Warhammer 40,000 Chaos Gate - Daemonhunters

Anything Cheat Engine related, bugs, suggestions, helping others, etc..
Post Reply
dchunghk
What is cheating?
What is cheating?
Posts: 1
Joined: Mon Mar 25, 2024 7:39 pm
Reputation: 0

Warhammer 40,000 Chaos Gate - Daemonhunters

Post by dchunghk »

Made by Zanzer

Total noob here. I am torn between using cheat engine from scratch vs updating an existing table. I ended up trying the latter since I am not even sure how to scan for locked items which I cannot relock without loading a save (which may screw up scan results right?).

Anyhow, I'm trying to understanding the instructions. All feedback welcomed (including how to scan for locked items instead of trying to update the table). Thank you in advance!


//Script name = Unloack All Equipment
[ENABLE]
aobscanmodule(unlockAll,GameAssembly.dll,E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 47 ?? 48 85 C0 0F 84) // scan for injection point unlockAll
alloc(newmem,$1000,unlockAll) // locating 4096 bytes memory “newmem” at unlockAll

label(unlockAllBkp)
label(unlockAllLoop)
label(unlockAllEnd)
label(return)

newmem:
push rbx //store rbx, rdi, rsi, rbp to stack
push rdi
push rsi
push rbp
mov rbx,rcx //replace rbx with rcx
mov rdi,[rbx+20] //allEquipment; replace rdi with value at [rbx+20]
xor rbp,rbp //clear rbp to 0 as rbp = rbp
mov ebp,[rdi+18] //allEquipment.size; replace ebp with value at [rdi+18]
mov rdi,[rdi+10] //allEquipment.items; replace rdi with value at [rdi+10]
add rdi,20 //item[0] add 20 to rdi

unlockAllLoop:
dec rbp //rbp -1; rbp was cleared so -1
test rbp,rbp //set sign flag to negative
js unlockAllEnd //jump if sign is negative; rbp is always neg no?!
mov rcx,rbx //replace rcx with rbx
mov rdx,[rdi] //item[x]; replace rdx with value at [rdi]
test rdx,rdx //sets zero flag
je unlockAllEnd //jump when zero flag = 1
mov rdx,[rdx+20] //item[x].id; //replace rdx with value at [rdx+20]
xor r8d,r8d //clear r8d to 0 as r8d = r8d

unlockAllBkp:
reassemble(unlockAll) //?? unlockAll is in another script
add rdi,08 //add 8 to rdi
jmp unlockAllLoop //jump to unlockAllLoop

unlockAllEnd:
pop rbp //restore rbx, rdi, rsi, rbp from stack
pop rsi
pop rdi
pop rbx
jmp return

unlockAll:
jmp newmem
return:
registersymbol(unlockAll)
registersymbol(unlockAllBkp)

[DISABLE]
unlockAll:
reassemble(unlockAllBkp)
unregistersymbol(unlockAll)
unregistersymbol(unlockAllBkp)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+13EBFC1

GameAssembly.dll+13EBF94: 48 85 C0 - test rax,rax
GameAssembly.dll+13EBF97: 0F 84 0F 03 00 00 - je GameAssembly.dll+13EC2AC
GameAssembly.dll+13EBF9D: 48 8B 40 10 - mov rax,[rax+10]
GameAssembly.dll+13EBFA1: 48 85 C0 - test rax,rax
GameAssembly.dll+13EBFA4: 0F 84 02 03 00 00 - je GameAssembly.dll+13EC2AC
GameAssembly.dll+13EBFAA: 48 8B 88 90 00 00 00 - mov rcx,[rax+00000090]
GameAssembly.dll+13EBFB1: 48 85 C9 - test rcx,rcx
GameAssembly.dll+13EBFB4: 0F 84 F2 02 00 00 - je GameAssembly.dll+13EC2AC
GameAssembly.dll+13EBFBA: 48 8B 57 70 - mov rdx,[rdi+70]
GameAssembly.dll+13EBFBE: 45 33 C0 - xor r8d,r8d
// ---------- INJECTING HERE ----------
GameAssembly.dll+13EBFC1: E8 CA 9A 55 00 - call GreyKnights.ArmouryManager.UnlockEquipment
// ---------- DONE INJECTING ----------
GameAssembly.dll+13EBFC6: E9 13 02 00 00 - jmp GameAssembly.dll+13EC1DE
GameAssembly.dll+13EBFCB: 48 8B 47 78 - mov rax,[rdi+78]
GameAssembly.dll+13EBFCF: 48 85 C0 - test rax,rax
GameAssembly.dll+13EBFD2: 0F 84 D4 02 00 00 - je GameAssembly.dll+13EC2AC
GameAssembly.dll+13EBFD8: 48 8B 48 18 - mov rcx,[rax+18]
GameAssembly.dll+13EBFDC: 48 85 C9 - test rcx,rcx
GameAssembly.dll+13EBFDF: 0F 84 C7 02 00 00 - je GameAssembly.dll+13EC2AC
GameAssembly.dll+13EBFE5: 48 8B 59 30 - mov rbx,[rcx+30]
GameAssembly.dll+13EBFE9: 48 8B 0D 48 F0 8A 01 - mov rcx,[GameAssembly.dll+2C9B038]
GameAssembly.dll+13EBFF0: F6 81 33 01 00 00 02 - test byte ptr [rcx+00000133],02
}



//Script name = Armory Manager
[ENABLE]
aobscanmodule(armory,GameAssembly.dll,48 8B A8 ?? ?? 00 00 48 8B 87 ?? ?? 00 00 48 85 C0 74 ?? 3B 58)
alloc(newmem,$1000,armory)

label(armoryBkp)
label(armoryPtr)
label(return)
label(unlockAll)

newmem:
armoryBkp:
readmem(armory,7) //copy 7 bytes from armory to armorybkp (?)
mov rax,armoryPtr //replace rax with armoryPtr
mov [rax],rbp //replace value at [rax] with rbp
jmp return

align 10 //? overall completely lost here
armoryPtr:
dq 0 //declare armoryPtr is 0 (?)

align 10 //?
unlockAll:
sub rsp,60 //subtract 60 from rsp
//mov rcx,armoryPtr
//mov rcx,[rcx]
//test rcx,rcx
//je u/f
mov rcx,00000182E0FC20C0
mov rdx,182E1245060
xor r8,r8 //set r8 to 0
//jmp GreyKnights.ArmouryManager.UnlockEquipment
call 7FFB30D85A90
@@:
add rsp,60 //add 60 from rsp
ret

armory:
jmp newmem
nop 2
return:
registersymbol(armory)
registersymbol(armoryBkp)
registersymbol(armoryPtr)
registersymbol(unlockAll)

[DISABLE]
armory:
readmem(armoryBkp,7) //copy 7 bytes from armorybkp to armory?
unregistersymbol(armory)
unregistersymbol(armoryBkp)
unregistersymbol(armoryPtr)
unregistersymbol(unlockAll)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: GameAssembly.dll+117FD513

GameAssembly.dll+117FD4EC: 83 B9 E0 00 00 00 00 - cmp dword ptr [rcx+000000E0],00
GameAssembly.dll+117FD4F3: 75 05 - jne GameAssembly.dll+117FD4FA
GameAssembly.dll+117FD4F5: E8 76 5E 8D EE - call GameAssembly.dll+D3370
GameAssembly.dll+117FD4FA: 31 C9 - xor ecx,ecx
GameAssembly.dll+117FD4FC: E8 6F E0 55 EF - call GameAssembly.dll+D5B570
GameAssembly.dll+117FD501: 48 85 C0 - test rax,rax
GameAssembly.dll+117FD504: 0F 84 87 00 00 00 - je GameAssembly.dll+117FD591
GameAssembly.dll+117FD50A: 48 8B 40 10 - mov rax,[rax+10]
GameAssembly.dll+117FD50E: 48 85 C0 - test rax,rax
GameAssembly.dll+117FD511: 74 7E - je GameAssembly.dll+117FD591
// ---------- INJECTING HERE ----------
GameAssembly.dll+117FD513: 48 8B A8 90 00 00 00 - mov rbp,[rax+00000090]
// ---------- DONE INJECTING ----------
GameAssembly.dll+117FD51A: 48 8B 87 18 01 00 00 - mov rax,[rdi+00000118]
GameAssembly.dll+117FD521: 48 85 C0 - test rax,rax
GameAssembly.dll+117FD524: 74 6B - je GameAssembly.dll+117FD591
GameAssembly.dll+117FD526: 3B 58 18 - cmp ebx,[rax+18]
GameAssembly.dll+117FD529: 73 56 - jae GameAssembly.dll+117FD581
GameAssembly.dll+117FD52B: 48 8B 0C 06 - mov rcx,[rsi+rax]
GameAssembly.dll+117FD52F: 48 85 C9 - test rcx,rcx
GameAssembly.dll+117FD532: 74 5D - je GameAssembly.dll+117FD591
GameAssembly.dll+117FD534: 48 8B 15 BD 5C 4A F1 - mov rdx,[GameAssembly.dll+2CA31F8]
GameAssembly.dll+117FD53B: E8 30 DA 78 EF - call GameAssembly.dll+F8AF70
}

Post Reply

Who is online

Users browsing this forum: PronKill