Created
April 2, 2016 15:49
-
-
Save FransBouma/dcc9ea45bc232169b94dff6ef5d76db0 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <CheatTable CheatEngineTableVersion="19"> | |
| <CheatEntries> | |
| <CheatEntry> | |
| <ID>2</ID> | |
| <Description>"Enable this first, then use NUMPAD 0 to toggle timestop"</Description> | |
| <LastState/> | |
| <VariableType>Auto Assembler Script</VariableType> | |
| <AssemblerScript>[ENABLE] | |
| //--------- | |
| // Scans for 2 address offsets and 2 indexes used as offsets from the address offsets | |
| // All scans are constants free, so they should be patch resistant (like Ubisoft patches their games!) | |
| // Made for AC Syndicate v1.5 or higher, but might also work on Unity or other AC builds (x64 only!)(but not tested). | |
| // | |
| // If you use it on other AC games, be sure to change the ACU.exe name to the exe name you're using, in the code below. | |
| // | |
| // By Otis / Infuse Project | |
| //--------- | |
| // Menu system data structures AOB scan. | |
| // Scan for: | |
| // 40 53 - push rbx | |
| // 48 83 EC ?? - sub rsp,20 { 32 } | |
| // 48 8B D9 - mov rbx,rcx | |
| // E8 ???????? - call 1418950C0 | |
| // 48 8B 0D ???????? - mov rcx,[1470C2A08] { [240] } <<< Offset we need | |
| // 48 85 C9 - test rcx,rcx | |
| // 74 ?? - je 1418A81B6 | |
| // E8 ???????? - call 141853E10 | |
| // 48 8B 0D ???????? - mov rcx,[1470C2A08] { [240] } <<< Same offset again. | |
| // | |
| // This offset gives us the pointer to the menu system data structures. We'll set the byte on an index to 1 to make | |
| // the menu render system think it's enabled. This will enable the camera when the complete engine is frozen in the second scan. | |
| aobscanmodule(MenuSystemEnable_AOB, ACU.exe, 40534883EC??488BD9E8????????488B0D????????4885C974??E8????????488B0D????????) | |
| label(MenuSystemEnable) | |
| registersymbol(MenuSystemEnable) | |
| MenuSystemEnable_AOB: | |
| MenuSystemEnable: | |
| // Engine control data structures AOB scan | |
| // scan for | |
| // 48 89 B4 24 ???????? - mov [rsp+00000080],rsi | |
| // 48 8B 35 ???????? - mov rsi,[147151690] { [03CB5D90] } << Offset we need | |
| // 4C 89 74 24 ?? - mov [rsp+68],r14 | |
| // 4C 89 7C 24 ?? - mov [rsp+60],r15 | |
| // 45 33 FF - xor r15d,r15d | |
| // 44 89 BC 24 ???????? - mov [rsp+000000B0],r15d | |
| // 48 85 F6 - test rsi,rsi | |
| // | |
| // This offset gives us the pointer to the engine control data structures. As it's a pointer to a pointer, we need two indices | |
| // to use it: [[address+offset1]+offset2]== byte for engine tick on/off. Setting it to 1 freezes the entire system, enabling the | |
| // flag in the first scan again will enable the camera system. | |
| aobscanmodule(EngineControlEnable_AOB, ACU.exe, 4889B424????????488B35????????4C897424??4C897C24??4533FF4489BC24????????4885F6) | |
| label(EngineControlEnable) | |
| registersymbol(EngineControlEnable) | |
| EngineControlEnable_AOB: | |
| EngineControlEnable: | |
| // Menu system enable/disable flag offset AOB scan. | |
| // scan for: | |
| // 48 8D 4A ?? - lea rcx,[rdx+18] | |
| // E8 ???????? - call 1401C0FE0 | |
| // C6 87 ???????? 01 - mov byte ptr [rdi+000002F8],01 { 1 } << Offset we need | |
| // E8 ???????? - call 141AB1D20 | |
| // 48 8B C8 - mov rcx,rax | |
| // E8 ???????? - call 14020AAE0 | |
| // 48 8B 87 ???????? - mov rax,[rdi+00000358] | |
| // 0F57 C9 - xorps xmm1,xmm1 | |
| aobscanmodule(MenuSystemEnableFlagOffset_AOB, ACU.exe, 488D4A??E8????????C687????????01E8????????488BC8E8????????488B87????????0F57C9) | |
| label(MenuSystemEnableFlagOffset) | |
| registersymbol(MenuSystemEnableFlagOffset) | |
| MenuSystemEnableFlagOffset_AOB: | |
| MenuSystemEnableFlagOffset: | |
| // Engine control ticker on/off switch offset 1 AOB scan | |
| // scan for | |
| // 4C 89 74 24 ?? - mov [rsp+68],r14 | |
| // 4C 89 7C 24 ?? - mov [rsp+60],r15 | |
| // 45 33 FF - xor r15d,r15d | |
| // 44 89 BC 24 ???????? - mov [rsp+000000B0],r15d | |
| // 48 85 F6 - test rsi,rsi | |
| // 74 ?? - je 1417A9CCF | |
| // 48 8B B6 ???????? - mov rsi,[rsi+00000098] << Offset we need | |
| // EB ?? - jmp 1417A9CD2 | |
| aobscanmodule(EngineTickerEnableFlagOffset1_AOB, ACU.exe, 4C897424??4C897C24??4533FF4489BC24????????4885F674??488BB6????????EB??) | |
| label(EngineTickerEnableFlagOffset1) | |
| registersymbol(EngineTickerEnableFlagOffset1) | |
| EngineTickerEnableFlagOffset1_AOB: | |
| EngineTickerEnableFlagOffset1: | |
| // Engine control ticker on/off switch offset 2 AOB scan | |
| // scan for | |
| // 4C 8B F0 - mov r14,rax | |
| // 48 85 F6 - test rsi,rsi | |
| // 0F84 ???????? - je 1417AA189 | |
| // 48 8B CE - mov rcx,rsi | |
| // E8 ???????? - call 141AB2980 | |
| // 84 C0 - test al,al | |
| // 0F85 ???????? - jne 1417AA189 | |
| // 44 39 BE ???????? - cmp [rsi+000008A8],r15d << Offset we need | |
| // 7E ?? - jle 1417A9D09 | |
| aobscanmodule(EngineTickerEnableFlagOffset2_AOB, ACU.exe, 4C8BF04885F60F84????????488BCEE8????????84C00F85????????4439BE????????7E??) | |
| label(EngineTickerEnableFlagOffset2) | |
| registersymbol(EngineTickerEnableFlagOffset2) | |
| EngineTickerEnableFlagOffset2_AOB: | |
| EngineTickerEnableFlagOffset2: | |
| [DISABLE] | |
| unregistersymbol(MenuSystemEnable) | |
| unregistersymbol(EngineControlEnable) | |
| unregistersymbol(MenuSystemEnableFlagOffset) | |
| unregistersymbol(EngineTickerEnableFlagOffset1) | |
| unregistersymbol(EngineTickerEnableFlagOffset2) | |
| </AssemblerScript> | |
| <CheatEntries> | |
| <CheatEntry> | |
| <ID>3</ID> | |
| <Description>"StopTime. NUMPAD0 enable/disable."</Description> | |
| <LastState/> | |
| <VariableType>Auto Assembler Script</VariableType> | |
| <AssemblerScript>[ENABLE] | |
| globalalloc(PerformTimeStopThread, 128) | |
| createthread(PerformTimeStopThread) | |
| //---------------------------------------------------- | |
| // Declarations | |
| // Global code labels | |
| label(CalculateRealAddress) | |
| // Local code labels | |
| label(_isPositive) | |
| label(_waitForDisable) | |
| // Data labels | |
| label(pMenuSystemData) | |
| registersymbol(pMenuSystemData) | |
| label(pEngineControlData) | |
| registersymbol(pEngineControlData) | |
| label(pStopFlag) | |
| registersymbol(pStopFlag) | |
| label(pThreadEnded) | |
| registersymbol(pThreadEnded) | |
| label(dwMenuSystemDataFlagOffset) | |
| registersymbol(dwMenuSystemDataFlagOffset) | |
| label(dwEngineTickerEnableFlagOffset1) | |
| registersymbol(dwEngineTickerEnableFlagOffset1) | |
| label(dwEngineTickerEnableFlagOffset2) | |
| registersymbol(dwEngineTickerEnableFlagOffset2) | |
| //---------------------------------------------------- | |
| // Code | |
| PerformTimeStopThread: | |
| push rsi | |
| push rdi | |
| push eax | |
| push rbx | |
| // calculate the absolute addresses based on the found offsets in the AOB blocks | |
| mov rsi, MenuSystemEnable+0 | |
| mov rax, 11 // offset in AOB block for DWord to read | |
| mov rbx, pMenuSystemData | |
| call CalculateRealAddress | |
| mov rsi, EngineControlEnable+0 | |
| mov rax, B // offset in AOB block for DWord to read | |
| mov rbx, pEngineControlData | |
| call CalculateRealAddress | |
| // obtain offsets for flag bytes within the datablocks found. | |
| mov rsi, MenuSystemEnableFlagOffset+0 | |
| add rsi, B // offset in AOB block for DWord to read | |
| mov eax, [rsi] | |
| mov [dwMenuSystemDataFlagOffset], eax | |
| mov rsi, EngineTickerEnableFlagOffset1+0 | |
| add rsi, 1D // offset in AOB block for DWord to read | |
| mov eax, [rsi] | |
| mov [dwEngineTickerEnableFlagOffset1], eax | |
| mov rsi, EngineTickerEnableFlagOffset2+0 | |
| add rsi, 1F // offset in AOB block for DWord to read | |
| mov eax, [rsi] | |
| mov [dwEngineTickerEnableFlagOffset2], eax | |
| // switch off engine ticker | |
| mov rdi, [pEngineControlData] | |
| mov eax, [dwEngineTickerEnableFlagOffset1] | |
| mov rdi, [rdi+eax] | |
| mov eax, [dwEngineTickerEnableFlagOffset2] | |
| mov byte ptr [rdi+eax], 01 | |
| // switch on menu camera system | |
| mov rdi, [pMenuSystemData] | |
| mov eax, [dwMenuSystemDataFlagOffset] | |
| mov byte ptr [rdi+eax], 01 | |
| // wait for disable using a sleep loop. | |
| push rcx | |
| _waitForDisable: | |
| mov rcx, #200 // x64, so pass # of milliseconds in rcx. | |
| call Sleep | |
| cmp byte [pStopFlag], 01 | |
| jne _waitForDisable | |
| // disable invoked, end it! | |
| pop rcx | |
| // reset flags to 0 | |
| // switch off menu camera system | |
| mov rdi, [pMenuSystemData] | |
| mov eax, [dwMenuSystemDataFlagOffset] | |
| mov byte ptr [rdi+eax], 0 | |
| // switch on engine ticker | |
| mov rdi, [pEngineControlData] | |
| mov eax, [dwEngineTickerEnableFlagOffset1] | |
| mov rdi, [rdi+eax] | |
| mov eax, [dwEngineTickerEnableFlagOffset2] | |
| mov byte ptr [rdi+eax], 0 | |
| // signal we ended a glorious death | |
| mov rbx, pThreadEnded | |
| mov byte ptr [rbx], 1 | |
| pop rbx | |
| pop eax | |
| pop rdi | |
| pop rsi | |
| ret | |
| // Calculates the real address for a RIP relative offset obtained from an offset in an AOB scanned block | |
| // Needed for x64 absolute address calculations based on RIP relative offset operands. | |
| // in: | |
| // - rsi: Source of AOB scanned block | |
| // - eax: offset in AOB block for dword to read | |
| // - rbx: address of label to write the calculated pointer to. Used in disable. | |
| // | |
| // out: | |
| // - rdi: address of start of block to index into. | |
| CalculateRealAddress: | |
| push ecx | |
| xor rdi, rdi | |
| add rsi, eax // rsi now points to DWord to read | |
| cmp dword [rsi], 80000000 // test if the most significant bit is set | |
| jb short _isPositive | |
| mov rdi, ffffffff00000000 // it's set so sign extend | |
| _isPositive: | |
| mov ecx, [rsi] // clear the upper bits of rcx leaving the unsigned value at [rsi+eax] in rcx | |
| add rdi, ecx | |
| add rsi, edi | |
| add rsi, 4 // offset to dword already added to rsi. add 4 as we read a dword, this is now the offset after the Dword in the AOB scanned block | |
| mov rdi, [rsi] | |
| mov [rbx], rdi // store address for later use | |
| pop ecx | |
| ret | |
| //---------------------------------------------------- | |
| // Local data variables | |
| pMenuSystemData: | |
| dq 0 | |
| pEngineControlData: | |
| dq 0 | |
| pStopFlag: | |
| db 0 | |
| pThreadEnded: | |
| db 0 | |
| dwMenuSystemDataFlagOffset: | |
| dd 0 | |
| dwEngineTickerEnableFlagOffset1: | |
| dd 0 | |
| dwEngineTickerEnableFlagOffset2: | |
| dd 0 | |
| [DISABLE] | |
| pStopFlag: | |
| db 1 | |
| unregistersymbol(pEngineControlData) | |
| unregistersymbol(pMenuSystemData) | |
| unregistersymbol(pStopFlag) | |
| unregistersymbol(pThreadEnded) | |
| unregistersymbol(dwMenuSystemDataFlagOffset) | |
| unregistersymbol(dwEngineTickerEnableFlagOffset1) | |
| unregistersymbol(dwEngineTickerEnableFlagOffset2) | |
| </AssemblerScript> | |
| <Hotkeys> | |
| <Hotkey> | |
| <Action>Toggle Activation</Action> | |
| <Keys> | |
| <Key>96</Key> | |
| </Keys> | |
| <ID>0</ID> | |
| </Hotkey> | |
| </Hotkeys> | |
| </CheatEntry> | |
| </CheatEntries> | |
| </CheatEntry> | |
| </CheatEntries> | |
| <UserdefinedSymbols> | |
| <SymbolEntry> | |
| <Name>Toggler</Name> | |
| <Address>08D80500</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>pRefill</Name> | |
| <Address>02713B80</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>pRefil1</Name> | |
| <Address>019E8A1C</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dwRefillPlayerHealth</Name> | |
| <Address>019DA330</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>SetForTeleport</Name> | |
| <Address>17AD00AA</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>MarkerAddress</Name> | |
| <Address>015F99B0</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>XYZAddress</Name> | |
| <Address>0047A109</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>GetPlayerCoordinatesHook</Name> | |
| <Address>0AC50059</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>PlayerCoordsPtr</Name> | |
| <Address>0AC500FE</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>SetForObjectTeleport</Name> | |
| <Address>0AC50116</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>SetForTargetTeleport</Name> | |
| <Address>0AC5011A</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>TargetCoordinateX</Name> | |
| <Address>0AC50102</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>TargetCoordinateY</Name> | |
| <Address>0AC50106</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>TargetCoordinateZ</Name> | |
| <Address>0AC5010A</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>MapCoordinateX</Name> | |
| <Address>0AC5010E</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>MapCoordinateY</Name> | |
| <Address>0AC50112</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>luainit</Name> | |
| <Address>08730000</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>LuaFunctionCall</Name> | |
| <Address>08730080</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>luaserverinitialized</Name> | |
| <Address>08730100</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>luaservername</Name> | |
| <Address>08730110</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>FreeRunningJump</Name> | |
| <Address>140EF6A00</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>ResetConflict</Name> | |
| <Address>140EF6DB0</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>DecreaseNotoriety</Name> | |
| <Address>140EF6170</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>IncreaseNotoriety</Name> | |
| <Address>140EF69E0</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>UnfogMap</Name> | |
| <Address>140EF7720</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>UnlockAllWorldUpgrades</Name> | |
| <Address>140EF77E0</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>SetMaxAssassinRank</Name> | |
| <Address>140EF6EA0</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>UnlockAllCompanionRewards</Name> | |
| <Address>140EF7760</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>ShowGearStatModifier</Name> | |
| <Address>140EF6F30</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>CycleForwardSkillsTreePreset</Name> | |
| <Address>140EF6080</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>CycleBackwardSkillsTreePreset</Name> | |
| <Address>140EF5FD0</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>ShowSkillsTreePreset</Name> | |
| <Address>140EF7020</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>TeleportLanternNearPlayer</Name> | |
| <Address>140EF7410</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>EnableAssassinCollisionWithTriggerZones</Name> | |
| <Address>140EF7420</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>UnlockAndGainAllWorldUpgrades</Name> | |
| <Address>140EF78A0</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>ToggleFullProgressTrackerUnlock</Name> | |
| <Address>140EF7680</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>LockAllWorldUpgrades</Name> | |
| <Address>140EF6A20</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>TriggerMissionFailure</Name> | |
| <Address>140EF6380</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>TogglePlayerVisibility</Name> | |
| <Address>141024D10</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>pContext</Name> | |
| <Address>13FFF0818</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>MyFunc</Name> | |
| <Address>14AF30510</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dwVal</Name> | |
| <Address>14AF30890</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqVoltaicBombs</Name> | |
| <Address>14AF30818</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqSmokeBombs</Name> | |
| <Address>14AF30820</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqThrowingKnives</Name> | |
| <Address>14AF30828</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqMedicine</Name> | |
| <Address>14AF30830</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqHallucinogenicDarts</Name> | |
| <Address>14AF30838</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqBullets</Name> | |
| <Address>14AF30840</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqFearBombs</Name> | |
| <Address>14AF30848</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqSpikes</Name> | |
| <Address>14AF30850</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqLeather</Name> | |
| <Address>14AF30858</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqIron</Name> | |
| <Address>14AF30860</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqThread</Name> | |
| <Address>14AF30868</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqChemicals</Name> | |
| <Address>14AF30870</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>dqMoney</Name> | |
| <Address>14AF30810</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>TogglePlayerVanish</Name> | |
| <Address>1400285BA</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>timestop</Name> | |
| <Address>16A10000</Address> | |
| </SymbolEntry> | |
| <SymbolEntry> | |
| <Name>PerformTimeStopThread</Name> | |
| <Address>07480000</Address> | |
| </SymbolEntry> | |
| </UserdefinedSymbols> | |
| </CheatTable> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment