Deep Rock Galactic

[Tigerlover73]

u can always make a "hack" xd who says we have to stay with cheat engine alone xd

[marius2k4]

7FF72660AF40+250 - static ptr for perk points

[marius2k4]

7FF72660AF40+250 - static ptr for perk points

Ok, fail. Can anyone tell me why static pointers don't actually persist?

[Tigerlover73]

i wish we could find a way around this, maybe by inserting a dll?

[michaelanglo.l]

the hotfix fucks some of the table again

[crissahavener]

Hey everyone, new coder here working with Omicron. I hope to help improve the scripts and keep things more up-to-date at faster pace.

[crissahavener]

- Scout -> Instant Grapple Projectile Speed
- Scout -> Unlimited Grapple Distance
- Gunner -> Unlimited Zipline Angle
- Gunner -> Unlimited Zipline Range
- Gunner -> Instant Minigun Firing Rate
- Perks -> Use Hover Boots Anytime (Host Required)
- Common Class -> No Recoil
- Mining -> Unlimited Mineral Capacity (On Dwarf)
- Mission Specific -> Always Spawn Cargo Crate in Level (By MatJoy)

so far recovered 5* scripts
scouts grapple scripts recovered
always spawn cargo now always spawns either cargo box or lost miner bag, and also seems to always cause matrix core events to spawn too
edit: 2am est - Gunner ziplines unlocked

Code: Select all

AOB-UnlimitedRangeZips {Requires Distance Upgrade Slot 2}
AOB-UnlimitedAngleZips {Requires Angle Upgrade Slot 1}

[SunBeam]

Function names can no longer be viewed

You mean they've provided the .pdb across time in all these updates? Am assuming the GOG version? I rarely see it for Steam games.

EDIT: Ah, yes, I see the Update 28 (found on IGG) had the .pdb in "FSD-Win64-Shipping.pdb"

So what's the problem, you can't find the functions you need by AOBs? Use the v28 binaries in an x64dbg instance and with another x64dbg instance open the v29_2 executable. Then select a bunch of lines in the v28 x64dbg, Shift+C, then go to the v29_2 x64dbg window (make sure you are in the main module first), then Ctrl+B, Ctrl+V, OK. It will scan for that shit for ya...

Link to U28 exe and pdb: [Link]
pass: sunbeam

• download the above and extract the content into your 'SteamLibrary\steamapps\common\Deep Rock Galactic\FSD\Binaries\Win64' folder

• get x64dbg from official site

• open 'FSD-Win64-Shipping.exe' in one instance of x64dbg, press F9 1 time

• open 'FSD-Win64-Shipping_U28.exe' in another instance of x64dbg, press F9 1 time

• wait for a bit till all symbols become available (10-15s)

• go to a function via Ctrl+G (e.g.: type in UCheatManager::God)
  
  

• select several lines like I did (the selection is your choice, there's no rules here)
  
  

• press Shift+C

• go to the other x64dbg instance where you have the U29_2 executable (the current one)

• press Ctrl+B and Shift+V to paste the just-copied bytes into the tab; tick "Entire Block"..
  
  
  
  

• ..and you should now see this:
  
  

• double-click it and you're now here:
  
  

• you can now head to the prologue of the function and press Shift+;

• then type in the name of the function you saw in the other window (UCheatManager::God) and hit OK
  
  

• now you've manually named your function to match the one from U28:
  
  

So in U29_2 UCheatManager::God function is at "FSD-Win64-Shipping.exe+1889CF0". In U28 it was at "FSD-Win64-Shipping_U28.exe+184FE70" - in CE format

Use the logic above, from a GLOBAL point of view, to determine anything else you need in U29_2.

When you close x64dbg, the names you've set are saved in x64dbg's internal database. So the next time you open it, you can do Ctrl+G and go to that function.

NOTE: If the game updates.. meaning the exe will change (will be overwritten by Steam with the new one), your list of named functions will point to wrong addresses; so you will have to redo. There's no shortcut to this, unless you start collecting some AOBs for the functions you want, to quickly search for them every time the game updates.

Play nice.

BR,
Sun

[SunBeam]

When the game first runs, the Engine will execute at some point a function: APlayerController::PostInitializeComponents. This function's execution will end-up running this piece of code:

Code: Select all

00007FF6E96C9E03 | FF90 600C0000         | CALL QWORD PTR DS:[RAX+C60]     | APlayerController::AddCheats
00007FF6E96C9E09 | 838B E0040000 10      | OR DWORD PTR DS:[RBX+4E0],10    |
00007FF6E96C9E10 | 48:C74424 30 42010000 | MOV QWORD PTR SS:[RSP+30],142   |
00007FF6E96C9E19 | 48:8B4424 30          | MOV RAX,QWORD PTR SS:[RSP+30]   |
00007FF6E96C9E1E | 48:8983 58030000      | MOV QWORD PTR DS:[RBX+358],RAX  |
00007FF6E96C9E25 | 48:83C4 20            | ADD RSP,20                      |
00007FF6E96C9E29 | 5B                    | POP RBX                         |
00007FF6E96C9E2A | C3                    | RET                             |

Within APlayerController::AddCheats this is what will happen:

- Engine checks if CheatManager was initialized (it's stored at 0x448 offset in PlayerController structure); to do that, it verifies that the CheatManager Class exists at offset 0x450:

Code: Select all

00007FF6E96B56DF | 48:83BF 50040000 00 | CMP QWORD PTR DS:[RDI+450],0 |

- past this check, another dynamic function is executed here:

Code: Select all

00007FF6E96B5739 | 48:8B01       | MOV RAX,QWORD PTR DS:[RCX]  |
00007FF6E96B573C | 48:8BD7       | MOV RDX,RDI                 |
00007FF6E96B573F | FF90 70070000 | CALL QWORD PTR DS:[RAX+770] | [rax+770]:AGameModeBase::AllowCheats
00007FF6E96B5745 | 84C0          | TEST AL,AL                  |

- this function has to return TRUE (0x1), otherwise the CheatManager UObject is not created and linked in the GUObjectArray
- result: you won't be able to execute any CheatManager-related functions in the console (e.g.: god, fly, ghost, slomo, toggledebugcamera, playersonly, etc.)

When the game is initialized, this happens just fine, you have the CheatManager available (UObject is created and Init function run), thus with access to the console you can type stuff in and it runs. However, you are at main menu, therefore no point in using the console here, right?

Now.. when you go in-game (PRESS ANY KEY and the LOADING... screen appears, either from main menu to game world -OR- from the Space Rig's Drop Pod to your chosen mission and vice-versa), the APlayerController::AddCheats function is ran again, but this time around that dynamic call (CALL QWORD PTR DS:[RAX+770]) will not run AGameModeBase::AllowCheats function again Instead, there's another function that's being run, which, according to UE4 source code, is called A<game>GameMode::AllowCheats. In this case, AFSDGameMode::AllowCheats. In the U28 (update 28) executable with .pdb, this function is here:

Code: Select all

00007FF6E0B070B0 | 32C0 | XOR AL,AL |
00007FF6E0B070B2 | C3   | RET       |

In reality, that function above is a generic function used by any dynamic function in the game where a FALSE is expected to be returned.

Example:

call qword ptr [rax+1C0] -> 7FF6E0B070B0
call qword ptr [rax+400] -> 7FF6E0B070B0

Both functions above will call same generic function. Why? Because that's how optimization works in MSVC++. If there are multiple functions that should return a FALSE value, then MSVC doesn't create 2 XOR AL,AL|RET functions, 1 for each. Instead, it compiles a single one and re-routes ALL such functions to this one That happens when you chosoe the "Maximum Optimization (Favor Size)" option in your C++ project properties.

Here's an example of how many NON-DYNAMIC functions call that location in U28; just so you get an idea (ignore the symbolic names, they are irrelevant):



So.. while at main menu.. and before going in-game (cuz I didn't see any feature in-game that allows you to get back to main menu; only exit game).. we need to patch the spot where this CALL happens in APlayerController::AddCheats, like so (this is in U29_2):

Code: Select all

00007FF6E96B56B0 | 48:895C24 18  | MOV QWORD PTR SS:[RSP+18],RBX  | APlayerController::AddCheats
..
00007FF6E96B573F | FF90 70070000 | CALL QWORD PTR DS:[RAX+770]    |
00007FF6E96B5745 | 84C0          | TEST AL,AL                     |

to

Code: Select all

00007FF6E96B56B0 | 48:895C24 18 | MOV QWORD PTR SS:[RSP+18],RBX  | APlayerController::AddCheats
..
00007FF6E96B573F | 30C0         | XOR AL,AL                      |
00007FF6E96B5741 | FEC0         | INC AL                         |
00007FF6E96B5743 | 90           | NOP                            |
00007FF6E96B5744 | 90           | NOP                            |
00007FF6E96B5745 | 84C0         | TEST AL,AL                     |

You can of course choose another format, if you want (e.g.: MOV EAX,1 instead of XOR AL,AL|INC AL):

Code: Select all

00007FF6E96B573F | B8 01000000 | MOV EAX,1   |
00007FF6E96B5744 | 90          | NOP         |
00007FF6E96B5745 | 84C0        | TEST AL,AL  |

As long as AL becomes 1, you're good.

So now.. when you go in-game.. AFSDGameMode::AllowCheats function is never executed (it returned 0, we need 1) and 1 is put in AL/EAX. That means TEST AL,AL will never skip the initialization of CheatManager, so everything will work as it did when we initially started the game

With the console enabled, here's a comparison between no patch -AND- patch:





See how 'god' is not recognized the first time around? That's because it's a CheatManager command. And since the UObject was not created, thus a NULL/0, this execution of CheatManager-related commands is skipped. In the second screenshot, with the patch in place, we don't see the same thing

I'll post the console enabler and dumper a bit later, as well as an incipient table which you can make use of in your own maintained one.

Enjoy.

BR,
Sun

[SunBeam]

[ Update #1 ]

I pulled it off without needing to patch this at main menu Or patching any code whatsoever. I've swapped the member-function at offset 0x770 in the Level's member-functions virtual table with my function:

Code: Select all

AFSDGameMode_AllowCheats:
mov al,1
ret

So now you can just run a simple script that does the swap and executes the APlayerController::AddCheats function. This in turn will now run my "AFSDGameMode_AllowCheats" function when it executes "CALL QWORD PTR DS:[RAX+770]" The benefits of patching the member-functions vtable is any future Level UObjects (you will leave mission, return to rig, then play another mission) will make use of the vtable that already has the function at 0x770 returning 1 instead of 0. So you won't need to do anything else. Just enable the script and that's that

This is what happens now when a level loads:



[ Update #2 ]

I now realized that when you abort mission and move back to Space Rig, the member-functions table with my patch is not used. And that is because there are 5 such tables, one for the Level, one for the Space Rig and 3 more (game init, multi-player, co-op). Out of these 5, the Level and Space Rig, by default, return 0 (so there's no CheatManager ever). The other 3 check to see what type of game are you running (AGameModeBase::AllowCheats) and based on that.. will return 0 or 1. In short.. if multi-player, return will always be 0. Meaning in multi-player you won't ever see the CheatManager. No idea what kind of cheats you'd be able to use with the console in MP or Co-Op, but yeah..

Bottom line is I will patch all those 5 occurrences with my "return 1" AFSDGameMode_AllowCheats function That makes it utterly global, so you won't need to worry about missing console cheating functionality in any game mode

[ Update #3 ]

Took a while, but.. done Soon, in a table near you..

BR,
Sun

[SunBeam]

One day's work turned into this: viewtopic.php?f=4&t=12022. Enjoy!

[zerbackle]

Not sure if this is the right place to ask, but looking for the location of the counter for "blank matrix cores" so I can edit my save and give myself a few extra. Any ideas?

[OmicronVega]

A BIG Tutorial

Thank you very much! I've only had limited time to check out DRG things this week. I'm very excited to dive into this asap!

I've updated the current DRG table to semi-former glory. Working with some cool kids in the Discord channel to get the table back in working order. Hopefully we will be back on top with this information!

If anyone wants to see if there are updates for any other games we work on check out the github here:
[Link]

[michaelanglo.l]

the hot fix destroyed the 'unlimited minigun ammo' , and could you please write for the recoil?

[OmicronVega]

Update 29 Hotfix 7 - Table repaired to last week's quality.