Far Cry: New Dawn [Engine:Dunia Engine 2]

SunBeam

SunBeam

Administrator
Staff member
Administrator
Joined
Feb 4, 2018
Messages
3,486
[ 19.02.2019 - Update #7]



[+] Added Disable 'Out Of Bounds' Check script. Now you can walk past the map's boundaries :)

Download:
[attachment=0]FarCryNewDawn.CT[/attachment]


BR,
Sun

[ 19.02.2019 - Update #6]

[+] Several fixes.

Download:
[attachment=1]FarCryNewDawn.CT[/attachment]


BR,
Sun

[ 19.02.2019 - Update #5]



[+] Added Super Speed script (with a conditional for grappling hook; annoying, right?)
  • Numpad 4 to decrease Speed value by (float)1.0
  • Numpad 5 to reset Speed to default
  • Numpad 6 to increase Speed value by (float)1.0

Keys can be changed in the CE interface.

Download:
[attachment=2]FarCryNewDawn.CT[/attachment]


BR,
Sun

[ 18.02.2019 - Update #4]

[+] Added Set Quest Reward Amount / Multiplier script

The above should help you with any crafting material as well as Ethanol. How to work with it: enable, set quantity or multiplier, do a quest (capture, re-capture of outpost, bring an ethanol truck to one of your bases, etc.). Although at times you'll see the default notification (e.g.: Ethanolx75), you will however get the amount you set in the table.

Download:
[attachment=3]FarCryNewDawn.CT[/attachment]


BR,
Sun

[ 16.02.2019 - Update #3]

Game Version:
Code:
ChangeList:1485791
Version:MTL-BOWMORE-BIGHORN-72.38
User:svc_compil.sigma
Branch://bowmore-branches/bighorn
Project Name:Bowmore
Time:Thu Feb 14 14:34:34 2019
SDK:N/A
Exec:FC_m64.dll
MD5:N/A
[+] Added Set Pick-Up Quantity script (works just for Components, not lootable dead bodies!)



Download:
[attachment=4]FarCryNewDawn.CT[/attachment]


BR,
Sun

[ 15.02.2019 - Update #2]

[+] Added Free Perk Points script

Download:
[attachment=5]FarCryNewDawn.CT[/attachment]


BR,
Sun

[ 15.02.2019 - Update #1]

[+] Added Stealth (just visual; you can still be heard!).

Download:
[attachment=6]FarCryNewDawn.CT[/attachment]


BR,
Sun

[ 15.02.2019 - First Release]

Hello folks.

Here's a starter table for the game:



And a little demo video:

https://www.youtube.com/watch?v=3D7wewrmMBo

Download:
[attachment=7]FarCryNewDawn.CT[/attachment]


BR,
Sun

P.S.: Ask any questions you might have.


How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1
 

budabum

Expert Cheater
Joined
Nov 28, 2017
Messages
356
no fall blur, nice. like it very much.
but no for me this time, i'm done with FR. 5th part killed my inspiration by FR. :(
 
SunBeam

^ Same here. My table was purely copy-pasta of the FC5 one (just had to find the same spots in the New Dawn DLL). Nothing else though. Might do an "ignore Perk points" option; perhaps also figure where the hell and in which form the points are stored (cuz the visual != real value).
 
jonasbeckman

Expert Cheater
Joined
May 6, 2017
Messages
300
Oh nice already out on UPlay then, this is going to be a fun one. :)

EDIT: And I suppose this one doesn't bother with using EAC, nice!
EDIT: No I think I misread the above reply. It does have that since it mentions .dll checks.

EDIT: No that's for other stuff not the EAC .dll bypass since that would use a .dll too in addition to the CE table.
 
SunBeam

No EAC in this one. Guess they've learned their lesson. And also added "Esc" on those intro movies, so you can easily skip them now :D I have a feeling Perks and Ethanol are encrypted (you can find the visual value via 4-byte searching, but it won't help yer arse; it's not the real value). Not gonna say anything about Far Cry Coins yet (although I think they obviously are server sided).

Challenge accepted! :) Will tell you later if "achievement unlocked" :D
 
SunBeam

So this is the function running when you click on a Perk and want to purchase it:
Code:
FC_m64.dll+12478FC0 - 40 53                 - push rbx
FC_m64.dll+12478FC2 - 56                    - push rsi
FC_m64.dll+12478FC3 - 48 83 EC 48           - sub rsp,48 { 72 }
FC_m64.dll+12478FC7 - 8B 91 D8010000        - mov edx,[rcx+000001D8]
FC_m64.dll+12478FCD - 48 89 CE              - mov rsi,rcx
FC_m64.dll+12478FD0 - 48 81 C1 C8010000     - add rcx,000001C8 { 456 }
FC_m64.dll+12478FD7 - E8 449130EF           - call FC_m64.dll+1782120
FC_m64.dll+12478FDC - 84 C0                 - test al,al
FC_m64.dll+12478FDE - 0F84 E0000000         - je FC_m64.dll+124790C4
FC_m64.dll+12478FE4 - BA 2A000000           - mov edx,0000002A { 42 }
FC_m64.dll+12478FE9 - 48 89 7C 24 40        - mov [rsp+40],rdi
FC_m64.dll+12478FEE - 48 8D 4C 24 78        - lea rcx,[rsp+78]
FC_m64.dll+12478FF3 - E8 289206F0           - call FC_m64.dll+24E2220
FC_m64.dll+12478FF8 - 48 8D 4C 24 60        - lea rcx,[rsp+60]
FC_m64.dll+12478FFD - E8 4E9DCFED           - call FC_m64.dll+172D50
FC_m64.dll+12479002 - 48 8D 4C 24 28        - lea rcx,[rsp+28]
FC_m64.dll+12479007 - 88 44 24 60           - mov [rsp+60],al
FC_m64.dll+1247900B - E8 409DCFED           - call FC_m64.dll+172D50
FC_m64.dll+12479010 - 48 8D 15 31D9A7F2     - lea rdx,[FC_m64.dll+4EF6948] { (0) }
FC_m64.dll+12479017 - 88 44 24 28           - mov [rsp+28],al
FC_m64.dll+1247901B - 48 8D 4C 24 28        - lea rcx,[rsp+28]
FC_m64.dll+12479020 - 48 C7 44 24 30 00000000 - mov qword ptr [rsp+30],00000000 { 0 }
FC_m64.dll+12479029 - E8 0287CDED           - call FC_m64.dll+151730
FC_m64.dll+1247902E - 48 8B 8E 48020000     - mov rcx,[rsi+00000248]
FC_m64.dll+12479035 - 48 8D 54 24 28        - lea rdx,[rsp+28]
FC_m64.dll+1247903A - E8 4135DAEF           - call FC_m64.dll+221C580
FC_m64.dll+1247903F - 48 8B 4C 24 30        - mov rcx,[rsp+30]
FC_m64.dll+12479044 - 48 85 C9              - test rcx,rcx
FC_m64.dll+12479047 - 74 25                 - je FC_m64.dll+1247906E
FC_m64.dll+12479049 - 83 C8 FF              - or eax,-01 { 255 }
FC_m64.dll+1247904C - F0 0FC1 41 08         - lock xadd [rcx+08],eax
FC_m64.dll+12479051 - 83 F8 01              - cmp eax,01 { 1 }
FC_m64.dll+12479054 - 75 18                 - jne FC_m64.dll+1247906E
FC_m64.dll+12479056 - 80 7C 24 28 00        - cmp byte ptr [rsp+28],00 { 0 }
FC_m64.dll+1247905B - 48 8B 4C 24 30        - mov rcx,[rsp+30]
FC_m64.dll+12479060 - 74 07                 - je FC_m64.dll+12479069
FC_m64.dll+12479062 - E8 2917D0ED           - call FC_m64.dll+17A790
FC_m64.dll+12479067 - EB 05                 - jmp FC_m64.dll+1247906E
FC_m64.dll+12479069 - E8 A2A9D0ED           - call FC_m64.dll+183A10
FC_m64.dll+1247906E - 8B 86 D8010000        - mov eax,[rsi+000001D8]
FC_m64.dll+12479074 - 48 8D 0C C0           - lea rcx,[rax+rax*8]
FC_m64.dll+12479078 - 48 8B 86 C8010000     - mov rax,[rsi+000001C8]
FC_m64.dll+1247907F - 48 8D 3C C8           - lea rdi,[rax+rcx*8]
FC_m64.dll+12479083 - 8B 04 C8              - mov eax,[rax+rcx*8]
FC_m64.dll+12479086 - 48 8D 4C 24 70        - lea rcx,[rsp+70]
FC_m64.dll+1247908B - 89 44 24 70           - mov [rsp+70],eax
FC_m64.dll+1247908F - E8 DC3931EF           - call FC_m64.dll+178CA70
FC_m64.dll+12479094 - B9 01000000           - mov ecx,00000001 { 1 }
FC_m64.dll+12479099 - 89 C3                 - mov ebx,eax
FC_m64.dll+1247909B - E8 703C31EF           - call FC_m64.dll+178CD10
FC_m64.dll+124790A0 - 48 8B 8E C0010000     - mov rcx,[rsi+000001C0]
FC_m64.dll+124790A7 - 39 C3                 - cmp ebx,eax
FC_m64.dll+124790A9 - 0F94 D2               - sete dl
FC_m64.dll+124790AC - 83 7F 04 04           - cmp dword ptr [rdi+04],04 { 4 }
FC_m64.dll+124790B0 - 41 0F94 D0            - sete r8l
FC_m64.dll+124790B4 - 48 8B 7C 24 40        - mov rdi,[rsp+40]
FC_m64.dll+124790B9 - 48 83 C4 48           - add rsp,48 { 72 }
FC_m64.dll+124790BD - 5E                    - pop rsi
FC_m64.dll+124790BE - 5B                    - pop rbx
FC_m64.dll+124790BF - E9 1C07D6EF           - jmp FC_m64.dll+21D97E0
FC_m64.dll+124790C4 - BA 29000000           - mov edx,00000029 { 41 }
FC_m64.dll+124790C9 - 48 8D 4C 24 20        - lea rcx,[rsp+20]
FC_m64.dll+124790CE - E8 4D9106F0           - call FC_m64.dll+24E2220
FC_m64.dll+124790D3 - 48 8B 8E C0010000     - mov rcx,[rsi+000001C0]
FC_m64.dll+124790DA - E8 8107D6EF           - call FC_m64.dll+21D9860
FC_m64.dll+124790DF - 8B 86 D8010000        - mov eax,[rsi+000001D8]
FC_m64.dll+124790E5 - 48 8D 0C C0           - lea rcx,[rax+rax*8]
FC_m64.dll+124790E9 - 48 8B 86 C8010000     - mov rax,[rsi+000001C8]
FC_m64.dll+124790F0 - 8B 4C C8 04           - mov ecx,[rax+rcx*8+04]
FC_m64.dll+124790F4 - E8 A76531EF           - call FC_m64.dll+178F6A0
FC_m64.dll+124790F9 - 84 C0                 - test al,al
FC_m64.dll+124790FB - 74 0C                 - je FC_m64.dll+12479109
FC_m64.dll+124790FD - 48 8B 8E C0010000     - mov rcx,[rsi+000001C0]
FC_m64.dll+12479104 - E8 8707D6EF           - call FC_m64.dll+21D9890
FC_m64.dll+12479109 - 48 83 C4 48           - add rsp,48 { 72 }
FC_m64.dll+1247910D - 5E                    - pop rsi
FC_m64.dll+1247910E - 5B                    - pop rbx
FC_m64.dll+1247910F - C3                    - ret
OK. So I first took a look at "mov edx,[rcx+000001D8]". Put a break on access, then hovered mouse over a Perk pictograph. And got this piece of code:
Code:
FC_m64.dll+124B2C34 - 44 89 AE D8010000     - mov [rsi+000001D8],r13d
Now.. if you do "find out what addresses this instruction accesses", then hover mouse over each Perk, one by one, you'll see r13d turning to these values:



What this means is every Perk that doesn't have a dependency will be "labeled" 0. Perks that require the previous one unlocked will go +1. So, for example, on the line before last the first 3 Perks are sequential. You need to unlock them one by one, from left to right. First one is "0", second one is "1", last one in the chain is "2" (in terms of ids).

Now.. if I want to purchase "Outdoor Enthusiast" (top-right one), I notice that it costs 7 points. I only have 3.



So this run-down happens when I click on it:
Code:
00007FFD0C468FC0 | 40:53              | PUSH RBX                             |
00007FFD0C468FC2 | 56                 | PUSH RSI                             |
00007FFD0C468FC3 | 48:83EC 48         | SUB RSP,48                           |
00007FFD0C468FC7 | 8B91 D8010000      | MOV EDX,DWORD PTR DS:[RCX+1D8]       | RCX == CFCXUILogicPerkDetailsPanel
00007FFD0C468FCD | 48:89CE            | MOV RSI,RCX                          |
00007FFD0C468FD0 | 48:81C1 C8010000   | ADD RCX,1C8                          |
00007FFD0C468FD7 | E8 449130EF        | CALL fc_m64.7FFCFB772120             | <-- F7

[CALL]
00007FFD08B8E0B0 | 40:56              | PUSH RSI                             |
00007FFD08B8E0B2 | 48:83EC 20         | SUB RSP,20                           |
00007FFD08B8E0B6 | 4C:8B01            | MOV R8,QWORD PTR DS:[RCX]            | [RCX]=[000001D62B1E9A38]=000001D5BC5710A0
00007FFD08B8E0B9 | 89D0               | MOV EAX,EDX                          | our ID
00007FFD08B8E0BB | 48:8D0CC0          | LEA RCX,QWORD PTR DS:[RAX+RAX*8]     | 1+1*8 = 9
00007FFD08B8E0BF | 41:8B44C8 04       | MOV EAX,DWORD PTR DS:[R8+RCX*8+4]    | [000001D5BC5710A0+9*8+4]=2
00007FFD08B8E0C4 | 49:8D34C8          | LEA RSI,QWORD PTR DS:[R8+RCX*8]      | 000001D5BC5710E8
00007FFD08B8E0C8 | 83C0 FE            | ADD EAX,FFFFFFFE                     |
00007FFD08B8E0CB | A9 FDFFFFFF        | TEST EAX,FFFFFFFD                    |
00007FFD08B8E0D0 | 74 08              | JE fc_m64.7FFD08B8E0DA               |
00007FFD08B8E0D2 | 30C0               | XOR AL,AL                            |
00007FFD08B8E0D4 | 48:83C4 20         | ADD RSP,20                           |
00007FFD08B8E0D8 | 5E                 | POP RSI                              |
00007FFD08B8E0D9 | C3                 | RET                                  |
00007FFD08B8E0DA | 85D2               | TEST EDX,EDX                         |
00007FFD08B8E0DC | 74 14              | JE fc_m64.7FFD08B8E0F2               |
00007FFD08B8E0DE | 8D42 FF            | LEA EAX,QWORD PTR DS:[RDX-1]         |
00007FFD08B8E0E1 | 48:8D04C0          | LEA RAX,QWORD PTR DS:[RAX+RAX*8]     |
00007FFD08B8E0E5 | 41:8B4CC0 04       | MOV ECX,DWORD PTR DS:[R8+RAX*8+4]    | [000001D5BC5710E8+0*8+4]=3
00007FFD08B8E0EA | 83E9 03            | SUB ECX,3                            |
00007FFD08B8E0ED | 83F9 01            | CMP ECX,1                            |
00007FFD08B8E0F0 | 77 E0              | JA fc_m64.7FFD08B8E0D2               |
00007FFD08B8E0F2 | 48:8B0D 1FDD24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  |
00007FFD08B8E0F9 | 48:8D15 A01B28F6   | LEA RDX,QWORD PTR DS:[7FFCFEE0FCA0]  |
00007FFD08B8E100 | 48:895C24 30       | MOV QWORD PTR SS:[RSP+30],RBX        |
00007FFD08B8E105 | 48:897C24 38       | MOV QWORD PTR SS:[RSP+38],RDI        |
00007FFD08B8E10A | E8 B113D0F1        | CALL fc_m64.7FFCFA88F4C0             |
00007FFD08B8E10F | 48:8B0D 02DD24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  |
00007FFD08B8E116 | 48:89C2            | MOV RDX,RAX                          |
00007FFD08B8E119 | 48:89C7            | MOV RDI,RAX                          |
00007FFD08B8E11C | E8 0FE2CEF1        | CALL fc_m64.7FFCFA87C330             |
00007FFD08B8E121 | 48:8B0D F0DC24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  |
00007FFD08B8E128 | 48:89FA            | MOV RDX,RDI                          |
00007FFD08B8E12B | E8 906DCFF1        | CALL fc_m64.7FFCFA884EC0             |
00007FFD08B8E130 | 48:8B0D E1DC24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  | RAX=000001D5C6AE9E5C->[RAX]=3
00007FFD08B8E137 | 48:89FA            | MOV RDX,RDI                          |
00007FFD08B8E13A | 48:89C3            | MOV RBX,RAX                          |
00007FFD08B8E13D | E8 0E3ACFF1        | CALL fc_m64.7FFCFA881B50             |
00007FFD08B8E142 | 837E 04 04         | CMP DWORD PTR DS:[RSI+4],4           |
00007FFD08B8E146 | 48:8B7C24 38       | MOV RDI,QWORD PTR SS:[RSP+38]        |
00007FFD08B8E14B | 75 13              | JNE fc_m64.7FFD08B8E160              |
00007FFD08B8E14D | 8B46 0C            | MOV EAX,DWORD PTR DS:[RSI+C]         |
00007FFD08B8E150 | 3903               | CMP DWORD PTR DS:[RBX],EAX           |
00007FFD08B8E152 | 48:8B5C24 30       | MOV RBX,QWORD PTR SS:[RSP+30]        |
00007FFD08B8E157 | 0F93D0             | SETAE AL                             |
00007FFD08B8E15A | 48:83C4 20         | ADD RSP,20                           |
00007FFD08B8E15E | 5E                 | POP RSI                              |
00007FFD08B8E15F | C3                 | RET                                  |
00007FFD08B8E160 | 8B46 08            | MOV EAX,DWORD PTR DS:[RSI+8]         | RAX=[RSI+8]=[000001D5BC5710E8+8]=7
00007FFD08B8E163 | 3903               | CMP DWORD PTR DS:[RBX],EAX           | [RBX]=[000001D5C6AE9E5C]=3 vs. 7
00007FFD08B8E165 | 48:8B5C24 30       | MOV RBX,QWORD PTR SS:[RSP+30]        |
00007FFD08B8E16A | 0F93D0             | SETAE AL                             | AL is set to 0 cuz of the above CMP
00007FFD08B8E16D | 48:83C4 20         | ADD RSP,20                           |
00007FFD08B8E171 | 5E                 | POP RSI                              |
00007FFD08B8E172 | C3                 | RET                                  |
[/CALL]

00007FFD0C468FDC | 84C0               | TEST AL,AL                           | <-- this will fail
00007FFD0C468FDE | 0F84 E0000000      | JE fc_m64.7FFD0C4690C4               | <-- taken; the red clipping text animation occurs
In short, as long as we don't have the required amount of Perks, the function is not taken. Another thing I tested is if the "transaction" happens in this function, by RET-ing its prologue. Turns out it is ;) Which made me go in-depth studying it.

Hope we get to a useful conclusion after all of this run-down :p
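The check inside the [CALL] traced above, written out in C as a reading aid. This is an added example, not code from the post or from the game: the field names, the `points` parameter (the listing fetches the balance through three calls on a global) and the table contents in `check_constructed` are assumptions, with only the offsets, the 0x48 stride and the 3-vs-7 case taken from the listing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One table entry. LEA RCX,[RAX+RAX*8] followed by [R8+RCX*8+off] gives a
 * stride of 9*8 = 0x48 bytes. Field names are hypothetical; only the
 * offsets come from the listing. */
typedef struct {
    uint32_t unk_00;           /* +0x00 */
    uint32_t state;            /* +0x04: tested against 2/4 and 3/4 */
    uint32_t cost;             /* +0x08: compared when state != 4 */
    uint32_t cost_alt;         /* +0x0C: compared when state == 4 */
    uint8_t  pad[0x48 - 0x10]; /* rest of the entry, not touched here */
} PerkEntry;

_Static_assert(sizeof(PerkEntry) == 0x48, "stride must be 9*8 bytes");

/* Mirrors the control flow of the traced CALL. `points` stands in for the
 * value read through [RBX] (3 in the post's run). */
bool perk_can_purchase(const PerkEntry *table, uint32_t id, uint32_t points)
{
    const PerkEntry *e = &table[id];

    /* ADD EAX,FFFFFFFE ; TEST EAX,FFFFFFFD ; JE
     * (state - 2) with bit 1 masked off is zero only for state 2 or 4. */
    if (((e->state - 2u) & 0xFFFFFFFDu) != 0)
        return false;                      /* XOR AL,AL ; RET */

    /* TEST EDX,EDX ; JE: id 0 has no predecessor to look at. */
    if (id != 0) {
        /* SUB ECX,3 ; CMP ECX,1 ; JA: one unsigned compare that accepts
         * only predecessor state 3 or 4 (0..2 wrap around to huge values). */
        if (table[id - 1].state - 3u > 1u)
            return false;
    }

    /* CMP [RSI+4],4 ; JNE picks +8, fall-through picks +C.
     * CMP [RBX],EAX ; SETAE AL is an unsigned "points >= required". */
    uint32_t required = (e->state == 4) ? e->cost_alt : e->cost;
    return points >= required;
}

/* Constructed two-entry table for trying the function out: both entries
 * cost 7 (the value in the post) and use a made-up cost_alt of 10. */
bool check_constructed(uint32_t id, uint32_t state0, uint32_t state1,
                       uint32_t points)
{
    PerkEntry table[2] = {0};
    table[0].state = state0; table[0].cost = 7; table[0].cost_alt = 10;
    table[1].state = state1; table[1].cost = 7; table[1].cost_alt = 10;
    return perk_can_purchase(table, id, points);
}

int main(void)
{
    /* The run from the post: id 1, state 2, predecessor state 3, 3 points. */
    printf("3 points vs cost 7 -> AL=%d\n", check_constructed(1, 3, 2, 3));
    printf("7 points vs cost 7 -> AL=%d\n", check_constructed(1, 3, 2, 7));
    printf("predecessor state 2 -> AL=%d\n", check_constructed(1, 2, 2, 7));
    return 0;
}
```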
 
SunBeam

So I stopped doing the above and took a completely different approach: I decided to see who writes to the display value when I pick-up a Perk from a bunker (fastest way to try this out). And found this location triggering:
Code:
FC_m64.dll+EC53714 - 41 89 07              - mov [r15],eax <--
FC_m64.dll+EC53717 - 48 8B 56 18           - mov rdx,[rsi+18]
FC_m64.dll+EC5371B - 48 8B 0D F68619F6     - mov rcx,[FC_m64.dll+4DEBE18]
FC_m64.dll+EC53722 - E8 A9E5C3F1           - call FC_m64.dll+891CD0
FC_m64.dll+EC53727 - 48 8B 0D EA8619F6     - mov rcx,[FC_m64.dll+4DEBE18]
Then I noticed the function that MOV is part of is called from multiple locations (so it's a generic function). Therefore, I had to use conditional breakpoints (break as long as R15 == my address). Did this in x64dbg and back-tracing led me to this nice spot:
Code:
00007FFD0B325369 | 48:8B57 08        | MOV RDX,QWORD PTR DS:[RDI+8]         |
00007FFD0B32536D | 4C:8D4424 28      | LEA R8,QWORD PTR SS:[RSP+28]         |
00007FFD0B325372 | 48:8B87 90020000  | MOV RAX,QWORD PTR DS:[RDI+290]       |
00007FFD0B325379 | 45:89F9           | MOV R9D,R15D                         | if 0x1, then Reward Item
00007FFD0B32537C | 48:894424 28      | MOV QWORD PTR SS:[RSP+28],RAX        |
00007FFD0B325381 | 48:8B12           | MOV RDX,QWORD PTR DS:[RDX]           |
00007FFD0B325384 | E8 67356AF0       | CALL fc_m64.7FFCFB9C88F0             | <-- enter CALL

[CALL]
00007FFCFB9C88F0 | 45:85C9           | TEST R9D,R9D                         |
00007FFCFB9C88F3 | 0F84 9B000000     | JE fc_m64.7FFCFB9C8994               |
00007FFCFB9C88F9 | 48:895424 10      | MOV QWORD PTR SS:[RSP+10],RDX        |
00007FFCFB9C88FE | 53                | PUSH RBX                             |
00007FFCFB9C88FF | 48:83EC 50        | SUB RSP,50                           |
00007FFCFB9C8903 | 33C0              | XOR EAX,EAX                          |
00007FFCFB9C8905 | 48:897C24 60      | MOV QWORD PTR SS:[RSP+60],RDI        |
00007FFCFB9C890A | 41:8BD9           | MOV EBX,R9D                          |
00007FFCFB9C890D | 894424 38         | MOV DWORD PTR SS:[RSP+38],EAX        |
00007FFCFB9C8911 | 894424 40         | MOV DWORD PTR SS:[RSP+40],EAX        |
00007FFCFB9C8915 | 48:8D3D 5C442903  | LEA RDI,QWORD PTR DS:[7FFCFEC5CD78]  |
00007FFCFB9C891C | 49:8B00           | MOV RAX,QWORD PTR DS:[R8]            |
00007FFCFB9C891F | 8BD3              | MOV EDX,EBX                          |
00007FFCFB9C8921 | 4C:8D4424 20      | LEA R8,QWORD PTR SS:[RSP+20]         |
00007FFCFB9C8926 | 48:894424 30      | MOV QWORD PTR SS:[RSP+30],RAX        |
00007FFCFB9C892B | C74424 20 05000000| MOV DWORD PTR SS:[RSP+20],5          |
00007FFCFB9C8933 | 48:897C24 28      | MOV QWORD PTR SS:[RSP+28],RDI        |
00007FFCFB9C8938 | 895C24 3C         | MOV DWORD PTR SS:[RSP+3C],EBX        |
00007FFCFB9C893C | E8 BFCBFEFF       | CALL fc_m64.7FFCFB9B5500             |
00007FFCFB9C8941 | 33D2              | XOR EDX,EDX                          |
00007FFCFB9C8943 | 8D4A 78           | LEA ECX,QWORD PTR DS:[RDX+78]        |
00007FFCFB9C8946 | E8 C5317BFE       | CALL fc_m64.7FFCFA17BB10             |
00007FFCFB9C894B | 4C:8B4424 68      | MOV R8,QWORD PTR SS:[RSP+68]         |
00007FFCFB9C8950 | 8BD3              | MOV EDX,EBX                          |
00007FFCFB9C8952 | 48:8BC8           | MOV RCX,RAX                          |
00007FFCFB9C8955 | E8 36A4C6FF       | CALL fc_m64.7FFCFB632D90             |
00007FFCFB9C895A | 4C:8D05 7783A402  | LEA R8,QWORD PTR DS:[7FFCFE410CD8]   | 00007FFCFE410CD8:"ProcessLootItemReward"
00007FFCFB9C8961 | 48:8BD0           | MOV RDX,RAX                          |
00007FFCFB9C8964 | B9 19000000       | MOV ECX,19                           |
00007FFCFB9C8969 | E8 E264DAFF       | CALL fc_m64.7FFCFB76EE50             |
00007FFCFB9C896E | 48:8B4C24 28      | MOV RCX,QWORD PTR SS:[RSP+28]        |
00007FFCFB9C8973 | 48:3BCF           | CMP RCX,RDI                          |
00007FFCFB9C8976 | 48:8B7C24 60      | MOV RDI,QWORD PTR SS:[RSP+60]        |
00007FFCFB9C897B | 74 12             | JE fc_m64.7FFCFB9C898F               |
00007FFCFB9C897D | 83C8 FF           | OR EAX,FFFFFFFF                      |
00007FFCFB9C8980 | F0:0FC141 08      | LOCK XADD DWORD PTR DS:[RCX+8],EAX   |
00007FFCFB9C8985 | 83F8 01           | CMP EAX,1                            |
00007FFCFB9C8988 | 75 05             | JNE fc_m64.7FFCFB9C898F              |
00007FFCFB9C898A | E8 51AF83FE       | CALL fc_m64.7FFCFA2038E0             |
00007FFCFB9C898F | 48:83C4 50        | ADD RSP,50                           |
00007FFCFB9C8993 | 5B                | POP RBX                              |
00007FFCFB9C8994 | C3                | RET                                  |
[/CALL]
See that "ProcessLootItemReward" string reference? Gee, I wonder what's up with it placed like that dead in the open :p

Furthermore, I noticed this function (FC_m64.dll+19D88F0) is called anytime you pick something up. However, the Perks are given only when the loot is of "Perk" type. And that is checked here:
Code:
FC_m64.dll+19D88F0 - 45 85 C9              - test r9d,r9d
FC_m64.dll+19D88F3 - 0F84 9B000000         - je FC_m64.dll+19D8994 <--
Guess what happens if you NOP that JE or set R9D to 0x1? :D Anything you pick-up will give you 1 Perk point :p

BR,
Sun
 
SunBeam

And yes.. like I said.. the values are encrypted :) As soon as you start tracing into the function, past the TEST R9D,R9D.. you'll get into something like this:
Code:
FC_m64.dll+19D893C - E8 BFCBFEFF           - call FC_m64.dll+19C5500 <-- enter CALL1
FC_m64.dll+19D8941 - 33 D2                 - xor edx,edx
FC_m64.dll+19D8943 - 8D 4A 78              - lea ecx,[rdx+78]
FC_m64.dll+19D8946 - E8 C5317BFE           - call FC_m64.dll+18BB10
FC_m64.dll+19D894B - 4C 8B 44 24 68        - mov r8,[rsp+68]
FC_m64.dll+19D8950 - 8B D3                 - mov edx,ebx
FC_m64.dll+19D8952 - 48 8B C8              - mov rcx,rax
FC_m64.dll+19D8955 - E8 36A4C6FF           - call FC_m64.dll+1642D90
FC_m64.dll+19D895A - 4C 8D 05 7783A402     - lea r8,[FC_m64.dll+4420CD8] { ("ProcessLootItemReward") }

[CALL1]
FC_m64.dll+F7D7E70 - 48 89 5C 24 18        - mov [rsp+18],rbx
FC_m64.dll+F7D7E75 - 48 89 74 24 20        - mov [rsp+20],rsi
FC_m64.dll+F7D7E7A - 55                    - push rbp
FC_m64.dll+F7D7E7B - 57                    - push rdi
FC_m64.dll+F7D7E7C - 41 56                 - push r14
FC_m64.dll+F7D7E7E - 48 89 E5              - mov rbp,rsp
FC_m64.dll+F7D7E81 - 48 83 EC 60           - sub rsp,60 { 96 }
FC_m64.dll+F7D7E85 - 48 8D B1 D0000000     - lea rsi,[rcx+000000D0]
FC_m64.dll+F7D7E8C - 89 55 28              - mov [rbp+28],edx
FC_m64.dll+F7D7E8F - 4C 89 C7              - mov rdi,r8
FC_m64.dll+F7D7E92 - 4C 8D 4D 28           - lea r9,[rbp+28]
FC_m64.dll+F7D7E96 - 41 89 D6              - mov r14d,edx
FC_m64.dll+F7D7E99 - 4C 8D 05 B0011CF2     - lea r8,[FC_m64.dll+1998050] { (-795173911) }
FC_m64.dll+F7D7EA0 - 48 89 CB              - mov rbx,rcx
FC_m64.dll+F7D7EA3 - 48 8D 55 20           - lea rdx,[rbp+20]
FC_m64.dll+F7D7EA7 - 48 89 F1              - mov rcx,rsi
FC_m64.dll+F7D7EAA - E8 11B987F4           - call FC_m64.dll+40537C0 <-- check this CALL2
[/CALL1]

[CALL2]
FC_m64.dll+40537C0 - E9 7B433816           - jmp FC_m64.dll+1A3D7B40
..
FC_m64.dll+1A3D7B40 - E9 3A683701           - jmp FC_m64.dll+1B74E37F
..
FC_m64.dll+1B74E37F - 68 4368A6CA           - push CAA66843 { -895063997 }
FC_m64.dll+1B74E384 - E8 D11DF5FF           - call FC_m64.dll+1B6A015A
FC_m64.dll+1B74E389 - 4C 2B 07              - sub r8,[rdi]
FC_m64.dll+1B74E38C - 7A BA                 - jp FC_m64.dll+1B74E348
FC_m64.dll+1B74E38E - 21 AC 37 BEA3B996     - and [rdi+rsi-69465C42],ebp
FC_m64.dll+1B74E395 - 53                    - push rbx
FC_m64.dll+1B74E396 - F0 0FB0 4B 28         - lock cmpxchg [rbx+28],cl
FC_m64.dll+1B74E39B - 68 E29DDC44           - push 44DC9DE2 { 1764.93 }
FC_m64.dll+1B74E3A0 - E8 4288F8FF           - call FC_m64.dll+1B6D6BE7
FC_m64.dll+1B74E3A5 - F3 90                 - repe nop 
[/CALL2]
And that, my friends, in CALL2 is Denuvo (or shall we say, VMProtect) mutated/virtualized code :)

BR,
Sun
 
supMarco

Expert Cheater
Table Maker
Joined
May 22, 2017
Messages
68
good shit :p
 
SunBeam

Can also tell you that if you don't execute this CALL, you won't get a Perk:
Code:
00007FFCFB9C8938 | 895C24 3C         | MOV DWORD PTR SS:[RSP+3C],EBX      |
00007FFCFB9C893C | E8 BFCBFEFF       | CALL fc_m64.7FFCFB9B5500           | <--
00007FFCFB9C8941 | 33D2              | XOR EDX,EDX                        |
00007FFCFB9C8943 | 8D4A 78           | LEA ECX,QWORD PTR DS:[RDX+78]      |
00007FFCFB9C8946 | E8 C5317BFE       | CALL fc_m64.7FFCFA17BB10           |
00007FFCFB9C894B | 4C:8B4424 68      | MOV R8,QWORD PTR SS:[RSP+68]       |
00007FFCFB9C8950 | 8BD3              | MOV EDX,EBX                        |
00007FFCFB9C8952 | 48:8BC8           | MOV RCX,RAX                        |
00007FFCFB9C8955 | E8 36A4C6FF       | CALL fc_m64.7FFCFB632D90           |
00007FFCFB9C895A | 4C:8D05 7783A402  | LEA R8,QWORD PTR DS:[7FFCFE410CD8] | 00007FFCFE410CD8:"ProcessLootItemReward"
00007FFCFB9C8961 | 48:8BD0           | MOV RDX,RAX                        |
00007FFCFB9C8964 | B9 19000000       | MOV ECX,19                         |
00007FFCFB9C8969 | E8 E264DAFF       | CALL fc_m64.7FFCFB76EE50           |
00007FFCFB9C896E | 48:8B4C24 28      | MOV RCX,QWORD PTR SS:[RSP+28]      |
00007FFCFB9C8973 | 48:3BCF           | CMP RCX,RDI                        |
00007FFCFB9C8976 | 48:8B7C24 60      | MOV RDI,QWORD PTR SS:[RSP+60]      |
00007FFCFB9C897B | 74 12             | JE fc_m64.7FFCFB9C898F             |
00007FFCFB9C897D | 83C8 FF           | OR EAX,FFFFFFFF                    |
00007FFCFB9C8980 | F0:0FC141 08      | LOCK XADD DWORD PTR DS:[RCX+8],EAX |
00007FFCFB9C8985 | 83F8 01           | CMP EAX,1                          |
00007FFCFB9C8988 | 75 05             | JNE fc_m64.7FFCFB9C898F            |
00007FFCFB9C898A | E8 51AF83FE       | CALL fc_m64.7FFCFA2038E0           |
00007FFCFB9C898F | 48:83C4 50        | ADD RSP,50                         |
00007FFCFB9C8993 | 5B                | POP RBX                            |
00007FFCFB9C8994 | C3                | RET                                |
Had a test-run right now, RET-ing it.

Sooo.. it's all in there ;)

Now I'm curious if the same function is run when you get Ethanol; cuz if that's the case, then it's only a matter of adjusting the input parameters :) And yes, the function doesn't break when you pick-up Far Cry Coins.. so.. server-sided (or another branch of the pick-up function), as I was saying.

Let me sum up the run-down logic in another post ;)

BR,
Sun
 
SunBeam

Yeah, I can confirm the same function is used for Ethanol. Here's the nice full run-down:
Code:
00007FFD0B325150 | 48:89E0                 | MOV RAX,RSP                          | RCX = __this = CFCXPickupItem; R11 = pszPickupEvent
00007FFD0B325153 | 53                      | PUSH RBX                             |
00007FFD0B325154 | 48:81EC A0000000        | SUB RSP,A0                           |
00007FFD0B32515B | 48:8968 08              | MOV QWORD PTR DS:[RAX+8],RBP         |
00007FFD0B32515F | 48:8970 18              | MOV QWORD PTR DS:[RAX+18],RSI        |
00007FFD0B325163 | 48:89D6                 | MOV RSI,RDX                          |
00007FFD0B325166 | 48:8978 F0              | MOV QWORD PTR DS:[RAX-10],RDI        |
00007FFD0B32516A | 48:89CF                 | MOV RDI,RCX                          |
00007FFD0B32516D | 4C:8960 E8              | MOV QWORD PTR DS:[RAX-18],R12        |
00007FFD0B325171 | 48:89D1                 | MOV RCX,RDX                          |
00007FFD0B325174 | 45:0FB6E0               | MOVZX R12D,R8B                       | R8 = 0x0
00007FFD0B325178 | E8 F3CA82F0             | CALL fc_m64.7FFCFBB51C70             |
00007FFD0B32517D | 84C0                    | TEST AL,AL                           |
00007FFD0B32517F | 0F84 81020000           | JE fc_m64.7FFD0B325406               |
00007FFD0B325185 | 48:83BF A8020000 00     | CMP QWORD PTR DS:[RDI+2A8],0         | [RDI+2A8] = 0x200767C4A968C8 (DuctTape_id); 0x0 for Perk Magazine
00007FFD0B32518D | 8BAF A0020000           | MOV EBP,DWORD PTR DS:[RDI+2A0]       | [RDI+2A0] = 0x1 (dwNoOfStacks)
00007FFD0B325193 | 4C:89BC24 80000000      | MOV QWORD PTR SS:[RSP+80],R15        |
00007FFD0B32519B | 44:8BBF A4020000        | MOV R15D,DWORD PTR DS:[RDI+2A4]      | [RDI+2A4] = dwRewardItem (0x0 for any; 0x1 for Perk Magazine)
00007FFD0B3251A2 | 74 6A                   | JE fc_m64.7FFD0B32520E               |
00007FFD0B3251A4 | 48:8D8F A8020000        | LEA RCX,QWORD PTR DS:[RDI+2A8]       |
00007FFD0B3251AB | E8 30D3C0F0             | CALL fc_m64.7FFCFBF324E0             |
00007FFD0B3251B0 | 48:85C0                 | TEST RAX,RAX                         | RAX = p->CFCXLootTable
00007FFD0B3251B3 | 74 59                   | JE fc_m64.7FFD0B32520E               |
00007FFD0B3251B5 | 48:8D8F A8020000        | LEA RCX,QWORD PTR DS:[RDI+2A8]       |
00007FFD0B3251BC | E8 1FD3C0F0             | CALL fc_m64.7FFCFBF324E0             |
00007FFD0B3251C1 | 48:8B48 38              | MOV RCX,QWORD PTR DS:[RAX+38]        | qwTableSize
00007FFD0B3251C5 | 48:8B58 30              | MOV RBX,QWORD PTR DS:[RAX+30]        | p_TableStart
00007FFD0B3251C9 | 48:C1E9 20              | SHR RCX,20                           |
00007FFD0B3251CD | 0FBAF1 1F               | BTR ECX,1F                           |
00007FFD0B3251D1 | 48:8D0449               | LEA RAX,QWORD PTR DS:[RCX+RCX*2]     |
00007FFD0B3251D5 | 48:C1E0 04              | SHL RAX,4                            | 0x30 (ComputedSize)
00007FFD0B3251D9 | 48:01D8                 | ADD RAX,RBX                          | p_TableEnd
00007FFD0B3251DC | 48:39C3                 | CMP RBX,RAX                          | while p_TableStart != p_TableEnd
00007FFD0B3251DF | 74 2D                   | JE fc_m64.7FFD0B32520E               |
00007FFD0B3251E1 | 48:8B8F 90020000        | MOV RCX,QWORD PTR DS:[RDI+290]       | qwItemHash
00007FFD0B3251E8 | 48:3B4B 08              | CMP RCX,QWORD PTR DS:[RBX+8]         | TableItemHash vs. PickedUpItemHash
00007FFD0B3251EC | 74 0B                   | JE fc_m64.7FFD0B3251F9               |
00007FFD0B3251EE | 48:83C3 30              | ADD RBX,30                           | iterate till found
00007FFD0B3251F2 | 48:39C3                 | CMP RBX,RAX                          |
00007FFD0B3251F5 | 75 F1                   | JNE fc_m64.7FFD0B3251E8              |
00007FFD0B3251F7 | EB 15                   | JMP fc_m64.7FFD0B32520E              |
00007FFD0B3251F9 | 48:89D9                 | MOV RCX,RBX                          |
00007FFD0B3251FC | E8 6FDDC0F0             | CALL fc_m64.7FFCFBF32F70             | GetQuantityOfItemsInStack
00007FFD0B325201 | 48:89D9                 | MOV RCX,RBX                          | RAX = 0x66 (container quantity for picked item)
00007FFD0B325204 | 89C5                    | MOV EBP,EAX                          |
00007FFD0B325206 | E8 35DDC0F0             | CALL fc_m64.7FFCFBF32F40             |
00007FFD0B32520B | 41:89C7                 | MOV R15D,EAX                         |
00007FFD0B32520E | 48:8B97 90020000        | MOV RDX,QWORD PTR DS:[RDI+290]       | qwItemHash
00007FFD0B325215 | 48:89F1                 | MOV RCX,RSI                          |
00007FFD0B325218 | E8 A3B6C0F0             | CALL fc_m64.7FFCFBF308C0             |
00007FFD0B32521D | 48:8B0E                 | MOV RCX,QWORD PTR DS:[RSI]           | RAX = 0x1
00007FFD0B325220 | 0FAFE8                  | IMUL EBP,EAX                         | 0x66 * 0x1 (amount of items * amount of picked up stacks)
00007FFD0B325223 | 48:8B59 10              | MOV RBX,QWORD PTR DS:[RCX+10]        |
00007FFD0B325227 | 48:8B8B C8000000        | MOV RCX,QWORD PTR DS:[RBX+C8]        |
00007FFD0B32522E | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B325231 | 74 17                   | JE fc_m64.7FFD0B32524A               |
00007FFD0B325233 | 44:0FB68424 B8000000    | MOVZX R8D,BYTE PTR SS:[RSP+B8]       | R8 = 0x0
00007FFD0B32523C | 48:8D93 A8000000        | LEA RDX,QWORD PTR DS:[RBX+A8]        |
00007FFD0B325243 | E8 3845C0EF             | CALL fc_m64.7FFCFAF29780             | SetQtyInLootTable?
00007FFD0B325248 | EB 1F                   | JMP fc_m64.7FFD0B325269              |
00007FFD0B32524A | E8 F117BCEF             | CALL fc_m64.7FFCFAEE6A40             |
00007FFD0B32524F | 48:89D9                 | MOV RCX,RBX                          |
00007FFD0B325252 | 8B50 18                 | MOV EDX,DWORD PTR DS:[RAX+18]        |
00007FFD0B325255 | 899424 B8000000         | MOV DWORD PTR SS:[RSP+B8],EDX        |
00007FFD0B32525C | 48:8D9424 B8000000      | LEA RDX,QWORD PTR SS:[RSP+B8]        |
00007FFD0B325264 | E8 37F690EF             | CALL fc_m64.7FFCFAC348A0             |
00007FFD0B325269 | 48:89C1                 | MOV RCX,RAX                          | RAX = CInventoryComponent
00007FFD0B32526C | 48:85C0                 | TEST RAX,RAX                         |
00007FFD0B32526F | 0F84 89010000           | JE fc_m64.7FFD0B3253FE               |
00007FFD0B325275 | 48:8B00                 | MOV RAX,QWORD PTR DS:[RAX]           |
00007FFD0B325278 | BA 10000000             | MOV EDX,10                           |
00007FFD0B32527D | 41:B9 06000000          | MOV R9D,6                            |
00007FFD0B325283 | 4C:89B424 88000000      | MOV QWORD PTR SS:[RSP+88],R14        |
00007FFD0B32528B | 45:84E4                 | TEST R12B,R12B                       |
00007FFD0B32528E | 41:89E8                 | MOV R8D,EBP                          |
00007FFD0B325291 | 44:0F45CA               | CMOVNE R9D,EDX                       |
00007FFD0B325295 | 48:8B97 90020000        | MOV RDX,QWORD PTR DS:[RDI+290]       | qwItemHash
00007FFD0B32529C | FF90 50010000           | CALL QWORD PTR DS:[RAX+150]          | GetQuantityOfItemsInStack -> RAX = 0x66 (102d)
00007FFD0B3252A2 | 48:8B0D F75DBAF3        | MOV RCX,QWORD PTR DS:[7FFCFEECB0A0]  |
00007FFD0B3252A9 | 41:89C6                 | MOV R14D,EAX                         |
00007FFD0B3252AC | 48:894C24 48            | MOV QWORD PTR SS:[RSP+48],RCX        |
00007FFD0B3252B1 | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B3252B4 | 74 56                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B3252B6 | 4C:8B87 90020000        | MOV R8,QWORD PTR DS:[RDI+290]        | qwItemHash
00007FFD0B3252BD | 48:8D5424 38            | LEA RDX,QWORD PTR SS:[RSP+38]        |
00007FFD0B3252C2 | E8 39AC87F0             | CALL fc_m64.7FFCFBB9FF00             |
00007FFD0B3252C7 | 48:8B5424 38            | MOV RDX,QWORD PTR SS:[RSP+38]        | qwPickedItemHash
00007FFD0B3252CC | 48:85D2                 | TEST RDX,RDX                         |
00007FFD0B3252CF | 74 3B                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B3252D1 | 48:8B0D C070AEF3        | MOV RCX,QWORD PTR DS:[7FFCFEE0C398]  |
00007FFD0B3252D8 | 48:894C24 50            | MOV QWORD PTR SS:[RSP+50],RCX        |
00007FFD0B3252DD | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B3252E0 | 74 0F                   | JE fc_m64.7FFD0B3252F1               |
00007FFD0B3252E2 | BA 46000000             | MOV EDX,46                           |
00007FFD0B3252E7 | E8 44E1B1EF             | CALL fc_m64.7FFCFAE43430             |
00007FFD0B3252EC | 48:8B5424 38            | MOV RDX,QWORD PTR SS:[RSP+38]        | qwPickedItemHash
00007FFD0B3252F1 | 48:85D2                 | TEST RDX,RDX                         |
00007FFD0B3252F4 | 74 16                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B3252F6 | 48:8B0D CB259EF3        | MOV RCX,QWORD PTR DS:[7FFCFED078C8]  |
00007FFD0B3252FD | 48:894C24 58            | MOV QWORD PTR SS:[RSP+58],RCX        |
00007FFD0B325302 | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B325305 | 74 05                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B325307 | E8 74B1F0EE             | CALL fc_m64.7FFCFA230480             |
00007FFD0B32530C | 45:85F6                 | TEST R14D,R14D                       | RAX = 0x5B (91d)
00007FFD0B32530F | 0F84 E1000000           | JE fc_m64.7FFD0B3253F6               |
00007FFD0B325315 | 48:8B06                 | MOV RAX,QWORD PTR DS:[RSI]           |
00007FFD0B325318 | 48:8B58 10              | MOV RBX,QWORD PTR DS:[RAX+10]        |
00007FFD0B32531C | 48:8BAB C8000000        | MOV RBP,QWORD PTR DS:[RBX+C8]        |
00007FFD0B325323 | E8 48E2C2EF             | CALL fc_m64.7FFCFAF53570             | get_CFCXPlayerAbilitiesComponent
00007FFD0B325328 | 8B50 18                 | MOV EDX,DWORD PTR DS:[RAX+18]        | dwComponentHash
00007FFD0B32532B | 48:85ED                 | TEST RBP,RBP                         |
00007FFD0B32532E | 74 20                   | JE fc_m64.7FFD0B325350               |
00007FFD0B325330 | 899424 C8000000         | MOV DWORD PTR SS:[RSP+C8],EDX        |
00007FFD0B325337 | 4C:8D83 A8000000        | LEA R8,QWORD PTR DS:[RBX+A8]         |
00007FFD0B32533E | 48:8D9424 C8000000      | LEA RDX,QWORD PTR SS:[RSP+C8]        |
00007FFD0B325346 | 48:89E9                 | MOV RCX,RBP                          |
00007FFD0B325349 | E8 F2F290EF             | CALL fc_m64.7FFCFAC34640             |
00007FFD0B32534E | EB 11                   | JMP fc_m64.7FFD0B325361              |
00007FFD0B325350 | 895424 20               | MOV DWORD PTR SS:[RSP+20],EDX        |
00007FFD0B325354 | 48:89D9                 | MOV RCX,RBX                          |
00007FFD0B325357 | 48:8D5424 20            | LEA RDX,QWORD PTR SS:[RSP+20]        |
00007FFD0B32535C | E8 3FF590EF             | CALL fc_m64.7FFCFAC348A0             |
00007FFD0B325361 | 48:89C1                 | MOV RCX,RAX                          |
00007FFD0B325364 | 48:85C0                 | TEST RAX,RAX                         |
00007FFD0B325367 | 74 20                   | JE fc_m64.7FFD0B325389               |
00007FFD0B325369 | 48:8B57 08              | MOV RDX,QWORD PTR DS:[RDI+8]         |
00007FFD0B32536D | 4C:8D4424 28            | LEA R8,QWORD PTR SS:[RSP+28]         |
00007FFD0B325372 | 48:8B87 90020000        | MOV RAX,QWORD PTR DS:[RDI+290]       |
00007FFD0B325379 | 45:89F9                 | MOV R9D,R15D                         | if R15D = 0x1, then it's a Reward Item
The function starts at FC_m64.dll+11335150 (just in case ASLR doesn't land you on the address in the code above).

You can break there on your own, process the logic, then turn this info into a nice script that allows people to hijack the picked-up amount ;) Sure, you won't get the quantity without picking up a certain item of a certain type; but you'll manage (you have super jump, super speed, god mode, etc. - it's all a matter of finding something to pick up; then you're set) ;)

BR,
Sun
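The table walk at 00007FFD0B3251D1 to 00007FFD0B3251F7 and the IMUL at 00007FFD0B325220 from the listing above, rewritten as C for readability. This is an added example, not code from the post or from the game: the struct, the function names and the sample hashes are assumptions; only the 0x30 stride, the hash at +8 and the 32-bit multiply come from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: only the 0x30 stride (ADD RBX,30) and the hash at +8
   (CMP RCX,[RBX+8]) come from the listing; the other fields are unknown. */
typedef struct {
    uint64_t unknown_00;
    uint64_t item_hash;
    uint8_t  unknown_10[0x20];
} TableEntry;

_Static_assert(sizeof(TableEntry) == 0x30, "entry size must equal the stride");
_Static_assert(offsetof(TableEntry, item_hash) == 8, "hash must sit at +8");

/* LEA RAX,[RCX+RCX*2] ; SHL RAX,4  ->  (count * 3) << 4 == count * 0x30 */
static size_t table_bytes(size_t count) { return (count + count * 2) << 4; }

/* CMP RBX,RAX / JE ... ADD RBX,30 / JNE: linear search, NULL when the
   table is empty or the hash is absent (both paths jump to ...520E). */
static const TableEntry *find_entry(const TableEntry *start, size_t count,
                                    uint64_t picked_hash)
{
    const uint8_t *p = (const uint8_t *)start;
    const uint8_t *end = p + table_bytes(count);
    for (; p != end; p += 0x30) {
        const TableEntry *e = (const TableEntry *)p;
        if (e->item_hash == picked_hash)
            return e;
    }
    return NULL;
}

/* IMUL EBP,EAX: items per stack * stacks picked up, kept to 32 bits. */
static uint32_t picked_total(uint32_t per_stack, uint32_t stacks)
{
    return per_stack * stacks;
}

int main(void)
{
    /* Constructed sample table; the hashes are made-up values. */
    TableEntry table[3] = { {0, 0x1111, {0}}, {0, 0x2222, {0}}, {0, 0x3333, {0}} };
    const TableEntry *hit = find_entry(table, 3, 0x2222);
    printf("index=%td total=%u\n", hit - table, picked_total(0x66, 1));
    return 0;
}
```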
 
SunBeam

Here you go, Free Perk Points:
Code:
[ENABLE]

FC_m64.dll+19D88F0:
xor r9d,r9d
inc r9d
db 90 90 90

[DISABLE]

FC_m64.dll+19D88F0:
test r9d,r9d
je FC_m64.dll+19D8994
Turn script on, then pick up anything (doesn't matter if plant, corpse, etc.). You'll get 1 Perk Point with any pick-up :D

BR,
Sun

P.S.: Happy stealing, dear competition! :) Oh, you know who you are.
 
shaun12500

Noobzor
Joined
Oct 2, 2018
Messages
6
Stealth and free perk points won't work for me
 
SunBeam

Don't think you people noticed that SILENT update a few hours ago. At least on UPlay it does show a Denuvo notification, some EULA or someth'. Will update the table later.
 
Savagetek

What is cheating?
Joined
Feb 15, 2019
Messages
4
Looks like that last game update broke it; both versions crash the game now... Seems to be no spread crashing the game.
 