Shadow of the Tomb Raider +18+1 (table Update12)

[SunBeam]

Alright; we'll see what we can do. Origins had a similar issue with one of the scrolls, thus no one could get 100% completion

How to use this cheat table?

1. Install Cheat Engine
2. Double-click the .CT file in order to open it.
3. Click the PC icon in Cheat Engine in order to select the game process.
4. Keep the list.
5. Activate the trainer options by checking boxes or setting values from 0 to 1

[finalevil151]

Alright; we'll see what we can do. Origins had a similar issue with one of the scrolls, thus no one could get 100% completion

Thank you. This cheat table is coming along great btw, I plan on using it for the second runthrough.

[dirtydanisreal]

Can't wait to see what you cook up Sunbeam. Great find on the engine parameters, you could theoretically assign bonuses from other outfits to another outfit.

these could be potentially usefull

Code: Select all

InventoryComponent::RPC_GiveAmmo
InventoryComponent::RPC_GiveItem
InventoryComponent::RPC_LoadItem

found some more as well

Code: Select all

InventoryComponent::InitFromLevelData
InventoryComponent::InitFromCharacterProfileData
InventoryComponent::InitFromSavegame

[SunBeam]

Here's another contribution: Unlimited Survival Instinct. Kept on bugging me I can't freakin' use it while running around for more than X seconds. Well, used x64dbg, looked for string references and found this:



The function itself is here:



Gets triggered only on disabling (pressing Q a second time) or starting to walk/run (via W key). So what I did was to set a breakpoint at its prologue and get out of it when triggered (Ctrl+G > [rsp]). Which landed me here:



Then I noticed that there's a timer that gets set from 0 to some value (different than 0) at offset 0x34. Then there's a byte at offset 0x30 that, from testing, controls enabling of Q key (on a multiple press); you probably noticed there's a cooldown timer not allowing you to press Q immediately. From testing, this delay is 3.0f (so, 3 seconds). And so on.. So I started playing around with the code below the JB.

Code: Select all

SOTTR.exe+9EB9D83 - 72 10                 - jb SOTTR.exe+9EB9D95 // [1]
SOTTR.exe+9EB9D85 - 45 31 C0              - xor r8d,r8d
SOTTR.exe+9EB9D88 - 48 89 F2              - mov rdx,rsi
SOTTR.exe+9EB9D8B - 48 89 F9              - mov rcx,rdi
SOTTR.exe+9EB9D8E - E8 6D0880F6           - call SOTTR.exe+6BA600
SOTTR.exe+9EB9D93 - EB 11                 - jmp SOTTR.exe+9EB9DA6
SOTTR.exe+9EB9D95 - 83 F9 01              - cmp ecx,01
SOTTR.exe+9EB9D98 - 75 0C                 - jne SOTTR.exe+9EB9DA6 // [2]
SOTTR.exe+9EB9D9A - 84 C0                 - test al,al
SOTTR.exe+9EB9D9C - 74 08                 - je SOTTR.exe+9EB9DA6 // [3]
SOTTR.exe+9EB9D9E - 48 89 F9              - mov rcx,rdi
SOTTR.exe+9EB9DA1 - E8 0AC984F6           - call SOTTR.exe+7066B0
SOTTR.exe+9EB9DA6 - E8 E5ED09F7           - call SOTTR.exe+F58B90

If I set that JB at [1] to JMP, then it doesn't turn off when you start running. Problem is there's a certain radius in which the objects are highlighted; so, as I move, the GUI doesn't update any *NEW* found objects as I transition. So I continued tracing, reaching [2]. If you check the above, [2] and [3] land on the same function, SOTTR.exe+9EB9DA6. Considering the JB from earlier was set to JMP, either of the two would land there and no update happens So.. there can be only one explanation to why there's no updating: call SOTTR.exe+7066B0 needs to be run. So what I did next was to NOP [3].

So there you go - - Unlimited Survival Instinct:

Code: Select all

SOTTR.exe+9EB9D83 - EB 10                 - jmp SOTTR.exe+9EB9D95
..
SOTTR.exe+9EB9D9C - 90                    - nop 
SOTTR.exe+9EB9D9D - 90                    - nop

You can turn it off by pressing Q again Turned it from "engine auto-forced off" to "at user disposal"

If you want to disable other crap while this is active, dig inside that big function I posted: you can disable the gray-like overlay making the orange look more visible; the background humming sound; etc. I'll post more when I play with it, for now should suffice as is.

L.E.#1: Found that right inside the function with OnSurvivalInstinctActivated:



Default value is 1.5f. Change that to a high value and watch it not deactivate when you start running around No need for the two patches above if you plan on using this one; else: a) either patch the 2 spots I mentioned above; b) hook the location above and make it so timer's always set to a high value on enable (update timer to your value in [RAX+0x16A4] first; then let original code run).

L.E.#2: The cooldown/deactivation timer (3.0f or 3 seconds) is in the same structure as the above one, though the offset is 0x2164

L.E.#3: Some more explanations and patching:

1) this block is in charge with enabling the markers (main objective, secondary objective(s)):

Code: Select all

SOTTR.exe+6BDC50 - 80 BF F6000000 00     - cmp byte ptr [rdi+000000F6],00
SOTTR.exe+6BDC57 - 74 1C                 - je SOTTR.exe+6BDC75
SOTTR.exe+6BDC59 - 48 8B 57 08           - mov rdx,[rdi+08]
SOTTR.exe+6BDC5D - 48 8B CF              - mov rcx,rdi
SOTTR.exe+6BDC60 - E8 4BC8FFFF           - call SOTTR.exe+6BA4B0
SOTTR.exe+6BDC65 - 84 C0                 - test al,al
SOTTR.exe+6BDC67 - 75 0C                 - jne SOTTR.exe+6BDC75
SOTTR.exe+6BDC69 - 48 8B 0D A03ED500     - mov rcx,[SOTTR.exe+1411B10] { [94B974A0] }
SOTTR.exe+6BDC70 - E8 FB673200           - call SOTTR.exe+9E4470

If you don't want them visible, patch the JE to JMP @ SOTTR.exe+6BDC57.

2) this block will enable the gray overlay and the background sound along with it:

Code: Select all

SOTTR.exe+6BDC77 - 38 9F F4000000        - cmp [rdi+000000F4],bl
SOTTR.exe+6BDC7D - 75 24                 - jne SOTTR.exe+6BDCA3
SOTTR.exe+6BDC7F - 4C 8B 47 08           - mov r8,[rdi+08]
SOTTR.exe+6BDC83 - 48 8D 15 96109B00     - lea rdx,[SOTTR.exe+106ED20] { ["evVisionEffectsFadeIn"] }
SOTTR.exe+6BDC8A - 48 8B 0D 0751F402     - mov rcx,[SOTTR.exe+3602D98] { [88BD28F0] }
SOTTR.exe+6BDC91 - 45 33 C9              - xor r9d,r9d
SOTTR.exe+6BDC94 - 48 89 5C 24 28        - mov [rsp+28],rbx
SOTTR.exe+6BDC99 - 48 89 5C 24 20        - mov [rsp+20],rbx
SOTTR.exe+6BDC9E - E8 AD752000           - call SOTTR.exe+8C5250

Want no gray overlay and background heartbeat sounds? Patch the JNE @ SOTTR.exe+6BDC7D to a JMP

BR,
Sun

[Cielos]

[...]

great findings so far, as always~
didn't do much cheating on the game myself. just finished a quick job, and going back to playing the game.

included your Unlimited Survival Instinct to my table (using the first approach), until you release your table (if ever?) as I'm going to use that myself.
also, as you've been tracking this already, how about removing the red/orange outline on the enemies when you're executing a take down with Survival Instinct activated?

EDIT:
went into some problem with the first approach, I can't reactivate the survival instinct if I deactivate it during moving. it's using your second approach now.

[SunBeam]

^ Sure, head inside 2nd call within SOTTR.exe+8C5250 (the function responsible for enabling the gray overlay, triggering the background drums sound and outlines) All I can say for now, haven't dug in too much Yeah, sure, add it in. I'd prefer the hook version:

Code: Select all

[ENABLE]

aobscanmodule( UnlimitedSurvivalInstinct, SOTTR.exe, F30F10B0????????F30F1177??488B05????????0FB750??B8FFFF0000 )
registersymbol( UnlimitedSurvivalInstinct )
label( UnlimitedSurvivalInstinct_o )
registersymbol( UnlimitedSurvivalInstinct_o )
alloc( UnlimitedSurvivalInstinctHook, 0x1000, SOTTR.exe )

UnlimitedSurvivalInstinctHook:
movss xmm6,[fSurvivalInstinctCooldown]
movss [rax+2164],xmm6
movss xmm6,[fSurvivalInstinctTimer]
movss [rax+16A4],xmm6
jmp UnlimitedSurvivalInstinct+8
// yeah, copied the original here
// no need to execute this, as we set xmm6 above
UnlimitedSurvivalInstinctHook_o:
readmem( UnlimitedSurvivalInstinct, 8 )

fSurvivalInstinctTimer: // default = 1.5f
dd (float)3600 // 60*60 = 1h; doubt you'll keep this active for more than 1h

fSurvivalInstinctCooldown: // default = 3.0f
dd (float)0 // think with this turned to 0 you can re-enable right away

//SOTTR.exe+6BDBBE - F30F10B0A4160000 - movss xmm6,[rax+16A4]
UnlimitedSurvivalInstinctHook:
jmp UnlimitedSurvivalInstinctHook

[DISABLE]

UnlimitedSurvivalInstinctHook:
readmem( UnlimitedSurvivalInstinct_o, 8 )

dealloc( UnlimitedSurvivalInstinctHook )
unregistersymbol( UnlimitedSurvivalInstinct_o )
unregistersymbol( UnlimitedSurvivalInstinct )

Typed it in Notepad++ without testing; am at work. Fix any typos

BR,
Sun

[Cielos]

^ +2164 holds a (float)3. but the game doesn't read it when I execute Survival Instinct. I've to locate the cooldown timer from the object itself (count from 0 to 1, after activation and de-activation, SI can be executed again when it reaches 1) in order to eliminate the timer.

and stop playing while working!

[SunBeam]

The cooldown activates on/for disabling Instinct. "fSurvivalInstinctTimer" is for the duration of being enabled. I just set it on enabling 2 at the cost of 1 Am not playing, lol. FFS, I said I wrote it in Notepad++ without testing. Don't have a laptop here capable of running these ng games

[Cielos]

"I said I wrote it in Notepad++ without testing"
but that's playing~

"The cooldown activates on/for disabling Instinct."
yeah, it's supposed to be, but it didn't.

""fSurvivalInstinctTimer" is for the duration of being enabled."
this has been dealt with on a previous version of that script.
I was updating the script to include the +2164 (cooldown timer), but the game didn't read this on disabling Instinct.
oh, I just read back on my previous message.
"+2164 holds a (float)3. but the game doesn't read it when I execute Survival Instinct." was meant to say "disable"... my bad.

anyway, it's been covered to last update..

I was going to check the game's stealth process. found some boolean like "b_IsStealth", "b_IsInMud". I thought how comes it'd be that obvious, turns out they are being access on killing enemies only. may look into the stealth more later...
time to rest...

[jhemp12]

Hmm, any chance for a day/night cheat?

[SunBeam]

Here's the fixed version, as I got the chance to test it:

Code: Select all

[ENABLE]

aobscanmodule( UnlimitedSurvivalInstinct, SOTTR.exe, F30F10B0????????F30F1177??488B05????????0FB750??B8FFFF0000 )
registersymbol( UnlimitedSurvivalInstinct )
label( UnlimitedSurvivalInstinct_o )
registersymbol( UnlimitedSurvivalInstinct_o )
alloc( UnlimitedSurvivalInstinctHook, 0x1000, SOTTR.exe )

UnlimitedSurvivalInstinctHook:
movss xmm6,[fSurvivalInstinctCooldown]
movss [rax+2164],xmm6
movss xmm6,[fSurvivalInstinctTimer]
movss [rax+16A4],xmm6
jmp UnlimitedSurvivalInstinct+8
// yeah, copied the original here
// no need to execute this, as we set xmm6 above
UnlimitedSurvivalInstinct_o:
readmem( UnlimitedSurvivalInstinct, 8 )

fSurvivalInstinctTimer: // default = 1.5f
dd (float)3600 // 60*60 = 1h; doubt you'll keep this active for more than 1h

fSurvivalInstinctCooldown: // default = 3.0f
dd (float)0 // think with this turned to 0 you can re-enable right away

//SOTTR.exe+6BDBBE - F30F10B0A4160000 - movss xmm6,[rax+16A4]
UnlimitedSurvivalInstinct:
jmp UnlimitedSurvivalInstinctHook
db 90 90 90

SOTTR.exe+9EB9D9C:
db 90 90

[DISABLE]

SOTTR.exe+9EB9D9C:
db 74 08

UnlimitedSurvivalInstinct:
readmem( UnlimitedSurvivalInstinct_o, 8 )

dealloc( UnlimitedSurvivalInstinctHook )
unregistersymbol( UnlimitedSurvivalInstinct_o )
unregistersymbol( UnlimitedSurvivalInstinct )

Regarding fSurvivalInstinctCooldown: this is defined as the time it takes the game engine to clear all Survival Instinct outlines it draws on the overlay. You noticed that when you disable the feature, although the gray overlay is disabled, the colored outlines still show for a few more seconds before vanishing (being erased). Well, that's what this float represents - - that amount of time in which the "bitmaps" are cleared

And yeah, you still need the NOP on the JE to further "discover" objects by rendering their outlines as you walk around. Added it in.

BR,
Sun

[SunBeam]

Also, checked out Breath and the logic (thanks to dl748's table/pointers) is as follows:

- default value is 50.0f
- you have 10.0 seconds from the moment you dive-in till breath starts decreasing

Shit happens here:



L.E.: In the pic above the timer is actually the extra time given by a stackable upgrade (Caiman's Breath II; I think)

So, once timer depletes, this occurs:

Code: Select all

SOTTR.exe+A7AC37C - F3 0F10 0D 941284F6   - movss xmm1,[SOTTR.exe+FED618] { [1.00] }
SOTTR.exe+A7AC384 - F3 0F11 8C 24 48010000  - movss [rsp+00000148],xmm1

Further down in the calculus, I found this:

Code: Select all

SOTTR.exe+A7AC42E - 74 0A                 - je SOTTR.exe+A7AC43A
SOTTR.exe+A7AC430 - F3 0F10 1D 645BD7F8   - movss xmm3,[SOTTR.exe+3521F9C] { [0.02] } // <--
SOTTR.exe+A7AC438 - EB 08                 - jmp SOTTR.exe+A7AC442
..
SOTTR.exe+A7AC473 - 0F28 C3               - movaps xmm0,xmm3 // xmm0 == 0.02
SOTTR.exe+A7AC476 - F3 0F59 C1            - mulss xmm0,xmm1 // 0.02 * 1 == 0.02
SOTTR.exe+A7AC47A - 0F28 CF               - movaps xmm1,xmm7 // xmm1 == 50.0
SOTTR.exe+A7AC47D - F3 0F5C C8            - subss xmm1,xmm0 // xmm1 = 50.0 - 0.02

So our Breath value decreases with 0.02 till reaching 0. Several ways to Unlimited Breath: a) NOP the SUBSS; b) patch the multiplier (to 0), so 0.02 * 0 = 0; c) patch the to-be-decremented-with value to 0 (from 0.02) etc.

Your choice Here's mine:

Code: Select all

[ENABLE]

aobscanmodule( UnlimitedUnderwaterBreathing, SOTTR.exe, F30F100D????????F30F118C24????????74 )
registersymbol( UnlimitedUnderwaterBreathing )
label( UnlimitedUnderwaterBreathing_o )
registersymbol( UnlimitedUnderwaterBreathing_o )
alloc( UnlimitedUnderwaterBreathingHook, 0x1000, SOTTR.exe )

UnlimitedUnderwaterBreathingHook:
movss xmm7,[fBreath]
movss [rdi+1BD8],xmm7
movss [rdi+1C2C],xmm7
xorps xmm1,xmm1
jmp UnlimitedUnderwaterBreathing+8
UnlimitedUnderwaterBreathing_o:
readmem( UnlimitedUnderwaterBreathing, 8 )

fBreath:
dd (float)50.0

//SOTTR.exe+A7AC37C - F3 0F10 0D 941284F6   - movss xmm1,[SOTTR.exe+FED618] { [1.00] }
UnlimitedUnderwaterBreathing:
jmp UnlimitedUnderwaterBreathingHook
db 90 90 90

[DISABLE]

UnlimitedUnderwaterBreathing:
readmem( UnlimitedUnderwaterBreathing_o, 8 )

dealloc( UnlimitedUnderwaterBreathingHook )
unregistersymbol( UnlimitedUnderwaterBreathing_o )
unregistersymbol( UnlimitedUnderwaterBreathing )

BR,
Sun

[ErraticEngineer]

I'm using the latest table and I'm trying out the values and such, and while unlimited survival instincts would be nice, I have to ask if you can make sure the script also toggles the ability to use it. Playing on Deadly Obsession it's not there, but the game feels great otherwise on that difficulty.

[SunBeam]

^ Has it ever occurred to you we don't have that much time in our hands? I'm glad you're far in the game, already re-playing it; but for the rest of us, part of the working class, it's a struggle to even play the game for 1h a day. Patience, lil' grasshopper

[ErraticEngineer]

I did. That's why I posted on an asynchronous forum where people can take their time and get back to people. I didn't demand it instantly. That being said I can be patient. Deadly Obsession is available from the start, I just chose that difficulty for achievement stacking. Just the collectible hunt is dragging on because of lack of Survival Instincts.