So yeah, managed to isolate the location where the commands are being set. Let me rephrase: these are CVars. "Player.GodModeEnabled 1" sets a 0x1 value at a static memory location. This happens here:
Code:
Crackdown3.exe+223D98C - 49 8B D7 - mov rdx,r15
Crackdown3.exe+223D98F - 83 7D D7 00 - cmp dword ptr [rbp-29],00
Crackdown3.exe+223D993 - 48 0F45 55 CF - cmovne rdx,[rbp-31]
Crackdown3.exe+223D998 - 41 B8 00000009 - mov r8d,09000000
Crackdown3.exe+223D99E - FF 50 68 - call qword ptr [rax+68] <-- enter this
That CALL takes you to this location:
Code:
Crackdown3.exe+22426D0 - 48 89 5C 24 10 - mov [rsp+10],rbx
Crackdown3.exe+22426D5 - 48 89 6C 24 18 - mov [rsp+18],rbp
Crackdown3.exe+22426DA - 57 - push rdi
Crackdown3.exe+22426DB - 48 83 EC 20 - sub rsp,20
Crackdown3.exe+22426DF - 48 8B EA - mov rbp,rdx
Crackdown3.exe+22426E2 - 41 8B F8 - mov edi,r8d
Crackdown3.exe+22426E5 - 41 8B D0 - mov edx,r8d
Crackdown3.exe+22426E8 - 48 8B D9 - mov rbx,rcx
Crackdown3.exe+22426EB - E8 50E9FEFF - call Crackdown3.exe+2231040
Crackdown3.exe+22426F0 - 84 C0 - test al,al
Crackdown3.exe+22426F2 - 74 3F - je Crackdown3.exe+2242733
Crackdown3.exe+22426F4 - 48 8B CD - mov rcx,rbp
Crackdown3.exe+22426F7 - 48 89 74 24 30 - mov [rsp+30],rsi
Crackdown3.exe+22426FC - FF 15 12AB3505 - call qword ptr [Crackdown3.exe+759D214]
Crackdown3.exe+2242702 - 8B D7 - mov edx,edi
Crackdown3.exe+2242704 - 48 8B CB - mov rcx,rbx
Crackdown3.exe+2242707 - 89 43 70 - mov [rbx+70],eax
Crackdown3.exe+224270A - E8 31E9FEFF - call Crackdown3.exe+2231040
Crackdown3.exe+224270F - 84 C0 - test al,al
Crackdown3.exe+2242711 - 74 1B - je Crackdown3.exe+224272E
Crackdown3.exe+2242713 - 44 8B 43 18 - mov r8d,[rbx+18]
Crackdown3.exe+2242717 - 48 8D 53 70 - lea rdx,[rbx+70]
Crackdown3.exe+224271B - 48 8B 4B 68 - mov rcx,[rbx+68]
Crackdown3.exe+224271F - E8 1C8CFEFF - call Crackdown3.exe+222B340 <-- enter this
Crackdown3.exe+2242724 - 8B D7 - mov edx,edi
Crackdown3.exe+2242726 - 48 8B CB - mov rcx,rbx
Crackdown3.exe+2242729 - E8 928EFFFF - call Crackdown3.exe+223B5C0
Crackdown3.exe+224272E - 48 8B 74 24 30 - mov rsi,[rsp+30]
Crackdown3.exe+2242733 - 48 8B 5C 24 38 - mov rbx,[rsp+38]
Crackdown3.exe+2242738 - 48 8B 6C 24 40 - mov rbp,[rsp+40]
Crackdown3.exe+224273D - 48 83 C4 20 - add rsp,20
Crackdown3.exe+2242741 - 5F - pop rdi
Crackdown3.exe+2242742 - C3 - ret
Then the CALL I've marked takes you here:
Code:
Crackdown3.exe+222B340 - 48 89 5C 24 08 - mov [rsp+08],rbx
Crackdown3.exe+222B345 - 48 89 6C 24 10 - mov [rsp+10],rbp
Crackdown3.exe+222B34A - 48 89 74 24 18 - mov [rsp+18],rsi
Crackdown3.exe+222B34F - 57 - push rdi
Crackdown3.exe+222B350 - 48 83 EC 20 - sub rsp,20
Crackdown3.exe+222B354 - 48 8B 1D A580B804 - mov rbx,[Crackdown3.exe+6DB3400]
Crackdown3.exe+222B35B - 41 8B E8 - mov ebp,r8d
Crackdown3.exe+222B35E - 48 8B FA - mov rdi,rdx
Crackdown3.exe+222B361 - 48 8B F1 - mov rsi,rcx
Crackdown3.exe+222B364 - 48 85 DB - test rbx,rbx
Crackdown3.exe+222B367 - 75 0C - jne Crackdown3.exe+222B375
Crackdown3.exe+222B369 - E8 627F0100 - call Crackdown3.exe+22432D0
Crackdown3.exe+222B36E - 48 8B 1D 8B80B804 - mov rbx,[Crackdown3.exe+6DB3400]
Crackdown3.exe+222B375 - 80 3D C697B904 00 - cmp byte ptr [Crackdown3.exe+6DC4B42],00
Crackdown3.exe+222B37C - 74 17 - je Crackdown3.exe+222B395
Crackdown3.exe+222B37E - FF 15 481B3705 - call qword ptr [Crackdown3.exe+759CECC]
Crackdown3.exe+222B384 - 3B 05 BA97B904 - cmp eax,[Crackdown3.exe+6DC4B44]
Crackdown3.exe+222B38A - 75 2D - jne Crackdown3.exe+222B3B9
Crackdown3.exe+222B38C - 83 3D 2191B804 00 - cmp dword ptr [Crackdown3.exe+6DB44B4],00
Crackdown3.exe+222B393 - 75 24 - jne Crackdown3.exe+222B3B9
Crackdown3.exe+222B395 - 40 F6 C5 20 - test bpl,20
Crackdown3.exe+222B399 - 74 1A - je Crackdown3.exe+222B3B5
Crackdown3.exe+222B39B - 48 8B 8B 80000000 - mov rcx,[rbx+00000080]
Crackdown3.exe+222B3A2 - 48 85 C9 - test rcx,rcx
Crackdown3.exe+222B3A5 - 74 0E - je Crackdown3.exe+222B3B5
Crackdown3.exe+222B3A7 - 48 8B 01 - mov rax,[rcx]
Crackdown3.exe+222B3AA - 48 8B D6 - mov rdx,rsi
Crackdown3.exe+222B3AD - 44 8B 07 - mov r8d,[rdi]
Crackdown3.exe+222B3B0 - FF 50 18 - call qword ptr [rax+18]
Crackdown3.exe+222B3B3 - EB 04 - jmp Crackdown3.exe+222B3B9
Crackdown3.exe+222B3B5 - 8B 07 - mov eax,[rdi]
Crackdown3.exe+222B3B7 - 89 06 - mov [rsi],eax <-- this is where the CVar is set
Crackdown3.exe+222B3B9 - 48 8B 6C 24 38 - mov rbp,[rsp+38]
Crackdown3.exe+222B3BE - 48 8B 74 24 40 - mov rsi,[rsp+40]
Crackdown3.exe+222B3C3 - C6 83 8C000000 01 - mov byte ptr [rbx+0000008C],01
Crackdown3.exe+222B3CA - 48 8B 5C 24 30 - mov rbx,[rsp+30]
Crackdown3.exe+222B3CF - 48 83 C4 20 - add rsp,20
Crackdown3.exe+222B3D3 - 5F - pop rdi
Crackdown3.exe+222B3D4 - C3 - ret
And the CVar is set here:
Code:
Crackdown3.exe+222B3B5 - 8B 07 - mov eax,[rdi]
Crackdown3.exe+222B3B7 - 89 06 - mov [rsi],eax
Now, if we take a step back, up in the code we see this:
Code:
Crackdown3.exe+223D45D - 48 0F45 55 DF - cmovne rdx,[rbp-21]
Crackdown3.exe+223D462 - 48 8B 07 - mov rax,[rdi]
Crackdown3.exe+223D465 - 48 8B CF - mov rcx,rdi
Crackdown3.exe+223D468 - FF 90 90000000 - call qword ptr [rax+00000090]
Crackdown3.exe+223D46E - 48 8B D8 - mov rbx,rax
Past that CALL, my RAX is -> 000001A447D74C80. Now, if I check RAX's memory (which is our CVar structure), I see this:
Now, if I check that address and its value I see this:
Now, if I set it to 1, I see this:
And if you're curious to know where this byte is checked (for a PROPER God Mode):
Code:
Crackdown3.exe+CCCD20 - 40 53 - push rbx
Crackdown3.exe+CCCD22 - 48 83 EC 20 - sub rsp,20
Crackdown3.exe+CCCD26 - 83 3D 1B8BC305 01 - cmp dword ptr [Crackdown3.exe+6905848],01 <-- hello!
Crackdown3.exe+CCCD2D - 48 8B D9 - mov rbx,rcx
Crackdown3.exe+CCCD30 - 0F84 8D000000 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD36 - 48 8B 89 58330000 - mov rcx,[rcx+00003358]
Crackdown3.exe+CCCD3D - 48 85 C9 - test rcx,rcx
Crackdown3.exe+CCCD40 - 74 09 - je Crackdown3.exe+CCCD4B
Crackdown3.exe+CCCD42 - F6 81 82000000 40 - test byte ptr [rcx+00000082],40 <-- set by "god" command
Crackdown3.exe+CCCD49 - 74 78 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD4B - 48 63 83 D0150000 - movsxd rax,dword ptr [rbx+000015D0]
Crackdown3.exe+CCCD52 - 48 8B 94 C3 C0130000 - mov rdx,[rbx+rax*8+000013C0]
Crackdown3.exe+CCCD5A - 48 85 D2 - test rdx,rdx
Crackdown3.exe+CCCD5D - 74 2C - je Crackdown3.exe+CCCD8B
Crackdown3.exe+CCCD5F - F7 42 3C 00010000 - test [rdx+3C],0100
Crackdown3.exe+CCCD66 - 74 0D - je Crackdown3.exe+CCCD75
Crackdown3.exe+CCCD68 - 8B 83 58110000 - mov eax,[rbx+00001158]
Crackdown3.exe+CCCD6E - C1 E8 0B - shr eax,0B
Crackdown3.exe+CCCD71 - A8 01 - test al,01
Crackdown3.exe+CCCD73 - 74 4E - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD75 - F7 42 40 00020000 - test [rdx+40],0200
Crackdown3.exe+CCCD7C - 74 0D - je Crackdown3.exe+CCCD8B
Crackdown3.exe+CCCD7E - 8B 83 58110000 - mov eax,[rbx+00001158]
Crackdown3.exe+CCCD84 - C1 E8 0B - shr eax,0B
Crackdown3.exe+CCCD87 - A8 01 - test al,01
Crackdown3.exe+CCCD89 - 74 38 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCD8B - 48 85 C9 - test rcx,rcx
Crackdown3.exe+CCCD8E - 74 22 - je Crackdown3.exe+CCCDB2
Crackdown3.exe+CCCD90 - 48 8B 89 58040000 - mov rcx,[rcx+00000458]
Crackdown3.exe+CCCD97 - 48 85 C9 - test rcx,rcx
Crackdown3.exe+CCCD9A - 74 16 - je Crackdown3.exe+CCCDB2
Crackdown3.exe+CCCD9C - E8 DF6B5B00 - call Crackdown3.exe+1283980
Crackdown3.exe+CCCDA1 - 84 C0 - test al,al
Crackdown3.exe+CCCDA3 - 74 0D - je Crackdown3.exe+CCCDB2
Crackdown3.exe+CCCDA5 - 8B 83 58110000 - mov eax,[rbx+00001158]
Crackdown3.exe+CCCDAB - C1 E8 0B - shr eax,0B
Crackdown3.exe+CCCDAE - A8 01 - test al,01
Crackdown3.exe+CCCDB0 - 74 11 - je Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCDB2 - 80 BB AC460000 00 - cmp byte ptr [rbx+000046AC],00
Crackdown3.exe+CCCDB9 - 75 08 - jne Crackdown3.exe+CCCDC3
Crackdown3.exe+CCCDBB - B0 01 - mov al,01
Crackdown3.exe+CCCDBD - 48 83 C4 20 - add rsp,20
Crackdown3.exe+CCCDC1 - 5B - pop rbx
Crackdown3.exe+CCCDC2 - C3 - ret
Crackdown3.exe+CCCDC3 - 32 C0 - xor al,al
Crackdown3.exe+CCCDC5 - 48 83 C4 20 - add rsp,20
Crackdown3.exe+CCCDC9 - 5B - pop rbx
Crackdown3.exe+CCCDCA - C3 - ret
And yes, the "Player.HasInfiniteAmmo 1" and "Player.HasInfiniteClipAmmo 1" CVars are not checked anywhere in the code. Now you know why some of them don't work.
However, you can patch the clip ammo here:
Code:
Crackdown3.exe+1716CE0 - 48 89 5C 24 08 - mov [rsp+08],rbx
Crackdown3.exe+1716CE5 - 57 - push rdi
Crackdown3.exe+1716CE6 - 48 83 EC 20 - sub rsp,20
Crackdown3.exe+1716CEA - 80 B9 41020000 00 - cmp byte ptr [rcx+00000241],00 <-- flip bool ;)
Crackdown3.exe+1716CF1 - 48 8B D9 - mov rbx,rcx
Crackdown3.exe+1716CF4 - 48 63 81 24010000 - movsxd rax,dword ptr [rcx+00000124]
Crackdown3.exe+1716CFB - 48 8B BC C1 08010000 - mov rdi,[rcx+rax*8+00000108]
Crackdown3.exe+1716D03 - 75 0C - jne Crackdown3.exe+1716D11
Crackdown3.exe+1716D05 - 29 91 98000000 - sub [rcx+00000098],edx
Crackdown3.exe+1716D0B - 29 91 90000000 - sub [rcx+00000090],edx <-- ammo sub
Crackdown3.exe+1716D11 - B2 01 - mov dl,01
Crackdown3.exe+1716D13 - E8 5838FFFF - call Crackdown3.exe+170A570
Crackdown3.exe+1716D18 - 83 BB 90000000 00 - cmp dword ptr [rbx+00000090],00
Crackdown3.exe+1716D1F - 7F 58 - jg Crackdown3.exe+1716D79
Crackdown3.exe+1716D21 - 83 BB 98000000 00 - cmp dword ptr [rbx+00000098],00
Crackdown3.exe+1716D28 - 7E 4F - jle Crackdown3.exe+1716D79
Crackdown3.exe+1716D2A - 83 BB 9C000000 04 - cmp dword ptr [rbx+0000009C],04
Crackdown3.exe+1716D31 - 74 46 - je Crackdown3.exe+1716D79
Crackdown3.exe+1716D33 - 48 8B 47 10 - mov rax,[rdi+10]
Crackdown3.exe+1716D37 - 48 85 C0 - test rax,rax
Crackdown3.exe+1716D3A - 74 2C - je Crackdown3.exe+1716D68
Crackdown3.exe+1716D3C - 80 78 28 00 - cmp byte ptr [rax+28],00
Crackdown3.exe+1716D40 - 74 26 - je Crackdown3.exe+1716D68
Crackdown3.exe+1716D42 - 48 8B 03 - mov rax,[rbx]
Crackdown3.exe+1716D45 - 45 33 C9 - xor r9d,r9d
Crackdown3.exe+1716D48 - 0F57 D2 - xorps xmm2,xmm2
Crackdown3.exe+1716D4B - 33 D2 - xor edx,edx
Crackdown3.exe+1716D4D - 48 8B CB - mov rcx,rbx
Crackdown3.exe+1716D50 - FF 90 08020000 - call qword ptr [rax+00000208]
Crackdown3.exe+1716D56 - C6 83 30020000 01 - mov byte ptr [rbx+00000230],01
Crackdown3.exe+1716D5D - 48 8B 5C 24 30 - mov rbx,[rsp+30]
Crackdown3.exe+1716D62 - 48 83 C4 20 - add rsp,20
Crackdown3.exe+1716D66 - 5F - pop rdi
Crackdown3.exe+1716D67 - C3 - ret
Crackdown3.exe+1716D68 - 33 D2 - xor edx,edx
Crackdown3.exe+1716D6A - 48 8B CB - mov rcx,rbx
Crackdown3.exe+1716D6D - E8 DED9FFFF - call Crackdown3.exe+1714750
Crackdown3.exe+1716D72 - C6 83 30020000 01 - mov byte ptr [rbx+00000230],01
Crackdown3.exe+1716D79 - 48 8B 5C 24 30 - mov rbx,[rsp+30]
Crackdown3.exe+1716D7E - 48 83 C4 20 - add rsp,20
Crackdown3.exe+1716D82 - 5F - pop rdi
Crackdown3.exe+1716D83 - C3 - ret
BOOL gets reset here when you change weapons or grab some ledge:
Code:
Crackdown3.exe+170B2C7 - 66 C7 81 36020000 0000 - mov word ptr [rcx+00000236],0000
Crackdown3.exe+170B2D0 - 0F94 C0 - sete al
Crackdown3.exe+170B2D3 - C6 81 41020000 00 - mov byte ptr [rcx+00000241],00 <-- here
Crackdown3.exe+170B2DA - 88 81 50010000 - mov [rcx+00000150],al
Crackdown3.exe+170B2E0 - 48 63 81 24010000 - movsxd rax,dword ptr [rcx+00000124]
There you go; happy unlimited clip ammo.
The game is non-standard in terms of programmed code and UE4; it looks like the developers didn't want to use much of the stock engine features for movement, weaponry, etc. They had something else in mind.
BR,
Sun
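The post above leans on Cheat Engine disassembly dumps to trace a CVar write from the console handler down to a single `mov [rsi],eax`. When you work from a pasted listing like that rather than a live debugger, it helps to be able to check that the printed call/jump targets and `[module+X]` operands really agree with the raw bytes. The following is an added example (not code from the post or from Cheat Engine) that parses lines in the `<module>+<offset> - <bytes> - <asm>` format shown above, decodes rel8/rel32 branch displacements and RIP-relative disp32 operands from the bytes, and compares them with what the disassembler printed. The sample listing is constructed from a handful of lines taken from the post; the function names and the `<--` note handling are this example's own conventions.

```python
"""Parse a Cheat Engine style disassembly dump and cross-check its targets.

Added example, not code from the post. Each listing line has the shape
    <module>+<offset> - <hex bytes> - <mnemonic operands> [<-- note]
Offsets are module-relative, as Cheat Engine prints them, so all the
address arithmetic below stays in module-relative space.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines in the post's listing format.
SAMPLE_LISTING = """\
Crackdown3.exe+22426EB - E8 50E9FEFF - call Crackdown3.exe+2231040
Crackdown3.exe+22426F0 - 84 C0 - test al,al
Crackdown3.exe+22426F2 - 74 3F - je Crackdown3.exe+2242733
Crackdown3.exe+22426FC - FF 15 12AB3505 - call qword ptr [Crackdown3.exe+759D214]
Crackdown3.exe+224271F - E8 1C8CFEFF - call Crackdown3.exe+222B340 <-- enter this
Crackdown3.exe+222B354 - 48 8B 1D A580B804 - mov rbx,[Crackdown3.exe+6DB3400]
Crackdown3.exe+222B3B7 - 89 06 - mov [rsi],eax <-- this is where the CVar is set
"""

# Matches "<name>+<hex>" inside an operand; <name> excludes brackets and commas.
ADDR_RE = re.compile(r"([^\s\[\]+,]+)\+([0-9A-Fa-f]+)")


@dataclass
class Insn:
    module: str
    offset: int            # module-relative address of the instruction
    code: bytes            # encoded bytes exactly as listed
    asm: str               # mnemonic and operands as printed
    note: Optional[str]    # text after "<--", if any

    @property
    def next_ip(self) -> int:
        return self.offset + len(self.code)


def parse_line(line: str) -> Insn:
    loc, hexpart, rest = line.strip().split(" - ", 2)
    module, off = loc.split("+", 1)
    asm, _, note = rest.partition("<--")
    code = bytes.fromhex(hexpart.replace(" ", ""))
    return Insn(module, int(off, 16), code, asm.strip(), note.strip() or None)


def parse_listing(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if " - " in l]


def claimed_target(insn: Insn) -> Optional[int]:
    """The module+offset the disassembler printed in the operand, if any."""
    m = ADDR_RE.search(insn.asm)
    return int(m.group(2), 16) if m and m.group(1) == insn.module else None


def branch_target(insn: Insn) -> Optional[int]:
    """Decode the rel8/rel32 of a direct call/jmp/jcc from the bytes."""
    c, n = insn.code, insn.next_ip
    if c[0] in (0xE8, 0xE9):                    # call/jmp rel32
        return n + int.from_bytes(c[1:5], "little", signed=True)
    if c[0] == 0xEB or 0x70 <= c[0] <= 0x7F:    # jmp/jcc rel8
        return n + int.from_bytes(c[1:2], "little", signed=True)
    if c[0] == 0x0F and 0x80 <= c[1] <= 0x8F:   # jcc rel32 (two-byte opcode)
        return n + int.from_bytes(c[2:6], "little", signed=True)
    return None                                 # not a direct branch


def rip_relative_matches(insn: Insn, claimed: int) -> bool:
    """True if some 4-byte window of the encoding is a disp32 which, added to
    the end of the instruction, yields the printed [module+X] operand.
    RIP-relative displacements are always relative to the end of the whole
    instruction (immediate included), so no ModRM decoding is needed here."""
    c = insn.code
    for i in range(1, len(c) - 3):
        disp = int.from_bytes(c[i:i + 4], "little", signed=True)
        if insn.next_ip + disp == claimed:
            return True
    return False


def verify(insn: Insn) -> str:
    """Return 'ok', 'mismatch' or 'n/a' (no module-relative operand)."""
    claimed = claimed_target(insn)
    if claimed is None:
        return "n/a"
    decoded = branch_target(insn)
    if decoded is not None:
        return "ok" if decoded == claimed else "mismatch"
    return "ok" if rip_relative_matches(insn, claimed) else "mismatch"


def check_listing(text: str) -> dict:
    """Map each instruction offset to its verification status."""
    return {insn.offset: verify(insn) for insn in parse_listing(text)}


if __name__ == "__main__":
    for insn in parse_listing(SAMPLE_LISTING):
        print(f"+{insn.offset:X}  {verify(insn):8}  {insn.asm}")
```

Run on the sample, every call, jcc and `[Crackdown3.exe+X]` operand verifies as `ok`, and the two lines without a module-relative operand report `n/a`; altering a single displacement byte in a pasted line flips that line to `mismatch`, which is the kind of transcription error that otherwise sends you to the wrong function when you follow a listing offline.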