Darksiders 3 [Engine:UE4] - Console enabler, Dumper and more..

Upload your cheat tables here (No requests)
Post Reply
Jevnaker
Cheater
Cheater
Posts: 29
Joined: Wed Mar 08, 2017 10:59 am
Reputation: 2

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by Jevnaker »

VoidRunner wrote:
Sat Dec 01, 2018 9:14 am
So.... Just a tip.... But beware Spoilers....
Spoiler
Don't Beat Gluttony with Damage Reflection.... It broke my game. Have to Restart Story...
a fix for gluttony becoming bugged was in the patch notes for the december 1 update. said it should also fix saves that had the issue.

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1

VoidRunner
Noobzor
Noobzor
Posts: 13
Joined: Thu Sep 20, 2018 6:43 pm
Reputation: 0

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by VoidRunner »

Jevnaker wrote:
Sat Dec 01, 2018 3:36 pm
VoidRunner wrote:
Sat Dec 01, 2018 9:14 am
So.... Just a tip.... But beware Spoilers....
Spoiler
Don't Beat Gluttony with Damage Reflection.... It broke my game. Have to Restart Story...
a fix for gluttony becoming bugged was in the patch notes for the december 1 update. said it should also fix saves that had the issue.
Yeah thaey fixed it. Although they Nerfed my Fafnir Enhancement damage. only doing 700 a hit with force hammer instead of 1100.

User avatar
SunBeam
Administration
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4284

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by SunBeam »

That speed-up script should make it worth your while. Even with 100 damage, you deal like 500-700 in a cycle. Per second. So stop whining :) If there's one thing I hate about people is trying to look legit hacking other features of the game, like stats or weapons/armor. But they wouldn't use 1 hit kill or damage enhancers, cuz it's not right for their play style. However, hacked stats are OK in their books :P

Finished the game last night; was a bit confused by the order of events. Had to backtrack my way around from the Sand Halls to the factory and up the tower. I used toggledebugcamera to pass an iron wall and get directly to the elevator leading up that tower. Of course, not going through the designed path.. enabled some dialogue that was supposed to happen BEFORE the second battle with Wrath, LOL. Pretty much like: killed Wrath, went backwards once movie was over, dialogue with the Watcher "are we ready to defeat Wrath a second time?" - - wait, what? :D

Not to mention the random ending and extra cutscene; what am I to understand.. there's going to be a new game sometime soon?

Updated some more stuff in the Excel; seems the most bad-ass Lurcher Cache is "Larger Lurcher Cache" -> Item_Crystal_08.Item_Crystal_08_C. However, you cannot summon it if you don't already have it in your inventory. Unless it was loaded as Package in the map you're in.

Lastly, you can get a better version of Raider's Mercy as you find more people; just visit Ulthane ;)

BR,
Sun

User avatar
SunBeam
Administration
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4284

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by SunBeam »

One more thing I want to show you and I'm done with this title. This one thing should apply to any other UE4 game out there, considering most CheatManager functions are C++ compiled code now. I wanted to find out why fly works in We Happy Few and doesn't in the games I started analyzing (Darksiders 3, OVERKILL's The Walking Dead). I've created a similar DLL for WHF to dump Names/Objects) and started my analysis.

Let's dive in - - warning: long post below.

Fired up We Happy Few (will shorten it to WHF). Started game, got past the first few actions till I could move around. Injected the DLL to dump Names/Objects in .txt files, then attached x64dbg. fly can be found via string references and is here:

-- wrapper --

Image

-- actual function --

Image

The parkour goes like this:
  • RCX is:

    Code: Select all

    [154909] GlimpseCheatManager GlimpsePrologue_Arthur.GlimpsePrologue_Arthur.PersistentLevel.DefaultPlayerController_C_1.GlimpseCheatManager_1 0x000002225976D400
So.. a CheatManager pointer.
  • after the first MOV, RAX becomes:

    Code: Select all

    [154882] DefaultPlayerController_C GlimpsePrologue_Arthur.GlimpsePrologue_Arthur.PersistentLevel.DefaultPlayerController_C_1 0x000002223DBCEA70
  • at the TEST instruction, RBX is:

    Code: Select all

    [185737] ArthurCharacter_C GlimpsePrologue_Arthur.GlimpsePrologue_Arthur.PersistentLevel.ArthurCharacter_C_1  0x00000222508CC000
The next part is not of interest, as it fetches the console interface, the position in the console at which to write "You feel much lighter" string and writing it to the actual console. What is important starts here:

Image

Notice how the engine loads-up that string -> "/Script/Engine". A CALL follows inside of which we see:

Image

And that CALL returns:

Code: Select all

[000165] Class Engine.Character                                                                               0x0000022209D65100
A loop follows:

Code: Select all

00007FF77217C3A0 | 48:8B4B 10                             | MOV RCX,QWORD PTR DS:[RBX+10]                                     | rcx:L"/Script/Engine"
00007FF77217C3A4 | 4C:8D80 88000000                       | LEA R8,QWORD PTR DS:[RAX+88]                                      |
00007FF77217C3AB | 49:6340 08                             | MOVSXD RAX,DWORD PTR DS:[R8+8]                                    |
00007FF77217C3AF | 3B81 90000000                          | CMP EAX,DWORD PTR DS:[RCX+90]                                     |
00007FF77217C3B5 | 7F 30                                  | JG glimpsegame.7FF77217C3E7                                       |
00007FF77217C3B7 | 48:8BD0                                | MOV RDX,RAX                                                       |
00007FF77217C3BA | 48:8B81 88000000                       | MOV RAX,QWORD PTR DS:[RCX+88]                                     |
00007FF77217C3C1 | 4C:3904D0                              | CMP QWORD PTR DS:[RAX+RDX*8],R8                                   |
00007FF77217C3C5 | 75 20                                  | JNE glimpsegame.7FF77217C3E7                                      |
00007FF77217C3C7 | 48:8BCB                                | MOV RCX,RBX                                                       | rcx:L"/Script/Engine"
00007FF77217C3CA | E8 D1F44D00                            | CALL glimpsegame.7FF77265B8A0                                     |
RBX is ArthurCharacter_C. At 0x10 offset inside this structure we find:

Code: Select all

[113385] BlueprintGeneratedClass ArthurCharacter.ArthurCharacter_C                                            0x0000022232313000
RAX is our fetched Class; RAX is adjusted to Class+0x88. We then see a DWORD is read from this location+0x8. In my case, the value is 0x3. Then this value is checked against [BlueprintGeneratedClass+90] (the class at 0x10 from earlier). The value I found there is 0x7. As long as EAX < [RCX+90] (3 < 7), the JG will not jump. So the next block executes:

Code: Select all

00007FF77217C3B7 | 48:8BD0                                | MOV RDX,RAX                                                       |
00007FF77217C3BA | 48:8B81 88000000                       | MOV RAX,QWORD PTR DS:[RCX+88]                                     |
00007FF77217C3C1 | 4C:3904D0                              | CMP QWORD PTR DS:[RAX+RDX*8],R8                                   |
00007FF77217C3C5 | 75 20                                  | JNE glimpsegame.7FF77217C3E7                                      |
A pointer is now read from 0x88 offset of the BlueprintGeneratedClass. We then see the CMP indicates that 0x3 value is actually an offset; and that is because of this setup:

Code: Select all

00007FF77217C3C1 | 4C:3904D0                              | CMP QWORD PTR DS:[RAX+RDX*8],R8                                   |
RDX*8 indicates QWORD offsetting.

As long as the two pointers match, the next block executes; else, JNE hops to exit.

So, we're here:

Code: Select all

00007FF77217C3C7 | 48:8BCB                                | MOV RCX,RBX                                                       |
00007FF77217C3CA | E8 D1F44D00                            | CALL glimpsegame.7FF77265B8A0                                     |
RBX moved into RCX; RCX becomes:

Code: Select all

[185737] ArthurCharacter_C GlimpsePrologue_Arthur.GlimpsePrologue_Arthur.PersistentLevel.ArthurCharacter_C_1  0x00000222508CC000
Updated the parkour:

Image

Let's see if any other registers are used inside the next CALL, aside from RCX:

Image

Doesn't look like. RCX is the one we need; RDX is filled from that static. And R8 is NULL-ed past the first CALL inside this function. Now let's see what's written to RDX ;) This represented the reason I started writing this.

Image
OK. So RDX is 0x1619. Keep this in mind for now. You'll soon learn what's the use of it and where can we find it ;)

Continuing with the execution, I peeked inside the next CALL and saw this:

Image

Interesting; could it be that.. what the CALL does is to actually retrieve an UFunction? Let's F8 over it and check the result (the result of a function, if returning anything, is stored in RAX) -> so my RAX is . Looking it up in the .txt file I see that it is:

Code: Select all

[016707] Function Engine.Character.ClientCheatFly                                                             0x0000022211737440
Ta-naaa :) Now.. remember that 0x1619? Let's take a look at this UFunction in memory:

Image

Image

So offset 0x18 contains the look-up ID we want ;)

Continuing with the code, we're here:

Code: Select all

00007FF77265B8BC | 48:8BD0                                | MOV RDX,RAX                                     |
00007FF77265B8BF | 45:33C0                                | XOR R8D,R8D                                     |
00007FF77265B8C2 | 48:8BCF                                | MOV RCX,RDI                                     |
00007FF77265B8C5 | 48:8B83 A8010000                       | MOV RAX,QWORD PTR DS:[RBX+1A8]                  |
00007FF77265B8CC | 48:8B5C24 30                           | MOV RBX,QWORD PTR SS:[RSP+30]                   |
00007FF77265B8D1 | 48:83C4 20                             | ADD RSP,20                                      |
00007FF77265B8D5 | 5F                                     | POP RDI                                         |
00007FF77265B8D6 | 48:FFE0                                | JMP RAX                                         |
RAX is moved to RDX, so this becomes the 2nd (or first parameter if RCX == __this) of the next function to be executed; R8 is NULLed (this is the 3rd parameter); RCX is updated with RDI, so it becomes ArthurCharacter_C. Then RAX is updated with the function address JMP RAX will hop to, RBX restored and function epilogue run to restore stack. Then..

Image

JMP RAX takes us here:

Image

I'll stop the explanations here. Why? Because this function will execute the UFunction :P

So, in pseudo-code, we have this: ExecUFunction( ArthurCharacter_C, Function Engine.Character.ClientCheatFly, 0 ). Where:
  • ExecUFunction == 00007FF7720709E0
  • ArthurCharacter_C == 00000222508CC000
  • Function Engine.Character.ClientCheatFly == 0000022211737440
In my case.

Conclusions:

- to find the pointer to the base Class, look at the first part of your UFunction -> Function Engine.Character.bla; remember the function referencing "Character"? (4th screenshot in this post)
- to find the function ID, get the address from our .txt file, browse it in memory and fetch it from 0x18 offset
- you'll have to manually track down the FindUFunction address; the ExecUFunction can be obtained as member-function in the UObject (0x1A8 is the offset)
- lastly, you need to make this simple logical correspondence to determine which UObject the function is applied to -> function is called "Engine.Character.ClientCheatFly"; OK.. so.. Character.. who is the Character? Well, can it be.. ArthurCharacter_C?

Apply the same logic to other functions you want to run. Note that some may have parameters; in which case, R8 will not have to be NULL (if one parameter the function is called with). If multiple parameters, you need to use the stack.

I'll post later a thread handler that allows you to run SetFuryGodMode UFunction in Darksiders 3 as proof of concept :)

BR,
Sun

User avatar
SunBeam
Administration
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4284

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by SunBeam »

Just o have it as reference, here's parkour for the walk command (disabling fly):

-- wrapper --

Image

-- actual function --

Image

Reason I'm posting this is it's easier to interpret without that shitload of console writing code :P You can see above that the engine just checks if the Character is valid, then proceeds with acquiring the Character Class, finding walk function by ID (0x161B) and executing it. Haven't figured out the purpose of "CALL QWORD PTR DS:[RAX+0x640]", but from analyzing it.. it doesn't execute anything trivial. Am guessing its purpose is to initialize something if not already done.

Jevnaker
Cheater
Cheater
Posts: 29
Joined: Wed Mar 08, 2017 10:59 am
Reputation: 2

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by Jevnaker »

i wish i could summon rescuable humans. i have felt so bad because there was one i saw but couldn't find the entrance to get to the room they were in and i had to leave them there and now i can't remember where it was so i can't try again now i have all the special abilities.

User avatar
SunBeam
Administration
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4284

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by SunBeam »

^ Why didn't you use toggledebugcamera/teleport? :) I don't think the summoned humans will count even if you get to materialize them.

User avatar
SunBeam
Administration
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4284

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by SunBeam »

Alright.. figured out why fly doesn't work:

Image

( left: Darksiders 3; right: We Happy Few )

Thanks, dear developers T_T. Time to rebuild the code.

L.E.: Same goes for walk.

vrork
Noobzor
Noobzor
Posts: 14
Joined: Sun Apr 01, 2018 8:21 pm
Reputation: 0

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by vrork »

Hey, i think this is not the best place to ask, buuuut, worth a shot. Anybody has a save just after beating Lust?
This cheat table (viewtopic.php?f=4&t=8319) broke my game and i really dont want to replay everything...
(and yes, i know, i was dumb and didnt made a backup, but i never had a table do that kind of damage on any game)

zachillios
Table Makers
Table Makers
Posts: 866
Joined: Fri Mar 03, 2017 9:05 am
Reputation: 692

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by zachillios »

vrork wrote:
Sun Dec 02, 2018 12:34 am
Hey, i think this is not the best place to ask, buuuut, worth a shot. Anybody has a save just after beating Lust?
This cheat table (viewtopic.php?f=4&t=8319) broke my game and i really dont want to replay everything...
(and yes, i know, i was dumb and didnt made a backup, but i never had a table do that kind of damage on any game)
How exactly is your game broken?

vrork
Noobzor
Noobzor
Posts: 14
Joined: Sun Apr 01, 2018 8:21 pm
Reputation: 0

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by vrork »

zachillios wrote:
Sun Dec 02, 2018 2:07 am
vrork wrote:
Sun Dec 02, 2018 12:34 am
Hey, i think this is not the best place to ask, buuuut, worth a shot. Anybody has a save just after beating Lust?
This cheat table (viewtopic.php?f=4&t=8319) broke my game and i really dont want to replay everything...
(and yes, i know, i was dumb and didnt made a backup, but i never had a table do that kind of damage on any game)
How exactly is your game broken?
The trade doesnt work (cant sell anything) and i cant gain or lose "souls". Its like the table has worked to enable but not to disable.

zachillios
Table Makers
Table Makers
Posts: 866
Joined: Fri Mar 03, 2017 9:05 am
Reputation: 692

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by zachillios »

vrork wrote:
Sun Dec 02, 2018 2:12 am
zachillios wrote:
Sun Dec 02, 2018 2:07 am
vrork wrote:
Sun Dec 02, 2018 12:34 am
Hey, i think this is not the best place to ask, buuuut, worth a shot. Anybody has a save just after beating Lust?
This cheat table (viewtopic.php?f=4&t=8319) broke my game and i really dont want to replay everything...
(and yes, i know, i was dumb and didnt made a backup, but i never had a table do that kind of damage on any game)
How exactly is your game broken?
The trade doesnt work (cant sell anything) and i cant gain or lose "souls". Its like the table has worked to enable but not to disable.
Gotcha, I'm not sure if this works, but here's my save. I believe it's right before fighting Lust (literally right outside her room), I'm max level, and have made use of Sunbeam's dev console.

\AppData\Local\Darksiders3\Saved\SaveGames
Attachments
save_1.zip
(57.65 KiB) Downloaded 36 times

vrork
Noobzor
Noobzor
Posts: 14
Joined: Sun Apr 01, 2018 8:21 pm
Reputation: 0

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by vrork »

I will test later. Is it possible to unlevell? (I was around 40 (i think 37) when i got there

VoidRunner
Noobzor
Noobzor
Posts: 13
Joined: Thu Sep 20, 2018 6:43 pm
Reputation: 0

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by VoidRunner »

SunBeam wrote:
Sat Dec 01, 2018 7:43 pm
That speed-up script should make it worth your while. Even with 100 damage, you deal like 500-700 in a cycle. Per second. So stop whining :) If there's one thing I hate about people is trying to look legit hacking other features of the game, like stats or weapons/armor. But they wouldn't use 1 hit kill or damage enhancers, cuz it's not right for their play style. However, hacked stats are OK in their books :P...
first of all... I wasnt whining... It was sarcasm more than anything.

Second of all i dont try to look Legit... I will openly admit to anyone that i use Hacked Stats. But where i personally draw the line (In most cases) is if it is obtainable in game without cheats... I use cheats as a kind of way to skip the Grinding. (I hate Grinding)

So no i wont use a Speed up script or 1 hit kill. That being said, Sometimes i feel like going balls to the wall and use 1 hit kill or a Speed hack.

demorest
Expert Cheater
Expert Cheater
Posts: 122
Joined: Tue Mar 28, 2017 5:09 pm
Reputation: 2

Re: Darksiders 3 - Unreal Engine 4 Console, Dumper and more..

Post by demorest »

Any help to activate cheat 1 on gog ver darksidrs.exe? There r seem to be a bit different (cant find offset)

Post Reply

Who is online

Users browsing this forum: adinth, asheninhere, Bing [Bot], Daz, de1ta0ne, DotBot, Google Adsense [Bot], Jetstream17, JupixTU, killerkrok555, loci22, mitose, neochinoko