Cheat Engine The Official Site of Cheat Engine
HonestGamer Cheater
Reputation: 1
Joined: 13 Aug 2009 Posts: 27 Location: India
Posted: Thu Aug 13, 2009 12:29 pm Post subject: Shared Health Routines
Okay, training "Land of the Dead" is getting tough for me.
As I am not a pro in game hacking, I fail in making conditions. So this game uses the same opcode for player and AI. So if I try to inject a code or just NOP it, it affects the AI too. And yes, there are no pointers found for health, as the addresses change only on player death, not on game restart, level change, etc.
So here is the code:
10136E9E: mov [ebx],eax
So I took advice from DABhand from FileForums and CheatHappens. He introduced me to a concept which crashed the game for me (code areas are not mentioned as I am not checking it now!).
So I find a code cave with a code cave finder. And yes, it has read-write attributes.
So 101369E: jmp codecave1 (the opcode is 2 bytes only, so I check to NOP the left-out area, noting the opcodes that were eliminated)
codecave1:
cmp esi, XXXXXXXX (when I check the register's value for the player, I find out esi remains static, and XXXXXXXX is the value I find when I double-click on the opcode)
je codecave2 (if it is equal, jump to codecave2)
mov [ebx],00000000 (move a 0 value in for AI, this gives a one-hit-kill effect!)
mov ebx,eax (terminated code for creating a jmp in the game code)
mov eax,[esp+14] (again a terminated code!)
jmp 101369E (back to game code)
codecave2:
mov [ebx],00000064 (force 100 value for player only)
mov ebx,eax
mov eax,[esp+14]
jmp 101369E
So after I return to the game, it freezes and hangs. Any mistakes I made?
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25949 Location: The netherlands
Posted: Thu Aug 13, 2009 4:07 pm
Does your codecave have execute attributes and is it big enough? (Really, use virtualallocex, it saves so much trouble.)
Also, are you sure he meant esi is the same, not [esi] (that is the value of the 4 bytes located at the address esi points at)?
But the real problem here is that you have a jmp 101369e; that means you jump right into your jmp codecave1, meaning an infinite loop (freeze and hang).
You should jump to after the jmp and the other overwritten code.
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so I can keep helping
 |
HonestGamer Cheater
Reputation: 1
Joined: 13 Aug 2009 Posts: 27 Location: India
Posted: Fri Aug 14, 2009 12:01 am
Dark Byte wrote:
Does your codecave have execute attributes and is it big enough? (Really, use virtualallocex, it saves so much trouble.)
Also, are you sure he meant esi is the same, not [esi] (that is the value of the 4 bytes located at the address esi points at)?
But the real problem here is that you have a jmp 101369e; that means you jump right into your jmp codecave1, meaning an infinite loop (freeze and hang).
You should jump to after the jmp and the other overwritten code.

Can you please explain further? And I don't think it has the execute attribute. I use Spookie's CodeCaver tool and search for zeros with (rw) - read-write attributes. And yes, they are normally in the .data region!
Can you show me how I write this in auto assembler?
EDIT: Forgot, yes esi is static, it's not [esi], but still I have my doubts on it. Are there any other ways of comparing and then making one-sided options?
Recifense I post too much
Reputation: 166
Joined: 17 Mar 2008 Posts: 3688 Location: Pernambuco - Brazil
Posted: Fri Aug 14, 2009 7:08 am
Hi,
About the real problem that DB refers to, here is something to help clarify it:
Considering the info you have passed, the original code should be like this:
Code:
0101369e 89 03        mov [ebx],eax
010136a0 8b d8        mov ebx,eax
010136a2 8b 44 24 14  mov eax,[esp+14]
010136a6 <--- next instruction (the coming back point)
1 - A jump far instruction takes 5 bytes and the code above takes 8 bytes.
Two changes:
a - Hacking point should be like this:
Code:
0101369E:
jmp codecave1
nop
nop
nop
b - The back to game code should be like this:
2 - Looking at the code, we can see that ebx is loaded with the same value as eax (maybe it will be used later on in the game code):
So, with a little change, the code could be like this:
Code:
mov eax,00
mov [ebx],eax (move a 0 value in for AI, this gives a one-hit-kill effect!)
...
and
Code:
mov eax,00000064
mov [ebx],eax (force 100 value for player only)
...
Note: With the use of labels the jump out / back to main code could be easier. There are some examples on the forum.
Cheers!
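The two points Recifense makes (steal whole instructions so the 5-byte jmp plus nops covers exactly 8 bytes, and jump back to the instruction after them, not to the hook itself) can be checked in a small model. The block below is an added example written for this page by the editor; it is not code from the thread, from Cheat Engine or from the game. The hook address and byte encodings are the ones listed in the post above. CAVE_ADDR, PLAYER_ESI and every register and memory value are constructed for the demonstration, and the function names are my own.

```python
"""Model of the detour discussed above (editor's added example, not code from
the thread or from Cheat Engine).  Hook address and encodings are the ones
Recifense listed; CAVE_ADDR, PLAYER_ESI and all register/memory values are
constructed for the demo."""

HOOK_ADDR = 0x0101369E
CAVE_ADDR = 0x01400000      # constructed: stands in for wherever the cave lives
PLAYER_ESI = 0x00AABBCC     # constructed: stands in for the thread's XXXXXXXX
JMP_LEN = 5                 # an E9 rel32 jmp is five bytes

# (address, encoding, mnemonic) of the original instructions at the hook point.
ORIGINAL = [
    (0x0101369E, bytes.fromhex("8903"),     "mov [ebx],eax"),
    (0x010136A0, bytes.fromhex("8bd8"),     "mov ebx,eax"),
    (0x010136A2, bytes.fromhex("8b442414"), "mov eax,[esp+14]"),
]


def stolen(original, need=JMP_LEN):
    """Take whole instructions from the hook point until at least `need` bytes
    are covered; the jmp must never end in the middle of an instruction."""
    taken, size = [], 0
    for ins in original:
        if size >= need:
            break
        taken.append(ins)
        size += len(ins[1])
    if size < need:
        raise ValueError("not enough bytes at the hook point for a 5-byte jmp")
    return taken, size


def rel32(src, dst):
    """Displacement of an E9 jmp at `src` landing on `dst`; x86 measures it
    from the end of the jmp instruction, not from its start."""
    return (dst - (src + JMP_LEN)) & 0xFFFFFFFF


def build_patch(hook=HOOK_ADDR, cave=CAVE_ADDR, original=ORIGINAL):
    """Bytes to write at the hook point, the address the cave must jump back
    to, and the mnemonics the cave has to replay before doing so."""
    taken, size = stolen(original)
    patch = (b"\xe9" + rel32(hook, cave).to_bytes(4, "little")
             + b"\x90" * (size - JMP_LEN))            # nop out the leftover bytes
    return patch, hook + size, [m for _, _, m in taken]


PATCH, RETURN_ADDR, REPLAYED = build_patch()


def cave(return_to):
    """Recifense's cave as one callable per instruction.  Each returns the
    next pc, or None to fall through to the following entry."""
    def cmp_esi(s):   s["zf"] = s["esi"] == PLAYER_ESI
    def je_player(s): return CAVE_ADDR + 7 if s["zf"] else None
    def eax_0(s):     s["eax"] = 0
    def eax_64(s):    s["eax"] = 0x64
    def store(s):     s["mem"][s["ebx"]] = s["eax"]     # mov [ebx],eax
    def ebx_eax(s):   s["ebx"] = s["eax"]               # mov ebx,eax
    def eax_stk(s):   s["eax"] = s["mem"][s["esp"] + 0x14]
    def back(s):      return return_to                  # jmp return_to
    return [cmp_esi, je_player,
            eax_0, store, ebx_eax, eax_stk, back,       # AI path (indices 2-6)
            eax_64, store, ebx_eax, eax_stk, back]      # player path (indices 7-11)


def simulate(return_to, esi, max_steps=64):
    """Run hook -> cave -> return_to on a toy machine.  Returns ("ok", state)
    once control reaches the first untouched original instruction, or
    ("infinite loop", state) if the cave lands back on the hook itself."""
    s = {"eax": 0x2A, "ebx": 0x00C0FFEE, "esi": esi, "esp": 0x0018FF00,
         "zf": False, "mem": {0x00C0FFEE: 0x2A, 0x0018FF14: 0x1234}}  # constructed
    body, pc, hook_hits = cave(return_to), HOOK_ADDR, 0
    for _ in range(max_steps):
        if pc == HOOK_ADDR:                               # the patched-in jmp codecave1
            hook_hits += 1
            if hook_hits > 1:
                return "infinite loop", s
            pc = CAVE_ADDR
        elif HOOK_ADDR + JMP_LEN <= pc < RETURN_ADDR:    # the nop padding
            pc += 1
        elif pc == RETURN_ADDR:                           # first instruction left intact
            return "ok", s
        elif CAVE_ADDR <= pc < CAVE_ADDR + len(body):
            nxt = body[pc - CAVE_ADDR](s)
            pc = nxt if nxt is not None else pc + 1
        else:
            raise RuntimeError(f"control reached unmapped address {pc:#010x}")
    return "timeout", s


if __name__ == "__main__":
    print("patch bytes:", PATCH.hex(" "), "-> return to", f"{RETURN_ADDR:#010x}")
    print("jmp back onto the hook :", simulate(HOOK_ADDR, PLAYER_ESI)[0])
    print("jmp back past the nops :", simulate(RETURN_ADDR, PLAYER_ESI)[0])
```

Run stand-alone it prints the 8 patch bytes (E9, the little-endian displacement, three 90s) and the return address 0x010136A6, then shows the two outcomes: returning to 0x0101369E re-enters the jmp and the model reports the infinite loop the thread describes, while returning to 0x010136A6 completes. The simulated state after the player path also shows why Recifense pointed at the mov ebx,eax: because eax is overwritten before it, ebx ends up holding the forced value (0x64 or 0) rather than whatever eax carried into the routine.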
HonestGamer Cheater
Reputation: 1
Joined: 13 Aug 2009 Posts: 27 Location: India
Posted: Sat Aug 15, 2009 12:41 am
Thanks a lot. And this concept applies to this game where ESI remains static.
But what do you do when they are dynamic?
Which values do you compare to make an option player only?
The_DABhand How do I cheat?
Reputation: 0
Joined: 01 Nov 2009 Posts: 3
Posted: Sun Nov 01, 2009 9:48 am
I know this has been answered ages ago, but please don't throw names about if you don't understand, which in turn makes me look like an idiot, HG.
As said, your infinite loop is the problem; you ALWAYS ALWAYS jump/ret back from code caves to the opcode after your own opcode that jumps/calls to the code cave.
And by the look of the address it's a case of code shifting.
You will really have to read basic stuff so you understand it 100%. You have potential, but you need to go to school and learn properly.
Bswap Newbie cheater
Reputation: 0
Joined: 18 Aug 2009 Posts: 21
Posted: Sun Nov 01, 2009 9:07 pm Post subject: re:
I'm certain any advice or information DAB has given out would be 100% accurate and reliable. It's not DAB's advice on the concept which is causing the GPF, it's your implementation of the advice.
I find 'Hit Tracing' in OllyDbg is perfect for shared routines.
I hate to refer away from CEF, but www.gamehacking.com (see the tutorials section) has some excellent tutorials detailing when and how to use 'Hit Tracing'. One by Labrynth comes to mind, [Psych] as well.
Hit tracing is a neat feature that highlights the exact path of execution, providing valuable information about the flow of code.
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25949 Location: The netherlands
Posted: Thu Nov 05, 2009 10:45 am
It might be easier to just use CE's "find out what addresses this code accesses".
This will log all memory accesses by the specified instruction, showing it both when the enemy's memory is accessed and when yours is.
You can then inspect the address, and even the register states when it got accessed.
It's perfect for shared routines.
And you can then use the structure definer to compare two different objects to each other to find out how to distinguish them.
http://wiki.cheatengine.org/index.php?title=Shared_health_routines
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so I can keep helping