@FransBouma
Last active March 28, 2016 16:48
AC Syndicate Timestop addresses

Timestop is done by writing a '1' at an address location. This is shown in this picture: .

After writing a 1, press ESC to stop the engine. Cameras still work, the game clock however has stopped.

Below are the addresses which write and read from this address.

Writing

ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+D0C6D - C6 87 FB020000 01     - mov byte ptr [rdi+000002FB],01 { 1 }
...
ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+C7488 - C6 87 F8020000 01     - mov byte ptr [rdi+000002F8],01 { 1 }
...
ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+D4F30 - 44 88 BF FB020000     - mov [rdi+000002FB],r15l

Reading

ACS.G4_GetBP+24D600 - 80 B8 F8020000 00     - cmp byte ptr [rax+000002F8],00 { 0 }
...
ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+D4E67 - 44 38 BF F9020000     - cmp [rdi+000002F9],r15l
...
ACS.G4_GetBP+221B7E - 80 B8 F8020000 00     - cmp byte ptr [rax+000002F8],00 { 0 }
...
ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+D4F1F - 44 38 BF FB020000     - cmp [rdi+000002FB],r15l
...
ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+D4F37 - 44 38 BF F8020000     - cmp [rdi+000002F8],r15l
...
ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+CCC06 - 80 B9 FA020000 00     - cmp byte ptr [rcx+000002FA],00 { 0 }
...
ACS.WriteData+E10749 - 80 B8 F8020000 00     - cmp byte ptr [rax+000002F8],00 { 0 }
...
ACS.scimitar::GraphicLibFacade::~GraphicLibFacade+3338D7 - 0FB6 80 F8020000      - movzx eax,byte ptr [rax+000002F8]

Pointers and addresses

Examining the code at the read addresses revealed that the read takes place at: cmp byte ptr [rax+000002F8],00. rax is loaded by:

ACS.G4_GetBP+24D5F4 - 48 8B 05 19141F05     - mov rax,[ACS.exe+70C2A08] { [144] }

The address stored at the location ACS.exe+70C2A08 is the start of the data buffer. Add 0x2F8 to that, and you'll have the address of the timestop!

(edit).

Info added 28-mar-2016

The flag mentioned above is for the menu not appearing. It doesn't stop the engine's clock. To stop the engine clock, we have to do something else, which is mentioned below.

At ACS.WriteData+EB1B76, the value at an address is compared with 0. That address is reachable through the double pointer read: [[ACS.exe+7151690]+98]+8A8. Writing a 1 there will stop everything. Writing a 0 there makes everything continue.

Stopping everything also means: camera handling. However, our previous flag makes the cameras move again if it's set.

So the complete cheat table becomes:

[ENABLE]
[ACS.exe+70C2A08]+2F8:
db 01
[[ACS.exe+7151690]+98]+8A8:
db 01
[DISABLE]
[ACS.exe+70C2A08]+2F8:
db 0
[[ACS.exe+7151690]+98]+8A8:
db 0

This will stop everything except cameras, with a single button press!
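
How the two bracketed addresses in the table resolve, as an added example that is not part of the original gist: each `[x]` reads the 8-byte pointer stored at `x`, numbers are hex, and a null link aborts the walk instead of yielding an address computed from 0. The module base and pointer values are constructed stand-ins for a live process, and `resolve`, `read_qword`, `MODULES` and `MEMORY` are hypothetical names.

```python
import re

TOKEN = re.compile(r"\[|\]|\+|[^\[\]+\s]+")

def resolve(expr, modules, read_qword):
    """Turn e.g. '[[ACS.exe+7151690]+98]+8A8' into the final address."""
    tokens, pos = TOKEN.findall(expr), 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of %r" % expr)
        tok = tokens[pos]
        pos += 1
        if tok == "[":                      # dereference: read pointer at inner address
            addr = total()
            if pos >= len(tokens) or tokens[pos] != "]":
                raise ValueError("unbalanced brackets in %r" % expr)
            pos += 1
            ptr = read_qword(addr)
            if ptr == 0:                    # link in the chain is not populated
                raise LookupError("null pointer at %#x" % addr)
            return ptr
        if tok in modules:                  # module name -> its load address
            return modules[tok]
        return int(tok, 16)                 # bare numbers are hexadecimal

    def total():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "+":
            pos += 1
            value += term()
        return value

    result = total()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result

# Constructed sample data: the module base and pointer values are made up.
MODULES = {"ACS.exe": 0x140000000}
MEMORY = {
    MODULES["ACS.exe"] + 0x70C2A08: 0x20000000,
    MODULES["ACS.exe"] + 0x7151690: 0x30000000,
    0x30000000 + 0x98: 0x40000000,
}

def read_qword(addr):
    return MEMORY.get(addr, 0)              # unmapped memory reads as 0 in this model
```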
