Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Upload your cheat tables here (No requests)
Kalamity222
Expert Cheater
Posts: 79
Joined: Mon May 08, 2017 1:49 pm
Reputation: 15

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by Kalamity222 »

Is mentioning the fearlessrevolution-released trainer here an offense, or can I tell people about their BattlEye bypass launcher?

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1

miobambino
Noobzor
Posts: 9
Joined: Fri Sep 06, 2019 2:25 pm
Reputation: 9

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by miobambino »

Kalamity222 wrote:
Fri Sep 06, 2019 9:41 pm
Is mentioning the fearlessrevolution-released trainer here an offense, or can I tell people about their BattlEye bypass launcher?
Charging people money for a trainer to a beta that lasts 4 days is an offence in and of itself!

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

Kalamity222 wrote:
Fri Sep 06, 2019 9:41 pm
Is mentioning the fearlessrevolution-released trainer here an offense, or can I tell people about their BattlEye bypass launcher?
Anything CH-related is an offense here. We do not allow such postings. The BattlEye bypass, as mentioned, regards setting the /belaunch -be parameter in the UPlay client's launch arguments:

Image

That will skip both launching BattlEye and creating and running BEService.exe.

Cheers,
Sun

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

Welp, today it seems GRB_UPP.exe isn't launched for me, so I'll adjust the table options to GRB.exe :)

EDIT: It looks like the Skell Points (cash) are not encrypted :P Try this out:

OnSell:

Code:

GRB.exe+16C58A77 - 48 85 C0              - test rax,rax
GRB.exe+16C58A7A - 74 31                 - je GRB.exe+16C58AAD
GRB.exe+16C58A7C - 48 8B 00              - mov rax,[rax]
GRB.exe+16C58A7F - 48 89 F1              - mov rcx,rsi
GRB.exe+16C58A82 - FF 50 10              - call qword ptr [rax+10] // gets -1
GRB.exe+16C58A85 - 89 C7                 - mov edi,eax
GRB.exe+16C58A87 - 4C 89 F9              - mov rcx,r15
GRB.exe+16C58A8A - 49 8B 07              - mov rax,[r15]
GRB.exe+16C58A8D - FF 10                 - call qword ptr [rax] // gets item cost
GRB.exe+16C58A8F - 89 C3                 - mov ebx,eax
GRB.exe+16C58A91 - 48 89 F1              - mov rcx,rsi
GRB.exe+16C58A94 - 48 8B 06              - mov rax,[rsi]
GRB.exe+16C58A97 - FF 10                 - call qword ptr [rax] // gets current Skell Points
GRB.exe+16C58A99 - 01 C3                 - add ebx,eax // sum (add)
GRB.exe+16C58A9B - 48 89 F1              - mov rcx,rsi
GRB.exe+16C58A9E - 48 8B 06              - mov rax,[rsi]
GRB.exe+16C58AA1 - 39 FB                 - cmp ebx,edi
GRB.exe+16C58AA3 - 0F46 FB               - cmovbe edi,ebx
GRB.exe+16C58AA6 - 89 FA                 - mov edx,edi
GRB.exe+16C58AA8 - FF 50 08              - call qword ptr [rax+08] // update Skell Points
GRB.exe+16C58AAB - EB 70                 - jmp GRB.exe+16C58B1D
OnBuy:

Code:

GRB.exe+16F6AB75 - 48 85 DB              - test rbx,rbx
GRB.exe+16F6AB78 - 74 37                 - je GRB.exe+16F6ABB1
GRB.exe+16F6AB7A - 48 8B 03              - mov rax,[rbx]
GRB.exe+16F6AB7D - BA 81870FF8           - mov edx,F80F8781
GRB.exe+16F6AB82 - 48 89 D9              - mov rcx,rbx
GRB.exe+16F6AB85 - FF 50 58              - call qword ptr [rax+58]
GRB.exe+16F6AB88 - 48 89 C7              - mov rdi,rax
GRB.exe+16F6AB8B - 48 85 C0              - test rax,rax
GRB.exe+16F6AB8E - 74 21                 - je GRB.exe+16F6ABB1
GRB.exe+16F6AB90 - 48 8B 10              - mov rdx,[rax]
GRB.exe+16F6AB93 - 48 89 C1              - mov rcx,rax
GRB.exe+16F6AB96 - FF 12                 - call qword ptr [rdx] // gets current Skell Points
GRB.exe+16F6AB98 - 39 E8                 - cmp eax,ebp
GRB.exe+16F6AB9A - 72 15                 - jb GRB.exe+16F6ABB1
GRB.exe+16F6AB9C - 48 8B 1F              - mov rbx,[rdi]
GRB.exe+16F6AB9F - 48 89 F9              - mov rcx,rdi
GRB.exe+16F6ABA2 - FF 13                 - call qword ptr [rbx] // gets current Skell Points
GRB.exe+16F6ABA4 - 29 E8                 - sub eax,ebp // subtract 
GRB.exe+16F6ABA6 - 48 89 F9              - mov rcx,rdi
GRB.exe+16F6ABA9 - 89 C2                 - mov edx,eax
GRB.exe+16F6ABAB - FF 53 08              - call qword ptr [rbx+08] // update Skell Points
GRB.exe+16F6ABAE - 40 B6 01              - mov sil,01
GRB.exe+16F6ABB1 - 48 8D 4C 24 20        - lea rcx,[rsp+20]
GRB.exe+16F6ABB6 - E8 F5C043EB           - call GRB.exe+23A6CB0
The value is 4 bytes (DWORD).

Bought pretty much everything. The menus marked below will always contain content, be it consumables or refreshed items in X hours:

Image

Am expecting Ubi to encode this as well in the full game release.

BR,
Sun

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

Managed to go to all of the map boundaries. Guess what.. they're not solid, just a bunch of textures.. :) I think there's a certain area around the main designated beta area that's solid; once outside, you fall through the ground/map.

chrisreddot3
Expert Cheater
Posts: 452
Joined: Sun Mar 24, 2019 1:38 am
Reputation: 80

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by chrisreddot3 »

Nice work SunBeam, I have just one question: is teleport to waypoint possible in this beta?

miobambino
Noobzor
Posts: 9
Joined: Fri Sep 06, 2019 2:25 pm
Reputation: 9

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by miobambino »

SunBeam wrote:
Sat Sep 07, 2019 4:49 pm
Managed to go to all of the map boundaries. Guess what.. they're not solid, just a bunch of textures.. :) I think there's a certain area around the main designated beta area that's solid; once outside, you fall through the ground/map.
Yeah, once you get down to the dam area around Mount Herbert, that's when things just become a texture and are no longer solid. The only annoying part about exploring is that once you get the swarms of drones you're unable to open chests or collect intel, even when they disappear in the danger area leaving you in peace; once you get back into the safe zone you're able to open them again. One problem with god mode that I can foresee is that because the drones can't kill you, you're unable to open chests or collect intel due to what I suspect is an animation loop or a trigger somewhere that marks you as being dead so you can't open anything, then undoes that trigger once you get back into the safe zone, if you manage to escape the drones, because they're pretty much insta-kill. The invisibility script doesn't work for the insta-kill drones, so that would have to be something separate if the trigger for them can be found and killed.

jonasbeckman
Expert Cheater
Posts: 307
Joined: Sat May 06, 2017 1:26 pm
Reputation: 22

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by jonasbeckman »

There are a few zones in the main areas too that are "Drone swarm incoming.", but yeah, exploring item level 150 bases and seeing the heavy infantry and vehicles is neat, but there's no looting anything with the dynamic invisible-border instant-kill drone swarm around until, I guess, somewhere in the full game that will get turned off. (I suppose changing the friend/foe parameters would be too easy, so probably midpoint and it's off to explore the interesting Zone 01 and what looks like some Skell HQ on the map, but I guess it's just some low-res texture area in this beta build. :D )

The item level doesn't actually mean much against humans, though, as a headshot or a few body shots take out anything, whether it's mercs, heavy mercs or Wolf mercs, though I suppose it would let you survive a bit longer, and thanks to the cosmetic system you can at least look marginally less silly while still getting high-level scuba diving armor and various odd headgear. :P
(And no idea if it's server related or what not but responsiveness and the menu jankiness really needs work!)

Will be curious to see what gets changed around in the full game, expecting a few adjustments both as reported from the beta and what they find as players have fun and try different things like these though there's probably going to be something.


Fully expecting a premium currency system too down the line, similar to Wildlands and the rest of the Ubi games-as-a-service lineup, but that remains to be seen; not much from what I can get out of the exe file so far at least, but I might not be finding the right things either.

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

And here are some goodies for the upcoming full version :P Preparations, lol :)

GetName: (you need a certain pointer format for this to work; for me to know)

Code:

function _readInteger( Input )
  -- thanks, Pox!
  -- readInteger() returns an unsigned DWORD; rel32/disp32 operands are signed
  local Value = readInteger( Input )
  if Value < 0x80000000 then return Value
  else return Value - 0x100000000 end
end

function GetName( input )
  local addr = readQword( input )   -- vtable
  addr = addr + 0x48 -- 0x48 in Breakpoint (vtable slot)
  addr = readQword( addr )          -- the virtual function in that slot
  if readBytes( addr, 1 ) == 0xE9 then
    -- jmp rel32 thunk: follow it to the real function body
    addr = addr + _readInteger( addr + 0x1 ) + 0x5
  end
  -- 7-byte lea reg,[rip+disp32]: disp32 sits at +3, rip is the next instruction (+7)
  addr = addr + _readInteger( addr + 0x3 ) + 0x7
  addr = readQword( addr )
  print( string.format( "IStruct:  0x%X", input ) )
  print( string.format( "IName:    0x%X", addr ) )
  local str = readString( readQword( addr + 0x20 ) )
  print( string.format( "ObjStr:   %s", str ) )
  addr = readInteger( addr + 0x2C )
  print( string.format( "ObjHash:  0x%X", addr ) )
  print( "" )
  print( "* * *")
end

GetName( 0x15B9E890AE0 )
Example:

Code:

IStruct:  0x15B9E890AE0 
IName:    0x7FF7411C56A0 
ObjStr:    
ObjHash:  0x6CD605D3
Note the developers have stripped almost any string references leading to their classes/objects :) Luckily, I stored the crc32b hashes table dumped from the GRW PS4 ISO :) So 0x6CD605D3 == "GR_cPlayerComponent".

And a nifty hook spot for various useful pointers, player-related, that can be used in turning all the scripts out there player-only :)

Code:

GRB.exe+1D9232D0 - 48 89 E0              - mov rax,rsp <-- hook here
GRB.exe+1D9232D3 - 48 89 58 08           - mov [rax+08],rbx <-- or here
GRB.exe+1D9232D7 - 48 89 68 10           - mov [rax+10],rbp
GRB.exe+1D9232DB - 48 89 70 18           - mov [rax+18],rsi
GRB.exe+1D9232DF - 57                    - push rdi
GRB.exe+1D9232E0 - 41 56                 - push r14
GRB.exe+1D9232E2 - 41 57                 - push r15
GRB.exe+1D9232E4 - 48 81 EC 80000000     - sub rsp,00000080
GRB.exe+1D9232EB - 0F29 70 D8            - movaps [rax-28],xmm6
GRB.exe+1D9232EF - 48 89 CF              - mov rdi,rcx
GRB.exe+1D9232F2 - 0F29 78 C8            - movaps [rax-38],xmm7
GRB.exe+1D9232F6 - 0F28 F1               - movaps xmm6,xmm1
GRB.exe+1D9232F9 - 44 0F29 40 B8         - movaps [rax-48],xmm8
GRB.exe+1D9232FE - 44 0F29 48 A8         - movaps [rax-58],xmm9
GRB.exe+1D923303 - 44 0F29 50 98         - movaps [rax-68],xmm10
GRB.exe+1D923308 - E8 F306DEE4           - call GRB.exe+2703A00
GRB.exe+1D92330D - 48 8B 87 40030000     - mov rax,[rdi+00000340]
GRB.exe+1D923314 - 45 31 FF              - xor r15d,r15d
GRB.exe+1D923317 - 48 83 F8 FD           - cmp rax,-03 { 253 }
GRB.exe+1D92331B - 77 4C                 - ja GRB.exe+1D923369
GRB.exe+1D92331D - 48 85 C0              - test rax,rax
GRB.exe+1D923320 - 75 0A                 - jne GRB.exe+1D92332C
GRB.exe+1D923322 - 48 8B 87 48030000     - mov rax,[rdi+00000348]
GRB.exe+1D923329 - 48 8B 00              - mov rax,[rax]
GRB.exe+1D92332C - 48 3B 87 38030000     - cmp rax,[rdi+00000338]
GRB.exe+1D923333 - 72 34                 - jb GRB.exe+1D923369
GRB.exe+1D923335 - 44 88 BF 8B040000     - mov [rdi+0000048B],r15l
GRB.exe+1D92333C - 48 8B 87 48030000     - mov rax,[rdi+00000348]
GRB.exe+1D923343 - 48 85 C0              - test rax,rax
GRB.exe+1D923346 - 74 05                 - je GRB.exe+1D92334D
GRB.exe+1D923348 - 48 8B 08              - mov rcx,[rax]
GRB.exe+1D92334B - EB 03                 - jmp GRB.exe+1D923350
GRB.exe+1D92334D - 4C 89 F9              - mov rcx,r15
GRB.exe+1D923350 - 48 89 8F 30030000     - mov [rdi+00000330],rcx
GRB.exe+1D923357 - 4C 89 BF 38030000     - mov [rdi+00000338],r15
GRB.exe+1D92335E - 48 C7 87 40030000 FFFFFFFF - mov qword ptr [rdi+00000340],FFFFFFFFFFFFFFFF
At the above point, you got these:

rbx == GR_cPlayerComponent
rcx == g_Player (don't have the string for 0x3F61AFE6 hash yet; this is the same in GRW)
[rcx+8] == Entity (our player's Entity; 0x0984415E)

Example: (this will make sure the God check is applied only to your g_Player, just in case the enemy benefits from it)

Code:

[ENABLE]

aobscanmodule( GodMode, GRB.exe, 80BB????????000F85????????80BB????????000F85????????F683 )
registersymbol( GodMode )
label( GodMode_o )
registersymbol( GodMode_o )

alloc( Hook, 0x1000, GRB.exe )

Hook:
push rax
mov rax,[g_Player]
test rax,rax
je short @f
  cmp rax,rbx
  jne short @f
    mov byte ptr [rbx+48B],1
@@:
pop rax
GodMode_o:
readmem( GodMode, 7 )
jmp GodMode+7

GodMode:
jmp Hook
db 90 90

[DISABLE]

[g_Player]+48B:
db 0

GodMode:
readmem( GodMode_o, 7 )

unregistersymbol( GodMode )
unregistersymbol( GodMode_o )
dealloc( Hook )
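Added example, not part of SunBeam's post: a Python port of the GetName walk above, run against a constructed memory image so the vtable -> thunk -> RIP-relative lea -> name record chain can be stepped through without the game attached. The 0x48 slot, the +0x20/+0x2C offsets and the crc32b remark come from the post; the image base, every address in it, the extra class names and the use of zlib's CRC-32 as the "crc32b" are assumptions made for the demo, as is the idea that the stripped-string case is recovered purely from the hash table.

```python
"""Added example (not SunBeam's code): a Python port of the GetName Lua above,
run against a constructed memory image instead of the live game so the
pointer walk can be studied offline.

Walk, as in the Lua: object -> vtable -> slot 0x48 -> (optional E9 jmp thunk)
-> 7-byte "lea reg,[rip+disp32]" -> static slot -> name record with the
string pointer at +0x20 and the class hash at +0x2C.  The 0x48/0x20/0x2C
offsets and the crc32b remark come from the post; every address, the image
layout and the extra class names are invented for the demo, and treating the
game's hash as zlib's CRC-32 (PHP's "crc32b") is an assumption.
"""
import struct
import zlib

BASE = 0x7FF741000000          # demo image base (made up)
IMAGE = bytearray(0x7000)


def read_qword(addr):
    return struct.unpack_from("<Q", IMAGE, addr - BASE)[0]


def read_int32(addr):          # signed, like the _readInteger wrapper in the Lua
    return struct.unpack_from("<i", IMAGE, addr - BASE)[0]


def read_uint32(addr):
    return struct.unpack_from("<I", IMAGE, addr - BASE)[0]


def read_cstring(addr):
    start = addr - BASE
    return IMAGE[start:IMAGE.index(b"\0", start)].decode("ascii")


def crc32b(name):
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


# Stands in for the hash table SunBeam dumped from the GRW PS4 ISO.
KNOWN_CLASSES = ("GR_cPlayerComponent", "GR_cWeaponComponent", "GR_cInventoryHolder")
HASH_TO_NAME = {crc32b(n): n for n in KNOWN_CLASSES}


def build_object(obj, vt, fn, slot, rec, string, name, thunk=None, keep_string=True):
    """Lay out one object plus the code GetName walks; arguments are image offsets.
    keep_string=False mimics a build with the class string stripped."""
    put = lambda off, fmt, *v: struct.pack_into(fmt, IMAGE, off, *v)
    put(obj, "<Q", BASE + vt)                                      # obj->vtable
    put(vt + 0x48, "<Q", BASE + (fn if thunk is None else thunk))  # vtable slot 0x48
    if thunk is not None:                                          # E9 rel32 -> fn
        put(thunk, "<Bi", 0xE9, fn - (thunk + 5))
    put(fn, "<BBBi", 0x48, 0x8D, 0x05, slot - (fn + 7))            # lea rax,[rip+disp32]
    put(slot, "<Q", BASE + rec)                                    # static slot -> record
    put(rec + 0x20, "<Q", BASE + string)                           # record->string
    put(rec + 0x2C, "<I", crc32b(name))                            # record->hash
    text = (name if keep_string else "").encode("ascii") + b"\0"
    IMAGE[string:string + len(name) + 1] = text.ljust(len(name) + 1, b"\0")
    return BASE + obj


def get_name(obj_addr):
    """Port of GetName: (name record address, ObjStr, ObjHash)."""
    addr = read_qword(obj_addr)              # vtable
    addr = read_qword(addr + 0x48)           # virtual function in slot 0x48
    if IMAGE[addr - BASE] == 0xE9:           # jmp rel32 thunk: follow it
        addr = addr + read_int32(addr + 1) + 5
    addr = addr + read_int32(addr + 3) + 7   # operand of lea reg,[rip+disp32]
    rec = read_qword(addr)
    return rec, read_cstring(read_qword(rec + 0x20)), read_uint32(rec + 0x2C)


def class_name(obj_addr):
    """ObjStr when the build still has it, otherwise recover it via the hash."""
    _, text, digest = get_name(obj_addr)
    return text or HASH_TO_NAME.get(digest, "<unknown 0x%08X>" % digest)


# String stripped (as in the thread's example output) and reached through a thunk.
PLAYER = build_object(0x1000, 0x2000, 0x3100, 0x4000, 0x5000, 0x6000,
                      "GR_cPlayerComponent", thunk=0x3000, keep_string=False)
# String present, no thunk.
WEAPON = build_object(0x1100, 0x2100, 0x3200, 0x4008, 0x5100, 0x6100,
                      "GR_cWeaponComponent")

if __name__ == "__main__":
    for obj in (PLAYER, WEAPON):
        rec, text, digest = get_name(obj)
        print("IStruct: 0x%X  IName: 0x%X  ObjStr: %r  ObjHash: 0x%08X  -> %s"
              % (obj, rec, text, digest, class_name(obj)))
```

The two objects exercise both branches of the Lua: PLAYER goes through an E9 thunk and has its string stripped, so only the hash lookup names it; WEAPON is reached directly and still carries its string. On a real process, replace the four read_* helpers with Cheat Engine's readQword/readInteger/readBytes/readString and keep the rest.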

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

Alright, regarding the Drone Swarm, I figured out a way to disable them :)

Hit 1:

Code:

GRB.exe+1CAEF1D0 - 48 83 EC 48           - sub rsp,48
GRB.exe+1CAEF1D4 - 49 8B 40 08           - mov rax,[r8+08]
GRB.exe+1CAEF1D8 - 49 89 CA              - mov r10,rcx
GRB.exe+1CAEF1DB - 48 8D 0D DE80A5E8     - lea rcx,[GRB.exe+55472C0]
GRB.exe+1CAEF1E2 - 48 89 44 24 28        - mov [rsp+28],rax
GRB.exe+1CAEF1E7 - 49 89 D1              - mov r9,rdx
GRB.exe+1CAEF1EA - 48 39 C8              - cmp rax,rcx
..
..
GRB.exe+1CAEF21A - 48 8D 54 24 20        - lea rdx,[rsp+20]
GRB.exe+1CAEF21F - 4C 89 C9              - mov rcx,r9
GRB.exe+1CAEF222 - 41 FF 52 08           - call qword ptr [r10+08] <- enter
GRB.exe+1CAEF226 - 48 83 C4 48           - add rsp,48
GRB.exe+1CAEF22A - C3                    - ret
Hit 2:

Code:

GRB.exe+2FE0480 - E9 3B43C319           - jmp GRB.exe+1CC147C0
..
..
GRB.exe+1CC147C0 - 48 89 6C 24 18        - mov [rsp+18],rbp
GRB.exe+1CC147C5 - 48 89 74 24 20        - mov [rsp+20],rsi
GRB.exe+1CC147CA - 57                    - push rdi
GRB.exe+1CC147CB - 48 83 EC 20           - sub rsp,20
GRB.exe+1CC147CF - 48 8B 42 18           - mov rax,[rdx+18]
GRB.exe+1CC147D3 - 48 89 D6              - mov rsi,rdx
GRB.exe+1CC147D6 - 48 89 CD              - mov rbp,rcx
GRB.exe+1CC147D9 - 48 63 78 0C           - movsxd  rdi,dword ptr [rax+0C]
..
..
GRB.exe+1CC14844 - 4C 8D 44 24 38        - lea r8,[rsp+38]
GRB.exe+1CC14849 - 48 89 DA              - mov rdx,rbx
GRB.exe+1CC1484C - 48 89 E9              - mov rcx,rbp
GRB.exe+1CC1484F - E8 CC6A39E6           - call GRB.exe+2FAB320 <- enter
GRB.exe+1CC14854 - 48 8B 5C 24 30        - mov rbx,[rsp+30]
GRB.exe+1CC14859 - 48 89 F1              - mov rcx,rsi
GRB.exe+1CC1485C - 48 8B 6C 24 40        - mov rbp,[rsp+40]
GRB.exe+1CC14861 - 48 8B 74 24 48        - mov rsi,[rsp+48]
GRB.exe+1CC14866 - 48 83 C4 20           - add rsp,20
GRB.exe+1CC1486A - 5F                    - pop rdi
Hit 3:

Code:

GRB.exe+1CCE3190 - 40 53                 - push rbx
GRB.exe+1CCE3192 - 48 83 EC 20           - sub rsp,20
GRB.exe+1CCE3196 - 48 89 CB              - mov rbx,rcx
GRB.exe+1CCE3199 - 48 83 C2 78           - add rdx,78
GRB.exe+1CCE319D - 48 8D 4C 24 38        - lea rcx,[rsp+38]
GRB.exe+1CCE31A2 - E8 49FDFBE4           - call GRB.exe+1CA2EF0
GRB.exe+1CCE31A7 - 48 89 C2              - mov rdx,rax
GRB.exe+1CCE31AA - 48 8D 8B B0000000     - lea rcx,[rbx+000000B0]
GRB.exe+1CCE31B1 - E8 DA1CE5E4           - call GRB.exe+1B34E90
GRB.exe+1CCE31B6 - 48 8B 44 24 38        - mov rax,[rsp+38]
GRB.exe+1CCE31BB - 48 85 C0              - test rax,rax
GRB.exe+1CCE31BE - 74 1E                 - je GRB.exe+1CCE31DE
GRB.exe+1CCE31C0 - B9 FFFFFFFF           - mov ecx,FFFFFFFF
GRB.exe+1CCE31C5 - F0 0FC1 48 08         - lock xadd [rax+08],ecx
GRB.exe+1CCE31CA - 83 F9 01              - cmp ecx,01
GRB.exe+1CCE31CD - 75 0F                 - jne GRB.exe+1CCE31DE
GRB.exe+1CCE31CF - 48 8B 4C 24 38        - mov rcx,[rsp+38]
GRB.exe+1CCE31D4 - 48 85 C9              - test rcx,rcx
GRB.exe+1CCE31D7 - 74 05                 - je GRB.exe+1CCE31DE
GRB.exe+1CCE31D9 - E8 A29F4BE3           - call GRB.exe+19D180
GRB.exe+1CCE31DE - 48 83 C4 20           - add rsp,20
GRB.exe+1CCE31E2 - 5B                    - pop rbx
GRB.exe+1CCE31E3 - C3                    - ret
At "Hit 3", if you pass the "add rdx,78", you'll see RDX is now a pointer leading to the "DEADLY AREA - DRONE SWARM INCOMING" message.

So what I did with these was to back-trace out to Engine::StepDispatchEvents function and kill it there. Note the address is hardcoded to current GRB.exe.

So here goes:

Code:

{ Game   : GRB.exe
  Version: 
  Date   : 2019-09-08
  Author : SunBeam

  Skips the Drone Swarm dispatch in Engine::StepDispatchEvents (address hardcoded to this beta's GRB.exe)
}

define(address,"GRB.exe"+771E24B)
define(bytes,48 89 D6 49 89 CE)

[ENABLE]

assert(address,bytes)
alloc(newmem,$1000,"GRB.exe"+771E24B)

label(code)
label(return)

newmem:

code:
  mov rsi,rdx
  mov r14,GRB.exe+573C6B0
  cmp rdx,r14
  jne short @f
    nop
    nop
    jmp GRB.exe+771E301
  @@:
  mov r14,rcx
  jmp return

address:
  jmp newmem
  nop
return:

[DISABLE]

address:
  db bytes
  // mov rsi,rdx
  // mov r14,rcx

dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "GRB.exe"+771E24B

"GRB.exe"+771E221: 44 0B 34 24              -  or r14d,[rsp]
"GRB.exe"+771E225: 41 F7 D6                 -  not r14d
"GRB.exe"+771E228: 45 29 C6                 -  sub r14d,r8d
"GRB.exe"+771E22B: 83 F6 FF                 -  xor esi,-01
"GRB.exe"+771E22E: 4C 8D 05 3D 6E AA 16     -  lea r8,[GRB.exe+1E1C5072]
"GRB.exe"+771E235: 41 FF E0                 -  jmp r8
"GRB.exe"+771E238: 67 0F 1F 80 00 00 00 00  -  nop [rax+00000000]
"GRB.exe"+771E240: 48 89 74 24 20           -  mov [rsp+20],rsi
"GRB.exe"+771E245: 41 56                    -  push r14
"GRB.exe"+771E247: 48 83 EC 20              -  sub rsp,20
// ---------- INJECTING HERE ----------
"GRB.exe"+771E24B: 48 89 D6                 -  mov rsi,rdx
"GRB.exe"+771E24E: 49 89 CE                 -  mov r14,rcx
// ---------- DONE INJECTING  ----------
"GRB.exe"+771E251: 48 85 D2                 -  test rdx,rdx
"GRB.exe"+771E254: 0F 84 A7 00 00 00        -  je GRB.exe+771E301
"GRB.exe"+771E25A: 83 7A 40 00              -  cmp dword ptr [rdx+40],00
"GRB.exe"+771E25E: 0F 84 9D 00 00 00        -  je GRB.exe+771E301
"GRB.exe"+771E264: 48 89 5C 24 30           -  mov [rsp+30],rbx
"GRB.exe"+771E269: 48 8D 5A 08              -  lea rbx,[rdx+08]
"GRB.exe"+771E26D: 48 89 6C 24 38           -  mov [rsp+38],rbp
"GRB.exe"+771E272: 48 89 7C 24 40           -  mov [rsp+40],rdi
"GRB.exe"+771E277: 48 85 DB                 -  test rbx,rbx
"GRB.exe"+771E27A: 74 08                    -  je GRB.exe+771E284
}
Make sure you've not already triggered the Drones when you do this.

Happy exploring :)

Image

Image

LOL, unfinished roads and train lines:

Image

Image

And some videos:

Watch the last part of the 2nd one; funny how that Comanche or whatever it is just appears out of thin air.

BR,
Sun
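Added example, not from the thread: the OnSell/OnBuy dump, the hook spot and the three Drone Swarm hits all pin code down by "GRB.exe+offset", and those printed targets are derived by the disassembler from a relative displacement in the bytes. Below is a small Python checker that re-decodes that displacement for each listed jcc/jmp/call and each [rip+disp32] operand and compares it with what was printed, so a hand-edited or stale listing is caught before an address gets hardcoded into a script. The sample lines are quoted from the posts above; the parser and decoder are new code, and the two listing formats it accepts are simply the two styles that appear in this thread.

```python
"""Added example (not from the thread): consistency checker for Cheat Engine
disassembly listings like the ones SunBeam pasted for OnSell/OnBuy, the hook
spot and the Drone Swarm hits.

The "GRB.exe+XXXXXXX" a jcc/jmp/call/lea/mov operand shows is not stored in
the instruction; the disassembler derives it from a relative displacement in
the bytes.  Re-decoding that displacement and comparing it with the printed
target catches hand-edited or stale listings before an address gets hardcoded
into a script.  SAMPLE quotes lines from the thread; the checker is new code.
"""
import re
import struct

# Both listing styles that appear in the thread are accepted:
#   GRB.exe+16C58A7A - 74 31                 - je GRB.exe+16C58AAD
#   "GRB.exe"+771E254: 0F 84 A7 00 00 00        -  je GRB.exe+771E301
LISTING_RE = re.compile(
    r'^"?(?P<mod>[^\s+"]+)"?\+(?P<off>[0-9A-Fa-f]+):?\s+(?:-\s+)?'
    r'(?P<bytes>[0-9A-Fa-f]{2}(?:\s?[0-9A-Fa-f]{2})*?)\s+-\s+'
    r'(?P<asm>.*?)\s*$'
)
PREFIXES = {0x66, 0x67, 0xF0, 0xF2, 0xF3}   # legacy prefixes; 0x40-0x4F is REX


def parse_line(line):
    """(module, offset, code bytes, asm without trailing comment) or None."""
    m = LISTING_RE.match(line.strip())
    if not m:
        return None
    code = bytes.fromhex(m.group("bytes").replace(" ", ""))
    asm = re.split(r"\s*(?://|<-)", m.group("asm"), maxsplit=1)[0].strip()
    return m.group("mod"), int(m.group("off"), 16), code, asm


def listed_target(module, asm):
    """Module-relative offset printed in the operand, e.g. GRB.exe+16C58AAD."""
    m = re.search(re.escape(module) + r"\+([0-9A-Fa-f]+)", asm)
    return int(m.group(1), 16) if m else None


def decoded_target(offset, code):
    """Offset the bytes really reference (relative branch or [rip+disp32]).

    Both encodings are relative to the *next* instruction, i.e. offset +
    len(code); CE prints the whole encoding on one line, so that length is
    exact even when a RIP-relative instruction also carries an immediate.
    """
    n, i = len(code), 0
    while i < n and (code[i] in PREFIXES or 0x40 <= code[i] <= 0x4F):
        i += 1
    if i >= n:
        return None
    op, nxt = code[i], offset + n
    if (0x70 <= op <= 0x7F or op == 0xEB) and i + 2 <= n:          # jcc/jmp rel8
        return nxt + struct.unpack("<b", code[i + 1:i + 2])[0]
    if op in (0xE8, 0xE9) and i + 5 <= n:                           # call/jmp rel32
        return nxt + struct.unpack("<i", code[i + 1:i + 5])[0]
    if op == 0x0F and i + 6 <= n and 0x80 <= code[i + 1] <= 0x8F:   # jcc rel32
        return nxt + struct.unpack("<i", code[i + 2:i + 6])[0]
    modrm = i + (2 if op == 0x0F else 1)
    if modrm + 5 <= n and (code[modrm] & 0xC7) == 0x05:             # mod=00 rm=101
        return nxt + struct.unpack("<i", code[modrm + 1:modrm + 5])[0]
    return None


def check_listing(text):
    """[(offset, asm, printed target, decoded target)] for every line that
    names a module-relative target.  Equal pairs are consistent."""
    out = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        module, off, code, asm = parsed
        printed = listed_target(module, asm)
        if printed is not None:
            out.append((off, asm, printed, decoded_target(off, code)))
    return out


def inconsistent_lines(text):
    return [r for r in check_listing(text) if r[2] != r[3]]


# Quoted from the thread (OnSell, OnBuy, hook spot, Hit 1/2, StepDispatchEvents).
SAMPLE = """
GRB.exe+16C58A7A - 74 31                 - je GRB.exe+16C58AAD
GRB.exe+16C58AAB - EB 70                 - jmp GRB.exe+16C58B1D
GRB.exe+16F6AB9A - 72 15                 - jb GRB.exe+16F6ABB1
GRB.exe+1D923308 - E8 F306DEE4           - call GRB.exe+2703A00
GRB.exe+1D9232D3 - 48 89 58 08           - mov [rax+08],rbx <-- or here
GRB.exe+1CAEF1DB - 48 8D 0D DE80A5E8     - lea rcx,[GRB.exe+55472C0]
GRB.exe+2FE0480 - E9 3B43C319           - jmp GRB.exe+1CC147C0
GRB.exe+167DE370 - 48 8B 0D B1C3F5EE     - mov rcx,[GRB.exe+573A728] // [] == 1F93BCB2F60
"GRB.exe"+771E22E: 4C 8D 05 3D 6E AA 16     -  lea r8,[GRB.exe+1E1C5072]
"GRB.exe"+771E254: 0F 84 A7 00 00 00        -  je GRB.exe+771E301
"""

if __name__ == "__main__":
    for off, asm, printed, decoded in check_listing(SAMPLE):
        flag = "ok " if printed == decoded else "BAD"
        print("%s %08X  %-34s printed=%X decoded=%s" % (
            flag, off, asm, printed, "-" if decoded is None else "%X" % decoded))
```

Only rel8/rel32 branches and ModRM-encoded [rip+disp32] operands are decoded; any other instruction that happens to mention the module (for instance a `mov r14,GRB.exe+...` in a script) is reported with a decoded value of None so it stands out rather than being silently accepted. Every line quoted above checks out, which is a useful sanity step before relying on the hardcoded GRB.exe+771E24B injection point in the script.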

miobambino
Noobzor
Posts: 9
Joined: Fri Sep 06, 2019 2:25 pm
Reputation: 9

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by miobambino »

You're knocking it out of the park with these finds, well done. Also, about getting stuck in the water: I had a similar experience in the air. I went too far off the map without realising it and my chopper just stopped; I tried jumping and parachuting but ended up just hanging there in the air.
Image

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

When you mount a vehicle, be it an air vehicle, its properties apply. You inherit and control the vehicle; all player control is suspended. That's how Anvil works. So of course the chopper allows Z movement and has fewer constrictions. But when you exit, control is restored, so whatever impacts player models will impact you - like no gravity outside of the intended game area. The reason the chopper remains still is it loses the entity controlling it :) There is no gravity for all objects outside the playable map.

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

Then..

Code:

GRB.exe+167DE370 - 48 8B 0D B1C3F5EE     - mov rcx,[GRB.exe+573A728] // [] == 1F93BCB2F60
GRB.exe+167DE377 - E8 F49DB4EB           - call GRB.exe+2328170
That object's hash is 0x4B426612. Just for reference. Why am I mentioning this:

Code:

GRB.exe+2328170 - E9 2B36B614           - jmp GRB.exe+16E8B7A0
..
GRB.exe+16E8B7A0 - 4C 8B 49 14           - mov r9,[rcx+14]
GRB.exe+16E8B7A4 - 0FB7 41 1E            - movzx eax,word ptr [rcx+1E]
GRB.exe+16E8B7A8 - 4D 8D 14 C1           - lea r10,[r9+rax*8]
GRB.exe+16E8B7AC - 4D 39 D1              - cmp r9,r10
GRB.exe+16E8B7AF - 74 27                 - je GRB.exe+16E8B7D8
GRB.exe+16E8B7B1 - 49 8B 01              - mov rax,[r9]
GRB.exe+16E8B7B4 - 48 63 48 0C           - movsxd  rcx,dword ptr [rax+0C]
GRB.exe+16E8B7B8 - 48 C1 E1 20           - shl rcx,20
GRB.exe+16E8B7BC - 48 C1 F9 3F           - sar rcx,3F
GRB.exe+16E8B7C0 - 48 23 08              - and rcx,[rax] // mark
GRB.exe+16E8B7C3 - 74 05                 - je GRB.exe+16E8B7CA
GRB.exe+16E8B7C5 - 39 51 20              - cmp [rcx+20],edx
GRB.exe+16E8B7C8 - 74 06                 - je GRB.exe+16E8B7D0
GRB.exe+16E8B7CA - 49 83 C1 08           - add r9,08
GRB.exe+16E8B7CE - EB DC                 - jmp GRB.exe+16E8B7AC
GRB.exe+16E8B7D0 - 4C 89 C2              - mov rdx,r8
GRB.exe+16E8B7D3 - E9 28C849EB           - jmp GRB.exe+2328000
GRB.exe+16E8B7D8 - C3                    - ret
At the "mark" point above, the pointer being read there points to this section:

Image

So now you can use this shit to basically filter even more the "[Gather Intel]" script in such a way that it retrieves only YOUR pointers while in Erewhon ;) How? By using the p->Entity, leading to your player's Entity, then linking them in the hook ;)

You might also find this useful :P

Code:

FindPlayer:
sub rsp,28
mov rbx,[GRB.exe+5738858] // ObjHash:0xF8753BCC
mov rbx,[rbx+D0]
mov edx,[rbx]
lea r8,[rbx+10]
mov rcx,[GRB.exe+573A728] // ObjHash:0x4B426612
call FindPlayerInPlayers
add rsp,28
ret

FindPlayerInPlayers:
  mov r9,[rcx+14]
  movzx eax,word ptr [rcx+1E]
  lea r10,[r9+rax*8]

FindPlayerInPlayers_loop:
  cmp r9,r10
  je short FindPlayerInPlayers_exit
  mov rax,[r9]
  movsxd rcx,dword ptr [rax+C]
  shl rcx,20
  sar rcx,3F
  and rcx,[rax] // yields [rax] only if bit 31 of [rax+C] is set, else 0
  je short @f
  cmp [rcx+20],edx
  je short FindPlayerInPlayers_done
  
@@:
  add r9,8
  jmp short FindPlayerInPlayers_loop
  
FindPlayerInPlayers_done:
  mov rax,r8
  
FindPlayerInPlayers_exit:
  ret
And here's the adjusted [ Gather Intel ] script:

Code:

[ENABLE]

aobscanmodule( HookUtil, GRB.exe, 4889E0488958??488968??488970??57415641574881EC????????0F2970??4889CF0F2978??0F28F1 )
registersymbol( HookUtil )
label( HookUtil_o )
registersymbol( HookUtil_o )

alloc( Hook, 0x1000, GRB.exe )

label( g_Player )
registersymbol( g_Player )
label( GR_cPlayerComponent )
registersymbol( GR_cPlayerComponent )
label( Entity )
registersymbol( Entity )
label( p_SilexNetComponent_Player ) // p->SilexNetComponent_Player, hence the p_
registersymbol( p_SilexNetComponent_Player )

Hook:
push rax
mov rax,[GRB.exe+5738858]
mov rax,[rax+D0]
mov rax,[rax+8]
mov rax,[rax]
cmp rax,[rcx+8] // check ObjHash_0xF8753BCC->Entity vs. GR_cPlayerComponent->Entity
pop rax
jne short @f
  mov [GR_cPlayerComponent],rbx
  mov [g_Player],rcx
  mov rax,[rcx+8]
  mov [Entity],rax
  mov rax,[rcx+150]
  mov [p_SilexNetComponent_Player],rax
@@:
HookUtil_o:
readmem( HookUtil, 7 )
jmp HookUtil+7

db CC CC CC CC

g_Player:
dq 0
GR_cPlayerComponent:
dq 0
Entity:
dq 0
p_SilexNetComponent_Player:
dq 0

HookUtil:
jmp Hook
db 90 90

[DISABLE]

HookUtil:
readmem( HookUtil_o, 7 )

unregistersymbol( p_SilexNetComponent_Player )
unregistersymbol( Entity )
unregistersymbol( GR_cPlayerComponent )
unregistersymbol( g_Player )
dealloc( Hook )
unregistersymbol( HookUtil_o )
unregistersymbol( HookUtil )

miobambino
Noobzor
Posts: 9
Joined: Fri Sep 06, 2019 2:25 pm
Reputation: 9

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by miobambino »

Someone whose game starts with the GRB.exe will have to test all that out and the drone swarm block and report back, unfortunately mine loads using the GRB_UPP.exe

SunBeam
Administration
Posts: 4765
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4404

Re: Tom Clancy's Ghost Recon: Breakpoint *BETA* [Engine:AnvilNEXT64]

Post by SunBeam »

Here's something useful for the CWeapon structure:

Code:

+028 == p->GR_cInventoryHolder
+060 == p->GR_DBWeaponConstants
+068 == DBEntryWeaponShootSound
+080 == p->SilexNetComponent_Player (00007FF40C512B30->0000015B9DAC4EC0)
+0A8 == p->Entity
+148 == p->GR_cWeaponComponent
Also, how to get g_Player from Entity:

Code:

sub rsp,28
mov rcx,Entity
GRB.exe+15CD54D6 - BA 28000000           - mov edx,28
GRB.exe+15CD54DB - E8 804FA7EC           - call GRB.exe+274A460
add rsp,28
--> g_Player
Similarly, you can get GR_cWeaponComponent from CWeapon->Entity :P

Lastly, Super Accuracy is here:

Code:

GRB.exe+1DA3E410 - 40 53                 - push rbx
GRB.exe+1DA3E412 - 48 83 EC 20           - sub rsp,20
GRB.exe+1DA3E416 - 80 B9 71010000 00     - cmp byte ptr [rcx+00000171],00 // force to 0
GRB.exe+1DA3E41D - 48 89 CB              - mov rbx,rcx
GRB.exe+1DA3E420 - C6 81 70010000 01     - mov byte ptr [rcx+00000170],01
GRB.exe+1DA3E427 - 0F84 FE000000         - je GRB.exe+1DA3E52B
GRB.exe+1DA3E42D - 48 8B 51 08           - mov rdx,[rcx+08]
GRB.exe+1DA3E431 - 48 63 42 0C           - movsxd  rax,dword ptr [rdx+0C]
GRB.exe+1DA3E435 - 48 C1 E0 20           - shl rax,20
GRB.exe+1DA3E439 - 48 C1 F8 3F           - sar rax,3F
GRB.exe+1DA3E43D - 48 85 02              - test [rdx],rax
And to check if "RCX" is our "Accuracy" subsystem, we do this:

Code:

rcx == 1DC0726C570 (CWeapAccuracy;ObjHash:0x1ADF57D0)
[rcx+130] == p->GR_WeaponDBEntry (ObjHash:0x530ACADB)
[rcx+138] == 00007FF3EC62EDF0 (p->p->CWeapon) = q
[q+C8] == CWeapon == 000001DC581F1C80
..and we're back to CWeapon :P From here you know the paths.

BR.
Sun
