I am hacking Lor: BFME2 - help! Enemy ai uses same routines

 
gideon25
Posted: Mon Mar 06, 2006 11:49 pm

Ok well, I can find values for money (or resources), command points, unit cap, and a few other things. Problem: when I set the write bp for resources and DECREASE them I get this:

007aff93 - 29 7e 04 - sub [esi+04],edi

k, fine, I NOP that address and money never decreases. I change the SUB to an ADD and money gets added every time I spend. NOW, as I find out the ENEMY AI ALSO gets these benefits :( I can't seem to track down the address to change that applies ONLY to me. The SAME thing apparently happens with command points, unit caps, power points, etc. I nop or change something around where the original bp is and the computer AI proceeds to WHIP UP on me :P

Ok so here is some code for the resources BP. Breaks during resource DECREASE:
Code:

007aff7a - 8d 95 6c ff ff ff          - lea edx,[ebp-00000094]
007aff80 - 52                         - push edx
007aff81 - ff 50 64                   - call dword ptr [eax+64]
007aff84 - 83 4d fc ff                - or dword ptr [ebp-04],ff
007aff88 - 8d 8d 6c ff ff ff          - lea ecx,[ebp-00000094]
007aff8e - e8 2c 8f f2 ff             - call stringbase<char>::peek+26c5a
007aff93 - 29 7e 04                   - sub [esi+04],edi  <-----------------Breaks HERE
007aff96 - a1 b0 e1 df 00             - mov eax,[fxparticlesystem::moduletag<5,fxparticlesystem:: Bunch OF STUFF:default+5b4]
007aff9b - 85 c0                      - test eax,eax
007aff9d - 74 1c                      - je fxparticlesystem::getkey+fe0
007aff9f - 8b 0d 90 9d df 00          - mov ecx,[fxparticlesystem::categorymoduleclass<8>::s_first+1174]
007affa5 - 85 c9                      - test ecx,ecx
007affa7 - 74 12                      - je fxparticlesystem::getkey+fe0
007affa9 - 8b 49 10                   - mov ecx,[ecx+10]
007affac - 85 c9                      - test ecx,ecx
007affae - 74 0b                      - je fxparticlesystem::getkey+fe0
007affb0 - 8b 49 54                   - mov ecx,[ecx+54]
007affb3 - 3b 4e 08                   - cmp ecx,[esi+08]
007affb6 - 75 03                      - jne fxparticlesystem::getkey+fe0


Now, during a resource INCREASE:

Code:

007b003f - ff 50 64                   - call dword ptr [eax+64]
007b0042 - 83 4d fc ff                - or dword ptr [ebp-04],ff
007b0046 - 8d 8d 6c ff ff ff          - lea ecx,[ebp-00000094]
007b004c - e8 6e 8e f2 ff             - call stringbase<char>::peek+26c5a
007b0051 - 01 7e 04                   - add [esi+04],edi <----------------Breaks HERE
007b0054 - a1 b0 e1 df 00             - mov eax,[fxparticlesystem::moduletag<5,fxparticlesystem::LOTS of STUFFdefault+5b4]
007b0059 - 85 c0                      - test eax,eax
007b005b - 74 1c                      - je fxparticlesystem::getkey+109e
007b005d - 8b 0d 90 9d df 00          - mov ecx,[fxparticlesystem::categorymoduleclass<8>::s_first+1174]
007b0063 - 85 c9                      - test ecx,ecx
007b0065 - 74 12                      - je fxparticlesystem::getkey+109e
007b0067 - 8b 49 10                   - mov ecx,[ecx+10]
007b006a - 85 c9                      - test ecx,ecx
007b006c - 74 0b                      - je fxparticlesystem::getkey+109e



I manipulate the code and the COMPUTER/ENEMY ALSO gets the advantages :(
Now, I am not sure what to do next :/ I wish I knew ASM better, but what are some suggestions on how to proceed?

When I change the bp type to "What access this address"

I get Some more bp hits (probably on read):

79c5af mov ebx,[esi+00000094]
6a9289 mov esi,[ecx+00000094]
6d39e4 mov edi,[eax+04]


So let's look at: 7aff28 mov eax,[esi+04]
Now I double click on it and it shows the registers, and
EAX is: 4FB. Now, opening up Windows Calculator (scientific view) I see 4FB hex is 1275 decimal. HEY, that's how much money I had..

6a9289 mov esi,[ecx+00000094] ESI holds a money value- but it holds 4E2- 1250 (probably before I gained the extra 25 cash)..

Hmm.. So esi+04 is what I am looking for? So I look around some of the hits and I see 79c5af:

Code:

0079c598 - 3b f0                      - cmp esi,eax
0079c59a - 72 0b                      - jb fxparticlesystem::emissionvolumeinfo::loadpostprocess+2a09d
0079c59c - 8d 46 01                   - lea eax,[esi+01]
0079c59f - 50                         - push eax
0079c5a0 - 8b cb                      - mov ecx,ebx
0079c5a2 - e8 6a ff ff ff             - call fxparticlesystem::emissionvolumeinfo::loadpostprocess+2a007
0079c5a7 - 6b f6 14                   - imul esi,esi,14
0079c5aa - 03 33                      - add esi,[ebx]
0079c5ac - 8b 5d 08                   - mov ebx,[ebp+08]
0079c5af - 8b 83 94 00 00 00          - mov eax,[ebx+00000094]    <---------------BREAKS HERE
0079c5b5 - 89 46 04                   - mov [esi+04],eax
0079c5b8 - 8b 0d a0 9d df 00          - mov ecx,[fxparticlesystem::categorymoduleclass<8>::s_first+1184]
0079c5be - 53                         - push ebx
0079c5bf - e8 8a b7 f0 ff             - call icoord2d::icoord2d+6abc3
0079c5c4 - 85 c0                      - test eax,eax
0079c5c6 - 74 15                      - je fxparticlesystem::emissionvolumeinfo::loadpostprocess+2a0d3


So the value is copied into EAX from [ebx+00000094] which is then moved into [esi+04]. The other hits show [ecx+00000094] (but NO esi+04 around) and [esi+00000094] (no esi+04 around).. Anyway what should I be looking for here? Any help would be GREAT as I have to do this with command points, power points, population, etc. I need to get an idea of how/where the AI comes in and where only my resource points come in. Thanks!

cparty
Posted: Tue Mar 07, 2006 2:34 pm

You could try to find the pointer to the structure holding your resource/exp/cap and then set the values manually. In the Demo it was only a 2 level pointer.
In a next step you could check the asm against the pointer and only decrease if it's not your value.
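
A small model of the two steps suggested above, as an added example that is not part of either post and not the game's code: one routine serves every player's structure, so a patch to the instruction reaches the AI too, while a comparison against the structure resolved through a two-level pointer limits the change to one player. Only the +04 balance offset comes from the thread; the struct, field and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout: only the +04 balance offset comes from the thread
   (sub [esi+04],edi); every other field and name here is hypothetical. */
typedef struct {
    uint32_t tag;       /* +00: unknown field */
    int32_t  balance;   /* +04: the value the thread's SUB/ADD touches */
} Resources;

typedef struct { Resources *res; } Player;   /* second level of the chain */
typedef struct { Player *local; } Game;      /* first level: fixed base */

/* One routine serves every player; 'r' plays the role of ESI, 'cost' of EDI. */
static void spend_shared(Resources *r, int32_t cost) {
    r->balance -= cost;
}

/* Patching the instruction itself (NOP) changes it for every caller. */
static void spend_nopped(Resources *r, int32_t cost) {
    (void)r; (void)cost;
}

/* Resolve the two-level chain, checking each hop before dereferencing. */
static Resources *resolve_local(const Game *g) {
    if (g == NULL || g->local == NULL) return NULL;
    return g->local->res;
}

/* Filtered variant: skip the decrement only when the struct is the local one. */
static void spend_filtered(const Game *g, Resources *r, int32_t cost) {
    Resources *mine = resolve_local(g);
    if (mine != NULL && r == mine) return;
    spend_shared(r, cost);
}

int main(void) {
    Resources human = {0, 1275}, ai = {0, 1275};   /* constructed sample values */
    Player p = {&human};
    Game g = {&p};
    spend_nopped(&human, 25); spend_nopped(&ai, 25);
    printf("nopped:   human=%d ai=%d\n", (int)human.balance, (int)ai.balance);
    spend_filtered(&g, &human, 25); spend_filtered(&g, &ai, 25);
    printf("filtered: human=%d ai=%d\n", (int)human.balance, (int)ai.balance);
    return 0;
}
```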