Checking the forums, there are a few good ones I came up with that have yet to be released! So I'm uploading them.
I'm really glad most games are releasing as x64 versions now! 64-bit assembler has grown on me considerably and I like that it has caught on a good amount now! RAX > EAX
Like "Instantly Complete Warmap Operations" for example
Everyone has found the display timer that counts down in seconds, right? But did you realize that setting the system clock forward advances time in the game? If so, then you probably thought to debug some Windows APIs that get the time from the system clock! time64 is what I eventually came to, which is called by the area of code that checks whether or not the time has elapsed on your warmap operation(s).
Code:
//Dragon Age: Inquisition
//Instantly Complete Map Operations
//Steve Andrew
//Found it by debugging kernel32.GetSystemTimeAsFileTime
//Which led me to MSVCR110.time64, which is called by the game here
//and compared against all active warmap operations
[enable]
DragonAgeInquisition.IsGameRuntime+6b3a1b:
jmp short +8 //skip the compare and go straight to the operation done code
[disable]
DragonAgeInquisition.IsGameRuntime+6b3a1b:
cmp [r15+10],rax
How about "Infinite Ability Points Pro", which is the pro version because it is actually the code which determines whether or not you can spend an ability point, and not a shared write address which also writes to the ability point and other attribute display values (which causes the ability points cheat not to work, and has other adverse side effects).
Code:
//Dragon Age: Inquisition
//Infinite Ability Points Pro (Have at least 1 point and you can unlock all)
//Steve Andrew
//NOTE: Don't use "auto level up"; only works on manual level up/apply
[enable]
alloc(InfiniteAbilityPointsPro,1024)
registersymbol(InfiniteAbilityPointsPro)
InfiniteAbilityPointsPro:
readmem(DragonAgeInquisition.IsGameRuntime+67d788,2)
DragonAgeInquisition.IsGameRuntime+67d788:
jmp short +0c
[disable]
DragonAgeInquisition.IsGameRuntime+67d788:
readmem(InfiniteAbilityPointsPro,2)
unregistersymbol(InfiniteAbilityPointsPro)
Or maybe one of my signature cheats, but done a little differently this time, old school Zelda:OOT style! Instead of player fly: "Moon Jump"
Code:
//Dragon Age: Inquisition
//Moon Jump (Press and hold Space/Jump to Moon Jump, release to float down slowly,
//then finally left mouse click to disengage and drop to the ground)
//Steve Andrew
[enable]
alloc(MoonJump,1024,DragonAgeInquisition.IsGameRuntime+fd1425)
label(MoonJumpRet)
label(JumpNotHeld)
label(NoMoonJump)
label(NullifyGravity)
label(GravityRet)
label(SkipNullification)
label(Nullify)
label(NotFalling)
label(JumpButtonHeldCheckThread)
label(JumpButtonHeldCheck)
label(ButtonCurrentlyHeld)
label(ExitJumpButtonThread)
label(MoonJumpEngaged)
label(JumpSpeed)
label(FallSpeed)
label(PlayerCharacterZPointer)
label(CurrentZ)
label(Falling)
label(JumpButtonHeld)
label(JumpButtonThreadExit)
registersymbol(JumpSpeed)
registersymbol(JumpButtonThreadExit)
createthread(JumpButtonHeldCheckThread)
MoonJump:
cmp rbx,1
jne NoMoonJump
cmp dword [JumpButtonHeld],1
jne JumpNotHeld
cmp dword [CurrentZ+4],1
je @f
push rbx
mov [PlayerCharacterZPointer],rax
movss xmm4,[rax+4]
movss [CurrentZ],xmm4
mov ebx,1
mov [CurrentZ+4],ebx
mov [MoonJumpEngaged],ebx
pop rbx
@@: //Fly upwards at 'JumpSpeed'
movss xmm4,[CurrentZ]
addss xmm4,[JumpSpeed]
movss [CurrentZ],xmm4
movss [rax+4],xmm4
movaps xmm0,[rax]
movaps xmm4,[rbp+70]
jmp MoonJumpRet
JumpNotHeld:
mov dword [Falling],1
NoMoonJump:
movaps xmm0,[rax]
movaps xmm4,[rbp+70]
jmp MoonJumpRet
NullifyGravity:
push rax
lea rax,[rcx+120]
cmp [PlayerCharacterZPointer],rax
je Nullify
SkipNullification:
movaps [rcx+120],xmm0
pop rax
jmp GravityRet
Nullify:
cmp dword [MoonJumpEngaged],0
je SkipNullification
cmp dword [Falling],1
jne NotFalling
//Fall at a slower rate until moon jump disengaged with left mouse click
movss xmm2,[CurrentZ]
subss xmm2,[FallSpeed]
movss [CurrentZ],xmm2
NotFalling:
movaps [rcx+120],xmm0
mov eax,[CurrentZ]
mov [rcx+124],eax
pop rax
jmp GravityRet
JumpButtonHeldCheckThread:
push rbp
mov rbp,rsp
and rsp,fffffff0
sub rsp,50
JumpButtonHeldCheck:
mov rcx,0a
call kernel32.Sleep
cmp dword [JumpButtonThreadExit],1
je ExitJumpButtonThread
mov rcx,1 //Left Mouse
call user32.GetAsyncKeyState
test ax,ax
je @f
xor rdx,rdx
mov [MoonJumpEngaged],edx
@@:
mov rcx,20 //Space
call user32.GetAsyncKeyState
test ax,ax
jne ButtonCurrentlyHeld
xor rdx,rdx
mov [JumpButtonHeld],edx
mov [CurrentZ+4],edx
jmp JumpButtonHeldCheck
ButtonCurrentlyHeld:
mov edx,1
mov [JumpButtonHeld],edx
jmp JumpButtonHeldCheck
ExitJumpButtonThread:
mov rsp,rbp
pop rbp
ret
MoonJumpEngaged:
dd 0
JumpSpeed:
dd (float)0.1570796371
FallSpeed:
dd (float)0.01570796408
PlayerCharacterZPointer:
dq 0
CurrentZ:
dd 0 0
Falling:
dd 0
JumpButtonHeld:
dd 0
JumpButtonThreadExit:
dd 0
DragonAgeInquisition.IsGameRuntime+fd1425:
jmp MoonJump
db 90 90
MoonJumpRet:
DragonAgeInquisition.exe+44ee5d5:
jmp NullifyGravity
db 90 90
GravityRet:
[disable]
DragonAgeInquisition.IsGameRuntime+fd1425:
movaps xmm0,[rax]
movaps xmm4,[rbp+70]
DragonAgeInquisition.exe+44ee5d5:
movaps [rcx+120],xmm0
JumpButtonThreadExit:
dd 1
unregistersymbol(JumpSpeed)
unregistersymbol(JumpButtonThreadExit)
{ Cheat Info }
1. Infinite Health (Player & Party) [float]
Uses the pointer at [structure+28] to determine if it's a player/party member's health being written to, or an enemy's health.
If it's the player/party, the pointer points to another structure, which is offset slightly if it's an enemy.
"mov rcx,[rbx+28]
test rcx,rcx
je NotPlayer
cmp word [rcx+32],'PE' //'PE' as part of a string kPE is present at offset 32 only if it's a player or party member
jne NotPlayer"
2. Infinite Stamina/Mana + Focus [float]
Same method used to determine if it's a player or party member's stamina, mana or focus being accessed (an access address was hooked rather than a write address)
Basically required for Instant Cooldowns to be fully effective, and it's fun to mass create fade rifts / mark of the fade rifts where only 1 at a time is possible through normal play
3. Instant Cooldowns [float, counts upward] [+4 == finish cooldown time]
All special abilities cooldown instantly! Again best used with Infinite Mana/Stamina + Focus for maximum effect!
4. Instantly Complete Warmap Operations [8 byte, set once upon operation start] e.g. it computes current_time+operation_time and then stores it
This one was a couple of days in the making. On the first day I only found the display timer in seconds remaining, and debugging it trying to find where it was getting its value from was unsuccessful, so I found other cheats instead. On day two I tried, just for the hell of it, adjusting the system clock and to my surprise that actually worked. From there I just had to find how it was getting the system clock's time and debug it to find the piece of code which can end warmap operations early! It was finally fruitful.
5. Infinite Potions Pro [byte] [+1 == max potions of type]
Back traced up one level and hooked an address which only ever has potion/grenade potion addresses pointed to by rax (if it's non-null), so you can be sure only potions are affected by this cheat. It writes the full potion amount BEFORE the code which executes immediately after reducing the amount, so it will always look like you have [max potions - 1] upon using them. No big deal, because at least we're only writing to potions here...
6. Infinite Ability Points Pro [float]
Allows you to upgrade everything as long as you have at least 1 point for the character you're upgrading with it enabled, and as long as you don't use "auto level up".
7. Infinite Crafting Materials
Works when crafting! Have at least enough of [whatever material] to craft your item, and you'll get 99 / max of all crafting materials used to craft the item in their respective slots... Ex. craft an item with 2 dragon bones and 2 bear hides, get the crafted item along with 99 dragon bones and 99 bear hides left.
8. Infinite Gold (Upon Selling An Item)
I was too lazy to filter this one out, but only because I only ever needed to use it once. Plus, as long as you're in a shop, the code which is hooked only writes to your gold value, so it's completely safe to use as long as you're in a shop: just sell an item, get infinite gold, then disable it and not need to use it again for the rest of the game! lol
9. Moon Jump (Hold space, release, then left mouse click to drop)
As I couldn't find the key to the Grand Balcony, that's when I made this one! With it enabled you press space/jump to fly upward! Release space/jump and instead of dropping instantly (how I had it originally) you will glide slowly down, until you left click your mouse, which will finally drop you! I did this because sometimes getting high where you're not supposed to be causes the parts of the map below you to "unload", and then if you drop you fall right through objects on the map. By allowing a slowed descent, you allow the parts of the map that disappeared to reload into the game so you can safely land on them.
10. Infinite Power & Inquisition Perks
Sets Power and Perks to 999 upon getting some power or perk points.
11. Manual Upgrade Influence
Reveals the pointer to your influence after you receive some influence points, which you can modify yourself to your liking.
Power, Perks, and Influence were filtered using a simple return address check, which allowed me to filter out those three values independent from others that passed through this area.
Alright, that's all for now! I'll convert them to aobscan as well, since these are for version 1.0 of the game.
Enjoy
-----
Alright, well don't fret! You're going to get to the correct address from scratch!
I made a lua script to automatically find the correct address, and an autoassembler script that will find the right address as well!
Using the lua script video: (Sorry about the low quality, the site compressed it heavily but you can still see what I did!)
[Link]
1. Attach to the game
2. Go to the war room where the war map exists and either start an operation or be ready to start one!
3. Hit CTRL+ALT+L or go to Table->Show Cheat Table Lua Script
4. Paste lua script then open the memory viewer
5. Hit execute and wait 10 seconds... (This seems to be a bug, where the debugger is attached but CE doesn't realize it)
6. Hit "No" (as the debugger really is already attached)
7. Finally hit execute one last time, and if you have an operation started it'll bring you to the correct address... Or proceed to start one and check back! You'll probably catch it automatically tracing for you and it will land at the right place for you!
Just NOP the "ja" instruction and as you can see from the video the warmap operation instantly gets completed!
Using the auto assembler script video:
[Link]
1. Attach to the game
2. Go to the war room where the war map exists AND START an operation first (otherwise the first found result won't be the right one, and you'll have to check ReturnAddresses+8, ReturnAddresses+10, ReturnAddresses+18, etc...)
3. Hit CTRL+ALT+A or go to the memory viewer then Tools->Auto Assemble
4. Paste the Auto Assembler script and go to File->Assign to current cheat table
5. Enable the script
6. Manually add "ReturnAddresses" to your CT.
7. If you started an operation first before enabling the script, "ReturnAddresses" will contain the right address... Or you'll have to add ReturnAddresses+8, ReturnAddresses+10, ReturnAddresses+18 and go to each address in the memory viewer and find which one is the right memory location! Make sure they are 8 bytes (as this is a 64-bit game after all)
LUA Script:
Code:
debugProcess(2) --Start debugging with the VEH debugger
BreakpointAddress=getAddress("MSVCR110.time64") --time64 will lead us where we want
FoundIt=0
debug_removeBreakpoint(BreakpointAddress)
function debugger_onBreakpoint()
    if(FoundIt == 0) then -- step one
        debug_continueFromBreakpoint(co_stepover)
        extra, opcode, bytes, addy = splitDisassembledString(disassemble(RIP))
        RetFound = string.find(opcode, "ret")
        if(RetFound) then
            FoundIt=1
            debug_removeBreakpoint(BreakpointAddress)
            return 0
        end
    elseif(FoundIt == 1) then --step two
        extra, opcode, bytes, addy = splitDisassembledString(disassemble(RIP))
        CompareFound = string.find(opcode, "cmp")
        if(CompareFound) then
            InstSize = getInstructionSize(RIP)
            print(getNameFromAddress(addy)..": "..opcode)
            extra, opcode, bytes, addy = splitDisassembledString(disassemble(RIP+InstSize))
            JAFound = string.find(opcode, "ja")
            if(JAFound) then
                FoundIt=2
                print(getNameFromAddress(addy)..": "..opcode.." <--This is it ")
                debug_continueFromBreakpoint(co_run)
            else
                debug_setBreakpoint(BreakpointAddress)
                debug_continueFromBreakpoint(co_run)
                FoundIt=0
            end
        else
            debug_setBreakpoint(BreakpointAddress)
            debug_continueFromBreakpoint(co_run)
            FoundIt=0
        end
        return 0
    end
end
debug_setBreakpoint(BreakpointAddress)
Auto Assembler Script:
Code:
[enable]
alloc(time64Hook,1024,MSVCR110.time64)
label(time64Ret)
label(ContinueAddingToArray)
label(AddReturnAddressToArray)
label(AlreadyAdded)
label(ReturnAddressesCount)
label(ReturnAddresses)
registersymbol(ReturnAddressesCount)
registersymbol(ReturnAddresses)
time64Hook:
push rbx //original code
push rcx
push rax
xor rcx,rcx
mov rax,[rsp+18] //Return Address (with pushed registers taken into account)
mov rbx,ReturnAddresses
ContinueAddingToArray:
cmp ecx,[ReturnAddressesCount]
je AddReturnAddressToArray //Count Reached So It Must Be A "Fresh" Return Address
cmp rax,[rbx+rcx*8]
je AlreadyAdded //Return Address Already Added To Array
cmp ecx,#50 //let up to 50 return addresses be stored (though it won't reach that many)
je AlreadyAdded //Max Return Addresses To Store Reached
inc ecx
jmp ContinueAddingToArray
AddReturnAddressToArray:
mov [rbx+rcx*8],rax
inc [ReturnAddressesCount]
AlreadyAdded:
pop rax
pop rcx
sub rsp,20 //original code
jmp time64Ret
ReturnAddressesCount:
dd 0
ReturnAddresses:
dq 0
MSVCR110.time64:
jmp time64Hook
nop
time64Ret:
[disable]
MSVCR110.time64:
push rbx
sub rsp,20
dealloc(time64Hook)
unregistersymbol(ReturnAddressesCount)
unregistersymbol(ReturnAddresses)
After NOPping the ja instruction, warmap operations will automatically complete any time one is activated, as will ones that are already running. Either update the script with the new address, or just keep it in the "Advanced Options" of CE and replace the code with code that does nothing each time!
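As an added example (not code from the original post), here is the return-address recorder that the auto assembler script above hangs off MSVCR110.time64, written out in C so the loop is easy to follow: every distinct call site that reaches the hook is stored once, repeats are skipped, and the array is bounded. This is the same call-site attribution that hook-based monitors use to tell which caller hit a library function. The addresses in the demo are constructed values, not real ones from the game.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_RETURN_ADDRESSES 50        /* cmp ecx,#50 in the script */

typedef struct {
    uint32_t count;                          /* ReturnAddressesCount */
    uint64_t addrs[MAX_RETURN_ADDRESSES];    /* ReturnAddresses      */
} return_address_log;

/* Mirrors the ContinueAddingToArray loop: scan the entries recorded so
 * far, ignore a repeat, otherwise append. The bound is checked before
 * the append so the array cannot overflow. Returns 1 when a fresh
 * address was stored, 0 when it was a repeat or the log is full. */
int record_return_address(return_address_log *log, uint64_t ret_addr)
{
    for (uint32_t i = 0; i < log->count; i++)
        if (log->addrs[i] == ret_addr)
            return 0;                        /* AlreadyAdded */
    if (log->count >= MAX_RETURN_ADDRESSES)
        return 0;                            /* max reached */
    log->addrs[log->count++] = ret_addr;     /* AddReturnAddressToArray */
    return 1;
}

/* Drive the recorder with a constructed call-site sequence: one site
 * calling time64 in a tight loop, then a second site appearing later
 * (the "fresh" return address the post tells you to look for at
 * ReturnAddresses+8). Returns the number of distinct sites recorded. */
uint32_t demo_distinct_call_sites(return_address_log *log)
{
    const uint64_t site_a = 0x7ff6a0001234ULL;   /* constructed address */
    const uint64_t site_b = 0x7ff6a000abcdULL;   /* constructed address */
    log->count = 0;
    for (int n = 0; n < 1000; n++)
        record_return_address(log, site_a);      /* repeats are ignored */
    record_return_address(log, site_b);          /* fresh, stored at [1] */
    return log->count;
}

int main(void)
{
    return_address_log log;
    uint32_t n = demo_distinct_call_sites(&log);
    for (uint32_t i = 0; i < n; i++)
        printf("ReturnAddresses+%02x: %#llx\n", (unsigned)(i * 8),
               (unsigned long long)log.addrs[i]);
    return 0;
}
```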
Made by SteveAndrew
How to use this cheat table?
- Install Cheat Engine
- Double-click the .CT file in order to open it.
- Click the PC icon in Cheat Engine in order to select the game process.
- Keep the list.
- Activate the trainer options by checking boxes or setting values from 0 to 1