balrog_svr (How do I cheat?, Reputation: 0)
Joined: 13 Sep 2011, Posts: 2
Posted: Fri Jul 27, 2012 11:41 am
Post subject: Cheat Engine 6.2 Tutorial Step 9: Explanation by the beginner
Cheat Engine 6.2 Tutorial Step 9 actions:
1. Found the health addresses of Player 1, Player 2, Player 3 and Player 4 by scanning for the float value:
Player 1 00098FAC
Player 2 01B3007C
Player 3 01B70084
Player 4 01B88424
2. Using the "Find what writes to this address" option on Player 1, I found the memory address of Player 1:
>>004250C6 - mov [ebx+04],eax -----where EBX=00098FA8
Offset 04 is the location of the health of the player in question.
3. Now, I created and defined a new structure to get the offset of the group to which the players were assigned:
a. Browse this memory region (CTRL+B) from Player 1
b. Dissect data/structure (CTRL+D) from Tools menu
c. Adding 4 Extra Addresses (for all players) with the offsets found in step 2:
00098FAC-04
01B3007C-04
01B70084-04
01B88424-04
d. I found that offset 10 contains the group ID# to which players are assigned
Player 1 & Player 2 ====> Group ID#1
Player 3 & Player 4 ====> Group ID#2
4. Now, I find out what accesses this address for Player 1 when he is hit. The following is the result:
0042507E - D9 43 04 - fld dword ptr [ebx+04]
0042509D - D8 6B 04 - fsubr dword ptr [ebx+04]
004250C6 - 89 43 04 - mov [ebx+04],eax
004250CB - D9 43 04 - fld dword ptr [ebx+04]
00425107 - FF 73 04 - push [ebx+04]
Looking at the first access in the disassembler, I get this:
1. Tutorial-i386.exe+25076 - 0F85 CD000000 - jne Tutorial-i386.exe+25149
2. Tutorial-i386.exe+2507C - D9EE - fldz
3. Tutorial-i386.exe+2507E - D9 43 04 - fld dword ptr [ebx+04]
4. Tutorial-i386.exe+25081 - DED9 - fcompp
5. Tutorial-i386.exe+25083 - DFE0 - fnstsw ax
6. Tutorial-i386.exe+25085 - 9E - sahf
7. Tutorial-i386.exe+25086 - 75 0F - jne Tutorial-i386.exe+25097
8. Tutorial-i386.exe+25088 - A1 74145500 - mov eax,[Tutorial-i386.exe+151474]
9. Tutorial-i386.exe+2508D - E8 5E940E00 - call Tutorial-i386.exe+10E4F0
10. Tutorial-i386.exe+25092 - E9 B2000000 - jmp Tutorial-i386.exe+25149
11. Tutorial-i386.exe+25097 - 89 75 CC - mov [ebp-34],esi
12. Tutorial-i386.exe+2509A - DB 45 CC - fild dword ptr [ebp-34]
13. Tutorial-i386.exe+2509D - D8 6B 04 - fsubr dword ptr [ebx+04]
14. Tutorial-i386.exe+250A0 - D9 5D D0 - fstp dword ptr [ebp-30]
15. Tutorial-i386.exe+250A3 - D9EE - fldz
16. Tutorial-i386.exe+250A5 - D9 5D CC - fstp dword ptr [ebp-34]
17. Tutorial-i386.exe+250A8 - D9 45 D0 - fld dword ptr [ebp-30]
18. Tutorial-i386.exe+250AB - D9 45 CC - fld dword ptr [ebp-34]
19. Tutorial-i386.exe+250AE - DED9 - fcompp
20. Tutorial-i386.exe+250B0 - DFE0 - fnstsw ax
21. Tutorial-i386.exe+250B2 - 9E - sahf
Looking at the disassembler, as a novice, my intuition tells me that what I need is located on line #13, the float subtraction (fsubr dword ptr [ebx+04]) and the storing of the result (fstp dword ptr [ebp-30]).
What does fsubr dword ptr [ebx+04] really mean?
This is what it would look like if we wrote it as a regular C math expression:
ST(0) = EAX-ST(0); // subtract ST(0) from the REAL4 value pointed to by EAX and store the result in ST(0)
5. Using line 13 for Auto Assemble with code injection at: "Tutorial-i386.exe"+2509D:
Code:
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(friendly)
newmem:
cmp [ebx+10],1 //I am checking if the player who is hit belongs to group 1
je friendly //if the player is from group 1 I will jump to the special code for friendly players
jmp originalcode
originalcode: //this code is kept so the enemies are getting hit
fsubr dword ptr [ebx+04] //ST(0) = [ebx+04] - ST(0): the health minus the hit amount
fstp dword ptr [ebp-30] //store the result at [ebp-30] and pop ST(0)
jmp returnhere
friendly: //this will allow the friendly unit's health to increase by the amount of the hit they should take
fadd dword ptr [ebx+04] //ST(0) = ST(0) + [ebx+04]: the hit amount plus the health
fstp dword ptr [ebp-30] //store the result of the ST(0) computation at [ebp-30] and pop ST(0)
jmp returnhere
"Tutorial-i386.exe"+2509D:
jmp newmem
nop //the two original instructions are 6 bytes (D8 6B 04, D9 5D D0), jmp newmem is 5, so one byte is padded
returnhere:
6. Now when I hit a friendly, the health of Player 1 and Player 2 increases, but Player 3 and Player 4 get their health reduced when hit.
Now click on auto play and you are a winner.
Please note I have never studied or used assembler. I googled for the references of assembly commands to figure out what to do. If you have any questions please let me know.
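The following is an added example; it is not from balrog_svr's post and not Cheat Engine code. It is a small C model of the x87 register stack that replays lines 11 to 14 of the disassembly above, once as the game runs them and once with the injected "friendly" path. It assumes the player layout from the structure dissection (health as a float at +04, group id at +10, the other fields treated as unnamed padding) and it assumes that ESI holds the hit amount when `mov [ebp-34],esi` executes, which the post does not state. In the x87 instruction set `fsubr m32` computes m32 - ST(0) (the "reverse" subtract; `fsub m32` would compute ST(0) - m32), so after `fild` has pushed the hit amount the original sequence leaves health - hit on the stack, and swapping the instruction for `fadd` leaves health + hit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Player layout as recovered with Dissect data/structures (offsets in hex).
 * Only +04 and +10 are identified in the post; the rest is assumed padding. */
struct player {
    uint32_t unknown_00;
    float    health;        /* +04: written by mov [ebx+04],eax, read by fsubr dword ptr [ebx+04] */
    uint32_t unknown_08;
    uint32_t unknown_0C;
    uint32_t group;         /* +10: group id, 1 for players 1-2, 2 for players 3-4 */
};

/* A minimal x87 register stack: st[top-1] is ST(0). */
struct x87 { double st[8]; int top; };
#define ST0(f) ((f)->st[(f)->top - 1])

static void fild_m32 (struct x87 *f, int32_t m) { f->st[f->top++] = (double)m; }  /* push int as float */
static void fsubr_m32(struct x87 *f, float m)   { ST0(f) = (double)m - ST0(f); }  /* ST(0) = m - ST(0) */
static void fsub_m32 (struct x87 *f, float m)   { ST0(f) = ST0(f) - (double)m; }  /* ST(0) = ST(0) - m, for contrast */
static void fadd_m32 (struct x87 *f, float m)   { ST0(f) = ST0(f) + (double)m; }  /* ST(0) = ST(0) + m */
static void fstp_m32 (struct x87 *f, float *m)  { *m = (float)f->st[--f->top]; }  /* store ST(0), pop */

/* Replays disassembly lines 11-14 for a hit of `hit` points (assumed to be
 * what ESI holds at `mov [ebp-34],esi`). With patched != 0 the injected
 * code runs instead: group 1 takes the fadd path, everyone else the
 * original fsubr. Returns the float left in [ebp-30], i.e. the new health. */
float apply_hit(const struct player *p, int32_t hit, int patched)
{
    struct x87 fpu = { {0}, 0 };
    int32_t ebp_m34 = hit;              /* mov [ebp-34],esi */
    float   ebp_m30;

    fild_m32(&fpu, ebp_m34);            /* fild dword ptr [ebp-34]   ST(0) = hit */
    if (patched && p->group == 1)
        fadd_m32(&fpu, p->health);      /* fadd dword ptr [ebx+04]   ST(0) = hit + health */
    else
        fsubr_m32(&fpu, p->health);     /* fsubr dword ptr [ebx+04]  ST(0) = health - hit */
    fstp_m32(&fpu, &ebp_m30);           /* fstp dword ptr [ebp-30]   store and pop */
    return ebp_m30;
}

/* Same sequence with fsub instead of fsubr: yields hit - health, which is
 * why the operand order of the reverse subtract matters when reading line 13. */
float apply_hit_with_fsub(const struct player *p, int32_t hit)
{
    struct x87 fpu = { {0}, 0 };
    float ebp_m30;
    fild_m32(&fpu, hit);
    fsub_m32(&fpu, p->health);
    fstp_m32(&fpu, &ebp_m30);
    return ebp_m30;
}

int main(void)
{
    struct player enemy = { 0, 100.0f, 0, 0, 2 };   /* constructed sample players */
    struct player ally  = { 0, 100.0f, 0, 0, 1 };
    printf("health at +%02zX, group at +%02zX\n",
           offsetof(struct player, health), offsetof(struct player, group));
    printf("enemy hit for 7, original: %.1f\n", apply_hit(&enemy, 7, 0));
    printf("ally  hit for 7, original: %.1f\n", apply_hit(&ally, 7, 0));
    printf("ally  hit for 7, patched : %.1f\n", apply_hit(&ally, 7, 1));
    printf("enemy hit for 7, patched : %.1f\n", apply_hit(&enemy, 7, 1));
    printf("if line 13 were fsub     : %.1f\n", apply_hit_with_fsub(&enemy, 7));
    return 0;
}
```

The `patched` flag switches between the original fsubr path and the script's fadd path, so one call reproduces the numbers the post reports: everyone loses the hit amount before the patch, and after it group 1 gains the hit amount while group 2 still loses it.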
Xylem (How do I cheat?, Reputation: 0)
Joined: 04 Dec 2011, Posts: 1
Posted: Fri Jan 18, 2013 8:05 am
This works for me, thanks brother, learnt heaps.
chinccw (How do I cheat?, Reputation: 0)
Joined: 03 Mar 2013, Posts: 1
Nemexia55 (Expert Cheater, Reputation: 0)
Joined: 28 Jan 2014, Posts: 160
Posted: Mon Feb 17, 2014 9:36 am
Post subject: so hard!
so hard!
phadeb (Cheater, Reputation: 0)
Joined: 25 Jun 2007, Posts: 35
Posted: Sun Mar 16, 2014 8:52 pm
It crashed with this:
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [ebx+10],1
je originalcode
mov [ebx+04],0
jmp exit
originalcode:
mov [ebx+04],eax
fldz
exit:
jmp returnhere
050A0000:
jmp newmem
returnhere:
and I lol'd so hard
Nemexia55 (Expert Cheater, Reputation: 0)
Joined: 28 Jan 2014, Posts: 160
Posted: Mon Mar 17, 2014 4:42 am
Finally I could do it!!!
JohnDude (Newbie cheater, Reputation: 0)
Joined: 30 Aug 2013, Posts: 20
Posted: Tue Jun 03, 2014 2:12 pm
For version 6.3, "Find what writes to this address" is enough to do it.
ebx = player's address
10 - health offset
ebx + 10 gives player's hp
2 - team offset
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [ebx+10],2
je originalcode
mov [ebx+04],(float)100
fldz
jmp returnhere
originalcode:
mov [ebx+04],0
fldz
exit:
jmp returnhere
"Tutorial-i386.exe"+27E76:
jmp newmem
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+27E76:
mov [ebx+04],eax
fldz
Nemexia55 (Expert Cheater, Reputation: 0)
Joined: 28 Jan 2014, Posts: 160
Posted: Wed Dec 10, 2014 4:57 pm
LOL, I think this is the easiest code for this level!!
Experts, please let me know if there is any problem in my code, because I'm not a professional in assembly but want to become one.
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
label(gro1)
newmem: //this is allocated memory, you have read,write,execute access
cmp [ebx+10],#1
je gro1
mov [ebx+04],eax
jmp originalcode
gro1:
nop
nop
originalcode:
//mov [ebx+04],eax
fldz
exit:
jmp returnhere
"Tutorial-i386.exe"+27DA6:
jmp newmem
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+27DA6:
mov [ebx+04],eax
fldz
//Alt: db 89 43 04 D9 EE
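As an added example that is not part of any script in this thread, the C code below encodes the `jmp newmem` that the auto assembler writes at the injection point and shows why the 6.2 script in the first post needs a trailing `nop` while the 6.3 scripts do not: an `E9 rel32` jmp is 5 bytes, and the stolen bytes (D8 6B 04 D9 5D D0, six bytes, at 0042509D in the first post; 89 43 04 D9 EE, five bytes, at Tutorial-i386.exe+27DA6 in the script above, which the `//Alt: db` line also records for the [DISABLE] restore) have to be covered completely, with nop padding for whatever the jmp does not overwrite. The image base 00400000 is taken from the first post's addresses (0042507E is Tutorial-i386.exe+2507E); the newmem address 05000000 is an assumption, since Cheat Engine picks it at alloc time.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode `jmp rel32` at src_va targeting dst_va over `stolen_len` bytes of
 * original code. The caller has already confirmed from the disassembly that
 * stolen_len ends on an instruction boundary (3+3 or 3+2 bytes in this
 * thread). Anything past the 5-byte jmp is filled with nop (0x90) so no
 * partial instruction is left behind. Returns 0 on success, -1 otherwise. */
int write_jmp_hook(uint8_t *code, size_t code_len,
                   uint32_t src_va, uint32_t dst_va, size_t stolen_len)
{
    if (stolen_len < 5 || stolen_len > code_len)
        return -1;                          /* a rel32 jmp does not fit */
    uint32_t rel = dst_va - (src_va + 5);   /* relative to the next instruction; wraps for backward jumps */
    code[0] = 0xE9;
    code[1] = (uint8_t)(rel);
    code[2] = (uint8_t)(rel >> 8);
    code[3] = (uint8_t)(rel >> 16);
    code[4] = (uint8_t)(rel >> 24);
    memset(code + 5, 0x90, stolen_len - 5); /* nop-fill the rest of the stolen bytes */
    return 0;
}

/* Decode the destination of an E9 rel32 located at src_va. */
uint32_t jmp_target(const uint8_t *code, uint32_t src_va)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return src_va + 5 + rel;
}

/* [DISABLE]: put the saved original bytes back (what the "Alt: db ..." line holds). */
void restore_original(uint8_t *code, const uint8_t *saved, size_t len)
{
    memcpy(code, saved, len);
}

static void dump(const char *tag, const uint8_t *b, size_t n)
{
    printf("%-28s", tag);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    const uint32_t newmem = 0x05000000;   /* assumed; CE chooses it at alloc() */

    /* 6.2 script: fsubr [ebx+04] (3 bytes) + fstp [ebp-30] (3 bytes) at 0042509D */
    uint8_t orig62[6] = { 0xD8, 0x6B, 0x04, 0xD9, 0x5D, 0xD0 };
    uint8_t code62[6];
    memcpy(code62, orig62, sizeof code62);
    write_jmp_hook(code62, sizeof code62, 0x0042509D, newmem, 6);
    dump("0042509D hooked (6 bytes):", code62, 6);   /* E9 rel32 followed by one 90 */

    /* 6.3 scripts: mov [ebx+04],eax (3 bytes) + fldz (2 bytes) at Tutorial-i386.exe+27DA6 */
    uint8_t orig63[5] = { 0x89, 0x43, 0x04, 0xD9, 0xEE };
    uint8_t code63[5];
    memcpy(code63, orig63, sizeof code63);
    write_jmp_hook(code63, sizeof code63, 0x00427DA6, newmem, 5);
    dump("00427DA6 hooked (5 bytes):", code63, 5);   /* exactly E9 rel32, no nop */

    restore_original(code63, orig63, 5);
    dump("00427DA6 restored:", code63, 5);
    return 0;
}
```

The length check is the part worth keeping in mind when a script crashes: with fewer than five stolen bytes the jmp overwrites the start of the next instruction, and with more than the instructions actually cover, execution returns into the middle of one.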