algrn912005 Expert Cheater
Reputation: 0
Joined: 12 Nov 2005 Posts: 124
Posted: Tue Mar 19, 2013 9:10 am Post subject: Have coordinate of 1 monster, need to get the others |
So, I've gotten an address with the coordinates of the monster. I can freeze its location and it will stay in place so I know it's the right address. This is a 2d game and monsters will only move left or right so only the x is needed which I found.
Problem is, there is more than 1 monster on the screen at a time that can pop up. I'm trying to currently change all the coordinates of each monster to wherever I specify but I do not know how to go about finding the rest of the coordinates of each monster with just the 1 address.
I tried to use 'find out what writes to this address' to try to find a pointer but subsequent scans with the results return nothing.
If it helps, when I browse the memory viewer with the address from 'find out what writes to this pointer' I end up with this opcode:
Code: fstp dword ptr [esi+2C]
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Tue Mar 19, 2013 10:02 am Post subject: Re: Have coordinate of 1 monster, need to get the others |
algrn912005 wrote:
So, I've gotten an address with the coordinates of the monster. I can freeze its location and it will stay in place so I know it's the right address. This is a 2d game and monsters will only move left or right so only the x is needed which I found.
Problem is, there is more than 1 monster on the screen at a time that can pop up. I'm trying to currently change all the coordinates of each monster to wherever I specify but I do not know how to go about finding the rest of the coordinates of each monster with just the 1 address.
I tried to use 'find out what writes to this address' to try to find a pointer but subsequent scans with the results return nothing.
If it helps, when I browse the memory viewer with the address from 'find out what writes to this pointer' I end up with this opcode:
Code: fstp dword ptr [esi+2C]
you can always hook that address and take note of what esi every time it's called and that should give you all the addresses of mobs. If you don't want to do any hooking, you're going to have to trace the code and reverse engineer out the structure.
TsTg Master Cheater
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Tue Mar 19, 2013 11:29 am Post subject: |
If you want to get the addresses of the monsters, right click on the fstp dword ptr [esi+2C] command then choose 'Find out what this instruction accesses', then see how esi is collected each time the command is executed(backtracking the code).
daspamer Grandmaster Cheater Supreme
Reputation: 54
Joined: 13 Sep 2011 Posts: 1588
Posted: Tue Mar 19, 2013 11:39 am Post subject: |
What is the game name, may I ask?
_________________
I'm rusty and getting older, help me re-learn lua.
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Tue Mar 19, 2013 6:39 pm Post subject: |
Only left or right? Even if that's true they still could be at different heights no? Is there no jump button in this game? No higher or lower platforms to reach? lol
In any case, as TsTg pointed out finding out what addresses that instruction accesses should reveal all the other monsters x coordinates as they pass through that instruction...
Also as dnsi0 said, the best way is to just hook it! Are you just wanting to know their positions for some reason or are you trying to make a vac hack?
If so, also find a reliable, consistent way to get your player's coordinate(s) and make that instruction change every single monster that passes through to move to your coordinate and stay there (so only get your coordinate once upon enabling, then they'll all be sucked to that position and stay there!). haha I've been doing this with 3d games recently, but the same applies for 2d games as well... I doubt there's only an X coordinate though, so you'll probably want the Y coordinate as well...
algrn912005 Expert Cheater
Reputation: 0
Joined: 12 Nov 2005 Posts: 124
Posted: Tue Mar 19, 2013 8:39 pm Post subject: |
This is actually for plants versus zombies, the zombies only move left and right and I have done "find what this instruction accesses" but I don't know how that works in getting the addresses.
I'll try hooking but since I have no knowledge or experience with hooks, it might take a while. If possible, could you point me to a thread with information on hooks?
Thanks a lot!
SteveAndrew Master Cheater
Reputation: 30
Joined: 02 Sep 2012 Posts: 323
Posted: Tue Mar 19, 2013 10:12 pm Post subject: |
algrn912005 wrote:
This is actually for plants versus zombies, the zombies only move left and right and I have done "find what this instruction accesses" but I don't know how that works in getting the addresses.
I'll try hooking but since I have no knowledge or experience with hooks, it might take a while. If possible, could you point me to a thread with information on hooks?
Thanks a lot!
Well, think about it: you found a single zombie's x coordinate, right? Then you found the instruction that accesses it (the instruction you've got writes to it; reading or writing the address is accessing it).
So by finding what addresses that instruction accesses you can verify that:
A. it only writes to zombies' x coordinates, and
B. if it only writes to zombies' coordinates, it will show you all the addresses of zombies' x coordinates that it writes to...
Have you tried selecting float from the drop down?
Anyways there is a Y coordinate too (the grass lane that they are moving down towards your house xD) and it's only +4 of the x coordinate address
However changing it makes them appear in whatever lane you put them in, but they still truly are in their proper lane, I'm still figuring out a way to make them all truly go into the same lane
But here's probably what you wanted:
Code:
//Plants Vs Zombies
//Zombie Vac
//Steve Andrew
[enable]
alloc(ZombieVac,64)
aobscan(ZombieVacAddress,83 7e 24 07 d9 5e 2c 0f 85 ? ? ? ? 83 7e)
label(ZombieVacAddy)
label(ZombieVacRet)
label(LockToThisXCoordinate)
label(LockToThisYCoordinate)
registersymbol(ZombieVacAddy)
ZombieVac:
cmp dword ptr [esi+24],7 //original instructions
fstp st(0) //original instructions
fld dword ptr [LockToThisXCoordinate]
fstp dword ptr [esi+2c]
//fld dword ptr [LockToThisYCoordinate] //I've commented out this as they only appear to be in the middle lane
//fstp dword ptr [esi+30] //but they're still in their rightful y coordinates
jmp ZombieVacRet
LockToThisXCoordinate:
dd (float)630.5 //near edge
LockToThisYCoordinate:
dd (float)250 //middle lane
ZombieVacAddress:
ZombieVacAddy:
jmp ZombieVac
db 90 90
ZombieVacRet:
[disable]
ZombieVacAddy:
cmp dword ptr [esi+24],7
fstp dword ptr [esi+2c]
dealloc(ZombieVac)
unregistersymbol(ZombieVacAddy)
EDIT: I solved it! Offset 1c is which lane of grass they are in (or should move to if they aren't), so by forcing it to 2 they will all move to the middle lane, at the game's speed, as shown in my video here: http://www.youtube.com/watch?v=RGXS3pH7JzI&feature=youtu.be
Or add 'InstantYCoordVac' to your CT after enabling and change its value to 1, and along with forcing them into lane 2 it will also instantly change their Y coordinate, so instead of seeing them move into the middle, they seem like they just appear there... lol That's with the new script here, where you can add 'InstantYCoordVac' after enabling-->
Code:
//Plants Vs Zombies
//Zombie Vac
//Steve Andrew
[enable]
alloc(ZombieVac,64)
aobscan(ZombieVacAddress,83 7e 24 07 d9 5e 2c 0f 85 ? ? ? ? 83 7e)
label(ZombieVacAddy)
label(ZombieVacRet)
label(DontScrewUpFlags)
label(LockToThisXCoordinate)
label(LockToThisYCoordinate)
label(InstantYCoordVac)
registersymbol(ZombieVacAddy)
registersymbol(InstantYCoordVac)
ZombieVac:
fstp st(0) //original instructions
fld dword ptr [LockToThisXCoordinate]
fstp dword ptr [esi+2c]
mov [esi+1c],2 //move to middle lane REALLY ;) 0-4 / 5 lanes / 2 is middle
cmp [InstantYCoordVac],1 //because I compared here
jne DontScrewUpFlags //ive gotta have the overwritten compare after
fld dword ptr [LockToThisYCoordinate]
fstp dword ptr [esi+30]
DontScrewUpFlags:
cmp dword ptr [esi+24],7 //original instructions
jmp ZombieVacRet
LockToThisXCoordinate:
dd (float)670.5 //near edge
LockToThisYCoordinate: //Only used if you want an instant Y coord vac
dd (float)250
InstantYCoordVac: //off by default
dd 0
ZombieVacAddress:
ZombieVacAddy:
jmp ZombieVac
db 90 90
ZombieVacRet:
[disable]
ZombieVacAddy:
cmp dword ptr [esi+24],7
fstp dword ptr [esi+2c]
dealloc(ZombieVac)
unregistersymbol(ZombieVacAddy)
unregistersymbol(InstantYCoordVac)
So you were kind of right, you don't need the Y coord unless you want an instant vac. Alright, well, on to the next game I guess.
With hooks the code you overwrite you usually have to replace in your own hook code...
In this case:
Code:
cmp dword ptr [esi+24],7
fstp dword ptr [esi+2c]
Code:
cmp dword ptr [esi+24],7 //original instructions
fstp st(0) //original instructions
I've kept the compare instruction how it is...
and the second one, fstp dword ptr [esi+2c] (which is the same code you found),
pops the value off the top of the floating point stack and puts it in the address pointed to by [esi+2c], which is the x coordinate address of whatever zombie happens to be walking through there... Since we don't want their proper coordinate being put into that address, we instead just pop the top of the floating point stack and discard its value,
which is what 'fstp st(0)' does...
Then we are free to load our own value into the top of the floating point stack, then pop it off into [esi+2c]...
This makes it so any zombie walking onto the screen will be stuck at whatever coordinate you want them to be stuck at!
I'm going try to figure out how to actually lock them all into one lane and one position, as I think that would be cooler
You've already got infinite seeds and instant cooldowns though right? xD
Ahh what the hell, just in case you don't!
Code:
//Plants Vs Zombies
//Instant Cooldowns
//Steve Andrew
[enable]
aobscan(InstantCooldownAddress,ff 47 ? 8b 47 ? 3b 47 ? 7e ? c7 47)
label(InstantCooldownAddy)
registersymbol(InstantCooldownAddy)
InstantCooldownAddress+9:
InstantCooldownAddy:
db 90 90
[disable]
InstantCooldownAddy:
db 7e 14
unregistersymbol(InstantCooldownAddy)
And an explanation of how it works:
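As an added example (not code from the thread, from Cheat Engine, or from the game), the following Python models three pieces of what SteveAndrew's post walks through: the wildcard byte pattern his aobscan line uses, the instruction-length accounting behind 'jmp ZombieVac / db 90 90' (the two overwritten instructions total 7 bytes, a rel32 jmp takes 5, so 2 NOPs pad the rest), and reading the fields at +1c/+24/+2c/+30 from each structure base that a hook on the fstp would have seen in esi. The "process memory", the entity values, the captured esi list and the code-cave address 0x380 are constructed stand-ins; only the byte pattern and the offsets come from the thread. It also refuses to patch when the pattern is not unique, which is the check you want before trusting any aobscan.

```python
import struct

# Byte pattern from SteveAndrew's script; '?' marks a wildcard byte
# (the jne rel32 displacement, which differs between game builds).
ZOMBIE_PATTERN = "83 7e 24 07 d9 5e 2c 0f 85 ? ? ? ? 83 7e"

# Lengths of the two instructions the hook overwrites:
#   83 7e 24 07 = cmp dword ptr [esi+24],7   (4 bytes)
#   d9 5e 2c    = fstp dword ptr [esi+2c]    (3 bytes)
STOLEN_BYTES = 4 + 3

# Struct offsets named in the thread: x, y, lane, and the field compared to 7.
X_OFF, Y_OFF, LANE_OFF, STATE_OFF = 0x2C, 0x30, 0x1C, 0x24


def parse_pattern(text):
    """'83 7e ? ..' -> list of ints, with None for wildcard bytes."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in text.split()]


def aob_scan(buf, pattern):
    """Return every offset in buf where the wildcard pattern matches."""
    pat = parse_pattern(pattern)
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pat))]


def build_jmp_hook(site, target, stolen_len):
    """Bytes that replace stolen_len bytes at site with E9 rel32 (a 5-byte
    near jmp) plus NOP padding, as 'jmp ZombieVac / db 90 90' does.
    rel32 is measured from the end of the jmp instruction itself."""
    if stolen_len < 5:
        raise ValueError("a rel32 jmp needs 5 bytes; steal more whole instructions")
    rel = target - (site + 5)
    return b"\xe9" + struct.pack("<i", rel) + b"\x90" * (stolen_len - 5)


def decode_entity(mem, base):
    """Read the fields the thread discusses from the struct at base
    (base being the esi value the hooked instruction ran with)."""
    (x,) = struct.unpack_from("<f", mem, base + X_OFF)
    (y,) = struct.unpack_from("<f", mem, base + Y_OFF)
    (lane,) = struct.unpack_from("<i", mem, base + LANE_OFF)
    (state,) = struct.unpack_from("<i", mem, base + STATE_OFF)
    return {"base": base, "x": x, "y": y, "lane": lane, "state": state}


def build_sample_memory():
    """Constructed stand-in for the process: the 15-byte code pattern at 0x100
    and three entity structs whose bases a hook would have captured in esi."""
    mem = bytearray(0x400)
    code = (bytes.fromhex("837e2407d95e2c0f85")
            + struct.pack("<i", 0x1234)   # an arbitrary jne displacement
            + bytes.fromhex("837e"))
    mem[0x100:0x100 + len(code)] = code
    bases = [0x200, 0x280, 0x300]
    fields = [(800.0, 50.0, 0), (640.0, 250.0, 2), (720.0, 450.0, 4)]  # x, y, lane
    for base, (x, y, lane) in zip(bases, fields):
        struct.pack_into("<f", mem, base + X_OFF, x)
        struct.pack_into("<f", mem, base + Y_OFF, y)
        struct.pack_into("<i", mem, base + LANE_OFF, lane)
        struct.pack_into("<i", mem, base + STATE_OFF, 7)
    return mem, bases


def analyse(mem, captured_esi, cave=0x380):
    """Locate the hook site, build the patch bytes and decode each captured
    entity. Refuses to proceed unless the pattern is unique, because an
    aobscan that matches twice would patch the wrong place."""
    hits = aob_scan(mem, ZOMBIE_PATTERN)
    if len(hits) != 1:
        raise RuntimeError(f"pattern matched {len(hits)} times, expected exactly 1")
    patch = build_jmp_hook(hits[0], cave, STOLEN_BYTES)
    entities = [decode_entity(mem, b) for b in captured_esi]
    return hits[0], patch, entities


if __name__ == "__main__":
    mem, bases = build_sample_memory()
    site, patch, entities = analyse(mem, bases)
    print(f"hook site 0x{site:x}, patch bytes {patch.hex()}")
    for e in entities:
        print(f"esi=0x{e['base']:x} x={e['x']} y={e['y']} lane={e['lane']} state={e['state']}")
```

The patch for the constructed layout is e9 7b 02 00 00 90 90: 0x380 minus (0x100 + 5) gives the displacement 0x27b, and the two trailing NOPs cover the remainder of the 7 stolen bytes so execution resumes cleanly at ZombieVacRet. The decode step is the part that 'find out what this instruction accesses' automates inside Cheat Engine: every distinct esi is one structure, and the same offsets apply to each.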
TsTg Master Cheater
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Wed Mar 20, 2013 1:18 am Post subject: |
Nice work, Steve
algrn912005 Expert Cheater
Reputation: 0
Joined: 12 Nov 2005 Posts: 124
Posted: Wed Mar 20, 2013 5:38 am Post subject: |
Wow, thanks a lot Steve! Very detailed. I'll have to scrutinize this further to understand it completely but it's been very helpful. I've been out of the memory hacking scene for a while and I've just been getting back into it so it'll take some time for me to relearn it all. Have some rep btw for such a helpful post.
foxfire9 Advanced Cheater
Reputation: 0
Joined: 23 Mar 2012 Posts: 57
Posted: Wed Mar 20, 2013 11:37 pm Post subject: |
Nice