Bannerlords M&B

Ask about cheats/tables for single player games here
Gehenna
Cheater
Posts: 37
Joined: Thu Mar 29, 2018 4:26 am
Reputation: 0

Re: Bannerlords M&B

Post by Gehenna »

fardriel wrote:
Tue Mar 31, 2020 8:36 am

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>9</ID>
      <Description>"Focus/Attribute Getter (Open/close character menu, activate this, open character menu again)"</Description>
      <LastState Activated="1"/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : TaleWorlds.MountAndBlade.Launcher.exe
  Version: 
  Date   : 2020-03-31
  Author : chodn

  This script does blah blah blah
}

[ENABLE]

aobscan(INJECTFOCUSGETTER,8B 51 40 8B CA) // should be unique
alloc(newmem,$1000,7FFDA255F636)

label(skip)
label(return)
label(charptr)
registersymbol(charptr)
label(retptr)
registersymbol(retptr)

newmem:
  mov edx,[rcx+40]
  push rax
  mov rax,[rsp+10]
  cmp rax,[retptr]
  jne skip
  mov [charptr],rcx
skip:
  pop eax
  mov ecx,edx
  jmp return
charptr:
  dq 0
retptr:
  dq System.Core.ni.dll+34F9FB

INJECTFOCUSGETTER:
  jmp newmem
return:
registersymbol(INJECTFOCUSGETTER)

[DISABLE]

INJECTFOCUSGETTER:
  db 8B 51 40 8B CA

unregistersymbol(INJECTFOCUSGETTER)
unregistersymbol(charptr)
unregistersymbol(retptr)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 7FFDA255F636

7FFDA255F611: E8 9A 49 27 5E                 -  call clr.dll+3FB0
7FFDA255F616: 48 8D 4E 30                    -  lea rcx,[rsi+30]
7FFDA255F61A: 48 8B D7                       -  mov rdx,rdi
7FFDA255F61D: E8 8E 49 27 5E                 -  call clr.dll+3FB0
7FFDA255F622: 48 8B 56 20                    -  mov rdx,[rsi+20]
7FFDA255F626: 48 85 D2                       -  test rdx,rdx
7FFDA255F629: 75 04                          -  jne 7FFDA255F62F
7FFDA255F62B: 33 C9                          -  xor ecx,ecx
7FFDA255F62D: EB 07                          -  jmp 7FFDA255F636
7FFDA255F62F: 48 8B 8A 38 01 00 00           -  mov rcx,[rdx+00000138]
// ---------- INJECTING HERE ----------
7FFDA255F636: 8B 51 40                       -  mov edx,[rcx+40]
7FFDA255F639: 8B CA                          -  mov ecx,edx
// ---------- DONE INJECTING  ----------
7FFDA255F63B: 89 8E A0 00 00 00              -  mov [rsi+000000A0],ecx
7FFDA255F641: 48 8B CE                       -  mov rcx,rsi
7FFDA255F644: E8 47 2C 90 FF                 -  call 7FFDA1E62290
7FFDA255F649: 48 8B 56 20                    -  mov rdx,[rsi+20]
7FFDA255F64D: 48 85 D2                       -  test rdx,rdx
7FFDA255F650: 75 04                          -  jne 7FFDA255F656
7FFDA255F652: 33 C9                          -  xor ecx,ecx
7FFDA255F654: EB 07                          -  jmp 7FFDA255F65D
7FFDA255F656: 48 8B 8A 38 01 00 00           -  mov rcx,[rdx+00000138]
7FFDA255F65D: 8B 51 44                       -  mov edx,[rcx+44]
}
</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>3</ID>
          <Description>"Focus Points"</Description>
          <LastState Value="0" RealAddress="20225002D98"/>
          <VariableType>4 Bytes</VariableType>
          <Address>charptr</Address>
          <Offsets>
            <Offset>40</Offset>
          </Offsets>
        </CheatEntry>
        <CheatEntry>
          <ID>4</ID>
          <Description>"Attribute Points"</Description>
          <LastState Value="0" RealAddress="20225002D9C"/>
          <VariableType>4 Bytes</VariableType>
          <Address>charptr</Address>
          <Offsets>
            <Offset>44</Offset>
          </Offsets>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
Edited my previous Focus Point getter script to now work whenever you open the character menu. Don't know why I didn't just make it this way in the first place.

EDIT: There's an error with that script - in some cases, the code runs again on a second set of memory and redirects the pointers to somewhere useless. Going to fix it. For now I spoilered it to hide it. Fixed it. It works now.
Could anyone be so kind as to link a resource saying how to use this? Tried googling, but hard to get a good result when one isn't exactly sure what to google for.

fardriel
Cheater
Posts: 34
Joined: Tue Feb 18, 2020 5:03 am
Reputation: 17

Post by fardriel »

Think I found the issue. I was popping an 8 byte pointer back into what I was calling a 4 byte register. Weird that it didn't give me any issues when I was making/using it. Should be fixed now.
Gehenna wrote:
Tue Mar 31, 2020 12:08 pm
Could anyone be so kind as to link a resource saying how to use this? Tried googling, but hard to get a good result when one isn't exactly sure what to google for.
Just hit the "select all" button at the top of the code box, Ctrl-C to copy it, and then Ctrl-V in the Cheat Engine list to paste it.

LillyanaKabal
Expert Cheater
Posts: 207
Joined: Mon Aug 14, 2017 9:07 pm
Reputation: 24

Post by LillyanaKabal »

You....Ahh, I do remember this...

Notepad++, paste the code and save as "filename.CT" (OK, so I didn't remember but copied it from a guy who told me)

Post by Gehenna »

Something fun I noted, the actual level of Focus is a 4 byte pointer, and can be thoroughly changed past 5. Same for Attributes.

I am not entirely sure attributes going over 10 does anything, but the Focus going over provides a massive boost to experience gained for skills.

Post by fardriel »

No need to worry about notepad++ or saving files or anything. Just copy and paste like I said.

Holy jeebus that gif is high res.

Gehenna, that's interesting. One obvious thing you can look at is map movement speed. If your END is 2, you move really slow. If your END is 10, you move fast. Try setting your END to something higher and see if your base speed rises. If so, I'll try to make another pointer getter for the character struct.

Darkcore
Noobzor
Posts: 5
Joined: Mon Jul 15, 2019 5:37 pm
Reputation: 0

Post by Darkcore »

That script still appears to crash the game when you try to re-open the character menu.

Post by Gehenna »

fardriel wrote:
Tue Mar 31, 2020 12:33 pm
No need to worry about notepad++ or saving files or anything. Just copy and paste like I said.

Holy jeebus that gif is high res.

Gehenna, that's interesting. One obvious thing you can look at is map movement speed. If your END is 2, you move really slow. If your END is 10, you move fast. Try setting your END to something higher and see if your base speed rises. If so, I'll try to make another pointer getter for the character struct.
This is why I said I am not sure. Set everything to 100 and it basically did nothing. I think Vig had an effect (no matter how heavy of armor I wore, I always moved at full speed), but everything else? nada. No absurd HP either, which I learned the hard way....

Also, can confirm. Crashes still.

Addendum: I don't see any differences in the code between the prior version and 'new' version. Did you accidentally paste the old one in?

Addendum 2: Never mind, I am the stoop. The change is from eax to rax. Whatever those mean.

Post by fardriel »

eax and rax are both registers. Or, to be more precise, rax is eax but twice as big. I did "push rax" which saved the entire 8 bytes of the rax register, then did "pop eax" which (I think) only recalled the first 4 bytes of saved data. I thought that was what was causing you guys's crashes, but apparently not.

[Link]

Apparently this gif won't embed, so this one is a link instead. If you guys are doing the same as that and it's crashing for you, I can't recreate it and will have an incredibly hard time figuring out what's causing it.

EDIT: Also here's that infinite ammo script in case anyone wants it. Let me know if this one crashes, too, and I'll just go bang my head against a wall.

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>8</ID>
      <Description>"Infinite Ammo"</Description>
      <LastState/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : TaleWorlds.MountAndBlade.Launcher.exe
  Version: 
  Date   : 2020-03-30
  Author : chodn

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECTAMMO,Game.dll,49 03 C9 66 44 89 01) // should be unique
alloc(newmem,$1000,"Game.dll"+F583D)

label(code)
label(return)

newmem:

code:
  add rcx,r9
  mov r8w,[rcx]
  mov [rcx],r8w
  jmp return

INJECTAMMO:
  jmp newmem
  nop 2
return:
registersymbol(INJECTAMMO)

[DISABLE]

INJECTAMMO:
  db 49 03 C9 66 44 89 01

unregistersymbol(INJECTAMMO)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Game.dll"+F583D

"Game.dll"+F580D: 48 C7 44 24 28 FE FF FF FF  -  mov qword ptr [rsp+28],FFFFFFFFFFFFFFFE
"Game.dll"+F5816: 48 89 5C 24 50              -  mov [rsp+50],rbx
"Game.dll"+F581B: 48 89 6C 24 58              -  mov [rsp+58],rbp
"Game.dll"+F5820: 41 0F B7 E8                 -  movzx ebp,r8w
"Game.dll"+F5824: 4C 63 F2                    -  movsxd  r14,edx
"Game.dll"+F5827: 4C 8B D1                    -  mov r10,rcx
"Game.dll"+F582A: 45 33 DB                    -  xor r11d,r11d
"Game.dll"+F582D: 44 89 5C 24 20              -  mov [rsp+20],r11d
"Game.dll"+F5832: 4D 69 CE 18 02 00 00        -  imul r9,r14,00000218
"Game.dll"+F5839: 48 83 C1 08                 -  add rcx,08
// ---------- INJECTING HERE ----------
"Game.dll"+F583D: 49 03 C9                    -  add rcx,r9
"Game.dll"+F5840: 66 44 89 01                 -  mov [rcx],r8w
// ---------- DONE INJECTING  ----------
"Game.dll"+F5844: 4C 39 99 18 01 00 00        -  cmp [rcx+00000118],r11
"Game.dll"+F584B: 74 05                       -  je Game.dll+F5852
"Game.dll"+F584D: E8 7E ED FF FF              -  call Game.dll+F45D0
"Game.dll"+F5852: 49 63 02                    -  movsxd  rax,dword ptr [r10]
"Game.dll"+F5855: 49 8B 92 B8 0A 00 00        -  mov rdx,[r10+00000AB8]
"Game.dll"+F585C: 44 89 5C 24 68              -  mov [rsp+68],r11d
"Game.dll"+F5861: 48 69 F0 D0 08 00 00        -  imul rsi,rax,000008D0
"Game.dll"+F5868: 48 03 F2                    -  add rsi,rdx
"Game.dll"+F586B: 8B BE 48 04 00 00           -  mov edi,[rsi+00000448]
"Game.dll"+F5871: 8B 5C 24 68                 -  mov ebx,[rsp+68]
}
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
EDIT2: I wonder.... in the script that is crashing for you, try finding the line alloc(newmem,$1000,7FFDA255F636) and changing it to just alloc(newmem,$1000) and seeing if it still crashes. It probably will, but that's the only thing I can think of that might be causing it right now, is that it might be allocating memory outside of how much memory you even have.

WWII44
Noobzor
Posts: 5
Joined: Tue Mar 05, 2019 9:55 am
Reputation: 0

Post by WWII44 »

What of Infinite Health?

4blood
Noobzor
Posts: 7
Joined: Tue Mar 31, 2020 11:12 am
Reputation: 1

Post by 4blood »

fardriel wrote:
Tue Mar 31, 2020 12:57 pm

EDIT2: I wonder.... in the script that is crashing for you, try finding the line alloc(newmem,$1000,7FFDA255F636) and changing it to just alloc(newmem,$1000) and seeing if it still crashes. It probably will, but that's the only thing I can think of that might be causing it right now, is that it might be allocating memory outside of how much memory you even have.
Still crashes for me

Post by Darkcore »

Don't know what to tell you dude, followed your exact steps, tried the code edit, still crashes the instant I try to re-open the character screen after activating the script

Post by Gehenna »

fardriel wrote:
Tue Mar 31, 2020 12:57 pm
eax and rax are both registers. Or, to be more precise, rax is eax but twice as big. I did "push rax" which saved the entire 8 bytes of the rax register, then did "pop eax" which (I think) only recalled the first 4 bytes of saved data. I thought that was what was causing you guys's crashes, but apparently not.

[Link]

Apparently this gif won't embed, so this one is a link instead. If you guys are doing the same as that and it's crashing for you, I can't recreate it and will have an incredibly hard time figuring out what's causing it.

EDIT: Also here's that infinite ammo script in case anyone wants it. Let me know if this one crashes, too, and I'll just go bang my head against a wall.

EDIT2: I wonder.... in the script that is crashing for you, try finding the line alloc(newmem,$1000,7FFDA255F636) and changing it to just alloc(newmem,$1000) and seeing if it still crashes. It probably will, but that's the only thing I can think of that might be causing it right now, is that it might be allocating memory outside of how much memory you even have.
Infinite ammo cheat works just fine! buuut other one crashes.

Hmm, we know it only crashes once we try to reenter the character sheet. Perhaps something related to that and not the general structure?

Post by Gehenna »

Idea, try a new save and your own cheat table? Maybe it's something clicking right with specifically your save, but not ours?

Rysefox
Table Makers
Posts: 862
Joined: Sat Jun 23, 2018 3:32 pm
Reputation: 918

Post by Rysefox »

This FOV looks nice :D
Also found fly ;)
Last edited by Rysefox on Tue Mar 31, 2020 1:45 pm, edited 1 time in total.

SODI
Cheater
Posts: 33
Joined: Tue Oct 24, 2017 9:18 am
Reputation: 31

Post by SODI »

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>9</ID>
      <Description>"Focus/Attribute Getter (Open/close character menu, activate this, open character menu again)"</Description>
      <LastState/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : TaleWorlds.MountAndBlade.Launcher.exe
  Version: 
  Date   : 2020-03-31
  Author : chodn

  This script does blah blah blah
}

[ENABLE]

aobscan(INJECTFOCUSGETTER,8B 51 40 8B CA) // should be unique
alloc(newmem,$1000,INJECTFOCUSGETTER)

label(skip)
label(return)
label(charptr)
registersymbol(charptr)
label(retptr)
registersymbol(retptr)

newmem:
  mov edx,[rcx+40]
  push rax
  mov rax,[rsp+10]
  cmp rax,[retptr]
  jne skip
  mov [charptr],rcx
skip:
  pop rax
  mov ecx,edx
  jmp return
charptr:
  dq 0
retptr:
  dq System.Core.ni.dll+34F9FB

INJECTFOCUSGETTER:
  jmp newmem
return:
registersymbol(INJECTFOCUSGETTER)

[DISABLE]

INJECTFOCUSGETTER:
  db 8B 51 40 8B CA

unregistersymbol(INJECTFOCUSGETTER)
unregistersymbol(charptr)
unregistersymbol(retptr)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 7FFDA255F636

7FFDA255F611: E8 9A 49 27 5E                 -  call clr.dll+3FB0
7FFDA255F616: 48 8D 4E 30                    -  lea rcx,[rsi+30]
7FFDA255F61A: 48 8B D7                       -  mov rdx,rdi
7FFDA255F61D: E8 8E 49 27 5E                 -  call clr.dll+3FB0
7FFDA255F622: 48 8B 56 20                    -  mov rdx,[rsi+20]
7FFDA255F626: 48 85 D2                       -  test rdx,rdx
7FFDA255F629: 75 04                          -  jne 7FFDA255F62F
7FFDA255F62B: 33 C9                          -  xor ecx,ecx
7FFDA255F62D: EB 07                          -  jmp 7FFDA255F636
7FFDA255F62F: 48 8B 8A 38 01 00 00           -  mov rcx,[rdx+00000138]
// ---------- INJECTING HERE ----------
7FFDA255F636: 8B 51 40                       -  mov edx,[rcx+40]
7FFDA255F639: 8B CA                          -  mov ecx,edx
// ---------- DONE INJECTING  ----------
7FFDA255F63B: 89 8E A0 00 00 00              -  mov [rsi+000000A0],ecx
7FFDA255F641: 48 8B CE                       -  mov rcx,rsi
7FFDA255F644: E8 47 2C 90 FF                 -  call 7FFDA1E62290
7FFDA255F649: 48 8B 56 20                    -  mov rdx,[rsi+20]
7FFDA255F64D: 48 85 D2                       -  test rdx,rdx
7FFDA255F650: 75 04                          -  jne 7FFDA255F656
7FFDA255F652: 33 C9                          -  xor ecx,ecx
7FFDA255F654: EB 07                          -  jmp 7FFDA255F65D
7FFDA255F656: 48 8B 8A 38 01 00 00           -  mov rcx,[rdx+00000138]
7FFDA255F65D: 8B 51 44                       -  mov edx,[rcx+44]
}
</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>3</ID>
          <Description>"Focus Points"</Description>
          <VariableType>4 Bytes</VariableType>
          <Address>charptr</Address>
          <Offsets>
            <Offset>40</Offset>
          </Offsets>
        </CheatEntry>
        <CheatEntry>
          <ID>4</ID>
          <Description>"Attribute Points"</Description>
          <VariableType>4 Bytes</VariableType>
          <Address>charptr</Address>
          <Offsets>
            <Offset>44</Offset>
          </Offsets>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
This should work now. Does for me.
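
Added example, not code from any poster in this thread: a small Python lint over a Cheat Table's XML that flags the two differences in the assembler script between the quoted focus getter and the version reposted above, namely an `alloc` whose third argument is a bare hex address and a `pop` whose operand is not the register that was pushed. The function names and the trimmed `TABLE` sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def enable_section(script):
    """Return the [ENABLE] part with {...} and // comments stripped."""
    script = re.sub(r"\{.*?\}", "", script, flags=re.S)
    script = re.sub(r"//[^\n]*", "", script)
    m = re.search(r"\[ENABLE\](.*?)(?:\[DISABLE\]|\Z)", script, flags=re.S)
    return m.group(1) if m else ""

def lint_script(script):
    body, findings, pushed = enable_section(script), [], []
    # alloc(name,size,near): flag a bare hex 'near' copied from one session.
    for name, near in re.findall(r"alloc\(\s*(\w+)\s*,[^,)]+,\s*([^)]+)\)", body):
        if re.fullmatch(r"[0-9A-Fa-f]{9,16}", near.strip()):
            findings.append(f"alloc({name}): literal address {near.strip()}")
    # Pair each pop with the most recent push and compare operands.
    for op, reg in re.findall(r"^\s*(push|pop)\s+(\w+)\s*$", body, flags=re.M):
        if op == "push":
            pushed.append(reg)
        elif pushed and pushed.pop() != reg:
            findings.append(f"pop {reg} does not restore the pushed register")
    return findings

def lint_table(xml_text):
    """Map each script entry's description to its findings."""
    root = ET.fromstring(xml_text.strip())
    return {e.findtext("Description", "").strip('"'): lint_script(s)
            for e in root.iter("CheatEntry")
            if (s := e.findtext("AssemblerScript"))}

# Constructed sample: the thread's focus getter trimmed to the lines the lint reads.
TABLE = """<CheatTable><CheatEntries><CheatEntry>
<Description>"{name}"</Description>
<AssemblerScript>{{ header comment }}
[ENABLE]
aobscan(INJECTFOCUSGETTER,8B 51 40 8B CA) // should be unique
alloc(newmem,$1000,{near})
newmem:
  mov edx,[rcx+40]
  push rax
  mov rax,[rsp+10]
  pop {reg}
  mov ecx,edx
  jmp return
INJECTFOCUSGETTER:
  jmp newmem
return:
[DISABLE]
dealloc(newmem)
</AssemblerScript></CheatEntry></CheatEntries></CheatTable>"""

quoted = TABLE.format(name="quoted", near="7FFDA255F636", reg="eax")
revised = TABLE.format(name="revised", near="INJECTFOCUSGETTER", reg="rax")

if __name__ == "__main__":
    for table in (quoted, revised):
        print(lint_table(table))
```

A module-relative target such as `"Game.dll"+F583D`, as used in the infinite ammo script, is not flagged because it is not a bare hex literal.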
