Death Stranding

[SunBeam]

Game Name: Death Stranding
Game Vendor: Steam
Game Version: 1.01
Game Process: ds.exe
Game File Version: 1.0.1.0



Hello folks. New game, different engine. This time around: Decima Engine.

Started playing the game for a little bit, past the intro with Norman falling off his dirt bike and running around for a while. Then stopped for a sec to dump the game's executable. For that I've used Task Explorer 64-bit (part of the CFF Explorer Suite found [Link]). Opened it up with x64dbg and checked the string references (it takes a bit to load them up) looking for some relevant words: debug, god, cheat, console, etc. And found this interesting lead:



Now I understand people are going to try to replicate what I describe here. Please understand you need to also have some decent knowledge on reverse-engineering, portable executables and what the hell the tools I'm using are and what they're used for. I am explaining this upfront because I have a feeling there will be a lot of "how do I make my tool look like yours?" questions, which I'm very sorry to say, I don't have patience for anymore. Having said that, let's continue (without the "how do you know this or that?" questions).

Followed that reference and saw these:



The reason I marked those LEAs is because they are functions. Hovering the mouse over the pointer in the [] brackets shows this:



So.. from here.. one could just.. you know.. SET A BREAKPOINT on that? This is the function, in CE-display format:

Code: Select all

ds.exe+3131B10 - 40 53                 - push rbx
ds.exe+3131B12 - 48 83 EC 20           - sub rsp,20 { 32 }
ds.exe+3131B16 - 48 8B D9              - mov rbx,rcx
ds.exe+3131B19 - 48 85 C9              - test rcx,rcx
ds.exe+3131B1C - 74 34                 - je ds.exe+3131B52
ds.exe+3131B1E - 48 8B 01              - mov rax,[rcx]
ds.exe+3131B21 - FF 90 D0000000        - call qword ptr [rax+000000D0]
ds.exe+3131B27 - 48 85 C0              - test rax,rax
ds.exe+3131B2A - 74 19                 - je ds.exe+3131B45
ds.exe+3131B2C - 80 78 78 00           - cmp byte ptr [rax+78],00 { 0 }
ds.exe+3131B30 - 74 13                 - je ds.exe+3131B45
ds.exe+3131B32 - 80 78 79 00           - cmp byte ptr [rax+79],00 { 0 }
ds.exe+3131B36 - 75 0D                 - jne ds.exe+3131B45
ds.exe+3131B38 - 48 8B 05 B1393804     - mov rax,[ds.exe+74B54F0] { (5ABE9CC4200) }
ds.exe+3131B3F - 83 78 24 01           - cmp dword ptr [rax+24],01 { 1 }
ds.exe+3131B43 - 7D 15                 - jnl ds.exe+3131B5A
ds.exe+3131B45 - 48 8B 03              - mov rax,[rbx]
ds.exe+3131B48 - 48 8B CB              - mov rcx,rbx
ds.exe+3131B4B - FF 50 70              - call qword ptr [rax+70]
ds.exe+3131B4E - 84 C0                 - test al,al
ds.exe+3131B50 - 75 08                 - jne ds.exe+3131B5A
ds.exe+3131B52 - 32 C0                 - xor al,al
ds.exe+3131B54 - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+3131B58 - 5B                    - pop rbx
ds.exe+3131B59 - C3                    - ret 
ds.exe+3131B5A - B0 01                 - mov al,01 { 1 }
ds.exe+3131B5C - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+3131B60 - 5B                    - pop rbx
ds.exe+3131B61 - C3                    - ret 

Did that and noticed there's no break yet. Moved around, lost balance, fell, etc. Then I saw this, a few lines down the function:

Code: Select all

ds.exe+3131B38 - 48 8B 05 B1393804     - mov rax,[ds.exe+74B54F0] { (5ABE9CC4200) }
ds.exe+3131B3F - 83 78 24 01           - cmp dword ptr [rax+24],01 { 1 }

So I added "ds.exe+74B54F0" as pointer in CE's main window, then 0x24 as offset for the first level. And debugged it. And found this function to access my value:



Looking at it, kinda resembles the "IsGodMode" function:

Code: Select all

ds.exe+312BE90 - 40 53                 - push rbx
ds.exe+312BE92 - 48 83 EC 20           - sub rsp,20 { 32 }
ds.exe+312BE96 - 48 8B 01              - mov rax,[rcx]
ds.exe+312BE99 - 48 8B D9              - mov rbx,rcx
ds.exe+312BE9C - FF 90 D0000000        - call qword ptr [rax+000000D0]
ds.exe+312BEA2 - 48 85 C0              - test rax,rax
ds.exe+312BEA5 - 74 21                 - je ds.exe+312BEC8
ds.exe+312BEA7 - 80 78 78 00           - cmp byte ptr [rax+78],00 { 0 }
ds.exe+312BEAB - 74 1B                 - je ds.exe+312BEC8
ds.exe+312BEAD - 80 78 79 00           - cmp byte ptr [rax+79],00 { 0 }
ds.exe+312BEB1 - 75 15                 - jne ds.exe+312BEC8
ds.exe+312BEB3 - 48 8B 05 36963804     - mov rax,[ds.exe+74B54F0] { (5ABE9CC4200) }
ds.exe+312BEBA - 83 78 24 02           - cmp dword ptr [rax+24],02 { 2 }
ds.exe+312BEBE - 75 08                 - jne ds.exe+312BEC8
ds.exe+312BEC0 - B0 01                 - mov al,01 { 1 }
ds.exe+312BEC2 - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+312BEC6 - 5B                    - pop rbx
ds.exe+312BEC7 - C3                    - ret 
ds.exe+312BEC8 - 48 8B CB              - mov rcx,rbx
ds.exe+312BECB - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+312BECF - 5B                    - pop rbx
ds.exe+312BED0 - E9 3B6FFCFE           - jmp ds.exe+20F2E10

It has the same checks as IsGodMode does, less a CALL:



Then I thought "isn't this maybe a GetPlayer function?" If all that's different between the two is that left-side block above, then the rest of the code above it should get the player.. or build up the player from some g_Game pointer. So then I remembered Anvil Engine where the member-functions table would contain (most likely) a function that leads to a name for the structure class or inheritance.

So.. I set a breakpoint at the prologue of the function above:

Code: Select all

ds.exe+312BE90 - 40 53                 - push rbx <-- here
ds.exe+312BE92 - 48 83 EC 20           - sub rsp,20 { 32 }
ds.exe+312BE96 - 48 8B 01              - mov rax,[rcx]
ds.exe+312BE99 - 48 8B D9              - mov rbx,rcx
ds.exe+312BE9C - FF 90 D0000000        - call qword ptr [rax+000000D0]
ds.exe+312BEA2 - 48 85 C0              - test rax,rax
ds.exe+312BEA5 - 74 21                 - je ds.exe+312BEC8
ds.exe+312BEA7 - 80 78 78 00           - cmp byte ptr [rax+78],00 { 0 }
ds.exe+312BEAB - 74 1B                 - je ds.exe+312BEC8
ds.exe+312BEAD - 80 78 79 00           - cmp byte ptr [rax+79],00 { 0 }
ds.exe+312BEB1 - 75 15                 - jne ds.exe+312BEC8
ds.exe+312BEB3 - 48 8B 05 36963804     - mov rax,[ds.exe+74B54F0] { (5ABE9CC4200) }
ds.exe+312BEBA - 83 78 24 02           - cmp dword ptr [rax+24],02 { 2 }
ds.exe+312BEBE - 75 08                 - jne ds.exe+312BEC8
ds.exe+312BEC0 - B0 01                 - mov al,01 { 1 }
ds.exe+312BEC2 - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+312BEC6 - 5B                    - pop rbx
ds.exe+312BEC7 - C3                    - ret 
ds.exe+312BEC8 - 48 8B CB              - mov rcx,rbx
ds.exe+312BECB - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+312BECF - 5B                    - pop rbx
ds.exe+312BED0 - E9 3B6FFCFE           - jmp ds.exe+20F2E10

I also checked if the RCX pointer is unique (not accessed by anything else in the game) and I could confirm 1 single hit. My RCX at the prologue is 0x000005ABF6B2D000. Yes, yours will be different.

Now this is where it gets interesting. Follow that pointer in CE's dump and set view to 8-bytes hexadecimal:



Then enter the first pointer you see there with Space key (0000000143959500). You will see this table of pointers. This is called the member-functions table (or virtual functions table - "vftable"). One of the functions in here will more than likely lead to a NAME. And from testing I found that it's actually the first pointer. Follow me:



And then I started looking around in the memory space of 1444FFD30. And found that if I check the pointer at offset 0x38, I will find this:





So.. I hope this is a general rule for Decima: in any object-pointer the member-function at 0x0 holds the pointer to the named-class (or type). I've adapted the Assassin's Creed Origins script I posted a while ago for Anvil to Decima

Code: Select all

function GetName( input )
  local p = readQword( input )    -- pointer to virtual functions table
  local f = readQword( p + 0x00 ) -- function at 0x0
  --[[ hopefully all of these 0x00 functions will look like this:
      lea rax,[ds.exe+offset]
      ret
  ]]

  -- making sure there's no JMP to JMP
  if readBytes( f + 0x00, 1 ) == 0xE9 then
    f = f + readInteger( f + 0x1, true ) + 0x5
      if readBytes( f + 0x00, 1 ) == 0xE9 then
        f = f + readInteger( f + 0x1, true ) + 0x5
      end
  end
  -- to make sure, let's check the ASM for a LEA RAX,[] (488D05xxxxxxxx)
  if readBytes( f + 0x00, 1 ) == 0x48 then
    if readBytes( f + 0x01, 1 ) == 0x8D then
      if readBytes( f + 0x02, 1 ) == 0x05 then
        local addr = f + readInteger( f + 0x3, true ) + 0x7
        local strA = readString( readQword( addr + 0x38 ) )
        local addr = readQword( readQword( addr + 0x58 ) )
        local strB = readString( readQword( addr + 0x38 ) )
        print( string.format( "Name:\t%s\r\nType:\t%s\r\n", strA, strB ) )
        print( "" )
        print( "* * *")
      end
    end
  end
end

GetName( 0x0000011542E4BEF0 )

In short.. give it a pointer and it will tell you a name:



So this is the run-down of the function we looked at:

Code: Select all

ds.exe+312BE90 - 40 53                 - push rbx
ds.exe+312BE92 - 48 83 EC 20           - sub rsp,20 { 32 }
ds.exe+312BE96 - 48 8B 01              - mov rax,[rcx]                              // DSPlayerEntity
ds.exe+312BE99 - 48 8B D9              - mov rbx,rcx
ds.exe+312BE9C - FF 90 D0000000        - call qword ptr [rax+000000D0]
ds.exe+312BEA2 - 48 85 C0              - test rax,rax                               // PlayerGame
ds.exe+312BEA5 - 74 21                 - je ds.exe+312BEC8
ds.exe+312BEA7 - 80 78 78 00           - cmp byte ptr [rax+78],00 { 0 }
ds.exe+312BEAB - 74 1B                 - je ds.exe+312BEC8
ds.exe+312BEAD - 80 78 79 00           - cmp byte ptr [rax+79],00 { 0 }
ds.exe+312BEB1 - 75 15                 - jne ds.exe+312BEC8
ds.exe+312BEB3 - 48 8B 05 36963804     - mov rax,[ds.exe+74B54F0] { (5ABE9CC4200) } // DebugSettings
ds.exe+312BEBA - 83 78 24 02           - cmp dword ptr [rax+24],02 { 2 }
ds.exe+312BEBE - 75 08                 - jne ds.exe+312BEC8
ds.exe+312BEC0 - B0 01                 - mov al,01 { 1 }
ds.exe+312BEC2 - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+312BEC6 - 5B                    - pop rbx
ds.exe+312BEC7 - C3                    - ret 
ds.exe+312BEC8 - 48 8B CB              - mov rcx,rbx
ds.exe+312BECB - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+312BECF - 5B                    - pop rbx
ds.exe+312BED0 - E9 3B6FFCFE           - jmp ds.exe+20F2E10

From DSPlayerEntity the code gets PlayerGame. It checks 2 flags at 0x78 and 0x79 (game state?) then checks a DebugSettings flag I'm assuming there's some dev stuff that can be toggled with that pointer.

More, later

EDIT #1: It looks like not all of them have the GetName at 0x00. If it's a sub-entity, then the function is at 0x08. Follow it through the JMP then find the string at 0x38. An example for you to debug:

Code: Select all

ds.exe+2A5AB67 - 48 8B 87 E8440000     - mov rax,[rdi+000044E8] // DSPlayerEntity
ds.exe+2A5AB6E - 48 85 C0              - test rax,rax           // DSPlayerInventoryComponent
ds.exe+2A5AB71 - 74 43                 - je ds.exe+2A5ABB6
ds.exe+2A5AB73 - 48 8B 80 304C0000     - mov rax,[rax+00004C30] // DSBackpackEntity <-- this one is retrieved at 0x08 in [DSPlayerInventoryComponent + 0x00]
ds.exe+2A5AB7A - 33 C9                 - xor ecx,ecx
ds.exe+2A5AB7C - 48 85 C0              - test rax,rax
ds.exe+2A5AB7F - 48 8D 50 E0           - lea rdx,[rax-20] // but the ptr reference is then fixed here, so script still works here, with RDX as your address

EDIT #2: This code handles the DSCollectibleLocator? Is there such a feature?

Code: Select all

ds.exe+2A5AB8C - 0FB6 92 B0170000      - movzx edx,byte ptr [rdx+000017B0]
ds.exe+2A5AB93 - 8B 8B 403E0300        - mov ecx,[rbx+00033E40] // rbx == DSCollectibleLocator
ds.exe+2A5AB99 - 83 EA 01              - sub edx,01 { 1 }
ds.exe+2A5AB9C - 74 0F                 - je ds.exe+2A5ABAD
ds.exe+2A5AB9E - 83 FA 07              - cmp edx,07 { 7 }
ds.exe+2A5ABA1 - 74 05                 - je ds.exe+2A5ABA8
ds.exe+2A5ABA3 - 83 E1 CF              - and ecx,-31 { 207 }
ds.exe+2A5ABA6 - EB 08                 - jmp ds.exe+2A5ABB0
ds.exe+2A5ABA8 - 83 C9 10              - or ecx,10 { 16 }
ds.exe+2A5ABAB - EB 03                 - jmp ds.exe+2A5ABB0
ds.exe+2A5ABAD - 83 C9 20              - or ecx,20 { 32 }
ds.exe+2A5ABB0 - 89 8B 403E0300        - mov [rbx+00033E40],ecx

I'm guessing that based on the value you feed, it will locate various types of things?.. Just assuming. "movzx edx,byte ptr [rdx+000017B0]" needs to return 0x1 or 0x7.

EDIT #3: Found some nifty correlations in the game's code. So here goes:

Getting DSPlayerEntity:

Code: Select all

ds.exe+2A5AA30 - 48 8B 0D 89B6A304     - mov rcx,[ds.exe+74960C0] { (5ABE9DCBE50) }
ds.exe+2A5AA37 - 33 D2                 - xor edx,edx
ds.exe+2A5AA39 - E8 02FC70FF           - call ds.exe+216A640
ds.exe+2A5AA3E - 48 8B C8              - mov rcx,rax // DSPlayerEntity

Getting DSPlayerInventoryComponent and DSBackpackEntity from DSPlayerEntity:

Code: Select all

ds.exe+2A5AB67 - 48 8B 87 E8440000     - mov rax,[rdi+000044E8] // DSPlayerEntity
ds.exe+2A5AB6E - 48 85 C0              - test rax,rax           // DSPlayerInventoryComponent
ds.exe+2A5AB71 - 74 43                 - je ds.exe+2A5ABB6
ds.exe+2A5AB73 - 48 8B 80 304C0000     - mov rax,[rax+00004C30]
ds.exe+2A5AB7A - 33 C9                 - xor ecx,ecx
ds.exe+2A5AB7C - 48 85 C0              - test rax,rax
ds.exe+2A5AB7F - 48 8D 50 E0           - lea rdx,[rax-20] // DSBackpackEntity

Getting CameraEntity via DSPlayerEntity:

Code: Select all

ds.exe+24FD340 - 48 89 5C 24 18        - mov [rsp+18],rbx
ds.exe+24FD345 - 48 89 7C 24 20        - mov [rsp+20],rdi
ds.exe+24FD34A - 41 56                 - push r14
ds.exe+24FD34C - 48 83 EC 20           - sub rsp,20 { 32 }
ds.exe+24FD350 - 48 8B F9              - mov rdi,rcx // DSPlayerSystem
ds.exe+24FD353 - E8 F86D1600           - call ds.exe+2664150 // it doesn't depend on the rcx above! > DSPlayerEntity
ds.exe+24FD358 - 48 8B D8              - mov rbx,rax
ds.exe+24FD35B - E8 206C1600           - call ds.exe+2663F80 // it doesn't depend on the rcx above! > CameraEntity
ds.exe+24FD360 - 4C 8B F0              - mov r14,rax

Getting DSPlayerState from DSPlayerEntity:

Code: Select all

ds.exe+2444D50 - 48 8B 81 20050000     - mov rax,[rcx+00000520] // DSPlayerEntity
ds.exe+2444D57 - 48 85 C0              - test rax,rax // DSPlayerState
ds.exe+2444D5A - 75 01                 - jne ds.exe+2444D5D
ds.exe+2444D5C - C3                    - ret 
ds.exe+2444D5D - 0FB6 80 4D0B0000      - movzx eax,byte ptr [rax+00000B4D]
ds.exe+2444D64 - C3                    - ret 

Getting DSGameState:

Code: Select all

ds.exe+30325FE - 48 8B 05 A3CD4804     - mov rax,[ds.exe+74BF3A8] { (5ABF7097800) }
..
ds.exe+303262A - 48 8B 1D 0FDD4804     - mov rbx,[ds.exe+74C0340] { (5ABF7097800) }

Getting DSPlayerController from DSPlayerEntity:

Code: Select all

ds.exe+31319D0 - 33 D2                 - xor edx,edx
ds.exe+31319D2 - 48 85 C9              - test rcx,rcx
ds.exe+31319D5 - 75 03                 - jne ds.exe+31319DA
ds.exe+31319D7 - 8B C2                 - mov eax,edx
ds.exe+31319D9 - C3                    - ret 
ds.exe+31319DA - 48 8B 89 30030000     - mov rcx,[rcx+00000330]
ds.exe+31319E1 - 48 85 C9              - test rcx,rcx
ds.exe+31319E4 - 48 8D 41 E0           - lea rax,[rcx-20]
ds.exe+31319E8 - 48 0F44 C2            - cmove rax,rdx
ds.exe+31319EC - C3                    - ret 

IsLocalPlayer from DSPlayerEntity:

Code: Select all

ds.exe+3131A40 - 40 57                 - push rdi
ds.exe+3131A42 - 48 83 EC 20           - sub rsp,20 { 32 }
ds.exe+3131A46 - 48 8B F9              - mov rdi,rcx
ds.exe+3131A49 - 48 85 C9              - test rcx,rcx
ds.exe+3131A4C - 74 53                 - je ds.exe+3131AA1
ds.exe+3131A4E - 48 89 5C 24 30        - mov [rsp+30],rbx
ds.exe+3131A53 - 48 8D 99 88020000     - lea rbx,[rcx+00000288]
ds.exe+3131A5A - 48 8B CB              - mov rcx,rbx
ds.exe+3131A5D - FF 15 7D0A6000        - call qword ptr [ds.exe+37324E0] { ->ntdll.dll+465E0 }
ds.exe+3131A63 - 85 C0                 - test eax,eax
ds.exe+3131A65 - 75 09                 - jne ds.exe+3131A70
ds.exe+3131A67 - 48 8B CB              - mov rcx,rbx
ds.exe+3131A6A - FF 15 780A6000        - call qword ptr [ds.exe+37324E8] { ->ntdll.dll+1B380 }
ds.exe+3131A70 - 48 8B 07              - mov rax,[rdi]
ds.exe+3131A73 - 48 8B CF              - mov rcx,rdi
ds.exe+3131A76 - FF 90 D0000000        - call qword ptr [rax+000000D0] // PlayerGame from DSPlayerEntity
ds.exe+3131A7C - 48 8B F8              - mov rdi,rax
ds.exe+3131A7F - 48 85 DB              - test rbx,rbx
ds.exe+3131A82 - 74 09                 - je ds.exe+3131A8D
ds.exe+3131A84 - 48 8B CB              - mov rcx,rbx
ds.exe+3131A87 - FF 15 4B0A6000        - call qword ptr [ds.exe+37324D8] { ->ntdll.dll+3A980 }
ds.exe+3131A8D - 48 8B 5C 24 30        - mov rbx,[rsp+30]
ds.exe+3131A92 - 48 85 FF              - test rdi,rdi
ds.exe+3131A95 - 74 0A                 - je ds.exe+3131AA1
ds.exe+3131A97 - 0FB6 47 78            - movzx eax,byte ptr [rdi+78] // reads this
ds.exe+3131A9B - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+3131A9F - 5F                    - pop rdi
ds.exe+3131AA0 - C3                    - ret 
ds.exe+3131AA1 - 32 C0                 - xor al,al
ds.exe+3131AA3 - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+3131AA7 - 5F                    - pop rdi
ds.exe+3131AA8 - C3                    - ret 

IsGodMode from DSPlayerEntity:

Code: Select all

ds.exe+3131B10 - 40 53                 - push rbx
ds.exe+3131B12 - 48 83 EC 20           - sub rsp,20 { 32 }
ds.exe+3131B16 - 48 8B D9              - mov rbx,rcx
ds.exe+3131B19 - 48 85 C9              - test rcx,rcx
ds.exe+3131B1C - 74 34                 - je ds.exe+3131B52
ds.exe+3131B1E - 48 8B 01              - mov rax,[rcx]
ds.exe+3131B21 - FF 90 D0000000        - call qword ptr [rax+000000D0]
ds.exe+3131B27 - 48 85 C0              - test rax,rax
ds.exe+3131B2A - 74 19                 - je ds.exe+3131B45
ds.exe+3131B2C - 80 78 78 00           - cmp byte ptr [rax+78],00 { 0 }
ds.exe+3131B30 - 74 13                 - je ds.exe+3131B45
ds.exe+3131B32 - 80 78 79 00           - cmp byte ptr [rax+79],00 { 0 }
ds.exe+3131B36 - 75 0D                 - jne ds.exe+3131B45
ds.exe+3131B38 - 48 8B 05 B1393804     - mov rax,[ds.exe+74B54F0] { (5ABE9CC4200) }
ds.exe+3131B3F - 83 78 24 01           - cmp dword ptr [rax+24],01 { 1 }
ds.exe+3131B43 - 7D 15                 - jnl ds.exe+3131B5A
ds.exe+3131B45 - 48 8B 03              - mov rax,[rbx]
ds.exe+3131B48 - 48 8B CB              - mov rcx,rbx
ds.exe+3131B4B - FF 50 70              - call qword ptr [rax+70]
ds.exe+3131B4E - 84 C0                 - test al,al
ds.exe+3131B50 - 75 08                 - jne ds.exe+3131B5A
ds.exe+3131B52 - 32 C0                 - xor al,al
ds.exe+3131B54 - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+3131B58 - 5B                    - pop rbx
ds.exe+3131B59 - C3                    - ret 
ds.exe+3131B5A - B0 01                 - mov al,01 { 1 }
ds.exe+3131B5C - 48 83 C4 20           - add rsp,20 { 32 }
ds.exe+3131B60 - 5B                    - pop rbx
ds.exe+3131B61 - C3                    - ret 

EDIT #4:

Getting DSPlayerLifeComponent from DSPlayerEntity:

Code: Select all

ds.exe+2505A40 - 48 85 C9              - test rcx,rcx
ds.exe+2505A43 - 74 20                 - je ds.exe+2505A65
ds.exe+2505A45 - 48 8B 81 00450000     - mov rax,[rcx+00004500] // rcx == DSPlayerEntity
ds.exe+2505A4C - 48 85 C0              - test rax,rax // result in rax is DSPlayerLifeComponent
ds.exe+2505A4F - 74 14                 - je ds.exe+2505A65
ds.exe+2505A51 - C5FA1088 6C 010000    - vmovss xmm1,[rax+0000016C]
ds.exe+2505A59 - C5F857C0              - vxorps xmm0,xmm0,xmm0
ds.exe+2505A5D - C5F82FC8              - vcomiss xmm1,xmm0,xmm0
ds.exe+2505A61 - 0F97 C0               - seta al
ds.exe+2505A64 - C3                    - ret 
ds.exe+2505A65 - 32 C0                 - xor al,al
ds.exe+2505A67 - C3                    - ret

One more spot for DSPlayerInventoryComponent from DSPlayerEntity:

Code: Select all

ds.exe+25059F0 - 48 8B 89 E8440000     - mov rcx,[rcx+000044E8]

Get PlayerId:

Code: Select all

ds.exe+32AAF80 - 48 8B 0D 39B11E04     - mov rcx,[ds.exe+74960C0] { (6DC9AB08C00) }
ds.exe+32AAF87 - 33 D2                 - xor edx,edx
ds.exe+32AAF89 - E9 92F6EBFE           - jmp ds.exe+216A620
..
..
ds.exe+216A620 - 48 63 C2              - movsxd  rax,edx
ds.exe+216A623 - 48 03 C0              - add rax,rax
ds.exe+216A626 - 8B 44 C1 08           - mov eax,[rcx+rax*8+08]
ds.exe+216A62A - C3                    - ret 

Best regards,
Sun

[SunBeam]

Then I started doing some debugging to see if I can get DSPlayerEntity without a hook. And eventually stepped into this:

Code: Select all

ds.exe+23BEED2 - 48 8D 05 A7730400     - lea rax,[ds.exe+2406280] { (1225100616) }
ds.exe+23BEED9 - C7 44 24 28 03000000  - mov [rsp+28],00000003 { 3 }
ds.exe+23BEEE1 - 4C 8B CB              - mov r9,rbx
ds.exe+23BEEE4 - 48 89 44 24 20        - mov [rsp+20],rax
ds.exe+23BEEE9 - 4C 8D 05 204D5801     - lea r8,[ds.exe+3943C10] { ("Application_sExportedGetApplication") }
ds.exe+23BEEF0 - 48 8B CE              - mov rcx,rsi
ds.exe+23BEEF3 - 48 8D 15 3E4D5801     - lea rdx,[ds.exe+3943C38] { ("GetApplication") }
ds.exe+23BEEFA - E8 31140000           - call ds.exe+23C0330

So.. "lea rax,[ds.exe+2406280]" leads to a function:

Code: Select all

ds.exe+2406280 - 48 8D 05 49EB0A05     - lea rax,[ds.exe+74B4DD0] { (143944838) }
ds.exe+2406287 - C3                    - ret 

Bottom line: "ds.exe+74B4DD0" is Application And now.. from here, we get:

Code: Select all

ds.exe+23FACF6 - 48 8B 8F 00070000     - mov rcx,[rdi+00000700]
ds.exe+23FACFD - 48 85 C9              - test rcx,rcx
ds.exe+23FAD00 - 74 06                 - je ds.exe+23FAD08
ds.exe+23FAD02 - 48 8B 01              - mov rax,[rcx]
ds.exe+23FAD05 - FF 50 78              - call qword ptr [rax+78]

"[rdi+00000700]", where RDI = Application, leads to, in my case, 0x6DC5A92EE00. The first member-function for this is:

Code: Select all

ds.exe+23D63E0 - E9 AB555C07           - jmp ds.exe+999B990
..
ds.exe+999B990 - 48 8D 05 99B3B4FA     - lea rax,[ds.exe+44E6D30] { (7835) }
ds.exe+999B997 - C3                    - ret 

Where "ds.exe+44E6D30" + 0x38 points to this string: GameModule. Like I said, not all objects/structures will have a dead-obvious getType() function at 0x00. Some may be malformed, due to Denuvo, while some may have this function further down in the vftable.

But now you know how to GetApplication and from there get to GameModule

BR,
Sun

[SunBeam]

Then there's a lot of string references pointing to _sExported functions and names. See file below:

_sExported.txt

(57.71 KiB) Downloaded 175 times

For example, how to use the information within. Let's say we want to find some function related to Player. I searched in the file and found this line:

000000014215CF48 lea r8,qword ptr ds:[1438EE7C8] "Player_sExportedGetLocalPlayer"

I then go to 14215CF48 in x64dbg (or CE) and look a few lines up where a LEA RAX is located, above a "MOV DWORD PTR SS:[RSP+0x28], 0x3" instruction:



So..

Code: Select all

ds.exe+216E810 - E9 0B040000           - jmp ds.exe+216EC20 // GetLocalPlayer

If you set a breakpoint at "ds.exe+216E810" function in CE and run it till RET you will see as result in RAX this (yes, your address will be different):



So.. RAX == 0x000006DC981D0700 in my case. Which, then, taken through the function I wrote in first post, GetName, leads to this:



So.. PlayerGame is LocalPlayer.

Here are some other interesting functions to debug:

Code: Select all

000000014240D06A lea r8,qword ptr ds:[14394C1B0] "DSPlayerSystem_sExportedActivateOdradek"
000000014240D1FF lea r8,qword ptr ds:[14394BC90] "DSPlayerSystem_sExportedGetPlayerInfo"
000000014240D394 lea r8,qword ptr ds:[14394AA70] "DSPlayerSystem_sExportedGetBareFootDamage"
000000014240D4CF lea r8,qword ptr ds:[143957DE0] "DSPlayerSystem_sExportedAddChiralCrystalCount"
000000014240D4FC lea r8,qword ptr ds:[143957D98] "DSPlayerSystem_sExportedSetChiralCrystalCount"
000000014240D605 lea r8,qword ptr ds:[143957590] "DSPlayerSystem_sExportedRecoverBattery"
000000014240D637 lea r8,qword ptr ds:[143957558] "DSPlayerSystem_sExportedRecoverFull"
000000014240D664 lea r8,qword ptr ds:[1439574F0] "DSPlayerSystem_sExportedRecoverOrSupplyShoes"
000000014240D691 lea r8,qword ptr ds:[1439574A8] "DSPlayerSystem_sExportedSetShoesLifeByRate"
000000014240D6BE lea r8,qword ptr ds:[143957470] "DSPlayerSystem_sExportedSetShoesLife"
000000014240D6EB lea r8,qword ptr ds:[143957428] "DSPlayerSystem_sExportedSetBBStressByRate"
000000014240D826 lea r8,qword ptr ds:[143956F98] "DSPlayerSystem_sExportedRemoveWeapon"
000000014240D853 lea r8,qword ptr ds:[143956C70] "DSPlayerSystem_sExportedAddWeapon"
000000014240D880 lea r8,qword ptr ds:[143956928] "DSPlayerSystem_sExportedAddSuitParts"
000000014240D907 lea r8,qword ptr ds:[143955F60] "DSPlayerSystem_sExportedAddAmmoToInventorySetting"
000000014240D934 lea r8,qword ptr ds:[143955ED8] "DSPlayerSystem_sExportedAddItemToInventorySetting"
000000014240D961 lea r8,qword ptr ds:[143955E50] "DSPlayerSystem_sExportedAddWeaponToInventorySetting"
000000014240E3C9 lea r8,qword ptr ds:[143951BF0] "DSPlayerNodeExporter_sExportedAddCryptbiosisCount"
000000014240E3F6 lea r8,qword ptr ds:[143951AA0] "DSPlayerNodeExporter_sExportedSetCryptbiosisCount"
..
000000014240F0DE lea r8,qword ptr ds:[143951E58] "DSPlayerEntity_sExportedResetNail"
000000014240F10B lea r8,qword ptr ds:[143951D00] "DSPlayerEntity_sExportedResetFrost"
000000014240F138 lea r8,qword ptr ds:[143951C80] "DSPlayerEntity_sExportedIsRightLegFrost"
000000014240F165 lea r8,qword ptr ds:[143951C40] "DSPlayerEntity_sExportedIsLeftLegFrost"
000000014240F192 lea r8,qword ptr ds:[143951B50] "DSPlayerEntity_sExportedIsHandFrost"
000000014240F1BF lea r8,qword ptr ds:[143951948] "DSPlayerEntity_sExportedIsFrost"
..
000000014240F2CD lea r8,qword ptr ds:[143951130] "DSPlayerEntity_sExportedGetLocalDSPlayerEntity"
..
000000014267479A lea r8,qword ptr ds:[1439770A0] "DSWeaponSystem_sExportedIsKillingAmmo"
00000001426747C7 lea r8,qword ptr ds:[143976F18] "DSWeaponSystem_sExportedIntToAmmoId"
00000001426747F4 lea r8,qword ptr ds:[143976CB0] "DSWeaponSystem_sExportedIntToSuitPartsId"
0000000142674821 lea r8,qword ptr ds:[143976648] "DSWeaponSystem_sExportedIntToItemId"
000000014267484E lea r8,qword ptr ds:[1439765C0] "DSWeaponSystem_sExportedIntToMagazineId"
000000014267487B lea r8,qword ptr ds:[143976520] "DSWeaponSystem_sExportedIntToWeaponId"
..
000000014290E9F5 lea r8,qword ptr ds:[1439AE850] "DSBaggage2Manager_sExportedExtractBaggageInfo"
000000014290EA22 lea r8,qword ptr ds:[1439AD570] "DSBaggage2Manager_sExportedGetAllBaggages"
000000014290EA4F lea r8,qword ptr ds:[1439ACB00] "DSBaggage2Manager_sExportedMoveBaggageToPlayer"
000000014290EA7C lea r8,qword ptr ds:[1439AC9B8] "DSBaggage2Manager_sExportedCreateAndAddBaggageToPlayer"
000000014290EAA9 lea r8,qword ptr ds:[1439AC8F0] "DSBaggage2Manager_sExportedAddBaggageToPlayerByGameActorId"
000000014290EAD6 lea r8,qword ptr ds:[1439AC888] "DSBaggage2Manager_sExportedAddBaggageToPlayer"
..
0000000142B9AD19 lea r8,qword ptr ds:[1439E4298] "DsGameActorCommand_sExportedGetGameActorEntity"
..
0000000142BEF3D8 lea r8,qword ptr ds:[1439ED378] "VehicleEntity_sExportedGetLife"
0000000142BEF5F4 lea r8,qword ptr ds:[1439ECC18] "VehicleEntity_sExportedSetForceSpeedScale"
0000000142BEF621 lea r8,qword ptr ds:[1439ECBD0] "VehicleEntity_sExportedSetOverrideInCutscene"
0000000142BEF64E lea r8,qword ptr ds:[1439ECB80] "VehicleEntity_sExportedIsDriving"
0000000142BEF67B lea r8,qword ptr ds:[1439ECB20] "VehicleEntity_sExportedGameActorIdToEntity"
0000000142BEF6A8 lea r8,qword ptr ds:[1439EC918] "VehicleEntity_sExportedEntityToGameActorId"
0000000142BEF6D5 lea r8,qword ptr ds:[1439EC8E0] "VehicleEntity_sExportedGetVehicleType"
..
00000001430F5B18 lea r8,qword ptr ds:[143A93528] "ComboComponent_sExportedIncreaseComboLevel"
00000001430F5B45 lea r8,qword ptr ds:[143A93490] "ComboComponent_sExportedGetComboLevel"
00000001430F5B72 lea r8,qword ptr ds:[143A933F8] "ComboComponent_sExportedGetComboTimer"
..
000000014325A94C lea r8,qword ptr ds:[143AC8A30] "TrophySystem_sExportedUnlockTrophy"
000000014325A979 lea r8,qword ptr ds:[143AC89F0] "TrophySystem_sExportedIsTrophyUnlocked"
..
00000001432899DC lea r8,qword ptr ds:[143ACD428] "CollectableManager_sExportedIsCollectableUnlocked"
0000000143289A09 lea r8,qword ptr ds:[143ACD3D8] "CollectableManager_sExportedSetCollectableUnlocked"
..
00000001432A47D9 lea r8,qword ptr ds:[143AD2768] "AIManagerGame_sExportedGetEntitiesInRadius"
00000001432A4806 lea r8,qword ptr ds:[143AD2700] "AIManagerGame_sExportedIsPlayerCurrentlyIdentifiedByRobot"
00000001432A4833 lea r8,qword ptr ds:[143AD2698] "AIManagerGame_sExportedIsPlayerCurrentlyIdentifiedByHumanoid"
00000001432A4860 lea r8,qword ptr ds:[143AD2550] "AIManagerGame_sExportedIsPlayerCurrentlyIdentified"
00000001432A488D lea r8,qword ptr ds:[143AD24E8] "AIManagerGame_sExportedGetCombatSituationSummaryForThreat"
00000001432A48BA lea r8,qword ptr ds:[143AD2490] "AIManagerGame_sExportedGetSearchTimeFactorForPlayer"
00000001432A48E7 lea r8,qword ptr ds:[143AD2438] "AIManagerGame_sExportedGetPlayerThreatLevelFactor"
00000001432A4914 lea r8,qword ptr ds:[143AD23F0] "AIManagerGame_sExportedGetPlayerThreatLevel"
00000001432A4941 lea r8,qword ptr ds:[143AD2398] "AIManagerGame_sExportedGetPlayerVisualThreatLevel"
00000001432A496E lea r8,qword ptr ds:[143AD2348] "AIManagerGame_sExportedGetPlayerHasBeenReported"
00000001432A499B lea r8,qword ptr ds:[143AD22E8] "AIManagerGame_sExportedGetPlayerLastBeingHeardTimestamp"
00000001432A49C8 lea r8,qword ptr ds:[143AD22A0] "AIManagerGame_sExportedGetPlayerIsBeingHeard"
00000001432A49F5 lea r8,qword ptr ds:[143AD2248] "AIManagerGame_sExportedGetPlayerLastBeingSeenTimestamp"
00000001432A4A22 lea r8,qword ptr ds:[143AD21F8] "AIManagerGame_sExportedGetPlayerIsInAntiStealth"
00000001432A4A4F lea r8,qword ptr ds:[143AD21B0] "AIManagerGame_sExportedGetPlayerIsBeingSeen"
..
0000000143388CA8 lea r8,qword ptr ds:[143AEE068] "FastTravelSystem_sExportedDisableFastTravel"
0000000143388CD5 lea r8,qword ptr ds:[143AEE020] "FastTravelSystem_sExportedEnableFastTravel"
..
000000014338B565 lea r8,qword ptr ds:[143AEF370] "BuddyManager_sExportedRequestSpawnBuddy"
000000014338B592 lea r8,qword ptr ds:[143AEF328] "BuddyManager_sExportedClearBuddy"
000000014338B5BF lea r8,qword ptr ds:[143AEF2C8] "BuddyManager_sExportedGetBuddy"

Yes, you will have to figure them out on your own, the parameters, how they work, etc. Please don't ask what they do or how they work. I don't know.

BR,
Sun

[SunBeam]

Oh.. And some more with "_Exported":

_Exported.txt

(56.78 KiB) Downloaded 166 times

For example:

Code: Select all

0000000143399BF5 lea r8,qword ptr ds:[143AF1060] "LootComponent_ExportedDisableLooting"
0000000143399C22 lea r8,qword ptr ds:[143AF1028] "LootComponent_ExportedEnableLooting"
..
00000001433C0038 lea r8,qword ptr ds:[143AF6480] "PickUpComponent_ExportedAddAmount"
..
000000014334230F lea r8,qword ptr ds:[143AE6970] "CharacterProgressionComponent_ExportedSetCurrentLevel"
000000014334233C lea r8,qword ptr ds:[143AE6858] "CharacterProgressionComponent_ExportedAddPerkLevel"
0000000143342369 lea r8,qword ptr ds:[143AE66D0] "CharacterProgressionComponent_ExportedAddPerkPoints"
0000000143342396 lea r8,qword ptr ds:[143AE6630] "CharacterProgressionComponent_ExportedHasPerkLevel"
00000001433423C3 lea r8,qword ptr ds:[143AE6458] "CharacterProgressionComponent_ExportedGetLevel"
..
00000001432E0522 lea r8,qword ptr ds:[143ADCB10] "StaminaComponent_ExportedGetStamina"
00000001432E054F lea r8,qword ptr ds:[143ADCA50] "StaminaComponent_ExportedRemoveModifier"
00000001432E057C lea r8,qword ptr ds:[143ADCA08] "StaminaComponent_ExportedAddModifier"
00000001432E05A9 lea r8,qword ptr ds:[143ADC968] "StaminaComponent_ExportedUseStamina"
00000001432E05D6 lea r8,qword ptr ds:[143ADC860] "StaminaComponent_ExportedFindStaminaComponentByType"
..
00000001432DCD78 lea r8,qword ptr ds:[143AD93E0] "WaterDetectionComponent_ExportedIsInDSWater"
00000001432DCDA5 lea r8,qword ptr ds:[143AD9100] "WaterDetectionComponent_ExportedIsInWater"
..
00000001432B7DD8 lea r8,qword ptr ds:[143AD6640] "CraftingComponent_ExportedCraftRecipeForFree"
00000001432B7E05 lea r8,qword ptr ds:[143AD65A0] "CraftingComponent_ExportedUnlockRecipe"
..
00000001431D24B8 lea r8,qword ptr ds:[143AB8210] "InventoryWeapon_ExportedGetRounds"
00000001431D24E5 lea r8,qword ptr ds:[143AB81C8] "InventoryWeapon_ExportedGetRoundsInMagazine"
00000001431D2512 lea r8,qword ptr ds:[143AB8180] "InventoryWeapon_ExportedGetChargeFraction"
..
00000001431AD988 lea r8,qword ptr ds:[143AB1808] "GameSettings_ExportedGetHealthRegenerationSettings"
00000001431AD9B5 lea r8,qword ptr ds:[143AB1670] "GameSettings_ExportedGetPlayerHealthSettings"
..
0000000143177698 lea r8,qword ptr ds:[143AA5070] "InventoryItem_ExportedIsQuestItem"
00000001431776C5 lea r8,qword ptr ds:[143AA5038] "InventoryItem_ExportedGetRarity"
00000001431776F2 lea r8,qword ptr ds:[143AA4FD0] "InventoryItem_ExportedGetCategory"
000000014317771F lea r8,qword ptr ds:[143AA4F98] "InventoryItem_ExportedGetOwner"
000000014317774C lea r8,qword ptr ds:[143AA4F30] "InventoryItem_ExportedGetEntity"
0000000143177779 lea r8,qword ptr ds:[143AA4EB8] "InventoryItem_ExportedGetAmount"
00000001431777A6 lea r8,qword ptr ds:[143AA4E70] "InventoryItem_ExportedGetItemResource"
00000001431777D3 lea r8,qword ptr ds:[143AA4DA0] "InventoryItem_ExportedGetDisplayName"
..
0000000143175190 lea r8,qword ptr ds:[143AA3DC8] "Inventory_ExportedGetItemAmount"
00000001431751BD lea r8,qword ptr ds:[143AA3D78] "Inventory_ExportedGetItems"
00000001431751EA lea r8,qword ptr ds:[143AA3CD8] "Inventory_ExportedRemoveAllItems"
0000000143175217 lea r8,qword ptr ds:[143AA3CA8] "Inventory_ExportedRemoveItem"
0000000143175244 lea r8,qword ptr ds:[143AA3C58] "Inventory_ExportedAddItem"
..
00000001423BB908 lea r8,qword ptr ds:[14393F328] "PlayerGame_ExportedSwitchPlayerCharacter"
..
000000014215CFFC lea r8,qword ptr ds:[1438EE718] "Player_ExportedGetFaction"
000000014215D029 lea r8,qword ptr ds:[1438EE6F8] "Player_ExportedGetEntity"
..
00000001420D4062 lea r8,qword ptr ds:[1438E2198] "Entity_ExportedGetPlayer"
..
00000001420D3ECD lea r8,qword ptr ds:[1438E26C8] "Entity_ExportedSetVelocity"
00000001420D3EFA lea r8,qword ptr ds:[1438E25F0] "Entity_ExportedGetVelocity"
00000001420D3F27 lea r8,qword ptr ds:[1438E2510] "Entity_ExportedGetLinearSpeed"
00000001420D3F51 lea r8,qword ptr ds:[1438E2440] "Entity_ExportedGetOrientation"
00000001420D3F81 lea r8,qword ptr ds:[1438E23E8] "Entity_ExportedGetPosition"
..
00000001420D3D65 lea r8,qword ptr ds:[1438E2B08] "Entity_ExportedIsPlayer"
..
00000001420D395A lea r8,qword ptr ds:[1438E33E0] "Entity_ExportedHeal"
00000001420D3987 lea r8,qword ptr ds:[1438E33B0] "Entity_ExportedGetMaxHealth"
00000001420D39B4 lea r8,qword ptr ds:[1438E32A0] "Entity_ExportedGetHealth"
00000001420D39E1 lea r8,qword ptr ds:[1438E3248] "Entity_ExportedSetHealth"
..
00000001420D36B7 lea r8,qword ptr ds:[1438E3A70] "Entity_ExportedSetInvulnerable"
..
00000001420BD738 lea r8,qword ptr ds:[1438E0E38] "CountdownTimer_ExportedSetBlinkStartTime"
00000001420BD765 lea r8,qword ptr ds:[1438E0E00] "CountdownTimer_ExportedResetTimer"
00000001420BD792 lea r8,qword ptr ds:[1438E0D50] "CountdownTimer_ExportedSetVisible"
00000001420BD7BF lea r8,qword ptr ds:[1438E0CE0] "CountdownTimer_ExportedIsTimerRunning"
00000001420BD7EC lea r8,qword ptr ds:[1438E0C60] "CountdownTimer_ExportedGetTimeRemaining"
00000001420BD819 lea r8,qword ptr ds:[1438E0BA0] "CountdownTimer_ExportedGetTimeElapsed"
00000001420BD846 lea r8,qword ptr ds:[1438E0B58] "CountdownTimer_ExportedAdjustTimeElapsed"
00000001420BD873 lea r8,qword ptr ds:[1438E0AC0] "CountdownTimer_ExportedAdjustTimeRemaining"
00000001420BD8A0 lea r8,qword ptr ds:[1438E0A28] "CountdownTimer_ExportedPauseTimer"
00000001420BD8CD lea r8,qword ptr ds:[1438E09F0] "CountdownTimer_ExportedStartTimer"

[SunBeam]

Then..

Getting DSPlayerSystem:

Code: Select all

ds.exe+266560A - 48 8B 3D 4F08E504     - mov rdi,[ds.exe+74B5E60] { (6DC97980000) } // DSPlayerSystem
ds.exe+2665611 - 48 8B D9              - mov rbx,rcx
ds.exe+2665614 - 48 8B 49 30           - mov rcx,[rcx+30]
ds.exe+2665618 - 48 81 C7 90DA0100     - add rdi,0001DA90 { (0) } // this leads to DSPlayerEntity if you do -0x20 after reading the ptr ;)
ds.exe+266561F - 48 85 C9              - test rcx,rcx
ds.exe+2665622 - 0F84 DD000000         - je ds.exe+2665705
ds.exe+2665628 - F6 43 44 01           - test byte ptr [rbx+44],01 { 1 }

[SunBeam]

BaggageItem Weight:

Code: Select all

ds.exe+29417D6 - 48 8B CE              - mov rcx,rsi
ds.exe+29417D9 - E8 A26B0300           - call ds.exe+2978380
ds.exe+29417DE - 48 8B CE              - mov rcx,rsi

ds.exe+2978380 - 40 53                 - push rbx
ds.exe+2978382 - 48 83 EC 40           - sub rsp,40 { 64 }
ds.exe+2978386 - 48 8B D9              - mov rbx,rcx
ds.exe+2978389 - C5F8297C 24 20        - vmovaps [rsp+20],xmm7
ds.exe+297838F - 48 8B 49 28           - mov rcx,[rcx+28]                           // rcx = DSBaggage2 -> [rcx+28] = DSGameBaggageListItem
ds.exe+2978393 - F6 83 04020000 80     - test byte ptr [rbx+00000204],-80 { 128 }
ds.exe+297839A - C5FA1079 50           - vmovss xmm7,[rcx+50] 						// Weight
ds.exe+297839F - 74 39                 - je ds.exe+29783DA
ds.exe+29783A1 - C5F82974 24 30        - vmovaps [rsp+30],xmm6
ds.exe+29783A7 - E8 C4896F00           - call ds.exe+3070D70
ds.exe+29783AC - 48 8B CB              - mov rcx,rbx
ds.exe+29783AF - C5F828F0              - vmovaps xmm6,xmm0
ds.exe+29783B3 - E8 485FFFFF           - call ds.exe+296E300
ds.exe+29783B8 - C5F828C8              - vmovaps xmm1,xmm0
ds.exe+29783BC - C5C25CC6              - vsubss xmm0,xmm7,xmm6
ds.exe+29783C0 - C5F259C8              - vmulss xmm1,xmm1,xmm0
ds.exe+29783C4 - C5F258C6              - vaddss xmm0,xmm1,xmm6
ds.exe+29783C8 - C5F82874 24 30        - vmovaps xmm6,[rsp+30]
ds.exe+29783CE - C5F8287C 24 20        - vmovaps xmm7,[rsp+20]
ds.exe+29783D4 - 48 83 C4 40           - add rsp,40 { 64 }
ds.exe+29783D8 - 5B                    - pop rbx
ds.exe+29783D9 - C3                    - ret 
ds.exe+29783DA - C5F828C7              - vmovaps xmm0,xmm7
ds.exe+29783DE - C5F8287C 24 20        - vmovaps xmm7,[rsp+20]
ds.exe+29783E4 - 48 83 C4 40           - add rsp,40 { 64 }
ds.exe+29783E8 - 5B                    - pop rbx
ds.exe+29783E9 - C3                    - ret 
[code]

[SunBeam]

Camera logic:

Code: Select all

ds.exe+3284078 - 48 8B 83 90000000     - mov rax,[rbx+00000090]
ds.exe+328407F - 48 8D 15 5AD01301     - lea rdx,[ds.exe+43C10E0] { (10810) }
ds.exe+3284086 - 48 8B 08              - mov rcx,[rax]
ds.exe+3284089 - 48 8B 71 20           - mov rsi,[rcx+20]
ds.exe+328408D - 48 8B 0D FCB0DE01     - mov rcx,[ds.exe+506F190] { (69CF0F5F8C0) }
ds.exe+3284094 - E8 571F5BFE           - call ds.exe+1835FF0
ds.exe+3284099 - 48 8B D6              - mov rdx,rsi
ds.exe+328409C - 48 8B C8              - mov rcx,rax
ds.exe+328409F - E8 CCD653FE           - call ds.exe+17C1770
ds.exe+32840A4 - 48 8B 05 0DB1DE01     - mov rax,[ds.exe+506F1B8] { (69CF0F43800) }
ds.exe+32840AB - 48 8B 88 F0000000     - mov rcx,[rax+000000F0]
ds.exe+32840B2 - 48 85 C9              - test rcx,rcx
ds.exe+32840B5 - 74 0C                 - je ds.exe+32840C3
ds.exe+32840B7 - 48 81 C1 70010000     - add rcx,00000170 { 368 }
ds.exe+32840BE - E8 DDDE84FE           - call ds.exe+1AD1FA0
ds.exe+32840C3 - 48 8D 93 88000000     - lea rdx,[rbx+00000088]


ds.exe+23FD8AE - 48 8B 0D 8B900905     - mov rcx,[ds.exe+7496940] { (69CF0B05000) } <--
ds.exe+23FD8B5 - 4C 8D 86 A0000000     - lea r8,[rsi+000000A0]
ds.exe+23FD8BC - 48 8D 56 60           - lea rdx,[rsi+60]
ds.exe+23FD8C0 - 48 8B 01              - mov rax,[rcx]
ds.exe+23FD8C3 - FF 50 58              - call qword ptr [rax+58]


mov rcx,[ds.exe+7496940] // 69CF0B05000
mov rax,[rcx+90]         // 69D1EBC5F00
mov rax,[rax]            // 69D17A1A000
mov rax,[rax+20]         // 69D1784C9E0 == Camera

[SunBeam]

Road repair/restore/build logic:

Code: Select all

ds.exe+2B90F85 - C5FA1073 0C           - vmovss xmm6,[rbx+0C]
ds.exe+2B90F8A - C4C16A59C5            - vmulss xmm0,xmm2,xmm13
ds.exe+2B90F8F - C5CA5CC8              - vsubss xmm1,xmm6,xmm0
ds.exe+2B90F93 - C5F25FD7              - vmaxss xmm2,xmm1,xmm7
ds.exe+2B90F97 - C5782FE2              - vcomiss xmm12,xmm0,xmm2
ds.exe+2B90F9B - C5FA1153 0C           - vmovss [rbx+0C],xmm2 <-- write road durability
ds.exe+2B90FA0 - 72 1A                 - jb ds.exe+2B90FBC
ds.exe+2B90FA2 - C4C1782FF4            - vcomiss xmm6,xmm0,xmm12

0000000142B90EBC | 4D:85E4                             | TEST R12,R12                                                |
0000000142B90EBF | 0F84 12010000                       | JE ds_dumped.142B90FD7                                      | <-- JMP here so no dec.
0000000142B90EC5 | 41:8BD7                             | MOV EDX,R15D                                                |
0000000142B90EC8 | 49:8BCC                             | MOV RCX,R12                                                 |

ds.exe+2A28A7B - 48 8B 0D 5E58A904     - mov rcx,[g_DSConstructionPointManager] { (5D51A000100) }
ds.exe+2A28A82 - 8B D7                 - mov edx,edi
ds.exe+2A28A84 - E8 8789F4FF           - call ds.exe+2971410
ds.exe+2A28A89 - 48 89 46 10           - mov [rsi+10],rax
ds.exe+2A28A8D - 48 8B F8              - mov rdi,rax
ds.exe+2A28A90 - 80 78 35 0E           - cmp byte ptr [rax+35],0E { 14 }
ds.exe+2A28A94 - 75 3A                 - jne ds.exe+2A28AD0
ds.exe+2A28A96 - 48 8B 0D 1B84B801     - mov rcx,[ds.exe+45B0EB8] { (1474C1848) }
ds.exe+2A28A9D - 8B 90 D0040000        - mov edx,[rax+000004D0]
ds.exe+2A28AA3 - 48 8B 09              - mov rcx,[rcx]
ds.exe+2A28AA6 - E8 45011300           - call ds.exe+2B58BF0
ds.exe+2A28AAB - C5FA1146 20           - vmovss [rsi+20],xmm0
ds.exe+2A28AB0 - 48 8B 05 0184B801     - mov rax,[ds.exe+45B0EB8] { (1474C1848) }
ds.exe+2A28AB7 - 8B 97 D0040000        - mov edx,[rdi+000004D0]
ds.exe+2A28ABD - 48 8B 08              - mov rcx,[rax]
ds.exe+2A28AC0 - E8 3B001300           - call ds.exe+2B58B00
ds.exe+2A28AC5 - C5FA594E 20           - vmulss xmm1,xmm0,[rsi+20]
ds.exe+2A28ACA - 48 8B 4E 10           - mov rcx,[rsi+10]
ds.exe+2A28ACE - EB 19                 - jmp ds.exe+2A28AE9
ds.exe+2A28AD0 - 48 8B CF              - mov rcx,rdi
ds.exe+2A28AD3 - E8 A8DCF4FF           - call ds.exe+2976780
ds.exe+2A28AD8 - 48 8B 4E 10           - mov rcx,[rsi+10]
ds.exe+2A28ADC - C5FA1146 20           - vmovss [rsi+20],xmm0
ds.exe+2A28AE1 - C5FA1089 D8 000000    - vmovss xmm1,[rcx+000000D8]
ds.exe+2A28AE9 - 4C 8D 46 28           - lea r8,[rsi+28]
ds.exe+2A28AED - 48 8D 56 24           - lea rdx,[rsi+24]

On TAB held at OperatorPad:

Code: Select all

ds.exe+2A28A96 - 48 8B 0D 1B84B801     - mov rcx,[ds.exe+45B0EB8] { (1474C1848) }
ds.exe+2A28A9D - 8B 90 D0040000        - mov edx,[rax+000004D0] // id
ds.exe+2A28AA3 - 48 8B 09              - mov rcx,[rcx]
ds.exe+2A28AA6 - E8 45011300           - call ds.exe+2B58BF0 <- max == 360000 (constant)
ds.exe+2A28AAB - C5FA1146 20           - vmovss [rsi+20],xmm0
ds.exe+2A28AB0 - 48 8B 05 0184B801     - mov rax,[ds.exe+45B0EB8] { (1474C1848) }
ds.exe+2A28AB7 - 8B 97 D0040000        - mov edx,[rdi+000004D0] // id
ds.exe+2A28ABD - 48 8B 08              - mov rcx,[rax]
--
ds.exe+2A28AC0 - E8 3B001300           - call ds.exe+2B58B00 (see 1)
--
ds.exe+2A28AC5 - C5FA594E 20           - vmulss xmm1,xmm0,[rsi+20] // 0.51 * 360000

1:
..
ds.exe+2B58B46 - 39 71 08              - cmp [rcx+08],esi
ds.exe+2B58B49 - 74 2F                 - je ds.exe+2B58B7A
ds.exe+2B58B4B - 48 83 C1 1C           - add rcx,1C { 28 }
ds.exe+2B58B4F - 49 3B C8              - cmp rcx,r8
ds.exe+2B58B52 - 75 F2                 - jne ds.exe+2B58B46
ds.exe+2B58B54 - C5C857F6              - vxorps xmm6,xmm6,xmm6
..
ds.exe+2B58B7A - 80 79 15 00           - cmp byte ptr [rcx+15],00 { 0 }
ds.exe+2B58B7E - 74 D4                 - je ds.exe+2B58B54
ds.exe+2B58B80 - C5FA1041 0C           - vmovss xmm0,[rcx+0C]
ds.exe+2B58B85 - C5FA5E35 57 BDC100    - vdivss xmm6,xmm0,[ds.exe+37748E4] { (100.00) }
ds.exe+2B58B8D - EB C9                 - jmp ds.exe+2B58B58

Once struct is found, value is read from [rcx+15] -> e.g.: 51.22 -> 51.22 / 100.0 = 0.51

This runs when you repair the road, making value 100 again:

Code: Select all

ds.exe+2B7F660 - 48 89 5C 24 08        - mov [rsp+08],rbx
ds.exe+2B7F665 - 48 89 74 24 10        - mov [rsp+10],rsi
ds.exe+2B7F66A - 57                    - push rdi
ds.exe+2B7F66B - 48 83 EC 30           - sub rsp,30 { 48 }
ds.exe+2B7F66F - 48 8D 59 08           - lea rbx,[rcx+08]
ds.exe+2B7F673 - C5F82974 24 20        - vmovaps [rsp+20],xmm6
ds.exe+2B7F679 - 48 8B F9              - mov rdi,rcx
ds.exe+2B7F67C - 8B F2                 - mov esi,edx
ds.exe+2B7F67E - 48 8B CB              - mov rcx,rbx
ds.exe+2B7F681 - C5F828F2              - vmovaps xmm6,xmm2
ds.exe+2B7F685 - E8 66D2C2FE           - call ds.exe+17AC8F0
ds.exe+2B7F68A - 48 8B 8F 98000000     - mov rcx,[rdi+00000098]
ds.exe+2B7F691 - 48 63 87 90000000     - movsxd  rax,dword ptr [rdi+00000090]
ds.exe+2B7F698 - 4C 6B C0 1C           - imul r8,rax,1C
ds.exe+2B7F69C - 4C 03 C1              - add r8,rcx
ds.exe+2B7F69F - 49 3B C8              - cmp rcx,r8
ds.exe+2B7F6A2 - 74 30                 - je ds.exe+2B7F6D4
ds.exe+2B7F6A4 - 39 71 08              - cmp [rcx+08],esi
ds.exe+2B7F6A7 - 74 0B                 - je ds.exe+2B7F6B4
ds.exe+2B7F6A9 - 48 83 C1 1C           - add rcx,1C { 28 }
ds.exe+2B7F6AD - 49 3B C8              - cmp rcx,r8
ds.exe+2B7F6B0 - 75 F2                 - jne ds.exe+2B7F6A4
ds.exe+2B7F6B2 - EB 20                 - jmp ds.exe+2B7F6D4
ds.exe+2B7F6B4 - 80 79 15 00           - cmp byte ptr [rcx+15],00 { 0 }
ds.exe+2B7F6B8 - 74 1A                 - je ds.exe+2B7F6D4
ds.exe+2B7F6BA - C5CA5905 22 52BF00    - vmulss xmm0,xmm6,[ds.exe+37748E4] { (100.00) }
ds.exe+2B7F6C2 - C5FA5849 0C           - vaddss xmm1,xmm0,[rcx+0C]
ds.exe+2B7F6C7 - C5F25D15 15 52BF00    - vminss xmm2,xmm1,[ds.exe+37748E4] { (100.00) }
ds.exe+2B7F6CF - C5FA1151 0C           - vmovss [rcx+0C],xmm2
ds.exe+2B7F6D4 - 48 85 DB              - test rbx,rbx
ds.exe+2B7F6D7 - 74 08                 - je ds.exe+2B7F6E1
ds.exe+2B7F6D9 - 48 8B CB              - mov rcx,rbx
ds.exe+2B7F6DC - E8 5FE3B6FE           - call ds.exe+16EDA40
ds.exe+2B7F6E1 - 48 8B 5C 24 40        - mov rbx,[rsp+40]
ds.exe+2B7F6E6 - 48 8B 74 24 48        - mov rsi,[rsp+48]
ds.exe+2B7F6EB - C5F82874 24 20        - vmovaps xmm6,[rsp+20]
ds.exe+2B7F6F1 - 48 83 C4 30           - add rsp,30 { 48 }
ds.exe+2B7F6F5 - 5F                    - pop rdi
ds.exe+2B7F6F6 - C3                    - ret 

[QuarryTen]

I know that you're done with this game, but I was also wondering if you'd made any more discoveries that you weren't posted?

[Csimbi]

...

Hi SunBeam,
I am going to start with this game in the winter break I guess.
Did you ever make a dumper for this one?
Thank you!