Middle-earth: Shadow of War - Goodies

jrubimf
Cheater
Posts: 34
Joined: Mon Oct 09, 2017 2:02 pm
Reputation: 5

Re: Middle-earth: Shadow of War - Goodies

Post by jrubimf »

Thank you for this.

Now I can get the 100% buff for "playing online".

EDIT: :( I'm a moron.
Last edited by jrubimf on Thu Oct 19, 2017 3:42 pm, edited 1 time in total.

stealthcl0wn
Fearless Donors
Posts: 131
Joined: Sun Jun 18, 2017 1:23 am
Reputation: 20

Re: Middle-earth: Shadow of War - Goodies

Post by stealthcl0wn »

SunBeam wrote:
Tue Oct 17, 2017 12:05 am
Thought I'd point out there are 4 BOOLs controlling: Focus, Wrath, Elf-shots and Might, all 1 byte away from each other:

Code:

ShadowOfWar.exe+395CE7 - 48 8D 0D A1402A02     - lea rcx,[ShadowOfWar.exe+2639D8F] <--
ShadowOfWar.exe+395CEE - E8 AD118800           - call ShadowOfWar.exe+C16EA0
ShadowOfWar.exe+395CF3 - 84 C0                 - test al,al
ShadowOfWar.exe+395CF5 - 74 37                 - je ShadowOfWar.exe+395D2E
ShadowOfWar.exe+395CF7 - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+395CFA - 45 84 F6              - test r14l,r14l
OR

Code:

ShadowOfWar.exe+55AB07 - 40 38 3D 81F20D02     - cmp [ShadowOfWar.exe+2639D8F],dil <--
ShadowOfWar.exe+55AB0E - 0F84 FC308200         - je ShadowOfWar.exe+D7DC10
ShadowOfWar.exe+55AB14 - F3 0F10 8B A8000000   - movss xmm1,[rbx+000000A8]
ShadowOfWar.exe+55AB1C - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+55AB1F - E8 20000000           - call ShadowOfWar.exe+55AB44
ShadowOfWar.exe+55AB24 - 48 8B 5C 24 68        - mov rbx,[rsp+68]
ShadowOfWar.exe+55AB29 - B0 01                 - mov al,01
ShadowOfWar.exe+55AB2B - 0F28 74 24 40         - movaps xmm6,[rsp+40]
ShadowOfWar.exe+55AB30 - 0F28 7C 24 30         - movaps xmm7,[rsp+30]
ShadowOfWar.exe+55AB35 - 48 83 C4 50           - add rsp,50
ShadowOfWar.exe+55AB39 - 5F                    - pop rdi
ShadowOfWar.exe+55AB3A - C3                    - ret
So there's no freakin' need to hook that much code when you can flip 4 BOOLs to 1:

Image

- Focus gets auto-filled and will never get consumed
- Wrath bar gets filled to full and never gets consumed
- Elf-shots get auto-replenished and will replenish to max on each fired shot
- Might is set to full and never gets consumed

Setting them back to 0 will deplete Wrath, and the others go back to normal.

BR,
Sun
Does this fix the issue with most other "infinite might" stats where you need to land a hit to use it? It's particularly annoying when using the Vengeance set since it eats my health.

stealthcl0wn
Fearless Donors
Posts: 131
Joined: Sun Jun 18, 2017 1:23 am
Reputation: 20

Re: Middle-earth: Shadow of War - Goodies

Post by stealthcl0wn »

To answer my own question: yes, it does fix said issue. Now if only Raise Dead was affected by having full might...

jrubimf
Cheater
Posts: 34
Joined: Mon Oct 09, 2017 2:02 pm
Reputation: 5

Re: Middle-earth: Shadow of War - Goodies

Post by jrubimf »

jrubimf wrote:
Mon Oct 16, 2017 11:50 pm
Thank you for this.

How I can get the 100% buff for "playing online".
Jesus Christ, now HOW... It was NOW.

I saw my post quoted on Discord and was wondering why... Really sorry for that SB.

sleepylilreapy
Noobzor
Posts: 5
Joined: Fri Oct 20, 2017 10:32 pm
Reputation: 0

Re: Middle-earth: Shadow of War - Goodies

Post by sleepylilreapy »

Game crashes upon pressing Num 0; any ideas what could be causing the crash?

Spectre907
Noobzor
Posts: 14
Joined: Sun Dec 17, 2017 9:49 am
Reputation: 1

Re: Middle-earth: Shadow of War - Goodies

Post by Spectre907 »

Does anyone have a backup of what was lost from this thread when SB wiped?

APE
What is cheating?
Posts: 1
Joined: Mon Sep 24, 2018 6:13 pm
Reputation: 1

Re: Middle-earth: Shadow of War - Goodies

Post by APE »

Spectre907 wrote:
Sun Dec 17, 2017 3:51 pm
Does anyone have a backup of what was lost from this thread when SB wiped?
I know this is old, but in case someone still needs it:
(Also, I'm new to this community and couldn't find the forum rules; can someone link me to them? I hope I'm not breaking any rules by replying to an old post.)

PLEASE NOTE: I HAVE NOTHING TO DO WITH SUNBEAM, ALL CREDIT GOES TO HIM
This is just a backup of his original post.
------------------------------------------
------------------------------------------


Without any further ado:

• show/hide Debug Menu (not functional, for now):

Code:

[ENABLE]

alloc( CheatHandlerThread, 0x1000, ShadowOfWar.exe )
registersymbol( CheatHandlerThread )
CreateThread( CheatHandlerThread )
label( CheatHandlerOff )
registersymbol( CheatHandlerOff )
label( l_CheatHandlerThread )

label( ShowHideDebugMenu )

CheatHandlerThread:
sub rsp,28

l_CheatHandlerThread:
mov rcx,A
call Sleep

cmp [CheatHandlerOff],1
jne short @f
  add rsp,28
  mov [CheatHandlerOff],2
  ret
@@:
mov rcx,60 //VK_NUMPAD0
call GetAsyncKeyState
test ax,ax
jne short ShowHideDebugMenu

  jmp short l_CheatHandlerThread

ShowHideDebugMenu:
mov rax,[ShadowOfWar.exe+232B040]
mov rcx,[rax+88]
test rcx,rcx
je short @f
  mov dl,[bToggle]
  //call ShadowOfWar.exe+7C3658
  call ShadowOfWar.exe+7C3678
  xor [bToggle],1
@@:
mov rcx,C8
call Sleep
jmp l_CheatHandlerThread

CheatHandlerOff:
dd 0
bToggle:
db 1

[DISABLE]

{$lua}

if( syntaxcheck == false ) then --actual execution
  local starttime = getTickCount()

  if readInteger( "CheatHandlerOff" ) == 0 then --could be 2 already
    writeInteger( "CheatHandlerOff", 1 ) --tell the thread to kill itself
  end

  while( getTickCount() < starttime + 1000 ) and ( readInteger( "CheatHandlerOff" ) ~= 2 ) do --wait till it has finished
    sleep( 20 )
  end

  if( getTickCount() > starttime + 1000 ) then --could happen when the window is shown
    showMessage( 'Disabling the thread failed!' )
    error( 'Thread disabling failed!' )
  end
  sleep( 1 )
end

{$asm}

unregistersymbol( CheatHandlerOff )
unregistersymbol( CheatHandlerThread )
dealloc( CheatHandlerThread )

/*
ShadowOfWar.exe+183DD98 - 40 53                 - push rbx
ShadowOfWar.exe+183DD9A - 48 83 EC 40           - sub rsp,40 { 64 }
ShadowOfWar.exe+183DD9E - 45 33 C9              - xor r9d,r9d
ShadowOfWar.exe+183DDA1 - 48 8D 05 40D77300     - lea rax,[ShadowOfWar.exe+1F7B4E8] { ["ShowDebugMenu"] }
ShadowOfWar.exe+183DDA8 - 48 89 44 24 28        - mov [rsp+28],rax
ShadowOfWar.exe+183DDAD - 48 8B D9              - mov rbx,rcx
ShadowOfWar.exe+183DDB0 - 48 8D 05 45032100     - lea rax,[ShadowOfWar.exe+1A4E0FC] { ["System"] }
ShadowOfWar.exe+183DDB7 - 48 8B D1              - mov rdx,rcx
ShadowOfWar.exe+183DDBA - 48 8D 4C 24 30        - lea rcx,[rsp+30]
ShadowOfWar.exe+183DDBF - 48 89 44 24 20        - mov [rsp+20],rax
ShadowOfWar.exe+183DDC4 - 45 8D 41 02           - lea r8d,[r9+02]
ShadowOfWar.exe+183DDC8 - E8 BB29A9FE           - call ShadowOfWar.exe+2D0788
ShadowOfWar.exe+183DDCD - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+183DDD0 - E8 EB17CFFE           - call ShadowOfWar.exe+52F5C0
ShadowOfWar.exe+183DDD5 - BA 01000000           - mov edx,00000001 { 1 }
ShadowOfWar.exe+183DDDA - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+183DDDD - 44 8A D0              - mov r10l,al
ShadowOfWar.exe+183DDE0 - E8 8BAFAFFE           - call ShadowOfWar.exe+338D70
ShadowOfWar.exe+183DDE5 - 45 84 D2              - test r10l,r10l
ShadowOfWar.exe+183DDE8 - 74 1C                 - je ShadowOfWar.exe+183DE06
ShadowOfWar.exe+183DDEA - 48 8B 05 4FD2AE00     - mov rax,[ShadowOfWar.exe+232B040] { [291C8F00] }
ShadowOfWar.exe+183DDF1 - 48 8B 88 88000000     - mov rcx,[rax+00000088]
ShadowOfWar.exe+183DDF8 - 48 85 C9              - test rcx,rcx
ShadowOfWar.exe+183DDFB - 74 0E                 - je ShadowOfWar.exe+183DE0B
ShadowOfWar.exe+183DDFD - B2 01                 - mov dl,01 { 1 }
ShadowOfWar.exe+183DDFF - E8 7458F8FE           - call ShadowOfWar.exe+7C3678
ShadowOfWar.exe+183DE04 - EB 05                 - jmp ShadowOfWar.exe+183DE0B
ShadowOfWar.exe+183DE06 - E8 35EBCDFF           - call ShadowOfWar.exe+151C940
ShadowOfWar.exe+183DE0B - 48 8D 4C 24 30        - lea rcx,[rsp+30]
ShadowOfWar.exe+183DE10 - E8 1B34B5FE           - call ShadowOfWar.exe+391230
ShadowOfWar.exe+183DE15 - 33 C0                 - xor eax,eax
ShadowOfWar.exe+183DE17 - 48 83 C4 40           - add rsp,40 { 64 }
ShadowOfWar.exe+183DE1B - 5B                    - pop rbx
ShadowOfWar.exe+183DE1C - C3                    - ret
*/
You also need to set a BYTE at ShadowOfWar.exe+262B405 to 1. Use Numpad 0 to toggle on/off. Preferably in-game, not with the menu on (as the menu is still usable underneath).

Image

Image


• replenish Elf-shots with this script:

Code:

[ENABLE]

alloc( CheatHandlerThread, 0x1000, ShadowOfWar.exe )
registersymbol( CheatHandlerThread )
CreateThread( CheatHandlerThread )
label( CheatHandlerOff )
registersymbol( CheatHandlerOff )
label( l_CheatHandlerThread )

label( Replenish )

CheatHandlerThread:
sub rsp,28

l_CheatHandlerThread:
mov rcx,A
call Sleep

cmp [CheatHandlerOff],1
jne short @f
  add rsp,28
  mov [CheatHandlerOff],2
  ret
@@:
mov rcx,60 //VK_NUMPAD0
call GetAsyncKeyState
test ax,ax
jne short Replenish

  jmp short l_CheatHandlerThread

Replenish:
mov rax,[ShadowOfWar.exe+232AFD0]
mov rdi,[rax+888]
test rdi,rdi
je @f
  mov rcx,[rdi+24B0]
  test rcx,rcx
  je @f
    mov rcx,[rcx+2B0]
    test rcx,rcx
    je @f
      mov r8d,14 //20 Elf-shots I think is the maximum for a pool stuck in a wall
      mov edi,r8d
      mov r8d,[rcx+98]
      add r8d,edi
      mov edx,r8d
      shr edx,1F
      shr edx,1
      sbb edx,edx
      not edx
      and edx,r8d
      call ShadowOfWar.exe+5D0C04
@@:
mov rcx,C8
call Sleep
jmp l_CheatHandlerThread

CheatHandlerOff:
dd 0
bToggle:
db 1

[DISABLE]

{$lua}

if( syntaxcheck == false ) then --actual execution
  local starttime = getTickCount()

  if readInteger( "CheatHandlerOff" ) == 0 then --could be 2 already
    writeInteger( "CheatHandlerOff", 1 ) --tell the thread to kill itself
  end

  while( getTickCount() < starttime + 1000 ) and ( readInteger( "CheatHandlerOff" ) ~= 2 ) do --wait till it has finished
    sleep( 20 )
  end

  if( getTickCount() > starttime + 1000 ) then --could happen when the window is shown
    showMessage( 'Disabling the thread failed!' )
    error( 'Thread disabling failed!' )
  end
  sleep( 1 )
end

{$asm}

unregistersymbol( CheatHandlerOff )
unregistersymbol( CheatHandlerThread )
dealloc( CheatHandlerThread )

• the below explains how I got from a certain hook, where you can set the amount of Gems, to the Gems' properties:

1. I noticed that if you play around with the Wealth Gems on your equipment, your XP % increases:

Image

That increases from 3% to 33% if I imbue both the Armor and Cape with Perfect Wealth Gems. Time to find out where that % comes from and make it so it boosts XP to 100% or 200% :)

2. I figured out how to change the XP % rate. Value is 0 when no gem's worn. When adding to your Armor/Cape, this is what happens:

- Wealth Gem -> +0.05000000075
- Carved Wealth Gem -> +0.07500000298
- Polished Wealth Gem -> +0.1000000015
- Refined Wealth Gem -> +0.125
- Perfect Wealth Gem -> +0.150000006

If you add them all, you get a 50% increase, but XP is given only to armor-type inventory (Armor and Cape).

Now, if both the Armor and Cape are slotted with Wealth gems, the value is the sum of the two being written to my address:
Image

Time to backtrace a bit and see where these values come from. I guess I will find the property of the actual Gem stored in some structure ;) It will be easier to just hijack the stored value than hack the total amount (e.g.: get a Perfect Wealth Gem with 100% XP). Haven't yet tested in-game to see if this works (the effect, I mean).

3. This is my current set-up (no gems set to any slots, 3% default XP% value):

Image

I found that in the process of setting a Perfect Wealth Gem to the Armor's Gem Slot, this happens:

Code:

ShadowOfWar.exe+4E5C65 - 48 8B 0F              - mov rcx,[rdi]
ShadowOfWar.exe+4E5C68 - E8 DB673D01           - call ShadowOfWar.exe+18BC448
ShadowOfWar.exe+4E5C6D - 48 85 C0              - test rax,rax
ShadowOfWar.exe+4E5C70 - 74 1C                 - je ShadowOfWar.exe+4E5C8E
ShadowOfWar.exe+4E5C72 - F3 0F10 57 08         - movss xmm2,[rdi+08] <-- break here and execute with F7
ShadowOfWar.exe+4E5C77 - 48 8B D0              - mov rdx,rax
ShadowOfWar.exe+4E5C7A - 48 8B CE              - mov rcx,rsi
ShadowOfWar.exe+4E5C7D - 40 84 ED              - test bpl,bpl
In my case, RDI == 0x1692C8DC8. Followed in dump:
Image
The highlighted value is 0.150000006 as float.

Now, the 0-pointer leads to a structure where (same as earlier) the pointer at offset 0x20 points to a string:
Image
Image
Thing is, this is still a temporary buffer, as when I resume the game from debugging, that float is gone from that position. Our goal here is backtracing to the source, where the float is acquired.

Backtraced a bit more and landed in this function:

Code:

ShadowOfWar.exe+188A82C - 48 89 5C 24 08        - mov [rsp+08],rbx
ShadowOfWar.exe+188A831 - 48 89 74 24 10        - mov [rsp+10],rsi
ShadowOfWar.exe+188A836 - 48 89 7C 24 18        - mov [rsp+18],rdi
ShadowOfWar.exe+188A83B - 55                    - push rbp
ShadowOfWar.exe+188A83C - 41 56                 - push r14
ShadowOfWar.exe+188A83E - 41 57                 - push r15
ShadowOfWar.exe+188A840 - 48 8B EC              - mov rbp,rsp
ShadowOfWar.exe+188A843 - 48 83 EC 60           - sub rsp,60 { 96 }
ShadowOfWar.exe+188A847 - 48 8B DA              - mov rbx,rdx
ShadowOfWar.exe+188A84A - 49 8B F0              - mov rsi,r8
ShadowOfWar.exe+188A84D - 49 8B D0              - mov rdx,r8
ShadowOfWar.exe+188A850 - 48 8B F9              - mov rdi,rcx
ShadowOfWar.exe+188A853 - E8 B4FEFFFF           - call ShadowOfWar.exe+188A70C
ShadowOfWar.exe+188A858 - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+188A85B - E8 9CF699FE           - call ShadowOfWar.exe+229EFC
ShadowOfWar.exe+188A860 - 4C 8B F0              - mov r14,rax
ShadowOfWar.exe+188A863 - 48 85 C0              - test rax,rax
ShadowOfWar.exe+188A866 - 0F84 E3000000         - je ShadowOfWar.exe+188A94F
ShadowOfWar.exe+188A86C - 48 8B CB              - mov rcx,rbx
ShadowOfWar.exe+188A86F - 48 89 5F 18           - mov [rdi+18],rbx
ShadowOfWar.exe+188A873 - E8 48ECBDFF           - call ShadowOfWar.exe+14694C0
ShadowOfWar.exe+188A878 - 49 8B D6              - mov rdx,r14
ShadowOfWar.exe+188A87B - 89 45 38              - mov [rbp+38],eax
ShadowOfWar.exe+188A87E - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A882 - 44 8B F8              - mov r15d,eax
ShadowOfWar.exe+188A885 - E8 9A6FD9FF           - call ShadowOfWar.exe+1621824
ShadowOfWar.exe+188A88A - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A88E - E8 35B594FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A893 - 84 C0                 - test al,al
ShadowOfWar.exe+188A895 - 0F85 9D000000         - jne ShadowOfWar.exe+188A938
ShadowOfWar.exe+188A89B - 8B 5D F8              - mov ebx,[rbp-08]
ShadowOfWar.exe+188A89E - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8A2 - E8 E174D9FF           - call ShadowOfWar.exe+1621D88
ShadowOfWar.exe+188A8A7 - 48 8B C8              - mov rcx,rax
ShadowOfWar.exe+188A8AA - 4C 8B F0              - mov r14,rax
ShadowOfWar.exe+188A8AD - E8 6AAFD9FF           - call ShadowOfWar.exe+162581C
ShadowOfWar.exe+188A8B2 - 48 85 C0              - test rax,rax
ShadowOfWar.exe+188A8B5 - 74 1A                 - je ShadowOfWar.exe+188A8D1
ShadowOfWar.exe+188A8B7 - 48 3B 47 20           - cmp rax,[rdi+20]
ShadowOfWar.exe+188A8BB - 74 14                 - je ShadowOfWar.exe+188A8D1
ShadowOfWar.exe+188A8BD - FF C3                 - inc ebx
ShadowOfWar.exe+188A8BF - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8C3 - 89 5D F8              - mov [rbp-08],ebx
ShadowOfWar.exe+188A8C6 - E8 FDB494FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A8CB - 84 C0                 - test al,al
ShadowOfWar.exe+188A8CD - 74 CF                 - je ShadowOfWar.exe+188A89E
ShadowOfWar.exe+188A8CF - EB 67                 - jmp ShadowOfWar.exe+188A938
ShadowOfWar.exe+188A8D1 - 49 8B D6              - mov rdx,r14
ShadowOfWar.exe+188A8D4 - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8D8 - E8 8B66D9FF           - call ShadowOfWar.exe+1620F68
ShadowOfWar.exe+188A8DD - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8E1 - E8 E2B494FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A8E6 - 84 C0                 - test al,al
ShadowOfWar.exe+188A8E8 - 75 4E                 - jne ShadowOfWar.exe+188A938
ShadowOfWar.exe+188A8EA - 8B 5D F8              - mov ebx,[rbp-08]
ShadowOfWar.exe+188A8ED - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A8F1 - E8 B273D9FF           - call ShadowOfWar.exe+1621CA8
ShadowOfWar.exe+188A8F6 - 48 89 45 C8           - mov [rbp-38],rax
ShadowOfWar.exe+188A8FA - 48 85 C0              - test rax,rax
ShadowOfWar.exe+188A8FD - 74 27                 - je ShadowOfWar.exe+188A926
ShadowOfWar.exe+188A8FF - 4C 8D 4D 38           - lea r9,[rbp+38]
ShadowOfWar.exe+188A903 - 4C 8D 45 C8           - lea r8,[rbp-38]
ShadowOfWar.exe+188A907 - 48 8D 4D C0           - lea rcx,[rbp-40]
ShadowOfWar.exe+188A90B - E8 30FAFFFF           - call ShadowOfWar.exe+188A340
ShadowOfWar.exe+188A910 - 48 8D 4F 28           - lea rcx,[rdi+28]
ShadowOfWar.exe+188A914 - 48 8D 55 C0           - lea rdx,[rbp-40]
ShadowOfWar.exe+188A918 - E8 37B7DCFE           - call ShadowOfWar.exe+656054
ShadowOfWar.exe+188A91D - 48 8D 4D C0           - lea rcx,[rbp-40]
ShadowOfWar.exe+188A921 - E8 12B7DCFE           - call ShadowOfWar.exe+656038
ShadowOfWar.exe+188A926 - FF C3                 - inc ebx
ShadowOfWar.exe+188A928 - 48 8D 4D D0           - lea rcx,[rbp-30]
ShadowOfWar.exe+188A92C - 89 5D F8              - mov [rbp-08],ebx
ShadowOfWar.exe+188A92F - E8 94B494FE           - call ShadowOfWar.exe+1D5DC8
ShadowOfWar.exe+188A934 - 84 C0                 - test al,al
ShadowOfWar.exe+188A936 - 74 B5                 - je ShadowOfWar.exe+188A8ED
ShadowOfWar.exe+188A938 - 48 85 F6              - test rsi,rsi
ShadowOfWar.exe+188A93B - 74 10                 - je ShadowOfWar.exe+188A94D
ShadowOfWar.exe+188A93D - 45 8B CF              - mov r9d,r15d
ShadowOfWar.exe+188A940 - 4C 8B C6              - mov r8,rsi
ShadowOfWar.exe+188A943 - B2 01                 - mov dl,01 { 1 }
ShadowOfWar.exe+188A945 - 48 8B CF              - mov rcx,rdi
ShadowOfWar.exe+188A948 - E8 7BFEFFFF           - call ShadowOfWar.exe+188A7C8
ShadowOfWar.exe+188A94D - B0 01                 - mov al,01 { 1 }
ShadowOfWar.exe+188A94F - 4C 8D 5C 24 60        - lea r11,[rsp+60]
ShadowOfWar.exe+188A954 - 49 8B 5B 20           - mov rbx,[r11+20]
ShadowOfWar.exe+188A958 - 49 8B 73 28           - mov rsi,[r11+28]
ShadowOfWar.exe+188A95C - 49 8B 7B 30           - mov rdi,[r11+30]
ShadowOfWar.exe+188A960 - 49 8B E3              - mov rsp,r11
ShadowOfWar.exe+188A963 - 41 5F                 - pop r15
ShadowOfWar.exe+188A965 - 41 5E                 - pop r14
ShadowOfWar.exe+188A967 - 5D                    - pop rbp
ShadowOfWar.exe+188A968 - C3                    - ret
The reason I'm mentioning the entire function is this block:
Image
What happens here is the engine iterates through all available slots to find the one you want to fill in. How do I know? Simple: RAX+20 is a pointer leading to the string that tells me what's happening now :) The loop runs and, when exiting, this is my RAX: 0x3ADBAE38, which tells me we're talking about this slot: Socket_4Armor.
Image

Which is the one I'm currently equipping with a Perfect Wealth Gem. Now, to find that blasted Gem property. Be back in a bit.

4. Alright, so I pinpointed everything to this location:
Image

Keep in mind the highlighted location also breaks when you hover the mouse over a Gem, which is handy.

Now, going inside the function led to this spot:

Image

Further on, with 0x3AE482C8 in RCX and passing the first CALL, RAX becomes 0x3A8E5730:

Image

Well now, checking the buffer in dump reveals that:

Image

So, having said that and changing the value to 0.62, for example, this happens in-game:

Image

I guess you know what you have to do now :P Similarly, you can do the red and green ones ;)

5. Had to see what happens when I equip a Perfect Wealth Gem in the Cape's Gem Slot:

Image

Further on:

Image

Then leading to this location:

Image

Overall total is temporarily written to the buffer in RBX:

Image

Then this shit is run and a pointer is acquired:

Image

And entering last CALL in this function shows that Overall Boosters XP % can easily be acquired via the pointer set in RBX :)

Image

And finally, inside the next CALL, the place where the computed Boosters XP % is written:

Image

There you have it, in a "nutshell" :D Note the above trace-run was done on a previous version of the game (not the current exe build), but with slight offsetting (Ctrl+G, go to address, scroll a bit up or down) you can get there.

BR,
Sun



---------------------------------------------
---------------------------------------------
---------------------------------------------
PLEASE NOTE: I HAVE NOTHING TO DO WITH SUNBEAM, ALL CREDIT GOES TO HIM
This is just a backup of his original post.
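Editor's note on the Elf-shots script above: the five instructions that follow `add r8d,edi` (`shr edx,1F` / `shr edx,1` / `sbb edx,edx` / `not edx` / `and edx,r8d`) are a common compiler idiom, not anything game-specific. They compute `max(x, 0)` for a signed 32-bit `x` without a branch: the first shift isolates the sign bit, the second moves it into CF, `sbb` turns CF into an all-ones or all-zeros mask, `not` inverts it, and `and` either keeps `x` or zeroes it. The C below is an added example (not from the post, not from the game, not SunBeam's code) that emulates the sequence step by step and checks it against the readable form. It assumes `[rcx+98]` holds a signed 32-bit count, which the presence of the clamp suggests but the post does not state; the `add`-then-clamp mirrors what the script does with its 20-shot increment.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulates the five-instruction sequence from the Elf-shots script, with
 * edx initially equal to r8d (x). Each line corresponds to one instruction. */
uint32_t clamp_nonneg_idiom(uint32_t r8d)
{
    uint32_t edx = r8d;
    edx >>= 31;                 /* shr edx,1F : edx = sign bit of x (0 or 1)        */
    uint32_t cf = edx & 1;      /* shr edx,1  : that bit goes into CF ...           */
    edx >>= 1;                  /*              ... and edx becomes 0               */
    edx = edx - edx - cf;       /* sbb edx,edx: 0 - 0 - CF = 0xFFFFFFFF if x < 0    */
    edx = ~edx;                 /* not edx    : mask is all-ones when x >= 0        */
    edx &= r8d;                 /* and edx,r8d: keep x, or zero it                  */
    return edx;
}

/* The plain C expression the compiler emitted that sequence for. */
int32_t clamp_nonneg_ref(int32_t x)
{
    return x < 0 ? 0 : x;
}

/* Mirrors the script: add the increment in 32-bit wrapping arithmetic, exactly
 * like `add r8d,edi`, then clamp. A sum that wraps past INT32_MAX comes out
 * negative and is therefore clamped to 0 rather than left as garbage. */
int32_t replenish_clamped(int32_t current, int32_t increment)
{
    uint32_t sum = (uint32_t)current + (uint32_t)increment;  /* wraps like the CPU */
    return (int32_t)clamp_nonneg_idiom(sum);
}

/* Equivalence check of the idiom against the reference on boundary values.
 * Returns 1 when every probe matches, 0 otherwise. */
int idiom_matches_reference(void)
{
    const int32_t probes[] = {
        0, 1, -1, 19, -20, 20,
        INT32_MAX, INT32_MIN, INT32_MAX - 19, INT32_MIN + 19,
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int32_t got = (int32_t)clamp_nonneg_idiom((uint32_t)probes[i]);
        if (got != clamp_nonneg_ref(probes[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample counts, not values read from the game. */
    printf("7 + 20        -> %d\n", replenish_clamped(7, 20));
    printf("-30 + 20      -> %d\n", replenish_clamped(-30, 20));
    printf("INT32_MAX-5+20 -> %d (wrapped negative, clamped)\n",
           replenish_clamped(INT32_MAX - 5, 20));
    printf("idiom == reference: %s\n", idiom_matches_reference() ? "yes" : "no");
    return 0;
}
```

Reading the idiom this way is what lets you say, from the disassembly alone, that the call at `ShadowOfWar.exe+5D0C04` receives a non-negative count in `edx`; recognising `shr/shr/sbb/not/and` (and its cousins `cdq/and` and `sar/andn`) as "clamp to zero" saves stepping through it every time it appears.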
