Cheat Engine The Official Site of Cheat Engine
Poll: How many of you have h0zed a NFS-MW save game, in the name of haxX0ring?
- Frequently - 33% [ 1 ]
- A few, but not many... - 0% [ 0 ]
- This one time... At Band Camp... - 0% [ 0 ]
- What's an NFS-MW save game? - 0% [ 0 ]
- Do you have wall hakus!? I NEED WALLLLL HCKUSSS - 66% [ 2 ]
Total Votes : 3
|
Author |
Message |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Fri Dec 23, 2005 1:42 pm Post subject: |
|
|
cparty wrote: | Zhoul wrote: | Sadly, VB is usually so assuming, that |
thanks for info, I already saw you can assign a string to an integer/long without a problem. Better though to use the conversion functions you gave in the post above  |
Absolutely - Because, what if there is no value at some point? (no text value).
Val("") or Val(test.Text) (if test.Text had no value) will return 0.
But,
dblValue = test.Text
If test.Text had no value, this would throw an error. A type mismatch error to be exact.
If test.Text DID have a value - and dblValue was not defined before using it, dblValue would 'turn itself into' a string... and that's not what we want either...
That's also a reason to define all variables before using them. If you use them without definition, they will 'become' whatever the first thing is, that tries to use it. You could accidentally use string data, when you meant to use its "Number value" instead... if not defined first.
P.s. I modified the last 2 posts.. If you read them once, read them again if you have any questions first
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Fri Dec 23, 2005 6:01 pm Post subject: |
|
|
Want to jump to the safe house when being chased? NOP the following code and "Jump to Safe House" is never removed from the menu system. *warning* unsure what other effects this might cause
code :0052b9ea - a0 d8 d3 91 00 - mov ax,[0091d3d8]
Bytes Before: E9 8C 08 00 00
Bytes Of: A0 D8 D3 91 00
Bytes After: 84 C0
Search String: E9 8C 08 00 00 A0 D8 D3 91 00 84 C0
This is in read only memory, so make sure you're scanning read only when searching for the search string.
Also, found how to turn our cop lights on, but I have no 'codes' yet to pick out only the player... So even civ cars have blinking lights (albeit, not flashy cop lights).
*Edit* - Also, cops seem to get mad at you, when you got cop lights on. I found a float value near by that is 1 usually - and each cop that adds, it takes about 0.2 away. I found that having my own cop lights on sets this value already to 0.8 (as if I had a cop on me already) - but it doesn't change the 'being chased' status.. only makes cops immediately mad at you no matter what, if they spot you.
*EDIT 2* - New find.
Ghetto Jump Auto-Assemble Script:
- Go to Disassembler view
- Click "Tools" then "Auto Assemble"
- Copy/paste in the following code
Code: |
[ENABLE]
009386EC:
add [eax],al
inc eax
inc ecx
[DISABLE]
009386EC:
add [eax],al
inc eax
inc ecx
|
- Click "Assign to current cheat table"
- Assign it a hot-key or use in trainer.
*Note* - This is *not* the right way to use auto-assemble to accomplish this task. As stated, it's a ghetto way.
What it's doing is writing 4 bytes, that = 12 in float form... The 'code' above that it's writing isn't really code that will be run. It's code that = 12 in float form. It does it when enabled, and when disabled.
This could also easily be done, if you were to write 12 (in float form) to address 009386EC. This is just a 'weird' example of how you can use auto-assemble.
With the Trainer...
Write4Bytes &H9386EC, &H41400000
The first &H is the address.
The second &H is what 12, in float form, is.
 |
JONG Expert Cheater
Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Sat Dec 24, 2005 7:31 am Post subject: |
|
|
Hi Zhoul, your VB code let my VB trainer make so easy, very thanks you and cparty help.
A new question (yes, I always have question ):
May you to give me an example like NFS:MW of money's pointer ? maybe its can let me to make another pointer like cars of pointer.
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 8:17 am Post subject: |
|
|
JONG wrote: | May you to give me an example like NFS:MW of money's pointer ? maybe its can let me to make another pointer like cars of pointer. |
-----------------------------------------------------------------
First: I define master pointers and pointer groups at the General Declarations area (top of code). The following, defines 10 master pointers (which we only use 1 with NFS), and 2 pointer groups lngPG1 and lngPG2. We only use 1 pointer group for NFS, so far (because everything seems to be a certain offset away from [master pointer] + 10).
This is just the definition of the variables, not the setting yet... Basically saying "Here's the pieces of paper we're going to work with, but we have not written anything on the paper yet." Also: If they are not defined in general declarations, and were defined in another sub, other functions/subs could not use them, so that's why they're *here*.
Code: |
'---- Master Pointer(s) ----
'Most games just have 1
'Filled with data by LoadPointerGroups
Dim lngMasterPointer(1 To 10) As Long
'---- Pointer Groups ----
'Later filled with data by LoadPointerGroups
' Player Attributes 1 (Money/Ranking)
Dim lngPG1(1 To 1) As Long
' Not used yet
Dim lngPG2(1 To 3) As Long
|
-----------------------------------------------------------------
-----------------------------------------------------------------
Next, we have a function called "LoadPointerGroups", which is executed upon Form_Load. The first/top part, loads the master pointers 1-10, with the text on frmSettings text boxes, then fills the individual pointer groups with their data. Again only 1 group to worry about really, which is lngPG1(). The groups are arrays themselves. Back when we defined them, we defined how long each would be. Pointer group 1, is 1 in length.
Code: |
Private Sub LoadPointerGroups()
    Dim i As Long
    'Master Pointers - From Settings Form
    For i = 0 To 9
        'An empty Tag is stored as 00000000 so the hex conversion below cannot fail
        If (frmSettings.txtVal(i).Tag = "") Then
            frmSettings.txtVal(i).Tag = "00000000"
        End If
        lngMasterPointer(i + 1) = CLng("&H" & frmSettings.txtVal(i).Tag)
    Next i
    'Pointer Groups
    '- Money +B4 / Ranking +B0
    '- Car List (First Car = &H4A0 Last Car = +H13AC (but a lot of mem isn't used)).
    ' +4A0 to +66C = Set of normal cars
    ' +680 to +A54 = AI/Other cars
    ' +A68 to +B80 = Player owned Car(s)
    ' +B94 to +13AC = Never Used? - Not accessed by default from what I can tell.
    lngPG1(1) = &H10
    '- Nothing Yet
    lngPG2(1) = &H0
    lngPG2(2) = &H0
    lngPG2(3) = &H0
End Sub
|
For your purposes, you could simply do this...
Code: |
Private Sub LoadPointerGroups()
lngMasterPointer(1) = &HXXXXXXXX
lngPG1(1) = &H10
End Sub
|
Just replace XXXXXXXX with whatever your master pointer is.
Also, Remember to call LoadPointerGroups from the Form_Load section of code, so these variables are written to when the program launches. You can easily get to Form_Load, by double-clicking on the form itself, in Visual Basic.
To call it, simply add a line like so...
Code: |
Private Sub Form_Load()
LoadPointerGroups
End Sub
|
-----------------------------------------------------------------
-----------------------------------------------------------------
The last step is making a sub that will resolve pointer paths... I created the following function and put it in the code, of my frmMain (main form where most the calculations take place).
Code: |
Public Function GetPointer(lngPtrBase As Long, lngPtrOffsetList As Variant) As Long
On Error GoTo EH
Dim lngCurPtrOffset As Long
Dim i As Variant
Dim intPtrOffsetListCount As Integer
lngCurPtrOffset = Read4Bytes(lngPtrBase, CLng(4&))
If (lngCurPtrOffset = 0) Then
CloseHandle (ProcessHandle)
ProcessHandle = 0
GamePID
If (ProcessHandle = 0) Then
Exit Function
End If
End If
'Simply return the pointer, if lngPtrOffsetList is Null
If (IsNull(lngPtrOffsetList)) Then
GetPointer = lngCurPtrOffset
Exit Function
End If
For Each i In lngPtrOffsetList
lngCurPtrOffset = Read4Bytes(lngCurPtrOffset + i, 4&)
Next i
GetPointer = lngCurPtrOffset
Exit Function
EH:
MsgBox "An error occured while in the GetPointer function." & vbNewLine & "Error Number: " & Err.Number & vbNewLine & "Error Description: " & Err.Description
Resume Next
End Function
|
-----------------------------------------------------------------
-----------------------------------------------------------------
Then, to use it...
This example writes 1,000,000 to player money. This is pretty easy, since player money isn't a float. It's just a 4 byte value.
Code: |
Private Sub Command1_Click()
Dim lngWOffset As Long
Dim lngWValue As Long
Dim lngRValue As Long
Dim lngROffset As Long
Dim lngTagValue As Long
Dim dblValue As Double
lngWOffset = GetPointer(lngMasterPointer(1), lngPG1)
lngWOffset = lngWOffset + &HB4
lngWValue = CLng(1000000)
Write4Bytes lngWOffset, lngWValue
End Sub
|
All the DIM's at the top of that code, are the standard dim's I copy/paste into any function that will read/write from/to memory. Notice that most aren't even used.
Look down past them.
- lngWOffset is written to, using master pointer 1, and pointer group 1 as the 'path'.
- Then, I add B4 to it, because money is +B4 away from pointer group 1.
- Then I setup lngWValue (aka Write Value) as 1,000,000. I encase that number, without comma separation, with CLng() which means "Convert to Long".
- Then use Write4Bytes lngWOffset, lngWValue
-----------------------------------------------------------------
-----------------------------------------------------------------
Now: Let's assume that the money you'd like to set, were in a text box, instead of pre-defined in code...
Code: |
Private Sub Command1_Click()
Dim lngWOffset As Long
Dim lngWValue As Long
Dim lngRValue As Long
Dim lngROffset As Long
Dim lngTagValue As Long
Dim dblValue As Double
lngWOffset = GetPointer(lngMasterPointer(1), lngPG1)
lngWOffset = lngWOffset + &HB4
lngWValue = CLng(Val(Text1.Text))
Write4Bytes lngWOffset, lngWValue
End Sub
|
The only thing changed is this line...
lngWValue = CLng(Val(Text1.Text))
-----------------------------------------------------------------
Lastly: It *can* all be done in 1 simple line of code (but you know me, I like to write it out heh).
Code: |
Private Sub Command1_Click()
Write4Bytes GetPointer(lngMasterPointer(1), lngPG1) + &HB4, Clng(1000000)
End Sub
|
or for the text box...
Code: |
Private Sub Command1_Click()
Write4Bytes GetPointer(lngMasterPointer(1), lngPG1) + &HB4, Clng(Val(Text1.Text))
End Sub
|
*NOTE* - If you are staring at your $ in game when you use this function, you won't see it change, until you navigate to the next screen, or, back one screen then forward one screen. The money *is* actually there, however, it's just that this function is not updating the graphical display.
Last edited by Zhoul on Sat Dec 24, 2005 10:32 am; edited 3 times in total |
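The pointer path that GetPointer walks in the post above, as an added example that is not part of the original post: it runs against a constructed in-memory image instead of a live process, and the FakeMemory class, the addresses and the sample values are assumptions made for illustration. It also stops on a zero link inside the chain, which the posted function only checks for on the first read.

```python
import struct


class FakeMemory:
    """Constructed sparse 32-bit address space: {region base: bytes}."""

    def __init__(self, regions):
        self.regions = regions

    def read_u32(self, addr):
        # Little-endian 4-byte read, the role Read4Bytes plays in the thread.
        for base, data in self.regions.items():
            off = addr - base
            if 0 <= off <= len(data) - 4:
                return struct.unpack_from("<I", data, off)[0]
        raise LookupError(f"unmapped read at {addr:#010x}")


def resolve(mem, base, offsets):
    """Dereference base, then dereference (pointer + offset) per offset."""
    ptr = mem.read_u32(base)
    for off in offsets:
        if ptr == 0:
            # A zero link means the object is not there; stop instead of
            # reading from an address just above 0.
            raise LookupError("null pointer in chain")
        ptr = mem.read_u32(ptr + off)
    return ptr


# --- constructed sample layout (addresses and values are made up) ---
MASTER = 0x00900000            # static address that holds the master pointer
PG1 = [0x10]                   # pointer group 1, as set in LoadPointerGroups
RANK_OFF, MONEY_OFF = 0xB0, 0xB4


def build_sample(money=50000, rank=7):
    player = bytearray(0xB8)
    struct.pack_into("<II", player, RANK_OFF, rank, money)
    return FakeMemory({
        MASTER: struct.pack("<I", 0x01000000),
        0x01000000: bytes(0x10) + struct.pack("<I", 0x02000000),
        0x02000000: bytes(player),
    })


def money_address(mem):
    # Same arithmetic as GetPointer(lngMasterPointer(1), lngPG1) + &HB4.
    return resolve(mem, MASTER, PG1) + MONEY_OFF


if __name__ == "__main__":
    mem = build_sample()
    addr = money_address(mem)
    print(f"money at {addr:#010x} = {mem.read_u32(addr)}")
```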
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 8:46 am Post subject: |
|
|
Auto-Assemble Scripts...
The first one here, combines all 5 "UnLock/unLock" codes we've come across. (for v1.3 Eng)
It...
- Shows all vehicles in purchase mode
- Takes the padlock off of ALL career cars
- Takes the padlock off *most* "My Cars"
- Takes the padlock off ALL career parts
- Unlocks ALL career special parts.
Code: |
[ENABLE]
//Open up cars to buy - Career and My Cars
0056F19F:
cmp dl, 01
jne 0056F1A6
mov al, dl
ret 0004
//unLock Career - Parts
00576678:
mov eax, 001DF7F3
nop
//unLock Career - Special Parts
007AF68C:
mov edx, 001DF7F3
nop
//unLock My Cars - Most Cars
0058A156:
mov dl, 00
nop
nop
nop
nop
//unLock Career - Cars
0058A644:
mov bl,00
nop
nop
nop
nop
[DISABLE]
//Open up cars to buy - Career/My Cars
0056F19F:
ret 0004
int 3
int 3
int 3
int 3
int 3
int 3
int 3
//unLock Career - Parts
00576678:
mov eax, [ecx+000000ac]
//unLock Career - Special Parts
007AF68C:
mov edx,[ecx+000000ac]
//unLock My Cars - Most Cars
0058A156:
mov dl,[edi+000000b0]
//unLock Career - Cars
0058A644:
mov bl,[eax+000000b0]
|
This one combines my new inf Nitro/Speedbreaker cheats. Note: The Speedbreaker cheat has been changed since last I updated and seems to work just fine.
Code: |
[ENABLE]
//Nitro Sub - NOP
00692B01:
nop
nop
nop
nop
//Speedbreaker Write
006EDE03:
fstp [esi+0000008C]
[DISABLE]
//Nitro Sub
00692B01:
fsub dword ptr [esp+2c]
//Speedbreaker Write
006EDE03:
fstp [esi+00000084]
|
The last one, combines the Auto-Point 1 and 2 code changes (the two that make it so you can point to the current car selected/driven). After enabled, it will create a pointer at 00010B70 , to the beginning of the memory block, for...
- Current car being driven.
- Or, if in 'Choose Car' mode, the current car you have selected on the screen.
Code: |
// Replaces:
// Array of Bytes (30) - 0FFD0E20 - Auto-Point - 1 - Code Cave (Orig: 000000000000000000000000000000000000000000000000 New: CCCC81FB000000017E06891D700B0100B9A8269B00C3CCCC )
// Array of Bytes (5) - 0056F2C5 - Auto-Point - 2 - Toggle On/Off (Orig: B9A8269B00 New: E8581BA60F )
[ENABLE]
0FFD0E20:
int 3
int 3
cmp ebx, 01000000
jle 0ffd0e30
mov [00010B70], ebx
mov ecx, 009B26A8
ret
int 3
int 3
0056F2C5:
call 0ffd0e22
[DISABLE]
0056F2C5:
mov ecx, 009B26A8
0FFD0E20:
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
add [eax],al
|
Last edited by Zhoul on Sat Dec 24, 2005 8:51 am; edited 1 time in total |
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
Posted: Sat Dec 24, 2005 8:49 am Post subject: |
|
|
just some info that may be useful to you:
db 00,00,00,00,00,00,00,00,00 writes an array of 9 0's
(db 00 00 00 00 00 00 00 00 also works)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 8:53 am Post subject: |
|
|
Dark Byte wrote: | just some info that may be useful to you:
db 00,00,00,00,00,00,00,00,00 writes an array of 9 0's
(db 00 00 00 00 00 00 00 00 also works) |
Might be? I was wondering how to do this
What's DB stand for? Aside from the obvious initial's usage
 |
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
|
Posted: Sat Dec 24, 2005 8:57 am Post subject: |
|
|
No idea really, there's db, dw and dd , the 2nd char means byte, word or dword, but no idea about the first d.
I guess it means dark, yup, it means dark
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 9:04 am Post subject: |
|
|
Dark Byte wrote: | No idea really, there's db, dw and dd , the 2nd char means byte, word or dword, but no idea about the first d.
I guess it means dark, yup, it means dark |
LOL
Of course, Being the g33k I am, I had to find out. It appears it may mean "Declare"... but if not... I'll settle with Dark...
http://nasm.sourceforge.net/doc/html/nasmdoc3.html wrote: |
Pseudo-instructions are things which, though not real x86 machine instructions, are used in the instruction field anyway because that's the most convenient place to put them. The current pseudo-instructions are DB, DW, DD, DQ and DT, their uninitialised counterparts RESB, RESW, RESD, RESQ and REST, the INCBIN command, the EQU command, and the TIMES prefix.
3.2.1 DB and friends: Declaring Initialised Data
DB, DW, DD, DQ and DT are used, much as in MASM, to declare initialised data in the output file. They can be invoked in a wide range of ways:
db 0x55 ; just the byte 0x55
db 0x55,0x56,0x57 ; three bytes in succession
db 'a',0x55 ; character constants are OK
db 'hello',13,10,'$' ; so are string constants
dw 0x1234 ; 0x34 0x12
dw 'a' ; 0x61 0x00 (it's just a number)
dw 'ab' ; 0x61 0x62 (character constant)
dw 'abc' ; 0x61 0x62 0x63 0x00 (string)
dd 0x12345678 ; 0x78 0x56 0x34 0x12
dd 1.234567e20 ; floating-point constant
dq 1.234567e20 ; double-precision float
dt 1.234567e20 ; extended-precision float
DQ and DT do not accept numeric constants or string constants as operands.
|
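An added example, not part of the original posts, tying the DB/DW/DD rules quoted above to the earlier "Ghetto Jump" script: it shows why the float 12 appears in a disassembler as add [eax],al / inc eax / inc ecx and why a run of zero bytes appears as repeated add [eax],al. The Python helpers db, dw, dd and the three-entry decode table are assumptions written for this illustration; they only mimic the directive behaviour described in the quote and cover just the bytes seen in this thread.

```python
import struct


def db(*values):
    """DB-style data: one byte per integer, string characters as bytes."""
    out = bytearray()
    for v in values:
        out += v.encode("latin-1") if isinstance(v, str) else bytes([v & 0xFF])
    return bytes(out)


def dw(value):
    """DW-style data: a 16-bit word, low byte first."""
    return struct.pack("<H", value)


def dd(value):
    """DD-style data: a float becomes IEEE-754 single, an int a 32-bit word."""
    if isinstance(value, float):
        return struct.pack("<f", value)
    return struct.pack("<I", value)


def float_bits(x):
    """The 32-bit pattern a trainer would pass to a 4-byte write."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


# Only the x86 encodings that occur in this thread's scripts.
TINY_DISASM = {
    b"\x00\x00": "add [eax],al",
    b"\x40": "inc eax",
    b"\x41": "inc ecx",
}


def disasm(data):
    """Decode with the tiny table above; anything else is shown as db."""
    out, i = [], 0
    while i < len(data):
        for size in (2, 1):
            chunk = data[i:i + size]
            if chunk in TINY_DISASM:
                out.append(TINY_DISASM[chunk])
                i += len(chunk)
                break
        else:
            out.append(f"db {data[i]:02x}")
            i += 1
    return out


if __name__ == "__main__":
    raw = dd(12.0)
    print(raw.hex(" "), hex(float_bits(12.0)), disasm(raw))
    print(disasm(db(*[0] * 30)))
```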
 |
JONG Expert Cheater
Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Sat Dec 24, 2005 11:07 am Post subject: |
|
|
Thanks Zhoul, that will be a great Christmas gift !
Also best wishes you have a happy Christmas and new year.
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 12:20 pm Post subject: |
|
|
Heres yer christmas present all
I dunno bout some of you, but theres this little road on the main map that branches off to the west (in the north-western area of the map) and I wondered just what was down that road. Seeing as we can't really get past it by conventional means due to the tractor and piles of rock... I decided to try out teh trainer.
I think this is the same journey that CParty and gnagna2000 took, however, this has a few more screenies to show where they went.
(pic from cparty found here, i think)
http://forum.cheatengine.org/viewtopic.php?p=29877#29877
[Screenshot: So what are you hiding Mr. Tractor-Man?]
[Screenshot: So we point out about where we'd like to land... And click Goto...]
[Screenshot: Well... We're on the right track so far....]
Last edited by Zhoul on Sat Dec 24, 2005 12:33 pm; edited 1 time in total |
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 12:24 pm Post subject: |
|
|
Continued:
[Screenshot: What happens when you release the gas so you can snap a screenshot :)]
[Screenshot: What was supposed to happen (and did happen the first time I ventured here.. I sware!)]
[Screenshot: A wall at the end of the street?]
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 12:27 pm Post subject: |
|
|
Continued: Also, v0.5.2 C is attached to this post. Still, no 'Saved Locations' support, still no cheats, but a few new features and fixes are in. Also, try resetting your calibration 'to default'. There are better defaults in this version.
(see post http://forum.cheatengine.org/viewtopic.php?p=31536#31536 for the most recent version)
[Screenshot: d0h! These people and their walls which aren't , and non-walls which are! This is... The End... (until expansion?)]
Last edited by Zhoul on Wed Dec 28, 2005 3:28 pm; edited 1 time in total |
 |
cparty Expert Cheater
Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Sat Dec 24, 2005 2:37 pm Post subject: |
|
|
nice screens Zhoul
To spoil the story for those who are going to complete the game:
On your last pursuit (with BMW after beating Razor) you have to evade the cops on heat 6 and your only chance is to take the jump over that bridge (tractor and piles of rock are gone).
Having a working encoding for the colors on the heightmap, driving all streets on the map right now, but there are plenty
Also the game crashed already
Before I leave for a few days I'm going to send Zhoul the Heightmap and some instructions. If I'm not posting anymore I wish you guys a merry xmas and a happy new year
greets
cparty
 |
Zhoul Master Cheater
Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Sat Dec 24, 2005 5:23 pm Post subject: |
|
|
cparty wrote: | To spoil the story for those who are going to complete the game: |
Wait... Spoil the story? I thought it was pretty bad already... as is...
cparty wrote: |
Before I leave for a few days I'm going to send Zhoul the Heightmap and some instructions. If I'm not posting anymore I wish you guys a merry xmas and a happy new year
greets
cparty |
Right-on bro I knew we'd face some kind of issue with the height map and 16/32 bit colors/etc, but I also knew there were probably many ways around it... It just wasn't going to be /obvious
I was about to say "Great work!" - But I guess I have to wait to see it first /grin
I too will be pretty much AFK, at least until tomorrow night sometime. My GF is offering me a 'behind the scenes pass' - and asked that I come around the back way - so you know I'm totally going to take her up on that offer. (TMI) (she knows how to get me off the computer fo' sho')
!Happy Holidays!
 |