Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..
Posted: Tue Dec 04, 2018 8:45 pm
I've just checked the table.SunBeam wrote: ↑Mon Dec 03, 2018 7:53 pmI got that Want the camera, sin/cos, player coords, etc.? See attached table.
- CollisionCylinder -> X,Y,Z (player)
Rotators are in DSStateCamera; check that offset I listed; it's 1.00 when rotate further left-back, etc.
- DSStateCamera -> MovieSceneFloatSection_3 -> X,Y,Z (camera)
Darksiders3-Win64-Shipping.CT
Meanwhile: viewtopic.php?p=70654#p70654
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>4554</ID>
<Description>"NVs fetch"</Description>
<LastState Activated="1"/>
<VariableType>Auto Assembler Script</VariableType>
<AssemblerScript>[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
// Locate the hook site by byte signature instead of a fixed offset; '**' bytes are wildcards.
// NOTE(review): only 8 of the 23 pattern bytes are fixed (0F 28 / 41 0F 11 / 0F 28 / 41), so the
// signature may match somewhere else after a game update - confirm the hit is still the
// +16D1A37 site noted on the alloc line before enabling.
aobscanmodule(someNVWritesAOB,Darksiders3-Win64-Shipping.exe,0F 28 ** ** ** ** ** 41 0F 11 ** ** ** ** ** 0F 28 ** ** ** ** ** 41)
registersymbol(someNVWritesAOB)
// aNV3 / aNV2 are the output buffers the hook fills; registering them lets table entries
// address them by name.
label(aNV3)
registersymbol(aNV3)
label(aNV2)
registersymbol(aNV2)
// 2048-byte code cave requested near the hook site, so the 5-byte relative jmp written over
// the game code can reach it. This memory is executable and lives inside the game process.
alloc(newmem,2048,someNVWritesAOB) //"Darksiders3-Win64-Shipping.exe"+16D1A37)
label(returnhere)
// originalcode_nmfetch marks the saved copy of the 7 overwritten bytes; it is registered so
// that [DISABLE] can read them back.
label(originalcode_nmfetch)
registersymbol(originalcode_nmfetch)
label(exit)
// Hook body: copies five floats out of the structure at r8+disp into aNV3/aNV2, then replays
// the displaced game instruction and returns. "NV" presumably stands for normalised vector
// (the sample values in the table entries have length ~1) - confirm with the author.
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
// rax/rbx are saved and restored around the copy. xmm0 is used as scratch without saving;
// the replayed original instruction (movaps xmm0,[rdx+1E0]) overwrites it afterwards.
push rax
push rbx
// The next two lines assemble ONE instruction: opcode bytes 49 8D 98 (lea rbx,[r8+disp32])
// followed by the 4-byte displacement copied from the game's own instruction at hook+0xB,
// so the structure offset follows the binary instead of being hard-coded.
db 49 8D 98
readmem(someNVWritesAOB+b,4)
//lea rbx,[r8+280]
mov rax,aNV3
// aNV3[0..2] = floats at rbx+0C, +1C, +2C (stride 0x10 - presumably one element from each of
// three consecutive 4-float rows; TODO confirm the layout).
movss xmm0,[rbx+c]
movss [rax],xmm0
movss xmm0,[rbx+1c]
movss [rax+4],xmm0
movss xmm0,[rbx+2c]
movss [rax+8],xmm0
mov rax,aNV2
// aNV2[0..1] = floats at rbx+00 and +10, each divided by the float stored at aNV2-4, which is
// the (float)1.2 constant that ends the aNV3 data block.
movss xmm0,[rbx]
divss xmm0,[rax-4]
movss [rax],xmm0
movss xmm0,[rbx+10]
divss xmm0,[rax-4]
movss [rax+4],xmm0
pop rbx
pop rax
// Copy of the 7 bytes the jmp overwrote, taken from the live hook site at enable time and
// executed here so the game still runs its original instruction.
originalcode_nmfetch:
readmem(someNVWritesAOB,7)
//movaps xmm0,[rdx+000001E0]
exit:
jmp returnhere
///
// aNV3 layout (20 bytes): three floats written by the hook (dq 0 + dd 0), a constant 1.0,
// then the 1.2 divisor that the hook reads as [aNV2-4].
aNV3:
dq 0
dd 0
dd (float)1
dd (float)1.2
// aNV2 layout (16 bytes): two floats written by the hook (dq 0), then two constant 1.0 lanes.
aNV2:
dq 0
dd (float)1
dd (float)1
///
// Patch written over the game code: a 5-byte jmp plus two nops replaces exactly the 7-byte
// original instruction, and returnhere is the first untouched byte after it.
someNVWritesAOB: //"Darksiders3-Win64-Shipping.exe"+16D1A37:
jmp newmem
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// Undo the hook: put the saved 7 bytes back over the jmp, free the code cave and drop the symbols.
// NOTE(review): dealloc(newmem) is listed before the readmem that still reads from newmem;
// this relies on Cheat Engine deferring deallocation until the script's writes are done -
// TODO confirm for the CE version in use.
dealloc(newmem)
someNVWritesAOB: //"Darksiders3-Win64-Shipping.exe"+16D1A37:
readmem(originalcode_nmfetch,7)
//db 0F 28 82 E0 01 00 00
//Alt: movaps xmm0,[rdx+000001E0]
// someNVWritesAOB itself is registered in [ENABLE] but is not unregistered here.
unregistersymbol(originalcode_nmfetch)
unregistersymbol(aNV3)
unregistersymbol(aNV2)
</AssemblerScript>
<CheatEntries>
<CheatEntry>
<ID>4555</ID>
<Description>"aNV3"</Description>
<LastState Value="" RealAddress="1457C006D"/>
<VariableType>Array of byte</VariableType>
<ByteLength>0</ByteLength>
<Address>aNV3</Address>
<CheatEntries>
<CheatEntry>
<ID>4558</ID>
<Description>""</Description>
<LastState Value="0.1725046337" RealAddress="1457C006D"/>
<VariableType>Float</VariableType>
<Address>+0</Address>
</CheatEntry>
<CheatEntry>
<ID>4556</ID>
<Description>""</Description>
<LastState Value="0.02013435028" RealAddress="1457C0071"/>
<VariableType>Float</VariableType>
<Address>+4</Address>
</CheatEntry>
<CheatEntry>
<ID>4557</ID>
<Description>""</Description>
<LastState Value="-0.9848029017" RealAddress="1457C0075"/>
<VariableType>Float</VariableType>
<Address>+8</Address>
</CheatEntry>
</CheatEntries>
</CheatEntry>
<CheatEntry>
<ID>4559</ID>
<Description>"aNV2"</Description>
<LastState Value="" RealAddress="1457C0081"/>
<VariableType>Array of byte</VariableType>
<ByteLength>0</ByteLength>
<Address>aNV2</Address>
<CheatEntries>
<CheatEntry>
<ID>4560</ID>
<Description>""</Description>
<LastState Value="-0.1151340753" RealAddress="1457C0081"/>
<VariableType>Float</VariableType>
<Address>+0</Address>
</CheatEntry>
<CheatEntry>
<ID>4561</ID>
<Description>""</Description>
<LastState Value="0.9864315987" RealAddress="1457C0085"/>
<VariableType>Float</VariableType>
<Address>+4</Address>
</CheatEntry>
</CheatEntries>
</CheatEntry>
</CheatEntries>
</CheatEntry>
</CheatEntries>
</CheatTable>
seems it's still "heavy traffic" now, so I'm typing in notepad first this time...
thanks for the heads up, implemented the player filter right away when I made the script..
SunBeam wrote: ↑Thu Dec 06, 2018 10:13 am
...
Simply NOP-ing (at first) the movement writer and testing this out in a spot where there aren't any AIs should work (UE4 controls movement in a certain radius; if no AI nearby or spawned, the engine handles only your player's controller; so it should be safe).
...
um... maybe I'm misunderstanding you, or you misunderstood me. anyway, what I meant was: this value won't be affected by the cam Z changes if it's for the 2d rotation, so it must be part of the 3d nv. but it doesn't exhaust the -1 to 1 range when looking up/down, so I can't use it as part of the 3d nv, as the movement would be inaccurate (while moving towards, or backing away from, where the camera is facing when pressing W/S, the direction would be slightly off from the horizon); and I can't use it as the 2d nv, as the movement would be slowed down if the camera is not facing the horizon.
that would be great! it's nice to have the no-clip ready easily (or easier) in the console command when you crack other UE4 games~
here it is:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>4568</ID>
<Description>"no-clip (Home+PageUp:ON, Home+PageDown:OFF)"</Description>
<Options moHideChildren="1"/>
<LastState/>
<Color>FF0000</Color>
<VariableType>Auto Assembler Script</VariableType>
<AssemblerScript>[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
// Tunables: base step per hooked coordinate write, and the multipliers applied while the
// faster (Shift) or slower (Caps Lock) key is held.
define(noclipbasespeed,(float)10)
define(fasterkeynoclipspeedmultiplier,(float)3)
define(slowerkeynoclipspeedmultiplier,(float)0.5)
// Shared state block: written by the key-listener thread, read by the coordinate hook.
alloc(values_noclip,1024,"Darksiders3-Win64-Shipping.exe")
// Symbols registered here are dNoClipSpeedMultiplier, dXF, dYF and dZF; these are the names
// [DISABLE] has to unregister.
label(dNoClipSpeedMultiplier)
registersymbol(dNoClipSpeedMultiplier)
label(dXF)
registersymbol(dXF)
label(dYF)
registersymbol(dYF)
label(dZF)
registersymbol(dZF)
///*****************************************************///
values_noclip:
// Current speed multiplier (float), 1.0 until the thread publishes another value.
dNoClipSpeedMultiplier:
dd (float)1
// Per-axis direction floats published by the thread: the thread code stores -1, 0 or +1
// (scaled by 0.5 on diagonals) for strafe (X), forward/back (Y) and up/down (Z).
dXF:
dd 0
dYF:
dd 0
dZF:
dd 0
///*****************************************************///
// First hook: direction-vector fetch. The site is located by byte signature; '**' are wildcards.
// NOTE(review): only 8 of the 23 pattern bytes are fixed (0F 28 / 41 0F 11 / 0F 28 / 41), so the
// signature may match somewhere else after a game update - confirm the hit is still the
// +16D1A37 site noted on the alloc line before enabling.
aobscanmodule(someNVWritesAOB,Darksiders3-Win64-Shipping.exe,0F 28 ** ** ** ** ** 41 0F 11 ** ** ** ** ** 0F 28 ** ** ** ** ** 41)
registersymbol(someNVWritesAOB)
// aNV3 / aNV2 are filled by this hook and consumed by the coordinate hook (newmem2).
label(aNV3)
registersymbol(aNV3)
label(aNV2)
registersymbol(aNV2)
// 2048-byte executable code cave requested near the hook site, so the 5-byte relative jmp
// written over the game code can reach it.
alloc(newmem,2048,someNVWritesAOB) //"Darksiders3-Win64-Shipping.exe"+16D1A37)
label(returnhere)
// originalcode_nmfetch marks the saved copy of the 7 overwritten bytes; [DISABLE] reads it back.
label(originalcode_nmfetch)
registersymbol(originalcode_nmfetch)
label(exit)
// Hook body: copies five floats out of the structure at r8+disp into aNV3/aNV2, then replays
// the displaced game instruction and returns. newmem2 multiplies key input by these vectors,
// so they presumably describe where the camera is facing - confirm with the author.
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
// rax/rbx are saved and restored around the copy. xmm0 is used as scratch without saving;
// the replayed original instruction (movaps xmm0,[rdx+1E0]) overwrites it afterwards.
push rax
push rbx
// The next two lines assemble ONE instruction: opcode bytes 49 8D 98 (lea rbx,[r8+disp32])
// followed by the 4-byte displacement copied from the game's own instruction at hook+0xB,
// so the structure offset follows the binary instead of being hard-coded.
db 49 8D 98
readmem(someNVWritesAOB+b,4)
//lea rbx,[r8+280]
mov rax,aNV3
// aNV3[0..2] = floats at rbx+0C, +1C, +2C (stride 0x10 - presumably one element from each of
// three consecutive 4-float rows; TODO confirm the layout).
movss xmm0,[rbx+c]
movss [rax],xmm0
movss xmm0,[rbx+1c]
movss [rax+4],xmm0
movss xmm0,[rbx+2c]
movss [rax+8],xmm0
mov rax,aNV2
// aNV2[0..1] = floats at rbx+00 and +10, each divided by the float stored at aNV2-4, which is
// the (float)1.2 constant that ends the aNV3 data block.
movss xmm0,[rbx]
divss xmm0,[rax-4]
movss [rax],xmm0
movss xmm0,[rbx+10]
divss xmm0,[rax-4]
movss [rax+4],xmm0
pop rbx
pop rax
// Copy of the 7 bytes the jmp overwrote, taken from the live hook site at enable time and
// executed here so the game still runs its original instruction.
originalcode_nmfetch:
readmem(someNVWritesAOB,7)
//movaps xmm0,[rdx+000001E0]
exit:
jmp returnhere
///
// aNV3 layout (20 bytes): three floats written by the hook (dq 0 + dd 0), a constant 1.0 that
// becomes the 4th lane when newmem2 loads the vector with movups, then the 1.2 divisor that
// the hook reads as [aNV2-4].
aNV3:
dq 0
dd 0
dd (float)1
dd (float)1.2
// aNV2 layout (16 bytes): two floats written by the hook (dq 0), then two constant 1.0 lanes.
aNV2:
dq 0
dd (float)1
dd (float)1
///
// Patch written over the game code: a 5-byte jmp plus two nops replaces exactly the 7-byte
// original instruction, and returnhere is the first untouched byte after it.
someNVWritesAOB: //"Darksiders3-Win64-Shipping.exe"+16D1A37:
jmp newmem
nop
nop
returnhere:
///*****************************************************///
// Second hook: the instruction that stores an object's position (movaps [rbx+190],xmm7 in the
// build the author used). Located by signature; '**' are wildcards.
// NOTE(review): 9 of the 29 pattern bytes are fixed, so re-check after a game update that the
// hit is still the +12A0D0C site noted on the alloc line.
aobscanmodule(someCoordsWriteAOB,Darksiders3-Win64-Shipping.exe,0F 29 ** ** ** ** ** 0F 29 ** ** ** ** ** E8 ** ** ** ** 0F 28 ** ** ** ** ** ** 0F 28)
registersymbol(someCoordsWriteAOB)
// pPlayerCoords receives the player object pointer (rbx) each time the hook runs for the player.
label(pPlayerCoords)
registersymbol(pPlayerCoords)
// Second 2048-byte executable code cave, again requested near its hook site for a 5-byte jmp.
alloc(newmem2,2048,someCoordsWriteAOB) //"Darksiders3-Win64-Shipping.exe"+12A0D0C)
label(returnhere2)
// Saved copy of the 7 overwritten bytes; [DISABLE] restores the hook site from it.
label(originalcode2_freezecoord_noclipmain)
registersymbol(originalcode2_freezecoord_noclipmain)
label(exit2)
// Coordinate-write hook. Runs in place of the game's "movaps [rbx+190],xmm7" and, for the
// player object only, replaces the value about to be stored with
//   position currently in memory + key-driven offset
// so the game's own movement result (including collision response) is discarded.
newmem2: //this is allocated memory, you have read,write,execute access
//place your code here
push rax
// Player filter: read [LocalPlayer], then [+30], and compare [+348] with r13; any other object
// skips to end2 and gets the untouched original store.
// LocalPlayer is not defined in this script - presumably it is registered by the console/dumper
// table this thread is about, and this entry will not assemble without it.
// NOTE(review): only [LocalPlayer] is null-checked; the pointer loaded from +30 is dereferenced
// unchecked, and the 30/348 offsets are build-specific - TODO confirm after game updates.
mov rax,LocalPlayer
mov rax,[rax]
test rax,rax
jz end2
mov rax,[rax+30]
cmp [rax+348],r13
jne end2
// Publish the player object pointer (rbx). pPlayerCoords has no dq of its own; the 8 bytes
// land in the unused tail of the 2048-byte newmem2 allocation.
mov rax,pPlayerCoords
mov [rax],rbx
//store registers, xmms
//push rax
push r8
push r9
// xmm3/xmm4 are scratch for the maths below. movdqu is the unaligned form, so the save works
// whatever rsp's alignment is at this point.
sub rsp,10
movdqu dqword [rsp],xmm3
xorps xmm3,xmm3
sub rsp,10
movdqu dqword [rsp],xmm4
xorps xmm4,xmm4
//freeze coord
// Builds "movaps xmm7,[rbx+190]" from the game's own bytes: byte 0 of the hooked store (0F),
// opcode 28 in place of 29 (load instead of store), then the 5 ModRM+disp32 bytes. xmm7 now
// holds the position currently in memory rather than the one the game just computed.
readmem(someCoordsWriteAOB,1)
db 28
readmem(someCoordsWriteAOB+2,5)
//movaps xmm7,[rbx+190]
//do y
//get delta y
// Forward/back (W/S): lanes (dYF,dYF,dYF,0) * base speed * multiplier * aNV3 (x,y,z,1).
// NOTE(review): dYF is a constant address, so this test/jz (and the matching ones for aNV3,
// dXF, aNV2 and dZF below) can never branch.
mov r8,dYF
test r8,r8
jz @f
movss xmm4,[r8]
shufps xmm4,xmm4,c0 //broadcast except 4th
//apply speed
// noclipbasespeed is a define for (float)10, so eax receives the float's bit pattern.
mov eax,noclipbasespeed
movd xmm3,eax
shufps xmm3,xmm3,00 //broadcast
mulps xmm4,xmm3
mov rax,dNoClipSpeedMultiplier
movss xmm3,[rax]
shufps xmm3,xmm3,c0 //broadcast except 4th
mulps xmm4,xmm3
//apply vector
mov r9,aNV3
test r9,r9
jz @f
movups xmm3,[r9]
mulps xmm4,xmm3
//update new coord
addps xmm7,xmm4
//do x
//get delta x
// Strafe (A/D): lanes (dXF,dXF,0,0) * base speed * multiplier * aNV2 (x,y,1,1), so only the
// first two lanes of the position change.
mov r8,dXF
test r8,r8
jz @f
movss xmm4,[r8]
shufps xmm4,xmm4,e0 //copy to 2nd
//apply speed
mov eax,noclipbasespeed
movd xmm3,eax
shufps xmm3,xmm3,e0 //copy to 2nd
mulps xmm4,xmm3
mov rax,dNoClipSpeedMultiplier
movss xmm3,[rax]
shufps xmm3,xmm3,00 //broadcast
mulps xmm4,xmm3
//apply vector
mov r9,aNV2
test r9,r9
jz @f
movups xmm3,[r9]
mulps xmm4,xmm3
//update new coord
addps xmm7,xmm4
//do z
//get z direction
// Up/down (SPACE/E): lanes (0,0,dZF,0) * base speed * multiplier; no direction vector is
// applied, so this moves along the third lane only.
mov r8,dZF
test r8,r8
jz @f
movss xmm4,[r8]
shufps xmm4,xmm4,c6 //place z direction to 3rd element
//apply speed
mov eax,noclipbasespeed
movd xmm3,eax
shufps xmm3,xmm3,00
mulps xmm4,xmm3
mov rax,dNoClipSpeedMultiplier
movss xmm3,[rax]
shufps xmm3,xmm3,00 //broadcast
mulps xmm4,xmm3
//update new coord
addps xmm7,xmm4
@@:
//restore registers, xmms
// Restores in reverse order of the saves above: xmm4, xmm3, r9, r8.
movdqu xmm4,dqword [rsp]
add rsp,10
movdqu xmm3,dqword [rsp]
add rsp,10
pop r9
pop r8
//pop rax
// end2 is also the target of the player-filter exits, which have pushed only rax.
end2:
pop rax
// Replay of the 7 displaced bytes: stores xmm7 (adjusted for the player, untouched otherwise).
originalcode2_freezecoord_noclipmain:
readmem(someCoordsWriteAOB,7)
//movaps [rbx+00000190],xmm7
exit2:
jmp returnhere2
///
// pPlayerCoords marks the end of the hook code; no storage is reserved here, so the 8-byte
// pointer the hook writes uses the unused remainder of the newmem2 allocation.
pPlayerCoords:
///
// Patch written over the game code: 5-byte jmp plus two nops replaces the 7-byte store, and
// returnhere2 is the first untouched byte after it.
someCoordsWriteAOB: //"Darksiders3-Win64-Shipping.exe"+12A0D0C:
jmp newmem2
nop
nop
returnhere2:
///*****************************************************///
///*****************************************************///
// Key-listener setup. bEndThread_... is the stop flag shared with the Lua code in [DISABLE]:
// the thread runs while it is 0, exits when it sees 1, and writes 2 once it has left its loop.
label(bEndThread_Darksiders3_noClip_keylistener_mem)
registersymbol(bEndThread_Darksiders3_noClip_keylistener_mem)
alloc(Darksiders3_noClip_keylistener_mem,2048,"Darksiders3-Win64-Shipping.exe")
registersymbol(Darksiders3_noClip_keylistener_mem)
// createthread starts a new thread inside the game process at this address once the script
// has been written. The memory must stay allocated for as long as that thread runs, which is
// why [DISABLE] waits for the flag to reach 2 before its deallocs.
createthread(Darksiders3_noClip_keylistener_mem)
label(keylistenerstart)
label(keylistenerend)
label(keylistenerexit)
// dTemp* are thread-private scratch slots; the values are copied to the shared
// dXF/dYF/dZF/dNoClipSpeedMultiplier once per polling pass.
label(dTempXF)
label(dTempYF)
label(dTempZF)
label(dTempNoClipSpeedMultiplier)
// Mod1/Mod2 hold the Shift and Caps Lock multipliers; registered so they can be edited live.
label(dNoClipSpeedMultiplierMod1)
registersymbol(dNoClipSpeedMultiplierMod1)
label(dNoClipSpeedMultiplierMod2)
registersymbol(dNoClipSpeedMultiplierMod2)
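// Key-polling thread (started by createthread). About every 100 ms it samples the movement
// keys, builds the per-axis direction (-1 / 0 / +1) and the speed multiplier in the dTemp*
// scratch slots, then copies them to dXF/dYF/dZF/dNoClipSpeedMultiplier for the coordinate
// hook. It leaves the loop when bEndThread_... is 1 and acknowledges by writing 2.
//
// Fix over the posted version: three "@@:" anchors were missing (before doxf, dozf and
// keylistenerend). "@f" resolves to the NEXT "@@:", so as posted 'A' was polled only while
// W or S was held, SPACE only while a diagonal (W/S plus A/D) was held, and the final
// "jne @f" had no anchor left to resolve to.
//
// GetAsyncKeyState reports key state system-wide, so keys are picked up even when the game
// window does not have focus.
// NOTE(review): the argument is already in rcx; the push/add pair around each call only moves
// rsp by 8, which (assuming the thread is entered like a normal call) leaves the stack 8 bytes
// off the 16-byte alignment the Win64 ABI expects at a call. Kept as posted; dropping the
// pair would be the ABI-clean form - TODO verify in the target.
Darksiders3_noClip_keylistener_mem:
// 0x28 = 0x20 bytes of shadow space for the callees + 8 to realign after the return address.
sub rsp,28
keylistenerstart:
//do noclip speed x?
// Default multiplier is 1.0; Shift replaces it with Mod1, Caps Lock with Mod2 (Caps Lock is
// checked last, so it wins when both are held).
mov dword ptr [dTempNoClipSpeedMultiplier],(float)1
mov rcx,10 //SHIFT key
push rcx
call GetAsyncKeyState
add rsp,08
// Bit 15 of the result is set while the key is down; shr/cmp isolates it.
shr ax,#15
cmp ax,1
jne @f
mov rbx,dNoClipSpeedMultiplierMod1
mov ecx,[rbx]
mov rbx,dTempNoClipSpeedMultiplier
mov [rbx],ecx
@@:
mov rcx,14 //CAPS LOCK key
push rcx
call GetAsyncKeyState
add rsp,08
shr ax,#15
cmp ax,1
jne @f
mov rbx,dNoClipSpeedMultiplierMod2
mov ecx,[rbx]
mov rbx,dTempNoClipSpeedMultiplier
mov [rbx],ecx
@@:
// Start every pass from "no movement".
mov dword ptr [dTempXF],0
mov dword ptr [dTempYF],0
mov dword ptr [dTempZF],0
// Forward/back: W = +1, S = -1, W wins when both are held.
doyf:
mov rcx,'W'
push rcx
call GetAsyncKeyState
add rsp,08
shr ax,#15
cmp ax,1
jne @f
mov rbx,dTempYF
mov dword ptr [rbx],(float)1
jmp doxf
@@:
mov rcx,'S'
push rcx
call GetAsyncKeyState
add rsp,08
shr ax,#15
cmp ax,1
jne @f
mov rbx,dTempYF
mov dword ptr [rbx],(float)-1
jmp doxf
// Added anchor: "S not pressed" now falls through to the strafe check.
@@:
// Strafe: A = -1, D = +1. When a forward/back direction is also set, both axes are scaled by
// the 0.5 stored at dTempNoClipSpeedMultiplier+4 so diagonals are not faster.
doxf:
mov rcx,'A'
push rcx
call GetAsyncKeyState
add rsp,08
shr ax,#15
cmp ax,1
jne @f
mov rbx,dTempXF
mov dword ptr [rbx],(float)-1
mov rdx,dTempYF
cmp dword ptr [rdx],0
je @f
mov rcx,dTempNoClipSpeedMultiplier
fld dword ptr [rbx]
fmul dword ptr [rcx+4]
fstp dword ptr [rbx]
fld dword ptr [rdx]
fmul dword ptr [rcx+4]
fstp dword ptr [rdx]
jmp dozf
@@:
mov rcx,'D'
push rcx
call GetAsyncKeyState
add rsp,08
shr ax,#15
cmp ax,1
jne @f
mov rbx,dTempXF
mov dword ptr [rbx],(float)1
mov rdx,dTempYF
cmp dword ptr [rdx],0
je @f
mov rcx,dTempNoClipSpeedMultiplier
fld dword ptr [rbx]
fmul dword ptr [rcx+4]
fstp dword ptr [rbx]
fld dword ptr [rdx]
fmul dword ptr [rcx+4]
fstp dword ptr [rdx]
jmp dozf
// Added anchor: "D not pressed" and "D pressed without W/S" now reach the up/down check.
@@:
// Up/down: SPACE = +1, E = -1, SPACE wins when both are held.
dozf:
mov rcx,20 //SPACEBAR
push rcx
call GetAsyncKeyState
add rsp,08
shr ax,#15
cmp ax,1
jne @f
mov rbx,dTempZF
mov dword ptr [rbx],(float)1
jmp keylistenerend
@@:
mov rcx,'E'
push rcx
call GetAsyncKeyState
add rsp,08
shr ax,#15
cmp ax,1
jne @f
mov rbx,dTempZF
mov dword ptr [rbx],(float)-1
jmp keylistenerend
// Added anchor: gives the 'E' check's "jne @f" a target.
@@:
// Publish the pass: copy the scratch values to the slots the coordinate hook reads.
keylistenerend:
mov rbx,dTempNoClipSpeedMultiplier
mov ecx,[rbx]
mov rbx,dNoClipSpeedMultiplier
mov [rbx],ecx
mov rbx,dTempXF
mov rdx,dXF
mov ecx,[rbx]
mov [rdx],ecx
mov rbx,dTempYF
mov rdx,dYF
mov ecx,[rbx]
mov [rdx],ecx
mov rbx,dTempZF
mov rdx,dZF
mov ecx,[rbx]
mov [rdx],ecx
// Poll interval: 100 ms (decimal).
mov rcx,#100
call Sleep
// Keep looping until [DISABLE] sets the stop flag to 1.
cmp dword ptr [bEndThread_Darksiders3_noClip_keylistener_mem],1
jne keylistenerstart
keylistenerexit:
add rsp,28
// 2 = "thread has left the loop"; [DISABLE] waits for this before freeing the memory.
mov dword ptr [bEndThread_Darksiders3_noClip_keylistener_mem],2
ret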
///
// Thread data. Stop flag: 0 while running, set to 1 by [DISABLE], set to 2 by the thread on exit.
bEndThread_Darksiders3_noClip_keylistener_mem:
dd 0
// Scratch direction values for the current polling pass.
dTempXF:
dd 0
dTempYF:
dd 0
dTempZF:
dd 0
// Two consecutive floats: the scratch multiplier, then the 0.5 diagonal scale factor that the
// thread addresses as [dTempNoClipSpeedMultiplier+4]. Keep them adjacent.
dTempNoClipSpeedMultiplier:
dd (float)1
dd (float)0.5
dNoClipSpeedMultiplierMod1: //shift key pressed speed
dd fasterkeynoclipspeedmultiplier
dNoClipSpeedMultiplierMod2: //caps key pressed speed
dd slowerkeynoclipspeedmultiplier
///
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
//obtained from SubBeam's ACS script - start//
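{$lua}
-- Ask the key-listener thread to stop and wait for its acknowledgement before the assembler
-- part below frees the memory the thread is executing from.
-- Flag protocol: 0 = running, 1 = stop requested (written here), 2 = thread has left its loop.
if( syntaxcheck == false ) then --actual execution
  local starttime = getTickCount()
  if readInteger( "bEndThread_Darksiders3_noClip_keylistener_mem" ) == 0 then --could be 2 already
    writeInteger( "bEndThread_Darksiders3_noClip_keylistener_mem", 1 ) --tell the thread to kill itself
  end
  -- The thread sleeps 100 ms per pass, so up to 1000 ms is allowed for it to notice the flag.
  while( getTickCount() < starttime + 1000 ) and ( readInteger( "bEndThread_Darksiders3_noClip_keylistener_mem" ) ~=2 ) do --wait till it has finished
    sleep( 20 )
  end
  -- Decide on the flag, not on the clock. The posted version compared getTickCount() with the
  -- deadline again, which let the script continue to the deallocs when the loop ended exactly
  -- on the deadline with the thread still running, and could report a failure for a thread
  -- that had in fact finished on the last pass.
  if( readInteger( "bEndThread_Darksiders3_noClip_keylistener_mem" ) ~= 2 ) then --could happen when the window is shown
    showMessage( 'Disabling the thread failed!' )
    -- error() aborts [DISABLE] here, so the thread's memory is not freed underneath it.
    error( 'Thread disabling failed!' )
  end
  sleep( 1 )
end
{$asm}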
//obtained from SubBeam's ACS script - end//
//bEndThread_Darksiders3_noClip_keylistener_mem:
//dd 1
///*****************************************************///
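// Teardown: restore both hook sites from their saved 7-byte copies, free the code caves and
// data blocks, and unregister the symbols [ENABLE] registered.
// Fix over the posted version: it unregistered dXForce/dYForce/dZForce, but the symbols
// registered in [ENABLE] are dXF/dYF/dZF, so those three stayed registered and pointed into
// the freed values_noclip block.
// NOTE(review): each dealloc is listed before the readmem that still reads from that block;
// this relies on Cheat Engine deferring deallocation until the script's writes are done -
// TODO confirm for the CE version in use.
dealloc(newmem)
someNVWritesAOB: //"Darksiders3-Win64-Shipping.exe"+16D1A37:
readmem(originalcode_nmfetch,7)
//db 0F 28 82 E0 01 00 00
//Alt: movaps xmm0,[rdx+000001E0]
unregistersymbol(originalcode_nmfetch)
///*****************************************************///
unregistersymbol(aNV3)
unregistersymbol(aNV2)
dealloc(newmem2)
someCoordsWriteAOB: //"Darksiders3-Win64-Shipping.exe"+12A0D0C:
readmem(originalcode2_freezecoord_noclipmain,7)
//db 0F 29 BB 90 01 00 00
//Alt: movaps [rbx+00000190],xmm7
unregistersymbol(originalcode2_freezecoord_noclipmain)
unregistersymbol(pPlayerCoords)
///*****************************************************///
dealloc(values_noclip)
// values_noclip is never passed to registersymbol in [ENABLE]; this line is kept as posted.
unregistersymbol(values_noclip)
unregistersymbol(dNoClipSpeedMultiplier)
unregistersymbol(dXF)
unregistersymbol(dYF)
unregistersymbol(dZF)
///*****************************************************///
// The thread has already acknowledged the stop flag (the Lua block above waits for it), so
// its code and data can be freed here.
unregistersymbol(bEndThread_Darksiders3_noClip_keylistener_mem)
dealloc(Darksiders3_noClip_keylistener_mem)
unregistersymbol(Darksiders3_noClip_keylistener_mem)
unregistersymbol(dNoClipSpeedMultiplierMod1)
unregistersymbol(dNoClipSpeedMultiplierMod2)
// someNVWritesAOB and someCoordsWriteAOB are registered in [ENABLE] and left registered, as posted.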
///*****************************************************///
</AssemblerScript>
<Hotkeys>
<Hotkey>
<Action>Activate</Action>
<Keys>
<Key>36</Key>
<Key>33</Key>
</Keys>
<ID>0</ID>
</Hotkey>
<Hotkey>
<Action>Deactivate</Action>
<Keys>
<Key>36</Key>
<Key>34</Key>
</Keys>
<ID>1</ID>
</Hotkey>
</Hotkeys>
<CheatEntries>
<CheatEntry>
<ID>4569</ID>
<Description>"CapsLock: Slower"</Description>
<LastState Value="" RealAddress="00000000"/>
<Color>808080</Color>
<GroupHeader>1</GroupHeader>
</CheatEntry>
<CheatEntry>
<ID>4570</ID>
<Description>"Shift: Faster"</Description>
<LastState Value="" RealAddress="00000000"/>
<Color>808080</Color>
<GroupHeader>1</GroupHeader>
</CheatEntry>
</CheatEntries>
</CheatEntry>
</CheatEntries>
</CheatTable>
BlueprintGeneratedClass Item_Crossblade.Item_Crossblade_C 0x000001D8B285DF00