Last active
April 27, 2017 07:05
-
-
Save Erquint/07ff043f270864f392720d96d4a0c78d to your computer and use it in GitHub Desktop.
v1.1 You nagged me so here's the rest. Didn't test much but everything except the Teleport Cheat should work out of the box. TP might or might not work — I ain't messing with it. v1.0 Hacked by Noobrzor. Updated for Steamworks version and gimped by Erquint. The original table(not included) contained more(useless from my point of view) scripts bu…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="utf-8"?> | |
<CheatTable CheatEngineTableVersion="24"> | |
<CheatEntries> | |
<CheatEntry> | |
<ID>22</ID> | |
<Description>"Health Regeneration (2%/sec)"</Description> | |
<LastState/> | |
<VariableType>Auto Assembler Script</VariableType> | |
<AssemblerScript>[ENABLE] | |
aobscanmodule(healthAccess,DARKSOULS.exe,39 98 D4 02 00 00 7E) | |
alloc(newmem,$1000) | |
alloc(value1,$100) | |
alloc(backupEAX,$100) | |
alloc(backupECX,$100) | |
alloc(backupEDX,$100) | |
label(hack) | |
label(nohack) | |
label(clearvalue) | |
label(increasevalue) | |
label(return) | |
newmem: | |
cmp [value1],#30 //if 30 frames per second (FPS) then HealthTick happens every second | |
je clearvalue | |
ja clearvalue | |
jmp increasevalue | |
clearvalue: | |
mov [value1],#0 | |
jmp hack | |
increasevalue: | |
inc [value1] | |
jmp nohack | |
hack: | |
cmp [eax+000002D4],#0 | |
je nohack | |
jb nohack | |
jl nohack | |
mov [backupEAX],eax | |
mov [backupECX],ecx | |
mov [backupEDX],edx | |
mov eax,[eax+000002D8] | |
mov ecx,#50 //1/50 is 2/100 which is 2% | |
xor edx,edx | |
idiv ecx //divides maxHP value currently stored in eax by ecx | |
mov ecx,eax | |
mov eax,[backupEAX] | |
mov edx,[backupEDX] | |
add [eax+000002D4],ecx | |
mov ecx,[backupECX] | |
nohack: | |
cmp [eax+000002D4],ebx | |
jmp return | |
healthAccess: | |
jmp newmem | |
nop | |
return: | |
registersymbol(healthAccess) | |
[DISABLE] | |
healthAccess: | |
db 39 98 D4 02 00 00 | |
unregistersymbol(healthAccess) | |
dealloc(newmem) | |
dealloc(value1) | |
dealloc(backupEAX) | |
dealloc(backupECX) | |
dealloc(backupEDX) | |
</AssemblerScript> | |
</CheatEntry> | |
<CheatEntry> | |
<ID>33</ID> | |
<Description>"Health Regeneration (5/sec)"</Description> | |
<LastState/> | |
<VariableType>Auto Assembler Script</VariableType> | |
<AssemblerScript>[ENABLE] | |
aobscanmodule(healthAccess,DARKSOULS.exe,39 98 D4 02 00 00 7E) | |
alloc(newmem,$1000) | |
alloc(value1,$100) | |
label(hack) | |
label(nohack) | |
label(clearvalue) | |
label(increasevalue) | |
label(return) | |
newmem: | |
cmp [value1],#30 //if 30 frames per second (FPS) then HealthTick happens every second | |
je clearvalue | |
ja clearvalue | |
jmp increasevalue | |
clearvalue: | |
mov [value1],#0 | |
jmp hack | |
increasevalue: | |
inc [value1] | |
jmp nohack | |
hack: | |
cmp [eax+000002D4],#0 | |
je nohack | |
jb nohack | |
jl nohack | |
add [eax+000002D4],#5 | |
nohack: | |
cmp [eax+000002D4],ebx | |
jmp return | |
healthAccess: | |
jmp newmem | |
nop | |
return: | |
registersymbol(healthAccess) | |
[DISABLE] | |
healthAccess: | |
db 39 98 D4 02 00 00 | |
unregistersymbol(healthAccess) | |
dealloc(newmem) | |
dealloc(value1) | |
</AssemblerScript> | |
</CheatEntry> | |
<CheatEntry> | |
<ID>1</ID> | |
<Description>"Item Durability Cheat"</Description> | |
<LastState/> | |
<VariableType>Auto Assembler Script</VariableType> | |
<AssemblerScript>[ENABLE] | |
aobscanmodule(durabilityAccess,DARKSOULS.exe,8D 04 81 8B 40 14 C3 CC) | |
alloc(newmem,$1000) | |
label(return) | |
newmem: | |
lea eax,[ecx+eax*4] | |
mov [eax+14],#99999 | |
mov eax,[eax+14] | |
jmp return | |
durabilityAccess: | |
jmp newmem | |
nop | |
return: | |
registersymbol(durabilityAccess) | |
[DISABLE] | |
durabilityAccess: | |
db 8D 04 81 8B 40 14 | |
unregistersymbol(durabilityAccess) | |
dealloc(newmem) | |
</AssemblerScript> | |
</CheatEntry> | |
<CheatEntry> | |
<ID>10</ID> | |
<Description>"Ammo Cheat"</Description> | |
<LastState/> | |
<VariableType>Auto Assembler Script</VariableType> | |
<AssemblerScript>[ENABLE] | |
aobscanmodule(ammoAccess1,DARKSOULS.exe,8B 40 08 5F C3 8B C7 5F C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC 53) | |
aobscanmodule(ammoAccess2,DARKSOULS.exe,8B 40 08 5F C3 8B C7 5F C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC 57) | |
alloc(newmem1,$1000) | |
alloc(newmem2,$1000) | |
label(return1) | |
label(return2) | |
newmem1: | |
mov [eax+08],#999 | |
mov eax,[eax+08] | |
pop edi | |
ret | |
jmp return1 | |
ammoAccess1: | |
jmp newmem1 | |
return1: | |
registersymbol(ammoAccess1) | |
newmem2: | |
mov [eax+08],#999 | |
mov eax,[eax+08] | |
pop edi | |
ret | |
jmp return2 | |
ammoAccess2: | |
jmp newmem2 | |
return2: | |
registersymbol(ammoAccess2) | |
[DISABLE] | |
ammoAccess1: | |
db 8B 40 08 5F C3 | |
ammoAccess2: | |
db 8B 40 08 5F C3 | |
unregistersymbol(ammoAccess1) | |
unregistersymbol(ammoAccess2) | |
dealloc(newmem1) | |
dealloc(newmem2) | |
</AssemblerScript> | |
</CheatEntry> | |
<CheatEntry> | |
<ID>21</ID> | |
<Description>"Death Penalty Cheat"</Description> | |
<LastState/> | |
<VariableType>Auto Assembler Script</VariableType> | |
<AssemblerScript>[ENABLE] | |
aobscanmodule(DeathPenalty,DARKSOULS.exe,89 56 38 8B 53 7C 33 C9 89 8B 8C 00 00 00 89 56 34 89 4B 7C 8B 48 04 E8) | |
alloc(newmem,$1000) | |
label(return) | |
newmem: | |
//mov [esi+38],edx - Souls moved to Bloodstain | |
mov edx,[ebx+7C] | |
xor ecx,ecx | |
//mov [ebx+0000008C],ecx - Player's Souls set to 0 | |
//mov [esi+34],edx - Humanity moved to Bloodstain | |
//mov [ebx+7C],ecx - Player's Humanity set to 0 | |
mov ecx,[eax+04] | |
//call DARKSOULS.exe+986100 - Player's Hollowification | |
jmp return | |
DeathPenalty: | |
jmp newmem | |
db 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 | |
return: | |
registersymbol(DeathPenalty) | |
[DISABLE] | |
DeathPenalty: | |
db 89 56 38 8B 53 7C 33 C9 89 8B 8C 00 00 00 89 56 34 89 4B 7C 8B 48 04 E8 | |
unregistersymbol(DeathPenalty) | |
dealloc(newmem) | |
</AssemblerScript> | |
</CheatEntry> | |
<CheatEntry> | |
<ID>28</ID> | |
<Description>"Teleport Cheat (buggy)"</Description> | |
<LastState/> | |
<VariableType>Auto Assembler Script</VariableType> | |
<AssemblerScript>[ENABLE] | |
aobscanmodule(coordinateAccess,DARKSOULS.exe,58 F3 0F 7E 40 10 66 0F D6 84) | |
aobscanmodule(codeKilling,DARKSOULS.exe,89 85 D4 02 00 00 83) | |
aobscanmodule(codeKilling2,DARKSOULS.exe,89 85 D4 02 00 00) | |
alloc(newmem,$1000) | |
alloc(newmem2,$200) | |
alloc(newmem3,$200) | |
alloc(status,20) | |
alloc(timer,20) | |
alloc(safety1,20) | |
alloc(safety2,20) | |
alloc(backupEBX,20) | |
alloc(1saved0,20) | |
alloc(1saved4,20) | |
alloc(1saved8,20) | |
alloc(2saved0,20) | |
alloc(2saved4,20) | |
alloc(2saved8,20) | |
label(return2) | |
label(return3) | |
label(originalcode) | |
label(return) | |
label(clearStatusAndTimer) | |
label(saveCoordinates1) | |
label(teleportCoordinates1) | |
label(saveCoordinates2) | |
label(teleportCoordinates2) | |
safety1: | |
db 01 | |
safety2: | |
db 01 | |
newmem: | |
cmp [status],#1 | |
je saveCoordinates1 | |
cmp [status],#2 | |
je teleportCoordinates1 | |
cmp [status],#3 | |
je saveCoordinates2 | |
cmp [status],#4 | |
je teleportCoordinates2 | |
jmp originalcode | |
originalcode: | |
movq xmm0,[eax+10] | |
jmp return | |
saveCoordinates1: | |
mov [safety1],00000000 | |
mov [backupEBX],ebx | |
mov ebx,[eax+10] | |
mov [1saved0],ebx | |
mov ebx,[eax+14] | |
mov [1saved4],ebx | |
mov ebx,[eax+18] | |
mov [1saved8],ebx | |
mov ebx,[backupEBX] | |
mov [status],00000000 | |
movq xmm0,[eax+10] | |
jmp return | |
teleportCoordinates1: | |
cmp [safety1],00000000 | |
jne clearStatusAndTimer | |
mov [backupEBX],ebx | |
mov ebx,[1saved0] | |
mov [eax+10],ebx | |
mov ebx,[1saved4] | |
mov [eax+14],ebx | |
mov ebx,[1saved8] | |
mov [eax+18],ebx | |
mov ebx,[backupEBX] | |
inc [timer] | |
cmp [timer],#4000 //higher means longer delay. 1200 is approx. 5-10 sec. | |
je clearStatusAndTimer | |
ja clearStatusAndTimer | |
jmp originalcode | |
saveCoordinates2: | |
mov [safety2],00000000 | |
mov [backupEBX],ebx | |
mov ebx,[eax+10] | |
mov [2saved0],ebx | |
mov ebx,[eax+14] | |
mov [2saved4],ebx | |
mov ebx,[eax+18] | |
mov [2saved8],ebx | |
mov ebx,[backupEBX] | |
mov [status],00000000 | |
movq xmm0,[eax+10] | |
jmp return | |
teleportCoordinates2: | |
cmp [safety2],00000000 | |
jne clearStatusAndTimer | |
mov [backupEBX],ebx | |
mov ebx,[2saved0] | |
mov [eax+10],ebx | |
mov ebx,[2saved4] | |
mov [eax+14],ebx | |
mov ebx,[2saved8] | |
mov [eax+18],ebx | |
mov ebx,[backupEBX] | |
inc [timer] | |
cmp [timer],#4000 //higher means longer delay. 1200 is approx. 5-10 sec. | |
je clearStatusAndTimer | |
ja clearStatusAndTimer | |
jmp originalcode | |
clearStatusAndTimer: | |
mov [timer],00000000 | |
mov [status],00000000 | |
jmp originalcode | |
coordinateAccess+01: | |
jmp newmem | |
return: | |
registersymbol(coordinateAccess) | |
registersymbol(status) | |
newmem2: | |
cmp [status],00000000 | |
jne return2 | |
mov [ebp+000002D4],eax | |
jmp return2 | |
codeKilling: | |
jmp newmem2 | |
nop | |
return2: | |
registersymbol(codeKilling) | |
newmem3: | |
cmp [status],00000000 | |
jne return3 | |
mov [ebp+000002D4],eax | |
jmp return3 | |
codeKilling2: | |
jmp newmem3 | |
nop | |
return3: | |
registersymbol(codeKilling2) | |
[DISABLE] | |
coordinateAccess+01: | |
db F3 0F 7E 40 10 | |
codeKilling: | |
db 89 85 D4 02 00 00 | |
codeKilling2: | |
db 89 85 D4 02 00 00 | |
unregistersymbol(coordinateAccess) | |
unregistersymbol(status) | |
unregistersymbol(codeKilling) | |
unregistersymbol(codeKilling2) | |
dealloc(newmem) | |
dealloc(newmem2) | |
dealloc(newmem3) | |
dealloc(status) | |
dealloc(timer) | |
dealloc(safety1) | |
dealloc(safety2) | |
dealloc(backupEBX) | |
dealloc(1saved0) | |
dealloc(1saved4) | |
dealloc(1saved8) | |
dealloc(2saved0) | |
dealloc(2saved4) | |
dealloc(2saved8) | |
</AssemblerScript> | |
<CheatEntries> | |
<CheatEntry> | |
<ID>32</ID> | |
<Description>"1=save1//2=load1//3=save2//4=load2"</Description> | |
<VariableType>4 Bytes</VariableType> | |
<Address>status</Address> | |
</CheatEntry> | |
</CheatEntries> | |
</CheatEntry> | |
</CheatEntries> | |
<UserdefinedSymbols> | |
<SymbolEntry> | |
<Name>durabilityAccess</Name> | |
<Address>00C31F40</Address> | |
</SymbolEntry> | |
<SymbolEntry> | |
<Name>ammoAccess1</Name> | |
<Address>00C32129</Address> | |
</SymbolEntry> | |
<SymbolEntry> | |
<Name>ammoAccess2</Name> | |
<Address>00C320C9</Address> | |
</SymbolEntry> | |
<SymbolEntry> | |
<Name>DeathPenalty</Name> | |
<Address>00DA0F1B</Address> | |
</SymbolEntry> | |
<SymbolEntry> | |
<Name>coordinateAccess</Name> | |
<Address>00D6AF8B</Address> | |
</SymbolEntry> | |
<SymbolEntry> | |
<Name>codeKilling</Name> | |
<Address>00E91BED</Address> | |
</SymbolEntry> | |
<SymbolEntry> | |
<Name>codeKilling2</Name> | |
<Address>00E91BED</Address> | |
</SymbolEntry> | |
</UserdefinedSymbols> | |
<Comments>v1.1 | |
You nagged me so here's the rest. | |
Didn't test much but everything except the Teleport Cheat should work out of the box. | |
TP might or might not work — I ain't messing with it. | |
v1.0 | |
Hacked by Noobrzor. | |
Updated for Steamworks version and gimped by Erquint. | |
The original table(not included) contained more(useless from my point of view) scripts but I only bothered to update the one I needed. | |
Stalk and nag me online if you need the rest.</Comments> | |
</CheatTable> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment