forked from server-imp/SFAE
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathnotes.txt
More file actions
239 lines (217 loc) · 16.5 KB
/
notes.txt
File metadata and controls
239 lines (217 loc) · 16.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
To test:
Open the steam console:
Windows Key + R: steam://open/console
Paste this command to reset the lvl 100 achievement:
achievement_clear 1716740 50
In-game paste this command to become lvl 100:
player.setlevel 100
Repeat achievement_clear command to keep testing
Mod Check:
Starfield.exe+2736117: E8 30 3C E3 FF - call Starfield.exe+2569D4C
Starfield.exe+273611C: 8A 44 24 5A - mov al,[rsp+5A]
Starfield.exe+2736120: C0 E0 02 - shl al,02
Starfield.exe+2736123: 32 87 16 11 00 00 - xor al,[rdi+00001116]
Starfield.exe+2736129: 41 22 C7 - and al,r15l
Starfield.exe+273612C: 30 87 16 11 00 00 - xor [rdi+00001116],al
Starfield.exe+2736132: 44 84 BF 16 11 00 00 - test [rdi+00001116],r15l
Starfield.exe+2736139: 75 15 - jne Starfield.exe+2736150
Starfield.exe+273613B: 33 D2 - xor edx,edx
Starfield.exe+273613D: 48 8B 0D 6C 6F DD 03 - mov rcx,[Starfield.exe+650D0B0]
// ---------- INJECTING HERE ----------
Starfield.exe+2736144: E8 97 65 DA FE - call Starfield.exe+14DC6E0
// ---------- DONE INJECTING ----------
Starfield.exe+2736149: 84 C0 - test al,al
Starfield.exe+273614B: 41 8A C4 - mov al,r12l
Starfield.exe+273614E: 74 03 - je Starfield.exe+2736153
Starfield.exe+2736150: 41 8A C7 - mov al,r15l
Starfield.exe+2736153: 80 A7 16 11 00 00 FB - and byte ptr [rdi+00001116],-05
Starfield.exe+273615A: 08 87 16 11 00 00 - or [rdi+00001116],al
Starfield.exe+2736160: 48 8B 8D 88 01 00 00 - mov rcx,[rbp+00000188]
Starfield.exe+2736167: 80 79 28 61 - cmp byte ptr [rcx+28],61
Starfield.exe+273616B: 72 2A - jb Starfield.exe+2736197
Starfield.exe+273616D: 45 8B C5 - mov r8d,r13d
E8 ? ? ? ? 84 ? ? ? ? 74 ? 41 ? ? 80 ? ? ? ? ? FB
Achievement Awarded:
.text:0000000002B52180 48 89 5C 24 08 mov [rsp+arg_0], rbx
.text:0000000002B52185 48 89 74 24 10 mov [rsp+arg_8], rsi
.text:0000000002B5218A 57 push rdi
.text:0000000002B5218B 48 81 EC 40 04 00 00 sub rsp, 440h
.text:0000000002B52192 41 8B F1 mov esi, r9d
.text:0000000002B52195 48 8B F9 mov rdi, rcx
.text:0000000002B52198 4C 8D 05 31 E3 88 02 lea r8, aAchievementDAw ; "Achievement %d awarded"
.text:0000000002B5219F BA 00 04 00 00 mov edx, 400h ; BufferCount
.text:0000000002B521A4 48 8D 4C 24 40 lea rcx, [rsp+448h+Buffer] ; Buffer
.text:0000000002B521A9 E8 EA 46 6D FE call sprintf_s
.text:0000000002B521AE 48 8B 07 mov rax, [rdi]
.text:0000000002B521B1 48 8B 98 10 02 00 00 mov rbx, [rax+210h]
.text:0000000002B521B8 48 8D 05 59 58 7C 02 lea rax, off_5317A18
.text:0000000002B521BF 48 89 44 24 20 mov [rsp+448h+var_428], rax
.text:0000000002B521C4 48 8D 44 24 40 lea rax, [rsp+448h+Buffer]
.text:0000000002B521C9 48 89 44 24 28 mov [rsp+448h+var_420], rax
.text:0000000002B521CE 48 8D 4C 24 30 lea rcx, [rsp+448h+var_418]
.text:0000000002B521D3 E8 38 65 C3 FD call sub_788710
.text:0000000002B521D8 90 nop
.text:0000000002B521D9 45 33 C0 xor r8d, r8d
.text:0000000002B521DC 48 8D 54 24 20 lea rdx, [rsp+448h+var_428]
.text:0000000002B521E1 48 8B CF mov rcx, rdi
.text:0000000002B521E4 FF D3 call rbx
.text:0000000002B521E6 90 nop
.text:0000000002B521E7 48 8D 4C 24 30 lea rcx, [rsp+448h+var_418]
.text:0000000002B521EC E8 17 A1 C3 FD call sub_78C308
.text:0000000002B521F1 90 nop
.text:0000000002B521F2 48 8B 05 77 1F D2 03 mov rax, cs:qword_6874170
.text:0000000002B521F9 83 78 54 01 cmp dword ptr [rax+54h], 1
.text:0000000002B521FD 75 11 jnz short loc_2B52210 <--- nop this
.text:0000000002B521FF E8 50 71 C2 00 call sub_3779354
.text:0000000002B52204 4C 8B 00 mov r8, [rax]
.text:0000000002B52207 8B D6 mov edx, esi
.text:0000000002B52209 48 8B C8 mov rcx, rax
.text:0000000002B5220C 41 FF 50 28 call qword ptr [r8+28h]
.text:0000000002B52210
.text:0000000002B52210 loc_2B52210: ; CODE XREF: achievementAwarded+7D↑j
.text:0000000002B52210 4C 8D 9C 24 40 04 00 00 lea r11, [rsp+448h+var_8]
.text:0000000002B52218 49 8B 5B 10 mov rbx, [r11+10h]
.text:0000000002B5221C 49 8B 73 18 mov rsi, [r11+18h]
.text:0000000002B52220 49 8B E3 mov rsp, r11
.text:0000000002B52223 5F pop rdi
.text:0000000002B52224 C3 retn
48 ? ? ? ? ? ? 83 ? ? 01 75 ? E8 ? ? ? ? 4C
+11
Achievement Friendly:
.text:0000000001089B2C C6 83 50 07 00 00 01 mov byte ptr [rbx+750h], 1
.text:0000000001089B33
.text:0000000001089B33 loc_1089B33: ; CODE XREF: sub_10893F0+725↑j
.text:0000000001089B33 ; sub_10893F0+73A↑j
.text:0000000001089B33 4C 8D 83 58 07 00 00 lea r8, [rbx+758h]
.text:0000000001089B3A C6 44 24 20 00 mov [rsp+5F0h+var_5D0], 0
.text:0000000001089B3F 45 33 C9 xor r9d, r9d
.text:0000000001089B42 48 8D 15 5F AD 12 04 lea rdx, aAchievementFri ; "achievement_friendly"
.text:0000000001089B49 48 8D 4C 24 40 lea rcx, [rsp+5F0h+var_5B0]
.text:0000000001089B4E E8 BD E6 01 00 call jsonReadBool <--- hook this
C6 ? ? ? ? ? 01 4C ? ? ? ? ? ? C6 ? ? ? 00 ? ? ? 48 ? ? ? ? ? ? 48 ? ? ? ? E8 ? ? ? ? ? ? ? ? ? ? ? ? 4C ? ? ? ? ? ? C6 ? ? ? 00 45 ? ?
+35 and rip()
Mods Message:
Starfield.exe+24DEE27: E9 19 01 00 00 - jmp Starfield.exe+24DEF45
Starfield.exe+24DEE2C: F6 03 10 - test byte ptr [rbx],10
Starfield.exe+24DEE2F: 74 0A - je Starfield.exe+24DEE3B
Starfield.exe+24DEE31: E8 7A E5 00 00 - call Starfield.exe+24ED3B0
Starfield.exe+24DEE36: E9 0A 01 00 00 - jmp Starfield.exe+24DEF45
Starfield.exe+24DEE3B: 40 B7 01 - mov dil,01
Starfield.exe+24DEE3E: 48 85 DB - test rbx,rbx
Starfield.exe+24DEE41: 74 46 - je Starfield.exe+24DEE89
Starfield.exe+24DEE43: 40 8A 7B 28 - mov dil,[rbx+28]
Starfield.exe+24DEE47: 8B 03 - mov eax,[rbx]
// ---------- INJECTING HERE ----------
Starfield.exe+24DEE49: 89 05 25 7C 3A 04 - mov [Starfield.exe+6886A74],eax
// ---------- DONE INJECTING ----------
Starfield.exe+24DEE4F: B2 01 - mov dl,01
Starfield.exe+24DEE51: 48 8D 0D 48 B4 02 04 - lea rcx,[Starfield.exe+650A2A0]
Starfield.exe+24DEE58: E8 63 FB FF FF - call Starfield.exe+24DE9C0
Starfield.exe+24DEE5D: 48 8D 4B 10 - lea rcx,[rbx+10]
Starfield.exe+24DEE61: E8 2A 4D FF FF - call Starfield.exe+24D3B90
Starfield.exe+24DEE66: 4D 8B C4 - mov r8,r12
Starfield.exe+24DEE69: BA 04 01 00 00 - mov edx,00000104
Starfield.exe+24DEE6E: 48 8D 0D 0B 7C 3A 04 - lea rcx,[Starfield.exe+6886A80]
Starfield.exe+24DEE75: FF 15 6D 5B CD 01 - call qword ptr [Starfield.exe+41B49E8]
Starfield.exe+24DEE7B: 44 89 3D 3E 8C A7 03 - mov [Starfield.exe+5F57AC0],r15d
89 ? ? ? ? ? ? ? 48 ? ? ? ? ? ? E8 ? ? ? ? 48 ? ? ? E8 ? ? ? ? 4D ? ? ? 04 01 00 00 48 ? ? ? ? ? ? FF
Console Message:
7FF69944D156: CC - int 3
7FF69944D157: CC - int 3
7FF69944D158: CC - int 3
7FF69944D159: CC - int 3
7FF69944D15A: CC - int 3
7FF69944D15B: CC - int 3
7FF69944D15C: CC - int 3
7FF69944D15D: CC - int 3
7FF69944D15E: CC - int 3
7FF69944D15F: CC - int 3
// ---------- INJECTING HERE ----------
7FF69944D160: 48 89 5C 24 08 - mov [rsp+08],rbx < Replace this instruction with a return instruction (0xC3)
// ---------- DONE INJECTING ----------
7FF69944D165: 57 - push rdi
7FF69944D166: 48 83 EC 60 - sub rsp,60
7FF69944D16A: 48 8B F9 - mov rdi,rcx
7FF69944D16D: 80 79 72 00 - cmp byte ptr [rcx+72],00
7FF69944D171: 0F 84 A7 00 00 00 - je 7FF69944D21E
7FF69944D177: 48 8B 1D CA 4C 07 03 - mov rbx,[7FF69C4C1E48]
7FF69944D17E: 48 C7 44 24 20 00 00 00 00 - mov qword ptr [rsp+20],00000000
7FF69944D187: 48 8D 15 7A D7 6A 01 - lea rdx,[7FF69AAFA908]
7FF69944D18E: 48 8D 4C 24 28 - lea rcx,[rsp+28]
7FF69944D193: E8 9C B5 F9 FD - call 7FF6973E8734
48 ? ? ? ? ? 48 ? ? ? 48 ? ? 80 ? ? 00 0F ? ? ? ? ? 48 ? ? ? ? ? ? 48 ? ? ? ? 00 00 00 00
Ever Modded:
Starfield.exe+1AE7377: 5D - pop rbp
Starfield.exe+1AE7378: C3 - ret
Starfield.exe+1AE7379: CC - int 3
Starfield.exe+1AE737A: CC - int 3
Starfield.exe+1AE737B: CC - int 3
Starfield.exe+1AE737C: 40 53 - push rbx
Starfield.exe+1AE737E: 48 83 EC 20 - sub rsp,20
Starfield.exe+1AE7382: 48 8B 0D 1F 2E 9E 03 - mov rcx,[Starfield.exe+54CA1A8]
Starfield.exe+1AE7389: 4C 8D 05 F0 03 00 00 - lea r8,[Starfield.exe+1AE7780]
Starfield.exe+1AE7390: B2 5B - mov dl,5B
// ---------- INJECTING HERE ---------- We need to read this part VVVVVVV
Starfield.exe+1AE7392: C6 05 BF E5 E1 03 01 - mov byte ptr [Starfield.exe+5905958],01
// ---------- DONE INJECTING ----------
Starfield.exe+1AE7399: E8 86 04 9A FF - call Starfield.exe+1487824
Starfield.exe+1AE739E: 65 48 8B 04 25 58 00 00 00 - mov rax,gs:[00000058]
Starfield.exe+1AE73A7: 48 8B 18 - mov rbx,[rax]
Starfield.exe+1AE73AA: B8 BC 00 00 00 - mov eax,000000BC
Starfield.exe+1AE73AF: 80 3C 18 00 - cmp byte ptr [rax+rbx],00
Starfield.exe+1AE73B3: 75 05 - jne Starfield.exe+1AE73BA
Starfield.exe+1AE73B5: E8 16 21 68 FF - call Starfield.exe+11694D0
Starfield.exe+1AE73BA: B9 D0 01 00 00 - mov ecx,000001D0
Starfield.exe+1AE73BF: 80 3C 19 00 - cmp byte ptr [rcx+rbx],00
Starfield.exe+1AE73C3: 74 26 - je Starfield.exe+1AE73EB
40 ? 48 ? ? ? 48 ? ? ? ? ? ? 4C ? ? ? ? ? ? ? ? C6 ? ? ? ? ? 01 E8 ? ? ? ? 65 ? ? ? ? ? ? ? ? 48 ? ? B8 ? ? ? ? ? ? ? 00 75
Background Check 1:
Starfield_original.exe+23F72D2: 0F 84 8F 00 00 00 - je Starfield_original.exe+23F7367
Starfield_original.exe+23F72D8: 48 8B 0D 61 F1 50 03 - mov rcx,[Starfield_original.exe+5906440]
Starfield_original.exe+23F72DF: 48 85 C9 - test rcx,rcx
Starfield_original.exe+23F72E2: 74 09 - je Starfield_original.exe+23F72ED
Starfield_original.exe+23F72E4: E8 FF 0B EA FE - call Starfield_original.exe+1297EE8
Starfield_original.exe+23F72E9: 84 C0 - test al,al
Starfield_original.exe+23F72EB: 75 7A - jne Starfield_original.exe+23F7367
Starfield_original.exe+23F72ED: 48 39 35 7C EC 19 03 - cmp [Starfield_original.exe+5595F70],rsi
Starfield_original.exe+23F72F4: 75 71 - jne Starfield_original.exe+23F7367
Starfield_original.exe+23F72F6: 40 38 35 DB E8 19 03 - cmp [Starfield_original.exe+5595BD8],sil
// ---------- INJECTING HERE ----------
Starfield_original.exe+23F72FD: 75 68 - jne Starfield_original.exe+23F7367
// ---------- DONE INJECTING ----------
Starfield_original.exe+23F72FF: 40 84 FF - test dil,dil
Starfield_original.exe+23F7302: 75 33 - jne Starfield_original.exe+23F7337
Starfield_original.exe+23F7304: 33 C9 - xor ecx,ecx
Starfield_original.exe+23F7306: 40 B7 01 - mov dil,01
Starfield_original.exe+23F7309: E8 32 DC 45 FE - call Starfield_original.exe+854F40
Starfield_original.exe+23F730E: 48 8B 1D C3 D8 50 03 - mov rbx,[Starfield_original.exe+5904BD8]
Starfield_original.exe+23F7315: 48 85 DB - test rbx,rbx
Starfield_original.exe+23F7318: 74 1D - je Starfield_original.exe+23F7337
Starfield_original.exe+23F731A: 48 8D 8B 00 04 00 00 - lea rcx,[rbx+00000400]
Starfield_original.exe+23F7321: E8 EA C0 E4 00 - call Starfield_original.exe+3243410
75 ? 40 ? ? 75 ? 33 ? ? ? 01 E8 ? ? ? ? 48 ? ? ? ? ? ? 48 ? ? 74 ? 48 ? ? ? ? ? ? E8
Background Check 2:
Starfield_original.exe+23F7BA7: CC - int 3
Starfield_original.exe+23F7BA8: 48 89 5C 24 08 - mov [rsp+08],rbx
Starfield_original.exe+23F7BAD: 48 89 6C 24 10 - mov [rsp+10],rbp
Starfield_original.exe+23F7BB2: 57 - push rdi
Starfield_original.exe+23F7BB3: 48 83 EC 20 - sub rsp,20
Starfield_original.exe+23F7BB7: 80 3D 1A E0 19 03 00 - cmp byte ptr [Starfield_original.exe+5595BD8],00
Starfield_original.exe+23F7BBE: BD 01 00 00 00 - mov ebp,00000001
Starfield_original.exe+23F7BC3: 48 8B 05 DE 66 2F 03 - mov rax,[Starfield_original.exe+56EE2A8]
Starfield_original.exe+23F7BCA: 48 8B 3D 7F E8 50 03 - mov rdi,[Starfield_original.exe+5906450]
Starfield_original.exe+23F7BD1: 0F B6 DA - movzx ebx,dl
// ---------- INJECTING HERE ----------
Starfield_original.exe+23F7BD4: 0F 45 DD - cmovne ebx,ebp
// ---------- DONE INJECTING ----------
Starfield_original.exe+23F7BD7: 48 85 C0 - test rax,rax
Starfield_original.exe+23F7BDA: 74 1F - je Starfield_original.exe+23F7BFB
Starfield_original.exe+23F7BDC: 88 98 85 00 00 00 - mov [rax+00000085],bl
Starfield_original.exe+23F7BE2: 48 8B 0D BF 66 2F 03 - mov rcx,[Starfield_original.exe+56EE2A8]
Starfield_original.exe+23F7BE9: E8 72 A7 89 00 - call Starfield_original.exe+2C92360
Starfield_original.exe+23F7BEE: C5 F0 57 C9 - vxorps xmm1,xmm1,xmm1
Starfield_original.exe+23F7BF2: C5 F8 57 C0 - vxorps xmm0,xmm0,xmm0
Starfield_original.exe+23F7BF6: E8 65 60 8B 00 - call Starfield_original.exe+2CADC60
Starfield_original.exe+23F7BFB: 80 3D F6 DF 19 03 00 - cmp byte ptr [Starfield_original.exe+5595BF8],00
Starfield_original.exe+23F7C02: 74 58 - je Starfield_original.exe+23F7C5C
0F 45 ? 48 ? ? 74 ? 88 ? ? ? ? ? 48 ? ? ? ? ? ? E8 ? ? ? ? C5 ? ? ? C5 ? ? ? E8 ? ? ? ? 80 ? ? ? ? ? 00 74