Cheat Engine The Official Site of Cheat Engine
Freiza (Grandmaster Cheater, Reputation: 22, Joined: 28 Jun 2010, Posts: 662)
Posted: Sat Jul 17, 2010 10:23 am    Post subject: staple intersection tutorial (Red alert) for instant build
Tutorial Author: Razali Rambli @ Bie
Introduction:
I have seen lots of trainers for this game and have tried them all. They are great trainers, with infinite money, power, speed build, etc.
But the bad thing is that all the trainers also give the benefit to the AI (computer player), thus making the game more difficult than ever.
So, after I got a tip from The Lord Of The Gamehacking, [sheep], I managed to get speed build for Command and Conquer Generals Zero Hour.
I decided to create a tutorial on making a one-side speed build, starting with Red Alert 2. I hope I have time to make a tutorial for one-side speed build for Generals Zero Hour.
**[Sheep] you are a great teacher, thank you.
So, let's get started and enjoy the tutorial. Remember, this is not a tutorial on using the tool; this is a tutorial on making a speed build option. Learn to use the tool and read the method tutorial.
Razali Rambli @ Bie
Sarawak, Malaysia
Target
Red Alert v1.00
Tools
1. Tsearch
2. Bie Code Cave Tool
Method
1. Code Injection, Code Cave and Staple Intersection
2. Pointer
Collecting Info
When we are building something in Red Alert 2, we don't see a numeric value to give us a hint about our building progress. The only indicator is a layer of translucent blue on top of the building we wish to build, and it moves clockwise to show the building progress.
Choosing the search method
Since we don't know what the value is, we can choose between 3 types of search in Tsearch:
1. Unknown, Increase
2. Unknown, Decrease
3. Unknown, Change, Not Change
Starting the search
Choose one of the search methods above; for this tutorial, I choose the 1st method. Remember, different games need different methods.
1. Build and pause
2. Do an unknown search
3. Unpause and pause again
4. Search for 1-byte increase
5. Repeat steps 3 and 4 until you find your address.
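The narrowing loop above is the core of every "unknown value" scan: take a snapshot, let the game change the value, then keep only the addresses whose byte moved the way you expect. The following is an added example (not Tsearch code and not part of the tutorial) that simulates that loop over a constructed 8-byte "game memory". It goes one step beyond the tutorial's increase-only method by also applying a "not changed" round with the build paused, which is what separates the progress counter from a timer that increases every tick regardless.

```python
# Simulated "unknown value" scan: the candidate set starts as every byte of a
# memory image and is narrowed by comparing successive snapshots, which is how
# a scanner locates a value that the game never displays as a number.
# Added example (not Tsearch code); the 8-byte "game memory" is constructed.

INCREASE, DECREASE, CHANGED, UNCHANGED = "increase", "decrease", "changed", "unchanged"

PREDICATES = {
    INCREASE: lambda old, new: new > old,
    DECREASE: lambda old, new: new < old,
    CHANGED: lambda old, new: new != old,
    UNCHANGED: lambda old, new: new == old,
}


class UnknownScan:
    """Tracks which byte offsets of an image are still consistent with every
    comparison applied so far (1-byte search, as in the tutorial)."""

    def __init__(self, image, base=0):
        self.base = base
        self.snapshot = bytes(image)
        # An "unknown" initial scan keeps every address as a candidate.
        self.candidates = set(range(len(self.snapshot)))

    def refine(self, image, how):
        """Drop candidates whose byte does not satisfy `how` between the previous
        snapshot and `image`; returns the number of candidates left."""
        image = bytes(image)
        if len(image) != len(self.snapshot):
            raise ValueError("snapshot size changed between scans")
        pred = PREDICATES[how]
        self.candidates = {i for i in self.candidates if pred(self.snapshot[i], image[i])}
        self.snapshot = image
        return len(self.candidates)

    def addresses(self):
        """Absolute addresses of the remaining candidates, sorted."""
        return sorted(self.base + i for i in self.candidates)


def simulate_build_progress():
    """Constructed memory: offset 5 is the build-progress counter (counting up
    towards the 54 the tutorial observes), offset 2 is a frame counter that
    increases every tick whether or not a build is running, the rest is static.
    Two 'unknown, increase' rounds (the tutorial's method) cannot separate the
    two counters; one 'not changed' round with the build paused can."""
    mem = bytearray([0x10, 0x00, 0x00, 0x7F, 0x20, 0x00, 0x33, 0x44])
    scan = UnknownScan(mem, base=0x00A00000)  # base address is a constructed placeholder
    counts = []

    # Round 1: unpause, let the build run a little, pause again -> search "increase".
    mem[2] += 1
    mem[5] += 9
    counts.append(scan.refine(mem, INCREASE))
    # Round 2: same again -> both the frame counter and the progress survive.
    mem[2] += 1
    mem[5] += 9
    counts.append(scan.refine(mem, INCREASE))
    # Round 3: keep the build paused but let time pass -> search "not changed".
    mem[2] += 1
    counts.append(scan.refine(mem, UNCHANGED))

    return scan.addresses(), counts


if __name__ == "__main__":
    found, per_round = simulate_build_progress()
    print("candidates per round:", per_round)
    print("remaining addresses:", [hex(a) for a in found])
```

The candidate count goes 2, 2, 1: the two "increase" rounds leave both counters, and the "not changed" round with the build paused removes the one that keeps ticking. A real scanner does the same over megabytes of process memory and for 2- and 4-byte widths, but the filtering logic is identical.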
Opcode
After you have found the address, we have to put a write breakpoint on it to get to the opcode that controls the value.
In autohack, we will land here:
Offset    Hex       Asm                 Detail
004b8e82  8B 56 24  mov edx,[esi+0x24]  Move our value to the edx register
004b8e85  03 D0     add edx,eax         Add our value to the value from the eax register
004b8e87  89 56 24  mov [esi+0x24],edx  We land here. Move our new value back into our address
Write breakpoint on our address [write pointer]
So, from the opcode above, we know that our write pointer resides in the esi register.
Then I let the game finish building and looked at my address; the value inside it showed 54, so now I know that when our value reaches 54, our building is complete.
So what we need to do is just make the value that is put inside the edx register 54, and it will build instantly.
Since this address is shared between the human player and the AI player, we need to find a staple intersection. To find the staple intersection, we have to put a read breakpoint on our address.
1. Pause the building by right-clicking on the building icon; don't pause the game, just alt+tab out.
2. In autohack, put a Read/Write breakpoint on our address.
3. Get back to the game and don't do anything, just alt+tab out again.
We will find a few breakpoints, but we only need the one that is not shared. In autohack, click the read breakpoints and register them one by one. In the Register tab, just focus on the register in the brackets [ ].
4. Get back to the game and don't do anything, just alt+tab out again.
Look at the register and compare it with our pointer; if it shows a different address from our pointer, that is not our staple intersection. So, after looking at all the read breakpoints, only 1 opcode is not shared between the human player and the AI player.
Offset    Hex       Asm                 Detail
004b9410  8B 41 24  mov eax,[ecx+0x24]  We land here. Move our staple intersection to the eax register. ecx is our pointer and is not shared between us and the AI.
004b9413  C3        ret                 Return back to the call opcode
Read breakpoint on our address that is not shared [Staple Intersection]
Jump, Code Cave and compare pointer
We plan our injected code.
Jump from the staple intersection opcode:
1. We jump to the code cave; we choose 400314.
2. We move our staple intersection pointer into one address; we choose 400370. Jump back.
Jump from the write opcode:
1. We jump to the code cave; we choose 40031e.
2. We then compare our staple intersection pointer with the write pointer.
3. If equal, we put 54 [decimal] = 36 [hexadecimal] inside our value [edx].
4. If not equal, add the value with eax.
5. Jump back to the next write opcode.
Use Bie Code Cave Tool to open the 400300 address for code injection, or use Tsearch easywrite. If you don't want to make a code cave there, just use SAS.
Example of Code Cave and Jump
Code Cave
Offset    Hex           Asm                   Detail
00400314  8B4124        mov eax,[ecx+0x24]    jump from staple intersection, original code
00400317  890D70034000  mov [0x400370],ecx    move staple intersection pointer to 400370 to be compared later. our code
0040031d  C3            retn                  get back to call opcode
0040031e  393570034000  cmp [0x400370],esi    compare write pointer with our staple intersection pointer
00400324  740D          je short 0x00400333   if equal go to 400333
00400326  8B5624        mov edx,[esi+0x24]    if not equal, recreate original code
00400329  03D0          add edx,eax           recreate original code
0040032b  895624        mov [esi+0x24],edx    recreate original code
0040032e  E9578B0B00    jmp 0x004B8E8A        jump back to normal next write opcode
00400333  BA36000000    mov edx,0x36          move 36 (hex) = 54 (dec) into edx
00400338  EBF1          jmp short 0x0040032B  go to 40032B
Jump from staple intersection
Offset    Hex           Asm                   Detail
004b9410  E9FF6EF4FF    jmp 0x00400314        jump to code cave
Jump from write opcode
Offset    Hex           Asm                   Detail
004b8e82  E99774F4FF    jmp 0x0040031E        jump to code cave
004b8e87  90            nop                   no operation [destroyed code]
004b8e88  90            nop                   no operation [destroyed code]
004b8e89  90            nop                   no operation [destroyed code]
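The jumps in the two patch tables above and the exit jump inside the cave are all relative branches, so their byte encodings depend on where each instruction sits. The following is an added example, not code from the tutorial or from Tsearch/Bie Code Cave Tool, that recomputes those encodings from the addresses in the tables (32-bit x86 near jumps: E9 rel32, EB rel8, 7x rel8) and builds the detour patch for each site, including the NOP padding over the destroyed instructions. It also makes explicit a point the tables only imply: at the read site the two stolen instructions total 4 bytes, so the 5-byte jmp spills one byte past the ret, which is only harmless because the cave ends in retn and never resumes there.

```python
# Encoding the near jumps that wire a code cave into the game's code, and a
# detour helper that pads the patch site with NOPs so the overwritten bytes end
# on an instruction boundary. Added example, not code from the tutorial or from
# Tsearch/Bie Code Cave Tool; the addresses and expected bytes are the ones in
# the tutorial's tables, recomputed here (32-bit x86, E9/EB/7x encodings).

import struct

JMP_REL32_LEN = 5  # E9 + 4-byte displacement
REL8_LEN = 2       # EB/7x + 1-byte displacement


def encode_jmp_rel32(at, target):
    """E9 rel32: the displacement is measured from the end of the jmp itself."""
    return b"\xE9" + struct.pack("<i", target - (at + JMP_REL32_LEN))


def _rel8(at, target):
    disp = target - (at + REL8_LEN)
    if not -128 <= disp <= 127:
        raise ValueError("target 0x%X not within rel8 range of 0x%X" % (target, at))
    return struct.pack("<b", disp)


def encode_jmp_rel8(at, target):
    """EB rel8 (jmp short)."""
    return b"\xEB" + _rel8(at, target)


def encode_jcc_rel8(opcode, at, target):
    """7x rel8 conditional jump, e.g. opcode 0x74 for je short."""
    return bytes([opcode]) + _rel8(at, target)


def decode_rel32_target(at, code):
    """Inverse of encode_jmp_rel32: absolute target of the E9 jmp located at `at`."""
    if len(code) != JMP_REL32_LEN or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jmp")
    return (at + JMP_REL32_LEN + struct.unpack("<i", code[1:])[0]) & 0xFFFFFFFF


def build_detour(at, target, stolen_lengths):
    """Patch bytes for a detour at `at`: a 5-byte jmp to `target`, then NOPs
    over the rest of the stolen instructions (their lengths in `stolen_lengths`;
    the cave must re-create every stolen instruction before resuming).

    Returns (patch, resume, overrun). `resume` is the address right after the
    stolen instructions. `overrun` > 0 means the stolen instructions are shorter
    than the jmp, so the jmp spills into the following bytes; that is only safe
    when the stolen code ends in ret/jmp and nothing branches into those bytes."""
    stolen = sum(stolen_lengths)
    patch = encode_jmp_rel32(at, target) + b"\x90" * max(0, stolen - JMP_REL32_LEN)
    return patch, at + stolen, max(0, JMP_REL32_LEN - stolen)


if __name__ == "__main__":
    # Write site: mov edx,[esi+0x24] (3) / add edx,eax (2) / mov [esi+0x24],edx (3)
    patch, resume, overrun = build_detour(0x004B8E82, 0x0040031E, [3, 2, 3])
    print("write site:", patch.hex().upper(), "resume", hex(resume), "overrun", overrun)
    # Read site: mov eax,[ecx+0x24] (3) / ret (1) -> the jmp overruns by one byte
    patch, resume, overrun = build_detour(0x004B9410, 0x00400314, [3, 1])
    print("read site :", patch.hex().upper(), "resume", hex(resume), "overrun", overrun)
    print("cave exit :", encode_jmp_rel32(0x0040032E, 0x004B8E8A).hex().upper())
    print("je short  :", encode_jcc_rel8(0x74, 0x00400324, 0x00400333).hex().upper())
```

For the write site the helper yields E99774F4FF followed by three NOPs and a resume address of 004b8e8a, exactly the bytes and the jump-back target in the tables; the NOPs matter because any branch that lands on the old boundary at 004b8e87 then executes harmless bytes rather than the tail of a displacement. For the read site the cave ends in retn, so the computed resume address is never used, and the one-byte overrun past the ret is the reason that site can still be hooked with a 5-byte jmp.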

justa_dude (Grandmaster Cheater, Reputation: 23, Joined: 29 Jun 2010, Posts: 891)
Posted: Sat Jul 17, 2010 6:49 pm
This works for your game, but what happens if there is no unique piece of code specific to handling your builds? I.e., some games use a giant linked list (or multiple lists) of items and just walk the list iterating each one. If the build progress you see for their builds is the same as yours, there might not even be unique code for displaying your build progress (the blue semi-circle, in your case).
Cheers,
adude

Bie (How do I cheat?, Reputation: 0, Joined: 26 Aug 2010, Posts: 2, Location: Sarawak)
Posted: Thu Aug 26, 2010 8:43 am
Wow... my old tutorial.
Look at my bad English... haha... and it still is.
One thing I learned from all these years... if you can't find it, keep trying with other methods... this is just a way... not the only way.
It is all mathematics... something must represent something...
If there is no unique code, perhaps a pointer... or a flag might do the trick.

Bie (How do I cheat?, Reputation: 0, Joined: 26 Aug 2010, Posts: 2, Location: Sarawak)
Posted: Tue Aug 31, 2010 9:33 pm
Haha... I can't reply to PMs since I'm not worthy enough and have no contribution to the gamehacking scene. So... sorry, I can't reply to PMs... we must follow rules, right?
Oh well... this is an old game and an old tutorial; new games mostly use DLLs to store their code, but it teaches how to use the staple intersection, using the display as a way to filter human and AI. So it is still relevant.
So here is my old Tsearch easyscript for C&C Generals 1.7 +4 from my old hard disk... it has been so long... wow... 2003... I have a better one though... but I can't find it... hmm. Need to open all the rar files and look for it.
Copy, paste, claim it as your own, reverse engineer it or whatever... I won't mind.
code cave
Code:
//code cave begin
offset 0x400020
//general point, optimum 14 or put it 99 if you like
mov dword ptr [eax+0x17c], 0x63
//general experience, max 5000 or 6000, can't remember
mov dword ptr [eax+0x178], 0x1388
//power, you know you still need to build the power building to enable other tech, right?
mov dword ptr [eax+0x74], 0x98967F
//money, show me the money, oh wait, that's Starcraft
mov dword ptr [eax+0x34], 0xF423F
//original code
mov ebp,[eax+0x34]
cmp [0x928A2C],ebp
//jump back to original code
jmp 0x508ee9
//original address
offset 0x508ee0
//jump to code cave
jmp 0x400020
//cleaning up trailing code
hex 90909090

original code
Code:
offset 0x508ee0
mov ebp,[eax+0x34]
cmp [0x928A2C],ebp

Freiza (Grandmaster Cheater, Reputation: 22, Joined: 28 Jun 2010, Posts: 662)
Posted: Thu Sep 02, 2010 5:48 pm
Any tips to find the player id using building structures in RTS games?