Starfield

Upload your cheat tables here (No requests)
khuong
Expert Cheater
Posts: 76
Joined: Sat Jan 08, 2022 5:18 pm
Reputation: 43

Re: Starfield

Post by khuong »

gir489 wrote:
Sun Sep 24, 2023 4:16 am
khuong wrote:
Sun Sep 24, 2023 3:53 am
how did you search for this?
I decompiled the contraband scanning script and figured out how it worked, then attacked it based on its logic.

This is the code it uses to determine what to do.

Code:

Int contrabandStatus = playerShipRef.CheckContrabandStatus(True)
If contrabandStatus < 0 && droppedContraband == False
  Self.HideContrabandScanWarning(False, True)
  SQ_GuardShipsScanStatus.SetValueInt(1)
ElseIf contrabandStatus > 0 || droppedContraband
  SQ_GuardShipsScanStatus.SetValueInt(0)
  Self.HideContrabandScanWarning(False, False)
  Self.SendSmugglingAlarm()
Else
  Bool scanStatus = SQ_Parent.SmugglingMinigame(playerShipRef, Ship01.GetShipRef())
  SQ_GuardShipsScanStatus.SetValueInt(scanStatus as Int)
  Self.HideContrabandScanWarning(False, scanStatus)
  If scanStatus
    
  Else
    Self.SendSmugglingAlarm()
  EndIf
EndIf
I figured that CheckContrabandStatus was a good attack vector. So, then I had to find it. What I did, was I looked for CheckContrabandStatus as a string in IDA. Which led me to this section of code:

Image

The NativeFunctionVSpaceShipRef shit is coming from the [Link] data, I have a plugin that scans the binary for it, and tries its best to reconstruct functions based on the virtual type inferences.

Just below it, you can see it load the address of the callback function that's used from the Papyrus engine, labeled here by IDA as sub_1428F7D60. This is just a trampoline function, not sure why the compiler did that? But anyway, it jumps to this function which I've properly labeled CheckContrabandStatus:

Image

The parameters are the thisptr of the reference it's being run against, and the boolean parameter we saw in the script. From here, it was just basic math to attack the game.

Because it checks if the contrabandStatus is < 0, I just returned a value (like -1) and it stopped the contraband scans altogether.

SQ_Parent has its own script, and I looked at SmugglingMinigame. SmugglingMinigame is really bog standard boilerplate code you'd expect, gets your chance to pass, generates a random number from 0 to 100, checks if you passed then returns accordingly.

Code:

Bool Function SmugglingMinigame(spaceshipreference playerShipRef, spaceshipreference scanningShipRef)
  Float realChance = Self.GetSmugglingChance(playerShipRef, scanningShipRef)
  Float dieRoll = Utility.RandomFloat(1.0, 100.0)
  Bool bSuccess = dieRoll <= realChance
  If bSuccess
    Game.AddAchievement(SmugglingAchievementID)
  EndIf
  Return bSuccess
EndFunction
However, GetSmugglingChance seems like they had some testing code left over? Or maybe they just knew people were going to hack it, or maybe they always scanned you but then later made it skip the scan if you weren't carrying contraband because it takes so long. IDK probably reading into it too much, but I don't see a legit scenario for why the contrabandStatus < 0 sets realChance to 100 when the ScanForContraband function that calls this already checks if CheckContrabandStatus is < 0.

Code:

Float Function GetSmugglingChance(spaceshipreference playerShipRef, spaceshipreference scanningShipRef)
  Int contrabandStatus = playerShipRef.CheckContrabandStatus(True)
  Float realChance = 0.0
  If contrabandStatus < 0
    realChance = 100.0
  ElseIf contrabandStatus > 0
    realChance = 0.0
  Else
    Float contrabandWeight = playerShipRef.GetContrabandWeight(False)
    Float contrabandWeightShip = playerShipRef.GetContrabandWeight(True)
    Float contrabandCapacity = playerShipRef.GetValue(CarryWeightShielded)
    Int playerSmugglingSkillValue = Math.Clamp(Game.GetPlayer().GetValueInt(PayloadLevel) as Float, 0.0, (PlayerSkillMults.Length - 1) as Float) as Int
    Float playerSmugglingSkillBonus = PlayerSkillMults[playerSmugglingSkillValue]
    Int playerScanJammerValue = Math.Clamp(playerShipRef.GetValueInt(SpaceshipScanJammer) as Float, 0.0, (ScanJammerMults.Length - 1) as Float) as Int
    Float playerScanJammerBonus = ScanJammerMults[playerScanJammerValue]
    Float scanningShipPerception = scanningShipRef.GetValue(Perception)
    Float targetSkillFactor = fSmugglingTargetSkillMult * scanningShipPerception
    Float contrabandWeightFactor = fSmugglingWeightMult * Math.pow(contrabandWeight, fSmugglingWeightPower) * contrabandWeight / contrabandCapacity
    Float baseChance = fSmugglingBaseChance + targetSkillFactor + contrabandWeightFactor
    realChance = baseChance * (1.0 + playerScanJammerBonus) * (1.0 + playerSmugglingSkillBonus)
    realChance = Math.Max(realChance, fSmugglingMinChance)
    realChance = Math.Min(realChance, fSmugglingMaxChance)
  EndIf
  Return realChance
EndFunction
That being said, I don't really know why this works. I didn't realize until just now that the function returns a float not an integer, and I'm basically returning a [Link]. I have no idea why it works with -1 to do what I want, but with -5 it fails the check in ScanForContraband but passes in GetSmugglingChance. Undefined behavior, I suppose.
I appreciate you breaking it down :) added to my brain.

gir489
RCE Fanatics
Posts: 801
Joined: Mon May 08, 2017 4:08 am
Reputation: 616

Re: Starfield

Post by gir489 »

khuong wrote:
Sun Sep 24, 2023 5:37 am
I appreciate you breaking it down :) added to my brain.
An investment in knowledge always pays the best interest.

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Starfield

Post by SunBeam »

gir489 wrote:
Sun Sep 24, 2023 4:16 am
...
I think there may be more than the 2 args you labeled for CheckContrabandStatus. If you look for references to the function, there's a CALL here:

Code:

00007FF75DB86EB7 | 74 49          | JE starfield.7FF75DB86F02             |
00007FF75DB86EB9 | 48:8365 CF 00  | AND QWORD PTR SS:[RBP-31],0           |
00007FF75DB86EBE | 48:8D4D C7     | LEA RCX,QWORD PTR SS:[RBP-39]         |  <<
00007FF75DB86EC2 | 48:8365 F7 00  | AND QWORD PTR SS:[RBP-9],0            |
00007FF75DB86EC7 | 33C0           | XOR EAX,EAX                           |
00007FF75DB86EC9 | 2145 2F        | AND DWORD PTR SS:[RBP+2F],EAX         |
00007FF75DB86ECC | 45:33C0        | XOR R8D,R8D                           |  <<
00007FF75DB86ECF | 48:2145 FF     | AND QWORD PTR SS:[RBP-1],RAX          |
00007FF75DB86ED3 | 48:6355 B7     | MOVSXD RDX,DWORD PTR SS:[RBP-49]      |  <<
00007FF75DB86ED7 | 4C:8B4D 77     | MOV R9,QWORD PTR SS:[RBP+77]          |  <<
00007FF75DB86EDB | C5F9EFC0       | VPXOR XMM0,XMM0,XMM0                  |
00007FF75DB86EDF | C5F1EFC9       | VPXOR XMM1,XMM1,XMM1                  |
00007FF75DB86EE3 | C5FA7F45 D7    | VMOVDQU XMMWORD PTR SS:[RBP-29],XMM0  |
00007FF75DB86EE8 | C5FA7F4D E7    | VMOVDQU XMMWORD PTR SS:[RBP-19],XMM1  |
00007FF75DB86EED | C5FC1145 07    | VMOVUPS YWORD PTR SS:[RBP+7],YMM0     |
00007FF75DB86EF2 | 48:8945 27     | MOV QWORD PTR SS:[RBP+27],RAX         |
00007FF75DB86EF6 | 48:895D C7     | MOV QWORD PTR SS:[RBP-39],RBX         |
00007FF75DB86EFA | C5F877         | VZEROUPPER                            |
00007FF75DB86EFD | E8 729AF9FF    | CALL starfield.7FF75DB20974           |   << CALL to CheckContrabandStatus
So you got: rcx (__this), rdx being set-up with an integer, r8 initialized as a null integer and r9 receiving a pointer. All that before the CALL at the bottom leading into your CheckContrabandStatus function. Also, inside the function, the return is MOV AL,1 indicating bool.

So, piece it all together:

Code:

public: bool __cdecl PlayerShipRef::CheckContrabandStatus(unsigned int, unsigned int = 0, class/struct *)
Since I wrote it PlayerShipRef::, then the args in the () start with rdx. But, from what I can tell, the game doesn't break on that function or the reference CALL when you enter a system that scans you for contraband. However, inner function calls to CheckContrabandStatus are called/used instead.

Other than that, good explanation ;) Keep it up!

kanepuntz
What is cheating?
Posts: 1
Joined: Mon Sep 25, 2023 11:59 am
Reputation: 0

Re: Starfield

Post by kanepuntz »

Strange, Free research is not working for me, do I still need materials for it? if I am understanding the option wrong.
[Link]
[Link]
Last edited by kanepuntz on Fri Dec 08, 2023 1:29 pm, edited 1 time in total.

AlbertHP
Cheater
Posts: 41
Joined: Sat Dec 25, 2021 5:55 am
Reputation: 0

Re: Starfield

Post by AlbertHP »

A quick question for Cheat Engine experts, is there a way to set it up so that every time cheat engine gets activated for a particular game, say Starfield, a certain number of cheats you want active would automatically activate without having to manually do it one by one?

This is especially useful if you have a game where you know that you're going to use a set of cheats every time you boot up the game.

gir489
RCE Fanatics
Posts: 801
Joined: Mon May 08, 2017 4:08 am
Reputation: 616

Re: Starfield

Post by gir489 »

SunBeam wrote:
Mon Sep 25, 2023 8:38 am
I think there may be more than the 2 args you labeled for CheckContrabandStatus. If you look for references to the function, there's a CALL here:

Code:

00007FF75DB86EB7 | 74 49          | JE starfield.7FF75DB86F02             |
00007FF75DB86EB9 | 48:8365 CF 00  | AND QWORD PTR SS:[RBP-31],0           |
00007FF75DB86EBE | 48:8D4D C7     | LEA RCX,QWORD PTR SS:[RBP-39]         |  <<
00007FF75DB86EC2 | 48:8365 F7 00  | AND QWORD PTR SS:[RBP-9],0            |
00007FF75DB86EC7 | 33C0           | XOR EAX,EAX                           |
00007FF75DB86EC9 | 2145 2F        | AND DWORD PTR SS:[RBP+2F],EAX         |
00007FF75DB86ECC | 45:33C0        | XOR R8D,R8D                           |  <<
00007FF75DB86ECF | 48:2145 FF     | AND QWORD PTR SS:[RBP-1],RAX          |
00007FF75DB86ED3 | 48:6355 B7     | MOVSXD RDX,DWORD PTR SS:[RBP-49]      |  <<
00007FF75DB86ED7 | 4C:8B4D 77     | MOV R9,QWORD PTR SS:[RBP+77]          |  <<
00007FF75DB86EDB | C5F9EFC0       | VPXOR XMM0,XMM0,XMM0                  |
00007FF75DB86EDF | C5F1EFC9       | VPXOR XMM1,XMM1,XMM1                  |
00007FF75DB86EE3 | C5FA7F45 D7    | VMOVDQU XMMWORD PTR SS:[RBP-29],XMM0  |
00007FF75DB86EE8 | C5FA7F4D E7    | VMOVDQU XMMWORD PTR SS:[RBP-19],XMM1  |
00007FF75DB86EED | C5FC1145 07    | VMOVUPS YWORD PTR SS:[RBP+7],YMM0     |
00007FF75DB86EF2 | 48:8945 27     | MOV QWORD PTR SS:[RBP+27],RAX         |
00007FF75DB86EF6 | 48:895D C7     | MOV QWORD PTR SS:[RBP-39],RBX         |
00007FF75DB86EFA | C5F877         | VZEROUPPER                            |
00007FF75DB86EFD | E8 729AF9FF    | CALL starfield.7FF75DB20974           |   << CALL to CheckContrabandStatus
So you got: rcx (__this), rdx being set-up with an integer, r8 initialized as a null integer and r9 receiving a pointer. All that before the CALL at the bottom leading into your CheckContrabandStatus function. Also, inside the function, the return is MOV AL,1 indicating bool.

So, piece it all together:

Code:

public: bool __cdecl PlayerShipRef::CheckContrabandStatus(unsigned int, unsigned int = 0, class/struct *)
Since I wrote it PlayerShipRef::, then the args in the () start with rdx. But, from what I can tell, the game doesn't break on that function or the reference CALL when you enter a system that scans you for contraband. However, inner function calls to CheckContrabandStatus are called/used instead.

Other than that, good explanation ;) Keep it up!
Not sure what those are, but here is an example of where it's called properly.

Code:

.text:0000000142260EB6                 mov     edi, 1 //Expected result.
.text:0000000142260EBB                 mov     dl, dil //Boolean Parameter
.text:0000000142260EBE                 mov     rcx, [rsp+40h] //thisptr
.text:0000000142260EC3                 call    CheckContrabandStatus //CALL
.text:0000000142260EC8                 test    sil, sil //TEST parent call's boolean parameter 
.text:0000000142260ECB                 jz      short loc_142260ED3
.text:0000000142260ECD                 cmp     eax, edi //Compare CheckContrabandStatus against expected result
EAX is the return parameter register for integers/floats. Keep in mind Papyrus is built on Game Framework from Gamebryo. All they were using was just C++ functions exposed as command functions that the SDK would compile into a batch script. The Papyrus function returns an int and takes a bool, it would stand to reason the function runner does the same.

EDIT: Just checked all my scripts against v1.7.33 signed September 17, 2023 07:41 AM, everything seems to still work.

EDIT: I fixed Always Succeed Contraband Scans always making it think you're carrying contraband, thus needing to be scanned when you are not carrying contraband.

Code:

// Game Executable   : Starfield.exe
// Author            : gir489
// Executable Version: 1.7.33.0
// MD5 Signature     : DA2EBEE8F6DB7B1844B4C39BAAF2D30D
// EXE Compile Date  : September 17, 2023 07:41 AM
// Script Date       : September 25, 2023 03:39 PM
[ENABLE]
aobscanmodule(aob_CheckContrabandStatus,Starfield.exe, B8 01 00 00 00 EB 13 * * * * 79)
registersymbol(aob_CheckContrabandStatus)

aob_CheckContrabandStatus:
  mov eax,-5

[DISABLE]
aob_CheckContrabandStatus:
  mov eax,1

unregistersymbol(aob_CheckContrabandStatus)

{
// ORIGINAL CODE - INJECTION POINT: Starfield.exe+2B39F58

Starfield.exe+2B39F18: 5E                       - pop rsi
Starfield.exe+2B39F19: 5D                       - pop rbp
Starfield.exe+2B39F1A: C3                       - ret
Starfield.exe+2B39F1B: CC                       - int 3
Starfield.exe+2B39F1C: 48 89 5C 24 08           - mov [rsp+08],rbx
Starfield.exe+2B39F21: 57                       - push rdi
Starfield.exe+2B39F22: 48 83 EC 30              - sub rsp,30
Starfield.exe+2B39F26: 83 64 24 50 00           - and dword ptr [rsp+50],00
Starfield.exe+2B39F2B: 8A DA                    - mov bl,dl
Starfield.exe+2B39F2D: C5 F8 29 74 24 20        - vmovaps [rsp+20],xmm6
Starfield.exe+2B39F33: 48 8B F9                 - mov rdi,rcx
Starfield.exe+2B39F36: E8 85 2D 00 00           - call Starfield.exe+2B3CCC0
Starfield.exe+2B39F3B: 4C 8D 44 24 50           - lea r8,[rsp+50]
Starfield.exe+2B39F40: 8A D3                    - mov dl,bl
Starfield.exe+2B39F42: 48 8B CF                 - mov rcx,rdi
Starfield.exe+2B39F45: C5 F8 28 F0              - vmovaps xmm6,xmm0
Starfield.exe+2B39F49: E8 B6 2D 00 00           - call Starfield.exe+2B3CD04
Starfield.exe+2B39F4E: 83 C8 FF                 - or eax,-01
Starfield.exe+2B39F51: 83 7C 24 50 00           - cmp dword ptr [rsp+50],00
Starfield.exe+2B39F56: 76 07                    - jna Starfield.exe+2B39F5F
// ---------- INJECTING HERE ----------
Starfield.exe+2B39F58: B8 01 00 00 00           - mov eax,00000001
// ---------- DONE INJECTING  ----------
Starfield.exe+2B39F5D: EB 13                    - jmp Starfield.exe+2B39F72
Starfield.exe+2B39F5F: C5 F8 2F 05 79 F9 3E 01  - vcomiss xmm0,[Starfield.exe+3F298E0]
Starfield.exe+2B39F67: 76 09                    - jna Starfield.exe+2B39F72
Starfield.exe+2B39F69: 33 C0                    - xor eax,eax
Starfield.exe+2B39F6B: C5 F8 2F F0              - vcomiss xmm6,xmm0
Starfield.exe+2B39F6F: 0F 92 C0                 - setb al
Starfield.exe+2B39F72: 48 8B 5C 24 40           - mov rbx,[rsp+40]
Starfield.exe+2B39F77: C5 F8 28 74 24 20        - vmovaps xmm6,[rsp+20]
Starfield.exe+2B39F7D: 48 83 C4 30              - add rsp,30
Starfield.exe+2B39F81: 5F                       - pop rdi
Starfield.exe+2B39F82: C3                       - ret
Starfield.exe+2B39F83: CC                       - int 3
Starfield.exe+2B39F84: 48 8B C4                 - mov rax,rsp
Starfield.exe+2B39F87: 48 89 68 10              - mov [rax+10],rbp
Starfield.exe+2B39F8B: 48 89 70 20              - mov [rax+20],rsi
Starfield.exe+2B39F8F: 57                       - push rdi
Starfield.exe+2B39F90: 41 56                    - push r14
Starfield.exe+2B39F92: 41 57                    - push r15
Starfield.exe+2B39F94: 48 83 EC 40              - sub rsp,40
Starfield.exe+2B39F98: C5 F8 29 70 D8           - vmovaps [rax-28],xmm6
}

aio_dubay
Noobzor
Posts: 14
Joined: Thu Dec 26, 2019 8:19 am
Reputation: 3

Re: Starfield

Post by aio_dubay »

AlbertHP wrote:
Mon Sep 25, 2023 12:25 pm
A quick question for Cheat Engine experts, is there a way to set it up so that every time cheat engine gets activated for a particular game, say Starfield, a certain number of cheats you want active would automatically activate without having to manually do it one by one?

This is especially useful if you have a game where you know that you're going to use a set of cheats every time you boot up the game.
Definitively not a CE expert, but perhaps you could give all the cheats you want the same hotkey and activating it once gameplay starts?
Or just move them all on top of the table and shift select them and toggle.

Sigan
Expert Cheater
Posts: 267
Joined: Fri May 26, 2017 1:23 am
Reputation: 125

Re: Starfield

Post by Sigan »

X-- Deleted --X
Last edited by Sigan on Thu Sep 28, 2023 5:45 pm, edited 2 times in total.

AlbertHP
Cheater
Posts: 41
Joined: Sat Dec 25, 2021 5:55 am
Reputation: 0

Re: Starfield

Post by AlbertHP »

aio_dubay wrote:
Tue Sep 26, 2023 4:10 pm
Definitively not a CE expert, but perhaps you could give all the cheats you want the same hotkey and activating it once gameplay starts?
Or just move them all on top of the table and shift select them and toggle.
Yes, assigning multiple cheats to the same hotkey was what I have been doing so far. It's not that big of a bother, I was just curious if there was such a feature. Thanks for the suggestions.

AlbertHP
Cheater
Posts: 41
Joined: Sat Dec 25, 2021 5:55 am
Reputation: 0

Re: Starfield

Post by AlbertHP »

Sigan wrote:
Tue Sep 26, 2023 6:16 pm
I'm uploading my version of three cheat tables cobbled together, with auto activation of a list of scripts upon activating the table. The way it's done is through headers.

Create Header -> Right Click on Header -> Group Config -> Activating this entry activates its children

It's recommended to simply accept Akira's request, toggle dark mode, and click Activate when you have Starfield running.

Hopefully I've given credit to all parties as due. Feel free to call out any that aren't labeled properly. This is just an example to help demonstrate the answer to this particular question - not me trying to take credit for any of the scripts involved.

This is how I've color coded my personal table. It looks pretty cool in Akira's dark mode, but it may be an assault on the visual senses of some. Please don't hold it against me. And, this is generally how I color code things in every table I post. In this table, headers may work a bit differently than they do in some of my previously posted tables, for other games. In this one, some of them both activate and deactivate their children based on whether they, themselves, are activated or deactivated. This can be changed through the right clicking them, and messing with the Group Config options.
Table Color Code
Pink: Header - This is what sets up auto-activation of a list of scripts, all at once.
Purple: Hook - This does nothing by itself, but it populates pointers and may set Green variables
Light Blue: Scripts - These prevent math from being done (no longer subtract health, for instance), or do something else. They are independent scripts that change the game in some way, but don't affect anything other than what they're titled to affect.
Green: Variables - These are created by Hooks and Scripts. They don't exist within the game code, and are created by the script to which they belong.
Blue: Pointers - These are addresses (static or dynamic) to values on which the game relies. Changing their values should see an immediate difference in the game, regardless of whether the script or hook they belong to is turned on or off, once the script has populated them. Though, if the script is deactivated, they may not be updated and so, it's best to leave their script activated if they're frozen or you plan on adjusting them directly.
Orange: Old/Outdated/Need Update - If you mess with these, it could cause permanent damage to your save. If it's something you know how to update, feel free to chip in!
Grey: Base Pointer/Info - This is only for reference. Do not adjust.


Thanks, I'll check this out

Akira
Table Makers
Posts: 1292
Joined: Fri May 24, 2019 2:04 am
Reputation: 1717

Re: Starfield

Post by Akira »

Sigan wrote:
Tue Sep 26, 2023 6:16 pm
I'm uploading my version of three cheat tables cobbled together, with auto activation of a list of scripts upon activating the table.
Please remove my stuff from your table and maybe read things before copying & re-uploading code.
And always ask ppl for permission unless they clearly stated that you're free to use their work.
Akira wrote:
Fri Sep 01, 2023 1:22 pm
If you want to share the table then share the link to this post but do not upload this table anywhere else.

Blueskadoo
Expert Cheater
Posts: 51
Joined: Sun Jul 23, 2023 12:50 pm
Reputation: 25

Re: Starfield

Post by Blueskadoo »

I just noticed that some of the ship parts are still locked behind level requirements. Specifically the turret variants.

BubbaJubbs
Noobzor
Posts: 11
Joined: Sun May 28, 2023 3:22 pm
Reputation: 0

Re: Starfield

Post by BubbaJubbs »

Does anyone by chance know if it's possible to use the cheat table with the PC game pass version of Starfield?

Sigan
Expert Cheater
Posts: 267
Joined: Fri May 26, 2017 1:23 am
Reputation: 125

Re: Starfield

Post by Sigan »

Akira wrote:
Wed Sep 27, 2023 10:01 am
Sigan wrote:
Tue Sep 26, 2023 6:16 pm
I'm uploading my version of three cheat tables cobbled together, with auto activation of a list of scripts upon activating the table.
Please remove my stuff from your table and maybe read things before copying & re-uploading code.
And always ask ppl for permission unless they clearly stated that you're free to use their work.
Akira wrote:
Fri Sep 01, 2023 1:22 pm
If you want to share the table then share the link to this post but do not upload this table anywhere else.
Yeah, alright... I've never run into the problem before, and it was only for an illustration. But, the entire table has been removed. Hopefully it was explained well enough, and hopefully the harm done was limited. No harm meant.

gir489
RCE Fanatics
Posts: 801
Joined: Mon May 08, 2017 4:08 am
Reputation: 616

Re: Starfield

Post by gir489 »

Had a weird scenario with Always Succeed Contraband Scan where I was carrying something in the cargo bay, but it thought I was within the limit, but still scanned me anyway, so I made the 0 scenario return -5 too.

Code:

// Game Executable   : Starfield.exe
// Author            : gir489
// Executable Version: 1.7.33.0
// MD5 Signature     : DA2EBEE8F6DB7B1844B4C39BAAF2D30D
// EXE Compile Date  : September 17, 2023 07:41 AM
// Script Date       : September 25, 2023 03:39 PM
[ENABLE]
aobscanmodule(aob_CheckContrabandStatus,Starfield.exe, B8 01 00 00 00 EB 13 * * * * 79)
registersymbol(aob_CheckContrabandStatus)

aob_CheckContrabandStatus:
  mov eax,-5

aob_CheckContrabandStatus+11:
  mov eax,-5
  nop 4

[DISABLE]
aob_CheckContrabandStatus:
  mov eax,1

aob_CheckContrabandStatus+11:
  db 33 C0 C5 F8 2F F0 0F 92 C0

unregistersymbol(aob_CheckContrabandStatus)

{
// ORIGINAL CODE - INJECTION POINT: Starfield.exe+2B39F58

Starfield.exe+2B39F18: 5E                       - pop rsi
Starfield.exe+2B39F19: 5D                       - pop rbp
Starfield.exe+2B39F1A: C3                       - ret
Starfield.exe+2B39F1B: CC                       - int 3
Starfield.exe+2B39F1C: 48 89 5C 24 08           - mov [rsp+08],rbx
Starfield.exe+2B39F21: 57                       - push rdi
Starfield.exe+2B39F22: 48 83 EC 30              - sub rsp,30
Starfield.exe+2B39F26: 83 64 24 50 00           - and dword ptr [rsp+50],00
Starfield.exe+2B39F2B: 8A DA                    - mov bl,dl
Starfield.exe+2B39F2D: C5 F8 29 74 24 20        - vmovaps [rsp+20],xmm6
Starfield.exe+2B39F33: 48 8B F9                 - mov rdi,rcx
Starfield.exe+2B39F36: E8 85 2D 00 00           - call Starfield.exe+2B3CCC0
Starfield.exe+2B39F3B: 4C 8D 44 24 50           - lea r8,[rsp+50]
Starfield.exe+2B39F40: 8A D3                    - mov dl,bl
Starfield.exe+2B39F42: 48 8B CF                 - mov rcx,rdi
Starfield.exe+2B39F45: C5 F8 28 F0              - vmovaps xmm6,xmm0
Starfield.exe+2B39F49: E8 B6 2D 00 00           - call Starfield.exe+2B3CD04
Starfield.exe+2B39F4E: 83 C8 FF                 - or eax,-01
Starfield.exe+2B39F51: 83 7C 24 50 00           - cmp dword ptr [rsp+50],00
Starfield.exe+2B39F56: 76 07                    - jna Starfield.exe+2B39F5F
// ---------- INJECTING HERE ----------
Starfield.exe+2B39F58: B8 01 00 00 00           - mov eax,00000001
// ---------- DONE INJECTING  ----------
Starfield.exe+2B39F5D: EB 13                    - jmp Starfield.exe+2B39F72
Starfield.exe+2B39F5F: C5 F8 2F 05 79 F9 3E 01  - vcomiss xmm0,[Starfield.exe+3F298E0]
Starfield.exe+2B39F67: 76 09                    - jna Starfield.exe+2B39F72
Starfield.exe+2B39F69: 33 C0                    - xor eax,eax
Starfield.exe+2B39F6B: C5 F8 2F F0              - vcomiss xmm6,xmm0
Starfield.exe+2B39F6F: 0F 92 C0                 - setb al
Starfield.exe+2B39F72: 48 8B 5C 24 40           - mov rbx,[rsp+40]
Starfield.exe+2B39F77: C5 F8 28 74 24 20        - vmovaps xmm6,[rsp+20]
Starfield.exe+2B39F7D: 48 83 C4 30              - add rsp,30
Starfield.exe+2B39F81: 5F                       - pop rdi
Starfield.exe+2B39F82: C3                       - ret
Starfield.exe+2B39F83: CC                       - int 3
Starfield.exe+2B39F84: 48 8B C4                 - mov rax,rsp
Starfield.exe+2B39F87: 48 89 68 10              - mov [rax+10],rbp
Starfield.exe+2B39F8B: 48 89 70 20              - mov [rax+20],rsi
Starfield.exe+2B39F8F: 57                       - push rdi
Starfield.exe+2B39F90: 41 56                    - push r14
Starfield.exe+2B39F92: 41 57                    - push r15
Starfield.exe+2B39F94: 48 83 EC 40              - sub rsp,40
Starfield.exe+2B39F98: C5 F8 29 70 D8           - vmovaps [rax-28],xmm6
}
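
The signature and the `+11` offset used in the scripts above can be checked against the posted listing. This is an added example, not code from any post in the thread: the function names are invented for illustration, and the bytes are copied from the "ORIGINAL CODE" listing on this page. It shows that the pattern matches exactly once in the excerpt, and that `+11` only lands on the nine bytes the [DISABLE] section restores when read as hex.

```python
# Added example (not from the thread): verify an AOB signature and its patch
# offsets against the disassembly listing posted above.

# (RVA, bytes) pairs copied from the "ORIGINAL CODE" listing for
# Starfield.exe 1.7.33.0; only the span around the injection point is used.
LISTING = [
    (0x2B39F4E, "83 C8 FF"),                 # or eax,-01
    (0x2B39F51, "83 7C 24 50 00"),           # cmp dword ptr [rsp+50],00
    (0x2B39F56, "76 07"),                    # jna +2B39F5F
    (0x2B39F58, "B8 01 00 00 00"),           # mov eax,00000001
    (0x2B39F5D, "EB 13"),                    # jmp +2B39F72
    (0x2B39F5F, "C5 F8 2F 05 79 F9 3E 01"),  # vcomiss xmm0,[...]
    (0x2B39F67, "76 09"),                    # jna +2B39F72
    (0x2B39F69, "33 C0"),                    # xor eax,eax
    (0x2B39F6B, "C5 F8 2F F0"),              # vcomiss xmm6,xmm0
    (0x2B39F6F, "0F 92 C0"),                 # setb al
    (0x2B39F72, "48 8B 5C 24 40"),           # mov rbx,[rsp+40]
    (0x2B39F77, "C5 F8 28 74 24 20"),        # vmovaps xmm6,[rsp+20]
    (0x2B39F7D, "48 83 C4 30"),              # add rsp,30
    (0x2B39F81, "5F"),                       # pop rdi
    (0x2B39F82, "C3"),                       # ret
]
SIGNATURE = "B8 01 00 00 00 EB 13 * * * * 79"   # from the aobscanmodule line
RESTORE_AT_11 = bytes.fromhex("33 C0 C5 F8 2F F0 0F 92 C0")  # [DISABLE] db line


def build_image(listing):
    """Concatenate the listing into one buffer, rejecting gaps or overlaps."""
    base, blob = listing[0][0], bytearray()
    for rva, hexbytes in listing:
        if rva != base + len(blob):
            raise ValueError(f"listing is not contiguous at {rva:#x}")
        blob += bytes.fromhex(hexbytes)
    return base, bytes(blob)


def parse_aob(signature):
    """'B8 01 * 79' -> [0xB8, 0x01, None, 0x79]; None matches any byte."""
    return [None if tok in ("*", "?", "??") else int(tok, 16)
            for tok in signature.split()]


def scan(data, pattern):
    """Return every offset in data where the wildcard pattern matches."""
    last = len(data) - len(pattern)
    return [i for i in range(last + 1)
            if all(p is None or data[i + j] == p for j, p in enumerate(pattern))]


def check_patch(listing, signature, rel_offset, original):
    """Check one patch site: unique anchor, expected bytes, whole instructions."""
    base, data = build_image(listing)
    hits = scan(data, parse_aob(signature))
    if len(hits) != 1:  # ambiguous or missing anchor: nothing can be concluded
        return {"unique": False, "hits": len(hits)}
    start = hits[0] + rel_offset
    end = start + len(original)
    boundaries = {rva - base for rva, _ in listing} | {len(data)}
    return {
        "unique": True,
        "rva": base + start,
        "original_matches": data[start:end] == original,
        "whole_instructions": start in boundaries and end in boundaries,
    }


if __name__ == "__main__":
    # Cheat Engine's auto assembler reads "+11" as hex (0x11 = 17 bytes).
    for label, off in (("+0", 0), ("+0x11", 0x11), ("+11 decimal", 11)):
        orig = bytes.fromhex("B8 01 00 00 00") if off == 0 else RESTORE_AT_11
        print(label, check_patch(LISTING, SIGNATURE, off, orig))
```

Uniqueness is only established within this excerpt, not across the whole module.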
