Sniper Ghost Warrior Contracts [Engine:CryEngine 4]

SunBeam
Administration
Posts: 4763
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4403

Post by SunBeam »

[ 08 Jun 21 - Hit #1 ]

Kindly DO NOT POST this content on other forums/communities (e.g.: Nexus, UnknownCheats, etc.). The same goes for you, avid ARTICLE WRITERS and YOUTUBE STREAMERS. Same as you prefer those places, I prefer FRF. I made this specifically for this community! If you want to share the news, do send those users to FRF instead.

Thank you for respecting my choice!


Game Name: Sniper Ghost Warrior Contracts
Game Vendor: Steam
Game Build ID: 6112106 [ Steam Client > Library > Sniper Ghost Warrior Contracts > right-click > Properties > Updates tab > check at the bottom ]
Game Process: SGWContracts.exe



Hello folks. Thought I'd revisit CryEngine for another round :) Before proceeding, please know that the table below might not contain the usual features you're looking for. If they're not in the table, please do not request them to be added. My interest (and this topic's goal) is to work with the Engine's CONSOLE (commands, CVars, whatever else can be done with it or derived from it). If you don't intend to use the table as intended, you may head back to Board Index (or w.e.) at this point. Just so I'm not wasting your time.

Alright. This topic is split in sections, denoted by the big ass text in bold between [ ] brackets. That being said, questions like "where can I find this or that?" are going to be frowned upon. I pretty much don't tolerate Speedy Gonzales-mode.

No one is chasing you, so be polite and fucking read everything, if you're interested :D


[ EAC bypass ]

The game is using EAC for its multi-player DLC. Because of that, the single-player part is affected as well. Namely, when you run the game from your Steam shortcut, EAC will run as well. I understand and know there are ways to get around it, however I don't like executing directly the game's EXE (SGWContracts.exe) as it never goes through Steam (for me). What that means is when I am at main menu, I do not have a CONTINUE button to click, meaning the progress is not synced. I don't know about you, but I wouldn't want to start all over again.

Please be advised I am not playing the MP part at all, so I don't know if the bypass works there. Bottom line: do not ask stupid questions like "will I get banned if I use this?", "is this safe in MP?". I do not care, the bypass IS NOT FOR MP! This forum is not for MP cheats! Period.

Instructions:

1) Download the ZIP below:

EAC_bypass.zip
pass: sunbeam
(2.13 KiB) Downloaded 469 times

2) Head to EAC folder in your game folder (e.g.: D:\SteamLibrary\steamapps\common\Sniper Ghost Warrior Contracts\EasyAntiCheat) and backup the existing DLLs. I renamed them to .BAK. I wouldn't stress about this step, as if you want the originals back, Steam will reacquire them. If you don't know how to make file extensions visible -> [Link].

3) Extract the archive content. When you're done, it should look like this:

Image

I've highlighted in yellow the file sizes so you can guide yourself by that, knowing what sizes to expect.

Now all you have to do is run the game normally from your Steam shortcut on Desktop. Want the source-code, drop me a PM.


[ Cheat Table ]


Image


SGWContracts.CT
(431.8 KiB) Downloaded 616 times

Options:
  • [ Enable ]
    Main script. You need to activate this so all the sub-options work.
  • Enable Console
    The script will set sys_DeactivateConsole to 0, so you can open it with Tilde (~`) key. "My key doesn't work.", "Can I change the key?", "I am using X keyboard." -> [Link]. There's no other way. The script will also set bUnrestrictCVars bool to 1, so you can use CVars in the console. It will also patch out a condition to allow CVars or commands flagged as VF_CHEATS to be executed.

    The console can be opened and closed with the Tilde (~`) key. IT WILL NOT RENDER ANY TEXT, so don't go berserk yelling "I don't see any text in the console". It's how it is. However, you can type and execute stuff, even if you can't see it :) See last item explanation below.
  • Enable Logging to File
    Once run, a pop-up will show that instructs you to copy-paste 3 CVars to be set in the console. Simply copy the text (Ctrl+C), head back in-game, open the console with Tilde key and paste (Ctrl+V) the text. You will see if the paste worked by checking szConsoleTypingCommand line in the table (see my picture above). Hit enter and repeat. Don't close the console in the process, as it's pointless to close/open it 3 times. Leave it open, then copy and paste the next CVar from my pop-up. Repeat. When done, you can close the console.

    What this does is to allow logging of the console output to a text file on your disk. I'll return with feedback on this one, as I don't recall exactly what's the location for the file or if I need to set-up extra CVars. So stay tuned.
  • Hook Resources
    Enable the script, open your map with M key (the list should already populate with your current amounts) and close it. Think it also works off-game world, just haven't tested.
  • Unlimited Clip Ammo
    The script will check if the weapon firing the clip belongs to our player EntityId and add back the subtracted amount of bullets.
  • Unlimited Inventory Ammo
    The script will check if the weapon having initiated the reload sequence belongs to our player EntityId and turn 0 the bullet amount supposed to be subtracted.
  • szConsoleTypingCommand
    Here you can watch what you type or paste in the console, given there's no rendering (CryEngine SDK default behavior, commented in the source-code -- thanks, devs! /sarcasm) of what's going on in there.

Note that most of the scripts are re-worked ones from my Sniper Ghost Warrior 3 table. Those that do not work (haven't yet found a use for them or need to further progress in the storyline) are marked in gray color. What does gray mean? SCRIPT DOES NOT WORK. Hope it's clear.

Lastly, no point in using the Universal Remote Console, as the client/server Remote Console code is not compiled. In short: IT WON'T WORK.

Next-up: the sequel, Sniper Ghost Warrior Contracts 2.

BR,
Sun

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1

aSwedishMagyar
Table Makers
Posts: 670
Joined: Mon Jul 06, 2020 3:19 am
Reputation: 1192

Post by aSwedishMagyar »

SunBeam wrote:
Tue Jun 08, 2021 4:25 pm
...
Great work as usual, this also applies to enabling the console in SGWC2.

Are there specific cues like in UE4 to how the structure is made up? I'm able to find lots of strings that show what I'm looking at but never saw any way to determine the actual offsets just from searching within the structure.

For example:
Image

Here I can see that the sys_DeactivateConsole is within this structure but I couldn't figure out that it is at offset 0x48. Did you just check what accesses the pointer to the sys_DeactivateConsole base or is 0x48 the default offset for console related booleans in CryEngine?

Thanks again for your explanations.
aSwedishMagyar

Edit:
So I'll answer my own question since I decided to follow the first idea I had:

Checking to see what accesses pointer leads to this:
Image

When you disassemble that region you see it calls a member function at +10 which loads that 'integer' not 'byte' (as I initially thought) and tests to see if it is 0. If it is, it jumps down and checks the bUnrestrictCVars:

Image

Which I would guess is how you found that value? Anyways very cool stuff, it's nice when you can use the referenced strings to find important functions.
Last edited by aSwedishMagyar on Tue Jun 08, 2021 7:49 pm, edited 1 time in total.

Post by SunBeam »

I'm using the CryEngine SDK source code ([Link]). The logic with CryEngine is finding SSystemGlobalEnvironment pointer ([Link]). In there you can find all of the base systems you need to further map out the stuff ([Link]).

Here's how I mapped SGW3: [Link].

If it's complicated for you, then get the SDK matching your CryEngine version of the game. That way you can make sure the order of the member-functions is the same as what's in the source-code.

Post by aSwedishMagyar »

Well that's even better than what I thought, I downloaded the SDK for CryEngine 5 but haven't really delved into it that much. I should probably pay more attention to the member functions.

Post by SunBeam »

aSwedishMagyar wrote:
Tue Jun 08, 2021 7:53 pm
Well that's even better than what I thought, I downloaded the SDK for CryEngine 5 but haven't really delved into it that much. I should probably pay more attention to the member functions.
Well, you already have the AOB to get to SSGE in my table. From there, you can easily map out the various systems :) They're not far off from what you see in that .h file above. +/-0x8 in some places, tops :P
aSwedishMagyar wrote:
Tue Jun 08, 2021 7:18 pm
Which I would guess is how you found that value? Anyways very cool stuff, it's nice when you can use the referenced strings to find important functions.
Nah, I used the source code, like I said. It indicates how the structures are set-up, which rarely changes from version to version. The offsets I've mapped in that .h for SGW3 work identically for Contracts. SSGE -> IConsole. Then IConsole + 0x230 has a pointer. Which is what you're showing above. I went directly there, no additional checking or analysis :)

This is not my first rodeo with CryEngine, so yeah...

Post by SunBeam »

aSwedishMagyar wrote:
Tue Jun 08, 2021 7:53 pm
Well that's even better than what I thought, I downloaded the SDK for CryEngine 5 but haven't really delved into it that much. I should probably pay more attention to the member functions.
Also got a video for ya, if interested, from back in the days when I was doing random Discord sessions. STN recorded it :D



Tells how I learned to map SGW2, starting point, including using IDA and CE dissect tool. Note that this was all the way back in 2017; I've gained quite a bit of knowledge in the process, so do excuse the "typos" or mispronunciation. I'm open to criticism :D

Post by aSwedishMagyar »

SunBeam wrote:
Tue Jun 08, 2021 9:54 pm
Also got a video for ya, if interested, from back in the days when I was doing random Discord sessions. STN recorded it :D Tells how I learned to map SGW2, starting point, including using IDA and CE dissect tool.
Yep definitely interested, it would be fun to start taking a more ground up approach instead of scanning endlessly.

Post by SunBeam »

Also some other shit I did in SGW3 :) Maybe useful.














Post by SunBeam »

Here's a run-down of the resources in the menu system. It all starts with the Application:

-------------------------------
 path to get to menu resources
-------------------------------

SGWContracts.CreateGameStartup - 48 83 EC 28           - sub rsp,28 { 40 }
SGWContracts.CreateGameStartup+4- 48 8D 05 6D8E8300     - lea rax,[SGWContracts.exe+1F5A288] { (7FF6F5079EF0) }
SGWContracts.CreateGameStartup+B- 48 C7 05 22799D04 00000000 - mov qword ptr [SGWContracts.exe+60F8D48],00000000 { (0),0 }
SGWContracts.CreateGameStartup+16- 48 89 05 03799D04     - mov [SGWContracts.exe+60F8D30],rax { (7FF6F58DA288) }
SGWContracts.CreateGameStartup+1D- 48 8D 0D 3C799D04     - lea rcx,[SGWContracts.exe+60F8D70] { (7FF6F5B5EE8C) }
SGWContracts.CreateGameStartup+24- 48 8D 05 9D8E8300     - lea rax,[SGWContracts.exe+1F5A2D8] { (7FF6F5079D40) }
SGWContracts.CreateGameStartup+2B- 66 C7 05 14799D04 0000 - mov word ptr [SGWContracts.exe+60F8D58],0000 { (16711680),0 }
SGWContracts.CreateGameStartup+34- 48 89 05 ED789D04     - mov [SGWContracts.exe+60F8D38],rax { (7FF6F58DA2D8) }
SGWContracts.CreateGameStartup+3B- 0F57 C0               - xorps xmm0,xmm0
SGWContracts.CreateGameStartup+3E- 48 8D 05 9B8E8300     - lea rax,[SGWContracts.exe+1F5A2F0] { (7FF6F3A0E390) }
SGWContracts.CreateGameStartup+45- C6 05 FE789D04 FF     - mov byte ptr [SGWContracts.exe+60F8D5A],-01 { (255),255 }
SGWContracts.CreateGameStartup+4C- 48 89 05 DD789D04     - mov [SGWContracts.exe+60F8D40],rax { (7FF6F58DA2F0) }
SGWContracts.CreateGameStartup+53- 48 8D 05 DE789D04     - lea rax,[SGWContracts.exe+60F8D48] { (0) }
SGWContracts.CreateGameStartup+5A- 48 89 05 DF789D04     - mov [SGWContracts.exe+60F8D50],rax { (7FF6F9A78D48) }
SGWContracts.CreateGameStartup+61- 66 0F7F 05 E7789D04   - movdqa [SGWContracts.exe+60F8D60],xmm0 { (0) }
SGWContracts.CreateGameStartup+69- E8 729996FE           - call SGWContracts.exe+8ADF0
SGWContracts.CreateGameStartup+6E- 48 8D 05 EB8D8300     - lea rax,[SGWContracts.exe+1F5A270] { (7FF6F3A2C3D0) }
SGWContracts.CreateGameStartup+75- C6 05 EC789D04 00     - mov byte ptr [SGWContracts.exe+60F8D78],00 { (0),0 }
SGWContracts.CreateGameStartup+7C- 48 89 05 F5789D04     - mov [SGWContracts.exe+60F8D88],rax { (7FF6F58DA270) }
SGWContracts.CreateGameStartup+83- 48 8D 05 96789D04     - lea rax,[SGWContracts.exe+60F8D30] { (7FF6F58DA288) }   	<---- 00007FF6F9A78D30
SGWContracts.CreateGameStartup+8A- 48 89 05 1F729D04     - mov [SGWContracts.exe+60F86C0],rax { (7FF6F9A78D30) }
SGWContracts.CreateGameStartup+91- 48 C7 05 D4789D04 00000000 - mov qword ptr [SGWContracts.exe+60F8D80],00000000 { (0),0 }
SGWContracts.CreateGameStartup+9C- 48 83 C4 28           - add rsp,28 { 40 }
SGWContracts.CreateGameStartup+A0- C3                    - ret

..
..

SGWContracts.ModuleInitISystem+1E54 - 4C 8B F8              - mov r15,rax 											<---- 00007FF6F9A78D30
SGWContracts.ModuleInitISystem+1E57 - BB F3FFFFFF           - mov ebx,FFFFFFF3 { -13 }
SGWContracts.ModuleInitISystem+1E5C - 48 85 C0              - test rax,rax

..
..

SGWContracts.exe+1717322 - 48 8B 4F 18           - mov rcx,[rdi+18]													<---- 00007FF6F9A78D90
SGWContracts.exe+1717326 - 48 85 C9              - test rcx,rcx
SGWContracts.exe+1717329 - 74 0F                 - je SGWContracts.exe+171733A
SGWContracts.exe+171732B - 48 8B 01              - mov rax,[rcx]
SGWContracts.exe+171732E - 45 8B C6              - mov r8d,r14d
SGWContracts.exe+1717331 - 41 0FB6 D7            - movzx edx,r15l
SGWContracts.exe+1717335 - FF 50 38              - call qword ptr [rax+38]

00007FF6F9A78D30 $ ==>             00007FF6F58DA288
00007FF6F9A78D38 $+8               00007FF6F58DA2D8
00007FF6F9A78D40 $+10              00007FF6F58DA2F0
00007FF6F9A78D48 $+18              00007FF6F9A78D90  <---- [ SSystemGlobalEnvironment + 0x90 ] == pGame

..
..

SGWContracts.exe+1396BA6 - 48 8B 4E 50           - mov rcx,[rsi+50]													<---- [ pGame + 0x50 ] == m_pFramework
SGWContracts.exe+1396BAA - 45 8B C5              - mov r8d,r13d
SGWContracts.exe+1396BAD - B2 01                 - mov dl,01 { 1 }
SGWContracts.exe+1396BAF - 48 8B 01              - mov rax,[rcx]
SGWContracts.exe+1396BB2 - FF 50 60              - call qword ptr [rax+60]
SGWContracts.exe+1396BB5 - 48 8B 4E 50           - mov rcx,[rsi+50]
SGWContracts.exe+1396BB9 - 48 8B 01              - mov rax,[rcx]
SGWContracts.exe+1396BBC - FF 50 78              - call qword ptr [rax+78]

..
..

SGWContracts.exe+529F26 - 49 8B 8D F0050000     - mov rcx,[r13+000005F0]											<---- [ m_pFramework + 0x5F0 ] == 000001ECA9621090
SGWContracts.exe+529F2D - 48 85 C9              - test rcx,rcx
SGWContracts.exe+529F30 - 74 0C                 - je SGWContracts.exe+529F3E
SGWContracts.exe+529F32 - 48 8B 01              - mov rax,[rcx]
SGWContracts.exe+529F35 - 0F28 CE               - movaps xmm1,xmm6
SGWContracts.exe+529F38 - FF 90 B8000000        - call qword ptr [rax+000000B8]
SGWContracts.exe+529F3E - 48 8B 0D C349CB01     - mov rcx,[SGWContracts.exe+21DE908] { (0) }

..
..

SGWContracts.exe+652600 - 85 D2                 - test edx,edx
SGWContracts.exe+652602 - 74 42                 - je SGWContracts.exe+652646
SGWContracts.exe+652604 - 83 EA 01              - sub edx,01 { 1 }
SGWContracts.exe+652607 - 74 2C                 - je SGWContracts.exe+652635
SGWContracts.exe+652609 - 83 EA 01              - sub edx,01 { 1 }
SGWContracts.exe+65260C - 74 16                 - je SGWContracts.exe+652624
SGWContracts.exe+65260E - 83 FA 01              - cmp edx,01 { 1 }
SGWContracts.exe+652611 - 75 43                 - jne SGWContracts.exe+652656
SGWContracts.exe+652613 - F3 0F58 91 84020000   - addss xmm2,[rcx+00000284]
SGWContracts.exe+65261B - F3 0F11 91 84020000   - movss [rcx+00000284],xmm2 										<---- Challenge Tokens
SGWContracts.exe+652623 - C3                    - ret
SGWContracts.exe+652624 - F3 0F58 91 80020000   - addss xmm2,[rcx+00000280] 										<---- Intel Tokens
SGWContracts.exe+65262C - F3 0F11 91 80020000   - movss [rcx+00000280],xmm2
SGWContracts.exe+652634 - C3                    - ret
SGWContracts.exe+652635 - F3 0F58 91 7C020000   - addss xmm2,[rcx+0000027C] 										<---- Contract Tokens
SGWContracts.exe+65263D - F3 0F11 91 7C020000   - movss [rcx+0000027C],xmm2
SGWContracts.exe+652645 - C3                    - ret
SGWContracts.exe+652646 - F3 0F58 91 78020000   - addss xmm2,[rcx+00000278] 										<---- Money
SGWContracts.exe+65264E - F3 0F11 91 78020000   - movss [rcx+00000278],xmm2
SGWContracts.exe+652656 - C3                    - ret
Short version: [ pGameFramework + 0x5F0 ] + 0x278 | +4 +4 +4 (as float).
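
The compare-and-branch chain at SGWContracts.exe+652600 in the listing above is a compiled switch over a resource id. Read back into C as an added example (not part of the original post or the game's source; the struct name, the enum names and the padding before +0x278 are assumptions, only the four offsets and the branch order come from the listing):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ids in the order the listing peels them off edx. Names are assumptions. */
enum { RES_MONEY, RES_CONTRACT, RES_INTEL, RES_CHALLENGE };

/* Hypothetical layout: only the four float offsets come from the listing;
   everything before +0x278 is unknown and modelled as padding. */
struct menu_resources {
    uint8_t unknown[0x278];
    float money;            /* +0x278 */
    float contract_tokens;  /* +0x27C */
    float intel_tokens;     /* +0x280 */
    float challenge_tokens; /* +0x284 */
};
_Static_assert(offsetof(struct menu_resources, money) == 0x278, "layout");
_Static_assert(offsetof(struct menu_resources, challenge_tokens) == 0x284, "layout");

/* Replays the branch chain on edx and returns the field offset it selects,
   or -1 for ids that reach the bare ret at +652656 without a store. */
long resource_offset(uint32_t edx) {
    if (edx == 0) return 0x278;   /* test edx,edx ; je +652646 */
    edx -= 1;                     /* sub edx,01 */
    if (edx == 0) return 0x27C;   /* je +652635 */
    edx -= 1;                     /* sub edx,01 */
    if (edx == 0) return 0x280;   /* je +652624 */
    if (edx != 1) return -1;      /* cmp edx,01 ; jne +652656 */
    return 0x284;                 /* fall through to +652613 */
}

/* C reading of the routine: rcx = object, edx = id, xmm2 = amount. */
void add_resource(struct menu_resources *obj, uint32_t id, float amount) {
    long off = resource_offset(id);
    if (off < 0) return;
    float *slot = (float *)((uint8_t *)obj + off);
    *slot = amount + *slot;       /* addss xmm2,[rcx+off] ; movss [rcx+off],xmm2 */
}

int main(void) {
    struct menu_resources r = {0};
    add_resource(&r, RES_MONEY, 250.0f);
    add_resource(&r, RES_INTEL, 3.0f);
    add_resource(&r, 7, 99.0f);   /* unknown id: no field changes */
    printf("money=%.0f contract=%.0f intel=%.0f challenge=%.0f\n",
           r.money, r.contract_tokens, r.intel_tokens, r.challenge_tokens);
    return 0;
}
```

The two `sub edx,01` steps followed by `cmp edx,01` are how the compiler tests for ids 1, 2 and 3 without a jump table; any other id returns without touching the object.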

sebastianyyz
Expert Cheater
Posts: 315
Joined: Sun Jul 09, 2017 3:33 am
Reputation: 53

Post by sebastianyyz »

Nice, thank you so much SunBeam
