Resident Evil 4 Remake

Upload your cheat tables here (No requests)
krustytoe
Expert Cheater
Posts: 68
Joined: Tue Sep 10, 2019 2:14 am
Reputation: 55

Re: Resident Evil 4 Remake

Post by krustytoe »

Arkaides wrote:
Mon Apr 24, 2023 4:20 pm
Very helpful table, thanks a lot for this!
Unfortunately the latest RE4R update broke some options (like 'Always get S+'), resulting in the game crashing...
Also, would it be possible to implement 'No grab / no hit' and/or 'Infinite vehicle health' (for e.g. mine cart, jetski) options?
All the tables I found in this thread already containing these options have been impacted by the new update as well :\
it changed a bit

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1
Attachments
re4.CT
GodMode No Hit updated
(2.16 KiB) Downloaded 1661 times
Last edited by krustytoe on Tue Apr 25, 2023 6:44 am, edited 2 times in total.

gir489
RCE Fanatics
Posts: 662
Joined: Mon May 08, 2017 4:08 am
Reputation: 466

Re: Resident Evil 4 Remake

Post by gir489 »

Arkaides wrote:
Mon Apr 24, 2023 4:20 pm
Very helpful table, thanks a lot for this!
Unfortunately the latest RE4R update broke some options (like 'Always get S+'), resulting in the game crashing...
Fake news.

Image

gir489
RCE Fanatics
Posts: 662
Joined: Mon May 08, 2017 4:08 am
Reputation: 466

Re: Resident Evil 4 Remake

Post by gir489 »

I have recoded several functions from scratch to try and make them more updateable.

Most noticeable is Manipulate Current Selected Item; I did that from the ground up and it no longer relies on a useless AoB scan that's only relevant for one version. It now uses static data from the stack to determine the pointer to grab. You may also notice now that you can select all treasures.

The other functions recoded are Unlock All Challenges and Set Mercenaries Timer. Unlock All Challenges now uses a signature I generated with IDA which seems to be more reliable between versions, but it requires shifting the location by almost 60 bytes. Set Mercenaries Timer now hijacks the function that called the function I was using before, and now doesn't rely on the padding for the AoBScan.

Glowmoss
Negan
Posts: 414
Joined: Sun Oct 17, 2021 10:14 pm
Reputation: 208

Re: Resident Evil 4 Remake

Post by Glowmoss »

krustytoe wrote:
Mon Apr 24, 2023 4:23 pm
it changed a bit
I would recommend instead of this

Code: Select all

jne re4.exe+2317EF8
use this

Code: Select all

reassemble(GodModeNoHit+04)
just so you won't need to update it every time there is an update.
you could also use the aob generator in the tools section if you wanted a better aob that's less likely to screw up with an update but it's up to you and your preference.

gir489
RCE Fanatics
Posts: 662
Joined: Mon May 08, 2017 4:08 am
Reputation: 466

Re: Resident Evil 4 Remake

Post by gir489 »

Glowmoss wrote:
Tue Apr 25, 2023 1:25 am
krustytoe wrote:
Mon Apr 24, 2023 4:23 pm
it changed a bit
I would recommend instead of this

Code: Select all

jne re4.exe+2317EF8
use this

Code: Select all

reassemble(GodModeNoHit+04)
just so you won't need to update it every time there is an update.
you could also use the aob generator in the tools section if you wanted a better aob that's less likely to screw up with an update but it's up to you and your preference.
It would probably be better to just trampoline at the mov rax,[rbx+00000148] instruction, as it's more than 5 bytes of opcodes. Then he could just do the original code which would populate the RAX register with the pointer he needs and then RAX+18 would land at the godmode byte.

Or, if this is the only place it's read, you could change the JNE to a JMP by changing the first byte to E9 skipping the need to write the byte only to just change the path of the conditional jump proceeding it.

Here's both:

Code: Select all

// Game Executable   : re4.exe
// Author            : gir489
// Executable Version: 1.0.5.0
// MD5 Signature     : 942BA056C69684FF07EB85260499A0F7
// EXE Compile Date  : April 17, 2023 12:32 PM
// Script Date       : April 24, 2023 10:22 PM
[ENABLE]
aobscanmodule(aob_HeckinGodmodarino,re4.exe,48 8B 83 48 01 00 00 80 78 18 00 75 0B 83 78 14 00 0F 9E C0 84 C0 75 0D)
registersymbol(aob_HeckinGodmodarino)
alloc(newmem_HeckinGodmodarino,1024,re4.exe)
label(return_HeckinGodmodarino)

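newmem_HeckinGodmodarino:
  // original instruction that was overwritten by the 5-byte jmp + 2 nops
  mov rax,[rbx+00000148]
  // explicit byte write: the game tests this flag with cmp byte ptr [rax+18],00
  mov byte ptr [rax+18],#1
  jmp return_HeckinGodmodarino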

aob_HeckinGodmodarino:
  jmp newmem_HeckinGodmodarino
  nop 2
return_HeckinGodmodarino:

[DISABLE]
aob_HeckinGodmodarino:
  db 48 8B 83 48 01 00 00

unregistersymbol(aob_HeckinGodmodarino)
dealloc(newmem_HeckinGodmodarino)

{
// ORIGINAL CODE - INJECTION POINT: re4.exe+23AF3C0

re4.exe+23AF37B: 83 BB 84 00 00 00 00  - cmp dword ptr [rbx+00000084],00
re4.exe+23AF382: 0F 94 C0              - sete al
re4.exe+23AF385: 84 C0                 - test al,al
re4.exe+23AF387: 74 5C                 - je re4.exe+23AF3E5
re4.exe+23AF389: 48 8B 5F 50           - mov rbx,[rdi+50]
re4.exe+23AF38D: 48 85 DB              - test rbx,rbx
re4.exe+23AF390: 74 2C                 - je re4.exe+23AF3BE
re4.exe+23AF392: 48 8B 03              - mov rax,[rbx]
re4.exe+23AF395: 48 8B 15 5C EB D5 0A  - mov rdx,[re4.exe+D10DEF8]
re4.exe+23AF39C: 48 8B 08              - mov rcx,[rax]
re4.exe+23AF39F: E8 BC C4 1F 01        - call re4.exe+35AB860
re4.exe+23AF3A4: 84 C0                 - test al,al
re4.exe+23AF3A6: 74 16                 - je re4.exe+23AF3BE
re4.exe+23AF3A8: 48 8B 03              - mov rax,[rbx]
re4.exe+23AF3AB: 48 8B 15 06 A0 D6 0A  - mov rdx,[re4.exe+D1193B8]
re4.exe+23AF3B2: 48 8B 08              - mov rcx,[rax]
re4.exe+23AF3B5: E8 A6 C4 1F 01        - call re4.exe+35AB860
re4.exe+23AF3BA: 84 C0                 - test al,al
re4.exe+23AF3BC: 75 02                 - jne re4.exe+23AF3C0
re4.exe+23AF3BE: 33 DB                 - xor ebx,ebx
// ---------- INJECTING HERE ----------
re4.exe+23AF3C0: 48 8B 83 48 01 00 00  - mov rax,[rbx+00000148]
// ---------- DONE INJECTING  ----------
re4.exe+23AF3C7: 80 78 18 00           - cmp byte ptr [rax+18],00
re4.exe+23AF3CB: 75 0B                 - jne re4.exe+23AF3D8
re4.exe+23AF3CD: 83 78 14 00           - cmp dword ptr [rax+14],00
re4.exe+23AF3D1: 0F 9E C0              - setle al
re4.exe+23AF3D4: 84 C0                 - test al,al
re4.exe+23AF3D6: 75 0D                 - jne re4.exe+23AF3E5
re4.exe+23AF3D8: 33 C0                 - xor eax,eax
re4.exe+23AF3DA: 38 87 78 02 00 00     - cmp [rdi+00000278],al
re4.exe+23AF3E0: 0F 94 C0              - sete al
re4.exe+23AF3E3: EB 02                 - jmp re4.exe+23AF3E7
re4.exe+23AF3E5: 33 C0                 - xor eax,eax
re4.exe+23AF3E7: 48 8B 8D 80 00 00 00  - mov rcx,[rbp+00000080]
re4.exe+23AF3EE: 48 85 C9              - test rcx,rcx
re4.exe+23AF3F1: 74 0A                 - je re4.exe+23AF3FD
re4.exe+23AF3F3: 85 C0                 - test eax,eax
re4.exe+23AF3F5: 0F 95 C2              - setne dl
re4.exe+23AF3F8: E8 D3 F1 17 02        - call re4.exe+452E5D0
re4.exe+23AF3FD: 48 8B 5F 50           - mov rbx,[rdi+50]
re4.exe+23AF401: 48 8B AF A0 01 00 00  - mov rbp,[rdi+000001A0]
re4.exe+23AF408: 48 85 DB              - test rbx,rbx
}

Code: Select all

// Game Executable   : re4.exe
// Author            : gir489
// Executable Version: 1.0.5.0
// MD5 Signature     : 942BA056C69684FF07EB85260499A0F7
// EXE Compile Date  : April 17, 2023 12:32 PM
// Script Date       : April 24, 2023 10:28 PM
[ENABLE]
aobscanmodule(aob_HebbinGodmodearino,re4.exe,75 0B 83 78 14 00 0F 9E C0 84 C0 75 0D)
registersymbol(aob_HebbinGodmodearino)

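aob_HebbinGodmodearino:
  // EB = JMP rel8, which reuses the 0B displacement of the original 75 0B.
  // E9 is JMP rel32 and would consume the next four bytes as its displacement.
  db EB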

[DISABLE]
aob_HebbinGodmodearino:
  db 75

unregistersymbol(aob_HebbinGodmodearino)

{
// ORIGINAL CODE - INJECTION POINT: re4.exe+23AF3CB

re4.exe+23AF385: 84 C0                 - test al,al
re4.exe+23AF387: 74 5C                 - je re4.exe+23AF3E5
re4.exe+23AF389: 48 8B 5F 50           - mov rbx,[rdi+50]
re4.exe+23AF38D: 48 85 DB              - test rbx,rbx
re4.exe+23AF390: 74 2C                 - je re4.exe+23AF3BE
re4.exe+23AF392: 48 8B 03              - mov rax,[rbx]
re4.exe+23AF395: 48 8B 15 5C EB D5 0A  - mov rdx,[re4.exe+D10DEF8]
re4.exe+23AF39C: 48 8B 08              - mov rcx,[rax]
re4.exe+23AF39F: E8 BC C4 1F 01        - call re4.exe+35AB860
re4.exe+23AF3A4: 84 C0                 - test al,al
re4.exe+23AF3A6: 74 16                 - je re4.exe+23AF3BE
re4.exe+23AF3A8: 48 8B 03              - mov rax,[rbx]
re4.exe+23AF3AB: 48 8B 15 06 A0 D6 0A  - mov rdx,[re4.exe+D1193B8]
re4.exe+23AF3B2: 48 8B 08              - mov rcx,[rax]
re4.exe+23AF3B5: E8 A6 C4 1F 01        - call re4.exe+35AB860
re4.exe+23AF3BA: 84 C0                 - test al,al
re4.exe+23AF3BC: 75 02                 - jne re4.exe+23AF3C0
re4.exe+23AF3BE: 33 DB                 - xor ebx,ebx
re4.exe+23AF3C0: 48 8B 83 48 01 00 00  - mov rax,[rbx+00000148]
re4.exe+23AF3C7: 80 78 18 00           - cmp byte ptr [rax+18],00
// ---------- INJECTING HERE ----------
re4.exe+23AF3CB: 75 0B                 - jne re4.exe+23AF3D8
// ---------- DONE INJECTING  ----------
re4.exe+23AF3CD: 83 78 14 00           - cmp dword ptr [rax+14],00
re4.exe+23AF3D1: 0F 9E C0              - setle al
re4.exe+23AF3D4: 84 C0                 - test al,al
re4.exe+23AF3D6: 75 0D                 - jne re4.exe+23AF3E5
re4.exe+23AF3D8: 33 C0                 - xor eax,eax
re4.exe+23AF3DA: 38 87 78 02 00 00     - cmp [rdi+00000278],al
re4.exe+23AF3E0: 0F 94 C0              - sete al
re4.exe+23AF3E3: EB 02                 - jmp re4.exe+23AF3E7
re4.exe+23AF3E5: 33 C0                 - xor eax,eax
re4.exe+23AF3E7: 48 8B 8D 80 00 00 00  - mov rcx,[rbp+00000080]
re4.exe+23AF3EE: 48 85 C9              - test rcx,rcx
re4.exe+23AF3F1: 74 0A                 - je re4.exe+23AF3FD
re4.exe+23AF3F3: 85 C0                 - test eax,eax
re4.exe+23AF3F5: 0F 95 C2              - setne dl
re4.exe+23AF3F8: E8 D3 F1 17 02        - call re4.exe+452E5D0
re4.exe+23AF3FD: 48 8B 5F 50           - mov rbx,[rdi+50]
re4.exe+23AF401: 48 8B AF A0 01 00 00  - mov rbp,[rdi+000001A0]
re4.exe+23AF408: 48 85 DB              - test rbx,rbx
re4.exe+23AF40B: 74 2C                 - je re4.exe+23AF439
re4.exe+23AF40D: 48 8B 03              - mov rax,[rbx]
}
Anyway, you find anything interesting with the REFramework SDK? None of the functions I found were very helpful and the search function (which says it takes RegEx but it never works) yielded nothing.
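Seen from the integrity-checking side, the two patch styles in the scripts above (a 5-byte jump plus NOP padding, and a one-byte conditional-to-unconditional flip) leave different footprints. The following is an added example, not code from any poster in this thread: it compares pristine code bytes with a live copy and classifies each modification. The image base, image size, and hook address are assumed values; the offset and original bytes are the ones quoted in the disassembly above.

```python
import struct

# Assumed values for illustration (not from the thread): image base and size.
IMAGE_BASE = 0x140000000
IMAGE_SIZE = 0x0E000000
# Offset and original bytes are taken from the disassembly quoted in the post.
SITE_RVA = 0x23AF3C0
ORIGINAL = bytes.fromhex(
    "48 8B 83 48 01 00 00 80 78 18 00 75 0B 83 78 14 00 0F 9E C0 84 C0 75 0D"
)

def classify_patches(original, live, va):
    """Compare pristine code bytes with bytes read from the live process
    and describe each modification found."""
    findings, i, n = [], 0, min(len(original), len(live))
    while i < n:
        if original[i] == live[i]:
            i += 1
            continue
        if live[i] == 0xE9 and i + 5 <= n:
            # JMP rel32: target is relative to the end of the 5-byte instruction.
            rel = struct.unpack_from("<i", live, i + 1)[0]
            target = va + i + 5 + rel
            end = i + 5
            while end < n and live[end] == 0x90 and original[end] != 0x90:
                end += 1  # NOP padding left over from the overwritten instruction
            inside = IMAGE_BASE <= target < IMAGE_BASE + IMAGE_SIZE
            findings.append({"kind": "detour", "offset": i, "length": end - i,
                             "target": target, "leaves_image": not inside})
            i = end
        elif live[i] == 0xEB and 0x70 <= original[i] <= 0x7F:
            # Jcc rel8 opcode replaced by JMP rel8: the branch is now unconditional.
            findings.append({"kind": "jcc_to_jmp", "offset": i, "length": 1,
                             "was": original[i]})
            i += 1
        else:
            end = i
            while end < n and original[end] != live[end]:
                end += 1
            findings.append({"kind": "unknown", "offset": i, "length": end - i})
            i = end
    return findings

def make_detour(original, hook_va, va):
    """Constructed sample: 5-byte jump plus two NOPs over the 7-byte mov."""
    rel = hook_va - (va + 5)
    return b"\xE9" + struct.pack("<i", rel) + b"\x90\x90" + original[7:]

SITE_VA = IMAGE_BASE + SITE_RVA
HOOK_VA = IMAGE_BASE - 0x10000          # assumed allocation just below the image
DETOURED = make_detour(ORIGINAL, HOOK_VA, SITE_VA)
FLIPPED = ORIGINAL[:11] + b"\xEB" + ORIGINAL[12:]

if __name__ == "__main__":
    for name, sample in (("clean", ORIGINAL), ("detoured", DETOURED), ("flipped", FLIPPED)):
        print(name, classify_patches(ORIGINAL, sample, SITE_VA))
```

A detour whose target lies outside the mapped image is the stronger signal; a single-byte flip is only visible when the checker compares against pristine bytes rather than looking for jump opcodes.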

EL-DOZO
What is cheating?
Posts: 3
Joined: Mon Mar 27, 2023 12:27 am
Reputation: 1

Re: Resident Evil 4 Remake

Post by EL-DOZO »

I updated rapid fire:

Code: Select all

{ 
Game   : re4.exe
  Version:
  Date   : 2023-04-25
  Author : EL-DOZO

  Rapid Fire Weapon Script
}


[ENABLE]

aobscanmodule(RapidFire,re4.exe,89 79 24 48 8B D9) // should be unique
alloc(newmem,$1000,RapidFire)

label(code)
label(return)

newmem:

code:
  mov rbx,rcx
  jmp return

RapidFire:
  jmp newmem
  nop

return:
registersymbol(RapidFire)

[DISABLE]

RapidFire:
  db 89 79 24 48 8B D9

unregistersymbol(RapidFire)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: re4.exe+752510C

re4.exe+75250ED: CC                 - int 3 
re4.exe+75250EE: CC                 - int 3 
re4.exe+75250EF: CC                 - int 3 
re4.exe+75250F0: 48 89 5C 24 10     - mov [rsp+10],rbx
re4.exe+75250F5: 48 89 74 24 18     - mov [rsp+18],rsi
re4.exe+75250FA: 48 89 7C 24 20     - mov [rsp+20],rdi
re4.exe+75250FF: 41 56              - push r14
re4.exe+7525101: 48 83 EC 30        - sub rsp,30
re4.exe+7525105: 33 FF              - xor edi,edi
re4.exe+7525107: 0F 29 74 24 20     - movaps [rsp+20],xmm6
// ---------- INJECTING HERE ----------
re4.exe+752510C: 89 79 24           - mov [rcx+24],edi
// ---------- DONE INJECTING  ----------
re4.exe+752510F: 48 8B D9           - mov rbx,rcx
re4.exe+7525112: 8B 49 20           - mov ecx,[rcx+20]
re4.exe+7525115: 45 8B F0           - mov r14d,r8d
re4.exe+7525118: 85 C9              - test ecx,ecx
re4.exe+752511A: 74 53              - je re4.exe+752516F
re4.exe+752511C: 83 F9 01           - cmp ecx,01
re4.exe+752511F: 0F 85 9F 00 00 00  - jne re4.exe+75251C4
re4.exe+7525125: 39 7B 28           - cmp [rbx+28],edi
re4.exe+7525128: 0F 8E 96 00 00 00  - jng re4.exe+75251C4
re4.exe+752512E: 0F 57 F6           - xorps xmm6,xmm6
}

krustytoe
Expert Cheater
Posts: 68
Joined: Tue Sep 10, 2019 2:14 am
Reputation: 55

Re: Resident Evil 4 Remake

Post by krustytoe »

Thanks, Glowmoss and gir489, for the examples. I still have a lot to learn about scripting.

Glowmoss
Negan
Posts: 414
Joined: Sun Oct 17, 2021 10:14 pm
Reputation: 208

Re: Resident Evil 4 Remake

Post by Glowmoss »

gir489 wrote:
Tue Apr 25, 2023 2:37 am
Yeah that's true. If I was doing it I would probably either go from there or just change the jmp if that is the only instruction that checks it. Some people do things the harder way though lol. The reassemble at the very least stops the guy from always updating lol.

I haven't found much all that interesting, but I only looked that one time so far as I haven't been on it again yet. I will probably have another look over the weekend. The only stuff I was mainly looking at was stuff that didn't seem to actually have much to do with what they are called lol. I at least learned more about all the timers, as they have a fair few doing all sorts; there's even one to keep track of the demo timer that was left in the game, it's disabled by default though. I did come across the accuracy, death counter and dmg counter in there but I don't see much use in them myself lol. I came across the save hashing shit in there but that's above me. A lot of other stuff I found just didn't do anything at all.

gir489
RCE Fanatics
Posts: 662
Joined: Mon May 08, 2017 4:08 am
Reputation: 466

Re: Resident Evil 4 Remake

Post by gir489 »

Glowmoss wrote:
Tue Apr 25, 2023 9:40 am
I came across the save hashing shit in there but that's above me.
Originally I was going to attack the save loading function, but then I found unlock all challenges, and I didn't see a need to load unsigned saves anymore. It should be similar to other RE games in the past, you just need to figure out how it's grabbing the Steam64 ID from the account and then change it so it always loads. I was going to put a breakpoint on the Steam API to traverse how it was loaded, but lost interest.

Arkaides
What is cheating?
Posts: 3
Joined: Mon Apr 24, 2023 3:42 pm
Reputation: 0

Re: Resident Evil 4 Remake

Post by Arkaides »

gir489 wrote:
Mon Apr 24, 2023 5:02 pm
Arkaides wrote:
Mon Apr 24, 2023 4:20 pm
Very helpful table, thanks a lot for this!
Unfortunately the latest RE4R update broke some options (like 'Always get S+'), resulting in the game crashing...
Fake news.

Image
Not fake news, the issue seems to be more complex and occurs only after the latest RE4R update in combination with REFramework.

When REFramework is running in the background, the 'Remove protection' option in the CT can't be ticked anymore,
which seems to be the reason for the crashes further down the road in my case. (Can be verified by removing REFramework from the RE4R game files, which allows re-enabling the 'Remove Protection' option in the cheat table.)

Tested with most recent REFramework release:
[Link],

and RE4R Steam version with most recent update:

Arkaides
What is cheating?
Posts: 3
Joined: Mon Apr 24, 2023 3:42 pm
Reputation: 0

Re: Resident Evil 4 Remake

Post by Arkaides »

krustytoe wrote:
Mon Apr 24, 2023 4:23 pm
Arkaides wrote:
Mon Apr 24, 2023 4:20 pm
Very helpful table, thanks a lot for this!
Unfortunately the latest RE4R update broke some options (like 'Always get S+'), resulting in the game crashing...
Also, would it be possible to implement 'No grab / no hit' and/or 'Infinite vehicle health' (for e.g. mine cart, jetski) options?
All the tables I found in this thread already containing these options have been impacted by the new update as well :\
it changed a bit
Awesome, thanks a lot! Will check this out asap.

gir489
RCE Fanatics
Posts: 662
Joined: Mon May 08, 2017 4:08 am
Reputation: 466

Re: Resident Evil 4 Remake

Post by gir489 »

Arkaides wrote:
Tue Apr 25, 2023 2:12 pm
Blah blah blah gay goalpost moving crap.
Fake news.

Image

mi5hmash
Novice Cheater
Posts: 15
Joined: Sun Mar 05, 2023 12:05 pm
Reputation: 17

Re: Resident Evil 4 Remake

Post by mi5hmash »

gir489 wrote:
Tue Apr 25, 2023 1:37 pm
Glowmoss wrote:
Tue Apr 25, 2023 9:40 am
I came across the save hashing shit in there but that's above me.
Originally I was going to attack the save loading function, but then I found unlock all challenges, and I didn't see a need to load unsigned saves anymore. It should be similar to other RE games in the past, you just need to figure out how it's grabbing the Steam64 ID from the account and then change it so it always loads. I was going to put a breakpoint on the Steam API to traverse how it was loaded, but lost interest.
RE7 and RE8 use the "AutoStrong" encryption method which stores the Steam32 inside a SaveFile and then verifies it on load with the one grabbed from steamclient.dll. RE4 uses a new type of encryption called "Lime". Instead of asking steamAPI for the steamID every time it tries to load a game save, it stores the encrypted steamID in memory and retrieves it when needed. It also uses SteamID as part of the encryption key, so bypassing the Validate SteamID function like in the "AutoStrong" method is impossible.
Below is a table that lets you change the current encryption method.
You can choose between:
0:None
1:AutoStrong
2:XOR
3:BlowFish
4:Citrus
5:Lime
6:RdsModule

ATTENTION ALL NEWBIES!!! IT IS FOR THE RESEARCH PURPOSES ONLY. IT DOESN'T MAKE ANYTHING COOL AND IT CAN MAKE YOU LOSE YOUR PROGRESS. YOU HAVE BEEN WARNED!
Attachments
re4 - Save Service Info.CT
(15.52 KiB) Downloaded 223 times
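The design difference described in the post above, between comparing a stored account ID at load time and mixing the account ID into the key, can be shown with a small model. This is an added conceptual example, not the game's "AutoStrong" or "Lime" algorithms and not code from the poster: the toy SHA-256 keystream, the `APP_SECRET` value, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

APP_SECRET = b"constructed-demo-secret"  # assumed; stands in for a key shipped with the program

def _keystream(key, n):
    # Toy counter-mode keystream from SHA-256, for illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("<I", ctr)).digest()
        ctr += 1
    return out[:n]

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

# Scheme A: the owner ID is stored in the file and compared at load time.
def save_checked(payload, owner_id):
    return struct.pack("<I", owner_id) + _xor(payload, APP_SECRET)

def load_checked(blob, current_id, enforce_owner=True):
    stored_id = struct.unpack_from("<I", blob)[0]
    # The binding is this one comparison; enforce_owner=False models it being skipped.
    if enforce_owner and stored_id != current_id:
        raise PermissionError("save belongs to another account")
    return _xor(blob[4:], APP_SECRET)

# Scheme B: the owner ID is an input to key derivation; there is no comparison to skip.
def _bound_key(owner_id):
    return hmac.new(APP_SECRET, struct.pack("<Q", owner_id), hashlib.sha256).digest()

def save_bound(payload, owner_id):
    key = _bound_key(owner_id)
    body = _xor(payload, key)
    return hmac.new(key, body, hashlib.sha256).digest() + body

def load_bound(blob, current_id):
    key = _bound_key(current_id)
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key: save was sealed for a different account")
    return _xor(body, key)

def decrypt_without_tag_check(blob, current_id):
    # Even with the integrity check removed, a wrong ID yields a wrong key and garbage.
    return _xor(blob[32:], _bound_key(current_id))
```

In scheme A the payload key never depends on the account, so the comparison is the whole protection; in scheme B the account ID is needed to reproduce the key at all.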

gir489
RCE Fanatics
Posts: 662
Joined: Mon May 08, 2017 4:08 am
Reputation: 466

Re: Resident Evil 4 Remake

Post by gir489 »

mi5hmash wrote:
Tue Apr 25, 2023 6:29 pm
RE7 and RE8 use the "AutoStrong" encryption method which stores the Steam32 inside a SaveFile and then verifies it on load with the one grabbed from steamclient.dll. RE4 uses a new type of encryption called "Lime". Instead of asking steamAPI for the steamID every time it tries to load a game save, it stores the encrypted steamID in memory and retrieves it when needed. It also uses SteamID as part of the encryption key, so bypassing the Validate SteamID function like in the "AutoStrong" method is impossible.
Below is a table that lets you change the current encryption method.
You can choose between:
0:None
1:AutoStrong
2:XOR
3:BlowFish
4:Citrus
5:Lime
6:RdsModule

ATTENTION ALL NEWBIES!!! IT IS FOR THE RESEARCH PURPOSES ONLY. IT DOESN'T MAKE ANYTHING COOL AND IT CAN MAKE YOU LOSE YOUR PROGRESS. YOU HAVE BEEN WARNED!
This is really good stuff. Sucks they went schizo with the encryption now. RE6 just used to have the Steam64 ID written to the file at 0x10 to 0x18. I'm guessing forcing it to none doesn't do anything?

mi5hmash
Novice Cheater
Posts: 15
Joined: Sun Mar 05, 2023 12:05 pm
Reputation: 17

Re: Resident Evil 4 Remake

Post by mi5hmash »

gir489 wrote:
Tue Apr 25, 2023 6:49 pm
This is really good stuff. Sucks they went schizo with the encryption now. RE6 just used to have the Steam64 ID written to the file at 0x10 to 0x18. I'm guessing forcing it to none doesn't do anything?
If you are standing in front of a typewriter machine and change Encryption or Platform to 0:None, then it will save your savefile without encrypting it.
