Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Does somebody have any info on how to hack painkiller?
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 11:13 am    Post subject: Does somebody have any info on how to hack painkiller?

Does somebody have any info on how to hack painkiller?
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25301
Location: The netherlands

Posted: Tue Apr 03, 2012 2:24 pm

Find health, I believe it's a double, and then set the value extremely high.
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 2:31 pm

Yes, I know that. But I am unable to find the player ID for it, since each code accesses millions of useless addresses, and I find no ID that uniquely identifies the player's health.
But I am trying my best to circumvent it.

Pointer scan is also not working. I tried to back-trace until my nerves gave out, but reached no conclusion.

mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Tue Apr 03, 2012 6:50 pm

Painkiller uses Lua. (You must use many checks: structure and stack ones.)

I could try to make a trainer for this game. I have Painkiller v1.64.
Stay tuned :)

Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 7:05 pm

@"you must use many checks: structure and stack ones"
What do you mean by this?

I would love to learn to hack this game.

Thank you.

mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Tue Apr 03, 2012 8:36 pm

http://forum.cheatengine.org/viewtopic.php?p=5184681#5184681

Stack checks:
    cmp [esp+XX],YY
or
    cmp [ebp+XX],YY
(as you know, the ESP register is the Extended Stack Pointer)

Example, for Bionic Commando: if [esp] is not zero (cmp [esp],0), we definitely have a wrong call. If it is equal to zero, it is a good or wrong call.

If [esp+68] is equal to 1, we have a "player health call".
If [esp+68] is equal to 0, we have an "enemy health call".

But this is not enough. There are many wrong calls with zero at the top of the stack (esp+0) and 1 at esp+68:
    [esp+00] == 0
    [esp+68] == 1

We need a player structure check. The player structure has a few characteristic pointers.

As you see, we can do two checks:
    [address+10] == address + 64
    [address+24] == address + 78

The third check is (the above screenshot doesn't show it):
    [address+b0] == address + 50

Finally:
if ([esp+00] == 0) && ([esp+68] == 1) && ([address+10] == address + 64) && ([address+24] == address + 78) && ([address+b0] == address + 50) then this is a "player health" call.

if ([esp+00] == 0) && ([esp+68] == 0) && ([address+10] == address + 64) && ([address+24] == address + 78) && ([address+b0] == address + 50) then this is an "enemy health" call.

Bionic Commando uses Lua.

Last edited by mgr.inz.Player on Tue Apr 03, 2012 9:06 pm; edited 3 times in total
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 9:00 pm

"There are many calls with zero at the top of stack (esp+0) and 1 at esp+68."

How did you come to know that there are many calls similar to yours? Did you manually check them? Or is there some other method that I don't know?

And what is a stack trace?

Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25301
Location: The netherlands

Posted: Tue Apr 03, 2012 9:22 pm

You can do a "find out what addresses this instruction accesses" to find out what other addresses it accesses, and use that as a starting point to find a way to distinguish between the address you need and the ones you do not.

The "S" in "more info" and the above function will show the view of the stack at the time it was called.

Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 9:28 pm

"find out what addresses this instruction accesses"
Here is the problem. When I try to do that, since this game uses Lua, trillions of codes pop up, making it impossible to know which one of the millions is the address of the enemy.
So I wanted to know how mgr.inz.Player came to know the enemy address. What steps did he follow to find the enemy's address?

Once I get the enemy address, the rest is not that difficult.

mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Tue Apr 03, 2012 9:34 pm

"Did you manually check them?"
I compared the player/hero structure with the enemy structure.

I compared the above structures (hero/enemy) with many other structures/garbage.

I used the Cheat Engine "dissect data/structures" (add extra address, add new group).

As for stack compares: I dumped the stack for the "hero health call" like 10000 times. I wrote an assembler procedure: every time, take the first 256 bytes from the stack and append them to an array. Then I saved that array to file1 (CE save memory region). I restarted the PC and made another file, file1_1. Then I concatenated both files.

Then I analyzed what the file contains. At offsets
0x0000, 0x0100, 0x0200, 0x0300, ..., I always had 0x00000000 (integer, 4 bytes).

At offsets
0x0068, 0x0168, 0x0268, 0x0368, ..., I always had 0x00000001 (integer, 4 bytes).

Edit:

I used "find out what accesses this address" and "S" in "more info". But that was only the beginning. Then I made that "stack dumper procedure".

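The manual analysis mgr.inz.Player describes above (scan a file of concatenated 256-byte stack snapshots for offsets that always hold the same dword, which become the `cmp [esp+XX],YY` checks from the earlier post) can be automated. The following Python script is an added example, not code from this thread or from Cheat Engine. It assumes the dump layout from the post (consecutive 256-byte records, little-endian dwords) and runs on a constructed sample blob rather than a real game dump. It reports every 4-byte-aligned offset whose value is identical in all snapshots, then shows why such checks are "necessary but not sufficient": an unrelated snapshot that happens to carry the same values passes them too, which is exactly the situation the structure checks in the earlier post are meant to resolve.

```python
import random
import struct
from typing import Dict, List, Sequence

SNAPSHOT_SIZE = 256  # bytes copied from the top of the stack per hit, as in the post


def split_snapshots(blob: bytes, size: int = SNAPSHOT_SIZE) -> List[bytes]:
    """Cut a concatenated dump file (file1 + file1_1) into fixed-size records."""
    if len(blob) % size:
        raise ValueError(f"dump length {len(blob)} is not a multiple of {size}")
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def dword_at(snapshot: bytes, offset: int) -> int:
    """Little-endian 32-bit read, i.e. what 'cmp dword ptr [esp+XX],YY' compares."""
    return struct.unpack_from("<I", snapshot, offset)[0]


def invariant_dwords(snapshots: Sequence[bytes]) -> Dict[int, int]:
    """Offsets (4-byte aligned) whose dword is identical in every snapshot.

    These are the candidate stack checks: a value that never changes across
    thousands of genuine hits is a necessary condition for the call.
    """
    if not snapshots:
        return {}
    found: Dict[int, int] = {}
    for off in range(0, len(snapshots[0]) - 3, 4):
        value = dword_at(snapshots[0], off)
        if all(dword_at(s, off) == value for s in snapshots[1:]):
            found[off] = value
    return found


def passes(snapshot: bytes, checks: Dict[int, int]) -> bool:
    """Apply the derived stack checks to one snapshot (all of them must hold)."""
    return all(dword_at(snapshot, off) == val for off, val in checks.items())


def constructed_snapshot(planted: Dict[int, int], seed: int) -> bytes:
    """CONSTRUCTED sample: random filler with a few dwords planted at known offsets.
    A real dump would be the bytes the stack-dumper procedure appended per hit."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(SNAPSHOT_SIZE))
    for off, val in planted.items():
        struct.pack_into("<I", buf, off, val)
    return bytes(buf)


def demo() -> dict:
    # 200 constructed "hero health" hits: [esp+00] == 0 and [esp+68] == 1 every time,
    # everything else varies from hit to hit.
    hero_blob = b"".join(constructed_snapshot({0x00: 0, 0x68: 1}, seed=i) for i in range(200))
    hero = split_snapshots(hero_blob)
    checks = invariant_dwords(hero)

    # An "enemy health" hit differs only at +68, so the checks reject it.
    # An unrelated caller can by chance carry the same two dwords, so the checks
    # accept it as well: necessary but not sufficient.
    enemy = constructed_snapshot({0x00: 0, 0x68: 0}, seed=1000)
    lookalike = constructed_snapshot({0x00: 0, 0x68: 1}, seed=2000)
    return {
        "checks": checks,
        "hero_all_pass": all(passes(s, checks) for s in hero),
        "enemy_passes": passes(enemy, checks),
        "lookalike_passes": passes(lookalike, checks),
    }


if __name__ == "__main__":
    result = demo()
    for off, val in sorted(result["checks"].items()):
        print(f"[esp+{off:02x}] == {val:#x}")
    print(result)
```

On a real dump you would read the file with `open(path, "rb").read()`, pass it through `split_snapshots` and `invariant_dwords`, and turn each reported offset/value pair into one compare instruction. The `lookalike` case is the reason the filter alone is not a classifier: once the stack checks have cut the hits down, a structure check on the accessed address (as in the earlier post) is what separates the remaining candidates.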
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 9:41 pm

"I wrote an assembler procedure: every time, take the first 256 bytes from the stack and append them to an array. Then I saved that array to file1 (CE save memory region). I restarted the PC and made another file, file1_1. Then I concatenated both files."

And "then I made that 'stack dumper procedure'."

Can I have a blueprint of these procedures?

mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Tue Apr 03, 2012 9:51 pm

Unfortunately, I do not have it anymore. It was an autoassembler script.

It was something with "repe movsd", counters, loops. Of course, I allocated some memory before I launched the autoassembler script (CE "Tools -> Allocate memory"). You can of course use alloc(newmemforstackdumps,XXXXXX) and registersymbol(newmemforstackdumps).

Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 10:07 pm

No problem; anyway, you are going to make a trainer for Painkiller. Then I will have the opportunity to learn from you.

But how did you find the enemy's health address?

mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Tue Apr 03, 2012 10:26 pm

Freiza wrote:
But how did you find the enemy's health address?

Because, at the beginning, I made only the stack check ("find out what accesses this address"):
"S" in "more info", print screen, game restart,
"S" in "more info", print screen. Look at both images.

I immediately noticed that zero at the top of the stack is "necessary but not sufficient".

Code:

(...)
cmp dword ptr [esp+0],0
jne exit

//yay, I have found it, let's try...
mov [store_ebx],ebx
lea ebx,[ebp+00]             // <- "find out what addresses this instruction accesses"
mov ebx,[store_ebx]

(...)
exit:
jmp return
(...)

After playing with the above for a while: nope, "cmp dword ptr [esp+0],0" isn't enough.
But from millions of hits, it dropped to only several dozen.

EDIT:
OK, PAINKILLER

Look at the stack. For health calls, it always has this:

[esp+18] == 0x3 (dword)
[esp+44] == 0x70 (dword)
[esp+4c] == 0x7 (dword)

Of course, the above is only "necessary but not sufficient",

but you can use it to filter out some things.

Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

Posted: Tue Apr 03, 2012 10:35 pm

I am trying to make a stack trace script.
After I complete it I will come to you for corrections. Is it okay? (But the only problem is that I am not a pro like you, so expect stupid, erroneous code.)

And your strategy is a killer. Definitely a +rep. But I have just +rep'd DB, and will give you one as soon as the countdown expires. (Though I know you don't care about it, it will give me happiness.)

Thank you

Edit:
So fast. What did you do, made a script for logging the stack?

Page 1 of 3