Re: Far Cry 5 Megathread - EAC Bypass & Table Compilation
Posted: Sat Apr 07, 2018 9:47 am
Is it possible to freeze time for timed missions? Like the races.
Community Cheat Tables of Cheat Engine
https://fearlessrevolution.com/
If you're using eax and ecx, what's in them when you're overwriting their value? Chances are you're nuking some value(s) there, which is probably causing the crash. PUSH the register first to save the value, then POP it after you're done with it to restore the PUSH'ed value. Also keep in mind that PUSH/POP is "last in, first out", i.e. if you PUSH more than one value, you have to POP the most recently PUSH'ed one first (it PUSHes the value to the stack, so if you POP in the wrong order, you'll get the wrong value back).

craftyjazz wrote: ↑Sat Apr 07, 2018 10:27 am
Hi all
First let me say thank you so much for the work done here! This is the first time I tinkered with cheat engine and your tips and work to get it enabled are amazing!
I wanted to ask for some help - not sure if this is the right place but it seems to be where everyone is talking about fc5 stuff.
I wanted to reduce the RP gain overall, but my assembler knowledge is basically non-existent. I have had a little google, but there is plenty more for me to learn, so I thought I would try to get some pointers from you wizards.
I have managed to freeze the RP by NOP-ing the instructions that write it into the pointer(?). Tested this for Jacob and Faith regions. Confirmed working, as I did a whole bunch of missions having frozen my RP at 625 (Faith) and triggered no cutscenes or anything.
I then shut down cheat engine and restarted the game and continued doing missions - my RP climbed as expected and triggered the cutscene at the correct time.
What I would really like to do is reduce the RP gain. So I ran some scans of increased value as I completed RP gain tasks and narrowed down the following:
This is where I need some help - I don't know how to modify the value of rdi (e.g. x 0.5). I have generated the code injection, but I honestly don't know what to write in there.
7FF8551BCEE0 - 48 01 F9 - add rcx,rdi
7FF8551BCEE3 - 48 89 0C 03 - mov [rbx+rax],rcx <<
rcx = current RP
rdi = incoming 50 RP from killed VIP
I used what I found on Wikipedia, but this kills my game when I inject it:
newmem:
mov eax,rdi
mov ecx,2
div ecx
add rcx,eax
mov [rbx+rax],rcx
originalcode:
add rcx,rdi
mov [rbx+rax],rcx
Any help would be greatly appreciated!
craftyjazz wrote: ↑Sat Apr 07, 2018 10:27 am
Hi all
First let me say thank you so much for the work done here! This is the first time I tinkered with cheat engine and your tips and work to get it enabled are amazing!
I wanted to ask for some help - not sure if this is the right place but it seems to be where everyone is talking about fc5 stuff.
I wanted to reduce the RP gain overall, but my assembler knowledge is basically non-existent. I have had a little google, but there is plenty more for me to learn, so I thought I would try to get some pointers from you wizards.
I have managed to freeze the RP by NOP-ing the instructions that write it into the pointer(?). Tested this for Jacob and Faith regions. Confirmed working, as I did a whole bunch of missions having frozen my RP at 625 (Faith) and triggered no cutscenes or anything.
I then shut down cheat engine and restarted the game and continued doing missions - my RP climbed as expected and triggered the cutscene at the correct time.
What I would really like to do is reduce the RP gain. So I ran some scans of increased value as I completed RP gain tasks and narrowed down the following:
This is where I need some help - I don't know how to modify the value of rdi (e.g. x 0.5). I have generated the code injection, but I honestly don't know what to write in there.
7FF8551BCEE0 - 48 01 F9 - add rcx,rdi
7FF8551BCEE3 - 48 89 0C 03 - mov [rbx+rax],rcx <<
rcx = current RP
rdi = incoming 50 RP from killed VIP
I used what I found on Wikipedia, but this kills my game when I inject it:
newmem:
mov eax,rdi
mov ecx,2
div ecx
add rcx,eax
mov [rbx+rax],rcx
originalcode:
add rcx,rdi
mov [rbx+rax],rcx
Any help would be greatly appreciated!
Code:
newmem:
mov eax,rdi //// here you are changing RAX as well (EAX is 32 bits of RAX).
mov ecx,2
div ecx
add rcx,eax
mov [rbx+rax],rcx //// here the address then becomes RBX+RDI/2, which is most likely why it crashes.
originalcode:
add rcx,rdi //// then you would add it again, if it didn't crash, so the divide by 2 would get canceled out any way.
//// You would end up with 1.5x the value
mov [rbx+rax],rcx
Code:
newmem:
movaps [xmmStore],xmm0 //// Store xmm0
cvtsi2ss xmm0,rdi //// convert int in RDI to float and store in xmm0
mulss xmm0,[myMultiplier] //// multiply
cvtss2si rdi,xmm0 //// convert float in xmm0 to int and store in RDI
movaps xmm0,[xmmStore] //// restore xmm0
originalcode:
add rcx,rdi
mov [rbx+rax],rcx
// ...
jmp returnhere //// the stuff below needs to be after the return jump.
label(myMultiplier)
registerSymbol(myMultiplier) //// this isn't required but will allow you to add it as an address to the table to change on the fly.
align 10 CC //// this just makes it look nicer in the memory viewer.
myMultiplier:
dd (float)0.5
label(xmmStore)
align 10 //// align so you can use aligned moves.
xmmStore:
dd 0
dd 0
dd 0
dd 0
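Added here as a worked example (not code from the thread or from Cheat Engine): a small C model of the register effects the two replies above describe, the first hook's clobbered store index and doubled add, and the SSE version's conversion. The register values (625 RP in rcx, 50 incoming in rdi, an index in rax and a base in rbx) are constructed, and the buggy model keeps rcx as the RP value to follow the reply's reasoning.

```c
#include <stdint.h>

/* Register file at the hook site; test values are constructed, not captured from the game. */
typedef struct { uint64_t rax, rbx, rcx, rdi; } regs_t;

/* The two original instructions: add rcx,rdi / mov [rbx+rax],rcx. Returns the store address. */
static uint64_t run_original(regs_t *r) {
    r->rcx += r->rdi;
    return r->rbx + r->rax;
}

/* craftyjazz's first attempt, modelled as the reply explains it: the quotient rdi/2 lands in
 * eax, and a 32-bit write zero-extends into the whole of rax, so the store index is replaced;
 * originalcode then adds rdi a second time. (div r32 also divides edx:eax, so an uncleared edx
 * can raise a divide error on its own.) */
static uint64_t run_buggy(regs_t *r) {
    r->rax = (uint32_t)(r->rdi / 2);   /* mov eax,... ; div ecx -> quotient in eax, rax clobbered */
    r->rcx += r->rax;                  /* add rcx,eax */
    uint64_t addr = r->rbx + r->rax;   /* mov [rbx+rax],rcx : now rbx + rdi/2, not the RP slot */
    r->rcx += r->rdi;                  /* originalcode: add rcx,rdi -> 1.5x the gain */
    return addr;
}

/* cvtss2si converts with the MXCSR rounding mode, round-to-nearest-even by default, not
 * truncation; implemented by hand here so the example needs no libm. */
static int64_t round_nearest_even(float f) {
    if (f < 0) return -round_nearest_even(-f);
    int64_t t = (int64_t)f;            /* truncate toward zero */
    float frac = f - (float)t;
    if (frac > 0.5f || (frac == 0.5f && (t & 1))) t++;
    return t;
}

/* The SSE version: cvtsi2ss xmm0,rdi / mulss xmm0,[myMultiplier] / cvtss2si rdi,xmm0.
 * float has a 24-bit mantissa, so values above 16777216 are already rounded by cvtsi2ss. */
static int64_t scale_rp(int64_t rdi, float mult) {
    return round_nearest_even((float)rdi * mult);
}

/* Fixed hook: rdi is scaled in place, then the untouched original code runs. */
static uint64_t run_fixed(regs_t *r, float mult) {
    r->rdi = (uint64_t)scale_rp((int64_t)r->rdi, mult);
    return run_original(r);
}
```

With the 0.5 multiplier, 25 incoming RP becomes 12 and 75 becomes 38, because the conversion rounds to the nearest even integer rather than truncating.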
Any injected code runs on the game's thread, so to run it you have to get the original code to execute, with the exception of you creating a thread yourself.

craftyjazz wrote: ↑Sat Apr 07, 2018 5:55 pm
...
Just another probably stupid question to you all - When I hit the Execute button on the Auto assembler - does this actually try and execute the instructions straight away? Or does it inject so that they will be executed next time the "originalcode" would have been executed?
I'll not post any more questions in this thread as I guess this is not so FC5 specific any more...
Thanks all!
Your pointers don't appear to be working

bonzay0 wrote: ↑Fri Apr 06, 2018 9:07 am
Yea I know... I'm working on it, I'm not a pro.
EDIT:
Here is a new table (I added all the scripts & pointers)
When I have time I'll try to see if I can make it more user friendly with one enable instead of 2.
Also I'm currently checking if it is possible to indicate if the NPC is an enemy or a friend.
For now 1 Hit kills everything in 1 Hit except the player.
EDIT2:
Wildlife seem to be unaffected by the 1-hit script. Will look into that later.
Are you playing in 1.2? or 1.4?

Rubyelf wrote: ↑Sat Apr 07, 2018 9:44 pm
Your pointers don't appear to be working

bonzay0 wrote: ↑Fri Apr 06, 2018 9:07 am
Yea I know... I'm working on it, I'm not a pro.
EDIT:
Here is a new table (I added all the scripts & pointers)
When I have time I'll try to see if I can make it more user friendly with one enable instead of 2.
Also I'm currently checking if it is possible to indicate if the NPC is an enemy or a friend.
For now 1 Hit kills everything in 1 Hit except the player.
EDIT2:
Wildlife seem to be unaffected by the 1-hit script. Will look into that later.
Now you just need to look into AOB scripts/injections, so your scripts will be more likely to work after an update.
Thanks for the RP code, was working on it myself but got stuck due to it crashing whenever I wrote the value.
For your script to use the AOB that's found, you need to change the address to the AOB symbol in the enable section:
Code:
[ENABLE]
// ...
alloc(RPMult,$1000,rpGainAOB) //// change this as well (was "FC_m64.dll"+167175B)
// ...
// "FC_m64.dll"+167175B:
rpGainAOB:
jmp RPMult
nop
nop
returnhere:
// ...
You can use wildcards in the AOB and [Link] or [Link] to get around this kinda thing.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
aobscanmodule(rpGainAOB,FC_m64.dll,46 xx xx xx 48 8B CF)
//// You'll most likely need to extend the AOB to make it unique.
alloc(RPMult,$1000,rpGainAOB) //// change this as well (was "FC_m64.dll"+167175B)
label(returnhere)
label(originalcode)
label(rpGainMultiplier)
label(exit)
RPMult:
movaps [xmmStore],xmm0 //// Store xmm0
cvtsi2ss xmm0,r8 //// convert int in R8 to float and store in xmm0
mulss xmm0,[rpGainMultiplier] //// multiply
cvtss2si r8,xmm0 //// convert float in xmm0 to int and store in R8
movaps xmm0,[xmmStore] //// restore xmm0
originalcode:
readMem(rpGainAOB, 4)
mov rcx,rdi
exit:
jmp returnhere
align 10 CC //// this just makes it look nicer in the memory viewer.
rpGainMultiplier:
dd (float)0.5
label(xmmStore)
align 10 //// align so you can use aligned moves.
xmmStore:
dd 0
dd 0
dd 0
dd 0
label(rpGainStoredCode)
registerSymbol(rpGainStoredCode)
rpGainStoredCode:
readMem(rpGainAOB, 4) //// Store the original code for disabling
// "FC_m64.dll"+167175B:
rpGainAOB:
jmp RPMult
nop
nop
returnhere:
registersymbol(rpGainAOB)
registerSymbol(rpGainMultiplier) //// Register as symbol, to allow quick access
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// "FC_m64.dll"+167175B:
rpGainAOB:
readMem(rpGainStoredCode, 4) //// Restore original code
db 48 8B CF
unregistersymbol(rpGainAOB)
unregisterSymbol(rpGainStoredCode)
dealloc(RPMult)
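Added example (not code from the thread or from Cheat Engine) of what the AOB script above relies on: a wildcard scan like aobscanmodule over a byte buffer, the uniqueness check behind "extend the AOB to make it unique", and the 7-byte hook that [ENABLE] writes and [DISABLE] restores (readMem of the first 4 bytes plus db 48 8B CF). The code bytes and the code-cave offset are constructed; the host is assumed little-endian like the x64 target.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse a CE-style AOB ("46 ?? ?? ?? 48 8B CF"; the reply writes wildcards as xx) into
 * byte values plus a mask (1 = byte must match). Returns the pattern length. */
static size_t parse_aob(const char *s, uint8_t *pat, uint8_t *mask) {
    size_t n = 0;
    for (; *s && n < 32; n++) {
        while (*s == ' ') s++;
        if (!*s) break;
        char hex[3] = { s[0], s[1], 0 };
        mask[n] = (hex[0] != '?' && hex[0] != 'x');
        pat[n] = mask[n] ? (uint8_t)strtoul(hex, NULL, 16) : 0;
        s += 2;
    }
    return n;
}

/* Count matches and report the first offset. aobscanmodule needs exactly one hit,
 * which is why the reply says to extend the AOB until it is unique. */
static int aob_scan(const uint8_t *buf, size_t len, const char *aob, size_t *first) {
    uint8_t pat[32], mask[32];
    size_t n = parse_aob(aob, pat, mask);
    int hits = 0;
    for (size_t i = 0; n && i + n <= len; i++) {
        size_t k = 0;
        while (k < n && (!mask[k] || buf[i + k] == pat[k])) k++;
        if (k == n && hits++ == 0) *first = i;
    }
    return hits;
}

/* Constructed code bytes, not a dump of the game: the 7-byte pattern occurs twice. */
static const uint8_t sample_code[] = {
    0x90, 0x90,
    0x46, 0x0F, 0x10, 0xC1, 0x48, 0x8B, 0xCF, 0xE8, 0x11, 0x22, 0x33, 0x44, /* site A */
    0xCC, 0xCC,
    0x46, 0x8B, 0x04, 0x0A, 0x48, 0x8B, 0xCF, 0x48, 0x01, 0xF9,             /* site B */
    0xCC,
};

/* What [ENABLE] writes at the hook (E9 rel32 jmp + 2 nops = 7 bytes: the 4-byte wildcarded
 * instruction plus the 3-byte mov rcx,rdi) and what [DISABLE] puts back. Returns 1 if the
 * restore bytes reproduce the original site exactly. cave = offset of the allocated code. */
static int build_hook(const uint8_t *buf, size_t site, size_t cave, uint8_t patch[7], uint8_t restore[7]) {
    int32_t rel = (int32_t)((int64_t)cave - (int64_t)(site + 5)); /* rel32 counts from the jmp's end */
    patch[0] = 0xE9; memcpy(patch + 1, &rel, 4); patch[5] = patch[6] = 0x90;
    memcpy(restore, buf + site, 4); restore[4] = 0x48; restore[5] = 0x8B; restore[6] = 0xCF;
    return memcmp(restore, buf + site, 7) == 0;
}
```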