Here's another contribution:
Unlimited Survival Instinct. It kept bugging me that I can't freakin' use it while running around for more than X seconds. Well, I used x64dbg, looked for string references and found this:
The function itself is here:
It gets triggered only on disabling (pressing Q a second time) or on starting to walk/run (via the W key). So what I did was to set a breakpoint at its prologue and get out of it when triggered (Ctrl+G > [rsp]), which landed me here:
Then I noticed that there's a timer that gets set from 0 to some value (different from 0) at offset 0x34. Then there's a byte at offset 0x30 that, from testing, controls enabling of the Q key (on a multiple press); you probably noticed there's a cooldown timer not allowing you to press Q immediately. From testing, this delay is 3.0f (so, 3 seconds). And so on. So I started playing around with the code below the JB.
```
SOTTR.exe+9EB9D83 - 72 10 - jb SOTTR.exe+9EB9D95 // [1]
SOTTR.exe+9EB9D85 - 45 31 C0 - xor r8d,r8d
SOTTR.exe+9EB9D88 - 48 89 F2 - mov rdx,rsi
SOTTR.exe+9EB9D8B - 48 89 F9 - mov rcx,rdi
SOTTR.exe+9EB9D8E - E8 6D0880F6 - call SOTTR.exe+6BA600
SOTTR.exe+9EB9D93 - EB 11 - jmp SOTTR.exe+9EB9DA6
SOTTR.exe+9EB9D95 - 83 F9 01 - cmp ecx,01
SOTTR.exe+9EB9D98 - 75 0C - jne SOTTR.exe+9EB9DA6 // [2]
SOTTR.exe+9EB9D9A - 84 C0 - test al,al
SOTTR.exe+9EB9D9C - 74 08 - je SOTTR.exe+9EB9DA6 // [3]
SOTTR.exe+9EB9D9E - 48 89 F9 - mov rcx,rdi
SOTTR.exe+9EB9DA1 - E8 0AC984F6 - call SOTTR.exe+7066B0
SOTTR.exe+9EB9DA6 - E8 E5ED09F7 - call SOTTR.exe+F58B90
```
If I set that JB at [1] to JMP, then it doesn't turn off when you start running. The problem is there's a certain radius in which the objects are highlighted; so, as I move, the GUI doesn't update any *NEW* found objects as I transition. So I continued tracing, reaching [2]. If you check the above, [2] and [3] land on the same function, SOTTR.exe+9EB9DA6. Considering the JB from earlier was set to JMP, either of the two would land there and no update happens ;)
So there can be only one explanation for why there's no updating: call SOTTR.exe+7066B0 needs to be run. So what I did next was to NOP [3].
So there you go. Unlimited Survival Instinct:
```
SOTTR.exe+9EB9D83 - EB 10 - jmp SOTTR.exe+9EB9D95
..
SOTTR.exe+9EB9D9C - 90 - nop
SOTTR.exe+9EB9D9D - 90 - nop
```
You can turn it off by pressing Q again :P
Turned it from "engine auto-forced off" to "at user disposal".
If you want to disable other crap while this is active, dig inside that big function I posted: you can disable the gray-like overlay that makes the orange look more visible, the background humming sound, etc. I'll post more when I play with it; for now it should suffice as is.
L.E.#1: Found that right inside the function with OnSurvivalInstinctActivated: the default value is 1.5f. Change that to a high value and watch it not deactivate when you start running around :P
No need for the two patches above if you plan on using this one; else: a) either patch the 2 spots I mentioned above, or b) hook the location above and make it so the timer's always set to a high value on enable (update the timer to your value in [RAX+0x16A4] first; then let the original code run).
L.E.#2: The cooldown/deactivation timer (3.0f or 3 seconds) is in the same structure as the above one, though the offset is 0x2164.
L.E.#3: Some more explanations and patching:
1) This block is in charge of enabling the markers (main objective, secondary objective(s)):
```
SOTTR.exe+6BDC50 - 80 BF F6000000 00 - cmp byte ptr [rdi+000000F6],00
SOTTR.exe+6BDC57 - 74 1C - je SOTTR.exe+6BDC75
SOTTR.exe+6BDC59 - 48 8B 57 08 - mov rdx,[rdi+08]
SOTTR.exe+6BDC5D - 48 8B CF - mov rcx,rdi
SOTTR.exe+6BDC60 - E8 4BC8FFFF - call SOTTR.exe+6BA4B0
SOTTR.exe+6BDC65 - 84 C0 - test al,al
SOTTR.exe+6BDC67 - 75 0C - jne SOTTR.exe+6BDC75
SOTTR.exe+6BDC69 - 48 8B 0D A03ED500 - mov rcx,[SOTTR.exe+1411B10] { [94B974A0] }
SOTTR.exe+6BDC70 - E8 FB673200 - call SOTTR.exe+9E4470
```
If you don't want them visible, patch the JE to JMP @ SOTTR.exe+6BDC57.
2) This block will enable the gray overlay and the background sound along with it:
```
SOTTR.exe+6BDC77 - 38 9F F4000000 - cmp [rdi+000000F4],bl
SOTTR.exe+6BDC7D - 75 24 - jne SOTTR.exe+6BDCA3
SOTTR.exe+6BDC7F - 4C 8B 47 08 - mov r8,[rdi+08]
SOTTR.exe+6BDC83 - 48 8D 15 96109B00 - lea rdx,[SOTTR.exe+106ED20] { ["evVisionEffectsFadeIn"] }
SOTTR.exe+6BDC8A - 48 8B 0D 0751F402 - mov rcx,[SOTTR.exe+3602D98] { [88BD28F0] }
SOTTR.exe+6BDC91 - 45 33 C9 - xor r9d,r9d
SOTTR.exe+6BDC94 - 48 89 5C 24 28 - mov [rsp+28],rbx
SOTTR.exe+6BDC99 - 48 89 5C 24 20 - mov [rsp+20],rbx
SOTTR.exe+6BDC9E - E8 AD752000 - call SOTTR.exe+8C5250
```
Want no gray overlay and background heartbeat sounds? Patch the JNE @ SOTTR.exe+6BDC7D to a JMP.
BR,
Sun
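The post's two patches rely on two x86 encoding facts: a short conditional jump (`Jcc rel8`, opcodes 0x70-0x7F) and a short `JMP rel8` (0xEB) are both two bytes, so swapping only the opcode byte turns `72 10` into `EB 10` with the same target, and a two-byte `je` can be replaced by two single-byte NOPs without shifting anything after it. The script below is an added example, not code from the post or from Sun: it parses the x64dbg-style listing quoted above, decodes each short jump's target (next instruction address plus the sign-extended displacement) and cross-checks it against the target x64dbg printed, lays the listing out as a contiguous byte run, and then applies the `jb` to `jmp` and `je` to `nop nop` patches only after verifying the original bytes are still in place (so a different build is refused) and that instruction lengths are unchanged. The listing text, the `Insn` type and all function names are this example's own; it works on an in-memory copy of the bytes and never touches a running process or a file.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# The block quoted in the post (x64dbg/CE style: module+rva - bytes - disassembly).
LISTING = """
SOTTR.exe+9EB9D83 - 72 10 - jb SOTTR.exe+9EB9D95 // [1]
SOTTR.exe+9EB9D85 - 45 31 C0 - xor r8d,r8d
SOTTR.exe+9EB9D88 - 48 89 F2 - mov rdx,rsi
SOTTR.exe+9EB9D8B - 48 89 F9 - mov rcx,rdi
SOTTR.exe+9EB9D8E - E8 6D0880F6 - call SOTTR.exe+6BA600
SOTTR.exe+9EB9D93 - EB 11 - jmp SOTTR.exe+9EB9DA6
SOTTR.exe+9EB9D95 - 83 F9 01 - cmp ecx,01
SOTTR.exe+9EB9D98 - 75 0C - jne SOTTR.exe+9EB9DA6 // [2]
SOTTR.exe+9EB9D9A - 84 C0 - test al,al
SOTTR.exe+9EB9D9C - 74 08 - je SOTTR.exe+9EB9DA6 // [3]
SOTTR.exe+9EB9D9E - 48 89 F9 - mov rcx,rdi
SOTTR.exe+9EB9DA1 - E8 0AC984F6 - call SOTTR.exe+7066B0
SOTTR.exe+9EB9DA6 - E8 E5ED09F7 - call SOTTR.exe+F58B90
"""

class Insn(NamedTuple):   # hypothetical helper type for this example
    rva: int      # offset from the module base (the hex after "SOTTR.exe+")
    code: bytes   # encoded instruction bytes
    asm: str      # mnemonic and operands, trailing "// ..." note removed

LINE_RE = re.compile(
    r"^[\w.]+\+(?P<rva>[0-9A-Fa-f]+)\s+-\s+"
    r"(?P<code>(?:[0-9A-Fa-f]{2}\s?)+?)\s+-\s+"
    r"(?P<asm>.*?)(?:\s*//.*)?$"
)

def parse_listing(text: str) -> List[Insn]:
    insns = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised listing line: {raw!r}")
        code = bytes.fromhex(m.group("code").replace(" ", ""))
        insns.append(Insn(int(m.group("rva"), 16), code, m.group("asm").strip()))
    return insns

def short_jump_target(insn: Insn) -> Optional[int]:
    """Target of a 2-byte short jump (Jcc rel8 0x70-0x7F or JMP rel8 0xEB):
    address of the next instruction plus the sign-extended rel8. None otherwise."""
    op = insn.code[0]
    if len(insn.code) != 2 or not (0x70 <= op <= 0x7F or op == 0xEB):
        return None
    rel8 = int.from_bytes(insn.code[1:2], "little", signed=True)
    return insn.rva + len(insn.code) + rel8

def check_jump_targets(insns: List[Insn]) -> List[Tuple[int, int, int]]:
    """Return (rva, decoded, printed) for every short jump whose decoded target
    differs from the one x64dbg printed; an empty list means the listing is consistent."""
    bad = []
    for insn in insns:
        target = short_jump_target(insn)
        if target is None:
            continue
        m = re.search(r"\+([0-9A-Fa-f]+)$", insn.asm)
        printed = int(m.group(1), 16) if m else -1
        if target != printed:
            bad.append((insn.rva, target, printed))
    return bad

def assemble(insns: List[Insn]) -> Tuple[int, bytearray]:
    """Lay the listing out as one contiguous byte run; refuse on a gap, because the
    patches are addressed relative to the first instruction."""
    base, buf = insns[0].rva, bytearray()
    for insn in insns:
        if insn.rva != base + len(buf):
            raise ValueError(f"listing is not contiguous at +{insn.rva:X}")
        buf += insn.code
    return base, buf

def apply_patch(buf: bytearray, base: int, rva: int, expected: bytes, new: bytes) -> None:
    """Overwrite only if the bytes still hold the expected originals (guards against a
    different build) and the replacement has the same length (nothing after it shifts)."""
    if len(new) != len(expected):
        raise ValueError("patch changes instruction length")
    off = rva - base
    if buf[off:off + len(expected)] != expected:
        raise ValueError(f"bytes at +{rva:X} are not the expected originals; wrong build?")
    buf[off:off + len(new)] = new

def jcc_to_jmp(code: bytes) -> bytes:
    """Jcc rel8 -> JMP rel8: keep the displacement, swap the opcode (72 10 -> EB 10)."""
    if len(code) != 2 or not 0x70 <= code[0] <= 0x7F:
        raise ValueError("not a short conditional jump")
    return bytes([0xEB, code[1]])

def build_patched_block() -> Tuple[int, bytearray]:
    """Apply the post's two patches ([1] jb -> jmp, [3] je -> nop nop) to the assembled run."""
    insns = parse_listing(LISTING)
    if check_jump_targets(insns):
        raise ValueError("listing disagrees with its own jump targets")
    base, buf = assemble(insns)
    by_rva = {i.rva: i for i in insns}
    jb, je = by_rva[0x9EB9D83], by_rva[0x9EB9D9C]
    apply_patch(buf, base, jb.rva, jb.code, jcc_to_jmp(jb.code))
    apply_patch(buf, base, je.rva, je.code, b"\x90" * len(je.code))  # same-length NOP fill
    return base, buf

if __name__ == "__main__":
    base, buf = build_patched_block()
    print(f"+{base:X}: {buf.hex(' ')}")
```

The same `short_jump_target` arithmetic explains why the post can swap `jb` for `jmp` at [1] without recomputing anything: the displacement 0x10 already points at SOTTR.exe+9EB9D95, and `jne`/`je` at [2] and [3] both resolve to SOTTR.exe+9EB9DA6, which is why `check_jump_targets` is a cheap sanity check to run before trusting a hand-copied listing.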