[REQUEST] Monster Hunter Stories 2: Wings of Ruin

[sleepykitty]

How does the anti-cheat work? Will I brick my save if I modify any values?

An important part of this game involves expedition tickets for coop later on, and none of the trainers/tables I could find will modify the quantity on expedition tickets. There must be a reason for this, like it being a flag for some kinda save rip, etc. Found a free trainer that is good for everything else, but I'm worried about bricking my save if I manually edit this value with CE, so can anyone comment on whether doing this will corrupt my save or not?

There's Normal, Rare, and Ultra rare tickets, there's like 4 nests in each expedition, and rare and ultra rare raise the odds of getting those eggs considerably, so having a way to dup ultra rare tickets would be highly desirable.

Or you could just modify bottle caps then buy SR tickets.

[chaosblade02]

I modified the quantity of these tickets manually, backed up my save first. It's a 2 byte value.

Been playing for awhile after that, and ran into no issues with my save. So it appears to be safe, if issues were going to arise, I would have ran into them already.

[chaosblade02]

Or you could just modify bottle caps then buy SR tickets.

You could, but I can't buy those yet, I'm still in the 4th village. Also, they only sell the tickets once.

The item ID for the SR tickets is right beside the R tickets in the memory, so find the value of the R tickets, and a few spaces over to the right past a few 00s is the item ID for SR and the quantity following it. Both are 2 byte values.

I tried manually adding the item in blank memory space, I was successful, however the quantity was glitched out for some unknown reasons, there's probably another tag in the memory somewhere for "item found" that's separate from this. A simple 1 = found 0 = not, etc. We know the game keeps track of how many items/monsters, etc found.

[sleepykitty]

Or you could just modify bottle caps then buy SR tickets.

You could, but I can't buy those yet, I'm still in the 4th village. Also, they only sell the tickets once.

The item ID for the SR tickets is right beside the R tickets in the memory, so find the value of the R tickets, and a few spaces over to the right past a few 00s is the item ID for SR and the quantity following it. Both are 2 byte values.

I tried manually adding the item in blank memory space, I was successful, however the quantity was glitched out for some unknown reasons, there's probably another tag in the memory somewhere for "item found" that's separate from this. A simple 1 = found 0 = not, etc. We know the game keeps track of how many items/monsters, etc found.

There's a 2nd tab where those tickets are permanent and cost 100 caps each

[ReDe3m3r]

Edit : oh i made it to lvl 99

Can you now quick finish every fight? Also, how did you cheat exp?

[caliber1942]

For anyone wanting to work on this game, maybe to add some options, you have to to disable the anti-VEH stuff so you can breakpoint and whatnot.

Making ANY changes to the game code from a large wide area of the game .exe .text you will eventually get popped by one of the scanners. The game randomly picks them, and and uses different ranges at different times. There is probably an elegant solution to this entire .exe integrity/scan check, which would make creating a trainer much easier, but for now everyone is using VEH redirect techniques and then having to fully reverse and use offsets, etc.

Maybe someone has defeated the scanner I don't know, but you can at least begin to debug and etc using the following code. For Monster Hunter World, I located where all the CRC and the code start/stop/length areas were at in the .exe and made them all point to a known CRC that had no mods, in effect the scans returned normal. I wasn't able to locate that for this game, but I suspect it's probably similar.

Bypass Anti VEH
--------------------------

Use this to find the code, then NOP them all:
aobscanmodule(originalcode_7738,$process,48 FF 05 ?? ?? ?? ?? F5) //unique
aobscanmodule(originalcode_9138,$process,48 FF 05 ?? ?? ?? ?? 49 85 F5) //unique
aobscanmodule(originalcode_1933,$process,48 FF 05 ?? ?? ?? ?? 66 99) //unique
aobscanmodule(originalcode_5459,$process,48 FF 05 ?? ?? ?? ?? 44 3A E1) //unique
aobscanmodule(originalcode_3554,$process,48 FF 05 ?? ?? ?? ?? 66 C1 F9 FA) //unique
aobscanmodule(originalcode_9553,$process,48 FF 05 ?? ?? ?? ?? 48 8B 4C 24 78) //unique
aobscanmodule(originalcode_9699,$process,48 FF 05 ?? ?? ?? ?? 66 44 03 FB) //unique
aobscanmodule(originalcode_1657,$process,48 FF 05 ?? ?? ?? ?? 4C 8B AC 24 B8 04 00 00) //unique

basically you are nopping the part that looks similar to this:

inc [game.exe+1FCB078]

You will still have trouble breakpointing since the game keeps doing calls to:

ntdll.ZwGetContextThread - 4C 8B D1 - mov r10,rcx
ntdll.NtGetContextThread+3- B8 F2000000 - mov eax,000000F2 { 242 }
ntdll.NtGetContextThread+8- F6 04 25 0803FE7F 01 - test byte ptr [7FFE0308],01 { (0),1 }
ntdll.NtGetContextThread+10- 75 03 - jne ntdll.NtGetContextThread+15
ntdll.NtGetContextThread+12- 0F05 - syscall
ntdll.NtGetContextThread+14- C3 - ret

and will F up your breakpoints, etc.


so use this to find the code:

aobscanmodule(Anti_BreakPoint,$process,FF E0 CC CC CC CC CC CC CC CC CC CC CC CC CC CC 48 8D 8A 90 00 00 00) //unique

convert to :

xor rax,rax
ret


Anyone defeats the scanner I'd be most interested to see how you did it. I blew a lot of time looking at it, but in the end didn't have unlimited time to keep messing with it.

It seems the game DOES have a single function that makes some calls and has a counter going up, etc., and it's part of a loop that is starting/stopping threads or whatever, so maybe the game Fs up when it detects the code change and merely doesn't restart a thread, which causes the game to bork.

You can BP here:

game.exe+64945AD - FF 90 E0000000 - call qword ptr [rax+000000E0]

And see that when this is called, eventually there is a scan of the .exe or a part of it.

Anyways, have fun.

[thiagodmc]

would like a trick to catch rainbow rarity eggs

[bloodtears23]

would like a trick to catch rainbow rarity eggs

The trick is the usual gamers' favorite save/load as gold monster dens doesn't change when you do until you entered to one, with the help of pray and charms ofc. For now, all we could do is wait for a cheat for that and hopefully there is.

[notpikachu]

I was watching on the sideline with all the hype for the game. Finally, I did try it on yuzu and the graphic was superb and breathtaking to any game I ever play before . Not sure why people keep asking about the rainbow egg though? Why not hack your way through the monster and edit the them? Or maybe I'm missing something here ? New and all to this game~

example

Edit1: I used my own cheat table for this but as it's still w.i.p, I suggest searching for the game save editor as I try that and it work also . Almost try to do the gene id myself, luckily they already complete it. Credit to the guys/girls at gbatemp .

[bloodtears23]

I was watching on the sideline with all the hype for the game. Finally, I did try it on yuzu and the graphic was superb and breathtaking to any game I ever play before . Not sure why people keep asking about the rainbow egg though? Why not hack your way through the monster and edit the them? Or maybe I'm missing something here ? New and all to this game~

example

Edit1: I used my own cheat table for this but as it's still w.i.p, I suggest searching for the game save editor as I try that and it work also . Almost try to do the gene id myself, luckily they already complete it. Credit to the guys/girls at gbatemp .

That could be the case but don't you love to see the rainbow shine as you gather the eggs, that's a romance right there. Just like how it feels good to win in a slot machine than have someone gave the prize to you, a rigged slot machine that is.

[seikur0]

Anyone defeats the scanner I'd be most interested to see how you did it. I blew a lot of time looking at it, but in the end didn't have unlimited time to keep messing with it.

For the scanner I just searched for ingame money and looked at what accesses it. Then I looked at what in turn accesses that code.
The scans are triggered by traveling, so then I found out where the checksum code is. Then I tracked down where the checksum goes and after some experiments I found the place and a bunch of other places that look similarly.

Some lua scripting later I have created this table based on your pre-work. It only contains one anti-anti-cheat entry.

(I'm still not sure whether it makes sense to disable 32 locations that look like the memory scanning one instead of just one, but it doesn't seem to break anything at least for me. I might have to reduce these or they might be just right, because they prevent future checks that I didn't notice while just quick traveling. There are also some locations that look kind of similar to the 32 ones but not quite, so I didn't include them for now.)


With that, anyone can go ahead and write normal memory injection based cheats.
If someone wants to start with that, always rainbow/heavy eggs and also rare caverns would be great
Have fun guys!

update to 1.1:
1.0 didn't have any problems and seemed to work just fine until now. I still looked into the other locations I mentioned and decided to disable them as well in the 1.1 version (now 58 locations disabled in addition to the veh ones). All of these locations are always the cause for the "freeze game" reaction and even the veh checks, which increase that one counter variable will just end up triggering one of these with it (which makes the anti-veh aobs redundant now, yay)(one of the added locations in 1.1, which is the reason for that). I've also confirmed that at least 2 of the original 32 locations are for memory scans.

moved to viewtopic.php?f=4&t=16775

[Impala]

What happens if you don't use this and do normal inject codes? I used cjbok's inventory script no problems

[seikur0]

What happens if you don't use this and do normal inject codes? I used cjbok's inventory script no problems

Your game will lock, meaning some actions in the game won't complete anymore, if you quick travel it'll load endlessly.
Cjbok's table doesn't modify any game code/doesn't use code injection. It gives you the memory addresses of item slots with id and amount and is entirely based on fixed pointers. That's fragile and will probably break with most game updates.

Code injection on the other hand would instead use aob codes to find for example the location where the first item slot is read and inject there, saving that slot's address and basing the other slots addresses on it. If the aob is good enough, it won't break with updates and if it does, it's often easier to restore.
And if you want to do more complex stuff like modify egg drops or something, you can't do it without code injection, because there won't be a fixed memory address that contains the properties of the next egg. That would be calculated on the fly.

[Impala]

What happens if you don't use this and do normal inject codes? I used cjbok's inventory script no problems

Your game will lock, meaning some actions in the game won't complete anymore, if you quick travel it'll load endlessly.
Cjbok's table doesn't modify any game code/doesn't use code injection. It gives you the memory addresses of item slots with id and amount and is entirely based on fixed pointers. That's fragile and will probably break with most game updates.

Code injection on the other hand would instead use aob codes to find for example the location where the first item slot is read and inject there, saving that slot's address and basing the other slots addresses on it. If the aob is good enough, it won't break with updates and if it does, it's often easier to restore.
And if you want to do more complex stuff like modify egg drops or something, you can't do it without code injection, because there won't be a fixed memory address that contains the properties of the next egg. That would be calculated on the fly.

I'm just curious, not debating whether the game has an anti cheat

I was going to make an egg cheat after someone made a post like this

[seikur0]

.

I think those trainer options could all be done and probably are done by updating (or regularly updating=freezing) fixed memory addresses. If it does modify game memory, he must have disabled the memory scanner too.

The real fun only begins when you are able to change the game code. See I'm the type of guy that wants to play a game for fun, the cheats I write, make a game more interesting/fun. I normally don't make something like infinite HP, because that's boring, my style is more to add things saving you from the boring grind. Or I add new possibilities to play the game that provide you with new experiences and uniquely fun ways to play a game.