Author: SunBeam
Table:
[ 15.12.2016 - Update #9 ]
Teleporter now works :)
[ 11.12.2016 - Update #8 ]
Updated to 1.51. Teleporter is not working for now (I need to find an alternate way of calling the functions I'm finding via array patterns). The rest works as in 1.50 :)
[ 26.06.2016 - Update #7 ]
No update per se, just a refresher, as I've seen a lot of complaints in this thread and on the YouTube videos I've posted:
1. You NEED to have version 1.50. I don't have time to adjust the table for lower versions, you might as well purchase the game.
2. Thoroughly read the below to get the table up and running.
- Download updated table from the bottom of this post.
- Run the game, enter its world (Main Menu -> Continue).
- Once loading finishes, alt-tab out, open Cheat Engine and the table (ACS.ct), then target game process (ACS.exe).
- Activate [Enable] script.
- Next up, enable Cheat Handler script.
Now, on with the functions:
- Numpad 0 - Toggle Player Vanish (generates the grayish aura that appears when you're in a crowd, rendering you invisible to any NPC unless you run into them)
- Numpad ./Del - God Mode (you won't die from any type of attack, nor from dropping from high altitude: health is reduced to 1, but you won't die; just hit Q to refill)
- Numpad 1 - Refill All Equipment (refills everything; if it sometimes doesn't work, just use Fast Teleport to reload the map)
- Numpad 2 - Invisible (renders you invisible to any NPC; same logic applies: if you bump into an enemy you'll trigger the awareness, but the meter drops fast)
- Numpad 3 - One Hit Kill (does what it says: reduces enemy health to 1 or 0 when hit)
- Numpad 4 - Refill Player Health (does what it says)
- Numpad / - Get Player (when you hit this key in-game, all pointers under pPlayer will be populated)
- Numpad * - Get Experience (fetches the Experience pointer and populates the data under pExperience in the tree; if you've reached maximum Experience, the value the pointer fetches will be 0)
BR,
Sun
[ 29.03.2016 - Update #6 ]
Updated to 1.50. Not sure if compatible with previous versions.
[ 04.01.2016 - Update #5 ]
Updated and perfected the teleporter. Should now be more accurate. If you still stumble into walls, objects or fall off map, immediately press TAB key again and set the teleport marker once more. This applies to all the other situations where it might not work.
** small update **
Apparently, the Map pointer acquiring using statics didn't work for The Ripper DLC. Now it's fixed, you can teleport to chests, posters, ground etc. in the DLC as well.
Re-download from below!
[ 30.12.2015 - Update #4 ]
+ Fixed teleporter, making it dynamic (should work after update)
+ Found a universal way of fetching the inventory for any character (the Evie, Jacob and The Ripper DLC sections are gone from [Inventory])
+ Added some checks so the game won't crash if it doesn't have the parameter it needs
Keys:
- for all cheats, they work as described:
Numpad 0 - TogglePlayerVanish
Numpad . (Del) - GodMode
Numpad 1 - RefillAllEquipment
Numpad 2 - Invisible
Numpad 3 - OneHitKill
Numpad 4 - RefillPlayerHealth
- now, if you want to use the teleporter or edit inventory stuff:
Numpad * - hit it to acquire the parameters I use to build up stuff
- to use the teleporter (will find a way to make it work perfectly):
Open map with TAB key (make sure you've pressed Numpad * at least once while in-game), select location with mouse, press Numpad 9, press TAB to resume game and teleport. Again, it's not perfect, but does the job. Oh, and you can't teleport on some objects (like mission markers, for example). Just teleport close to it.
[ 29.11.2015 - Recap ]
So far, I have the following requests:
- Sxsxarael (page 2): "Hopefully, there will be a way to hack skill points." -- will add them to the table.
- Dudren (page 2): "I doubt there's a way to hack Helix Points, probably server side. Can confirm?" -- haven't looked into it thoroughly, but you can't find the address/value with regular CE searching - so I go with 'no, they're server sided'.
- TheForgottenOne (page 3): "but when I tried one of the functions, "kill yourself", then the game crashed. Can you tell me why this happens?" -- some functions require a different context pointer; I know they crash, still to research.
- danjako43 (page 3): "Is adding the ability to manually trigger slowmotion/bullet-time possible?" -- will look into it.
- MousE0910 (page 3): "If somebody could find a really easy way to get all the perks, that would be amazing." -- will add that quite soon, but need people to test it as perks have a certain identifier (a DWORD) - and we need to build up a list.
- jim2point0 (page 3): "I'd like to be able to fly the camera around and change the field of view" -- you might want to PM mgr.inz.Player, as he's done this for Black Flag.
- JohnLai (page 6): "Apparently, whenever player fast travels to other area, any existing enabled codes (example, Numpad 2 - Invisible) will reset to normal gameplay right away. Any possibility to make the cheat sticks after fast travel?" -- will work on automatizing it and getting it to "stick" :)
- nattydread (page 6): "I wanted to beg for screenshot / video capture enabling cheats like freecam, timestop, fov, time of day..." -- will look into it.
- Aztec2012 (page 7): "Great! What about no desynchronization when killing citizens?" -- will see if I can do anything about it, no promises though.
- sky170111 (page 7): "please add in table 'stop mission timer'" -- once I get to some missions where I can test this, will add it.
Just FYI, to keep track of them.
BR,
Sun
[ 23.11.2015 - Update #3 ]
Fixed compatibility with various EXE builds out there (revamped scanned signatures).
Added:
- Numpad 4 - Refill Player Health (does what it says)
- Numpad / - Get Player (when you hit this key in-game, all pointers under pPlayer will be populated)
- Numpad * - Get Experience (will fetch the Experience pointer and populate data under pExperience in the tree)
BR,
Sun
[ 22.11.2015 - Update #2 ]
I've eliminated the use of hardware breakpoints ;) Thoroughly read the below! Version 1.12!
- Download updated table from first post of this thread.
- Run the game, enter its world (Main Menu -> Continue).
- Once loading finishes, alt-tab out, open Cheat Engine and the table (ACS.ct), then target game process (ACS.exe).
- Enable [Enable] script.
- Next up, enable Cheat Handler script.
Stop #2: If this one doesn't get enabled, let me know. If the game crashes, simply make sure you pause the game (via the Esc key) before activating this script. It may be due to some checks on thread creation.
Now, on with the functions:
- Numpad 0 - Toggle Player Vanish (generates the grayish aura that appears when you're in a crowd, rendering you invisible to any NPC unless you run into them)
- Numpad ./Del - God Mode (you won't die from any type of attack, nor from dropping from high altitude: health is reduced to 1, but you won't die; just hit Q to refill)
- Numpad 1 - Refill All Equipment (refills everything; if it sometimes doesn't work, just use Fast Teleport to reload the map)
- Numpad 2 - Invisible (renders you invisible to any NPC; same logic applies: if you bump into an enemy you'll trigger the awareness, but the meter drops fast)
- Numpad 3 - One Hit Kill (does what it says: reduces enemy health to 1 or 0 when hit)
- Numpad / - Retrieves the player structure (I use this to build up future paths to some of the data: experience, level, money, perks, etc. It populates the pointer paths you see below Cheat Handler - pContext, pPlayer, Invisible)
Sun
[ 20.11.2015 - Update #1 ]
Updated table, adding OneHitKill, TogglePlayerVanish, RefillAllEquipment and Invisible.
Hotkeys:
Numpad 0 - ToggleVanish
Numpad . - GodMode
Numpad 1 - RefillAllEquipment
Numpad 2 - Invisible
Numpad 3 - OneHitKill
[ 19.11.2015 - First Release ]
Will be editing stuff on and off.
** String references (via x64_dbg) ** Listing them out:
Code:
00000001410045F6 LEA RDX,QWORD PTR DS:[142C49658] "DEBUG CATEGORY : BASIC"
0000000141004609 LEA RDX,QWORD PTR DS:[142C49670] "DEBUG CATEGORY : FIGHT"
0000000141004620 LEA RDX,QWORD PTR DS:[142C49688] "DEBUG CATEGORY : PLAYER PROGRESSION"
0000000141004794 LEA RDX,QWORD PTR DS:[142C496B0] "Toggle Teleport Mode"
000000014100491E LEA RDX,QWORD PTR DS:[142C496C8] "Free Running Jump"
00000001410049E8 LEA RDX,QWORD PTR DS:[142C496E0] "Nuke Enemies"
0000000141004AB6 LEA RDX,QWORD PTR DS:[142C496F0] "Nuke Allies"
0000000141004B80 LEA RDX,QWORD PTR DS:[142C49700] "Refill player's health"
0000000141004C44 LEA RDX,QWORD PTR DS:[142C49718] "Reset Conflict"
0000000141004D0E LEA RDX,QWORD PTR DS:[142C49728] "Refill All Equipment"
0000000141004DD8 LEA RDX,QWORD PTR DS:[142C49740] "Nuke Yourself"
0000000141004EA2 LEA RDX,QWORD PTR DS:[142C49750] "Trigger Mission Failure"
0000000141004F6C LEA RDX,QWORD PTR DS:[142C49768] "Go in ragdoll"
0000000141005036 LEA RDX,QWORD PTR DS:[142C49778] "Toggle Crowd Air Assassination"
0000000141005100 LEA RDX,QWORD PTR DS:[142C49798] "Change Debug Dude Type"
00000001410051CA LEA RDX,QWORD PTR DS:[142C497B0] "Spawn Follow Dude"
0000000141005294 LEA RDX,QWORD PTR DS:[142C497C8] "Spawn RedBall Dude"
000000014100535E LEA RDX,QWORD PTR DS:[142C497E0] "Spawn Still Dude"
0000000141005428 LEA RDX,QWORD PTR DS:[142C497F8] "Spawn Fight Dude"
00000001410054F2 LEA RDX,QWORD PTR DS:[142C49810] "Spawn Still Fight Dude (no movement no attacks)"
00000001410055B6 LEA RDX,QWORD PTR DS:[142C49840] "Spawn Desired Pos Fight Dude"
0000000141005680 LEA RDX,QWORD PTR DS:[142C49860] "Follow closest character"
000000014100574A LEA RDX,QWORD PTR DS:[142C49880] "Drive now"
0000000141005814 LEA RDX,QWORD PTR DS:[142C49890] "Force vehicle collision"
00000001410058DE LEA RDX,QWORD PTR DS:[142C498A8] "Force vehicle notification"
00000001410059A8 LEA RDX,QWORD PTR DS:[142C498C8] "Reserved vehicle cheat 3"
0000000141005A72 LEA RDX,QWORD PTR DS:[142C498E8] "Toggle player visibility"
0000000141005B3C LEA RDX,QWORD PTR DS:[142C49908] "Decrease Notoriety"
0000000141005C06 LEA RDX,QWORD PTR DS:[142C49920] "Increase Notoriety"
0000000141005CD0 LEA RDX,QWORD PTR DS:[142C49938] "[Blend Action] Toggle Player Vanish :"
0000000141005D9A LEA RDX,QWORD PTR DS:[142C49960] "Unfog current map"
0000000141005E64 LEA RDX,QWORD PTR DS:[142C49978] "Give Player All Equipment and Abilities"
0000000141005F2E LEA RDX,QWORD PTR DS:[142C499A0] "Unlock All World Upgrades"
0000000141005FF8 LEA RDX,QWORD PTR DS:[142C499C0] "Add All TradeObjects"
00000001410060C2 LEA RDX,QWORD PTR DS:[142C499D8] "Cheat Debug Menu"
000000014100618C LEA RDX,QWORD PTR DS:[142C499F0] "Toggle Full Progress Tracker Unlock"
0000000141006256 LEA RDX,QWORD PTR DS:[142C49A18] "Unlock And Gain All World Upgrades"
0000000141006320 LEA RDX,QWORD PTR DS:[142C49A40] "Lock All World Upgrades"
00000001410063EA LEA RDX,QWORD PTR DS:[142C49A58] "Invisible :"
00000001410064B0 LEA RDX,QWORD PTR DS:[142C49A68] "God Mode :"
000000014100657A LEA RDX,QWORD PTR DS:[142C49A78] "One Hit Kill :"
0000000141006648 LEA RDX,QWORD PTR DS:[142C49A88] "Cycle through / equip player cape"
00000001410066B5 LEA R8,QWORD PTR DS:[142C49AB0] "Enable assassin collision with trigger zones :"
0000000141006781 LEA RDX,QWORD PTR DS:[142C49AE0] "-- -- -- REBOOT -- -- --"
0000000141006849 LEA RDX,QWORD PTR DS:[142C49B00] "Teleport lantern near player"
00000001410068B3 LEA R8,QWORD PTR DS:[142C49B20] "Ghostmode use hierarchy : "
00000001410069E1 LEA RDX,QWORD PTR DS:[142C497F8] "Spawn Fight Dude"
0000000141006B18 LEA RDX,QWORD PTR DS:[142C49B3C] "Give "
0000000141006BE6 LEA RDX,QWORD PTR DS:[142C49B48] "Remove "
0000000141006CB4 LEA RDX,QWORD PTR DS:[142C49B3C] "Give "
0000000141006D82 LEA RDX,QWORD PTR DS:[142C49B3C] "Give "
0000000141006E4C LEA RDX,QWORD PTR DS:[142C49B50] "Max out district associate levels"
0000000141006F1A LEA RDX,QWORD PTR DS:[142C49B78] "Show Skills"
0000000141006FE8 LEA RDX,QWORD PTR DS:[142C49B88] "Cycle Skill Presets Forward"
00000001410070B6 LEA RDX,QWORD PTR DS:[142C49BA8] "Cycle Skill Presets Backward"
00000001410075E1 LEA R9,QWORD PTR DS:[142C49BC8] "Show Gear Stats"
0000000141007655 LEA RDX,QWORD PTR DS:[142C49BD8] "DEBUG CATEGORY : VEHICLE PROGRESSION"
00000001410077D1 LEA RDX,QWORD PTR DS:[142C49C00] "Toggle Kill 1 Mount on [RT] Press"
000000014100789B LEA RDX,QWORD PTR DS:[142C49C28] "Toggle Kill Carriage on [RB] Press"
0000000141007965 LEA RDX,QWORD PTR DS:[142C49C50] "Vehicle Damage Low"
0000000141007A2F LEA RDX,QWORD PTR DS:[142C49C68] "Vehicle Damage Medium"
0000000141007AF9 LEA RDX,QWORD PTR DS:[142C49C80] "Vehicle Damage High"
0000000141007BC3 LEA RDX,QWORD PTR DS:[142C49C98] "Vehicle Increase Damage"
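The listing above is x64dbg's string-reference output. As an added example (my own, not part of SunBeam's post or table), here is a small Python parser for that line format: it turns each line into (instruction address, register, string address, label), finds the load site for a given label so you know where to start scrolling up, and groups sites that share one string pointer, which flags labels such as "Give " that several entries share and which are therefore weaker leads than a label referenced exactly once. SAMPLE is a constructed subset of the listing; all helper names are mine.

```python
import re
from collections import defaultdict

# One x64dbg "string references" line as pasted in the post:
#   <instruction address> LEA <reg>,QWORD PTR DS:[<string address>] "<label>"
LINE_RE = re.compile(
    r'^(?P<insn>[0-9A-Fa-f]{16})\s+LEA\s+(?P<reg>R\w+),QWORD PTR DS:'
    r'\[(?P<str>[0-9A-Fa-f]+)\]\s+"(?P<text>.*)"\s*$'
)

# Constructed sample: a handful of lines from the listing, including the duplicates it contains.
SAMPLE = """\
0000000141005428 LEA RDX,QWORD PTR DS:[142C497F8] "Spawn Fight Dude"
00000001410064B0 LEA RDX,QWORD PTR DS:[142C49A68] "God Mode :"
00000001410066B5 LEA R8,QWORD PTR DS:[142C49AB0] "Enable assassin collision with trigger zones :"
00000001410069E1 LEA RDX,QWORD PTR DS:[142C497F8] "Spawn Fight Dude"
0000000141006B18 LEA RDX,QWORD PTR DS:[142C49B3C] "Give "
0000000141006CB4 LEA RDX,QWORD PTR DS:[142C49B3C] "Give "
"""


def parse_refs(listing):
    """Parse the listing into dicts {'insn': int, 'reg': str, 'str_addr': int, 'text': str}.
    Raises ValueError on a line that does not match, so a truncated paste is noticed."""
    refs = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        refs.append({
            "insn": int(m["insn"], 16),
            "reg": m["reg"],
            "str_addr": int(m["str"], 16),
            "text": m["text"],
        })
    return refs


def find_site(refs, text):
    """Instruction address(es) that load the given label, e.g. 'God Mode :'.
    Following this address in the disassembler and scrolling up is the step the post describes."""
    return [r["insn"] for r in refs if r["text"] == text]


def group_by_string(refs):
    """Map string address -> sorted instruction addresses that load it.
    A string loaded from several sites (e.g. "Give ") is a shared label, not one menu entry,
    so it is a weaker lead than a string referenced exactly once."""
    groups = defaultdict(list)
    for r in refs:
        groups[r["str_addr"]].append(r["insn"])
    return {addr: sorted(sites) for addr, sites in groups.items()}


def argument_register(refs, text):
    """Set of registers the label is loaded into. Most entries use RDX; the few that use R8
    pass the label as a later argument (Win64 order: RCX, RDX, R8, R9), a hint that those
    entries have a different signature."""
    return {r["reg"] for r in refs if r["text"] == text}


if __name__ == "__main__":
    refs = parse_refs(SAMPLE)
    for addr, sites in group_by_string(refs).items():
        print(f"{addr:X}: {[hex(s) for s in sites]}")
    print("God Mode site:", [hex(s) for s in find_site(refs, "God Mode :")])
```

Run on the full listing, group_by_string() immediately shows which labels are unique menu entries and which are shared fragments, and argument_register() separates the RDX entries from the two R8 ones before you spend time on the disassembly.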
To find the debug menu function of interest, simply follow the reference and scroll up a bit. Example below with the "God Mode : " string reference:
God Mode function's location is 0x1410248D0:
Before we actually CALL the function, a wee bit of study is required to figure out how it should be called (the number of arguments and what those arguments should be).
Code:
00000001410248D0 | 48 89 5C 24 18 | MOV QWORD PTR SS:[RSP+18],RBX | <- function prologue
..
00000001410248DF | 48 8B 5A 20 | MOV RBX,QWORD PTR DS:[RDX+20] | <- fetch pointer from [RDX+20] into RBX
..
00000001410248E6 | 8B F9 | MOV EDI,ECX | <- save ECX into EDI
00000001410248E8 | 48 85 DB | TEST RBX,RBX | <- is it valid?
00000001410248EB | 0F 84 85 00 00 00 | JE acs_dumped.141024976 | <- no? -> exit; yes? -> continue
..
0000000141024948 | 83 FF 01 | CMP EDI,1 | <- is EDI 1?
000000014102494B | 75 24 | JNZ acs_dumped.141024971 | <- no? -> exit; yes? -> enable/disable God
..
0000000141024971 | 48 8B 74 24 30 | MOV RSI,QWORD PTR SS:[RSP+30] |
0000000141024976 | 48 8B 5C 24 40 | MOV RBX,QWORD PTR SS:[RSP+40] |
000000014102497B | 48 8B 6C 24 48 | MOV RBP,QWORD PTR SS:[RSP+48] |
0000000141024980 | 48 83 C4 20 | ADD RSP,20 |
0000000141024984 | 5F | POP RDI |
0000000141024985 | C3 | RET | <- function epilogue
Therefore, the function would be called like so:
mov rdx, pMenu // I called it a menu pointer, you'll see why ('p' is for pointer)
mov rcx, 1 // I think 'mov ecx, 1' would suffice
call GodMode // 0x1410248D0
Having said that, now how do we actually run the above code?
a. We can do it via a hook set on an instruction that's accessed constantly by the game. But we all know what will happen. Big bada-boom! Exactly, crashing.
b. Or via creating a thread that runs a code loop, monitoring key activity. When certain keys are pressed, the code executes inside this thread. And that's the way I chose to go, what you all know as the Cheat Handler.
** pMenu, anyone? **
Alright, but what about pMenu? What is it and where do we get it? And furthermore, how do we acquire it given the code anti-tampering Ubisoft has implemented in this game? Haven't yet checked, though I am pretty sure the implementation is identical to Unity's, judging by the names of some of the executable's sections: UBX0, UBX1, UBX1. Yeaps, VMProtect.
If you scroll up or down from the "God Mode : " string reference, you'll notice the other string references, the list I've posted above. Well, this entire function - at least from my perspective - is a debug menu. So far I don't know how to actually display it for use, but no one said we can't use its individual functions for our benefit.
So, scroll all the way up to Debug Menu's prologue:
Set a breakpoint there with Cheat Engine (make sure you use hardware breakpoints via the VEH Debugger). Now, back in-game (I'm assuming you're running in windowed mode), load the map, either from the main menu by entering the game world - OR - by teleporting to a location. Your choice.
When CE breaks, check out RCX. That will be the pointer we want to use in our future handler. I called it pMenu.
So now we know what pMenu is: a contextual pointer that contains a base address, at offset 0x20, that's used to build up a path to: player structure, world structure, etc.
** LUA me softly **
But still - how do we make CE retrieve the RCX register at that location, combined with an auto-assemble script? Can we do that without CE actually freezing the game (cuz, yeah, we want to play it in fullscreen mode)? This pointer will change every time we teleport or load a map. Probably in other instances as well, but can't be arsed to figure all of them out.
So, how do we do it? And then LUA came in.
In Assassin's Creed: Unity the implementation was as follows:
Code:
[ENABLE]
{$lua}
pHook = getAddress( "qwMenu" )
pStorage = getAddress( "pMenu" )
debugProcess()
function debugger_onBreakpoint()
  -- only act on our own breakpoint; any other break is left to CE's default handling
  if RIP ~= pHook then return 0 end
  writeQword( pStorage, RCX )
  debug_continueFromBreakpoint( co_run )
  return 1
end
debug_setBreakpoint( pHook )
{$asm}
[DISABLE]
{$lua}
debug_removeBreakpoint( pHook )
{$asm}
In detail:
qwMenu represents an aobscan for several bytes in the Debug Menu function. I need to know which address I plan to set the breakpoint on. Therefore:
Code:
[ENABLE]
aobscanmodule( qwMenu_AOB, ACS.exe, 48895C240848896C241048897424185741544155415641574883EC604C8B05D5D82406 )
label( qwMenu )
registersymbol( qwMenu )
qwMenu_AOB:
qwMenu:
alloc( pMenu, 8, ACS.exe ) // 8 bytes, since the LUA script stores a full qword here (alloc takes the size before the preferred base)
registersymbol( pMenu )
[DISABLE]
unregistersymbol( qwMenu )
unregistersymbol( pMenu )
dealloc( pMenu )
- getAddress( "qwMenu" ) in LUA retrieves the address CE scanned, found and stored in qwMenu; and stores it in variable pHook
- getAddress( "pMenu" ) does the same, retrieving the address we allocated for pMenu; and stores it in pStorage variable
- debugProcess() speaks for itself
- debug_setBreakpoint( pHook ) sets a hardware breakpoint on the pHook address (the address of our Debug Menu)
Inside the debugger_onBreakpoint() function:
- once CE breaks, it retrieves the RCX register and writes it to pStorage, i.e. pMenu, via 'writeQword( pStorage, RCX )'
- debug_continueFromBreakpoint( co_run ) tells the debugger to resume the game after it breaks
So now, when you add the two scripts to the table, enable both, load the game and check the pMenu address (adding it to your list), you should have the pointer you need for the handler.
What remains next up is to write the body of the handler, looking up the functions you want to execute. Example of calling God Mode function below:
Code:
[ENABLE]
alloc( KeyHandlerThread, 8192 )
registersymbol( KeyHandlerThread )
CreateThread( KeyHandlerThread )
alloc( KeyHandlerOff, 4 )
registersymbol( KeyHandlerOff )
label( ExitKeyHandler )
label( KeyHandlerThread_loop )
// functions list start
label( GodMode_do )
// end of Functions list
KeyHandlerOff:
dd 0
KeyHandlerThread:
sub rsp,28
KeyHandlerThread_loop:
mov rcx,0a
call Sleep
cmp [KeyHandlerOff],1
je ExitKeyHandler
cmp [pMenu],0 // check if Debug Menu contextual pointer is valid
je KeyHandlerThread_loop
mov rcx,60 // VK_NUMPAD0
call GetAsyncKeyState
test ax,ax
jne GodMode_do
jmp KeyHandlerThread_loop
//******************************************
//* *
//* Debug Menu Functions *
//* *
//******************************************
GodMode_do:
mov rdx,[pMenu]
mov rcx,1
call 1410248D0 // GodMode
mov rcx,C8
call Sleep
jmp KeyHandlerThread_loop
ExitKeyHandler:
add rsp,28
mov [KeyHandlerOff],2
ret
[DISABLE]
{$lua}
if( syntaxcheck == false ) then --actual execution
local starttime = getTickCount()
if readInteger( "KeyHandlerOff" ) == 0 then --could be 2 already
writeInteger( "KeyHandlerOff", 1 ) --tell the thread to kill itself
end
while( getTickCount() < starttime + 1000 ) and ( readInteger( "KeyHandlerOff" ) ~=2 ) do --wait till it has finished
sleep( 20 )
end
if( getTickCount() > starttime + 1000 ) then --could happen when the window is shown
showMessage( 'Disabling the thread failed!' )
error( 'Thread disabling failed!' )
end
sleep( 1 )
end
{$asm}
unregistersymbol( KeyHandlerOff )
dealloc( KeyHandlerOff )
unregistersymbol( KeyHandlerThread )
dealloc( KeyHandlerThread )
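The choice between a hook and a dedicated key-polling thread in (a) and (b) above, and the KeyHandlerOff handshake the script relies on (0 = thread running, 1 = stop requested, 2 = thread has exited, with the [DISABLE] LUA waiting up to one second and refusing to dealloc when the thread never confirms), are easiest to reason about outside the game. The following Python model is an added example, not SunBeam's code or CE's: KeyHandlerModel mirrors the thread loop using constructed stand-ins (key_down() for GetAsyncKeyState, target() for the 'call 1410248D0'), and stop() mirrors the disable logic, returning False when the thread did not report its exit, which is the case in which freeing the thread's memory would be unsafe. demo_normal() and demo_hung() are constructed scenarios; all names are mine.

```python
import threading
import time

# KeyHandlerOff protocol from the auto-assembler script:
#   0 = thread running, 1 = stop requested by [DISABLE], 2 = thread has exited
RUNNING, STOP_REQUESTED, EXITED = 0, 1, 2


class KeyHandlerModel:
    """Model of the Cheat Handler loop: poll a key and, when it is down and the context
    pointer is populated, call the target with (context, 1). key_down and target are
    constructed stand-ins for GetAsyncKeyState and the debug-menu function call."""

    def __init__(self, key_down, target, poll_s=0.001, debounce_s=0.02):
        self.key_down = key_down        # callable -> bool   (stand-in for GetAsyncKeyState)
        self.target = target            # callable(ctx, flag) (stand-in for 'call 1410248D0')
        self.poll_s = poll_s            # 'mov rcx,0a / call Sleep': pause between polls
        self.debounce_s = debounce_s    # 'mov rcx,C8 / call Sleep': pause after a call
        self.context = 0                # [pMenu]; stays 0 until the breakpoint script fills it
        self.flag = RUNNING             # [KeyHandlerOff]
        self.calls = []                 # (context, flag) arguments passed to target
        self._thread = None

    def _loop(self):
        while True:
            time.sleep(self.poll_s)
            if self.flag == STOP_REQUESTED:      # cmp [KeyHandlerOff],1 / je ExitKeyHandler
                break
            if self.context == 0:                # cmp [pMenu],0 / je KeyHandlerThread_loop
                continue
            if self.key_down():                  # call GetAsyncKeyState / test ax,ax / jne
                self.calls.append((self.context, 1))
                self.target(self.context, 1)     # mov rdx,[pMenu] / mov rcx,1 / call ...
                time.sleep(self.debounce_s)
        self.flag = EXITED                       # mov [KeyHandlerOff],2 / ret

    def start(self):
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()

    def stop(self, timeout_s=1.0):
        """Mirror of the [DISABLE] LUA: request a stop, wait up to timeout_s for the thread
        to report EXITED, and return whether it is now safe to free the thread's memory."""
        if self.flag == RUNNING:                 # could be 2 already if the thread left on its own
            self.flag = STOP_REQUESTED
        deadline = time.monotonic() + timeout_s
        while time.monotonic() < deadline and self.flag != EXITED:
            time.sleep(0.005)
        return self.flag == EXITED


def demo_normal():
    """Key held before the context pointer exists, then the pointer arrives, then a clean stop."""
    state = {"down": False}
    recorded = []
    h = KeyHandlerModel(lambda: state["down"], lambda ctx, f: recorded.append((ctx, f)))
    h.start()
    state["down"] = True
    time.sleep(0.05)
    before_context = list(recorded)     # nothing is called while [pMenu] is still 0
    h.context = 0x1234                  # constructed value standing in for the captured RCX
    time.sleep(0.1)
    state["down"] = False
    stopped = h.stop()
    return before_context, recorded[:1], stopped, h.flag


def demo_hung():
    """The called function never returns, so the stop handshake times out and stop() says
    the memory must not be freed (the script raises an error instead of dealloc'ing)."""
    h = KeyHandlerModel(lambda: True, lambda ctx, f: time.sleep(5))
    h.context = 1
    h.start()
    time.sleep(0.05)
    return h.stop(timeout_s=0.2)


if __name__ == "__main__":
    print("normal:", demo_normal())
    print("hung thread stopped cleanly:", demo_hung())
```

The hung case is why the [DISABLE] section errors out instead of proceeding to dealloc: a thread still executing inside freed memory is exactly the crash the author warns about with the hook approach.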
That being said, try and compile the table based on all of this information.
BR,
Sun