Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sat Feb 23, 2019 7:49 pm
by SunBeam
Heeeeeereee we gooooo :D

Image

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sat Feb 23, 2019 7:58 pm
by LoneStrider
What is all this extra work, leading to or hoping to lead to?

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sat Feb 23, 2019 8:09 pm
by sebastianyyz
SunBeam wrote:
Sat Feb 23, 2019 7:49 pm
Heeeeeereee we gooooo :D

Image
Nice, thank you

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sat Feb 23, 2019 9:41 pm
by SunBeam
Here's what the extra work did -> a list of all created UObjects in 4-5 sessions (cuz debug breakpoint + Lua printf sometimes crashes). They are created sequentially in memory, the only difference being the addresses where these objects are with each run of the game. Of course we're interested in them, but not for this run-down. I just wanted to dump all UObjects to disk to find more CheatManager-type commands to use ;)

So, you may find the list here -> [Link] (65 MB .txt file)

BR,
Sun

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sun Feb 24, 2019 4:01 am
by SunBeam
So yeah, managed to isolate the location where the commands are being set. Let me rephrase.. these are CVars ;) "Player.GodModeEnabled 1" is setting 0x1 value to a static memory location. This happens here:

Code:

Crackdown3.exe+223D98C - 49 8B D7              - mov rdx,r15
Crackdown3.exe+223D98F - 83 7D D7 00           - cmp dword ptr [rbp-29],00
Crackdown3.exe+223D993 - 48 0F45 55 CF         - cmovne rdx,[rbp-31]
Crackdown3.exe+223D998 - 41 B8 00000009        - mov r8d,09000000
Crackdown3.exe+223D99E - FF 50 68              - call qword ptr [rax+68] <-- enter this

That CALL takes you to this location:

Code:

Crackdown3.exe+22426D0 - 48 89 5C 24 10        - mov [rsp+10],rbx
Crackdown3.exe+22426D5 - 48 89 6C 24 18        - mov [rsp+18],rbp
Crackdown3.exe+22426DA - 57                    - push rdi
Crackdown3.exe+22426DB - 48 83 EC 20           - sub rsp,20
Crackdown3.exe+22426DF - 48 8B EA              - mov rbp,rdx
Crackdown3.exe+22426E2 - 41 8B F8              - mov edi,r8d
Crackdown3.exe+22426E5 - 41 8B D0              - mov edx,r8d
Crackdown3.exe+22426E8 - 48 8B D9              - mov rbx,rcx
Crackdown3.exe+22426EB - E8 50E9FEFF           - call Crackdown3.exe+2231040
Crackdown3.exe+22426F0 - 84 C0                 - test al,al
Crackdown3.exe+22426F2 - 74 3F                 - je Crackdown3.exe+2242733
Crackdown3.exe+22426F4 - 48 8B CD              - mov rcx,rbp
Crackdown3.exe+22426F7 - 48 89 74 24 30        - mov [rsp+30],rsi
Crackdown3.exe+22426FC - FF 15 12AB3505        - call qword ptr [Crackdown3.exe+759D214]
Crackdown3.exe+2242702 - 8B D7                 - mov edx,edi
Crackdown3.exe+2242704 - 48 8B CB              - mov rcx,rbx
Crackdown3.exe+2242707 - 89 43 70              - mov [rbx+70],eax
Crackdown3.exe+224270A - E8 31E9FEFF           - call Crackdown3.exe+2231040
Crackdown3.exe+224270F - 84 C0                 - test al,al
Crackdown3.exe+2242711 - 74 1B                 - je Crackdown3.exe+224272E
Crackdown3.exe+2242713 - 44 8B 43 18           - mov r8d,[rbx+18]
Crackdown3.exe+2242717 - 48 8D 53 70           - lea rdx,[rbx+70]
Crackdown3.exe+224271B - 48 8B 4B 68           - mov rcx,[rbx+68]
Crackdown3.exe+224271F - E8 1C8CFEFF           - call Crackdown3.exe+222B340 <-- enter this
Crackdown3.exe+2242724 - 8B D7                 - mov edx,edi
Crackdown3.exe+2242726 - 48 8B CB              - mov rcx,rbx
Crackdown3.exe+2242729 - E8 928EFFFF           - call Crackdown3.exe+223B5C0
Crackdown3.exe+224272E - 48 8B 74 24 30        - mov rsi,[rsp+30]
Crackdown3.exe+2242733 - 48 8B 5C 24 38        - mov rbx,[rsp+38]
Crackdown3.exe+2242738 - 48 8B 6C 24 40        - mov rbp,[rsp+40]
Crackdown3.exe+224273D - 48 83 C4 20           - add rsp,20
Crackdown3.exe+2242741 - 5F                    - pop rdi
Crackdown3.exe+2242742 - C3                    - ret

Then the CALL I've marked takes you here:

Code:

Crackdown3.exe+222B340 - 48 89 5C 24 08        - mov [rsp+08],rbx
Crackdown3.exe+222B345 - 48 89 6C 24 10        - mov [rsp+10],rbp
Crackdown3.exe+222B34A - 48 89 74 24 18        - mov [rsp+18],rsi
Crackdown3.exe+222B34F - 57                    - push rdi
Crackdown3.exe+222B350 - 48 83 EC 20           - sub rsp,20
Crackdown3.exe+222B354 - 48 8B 1D A580B804     - mov rbx,[Crackdown3.exe+6DB3400]
Crackdown3.exe+222B35B - 41 8B E8              - mov ebp,r8d
Crackdown3.exe+222B35E - 48 8B FA              - mov rdi,rdx
Crackdown3.exe+222B361 - 48 8B F1              - mov rsi,rcx
Crackdown3.exe+222B364 - 48 85 DB              - test rbx,rbx
Crackdown3.exe+222B367 - 75 0C                 - jne Crackdown3.exe+222B375
Crackdown3.exe+222B369 - E8 627F0100           - call Crackdown3.exe+22432D0
Crackdown3.exe+222B36E - 48 8B 1D 8B80B804     - mov rbx,[Crackdown3.exe+6DB3400]
Crackdown3.exe+222B375 - 80 3D C697B904 00     - cmp byte ptr [Crackdown3.exe+6DC4B42],00
Crackdown3.exe+222B37C - 74 17                 - je Crackdown3.exe+222B395
Crackdown3.exe+222B37E - FF 15 481B3705        - call qword ptr [Crackdown3.exe+759CECC]
Crackdown3.exe+222B384 - 3B 05 BA97B904        - cmp eax,[Crackdown3.exe+6DC4B44]
Crackdown3.exe+222B38A - 75 2D                 - jne Crackdown3.exe+222B3B9
Crackdown3.exe+222B38C - 83 3D 2191B804 00     - cmp dword ptr [Crackdown3.exe+6DB44B4],00
Crackdown3.exe+222B393 - 75 24                 - jne Crackdown3.exe+222B3B9
Crackdown3.exe+222B395 - 40 F6 C5 20           - test bpl,20
Crackdown3.exe+222B399 - 74 1A                 - je Crackdown3.exe+222B3B5
Crackdown3.exe+222B39B - 48 8B 8B 80000000     - mov rcx,[rbx+00000080]
Crackdown3.exe+222B3A2 - 48 85 C9              - test rcx,rcx
Crackdown3.exe+222B3A5 - 74 0E                 - je Crackdown3.exe+222B3B5
Crackdown3.exe+222B3A7 - 48 8B 01              - mov rax,[rcx]
Crackdown3.exe+222B3AA - 48 8B D6              - mov rdx,rsi
Crackdown3.exe+222B3AD - 44 8B 07              - mov r8d,[rdi]
Crackdown3.exe+222B3B0 - FF 50 18              - call qword ptr [rax+18]
Crackdown3.exe+222B3B3 - EB 04                 - jmp Crackdown3.exe+222B3B9
Crackdown3.exe+222B3B5 - 8B 07                 - mov eax,[rdi]
Crackdown3.exe+222B3B7 - 89 06                 - mov [rsi],eax <-- this is where the CVar is set
Crackdown3.exe+222B3B9 - 48 8B 6C 24 38        - mov rbp,[rsp+38]
Crackdown3.exe+222B3BE - 48 8B 74 24 40        - mov rsi,[rsp+40]
Crackdown3.exe+222B3C3 - C6 83 8C000000 01     - mov byte ptr [rbx+0000008C],01
Crackdown3.exe+222B3CA - 48 8B 5C 24 30        - mov rbx,[rsp+30]
Crackdown3.exe+222B3CF - 48 83 C4 20           - add rsp,20
Crackdown3.exe+222B3D3 - 5F                    - pop rdi
Crackdown3.exe+222B3D4 - C3                    - ret

And the CVar is set here:

Code:

Crackdown3.exe+222B3B5 - 8B 07                 - mov eax,[rdi]
Crackdown3.exe+222B3B7 - 89 06                 - mov [rsi],eax

Now, if we take a step back, up in the code we see this:

Code:

Crackdown3.exe+223D45D - 48 0F45 55 DF         - cmovne rdx,[rbp-21]
Crackdown3.exe+223D462 - 48 8B 07              - mov rax,[rdi]
Crackdown3.exe+223D465 - 48 8B CF              - mov rcx,rdi
Crackdown3.exe+223D468 - FF 90 90000000        - call qword ptr [rax+00000090]
Crackdown3.exe+223D46E - 48 8B D8              - mov rbx,rax

Past that CALL, my RAX is -> 000001A447D74C80. Now if I check RAX's memory (which is our CVar structure), I see this:

Image

Now, if I check that address and its value I see this:

Image

Now, if I set it to 1, I see this:

Image

And if you're curious to know where this byte is checked (for a PROPER God Mode):

Code:

Crackdown3.exe+CCCD20 - 40 53                 - push rbx
Crackdown3.exe+CCCD22 - 48 83 EC 20           - sub rsp,20
Crackdown3.exe+CCCD26 - 83 3D 1B8BC305 01     - cmp dword ptr [Crackdown3.exe+6905848],01 <-- hello!
Crackdown3.exe+CCCD2D - 48 8B D9              - mov rbx,rcx
Crackdown3.exe+CCCD30 - 0F84 8D000000         - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD36 - 48 8B 89 58330000     - mov rcx,[rcx+00003358]
Crackdown3.exe+CCCD3D - 48 85 C9              - test rcx,rcx
Crackdown3.exe+CCCD40 - 74 09                 - je Crackdown3.exe+CCCD4B
Crackdown3.exe+CCCD42 - F6 81 82000000 40     - test byte ptr [rcx+00000082],40 <-- set by "god" command
Crackdown3.exe+CCCD49 - 74 78                 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD4B - 48 63 83 D0150000     - movsxd  rax,dword ptr [rbx+000015D0]
Crackdown3.exe+CCCD52 - 48 8B 94 C3 C0130000  - mov rdx,[rbx+rax*8+000013C0]
Crackdown3.exe+CCCD5A - 48 85 D2              - test rdx,rdx
Crackdown3.exe+CCCD5D - 74 2C                 - je Crackdown3.exe+CCCD8B
Crackdown3.exe+CCCD5F - F7 42 3C 00010000     - test [rdx+3C],0100
Crackdown3.exe+CCCD66 - 74 0D                 - je Crackdown3.exe+CCCD75
Crackdown3.exe+CCCD68 - 8B 83 58110000        - mov eax,[rbx+00001158]
Crackdown3.exe+CCCD6E - C1 E8 0B              - shr eax,0B
Crackdown3.exe+CCCD71 - A8 01                 - test al,01
Crackdown3.exe+CCCD73 - 74 4E                 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD75 - F7 42 40 00020000     - test [rdx+40],0200
Crackdown3.exe+CCCD7C - 74 0D                 - je Crackdown3.exe+CCCD8B
Crackdown3.exe+CCCD7E - 8B 83 58110000        - mov eax,[rbx+00001158]
Crackdown3.exe+CCCD84 - C1 E8 0B              - shr eax,0B
Crackdown3.exe+CCCD87 - A8 01                 - test al,01
Crackdown3.exe+CCCD89 - 74 38                 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD8B - 48 85 C9              - test rcx,rcx
Crackdown3.exe+CCCD8E - 74 22                 - je Crackdown3.exe+CCCDB2
Crackdown3.exe+CCCD90 - 48 8B 89 58040000     - mov rcx,[rcx+00000458]
Crackdown3.exe+CCCD97 - 48 85 C9              - test rcx,rcx
Crackdown3.exe+CCCD9A - 74 16                 - je Crackdown3.exe+CCCDB2
Crackdown3.exe+CCCD9C - E8 DF6B5B00           - call Crackdown3.exe+1283980
Crackdown3.exe+CCCDA1 - 84 C0                 - test al,al
Crackdown3.exe+CCCDA3 - 74 0D                 - je Crackdown3.exe+CCCDB2
Crackdown3.exe+CCCDA5 - 8B 83 58110000        - mov eax,[rbx+00001158]
Crackdown3.exe+CCCDAB - C1 E8 0B              - shr eax,0B
Crackdown3.exe+CCCDAE - A8 01                 - test al,01
Crackdown3.exe+CCCDB0 - 74 11                 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCDB2 - 80 BB AC460000 00     - cmp byte ptr [rbx+000046AC],00
Crackdown3.exe+CCCDB9 - 75 08                 - jne Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCDBB - B0 01                 - mov al,01
Crackdown3.exe+CCCDBD - 48 83 C4 20           - add rsp,20
Crackdown3.exe+CCCDC1 - 5B                    - pop rbx
Crackdown3.exe+CCCDC2 - C3                    - ret 
Crackdown3.exe+CCCDC3 - 32 C0                 - xor al,al
Crackdown3.exe+CCCDC5 - 48 83 C4 20           - add rsp,20
Crackdown3.exe+CCCDC9 - 5B                    - pop rbx
Crackdown3.exe+CCCDCA - C3                    - ret

And yes, the "Player.HasInfiniteAmmo 1" and "Player.HasInfiniteClipAmmo 1" CVars are not checked anywhere in the code. Now you know why some of them don't work ;)

However, you can patch here the clip ammo:

Code:

Crackdown3.exe+1716CE0 - 48 89 5C 24 08        - mov [rsp+08],rbx
Crackdown3.exe+1716CE5 - 57                    - push rdi
Crackdown3.exe+1716CE6 - 48 83 EC 20           - sub rsp,20
Crackdown3.exe+1716CEA - 80 B9 41020000 00     - cmp byte ptr [rcx+00000241],00 <-- flip bool ;)
Crackdown3.exe+1716CF1 - 48 8B D9              - mov rbx,rcx
Crackdown3.exe+1716CF4 - 48 63 81 24010000     - movsxd  rax,dword ptr [rcx+00000124]
Crackdown3.exe+1716CFB - 48 8B BC C1 08010000  - mov rdi,[rcx+rax*8+00000108]
Crackdown3.exe+1716D03 - 75 0C                 - jne Crackdown3.exe+1716D11
Crackdown3.exe+1716D05 - 29 91 98000000        - sub [rcx+00000098],edx
Crackdown3.exe+1716D0B - 29 91 90000000        - sub [rcx+00000090],edx <-- ammo sub
Crackdown3.exe+1716D11 - B2 01                 - mov dl,01
Crackdown3.exe+1716D13 - E8 5838FFFF           - call Crackdown3.exe+170A570
Crackdown3.exe+1716D18 - 83 BB 90000000 00     - cmp dword ptr [rbx+00000090],00
Crackdown3.exe+1716D1F - 7F 58                 - jg Crackdown3.exe+1716D79
Crackdown3.exe+1716D21 - 83 BB 98000000 00     - cmp dword ptr [rbx+00000098],00
Crackdown3.exe+1716D28 - 7E 4F                 - jle Crackdown3.exe+1716D79
Crackdown3.exe+1716D2A - 83 BB 9C000000 04     - cmp dword ptr [rbx+0000009C],04
Crackdown3.exe+1716D31 - 74 46                 - je Crackdown3.exe+1716D79
Crackdown3.exe+1716D33 - 48 8B 47 10           - mov rax,[rdi+10]
Crackdown3.exe+1716D37 - 48 85 C0              - test rax,rax
Crackdown3.exe+1716D3A - 74 2C                 - je Crackdown3.exe+1716D68
Crackdown3.exe+1716D3C - 80 78 28 00           - cmp byte ptr [rax+28],00
Crackdown3.exe+1716D40 - 74 26                 - je Crackdown3.exe+1716D68
Crackdown3.exe+1716D42 - 48 8B 03              - mov rax,[rbx]
Crackdown3.exe+1716D45 - 45 33 C9              - xor r9d,r9d
Crackdown3.exe+1716D48 - 0F57 D2               - xorps xmm2,xmm2
Crackdown3.exe+1716D4B - 33 D2                 - xor edx,edx
Crackdown3.exe+1716D4D - 48 8B CB              - mov rcx,rbx
Crackdown3.exe+1716D50 - FF 90 08020000        - call qword ptr [rax+00000208]
Crackdown3.exe+1716D56 - C6 83 30020000 01     - mov byte ptr [rbx+00000230],01
Crackdown3.exe+1716D5D - 48 8B 5C 24 30        - mov rbx,[rsp+30]
Crackdown3.exe+1716D62 - 48 83 C4 20           - add rsp,20
Crackdown3.exe+1716D66 - 5F                    - pop rdi
Crackdown3.exe+1716D67 - C3                    - ret 
Crackdown3.exe+1716D68 - 33 D2                 - xor edx,edx
Crackdown3.exe+1716D6A - 48 8B CB              - mov rcx,rbx
Crackdown3.exe+1716D6D - E8 DED9FFFF           - call Crackdown3.exe+1714750
Crackdown3.exe+1716D72 - C6 83 30020000 01     - mov byte ptr [rbx+00000230],01
Crackdown3.exe+1716D79 - 48 8B 5C 24 30        - mov rbx,[rsp+30]
Crackdown3.exe+1716D7E - 48 83 C4 20           - add rsp,20
Crackdown3.exe+1716D82 - 5F                    - pop rdi
Crackdown3.exe+1716D83 - C3                    - ret

BOOL gets reset here when you change weapons or grab some ledge:

Code:

Crackdown3.exe+170B2C7 - 66 C7 81 36020000 0000 - mov word ptr [rcx+00000236],0000
Crackdown3.exe+170B2D0 - 0F94 C0               - sete al
Crackdown3.exe+170B2D3 - C6 81 41020000 00     - mov byte ptr [rcx+00000241],00 <-- here
Crackdown3.exe+170B2DA - 88 81 50010000        - mov [rcx+00000150],al
Crackdown3.exe+170B2E0 - 48 63 81 24010000     - movsxd  rax,dword ptr [rcx+00000124]

There you go; happy unlimited clip ammo :)

The game is non-standard in terms of programmed code and UE4; looks like the developers didn't want to use much of the stock engine features for movement, weaponry, etc. They had something else in mind :P

BR,
Sun

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sun Feb 24, 2019 4:29 am
by SunBeam
Apart from that, I haven't encountered a single crash due to change of executable code. No idea if those scanners are set across whole memory map or just some hunted regions :) Setting that byte to 0x1 @ Crackdown3.exe+170B2D3+6 gives you unlimited clip ammo; and no crash :) Official game, not CODEX.

EDIT: Oh, spoke too soon :D

Image

And the first two menu options get grayed out. Like Caliber said in another post (viewtopic.php?p=79381#p79381), there are several integrity checks that can be patched out.

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sun Feb 24, 2019 5:36 am
by STN
SunBeam wrote:
Sun Feb 24, 2019 4:29 am
Apart from that, I haven't encountered a single crash due to change of executable code. No idea if those scanners are set across whole memory map or just some hunted regions :) Setting that byte to 0x1 @ Crackdown3.exe+170B2D3+6 gives you unlimited clip ammo; and no crash :) Official game, not CODEX.

EDIT: Oh, spoke too soon :D

Image

And the first two menu options get grayed out. Like Caliber said in another post (viewtopic.php?p=79381#p79381), there are several integrity checks that can be patched out.

Yep, takes a good 10-15 minutes for the scanners to hit.
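
Added example, not part of any post in this thread and not the game's code: a minimal model of an incremental code-integrity scan, showing why a one-byte code patch such as the one at Crackdown3.exe+170B2D3+6 can go unflagged for a while and then be caught. The chunk size, the FNV-1a hash and the names `scanner_t`, `scanner_tick` and `ticks_until_detected` are assumptions for illustration; the thread does not say how the game's scanners actually work.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 32
#define CHUNK    8                    /* bytes verified per tick (assumed) */
#define NCHUNKS  (CODE_LEN / CHUNK)

/* Instruction bytes as listed in the thread for Crackdown3.exe+170B2C7..+170B2E6. */
static const uint8_t CODE_SAMPLE[CODE_LEN] = {
    0x66,0xC7,0x81,0x36,0x02,0x00,0x00,0x00,0x00,   /* mov word ptr [rcx+236],0 */
    0x0F,0x94,0xC0,                                 /* sete al */
    0xC6,0x81,0x41,0x02,0x00,0x00,0x00,             /* mov byte ptr [rcx+241],0 */
    0x88,0x81,0x50,0x01,0x00,0x00,                  /* mov [rcx+150],al */
    0x48,0x63,0x81,0x24,0x01,0x00,0x00              /* movsxd rax,[rcx+124] */
};

/* Hypothetical scanner state: one baseline hash per chunk plus a cursor. */
typedef struct { uint32_t base[NCHUNKS]; size_t next; } scanner_t;

static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Record baseline hashes while the code is known to be pristine. */
void scanner_init(scanner_t *s, const uint8_t *code) {
    for (size_t c = 0; c < NCHUNKS; c++) s->base[c] = fnv1a(code + c * CHUNK, CHUNK);
    s->next = 0;
}

/* Verify one chunk per call; return the tampered chunk index, or -1 if it matched. */
int scanner_tick(scanner_t *s, const uint8_t *code) {
    size_t c = s->next;
    s->next = (s->next + 1) % NCHUNKS;
    return fnv1a(code + c * CHUNK, CHUNK) == s->base[c] ? -1 : (int)c;
}

/* Patch one byte after baselining; return ticks until flagged, or -1 after a clean pass. */
int ticks_until_detected(size_t patch_off, uint8_t new_val) {
    uint8_t code[CODE_LEN];
    scanner_t s;
    memcpy(code, CODE_SAMPLE, CODE_LEN);
    scanner_init(&s, code);
    code[patch_off] = new_val;
    for (int t = 1; t <= NCHUNKS; t++)
        if (scanner_tick(&s, code) >= 0) return t;
    return -1;
}

int main(void) {
    /* +170B2D3+6 is offset 0x12 from the start of the sample. */
    printf("detected after %d tick(s)\n", ticks_until_detected(0x12, 0x01));
    return 0;
}
```

Because only one chunk is verified per tick, the delay before a change is flagged depends on where the scan cursor is relative to the modified bytes and on how often the scanner runs.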

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sun Feb 24, 2019 1:49 pm
by Kushan
SunBeam wrote:
Sun Feb 24, 2019 4:01 am

The game is non-standard in terms of programmed code and UE4; looks like the developers didn't want to use much of the stock engine features for movement, weaponry, etc. They had something else in mind :P

BR,
Sun

The game is well known for being in development hell for years and the final result isn't indicative of a game that has been in development for nearly half a decade. I wonder if the "non-standard" use of UE4 is a sign that maybe some of the developers didn't really know what they were doing and just hacked at it until it did what they wanted. That's usually the case when you see code that does something in a roundabout fashion that would have been much easier using something built-in, but who knows. It could be leftovers from a rebooted development.

It's still fascinating to see, though.

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sun Feb 24, 2019 8:13 pm
by viteq
Thank you for your work SunBeam.

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Sun Feb 24, 2019 11:38 pm
by SunBeam
^ You're welcome ;)

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Tue Feb 26, 2019 7:30 pm
by teefree14
Crackdown had an update today and when I enter "1" for the console enabler my game crashes.

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Tue Feb 26, 2019 9:48 pm
by SunBeam
The table uses fixed addresses. Since the binary updated, I am pretty sure those don't match the previous version's location anymore :) Good luck updating the table :P

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Tue Feb 26, 2019 11:47 pm
by azunda
I went through the codes trying to find one for infinite jump/boost. I could only find "player.AdjustJumpHeight", but it's not working. Is there any other that I missed, or is there none for that?

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Wed Feb 27, 2019 12:59 pm
by SunBeam
Not all of the CVars have an effect. If that one doesn't do anything, then it's been removed from where it was used/checked in the Shipping build :P Nothing else you can do. Also.. I've finished the game, find it has no replay value.. so you're on your own :)

Re: Crackdown 3 [Engine:UE4] - Console enabler, commands and more..

Posted: Fri Mar 01, 2019 11:35 pm
by ericiscool
None of the infinite ammo commands work for me. Only got "god", "Player.UnlockAllEquipment", and "Player.UnlockAllVehicles" to work. God mode also seems to reset randomly. Also, I'm assuming this doesn't work on the v1.0.2918.2 update, as it just crashes the game when I try to set bkeypressed to 1?