Enotria: The Last Song

[sanitka]

Another game update has arrived.

So what ?
Anything does not work or everything works so far ?

Yes when I activated the code for the items it gave fatal error.

Have you tried to read previous questions / answers ? (like this one)
btw Item search is game version independent, as it does not do anything else than compile the pattern for a group scan and executes the scan

Good luck

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[Rainroom]

Please, add infinite "awaken" state cheat, if it's possible.

[Akira]

Item Finder / Inf. Health / Stamina (Attack sb to fill pointer)

The game makes use of the AbilitySystemComponent shit with AttributeSet, so pretty much any player stat is handled by the same system and has a base and current value.
The player himself has 16 different AttributeSet classes, so many many values that are handled by the same game code.

For a more simple player enemy compare check at your injection point of Inf. Health / Stamina (Attack sb to fill pointer) for rsi + 0x20 as that points to the player address which you can easily use as compare.

I also see you doing float compares to know if you got the right value, which isn't exactly a good solution.
Instead make again use of the previous mentioned register rsi which holds the base address of the class.
Now within that class Health for example is at offset 0x40
(+ 0x08 BaseValue | + 0x0C CurrentValue)
And rcx holds the address of the current stat.
So if the pointer value at rsi + 0x20 equals the player address and the address at rsi + 0x40 equals the address held in rcx then it's your health stat.

As alternative, since you do have a player pointer you could also make use of that for all compares.
From the player class go into the pointer at 0x9B0 and from there into the pointer at 0x10A0 (this is an array of all the player's AttributeSet classes) that points at offset 0x18 to the class that holds the health.

Example script based on your scripts:

Code: Select all

[ENABLE]

aobscanmodule(INJHP,$process,CC F3 0F 11 49 08 C3)
define(INJHP,INJHP+01)
alloc(newmem,$100,INJHP)

label(code)
label(return)
label(null)
label(entity)

newmem:
  push r12
  push r13
  mov r12,PlayerPtr
  mov r12,[r12]
  test r12,r12
  jz null
  cmp [rsi+20],r12
  jne entity
  mov r12,[r12+9B0]
  test r12,r12
  jz null
  mov r12,[r12+10A0]
  test r12,r12
  jz null
  mov r12,[r12+18]
  test r12,r12
  jz null
  cmp r12,rsi
  jne null
  // rsi holds base of health class here
  lea r13,[rsi+40] // offset 40 = Health stat
  cmp r13,rcx
  jne null
  // rcx holds the address of the health stat here
  lea r13,[rcx-10] // max health stat is at offset 30, so 0x10 bytes before the health stat address
  movss xmm1,[r13+08] // read base value of max health stat
  movss [rcx+0C],xmm1 // write max value to current value of health stat
  jmp null

entity:

null:
  pop r13
  pop r12

code:
  movss [rcx+08],xmm1
  jmp return

INJHP:
  jmp newmem

return:
registersymbol(INJHP)

[DISABLE]

INJHP:
  db F3 0F 11 49 08

unregistersymbol(*)
dealloc(*)

It's rather simple to adjust this to include stuff to set other values besides the health.

And for the Item Finder (Enter Current and Max item count, wait for result) script, the player items can be found here.
Go into the pointer at PlayerAddress + 0x9B8 and from there to 0xF8 which is a pointer to the item array.
Each item class has a current quantity, a max quantity and a current level value (the rest is rather useless).
Using that path you can easily write a code to dynamically generate pointers for the items.

What I've made so far:
[Link]

[sanitka]

Item Finder / Inf. Health / Stamina (Attack sb to fill pointer)

The game makes use of the AbilitySystemComponent shit with AttributeSet, so pretty much any player stat is handled by the same system and has a base and current value.
The player himself has 16 different AttributeSet classes, so many many values that are handled by the same game code.

Thank you, most of it is a result of "continuous improvements", I started with the code sb wrote, which was probably initially used only for HP, then I realized that it is used for more than that, looked for solution and "cheated" by using known max/current values . The same applies to the item finder - which was done for lazy people - as I tried in one trainer explain how to "group search" and failed ...
And finally PlayerPtr - I "distilled" it when I was looking for jump values, I do not know if it is the right structure, but it contains pretty much everything
So, if rewritten now, probably only one pointer would be needed.

Thanks again for the insight, I do not have UE5 dumper, so I am pretty much guessing.

upd:
I missed the image - nice looking table, great job.

[Akira]

Thanks again for the insight, I do not have UE5 dumper, so I am pretty much guessing.

Having a dumper is ofc very useful but many things can easily be found and done in UE without having one.
Teleport, fov, fly, noClip, inf jumps, player speed, game speed and much more, there's no real difference between UE4 and UE5 for that matter.
To name just a few things that exist in UE4 and 5 alike:

Code: Select all

GameEngine -> GameInstance (usually savegame stuff and alike)
GameEngine -> GameInstance -> LocalPlayers -> LocalPlayer (0) -> PlayerController -> PlayerState
GameEngine -> GameInstance -> LocalPlayers -> LocalPlayer (0) -> PlayerController -> Pawn (bCanBeDamaged, bActorEnableCollision, CustomTimeDilation, JumpMaxCount)
GameEngine -> GameInstance -> LocalPlayers -> LocalPlayer (0) -> PlayerController -> Pawn -> RootComponent (cor-ords)
GameEngine -> GameInstance -> LocalPlayers -> LocalPlayer (0) -> PlayerController -> Pawn -> CharacterMovementComponent (GravityScale, speed values, MovementMode/fly and more)
GameEngine -> GameViewportClient -> World -> Level -> WorldSettings (TimeDilation, WorldGravityZ /world speed and world gravity)
GameEngine -> GameViewportClient -> World -> GameMode
GameEngine -> GameViewportClient -> World -> GameState (holds the player array)
GameEngine -> GameViewportClient -> World -> AISaystem (has somewhere down the lines ai class array if used)

And when you got used to the structure of UE you'll easily find these things in all UE games even without a dumper.

Spoiler

GameEngine is a static class that shouldn't be to hrad to find, the pointer from there to GameInstane can easily be identified by that fact that it always has the LocalPlayers array at offset 0x38 and for every array the array size is 0x08 bytes further and max size 0x0C bytes, the max LocalPlayer count in UE is 4 and the current is 1 when playing alone, so you are looking within GameEngine for a pointer that holds at offset 0x38 another pointer adn at offset 0x40 the 4 byte value 1 and at offset 0x44 the value 4, on a side note the GameInstance pointer is usually at a offset that is higher than 0xD00, now once you found GameInstance youe the LocalPlayer array at offset 0x38 and in there offset 0x00 points to your LocalPlayer class and that always holds a pointer to the PlayerController at offset 0x30, so as I said just knowing the UE structure gets you already far without a dumper.

Video of my inventory script in action:
[Link]

Here you got a little gift from me as my table won't be for the public.

[Enotria-Win64-Shipping.exe] ObjectsDump.txt.zip

(3.63 MiB) Downloaded 144 times

[leikeylosh]

Working perfectly, thank you!!

[MrHitman]

Thank you very much for the table, it works well.