vergilganesh Expert Cheater Reputation: 0
Joined: 01 Jul 2013 Posts: 134 Location: India
|
Posted: Thu Sep 05, 2013 9:23 am Post subject: [Tutorial] Advanced OHK for Shank 2 v1.0.0 |
|
|
I Think this is highly advanced cheat. Because i was highly tensed while write this cheat. This Cheat is for SHANK 2 V1.0.0 infinite health.
STEP 1:
First search for the Health address. Start with unknown initial value. Lose some health. Then use decreased value scan as next scan. Repeat this You will find correct value. Double click to attach into the cheat table. Right click on the address and "find what writes to this address". Note that instruction.
Just analyze this code. Note the fsubr just above the code. This is reverse substract. It just minus [ebp+a0] with another value. That another value must be the damage. Note the damage for above codes. fst [esp+28] is the damage value. Just analyze just above there is fmul [esp+b4] and fld [esp+1c]. So total damage [esp+28] = [esp+1c]*[esp+b4]. So for a perfect code for god mode just multiply the whole thing with 0.
STEP2:
If you dissect data or structures with the current code., you didnt get the correct address of the difference. There is another route to make infinite health cheat. Just Right Click on the address "Find what accesses this instruction". There is a lot of instruction but only one instruction which accesses players address only.
STEP3:
It is enough to just mov a value equals to the maximum health before the fld [esi+a0] to make a health cheat. However, this instruction doesnt execute players address only. It also accesses enemy boss health. So we are under a situation to write a code that make exception for boss.
The concept is very simple. First save the address on fld [esi+a0]. Then compare with the current address which changes health{refer image in step1}.
Code: |
1) [ENABLE]
2) alloc(newmem1,2048)
3) alloc(val,128)
4) alloc(count,12)
5) label(returnhere1)
6) label(originalcode1)
7) label(exit1)
8) label(next)
9) label(next2)
10) label(next3)
11) count:
12) dd (int)2
13) newmem1:
14) originalcode1:
15) fld dword ptr [esi+000000A0]
16) cmp [count],2
17) jne next
18) mov [val],esi
19) sub [count],1
20) jmp exit1
21) next:
22) cmp [count],1
23) jne next2
24) mov [val+4],esi
25) sub [count],1
26) jmp exit1
27) next2:
28) exit1:
29) cmp [val+8],esi
30) je returnhere1
31) cmp [val],esi
32) je returnhere1
33) cmp [val+4],esi
34) je returnhere1
35) cmp [esi+a0],(float)110
36) jle next3
37) mov [val+8],esi
38) jmp returnhere1
39) next3:
40) mov [count],2
41) jmp returnhere1
42) "Shank2.exe"+F0249:
43) jmp newmem1
44) nop
45) returnhere1:
46) alloc(newmem2,2048)
47) alloc(pas,12)
48) label(returnhere2)
49) label(originalcode2)
50) label(exit2)
51) pas:
52) dd (float)0.0
53) newmem2:
54) cmp [val],ebp
55) je originalcode2
56) cmp [val+4],ebp
57) je originalcode2
58) fld dword ptr [esp+1C]
59) mov ecx,[ebp+08]
60) jmp exit2
61) originalcode2:
62) fld dword ptr [esp+1C]
63) fmul dword ptr [pas]
64) mov ecx,[ebp+08]
65) exit2:
66) jmp returnhere2
67) "Shank2.exe"+EDCE4:
68) jmp newmem2
69) nop
70) nop
71) returnhere2:
72) [DISABLE]
73) dealloc(newmem2)
74) dealloc(val)
75) dealloc(count)
76) "Shank2.exe"+EDCE4:
77) fld dword ptr [esp+1C]
78) mov ecx,[ebp+08]
79) dealloc(newmem1)
80) "Shank2.exe"+F0249:
81) fld dword ptr [esi+000000A0]
82) //Alt: db D9 86 A0 00 00 00
|
EXPLANATION:
2. Allocating new memory for fld [esi+a0]
3. Allocating the memory for storing address
4. Allocating memory for a variable.
5. Labels
11. defining count here
12. Make [count] is int 2
13. Newmem starts here
15. Originalcode
16. comparing [count] with 2
17. jump near if not equal
18. Executes when equal- stores address of health esi to [val]
19. Decreasing [count] by 1
20. exit
21. another route
22. comparing [count] with 1
23. jump near if not equal
24. Executes when equal- stores address of health esi to [val+4](address is 4 byte value)
25. Decreases [count] by 1
26. Exit
29. Compare the stored [val+8] with players address esi
31. Compare the stored [val] with players address esi
33. Compare the stored [val+4] with players address esi
34. Jump if both are equal(if any one is correct)
35. Comparing health value [esi+a0] with maximum health of the player 110(float)
37. Store this into [val+8] If the value is greater than 110.
40. Set [count] as 2 if the value is less-- Repeating the procedure
46. Allocating memory address for the next instruction
47. Allocate a multiplier.
50. Labels
52. Set the multiplier as 0.0
53. newmem starts here
54. compare the stored address with the current one.
55. If it is equal then it is player so multiply the damage value with 0.0
56. Compare for the other address too.(One address is enough but i uses two)
58. If it is not equal then it is enemy, leave the code as it is
60. Dont forget to exit
72. Disable section starts here
73. Deallocating memories
77. Reputting Originalcodes
79. Deallocating memories
81. Reputting Originalcodes
EXECUTION
1. Stores the address in [val]
2. Decreases count
3. On 2nd Execution, Stores the same address in [val+4]
4. Decreases count
5. compares the [val] and [val+4] with esi
6. If the address doesnt change repeat this and activates the cheat while changing.
7. If the address is changed, if it is enemy stores in [val+8]
8. If the address is changed, it is player(less than 125) set count as 2. repeat with step 1.
The above image is the written code for the game.
The important one is we storing enemy boss health in [val+8] because when the health decreases and reaches below 110 he also got infinite health.
Code: |
[ENABLE]
alloc(newmem1,2048)
alloc(val,128)
alloc(count,12)
label(returnhere1)
label(originalcode1)
label(exit1)
label(next)
label(next2)
label(next3)
count:
dd (int)2
newmem1:
originalcode1:
fld dword ptr [esi+000000A0]
cmp [count],2
jne next
mov [val],esi
sub [count],1
jmp exit1
next:
cmp [count],1
jne next2
mov [val+4],esi
sub [count],1
jmp exit1
next2:
exit1:
cmp [val+8],esi
je returnhere1
cmp [val],esi
je returnhere1
cmp [val+4],esi
je returnhere1
cmp [esi+a0],(float)110
jle next3
mov [val+8],esi
jmp returnhere1
next3:
mov [count],2
jmp returnhere1
"Shank2.exe"+F0249:
jmp newmem1
nop
returnhere1:
alloc(newmem2,2048)
alloc(pas,12)
label(returnhere2)
label(originalcode2)
label(exit2)
pas:
dd (float)0.0
newmem2:
cmp [val],ebp
je originalcode2
cmp [val+4],ebp
je originalcode2
fld dword ptr [esp+1C]
mov ecx,[ebp+08]
jmp exit2
originalcode2:
fld dword ptr [esp+1C]
fmul dword ptr [pas]
mov ecx,[ebp+08]
exit2:
jmp returnhere2
"Shank2.exe"+EDCE4:
jmp newmem2
nop
nop
returnhere2:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
cmp [val],ebp
je originalcode
cmp [val+4],ebp
je originalcode
mov [ebp+a0],(float)0.0
jmp exit
originalcode:
fstp dword ptr [ebp+000000A0]
exit:
jmp returnhere
"Shank2.exe"+EDD01:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
dealloc(val)
dealloc(count)
"Shank2.exe"+EDD01:
fstp dword ptr [ebp+000000A0]
dealloc(newmem2)
"Shank2.exe"+EDCE4:
fld dword ptr [esp+1C]
mov ecx,[ebp+08]
dealloc(newmem1)
"Shank2.exe"+F0249:
fld dword ptr [esi+000000A0]
//Alt: db D9 86 A0 00 00 00
|
This is the code for One Hit Kill. Just recompare with the addresses and mov the value as 0 to [ebp+a0]
Click Here for next Part
http://forum.cheatengine.org/viewtopic.php?t=567929
|
|