This is what I've got so far: camera pitch and yaw, plus coords, deltas, movement speed, and jump height. I might be back at it this weekend.
{
Process : BorderlandsGOTY.exe - (x64)
Module : BorderlandsGOTY.exe
Game Title : Borderlands GOTY Enhanced
Game Version : 1.5.0.0
CE Version : 6.83
Script Version : 0.0.1
Date : 04/04/19
Author : ShyTwig16
Name : PlayerHook
Player Hook
}
//// Auto Assembler directive and the two constants used by this script.
{$STRICT}
//// Static address of the injection point. Nothing else in this script refers to `address`;
//// the live address is found by the AOB scan in [ENABLE].
define(address, BorderlandsGOTY.exe+13C39DD)
//// The 8 original bytes of `movsd xmm0,[rcx+0000009C]` at the injection point.
//// assert() checks them before patching, and [DISABLE] writes them back.
define(bytes, F2 0F 10 81 9C 00 00 00)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
//// Purpose: patch one instruction in BorderlandsGOTY.exe so that each time it runs the value
//// of rcx is copied into ptrPlayerHook, which the cheat table then uses as a base pointer.
////
//// Find the code by a wildcarded byte pattern, not a fixed address. The pattern starts 0xA
//// bytes before the instruction that gets replaced.
aobScanModule(aobPlayerHook, BorderlandsGOTY.exe, 8Bxxxxxxxxxx89xxxxxxF2xxxxxxxxxxxxxxF2xxxxxxxx8Bxxxxxxxxxx89xxxxEBxx48)
define(injPlayerHook, aobPlayerHook+A)
//// Refuse to enable unless the bytes at the injection point are exactly the expected
//// instruction. With a pattern this heavily wildcarded, this is the only guard against
//// patching the wrong location (e.g. after a game update).
assert(injPlayerHook, bytes)
registerSymbol(injPlayerHook)
//// 0x400 bytes for the hook, requested near injPlayerHook so that the jump written at the
//// injection point can be a 5-byte relative jmp.
//// NOTE(review): the patch below assumes the allocation landed within rel32 range; a longer
//// jump encoding would not fit in the 8 bytes being replaced - confirm.
alloc(memPlayerHook, 0x400, injPlayerHook)
label(ptrPlayerHook)
//// Registered so the cheat table entries and other scripts can address it by name.
registerSymbol(ptrPlayerHook)
label(n_code)
label(o_code)
label(exit)
label(return)
memPlayerHook:
//// 8-byte slot for the captured pointer; stays 0 until the hooked instruction first runs.
ptrPlayerHook:
dq 0
//// Pad to a 0x10 boundary with CC bytes before the code starts.
align 10 CC
n_code:
//// Store rcx, the base register of the replaced load. No other register or flag is touched,
//// so nothing needs to be saved or restored here.
//// NOTE(review): this is a snapshot and nothing visible here ever clears it, so it can go
//// stale (presumably on level change or when the object is freed); readers should not
//// assume it is still valid.
mov [ptrPlayerHook],rcx
o_code:
//// The displaced original instruction, executed unchanged.
movsd xmm0,[rcx+0000009C]
exit:
jmp return
////
//// ---------- Injection Point ----------
injPlayerHook:
//// 5-byte jmp plus 3 nops = the 8 bytes of the replaced instruction, so the instruction
//// that follows stays intact and `return` lands exactly on it.
jmp n_code
nop
nop
nop
return:
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
//// Undo the patch: write the original bytes back first, then drop the symbols and free the
//// hook memory, so the game never jumps into memory that has already been released.
////
//// ---------- Injection Point ----------
injPlayerHook:
db bytes
unregisterSymbol(injPlayerHook)
//// NOTE(review): the MovementSpeedHook script on this page reads [ptrPlayerHook] from inside
//// its own hook. If that script is still enabled when this one is disabled, it would be
//// reading from the block freed below - disable it first.
unregisterSymbol(ptrPlayerHook)
dealloc(memPlayerHook)
{
//// Injection Point: BorderlandsGOTY.exe+13C39DD - 0000000140BC39DD
//// AOB address: 0000000140BC39D3 - BorderlandsGOTY.exe+13C39D3
//// Process: BorderlandsGOTY.exe - 000000013F800000
//// Module: BorderlandsGOTY.exe - 000000013F800000
//// Module Size: 00000000028FA000
BorderlandsGOTY.exe+13C3974: 4D 8B EC - mov r13,r12
BorderlandsGOTY.exe+13C3977: 4C 89 64 24 60 - mov [rsp+60],r12
BorderlandsGOTY.exe+13C397C: 48 85 DB - test rbx,rbx
BorderlandsGOTY.exe+13C397F: 0F84 1A1B0000 - je 140BC549F
BorderlandsGOTY.exe+13C3985: 4D 85 ED - test r13,r13
BorderlandsGOTY.exe+13C3988: 0F84 111B0000 - je 140BC549F
BorderlandsGOTY.exe+13C398E: 44 39 A6 C0110000 - cmp [rsi+000011C0],r12d
BorderlandsGOTY.exe+13C3995: 0F84 041B0000 - je 140BC549F
BorderlandsGOTY.exe+13C399B: 48 69 C7 34020000 - imul rax,rdi,00000234
BorderlandsGOTY.exe+13C39A2: 4C 8D BE 60050000 - lea r15,[rsi+00000560]
BorderlandsGOTY.exe+13C39A9: 4C 03 F8 - add r15,rax
BorderlandsGOTY.exe+13C39AC: 4C 89 7C 24 58 - mov [rsp+58],r15
BorderlandsGOTY.exe+13C39B1: 48 8B 8C FE B8010000 - mov rcx,[rsi+rdi*8+000001B8]
BorderlandsGOTY.exe+13C39B9: 48 8B 81 60020000 - mov rax,[rcx+00000260]
BorderlandsGOTY.exe+13C39C0: 48 85 C0 - test rax,rax
BorderlandsGOTY.exe+13C39C3: 74 30 - je 140BC39F5
BorderlandsGOTY.exe+13C39C5: F2 0F10 80 90000000 - movsd xmm0,[rax+00000090]
BorderlandsGOTY.exe+13C39CD: F2 0F11 44 24 30 - movsd [rsp+30],xmm0
BorderlandsGOTY.exe+13C39D3: 8B 80 98000000 - mov eax,[rax+00000098] <<<--- AOB Starts Here
BorderlandsGOTY.exe+13C39D9: 89 44 24 38 - mov [rsp+38],eax
//// INJECTING START ----------------------------------------------------------
BorderlandsGOTY.exe+13C39DD: F2 0F10 81 9C000000 - movsd xmm0,[rcx+0000009C]
//// INJECTING END ----------------------------------------------------------
BorderlandsGOTY.exe+13C39E5: F2 0F11 45 C0 - movsd [rbp-40],xmm0
BorderlandsGOTY.exe+13C39EA: 8B 81 A4000000 - mov eax,[rcx+000000A4]
BorderlandsGOTY.exe+13C39F0: 89 45 C8 - mov [rbp-38],eax
BorderlandsGOTY.exe+13C39F3: EB 15 - jmp 140BC3A0A
BorderlandsGOTY.exe+13C39F5: 48 8B 01 - mov rax,[rcx]
BorderlandsGOTY.exe+13C39F8: 45 33 C9 - xor r9d,r9d
BorderlandsGOTY.exe+13C39FB: 4C 8D 45 C0 - lea r8,[rbp-40]
BorderlandsGOTY.exe+13C39FF: 48 8D 54 24 30 - lea rdx,[rsp+30]
BorderlandsGOTY.exe+13C3A04: FF 90 08080000 - call qword ptr [rax+00000808]
BorderlandsGOTY.exe+13C3A0A: 0FB7 45 C4 - movzx eax,word ptr [rbp-3C]
BorderlandsGOTY.exe+13C3A0E: 89 85 C8000000 - mov [rbp+000000C8],eax
BorderlandsGOTY.exe+13C3A14: 41 8B 0F - mov ecx,[r15]
BorderlandsGOTY.exe+13C3A17: 89 8D D0000000 - mov [rbp+000000D0],ecx
BorderlandsGOTY.exe+13C3A1D: 48 8D 15 7CC81001 - lea rdx,[141CD02A0] ["x\jA"]
BorderlandsGOTY.exe+13C3A24: F3 44 0F10 25 E7925F00 - movss xmm12,[1411BCD14] [(float)0.0000]
BorderlandsGOTY.exe+13C3A2D: 3B C1 - cmp eax,ecx
BorderlandsGOTY.exe+13C3A2F: 74 79 - je 140BC3AAA
BorderlandsGOTY.exe+13C3A31: 41 89 07 - mov [r15],eax
BorderlandsGOTY.exe+13C3A34: 66 0F6E B6 C0110000 - movd xmm6,[rsi+000011C0]
BorderlandsGOTY.exe+13C3A3C: 0F5B F6 - cvtdq2ps xmm6,xmm6
//// Template: I2CEA_AOBFullInjection
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}
And this is the structure I've figured out so far.
<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
<CheatEntries>
<CheatEntry>
<ID>1825</ID>
<Description>"ptrPlayerHook"</Description>
<LastState Value="00000000357C79A0" RealAddress="13F7C0000"/>
<ShowAsHex>1</ShowAsHex>
<Color>808080</Color>
<VariableType>8 Bytes</VariableType>
<Address>ptrPlayerHook</Address>
<CheatEntries>
<CheatEntry>
<ID>1826</ID>
<Description>"+9C - Camera Pitch"</Description>
<LastState Value="64247" RealAddress="357C7A3C"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>4 Bytes</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>9C</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1827</ID>
<Description>"+A0 - Camera Yaw"</Description>
<LastState Value="100044" RealAddress="357C7A40"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>4 Bytes</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>A0</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1866</ID>
<Description>"+260"</Description>
<LastState Value="0000000075ECD5F0" RealAddress="357C7C00"/>
<ShowAsHex>1</ShowAsHex>
<Color>808080</Color>
<VariableType>8 Bytes</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>260</Offset>
</Offsets>
<CheatEntries>
<CheatEntry>
<ID>1868</ID>
<Description>"+90 - X Coord."</Description>
<LastState Value="-27346.83984" RealAddress="75ECD680"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>90</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1870</ID>
<Description>"+94 - Z Coord."</Description>
<LastState Value="26507.2793" RealAddress="75ECD684"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>94</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1869</ID>
<Description>"+98 - Y Coord."</Description>
<LastState Value="565.8141479" RealAddress="75ECD688"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>98</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1880</ID>
<Description>"+17C - X Coord. Delta"</Description>
<LastState Value="188.040863" RealAddress="75ECD76C"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>17C</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1881</ID>
<Description>"+180 - Z Coord. Delta"</Description>
<LastState Value="31.70456505" RealAddress="75ECD770"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>180</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1882</ID>
<Description>"+184 - Y Coord. Delta"</Description>
<LastState Value="0" RealAddress="75ECD774"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>184</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1875</ID>
<Description>"+37C - Movement Speed"</Description>
<LastState Value="440" RealAddress="75ECD96C"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>37C</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1878</ID>
<Description>"+380 - Base Movement Speed"</Description>
<LastState Value="440" RealAddress="75ECD970"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>380</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1879</ID>
<Description>"+38C - Is Sprinting"</Description>
<LastState Value="0" RealAddress="75ECD97C"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>38C</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1877</ID>
<Description>"+3B8 - Jump Height"</Description>
<LastState Value="630" RealAddress="75ECD9A8"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>3B8</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1876</ID>
<Description>"+3BC - Base Jump Height"</Description>
<LastState Value="630" RealAddress="75ECD9AC"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>3BC</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1883</ID>
<Description>"+424 - View Height"</Description>
<LastState Value="77" RealAddress="75ECDA14"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>424</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
<CheatEntry>
<ID>1884</ID>
<Description>"+428 - ?? View Height"</Description>
<LastState Value="74.3034668" RealAddress="75ECDA18"/>
<ShowAsSigned>1</ShowAsSigned>
<Color>000000</Color>
<VariableType>Float</VariableType>
<Address>ptrPlayerHook</Address>
<Offsets>
<Offset>428</Offset>
<Offset>260</Offset>
</Offsets>
</CheatEntry>
</CheatEntries>
</CheatEntry>
</CheatEntries>
</CheatEntry>
</CheatEntries>
</CheatTable>
And a movement speed hook to go with it. It seems all entities use this code, so it could be used to slow others down. But it requires the ptrPlayerHook symbol to be set, i.e. the PlayerHook script above has to be enabled first.
{
Process : BorderlandsGOTY.exe - (x64)
Module : BorderlandsGOTY.exe
Game Title : Borderlands GOTY Enhanced
Game Version : 1.5.0.0
CE Version : 6.83
Script Version : 0.0.1
Date : 04/05/19
Author : ShyTwig16
Name : MovementSpeedHook
Movement Speed Hook
}
//// Auto Assembler directive and the two constants used by this script.
{$STRICT}
//// Static address of the injection point. Nothing else in this script refers to `address`;
//// the live address is found by the AOB scan in [ENABLE].
define(address, BorderlandsGOTY.exe+809399)
//// The 9 original bytes of `movss xmm3,[r14+0000037C]` at the injection point.
//// assert() checks them before patching, and [DISABLE] writes them back.
define(bytes, F3 41 0F 10 9E 7C 03 00 00)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
//// Purpose: hook the load of the float at [r14+37C] (labelled "Movement Speed" in the cheat
//// table on this page). When r14 is the player's structure the loaded value is scaled by
//// fltMovementSpeedHook; for every other entity the original load runs unchanged.
//// Depends on the ptrPlayerHook symbol registered by the PlayerHook script, which must
//// already be enabled when this script is assembled.
////
//// Find the code by a wildcarded byte pattern; the instruction to replace is 0xE bytes in.
aobScanModule(aobMovementSpeedHook, BorderlandsGOTY.exe, F3xxxxxxxxxxxxxxF3xxxxxxxxxxF3xxxxxxxxxxxxxxxx41xxxxxx48xxxxxxxxxxxx49xxxx41xxxxxxxxxxxxF2)
define(injMovementSpeedHook, aobMovementSpeedHook+E)
//// Refuse to enable unless the bytes at the injection point are exactly the expected
//// instruction. This is the only guard against the wildcard pattern matching elsewhere.
assert(injMovementSpeedHook, bytes)
registerSymbol(injMovementSpeedHook)
//// 0x400 bytes for the hook, requested near the injection point so the patch can use a
//// 5-byte relative jmp.
//// NOTE(review): assumes the allocation landed within rel32 range of the injection point - confirm.
alloc(memMovementSpeedHook, 0x400, injMovementSpeedHook)
label(fltMovementSpeedHook)
registerSymbol(fltMovementSpeedHook)
label(ptrMovementSpeedHook)
registerSymbol(ptrMovementSpeedHook)
label(pms_code)
label(n_code)
label(o_code)
label(exit)
label(return)
memMovementSpeedHook:
//// Speed multiplier applied to the player's value. It is a registered symbol, so it can be
//// changed from the table while the hook is active.
fltMovementSpeedHook:
dd (float)1.75
align 10
//// Two 8-byte slots: +0 receives r14 when it matched the player (pms_code),
//// +8 receives r14 for the most recent entity that did not match (n_code).
ptrMovementSpeedHook:
dq 0
dq 0
align 10 CC
//// Player path. Entered from n_code with flags and rax already pushed, so it leaves through
//// `exit` to keep the stack balanced.
pms_code:
mov [ptrMovementSpeedHook],r14
//// Only the value loaded into xmm3 is scaled; the float stored at [r14+37C] is not written.
movss xmm3,[r14+0000037C]
mulss xmm3,[fltMovementSpeedHook]
jmp exit
align 10 CC
//// Hook entry. test/cmp change the flags and rax is used as scratch, so both are saved here
//// and restored at `exit`.
n_code:
pushfq
push rax
//// rax = pointer captured by PlayerHook; 0 means it has not fired yet -> behave as original.
mov rax,[ptrPlayerHook]
test rax,rax
jz o_code
//// NOTE(review): only null is checked. If the captured pointer is stale (object freed or
//// replaced), this dereference reads unmapped or reused memory and can crash the game or
//// match the wrong entity - confirm the object's lifetime before relying on it.
mov rax,[rax+260]
test rax,rax
jz o_code
//// Does the structure this code is processing (r14) belong to the player?
cmp rax,r14
je pms_code
mov [ptrMovementSpeedHook+8],r14
o_code:
//// The displaced original instruction, executed unchanged.
movss xmm3,[r14+0000037C]
exit:
pop rax
popfq
jmp return
////
//// ---------- Injection Point ----------
injMovementSpeedHook:
//// 5-byte jmp plus 4 nops = the 9 bytes of the replaced instruction, so the instruction
//// that follows stays intact and `return` lands exactly on it.
jmp n_code
nop
nop
nop
nop
return:
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
//// Undo the patch: write the original bytes back first, then drop the three symbols and free
//// the hook memory, so the game never jumps into memory that has already been released.
////
//// ---------- Injection Point ----------
injMovementSpeedHook:
db bytes
unregisterSymbol(injMovementSpeedHook)
unregisterSymbol(fltMovementSpeedHook)
unregisterSymbol(ptrMovementSpeedHook)
dealloc(memMovementSpeedHook)
{
//// Injection Point: BorderlandsGOTY.exe+809399 - 0000000140009399
//// AOB address: 000000014000938B - BorderlandsGOTY.exe+80938B
//// Process: BorderlandsGOTY.exe - 000000013F800000
//// Module: BorderlandsGOTY.exe - 000000013F800000
//// Module Size: 00000000028FA000
BorderlandsGOTY.exe+809333: 0F28 CA - movaps xmm1,xmm2
BorderlandsGOTY.exe+809336: F3 0F59 CC - mulss xmm1,xmm4
BorderlandsGOTY.exe+80933A: F3 0F11 4C 24 50 - movss [rsp+50],xmm1
BorderlandsGOTY.exe+809340: 0F28 C2 - movaps xmm0,xmm2
BorderlandsGOTY.exe+809343: F3 0F59 C3 - mulss xmm0,xmm3
BorderlandsGOTY.exe+809347: F3 0F11 44 24 54 - movss [rsp+54],xmm0
BorderlandsGOTY.exe+80934D: F3 0F59 D5 - mulss xmm2,xmm5
BorderlandsGOTY.exe+809351: F3 0F11 54 24 58 - movss [rsp+58],xmm2
BorderlandsGOTY.exe+809357: 48 8D 44 24 50 - lea rax,[rsp+50]
BorderlandsGOTY.exe+80935C: F2 0F10 00 - movsd xmm0,[rax]
BorderlandsGOTY.exe+809360: F2 0F11 85 98000000 - movsd [rbp+00000098],xmm0
BorderlandsGOTY.exe+809368: 8B 40 08 - mov eax,[rax+08]
BorderlandsGOTY.exe+80936B: 89 85 A0000000 - mov [rbp+000000A0],eax
BorderlandsGOTY.exe+809371: 4D 8B 06 - mov r8,[r14]
BorderlandsGOTY.exe+809374: 49 8B 86 74010000 - mov rax,[r14+00000174]
BorderlandsGOTY.exe+80937B: 89 7C 24 38 - mov [rsp+38],edi
BorderlandsGOTY.exe+80937F: C7 44 24 30 01000000 - mov [rsp+30],00000001
BorderlandsGOTY.exe+809387: 89 7C 24 28 - mov [rsp+28],edi
BorderlandsGOTY.exe+80938B: F3 0F10 80 C0020000 - movss xmm0,[rax+000002C0] <<<--- AOB Starts Here
BorderlandsGOTY.exe+809393: F3 0F11 44 24 20 - movss [rsp+20],xmm0
//// INJECTING START ----------------------------------------------------------
BorderlandsGOTY.exe+809399: F3 41 0F10 9E 7C030000 - movss xmm3,[r14+0000037C]
//// INJECTING END ----------------------------------------------------------
BorderlandsGOTY.exe+8093A2: 41 0F28 D0 - movaps xmm2,xmm8
BorderlandsGOTY.exe+8093A6: 48 8D 95 98000000 - lea rdx,[rbp+00000098]
BorderlandsGOTY.exe+8093AD: 49 8B CE - mov rcx,r14
BorderlandsGOTY.exe+8093B0: 41 FF 90 800A0000 - call qword ptr [r8+00000A80]
BorderlandsGOTY.exe+8093B7: F2 41 0F10 86 7C010000 - movsd xmm0,[r14+0000017C]
BorderlandsGOTY.exe+8093C0: F2 0F11 44 24 50 - movsd [rsp+50],xmm0
BorderlandsGOTY.exe+8093C6: 41 8B 86 84010000 - mov eax,[r14+00000184]
BorderlandsGOTY.exe+8093CD: 89 44 24 58 - mov [rsp+58],eax
BorderlandsGOTY.exe+8093D1: 49 8B 8E 74010000 - mov rcx,[r14+00000174]
BorderlandsGOTY.exe+8093D8: F6 81 BC020000 01 - test byte ptr [rcx+000002BC],01
BorderlandsGOTY.exe+8093DF: 74 4C - je 14000942D
BorderlandsGOTY.exe+8093E1: 48 8B 01 - mov rax,[rcx]
BorderlandsGOTY.exe+8093E4: 4D 8B C6 - mov r8,r14
BorderlandsGOTY.exe+8093E7: 48 8D 54 24 60 - lea rdx,[rsp+60]
BorderlandsGOTY.exe+8093EC: FF 90 D8070000 - call qword ptr [rax+000007D8]
BorderlandsGOTY.exe+8093F2: F3 0F10 10 - movss xmm2,[rax]
BorderlandsGOTY.exe+8093F6: F3 0F59 15 C2A31A01 - mulss xmm2,[1411B37C0] [(float)25.0000]
BorderlandsGOTY.exe+8093FE: F3 0F10 48 04 - movss xmm1,[rax+04]
BorderlandsGOTY.exe+809403: F3 0F59 0D B5A31A01 - mulss xmm1,[1411B37C0] [(float)25.0000]
BorderlandsGOTY.exe+80940B: F3 41 0F59 D0 - mulss xmm2,xmm8
//// Template: I2CEA_AOBFullInjectionWithValues
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}