Geri (Moderator; Reputation: 111; Joined: 05 Feb 2010; Posts: 5636)
Posted: Wed Jun 22, 2011 7:05 am
Of course it is working in most of the games. I mean the feature itself is working for every program, but some games are different (like flash games, script based games, etc). In most games, you will find structures like this.
gaming04 (Expert Cheater; Reputation: 0; Joined: 06 Dec 2010; Posts: 186)
Posted: Wed Aug 03, 2011 2:49 am
Funny story, I tried this method for unit health in Warcraft 3, Frozen Throne and I failed miserably. There was no playerID within a 4096 unit range.
Dark Byte (Site Admin; Reputation: 458; Joined: 09 May 2003; Posts: 25296; Location: The Netherlands)
Posted: Wed Aug 03, 2011 7:29 am
It could be that the player id is stored in a structure the current structure points to.
So open all pointers, or try the structure spider, and find the player id that way.
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
gaming04 (Expert Cheater; Reputation: 0; Joined: 06 Dec 2010; Posts: 186)
Posted: Wed Aug 03, 2011 12:43 pm
I took a look at pointers inside the structures, and found something interesting. None of the pointers are different, even though retrieved from different player units.
podstanar (Advanced Cheater; Reputation: 4; Joined: 02 May 2012; Posts: 82; Location: Flatland)
Posted: Thu May 10, 2012 5:16 pm
Geri wrote:
    Usually you do not need to bother with player ID. I think your game will have shared and non-shared codes for your health too. So make a script which is using both of them.
    1. You use the non-shared code to find your health's address.
    2. You use the shared code to set the enemy's health to 0 but add a compare to make sure that the health on your address is not set to 0.
    If you cannot do this, you need to find the health of some enemies and your health too and compare the structures to see what is similar between enemies and different for you.
Can you post more info on this subject? I'm looking for such a method and still don't know how to do it.
podstanar (Advanced Cheater; Reputation: 4; Joined: 02 May 2012; Posts: 82; Location: Flatland)
Posted: Fri May 11, 2012 2:24 pm
416c6558 wrote:
    Geri wrote:
        Usually you do not need to bother with player ID. I think your game will have shared and non-shared codes for your health too. So make a script which is using both of them.
        1. You use the non-shared code to find your health's address.
        2. You use the shared code to set the enemy's health to 0 but add a compare to make sure that the health on your address is not set to 0.
        If you cannot do this, you need to find the health of some enemies and your health too and compare the structures to see what is similar between enemies and different for you.
    Can you post more info on this subject? I'm looking for such a method and still don't know how to do it.
Can someone explain this please?
Dark Byte (Site Admin; Reputation: 458; Joined: 09 May 2003; Posts: 25296; Location: The Netherlands)
Posted: Fri May 11, 2012 2:43 pm
You find what code accesses your health and then make sure it is only used for your health.
Then do a code injection there to store the address of your health.
In the code that decreases health, check if it is your health or that of an enemy and take the appropriate steps.
podstanar (Advanced Cheater; Reputation: 4; Joined: 02 May 2012; Posts: 82; Location: Flatland)
Posted: Fri May 11, 2012 2:49 pm
Dark Byte wrote:
    You find what code accesses your health and then make sure it is only used for your health.
    Then do a code injection there to store the address of your health.
    In the code that decreases health, check if it is your health or that of an enemy and take the appropriate steps.
So, I can use (for e.g.) the code that shows my health on screen? And for the second part (bolded), can you show me an example in asm (AA) if you don't mind?
Igor (Expert Cheater; Reputation: 1; Joined: 04 Apr 2012; Posts: 145)
podstanar (Advanced Cheater; Reputation: 4; Joined: 02 May 2012; Posts: 82; Location: Flatland)
Posted: Sat May 12, 2012 7:27 am
SvcHost wrote:
    This is the example script that you are looking for.
    forum.cheatengine.org/viewtopic.php?t=551314
I see what you did there. You compared values in a structure, probably analyzing them with Data/Dissect structures. Actually I'm looking for a way of doing that without using the data dissector, like Dark Byte mentioned above. It has got something to do with the player-only health address (like the one which is only drawing health on screen). In my case, I have two addresses: one that is changing the health of both player and CPU; if I modify it, nobody will be able to die. The second is only drawing the player's health on screen (GUI). What I want to do is somehow patch only the player's HP without touching the CPU's.
Igor (Expert Cheater; Reputation: 1; Joined: 04 Apr 2012; Posts: 145)
Posted: Sat May 12, 2012 8:14 am
416c6558 wrote:
    I see what you did there. You compared values in a structure, probably analyzing them with Data/Dissect structures. Actually I'm looking for a way of doing that without using the data dissector, like Dark Byte mentioned above. It has got something to do with the player-only health address (like the one which is only drawing health on screen). In my case, I have two addresses: one that is changing the health of both player and CPU; if I modify it, nobody will be able to die. The second is only drawing the player's health on screen (GUI). What I want to do is somehow patch only the player's HP without touching the CPU's.
In the first script I used Data/Dissect structures, and in the alternate solution (the big one) I don't use Data/Dissect structures. That one actually writes health individually to player and enemy. You should consider the alternate solution in your case (it means you don't need to find the structures of player and enemy).
podstanar (Advanced Cheater; Reputation: 4; Joined: 02 May 2012; Posts: 82; Location: Flatland)
Posted: Sat May 12, 2012 10:39 am
Interesting, I wonder how you collected all that information? How did you know the player's and enemy's offsets? The address tutorial-i386.exe+2504C you used in your script never accessed any address for me; only tutorial-i386.exe+250C6 wrote to health when I used "find out what writes to this address". Can you explain your script a bit more?
Igor (Expert Cheater; Reputation: 1; Joined: 04 Apr 2012; Posts: 145)
Posted: Sat May 12, 2012 12:22 pm
416c6558 wrote:
    Interesting, I wonder how you collected all that information? How did you know the player's and enemy's offsets? The address tutorial-i386.exe+2504C you used in your script never accessed any address for me; only tutorial-i386.exe+250C6 wrote to health when I used "find out what writes to this address". Can you explain your script a bit more?
You need to find how the ebx value is calculated at "Tutorial-i386.exe"+250C6 mov [ebx+04],eax.
Set a breakpoint at the top of the function and press F7 to step in, and check the values in the registers to find how ebx is calculated.
If you don't find it in the current function, then find the call of that function (simply press F8 till you find 'ret') and place another breakpoint at the top of that calling function, and check again (repeat this).
Note:
1) To find the top of the function, right click and select 'select current function'.
2) If you found mov ebx,[eax+30] (for example), then after that you have to find how the eax value is calculated and write down the offset 30.
3) You can also use 'Break and trace instruction'.
I found the Player1 offset at "tutorial-i386.exe"+258C7 mov eax,[ebx+0000049C] and I stored this to [Player1_Dave]:
    push ecx
    mov ecx,[ebx+49C]        // offset 49C -> Player1 structure
    mov [Player1_Dave],ecx   // save the unit address for the later compare
    pop ecx
Player2 at "tutorial-i386.exe"+25897 mov eax,[ebx+000004A0]
Player3 at "tutorial-i386.exe"+255F5 mov eax,[ebx+000004A4]
Player4 at "tutorial-i386.exe"+25625 mov eax,[ebx+000004A8]
After you save these, compare the stored addresses to ebx; if one is equal then write the amount, and if not then jump to the original code.
You should do this compare at "Tutorial-i386.exe"+250C6 mov [ebx+04],eax (the ebx value against the stored addresses):
    "Tutorial-i386.exe"+250C6:
        jmp WriteHealthAddress       // 5-byte jmp replaces mov [ebx+04],eax and the fldz after it
    WriteHealthAddressReturn:

    WriteHealthAddress:
        // ebx holds the unit structure being written; compare it with the saved addresses
        cmp ebx,[Player1_Dave]
        je IsPlayer1_Dave
        cmp ebx,[Player2_Eric]
        je IsPlayer2_Eric
        cmp ebx,[Enemy1_Hal]
        je IsEnemy1_Hal
        cmp ebx,[Enemy2_Kitt]
        je IsEnemy2_Kitt
        jmp WriteOriginal            // unknown unit: run the original code unchanged
    //----------------------------------
    IsPlayer1_Dave:
        mov [ebx+04],(float)99999
        fldz
        jmp WriteHealthAddressReturn
    IsPlayer2_Eric:
        mov [ebx+04],(float)99999
        fldz
        jmp WriteHealthAddressReturn
    IsEnemy1_Hal:
        mov [ebx+04],(float)0
        fldz
        jmp WriteHealthAddressReturn
    IsEnemy2_Kitt:
        mov [ebx+04],(float)0
        fldz
        jmp WriteHealthAddressReturn
    //----------------------------------
    WriteOriginal:
        mov [ebx+04],eax             // original instruction: store the computed health
        fldz                         // original instruction that followed it
        jmp WriteHealthAddressReturn
yosimba2000 (How do I cheat?; Reputation: 0; Joined: 20 Jun 2012; Posts: 6)
Posted: Thu Aug 09, 2012 7:07 pm
Quick question: in the god mode code provided in the beginning, what does jne +6 mean?
I know jne is Jump If Not Equal, but why does jne +6 mean "skip two lines of following code"? Why is it not jne +2?
mgr.inz.Player (I post too much; Reputation: 218; Joined: 07 Nov 2008; Posts: 4438; Location: In the country on the Vistula. UTC+01:00)
Posted: Fri Aug 10, 2012 2:05 am
>>> jne +6 mean "skip two lines of following code"? why is it not jne+2? <<<
It can skip more lines. Maximum 6 lines (NOPs).
"jne +6" opcode is: 75 06
    00401020 - 75 06 - jne 00401028
    00401022 - 31 C0 - xor eax,eax
    00401024 - 31 DB - xor ebx,ebx
    00401026 - 31 C9 - xor ecx,ecx
    00401028 - C3 - ret
+6 skips three lines.
"jne +2" opcode is: 75 02
    00401020 - 75 02 - jne 00401024
    00401022 - 31 C0 - xor eax,eax
    00401024 - 31 DB - xor ebx,ebx
    00401026 - 31 C9 - xor ecx,ecx
    00401028 - C3 - ret
+2 skips one line.
Again, "jne +6":
    00401020 - 75 06 - jne 00401028
    00401022 - 8B 46 08 - mov eax,[esi+08]
    00401025 - 89 46 04 - mov [esi+04],eax
    00401028 - 61 - popad
    00401029 - 9D - popfd
+6 skips two lines.
00401022 + 6 gives 00401028
00401022 + 2 gives 00401024
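The arithmetic behind that answer, as an added example that is not part of the thread: it decodes a 2-byte short jne (75 xx), computes the target as the next-instruction address plus the signed rel8, and counts which instructions of the quoted listings are stepped over, so "+6" is seen to be six bytes rather than a number of lines. The listings are constructed from the byte dumps quoted above.

```python
# Added example, not code from the thread: why "jne +6" skips a number of
# BYTES (three 2-byte xors, or two 3-byte movs), not a number of lines.
# A short Jcc (opcodes 70..7F) is 2 bytes; its target is the address of the
# next instruction plus the signed 8-bit displacement rel8.
# The listings below are constructed from the byte dumps quoted in the thread.

def short_jcc_target(addr, opcode, rel8):
    """Target of a 2-byte short conditional jump located at addr."""
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError("opcode %#x is not a short Jcc" % opcode)
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8   # rel8 is sign-extended
    return addr + 2 + disp


def skipped_instructions(listing):
    """listing: [(addr, bytes), ...] in address order; entry 0 is the Jcc.
    Returns the entries that lie between the jump and its target."""
    jcc_addr, code = listing[0]
    target = short_jcc_target(jcc_addr, code[0], code[1])
    return [(a, b) for a, b in listing[1:] if jcc_addr + 2 <= a < target]


def rel8_to_skip(instr_lengths):
    """Displacement needed to step over instructions of the given byte lengths."""
    total = sum(instr_lengths)
    if total > 0x7F:
        raise ValueError("too far for a short jump; use a near (rel32) Jcc")
    return total


# "jne +6" over three xor instructions (2 bytes each)
LISTING_XOR = [
    (0x00401020, b"\x75\x06"),      # jne 00401028
    (0x00401022, b"\x31\xC0"),      # xor eax,eax
    (0x00401024, b"\x31\xDB"),      # xor ebx,ebx
    (0x00401026, b"\x31\xC9"),      # xor ecx,ecx
    (0x00401028, b"\xC3"),          # ret
]
# "jne +6" over two mov instructions (3 bytes each), as in the god-mode script
LISTING_MOV = [
    (0x00401020, b"\x75\x06"),      # jne 00401028
    (0x00401022, b"\x8B\x46\x08"),  # mov eax,[esi+08]
    (0x00401025, b"\x89\x46\x04"),  # mov [esi+04],eax
    (0x00401028, b"\x61"),          # popad
]

if __name__ == "__main__":
    for name, lst in (("xor", LISTING_XOR), ("mov", LISTING_MOV)):
        skipped = skipped_instructions(lst)
        print(name, "jne +6 skips", len(skipped), "instructions",
              [hex(a) for a, _ in skipped])
    print("rel8 needed to skip two 3-byte movs:", rel8_to_skip([3, 3]))
```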