danny96 Newbie cheater Reputation: 0
Joined: 10 Jul 2020 Posts: 20
Posted: Tue Feb 23, 2021 2:58 pm Post subject: Hitman 3 Contracts One Hit Kill Problem
So I'm trying to make a one hit kill in Hitman 3 Contracts. In this game the opcode that writes the health of enemies is different; I mean it is not shared code. The problem is that when I write zero to enemies the game crashes. This is the part of the enemies' code:
HitmanContracts.NotifyDestroy+C43E:
0066B6D5 - 8B 96 8F000000 - mov edx,[esi+0000008F]
0066B6DB - 0FB7 C0 - movzx eax,ax
0066B6DE - 89 0C 10 - mov [eax+edx],ecx <<
0066B6E1 - 83 45 00 02 - add dword ptr [ebp+00],02
0066B6E5 - E9 76E9FFFF - jmp HitmanContracts.NotifyDestroy+ADC0
EAX=00000008
EBX=00000033
ECX=0000000E
EDX=0B92A030
ESI=0B929B90
EDI=0B929D38
ESP=0018F01C
EBP=0B929C27
EIP=0066B6E1
And this is my script:
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
originalcode:
mov dword ptr [edx+8],0      // zero the field 8 bytes into the struct edx points at (32-bit store, same width as the original)
mov [eax+edx],ecx            // original instruction, 3 bytes
add dword ptr [ebp+00],02    // original instruction, 4 bytes

exit:
jmp returnhere

"HitmanContracts.exe"+26B6DE:
jmp newmem                   // 5 bytes
nop 2                        // pad to the 7 bytes that were replaced
returnhere:

[DISABLE]
"HitmanContracts.exe"+26B6DE:
mov [eax+edx],ecx
add dword ptr [ebp+00],02
dealloc(newmem)
After some testing, I added ''mov [edx+8],0'' and I saw that it is working, but of course the problem isn't over. Loading saves or restarting chapters, and also picking up particular items, causes a crash. When I look at ''Find out what addresses this instruction accesses'' I see that a lot of addresses are accessed. Is it about a lot of addresses? How can I solve this problem?
_________________
_d_
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Tue Feb 23, 2021 4:56 pm Post subject: Re: Hitman 3 Contracts One Hit Kill Problem
Quote: Is it about a lot of addresses? How can I solve this problem?
Yes. There are likely other pointers or data running through the operation, and you need to delineate them to only get the one you want.
You've already found that eax==8 is somewhat useful, so start with that, then find other significant factors.
Code:
newmem:
cmp eax,8
jne short @f          // not the eax==8 case: skip the trace instruction
lea edx,[edx]         // no-op (edx = edx); put a "find what accesses" trace on this line
@@:
originalcode:
Put a "find what accesses" trace on lea edx,[edx] and see what comes up. Then look for ways to distinguish one from the rest.
danny96 Newbie cheater Reputation: 0
Joined: 10 Jul 2020 Posts: 20
Posted: Wed Feb 24, 2021 8:34 am
''Delineate them'': I totally agree with that, but honestly I didn't understand what we are trying to achieve. I assume you get my point. Not only enemies' health but also different values pop up when I debug the opcode:
311
312
313
326
22 (I know that this 22 is the health of an enemy)
324
327
329
330
I know basic commands in assembly, for example ''load effective address'', but I don't know that one. What is going on with the code you wrote?
newmem:
cmp eax,8
jne short @f
lea edx,[edx]
@@:
originalcode:
You said finding eax==8 was a good start. But why? Why are we comparing the eax register? What is the meaning of lea edx,[edx]? Should I see that in the code, or are you just doing some logic? Can you translate the code you wrote? Thank you very much for the reply, but you see I'm a noob and I feel like if I understand your goal it will be a very good lesson for me, because it is a common problem for me in most games.
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Wed Feb 24, 2021 9:24 am
Code:
cmp eax,8          // compare eax to 8 and skip the check if it's
jne short @f       // jne = jump if not equal: eax != 8 skips the lea
lea edx,[edx]      // check to see what [edx] points to
@@:
Quote: What is the meaning of lea edx,[edx]?
The thing that crashes your game is accessing a pointer that's not a real pointer. This op simply allows you to trace all addresses that are accessed through the pointer [edx] without crashing your game. It's a way to debug your code.
After you trace lea edx,[edx] you will have multiple addresses pop up, but you only want one of them, so you have to look at the aspects or differences surrounding those addresses to find ways to compare them and do a jump to avoid accessing them. You want to look at other registers, other locations around that address, values on the stack, or the value of the address itself. Look at many different things until you find something that distinguishes your address from the rest.
danny96 Newbie cheater Reputation: 0
Joined: 10 Jul 2020 Posts: 20
Posted: Wed Feb 24, 2021 12:29 pm
Man, thanks a lot. Job is done. You showed me that next time I should also look at the register states for each address. The eax carrying that 8 is a very good difference from the other stuff. I made it like this:
newmem:
cmp eax,8                    // eax is the field offset being written; 8 is the health field
jne originalcode             // any other offset: run the untouched original code
mov dword ptr [eax+edx],0    // health write: store 0 instead of ecx (32-bit, same width as the original)
add dword ptr [ebp+00],02
jmp exit

originalcode:
mov [eax+edx],ecx
add dword ptr [ebp+00],02

exit:
jmp returnhere
I have just tested it and it works perfectly. No crashes between loads, picking up items, dropping items. People are dancing normally... So I used a register to compare. What do you think?
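As an added example (not code posted by danny96 or sbryzl, and not what Cheat Engine itself emits byte for byte, although the encodings are the standard x86 ones), here is the byte-level view of what the final script asks the auto assembler to do: the 5-byte jmp plus two nops that replace the 7 bytes at HitmanContracts.exe+26B6DE, and a code cave that performs the cmp eax,8 filter, stores a dword zero on the health path, runs the untouched original code otherwise, and jumps back to 0066B6E5. The hook address and the stolen instruction bytes (89 0C 10 and 83 45 00 02) come from the posted disassembly; the cave address 0x0B000000 is an assumption standing in for wherever alloc(newmem) lands. The sanity check in check_stolen is the one a practitioner wants before any such hook: the overwritten bytes must cover the jmp, and none of them may be an IP-relative call/jmp/jcc, because copying those into the cave unchanged would send them to the wrong place.

```python
"""Byte-level model of the Cheat Engine injection discussed in this thread.
Added example, not the posters' code. Hook address and stolen bytes are taken
from the posted disassembly; CAVE_ADDR is an assumption (CE picks it at runtime)."""
import struct

HOOK_ADDR = 0x0066B6DE   # "HitmanContracts.exe"+26B6DE: mov [eax+edx],ecx
CAVE_ADDR = 0x0B000000   # ASSUMPTION: where alloc(newmem) happens to land
JMP_LEN = 5              # E9 rel32

# Instructions overwritten by the 5-byte jmp ("stolen" bytes), from the post.
STOLEN = [
    bytes.fromhex("890C10"),    # mov [eax+edx],ecx
    bytes.fromhex("83450002"),  # add dword ptr [ebp+00],02
]


def rel32(jmp_addr: int, target: int) -> int:
    """Displacement for a 5-byte E9 jmp located at jmp_addr that lands on target."""
    return (target - (jmp_addr + JMP_LEN)) & 0xFFFFFFFF


def jmp_target(jmp_addr: int, code: bytes, off: int) -> int:
    """Decode the target of the E9 rel32 at code[off:], assuming it sits at jmp_addr."""
    if code[off] != 0xE9:
        raise ValueError("not an E9 jmp")
    disp = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
    return (jmp_addr + JMP_LEN + disp) & 0xFFFFFFFF


def check_stolen(stolen) -> int:
    """Hook sanity checks: the stolen bytes must hold the jmp, and none of them may
    be an IP-relative call/jmp/jcc (those would need fixing up inside the cave)."""
    total = sum(len(ins) for ins in stolen)
    if total < JMP_LEN:
        raise ValueError(f"only {total} bytes at the hook, need {JMP_LEN}")
    for ins in stolen:
        op = ins[0]
        relative = (op in (0xE8, 0xE9, 0xEB) or 0x70 <= op <= 0x7F
                    or (op == 0x0F and len(ins) > 1 and 0x80 <= ins[1] <= 0x8F))
        if relative:
            raise ValueError(f"{ins.hex()} is IP-relative and cannot be copied as-is")
    return total


def build_detour(hook: int, cave: int, stolen) -> bytes:
    """Bytes written at the hook: 'jmp newmem' followed by the 'nop N' padding."""
    total = check_stolen(stolen)
    return b"\xE9" + struct.pack("<I", rel32(hook, cave)) + b"\x90" * (total - JMP_LEN)


def build_cave(hook: int, cave: int, stolen, field_offset: int = 8):
    """Cave body equivalent to the final script in the thread:
         cmp eax,<offset> / jne originalcode / mov dword ptr [eax+edx],0 / add / jmp exit
         originalcode: mov [eax+edx],ecx / add / exit: jmp returnhere
    Returns (code, returnhere)."""
    if not 0 <= field_offset < 0x80:
        raise ValueError("cmp eax,imm8 sign-extends; use the imm32 form for larger offsets")
    returnhere = hook + sum(len(ins) for ins in stolen)
    # mov dword ptr [eax+edx],0 -> C7 /0, ModRM 04 (SIB follows), SIB 10 (base eax, index edx)
    filtered = b"\xC7\x04\x10" + struct.pack("<I", 0) + stolen[1]
    original = stolen[0] + stolen[1]
    code = b"\x83\xF8" + bytes([field_offset])            # cmp eax, imm8
    code += b"\x75" + bytes([len(filtered) + JMP_LEN])    # jne short originalcode
    code += filtered
    code += b"\xE9" + struct.pack("<I", rel32(cave + len(code), returnhere))  # jmp returnhere
    code += original
    code += b"\xE9" + struct.pack("<I", rel32(cave + len(code), returnhere))  # jmp returnhere
    return code, returnhere


if __name__ == "__main__":
    detour = build_detour(HOOK_ADDR, CAVE_ADDR, STOLEN)
    body, ret = build_cave(HOOK_ADDR, CAVE_ADDR, STOLEN)
    print(f"at {HOOK_ADDR:08X}: {detour.hex(' ')}")
    print(f"cave {CAVE_ADDR:08X} ({len(body)} bytes): {body.hex(' ')}")
    print(f"returnhere = {ret:08X}")
```

Running it prints the 7 detour bytes (E9 plus padding nops) and a 33-byte cave whose two E9 jumps both resolve to 0066B6E5, the address of the jmp NotifyDestroy+ADC0 that follows the two stolen instructions in the posted disassembly. Changing field_offset lets you re-check the same layout for another struct field, and feeding check_stolen a call or jcc shows why such instructions cannot simply be moved into a cave.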
sbryzl Master Cheater Reputation: 6
Joined: 25 Jul 2016 Posts: 252
Posted: Wed Feb 24, 2021 4:08 pm
Nice, glad to hear it's working.