Horizon Zero Dawn [Engine:Decima]

[SunBeam]

There is still a big flaw in your Unlimited Ammo script. You are also taking metal shards into consideration of manipulating. Money gets also fixed to 99 - which in most cases renders buying more expensive things impossible.

Which is why.. when looking at all the scripts posted so far fiddling with this option.. I was like "meh, when you see people hook stuff like 'mov rax,[rcx+rdx*8]' it will surely break some shit". Instructions like and improper filtering in functions that deal with ANY InventoryEntity will do that to you. Of course they can be fixed, no one said otherwise. It's just.. I'd prefer not seeing it happen. But you learn from any experience is what they say

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[SunBeam]

...

Code: Select all

HorizonZeroDawn.exe+B79170 - 48 85 C9              - test rcx,rcx
HorizonZeroDawn.exe+B79173 - 74 23                 - je HorizonZeroDawn.exe+B79198
HorizonZeroDawn.exe+B79175 - 48 83 79 40 00        - cmp qword ptr [rcx+40],00 { 0 }
HorizonZeroDawn.exe+B7917A - 74 1C                 - je HorizonZeroDawn.exe+B79198
HorizonZeroDawn.exe+B7917C - 48 8B 41 20           - mov rax,[rcx+20]
HorizonZeroDawn.exe+B79180 - 48 85 C0              - test rax,rax
HorizonZeroDawn.exe+B79183 - 74 13                 - je HorizonZeroDawn.exe+B79198
HorizonZeroDawn.exe+B79185 - C5FA1040 14           - vmovss xmm0,[rax+14]
HorizonZeroDawn.exe+B7918A - C5FA5C50 1C           - vsubss xmm2,xmm0,[rax+1C]
HorizonZeroDawn.exe+B7918F - C5F057C9              - vxorps xmm1,xmm1,xmm1
HorizonZeroDawn.exe+B79193 - C5F25FC2              - vmaxss xmm0,xmm1,xmm2
HorizonZeroDawn.exe+B79197 - C3                    - ret 
HorizonZeroDawn.exe+B79198 - C5FA1005 D8 69EE00    - vmovss xmm0,[HorizonZeroDawn.exe+1A5FB78] { (-1.00) }
HorizonZeroDawn.exe+B791A0 - C3                    - ret 

At the location above you have in RCX the CountdownTimer. [RCX+20] holds the CountdownTimerSave, the one you're obtaining in your hook. This one, at 0x1C holds the tick (counter going up). In the Engine string references there is this:

Code: Select all

00007FF7B0E6334B | 48:8D05 FE5E0100                    | LEA RAX,QWORD PTR DS:[7FF7B0E79250]                | rax:EntryPoint
00007FF7B0E63352 | C74424 28 03000000                  | MOV DWORD PTR SS:[RSP+28],3                        |
00007FF7B0E6335A | 4C:8BCB                             | MOV R9,RBX                                         | r9:EntryPoint
00007FF7B0E6335D | 48:894424 20                        | MOV QWORD PTR SS:[RSP+20],RAX                      | rax:EntryPoint
00007FF7B0E63362 | 4C:8D05 AFE41B01                    | LEA R8,QWORD PTR DS:[7FF7B2021818]                 | 00007FF7B2021818:"CountdownTimer_ExportedResetTimer"

If you go to the function @ "HorizonZeroDawn.exe+B6334B - 48 8D 05 FE5E0100 - lea rax,[HorizonZeroDawn.exe+B79250]", as in "HorizonZeroDawn.exe+B79250", you will see this:

Code: Select all

HorizonZeroDawn.exe+B79250 - 48 85 C9              - test rcx,rcx // CountdownTimer
HorizonZeroDawn.exe+B79253 - 74 17                 - je HorizonZeroDawn.exe+B7926C
HorizonZeroDawn.exe+B79255 - 48 83 79 40 00        - cmp qword ptr [rcx+40],00 { 0 } // IsValid
HorizonZeroDawn.exe+B7925A - 74 10                 - je HorizonZeroDawn.exe+B7926C
HorizonZeroDawn.exe+B7925C - 48 8B 41 20           - mov rax,[rcx+20] // CountdownTimerSave
HorizonZeroDawn.exe+B79260 - 48 85 C0              - test rax,rax
HorizonZeroDawn.exe+B79263 - 74 07                 - je HorizonZeroDawn.exe+B7926C
HorizonZeroDawn.exe+B79265 - C7 40 1C 00000000     - mov [rax+1C],00000000 { 0 } // reset
HorizonZeroDawn.exe+B7926C - C3                    - ret 

So there you go. You can also script it like this in Lua:

Code: Select all

local timer = --timer address from hook @ "HorizonZeroDawn.exe+B79175"
local ResetTimer = getAddressSafe( process ) + 0xB79250 --HorizonZeroDawn.exe+B79250
executeCodeEx( 0, nil, ResetTimer, timer )

So I got this path:



Then there's also this:

Code: Select all

00007FF7B0E63486 | 48:8D05 435D0100                    | LEA RAX,QWORD PTR DS:[7FF7B0E791D0]                | rax:EntryPoint
00007FF7B0E6348D | C74424 28 03000000                  | MOV DWORD PTR SS:[RSP+28],3                        |
00007FF7B0E63495 | 4C:8BCB                             | MOV R9,RBX                                         | r9:EntryPoint
00007FF7B0E63498 | 48:894424 20                        | MOV QWORD PTR SS:[RSP+20],RAX                      | rax:EntryPoint
00007FF7B0E6349D | 4C:8D05 D4E11B01                    | LEA R8,QWORD PTR DS:[7FF7B2021678]                 | 00007FF7B2021678:"CountdownTimer_ExportedPauseTimer"

Which leads to this function in CE:

Code: Select all

HorizonZeroDawn.exe+B791D0 - 48 85 C9              - test rcx,rcx
HorizonZeroDawn.exe+B791D3 - 74 70                 - je HorizonZeroDawn.exe+B79245
HorizonZeroDawn.exe+B791D5 - 53                    - push rbx
HorizonZeroDawn.exe+B791D6 - 48 83 EC 50           - sub rsp,50 { 80 }
HorizonZeroDawn.exe+B791DA - 48 83 79 40 00        - cmp qword ptr [rcx+40],00 { 0 }
HorizonZeroDawn.exe+B791DF - 48 8B D9              - mov rbx,rcx
HorizonZeroDawn.exe+B791E2 - 74 5C                 - je HorizonZeroDawn.exe+B79240
HorizonZeroDawn.exe+B791E4 - 48 8B 41 20           - mov rax,[rcx+20]
HorizonZeroDawn.exe+B791E8 - 48 85 C0              - test rax,rax
HorizonZeroDawn.exe+B791EB - 74 53                 - je HorizonZeroDawn.exe+B79240
HorizonZeroDawn.exe+B791ED - C6 40 10 00           - mov byte ptr [rax+10],00 { 0 }
HorizonZeroDawn.exe+B791F1 - 48 83 79 40 00        - cmp qword ptr [rcx+40],00 { 0 }
HorizonZeroDawn.exe+B791F6 - 74 48                 - je HorizonZeroDawn.exe+B79240
HorizonZeroDawn.exe+B791F8 - 48 8D 4C 24 20        - lea rcx,[rsp+20]
HorizonZeroDawn.exe+B791FD - E8 4EB61000           - call HorizonZeroDawn.exe+C84850
HorizonZeroDawn.exe+B79202 - 48 89 5C 24 40        - mov [rsp+40],rbx
HorizonZeroDawn.exe+B79207 - 48 8D 05 528C1A01     - lea rax,[HorizonZeroDawn.exe+1D21E60] { (7FF7B0E644F0) }
HorizonZeroDawn.exe+B7920E - 48 8B 5B 40           - mov rbx,[rbx+40]
HorizonZeroDawn.exe+B79212 - 48 89 44 24 20        - mov [rsp+20],rax
HorizonZeroDawn.exe+B79217 - 48 8B CB              - mov rcx,rbx
HorizonZeroDawn.exe+B7921A - 48 8B 03              - mov rax,[rbx]
HorizonZeroDawn.exe+B7921D - FF 10                 - call qword ptr [rax]
HorizonZeroDawn.exe+B7921F - 4C 8D 0D DA1AB601     - lea r9,[HorizonZeroDawn.exe+26DAD00] { (70837) }
HorizonZeroDawn.exe+B79226 - 48 8B D3              - mov rdx,rbx
HorizonZeroDawn.exe+B79229 - 48 8B C8              - mov rcx,rax
HorizonZeroDawn.exe+B7922C - 4C 8D 44 24 20        - lea r8,[rsp+20]
HorizonZeroDawn.exe+B79231 - E8 2A2D77FF           - call HorizonZeroDawn.exe+2EBF60
HorizonZeroDawn.exe+B79236 - 48 8D 4C 24 20        - lea rcx,[rsp+20]
HorizonZeroDawn.exe+B7923B - E8 608476FF           - call HorizonZeroDawn.exe+2E16A0
HorizonZeroDawn.exe+B79240 - 48 83 C4 50           - add rsp,50 { 80 }
HorizonZeroDawn.exe+B79244 - 5B                    - pop rbx
HorizonZeroDawn.exe+B79245 - C3                    - ret 

If you feed the same CountdownTimer pointer to it, you'll get it to pause.

BR,
Sun

[axellslade]

Oh SunBean, god of tearing game engine functions apart, please release your mightmighty table for us plebs.

Edit: Typo.

[IcyPurpose99]

Found modifications in weapons:

NOTE: THis is only accessing a reference to a modification, selling it seems to kill it off on all slots used. So yeah, it is a pointer...

I am still trying to understand what the numbers mean...

How to use?
1. Goto Crafting and modify weapons.
2. Apply/Remove Modification from slot.

I think right now this only works on the first slot.

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>1337092203</ID>
      <Description>"Get Modifications"</Description>
      <LastState Activated="1"/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : HorizonZeroDawn.exe
  Version: 
  Date   : 2020-08-09
  Author : Marcus101RR

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(getModifcation,HorizonZeroDawn.exe,48 8B 0C D0 33 D2 48 85 C9 48 8D 41 E0 48 0F 44 C2 48) // should be unique
alloc(newmem,$1000,getModifcation)

label(code)
label(return)

label(gModifications)
registersymbol(gModifications)
newmem:

code:
  mov [gModifications],rax
  mov rcx,[rax+rdx*8]
  xor edx,edx
  jmp return

gModifications:
dq 0

getModifcation:
  jmp newmem
  nop
return:
registersymbol(getModifcation)

[DISABLE]

getModifcation:
  db 48 8B 0C D0 33 D2

unregistersymbol(getModifcation)
dealloc(newmem)
unregistersymbol(gModifcation)
{
// ORIGINAL CODE - INJECTION POINT: "HorizonZeroDawn.exe"+1481FCB

"HorizonZeroDawn.exe"+1481FB9: CC                    -  int 3 
"HorizonZeroDawn.exe"+1481FBA: CC                    -  int 3 
"HorizonZeroDawn.exe"+1481FBB: CC                    -  int 3 
"HorizonZeroDawn.exe"+1481FBC: CC                    -  int 3 
"HorizonZeroDawn.exe"+1481FBD: CC                    -  int 3 
"HorizonZeroDawn.exe"+1481FBE: CC                    -  int 3 
"HorizonZeroDawn.exe"+1481FBF: CC                    -  int 3 
"HorizonZeroDawn.exe"+1481FC0: 48 63 C2              -  movsxd  rax,edx
"HorizonZeroDawn.exe"+1481FC3: 48 8D 14 40           -  lea rdx,[rax+rax*2]
"HorizonZeroDawn.exe"+1481FC7: 48 8B 41 60           -  mov rax,[rcx+60]
// ---------- INJECTING HERE ----------
"HorizonZeroDawn.exe"+1481FCB: 48 8B 0C D0           -  mov rcx,[rax+rdx*8]
"HorizonZeroDawn.exe"+1481FCF: 33 D2                 -  xor edx,edx
// ---------- DONE INJECTING  ----------
"HorizonZeroDawn.exe"+1481FD1: 48 85 C9              -  test rcx,rcx
"HorizonZeroDawn.exe"+1481FD4: 48 8D 41 E0           -  lea rax,[rcx-20]
"HorizonZeroDawn.exe"+1481FD8: 48 0F 44 C2           -  cmove rax,rdx
"HorizonZeroDawn.exe"+1481FDC: 48 85 C0              -  test rax,rax
"HorizonZeroDawn.exe"+1481FDF: 74 13                 -  je HorizonZeroDawn.exe+1481FF4
"HorizonZeroDawn.exe"+1481FE1: 48 8D 88 88 02 00 00  -  lea rcx,[rax+00000288]
"HorizonZeroDawn.exe"+1481FE8: 48 8D 15 C1 37 41 01  -  lea rdx,[HorizonZeroDawn.exe+28957B0]
"HorizonZeroDawn.exe"+1481FEF: E9 0C 91 6D FF        -  jmp HorizonZeroDawn.exe+B5B100
"HorizonZeroDawn.exe"+1481FF4: C3                    -  ret 
"HorizonZeroDawn.exe"+1481FF5: CC                    -  int 3 
}
</AssemblerScript>
      <CheatEntries>
        <CheatEntry>
          <ID>1337092204</ID>
          <Description>"No description"</Description>
          <LastState Value="546397360" RealAddress="2B1DA9E7050"/>
          <VariableType>4 Bytes</VariableType>
          <Address>gModifications</Address>
          <Offsets>
            <Offset>0</Offset>
          </Offsets>
        </CheatEntry>
        <CheatEntry>
          <ID>1337092205</ID>
          <Description>"No description"</Description>
          <LastState Value="3032450896" RealAddress="2B1DA9E7060"/>
          <VariableType>4 Bytes</VariableType>
          <Address>gModifications</Address>
          <Offsets>
            <Offset>10</Offset>
          </Offsets>
        </CheatEntry>
      </CheatEntries>
    </CheatEntry>
  </CheatEntries>
</CheatTable>

[SunBeam]

CountdownTimer_ResetTimer:

Code: Select all

[ENABLE]

{$lua}
return [[alloc( KeyHandlerThread, 0x1000, ]] .. process .. [[ )]]
{$asm}
registersymbol( KeyHandlerThread )
CreateThread( KeyHandlerThread )
label( KeyHandlerOff )
registersymbol( KeyHandlerOff )
label( KeyHandlerThread_loop )
label( KeyHandlerThread_back )

label( FindComponent )
label( FindComponent_exit )

KeyHandlerThread:
sub rsp,28

KeyHandlerThread_loop:
mov rcx,A
call Sleep

cmp [KeyHandlerOff],1
jne short @f
  add rsp,28
  mov [KeyHandlerOff],2
  ret
@@:

  // VK_NUMPAD.
  mov rcx,6E
  call GetAsyncKeyState
  test ax,ax
  je KeyHandlerThread_back

    xor ecx,ecx
    call HorizonZeroDawn.exe+C30E90        // GetLocalPlayer
    mov rcx,rax
    mov rcx,[rcx+D0]                       // GameViewGame
    mov rcx,[rcx+350]                      // HUD
    lea rcx,[rcx+128]                      // table_size
    lea rdx,[HorizonZeroDawn.exe+28104B0]  // HUDCountdownTimerLogic
    call short FindComponent
    test rax,rax                           // if HUDCountdownTimerLogic == NULL
    je short @f                            // exit

      mov rcx,[rax+60]                     // CountdownTimer
      test rcx,rcx                         // if CountdownTimer == NULL
      je short @f                          // exit

        // ResetTimer
        call HorizonZeroDawn.exe+B79250

    @@:
    mov rcx,C8
    call Sleep

  KeyHandlerThread_back:
  jmp KeyHandlerThread_loop

align 10 CC

FindComponent:
  sub rsp,28
  mov rbx,[rcx+8]              // table_start
  movsx rax,[rcx]              // size
  lea rdi,[rbx+rax*8]          // table_end
  @@:
  cmp rbx,rdi                  // if current step == table_end
  je short FindComponent_exit  // exit
    mov rcx,[rbx]
    mov rax,[rcx]
    call [rax]                 // GetName
    add rbx,8
    cmp rax,rdx
    jne short @b
      mov rax,rcx
      add rsp,28
      ret
  FindComponent_exit:
  xor rax,rax
  add rsp,28
  ret

align 10 CC

KeyHandlerOff:
dd 0

align 10 CC

[DISABLE]

{$lua}

if not syntaxcheck then
  local starttime = getTickCount()

  if readInteger( "KeyHandlerOff" ) == 0 then --could be 2 already
    writeInteger( "KeyHandlerOff", 1 ) --tell the thread to kill itself
  end

  while( getTickCount() < starttime + 1000 ) and ( readInteger( "KeyHandlerOff" ) ~= 2 ) do --wait till it has finished
    sleep( 20 )
  end

  if( getTickCount() > starttime + 1000 ) then --could happen when the window is shown
    showMessage( 'Disabling the thread failed!' )
    error( 'Thread disabling failed!' )
  end
    sleep( 1 )
  end

{$asm}

unregistersymbol( KeyHandlerOff )
unregistersymbol( KeyHandlerThread )
dealloc( KeyHandlerThread )

Paste this script in your table, enable it and press Numpad Del when you want to reset any active Trial's timer

[MnemonicLight]

Hell yea, thank you SunBeam, because I can not get a burning sun in the log challenge to save my life

Edit: I think I'm doing something wrong because the pointer for the engine is not showing up when I paste it

[Ashar]

i tried posting that script, but it wouldnt let me. The other scripts can be added fine, but not the timer one.

[Oridjinn]

Hell yea, thank you SunBeam, because I can not get a burning sun in the log challenge to save my life

Edit: I think I'm doing something wrong because the pointer for the engine is not showing up when I paste it

i tried posting that script, but it wouldnt let me. The other scripts can be added fine, but not the timer one.

Mine's not as robust as SunBeam's, but I think it's working (you can find it two pages back). Can just freeze the value whenever you're hunting and take however long you like!

[SunBeam]

i tried posting that script, but it wouldnt let me. The other scripts can be added fine, but not the timer one.

Open CE, open Memory Viewer, Ctrl+A, paste what you copied, File > Assign to current cheat table.

I am sorry, but this is purely noob stuff you should be able to do. But then again, you people bitch at me when I uncover your noob asses.. "where does he know I have no fucking clue about CE?". That's where.

[MnemonicLight]

I fully admit to being a noob at this, thank ya!!!

[SunBeam]

Updated first post. Enjoy.

[KS212]

@Sunbeam

Just a question (no, this isn't a request) since you're digging into the engine... is there any leftover anything anywhere about potentially being able to ride the Stormbird as a mount? This feature not being in the game by default has always felt like a huge oversight... so just curious on if they actually ever planned to do it and just didn't finish it or if they really didn't do it.

[ReDe3m3r]

Hmm, the countdown timer is for the challenges?

[fireundubh]

Some interesting functions:

WorldMap::FastTravelToCrosshair_141297A00
WorldMap::FastTravelToMarker_141297C10
WorldMap::FastTravelSkipToDestination_141297D30

There's probably a switch somewhere that you can flip to let you fast travel to any campfire. I'm hoping to find a way to unlock all fast travel points. Looking... looking...

[jgoemat]

Here's a stealth cheat. Probably will need to be changed after an update since the AOB needs to go into the next function to be unique:

Code: Select all

{ Game   : HorizonZeroDawn.exe
  Version: 
  Date   : 2020-08-09
  Author : jgoemat

  Not a very good AOB, will need to change I'm sure when the game is updated
}

[ENABLE]

aobscanmodule(INJECT_STEALTH,HorizonZeroDawn.exe,40 0F B6 C7 48 83 C4 20 5F C3 CC CC CC CC CC 48 89 5C 24 08 57 48 83 EC 20 48 8B) // should be unique
alloc(newmem,$1000,"HorizonZeroDawn.exe"+12EB8C1)

label(code)
label(return)

newmem:

code:
  movzx eax,dil // original code
  xor eax,eax   // set to 0 instead
  add rsp,20    // original code
  jmp return

INJECT_STEALTH:
  jmp newmem
  nop 3
return:
registersymbol(INJECT_STEALTH)

[DISABLE]

INJECT_STEALTH:
  db 40 0F B6 C7 48 83 C4 20

unregistersymbol(INJECT_STEALTH)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "HorizonZeroDawn.exe"+12EB8C1

HorizonZeroDawn.exe+12EB880 - 48 89 5C 24 08        - mov [rsp+08],rbx
HorizonZeroDawn.exe+12EB885 - 57                    - push rdi
HorizonZeroDawn.exe+12EB886 - 48 83 EC 20           - sub rsp,20
HorizonZeroDawn.exe+12EB88A - 48 8B 79 08           - mov rdi,[rcx+08]
HorizonZeroDawn.exe+12EB88E - 48 8D 5F 50           - lea rbx,[rdi+50]
HorizonZeroDawn.exe+12EB892 - 48 8B CB              - mov rcx,rbx
HorizonZeroDawn.exe+12EB895 - FF 15 A5D07500        - call qword ptr [HorizonZeroDawn.exe+1A48940]
"HorizonZeroDawn.exe"+12EB89B: 85 C0                 -  test eax,eax
"HorizonZeroDawn.exe"+12EB89D: 75 09                 -  jne HorizonZeroDawn.exe+12EB8A8
"HorizonZeroDawn.exe"+12EB89F: 48 8B CB              -  mov rcx,rbx
"HorizonZeroDawn.exe"+12EB8A2: FF 15 A0 D0 75 00     -  call qword ptr [HorizonZeroDawn.exe+1A48948]
"HorizonZeroDawn.exe"+12EB8A8: 48 8B CF              -  mov rcx,rdi
"HorizonZeroDawn.exe"+12EB8AB: E8 F0 72 17 00        -  call HorizonZeroDawn.exe+1462BA0
"HorizonZeroDawn.exe"+12EB8B0: 48 8B CB              -  mov rcx,rbx
"HorizonZeroDawn.exe"+12EB8B3: 0F B6 F8              -  movzx edi,al
"HorizonZeroDawn.exe"+12EB8B6: FF 15 7C D0 75 00     -  call qword ptr [HorizonZeroDawn.exe+1A48938]
"HorizonZeroDawn.exe"+12EB8BC: 48 8B 5C 24 30        -  mov rbx,[rsp+30]
// ---------- INJECTING HERE ----------
"HorizonZeroDawn.exe"+12EB8C1: 40 0F B6 C7           -  movzx eax,dil
"HorizonZeroDawn.exe"+12EB8C5: 48 83 C4 20           -  add rsp,20
// ---------- DONE INJECTING  ----------
"HorizonZeroDawn.exe"+12EB8C9: 5F                    -  pop rdi
"HorizonZeroDawn.exe"+12EB8CA: C3                    -  ret 
"HorizonZeroDawn.exe"+12EB8CB: CC                    -  int 3 
"HorizonZeroDawn.exe"+12EB8CC: CC                    -  int 3 
"HorizonZeroDawn.exe"+12EB8CD: CC                    -  int 3 
"HorizonZeroDawn.exe"+12EB8CE: CC                    -  int 3 
"HorizonZeroDawn.exe"+12EB8CF: CC                    -  int 3 
"HorizonZeroDawn.exe"+12EB8D0: 48 89 5C 24 08        -  mov [rsp+08],rbx
"HorizonZeroDawn.exe"+12EB8D5: 57                    -  push rdi
"HorizonZeroDawn.exe"+12EB8D6: 48 83 EC 20           -  sub rsp,20
HorizonZeroDawn.exe+12EB8DA - 48 8B 59 08           - mov rbx,[rcx+08]
HorizonZeroDawn.exe+12EB8DE - 48 8B FA              - mov rdi,rdx
HorizonZeroDawn.exe+12EB8E1 - 8B 83 30020000        - mov eax,[rbx+00000230]
HorizonZeroDawn.exe+12EB8E7 - C1 E8 07              - shr eax,07
HorizonZeroDawn.exe+12EB8EA - A8 01                 - test al,01
HorizonZeroDawn.exe+12EB8EC - 75 57                 - jne HorizonZeroDawn.exe+12EB945
HorizonZeroDawn.exe+12EB8EE - 48 8B 03              - mov rax,[rbx]
HorizonZeroDawn.exe+12EB8F1 - 48 8B CB              - mov rcx,rbx
HorizonZeroDawn.exe+12EB8F4 - FF 90 00010000        - call qword ptr [rax+00000100]
HorizonZeroDawn.exe+12EB8FA - 84 C0                 - test al,al
HorizonZeroDawn.exe+12EB8FC - 74 16                 - je HorizonZeroDawn.exe+12EB914
HorizonZeroDawn.exe+12EB8FE - 80 BB C0020000 00     - cmp byte ptr [rbx+000002C0],00
HorizonZeroDawn.exe+12EB905 - 75 0D                 - jne HorizonZeroDawn.exe+12EB914
HorizonZeroDawn.exe+12EB907 - B0 01                 - mov al,01
HorizonZeroDawn.exe+12EB909 - 48 8B 5C 24 30        - mov rbx,[rsp+30]
HorizonZeroDawn.exe+12EB90E - 48 83 C4 20           - add rsp,20
HorizonZeroDawn.exe+12EB912 - 5F                    - pop rdi
HorizonZeroDawn.exe+12EB913 - C3                    - ret
}