Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Map hack/reveal,insta build Yuri's Revenge(Mental Omega 3.0)
jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Fri Nov 29, 2013 11:33 pm    Post subject: Map hack/reveal,insta build Yuri's Revenge(Mental Omega 3.0)

Hei!

I've been looking all over the web and this forum as well for a good tutorial on how to reveal map and instant build for buildings. Now gameplayer made a table for RAII and YR which has everything except map reveal. Unfortunately some of the options like those mentioned above don't work with the mod I'm playing: Mental Omega 3.0.

Long story short, *would you kindly teach me how.

Much obliged from Norway :)

*reference from Bioshock I
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Sat Nov 30, 2013 7:40 am    Post subject: Re: Map hack/reveal,insta build Yuri's Revenge(Mental Omega

jonny1980 wrote:
would you kindly teach me how.
But of course, dearest of all my friends. (Crap to think I hacked a game for the sake of making a stupid joke).
Do note that I do not have Red Alert 2 or Yuri's Revenge, so I hacked Tiberium Wars (same game engine).

Fast stuff first: for instant build look for a timer (a value that keeps increasing or decreasing as long as the build goes on), then apply what's in Cheat Engine's tutorial, step 9.

Now for the map revealing, well. Basically there are 3 ways of making this hack:
A-Unlimited sight range, basically edit a unit's sight range and set it to a huge value, I suggest using mod tools for that.
B-The omniscient way: basically marks all cells as explored. Somewhere it's written:
cell 0,0: hidden
cell 0,1: hidden
cell 0,2: explored
....
Problem is that each of those variables only change once per game session (unless the game supports fog of war), and you don't know how many bytes there are between each cell property, but the spacing is regular.
C-The all seeing camera: a camera that renders cells even if they aren't explored. Same as type B, but just for the array that stores whether a cell should be rendered onscreen or not.

The easiest way to find cell properties is to make use of the fog of war: explore one cell, search for an unknown initial value, type byte, wait until the FoW takes the cell back, filter with changed value, explore the cell again, changed value, add a few unchanged value filterings in between and you should be set.
Me I was an idiot and thought "fog of war on/off" in this game meant "whole map revealed on/off", so I did it the hard way: I tried to find directly the explored Yes/No array. I assumed there was no spacing, so I scanned for an unknown initial value 8 byte variable that changed each time I moved a unit by one cell in one direction (bottom-left to top-right diagonal). Given this game uses 2 bytes per cell data it allows for 4 "changed" scans (I thought I'd have 8 ). Much to my shame what I actually found was the "cell rendered on/off" array for type C revealers...

Anyway when you suspect a result might be the good one, right click on it->browse memory region. If you see a repeated motif (I had a lot of 7F 00 7F 00 7F 00...) it's a good sign. Explore one more cell in that direction and see if a byte goes red in the memory viewer. If yes you likely hit the jackpot. After that "find out what accesses..." one such byte and make it so the game always writes those bytes into "explored" state, or overwrite whatever it reads with the "explored" state.

For this specific game, 0x7F means that a cell is explored AND onscreen, 0x0 off screen and fog of war is turned off, 0x3, offscreen but fog of war is turned on. So if you scroll the camera and see your memory viewer PROGRESSIVELY fill with red as you move the camera, you probably have found the right spot.

With that I made a type C revealer by taking that:
Code:
GAME.ICD+525C5 - 45                    - inc ebp
GAME.ICD+525C6 - 80 FA FE              - cmp dl,-02
GAME.ICD+525C9 - 74 07                 - je GAME.ICD+525D2
GAME.ICD+525CB - 66 0FB6 D2            - movzx dx,dl
GAME.ICD+525CF - 66 89 10              - mov [eax],dx <-this is what wrote the cell properties when I move the camera over it
GAME.ICD+525D2 - 83 C0 02              - add eax,02
GAME.ICD+525D5 - 4E                    - dec esi
GAME.ICD+525D6 - 75 EA                 - jne GAME.ICD+525C2
GAME.ICD+525D8 - 8B 74 24 1C           - mov esi,[esp+1C]
GAME.ICD+525DC - 8B 54 24 20           - mov edx,[esp+20]
which I turned into:
Code:
GAME.ICD+525C5 - 45                    - inc ebp
GAME.ICD+525C6 - 80 FA FE              - cmp dl,-02
GAME.ICD+525C9 - 74 07                 - je GAME.ICD+525D2
GAME.ICD+525CB - 66 C7 00 7F00         - mov word ptr [eax],007F <-set cell to "explored" state
GAME.ICD+525D0 - 90                    - nop <-padding
GAME.ICD+525D1 - 90                    - nop <-padding
GAME.ICD+525D2 - 83 C0 02              - add eax,02
GAME.ICD+525D5 - 4E                    - dec esi
GAME.ICD+525D6 - 75 EA                 - jne GAME.ICD+525C2
GAME.ICD+525D8 - 8B 74 24 1C           - mov esi,[esp+1C]
GAME.ICD+525DC - 8B 54 24 20           - mov edx,[esp+20]
It has the slight flaw of displaying a black border every screenful of terrain when you pan the camera, but it's good enough.

Digging a bit where the dx comes from I made what I think is a type B revealer, at least it doesn't show black borders and map stays revealed even if I turn the hack off.
Code:
GAME.ICD+525BE - 7D 18                 - jnl GAME.ICD+525D8
GAME.ICD+525C0 - 2B F2                 - sub esi,edx
GAME.ICD+525C2 - 8A 55 00              - mov dl,[ebp+00]  <-...and dl comes from [ebp], if you do an auto assembler script that does "mov byte [ebp],7f" just above, you do not get black borders anymore.
GAME.ICD+525C5 - 45                    - inc ebp
GAME.ICD+525C6 - 80 FA FE              - cmp dl,-02
GAME.ICD+525C9 - 74 07                 - je GAME.ICD+525D2
GAME.ICD+525CB - 66 0FB6 D2            - movzx dx,dl <-so dx comes from dl....
GAME.ICD+525CF - 66 89 10              - mov [eax],dx <-this is what wrote the cell properties when I move the camera over it

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
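
A defender's view of the first two listings in the post above, as an added example that is not part of the original thread: an integrity check diffs a live snapshot of the code region against a known-good copy and reports each modified run, counting 0x90 bytes because NOP padding is typical of an in-place instruction overwrite. The byte arrays are transcribed from the posted listings (GAME.ICD+525C5 through +525D7); `find_patch_runs`, `struct patch_run` and `REGION_RVA` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One contiguous run of bytes that differs from the known-good baseline. */
struct patch_run {
    size_t offset;  /* offset of the first modified byte in the region */
    size_t length;  /* number of consecutive modified bytes */
    size_t nops;    /* modified bytes that are now 0x90 (NOP padding) */
};

/* Diff a live snapshot of a code region against its baseline.
 * Stores up to max_runs runs and returns the total number found. */
size_t find_patch_runs(const uint8_t *baseline, const uint8_t *live,
                       size_t len, struct patch_run *runs, size_t max_runs)
{
    size_t count = 0, i = 0;
    while (i < len) {
        if (baseline[i] == live[i]) { i++; continue; }
        struct patch_run r = { i, 0, 0 };
        while (i < len && baseline[i] != live[i]) {
            if (live[i] == 0x90) r.nops++;
            r.length++;
            i++;
        }
        if (count < max_runs) runs[count] = r;
        count++;
    }
    return count;
}

/* RVA of the first byte of the region inside GAME.ICD (from the post). */
#define REGION_RVA 0x525C5u

/* Original bytes, transcribed from the first listing in the post. */
static const uint8_t BASELINE[] = {
    0x45, 0x80, 0xFA, 0xFE, 0x74, 0x07,       /* inc ebp; cmp dl,-02; je */
    0x66, 0x0F, 0xB6, 0xD2, 0x66, 0x89, 0x10, /* movzx dx,dl; mov [eax],dx */
    0x83, 0xC0, 0x02, 0x4E, 0x75, 0xEA        /* add eax,02; dec esi; jne */
};

/* Patched bytes, transcribed from the second listing in the post. */
static const uint8_t PATCHED[] = {
    0x45, 0x80, 0xFA, 0xFE, 0x74, 0x07,
    0x66, 0xC7, 0x00, 0x7F, 0x00, 0x90, 0x90, /* mov word ptr [eax],007F; nop; nop */
    0x83, 0xC0, 0x02, 0x4E, 0x75, 0xEA
};

int main(void)
{
    struct patch_run runs[8];
    size_t n = find_patch_runs(BASELINE, PATCHED, sizeof BASELINE, runs, 8);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("modified: GAME.ICD+%X, %zu bytes, %zu NOP(s)\n",
               (unsigned)(REGION_RVA + runs[k].offset),
               runs[k].length, runs[k].nops);
    return n ? 1 : 0;  /* non-zero exit when the region was tampered with */
}
```

The reported run starts at GAME.ICD+525CC rather than at the instruction boundary +525CB, because the original and the replacement instruction share the same 0x66 operand-size prefix; a reporting tool should round a run back to the enclosing instruction before showing it to an analyst.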
jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Sun Dec 01, 2013 2:49 pm

Firstly, thank you very much for your time! :) Secondly I feel like I don't understand a single word here, and I completed tutorial on C.E.

However I'm gonna try really hard to figure it out, because I really wanna learn to hack games, cause it gives so much more fun playing.

Last but not least I'd like to thank every hacker out there cause it really makes me glad that there are people who help each other just because they can, and not for something material worldly thing.

Ok, here's what I found out: firstly there is no fog of war in RA II or its expansions. There is only shroud. That's very unfortunate cause, it would really make things easy.

Secondly, I tried something similar to what you wrote here before, but alas neither this time nor the time before I couldn't hack it.

I went back to tutorial to see if there is something I'm missing/forgot. I've tried the "unknown initial value" and bytes, and 2 bytes.

I'm sure I'm missing something, but since I've no experience whatsoever, it's like I'm learning to walk again.

Any advice is welcomed with open arms. :)
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Sun Dec 01, 2013 6:39 pm

jonny1980 wrote:
I'm sure I'm missing something, but since I've no experience whatsoever, it's like I'm learning to walk again.
Ouch, I assumed you had a little bit more experience, map revealers aren't the easiest (nor the hardest) hacks and usually it's not the first thing a greenhorn tries to do.

Anyway here is a more detailed protocol, but know that this one is very engine specific.

1-Watch some explored terrain, always the same area (I suggest using the "watch HQ" hotkey that'll always put you at the exact same place).
2-Scan for 7F 00 7F 00 7F 00 7F 00 of type "array of bytes".
3-Put the camera on unexplored terrain.
4-Filter with exact value= 00 00 00 00 00 00 00 00 .
5-Rinse and repeat until the number of results no longer decreases (much). But always use the same place for explored terrain.
6-Right-click one result->"browse this memory region". A new window will pop up, but we will only use its LOWER pane.
If you have a multi-monitor setup, put this window on one screen and the game on another.
If you only have one monitor, right click on this pane->change fade timer->30000 (that means 30 seconds)
7-Scroll up 2-3 lines.
8-Get back in game and move the camera from explored to unexplored terrain (or vice-versa depending on what the camera was on). Keep using the same place for explored terrain as in step 1.
multi-monitor case: you should see the memory viewer progressively fill with red as you move the camera.
single monitor case: memory viewer should be filled with red (or at least one cell out of 2).
both cases: you should see either a lot of 00 (as in "the whole pane") or a lot of 7F 00s.
If it's not the case get back to step 6 but pick another result (one with a much different address).
9-When you've got a result that has the correct behavior, add it to the cheat table, right-click on it->"find out what accesses...".
10-Get back ingame and switch explored/unexplored terrain again.
11-4 results should have popped up in the window titled "The following opcode accessed...". For each result either you know enough assembly to apply the fix I posted above, or click "show disassembler" and paste here (address+bytes+opcodes) everything from 10 lines above the highlighted line in the upper pane to 5 lines below. I'll do the rest.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Sun Dec 01, 2013 8:25 pm

Can't go past number 4. Here is what happens: I do 1,2,3 but for number 4 I only get zero addresses -always :(. And sorry, I should've told you that I'm a greenhorn.

P.S.

I've added screenshots so you can see for yourself.

[Attached screenshots: 4.jpg, 3.jpg, 2.jpg, 1.jpg]
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Sun Dec 01, 2013 9:05 pm

jonny1980 wrote:
Can't go past number 4. Here is what happens: I do 1,2,3 but for number 4 I only get zero addresses -always
Crap, that means that they have changed the cell "codes". Try with changed/unchanged. Datatype doesn't matter as long as it's not "all". I suggest using "byte".

So basically watch HQ, unknown initial value, go in the dark, changed value, go somewhere else in the dark, unchanged value, back to hq, changed, go in the dark then back to hq, unchanged value, etc.... Then step 6.

I just hope they didn't rewrite the game using the open-ra engine, that would thwart off my theories.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Sun Dec 01, 2013 9:54 pm

New problem! :mad:

Everything went really good! Just as you said up until 9. I can't access it and get the following message from C.E.

And btw they used Ares dll



[Attached screenshot: 1.jpg]


Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Sun Dec 01, 2013 10:24 pm

jonny1980 wrote:
Everything went really good! Just as you said up until 9.
So after all what values do cell properties toggle between? (I mean instead of my 00 00 and 7F 00).

jonny1980 wrote:
I can't access it and get following message from C.E.
I never had this error message, try settings->debugger options->use VEH debugger. If it doesn't change anything try to run cheat engine as administrator.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Sun Dec 01, 2013 11:59 pm

The cell values toggle between 00 00 and different ones, I mean no pattern like 7F 00.

I can now access the addresses thanks to your advice, but nothing has ever come up there. So I'm stuck :( AGAIN
Gniarf
Grandmaster Cheater Supreme
Reputation: 43

Joined: 12 Mar 2012
Posts: 1285

Posted: Mon Dec 02, 2013 1:19 am

jonny1980 wrote:
The cell values toggle between 00 00 and different ones, I mean no pattern like 7F 00.
That's suspicious, you might not have found the correct place. If you extend your explored area without moving the camera, do some 00 around there turn into something else?
Yes: maybe you're at the right spot after all.
No: expand explored area in the 3 other directions.
Still No: you probably haven't found the right address.

jonny1980 wrote:
I can now access the addresses thanks to your advice, but nothing has ever come up there.

1-Make those variables change, ie: Move the camera between explored/unexplored terrain.
2-If you see the values change but the debugger doesn't pick up anything, it's a bug in the VEH debugger. It happens sometimes. Try to use some persuasion moving back and fro explored areas, it might pick something up in the end. Asking to find out what accesses on 2 different cells might also do the trick. Tip: you can right click in the memory viewer's lower pane and add selected address to the list.
3-Worst case scenario you can try the kernelmode debugger, but I've never used it personally.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Thu Dec 05, 2013 12:21 pm    Post subject: thank you

Couldn't reply earlier 'cause of work.

As Vladimir Lem used to say,

Dearest of all my friends, thankx a lot for all your hard work and help, but I've achieved nothing and give up. Who knows maybe someone else figures it out. Neither instant build nor map reveal, but I tried.

P.S.

Cheat table that "gameplayer" made works partially. He has many awesome options like veterancy, god mode and even as if you spied the enemy.

Do you know why some of them work and others don't? And maybe there is a way to tweak it, so it works with Mental Omega as well.

P.S.S.

I have a trainer for RA2 and YR that reveals map, but it doesn't work with YR Mental Omega.
jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Wed Dec 25, 2013 3:32 pm    Post subject: business proposition

Would you consider making me a cheat table for RA 2: YR Mental Omega 3.0 Mod, if I were to donate for your hard work?

Best Regards
besthsq
Newbie cheater
Reputation: 1

Joined: 04 Jan 2014
Posts: 12

Posted: Sat Jan 04, 2014 11:19 pm

Hey guys. Based on your information, I think I figured out what you want.
1. Camera based map revealer. (No selection, no powers etc.)
2. Everything else from gameplayer's cheat table. Credits: Can't post URL. Search for Red Alert 2 Yuri's Revenge on this forum and you'll find it.

How I did it:
For the map revealer, I simply followed Gniarf's instructions, as they are so well written and detailed. It was not hard finding the right addresses, but hard to get the debugger working. I had to use kernel debugger.
And then I took Gniarf's example code and did similar things. The code was similar but not exactly the same as the Tiberium War's. It took me quite a while to figure this one out.
For the options that did not work from gameplayer's cheat table, (notice how gamemd.exe and gamemo.exe have the same size?) I simply changed everything "gamemd.exe" to "gamemo.exe" in the scripts and they worked perfectly fine. :D

Future wishes:
The map revealer is certainly not perfect at the moment. Having the map actually revealed enables you to select things and use powers, which are pretty important. This camera method leaves some visual artifacts around the explored territory too. But making such a thing is beyond my capability. I hope someone can make it come true.
Additionally, having the options to ready the new powers instantly would be nice. I think I can figure this out. I will probably update this in the future.

Details of the map revealer for those who might be curious:

Code:
gamemo.exe+7F1AB - 7D 30                 - jnl gamemo.exe+7F1DD
gamemo.exe+7F1AD - 8B FA                 - mov edi,edx
gamemo.exe+7F1AF - 2B FB                 - sub edi,ebx
gamemo.exe+7F1B1 - 8B 4D 10              - mov ecx,[ebp+10]
gamemo.exe+7F1B4 - 8A 11                 - mov dl,[ecx] <- I added mov byte [ecx],7f before this.
gamemo.exe+7F1B6 - 41                    - inc ecx
gamemo.exe+7F1B7 - 80 FA FE              - cmp dl,-02
gamemo.exe+7F1BA - 89 4D 10              - mov [ebp+10],ecx
gamemo.exe+7F1BD - 74 0E                 - je gamemo.exe+7F1CD
gamemo.exe+7F1BF - 66 33 C9              - xor cx,cx
gamemo.exe+7F1C2 - 8A CA                 - mov cl,dl
gamemo.exe+7F1C4 - 66 89 08              - mov [eax],cx
gamemo.exe+7F1C7 - 8B 35 A4E88700        - mov esi,[gamemo.exe+47E8A4]
gamemo.exe+7F1CD - 8B 4E 1C              - mov ecx,[esi+1C]


Enjoy!



[Attachment: Mental Omega.CT (Mental Omega 3.0 Public Beta 1), 32.07 KB]

jonny1980
Cheater
Reputation: 0

Joined: 01 Jan 2012
Posts: 28

Posted: Mon Jan 06, 2014 3:39 pm

Thank you so much man! I really wish you'd find some time to show us noobs how you did it.

For this part "For the options that did not work from gameplayer's cheat table, (notice how gamemd.exe and gamemo.exe have the same size?) I simply changed everything "gamemd.exe" to "gamemo.exe" in the scripts and they worked perfectly fine." I knew that something easy was the solution.

Maybe you could also explain where I went wrong.

P.S.

I would really recommend you to play and make similar table for C&C Generals, Zero Hour and arguably their best mod Shockwave. ;)

So I checked your table and found out that three options don't work: Soviet, Allied and Yuri Battle Lab Techs.

Yeah and there is a new stolen technology as well in MO. In order to get stolen tech TANK you need to infiltrate enemy construction yard (the main building).

P.S.

Before folks from MO went over to Ares DLL, I used a small trainer for map reveal by "Cyberman".

I'm not allowed to add it as attachment, but you can find on: http://www.cheathappens.com/1595-PC-Command_Conquer_Red_Alert_2_cheats

It's the second trainer that gives money as well.

So you think you could reverse engineer it as well? :)
besthsq
Newbie cheater
Reputation: 1

Joined: 04 Jan 2014
Posts: 12

Posted: Wed Jan 08, 2014 10:53 pm

Added the option to ready all superpowers.
I tried to find the spy infiltration flags, but I just couldn't find them.

I think what went wrong for you were probably:
1. You didn't find the right address. There was a pretty obvious pattern just as Gniarf stated. It could be 00, 02 or 7F (I used byte).
2. You have to use kernel debugger for the next step, otherwise nothing will show up. To use kernel debugger you have to turn on Intel-VT feature for your CPU which is in the BIOS.

Oh and I am huge fan of C&C Generals, Zero Hour. I'll see what's already been made and look into the mod if I have the time.

And I really wish I could just reverse engineer that trainer. Believe me, I am just as experienced as you are (merely completed the tutorial). I used that trainer before too. The map revealer was great.



[Attachment: Mental Omega.CT (Mental Omega 3.0 Public Beta 1), 67.86 KB]
