S7A599D4 wrote: Mon Dec 17, 2018 4:20 pm
predprey wrote: Sat Dec 15, 2018 10:42 pm
Updated scripts in Squall8's table that require StealthEdit. Bypasses integrity check crashes by recalculating valid hashes. Should work on both the CODEX and STEAM versions, more importantly the former because StealthEdit is in conflict with CODEX's routines.
There may be a really small chance an integrity check triggers while activating the script before the hash has been updated. To prevent crashing due to this, pause the game process using CE before activation and deactivation of any scripts.
Note to table makers:
1. To list all hashed blocks, their offsets and their size, use the Lua script below:
Code:
    -- hashTable is filled in by the [ENABLE] section of the rehash script
    for i = 1, #hashTable do
      print("Block " .. i)
      print(string.format("Hash Addr: %X", hashTable[i].offset))
      print(string.format("Block Start: %X", hashTable[i].blkStart))
      print(string.format("Block End: %X\r\n", hashTable[i].blkStart + hashTable[i].blkSize))
    end
2. rehashHelper(...) can be used for searching all affected checksums instead of manually hard coding them in the rehash function, but hook points must all be registered as symbols and must not be unregistered on deactivation. Pass all symbols into the function, e.g. rehashHelper("infitemuse1","infitemuse2")
Thanks to @ShyTwig16 for the [Link] module
Good work!
But it seems there are 2 mismatched hash entries though. Maybe there is an error in the hash computation?
Code:
1: Start=1000 Size=1BA00 Hash=8601AC750769C6D4 True Hash=912B85E67BB2996D [Hash Mismatch]
2: Start=1A75440 Size=2A53A0 Hash=8197BD3B7B070026 True Hash=8197BD3B7B070026
3: Start=2A55000 Size=E64C00 Hash=990E1F06B99A6D7B True Hash=D9E856DBD1A205A3 [Hash Mismatch]
4: Start=1539D0 Size=1529D0 Hash=2991739987733EA9 True Hash=2991739987733EA9
5: Start=2A63A0 Size=1529D0 Hash=AF176EBF4BA3162A True Hash=AF176EBF4BA3162A
6: Start=3F8D70 Size=1529D0 Hash=4F74744C83EE089C True Hash=4F74744C83EE089C
7: Start=54B740 Size=1529D0 Hash=20BFEE325C7E14E1 True Hash=20BFEE325C7E14E1
8: Start=69E110 Size=1529D0 Hash=E963D02507BDB190 True Hash=E963D02507BDB190
9: Start=7F0AE0 Size=1529D0 Hash=F6D4A50C8C66B2A7 True Hash=F6D4A50C8C66B2A7
A: Start=9434B0 Size=1529D0 Hash=E0529FC38646FEE4 True Hash=E0529FC38646FEE4
B: Start=A95E80 Size=1529D0 Hash=C136D24B6C3749D True Hash=C136D24B6C3749D
C: Start=BE8850 Size=1529D0 Hash=232A018B358D2AD6 True Hash=232A018B358D2AD6
D: Start=D3B220 Size=1529D0 Hash=E4642D2C781A51AA True Hash=E4642D2C781A51AA
E: Start=E8DBF0 Size=1529D0 Hash=66BF7A99D8C1032E True Hash=66BF7A99D8C1032E
F: Start=FE05C0 Size=1529D0 Hash=D08855A2D123FC2B True Hash=D08855A2D123FC2B
10: Start=1132F90 Size=1529D0 Hash=90E8C0559631C577 True Hash=90E8C0559631C577
11: Start=1285960 Size=1529D0 Hash=87BE054A7B358E80 True Hash=87BE054A7B358E80
12: Start=13D8330 Size=1529D0 Hash=D5011A630AA592C4 True Hash=D5011A630AA592C4
13: Start=152AD00 Size=1529D0 Hash=A16F4C9FBDDBB70E True Hash=A16F4C9FBDDBB70E
14: Start=167D6D0 Size=1529D0 Hash=8CCF9739F1EC3E5B True Hash=8CCF9739F1EC3E5B
15: Start=17D00A0 Size=1529D0 Hash=5AB1754B1CD382C4 True Hash=5AB1754B1CD382C4
16: Start=1922A70 Size=1529D0 Hash=AFA1EF3444E15952 True Hash=AFA1EF3444E15952
17: Start=1A75440 Size=1529D0 Hash=8950277713E204D7 True Hash=8950277713E204D7
18: Start=1BC7E10 Size=1529D0 Hash=308BA04CFDB299B9 True Hash=308BA04CFDB299B9
19: Start=1D1A7E0 Size=1529D0 Hash=E25DD0C3224DFD29 True Hash=E25DD0C3224DFD29
1A: Start=1E6D1B0 Size=1529D0 Hash=DA7AC255AE656DE3 True Hash=DA7AC255AE656DE3
1B: Start=1FBFB80 Size=1529D0 Hash=8C8D0196C6AE4E6A True Hash=8C8D0196C6AE4E6A
1C: Start=2112550 Size=1529D0 Hash=E44BE51515A605B5 True Hash=E44BE51515A605B5
1D: Start=2264F20 Size=1529D0 Hash=D4C14B8A1238D731 True Hash=D4C14B8A1238D731
1E: Start=23B78F0 Size=1529D0 Hash=F598F0B2FB2A9CB8 True Hash=F598F0B2FB2A9CB8
1F: Start=250A2C0 Size=1529D0 Hash=CD5F19321A419664 True Hash=CD5F19321A419664
20: Start=265CC90 Size=1529D0 Hash=39DD4EF982E51627 True Hash=39DD4EF982E51627
21: Start=27AF660 Size=1529D0 Hash=B97921451503F8AE True Hash=B97921451503F8AE
22: Start=2902030 Size=1529D0 Hash=99668F26DD0328A6 True Hash=99668F26DD0328A6
23: Start=1000 Size=1529D0 Hash=2B5A94F9AFF3262 True Hash=2B5A94F9AFF3262
Code:
[ENABLE]
{$lua}
if syntaxcheck then return end

-- Recompute the 64-bit hash of one block: XOR each dword into the state,
-- then rotate the state right by one bit (the bit juggling below is the
-- game's own way of expressing that rotate).
function computeHash(hashBlock)
  local initVector = 0x10AB36B6C49A6F8E
  local startAddr = baseAddr + hashBlock.blkStart
  local inDWord
  local hash = initVector
  local LSFBit
  for i = 0, (hashBlock.blkSize // 4) - 1 do    -- integer division: one dword per step
    inDWord = readInteger(startAddr + i * 4)
    hash = ((hash | inDWord) & ~(hash & inDWord))  -- (a|b) & ~(a&b) is a XOR b
    LSFBit = (~hash + 1) & 1                       -- low bit of the XOR result
    if (hash >> 63) == 0 then
      hash = hash & ~1
    else
      hash = hash | 1
    end
    hash = (hash >> 1) | (hash << 63)              -- rotate right by one bit
    hash = ~(~hash | 0x8000000000000000)           -- clear the top bit ...
    hash = hash | (0x8000000000000000 * LSFBit)    -- ... and set it from the saved low bit
  end
  return hash
end

baseAddr = getAddress("MonsterHunterWorld.exe")
if baseAddr == 0 then
  messageDialog("Attach to game process first!", mtError, mbOK)
  error()
end

-- Walk the list of hash records (each record: +0x00 stored hash, +0x08 block
-- start, +0x10 block size, +0x38 offset of the next record) and recompute
-- every block, flagging records whose stored hash does not match.
hashTable = {}
local curOffset = 0x2E25690
local i = 1
fullAccess(baseAddr + curOffset, 0x1190)
while true do
  local nextOffset = readQword(baseAddr + curOffset + 0x38)
  local hash = readQword(baseAddr + curOffset + 0x0)
  local start = readQword(baseAddr + curOffset + 0x08)
  local size = readQword(baseAddr + curOffset + 0x10)
  hashTable[i] = {}
  hashTable[i].offset = curOffset
  hashTable[i].blkStart = start
  hashTable[i].blkSize = size
  local trueHash = computeHash(hashTable[i])
  local str = string.format("%X:\tStart=%X\tSize=%X\tHash=%X\tTrue Hash=%X", i, start, size, hash, trueHash)
  if (hash ~= trueHash) then
    str = str .. "\t[Hash Mismatch]"
  end
  print(str)
  i = i + 1
  if nextOffset < curOffset then
    break  -- the list points back to an earlier record: end of the list
  else
    curOffset = nextOffset
  end
end
[DISABLE]
{$lua}
if syntaxcheck then return end
Yeah, I know about that, and I did look into it before. If I am right, the memory block containing all the hashes is checked by hash 3, but there are some skips here and there; probably the hashes themselves are skipped. But there is also some peculiarity about the hashing algorithm in that, because it is ORing the bytes read in, some values will reset the hash, forgoing any traces of previous bytes hashed, e.g. 0xFFFFFFFF or 0xCCCCCCCC. So it might be because the hashes themselves were checked and then the hash got reset. Anyway, it doesn't seem like changing the other hashes affected hash number 3, but if you want to calculate out hash 3, use 0xD3C78A32441B92D9 as the initialization vector, 0x2E26820 as the starting offset, and 0xA933E0 as the size.
EDIT: I wouldn't exactly call them skips, but the hashing routines for that entire block are split up separately, so before 0x2E26820 is somewhere and after is elsewhere. The routine after is still the same, but I didn't bother reversing the one before. I am 80% sure the block with the hashes is checked for integrity and, as I said, the hash probably got reset.
EDIT2: Ok, I looked into it some more; the hash metadata themselves are skipped. Block 3 still uses the initialization vector of 0x10AB36B6C49A6F8E, starts hashing from +0x2A55D30 until +0x2E25690 where the first hash metadata starts. Then it hashes the 0x10 bytes at +0x2E25810 "steam_api64.dll." then skips the remaining metadata. The hash at this stage will be the 0xD3C78A32441B92D9 above. It then continues hashing from +0x2E26820.
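As an added reference implementation (not code from this thread or from any cheat table), here is the block hash from the Lua script above re-expressed in Python, so a table maker can cross-check a "True Hash" value against an independently hashed copy of a block without CE in the loop. It assumes each 4-byte word is read as an unsigned little-endian dword; CE's readInteger may return a signed value, and a sign-extended negative word would change the upper 32 bits of the state, so that is the first thing to check when a recomputed hash disagrees. The sample input is a constructed 16-byte buffer (the string "steam_api64.dll." quoted in the last edit), not a dump from the game.

```python
"""Reference implementation of the posted 64-bit block hash (added example).

Assumptions (not confirmed by the thread): words are unsigned little-endian
dwords, and the block length is a multiple of 4 bytes.
"""
import struct

MASK64 = (1 << 64) - 1
INIT_VECTOR = 0x10AB36B6C49A6F8E  # initialisation vector quoted in the thread


def ror64(x, n):
    """Rotate a 64-bit value right by n bits."""
    n %= 64
    return ((x >> n) | (x << (64 - n))) & MASK64


def hash_step_literal(h, dword):
    """One iteration exactly as the Lua script spells it out."""
    h = ((h | dword) & ~(h & dword)) & MASK64       # (a|b) & ~(a&b) is XOR
    lsb = ((~h + 1) & MASK64) & 1                   # low bit of the XOR result
    if (h >> 63) == 0:
        h &= ~1 & MASK64
    else:
        h |= 1
    h = ((h >> 1) | (h << 63)) & MASK64             # rotate right by one
    h = (~(~h | 0x8000000000000000)) & MASK64       # clear the top bit ...
    h |= 0x8000000000000000 * lsb                   # ... and set it from lsb
    return h & MASK64


def hash_step_simplified(h, dword):
    """The same iteration reduced: XOR the word in, rotate right by one bit."""
    return ror64(h ^ dword, 1)


def block_hash(data, iv=INIT_VECTOR, step=hash_step_literal):
    """Hash a block of bytes the way the game's integrity check does."""
    if len(data) % 4:
        raise ValueError("block length must be a multiple of 4 bytes")
    h = iv
    for (dword,) in struct.iter_unpack("<I", data):
        h = step(h, dword)
    return h


def block_hash_closed_form(data, iv=INIT_VECTOR):
    """Closed form of the same hash: because every step is XOR-then-rotate,
    the result is ror(iv, n) XOR ror(word_i, n - i) over all n words."""
    words = [w for (w,) in struct.iter_unpack("<I", data)]
    n = len(words)
    h = ror64(iv, n)
    for i, w in enumerate(words):
        h ^= ror64(w, n - i)
    return h


if __name__ == "__main__":
    # Constructed sample block: the 16 bytes the thread says get hashed after
    # the first hash record. Real blocks are read from the process instead.
    sample = b"steam_api64.dll."
    print("literal    : %016X" % block_hash(sample))
    print("simplified : %016X" % block_hash(sample, step=hash_step_simplified))
    print("closed form: %016X" % block_hash_closed_form(sample))
    tampered = bytearray(sample)
    tampered[5] ^= 0x01  # flip one bit in the block
    print("tampered   : %016X" % block_hash(bytes(tampered)))
```

The three functions agree on every input, which is the point of the closed form: each step is a XOR followed by a one-bit rotate, so the stored value is a checksum against accidental corruption rather than a keyed MAC, and anyone holding the block contents and the IV can reproduce it. When a "True Hash" from the Lua script disagrees with this implementation on the same bytes, compare the two step functions word by word; a signed readInteger result is the likeliest cause.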