Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Mechwarrior 4 MP3.1, hacking question

 
RisingForce
Newbie cheater
Reputation: 0

Joined: 14 Dec 2010
Posts: 10

Posted: Wed Feb 29, 2012 9:39 pm    Post subject: Mechwarrior 4 MP3.1, hacking question

Wep Damage
0051F237 - D8 48 54 - fmul dword ptr [eax+54]
0051F23A - D9 1B - fstp dword ptr [ebx]

Wep Range
0051F248 - 8B 48 58 - mov ecx,[eax+58]
0051F24B - 8B 54 24 14 - mov edx,[esp+14]
0051F24F - 89 4D 00 - mov [ebp+00],ecx

Heat/2
0051F252 - D9 40 3C - fld dword ptr [eax+3C]
0051F255 - DCC0 - fadd st(0),st(0)
0051F257 - D9 1A - fstp dword ptr [edx]

Recycle Times
0051F25D - 8B 48 6C - mov ecx,[eax+6C]
0051F260 - 89 0A - mov [edx],ecx


Ok, so this was surprisingly easy to find. I went in mechlab and hovered over a weapon. Then I searched by value for whatever I was trying to find the address of. For example, Weapon Damage. It gave a bunch of results. I hovered over a different weapon. Searched again with that value and I got one result. I asked Cheat Engine what wrote to this address. It directed me to the memory region containing fstp dword ptr [ebx]. Obviously, the previous address is not the correct address to modify the values. So, I proceeded to search upwards in memory. It was super easy to find. I checked what addresses the instruction above accessed. It turned out that whenever I hovered the mouse over a weapon, the address for the value of that weapon's damage showed up in the debugger. I repeated this process for Weapon Range, Heat (which for some reason the values are halved), and Recycle Time. The top listed instruction under each category is the instruction to check what addresses it accesses to get the addresses of the corresponding values.
*Note: Addresses for weapons of similar type are 180 hex value apart. Not sure if this is helpful or not.

My goal is to create a trainer or utility of some sort to allow the user to change the properties of weapons. This process works: when I change the values contained in those addresses I find, I can go into a mission and see the changes. It is quite neat. :)

The problem is when I exit the mission, the addresses for the values change. I can go back and hover over a weapon while checking what addresses the instruction accesses. This gives me the address for that value again, but it is quite annoying. I want to be able to set it once and stay that way until I close the game. End goal is to have a program with a GUI to allow such changes while the game is running.

Any ideas why the address keeps changing and any advice on what I can do?

(Recycle time is super fun, longtoms with 0 recycle time haha )
Corruptor
Advanced Cheater
Reputation: 3

Joined: 10 Aug 2011
Posts: 79

Posted: Fri Mar 02, 2012 1:25 pm

I would guess that the weapon structures are dynamically created every time you leave a mission. I don't quite know what could be the point of this, but hey, I don't even know that game, so maybe there's a decent reason to do so...

Well, what you would most likely have to do now is find a static multi-level pointer to those weapons. I am quite sure that eax is the start of the structure and thus the value of the first pointer to find. You may want to search for some tutorials (or do the Cheat Engine tutorial) to do that. What you basically have to do is find out what accesses the address, look for the value the pointer could possibly have (Cheat Engine does that for you if you click the "more information" button) and search for that value. Repeat that for the results until you find a static - a green - pointer.
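Why the addresses move and why a static base pointer fixes it, as an added example that is not part of any post in this thread: a self-contained C model of records rebuilt on the heap and reached through one static pointer. Only the field offsets and the 0x180 spacing come from the first post; the table, the function names and the sample value 500 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offsets and the 0x180 stride are the ones quoted in the thread;
   the table, its functions and the sample values are hypothetical. */
enum { STRIDE = 0x180, OFF_HEAT = 0x3C, OFF_DAMAGE = 0x54,
       OFF_RANGE = 0x58, OFF_RECYCLE = 0x6C };

static unsigned char *g_table;  /* static pointer: its own address never moves */
static size_t g_count;

/* Rebuild the records on the heap, as a game might when a mission ends. */
static int rebuild_table(size_t count, uint32_t recycle) {
    unsigned char *fresh = calloc(count, STRIDE);
    if (fresh == NULL) return -1;
    for (size_t i = 0; i < count; i++)
        memcpy(fresh + i * STRIDE + OFF_RECYCLE, &recycle, sizeof recycle);
    free(g_table);      /* freed only after the new block exists, so the bases differ */
    g_table = fresh;
    g_count = count;
    return 0;
}

/* Resolve a 4-byte field through the static pointer on every use. */
static unsigned char *field_addr(size_t index, size_t offset) {
    if (g_table == NULL || index >= g_count || offset + 4 > STRIDE) return NULL;
    return g_table + index * STRIDE + offset;
}

static uint32_t read_field(size_t index, size_t offset) {
    uint32_t v = 0;
    unsigned char *p = field_addr(index, offset);
    if (p != NULL) memcpy(&v, p, sizeof v);
    return v;
}

/* Returns 1 when an address cached before a rebuild no longer matches. */
static int cached_address_goes_stale(void) {
    if (rebuild_table(4, 500) != 0) return -1;
    uintptr_t cached = (uintptr_t)field_addr(1, OFF_RECYCLE);
    if (rebuild_table(4, 500) != 0) return -1;
    return cached != (uintptr_t)field_addr(1, OFF_RECYCLE);
}

int main(void) {
    printf("stale after rebuild: %d\n", cached_address_goes_stale());
    printf("recycle via pointer path: %u\n", (unsigned)read_field(1, OFF_RECYCLE));
    return 0;
}
```

The cached raw address is only compared as an integer and never dereferenced after the rebuild; the value read back through the static pointer is the same before and after.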
RisingForce
Newbie cheater
Reputation: 0

Joined: 14 Dec 2010
Posts: 10

Posted: Mon Mar 05, 2012 3:07 pm

Thank you very much for your response. I'll try it. But, I don't know if it will work because I think that these values might be coming from an encrypted file and are read into a dynamically created data structure each time. Maybe, I am wrong. I shouldn't have assumed. We'll see.
marco1960
How do I cheat?
Reputation: 0

Joined: 12 Mar 2012
Posts: 1

Posted: Mon Mar 12, 2012 5:24 pm    Post subject: Mechwarrior 4 MP3.1, hacking question

Hi RisingForce
I'm trying to do the same change on Recycle time or Damage but I have some difficulties.
What search did you use, by text or by byte?
I was not able to find the right Recycle time memory region. I found the text value but setting it to zero, there were no changes to the weapon feature.

Do you have news about your idea to create a trainer with GUI to set all weapon parameters?

Thank you for your reply

Ciao
Marco
Fresco
Grandmaster Cheater
Reputation: 3

Joined: 07 Nov 2010
Posts: 516

Posted: Tue Mar 13, 2012 9:51 am

Quote:
Wep Damage
0051F237 - D8 48 54 - fmul dword ptr [eax+54]
0051F23A - D9 1B - fstp dword ptr [ebx]

Wep Range
0051F248 - 8B 48 58 - mov ecx,[eax+58]
0051F24B - 8B 54 24 14 - mov edx,[esp+14]
0051F24F - 89 4D 00 - mov [ebp+00],ecx

Heat/2
0051F252 - D9 40 3C - fld dword ptr [eax+3C]
0051F255 - DCC0 - fadd st(0),st(0)
0051F257 - D9 1A - fstp dword ptr [edx]

Recycle Times
0051F25D - 8B 48 6C - mov ecx,[eax+6C]
0051F260 - 89 0A - mov [edx],ecx


Wep Damage
0051F23A - D9 1B - fstp dword ptr [ebx]
auto assemble here:

create 2 labels
registersymbol - value to store
assign the 2 labels a value
pop and store fpu
store whatever you want in [ebx]

just like this:
Code:
label(value)
label(original_value)
registersymbol(value)

newmem:
//place your code here
//make the original code write original value into [original_value] not [ebx]
fstp dword ptr [original_value]
//now store your value into val of ebx
//x86 has no memory-to-memory mov, so copy through a register
push eax
mov eax,[value]
mov [ebx],eax
pop eax

originalcode:
//delete this:  "fstp dword ptr [ebx]"

//before [DISABLE] part write this
original_value:
db 00 00 00 00
value:
db 00 00 00 00

now in your cheat table add this address "4 bytes" or "float" depending on what kind of address you want to store

value

now change the value of address "value" to the value you want

_________________
... Fresco
RisingForce
Newbie cheater
Reputation: 0

Joined: 14 Dec 2010
Posts: 10

Posted: Thu Mar 22, 2012 10:01 pm

Wow, that's pretty neat. I'll try this. Thank you. I guess I just needed to know more about programming in assembly. I didn't know you could do that. I have done very little in assembly. Thanks again. :)
RisingForce
Newbie cheater
Reputation: 0

Joined: 14 Dec 2010
Posts: 10

Posted: Fri Mar 23, 2012 5:52 pm

I got confused, I don't think what you showed me Fresco solves the problem. Here is what I want to do.

For recycle time:
0051F25D - 8B 48 6C - mov ecx,[eax+6C]

This instruction lets me find the memory locations for the recycle times of each weapon. I debug here and hover over a weapon to get the corresponding memory location for its recycle time. This memory location changes when I exit a mission. However, I just repeat the process to find it again. What I would like to do is to inject code that does this algorithm for me, if it can be done. I did not know about registersymbol, that might be useful.

My Idea for injection.
1. Find what memory location mov ecx,[eax+6C] last accessed.
2. Change the value of a static pointer to point to this memory location.
3. Use the pointer to change the value in that memory location.
Fresco
Grandmaster Cheater
Reputation: 3

Joined: 07 Nov 2010
Posts: 516

Posted: Wed Mar 28, 2012 3:52 pm

0051F25D - 8B 48 6C - mov ecx,[eax+6C]
eax+6C is the address of whatever
so auto assemble, registersymbol addressx, add to the table addressx
in the auto assemble:

Code:
push ebx
mov ebx,[addressx]
mov [eax+6C],ebx
pop ebx


every time the code above is executed, it will store the value of addressx (the one in your table) into the value of the address whatever

_________________
... Fresco
RisingForce
Newbie cheater
Reputation: 0

Joined: 14 Dec 2010
Posts: 10

Posted: Sat Mar 31, 2012 9:52 am

Yeah, I figured that out. It isn't exactly what I wanted because I still have to go in and hover over the weapon then go to cheat engine and change the value. But, I'm realizing now that what I wanted to do is impossible unless I can actually find the static address of the values whether they are read in from a file or determined in a different section of memory.

Thank You very much Fresco. I appreciate the time you took to help me.
All times are GMT - 6 Hours