Starfield

Upload your cheat tables here (No requests)
Re: Starfield

Post by GK133 »

aobscan 00 00 12 00 00 00 00 00 00 00 00 00 AF 43 00 00 00 00
power supernova's spell power
00 00 AF 43 is float 350

It may not be effective unless you have supernova X

Post by xylogeist »

Has anyone been able to locate a pointer for current player companion? I've scoured the player actor quite a bit, all I could find is a pointer for NPC currently being targeted by the player

Post by gir489 »

vosszaa wrote:
Thu Sep 21, 2023 9:01 pm
Is it possible to have all corpo exclusive ship parts in ship building mode instead of just "bays"?
Put this into your starfield directory. Open the console, click the NPC who works on your ship, type bat shipyardcheat then it should unlock all buyable items. The only thing it doesn't do is the space station parts, which you can add if you execute addkeyword 1d2072 against the NPC.
Attachment: shipyardcheat.txt

Post by gir489 »

Orisenza wrote:
Thu Sep 21, 2023 8:31 pm
Sigan wrote:
Tue Sep 12, 2023 11:20 am
Here's my contribution:
Infinite Auto-Slot (Lockpicking)
{ Game : Starfield.exe
Date : 2023-09-11
Author : Sigan
}

[ENABLE]

aobscanmodule(INJECT,Starfield.exe,C5 FA 5C C1 C5 FA 11 80 F0 0D 00 00) // should be unique
alloc(newmem,$1000,INJECT)

label(code)
label(return)

newmem:

code:
// vsubss xmm0,xmm0,xmm1
vmovss [rax+00000DF0],xmm0
jmp return

INJECT:
jmp newmem
nop 7
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
db C5 FA 5C C1 C5 FA 11 80 F0 0D 00 00

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: Starfield.exe+21A74B1

Starfield.exe+21A7484: 89 43 38 - mov [rbx+38],eax
Starfield.exe+21A7487: 48 8B 43 20 - mov rax,[rbx+20]
Starfield.exe+21A748B: B2 01 - mov dl,01
Starfield.exe+21A748D: 48 8D 4B 20 - lea rcx,[rbx+20]
Starfield.exe+21A7491: FF 50 48 - call qword ptr [rax+48]
Starfield.exe+21A7494: 48 8B 05 8D D8 3E 03 - mov rax,[Starfield.exe+5594D28]
Starfield.exe+21A749B: C5 FA 10 80 F0 0D 00 00 - vmovss xmm0,[rax+00000DF0]
Starfield.exe+21A74A3: C5 FA 10 0D 39 E4 D7 01 - vmovss xmm1,[Starfield.exe+3F258E4]
Starfield.exe+21A74AB: C5 F8 2F C1 - vcomiss xmm0,xmm1
Starfield.exe+21A74AF: 72 13 - jb Starfield.exe+21A74C4
// ---------- INJECTING HERE ----------
Starfield.exe+21A74B1: C5 FA 5C C1 - vsubss xmm0,xmm0,xmm1
// ---------- DONE INJECTING ----------
Starfield.exe+21A74B5: C5 FA 11 80 F0 0D 00 00 - vmovss [rax+00000DF0],xmm0
Starfield.exe+21A74BD: 48 8B 05 64 D8 3E 03 - mov rax,[Starfield.exe+5594D28]
Starfield.exe+21A74C4: C5 FA 10 B0 F0 0D 00 00 - vmovss xmm6,[rax+00000DF0]
Starfield.exe+21A74CC: 48 8B 5C 24 70 - mov rbx,[rsp+70]
Starfield.exe+21A74D1: 48 81 C3 A0 00 00 00 - add rbx,000000A0
Starfield.exe+21A74D8: 48 8B 4B 08 - mov rcx,[rbx+08]
Starfield.exe+21A74DC: 48 85 C9 - test rcx,rcx
Starfield.exe+21A74DF: 74 17 - je Starfield.exe+21A74F8
Starfield.exe+21A74E1: 48 8B 01 - mov rax,[rcx]
Starfield.exe+21A74E4: FF 50 30 - call qword ptr [rax+30]
}
How do I add this to a table?

Is there an ignore build materials for the outpost cheat yet? Ignore craft materials doesn't include base building stuff.
Here, this is my table that I've been using. Should have it already on it.
Attachment: Starfield.CT

Post by Shintomato »

Orisenza wrote:
Thu Sep 21, 2023 8:39 pm
Shintomato wrote:
Thu Sep 21, 2023 8:32 pm
Blueskadoo wrote:
Thu Sep 21, 2023 1:35 pm


No, I have only 50 mass in my backpack. I tried and checked everything, from gear to the mass of my inventory to perks. My standard oxygen level is lowered.
Have you tried closing cheat engine and restarting the game? That removes all cheats and resets stuff to normal, assuming a value didn't accidentally get changed.
Thanks for all the feedback, I tried this, yes. I even tried recreating the exact circumstances and turning on and off all options like inf. oxygen and so on. Then I tried playing around with helmets and suits... but nothing worked.
So I think certain conditions trigger the base value of oxygen to be changed.
Is there an option to rewrite those values somewhere? I tried finding it but my pc skills just ain't good enough.

Post by vosszaa »

gir489 wrote:
Thu Sep 21, 2023 10:43 pm
vosszaa wrote:
Thu Sep 21, 2023 9:01 pm
Is it possible to have all corpo exclusive ship parts in ship building mode instead of just "bays"?
Put this into your starfield directory. Open the console, click the NPC who works on your ship, type bat shipyardcheat then it should unlock all buyable items. The only thing it doesn't do is the space station parts, which you can add if you execute addkeyword 1d2072 against the NPC.
thanks!

Post by Blueskadoo »

Shintomato wrote:
Fri Sep 22, 2023 6:20 am
Thanks for all the feedback, I tried this, yes. I even tried recreating the exact circumstances and turning on and off all options like inf. oxygen and so on. Then I tried playing around with helmets and suits... but nothing worked.
So I think certain conditions trigger the base value of oxygen to be changed.
Is there an option to rewrite those values somewhere? I tried finding it but my pc skills just ain't good enough.
If you can't replicate it then it might be some weird interaction of the game with the cheats and just hope it won't happen again.
vosszaa wrote:
Thu Sep 21, 2023 9:01 pm
Is it possible to have all corpo exclusive ship parts in ship building mode instead of just "bays"?
Just remember that you need to be a certain level to unlock the other higher class parts. 60 is the max.

Post by Shintomato »

Blueskadoo wrote:
Fri Sep 22, 2023 11:17 am
Shintomato wrote:
Fri Sep 22, 2023 6:20 am
Thanks for all the feedback, I tried this, yes. I even tried recreating the exact circumstances and turning on and off all options like inf. oxygen and so on. Then I tried playing around with helmets and suits... but nothing worked.
So I think certain conditions trigger the base value of oxygen to be changed.
Is there an option to rewrite those values somewhere? I tried finding it but my pc skills just ain't good enough.
If you can't replicate it then it might be some weird interaction of the game with the cheats and just hope it won't happen again.
vosszaa wrote:
Thu Sep 21, 2023 9:01 pm
Is it possible to have all corpo exclusive ship parts in ship building mode instead of just "bays"?
Just remember that you need to be a certain level to unlock the other higher class parts. 60 is the max.
thanks for more follow up!
I have discovered the missing link. It seems to be connected to walking speed. Whenever I modify this number below the standard value, oxygen levels drop faster too. I think I modified it too high, but when I wanted to stop playing, I set it back to 1 (which I thought would be the base value but was not at all) and saved + exited the game. Afterwards my walking speed was automatically set back to its regular value but my oxygen levels were not.
I played around with it and now my oxygen levels are totally fine again. Super weird interaction.
Cheers for all the help and feedback though!

Post by gir489 »

I'm trying to reverse how contraband scans work and make them always succeed. So far, all I've managed to do is disable them, kind of. It will still complain you're carrying contraband, and you will still have to make an extraneous stop at a moon or something before landing. So, it's a real shit method of disabling the scan. It should just act like you're not carrying contraband, but the function that's checking if you have contraband is used for a ton of different things, the game basically checks if you have an item reference on the ship (or you) that is contraband.

Anyway, here's the script.

Code:

// Game Executable   : Starfield.exe
// Author            : gir489
// Executable Version: 1.7.29.0
// MD5 Signature     : 74B8EE179586633226FC7C7EFEDBCA73
// EXE Compile Date  : September 06, 2023 09:23 PM
// Script Date       : September 22, 2023 05:41 PM
[ENABLE]
aobscanmodule(aob_ContraBand,Starfield.exe,75 3F 48 8B 46 50)
registersymbol(aob_ContraBand)

aob_ContraBand:
  db EB

[DISABLE]
aob_ContraBand:
  db 75

unregistersymbol(aob_ContraBand)

{
// ORIGINAL CODE - INJECTION POINT: Starfield.exe+1CD0E04

Starfield.exe+1CD0DB4: 48 8B D0              - mov rdx,rax
Starfield.exe+1CD0DB7: 48 8B CF              - mov rcx,rdi
Starfield.exe+1CD0DBA: 4C 8B F8              - mov r15,rax
Starfield.exe+1CD0DBD: 44 8B 70 60           - mov r14d,[rax+60]
Starfield.exe+1CD0DC1: E8 CA FE FF FF        - call Starfield.exe+1CD0C90
Starfield.exe+1CD0DC6: 48 8B 15 DB 4D 8C 03  - mov rdx,[Starfield.exe+5595BA8]
Starfield.exe+1CD0DCD: 48 8D 4C 24 50        - lea rcx,[rsp+50]
Starfield.exe+1CD0DD2: 4C 8B C2              - mov r8,rdx
Starfield.exe+1CD0DD5: 45 33 C9              - xor r9d,r9d
Starfield.exe+1CD0DD8: 44 8B E0              - mov r12d,eax
Starfield.exe+1CD0DDB: E8 A4 CE F7 FF        - call Starfield.exe+1C4DC84
Starfield.exe+1CD0DE0: 48 8B 4F 40           - mov rcx,[rdi+40]
Starfield.exe+1CD0DE4: 48 8B 16              - mov rdx,[rsi]
Starfield.exe+1CD0DE7: 48 89 4C 24 68        - mov [rsp+68],rcx
Starfield.exe+1CD0DEC: 48 8B CE              - mov rcx,rsi
Starfield.exe+1CD0DEF: FF 92 20 03 00 00     - call qword ptr [rdx+00000320]
Starfield.exe+1CD0DF5: 48 8B C8              - mov rcx,rax
Starfield.exe+1CD0DF8: 48 8D 54 24 50        - lea rdx,[rsp+50]
Starfield.exe+1CD0DFD: E8 3A CC F7 FF        - call Starfield.exe+1C4DA3C
Starfield.exe+1CD0E02: 84 C0                 - test al,al
// ---------- INJECTING HERE ----------
Starfield.exe+1CD0E04: 75 3F                 - jne Starfield.exe+1CD0E45
// ---------- DONE INJECTING  ----------
Starfield.exe+1CD0E06: 48 8B 46 50           - mov rax,[rsi+50]
Starfield.exe+1CD0E0A: BA 04 00 00 00        - mov edx,00000004
Starfield.exe+1CD0E0F: 48 89 5C 24 40        - mov [rsp+40],rbx
Starfield.exe+1CD0E14: C5 F8 57 C0           - vxorps xmm0,xmm0,xmm0
Starfield.exe+1CD0E18: C5 FA 11 44 24 38     - vmovss [rsp+38],xmm0
Starfield.exe+1CD0E1E: C5 FA 11 44 24 30     - vmovss [rsp+30],xmm0
Starfield.exe+1CD0E24: 88 5C 24 28           - mov [rsp+28],bl
Starfield.exe+1CD0E28: 48 89 44 24 20        - mov [rsp+20],rax
Starfield.exe+1CD0E2D: 4C 8B 47 40           - mov r8,[rdi+40]
Starfield.exe+1CD0E31: 4C 8B CE              - mov r9,rsi
Starfield.exe+1CD0E34: 48 8B 0D 65 2E C2 03  - mov rcx,[Starfield.exe+58F3CA0]
Starfield.exe+1CD0E3B: E8 90 E9 FF FF        - call Starfield.exe+1CCF7D0
Starfield.exe+1CD0E40: E9 5A 01 00 00        - jmp Starfield.exe+1CD0F9F
Starfield.exe+1CD0E45: 45 85 F6              - test r14d,r14d
Starfield.exe+1CD0E48: 74 2A                 - je Starfield.exe+1CD0E74
Starfield.exe+1CD0E4A: 45 3B E6              - cmp r12d,r14d
Starfield.exe+1CD0E4D: 72 25                 - jb Starfield.exe+1CD0E74
Starfield.exe+1CD0E4F: 48 89 5C 24 40        - mov [rsp+40],rbx
Starfield.exe+1CD0E54: BA 06 00 00 00        - mov edx,00000006
Starfield.exe+1CD0E59: C5 F8 57 C0           - vxorps xmm0,xmm0,xmm0
}
I hope to make it better by just forcing the scan to always succeed. Or find a way to make it always think I'm not carrying contraband.
Last edited by gir489 on Sat Sep 23, 2023 4:27 am, edited 1 time in total.

Post by Zeppe »

Would be nice to get a script for survey/ fauna scans. Beta Marae I currently has a bugged fish you can't find.

Post by gir489 »

Zeppe wrote:
Fri Sep 22, 2023 10:48 pm
Would be nice to get a script for survey/ fauna scans. Beta Marae I currently has a bugged fish you can't find.
Kinda sus of all these people who say they can't find certain things. When you're in orbit around the planet, it tells you how many things out of X you've found in that sector. Takes like 5 seconds to traverse the entire sphere looking for the biome of what you need. I've scanned over 20 planets, never had a problem.

Post by gir489 »

Alright I've worked out the contraband scanning system. Here's the two scripts I had hoped for.

Always Succeed Contraband Scans

Code:

// Game Executable   : Starfield.exe
// Author            : gir489
// Executable Version: 1.7.29.0
// MD5 Signature     : 74B8EE179586633226FC7C7EFEDBCA73
// EXE Compile Date  : September 06, 2023 09:23 PM
// Script Date       : September 23, 2023 12:13 AM
[ENABLE]
aobscanmodule(aob_CheckContrabandStatus,Starfield.exe,48 89 5C 24 08 57 48 83 EC 30 83 64 24 50)
registersymbol(aob_CheckContrabandStatus)

aob_CheckContrabandStatus:
  mov rax, -5
  retn

[DISABLE]
aob_CheckContrabandStatus:
  db 48 89 5C 24 08 57 48 83 EC 30 83 64 24 50 00

unregistersymbol(aob_CheckContrabandStatus)

{
// ORIGINAL CODE - INJECTION POINT: Starfield.exe+2B3643C

Starfield.exe+2B363FF: 90                       - nop
Starfield.exe+2B36400: 45 33 C0                 - xor r8d,r8d
Starfield.exe+2B36403: 48 8B D0                 - mov rdx,rax
Starfield.exe+2B36406: 48 8B CB                 - mov rcx,rbx
Starfield.exe+2B36409: E8 06 66 D7 FF           - call Starfield.exe+28ACA14
Starfield.exe+2B3640E: 90                       - nop
Starfield.exe+2B3640F: 48 8D 4C 24 50           - lea rcx,[rsp+50]
Starfield.exe+2B36414: E8 33 12 8C FE           - call Starfield.exe+13F764C
Starfield.exe+2B36419: 90                       - nop
Starfield.exe+2B3641A: 48 8D 4C 24 38           - lea rcx,[rsp+38]
Starfield.exe+2B3641F: E8 D0 D6 73 FE           - call Starfield.exe+1273AF4
Starfield.exe+2B36424: 48 8B 9C 24 60 01 00 00  - mov rbx,[rsp+00000160]
Starfield.exe+2B3642C: 48 81 C4 30 01 00 00     - add rsp,00000130
Starfield.exe+2B36433: 41 5F                    - pop r15
Starfield.exe+2B36435: 41 5E                    - pop r14
Starfield.exe+2B36437: 5F                       - pop rdi
Starfield.exe+2B36438: 5E                       - pop rsi
Starfield.exe+2B36439: 5D                       - pop rbp
Starfield.exe+2B3643A: C3                       - ret
Starfield.exe+2B3643B: CC                       - int 3
// ---------- INJECTING HERE ----------
Starfield.exe+2B3643C: 48 89 5C 24 08           - mov [rsp+08],rbx
// ---------- DONE INJECTING  ----------
Starfield.exe+2B36441: 57                       - push rdi
Starfield.exe+2B36442: 48 83 EC 30              - sub rsp,30
Starfield.exe+2B36446: 83 64 24 50 00           - and dword ptr [rsp+50],00
Starfield.exe+2B3644B: 8A DA                    - mov bl,dl
Starfield.exe+2B3644D: C5 F8 29 74 24 20        - vmovaps [rsp+20],xmm6
Starfield.exe+2B36453: 48 8B F9                 - mov rdi,rcx
Starfield.exe+2B36456: E8 85 2D 00 00           - call Starfield.exe+2B391E0
Starfield.exe+2B3645B: 4C 8D 44 24 50           - lea r8,[rsp+50]
Starfield.exe+2B36460: 8A D3                    - mov dl,bl
Starfield.exe+2B36462: 48 8B CF                 - mov rcx,rdi
Starfield.exe+2B36465: C5 F8 28 F0              - vmovaps xmm6,xmm0
Starfield.exe+2B36469: E8 B6 2D 00 00           - call Starfield.exe+2B39224
Starfield.exe+2B3646E: 83 C8 FF                 - or eax,-01
Starfield.exe+2B36471: 83 7C 24 50 00           - cmp dword ptr [rsp+50],00
Starfield.exe+2B36476: 76 07                    - jna Starfield.exe+2B3647F
Starfield.exe+2B36478: B8 01 00 00 00           - mov eax,00000001
Starfield.exe+2B3647D: EB 13                    - jmp Starfield.exe+2B36492
Starfield.exe+2B3647F: C5 F8 2F 05 59 04 3F 01  - vcomiss xmm0,[Starfield.exe+3F268E0]
Starfield.exe+2B36487: 76 09                    - jna Starfield.exe+2B36492
Starfield.exe+2B36489: 33 C0                    - xor eax,eax
}
Disable Contraband Scans

Code:

// Game Executable   : Starfield.exe
// Author            : gir489
// Executable Version: 1.7.29.0
// MD5 Signature     : 74B8EE179586633226FC7C7EFEDBCA73
// EXE Compile Date  : September 06, 2023 09:23 PM
// Script Date       : September 23, 2023 12:21 AM
[ENABLE]
aobscanmodule(aob_CheckContrabandStatus,Starfield.exe,48 89 5C 24 08 57 48 83 EC 30 83 64 24 50)
registersymbol(aob_CheckContrabandStatus)

aob_CheckContrabandStatus:
  mov rax, -1
  retn

[DISABLE]
aob_CheckContrabandStatus:
  db 48 89 5C 24 08 57 48 83 EC 30 83 64 24 50 00

unregistersymbol(aob_CheckContrabandStatus)

{
// ORIGINAL CODE - INJECTION POINT: Starfield.exe+2B3643C

Starfield.exe+2B363FF: 90                       - nop
Starfield.exe+2B36400: 45 33 C0                 - xor r8d,r8d
Starfield.exe+2B36403: 48 8B D0                 - mov rdx,rax
Starfield.exe+2B36406: 48 8B CB                 - mov rcx,rbx
Starfield.exe+2B36409: E8 06 66 D7 FF           - call Starfield.exe+28ACA14
Starfield.exe+2B3640E: 90                       - nop
Starfield.exe+2B3640F: 48 8D 4C 24 50           - lea rcx,[rsp+50]
Starfield.exe+2B36414: E8 33 12 8C FE           - call Starfield.exe+13F764C
Starfield.exe+2B36419: 90                       - nop
Starfield.exe+2B3641A: 48 8D 4C 24 38           - lea rcx,[rsp+38]
Starfield.exe+2B3641F: E8 D0 D6 73 FE           - call Starfield.exe+1273AF4
Starfield.exe+2B36424: 48 8B 9C 24 60 01 00 00  - mov rbx,[rsp+00000160]
Starfield.exe+2B3642C: 48 81 C4 30 01 00 00     - add rsp,00000130
Starfield.exe+2B36433: 41 5F                    - pop r15
Starfield.exe+2B36435: 41 5E                    - pop r14
Starfield.exe+2B36437: 5F                       - pop rdi
Starfield.exe+2B36438: 5E                       - pop rsi
Starfield.exe+2B36439: 5D                       - pop rbp
Starfield.exe+2B3643A: C3                       - ret
Starfield.exe+2B3643B: CC                       - int 3
// ---------- INJECTING HERE ----------
Starfield.exe+2B3643C: 48 89 5C 24 08           - mov [rsp+08],rbx
// ---------- DONE INJECTING  ----------
Starfield.exe+2B36441: 57                       - push rdi
Starfield.exe+2B36442: 48 83 EC 30              - sub rsp,30
Starfield.exe+2B36446: 83 64 24 50 00           - and dword ptr [rsp+50],00
Starfield.exe+2B3644B: 8A DA                    - mov bl,dl
Starfield.exe+2B3644D: C5 F8 29 74 24 20        - vmovaps [rsp+20],xmm6
Starfield.exe+2B36453: 48 8B F9                 - mov rdi,rcx
Starfield.exe+2B36456: E8 85 2D 00 00           - call Starfield.exe+2B391E0
Starfield.exe+2B3645B: 4C 8D 44 24 50           - lea r8,[rsp+50]
Starfield.exe+2B36460: 8A D3                    - mov dl,bl
Starfield.exe+2B36462: 48 8B CF                 - mov rcx,rdi
Starfield.exe+2B36465: C5 F8 28 F0              - vmovaps xmm6,xmm0
Starfield.exe+2B36469: E8 B6 2D 00 00           - call Starfield.exe+2B39224
Starfield.exe+2B3646E: 83 C8 FF                 - or eax,-01
Starfield.exe+2B36471: 83 7C 24 50 00           - cmp dword ptr [rsp+50],00
Starfield.exe+2B36476: 76 07                    - jna Starfield.exe+2B3647F
Starfield.exe+2B36478: B8 01 00 00 00           - mov eax,00000001
Starfield.exe+2B3647D: EB 13                    - jmp Starfield.exe+2B36492
Starfield.exe+2B3647F: C5 F8 2F 05 59 04 3F 01  - vcomiss xmm0,[Starfield.exe+3F268E0]
Starfield.exe+2B36487: 76 09                    - jna Starfield.exe+2B36492
Starfield.exe+2B36489: 33 C0                    - xor eax,eax
}
Disable Contraband Scans I only tested while the ship had contraband, I don't know if it will still work if the player himself is holding contraband.
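
A consistency check for the scripts above, as an added example that is not part of the original post: it rebuilds the bytes from a window of the post's disassembly listing (embedded as constructed input), confirms that the aobscanmodule signature lands only on the injection point inside that window, and confirms that the [DISABLE] bytes reproduce the original prologue. The function names and the ?? wildcard handling are this example's own assumptions, and the window is far too small to say anything about uniqueness across the whole module.

```python
import re

# Constructed input: a window of lines copied from the "ORIGINAL CODE" listing
# in the post above (module offset, raw bytes, mnemonic).
LISTING = """\
Starfield.exe+2B36439: 5D                       - pop rbp
Starfield.exe+2B3643A: C3                       - ret
Starfield.exe+2B3643B: CC                       - int 3
Starfield.exe+2B3643C: 48 89 5C 24 08           - mov [rsp+08],rbx
Starfield.exe+2B36441: 57                       - push rdi
Starfield.exe+2B36442: 48 83 EC 30              - sub rsp,30
Starfield.exe+2B36446: 83 64 24 50 00           - and dword ptr [rsp+50],00
Starfield.exe+2B3644B: 8A DA                    - mov bl,dl
Starfield.exe+2B3644D: C5 F8 29 74 24 20        - vmovaps [rsp+20],xmm6
"""

# Values copied from the script in the post above.
SIGNATURE = "48 89 5C 24 08 57 48 83 EC 30 83 64 24 50"    # aobscanmodule pattern
RESTORE = "48 89 5C 24 08 57 48 83 EC 30 83 64 24 50 00"   # [DISABLE] db bytes
INJECTION_POINT = 0x2B3643C                                 # Starfield.exe+2B3643C

# "<module>+<hex offset>: <hex bytes> - <mnemonic>"
LINE_RE = re.compile(r"^\S+?\+([0-9A-Fa-f]+):\s+((?:[0-9A-Fa-f]{2}\s+)+)-\s+(.*)$")


def parse_listing(text):
    """Return [(offset, raw_bytes, mnemonic)]; comment and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return rows


def build_image(rows):
    """Concatenate the rows into one buffer, refusing gaps or overlaps."""
    base = rows[0][0]
    image = bytearray()
    for off, raw, _ in rows:
        if off != base + len(image):
            raise ValueError(f"listing not contiguous at +{off:X}")
        image += raw
    return base, bytes(image)


def parse_aob(pattern):
    """'48 ?? 5C' -> [0x48, None, 0x5C]; None stands for a wildcard byte."""
    return [None if set(tok) == {"?"} else int(tok, 16) for tok in pattern.split()]


def find_all(image, pattern):
    """Every index in image where the pattern matches."""
    n = len(pattern)
    return [i for i in range(len(image) - n + 1)
            if all(p is None or p == image[i + j] for j, p in enumerate(pattern))]


def check_script(listing, signature, restore, injection_point):
    """Cross-check a script's signature and restore bytes against its own listing."""
    rows = parse_listing(listing)
    base, image = build_image(rows)
    hits = [base + i for i in find_all(image, parse_aob(signature))]
    restore_bytes = bytes.fromhex(restore)
    start = injection_point - base
    end = start + len(restore_bytes)
    if start < 0 or end > len(image):
        raise ValueError("restore region falls outside the listing window")
    # Instructions that the restore region overlaps, in listing order.
    covered = [text for off, raw, text in rows
               if off < base + end and off + len(raw) > injection_point]
    return {
        "hits": hits,
        "unique_in_window": hits == [injection_point],
        "restore_matches_original": image[start:end] == restore_bytes,
        "instructions_covered": covered,
        # A restore that stops mid-instruction would leave a torn opcode behind.
        "ends_on_boundary": any(off + len(raw) == base + end for off, raw, _ in rows),
    }


if __name__ == "__main__":
    for key, value in check_script(LISTING, SIGNATURE, RESTORE, INJECTION_POINT).items():
        print(f"{key}: {value}")
```

A False for restore_matches_original or ends_on_boundary would mean that disabling the script leaves the function prologue different from the shipped bytes.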

Post by Zeppe »

gir489 wrote:
Fri Sep 22, 2023 11:46 pm
Zeppe wrote:
Fri Sep 22, 2023 10:48 pm
Would be nice to get a script for survey/ fauna scans. Beta Marae I currently has a bugged fish you can't find.
Kinda sus of all these people who say they can't find certain things. When you're in orbit around the planet, it tells you how many things out of X you've found in that sector. Takes like 5 seconds to traverse the entire sphere looking for the biome of what you need. I've scanned over 20 planets, never had a problem.
Beta Marae I is a known issue. It's missing a fish. No oceans on the planet, only wetlands. Wetlands all over the planet have many ponds, but the ponds are too shallow to spawn in the fish. Nothing "sus" about it.

Post by khuong »

gir489 wrote:
Sat Sep 23, 2023 4:27 am
Alright I've worked out the contraband scanning system. Here's the two scripts I had hoped for.

Very nice mate -- haven't tested but nice... How did you search for this?

Post by gir489 »

khuong wrote:
Sun Sep 24, 2023 3:53 am
how did you search for this?
I decompiled the contraband scanning script and figured out how it worked, then attacked it based on its logic.

This is the code it uses to determine what to do.

Code:

Int contrabandStatus = playerShipRef.CheckContrabandStatus(True)
If contrabandStatus < 0 && droppedContraband == False
  Self.HideContrabandScanWarning(False, True)
  SQ_GuardShipsScanStatus.SetValueInt(1)
ElseIf contrabandStatus > 0 || droppedContraband
  SQ_GuardShipsScanStatus.SetValueInt(0)
  Self.HideContrabandScanWarning(False, False)
  Self.SendSmugglingAlarm()
Else
  Bool scanStatus = SQ_Parent.SmugglingMinigame(playerShipRef, Ship01.GetShipRef())
  SQ_GuardShipsScanStatus.SetValueInt(scanStatus as Int)
  Self.HideContrabandScanWarning(False, scanStatus)
  If scanStatus
    
  Else
    Self.SendSmugglingAlarm()
  EndIf
EndIf
I figured that CheckContrabandStatus was a good attack vector. So, then I had to find it. What I did was look for CheckContrabandStatus as a string in IDA, which led me to this section of code:

Image

The NativeFunctionVSpaceShipRef shit is coming from the [Link] data, I have a plugin that scans the binary for it, and tries its best to reconstruct functions based on the virtual type inferences.

Just below it, you can see it load the address of the callback function that's used from the Papyrus engine, labeled here by IDA as sub_1428F7D60. This is just a trampoline function, not sure why the compiler did that? But anyway, it jumps to this function which I've properly labeled CheckContrabandStatus:

Image

The parameters are the thisptr of the reference it's being run against, and the boolean parameter we saw in the script. From here, it was just basic math to attack the game.

Because it checks if the contrabandStatus is < 0, I just returned a value (like -1) and it stopped the contraband scans altogether.

SQ_Parent has its own script, and I looked at SmugglingMinigame. SmugglingMinigame is really bog standard boilerplate code you'd expect, gets your chance to pass, generates a random number from 0 to 100, checks if you passed then returns accordingly.

Code:

Bool Function SmugglingMinigame(spaceshipreference playerShipRef, spaceshipreference scanningShipRef)
  Float realChance = Self.GetSmugglingChance(playerShipRef, scanningShipRef)
  Float dieRoll = Utility.RandomFloat(1.0, 100.0)
  Bool bSuccess = dieRoll <= realChance
  If bSuccess
    Game.AddAchievement(SmugglingAchievementID)
  EndIf
  Return bSuccess
EndFunction
However, GetSmugglingChance seems like they had some testing code left over? Or maybe they just knew people were going to hack it, or maybe they always scanned you but then later made it skip the scan if you weren't carrying contraband because it takes so long. IDK probably reading into it too much, but I don't see a legit scenario for why the contrabandStatus < 0 sets realChance to 100 when the ScanForContraband function that calls this already checks if CheckContrabandStatus is < 0.

Code:

Float Function GetSmugglingChance(spaceshipreference playerShipRef, spaceshipreference scanningShipRef)
  Int contrabandStatus = playerShipRef.CheckContrabandStatus(True)
  Float realChance = 0.0
  If contrabandStatus < 0
    realChance = 100.0
  ElseIf contrabandStatus > 0
    realChance = 0.0
  Else
    Float contrabandWeight = playerShipRef.GetContrabandWeight(False)
    Float contrabandWeightShip = playerShipRef.GetContrabandWeight(True)
    Float contrabandCapacity = playerShipRef.GetValue(CarryWeightShielded)
    Int playerSmugglingSkillValue = Math.Clamp(Game.GetPlayer().GetValueInt(PayloadLevel) as Float, 0.0, (PlayerSkillMults.Length - 1) as Float) as Int
    Float playerSmugglingSkillBonus = PlayerSkillMults[playerSmugglingSkillValue]
    Int playerScanJammerValue = Math.Clamp(playerShipRef.GetValueInt(SpaceshipScanJammer) as Float, 0.0, (ScanJammerMults.Length - 1) as Float) as Int
    Float playerScanJammerBonus = ScanJammerMults[playerScanJammerValue]
    Float scanningShipPerception = scanningShipRef.GetValue(Perception)
    Float targetSkillFactor = fSmugglingTargetSkillMult * scanningShipPerception
    Float contrabandWeightFactor = fSmugglingWeightMult * Math.pow(contrabandWeight, fSmugglingWeightPower) * contrabandWeight / contrabandCapacity
    Float baseChance = fSmugglingBaseChance + targetSkillFactor + contrabandWeightFactor
    realChance = baseChance * (1.0 + playerScanJammerBonus) * (1.0 + playerSmugglingSkillBonus)
    realChance = Math.Max(realChance, fSmugglingMinChance)
    realChance = Math.Min(realChance, fSmugglingMaxChance)
  EndIf
  Return realChance
EndFunction
That being said, I don't really know why this works. I didn't realize until just now that the function returns a float not an integer, and I'm basically returning a [Link]. I have no idea why it works with -1 to do what I want, but with -5 it fails the check in ScanForContraband but passes in GetSmugglingChance. Undefined behavior, I suppose.
