Shadow of the Tomb Raider +18+1 (table Update12)

[jonasbeckman]

Season pass for this wasn't too impressive from what I read up about it's content but there were plenty of discount sales available so that made the price a lot more manageable at least. (And the early unlock was a nice bonus I suppose even if used as a sales incentive.)

7 dungeons, 7 existing dungeons getting additional challenges, 7 outfits and "multiple narrative missions." side quests which I guess will be adding more fetch missions throughout the regular game with one of each of the above being exclusive to the season pass, until Square-Enix and/or Eidos needs a bit of a cash boost and starts selling them separately as usual.

And nice work on the updated table, bit of junk on the guns always looked a bit silly. (Compensator, silencer, sights and various straps and other bits.)

EDIT: Ah so there's weapons and skills too.

What exactly more do you need though for guns seeing how a few hours in you'll be having multiple of everything besides possibly the shotgun which is progression gated since it doubles as a door opener though I guess we'll see what those and the skills will be.
(Eh guess that technically applies to dress-up mode too, many of the outfits don't even provide bonuses though I think those are mainly the ones carrying over from existing save data being found from the last two titles.)

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[sage3k]

Thank you!

[NumberXer0]

Table update works great, thanks. Unfortunately, I had to roll the game back an update because the latest update makes the game error for me and a lot of people online. They had to release a beta branch for the rollback. Hopefully they fix it soon, because the table wont work on the older versions now.

[SunBeam]

Hi Cielos.

Finally got some access to my PC.

First-up, you may want to add all hooked code in a single cave. It's a waste of space and running around through memory to allocate 2048 bytes all the time.

alloc(newmem,2048,equippedAmmoPouchReadAOB)
alloc(newmem2,2048,equippedAmmoClipReadAOB+7)
alloc(newmem6,2048,playerHealthChk1AOB+5)
alloc(newmem11,2048,skillPtReadOnCampMenuAccessAOB)
alloc(aHideAppearanceChange,2048,SOTTR.exe)
etc.

Secondly, I'll investigate your hooks, maybe I find something interesting out of those functions (before they're called-in); flags, dev things

BR,
Sun

[SunBeam]

Here's my first run-down, starting from your Undead feature.

Your hook spot:

Code: Select all

000000014673308E | 0F28F8              | MOVAPS XMM7,XMM0                      |
0000000146733091 | 48:8B83 A8020000    | MOV RAX,QWORD PTR DS:[RBX+2A8]        | rax:EntryPoint
0000000146733098 | 0F28F7              | MOVAPS XMM6,XMM7                      |
000000014673309B | F3:0F100D 75A58BFA  | MOVSS XMM1,DWORD PTR DS:[140FED618]   | <--
00000001467330A3 | F3:0F5870 2C        | ADDSS XMM6,DWORD PTR DS:[RAX+2C]      |
00000001467330A8 | 41:0F2FF0           | COMISS XMM6,XMM8                      |

Scrolling upwards, I found this:

Code: Select all

0000000146732FF8 | 48:8B0D 895AE2FC    | MOV RCX,QWORD PTR DS:[143558A88]      |
0000000146732FFF | 4C:89CF             | MOV RDI,R9                            | r9:EntryPoint
0000000146733002 | 45:0FB6F0           | MOVZX R14D,R8B                        |
0000000146733006 | 0F28F9              | MOVAPS XMM7,XMM1                      |
0000000146733009 | 48:8B01             | MOV RAX,QWORD PTR DS:[RCX]            | rax:EntryPoint
000000014673300C | FF90 08010000       | CALL QWORD PTR DS:[RAX+108]           | <--
0000000146733012 | 84C0                | TEST AL,AL                            |
0000000146733014 | 74 0C               | JE sottr_dumped.146733022             |
0000000146733016 | 48:85FF             | TEST RDI,RDI                          |
0000000146733019 | 75 07               | JNE sottr_dumped.146733022            |
000000014673301B | 31C0                | XOR EAX,EAX                           |
000000014673301D | E9 63020000         | JMP sottr_dumped.146733285            |

Which led me to this location:

Code: Select all

0000000149651880 | 48:8B05 1172F0F9    | MOV RAX,QWORD PTR DS:[143558A98]      | rax:EntryPoint
0000000149651887 | 48:85C0             | TEST RAX,RAX                          | rax:EntryPoint
000000014965188A | 74 0C               | JE sottr_dumped.149651898             |
000000014965188C | 80B8 C8040000 00    | CMP BYTE PTR DS:[RAX+4C8],0           |
0000000149651893 | 75 03               | JNE sottr_dumped.149651898            |
0000000149651895 | B0 01               | MOV AL,1                              |
0000000149651897 | C3                  | RET                                   |
0000000149651898 | 30C0                | XOR AL,AL                             |
000000014965189A | C3                  | RET                                   |

In here, I noticed the pointer stored @ 143558A98 is NULL. Check-out the CMP 3 line below. So, there's a BYTE at offset 0x4C8 in a (uninitialized) structure which, if 1, will allow you not to die when (in my case) underwater. At this point I don't know if this is something like "if wearing underwater suit", "if wearing breathing mask" or just a dev uninitialized pointer. Considering it's coming from a static location, I tend to believe more the latter

I tested this while underwater (am not far off in the story to be shot at or fall from great heights). The function kicks in here:

Code: Select all

00000001469BEFD0 | 44:0FB787 BE000000  | MOVZX R8D,WORD PTR DS:[RDI+BE]        |
00000001469BEFD8 | 45:31C9             | XOR R9D,R9D                           |
00000001469BEFDB | 8B87 A8000000       | MOV EAX,DWORD PTR DS:[RDI+A8]         |
00000001469BEFE1 | 41:0FB6C8           | MOVZX ECX,R8B                         |
00000001469BEFE5 | F3:0F108B D0020000  | MOVSS XMM1,DWORD PTR DS:[RBX+2D0]     |
00000001469BEFED | 41:0FB6D0           | MOVZX EDX,R8B                         |
00000001469BEFF1 | 0F570D 384A63FA     | XORPS XMM1,XMMWORD PTR DS:[140FF3A30] |
00000001469BEFF8 | C0E9 06             | SHR CL,6                              |
00000001469BEFFB | 80E1 01             | AND CL,1                              |
00000001469BEFFE | 894424 30           | MOV DWORD PTR SS:[RSP+30],EAX         |
00000001469BF002 | C0EA 05             | SHR DL,5                              |
00000001469BF005 | 80E2 01             | AND DL,1                              |
00000001469BF008 | 41:C0E8 04          | SHR R8B,4                             |
00000001469BF00C | 885424 28           | MOV BYTE PTR SS:[RSP+28],DL           |
00000001469BF010 | 41:80E0 01          | AND R8B,1                             |
00000001469BF014 | 884C24 20           | MOV BYTE PTR SS:[RSP+20],CL           |
00000001469BF018 | 48:89D9             | MOV RCX,RBX                           |
00000001469BF01B | E8 20118AF9         | CALL sottr_dumped.140260140           | <--
00000001469BF020 | 4C:8B83 F8040000    | MOV R8,QWORD PTR DS:[RBX+4F8]         |
00000001469BF027 | 4D:85C0             | TEST R8,R8                            |

You may want to break and trace.

So next step's to determine where the initialization of that pointer occurs and force it Maybe there's a "is_retail" check

BR,
Sun

L.E.1: Found like 900+ references to that 0x143558A98 pointer. Not to mention there's a lot more offsets being used in certain portions of code; of course, leading to other member-functions The problem we have is none of those references is a "MOV [ptr],r64" So I think that initialization is ripped out.

L.E.2: Found a static one referenced here, but for 0x143558A88; had to use Ctrl+F to get to it:

Code: Select all

00000001494847A0 | 48:83EC 28                | SUB RSP,28                        |
00000001494847A4 | B9 E8040000               | MOV ECX,4E8                       |
00000001494847A9 | E8 B20BF6F6               | CALL sottr_dumped.1403E5360       |
00000001494847AE | 48:85C0                   | TEST RAX,RAX                      | rax:EntryPoint
00000001494847B1 | 74 14                     | JE sottr_dumped.1494847C7         |
00000001494847B3 | 48:89C1                   | MOV RCX,RAX                       | rax:EntryPoint
00000001494847B6 | E8 B5131AF7               | CALL sottr_dumped.140625B70       | <--
00000001494847BB | 48:8905 C6420DFA          | MOV QWORD PTR DS:[143558A88],RAX  | <--
00000001494847C2 | 48:83C4 28                | ADD RSP,28                        |
00000001494847C6 | C3                        | RET                               |
00000001494847C7 | 48:C705 B6420DFA 00000000 | MOV QWORD PTR DS:[143558A88],0    |
00000001494847D2 | 48:83C4 28                | ADD RSP,28                        |
00000001494847D6 | C3                        | RET                               |

And that CALL leads to this

Code: Select all

000000014941CCF0 | 48:895C24 08        | MOV QWORD PTR SS:[RSP+8],RBX                         |
000000014941CCF5 | 57                  | PUSH RDI                                             |
000000014941CCF6 | 48:83EC 20          | SUB RSP,20                                           |
000000014941CCFA | 48:89CB             | MOV RBX,RCX                                          |
000000014941CCFD | E8 DE7D20F7         | CALL sottr_dumped.140624AE0                          |
000000014941CD02 | 48:8D8B 90040000    | LEA RCX,QWORD PTR DS:[RBX+490]                       |
000000014941CD09 | 31FF                | XOR EDI,EDI                                          |
000000014941CD0B | 48:8D05 C6B1C4F7    | LEA RAX,QWORD PTR DS:[141067ED8]                     | rax:EntryPoint
000000014941CD12 | BA 4D010000         | MOV EDX,14D                                          |
000000014941CD17 | 48:8903             | MOV QWORD PTR DS:[RBX],RAX                           | rax:EntryPoint
000000014941CD1A | 48:8D05 57B1C4F7    | LEA RAX,QWORD PTR DS:[141067E78]                     | rax:EntryPoint
000000014941CD21 | 48:8901             | MOV QWORD PTR DS:[RCX],RAX                           | rax:EntryPoint
000000014941CD24 | 48:8D05 75BA21F7    | LEA RAX,QWORD PTR DS:[1406387A0]                     | rax:EntryPoint
000000014941CD2B | 48:8941 18          | MOV QWORD PTR DS:[RCX+18],RAX                        | rax:EntryPoint
000000014941CD2F | C641 08 00          | MOV BYTE PTR DS:[RCX+8],0                            |
000000014941CD33 | 8979 0C             | MOV DWORD PTR DS:[RCX+C],EDI                         |
000000014941CD36 | 48:8959 10          | MOV QWORD PTR DS:[RCX+10],RBX                        |
000000014941CD3A | FF15 F8525009       | CALL QWORD PTR DS:[<&SteamAPI_RegisterCallback>]     |
000000014941CD40 | 48:8D8B B0040000    | LEA RCX,QWORD PTR DS:[RBX+4B0]                       |
000000014941CD47 | BA FA010000         | MOV EDX,1FA                                          |
000000014941CD4C | 48:8D05 55B1C4F7    | LEA RAX,QWORD PTR DS:[141067EA8]                     | rax:EntryPoint
000000014941CD53 | 40:8879 08          | MOV BYTE PTR DS:[RCX+8],DIL                          |
000000014941CD57 | 48:8901             | MOV QWORD PTR DS:[RCX],RAX                           | rax:EntryPoint
000000014941CD5A | 48:8D05 4FE021F7    | LEA RAX,QWORD PTR DS:[14063ADB0]                     | rax:EntryPoint
000000014941CD61 | 48:8941 18          | MOV QWORD PTR DS:[RCX+18],RAX                        | rax:EntryPoint
000000014941CD65 | 8979 0C             | MOV DWORD PTR DS:[RCX+C],EDI                         |
000000014941CD68 | 48:8959 10          | MOV QWORD PTR DS:[RCX+10],RBX                        |
000000014941CD6C | FF15 C6525009       | CALL QWORD PTR DS:[<&SteamAPI_RegisterCallback>]     |
000000014941CD72 | 81A3 D4040000 FFFF0FFF              | AND DWORD PTR DS:[RBX+4D4],FF0FFFFF  |
000000014941CD7C | 48:89D8             | MOV RAX,RBX                                          | rax:EntryPoint
000000014941CD7F | 40:88BB D7040000    | MOV BYTE PTR DS:[RBX+4D7],DIL                        |
000000014941CD86 | 81A3 D4040000 0000F0FF              | AND DWORD PTR DS:[RBX+4D4],FFF00000  |
000000014941CD90 | 89BB D0040000       | MOV DWORD PTR DS:[RBX+4D0],EDI                       |
000000014941CD96 | 81A3 DC040000 FFFF0FFF              | AND DWORD PTR DS:[RBX+4DC],FF0FFFFF  |
000000014941CDA0 | 40:88BB DF040000    | MOV BYTE PTR DS:[RBX+4DF],DIL                        |
000000014941CDA7 | 81A3 DC040000 0000F0FF              | AND DWORD PTR DS:[RBX+4DC],FFF00000  |
000000014941CDB1 | 89BB D8040000       | MOV DWORD PTR DS:[RBX+4D8],EDI                       |
000000014941CDB7 | 40:88BB E0040000    | MOV BYTE PTR DS:[RBX+4E0],DIL                        |
000000014941CDBE | 66:89BB E1040000    | MOV WORD PTR DS:[RBX+4E1],DI                         |
000000014941CDC5 | 48:8B5C24 30        | MOV RBX,QWORD PTR SS:[RSP+30]                        |
000000014941CDCA | 48:83C4 20          | ADD RSP,20                                           |
000000014941CDCE | 5F                  | POP RDI                                              |
000000014941CDCF | C3                  | RET                                                  |

So.. uhm.. something to do with Steam? I saw there's Challenges or something in the Main Menu; can think of online activities, perhaps, where Steam API might be required for some reason? Or.. something unlocked via Steam? Say.. if item X is unlocked (in player's inventory), then you won't die underwater. Uhm, I also think that check I described earlier doesn't happen only underwater. That was my scenario, that one situation. I found there's more calls to that block of data. Example:

Code: Select all

00000001454AB8B4 | 48:833D DCD10AFE 00 | CMP QWORD PTR DS:[143558A98],0        |
00000001454AB8BC | 74 18               | JE sottr_dumped.1454AB8D6             |
00000001454AB8BE | 48:8B0D C3D10AFE    | MOV RCX,QWORD PTR DS:[143558A88]      | <--
00000001454AB8C5 | 48:8B01             | MOV RAX,QWORD PTR DS:[RCX]            | <--
00000001454AB8C8 | FF90 08010000       | CALL QWORD PTR DS:[RAX+108]           | <--
00000001454AB8CE | 84C0                | TEST AL,AL                            | <--
00000001454AB8D0 | 0F85 F1000000       | JNE sottr_dumped.1454AB9C7            |
00000001454AB8D6 | 48:8B83 30030000    | MOV RAX,QWORD PTR DS:[RBX+330]        |

I'll keep looking for 0x143558A98 write references

[Cielos]

[...]

took me a whole afternoon to track down the flashlight switching process.
managed to force call the "switch on" process, but lara won't auto-turn with the camera just like when the game switch on the flashlight for you, so I thought I should trace some more of the game's flashlight-trigger point to see what else it does.
I ran back to a cave through a flashlight-trigger with my flashlight on, it creates another flashlight object, and one of them followed me while the other stayed at the trigger spot. I thought, interesting, I'll have to manipulate the game's flashlight-trigger point later as well. then without thinking, I ran back to the trigger spot and the game crash.
and
...
....
I didn't save the table beforehand. the last saved were some mid-way testing scripts that was probably led to some dead end.
wasted a Saturday. and a storm is coming, meant to go see a movie tomorrow, now it'll be an in-door gathering at my friend's place, which would take much longer than a movie. so it's my turn to have the itching fingers I guess.

so, I'm done with it. for now at least.
I'll wait for more of your discovery, hopefully the player-coords among them, so that I can make a no-clip mush easier...

off to play some more now...

EDIT:
missed your first message.
I used to do that for awhile, some years ago. using one code cave for the enable script.
one of the reasons I stop is that, I tend to added option to the table as I play the game, it's mush easier to debug if some scripts stop working after some game patches.
but the main reason is just laziness, somehow a tiny voice in my head always tells me that it doesn't really matter much, just leave it be....
anyway, it's a good practice I believe. maybe on next game I'll try the one cave route again, see if I like it....

///*******************************************///

Table update works great, thanks. Unfortunately, I had to roll the game back an update because the latest update makes the game error for me and a lot of people online. They had to release a beta branch for the rollback. Hopefully they fix it soon, because the table wont work on the older versions now.

the previous table versions can still be found in the table post. tell me which one is still working on the rollback, I'll see if I can do something about it and make at least some of the new options for the rollback for now.

[SunBeam]

So yeah, guess what.. we can easily figure out a ton shit of stuff via GetName and GetHash member-functions I'll start filling this post-up, so you get the idea. Furthermore, I think we can also force some engine setting of parameters, which I could find listed here:

Code: Select all

NetObject::RPC_MigrationSuccess
NetObject::RPC_MigrationFailure
NetInstance::RPC_MovePlayer
NetObject::RPC_SignalDuplicaConstructed
NetComponent::RPC_SignalDuplicaConstructed
NetPlayerInfo::RPC_RemoveFromGame
NetPlayerInfo::RPC_SetCurrentGameState
NetPlayerInfo::RPC_GetUniqueID
NetPlayerInfo::RPC_SetUniqueID
NetPlayerInfo::RPC_RequestPromotion
NetPlayerInfo::RPC_FulfillPromotionRequest
NetPlayerInfo::RPC_SetFlag
NetPlayerInfo::RPC_SkipMovie
RageComponent::RPC_ResetRage
LootComponent::RPC_RequestLoot
LootComponent::RPC_SetLootItems
InventoryComponent::RPC_GiveAmmo
InventoryComponent::RPC_GiveItem
InventoryComponent::RPC_LoadItem
HealthComponent::RPC_Die
HealthComponent::RPC_DoContactDamage
HealthComponent::RPC_SetHitPoints
HealthComponent::RPC_SetInvincible
HealthComponent::RPC_ApplyDefaultHealing
InteractableComponent::RPC_RequestEmigration
InteractableComponent::RPC_EnableProfile
InteractableComponent::RPC_RequestInteract
InteractableComponent::RPC_LockProfile
InteractableComponent::RPC_SyncProfileData
InteractComponent::RPC_HostRegisterAndRequestInteract
InteractComponent::RPC_CancelInteract
InteractComponent::RPC_ConfirmInteract
InteractComponent::RPC_HostUnregisterInteract
InteractComponent::RPC_SetInteractInfo
InteractComponent::RPC_InteractFinish
CustomizationSpawnerComponent::RPC_SpawnObject
BuildPointComponent::RPC_PerformAction
BuildPointComponentManager::RPC_PurchaseItem
BuildPointComponentManager::RPC_SpawnObject
ObjectNetDataComponent::RPC_SetValue
FlammableComponent::RPC_RequestFlammableTransition
WorldStateManager::RPC_SetTension
NetDebugger::RPC_SetOption
MarkupManager::RPC_AddZipLine
MarkupManager::RPC_SetMarkupBoxEnabled
DynamicMarkupComponent::RPC_EnableInstanceDynamicMarkupComponent
AGInstanceNetSyncNode::RPC_TriggerNetSyncNode
AGInstanceNetSendEventNode::RPC_SendEventNode
NetSyncObjectMgr::RPC_NetSyncObjectMgr
NetStreamManager::RPC_ReportClientLoadedUnits
NetSession::RPC_SetGameState
NetSession::RPC_RequestNextGameState
NetSession::RPC_ForceSyncUnitName
NetVoiceComBase::RPC_ProcessVoiceData
SeeThroughComponent::RPC_SetEnabled
SurvivalInstinctComponent::RPC_SetActive
NpcComponent::RPC_HandleRequestEmigration
UiMenuStateMain2MPGame::RPC_On2MPGameState
Stream::RPC_RelocateWorld
CorpseManager::RPC_ActivateCorpse
CorpseManager::RPC_DeleteCorpseInstance
ChallengeTombModeManager::RPC_TriggerMapVote
ChallengeTombModeManager::RPC_StartChallengeTomb
ChallengeTombModeManager::RPC_TriggerLevelEnd
UiWidgetMapVoteDialog::RPC_SetPlayerStatus
ChallengeTracker::RPC_IncrementChallenge
ChallengeTracker::RPC_FailChallenge
StateControlComponent::RPC_ConfirmFinisherRequest
StateControlComponent::RPC_SetNetFinisherPlayer
UiMenuStateLiveMultiplayerVote::RPC_StartCountdown
UiMenuStateLiveMultiplayerVote::RPC_SetVoteState
UiMenuStateLiveMultiplayerVote::RPC_VoteComplete
UiMenuStatePause::RPC_AttemptToStartVote
UiMenuStatePause::RPC_StartVote
DeathReset::RPC_RequestDeathReset

I'll refer to HealthComponent::RPC_SetInvincible in a bit, after the explanation of what I'm tracking down/doing.

So, starting from your hook spot:

Code: Select all

000000014673308E | 0F28F8              | MOVAPS XMM7,XMM0                      |
0000000146733091 | 48:8B83 A8020000    | MOV RAX,QWORD PTR DS:[RBX+2A8]        |<--
0000000146733098 | 0F28F7              | MOVAPS XMM6,XMM7                      |
000000014673309B | F3:0F100D 75A58BFA  | MOVSS XMM1,DWORD PTR DS:[140FED618]   |
00000001467330A3 | F3:0F5870 2C        | ADDSS XMM6,DWORD PTR DS:[RAX+2C]      |
00000001467330A8 | 41:0F2FF0           | COMISS XMM6,XMM8                      |

I checked out RBX in memory. Most game engines keep the structure member-functions pointer at 0x0. That being said, whichever functions are tied to this structure, whose purpose or name we have to find, are going to be referenced via this pointer So, in my case RBX is 0xA929DF80. CE shows the following in Dump:



Pointer to member-functions is the QWORD at 0x0: 0x141005380. If we check-out its memory block, we see this:



First-up, there's a vtable of functions, starting from 0x0 till the "HealthComponent" string. From experience I can tell this structure is called HealthComponent (by that string alone). But, just to double-check my assumption, let's start checking the first 3-4 functions in the disassembler. Again, from experience, I know first two will be a constructor and destructor - so I'll skip them - then looking at the 3rd and 4th in that list, I see these:



0x18 member-function retrieves a DWORD; a hash value - - 0xD132F59E.



0x20 member-function retrieves a pointer to a string; a name pointer - - "HealthComponent".

So we can call these member-functions GetHash and GetName We can use GetName to identify structures; the hash we might also find hard-coded in game's engine (for example, game may do something like this "CMP EAX,D132F59E" in some function to filter out HealthComponent structure processing).

Then there's this portion:

Code: Select all

0000000146733091 | 48:8B83 A8020000               | MOV RAX,QWORD PTR DS:[RBX+2A8]             | rax:"@S", [rbx+2A8]:"@S"
0000000146733098 | 0F28F7                         | MOVAPS XMM6,XMM7                           |

The retrieved address, in my case, is 0x85DC54E0. And guess what, GetName says it's also called "HealthComponent". However, this is not the base object, it's the actual component, because 0x28 contains CurrentHealth (as DWORD), while 0x2C is the actual CurrentHealth (as FLOAT).

Then a fag script is run that forces Laura to get to surface for air Once outside, CurrentHealth starts increasing by 1.0f. Also, keep in mind that function you're hooking can be called UpdateHealth (as it's called on decrease/increase of HealthComponent).

Now for the references I found up top and HealthComponent::RPC_SetInvincible.

There are two references from this string, one in the block with all those strings I pulled out and another where the actual execution and invoke happens:



So I then used IDA and back-traced my way through several locations I set breaks on:







This 3rd spot [3] is part of a big-ass function checking-up hash DWORDs (remember earlier?). This function starts here:



So, knowing the right object pointer (HealthComponent) I can use the break above (when hit) to head exactly through the path I described earlier ([3], [2], [1], HealthComponent::RPC_SetInvincible). Will report my finding

BR,
Sun

[SunBeam]

As far as ammunition goes, I started searching for my bow arrows amount. Found address as 0x9BE6F87C. Then I debugged it and found this to write to it when firing:

Code: Select all

SOTTR.exe+9AEB565 - 66 89 18              - mov [rax],bx

I back-traced out of the function and then started tracing code from its prologue:

Code: Select all

SOTTR.exe+9B20E55 - 48 89 6C 24 18        - mov [rsp+18],rbp

RCX here in my case is 0xA9123400. Using the logic from previous post, I found that it's an "InventoryComponent" object.

Then this:

Code: Select all

SOTTR.exe+9B20E97 - 48 8B 8B A8030000     - mov rcx,[rbx+000003A8]
SOTTR.exe+9B20E9E - 48 89 FA              - mov rdx,rdi
SOTTR.exe+9B20EA1 - 48 83 C1 28           - add rcx,28

Tells me 0x3A8 contains a pointer (another reference to InventoryComponent, but I think this is the value object). So address is 0xB340BF40 in my case. Add 0x28 to it, then a CALL follows:

Code: Select all

SOTTR.exe+9B20EAA - E8 E1C8B2F6           - call SOTTR.exe+64D790

The result of this CALL returned in RAX is 0x9BE6F87C. Yup, my bow amount address. Let's continue.

Code: Select all

SOTTR.exe+9B20EAF - 48 89 D9              - mov rcx,rbx
SOTTR.exe+9B20EB2 - 0FB7 10               - movzx edx,word ptr [rax] // get amount; current amount I have is 0xF
SOTTR.exe+9B20EB5 - 29 EA                 - sub edx,ebp // subtract 0x1
SOTTR.exe+9B20EB7 - 31 ED                 - xor ebp,ebp
SOTTR.exe+9B20EB9 - 85 D2                 - test edx,edx // check if NULL
SOTTR.exe+9B20EBB - 0F4F EA               - cmovg ebp,edx // move the greater of the two in ebp (ebp == 0xE)
SOTTR.exe+9B20EBE - 48 89 FA              - mov rdx,rdi

So that's where the subtraction occurs.

Next-up, engine checks the calculated amount vs. maximum amount. Let's see where.

Code: Select all

SOTTR.exe+9B20F59 - C6 44 24 30 01        - mov byte ptr [rsp+30],01
SOTTR.exe+9B20F5E - 41 B1 01              - mov r9l,01
SOTTR.exe+9B20F61 - C6 44 24 28 00        - mov byte ptr [rsp+28],00
SOTTR.exe+9B20F66 - 44 0FB7 C5            - movzx r8d,bp // move 0xE into r8d
SOTTR.exe+9B20F6A - 48 89 FA              - mov rdx,rdi
SOTTR.exe+9B20F6D - C6 44 24 20 00        - mov byte ptr [rsp+20],00
SOTTR.exe+9B20F72 - 48 89 D9              - mov rcx,rbx
SOTTR.exe+9B20F75 - E8 964CB7F6           - call SOTTR.exe+695C10 <-- our "mov [rax],bx" function; go inside

Code: Select all

SOTTR.exe+9AEB499 - 8B 0A                 - mov ecx,[rdx] // rdx here is InventoryComponent pointer - 0xA9123400
SOTTR.exe+9AEB49B - 31 D2                 - xor edx,edx
SOTTR.exe+9AEB49D - 89 C8                 - mov eax,ecx
SOTTR.exe+9AEB49F - 48 F7 B6 30030000     - div [rsi+00000330]
SOTTR.exe+9AEB4A6 - 48 8B 86 18030000     - mov rax,[rsi+00000318]
SOTTR.exe+9AEB4AD - 4C 8B 0C D0           - mov r9,[rax+rdx*8]
SOTTR.exe+9AEB4B1 - 4D 85 C9              - test r9,r9

The above code will give this address as result: 0x99A8C9A0. Why is this important? Well, because:

Code: Select all

SOTTR.exe+9AEB4C9 - 41 0FB7 79 0C         - movzx edi,word ptr [r9+0C]

Returns 0x19 in EDI. In decimal, that is 25. Guess what, that's the maximum amount.

So then:

Code: Select all

SOTTR.exe+9AEB4D5 - 48 8B 8E A8030000     - mov rcx,[rsi+000003A8]
SOTTR.exe+9AEB4DC - 4C 89 F2              - mov rdx,r14
SOTTR.exe+9AEB4DF - 48 83 C1 28           - add rcx,28
SOTTR.exe+9AEB4E3 - E8 A822B6F6           - call SOTTR.exe+64D790 // we know this flow already; gets the arrows amount address
..
SOTTR.exe+9AEB4F1 - 0FB7 08               - movzx ecx,word ptr [rax] // return current amount
SOTTR.exe+9AEB4F4 - 66 39 F9              - cmp cx,di // ecx = 0xF; edi = 0x19
SOTTR.exe+9AEB4F7 - 66 0F42 CF            - cmovb cx,di // store in cx the greater of the two
..
SOTTR.exe+9AEB503 - 0FB7 D1               - movzx edx,cx
SOTTR.exe+9AEB506 - 74 0E                 - je SOTTR.exe+9AEB516
SOTTR.exe+9AEB508 - 0FB7 C3               - movzx eax,bx // ebx here holds the calculated amount (0xF - 0x1 == 0xE)
SOTTR.exe+9AEB50B - 39 D0                 - cmp eax,edx // compare 0xE with 0x19
SOTTR.exe+9AEB50D - 76 07                 - jna SOTTR.exe+9AEB516
..
SOTTR.exe+9AEB516 - 48 8B 8E A8030000     - mov rcx,[rsi+000003A8]
SOTTR.exe+9AEB51D - 4C 89 F2              - mov rdx,r14
SOTTR.exe+9AEB520 - 48 83 C1 28           - add rcx,28
SOTTR.exe+9AEB524 - E8 6722B6F6           - call SOTTR.exe+64D790 // fetch address again
SOTTR.exe+9AEB529 - 66 3B 18              - cmp bx,[rax] // check current amount (0xF) with the one the code earlier stored in bx
SOTTR.exe+9AEB52C - 0F84 2F020000         - je SOTTR.exe+9AEB761 // if equal, skip; else...
..
SOTTR.exe+9AEB552 - 48 8B 8E A8030000     - mov rcx,[rsi+000003A8]
SOTTR.exe+9AEB559 - 4C 89 F2              - mov rdx,r14
SOTTR.exe+9AEB55C - 48 83 C1 28           - add rcx,28
SOTTR.exe+9AEB560 - E8 2B22B6F6           - call SOTTR.exe+64D790 // fetch address again
SOTTR.exe+9AEB565 - 66 89 18              - mov [rax],bx // store calculated amount

And that's the parkour

BR,
Sun

[SunBeam]

Oh, and if you go one more step out of the function I started the tracing with, you'll see this:



That string right there is a nice dead giveaway

BR,
Sun

[ErraticEngineer]

I know it defeats the purpose of the difficulty, but with what feels like a third of the skills relating to health regen and survival instincts, do you think it's possible to add them to the table that you regen and survival instincts is available again? There's an achievement for shooting animals in their weakspots, but you can't see them on Deadly Obsession. I know that's part of the point, and I'm enjoying the game by having to be more perceptive myself, but I don't want to change difficulties to get achievements.

Thank you for your time and effort.

-- Lana

[SunBeam]

Some more analysis:

Code: Select all

SOTTR.exe+9E79740 - 48 B8 00000000FFFFFFFF - mov rax,FFFFFFFF00000000 { 0 } <-- break while ECX == 0x9E
SOTTR.exe+9E7974A - 49 89 D2              - mov r10,rdx
SOTTR.exe+9E7974D - 48 85 C8              - test rax,rcx
SOTTR.exe+9E79750 - 74 65                 - je SOTTR.exe+9E797B7
SOTTR.exe+9E79752 - 48 85 C9              - test rcx,rcx
SOTTR.exe+9E79755 - 74 60                 - je SOTTR.exe+9E797B7
SOTTR.exe+9E79757 - 81 F9 204E0000        - cmp ecx,00004E20 { 20000 }
SOTTR.exe+9E7975D - 73 58                 - jae SOTTR.exe+9E797B7
SOTTR.exe+9E7975F - 89 C8                 - mov eax,ecx // get it here
SOTTR.exe+9E79761 - 4C 8D 1D 98FB0EF9     - lea r11,[SOTTR.exe+2F69300] { [B32DE780] } <-- here
SOTTR.exe+9E79768 - 4C 8D 04 C0           - lea r8,[rax+rax*8] // 0x9E+0x9E*8
SOTTR.exe+9E7976C - 49 C1 E0 05           - shl r8,05 // times 5
SOTTR.exe+9E79770 - 4B 39 8C 18 90010000  - cmp [r8+r11+00000190],rcx
SOTTR.exe+9E79778 - 75 3D                 - jne SOTTR.exe+9E797B7
SOTTR.exe+9E7977A - 8B 15 2C3F7AF7        - mov edx,[SOTTR.exe+161D6AC] { [0000001B] } // offset set here
SOTTR.exe+9E79780 - 43 39 94 18 50010000  - cmp [r8+r11+00000150],edx
SOTTR.exe+9E79788 - 76 0E                 - jna SOTTR.exe+9E79798
SOTTR.exe+9E7978A - 4B 8B 84 18 58010000  - mov rax,[r8+r11+00000158] // read base
SOTTR.exe+9E79792 - 4C 8B 0C D0           - mov r9,[rax+rdx*8] // get pointer via offset
SOTTR.exe+9E79796 - EB 03                 - jmp SOTTR.exe+9E7979B
SOTTR.exe+9E79798 - 45 31 C9              - xor r9d,r9d
SOTTR.exe+9E7979B - 4D 85 C9              - test r9,r9
SOTTR.exe+9E7979E - 74 17                 - je SOTTR.exe+9E797B7
SOTTR.exe+9E797A0 - 4B 8B 84 18 58010000  - mov rax,[r8+r11+00000158] // similarly here
SOTTR.exe+9E797A8 - 48 89 D1              - mov rcx,rdx
SOTTR.exe+9E797AB - 4C 89 D2              - mov rdx,r10
SOTTR.exe+9E797AE - 48 8B 0C C8           - mov rcx,[rax+rcx*8] <-- gets 000000009A5B9840 (WeaponComponent)
SOTTR.exe+9E797B2 - E9 990486F6           - jmp SOTTR.exe+6D9C50
SOTTR.exe+9E797B7 - 4C 89 D0              - mov rax,r10
SOTTR.exe+9E797BA - C3                    - ret 

when firing with bow and normal arrows (right-click, left-click):

SOTTR.exe+9E7E1D1 - 48 89 DA              - mov rdx,rbx <-- 00000000B06A9FF0
SOTTR.exe+9E7E1D4 - 48 89 F9              - mov rcx,rdi <-- 000000009A5B9840
SOTTR.exe+9E7E1D7 - E8 142D84F6           - call SOTTR.exe+6C0EF0

SOTTR.exe+9D58FD0 - 48 89 5C 24 18        - mov [rsp+18],rbx
SOTTR.exe+9D58FD5 - 56                    - push rsi
SOTTR.exe+9D58FD6 - 57                    - push rdi
SOTTR.exe+9D58FD7 - 41 54                 - push r12
SOTTR.exe+9D58FD9 - 41 55                 - push r13
SOTTR.exe+9D58FDB - 41 57                 - push r15
SOTTR.exe+9D58FDD - 48 81 EC 80000000     - sub rsp,00000080 { 128 }
SOTTR.exe+9D58FE4 - 31 DB                 - xor ebx,ebx
SOTTR.exe+9D58FE6 - 49 89 D5              - mov r13,rdx
SOTTR.exe+9D58FE9 - 41 89 DF              - mov r15d,ebx
SOTTR.exe+9D58FEC - 48 89 CF              - mov rdi,rcx <-- 000000009A5B9840
SOTTR.exe+9D58FEF - E8 1C2797F6           - call SOTTR.exe+6CB710 <-- gets 00000000A9123400 (InventoryComponent)
SOTTR.exe+9D58FF4 - 48 8B 8F 30030000     - mov rcx,[rdi+00000330]
...
SOTTR.exe+9D59219 - C3                    - ret 

SOTTR.exe+9D59187 - 48 89 F9              - mov rcx,rdi <-- 000000009A5B9840 (WeaponComponent)
SOTTR.exe+9D5918A - E8 F18996F6           - call SOTTR.exe+6C1B80

SOTTR.exe+9D5B79F - 89 C8                 - mov eax,ecx
SOTTR.exe+9D5B7A1 - 48 8D 34 C0           - lea rsi,[rax+rax*8]
SOTTR.exe+9D5B7A5 - 48 C1 E6 05           - shl rsi,05 { 5 }
SOTTR.exe+9D5B7A9 - 48 01 D6              - add rsi,rdx
SOTTR.exe+9D5B7AC - 48 89 74 24 60        - mov [rsp+60],rsi
SOTTR.exe+9D5B7B1 - 48 39 8E 10010000     - cmp [rsi+00000110],rcx
SOTTR.exe+9D5B7B8 - 74 0A                 - je SOTTR.exe+9D5B7C4
SOTTR.exe+9D5B7BA - 4C 89 FE              - mov rsi,r15
SOTTR.exe+9D5B7BD - 4C 89 7C 24 60        - mov [rsp+60],r15
SOTTR.exe+9D5B7C2 - EB 20                 - jmp SOTTR.exe+9D5B7E4
SOTTR.exe+9D5B7C4 - 8B 86 C8000000        - mov eax,[rsi+000000C8]
SOTTR.exe+9D5B7CA - C1 E8 05              - shr eax,05 { 5 }
SOTTR.exe+9D5B7CD - A8 01                 - test al,01 { 1 }
SOTTR.exe+9D5B7CF - 74 13                 - je SOTTR.exe+9D5B7E4
SOTTR.exe+9D5B7D1 - 48 8B 0D 48D07FF9     - mov rcx,[SOTTR.exe+3558820] { [95B83B90] }
SOTTR.exe+9D5B7D8 - 48 8D 15 693631F7     - lea rdx,[SOTTR.exe+106EE48] { ["OnPlayerWeaponFire"] }

SOTTR.exe+9D5BCEB - 4C 89 F1              - mov rcx,r14
SOTTR.exe+9D5BCEE - E8 1DFA96F6           - call SOTTR.exe+6CB710 <-- gets 00000000A9123400 (InventoryComponent)

SOTTR.exe+9D5BD03 - 45 0FBF 86 98050000   - movsx r8d,word ptr [r14+00000598] // 0
SOTTR.exe+9D5BD0B - 48 8D 54 24 48        - lea rdx,[rsp+48] // buffer
SOTTR.exe+9D5BD10 - 45 8B 8E 6C050000     - mov r9d,[r14+0000056C] // 0
SOTTR.exe+9D5BD17 - 4C 89 F1              - mov rcx,r14 <-- 000000009A5B9840 (WeaponComponent)
SOTTR.exe+9D5BD1A - E8 D1FF96F6           - call SOTTR.exe+6CBCF0 <-- gets ammo_id --> 0x8863BA99

SOTTR.exe+9D5BD2A - 48 8B 85 98FFFFFF     - mov rax,[rbp-00000068] <-- 00000000A9123400 (InventoryComponent)
SOTTR.exe+9D5BD31 - 48 8D 48 18           - lea rcx,[rax+18] <-- +0x18
..
SOTTR.exe+9D5BD4B - 45 31 C9              - xor r9d,r9d
SOTTR.exe+9D5BD4E - 48 8D 54 24 48        - lea rdx,[rsp+48] // buffer from earlier with ammo_id
SOTTR.exe+9D5BD53 - 41 89 D8              - mov r8d,ebx // 1
SOTTR.exe+9D5BD56 - 48 89 C1              - mov rcx,rax // 00000000A9123400 (InventoryComponent)
SOTTR.exe+9D5BD59 - E8 423494F6           - call SOTTR.exe+69F1A0 <-- fire weapon with ammo_id (with 1 as decrement in r8d)

And timers (for quick-action or whatever is called). Pressing E 1000x times..

Code: Select all

SOTTR.exe+3EDBC0 - 48 89 4C 24 08        - mov [rsp+08],rcx <-- requires filtering to identify E scripted action
SOTTR.exe+3EDBC5 - 55                    - push rbp
SOTTR.exe+3EDBC6 - 56                    - push rsi
SOTTR.exe+3EDBC7 - 57                    - push rdi
SOTTR.exe+3EDBC8 - 41 55                 - push r13
SOTTR.exe+3EDBCA - 48 8B EC              - mov rbp,rsp
SOTTR.exe+3EDBCD - 48 83 EC 58           - sub rsp,58 { 88 }
SOTTR.exe+3EDBD1 - 48 8B 41 20           - mov rax,[rcx+20] <-- ScriptExec (00000000AA3AE5F0); rax == 00000000B55D63B0
..
SOTTR.exe+3EDBD8 - 48 8B 78 08           - mov rdi,[rax+08] <-- rdi == 00000000BACB5FA0
SOTTR.exe+3EDBDC - 48 8B 47 08           - mov rax,[rdi+08] <-- rax == 000000009DB2AA40
SOTTR.exe+3EDBE0 - 4C 8B 47 30           - mov r8,[rdi+30] <-- r8 == 00000000B0BF12E0
..
SOTTR.exe+3EDBEC - 48 8B 50 18           - mov rdx,[rax+18] <-- rdx == 00000000B508DEC0

rdx + C = timer (as float)

SOTTR.exe+3EDBFD - 80 78 31 00           - cmp byte ptr [rax+31],00 { 0 } <-- what if we change this to 1
SOTTR.exe+3EDC01 - 0F85 15200000         - jne SOTTR.exe+3EFC1C

[SunBeam]

And the formula for Skill Points retrieval is this:

Code: Select all

SOTTR.exe+9F503AC - 48 8B 05 BD336BF9     - mov rax,[SOTTR.exe+3603770] { [B3A75000] }
..
SOTTR.exe+B8C84BC - 48 8B 88 48040000     - mov rcx,[rax+00000448]
..
SOTTR.exe+B8C84D1 - 31 D2                 - xor edx,edx
SOTTR.exe+B8C84D3 - 48 89 C8              - mov rax,rcx
SOTTR.exe+B8C84D6 - 48 F7 35 F306C9F7     - div [SOTTR.exe+3558BD0] { [00000011] }
SOTTR.exe+B8C84DD - 48 8B 05 D406C9F7     - mov rax,[SOTTR.exe+3558BB8] { [8055E1B0] }
SOTTR.exe+B8C84E4 - 48 8B 04 D0           - mov rax,[rax+rdx*8]
..
SOTTR.exe+B8C850B - 48 8B 58 10           - mov rbx,[rax+10]
..
SOTTR.exe+B8B356E - 48 8B 80 38110100     - mov rax,[rax+00011138]

Feed that to a thread or convert it to Lua and you get your Skill Points pointer See below





BR,
Sun

[finalevil151]

I dunno if you take requests, but would it be possible to have a 'unlock outfits' script? My game is bugged where the manko's tunic won't unlock for me.

[SunBeam]

Most requests I've seen like this one come from people who fuck up their game using various tables/trainers/mods from here and there, then coming to the forums and whining their shit is broken. Is this here the case? Be honest.

[finalevil151]

Most requests I've seen like this one come from people who fuck up their game using various tables/trainers/mods from here and there, then coming to the forums and whining their shit is broken. Is this here the case? Be honest.

Surprisingly no, havent bothered with a cheat engine this first run. Digging through steam discussions it seems like the last piece of equipment received seems to not register for a lot of people.

As an addendum, would it be possible to do a 'unlock all artifacts' script? This game release is far buggier than I thought.