Vampyr XP Issue

Shadow_Wulfe
Fearless Donors
Posts: 134
Joined: Sun Apr 02, 2017 3:21 pm
Reputation: 5

Vampyr XP Issue

Post by Shadow_Wulfe »

Editing XP in Vampyr seems to be an issue; directly modifying the value resets the player level to 1.

One thing I notice is how the game seems to prefer values added via individual "injections" of value rather than direct modification.

For example, killing an enemy adds a "+5" to the XP which is then added.

I think that in order to get around the level reset issue, finding the value that is "adding" to XP would be the solution; however, I am not quite sure how to find that value. For the most part, values in Vampyr seem to be stored in 4 bytes.

Is there any idea how to locate that value?

beguiler
Expert Cheater
Posts: 76
Joined: Sun Mar 19, 2017 1:31 pm
Reputation: 47

Re: Vampyr XP Issue

Post by beguiler »

Usually you first find the XP address, then find what writes to that value. Then go over each one listed that writes to that address and see which one actually does an add ahead of it. This can be tricky since it might not directly do the add before it and might call a function to handle it. In which case you can utilize the break and trace function to help you figure it out. That's how I would go about trying to get it.
For example (not real code just making crap up here):

Code:

1) xor eax,eax
2) mov eax,[ecx+22930]
3) call progname.exe+56544
4) mov [ecx+22930], eax

Let's say you found xp is written at line 4 above. You don't see an add somewhere before it, but you do see a zeroing of eax (line 1), then a copy of the xp value to eax (line 2) and a function call on line 3. So you can guess it's doing something to the xp value during the function call on line 3. So you can go to the address in the disassembly window using the goto progname.exe+56544 and look there for the addition part. But sometimes there is a lot of code there along with checks, and you can get lost by just manually following; in that case you should use the break and trace function starting at line 1. Then you can try to follow along while checking all the values in the registers as you go.

Re: Vampyr XP Issue

Post by Shadow_Wulfe »

Thanks.

So I did find a single instruction titled "7FF6904C7CAE - 01 91 B40400000 - add [rcx + 0000004B4], edx"; anytime there was an add, a similar instruction would pop up. An address writing to it was suggested; however, manually adding it showed an outrageous number, and modifying it crashed the game.

There were values that corresponded to the onscreen prompt of added XP, and finding that and modifying it seemed to work on the XP value on the main screen, but not in the actual XP screen in character editing.

SunBeam
Administration
Posts: 3011
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 2151

Re: Vampyr XP Issue

Post by SunBeam »

Did it ever occur to you guys values are perhaps either stored in encoded format or Double? You're only looking at half the value with DWORD.

Re: Vampyr XP Issue

Post by beguiler »

You might want to look at Kalas' old Vampyr CT. The add you list looks similar to what he uses in his Stats script where he set up max level. He used a cmp line instead of an add line to aobscanmodule. You might need to verify that the add address is not changing; the best way to do that is to inject at that add line, and just copy the rcx register value to a local variable that you can display in CE. Then play the game in a smaller window and watch the CE window as you play and get some XP and see if it changes. If it does change, then most likely the add code there is a function being used by multiple parts of the program, so unless you make it so it only changes when the XP address is being used it will crash.

As far as the XP value on screen, most likely there is probably a 2 step process. One updates the XP displayed on screen then another that is used to verify it before copying it to the character editing part. Again look at the Stats part of Kalas' vampyr CT, when he sets his XP to max he sets 2 locations rax+4B0 and rax+4b4.

Sunbeam: Actually nope didn't even consider it. I am not actually trying to make a vampyr XP code, I just loaded up the old vampyr.ct script Kalas wrote for an old version of the game and am trying to follow it for some clues. :) It's been a long while since I even loaded up the game.

Re: Vampyr XP Issue

Post by Shadow_Wulfe »

You will have to forgive the delay, I am not quite great with this coding and the initial workup seemed a bit daunting.

Examining Kalas's table, it almost seems as though the XP modifier actually does TWO ultimate actions. In order to set maximum XP, he accesses the rax+4B0 and rax+4B4 values. Directly underneath that, there is the cheat to make the level set to max.

In the game, if you force the XP to be out of the natural chain of progression, the game detects this and knocks your level down to 0, locking you out of any sort of level progression. While I can't test this as I don't have the version that Kalas used, it seems as though this table first maxes out the XP value, and then, once the game locks the level down to 0, provides an option to force the level back to maximum, allowing the use of the maxed out XP.

Please correct me if I'm wrong.

If I am interpreting it correctly, in order to modify XP, both values have to be changed, meaning that if one could find the value for the level and change that AFTER modifying the XP to a maximal number, then it would be simple to use the newly gained XP.

From Kalas's table:

aobscanmodule(aobXP,AVGame-Win64-Shipping.exe,39 90 B4 04 00 00)
alloc(newmem,$100, aobXP)

label(code)
label(return)
label(ptrBaseXP)
label(setXP)
label(setLevel)

newmem:
cmp [setXP], 0
je @f
mov [rax+4B0], #99999999
mov [rax+4B4], #9999999

@@:
cmp [setLevel], 0
je @f
mov [rax+4AC], #50 // Max Level

code:
mov [ptrBaseXP], rax

cmp [rax+000004B4],edx
jmp return

ptrBaseXP:
dq 0

setXP:
dd 0

setLevel:
dd 0

aobXP:
jmp newmem
nop
return:
registersymbol(aobXP)
registersymbol(ptrBaseXP)
registersymbol(setXP)
registersymbol(setLevel)
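
As an added illustration (not part of the original posts, and not the game's or Kalas's code), here is a minimal C model of the behaviour described in this thread: XP that is meant to change only through additions, a second copy that must agree with it, and a level that drops to 1 when a check fails. The three fields sit 4 bytes apart like the +4AC, +4B0 and +4B4 offsets in the quoted table; the struct, the function names, `XP_PER_LEVEL` and the validation rules are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not the game's code: three adjacent 32-bit fields,
   spaced 4 bytes apart like the +4AC / +4B0 / +4B4 offsets in the thread. */
typedef struct {
    int32_t level;      /* models +4AC */
    int32_t xp;         /* models +4B0 */
    int32_t xp_mirror;  /* models +4B4, assumed to be a second copy */
} Progress;

#define XP_PER_LEVEL 100  /* assumed levelling curve */
#define MAX_LEVEL     50  /* cap taken from the "Max Level" comment */

/* Saturating add for a positive delta, so a reward can never wrap around. */
static int32_t sat_add(int32_t a, int32_t d) {
    return (a > INT32_MAX - d) ? INT32_MAX : a + d;
}

/* Normal path: XP arrives as a positive delta and both copies move together. */
void award_xp(Progress *p, int32_t delta) {
    if (delta <= 0) return;
    p->xp = sat_add(p->xp, delta);
    p->xp_mirror = sat_add(p->xp_mirror, delta);
}

/* Returns 1 when the state is consistent. Otherwise drops the level to 1 and
   returns 0; the stored XP is left alone, so a mismatch keeps failing. */
int validate(Progress *p) {
    int32_t expect = 1 + (p->xp < 0 ? 0 : p->xp / XP_PER_LEVEL);
    if (expect > MAX_LEVEL) expect = MAX_LEVEL;
    if (p->xp < 0 || p->xp != p->xp_mirror || p->level > expect) {
        p->level = 1;
        return 0;
    }
    p->level = expect;
    return 1;
}

int main(void) {
    Progress p = {1, 0, 0};
    award_xp(&p, 250);                 /* constructed sample reward */
    int ok = validate(&p);
    printf("after reward:      ok=%d level=%d\n", ok, p.level);
    p.xp = 99999999;                   /* constructed: one copy written directly */
    ok = validate(&p);
    printf("after direct edit: ok=%d level=%d\n", ok, p.level);
    return 0;
}
```

In this model a later legitimate reward does not clear the failure, because the two copies still disagree; that matches the lockout described in the post above.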

Re: Vampyr XP Issue

Post by beguiler »

The variables setXP and setLevel are flags set to 0 by default. If they are equal to 0 jump forward and skip to the next section, if they are anything else do the commands listed.

Looks like XP is stored in 2 doubles, or is that a typo? Maybe they have to match, but they don't in the code, as the +4b4 one is one 9 short.

Re: Vampyr XP Issue

Post by Shadow_Wulfe »

I remember searching for XP under Double and it not showing up. Addresses seemed to return as 4 bytes for the most part even on the "what writes", but I am low level enough that I am probably missing some things.

While the options are separate, I wonder if the intent behind the table was to use the XP to max it out, then use the MaxLevel to correct the level depletion when maxing out XP. I can't test it though.
