Borderlands 3 [Engine:Unreal 4.20] - Console enabler, Dumper and more..

Upload your cheat tables here (No requests)
User avatar
mgr.inz.Player
Novice Cheater
Novice Cheater
Posts: 17
Joined: Fri Mar 03, 2017 8:41 am
Reputation: 32

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by mgr.inz.Player » Sun Nov 10, 2019 10:31 am

Csimbi wrote:
Sun Nov 10, 2019 10:11 am
mgr.inz.Player wrote:
Sat Nov 09, 2019 11:48 pm
I was looking for a solution.
...
Scanning time changed from 30 seconds to 4 seconds.
...
Excuse my french, but this is truly effing fantastic!
Hats off! +3 rep.
Updating my post with this info and script shortly.

You know, you could consult with DB to make that somehow officially part of CE ;-)
mgr.inz.Player wrote:
Sat Nov 09, 2019 11:48 pm
...
How those OPTIM were created
...
You might want to give that script a file name (the one that goes into AUTORUN) so it can be easily referenced/updated in the future.

So, I create a script with just AA scans, and I experiment with the window, that's it?
Is that 0.2 coming from experience (trial/error) or is there some science to it?
Currently my scripts are in rough state, I will change/rename some functions and variables.
When I finish it, it will be added to "CEF Cheat Engine Extensions". The name probably will be "AOBScanModuleOptimizer".

I chose 0.10 based on script activation time, I think 5 seconds should be OK.
On my machine it is 5 seconds. How many seconds it takes on your machine?


If you have two or more versions of game, you can try the smallest possible value. For example you optimized scripts for game version1 with value 0.01, If optimized scripts still work with game version2 and above I think you can publish it.

On my machine with 0.01 main script activates immediately.

Edit:
your 19 aobscanmodule with radius:
  • 0.30 = 16 - 17 seconds
  • 0.20 = 7 - 8 seconds
  • 0.10 = 4 - 5 seconds
  • 0.01 = 0.5 - 1 seconds

justiny
Expert Cheater
Expert Cheater
Posts: 118
Joined: Mon May 22, 2017 1:02 pm
Reputation: 7

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by justiny » Sun Nov 10, 2019 4:39 pm

Thanks Csimbi & mgr.inz.Player for making BL3 pc better and way more fun than the console version.

User avatar
TemptingIcarus
Expert Cheater
Expert Cheater
Posts: 265
Joined: Thu Aug 16, 2018 11:32 pm
Reputation: 38

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by TemptingIcarus » Mon Nov 11, 2019 8:27 am

I know Sunbeam you don't take requests, so I won't say it's a requests. Instead I'll say this.

Proposal: Being able to Freeze Ability Timers to make them last forever. (i.e - Zane's Drone) for example.

User avatar
SunBeam
Administration
Administration
Posts: 3325
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1714

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by SunBeam » Mon Nov 11, 2019 9:57 am

mgr.inz.Player wrote:
Sat Nov 09, 2019 11:48 pm
...
Hi there.

At my current job I used to work with Database schemas in which we created the tables we needed. Now, we're using 1 schema with all those tables partitioned into datasets. So.. instead of making use of same table in multiple schemas, we now make use of table partitions within 1 schema. Point of this.. if I read it right.. you're querying the memory size and split it into sub-sections to be scanned for. The optimization lies in the probability that the scan result will fall into one of the subsets. Let me know if I interpreted this wrong.

BR,
Sun

User avatar
Csimbi
RCE Fanatics
RCE Fanatics
Posts: 371
Joined: Sat Apr 29, 2017 9:04 pm
Reputation: 377

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by Csimbi » Mon Nov 11, 2019 1:21 pm

You already know where the data might be, why don't we scan only that bit?
I won't pretend to know what that code actually does, but I got the impression that you operate with a scan window and its size, expressed in terms of % relative to the overall size of the binary image.

User avatar
SunBeam
Administration
Administration
Posts: 3325
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1714

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by SunBeam » Mon Nov 11, 2019 1:43 pm

^ The idea was to give this code flexibility. If the game updates, I won't know again where the data is :P The x64dbg script I sent to you by PM works in a similar way, but not for scanning, just for determining which is the section with the highest virtual size. The reason I look for that section is personal observations (multiple test subjects) on how the Denuvo envelope works. Reminds me somewhat of HASP Sentinel :)

So:

Code: Select all

mov $ModuleBase, mod.main()
mov $FileHeader, $ModuleBase + dword:[$ModuleBase+0x3C] // +0x3C = e_lfanew
mov $NumberOfSections, 2:[$FileHeader+0x6]
mov $SizeOfOptionalHeader, 2:[$FileHeader+0x14]
mov $FirstSection, $FileHeader + 0x18 + $SizeOfOptionalHeader
mov $LastSection, $FirstSection + ($NumberOfSections - 1) * 0x28
mov $ExecStart, $ModuleBase + dword:[$FirstSection + 0xC]
mov $AddressOfEntryPoint, $ModuleBase + dword:[$FileHeader + 0x28]
// load all section sizes into an array (sizes are DWORDs)
mov $i, 0
alloc $NumberOfSections * 4
mov $array, $result
a0:
cmp i, $NumberOfSections
je a1
  mov dword:[$array + $i * 4], dword:[$FirstSection + $i * 0x28 + 0x10]
  mov $i, $i + 1
  jmp a0
a1:
// time to get to the Denuvo section via the largest raw size
// we'll store the first max found, then iterate NumberOfSections times the rest
mov $i, 0
mov $j, $NumberOfSections
mov $u, 0
mov $v, 0
mov $max, 0
a2:
cmp dword:[$array + $i * 4], 0 // while not having parkoured the entire sizes_array
je a3
  mov $u, dword:[$array + $i * 4] // get i-iterated stored size value
  a4:
  cmp $j, 0 // start by checking NumberOfSections, if 0
  je a5
    mov $v, dword:[$array + ($NumberOfSections - $j) * 4] // get j-iterated stored size value
    cmp $u, $v
    jg a6 // if u < v
      cmp $max, $v
      jge a6 // and max <= v
        mov $max, $v // store max
        mov $ExecDenuvo, $ModuleBase + dword:[$FirstSection + ($NumberOfSections - $j) * 0x28 + 0xC] // and its section address
    a6:
	mov $j, $j - 1 // next j-iteration
	jmp a4 // that's why the cmp at line #32, because we loop
  a5:
  mov $j, $NumberOfSections // restore j iterator
  mov $i, $i + 1 // next i-iteration
  jmp a2 // and loop till we compare each size with all sizes in the array and the max
a3:
free $array // clean up
log "First exec section starts at: {$ModuleBase + dword:[$FirstSection + 0xC]}"
log "Denuvo exec section starts at: {$ExecDenuvo}"
ret
This is to be executed in x64dbg, Script pane. Just save the above as a .txt and load it up. Then open the game .exe in x64dbg (doesn't have to be running; the script expects the process to be paused to run), load script .txt and run it. You'll see what happens next :P And that's how I know which section the executable code was relocated in by Denuvo.

Of course.. some of the executable code will still be in the (usually) first section. Like I said, Denuvo doesn't relocate ALL of it; just certain sized-one. Example: MOV AL,1|RET will not be relocated.

Image

Ignore the target in the screenshot above. Red Dead Redemption 2 doesn't use Denuvo, so the script is useless in that context.

BR,
Sun

P.S.#1: What Denuvo does when enveloping a target is to scan the executable code of the original PE32/64, determine the # of functions to relocate based on function size, allocate enough physical space in a section of its own, relocate the executable code and replace the function prologues with JMPs to the relocated code, generate the encrypted version of the whole Denuvo section and envelope the target. Moving the code-to-be-protected to their own section is the safest way for them to control the decryption process (the relocated code is decrypted with the license key). They don't care about the rest, as you would not obtain a working executable anyway without the key :P

What I don't understand is why it takes a shitload of time for the reversing teams to properly copy-paste (and offset-fix) the code back to its original location. Unless there's some of it that runs virtualized that I don't know about...

P.S.#2: I can turn the above into a Lua script that would allow it to be run whenever you like (e.g.: at table open) and will calculate the location of the Denuvo section for you. Then it's up to you to determine if the AOB you scan for is in then first (or the original executable) section or Denuvo's relocated executable section :P Or even better.. scan for it either of them. The advantage is if the code won't be found in the first section, the others will be skipped (scanner should jump directly into Denuvo's). It won't probably faster than mgr.inz.Player's code, but in-between normal and his :P Lemme know :)

User avatar
mgr.inz.Player
Novice Cheater
Novice Cheater
Posts: 17
Joined: Fri Mar 03, 2017 8:41 am
Reputation: 32

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by mgr.inz.Player » Mon Nov 11, 2019 3:18 pm

SunBeam wrote:
Mon Nov 11, 2019 1:43 pm
I already converted your "x64dbg script" to CE Lua. I didn't like the speed.

You can test it yourself.

replace this

Code: Select all

[ENABLE]
aobscanmodule(aobPlayerControllerGrabber,Borderlands3.exe,80 B9 ?? ?? 00 00 00 48 ?? ?? 75 ?? E8 ?? ?? ?? ?? 83)
aobscanmodule(aobControllerPawnOffset,Borderlands3.exe,48 83 B9 ?? ?? 00 00 00 41 0F B6 ?? 44)
...
...
[DISABLE]
with this

Code: Select all

[ENABLE]
aobscanregion(aobPlayerControllerGrabber, denuvosectionSTART, denuvosectionEND, 80 B9 ?? ?? 00 00 00 48 ?? ?? 75 ?? E8 ?? ?? ?? ?? 83)
aobscanregion(aobControllerPawnOffset, denuvosectionSTART, denuvosectionEND,48 83 B9 ?? ?? 00 00 00 41 0F B6 ?? 44)
...
...
[DISABLE]
change MR description to "Borderlands 3 DenuvoSection"

and check the time with this script:

Code: Select all

mr = getTableEntry('Borderlands 3 DenuvoSection')
mr.Async  = false; mr.Active = false
mr.Async  = true ; mr.Active = true
timer = createTimer(nil)
timer.Interval = 10
timer.OnTimer = function (t)
  if mr.AsyncProcessing==false then
    t.destroy()
  else
    print(mr.AsyncProcessingTime //10 /100)
  end
end

User avatar
SunBeam
Administration
Administration
Posts: 3325
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1714

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by SunBeam » Mon Nov 11, 2019 3:40 pm

mgr.inz.Player wrote:
Mon Nov 11, 2019 3:18 pm
...
^ Man, I already said the timing won't be great. And it's not cuz of Lua, but cuz of the amount to read through :) You get from a scan over the entire process (aobscanmodule) to a scan of just 2 sections (my method) to a scan of chunks (your method). Of course what you posted returns the best result :P You just wanted me to acknowledge and put it in writing, eh? :D

User avatar
mgr.inz.Player
Novice Cheater
Novice Cheater
Posts: 17
Joined: Fri Mar 03, 2017 8:41 am
Reputation: 32

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by mgr.inz.Player » Mon Nov 11, 2019 4:30 pm

I almost finished making script which converts aobscanmodule into aobscanregion,
additional //SECTION comment will be:
- section name (starting with ., max 8 chars)
- BIGGESTSECTION(assume Denuvo section)
e.g.:

Code: Select all

aobscanmodule(aobMagSpinRateCalc,Borderlands3.exe,F3 0F 58 86 ?? ?? 00 00 0F 2F C6 73 ?? 0F 57 C0 EB)  //SECTION(.text1)
or
aobscanmodule(aobMagSpinRateCalc,Borderlands3.exe,F3 0F 58 86 ?? ?? 00 00 0F 2F C6 73 ?? 0F 57 C0 EB)  //BIGGESTSECTION

EDIT:
Now I'm merging those both methods into one Lua extension.




EDIT:
AOBScanModuleOptimizer initial release: https://forum.cheatengine.org/viewtopic.php?t=611296
Last edited by mgr.inz.Player on Tue Nov 12, 2019 11:42 am, edited 2 times in total.

User avatar
SunBeam
Administration
Administration
Posts: 3325
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1714

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by SunBeam » Mon Nov 11, 2019 5:06 pm

Cool, keep it up! :)

sudieken
Noobzor
Noobzor
Posts: 10
Joined: Mon May 28, 2018 6:13 am
Reputation: 0

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by sudieken » Mon Nov 11, 2019 6:13 pm

Would anyone happen to have a profile save with all heads and skins?

User avatar
TemptingIcarus
Expert Cheater
Expert Cheater
Posts: 265
Joined: Thu Aug 16, 2018 11:32 pm
Reputation: 38

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by TemptingIcarus » Mon Nov 11, 2019 6:59 pm

sudieken wrote:
Mon Nov 11, 2019 6:13 pm
Would anyone happen to have a profile save with all heads and skins?
Wrong thread brother.

User avatar
Csimbi
RCE Fanatics
RCE Fanatics
Posts: 371
Joined: Sat Apr 29, 2017 9:04 pm
Reputation: 377

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by Csimbi » Mon Nov 11, 2019 7:39 pm

mgr.inz.Player wrote:
Sun Nov 10, 2019 10:31 am
On my machine it is 5 seconds. How many seconds it takes on your machine?
Forgot to answer this, sorry.
Without: 29.42 seconds
With: 2.76 seconds
So, yeah, about 10x faster now.

sebastianyyz
Expert Cheater
Expert Cheater
Posts: 153
Joined: Sun Jul 09, 2017 3:33 am
Reputation: 9

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by sebastianyyz » Tue Nov 12, 2019 12:09 am

The injector is still working, although I have to press "Tab" key, not "Tilde." Is that normal?

_SaintIago_
What is cheating?
What is cheating?
Posts: 2
Joined: Wed Sep 26, 2018 11:03 am
Reputation: 0

Re: Borderlands 3 [Engine:Unreal Engine 4] - Console enabler, Dumper and more..

Post by _SaintIago_ » Tue Nov 12, 2019 3:53 pm

Hi people. I'm so new to this, I seek for a way to get all the customizations. The way you do before still works or the updates in the game changed everything? Thanks anyway 😊

Post Reply