Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]
Posted: Fri Sep 06, 2019 9:41 pm
Is mentioning the fearlessrevolution released trainer here an offense or can I tell people about their BattlEye bypass launcher?
Kalamity222 wrote: Fri Sep 06, 2019 9:41 pm
Is mentioning the fearlessrevolution released trainer here an offense or can I tell people about their BattlEye bypass launcher?

Charging people money for a trainer to a beta that lasts 4 days is an offence in and of itself!
Kalamity222 wrote: Fri Sep 06, 2019 9:41 pm
Is mentioning the fearlessrevolution released trainer here an offense or can I tell people about their BattlEye bypass launcher?

Anything CH-related is an offense here. We do not allow such postings. The BattlEye bypass, as mentioned, regards setting the /belaunch -be parameter in the UPlay client's launch arguments:
Code:
GRB.exe+16C58A77 - 48 85 C0 - test rax,rax
GRB.exe+16C58A7A - 74 31 - je GRB.exe+16C58AAD
GRB.exe+16C58A7C - 48 8B 00 - mov rax,[rax]
GRB.exe+16C58A7F - 48 89 F1 - mov rcx,rsi
GRB.exe+16C58A82 - FF 50 10 - call qword ptr [rax+10] // gets -1
GRB.exe+16C58A85 - 89 C7 - mov edi,eax
GRB.exe+16C58A87 - 4C 89 F9 - mov rcx,r15
GRB.exe+16C58A8A - 49 8B 07 - mov rax,[r15]
GRB.exe+16C58A8D - FF 10 - call qword ptr [rax] // gets item cost
GRB.exe+16C58A8F - 89 C3 - mov ebx,eax
GRB.exe+16C58A91 - 48 89 F1 - mov rcx,rsi
GRB.exe+16C58A94 - 48 8B 06 - mov rax,[rsi]
GRB.exe+16C58A97 - FF 10 - call qword ptr [rax] // gets current Skell Points
GRB.exe+16C58A99 - 01 C3 - add ebx,eax // sum (add)
GRB.exe+16C58A9B - 48 89 F1 - mov rcx,rsi
GRB.exe+16C58A9E - 48 8B 06 - mov rax,[rsi]
GRB.exe+16C58AA1 - 39 FB - cmp ebx,edi
GRB.exe+16C58AA3 - 0F46 FB - cmovbe edi,ebx
GRB.exe+16C58AA6 - 89 FA - mov edx,edi
GRB.exe+16C58AA8 - FF 50 08 - call qword ptr [rax+08] // update Skell Points
GRB.exe+16C58AAB - EB 70 - jmp GRB.exe+16C58B1D
Code:
GRB.exe+16F6AB75 - 48 85 DB - test rbx,rbx
GRB.exe+16F6AB78 - 74 37 - je GRB.exe+16F6ABB1
GRB.exe+16F6AB7A - 48 8B 03 - mov rax,[rbx]
GRB.exe+16F6AB7D - BA 81870FF8 - mov edx,F80F8781
GRB.exe+16F6AB82 - 48 89 D9 - mov rcx,rbx
GRB.exe+16F6AB85 - FF 50 58 - call qword ptr [rax+58]
GRB.exe+16F6AB88 - 48 89 C7 - mov rdi,rax
GRB.exe+16F6AB8B - 48 85 C0 - test rax,rax
GRB.exe+16F6AB8E - 74 21 - je GRB.exe+16F6ABB1
GRB.exe+16F6AB90 - 48 8B 10 - mov rdx,[rax]
GRB.exe+16F6AB93 - 48 89 C1 - mov rcx,rax
GRB.exe+16F6AB96 - FF 12 - call qword ptr [rdx] // gets current Skell Points
GRB.exe+16F6AB98 - 39 E8 - cmp eax,ebp
GRB.exe+16F6AB9A - 72 15 - jb GRB.exe+16F6ABB1
GRB.exe+16F6AB9C - 48 8B 1F - mov rbx,[rdi]
GRB.exe+16F6AB9F - 48 89 F9 - mov rcx,rdi
GRB.exe+16F6ABA2 - FF 13 - call qword ptr [rbx] // gets current Skell Points
GRB.exe+16F6ABA4 - 29 E8 - sub eax,ebp // subtract
GRB.exe+16F6ABA6 - 48 89 F9 - mov rcx,rdi
GRB.exe+16F6ABA9 - 89 C2 - mov edx,eax
GRB.exe+16F6ABAB - FF 53 08 - call qword ptr [rbx+08] // update Skell Points
GRB.exe+16F6ABAE - 40 B6 01 - mov sil,01
GRB.exe+16F6ABB1 - 48 8D 4C 24 20 - lea rcx,[rsp+20]
GRB.exe+16F6ABB6 - E8 F5C043EB - call GRB.exe+23A6CB0
Yeah, once you get down to the dam area around Mount Herbert, that's when things just become a texture and no longer solid. The only annoying part about exploring is once you get the swarms of drones, then you're unable to open chests or collect intel even when they disappear in the danger area leaving you in peace; once you get back into the safe zone, then you're able to open them again. One problem with god mode that I can foresee is that because the drones can't kill you, you're unable to open chests or collect intel due to what I suspect is an animation loop or a trigger somewhere that marks you as being dead so you can't open anything, then undoes that trigger once you get back into the safe zone if you manage to escape the drones, 'cause they're pretty much insta-kill. The invisibility script doesn't work for the insta-kill drones, so that would have to be something separate if the trigger for them can be found and killed.
Code:
function _readInteger( Input )
  -- thanks, Pox!
  -- readInteger returns an unsigned 32-bit value; convert it to signed so rel32 displacements work
  local Value = readInteger( Input )
  if Value < 0x80000000 then return Value
  else return Value - 0x100000000 end
end

function GetName( input )
  local addr = readQword( input ) -- first qword of the struct (vtable)
  addr = addr + 0x48 -- 0x48 in Breakpoint
  addr = readQword( addr ) -- virtual function at that slot
  if readBytes( addr, 1 ) == 0xE9 then -- follow a jmp rel32 thunk if the slot points at one
    addr = addr + _readInteger( addr + 0x1 ) + 0x5
  end
  -- 7-byte RIP-relative instruction (disp32 at +3) referencing the name object
  addr = addr + _readInteger( addr + 0x3 ) + 0x7
  addr = readQword( addr )
  print( string.format( "IStruct: 0x%X", input ) )
  print( string.format( "IName: 0x%X", addr ) )
  local str = readString( readQword( addr + 0x20 ) )
  print( string.format( "ObjStr: %s", str ) )
  addr = readInteger( addr + 0x2C )
  print( string.format( "ObjHash: 0x%X", addr ) )
  print( "" )
  print( "* * *" )
end

GetName( 0x15B9E890AE0 )
Code:
IStruct: 0x15B9E890AE0
IName: 0x7FF7411C56A0
ObjStr:
ObjHash: 0x6CD605D3
Code:
GRB.exe+1D9232D0 - 48 89 E0 - mov rax,rsp <-- hook here
GRB.exe+1D9232D3 - 48 89 58 08 - mov [rax+08],rbx <-- or here
GRB.exe+1D9232D7 - 48 89 68 10 - mov [rax+10],rbp
GRB.exe+1D9232DB - 48 89 70 18 - mov [rax+18],rsi
GRB.exe+1D9232DF - 57 - push rdi
GRB.exe+1D9232E0 - 41 56 - push r14
GRB.exe+1D9232E2 - 41 57 - push r15
GRB.exe+1D9232E4 - 48 81 EC 80000000 - sub rsp,00000080
GRB.exe+1D9232EB - 0F29 70 D8 - movaps [rax-28],xmm6
GRB.exe+1D9232EF - 48 89 CF - mov rdi,rcx
GRB.exe+1D9232F2 - 0F29 78 C8 - movaps [rax-38],xmm7
GRB.exe+1D9232F6 - 0F28 F1 - movaps xmm6,xmm1
GRB.exe+1D9232F9 - 44 0F29 40 B8 - movaps [rax-48],xmm8
GRB.exe+1D9232FE - 44 0F29 48 A8 - movaps [rax-58],xmm9
GRB.exe+1D923303 - 44 0F29 50 98 - movaps [rax-68],xmm10
GRB.exe+1D923308 - E8 F306DEE4 - call GRB.exe+2703A00
GRB.exe+1D92330D - 48 8B 87 40030000 - mov rax,[rdi+00000340]
GRB.exe+1D923314 - 45 31 FF - xor r15d,r15d
GRB.exe+1D923317 - 48 83 F8 FD - cmp rax,-03 { 253 }
GRB.exe+1D92331B - 77 4C - ja GRB.exe+1D923369
GRB.exe+1D92331D - 48 85 C0 - test rax,rax
GRB.exe+1D923320 - 75 0A - jne GRB.exe+1D92332C
GRB.exe+1D923322 - 48 8B 87 48030000 - mov rax,[rdi+00000348]
GRB.exe+1D923329 - 48 8B 00 - mov rax,[rax]
GRB.exe+1D92332C - 48 3B 87 38030000 - cmp rax,[rdi+00000338]
GRB.exe+1D923333 - 72 34 - jb GRB.exe+1D923369
GRB.exe+1D923335 - 44 88 BF 8B040000 - mov [rdi+0000048B],r15l
GRB.exe+1D92333C - 48 8B 87 48030000 - mov rax,[rdi+00000348]
GRB.exe+1D923343 - 48 85 C0 - test rax,rax
GRB.exe+1D923346 - 74 05 - je GRB.exe+1D92334D
GRB.exe+1D923348 - 48 8B 08 - mov rcx,[rax]
GRB.exe+1D92334B - EB 03 - jmp GRB.exe+1D923350
GRB.exe+1D92334D - 4C 89 F9 - mov rcx,r15
GRB.exe+1D923350 - 48 89 8F 30030000 - mov [rdi+00000330],rcx
GRB.exe+1D923357 - 4C 89 BF 38030000 - mov [rdi+00000338],r15
GRB.exe+1D92335E - 48 C7 87 40030000 FFFFFFFF - mov qword ptr [rdi+00000340],FFFFFFFFFFFFFFFF
Code:
[ENABLE]
aobscanmodule( GodMode, GRB.exe, 80BB????????000F85????????80BB????????000F85????????F683 )
registersymbol( GodMode )
label( GodMode_o )
registersymbol( GodMode_o )
alloc( Hook, 0x1000, GRB.exe )

Hook:
  push rax
  mov rax,[g_Player]
  test rax,rax
  je short @f
  cmp rax,rbx
  jne short @f
  mov byte ptr [rbx+48B],1
@@:
  pop rax
GodMode_o:
  readmem( GodMode, 7 )
  jmp GodMode+7

GodMode:
  jmp Hook
  db 90 90

[DISABLE]
[g_Player]+48B:
  db 0

GodMode:
  readmem( GodMode_o, 7 )

unregistersymbol( GodMode )
unregistersymbol( GodMode_o )
dealloc( Hook )
Code:
GRB.exe+1CAEF1D0 - 48 83 EC 48 - sub rsp,48
GRB.exe+1CAEF1D4 - 49 8B 40 08 - mov rax,[r8+08]
GRB.exe+1CAEF1D8 - 49 89 CA - mov r10,rcx
GRB.exe+1CAEF1DB - 48 8D 0D DE80A5E8 - lea rcx,[GRB.exe+55472C0]
GRB.exe+1CAEF1E2 - 48 89 44 24 28 - mov [rsp+28],rax
GRB.exe+1CAEF1E7 - 49 89 D1 - mov r9,rdx
GRB.exe+1CAEF1EA - 48 39 C8 - cmp rax,rcx
..
..
GRB.exe+1CAEF21A - 48 8D 54 24 20 - lea rdx,[rsp+20]
GRB.exe+1CAEF21F - 4C 89 C9 - mov rcx,r9
GRB.exe+1CAEF222 - 41 FF 52 08 - call qword ptr [r10+08] <- enter
GRB.exe+1CAEF226 - 48 83 C4 48 - add rsp,48
GRB.exe+1CAEF22A - C3 - ret
Code:
GRB.exe+2FE0480 - E9 3B43C319 - jmp GRB.exe+1CC147C0
..
..
GRB.exe+1CC147C0 - 48 89 6C 24 18 - mov [rsp+18],rbp
GRB.exe+1CC147C5 - 48 89 74 24 20 - mov [rsp+20],rsi
GRB.exe+1CC147CA - 57 - push rdi
GRB.exe+1CC147CB - 48 83 EC 20 - sub rsp,20
GRB.exe+1CC147CF - 48 8B 42 18 - mov rax,[rdx+18]
GRB.exe+1CC147D3 - 48 89 D6 - mov rsi,rdx
GRB.exe+1CC147D6 - 48 89 CD - mov rbp,rcx
GRB.exe+1CC147D9 - 48 63 78 0C - movsxd rdi,dword ptr [rax+0C]
..
..
GRB.exe+1CC14844 - 4C 8D 44 24 38 - lea r8,[rsp+38]
GRB.exe+1CC14849 - 48 89 DA - mov rdx,rbx
GRB.exe+1CC1484C - 48 89 E9 - mov rcx,rbp
GRB.exe+1CC1484F - E8 CC6A39E6 - call GRB.exe+2FAB320 <- enter
GRB.exe+1CC14854 - 48 8B 5C 24 30 - mov rbx,[rsp+30]
GRB.exe+1CC14859 - 48 89 F1 - mov rcx,rsi
GRB.exe+1CC1485C - 48 8B 6C 24 40 - mov rbp,[rsp+40]
GRB.exe+1CC14861 - 48 8B 74 24 48 - mov rsi,[rsp+48]
GRB.exe+1CC14866 - 48 83 C4 20 - add rsp,20
GRB.exe+1CC1486A - 5F - pop rdi
Code:
GRB.exe+1CCE3190 - 40 53 - push rbx
GRB.exe+1CCE3192 - 48 83 EC 20 - sub rsp,20
GRB.exe+1CCE3196 - 48 89 CB - mov rbx,rcx
GRB.exe+1CCE3199 - 48 83 C2 78 - add rdx,78
GRB.exe+1CCE319D - 48 8D 4C 24 38 - lea rcx,[rsp+38]
GRB.exe+1CCE31A2 - E8 49FDFBE4 - call GRB.exe+1CA2EF0
GRB.exe+1CCE31A7 - 48 89 C2 - mov rdx,rax
GRB.exe+1CCE31AA - 48 8D 8B B0000000 - lea rcx,[rbx+000000B0]
GRB.exe+1CCE31B1 - E8 DA1CE5E4 - call GRB.exe+1B34E90
GRB.exe+1CCE31B6 - 48 8B 44 24 38 - mov rax,[rsp+38]
GRB.exe+1CCE31BB - 48 85 C0 - test rax,rax
GRB.exe+1CCE31BE - 74 1E - je GRB.exe+1CCE31DE
GRB.exe+1CCE31C0 - B9 FFFFFFFF - mov ecx,FFFFFFFF
GRB.exe+1CCE31C5 - F0 0FC1 48 08 - lock xadd [rax+08],ecx
GRB.exe+1CCE31CA - 83 F9 01 - cmp ecx,01
GRB.exe+1CCE31CD - 75 0F - jne GRB.exe+1CCE31DE
GRB.exe+1CCE31CF - 48 8B 4C 24 38 - mov rcx,[rsp+38]
GRB.exe+1CCE31D4 - 48 85 C9 - test rcx,rcx
GRB.exe+1CCE31D7 - 74 05 - je GRB.exe+1CCE31DE
GRB.exe+1CCE31D9 - E8 A29F4BE3 - call GRB.exe+19D180
GRB.exe+1CCE31DE - 48 83 C4 20 - add rsp,20
GRB.exe+1CCE31E2 - 5B - pop rbx
GRB.exe+1CCE31E3 - C3 - ret
Code:
{ Game : GRB.exe
  Version:
  Date : 2019-09-08
  Author : SunBeam

  This script does blah blah blah
}

define(address,"GRB.exe"+771E24B)
define(bytes,48 89 D6 49 89 CE)

[ENABLE]

assert(address,bytes)
alloc(newmem,$1000,"GRB.exe"+771E24B)

label(code)
label(return)

newmem:

code:
  mov rsi,rdx
  mov r14,GRB.exe+573C6B0
  cmp rdx,r14
  jne short @f
  nop
  nop
  jmp GRB.exe+771E301
@@:
  mov r14,rcx
  jmp return

address:
  jmp newmem
  nop
return:

[DISABLE]

address:
  db bytes
  // mov rsi,rdx
  // mov r14,rcx

dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "GRB.exe"+771E24B
"GRB.exe"+771E221: 44 0B 34 24 - or r14d,[rsp]
"GRB.exe"+771E225: 41 F7 D6 - not r14d
"GRB.exe"+771E228: 45 29 C6 - sub r14d,r8d
"GRB.exe"+771E22B: 83 F6 FF - xor esi,-01
"GRB.exe"+771E22E: 4C 8D 05 3D 6E AA 16 - lea r8,[GRB.exe+1E1C5072]
"GRB.exe"+771E235: 41 FF E0 - jmp r8
"GRB.exe"+771E238: 67 0F 1F 80 00 00 00 00 - nop [rax+00000000]
"GRB.exe"+771E240: 48 89 74 24 20 - mov [rsp+20],rsi
"GRB.exe"+771E245: 41 56 - push r14
"GRB.exe"+771E247: 48 83 EC 20 - sub rsp,20
// ---------- INJECTING HERE ----------
"GRB.exe"+771E24B: 48 89 D6 - mov rsi,rdx
"GRB.exe"+771E24E: 49 89 CE - mov r14,rcx
// ---------- DONE INJECTING ----------
"GRB.exe"+771E251: 48 85 D2 - test rdx,rdx
"GRB.exe"+771E254: 0F 84 A7 00 00 00 - je GRB.exe+771E301
"GRB.exe"+771E25A: 83 7A 40 00 - cmp dword ptr [rdx+40],00
"GRB.exe"+771E25E: 0F 84 9D 00 00 00 - je GRB.exe+771E301
"GRB.exe"+771E264: 48 89 5C 24 30 - mov [rsp+30],rbx
"GRB.exe"+771E269: 48 8D 5A 08 - lea rbx,[rdx+08]
"GRB.exe"+771E26D: 48 89 6C 24 38 - mov [rsp+38],rbp
"GRB.exe"+771E272: 48 89 7C 24 40 - mov [rsp+40],rdi
"GRB.exe"+771E277: 48 85 DB - test rbx,rbx
"GRB.exe"+771E27A: 74 08 - je GRB.exe+771E284
}
Code:
GRB.exe+167DE370 - 48 8B 0D B1C3F5EE - mov rcx,[GRB.exe+573A728] // [] == 1F93BCB2F60
GRB.exe+167DE377 - E8 F49DB4EB - call GRB.exe+2328170
Code:
GRB.exe+2328170 - E9 2B36B614 - jmp GRB.exe+16E8B7A0
..
GRB.exe+16E8B7A0 - 4C 8B 49 14 - mov r9,[rcx+14]
GRB.exe+16E8B7A4 - 0FB7 41 1E - movzx eax,word ptr [rcx+1E]
GRB.exe+16E8B7A8 - 4D 8D 14 C1 - lea r10,[r9+rax*8]
GRB.exe+16E8B7AC - 4D 39 D1 - cmp r9,r10
GRB.exe+16E8B7AF - 74 27 - je GRB.exe+16E8B7D8
GRB.exe+16E8B7B1 - 49 8B 01 - mov rax,[r9]
GRB.exe+16E8B7B4 - 48 63 48 0C - movsxd rcx,dword ptr [rax+0C]
GRB.exe+16E8B7B8 - 48 C1 E1 20 - shl rcx,20
GRB.exe+16E8B7BC - 48 C1 F9 3F - sar rcx,3F
GRB.exe+16E8B7C0 - 48 23 08 - and rcx,[rax] // mark
GRB.exe+16E8B7C3 - 74 05 - je GRB.exe+16E8B7CA
GRB.exe+16E8B7C5 - 39 51 20 - cmp [rcx+20],edx
GRB.exe+16E8B7C8 - 74 06 - je GRB.exe+16E8B7D0
GRB.exe+16E8B7CA - 49 83 C1 08 - add r9,08
GRB.exe+16E8B7CE - EB DC - jmp GRB.exe+16E8B7AC
GRB.exe+16E8B7D0 - 4C 89 C2 - mov rdx,r8
GRB.exe+16E8B7D3 - E9 28C849EB - jmp GRB.exe+2328000
GRB.exe+16E8B7D8 - C3 - ret
Code:
FindPlayer:
  sub rsp,28
  mov rbx,[GRB.exe+5738858] // ObjHash:0xF8753BCC
  mov rbx,[rbx+D0]
  mov edx,[rbx]
  lea r8,[rbx+10]
  mov rcx,[GRB.exe+573A728] // ObjHash:0x4B426612
  call FindPlayerInPlayers
  add rsp,28
  ret

FindPlayerInPlayers:
  mov r9,[rcx+14] // first entry of the players array
  movzx eax,word ptr [rcx+1E] // entry count
  lea r10,[r9+rax*8] // end of the array
FindPlayerInPlayers_loop:
  cmp r9,r10
  je short FindPlayerInPlayers_exit
  mov rax,[r9]
  movsxd rcx,dword ptr [rax+C]
  shl rcx,20
  sar rcx,3F
  and rcx,[rax]
  je short @f
  cmp [rcx+20],edx
  je short FindPlayerInPlayers_done
@@:
  add r9,8
  jmp short FindPlayerInPlayers_loop
FindPlayerInPlayers_done:
  mov rax,r8
FindPlayerInPlayers_exit:
  ret
Code:
[ENABLE]
aobscanmodule( HookUtil, GRB.exe, 4889E0488958??488968??488970??57415641574881EC????????0F2970??4889CF0F2978??0F28F1 )
registersymbol( HookUtil )
label( HookUtil_o )
registersymbol( HookUtil_o )
alloc( Hook, 0x1000, GRB.exe )
label( g_Player )
registersymbol( g_Player )
label( GR_cPlayerComponent )
registersymbol( GR_cPlayerComponent )
label( Entity )
registersymbol( Entity )
label( p_SilexNetComponent_Player ) // p->SilexNetComponent_Player, hence the p_
registersymbol( p_SilexNetComponent_Player )

Hook:
  push rax
  mov rax,[GRB.exe+5738858]
  mov rax,[rax+D0]
  mov rax,[rax+8]
  mov rax,[rax]
  cmp rax,[rcx+8] // check ObjHash_0xF8753BCC->Entity vs. GR_cPlayerComponent->Entity
  pop rax // pop leaves the flags from cmp intact
  jne short @f
  mov [GR_cPlayerComponent],rbx
  mov [g_Player],rcx
  mov rax,[rcx+8]
  mov [Entity],rax
  mov rax,[rcx+150]
  mov [p_SilexNetComponent_Player],rax
@@:
HookUtil_o:
  readmem( HookUtil, 7 )
  jmp HookUtil+7
  db CC CC CC CC

g_Player:
  dq 0
GR_cPlayerComponent:
  dq 0
Entity:
  dq 0
p_SilexNetComponent_Player:
  dq 0

HookUtil:
  jmp Hook
  db 90 90

[DISABLE]
HookUtil:
  readmem( HookUtil_o, 7 )

unregistersymbol( p_SilexNetComponent_Player )
unregistersymbol( Entity )
unregistersymbol( GR_cPlayerComponent )
unregistersymbol( g_Player )
dealloc( Hook )
unregistersymbol( HookUtil_o )
unregistersymbol( HookUtil )
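As an added, defender-side example (not code from this thread, from Cheat Engine or from the game): both the GodMode and HookUtil scripts above install the same kind of inline hook, saving the first 7 bytes of a function with readmem and overwriting them with jmp Hook plus db 90 90, where Hook is a cave alloc'd outside GRB.exe. The Python below is the kind of integrity check a tamper scanner runs: it diffs live text bytes against the expected on-disk bytes, decodes any rel32 jmp it finds at a modified spot and flags targets that leave the module. The module image, load address and hook address are constructed for the demo.

```python
import struct

def rel32_target(code: bytes, off: int, base: int) -> int:
    """Absolute target of the E9 rel32 jmp at code[off]; the displacement
    is relative to the end of the 5-byte instruction."""
    disp = struct.unpack_from("<i", code, off + 1)[0]
    return base + off + 5 + disp

def find_inline_hooks(expected: bytes, current: bytes, base: int) -> list:
    """Diff live text bytes against the expected (on-disk) bytes. A modified
    run starting with E9 is decoded as a jmp (trailing 90 padding folded in)
    and its target is checked against the module's own address range."""
    assert len(expected) == len(current)
    end = base + len(expected)
    findings, i = [], 0
    while i < len(expected):
        if expected[i] == current[i]:
            i += 1
            continue
        start = i
        if current[i] == 0xE9 and i + 5 <= len(current):
            i += 5                                   # 5-byte jmp rel32
            while i < len(current) and current[i] == 0x90 and current[i] != expected[i]:
                i += 1                               # nop padding (db 90 90)
            target = rel32_target(current, start, base)
        else:
            while i < len(current) and expected[i] != current[i]:
                i += 1
            target = None                            # some other patch
        findings.append({
            "va": base + start,
            "length": i - start,
            "jmp_target": target,
            "outside_module": target is not None and not (base <= target < end),
        })
    return findings

# Constructed sample: 0x200-byte image, function at +0x100 starting with the prologue quoted
# in the thread (mov rax,rsp / mov [rax+08],rbx / ...), plus a copy with the 7-byte jmp+nop patch.
BASE = 0x140000000                                   # assumed load address
PROLOGUE = bytes.fromhex("4889E04889580848896810")
EXPECTED = b"\xCC" * 0x100 + PROLOGUE + b"\xCC" * (0x100 - len(PROLOGUE))
HOOK = BASE + 0x10000                                # cave outside the image
PATCH = b"\xE9" + struct.pack("<i", HOOK - (BASE + 0x100 + 5)) + b"\x90\x90"
CURRENT = EXPECTED[:0x100] + PATCH + EXPECTED[0x100 + len(PATCH):]

if __name__ == "__main__":
    for finding in find_inline_hooks(EXPECTED, CURRENT, BASE):
        print(finding)
```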
Code:
+028 == p->GR_cInventoryHolder
+060 == p->GR_DBWeaponConstants
+068 == DBEntryWeaponShootSound
+080 == p->SilexNetComponent_Player (00007FF40C512B30->0000015B9DAC4EC0)
+0A8 == p->Entity
+148 == p->GR_cWeaponComponent
Code:
sub rsp,28
mov rcx,Entity
GRB.exe+15CD54D6 - BA 28000000 - mov edx,28
GRB.exe+15CD54DB - E8 804FA7EC - call GRB.exe+274A460
add rsp,28
--> g_Player
Code:
GRB.exe+1DA3E410 - 40 53 - push rbx
GRB.exe+1DA3E412 - 48 83 EC 20 - sub rsp,20
GRB.exe+1DA3E416 - 80 B9 71010000 00 - cmp byte ptr [rcx+00000171],00 // force to 0
GRB.exe+1DA3E41D - 48 89 CB - mov rbx,rcx
GRB.exe+1DA3E420 - C6 81 70010000 01 - mov byte ptr [rcx+00000170],01
GRB.exe+1DA3E427 - 0F84 FE000000 - je GRB.exe+1DA3E52B
GRB.exe+1DA3E42D - 48 8B 51 08 - mov rdx,[rcx+08]
GRB.exe+1DA3E431 - 48 63 42 0C - movsxd rax,dword ptr [rdx+0C]
GRB.exe+1DA3E435 - 48 C1 E0 20 - shl rax,20
GRB.exe+1DA3E439 - 48 C1 F8 3F - sar rax,3F
GRB.exe+1DA3E43D - 48 85 02 - test [rdx],rax
Code:
rcx == 1DC0726C570 (CWeapAccuracy;ObjHash:0x1ADF57D0)
[rcx+130] == p->GR_WeaponDBEntry (ObjHash:0x530ACADB)
[rcx+138] == 00007FF3EC62EDF0 (p->p->CWeapon) = q
[q+C8] == CWeapon == 000001DC581F1C80