CoSMOS Gamehacking Tool

[REQ] The Occupation
  • dipth posted on Mar 05, 2019 3:10:06 PM
    It would be nice to have a script that freezes time and maybe sets the time to a specific value.

    I've tried myself but I can't seem to make it work.

    This is as far as I've gotten, but activating the script crashes the game:

    [ENABLE]
    aobscanmodule(aobSeconds,VCRUNTIME140.dll,8B 0A 89 08 C3) //unique
    registersymbol(aobSeconds)
    label(aobSecondsRestore)
    registersymbol(aobSecondsRestore)
    alloc(codecave,2048,VCRUNTIME140.dll)
    label(code)
    label(return)

    codecave:
    mov [rdx],(int)0


    code:
    mov ecx,[rdx]
    mov [rax],ecx
    ret

    jmp return

    aobSecondsRestore:
    readmem(aobSeconds,5)


    aobSeconds:
    jmp codecave

    return:



    [DISABLE]
    aobSeconds:
    readmem(aobSecondsRestore,5)

    unregistersymbol(aobSeconds)
    unregistersymbol(aobSecondsRestore)
    dealloc(codecave)

    {
    INJECTION POINT: VCRUNTIME140.memcpy+12B / 7FF873DECAFB

    7FF873DECABB: 48 89 08 - mov [rax],rcx
    7FF873DECABE: C3 - ret
    7FF873DECABF: 0F B7 0A - movzx ecx,word ptr [rdx]
    7FF873DECAC2: 44 0F B6 42 02 - movzx r8d,byte ptr [rdx+2]
    7FF873DECAC7: 66 89 08 - mov [rax],cx
    7FF873DECACA: 44 88 40 02 - mov [rax+2],r8b
    7FF873DECACE: C3 - ret
    7FF873DECACF: 0F B6 0A - movzx ecx,byte ptr [rdx]
    7FF873DECAD2: 88 08 - mov [rax],cl
    7FF873DECAD4: C3 - ret
    7FF873DECAD5: F3 0F 6F 02 - movdqu xmm0,[rdx]
    7FF873DECAD9: F3 0F 7F 00 - movdqu [rax],xmm0
    7FF873DECADD: C3 - ret
    7FF873DECADE: 66 90 - xchg ax,ax
    7FF873DECAE0: 4C 8B 02 - mov r8,[rdx]
    7FF873DECAE3: 0F B7 4A 08 - movzx ecx,word ptr [rdx+8]
    7FF873DECAE7: 44 0F B6 4A 0A - movzx r9d,byte ptr [rdx+A]
    7FF873DECAEC: 4C 89 00 - mov [rax],r8
    7FF873DECAEF: 66 89 48 08 - mov [rax+8],cx
    7FF873DECAF3: 44 88 48 0A - mov [rax+A],r9b
    7FF873DECAF7: 49 8B CB - mov rcx,r11
    7FF873DECAFA: C3 - ret
    ---------- INJECTING HERE ----------
    7FF873DECAFB: 8B 0A - mov ecx,[rdx]
    7FF873DECAFD: 89 08 - mov [rax],ecx
    7FF873DECAFF: C3 - ret
    ---------- DONE INJECTING ----------
    7FF873DECB00: 8B 0A - mov ecx,[rdx]
    7FF873DECB02: 44 0F B6 42 04 - movzx r8d,byte ptr [rdx+4]
    7FF873DECB07: 89 08 - mov [rax],ecx
    7FF873DECB09: 44 88 40 04 - mov [rax+4],r8b
    7FF873DECB0D: C3 - ret
    7FF873DECB0E: 66 90 - xchg ax,ax
    7FF873DECB10: 8B 0A - mov ecx,[rdx]
    7FF873DECB12: 44 0F B7 42 04 - movzx r8d,word ptr [rdx+4]
    7FF873DECB17: 89 08 - mov [rax],ecx
    7FF873DECB19: 66 44 89 40 04 - mov [rax+4],r8w
    7FF873DECB1E: C3 - ret
    7FF873DECB1F: 90 - nop
    7FF873DECB20: 8B 0A - mov ecx,[rdx]
    7FF873DECB22: 44 0F B7 42 04 - movzx r8d,word ptr [rdx+4]
    7FF873DECB27: 44 0F B6 4A 06 - movzx r9d,byte ptr [rdx+6]
    7FF873DECB2C: 89 08 - mov [rax],ecx
    7FF873DECB2E: 66 44 89 40 04 - mov [rax+4],r8w
    7FF873DECB33: 44 88 48 06 - mov [rax+6],r9b
    7FF873DECB37: C3 - ret
    7FF873DECB38: 4C 8B 02 - mov r8,[rdx]

    }

  • dipth posted on Mar 05, 2019 3:14:19 PM
    FYI: If anybody else wants to give it a try, the game seems to store time as three separate int16 values for seconds, minutes and hours, where seconds is a number from 0-59, minutes is a number from 0-59 and hours is a number from 0-23.
    When seconds is 59 and the timer ticks, it rolls over to 0 and minutes is incremented etc.

    Getting the memory addresses for the three values is easy in the tutorial mission, as that one has an in-game clock with a second hand, making it trivial to search for the exact value, but the later missions only show hours and minutes, making it harder to find the memory address for the seconds.
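The scanning workflow the post describes, as an added example that is not part of the original thread and not code from the CoSMOS tool: it simulates a process memory region laid out as dipth describes (three separate little-endian int16 values for seconds, minutes and hours) and runs two scans over a series of snapshots taken one second apart. The first is the exact-value scan plus "next scan" with the minutes value the HUD shows; the second is an unknown-initial-value scan that keeps only int16 slots advancing like a 0-59 seconds counter, including the 59 -> 0 rollover, which is how the hidden seconds value can be located in missions that display only hours and minutes. The region size, the clock offsets (0x40, 0x80, 0xC0) and the two decoy values are constructed for the demonstration and are not addresses from the game.

```python
"""Narrowing scans for an in-game clock stored as three int16 values.

Added example: the memory region, offsets and decoys below are constructed
for the demonstration; nothing here is taken from the game or from CoSMOS.
"""
import struct
from typing import Dict, List, Tuple

# Constructed layout: hypothetical offsets, deliberately not adjacent.
SECONDS_OFF, MINUTES_OFF, HOURS_OFF = 0x40, 0x80, 0xC0
DECOY_STATIC_OFF, DECOY_COUNTER_OFF = 0x10, 0x20
REGION_SIZE = 256


def read_i16(snapshot: bytes, off: int) -> int:
    """Read a little-endian int16 at `off`."""
    return struct.unpack_from("<h", snapshot, off)[0]


def scan_exact(snapshot: bytes, value: int, step: int = 2) -> List[int]:
    """First scan: every step-aligned offset holding `value` as an int16."""
    return [off for off in range(0, len(snapshot) - 1, step)
            if read_i16(snapshot, off) == value]


def rescan_exact(candidates: List[int], snapshot: bytes, value: int) -> List[int]:
    """Next scan: keep only the candidates that now hold `value`."""
    return [off for off in candidates if read_i16(snapshot, off) == value]


def seconds_advanced(old: int, new: int) -> bool:
    """One tick of a 0-59 seconds counter; 59 -> 0 counts as advancing."""
    return 0 <= old <= 59 and new == (old + 1) % 60


def scan_ticking_seconds(snapshots: List[bytes], step: int = 2) -> List[int]:
    """Unknown-initial-value scan over snapshots one second apart: keep the
    offsets whose int16 advances by one second between every consecutive pair."""
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots")
    size = min(len(s) for s in snapshots)
    cands = list(range(0, size - 1, step))
    for prev, cur in zip(snapshots, snapshots[1:]):
        cands = [off for off in cands
                 if seconds_advanced(read_i16(prev, off), read_i16(cur, off))]
    return cands


def tick(sec: int, minute: int, hour: int) -> Tuple[int, int, int]:
    """Advance the clock one second with the rollover the post describes."""
    sec += 1
    if sec == 60:
        sec, minute = 0, minute + 1
        if minute == 60:
            minute, hour = 0, (hour + 1) % 24
    return sec, minute, hour


def build_region(sec: int, minute: int, hour: int, counter: int) -> bytes:
    """Constructed snapshot: the three clock values plus two decoys, a constant
    that happens to equal the starting minutes and a free-running counter."""
    region = bytearray(REGION_SIZE)
    struct.pack_into("<h", region, SECONDS_OFF, sec)
    struct.pack_into("<h", region, MINUTES_OFF, minute)
    struct.pack_into("<h", region, HOURS_OFF, hour)
    struct.pack_into("<h", region, DECOY_STATIC_OFF, 12)
    struct.pack_into("<h", region, DECOY_COUNTER_OFF, counter)
    return bytes(region)


def simulate(start: Tuple[int, int, int], ticks: int) -> List[bytes]:
    """Snapshots one second apart, starting from `start` = (sec, minute, hour)."""
    sec, minute, hour = start
    snaps = []
    for i in range(ticks + 1):
        snaps.append(build_region(sec, minute, hour, 100 + i))
        sec, minute, hour = tick(sec, minute, hour)
    return snaps


def locate_clock(snapshots: List[bytes], hud_minutes: List[int]) -> Dict[str, List[int]]:
    """Minutes via exact scans with the HUD value seen at each snapshot;
    seconds (not shown on the HUD) via the ticking scan."""
    minutes = scan_exact(snapshots[0], hud_minutes[0])
    for snap, value in zip(snapshots[1:], hud_minutes[1:]):
        minutes = rescan_exact(minutes, snap, value)
    return {"minutes": minutes, "seconds": scan_ticking_seconds(snapshots)}


if __name__ == "__main__":
    # Start at 03:12:57 so the series crosses the 59 -> 0 rollover.
    snaps = simulate((57, 12, 3), 5)
    print(locate_clock(snaps, [12, 12, 12, 13, 13, 13]))
```

The static decoy survives the first exact scan for 12 but is dropped once the HUD reads 13, and the free-running counter is rejected by the seconds scan because it leaves the 0-59 range; taking snapshots across the rollover is what lets the scan distinguish the real seconds slot from any other slowly incrementing counter.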
  • wajrak posted on Mar 13, 2019 10:49:14 AM
    Hi man,

    What I did was look for the minutes value with CoSMOS, and I found it very easily, like you said. I was unable to freeze it, so I poked around, found what was writing to that value and replaced it with code that does nothing... It honestly took a few minutes to do so.

    But to be honest I am more interested in triggering permanent stealth mode, there always seems to be enough time anyway.

    [Edited by wajrak, 3/13/2019 10:50:14 AM]