Sniper Elite 4

SunBeam
Trouble Makers
Posts: 415
Joined: Thu Mar 02, 2017 10:15 pm
Reputation: 121

Sniper Elite 4

Post by SunBeam » Mon Mar 06, 2017 10:12 am

Since everyone's shy, let me open up this thread.

Post all your findings (you can/want to share): be it executable code, snippets, specific values to scan for or means to activate certain features. Kindly make sure you specify in bold (or use color code) the target option/feature.

Intended options to be discussed (I'll update these as I progress with checkboxes; note the boxes below are pure images, as I didn't find any phpBB feature replicating the behavior):

[checkbox] No Reload/Unlimited Clip
[checkbox] Unlimited Ammo/Items
[checkbox] Player Structure/Player ID
[checkbox] God Mode
[checkbox] No Recoil
[checkbox] Super Accuracy
[checkbox] No Scope Sway/Movement
[checkbox] Scope Zoom
[checkbox] Game Maps/Hashes (the hash function)
[checkbox] Disabling Visual/Sound Detection
[checkbox] Teleporter to Collectibles

BR,
Sun


Re: Sniper Elite 4

Post by SunBeam » Mon Mar 06, 2017 10:12 am

To verify the game's version, use the Tilde key. This will bring down the console:

[screenshot: the in-game console showing the game version]

Now, for this version of the game, running on DX11, I found the following:

Clip/Ammo: simply search for the amount you see on-screen, narrowing it down till you find the real address (freezing along the way as well). Value type: DWORD.

1. Debugging Clip to see what writes to it leads to this location, while shooting:

Code:
SniperElite4_DX11.exe+161EAB4 - 44 89 49 20           - mov [rcx+20],r9d
SniperElite4_DX11.exe+161EAB8 - EB 05                 - jmp SniperElite4_DX11.exe+161EABF
SniperElite4_DX11.exe+161EABA - FF C8                 - dec eax                            <-- subtract clip ammo
SniperElite4_DX11.exe+161EABC - 89 41 20              - mov [rcx+20],eax                   <-- write it
SniperElite4_DX11.exe+161EABF - 44 39 49 20           - cmp [rcx+20],r9d
SniperElite4_DX11.exe+161EAC3 - 75 14                 - jne SniperElite4_DX11.exe+161EAD9

At this spot, RCX is the pointer to Clip ammo, 0x20 is the offset and R8 is the pointer to the weapon structure. To get Unlimited Clip, I've written this code:

Code:
13FFE0000 - 50                    - push rax
13FFE0001 - 48 31 C0              - xor rax,rax
13FFE0004 - A1 2C00FF3F01000000   - mov eax,[dwPlayerId]
13FFE000D - 39 43 08              - cmp [rbx+08],eax
13FFE0010 - 58                    - pop rax
13FFE0011 - 75 06                 - jne 13FFE0019
13FFE0013 - 41 8B 40 5C           - mov eax,[r8+5C]
13FFE0017 - EB 02                 - jmp 13FFE001B
13FFE0019 - FF C8                 - dec eax
13FFE001B - 89 41 20              - mov [rcx+20],eax
13FFE001E - E9 9DEA6301           - jmp SniperElite4_DX11.exe+161EAC0

You may ignore the top part for now, with dwPlayerId. This is what interests you for now:

Code:
13FFE0013 - 41 8B 40 5C           - mov eax,[r8+5C]
..
13FFE001B - 89 41 20              - mov [rcx+20],eax
13FFE001E - E9 9DEA6301           - jmp SniperElite4_DX11.exe+161EAC0

The point of adding a comparison by player ID is that this location is shared with the enemy. When they shoot, clip ammo is processed through the same function.

2. Debugging Ammo value to see what accesses it leads to this location, while reloading for consumption:

Code:
SniperElite4_DX11.exe+160685A - F6 41 2C 01           - test byte ptr [rcx+2C],01
SniperElite4_DX11.exe+160685E - 74 10                 - je SniperElite4_DX11.exe+1606870
SniperElite4_DX11.exe+1606860 - B8 0FA2FFE7           - mov eax,E7FFA20F
SniperElite4_DX11.exe+1606865 - 8D 80 D8610018        - lea eax,[rax+180061D8]
SniperElite4_DX11.exe+160686B - C3                    - ret 
SniperElite4_DX11.exe+160686C - 24 77                 - and al,77
SniperElite4_DX11.exe+160686E - 8E F0                 - mov hs,ax
SniperElite4_DX11.exe+1606870 - 8B 40 20              - mov eax,[rax+20] <-- this is one of the locations that breaks

Now, if you look at the top of the code, there's a TEST instruction on the first line. If the logical condition is met, the code below the JE executes. And that code, although it looks like gibberish to you, is Denuvo's way of saying "make eax 999" :) Simply because: E7FFA20F + 180061D8 = 1000003E7. We're interested in 0x3E7, cuz that's what gets written to EAX :) And 0x3E7 is 999 in decimal. Now, if you wanna find out what's going on here, NOP that JE. And this is what happens:

[screenshot: the result in-game after NOPing the JE]

In the end, my code looks like this:

Code:
[ENABLE]

aobscanmodule( ReadAmmo_AOB, SniperElite4_DX11.exe, F6412C0174??B80FA2FFE78D )
label( ReadAmmo )
registersymbol( ReadAmmo )
label( ReadAmmo_o )
registersymbol( ReadAmmo_o )
alloc( Hook, 1024, SniperElite4_DX11.exe )

Hook:
mov rcx,[rax+18]
test rcx,rcx              // guard added: the original code checks rcx for null before using it, so do the same here
je ReadAmmo_o
or byte ptr [rcx+2C],1    // set bit 0 so the 'test byte ptr [rcx+2C],01 / je' below falls through to the 999 path
ReadAmmo_o:
readmem( ReadAmmo_AOB-9, 7 )   // the 7 original bytes: mov rcx,[rax+18] ; test rcx,rcx
jmp ReadAmmo+7

/*
SniperElite4_DX11.exe+1606851 - 48 8B 48 18           - mov rcx,[rax+18]
SniperElite4_DX11.exe+1606855 - 48 85 C9              - test rcx,rcx
SniperElite4_DX11.exe+1606858 - 74 16                 - je SniperElite4_DX11.exe+1606870
SniperElite4_DX11.exe+160685A - F6 41 2C 01           - test byte ptr [rcx+2C],01
SniperElite4_DX11.exe+160685E - 74 10                 - je SniperElite4_DX11.exe+1606870
SniperElite4_DX11.exe+1606860 - B8 0FA2FFE7           - mov eax,E7FFA20F
SniperElite4_DX11.exe+1606865 - 8D 80 D8610018        - lea eax,[rax+180061D8]
SniperElite4_DX11.exe+160686B - C3                    - ret
*/

ReadAmmo_AOB-9:
ReadAmmo:
jmp Hook
db 90 90

[DISABLE]

ReadAmmo:
readmem( ReadAmmo_o, 7 )

dealloc( Hook )
unregistersymbol( ReadAmmo_o )
unregistersymbol( ReadAmmo )

As a bonus, the above code also provides 999 Items. If you open up the dial via the Q key, you'll see what I mean.

More on other options, soon :)

BR,
Sun
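Two of the mechanics in the post above lend themselves to a small script: the wildcard AOB scan (`F6412C0174??B80FA2FFE78D`, where `??` matches any byte, with the hook placed 9 bytes before the match) and the mov/lea constant pair whose sum wraps to 0x3E7 in a 32-bit register. The Python below is an added example written for this thread; it is not SunBeam's code and nothing from Cheat Engine or the game. It parses the disassembly lines quoted in the post, runs the AOB pattern over their bytes, and folds the mov/lea pair the way a reader would by hand. The function and regex names are mine.

```python
import re

# Constructed sample input: the Cheat Engine disassembly lines quoted in the post
# ("module+offset - bytes - mnemonic"), copied here as a multi-line string.
LISTING = """\
SniperElite4_DX11.exe+1606851 - 48 8B 48 18           - mov rcx,[rax+18]
SniperElite4_DX11.exe+1606855 - 48 85 C9              - test rcx,rcx
SniperElite4_DX11.exe+1606858 - 74 16                 - je SniperElite4_DX11.exe+1606870
SniperElite4_DX11.exe+160685A - F6 41 2C 01           - test byte ptr [rcx+2C],01
SniperElite4_DX11.exe+160685E - 74 10                 - je SniperElite4_DX11.exe+1606870
SniperElite4_DX11.exe+1606860 - B8 0FA2FFE7           - mov eax,E7FFA20F
SniperElite4_DX11.exe+1606865 - 8D 80 D8610018        - lea eax,[rax+180061D8]
SniperElite4_DX11.exe+160686B - C3                    - ret
"""

# One listing line: module+offset, the raw byte groups, then the mnemonic text.
LINE_RE = re.compile(
    r"^(?P<module>[^+\s]+)\+(?P<off>[0-9A-Fa-f]+)\s+-\s+"
    r"(?P<bytes>[0-9A-Fa-f]+(?: [0-9A-Fa-f]+)*)\s+-\s+(?P<asm>.+?)\s*$"
)
MOV_IMM_RE = re.compile(r"^mov (\w+),([0-9A-Fa-f]+)$")          # mov REG,imm (CE prints hex)
LEA_RE = re.compile(r"^lea (\w+),\[(\w+)\+([0-9A-Fa-f]+)\]$")   # lea REG,[REG+disp]


def parse_listing(text):
    """Return [(offset, raw_bytes, asm), ...] for every listing line that parses."""
    instrs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            instrs.append((int(m["off"], 16),
                           bytes.fromhex(m["bytes"].replace(" ", "")),
                           m["asm"]))
    return instrs


def listing_bytes(instrs):
    """Concatenate the instruction bytes, refusing listings with gaps between lines."""
    blob = bytearray()
    expected = instrs[0][0]
    for off, raw, _ in instrs:
        if off != expected:
            raise ValueError(f"listing not contiguous at +{off:X} (expected +{expected:X})")
        blob += raw
        expected = off + len(raw)
    return bytes(blob)


def aob_find(pattern, blob):
    """Offsets in blob where a Cheat Engine style AOB (hex pairs, '??' = any byte) matches."""
    pattern = pattern.replace(" ", "")
    if len(pattern) % 2:
        raise ValueError("AOB pattern must contain whole bytes")
    needle = [None if pattern[i:i + 2] == "??" else int(pattern[i:i + 2], 16)
              for i in range(0, len(pattern), 2)]
    return [i for i in range(len(blob) - len(needle) + 1)
            if all(n is None or n == blob[i + j] for j, n in enumerate(needle))]


def reg_family(reg):
    """Map eax/rax -> 'ax' and r8d/r8 -> 'r8' so a mov/lea pair matches across widths."""
    m = re.match(r"^r(\d+)d?$", reg)
    if m:
        return "r" + m.group(1)
    return reg[1:] if len(reg) == 3 and reg[0] in "er" else reg


def fold_mov_lea(instrs):
    """Fold 'mov REG,imm' followed by 'lea REG,[REG+disp]' into the constant it produces.

    With a 32-bit destination the sum is truncated modulo 2**32; that truncation is what
    turns two large-looking constants into the small value actually written (here 0x3E7)."""
    folded = {}
    for (off, _, asm), (_, _, nxt) in zip(instrs, instrs[1:]):
        m, l = MOV_IMM_RE.match(asm), LEA_RE.match(nxt)
        if not (m and l):
            continue
        dst, imm = m.group(1), int(m.group(2), 16)
        ldst, base, disp = l.group(1), l.group(2), int(l.group(3), 16)
        if not (reg_family(dst) == reg_family(base) == reg_family(ldst)):
            continue
        width32 = ldst.startswith("e") or ldst.endswith("d")
        folded[off] = (imm + disp) & (0xFFFFFFFF if width32 else 0xFFFFFFFFFFFFFFFF)
    return folded


if __name__ == "__main__":
    instrs = parse_listing(LISTING)
    blob = listing_bytes(instrs)
    base = instrs[0][0]
    for hit in aob_find("F6412C0174??B80FA2FFE78D", blob):
        print(f"AOB matches at +{base + hit:X} (blob offset {hit})")
    for off, val in fold_mov_lea(instrs).items():
        print(f"+{off:X}: mov/lea pair folds to {val:#x} = {val}")
```

Run as-is it reports the AOB hit at +160685A, blob offset 9, which is why the script above anchors the hook at `ReadAmmo_AOB-9`: that is the `mov rcx,[rax+18]` at +1606851, and the 7 bytes `readmem( ReadAmmo_AOB-9, 7 )` copies are exactly that mov plus the `test rcx,rcx` after it. The fold reports 0x3E7 = 999, matching the by-hand arithmetic in the post.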

Kalas
Expert Cheater
Posts: 364
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 66

Re: Sniper Elite 4

Post by Kalas » Mon Mar 06, 2017 1:47 pm

By "Super Accuracy" you mean the Crosshair, the one that is expanding while shooting?


Re: Sniper Elite 4

Post by SunBeam » Mon Mar 06, 2017 1:52 pm

Kalas wrote (Mon Mar 06, 2017 1:47 pm):
> By "Super Accuracy" you mean the Crosshair, the one that is expanding while shooting?

Indeed. Also called "No Spread".


Re: Sniper Elite 4

Post by Kalas » Mon Mar 06, 2017 3:26 pm

SunBeam wrote (Mon Mar 06, 2017 1:52 pm):
> Kalas wrote (Mon Mar 06, 2017 1:47 pm):
> > By "Super Accuracy" you mean the Crosshair, the one that is expanding while shooting?
>
> Indeed. Also called "No Spread".

Ohh, you just solved my biggest dilemma, I never knew what no spread means, thank you haha

Can't wait for the rest of your Tutorial :P

Vee_
Expert Cheater
Posts: 77
Joined: Tue Mar 14, 2017 10:18 am
Reputation: 9

Re: Sniper Elite 4

Post by Vee_ » Mon Apr 10, 2017 12:52 am

Can't wait for the next tutorial SunBeam, I'm actually interested in the Player Structure/Player ID topic and teleporter stuff, haha :D
