Assassin's Creed: Origins

borucic
Expert Cheater
Posts: 60
Joined: Sat Mar 10, 2018 9:23 pm
Reputation: 39

Re: Assassin's Creed: Origins

Post by borucic »

stephhhen wrote:
Wed Mar 21, 2018 3:28 am
Just in case anyone wondered...
  • 0000017955049F41 mythical warrior ng+.
castix wrote:
Wed Mar 21, 2018 8:48 am
Can someone provide the Hash ID of the Isu Armor?
It's in this spreadsheet already:
viewtopic.php?f=4&t=5267&start=360#p35352

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1

castix
Noobzor
Posts: 6
Joined: Mon Mar 19, 2018 12:32 pm
Reputation: 0

Post by castix »

borucic wrote:
Wed Mar 21, 2018 9:31 am
stephhhen wrote:
Wed Mar 21, 2018 3:28 am
Just in case anyone wondered...
  • 0000017955049F41 mythical warrior ng+.
castix wrote:
Wed Mar 21, 2018 8:48 am
Can someone provide the Hash ID of the Isu Armor?
It's in this spreadsheet already:
viewtopic.php?f=4&t=5267&start=360#p35352
Ah sorry I didn't know he updated his post since it's really hidden in this big topic. Thank you for pointing it out

v0id
Novice Cheater
Posts: 20
Joined: Sat Feb 24, 2018 6:11 am
Reputation: 0

Post by v0id »

Is it possible to get achievements like trigger some achievements via cheat engine?

fionajason
Novice Cheater
Posts: 24
Joined: Thu Feb 22, 2018 11:45 pm
Reputation: 4

Post by fionajason »

Thanks for the Table but how do I use it to unlock weapons and outfits, as the Weapon editor is locked somehow

cosminuk2011
Expert Cheater
Posts: 52
Joined: Sun Feb 04, 2018 9:16 pm
Reputation: 7

Post by cosminuk2011 »

fionajason wrote:
Thu Mar 22, 2018 4:19 am
Thanks for the Table but how do I use it to unlock weapons and outfits, as the Weapon editor is locked somehow
just look at this .. viewtopic.php?f=4&t=5267&start=420#p36680

Mac777
What is cheating?
Posts: 3
Joined: Thu Mar 22, 2018 10:34 pm
Reputation: 0

Post by Mac777 »

Hi
I am a noob here but have used Sunbeams prog to get some items I would not otherwise have gotten without paying Ubisoft so many thanks to him/her and everyone else who gives of their time to help the community.

I do have a couple of questions though - looking at one of the tables it gives hash #'s for a couple of items that cannot be accessed in game any other way as far as I can see - Bringer of Chaos (Common Scepter) and Madu's Shield (Common Shield) which I have. I read that these had been cut from the game and that there was also a Common Predator Bow - Valkyrie's Operator

So would anyone know if Valkyrie's Operator is obtainable and if so what the hash # is?

Also similar question about the Hou Yi’s Bow - I read that one of the attributes was changed from Instant Charging to Poison on Hit so would the Instant Charging version be available and does anyone have the hash #?

Cheers

budabum
Expert Cheater
Posts: 279
Joined: Tue Nov 28, 2017 6:34 pm
Reputation: 310

Post by budabum »

@Mac777
I reversed a bit of the UIInventoryItem object and how strings are processed; if I know an item name I can scan memory for duplicates. For "Hou Yi's Bow" there are only two items. String indices for them are 000FF5D4 and 000FF5D5. You may scan memory with a 4-byte search; you'll find only 2 unique addresses (2 bows) where these pairs are stored.

As a note, I'll post this mumbo jumbo text for future readers/researchers.
Item Inventory is represented by UIInventoryItem object


+00 dq UIInventoryItem (functions vector)
+08 dq pUnk
+10 dq pWeaponSettings/pInventoryItemSettings -> (18h size) +00 dq (functions); +08 dq settings +10 dq objectID (aka hashID from the table)
+18 dq UIInventoryItemLODEntity (functions)
__+20 dq ptrUnk0
__+38 dq ptrUnk1
+50 dq pTextureMapSpec -> (18h) +00 dq TextureMapSpec (functions); +08 dq settings
+60 dq pTextureMapSpec -> (18h size) +10 objectID
__+68 dw str0 index (Item name)
__+98 dw str1 index (Item description)
__+C8 dw FFFFFFFF (termination pattern)


Each text string which is displayed on the screen is wrapped into a TextureMapSpec object and referenced through string indices; the indices in turn point to an encrypted table which is processed by a decryption function when text needs to be displayed. While strings are being decrypted, the memory allocation is changed every 4 decrypted TCHARs. That is why CE text search may not work sometimes.

hose10
Expert Cheater
Posts: 83
Joined: Sun Jul 09, 2017 9:10 am
Reputation: 37

Post by hose10 »

nice man

Mac777
What is cheating?
Posts: 3
Joined: Thu Mar 22, 2018 10:34 pm
Reputation: 0

Post by Mac777 »

Thanks Budabum

Kudos

Cheers

dnap2010
Noobzor
Posts: 12
Joined: Sat Nov 11, 2017 1:59 am
Reputation: 0

Post by dnap2010 »

For some reason, I can't get the weapon editor to work. The Estore script works fine. But when I try to click the box for weapon editor .5 (1.4), nothing happens. Any ideas?

Edit: Now I can't get the Estore script to work, either. Nothing happens at all when I try to click on the box. I'm running CE 6.7 and up-to-date ACO from Uplay.

Edit: Nevermind! I just restarted the game and it's working great. Awesome work!
Last edited by dnap2010 on Sat Mar 24, 2018 11:56 pm, edited 1 time in total.

SunBeam
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4286

Post by SunBeam »

Confirming buda's findings, with a few amendments; was there myself at some point, just didn't give it too much thought :)

Spot for processing item name by index:

Code:

ACOrigins.exe+15958B9 - 8B 53 10              - mov edx,[rbx+10] <-- contains index to name
ACOrigins.exe+15958BC - 4C 8D 45 28           - lea r8,[rbp+28]
ACOrigins.exe+15958C0 - 41 B1 01              - mov r9l,01
ACOrigins.exe+15958C3 - 48 8B C8              - mov rcx,rax
ACOrigins.exe+15958C6 - E8 7583EDFF           - call ACOrigins.exe+146DC40

This index is later on passed on to a function that processes it in the LocalizationManager's context:

Code:

ACOrigins.exe+146DD3A - 4D 8B C5              - mov r8,r13 <-- r8 becomes the pointer to the decrypted string
ACOrigins.exe+146DD3D - 41 8B D7              - mov edx,r15d <-- hello index :)
ACOrigins.exe+146DD40 - E8 CB000000           - call ACOrigins.exe+146DE10
ACOrigins.exe+146DD45 - 84 C0                 - test al,al <-- check r8 after this call

Decryption of string_size + 1 big encrypted index (e.g.: "Royal Chariot" is 12 chars big; size = 0xC + 1)

Code:

ACOrigins.exe+146DEB0 - 8B 0A                 - mov ecx,[rdx]
ACOrigins.exe+146DEB2 - 41 8B C2              - mov eax,r10d
ACOrigins.exe+146DEB5 - 0FC9                  - bswap ecx
ACOrigins.exe+146DEB7 - 2B C1                 - sub eax,ecx
ACOrigins.exe+146DEB9 - 78 26                 - js ACOrigins.exe+146DEE1
ACOrigins.exe+146DEBB - 44 8B 5A 04           - mov r11d,[rdx+04]
ACOrigins.exe+146DEBF - 41 FF C1              - inc r9d
ACOrigins.exe+146DEC2 - 8B 42 08              - mov eax,[rdx+08]
ACOrigins.exe+146DEC5 - 8B F9                 - mov edi,ecx
ACOrigins.exe+146DEC7 - 41 0FCB               - bswap r11d
ACOrigins.exe+146DECA - 0FC8                  - bswap eax
ACOrigins.exe+146DECC - 45 8B DB              - mov r11d,r11d
ACOrigins.exe+146DECF - 48 83 C2 0C           - add rdx,0C
ACOrigins.exe+146DED3 - 44 8B C0              - mov r8d,eax
ACOrigins.exe+146DED6 - 4C 03 DB              - add r11,rbx
ACOrigins.exe+146DED9 - 4C 03 C3              - add r8,rbx
ACOrigins.exe+146DEDC - 44 3B CE              - cmp r9d,esi
ACOrigins.exe+146DEDF - 72 CF                 - jb ACOrigins.exe+146DEB0
ACOrigins.exe+146DEE1 - 4D 85 C0              - test r8,r8

First-up, engine decodes the key to first 2 to-be-decrypted WORDs here:

Code:

ACOrigins.exe+146E1AC - 66 44 89 32           - mov [rdx],r14w
ACOrigins.exe+146E1B0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E1B3 - 0FB7 DE               - movzx ebx,si
ACOrigins.exe+146E1B6 - E9 D5FEFFFF           - jmp ACOrigins.exe+146E090

Then using a decrypted offset will fetch the next WORD ("R" as widechar -> 00 52):

Code:

ACOrigins.exe+146E093 - 45 0FB7 34 84         - movzx r14d,word ptr [r12+rax*4]
ACOrigins.exe+146E098 - 41 0FB7 74 84 02      - movzx esi,word ptr [r12+rax*4+02]
ACOrigins.exe+146E09E - 66 41 C1 CE 08        - ror r14w,08
ACOrigins.exe+146E0A3 - 66 C1 CE 08           - ror si,08
ACOrigins.exe+146E0A7 - 66 85 F6              - test si,si

And writes every 4 WORDs here:

Code:

ACOrigins.exe+146E2BC - 66 44 89 32           - mov [rdx],r14w <--
ACOrigins.exe+146E2C0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E2C3 - 85 FF                 - test edi,edi
ACOrigins.exe+146E2C5 - 0F84 CB000000         - je ACOrigins.exe+146E396
ACOrigins.exe+146E2CB - 48 8B 45 0F           - mov rax,[rbp+0F]
ACOrigins.exe+146E2CF - FF CF                 - dec edi
ACOrigins.exe+146E2D1 - 8D 0C 3F              - lea ecx,[rdi+rdi]
ACOrigins.exe+146E2D4 - 0FB7 1C 01            - movzx ebx,word ptr [rcx+rax]
ACOrigins.exe+146E2D8 - 8B 45 1B              - mov eax,[rbp+1B]
ACOrigins.exe+146E2DB - 48 8B 0D 6E323603     - mov rcx,[ACOrigins.exe+47D1550]
ACOrigins.exe+146E2E2 - 25 FFFFFF1F           - and eax,1FFFFFFF
ACOrigins.exe+146E2E7 - 3B C7                 - cmp eax,edi <-- check if >= 4

By the time the iterator finishes this loop, this is my buffer:

24232A650 -> R o -> 0x52 0x00 0x6F 0x00

Then it will decode the key to next 2 WORDs and redo the loop:

Code:

ACOrigins.exe+146E1AC - 66 44 89 32           - mov [rdx],r14w <-- store key
ACOrigins.exe+146E1B0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E1B3 - 0FB7 DE               - movzx ebx,si
ACOrigins.exe+146E1B6 - E9 D5FEFFFF           - jmp ACOrigins.exe+146E090
..
..
ACOrigins.exe+146E2BC - 66 44 89 32           - mov [rdx],r14w <-- store WORD
ACOrigins.exe+146E2C0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E2C3 - 85 FF                 - test edi,edi
..
..
ACOrigins.exe+146E2E7 - 3B C7                 - cmp eax,edi <-- check if >= 4

This is where the buffer is shifted every 4 processed WORDs:

Code:

ACOrigins.exe+146E250 - 48 85 C9              - test rcx,rcx
ACOrigins.exe+146E253 - 74 07                 - je ACOrigins.exe+146E25C
ACOrigins.exe+146E255 - 41 0FB7 00            - movzx eax,word ptr [r8]
ACOrigins.exe+146E259 - 66 89 01              - mov [rcx],ax
ACOrigins.exe+146E25C - 48 83 C1 02           - add rcx,02
ACOrigins.exe+146E260 - 49 83 C0 02           - add r8,02
ACOrigins.exe+146E264 - 49 FF C1              - inc r9
ACOrigins.exe+146E267 - 4D 3B CA              - cmp r9,r10
ACOrigins.exe+146E26A - 75 E4                 - jne ACOrigins.exe+146E250

First-up, the allocator is here:

Code:

ACOrigins.exe+146E215 - 8B D3                 - mov edx,ebx
ACOrigins.exe+146E217 - E8 140539FF           - call ACOrigins.exe+7FE730
ACOrigins.exe+146E21C - 4C 8B 45 F7           - mov r8,[rbp-09]

Result of the call, in my case, is 0x26367A0. Then comes this bit:

Code:

ACOrigins.exe+146E250 - 48 85 C9              - test rcx,rcx
ACOrigins.exe+146E253 - 74 07                 - je ACOrigins.exe+146E25C
ACOrigins.exe+146E255 - 41 0FB7 00            - movzx eax,word ptr [r8] <--
ACOrigins.exe+146E259 - 66 89 01              - mov [rcx],ax <--
ACOrigins.exe+146E25C - 48 83 C1 02           - add rcx,02
ACOrigins.exe+146E260 - 49 83 C0 02           - add r8,02
ACOrigins.exe+146E264 - 49 FF C1              - inc r9
ACOrigins.exe+146E267 - 4D 3B CA              - cmp r9,r10
ACOrigins.exe+146E26A - 75 E4                 - jne ACOrigins.exe+146E250

R8 = 24232A650
RCX = 26367A0

So decrypted "R o y a" from 24232A650 is copied to 26367A0.

And so on..

Decryption ends here:

Code: Select all

ACOrigins.exe+146E4A6 - 48 85 D2              - test rdx,rdx
ACOrigins.exe+146E4A9 - 74 03                 - je ACOrigins.exe+146E4AE
ACOrigins.exe+146E4AB - 66 89 32              - mov [rdx],si <-- writes the final 0x00 0x00; the NULL-terminator
ACOrigins.exe+146E4AE - 48 8B 55 F7           - mov rdx,[rbp-09]
ACOrigins.exe+146E4B2 - 49 8B CE              - mov rcx,r14
ACOrigins.exe+146E4B5 - E8 F60839FF           - call ACOrigins.exe+7FEDB0

Then buffer's loaded here:

Code:

ACOrigins.exe+146E4AE - 48 8B 55 F7           - mov rdx,[rbp-09] <-- get buffer
ACOrigins.exe+146E4B2 - 49 8B CE              - mov rcx,r14 <-- get stack for result
ACOrigins.exe+146E4B5 - E8 F60839FF           - call ACOrigins.exe+7FEDB0

And the CALL will allocate, copy string to allocated address and store it in [R14] (same R8 I mentioned in the beginning, 2nd snippet).

Function then exits successfully (MOV AL,1):

Code:

ACOrigins.exe+146E52C - B0 01                 - mov al,01

Now, if you properly feed the right parameters to this function - ACOrigins.exe+146DE10 - as in RCX,RDX,R8, you will get the decrypted string out of the index buda mentioned ;)

BR,
Sun
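
The record scan in the snippet at ACOrigins.exe+146DEB0 above, re-expressed in C as an added example; it is not code from the game or from any poster in this thread. The field names, the loop starting at record 0 and the sample table are assumptions; only the big-endian loads (mov + bswap), the 12-byte stride and the signed-difference exit are taken from the disassembly.

```c
#include <stdint.h>
#include <stdio.h>

/* "mov reg,[mem]" followed by "bswap reg" is a big-endian 32-bit load. */
static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical names: the thread does not name the three record fields. */
typedef struct {
    int      found;  /* 0 if the index is below the first record */
    uint32_t first;  /* record +0, kept in edi */
    uint32_t off_a;  /* record +4, r11 before "add r11,rbx" */
    uint32_t off_b;  /* record +8, r8 before "add r8,rbx" */
} range_hit;

/* Walk `count` 12-byte records (stride from "add rdx,0C") and keep the last
   one whose first field is <= index; stop at the first one that is greater. */
range_hit find_range(const uint8_t *table, uint32_t count, uint32_t index) {
    range_hit hit = {0, 0, 0, 0};
    for (uint32_t i = 0; i < count; i++, table += 12) {
        uint32_t first = load_be32(table);
        if ((int32_t)(index - first) < 0)  /* sub eax,ecx / js */
            break;
        hit.found = 1;
        hit.first = first;
        hit.off_a = load_be32(table + 4);
        hit.off_b = load_be32(table + 8);
    }
    return hit;
}

/* Constructed sample table, not data from the game. */
static const uint8_t SAMPLE_TABLE[36] = {
    0x00,0x0F,0xF0,0x00, 0x00,0x00,0x00,0x10, 0x00,0x00,0x01,0x00,
    0x00,0x0F,0xF5,0xD0, 0x00,0x00,0x00,0x40, 0x00,0x00,0x02,0x00,
    0x00,0x0F,0xF6,0x00, 0x00,0x00,0x00,0x80, 0x00,0x00,0x03,0x00,
};

int main(void) {
    range_hit h = find_range(SAMPLE_TABLE, 3, 0x000FF5D4);
    printf("found=%d first=%08X off_a=%08X off_b=%08X\n",
           h.found, (unsigned)h.first, (unsigned)h.off_a, (unsigned)h.off_b);
    return 0;
}
```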

budabum
Expert Cheater
Posts: 279
Joined: Tue Nov 28, 2017 6:34 pm
Reputation: 310

Post by budabum »

I recognize this code :) ...r12+rax*4... rsi, r8, r14... still fresh in mind
thanks for sharing

SmolGui
What is cheating?
Posts: 2
Joined: Sat Mar 24, 2018 11:41 pm
Reputation: 0

Post by SmolGui »

I've tried to use the gear/item editor to give myself the Mut's Sorrow shield (I accidentally sold it, and I can't get it back without starting a new game), but I just can't get it to work. Admittedly, I am a noob at using cheat engine: so can I get some help as to what I need to do?

SunBeam
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4286

Post by SunBeam »

@budabum: Incoming list of all game items, names and descriptions :)

@SmolGui: Get the table from my post and follow the instructions: viewtopic.php?f=4&t=5983 (see comments for Update #3, "Inventory Item Swapper v2" script). Please be advised we don't easily fall for the "I am a noob, someone do it for me" routine. You have a mouse and can surf this board, figure your way out please.

budabum
Expert Cheater
Posts: 279
Joined: Tue Nov 28, 2017 6:34 pm
Reputation: 310

Post by budabum »

SunBeam wrote:
Sat Mar 24, 2018 11:06 pm

Now, if you properly feed the right parameters to this function - ACOrigins.exe+146DE10 - as in RCX,RDX,R8, you will get the decrypted string out of the index buda mentioned ;)
a few amendments :)
I'm still working with 1.21 for different reasons and looked into my scribbles on that code

Code:

141458F06 - 48 8D 4F 28           - lea rcx,[rdi+28] { [rdi+28]+4 crypto matrix start }
141458F0A - 4D 8B C5              - mov r8,r13
141458F0D - 41 8B D7              - mov edx,r15d { [rcx]+4 - crypto matrix start; r15d - string hash index
                                                        FF57F - Abyssal Steed
                                                        CA805 - Composite Bow }
141458F10 - E8 CB000000           - call 141458FE0 { <<< sets R13, decrypted string }
141458F15 - 84 C0                 - test al,al { [r13] -> 
                                                        LEGENDARY
                                                        HEAVY BLADE
                                                        Level up to equip this item...
                                                        Rapid Fire
                                                        DISMANTLE
                                                        Composite Bow }
Mac777 wrote:
Thu Mar 22, 2018 10:57 pm
So would anyone know if Valkyrie's Operator is obtainable and if so what the hash # is?
hey.
I finally dumped all strings from both the 1.21 and 1.41 versions; they refer to neither "Valkyrie" nor "Operator".
Ubi likely replaced or removed this name. What was interesting in the 1.21 dump: it contained strings from the DLC The Curse of the Pharaohs, like "Pharaon regalia".
Last edited by budabum on Sun Mar 25, 2018 6:13 pm, edited 2 times in total.
