Tale of Immortal - Need help with destiny editor

Add topics here with methods, analysis, code snippets, mods etc. for a certain game that normally won't make it in the Tables or Requests sections.
Post Reply
Windfarer
What is cheating?
What is cheating?
Posts: 2
Joined: Fri Nov 17, 2017 6:31 pm
Reputation: 1

Tale of Immortal - Need help with destiny editor

Post by Windfarer »

I'm making a script to edit the destiny that we have chosen during each breakthrough. My script could find the target destiny and swap it to a desired one. Although the change is permanent (saving-loading and restarting the game does not revert it back), only the icon is changed. It does not have a real effect. For example, if I swap Water Burst to Fire Burst, my character is still shooting water. I need help figuring out how to make it work.

Here's how to use my script:


In short:
1. Hook the game and enable the script.
2. Go to "Rewrite Destiny" or press J
3. Select desired page and you should be able to swap the destiny in that page.


Here is my CT file:
The reason I'm working on this:
All other CE tables and English-language trainers do not have this function yet. The Chinese trainer (as posted on viewtopic.php?f=2&t=15535&start=30) can edit destiny; however, there is no English-translation for the destiny names so it is very difficult to use.

Since the Chinese trainer is working and the change has a real effect in game, I've been trying to search for changed / unchanged value after the destiny swap, but I'm unable to find what it is that the trainer does in addition to what I did for my table.


What I did and tried:
I searched the ID of a destiny I have on my character, for example, 700017 is Water Burst. Then I tried modifying the addresses to 700016, which is Fire Burst, to see if there are changes. There is one address that could change the icon, so I made a script based on that for now.

There were many addresses with the value 700017. I tried changing the other ones. Some resulted in crashes. Some caused the skill to be disabled. But none seem to change from shooting water burst to fire burst. Maybe I missed something.

Then I tied scanning for what the Chinese trainer did by searching for changed/unchanged. Surprisingly, only the address that changed the icon came up. The trainer does change that value, but I'm sure that it does something else besides this, because it works, unlike my script.

I also thought of the possibility that something needs to be updated in game for the change to take effect. So I tried changing the value and breakthrough, such as to Golden Core, but I still got Water Burst shooting effect.

This game is written on Unity. So mono features may help, but I could not find ones that relate to this.

Other than that, I'm not experienced enough to do anything like back-tracing so I really got stuck.

Windfarer
What is cheating?
What is cheating?
Posts: 2
Joined: Fri Nov 17, 2017 6:31 pm
Reputation: 1

Re: Tale of Immortal - Need help with destiny editor

Post by Windfarer »

Update: I tried using the item called "Jagu's Memories" which could respecialize a destiny. Only one address was found, which was the one I made the script for.

Now I'm thinking that maybe it is not just a display value, but rather that something else needs to be triggered in order to update the change made. This trigger, however, does not leave any traces. That's why I can't find it using changed/unchanged method. It could even be a boolean value that changes from 0 to 1 to cause the character to update the skill, and 1 second later, it goes back to 0.

Or maybe it does leave some traces but 4-bytes scanning does not give any results. Going to test more....

Update 2: I managed to find the instruction that writes to the value (ex. 700017), when the respec item (Jagu's Memories) is applied.

(See the last line)

Code: Select all

GameAssembly.dll+1C38DB4 - 33 C9                 - xor ecx,ecx
GameAssembly.dll+1C38DB6 - E8 2538BD01           - call g.get_world
GameAssembly.dll+1C38DBB - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38DBE - 0F84 42010000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38DC4 - 48 3B 78 10           - cmp rdi,[rax+10]
GameAssembly.dll+1C38DC8 - 0F85 C1000000         - jne GameAssembly.dll+1C38E8F
GameAssembly.dll+1C38DCE - 33 C9                 - xor ecx,ecx
GameAssembly.dll+1C38DD0 - E8 DB31BD01           - call g.get_data
GameAssembly.dll+1C38DD5 - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38DD8 - 0F84 28010000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38DDE - 33 D2                 - xor edx,edx
GameAssembly.dll+1C38DE0 - 48 8B C8              - mov rcx,rax
GameAssembly.dll+1C38DE3 - E8 38DB47FF           - call DataMgr.get_world
GameAssembly.dll+1C38DE8 - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38DEB - 0F84 15010000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38DF1 - 48 8B 40 78           - mov rax,[rax+78]
GameAssembly.dll+1C38DF5 - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38DF8 - 0F84 08010000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38DFE - 48 8B 48 40           - mov rcx,[rax+40]
GameAssembly.dll+1C38E02 - 48 85 C9              - test rcx,rcx
GameAssembly.dll+1C38E05 - 0F84 FB000000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38E0B - 4C 8B 05 065C4D02     - mov r8,[GameAssembly.dll+410EA18]
GameAssembly.dll+1C38E12 - 8B 53 48              - mov edx,[rbx+48]
GameAssembly.dll+1C38E15 - E8 06990201           - call GameAssembly.dll+2C62720
GameAssembly.dll+1C38E1A - 84 C0                 - test al,al
GameAssembly.dll+1C38E1C - 74 71                 - je GameAssembly.dll+1C38E8F
GameAssembly.dll+1C38E1E - 33 C9                 - xor ecx,ecx
GameAssembly.dll+1C38E20 - E8 8B31BD01           - call g.get_data
GameAssembly.dll+1C38E25 - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38E28 - 0F84 D8000000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38E2E - 33 D2                 - xor edx,edx
GameAssembly.dll+1C38E30 - 48 8B C8              - mov rcx,rax
GameAssembly.dll+1C38E33 - E8 E8DA47FF           - call DataMgr.get_world
GameAssembly.dll+1C38E38 - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38E3B - 0F84 C5000000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38E41 - 48 8B 40 78           - mov rax,[rax+78]
GameAssembly.dll+1C38E45 - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38E48 - 0F84 B8000000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38E4E - 48 8B 48 40           - mov rcx,[rax+40]
GameAssembly.dll+1C38E52 - 48 85 C9              - test rcx,rcx
GameAssembly.dll+1C38E55 - 0F84 AB000000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38E5B - 4C 8B 05 56674D02     - mov r8,[GameAssembly.dll+410F5B8]
GameAssembly.dll+1C38E62 - 8B 53 48              - mov edx,[rbx+48]
GameAssembly.dll+1C38E65 - E8 F6F61201           - call GameAssembly.dll+2D68560
GameAssembly.dll+1C38E6A - 48 85 C0              - test rax,rax
GameAssembly.dll+1C38E6D - 0F84 93000000         - je GameAssembly.dll+1C38F06
GameAssembly.dll+1C38E73 - 41 8B 4F 10           - mov ecx,[r15+10]

GameAssembly.dll+1C38E77 - 89 48 14              - mov [rax+14],ecx            <--- This one

Then I test writing a script on "mov [rax+14],ecx" and change ecx to a desired ID, but the result has no effect in game.
Same with "mov ecx,[r15+10]", the earlier instruction:

Code: Select all

  
newmem:
  mov [r15+10],#700013
code:
  mov ecx,[r15+10]
  mov [rax+14],ecx
  jmp return


So when the respec item is used, you could select any destiny but the script would change it to the desired destiny. Doing this still has no effect in game.

I try to trace back further, but I got lost. R15 seems to way above... and I can't find R15+10 anywhere earlier. So I suppose that those "je" jumps to another function and then jumps back ?? Can anyone help me trace back further ? I really got confused.

What I'm thinking is that... there should be an address earlier in the codes (probably temporary), in which triggers the change ?

Post Reply

Who is online

Users browsing this forum: link58