Assassin's Creed: Origins

Post by SunBeam (Administration):

Well, I did it :D Really works as I put it.

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1
Last edited by SunBeam on Mon Feb 26, 2018 5:36 pm, edited 3 times in total.

Post by budabum (Expert Cheater):

Where have you been, man? I confirm, hash search works!!!
To test, I just unlocked UltimaBlade on start battle. (hash = 000001601BA94377)

[image]

Post by SunBeam (Administration):

budabum wrote (Mon Feb 26, 2018 4:45 pm):
    scan for hash (not pointer) is good to try, let me see.

    by the way, your screen, Sunslayer is consistent for you also, it is still "0x????9E20" which is shared in xls shitty table :)

I am going to say it one more time: what you people are doing is mad wrong. It's a simple coincidence that some pointers end in the same 2 bytes; the method itself is flawed. You're supposed to find the structure containing the item hash by its hash. Search for that QWORD in memory, subtract 0x10 from the found result. Then you can update any bought item with that result - 0x10 address to "convert" it to your item_by_hash :P

Example: (Sunslayer)

- on my end, the Sunslayer's structure shows this:

[image]

- what you are doing is teaching people badly to keep the last 2 bytes (9E20) and change the first two; but this is a POINTER, a memory address
- what you should be doing is select 000000000BC79E20 (in my case) - click on it - then tap Space and check the QWORD at offset 0x10

[image]

- search for that QWORD in memory, on your end, and from the result subtract 0x10; that will be your POINTER; only then swap it where you want

BR,
Sun

Post by SunBeam (Administration):

And here's some Lua to help in the collection process :P

[image]

Out.

Post by SunBeam (Administration):

And I think I found the entire table :D You'll just have to test out all these hashes ;)

ACOrigins.exe+1DAF380 - 40 53                 - push rbx
ACOrigins.exe+1DAF382 - 48 83 EC 30           - sub rsp,30 { 48 }
ACOrigins.exe+1DAF386 - 48 8B 05 BBB9DB02     - mov rax,[ACOrigins.exe+4B6AD48] { [5D198100] }
ACOrigins.exe+1DAF38D - 48 8B DA              - mov rbx,rdx
ACOrigins.exe+1DAF390 - 48 8B 90 A8160000     - mov rdx,[rax+000016A8]
ACOrigins.exe+1DAF397 - 48 8D 05 C28D9A02     - lea rax,[ACOrigins.exe+4758160] { [00000000] }
ACOrigins.exe+1DAF39E - 48 39 82 B0000000     - cmp [rdx+000000B0],rax
ACOrigins.exe+1DAF3A5 - 0F84 B0000000         - je ACOrigins.exe+1DAF45B
ACOrigins.exe+1DAF3AB - 48 81 C2 B0000000     - add rdx,000000B0 { 176 }
ACOrigins.exe+1DAF3B2 - E8 692EE3FF           - call ACOrigins.exe+1BE2220
ACOrigins.exe+1DAF3B7 - 48 85 C0              - test rax,rax
ACOrigins.exe+1DAF3BA - 0F84 9B000000         - je ACOrigins.exe+1DAF45B
ACOrigins.exe+1DAF3C0 - 8B 53 08              - mov edx,[rbx+08]
ACOrigins.exe+1DAF3C3 - 48 8B 03              - mov rax,[rbx]
ACOrigins.exe+1DAF3C6 - C1 EA 11              - shr edx,11 { 17 }
ACOrigins.exe+1DAF3C9 - C1 E2 04              - shl edx,04 { 4 }
ACOrigins.exe+1DAF3CC - 48 03 D0              - add rdx,rax
ACOrigins.exe+1DAF3CF - 48 3B C2              - cmp rax,rdx
ACOrigins.exe+1DAF3D2 - 74 1E                 - je ACOrigins.exe+1DAF3F2
ACOrigins.exe+1DAF3D4 - 49 B8 0889FA1273000000 - mov r8,0000007312FA8908 { 318408968 }
ACOrigins.exe+1DAF3DE - 66 90                 - nop 
ACOrigins.exe+1DAF3E0 - 48 8B 08              - mov rcx,[rax]
ACOrigins.exe+1DAF3E3 - 4C 39 41 10           - cmp [rcx+10],r8
ACOrigins.exe+1DAF3E7 - 74 72                 - je ACOrigins.exe+1DAF45B
ACOrigins.exe+1DAF3E9 - 48 83 C0 10           - add rax,10 { 16 }
ACOrigins.exe+1DAF3ED - 48 3B C2              - cmp rax,rdx
ACOrigins.exe+1DAF3F0 - 75 EE                 - jne ACOrigins.exe+1DAF3E0
ACOrigins.exe+1DAF3F2 - 41 B9 AB7590C6        - mov r9d,C69075AB { -18490.83 }
ACOrigins.exe+1DAF3F8 - 48 8D 0D 718E9A02     - lea rcx,[ACOrigins.exe+4758270] { [18EB30000] }
ACOrigins.exe+1DAF3FF - 45 33 C0              - xor r8d,r8d
ACOrigins.exe+1DAF402 - 48 BA AC76E2E049010000 - mov rdx,00000149E0E276AC { -522029396 }
ACOrigins.exe+1DAF40C - E8 5FBFA9FE           - call ACOrigins.exe+84B370
ACOrigins.exe+1DAF411 - 48 8D 54 24 50        - lea rdx,[rsp+50]
ACOrigins.exe+1DAF416 - 48 89 44 24 50        - mov [rsp+50],rax
ACOrigins.exe+1DAF41B - 48 8D 4C 24 20        - lea rcx,[rsp+20]
ACOrigins.exe+1DAF420 - E8 1B01E2FF           - call ACOrigins.exe+1BCF540
ACOrigins.exe+1DAF425 - 48 8D 54 24 20        - lea rdx,[rsp+20]
ACOrigins.exe+1DAF42A - 48 8B CB              - mov rcx,rbx
ACOrigins.exe+1DAF42D - E8 BE14C0FE           - call ACOrigins.exe+9B08F0
ACOrigins.exe+1DAF432 - 48 85 C0              - test rax,rax
ACOrigins.exe+1DAF435 - 75 10                 - jne ACOrigins.exe+1DAF447
ACOrigins.exe+1DAF437 - 45 33 C0              - xor r8d,r8d
ACOrigins.exe+1DAF43A - 48 8D 54 24 20        - lea rdx,[rsp+20]
ACOrigins.exe+1DAF43F - 48 8B CB              - mov rcx,rbx
ACOrigins.exe+1DAF442 - E8 6954E2FF           - call ACOrigins.exe+1BD48B0
ACOrigins.exe+1DAF447 - 48 8D 4C 24 20        - lea rcx,[rsp+20]
ACOrigins.exe+1DAF44C - E8 EFD59AFF           - call ACOrigins.exe+175CA40
ACOrigins.exe+1DAF451 - 48 8B 4C 24 50        - mov rcx,[rsp+50]
ACOrigins.exe+1DAF456 - E8 B520A6FE           - call ACOrigins.exe+811510
ACOrigins.exe+1DAF45B - 48 83 C4 30           - add rsp,30 { 48 }
ACOrigins.exe+1DAF45F - 5B                    - pop rbx
ACOrigins.exe+1DAF460 - C3                    - ret
Set a breakpoint here:

ACOrigins.exe+1DAF3B2 - E8 692EE3FF           - call ACOrigins.exe+1BE2220
ACOrigins.exe+1DAF3B7 - 48 85 C0              - test rax,rax <--
Then set an item in the slot (click on a sword to equip it) and let it break. Check RAX in memory:

[image]

Then just take each +0x8 pointer (every 0x20 block of bytes) and use it in your currently selected item. See what results you get :P

On my end the table ends at offset 0x5BC0 (so: 000000007EE76870 + 5BC0). Quite a big table.
Last edited by SunBeam on Mon Feb 26, 2018 5:51 pm, edited 1 time in total.
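The two steps SunBeam describes (scan memory for the item hash QWORD and subtract 0x10 to get the structure pointer; then walk the table taking the +0x8 pointer of every 0x20 block and reading its hash) as an added, runnable model in Python. This is my example, not code from the thread or from Cheat Engine: it builds a constructed memory image with the layout the posts describe (hash at +0x10 of the item structure, 0x20-byte table entries with the item pointer at +0x8) and runs both steps over it. The region addresses, region sizes and the third item hash are made up; UltimaBlade's hash is the one budabum posted, and 0x7312FA8908 is the immediate the disassembly above compares table entries against. It also shows why the scan should be restricted to writable memory: the same hash value sits in code as a `mov r8, imm64` immediate, and subtracting 0x10 from that hit gives garbage, not a structure.

```python
import struct

# Layout assumptions taken from the posts: the item hash is the QWORD at +0x10 of the
# item structure, and the hash table is made of 0x20-byte entries holding the item
# pointer at +0x8. Everything else below (addresses, sizes, third hash) is constructed.
ITEM_HASH_OFF = 0x10
TABLE_ENTRY_SIZE = 0x20
TABLE_PTR_OFF = 0x08

HEAP_BASE = 0x7EE76000     # constructed writable region: the "item structures" live here
CODE_BASE = 0x140000000    # constructed read-only region: simulates the game's .text

# UltimaBlade's hash is from budabum's post; 0x7312FA8908 is the immediate the
# disassembly compares against; the third value is a made-up placeholder.
SAMPLE_ITEMS = [
    ("UltimaBlade", 0x000001601BA94377),
    ("item_from_immediate", 0x0000007312FA8908),
    ("placeholder_item", 0x00000000DEADBEEF),
]


class Region:
    def __init__(self, base, data, writable):
        self.base, self.data, self.writable = base, bytes(data), writable

    def contains(self, addr, size=1):
        return self.base <= addr and addr + size <= self.base + len(self.data)


class Memory:
    """Minimal stand-in for a process address space made of a few mapped regions."""

    def __init__(self, regions):
        self.regions = list(regions)

    def read_qword(self, addr):
        for r in self.regions:
            if r.contains(addr, 8):
                return struct.unpack_from("<Q", r.data, addr - r.base)[0]
        raise ValueError(f"unmapped read at {addr:#x}")

    def scan_qword(self, value, writable_only=True, align=8):
        """Return every aligned address holding `value` as a little-endian QWORD."""
        needle = struct.pack("<Q", value)
        hits = []
        for r in self.regions:
            if writable_only and not r.writable:
                continue
            off = r.data.find(needle)
            while off != -1:
                if (r.base + off) % align == 0:
                    hits.append(r.base + off)
                off = r.data.find(needle, off + 1)
        return hits


def find_item_struct(mem, item_hash, writable_only=True):
    """Step 1 from the post: scan for the hash QWORD, subtract 0x10 -> structure pointer."""
    return [hit - ITEM_HASH_OFF for hit in mem.scan_qword(item_hash, writable_only)]


def walk_hash_table(mem, table_start, table_end):
    """Step 2 from the post: take the +0x8 pointer of every 0x20 entry and read its hash."""
    found = []
    for entry in range(table_start, table_end, TABLE_ENTRY_SIZE):
        item_ptr = mem.read_qword(entry + TABLE_PTR_OFF)
        if item_ptr:
            found.append((entry, item_ptr, mem.read_qword(item_ptr + ITEM_HASH_OFF)))
    return found


def build_sample_memory():
    """Constructed image: three item structures, a hash table pointing at them, and a
    code region carrying one hash as a `mov r8, imm64` immediate (a false positive for
    a scan that is not limited to writable pages)."""
    heap = bytearray(0x1000)
    structs = {}
    for i, (name, h) in enumerate(SAMPLE_ITEMS):
        off = 0x100 + i * 0x40
        struct.pack_into("<Q", heap, off + ITEM_HASH_OFF, h)
        structs[name] = HEAP_BASE + off
    table_off = 0x800
    for i, (name, _) in enumerate(SAMPLE_ITEMS):
        struct.pack_into("<Q", heap, table_off + i * TABLE_ENTRY_SIZE + TABLE_PTR_OFF, structs[name])
    # six NOPs of padding so the immediate lands 8-byte aligned, then "49 B8 <imm64>"
    code = b"\x90" * 6 + b"\x49\xB8" + struct.pack("<Q", SAMPLE_ITEMS[1][1]) + b"\x66\x90"
    mem = Memory([Region(HEAP_BASE, heap, True), Region(CODE_BASE, code, False)])
    table_end = HEAP_BASE + table_off + len(SAMPLE_ITEMS) * TABLE_ENTRY_SIZE
    return mem, structs, HEAP_BASE + table_off, table_end


if __name__ == "__main__":
    mem, structs, t_start, t_end = build_sample_memory()
    for name, h in SAMPLE_ITEMS:
        print(f"{name}: hash {h:#018x} -> struct {find_item_struct(mem, h)[0]:#x}")
    naive = mem.scan_qword(SAMPLE_ITEMS[1][1], writable_only=False)
    print("hits without the writable filter:", [hex(a) for a in naive])
    for entry, ptr, h in walk_hash_table(mem, t_start, t_end):
        print(f"table entry {entry:#x}: item {ptr:#x} hash {h:#018x}")
```

Run it as a script to see both lookups. In Cheat Engine the equivalent of `scan_qword(..., writable_only=True)` is an 8-byte exact-value scan with only the Writable memory filter ticked, followed by the -0x10 arithmetic on the hit; the table walk is what you do by hand when you step through the 0x20 blocks after the breakpoint above.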

Post by budabum (Expert Cheater):

I like how the mad_wrong_2bytes_swap_approach revealed the mad right hash table ;)
Good job!

Post by SunBeam (Administration):

Here's some more info, how to trace the VisualTextComponent elements of the item pane:

break #1: ACOrigins.exe+155B820 (hover mouse over an item; on break, F9 till 2nd break)

then

break #2: ACOrigins.exe+152DBB3 (conditional: R14 == 0x35)

then

break #3: ACOrigins.exe+1520CE0 (conditional: R14 == 0x35 and R8 == 001500009A713616)

then

ACOrigins.exe+1520D1F - 48 8B D7              - mov rdx,rdi
ACOrigins.exe+1520D22 - E8 19FDFFFF           - call ACOrigins.exe+1520A40 <-- enter here
ACOrigins.exe+1520D27 - 84 C0                 - test al,al
then

ACOrigins.exe+15764D0 - 40 53                 - push rbx (RAX = 15; R8 = 001500009A713616; R14 = 0000000000000035)
ACOrigins.exe+15764D2 - 48 83 EC 20           - sub rsp,20 { 32 }
ACOrigins.exe+15764D6 - 8B 02                 - mov eax,[rdx]
ACOrigins.exe+15764D8 - 48 8B D9              - mov rbx,rcx
ACOrigins.exe+15764DB - 39 01                 - cmp [rcx],eax
ACOrigins.exe+15764DD - 74 1C                 - je ACOrigins.exe+15764FB
ACOrigins.exe+15764DF - 89 01                 - mov [rcx],eax
ACOrigins.exe+15764E1 - 48 83 C1 08           - add rcx,08 { 8 }
ACOrigins.exe+15764E5 - 48 83 39 00           - cmp qword ptr [rcx],00 { 0 }
ACOrigins.exe+15764E9 - 75 07                 - jne ACOrigins.exe+15764F2
ACOrigins.exe+15764EB - 48 83 79 08 00        - cmp qword ptr [rcx+08],00 { 0 }
ACOrigins.exe+15764F0 - 74 09                 - je ACOrigins.exe+15764FB
ACOrigins.exe+15764F2 - 48 8B 11              - mov rdx,[rcx]
ACOrigins.exe+15764F5 - 48 8B 41 20           - mov rax,[rcx+20]
ACOrigins.exe+15764F9 - FF D0                 - call rax
ACOrigins.exe+15764FB - 48 8B C3              - mov rax,rbx
ACOrigins.exe+15764FE - 48 83 C4 20           - add rsp,20 { 32 }
ACOrigins.exe+1576502 - 5B                    - pop rbx
ACOrigins.exe+1576503 - C3                    - ret
then

ACOrigins.exe+A3FE4D - 48 8D 54 24 40        - lea rdx,[rsp+40]
ACOrigins.exe+A3FE52 - E8 6911B400           - call ACOrigins.exe+1580FC0 <-- enter here
then

ACOrigins.exe+1581163 - 48 8B C8              - mov rcx,rax
ACOrigins.exe+1581166 - E8 4584EDFF           - call ACOrigins.exe+14595B0 <-- enter here (RDX = 00000000000E000A)
then

ACOrigins.exe+14596AD - 41 8B D7              - mov edx,r15d
ACOrigins.exe+14596B0 - E8 CB000000           - call ACOrigins.exe+1459780 <-- enter here (RDX = 00000000000E000A)
ACOrigins.exe+14596B5 - 84 C0                 - test al,al
then

ACOrigins.exe+1459851 - 4D 85 C0              - test r8,r8 <-- R8 = 000000006E2564E6
ACOrigins.exe+1459854 - 0F84 49060000         - je ACOrigins.exe+1459EA3
ACOrigins.exe+145985A - 41 8B C2              - mov eax,r10d
ACOrigins.exe+145985D - 2B C7                 - sub eax,edi
then

ACOrigins.exe+14599B2 - 41 0FB6 1F            - movzx ebx,byte ptr [r15] <-- first offset
ACOrigins.exe+14599B6 - 49 FF C7              - inc r15
ACOrigins.exe+14599B9 - 66 41 3B DD           - cmp bx,r13w
..
..
ACOrigins.exe+14599F6 - 66 FF C3              - inc bx
ACOrigins.exe+14599F9 - 45 33 ED              - xor r13d,r13d
ACOrigins.exe+14599FC - 0F1F 40 00            - nop [rax+00]
ACOrigins.exe+1459A00 - 0FB7 C3               - movzx eax,bx <--
ACOrigins.exe+1459A03 - 45 0FB7 34 84         - movzx r14d,word ptr [r12+rax*4] <--
ACOrigins.exe+1459A08 - 41 0FB7 74 84 02      - movzx esi,word ptr [r12+rax*4+02]
All the above, reduced to 2 breaks:

ACOrigins.exe+14596AD - 41 8B D7              - mov edx,r15d
ACOrigins.exe+14596B0 - E8 CB000000           - call ACOrigins.exe+1459780
ACOrigins.exe+14596B5 - 84 C0                 - test al,al

ACOrigins.exe+1459E2A - 8B 45 1B              - mov eax,[rbp+1B] // check RCX in memory :P
ACOrigins.exe+1459E2D - C1 E8 1E              - shr eax,1E { 30 }
ACOrigins.exe+1459E30 - A8 01                 - test al,01 { 1 }
ACOrigins.exe+1459E32 - 74 2F                 - je ACOrigins.exe+1459E63
ACOrigins.exe+1459E34 - 48 8B 5D 0F           - mov rbx,[rbp+0F]
ACOrigins.exe+1459E38 - 48 85 DB              - test rbx,rbx
Last edited by SunBeam on Tue Feb 27, 2018 10:27 am, edited 1 time in total.
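Both this post and the hash-table post earlier are built on Cheat Engine disassembly listings of the form `module+offset - bytes - mnemonic operands`. Here is an added example of mine (not SunBeam's code, not part of Cheat Engine) that parses that format and does two things a practitioner wants before setting breakpoints: it pulls the 64-bit immediates out of `mov r64, imm64` lines (the candidate hashes the game compares against, such as 0x7312FA8908 above), and it recomputes every `call` target from the E8 rel32 bytes so you can confirm the displayed target, or compute it yourself when all you have is the bytes. The sample lines are copied verbatim from the two posts; the only other assumptions are the standard x86-64 encodings (E8 rel32 for call; REX.W 48..4F followed by B8..BF and eight immediate bytes for `mov r64, imm64`).

```python
import re
from dataclasses import dataclass

# Cheat Engine listing line:  module+offset - <opcode bytes> - mnemonic operands { note } <-- remark
LINE_RE = re.compile(
    r"^(?P<mod>[^\s+]+)\+(?P<off>[0-9A-Fa-f]+)\s+-\s+"
    r"(?P<bytes>(?:[0-9A-Fa-f]+\s+)+?)-\s+(?P<mn>\S+)\s*(?P<ops>.*)$"
)

# Sample lines copied from the thread (hash-table post and the VisualTextComponent trace).
SAMPLE_LISTING = """
ACOrigins.exe+1DAF3B2 - E8 692EE3FF           - call ACOrigins.exe+1BE2220
ACOrigins.exe+1DAF3B7 - 48 85 C0              - test rax,rax <--
ACOrigins.exe+1DAF3D4 - 49 B8 0889FA1273000000 - mov r8,0000007312FA8908 { 318408968 }
ACOrigins.exe+1DAF3DE - 66 90                 - nop
ACOrigins.exe+1DAF3E0 - 48 8B 08              - mov rcx,[rax]
ACOrigins.exe+1DAF3E3 - 4C 39 41 10           - cmp [rcx+10],r8
ACOrigins.exe+1DAF402 - 48 BA AC76E2E049010000 - mov rdx,00000149E0E276AC { -522029396 }
ACOrigins.exe+1DAF40C - E8 5FBFA9FE           - call ACOrigins.exe+84B370
ACOrigins.exe+1520D22 - E8 19FDFFFF           - call ACOrigins.exe+1520A40 <-- enter here
ACOrigins.exe+A3FE52 - E8 6911B400           - call ACOrigins.exe+1580FC0 <-- enter here
ACOrigins.exe+1581166 - E8 4584EDFF           - call ACOrigins.exe+14595B0 <-- enter here (RDX = 00000000000E000A)
ACOrigins.exe+14596B0 - E8 CB000000           - call ACOrigins.exe+1459780
..
"""


@dataclass
class Insn:
    module: str
    offset: int       # offset from the module base, as shown in the listing
    raw: bytes        # the opcode bytes
    mnemonic: str
    operands: str

    @property
    def next_offset(self):
        return self.offset + len(self.raw)


def clean_operands(ops):
    """Drop CE's '{ value }' annotations and the poster's '<-- ...' / '// ...' remarks."""
    return re.sub(r"\{.*?\}|<--.*|//.*", "", ops).strip()


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # '..' separators, blank lines, prose
    return Insn(m["mod"], int(m["off"], 16), bytes.fromhex("".join(m["bytes"].split())),
                m["mn"].lower(), clean_operands(m["ops"]))


def parse_listing(text):
    return [i for i in (parse_line(l) for l in text.splitlines()) if i]


def imm64_constants(insns):
    """mov r64, imm64 = REX.W (48..4F) + B8..BF + 8 immediate bytes, 10 bytes in total."""
    return [(i.offset, int.from_bytes(i.raw[2:], "little"))
            for i in insns
            if len(i.raw) == 10 and 0x48 <= i.raw[0] <= 0x4F and 0xB8 <= i.raw[1] <= 0xBF]


def call_target(i):
    """E8 rel32: target = offset of the next instruction + sign-extended rel32."""
    if len(i.raw) == 5 and i.raw[0] == 0xE8:
        return i.next_offset + int.from_bytes(i.raw[1:], "little", signed=True)
    return None


def check_call_targets(insns):
    """Recompute each call target from its bytes and compare with the displayed module+offset."""
    results = []
    for i in insns:
        target = call_target(i)
        if target is None:
            continue
        m = re.search(r"\+([0-9A-Fa-f]+)$", i.operands)
        shown = int(m.group(1), 16) if m else None
        results.append((i.offset, target, shown == target))
    return results


if __name__ == "__main__":
    insns = parse_listing(SAMPLE_LISTING)
    for off, value in imm64_constants(insns):
        print(f"imm64 at +{off:X}: {value:#018x}")
    for off, target, ok in check_call_targets(insns):
        print(f"call at +{off:X} -> +{target:X} {'matches' if ok else 'MISMATCH'}")
```

Feed it a whole listing pasted from Cheat Engine (any size) and the imm64 list is the set of constants worth trying as hashes, while a `MISMATCH` line means the listing was copied from a different build than the one the offsets refer to.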

Post by budabum (Expert Cheater):

I have not put my fingers into those code snippets yet.
By VisualTextComponent, do you mean hashed/ciphered text strings, or are they open?

Post by Cielos (RCE Fanatics):

SunBeam wrote (Mon Feb 26, 2018 11:25 am):
    Sorry, I've been busy with this lately:

    :D

    BR,
    Sun

This is beautiful!

Post by SunBeam (Administration):

With some hours of work and some help from Dark Byte (regarding calling Lua functions from ASM hooks), I got this cropped up. Listing the "id" properly after all the text isn't fixed yet :P But this should give you an idea of what I am working on. Uhm, suffice it to say I can safely read the entire player Inventory and retrieve content by hash. Don't yet know how to correlate the item with its descriptions. Editor, later on :P



Peace,
Sun

Post by machine4578 (Expert Cheater):

holy crap SunBeam!! looking amazing!

Can't wait for the final product :)


Post by Impe97 (Noobzor):

Please share a 100% savegame.

Post by SunBeam (Administration):

Posting this here till this evening; figured a way to stabilize the hook and order the output text as I want :)

ACOrigins.exe+21D209E - 48 C1 F9 3F           - sar rcx,3F
ACOrigins.exe+21D20A2 - 48 23 08              - and rcx,[rax]

- read RSP -> x = [RSP]
- then [x+78] = pointer to item settings; from here +0x10 = item hash

hook 1: get the item; set bool to 1

ACOrigins.exe+8C53BA - C6 85 7E020000 02     - mov byte ptr [rbp+0000027E],02

hook 2: if bool is 1, collect pointers to storage

ACOrigins.exe+21D20AC - 48 8B B4 24 B8000000  - mov rsi,[rsp+000000B8]

hook 3: set bool to 0; call Lua to print what you collected
Also, this:

outputDebugString(text): Outputs a message using the windows OutputDebugString message. You can use tools like dbgview to read this. Useful for testing situations where the GUI freezes
+ TraceSpy ([Link])

or

+ DebugView++ ([Link])

Post by Tomototo88 (Noobzor):

Hello, can somebody tell me how to use the debug menu in the anvilnext64 games? I have seen SunBeam's post for ages, provided with a picture of the menu, but never knew how to use it, and that's the reason why I registered. Thanks in advance and sorry for the misunderstandings!
