Cyberpunk 2077 [Engine:REDengine 4]

[arazrad]

the GOG version works just as well for steam. tested it myself.

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[twitchnotgood]

Here is some quick template code I used for 1,000,000 armor (must equip armor after using). I used this because health was glitchy and also screwed with my RAMs.

Code: Select all

alloc(newmem,2048,Cyberpunk2077.exe+198B894) 
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [r15], 49742400 // 1,000,000 float
mov [r15+4], 3F800000 // 1 float
mov [r15+8], 3F800000 // 1 float


originalcode:
addss xmm0,[r15]

exit:
jmp returnhere

Cyberpunk2077.exe+198B894:
jmp newmem
returnhere:

Also, this writes to weapon damage:
Cyberpunk2077.exe+19931EF

However it seems to write to other things too, but only when you equip a silencer.

[QuarryTen]

Is there a possible script for maxed out street cred or perk points, etc?

I got you, these are for steam:

Attribute:

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>65</ID>
      <Description>"Infinite Attribute Points"</Description>
      <LastState Activated="1"/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : Cyberpunk2077.exe
  Version: 
  Date   : 2020-12-09
  Author : Zach

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,Cyberpunk2077.exe,89 03 48 85 F6 74 02 89 06 48 8B 5C 24 40 48 8B 6C 24 58 48 83 C4 20 41 5E 5F 5E C3 CC CC CC CC CC CC CC CC 48 89 5C 24 08 48 89 6C 24 20 56 57 41 56 48 83 EC 20 48 8B 02 4C 8D 35 24 27 A5 03 33 ED C7 44 24 48 00 00 00 00 C6 42 60 01 49 8B F0 48 89 6A 30 4C 8D 44 24 48 48 89 6A 38 45 33 C9) // should be unique
alloc(newmem,$1000,INJECT)

label(code)
label(return)

newmem:

code:
  mov [rbx],#10
  test rsi,rsi
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 03 48 85 F6

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Cyberpunk2077.exe+23C02C

Cyberpunk2077.exe+23C00D: 48 8B D7        - mov rdx,rdi
Cyberpunk2077.exe+23C010: 0F B6 08        - movzx ecx,byte ptr [rax]
Cyberpunk2077.exe+23C013: 48 FF C0        - inc rax
Cyberpunk2077.exe+23C016: 48 89 07        - mov [rdi],rax
Cyberpunk2077.exe+23C019: 8B C1           - mov eax,ecx
Cyberpunk2077.exe+23C01B: 48 8B 4F 40     - mov rcx,[rdi+40]
Cyberpunk2077.exe+23C01F: FF 54 C5 00     - call qword ptr [rbp+rax*8+00]
Cyberpunk2077.exe+23C023: 48 FF 07        - inc [rdi]
Cyberpunk2077.exe+23C026: 8B 03           - mov eax,[rbx]
Cyberpunk2077.exe+23C028: 2B 44 24 50     - sub eax,[rsp+50]
// ---------- INJECTING HERE ----------
Cyberpunk2077.exe+23C02C: 89 03           - mov [rbx],eax
// ---------- DONE INJECTING  ----------
Cyberpunk2077.exe+23C02E: 48 85 F6        - test rsi,rsi
Cyberpunk2077.exe+23C031: 74 02           - je Cyberpunk2077.exe+23C035
Cyberpunk2077.exe+23C033: 89 06           - mov [rsi],eax
Cyberpunk2077.exe+23C035: 48 8B 5C 24 40  - mov rbx,[rsp+40]
Cyberpunk2077.exe+23C03A: 48 8B 6C 24 58  - mov rbp,[rsp+58]
Cyberpunk2077.exe+23C03F: 48 83 C4 20     - add rsp,20
Cyberpunk2077.exe+23C043: 41 5E           - pop r14
Cyberpunk2077.exe+23C045: 5F              - pop rdi
Cyberpunk2077.exe+23C046: 5E              - pop rsi
Cyberpunk2077.exe+23C047: C3              - ret 
}
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
</CheatTable>

Perks:

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>63</ID>
      <Description>"Infinite Perks"</Description>
      <LastState/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : Cyberpunk2077.exe
  Version: 
  Date   : 2020-12-09
  Author : Zach

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,Cyberpunk2077.exe,89 03 48 85 F6 74 02 89 06 48 8B 5C 24 40 48 8B 6C 24 58 48 83 C4 20 41 5E 5F 5E C3 CC CC CC CC CC CC CC CC 48 89 5C 24 08 48 89 6C 24 20 56 57 41 56 48 83 EC 20 48 8B 02 4C 8D 35 24 27 A5 03 33 ED C7 44 24 48 00 00 00 00 C6 42 60 01 49 8B F0 48 89 6A 30 4C 8D 44 24 48 48 89 6A 38 45 33 C9 0F B6 08 48 8B FA 48 FF C0 48 89 02 8B C1 48 8B 4A 40 41 FF 14 C6 48 8B 47 30 48 8D 5C 24 48 48 85 C0) // should be unique
alloc(newmem,$1000,INJECT)

label(code)
label(return)

newmem:

code:
  mov [rbx],#10
  test rsi,rsi
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 89 03 48 85 F6

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Cyberpunk2077.exe+23C02C

Cyberpunk2077.exe+23C00D: 48 8B D7        - mov rdx,rdi
Cyberpunk2077.exe+23C010: 0F B6 08        - movzx ecx,byte ptr [rax]
Cyberpunk2077.exe+23C013: 48 FF C0        - inc rax
Cyberpunk2077.exe+23C016: 48 89 07        - mov [rdi],rax
Cyberpunk2077.exe+23C019: 8B C1           - mov eax,ecx
Cyberpunk2077.exe+23C01B: 48 8B 4F 40     - mov rcx,[rdi+40]
Cyberpunk2077.exe+23C01F: FF 54 C5 00     - call qword ptr [rbp+rax*8+00]
Cyberpunk2077.exe+23C023: 48 FF 07        - inc [rdi]
Cyberpunk2077.exe+23C026: 8B 03           - mov eax,[rbx]
Cyberpunk2077.exe+23C028: 2B 44 24 50     - sub eax,[rsp+50]
// ---------- INJECTING HERE ----------
Cyberpunk2077.exe+23C02C: 89 03           - mov [rbx],eax
// ---------- DONE INJECTING  ----------
Cyberpunk2077.exe+23C02E: 48 85 F6        - test rsi,rsi
Cyberpunk2077.exe+23C031: 74 02           - je Cyberpunk2077.exe+23C035
Cyberpunk2077.exe+23C033: 89 06           - mov [rsi],eax
Cyberpunk2077.exe+23C035: 48 8B 5C 24 40  - mov rbx,[rsp+40]
Cyberpunk2077.exe+23C03A: 48 8B 6C 24 58  - mov rbp,[rsp+58]
Cyberpunk2077.exe+23C03F: 48 83 C4 20     - add rsp,20
Cyberpunk2077.exe+23C043: 41 5E           - pop r14
Cyberpunk2077.exe+23C045: 5F              - pop rdi
Cyberpunk2077.exe+23C046: 5E              - pop rsi
Cyberpunk2077.exe+23C047: C3              - ret 
}
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
</CheatTable>

i know this is offtopic but can you explain what exactly "test" is doing in your scripts here? something to do with the flags, right?

[thefireman504]

[Link]

Not sure if this is helpful to anyone or not.... I'm not too good at this, but it worked for me...

where do u get that table ?

I went through and figured out the addresses....
[Link]

[Sililos]

Can someone please point me too the table?
Im seeing only 3 pages on 2077.
This one which i dont see a table anywhere,
The GOG one which has multiple tables for download.
And one which only has Inf health and stamina.

(*Edit* BTW appreciate the effort guys, i can never make heads or tails of how to do this stuff even with tutorials lol)

[KillerZoneGG]

[Link]

Not sure if this is helpful to anyone or not.... I'm not too good at this, but it worked for me...

where do u get that table ?

I went through and figured out the addresses....
[Link]

Could you be able to share a table. or some how tell me how i can use those codes please

[superfunpop]

SO uh, I activated the inf attribute code right as I finished talking to Evelyn after Judy's thing, and when the convo ending and it rewards me xp, it gave me max xp and street cred, as well as inf attribute points and perks. Also I found it seems the game does not crash, simply freezes, and when you deactivate the script, it resumes. Not sure if this helps but figured I would let you guys know

What exactly did you did ? i might try it while i might be unable to spent perks and atributes the exp and street creed should stay static.

Made an account just to tell you that this is CONFIRMED. I just did it and have Max Level and Max Street Cred. No clue how it worked, but it did. The game does not freeze during that conversation with Evelin right at the end of that mission. If it freezes just click and unclick it. If you finish the convo and the mission ends you get max everything.

Probably will work on any mission, but 100% works on the BD one.

[akensai]

I already finished the game, did around ~70% of side quests.
You can 4b scan virtually every pointer in this game. Including health and stamina. And whats hilarious is, for example changing your max HP, change it once and it's set for the rest of the game. I basically played with 9999 max health and stamina. And 99999 of all resources on the hardest difficulty. Nothing else. Didn't even bother trying to find my armor values and such, but I suspect it's just as easy, scan your value, take a piece of gear off, scan again, take another off scan again, set it at 9999, save the game and exit CE+Game, come back, oh no my armor is insane! I would not suggest fucking with your level (street cred is fine). It's a lot harder to go backwards than it is forwards. As I can attest by my first "lets fuck around and find out" moment of finding the values for character level and changing it to 9999.
My only irritation throughout was the fast travel system and how shitty vehicles operate.

Overall, I feel like I went back to 2010 cheat engine.

[KillerZoneGG]

I already finished the game, did around ~70% of side quests.
You can 4b scan virtually every pointer in this game. Including health and stamina. And whats hilarious is, for example changing your max HP, change it once and it's set for the rest of the game. I basically played with 9999 max health and stamina. And 99999 of all resources on the hardest difficulty. Nothing else. Didn't even bother trying to find my armor values and such, but I suspect it's just as easy, scan your value, take a piece of gear off, scan again, take another off scan again, set it at 9999, save the game and exit CE+Game, come back, oh no my armor is insane! I would not suggest fucking with your level (street cred is fine). It's a lot harder to go backwards than it is forwards. As I can attest by my first "lets fuck around and find out" moment of finding the values for character level and changing it to 9999.
My only irritation throughout was the fast travel system and how shitty vehicles operate.

Overall, I feel like I went back to 2010 cheat engine.

A quick question im trying to mod the armour and hp but i had no luck. im searching on 4 bytes and on extract value. Am i doing something wrong

[akensai]

A quick question im trying to mod the armour and hp but i had no luck. im searching on 4 bytes and on extract value. Am i doing something wrong

All I can do is give you my steps for HP, I didn't mess with armor.
For Max HP. I found an armor item with +hp on it % or value doesn't matter. I scanned first without the armor piece on, then next scanned it with it on, took it back off and scanned a third. I got around 6 results, changed them all to 9999. Exited the menu, went back and found my HP updated. As is 2010 cheat engine tactics.

I am no longer on the scale of SunGod, too lazy to learn LUA bullshit. But the fact that the old tactics work in this game, means you should have no issue.

[KillerZoneGG]

A quick question im trying to mod the armour and hp but i had no luck. im searching on 4 bytes and on extract value. Am i doing something wrong

All I can do is give you my steps for HP, I didn't mess with armor.
For Max HP. I found an armor item with +hp on it % or value doesn't matter. I scanned first without the armor piece on, then next scanned it with it off, took it back on and scanned a third. I got around 6 results, changed them all to 9999. Exited the menu, went back and found my HP updated. As is 2010 cheat engine tactics.

I am no longer on the scale of SunGod, too lazy to learn LUA bullshit. But the fact that the old tactics work in this game, means you should have no issue.

thanks i will try it out

[KillerZoneGG]

Okay i got it to work. Did the same step get my character naked (so no outfit) then use extract value but change the value type to float. then equip a piece of amour and scan and u find 3 values (well for me it did) then change and done POG


NOW i can just focus on clothes that looks good than worrying about stats

[SunBeam]

REDengine 4 uses as optimization several hashing algorithms. In my post here I was mentioning 2 hashes located at 0x18 and 0x20 offsets in the RTTI Class. Well, took a bit of figuring out, but:

Code: Select all

Cyberpunk2077.exe+17D06D5 | 48:BB 27418AEED12FB02E | MOV RBX,2EB02FD1EE8A4127            |
Cyberpunk2077.exe+17D06DF | 0F85 5CFFFFFF          | JNE cyberpunk2077.7FF7624C0641      |
Cyberpunk2077.exe+17D06E5 | 48:8D15 9451A701       | LEA RDX,QWORD PTR DS:[7FF763F35880] | 00007FF763F35880:"gameStackedItemData"

2EB02FD1EE8A4127

Where's that coming from? Well, try out this page: [Link]. Put in gameStackedItemData, click Encode and scroll down a bit:



So 2EB02FD1EE8A4127 is FNV1A64( "gameStackedItemData" ).

Similarly, the hash stored at offset 0x20.. I couldn't find a static reference to it in game's code (it's not hardcoded like the MOV RBX,hash above), but a quick CE scan for the hash got me here:



So if you repeat the process and this time around encode script_ref:gameStackedItemData on that page, you get:



So that gives you what the 2 mysterious hashes in RTTI_Class +0x18 and +0x20 stand for

There's another function used for hashing game objects by string. For example, "Items.money" is hashed to F5E188EC. And you can find this value stored inside the processed structure that, for example, you read when you open the Inventory Yes, can be used as a filtering parameter.

This function is reached through here in the Steam 1.03 executable:

Code: Select all

Cyberpunk2077.exe+93E20 | 48:8D15 21E10F03 | LEA RDX,QWORD PTR DS:[7FF763E81F48] | 00007FF763E81F48:"AIGeneralSettings.baseActionParamsPackageName"
Cyberpunk2077.exe+93E27 | 48:8D0D 1A412104 | LEA RCX,QWORD PTR DS:[7FF764F97F48] |
Cyberpunk2077.exe+93E2E | E9 5D3EA302      | JMP cyberpunk2077.7FF7637B7C90      |

Inside Cyberpunk2077.exe+2AC7C90 this happens:



And the hashing core itself:



So, if we name "Cyberpunk2077.exe+2AC7C90" == HashStr, then the C++ prototype is: HashStr( out [rcx], in [rdx] ). And inside, if we name "Cyberpunk2077.exe+2AC8150" == hashstring, then the C++ prototype is: hashstring( lenA [rcx], str [rdx], len [r8] ). Where lenA is usually 0 and it represents up to how many characters from the string you want to hash. 0 means whole string, 1 means up to last character but without it, 2 means up to the 2nd from last character, not including it. And so on

So: HashStr( out, "Items.money" ) -> out: F5E188EC | 0B 00 00 00. The result of the hashing function is string hash | size of string. Something tells me the string size + hash can be used in a reverse (decode) function. Although, from the looks of it, seems a one-way hash. Remains to be seen.

How can you now use the above hash in your code? Simple. cfemen is already working on gathering hashes for filtering the stuff in his script, as I don't have time to spend on this. Still working on that console enabling, remember?

In short, Inventory crap is read through this generic function (it's a member-function in any gameUniqueItemData-typed object; that's why it will read anything and without a filter, your script will crap out):

Code: Select all

Cyberpunk2077.exe+17C1BB0 - 8B 41 78 - mov eax,[rcx+78]
Cyberpunk2077.exe+17C1BB3 - C3       - ret

Here's how I hooked it:

Code: Select all

[ENABLE]

alloc( ReadHook, 0x1000, Cyberpunk2077.exe )

ReadHook:
push rax
push rbx
push rdi
xor rdi,rdi
mov rbx,HashTable
_loop:
mov rax,[rbx+rdi*8] // read hash from our table
test rax,rax // check if we reached the end of the table
je short _skip // exit if so
  cmp [rcx+40],eax // if current game hash == our HashTable[i], then
  jne short @f
    // do something (e.g.: mov [rcx+78],#100)
    add [rcx+78],#100
    jmp short _skip // and exit
  @@:
  inc rdi
  jmp short _loop
_skip:
pop rdi
pop rbx
pop rax
readmem( Cyberpunk2077.exe+17C1BB0, 4 )

align 10 CC

HashTable:
dq 00000000F5E188EC // Items.money
dq 0

Cyberpunk2077.exe+17C1BB0:
jmp ReadHook

[DISABLE]

Cyberpunk2077.exe+17C1BB0:
mov eax,[rcx+78]
ret

dealloc( ReadHook )

So now, every time you open the Inventory, your quantity for "Items.money" is going to be updated to 100

BR,
Sun

[akensai]

REDengine 4 uses as optimization several hashing algorithms. In my post here I was mentioning 2 hashes located at 0x18 and 0x20 offsets in the RTTI Class. Well, took a bit of figuring out, but:

Spoiler

Code: Select all

Cyberpunk2077.exe+17D06D5 | 48:BB 27418AEED12FB02E | MOV RBX,2EB02FD1EE8A4127            |
Cyberpunk2077.exe+17D06DF | 0F85 5CFFFFFF          | JNE cyberpunk2077.7FF7624C0641      |
Cyberpunk2077.exe+17D06E5 | 48:8D15 9451A701       | LEA RDX,QWORD PTR DS:[7FF763F35880] | 00007FF763F35880:"gameStackedItemData"

2EB02FD1EE8A4127

Where's that coming from? Well, try out this page: [Link]. Put in gameStackedItemData, click Encode and scroll down a bit:



So 2EB02FD1EE8A4127 is FNV1A64( "gameStackedItemData" ).

Similarly, the hash stored at offset 0x20.. I couldn't find a static reference to it in game's code (it's not hardcoded like the MOV RBX,hash above), but a quick CE scan for the hash got me here:



So if you repeat the process and this time around encode script_ref:gameStackedItemData on that page, you get:



So that gives you what the 2 mysterious hashes in RTTI_Class +0x18 and +0x20 stand for

There's another function used for hashing game objects by string. For example, "Items.money" is hashed to F5E188EC. And you can find this value stored inside the processed structure that, for example, you read when you open the Inventory Yes, can be used as a filtering parameter.

This function is reached through here in the Steam 1.03 executable:

Code: Select all

Cyberpunk2077.exe+93E20 | 48:8D15 21E10F03 | LEA RDX,QWORD PTR DS:[7FF763E81F48] | 00007FF763E81F48:"AIGeneralSettings.baseActionParamsPackageName"
Cyberpunk2077.exe+93E27 | 48:8D0D 1A412104 | LEA RCX,QWORD PTR DS:[7FF764F97F48] |
Cyberpunk2077.exe+93E2E | E9 5D3EA302      | JMP cyberpunk2077.7FF7637B7C90      |

Inside Cyberpunk2077.exe+2AC7C90 this happens:



And the hashing core itself:



So, if we name "Cyberpunk2077.exe+2AC7C90" == HashStr, then the C++ prototype is: HashStr( out [rcx], in [rdx] ). And inside, if we name "Cyberpunk2077.exe+2AC8150" == hashstring, then the C++ prototype is: hashstring( lenA [rcx], str [rdx], len [r8] ). Where lenA is usually 0 and it represents up to how many characters from the string you want to hash. 0 means whole string, 1 means up to last character but without it, 2 means up to the 2nd from last character, not including it. And so on

So: HashStr( out, "Items.money" ) -> out: F5E188EC | 0B 00 00 00. The result of the hashing function is string hash | size of string. Something tells me the string size + hash can be used in a reverse (decode) function. Although, from the looks of it, seems a one-way hash. Remains to be seen.

How can you now use the above hash in your code? Simple. cfemen is already working on gathering hashes for filtering the stuff in his script, as I don't have time to spend on this. Still working on that console enabling, remember?

In short, Inventory crap is read through this generic function (it's a member-function in any gameUniqueItemData-typed object; that's why it will read anything and without a filter, your script will crap out):

Code: Select all

Cyberpunk2077.exe+17C1BB0 - 8B 41 78 - mov eax,[rcx+78]
Cyberpunk2077.exe+17C1BB3 - C3       - ret

Hook that in whatever way you wish, then do this:

Code: Select all

alloc( ReadHook, 0x1000, Cyberpunk2077.exe )

ReadHook:
push rbx
push rcx
push rdi
xor rcx,rcx
mov rbx,HashTable
_loop:
mov rdi,[rbx+rcx*8] // read hash from our table
test rdi,rdi // check if we reached the end of the table
je short _skip // exit if so
  cmp [rcx+40],edi // if current game hash == our HashTable[i], then
  jne short @f
    // do something (e.g.: mov [rcx+78],#100)
    jmp short _skip // and exit
  @@:
  inc rcx
  jmp short _loop
_skip:
pop rdi
pop rcx
pop rbx
readmem( Cyberpunk2077.exe+17C1BB0, 4 )

align 10 CC

HashTable:
dq 00000000F5E188EC // Items.money
dq 0

Cyberpunk2077.exe+17C1BB0:
call ReadHook

BR,
Sun

Thank you SunGod. While the rest of us go at it with a bat, you came at it with charisma and words, as normal.
Just a note, I found references to mid/qid (mission ID) like in TW3. I haven't messed with those yet, figured I'd get around to it if one of the quests broke, but loading an earlier save has proved king once again. There is an active pointer for your selected active quest. It changes as you change the highlighted quest. Seems to have a few values, including stages. But, I am not you.

[SunBeam]

But, I am not you.

Yes, you are akensai. I'm SunBeam