Far Cry 5 Megathread - EAC Bypass & Table Compilation

[SunBeam]

Well until I figure out how to get CPlayer or SunBeam will share it with us I can give you guys a bit complex but fixed version of no reload.

Figured it out

This is the spot where clip ammo quantity is subtracted before being written to clip inside that CALL:

Code: Select all

FC_m64.dll+AC814F8 - 29 DA                 - sub edx,ebx
FC_m64.dll+AC814FA - E8 11C308F7           - call FC_m64.dll+1D0D810

In my current run, R14 register contains this pointer: 0x0000026629A516D0.

Now, I found this function from previous research in Far Cry: Primal:

Code: Select all

FC_m64.dll+A6A1020 - 48 8B 81 682A0000     - mov rax,[rcx+00002A68]
FC_m64.dll+A6A1027 - 80 B8 29070000 00     - cmp byte ptr [rax+00000729],00
FC_m64.dll+A6A102E - 74 08                 - je FC_m64.dll+A6A1038
FC_m64.dll+A6A1030 - 0FB6 05 495F45FA      - movzx eax,byte ptr [FC_m64.dll+4AF6F80] { [00000001] }
FC_m64.dll+A6A1037 - C3                    - ret 
FC_m64.dll+A6A1038 - 48 83 C1 08           - add rcx,08
FC_m64.dll+A6A103C - E9 4F1F4AF7           - jmp FC_m64.dll+1B42F90
...

That being said, here's a flow I tested debugging the above:

Code: Select all

RCX == 0000026614379A98 ->
FC_m64.dll+A789638 - 48 8B 89 40020000     - mov rcx,[rcx+00000240]
->
RCX == 0000026629A516D0 ->
FC_m64.dll+A6971E0 - 48 8B 81 682A0000     - mov rax,[rcx+00002A68]
->
RAX == 0000026614378EA0

As you can see, the pointer obtained from 0x240 offset is identical to my R14. So, if we read further the pointer at offset 0x2A68, we get the base for CPawnEntity. Inside this structure there's a BOOL at offset 0x729 which can have 2 values: 0 = player_entity_id; 1 = any_other_entity_id.

And if I run a "Find out what addresses this instruction accesses", just to be thorough in the demo, I get this:



So here's my Unlimited Clip Ammo script

Code: Select all

[ENABLE]

aobscanmodule( _ClipAmmo, FC_m64.dll, 48895C2408574883EC2089D74889CB3B9188010000 )
registersymbol( _ClipAmmo )
alloc( ClipAmmo, 256, FC_m64.dll )
label( ClipAmmo_orig )
registersymbol( ClipAmmo_orig )

ClipAmmo:
push rax
push rbx
push rcx // psLaunch
push rdx
push r8
mov rax,[rcx+80]
mov rbx,[rax+10] // CPawnEntity
test rbx,rbx
je short @f
  mov rcx,[rbx+C8] // CEntityArchetypeRes
  test rcx,rcx
  je short @f
    lea rdx,[rbx+A8]
    movsxd  r8,dword ptr [rcx+20]
    mov rax,[rdx]
    mov rax,[rax+r8*8]
    mov rax,[rax+2A68]
    cmp byte ptr [rax+729],0 // IsPlayer
    jne short @f
      pop r8 // yes
      pop rdx
      pop rcx
      pop rbx
      pop rax
      add edx,ebx // add back subtracted ammo
      jmp short ClipAmmo_orig // exit
@@:
pop r8 // no
pop rdx
pop rcx
pop rbx
pop rax
ClipAmmo_orig:
readmem( _ClipAmmo, 5 )
jmp _ClipAmmo+5

_ClipAmmo:
jmp ClipAmmo

[DISABLE]

_ClipAmmo:
readmem( ClipAmmo_orig, 5 )

unregistersymbol( ClipAmmo_orig )
dealloc( ClipAmmo )
unregistersymbol( _ClipAmmo )

/*
FC_m64.dll+AADF710 - 48 89 5C 24 08        - mov [rsp+08],rbx <--
FC_m64.dll+AADF715 - 57                    - push rdi
FC_m64.dll+AADF716 - 48 83 EC 20           - sub rsp,20
FC_m64.dll+AADF71A - 89 D7                 - mov edi,edx
FC_m64.dll+AADF71C - 48 89 CB              - mov rbx,rcx
FC_m64.dll+AADF71F - 3B 91 88010000        - cmp edx,[rcx+00000188]
FC_m64.dll+AADF725 - 74 3C                 - je FC_m64.dll+AADF763
FC_m64.dll+AADF727 - E8 244024F7           - call FC_m64.dll+1D23750
FC_m64.dll+AADF72C - 39 F8                 - cmp eax,edi
FC_m64.dll+AADF72E - C6 83 C4000000 01     - mov byte ptr [rbx+000000C4],01
FC_m64.dll+AADF735 - 41 89 F8              - mov r8d,edi
FC_m64.dll+AADF738 - 44 0F4C C0            - cmovl r8d,eax
FC_m64.dll+AADF73C - 44 89 83 88010000     - mov [rbx+00000188],r8d
FC_m64.dll+AADF743 - 85 FF                 - test edi,edi
FC_m64.dll+AADF745 - 7E 07                 - jle FC_m64.dll+AADF74E
FC_m64.dll+AADF747 - C6 83 D0010000 00     - mov byte ptr [rbx+000001D0],00
FC_m64.dll+AADF74E - 48 8B 8B E0010000     - mov rcx,[rbx+000001E0]
FC_m64.dll+AADF755 - 48 85 C9              - test rcx,rcx
FC_m64.dll+AADF758 - 74 09                 - je FC_m64.dll+AADF763
FC_m64.dll+AADF75A - 48 8B 01              - mov rax,[rcx]
FC_m64.dll+AADF75D - FF 90 E8000000        - call qword ptr [rax+000000E8]
FC_m64.dll+AADF763 - 48 8B 5C 24 30        - mov rbx,[rsp+30]
FC_m64.dll+AADF768 - 48 83 C4 20           - add rsp,20
FC_m64.dll+AADF76C - 5F                    - pop rdi
FC_m64.dll+AADF76D - C3                    - ret
*/

Enjoy,
Sun

P.S.: You may use the condition in any other scripts, given you determine the register holding the pointer you'll use to get to CPawnPlayer

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[gir489]

Code: Select all

{ Game   : FarCry5.exe
  Version: 1.2.0
  Date   : 2018-03-31
  Author : gir489

  Infinite Armor
}

[ENABLE]
aobscanmodule(Armor,FC_m64.dll, F3 0F 11 41 18 45) // should be unique
aobscanmodule(ReturnAddress,FC_m64.dll,48 8B 46 10 48 8D 54 24 20 48 8B CF) // should be unique
alloc(newmem,$1000,"FC_m64.dll")
registersymbol(Armor)
label(return)

newmem:
movss [rcx+18],xmm0
push r8
mov r8, ReturnAddress
cmp [rsp+30],r8
pop r8
jne return
mov [rcx+18], (float)100
jmp return

Armor:
jmp newmem
return:

[DISABLE]
unregistersymbol(Armor)
dealloc(newmem)

Armor:
movss [rcx+18],xmm0

Optimized Infinite Armor.

[mflvs]

was using the Helicopter scripts and noticed they also affect the plane, but the bombs still decrease.
This is for unlimited bombs on planes

Code: Select all

{ Game   : FarCry5.exe
  Version: 1.2.0
  Date   : 2018-04-01
  Author : mflvs

  Unlimited Bombs }

[ENABLE]
aobscanmodule(BombsLocation,FC_m64.dll,74 04 FF 4C C1 74 C3) // should be unique
registersymbol(BombsLocation)

BombsLocation:
db EB

[DISABLE]
unregistersymbol(BombsLocation)

BombsLocation:
db 74

[budabum]

i'm done with FR5. on GF 1080ti with ultra settings i get FR2 quality graphics. what a disappointment...
just requested refund... let's see what ubi replies

[gir489]

Code: Select all

{ Game   : FarCry5.exe
  Version: 1.2.0
  Date   : 2018-04-01
  Author : gir489

  Infinite Armor }
[ENABLE]
aobscanmodule(Armor,FC_m64.dll,F3 0F 11 BC 24 98 00 00 00) // should be unique
alloc(newmem,$1000,"FC_m64.dll")
registersymbol(Armor)
label(return)

newmem:
mov [rcx+18],(float)100
movss [rsp+00000098],xmm7
jmp return

Armor:
jmp newmem
nop
nop
nop
nop
return:

[DISABLE]
unregistersymbol(Armor)
dealloc(newmem)

Armor:
movss [rsp+00000098],xmm7

Infinite Armor last time super cereal guys, I swear.

[mflvs]

Thanks gir, ill get back to it, trying to find Z position.

[vrork]

What do i need to do to get only more X money instead of infinity everything? And only X perk points

[vrork]

Can we please get a max money cheat that only changes the money, not everything else too?

[SunBeam]

^ I'll see if I can make one. Peace.

[vrork]

^ I'll see if I can make one. Peace.

Thanks. (sorry for the double post. I didnt had noticed that i had to wait for the aproval for my post to appear)

[LazerPazer]

can someone add also Freeze Timer function((((

[Draxhax]

@SunBeam - thanks for that info. I've almost got something together for Vehicle Health because of you. I just need to find a consistent pointer that I can use and it'll be ready... But my eyes feel like they're bleeding and need a break.

[bonzay0]

Can we please get a max money cheat that only changes the money, not everything else too?

Doesn't the current table has one? doesn't work?

Edit: Just to make it clear: There is an option called: "Infinite Money" in the table.
It maxes your money and stop it there. Nothing else.

[velvetio]

Could someone do something with the game's time scale? The day night cycle goes very fast! It would be good also to be able to fast forward time since the game does not bring the option to sleep. Thank you!

[vrork]

Can we please get a max money cheat that only changes the money, not everything else too?

Doesn't the current table has one? doesn't work?

Edit: Just to make it clear: There is an option called: "Infinite Money" in the table.
It maxes your money and stop it there. Nothing else.

Nope. it doesnt. I maxes out and them some (aka, 1000+ of everything) money, "loot", special ammo, granades, and soo on