God of War [Engine:Unknown]

[SunBeam]

Hey! So...this is my first time posting on a Cheat Engine form. And forgive me if this has already been asked, but is there a command that can revert the Leviathan axe BACK to it's basic form? I'm doing a "canon"/no upgrade run. And I wanted to use the very basic look to the axe, but of course when you meet Brok it forces you to upgrade. I'm not really worried about stats since I'm playing on the easiest difficulty for this run. Plus I have another Cheat Engine table that allows me to edit the overall stats. So...really I just want to downgrade the axe to the basic version. Any help would be much appreciated!

You can use the RemoveResource command in the Lua UDF window to remove stuff from your inventory. Please read through the pages of this topic to find out how it works, several people have talked about it.

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[SunBeam]

Thanks to Ekey, IDA 7.5 and some plugins, I was able to retrieve some RTTI information and generate a fake .pdb Attached below, you can drop it in your game folder and check .exe with x64dbg for some interesting symbols:

GoW.rar

GoW.pdb; password: sunbeam

(783.87 KiB) Downloaded 259 times

And, as per my previous post with analysis, the function I put a breakpoint on to get to Codyi's stuff now shows this in dump:



So we're looking at a goSoldier object. The offsetting to 0x910 shows this now:

The kid's name is Atreus, right? That's probably what he meant.

And yes, he meant Atreus, as the 2nd object of goSoldier being initialized there is goSon00

Now that I look at the hierarchy with the names the .pdb offers, I see this, starting from goPlayer:





Then follow +0x08:



Then follow +0x08:



So the hierarchy looks like this, from top (parent) to bottom (child):

goheroa00::goSoldier::goPlayer

Where goheroa00 is a goGameObject.

So now if you scan memory for all references to 0x7FF3B79CEAA0, you will find at least one () that is used by the game's executable code:



And that's what I meant with "the game should be using it" to be valid and usable in any logic you want to build from this. And if you check the code, you can see where that RCX comes from

Code: Select all

000000014060E984 | 48:8B05 AD88C401  | MOV RAX,QWORD PTR DS:[<g_goPlayer>]
...
...
000000014060E996 | 48:8B40 08        | MOV RAX,QWORD PTR DS:[RAX+8]
000000014060E99A | 48:8B48 08        | MOV RCX,QWORD PTR DS:[RAX+8]

So yeah, we're back to g_goPlayer. From it, the Engine reads the parent (goheroa00) via [[+0x8]+0x8] and stores it in 0x0x1411AD4A8.

[JohnTom_The3rd]

Hey! So...this is my first time posting on a Cheat Engine form. And forgive me if this has already been asked, but is there a command that can revert the Leviathan axe BACK to it's basic form? I'm doing a "canon"/no upgrade run. And I wanted to use the very basic look to the axe, but of course when you meet Brok it forces you to upgrade. I'm not really worried about stats since I'm playing on the easiest difficulty for this run. Plus I have another Cheat Engine table that allows me to edit the overall stats. So...really I just want to downgrade the axe to the basic version. Any help would be much appreciated!

You can use the RemoveResource command in the Lua UDF window to remove stuff from your inventory. Please read through the pages of this topic to find out how it works, several people have talked about it.

Hey, I hope I'm not being annoying. Maybe I'm kind of stupid, but I tried the "RemoveResource" command and no change. The axe still has the metal grip you get after Brok forces you to upgrade. Maybe I used the wrong command? I used the

Code: Select all

game.Wallets.RemoveResource("HERO", "AxeReinforcement", 1, "NO_TELEMETRY")

command and still nothing. Any help would be appreciated. I did look through the pages of this topic, but the only thing I see is occasionally people would respond with "Use RemoveResource instead of AddReseource". Which like I said, I did but it still didn't change the axe.

Edit: I just wanted to quickly say that I'm not trying to remove the Frozen Flame from my inventory. I'm trying to remove the upgrade on the axe. The one that is forced upon you by Brok and the tutorial at the beginning.

[Wulf]

Sunbeam, do you use ReClass?

Here's my rcnet file, mostly updated to 1.04.

[Link]

If you don't use it, it's goddamn fucking amazeballs for figuring out structures in live memory.

...And if you do use it, well, then carry on.

[SunBeam]

Sunbeam, do you use ReClass?

Here's my rcnet file, mostly updated to 1.04.

[Link]

If you don't use it, it's goddamn fucking amazeballs for figuring out structures in live memory.

...And if you do use it, well, then carry on.

Nah, I don't use ReClass. Used to when I was checking out UE3 class stuff. You should try CE's RTTI feature (it's on by default). Just open Memory View > Ctrl+D > add in your address and let it auto-guess stuff. See aSwedishMagyar's table.

[ribasmudj]

Sorry if it's been answered already but I'm having a problem editing the value files for the Item Hash tab. Whenever I double click the value or go through right click>edit value, nothing happens and I only get an error-like sound in the background without seeing an error. CE updated to the latest, not sure why I can't edit the value tab?

[Wulf]

Anybody tired of the unskippable intro cinematic can delete the bk2 file.

GodOfWar\exec\cinematics\ps_studios_long_strawberry_4k30_006.bk2

[Wulf]

Script to change the difficulty live, instead of needing to toggle the value then save/reload. Change RCX from 0-3 to select difficulty.
1.04

[ENABLE]
alloc(code, 0x1000)
CreateThread(code)

code:
sub rsp, 0x100
pushfq

mov rcx, 3
call GoW.exe+6cc490

popfq
add rsp, 0x100
ret

[DISABLE]
dealloc(code)

SunBeam, your table's pretty fancy. Clearly not your job to teach me CT-building, but is there a simple way to add a selector/inputread to the above? Or would I have to wrap the whole thing in a form/LUA?

[Wulf]

Not sure if this sort of thing tickles your fancy, but here's a powershell script to dump the first 20 LUA client names from memory, and the value of LUAClient+0x58 that you grab in your ScriptExec function.

I'm assuming that it should be somewhat reasonable to throw LUA commands at any of the LUA contexts.

Code: Select all

# $ErrorActionPreference= 'silentlycontinue'
$procname = "GoW"

cls

Function RBytes
{
	Param (
		$addr,
		$sizetoread
	)
	[Byte[]] $buff = New-Object Byte[]($sizetoread)
	$read = $rpm::ReadProcessMemory($proc,$addr,$buff,$buff.length,$null);
	$buff
}
Function RAsciiStr
{   
	Param (
        $addr
    )
	([System.Text.Encoding]::ASCII.GetString($(RBytes $addr 30))).Split([char]0)[0]
}
Function RInt64
{   
	Param (
        $addr
    )
	$sizetoread = 8
	[Byte[]] $buff = New-Object Byte[]($sizetoread)
	$read = $rpm::ReadProcessMemory($proc,$addr,$buff,$buff.length,$null);
	[bitconverter]::ToInt64($(RBytes $addr 8),0)
}

$signature = @"
[DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(
    uint h,bool b ,uint p);
[DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(
    IntPtr hp,IntPtr Base,[Out]Byte[] buff,int Size,[Out]int bread);
"@
$rpm = Add-Type -MemberDefinition $signature -Name rpm -PassThru
$access = 0x001F0FFF





$ba = (get-Process $procname).MainModule.BaseAddress.ToInt64()
$procid = (get-Process $procname).ID
$proc = $rpm::OpenProcess($access, $false, $procid)

$luaserv = RInt64 ($ba + 0x122ab68)
$luaclients = $luaserv + 0x4ca8

for ($i = 0; $i -le 20; $i += 1)
{
	Write-Host (RAsciiStr (RInt64 ((RInt64 ($luaclients + 8 * $i)) + 0x38)))     (RInt64 ((RInt64 ($luaclients + 8 * $i)) + 0x58)).ToString("X")
}

	

Code: Select all

WAD_R_Perm 7FF2FE29CB60
WAD_R_UI 7FF2F930E3C0
goheroa00 7FF2F4529A30
goson00 7FF2EC7AD220
WAD_Riv200_c115_BridgeCollapse 7FF2E58BD830
WAD_Riv000_Sound 7FF2CAC83020
WAD_Riv085_DangersEntranceLH 7FF2C32C20C0
WAD_Riv100_DangersEntrance 7FF2BBBB9650
WAD_Riv075_Lighting 7FF2DD1CAF70
WAD_Riv150_DangersMainLH 7FF2E08EB190
WAD_Riv200_DangersMain 7FF2B426FA60
WAD_Riv300_CalderaVistaLH 7FF2E6F11820
WAD_For950_RiverPassLH 7FF2CDBF1C10
WAD_Riv200_c115_BridgeCollapse 0
godraugr00 0
 0
 0
 0
 0
 0
 0

[SunBeam]

...

Yeah, we knew. That doesn't skip the "Sony Interactive presents" and "Santa Monica" ones

P.S.: In games where this doesn't work - game still needs the .bik there to play it - you can replace the file with a 0-frames one. Just rename your original to .BAK and extract the attached one below to your folder:

ps_studios_long_strawberry_4k30_006.zip

generic 0-frames .bik file

(593 Bytes) Downloaded 120 times

Again, can be used with any games having their intros as .bik files, whereas each of those files have to be renamed to .BAK and this one here copied several times and named like the originals.

...

Been meaning to ask.. why do you use pushfq/popfq? I mean.. I know what they're for. Why do you use them where they make no sense? Not only that, but why do you use them in an INDEPENDENT thread? See this post of yours: viewtopic.php?p=232840#p232840. It just doesn't make sense. If you are in a standalone thread, you don't need preserving of registers or flags T_T

Code: Select all

[ENABLE]
alloc(code, 0x1000)
CreateThread(code)

code:
pushfq // no need for this
mov rcx, GoW.exe+76BE70
mov rcx, [rcx]
call GoW.exe+76BE70
popfq // no need for this
ret

[DISABLE]
dealloc(code)

What you do need is proper stack intialization, which, on x64, the default is this:

Code: Select all

sub  rsp,28
..
..
add rsp,28
ret

So you code above becomes:

Code: Select all

[ENABLE]
alloc(code, 0x1000)
CreateThread(code)

code:
sub rsp,28
mov rcx, GoW.exe+76BE70
mov rcx, [rcx]
call GoW.exe+76BE70
add rsp,28
ret

[DISABLE]
dealloc(code)

Why? Because that "call GoW.exe+76BE70" may require stack room, which you've never accounted for. If there was no CALL in your code, you wouldn't need sub rsp,28/add rsp,28 + ret. But then again, that's good practice to prefix/suffix your functions with those 3 lines. That's what a C++ compiler would do anyway.

...

Yeah, it's useful. Especially since the Lua files in first post refer to the specific VMs they're used in. Take a look at this: [Link]. The top folder in each hierarchy is the Lua VM name. The subsequent Lua files within each root folder are what's run inside that VM. If you can find a way to get all of those VMs, then they can be stored in a structure and used later on.

I've started looking at this: [Link]. Want to adapt it to God of War. With what I just said above, the code could do a GetVM() every time you want to run a Lua script in the context of a specific VM. For example, in "Mafia-Definitive-Edition-ScriptHook/files/scripts/dev.lua", you could do..

Code: Select all

printPlayerPosition = [[
	vec = game.game:GetActivePlayer():GetPos();
	posi = string.format('vec = Math:newVector(%f,%f,%f)', vec.x, vec.y, vec.z);
	printToLog("dev.log", posi);
	dir = game.game:GetActivePlayer():GetDir();
	diri = string.format('dir = Math:newVector(%f,%f,%f)', dir.x, dir.y, dir.z);
	printToLog("dev.log", diri);
]]

..after you've ran a GetVM() to specify which VM's lua_state you want to use for the execution of the above. Which VM you want to run this piece of code in. My table does everything in the Lua state of goPlayer; I don't use other VMs, so that's maybe why some shit doesn't work.

What the ScriptHook does extra than what there already is in my table is to offer the possibility to run .lua files (instead of copy-pasting stuff to an UDF), add bind keys and obtain print logs (to a physical file, on disk: dev.log). That way you can track what the fuck fails and so on.

Cheers,
Sun

[Wulf]

Been meaning to ask.. why do you use pushfq/popfq? I mean.. I know what they're for. Why do you use them where they make no sense? Not only that, but why do you use them in an INDEPENDENT thread? See this post of yours: viewtopic.php?p=232840#p232840. It just doesn't make sense. If you are in a standalone thread, you don't need preserving of registers or flags T_T

I got into the habit of doing it back when I used to do more mid-function hooking, but you're absolutely right that it makes zero sense in a new thread. I also caught that I'd been screwing up the stack and fixed that in my local CT, haven't synced it yet I guess.

I rarely use CT scripting stuff so when I do I usually end up copy/pasting bits from old tables to make things work.

Thanks for the input and response, I'll read through the rest a bit later.

[Wulf]

Neat.

Set gow.exe+75e2f5 = 0

[Link]

Doesn't seem to have the suboptions enabled, but I wonder what else checks that value.

Edit: Spoiler alert: - Nothing. Nothing else checks that value. But it would be neat to figure out how to populate those wadlists.

[SunBeam]

^ Good spotting. Debug bytes around that address of yours, up and down, using exception breakpoints. See what comes up

[Wulf]

The LUA print function is nullsubbed out at GoW.exe+5a5c60. The text it's trying to print at that point is at [[rsp+38]+10]+20.

Probably a more complex printf type dealy going on, but should be enough bytes there to hook print to something with better handling.

[SunBeam]

^ Good work, keep at it. Sent you a PM

EDIT #1: One thing you need to be aware of is when MSVC compiles code with optimizations in place, for any nullstub it will point all such pointers to the same instance of "xor eax,eax|ret".

EDIT #2: Well, fuck it. I will map all Lua into 1.0.4 binary in IDA, so the next time the game updates I can use BinDiff and port over all labels/symbols. I am sick and tired of manually updating x64dbg .dd64 file every time they add in some feature no one cares about. Sharpness slider for DLSS.. who gives a fuck??...