Cheat Engine The Official Site of Cheat Engine
How many of you have h0zed a NFS-MW save game, in the name of haxX0ring? |
Frequently | 33% | [ 1 ]
A few, but not many... | 0% | [ 0 ]
This one time... At Band Camp... | 0% | [ 0 ]
What's an NFS-MW save game? | 0% | [ 0 ]
Do you have wall hakus!? I NEED WALLLLL HCKUSSS | 66% | [ 2 ]
Total Votes : 3
|
Author |
Message |
cparty Expert Cheater Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Sun Dec 18, 2005 5:28 pm Post subject: |
|
|
JONG wrote: | What kind of speed is in this "00914654" address? |
It's the current speed of the car (for v1.3). I had to find the new address to have Zhoul's trainer show the speed (and do the tracking in the right speed color).
JONG wrote: |
Code: | 01 00 00 00 00 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00 |
|
Exactly, you need to add it as many times as you want it to have (I don't know why they chose such a long code for those markers; maybe the last 4 bytes, always 01 00 00 00, are just a separator).
So the code you have should give you 2 "Impound release" markers, with those you can "buy" your car back for free after they have busted you 3 times (that is if you don't use an "Impound strike" marker to increase the limit). But I never had to use any of those as I usually load the game just right after I get busted (the game doesn't autosave there, so if you load it directly after, the impound strike is gone).
If we want to cheat on the markers we could try to find the code which zeroes out the marker when used and just NOP it.
But I never bothered much about those markers as I can "put" in those things into my car directly in memory
|
JONG Expert Cheater Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Mon Dec 19, 2005 4:45 am Post subject: |
|
|
cparty wrote: | - unLOCK all parts in Career (takes the 'lockpad' off of them so they can be purchased, no matter what level).
Addy: v1.3 - 00576678
Type: Array of Byte (6 in length)
Description: Code - unLock Career - Parts (Orig: 8B81AC000000 New: B8F3F71D0090 )
- unLOCK special parts in Career (adds the parts you get after beating Razor).
Addy: v1.3 - 007AF68C
Type: Array of Byte (6 in length)
Description: Code - unLock Career - special Parts (Orig: 8B91AC000000 New: BAF3F71D0090 ) |
Hi cparty, can you post more info on that?
I think I may have edited the wrong place; the game always crashes when I use those functions.
EDIT:
How can I add a pointer address in VB?
I was studying the tutorial Zhoul wrote, but I can't see anything about pointer addresses, even though I downloaded Zhoul's VB project.
EDIT:
Never mind, I downloaded VC++ and am learning it.
@cparty again:
Thanks for your help, now I know how to do it.
EDIT:
I think that maybe the "Tollbooth timer" is not in the speed.exe file; maybe it is in server.dll or some other DLL file. Just a guess.
Last edited by JONG on Tue Dec 20, 2005 1:45 pm; edited 3 times in total |
|
cparty Expert Cheater Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Mon Dec 19, 2005 5:50 am Post subject: |
|
|
JONG wrote: | Hi cparty, can you post more info on that? |
The Bytes before 00576678 are: A1 90 CF 91 00 8B 48 10
The Bytes after are: 53 55 8B 6C 24 10
The Bytes before 007AF68C are: A1 90 CF 91 00 8B 48 10
The Bytes after are: C1 EA 0E F6 C2 01
|
Zhoul Master Cheater Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Wed Dec 21, 2005 10:37 pm Post subject: |
|
|
I have not been working on NFS much in the past few days, simply because I have a tooth ache and my dental appt isn't for another day... (it sux trying to code with a heavy pounding in thy head).
But I wanted to re-cap the infinite speedbreaker/nitro code I devised.
This is for v1.3
Type: Array of Byte (1 in length)
Address: v1.3 00692B08
Description: Code - Nitro - (Orig: F8 New: FC)
Type: Array of Byte (1 in length)
Address: v1.3 = 006EDE05
Description: Code - Speed Breaker - (Orig: 84 New: 88 )
This doesn't NOP the FSTP's which means the registers pop off the stack properly. Tested with police helicopters and all that jazz, and it works fine.
|
JONG Expert Cheater Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Thu Dec 22, 2005 8:32 am Post subject: |
|
|
Zhoul wrote: | I have not been working on NFS much in the past few days, simply because I have a tooth ache and my dental appt isn't for another day... (it sux trying to code with a heavy pounding in thy head). |
I am waiting for your VB project, because I found that a 4-byte write can't write an array of bytes that is bigger than 4 bytes.
EDIT:
Never mind, I downloaded your "B&W 2 - v1.1 - Trainer v1.0 - OpenSource Pre-Release" and am learning from it.
Thank you, Zhoul.
|
Zhoul Master Cheater Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Thu Dec 22, 2005 9:25 am Post subject: |
|
|
JONG wrote: | Zhoul wrote: | I have not been working on NFS much in the past few days, simply because I have a tooth ache and my dental appt isn't for another day... (it sux trying to code with a heavy pounding in thy head). |
I am waiting for your VB project, because I found that a 4-byte write can't write an array of bytes that is bigger than 4 bytes.
EDIT:
Never mind, I downloaded your "B&W 2 - v1.1 - Trainer v1.0 - OpenSource Pre-Release" and am learning from it.
Thank you, Zhoul. |
While the Write4Bytes() function does write only 4 bytes, you can still use it to write an array of bytes. Let's say the array of bytes was 8 long; you could use it back to back (twice) to write the array of bytes. I'm going to implement a "Write_Bytes" function which can write an unlimited amount of bytes.
Also, if you have 7 bytes to write, you can use it to write the first 4 bytes, then use it to write the last 4 bytes (even though you will 'overlap', it doesn't matter).
Lastly, if you have to write 1 byte, make sure you gather the following 3 bytes (from the game) and write those as well. Here are a few examples of how I used it with Black & White 2 and array of bytes...
*Edit* - Write2Bytes is a better function for this, for now, unless you want to devise a Write1Byte function (which shouldn't be hard... Just copy/paste the Write2Bytes function, change the name, and how many bytes it will write).
In the following example, I had to write 7 bytes (array of bytes).
The full data looked like this: 89 94 B1 EC 01 00 00
So I split it up into 2 Write4Bytes codes.
- 0080A6C7 - 0080A6CA - Data: 89 94 B1 EC
Write4Bytes &H80A6C7, &HECB19489
- 0080A6CA - 0080A6CD - Data: EC 01 00 00
Write4Bytes &H80A6CA, &H1EC
- Notice how these two will actually overlap, at offset 0080A6CA (the EC byte)
- Also note that the data bytes are "Backward" as well
- NOP 6 bytes
Write4Bytes &H5C016B, &H90909090
Write2Bytes &H5C016F, &H9090
- NOP 7 bytes
Write4Bytes &H80A6C7, &H90909090
Write4Bytes &H80A6CA, &H90909090
- Write 6 bytes
Write4Bytes &H5C016B, &HE48601
Write2Bytes &H5C016F, &H0
- Write 7 bytes
Write4Bytes &H80A6C7, &HECB19489
Write4Bytes &H80A6CA, &H1EC
|
JONG Expert Cheater Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Fri Dec 23, 2005 6:28 am Post subject: |
|
|
Thanks for taking the time to reply; in fact, it helps me a lot.
But I still have a few questions:
I see that the hex data for those addresses seems to be upside down in VB. If I want to fill in data like:
FF 81
in VB I must fill in:
81 FF
In this example of yours:
Zhoul wrote: |
- Write 6 bytes
Write4Bytes &H5C016B, &HE48601
Write2Bytes &H5C016F, &H0 |
In "Write2Bytes &H5C016F, &H0", is "&H0" filled into address "5C016F" or "5C0170"?
I think that it sets the values at addresses "5C016F" and "5C0170" to "00", but if "5C0170" can't be "00" and must be "17" or some other value, will using "Write2Bytes &H5C016F, &H0" be a mistake or not?
Also, I studied the pointer part of the VB code in your "B&W 2 - v1.1 - Trainer v1.0 - OpenSource Pre-Release" and tried to make a money pointer in NFS:MW, but I can't see any change from my change. If I want to do the same thing with this money pointer, how can I do it?
Could you give me an example, like a money pointer for NFS:MW? Maybe it would let me make other pointers, like a car pointer.
|
Zhoul Master Cheater Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Fri Dec 23, 2005 7:17 am Post subject: |
|
|
JONG wrote: | In "Write2Bytes &H5C016F, &H0", is "&H0" filled into address "5C016F" or "5C0170"?
I think that it sets the values at addresses "5C016F" and "5C0170" to "00", but if "5C0170" can't be "00" and must be "17" or some other value, will using "Write2Bytes &H5C016F, &H0" be a mistake or not?
|
I'm going to answer this question now, and your other one in another post, once I set up pointer resolution in the NFS-MW trainer...
This question: "In "Write2Bytes &H5C016F, &H0", is "&H0" filled into address "5C016F" or "5C0170"?"
It will fill both with 00 00
Let's say I wanted to fill 5C016F with 1A and 5C0170 with 00, then...
Write2Bytes &H5C016F, &H1A
Let's say I wanted to fill 5C016F with 00 and 5C0170 with 1A, then...
Write2Bytes &H5C016F, &H1A00
To understand why this is the case... Take an array of bytes that is 4 long, then change it to a 4-byte value. Then right-click it and "Show Hexadecimal value". You will see that the 'value' shows the opposite of what an array of bytes shows.
|
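The splitting rule from Zhoul's earlier Write4Bytes post and the byte-order answer above, worked through in Python on a local buffer. This is an added example, not code from the thread or from the trainer: `le_value`, `memory_bytes`, `plan_writes` and `apply_writes` are hypothetical names, and the buffer is a constructed stand-in for memory.

```python
def le_value(data: bytes) -> int:
    """Number to hand to an N-byte write so that memory ends up holding `data`."""
    return int.from_bytes(data, "little")


def memory_bytes(value: int, width: int) -> bytes:
    """Bytes that land in memory, lowest address first, for a `width`-byte write."""
    return value.to_bytes(width, "little")


def plan_writes(address: int, data: bytes, width: int = 4):
    """Split `data` into `width`-byte writes, returned as (address, value) pairs.

    If len(data) is not a multiple of `width`, the last write is moved back so
    it ends on the final byte and overlaps the previous write. The overlapping
    bytes are written twice with the same content, which is why it is harmless.
    """
    if len(data) < width:
        raise ValueError("shorter than one write: read the following bytes "
                         "from the target first and append them")
    offsets = list(range(0, len(data) - width + 1, width))
    if offsets[-1] + width < len(data):
        offsets.append(len(data) - width)
    return [(address + off, le_value(data[off:off + width])) for off in offsets]


def apply_writes(buffer: bytearray, base: int, writes, width: int = 4) -> bytearray:
    """Replay planned writes on a local buffer whose first byte is address `base`."""
    for address, value in writes:
        start = address - base
        buffer[start:start + width] = memory_bytes(value, width)
    return buffer


if __name__ == "__main__":
    data = bytes.fromhex("89 94 B1 EC 01 00 00")   # the 7-byte array from the post
    writes = plan_writes(0x80A6C7, data)
    for address, value in writes:
        print(f"Write4Bytes &H{address:X}, &H{value:X}")
    result = apply_writes(bytearray(len(data)), 0x80A6C7, writes)
    print(result.hex(" ").upper())
    # The Write2Bytes question: &H1A vs &H1A00 as they appear in memory
    print(memory_bytes(0x1A, 2).hex(" "), "|", memory_bytes(0x1A00, 2).hex(" "))
```
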
JONG Expert Cheater Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Fri Dec 23, 2005 7:44 am Post subject: |
|
|
Zhoul wrote: | I'm going to answer this question now, and your other one, in another post, once I setup pointer resolution in the NFS-MW trainer... |
Thanks again Zhoul.
I went back to your trainer post and don't see an update yet; maybe I will try again later.
A new question to ask for advice:
Code: |
Public Function FltToLng(fltData As Double) As Long
    On Error GoTo EH
    Dim lngLongData As LongData
    Dim fltFloatData As FloatData
    fltFloatData.dta = fltData
    LSet lngLongData = fltFloatData
    FltToLng = lngLongData.dta
    Exit Function
EH:
    MsgBox "An error occurred while in the FltToLng function." & vbNewLine & "Error Number: " & Err.Number & vbNewLine & "Error Description: " & Err.Description
    Resume Next
End Function
|
As in the code above, if I want to transform an Integer value to bytes, how can I do it?
Ex:
Now I have an Integer value: 20
I want to write it back to memory as float data; how can I do it?
|
Zhoul Master Cheater Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Fri Dec 23, 2005 11:09 am Post subject: |
|
|
JONG wrote: | As in the code above, if I want to transform an Integer value to bytes, how can I do it?
Ex:
Now I have an Integer value: 20
I want to write it back to memory as float data; how can I do it? |
First, we see that the Write4Bytes function accepts the offset and value as longs. A long is just a 4-byte integer.
Code: | Public Function Write4Bytes(Offset As Long, Value As Long) As Boolean |
Next, you actually found one of the functions I wrote to convert into an "In game float". I found, early on in trainer making, that feeding a single or double, which are floats, directly to the game gave 'not wanted/expected' results. The reason is harder to explain than the resolution.
The resolution:
This is defined at the top (general declarations). This is what is called "Defining a User Type". A type is something like 'integer', 'long', 'string', etc. The type being defined is 'FloatData'.
Code: |
'Used by LngToFlt and FltToLng
Private Type FloatData
    dta As Single
End Type
Private Type LongData
    dta As Long
End Type
|
This is for converting data like integers and longs into a float the game will accept.
Code: |
Public Function LngToFlt(lngData As Long) As Double
    On Error GoTo EH
    Dim lngLongData As LongData
    Dim fltFloatData As FloatData
    lngLongData.dta = lngData
    LSet fltFloatData = lngLongData
    LngToFlt = CDbl(fltFloatData.dta)
    Exit Function
EH:
    MsgBox "An error occurred while in the LngToFlt function." & vbNewLine & "Error Number: " & Err.Number & vbNewLine & "Error Description: " & Err.Description
    Resume Next
End Function
|
And this code takes a float, read from the game, and turns it into a long (aka 4 byte integer).
Code: |
Public Function FltToLng(fltData As Double) As Long
    On Error GoTo EH
    Dim lngLongData As LongData
    Dim fltFloatData As FloatData
    fltFloatData.dta = fltData
    LSet lngLongData = fltFloatData
    FltToLng = lngLongData.dta
    Exit Function
EH:
    MsgBox "An error occurred while in the FltToLng function." & vbNewLine & "Error Number: " & Err.Number & vbNewLine & "Error Description: " & Err.Description
    Resume Next
End Function
|
Using them:
In the beginning of each sub or function I know I'll read/write to memory, I define these variables.
Code: |
Dim lngWValue as Long
Dim lngRValue As Long
Dim lngWOffset As Long
Dim lngROffset As Long
Dim dblValue As Double
Dim i As Integer
|
lngWValue = This will be the variable I use, to hold the "Write Data", If I happen to write to memory.
lngRValue = This variable will be the recipient of any read data.
I.E.
Code: |
lngRValue = Read4Bytes(lngROffset, 4)
|
lngROffset = The variable that holds the address I'm reading from or writing to, as seen in the above example.
dblValue = The variable that I use, if I need to turn a game-read float (which is in long form) , to a VB style float.
I.E.
Code: |
dblValue = LngToFlt(lngRValue)
|
The following code...
- Sets lngROffset to an address, which is found in the "Tag" property of txtVal(22). (which is just a text box on the form).
- Reads the value from memory, found at lngROffset's address
- Uses dblValue to figure out what the float form of the read in data is.
- Updates the caption (displayed text) of lblName(7) - with "Current Speed: dblValue" (the rest is just formatting, which is needed to cut off the decimal numbers. Else, it would show 12.2312312441241 instead of 12 )
Code: |
Dim lngWValue as Long
Dim lngRValue As Long
Dim lngROffset As Long
Dim dblValue As Double
Dim i As Integer
lngROffset = CLng(Val("&H" & frmSettings.txtVal(22).Tag))
lngRValue = Read4Bytes(lngROffset, 4)
dblValue = LngToFlt(lngRValue)
lblName(7).Caption = "Current Speed: " & Format(dblValue, "###0")
|
Soooo.. To answer your question finally...
Code: |
Dim intJong As Integer
intJong = 50
' Address to write to
lngWOffset = CLng(Val("&H12345678"))
' Convert the number to its in-game float form (held in a Long)
lngWValue = FltToLng(CDbl(intJong))
Write4Bytes lngWOffset, lngWValue
|
Last edited by Zhoul on Fri Dec 23, 2005 1:09 pm; edited 1 time in total |
|
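What the LSet copy in FltToLng and LngToFlt does at the byte level, as an added Python example that is not part of Zhoul's post or trainer code. `flt_to_lng` and `lng_to_flt` mirror the VB names, `bytes_in_memory` and `compare` are hypothetical helpers, and reading "feeding a float directly" as a numeric Double-to-Long conversion is an assumption about the cause the post leaves unexplained.

```python
import struct


def flt_to_lng(value: float) -> int:
    """Bits of `value` as an IEEE-754 single, read back as a signed 32-bit long.

    The 4 bytes are copied, not converted, like LSet between the two user types.
    struct raises OverflowError when `value` does not fit in a single.
    """
    return struct.unpack("<l", struct.pack("<f", value))[0]


def lng_to_flt(bits: int) -> float:
    """Inverse of flt_to_lng: reinterpret a signed 32-bit long as a single."""
    return struct.unpack("<f", struct.pack("<l", bits))[0]


def bytes_in_memory(bits: int) -> str:
    """Little-endian byte layout of a signed 32-bit value, as a hex string."""
    return struct.pack("<l", bits).hex(" ").upper()


def compare(value: float) -> dict:
    """Numeric conversion versus bit reinterpretation for one value."""
    numeric = int(round(value))          # assumed: what a plain Long conversion stores
    reinterpreted = flt_to_lng(value)    # what FltToLng hands to Write4Bytes
    return {
        "numeric_long": numeric,
        "numeric_seen_as_float": lng_to_flt(numeric),
        "bits_long": reinterpreted,
        "bits_in_memory": bytes_in_memory(reinterpreted),
        "bits_seen_as_float": lng_to_flt(reinterpreted),
    }


if __name__ == "__main__":
    # 50 is the value used in the post; -1.0 shows a float whose sign bit
    # makes the resulting signed long negative.
    for sample in (50.0, -1.0):
        for key, val in compare(sample).items():
            print(f"{sample:>5} {key:<22} {val}")
```
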
JONG Expert Cheater Reputation: 0
Joined: 30 Nov 2005 Posts: 130
|
Posted: Fri Dec 23, 2005 12:44 pm Post subject: |
|
|
Zhoul wrote: | Soooo.. To answer your question finally...
Code: |
Dim intJong As Integer
intJong = 50
lngWOffset = CLng(Val("&H12345678"))
lngWValue = FltToLng(CDbl(intJong))
Write4Bytes lngWOffset, lngWValue
|
|
Wa, thanks for your hard work.
I wrote code like your answer above:
Code: |
Private Sub Command1_Click()
    JumpValue = jumpText
    lngROffset = CLng(Val("&H961D0C"))
    lngWValue = FltToLng(CDbl(JumpValue))
    Write4Bytes lngROffset, lngWValue
End Sub
|
The "jumpText" is a textbox; I want to let the player fill in the jump height they want, then push a key to change the above thing.
When I compile it, VB shows me an error:
Byref not right.
I think maybe I must transform the above value to a hex value, so I searched the web and found code like:
Code: |
Private Function ConvertNumberToString(number As Double) As String
    If number < 256 Then
        ConvertNumberToString = Chr(number)
        Exit Function
    End If
    If number < 65536 Then
        ConvertNumberToString = Chr(number And 255) & Chr((number And 65280) / 256)
        Exit Function
    End If
    b4 = number And 255: number = Int(number / 256)
    b3 = number And 255: number = Int(number / 256)
    b2 = number And 255: number = Int(number / 256)
    b1 = number And 255: number = Int(number / 256)
    ConvertNumberToString = Chr(b4) & Chr(b3) & Chr(b2) & Chr(b1)
End Function
|
I tried to use the above code to transform the value, but it is still not right.
Maybe I must search for more info.
|
cparty Expert Cheater Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Fri Dec 23, 2005 12:49 pm Post subject: |
|
|
JONG wrote: | JumpValue = jumpText |
I don't know if this will help, but if "jumpText" is the TextBox, then you usually want to access the content of this TextBox and not the TextBox itself, so it would be:
Code: | JumpValue = jumpText.Text |
|
Zhoul Master Cheater Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Fri Dec 23, 2005 12:55 pm Post subject: |
|
|
**EDIT**
Convert number to text!
Code: |
Dim strTextNum as String
strTextNum = Str(intNumber)
|
---------------------------------------------------------
Convert text to a number:
Code: |
Dim intNumber as Integer
intNumber = Val(jumpText.Text)
|
---------------------------------------------------------
Convert text to a long:
Code: |
Dim lngNumber as Long
lngNumber = CLng(Val(jumpText.Text))
|
---------------------------------------------------------
Convert text to Double:
Code: |
Dim dblValue as Double
dblValue = CDbl(Val(jumpText.Text))
|
---------------------------------------------------------
To fix your code:
Code: |
Private Sub Command1_Click()
    Dim lngWValue As Long
    Dim lngWOffset As Long
    Dim JumpValue As Double
    ' Read the number typed into the text box
    JumpValue = CDbl(Val(jumpText.Text))
    lngWOffset = CLng(Val("&H961D0C"))
    ' Convert to the in-game float form, then write it
    lngWValue = FltToLng(JumpValue)
    Write4Bytes lngWOffset, lngWValue
End Sub
|
The entire code I wrote above (the fix to yours) could be as small as this even...
Code: |
Private Sub Command1_Click()
    Write4Bytes &H961D0C, FltToLng(CDbl(Val(jumpText.Text)))
End Sub
|
---------------------------------------------------------
Also, if you're going to put the address directly in code, rather than read it as text...
Code: |
lngWOffset = CLng(&H961D0C)
|
Or, if you defined lngWOffset already!
Code: |
Dim lngWOffset As Long
lngWOffset = &H961D0C
|
Works fine..
All these conversions are IN THE CODE at the top of the frmMain code section
'---- Some Notes That Might Help ----
'The following functions will convert either a string or
'an expression to the indicated types. If the expression
'is outside the result type range, then an error results.
Return Type / Function
Boolean / CBool
Byte (0 to 255) / CByte
Byte (0 to 255) / Asc
Currency / CCur
Date / CDate
Decimal (weird) / CDec
Double (Floating point) / CDbl
Integer (16 bits) / CInt
Integer part of number / Int
Integer part of number / Fix
Long (32-bit Integer) / CLng
Numeric (Floating Point) / Val
Single (Floating point) / CSng
String / Hex
String / Oct
String / CStr
String / Str
String / Format
Variant / CVar
Last edited by Zhoul on Fri Dec 23, 2005 1:39 pm; edited 5 times in total |
|
Zhoul Master Cheater Reputation: 1
Joined: 19 Sep 2005 Posts: 394
|
Posted: Fri Dec 23, 2005 1:21 pm Post subject: |
|
|
cparty wrote: | JONG wrote: | JumpValue = jumpText |
I don't know if this will help, but if "jumpText" is the TextBox, then you usually want to access the content of this TextBox and not the TextBox itself, so it would be:
Code: | JumpValue = jumpText.Text |
|
Sadly, VB is usually so assuming, that
Code: |
Dim strJumpValue As String
strJumpValue = jumpText.Text
|
is the same as...
Code: |
Dim strJumpValue As String
strJumpValue = jumpText
|
But I will say, it's ALWAYS best to define the .Text part... as some code might think you're trying to pass the object (the text box object) - rather than the .Text value.
|
cparty Expert Cheater Reputation: 0
Joined: 01 Dec 2005 Posts: 219
|
Posted: Fri Dec 23, 2005 1:26 pm Post subject: |
|
|
Zhoul wrote: | Sadly, VB is usually so assuming, that |
Thanks for the info. I already saw you can assign a string to an integer/long without a problem. Better, though, to use the conversion functions you gave in the post above.
|