: F3 0F 58 03 - addss xmm0,[rbx]
"witcher3.exe"+17F9BB5: F3 0F 11 03 - movss [rbx],xmm0
// ---------- DONE INJECTING ----------
"witcher3.exe"+17F9BB9: 48 85 F6 - test rsi,rsi
"witcher3.exe"+17F9BBC: 74 04 - je witcher3.exe+17F9BC2
"witcher3.exe"+17F9BBE: F3 0F 11 06 - movss [rsi],xmm0
"witcher3.exe"+17F9BC2: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+17F9BC7: 48 83 C4 20 - add rsp,20
"witcher3.exe"+17F9BCB: 5F - pop rdi
"witcher3.exe"+17F9BCC: 5E - pop rsi
"witcher3.exe"+17F9BCD: 5D - pop rbp
"witcher3.exe"+17F9BCE: C3 - ret
"witcher3.exe"+17F9BCF: CC - int 3
}
10110
"Subtract from Float"
Auto Assembler Script
[ENABLE]
// Publishes the address of a signature match as "subtractFromFloat". Nothing is patched.
// NOTE(review): the signature is byte-for-byte the one used by "Add to Float", and the
// instruction at the match is addss, not subss. The symbol name therefore does not
// describe the code it points to. Confirm this is intended.
aobscanmodule(subtractFromFloat,witcher3.exe,F3 0F 58 03 F3 0F 11 03 48)
registersymbol(subtractFromFloat)
[DISABLE]
unregistersymbol(subtractFromFloat)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+17F9BB1
"witcher3.exe"+17F9B8D: 48 8B 47 30 - mov rax,[rdi+30]
"witcher3.exe"+17F9B91: 48 8B D7 - mov rdx,rdi
"witcher3.exe"+17F9B94: 0F B6 08 - movzx ecx,byte ptr [rax]
"witcher3.exe"+17F9B97: 48 FF C0 - inc rax
"witcher3.exe"+17F9B9A: 48 89 47 30 - mov [rdi+30],rax
"witcher3.exe"+17F9B9E: 8B C1 - mov eax,ecx
"witcher3.exe"+17F9BA0: 48 8B 0F - mov rcx,[rdi]
"witcher3.exe"+17F9BA3: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+17F9BA7: 48 FF 47 30 - inc [rdi+30]
"witcher3.exe"+17F9BAB: F3 0F 10 44 24 50 - movss xmm0,[rsp+50]
// ---------- INJECTING HERE ----------
"witcher3.exe"+17F9BB1: F3 0F 58 03 - addss xmm0,[rbx]
"witcher3.exe"+17F9BB5: F3 0F 11 03 - movss [rbx],xmm0
// ---------- DONE INJECTING ----------
"witcher3.exe"+17F9BB9: 48 85 F6 - test rsi,rsi
"witcher3.exe"+17F9BBC: 74 04 - je witcher3.exe+17F9BC2
"witcher3.exe"+17F9BBE: F3 0F 11 06 - movss [rsi],xmm0
"witcher3.exe"+17F9BC2: 48 8B 5C 24 40 - mov rbx,[rsp+40]
"witcher3.exe"+17F9BC7: 48 83 C4 20 - add rsp,20
"witcher3.exe"+17F9BCB: 5F - pop rdi
"witcher3.exe"+17F9BCC: 5E - pop rsi
"witcher3.exe"+17F9BCD: 5D - pop rbp
"witcher3.exe"+17F9BCE: C3 - ret
"witcher3.exe"+17F9BCF: CC - int 3
}
10166
"Enable Console"
Auto Assembler Script
[ENABLE]
// Enable Console: locates four code sites by signature and publishes their addresses.
// This script patches nothing itself; the symbols are presumably consumed by code defined
// elsewhere in the table (e.g. toggle_console). Verify against that code.
// "?" wildcards skip the RIP-relative displacements, which depend on the build's data layout.
aobscanmodule(console,witcher3.exe,48 83 EC 28 48 8B 05 ? ? ? ? 0F B6 90)
registersymbol(console)
aobscanmodule(keyboard,witcher3.exe,48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 40 80 3D)
registersymbol(keyboard)
aobscanmodule(global_console_debug,witcher3.exe,48 89 05 ? ? ? ? EB 07 48 89 35 ? ? ? ? 48 8B 47 60)
registersymbol(global_console_debug)
// NOTE(review): unlike the patterns above, this one hard-codes the displacement bytes
// (90 31 EA 01) of "mov rax,[witcher3.exe+29A0540]" and is only 7 bytes long, so it is
// likely to stop matching on another build. Consider wildcarding the displacement and
// extending the pattern with the bytes that follow.
aobscanmodule(global_game,witcher3.exe,48 8B 05 90 31 EA 01)
registersymbol(global_game)
[DISABLE]
// only the symbols are removed; no memory was modified by this script
unregistersymbol(console)
unregistersymbol(global_console_debug)
unregistersymbol(global_game)
unregistersymbol(keyboard)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+5962E0
"witcher3.exe"+5962D6: CC - int 3
"witcher3.exe"+5962D7: CC - int 3
"witcher3.exe"+5962D8: CC - int 3
"witcher3.exe"+5962D9: CC - int 3
"witcher3.exe"+5962DA: CC - int 3
"witcher3.exe"+5962DB: CC - int 3
"witcher3.exe"+5962DC: CC - int 3
"witcher3.exe"+5962DD: CC - int 3
"witcher3.exe"+5962DE: CC - int 3
"witcher3.exe"+5962DF: CC - int 3
// ---------- INJECTING HERE ----------
"witcher3.exe"+5962E0: 48 83 EC 28 - sub rsp,28
"witcher3.exe"+5962E4: 48 8B 05 15 6B 2C 02 - mov rax,[witcher3.exe+285CE00]
// ---------- DONE INJECTING ----------
"witcher3.exe"+5962EB: 0F B6 90 21 01 00 00 - movzx edx,byte ptr [rax+00000121]
"witcher3.exe"+5962F2: 38 15 B8 3D 6F 01 - cmp [witcher3.exe+1C8A0B0],dl
"witcher3.exe"+5962F8: 76 07 - jna witcher3.exe+596301
"witcher3.exe"+5962FA: 32 C0 - xor al,al
"witcher3.exe"+5962FC: 48 83 C4 28 - add rsp,28
"witcher3.exe"+596300: C3 - ret
"witcher3.exe"+596301: 41 8D 80 5E FF FF FF - lea eax,[r8-000000A2]
"witcher3.exe"+596308: 83 F8 01 - cmp eax,01
"witcher3.exe"+59630B: 77 0D - ja witcher3.exe+59631A
"witcher3.exe"+59630D: 41 83 F9 01 - cmp r9d,01
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+E9090
"witcher3.exe"+E9086: CC - int 3
"witcher3.exe"+E9087: CC - int 3
"witcher3.exe"+E9088: CC - int 3
"witcher3.exe"+E9089: CC - int 3
"witcher3.exe"+E908A: CC - int 3
"witcher3.exe"+E908B: CC - int 3
"witcher3.exe"+E908C: CC - int 3
"witcher3.exe"+E908D: CC - int 3
"witcher3.exe"+E908E: CC - int 3
"witcher3.exe"+E908F: CC - int 3
// ---------- INJECTING HERE ----------
"witcher3.exe"+E9090: 48 89 5C 24 08 - mov [rsp+08],rbx
// ---------- DONE INJECTING ----------
"witcher3.exe"+E9095: 48 89 74 24 10 - mov [rsp+10],rsi
"witcher3.exe"+E909A: 57 - push rdi
"witcher3.exe"+E909B: 48 83 EC 40 - sub rsp,40
"witcher3.exe"+E909F: 80 3D 1A 3E 77 02 00 - cmp byte ptr [witcher3.exe+285CEC0],00
"witcher3.exe"+E90A6: 0F 29 74 24 30 - movaps [rsp+30],xmm6
"witcher3.exe"+E90AB: 0F 29 7C 24 20 - movaps [rsp+20],xmm7
"witcher3.exe"+E90B0: 41 8B F0 - mov esi,r8d
"witcher3.exe"+E90B3: 8B FA - mov edi,edx
"witcher3.exe"+E90B5: 48 8B D9 - mov rbx,rcx
"witcher3.exe"+E90B8: 0F 28 FB - movaps xmm7,xmm3
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+CB1510
"witcher3.exe"+CB14EA: 48 8D 55 EF - lea rdx,[rbp-11]
"witcher3.exe"+CB14EE: 48 8B 01 - mov rax,[rcx]
"witcher3.exe"+CB14F1: FF 90 78 01 00 00 - call qword ptr [rax+00000178]
"witcher3.exe"+CB14F7: B9 B8 00 00 00 - mov ecx,000000B8
"witcher3.exe"+CB14FC: E8 DF 85 36 FF - call witcher3.exe+19AE0
"witcher3.exe"+CB1501: 48 85 C0 - test rax,rax
"witcher3.exe"+CB1504: 74 13 - je witcher3.exe+CB1519
"witcher3.exe"+CB1506: B2 01 - mov dl,01
"witcher3.exe"+CB1508: 48 8B C8 - mov rcx,rax
"witcher3.exe"+CB150B: E8 C0 3E 8E FF - call witcher3.exe+5953D0
// ---------- INJECTING HERE ----------
"witcher3.exe"+CB1510: 48 89 05 21 F7 CD 01 - mov [witcher3.exe+2990C38],rax
// ---------- DONE INJECTING ----------
"witcher3.exe"+CB1517: EB 07 - jmp witcher3.exe+CB1520
"witcher3.exe"+CB1519: 48 89 35 18 F7 CD 01 - mov [witcher3.exe+2990C38],rsi
"witcher3.exe"+CB1520: 48 8B 47 60 - mov rax,[rdi+60]
"witcher3.exe"+CB1524: 48 89 45 C7 - mov [rbp-39],rax
"witcher3.exe"+CB1528: 48 85 C0 - test rax,rax
"witcher3.exe"+CB152B: 74 17 - je witcher3.exe+CB1544
"witcher3.exe"+CB152D: 48 8B 0D CC B8 BA 01 - mov rcx,[witcher3.exe+285CE00]
"witcher3.exe"+CB1534: 48 8D 55 C7 - lea rdx,[rbp-39]
"witcher3.exe"+CB1538: 48 81 C1 E0 01 00 00 - add rcx,000001E0
"witcher3.exe"+CB153F: E8 2C 3F F8 FF - call witcher3.exe+C35470
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+AFD3A9
"witcher3.exe"+AFD386: 4C 89 74 24 50 - mov [rsp+50],r14
"witcher3.exe"+AFD38B: 48 0F 45 CF - cmovne rcx,rdi
"witcher3.exe"+AFD38F: FF C3 - inc ebx
"witcher3.exe"+AFD391: 89 5C 24 40 - mov [rsp+40],ebx
"witcher3.exe"+AFD395: 48 85 C9 - test rcx,rcx
"witcher3.exe"+AFD398: 74 0F - je witcher3.exe+AFD3A9
"witcher3.exe"+AFD39A: 48 89 4C DC 50 - mov [rsp+rbx*8+50],rcx
"witcher3.exe"+AFD39F: 8B 5C 24 40 - mov ebx,[rsp+40]
"witcher3.exe"+AFD3A3: FF C3 - inc ebx
"witcher3.exe"+AFD3A5: 89 5C 24 40 - mov [rsp+40],ebx
// ---------- INJECTING HERE ----------
"witcher3.exe"+AFD3A9: 48 8B 05 90 31 EA 01 - mov rax,[witcher3.exe+29A0540]
// ---------- DONE INJECTING ----------
"witcher3.exe"+AFD3B0: 48 8D 4C 24 50 - lea rcx,[rsp+50]
"witcher3.exe"+AFD3B5: C6 44 24 30 01 - mov byte ptr [rsp+30],01
"witcher3.exe"+AFD3BA: 0F 28 DE - movaps xmm3,xmm6
"witcher3.exe"+AFD3BD: 89 5C 24 28 - mov [rsp+28],ebx
"witcher3.exe"+AFD3C1: 48 89 4C 24 20 - mov [rsp+20],rcx
"witcher3.exe"+AFD3C6: 48 8B 88 08 B0 00 00 - mov rcx,[rax+0000B008]
"witcher3.exe"+AFD3CD: 4C 8D 87 90 00 00 00 - lea r8,[rdi+00000090]
"witcher3.exe"+AFD3D4: 49 8D 96 90 00 00 00 - lea rdx,[r14+00000090]
"witcher3.exe"+AFD3DB: E8 20 3F F6 FF - call witcher3.exe+A61300
"witcher3.exe"+AFD3E0: 84 C0 - test al,al
}
10167
"Auto Assemble script"
Auto Assembler Script
[ENABLE]
// Starts a thread in the target process at the address of the symbol toggle_console.
// The same call runs on enable and on disable, so each state change invokes the routine once.
// NOTE(review): toggle_console is not defined in this part of the table. The script
// presumably fails to resolve it unless the entry that registers it is active. Confirm
// that dependency.
createthread(toggle_console)
[DISABLE]
createthread(toggle_console)
10196
"Skill Level"
4 Bytes
EF6378CC
10198
"Max Level"
4 Bytes
+4
10204
"No description"
4 Bytes
+34
0
10199
"No description"
4 Bytes
+44
0
10200
"No description"
4 Bytes
+64
0
10201
"No description"
4 Bytes
+74
0
10202
"No description"
4 Bytes
+84
0
10203
"No description"
4 Bytes
+a4
0
10220
"Skill Slot 1"
Auto Assembler Script
[ENABLE]
// Skill Slot 1: the Lua section runs an inner auto-assembler script that finds a data
// pattern (aobscan, whole process), allocates 8 bytes as skill_id and registers both
// symbols. It then stores the address of pattern offset 32 (the "*" wildcard byte) into
// skill_id as a 64-bit pointer and drops the temporary skill_slot1 symbol.
// The "Skill ID" entry and "Activate All Skills" read the pointer held in skill_id.
{$lua}
-- NOTE(review): the result of autoAssemble is not checked. If the scan finds nothing,
-- the getAddress/writeQword calls below operate on an unresolved symbol; consider
-- testing the return value first.
autoAssemble([[
aobscan(skill_slot1,90 01 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 * 01 00 00)
alloc(skill_id,8)
registersymbol(skill_slot1)
registersymbol(skill_id)
]])
-- 32 (decimal) = 0x20: skips the 32 fixed bytes that precede the wildcard
local address = getAddress("skill_slot1") + 32
unregisterSymbol("skill_slot1")
writeQword("skill_id", address)
-- earlier pure-assembler attempt kept by the author for reference
--label(skill_id)
--slot1+20:
--skill_id:
--registersymbol(skill_id)
{$asm}
[DISABLE]
// NOTE(review): only the symbol is removed. The 8 bytes allocated by the inner script
// are not freed here.
unregistersymbol(skill_id)
10224
"Skill ID"
Byte
skill_id
0
10222
"Always Enable Skill ID"
Auto Assembler Script
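[ENABLE]
// Always Enable Skill ID: detours the 8 bytes "mov eax,[rsp+38]" / "cmp [rsp+40],eax"
// at a fixed module offset through newmem.
// As written, the detour behaves like the original code: the "overwrite" path only
// executes a nop, because the store that would change [rsp+40] is commented out.
//"witcher3.exe"+1877A10
//aobscanmodule(activeSkill,witcher3.exe,FF54C50048FF43304885FF740D8B442438394424400F94C08807488B5C2430488B6C24484883C4205FC3CC)
// The patch address is a hard-coded offset (the signature scan above is disabled), so
// check the expected original bytes before writing. On a build where this offset holds
// different code, the script then refuses to enable instead of overwriting it.
assert("witcher3.exe"+1877A10,8B 44 24 38 39 44 24 40)
alloc(newmem,$1000,"witcher3.exe"+1877A10)
label(code)
label(return)
label(overwrite)
newmem:
// original first instruction, relocated
mov eax,[rsp+38]
// "#" marks a decimal immediate: skill id 38
cmp eax,#38
je overwrite
jmp code
overwrite:
// intended patch point; the store is disabled, leaving a no-op
//mov [rsp+40],eax
nop
code:
//mov eax,[rsp+38]
// original second instruction; it sets the flags that "sete al" reads after the hook
cmp [rsp+40],eax
jmp return
//activeSkill+D:
"witcher3.exe"+1877A10:
// 5-byte jmp plus three nops overwrite exactly the two 4-byte originals
jmp newmem
nop
nop
nop
return:
//registersymbol(activeSkill)
[DISABLE]
//activeSkill+D:
"witcher3.exe"+1877A10:
// restore the original instruction bytes
db 8B 44 24 38 39 44 24 40
//unregistersymbol(activeSkill)
dealloc(newmem)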
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+1877A10
"witcher3.exe"+18779EF: 48 FF C0 - inc rax
"witcher3.exe"+18779F2: 4C 8D 44 24 38 - lea r8,[rsp+38]
"witcher3.exe"+18779F7: 48 89 43 30 - mov [rbx+30],rax
"witcher3.exe"+18779FB: 8B C1 - mov eax,ecx
"witcher3.exe"+18779FD: 48 8B 0B - mov rcx,[rbx]
"witcher3.exe"+1877A00: 48 8B D3 - mov rdx,rbx
"witcher3.exe"+1877A03: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+1877A07: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+1877A0B: 48 85 FF - test rdi,rdi
"witcher3.exe"+1877A0E: 74 0D - je witcher3.exe+1877A1D
// ---------- INJECTING HERE ----------
"witcher3.exe"+1877A10: 8B 44 24 38 - mov eax,[rsp+38]
"witcher3.exe"+1877A14: 39 44 24 40 - cmp [rsp+40],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+1877A18: 0F 94 C0 - sete al
"witcher3.exe"+1877A1B: 88 07 - mov [rdi],al
"witcher3.exe"+1877A1D: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+1877A22: 48 8B 6C 24 48 - mov rbp,[rsp+48]
"witcher3.exe"+1877A27: 48 83 C4 20 - add rsp,20
"witcher3.exe"+1877A2B: 5F - pop rdi
"witcher3.exe"+1877A2C: C3 - ret
"witcher3.exe"+1877A2D: CC - int 3
"witcher3.exe"+1877A2E: CC - int 3
"witcher3.exe"+1877A2F: CC - int 3
}
10225
"Activate All Skills"
Auto Assembler Script
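[ENABLE]
// Hooks the byte copy
//   movzx eax,byte ptr [rbx]
//   mov [rdi],al
// at the address below. When the copy reads from the address stored in
// [skill_id], the byte is remembered in skill_lookup; on the next pass through
// the hook that remembered byte is written to [rdi] instead of the byte at [rbx].
// skill_id is not defined in this script: it must already be registered by the
// "Skill Slot 1" script (or another script that registers skill_id).
//
// The hook address is symbol+offset rather than a scan result, so refuse to
// patch unless the expected original bytes are present (different build, or a
// hook already installed at this address by another script).
assert("witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913,0F B6 03 88 07)
alloc(newmem,2048,"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913)
alloc(skill_lookup,1)
label(returnhere)
label(originalcode)
label(exit)
label(skip)
newmem:
// A non-zero skill_lookup means a value was captured on an earlier pass:
// consume it (al keeps the captured byte) and clear the flag.
movzx eax,byte ptr [skill_lookup]
test eax,eax
je skip
mov byte ptr [skill_lookup],0
jmp originalcode
skip:
// Normal path: load the source byte; capture it only when the source is the
// address held in skill_id.
movzx eax,byte ptr [rbx]
cmp rbx,[skill_id]
jne originalcode
mov [skill_lookup],al
originalcode:
//movzx eax,byte ptr [rbx]
mov [rdi],al
exit:
jmp returnhere
"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913:
// 5-byte jump over the 5 original bytes (0F B6 03 / 88 07).
jmp newmem
returnhere:
[DISABLE]
// Restore the original instructions first, then release both allocations.
"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913:
movzx eax,byte ptr [rbx]
mov [rdi],al
dealloc(newmem)
// The enable section allocates skill_lookup; the previous dealloc(myvar)
// named something this script never allocated and left skill_lookup behind.
dealloc(skill_lookup)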
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+44883
"witcher3.exe"+44867: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4486C: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44870: 5F - pop rdi
"witcher3.exe"+44871: C3 - ret
"witcher3.exe"+44872: 0F B7 03 - movzx eax,word ptr [rbx]
"witcher3.exe"+44875: 66 89 07 - mov [rdi],ax
"witcher3.exe"+44878: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4487D: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44881: 5F - pop rdi
"witcher3.exe"+44882: C3 - ret
// ---------- INJECTING HERE ----------
"witcher3.exe"+44883: 0F B6 03 - movzx eax,byte ptr [rbx]
"witcher3.exe"+44886: 88 07 - mov [rdi],al
// ---------- DONE INJECTING ----------
"witcher3.exe"+44888: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4488D: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44891: 5F - pop rdi
"witcher3.exe"+44892: C3 - ret
"witcher3.exe"+44893: CC - int 3
"witcher3.exe"+44894: CC - int 3
"witcher3.exe"+44895: CC - int 3
"witcher3.exe"+44896: CC - int 3
"witcher3.exe"+44897: CC - int 3
"witcher3.exe"+44898: CC - int 3
}
10226
"Activate All Skills"
Auto Assembler Script
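[ENABLE]
// Two cooperating hooks:
//   newmem  - at the byte copy (movzx eax,byte ptr [rbx] / mov [rdi],al):
//             sets skill_lookup to 1 when the copy reads from the address
//             stored in [skill_id].
//   newmem2 - at "witcher3.exe"+1877A10 (mov eax,[rsp+38] / cmp [rsp+40],eax):
//             when skill_lookup is 1, clears it and stores eax to [rsp+40] so
//             the comparison that follows is equal.
// The Lua section locates the slot record and publishes its address in skill_id.
// NOTE(review): Cheat Engine is understood to run {$lua} sections during its
// syntax-check pass as well; confirm whether the scan should be skipped then.
{$lua}
-- Previous pattern, kept for reference:
--aobscan(skill_slot1,90 01 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF FF FF FF FF 03 00 00 00 * 01 00 00)
-- NOTE(review): the result of autoAssemble is not checked; if the pattern is
-- not found, the failure presumably only surfaces in getAddress below.
autoAssemble([[
aobscan(skill_slot1,FF FF FF FF FF FF FF FF * 00 00 00 * 01 00 00 * 00 00 00 * 00 00 00 * 00 00 00 * 00 00 00 FF FF FF FF * 00 00 00)
alloc(skill_id,8)
registersymbol(skill_slot1)
registersymbol(skill_id)
]])
-- 12 is the offset of the second '*' wildcard inside the pattern above.
local address = getAddress("skill_slot1") + 12
unregisterSymbol("skill_slot1")
-- Store the computed address as a 64-bit value in the skill_id allocation.
writeQword("skill_id", address)
{$asm}
// Both hook addresses are fixed (symbol+offset / module+offset), so refuse to
// patch unless the expected original bytes are present. This also stops the
// script from stacking on top of another script that already hooked either site.
assert("witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913,0F B6 03 88 07)
assert("witcher3.exe"+1877A10,8B 44 24 38 39 44 24 40)
alloc(newmem,2048,"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913)
alloc(newmem2,2048,"witcher3.exe"+1877A10)
alloc(skill_lookup,1)
label(returnhere)
label(originalcode)
label(exit)
label(returnhere2)
label(originalcode2)
label(exit2)
newmem:
// Flag the next comparison when the copy source is the tracked slot address.
cmp rbx,[skill_id]
jne originalcode
mov byte ptr [skill_lookup],1
originalcode:
movzx eax,byte ptr [rbx]
mov [rdi],al
exit:
jmp returnhere
newmem2:
mov eax,[rsp+38]
cmp byte ptr [skill_lookup],1
jne originalcode2
// One-shot: clear the flag, then make both comparison operands equal.
mov byte ptr [skill_lookup],0
mov [rsp+40],eax
originalcode2:
//mov eax,[rsp+38]
// Executed last so the flags it sets are the ones the game code sees.
cmp [rsp+40],eax
exit2:
jmp returnhere2
"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913:
// 5-byte jump over the 5 original bytes.
jmp newmem
returnhere:
"witcher3.exe"+1877A10:
// Jump plus three nops replace the 8 original bytes.
jmp newmem2
nop
nop
nop
returnhere2:
[DISABLE]
// Restore both hook sites first, then release the allocations.
"witcher3.Scaleform::Render::Matrix4x4<float>::SetIdentity"+42913:
movzx eax,byte ptr [rbx]
mov [rdi],al
"witcher3.exe"+1877A10:
mov eax,[rsp+38]
cmp [rsp+40],eax
dealloc(newmem)
dealloc(newmem2)
// The enable section allocates skill_lookup; the previous dealloc(myvar)
// named something this script never allocated and left skill_lookup behind.
dealloc(skill_lookup)
// NOTE(review): skill_id was allocated by the nested autoAssemble call in the
// Lua section; only its symbol is removed here — confirm whether the memory
// should be freed as well.
unregistersymbol(skill_id)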
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+44883
"witcher3.exe"+44867: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4486C: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44870: 5F - pop rdi
"witcher3.exe"+44871: C3 - ret
"witcher3.exe"+44872: 0F B7 03 - movzx eax,word ptr [rbx]
"witcher3.exe"+44875: 66 89 07 - mov [rdi],ax
"witcher3.exe"+44878: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4487D: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44881: 5F - pop rdi
"witcher3.exe"+44882: C3 - ret
// ---------- INJECTING HERE ----------
"witcher3.exe"+44883: 0F B6 03 - movzx eax,byte ptr [rbx]
"witcher3.exe"+44886: 88 07 - mov [rdi],al
// ---------- DONE INJECTING ----------
"witcher3.exe"+44888: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+4488D: 48 83 C4 20 - add rsp,20
"witcher3.exe"+44891: 5F - pop rdi
"witcher3.exe"+44892: C3 - ret
"witcher3.exe"+44893: CC - int 3
"witcher3.exe"+44894: CC - int 3
"witcher3.exe"+44895: CC - int 3
"witcher3.exe"+44896: CC - int 3
"witcher3.exe"+44897: CC - int 3
"witcher3.exe"+44898: CC - int 3
}
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+1877A10
"witcher3.exe"+18779EF: 48 FF C0 - inc rax
"witcher3.exe"+18779F2: 4C 8D 44 24 38 - lea r8,[rsp+38]
"witcher3.exe"+18779F7: 48 89 43 30 - mov [rbx+30],rax
"witcher3.exe"+18779FB: 8B C1 - mov eax,ecx
"witcher3.exe"+18779FD: 48 8B 0B - mov rcx,[rbx]
"witcher3.exe"+1877A00: 48 8B D3 - mov rdx,rbx
"witcher3.exe"+1877A03: FF 54 C5 00 - call qword ptr [rbp+rax*8+00]
"witcher3.exe"+1877A07: 48 FF 43 30 - inc [rbx+30]
"witcher3.exe"+1877A0B: 48 85 FF - test rdi,rdi
"witcher3.exe"+1877A0E: 74 0D - je witcher3.exe+1877A1D
// ---------- INJECTING HERE ----------
"witcher3.exe"+1877A10: 8B 44 24 38 - mov eax,[rsp+38]
"witcher3.exe"+1877A14: 39 44 24 40 - cmp [rsp+40],eax
// ---------- DONE INJECTING ----------
"witcher3.exe"+1877A18: 0F 94 C0 - sete al
"witcher3.exe"+1877A1B: 88 07 - mov [rdi],al
"witcher3.exe"+1877A1D: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+1877A22: 48 8B 6C 24 48 - mov rbp,[rsp+48]
"witcher3.exe"+1877A27: 48 83 C4 20 - add rsp,20
"witcher3.exe"+1877A2B: 5F - pop rdi
"witcher3.exe"+1877A2C: C3 - ret
"witcher3.exe"+1877A2D: CC - int 3
"witcher3.exe"+1877A2E: CC - int 3
"witcher3.exe"+1877A2F: CC - int 3
}
10235
"Call XP Increment"
Auto Assembler Script
[ENABLE]
// Hooks the instruction  mov r9,[r12+rax*8+0283FD40]  found by byte pattern.
// NOTE(review): the pattern contains the displacement 0283FD40, which is
// presumably specific to one game build; the scan fails if it differs.
aobscanmodule(vtable,witcher3.exe,4D 8B 8C C4 40 FD 83 02)
alloc(newmem,$1000,vtable)
label(code)
label(return)
newmem:
// Only table index 8F8 is of interest.
cmp rax,8F8
jne code
// Follow [rsi+30] -> [..] -> [..+20] into r9, bailing out on a null pointer.
mov r9,[rsi+30]
test r9,r9
je code
mov r9,[r9]
test r9,r9
je code
mov r9,[r9+20]
// NOTE(review): execution falls through into `code`, which reloads r9, so the
// value loaded above is discarded. As written the hook behaves like the
// original instruction; confirm whether a jump to `return` was intended here.
code:
mov r9,[r12+rax*8+0283FD40]
jmp return
vtable:
// Jump plus three nops replace the 8 bytes of the original instruction.
jmp newmem
nop
nop
nop
return:
registersymbol(vtable)
[DISABLE]
vtable:
// Original instruction bytes.
db 4D 8B 8C C4 40 FD 83 02
unregistersymbol(vtable)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+450F5
"witcher3.exe"+450D3: 49 8B F0 - mov rsi,r8
"witcher3.exe"+450D6: E8 05 12 00 00 - call witcher3.exe+462E0
"witcher3.exe"+450DB: 8B 43 14 - mov eax,[rbx+14]
"witcher3.exe"+450DE: A8 01 - test al,01
"witcher3.exe"+450E0: 74 6E - je witcher3.exe+45150
"witcher3.exe"+450E2: D1 E8 - shr eax,1
"witcher3.exe"+450E4: 4C 8D 25 15 AF FB FF - lea r12,[witcher3.exe]
"witcher3.exe"+450EB: A8 01 - test al,01
"witcher3.exe"+450ED: 8B 83 B8 00 00 00 - mov eax,[rbx+000000B8]
"witcher3.exe"+450F3: 74 1E - je witcher3.exe+45113
// ---------- INJECTING HERE ----------
"witcher3.exe"+450F5: 4D 8B 8C C4 40 FD 83 02 - mov r9,[r12+rax*8+0283FD40]
// ---------- DONE INJECTING ----------
"witcher3.exe"+450FD: 4D 85 C9 - test r9,r9
"witcher3.exe"+45100: 74 47 - je witcher3.exe+45149
"witcher3.exe"+45102: 4D 8B C5 - mov r8,r13
"witcher3.exe"+45105: 48 8B D6 - mov rdx,rsi
"witcher3.exe"+45108: 49 8B CF - mov rcx,r15
"witcher3.exe"+4510B: 41 FF D1 - call r9d
"witcher3.exe"+4510E: E9 10 03 00 00 - jmp witcher3.exe+45423
"witcher3.exe"+45113: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+45117: 4D 8B 8C CC 40 7D 82 02 - mov r9,[r12+rcx*8+02827D40]
"witcher3.exe"+4511F: 49 8B 84 CC 50 7D 82 02 - mov rax,[r12+rcx*8+02827D50]
}
10237
"Set Experience Multiplier (old)"
Auto Assembler Script
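[ENABLE]
// Hooks the 7 bytes at "witcher3.exe"+1877A90
//   add [rbx],eax
//   mov eax,[rbx]
//   test rsi,rsi
// and multiplies the value being added (eax) by xp_mult when the conditions
// in newmem hold. xp_mult is registered as a symbol so it can be edited from
// the table; it starts at decimal 10.
//01038B034885F674028906488B5C24404883C420415E5F5EC3
// The hook address is a fixed module offset, so refuse to patch unless the
// expected original bytes are present (different build or already hooked).
assert("witcher3.exe"+1877A90,01 03 8B 03 48 85 F6)
alloc(newmem,2048,"witcher3.exe"+1877A90)
alloc(xp_mult,4)
registersymbol(xp_mult)
label(returnhere)
label(originalcode)
label(exit)
xp_mult:
dd #10
newmem:
// Operand size made explicit: the hooked add operates on a dword at [rbx].
// The multiplier is skipped unless that dword is negative (signed compare).
// NOTE(review): confirm this sign test is the intended filter.
cmp dword ptr [rbx],0
jnl originalcode
// Second filter: r8 - r9 must equal 4. r8 is saved and restored around the
// subtraction; pop does not change the flags set by cmp.
push r8
sub r8,r9
cmp r8,4
pop r8
jne originalcode
// eax = low 32 bits of eax * xp_mult. mul writes edx:eax, so rdx is saved and
// restored and the high half of the product is dropped.
push rdx
mov edx,[xp_mult]
mul edx
pop rdx
originalcode:
add [rbx],eax
mov eax,[rbx]
// Executed last so the flags the game code reads next come from this test.
test rsi,rsi
exit:
jmp returnhere
"witcher3.exe"+1877A90:
// Jump plus two nops replace the 7 original bytes.
jmp newmem
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
dealloc(xp_mult)
unregistersymbol(xp_mult)
"witcher3.exe"+1877A90:
add [rbx],eax
mov eax,[rbx]
test rsi,rsi
//Alt: db 01 03 8B 03 48 85 F6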
39
"Unlimited Durability"
Auto Assembler Script
[ENABLE]
// Patches in place, without a code cave. The 11 matched bytes are the pair
//   movss xmm0,[rsp+48]
//   movss [rax+74],xmm0
// so the float written to [rax+74] normally comes from the stack.
aobscanmodule(durability,witcher3.exe,F3 0F 10 44 24 48 F3 0F 11 40 74)
durability:
// C7 40 74 + imm32 encodes  mov dword ptr [rax+74],imm32 ; the immediate is
// the float 500, so every write stores 500.0 instead of the computed value.
db C7 40 74
dd (float)500
// Four nops pad the 7-byte store up to the 11 bytes that were replaced.
// NOTE(review): xmm0 is no longer loaded from [rsp+48]; confirm nothing after
// this point depends on it.
db 90 90 90 90
registersymbol(durability)
[DISABLE]
durability:
// Original bytes of both instructions.
db F3 0F 10 44 24 48 F3 0F 11 40 74
unregistersymbol(durability)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6F511C
"witcher3.exe"+6F5105: 5F - pop rdi
"witcher3.exe"+6F5106: C3 - ret
"witcher3.exe"+6F5107: 85 C9 - test ecx,ecx
"witcher3.exe"+6F5109: 78 1C - js witcher3.exe+6F5127
"witcher3.exe"+6F510B: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+6F510E: 7D 17 - jnl witcher3.exe+6F5127
"witcher3.exe"+6F5110: 48 63 C1 - movsxd rax,ecx
"witcher3.exe"+6F5113: 48 C1 E0 07 - shl rax,07
"witcher3.exe"+6F5117: 49 03 C1 - add rax,r9
"witcher3.exe"+6F511A: 74 0B - je witcher3.exe+6F5127
// ---------- INJECTING HERE ----------
"witcher3.exe"+6F511C: F3 0F 10 44 24 48 - movss xmm0,[rsp+48]
// ---------- DONE INJECTING ----------
"witcher3.exe"+6F5122: F3 0F 11 40 74 - movss [rax+74],xmm0
"witcher3.exe"+6F5127: 48 8B 5C 24 30 - mov rbx,[rsp+30]
"witcher3.exe"+6F512C: 48 8B 74 24 40 - mov rsi,[rsp+40]
"witcher3.exe"+6F5131: 48 83 C4 20 - add rsp,20
"witcher3.exe"+6F5135: 5F - pop rdi
"witcher3.exe"+6F5136: C3 - ret
"witcher3.exe"+6F5137: CC - int 3
"witcher3.exe"+6F5138: CC - int 3
"witcher3.exe"+6F5139: CC - int 3
"witcher3.exe"+6F513A: CC - int 3
}
45
"Mouse Over Item Pointer"
Auto Assembler Script
[ENABLE]
// Records rcx into mouseover_ptr each time the hooked code runs, then
// re-executes the two overwritten instructions, which dereference rcx.
// NOTE(review): the saved pointer is never cleared by this script, so it may
// be stale when read later; validate it before dereferencing.
aobscanmodule(mouseover,witcher3.exe,48 8B 19 8B 41 08 48 8B FA 48 8D 0C 40 48 8D 2C CB 48 3B DD 74 5C)
alloc(newmem,$1000,mouseover)
alloc(mouseover_ptr,8)
label(code)
label(return)
// newmem and code label the same address; the hook jumps to code.
newmem:
code:
mov [mouseover_ptr],rcx
// Overwritten instructions, unchanged.
mov rbx,[rcx]
mov eax,[rcx+08]
jmp return
mouseover:
// Jump plus one nop replace the 6 original bytes.
jmp code
nop
return:
registersymbol(mouseover)
registersymbol(mouseover_ptr)
[DISABLE]
mouseover:
// Original bytes: mov rbx,[rcx] / mov eax,[rcx+08].
db 48 8B 19 8B 41 08
unregistersymbol(mouseover)
unregistersymbol(mouseover_ptr)
dealloc(newmem)
dealloc(mouseover_ptr)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+96043F
"witcher3.exe"+96042A: CC - int 3
"witcher3.exe"+96042B: CC - int 3
"witcher3.exe"+96042C: CC - int 3
"witcher3.exe"+96042D: CC - int 3
"witcher3.exe"+96042E: CC - int 3
"witcher3.exe"+96042F: CC - int 3
"witcher3.exe"+960430: 48 89 5C 24 10 - mov [rsp+10],rbx
"witcher3.exe"+960435: 48 89 6C 24 18 - mov [rsp+18],rbp
"witcher3.exe"+96043A: 57 - push rdi
"witcher3.exe"+96043B: 48 83 EC 30 - sub rsp,30
// ---------- INJECTING HERE ----------
"witcher3.exe"+96043F: 48 8B 19 - mov rbx,[rcx]
"witcher3.exe"+960442: 8B 41 08 - mov eax,[rcx+08]
// ---------- DONE INJECTING ----------
"witcher3.exe"+960445: 48 8B FA - mov rdi,rdx
"witcher3.exe"+960448: 48 8D 0C 40 - lea rcx,[rax+rax*2]
"witcher3.exe"+96044C: 48 8D 2C CB - lea rbp,[rbx+rcx*8]
"witcher3.exe"+960450: 48 3B DD - cmp rbx,rbp
"witcher3.exe"+960453: 74 5C - je witcher3.exe+9604B1
"witcher3.exe"+960455: 48 89 74 24 40 - mov [rsp+40],rsi
"witcher3.exe"+96045A: 66 0F 1F 44 00 00 - nop [rax+rax+00]
"witcher3.exe"+960460: 8B 77 08 - mov esi,[rdi+08]
"witcher3.exe"+960463: 8D 4E 01 - lea ecx,[rsi+01]
"witcher3.exe"+960466: 89 4F 08 - mov [rdi+08],ecx
}
154
"Loot Item Pointer"
Auto Assembler Script
[ENABLE]
// Hooks  mov r10d,[rax+r9+64]  and saves r9 into loot_ptr when rax is 0.
// Per the disassembly comment below the script, rax is an index shifted left
// by 7, so rax == 0 is the first entry and r9 is the base it is added to.
// NOTE(review): the 5-byte pattern is short; confirm it is unique in the module.
// NOTE(review): loot_ptr is never cleared by this script, so it may be stale
// when read later; validate it before dereferencing.
aobscanmodule(loot,witcher3.exe,46 8B 54 08 64)
alloc(newmem,$1000,loot)
alloc(loot_ptr,8)
label(code)
label(return)
newmem:
cmp rax,0
jne code
mov qword ptr [loot_ptr],r9
code:
// Overwritten instruction, unchanged.
mov r10d,[rax+r9+64]
jmp return
loot:
// 5-byte jump over the 5 original bytes; no padding needed.
jmp newmem
return:
registersymbol(loot)
registersymbol(loot_ptr)
[DISABLE]
loot:
// Original instruction bytes.
db 46 8B 54 08 64
unregistersymbol(loot)
unregistersymbol(loot_ptr)
dealloc(newmem)
dealloc(loot_ptr)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+6F1D01
"witcher3.exe"+6F1CE6: 48 83 EA 80 - sub rdx,-80
"witcher3.exe"+6F1CEA: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+6F1CED: 72 F1 - jb witcher3.exe+6F1CE0
"witcher3.exe"+6F1CEF: EB 15 - jmp witcher3.exe+6F1D06
"witcher3.exe"+6F1CF1: 85 C9 - test ecx,ecx
"witcher3.exe"+6F1CF3: 78 11 - js witcher3.exe+6F1D06
"witcher3.exe"+6F1CF5: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+6F1CF8: 7D 0C - jnl witcher3.exe+6F1D06
"witcher3.exe"+6F1CFA: 48 63 C1 - movsxd rax,ecx
"witcher3.exe"+6F1CFD: 48 C1 E0 07 - shl rax,07
// ---------- INJECTING HERE ----------
"witcher3.exe"+6F1D01: 46 8B 54 08 64 - mov r10d,[rax+r9+64]
// ---------- DONE INJECTING ----------
"witcher3.exe"+6F1D06: 48 85 FF - test rdi,rdi
"witcher3.exe"+6F1D09: 74 03 - je witcher3.exe+6F1D0E
"witcher3.exe"+6F1D0B: 44 89 17 - mov [rdi],r10d
"witcher3.exe"+6F1D0E: 48 8B 5C 24 38 - mov rbx,[rsp+38]
"witcher3.exe"+6F1D13: 48 8B 74 24 40 - mov rsi,[rsp+40]
"witcher3.exe"+6F1D18: 48 83 C4 20 - add rsp,20
"witcher3.exe"+6F1D1C: 5F - pop rdi
"witcher3.exe"+6F1D1D: C3 - ret
"witcher3.exe"+6F1D1E: CC - int 3
"witcher3.exe"+6F1D1F: CC - int 3
}
10247
"# Loot Item Pointer"
Auto Assembler Script
[ENABLE]
// Variant of the loot hook for  mov r10d,[rax+r9+54] : saves r9 into loot_ptr
// when rax is 0. Per the disassembly comment below the script, rax is an index
// multiplied by 0x88 here, so rax == 0 is the first entry.
// This script registers the same symbol names (loot, loot_ptr) as the other
// "Loot Item Pointer" script in this table.
// NOTE(review): presumably the two target different game builds; confirm they
// are never enabled together.
aobscanmodule(loot,witcher3.exe,46 8B 54 08 54)
alloc(newmem,$1000,loot)
label(code)
label(return)
label(loot_ptr)
newmem:
cmp rax,0
jne code
mov qword ptr [loot_ptr],r9
code:
// Overwritten instruction, unchanged.
mov r10d,[rax+r9+54]
jmp return
// loot_ptr lives inside newmem, after the code, instead of in its own alloc.
loot_ptr:
dq 0
loot:
// 5-byte jump over the 5 original bytes; no padding needed.
jmp newmem
return:
registersymbol(loot)
registersymbol(loot_ptr)
[DISABLE]
loot:
// Original instruction bytes.
db 46 8B 54 08 54
unregistersymbol(loot)
unregistersymbol(loot_ptr)
// Freeing newmem also releases loot_ptr, which is a label inside it.
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "witcher3.exe"+712697
"witcher3.exe"+712676: 48 81 C2 88 00 00 00 - add rdx,00000088
"witcher3.exe"+71267D: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+712680: 72 EE - jb witcher3.exe+712670
"witcher3.exe"+712682: EB 18 - jmp witcher3.exe+71269C
"witcher3.exe"+712684: 85 C9 - test ecx,ecx
"witcher3.exe"+712686: 78 14 - js witcher3.exe+71269C
"witcher3.exe"+712688: 41 3B C8 - cmp ecx,r8d
"witcher3.exe"+71268B: 7D 0F - jnl witcher3.exe+71269C
"witcher3.exe"+71268D: 48 63 C1 - movsxd rax,ecx
"witcher3.exe"+712690: 48 69 C0 88 00 00 00 - imul rax,rax,00000088
// ---------- INJECTING HERE ----------
"witcher3.exe"+712697: 46 8B 54 08 54 - mov r10d,[rax+r9+54]
// ---------- DONE INJECTING ----------
"witcher3.exe"+71269C: 48 85 FF - test rdi,rdi
"witcher3.exe"+71269F: 74 03 - je witcher3.exe+7126A4
"witcher3.exe"+7126A1: 44 89 17 - mov [rdi],r10d
"witcher3.exe"+7126A4: 48 8B 5C 24 38 - mov rbx,[rsp+38]
"witcher3.exe"+7126A9: 48 8B 74 24 40 - mov rsi,[rsp+40]
"witcher3.exe"+7126AE: 48 83 C4 20 - add rsp,20
"witcher3.exe"+7126B2: 5F - pop rdi
"witcher3.exe"+7126B3: C3 - ret
"witcher3.exe"+7126B4: CC - int 3
"witcher3.exe"+7126B5: CC - int 3
}
rage
1409552A7
weight
4039F908
unlimited
140DB8F24
player
1400F59C1
player_stats
1400F5AA3
keyboard
13F709090
global_game
14011D3A9
vtable
13F1550F5
update_stats
7FF74B127853
time
7FF74A531FC5
time_save
7FF74A290007
time_ptr
7FF74A29001C
durability
7FF74AA34F5C
freeze
7FF74A7C8CB6
mouseover
7FF74AC9F4AE
mouseover_ptr
7FF74A2E001B
console
7FF742253810
global_console_debug
7FF742D0E18A
use_console
7FF7426FB043