Mortal Kombat 11 - table v: 1.0.8 CT

[SunBeam]

Will see what's going on with Souls

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[SunBeam]

I think this is pretty much what we want, right?



BR,
Sun

[TimFun13]

Here's a script for the vial use timer, tested with "vial of protection".

Code: Select all

{
	Process			: MK11.exe  -  (x64)
	Module			: MK11.exe
	Game Title		: Mortal Kombat 11
	Game Version	: 1.0.0.0
	CE Version		: 6.83
	Script Version	: 0.0.1
	Date			: 04/28/19
	Author			: ShyTwig16
	Name			: VialUseTimerHook

	Vial Use Timer Hook
}

{$STRICT}

define(address, MK11.exe+820BED)
define(bytes, F3 41 0F 2C 45 10)

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobVialUseTimerHook, MK11.exe, EBxx48xxxxxxxxxxxxF3xxxxxxxxxx48xxxx48xxxxxxxxxxxx48xxxxxx48)
define(injVialUseTimerHook, aobVialUseTimerHook+9)
assert(injVialUseTimerHook, bytes)
registerSymbol(injVialUseTimerHook)

alloc(memVialUseTimerHook, 0x400, injVialUseTimerHook)

label(fltVialUseTimerHook)
registerSymbol(fltVialUseTimerHook)

label(ptrVialUseTimerHook)
registerSymbol(ptrVialUseTimerHook)

label(n_code)
label(o_code)
label(exit)
label(return)

memVialUseTimerHook:
	fltVialUseTimerHook:
		dd (float)60
	align 10
	ptrVialUseTimerHook:
		dq 0
	align 10 CC
	n_code:
		mov [ptrVialUseTimerHook],r13
		mov eax,[fltVialUseTimerHook]
		mov [r13+10],eax
	o_code:
		cvttss2si eax,[r13+10]
	exit:
		jmp return


////
//// ---------- Injection Point ----------
injVialUseTimerHook:
	jmp n_code
	nop
	return:


////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injVialUseTimerHook:
	db bytes

unregisterSymbol(injVialUseTimerHook)

unregisterSymbol(fltVialUseTimerHook)

unregisterSymbol(ptrVialUseTimerHook)

dealloc(memVialUseTimerHook)

{
//// Injection Point: MK11.exe+820BED  -  0000000140820BED
//// AOB address: 0000000140820BE4  -  MK11.exe+820BE4
//// Process: MK11.exe  -  0000000140000000
//// Module: MK11.exe  -  0000000140000000
//// Module Size: 0000000018215000
MK11.exe+820BA1:  4C 8B 5D 67                 -  mov r11,[rbp+67]                   
MK11.exe+820BA5:  4C 89 5D F7                 -  mov [rbp-09],r11                   
MK11.exe+820BA9:  66 C7 45 FF 0000            -  mov word ptr [rbp-01],0000         
MK11.exe+820BAF:  44 3B C0                    -  cmp r8d,eax                        
MK11.exe+820BB2:  0F84 1A010000               -  je 140820CD2                       
MK11.exe+820BB8:  33 C0                       -  xor eax,eax                        
MK11.exe+820BBA:  89 45 77                    -  mov [rbp+77],eax                   
MK11.exe+820BBD:  0F1F 00                     -  nop [rax]                          
MK11.exe+820BC0:  49 63 C0                    -  movsxd  rax,r8d                    
MK11.exe+820BC3:  4C 6B E8 38                 -  imul r13,rax,38                    
MK11.exe+820BC7:  4D 03 2B                    -  add r13,[r11]                      
MK11.exe+820BCA:  49 8D 4D 10                 -  lea rcx,[r13+10]                   
MK11.exe+820BCE:  E8 2DBB6A00                 -  call 140ECC700                     
MK11.exe+820BD3:  84 C0                       -  test al,al                         
MK11.exe+820BD5:  74 0F                       -  je 140820BE6                       
MK11.exe+820BD7:  41 8B 55 08                 -  mov edx,[r13+08]                   
MK11.exe+820BDB:  48 8B 4D 67                 -  mov rcx,[rbp+67]                   
MK11.exe+820BDF:  E8 3C61FCFF                 -  call 1407E6D20                     
MK11.exe+820BE4:  EB 40                       -  jmp 140820C26                      <<<--- AOB Starts Here
MK11.exe+820BE6:  48 8B 1D 934F8502           -  mov rbx,[143075B80]                [4A0CFA60]
////  INJECTING START  ----------------------------------------------------------
MK11.exe+820BED:  F3 41 0F2C 45 10            -  cvttss2si eax,[r13+10]             
////  INJECTING END  ----------------------------------------------------------
MK11.exe+820BF3:  48 63 C8                    -  movsxd  rcx,eax                    
MK11.exe+820BF6:  48 69 C1 E8030000           -  imul rax,rcx000003E8               
MK11.exe+820BFD:  48 89 45 7F                 -  mov [rbp+7F],rax                   
MK11.exe+820C01:  48 8D 55 7F                 -  lea rdx,[rbp+7F]                   
MK11.exe+820C05:  48 8D 4D 07                 -  lea rcx,[rbp+07]                   
MK11.exe+820C09:  E8 72843D00                 -  call 140BF9080                     
MK11.exe+820C0E:  4C 8D 45 07                 -  lea r8,[rbp+07]                    
MK11.exe+820C12:  41 8B 55 08                 -  mov edx,[r13+08]                   
MK11.exe+820C16:  48 8B 8B 000D0000           -  mov rcx,[rbx+00000D00]             
MK11.exe+820C1D:  E8 CEA53000                 -  call 140B2B1F0                     
MK11.exe+820C22:  48 8B 5D 9F                 -  mov rbx,[rbp-61]                   
MK11.exe+820C26:  41 8B C7                    -  mov eax,r15d                       
MK11.exe+820C29:  F7 D0                       -  not eax                            
MK11.exe+820C2B:  44 23 F0                    -  and r14d,eax                       
MK11.exe+820C2E:  44 89 75 A7                 -  mov [rbp-59],r14d                  
MK11.exe+820C32:  48 8B 03                    -  mov rax,[rbx]                      
MK11.exe+820C35:  48 85 C0                    -  test rax,rax                       
MK11.exe+820C38:  75 04                       -  jne 140820C3E                      
MK11.exe+820C3A:  48 8D 43 10                 -  lea rax,[rbx+10]                   
MK11.exe+820C3E:  4C 8D 4D 77                 -  lea r9,[rbp+77]                    
//// Template: I2CEA_AOBFullInjectionWithValues
//// Generated with: I2 Cheat Engine Auto Assembler Script Template Generator
//// Code Happy, Code Freely, Be Awesome.
}

[SunBeam]

OK, so I got all hidden crap visible. You have to put Blindfold on one time, remove it, then bam Everything is visible.

Function that hides everything:

Code: Select all

MK11.exe+C300670 - 48 89 5C 24 08        - mov [rsp+08],rbx <-- RET this
MK11.exe+C300675 - 57                    - push rdi
MK11.exe+C300676 - 48 83 EC 20           - sub rsp,20 { 32 }
MK11.exe+C30067A - 48 8B 1D FF54D7F6     - mov rbx,[MK11.exe+3075B80] { (5FAF0CE0) }
MK11.exe+C300681 - 48 89 CF              - mov rdi,rcx
MK11.exe+C300684 - 48 85 DB              - test rbx,rbx
MK11.exe+C300687 - 74 0A                 - je MK11.exe+C300693
MK11.exe+C300689 - 31 D2                 - xor edx,edx
MK11.exe+C30068B - 48 89 D9              - mov rcx,rbx
MK11.exe+C30068E - E8 AD4C51F4           - call MK11.exe+815340
MK11.exe+C300693 - 31 C0                 - xor eax,eax
MK11.exe+C300695 - 89 47 04              - mov [rdi+04],eax
MK11.exe+C300698 - 39 47 08              - cmp [rdi+08],eax
MK11.exe+C30069B - 74 44                 - je MK11.exe+C3006E1
MK11.exe+C30069D - 89 47 08              - mov [rdi+08],eax
MK11.exe+C3006A0 - 48 8B 05 D954D7F6     - mov rax,[MK11.exe+3075B80] { (5FAF0CE0) }
MK11.exe+C3006A7 - 48 85 C0              - test rax,rax
MK11.exe+C3006AA - 74 35                 - je MK11.exe+C3006E1
MK11.exe+C3006AC - 48 83 B8 700C0000 00  - cmp qword ptr [rax+00000C70],00 { 0 }
MK11.exe+C3006B4 - 74 2B                 - je MK11.exe+C3006E1
MK11.exe+C3006B6 - 8B 88 780C0000        - mov ecx,[rax+00000C78]
MK11.exe+C3006BC - 81 F9 70170000        - cmp ecx,00001770 { 6000 }
MK11.exe+C3006C2 - 73 1D                 - jae MK11.exe+C3006E1
MK11.exe+C3006C4 - 8B 80 7C0C0000        - mov eax,[rax+00000C7C]
MK11.exe+C3006CA - 89 CA                 - mov edx,ecx
MK11.exe+C3006CC - 48 8D 0D B5F5E7F6     - lea rcx,[MK11.exe+317FC88] { (65602) }
MK11.exe+C3006D3 - 39 04 91              - cmp [rcx+rdx*4],eax
MK11.exe+C3006D6 - 75 09                 - jne MK11.exe+C3006E1
MK11.exe+C3006D8 - 48 8D 4F 10           - lea rcx,[rdi+10]
MK11.exe+C3006DC - E8 CFB6BCF4           - call MK11.exe+ECBDB0
MK11.exe+C3006E1 - 48 85 DB              - test rbx,rbx
MK11.exe+C3006E4 - 74 08                 - je MK11.exe+C3006EE
MK11.exe+C3006E6 - 48 89 D9              - mov rcx,rbx
MK11.exe+C3006E9 - E8 32204EF4           - call MK11.exe+7E2720
MK11.exe+C3006EE - 48 8B 5C 24 30        - mov rbx,[rsp+30]
MK11.exe+C3006F3 - 48 83 C4 20           - add rsp,20 { 32 }
MK11.exe+C3006F7 - 5F                    - pop rdi
MK11.exe+C3006F8 - C3                    - ret

RET-ing it will keep all hidden chests and other objects (like hidden walls and so on) visible Who knows, you might find something you never thought was there

I can't be arsed to also enable the E action when they are visible. So.. enable any script that comes out of the above code, head to your white-ish-hidden-now-visible chest, press R, loot it. Press R again to return to normal world. And so on

P.S.: Yes, you will see R - REMOVE BLINDFOLD in mid-screen; doesn't bother me

[TimFun13]

^ Can't wait to try it.

Oh LOL. The base for that 0xE14 bool is a pointer to a table of "MK11KryptStaticActor" UObject pointers Wonder if I can iterate through it and if it contains all spawned Actors in the Krypt.

EDIT: Ka-ching!

Code: Select all

MK11.exe+7FB725 - 48 8B 15 54A48702     - mov rdx,[MK11.exe+3075B80] { (A640FE00) }
MK11.exe+7FB72C - 48 89 55 8F           - mov [rbp-71],rdx

[[MK11.exe+3075B80]+E14] == 1 Global 0 Koins cost for any chest

This doesn't work on the Orbs either.

[SunBeam]

Noticed it doesn't work on Kronika Vaults. I'm off to find Ermac's Amulet. Tired of the Locked Soul Vaults Will then see how to make it work for Souls as well. Meanwhile, note that if you go from one big map to another, you need to do an R at least once. Engine doesn't unhide all hidden chests from a map that just got loaded (e.g.: when moving from main to Goro's Lair).

[TimFun13]

Noticed it doesn't work on Kronika Vaults. I'm off to find Ermac's Amulet. Tired of the Locked Soul Vaults Will then see how to make it work for Souls as well. Meanwhile, note that if you go from one big map to another, you need to do an R at least once. Engine doesn't unhide all hidden chests from a map that just got loaded (e.g.: when moving from main to Goro's Lair).

It's in the lower pit.

Code: Select all

Lower Pit
X -73.053924560547
Z -44.100292205811
Y -21.612953186035

[SunBeam]

Solved it:

Code: Select all

MK11.exe+807967 - 41 80 BC 24 140E0000 00 - cmp byte ptr [r12+00000E14],00 { 0 }
MK11.exe+807970 - 0F84 7C010000         - je MK11.exe+807AF2
MK11.exe+807976 - 83 F8 0A              - cmp eax,0A { 10 }
MK11.exe+807979 - 0F85 73010000         - jne MK11.exe+807AF2 <-- NOP this if you use 0xE14; else change CMP to JMP_to_xor_below_this_line
MK11.exe+80797F - 45 33 F6              - xor r14d,r14d

This is for the server: set 0xE14 BYTE to 0x1, then force the CMP to JMP to MK11.exe+80797F (xor r14d,r14d). This will tell the server not to subtract any amount from either of your resources

If you also want to see 0 for Souls when you approach Soul Vaults hijack this:

Code: Select all

MK11.exe+7FB854 - 80 B8 140E0000 00     - cmp byte ptr [rax+00000E14],00 { 0 }
MK11.exe+7FB85B - 74 2E                 - je MK11.exe+7FB88B
MK11.exe+7FB85D - 41 83 FF 0A           - cmp r15d,0A { 10 }
MK11.exe+7FB861 - 75 28                 - jne MK11.exe+7FB88B <-- NOP :)
MK11.exe+7FB863 - 45 33 E4              - xor r12d,r12d
MK11.exe+7FB866 - EB 56                 - jmp MK11.exe+7FB8BE

You now have a complete "0 Cost on Chests/Soul Vaults" hack

BR,
Sun

P.S.#1: Haven't tried it with a Kronika Vault. When I find on popping-up, will let you know. Although am sure that that location I mentioned in the beginning of this post covers that as well

P.S.#2: I think you can very well do with a JMP from that CMP, without the need to set 0xE14 to 1 anymore.. Just the JMP to xor in 1st part and NOP in 2nd part would do.

P.S.#3: Yup works

Code: Select all

MK11.exe+807967 - EB 16                 - jmp MK11.exe+80797F
MK11.exe+807969 - 90                    - nop 
MK11.exe+80796A - 90                    - nop 
MK11.exe+80796B - 90                    - nop 
MK11.exe+80796C - 90                    - nop 
MK11.exe+80796D - 90                    - nop 
MK11.exe+80796E - 90                    - nop 
MK11.exe+80796F - 90                    - nop 
MK11.exe+807970 - 0F84 7C010000         - je MK11.exe+807AF2
MK11.exe+807976 - 83 F8 0A              - cmp eax,0A { 10 }
MK11.exe+807979 - 0F85 73010000         - jne MK11.exe+807AF2
MK11.exe+80797F - 45 33 F6              - xor r14d,r14d

Code: Select all

MK11.exe+7FB854 - EB 0D                 - jmp MK11.exe+7FB863
MK11.exe+7FB856 - 90                    - nop 
MK11.exe+7FB857 - 90                    - nop 
MK11.exe+7FB858 - 90                    - nop 
MK11.exe+7FB859 - 90                    - nop 
MK11.exe+7FB85A - 90                    - nop 
MK11.exe+7FB85B - 74 2E                 - je MK11.exe+7FB88B
MK11.exe+7FB85D - 41 83 FF 0A           - cmp r15d,0A { 10 }
MK11.exe+7FB861 - 75 28                 - jne MK11.exe+7FB88B
MK11.exe+7FB863 - 45 31 E4              - xor r12d,r12d

Enjoy

P.S.#4: I think I found the server PROC:



If you scroll a bit, you'll find these:

MK11.exe+807B9E - 48 8D 15 972DB601 - lea rdx,[MK11.exe+236A93C] { ("KRYPT") }
MK11.exe+807BEA - 48 8D 15 872DB601 - lea rdx,[MK11.exe+236A978] { ("Exp_BrutalityHearts") }
MK11.exe+807CA2 - 48 8D 15 932CB601 - lea rdx,[MK11.exe+236A93C] { ("KRYPT") }
MK11.exe+807CEE - 48 8D 15 6B2CB601 - lea rdx,[MK11.exe+236A960] { ("Exp_SoulFragments") }
MK11.exe+807DA6 - 48 8D 15 8F2BB601 - lea rdx,[MK11.exe+236A93C] { ("KRYPT") }
MK11.exe+807DF2 - 48 8D 15 572BB601 - lea rdx,[MK11.exe+236A950] { ("Exp_Koins") }

So definitely in the core function Wonder if I can do more here, such as getting how many of those I want We shall see

[TimFun13]

...
I can't be arsed to also enable the E action when they are visible. So.. enable any script that comes out of the above code, head to your white-ish-hidden-now-visible chest, press R, loot it. Press R again to return to normal world. And so on

P.S.: Yes, you will see R - REMOVE BLINDFOLD in mid-screen; doesn't bother me

I had this active and had the blindfold on and was killed and now the chests show and so do the prompts to open them.

[SunBeam]

...
I can't be arsed to also enable the E action when they are visible. So.. enable any script that comes out of the above code, head to your white-ish-hidden-now-visible chest, press R, loot it. Press R again to return to normal world. And so on

P.S.: Yes, you will see R - REMOVE BLINDFOLD in mid-screen; doesn't bother me

I had this active and had the blindfold on and was killed and now the chests show and so do the prompts to open them.

Yeah. I'm in Kytinn Hive right now, near the Carcass. So.. if you get killed with Blindfold on, once you reset, the actions will be swapped. As in you will see normally, though move slow (like with Blindfold on) and Souls will decrease as well (just noticed now that while in the Spirits world, Souls decrease) So.. get yourself killed somehow if that happens to get back to normal

[SamsterXD]

Apart from chests the forge is the only way to drain hearts, is there any table or value i can edit so i can change the forge costs for draining hearts?

[TimFun13]

Table Updated:

• v 1.0.4:
  • Changed:
    • "Krypt Unlocker" now only uses flag to stop values from decreasing.
  • Added:
    • Krypt Orb Cost Hook (Used to set Koins amount)
    • Super Speed
    • Vial Timer Hook
    • Blindfold Show Hook { SunBeam }

[TimFun13]

Apart from chests the forge is the only way to drain hearts, is there any table or value i can edit so i can change the forge costs for draining hearts?

I just have to know, what changed to make you want to "drain" them after setting to a high value?

[KS212]

Hmmm, here's something somewhat interesting. Here I was under the impression that if you were offline, everything re-locks back to vanilla default.

Apparently that's not true... I firewalled the MK11 exe and ran the game. Sure enough all my currencies stayed at 0... but all my previously unlocked stuff was still unlocked. I could also change variations, despite it giving me a warning that changes will be 'temporary'. Sure enough if I closed the game and reopened it, the variation changes I made reverted to the 'last online saved state'.

But previously saved unlocked content that has been validated online did not re-lock. I can't help but wonder now if there's a flag somewhere in the engine that says if something has been validated or not...

[El_Feo]

Table Updated:

• v 1.0.4:
  • Changed:
    • "Krypt Unlocker" now only uses flag to stop values from decreasing.
  • Added:
    • Krypt Orb Cost Hook (Used to set Koins amount)
    • Super Speed
    • Vial Timer Hook
    • Blindfold Show Hook { SunBeam }

Thanks for the update, but I wonder if you guys can put a teleport save to Shang Tsung´s treasure cache. Good job by the way