I need help taking control of all animal animations in the "theHunter: Call of the Wild" game. The value I can find with the changed/unchanged scan method is probably encrypted (it has a different range of values after restarting the game) and I do not have enough experience to back-trace it, but the value is written by a shared instruction that affects the player and all the different animals. By accident, with "dissect data", I found the actual value at stable offsets [[+18]+10] that do not change after restarting the game or even after new updates, and different types of animals have the same offset and a stable animation value:
[ENABLE]
// Hook at "theHunterCotW_F.exe"+2BC8D9, covering two original instructions
// (mov [rbx+18],rdi / mov rdx,rbx = 7 bytes). rbx is the object whose +18 slot
// receives rdi; [rbx+B0] is the byte the author uses to tell the player (0)
// from animals (non-zero) -- an assumption taken from dissect data.
aobscanmodule(AnimAnim1,theHunterCotW_F.exe,48 89 7B 18 48 8B D3 48 8B 07 48 8B CF FF 50 40 48 8B 43 38 48 85 C0 74 0C 48 8B 4B 30 4C 8B C7 48 8B D6 FF D0 48 8B 74 24 38) // should be unique
alloc(newmem,$1000,"theHunterCotW_F.exe"+2BC8D9)   // near the module so `jmp newmem` stays 5 bytes
label(skipstore)
label(return)
registersymbol(AnimAnim1)

newmem:
  cmp byte ptr [rbx+B0],0
  jne skipstore                    // animal: drop the store into [rbx+18]
  mov [rbx+18],rdi                 // player: first original instruction, unchanged
skipstore:
  mov rdx,rbx                      // second original instruction, taken on both paths
  jmp return

AnimAnim1:
  jmp newmem                       // 5 bytes + 2 nops = the 7 bytes replaced
  nop
  nop
return:

[DISABLE]
AnimAnim1:
  db 48 89 7B 18 48 8B D3          // restore the 7 original bytes
unregistersymbol(AnimAnim1)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "theHunterCotW_F.exe"+2BC8D9
"theHunterCotW_F.exe"+2BC8B9: 48 8B 38 - mov rdi,[rax]
"theHunterCotW_F.exe"+2BC8BC: 74 06 - je theHunterCotW_F.exe+2BC8C4
"theHunterCotW_F.exe"+2BC8BE: 48 3B 7B 18 - cmp rdi,[rbx+18]
"theHunterCotW_F.exe"+2BC8C2: 74 3F - je theHunterCotW_F.exe+2BC903
"theHunterCotW_F.exe"+2BC8C4: 48 89 74 24 38 - mov [rsp+38],rsi
"theHunterCotW_F.exe"+2BC8C9: 48 8B D3 - mov rdx,rbx
"theHunterCotW_F.exe"+2BC8CC: 48 8B 73 18 - mov rsi,[rbx+18]
"theHunterCotW_F.exe"+2BC8D0: 48 8B CE - mov rcx,rsi
"theHunterCotW_F.exe"+2BC8D3: 48 8B 06 - mov rax,[rsi]
"theHunterCotW_F.exe"+2BC8D6: FF 50 50 - call qword ptr [rax+50]
// ---------- INJECTING HERE ----------
"theHunterCotW_F.exe"+2BC8D9: 48 89 7B 18 - mov [rbx+18],rdi
"theHunterCotW_F.exe"+2BC8DD: 48 8B D3 - mov rdx,rbx
// ---------- DONE INJECTING ----------
"theHunterCotW_F.exe"+2BC8E0: 48 8B 07 - mov rax,[rdi]
"theHunterCotW_F.exe"+2BC8E3: 48 8B CF - mov rcx,rdi
"theHunterCotW_F.exe"+2BC8E6: FF 50 40 - call qword ptr [rax+40]
"theHunterCotW_F.exe"+2BC8E9: 48 8B 43 38 - mov rax,[rbx+38]
"theHunterCotW_F.exe"+2BC8ED: 48 85 C0 - test rax,rax
"theHunterCotW_F.exe"+2BC8F0: 74 0C - je theHunterCotW_F.exe+2BC8FE
"theHunterCotW_F.exe"+2BC8F2: 48 8B 4B 30 - mov rcx,[rbx+30]
"theHunterCotW_F.exe"+2BC8F6: 4C 8B C7 - mov r8,rdi
"theHunterCotW_F.exe"+2BC8F9: 48 8B D6 - mov rdx,rsi
"theHunterCotW_F.exe"+2BC8FC: FF D0 - call rax
}
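[ENABLE]
// Section header restored: as pasted, this copy of the script started straight
// at aobscanmodule, so the enable half was not explicitly marked.
// Hook at "theHunterCotW_F.exe"+2BC8D9, covering two original instructions
// (mov [rbx+18],rdi / mov rdx,rbx = 7 bytes). [rbx+B0] == 0 is treated as the
// player, anything else as an animal (author's assumption from dissect data).
aobscanmodule(AnimAnim1,theHunterCotW_F.exe,48 89 7B 18 48 8B D3 48 8B 07 48 8B CF FF 50 40 48 8B 43 38 48 85 C0 74 0C 48 8B 4B 30 4C 8B C7 48 8B D6 FF D0 48 8B 74 24 38) // should be unique
alloc(newmem,$1000,"theHunterCotW_F.exe"+2BC8D9)   // near the module so `jmp newmem` stays 5 bytes
label(skipstore)
label(return)
registersymbol(AnimAnim1)

newmem:
  cmp byte ptr [rbx+B0],0
  jne skipstore                    // animal: drop the store into [rbx+18]
  mov [rbx+18],rdi                 // player: first original instruction, unchanged
skipstore:
  mov rdx,rbx                      // second original instruction, taken on both paths
  jmp return

AnimAnim1:
  jmp newmem                       // 5 bytes + 2 nops = the 7 bytes replaced
  nop
  nop
return:

[DISABLE]
AnimAnim1:
  db 48 89 7B 18 48 8B D3          // restore the 7 original bytes
unregistersymbol(AnimAnim1)
dealloc(newmem)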
{
// ORIGINAL CODE - INJECTION POINT: "theHunterCotW_F.exe"+2BC8D9
"theHunterCotW_F.exe"+2BC8B9: 48 8B 38 - mov rdi,[rax]
"theHunterCotW_F.exe"+2BC8BC: 74 06 - je theHunterCotW_F.exe+2BC8C4
"theHunterCotW_F.exe"+2BC8BE: 48 3B 7B 18 - cmp rdi,[rbx+18]
"theHunterCotW_F.exe"+2BC8C2: 74 3F - je theHunterCotW_F.exe+2BC903
"theHunterCotW_F.exe"+2BC8C4: 48 89 74 24 38 - mov [rsp+38],rsi
"theHunterCotW_F.exe"+2BC8C9: 48 8B D3 - mov rdx,rbx
"theHunterCotW_F.exe"+2BC8CC: 48 8B 73 18 - mov rsi,[rbx+18]
"theHunterCotW_F.exe"+2BC8D0: 48 8B CE - mov rcx,rsi
"theHunterCotW_F.exe"+2BC8D3: 48 8B 06 - mov rax,[rsi]
"theHunterCotW_F.exe"+2BC8D6: FF 50 50 - call qword ptr [rax+50]
// ---------- INJECTING HERE ----------
"theHunterCotW_F.exe"+2BC8D9: 48 89 7B 18 - mov [rbx+18],rdi
"theHunterCotW_F.exe"+2BC8DD: 48 8B D3 - mov rdx,rbx
// ---------- DONE INJECTING ----------
"theHunterCotW_F.exe"+2BC8E0: 48 8B 07 - mov rax,[rdi]
"theHunterCotW_F.exe"+2BC8E3: 48 8B CF - mov rcx,rdi
"theHunterCotW_F.exe"+2BC8E6: FF 50 40 - call qword ptr [rax+40]
"theHunterCotW_F.exe"+2BC8E9: 48 8B 43 38 - mov rax,[rbx+38]
"theHunterCotW_F.exe"+2BC8ED: 48 85 C0 - test rax,rax
"theHunterCotW_F.exe"+2BC8F0: 74 0C - je theHunterCotW_F.exe+2BC8FE
"theHunterCotW_F.exe"+2BC8F2: 48 8B 4B 30 - mov rcx,[rbx+30]
"theHunterCotW_F.exe"+2BC8F6: 4C 8B C7 - mov r8,rdi
"theHunterCotW_F.exe"+2BC8F9: 48 8B D6 - mov rdx,rsi
"theHunterCotW_F.exe"+2BC8FC: FF D0 - call rax
}
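[ENABLE]
// Hook at "theHunterCotW_F.exe"+2BC8D9 (mov [rbx+18],rdi / mov rdx,rbx, 7 bytes).
// [rbx+B0] == 0 is treated as the player, anything else as an animal (author's
// assumption from dissect data; the game may use more than two states here).
// For animals the store into [rbx+18] is skipped and the animation value at
// [[[base]+18]+10] is overwritten. Every pointer in the chain is checked for
// null so an unpopulated chain skips the write instead of faulting in-game.
aobscanmodule(AnimAnim1,theHunterCotW_F.exe,48 89 7B 18 48 8B D3 48 8B 07 48 8B CF FF 50 40 48 8B 43 38 48 85 C0 74 0C 48 8B 4B 30 4C 8B C7 48 8B D6 FF D0 48 8B 74 24 38) // should be unique
alloc(newmem,$1000,"theHunterCotW_F.exe"+2BC8D9)   // near the module so `jmp newmem` stays 5 bytes
label(code)
label(return)
label(exit)
registersymbol(AnimAnim1)

newmem:
  cmp byte ptr [rbx+B0],0
  je code                          // player: original behaviour
  push rcx                         // rcx is reloaded from rdi right after return, but keep it intact anyway
  // NOTE(review): +2BB789 is about 0x1150 bytes before the hooked code and is
  // very likely inside the same code section. If it is the address of the
  // instruction that reads the static pointer rather than the pointer's own
  // storage, this load returns instruction bytes and the chain below
  // dereferences garbage -- confirm the address in the memory viewer.
  mov rcx,[theHunterCotW_F.exe+2BB789]
  test rcx,rcx
  je exit
  mov rcx,[rcx+18]
  test rcx,rcx
  je exit
  mov rcx,[rcx+10]
  test rcx,rcx
  je exit
  mov dword ptr [rcx],#527526523   // example value; dword assumed -- match the field width seen in dissect data
exit:
  pop rcx
  mov rdx,rbx                      // second original instruction
  jmp return

code:
  mov [rbx+18],rdi                 // first original instruction
  mov rdx,rbx
  jmp return

AnimAnim1:
  jmp newmem                       // 5 bytes + 2 nops = the 7 bytes replaced
  nop
  nop
return:

[DISABLE]
AnimAnim1:
  db 48 89 7B 18 48 8B D3          // restore the 7 original bytes
unregistersymbol(AnimAnim1)
dealloc(newmem)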
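[ENABLE]
// Section header restored: as pasted, this copy of the script started straight
// at aobscanmodule, so the enable half was not explicitly marked.
// Hook at "theHunterCotW_F.exe"+2BC8D9 (mov [rbx+18],rdi / mov rdx,rbx, 7 bytes).
// [rbx+B0] == 0 is treated as the player, anything else as an animal (author's
// assumption from dissect data). For animals the store into [rbx+18] is skipped
// and the animation value at [[[base]+18]+10] is overwritten; every pointer in
// the chain is null-checked so an unpopulated chain skips the write rather
// than faulting in-game.
aobscanmodule(AnimAnim1,theHunterCotW_F.exe,48 89 7B 18 48 8B D3 48 8B 07 48 8B CF FF 50 40 48 8B 43 38 48 85 C0 74 0C 48 8B 4B 30 4C 8B C7 48 8B D6 FF D0 48 8B 74 24 38) // should be unique
alloc(newmem,$1000,"theHunterCotW_F.exe"+2BC8D9)   // near the module so `jmp newmem` stays 5 bytes
label(code)
label(return)
label(exit)
registersymbol(AnimAnim1)

newmem:
  cmp byte ptr [rbx+B0],0
  je code                          // player: original behaviour
  push rcx                         // rcx is reloaded from rdi right after return, but keep it intact anyway
  // NOTE(review): +2BB789 lies close to (and very likely inside) the code
  // section the hook sits in; if it is an instruction address and not the
  // static pointer's storage, this load reads instruction bytes -- confirm.
  mov rcx,[theHunterCotW_F.exe+2BB789]
  test rcx,rcx
  je exit
  mov rcx,[rcx+18]
  test rcx,rcx
  je exit
  mov rcx,[rcx+10]
  test rcx,rcx
  je exit
  mov dword ptr [rcx],#527526523   // example value; dword assumed -- match the field width seen in dissect data
exit:
  pop rcx
  mov rdx,rbx                      // second original instruction
  jmp return

code:
  mov [rbx+18],rdi                 // first original instruction
  mov rdx,rbx
  jmp return

AnimAnim1:
  jmp newmem                       // 5 bytes + 2 nops = the 7 bytes replaced
  nop
  nop
return:

[DISABLE]
AnimAnim1:
  db 48 89 7B 18 48 8B D3          // restore the 7 original bytes
unregistersymbol(AnimAnim1)
dealloc(newmem)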
newmem:
// Experimental variant without the [+18] hop, to see whether the value chain
// is really [[base]+18]+10 or just [base]+10. Fragment only: the `code` and
// `exit` labels are defined in the full script this was cut from.
cmp byte ptr [rbx+B0],0
je code // [rbx+B0] == 0 -> player, run the original code
push rcx
mov rcx,[theHunterCotW_F.exe+2BB789] // NOTE(review): no null check before the dereference below
mov rcx,[rcx+10] // without the [+18] offset -- the author does not know what to expect from this
mov [rcx],#527526523 // no explicit width (dword ptr / qword ptr) -- TODO confirm the assembler's default matches the field
mov rdx,rbx // second original instruction
jmp exit
// Duplicate paste of the experimental variant above (no [+18] hop). Fragment
// only: `code` and `exit` are defined in the full script this was cut from.
cmp byte ptr [rbx+B0],0
je code // [rbx+B0] == 0 -> player, run the original code
push rcx
mov rcx,[theHunterCotW_F.exe+2BB789] // NOTE(review): no null check before the dereference below
mov rcx,[rcx+10] // without the [+18] offset -- the author does not know what to expect from this
mov [rcx],#527526523 // no explicit width (dword ptr / qword ptr) -- TODO confirm the assembler's default matches the field
mov rdx,rbx // second original instruction
jmp exit
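[ENABLE]
// Hook at "theHunterCotW_F.exe"+2BC8D9 (mov [rbx+18],rdi / mov rdx,rbx, 7 bytes).
// [rbx+B0] == 0 is treated as the player, anything else as an animal (author's
// assumption from dissect data). This variant writes the value at
// [[base]+18]+10, i.e. +10 is the value's offset rather than one more pointer
// hop as in the rcx-based script -- only one of the two can match the chain
// seen in dissect data.
// Fix: the original jumped to `exit`, which was never declared with label()
// nor defined; an undeclared name is resolved as a symbol, so if any loaded
// module exports `exit` the hook would jump into it and terminate the process.
// Both paths now end at `return`. rax needs no saving: the instruction right
// after the hook reloads it (mov rax,[rdi]).
aobscanmodule(AnimAnim1,theHunterCotW_F.exe,48 89 7B 18 48 8B D3 48 8B 07 48 8B CF FF 50 40 48 8B 43 38 48 85 C0 74 0C 48 8B 4B 30 4C 8B C7 48 8B D6 FF D0 48 8B 74 24 38) // should be unique
alloc(newmem,$1000,"theHunterCotW_F.exe"+2BC8D9)   // near the module so `jmp newmem` stays 5 bytes
label(code)
label(return)
label(skipped)
registersymbol(AnimAnim1)

newmem:
  cmp byte ptr [rbx+B0],0
  je code                          // player: original behaviour
  // NOTE(review): +2BB789 lies close to (and very likely inside) the code
  // section the hook sits in; if it is an instruction address and not the
  // static pointer's storage, this load reads instruction bytes -- confirm.
  mov rax,[theHunterCotW_F.exe+2BB789]
  test rax,rax
  je skipped                       // chain not populated yet: do not write
  mov rax,[rax+18]
  test rax,rax
  je skipped
  mov dword ptr [rax+10],#527526523   // example value at [[base]+18]+10; dword assumed -- match the field width
skipped:
  mov rdx,rbx                      // second original instruction
  jmp return

code:
  mov [rbx+18],rdi                 // first original instruction
  mov rdx,rbx
  jmp return

AnimAnim1:
  jmp newmem                       // 5 bytes + 2 nops = the 7 bytes replaced
  nop
  nop
return:

[DISABLE]
AnimAnim1:
  db 48 89 7B 18 48 8B D3          // restore the 7 original bytes
unregistersymbol(AnimAnim1)
dealloc(newmem)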
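[ENABLE]
// Section header restored: as pasted, this copy of the script started straight
// at aobscanmodule, so the enable half was not explicitly marked.
// Hook at "theHunterCotW_F.exe"+2BC8D9 (mov [rbx+18],rdi / mov rdx,rbx, 7 bytes).
// [rbx+B0] == 0 is treated as the player, anything else as an animal (author's
// assumption from dissect data). This variant writes the value at
// [[base]+18]+10 (+10 is the value's offset, not another pointer hop).
// Fix: the original jumped to `exit`, which was never declared with label()
// nor defined; an undeclared name is resolved as a symbol, so if any loaded
// module exports `exit` the hook would jump into it and terminate the process.
// Both paths now end at `return`. rax needs no saving: the instruction right
// after the hook reloads it (mov rax,[rdi]).
aobscanmodule(AnimAnim1,theHunterCotW_F.exe,48 89 7B 18 48 8B D3 48 8B 07 48 8B CF FF 50 40 48 8B 43 38 48 85 C0 74 0C 48 8B 4B 30 4C 8B C7 48 8B D6 FF D0 48 8B 74 24 38) // should be unique
alloc(newmem,$1000,"theHunterCotW_F.exe"+2BC8D9)   // near the module so `jmp newmem` stays 5 bytes
label(code)
label(return)
label(skipped)
registersymbol(AnimAnim1)

newmem:
  cmp byte ptr [rbx+B0],0
  je code                          // player: original behaviour
  // NOTE(review): +2BB789 lies close to (and very likely inside) the code
  // section the hook sits in; if it is an instruction address and not the
  // static pointer's storage, this load reads instruction bytes -- confirm.
  mov rax,[theHunterCotW_F.exe+2BB789]
  test rax,rax
  je skipped                       // chain not populated yet: do not write
  mov rax,[rax+18]
  test rax,rax
  je skipped
  mov dword ptr [rax+10],#527526523   // example value at [[base]+18]+10; dword assumed -- match the field width
skipped:
  mov rdx,rbx                      // second original instruction
  jmp return

code:
  mov [rbx+18],rdi                 // first original instruction
  mov rdx,rbx
  jmp return

AnimAnim1:
  jmp newmem                       // 5 bytes + 2 nops = the 7 bytes replaced
  nop
  nop
return:

[DISABLE]
AnimAnim1:
  db 48 89 7B 18 48 8B D3          // restore the 7 original bytes
unregistersymbol(AnimAnim1)
dealloc(newmem)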
UPD:
I think I have figured out why the game crashes even when some of this code is correct. The instruction also sends separate values for head animations and, probably, for status (eat, drink, walk, calm), and maybe something more. So the problem may be that I need to add one or a few more compares here.