Cheat Engine: The Official Site of Cheat Engine
jaybz (How do I cheat?)
Reputation: 0
Joined: 19 Sep 2012
Posts: 7

Posted: Tue Nov 13, 2012 3:13 am
Post subject: Help with code replacement/injection

Hi. I'm trying to create a table for a game called Death Rally. I've already managed to freeze the ammo using aobscan to find the appropriate line of code then replacing it with nops.
Now I'm working on how to find a way to freeze the life. The game does not show how much life you have exactly but instead just shows a percentage. So far I couldn't find an exact value for life but I have found where it stores the percentage as a float. It appears that this is what the game actually uses as the hp value instead of an exact value as in other games, and freezing this float does prevent me from dying as long as I don't suffer damage that would take my life down to 0% instantly. I already found the code which decreases my life and replaced it with a "mov [address], 3F800000" (3F800000 = float representation of 1). The problem with the code replacement is that it is actually the same code used to decrease the life for enemies as well.
I've considered how to proceed and have been thinking of a few solutions. The first is to just find the code which reads the life value for display so I can inject code that finds the address so I can lock it. But if I do lock it, I can still die from single damage that brings me from 100% to 0%.
The second approach is to dissect the data structures for the cars so I can find a way to identify when the life being modified is mine or an enemy's and inject the appropriate conditional code to the code that modifies the life.
The third approach is to forget about dissecting the data structures and instead get the address of my life the same way I would in the first method so I can use it for the conditional code that I'll inject.
So my question, or rather questions, are these. Is there a better way to do this? If there is, assume I'm mostly a noob when you explain it as I'm not really that experienced yet. If not, which of those 3 solutions are actually possible? And which of those possible solutions would be best?

Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012
Posts: 1285

Posted: Tue Nov 13, 2012 4:33 am
Post subject: Re: Help with code replacement/injection

jaybz wrote:
> Is there a better way to do this?

4-Cheat codes? (yeah that's so simple we sometimes forget it).
1.1-Instead of freezing to 1.0, try freezing to 3.4e+38, +INF (0x7F800000) or NaN (0xffffffff), and see if you still can insta-die.
5-Find the variable that changes (most likely a byte that goes from 0 to 1) when you activate the god mode, find the code that accesses this address, force it to always behave as if the godmode was activated.
6 (or 2.2)-Your shared mov [car_hp], result_of_hp-damage is within a function A, but check the PARENT function (=function B=the function that called function A) sometimes it's not the same whether the player is getting hurt or the opponents. This approach can be called 2.2 since the address from which function A is called can be found at esp+a_few ( a_few depending on how function A is made) and you could use this for differentiation.
6.1-Or you could edit function B so that it does not call function A. It may work depending on what function A actually does.
However, seeing that your game used to have a multiplayer mode before being ported to Windows, I don't think approaches 6 & 6.1 will work, since most cars are most likely identical, with just a different controller entity. Still, I'm listing this approach because it may come in handy in other games.
jaybz wrote:
> If not, which of those 3 solutions are actually possible?

Technically they are all possible (trololol).

jaybz wrote:
> And which of those possible solutions would be best

Not counting my suggestions (4 & 5 beat all others), personally I'd go for the 1st one UNLESS instant-kills happen often, in which case I'd go for number 3. I mean, if an opponent can blow you out in a single rocket, go for 3. If the only ways to insta-die are to jump into a lava pit or ram an easily dodgeable wall at full speed, stick with 1.
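As an added illustration of suggestion 1.1 above (example code, not from this thread or from Cheat Engine), the following Python model decodes the listed IEEE-754 patterns and checks which locked HP value still survives a hit that would take a normal 100% car to 0% in one go. It assumes the game's damage path is a plain float subtraction and that "dead" means hp <= 0.0; both are assumptions.

```python
"""
Constructed model of the "freeze the HP float to X" options: 1.0, FLT_MAX,
+INF and NaN, stored as single-precision floats the way the game would.
"""
import struct


def f32_from_hex(pattern: int) -> float:
    """Decode a 32-bit IEEE-754 bit pattern (e.g. 0x3F800000) to a float."""
    return struct.unpack("<f", struct.pack("<I", pattern))[0]


def hex_from_f32(value: float) -> int:
    """Encode a float as its 32-bit pattern, rounding to single precision."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def apply_damage(hp: float, damage: float) -> float:
    """Assumed damage path: hp - damage, rounded back to a 32-bit float
    (the shared 'mov [car_hp], hp - damage' the thread talks about)."""
    return f32_from_hex(hex_from_f32(hp - damage))


def is_dead(hp: float) -> bool:
    """Assumed death test: hp <= 0.0. NaN compares false against anything,
    so it 'survives' here; a game branching on the x86 unordered flag
    after comiss could decide differently, which this model does not cover."""
    return hp <= 0.0


# The lock values named in the post, decoded from their bit patterns.
LOCK_VALUES = {
    "1.0 (0x3F800000)": f32_from_hex(0x3F800000),
    "FLT_MAX (3.4e38)": 3.4e38,
    "+INF (0x7F800000)": f32_from_hex(0x7F800000),
    "NaN (0xFFFFFFFF)": f32_from_hex(0xFFFFFFFF),
}


def survives_instant_kill(lock_hp: float, damage: float = 1.0) -> bool:
    """Does a car frozen at lock_hp survive damage that kills a 100% car?"""
    return not is_dead(apply_damage(lock_hp, damage))


def survival_table(damage: float = 1.0) -> dict:
    """Survival outcome for every lock value under the given hit size."""
    return {name: survives_instant_kill(v, damage) for name, v in LOCK_VALUES.items()}
```

The model says nothing about whether the game's percentage display or other code tolerates an HP above 100%, which is the crash worry raised later in the thread.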

jaybz (How do I cheat?)
Reputation: 0
Joined: 19 Sep 2012
Posts: 7

Posted: Tue Nov 13, 2012 5:23 am
Post subject: Re: Help with code replacement/injection

Gniarf wrote:
> jaybz wrote:
> > Is there a better way to do this?
> 4-Cheat codes? (yeah that's so simple we sometimes forget it).

I actually saw those before I started trying to make a table for the game, but they're actually for a rather old version of the game and I'm trying to hack the newer one. That also means 4 and 5 are not possible unless I find cheat codes that do work.
Gniarf wrote:
> jaybz wrote:
> > And which of those possible solutions would be best
> Not counting my suggestions (4 & 5 beat all others), personally I'd go for the 1st one UNLESS instant-kills happen often in which case I'd go for number 3. I mean, if an opponent can blow you out in a single rocket, go for 3. If the only ways to insta-die are to jump into a lava pit or ram a easily dodgeable wall at full speed, stick with 1.

Thanks for the input. I think I'll try locking to a really big value first but I have a feeling that it will crash the game or something as it isn't possible to get more than 100% life in the game. If that is the case, I'll go try 6 and 6.1. I seem to remember more than one function calling the part that I initially tried to change. If it doesn't work, I hope number 3 isn't as hard and clunky as I think it is.

Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012
Posts: 1285

Posted: Tue Nov 13, 2012 6:51 am
Post subject: Re: Help with code replacement/injection

jaybz wrote:
> I actually saw those before I started trying to make a table for the game but they're actually for a rather old version of the game and I'm trying to hack the newer one.

Huh? There is a newer version? *re-googles death track*... Hot damn I knew that name rang a bell! I tend to mix up between dethkarz, death track and death rally. Anyway I finished DR (new version) some time ago.
IIRC the only way to insta-die is being sabotaged (not even sure using the base unupgraded car vs late-game opponents can get you insta-killed), so approach 1 should be enough.
jaybz wrote:
> I hope number 3 isn't as hard and clunky as I think it is.

3 isn't that complicated, here's a quickie (= no aobscans):

Code:
[ENABLE]
alloc(CodeBuffer,512)
//places
label(PlayerHealthReader_end)
label(HealthWriter_end)
label(WriteHealthHook)
label(WriteHealthHook_OriginalCode)
//variables
label(PlayerPtr)

//hook the function that reads the player's health
//(the original 8-byte movss is replaced by a 5-byte jmp plus 3 nops)
DeathRally.exe+CB444:
jmp CodeBuffer
nop
nop
nop
PlayerHealthReader_end:

//hook the shared function that writes any car's health (same 8-byte movss)
DeathRally.exe+A93A2:
jmp WriteHealthHook
nop
nop
nop
HealthWriter_end:

CodeBuffer:
//ReadPlayerHealthHook: remember which car object the player's health is read from
mov dword [PlayerPtr],eax //health is at eax+0x178
movss xmm0,[eax+00000178]
jmp PlayerHealthReader_end

WriteHealthHook:
//only intercept writes to the car recorded by the read hook; enemies keep the original code
cmp eax,dword [PlayerPtr]
jne WriteHealthHook_OriginalCode
mov dword [eax+00000178],(float)1.0 //lock the player's health at 1 while we're at it
jmp HealthWriter_end
WriteHealthHook_OriginalCode:
movss [eax+00000178],xmm0
jmp HealthWriter_end

PlayerPtr:
dd 0

[DISABLE]
dealloc(CodeBuffer)
//restore the two original instructions
DeathRally.exe+CB444:
movss xmm0,[eax+00000178]
DeathRally.exe+A93A2:
movss [eax+00000178],xmm0

Dunno why, but the car still appears damaged in the garage.

jaybz (How do I cheat?)
Reputation: 0
Joined: 19 Sep 2012
Posts: 7

Posted: Tue Nov 13, 2012 3:10 pm
Post subject: Re: Help with code replacement/injection

Gniarf wrote:
> IIRC the only way to insta-die is being sabotaged (not even sure using the base unupgraded car vs late-game opponents can get you insta-killed), so approach 1 should be enough.

Normally yes, but with the infinite ammo cheat, you can actually drop 2 or 3 mines really close together and insta-die when you run over them.
Gniarf wrote:
> jaybz wrote:
> > I hope number 3 isn't as hard and clunky as I think it is.
> 3 isn't that complicated, here's a quickie (= no aobscans):

Wow that was fast. Anyway I have been trying to look for the parent function but it looks like you got number 3 down already. It looks like we're using different versions of the game because the addresses are different, but it should be trivial to look for the read code since I already know where the write code is. I actually forgot to save the location of the write code and I had problems looking for the correct memory location this time for some reason. But your auto assembly script allowed me to do an assembly search. Thanks very much. I think I should be able to get the right address in the next few minutes. I'm probably going to do an aobscan again since it appears that the opcodes are the same in the versions we're using.
Gniarf wrote:
> Dunno why, but the car still appears damaged in the garage.

The game is probably tracking damage in a different location as well. I'll see if I can do something about that.

jaybz (How do I cheat?)
Reputation: 0
Joined: 19 Sep 2012
Posts: 7

Posted: Wed Nov 14, 2012 11:43 pm
Post subject: Re: Help with code replacement/injection

Gniarf wrote:
> Dunno why, but the car still appears damaged in the garage.

So the game is definitely tracking damage elsewhere. After I've adapted your script to my version, it turns out that there are cases when I'd start a race dead because the game reads the starting hp elsewhere. I modified the read portion of the script to set the hp to 1.0 as well and it works so far. The car still looks damaged, but other than that cosmetic issue, the script now works perfectly.
As for the cosmetic issue, it seems the game actually stores that in floats in about 8 different places, one for each section of the car that can show damage. This is also where the game gets the % hp displayed on top of the car. So it looks like fixing that part is a bit too convoluted so I'm probably not going to bother since the script doesn't have any other problems.

Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012
Posts: 1285

Posted: Thu Nov 15, 2012 3:42 am

In case you're interested, I found the function that damages (and repairs) each car part. Look for a function that starts with:

Code:
DeathRally.exe+A9B50 - 55 - push ebp
DeathRally.exe+A9B51 - 8B EC - mov ebp,esp
DeathRally.exe+A9B53 - 80 B8 7C010000 00 - cmp byte ptr [eax+0000017C],00
DeathRally.exe+A9B5A - B9 01000000 - mov ecx,00000001
DeathRally.exe+A9B5F - 74 0A - je DeathRally.exe+A9B6B

If eax=PlayerPtr at the first instruction, do a ret 4, otherwise proceed normally.
I initially planned something more funny: multiply all received damage by -1, until I realized that repairing the car would break it.

jaybz (How do I cheat?)
Reputation: 0
Joined: 19 Sep 2012
Posts: 7

Posted: Thu Nov 15, 2012 5:00 am

Actually it turns out that the answer to the car part problem was staring me right in the face.
The movss plus 7 addss operations prior to the movss which writes the health to memory is actually pulling the values off each car part and adding them together to get the total health. So I just changed it so that when eax = PlayerPtr, instead of reading values off each car part, they're just set to 0.125. Works perfectly so far. The part in the read hook where I set the health to 1.0 is no longer necessary too since when you end the race, you will have 100% health on both the car display and the repair button.
Also as a side effect, switching cars fully repairs the car you switch to because it runs the same function when you switch.
Now I just need to find where the cash is stored to finish up the table.