Marvel's Avengers

[Sevael]

No one has figured this out yet so far until now.

Not true.

Those who have dabbled in costume unlocks haven't posted their results here because we don't know what actions might be taken against this site if they did. Unlocking costumes (some of them, at least) requires you to spend real-life money, so it's probably best not to distribute a way to circumvent that and get them for free.

[Captain America]

No one has figured this out yet so far until now.

Not true.

Those who have dabbled in costume unlocks haven't posted their results here because we don't know what actions might be taken against this site if they did. Unlocking costumes (some of them, at least) requires you to spend real-life money, so it's probably best not to distribute a way to circumvent that and get them for free.

Good point!

Shall make the info classified

luckily sunbeams method only unlocks what is already normal obtainable through gameplay without spending real life money.

[Gwinbleid]

Those who have dabbled in costume unlocks haven't posted their results here because we don't know what actions might be taken against this site if they did.

So maybe someone can PM me a way to unlock cosmetics, especially premium ones?) That way it won't be public. Hence, no fear)

[SunBeam]

...

I honestly believe you're full of shit If that were the case, why did you provide a table with a ton shit of editing capability? Why are people here posting stuff that has to do with unlocks, like those numerical ids you're so fond of? If something were to happen to FRF, the topic would either be locked down or removed completely. Since it's still here, knock yourselves out

P.S.#1: Kindly freakin' post the data hashes in HEXADECIMAL format (e.g.: 3139467863 Might -> 0xBB207A57), people..

P.S.#2: And since we're at it.. these are not proper:



Check out the values in the table vs. the ones at the bottom-left. Now I know you've calculated the offsets.. but the actual code accessing the values really shows the way to get to the proper format.

Let's break the code down:

Code: Select all

avengers.exe+1D66DC0 - 48 83 B9 F8030000 00  - cmp qword ptr [rcx+000003F8],00 { 0 }
avengers.exe+1D66DC8 - 74 3E                 - je avengers.exe+1D66E08
avengers.exe+1D66DCA - 44 8B 02              - mov r8d,[rdx]
avengers.exe+1D66DCD - 33 D2                 - xor edx,edx
avengers.exe+1D66DCF - 41 8B C0              - mov eax,r8d
avengers.exe+1D66DD2 - 48 F7 B1 00040000     - div [rcx+00000400]
avengers.exe+1D66DD9 - 48 8B 81 E8030000     - mov rax,[rcx+000003E8]
avengers.exe+1D66DE0 - 48 8B 04 D0           - mov rax,[rax+rdx*8]
avengers.exe+1D66DE4 - 48 85 C0              - test rax,rax
avengers.exe+1D66DE7 - 74 1F                 - je avengers.exe+1D66E08
avengers.exe+1D66DE9 - 0F1F 80 00000000      - nop dword ptr [rax+00000000]
avengers.exe+1D66DF0 - 44 39 40 08           - cmp [rax+08],r8d
avengers.exe+1D66DF4 - 74 08                 - je avengers.exe+1D66DFE
avengers.exe+1D66DF6 - 48 8B 00              - mov rax,[rax]
avengers.exe+1D66DF9 - 48 85 C0              - test rax,rax
avengers.exe+1D66DFC - 75 F2                 - jne avengers.exe+1D66DF0
avengers.exe+1D66DFE - 48 85 C0              - test rax,rax
avengers.exe+1D66E01 - 74 05                 - je avengers.exe+1D66E08
avengers.exe+1D66E03 - 0FB7 40 0C            - movzx eax,word ptr [rax+0C]
avengers.exe+1D66E07 - C3                    - ret 
avengers.exe+1D66E08 - 33 C0                 - xor eax,eax
avengers.exe+1D66E0A - C3                    - ret 

Your base is:

Code: Select all

["avengers.exe"+0x47B8C30]+3E8

So from what I could gather, there's a global pointer that leads to the structure address in use here: "avengers.exe"+0x47B8C30. If you read the quad from this one, you get that base I'm talking about. Who is the base? Well, in my case:



So, for me: [avengers.exe+0x47B8C30] == 0000000176073CF0. Fine so far.

Then if you check the code snippet I posted above, there's this:

Code: Select all

..
avengers.exe+1D66DD9 - 48 8B 81 E8030000     - mov rax,[rcx+000003E8]
avengers.exe+1D66DE0 - 48 8B 04 D0           - mov rax,[rax+rdx*8]
..

Which means a pointer to an array/table is being acquired from 0x3E8 offset, then, based on edx (rdx), a pointer to another structure is retrieved. I am assuming here you've thought "well, the offsets for each item read through here are constant". Hence why I see this in the table:



Now.. if you go like "well, it works for me", then we're done here Else.. that 0x100 offset you put there I'm afraid isn't a constant.

Back to "who is the base":







Looking at the member-functions table, I saw this function at offset 0x28:



So [avengers.exe+0x47B8C30] == 0000000176073CF0 == InventoryComponent. Member-function at [[InventoryComponent]+0x28] is GetClassName.

Alright, so far so good. Now let's take a look at InventoryComponent+0x3F8, 0x400 and 0x3F8. Because our code looks like this:

Code: Select all

avengers.exe+1D66DC0 - 48 83 B9 F8030000 00  - cmp qword ptr [rcx+000003F8],00 { 0 }
avengers.exe+1D66DC8 - 74 3E                 - je avengers.exe+1D66E08
avengers.exe+1D66DCA - 44 8B 02              - mov r8d,[rdx]
avengers.exe+1D66DCD - 33 D2                 - xor edx,edx
avengers.exe+1D66DCF - 41 8B C0              - mov eax,r8d
avengers.exe+1D66DD2 - 48 F7 B1 00040000     - div [rcx+00000400]
avengers.exe+1D66DD9 - 48 8B 81 E8030000     - mov rax,[rcx+000003E8]
avengers.exe+1D66DE0 - 48 8B 04 D0           - mov rax,[rax+rdx*8]

So:



Therefore, if 0x3F8 is 0, there's no calculus done, as the JE @ avengers.exe+1D66DC8 will exit. If it's not 0, then:

- a value is read into r8d from [rdx]
- edx becomes 0 and the read value is moved into eax
- a division occurs (the div instruction) which, according to the theory behind it ([Link]), does this:

Code: Select all

mov edx, 0        ; clear dividend
mov eax, 0x8003   ; dividend
mov ecx, 0x100    ; divisor
div ecx           ; EAX = 0x80, EDX = 0x3

In our case, "xor edx,edx" does the "clear dividend" part. Then the "dividend" is the value read from [rdx] into r8d, then moved into eax. So "mov eax,0x8003" matches our "mov eax,r8d". Then the "mov ecx,0x100" + "div ecx" is in the form of "div [rcx+400]". So [rcx+400] is our divisor. And we know its value is 0x11. So the operation is "whatever value is in [rdx]->r8d->eax divided by [rcx+400], as in 0x11". The result is the offset you want to combine then in [[InventoryComponent+3E8]+x*8]. Where "x" is the result of the division.

Which brings us to the new question: who the fuck is "x"? Let's see how it's obtained. Just return to game, then set a breakpoint @ avengers.exe+1D66DC0:

Code: Select all

avengers.exe+1D66DC0 - 48 83 B9 F8030000 00  - cmp qword ptr [rcx+000003F8],00 { 0 }

I'm using x64dbg to debug this. Then press TAB to open up the Inventory list. When your CE or x64dbg breaks, exit the function (check [rsp]) and you'll land here:



Notice how I've already set a breakpoint a little bit up because that's where this LOOP starts. The loop that reads all 9 resource types. How do I know there's 9? Well, at the very bottom you have a check to see if loop continues or exits. Here:



So what does it actually happen in the loop and where's the dividend value read from? It comes from this logic:

Code: Select all

00000001421F9180 | 8BF3        | MOV ESI,EBX                        | starting index is 0 (ebx=0)
00000001421F9182 | 41:0FB60CB7 | MOVZX ECX,BYTE PTR DS:[R15+RSI*4]  | [r15+rsi*4] = 0x5 (offset for idx 0)
00000001421F9187 | E8 D4C088FF                         | CALL avengers.141A85260                                |

Inside the CALL:

Code: Select all

0000000141A85260 | 0FB6C1           | MOVZX EAX,CL                     |
0000000141A85263 | 48:8B0D E695D202 | MOV RCX,QWORD PTR DS:[1447AE850] |
0000000141A8526A | 48:6BC0 78       | IMUL RAX,RAX,78                  |
0000000141A8526E | 48:0341 18       | ADD RAX,QWORD PTR DS:[RCX+18]    |
0000000141A85272 | C3               | RET                              |

So the resulting RAX will be, in my case, 000000015E8301C0.

Then:

Code: Select all

00000001421F918C | 4C:8D05 FD1D7200 | LEA R8,QWORD PTR DS:[14291AF90] | 000000014291AF90:"resource"
00000001421F9193 | 48:8D4C24 68     | LEA RCX,QWORD PTR SS:[RSP+68]   |
00000001421F9198 | 8B10             | MOV EDX,DWORD PTR DS:[RAX]      | 0xCB78FF8 == resource_hash

Then the CALL will check if the hash in edx is valid (if 0, then it will return 0):

Code: Select all

00000001415D9E70 | 8911            | MOV DWORD PTR DS:[RCX],EDX         |
00000001415D9E72 | 85D2            | TEST EDX,EDX                       | is 0?
00000001415D9E74 | 48:8BC1         | MOV RAX,RCX                        |
00000001415D9E77 | 0F4415 0688E401 | CMOVE EDX,DWORD PTR DS:[143422684] |
00000001415D9E7E | 8911            | MOV DWORD PTR DS:[RCX],EDX         |
00000001415D9E80 | C3              | RET                                |

Continuing:

Code: Select all

00000001421F91A4 | 8B00        | MOV EAX,DWORD PTR DS:[RAX] | hash
..
00000001421F91AE | E8 2D6FE4FF | CALL avengers.1420400E0    |

The function @ 1420400E0 is a look-up function. It uses the hash value to find a pointer in a table. And that pointer, in my case, is this: 000000028B0C9FA0. If I then check its memory space, I see this:



So.. hey.. 0xCB78FF8 == hash for "Fragments"

Let's continue:

Code: Select all

00000001421F91B7 | 48:8BF8      | MOV RDI,RAX                   | rdi<-pHash
..
00000001421F91DE | 48:8B4C24 60 | MOV RCX,QWORD PTR SS:[RSP+60] | this becomes [avengers.exe+0x47B8C30] == 0000000176073CF0
00000001421F91E3 | 48:8D5424 34 | LEA RDX,QWORD PTR SS:[RSP+34] | this loads the hash value in rdx (truncated edx is the hash DWORD)
..
00000001421F91FC | E8 BFDBB6FF  | CALL avengers.141D66DC0       | our read function, with the CMP and all we talked about

So then inside the CALL:

Code: Select all

0000000141D66DC0 | 48:83B9 F8030000 00 | CMP QWORD PTR DS:[RCX+3F8],0     | 0x11
0000000141D66DC8 | 74 3E               | JE avengers.141D66E08            |
0000000141D66DCA | 44:8B02             | MOV R8D,DWORD PTR DS:[RDX]       | 0xCB78FF8 (our hash)
0000000141D66DCD | 33D2                | XOR EDX,EDX                      | 0
0000000141D66DCF | 41:8BC0             | MOV EAX,R8D                      | 0xCB78FF8
0000000141D66DD2 | 48:F7B1 00040000    | DIV QWORD PTR DS:[RCX+400]       | 0x11
..                                                                        | --> rdx == 0x8
0000000141D66DD9 | 48:8B81 E8030000    | MOV RAX,QWORD PTR DS:[RCX+3E8]   | p
0000000141D66DE0 | 48:8B04D0           | MOV RAX,QWORD PTR DS:[RAX+RDX*8] | [p+8*8]
0000000141D66DE4 | 48:85C0             | TEST RAX,RAX                     | 0000000175DE92C0 == q
..
0000000141D66DF0 | 44:3940 08          | CMP DWORD PTR DS:[RAX+8],R8D     | check if [q+8] == hash
..
0000000141D66DFE | 48:85C0             | TEST RAX,RAX                     | check if q == valid
..
0000000141D66E03 | 0FB740 0C           | MOVZX EAX,WORD PTR DS:[RAX+C]    | read amount

So I get 0x2E9 in eax, which is 745 as decimal. And that value matches this, on-screen:



So that's the analysis behind it. The only thing left to determine is where R15 comes from. Which R15?.. This one:

Code: Select all

00000001421F9180 | 8BF3        | MOV ESI,EBX                        | starting index is 0 (ebx=0)
00000001421F9182 | 41:0FB60CB7 | MOVZX ECX,BYTE PTR DS:[R15+RSI*4]  | [r15+rsi*4] = 0x5 (offset for idx 0)

But do you actually need to know anything about it? Or is it sufficient that we've determine the calculus logic? What our read function needs is the base pointer and a hash value. With the breakpoint here:

Code: Select all

00000001421F91B3 | 8B4C24 78  | MOV ECX,DWORD PTR SS:[RSP+78] |

You will see the p->hash|string in RAX. And in my case, these are:



"Fragments" -> 0x0CB78FF8
"Plasma" -> 0x77E2DF2B
"Nanite" -> 0xA101AAAC
"Nanotube" -> 0x5779E7B7
"Catalyst" -> 0x5F13B6D1
"Upgrade Module" -> 0xC6658524
"Polychoron" -> 0xED2554AD
"Uru" -> 0x13C24C60
"DNA Key" -> 0x1B82A710
"Currency Coins" -> 0xF31BB28C

So here's a quick Lua with all of the above:

Code: Select all

local InventoryComponent = readQword( getAddressSafe( process ) + 0x47B8C30 )
local offset = readInteger( InventoryComponent + 0x400 )
print( string.format( "%X", InventoryComponent ) )
print( string.format( "%X", offset ) )
local dwFragmentsHash = 0x0CB78FF8
local Fragments_offset = dwFragmentsHash % offset
print( string.format( "%X", Fragments_offset ) )
local pResource = readQword( InventoryComponent + 0x3E8 )
local Fragments = readQword( pResource + Fragments_offset * 8 )
print( string.format( "%X", Fragments ) )
local readHash = readInteger( Fragments + 0x8 )
print( string.format( "0x%08X", readHash ) )
local readAmount = readInteger( Fragments + 0xC )
print( string.format( "%d", readAmount ) )

BR,
Sun

[asthebloody]

Not true.
Those who have dabbled in costume unlocks haven't posted their results here because we don't know what actions might be taken against this site if they did. Unlocking costumes (some of them, at least) requires you to spend real-life money, so it's probably best not to distribute a way to circumvent that and get them for free.

so we should pay thousand / million dollars for them just to unlock costumes? amazing

[SunBeam]

..and what's even funnier is there's 1 single reference to the hash for "Fragments", here:



Whereas "AV1" means "Avengers 1", I believe.

So that's how you'd find hashes for the game items My question now is.. Is Hardwood a game resource? If not, which game was coded before this one that used Foundation Engine and contained that type of resource? Or the rest. Cuz it's annoying to see developers bitching over hackers and reverse-engineering, but they're comfy reusing old shit and selling it as new T_T.. So, dear Crystal Dynamics, spare me the drama, please..

BR,
Sun

EDIT: Yeah, so it's the same Foundation Engine used for Rise of the Tomb Raider. I found a reference to a resource called Chromite Ore:



And google sez..



So.. the recipe for success: take the engine for a single-player game, revamp it a bit, add a few more specific stuff to it, don't remove the old stuff from it, pack it up nicely and insert micro-transactions + whine no one should touch your game cuz hacking dwindles in-game winnings from what people purchase. Awesome!..

[ChainEatFace]

...

I honestly believe you're full of shit If that were the case, why did you provide a table with a ton shit of editing capability? Why are people here posting stuff that has to do with unlocks, like those numerical ids you're so fond of? If something were to happen to FRF, the topic would either be locked down or removed completely. Since it's still here, knock yourselves out


BR,
Sun

Sevael is not full of shit, fearlessrevolution got taken down because they had an option to unlock marketplace skins (which did not really work). I would assume this thread would be locked if we tried that as well. But you can try or not. Sevael was just pointing that out.

[SunBeam]

Lastly, I took a look at the location I mentioned. There are 2 strings that get combined and used in the CALL that follows:

Code: Select all

0000000141061020 | 48:83EC 28       | SUB RSP,28                       |
0000000141061024 | 4C:8D05 15359E01 | LEA R8,QWORD PTR DS:[142A44540]  | "AV1_Resource_Upgrade_GearFragment"
000000014106102B | 48:8D15 5E9F8B01 | LEA RDX,QWORD PTR DS:[14291AF90] | "resource"
0000000141061032 | 48:8D0D 6B8C7503 | LEA RCX,QWORD PTR DS:[1447B9CA4] |
0000000141061039 | E8 C28E5700      | CALL avengers.1415D9F00          |
000000014106103E | 48:8D0D EB987001 | LEA RCX,QWORD PTR DS:[14276A930] |
0000000141061045 | 48:83C4 28       | ADD RSP,28                       |
0000000141061049 | E9 663A6401      | JMP avengers.1426A4AB4           |

RCX in the above is the recipient of whatever happens in the CALL:



So we have something like this: HashMe( p, "resource", "AV1_Resource_Upgrade_GearFragment" )

Then I wanted to learn what cryptographic algorithm is this. So I went inside the CALL and saw this:



Quick google search for FF51AFD7ED558CCD returned these:

- [Link]
- [Link]
- [Link]

The last one's quite funny. 2013

So Crystal Dynamics was apparently looking for "extremely fast hashes". So they ended up using this implementation of MurmurHash: [Link]. *claps*!

So the hashes I mentioned 2 posts ago should be interpreted like this: Fragments -> "resource" + "AV1_Resource_Upgrade_GearFragment" == 0x0CB78FF8.

Run this in Lua and let me know if you get the same result as I do

Code: Select all

local alloc = allocateMemory( 64 )
local MurmurHashMe = getAddressSafe( process ) + 0x15D9F00
local strA = 'resource'
local strB = 'AV1_Resource_Upgrade_GearFragment'
executeCodeEx( 0, nil, MurmurHashMe, alloc, strA, strB )
local t = readInteger( alloc )
print( string.format( "0x%08X", t ) )
deAlloc( alloc )

Fun times

BR,
Sun

[SunBeam]

Sevael is not full of shit, C H got taken down because they had an option to unlock marketplace skins (which did not really work). I would assume this thread would be locked if we tried that as well. But you can try or not. Sevael was just pointing that out.

I know the story, but like I said.. with FRF's different So carry on.

EDIT: I was further checking the code and found this

Code: Select all

0000000141E83FB6 | E8 A581CCFF      | CALL avengers.141B4C160          |
-->
0000000141B4C160 | 48:8B05 B164C602 | MOV RAX,QWORD PTR DS:[1447B2618] |
0000000141B4C167 | C3               | RET                              |
<--
0000000141E83FBB | 48:8B78 48       | MOV RDI,QWORD PTR DS:[RAX+48]    |
0000000141E83FBF | 48:85FF          | TEST RDI,RDI                     |
0000000141E83FC2 | 75 39            | JNE avengers.141E83FFD           |
..
..
0000000141E83FFD | 48:8D15 0444BD00 | LEA RDX,QWORD PTR DS:[142A58408] | 0000000142A58408:"AV1_Currency_AvengerCoins"
0000000141E84004 | 48:8BCF          | MOV RCX,RDI                      |
0000000141E84007 | E8 8482CCFF      | CALL avengers.141B4C290          |
-->
..
0000000141B4C296 | 48:8BD9          | MOV RBX,RCX                      |
0000000141B4C299 | 48:85D2          | TEST RDX,RDX                     |
..
0000000141B4C29E | 48:8B0D D30E4601 | MOV RCX,QWORD PTR DS:[142FAD178] | 0000000142FAD178:&"TRXCardNames"
0000000141B4C2A5 | E8 46C16CFF      | CALL avengers.1412183F0          | MurmurHash
0000000141B4C2AA | 48:837B 68 00    | CMP QWORD PTR DS:[RBX+68],0      |
0000000141B4C2AF | 8BC8             | MOV ECX,EAX                      |
0000000141B4C2B1 | 74 30            | JE avengers.141B4C2E3            |
0000000141B4C2B3 | 33D2             | XOR EDX,EDX                      |
0000000141B4C2B5 | 8BC1             | MOV EAX,ECX                      |
0000000141B4C2B7 | 48:F773 70       | DIV QWORD PTR DS:[RBX+70]        |
0000000141B4C2BB | 48:8B43 58       | MOV RAX,QWORD PTR DS:[RBX+58]    |
0000000141B4C2BF | 48:8B04D0        | MOV RAX,QWORD PTR DS:[RAX+RDX*8] |
0000000141B4C2C3 | 48:85C0          | TEST RAX,RAX                     |
0000000141B4C2C6 | 74 1B            | JE avengers.141B4C2E3            |
0000000141B4C2C8 | 3948 08          | CMP DWORD PTR DS:[RAX+8],ECX     |
0000000141B4C2CB | 74 08            | JE avengers.141B4C2D5            |
0000000141B4C2CD | 48:8B00          | MOV RAX,QWORD PTR DS:[RAX]       |
0000000141B4C2D0 | 48:85C0          | TEST RAX,RAX                     |
0000000141B4C2D3 | 75 F3            | JNE avengers.141B4C2C8           |
0000000141B4C2D5 | 48:85C0          | TEST RAX,RAX                     |
0000000141B4C2D8 | 74 09            | JE avengers.141B4C2E3            |
0000000141B4C2DA | 8B40 0C          | MOV EAX,DWORD PTR DS:[RAX+C]     |
0000000141B4C2DD | 48:83C4 20       | ADD RSP,20                       |
0000000141B4C2E1 | 5B               | POP RBX                          |
0000000141B4C2E2 | C3               | RET                              |
0000000141B4C2E3 | 33C0             | XOR EAX,EAX                      |
0000000141B4C2E5 | 48:83C4 20       | ADD RSP,20                       |
0000000141B4C2E9 | 5B               | POP RBX                          |
0000000141B4C2EA | C3               | RET                              |
<--

Guess what it does?

[ChainEatFace]

Sevael is not full of shit, C H got taken down because they had an option to unlock marketplace skins (which did not really work). I would assume this thread would be locked if we tried that as well. But you can try or not. Sevael was just pointing that out.

I know the story, but like I said.. with FRF's different So carry on.

EDIT: I was further checking the code and found this

Code: Select all

0000000141E83FB6 | E8 A581CCFF      | CALL avengers.141B4C160          |
-->
0000000141B4C160 | 48:8B05 B164C602 | MOV RAX,QWORD PTR DS:[1447B2618] |
0000000141B4C167 | C3               | RET                              |
<--
0000000141E83FBB | 48:8B78 48       | MOV RDI,QWORD PTR DS:[RAX+48]    |
0000000141E83FBF | 48:85FF          | TEST RDI,RDI                     |
0000000141E83FC2 | 75 39            | JNE avengers.141E83FFD           |
..
..
0000000141E83FFD | 48:8D15 0444BD00 | LEA RDX,QWORD PTR DS:[142A58408] | 0000000142A58408:"AV1_Currency_AvengerCoins"
0000000141E84004 | 48:8BCF          | MOV RCX,RDI                      |
0000000141E84007 | E8 8482CCFF      | CALL avengers.141B4C290          |
-->
..
0000000141B4C296 | 48:8BD9          | MOV RBX,RCX                      |
0000000141B4C299 | 48:85D2          | TEST RDX,RDX                     |
..
0000000141B4C29E | 48:8B0D D30E4601 | MOV RCX,QWORD PTR DS:[142FAD178] | 0000000142FAD178:&"TRXCardNames"
0000000141B4C2A5 | E8 46C16CFF      | CALL avengers.1412183F0          | MurmurHash
0000000141B4C2AA | 48:837B 68 00    | CMP QWORD PTR DS:[RBX+68],0      |
0000000141B4C2AF | 8BC8             | MOV ECX,EAX                      |
0000000141B4C2B1 | 74 30            | JE avengers.141B4C2E3            |
0000000141B4C2B3 | 33D2             | XOR EDX,EDX                      |
0000000141B4C2B5 | 8BC1             | MOV EAX,ECX                      |
0000000141B4C2B7 | 48:F773 70       | DIV QWORD PTR DS:[RBX+70]        |
0000000141B4C2BB | 48:8B43 58       | MOV RAX,QWORD PTR DS:[RBX+58]    |
0000000141B4C2BF | 48:8B04D0        | MOV RAX,QWORD PTR DS:[RAX+RDX*8] |
0000000141B4C2C3 | 48:85C0          | TEST RAX,RAX                     |
0000000141B4C2C6 | 74 1B            | JE avengers.141B4C2E3            |
0000000141B4C2C8 | 3948 08          | CMP DWORD PTR DS:[RAX+8],ECX     |
0000000141B4C2CB | 74 08            | JE avengers.141B4C2D5            |
0000000141B4C2CD | 48:8B00          | MOV RAX,QWORD PTR DS:[RAX]       |
0000000141B4C2D0 | 48:85C0          | TEST RAX,RAX                     |
0000000141B4C2D3 | 75 F3            | JNE avengers.141B4C2C8           |
0000000141B4C2D5 | 48:85C0          | TEST RAX,RAX                     |
0000000141B4C2D8 | 74 09            | JE avengers.141B4C2E3            |
0000000141B4C2DA | 8B40 0C          | MOV EAX,DWORD PTR DS:[RAX+C]     |
0000000141B4C2DD | 48:83C4 20       | ADD RSP,20                       |
0000000141B4C2E1 | 5B               | POP RBX                          |
0000000141B4C2E2 | C3               | RET                              |
0000000141B4C2E3 | 33C0             | XOR EAX,EAX                      |
0000000141B4C2E5 | 48:83C4 20       | ADD RSP,20                       |
0000000141B4C2E9 | 5B               | POP RBX                          |
0000000141B4C2EA | C3               | RET                              |
<--

Guess what it does?

Wow.. Does it work is the question. I tried a basic search but when I bought stuff, it wouldnt actually show up in the inventory

[SunBeam]

I dunno why you guys say Money doesn't work..





Works for me.. Or you mean the other blue currency that's 0 in top-right?..

[ChainEatFace]

...

Yeah the blue one is the marketplace currency (paid currency). I have altered the amount but once you buy something from the marketplace, it doesnt place it into your inventory. That currency and the Challenge Card seem to be server sided.

[Captain America]

...

Read a few reports about this before. Yeah it seems credits (paid currency) and Challenge card points are server side as you say.

Units the (green icon) (earnable through in game ) are easily editable.

[Captain America]

...

yeah the blue currency when u edit, its just visual and you cannot use it due to the actual currency being server sided.

[blackrobinhood]

The way SB decodes and explains everything is so soothing tbh (even tho I dont understand most of it)
+rep