Assassin's Creed: Odyssey Arrow Address Issue

[Badass Dolphin]

So, the issue I'm having is the addresses for the arrows change constantly, and no pointers exist. I've tried generating a pointer map, no results, and finding out what other addresses share the instruction I learned it's a shared instruction. I have found commonalities between all the addresses, but issue now is when I inject code to change the arrow count to the max it changes to 0 arrows left, when I craft more arrows, it also sets all my resources to 0.

Instruction:

Spoiler

ACOdyssey.AK::MusicEngine::Term+3584:
7FF6EFB87F8D - 41 0F46 C4 - cmovbe eax,r12d
7FF6EFB87F91 - 44 2B C0 - sub r8d,eax
7FF6EFB87F94 - 44 89 03 - mov [rbx],r8d <<
7FF6EFB87F97 - 75 0B - jne ACOdyssey.AK::MusicEngine::Term+3594
7FF6EFB87F99 - 8B D7 - mov edx,edi

RAX=0000000000000001
RBX=000002B861454DF0
RCX=000002B872B79BF8
RDX=000002B59A40DA88
RSI=000002B84570A9C8
RDI=0000000000000136
RSP=000000DF752FEF00
RBP=000002B8614550D0
RIP=00007FF6EFB87F97
R8=0000000000000040
R9=0000000000000000
R10=0000000000000000
R11=00000000FFFFFFFF
R12=0000000000000001
R13=000002B8717F0980
R14=000002B872B79BB8
R15=000002B5A5FB0594

r8d is the new arrow count, being set to the address rbx, when I change the register of r8d to 70 it gets set to 0. I've also tried seeing what addresses access the instruction: sub r8d,eax when I fire an arrow nothing shows? I'm quite confused on what to do here anyone have any ideas?

Edit: Don't think I'll ever be able to accomplish infinite arrows unless I find the function that gives the player items...

[ShyTwig16]

You should post your script, really can't say what your issue is without seeing what you're doing. And sub r8d,eax doesn't access an address so "see what addresses this instruction accesses" won't show anything. You'd have to modify the code to access an address. Or you can set a breakpoint, or use break and trace to see what's going on. But you'll likely need to set a condition breakpoint either way.

[Badass Dolphin]

You should post your script, really can't say what your issue is without seeing what you're doing. And sub r8d,eax doesn't access an address so "see what addresses this instruction accesses" won't show anything. You'd have to modify the code to access an address. Or you can set a breakpoint, or use break and trace to see what's going on. But you'll likely need to set a condition breakpoint either way.

Writing a script right now, I may have figured out how I'm going to do this.
sub r8d,eax
and
mov [rbx],r8d

the rbx register doesn't change. So, I can use a cmp with a givin' offset.

[Badass Dolphin]

You should post your script, really can't say what your issue is without seeing what you're doing. And sub r8d,eax doesn't access an address so "see what addresses this instruction accesses" won't show anything. You'd have to modify the code to access an address. Or you can set a breakpoint, or use break and trace to see what's going on. But you'll likely need to set a condition breakpoint either way.

Got it working, can't believe I spent 3 days trying to figure this out it was simple.

Spoiler


[ENABLE]
aobscanmodule(infArrows,ACOdyssey.exe,44 2B C0 44 89 03 75) // should be unique
alloc(newmem,$100,infArrows)

label(code)
label(return)

newmem:
cmp [rbx+1C8],0
jne code
mov eax,#0

code:
sub r8d,eax
mov [rbx],r8d
jmp return

INJECT:
jmp newmem
nop

return:
registersymbol(infArrows)

[DISABLE]
infArrows:
db 44 2B C0 44 89 03

unregistersymbol(infArrows)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: ACOdyssey.AK::MusicEngine::Term+3581

ACOdyssey.AK::MusicEngine::Term+3560: 48 C1 F8 3F - sar rax,3F
ACOdyssey.AK::MusicEngine::Term+3564: 48 23 D0 - and rdx,rax
ACOdyssey.AK::MusicEngine::Term+3567: 48 83 C2 28 - add rdx,28
ACOdyssey.AK::MusicEngine::Term+356B: E8 E0 0B FC FF - call ACOdyssey.exe+25D8B60
ACOdyssey.AK::MusicEngine::Term+3570: 84 C0 - test al,al
ACOdyssey.AK::MusicEngine::Term+3572: 75 20 - jne ACOdyssey.AK::MusicEngine::Term+3594
ACOdyssey.AK::MusicEngine::Term+3574: 44 8B 03 - mov r8d,[rbx]
ACOdyssey.AK::MusicEngine::Term+3577: 45 3B E0 - cmp r12d,r8d
ACOdyssey.AK::MusicEngine::Term+357A: 41 8B C0 - mov eax,r8d
ACOdyssey.AK::MusicEngine::Term+357D: 41 0F 46 C4 - cmovbe eax,r12d
// ---------- INJECTING HERE ----------
ACOdyssey.AK::MusicEngine::Term+3581: 44 2B C0 - sub r8d,eax
// ---------- DONE INJECTING ----------
ACOdyssey.AK::MusicEngine::Term+3584: 44 89 03 - mov [rbx],r8d
ACOdyssey.AK::MusicEngine::Term+3587: 75 0B - jne ACOdyssey.AK::MusicEngine::Term+3594
ACOdyssey.AK::MusicEngine::Term+3589: 8B D7 - mov edx,edi
ACOdyssey.AK::MusicEngine::Term+358B: 49 8D 4E 2C - lea rcx,[r14+2C]
ACOdyssey.AK::MusicEngine::Term+358F: E8 CC 10 00 00 - call ACOdyssey.AK::MusicEngine::Term+4660
ACOdyssey.AK::MusicEngine::Term+3594: 49 8B 4E 38 - mov rcx,[r14+38]
ACOdyssey.AK::MusicEngine::Term+3598: 48 85 C9 - test rcx,rcx
ACOdyssey.AK::MusicEngine::Term+359B: 74 09 - je ACOdyssey.AK::MusicEngine::Term+35A6
ACOdyssey.AK::MusicEngine::Term+359D: 48 8B 01 - mov rax,[rcx]
ACOdyssey.AK::MusicEngine::Term+35A0: 48 8B D6 - mov rdx,rsi
}


Never mind, [rbx+1C8] changes upon exiting and reloading the game...

[rdx+278] doesn't appear to change.

[ShyTwig16]

Yeah, 0x1C8 definitely seems like it's bigger than an ammo structure would be. And picking random things to compare can work but often will break randomly, since it may not be related at all. But it is were most people start out, even me. Better to look at the code and find something related, you might have to backtrace the structure or code a bit to find something though. But that call and then test al,al seems like it's checking something for the structure, you might be able to find something in that called function. Or backtrace the code a bit to see if you can figure out how RBX is set.

[Badass Dolphin]

Yeah, 0x1C8 definitely seems like it's bigger than an ammo structure would be. And picking random things to compare can work but often will break randomly, since it may not be related at all. But it is were most people start out, even me. Better to look at the code and find something related, you might have to backtrace the structure or code a bit to find something though. But that call and then test al,al seems like it's checking something for the structure, you might be able to find something in that called function. Or backtrace the code a bit to see if you can figure out how RBX is set.

Good news!
rdx+1C doesn't appear to change at all, even when restarting the game. Arrows have a commonality of 0.

Spoiler

newmem:
push r9
cmp [rdx+1C],0
jne code
mov r9,r8
mov [arrowCount],r9
mov eax,#0

So far so good, no issues.

[SunBeam]

The function you are trying to hook is used for decrementing ANYTHING. While you are looking at only arrows, you will soon start wondering why some quests are bricked. Then return to this post of mine

[Badass Dolphin]

Then return to this post of mine

Link? Because you're right having the same issue again

[ShyTwig16]

Then return to this post of mine

Link? Because you're right having the same issue again

I'm thinking "this" refers to the post it's in, i.e. the one you quoted.

So it sounds like you might be better off finding a better place to inject and set the value to something so you always have arrows. Maybe somewhere it only accesses arrows or somewhere that only accesses one address that you can get to the arrows with.

[Badass Dolphin]

Then return to this post of mine

Link? Because you're right having the same issue again

I'm thinking "this" refers to the post it's in, i.e. the one you quoted.

So it sounds like you might be better off finding a better place to inject and set the value to something so you always have arrows. Maybe somewhere it only accesses arrows or somewhere that only accesses one address that you can get to the arrows with.

Well, it's a bit confusing when I click "Select Current Function" in memory viewer and find out what addresses this instruction accesses, nothing appears.

[ShyTwig16]

...
Well, it's a bit confusing when I click "Select Current Function" in memory viewer and find out what addresses this instruction accesses, nothing appears.

"Select current function", just selects what CE thinks the full function is, basically from a 0xCC to a 0xC3. And for "see what addresses this instruction accesses" you need to select one line of code and it needs to be a RET (return) or access an address, if there are no brackets it's not accessing an address. When you do what you're doing it's likely only using the first address and this is not accessing an address, so there is nothing to show. It's just not how breakpoints work. You might want to do some reading on what breakpoints are and what you can do with them.

[SunBeam]

I feel like he's trying to do more than he understands. Once he's gotten better at this, we'll resume talk. Cuz right now, search for value, debug, quick script won't cut it with AC series. I have left a lot of information behind in any AC topic I ever created. Why not start there? In short, you will need to filter out item pointers based on their hashes. Like I said, everything in the game that has a quantity goes through that sub function you pointed out. Start looking for my posts and read-up

[ShyTwig16]

I feel like he's trying to do more than he understands. Once he's gotten better at this, we'll resume talk. Cuz right now, search for value, debug, quick script won't cut it with AC series. I have left a lot of information behind in any AC topic I ever created. Why not start there? In short, you will need to filter out item pointers based on their hashes. Like I said, everything in the game that has a quantity goes through that sub function you pointed out. Start looking for my posts and read-up

Yeah, this is why I'd don't have any posted tables for any AC games. They are a big pain in the ass. I just find money give my self lots of it and play as normal. Admittedly I haven't played one in years either though.

[Badass Dolphin]

I feel like he's trying to do more than he understands. Once he's gotten better at this, we'll resume talk. Cuz right now, search for value, debug, quick script won't cut it with AC series. I have left a lot of information behind in any AC topic I ever created. Why not start there? In short, you will need to filter out item pointers based on their hashes. Like I said, everything in the game that has a quantity goes through that sub function you pointed out. Start looking for my posts and read-up

Thanks, I'm aware of item hashes, (inventory editor) so I need to find the hash id for all of the arrows.

Yeah, this is why I'd don't have any posted tables for any AC games. They are a big pain in the ass. I just find money give my self lots of it and play as normal. Admittedly I haven't played one in years either though.

Yes, making cheats on AC games are proving to be a huge pain the ass... I got infinite oxygen working to a degree, I don't run out of breath at all, but eventually for some reason the game crashes randomly so I probably need to find a pointer that acknowledges when the player is underwater.
But hey, at least I got Instant Level Up working without any issues whatsoever!

[ShyTwig16]

I feel like he's trying to do more than he understands. Once he's gotten better at this, we'll resume talk. Cuz right now, search for value, debug, quick script won't cut it with AC series. I have left a lot of information behind in any AC topic I ever created. Why not start there? In short, you will need to filter out item pointers based on their hashes. Like I said, everything in the game that has a quantity goes through that sub function you pointed out. Start looking for my posts and read-up

Thanks, I'm aware of item hashes, (inventory editor) so I need to find the hash id for all of the arrows.

Yeah, this is why I'd don't have any posted tables for any AC games. They are a big pain in the ass. I just find money give my self lots of it and play as normal. Admittedly I haven't played one in years either though.

Yes, making cheats on AC games are proving to be a huge pain the ass... I got infinite oxygen working to a degree, I don't run out of breath at all, but eventually for some reason the game crashes randomly so I probably need to find a pointer that acknowledges when the player is underwater.
But hey, at least I got [Link] working without any issues whatsoever!

I think most of the newer AC games (after 4) have integrity check, if I remember right they just fire at odd times. The CE tutorial game has integrity checks if you want to learn about that.