RESIDENT EVIL 2 +19 +1 (table Update14.3)

kennean
Cheater
Posts: 27
Joined: Sun Sep 30, 2018 2:10 pm
Reputation: 4

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by kennean » Sun May 19, 2019 6:47 pm

Cielos wrote:
Sat May 18, 2019 4:56 pm
kennean wrote:
Tue May 14, 2019 7:24 pm
pk5547 wrote:
Tue May 14, 2019 10:21 am
Is there any chance of getting updated character model mod script for denuvoless exe?
Really want that feature....
Well, I've managed to update the hud mod, but no luck on the character model yet...

@Cielos
Can you post the opcodes for the character model script, please? It's the only one that I couldn't update...
sorry for a very very late reply....

as there are tons of injection points for the character model script, which aobscan(s) of the script is/are defective?
also, if memory serves (not reading the script now), at least one of the aobscans is using a lua script to fetch the 2nd or 3rd result, meaning the result may not be accurate. you may need to retrace the correct injection point from scratch again.

let me know if you're still on it. tell me which aobscan(s) need to be updated, and we can start there. I'm taking a short holiday next week, so I should have time to re-install the game to fetch the opcodes for you.
if it proves to be more complicated than expected (e.g. need to re-trace the game code to re-locate the injection point), we can move to PM or discord.
Thanks! The problem, I think, lies exactly inside the lua script, because the others have the opcodes for me to compare... I've updated the lua scan with no problems:

Code:

luaCall(lua_aobscan("charIDReadForLoadoutOnLoadAOB","re2.exe"

updated - "48 ** ** ** 48 ** ** ** 48 ** ** 48 ** ** ** 00 74 08 33 C0 48 ** ** ** 5F C3 48 ** ** ** ** 45 ** ** 8B ** 54 48"
original - 48 ** ** ** 48 ** ** ** 48 ** ** 48 ** ** ** 00 74 08 31 C0 48 ** ** ** 5F C3 48 ** ** ** ** 45 ** ** 8B ** ** 48
The only change in the code is 33 C0 instead of 31 C0, which is a consistent change in other AOB scans, including on other scripts that are working. An update on the assembly of the XOR command, because the opcode remains the same.

But I can't quite understand the next 2 AOB scans, as there's no simple opcodes for me to analyze... They're mov commands, but they pull data from certain addresses, which obviously I can't replicate:

Code:

aobscanmodule(notCharLoadoutCallerAOB,re2.exe

updated - EB 08 48 ** ** ** 48 ** ** ** 48 ** ** ** 4C ** ** ** ** 48 ** ** ** 00 0F 85)
original - EB 08 48 ** ** E8 ** ** ** ** 48 ** ** ** 48 ** ** ** ** 48 ** ** ** 00 0F 85

Code:

aobscanmodule(charIDChkForWorldObjectLoadoutCallerAOB

updated - "8B ** ** E8 ** ** ** ** 48 ** ** ** 4C ** ** ** 0F 85 ** ** ** ** 3D E8 03 00 00 7E"
original - 4C ** ** E8 ** ** ** ** 48 ** ** ** 48 ** ** ** 0F 85 ** ** ** ** 3D E8 03 00 00 7E
Alas, with these "updated" scans the game crashes as soon as it starts loading or starting a new game... They aren't pulling the right addresses, hence the crash...
Thanks in advance for your help!!!
gir489 wrote:
Sun May 19, 2019 5:11 am
Easier unlock everything:

Code:

{ Game : re2.exe
 Version: 1.0
 Date : 2019-05-19
 Author : gir489

 Unlock Everything
}

[ENABLE]
aobscanmodule(UnlockEverything,re2.exe,74 1C 41 89 F8 48 89 EA) // should be unique
aobscanmodule(GhostSurvivor,re2.exe, 40 0F 95 D7 40 84 FF 0F 95 D0 48 8B 6C 24 30) // should be unique
registersymbol(UnlockEverything)
registersymbol(GhostSurvivor)

UnlockEverything:
db 90 90

GhostSurvivor:
sete dil

[DISABLE]
unregistersymbol(UnlockEverything)
unregistersymbol(GhostSurvivor)

UnlockEverything:
db 74 1C

GhostSurvivor:
db 40 0F 95 D7

{
// ORIGINAL CODE - INJECTION POINT: "re2.exe"+CAC692B

"re2.exe"+CAC6908: 75 3F - jne re2.exe+CAC6949
"re2.exe"+CAC690A: 41 89 F8 - mov r8d,edi
"re2.exe"+CAC690D: 48 89 EA - mov rdx,rbp
"re2.exe"+CAC6910: 48 89 D9 - mov rcx,rbx
"re2.exe"+CAC6913: E8 78 65 8D F4 - call re2.exe+139CE90
"re2.exe"+CAC6918: 0F B6 C8 - movzx ecx,al
"re2.exe"+CAC691B: 48 8B 43 50 - mov rax,[rbx+50]
"re2.exe"+CAC691F: 4C 39 78 18 - cmp [rax+18],r15
"re2.exe"+CAC6923: 0F 85 63 02 00 00 - jne re2.exe+CAC6B8C
"re2.exe"+CAC6929: 85 C9 - test ecx,ecx
// ---------- INJECTING HERE ----------
"re2.exe"+CAC692B: 74 1C - je re2.exe+CAC6949
"re2.exe"+CAC692D: 41 89 F8 - mov r8d,edi
// ---------- DONE INJECTING ----------
"re2.exe"+CAC6930: 48 89 EA - mov rdx,rbp
"re2.exe"+CAC6933: 48 89 D9 - mov rcx,rbx
"re2.exe"+CAC6936: E8 E5 01 8E F4 - call re2.exe+13A6B20
"re2.exe"+CAC693B: 48 8B 43 50 - mov rax,[rbx+50]
"re2.exe"+CAC693F: 4C 39 78 18 - cmp [rax+18],r15
"re2.exe"+CAC6943: 0F 85 43 02 00 00 - jne re2.exe+CAC6B8C
"re2.exe"+CAC6949: FF C7 - inc edi
"re2.exe"+CAC694B: 48 FF C6 - inc rsi
"re2.exe"+CAC694E: 4C 39 E6 - cmp rsi,r12
"re2.exe"+CAC6951: 7C 8D - jl re2.exe+CAC68E0
}

{
// ORIGINAL CODE - INJECTION POINT: "re2.exe"+BE066AA

"re2.exe"+BE06689: EB 04 - jmp re2.exe+BE0668F
"re2.exe"+BE0668B: 44 8B 40 18 - mov r8d,[rax+18]
"re2.exe"+BE0668F: 48 89 F2 - mov rdx,rsi
"re2.exe"+BE06692: 48 89 D9 - mov rcx,rbx
"re2.exe"+BE06695: E8 86 9E 02 F5 - call re2.exe+E30520
"re2.exe"+BE0669A: 0F B6 C8 - movzx ecx,al
"re2.exe"+BE0669D: 48 8B 43 50 - mov rax,[rbx+50]
"re2.exe"+BE066A1: 48 83 78 18 00 - cmp qword ptr [rax+18],00
"re2.exe"+BE066A6: 75 B1 - jne re2.exe+BE06659
"re2.exe"+BE066A8: 85 C9 - test ecx,ecx
// ---------- INJECTING HERE ----------
"re2.exe"+BE066AA: 40 0F 95 D7 - setne dil
"re2.exe"+BE066AE: 40 84 FF - test dil,dil
// ---------- DONE INJECTING ----------
"re2.exe"+BE066B1: 0F 95 D0 - setne al
"re2.exe"+BE066B4: 48 8B 6C 24 30 - mov rbp,[rsp+30]
"re2.exe"+BE066B9: 48 8B 5C 24 38 - mov rbx,[rsp+38]
"re2.exe"+BE066BE: 48 8B 74 24 40 - mov rsi,[rsp+40]
"re2.exe"+BE066C3: 48 8B 7C 24 48 - mov rdi,[rsp+48]
"re2.exe"+BE066C8: 48 83 C4 20 - add rsp,20
"re2.exe"+BE066CC: 41 5E - pop r14
"re2.exe"+BE066CE: C3 - ret
"re2.exe"+BE066CF: CC - int 3
"re2.exe"+BE066D0: 4C 8D 1C 24 - lea r11,[rsp]
}
Thanks!!! I've already updated to the denuvo free .exe. I'll try to release a new table when everything is working, including the character model script!
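
The 31 C0 / 33 C0 difference kennean describes above is two valid encodings of the same xor eax,eax instruction (opcode 31 is XOR r/m32,r32; opcode 33 is XOR r32,r/m32), so a signature that pins one encoding stops matching when a rebuilt binary emits the other, while a signature that wildcards the byte keeps matching but gets wider, which is how a scan ends up hitting more than once. The Python below is an added example, not code from the thread or from any of the tables posted in it: a Cheat Engine style AOB matcher with ** wildcards plus a uniqueness check, run over two constructed byte buffers (labelled in the code, not dumps of re2.exe) that differ only in that encoding. The buffer contents, the two signatures and all function names are this example's own.

```python
"""Wildcard byte-signature (AOB) matching with a uniqueness check.

Added example; not code from the thread or from any table posted in it.
The two buffers below are constructed for the demonstration (a few
instructions in the encodings the thread discusses), not dumps of re2.exe.
"""
import re
from typing import List, Optional

# Constructed sample input: the same instruction sequence twice, once with
# `xor eax,eax` encoded as 31 C0 and once as 33 C0.
_PAD = bytes.fromhex("90909090")  # four NOPs so the hit is not at offset 0
OLD_BUILD = _PAD + bytes.fromhex("4883781800" "7408" "31C0" "4883C420" "5F" "C3" "CC")
NEW_BUILD = _PAD + bytes.fromhex("4883781800" "7408" "33C0" "4883C420" "5F" "C3" "CC")

# A strict signature pins the xor encoding; the tolerant one wildcards it.
STRICT = "48 83 78 18 00 74 08 31 C0 48 ** ** ** 5F C3"
TOLERANT = "48 83 78 18 00 74 08 ** C0 48 ** ** ** 5F C3"


def parse_aob(pattern: str) -> List[Optional[int]]:
    """Turn a CE style AOB string into byte values; None marks a wildcard
    byte written as '**', '??' or '?'."""
    out: List[Optional[int]] = []
    for tok in pattern.split():
        if tok in ("**", "??", "?"):
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad AOB token: {tok!r}")
    return out


def find_all(buf: bytes, pattern: str) -> List[int]:
    """Every offset in buf at which the pattern matches."""
    sig = parse_aob(pattern)
    n = len(sig)
    return [
        i
        for i in range(len(buf) - n + 1)
        if all(b is None or buf[i + k] == b for k, b in enumerate(sig))
    ]


def is_unique(buf: bytes, pattern: str) -> bool:
    """True when the signature hits exactly once."""
    return len(find_all(buf, pattern)) == 1


def find_unique(buf: bytes, pattern: str) -> int:
    """The single offset a signature is meant to identify. Raising on zero
    or several hits is the point: a scan that silently takes the first (or
    second) of several results is exactly the failure the thread describes."""
    hits = find_all(buf, pattern)
    if len(hits) != 1:
        raise LookupError(f"pattern matched {len(hits)} times at {hits}")
    return hits[0]


def demo() -> dict:
    """Run both signatures against both buffers; returns the offsets found."""
    return {
        "strict/old": find_all(OLD_BUILD, STRICT),
        "strict/new": find_all(NEW_BUILD, STRICT),
        "tolerant/old": find_all(OLD_BUILD, TOLERANT),
        "tolerant/new": find_all(NEW_BUILD, TOLERANT),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:13s} -> {hits}")
    # Wildcards widen a signature, so always confirm it still hits once.
    try:
        find_unique(OLD_BUILD + NEW_BUILD, TOLERANT)
    except LookupError as exc:
        print("not unique:", exc)
```

The strict signature finds the old encoding only; the tolerant one finds both, and on the concatenated buffer it hits twice, which `find_unique` refuses rather than guessing.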

masterkivat
What is cheating?
Posts: 1
Joined: Wed Apr 12, 2017 6:53 pm
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by masterkivat » Mon May 20, 2019 11:16 am

Hi. I've been using the table you guys are providing and it's great!
I wanna know if it's possible to add an option that could freeze the Item Box counter to always zero.
Thanks in advance!

Mee
Noobzor
Posts: 6
Joined: Fri May 10, 2019 2:45 am
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by Mee » Mon May 27, 2019 7:25 pm

kennean wrote:
Tue May 14, 2019 7:24 pm
Well, I've managed to update the hud mod, but no luck on the character model yet...
Hello, would it be possible to just get the voice script working separately until character script gets fixed? I hope this isn't too much to ask, I thought maybe the voice script might not be as tricky.

castle
Noobzor
Posts: 10
Joined: Fri May 03, 2019 8:58 am
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by castle » Tue May 28, 2019 10:38 pm

item pouch still not functioning

shinelucid
What is cheating?
Posts: 2
Joined: Thu May 30, 2019 5:27 pm
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by shinelucid » Thu May 30, 2019 6:28 pm

anybody out here using the updated codex version with the ghost survivors dlc? No table on this website works on the executable they made this time. Do we have to make a different table for this version, or what? Literally all kinds of mods have stopped working after the weird patch they made: fluffymanager trainer is not hooking anymore, the main table out here won't enable, and the re2 framework is not working anymore. RIP fps mode...

Exeter
Table Makers
Posts: 297
Joined: Fri Mar 03, 2017 9:16 am
Reputation: 110

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by Exeter » Fri May 31, 2019 12:26 am

shinelucid wrote:
Thu May 30, 2019 6:28 pm
anybody out here using the updated codex version with the ghost survivors dlc? No table on this website works on the executable they made this time. Do we have to make a different table for this version, or what? Literally all kinds of mods have stopped working after the weird patch they made: fluffymanager trainer is not hooking anymore, the main table out here won't enable, and the re2 framework is not working anymore. RIP fps mode...
The tables posted here are for the Steam version, which is why it's not working for you.

kennean
Cheater
Posts: 27
Joined: Sun Sep 30, 2018 2:10 pm
Reputation: 4

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by kennean » Fri May 31, 2019 2:51 am

shinelucid wrote:
Thu May 30, 2019 6:28 pm
anybody out here using the updated codex version with the ghost survivors dlc? No table on this website works on the executable they made this time. Do we have to make a different table for this version, or what? Literally all kinds of mods have stopped working after the weird patch they made: fluffymanager trainer is not hooking anymore, the main table out here won't enable, and the re2 framework is not working anymore. RIP fps mode...
Exeter is partially right... I've been updating the table for those that have another "version" of the game... If you're using the denuvo free .exe, which I suppose you are, then you can use this attached table... The opcodes are updated so they work specifically for this version.
castle wrote:
Tue May 28, 2019 10:38 pm
item pouch still not functioning
I've just booted the game, and loaded a save with almost no pouch spaces and tested the script... It worked like a charm, 20 spaces on the go... Don't know why it's not working on your end... Try this new table and tell me the results.
Mee wrote:
Mon May 27, 2019 7:25 pm
kennean wrote:
Tue May 14, 2019 7:24 pm
Well, I've managed to update the hud mod, but no luck on the character model yet...
Hello, would it be possible to just get the voice script working separately until character script gets fixed? I hope this isn't too much to ask, I thought maybe the voice script might not be as tricky.
If I knew which codes affect the voices I would do, but on the descriptions of the AOB scans there isn't one just for the voices... Perhaps Cielos could help you with this...

Changelog: This table includes the last Unlock Everything by gir489 (all credits to him), and the hud mod is now fully functional (at least on my end, and I've tried all options to be sure).
Still no luck on the character model.

This table is only for those who have the denuvo free .exe!!!
Attachments
re2.CT
(284.1 KiB) Downloaded 218 times

shinelucid
What is cheating?
Posts: 2
Joined: Thu May 30, 2019 5:27 pm
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by shinelucid » Sat Jun 01, 2019 3:20 am

kennean wrote:
Fri May 31, 2019 2:51 am
shinelucid wrote:
Thu May 30, 2019 6:28 pm
anybody out here using the updated codex version with the ghost survivors dlc? No table on this website works on the executable they made this time. Do we have to make a different table for this version, or what? Literally all kinds of mods have stopped working after the weird patch they made: fluffymanager trainer is not hooking anymore, the main table out here won't enable, and the re2 framework is not working anymore. RIP fps mode...
Exeter is partially right... I've been updating the table for those that have another "version" of the game... If you're using the denuvo free .exe, which I suppose you are, then you can use this attached table... The opcodes are updated so they work specifically for this version.
castle wrote:
Tue May 28, 2019 10:38 pm
item pouch still not functioning
I've just booted the game, and loaded a save with almost no pouch spaces and tested the script... It worked like a charm, 20 spaces on the go... Don't know why it's not working on your end... Try this new table and tell me the results.
Mee wrote:
Mon May 27, 2019 7:25 pm
kennean wrote:
Tue May 14, 2019 7:24 pm
Well, I've managed to update the hud mod, but no luck on the character model yet...
Hello, would it be possible to just get the voice script working separately until character script gets fixed? I hope this isn't too much to ask, I thought maybe the voice script might not be as tricky.
If I knew which codes affect the voices I would do, but on the descriptions of the AOB scans there isn't one just for the voices... Perhaps Cielos could help you with this...

Changelog: This table includes the last Unlock Everything by gir489 (all credits to him), and the hud mod is now fully functional (at least on my end, and I've tried all options to be sure).
Still no luck on the character model.

This table is only for those who have the denuvo free .exe!!!
thank you very much! I didn't notice there was a Denuvo free version, this instantly solves a lot of issues, although I don't think there is a Denuvo free script for the RE 2 mod framework, is there?

kennean
Cheater
Posts: 27
Joined: Sun Sep 30, 2018 2:10 pm
Reputation: 4

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by kennean » Sat Jun 01, 2019 7:41 am

shinelucid wrote:
Sat Jun 01, 2019 3:20 am
kennean wrote:
Fri May 31, 2019 2:51 am
shinelucid wrote:
Thu May 30, 2019 6:28 pm
anybody out here using the updated codex version with the ghost survivors dlc? No table on this website works on the executable they made this time. Do we have to make a different table for this version, or what? Literally all kinds of mods have stopped working after the weird patch they made: fluffymanager trainer is not hooking anymore, the main table out here won't enable, and the re2 framework is not working anymore. RIP fps mode...
Exeter is partially right... I've been updating the table for those that have another "version" of the game... If you're using the denuvo free .exe, which I suppose you are, then you can use this attached table... The opcodes are updated so they work specifically for this version.
castle wrote:
Tue May 28, 2019 10:38 pm
item pouch still not functioning
I've just booted the game, and loaded a save with almost no pouch spaces and tested the script... It worked like a charm, 20 spaces on the go... Don't know why it's not working on your end... Try this new table and tell me the results.
Mee wrote:
Mon May 27, 2019 7:25 pm
Hello, would it be possible to just get the voice script working separately until character script gets fixed? I hope this isn't too much to ask, I thought maybe the voice script might not be as tricky.
If I knew which codes affect the voices I would do, but on the descriptions of the AOB scans there isn't one just for the voices... Perhaps Cielos could help you with this...

Changelog: This table includes the last Unlock Everything by gir489 (all credits to him), and the hud mod is now fully functional (at least on my end, and I've tried all options to be sure).
Still no luck on the character model.

This table is only for those who have the denuvo free .exe!!!
thank you very much! I didn't notice there was a Denuvo free version, this instantly solves a lot of issues, although I don't think there is a Denuvo free script for the RE 2 mod framework, is there?
If by mod framework, you mean the First-person Camera, you'll have to contact the author, as I have absolutely no idea how it works (only that it needs a .dll). I've never used this mod so I can't help you with it...
About FluffyQuack's Mod Manager, I remember reading some time ago that it still works (I'm using it right now, but I've used it on a freshly installed and updated version), but if you just changed the .exe with mods installed you need to follow these steps:
Open the Manager, then select Manage Mods;
Next, "Uninstall all mods";
Then Re-read Game Archives;
Finally, install all the mods you like.
Like I said, I read that some time ago, and I'm not sure if it'll work...

Mee
Noobzor
Posts: 6
Joined: Fri May 10, 2019 2:45 am
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by Mee » Sat Jun 01, 2019 4:33 pm

kennean wrote:
Fri May 31, 2019 2:51 am
If I knew which codes affect the voices I would do, but on the descriptions of the AOB scans there isn't one just for the voices... Perhaps Cielos could help you with this...
The voice script is named "voice (no aob)" that's why I thought it might be simpler to extract and update separately.

kennean
Cheater
Posts: 27
Joined: Sun Sep 30, 2018 2:10 pm
Reputation: 4

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by kennean » Sat Jun 01, 2019 8:41 pm

Mee wrote:
Sat Jun 01, 2019 4:33 pm
kennean wrote:
Fri May 31, 2019 2:51 am
If I knew which codes affect the voices I would do, but on the descriptions of the AOB scans there isn't one just for the voices... Perhaps Cielos could help you with this...
The voice script is named "voice (no aob)" that's why I thought it might be simpler to extract and update separately.
Oh! Missed that one... I was looking only at the enable script of the character model, and not inside the options of the script...

I've snipped the part of the entire script that was responsible for it to not enable, so I've managed to get a "working" character model script, but with no custom loadout (the culprit!!!). Even so, it worked only with Claire (with Leon it CTD with whatever options I selected), and even updating the voice script it wouldn't work no matter what voices I've chosen (only silence and/or CTD loading a save)...

So, perhaps some AOBs that I've updated are still wrong and messing with some of the scripts, and I won't post something that isn't working perfectly...

It's best to wait for help from those that made this script!

Mee
Noobzor
Posts: 6
Joined: Fri May 10, 2019 2:45 am
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by Mee » Sun Jun 02, 2019 12:59 am

kennean wrote:
Sat Jun 01, 2019 8:41 pm
Mee wrote:
Sat Jun 01, 2019 4:33 pm
kennean wrote:
Fri May 31, 2019 2:51 am
If I knew which codes affect the voices I would do, but on the descriptions of the AOB scans there isn't one just for the voices... Perhaps Cielos could help you with this...
The voice script is named "voice (no aob)" that's why I thought it might be simpler to extract and update separately.
Oh! Missed that one... I was looking only at the enable script of the character model, and not inside the options of the script...

I've snipped the part of the entire script that was responsible for it to not enable, so I've managed to get a "working" character model script, but with no custom loadout (the culprit!!!). Even so, it worked only with Claire (with Leon it CTD with whatever options I selected), and even updating the voice script it wouldn't work no matter what voices I've chosen (only silence and/or CTD loading a save)...

So, perhaps some AOBs that I've updated are still wrong and messing with some of the scripts, and I won't post something that isn't working perfectly...

It's best to wait for help from those that made this script!
Thank you very much for giving it a try, you're very helpful.

cheataddict5150
Novice Cheater
Posts: 22
Joined: Mon Jun 10, 2019 2:57 am
Reputation: 0

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by cheataddict5150 » Fri Jun 14, 2019 5:14 pm

game player time mod
- when activated, game play time would stop at the time you specified.
- the display time in-game may appear within 4 seconds less than what you set via the script.
- by script default, time would stop at 1:58:43, i.e., when the game time reaches 1:58:43, the time would start cycling between 1:58:39 - 1:58:43.
- for easy time setting, remember you have to allow CE to run the LUA when you open the table.
How can I set a time? Please tell me.

Cielos
RCE Fanatics
Posts: 762
Joined: Fri Mar 03, 2017 4:35 am
Reputation: 1103

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by Cielos » Fri Jun 14, 2019 5:53 pm

kennean wrote:
Sun May 19, 2019 6:47 pm
[...]
sorry again for another very very late reply..... it's been almost a month..

first off, about charIDReadForLoadoutOnLoadAOB.
although it may seem you have updated the aobs for the aobscan, as you can see from the script, I've used the lua script to locate the SECOND aobscan result. that means the aob I used isn't that accurate in the first place. you may need to double check if it actually located the correct place for the injection.
one way to check is to first update the 2 caller aobscans related to it.
so, below are the opcodes around the 2 caller aobs...

notCharLoadoutCallerAOB:

Code:

re2.exe+11FC3785 - 48 85 FF              - test rdi,rdi
re2.exe+11FC3788 - 75 3D                 - jne re2.exe+11FC37C7
re2.exe+11FC378A - 45 31 C0              - xor r8d,r8d
re2.exe+11FC378D - 8D 57 38              - lea edx,[rdi+38]
re2.exe+11FC3790 - 48 89 D9              - mov rcx,rbx
re2.exe+11FC3793 - E8 58C0E1EF           - call re2.exe+1DDF7F0
re2.exe+11FC3798 - 31 FF                 - xor edi,edi
re2.exe+11FC379A - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+11FC379E - 48 83 78 18 00        - cmp qword ptr [rax+18],00 { 0 }
re2.exe+11FC37A3 - 75 53                 - jne re2.exe+11FC37F8
re2.exe+11FC37A5 - 45 31 C0              - xor r8d,r8d
re2.exe+11FC37A8 - 48 89 FA              - mov rdx,rdi
re2.exe+11FC37AB - 48 89 D9              - mov rcx,rbx
re2.exe+11FC37AE - E8 8D473DEF           - call re2.exe+1397F40
re2.exe+11FC37B3 - 0FB6 D0               - movzx edx,al
re2.exe+11FC37B6 - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+11FC37BA - 48 8B 48 18           - mov rcx,[rax+18]
re2.exe+11FC37BE - 48 85 C9              - test rcx,rcx
re2.exe+11FC37C1 - 74 0A                 - je re2.exe+11FC37CD
re2.exe+11FC37C3 - 30 C0                 - xor al,al
re2.exe+11FC37C5 - EB 0B                 - jmp re2.exe+11FC37D2
re2.exe+11FC37C7 - 48 8B 7F 50           - mov rdi,[rdi+50]
re2.exe+11FC37CB - EB CD                 - jmp re2.exe+11FC379A
re2.exe+11FC37CD - 85 D2                 - test edx,edx
re2.exe+11FC37CF - 0F95 D0               - setne al
re2.exe+11FC37D2 - 48 85 C9              - test rcx,rcx
re2.exe+11FC37D5 - 75 21                 - jne re2.exe+11FC37F8
re2.exe+11FC37D7 - 84 C0                 - test al,al
re2.exe+11FC37D9 - 74 1D                 - je re2.exe+11FC37F8
re2.exe+11FC37DB - 48 89 D9              - mov rcx,rbx
re2.exe+11FC37DE - 48 85 FF              - test rdi,rdi
re2.exe+11FC37E1 - 75 0D                 - jne re2.exe+11FC37F0
re2.exe+11FC37E3 - 45 31 C0              - xor r8d,r8d
re2.exe+11FC37E6 - 8D 57 38              - lea edx,[rdi+38]
re2.exe+11FC37E9 - E8 02C0E1EF           - call re2.exe+1DDF7F0
notCharLoadoutCallerAOB- EB 08                 - jmp re2.exe+11FC37F8
re2.exe+11FC37F0 - 48 89 FA              - mov rdx,rdi
re2.exe+11FC37F3 - E8 88B349EE           - call re2.exe+45EB80        //caller
re2.exe+11FC37F8 - 48 8B 43 50           - mov rax,[rbx+50]           //ret check
re2.exe+11FC37FC - 48 8B 7C 24 30        - mov rdi,[rsp+30]
re2.exe+11FC3801 - 48 83 78 18 00        - cmp qword ptr [rax+18],00 { 0 }
re2.exe+11FC3806 - 0F85 48FFFFFF         - jne re2.exe+11FC3754
re2.exe+11FC380C - 48 89 D9              - mov rcx,rbx
re2.exe+11FC380F - 41 B8 2F000000        - mov r8d,0000002F { 47 }
re2.exe+11FC3815 - 48 89 F2              - mov rdx,rsi
re2.exe+11FC3818 - E8 D38AD8EF           - call re2.exe+1D4C2F0
re2.exe+11FC381D - 48 8B 4B 50           - mov rcx,[rbx+50]
re2.exe+11FC3821 - 0F57 C0               - xorps xmm0,xmm0
re2.exe+11FC3824 - 48 83 79 18 00        - cmp qword ptr [rcx+18],00 { 0 }
re2.exe+11FC3829 - 75 2A                 - jne re2.exe+11FC3855
re2.exe+11FC382B - 89 C0                 - mov eax,eax
re2.exe+11FC382D - F2 48 0F2A C0         - cvtsi2sd xmm0,rax
re2.exe+11FC3832 - 66 0F5A C8            - cvtpd2ps xmm1,xmm0
re2.exe+11FC3836 - 0F5A D1               - vcvtps2pd xmm2,xmm1
re2.exe+11FC3839 - F2 0F5E 15 D794E5F1   - divsd xmm2,[re2.exe+3E1CD18] { (0) }
re2.exe+11FC3841 - F2 0F59 15 7F94E5F1   - mulsd xmm2,[re2.exe+3E1CCC8] { (-1610612736) }
re2.exe+11FC3849 - F2 0F58 15 BF8DE5F1   - addsd xmm2,qword ptr [re2.exe+3E1C610] { (1.00) }
re2.exe+11FC3851 - 66 0F5A C2            - cvtpd2ps xmm0,xmm2
re2.exe+11FC3855 - 48 8B 5C 24 38        - mov rbx,[rsp+38]
re2.exe+11FC385A - 48 83 C4 20           - add rsp,20 { 32 }
re2.exe+11FC385E - 5E                    - pop rsi
re2.exe+11FC385F - C3                    - ret 
re2.exe+11FC3860 - CC                    - int 3 
re2.exe+11FC3861 - 48 8B 0C 24           - mov rcx,[rsp]
re2.exe+11FC3865 - 48 89 34 24           - mov [rsp],rsi
re2.exe+11FC3869 - D1 C8                 - ror eax,1
re2.exe+11FC386B - 48 8D 64 24 F8        - lea rsp,[rsp-08]
re2.exe+11FC3870 - 48 89 0C 24           - mov [rsp],rcx
re2.exe+11FC3874 - B9 E34E0B1D           - mov ecx,1D0B4EE3 { (0) }
re2.exe+11FC3879 - E9 890FEEF6           - jmp re2.exe+8EA4807
re2.exe+11FC387E - 4D 29 C0              - sub r8,r8
re2.exe+11FC3881 - 41 50                 - push r8
re2.exe+11FC3883 - 49 81 E0 E05D5FD3     - and r8,D35F5DE0 { (0) }
re2.exe+11FC388A - 48 81 0C 24  E05D5FD3 - or qword ptr [rsp],D35F5DE0 { (0) }
re2.exe+11FC3892 - 49 89 C2              - mov r10,rax
charIDChkForWorldObjectLoadoutCallerAOB:

Code:

re2.exe+9F7E151 - 75 15                 - jne re2.exe+9F7E168
re2.exe+9F7E153 - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E156 - 8D 50 38              - lea edx,[rax+38]
re2.exe+9F7E159 - 48 8B 5C 24 48        - mov rbx,[rsp+48]
re2.exe+9F7E15E - 48 83 C4 20           - add rsp,20 { 32 }
re2.exe+9F7E162 - 5F                    - pop rdi
re2.exe+9F7E163 - E9 8816E6F7           - jmp re2.exe+1DDF7F0
re2.exe+9F7E168 - 4C 89 74 24 40        - mov [rsp+40],r14
re2.exe+9F7E16D - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E170 - 4C 8B 70 50           - mov r14,[rax+50]
re2.exe+9F7E174 - 4C 89 F2              - mov rdx,r14
re2.exe+9F7E177 - E8 C49D41F7           - call re2.exe+1397F40
re2.exe+9F7E17C - 0FB6 D0               - movzx edx,al
re2.exe+9F7E17F - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+9F7E183 - 48 8B 48 18           - mov rcx,[rax+18]
re2.exe+9F7E187 - 48 85 C9              - test rcx,rcx
re2.exe+9F7E18A - 74 04                 - je re2.exe+9F7E190
re2.exe+9F7E18C - 30 C0                 - xor al,al
re2.exe+9F7E18E - EB 05                 - jmp re2.exe+9F7E195
re2.exe+9F7E190 - 85 D2                 - test edx,edx
re2.exe+9F7E192 - 0F95 D0               - setne al
re2.exe+9F7E195 - 48 85 C9              - test rcx,rcx
re2.exe+9F7E198 - 0F85 1F010000         - jne re2.exe+9F7E2BD
re2.exe+9F7E19E - 48 89 6C 24 30        - mov [rsp+30],rbp
re2.exe+9F7E1A3 - 31 ED                 - xor ebp,ebp
re2.exe+9F7E1A5 - 48 89 74 24 38        - mov [rsp+38],rsi
re2.exe+9F7E1AA - 84 C0                 - test al,al
re2.exe+9F7E1AC - 0F84 8D000000         - je re2.exe+9F7E23F
re2.exe+9F7E1B2 - 89 EE                 - mov esi,ebp
re2.exe+9F7E1B4 - 48 89 D9              - mov rcx,rbx
re2.exe+9F7E1B7 - 4D 85 F6              - test r14,r14
re2.exe+9F7E1BA - 75 10                 - jne charIDChkForWorldObjectLoadoutCallerAOB
re2.exe+9F7E1BC - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E1BF - 8D 55 38              - lea edx,[rbp+38]
re2.exe+9F7E1C2 - E8 2916E6F7           - call re2.exe+1DDF7F0
re2.exe+9F7E1C7 - E9 E7000000           - jmp re2.exe+9F7E2B3
charIDChkForWorldObjectLoadoutCallerAOB- 4C 89 F2              - mov rdx,r14
re2.exe+9F7E1CF - E8 AC094EF6           - call re2.exe+45EB80                //caller
re2.exe+9F7E1D4 - 48 8B 4B 50           - mov rcx,[rbx+50]                   //ret check
re2.exe+9F7E1D8 - 48 39 71 18           - cmp [rcx+18],rsi
re2.exe+9F7E1DC - 0F85 D1000000         - jne re2.exe+9F7E2B3
re2.exe+9F7E1E2 - 3D E8030000           - cmp eax,000003E8 { 1000 }
re2.exe+9F7E1E7 - 7E 20                 - jle re2.exe+9F7E209
re2.exe+9F7E1E9 - 3D D0070000           - cmp eax,000007D0 { 2000 }
re2.exe+9F7E1EE - 75 09                 - jne re2.exe+9F7E1F9
re2.exe+9F7E1F0 - 48 8B B7 20010000     - mov rsi,[rdi+00000120]
re2.exe+9F7E1F7 - EB 2B                 - jmp re2.exe+9F7E224
re2.exe+9F7E1F9 - 3D B80B0000           - cmp eax,00000BB8 { 3000 }
re2.exe+9F7E1FE - 75 24                 - jne re2.exe+9F7E224
re2.exe+9F7E200 - 48 8B B7 28010000     - mov rsi,[rdi+00000128]
re2.exe+9F7E207 - EB 1B                 - jmp re2.exe+9F7E224
re2.exe+9F7E209 - 85 C0                 - test eax,eax
re2.exe+9F7E20B - 75 09                 - jne re2.exe+9F7E216
re2.exe+9F7E20D - 48 8B B7 10010000     - mov rsi,[rdi+00000110]
re2.exe+9F7E214 - EB 0E                 - jmp re2.exe+9F7E224
re2.exe+9F7E216 - 3D E8030000           - cmp eax,000003E8 { 1000 }
re2.exe+9F7E21B - 75 07                 - jne re2.exe+9F7E224
re2.exe+9F7E21D - 48 8B B7 18010000     - mov rsi,[rdi+00000118]
re2.exe+9F7E224 - 49 89 F0              - mov r8,rsi
re2.exe+9F7E227 - 48 89 FA              - mov rdx,rdi
re2.exe+9F7E22A - 48 89 D9              - mov rcx,rbx
re2.exe+9F7E22D - E8 CE9946F6           - call re2.exe+3E7C00
re2.exe+9F7E232 - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+9F7E236 - 48 8B 48 18           - mov rcx,[rax+18]
re2.exe+9F7E23A - 48 85 C9              - test rcx,rcx
re2.exe+9F7E23D - 75 74                 - jne re2.exe+9F7E2B3
re2.exe+9F7E23F - 48 8B 05 4A3612FD     - mov rax,[re2.exe+70A1890] { (149D6E00) }
re2.exe+9F7E246 - 48 85 C9              - test rcx,rcx
re2.exe+9F7E249 - 75 68                 - jne re2.exe+9F7E2B3
re2.exe+9F7E24B - 48 85 C0              - test rax,rax
re2.exe+9F7E24E - 75 10                 - jne re2.exe+9F7E260
re2.exe+9F7E250 - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E253 - 8D 50 38              - lea edx,[rax+38]
these 2 aobscans are for the caller checks in the code cave injected at "charIDReadForLoadoutOnLoadAOB+1f"

that means, once you've updated these 2 aobscans, you should be able to trace from both notCharLoadoutCallerAOB and charIDChkForWorldObjectLoadoutCallerAOB to charIDReadForLoadoutOnLoadAOB very quickly; if not, one of the aobscans is wrong.

e.g., for notCharLoadoutCallerAOB:
"notCharLoadoutCallerAOB+5" ("re2.exe+11FC37F3") is a call that leads you to a jmp opcode

Code:

re2.exe+45EB80 - E9 3B49BC08           - jmp re2.exe+90234C0
which would lead you here, to "charIDReadForLoadoutOnLoadAOB-2", the first line of the following opcodes.

Code:

re2.exe+90234C0 - 40 57                 - push rdi
charIDReadForLoadoutOnLoadAOB- 48 83 EC 20           - sub rsp,20 { 32 }
re2.exe+90234C6 - 48 8B 41 50           - mov rax,[rcx+50]
re2.exe+90234CA - 48 89 CF              - mov rdi,rcx
re2.exe+90234CD - 48 83 78 18 00        - cmp qword ptr [rax+18],00 { 0 }
re2.exe+90234D2 - 74 08                 - je re2.exe+90234DC
re2.exe+90234D4 - 31 C0                 - xor eax,eax
re2.exe+90234D6 - 48 83 C4 20           - add rsp,20 { 32 }
re2.exe+90234DA - 5F                    - pop rdi
re2.exe+90234DB - C3                    - ret 
re2.exe+90234DC - 48 89 5C 24 38        - mov [rsp+38],rbx
inj point >>> re2.exe+90234E1 - 45 31 C0              - xor r8d,r8d
re2.exe+90234E4 - 8B 5A 54              - mov ebx,[rdx+54]
re2.exe+90234E7 - 48 8B 15 5A4602FE     - mov rdx,[re2.exe+7047B48] { (14514F568) }
re2.exe+90234EE - E8 8DA6DBF8           - call re2.exe+1DDDB80
re2.exe+90234F3 - 48 89 C2              - mov rdx,rax
re2.exe+90234F6 - 48 89 F9              - mov rcx,rdi
re2.exe+90234F9 - 89 58 10              - mov [rax+10],ebx
re2.exe+90234FC - E8 4F65DDF8           - call re2.exe+1DF9A50
re2.exe+9023501 - 48 8B 4F 50           - mov rcx,[rdi+50]
re2.exe+9023505 - 31 DB                 - xor ebx,ebx
re2.exe+9023507 - 48 8B 51 18           - mov rdx,[rcx+18]
re2.exe+902350B - 48 85 D2              - test rdx,rdx
re2.exe+902350E - 74 13                 - je re2.exe+9023523
re2.exe+9023510 - 89 D8                 - mov eax,ebx
re2.exe+9023512 - 48 85 D2              - test rdx,rdx
re2.exe+9023515 - 0F45 C3               - cmovne eax,ebx
re2.exe+9023518 - 48 8B 5C 24 38        - mov rbx,[rsp+38]
re2.exe+902351D - 48 83 C4 20           - add rsp,20 { 32 }
re2.exe+9023521 - 5F                    - pop rdi
re2.exe+9023522 - C3                    - ret 
re2.exe+9023523 - 4C 8D 44 24 30        - lea r8,[rsp+30]
re2.exe+9023528 - 48 89 C2              - mov rdx,rax
re2.exe+902352B - 48 89 F9              - mov rcx,rdi
re2.exe+902352E - E8 1DAEA2F8           - call re2.exe+1A4E350
re2.exe+9023533 - 0FB6 C8               - movzx ecx,al
re2.exe+9023536 - 48 8B 47 50           - mov rax,[rdi+50]
re2.exe+902353A - 48 8B 50 18           - mov rdx,[rax+18]
re2.exe+902353E - 48 85 D2              - test rdx,rdx
re2.exe+9023541 - 75 CD                 - jne re2.exe+9023510
re2.exe+9023543 - 8B 44 24 30           - mov eax,[rsp+30]
re2.exe+9023547 - 85 C9                 - test ecx,ecx
re2.exe+9023549 - 41 B8 FFFFFFFF        - mov r8d,FFFFFFFF { (0) }
re2.exe+902354F - 41 0F44 C0            - cmove eax,r8d
re2.exe+9023553 - 48 85 D2              - test rdx,rdx
re2.exe+9023556 - 0F45 C3               - cmovne eax,ebx
re2.exe+9023559 - 48 8B 5C 24 38        - mov rbx,[rsp+38]
that means you should be able to see charIDReadForLoadoutOnLoadAOB in SECONDS if you follow the call at "notCharLoadoutCallerAOB+5" or the call at "charIDChkForWorldObjectLoadoutCallerAOB+3"; both calls should have the same destination: call re2.exe+45EB80.

(EDIT: in case you're not familiar with navigating CE's Memory View: pressing SPACEBAR while highlighting a call xxxx or jmp xxxx views the destination immediately.)

if you're still interested in updating the script for the denuvo free ver... hope this helps~
(14,Nov,2019)
ongoing protest for about 6 months. "police" storming university campuses for 2 days, fired 2xxx tear gas at a university while students threw molotovs in return.
still play/cheat when I can for distraction...

///
my Patreon.

kennean
Cheater
Posts: 27
Joined: Sun Sep 30, 2018 2:10 pm
Reputation: 4

Re: RESIDENT EVIL 2 +19 +1 (table Update14.3)

Post by kennean » Tue Jun 18, 2019 10:01 am

Cielos wrote:
Fri Jun 14, 2019 5:53 pm
kennean wrote:
Sun May 19, 2019 6:47 pm
[...]
sorry again for another very very late reply..... it's been almost a month..

first off, about charIDReadForLoadoutOnLoadAOB.
although it may seem you have updated the aobs for the aobscan, as you can see from the script, I used a lua script to locate the SECOND aobscan result. that means the aob I used wasn't that accurate in the first place. you may need to double check that it has actually located the correct place for the injection.
1 way to check is to first update the 2 caller aobscans related to it.
so, below are the opcodes around the 2 caller aobs...

notCharLoadoutCallerAOB:

Code:

re2.exe+11FC3785 - 48 85 FF              - test rdi,rdi
re2.exe+11FC3788 - 75 3D                 - jne re2.exe+11FC37C7
re2.exe+11FC378A - 45 31 C0              - xor r8d,r8d
re2.exe+11FC378D - 8D 57 38              - lea edx,[rdi+38]
re2.exe+11FC3790 - 48 89 D9              - mov rcx,rbx
re2.exe+11FC3793 - E8 58C0E1EF           - call re2.exe+1DDF7F0
re2.exe+11FC3798 - 31 FF                 - xor edi,edi
re2.exe+11FC379A - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+11FC379E - 48 83 78 18 00        - cmp qword ptr [rax+18],00 { 0 }
re2.exe+11FC37A3 - 75 53                 - jne re2.exe+11FC37F8
re2.exe+11FC37A5 - 45 31 C0              - xor r8d,r8d
re2.exe+11FC37A8 - 48 89 FA              - mov rdx,rdi
re2.exe+11FC37AB - 48 89 D9              - mov rcx,rbx
re2.exe+11FC37AE - E8 8D473DEF           - call re2.exe+1397F40
re2.exe+11FC37B3 - 0FB6 D0               - movzx edx,al
re2.exe+11FC37B6 - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+11FC37BA - 48 8B 48 18           - mov rcx,[rax+18]
re2.exe+11FC37BE - 48 85 C9              - test rcx,rcx
re2.exe+11FC37C1 - 74 0A                 - je re2.exe+11FC37CD
re2.exe+11FC37C3 - 30 C0                 - xor al,al
re2.exe+11FC37C5 - EB 0B                 - jmp re2.exe+11FC37D2
re2.exe+11FC37C7 - 48 8B 7F 50           - mov rdi,[rdi+50]
re2.exe+11FC37CB - EB CD                 - jmp re2.exe+11FC379A
re2.exe+11FC37CD - 85 D2                 - test edx,edx
re2.exe+11FC37CF - 0F95 D0               - setne al
re2.exe+11FC37D2 - 48 85 C9              - test rcx,rcx
re2.exe+11FC37D5 - 75 21                 - jne re2.exe+11FC37F8
re2.exe+11FC37D7 - 84 C0                 - test al,al
re2.exe+11FC37D9 - 74 1D                 - je re2.exe+11FC37F8
re2.exe+11FC37DB - 48 89 D9              - mov rcx,rbx
re2.exe+11FC37DE - 48 85 FF              - test rdi,rdi
re2.exe+11FC37E1 - 75 0D                 - jne re2.exe+11FC37F0
re2.exe+11FC37E3 - 45 31 C0              - xor r8d,r8d
re2.exe+11FC37E6 - 8D 57 38              - lea edx,[rdi+38]
re2.exe+11FC37E9 - E8 02C0E1EF           - call re2.exe+1DDF7F0
notCharLoadoutCallerAOB- EB 08                 - jmp re2.exe+11FC37F8
re2.exe+11FC37F0 - 48 89 FA              - mov rdx,rdi
re2.exe+11FC37F3 - E8 88B349EE           - call re2.exe+45EB80        //caller
re2.exe+11FC37F8 - 48 8B 43 50           - mov rax,[rbx+50]           //ret check
re2.exe+11FC37FC - 48 8B 7C 24 30        - mov rdi,[rsp+30]
re2.exe+11FC3801 - 48 83 78 18 00        - cmp qword ptr [rax+18],00 { 0 }
re2.exe+11FC3806 - 0F85 48FFFFFF         - jne re2.exe+11FC3754
re2.exe+11FC380C - 48 89 D9              - mov rcx,rbx
re2.exe+11FC380F - 41 B8 2F000000        - mov r8d,0000002F { 47 }
re2.exe+11FC3815 - 48 89 F2              - mov rdx,rsi
re2.exe+11FC3818 - E8 D38AD8EF           - call re2.exe+1D4C2F0
re2.exe+11FC381D - 48 8B 4B 50           - mov rcx,[rbx+50]
re2.exe+11FC3821 - 0F57 C0               - xorps xmm0,xmm0
re2.exe+11FC3824 - 48 83 79 18 00        - cmp qword ptr [rcx+18],00 { 0 }
re2.exe+11FC3829 - 75 2A                 - jne re2.exe+11FC3855
re2.exe+11FC382B - 89 C0                 - mov eax,eax
re2.exe+11FC382D - F2 48 0F2A C0         - cvtsi2sd xmm0,rax
re2.exe+11FC3832 - 66 0F5A C8            - cvtpd2ps xmm1,xmm0
re2.exe+11FC3836 - 0F5A D1               - vcvtps2pd xmm2,xmm1
re2.exe+11FC3839 - F2 0F5E 15 D794E5F1   - divsd xmm2,[re2.exe+3E1CD18] { (0) }
re2.exe+11FC3841 - F2 0F59 15 7F94E5F1   - mulsd xmm2,[re2.exe+3E1CCC8] { (-1610612736) }
re2.exe+11FC3849 - F2 0F58 15 BF8DE5F1   - addsd xmm2,qword ptr [re2.exe+3E1C610] { (1.00) }
re2.exe+11FC3851 - 66 0F5A C2            - cvtpd2ps xmm0,xmm2
re2.exe+11FC3855 - 48 8B 5C 24 38        - mov rbx,[rsp+38]
re2.exe+11FC385A - 48 83 C4 20           - add rsp,20 { 32 }
re2.exe+11FC385E - 5E                    - pop rsi
re2.exe+11FC385F - C3                    - ret 
re2.exe+11FC3860 - CC                    - int 3 
re2.exe+11FC3861 - 48 8B 0C 24           - mov rcx,[rsp]
re2.exe+11FC3865 - 48 89 34 24           - mov [rsp],rsi
re2.exe+11FC3869 - D1 C8                 - ror eax,1
re2.exe+11FC386B - 48 8D 64 24 F8        - lea rsp,[rsp-08]
re2.exe+11FC3870 - 48 89 0C 24           - mov [rsp],rcx
re2.exe+11FC3874 - B9 E34E0B1D           - mov ecx,1D0B4EE3 { (0) }
re2.exe+11FC3879 - E9 890FEEF6           - jmp re2.exe+8EA4807
re2.exe+11FC387E - 4D 29 C0              - sub r8,r8
re2.exe+11FC3881 - 41 50                 - push r8
re2.exe+11FC3883 - 49 81 E0 E05D5FD3     - and r8,D35F5DE0 { (0) }
re2.exe+11FC388A - 48 81 0C 24  E05D5FD3 - or qword ptr [rsp],D35F5DE0 { (0) }
re2.exe+11FC3892 - 49 89 C2              - mov r10,rax

charIDChkForWorldObjectLoadoutCallerAOB:

Code:

re2.exe+9F7E151 - 75 15                 - jne re2.exe+9F7E168
re2.exe+9F7E153 - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E156 - 8D 50 38              - lea edx,[rax+38]
re2.exe+9F7E159 - 48 8B 5C 24 48        - mov rbx,[rsp+48]
re2.exe+9F7E15E - 48 83 C4 20           - add rsp,20 { 32 }
re2.exe+9F7E162 - 5F                    - pop rdi
re2.exe+9F7E163 - E9 8816E6F7           - jmp re2.exe+1DDF7F0
re2.exe+9F7E168 - 4C 89 74 24 40        - mov [rsp+40],r14
re2.exe+9F7E16D - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E170 - 4C 8B 70 50           - mov r14,[rax+50]
re2.exe+9F7E174 - 4C 89 F2              - mov rdx,r14
re2.exe+9F7E177 - E8 C49D41F7           - call re2.exe+1397F40
re2.exe+9F7E17C - 0FB6 D0               - movzx edx,al
re2.exe+9F7E17F - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+9F7E183 - 48 8B 48 18           - mov rcx,[rax+18]
re2.exe+9F7E187 - 48 85 C9              - test rcx,rcx
re2.exe+9F7E18A - 74 04                 - je re2.exe+9F7E190
re2.exe+9F7E18C - 30 C0                 - xor al,al
re2.exe+9F7E18E - EB 05                 - jmp re2.exe+9F7E195
re2.exe+9F7E190 - 85 D2                 - test edx,edx
re2.exe+9F7E192 - 0F95 D0               - setne al
re2.exe+9F7E195 - 48 85 C9              - test rcx,rcx
re2.exe+9F7E198 - 0F85 1F010000         - jne re2.exe+9F7E2BD
re2.exe+9F7E19E - 48 89 6C 24 30        - mov [rsp+30],rbp
re2.exe+9F7E1A3 - 31 ED                 - xor ebp,ebp
re2.exe+9F7E1A5 - 48 89 74 24 38        - mov [rsp+38],rsi
re2.exe+9F7E1AA - 84 C0                 - test al,al
re2.exe+9F7E1AC - 0F84 8D000000         - je re2.exe+9F7E23F
re2.exe+9F7E1B2 - 89 EE                 - mov esi,ebp
re2.exe+9F7E1B4 - 48 89 D9              - mov rcx,rbx
re2.exe+9F7E1B7 - 4D 85 F6              - test r14,r14
re2.exe+9F7E1BA - 75 10                 - jne charIDChkForWorldObjectLoadoutCallerAOB
re2.exe+9F7E1BC - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E1BF - 8D 55 38              - lea edx,[rbp+38]
re2.exe+9F7E1C2 - E8 2916E6F7           - call re2.exe+1DDF7F0
re2.exe+9F7E1C7 - E9 E7000000           - jmp re2.exe+9F7E2B3
charIDChkForWorldObjectLoadoutCallerAOB- 4C 89 F2              - mov rdx,r14
re2.exe+9F7E1CF - E8 AC094EF6           - call re2.exe+45EB80                //caller
re2.exe+9F7E1D4 - 48 8B 4B 50           - mov rcx,[rbx+50]                   //ret check
re2.exe+9F7E1D8 - 48 39 71 18           - cmp [rcx+18],rsi
re2.exe+9F7E1DC - 0F85 D1000000         - jne re2.exe+9F7E2B3
re2.exe+9F7E1E2 - 3D E8030000           - cmp eax,000003E8 { 1000 }
re2.exe+9F7E1E7 - 7E 20                 - jle re2.exe+9F7E209
re2.exe+9F7E1E9 - 3D D0070000           - cmp eax,000007D0 { 2000 }
re2.exe+9F7E1EE - 75 09                 - jne re2.exe+9F7E1F9
re2.exe+9F7E1F0 - 48 8B B7 20010000     - mov rsi,[rdi+00000120]
re2.exe+9F7E1F7 - EB 2B                 - jmp re2.exe+9F7E224
re2.exe+9F7E1F9 - 3D B80B0000           - cmp eax,00000BB8 { 3000 }
re2.exe+9F7E1FE - 75 24                 - jne re2.exe+9F7E224
re2.exe+9F7E200 - 48 8B B7 28010000     - mov rsi,[rdi+00000128]
re2.exe+9F7E207 - EB 1B                 - jmp re2.exe+9F7E224
re2.exe+9F7E209 - 85 C0                 - test eax,eax
re2.exe+9F7E20B - 75 09                 - jne re2.exe+9F7E216
re2.exe+9F7E20D - 48 8B B7 10010000     - mov rsi,[rdi+00000110]
re2.exe+9F7E214 - EB 0E                 - jmp re2.exe+9F7E224
re2.exe+9F7E216 - 3D E8030000           - cmp eax,000003E8 { 1000 }
re2.exe+9F7E21B - 75 07                 - jne re2.exe+9F7E224
re2.exe+9F7E21D - 48 8B B7 18010000     - mov rsi,[rdi+00000118]
re2.exe+9F7E224 - 49 89 F0              - mov r8,rsi
re2.exe+9F7E227 - 48 89 FA              - mov rdx,rdi
re2.exe+9F7E22A - 48 89 D9              - mov rcx,rbx
re2.exe+9F7E22D - E8 CE9946F6           - call re2.exe+3E7C00
re2.exe+9F7E232 - 48 8B 43 50           - mov rax,[rbx+50]
re2.exe+9F7E236 - 48 8B 48 18           - mov rcx,[rax+18]
re2.exe+9F7E23A - 48 85 C9              - test rcx,rcx
re2.exe+9F7E23D - 75 74                 - jne re2.exe+9F7E2B3
re2.exe+9F7E23F - 48 8B 05 4A3612FD     - mov rax,[re2.exe+70A1890] { (149D6E00) }
re2.exe+9F7E246 - 48 85 C9              - test rcx,rcx
re2.exe+9F7E249 - 75 68                 - jne re2.exe+9F7E2B3
re2.exe+9F7E24B - 48 85 C0              - test rax,rax
re2.exe+9F7E24E - 75 10                 - jne re2.exe+9F7E260
re2.exe+9F7E250 - 45 31 C0              - xor r8d,r8d
re2.exe+9F7E253 - 8D 50 38              - lea edx,[rax+38]
[...]

No problem!!! I think I got the script to work, but I had to find a different way than what you had told me...
First I tried the way you suggested, but no matter what changes I made, I couldn't find any jmp or call that was the same in both "notCharLoadoutCallerAOB" and "charIDChkForWorldObjectLoadoutCallerAOB"...

Then I started from the opposite end.. I found the perfect AOB scan for "charIDReadForLoadoutOnLoadAOB-2", as only the xor opcode changed (33 C0 instead of 31 C0), so all I needed to do was find the other 2...
What I did was search for the opcode "call re2.exe+charIDReadForLoadoutOnLoadAOB-2", and voilà!!! Found me some addresses. Then I compared them with the originals and put the most similar ones in the script!!!
Again, thanks for helping me with this!!! I still don't know how you did it in the first place, but I've learned a lot more from your explanation!!!
Do you know a shortcut for when you search for an array of bytes and it shows in the Hex part of the Memory View, to immediately jump to that address in the opcode part too??? It's a pain in the ass to have to type the address over and over...

Also, if you still have the game installed, can you help me with another problem I'm having? Do you know about the fix for the low framerate of the zombies when they are beyond a certain distance? The guy (gal?) who posted it said to edit the .exe, but I believe it can be done within the CE too.
I compared the fix on the old crack and on the denuvo-less crack, and found that on the old one it modifies a jmp opcode into a xor followed by the same jmp opcode. So I made an AOB scan for a similar pattern and simply "added" the xor as newmem code, but couldn't see any difference on my end... Maybe I didn't "patch" the right address?? At least the game didn't crash...
So, here is the table with a working character model script for those who have the denuvo-less .exe!!! I've only tested it for a few minutes, and as I never used it before I don't really know how to fully explore the options, so I would like to ask those who know to tell me if anything went wrong!!!

All credits go to Cielos and everyone else who made these scripts!!

Edit: I removed the table because it was crashing... Made a new one on the next page!
Last edited by kennean on Wed Jun 19, 2019 4:29 pm, edited 2 times in total.
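The two tracing directions discussed above (Cielos's forward trace: caller call -> jmp stub -> charIDReadForLoadoutOnLoadAOB-2, and kennean's reverse search for every call that lands there) reduce to rel32 arithmetic plus a wildcard byte scan; the Python below is an added example, not code from either post or from the table. It assumes a constructed "memory" built only from bytes copied out of the listings above, keyed by re2.exe-relative offset (rel32 math does not depend on the module base, so offsets are enough), and the function names are my own.

```python
import re
import struct

# Constructed sample "memory": re2.exe-relative offsets -> bytes copied from the listings
# in the posts above. Only the instructions the trace touches are present (assumption).
MEMORY = {
    0x11FC37F3: bytes.fromhex("E888B349EE"),  # notCharLoadoutCallerAOB+5: call re2.exe+45EB80
    0x09F7E1CF: bytes.fromhex("E8AC094EF6"),  # charIDChkForWorldObjectLoadoutCallerAOB+3: same call
    0x0045EB80: bytes.fromhex("E93B49BC08"),  # re2.exe+45EB80: jmp re2.exe+90234C0
    0x090234C0: bytes.fromhex(                # charIDReadForLoadoutOnLoadAOB-2 onwards
        "4057" "4883EC20" "488B4150" "4889CF" "4883781800" "7408" "31C0"
        "4883C420" "5F" "C3" "48895C2438" "4531C0" "8B5A54" "48"),
}

# The two AOB strings from the script; "**" is a one-byte wildcard. They differ only in the
# encoding of xor eax,eax (31 C0 and 33 C0 are both valid) and one extra fixed byte (54).
AOB_ORIGINAL = ("48 ** ** ** 48 ** ** ** 48 ** ** 48 ** ** ** 00 74 08 31 C0 "
                "48 ** ** ** 5F C3 48 ** ** ** ** 45 ** ** 8B ** ** 48")
AOB_UPDATED = ("48 ** ** ** 48 ** ** ** 48 ** ** 48 ** ** ** 00 74 08 33 C0 "
               "48 ** ** ** 5F C3 48 ** ** ** ** 45 ** ** 8B ** 54 48")

def aob_scan(buf, pattern):
    """Every offset in buf where the wildcard pattern matches (what an aobscan returns)."""
    regex = b"".join(b"." if tok == "**" else b"\\x%02X" % int(tok, 16)
                     for tok in pattern.split())
    return [m.start() for m in re.finditer(regex, buf, re.DOTALL)]

def rel32_target(rva, code):
    """Destination of a near call (E8) or jmp (E9) starting at rva; None if it is neither."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    disp, = struct.unpack_from("<i", code, 1)  # signed 32-bit displacement
    return rva + 5 + disp                       # relative to the end of the 5-byte instruction

def follow(memory, rva, limit=8):
    """Forward trace: chase call/jmp thunks from rva until real code is reached."""
    chain = [rva]
    while True:
        nxt = rel32_target(rva, memory.get(rva, b""))
        if nxt is None or len(chain) > limit:   # limit guards against a jmp loop
            return chain
        chain.append(nxt)
        rva = nxt

def find_callers(memory, target):
    """Reverse search: every E8 in memory whose resolved destination is target."""
    hits = []
    for base, code in memory.items():
        for off in range(len(code) - 4):
            if code[off] == 0xE8 and rel32_target(base + off, code[off:off + 5]) == target:
                hits.append(base + off)
    return sorted(hits)

if __name__ == "__main__":
    hits = aob_scan(MEMORY[0x090234C0], AOB_ORIGINAL)
    print("original AOB hits:", [hex(0x090234C0 + o) for o in hits])
    print("forward trace:", [hex(a) for a in follow(MEMORY, 0x11FC37F3)])
    print("callers of re2.exe+45EB80:", [hex(a) for a in find_callers(MEMORY, 0x45EB80)])
```

Both caller calls resolve to re2.exe+45EB80 and the jmp there resolves to re2.exe+90234C0, which is exactly the chain the posts describe; swapping the single 31 C0 for 33 C0 is what makes the updated pattern match the denuvo-free build.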
