zirkhaki Cheater
Reputation: 0
Joined: 10 Dec 2008 Posts: 44 Location: Iran
|
Posted: Sun Dec 14, 2008 4:54 am Post subject: Chicken Invaders 3 problem |
|
|
Hey guys
I'm a noob and I had made some trainers for some games before, but all of them were easy to hack.
This game, I mean Chicken Invaders 3, has made some problems for me.
I found some addresses for options like Gun power and Gun health, and made them freeze by aas.
Another option is the "life".
I found its address and I froze it, and it didn't freeze. I chose "what writes to this address" and a code was found:
| Code: | 00489c48 - 89 87 54 22 00 00 - mov [edi+00002254],eax |
Then I replaced it with code that does nothing; again no result.
Then I went to auto assembly and found this:
| Code: | [ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
00489c48:
jmp newmem
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
mov [edi+00002254],eax
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
|
I wrote some commands like add or sub and changed the value "eax" to 5, and again no good result.
If anyone can help, it would be appreciated.
|
|
|
 |
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
|
Posted: Sun Dec 14, 2008 2:31 pm Post subject: |
|
|
Scroll up in memory above that address you found and see if you see dec or sub.
Alter that instruction and you might have it.
Also, that AA you posted is the default one when going to AA in memory view.
|
|
|
 |
zirkhaki Cheater
Reputation: 0
Joined: 10 Dec 2008 Posts: 44 Location: Iran
|
Posted: Sun Dec 14, 2008 2:58 pm Post subject: |
|
|
Thanks, I'll try that
EDIT:
First I want to say that the code that I put in my first post is the default, and I changed it to something like
| Code: | add [edi+00002254],5
or
sub [edi+00002254],5 |
and it didn't make any changes.
Now I put the addresses before and after that address, none of which started with dec or sub:
| Code: | 00489C3A - 8d bc 01 f0 03 00 00 - lea edi,[ecx+eax+000003f0]
00489C41 - 8b ce - mov ecx,esi
00489C43 - e8 68 ee 00 00 - call 00498ab0
00489C48 - 89 87 54 22 00 00 - mov [edi+00002254],eax
00489C4E - a1 2c d5 55 00 - mov eax,[0055d52c] : 00C00048
00489C53 - 5f - pop edi
00489C54 - 8b 90 fc 5b 01 00 - mov edx,[eax+00015bfc]
00489C5A - 88 9a 61 02 00 00 - mov [edx+00000261],bl
|
If you can understand anything from these addresses, please make me aware of that.
|
|
|
 |
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
|
Posted: Mon Dec 15, 2008 7:38 pm Post subject: |
|
|
Change:
00489C48 - 89 87 54 22 00 00 - mov [edi+00002254],eax
To:
00489C48 - 90
00489C49 - 90
00489C4A - 90
00489C4B - 90
00489C4C - 90
00489C4D - 90
See if it freezes for you. Also this could have weird effects like enemies health as well. But worth a try.
Another way is to change the value of eax before mov [edi+00002254],eax is executed.
mov eax,64 <----- moves 100 decimal to eax
mov [edi+00002254],eax
-------------------------------------------------
64 hexadecimal = 100 decimal "What you see in game"
|
|
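Added example, not written by any poster in this thread: a small Python decoder for the `mov` lines quoted in the posts above. It shows why the instruction at 00489C48 is six bytes long, which is why the template's 5-byte `jmp newmem` is followed by one `nop` and why the NOP fill runs from 00489C48 to 00489C4D. The names `decode_mov` and `hook_layout` are made up for this illustration, and it assumes the `[reg+disp32]` operand form that every quoted line uses.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# Listing lines copied from the posts in this thread.
LISTING = [
    "00489C48 - 89 87 54 22 00 00 - mov [edi+00002254],eax",
    "00489C54 - 8b 90 fc 5b 01 00 - mov edx,[eax+00015bfc]",
    "00489C5A - 88 9a 61 02 00 00 - mov [edx+00000261],bl",
    "00498aeb - 89 b3 80 00 00 00 - mov [ebx+00000080],esi",
    "00498af4 - 89 b3 04 01 00 00 - mov [ebx+00000104],esi",
]

def decode_mov(line):
    """Decode an 'address - bytes - text' line holding MOV opcode 88, 89
    or 8B with a [reg+disp32] operand (ModRM mod=10, no SIB byte)."""
    addr_s, bytes_s, listed = [p.strip() for p in line.split(" - ", 2)]
    code = bytes.fromhex(bytes_s)
    if len(code) != 6 or code[0] not in (0x88, 0x89, 0x8B):
        raise ValueError("instruction form not handled here")
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 2 or rm == 4:   # rm=4 would mean a SIB byte follows
        raise ValueError("addressing form not handled here")
    disp = struct.unpack_from("<I", code, 2)[0]   # little-endian disp32
    mem = "[%s+%08x]" % (REG32[rm], disp)
    r = REG8[reg] if code[0] == 0x88 else REG32[reg]
    # 8B loads a register from memory; 88/89 store a register to memory.
    text = "mov %s,%s" % ((r, mem) if code[0] == 0x8B else (mem, r))
    addr = int(addr_s, 16)
    return {"addr": addr, "length": len(code), "text": text,
            "listed": listed, "next": addr + len(code)}

def hook_layout(insn, jmp_len=5):
    """A rel32 JMP (E9 + 4 offset bytes) is 5 bytes; return how many bytes
    of the overwritten instruction are left to pad with NOP (0x90) and the
    address of the following instruction (the template's 'returnhere')."""
    return insn["length"] - jmp_len, insn["next"]

if __name__ == "__main__":
    for line in LISTING:
        insn = decode_mov(line)
        pad, ret = hook_layout(insn)
        print("%08X len=%d pad=%d next=%08X %s" % (
            insn["addr"], insn["length"], pad, ret, insn["text"]))
```

The decoded text of each line matches the disassembly quoted in the posts, and the computed next address for 00489C48 is 00489C4E, the instruction that follows it in the listing.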
|
 |
zirkhaki Cheater
Reputation: 0
Joined: 10 Dec 2008 Posts: 44 Location: Iran
|
Posted: Sat Jan 03, 2009 2:06 pm Post subject: |
|
|
I did both of them, but for the first method I have a question!
Should I do it by the "Fill Memory" option and change the value to 90 for 00489C48 to 00489C4D?
Because when I choose "what writes to this address" a code is found, and when I replace it with code that does nothing, it also NOPs all the addresses you said and changes them to 90.
Although I did both of them, still no result.
---------------------------------------------------
EDIT:
Any help yet?
I continued my search with other methods like the changed & unchanged options until I got 4 addresses which are dynamic, but I can't find the pointer because when I search for the value of the pointer needed to find these addresses I get a blank board (no result).
So I tried to NOP the address or do a code injection.
Here is what I found:
4 addresses for the number of lives.
After closing and reopening the game the addresses and even the values will change, so I can't do an exact value search. So what you are seeing here are all dynamic.
I brought them here for you to see the similarities between the values:
The addresses for 1 life (as you see, the difference between the first and second one, and also the difference between the third and fourth one, is just 1 value):
| Code: | 0285BFF4 4byte 771509522
0285C078 4byte 771509523
028E443C 4byte 3485192703
028E44C0 4byte 3485192702 |
When I try to find what writes to this address I get these:
For the first and the third address I get this:
| Code: | 00498aeb - 89 b3 80 00 00 00 - mov [ebx+00000080],esi |
But for the second one and the fourth one I get this:
| Code: | 00498af4 - 89 b3 04 01 00 00 - mov [ebx+00000104],esi |
As I said, I couldn't find the pointer, so I tried to do a code injection:
| Code: | mov [ebx+00000080],esi to mov [ebx+00000080],2DFC4D12 or(2DFC4D13 or CFBBD1FF or CFBBD1FE or even 5)
or
mov [ebx+00000104],esi to mov [ebx+00000104],2DFC4D12 or(2DFC4D13 or CFBBD1FF or CFBBD1FE or even 5) |
But after doing a code injection I get a negative mark behind the number of lives.
As I checked later, I found that for another option (chicken foot) there are 2 addresses which have the same situation as the life addresses. I mean they are also dynamic.
The same thing among them is the opcodes, which are the above-mentioned ones.
So what should I do now?
--------------------------------
At last I did it
wow
At last I made it.
I did a code injection for both opcodes and moved them to two different values such as 100 and 5, so the result was 95 lives, and also other options like missile and chicken foot.
Operation finished.
|
|
|
 |
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
|
Posted: Sun Jan 04, 2009 5:52 am Post subject: |
|
|
Now if you would, write a tutorial on your scans and assembly.
There are 2 or 3 other people asking about this very game in this section and wanting help on hacking it.
|
|
|
 |
samse Grandmaster Cheater
Reputation: 0
Joined: 02 Aug 2006 Posts: 760 Location: Look Back! But remember that I won't be there~ JackAss
|
Posted: Sun Jan 04, 2009 1:23 pm Post subject: |
|
|
I'm not wanting to hack it .. I want to learn how to hack so I'm trying to hack this random game ..
|
|
|
 |
Labyrnth Moderator
Reputation: 10
Joined: 28 Nov 2006 Posts: 6301
|
Posted: Sun Jan 04, 2009 3:24 pm Post subject: |
|
|
| samse wrote: | I'm not wanting to hack it .. I want to learn how to hack so I'm trying to hack this random game ..  |
And you don't think a tutorial on how to hack the same game you are attempting to learn on will work for you?
That happens to be the craziest reply I have seen in a while.
|
|
|
 |
zirkhaki Cheater
Reputation: 0
Joined: 10 Dec 2008 Posts: 44 Location: Iran
|
Posted: Sun Jan 04, 2009 6:12 pm Post subject: |
|
|
Good idea.
I'll try to do that if I have enough time.
|
|
|
 |
|