Help with teleport hack

alesyt0h
Newbie cheater
Reputation: 0

Joined: 12 Aug 2015
Posts: 19

Posted: Sat Jul 23, 2016 11:56 am    Post subject: Help with teleport hack

Hello!


I'm trying to make a teleport hack. I've found the address which is storing x, y and z, and found the pointer as well, but when I change the value in CE, it moves my character in the game, but just 100ms or less after I modify the value, it returns me to the original position. It only allows small values like 5 or something every 2 or 3 seconds. I tried setting a hotkey to increment the value by 5, but it is so slow and it returns me to the original position as well.

Is there anything I can do using CE? I've thought about something like: write the address and block the program from overwriting the address, but I don't know if that is even possible xD
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sat Jul 23, 2016 12:04 pm

Assuming the game is not an online game, you've found the wrong coordinate values.
alesyt0h
Newbie cheater
Reputation: 0

Joined: 12 Aug 2015
Posts: 19

Posted: Sat Jul 23, 2016 12:36 pm

It's an online game.

I've read about people saying that for online games, xyz coordinates are stored on the server side or something like this.

But for this game it's possible, I know it because there is a paid hack that does exactly that, teleport to everywhere.

I've played around a bit with the addresses I've found. I can, for example, jump to a higher position, and when I fall, I take damage. I can teleport from 200.00 x/y coord to 210.00, for example, but no more >.<
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sat Jul 23, 2016 12:40 pm

The paid hack could be manipulating packets that are sent to the server.
If you can teleport, but with limits, then there may be a server-sided check going on.
All that said, you may still have the wrong coordinate values (maybe).
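The kind of server-sided check suggested in the post above, seen from the server operator's side, as an added example that is not part of the original thread and not any game's actual code. The speed, tolerance and time-cap constants, the function names and the sample updates are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 7.0   # assumed: fastest legitimate movement, world units per second
TOLERANCE = 1.5   # assumed: slack for latency jitter, world units
MAX_DT = 0.5      # assumed: cap on credited time, so silence cannot bank distance


@dataclass
class PlayerState:
    pos: tuple            # last position the server accepted (x, y, z)
    t: float              # server receive time of that position, in seconds
    violations: int = 0   # rejected updates, kept for detection and alerting


def validate_move(state, new_pos, now):
    """Accept or reject a client-reported position.

    Returns (accepted, authoritative_pos). Only the server clock is used:
    a client-supplied timestamp would let the client claim any elapsed time.
    """
    if not all(math.isfinite(c) for c in new_pos):
        state.violations += 1
        return False, state.pos
    dt = min(max(now - state.t, 0.0), MAX_DT)
    allowed = MAX_SPEED * dt + TOLERANCE
    if math.dist(state.pos, new_pos) > allowed:
        state.violations += 1
        return False, state.pos   # client gets corrected back to this position
    state.pos, state.t = tuple(new_pos), now
    return True, state.pos


# Constructed sample: (server receive time, reported position).
UPDATES = [
    (0.1, (200.5, 200.0, 358.76)),   # normal walking step
    (0.2, (201.0, 200.0, 358.76)),   # normal walking step
    (0.3, (201.0, 200.0, 398.76)),   # 40 units straight up in 0.1 s
    (0.4, (201.5, 200.0, 358.76)),   # normal step from the last accepted position
    (5.4, (230.0, 200.0, 358.76)),   # 28.5 units after 5 s without updates
]


def replay(updates, start=(200.0, 200.0, 358.76)):
    """Run the updates through the validator; return per-update verdicts and final state."""
    state = PlayerState(pos=start, t=0.0)
    verdicts = [validate_move(state, pos, t)[0] for t, pos in updates]
    return verdicts, state
```

Small steps pass while the large jump is rejected and the player stays at the last accepted position, which matches the snap-back the original poster describes. Without the `MAX_DT` cap the last update would be accepted, since five seconds of silence would otherwise credit 36.5 units of movement.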
alesyt0h
Newbie cheater
Reputation: 0

Joined: 12 Aug 2015
Posts: 19

Posted: Sat Jul 23, 2016 12:50 pm

I didn't think about the packets lol, I thought that wasn't possible without hacking the server :P

I don't know if I have the wrong address; I thought that maybe the address is correct but not the pointer. I managed to get 5000 pointers on the pointer scan, but now it is only decreasing the number by 2-3 (it will take ages to find a more specific pointer with this method, I think).

With the address/pointer I have, if I freeze it, then I cannot move. If I freeze the z coordinate, I cannot jump. Doesn't that mean that I have the right coordinates?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sat Jul 23, 2016 12:55 pm

Pointers are a waste of time unless you are certain that you have the correct address(es), in this case.

You may have the correct addresses...you may not. Sometimes, there are multiple coordinate addresses. I usually test by freezing the values and checking to make sure that there is no ghosting effect and also by checking to see if I can teleport through objects. If I can do those things successfully, then I am good.
alesyt0h
Newbie cheater
Reputation: 0

Joined: 12 Aug 2015
Posts: 19

Posted: Sat Jul 23, 2016 1:17 pm

Let's say I start with an unknown initial value. I use stairs to go up, then increased value, go down, decreased value, etc... until I have like 300-400. I put all the addresses in the list and I freeze stacks of 50 or something until I find the one that doesn't let me jump. In my case there is only one address that prevents me from jumping when I freeze it.

The other values usually don't do anything, but sometimes there are some weird values that create a "ghost" of my character or something, like I only saw the head of my character at the original, and the body at the location I want to port to.

I thought that maybe there was some value from which the game restores the position when it is changed. I tested by freezing all the values, like 300 or more, and changing the coordinates in all of them; the result was the same, I cannot teleport longer distances :/
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Sat Jul 23, 2016 3:41 pm

If you make your game believe that your coordinates changed, you can be pretty sure the game will send the packets to the server, that is if the game fully believes your coordinates.
I hacked an MMO that behaved the same way you're describing. The reason for it was that the program wrote the coordinates value many times per sec and only read those coordinates right after they were written, therefore you had 0.000000001 sec to write the "hacked" coordinates, between the program write and the program read. In other words, the solution is code injection.

You right click the coordinate address, "find out what writes to..." (make sure to use VEH debugger), you hook the opcode that writes to it and you make it write your value. What is likely to happen is that after 1 to 5 min the game crashes due to memory integrity checks, so don't be surprised if that happens.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sat Jul 23, 2016 4:22 pm

If the coordinate checks are being done client-side, then you can easily circumvent that.
alesyt0h
Newbie cheater
Reputation: 0

Joined: 12 Aug 2015
Posts: 19

Posted: Sat Jul 23, 2016 6:45 pm

ulysse3131 wrote:
The reason for it was that the program wrote the coordinates value many times per sec and only read those coordinates right after they were written, therefore you had 0.000000001 sec to write the "hacked" coordinates, between the program write and the program read. In other words, the solution is code injection.


Did you only have that 0.000000001 sec margin to write it, or did you just spam the coordinate you want and do like 2000000000000 memory writes to the same address? I tried the last one with AutoHotkey and some writememory function, but it didn't work >.<

I'm a bit lost now... I did this: I tried with the z coord value, which changes every time I jump. With "find out what writes to this address" there is only one opcode for every jump. I selected it > show disassembler > Ctrl+A, and now I'm in Auto Assemble; on the template tab I selected Code injection (is this the right one?). Then a lot of alien code appeared.

Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
movlps [ebx+3C],xmm0
mov eax,[ebx+2C]

exit:
jmp returnhere

"BetterWithoutNames.exe"+5E534D:
jmp newmem
nop
nop
returnhere:


Coordinates are floats like this one: 358.764801 ---- let's say I want to change it to this one: 398.764801, which will port my character and it will fall.

How can I add the coordinates I want to that "script"?

++METHOS wrote:
If the coordinate checks are being done client-side, then you can easily circumvent that.


What do you mean exactly? If it is about packets, then I can try with code injection like ulysse3131 said, but if there is just a client-side check, can I "bypass" that check?

Thanks to both of you for bringing some light into it!
ulysse31
Master Cheater
Reputation: 2

Joined: 19 Mar 2015
Posts: 324
Location: Paris

Posted: Sun Jul 24, 2016 7:09 am

From what you said it seems that the game writes the coordinate value only after you edit it with CE. If that is the case, it means the game detects the value you wrote as wrong and overwrites it. You'd need to backtrace this function and see where the game value comes from; it could be sent by the server and it could be a client-sided check.

Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

originalcode:
mov [ebx+3C],43C761E5
mov eax,[ebx+2C]

exit:
jmp returnhere

"BetterWithoutNames.exe"+5E534D:
jmp newmem
nop
nop
returnhere:


Since your float value translates to hex 43C761E5, this piece of code should do the trick.
alesyt0h
Newbie cheater
Reputation: 0

Joined: 12 Aug 2015
Posts: 19

Posted: Sun Jul 24, 2016 12:31 pm

Thanks ulysse3131!!

I did a lot of tests this morning and the results are very good, I think.

With that code I'm able to teleport myself above me: I was at 358.76, ported to 398.76, then I fell and died.

However, teleporting to x,y,z all at once is difficult, I think. I made another script just like that one, but for the y coord, put the z script and the y script on toggle, and played with them for a while till I found a way to teleport.


I had to make the script like this:
Code:
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here

[ENABLE]
originalcode:
mov [ebx+3C],4395e873
mov eax,[ebx+2C]
exit:
jmp returnhere

"BetterWithoutNames.exe"+5E534D:
jmp newmem
nop
nop
returnhere:

[DISABLE]
originalcode:
movlps [ebx+3C],xmm0
mov eax,[ebx+2C]

exit:
jmp returnhere

"BetterWithoutNames.exe"+5E534D:
jmp newmem
nop
nop
returnhere:


Because without the disable, the script freezes me at the new location.
So, for the z script I put the toggle key on F1 and the toggle for the y script on F2. I pressed F1, then F2, and nothing happened; I had to jump inside the game to see the changes, but the teleport only stays at those new positions if I "disable" the F1 script when my character is falling, otherwise I will be ported again to the original position. Sorry for the messy explanation, but in other words: when I jump, I can see my character doing his animation, an animation where he opens his arms; only when the arms are going down do I disable the z script, after that I disable the y script, and then the teleport works. This margin is very very small and it works only 1 in 20 times.

It doesn't surprise me because that paid hack I talked about earlier does the same thing: you write the coordinates you want to go to and the hack tells you to jump; when you jump you are in the new position.

And another weird thing: I cannot find the right x opcode. I selected "find out what writes to this address". In the z coord case it was a 'movlps', in the y coord case it was a 'movss', but for the x coord it is showing the same 'movlps' from the z coord opcode. If I run a script for it, it only teleports me above me or under me, just like the z script.

Since I cannot attach URLs to the post, I attached a snapshot. The unmarked movlps and movss are just copies, I think; with "find out what address.." in memory view it's showing the same coord for z / y, but it doesn't work if I try to hook my new coordinate into those ones.

[Attachment: snapshot.JPG. Description: opcodes for movement in memory viewer]