Assassin's Creed: Origins

Status
Not open for further replies.
Mar 16, 2018
cosminuk2011 post_id=38164 time=1521385734 user_id=12592 said:
cosminuk2011 post_id=36924 time=1520816730 user_id=12592 said:
Guys, please, please, please add back Teleportation on map for v. 1.40.
I just found out that teleportation on map is working on 1.41 if you use teleportation from SunBeam's table 1.21 (Update 1) from here:
http://fearlessrevolution.com/viewtopic.php?f=4&t=5983
1.41 crashes upon pressing numpad 0???
 

cosminuk2011

Novice Cheater
Feb 4, 2018
stephhhen post_id=38538 time=1521577294 user_id=14114 said:
cosminuk2011 post_id=38164 time=1521385734 user_id=12592 said:
cosminuk2011 post_id=36924 time=1520816730 user_id=12592 said:
Guys, please, please, please add back Teleportation on map for v. 1.40.
I just found out that teleportation on map is working on 1.41 if you use teleportation from SunBeam's table 1.21 (Update 1) from here:
http://fearlessrevolution.com/viewtopic.php?f=4&t=5983
1.41 crashes upon pressing numpad 0???


For teleportation use numpad 9. No need to press numpad 0 ... it does nothing anyway if you press it.
In SunBeam's table 1.21 (Update 1) check like this and teleportation works flawlessly.

 
Mar 16, 2018
cosminuk2011 post_id=38554 time=1521586772 user_id=12592 said:
stephhhen post_id=38538 time=1521577294 user_id=14114 said:
cosminuk2011 post_id=38164 time=1521385734 user_id=12592 said:
I just found out that teleportation on map is working on 1.41 if you use teleportation from SunBeam's table 1.21 (Update 1) from here:
http://fearlessrevolution.com/viewtopic.php?f=4&t=5983
1.41 crashes upon pressing numpad 0???


For teleportation use numpad 9. No need to press numpad 0 ... it does nothing anyway if you press it.
In SunBeam's table 1.21 (Update 1) check like this and teleportation works flawlessly.

Thanks!!
 

borucic

Novice Cheater
Mar 10, 2018

castix

What is cheating?
Mar 19, 2018
borucic post_id=38612 time=1521624665 user_id=13906 said:
stephhhen post_id=38583 time=1521602898 user_id=14114 said:
Just in case anyone wondered...
• 0000017955049F41: Mythical Warrior NG+.
castix post_id=38604 time=1521622116 user_id=14266 said:
Can someone provide the Hash ID of the Isu Armor?
It's in this spreadsheet already:
http://fearlessrevolution.com/viewtopic.php?f=4&t=5267&start=360#p35352
Ah, sorry, I didn't know he updated his post, since it's really hidden in this big topic. Thank you for pointing it out.
 

v0id

Novice Cheater
Feb 24, 2018
Is it possible to get achievements, i.e. trigger some achievements, via Cheat Engine?
 

fionajason

What is cheating?
Feb 22, 2018
Thanks for the table, but how do I use it to unlock weapons and outfits, as the Weapon Editor is locked somehow?
 

cosminuk2011

Novice Cheater
Feb 4, 2018
fionajason post_id=38752 time=1521692372 user_id=13197 said:
Thanks for the table, but how do I use it to unlock weapons and outfits, as the Weapon Editor is locked somehow?
Just look at this: http://fearlessrevolution.com/viewtopic.php?f=4&t=5267&start=420#p36680
 

Mac777

What is cheating?
Mar 22, 2018
Hi
I am a noob here but have used SunBeam's program to get some items I would not otherwise have gotten without paying Ubisoft, so many thanks to him/her and everyone else who gives of their time to help the community.

I do have a couple of questions though. Looking at one of the tables, it gives hash #'s for a couple of items that cannot be accessed in game any other way as far as I can see: Bringer of Chaos (Common Scepter) and Madu's Shield (Common Shield), which I have. I read that these had been cut from the game and that there was also a Common Predator Bow, Valkyrie's Operator.

So would anyone know if Valkyrie's Operator is obtainable and if so what the hash # is?

Also a similar question about Hou Yi's Bow: I read that one of the attributes was changed from Instant Charging to Poison on Hit, so would the Instant Charging version be available, and does anyone have the hash #?

Cheers
 

budabum

Expert Cheater
Nov 28, 2017
@Mac777
I reversed the UIInventoryItem object a bit and how strings are processed; if I know an item name, I can scan memory for duplicates. For "Hou Yi's Bow" there are only two items. String indices for them are 000FF5D4 and 000FF5D5. You may scan memory through a 4-byte search; you'll find only 2 unique addresses (2 bows) where these pairs are stored.

As a note, I'll post this mumbo jumbo text for future readers/researchers.
An item in the inventory is represented by the UIInventoryItem object:


+00 dq UIInventoryItem (functions vector)
+08 dq pUnk
+10 dq pWeaponSettings/pInventoryItemSettings -> (18h size) +00 dq (functions); +08 dq settings +10 dq objectID (aka hashID from the table)
+18 dq UIInventoryItemLODEntity (functions)
__+20 dq ptrUnk0
__+38 dq ptrUnk1
+50 dq pTextureMapSpec -> (18h) +00 dq TextureMapSpec (functions); +08 dq settings
+60 dq pTextureMapSpec -> (18h size) +10 objectID
__+68 dw str0 index (Item name)
__+98 dw str1 index (Item description)
__+C8 dw FFFFFFFF (termination pattern)


Each text string which is displayed on the screen is wrapped into a TextureMapSpec object and referenced through string indices; the indices in turn point to an encrypted table which is processed by a decryption function when text needs to be displayed. While strings are being decrypted, the memory allocation is changed every 4 decrypted TCHARs. That is why CE text search may not work sometimes.
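The scan budabum describes, as an added example that is not from the thread, the table or the game: a C program that searches a constructed memory image for UIInventoryItem candidates using the field offsets listed above (+68 name index, +98 description index, +C8 FFFFFFFF terminator; his "dw" read as 32-bit), and shows why matching the terminator alongside the index removes coincidental 4-byte hits. The image, the placement of objects in it and the slot each quoted index lands in are assumptions.

```c
/* Added example, not code from the thread or the game: a structure-signature scan over
   a memory image using the UIInventoryItem field offsets budabum listed (+68 name
   index, +98 description index, +C8 FFFFFFFF terminator; his "dw" = 32-bit).
   Everything else here (the image contents, which index goes where) is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OFF_NAME_INDEX 0x68u   /* str0 index: item name        */
#define OFF_DESC_INDEX 0x98u   /* str1 index: item description */
#define OFF_TERMINATOR 0xC8u   /* FFFFFFFF termination pattern */
#define OBJ_SPAN       (OFF_TERMINATOR + 4u)

static uint32_t rd32(const uint8_t *p) {
    uint32_t v;
    memcpy(&v, p, sizeof v);   /* host is little-endian x86-64, same view as a CE 4-byte scan */
    return v;
}

/* Scan at 8-byte alignment (the object is built of qword pointers, so its base is at
   least 8-aligned) and collect image offsets where the name index sits at +0x68 and
   the terminator at +0xC8. Returns the total number of hits, storing up to max_hits. */
size_t scan_for_item(const uint8_t *mem, size_t len, uint32_t name_index,
                     size_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t base = 0; base + OBJ_SPAN <= len; base += 8) {
        if (rd32(mem + base + OFF_NAME_INDEX) != name_index) continue;
        if (rd32(mem + base + OFF_TERMINATOR) != 0xFFFFFFFFu) continue; /* drops stray 4-byte matches */
        if (n < max_hits) hits[n] = base;
        n++;
    }
    return n;
}

static void place_object(uint8_t *mem, size_t base, uint32_t name_idx,
                         uint32_t desc_idx, int with_terminator) {
    uint32_t term = 0xFFFFFFFFu;
    memcpy(mem + base + OFF_NAME_INDEX, &name_idx, sizeof name_idx);
    memcpy(mem + base + OFF_DESC_INDEX, &desc_idx, sizeof desc_idx);
    if (with_terminator) memcpy(mem + base + OFF_TERMINATOR, &term, sizeof term);
}

/* Constructed 4 KiB image: a complete object at 0x100 (name FF5D4, description FF5D5),
   a decoy at 0x400 carrying FF5D4 but no terminator, and a second complete object at
   0x800 whose name index is FF5D5. The two index values are the ones quoted in the post;
   their assignment to name/description slots here is an assumption. */
static size_t build_and_scan(uint32_t index, size_t *hits, size_t max_hits) {
    static uint8_t image[4096];
    memset(image, 0, sizeof image);
    place_object(image, 0x100, 0x000FF5D4u, 0x000FF5D5u, 1);
    place_object(image, 0x400, 0x000FF5D4u, 0x00000000u, 0);
    place_object(image, 0x800, 0x000FF5D5u, 0x00000000u, 1);
    return scan_for_item(image, sizeof image, index, hits, max_hits);
}

size_t demo_hit_count(uint32_t index) {
    size_t hits[8];
    return build_and_scan(index, hits, 8);
}

/* Offset of the first hit, or (size_t)-1 when nothing matched. */
size_t demo_first_hit(uint32_t index) {
    size_t hits[8];
    return build_and_scan(index, hits, 8) ? hits[0] : (size_t)-1;
}

int main(void) {
    uint32_t probes[] = { 0x000FF5D4u, 0x000FF5D5u };
    for (size_t i = 0; i < 2; i++)
        printf("index %08X: %zu candidate(s), first at image+0x%zx\n",
               (unsigned)probes[i], demo_hit_count(probes[i]), demo_first_hit(probes[i]));
    return 0;
}
```

Searching for FF5D5 is the instructive case: the description slot of the object at 0x100 also holds that value, and a plain 4-byte scan would report it, but the candidate base it implies (0x130) has no terminator at +0xC8, so only the real object at 0x800 survives.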
 
Nov 11, 2017
For some reason, I can't get the weapon editor to work. The Estore script works fine. But when I try to click the box for weapon editor .5 (1.4), nothing happens. Any ideas?

Edit: Now I can't get the Estore script to work, either. Nothing happens at all when I try to click on the box. I'm running CE 6.7 and up-to-date ACO from Uplay.

Edit: Nevermind! I just restarted the game and it's working great. Awesome work!
 

SunBeam

RCE Fanatics
Talents
Fearless Donors
Feb 4, 2018
Confirming buda's findings, with a few amendments; was there myself at some point, just didn't give it too much thought :)

Spot for processing item name by index:
Code:
ACOrigins.exe+15958B9 - 8B 53 10              - mov edx,[rbx+10] <-- contains index to name
ACOrigins.exe+15958BC - 4C 8D 45 28           - lea r8,[rbp+28]
ACOrigins.exe+15958C0 - 41 B1 01              - mov r9l,01
ACOrigins.exe+15958C3 - 48 8B C8              - mov rcx,rax
ACOrigins.exe+15958C6 - E8 7583EDFF           - call ACOrigins.exe+146DC40
This index is later on passed on to a function that processes it in the LocalizationManager's context:
Code:
ACOrigins.exe+146DD3A - 4D 8B C5              - mov r8,r13 <-- r8 becomes the pointer to the decrypted string
ACOrigins.exe+146DD3D - 41 8B D7              - mov edx,r15d <-- hello index :)
ACOrigins.exe+146DD40 - E8 CB000000           - call ACOrigins.exe+146DE10
ACOrigins.exe+146DD45 - 84 C0                 - test al,al <-- check r8 after this call
Decryption of the (string_size + 1)-big encrypted index (e.g. "Royal Chariot" is 12 chars big; size = 0xC + 1):
Code:
ACOrigins.exe+146DEB0 - 8B 0A                 - mov ecx,[rdx]
ACOrigins.exe+146DEB2 - 41 8B C2              - mov eax,r10d
ACOrigins.exe+146DEB5 - 0FC9                  - bswap ecx
ACOrigins.exe+146DEB7 - 2B C1                 - sub eax,ecx
ACOrigins.exe+146DEB9 - 78 26                 - js ACOrigins.exe+146DEE1
ACOrigins.exe+146DEBB - 44 8B 5A 04           - mov r11d,[rdx+04]
ACOrigins.exe+146DEBF - 41 FF C1              - inc r9d
ACOrigins.exe+146DEC2 - 8B 42 08              - mov eax,[rdx+08]
ACOrigins.exe+146DEC5 - 8B F9                 - mov edi,ecx
ACOrigins.exe+146DEC7 - 41 0FCB               - bswap r11d
ACOrigins.exe+146DECA - 0FC8                  - bswap eax
ACOrigins.exe+146DECC - 45 8B DB              - mov r11d,r11d
ACOrigins.exe+146DECF - 48 83 C2 0C           - add rdx,0C
ACOrigins.exe+146DED3 - 44 8B C0              - mov r8d,eax
ACOrigins.exe+146DED6 - 4C 03 DB              - add r11,rbx
ACOrigins.exe+146DED9 - 4C 03 C3              - add r8,rbx
ACOrigins.exe+146DEDC - 44 3B CE              - cmp r9d,esi
ACOrigins.exe+146DEDF - 72 CF                 - jb ACOrigins.exe+146DEB0
ACOrigins.exe+146DEE1 - 4D 85 C0              - test r8,r8
First up, the engine decodes the key to the first 2 to-be-decrypted WORDs here:
Code:
ACOrigins.exe+146E1AC - 66 44 89 32           - mov [rdx],r14w
ACOrigins.exe+146E1B0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E1B3 - 0FB7 DE               - movzx ebx,si
ACOrigins.exe+146E1B6 - E9 D5FEFFFF           - jmp ACOrigins.exe+146E090
Then, using a decrypted offset, it will fetch the next WORD ("R" as widechar -> 00 52):
Code:
ACOrigins.exe+146E093 - 45 0FB7 34 84         - movzx r14d,word ptr [r12+rax*4]
ACOrigins.exe+146E098 - 41 0FB7 74 84 02      - movzx esi,word ptr [r12+rax*4+02]
ACOrigins.exe+146E09E - 66 41 C1 CE 08        - ror r14w,08
ACOrigins.exe+146E0A3 - 66 C1 CE 08           - ror si,08
ACOrigins.exe+146E0A7 - 66 85 F6              - test si,si
And writes every 4 WORDs here:
Code:
ACOrigins.exe+146E2BC - 66 44 89 32           - mov [rdx],r14w <--
ACOrigins.exe+146E2C0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E2C3 - 85 FF                 - test edi,edi
ACOrigins.exe+146E2C5 - 0F84 CB000000         - je ACOrigins.exe+146E396
ACOrigins.exe+146E2CB - 48 8B 45 0F           - mov rax,[rbp+0F]
ACOrigins.exe+146E2CF - FF CF                 - dec edi
ACOrigins.exe+146E2D1 - 8D 0C 3F              - lea ecx,[rdi+rdi]
ACOrigins.exe+146E2D4 - 0FB7 1C 01            - movzx ebx,word ptr [rcx+rax]
ACOrigins.exe+146E2D8 - 8B 45 1B              - mov eax,[rbp+1B]
ACOrigins.exe+146E2DB - 48 8B 0D 6E323603     - mov rcx,[ACOrigins.exe+47D1550]
ACOrigins.exe+146E2E2 - 25 FFFFFF1F           - and eax,1FFFFFFF
ACOrigins.exe+146E2E7 - 3B C7                 - cmp eax,edi <-- check if >= 4
By the time the iterator finishes this loop, this is my buffer:

24232A650 -> R o -> 0x52 0x00 0x6F 0x00

Then it will decode the key to next 2 WORDs and redo the loop:
Code:
ACOrigins.exe+146E1AC - 66 44 89 32           - mov [rdx],r14w <-- store key
ACOrigins.exe+146E1B0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E1B3 - 0FB7 DE               - movzx ebx,si
ACOrigins.exe+146E1B6 - E9 D5FEFFFF           - jmp ACOrigins.exe+146E090
..
..
ACOrigins.exe+146E2BC - 66 44 89 32           - mov [rdx],r14w <-- store WORD
ACOrigins.exe+146E2C0 - 8B 7D 17              - mov edi,[rbp+17]
ACOrigins.exe+146E2C3 - 85 FF                 - test edi,edi
..
..
ACOrigins.exe+146E2E7 - 3B C7                 - cmp eax,edi <-- check if >= 4
This is where the buffer is shifted every 4 processed WORDs:
Code:
ACOrigins.exe+146E250 - 48 85 C9              - test rcx,rcx
ACOrigins.exe+146E253 - 74 07                 - je ACOrigins.exe+146E25C
ACOrigins.exe+146E255 - 41 0FB7 00            - movzx eax,word ptr [r8]
ACOrigins.exe+146E259 - 66 89 01              - mov [rcx],ax
ACOrigins.exe+146E25C - 48 83 C1 02           - add rcx,02
ACOrigins.exe+146E260 - 49 83 C0 02           - add r8,02
ACOrigins.exe+146E264 - 49 FF C1              - inc r9
ACOrigins.exe+146E267 - 4D 3B CA              - cmp r9,r10
ACOrigins.exe+146E26A - 75 E4                 - jne ACOrigins.exe+146E250
First up, the allocator is here:
Code:
ACOrigins.exe+146E215 - 8B D3                 - mov edx,ebx
ACOrigins.exe+146E217 - E8 140539FF           - call ACOrigins.exe+7FE730
ACOrigins.exe+146E21C - 4C 8B 45 F7           - mov r8,[rbp-09]
Result of the call, in my case, is 0x26367A0. Then comes this bit:
Code:
ACOrigins.exe+146E250 - 48 85 C9              - test rcx,rcx
ACOrigins.exe+146E253 - 74 07                 - je ACOrigins.exe+146E25C
ACOrigins.exe+146E255 - 41 0FB7 00            - movzx eax,word ptr [r8] <--
ACOrigins.exe+146E259 - 66 89 01              - mov [rcx],ax <--
ACOrigins.exe+146E25C - 48 83 C1 02           - add rcx,02
ACOrigins.exe+146E260 - 49 83 C0 02           - add r8,02
ACOrigins.exe+146E264 - 49 FF C1              - inc r9
ACOrigins.exe+146E267 - 4D 3B CA              - cmp r9,r10
ACOrigins.exe+146E26A - 75 E4                 - jne ACOrigins.exe+146E250
R8 = 24232A650
RCX = 26367A0

So decrypted "R o y a" from 24232A650 is copied to 26367A0.

And so on..

Decryption ends here:
Code:
ACOrigins.exe+146E4A6 - 48 85 D2              - test rdx,rdx
ACOrigins.exe+146E4A9 - 74 03                 - je ACOrigins.exe+146E4AE
ACOrigins.exe+146E4AB - 66 89 32              - mov [rdx],si <-- writes the final 0x00 0x00; the NULL-terminator
ACOrigins.exe+146E4AE - 48 8B 55 F7           - mov rdx,[rbp-09]
ACOrigins.exe+146E4B2 - 49 8B CE              - mov rcx,r14
ACOrigins.exe+146E4B5 - E8 F60839FF           - call ACOrigins.exe+7FEDB0
Then the buffer's loaded here:
Code:
ACOrigins.exe+146E4AE - 48 8B 55 F7           - mov rdx,[rbp-09] <-- get buffer
ACOrigins.exe+146E4B2 - 49 8B CE              - mov rcx,r14 <-- get stack for result
ACOrigins.exe+146E4B5 - E8 F60839FF           - call ACOrigins.exe+7FEDB0
And the CALL will allocate, copy the string to the allocated address and store it in [R14] (same R8 I mentioned in the beginning, 2nd snippet).

Function then exits successfully (MOV AL,1):
Code:
ACOrigins.exe+146E52C - B0 01                 - mov al,01
Now, if you properly feed the right parameters to this function (ACOrigins.exe+146DE10) in RCX, RDX and R8, you will get the decrypted string out of the index buda mentioned ;)

BR,
Sun
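To make the walk at ACOrigins.exe+146DEB0 easier to follow, here is an added C rendering of that loop (not SunBeam's code or the game's), written register for register from the listing above and run over a constructed table. The entry field names key/off_a/off_b, the initial NULL in r8/r11, the up-front count check and the table contents are all assumptions; the listing only shows three big-endian dwords per 12-byte entry, a signed compare against r10d, and the rbx-relative pointer fixup.

```c
/* Added example, not SunBeam's or the game's code: the loop listed at
   ACOrigins.exe+146DEB0 rendered in C, register for register, and run over a
   constructed table. The field names key/off_a/off_b are my labels; the listing
   only shows that each 12-byte entry holds three big-endian dwords. The values
   r8/r11 hold before the first iteration are not visible in the listing, so NULL
   is assumed, and the count check is done before the body as a safety measure
   (the listed loop tests r9d against esi only at the bottom). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* mov ecx,[rdx] ; bswap ecx */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

struct walk_result {
    uint32_t key;          /* edi: key of the last entry consumed         */
    const uint8_t *a;      /* r11: rbx + off_a of that entry              */
    const uint8_t *b;      /* r8 : rbx + off_b of that entry (test r8,r8) */
    uint32_t consumed;     /* r9d: entries walked                         */
};

/* table = rdx, count = esi, base = rbx, index = r10d. Entries are {key, off_a, off_b},
   12 bytes, big-endian. The walk stops at the first entry whose key exceeds index
   (sub eax,ecx ; js), so the result describes the last entry with key <= index. */
struct walk_result walk_table(const uint8_t *table, uint32_t count,
                              const uint8_t *base, uint32_t index) {
    struct walk_result r = { 0, NULL, NULL, 0 };
    const uint8_t *rdx = table;
    uint32_t r9d = 0;
    while (r9d < count) {
        uint32_t ecx = be32(rdx);                    /* entry key                 */
        if ((int32_t)(index - ecx) < 0) break;       /* js ACOrigins.exe+146DEE1  */
        uint32_t off_a = be32(rdx + 4);              /* mov r11d,[rdx+04]; bswap  */
        r9d++;                                       /* inc r9d                   */
        uint32_t off_b = be32(rdx + 8);              /* mov eax,[rdx+08]; bswap   */
        r.key = ecx;                                 /* mov edi,ecx               */
        rdx += 12;                                   /* add rdx,0C                */
        r.a = base + off_a;                          /* add r11,rbx               */
        r.b = base + off_b;                          /* add r8,rbx                */
        r.consumed = r9d;                            /* cmp r9d,esi ; jb loop     */
    }
    return r;                                        /* caller does test r8,r8    */
}

/* Constructed 3-entry table: keys 0x10/0x20/0x30 with offsets 0x100 .. 0x600. */
static const uint8_t kTable[36] = {
    0,0,0,0x10, 0,0,0x01,0, 0,0,0x02,0,
    0,0,0,0x20, 0,0,0x03,0, 0,0,0x04,0,
    0,0,0,0x30, 0,0,0x05,0, 0,0,0x06,0,
};
static const uint8_t kBase[0x700];   /* stands in for the rbx region; only its address matters */

/* off_b of the selected entry as a distance from base, or -1 when r8 would be NULL. */
long demo_walk_b(uint32_t index) {
    struct walk_result r = walk_table(kTable, 3, kBase, index);
    return r.b ? (long)(r.b - kBase) : -1L;
}

uint32_t demo_walk_key(uint32_t index) {
    return walk_table(kTable, 3, kBase, index).key;
}

int main(void) {
    uint32_t probes[] = { 0x05, 0x25, 0x40 };
    for (size_t i = 0; i < 3; i++)
        printf("index 0x%02X -> key 0x%02X, off_b %ld\n",
               (unsigned)probes[i], (unsigned)demo_walk_key(probes[i]), demo_walk_b(probes[i]));
    return 0;
}
```

The `(int32_t)(index - ecx) < 0` test is the exact meaning of `sub eax,ecx ; js`: the jump is taken on the sign of the 32-bit wrapped difference, not on an unsigned comparison, which matters if an index or key ever has its top bit set. An index below the first key (0x05 here) leaves r8 untouched, which is why the listing follows the loop with `test r8,r8`.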
 

budabum

Expert Cheater
Nov 28, 2017
I recognize this code :) ...r12+rax*4... rsi, r8, r14... still fresh in mind.
Thanks for sharing.
 

SmolGui

What is cheating?
Mar 24, 2018
I've tried to use the gear/item editor to give myself the Mut's Sorrow shield (I accidentally sold it, and I can't get it back without starting a new game), but I just can't get it to work. Admittedly, I am a noob at using cheat engine: so can I get some help as to what I need to do?
 

SunBeam

RCE Fanatics
Talents
Fearless Donors
Feb 4, 2018
@budabum: Incoming list of all game items, names and descriptions :)

@SmolGui: Get the table from my post and follow the instructions: http://fearlessrevolution.com/viewtopic.php?f=4&t=5983 (see comments for Update #3, "Inventory Item Swapper v2" script). Please be advised we don't easily fall for the "I am a noob, someone do it for me" routine. You have a mouse and can surf this board, figure your way out please.
 

budabum

Expert Cheater
Nov 28, 2017
SunBeam post_id=39198 time=1521932791 user_id=12587 said:
Now, if you properly feed the right parameters to this function (ACOrigins.exe+146DE10) in RCX, RDX and R8, you will get the decrypted string out of the index buda mentioned ;)
A few amendments :)
I'm still working with 1.21 for different reasons and looked into my scribbles on that code:
Code:
141458F06 - 48 8D 4F 28           - lea rcx,[rdi+28] { [rdi+28]+4 crypto matrix start }
141458F0A - 4D 8B C5              - mov r8,r13
141458F0D - 41 8B D7              - mov edx,r15d { [rcx]+4 - crypto matrix start; r15d - string hash index
                                                        FF57F - Abyssal Steed
                                                        CA805 - Composite Bow }
141458F10 - E8 CB000000           - call 141458FE0 { <<< sets R13, decrypted string }
141458F15 - 84 C0                 - test al,al { [r13] -> 
                                                        LEGENDARY
                                                        HEAVY BLADE
                                                        Level up to equip this item...
                                                        Rapid Fire
                                                        DISMANTLE
                                                        Composite Bow }

Mac777 post_id=38878 time=1521759456 user_id=14384 said:
So would anyone know if Valkyrie's Operator is obtainable and if so what the hash # is?
Hey.
I finally dumped all strings from both the 1.21 and 1.41 versions; they refer to neither "Valkyrie" nor "Operator".
Ubi likely replaced or removed this name. What was interesting in the 1.21 dump: it contained strings from the DLC The Curse of the Pharaohs, like "Pharaon regalia".
 