z The Last Stand: Aftermath

Zanzer
RCE Fanatics
Posts: 1093
Joined: Fri Mar 03, 2017 10:48 pm
Reputation: 3520

z The Last Stand: Aftermath

Post by Zanzer »

Unlimited Armory
Unlimited Fuel
Unlimited Throwables
Full Ammo Clip
Full Durability
No Health Penalty
No Stamina Penalty
Stop Infection
Unlimited Stamina When Running
Unlimited Stamina When Attacking
Show Hidden Objects/Traps
Can Always Interact
Always Within Interact Range
Craft For Free
Inventory Mouseover
Weapon Mouseover
- Quantity
- Durability
- Clip Count
Experience Multiplier (new)
Game State Pointers
- Knowledge
- Supplies

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1
Attachments
TLSA.CT
2021-11-21
(50.01 KiB) Downloaded 346 times
TLSA.CT
2021-11-20
(46.66 KiB) Downloaded 56 times
TLSA.CT
2021-11-17
(28.97 KiB) Downloaded 54 times
Last edited by Zanzer on Sun Nov 21, 2021 5:50 pm, edited 2 times in total.

toydefenser
Expert Cheater
Posts: 140
Joined: Wed Oct 23, 2019 12:30 pm
Reputation: 21

Re: z The Last Stand: Aftermath

Post by toydefenser »

nice thank :)

Send
Table Makers
Posts: 432
Joined: Fri Feb 02, 2018 5:58 pm
Reputation: 315

Re: z The Last Stand: Aftermath

Post by Send »

I added a few of your options to my existing table, if you don't mind. Let me know and I'll remove them if you'd like. Credits given in table and thread.


viewtopic.php?f=4&t=18221&p=220899#p220899 +29

tfigment
Table Makers
Posts: 642
Joined: Sat Apr 15, 2017 12:49 am
Reputation: 803

Re: z The Last Stand: Aftermath

Post by tfigment »

Zanzer wrote:
Wed Nov 17, 2021 6:11 am
...
Inventory Mouseover
...
Learned new stuff like reassemble command from this table. Anyway running into crashes with your table.

The root cause is something I've started seeing a lot on my machine. Basically jmp becomes a 14 byte 64-bit jmp instruction instead of a 5 byte 32-bit jmp instruction and mangles the assembly.

I assume this is a known issue in general but not sure if there is a reliable workaround. The last time I encountered this I ended up having to assume the 14 byte version and include a lot of nops and related protection to deal with either case.

Not expecting solution as I will figure it out myself. But would love to see a simple reliable workaround that is fairly generic.
Example for Inventory Mouseover
This is "Inventory Mouseover". GameAssembly.dll is at 1429D1A0000, inventoryPtr is at 14352DE0000

Code: Select all

GameAssembly.dll+6FBE5D - C6 05 930BBC03 01     - mov byte ptr [GameAssembly.dll+42BC9F7],01 { (1),1 }
GameAssembly.dll+6FBE64 - 48 85 FF              - test rdi,rdi
// ---------- INJECTING HERE ----------
GameAssembly.dll+6FBE67 - 0F84 DE010000         - je GameAssembly.dll+6FC04B
GameAssembly.dll+6FBE6D - 83 7F 20 01           - cmp dword ptr [rdi+20],01 { 1 }
GameAssembly.dll+6FBE71 - 0F8E 4A010000         - jng GameAssembly.dll+6FBFC1
// ---------- DONE INJECTING  ----------
GameAssembly.dll+6FBE77 - 48 8B B3 B8000000     - mov rsi,[rbx+000000B8]
GameAssembly.dll+6FBE7E - 48 85 F6              - test rsi,rsi
GameAssembly.dll+6FBE81 - 0F84 1C020000         - je GameAssembly.dll+6FC0A3
GameAssembly.dll+6FBE87 - 48 8B 05 C211BD03     - mov rax,[GameAssembly.dll+42CD050] { (7FFC5F19D3B0) }
becomes

Code: Select all

GameAssembly.dll+6FBE5D - C6 05 930BBC03 01     - mov byte ptr [GameAssembly.dll+42BC9F7],01 { (1),1 }
GameAssembly.dll+6FBE64 - 48 85 FF              - test rdi,rdi
inventory               - FF25 00000000 0000DE5243010000 - jmp inventoryBkp
GameAssembly.dll+6FBE75 - 90                    - nop
// ---------- Misalignment here ----------
GameAssembly.dll+6FBE76 - 00 48 8B              - add [rax-75],cl
GameAssembly.dll+6FBE79 - B3 B8                 - mov bl,-48 { 184 }
GameAssembly.dll+6FBE7B - 00 00                 - add [rax],al
GameAssembly.dll+6FBE7D - 00 48 85              - add [rax-7B],cl
GameAssembly.dll+6FBE80 - F6                    - db -0A
GameAssembly.dll+6FBE81 - 0F84 1C020000         - je GameAssembly.dll+6FC0A3
Edit: Alternative Code for Inventory Ptr
Here is my alternative version using a different point later in function with 16 bytes open. reassemble would be nice if you give it a size and have it reassemble what it can from the size and then pad with nops or something. Instead of picking individual instructions but then again readmem is sufficient here.

Code: Select all

[ENABLE]
aobscanmodule(inventory,GameAssembly.dll,48 8B B3 C8 00 00 00 33 D2 48 8B 8B E8 00 00 00)
alloc(inventoryBkp,$100,inventory)

label(return)
label(inventoryPtr)

inventoryBkp:
  readmem(inventory, 16)
  mov [inventoryPtr],rdi
  jmp return

align 8
inventoryPtr:
  dq 0

inventory:
  nop 5 // 32 bit jmp align
  nop 9 // 64 bit jmp align if needed
  nop 2
return:

inventory:
  jmp inventoryBkp

registersymbol(inventory)
registersymbol(inventoryBkp)
registersymbol(inventoryPtr)

[DISABLE]
inventory:
  readmem(inventoryBkp, 16)

unregistersymbol(inventory)
unregistersymbol(inventoryBkp)
unregistersymbol(inventoryPtr)
dealloc(inventoryBkp)
Last edited by tfigment on Thu Nov 25, 2021 3:54 pm, edited 1 time in total.

Zanzer
RCE Fanatics
Posts: 1093
Joined: Fri Mar 03, 2017 10:48 pm
Reputation: 3520

Re: z The Last Stand: Aftermath

Post by Zanzer »

tfigment wrote:
Thu Nov 25, 2021 2:51 pm
...
Yea, I don't believe CE has something automatic to assist with this. If these long jumps seem to be occurring a lot, you may just need to write your scripts to always assume it will need to reserve 15 bytes. It happens when CE can't find an empty block of code near your target injection. It's possible that reducing the alloc() size will help it find a better code cave. Instead of $1000, pick a much smaller number that reflects your actual needed space. Although, it probably always reserves a chunk of bytes and doesn't necessarily honor your requested size.

But, for something like this scenario, if you always assume it will require 15 bytes, you could do something like below. Note you don't have to NOP as long as you tell the code where to JMP properly. The disassembler view may look bad, but the code itself doesn't care when running.

Code: Select all

[ENABLE]
aobscanmodule(inventory,GameAssembly.dll,0F 84 ?? ?? ?? ?? 83 7F ?? 01 0F 8E)
alloc(inventoryBkp,$1000,inventory)

label(inventoryPtr)

inventoryBkp:
  reassemble(inventory+00)
  reassemble(inventory+06)
  reassemble(inventory+0A)
  mov rcx,inventoryPtr
  mov [rcx],rdi
  jmp inventory+10

align 8
inventoryPtr:
  dq 0

inventory:
  jmp inventoryBkp
registersymbol(inventory)
registersymbol(inventoryBkp)
registersymbol(inventoryPtr)

[DISABLE]
inventory:
  reassemble(inventoryBkp+00)
  reassemble(inventoryBkp+06)
  reassemble(inventoryBkp+0A)
unregistersymbol(inventory)
unregistersymbol(inventoryBkp)
unregistersymbol(inventoryPtr)
dealloc(inventoryBkp)
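
Added example (not part of the thread or of either poster's table): a Python sketch of the arithmetic behind the 5-byte versus 14-byte jmp that tfigment describes and that Zanzer's `jmp inventory+10` accounts for. Addresses and instruction lengths are copied from the disassembly quoted above; the function names are hypothetical, and the rel32 reach rule is standard x86-64 behaviour, not taken from Cheat Engine's source.

```python
# Added example; addresses and instruction lengths are copied from the
# disassembly quoted in the thread, function names are hypothetical.
REL32_LEN = 5    # E9 + 32-bit displacement
ABS64_LEN = 14   # FF 25 00000000 + 8-byte absolute target

MODULE_BASE = 0x1429D1A0000          # GameAssembly.dll (from the post)
SITE = MODULE_BASE + 0x6FBE67        # injection point "inventory"
CAVE = 0x14352DE0000                 # allocated block (jmp target in the post)

# Lengths of the original instructions starting at the injection point:
# je (0F84 rel32), cmp (83 7F 20 01), jng (0F8E rel32), mov rsi,[rbx+B8]
SITE_INSNS = [6, 4, 6, 7]


def jmp_len(src, dst):
    """Size of the jmp needed at src to reach dst."""
    disp = dst - (src + REL32_LEN)   # rel32 counts from the next instruction
    return REL32_LEN if -2**31 <= disp < 2**31 else ABS64_LEN


def hook_layout(insn_lens, patch_len):
    """Whole instructions a patch_len-byte jmp overwrites.

    Returns (instructions to relocate, bytes covered, leftover bytes).
    The return jmp must land at site + covered; leftover bytes are stale
    instruction tails that need NOPs or are simply skipped.
    """
    covered = 0
    for count, length in enumerate(insn_lens, 1):
        covered += length
        if covered >= patch_len:
            return count, covered, covered - patch_len
    raise ValueError("not enough instructions listed to fit the jmp")


if __name__ == "__main__":
    need = jmp_len(SITE, CAVE)
    count, covered, pad = hook_layout(SITE_INSNS, need)
    print(f"distance {CAVE - SITE:#x} -> {need}-byte jmp")
    print(f"relocate {count} instructions, return at inventory+{covered:#x}, pad {pad}")
    # A script sized for the short jmp plans for far fewer bytes:
    print("5-byte plan:", hook_layout(SITE_INSNS, REL32_LEN))
```

With the thread's addresses the cave is more than 2 GiB from the injection point, so the 14-byte form is required and the three relocated instructions cover 16 bytes, which matches the `inventory+10` return target and the 16-byte `readmem` in the two scripts.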

tfigment
Table Makers
Posts: 642
Joined: Sat Apr 15, 2017 12:49 am
Reputation: 803

Re: z The Last Stand: Aftermath

Post by tfigment »

Zanzer wrote:
Thu Nov 25, 2021 3:52 pm
Thanks. This was my assumption. Even a smaller block does not always work. I edited post with my approach here. Mentally easier in this case. Would be nice if reassemble could do more than one instruction and do a range but it's all doable manually.
