RisingForce Newbie cheater Reputation: 0
Joined: 14 Dec 2010 Posts: 10
Posted: Wed Feb 29, 2012 9:39 pm Post subject: Mechwarrior 4 MP3.1, hacking question
Wep Damage
0051F237 - D8 48 54 - fmul dword ptr [eax+54]
0051F23A - D9 1B - fstp dword ptr [ebx]
Wep Range
0051F248 - 8B 48 58 - mov ecx,[eax+58]
0051F24B - 8B 54 24 14 - mov edx,[esp+14]
0051F24F - 89 4D 00 - mov [ebp+00],ecx
Heat/2
0051F252 - D9 40 3C - fld dword ptr [eax+3C]
0051F255 - DCC0 - fadd st(0),st(0)
0051F257 - D9 1A - fstp dword ptr [edx]
Recycle Times
0051F25D - 8B 48 6C - mov ecx,[eax+6C]
0051F260 - 89 0A - mov [edx],ecx
Ok, so this was surprisingly easy to find. I went in mechlab and hovered over a weapon. Then I searched by value for whatever I was trying to find the address of. For example, Weapon Damage. It gave a bunch of results. I hovered over a different weapon. Searched again with that value and I got one result. I asked cheat engine what wrote to this address. It directed me to the memory region containing fstp dword ptr [ebx]. Obviously, the previous address is not the correct address to modify the values. So, I proceeded to search upwards in memory. It was super easy to find. I checked what addresses the instruction above accessed. It turned out that whenever I hovered the mouse over a weapon, the address for the value of that weapon's damage showed up in the debugger. I repeated this process for Weapon Range, Heat (which for some reason has its values halved), and Recycle Time. The top listed instruction under each category is the instruction to check what addresses it accesses to get the addresses of the corresponding values.
*Note: Addresses for weapons of similar type are 180 hex value apart. Not sure if this is helpful or not.
My goal is to create a trainer or utility of some sort to allow the user to change the properties of weapons. This process works, when I change the values contained in those addresses I find, I can go into a mission and see the changes. It is quite neat.
The problem is when I exit the mission, the addresses for the values change. I can go back and hover over a weapon while checking what addresses the instruction accesses. This gives me the address for that value again, but it is quite annoying. I want to be able to set it once and stay that way until I close the game. End goal is to have a program with a gui to allow such changes while the game is running.
Any ideas why the address keeps changing and any advice on what I can do?
(Recycle time is super fun, longtoms with 0 recycle time haha )
Corruptor Advanced Cheater Reputation: 3
Joined: 10 Aug 2011 Posts: 82
Posted: Fri Mar 02, 2012 1:25 pm Post subject:
I would guess that the weapon structures are dynamically created every time you leave a mission. I quite don't know what could be the point of this, but hey, I don't even know that game, so maybe there's a decent reason to do so...
Well, what you would most likely have to do now is find a static multi-level pointer to those weapons. I am quite sure that eax is the start of the structure and thus the value of the first pointer to find. You may want to search for some tutorials (or do the cheat engine tutorial) to do that. What you basically have to do is find out what accesses the address, look for the value the pointer could possibly have (cheat engine does that for you if you click the "more information" button) and search for that value. Repeat that for the results until you find a static - a green - pointer.
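A small C model of what this reply describes, added here and not code from the thread or the game: a weapon record whose fields sit at the offsets the OP's disassembly reads, a table that is rebuilt when a mission ends (so raw addresses go stale), and a pointer-chain lookup from a static pointer that keeps working afterwards. The struct layout, its field names and g_weapons are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical weapon record laid out so its fields sit where the disassembly
 * reads them ([eax+3C] heat, [eax+54] damage, [eax+58] range, [eax+6C] recycle),
 * with records 0x180 bytes apart as the OP observed. Field names are assumptions. */
struct weapon {
    uint8_t  pad0[0x3C];
    float    heat_half;             /* the game doubles it: fadd st(0),st(0) */
    uint8_t  pad1[0x54 - 0x40];
    float    damage, range;
    uint8_t  pad2[0x6C - 0x5C];
    uint32_t recycle;
    uint8_t  pad3[0x180 - 0x70];
};

/* Static pointer: its own address is fixed in the image, but the table it
 * points at is freed and rebuilt every time a mission ends. */
static struct weapon *g_weapons;

void load_weapon_table(void) {
    struct weapon *fresh = calloc(4, sizeof *fresh);
    for (int i = 0; i < 4; i++) { fresh[i].damage = 10.0f * (i + 1); fresh[i].recycle = 3u + i; }
    free(g_weapons);    /* old table gone: any cached raw address is now stale */
    g_weapons = fresh;  /* allocated before the free, so it cannot alias it */
}

/* Walk [static_base] -> +offs[0] -> ... -> +offs[n-1] the way a Cheat Engine
 * pointer entry does, so the lookup survives the reallocation. */
void *resolve_chain(void *static_base, const size_t *offs, int n) {
    uint8_t *p = *(uint8_t **)static_base;
    for (int i = 0; i + 1 < n; i++) p = *(uint8_t **)(p + offs[i]);
    return p + offs[n - 1];
}

float *damage_via_chain(int idx) {          /* weapon idx: stride 0x180, field +0x54 */
    size_t offs[1] = { (size_t)idx * 0x180 + 0x54 };
    return (float *)resolve_chain(&g_weapons, offs, 1);
}

int main(void) {
    load_weapon_table();
    uintptr_t cached = (uintptr_t)damage_via_chain(2);  /* the OP's hover-trick address */
    *damage_via_chain(2) = 99.0f;
    load_weapon_table();                                /* "exit the mission" */
    printf("cached %#lx, live %#lx, damage now %.1f\n", (unsigned long)cached,
           (unsigned long)(uintptr_t)damage_via_chain(2), *damage_via_chain(2));
    return 0;
}
```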
RisingForce Newbie cheater Reputation: 0
Joined: 14 Dec 2010 Posts: 10
Posted: Mon Mar 05, 2012 3:07 pm Post subject:
Thank you very much for your response. I'll try it. But, I don't know if it will work because I think that these values might be coming from an encrypted file and are read into a dynamically created data structure each time. Maybe I am wrong. I shouldn't have assumed. We'll see.
marco1960 How do I cheat? Reputation: 0
Joined: 12 Mar 2012 Posts: 1
Posted: Mon Mar 12, 2012 5:24 pm Post subject: Mechwarrior 4 MP3.1, hacking question
Hi RisingForce
I'm trying to do the same change on Recycle time or Damage but I have some difficulties.
What search did you use, by text or by byte?
I was not able to find the right Recycle time memory region. I found the text value, but setting it to zero made no change to the weapon feature.
Do you have news about your idea to create a trainer with GUI to set all weapon parameters?
Thank you for your reply
Ciao
Marco
Fresco Grandmaster Cheater Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Tue Mar 13, 2012 9:51 am Post subject:
Quote:
Wep Damage
0051F237 - D8 48 54 - fmul dword ptr [eax+54]
0051F23A - D9 1B - fstp dword ptr [ebx]
Wep Range
0051F248 - 8B 48 58 - mov ecx,[eax+58]
0051F24B - 8B 54 24 14 - mov edx,[esp+14]
0051F24F - 89 4D 00 - mov [ebp+00],ecx
Heat/2
0051F252 - D9 40 3C - fld dword ptr [eax+3C]
0051F255 - DCC0 - fadd st(0),st(0)
0051F257 - D9 1A - fstp dword ptr [edx]
Recycle Times
0051F25D - 8B 48 6C - mov ecx,[eax+6C]
0051F260 - 89 0A - mov [edx],ecx
Wep Damage
0051F23A - D9 1B - fstp dword ptr [ebx]
auto assemble here:
create 2 labels
registersymbol - value to store
assign the 2 labels a value
pop and store fpu
store whatever you want in [ebx]
just like this:
Code:
label(value)
label(original_value)
registersymbol(value)
newmem:
//place your code here
//make the original code write original value into [original_value] not [ebx]
fstp dword ptr [original_value]
//now store your value into [ebx]; x86 has no memory-to-memory mov,
//so go through a register and preserve it (eax still holds the weapon pointer afterwards)
push eax
mov eax,[value]
mov [ebx],eax
pop eax
originalcode:
//delete this: "fstp dword ptr [ebx]"
//before [DISABLE] part write this
original_value:
db 00 00 00 00
value:
db 00 00 00 00
now in your cheat table add this address as "4 bytes" or "float", depending on what kind of address you want to store:
value
now change the value of address "value" to the value you want
... Fresco
RisingForce Newbie cheater Reputation: 0
Joined: 14 Dec 2010 Posts: 10
Posted: Thu Mar 22, 2012 10:01 pm Post subject:
Wow, that's pretty neat. I'll try this. Thank you. I guess I just needed to know more about programming in assembly. I didn't know you could do that. I have done very little in assembly. Thanks again.
RisingForce Newbie cheater Reputation: 0
Joined: 14 Dec 2010 Posts: 10
Posted: Fri Mar 23, 2012 5:52 pm Post subject:
I got confused, I don't think what you showed me Fresco solves the problem. Here is what I want to do.
For recycle time:
0051F25D - 8B 48 6C - mov ecx,[eax+6C]
This instruction lets me find the memory locations for the recycle times of each weapon. I debug here and hover over a weapon to get the corresponding memory location for its recycle time. This memory location changes when I exit a mission. However, I just repeat the process to find it again. What I would like to do is to inject code that does this algorithm for me, if it can be done. I did not know about registersymbol; that might be useful.
My idea for injection:
1. Find what memory location mov ecx,[eax+6C] last accessed.
2. Change the value of a static pointer to point to this memory location.
3. Use the pointer to change the value in that memory location.
Fresco Grandmaster Cheater Reputation: 4
Joined: 07 Nov 2010 Posts: 600
Posted: Wed Mar 28, 2012 3:52 pm Post subject:
0051F25D - 8B 48 6C - mov ecx,[eax+6C]
eax+6C is the address of whatever
so auto assemble, registersymbol addressx, add to the table addressx
in the auto assemble:
Code:
push ebx
mov ebx,[addressx]   // addressx: registered symbol holding the value you set in the table
mov [eax+6C],ebx     // overwrite the recycle time field before the original mov ecx,[eax+6C] reads it
pop ebx
every time the code above is executed, it will store the value of addressx (the one in your table) into the value of the address whatever
... Fresco
RisingForce Newbie cheater Reputation: 0
Joined: 14 Dec 2010 Posts: 10
Posted: Sat Mar 31, 2012 9:52 am Post subject:
Yeah, I figured that out. It isn't exactly what I wanted because I still have to go in and hover over the weapon then go to cheat engine and change the value. But, I'm realizing now that what I wanted to do is impossible unless I can actually find the static address of the values whether they are read in from a file or determined in a different section of memory.
Thank you very much Fresco. I appreciate the time you took to help me.