Mortal Kombat 11 - table v: 1.0.8 CT

TimFun13
Expert Cheater
Posts: 1353
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 7

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by TimFun13 »

SunBeam wrote:
Sun Apr 28, 2019 4:49 pm
Some description on the options would help. Unless I'm missing them and they are indeed someplace? :D (e.g.: Hitbox Hook?)
It's in the flags I guess, "00:Disabled", "01:No Hitbox". Basically "no hits" from your analysis.

Also I was waiting till you got back but, I can't figure out how to make use of the dumper. Like if I have Name[012517] Fatal_Blow_Available, how do I find the address or code related to it? I tried searching for the id/index in the object dump but it's not there and can't find anything for fatal blow in the object dump. Not sure if you have time to explain the relation with names and the object dump, if not it can wait till you get back home.

How to use this cheat table?
  1. Install Cheat Engine
  2. Double-click the .CT file in order to open it.
  3. Click the PC icon in Cheat Engine in order to select the game process.
  4. Keep the list.
  5. Activate the trainer options by checking boxes or setting values from 0 to 1

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11

Post by SunBeam »

DEUS wrote:
Sun Apr 28, 2019 1:32 pm
After that, the price was fixed! How do I now return the chest's price in the crypt to normal?
Why do you want to set the price back? o_O Makes no fucking sense. If you think that way you'll outsmart WB, you got a thing coming. Each transaction (chest opened) will show you opened it with 1 Koin. That shit is in your activity log, in their DB. You can't ditch it no matter if you reset the cost...

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

Welp, from my study I can tell you UE uses all sorts of UObjects that store various properties. These are then combined with the main UObjects (like Player, PlayerController, etc.). For example, the UObjects of type ObjProperty will tell you the offset at which the given property can be found inside of those typed-UObjects. IntProperty and so on also tell you at which offset you'll find that Int. I'll give practical examples in a bit (got it here, just gotta use it and find a decent example).

TimFun13
Expert Cheater
Posts: 1353
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 7

Re: Mortal Kombat 11

Post by TimFun13 »

^^ Yeah, all the "how to reset my max'ed out koins to normal levels" are pretty funny. My bet is your comment about how easy it'd be to check has them worried. But the fact that they have so much unlocked so early on doesn't seem to be a concern, yet; just has me laughing.

But after reading some articles, if you bought the game I don't think they will ban anyone; they said they were reluctant to ban people for DLC unlocks on MKX if they bought the game. Basically they think it's better to keep a half customer than not having one at all.

KS212
Expert Cheater
Posts: 1139
Joined: Fri Mar 03, 2017 5:29 pm
Reputation: 143

Re: Mortal Kombat 11

Post by KS212 »

ShyTwig16 wrote:
Sun Apr 28, 2019 6:18 pm
^^ Yeah, all the "how to reset my max'ed out koins to normal levels" are pretty funny. My bet is your comment about how easy it'd be to check has them worried. But the fact that they have so much unlocked so early on doesn't seem to be a concern, yet; just has me laughing.

But after reading some articles, if you bought the game I don't think they will ban anyone; they said they were reluctant to ban people for DLC unlocks on MKX if they bought the game. Basically they think it's better to keep a half customer than not having one at all.
Pretty much this. It's as I said before, they have 'years' of cut content... sorry, DLC *snort* planned as they've advertised. This generally means 2 maybe more Kombat Packs. Ban someone, and you not only lose them as a customer for that... you lose them as a customer, PERIOD. That banned person will be pirating WB games for life and then some.

Seeing as all this is always online SINGLEPLAYER which isn't going to directly affect anyone, easier to simply let it go and not totally burn the bridge with the customer.

I mean hell, look at all the people who hacked motherboxes or what not in Injustice 2... Nobody got banned, even on console... and WB honestly gives 0 fucks about PC, we are THIRD class citizens to them (not even 2nd class...).

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11

Post by SunBeam »

Still haven't figured out where's the stored Koins amount for Kronika Chests. That glass ball spawning randomly on map at given intervals. Also.. where the fuck are the object coordinates? It'd be nice to map them all and do insta-tele to them (I'll just use this for now and map each room out; thanks Zandrial). Will try to adapt mgr.inz.Player's noclip I adjusted for Metro Exodus to also work in MK11. Need the NV first hand (that's where the dumper should come in handy, telling me where the default Camera is and figuring out the offset for the Rotator).

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

@Tim: Found the reason why Ermac Soul Vaults are locked (aside from the fact that you're missing Ermac's Amulet). Here goes:

- debug 0xD0 byte on access while you're not highlighting a Soul Vault (or Monk)
- once you approach and the "Locked" status becomes visible, these are going to pop-up in the debug window:

Code:

1407DFF83 - F6 87 D0000000 10 - test byte ptr [rdi+000000D0],10 // pop while not showing
1407E105C - F6 83 D0000000 02 - test byte ptr [rbx+000000D0],02 // pops while not showing
14C358212 - F6 81 D0000000 04 - test byte ptr [rcx+000000D0],04
14C35D205 - F6 81 D0000000 08 - test byte ptr [rcx+000000D0],08 <--
14C364B3C - F6 81 D0000000 10 - test byte ptr [rcx+000000D0],10
14C3644DD - F6 83 D0000000 40 - test byte ptr [rbx+000000D0],40
1407E15EF - 8B 83 D0000000  - mov eax,[rbx+000000D0]
14C30441F - F7 83 D0000000 00000200 - test [rbx+000000D0],20000
14C326DD7 - F6 83 D0000000 10 - test byte ptr [rbx+000000D0],10

- if you remember, I said OR-ing 0xD0 with 0x8 will unlock the Monk/Soul Vault

So now I wanted to understand what the actual condition is, because when you do have Ermac's Amulet or check a regular Koin Chest, you will see that the byte there is always 0x?2. That never changes. So, tracing out of the TEST [],8 function lands us here:

Code:

MK11.exe+7E1231 - E8 2AC10100           - call MK11.exe+7FD360 // TEST [],9 func
MK11.exe+7E1236 - 48 8B CB              - mov rcx,rbx
MK11.exe+7E1239 - 85 C0                 - test eax,eax
MK11.exe+7E123B - 74 31                 - je MK11.exe+7E126E // if this jumps, we still see "Locked"
MK11.exe+7E123D - E8 EEBA0100           - call MK11.exe+7FCD30
MK11.exe+7E1242 - 85 C0                 - test eax,eax
MK11.exe+7E1244 - 0F85 BD040000         - jne MK11.exe+7E1707
MK11.exe+7E124A - 48 8B CB              - mov rcx,rbx
MK11.exe+7E124D - E8 4EBB0100           - call MK11.exe+7FCDA0
MK11.exe+7E1252 - 85 C0                 - test eax,eax
MK11.exe+7E1254 - 0F85 AD040000         - jne MK11.exe+7E1707
MK11.exe+7E125A - 48 85 FF              - test rdi,rdi
MK11.exe+7E125D - 0F84 FD010000         - je MK11.exe+7E1460
MK11.exe+7E1263 - 39 86 64060000        - cmp [rsi+00000664],eax
MK11.exe+7E1269 - E9 EC010000           - jmp MK11.exe+7E145A
MK11.exe+7E126E - E8 1DC90100           - call MK11.exe+7FDB90
MK11.exe+7E1273 - 85 C0                 - test eax,eax
MK11.exe+7E1275 - 0F85 8C040000         - jne MK11.exe+7E1707
MK11.exe+7E127B - 48 8B CB              - mov rcx,rbx
MK11.exe+7E127E - E8 5DBE0100           - call MK11.exe+7FD0E0
MK11.exe+7E1283 - 85 C0                 - test eax,eax
MK11.exe+7E1285 - 74 12                 - je MK11.exe+7E1299
MK11.exe+7E1287 - 80 BE 59060000 00     - cmp byte ptr [rsi+00000659],00 { 0 }
MK11.exe+7E128E - 0F84 73040000         - je MK11.exe+7E1707
MK11.exe+7E1294 - E9 C7010000           - jmp MK11.exe+7E1460
MK11.exe+7E1299 - 48 8B 83 A8000000     - mov rax,[rbx+000000A8] // reads a pointer from 0xA8 in the structure
MK11.exe+7E12A0 - 48 85 C0              - test rax,rax
MK11.exe+7E12A3 - 74 7C                 - je MK11.exe+7E1321
MK11.exe+7E12A5 - 80 B8 B8000000 0D     - cmp byte ptr [rax+000000B8],0D { 13 } // checks if BYTE is 0xD
MK11.exe+7E12AC - 75 73                 - jne MK11.exe+7E1321
MK11.exe+7E12AE - 80 BE 20070000 00     - cmp byte ptr [rsi+00000720],00 { 0 }
MK11.exe+7E12B5 - 41 0F94 C6            - sete r14l
MK11.exe+7E12B9 - 48 8B 83 C8010000     - mov rax,[rbx+000001C8]

So.. using the hook you have.. read-up 0xA8 offset and check if 0xB8 byte is 0xD in value. If not, the Monk/Soul Vault is locked ;)

EDIT #1: Setting the value from 0x6 to 0xD does unlock it, but will also teleport you to the object when you press E :D Not cool, cuz you will then have to exit and re-enter the Krypt. You get the loot upon re-entry (don't worry, you don't lose it). So.. there's another check..

EDIT #2: Correction. That BYTE has to be set to 0x0 so the Monk becomes unlocked ;) At least normal Koin Chests turn Locked when I flip byte from 0x0 to 0x6.

TimFun13
Expert Cheater
Posts: 1353
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 7

Re: Mortal Kombat 11

Post by TimFun13 »

SunBeam wrote:
Sun Apr 28, 2019 7:42 pm
Still haven't figured out where's the stored Koins amount for Kronika Chests. That glass ball spawning randomly on map at given intervals. Also.. where the fuck are the object coordinates? It'd be nice to map them all and do insta-tele to them (I'll just use this for now and map each room out; thanks Zandrial). Will try to adapt mgr.inz.Player's noclip I adjusted for Metro Exodus to also work in MK11. Need the NV first hand (that's where the dumper should come in handy, telling me where the default Camera is and figuring out the offset for the Rotator).
If you mean the Orb things, I posted that the other day. And added to the table today.

Code:

{
	Process			: MK11.exe  -  (x64)
	Module			: MK11.exe
	Game Title		: Mortal Kombat 11
	Game Version	: 1.0.0.0
	CE Version		: 6.83
	Script Version	: 0.0.1
	Date			: 04/26/19
	Author			: ShyTwig16
	Name			: KryptOrbCostReadHook

	Krypt Orb Cost Read Hook
}

{$STRICT}

define(address, MK11.exe+C32C3E0)
define(bytes, 8B 41 10 41 89 00)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobKryptOrbCostReadHook, MK11.exe, 8Bxxxx89xx8Bxxxx41xxxx8BxxxxC1)
define(injKryptOrbCostReadHook, aobKryptOrbCostReadHook+5)
assert(injKryptOrbCostReadHook, bytes)
registerSymbol(injKryptOrbCostReadHook)

alloc(memKryptOrbCostReadHook, 0x400, injKryptOrbCostReadHook)

label(ptrKryptOrbCostReadHook)
registerSymbol(ptrKryptOrbCostReadHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memKryptOrbCostReadHook:
	ptrKryptOrbCostReadHook:
		dq 0
	align 10 CC
	n_code:
		mov [ptrKryptOrbCostReadHook],rcx
		mov eax,1
		mov [rcx+10],eax
	o_code:
		// mov eax,[rcx+10]
		mov [r8],eax
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injKryptOrbCostReadHook:
	jmp n_code
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injKryptOrbCostReadHook:
	db bytes

unregisterSymbol(injKryptOrbCostReadHook)

unregisterSymbol(ptrKryptOrbCostReadHook)

dealloc(memKryptOrbCostReadHook)

{
//// Injection Point: MK11.exe+C32C3E0  -  000000014C32C3E0
//// AOB address: 000000014C32C3DB  -  MK11.exe+C32C3DB
//// Process: MK11.exe  -  0000000140000000
//// Module: MK11.exe  -  0000000140000000
//// Module Size: 0000000018215000
MK11.exe+C32C399:  4C 8D 2D CD526D06           -  lea r13,[152A0166D]                [DBBB8B4D]
MK11.exe+C32C3A0:  4C 87 2C 24                 -  xchg [rsp],r13                     
MK11.exe+C32C3A4:  C3                          -  ret                                
MK11.exe+C32C3A5:  8D 66 2E                    -  lea esp,[rsi+2E]                   
MK11.exe+C32C3A8:  0F1F 84 00 00000000         -  nop [rax+rax+00000000]             
MK11.exe+C32C3B0:  48 89 5C 24 08              -  mov [rsp+08],rbx                   
MK11.exe+C32C3B5:  48 89 74 24 10              -  mov [rsp+10],rsi                   
MK11.exe+C32C3BA:  57                          -  push rdi                           
MK11.exe+C32C3BB:  48 83 EC 20                 -  sub rsp,20                         
MK11.exe+C32C3BF:  31 C0                       -  xor eax,eax                        
MK11.exe+C32C3C1:  48 89 CE                    -  mov rsi,rcx                        
MK11.exe+C32C3C4:  89 02                       -  mov [rdx],eax                      
MK11.exe+C32C3C6:  4C 89 C3                    -  mov rbx,r8                         
MK11.exe+C32C3C9:  41 89 00                    -  mov [r8],eax                       
MK11.exe+C32C3CC:  48 89 D7                    -  mov rdi,rdx                        
MK11.exe+C32C3CF:  48 8B 89 C8010000           -  mov rcx,[rcx+000001C8]             
MK11.exe+C32C3D6:  48 85 C9                    -  test rcx,rcx                       
MK11.exe+C32C3D9:  74 25                       -  je 14C32C400                       
MK11.exe+C32C3DB:  8B 41 0C                    -  mov eax,[rcx+0C]                   <<<--- AOB Starts Here
MK11.exe+C32C3DE:  89 02                       -  mov [rdx],eax                      
////  INJECTING START  ----------------------------------------------------------
MK11.exe+C32C3E0:  8B 41 10                    -  mov eax,[rcx+10]                   
MK11.exe+C32C3E3:  41 89 00                    -  mov [r8],eax                       
////  INJECTING END  ----------------------------------------------------------
MK11.exe+C32C3E6:  8B 41 08                    -  mov eax,[rcx+08]                   
MK11.exe+C32C3E9:  C1 E8 0F                    -  shr eax,0F                         
MK11.exe+C32C3EC:  F6 D0                       -  not al                             
MK11.exe+C32C3EE:  24 01                       -  and al,01                          
MK11.exe+C32C3F0:  48 8B 5C 24 30              -  mov rbx,[rsp+30]                   
MK11.exe+C32C3F5:  48 8B 74 24 38              -  mov rsi,[rsp+38]                   
MK11.exe+C32C3FA:  48 83 C4 20                 -  add rsp,20                         
MK11.exe+C32C3FE:  5F                          -  pop rdi                            
MK11.exe+C32C3FF:  C3                          -  ret                                
MK11.exe+C32C400:  48 89 F1                    -  mov rcx,rsi                        
MK11.exe+C32C403:  E8 A8504CF4                 -  call 1407F14B0                     
MK11.exe+C32C408:  41 89 C0                    -  mov r8d,eax                        
MK11.exe+C32C40B:  FF C8                       -  dec eax                            
MK11.exe+C32C40D:  83 F8 16                    -  cmp eax,16                         
MK11.exe+C32C410:  77 1E                       -  ja 14C32C430                       
MK11.exe+C32C412:  48 63 C8                    -  movsxd  rcx,eax                    
MK11.exe+C32C415:  48 8D 05 E43BCDF3           -  lea rax,[140000000]                [00905A4D]
MK11.exe+C32C41C:  0FB6 8C 08 6C227F00         -  movzx ecx,byte ptr [rax+rcx+007F226C]
MK11.exe+C32C424:  8B 94 88 64227F00           -  mov edx,[rax+rcx*4+007F2264]       
//// Template: I2CEA_AOBFullInjection
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}


SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

Uhm, that [0x1C8]+0x10 for the Kronika glass sphere that's spawned randomly on map shows 0x1. Not the default 5000 cost. See this shit:



That shit in the background, at 01:56, that sphere, without the support is often summoned in main courtyard. When you see it, go to it and you'll find the hook doesn't show you the correct amount of Koins.

This:

(screenshot)

BR,
Sun

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

@Tim: You are right. Managed to isolate the value via scans in the UObjects table range and found what accesses it. And it's this:

Code:

MK11.exe+C32C3CF - 48 8B 89 C8010000     - mov rcx,[rcx+000001C8]
MK11.exe+C32C3D6 - 48 85 C9              - test rcx,rcx
MK11.exe+C32C3D9 - 74 25                 - je MK11.exe+C32C400
MK11.exe+C32C3DB - 8B 41 0C              - mov eax,[rcx+0C]
MK11.exe+C32C3DE - 89 02                 - mov [rdx],eax
MK11.exe+C32C3E0 - 8B 41 10              - mov eax,[rcx+10]

However, I need to link that to your hook (cmp [],-1 location). Upon debugging I found this relationship:

Code:

UObject[122103] MK11KryptComponent0 | 0x0000004B7B349740 ( MK11KryptComponent Level.MK11KryptSkeletalActor.MK11KryptComponent0 )
= x

Then [[x+0x1C8] +0x10] = 5000.

What I now need to do is piece together what I see in CE with hook on in terms of structure with Locked flag, amounts at 0x488 and 0x4B8 (0x0000004B696C8000) and this one (0x0000004B7B349740). Where:

Code:

UObject[049394] MK11KryptComponent0 | 0x0000004B696C8000 ( MK11KryptComponent Krypt_STI_CY_Design.MK11KryptStaticActor.MK11KryptComponent0 )

So, basically, how to get from 0x4B696C8000 to 0x4B7B349740 for those kinds of "chests".

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

So uhm.. the problem is the hook :) You shouldn't do a +0x10:

Code:

MK11.exe+C304400 - 48 89 4C 24 08        - mov [rsp+08],rcx
MK11.exe+C304405 - 53                    - push rbx
MK11.exe+C304406 - 48 83 EC 70           - sub rsp,70 { 112 }
MK11.exe+C30440A - 48 89 CB              - mov rbx,rcx
MK11.exe+C30440D - 31 D2                 - xor edx,edx
MK11.exe+C30440F - 31 C9                 - xor ecx,ecx
MK11.exe+C304411 - E8 BA7613F4           - call MK11.exe+43BAD0
MK11.exe+C304416 - 48 85 C0              - test rax,rax
MK11.exe+C304419 - 0F84 47050000         - je MK11.exe+C304966
MK11.exe+C30441F - F7 83 D0000000 00000200 - test [rbx+000000D0],20000 { (0) } <-- this will force the JNE to be taken so it won't work for Kronika
MK11.exe+C304429 - 0F85 37050000         - jne MK11.exe+C304966
MK11.exe+C30442F - E9 CCBBCEF3           - jmp 13FFF0000 <-- hook
MK11.exe+C304434 - 90                    - nop 
MK11.exe+C304435 - 90                    - nop 
MK11.exe+C304436 - 74 30                 - je MK11.exe+C304468
MK11.exe+C304438 - 83 BB 58040000 FF     - cmp dword ptr [rbx+00000458],-01 { 255 }
MK11.exe+C30443F - 74 27                 - je MK11.exe+C304468
MK11.exe+C304441 - 83 BB 88040000 00     - cmp dword ptr [rbx+00000488],00 { 0 }
MK11.exe+C304448 - 0F85 18050000         - jne MK11.exe+C304966
MK11.exe+C30444E - 83 BB B8040000 00     - cmp dword ptr [rbx+000004B8],00 { 0 }
MK11.exe+C304455 - 0F85 0B050000         - jne MK11.exe+C304966
MK11.exe+C30445B - 83 BB E8040000 00     - cmp dword ptr [rbx+000004E8],00 { 0 }
MK11.exe+C304462 - 0F85 FE040000         - jne MK11.exe+C304966
MK11.exe+C304468 - 48 89 6C 24 68        - mov [rsp+68],rbp

What I was looking at earlier was the pointer from the previous break :D (when I had in focus a different chest type). No wonder I couldn't get a proper relationship between 2 individual structures that have nothing to do one with the other :D

So this:

Code:

define( injKryptChestCheckHook, aobKryptChestCheckHook+10 )

Should be this:

Code:

define( injKryptChestCheckHook, aobKryptChestCheckHook )

And that shit is called "Kronika Vault". Fixed script:

Code:

[ENABLE]

aobscanmodule( aobKryptChestCheckHook, MK11.exe, F7??????????????????0F85????????83????????????74??83????????????74??83????????????0F85????????83????????????0F85????????83 )
define( injKryptChestCheckHook, aobKryptChestCheckHook )
registersymbol( injKryptChestCheckHook )
label( injKryptChestCheckHook_o )
registersymbol( injKryptChestCheckHook_o )
alloc( memKryptChestCheckHook, 0x1000, MK11.exe )
label( p )
registersymbol( p )
label( back )

memKryptChestCheckHook:
mov [p],rbx
injKryptChestCheckHook_o:
readmem( injKryptChestCheckHook, 10 )
jmp long back

align 10 CC

p:
dq 0

injKryptChestCheckHook:
jmp memKryptChestCheckHook
db 90 90 90 90 90
back:

[DISABLE]

injKryptChestCheckHook:
readmem( injKryptChestCheckHook_o, 10 )

unregistersymbol( p )
unregistersymbol( injKryptChestCheckHook_o )
unregistersymbol( injKryptChestCheckHook )

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

Also.. whoever said they could not find all chests probably didn't realize there are a bunch you gotta find with Blindfold ON :D :D :D

(screenshot)

BR,
Sun

TimFun13
Expert Cheater
Posts: 1353
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 7

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by TimFun13 »

So basically like this:

Code:

{
	Process			: MK11.exe  -  (x64)
	Module			: MK11.exe
	Game Title		: MK11
	Game Version	: 1.0.0.0
	CE Version		: 6.83
	Script Version	: 0.0.1
	Date			: 04/26/19
	Author			: ShyTwig16
	Name			: KryptChestCheckHook

	Krypt Chest Check Hook
}

{$STRICT}

define(address, MK11.exe+8E5DD1F)
define(bytes, F7 83 D0000000 00000200)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobKryptChestCheckHook, MK11.exe, F7xxxxxxxxxxxxxxxxxx0F85xxxxxxxx83xxxxxxxxxxxx74xx83xxxxxxxxxxxx74xx83xxxxxxxxxxxx0F85xxxxxxxx83xxxxxxxxxxxx0F85xxxxxxxx83)
define(injKryptChestCheckHook, aobKryptChestCheckHook)
assert(injKryptChestCheckHook, bytes)
registerSymbol(injKryptChestCheckHook)

alloc(memKryptChestCheckHook, 0x400, injKryptChestCheckHook)

label(ptrKryptChestCheckHook)
registerSymbol(ptrKryptChestCheckHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memKryptChestCheckHook:
	ptrKryptChestCheckHook:
		dq 0
	align 10 CC
	n_code:
		push rax
		mov [ptrKryptChestCheckHook],rbx
		or byte ptr [rbx+D0],08
		cmp dword ptr [rbx+488],00
		je @f
			mov dword ptr [rbx+488],01
			jmp o_code
		@@:
		cmp dword ptr [rbx+4B8],00
		je @f
			mov dword ptr [rbx+4B8],01
			jmp o_code
		@@:
		mov rax,[rbx+1C8]
		test rax,rax
		jz o_code
			cmp dword ptr [rax+10],00
			je @f
				mov dword ptr [rax+10],01
				jmp o_code
			@@:
	o_code:
		test [rbx+000000D0],20000
	exit:
		pop rax
		jmp return


////
//// ---------- Injection Point ----------
injKryptChestCheckHook:
	jmp n_code
	nop
	nop
	nop
	nop
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injKryptChestCheckHook:
	db bytes

unregisterSymbol(injKryptChestCheckHook)

unregisterSymbol(ptrKryptChestCheckHook)

dealloc(memKryptChestCheckHook)

{
//// Injection Point: MK11.exe+8E5DD1F  -  0000000148E5DD1F
//// AOB address: 0000000148E5DD0F  -  MK11.exe+8E5DD0F
//// Process: MK11.exe  -  0000000140000000
//// Module: MK11.exe  -  0000000140000000
//// Module Size: 0000000017EBE000
MK11.exe+8E5DCCE:  48 8B 0C 24                 -  mov rcx,[rsp]                      
MK11.exe+8E5DCD2:  48 8D 64 24 08              -  lea rsp,[rsp+08]                   
MK11.exe+8E5DCD7:  9D                          -  popfq                              
MK11.exe+8E5DCD8:  53                          -  push rbx                           
MK11.exe+8E5DCD9:  48 8D 1D F0DF2101           -  lea rbx,[14A07BCD0]                [245C8948]
MK11.exe+8E5DCE0:  48 87 1C 24                 -  xchg [rsp],rbx                     
MK11.exe+8E5DCE4:  C3                          -  ret                                
MK11.exe+8E5DCE5:  4C 8D 3D B03B5C0E           -  lea r15,[15742189C]                [8D4C3289]
MK11.exe+8E5DCEC:  41 FF E3                    -  jmp r11                            
MK11.exe+8E5DCEF:  3D 48894C24                 -  cmp eax,244C8948                   [(float)-0.0304]
MK11.exe+8E5DCF4:  08 53 48                    -  or [rbx+48],dl                     
MK11.exe+8E5DCF7:  83 EC 70                    -  sub esp,70                         
MK11.exe+8E5DCFA:  48 89 CB                    -  mov rbx,rcx                        
MK11.exe+8E5DCFD:  31 D2                       -  xor edx,edx                        
MK11.exe+8E5DCFF:  31 C9                       -  xor ecx,ecx                        
MK11.exe+8E5DD01:  E8 3AB25DF7                 -  call 140438F40                     
MK11.exe+8E5DD06:  48 85 C0                    -  test rax,rax                       
MK11.exe+8E5DD09:  0F84 47050000               -  je 148E5E256                       
////  INJECTING START  ----------------------------------------------------------
MK11.exe+8E5DD0F:  F7 83 D0000000 00000200     -  test [rbx+000000D0],20000          <<<--- AOB Starts Here
////  INJECTING END  ----------------------------------------------------------
MK11.exe+8E5DD19:  0F85 37050000               -  jne 148E5E256                      
MK11.exe+8E5DD1F:  83 BB 28040000 FF           -  cmp dword ptr [rbx+00000428],-01   
MK11.exe+8E5DD26:  74 30                       -  je 148E5DD58                       
MK11.exe+8E5DD28:  83 BB 58040000 FF           -  cmp dword ptr [rbx+00000458],-01   
MK11.exe+8E5DD2F:  74 27                       -  je 148E5DD58                       
MK11.exe+8E5DD31:  83 BB 88040000 00           -  cmp dword ptr [rbx+00000488],00    
MK11.exe+8E5DD38:  0F85 18050000               -  jne 148E5E256                      
MK11.exe+8E5DD3E:  83 BB B8040000 00           -  cmp dword ptr [rbx+000004B8],00    
MK11.exe+8E5DD45:  0F85 0B050000               -  jne 148E5E256                      
MK11.exe+8E5DD4B:  83 BB E8040000 00           -  cmp dword ptr [rbx+000004E8],00    
MK11.exe+8E5DD52:  0F85 FE040000               -  jne 148E5E256                      
MK11.exe+8E5DD58:  48 89 6C 24 68              -  mov [rsp+68],rbp                   
MK11.exe+8E5DD5D:  48 8B 2D 1C5320FA           -  mov rbp,[143063080]                [74E4B940]
MK11.exe+8E5DD64:  48 89 AC 24 98000000        -  mov [rsp+00000098],rbp             
MK11.exe+8E5DD6C:  48 85 ED                    -  test rbp,rbp                       
MK11.exe+8E5DD6F:  0F84 DC040000               -  je 148E5E251                       
MK11.exe+8E5DD75:  48 89 D9                    -  mov rcx,rbx                        
MK11.exe+8E5DD78:  E8 D3EB98F7                 -  call 1407EC950                     
MK11.exe+8E5DD7D:  83 F8 05                    -  cmp eax,05                         
MK11.exe+8E5DD80:  0F84 CB040000               -  je 148E5E251                       
MK11.exe+8E5DD86:  48 83 BB C8010000 00        -  cmp qword ptr [rbx+000001C8],00    
MK11.exe+8E5DD8E:  0F85 BD040000               -  jne 148E5E251                      
//// Template: I2CEA_AOBFullInjectionWithValues
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}

Just need a "Kronika Vault" to test.

Yeah they said there was only 250, but I'm well over that without any resets. And I'm still finding new chests and even small areas.
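The aobScanModule signatures in the two scripts above (`xx` wildcards in Tim's, `??` in SunBeam's fixed one) are masked byte-pattern matches; this added example, not code from the thread or from Cheat Engine, implements that scan in Python over byte buffers constructed from the quoted disassembly listings and recomputes the injection offsets, the assert() bytes and the nop counts the scripts rely on. The same masked comparison is what an anti-cheat or a YARA rule uses to tell an intact instruction sequence from one that has been overwritten by a jmp.

```python
# Added example, not code from the thread, Cheat Engine or the game. The byte
# buffers below are constructed from the disassembly listings quoted in the
# thread; nothing is read from a live process.
from typing import List, Tuple

JMP_REL32_LEN = 5  # E9 rel32, the jump Cheat Engine writes at the injection point

def parse_aob(pattern: str) -> Tuple[bytes, bytes]:
    """Cheat Engine style AOB string -> (value, mask). A hex nibble is compared
    exactly (mask nibble 0xF); a nibble written '?' or 'x' is a wildcard (0x0)."""
    text = pattern.replace(" ", "")
    if len(text) % 2:
        raise ValueError("AOB pattern must contain whole bytes")
    value, mask = bytearray(), bytearray()
    for i in range(0, len(text), 2):
        v = m = 0
        for ch in text[i:i + 2]:
            v, m = v << 4, m << 4
            if ch not in "?xX":          # wildcard nibble keeps value 0, mask 0
                v, m = v | int(ch, 16), m | 0xF
        value.append(v)
        mask.append(m)
    return bytes(value), bytes(mask)

def aob_scan(buf: bytes, pattern: str) -> List[int]:
    """Every offset in buf where the pattern matches under its mask."""
    value, mask = parse_aob(pattern)
    n = len(value)
    return [off for off in range(len(buf) - n + 1)
            if all((buf[off + k] & mask[k]) == value[k] for k in range(n))]

def unique_hit(buf: bytes, pattern: str) -> int:
    """aobScanModule takes the first hit; a hook signature should be unique."""
    hits = aob_scan(buf, pattern)
    if len(hits) != 1:
        raise LookupError(f"expected exactly one match, got {len(hits)}")
    return hits[0]

def nop_padding(stolen: bytes) -> int:
    """Nops after the 5-byte jmp so the overwritten instructions are covered exactly."""
    if len(stolen) < JMP_REL32_LEN:
        raise ValueError("need at least 5 bytes of whole instructions for a jmp")
    return len(stolen) - JMP_REL32_LEN

def _h(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))

# Constructed from the listing around MK11.exe+C32C3BA quoted in the thread.
ORB_REGION_RVA = 0xC32C3BA
ORB_REGION = _h(
    "57 48 83 EC 20 31 C0 48 89 CE 89 02 4C 89 C3 41 89 00 48 89 D7"   # push rdi .. mov rdi,rdx
    "48 8B 89 C8 01 00 00 48 85 C9 74 25"                              # mov rcx,[rcx+1C8]; test; je
    "8B 41 0C 89 02 8B 41 10 41 89 00 8B 41 08 C1 E8 0F F6 D0 24 01"   # signature starts at 8B 41 0C
)
ORB_PATTERN = "8Bxxxx89xx8Bxxxx41xxxx8BxxxxC1"
ORB_STOLEN = _h("8B 41 10 41 89 00")      # what the script's assert() expects at aob+5

# Constructed from the listing around MK11.exe+8E5DCFD quoted in the thread.
CHEST_REGION_RVA = 0x8E5DCFD
CHEST_REGION = _h(
    "31 D2 31 C9 E8 3A B2 5D F7 48 85 C0 0F 84 47 05 00 00"            # xor; xor; call; test; je
    "F7 83 D0 00 00 00 00 00 02 00 0F 85 37 05 00 00"                  # test [rbx+D0],20000; jne
    "83 BB 28 04 00 00 FF 74 30 83 BB 58 04 00 00 FF 74 27"
    "83 BB 88 04 00 00 00 0F 85 18 05 00 00 83 BB B8 04 00 00 00"
    "0F 85 0B 05 00 00 83 BB E8 04 00 00 00 0F 85 FE 04 00 00 48 89 6C 24 68"
)
CHEST_PATTERN = ("F7??????????????????0F85????????83????????????74??83????????????"
                 "74??83????????????0F85????????83????????????0F85????????83")
CHEST_STOLEN = _h("F7 83 D0 00 00 00 00 00 02 00")

def locate_hooks() -> dict:
    """Recompute what the two scripts derive from their scans: injection-point
    RVA, whether the expected bytes sit there, and the nop count after the jmp."""
    orb_inj = unique_hit(ORB_REGION, ORB_PATTERN) + 5    # define(inj..., aob...+5)
    chest_inj = unique_hit(CHEST_REGION, CHEST_PATTERN)  # fixed script: aob+0
    return {
        "orb_inj_rva": ORB_REGION_RVA + orb_inj,
        "orb_assert_ok": ORB_REGION[orb_inj:orb_inj + len(ORB_STOLEN)] == ORB_STOLEN,
        "orb_nops": nop_padding(ORB_STOLEN),
        "chest_inj_rva": CHEST_REGION_RVA + chest_inj,
        "chest_assert_ok": CHEST_REGION[chest_inj:chest_inj + 10] == CHEST_STOLEN,
        "chest_nops": nop_padding(CHEST_STOLEN),
    }
```

`locate_hooks()` lands on MK11.exe+C32C3E0 with 1 nop and MK11.exe+8E5DD0F with 5 nops, the same values the two scripts' injection points and nop lists show.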

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

As for using the Blindfold.. the fuckers added some wraith or spirit or whatever the fuck. If you stay too much with it on, that fucker finds you and kills you. Meh T_T.. Will see if I can force those invisible chests to pop-out without the need to use the Blindfold :)

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: Mortal Kombat 11 - table v: 1.0.3 CT

Post by SunBeam »

While tracing for it I found a global BYTE that turns all chest Koin cost to 0 (if set to 1). Thus you won't need to tamper with the chests anymore ;)

Code:

MK11.exe+7FB850 - 48 8B 45 8F           - mov rax,[rbp-71]
MK11.exe+7FB854 - 80 B8 140E0000 00     - cmp byte ptr [rax+00000E14],00 { 0 } // constant; set it to 0x1
MK11.exe+7FB85B - 74 2E                 - je MK11.exe+7FB88B
MK11.exe+7FB85D - 41 83 FF 0A           - cmp r15d,0A { 10 }

Yup, works nicely! :D I opened up 4-5 chests, left to main menu, got back in the Krypt. No cost was deducted on open and I didn't change the chests' Koin cost :D
