Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
staple intersection tutorial (Red alert) for instant build

Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Sat Jul 17, 2010 10:23 am    Post subject: staple intersection tutorial (Red alert) for instant build

Tutorial Author: Razali Rambli @ Bie

Introduction:

I have seen lots of trainers for this game and have tried them all. They are great trainers with infinite money, power, speed build, etc.

But the bad thing is, all the trainers also give the benefit to the AI (computer player), thus making it more difficult than ever.

So, after I got a tip from The Lord Of The Gamehacking, [sheep], I managed to get speed build for Command and Conquer Generals Zero Hour.

I decided to create a tutorial on making a one-side speed build, starting with Red Alert 2. I hope I have time to make a tutorial for a one-side speed build for Generals Zero Hour.

[Sheep], you are a great teacher, thank you.

So, let's get started and enjoy the tutorial. Remember, this is not a tutorial on using the tool; this is a tutorial on making a speed build option. Learn to use the tool and read the method tutorial.

Razali Rambli @ Bie
Sarawak, Malaysia



Target

Red Alert v1.00

Tools

1. Tsearch
2. Bie Code Cave Tool

Method

1. Code Injection, Code Cave and Staple Intersection
2. Pointer

Collecting Info

When we are building something in Red Alert 2, we don't see a numeric value to give us a hint about our building progress. The only indicator is a layer of translucent blue on top of the building we wish to build, and it moves clockwise to show us the building progress.



Choosing the search method

Since we don't know how much the value is, we can choose 3 types of search in Tsearch:

1. Unknown, Increase
2. Unknown, Decrease
3. Unknown, Change, Not Change



Starting the search

Choose one of the search methods above; for this tutorial, I choose the 1st method. Remember, different games have different methods.

1. Build and pause
2. Do an unknown search
3. Unpause and pause again
4. Search 1 byte increase
5. Repeat steps 3 and 4 until you find your address.



Opcode

After you have found the address, we have to put a write breakpoint on it to get to the opcode that controls the value.

In autohack, we will land here:

Offset    Hex       Asm                  Detail
004b8e82  8B 56 24  mov edx,[esi+0x24]   Move our value to the edx register
004b8e85  03 D0     add edx,eax          Add our value to the value from the eax register
004b8e87  89 56 24  mov [esi+0x24],edx   We land here. Move our new value back into our address



Write breakpoint on our address [write pointer]



So, from the opcode above, we know that our write pointer resides in the esi register.

Then I let the game finish building and looked at my address; the value inside it showed 54, so now I know that when our value reaches 54, that means our building is complete.

So what we need to do is just make the value that is put inside the edx register 54 and it will build instantly.

Since this address is shared between the human player and the AI player, we need to find a staple intersection. So to find the staple intersection, we have to put a read breakpoint on our address.

1. Pause the building by right-clicking on the building icon; don't pause the game, just alt+tab out.
2. So in autohack, put a Read/Write breakpoint on our address.
3. Get back to the game and don't do anything, just alt+tab out again.

We will find a few breakpoints. But we only need the one that is not shared. In autohack, click the read breakpoints and register them one by one. At the Register tab, just focus on the register in the brackets [ ].

4. Get back to the game and don't do anything, just alt+tab out again.

Look at the register and compare it with our pointer; if the pointer shows a different address from our pointer, that is not our staple intersection. So, after looking at all the read breakpoints, only 1 opcode is not shared between the human player and the AI player.



Offset    Hex       Asm                  Detail
004b9410  8B 41 24  mov eax,[ecx+0x24]   We land here. Move our staple intersection to the eax register. ecx is our pointer and is not shared between us and the AI.
004b9413  C3        ret                  Return back to the call opcode

Read breakpoint on our address that is not shared [Staple Intersection]



Jump, Code Cave and compare pointer

We plan our injected code.

Jump from staple intersection opcode:

1. We jump to the code cave; we choose 400314.
2. We move our staple intersection pointer into one address; we choose 400370. Jump back.

Jump from write opcode:

1. We jump to the code cave; we choose 40031e.
2. We then compare our staple intersection pointer with the write pointer.
3. If equal, we put 54 [decimal] = 36 [hex] inside our value [edx].
4. If not equal, add the value with eax.
5. Jump back to the next write opcode.

Use Bie Code Cave Tools to open the 400300 address for code injection, or use Tsearch easywrite. If you don't want to make a code cave there, just use SAS.



Example of Code Cave and Jump

Code Cave

Offset    Hex           Asm                    Detail
00400314  8B4124        mov eax,[ecx+0x24]     jump from staple intersection, original code
00400317  890D70034000  mov [0x400370],ecx     move staple intersection pointer to 400370 to be compared later. our code
0040031d  C3            retn                   get back to call opcode
0040031e  393570034000  cmp [0x400370],esi     compare write pointer with our staple intersection pointer
00400324  740D          je short 0x00400333    if equal go to 400333
00400326  8B5624        mov edx,[esi+0x24]     if not equal, recreate original code
00400329  03D0          add edx,eax            recreate original code
0040032b  895624        mov [esi+0x24],edx     recreate original code
0040032e  E9578B0B00    jmp 0x004B8E8A         jump back to normal next write opcode
00400333  BA36000000    mov edx,0x36           move 36 (hex) = 54 (dec) into edx
00400338  EBF1          jmp short 0x0040032B   go to 40032B

Jump from staple intersection

Offset    Hex           Asm                    Detail
004b9410  E9FF6EF4FF    jmp 0x00400314         jump to code cave

Jump from write opcode

Offset    Hex           Asm                    Detail
004b8e82  E99774F4FF    jmp 0x0040031E         jump to code cave
004b8e87  90            nop                    no operation [destroyed code]
004b8e88  90            nop                    no operation [destroyed code]
004b8e89  90            nop                    no operation [destroyed code]
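The hook bytes in the tutorial above (E99774F4FF, E9FF6EF4FF, E9578B0B00, 740D, EBF1) and the three trailing NOPs can be recomputed by hand. The C program below is an added example, not code from the original post: a relative jump operand is the target minus the address of the next instruction, and the slack check shows why the write site needs three NOPs while the 5-byte jmp at 004b9410 covers one byte more than the 4-byte mov+ret it replaces (harmless here only because the cave ends in retn).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* rel32 operand of a 5-byte E9 jmp: target minus the address of the NEXT instruction. */
uint32_t jmp_rel32(uint32_t src, uint32_t dst) {
    return dst - (src + 5);
}

/* rel8 operand of a 2-byte short jump (EB jmp / 74 je) as a byte value,
   or -1 if the target is outside the signed 8-bit range. */
int short_rel8(uint32_t src, uint32_t dst) {
    int32_t rel = (int32_t)(dst - (src + 2));
    if (rel < -128 || rel > 127) return -1;
    return rel & 0xFF;
}

/* Hex of the full 5-byte E9 jmp as Tsearch shows it (little-endian operand).
   Returns a static buffer, so copy it before the next call. */
const char *jmp_hex(uint32_t src, uint32_t dst) {
    static char buf[11];
    uint32_t rel = jmp_rel32(src, dst);
    snprintf(buf, sizeof buf, "E9%02X%02X%02X%02X",
             (unsigned)(rel & 0xFF), (unsigned)((rel >> 8) & 0xFF),
             (unsigned)((rel >> 16) & 0xFF), (unsigned)((rel >> 24) & 0xFF));
    return buf;
}

/* Bytes left over when a hook of hook_len bytes is laid over instructions of the
   given lengths: positive = bytes to NOP out, negative = the hook runs past the
   last listed instruction and clobbers whatever follows it. */
int hook_slack(int hook_len, const int *lens, int n) {
    int total = 0;
    for (int i = 0; i < n; i++) total += lens[i];
    return total - hook_len;
}

int main(void) {
    /* The three long jumps from the tutorial. */
    printf("write hook  004b8e82 -> 0040031e: %s\n", jmp_hex(0x004b8e82, 0x0040031e));
    printf("staple hook 004b9410 -> 00400314: %s\n", jmp_hex(0x004b9410, 0x00400314));
    printf("cave return 0040032e -> 004b8e8a: %s\n", jmp_hex(0x0040032e, 0x004b8e8a));
    /* The two short jumps inside the cave. */
    printf("je  00400324 -> 00400333: 74%02X\n", short_rel8(0x00400324, 0x00400333));
    printf("jmp 00400338 -> 0040032b: EB%02X\n", short_rel8(0x00400338, 0x0040032b));
    /* Write site: mov(3)+add(2)+mov(3) = 8 bytes, so 3 NOPs follow the 5-byte jmp. */
    printf("write-site NOPs: %d\n", hook_slack(5, (const int[]){3, 2, 3}, 3));
    /* Staple site: mov(3)+ret(1) = 4 bytes; the jmp overwrites one byte past the ret. */
    printf("staple-site slack: %d\n", hook_slack(5, (const int[]){3, 1}, 2));
    return 0;
}
```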
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

Posted: Sat Jul 17, 2010 6:49 pm    Post subject:

This works for your game, but what happens if there is no unique piece of code specific to handling your builds? I.E., some games use a giant linked list (or multiple lists) of items and just walk the list iterating each one. If the build progress you see for their builds is the same as yours, there might not even be unique code for displaying your build progress (the blue semi-circle, in your case).

Cheers,
adude
Bie
How do I cheat?
Reputation: 0

Joined: 26 Aug 2010
Posts: 2
Location: Sarawak

Posted: Thu Aug 26, 2010 8:43 am    Post subject:

wow... my old tutorial

look at my bad English... haha... and it still is

one thing I learned from all these years... if you can't find it, keep trying with other methods... this is just a way... not the only way

it is all mathematics... something must represent something...

if there is no unique code, perhaps a pointer... or a flag might do the trick
Bie
How do I cheat?
Reputation: 0

Joined: 26 Aug 2010
Posts: 2
Location: Sarawak

Posted: Tue Aug 31, 2010 9:33 pm    Post subject:

haha... I can't reply to PMs since I'm not worthy enough and have no contribution to the gamehacking scene. so... sorry, I can't reply to PMs.. we must follow the rules, right?

oh well... this is an old game and an old tutorial; new games mostly use a dll to store their code, but it teaches how to use the staple intersection, using the display as a way to filter human and AI. so it is still relevant.

so here is my old tsearch easyscript for cnc general 1.7 +4 from my old hard disk... it has been so long... wow... 2003... I have a better one though... but I can't find it... hmm. need to open all the rar files and look for it.

copy, paste, claim it as your own, reverse engineer it or whatever... I won't mind

code cave
Code:
//code cave begin
offset 0x400020
//general point, optimum 14 or put it 99 if u like
mov dword ptr [eax+0x17c], 0x63
//general experience, max 5000 or 6000, cant remember
mov dword ptr [eax+0x178], 0x1388
//power, u know u still need to build the power building to enable other tech, right?
mov dword ptr [eax+0x74], 0x98967F
//money, show me the money, oh wait, that starcraft
mov dword ptr [eax+0x34], 0xF423F

//original code
mov ebp,[eax+0x34]
cmp [0x928A2C],ebp
//jump back to original code
jmp 0x508ee9

//original address
offset 0x508ee0
//jump to code cave
jmp 0x400020
//cleaning up trailing code
hex 90909090


original code
Code:
offset 0x508ee0
mov ebp,[eax+0x34]
cmp [0x928A2C],ebp
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Thu Sep 02, 2010 5:48 pm    Post subject:

Any tips on finding the player ID using building structures in RTS games?