Freiza | Posted: Tue Apr 03, 2012 11:13 am | Post subject: Does somebody have any info on how to hack Painkiller?
Does somebody have any info on how to hack Painkiller?
Dark Byte (Site Admin) | Posted: Tue Apr 03, 2012 2:24 pm
Find health (I believe it's a double), and then set the value extremely high.
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
Freiza | Posted: Tue Apr 03, 2012 2:31 pm
Yes, I know that. But I am unable to find the player ID for it, since each code accesses millions of useless addresses, and I find no ID that uniquely identifies the player's health.
But I am trying my best to circumvent it.
Pointer scan is also not working. I tried to back-trace until my nerves gave out, but reached no conclusion.
mgr.inz.Player | Posted: Tue Apr 03, 2012 6:50 pm
Painkiller uses Lua. (You must use many checks: structure and stack ones.)
I could try to make a trainer for this game. I have Painkiller v1.64.
Stay tuned.
Freiza | Posted: Tue Apr 03, 2012 7:05 pm
Regarding "you must use many checks: structure and stack ones":
What do you mean by this?
I would love to learn to hack this game.
Thank you.
mgr.inz.Player | Posted: Tue Apr 03, 2012 8:36 pm
http://forum.cheatengine.org/viewtopic.php?p=5184681#5184681
Stack checks:
cmp [esp+XX],YY
or
cmp [ebp+XX],YY
(as you know, the ESP register is the Extended Stack Pointer)
For example, for Bionic Commando: if [esp] is not zero (cmp [esp],0), we definitely have a wrong call. If it is equal to zero, it may be a good or a wrong call.
If [esp+68] is equal to 1, we have the "player health call".
If [esp+68] is equal to 0, we have the "enemy health call".
But this is not enough. There are many wrong calls with zero at the top of the stack (esp+0) and 1 at esp+68:
[esp+00] == 0
[esp+68] == 1
We need a player structure check. The player structure has a few characteristic pointers; as you can see, we can do two checks:
[address+10] == address + 64
[address+24] == address + 78
The third check is (the above screenshot doesn't show it):
[address+b0] == address + 50
Finally:
if ([esp+00] == 0) && ([esp+68] == 1) && ([address+10] == address + 64) && ([address+24] == address + 78) && ([address+b0] == address + 50) then this is the "player health" call.
if ([esp+00] == 0) && ([esp+68] == 0) && ([address+10] == address + 64) && ([address+24] == address + 78) && ([address+b0] == address + 50) then this is the "enemy health" call.
Bionic Commando uses Lua.
Freiza | Posted: Tue Apr 03, 2012 9:00 pm
"There are many calls with zero at the top of the stack (esp+0) and 1 at esp+68."
How did you come to know that there are many calls similar to yours? Did you check them manually? Or is there some other method that I don't know?
And what is a stack trace?
Dark Byte (Site Admin) | Posted: Tue Apr 03, 2012 9:22 pm
You can do a "find out what addresses this instruction accesses" to find out what other addresses it accesses, and use that as a starting point to find a way to distinguish between the address you need and the ones you do not.
The "S" in "more info" and the above function will show the view of the stack at the time it was called.
Freiza | Posted: Tue Apr 03, 2012 9:28 pm
"find out what addresses this instruction accesses"
Here is the problem. When I try to do that, since this game uses Lua, trillions of codes pop up, making it impossible to know which one of the millions is the address of the enemy.
So I wanted to know how mgr.inz.Player came to know the enemy address, and what steps he followed to find it.
Once I get the enemy address, the rest is not that difficult.
mgr.inz.Player | Posted: Tue Apr 03, 2012 9:34 pm
"Did you check them manually?"
I compared the player/hero structure with the enemy structure.
I compared the above structures (hero/enemy) with many other structures/garbage.
I used Cheat Engine's "dissect data/structures" (add extra address, add new group).
As for the stack compares: I dumped the stack for the "hero health call" about 10000 times. I wrote an assembler procedure - every time, take the first 256 bytes from the stack and append them to an array. Then I saved that array to file1 (CE "save memory region"). I restarted the PC and made another file, file1_1. Then I concatenated both files.
Then I analyzed what the file contains. At offsets:
0x0000, 0x0100, 0x0200, 0x0300, ..., I always had 0x00000000 (integer, 4 bytes)
At offsets:
0x0068, 0x0168, 0x0268, 0x0368, ..., I always had 0x00000001 (integer, 4 bytes)
Edit:
I used "find out what accesses this address" and "S" in "more info". But that was only the beginning. Then I made that "stack dumper procedure".
Freiza | Posted: Tue Apr 03, 2012 9:41 pm
mgr.inz.Player wrote: | I wrote an assembler procedure - every time, take the first 256 bytes from the stack and append them to an array. Then I saved that array to file1 (CE "save memory region"). I restarted the PC and made another file, file1_1. Then I concatenated both files. |
and: | Then I made that "stack dumper procedure". |
Can I have a blueprint of these procedures?
mgr.inz.Player | Posted: Tue Apr 03, 2012 9:51 pm
Unfortunately, I do not have it anymore. It was an auto-assembler script.
It was something with "repe movsd", counters and loops. Of course, I allocated some memory before I launched the auto-assembler script (CE "Tools -> Allocate memory"). You can of course use alloc(newmemforstackdumps,XXXXXX) and registersymbol(newmemforstackdumps) instead.
Freiza | Posted: Tue Apr 03, 2012 10:07 pm
No problem; anyway, you are going to make a trainer for Painkiller, so I will have the opportunity to learn from you.
But how did you find the enemy's health address?
mgr.inz.Player | Posted: Tue Apr 03, 2012 10:26 pm
Freiza wrote: | But how did you find the enemy's health address? |
Because, at the beginning, I made only the stack check ("find out what accesses this address"):
"S" in "more info", print screen, game restart,
"S" in "more info", print screen. Look at both images.
I immediately noticed that zero at the top of the stack is "necessary but not sufficient".
Code: |
(...)
cmp dword ptr [esp+0],0
jne exit
// yay, I have found it, let's try...
mov [store_ebx],ebx
lea ebx,[ebp+00] // <- run "find out what addresses this instruction accesses" on this line
mov ebx,[store_ebx]
(...)
exit:
jmp return
(...)
|
After playing with the above for a while: nope, "cmp dword ptr [esp+0],0" isn't enough.
But from millions of hits, it dropped to only several dozen.
EDIT:
OK, PAINKILLER
Look at the stack. For health calls, it always has this:
[esp+18] == 0x3 (dword)
[esp+44] == 0x70 (dword)
[esp+4c] == 0x7 (dword)
Of course, the above is only "necessary but not sufficient",
but you can use it to filter out some things.
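The offline part of the method described in this thread, as an added Python example that is not code from the thread or from Cheat Engine: the stack-dump analysis mgr.inz.Player describes (dump the first 256 bytes of the stack at the health instruction thousands of times, concatenate the dumps, then look for offsets whose dword never changes) and the two-part filter from the Bionic Commando post (a stack signature plus self-referential pointers in the candidate structure), re-checked here against the Painkiller constants quoted above. It assumes the dump format the thread describes (32-bit process, little-endian, 256 bytes per snapshot) and a raw byte dump of the candidate object whose base address is known. All snapshots and the object are constructed in the script; the fixed offsets are taken from the values quoted in the thread and are not captured from the game. The runtime cmp [esp+XX],YY and [address+XX] == address+YY checks themselves still belong in the auto-assembler script; this is the analysis that tells you which ones to write.

```python
"""Derive stack-check and structure-check signatures from raw dumps.

Added example for the thread above; not code posted by anyone in it.
Assumptions: 32-bit little-endian process, 256-byte stack snapshots
concatenated back to back (the format described in the thread), and a
raw dump of a candidate object with a known base address.
"""
import struct

FRAME = 0x100  # bytes copied from ESP per snapshot


def _noise(i: int, off: int) -> int:
    # Deterministic filler for constructed snapshots. For a fixed offset it
    # is distinct across snapshots (odd multiplier => bijection mod 2**32),
    # so only deliberately fixed offsets can come out constant.
    return (i * 0x9E3779B1 + off * 0x85EBCA6B + 0x1234567) & 0xFFFFFFFF


def build_stack_dumps(n: int, fixed: dict) -> bytes:
    """Construct n snapshots; `fixed` = {offset: dword} present in all."""
    out = bytearray()
    for i in range(n):
        frame = bytearray(FRAME)
        for off in range(0, FRAME, 4):
            struct.pack_into("<I", frame, off, fixed.get(off, _noise(i, off)))
        out += frame
    return bytes(out)


def constant_dwords(blob: bytes, frame: int = FRAME) -> dict:
    """{offset: value} for every 4-byte-aligned offset whose dword is the
    same in every snapshot. With thousands of snapshots (ideally from more
    than one game session) the survivors are the 'necessary' conditions."""
    if len(blob) == 0 or len(blob) % frame:
        raise ValueError("blob must be a non-empty whole number of frames")
    n = len(blob) // frame
    found = {}
    for off in range(0, frame, 4):
        first = struct.unpack_from("<I", blob, off)[0]
        if all(struct.unpack_from("<I", blob, k * frame + off)[0] == first
               for k in range(1, n)):
            found[off] = first
    return found


def stack_matches(frame_bytes: bytes, signature: dict) -> bool:
    """The runtime stack check: cmp [esp+off],value for each entry."""
    return all(struct.unpack_from("<I", frame_bytes, off)[0] == val
               for off, val in signature.items())


def self_pointers(obj: bytes, base: int) -> dict:
    """{offset: target_offset} for dword fields pointing back inside the
    object, i.e. [base+off] == base+target: the 'characteristic pointers'
    a structure check keys on."""
    found = {}
    for off in range(0, len(obj) - 3, 4):
        val = struct.unpack_from("<I", obj, off)[0]
        if base <= val < base + len(obj):
            found[off] = val - base
    return found


def structure_matches(obj: bytes, base: int, signature: dict) -> bool:
    """The runtime structure check: [base+off] == base+target for each entry."""
    return all(struct.unpack_from("<I", obj, off)[0] == base + tgt
               for off, tgt in signature.items())


def build_object(base: int, size: int, pointers: dict) -> bytes:
    """Construct an object dump: self-pointers at `pointers`, small
    non-pointer integers (< 0x10000, so never inside the object) elsewhere."""
    buf = bytearray(size)
    for off in range(0, size, 4):
        if off in pointers:
            struct.pack_into("<I", buf, off, base + pointers[off])
        else:
            struct.pack_into("<I", buf, off, (off * 7 + 1) & 0xFFFF)
    return bytes(buf)


# Constructed sample data: offsets/values quoted in the thread, not captured.
PAINKILLER_STACK = {0x00: 0x0, 0x18: 0x3, 0x44: 0x70, 0x4C: 0x7}
PLAYER_STRUCT = {0x10: 0x64, 0x24: 0x78, 0xB0: 0x50}
BASE = 0x0ABC1000  # hypothetical object address


def demo() -> dict:
    blob = build_stack_dumps(2000, PAINKILLER_STACK)
    derived = constant_dwords(blob)  # recovers PAINKILLER_STACK
    player = build_object(BASE, 0x100, PLAYER_STRUCT)
    garbage = build_object(BASE, 0x100, {0x10: 0x64})  # passes one check only
    frame = blob[:FRAME]
    return {
        "stack_signature": derived,
        "player_pointers": self_pointers(player, BASE),
        "player_ok": stack_matches(frame, derived) and structure_matches(player, BASE, PLAYER_STRUCT),
        "garbage_ok": stack_matches(frame, derived) and structure_matches(garbage, BASE, PLAYER_STRUCT),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The "garbage" object in demo() is the point of the thread's "necessary but not sufficient" remark: it sits behind a stack frame that passes every cmp [esp+XX],YY test, and only the structure check rejects it. Concatenating dumps from more than one session matters for the same reason: a value that happens to be constant within one run (a pointer to the same stack frame, a frame count) is noise, and a second run lets constant_dwords() drop it.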
Freiza | Posted: Tue Apr 03, 2012 10:35 pm
I am trying to make a stack trace script.
After I complete it, I will come to you for corrections. Is that okay? (The only problem is that I am not a pro like you, so expect stupid, erroneous code.)
And your strategy is a killer. Definitely a +rep. But I have just +repped DB, and I will give you one as soon as the countdown expires. (Though I know you don't care about it, it will give me happiness.)
Thank you.
Edit:
So fast. What did you do, make a script for logging the stack?