Prey (2017)+Mooncrash DLC

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Post by SunBeam »

Almost all game values are FLOATS. Search for unknown, changed, increased, not changed. Freeze remaining set of addresses and see which one increases as the bar progresses. Debug it, find the executable code that makes it change, hook or NOP and voila.



P.S.: That shit with the FreeCam/Teleporter came as a necessity. I tried my way to jump on some ledge and got stuck between a rock and a wall T_T Imagine my dismay having to start all over. Nuh-uh! FreeCam + teleported my way out :P
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 1 time in total.

Nudels
Noobzor
Posts: 5
Joined: Wed Apr 11, 2018 12:09 am
Reputation: 0

Post by Nudels »

[IMG]https://nrw-tracker.eu/pic/smilies/laugh1.gif[/IMG] [IMG]https://nrw-tracker.eu/pic/smilies/good.gif[/IMG]



ps: there is an item shaped like an hourglass and it turns some time back of that timer but only at the current level of destruction, but with that it should be easier to find the address increased - decreased you know :D
Last edited by Nudels on Thu Jan 01, 1970 12:00 am, edited 1 time in total.

colorfinger
Noobzor
Posts: 7
Joined: Thu Jun 14, 2018 7:00 pm
Reputation: 0

Post by colorfinger »

Super impressed with your work SunBeam! Thank you so much for doing this. I was relying on your 1.04 table until they updated the damn thing to 1.06 haha



I see the latest table you posted says "not fixed yet" for the base game. Is that still on your radar to fix that too? (Hopefully? :) )

kirby59
Expert Cheater
Posts: 83
Joined: Sat Aug 19, 2017 8:36 am
Reputation: 9

Post by kirby59 »

[QUOTE="SunBeam, post: 49305, member: 12587"]Added [B]Infinite PSI[/B].[/QUOTE]

Only God mode and Infinite Ammo work; the other options don't work, at least for me.

[QUOTE="Nudels, post: 49383, member: 15397"][IMG]https://nrw-tracker.eu/pic/smilies/laugh1.gif[/IMG] [IMG]https://nrw-tracker.eu/pic/smilies/good.gif[/IMG]



ps: there is an item shaped like an hourglass and it turns some time back of that timer but only at the current level of destruction, but with that it should be easier to find the address increased - decreased you know :D[/QUOTE]

The timer of destruction is really annoying.

Nudels
Noobzor
Posts: 5
Joined: Wed Apr 11, 2018 12:09 am
Reputation: 0

Post by Nudels »

yes REALLY annoying. my solution - set hourglass item to turn back time to 50 and freeze ( everything in the inventory is in 4byte ;) )

p.s. : tried to find the address of the timer but I think I'm too stupid ^^ ... so for now I'm stuck on destruction level 3

Offor
Noobzor
Posts: 14
Joined: Tue May 29, 2018 10:26 am
Reputation: 4

Post by Offor »

[QUOTE="SunBeam, post: 49371, member: 12587"]Want this? :p



[MEDIA=youtube]f-Mu8mS44xE[/MEDIA]



BR,

Sun[/QUOTE]

Wouldn't mind having that just to complete some quests to unlock near characters.

colorfinger
Noobzor
Posts: 7
Joined: Thu Jun 14, 2018 7:00 pm
Reputation: 0

Post by colorfinger »

[QUOTE="Nudels, post: 49410, member: 15397"]yes REALLY annoying. my solution - set hourglass item to turn back time to 50 and freeze ( everything in the inventory is in 4byte ;) )

p.s. : tried to find the address of the timer but I think I'm too stupid ^^ ... so for now I'm stuck on destruction level 3[/QUOTE]



The timer's a float. If you search for an "unknown initial value" then wait and search for "value increased" a few times, then use one of the hourglass objects to set it back, search for "value decreased" etc. you'll find it. Then you can just freeze it at 0. I am not good enough at CE to know how to set a pointer so that I can reliably find it every time, but that will get you to the current address at least.

ReversUp
What is cheating?
Posts: 3
Joined: Tue Jun 12, 2018 5:46 am
Reputation: 0

Post by ReversUp »

To freeze corruption at level 1 you can modify "No corruption timer and Higher difficulty" from nexus.



Since apk was decrypted just open it with archiver, find DoomClock.xml and modify it (I've made PreIncrement="0" for all levels).

Works well for me, no more corruption progress.
Last edited by ReversUp on Thu Jan 01, 1970 12:00 am, edited 2 times in total.

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Post by SunBeam »

This is what I got for corruption:



[code]
PreyDll.dll+11CB5E0 - 40 57 - push rdi
PreyDll.dll+11CB5E2 - 48 81 EC A0000000 - sub rsp,000000A0 { 160 }
PreyDll.dll+11CB5E9 - 0F29 B4 24 90000000 - movaps [rsp+00000090],xmm6
PreyDll.dll+11CB5F1 - 48 8B F9 - mov rdi,rcx
PreyDll.dll+11CB5F4 - 0F28 F1 - movaps xmm6,xmm1
PreyDll.dll+11CB5F7 - E8 E42F4D00 - call PreyDll.dll+169E5E0
PreyDll.dll+11CB5FC - 80 7F 08 00 - cmp byte ptr [rdi+08],00 { 0 }
PreyDll.dll+11CB600 - 0F84 DA010000 - je PreyDll.dll+11CB7E0
PreyDll.dll+11CB606 - 8B 57 18 - mov edx,[rdi+18]
PreyDll.dll+11CB609 - 39 57 10 - cmp [rdi+10],edx
PreyDll.dll+11CB60C - 0F8D CE010000 - jnl PreyDll.dll+11CB7E0
PreyDll.dll+11CB612 - 48 85 C0 - test rax,rax
PreyDll.dll+11CB615 - 0F84 C5010000 - je PreyDll.dll+11CB7E0
PreyDll.dll+11CB61B - 83 B8 900B0000 00 - cmp dword ptr [rax+00000B90],00 { 0 } <-- CVar
PreyDll.dll+11CB622 - 0F85 B8010000 - jne PreyDll.dll+11CB7E0
PreyDll.dll+11CB628 - 80 7F 78 00 - cmp byte ptr [rdi+78],00 { 0 }
PreyDll.dll+11CB62C - F3 0F58 77 0C - addss xmm6,dword ptr [rdi+0C] <-- adds to timer
PreyDll.dll+11CB631 - F3 0F5D 77 7C - minss xmm6,[rdi+7C]
PreyDll.dll+11CB636 - F3 0F11 77 0C - movss [rdi+0C],xmm6
PreyDll.dll+11CB63B - 0F85 6F010000 - jne PreyDll.dll+11CB7B0
PreyDll.dll+11CB641 - F3 0F10 47 7C - movss xmm0,[rdi+7C]
PreyDll.dll+11CB646 - F3 0F5C C6 - subss xmm0,xmm6
PreyDll.dll+11CB64A - 0F2F 87 80000000 - comiss xmm0,[rdi+00000080]
PreyDll.dll+11CB651 - 0F87 59010000 - ja PreyDll.dll+11CB7B0[/code]





There's a [B]CVar[/B] for it (cmp dword ptr [rax+00000B90],00) that if set to 1, freezes the timer (won't increase). Found the timer with unknown, increase (as Float). Then used an hourglass to decrease it and scanned for that.



EDIT: On a closer look, that 0xB90 offset is in [I]ArkPlayer[/I] structure, not a CVar. Anyway, set it to 1 :p



Another check is done here:



[code]
PreyDll.dll+17866A5 - 48 8B 05 D4095B01 - mov rax,[PreyDll.dll+2D37080] { [7FFEB0511C90] } <-- pointer
PreyDll.dll+17866AC - 48 8B 98 B8020000 - mov rbx,[rax+000002B8] <-- offset 1
PreyDll.dll+17866B3 - 48 8B CB - mov rcx,rbx
PreyDll.dll+17866B6 - E8 157A34FF - call PreyDll.dll+ACE0D0
PreyDll.dll+17866BB - 4C 8B A4 24 00020000 - mov r12,[rsp+00000200]
PreyDll.dll+17866C3 - 84 C0 - test al,al
PreyDll.dll+17866C5 - 0F84 19010000 - je PreyDll.dll+17867E4
PreyDll.dll+17866CB - F3 44 0F10 4B 7C - movss xmm9,[rbx+7C] <-- offset 2 (max timer)
PreyDll.dll+17866D1 - 45 0F2F C8 - comiss xmm9,xmm8
PreyDll.dll+17866D5 - 76 0C - jna PreyDll.dll+17866E3
PreyDll.dll+17866D7 - F3 0F10 7B 0C - movss xmm7,[rbx+0C] <-- offset 3 (current timer)
PreyDll.dll+17866DC - F3 41 0F5E F9 - divss xmm7,xmm9
PreyDll.dll+17866E1 - EB 04 - jmp PreyDll.dll+17866E7
PreyDll.dll+17866E3 - 41 0F28 F8 - movaps xmm7,xmm8
PreyDll.dll+17866E7 - 49 8D 8E 98020000 - lea rcx,[r14+00000298][/code]





So if you add it like this:



[IMG]https://i.imgur.com/NAdP3HO.png[/IMG]



You got your timer :)



This is what [B]800.0[/B] value looks like on my end:



[IMG]https://i.imgur.com/2kSNLcX.png[/IMG]



BR,

Sun



EDIT #2: Shit, setting DWORD to 1 will not allow you to move, as game thinks ArkPlayer is locked. Just change this from JNE to JMP:

[code]PreyDll.dll+11CB622 - 0F85 B8010000 - jne PreyDll.dll+11CB7E0[/code]
Last edited by SunBeam on Sun Jun 17, 2018 10:22 pm, edited 7 times in total.
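The two listings in the post above, modelled in C as an added example (not code from the original post or from the game). It walks the pointer chain from the second listing and reproduces the guarded `addss`/`minss`/`movss` update from the first, over buffers constructed inside the program. The function names, buffer sizes, the 1.5 s step and the 100.0 maximum are assumptions; only the offsets come from the listings.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets copied from the two listings above; everything else is constructed. */
enum { OFF_ACTIVE = 0x08, OFF_CUR = 0x0C, OFF_MAX = 0x7C,  /* timer object   */
       OFF_TIMER_PTR = 0x2B8,                               /* parent object  */
       OFF_LOCK = 0xB90 };                                  /* ArkPlayer flag */
static uint8_t g_slot[sizeof(void *)], g_parent[0x300], g_timer[0x100], g_player[0xC00];

static float rd_f32(const uint8_t *p) { float v; memcpy(&v, p, sizeof v); return v; }
static void wr_f32(uint8_t *p, float v) { memcpy(p, &v, sizeof v); }
static uint8_t *rd_ptr(const uint8_t *p) { uint8_t *v; memcpy(&v, p, sizeof v); return v; }

/* mov rax,[slot]; mov rbx,[rax+2B8]: two dereferences, then fixed field offsets. */
static uint8_t *resolve_timer(const uint8_t *slot) {
    uint8_t *parent = rd_ptr(slot);
    return parent ? rd_ptr(parent + OFF_TIMER_PTR) : NULL;
}

/* Simplified update: the [rdi+10]/[rdi+18] compare and the [rdi+78] branch are left out. */
static void tick(uint8_t *timer, const uint8_t *player, float dt) {
    uint32_t lock;
    if (timer[OFF_ACTIVE] == 0 || player == NULL) return;  /* cmp byte [rdi+08]; test rax,rax */
    memcpy(&lock, player + OFF_LOCK, sizeof lock);
    if (lock != 0) return;                                  /* cmp dword [rax+B90],0; jne */
    float t = rd_f32(timer + OFF_CUR) + dt;                 /* addss xmm6,[rdi+0C] */
    float max = rd_f32(timer + OFF_MAX);
    wr_f32(timer + OFF_CUR, t < max ? t : max);             /* minss + movss */
}

/* Build the constructed object graph, run `ticks` updates of 1.5 s, return the timer. */
static float simulate(uint32_t lock, float start, int ticks) {
    uint8_t *t = g_timer, *p = g_parent;
    memset(g_timer, 0, sizeof g_timer);
    g_timer[OFF_ACTIVE] = 1;
    wr_f32(g_timer + OFF_CUR, start);
    wr_f32(g_timer + OFF_MAX, 100.0f);                      /* constructed maximum */
    memcpy(g_parent + OFF_TIMER_PTR, &t, sizeof t);         /* parent+2B8 -> timer */
    memcpy(g_slot, &p, sizeof p);                           /* static slot -> parent */
    memcpy(g_player + OFF_LOCK, &lock, sizeof lock);
    uint8_t *timer = resolve_timer(g_slot);
    while (ticks-- > 0) tick(timer, g_player, 1.5f);
    return rd_f32(timer + OFF_CUR);
}

int main(void) {
    printf("%.1f %.1f %.1f\n", simulate(0, 0.0f, 4), simulate(1, 10.0f, 4), simulate(0, 98.0f, 4));
    return 0;
}
```

The three calls cover the normal advance, the case where the dword at +B90 is non-zero and the update is skipped, and the clamp at the maximum.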

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Post by SunBeam »

As far as unlimited money (or whatever the post-mission currency is called):



[code]PreyDll.dll+1497EB6 - 66 0F6E 48 68 - movd xmm1,[rax+68] <-- this is the cost of the item you wanna buy
PreyDll.dll+1497EBB - 0F5B C9 - cvtdq2ps xmm1,xmm1 <-- it's then transformed to float
PreyDll.dll+1497EBE - EB 08 - jmp PreyDll.dll+1497EC8
PreyDll.dll+1497EC0 - F3 0F10 0D 80468E00 - movss xmm1,[PreyDll.dll+1D7C548] { [340282346638528860000000000000000000000.00] }
PreyDll.dll+1497EC8 - 0F57 0D 213A8E00 - xorps xmm1,[PreyDll.dll+1D7B8F0] { [80000000] } <-- XORing it like so makes it negative
PreyDll.dll+1497ECF - 48 8B 4E 48 - mov rcx,[rsi+48]
PreyDll.dll+1497ED3 - E8 A8500000 - call PreyDll.dll+149CF80 <-- this is where it is written
PreyDll.dll+1497ED8 - 48 8B 4E 48 - mov rcx,[rsi+48]
PreyDll.dll+1497EDC - E8 3F810000 - call PreyDll.dll+14A0020
PreyDll.dll+1497EE1 - 48 8B 0D 70ABEC00 - mov rcx,[PreyDll.dll+2362A58] { [16155AE2410] }
PreyDll.dll+1497EE8 - 4C 8D 45 40 - lea r8,[rbp+40]
PreyDll.dll+1497EEC - 89 5D 40 - mov [rbp+40],ebx
PreyDll.dll+1497EEF - 48 8D 15 5276AA00 - lea rdx,[PreyDll.dll+1F3F548] { ["Play_UI_WL_ReadyRoom_Cart_Add"] }
..
..
PreyDll.dll+149CF80 - 48 83 B9 B8030000 00 - cmp qword ptr [rcx+000003B8],00 { 0 }
PreyDll.dll+149CF88 - F3 0F58 89 00040000 - addss xmm1,dword ptr [rcx+00000400] <-- rcx+400 is your money; addss to your amount something negative
PreyDll.dll+149CF90 - F3 0F11 89 00040000 - movss [rcx+00000400],xmm1 <-- refresh amount
PreyDll.dll+149CF98 - 0F85 82300000 - jne PreyDll.dll+14A0020
PreyDll.dll+149CF9E - C3 - ret[/code]





So, if you buy a Neuromod of value 3000, game gets that value as DWORD, converts it to FLOAT, then XORs it so it gets negative sign, then it's added (as negative) to your amount and stored back into your amount (subtracted, basically).
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 1 time in total.
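The arithmetic described in the post above, reproduced in C as an added example (not code from the original post or from the game): integer cost to float, sign bit toggled by XOR with 0x80000000, result added to a float balance. The function names and the balances are assumptions; 3000 is the Neuromod price quoted in the post. The last call goes beyond the post and shows a general property of single-precision floats, which cannot hold every integer above 2^24.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw IEEE-754 bit pattern of a float, as a debugger shows the XMM lane. */
static uint32_t f32_bits(float v) { uint32_t b; memcpy(&b, &v, sizeof b); return b; }

/* xorps xmm1,[80000000]: toggle the sign bit, leave exponent and mantissa alone. */
static float flip_sign(float v) {
    uint32_t b = f32_bits(v) ^ 0x80000000u;
    memcpy(&v, &b, sizeof v);
    return v;
}

/* movd + cvtdq2ps, xorps, then addss/movss on the balance field ([rcx+400]). */
static float purchase(float balance, int32_t cost) {
    float delta = flip_sign((float)cost);   /* integer cost -> float -> negated */
    return balance + delta;                 /* addss; the caller stores the sum */
}

int main(void) {
    /* Constructed balances; only the 3000 price appears in the post. */
    printf("%08X -> %08X\n", (unsigned)f32_bits(3000.0f),
           (unsigned)f32_bits(flip_sign(3000.0f)));
    printf("%.1f\n", purchase(5000.0f, 3000));
    /* Floats between 2^24 and 2^25 are spaced 2 apart, so subtracting 1
       from 20000000 rounds back to 20000000 and the balance does not move. */
    printf("%.1f\n", purchase(20000000.0f, 1));
    return 0;
}
```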

jackal1234
Cheater
Posts: 29
Joined: Wed Nov 01, 2017 4:28 pm
Reputation: 0

Post by jackal1234 »

thanks for all your work! infinite neuromod not working for engineer, while it worked for me using volunteer

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Post by SunBeam »

Am aware the CVar is not always retrieved. Will investigate why that happens. Else will just post the spots to hook so you can just do it yourselves :)

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Post by SunBeam »

Turns out [B]pl_infiniteNeuromods[/B] fails to work after the first transition once in-game. If you exit to main menu, then back in-game, it will work again.

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Post by SunBeam »

Here's my updated table:



[img]https://i.imgur.com/k4YpDIm.png[/img]



[U]Options/Hotkeys[/U]:
[LIST]
[*][B]Numpad 1[/B] - God Mode On/Off
[*][B]Numpad 2[/B] - Infinite Ammo On/Off
[*][B]Numpad 3[/B] - Infinite Stamina On/Off
[*][B]Numpad 4[/B] - Infinite Flashlight On/Off
[*][B]Numpad 5[/B] - Infinite Neuromods On/Off
[*][B]Numpad 6[/B] - Infinite PSI On/Off
[*][B]Numpad 7[/B] - FreeCam On
[*][B]Numpad 8[/B] - Corruption On/Off
[*][B]Numpad 9[/B] - FreeCam Off + Teleport to Cam position
[/LIST]

[U]Notes[/U]:
[LIST]
[*]don't touch anything you see in [I]gray[/I] color in the table; there's no need to (you have hotkeys)
[*]some of the above may need toggled off/on when transitioning to other areas than the first you've loaded from main menu; some CVars are not re-initialized, thus I had to improvise (e.g.: [I]pl_infiniteNeuromods[/I])
[*]regarding Infinite Neuromods, once On, you can use them on available powers without the need to have X points; if power is enabled, you can buy it right away
[*]regarding FreeCam, once enabled, you will see you can fly around; can't yet fix the movement speed (will figure a way), thus move carefully, pressing slowly on WASD :)
[*]all table options come with both visual and sound notifications; hotkeys can be changed as you see fit
[/LIST]

[U]Demo[/U]:



[MEDIA=youtube]FWA0GuIcTq8[/MEDIA]



BR,

Sun
Last edited by SunBeam on Thu Jan 01, 1970 12:00 am, edited 1 time in total.

colorfinger
Noobzor
Posts: 7
Joined: Thu Jun 14, 2018 7:00 pm
Reputation: 0

Post by colorfinger »

[QUOTE="SunBeam, post: 49736, member: 12587"]Here's my updated table:





BR,

Sun[/QUOTE]



Absolutely outstanding work again. I wish I understood how you did this. I'm amazed.



Would it be relatively easy to port this back to the main game now that you've figured all this out? Is there anything any of us can do to help?
Last edited by colorfinger on Thu Jan 01, 1970 12:00 am, edited 1 time in total.
