[COMPLETED] [Request] Vampire's Fall: Origins

cfemen
RCE Fanatics
Posts: 898
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1700

Re: [Request] Vampire's Fall: Origins

Post by cfemen »

SunBeam wrote:
Sat Feb 01, 2020 4:06 pm

Now you can set that hotkey and give it a run ;)

BR,
Sun


It's added, thx! That's a nice improvement to make it more comfortable to use :)

TheBoorsh
Novice Cheater
Posts: 19
Joined: Sat Feb 01, 2020 12:10 pm
Reputation: 3

Re: [Request] Vampire's Fall: Origins

Post by TheBoorsh »

cfemen Thank you so much mate! Great job

SillytheSow
Noobzor
Posts: 10
Joined: Wed Jan 23, 2019 9:41 pm
Reputation: 6

Re: [Request] Vampire's Fall: Origins

Post by SillytheSow »

nr
Last edited by SillytheSow on Fri Feb 14, 2020 12:30 am, edited 1 time in total.

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

^ Of course.. always something nice is followed by "how do I use CE?".. Meanwhile:

Image

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

cfemen wrote:
Sat Feb 01, 2020 4:25 pm
its added, thx! thats a nice improvement to make it more comfortable to use :)
Another thing I recommend is to modify it like this:
  • find the instance pointer and store it
  • while script is active, always use the FIRST found instance pointer
  • if you exit to main menu, die, etc. - any event that might RESET or reinitialize the pointers - then re-enable the script
Using the script with a hotkey often crashes my game (I'm currently mapping items, thus have to open/close the admin panel often). Well.. after 4-5 tries (number is random), game freezes. I'm assuming it's because the check you placed doesn't succeed all the time? I've not investigated/debugged the script. So: either bulletproof the check for the RIGHT instance pointer - OR - make use of a stored one all the time, as long as you are in same game session.

I will actually split the code in 2 scripts: find Instance [1] -> execute method [2] (this 2nd one will be the one with a hotkey).

Will let you know if I still experience crashes this way.

BR,
Sun

P.S.: There are exactly 664 items :D So I will need some help from you guys to cover all :P

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

cfemen wrote:
Sat Feb 01, 2020 4:25 pm
...
See attached table.

Run in this order:
- Mono Init
-- [Admin Panel] (expand)
--- Find Instance (should return the required ptr)
---- Toggle Admin Panel (hit Numpad *)

Vampire's Fall Origins.CT
(63.78 KiB) Downloaded 208 times

The idea is once the RIGHT Instance pointer is retrieved, there's no need to re-run the script each time you need the Admin Panel like where you're at (near a shop or whatever) in the current game session. That way you get the required instance ptr for mono_invoke_method and reuse it.

BR,
Sun

EDIT: Will actually take screenshots of these items, rather than an Excel. Faster.

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

And even faster is using this and hooking it:

Code:

AdminPanel:AddItem - 55                    - push rbp
AdminPanel:AddItem+1- 48 8B EC              - mov rbp,rsp
AdminPanel:AddItem+4- 48 83 EC 40           - sub rsp,40 { 64 }
AdminPanel:AddItem+8- 48 89 4D F8           - mov [rbp-08],rcx
AdminPanel:AddItem+c- 48 B8 70382838A9010000 - mov rax,000001A938283870 { (1A958B63080) }
AdminPanel:AddItem+16- 48 8B 00              - mov rax,[rax]
AdminPanel:AddItem+19- 48 89 45 F0           - mov [rbp-10],rax
AdminPanel:AddItem+1d- 48 B8 203C2838A9010000 - mov rax,000001A938283C20 { (" R&8?") }
AdminPanel:AddItem+27- 48 8B 00              - mov rax,[rax]
AdminPanel:AddItem+2a- 48 89 45 E8           - mov [rbp-18],rax
AdminPanel:AddItem+2e- 48 8B 45 F8           - mov rax,[rbp-08]
AdminPanel:AddItem+32- 48 8B 40 40           - mov rax,[rax+40]
AdminPanel:AddItem+36- 48 8B C8              - mov rcx,rax
AdminPanel:AddItem+39- 83 38 00              - cmp dword ptr [rax],00 { 0 }
AdminPanel:AddItem+3c- 66 90                 - nop 
AdminPanel:AddItem+3e- 49 BB 70F28642A9010000 - mov r11,UIInput:get_value { (-326416299) }
AdminPanel:AddItem+48- 41 FF D3              - call r11
AdminPanel:AddItem+4b- 48 8B C8              - mov rcx,rax
AdminPanel:AddItem+4e- 49 BB F080D939A9010000 - mov r11,System:Int32:Parse { (-326416299) }
AdminPanel:AddItem+58- 41 FF D3              - call r11
AdminPanel:AddItem+5b- 48 8B D0              - mov rdx,rax
AdminPanel:AddItem+5e- 48 8B 45 E8           - mov rax,[rbp-18]
AdminPanel:AddItem+62- 48 8B C8              - mov rcx,rax
AdminPanel:AddItem+65- 83 38 00              - cmp dword ptr [rax],00 { 0 }
AdminPanel:AddItem+68- 48 8D 64 24 00        - lea rsp,[rsp+00]
AdminPanel:AddItem+6d- 90                    - nop 
AdminPanel:AddItem+6e- 49 BB 007CDB40A9010000 - mov r11,ItemRepository:GetItem { (-326416299) }
AdminPanel:AddItem+78- 41 FF D3              - call r11
AdminPanel:AddItem+7b- 48 8B D0              - mov rdx,rax
AdminPanel:AddItem+7e- 48 8B 45 F0           - mov rax,[rbp-10]
AdminPanel:AddItem+82- 48 8B C8              - mov rcx,rax
AdminPanel:AddItem+85- 83 38 00              - cmp dword ptr [rax],00 { 0 }
AdminPanel:AddItem+88- 48 8D 64 24 00        - lea rsp,[rsp+00]
AdminPanel:AddItem+8d- 90                    - nop 
AdminPanel:AddItem+8e- 49 BB 00B5DB40A9010000 - mov r11,CharacterInventory:TryAddItem { (-326416299) }
AdminPanel:AddItem+98- 41 FF D3              - call r11
AdminPanel:AddItem+9b- 48 8D 65 00           - lea rsp,[rbp+00]
AdminPanel:AddItem+9f- 5D                    - pop rbp
AdminPanel:AddItem+a0- C3                    - ret 

Code:

public void AddItem()
{
    Singleton<CharacterInventory>.Instance.TryAddItem(Singleton<ItemRepository>.Instance.GetItem(int.Parse(this.inputAddItem.@value)));
}

cfemen
RCE Fanatics
Posts: 898
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1700

Re: [Request] Vampire's Fall: Origins

Post by cfemen »

SunBeam wrote:
Sat Feb 01, 2020 7:40 pm

See attached table.
I just did the same, a bit different from your approach but with the same effect: allocated space for InstanceAdd in Mono-Init, Init Admin Menu writes the InstanceAdd, and a script reads it and invokes the method.
About the freezes: I executed the old script really often now (without invoking the method, so it can't crash) and it always found the right instance; the only thing that happened: the mono features deactivated themselves randomly sometimes.
I guess that was a Mono problem, because if the instance address were wrong then the game would just crash, and not freeze.
...
Oh, I just wanted to write about the items list, and then the game froze as I clicked on my toggle script with the already found instance... damn, I will now check your approach.


Edit: same on your approach.
Executing Toggle Admin Panel randomly causes a freeze; ok, I will look at what the problem is.

Edit 2: observed the instance pointer for changes now -> nope, never changed in 5 mins.
Had the idea to test the manual invoke with the 100% right instance pointer; after ~15 invokes this happened:
Image

Game frozen, CE Lua error.

I'm pretty sure it's a problem of mono_invoke_method... I will now look into calling it from a thread, or via a similar call like the Add XP/Bloodstones etc. calls.

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

I did run this by Dark Byte, yet the conclusion is I had the wrong instance pointer. Then I fixed that and attempted to run the mono_invoke_method multiple times and got the same result as you. Mono randomly deactivates itself and can't be re-enabled (tried the top-menu option in main CE window; just doesn't work). So I will just use the "Find Instance" part, that seems to work well and call the "ToogleAdminPanel" function (or any other) in a normal thread, with supplied Instance param.

cfemen
RCE Fanatics
Posts: 898
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1700

Re: [Request] Vampire's Fall: Origins

Post by cfemen »

Just tested calling it from MinimapController:Update:
It works stable... but the instance changes after every fight...
Activate Find Instance again after a fight and it works perfectly without freezes with the call from an Update method.

Damn, I did not expect that a fight changes it :/

Attached the current table for anyone who wants to test it:
Attachments
Vampire's Fall Origins.CT
(74.6 KiB) Downloaded 240 times

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

Meanwhile I got something stable in ASM format, re-using the code I had in my BattleTech table ;)

Notes:
- you still need "Mono Init" > "[Admin Panel]" > "Find Instance" scripts active first, so run them in this order
- enable the "Cheat Handler" script
- go back in-game
- hit Numpad Del 1 time; menu will show
- wait 1s
- hit Numpad Del 1 time; menu will disappear
- repeat with the mentioned interval, as spamming this (pressing the key too fast) will cause something to break in the mono thread

Lastly, note what cfemen said. After a fight you will be required to re-run "Find Instance" script.

Vampire's Fall Origins.CT
(70.95 KiB) Downloaded 268 times

Time to add the "Add Item" thingie and make use of fast adding items to my inventory :P Wanna map all 664.

BR,
Sun

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

cfemen wrote:
Sat Feb 01, 2020 9:45 pm
its works stable...but instance is changing after every fight...
Activate Find Instance after a fight again and it works perfectly without freezes with the call from a update method.
dammed i did not expect that a fight changes it :/
What causes it to change? Have you managed to find a lead into fetching it? Maybe we can hook there and always have the stable pointer, without doing the look-up version :P

EDIT: Adding Bloodstones via the Admin Panel GUI doesn't work because...

Code:

public void AdBS()
{
}
as in:

Code:

AdminPanel:AdBS - 48 83 EC 08           - sub rsp,08
AdminPanel:AdBS+4- 48 83 C4 08           - add rsp,08
AdminPanel:AdBS+8- C3                    - ret 
D'ohhh... :D

However, this exists:

Code:

public void AddBloodStones(int value)
{
	this.BloodStones = this.BloodStones + value;
	if (this.BloodStones < 0)
	{
		this.BloodStones = 0;
	}
}
So it's just a matter of hijacking the function and sending it to AddXp, while replacing the caller (so it calls AddBloodStones, instead of AddXP):

Code:

public void AddXp()
{
	Singleton<Character>.Instance.AddXP(int.Parse(this.inputAddXp.@value), false);
	// replace AddXP with AddBloodStones :) -- find function address and change it manually
}
which is here:

Code:

AdminPanel:AddXp - 55                    - push rbp
AdminPanel:AddXp+1- 48 8B EC              - mov rbp,rsp
AdminPanel:AddXp+4- 48 83 EC 30           - sub rsp,30
AdminPanel:AddXp+8- 48 89 4D F8           - mov [rbp-08],rcx
AdminPanel:AddXp+c- 48 B8 F031C3879C020000 - mov rax,0000029C87C331F0 { (29C931E4E00) }
AdminPanel:AddXp+16- 48 8B 00              - mov rax,[rax]
AdminPanel:AddXp+19- 48 89 45 F0           - mov [rbp-10],rax
AdminPanel:AddXp+1d- 48 8B 45 F8           - mov rax,[rbp-08]
AdminPanel:AddXp+21- 48 8B 40 50           - mov rax,[rax+50]
AdminPanel:AddXp+25- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+28- 83 38 00              - cmp dword ptr [rax],00
AdminPanel:AddXp+2b- 66 66 90              - nop 
AdminPanel:AddXp+2e- 49 BB 5749E18D9C020000 - mov r11,0000029C8DE14957
AdminPanel:AddXp+38- 41 FF D3              - call r11
AdminPanel:AddXp+3b- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+3e- 49 BB D91434939C020000 - mov r11,0000029C933414D9
AdminPanel:AddXp+48- 41 FF D3              - call r11
AdminPanel:AddXp+4b- 48 8B D0              - mov rdx,rax
AdminPanel:AddXp+4e- 48 8B 45 F0           - mov rax,[rbp-10]
AdminPanel:AddXp+52- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+55- 45 33 C0              - xor r8d,r8d
AdminPanel:AddXp+58- 83 38 00              - cmp dword ptr [rax],00
AdminPanel:AddXp+5b- 66 66 90              - nop 
AdminPanel:AddXp+5e- 49 BB CBB7E0999C020000 - mov r11,0000029C99E0B7CB
AdminPanel:AddXp+68- 41 FF D3              - call r11
AdminPanel:AddXp+6b- 48 8D 65 00           - lea rsp,[rbp+00]
AdminPanel:AddXp+6f- 5D                    - pop rbp
AdminPanel:AddXp+70- C3                    - ret 
Execute it 1 time (as in type 1 in Admin Panel for XP and click the XP button so it executes, adding 1 XP to your Character) and you'll now see the symbols ;)

Code:

AdminPanel:AddXp - 55                    - push rbp
AdminPanel:AddXp+1- 48 8B EC              - mov rbp,rsp
AdminPanel:AddXp+4- 48 83 EC 30           - sub rsp,30
AdminPanel:AddXp+8- 48 89 4D F8           - mov [rbp-08],rcx
AdminPanel:AddXp+c- 48 B8 F031C3879C020000 - mov rax,0000029C87C331F0 { (29C931E4E00) }
AdminPanel:AddXp+16- 48 8B 00              - mov rax,[rax]
AdminPanel:AddXp+19- 48 89 45 F0           - mov [rbp-10],rax
AdminPanel:AddXp+1d- 48 8B 45 F8           - mov rax,[rbp-08]
AdminPanel:AddXp+21- 48 8B 40 50           - mov rax,[rax+50]
AdminPanel:AddXp+25- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+28- 83 38 00              - cmp dword ptr [rax],00
AdminPanel:AddXp+2b- 66 66 90              - nop 
AdminPanel:AddXp+2e- 49 BB B05AE18D9C020000 - mov r11,UIInput:get_value
AdminPanel:AddXp+38- 41 FF D3              - call r11
AdminPanel:AddXp+3b- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+3e- 49 BB F0803D979C020000 - mov r11,System:Int32:Parse
AdminPanel:AddXp+48- 41 FF D3              - call r11
AdminPanel:AddXp+4b- 48 8B D0              - mov rdx,rax
AdminPanel:AddXp+4e- 48 8B 45 F0           - mov rax,[rbp-10]
AdminPanel:AddXp+52- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+55- 45 33 C0              - xor r8d,r8d
AdminPanel:AddXp+58- 83 38 00              - cmp dword ptr [rax],00
AdminPanel:AddXp+5b- 66 66 90              - nop 
AdminPanel:AddXp+5e- 49 BB E0BCE0999C020000 - mov r11,Character:AddXP <-- tanaaa!
AdminPanel:AddXp+68- 41 FF D3              - call r11
AdminPanel:AddXp+6b- 48 8D 65 00           - lea rsp,[rbp+00]
AdminPanel:AddXp+6f- 5D                    - pop rbp
AdminPanel:AddXp+70- C3                    - ret 
Replace the address of "Character:AddXP" with that of "Character:AddBloodStones". Copy what's between "", open Memory View, Ctrl+G, paste, Enter; you're now at that address; in my case it's 29C99DE2820; now head to the "tanaaa" row above and change the ptr to your address; once done you'll see this:

Code:

AdminPanel:AddXp - 55                    - push rbp
AdminPanel:AddXp+1- 48 8B EC              - mov rbp,rsp
AdminPanel:AddXp+4- 48 83 EC 30           - sub rsp,30
AdminPanel:AddXp+8- 48 89 4D F8           - mov [rbp-08],rcx
AdminPanel:AddXp+c- 48 B8 F031C3879C020000 - mov rax,0000029C87C331F0 { (29C931E4E00) }
AdminPanel:AddXp+16- 48 8B 00              - mov rax,[rax]
AdminPanel:AddXp+19- 48 89 45 F0           - mov [rbp-10],rax
AdminPanel:AddXp+1d- 48 8B 45 F8           - mov rax,[rbp-08]
AdminPanel:AddXp+21- 48 8B 40 50           - mov rax,[rax+50]
AdminPanel:AddXp+25- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+28- 83 38 00              - cmp dword ptr [rax],00
AdminPanel:AddXp+2b- 66 66 90              - nop 
AdminPanel:AddXp+2e- 49 BB B05AE18D9C020000 - mov r11,UIInput:get_value
AdminPanel:AddXp+38- 41 FF D3              - call r11
AdminPanel:AddXp+3b- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+3e- 49 BB F0803D979C020000 - mov r11,System:Int32:Parse
AdminPanel:AddXp+48- 41 FF D3              - call r11
AdminPanel:AddXp+4b- 48 8B D0              - mov rdx,rax
AdminPanel:AddXp+4e- 48 8B 45 F0           - mov rax,[rbp-10]
AdminPanel:AddXp+52- 48 8B C8              - mov rcx,rax
AdminPanel:AddXp+55- 45 33 C0              - xor r8d,r8d
AdminPanel:AddXp+58- 83 38 00              - cmp dword ptr [rax],00
AdminPanel:AddXp+5b- 66 66 90              - nop 
AdminPanel:AddXp+5e- 49 BB 2028DE999C020000 - mov r11,Character:AddBloodStones <--- boom
AdminPanel:AddXp+68- 41 FF D3              - call r11
AdminPanel:AddXp+6b- 48 8D 65 00           - lea rsp,[rbp+00]
AdminPanel:AddXp+6f- 5D                    - pop rbp
AdminPanel:AddXp+70- C3                    - ret 
So now head into the Admin Panel, find the XP field, type in your amount and click the button. I had 689 Stones. Typed in 500. Now I got 1189 :) Easy hack :D

BR,
Sun

cfemen
RCE Fanatics
Posts: 898
Joined: Fri Feb 15, 2019 5:45 pm
Reputation: 1700

Re: [Request] Vampire's Fall: Origins

Post by cfemen »

SunBeam wrote:
Sat Feb 01, 2020 10:55 pm

What causes it to change? Have you managed to find a lead into fetching it? Maybe we can hook there and always have the stable pointer, without doing the look-up version :P
Nope, unfortunately I couldn't trace the instance while it changes :(

But! I finally looked for the IDs, dumped them and can now contribute:



And I tested your script with the thread, but even without spamming I still got random freezes and Mono deactivating :(

Edit:

Maybe someone is also interested in the enemy ID:

Last edited by cfemen on Sun Feb 02, 2020 1:46 am, edited 1 time in total.

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

cfemen wrote:
Sun Feb 02, 2020 12:26 am
and can now contribute:
No shit, Sherlock. You dumped all :D Good work! ;)

SunBeam
Administration
Posts: 4915
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4608

Re: [Request] Vampire's Fall: Origins

Post by SunBeam »

Alright.. so I looked at the Forge success rate ;) While looking for an automated way to read the Instance pointer needed for the Admin Panel, I got to this function that gets executed as you click on a button (any button from the Admin Panel GUI):

Code:

UIButton:OnClick - 55                    - push rbp
UIButton:OnClick+1- 48 8B EC              - mov rbp,rsp
UIButton:OnClick+4- 48 83 EC 30           - sub rsp,30
UIButton:OnClick+8- 48 89 75 F8           - mov [rbp-08],rsi
UIButton:OnClick+c- 48 8B F1              - mov rsi,rcx
UIButton:OnClick+f- 48 B8 B03B150807010000 - mov rax,0000010708153BB0
UIButton:OnClick+19- 48 8B 08              - mov rcx,[rax]
UIButton:OnClick+1c- 33 D2                 - xor edx,edx
UIButton:OnClick+1e- 49 BB 408B941307010000 - mov r11,UnityEngine:Object:op_Equality { (-326416299) }
UIButton:OnClick+28- 41 FF D3              - call r11
UIButton:OnClick+2b- 85 C0                 - test eax,eax
UIButton:OnClick+2d- 0F84 71000000         - je UIButton:OnClick+a4
UIButton:OnClick+33- 48 8B CE              - mov rcx,rsi
UIButton:OnClick+36- 48 8B 06              - mov rax,[rsi]
UIButton:OnClick+39- FF 90 A8000000        - call qword ptr [rax+000000A8]
UIButton:OnClick+3f- 85 C0                 - test eax,eax
UIButton:OnClick+41- 0F84 5D000000         - je UIButton:OnClick+a4
UIButton:OnClick+47- 48 B8 542B150807010000 - mov rax,0000010708152B54
UIButton:OnClick+51- 48 63 00              - movsxd  rax,dword ptr [rax]
UIButton:OnClick+54- 83 F8 FE              - cmp eax,-02
UIButton:OnClick+57- 0F84 47000000         - je UIButton:OnClick+a4
UIButton:OnClick+5d- 48 B8 542B150807010000 - mov rax,0000010708152B54
UIButton:OnClick+67- 48 63 00              - movsxd  rax,dword ptr [rax]
UIButton:OnClick+6a- 83 F8 FD              - cmp eax,-03
UIButton:OnClick+6d- 74 35                 - je UIButton:OnClick+a4
UIButton:OnClick+6f- 48 B8 B03B150807010000 - mov rax,0000010708153BB0
UIButton:OnClick+79- 48 89 30              - mov [rax],rsi
UIButton:OnClick+7c- 48 8B 8E B8000000     - mov rcx,[rsi+000000B8]
UIButton:OnClick+83- 66 66 90              - nop 
UIButton:OnClick+86- 49 BB D0D9ED1607010000 - mov r11,EventDelegate:Execute { (-326416299) }
UIButton:OnClick+90- 41 FF D3              - call r11
UIButton:OnClick+93- 48 B8 B03B150807010000 - mov rax,0000010708153BB0
UIButton:OnClick+9d- 48 C7 00 00000000     - mov qword ptr [rax],00000000
UIButton:OnClick+a4- 48 8B 75 F8           - mov rsi,[rbp-08]
UIButton:OnClick+a8- 48 8D 65 00           - lea rsp,[rbp+00]
UIButton:OnClick+ac- 5D                    - pop rbp
UIButton:OnClick+ad- C3                    - ret 
Since I couldn't find any reference in Telerik's JustDecompile for it (seems to be a universal Unity function), I reckon it would work for any button in a GUI, right? Such as this one? :)

Image

Said and done.. I know by now where to find the function that gets executed via that click of a button.

So:

Code:

UIButton:OnClick - 55                    - push rbp <-- breakpoint
Click the button and CE breaks. Trace the code till here:

Code:

UIButton:OnClick+7c - 48 8B 8E B8000000     - mov rcx,[rsi+000000B8] <-- ptr is read
UIButton:OnClick+83 - 66 66 90              - nop 
UIButton:OnClick+86 - 49 BB D0D9AFDAA5020000 - mov r11,EventDelegate:Execute
UIButton:OnClick+90 - 41 FF D3              - call r11 <-- F7 here
Time to go inside "EventDelegate:Execute", via F7 on that "call r11". Then trace the code till here:

Code:

EventDelegate:Execute+7d - 48 63 4D 80           - movsxd  rcx,dword ptr [rbp-80]
EventDelegate:Execute+81 - 48 63 C9              - movsxd  rcx,ecx
EventDelegate:Execute+84 - 48 8D 44 C8 20        - lea rax,[rax+rcx*8+20]
EventDelegate:Execute+89 - 48 8B 00              - mov rax,[rax]
EventDelegate:Execute+8c - 48 89 85 78FFFFFF     - mov [rbp-00000088],rax
EventDelegate:Execute+93 - 48 89 45 A8           - mov [rbp-58],rax
EventDelegate:Execute+97 - 48 85 C0              - test rax,rax
EventDelegate:Execute+9a - 0F84 7D010000         - je EventDelegate:Execute+21d
EventDelegate:Execute+a0 - 48 8B 45 A8           - mov rax,[rbp-58]
EventDelegate:Execute+a4 - 48 8B C8              - mov rcx,rax
EventDelegate:Execute+a7 - 83 38 00              - cmp dword ptr [rax],00
EventDelegate:Execute+aa - 48 8D 6D 00           - lea rbp,[rbp+00]
EventDelegate:Execute+ae - 49 BB 0000B0DAA5020000 - mov r11,EventDelegate:Execute { (-326416299) }
EventDelegate:Execute+b8 - 41 FF D3              - call r11 <-- F7 here
And we continue till here:

Code:

EventDelegate:Execute+7a - 48 8B 40 28           - mov rax,[rax+28]
EventDelegate:Execute+7e - 48 85 C0              - test rax,rax
EventDelegate:Execute+81 - 74 29                 - je EventDelegate:Execute+ac
EventDelegate:Execute+83 - 48 8B 85 58FFFFFF     - mov rax,[rbp-000000A8]
EventDelegate:Execute+8a - 48 8B 40 28           - mov rax,[rax+28]
EventDelegate:Execute+8e - 48 8B C8              - mov rcx,rax
EventDelegate:Execute+91 - 48 89 85 50FFFFFF     - mov [rbp-000000B0],rax
EventDelegate:Execute+98 - FF 50 18              - call qword ptr [rax+18] <-- F7 here
And we see that a generic wrapper is executed:

Code:

2A5C9AA21F0 - 48 8B C1              - mov rax,rcx
2A5C9AA21F3 - 48 8B 48 20           - mov rcx,[rax+20] <-- Instance ptr of the Forge window
2A5C9AA21F7 - FF 60 10              - jmp qword ptr [rax+10] <-- exec function
And that function iiiissss...

Code:

ForgeView:Forge - 55                    - push rbp
ForgeView:Forge+1- 48 8B EC              - mov rbp,rsp
ForgeView:Forge+4- 48 81 EC D0000000     - sub rsp,000000D0
ForgeView:Forge+b- 48 89 75 E8           - mov [rbp-18],rsi
Tanaaa :D

Now to see where the fuck in there is the SUCCESS rate.

- - -

This is the decompiled code :)

Code:

private IEnumerator ForgeAnimation()
{
	ForgeView color32 = null;
	float? nullable;
	double? nullable1;
	bool flag = true;
	while (flag)
	{
		yield return new WaitForSeconds(0.01f);
		UISlider uISlider = color32.slider;
		uISlider.@value = uISlider.@value + 0.018f;
		if (color32.slider.@value < 1f)
		{
			continue;
		}
		flag = false;
		bool flag1 = Singleton<ForgeManager>.Instance.TryForgeItem(color32.activeItem);
		PersistenceManager.SaveData(null, false);
		if (!flag1)
		{
			color32.foreGroundSlider.color = new Color32(113, 8, 0, 255);
			color32.resultLabel.color = new Color32(113, 8, 0, 255);
			color32.resultLabel.text = LanguageManager.GetText(6340, "Failed!", true);
			nullable = null;
			nullable1 = null;
			MasterAudio.PlaySoundAndForget("WeaponUpgradeFailed", 1f, nullable, 0.1f, null, nullable1);
		}
		else
		{
			color32.StartCoroutine("PlayEffects");
			yield return new WaitForSeconds(0.05f);
			color32.foreGroundSlider.color = new Color32(8, 114, 0, 255);
			color32.resultLabel.color = new Color32(8, 114, 0, 255);
			color32.resultLabel.text = LanguageManager.GetText(6341, "Success!", true);
			nullable = null;
			nullable1 = null;
			MasterAudio.PlaySoundAndForget("WeaponUpgradeFinish", 1f, nullable, 0.1f, null, nullable1);
			TweenAlpha.Begin(color32.plusOneLabelLeft.gameObject, 0.5f, 1f, 0f);
			Vector3 vector3 = color32.startPosLeftPlus + (Vector3.up * 45f);
			TweenPosition.Begin(color32.plusOneLabelLeft.gameObject, 1.2f, vector3);
		}
As in here:

Code:

public void Forge()
{
	if (Singleton<Character>.Instance.BloodStones == 0)
	{
		ConfirmPopUp confirmPopUp = new ConfirmPopUp()
		{
			text = LanguageManager.GetText(6419, "You have no bloodstones!", true),
			OnConfirm = () => MonoSingleton<ViewManager>.Instance.HideView(ViewType.ConfirmPopUp)
		};
		MonoSingleton<ViewManager>.Instance.ActivateView(ViewType.ConfirmPopUp, confirmPopUp, null);
		return;
	}
	this.closeButton.SetActive(false);
	float? nullable = null;
	double? nullable1 = null;
	MasterAudio.PlaySoundAndForget("WeaponUpgrade", 1f, nullable, 0f, null, nullable1);
	this.ForgeButton.isEnabled = false;
	this.ForgeButton.UpdateColor(true);
	this.meltButton.SetActive(false);
	base.StartCoroutine(this.ForgeAnimation()); // <-- here!
	this.SelectItem.isEnabled = false;
	Singleton<Character>.Instance.UseBloodStone(1);
	this.bsCount.text = Singleton<Character>.Instance.BloodStones.ToString();
}
Now to break in there and see how the rate is calculated (where to patch).

Apparently, that's what happens after the forging has finished. So it's not in the IEnumerator the show goes down, but here:

Image

So re-route to ForgeManager::TryForgeItem.

CONCLUSION: "Always Success!" -> kill the "jnl" (NOP it):

Code:

ForgeManager:TryForgeItem+176 - 49 BB 70FEE9439B020000 - mov r11,ForgeManager:GetForgeChance
ForgeManager:TryForgeItem+180 - 41 FF D3              - call r11
ForgeManager:TryForgeItem+183 - 44 3B F8              - cmp r15d,eax
ForgeManager:TryForgeItem+186 - 0F8D 80010000         - jnl ForgeManager:TryForgeItem+30c <--
BR,
Sun
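
As an added example (not code from the thread, from Cheat Engine or from the game), the helper below parses disassembly lines in the "label+offset - bytes - asm" layout quoted throughout this thread and checks two things the posts rely on by hand: in the AddXp post, that the 8-byte immediate of the `49 BB` (`mov r11, imm64`) instruction really decodes to the addresses being swapped (the replaced one should come out as the 29C99DE2820 quoted there), and in the TryForgeItem post, that the `jnl` rel32 and the `je` rel8 bytes really land on the `+30c` / `+a4` targets CE prints. The sample lines are copied from the posts above; the function names and the regex are my own.

```python
import re
import struct

# Constructed sample input: disassembly lines in the "label+offset - bytes - asm"
# layout the thread quotes. Byte strings and labels are copied from the posts
# above; nothing here is read from a live process.
SAMPLE_LINES = [
    "AdminPanel:AddXp+5e- 49 BB E0BCE0999C020000 - mov r11,Character:AddXP <-- tanaaa!",
    "AdminPanel:AddXp+5e- 49 BB 2028DE999C020000 - mov r11,Character:AddBloodStones <--- boom",
    "ForgeManager:TryForgeItem+186 - 0F8D 80010000         - jnl ForgeManager:TryForgeItem+30c <--",
    "UIButton:OnClick+6d- 74 35                 - je UIButton:OnClick+a4",
    "UIButton:OnClick - 55                    - push rbp <-- breakpoint",
]

# label, optional "+hexoffset", the hex byte groups, then the mnemonic text
LINE_RE = re.compile(
    r"^(?P<label>[^\s+]+?)(?:\+(?P<off>[0-9A-Fa-f]+))?\s*-\s+"
    r"(?P<bytes>[0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*)\s+-\s+(?P<asm>.+?)\s*$"
)


def parse_line(line):
    """Split one CE-style line into (label, offset, encoded bytes, asm text)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised disassembly line: {line!r}")
    offset = int(m["off"], 16) if m["off"] else 0
    code = bytes.fromhex(m["bytes"].replace(" ", ""))
    return m["label"], offset, code, m["asm"]


def movabs_r11_immediate(code):
    """Decode 'mov r11, imm64': REX.WB (49), opcode BB, 8-byte little-endian immediate."""
    if len(code) != 10 or code[:2] != b"\x49\xbb":
        raise ValueError("not a 'mov r11, imm64' encoding")
    return struct.unpack("<Q", code[2:])[0]


def encode_movabs_r11(target):
    """Inverse of movabs_r11_immediate: the 10 bytes that load `target` into r11."""
    return b"\x49\xbb" + struct.pack("<Q", target)


def branch_target(offset, code):
    """Return (target offset, instruction length) for a relative branch.

    Covers Jcc rel8 (70..7F), JMP rel8 (EB), Jcc rel32 (0F 80..8F) and
    CALL/JMP rel32 (E8/E9). The displacement is relative to the next instruction.
    """
    if len(code) == 2 and (0x70 <= code[0] <= 0x7F or code[0] == 0xEB):
        rel = struct.unpack("<b", code[1:2])[0]
    elif len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        rel = struct.unpack("<i", code[2:6])[0]
    elif len(code) == 5 and code[0] in (0xE8, 0xE9):
        rel = struct.unpack("<i", code[1:5])[0]
    else:
        raise ValueError("not a relative branch encoding")
    return offset + len(code) + rel, len(code)


def verify_branch_line(line):
    """Compute a branch target from its bytes and compare with the label CE printed."""
    label, offset, code, asm = parse_line(line)
    computed, length = branch_target(offset, code)
    m = re.search(r"\+([0-9A-Fa-f]+)", asm)  # CE prints targets as label+offset
    stated = int(m.group(1), 16) if m else None
    return {"label": label, "offset": offset, "length": length,
            "computed": computed, "stated": stated, "ok": computed == stated}


def describe(line):
    """One-line report for the instruction kinds the thread works with."""
    label, offset, code, asm = parse_line(line)
    if code[:2] == b"\x49\xbb":
        return f"{label}+{offset:x}: mov r11, {movabs_r11_immediate(code):#x}"
    try:
        r = verify_branch_line(line)
    except ValueError:
        return f"{label}+{offset:x}: {asm} ({len(code)} byte(s))"
    status = "matches" if r["ok"] else "DOES NOT match"
    return (f"{label}+{offset:x}: {r['length']}-byte branch to +{r['computed']:x}, "
            f"{status} the printed target")


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(describe(sample))
    # The AddXp post swaps only the immediate, so the re-encoded instruction
    # must be exactly the 10 bytes shown in the "boom" line.
    print(encode_movabs_r11(0x29C99DE2820).hex(" ").upper())
```

The reported instruction length is the useful part when a branch is to be neutralised, as the last post does with the `jnl`: the rel32 form is 6 bytes, so a replacement has to cover exactly those 6 bytes, or the decoder falls out of sync on the instruction that follows. The same decoder flags a mismatch between the bytes and the printed target, which is what you want to see before trusting a listing copied from a different run of the game (the absolute addresses change between runs, the relative displacements do not).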
