So this is the function running when you click on a Perk and want to purchase it:
FC_m64.dll+12478FC0 - 40 53 - push rbx
FC_m64.dll+12478FC2 - 56 - push rsi
FC_m64.dll+12478FC3 - 48 83 EC 48 - sub rsp,48 { 72 }
FC_m64.dll+12478FC7 - 8B 91 D8010000 - mov edx,[rcx+000001D8]
FC_m64.dll+12478FCD - 48 89 CE - mov rsi,rcx
FC_m64.dll+12478FD0 - 48 81 C1 C8010000 - add rcx,000001C8 { 456 }
FC_m64.dll+12478FD7 - E8 449130EF - call FC_m64.dll+1782120
FC_m64.dll+12478FDC - 84 C0 - test al,al
FC_m64.dll+12478FDE - 0F84 E0000000 - je FC_m64.dll+124790C4
FC_m64.dll+12478FE4 - BA 2A000000 - mov edx,0000002A { 42 }
FC_m64.dll+12478FE9 - 48 89 7C 24 40 - mov [rsp+40],rdi
FC_m64.dll+12478FEE - 48 8D 4C 24 78 - lea rcx,[rsp+78]
FC_m64.dll+12478FF3 - E8 289206F0 - call FC_m64.dll+24E2220
FC_m64.dll+12478FF8 - 48 8D 4C 24 60 - lea rcx,[rsp+60]
FC_m64.dll+12478FFD - E8 4E9DCFED - call FC_m64.dll+172D50
FC_m64.dll+12479002 - 48 8D 4C 24 28 - lea rcx,[rsp+28]
FC_m64.dll+12479007 - 88 44 24 60 - mov [rsp+60],al
FC_m64.dll+1247900B - E8 409DCFED - call FC_m64.dll+172D50
FC_m64.dll+12479010 - 48 8D 15 31D9A7F2 - lea rdx,[FC_m64.dll+4EF6948] { (0) }
FC_m64.dll+12479017 - 88 44 24 28 - mov [rsp+28],al
FC_m64.dll+1247901B - 48 8D 4C 24 28 - lea rcx,[rsp+28]
FC_m64.dll+12479020 - 48 C7 44 24 30 00000000 - mov qword ptr [rsp+30],00000000 { 0 }
FC_m64.dll+12479029 - E8 0287CDED - call FC_m64.dll+151730
FC_m64.dll+1247902E - 48 8B 8E 48020000 - mov rcx,[rsi+00000248]
FC_m64.dll+12479035 - 48 8D 54 24 28 - lea rdx,[rsp+28]
FC_m64.dll+1247903A - E8 4135DAEF - call FC_m64.dll+221C580
FC_m64.dll+1247903F - 48 8B 4C 24 30 - mov rcx,[rsp+30]
FC_m64.dll+12479044 - 48 85 C9 - test rcx,rcx
FC_m64.dll+12479047 - 74 25 - je FC_m64.dll+1247906E
FC_m64.dll+12479049 - 83 C8 FF - or eax,-01 { 255 }
FC_m64.dll+1247904C - F0 0FC1 41 08 - lock xadd [rcx+08],eax
FC_m64.dll+12479051 - 83 F8 01 - cmp eax,01 { 1 }
FC_m64.dll+12479054 - 75 18 - jne FC_m64.dll+1247906E
FC_m64.dll+12479056 - 80 7C 24 28 00 - cmp byte ptr [rsp+28],00 { 0 }
FC_m64.dll+1247905B - 48 8B 4C 24 30 - mov rcx,[rsp+30]
FC_m64.dll+12479060 - 74 07 - je FC_m64.dll+12479069
FC_m64.dll+12479062 - E8 2917D0ED - call FC_m64.dll+17A790
FC_m64.dll+12479067 - EB 05 - jmp FC_m64.dll+1247906E
FC_m64.dll+12479069 - E8 A2A9D0ED - call FC_m64.dll+183A10
FC_m64.dll+1247906E - 8B 86 D8010000 - mov eax,[rsi+000001D8]
FC_m64.dll+12479074 - 48 8D 0C C0 - lea rcx,[rax+rax*8]
FC_m64.dll+12479078 - 48 8B 86 C8010000 - mov rax,[rsi+000001C8]
FC_m64.dll+1247907F - 48 8D 3C C8 - lea rdi,[rax+rcx*8]
FC_m64.dll+12479083 - 8B 04 C8 - mov eax,[rax+rcx*8]
FC_m64.dll+12479086 - 48 8D 4C 24 70 - lea rcx,[rsp+70]
FC_m64.dll+1247908B - 89 44 24 70 - mov [rsp+70],eax
FC_m64.dll+1247908F - E8 DC3931EF - call FC_m64.dll+178CA70
FC_m64.dll+12479094 - B9 01000000 - mov ecx,00000001 { 1 }
FC_m64.dll+12479099 - 89 C3 - mov ebx,eax
FC_m64.dll+1247909B - E8 703C31EF - call FC_m64.dll+178CD10
FC_m64.dll+124790A0 - 48 8B 8E C0010000 - mov rcx,[rsi+000001C0]
FC_m64.dll+124790A7 - 39 C3 - cmp ebx,eax
FC_m64.dll+124790A9 - 0F94 D2 - sete dl
FC_m64.dll+124790AC - 83 7F 04 04 - cmp dword ptr [rdi+04],04 { 4 }
FC_m64.dll+124790B0 - 41 0F94 D0 - sete r8l
FC_m64.dll+124790B4 - 48 8B 7C 24 40 - mov rdi,[rsp+40]
FC_m64.dll+124790B9 - 48 83 C4 48 - add rsp,48 { 72 }
FC_m64.dll+124790BD - 5E - pop rsi
FC_m64.dll+124790BE - 5B - pop rbx
FC_m64.dll+124790BF - E9 1C07D6EF - jmp FC_m64.dll+21D97E0
FC_m64.dll+124790C4 - BA 29000000 - mov edx,00000029 { 41 }
FC_m64.dll+124790C9 - 48 8D 4C 24 20 - lea rcx,[rsp+20]
FC_m64.dll+124790CE - E8 4D9106F0 - call FC_m64.dll+24E2220
FC_m64.dll+124790D3 - 48 8B 8E C0010000 - mov rcx,[rsi+000001C0]
FC_m64.dll+124790DA - E8 8107D6EF - call FC_m64.dll+21D9860
FC_m64.dll+124790DF - 8B 86 D8010000 - mov eax,[rsi+000001D8]
FC_m64.dll+124790E5 - 48 8D 0C C0 - lea rcx,[rax+rax*8]
FC_m64.dll+124790E9 - 48 8B 86 C8010000 - mov rax,[rsi+000001C8]
FC_m64.dll+124790F0 - 8B 4C C8 04 - mov ecx,[rax+rcx*8+04]
FC_m64.dll+124790F4 - E8 A76531EF - call FC_m64.dll+178F6A0
FC_m64.dll+124790F9 - 84 C0 - test al,al
FC_m64.dll+124790FB - 74 0C - je FC_m64.dll+12479109
FC_m64.dll+124790FD - 48 8B 8E C0010000 - mov rcx,[rsi+000001C0]
FC_m64.dll+12479104 - E8 8707D6EF - call FC_m64.dll+21D9890
FC_m64.dll+12479109 - 48 83 C4 48 - add rsp,48 { 72 }
FC_m64.dll+1247910D - 5E - pop rsi
FC_m64.dll+1247910E - 5B - pop rbx
FC_m64.dll+1247910F - C3 - ret
OK. So I first took a look at "mov edx,[rcx+000001D8]". I put a break on access, then hovered the mouse over a Perk pictograph, and got this piece of code:
FC_m64.dll+124B2C34 - 44 89 AE D8010000 - mov [rsi+000001D8],r13d
Now, if you do "find out what addresses this instruction accesses", then hover the mouse over each Perk, one by one, you'll see r13d turning to these values:
What this means is that every Perk that doesn't have a dependency will be "labeled" 0. Perks that require the previous one unlocked will go +1. So, for example, on the line before last the first 3 Perks are sequential. You need to unlock them one by one, from left to right. The first one is "0", the second one is "1", and the last one in the chain is "2" (in terms of IDs).
Now, if I want to purchase "Outdoor Enthusiast" (the top-right one), I notice that it costs 7 points. I only have 3.
So this run-down happens when I click on it:
00007FFD0C468FC0 | 40:53 | PUSH RBX |
00007FFD0C468FC2 | 56 | PUSH RSI |
00007FFD0C468FC3 | 48:83EC 48 | SUB RSP,48 |
00007FFD0C468FC7 | 8B91 D8010000 | MOV EDX,DWORD PTR DS:[RCX+1D8] | RCX == CFCXUILogicPerkDetailsPanel
00007FFD0C468FCD | 48:89CE | MOV RSI,RCX |
00007FFD0C468FD0 | 48:81C1 C8010000 | ADD RCX,1C8 |
00007FFD0C468FD7 | E8 449130EF | CALL fc_m64.7FFCFB772120 | <-- F7
[CALL]
00007FFD08B8E0B0 | 40:56 | PUSH RSI |
00007FFD08B8E0B2 | 48:83EC 20 | SUB RSP,20 |
00007FFD08B8E0B6 | 4C:8B01 | MOV R8,QWORD PTR DS:[RCX] | [RCX]=[000001D62B1E9A38]=000001D5BC5710A0
00007FFD08B8E0B9 | 89D0 | MOV EAX,EDX | our ID
00007FFD08B8E0BB | 48:8D0CC0 | LEA RCX,QWORD PTR DS:[RAX+RAX*8] | 1+1*8 = 9
00007FFD08B8E0BF | 41:8B44C8 04 | MOV EAX,DWORD PTR DS:[R8+RCX*8+4] | [000001D5BC5710A0+9*8+4]=2
00007FFD08B8E0C4 | 49:8D34C8 | LEA RSI,QWORD PTR DS:[R8+RCX*8] | 000001D5BC5710E8
00007FFD08B8E0C8 | 83C0 FE | ADD EAX,FFFFFFFE |
00007FFD08B8E0CB | A9 FDFFFFFF | TEST EAX,FFFFFFFD |
00007FFD08B8E0D0 | 74 08 | JE fc_m64.7FFD08B8E0DA |
00007FFD08B8E0D2 | 30C0 | XOR AL,AL |
00007FFD08B8E0D4 | 48:83C4 20 | ADD RSP,20 |
00007FFD08B8E0D8 | 5E | POP RSI |
00007FFD08B8E0D9 | C3 | RET |
00007FFD08B8E0DA | 85D2 | TEST EDX,EDX |
00007FFD08B8E0DC | 74 14 | JE fc_m64.7FFD08B8E0F2 |
00007FFD08B8E0DE | 8D42 FF | LEA EAX,QWORD PTR DS:[RDX-1] |
00007FFD08B8E0E1 | 48:8D04C0 | LEA RAX,QWORD PTR DS:[RAX+RAX*8] |
00007FFD08B8E0E5 | 41:8B4CC0 04 | MOV ECX,DWORD PTR DS:[R8+RAX*8+4] | [000001D5BC5710E8+0*8+4]=3
00007FFD08B8E0EA | 83E9 03 | SUB ECX,3 |
00007FFD08B8E0ED | 83F9 01 | CMP ECX,1 |
00007FFD08B8E0F0 | 77 E0 | JA fc_m64.7FFD08B8E0D2 |
00007FFD08B8E0F2 | 48:8B0D 1FDD24F6 | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18] |
00007FFD08B8E0F9 | 48:8D15 A01B28F6 | LEA RDX,QWORD PTR DS:[7FFCFEE0FCA0] |
00007FFD08B8E100 | 48:895C24 30 | MOV QWORD PTR SS:[RSP+30],RBX |
00007FFD08B8E105 | 48:897C24 38 | MOV QWORD PTR SS:[RSP+38],RDI |
00007FFD08B8E10A | E8 B113D0F1 | CALL fc_m64.7FFCFA88F4C0 |
00007FFD08B8E10F | 48:8B0D 02DD24F6 | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18] |
00007FFD08B8E116 | 48:89C2 | MOV RDX,RAX |
00007FFD08B8E119 | 48:89C7 | MOV RDI,RAX |
00007FFD08B8E11C | E8 0FE2CEF1 | CALL fc_m64.7FFCFA87C330 |
00007FFD08B8E121 | 48:8B0D F0DC24F6 | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18] |
00007FFD08B8E128 | 48:89FA | MOV RDX,RDI |
00007FFD08B8E12B | E8 906DCFF1 | CALL fc_m64.7FFCFA884EC0 |
00007FFD08B8E130 | 48:8B0D E1DC24F6 | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18] | RAX=000001D5C6AE9E5C->[RAX]=3
00007FFD08B8E137 | 48:89FA | MOV RDX,RDI |
00007FFD08B8E13A | 48:89C3 | MOV RBX,RAX |
00007FFD08B8E13D | E8 0E3ACFF1 | CALL fc_m64.7FFCFA881B50 |
00007FFD08B8E142 | 837E 04 04 | CMP DWORD PTR DS:[RSI+4],4 |
00007FFD08B8E146 | 48:8B7C24 38 | MOV RDI,QWORD PTR SS:[RSP+38] |
00007FFD08B8E14B | 75 13 | JNE fc_m64.7FFD08B8E160 |
00007FFD08B8E14D | 8B46 0C | MOV EAX,DWORD PTR DS:[RSI+C] |
00007FFD08B8E150 | 3903 | CMP DWORD PTR DS:[RBX],EAX |
00007FFD08B8E152 | 48:8B5C24 30 | MOV RBX,QWORD PTR SS:[RSP+30] |
00007FFD08B8E157 | 0F93D0 | SETAE AL |
00007FFD08B8E15A | 48:83C4 20 | ADD RSP,20 |
00007FFD08B8E15E | 5E | POP RSI |
00007FFD08B8E15F | C3 | RET |
00007FFD08B8E160 | 8B46 08 | MOV EAX,DWORD PTR DS:[RSI+8] | RAX=[RSI+8]=[000001D5BC5710E8+8]=7
00007FFD08B8E163 | 3903 | CMP DWORD PTR DS:[RBX],EAX | [RBX]=[000001D5C6AE9E5C]=3 vs. 7
00007FFD08B8E165 | 48:8B5C24 30 | MOV RBX,QWORD PTR SS:[RSP+30] |
00007FFD08B8E16A | 0F93D0 | SETAE AL | AL is set to 0 because of the above CMP
00007FFD08B8E16D | 48:83C4 20 | ADD RSP,20 |
00007FFD08B8E171 | 5E | POP RSI |
00007FFD08B8E172 | C3 | RET |
[/CALL]
00007FFD0C468FDC | 84C0 | TEST AL,AL | <-- this will fail
00007FFD0C468FDE | 0F84 E0000000 | JE fc_m64.7FFD0C4690C4 | <-- taken; the red clipping text animation occurs
In short, as long as we don't have the required amount of Perk points, the function is not taken. Another thing I tested is whether the "transaction" happens in this function, by RET-ing its prologue. Turns out it does.
Which made me study it in depth.
Hope we get to a useful conclusion after all of this run-down.
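As an added example (not code from the original post, and not the game's own), here is a Python model of the eligibility check at FC_m64.dll+1782120 as read from the disassembly above. The 72-byte record stride follows from the `LEA RCX,[RAX+RAX*8]` / `[R8+RCX*8]` addressing and the three conditions are transcribed from the instructions; the field names `state`, `cost` and `alt_cost`, the helper names and the contents of `SAMPLE_TABLE` are my assumptions, chosen so the 7-vs-3 case from the post and the chained-predecessor case can both be exercised.

```python
"""
Added example, not code from the original post or the game: a Python model of
the eligibility routine at FC_m64.dll+1782120, reconstructed from the
disassembly in the post. The 72-byte stride and the dword offsets (+4, +8,
+0xC) are read off the addressing; the field names and sample data are assumed.
"""
import struct

RECORD_SIZE = 72    # LEA RCX,[RAX+RAX*8] then [R8+RCX*8]: index * 9 * 8
HEADER_FMT = "<4I"  # only the first four dwords (+0, +4, +8, +0xC) are read


def parse_perk(table: bytes, perk_id: int) -> dict:
    """Unpack the four dwords the routine touches for record perk_id."""
    off = perk_id * RECORD_SIZE
    f0, state, cost, alt_cost = struct.unpack_from(HEADER_FMT, table, off)
    return {"f0": f0, "state": state, "cost": cost, "alt_cost": alt_cost}


def can_purchase(table: bytes, perk_id: int, points: int) -> bool:
    """Mirror the three checks in order; arithmetic kept 32-bit unsigned."""
    perk = parse_perk(table, perk_id)

    # ADD EAX,-2 ; TEST EAX,0xFFFFFFFD ; JE  -> continue only if state in {2, 4}
    if ((perk["state"] - 2) & 0xFFFFFFFD) != 0:
        return False

    # TEST EDX,EDX -> record 0 has no predecessor. Otherwise the previous
    # record's state must satisfy (state - 3) <= 1 unsigned, i.e. state in {3, 4}.
    if perk_id != 0:
        prev = parse_perk(table, perk_id - 1)
        if ((prev["state"] - 3) & 0xFFFFFFFF) > 1:
            return False

    # CMP DWORD PTR [RSI+4],4 picks which cost dword is compared against the
    # caller's point total; SETAE makes it an unsigned points >= cost.
    required = perk["alt_cost"] if perk["state"] == 4 else perk["cost"]
    return (points & 0xFFFFFFFF) >= required


def build_table(records) -> bytes:
    """Constructed sample data: (f0, state, cost, alt_cost) per 72-byte record."""
    buf = bytearray()
    for f0, state, cost, alt_cost in records:
        buf += struct.pack(HEADER_FMT, f0, state, cost, alt_cost)
        buf += bytes(RECORD_SIZE - struct.calcsize(HEADER_FMT))
    return bytes(buf)


# Constructed sample table (assumed values, not dumped from the game).
SAMPLE_TABLE = build_table([
    (0, 4, 9, 1),   # id 0: state 4, no predecessor, uses the +0xC cost
    (0, 3, 2, 0),   # id 1: state 3 fails the state test itself
    (0, 2, 7, 0),   # id 2: the post's case: predecessor state 3, cost 7
    (0, 2, 5, 0),   # id 3: predecessor (id 2) still state 2 -> blocked
])

if __name__ == "__main__":
    for pid, pts in [(2, 3), (2, 7), (3, 99), (1, 50), (0, 1), (0, 0)]:
        print(f"perk {pid} with {pts} points -> {can_purchase(SAMPLE_TABLE, pid, pts)}")
```

With 3 points, record 2 fails on the final unsigned compare exactly as in the trace (AL = 0, so the caller's `TEST AL,AL` / `JE` takes the rejection path); with 7 points it passes. Record 3 is refused regardless of points because its predecessor has not reached state 3 or 4, which is the chain behaviour the ID numbering describes.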