vergilganesh Expert Cheater Reputation: 0
Joined: 01 Jul 2013 Posts: 134 Location: India
Posted: Thu Sep 05, 2013 9:58 am Post subject: [Tutorial] Advanced CHEAT for Shank 2 v1.0.0 Part 2
This is the second part of the Shank 2 cheat.
It is mainly done on the principle of single-player survival mode.
INFINITE GRENADE
Just fill the grenade bar and do a 4-byte exact scan for the value 3. Throw a grenade and next-scan for 2. Throw another grenade and next-scan for 1. You will find one value. Right-click it, choose "what writes to this address", and note that instruction.
Note that the code just above it is a dec instruction. Just nop it to make the cheat, or use the code below.
Code:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
originalcode:
mov [esi+4C],03       // write a constant 3 instead of the decremented eax, so the count never drops
mov ecx,[esp+18]
exit:
jmp returnhere
"Shank2.exe"+13FECA:
jmp newmem            // 5-byte jmp plus 3 nops covers the 8 original bytes
nop
nop
nop
returnhere:
[DISABLE]
dealloc(newmem)
"Shank2.exe"+13FECA:
dec eax               // original instructions restored
mov [esi+4C],eax
mov ecx,[esp+18]
//Alt: db 48 89 46 4C 8B 4C 24 18
ITEM HACK
There are two different ways to make an item cheat: the first is no decrease of experience points, the second is instant items. Scan for the points and use "what writes to this address" to find the correct instruction, then nop it. The second cheat is done by repeated scanning: find the time counter value with the "value between" option on the Float data type.
Then we rewrite this code:
Code:
[ENABLE]
004D6032:
db 90 90 90           // nop out the 3-byte "sub [ebx+50],eax" so the points are never decreased
alloc(newmem,2048) //2kb should be enough
alloc(val,12)
label(returnhere)
label(originalcode)
label(exit)
val:
dd (float)0.5         // multiplier applied to the timer step
newmem:
fmul dword ptr [val]  // scale st(0) before the original subtraction
originalcode:
fsub dword ptr [ebp+08]
fstp dword ptr [ecx+10]
exit:
jmp returnhere
"Shank2.exe"+D5970:
jmp newmem            // 5-byte jmp plus 1 nop covers the 6 original bytes
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
dealloc(val)          // release the multiplier cell as well
"Shank2.exe"+D5970:
fsub dword ptr [ebp+08]
fstp dword ptr [ecx+10]
004D6032:
sub [ebx+50],eax      // original decrease restored
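The grenade and item sections both rely on the same Cheat Engine workflow: a first scan over every aligned 4-byte slot (exact value, or "value between" for floats), then repeated next scans that keep only candidates whose value moved the way the game state did (3, then 2, then 1; or a timer that keeps decreasing). The block below is an added example, not part of the original post or of Cheat Engine, that implements that narrowing over a constructed 256-byte memory image. The offsets (0x40 for the grenade count, 0x80 for the float timer), the decoy values and the 4-byte alignment are all assumptions made for the example.

```python
import struct

INT32 = "<i"     # 4-byte signed little-endian (Cheat Engine's "4 Bytes" type)
FLOAT32 = "<f"   # IEEE-754 single (Cheat Engine's "Float" type)


def read(mem, off, fmt=INT32):
    """Decode one value of type `fmt` at byte offset `off`."""
    return struct.unpack_from(fmt, mem, off)[0]


def exact_scan(mem, value, fmt=INT32, step=4):
    """First scan: every `step`-aligned slot whose bytes equal `value` is a candidate."""
    size = struct.calcsize(fmt)
    pattern = struct.pack(fmt, value)
    return [off for off in range(0, len(mem) - size + 1, step)
            if mem[off:off + size] == pattern]


def between_scan(mem, lo, hi, fmt=FLOAT32, step=4):
    """First scan with 'value between': keeps slots decoding to lo <= x <= hi (NaN never passes)."""
    size = struct.calcsize(fmt)
    return [off for off in range(0, len(mem) - size + 1, step)
            if lo <= read(mem, off, fmt) <= hi]


def next_scan(mem, candidates, keep, fmt=INT32):
    """Next scan: keep only candidates whose current value satisfies `keep`."""
    return [off for off in candidates if keep(read(mem, off, fmt))]


def next_scan_decreased(prev, cur, candidates, fmt=FLOAT32):
    """Next scan with 'decreased value': compare each candidate against the previous snapshot."""
    return [off for off in candidates if read(cur, off, fmt) < read(prev, off, fmt)]


def narrow_exact(snapshots, values, fmt=INT32):
    """Exact scan for values[0], then next-scan each later snapshot for values[i]."""
    cands = exact_scan(snapshots[0], values[0], fmt)
    for mem, want in zip(snapshots[1:], values[1:]):
        cands = next_scan(mem, cands, lambda x, want=want: x == want, fmt)
    return cands


def build_snapshot(grenades, timer, decoy_ints, decoy_float):
    """Constructed stand-in for a process memory snapshot (assumed layout, not the game's)."""
    mem = bytearray(256)
    struct.pack_into(INT32, mem, 0x40, grenades)      # assumed: real grenade counter
    struct.pack_into(FLOAT32, mem, 0x80, timer)       # assumed: real float timer
    struct.pack_into(FLOAT32, mem, 0xA0, decoy_float)  # a float that never changes
    for off, val in decoy_ints.items():               # ints that happen to share values
        struct.pack_into(INT32, mem, off, val)
    return mem


def constructed_snapshots():
    """Three constructed snapshots: bar full, after the 1st throw, after the 2nd throw."""
    return [
        build_snapshot(3, 45.5, {0x10: 3, 0x20: 3, 0x30: 7}, 30.0),
        build_snapshot(2, 44.0, {0x10: 3, 0x20: 2, 0x30: 7}, 30.0),
        build_snapshot(1, 42.25, {0x10: 3, 0x20: 2, 0x30: 7}, 30.0),
    ]


def grenade_narrowing():
    """Returns (first-scan hits for 3, survivors after next-scanning 2 then 1)."""
    snaps = constructed_snapshots()
    return exact_scan(snaps[0], 3), narrow_exact(snaps, [3, 2, 1])


def timer_narrowing():
    """'Value between' 1.0..60.0 on floats, then keep only addresses that decreased each time."""
    snaps = constructed_snapshots()
    cands = between_scan(snaps[0], 1.0, 60.0)
    for prev, cur in zip(snaps, snaps[1:]):
        cands = next_scan_decreased(prev, cur, cands)
    return cands


if __name__ == "__main__":
    first, final = grenade_narrowing()
    print("exact scan for 3:", [hex(o) for o in first])
    print("after 2 then 1:  ", [hex(o) for o in final])
    print("decreasing float:", [hex(o) for o in timer_narrowing()])
```

The decoy at 0x20 survives the first next scan (it also reads 2) and is only dropped by the third snapshot, which is why the post throws a second grenade rather than stopping after one next scan; the constant float at 0xA0 passes the "value between" scan and is removed only by the "decreased value" filter.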
POINTS
Just use 4-byte exact value scanning to find the correct value and addresses. There are two addresses, and the game crashes if the two differ. So the idea is to multiply by a number in one instruction, then copy the same value into the other instruction.
Then we write the code as below:
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
alloc(val,12)         // shared cell that keeps both addresses in agreement
label(returnhere)
label(originalcode)
label(exit)
newmem:
imul edi,edi,05       // multiply the points increment by 5
originalcode:
mov ecx,[esi+08]
add [esi+50],edi
mov eax,[esi+50]      // copy the new total into val for the second hook
mov [val],eax
exit:
jmp returnhere
"Shank2.exe"+D645E:
jmp newmem            // 5-byte jmp plus 1 nop covers the 6 original bytes
nop
returnhere:
alloc(newmem1,2048) //2kb should be enough
label(returnhere1)
label(originalcode1)
label(exit1)
newmem1:
mov ecx,[val]         // replaces "add ecx,[edx+14]" with the value saved above
originalcode1:
mov eax,[ebp-30]
exit1:
jmp returnhere1
"Shank2.exe"+36759E:
jmp newmem1           // 5-byte jmp plus 1 nop covers the 6 original bytes
nop
returnhere1:
[DISABLE]
dealloc(newmem)
dealloc(val)
"Shank2.exe"+D645E:
mov ecx,[esi+08]
add [esi+50],edi
dealloc(newmem1)
"Shank2.exe"+36759E:
add ecx,[edx+14]
mov eax,[ebp-30]
//Alt: db 03 4A 14 8B 45 D0
HITS
Hits are 4-byte values. Pause the game and search with an exact value. There are two values, but the main problem is that the hit counter is only displayed after the 3rd hit: it is only shown at 4 and increases from there.
So try to make an exception while the hit count is under 4. There are two addresses, and the game crashes if the two differ. So the idea is to mov a number in one instruction, then copy the same value into the other instruction.
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
alloc(val,12)         // shared cell that keeps both addresses in agreement
label(returnhere)
label(next)
label(originalcode)
label(exit)
newmem:
originalcode:
mov ecx,[eax+24]
cmp ecx,04            // exception: leave the counter alone while it is 4 or below
jle next
mov ecx,(int)99999    // above 4, force a fixed hit count
next:
mov edi,eax
mov [val],ecx         // save the count for the second hook
exit:
jmp returnhere
"Shank2.exe"+13DD2B:
jmp newmem            // 5-byte jmp plus 1 nop covers the 6 original bytes
nop
returnhere:
alloc(newmem1,2048) //2kb should be enough
label(returnhere1)
label(originalcode1)
label(exit1)
newmem1:
originalcode1:
mov edx,[val]         // write the same count to the second address
mov [ecx+58],edx
mov eax,[ebp+0C]
exit1:
jmp returnhere1
"Shank2.exe"+3307FA:
jmp newmem1           // 5-byte jmp plus 1 nop covers the 6 original bytes
nop
returnhere1:
[DISABLE]
dealloc(newmem1)
"Shank2.exe"+3307FA:
mov [ecx+58],edx
mov eax,[ebp+0C]
//Alt: db 89 51 58 8B 45 0C
dealloc(newmem)
dealloc(val)
"Shank2.exe"+13DD2B:
mov ecx,[eax+24]
inc ecx
mov edi,eax
BULLETS
Just nop the dec instruction.
Thank you.
Click here for the next part:
http://forum.cheatengine.org/viewtopic.php?t=567955