Baldur's Gate 3

[Zanzer]

Here's a listing of the dumped class/structure names. Haven't looked into how to use them yet.

I'll point out a few interesting ones that could possibly unlock great potential.

Code: Select all

0018 class ecl::GameMasterCampaignManager
0019 class ecl::GameMasterManager
000F class ecl::GameMasterProtocol
0029 class eoc::GameMasterComponent
006F class esv::GameMasterCampaignManager
0070 class esv::GameMasterManager
003A class esv::GameMasterProtocol

I'll hazard a guess and say the class namespaces refer to:
ecl == client
esv == server
eoc == domain objects

The dump:

[SunBeam]

^ Glad someone did that boring work for us I was gonna write some script to pull those out, but heh. Much more interesting getting the client/server to player to character logic

eoc == domain objects

I think that might be object components (o.c.) I mean.. it's in the FQN itself -> eoc::GameMasterComponent.

[Zanzer]

A few function name dumps for future research.







SunBeam edit:

ModuleBase: 0x7FF6A0E20000
Build: 4.1.83.6620
Executable: bg3.exe [ [Link]; pass: FRF ]

[SunBeam]

...

Please also post the ModuleBase for your executable, as it uses ASLR. Hence this happens:



P.S.1: Yep, am using the latest binary (bg3_dx11.exe, 4.1.83.6620). Would be an idea to also specify the build when you post something; am sure in 2-3 months' time this shit here will become obsolete and people won't be able to tie it back to their current executables at the time. You've also not said if those addresses are for bg3.exe or bg3_dx11.exe.. Post more info, man..

P.S.2: I'm assuming you found those functions via string references:





Whereas, in my case, this would be the function?



P.S.3: Nevermind, I see you used bg3.exe, build 4.1.83.6620 and ModuleBase would be.. 0x7FF6A0E20000 (0x7FF6A0E20000 + 0x25AD960 = 0x7FF6A33CD960). Edited your post with additional information at the bottom.

BR,
Sun

[SunBeam]

Best Practices

As @fireundubh suggested, let's use normalized binaries with no ASLR in. There's no impact over the execution (you can run the game with the modified .exe as well) and will surely help everyone around doing reversing to keep things steady. Working with same binary, we'll know where we are.

He suggested this blog link: [Link].

Once you read-up what you're to do, you'll land on this step -> "Open up a VS command prompt and use:". What that means.. if you have Visual Studio installed.. is WinKey > "Developer":



Take your pick (I have all those versions installed, cuz I needed them to compiled various versions of Unreal Engine 4..). I'd recommend opening it as Administrator, although it might work without it. But just to be safe.

Then navigate to game folder:



This will alter your executable, as it's a change in the PE header. So you will see the timestamp of the executable has changed.

Alternately, if you don't have VS installed and still wanna do it, then install [Link] and follow the steps below:

1) Right-click on your executable and:



2) You want to load the whole executable (I don't know if opening it partially allows to save changed integrally). So click "No":



3) Then head into the Optional Header:



4) And untick "DLL can move":



5) Click OK, then Save and "Yes" to "Overwrite original file".

Done.

So now when you'll open the executable in a debugger or CE (like I said, there's no impact over execution, so you can run it safely.. as in play the game), you'll see this:



The EP is now referenced to the standard 140000000 ModuleBase, because:



ASLR-less Executable(s)

So here are the 2 executables (DX11) I have, with the above modifications in place:

4.1.83.3931: [Link]
4.1.83.6620: [Link]

Password: FRF

I will continue the analysis with 4.1.83.3931 (DX11), as, like I said, I don't want to re-offset/find everything again for the latest build. You'll just have to use aobscan to get to the spots I'm referencing here, in case you wanna use them in the most recent build. I have no interest in that, as I'm not actively playing the game nor care for bugs or other crap the regular user looks at. Said it so you know.

BR,
Sun

[Zanzer]

viewtopic.php?p=157760
All of my name dumps are available via Lua scripts within my table.
Click the bottom hidden "Ignore This" group.
You can edit the scripts to change the F: output directory.
Then you can get updated addresses for your executable.

[SunBeam]

...

The table's missing the script that gets the list containing the "IntegerSum" names/addresses. Or I'm blind

[Zanzer]

...

Function List 2

[Euadonis]

I apologize if this is in the wrong place but..Anyone figure out a 'Always Roll 20's' cheat? This game seems to be skewed towards rolling low.
It once took me over 30 rolls to get a 10+ on the dice, and the DC was 11.

[Zanzer]

I guess "Always Win Rolls" is confusing.

[Euadonis]

I guess "Always Win Rolls" is confusing.

Most of this is gibberish to me. I can't find 'always win rolls' in any of the 3 pages, and I usually just download a completed table.

[SunBeam]

Most of this is gibberish to me. I can't find 'always win rolls' in any of the 3 pages, and I usually just download a completed table.

You are in the wrong thread. Shoo to Zanzer's.. like he said.. get his table and use that script he mentioned -> viewtopic.php?f=4&t=13996.

[BruteForce]

Previously you wrote this:

"I got it by setting an exception breakpoint over the Health structure, of a considerable size, and watching what pops up as the Caustic Brine damages the Player. And this was the list:"

Being able to do this is super useful! However, I guess I've not used CE enough. There is only 4 hardware breakpoints and also we are trying to breakpoint the reading of an entire data struct! How are you doing this using the "Find out what accesses this address" feature?

Can you direct me to a youtube on this, or a discussion on CE, or something similar? Or if you have time to demonstrate?

As usual, thanks for your breakdown of these game title engines, sometimes I learn something new, or see a way to handle things more quickly, or discover a new feature of a tool.

I'd really appreciate your insight!

[SunBeam]

Memory Viewer > bottom sub-window, with hex data. Right-click > Data Breakpoint > Exception Breakpoint. Go to your structure's address so you see its memory. Then, like I said, select a considerable range (if you know the structure's size, then select that much; else use something like 0x500 bytes). Then right-click > Data Breakpoint > Find out what accesses this address. You'll see the whole selection flash-out in red and ?? symbols. And the debugger window will pop-up and start getting filled with data. If the game doesn't lag.. go back in and do stuff so more pops up. Sometimes the game may lag, so either do your best to give that lag a breather (have patience so you can actually see the frames render and such) and perform some actions. Once you're done, click Stop in the debug window AND DON'T FORGET TO SWITCH BACK TO "HARDWARE BREAKPOINT"! Else CE will continue to use Exception Breakpoints. And that will always land you below the address you set a breakpoint on.

[Enron2]

Is there a way to achieve god mode or unlimited actions in "noob mode"?

I have been trying everything to find the address where the remaining hit points are stored but nothing worked. Even when I start with unknown initial value, all types and then increased / decreased search after healing or damage. Since on Macintosh cannot use premade cheat tables they only work on Windows.

Thanks.