
Thief 4 (Win32) - UnrealEngine3 Cheats and more..

Posted: Mon Apr 17, 2017 2:54 am
by STN
[ 19.04.2016 - First Release ]
You know who made this, who else writes these walls of text huh? Made by SunBeam
Hello folks. Been playing quite a bit with Thief 4 these days (not the game necessarily, but exploiting Unreal Engine's functions/objects). Here's the work in progress so far:

Image

Without further ado, attached you may find the table in the state I'm currently at, alongside the explanations below. In some of my comments, I will reference UE3 Objects and Functions (you may see #5 below for further information):

1. With SloMo, you can change the game speed. It affects everything around you, including your own movement. Try values lower than 1 (e.g.: 0.5) and see how the game runs :) Or, if you don't want to wait long for a certain event (say, you want to wait till some guards move to a different spot), try higher values (e.g.: 1.5, 2), then reset back to 1 when you feel comfortable.

2. PlayersOnly cheat was supposed to freeze game world. In Thief 4, unfortunately, it freezes everything. I found two references in the ObjectsDump.txt file, aside from the actual function:

Code:
Line 13650: UObject[013649] PlayersOnly 0x0FF7F000 ( Function Engine.CheatManager.PlayersOnly )
Line 13651: UObject[013650] bPlayersOnly 0x0FF65F00 ( BoolProperty Engine.WorldInfo.bPlayersOnly )
Line 13652: UObject[013651] bPlayersOnlyPending 0x0FF65E60 ( BoolProperty Engine.WorldInfo.bPlayersOnlyPending )

Both BoolProperty references, when checked out in the Memory View of CE, indicate the effect applies to offset 0x6D4 in WorldInfo. For example, checking out bPlayersOnly (0x0FF65F00) in CE:

Image

For BoolProperty types, 0x64 offset points to the offset in the UObject where the effect applies, 0x84 offset contains the switch. So, in this case, if I want to achieve PlayersOnly, I would go into WorldInfo at 0x6D4 offset and OR the BYTE value there (simple sum) with 0x40.

My current value is 0x23. So, add 0x40 to that and you get 0x63. Changing the value to that will freeze game world, you included. Tried other switches, some will crash the game. Try at your own risk.

Valid ones are: +0x40, +0x80.

3. From ThiefPawn_Hero, as you can see, I've managed to branch out other features. For example, EPhysics is the BOOL property that tells us if the player is walking, flying, attached to a stair, swimming, etc. I mapped it since if you change value from 1 (PlayerWalking) to 4 (PlayerFlying) and move around, you'll see you hover. You can't move vertically though (on Z axis) and I've yet to find a way to achieve this. The way to do it is to switch the Player.State in ThiefPlayerController (you have them listed in the table) from PlayerWalking to PlayerFlying. Even if you do that though, you're still not free to move vertically.

Just letting you know :)

4. Now, the rest:

- mHealth is your current health; your maximum health is calculated like so:

Code:
MaxHealth calculation:

016F3AE0 - 55 - push ebp
016F3AE1 - 8B EC - mov ebp,esp
016F3AE3 - 51 - push ecx
016F3AE4 - 56 - push esi
016F3AE5 - 8B F1 - mov esi,ecx
016F3AE7 - F3 0F10 86 94000000 - movss xmm0,[esi+00000094]
016F3AEF - 0F2F 05 30B1FF01 - comiss xmm0,[01FFB130]
016F3AF6 - 76 58 - jna 016F3B50
016F3AF8 - 8B 06 - mov eax,[esi]
016F3AFA - D9 86 94000000 - fld dword ptr [esi+00000094] <-- get mHealth
016F3B00 - 8B 90 DC010000 - mov edx,[eax+000001DC]
016F3B06 - D9 5D FC - fstp dword ptr [ebp-04]
016F3B09 - FF D2 - call edx <-- enter this call
..
..
-->
016F5430 - 55 - push ebp
016F5431 - 8B EC - mov ebp,esp
016F5433 - 51 - push ecx
016F5434 - 56 - push esi
016F5435 - 57 - push edi
016F5436 - 8B F9 - mov edi,ecx
016F5438 - 8B 47 58 - mov eax,[edi+58] <-- get [ThiefPawn_Hero TheWorld.PersistentLevel.ThiefPawn_Hero]
016F543B - 8B B0 580D0000 - mov esi,[eax+00000D58] <-- get [ThiefItemUpgradeManager PersistentLevel.ThiefPawn_Hero.ThiefItemUpgradeManager]
016F5441 - 8B 4E 44 - mov ecx,[esi+44] <-- get [ThiefUpgrades Prog_GP_InventoryItemDatabase.Upgrades.UpgradeList]
016F5444 - 81 C1 58010000 - add ecx,00000158
016F544A - 51 - push ecx
016F544B - 8B CE - mov ecx,esi
016F544D - E8 EE19F6FF - call 01656E40
-->
01656E40 - 55 - push ebp
01656E41 - 8B EC - mov ebp,esp
01656E43 - 56 - push esi
01656E44 - 8B 75 08 - mov esi,[ebp+08]
01656E47 - 56 - push esi
01656E48 - E8 C3C5FFFF - call 01653410
01656E4D - 83 F8 FF - cmp eax,-01
01656E50 - 74 1E - je 01656E70
01656E52 - 8B 0E - mov ecx,[esi]
01656E54 - 8B 04 81 - mov eax,[ecx+eax*4]
01656E57 - 8B 40 54 - mov eax,[eax+54] <-- get [ThiefInventoryItemSettings Prog_GP_InventoryItemDatabase.Item.Item_UpgradeEquipped_WarmVest]
01656E5A - 85 C0 - test eax,eax
01656E5C - 74 12 - je 01656E70
01656E5E - F3 0F10 40 5C - movss xmm0,[eax+5C] <-- value is 1.25
01656E63 - F3 0F11 45 08 - movss [ebp+08],xmm0
01656E68 - D9 45 08 - fld dword ptr [ebp+08]
01656E6B - 5E - pop esi
01656E6C - 5D - pop ebp
01656E6D - C2 0400 - ret 0004
01656E70 - D9E8 - fld1
01656E72 - 5E - pop esi
01656E73 - 5D - pop ebp
01656E74 - C2 0400 - ret 0004
<--
016F5452 - D9 5D FC - fstp dword ptr [ebp-04] <-- dump in [ebp-04]; [ebp-04] = 1.25
016F5455 - 8B 56 44 - mov edx,[esi+44]
016F5458 - 81 C2 4C010000 - add edx,0000014C
016F545E - 52 - push edx
016F545F - 8B CE - mov ecx,esi
016F5461 - E8 DA19F6FF - call 01656E40 <-- get [ThiefInventoryItemSettings Prog_GP_InventoryItemDatabase.Item.Item_UpgradeEquipped_OvengutTonicWater]; value is 1.40
016F5466 - D8 4D FC - fmul dword ptr [ebp-04] <-- multiply with [ebp-04] = 1.25 * 1.40 = 1.75
016F5469 - 8B CE - mov ecx,esi
016F546B - D9 5D FC - fstp dword ptr [ebp-04] <-- store at [ebp-04]; [ebp-04] = 1.75
016F546E - E8 4D30EBFF - call 015A84C0
-->
015A84C0 - 55 - push ebp
015A84C1 - 8B EC - mov ebp,esp
015A84C3 - 51 - push ecx
015A84C4 - F3 0F10 05 949EFF01 - movss xmm0,[01FF9E94]
015A84CC - 56 - push esi
015A84CD - 8B F1 - mov esi,ecx
015A84CF - 8B 46 44 - mov eax,[esi+44]
015A84D2 - 8B 88 90010000 - mov ecx,[eax+00000190] <-- get [ThiefInventoryItemSettings Prog_GP_InventoryItemDatabase.Item.Item_UpgradeEquipped_Worldslayer]
015A84D8 - 51 - push ecx
015A84D9 - 8B CE - mov ecx,esi
015A84DB - F3 0F11 45 FC - movss [ebp-04],xmm0
015A84E0 - E8 9BAE0A00 - call 01653380 <-- checks out [ThiefCustomHardestModeManager PersistentLevel.ThiefGameInfo.ThiefCustomHardestModeManager]
015A84E5 - 85 C0 - test eax,eax
015A84E7 - 74 10 - je 015A84F9
015A84E9 - 8B 56 44 - mov edx,[esi+44] <-- get [ThiefUpgrades Prog_GP_InventoryItemDatabase.Upgrades.UpgradeList]
015A84EC - F3 0F10 82 94010000 - movss xmm0,[edx+00000194] <-- value is 10.00
015A84F4 - F3 0F11 45 FC - movss [ebp-04],xmm0 <-- store at [ebp-04]
015A84F9 - D9 45 FC - fld dword ptr [ebp-04] <-- and load in st(0)
015A84FC - 5E - pop esi
015A84FD - 8B E5 - mov esp,ebp
015A84FF - 5D - pop ebp
015A8500 - C3 - ret
<--
016F5473 - 8B 47 58 - mov eax,[edi+58] <-- get [ThiefPawn_Hero TheWorld.PersistentLevel.ThiefPawn_Hero]
016F5476 - D8 4D FC - fmul dword ptr [ebp-04] <-- 10.00 * 1.75 = 17.50
016F5479 - 8B 88 980A0000 - mov ecx,[eax+00000A98] <-- get [ThiefHeroSettings Prog_GP_Settings.Settings_ThiefHero]
016F547F - 5F - pop edi
016F5480 - D8 89 A4010000 - fmul dword ptr [ecx+000001A4] <-- value is 100.00; 17.50 * 100.00 = 1750.00
016F5486 - 5E - pop esi
016F5487 - 8B E5 - mov esp,ebp
016F5489 - 5D - pop ebp
016F548A - C3 - ret
<--

MaxHealth = 1750.00

- GodMode (set to 1) - setting this to 1 will stop Health from decreasing when you take damage, but only when you got 1 hit point remaining :) Developer interpretation of god mode, they say..

- mStamina - this is your Stamina value; freeze it in place to get unlimited or debug and patch it :)

- mFocus - you guessed; apply the above :)

- ThiefInventorySystem lists out all items you have in your inventory. Am not 100% sure the offsets to access each item are static, so if you load a map, and the items in the table do not point to the correct consumables in-game, let me know and I'll find a stable way to get them

- mSpeed is the Speed with which you move; change to higher value, but be advised that if you hit Space Bar, it will reset; you can hook/patch it as you want (values: 250 = walk, 475 = shift-run, 600 = space bar transition)

- the ThiefUIWeaponSelector section shows the items as they appear in the lower bar, when choosing weapons; these are just for display, but can be used to refresh values on-screen (note that if you change the real values in ThiefInventorySystem, they don't update unless you shoot or purchase more; if, however, you change any Display_X item, they'll update when you switch weapons back and forth)

5. You can dump Unreal Engine 3's Names and Objects with the last script you see in the screenshot: GetUE3Components. Enter a map (not at main menu), then activate the script. Once tree expands, enable NamesObjects_Dumper script and press Numpad / key. Then check game's folder (the Steam version keeps the executables in separate folders, therefore check Binaries2/Win32 folder - ah, yes, it's just for the x32 executable). You should see two additional documents: NamesDump.txt and ObjectsDump.txt. I worked mainly with the second one, as it contains all the pointers I need ;)


Image


Here's an example of use correlating the table and some of the data from ObjectsDump.txt (note that I had restarted the game, therefore different addresses than the ones in first screenshot; bottom line, yours will be different than mine):
Image

Quick update of the table, having added the below:


In short, for Unlimited:

- set mStaminaSwitch to 4
- set mFocusToBurn to 0

Table can be downloaded from main post above.

BR,
Sun
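
Added example, not part of the post above or of SunBeam's table: a Python sketch that parses the ObjectsDump.txt lines quoted under item 2 and models the BoolProperty mask arithmetic described there on a plain byte. The field layout is inferred from the three quoted lines and all helper names are hypothetical; it also shows that OR is idempotent, while adding the mask a second time carries into the next flag bit.

```python
import re
from typing import NamedTuple, Optional

# Layout inferred from the three ObjectsDump.txt lines quoted in the post.
# The optional "Line N:" prefix is what an editor's search pane prepends.
DUMP_RE = re.compile(
    r"^(?:Line\s+\d+:\s*)?UObject\[(?P<index>\d+)\]\s+(?P<name>\S+)\s+"
    r"0x(?P<addr>[0-9A-Fa-f]+)\s+\(\s*(?P<kind>\S+)\s+(?P<path>\S+)\s*\)$"
)

class UObjectEntry(NamedTuple):
    index: int
    name: str
    address: int
    kind: str   # e.g. Function, BoolProperty
    path: str   # e.g. Engine.WorldInfo.bPlayersOnly

def parse_line(line: str) -> Optional[UObjectEntry]:
    """Return one dump record, or None for lines that do not match."""
    m = DUMP_RE.match(line.strip())
    if m is None:
        return None
    return UObjectEntry(int(m["index"]), m["name"], int(m["addr"], 16),
                        m["kind"], m["path"])

def bool_properties(lines, owner: str):
    """BoolProperty entries whose path is directly under `owner`."""
    entries = filter(None, map(parse_line, lines))
    return [e for e in entries
            if e.kind == "BoolProperty" and e.path.rpartition(".")[0] == owner]

def set_flag(byte: int, mask: int) -> int:
    return (byte | mask) & 0xFF      # idempotent: safe to apply twice

def clear_flag(byte: int, mask: int) -> int:
    return byte & ~mask & 0xFF

def add_mask(byte: int, mask: int) -> int:
    return (byte + mask) & 0xFF      # equals OR only while the bit is clear

# The three lines from the post, plus one constructed malformed line.
SAMPLE = """\
Line 13650: UObject[013649] PlayersOnly 0x0FF7F000 ( Function Engine.CheatManager.PlayersOnly )
Line 13651: UObject[013650] bPlayersOnly 0x0FF65F00 ( BoolProperty Engine.WorldInfo.bPlayersOnly )
Line 13652: UObject[013651] bPlayersOnlyPending 0x0FF65E60 ( BoolProperty Engine.WorldInfo.bPlayersOnlyPending )
UObject[?????] truncated
""".splitlines()

if __name__ == "__main__":
    for e in bool_properties(SAMPLE, "Engine.WorldInfo"):
        print(f"{e.index:06d} {e.name:<20} 0x{e.address:08X}")
    print(hex(set_flag(0x23, 0x40)), hex(add_mask(0x63, 0x40)))
```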

Re: Thief 4 (Win32) - UnrealEngine3 Cheats and more..

Posted: Tue Apr 18, 2017 5:46 pm
by gasp
For what Steam version of the game is it? I had the latest version and it doesn't work for me.