Horizon Zero Dawn [Engine:Decima]

[bloodaxis]

Because in the post above you then say "Naturally if you finish the game and start another ng+ you'll be able to buy everything." your statements seem to contradict each other.

I was talking about using sunbeams script to change into ng+ in the middle of a game without finishing the game beforehand, if you finish the game legit without using the script all bluegleam stores will repopulate their wares.

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[NumberXer0]

Because in the post above you then say "Naturally if you finish the game and start another ng+ you'll be able to buy everything." your statements seem to contradict each other.

I was talking about using sunbeams script to change into ng+ in the middle of a game without finishing the game beforehand, if you finish the game legit without using the script all bluegleam stores will repopulate their wares.

If you just want to play NG+ for your first run, there are multiple saves out there already. Not 100% saves, but with purple weapons and NG+ unlocked. I just downloaded one, created the NG+ data and I'm good to go now. I can do my NG+ Ultra Hard run first without needing to playthrough once =P

[SunBeam]

Judging by suns "true invisibility/ true nutral" post id say if you can, you would just change the string for the machine to your faction. Instead of changing you to a neutral faction. Doing it that way id assume you could actually get an few or more followers at the same time.

Won't work because there's also an OVERRIDE aspect you need to take into account. Also an OverrideComponent somewhere. It's possible, but honestly, I don't care that much to get interested in achieving it. You have all you need to get you going in my Death Stranding post about Decima. Good luck!

[SunBeam]

Here's what I managed to pull off. A list of my Inventory: [Link] "Are those all items?" - No. Just my current inventory.

[IcyPurpose99]

Here's what I managed to pull off. A list of my Inventory: [Link] "Are those all items?" - No. Just my current inventory.

Too bad it doesn't cover the coil's data yet which contains how much damage, freeze, shock, fire it does.

[SunBeam]

Too bad it doesn't cover the coil's data yet which contains how much damage, freeze, shock, fire it does.

Yes. Yet You can see all coils there, it's just they're not explicitly detailed

[acecel]

If some of you have a bug where any skill invoking a time slowing are not working anymore, it's not because of the table but it's a game bug a lot of people get and no fix yet.
It's linked to the save so as soon as you have the bug don't save and restart the game, if the bug is still there then your save is bugged and can't be fixed, any time slowing mechanics will never work anymore.

[ZippyDSMlee]

I have acouple questions, anyway to lower the amount of exp you gain by like half? Also would like to be able to leave things on hyper awareness but not make them tanky, I like most things being a glass cannon IE most things die in the same number of hits, or rather you get the higher awareness levels and longer timeouts on searching for the player but not the tougher to kill NPCs.

The way I like a game balanced is annoyingly esoteric...

[HylianZ]

I have acouple questions, anyway to lower the amount of exp you gain by like half? Also would like to be able to leave things on hyper awareness but not make them tanky, I like most things being a glass cannon IE most things die in the same number of hits, or rather you get the higher awareness levels and longer timeouts on searching for the player but not the tougher to kill NPCs.

The way I like a game balanced is annoyingly esoteric...

Sounds like you need to develop a damage multiplier for both player and enemies, along side your exp mult float. Then just play on Ultra Hard.

[SunBeam]

There's always 2-3 people who want some preferential option, just cuz they can't be arsed playing the game as is. And they all go like "is there a way to do this shit?" especially when: a) they've looked and didn't find anything on the subject; b) they didn't look, they just woke up, drank their coffee, took a dump and it hit them right there "what if I ask this, is it possible? let me go post as soon as I leave the bathroom". So, people, long story short, want to play the game your way, make your own scripts/tables/trainers. Cheers.

[vyrelis]

Asking if something is possible isn't automatically a request. It's asking if looking into it is going to be a waste of time. There's understanding how the code works and then there's being able to fudge some numbers you can find.

[RedKaezar]

Asking if something is possible isn't automatically a request. It's asking if looking into it is going to be a waste of time. There's understanding how the code works and then there's being able to fudge some numbers you can find.

You must be new here.

[SunBeam]

Okay, kids, remember this?



Well.. I kinda got bored of it and wanted to go still Screw the story, right? What if you break it?..

To get to a function that would bypass this restriction you first start with some brainstorming. Some people will say "find player's XYZ and debug that and see what accesses them when you enter such an area". Well, XYZ are accessed by a lot of functions that your expectation - that when a restricted area drops the message, only 1 piece of code extra from what you have in the debug window will pop - really won't be met. What else can we do? Well, there's a message on screen. It reads "You are leaving the play area". With that in mind, let's scan the memory for an occurrence of that string, then debug that. The string should be accessed ONLY when the message is displayed. Then from what accesses it we can back-trace through code and see what's the trigger/reason this is displayed. The most common way to see if some function you're at does the job is to make it not execute. And that means change the function's prologue with a RET instruction.

So I scanned the memory for the string and found 1 result (yes, your address will be different):



Then I set a breakpoint on access on the first byte of the string in hex dump and went ahead, triggering the message to show on-screen. And I got this:



Now.. if you go to that specific address and set a normal breakpoint, you will see there are a LOT of breaks. Why.. because it's a generic readstring function. What we want to happen is set a conditional breakpoint that gets hit only when OUR string is read. So.. my address is 27CCAE5D1F0. The place where it's read is:

Code: Select all

HorizonZeroDawn.exe+11DD9C - 44 0FB6 0B            - movzx r9d,byte ptr [rbx]

First make sure the message is not shown on screen yet (move back a little). Then go to "HorizonZeroDawn.exe+11DD9C", press F5. CE will break. Then right-click, "Set/Change break condition" and type in RBX == 0x27CCAE5D1F0 (of course, change the address with yours!). Now F9 to resume. If the message was already displayed on screen, then move back so it disappears, then return so it appears again. That's when CE will break again.

When it does break hit Shift+F8 6 times (how did I know? I back-traced the first 5 steps and saw they didn't work how I wanted). You will be here now:

Code: Select all

HorizonZeroDawn.exe+C94AAF - 49 8B D6              - mov rdx,r14
HorizonZeroDawn.exe+C94AB2 - E8 F95296FF           - call HorizonZeroDawn.exe+5F9DB0 <-- this is where we exited from
HorizonZeroDawn.exe+C94AB7 - 4C 89 25 02FE4806     - mov [HorizonZeroDawn.exe+71248C0],r12 { (2826A269620) } <-- here
HorizonZeroDawn.exe+C94ABE - 48 83 C4 28           - add rsp,28 { 40 }
HorizonZeroDawn.exe+C94AC2 - 41 5E                 - pop r14
HorizonZeroDawn.exe+C94AC4 - 41 5C                 - pop r12
HorizonZeroDawn.exe+C94AC6 - C3                    - ret 

What Shift+F8 does is:



Now scroll up top to the function's prologue, here:

Code: Select all

HorizonZeroDawn.exe+C949E0 - 41 54                 - push r12
HorizonZeroDawn.exe+C949E2 - 41 56                 - push r14
HorizonZeroDawn.exe+C949E4 - 48 83 EC 28           - sub rsp,28 { 40 }
HorizonZeroDawn.exe+C949E8 - 48 63 81 38010000     - movsxd  rax,dword ptr [rcx+00000138]
HorizonZeroDawn.exe+C949EF - 45 33 E4              - xor r12d,r12d

And place a RET where you see "push r12":

Code: Select all

HorizonZeroDawn.exe+C949E0 - C3                    - ret 
HorizonZeroDawn.exe+C949E1 - 90                    - nop 
HorizonZeroDawn.exe+C949E2 - 41 56                 - push r14
HorizonZeroDawn.exe+C949E4 - 48 83 EC 28           - sub rsp,28 { 40 }
HorizonZeroDawn.exe+C949E8 - 48 63 81 38010000     - movsxd  rax,dword ptr [rcx+00000138]
HorizonZeroDawn.exe+C949EF - 45 33 E4              - xor r12d,r12d

Then you'll see you can walk indefinitely in an area that's restricted, message won't show up and no loading of your latest quick-save.

So this is how I did it.

Here's an example. I am here:



The moment I advance 1-2m forward, I get this:



So I RET the function I mentioned and.. after a while of walking:





What you need to remember is the function is constantly executed when you are out of bounds. That means when you get to where you wanted to go, DON'T restore the code. It will instantly run a quick-load without warning you. First exit the area you know if off limits, then restore/disable the code/script.

You can also go in "black" areas of the map



They're represented like that, but in reality.. nothing black there:



In a similar way I believe you can do this kind of message:



Just know there's an invisible wall that prevents you from moving further, aside from that message showing up (although there's no quick-load of latest save).

BR,
Sun

[SunBeam]

[after]

[SunBeam]

So I scanned for Can't enter this location string. Note that the game shows it in all caps, but it's represented like that in memory. Make sure to un-tick "Case sensitive" when you search with CE. Found it, debugged it, back-traced a few Shift+F8s and got these locations:

Code: Select all

HorizonZeroDawn.exe+11F13C0 - 40 53                 - push rbx <--
HorizonZeroDawn.exe+11F13C2 - 48 83 EC 40           - sub rsp,40 { 64 }
HorizonZeroDawn.exe+11F13C6 - 48 8B 41 28           - mov rax,[rcx+28]
HorizonZeroDawn.exe+11F13CA - 4C 8B C2              - mov r8,rdx
HorizonZeroDawn.exe+11F13CD - C5F82974 24 30        - vmovaps [rsp+30],xmm6
HorizonZeroDawn.exe+11F13D3 - 48 8B D9              - mov rbx,rcx
HorizonZeroDawn.exe+11F13D6 - C5F8297C 24 20        - vmovaps [rsp+20],xmm7
HorizonZeroDawn.exe+11F13DC - C5C857F6              - vxorps xmm6,xmm6,xmm6
HorizonZeroDawn.exe+11F13E0 - C5FA1078 60           - vmovss xmm7,[rax+60]
HorizonZeroDawn.exe+11F13E5 - C5F82FFE              - vcomiss xmm7,xmm0,xmm6
HorizonZeroDawn.exe+11F13E9 - 0F86 2B010000         - jbe HorizonZeroDawn.exe+11F151A <--

Placing a RET here or changing JBE to JMP will not show the message anymore, but you're still not allowed to move past that invisible wall.

Then I back-traced some more and got to this spot:

Code: Select all

HorizonZeroDawn.exe+EF7DA0 - 40 55                 - push rbp
HorizonZeroDawn.exe+EF7DA2 - 53                    - push rbx
HorizonZeroDawn.exe+EF7DA3 - 56                    - push rsi
HorizonZeroDawn.exe+EF7DA4 - 57                    - push rdi
HorizonZeroDawn.exe+EF7DA5 - 48 8D AC 24 68FFFFFF  - lea rbp,[rsp-00000098]
HorizonZeroDawn.exe+EF7DAD - 48 81 EC 98010000     - sub rsp,00000198 { 408 }
HorizonZeroDawn.exe+EF7DB4 - 48 8B F2              - mov rsi,rdx
HorizonZeroDawn.exe+EF7DB7 - 48 8B F9              - mov rdi,rcx
HorizonZeroDawn.exe+EF7DBA - 48 85 D2              - test rdx,rdx
HorizonZeroDawn.exe+EF7DBD - 75 7B                 - jne HorizonZeroDawn.exe+EF7E3A
HorizonZeroDawn.exe+EF7DBF - C5F81005 51 9DB201    - vmovups xmm0,[HorizonZeroDawn.exe+2A21B18] { (0.00) }
HorizonZeroDawn.exe+EF7DC7 - C5F81141 60           - vmovups [rcx+60],xmm0
HorizonZeroDawn.exe+EF7DCC - 38 91 80000000        - cmp [rcx+00000080],dl <--
HorizonZeroDawn.exe+EF7DD2 - 0F84 CD070000         - je HorizonZeroDawn.exe+EF85A5

At this point, RCX is this:

Code: Select all

Name:	OutOfBoundsQueryComponent
Type:	EntityComponent

Another interesting this is the BYTE at 0x80 gets reset to 1 by this piece of code:

Code: Select all

HorizonZeroDawn.exe+EF823F - 48 8B 01              - mov rax,[rcx]
HorizonZeroDawn.exe+EF8242 - 83 49 38 04           - or dword ptr [rcx+38],04 { 4 }
HorizonZeroDawn.exe+EF8246 - FF 90 18010000        - call qword ptr [rax+00000118]
HorizonZeroDawn.exe+EF824C - C6 87 80000000 01     - mov byte ptr [rdi+00000080],01 { 1 } <--

The code is part of the same function I mentioned earlier (HorizonZeroDawn.exe+EF7DA0), which means the function leaps over the "cmp [rcx+00000080],dl".. and that happens here:

Code: Select all

HorizonZeroDawn.exe+EF7DA0 - 40 55                 - push rbp
HorizonZeroDawn.exe+EF7DA2 - 53                    - push rbx
HorizonZeroDawn.exe+EF7DA3 - 56                    - push rsi
HorizonZeroDawn.exe+EF7DA4 - 57                    - push rdi
HorizonZeroDawn.exe+EF7DA5 - 48 8D AC 24 68FFFFFF  - lea rbp,[rsp-00000098]
HorizonZeroDawn.exe+EF7DAD - 48 81 EC 98010000     - sub rsp,00000198 { 408 }
HorizonZeroDawn.exe+EF7DB4 - 48 8B F2              - mov rsi,rdx
HorizonZeroDawn.exe+EF7DB7 - 48 8B F9              - mov rdi,rcx
HorizonZeroDawn.exe+EF7DBA - 48 85 D2              - test rdx,rdx
HorizonZeroDawn.exe+EF7DBD - 75 7B                 - jne HorizonZeroDawn.exe+EF7E3A <-- here

So.. if you place a RET at HorizonZeroDawn.exe+EF7DA0 -OR- turn "jne HorizonZeroDawn.exe+EF7E3A" into "jmp HorizonZeroDawn.exe+EF7E3A" @ HorizonZeroDawn.exe+EF7DBD, then this happens now:

[before]


[after]




Make sure you don't have the message on-screen (exit the restricted area) before RET-ing the prologue. That byte[OutOfBoundsQueryComponent+0x60] needs to be reset to 0 by the same function you're disabling. Else you'll say "it's not working". In short: do it BEFORE the message shows up.