Far Cry: New Dawn [Engine:Dunia Engine 2]

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 6:24 am

[ 19.02.2019 - Update #7]


[+] Added Disable 'Out Of Bounds' Check script. Now you can walk past the map's boundaries :)

Download: FarCryNewDawn.CT (Update #7, 60.79 KiB, downloaded 5777 times)

BR,
Sun

[ 19.02.2019 - Update #6]

[+] Several fixes.

Download: FarCryNewDawn.CT (Update #6, 60.08 KiB, downloaded 557 times)

BR,
Sun

[ 19.02.2019 - Update #5]


[+] Added Super Speed script (with a conditional for grappling hook; annoying, right?)
  • Numpad 4 to decrease Speed value by (float)1.0
  • Numpad 5 to reset Speed to default
  • Numpad 6 to increase Speed value by (float)1.0
Keys can be changed in the CE interface.

Download: FarCryNewDawn.CT (Update #5, 60.22 KiB, downloaded 529 times)

BR,
Sun

[ 18.02.2019 - Update #4]

[+] Added Set Quest Reward Amount / Multiplier script

The above should help you with any crafting material as well as Ethanol. How to work with it: enable, set quantity or multiplier, do a quest (capture, re-capture of outpost, bring an ethanol truck to one of your bases, etc.). Although at times you'll see the default notification (e.g.: Ethanol x75), you will however get the amount you set in the table.

Download: FarCryNewDawn.CT (Update #4, 48.27 KiB, downloaded 405 times)

BR,
Sun

[ 16.02.2019 - Update #3]

Game Version:

Code:
ChangeList:1485791
Version:MTL-BOWMORE-BIGHORN-72.38
User:svc_compil.sigma
Branch://bowmore-branches/bighorn
Project Name:Bowmore
Time:Thu Feb 14 14:34:34 2019
SDK:N/A
Exec:FC_m64.dll
MD5:N/A

[+] Added Set Pick-Up Quantity script (works just for Components, not lootable dead bodies!)


Download: FarCryNewDawn.CT (Update #3, 42.92 KiB, downloaded 915 times)

BR,
Sun

[ 15.02.2019 - Update #2]

[+] Added Free Perk Points script

Download: FarCryNewDawn.CT (Update #2, 40.6 KiB, downloaded 551 times)

BR,
Sun

[ 15.02.2019 - Update #1]

[+] Added Stealth (just visual; you can still be heard!).

Download: FarCryNewDawn.CT (Update #1, 40.2 KiB, downloaded 240 times)

BR,
Sun

[ 15.02.2019 - First Release]

Hello folks.

Here's a starter table for the game:


And a little demo video:



Download: FarCryNewDawn.CT (First Release, 42.56 KiB, downloaded 336 times)

BR,
Sun

P.S.: Ask any questions you might have.

budabum
Expert Cheater
Posts: 356
Joined: Tue Nov 28, 2017 6:34 pm
Reputation: 298

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by budabum » Fri Feb 15, 2019 9:01 am

no fall blur, nice. like it very much.
but not for me this time, I'm done with FR. 5th part killed my inspiration by FR. :(

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 10:48 am

^ Same here. My table was purely copy-pasta of the FC5 one (just had to find the same spots in the New Dawn DLL). Nothing else though. Might do an "ignore Perk points" option; perhaps also figure where the hell and in which form the points are stored (cuz the visual != real value).

jonasbeckman
Expert Cheater
Posts: 221
Joined: Sat May 06, 2017 1:26 pm
Reputation: 9

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by jonasbeckman » Fri Feb 15, 2019 11:20 am

Oh nice already out on UPlay then, this is going to be a fun one. :)

EDIT: And I suppose this one doesn't bother with using EAC, nice!
EDIT: No I think I misread the above reply. It does have that since it mentions .dll checks.

EDIT: No that's for other stuff not the EAC .dll bypass since that would use a .dll too in addition to the CE table.

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 11:43 am

No EAC in this one. Guess they've learned their lesson. And also added "Esc" on those intro movies, so you can easily skip them now :D I have a feeling Perks and Ethanol are encrypted (you can find the visual value via 4-byte searching, but it won't help yer arse; it's not the real value). Not gonna say anything about Far Cry Coins yet (although I think they obviously are server sided).

Challenge accepted! :) Will tell you later if "achievement unlocked" :D

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 1:55 pm

So this is the function running when you click on a Perk and want to purchase it:

Code:
FC_m64.dll+12478FC0 - 40 53                 - push rbx
FC_m64.dll+12478FC2 - 56                    - push rsi
FC_m64.dll+12478FC3 - 48 83 EC 48           - sub rsp,48 { 72 }
FC_m64.dll+12478FC7 - 8B 91 D8010000        - mov edx,[rcx+000001D8]
FC_m64.dll+12478FCD - 48 89 CE              - mov rsi,rcx
FC_m64.dll+12478FD0 - 48 81 C1 C8010000     - add rcx,000001C8 { 456 }
FC_m64.dll+12478FD7 - E8 449130EF           - call FC_m64.dll+1782120
FC_m64.dll+12478FDC - 84 C0                 - test al,al
FC_m64.dll+12478FDE - 0F84 E0000000         - je FC_m64.dll+124790C4
FC_m64.dll+12478FE4 - BA 2A000000           - mov edx,0000002A { 42 }
FC_m64.dll+12478FE9 - 48 89 7C 24 40        - mov [rsp+40],rdi
FC_m64.dll+12478FEE - 48 8D 4C 24 78        - lea rcx,[rsp+78]
FC_m64.dll+12478FF3 - E8 289206F0           - call FC_m64.dll+24E2220
FC_m64.dll+12478FF8 - 48 8D 4C 24 60        - lea rcx,[rsp+60]
FC_m64.dll+12478FFD - E8 4E9DCFED           - call FC_m64.dll+172D50
FC_m64.dll+12479002 - 48 8D 4C 24 28        - lea rcx,[rsp+28]
FC_m64.dll+12479007 - 88 44 24 60           - mov [rsp+60],al
FC_m64.dll+1247900B - E8 409DCFED           - call FC_m64.dll+172D50
FC_m64.dll+12479010 - 48 8D 15 31D9A7F2     - lea rdx,[FC_m64.dll+4EF6948] { (0) }
FC_m64.dll+12479017 - 88 44 24 28           - mov [rsp+28],al
FC_m64.dll+1247901B - 48 8D 4C 24 28        - lea rcx,[rsp+28]
FC_m64.dll+12479020 - 48 C7 44 24 30 00000000 - mov qword ptr [rsp+30],00000000 { 0 }
FC_m64.dll+12479029 - E8 0287CDED           - call FC_m64.dll+151730
FC_m64.dll+1247902E - 48 8B 8E 48020000     - mov rcx,[rsi+00000248]
FC_m64.dll+12479035 - 48 8D 54 24 28        - lea rdx,[rsp+28]
FC_m64.dll+1247903A - E8 4135DAEF           - call FC_m64.dll+221C580
FC_m64.dll+1247903F - 48 8B 4C 24 30        - mov rcx,[rsp+30]
FC_m64.dll+12479044 - 48 85 C9              - test rcx,rcx
FC_m64.dll+12479047 - 74 25                 - je FC_m64.dll+1247906E
FC_m64.dll+12479049 - 83 C8 FF              - or eax,-01 { 255 }
FC_m64.dll+1247904C - F0 0FC1 41 08         - lock xadd [rcx+08],eax
FC_m64.dll+12479051 - 83 F8 01              - cmp eax,01 { 1 }
FC_m64.dll+12479054 - 75 18                 - jne FC_m64.dll+1247906E
FC_m64.dll+12479056 - 80 7C 24 28 00        - cmp byte ptr [rsp+28],00 { 0 }
FC_m64.dll+1247905B - 48 8B 4C 24 30        - mov rcx,[rsp+30]
FC_m64.dll+12479060 - 74 07                 - je FC_m64.dll+12479069
FC_m64.dll+12479062 - E8 2917D0ED           - call FC_m64.dll+17A790
FC_m64.dll+12479067 - EB 05                 - jmp FC_m64.dll+1247906E
FC_m64.dll+12479069 - E8 A2A9D0ED           - call FC_m64.dll+183A10
FC_m64.dll+1247906E - 8B 86 D8010000        - mov eax,[rsi+000001D8]
FC_m64.dll+12479074 - 48 8D 0C C0           - lea rcx,[rax+rax*8]
FC_m64.dll+12479078 - 48 8B 86 C8010000     - mov rax,[rsi+000001C8]
FC_m64.dll+1247907F - 48 8D 3C C8           - lea rdi,[rax+rcx*8]
FC_m64.dll+12479083 - 8B 04 C8              - mov eax,[rax+rcx*8]
FC_m64.dll+12479086 - 48 8D 4C 24 70        - lea rcx,[rsp+70]
FC_m64.dll+1247908B - 89 44 24 70           - mov [rsp+70],eax
FC_m64.dll+1247908F - E8 DC3931EF           - call FC_m64.dll+178CA70
FC_m64.dll+12479094 - B9 01000000           - mov ecx,00000001 { 1 }
FC_m64.dll+12479099 - 89 C3                 - mov ebx,eax
FC_m64.dll+1247909B - E8 703C31EF           - call FC_m64.dll+178CD10
FC_m64.dll+124790A0 - 48 8B 8E C0010000     - mov rcx,[rsi+000001C0]
FC_m64.dll+124790A7 - 39 C3                 - cmp ebx,eax
FC_m64.dll+124790A9 - 0F94 D2               - sete dl
FC_m64.dll+124790AC - 83 7F 04 04           - cmp dword ptr [rdi+04],04 { 4 }
FC_m64.dll+124790B0 - 41 0F94 D0            - sete r8l
FC_m64.dll+124790B4 - 48 8B 7C 24 40        - mov rdi,[rsp+40]
FC_m64.dll+124790B9 - 48 83 C4 48           - add rsp,48 { 72 }
FC_m64.dll+124790BD - 5E                    - pop rsi
FC_m64.dll+124790BE - 5B                    - pop rbx
FC_m64.dll+124790BF - E9 1C07D6EF           - jmp FC_m64.dll+21D97E0
FC_m64.dll+124790C4 - BA 29000000           - mov edx,00000029 { 41 }
FC_m64.dll+124790C9 - 48 8D 4C 24 20        - lea rcx,[rsp+20]
FC_m64.dll+124790CE - E8 4D9106F0           - call FC_m64.dll+24E2220
FC_m64.dll+124790D3 - 48 8B 8E C0010000     - mov rcx,[rsi+000001C0]
FC_m64.dll+124790DA - E8 8107D6EF           - call FC_m64.dll+21D9860
FC_m64.dll+124790DF - 8B 86 D8010000        - mov eax,[rsi+000001D8]
FC_m64.dll+124790E5 - 48 8D 0C C0           - lea rcx,[rax+rax*8]
FC_m64.dll+124790E9 - 48 8B 86 C8010000     - mov rax,[rsi+000001C8]
FC_m64.dll+124790F0 - 8B 4C C8 04           - mov ecx,[rax+rcx*8+04]
FC_m64.dll+124790F4 - E8 A76531EF           - call FC_m64.dll+178F6A0
FC_m64.dll+124790F9 - 84 C0                 - test al,al
FC_m64.dll+124790FB - 74 0C                 - je FC_m64.dll+12479109
FC_m64.dll+124790FD - 48 8B 8E C0010000     - mov rcx,[rsi+000001C0]
FC_m64.dll+12479104 - E8 8707D6EF           - call FC_m64.dll+21D9890
FC_m64.dll+12479109 - 48 83 C4 48           - add rsp,48 { 72 }
FC_m64.dll+1247910D - 5E                    - pop rsi
FC_m64.dll+1247910E - 5B                    - pop rbx
FC_m64.dll+1247910F - C3                    - ret 

OK. So I first took a look at "mov edx,[rcx+000001D8]". Put a break on access, then hovered mouse over a Perk pictograph. And got this piece of code:

Code:
FC_m64.dll+124B2C34 - 44 89 AE D8010000     - mov [rsi+000001D8],r13d

Now.. if you do "find out what addresses this instruction accesses", then hover mouse over each Perk, one by one, you'll see r13d turning to these values:

Image

What this means is every Perk that doesn't have a dependency will be "labeled" 0. Perks that require the previous one unlocked will go +1. So, for example, on the line before last the first 3 Perks are sequential. You need to unlock them one by one, from left to right. First one is "0", second one is "1", last one in the chain is "2" (in terms of ids).

Now.. if I want to purchase "Outdoor Enthusiast" (top-right one), I notice that it costs 7 points. I only have 3.

Image

So this run-down happens when I click on it:

Code:
00007FFD0C468FC0 | 40:53              | PUSH RBX                             |
00007FFD0C468FC2 | 56                 | PUSH RSI                             |
00007FFD0C468FC3 | 48:83EC 48         | SUB RSP,48                           |
00007FFD0C468FC7 | 8B91 D8010000      | MOV EDX,DWORD PTR DS:[RCX+1D8]       | RCX == CFCXUILogicPerkDetailsPanel
00007FFD0C468FCD | 48:89CE            | MOV RSI,RCX                          |
00007FFD0C468FD0 | 48:81C1 C8010000   | ADD RCX,1C8                          |
00007FFD0C468FD7 | E8 449130EF        | CALL fc_m64.7FFCFB772120             | <-- F7

[CALL]
00007FFD08B8E0B0 | 40:56              | PUSH RSI                             |
00007FFD08B8E0B2 | 48:83EC 20         | SUB RSP,20                           |
00007FFD08B8E0B6 | 4C:8B01            | MOV R8,QWORD PTR DS:[RCX]            | [RCX]=[000001D62B1E9A38]=000001D5BC5710A0
00007FFD08B8E0B9 | 89D0               | MOV EAX,EDX                          | our ID
00007FFD08B8E0BB | 48:8D0CC0          | LEA RCX,QWORD PTR DS:[RAX+RAX*8]     | 1+1*8 = 9
00007FFD08B8E0BF | 41:8B44C8 04       | MOV EAX,DWORD PTR DS:[R8+RCX*8+4]    | [000001D5BC5710A0+9*8+4]=2
00007FFD08B8E0C4 | 49:8D34C8          | LEA RSI,QWORD PTR DS:[R8+RCX*8]      | 000001D5BC5710E8
00007FFD08B8E0C8 | 83C0 FE            | ADD EAX,FFFFFFFE                     |
00007FFD08B8E0CB | A9 FDFFFFFF        | TEST EAX,FFFFFFFD                    |
00007FFD08B8E0D0 | 74 08              | JE fc_m64.7FFD08B8E0DA               |
00007FFD08B8E0D2 | 30C0               | XOR AL,AL                            |
00007FFD08B8E0D4 | 48:83C4 20         | ADD RSP,20                           |
00007FFD08B8E0D8 | 5E                 | POP RSI                              |
00007FFD08B8E0D9 | C3                 | RET                                  |
00007FFD08B8E0DA | 85D2               | TEST EDX,EDX                         |
00007FFD08B8E0DC | 74 14              | JE fc_m64.7FFD08B8E0F2               |
00007FFD08B8E0DE | 8D42 FF            | LEA EAX,QWORD PTR DS:[RDX-1]         |
00007FFD08B8E0E1 | 48:8D04C0          | LEA RAX,QWORD PTR DS:[RAX+RAX*8]     |
00007FFD08B8E0E5 | 41:8B4CC0 04       | MOV ECX,DWORD PTR DS:[R8+RAX*8+4]    | [000001D5BC5710E8+0*8+4]=3
00007FFD08B8E0EA | 83E9 03            | SUB ECX,3                            |
00007FFD08B8E0ED | 83F9 01            | CMP ECX,1                            |
00007FFD08B8E0F0 | 77 E0              | JA fc_m64.7FFD08B8E0D2               |
00007FFD08B8E0F2 | 48:8B0D 1FDD24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  |
00007FFD08B8E0F9 | 48:8D15 A01B28F6   | LEA RDX,QWORD PTR DS:[7FFCFEE0FCA0]  |
00007FFD08B8E100 | 48:895C24 30       | MOV QWORD PTR SS:[RSP+30],RBX        |
00007FFD08B8E105 | 48:897C24 38       | MOV QWORD PTR SS:[RSP+38],RDI        |
00007FFD08B8E10A | E8 B113D0F1        | CALL fc_m64.7FFCFA88F4C0             |
00007FFD08B8E10F | 48:8B0D 02DD24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  |
00007FFD08B8E116 | 48:89C2            | MOV RDX,RAX                          |
00007FFD08B8E119 | 48:89C7            | MOV RDI,RAX                          |
00007FFD08B8E11C | E8 0FE2CEF1        | CALL fc_m64.7FFCFA87C330             |
00007FFD08B8E121 | 48:8B0D F0DC24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  |
00007FFD08B8E128 | 48:89FA            | MOV RDX,RDI                          |
00007FFD08B8E12B | E8 906DCFF1        | CALL fc_m64.7FFCFA884EC0             |
00007FFD08B8E130 | 48:8B0D E1DC24F6   | MOV RCX,QWORD PTR DS:[7FFCFEDDBE18]  | RAX=000001D5C6AE9E5C->[RAX]=3
00007FFD08B8E137 | 48:89FA            | MOV RDX,RDI                          |
00007FFD08B8E13A | 48:89C3            | MOV RBX,RAX                          |
00007FFD08B8E13D | E8 0E3ACFF1        | CALL fc_m64.7FFCFA881B50             |
00007FFD08B8E142 | 837E 04 04         | CMP DWORD PTR DS:[RSI+4],4           |
00007FFD08B8E146 | 48:8B7C24 38       | MOV RDI,QWORD PTR SS:[RSP+38]        |
00007FFD08B8E14B | 75 13              | JNE fc_m64.7FFD08B8E160              |
00007FFD08B8E14D | 8B46 0C            | MOV EAX,DWORD PTR DS:[RSI+C]         |
00007FFD08B8E150 | 3903               | CMP DWORD PTR DS:[RBX],EAX           |
00007FFD08B8E152 | 48:8B5C24 30       | MOV RBX,QWORD PTR SS:[RSP+30]        |
00007FFD08B8E157 | 0F93D0             | SETAE AL                             |
00007FFD08B8E15A | 48:83C4 20         | ADD RSP,20                           |
00007FFD08B8E15E | 5E                 | POP RSI                              |
00007FFD08B8E15F | C3                 | RET                                  |
00007FFD08B8E160 | 8B46 08            | MOV EAX,DWORD PTR DS:[RSI+8]         | RAX=[RS+8]=[000001D5BC5710E8+8]=7
00007FFD08B8E163 | 3903               | CMP DWORD PTR DS:[RBX],EAX           | [RBX]=[000001D5C6AE9E5C]=3 vs. 7
00007FFD08B8E165 | 48:8B5C24 30       | MOV RBX,QWORD PTR SS:[RSP+30]        |
00007FFD08B8E16A | 0F93D0             | SETAE AL                             | AL is set to 0 cuz of the above CMP
00007FFD08B8E16D | 48:83C4 20         | ADD RSP,20                           |
00007FFD08B8E171 | 5E                 | POP RSI                              |
00007FFD08B8E172 | C3                 | RET                                  |
[/CALL]

00007FFD0C468FDC | 84C0               | TEST AL,AL                           | <-- this will fail
00007FFD0C468FDE | 0F84 E0000000      | JE fc_m64.7FFD0C4690C4               | <-- taken; the red clipping text animation occurs

In short, as long as we don't have the required amount of Perks, the function is not taken. Another thing I tested is if the "transaction" happens in this function, by RET-ing its prologue. Turns out it is ;) Which made me go in-depth studying it.

Hope we get to a useful conclusion after all of this run-down :P
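As an added illustration (this is not SunBeam's code and not taken from the game), here is the purchasability check from the [CALL] block above rewritten in C. The 0x48 entry stride and the field offsets +4, +8 and +0xC come straight from the disassembly; the field names `state`, `cost` and `alt_cost`, the meaning of the state values, and the demo table contents are assumptions made to reproduce the values seen in the trace.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One entry of the perk table. The stride is 0x48 (LEA RCX,[RAX+RAX*8]
 * followed by an *8 scaled index) and the function reads fields at +4,
 * +8 and +0xC. The field names are assumptions, not engine names. */
typedef struct {
    uint32_t unknown0;  /* +0x0: not touched by this function */
    uint32_t state;     /* +0x4: compared against 2, 3 and 4 */
    uint32_t cost;      /* +0x8: the point cost shown in the UI (7 in the trace) */
    uint32_t alt_cost;  /* +0xC: used instead of cost when state == 4 */
    uint8_t  tail[0x48 - 0x10];
} PerkEntry;

_Static_assert(sizeof(PerkEntry) == 0x48, "stride must match RAX*9*8");

/* Mirrors fc_m64.7FFCFB772120 from the trace. `points` is the value the
 * function reads through RBX ([RBX] == 3 in the trace). */
bool can_purchase_perk(const PerkEntry *table, uint32_t id, uint32_t points)
{
    const PerkEntry *e = &table[id];

    /* ADD EAX,-2 ; TEST EAX,0xFFFFFFFD ; JE ok
     * (state - 2) with bit 1 masked off must be zero, i.e. state is 2 or 4. */
    if (((e->state - 2u) & 0xFFFFFFFDu) != 0)
        return false;

    /* TEST EDX,EDX ; JE -> id 0 is a chain head and has no prerequisite.
     * Otherwise SUB ECX,3 ; CMP ECX,1 ; JA fail (unsigned compare), so the
     * previous entry in the chain must have state 3 or 4. */
    if (id != 0 && (table[id - 1].state - 3u) > 1u)
        return false;

    /* CMP DWORD PTR [RSI+4],4 picks which cost field is used; SETAE after
     * CMP [RBX],EAX means "points >= cost" (unsigned). */
    uint32_t needed = (e->state == 4) ? e->alt_cost : e->cost;
    return points >= needed;
}

/* Constructed table reproducing the trace: entry 0 is the unlocked chain
 * head (state 3), entry 1 is "Outdoor Enthusiast" with state 2 and cost 7.
 * Entry 2 is made up to exercise the prerequisite path. */
const PerkEntry demo_perk_table[3] = {
    { 0, 3, 1, 0, {0} },
    { 0, 2, 7, 0, {0} },
    { 0, 2, 2, 0, {0} },
};

/* The scenario from the post: id 1 with only 3 points is refused. */
bool demo_trace_refused(void)
{
    return !can_purchase_perk(demo_perk_table, 1, 3);
}

int main(void)
{
    printf("id 1, 3 points:  %s\n", can_purchase_perk(demo_perk_table, 1, 3) ? "ok" : "refused");
    printf("id 1, 7 points:  %s\n", can_purchase_perk(demo_perk_table, 1, 7) ? "ok" : "refused");
    printf("id 2, 99 points: %s\n", can_purchase_perk(demo_perk_table, 2, 99) ? "ok" : "refused");
    return 0;
}
```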

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 2:01 pm

So I stopped doing the above and took a completely different approach: I decided to see who writes to the display value when I pick-up a Perk from a bunker (fastest way to try this out). And found this location triggering:

Code:
FC_m64.dll+EC53714 - 41 89 07              - mov [r15],eax <--
FC_m64.dll+EC53717 - 48 8B 56 18           - mov rdx,[rsi+18]
FC_m64.dll+EC5371B - 48 8B 0D F68619F6     - mov rcx,[FC_m64.dll+4DEBE18]
FC_m64.dll+EC53722 - E8 A9E5C3F1           - call FC_m64.dll+891CD0
FC_m64.dll+EC53727 - 48 8B 0D EA8619F6     - mov rcx,[FC_m64.dll+4DEBE18]

Then I noticed the function that MOV is part of is called from multiple locations (so it's a generic function). Therefore, I had to use conditional breakpoints (break as long as R15 == my address). Did this in x64dbg and back-tracing led me to this nice spot:

Code:
00007FFD0B325369 | 48:8B57 08        | MOV RDX,QWORD PTR DS:[RDI+8]         |
00007FFD0B32536D | 4C:8D4424 28      | LEA R8,QWORD PTR SS:[RSP+28]         |
00007FFD0B325372 | 48:8B87 90020000  | MOV RAX,QWORD PTR DS:[RDI+290]       |
00007FFD0B325379 | 45:89F9           | MOV R9D,R15D                         | if 0x1, then Reward Item
00007FFD0B32537C | 48:894424 28      | MOV QWORD PTR SS:[RSP+28],RAX        |
00007FFD0B325381 | 48:8B12           | MOV RDX,QWORD PTR DS:[RDX]           |
00007FFD0B325384 | E8 67356AF0       | CALL fc_m64.7FFCFB9C88F0             | <-- enter CALL

[CALL]
00007FFCFB9C88F0 | 45:85C9           | TEST R9D,R9D                         |
00007FFCFB9C88F3 | 0F84 9B000000     | JE fc_m64.7FFCFB9C8994               |
00007FFCFB9C88F9 | 48:895424 10      | MOV QWORD PTR SS:[RSP+10],RDX        |
00007FFCFB9C88FE | 53                | PUSH RBX                             |
00007FFCFB9C88FF | 48:83EC 50        | SUB RSP,50                           |
00007FFCFB9C8903 | 33C0              | XOR EAX,EAX                          |
00007FFCFB9C8905 | 48:897C24 60      | MOV QWORD PTR SS:[RSP+60],RDI        |
00007FFCFB9C890A | 41:8BD9           | MOV EBX,R9D                          |
00007FFCFB9C890D | 894424 38         | MOV DWORD PTR SS:[RSP+38],EAX        |
00007FFCFB9C8911 | 894424 40         | MOV DWORD PTR SS:[RSP+40],EAX        |
00007FFCFB9C8915 | 48:8D3D 5C442903  | LEA RDI,QWORD PTR DS:[7FFCFEC5CD78]  |
00007FFCFB9C891C | 49:8B00           | MOV RAX,QWORD PTR DS:[R8]            |
00007FFCFB9C891F | 8BD3              | MOV EDX,EBX                          |
00007FFCFB9C8921 | 4C:8D4424 20      | LEA R8,QWORD PTR SS:[RSP+20]         |
00007FFCFB9C8926 | 48:894424 30      | MOV QWORD PTR SS:[RSP+30],RAX        |
00007FFCFB9C892B | C74424 20 05000000| MOV DWORD PTR SS:[RSP+20],5          |
00007FFCFB9C8933 | 48:897C24 28      | MOV QWORD PTR SS:[RSP+28],RDI        |
00007FFCFB9C8938 | 895C24 3C         | MOV DWORD PTR SS:[RSP+3C],EBX        |
00007FFCFB9C893C | E8 BFCBFEFF       | CALL fc_m64.7FFCFB9B5500             |
00007FFCFB9C8941 | 33D2              | XOR EDX,EDX                          |
00007FFCFB9C8943 | 8D4A 78           | LEA ECX,QWORD PTR DS:[RDX+78]        |
00007FFCFB9C8946 | E8 C5317BFE       | CALL fc_m64.7FFCFA17BB10             |
00007FFCFB9C894B | 4C:8B4424 68      | MOV R8,QWORD PTR SS:[RSP+68]         |
00007FFCFB9C8950 | 8BD3              | MOV EDX,EBX                          |
00007FFCFB9C8952 | 48:8BC8           | MOV RCX,RAX                          |
00007FFCFB9C8955 | E8 36A4C6FF       | CALL fc_m64.7FFCFB632D90             |
00007FFCFB9C895A | 4C:8D05 7783A402  | LEA R8,QWORD PTR DS:[7FFCFE410CD8]   | 00007FFCFE410CD8:"ProcessLootItemReward"
00007FFCFB9C8961 | 48:8BD0           | MOV RDX,RAX                          |
00007FFCFB9C8964 | B9 19000000       | MOV ECX,19                           |
00007FFCFB9C8969 | E8 E264DAFF       | CALL fc_m64.7FFCFB76EE50             |
00007FFCFB9C896E | 48:8B4C24 28      | MOV RCX,QWORD PTR SS:[RSP+28]        |
00007FFCFB9C8973 | 48:3BCF           | CMP RCX,RDI                          |
00007FFCFB9C8976 | 48:8B7C24 60      | MOV RDI,QWORD PTR SS:[RSP+60]        |
00007FFCFB9C897B | 74 12             | JE fc_m64.7FFCFB9C898F               |
00007FFCFB9C897D | 83C8 FF           | OR EAX,FFFFFFFF                      |
00007FFCFB9C8980 | F0:0FC141 08      | LOCK XADD DWORD PTR DS:[RCX+8],EAX   |
00007FFCFB9C8985 | 83F8 01           | CMP EAX,1                            |
00007FFCFB9C8988 | 75 05             | JNE fc_m64.7FFCFB9C898F              |
00007FFCFB9C898A | E8 51AF83FE       | CALL fc_m64.7FFCFA2038E0             |
00007FFCFB9C898F | 48:83C4 50        | ADD RSP,50                           |
00007FFCFB9C8993 | 5B                | POP RBX                              |
00007FFCFB9C8994 | C3                | RET                                  |
[/CALL]

See that "ProcessLootItemReward" string reference? Gee, I wonder what's up with it placed like that dead in the open :P

Furthermore, I noticed this function (FC_m64.dll+19D88F0) is called anytime you pick something up. However, the Perks are given only when the loot is of "Perk" type. And that is checked here:

Code:
FC_m64.dll+19D88F0 - 45 85 C9              - test r9d,r9d
FC_m64.dll+19D88F3 - 0F84 9B000000         - je FC_m64.dll+19D8994 <--

Guess what happens if you NOP that JE or set R9D to 0x1? :D Anything you pick-up will give you 1 Perk point :P

BR,
Sun

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 2:10 pm

And yes.. like I said.. the values are encrypted :) As soon as you start tracing into the function, past the TEST R9D,R9D.. you'll get into something like this:

Code:
FC_m64.dll+19D893C - E8 BFCBFEFF           - call FC_m64.dll+19C5500 <-- enter CALL1
FC_m64.dll+19D8941 - 33 D2                 - xor edx,edx
FC_m64.dll+19D8943 - 8D 4A 78              - lea ecx,[rdx+78]
FC_m64.dll+19D8946 - E8 C5317BFE           - call FC_m64.dll+18BB10
FC_m64.dll+19D894B - 4C 8B 44 24 68        - mov r8,[rsp+68]
FC_m64.dll+19D8950 - 8B D3                 - mov edx,ebx
FC_m64.dll+19D8952 - 48 8B C8              - mov rcx,rax
FC_m64.dll+19D8955 - E8 36A4C6FF           - call FC_m64.dll+1642D90
FC_m64.dll+19D895A - 4C 8D 05 7783A402     - lea r8,[FC_m64.dll+4420CD8] { ("ProcessLootItemReward") }

[CALL1]
FC_m64.dll+F7D7E70 - 48 89 5C 24 18        - mov [rsp+18],rbx
FC_m64.dll+F7D7E75 - 48 89 74 24 20        - mov [rsp+20],rsi
FC_m64.dll+F7D7E7A - 55                    - push rbp
FC_m64.dll+F7D7E7B - 57                    - push rdi
FC_m64.dll+F7D7E7C - 41 56                 - push r14
FC_m64.dll+F7D7E7E - 48 89 E5              - mov rbp,rsp
FC_m64.dll+F7D7E81 - 48 83 EC 60           - sub rsp,60 { 96 }
FC_m64.dll+F7D7E85 - 48 8D B1 D0000000     - lea rsi,[rcx+000000D0]
FC_m64.dll+F7D7E8C - 89 55 28              - mov [rbp+28],edx
FC_m64.dll+F7D7E8F - 4C 89 C7              - mov rdi,r8
FC_m64.dll+F7D7E92 - 4C 8D 4D 28           - lea r9,[rbp+28]
FC_m64.dll+F7D7E96 - 41 89 D6              - mov r14d,edx
FC_m64.dll+F7D7E99 - 4C 8D 05 B0011CF2     - lea r8,[FC_m64.dll+1998050] { (-795173911) }
FC_m64.dll+F7D7EA0 - 48 89 CB              - mov rbx,rcx
FC_m64.dll+F7D7EA3 - 48 8D 55 20           - lea rdx,[rbp+20]
FC_m64.dll+F7D7EA7 - 48 89 F1              - mov rcx,rsi
FC_m64.dll+F7D7EAA - E8 11B987F4           - call FC_m64.dll+40537C0 <-- check this CALL2
[/CALL1]

[CALL2]
FC_m64.dll+40537C0 - E9 7B433816           - jmp FC_m64.dll+1A3D7B40
..
FC_m64.dll+1A3D7B40 - E9 3A683701           - jmp FC_m64.dll+1B74E37F
..
FC_m64.dll+1B74E37F - 68 4368A6CA           - push CAA66843 { -895063997 }
FC_m64.dll+1B74E384 - E8 D11DF5FF           - call FC_m64.dll+1B6A015A
FC_m64.dll+1B74E389 - 4C 2B 07              - sub r8,[rdi]
FC_m64.dll+1B74E38C - 7A BA                 - jp FC_m64.dll+1B74E348
FC_m64.dll+1B74E38E - 21 AC 37 BEA3B996     - and [rdi+rsi-69465C42],ebp
FC_m64.dll+1B74E395 - 53                    - push rbx
FC_m64.dll+1B74E396 - F0 0FB0 4B 28         - lock cmpxchg [rbx+28],cl
FC_m64.dll+1B74E39B - 68 E29DDC44           - push 44DC9DE2 { 1764.93 }
FC_m64.dll+1B74E3A0 - E8 4288F8FF           - call FC_m64.dll+1B6D6BE7
FC_m64.dll+1B74E3A5 - F3 90                 - repe nop 
[/CALL2]

And that, my friends, in CALL2 is Denuvo (or shall we say, VMProtect) mutated/virtualized code :)

BR,
Sun

supMarco
Table Makers
Posts: 62
Joined: Mon May 22, 2017 11:15 am
Reputation: 9

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by supMarco » Fri Feb 15, 2019 2:16 pm

good shit :P

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 2:19 pm

Can also tell you that if you don't execute this CALL, you won't get a Perk:

Code:
00007FFCFB9C8938 | 895C24 3C         | MOV DWORD PTR SS:[RSP+3C],EBX      |
00007FFCFB9C893C | E8 BFCBFEFF       | CALL fc_m64.7FFCFB9B5500           | <--
00007FFCFB9C8941 | 33D2              | XOR EDX,EDX                        |
00007FFCFB9C8943 | 8D4A 78           | LEA ECX,QWORD PTR DS:[RDX+78]      |
00007FFCFB9C8946 | E8 C5317BFE       | CALL fc_m64.7FFCFA17BB10           |
00007FFCFB9C894B | 4C:8B4424 68      | MOV R8,QWORD PTR SS:[RSP+68]       |
00007FFCFB9C8950 | 8BD3              | MOV EDX,EBX                        |
00007FFCFB9C8952 | 48:8BC8           | MOV RCX,RAX                        |
00007FFCFB9C8955 | E8 36A4C6FF       | CALL fc_m64.7FFCFB632D90           |
00007FFCFB9C895A | 4C:8D05 7783A402  | LEA R8,QWORD PTR DS:[7FFCFE410CD8] | 00007FFCFE410CD8:"ProcessLootItemReward"
00007FFCFB9C8961 | 48:8BD0           | MOV RDX,RAX                        |
00007FFCFB9C8964 | B9 19000000       | MOV ECX,19                         |
00007FFCFB9C8969 | E8 E264DAFF       | CALL fc_m64.7FFCFB76EE50           |
00007FFCFB9C896E | 48:8B4C24 28      | MOV RCX,QWORD PTR SS:[RSP+28]      |
00007FFCFB9C8973 | 48:3BCF           | CMP RCX,RDI                        |
00007FFCFB9C8976 | 48:8B7C24 60      | MOV RDI,QWORD PTR SS:[RSP+60]      |
00007FFCFB9C897B | 74 12             | JE fc_m64.7FFCFB9C898F             |
00007FFCFB9C897D | 83C8 FF           | OR EAX,FFFFFFFF                    |
00007FFCFB9C8980 | F0:0FC141 08      | LOCK XADD DWORD PTR DS:[RCX+8],EAX |
00007FFCFB9C8985 | 83F8 01           | CMP EAX,1                          |
00007FFCFB9C8988 | 75 05             | JNE fc_m64.7FFCFB9C898F            |
00007FFCFB9C898A | E8 51AF83FE       | CALL fc_m64.7FFCFA2038E0           |
00007FFCFB9C898F | 48:83C4 50        | ADD RSP,50                         |
00007FFCFB9C8993 | 5B                | POP RBX                            |
00007FFCFB9C8994 | C3                | RET                                |

Had a test-run right now, RET-ing it.

Sooo.. it's all in there ;)

Now I'm curious if the same function is run when you get Ethanol; cuz if that's the case, then it's only a matter of adjusting the input parameters :) And yes, the function doesn't break when you pick-up Far Cry Coins.. so.. server-sided (or another branch of the pick-up function), as I was saying.

Let me sum up the run-down logic in another post ;)

BR,
Sun

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 2:54 pm

Yeah, I can confirm the same function is used for Ethanol. Here's the nice full run-down:

Code:
00007FFD0B325150 | 48:89E0                 | MOV RAX,RSP                          | RCX = __this = CFCXPickupItem; R11 = pszPickupEvent
00007FFD0B325153 | 53                      | PUSH RBX                             |
00007FFD0B325154 | 48:81EC A0000000        | SUB RSP,A0                           |
00007FFD0B32515B | 48:8968 08              | MOV QWORD PTR DS:[RAX+8],RBP         |
00007FFD0B32515F | 48:8970 18              | MOV QWORD PTR DS:[RAX+18],RSI        |
00007FFD0B325163 | 48:89D6                 | MOV RSI,RDX                          |
00007FFD0B325166 | 48:8978 F0              | MOV QWORD PTR DS:[RAX-10],RDI        |
00007FFD0B32516A | 48:89CF                 | MOV RDI,RCX                          |
00007FFD0B32516D | 4C:8960 E8              | MOV QWORD PTR DS:[RAX-18],R12        |
00007FFD0B325171 | 48:89D1                 | MOV RCX,RDX                          |
00007FFD0B325174 | 45:0FB6E0               | MOVZX R12D,R8B                       | R8 = 0x0
00007FFD0B325178 | E8 F3CA82F0             | CALL fc_m64.7FFCFBB51C70             |
00007FFD0B32517D | 84C0                    | TEST AL,AL                           |
00007FFD0B32517F | 0F84 81020000           | JE fc_m64.7FFD0B325406               |
00007FFD0B325185 | 48:83BF A8020000 00     | CMP QWORD PTR DS:[RDI+2A8],0         | [RDI+2A8] = 0x200767C4A968C8 (DuctTape_id); 0x0 for Perk Magazine
00007FFD0B32518D | 8BAF A0020000           | MOV EBP,DWORD PTR DS:[RDI+2A0]       | [RDI+2A0] = 0x1 (dwNoOfStacks)
00007FFD0B325193 | 4C:89BC24 80000000      | MOV QWORD PTR SS:[RSP+80],R15        |
00007FFD0B32519B | 44:8BBF A4020000        | MOV R15D,DWORD PTR DS:[RDI+2A4]      | [RDI+2A4] = dwRewardItem (0x0 for any; 0x1 for Perk Magazine)
00007FFD0B3251A2 | 74 6A                   | JE fc_m64.7FFD0B32520E               |
00007FFD0B3251A4 | 48:8D8F A8020000        | LEA RCX,QWORD PTR DS:[RDI+2A8]       |
00007FFD0B3251AB | E8 30D3C0F0             | CALL fc_m64.7FFCFBF324E0             |
00007FFD0B3251B0 | 48:85C0                 | TEST RAX,RAX                         | RAX = p->CFCXLootTable
00007FFD0B3251B3 | 74 59                   | JE fc_m64.7FFD0B32520E               |
00007FFD0B3251B5 | 48:8D8F A8020000        | LEA RCX,QWORD PTR DS:[RDI+2A8]       |
00007FFD0B3251BC | E8 1FD3C0F0             | CALL fc_m64.7FFCFBF324E0             |
00007FFD0B3251C1 | 48:8B48 38              | MOV RCX,QWORD PTR DS:[RAX+38]        | qwTableSize
00007FFD0B3251C5 | 48:8B58 30              | MOV RBX,QWORD PTR DS:[RAX+30]        | p_TableStart
00007FFD0B3251C9 | 48:C1E9 20              | SHR RCX,20                           |
00007FFD0B3251CD | 0FBAF1 1F               | BTR ECX,1F                           |
00007FFD0B3251D1 | 48:8D0449               | LEA RAX,QWORD PTR DS:[RCX+RCX*2]     |
00007FFD0B3251D5 | 48:C1E0 04              | SHL RAX,4                            | 0x30 (ComputedSize)
00007FFD0B3251D9 | 48:01D8                 | ADD RAX,RBX                          | p_TableEnd
00007FFD0B3251DC | 48:39C3                 | CMP RBX,RAX                          | while p_TableStart != p_TableEnd
00007FFD0B3251DF | 74 2D                   | JE fc_m64.7FFD0B32520E               |
00007FFD0B3251E1 | 48:8B8F 90020000        | MOV RCX,QWORD PTR DS:[RDI+290]       | qwItemHash
00007FFD0B3251E8 | 48:3B4B 08              | CMP RCX,QWORD PTR DS:[RBX+8]         | TableItemHash vs. PickedUpItemHash
00007FFD0B3251EC | 74 0B                   | JE fc_m64.7FFD0B3251F9               |
00007FFD0B3251EE | 48:83C3 30              | ADD RBX,30                           | iterate till found
00007FFD0B3251F2 | 48:39C3                 | CMP RBX,RAX                          |
00007FFD0B3251F5 | 75 F1                   | JNE fc_m64.7FFD0B3251E8              |
00007FFD0B3251F7 | EB 15                   | JMP fc_m64.7FFD0B32520E              |
00007FFD0B3251F9 | 48:89D9                 | MOV RCX,RBX                          |
00007FFD0B3251FC | E8 6FDDC0F0             | CALL fc_m64.7FFCFBF32F70             | GetQuantityOfItemsInStack
00007FFD0B325201 | 48:89D9                 | MOV RCX,RBX                          | RAX = 0x66 (container quantity for picked item)
00007FFD0B325204 | 89C5                    | MOV EBP,EAX                          |
00007FFD0B325206 | E8 35DDC0F0             | CALL fc_m64.7FFCFBF32F40             |
00007FFD0B32520B | 41:89C7                 | MOV R15D,EAX                         |
00007FFD0B32520E | 48:8B97 90020000        | MOV RDX,QWORD PTR DS:[RDI+290]       | qwItemHash
00007FFD0B325215 | 48:89F1                 | MOV RCX,RSI                          |
00007FFD0B325218 | E8 A3B6C0F0             | CALL fc_m64.7FFCFBF308C0             |
00007FFD0B32521D | 48:8B0E                 | MOV RCX,QWORD PTR DS:[RSI]           | RAX = 0x1
00007FFD0B325220 | 0FAFE8                  | IMUL EBP,EAX                         | 0x66 * 0x1 (amount of items * amount of picked up stacks)
00007FFD0B325223 | 48:8B59 10              | MOV RBX,QWORD PTR DS:[RCX+10]        |
00007FFD0B325227 | 48:8B8B C8000000        | MOV RCX,QWORD PTR DS:[RBX+C8]        |
00007FFD0B32522E | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B325231 | 74 17                   | JE fc_m64.7FFD0B32524A               |
00007FFD0B325233 | 44:0FB68424 B8000000    | MOVZX R8D,BYTE PTR SS:[RSP+B8]       | R8 = 0x0
00007FFD0B32523C | 48:8D93 A8000000        | LEA RDX,QWORD PTR DS:[RBX+A8]        |
00007FFD0B325243 | E8 3845C0EF             | CALL fc_m64.7FFCFAF29780             | SetQtyInLootTable?
00007FFD0B325248 | EB 1F                   | JMP fc_m64.7FFD0B325269              |
00007FFD0B32524A | E8 F117BCEF             | CALL fc_m64.7FFCFAEE6A40             |
00007FFD0B32524F | 48:89D9                 | MOV RCX,RBX                          |
00007FFD0B325252 | 8B50 18                 | MOV EDX,DWORD PTR DS:[RAX+18]        |
00007FFD0B325255 | 899424 B8000000         | MOV DWORD PTR SS:[RSP+B8],EDX        |
00007FFD0B32525C | 48:8D9424 B8000000      | LEA RDX,QWORD PTR SS:[RSP+B8]        |
00007FFD0B325264 | E8 37F690EF             | CALL fc_m64.7FFCFAC348A0             |
00007FFD0B325269 | 48:89C1                 | MOV RCX,RAX                          | RAX = CInventoryComponent
00007FFD0B32526C | 48:85C0                 | TEST RAX,RAX                         |
00007FFD0B32526F | 0F84 89010000           | JE fc_m64.7FFD0B3253FE               |
00007FFD0B325275 | 48:8B00                 | MOV RAX,QWORD PTR DS:[RAX]           |
00007FFD0B325278 | BA 10000000             | MOV EDX,10                           |
00007FFD0B32527D | 41:B9 06000000          | MOV R9D,6                            |
00007FFD0B325283 | 4C:89B424 88000000      | MOV QWORD PTR SS:[RSP+88],R14        |
00007FFD0B32528B | 45:84E4                 | TEST R12B,R12B                       |
00007FFD0B32528E | 41:89E8                 | MOV R8D,EBP                          |
00007FFD0B325291 | 44:0F45CA               | CMOVNE R9D,EDX                       |
00007FFD0B325295 | 48:8B97 90020000        | MOV RDX,QWORD PTR DS:[RDI+290]       | qwItemHash
00007FFD0B32529C | FF90 50010000           | CALL QWORD PTR DS:[RAX+150]          | GetQuantityOfItemsInStack -> RAX = 0x66 (102d)
00007FFD0B3252A2 | 48:8B0D F75DBAF3        | MOV RCX,QWORD PTR DS:[7FFCFEECB0A0]  |
00007FFD0B3252A9 | 41:89C6                 | MOV R14D,EAX                         |
00007FFD0B3252AC | 48:894C24 48            | MOV QWORD PTR SS:[RSP+48],RCX        |
00007FFD0B3252B1 | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B3252B4 | 74 56                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B3252B6 | 4C:8B87 90020000        | MOV R8,QWORD PTR DS:[RDI+290]        | qwItemHash
00007FFD0B3252BD | 48:8D5424 38            | LEA RDX,QWORD PTR SS:[RSP+38]        |
00007FFD0B3252C2 | E8 39AC87F0             | CALL fc_m64.7FFCFBB9FF00             |
00007FFD0B3252C7 | 48:8B5424 38            | MOV RDX,QWORD PTR SS:[RSP+38]        | qwPickedItemHash
00007FFD0B3252CC | 48:85D2                 | TEST RDX,RDX                         |
00007FFD0B3252CF | 74 3B                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B3252D1 | 48:8B0D C070AEF3        | MOV RCX,QWORD PTR DS:[7FFCFEE0C398]  |
00007FFD0B3252D8 | 48:894C24 50            | MOV QWORD PTR SS:[RSP+50],RCX        |
00007FFD0B3252DD | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B3252E0 | 74 0F                   | JE fc_m64.7FFD0B3252F1               |
00007FFD0B3252E2 | BA 46000000             | MOV EDX,46                           |
00007FFD0B3252E7 | E8 44E1B1EF             | CALL fc_m64.7FFCFAE43430             |
00007FFD0B3252EC | 48:8B5424 38            | MOV RDX,QWORD PTR SS:[RSP+38]        | qwPickedItemHash
00007FFD0B3252F1 | 48:85D2                 | TEST RDX,RDX                         |
00007FFD0B3252F4 | 74 16                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B3252F6 | 48:8B0D CB259EF3        | MOV RCX,QWORD PTR DS:[7FFCFED078C8]  |
00007FFD0B3252FD | 48:894C24 58            | MOV QWORD PTR SS:[RSP+58],RCX        |
00007FFD0B325302 | 48:85C9                 | TEST RCX,RCX                         |
00007FFD0B325305 | 74 05                   | JE fc_m64.7FFD0B32530C               |
00007FFD0B325307 | E8 74B1F0EE             | CALL fc_m64.7FFCFA230480             |
00007FFD0B32530C | 45:85F6                 | TEST R14D,R14D                       | RAX = 0x5B (91d)
00007FFD0B32530F | 0F84 E1000000           | JE fc_m64.7FFD0B3253F6               |
00007FFD0B325315 | 48:8B06                 | MOV RAX,QWORD PTR DS:[RSI]           |
00007FFD0B325318 | 48:8B58 10              | MOV RBX,QWORD PTR DS:[RAX+10]        |
00007FFD0B32531C | 48:8BAB C8000000        | MOV RBP,QWORD PTR DS:[RBX+C8]        |
00007FFD0B325323 | E8 48E2C2EF             | CALL fc_m64.7FFCFAF53570             | get_CFCXPlayerAbilitiesComponent
00007FFD0B325328 | 8B50 18                 | MOV EDX,DWORD PTR DS:[RAX+18]        | dwComponentHash
00007FFD0B32532B | 48:85ED                 | TEST RBP,RBP                         |
00007FFD0B32532E | 74 20                   | JE fc_m64.7FFD0B325350               |
00007FFD0B325330 | 899424 C8000000         | MOV DWORD PTR SS:[RSP+C8],EDX        |
00007FFD0B325337 | 4C:8D83 A8000000        | LEA R8,QWORD PTR DS:[RBX+A8]         |
00007FFD0B32533E | 48:8D9424 C8000000      | LEA RDX,QWORD PTR SS:[RSP+C8]        |
00007FFD0B325346 | 48:89E9                 | MOV RCX,RBP                          |
00007FFD0B325349 | E8 F2F290EF             | CALL fc_m64.7FFCFAC34640             |
00007FFD0B32534E | EB 11                   | JMP fc_m64.7FFD0B325361              |
00007FFD0B325350 | 895424 20               | MOV DWORD PTR SS:[RSP+20],EDX        |
00007FFD0B325354 | 48:89D9                 | MOV RCX,RBX                          |
00007FFD0B325357 | 48:8D5424 20            | LEA RDX,QWORD PTR SS:[RSP+20]        |
00007FFD0B32535C | E8 3FF590EF             | CALL fc_m64.7FFCFAC348A0             |
00007FFD0B325361 | 48:89C1                 | MOV RCX,RAX                          |
00007FFD0B325364 | 48:85C0                 | TEST RAX,RAX                         |
00007FFD0B325367 | 74 20                   | JE fc_m64.7FFD0B325389               |
00007FFD0B325369 | 48:8B57 08              | MOV RDX,QWORD PTR DS:[RDI+8]         |
00007FFD0B32536D | 4C:8D4424 28            | LEA R8,QWORD PTR SS:[RSP+28]         |
00007FFD0B325372 | 48:8B87 90020000        | MOV RAX,QWORD PTR DS:[RDI+290]       |
00007FFD0B325379 | 45:89F9                 | MOV R9D,R15D                         | if R15D = 0x1, then it's a Reward Item
The function starts at FC_m64.dll+11335150 (just in case ASLR doesn't land you on the address in the code above).

You can break there on your own, process the logic, then turn this info into a nice script that allows people to hijack the picked-up amount ;) Sure, you won't get the quantity without picking up a certain item of a certain type; but you'll manage (you have super jump, super speed, god mode, etc. -- it's all a matter of finding something to pick up; then you're set) ;)

BR,
Sun
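The loot-table walk annotated in the listing above (the loop between 0x7FFD0B3251C1 and 0x7FFD0B325220), modelled in Python as an added example; this is not SunBeam's code or the game's. The struct layout is taken from the listing's own comments: p_TableStart at +0x30, a packed qword at +0x38 whose high dword (bit 31 masked off by BTR) is the entry count, 0x30-byte entries with the item hash at +0x08. The per-entry quantity field at +0x10 is an assumption, because the game reaches that value through a call (GetQuantityOfItemsInStack) rather than a field read; the table image and item hashes are constructed.

```python
"""
Model of the CFCXLootTable walk from the x64dbg listing (FC_m64.dll,
0x7FFD0B3251C1..0x7FFD0B325220). Added example, not code from the game
or the thread. Offsets marked "listing" come from the annotations there;
QTY_OFF is an assumption.
"""
import struct

ENTRY_SIZE = 0x30        # listing: LEA RAX,[RCX+RCX*2] ; SHL RAX,4 -> count * 48
HASH_OFF = 0x08          # listing: CMP RCX,QWORD PTR [RBX+8]
QTY_OFF = 0x10           # ASSUMED: where the per-stack quantity lives in an entry
TABLE_PTR_OFF = 0x30     # listing: MOV RBX,QWORD PTR [RAX+30]   (p_TableStart)
TABLE_SIZE_OFF = 0x38    # listing: MOV RCX,QWORD PTR [RAX+38]   (qwTableSize)


def entry_count(packed_size: int) -> int:
    """SHR RCX,0x20 ; BTR ECX,0x1F : high dword of the qword, top bit cleared."""
    return (packed_size >> 32) & 0x7FFFFFFF


def build_table(entries):
    """Construct a fake memory image: a 0x40-byte table header followed by the
    entries. `entries` is a list of (item_hash, per_stack_quantity). The
    'pointer' at +0x30 is an offset into this image."""
    header = bytearray(0x40)
    body = bytearray()
    for item_hash, qty in entries:
        e = bytearray(ENTRY_SIZE)
        struct.pack_into("<Q", e, HASH_OFF, item_hash)
        struct.pack_into("<I", e, QTY_OFF, qty)
        body += e
    struct.pack_into("<Q", header, TABLE_PTR_OFF, len(header))
    # Count goes in the high dword; bit 31 is set on purpose to show BTR masks it.
    packed = ((len(entries) | 0x80000000) << 32) | 0xDEADBEEF
    struct.pack_into("<Q", header, TABLE_SIZE_OFF, packed)
    return bytes(header + body)


def find_entry(image: bytes, item_hash: int):
    """Walk the table the way the loop at 0x...51C1-0x...51F7 does; returns the
    entry offset or None when the hash is not present."""
    start = struct.unpack_from("<Q", image, TABLE_PTR_OFF)[0]
    packed = struct.unpack_from("<Q", image, TABLE_SIZE_OFF)[0]
    end = start + entry_count(packed) * ENTRY_SIZE      # p_TableEnd
    p = start
    while p != end:                                     # CMP RBX,RAX / JE|JNE
        if struct.unpack_from("<Q", image, p + HASH_OFF)[0] == item_hash:
            return p                                    # JE -> quantity lookup
        p += ENTRY_SIZE                                 # ADD RBX,0x30
    return None                                         # JMP past the lookup


def pickup_amount(image: bytes, item_hash: int, stacks: int) -> int:
    """Quantity handed to the inventory: per-stack quantity times the number of
    picked-up stacks (IMUL EBP,EAX). An item missing from the table yields 0."""
    p = find_entry(image, item_hash)
    if p is None:
        return 0
    per_stack = struct.unpack_from("<I", image, p + QTY_OFF)[0]
    return per_stack * stacks


# Constructed sample: made-up hashes; 0x66 mirrors the value in the listing's comment.
SAMPLE = build_table([(0x1111_2222_3333_4444, 5), (0xAAAA_BBBB_CCCC_DDDD, 0x66)])

if __name__ == "__main__":
    print(hex(pickup_amount(SAMPLE, 0xAAAA_BBBB_CCCC_DDDD, 1)))  # 0x66
```

Run stand-alone it prints 0x66, the same value the listing's comment records for the picked item. The detail worth keeping from the listing is the packed size field: the count is the high dword with bit 31 masked off, so reading +0x38 as a plain qword gives nonsense; p_TableEnd only comes out right after the SHR/BTR pair.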

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 3:05 pm

Here you go, Free Perk Points:

Code:

[ENABLE]

FC_m64.dll+19D88F0:
xor r9d,r9d
inc r9d
db 90 90 90

[DISABLE]

FC_m64.dll+19D88F0:
test r9d,r9d
je FC_m64.dll+19D8994
Turn the script on, then pick up anything (doesn't matter if plant, corpse, etc.). You'll get 1 Perk Point with any pick-up :D

BR,
Sun

P.S.: Happy stealing, dear competition! :) Oh, you know who you are.
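Why the [ENABLE] body ends in `db 90 90 90`: the original `test r9d,r9d` (3 bytes) plus `je rel32` (6 bytes) occupy 9 bytes at FC_m64.dll+19D88F0, and `xor r9d,r9d` plus `inc r9d` only cover 6, so the script pads to keep the two bodies the same size. The following Python is an added example, not part of the post: it encodes both bodies from the script's own addresses with standard x86-64 encodings (REX + opcode + ModRM; `je` displacement relative to the end of the instruction), checks that they are size-preserving, and models a guarded write that only touches a buffer when the expected bytes are present. The buffer it writes to is constructed; nothing here touches a process.

```python
"""
Size check for the Free Perk Points AutoAssembler script above.
Added example, not code from the thread. Addresses are the RVAs the script
names; encodings are standard x86-64.
"""
import struct

PATCH_RVA = 0x19D88F0       # FC_m64.dll+19D88F0  (from the script)
JE_TARGET_RVA = 0x19D8994   # FC_m64.dll+19D8994  (from the script)


def je_rel32(at: int, target: int) -> bytes:
    """Encode `je target` placed at `at`: 0F 84 disp32, disp measured from the
    end of the 6-byte instruction."""
    disp = target - (at + 6)
    return b"\x0f\x84" + struct.pack("<i", disp)


def enable_bytes() -> bytes:
    """Body of [ENABLE]: xor r9d,r9d / inc r9d / three nops."""
    return (b"\x45\x31\xc9"     # xor r9d,r9d  (REX.RB, 31 /r, ModRM C9)
            + b"\x41\xff\xc1"   # inc r9d      (REX.B,  FF /0, ModRM C1)
            + b"\x90\x90\x90")  # db 90 90 90  padding to 9 bytes


def disable_bytes() -> bytes:
    """Body of [DISABLE]: the original test r9d,r9d / je FC_m64.dll+19D8994."""
    test = b"\x45\x85\xc9"      # test r9d,r9d (REX.RB, 85 /r, ModRM C9)
    return test + je_rel32(PATCH_RVA + len(test), JE_TARGET_RVA)


def patch_is_size_preserving() -> bool:
    """True when enabling and disabling write exactly the same byte count."""
    return len(enable_bytes()) == len(disable_bytes())


def apply_patch(image: bytearray, off: int, new: bytes, expected: bytes) -> bool:
    """Write `new` at `off` only if `expected` is currently there. Refusing to
    write over anything else is what keeps a toggle script from corrupting
    code after a game update moves or changes the instructions."""
    if len(new) != len(expected):
        return False
    if bytes(image[off:off + len(expected)]) != expected:
        return False
    image[off:off + len(new)] = new
    return True


if __name__ == "__main__":
    # Constructed 32-byte buffer with the original sequence at offset 8.
    buf = bytearray(b"\xcc" * 32)
    buf[8:17] = disable_bytes()
    print(disable_bytes().hex(), enable_bytes().hex(), patch_is_size_preserving())
    print(apply_patch(buf, 8, enable_bytes(), disable_bytes()))   # True
    print(apply_patch(buf, 8, enable_bytes(), disable_bytes()))   # False: already patched
    print(apply_patch(buf, 8, disable_bytes(), enable_bytes()))   # True: restored
```

The displacement works out to 0x9B (FC_m64.dll+19D8994 minus the end of the `je` at +19D88F9), so the restored bytes are `45 85 C9 0F 84 9B 00 00 00`. The guarded write is the defensive habit worth copying: a disable body that blindly writes nine bytes is exactly what breaks after a silent update such as the one mentioned further down this thread.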

shaun12500
Noobzor
Posts: 5
Joined: Tue Oct 02, 2018 10:02 pm
Reputation: 0

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by shaun12500 » Fri Feb 15, 2019 6:39 pm

Stealth and free perk points won't work for me

SunBeam
Administration
Posts: 2536
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 1023

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by SunBeam » Fri Feb 15, 2019 7:49 pm

Don't think you people noticed that SILENT update a few hours ago. At least on UPlay it does show a Denuvo notification, some EULA or someth'. Will update the table later.

Savagetek
What is cheating?
Posts: 1
Joined: Fri Feb 15, 2019 8:33 pm
Reputation: 0

Re: Far Cry: New Dawn [Engine:Dunia Engine 2]

Post by Savagetek » Fri Feb 15, 2019 8:34 pm

Looks like that last game update broke it; both versions crash the game now... Seems to be no spread crashing the game.
