Middle-earth: Shadow of War - Goodies

jrubimf

Novice Cheater
Joined
Oct 9, 2017
Messages
24
Thank you for this.

Now I can get the 100% buff for "playing online".

EDIT: :( I'm a moron.
 
stealthcl0wn

Expert Cheater
Fearless Donors
Joined
Jun 18, 2017
Messages
139
SunBeam said:
Thought I'd point out there are 4 BOOLs controlling: Focus, Wrath, Elf-shots and Might, all 1 byte away from each other:
Code:
ShadowOfWar.exe+395CE7 - 48 8D 0D A1402A02     - lea rcx,[ShadowOfWar.exe+2639D8F] <--
ShadowOfWar.exe+395CEE - E8 AD118800           - call ShadowOfWar.exe+C16EA0
ShadowOfWar.exe+395CF3 - 84 C0                 - test al,al
ShadowOfWar.exe+395CF5 - 74 37                 - je ShadowOfWar.exe+395D2E
ShadowOfWar.exe+395CF7 - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+395CFA - 45 84 F6              - test r14l,r14l
OR
Code:
ShadowOfWar.exe+55AB07 - 40 38 3D 81F20D02     - cmp [ShadowOfWar.exe+2639D8F],dil <--
ShadowOfWar.exe+55AB0E - 0F84 FC308200         - je ShadowOfWar.exe+D7DC10
ShadowOfWar.exe+55AB14 - F3 0F10 8B A8000000   - movss xmm1,[rbx+000000A8]
ShadowOfWar.exe+55AB1C - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+55AB1F - E8 20000000           - call ShadowOfWar.exe+55AB44
ShadowOfWar.exe+55AB24 - 48 8B 5C 24 68        - mov rbx,[rsp+68]
ShadowOfWar.exe+55AB29 - B0 01                 - mov al,01
ShadowOfWar.exe+55AB2B - 0F28 74 24 40         - movaps xmm6,[rsp+40]
ShadowOfWar.exe+55AB30 - 0F28 7C 24 30         - movaps xmm7,[rsp+30]
ShadowOfWar.exe+55AB35 - 48 83 C4 50           - add rsp,50
ShadowOfWar.exe+55AB39 - 5F                    - pop rdi
ShadowOfWar.exe+55AB3A - C3                    - ret
So there's no freakin' need to hook that much code when you can flip 4 BOOLs to 1:



- Focus gets auto-filled and will never get consumed
- Wrath bar gets filled to full and never gets consumed
- Elf-shots auto-get replenished and will replenish to max on each fired shot
- Might is set to full and never gets consumed

Setting them back to 0 will deplete Wrath and the others get back to normal.

BR,
Sun
Does this fix the issue with most other "infinite might" stats where you need to land a hit to use it? It's particularly annoying when using the Vengeance set since it eats my health.
 
stealthcl0wn

Expert Cheater
Fearless Donors
Joined
Jun 18, 2017
Messages
139
To answer my own question; Yes, it does fix said issue. Now if only Raise Dead was affected by having full might...
 
jrubimf

Novice Cheater
Joined
Oct 9, 2017
Messages
24
jrubimf said:
Thank you for this.

How I can get the 100% buff for "playing online".
Jesus Christ, now HOW... It was NOW.

I saw my post quoted on Discord and was wondering why... Really sorry for that SB.
 
sleepylilreapy

Noobzor
Joined
Oct 20, 2017
Messages
5
Game crashes upon pressing num 0, any ideas what could be causing crash?
 
Spectre907

Cheater
Joined
Dec 17, 2017
Messages
28
Does anyone have a backup of what was lost from this thread when SB wiped?
 
APE

What is cheating?
Joined
Sep 24, 2018
Messages
1
Spectre907 said:
Does anyone have a backup of what was lost from this thread when SB wiped?
I know this is old but if someone still needs:
(also I'm new to this community, I couldn't find forum rules, can someone link me there? Hope I don't break rules by replying on an old post)

PLEASE NOTE: I HAVE NOTHING TO DO WITH SUNBEAM, ALL CREDIT GOES TO HIM
this is just a backup of his original post
------------------------------------------
------------------------------------------


Without any further ado:

• show/hide Debug Menu (not functional, for now):
Code:
[ENABLE]

alloc( CheatHandlerThread, 0x1000, ShadowOfWar.exe )
registersymbol( CheatHandlerThread )
CreateThread( CheatHandlerThread )
label( CheatHandlerOff )
registersymbol( CheatHandlerOff )
label( l_CheatHandlerThread )

label( ShowHideDebugMenu )
label( bToggle )

CheatHandlerThread:
sub rsp,28

l_CheatHandlerThread:
mov rcx,A
call Sleep

cmp [CheatHandlerOff],1
jne short @f
  add rsp,28
  mov [CheatHandlerOff],2
  ret
@@:
mov rcx,60 //VK_NUMPAD0
call GetAsyncKeyState
test ax,ax
jne short ShowHideDebugMenu

  jmp short l_CheatHandlerThread

ShowHideDebugMenu:
mov rax,[ShadowOfWar.exe+232B040]
mov rcx,[rax+88]
test rcx,rcx
je short @f
  mov dl,[bToggle]
  //call ShadowOfWar.exe+7C3658
  call ShadowOfWar.exe+7C3678
  xor [bToggle],1
@@:
mov rcx,C8
call Sleep
jmp l_CheatHandlerThread

CheatHandlerOff:
dd 0
bToggle:
db 1

[DISABLE]

{$lua}

if( syntaxcheck == false ) then --actual execution
  local starttime = getTickCount()

  if readInteger( "CheatHandlerOff" ) == 0 then --could be 2 already
    writeInteger( "CheatHandlerOff", 1 ) --tell the thread to kill itself
  end

  while( getTickCount() < starttime + 1000 ) and ( readInteger( "CheatHandlerOff" ) ~= 2 ) do --wait till it has finished
    sleep( 20 )
  end

  if( getTickCount() > starttime + 1000 ) then --could happen when the window is shown
    showMessage( 'Disabling the thread failed!' )
    error( 'Thread disabling failed!' )
  end
  sleep( 1 )
end

{$asm}

unregistersymbol( CheatHandlerOff )
unregistersymbol( CheatHandlerThread )
dealloc( CheatHandlerThread )

/*
ShadowOfWar.exe+183DD98 - 40 53                 - push rbx
ShadowOfWar.exe+183DD9A - 48 83 EC 40           - sub rsp,40 { 64 }
ShadowOfWar.exe+183DD9E - 45 33 C9              - xor r9d,r9d
ShadowOfWar.exe+183DDA1 - 48 8D 05 40D77300     - lea rax,[ShadowOfWar.exe+1F7B4E8] { ["ShowDebugMenu"] }
ShadowOfWar.exe+183DDA8 - 48 89 44 24 28        - mov [rsp+28],rax
ShadowOfWar.exe+183DDAD - 48 8B D9              - mov rbx,rcx
ShadowOfWar.exe+183DDB0 - 48 8D 05 45032100     - lea rax,[ShadowOfWar.exe+1A4E0FC] { ["System"] }
ShadowOfWar.exe+183DDB7 - 48 8B D1              - mov rdx,rcx
ShadowOfWar.exe+183DDBA - 48 8D 4C 24 30        - lea rcx,[rsp+30]
ShadowOfWar.exe+183DDBF - 48 89 44 24 20        - mov [rsp+20],rax
ShadowOfWar.exe+183DDC4 - 45 8D 41 02           - lea r8d,[r9+02]
ShadowOfWar.exe+183DDC8 - E8 BB29A9FE           - call ShadowOfWar.exe+2D0788
ShadowOfWar.exe+183DDCD - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+183DDD0 - E8 EB17CFFE           - call ShadowOfWar.exe+52F5C0
ShadowOfWar.exe+183DDD5 - BA 01000000           - mov edx,00000001 { 1 }
ShadowOfWar.exe+183DDDA - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+183DDDD - 44 8A D0              - mov r10l,al
ShadowOfWar.exe+183DDE0 - E8 8BAFAFFE           - call ShadowOfWar.exe+338D70
ShadowOfWar.exe+183DDE5 - 45 84 D2              - test r10l,r10l
ShadowOfWar.exe+183DDE8 - 74 1C                 - je ShadowOfWar.exe+183DE06
ShadowOfWar.exe+183DDEA - 48 8B 05 4FD2AE00     - mov rax,[ShadowOfWar.exe+232B040] { [291C8F00] }
ShadowOfWar.exe+183DDF1 - 48 8B 88 88000000     - mov rcx,[rax+00000088]
ShadowOfWar.exe+183DDF8 - 48 85 C9              - test rcx,rcx
ShadowOfWar.exe+183DDFB - 74 0E                 - je ShadowOfWar.exe+183DE0B
ShadowOfWar.exe+183DDFD - B2 01                 - mov dl,01 { 1 }
ShadowOfWar.exe+183DDFF - E8 7458F8FE           - call ShadowOfWar.exe+7C3678
ShadowOfWar.exe+183DE04 - EB 05                 - jmp ShadowOfWar.exe+183DE0B
ShadowOfWar.exe+183DE06 - E8 35EBCDFF           - call ShadowOfWar.exe+151C940
ShadowOfWar.exe+183DE0B - 48 8D 4C 24 30        - lea rcx,[rsp+30]
ShadowOfWar.exe+183DE10 - E8 1B34B5FE           - call ShadowOfWar.exe+391230
ShadowOfWar.exe+183DE15 - 33 C0                 - xor eax,eax
ShadowOfWar.exe+183DE17 - 48 83 C4 40           - add rsp,40 { 64 }
ShadowOfWar.exe+183DE1B - 5B                    - pop rbx
ShadowOfWar.exe+183DE1C - C3                    - ret
*/
You also need to set a BYTE at ShadowOfWar.exe+262B405 to 1. Use Numpad 0 to toggle on/off. Preferably in-game, not with menu on (as menu is still usable underneath).






• replenish Elf-shots with this script:
Code:
[ENABLE]

alloc( CheatHandlerThread, 0x1000, ShadowOfWar.exe )
registersymbol( CheatHandlerThread )
CreateThread( CheatHandlerThread )
label( CheatHandlerOff )
registersymbol( CheatHandlerOff )
label( l_CheatHandlerThread )

label( Replenish )
label( bToggle )

CheatHandlerThread:
sub rsp,28

l_CheatHandlerThread:
mov rcx,A
call Sleep

cmp [CheatHandlerOff],1
jne short @f
  add rsp,28
  mov [CheatHandlerOff],2
  ret
@@:
mov rcx,60 //VK_NUMPAD0
call GetAsyncKeyState
test ax,ax
jne short Replenish

  jmp short l_CheatHandlerThread

Replenish:
mov rax,[ShadowOfWar.exe+232AFD0]
mov rdi,[rax+888]
test rdi,rdi
je @f
  mov rcx,[rdi+24B0]
  test rcx,rcx
  je @f
    mov rcx,[rcx+2B0]
    test rcx,rcx
    je @f
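      mov r8d,14 //20 Elf-shots I think is the maximum for a pool stuck in a wall
      mov edi,r8d
      mov r8d,[rcx+98] //value currently stored at [rcx+98]
      add r8d,edi //stored value + 0x14
      mov edx,r8d
      shr edx,1F //edx = sign bit of the sum
      shr edx,1 //CF = sign bit, edx = 0
      sbb edx,edx //edx = 0 - CF: FFFFFFFF if the sum is negative, else 0
      not edx //mask: 0 if the sum is negative, FFFFFFFF otherwise
      and edx,r8d //branchless clamp: edx = max(sum, 0)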
      call ShadowOfWar.exe+5D0C04
@@:
mov rcx,C8
call Sleep
jmp l_CheatHandlerThread

CheatHandlerOff:
dd 0
bToggle:
db 1

[DISABLE]

{$lua}

if( syntaxcheck == false ) then --actual execution
  local starttime = getTickCount()

  if readInteger( "CheatHandlerOff" ) == 0 then --could be 2 already
    writeInteger( "CheatHandlerOff", 1 ) --tell the thread to kill itself
  end

  while( getTickCount() < starttime + 1000 ) and ( readInteger( "CheatHandlerOff" ) ~= 2 ) do --wait till it has finished
    sleep( 20 )
  end

  if( getTickCount() > starttime + 1000 ) then --could happen when the window is shown
    showMessage( 'Disabling the thread failed!' )
    error( 'Thread disabling failed!' )
  end
  sleep( 1 )
end

{$asm}

unregistersymbol( CheatHandlerOff )
unregistersymbol( CheatHandlerThread )
dealloc( CheatHandlerThread )

• the below explains how I've gotten from a certain hook where you can set amount of Gems to Gems' properties:

1. I noticed that if you play around with the Wealth Gems on your equipment, your XP % increases:



That increases from 3% to 33% if I imbue both the Armor and Cape with Perfect Wealth Gems. Time to find out where that % comes from and make it so it boosts XP to 100% or 200% :)

2. I figured out how to change the XP % rate. Value is 0 when no gem's worn. When adding to your Armor/Cape, this is what happens:

- Wealth Gem -> +0.05000000075
- Carved Wealth Gem -> +0.07500000298
- Polished Wealth Gem -> +0.1000000015
- Refined Wealth Gem -> +0.125
- Perfect Wealth Gem -> +0.150000006

If you add them all, you get a 50% increase, but XP is given only to armor type inventory (Armor and Cape).

Now, if both the Armor and Cape are slotted with Wealth gems, the value is the sum of the two being written to my address:


Time to backtrace a bit and see where these values come from. I guess I will find the property of the actual Gem stored in some structure ;) It will be easier to just hijack the stored value than hack the total amount (e.g.: get a Perfect Wealth Gem with 100% XP). Haven't yet tested in-game to see if this works (the effect, I mean).

3. This is my current set-up (no gems set to any slots, 3% default XP% value):



I found that in the process of setting a Perfect Wealth Gem to the Armor's Gem Slot, this happens:
Code:
ShadowOfWar.exe+4E5C65 - 48 8B 0F              - mov rcx,[rdi]
ShadowOfWar.exe+4E5C68 - E8 DB673D01           - call ShadowOfWar.exe+18BC448
ShadowOfWar.exe+4E5C6D - 48 85 C0              - test rax,rax
ShadowOfWar.exe+4E5C70 - 74 1C                 - je ShadowOfWar.exe+4E5C8E
ShadowOfWar.exe+4E5C72 - F3 0F10 57 08         - movss xmm2,[rdi+08] <-- break here and execute with F7
ShadowOfWar.exe+4E5C77 - 48 8B D0              - mov rdx,rax
ShadowOfWar.exe+4E5C7A - 48 8B CE              - mov rcx,rsi
ShadowOfWar.exe+4E5C7D - 40 84 ED              - test bpl,bpl
In my case, RDI == 0x1692C8DC8. Followed in dump:

The highlighted value is 0.150000006 as float.

Now, the 0-pointer leads to a structure where (same as earlier) the pointer at offset 0x20 points to a string:


Thing is this is still a temporary buffer, as when I resume game from debugging, that float is gone from that position. Our goal here is backtracing to the source, where the float is acquired.

Backtraced a bit more and landed in this function:
Code:
ShadowOfWar.exe+188A82C - 48 89 5C 24 08        - mov [rsp+08],rbx
ShadowOfWar.exe+188A831 - 48 89 74 24 10        - mov [rsp+10],rsi
ShadowOfWar.exe+188A836 - 48 89 7C 24 18        - mov [rsp+18],rdi
ShadowOfWar.exe+188A83B - 55                    - push rbp
ShadowOfWar.exe+188A83C - 41 56                 - push r14
ShadowOfWar.exe+188A83E - 41 57                 - push r15
ShadowOfWar.exe+188A840 - 48 8B EC              - mov rbp,rsp
ShadowOfWar.exe+188A843 - 48 83 EC 60           - sub rsp,60 { 96 }
ShadowOfWar.exe+188A847 - 48 8B DA              - mov rbx,rdx
ShadowOfWar.exe+188A84A - 49 8B F0              - mov rsi,r8
ShadowOfWar.exe+188A84D - 49 8B D0              - mov rdx,r8
ShadowOfWar.exe+188A850 - 48 8B F9              - mov rdi,rcx
ShadowOfWar.exe+188A853 - E8 B4FEFFFF           - call ShadowOfWar.exe+188A70C
ShadowOfWar.exe+188A858 - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+188A85B - E8 9CF699FE           - call ShadowOfWar.exe+229EFC
ShadowOfWar.exe+188A860 - 4C 8B F0              - mov r14,rax
ShadowOfWar.exe+188A863 - 48 85 C0              - test rax,rax
ShadowOfWar.exe+188A866 - 0F84 E3000000         - je ShadowOfWar.exe+188A94F
ShadowOfWar.exe+188A86C - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+188A86F - 48 89 5F 18           - mov [rdi+18],rbx
ShadowOfWar.exe+188A873 - E8 48ECBDFF           - call ShadowOfWar.exe+14694C0
ShadowOfWar.exe+188A878 - 49 8B D6              - mov rdx,r14
ShadowOfWar.exe+188A87B - 89 45 38              - mov [rbp+38],eax
ShadowOfWar.exe+188A87E - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A882 - 44 8B F8              - mov r15d,eax
ShadowOfWar.exe+188A885 - E8 9A6FD9FF           - call ShadowOfWar.exe+1621824
ShadowOfWar.exe+188A88A - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A88E - E8 35B594FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A893 - 84 C0                 - test al,al
ShadowOfWar.exe+188A895 - 0F85 9D000000         - jne ShadowOfWar.exe+188A938
ShadowOfWar.exe+188A89B - 8B 5D F8              - mov ebx,[rbp-08]
ShadowOfWar.exe+188A89E - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8A2 - E8 E174D9FF           - call ShadowOfWar.exe+1621D88
ShadowOfWar.exe+188A8A7 - 48 8B C8              - mov rcx,rax
ShadowOfWar.exe+188A8AA - 4C 8B F0              - mov r14,rax
ShadowOfWar.exe+188A8AD - E8 6AAFD9FF           - call ShadowOfWar.exe+162581C
ShadowOfWar.exe+188A8B2 - 48 85 C0              - test rax,rax
ShadowOfWar.exe+188A8B5 - 74 1A                 - je ShadowOfWar.exe+188A8D1
ShadowOfWar.exe+188A8B7 - 48 3B 47 20           - cmp rax,[rdi+20]
ShadowOfWar.exe+188A8BB - 74 14                 - je ShadowOfWar.exe+188A8D1
ShadowOfWar.exe+188A8BD - FF C3                 - inc ebx
ShadowOfWar.exe+188A8BF - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8C3 - 89 5D F8              - mov [rbp-08],ebx
ShadowOfWar.exe+188A8C6 - E8 FDB494FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A8CB - 84 C0                 - test al,al
ShadowOfWar.exe+188A8CD - 74 CF                 - je ShadowOfWar.exe+188A89E
ShadowOfWar.exe+188A8CF - EB 67                 - jmp ShadowOfWar.exe+188A938
ShadowOfWar.exe+188A8D1 - 49 8B D6              - mov rdx,r14
ShadowOfWar.exe+188A8D4 - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8D8 - E8 8B66D9FF           - call ShadowOfWar.exe+1620F68
ShadowOfWar.exe+188A8DD - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8E1 - E8 E2B494FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A8E6 - 84 C0                 - test al,al
ShadowOfWar.exe+188A8E8 - 75 4E                 - jne ShadowOfWar.exe+188A938
ShadowOfWar.exe+188A8EA - 8B 5D F8              - mov ebx,[rbp-08]
ShadowOfWar.exe+188A8ED - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8F1 - E8 B273D9FF           - call ShadowOfWar.exe+1621CA8
ShadowOfWar.exe+188A8F6 - 48 89 45 C8           - mov [rbp-38],rax
ShadowOfWar.exe+188A8FA - 48 85 C0              - test rax,rax
ShadowOfWar.exe+188A8FD - 74 27                 - je ShadowOfWar.exe+188A926
ShadowOfWar.exe+188A8FF - 4C 8D 4D 38           - lea r9,[rbp+38]
ShadowOfWar.exe+188A903 - 4C 8D 45 C8           - lea r8,[rbp-38]
ShadowOfWar.exe+188A907 - 48 8D 4D C0           - lea rcx,[rbp-40]
ShadowOfWar.exe+188A90B - E8 30FAFFFF           - call ShadowOfWar.exe+188A340
ShadowOfWar.exe+188A910 - 48 8D 4F 28           - lea rcx,[rdi+28]
ShadowOfWar.exe+188A914 - 48 8D 55 C0           - lea rdx,[rbp-40]
ShadowOfWar.exe+188A918 - E8 37B7DCFE           - call ShadowOfWar.exe+656054
ShadowOfWar.exe+188A91D - 48 8D 4D C0           - lea rcx,[rbp-40]
ShadowOfWar.exe+188A921 - E8 12B7DCFE           - call ShadowOfWar.exe+656038
ShadowOfWar.exe+188A926 - FF C3                 - inc ebx
ShadowOfWar.exe+188A928 - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A92C - 89 5D F8              - mov [rbp-08],ebx
ShadowOfWar.exe+188A92F - E8 94B494FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A934 - 84 C0                 - test al,al
ShadowOfWar.exe+188A936 - 74 B5                 - je ShadowOfWar.exe+188A8ED
ShadowOfWar.exe+188A938 - 48 85 F6              - test rsi,rsi
ShadowOfWar.exe+188A93B - 74 10                 - je ShadowOfWar.exe+188A94D
ShadowOfWar.exe+188A93D - 45 8B CF              - mov r9d,r15d
ShadowOfWar.exe+188A940 - 4C 8B C6              - mov r8,rsi
ShadowOfWar.exe+188A943 - B2 01                 - mov dl,01 { 1 }
ShadowOfWar.exe+188A945 - 48 8B CF              - mov rcx,rdi
ShadowOfWar.exe+188A948 - E8 7BFEFFFF           - call ShadowOfWar.exe+188A7C8
ShadowOfWar.exe+188A94D - B0 01                 - mov al,01 { 1 }
ShadowOfWar.exe+188A94F - 4C 8D 5C 24 60        - lea r11,[rsp+60]
ShadowOfWar.exe+188A954 - 49 8B 5B 20           - mov rbx,[r11+20]
ShadowOfWar.exe+188A958 - 49 8B 73 28           - mov rsi,[r11+28]
ShadowOfWar.exe+188A95C - 49 8B 7B 30           - mov rdi,[r11+30]
ShadowOfWar.exe+188A960 - 49 8B E3              - mov rsp,r11
ShadowOfWar.exe+188A963 - 41 5F                 - pop r15
ShadowOfWar.exe+188A965 - 41 5E                 - pop r14
ShadowOfWar.exe+188A967 - 5D                    - pop rbp
ShadowOfWar.exe+188A968 - C3                    - ret
Reason I'm mentioning the entire function is this block:

What happens here is the engine iterates through all available slots to find the one you want to fill in. How do I know? Simple. RAX+20 is a pointer leading to the string that tells me what's happening now :) The loop is running and when exiting, this is my RAX: 0x3ADBAE38. Which tells me we're talking about this slot: Socket_4Armor.


Which is the one I'm currently equipping with a Perfect Wealth Gem. Now, to find that blasted Gem property. Be back in a bit.

4. Alright, so I pin-pointed everything to this location:


Keep in mind the highlighted location also breaks when you hover the mouse over a Gem. Which is handy.

Now, going inside the function, led to this spot:



Further on, with 0x3AE482C8 in RCX and passing first CALL, RAX becomes 0x3A8E5730:



Well now, checking the buffer in dump reveals that:



So, having said that and changing value to 0.62, for example, this happens in-game:



I guess you know what you have to do now :p Similarly you can do the red and green ones ;)

5. Had to see what happens when I equip a Perfect Wealth Gem in Cape's Gem Slot:



Further on:



Then leading to this location:



Overall total is temporarily written to the buffer in RBX:



Then this shit is run and a pointer acquired:



And entering last CALL in this function shows that Overall Boosters XP % can easily be acquired via the pointer set in RBX :)



And finally, inside the next CALL, the place where the computed Boosters XP % is written:



There you have it, in a "nutshell" :D Note the above trace-run is done on previous version of the game (not the current exe build), but with slight offsetting (Ctrl+G, go to address, scroll a bit up or down) you can get there.

BR,
Sun



---------------------------------------------
---------------------------------------------
---------------------------------------------
PLEASE NOTE: I HAVE NOTHING TO DO WITH SUNBEAM, ALL CREDIT GOES TO HIM
this is just a backup of his original post
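
The per-gem values in step 2 of the backed-up post and the 0.150000006 read through `movss xmm2,[rdi+08]` in step 3 are what short decimals look like once stored as 32-bit floats. The following is an added example, not part of SunBeam's post or table: it decodes such a value from a buffer and sums the tiers in single precision. The design values, the 16-byte sample buffer and the 10-significant-digit formatting are assumptions made for the illustration.

```python
import struct

# Per-tier XP bonus values exactly as the post lists them.
PAGE_VALUES = {
    "Wealth Gem": "0.05000000075",
    "Carved Wealth Gem": "0.07500000298",
    "Polished Wealth Gem": "0.1000000015",
    "Refined Wealth Gem": "0.125",
    "Perfect Wealth Gem": "0.150000006",
}
# Assumed design values: the short decimals those figures round from.
DESIGN_VALUES = [0.05, 0.075, 0.1, 0.125, 0.15]


def to_f32(x):
    """Round a Python float (binary64) to the nearest binary32 value."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def read_f32(buf, offset):
    """Read a little-endian binary32 at `offset`, as movss xmm2,[rdi+08] does."""
    if offset < 0 or offset + 4 > len(buf):
        raise ValueError("float read outside buffer")
    return struct.unpack_from("<f", buf, offset)[0]


def shown(x):
    """Format with 10 significant digits; this reproduces the post's figures."""
    return "%.10g" % x


def f32_sum(values):
    """Accumulate in single precision, rounding after every addition."""
    total = 0.0
    for v in values:
        total = to_f32(total + to_f32(v))
    return total


# Constructed buffer standing in for the one RDI pointed at: a placeholder
# qword at +0x00 and the Perfect Wealth Gem float (9A 99 19 3E) at +0x08.
SAMPLE = struct.pack("<Q", 0x1122334455667788) + bytes.fromhex("9a99193e") + bytes(4)

if __name__ == "__main__":
    for (name, page), design in zip(PAGE_VALUES.items(), DESIGN_VALUES):
        print(f"{name:20s} {design:<6} -> f32 {shown(to_f32(design)):14s} page {page}")
    print("float at +0x08:", shown(read_f32(SAMPLE, 8)))
    print("all five tiers summed:", shown(f32_sum(DESIGN_VALUES)))
    # Two Perfect gems give 0.30, in line with the 3% -> 33% the post reports.
    print("armor + cape, both Perfect:", shown(f32_sum([0.15, 0.15])))
```
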
 