[COMPLETED] Mortal Kombat 11

[Stalker4589]

Hi SunBeam

I'm having a little trouble following this.

Lets say the chest value is 10,750. You next say "The editor will fill in the values." I understand English isn't your native language do you mean to search and change this value in cheat engine?

Currently searching "10750" as a float value will not return an value you can edit. That's where a few of us are stuck. He commented it was a "long value" which I don't understand.

[Stalker4589]

Still having issues locating the value as a double.



Edit

Managed to find the value of a chest but doesn't look like you can set it to a negative value. The chest becomes unopenable

[SunBeam]

And here's a dump of the Objects at "Kotal vs. Erron Black" story mission

Code: Select all

UObject[021258] koins                          0x1EDC5EE0 ( IntProperty Core.FPortalTierCost.koins             )
UObject[021259] souls                          0x1EDC6080 ( IntProperty Core.FPortalTierCost.souls             )
UObject[021260] hearts                         0x1EDC6220 ( IntProperty Core.FPortalTierCost.hearts            )
UObject[021087] Health                         0x1EDABC20 ( IntProperty Core.FBaseAttributeEntry.Health        )

And we have the Console available as well

Code: Select all

UObject[025623] Console                        0x4FBFE310 ( Console MK11GameEngine.MwyGameViewportClient.Console )

Then there's the PlayerController and CollisionCylinder:

Code: Select all

UObject[058013] CollisionCylinder           0x41B76E6EC0 ( CylinderComponent Level.MK11GamePlayerController.CollisionCylinder )
UObject[058014] MK11GamePlayerController    0x41B7639240 ( MK11GamePlayerController Transient.Level.MK11GamePlayerController )

Remember my map? Here's the Pawns

Code: Select all

UObject[057927] CHAR_ErronBlack[P2]            0x41B0328000 ( MKPawn Transient.Level.CHAR_ErronBlack[P2]         )
UObject[057981] CHAR_Kotal[P1]                 0x41B0329240 ( MKPawn Transient.Level.CHAR_Kotal[P1]              )

Size of Pawn structure is 0x16D0.

[TroliusMaximus]

^ Can the console be enabled (for use)?... Or is simply "finding" it, and we still haven't access to it?

Also, I tried finding Krypt chest values, and I found 330 addresses for a K6350 chest > change values to 100,000... and it crashed v_v

[SunBeam]

^ I don't think you'll be able to do anything with it even if enabled. I didn't find the usual: god, fly, ghost, slomo, playersonly, etc. So I wouldn't know. But maybe there's other commands in there that might prove useful Still researching the findings.

[Nureruu]

I found 90% of the chests pretty fast after i found the first one.

Simple exact value 4 byte search of the chest number. I would usually try to find an expensive chest that you wouldn't find as many values for like 12450. Simple search would usually get ~100 results. I then just changed the values to 1 til it changed the chest. Once i found one chest number it seemed like every other chest would have the same 2 numbers/letters at the start of the address for the others. For example i found 51?????? would always be the address for chests so i would just go around find a chest price and search for it then scroll through the list and change any address with the 51 at the start. It worked to some degree on the green currency chests but there's so many that i found changing too many crashed the game. I could not find the 250 heart chests at all though. You get nearly 10k addresses back

Im sure theres a smarter way to do this but i'm just a limited knowledge cheat engine noob that usually just uses it to change currency in select games.

[SunBeam]

Here's what you can do with the dumper



Note how the in-game GUI says the last opponent's name is Geras, yet the game object says "MKPawn Transient.Level.CHAR_Terminas[P2]" Guess WB changed their minds

BR,
Sun

P.S.: Watch now how some of the trainers will feature another option - "Increase Player Movement Speed" Because.. cool options benefit the trainer maker's image, right?

These are the trainers:

• [Link] (change the 4 to a)

• http://fearlessrevolution.com/viewtopic.php?f=5&t=9281

CH's changes the overall game speed. fearlessrevolution's doesn't even have a speeding feature. Why am I posting this? Because I want to prove a point; how easy it is to watch a video, borrow an offset, hook it in Pawn and come up with a +1 option. I will soooo laugh about this.

[JessieKazama]

Tim was able to do a Krpyt unlocker for MKX, which I remember the coins were server sided there as well. Different game but the same engine I believe.

[TimFun13]

I just found where it checked if you had enough and set the display it checked to a high value, so it thought you always had enough. And the game took care of resetting the value so you didn't get a negative value.

Here's the script if it helps.

Code: Select all

{
	Process			: MK10.exe  -  (x64)
	Module			: MK10.exe
	Game Title		: Mortal Kombat 10
	Game Version	: 1.0.0.0
	CE Version		: 6.83
	Script Version	: 0.0.1
	Date			: 03/17/19
	Author			: ShyTwig16
	Name			: KryptMoneyCheckHook

	Krypt Money Check Hook

	E8xxxxxxxx48xxxx74xx8B4008488B5C243048xxxxxx5xC333xx48xxxxxxxx48xxxxxx5xC3
	E8xxxxxxxx48xxxx74xx8Bxxxx48xxxxxxxx48xxxxxxxxxx33xx48xxxxxxxx48xxxxxxxxC3
}

{$STRICT}

define(address, MK10.MK10ExperienceManager::GetExperience+36)
define(bytes, 8B 40 08 48 8B 5C 24 30)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
// aobScanModule(aobKryptMoneyCheckHook, MK10.exe, E8xxxxxxxx48xxxx74xx8B4008488B5C243048xxxxxx5xC333xx48xxxxxxxx48xxxxxx5xC3)
i2aobScanModule(aobKryptMoneyCheckHook, MK10.exe, E8xxxxxxxx48xxxx74xx8B4008488B5C243048xxxxxx5xC333xx48xxxxxxxx48xxxxxx5xC3)
define(injKryptMoneyCheckHook, aobKryptMoneyCheckHook+A)
// assert(injKryptMoneyCheckHook, bytes)
i2assert(injKryptMoneyCheckHook, bytes)
registerSymbol(injKryptMoneyCheckHook)

alloc(memKryptMoneyCheckHook, 0x400, injKryptMoneyCheckHook)

label(intKryptMoneyCheckHook)
registerSymbol(intKryptMoneyCheckHook)

label(ptrKryptMoneyCheckHook)
registerSymbol(ptrKryptMoneyCheckHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memKryptMoneyCheckHook:
	intKryptMoneyCheckHook:
		dd (int)1000000
	align 10
	ptrKryptMoneyCheckHook:
		dq 0
	align 10 CC
	n_code:
		mov [ptrKryptMoneyCheckHook],rax
		mov ebx,[intKryptMoneyCheckHook]
		mov [rax+08],ebx
	o_code:
		mov eax,[rax+08]
		mov rbx,[rsp+30]
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injKryptMoneyCheckHook:
	jmp n_code
	nop
	nop
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injKryptMoneyCheckHook:
	db bytes

unregisterSymbol(injKryptMoneyCheckHook)

unregisterSymbol(intKryptMoneyCheckHook)

unregisterSymbol(ptrKryptMoneyCheckHook)

dealloc(memKryptMoneyCheckHook)

{
//// Injection Point: MK10.MK10ExperienceManager::GetExperience+36  -  000000013F62FEF6
//// AOB address: 000000013F62FEEC  -  MK10.MK10ExperienceManager::GetExperience+2C
//// Process: MK10.exe  -  000000013F230000
//// Module: MK10.exe  -  000000013F230000
//// Module Size: 0000000003B8D000
MK10.exe+3FFEBC:  CC                          -  int 3                              
MK10.exe+3FFEBD:  CC                          -  int 3                              
MK10.exe+3FFEBE:  CC                          -  int 3                              
MK10.exe+3FFEBF:  CC                          -  int 3                              
MK10.MK10ExperienceManager::GetExperience:  48 89 5C 24 08              -  mov [rsp+08],rbx                   
MK10.MK10ExperienceManager::GetExperience+5:  57                          -  push rdi                           
MK10.MK10ExperienceManager::GetExperience+6:  48 83 EC 20                 -  sub rsp,20                         
MK10.MK10ExperienceManager::GetExperience+A:  48 8B F9                    -  mov rdi,rcx                        
MK10.MK10ExperienceManager::GetExperience+D:  48 8B 0D 7C36CC02           -  mov rcx,[1422F3550]                [4252AF00]
MK10.MK10ExperienceManager::GetExperience+14:  8B DA                       -  mov ebx,edx                        
MK10.MK10ExperienceManager::GetExperience+16:  41 8B D0                    -  mov edx,r8d                        
MK10.MK10ExperienceManager::GetExperience+19:  E8 426D0300                 -  call 13F666C20                     
MK10.MK10ExperienceManager::GetExperience+1E:  48 85 C0                    -  test rax,rax                       
MK10.MK10ExperienceManager::GetExperience+21:  74 21                       -  je 13F62FF04                       
MK10.MK10ExperienceManager::GetExperience+23:  4C 8B 40 50                 -  mov r8,[rax+50]                    
MK10.MK10ExperienceManager::GetExperience+27:  8B D3                       -  mov edx,ebx                        
MK10.MK10ExperienceManager::GetExperience+29:  48 8B CF                    -  mov rcx,rdi                        
MK10.MK10ExperienceManager::GetExperience+2C:  E8 2F0D0000                 -  call 13F630C20                     <<<--- AOB Starts Here
MK10.MK10ExperienceManager::GetExperience+31:  48 85 C0                    -  test rax,rax                       
MK10.MK10ExperienceManager::GetExperience+34:  74 0E                       -  je 13F62FF04                       
////  INJECTING START  ----------------------------------------------------------
MK10.MK10ExperienceManager::GetExperience+36:  8B 40 08                    -  mov eax,[rax+08]                   
MK10.MK10ExperienceManager::GetExperience+39:  48 8B 5C 24 30              -  mov rbx,[rsp+30]                   
////  INJECTING END  ----------------------------------------------------------
MK10.MK10ExperienceManager::GetExperience+3E:  48 83 C4 20                 -  add rsp,20                         
MK10.MK10ExperienceManager::GetExperience+42:  5F                          -  pop rdi                            
MK10.MK10ExperienceManager::GetExperience+43:  C3                          -  ret                                
MK10.MK10ExperienceManager::GetExperience+44:  33 C0                       -  xor eax,eax                        
MK10.MK10ExperienceManager::GetExperience+46:  48 8B 5C 24 30              -  mov rbx,[rsp+30]                   
MK10.MK10ExperienceManager::GetExperience+4B:  48 83 C4 20                 -  add rsp,20                         
MK10.MK10ExperienceManager::GetExperience+4F:  5F                          -  pop rdi                            
MK10.MK10ExperienceManager::GetExperience+50:  C3                          -  ret                                
MK10.exe+3FFF11:  CC                          -  int 3                              
MK10.exe+3FFF12:  CC                          -  int 3                              
MK10.exe+3FFF13:  CC                          -  int 3                              
MK10.exe+3FFF14:  CC                          -  int 3                              
MK10.exe+3FFF15:  CC                          -  int 3                              
MK10.exe+3FFF16:  CC                          -  int 3                              
MK10.exe+3FFF17:  CC                          -  int 3                              
MK10.exe+3FFF18:  CC                          -  int 3                              
MK10.exe+3FFF19:  CC                          -  int 3                              
MK10.exe+3FFF1A:  CC                          -  int 3                              
MK10.exe+3FFF1B:  CC                          -  int 3                              
//// Template: I2CEA_AOBFullInjectionWithValues
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}

[Stalker4589]

Here's what you can do with the dumper



Note how the in-game GUI says the last opponent's name is Geras, yet the game object says "MKPawn Transient.Level.CHAR_Terminas[P2]" Guess WB changed their minds

BR,
Sun

P.S.: Watch now how some of the trainers will feature another option - "Increase Player Movement Speed" Because.. cool options benefit the trainer maker's image, right?

These are the trainers:

• [Link] (change the 4 to a)

• viewtopic.php?f=5&t=9281

CH's changes the overall game speed. fearlessrevolution's doesn't even have a speeding feature. Why am I posting this? Because I want to prove a point; how easy it is to watch a video, borrow an offset, hook it in Pawn and come up with a +1 option. I will soooo laugh about this.

are you planning on releasing a CE Table for the game. Great work so far

[Anfraxx]

Well - all this has gone well over my head now haha, I am able to search for values and that's about it, you lot are now speaking a different language.

Can we confirm if at all, the value of a chest can be amended? I mean it seems the negative value comment is rubbish, but you could potentially change them to the value of 1, but I would guess that would be a LOT of messing about through 100s of codes to just find the one for the chest you are looking at?

[Stalker4589]

Well - all this has gone well over my head now haha, I am able to search for values and that's about it, you lot are now speaking a different language.

Can we confirm if at all, the value of a chest can be amended? I mean it seems the negative value comment is rubbish, but you could potentially change them to the value of 1, but I would guess that would be a LOT of messing about through 100s of codes to just find the one for the chest you are looking at?

I'm pretty much in the same boat as you.

Here's the situation.

CaliberCH has a trainer he sells on a monthly subscription that can change values and for some users appears broken. (That's an iffy subject for me so I won't comment further)

Sunbeam has shredded the game to bits so far and seems to be able to bend it to his whim but there's no sign of anything being released (I Hope he eventually does)

As for the the dumb people like me and you.

You can change the chest cost value. I'm still actually unable to efficiently locate the chest values. The best method so far for me seems to be.

Stand in front of chest with a somewhat unique value (13500 Koins)
Search this value in CE using Scan Type=Exact Value and Value Type=4 Bytes
This should give you a few hundred results
Add them to the addresses list and start batch changing them by highlighting groups and pressing ENTER and put the value at 1
Start at the bottom and change about 50 at a time or a "page worth"
Tab back into the game every time to check chest cost will update automatically no need to walk away and come back

You can do this with Heart Chests too but they return about 12k addresses

[KS212]

There is supposedly a line/string/object/etc called MK11Unlockables in there somewhere. Setting that to IsUnlocked will unlock all of the Kollection as well as Shao Kahn and Frost. Apparently that's what was done for Switch.

[TroliusMaximus]

So, I've been changing chest values to "1 Koin" and closing CE after each one I open. The tedium aside, this worked for most part... But, then I got a crash long after I had closed CE -- after I hit that golden gong that opens the gates, past that wall you break on the left, to reach the second large area.

Why would it have CTD'd then -- so long (20~30 seconds) after closing CE? How often does the anti-cheat make its checks? Would there be anyway to "hide" CE, so that the anti-cheat doesn't detect it -- kind of like the "unsigned" version?
---

@Stalker4589
Yeah... That's what I've been doing. However, are you getting crashes? Are you closing and opening CE after each chest or two?... Or just leaving it hooked to the game...?

[Stalker4589]

So, I've been changing chest values to "1 Koin" and closing CE after each one I open. The tedium aside, this worked for most part... But, then I got a crash long after I had closed CE -- after I hit that golden gong that opens the gates, past that wall you break on the left, to reach the second large area.

Why would it have CTD'd then -- so long (20~30 seconds) after closing CE? How often does the anti-cheat make its checks? Would there be anyway to "hide" CE, so that the anti-cheat doesn't detect it -- kind of like the "unsigned" version?

Did you batch change addresses and not change them back? you would have sent a lot of values to 1 doing that and they could be loaded later