Code:
ChangeList:4356657
Version:Open_1.39
User:silex-buildfarm
Branch://tgt-streams/beta
Project Name:TGT
Time:Wed Sep 18 17:54:34 2019
SDK:N/A
Exec:scimitar_engine_win64_f.exe
MD5:N/A
Notable changes:
- /belaunch -be still works, but once you get past the "Connecting" step, you'll see the game restarts itself *really* launching BE this time around; so I'd advise removing it from your UPlay client's 'Properties' > 'Game launch arguments' pane.
- GetName is now at 0x28 offset in the member-functions vtable, instead of 0x48.
- p_SilexNetComponent_Player (0x507DC2EC) shifted to 0x160 offset
- 'God Mode' offset moved to 0x4AB
- 'Immunity' offset moved to 0x1ED
- g_Weapon+0xC8 is now the offset at which p_SilexNetComponent_Player is stored
BR,
Sun
[ 08.09.2019 - LIVE_5.63 (4290415) ]
Revamped all scripts, as per the information here. All scripts are now player-sided, regardless of whether the hooked locations are used by AI as well (I know 'Unlimited Clip Ammo' is).
Note #1: While in Erewhon, the [ Gather Intel ] script will loop through all available players in the room. You can see that in the [ Debug ] section, while in windowed mode. Once you exit Erewhon, the hook will stabilize and fetch just your pointers. I recommend not using this in Co-Op or PVP, due to the aforementioned reason.
Note #2: The [ Debug ] section is just for debug purposes; you don't need to change anything in there, the scripts do the job by default.
BR,
Sun
[ 07.09.2019 - LIVE_5.63 (4290415) ]
Added below the table for GRB.exe:
BR,
Sun
[ 07.09.2019 - LIVE_5.63 (4290415) ]
The BattlEye bypass method is mentioned in this post. Just so I don't hear any more whining and spamming.
[ 05.09.2019 - LIVE_5.63 (4290415) ]
Code:
ChangeList:4290415
Version:LIVE_5.63
User:silex-buildfarm
Branch://tgt-streams/livetest
Project Name:TGT
Time:Wed Sep 4 16:15:17 2019
SDK:N/A
Exec:scimitar_engine_win64_f.exe
MD5:N/A
I've mentioned some information about this game in this post. Please have a quick read.
What I'm about to post below is just personal information that may or may not help gamehackers in the final release of the game. THIS IS JUST FOR SINGLE PLAYER! I/We do not care about multiplayer or co-op. Let this be clear. Since the BETA is open till the 8th, I believe it makes no sense to come up with my solution and post it here for grabs.
Also:
- I'm doing this for fun, with no commercial intentions (this is not aimed at helping anyone)
- I'm not doing this to be "the first" (even though I may be contradicted, that some shit I say or said implies the opposite)
- not doing it for the trainer makers out there who, perhaps, might find this information useful
EncodeWrite:
Code:
GRB_UPP.exe+1A6350D0 - 8B 41 20 - mov eax,[rcx+20]
GRB_UPP.exe+1A6350D3 - 49 89 C8 - mov r8,rcx
GRB_UPP.exe+1A6350D6 - 48 8B 49 18 - mov rcx,[rcx+18]
GRB_UPP.exe+1A6350DA - 31 D0 - xor eax,edx
GRB_UPP.exe+1A6350DC - C6 01 00 - mov byte ptr [rcx],00
GRB_UPP.exe+1A6350DF - 49 8B 48 10 - mov rcx,[r8+10]
GRB_UPP.exe+1A6350E3 - C6 01 00 - mov byte ptr [rcx],00
GRB_UPP.exe+1A6350E6 - 49 8B 48 08 - mov rcx,[r8+08]
GRB_UPP.exe+1A6350EA - C6 01 00 - mov byte ptr [rcx],00
GRB_UPP.exe+1A6350ED - 49 8B 08 - mov rcx,[r8]
GRB_UPP.exe+1A6350F0 - C6 01 00 - mov byte ptr [rcx],00
GRB_UPP.exe+1A6350F3 - 31 C9 - xor ecx,ecx
GRB_UPP.exe+1A6350F5 - 66 66 66 0F1F 84 00 00000000 - nop [rax+rax+00000000]
GRB_UPP.exe+1A635100 - 4D 8B 08 - mov r9,[r8]
GRB_UPP.exe+1A635103 - 0FB6 D0 - movzx edx,al
GRB_UPP.exe+1A635106 - 80 E2 01 - and dl,01
GRB_UPP.exe+1A635109 - D1 E8 - shr eax,1
GRB_UPP.exe+1A63510B - D2 E2 - shl dl,cl
GRB_UPP.exe+1A63510D - 41 08 11 - or [r9],dl
GRB_UPP.exe+1A635110 - 0FB6 D0 - movzx edx,al
GRB_UPP.exe+1A635113 - 4D 8B 48 08 - mov r9,[r8+08]
GRB_UPP.exe+1A635117 - 80 E2 01 - and dl,01
GRB_UPP.exe+1A63511A - D2 E2 - shl dl,cl
GRB_UPP.exe+1A63511C - D1 E8 - shr eax,1
GRB_UPP.exe+1A63511E - 41 08 11 - or [r9],dl
GRB_UPP.exe+1A635121 - 0FB6 D0 - movzx edx,al
GRB_UPP.exe+1A635124 - 4D 8B 48 10 - mov r9,[r8+10]
GRB_UPP.exe+1A635128 - 80 E2 01 - and dl,01
GRB_UPP.exe+1A63512B - D2 E2 - shl dl,cl
GRB_UPP.exe+1A63512D - D1 E8 - shr eax,1
GRB_UPP.exe+1A63512F - 41 08 11 - or [r9],dl
GRB_UPP.exe+1A635132 - 0FB6 D0 - movzx edx,al
GRB_UPP.exe+1A635135 - 4D 8B 48 18 - mov r9,[r8+18]
GRB_UPP.exe+1A635139 - 80 E2 01 - and dl,01
GRB_UPP.exe+1A63513C - D2 E2 - shl dl,cl
GRB_UPP.exe+1A63513E - FF C1 - inc ecx
GRB_UPP.exe+1A635140 - D1 E8 - shr eax,1
GRB_UPP.exe+1A635142 - 41 08 11 - or [r9],dl
GRB_UPP.exe+1A635145 - 83 F9 08 - cmp ecx,08
GRB_UPP.exe+1A635148 - 7C B6 - jl GRB_UPP.exe+1A635100
GRB_UPP.exe+1A63514A - C3 - ret
This is what I have right now:
30 bullets in my clip.
Now, if I head to the first address in the "on firing weapon" tree:
Code:
GRB_UPP.exe+1A3573EE - 29 D8 - sub eax,ebx <- the sub's here :)
GRB_UPP.exe+1A3573F0 - B3 01 - mov bl,01
GRB_UPP.exe+1A3573F2 - 89 C2 - mov edx,eax
GRB_UPP.exe+1A3573F4 - 48 8D 8E A0010000 - lea rcx,[rsi+000001A0]
GRB_UPP.exe+1A3573FB - E8 5054BCE7 - call GRB_UPP.exe+1F1C850
GRB_UPP.exe+1A357400 - 84 DB - test bl,bl <-
NOP the SUB and boom, quick Infinite Clip Ammo.
DecodeRead:
Code:
GRB_UPP.exe+1A4FA640 - 48 89 5C 24 08 - mov [rsp+08],rbx
GRB_UPP.exe+1A4FA645 - 48 8B 01 - mov rax,[rcx]
GRB_UPP.exe+1A4FA648 - 31 D2 - xor edx,edx
GRB_UPP.exe+1A4FA64A - 49 89 C8 - mov r8,rcx
GRB_UPP.exe+1A4FA64D - 44 0FB6 08 - movzx r9d,byte ptr [rax]
GRB_UPP.exe+1A4FA651 - 48 8B 41 08 - mov rax,[rcx+08]
GRB_UPP.exe+1A4FA655 - 44 0FB6 10 - movzx r10d,byte ptr [rax]
GRB_UPP.exe+1A4FA659 - 48 8B 41 10 - mov rax,[rcx+10]
GRB_UPP.exe+1A4FA65D - 44 0FB6 18 - movzx r11d,byte ptr [rax]
GRB_UPP.exe+1A4FA661 - 48 8B 41 18 - mov rax,[rcx+18]
GRB_UPP.exe+1A4FA665 - 89 D1 - mov ecx,edx
GRB_UPP.exe+1A4FA667 - 0FB6 18 - movzx ebx,byte ptr [rax]
GRB_UPP.exe+1A4FA66A - 66 0F1F 44 00 00 - nop [rax+rax+00]
GRB_UPP.exe+1A4FA670 - 41 0FB6 C1 - movzx eax,r9l
GRB_UPP.exe+1A4FA674 - 83 E0 01 - and eax,01
GRB_UPP.exe+1A4FA677 - 41 D0 E9 - shr r9l,1
GRB_UPP.exe+1A4FA67A - D3 E0 - shl eax,cl
GRB_UPP.exe+1A4FA67C - FF C1 - inc ecx
GRB_UPP.exe+1A4FA67E - 09 C2 - or edx,eax
GRB_UPP.exe+1A4FA680 - 41 0FB6 C2 - movzx eax,r10l
GRB_UPP.exe+1A4FA684 - 83 E0 01 - and eax,01
GRB_UPP.exe+1A4FA687 - 41 D0 EA - shr r10l,1
GRB_UPP.exe+1A4FA68A - D3 E0 - shl eax,cl
GRB_UPP.exe+1A4FA68C - FF C1 - inc ecx
GRB_UPP.exe+1A4FA68E - 09 C2 - or edx,eax
GRB_UPP.exe+1A4FA690 - 41 0FB6 C3 - movzx eax,r11l
GRB_UPP.exe+1A4FA694 - 83 E0 01 - and eax,01
GRB_UPP.exe+1A4FA697 - 41 D0 EB - shr r11l,1
GRB_UPP.exe+1A4FA69A - D3 E0 - shl eax,cl
GRB_UPP.exe+1A4FA69C - FF C1 - inc ecx
GRB_UPP.exe+1A4FA69E - 09 C2 - or edx,eax
GRB_UPP.exe+1A4FA6A0 - 0FB6 C3 - movzx eax,bl
GRB_UPP.exe+1A4FA6A3 - 83 E0 01 - and eax,01
GRB_UPP.exe+1A4FA6A6 - D0 EB - shr bl,1
GRB_UPP.exe+1A4FA6A8 - D3 E0 - shl eax,cl
GRB_UPP.exe+1A4FA6AA - FF C1 - inc ecx
GRB_UPP.exe+1A4FA6AC - 09 C2 - or edx,eax
GRB_UPP.exe+1A4FA6AE - 83 F9 20 - cmp ecx,20
GRB_UPP.exe+1A4FA6B1 - 7C BD - jl GRB_UPP.exe+1A4FA670
GRB_UPP.exe+1A4FA6B3 - 41 8B 40 20 - mov eax,[r8+20]
GRB_UPP.exe+1A4FA6B7 - 48 8B 5C 24 08 - mov rbx,[rsp+08]
GRB_UPP.exe+1A4FA6BC - 31 D0 - xor eax,edx
GRB_UPP.exe+1A4FA6BE - C3 - ret
Code:
GRB_UPP.exe+1A4F1B86 - 48 8D 4C 24 50 - lea rcx,[rsp+50]
GRB_UPP.exe+1A4F1B8B - E8 C0ACA2E7 - call GRB_UPP.exe+1F1C850
GRB_UPP.exe+1A4F1B90 - 48 8B 8B 00040000 - mov rcx,[rbx+00000400]
GRB_UPP.exe+1A4F1B97 - 45 89 F0 - mov r8d,r14d
GRB_UPP.exe+1A4F1B9A - 48 89 FA - mov rdx,rdi
GRB_UPP.exe+1A4F1B9D - 48 8B 01 - mov rax,[rcx]
GRB_UPP.exe+1A4F1BA0 - FF 50 30 - call qword ptr [rax+30]
GRB_UPP.exe+1A4F1BA3 - 48 89 C6 - mov rsi,rax
GRB_UPP.exe+1A4F1BA6 - 48 85 C0 - test rax,rax
GRB_UPP.exe+1A4F1BA9 - 74 7F - je GRB_UPP.exe+1A4F1C2A
GRB_UPP.exe+1A4F1BAB - 48 8D 48 08 - lea rcx,[rax+08]
GRB_UPP.exe+1A4F1BAF - E8 9CF99DE7 - call GRB_UPP.exe+1ED1550 <-
GRB_UPP.exe+1A4F1BB4 - 0FB7 D0 - movzx edx,ax
GRB_UPP.exe+1A4F1BB7 - 48 8D 4C 24 28 - lea rcx,[rsp+28]
GRB_UPP.exe+1A4F1BBC - E8 8FACA2E7 - call GRB_UPP.exe+1F1C850
Code:
GRB_UPP.exe+1A613F95 - 48 8D BB A0010000 - lea rdi,[rbx+000001A0]
GRB_UPP.exe+1A613F9C - 48 89 F9 - mov rcx,rdi
GRB_UPP.exe+1A613F9F - E8 ACD58BE7 - call GRB_UPP.exe+1ED1550 <- Read
GRB_UPP.exe+1A613FA4 - 48 89 F9 - mov rcx,rdi
GRB_UPP.exe+1A613FA7 - 8D 14 28 - lea edx,[rax+rbp] <- sum
GRB_UPP.exe+1A613FAA - E8 A18890E7 - call GRB_UPP.exe+1F1C850 <- Write
GRB_UPP.exe+1A613FAF - 48 89 F9 - mov rcx,rdi
GRB_UPP.exe+1A613FB2 - E8 99D58BE7 - call GRB_UPP.exe+1ED1550 <- Read
GRB_UPP.exe+1A613FB7 - 48 8D 8B 50010000 - lea rcx,[rbx+00000150]
On another note, I think GRB.exe is the single-player executable, while GRB_UPP.exe is the online services one.
More will follow.
BR,
Sun
P.S.: If I'm able to do this, maybe Ubisoft will reconsider their BattlEye strategy.
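As an added illustration (not code from Sun's post or from the game), here is the value-obfuscation scheme that the EncodeWrite/DecodeRead disassembly above implements, re-expressed in C: the value is XORed with a per-object key stored at +0x20, then its 32 bits are dealt round-robin across four separately pointed-to bytes, and the read path reverses that. Struct and function names are assumptions. For anyone assessing this kind of protection: the key sits beside the data and the transform is linear, so it hides a value from a naive memory scan and nothing more.

```c
#include <stdint.h>
/* Layout walked by EncodeWrite/DecodeRead: four pointers (+0x00..+0x18), each to
 * one byte of storage, plus a 32-bit XOR key at +0x20. Names are assumptions. */
typedef struct {
    uint8_t *lane[4];   /* +0x00, +0x08, +0x10, +0x18 */
    uint32_t key;       /* +0x20 */
} obf_value_t;

/* EncodeWrite: XOR with the key, then bit i of the result lands in
 * lane (i % 4) at bit position (i / 4); 8 outer rounds cover 32 bits. */
void encode_write(obf_value_t *v, uint32_t plain)
{
    uint32_t x = plain ^ v->key;
    for (int l = 0; l < 4; l++) *v->lane[l] = 0;
    for (int pos = 0; pos < 8; pos++)
        for (int l = 0; l < 4; l++) {
            *v->lane[l] |= (uint8_t)((x & 1u) << pos);
            x >>= 1;
        }
}

/* DecodeRead: the inverse; gather 32 bits round-robin, then XOR the key out. */
uint32_t decode_read(const obf_value_t *v)
{
    uint8_t b[4]; uint32_t acc = 0;
    for (int l = 0; l < 4; l++) b[l] = *v->lane[l];
    for (int i = 0; i < 32; i++) {
        acc |= (uint32_t)(b[i % 4] & 1u) << i;
        b[i % 4] >>= 1;
    }
    return acc ^ v->key;
}

/* Lane bytes packed little-endian: what actually sits in memory after a write. */
uint32_t encode_lanes(uint32_t key, uint32_t plain)
{
    uint8_t s[4]; obf_value_t v = { { &s[0], &s[1], &s[2], &s[3] }, key };
    encode_write(&v, plain);
    return (uint32_t)s[0] | (uint32_t)s[1] << 8 | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
}

/* Read -> add -> write (cf. GRB_UPP.exe+1A613F9F..+1A613FAA); returns the next read. */
uint32_t roundtrip(uint32_t key, uint32_t plain, int32_t delta)
{
    uint8_t s[4]; obf_value_t v = { { &s[0], &s[1], &s[2], &s[3] }, key };
    encode_write(&v, plain);
    encode_write(&v, decode_read(&v) + (uint32_t)delta);
    return decode_read(&v);
}
```

With a zero key, a clip value of 30 (0b11110) leaves the bytes 0x02, 0x01, 0x01, 0x01 in the four lanes, which is why a scan for the literal 30 comes up empty.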
How to use this cheat table?
- Install Cheat Engine
- Double-click the .CT file in order to open it.
- Click the PC icon in Cheat Engine in order to select the game process.
- Keep the list.
- Activate the trainer options by checking boxes or setting values from 0 to 1