Cheat Engine

[mouser]

Hi, I'm having a brainfreeze again, I have this instruction:

[++METHOS]

[mouser]

Hi Methos, I double checked and have to make some corrections, it's only one function that writes the value to this spot, not two. And the area where the address is located, where the value is written to, isn't very turbulent at all, I still lose the address after restarting my computer. Probably not important I think.

I'm 99% certain it's the correct address (not sure about the sub routine...I checked for changed/unchanged with bytes and going in and out of the menu with the esc button that's how I found it), at the moment I always set a breakpint on access on the function that writes to it (the function has a stable AOB so I always have it at hand) and so I retrieve this address. I set a hotkey for it that puts "1" into it and now I have my timestop (I reverse the timestop by pressing esc)

It's not really a very userfriendly way of having always to retrieve the address like that though, everytime starting up the game.

I don't know why CE is crashing when I try to AOB the address directly, I have tried this 3 times, it always freezes CE.

I know that you are usually talking on a higher level of knowledge when it comes to these things so i'm not sure how helpful my own research and answers seem to you here but I put up a screencap of the tracer (break and trace on the function writing the value). You can see when rdi receives the value for the first time down in the chain. It's at the load effective address function highlighted in the screenshot.

Is that in any way useful for finding another spot or do I have to go further back to the address that is loaded into rdi at that place? (I believe rdi and edi are part of the same register? Do I need to learn registers better ?)

I hope I'm making sense here with my limited knowledge about the english language?

[++METHOS]

The address at your targeted instruction should be static: [mgsvtpp.exe+2B99C78]

You should be able to add that address to your cheat table and use it every time.

If it's not static and is changing on startup, for whatever reason, then you can try injection. We will need to look at why the target is crashing when you inject at that location. Is it an online game or a game that is likely to have memory integrity checks?

[mouser]

The game is MGS V the singleplayer of it, I'm disconeccting from the internet while doing this so there shouldn't be anything disrupting it. There are some dll modules I don't know what they do so maybe there are some integrity checks going on...but I think I know what went wrong, it's my own fault again. When cheat engine was crashing for the first time it eat up all my hdd space (I have only a few gigs left on my SSD) I just now managed to figure that out and I guess this is why it was crashing all the time, I freed up the space... have not yet dared to try again to aob that spot. But I did a check and restarted my comp 5 times now having the address in the list, as you said, it seems stable now.

I keep an eye on it and if it changes again I will go and try something else.
I've also tried full injection at that spot:

it's something like:

[++METHOS]

Injection should be easy. If there is an integrity check, you can work around that, too, usually.

[mouser]

On a somehwat related problem, I can freeze the game now but I lose camera control via mouse/controller.

I can still move the camera by changing the xyz values for it... would it be possible to reactivate the cameracontrols for mouse /controller and still keep the game frozen?

(Maybe that's better suited for another thread?)

[cooleko]

You would just create a new thread and call the camera move function independently in that thread while the game was paused. If the game doesnt render the screen while paused, you would have more problems though.

[mouser]

Do I get to the camera function by simply backtracing the cameras position? Is the camera base address this function or is it further back/somewhere else completely? (or am I missunderstanding something, never tried this?)

[cooleko]

Find what accesses the camera's address. See if instruction accesses anything else, if not, then it is solely for setting the camera. Trace the function call to the return, see what calls it. See what is pushed or added to stack before function call, now you can trace the full function and call it when you want by setting it up properly, maybe.

[mouser]

This is a screenshot of the end of the function that writes the camera coordinates.

I highlighted the last call that was made. But this is not the call you are talking about, right?

Would the call be at the very beginning (at the bottom of that screenshot) or can it be somewhere in between or even inside another call?

[++METHOS]

You may be over-complicating things. Sometimes, it's a simple bool that prohibits such things...but not always.

[mouser]

You're probably right, I'm just very curious about how this would be done and I usually need more than the concept of it to really understand it... it's a slow fight for me

Anyway, when I try to look for booleans using changed/unchanged with bytes only the I can widdle down the nearly 5 billion results to around 2200. From there it's a trial & error of crashes over crashes though, I'm not sure I have the patience to check them all under these circumstances. I'll definitely try some more but I already gave it good amount of hours.

[++METHOS]

Keep in mind that if the time-stop value that you are manipulating controls everything, globally, then it may not be possible. For example, slowing down game speed to a halt won't allow you to move your character, but changing the character's coordinates will still allow you to teleport to a different location. In this case, the frames are probably managed, so everything is affected. Not all games are like this, however.

[cooleko]

The trace you uploaded did not find the return, so you didnt find the function call that handles it

The return will be the last line of the current function call, when you trace to it, and double click the next line after the return, it takes you to the line below the function call in memory viewer (usually). If the instruction you traced accesses other stuff, you might be tracing the wrong calls unless you set a breakpoint with conditions (break only on your value, and then trace after the break).

Once you find it, just go up one line, NOP the call, see if you broke the camera, if so, you are very close!