Far Cry 5 Megathread - EAC Bypass & Table Compilation

[Zozinhu]

Is it possible to freeze time for timed missions? Like the races.

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[craftyjazz]

Hi all

First let me say thank you so much for the work done here! This is the first time I tinkered with cheat engine and your tips and work to get it enabled are amazing!

I wanted to ask for some help - not sure if this is the right place but it seems to be where everyone is talking about fc5 stuff.

I wanted to reduce the RP gain overall but my assembler knowledge is basically non-existant. I have had a little google but there is plenty more for me to learn so I thought I would try get some pointers from you wizards.

I have managed to freeze the RP by NOP-ing the instructions that write it into the pointer(?). Tested this for Jacob and Faith regions. Confirmed working as I did a whole bunch of missions having frozen my RP at 625(faith) and triggered no cutscenes or anything.
I then shut down cheat engine and restarted the game and continued doing missions - my RP climbed as expected and triggered the cutscene at the correct time.

What I would really like to do is reduce the RP gain. So I ran some scans of increased value as I completed RP gain tasks and narrowed down the following:

Spoiler

7FF8551BCEE0 - 48 01 F9 - add rcx,rdi
7FF8551BCEE3 - 48 89 0C 03 - mov [rbx+rax],rcx <<

rcx = current RP
rdi = incoming 50 RP from killed VIP

This is where I need some help - I don't know how to modify the value of rdi (e.g. x 0.5) I have generated the code injection but I honestly don't know what to write in there.

I used what I found on wikipedia:

Spoiler

newmem:
mov eax,rdi
mov ecx,2
div ecx
add rcx,eax
mov [rbx+rax],rcx

originalcode:
add rcx,rdi
mov [rbx+rax],rcx

But this kills my game when I inject it.

Any help would be greatly appreciated!

[jungletek]

Hi all

First let me say thank you so much for the work done here! This is the first time I tinkered with cheat engine and your tips and work to get it enabled are amazing!

I wanted to ask for some help - not sure if this is the right place but it seems to be where everyone is talking about fc5 stuff.

I wanted to reduce the RP gain overall but my assembler knowledge is basically non-existant. I have had a little google but there is plenty more for me to learn so I thought I would try get some pointers from you wizards.

I have managed to freeze the RP by NOP-ing the instructions that write it into the pointer(?). Tested this for Jacob and Faith regions. Confirmed working as I did a whole bunch of missions having frozen my RP at 625(faith) and triggered no cutscenes or anything.
I then shut down cheat engine and restarted the game and continued doing missions - my RP climbed as expected and triggered the cutscene at the correct time.

What I would really like to do is reduce the RP gain. So I ran some scans of increased value as I completed RP gain tasks and narrowed down the following:

Spoiler

7FF8551BCEE0 - 48 01 F9 - add rcx,rdi
7FF8551BCEE3 - 48 89 0C 03 - mov [rbx+rax],rcx <<

rcx = current RP
rdi = incoming 50 RP from killed VIP

This is where I need some help - I don't know how to modify the value of rdi (e.g. x 0.5) I have generated the code injection but I honestly don't know what to write in there.

I used what I found on wikipedia:

Spoiler

newmem:
mov eax,rdi
mov ecx,2
div ecx
add rcx,eax
mov [rbx+rax],rcx

originalcode:
add rcx,rdi
mov [rbx+rax],rcx

But this kills my game when I inject it.

Any help would be greatly appreciated!

If you're using eax and ecx, what's in them when you're overwriting their value? Chances are you're nuking some value(s) there which is probably causing the crash. PUSH the register first to save the value, then POP it after you're done with it to restore the PUSH'ed value. Also keep in mind that PUSH/POP is "last in, first out", i.e. if you PUSH more than one value, you have to POP the most recently PUSH'ed one first (it PUSHes the value to the stack, so if you POP in the wrong order, you'll get the wrong value back).

Alternately just MOV a value directly into rdi. If it's a float, you could do: mov rdi,(float)0.5

Also just be aware that you're mixing 32-bit and 64-bit registers there, i.e. rax is the 64-bit eax.

[SunBeam]

Sorry, but gamehacking is sometimes requiring you to just spend time fucking studying ASM. Got no time? Well, boo-fucking-hoo.

[UltimatePoto42]

Hi all

First let me say thank you so much for the work done here! This is the first time I tinkered with cheat engine and your tips and work to get it enabled are amazing!

I wanted to ask for some help - not sure if this is the right place but it seems to be where everyone is talking about fc5 stuff.

I wanted to reduce the RP gain overall but my assembler knowledge is basically non-existant. I have had a little google but there is plenty more for me to learn so I thought I would try get some pointers from you wizards.

I have managed to freeze the RP by NOP-ing the instructions that write it into the pointer(?). Tested this for Jacob and Faith regions. Confirmed working as I did a whole bunch of missions having frozen my RP at 625(faith) and triggered no cutscenes or anything.
I then shut down cheat engine and restarted the game and continued doing missions - my RP climbed as expected and triggered the cutscene at the correct time.

What I would really like to do is reduce the RP gain. So I ran some scans of increased value as I completed RP gain tasks and narrowed down the following:

Spoiler

7FF8551BCEE0 - 48 01 F9 - add rcx,rdi
7FF8551BCEE3 - 48 89 0C 03 - mov [rbx+rax],rcx <<

rcx = current RP
rdi = incoming 50 RP from killed VIP

This is where I need some help - I don't know how to modify the value of rdi (e.g. x 0.5) I have generated the code injection but I honestly don't know what to write in there.

I used what I found on wikipedia:

Spoiler

newmem:
mov eax,rdi
mov ecx,2
div ecx
add rcx,eax
mov [rbx+rax],rcx

originalcode:
add rcx,rdi
mov [rbx+rax],rcx

But this kills my game when I inject it.

Any help would be greatly appreciated!

Code: Select all

newmem:
mov eax,rdi  //// here you are changing RAX as well (EAX is 32 bits of RAX).
mov ecx,2
div ecx
add rcx,eax
mov [rbx+rax],rcx //// here the address then becomes RBX+RDI/2 which is most likely why it crashes).

originalcode:
add rcx,rdi  //// then you would add it again, if it didn't crash, so the divide by 2 would get canceled out any way.
//// You would end up with 1.5x the value
mov [rbx+rax],rcx

I like to use floats and convert.

Code: Select all

newmem:
	movaps [xmmStore],xmm0 //// Store xmm0
	cvtsi2ss xmm0,rdi //// convert int in RDI to float and store in xmm0
	mulss xmm0,[myMultiplier] //// multiply
	cvtss2si rdi,xmm0 //// convert float in xmm0 to int and store in RDI
	movaps xmm0,[xmmStore] //// restore xmm0
	originalcode:
		add rcx,rdi
		mov [rbx+rax],rcx
		// ...
		jmp returnhere //// the stuff below needs to be after the return jump.
	label(myMultiplier)
	registerSymbol(myMultiplier) //// this isn't required but will allow you to add it as an address to the table to change on the fly.
	align 10 CC //// this just makes it look nicer in the memory viewer.
	myMultiplier:
		dd (float)0.5
	label(xmmStore)
	align 10  //// align so you can use aligned moves.
	xmmStore:
		dd 0
		dd 0
		dd 0
		dd 0

[craftyjazz]

Hi all thanks for the assists! (Sorry if my terminology usage is abysmal... definite beginner!)
@Sunbeam
Thanks for the encouragement
I would say that I have no time but then if I have time to play the game anyway...
I'll start hello worlding myself on ASM

@jungletek
Thanks for the info/suggestions! I think I probably need to take it back to basics and understand exactly what I'm modifying as I can't answer your question sufficiently - I have no idea what is in these values (registers?) before I start writing to them. I'm looking a little too closed box around what I identified as part where the solution could lie.
I guess you are suggesting I should create(PUSH) my own registers to store the values, do the math and add to rcx and pop them off again.
Or alternatively MOV directly into RDI would already multiply the value by the float that is MOV in?

I'll try to get better understanding and give it a go!

@ShyTwig16
Thanks, you got me I clearly have no idea of what EAX, RAX etc mean. In my head that does not have any ASM knowledge, they are like properties I would use in higher level languages. Somehow I'm also assuming I can do what I want with them with no net effect which as I type that sounds ridiculous.
Also I made a stupid assumption that newmem: was defining some kind of procedure... rather than a label. Of course therefore executing the add and mov twice!
Thanks for the operation examples will start understanding these when I get chance.

Just another probably stupid question to you all - When I hit the Execute button on the Auto assembler - does this actually try and execute the instructions straight away? Or does it inject so that they will be executed next time the "originalcode" would have been executed?

I'll not post any more questions in this thread as I guess this is not so FC5 specific any more...

Thanks all!

[UltimatePoto42]

...
Just another probably stupid question to you all - When I hit the Execute button on the Auto assembler - does this actually try and execute the instructions straight away? Or does it inject so that they will be executed next time the "originalcode" would have been executed?

I'll not post any more questions in this thread as I guess this is not so FC5 specific any more...

Thanks all!

Any injected code runs on the games thread so to run it you have to get the original code to execute, with the exception of you creating a thread your self.

No worries but if you do have any more questions you should start posting in the General Gamehacking section, so you don't take over the FC5 thread. Plus making it easier for others to find if they have the same question.

[Rubyelf]

The Oxygen/1 hit kill does not work for me right now

Yea I know... I'm working on it I'm not a pro.

EDIT:

Here is a new table (I added all the scripts & pointers)

When I have time I'll try to see if I can make it more user friendly with one enable instead of 2.
Also I'm currently checking if it is possible to indicate if the NPC is an enemy or a friend.
For now 1 Hit kills everything in 1 Hit except the player.

EDIT2:
Wildlife seem to be unaffected from the 1-hit script. Will look on that later.

Your pointers dont appear to be working

[bonzay0]

The Oxygen/1 hit kill does not work for me right now

Yea I know... I'm working on it I'm not a pro.

EDIT:

Here is a new table (I added all the scripts & pointers)

When I have time I'll try to see if I can make it more user friendly with one enable instead of 2.
Also I'm currently checking if it is possible to indicate if the NPC is an enemy or a friend.
For now 1 Hit kills everything in 1 Hit except the player.

EDIT2:
Wildlife seem to be unaffected from the 1-hit script. Will look on that later.

Your pointers dont appear to be working

Are you playing in 1.2? or 1.4?

I can't edit correctly my previous post for some weird reason...
There are 3 tables there: the lowest one is for 1.2
the top one is for 1.4
the middle one is a mistake table (can't delete it...)

I can only support the 1.4 one so if you have issues with the 1.4 do tell me what doesn't work.

[craftyjazz]

@ShyTwig16
Thanks so much for your help
Registering the symbol so that the value can be modified is a great idea

After a bit of debugging I found the instruction that was calculating the new RP gain value and following your example it's now working!

RP Gain modifier table attached. Modifies the RP gain for all family members by the factor RP Gain Multiplier.

Thanks again!

[TimFun13]

...

Now you just need to look into AOB scripts/injections, so your scripts will be more likely to work after a update.

[craftyjazz]

Will do now!

[mflvs]

Will do now!

Thanks for the RP code, was working on it myself but got stuck due to it crashing whenever i wrote the value.

Went to use the code, for but for some reason on mine it was:
lea r13d,[rbx+r8], instead of lea r13d,[r8+rbx], so i changed the code around a bit

i have the code written with an aob, will post below.

Thanks again
also thanks ShyTwig16 i will probally use floats and converts myself in the future

[TimFun13]

...

For your script to use the AOB that's found, you need to change the address to the AOB symbol in the enable section:

Code: Select all

[ENABLE]
// ...
alloc(RPMult,$1000,rpGainAOB) //// change this as well // "FC_m64.dll"+167175B)
// ...
// "FC_m64.dll"+167175B:
rpGainAOB:
jmp RPMult
nop
nop
returnhere:
// ...

...
Went to use the code, for but for some reason on mine it was:
lea r13d,[rbx+r8], instead of lea r13d,[r8+rbx], so i changed the code around a bit
...

You can use wildcards in the AOB and [Link] or [Link] to get around this kinda thing.

Code: Select all

[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat

aobscanmodule(rpGainAOB,FC_m64.dll,46 xx xx xx 48 8B CF)
//// You'll most likelly need to extend the AOB to make it unique.
alloc(RPMult,$1000,rpGainAOB) //// change this as well // "FC_m64.dll"+167175B)

label(returnhere)
label(originalcode)
label(rpGainMultiplier)
label(exit)

RPMult:
movaps [xmmStore],xmm0 //// Store xmm0
cvtsi2ss xmm0,r8 //// convert int in RBX to float and store in xmm0
mulss xmm0,[rpGainMultiplier] //// multiply
cvtss2si r8,xmm0 //// convert float in xmm0 to int and store in RBX
movaps xmm0,[xmmStore] //// restore xmm0

originalcode:
readMem(rpGainAOB, 4)
mov rcx,rdi

exit:
jmp returnhere

align 10 CC //// this just makes it look nicer in the memory viewer.
rpGainMultiplier:
dd (float)0.5
label(xmmStore)
align 10  //// align so you can use aligned moves.
xmmStore:
	dd 0
	dd 0
	dd 0
	dd 0
label(rpGainStoredCode)
registerSymbol(rpGainStoredCode)
rpGainStoredCode:
	readMem(rpGainAOB, 4)  //// Store the original code for disabling
	
// "FC_m64.dll"+167175B:
rpGainAOB:
jmp RPMult
nop
nop
returnhere:
registersymbol(rpGainAOB)
registerSymbol(rpGainMultiplier) //// Register as symbol, to allow quick access
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
// "FC_m64.dll"+167175B:
rpGainAOB:
  readMem(rpGainStoredCode, 4) //// Restore original code
  db 48 8B CF
unregistersymbol(rpGainAOB)
unregisterSymbol(rpGainStoredCode)
dealloc(RPMult)

EDIT:
Added more comments.
Changed "alloc"s "close to address" to the AOB symbol.

[mflvs]

Thanks , will take this into consideration when i do more aob's