Metro Exodus [CPY] Table+20*Table Update 0.49*


Post by xorps »

Crosshair :)
Code:

[ENABLE]
aobscanmodule(crosshair,MetroExodus.exe,F3 0F 10 * * * 48 * * F3 0F 5D 9B 30 06 00 00)
alloc(newmem,$1000,crosshair)
label(code)
label(return)
newmem:
  mov [rbx+0000062C],0
  mov [rbx+00000630],0
code:
  minss xmm3,[rbx+00000630]
  jmp return
crosshair+09:
  jmp newmem
  db 90 90 90
return:
registersymbol(crosshair)
[DISABLE]
crosshair+09:
  db F3 0F 5D 9B 30 06 00 00
unregistersymbol(crosshair)
dealloc(newmem)


How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1


Post by SunBeam »

@l0wb1t: Finally, fucking console :P

Image

Check the bottom-left, surprise :P

The Exodus 4A Engine is a bit evolved coding-wise, but the main structures and logic of them are still there ;) Will post a video sometime these days showing fiddling with the console, haha :)

BR,
Sun


Post by l0wb1t »

SunBeam wrote:
Tue Mar 05, 2019 4:09 pm
@l0wb1t: Finally, fucking console :P

You make me feel like an idiot now. I don't have 2033 Redux installed yet. Would be cool if you got it also working for Exodus, how you enabled it plus being able to type something in.


Post by SunBeam »

Fun fact: the new version of 4A Engine in this game has auto-complete for the console ;) Pretty pimp. Video incoming :D



Yes, not yet out. Will do later on.

BR,
Sun


Post by Player360 »

SunBeam wrote:
Wed Mar 06, 2019 1:42 am
Fun fact: the new version of 4A Engine in this game has auto-complete for the console ;) Pretty pimp. Video incoming :D

Yes, not yet out. Will do later on.

BR,
Sun

:!: Quick question: are you working on v1.0 only, or will you give support for upcoming updates, like Steam v1.0.0.2 and EpicGames v1.0.1.2?
Since you're posting on the [CPY] table, that means for 1.0 as far as I am concerned :|


Post by SunBeam »

I have the original game bought off Epic. Am posting here cuz this is where the interesting discussions are (l0wb1t and several others, like xorps) ;)


Post by l0wb1t »

Awesome Sun.


Post by TimFun13 »

Here's one for the gas mask filter decrease flag. (Steam version)

Code:

{
	Process			: MetroExodus.exe  -  (x64)
	Module			: MetroExodus.exe
	Game Title		: Metro Exodus
	Game Version	: 1.0.0.2
	CE Version		: 6.83
	Script Version	: 0.0.1
	Date			: 03/06/19
	Author			: ShyTwig16
	Name			: GasMaskFilterDecFlagHook

	Gas Mask Filter Dec Flag Hook

	48xxxx48xxxxFFxxxxxxxxxx84xx0F84xxxxxxxx80xxxxxxxxxxxx
	488B064889F1FF903817000084C00F842C04000080BF8E0A000000
	488B064889F1FF903817000084C00F84xxxxxxxx80BF8E0A000000
}

{$STRICT}

define(address, MetroExodus.exe+946DA4A)
define(oldBytes, FF 90 38 17 00 00) // call qword ptr [rax+00001738]
define(newBytes, B0 00 90 90 90 90) // mov al,00
									// db 90 90 90 90

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobGasMaskFilterDecFlagHook, MetroExodus.exe, 488B064889F1FF903817000084C00F84xxxxxxxx80BF8E0A000000)
define(injGasMaskFilterDecFlagHook, aobGasMaskFilterDecFlagHook+6)
assert(injGasMaskFilterDecFlagHook, oldBytes)
registerSymbol(injGasMaskFilterDecFlagHook)


////
//// ---------- Injection Point ----------
injGasMaskFilterDecFlagHook:
	db newBytes


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injGasMaskFilterDecFlagHook:
	db oldBytes

unregisterSymbol(injGasMaskFilterDecFlagHook)

{
//// Injection Point: MetroExodus.exe+946DA4A  -  000000014946DA4A
//// AOB address: 000000014946DA44  -  MetroExodus.exe+946DA44
//// Process: MetroExodus.exe  -  0000000140000000
//// Module: MetroExodus.exe  -  0000000140000000
//// Module Size: 00000000152FF000
MetroExodus.exe+946D9E6:  C6 87 910A0000 01           -  mov byte ptr [rdi+00000A91],01     
MetroExodus.exe+946D9ED:  C6 87 8D0A0000 00           -  mov byte ptr [rdi+00000A8D],00     
MetroExodus.exe+946D9F4:  E9 93040000                 -  jmp 14946DE8C                      
MetroExodus.exe+946D9F9:  F6 05 C0B906F8 80           -  test byte ptr [1414D93C0],-80      
MetroExodus.exe+946DA00:  0F85 86040000               -  jne 14946DE8C                      
MetroExodus.exe+946DA06:  80 BF 910A0000 00           -  cmp byte ptr [rdi+00000A91],00     
MetroExodus.exe+946DA0D:  0F85 79040000               -  jne 14946DE8C                      
MetroExodus.exe+946DA13:  48 85 F6                    -  test rsi,rsi                       
MetroExodus.exe+946DA16:  0F84 70040000               -  je 14946DE8C                       
MetroExodus.exe+946DA1C:  48 89 F9                    -  mov rcx,rdi                        
MetroExodus.exe+946DA1F:  E8 EC6D0BF7                 -  call 140524810                     
MetroExodus.exe+946DA24:  F3 0F10 35 04F8F5F7         -  movss xmm6,[1413CD230]             [7FFFFFFF]
MetroExodus.exe+946DA2C:  F3 0F10 3D F4DAF5F7         -  movss xmm7,[1413CB528]             [33D6BF95]
MetroExodus.exe+946DA34:  0F54 C6                     -  andps xmm0,xmm6                    
MetroExodus.exe+946DA37:  0F2F C7                     -  comiss xmm0,xmm7                   
MetroExodus.exe+946DA3A:  73 08                       -  jae 14946DA44                      
MetroExodus.exe+946DA3C:  48 89 F9                    -  mov rcx,rdi                        
MetroExodus.exe+946DA3F:  E8 6CAF0BF7                 -  call 1405289B0                     
MetroExodus.exe+946DA44:  48 8B 06                    -  mov rax,[rsi]                      <<<--- AOB Starts Here
MetroExodus.exe+946DA47:  48 89 F1                    -  mov rcx,rsi                        
////  INJECTING START  ----------------------------------------------------------
MetroExodus.exe+946DA4A:  FF 90 38170000              -  call qword ptr [rax+00001738]      
////  INJECTING END  ----------------------------------------------------------
MetroExodus.exe+946DA50:  84 C0                       -  test al,al                         
MetroExodus.exe+946DA52:  0F84 2C040000               -  je 14946DE84                       
MetroExodus.exe+946DA58:  80 BF 8E0A0000 00           -  cmp byte ptr [rdi+00000A8E],00     
MetroExodus.exe+946DA5F:  0F85 1F040000               -  jne 14946DE84                      
MetroExodus.exe+946DA65:  F3 0F10 87 740A0000         -  movss xmm0,[rdi+00000A74]          
MetroExodus.exe+946DA6D:  0F54 C6                     -  andps xmm0,xmm6                    
MetroExodus.exe+946DA70:  0F2F C7                     -  comiss xmm0,xmm7                   
MetroExodus.exe+946DA73:  0F82 0B040000               -  jb 14946DE84                       
MetroExodus.exe+946DA79:  F2 0F10 9F 800A0000         -  movsd xmm3,[rdi+00000A80]          
MetroExodus.exe+946DA81:  8B 87 880A0000              -  mov eax,[rdi+00000A88]             
MetroExodus.exe+946DA87:  0F28 D3                     -  movaps xmm2,xmm3                   
MetroExodus.exe+946DA8A:  0FC6 D2 55                  -  shufps xmm2,xmm2,55                
MetroExodus.exe+946DA8E:  0F28 E2                     -  movaps xmm4,xmm2                   
MetroExodus.exe+946DA91:  89 44 24 28                 -  mov [rsp+28],eax                   
MetroExodus.exe+946DA95:  F3 0F5C E3                  -  subss xmm4,xmm3                    
MetroExodus.exe+946DA99:  F2 0F11 5C 24 20            -  movsd [rsp+20],xmm3                
MetroExodus.exe+946DA9F:  89 44 24 28                 -  mov [rsp+28],eax                   
MetroExodus.exe+946DAA3:  F2 0F11 5C 24 20            -  movsd [rsp+20],xmm3                
MetroExodus.exe+946DAA9:  89 44 24 28                 -  mov [rsp+28],eax                   
MetroExodus.exe+946DAAD:  F3 0F10 6C 24 28            -  movss xmm5,[rsp+28]                
//// Template: I2CEA_AOBInjection
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}{
MetroExodus.exe+301F68 - 8A 81 1A140000        - mov al,[rcx+0000141A]
MetroExodus.exe+301F6E - C3                    - ret 
MetroExodus.exe+301F6F - CC                    - int 3 
MetroExodus.exe+301F70 - E9 3BF18E06           - jmp MetroExodus.exe+6BF10B0
MetroExodus.exe+301F75 - CC                    - int 3 
MetroExodus.exe+301F76 - CC                    - int 3 
MetroExodus.exe+301F77 - CC                    - int 3 
MetroExodus.exe+301F78 - CC                    - int 3 
}


Post by SunBeam »

LOL.. I mean..

Code:

////  INJECTING START  ----------------------------------------------------------
MetroExodus.exe+946DA4A:  FF 90 38170000              -  call qword ptr [rax+00001738]      
////  INJECTING END  ----------------------------------------------------------
MetroExodus.exe+946DA50:  84 C0                       -  test al,al                         
MetroExodus.exe+946DA52:  0F84 2C040000               -  je 14946DE84                       
MetroExodus.exe+946DA58:  80 BF 8E0A0000 00           -  cmp byte ptr [rdi+00000A8E],00     
MetroExodus.exe+946DA5F:  0F85 1F040000               -  jne 14946DE84  

See how both the JE and JNE land in the same spot? :) Why not find and patch [rdi+A8E] to 1?

EDIT: Actually.. what you can do is enter [rax+1738] and patch the function to return 0 (xor eax,eax + ret). That way, any other function calling member function @ 0x1738 would have 0 as return ;) X birds, 1 stone ;)

Code:

MetroExodus.exe+301F68 - 8A 81 1A140000        - mov al,[rcx+0000141A]
MetroExodus.exe+301F6E - C3                    - ret
to

Code:

MetroExodus.exe+301F68 - xor al,al + ret


Post by xorps »

Mask filter :)
Code:

[ENABLE]
aobscanmodule(baseplayerfilter,MetroExodus.exe,F3 0F * * F3 0F * * F3 0F 11 55 50)
baseplayerfilter:
  db F3 0F 10 97 74 0A 00 00
registersymbol(baseplayerfilter)
[DISABLE]
baseplayerfilter:
  db F3 0F 59 CB F3 0F 5C D1
unregistersymbol(baseplayerfilter)


{
// ORIGINAL CODE - INJECTION POINT: "MetroExodus.exe"+B93D64A

"MetroExodus.exe"+B93D60D: F3 0F 10 97 70 0A 00 00     -  movss xmm2,[rdi+00000A70]
"MetroExodus.exe"+B93D615: F2 0F 11 87 80 0A 00 00     -  movsd [rdi+00000A80],xmm0
"MetroExodus.exe"+B93D61D: 44 0F 28 C2                 -  movaps xmm8,xmm2
"MetroExodus.exe"+B93D621: F3 44 0F 5E 87 74 0A 00 00  -  divss xmm8,[rdi+00000A74]
"MetroExodus.exe"+B93D62A: 89 87 88 0A 00 00           -  mov [rdi+00000A88],eax
"MetroExodus.exe"+B93D630: F2 0F 11 44 24 20           -  movsd [rsp+20],xmm0
"MetroExodus.exe"+B93D636: 0F 57 C0                    -  xorps xmm0,xmm0
"MetroExodus.exe"+B93D639: F2 49 0F 2A 07              -  cvtsi2sd xmm0,[r15]
"MetroExodus.exe"+B93D63E: F2 0F 59 05 82 01 A7 F5     -  mulsd xmm0,[MetroExodus.exe+13AD7C8]
"MetroExodus.exe"+B93D646: 66 0F 5A C8                 -  cvtpd2ps xmm1,xmm0
// ---------- INJECTING HERE ----------
"MetroExodus.exe"+B93D64A: F3 0F 59 CB                 -  mulss xmm1,xmm3
"MetroExodus.exe"+B93D64E: F3 0F 5C D1                 -  subss xmm2,xmm1
// ---------- DONE INJECTING  ----------
"MetroExodus.exe"+B93D652: F3 0F 11 55 50              -  movss [rbp+50],xmm2
"MetroExodus.exe"+B93D657: E8 D4 7D B1 F4              -  call MetroExodus.exe+455430
"MetroExodus.exe"+B93D65C: 80 3D CD 32 C9 F5 00        -  cmp byte ptr [MetroExodus.exe+15D0930],00
"MetroExodus.exe"+B93D663: 74 0A                       -  je MetroExodus.exe+B93D66F
"MetroExodus.exe"+B93D665: F3 0F 10 1D D7 FF A6 F5     -  movss xmm3,[MetroExodus.exe+13AD644]
"MetroExodus.exe"+B93D66D: EB 03                       -  jmp MetroExodus.exe+B93D672
"MetroExodus.exe"+B93D66F: 0F 57 DB                    -  xorps xmm3,xmm3
"MetroExodus.exe"+B93D672: F3 0F 10 05 1A 08 A7 F5     -  movss xmm0,[MetroExodus.exe+13ADE94]
"MetroExodus.exe"+B93D67A: F3 0F 10 55 50              -  movss xmm2,[rbp+50]
"MetroExodus.exe"+B93D67F: F3 0F 5D D0                 -  minss xmm2,xmm0
}

Although maybe in the updated version of the game the value of the xmm register has changed. But you can see and replace it :mellow:


Post by TimFun13 »

SunBeam wrote:
Wed Mar 06, 2019 10:52 am
LOL.. I mean..

Code:

////  INJECTING START  ----------------------------------------------------------
MetroExodus.exe+946DA4A:  FF 90 38170000              -  call qword ptr [rax+00001738]      
////  INJECTING END  ----------------------------------------------------------
MetroExodus.exe+946DA50:  84 C0                       -  test al,al                         
MetroExodus.exe+946DA52:  0F84 2C040000               -  je 14946DE84                       
MetroExodus.exe+946DA58:  80 BF 8E0A0000 00           -  cmp byte ptr [rdi+00000A8E],00     
MetroExodus.exe+946DA5F:  0F85 1F040000               -  jne 14946DE84  

See how both the JE and JNE land in the same spot? :) Why not find and patch [rdi+A8E] to 1?

EDIT: Actually.. what you can do is enter [rax+1738] and patch the function to return 0 (xor eax,eax + ret). That way, any other function calling member function @ 0x1738 would have 0 as return ;) X birds, 1 stone ;)

Code:

MetroExodus.exe+301F68 - 8A 81 1A140000        - mov al,[rcx+0000141A]
MetroExodus.exe+301F6E - C3                    - ret
to

Code:

MetroExodus.exe+301F68 - xor al,al + ret

Basically, I don't know what else might call that; in theory it would always be for the flag, but the code that calls it is only for the mask filter. That and it's just how I did it. :D


Here's one that uses a multiplier for the gas mask filter decrease.

Code:

{
	Process			: MetroExodus.exe  -  (x64)
	Module			: MetroExodus.exe
	Game Title		: Metro Exodus
	Game Version	: 1.0.0.2
	CE Version		: 6.83
	Script Version	: 0.0.1
	Date			: 03/04/19
	Author			: ShyTwig16
	Name			: GasMaskFilterDecHook

	Gas Mask Filter Dec Hook
}

{$STRICT}

define(address, MetroExodus.exe+946DB5E)
define(bytes, F3 0F 5C D1 F3 0F 11 55 50)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobGasMaskFilterDecHook, MetroExodus.exe, F2xxxxxxxxxxxxxx66xxxxxxF3xxxxxxF3xxxxxxF3xxxxxxxxE8)
define(injGasMaskFilterDecHook, aobGasMaskFilterDecHook+10)
assert(injGasMaskFilterDecHook, bytes)
registerSymbol(injGasMaskFilterDecHook)

alloc(memGasMaskFilterDecHook, 0x400, injGasMaskFilterDecHook)

label(fltGasMaskFilterDecHook)
registerSymbol(fltGasMaskFilterDecHook)

label(ptrGasMaskFilterDecHook)
registerSymbol(ptrGasMaskFilterDecHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memGasMaskFilterDecHook:
	fltGasMaskFilterDecHook:
		dd (float)0.0625
	align 10
	ptrGasMaskFilterDecHook:
		dq 0
	align 10 CC
	n_code:
		mov [ptrGasMaskFilterDecHook],rdi
		mulss xmm1,[fltGasMaskFilterDecHook]
	o_code:
		subss xmm2,xmm1
		movss [rbp+50],xmm2
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injGasMaskFilterDecHook:
	jmp n_code
	nop
	nop
	nop
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injGasMaskFilterDecHook:
	db bytes

unregisterSymbol(injGasMaskFilterDecHook)

unregisterSymbol(fltGasMaskFilterDecHook)

unregisterSymbol(ptrGasMaskFilterDecHook)

dealloc(memGasMaskFilterDecHook)

{
//// Injection Point: MetroExodus.exe+946DB5E  -  000000014946DB5E
//// AOB address: 000000014946DB4E  -  MetroExodus.exe+946DB4E
//// Process: MetroExodus.exe  -  0000000140000000
//// Module: MetroExodus.exe  -  0000000140000000
//// Module Size: 00000000152FF000
MetroExodus.exe+946DAFE:  F3 0F58 D9                  -  addss xmm3,xmm1                    
MetroExodus.exe+946DB02:  EB 06                       -  jmp 14946DB0A                      
MetroExodus.exe+946DB04:  0F57 ED                     -  xorps xmm5,xmm5                    
MetroExodus.exe+946DB07:  0F28 D3                     -  movaps xmm2,xmm3                   
MetroExodus.exe+946DB0A:  0F28 C3                     -  movaps xmm0,xmm3                   
MetroExodus.exe+946DB0D:  F3 0F11 6C 24 28            -  movss [rsp+28],xmm5                
MetroExodus.exe+946DB13:  8B 44 24 28                 -  mov eax,[rsp+28]                   
MetroExodus.exe+946DB17:  48 89 F1                    -  mov rcx,rsi                        
MetroExodus.exe+946DB1A:  0F14 C2                     -  unpcklps xmm0,xmm2                 
MetroExodus.exe+946DB1D:  F3 0F10 97 700A0000         -  movss xmm2,[rdi+00000A70]          
MetroExodus.exe+946DB25:  F2 0F11 87 800A0000         -  movsd [rdi+00000A80],xmm0          
MetroExodus.exe+946DB2D:  44 0F28 C2                  -  movaps xmm8,xmm2                   
MetroExodus.exe+946DB31:  F3 44 0F5E 87 740A0000      -  divss xmm8,[rdi+00000A74]          
MetroExodus.exe+946DB3A:  89 87 880A0000              -  mov [rdi+00000A88],eax             
MetroExodus.exe+946DB40:  F2 0F11 44 24 20            -  movsd [rsp+20],xmm0                
MetroExodus.exe+946DB46:  0F57 C0                     -  xorps xmm0,xmm0                    
MetroExodus.exe+946DB49:  F2 49 0F2A 07               -  cvtsi2sd xmm0,[r15]                
MetroExodus.exe+946DB4E:  F2 0F59 05 3ADCF5F7         -  mulsd xmm0,[1413CB790]             [A0B5ED8D]<<<--- AOB Starts Here
MetroExodus.exe+946DB56:  66 0F5A C8                  -  cvtpd2ps xmm1,xmm0                 
MetroExodus.exe+946DB5A:  F3 0F59 CB                  -  mulss xmm1,xmm3                    
////  INJECTING START  ----------------------------------------------------------
MetroExodus.exe+946DB5E:  F3 0F5C D1                  -  subss xmm2,xmm1                    
MetroExodus.exe+946DB62:  F3 0F11 55 50               -  movss [rbp+50],xmm2                
////  INJECTING END  ----------------------------------------------------------
MetroExodus.exe+946DB67:  E8 B48FFEF6                 -  call 140456B20                     
MetroExodus.exe+946DB6C:  80 3D 8DA718F8 00           -  cmp byte ptr [1415F8300],00        
MetroExodus.exe+946DB73:  74 0A                       -  je 14946DB7F                       
MetroExodus.exe+946DB75:  F3 0F10 1D 97DAF5F7         -  movss xmm3,[1413CB614]             [(float)0.0010]
MetroExodus.exe+946DB7D:  EB 03                       -  jmp 14946DB82                      
MetroExodus.exe+946DB7F:  0F57 DB                     -  xorps xmm3,xmm3                    
MetroExodus.exe+946DB82:  F3 0F10 05 C2E2F5F7         -  movss xmm0,[1413CBE4C]             [(float)3000.0000]
MetroExodus.exe+946DB8A:  F3 0F10 55 50               -  movss xmm2,[rbp+50]                
MetroExodus.exe+946DB8F:  F3 0F5D D0                  -  minss xmm2,xmm0                    
MetroExodus.exe+946DB93:  F3 0F11 44 24 48            -  movss [rsp+48],xmm0                
MetroExodus.exe+946DB99:  F3 0F11 5C 24 4C            -  movss [rsp+4C],xmm3                
MetroExodus.exe+946DB9F:  F3 0F5F D3                  -  maxss xmm2,xmm3                    
MetroExodus.exe+946DBA3:  F3 0F11 97 700A0000         -  movss [rdi+00000A70],xmm2          
MetroExodus.exe+946DBAB:  F3 0F11 55 50               -  movss [rbp+50],xmm2                
MetroExodus.exe+946DBB0:  0F54 D6                     -  andps xmm2,xmm6                    
MetroExodus.exe+946DBB3:  0F2F D7                     -  comiss xmm2,xmm7                   
MetroExodus.exe+946DBB6:  73 63                       -  jae 14946DC1B                      
MetroExodus.exe+946DBB8:  44 0F2F 8E 68030000         -  comiss xmm9,[rsi+00000368]         
MetroExodus.exe+946DBC0:  73 59                       -  jae 14946DC1B                      
//// Template: I2CEA_AOBFullInjectionWithValues
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}

And for the filter reserve.

Code:

{
	Process			: MetroExodus.exe  -  (x64)
	Module			: MetroExodus.exe
	Game Title		: Metro Exodus
	Game Version	: 1.0.0.2
	CE Version		: 6.83
	Script Version	: 0.0.1
	Date			: 03/04/19
	Author			: ShyTwig16
	Name			: FilterReserveDecHook

	Filter Reserve Dec Hook
}

{$STRICT}

define(address, MetroExodus.exe+93BBB7C)
define(bytes, F3 0F 5C CA F3 0F 58 D6)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobFilterReserveDecHook, MetroExodus.exe, 0F5BxxF3xxxxxxF3xxxxxxF3xxxxxxF3xxxxxxF3xxxxxxxxxxxxxxF3)
define(injFilterReserveDecHook, aobFilterReserveDecHook+B)
assert(injFilterReserveDecHook, bytes)
registerSymbol(injFilterReserveDecHook)

alloc(memFilterReserveDecHook, 0x400, injFilterReserveDecHook)

label(fltFilterReserveDecHook)
registerSymbol(fltFilterReserveDecHook)

label(ptrFilterReserveDecHook)
registerSymbol(ptrFilterReserveDecHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memFilterReserveDecHook:
	fltFilterReserveDecHook:
		dd (float)0.0625
	align 10
	ptrFilterReserveDecHook:
		dq 0
	align 10 CC
	n_code:
		mov [ptrFilterReserveDecHook],rdi
		mulss xmm2,[fltFilterReserveDecHook]
		subss xmm1,xmm2
		movss xmm2,xmm0
	o_code:
		// subss xmm1,xmm2
		addss xmm2,xmm6
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injFilterReserveDecHook:
	jmp n_code
	nop
	nop
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injFilterReserveDecHook:
	db bytes

unregisterSymbol(injFilterReserveDecHook)

unregisterSymbol(fltFilterReserveDecHook)

unregisterSymbol(ptrFilterReserveDecHook)

dealloc(memFilterReserveDecHook)

{
//// Injection Point: MetroExodus.exe+93BBB7C  -  00000001493BBB7C
//// AOB address: 00000001493BBB71  -  MetroExodus.exe+93BBB71
//// Process: MetroExodus.exe  -  0000000140000000
//// Module: MetroExodus.exe  -  0000000140000000
//// Module Size: 00000000152FF000
MetroExodus.exe+93BBB2A:  0F86 85000000               -  jbe 1493BBBB5                      
MetroExodus.exe+93BBB30:  F3 0F5C C2                  -  subss xmm0,xmm2                    
MetroExodus.exe+93BBB34:  F3 0F5C C8                  -  subss xmm1,xmm0                    
MetroExodus.exe+93BBB38:  F3 0F11 8F F0080000         -  movss [rdi+000008F0],xmm1          
MetroExodus.exe+93BBB40:  EB 73                       -  jmp 1493BBBB5                      
MetroExodus.exe+93BBB42:  48 89 D9                    -  mov rcx,rbx                        
MetroExodus.exe+93BBB45:  E8 36C716F7                 -  call 140528280                     
MetroExodus.exe+93BBB4A:  F3 0F10 8F F0080000         -  movss xmm1,[rdi+000008F0]          
MetroExodus.exe+93BBB52:  48 8D 54 24 68              -  lea rdx,[rsp+68]                   
MetroExodus.exe+93BBB57:  0FB7 C0                     -  movzx eax,ax                       
MetroExodus.exe+93BBB5A:  0F28 D1                     -  movaps xmm2,xmm1                   
MetroExodus.exe+93BBB5D:  45 85 FF                    -  test r15d,r15d                     
MetroExodus.exe+93BBB60:  48 89 E9                    -  mov rcx,rbp                        
MetroExodus.exe+93BBB63:  40 0F94 D6                  -  sete sil                           
MetroExodus.exe+93BBB67:  45 31 C9                    -  xor r9d,r9d                        
MetroExodus.exe+93BBB6A:  66 0F6E C0                  -  movd xmm0,eax                      
MetroExodus.exe+93BBB6E:  41 89 F0                    -  mov r8d,esi                        
MetroExodus.exe+93BBB71:  0F5B C0                     -  cvtdq2ps xmm0,xmm0                 <<<--- AOB Starts Here
MetroExodus.exe+93BBB74:  F3 0F5C C6                  -  subss xmm0,xmm6                    
MetroExodus.exe+93BBB78:  F3 0F5D D0                  -  minss xmm2,xmm0                    
////  INJECTING START  ----------------------------------------------------------
MetroExodus.exe+93BBB7C:  F3 0F5C CA                  -  subss xmm1,xmm2                    
MetroExodus.exe+93BBB80:  F3 0F58 D6                  -  addss xmm2,xmm6                    
////  INJECTING END  ----------------------------------------------------------
MetroExodus.exe+93BBB84:  F3 0F11 8F F0080000         -  movss [rdi+000008F0],xmm1          
MetroExodus.exe+93BBB8C:  F3 0F11 93 740A0000         -  movss [rbx+00000A74],xmm2          
MetroExodus.exe+93BBB94:  F3 0F11 93 700A0000         -  movss [rbx+00000A70],xmm2          
MetroExodus.exe+93BBB9C:  48 8B 05 7D0A24F8           -  mov rax,[1415FC620]                [00000000]
MetroExodus.exe+93BBBA3:  48 89 44 24 68              -  mov [rsp+68],rax                   
MetroExodus.exe+93BBBA8:  E8 F349F7F6                 -  call 1403305A0                     
MetroExodus.exe+93BBBAD:  48 89 D9                    -  mov rcx,rbx                        
MetroExodus.exe+93BBBB0:  E8 2BC516F7                 -  call 1405280E0                     
MetroExodus.exe+93BBBB5:  48 89 D9                    -  mov rcx,rbx                        
MetroExodus.exe+93BBBB8:  E8 F3CD16F7                 -  call 1405289B0                     
MetroExodus.exe+93BBBBD:  0F28 74 24 20               -  movaps xmm6,[rsp+20]               
MetroExodus.exe+93BBBC2:  B8 01000000                 -  mov eax,00000001                   
MetroExodus.exe+93BBBC7:  48 8B 74 24 58              -  mov rsi,[rsp+58]                   
MetroExodus.exe+93BBBCC:  48 8B 6C 24 50              -  mov rbp,[rsp+50]                   
MetroExodus.exe+93BBBD1:  48 8B 5C 24 60              -  mov rbx,[rsp+60]                   
MetroExodus.exe+93BBBD6:  48 83 C4 30                 -  add rsp,30                         
MetroExodus.exe+93BBBDA:  41 5F                       -  pop r15                            
MetroExodus.exe+93BBBDC:  41 5E                       -  pop r14                            
MetroExodus.exe+93BBBDE:  5F                          -  pop rdi                            
//// Template: I2CEA_AOBFullInjectionWithValues
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}


And if anyone needs the camera pitch and yaw.

Code:

MetroExodus.exe+5AAA59:  0F58 D0                     -  addps xmm2,xmm0                    
MetroExodus.exe+5AAA5C:  0F58 D1                     -  addps xmm2,xmm1                    
MetroExodus.exe+5AAA5F:  41 0F58 50 30               -  addps xmm2,[r8+30]                 <<<--- AOB Starts Here
MetroExodus.exe+5AAA64:  0F29 55 90                  -  movaps [rbp-70],xmm2               
////  INJECTING START  ----------------------------------------------------------
MetroExodus.exe+5AAA68:  F2 0F10 80 18090000         -  movsd xmm0,[rax+00000918]   // 918 = pitch // 91C = yaw
////  INJECTING END  ----------------------------------------------------------
MetroExodus.exe+5AAA70:  F2 0F11 44 24 50            -  movsd [rsp+50],xmm0                
MetroExodus.exe+5AAA76:  8B 80 20090000              -  mov eax,[rax+00000920]             
MetroExodus.exe+5AAA7C:  89 44 24 58                 -  mov [rsp+58],eax                   
MetroExodus.exe+5AAA80:  45 85 E4                    -  test r12d,r12d                     
MetroExodus.exe+5AAA83:  0F84 BD000000               -  je 1405AAB46                       
MetroExodus.exe+5AAA89:  4C 8D 4C 24 60              -  lea r9,[rsp+60]                    
MetroExodus.exe+5AAA8E:  49 8B CD                    -  mov rcx,r13                        
MetroExodus.exe+5AAA91:  4C 8D 45 90                 -  lea r8,[rbp-70]                    
MetroExodus.exe+5AAA95:  48 8D 54 24 50              -  lea rdx,[rsp+50]                   
MetroExodus.exe+5AAA9A:  E8 01449600                 -  call 140F0EEA0                     
MetroExodus.exe+5AAA9F:  45 85 F6                    -  test r14d,r14d                     
MetroExodus.exe+5AAAA2:  74 21                       -  je 1405AAAC5                       
MetroExodus.exe+5AAAA4:  45 85 FF                    -  test r15d,r15d                     
MetroExodus.exe+5AAAA7:  74 1C                       -  je 1405AAAC5                       
MetroExodus.exe+5AAAA9:  4C 8B 87 80000000           -  mov r8,[rdi+00000080]              
MetroExodus.exe+5AAAB0:  49 81 C0 00010000           -  add r8,00000100                    
MetroExodus.exe+5AAAB7:  48 8D 55 A0                 -  lea rdx,[rbp-60]                   
MetroExodus.exe+5AAABB:  48 8D 4C 24 30              -  lea rcx,[rsp+30]                   
MetroExodus.exe+5AAAC0:  E8 2B150000                 -  call 1405ABFF0                     
MetroExodus.exe+5AAAC5:  48 63 87 B0000000           -  movsxd  rax,dword ptr [rdi+000000B0]


Post by SunBeam »

@Tim: That's the thing, you can determine *who* or *what* else might call it via debugging or IDA analysis. Thing with dynamic calls is you never know which object/class might have that function of yours as a member, not necessarily at the same offset. Here's an example, based entirely on this game (some of it is hypothetical, so don't shoot):

pFilter -> [pFilter] == table to member-functions (let's call it "t")
t+0x1738 = CheckGasMaskActive == MetroExodus.exe+301F68

pGasMask -> [pGasMask] == table to member-functions (let's call it "q")
q+0x2568 = CheckGasMaskActive == MetroExodus.exe+301F68

So in the above, game engine might call the "CheckGasMaskActive" from the perspective of "pFilter" or "pGasMask". The address of "CheckGasMaskActive", as you can see, can be found in the member-functions tables at different offsets. That's the thing with dynamic calls :) Now.. if you patch the function itself to return 0 all the time, in both scenarios -- where either pFilter or pGasMask perform checks, via calling/running member-function at 0x1738, and 0x2568 respectively -- the return is always 0 :P

BR,
Sun
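
SunBeam's point about shared member functions, modelled in C as an added example (not code from the thread or from the game): two tables reference one function at the offsets 0x1738 and 0x2568 quoted in the post, and the program compares a change made at one call site with a change made to the function body. The struct layout, the `mask_active` field and every helper name are assumptions, and swapping a function pointer stands in for altering bytes in memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct Object Object;
typedef bool (*MemberFn)(const Object *self);

struct Object {
    const MemberFn *vtable; /* [pObject] == table of member functions */
    bool mask_active;       /* assumed field: the byte the real function reads */
};

/* Byte offsets quoted in the post; slot index = offset / pointer size. */
#define OFF_IN_T 0x1738 /* pFilter's table "t"  */
#define OFF_IN_Q 0x2568 /* pGasMask's table "q" */
#define SLOT(off) ((off) / sizeof(MemberFn))
#define SLOTS(tbl) (sizeof(tbl) / sizeof((tbl)[0]))

/* Two bodies model the bytes stored at the function's single address. */
static bool body_original(const Object *self) { return self->mask_active; }
static bool body_return_zero(const Object *self) { (void)self; return false; }
static MemberFn g_body = body_original;

/* The one member function that both tables reference. */
static bool CheckGasMaskActive(const Object *self) { return g_body(self); }

static const MemberFn table_t[SLOT(OFF_IN_T) + 1] = {
    [SLOT(OFF_IN_T)] = CheckGasMaskActive,
};
static const MemberFn table_q[SLOT(OFF_IN_Q) + 1] = {
    [SLOT(OFF_IN_Q)] = CheckGasMaskActive,
};

/* Cross-reference scan: byte offset of the first slot pointing at fn, or -1. */
static long find_slot_offset(const MemberFn *table, size_t slots, MemberFn fn)
{
    for (size_t i = 0; i < slots; i++)
        if (table[i] == fn)
            return (long)(i * sizeof(MemberFn));
    return -1;
}

/* Call site A, the filter path: call qword ptr [rax+1738].
 * callsite_overridden models that single call being replaced by a constant 0. */
static bool filter_path_check(const Object *pFilter, bool callsite_overridden)
{
    if (callsite_overridden)
        return false;
    return pFilter->vtable[SLOT(OFF_IN_T)](pFilter);
}

/* Call site B, the hypothetical second caller that goes through table "q". */
static bool gasmask_path_check(const Object *pGasMask)
{
    return pGasMask->vtable[SLOT(OFF_IN_Q)](pGasMask);
}

typedef struct { bool filter_path; bool gasmask_path; } Outcome;

/* Run both call sites with the mask active and report what each one sees. */
static Outcome run(bool override_callsite, bool replace_body)
{
    Object filter = { table_t, true };
    Object mask = { table_q, true };
    g_body = replace_body ? body_return_zero : body_original;
    Outcome o = { filter_path_check(&filter, override_callsite),
                  gasmask_path_check(&mask) };
    g_body = body_original; /* restore so runs are independent */
    return o;
}

int main(void)
{
    printf("offset in t: 0x%lx, offset in q: 0x%lx\n",
           (unsigned long)find_slot_offset(table_t, SLOTS(table_t), CheckGasMaskActive),
           (unsigned long)find_slot_offset(table_q, SLOTS(table_q), CheckGasMaskActive));
    const char *names[] = { "unmodified", "call site only", "function body" };
    for (int i = 0; i < 3; i++) {
        Outcome o = run(i == 1, i == 2);
        printf("%-15s filter path=%d  gas-mask path=%d\n",
               names[i], o.filter_path, o.gasmask_path);
    }
    return 0;
}
```

The "call site only" row is the case SunBeam warns about: the second caller still sees the original result because it reaches the same function through a different table slot.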


Post by TimFun13 »

SunBeam wrote:
Wed Mar 06, 2019 2:33 pm
...

I'll have to do some messin around, I'm still just starting to make use of the VTables. But as always, Thank you SB for never letting my laziness hinder my learning.


Post by SunBeam »

It's fine. Just making you aware ahead of time of those "why the fuck is this still happening? I patched that my way and it still has some misses" situations :D


Post by Player360 »

ShyTwig16 wrote:
Wed Mar 06, 2019 2:05 pm

And if anyone needs the camera pitch and yaw.

Code:

MetroExodus.exe+5AAA59:  0F58 D0                     -  addps xmm2,xmm0                    
MetroExodus.exe+5AAA5C:  0F58 D1                     -  addps xmm2,xmm1                    
MetroExodus.exe+5AAA5F:  41 0F58 50 30               -  addps xmm2,[r8+30]                 <<<--- AOB Starts Here
MetroExodus.exe+5AAA64:  0F29 55 90                  -  movaps [rbp-70],xmm2               
////  INJECTING START  ----------------------------------------------------------
MetroExodus.exe+5AAA68:  F2 0F10 80 18090000         -  movsd xmm0,[rax+00000918]   // 918 = pitch // 91C = yaw
////  INJECTING END  ----------------------------------------------------------
MetroExodus.exe+5AAA70:  F2 0F11 44 24 50            -  movsd [rsp+50],xmm0                
MetroExodus.exe+5AAA76:  8B 80 20090000              -  mov eax,[rax+00000920]             
MetroExodus.exe+5AAA7C:  89 44 24 58                 -  mov [rsp+58],eax                   
MetroExodus.exe+5AAA80:  45 85 E4                    -  test r12d,r12d                     
MetroExodus.exe+5AAA83:  0F84 BD000000               -  je 1405AAB46                       
MetroExodus.exe+5AAA89:  4C 8D 4C 24 60              -  lea r9,[rsp+60]                    
MetroExodus.exe+5AAA8E:  49 8B CD                    -  mov rcx,r13                        
MetroExodus.exe+5AAA91:  4C 8D 45 90                 -  lea r8,[rbp-70]                    
MetroExodus.exe+5AAA95:  48 8D 54 24 50              -  lea rdx,[rsp+50]                   
MetroExodus.exe+5AAA9A:  E8 01449600                 -  call 140F0EEA0                     
MetroExodus.exe+5AAA9F:  45 85 F6                    -  test r14d,r14d                     
MetroExodus.exe+5AAAA2:  74 21                       -  je 1405AAAC5                       
MetroExodus.exe+5AAAA4:  45 85 FF                    -  test r15d,r15d                     
MetroExodus.exe+5AAAA7:  74 1C                       -  je 1405AAAC5                       
MetroExodus.exe+5AAAA9:  4C 8B 87 80000000           -  mov r8,[rdi+00000080]              
MetroExodus.exe+5AAAB0:  49 81 C0 00010000           -  add r8,00000100                    
MetroExodus.exe+5AAAB7:  48 8D 55 A0                 -  lea rdx,[rbp-60]                   
MetroExodus.exe+5AAABB:  48 8D 4C 24 30              -  lea rcx,[rsp+30]                   
MetroExodus.exe+5AAAC0:  E8 2B150000                 -  call 1405ABFF0                     
MetroExodus.exe+5AAAC5:  48 63 87 B0000000           -  movsxd  rax,dword ptr [rdi+000000B0]

How exactly can I change the pitch turning rate with the code provided above?
Do I change the opcode into the memory target, or do I search for the address which has the opcode for it?
I'm a bit confused since I have little clue about it, and I'm doing it by trial and error until I get it working.
Although I'm on Steam v1.2 :roll:
