 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| How many of you have h0zed a NFS-MW save game, in the name of haxX0ring? |
| Frequently |
|
33% |
[ 1 ] |
| A few, but not many... |
|
0% |
[ 0 ] |
| This one time... At Band Camp... |
|
0% |
[ 0 ] |
| What's an NFS-MW save game? |
|
0% |
[ 0 ] |
| Do you have wall hakus!? I NEED WALLLLL HCKUSSS |
|
66% |
[ 2 ] |
|
| Total Votes : 3 |
|
| Author |
Message |
JONG
Expert Cheater
![]() Reputation: 0
Joined: 30 Nov 2005
Posts: 130
|
 Posted: Thu Dec 08, 2005 12:03 am Post subject: |
 |
|
| Zhoul wrote: | Use the debugger to find a place in memory you can put your code cave. Not all places will work.
- Go into the debugger
- Scan for a code cave (Extra > Scan for code caves)
- For size, put in 3400
- Scan
Some of these places will work great, some won't because the game will eventually use the space for its own stuff. Put the code tword the end of a code cave, but not the very end. It should work, at least for a long time  unless the game uses that memory between load screens or whatever. |
It's too difficult to me who a beginner, I find many code caves have 3400 of size too.
Oh ! I am a fool so I will give up to edit this function, keep use cparty of function to make "No Collision Mode".
Zhoul, may you can tell me that, how many bytes rank address infront of the money address, if I know that, it will be help me to find the rank address.
I search for "8B8674010000", but still have many address, and I see that is show "mov eax,[esi+00000174]", not "call 0FFD0E4A" why ?
|
|
| Back to top |
|
 |
cparty
Expert Cheater
![]() Reputation: 0
Joined: 01 Dec 2005
Posts: 219
|
| Posted: Thu Dec 08, 2005 6:46 am Post subject: |
|
|
| Zhoul wrote: | | Once you change them both, your car will have infinite 'blinky effect' (no collision). To stop the effect, just change Code Cave 2 back to its Orig value. (Remember, it will take 5 seconds to actually turn off after this, as we keep writing 5 seconds to the length of time the blinky will last). |
Going to try that in a bit, will post my results. I could crash my game with every AI-version of a car I tried so far (see below).
*edit* not if I use Master Zhouls ultimate no collision code 
| Zhoul wrote: | | Dudeee, All I have to do is modify the "Unlock all cars" code to search the memory location you found these at, so it adds them to the purchasable list!!! I'll work on this, as it is indeed a great find. |
Firstly one note about the 8 Byte codes for cars:
The first 4 Bytes are only used for the logo displayed in the game (thats why for special cars its always AF 2D C3 C1 (== temp350)), so what matters are the second 4 Bytes. I did search mem for one of the special codes (cross) and came up with this block.
You see its just a listing of 4 Byte carcodes (with many duplicates), everyone works fine from that block, but it seems only be part of a whole.
However, it also turns up in memory in a kindof list... but not every entry there works (crashing my game every 2nd try  ) and the structure is somehow unclear to me yet.
Here is a screen from part of that list where they work just fine.
The red codes are: CivilCar Pickup (AI-version), Pizza (AI-version), Civilcar Minivan (user-version), Taxi (AI-version), CopCorvette (AI-version)
You see AI-versions and user-version are mixed up in this list. I'm going to build another carlist once I collect enough (Ai-version) carcodes.
| JONG wrote: | | I need to know how many bytes rank address infront of the money address, if I know that, it will be help me to find the rank address. |
I reply with quoting myself
| cparty wrote: | | That said the Rank (only 1 Byte in length) should be 4 Bytes infront of the Money. |
In the english version its 4Bytes ahead of the Money so:
| Code: | | XX CD CD CD YY YY YY YY |
is what you look for, where XX is your Rank and YY YY YY YY your Money.
It might be different in your version though.
*edit* The "unlock all cars" code moved to 0056F19F in v1.3
Zhouls ultimate no collision cave2 moved to 0068BC8A
I think the code you gave for cave2 points at the wrong address for cave1 
For those who use my version of the following:
NOS moved to 00692B01
Speedbreaker to 006EDDC8
Collisiontimer to 0068BCBB
Bustedtimer and Heatfreeze are still the same
Last edited by cparty on Thu Dec 08, 2005 1:54 pm; edited 5 times in total |
|
| Back to top |
|
|
JONG
Expert Cheater
![]() Reputation: 0
Joined: 30 Nov 2005
Posts: 130
|
| Posted: Thu Dec 08, 2005 11:04 am Post subject: |
|
|
| cparty wrote: |
In the english version its 4Bytes ahead of the Money so:
| Code: | | XX CD CD CD YY YY YY YY |
is what you look for, where XX is your Rank and YY YY YY YY your Money.
It might be different in your version though. |
Very thanks you cparty, now I am work on version 1.3 of game, it's change many address and I must redo those function.
I will see if I change the rank, it's can make what change.
|
|
| Back to top |
|
|
cparty
Expert Cheater
![]() Reputation: 0
Joined: 01 Dec 2005
Posts: 219
|
| Posted: Thu Dec 08, 2005 2:00 pm Post subject: |
|
|
| JONG wrote: | | I search for "8B8674010000", but still have many address, and I see that is show "mov eax,[esi+00000174]", not "call 0FFD0E4A" why ? |
When I did the search CE found about 50 results, but because (for the english version) I knew it cannot be much different than the address Zhoul posted I hit it in my first try (check the post above for the changed address).
The code "8B8674010000" actually stands for "mov eax,[esi+174]" it only becomes "call 0FFD0E4A" AFTER you change it to E8BB51940F90. Note: the new code I just posted was different in Zhouls example, he had either another cave location or forgot to change the value, or maybe something else which I'm glad if he could tell us
|
|
| Back to top |
|
|
cparty
Expert Cheater
![]() Reputation: 0
Joined: 01 Dec 2005
Posts: 219
|
| Posted: Thu Dec 08, 2005 2:29 pm Post subject: |
|
|
was just having some fun with cross and Zhouls great collision haXx, getting caught in speed traps 
when I noticed that the trailers of the trucks are blinking too.
Just see how the truck misses the trailer.
and finally noticed you can still kill the car 
though the game doesn't crash, but you cannot move anymore if there is smoke comming out of your car. This happens when you tilt the car some degrees.
So we might still look after something like damage
|
|
| Back to top |
|
|
Zhoul
Master Cheater
![]() Reputation: 1
Joined: 19 Sep 2005
Posts: 394
|
| Posted: Thu Dec 08, 2005 4:12 pm Post subject: |
|
|
CParty - have you tried the car injection I've talked about?
That is, replacing bytes in the purchasable list, then buying the cars? This seems to negate any of the damage 'crap', as it writes the full car to memory properly.
I can give a better example if needed.
Furthermore: Does the pointer path I gave, still function in 1.3?
+414
0091BF50 + 10
The first value at this offset should be.
Array of Byte (4) - 78 56 34 12
Hex (4 byte) - 0x1234567
From there until the FF FF FF FF 00 00 00 00 value, is a list of 'purchasable' cars. These can be changed, then bought, and don't need to be 'changed again' the next time the game loads, for the cars that were bought to work.
|
|
| Back to top |
|
|
cparty
Expert Cheater
![]() Reputation: 0
Joined: 01 Dec 2005
Posts: 219
|
| Posted: Fri Dec 09, 2005 4:31 am Post subject: |
|
|
| Zhoul wrote: | | CParty - have you tried the car injection I've talked about? |
Yes I tried that, its what I meant when I said the "parts-part" will be added by the game automatically. What I found is that for the non-stockcars (civils, cops, specials) there exists an AI-Version and for some also a User-Version (because you can drive some of them in the Challenges). All user versions are in the savegame, while the AI-version can only be found in the memory (those blocks I posted earlier used for rank/money). The AI-Version will always crash your game when you hit cars/obstacles at highspeed no difference if you purchased, overwritten or simply added by hand.
| Zhoul wrote: | | Furthermore: Does the pointer path I gave, still function in 1.3? |
It changed to this after update (the 1st level pointer should also be in the rank table I posted earlier):
@JONG: I forgot in my last post, to find certain values you need to turn on "Also scan read-only memory" because they are in the area showing green in the memory view.
Last edited by cparty on Fri Dec 09, 2005 5:21 am; edited 2 times in total |
|
| Back to top |
|
|
JONG
Expert Cheater
![]() Reputation: 0
Joined: 30 Nov 2005
Posts: 130
|
| Posted: Fri Dec 09, 2005 4:49 am Post subject: |
|
|
| cparty wrote: |
@JONG: I forgot in my last post, to find certain values you need to turn on "Also scan read-only memory" because they are in the area showing green in the memory view. |
Hi cparty, I have some question may ask you:
Zhoul of "ultimate no collision" and your "ultimate no collision" have what different ? if it's not different, I think use your edit will easy to Zhoul, because I still can't sure what address is right place to edit Zhoul give of address.
Your Heatfreeze function can make what change in the game ?
I try to change it in the game and go to 69th challenge, but I don't see any different when I don't change it before.
Jump code was change it's address, until now I still can't let it work fine when I want make a jump trainer. 
Oh, also thanks for all of your share information.
I think if we can unlock all of part, that will be great too.
|
|
| Back to top |
|
|
cparty
Expert Cheater
![]() Reputation: 0
Joined: 01 Dec 2005
Posts: 219
|
| Posted: Fri Dec 09, 2005 5:13 am Post subject: |
|
|
| JONG wrote: | | Zhoul of "ultimate no collision" and your "ultimate no collision" have what different ? |
It should be the same except he used v1.2 and I used patched v1.3, thats why the address for cave2 is different.
| JONG wrote: | Your Heatfreeze function can make what change in the game ?
I try to change it in the game and go to 69th challenge, but I don't see any different when I don't change it before. |
It will freeze the heat, that means it cannot increase during the pursuit. Now the problem with the Challenges is that they already start at high heat, so freezing it doesn't do any good. Go to the address for the heatfreeze and do "Find out what addresses this code writes to", this should give you the address where the heat is stored (it will probably be different for every race you start) and you can change it to your desired value (float). Though as it has an upper bound I wouldn't be surperised if it had a lower bound too.
| JONG wrote: | | I think if we can unlock all of part, that will be great too. |
yes that would be great, but I dont think there is an easy way to do it.
|
|
| Back to top |
|
|
Zhoul
Master Cheater
![]() Reputation: 1
Joined: 19 Sep 2005
Posts: 394
|
| Posted: Fri Dec 09, 2005 5:35 am Post subject: |
|
|
| Jong wrote: | | I think if we can unlock all of part, that will be great too. |
I think if there were an easier way to do it, *we* would have done it already. Since it appears that there would be about 100 places in code that would have to be modified, it'd be great if *you* could do it
| cparty wrote: | | Yes I tried that, its what I meant when I said the "parts-part" will be added by the game automatically. |
Ahhh! Ok, I get whatcha mean now...
And as for the pointer path - you already said that in a previous post - I'm just being a tard thats been away for a few days who completely forgot about it until now.
Thanks for puttin up with meh..
(Can anybody say SPAM-BURGER!)
- Zhoul
|
|
| Back to top |
|
|
JONG
Expert Cheater
![]() Reputation: 0
Joined: 30 Nov 2005
Posts: 130
|
| Posted: Fri Dec 09, 2005 6:00 am Post subject: |
|
|
| Zhoul wrote: | | I think if there were an easier way to do it, *we* would have done it already. Since it appears that there would be about 100 places in code that would have to be modified, it'd be great if *you* could do it |
Yes, thanks for your reply.
Never mind, I will try any I can do to find it even I am a newbie.
Now I still to search the "mission timer" and "jump", if I find any information, I will share it ASAP.
|
|
| Back to top |
|
|
-=DocDOOM=-
How do I cheat?
 Reputation: 0
Joined: 09 Dec 2005
Posts: 6
Location: Germany
|
| Posted: Fri Dec 09, 2005 11:21 am Post subject: |
|
|
Hi guys,
nice work!!!
But I don't understand how you found thoses adresses like
Most Cars and Upgrades ... so I have the problem,
I've patched NFS to 1.3 the the adress for Most Car isn't the same
and now, i don't know how to find it !!
PLZ Help
p.s. Sorry for my poor english 
|
|
| Back to top |
|
|
JONG
Expert Cheater
![]() Reputation: 0
Joined: 30 Nov 2005
Posts: 130
|
| Posted: Fri Dec 09, 2005 12:07 pm Post subject: |
|
|
| -=DocDOOM=- wrote: | Hi guys,
nice work!!!
But I don't understand how you found thoses adresses like
Most Cars and Upgrades ... so I have the problem,
I've patched NFS to 1.3 the the adress for Most Car isn't the same
and now, i don't know how to find it !!
PLZ Help
p.s. Sorry for my poor english |
I guess what you are a Chinese, right ?
If that's right, maybe I can tell you what address are you want. 
|
|
| Back to top |
|
|
-=DocDOOM=-
How do I cheat?
Reputation: 0
Joined: 09 Dec 2005
Posts: 6
Location: Germany
|
| Posted: Fri Dec 09, 2005 12:35 pm Post subject: |
|
|
| no, im not chinese...
|
|
| Back to top |
|
|
cparty
Expert Cheater
![]() Reputation: 0
Joined: 01 Dec 2005
Posts: 219
|
| Posted: Fri Dec 09, 2005 2:09 pm Post subject: |
|
|
Hi Doc, most answers you can get by reading this whole thread a couple of times. It gets confusing sometimes especially if you don't know yet what its been talked about.
| -=DocDOOM=- wrote: | | But I don't understand how you found thoses adresses like Most Cars and Upgrades ... so I have the problem |
Finding these things is much try & error, having a good guess and crashing the game often
Ok, lets go for the cars first:
http://forum.cheatengine.org/viewtopic.php?p=28274#28274 will tell you the format of a car. Again you will have to start with a good guess and then start changing values and see what happens to find out which address does what until you end up with a list like in the post.
http://forum.cheatengine.org/viewtopic.php?p=28285#28285 then describes how Zhoul found the address for "unlock all cars" code with the information above.
For the parts change one part at a time and check for changes, doing it for all parts and you end up with something like this (sorry only have a loosy scan):
http://i34.photobucket.com/albums/d117/cparty/parts.jpg
| -=DocDOOM=- wrote: | | I've patched NFS to 1.3 the the adress for Most Car isn't the same and now, i don't know how to find it !! |
You can try to recreate what Zhoul has done (second link I posted), try to do a "near" search for the value (I call near search when I know that the address probably won't have changed much and limit the search range to the old address +/- a few bytes), or just take the new value from here (to the end of the post):
http://forum.cheatengine.org/viewtopic.php?p=28748#28748
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
