Wolfenstein: Youngblood [Engine:idTech 6]

SunBeam

SunBeam

Administrator
Staff member
Administrator
Joined
Feb 4, 2018
Messages
3,489
[ 21.08.2019 - Update #2 ]
  • added "Disable "Maxed out!" for Armor/Ammo/Weapons/Items pick-up" script (the only things, I think, not yet covered are Life Chests and Throwables; the rest work out really fine); you can now pick-up almost anything regardless of your "Full" status; kinda bothered me you couldn't, but since I did it in the other games in the series, thought I'd do it here as well :p
  • added "Hook idSteamLobby::GetCoins" script (activate it, go back in-game, alt-tab to CE; you should see your Coins amount in 'CoinsRead'; if you want to set the amount to whatever value, use 'WantedCoins'; it will overwrite your current amount if set to anything but 0; keep in mind the game has a max of 900.000, so don't go full blown berserk with 999999999 shit as your value)

You know the rest.

[attachment=1]Youngblood_x64vk.CT[/attachment]


BR,
Sun
[ 27.07.2019 - Update #1 ]

Added noclip to the list of commands.



Just run the "Add 'noclip' to the console commands" script. You will also need "Disable console commands/CVars restrictions" script active, cuz it's a restricted command.

If you're on CE 7.0, change line 46 in the script to this:

// mov qword ptr [rsp+20],FFFFFFFE
mov qword ptr [rsp+20],FFFFFFFFFFFFFFFE

There's some encoding misrepresentation in 6.8.3 which got fixed in 7.0.

What the script does is to use idTech engine's cmdSystem->AddCommand (see this reference) function to insert our 'noclip' at the end of the list :) I've rebuilt the noclip_exec from copy-pasting 1:1 the godmode_exec function and fixing the LEA pointer to the actual command block member-functions. Function 0x20 in this table is the toggler.

Once enabled, head to the console, type noclip [Enter] and you'll see this:



And this is how I could now do this:



Things to consider:
  • while in noclip, there won't be area triggers (as in AIs won't spawn if you're far from the spawn zone); so, head to an area, drop someplace (noclip off), see how AIs instantly spawn, noclip on again to fly around and shoot them nicely (as long as your sis is around, they spawn like normal)
  • noclip disables damage dealt to player (it's like 2 in 1: god + noclip)
  • use Space to boost up, Ctrl to descend and Shift to speed up while in noclip mode
  • the main menu black background won't be displayed when you alt-tab to Desktop (like you see in my screenshot above)

You can find other things, like Coins and Skill Points in the [ Debug ] section.



That's pretty much it, folks. Enjoy.. and remember where you got this from! (for the leechers and youtubers). And please send me an email or private message if you want to create videos about this table or the content of this page. It's not much I ask of you; asking for permission matters to me.

[attachment=2]Youngblood_x64vk.CT[/attachment]


BR,
Sun

* * *

https://www.youtube.com/watch?v=relkNsoeZwU
Game Name: Wolfenstein: Youngblood
Game Vendor: Steam
Game Version: 1.0
Game Process: Youngblood_x64vk.exe
Game File Version: 0.0.0.722

https://store.steampowered.com/app/1056960/
Hello everyone.

Let's fill this puppy up. Just installed the game; will post my findings on idTech for this game. Got stuff to share? Do post! :)

* * *

« NO INTROS »

Head to ..\Wolfenstein Youngblood\base\bink\boot folder and rename boot_pc.bk2 to boot_pc.bk2.BAK.

« CONSOLE »

The console seems to be enabled for this game. Testing if all of the CVars/commands are available (or if their effect is in there) shows the below:



See what I did next :p

« CVARS »

listCvars command returns 321 cvars in restricted mode:



If you use the script in my table you will be able to access all 3008 of them. The script will also kill the 'restricted_mode' check when executing them in the console ;)



For example, g_infiniteAmmo 1 will freeze your ammo (clip and magazine):



« DEVELOPER MODE »

You can enable this by typing devMode_enable 1 in the console. Not yet sure what functionality it unlocks.

Current Table:
[attachment=3]Youngblood_x64vk.CT[/attachment]


See this Wiki for a list of possible CVars/commands, till I build the one for this game.

« DUMPER »

You can dump console information using the conDump <filename.txt> command:



Just in case you wondered how I got the below :p

« LIST OF COMMANDS »
http://codepad.org/2nGe7wtm

« LIST OF CVARS »
http://codepad.org/TVOBnmml

What the commands/CVars do you'll have to find out on your own, via using listCvars/listCmds - help <name of command/CVar>. Here's an example:



You can filter the commands or CVars typed in the console by using the TAB key. Start typing a letter, then press TAB; then type another letter and press TAB. And so on. Example: g_ [Tab] will list all CVars of type "g_" (our goodies).

BR,
Sun

P.S.#1: I used the analysis I described for DOOM 2016/Dishonored 2 in this post. Just in case people ask "how did you do it?"
P.S.#2: No trainers out at the time of posting this, on CH, fearlessrevolution or MAF. I have a feeling this statement of mine will be useful later on ;)


How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1
 


Idlehands88

Idlehands88

Expert Cheater
Fearless Donors
Table Maker
Joined
Jun 11, 2018
Messages
289
Updated table:

Max/Infinite Silver Coins
Max/Infinite Skill Points
Infinite Cloak NEW
Max/Infinite Boost Timers (Must purchase the Boost) NEW
 


sebastianyyz

sebastianyyz

Expert Cheater
Joined
Jul 9, 2017
Messages
174
Thank you SunBeam
 
STN

STN

Founder
Staff member
Administrator
Joined
Mar 2, 2017
Messages
3,758
Idlehands88 said:
I moved your post here. Feel free to make a separate topic for it if you wish.
 

XxDarkus101Xx

Noobzor
Joined
Apr 24, 2019
Messages
11
I'm gonna repost here since I didn't know this post was for the request or what not.

This is what I'm looking forward to:
Infinite Health, Ammo, Armor, Money, and Skill Points
No Reload
No Recoil
No Spread
Max Experience
Be greatly appreciated since that is the only reason why I bought the game in the first place.
 
Idlehands88
XxDarkus101Xx said:
I'm gonna repost here since I didn't know this post was for the request or what not.

This is what I'm looking forward to:
Infinite Health, Ammo, Armor, Money, and Skill Points
No Reload
No Recoil
No Spread
Max Experience
Be greatly appreciated since that is the only reason why I bought the game in the first place.
Money and Skill Points are already done
 
SunBeam
XxDarkus101Xx said:
I'm gonna repost here since I didn't know this post was for the request or what not.

This is what I'm looking forward to:
Infinite Health, Ammo, Armor, Money, and Skill Points
No Reload
No Recoil
No Spread
Max Experience
Be greatly appreciated since that is the only reason why I bought the game in the first place.
Download my table, run game, open game process, open table, enable "Disable Restricted Mode" script. In-game hit Tilde key and type this: g_playerXp. You should now see your XP and can override it with g_playerXp <value> :p
 
XxDarkus101Xx
Oh well, that's easy. I didn't even know this game has the same developer console that "The Evil Within" had. I just hope that at least No Recoil, No Spread, and No Reload are available. I get tired of the weapons recoiling all the time, makes it a little difficult to shoot at enemies. For that g_infiniteAmmo command, if that means I don't have to reload my weapons, then you can just ignore No Reload.


Update: FLING just made a trainer just now. Has all the functions I want.
 
SunBeam
Well, I just tested these out :p And they work fine:



Also try God in the console :p You'll see what happens. And this is a no stagger or shake camera type of god mode ;) You're immune to any form of damage.

BR,
Sun

P.S.: Note that this is a community post. Wasn't created to honor just your request :) Glad you found what you wanted; the rest posted here remains for posterity :)
 
SunBeam
And now the information behind it all:

« GOD »
Code:
0000000141184B8B | 48:8B0D BE480903 | MOV RCX,QWORD PTR DS:[144219450] |
0000000141184B92 | 48:8B01          | MOV RAX,QWORD PTR DS:[RCX]       |
0000000141184B95 | 41:B8 10000000   | MOV R8D,10                       |
0000000141184B9B | FF50 10          | CALL QWORD PTR DS:[RAX+10]       |
0000000141184B9E | 90               | NOP                              |
0000000141184B9F | 48:8BCF          | MOV RCX,RDI                      |
0000000141184BA2 | FF56 08          | CALL QWORD PTR DS:[RSI+8]        | <-
The "god" command is executed here. The engine then gets the player structure from the game structure (it's stored at a certain offset):



Inside that function this happens:
Code:
00000001410D1E03 | 48:8B81 C04A0500 | MOV RAX,QWORD PTR DS:[RCX+54AC0] |
00000001410D1E0A | 48:85C0          | TEST RAX,RAX                     |
Further along, this is executed:


And inside that function the actual toggle is done at this CALL:



And going in..



The formula for the toggle is the one marked in yellow. It reads the existing BYTE in g_Player + 0x10000 (its default is 0x0: off), then through that processing we get 0x2. God Mode on -> 0x2; God Mode off -> 0x0.

« p_Game POINTER »

I've managed to back-trace all of the information to find out where that g_Player pointer above was read and figured the game itself checks if it's running a valid "game" when you press Escape. That's when ToggleMainMenu command is executed and this runs:



(I wonder if those "dev menu entries" work :D)

Anyway, the run-down is as follows:
Code:
mov rax,[Youngblood_x64vk.exe+3FA81D0]
lea rcx,[Youngblood_x64vk.exe+3FA81D0]  // p_Game
call qword ptr [rax+00000210]
..
..
mov rax,[rcx+00001568] // g_Game
ret
Then, from that, you can do these:
Code:
g_Player = [g_Game + 0x54AC0] or [g_Game + 0x3138]
god = [g_Player + 0x10000] (0x0 - off; 0x2 - on)
Get to the BYTE, debug it, hook it. Boom; god mode. Of course, you can now use g_Player to figure out where HP and Shield are stored - OR - as a compare in other checks that should be player-sided.
 
jungletek

jungletek

Expert Cheater
Joined
Oct 17, 2017
Messages
205
Nice work! I'll have to wait for the scene to do their magic to get to check it out, but quality engine-work as usual ;)

One question though: how long can you bear staring at that white debugger background before your eyes start to bleed?

Edit: Also, is +3008 a record for "trainer" options?
 
SunBeam
Idlehands88: HP and Shield are indeed encrypted. Or should I say encoded :p Here's one decode run-down for HP (Current and Max):
Code:
000000014B3B431B | 48:89D7          | MOV RDI,RDX                         | rcx == g_Player == 16EA1BFC0              
000000014B3B431E | 0F297C24 20      | MOVAPS XMMWORD PTR SS:[RSP+20],XMM7 |
000000014B3B4323 | 48:6381 18C60000 | MOVSXD RAX,DWORD PTR DS:[RCX+C618]  |
000000014B3B432A | 85C0             | TEST EAX,EAX                        |
000000014B3B432C | 0F8E A4000000    | JLE youngblood_x64vk.14B3B43D6      | taken
..
..
000000014B3B43D6 | 48:8B5E 28       | MOV RBX,QWORD PTR DS:[RSI+28]       | g_Player
000000014B3B43DA | 31D2             | XOR EDX,EDX                         |
000000014B3B43DC | 48:81C3 C02F0200 | ADD RBX,22FC0                       | + 0x22FC0
000000014B3B43E3 | 48:89D9          | MOV RCX,RBX                         |
000000014B3B43E6 | 48:8B03          | MOV RAX,QWORD PTR DS:[RBX]          |
000000014B3B43E9 | FF50 60          | CALL QWORD PTR DS:[RAX+60]          | [1]
000000014B3B43EC | 48:8B03          | MOV RAX,QWORD PTR DS:[RBX]          |
000000014B3B43EF | 31D2             | XOR EDX,EDX                         |
000000014B3B43F1 | 48:89D9          | MOV RCX,RBX                         |
000000014B3B43F4 | 0F28F8           | MOVAPS XMM7,XMM0                    |
000000014B3B43F7 | FF50 68          | CALL QWORD PTR DS:[RAX+68]          | [2]
000000014B3B43FA | 0F28F0           | MOVAPS XMM6,XMM0                    |
000000014B3B43FD | 0F28C7           | MOVAPS XMM0,XMM7                    |
000000014B3B4400 | E8 83529AF6      | CALL youngblood_x64vk.141D59688     |
000000014B3B4405 | F3:0F1107        | MOVSS DWORD PTR DS:[RDI],XMM0       | calculated HP Current
000000014B3B4409 | 0F28C6           | MOVAPS XMM0,XMM6                    |
000000014B3B440C | E8 77529AF6      | CALL youngblood_x64vk.141D59688     |
000000014B3B4411 | F3:0F1147 04     | MOVSS DWORD PTR DS:[RDI+4],XMM0     | calculated HP Max

[1]
000000014AAA0530 | 49:89CA          | MOV R10,RCX                         |
000000014AAA0533 | 48:63C2          | MOVSXD RAX,EDX                      |
000000014AAA0536 | 4C:6BC8 38       | IMUL R9,RAX,38                      |
000000014AAA053A | 49:8B5409 10     | MOV RDX,QWORD PTR DS:[R9+RCX+10]    | read 1st encoded value
000000014AAA053F | 89D0             | MOV EAX,EDX                         | mov DWORD_1 to eax
000000014AAA0541 | 49:89D0          | MOV R8,RDX                          |
000000014AAA0544 | C1CA 03          | ROR EDX,3                           | first decode
000000014AAA0547 | 49:C1E8 20       | SHR R8,20                           | rotate to bswap
000000014AAA054B | 49:31C0          | XOR R8,RAX                          | this basically XORs DWORD_1 with DWORD_2
000000014AAA054E | 89D1             | MOV ECX,EDX                         |
000000014AAA0550 | 4C:31C1          | XOR RCX,R8                          |
000000014AAA0553 | 89D0             | MOV EAX,EDX                         |
000000014AAA0555 | 48:C1E1 20       | SHL RCX,20                          |
000000014AAA0559 | 48:09C1          | OR RCX,RAX                          |
000000014AAA055C | 44:894424 10     | MOV DWORD PTR SS:[RSP+10],R8D       |
000000014AAA0561 | F3:0F104424 10   | MOVSS XMM0,DWORD PTR SS:[RSP+10]    |
000000014AAA0567 | 4B:894C11 10     | MOV QWORD PTR DS:[R9+R10+10],RCX    |
000000014AAA056C | C3               | RET                                 |

[2]
000000014AAA0AF0 | 49:89CA          | MOV R10,RCX                         |
000000014AAA0AF3 | 48:63C2          | MOVSXD RAX,EDX                      |
000000014AAA0AF6 | 4C:6BC8 38       | IMUL R9,RAX,38                      |
000000014AAA0AFA | 49:8B5409 20     | MOV RDX,QWORD PTR DS:[R9+RCX+20]    | read 2nd encoded value
000000014AAA0AFF | 89D0             | MOV EAX,EDX                         | same shit as above from here on
000000014AAA0B01 | 49:89D0          | MOV R8,RDX                          |
000000014AAA0B04 | C1CA 03          | ROR EDX,3                           |
000000014AAA0B07 | 49:C1E8 20       | SHR R8,20                           |
000000014AAA0B0B | 49:31C0          | XOR R8,RAX                          |
000000014AAA0B0E | 89D1             | MOV ECX,EDX                         |
000000014AAA0B10 | 4C:31C1          | XOR RCX,R8                          |
000000014AAA0B13 | 89D0             | MOV EAX,EDX                         |
000000014AAA0B15 | 48:C1E1 20       | SHL RCX,20                          |
000000014AAA0B19 | 48:09C1          | OR RCX,RAX                          |
000000014AAA0B1C | 44:894424 10     | MOV DWORD PTR SS:[RSP+10],R8D       |
000000014AAA0B21 | F3:0F104424 10   | MOVSS XMM0,DWORD PTR SS:[RSP+10]    |
000000014AAA0B27 | 4B:894C11 20     | MOV QWORD PTR DS:[R9+R10+20],RCX    |
000000014AAA0B2C | C3               | RET                                 |
So HP_Current is at g_Player + 0x22FC0 + 0x10; HP_Max is at g_Player + 0x22FC0 + 0x20 ;) Note this encode/decode is done constantly o_O. Weird mechanism they've implemented...

EDIT #1: Apparently, FLiNG's trainer doesn't have an option for HP/Shield :) As in "Infinite HP" or "Infinite Shield" :D Funny.

EDIT #2: Found Shield_Current and Shield_Max as well; they're further down, cyclic-rotated with same 2 functions. So: Shield_Current is at g_Player + 0x22FC0 + 0x38 + 0x10; Shield_Max is at g_Player + 0x22FC0 + 0x38 + 0x20 :p Here's a snapshot:



BR,
Sun
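
Added example, not part of SunBeam's post and not the game's code: a C model of the read routines [1] and [2] in the listing above, showing that the float is `high dword XOR low dword` and that every read rotates the key and rewrites the slot. The names `slot_encode` and `slot_read` and the starting key are assumptions; the listing only shows how an existing slot is read and re-stored.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit rotate right, as done by ROR EDX,3 in the listing. */
static uint32_t ror32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* Build a slot: low dword = key, high dword = key XOR float bits.
   Hypothetical helper; the initial key value is an assumption. */
uint64_t slot_encode(float value, uint32_t key) {
    uint32_t bits;
    memcpy(&bits, &value, sizeof bits);
    return ((uint64_t)(key ^ bits) << 32) | key;
}

/* Model of routines [1]/[2]: recover the float, then re-key the slot in place. */
float slot_read(uint64_t *slot) {
    uint32_t low  = (uint32_t)*slot;          /* MOV EAX,EDX  : current key   */
    uint32_t high = (uint32_t)(*slot >> 32);  /* SHR R8,20    : masked value  */
    uint32_t bits = high ^ low;               /* XOR R8,RAX   : plain bits    */
    uint32_t key  = ror32(low, 3);            /* ROR EDX,3    : next key      */
    *slot = ((uint64_t)(key ^ bits) << 32) | key; /* XOR/SHL/OR, then store   */
    float value;
    memcpy(&value, &bits, sizeof value);      /* MOVSS XMM0,[RSP+10]          */
    return value;
}

int main(void) {
    /* Constructed sample: 100.0f with an arbitrary starting key. */
    uint64_t slot = slot_encode(100.0f, 0x9E3779B9u);
    for (int i = 0; i < 4; i++) {
        uint64_t before = slot;
        float v = slot_read(&slot);
        printf("stored %016llx -> %.1f, re-stored %016llx\n",
               (unsigned long long)before, v, (unsigned long long)slot);
    }
    return 0;
}
```

The stored QWORD changes on every read while the decoded value stays the same, which is why an exact-value memory scan does not find it. Key and masked value sit side by side in the same slot, so the scheme hides the value from scanners rather than protecting it from anyone who has read the routine.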
 
SunBeam
jungletek said:
Also, is +3008 a record for "trainer" options?
Ask STN, it's his video :D
 
XxDarkus101Xx
Guys this is what I'm noticing. As you level up, the enemies level up with you as well. I was wondering if there was an option to where it will disable enemy level scale or something. It takes a long time to kill some enemies with whatever weapons you have.
 
STN
SunBeam said:
jungletek said:
Also, is +3008 a record for "trainer" options?
Ask STN, it's his video :D
Clickbait :oops: but it's sorta kinda 3008 "cheats"
 