Cheat Engine The Official Site of Cheat Engine
Sarge411 Newbie cheater Reputation: 0
Joined: 21 Apr 2018 Posts: 21
Posted: Sun Apr 22, 2018 3:40 am Post subject: A few questions on creating a free fly camera trainer |
I've been looking at a few free fly camera scripts from this thread:
www[dot]cheatengine[dot]org[slash]forum [slash]viewtopic[dot]php?p=5643360
and am trying to create one for Duke Nukem 3D. So far I managed to find all coordinates as well as other fields from the player table:
Code: |
<CheatEntries>
<CheatEntry>
<ID>9</ID>
<Description>"Y coordinate"</Description>
<VariableType>2 Bytes</VariableType>
<Address>B70F58</Address>
</CheatEntry>
<CheatEntry>
<ID>4</ID>
<Description>"X coordinate"</Description>
<VariableType>2 Bytes</VariableType>
<Address>B70F5C</Address>
</CheatEntry>
<CheatEntry>
<ID>3</ID>
<Description>"Z coordinate"</Description>
<VariableType>2 Bytes</VariableType>
<Address>B70F60</Address>
</CheatEntry>
<CheatEntry>
<ID>0</ID>
<Description>"Camera angle"</Description>
<VariableType>2 Bytes</VariableType>
<Address>Duke3dw.exe+770F64</Address>
</CheatEntry>
<CheatEntry>
<ID>23</ID>
<Description>"Z Down Acceleration"</Description>
<VariableType>4 Bytes</VariableType>
<Address>00B70F8a</Address>
</CheatEntry>
<CheatEntry>
<ID>22</ID>
<Description>"Y Acceleration"</Description>
<VariableType>4 Bytes</VariableType>
<Address>00B70F92</Address>
</CheatEntry>
<CheatEntry>
<ID>21</ID>
<Description>"X Acceleration"</Description>
<VariableType>4 Bytes</VariableType>
<Address>00B70F96</Address>
</CheatEntry>
<CheatEntry>
<ID>28</ID>
<Description>"Rotation"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B70FD0</Address>
</CheatEntry>
<CheatEntry>
<ID>15</ID>
<Description>"Ammo 2 Pistol"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B70FE0</Address>
</CheatEntry>
<CheatEntry>
<ID>11</ID>
<Description>"Ammo 3 Shotgun"</Description>
<VariableType>2 Bytes</VariableType>
<Address>Duke3dw.exe+770FE2</Address>
</CheatEntry>
<CheatEntry>
<ID>16</ID>
<Description>"Ammo 4 Chaingun"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B70FE4</Address>
</CheatEntry>
<CheatEntry>
<ID>12</ID>
<Description>"Ammo 5 BFG (Sacrilege) "</Description>
<VariableType>2 Bytes</VariableType>
<Address>Duke3dw.exe+770FE6</Address>
</CheatEntry>
<CheatEntry>
<ID>17</ID>
<Description>"Ammo 6"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B70FE8</Address>
</CheatEntry>
<CheatEntry>
<ID>13</ID>
<Description>"Ammo 7"</Description>
<VariableType>2 Bytes</VariableType>
<Address>Duke3dw.exe+770FEA</Address>
</CheatEntry>
<CheatEntry>
<ID>18</ID>
<Description>"Ammo 8"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B70FEc</Address>
</CheatEntry>
<CheatEntry>
<ID>14</ID>
<Description>"Ammo 9"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B70FEE</Address>
</CheatEntry>
<CheatEntry>
<ID>19</ID>
<Description>"Ammo 0"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B70Ff0</Address>
</CheatEntry>
<CheatEntry>
<ID>26</ID>
<Description>"Armor"</Description>
<VariableType>2 Bytes</VariableType>
<Address>Duke3dw.exe+77107A</Address>
</CheatEntry>
<CheatEntry>
<ID>8</ID>
<Description>"Elevation physics"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00D071CA</Address>
</CheatEntry>
<CheatEntry>
<ID>20</ID>
<Description>"Player Size"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00D071D0</Address>
</CheatEntry>
<CheatEntry>
<ID>7</ID>
<Description>"Health"</Description>
<VariableType>2 Bytes</VariableType>
<Address>Duke3dw.exe+9071E6</Address>
</CheatEntry>
<CheatEntry>
<ID>30</ID>
<Description>"3rd person view enable disable"</Description>
<VariableType>4 Bytes</VariableType>
<Address>00B7102E</Address>
</CheatEntry>
<CheatEntry>
<ID>31</ID>
<Description>"Crouch for x seconds"</Description>
<VariableType>4 Bytes</VariableType>
<Address>00B70f9a</Address>
</CheatEntry>
<CheatEntry>
<ID>33</ID>
<Description>"Holoduke amount"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B71006</Address>
</CheatEntry>
<CheatEntry>
<ID>34</ID>
<Description>"Access wallnum"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B71019</Address>
</CheatEntry>
<CheatEntry>
<ID>35</ID>
<Description>"First aid amount"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B71024</Address>
</CheatEntry>
<CheatEntry>
<ID>36</ID>
<Description>"Cheat phase"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B71034</Address>
</CheatEntry>
<CheatEntry>
<ID>37</ID>
<Description>"Current inventory item"</Description>
<VariableType>4 Bytes</VariableType>
<Address>00B710B7</Address>
</CheatEntry>
<CheatEntry>
<ID>38</ID>
<Description>"Jetpack amount"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B71076</Address>
</CheatEntry>
<CheatEntry>
<ID>39</ID>
<Description>"Steroids amount"</Description>
<VariableType>2 Bytes</VariableType>
<Address>00B71078</Address>
</CheatEntry>
<CheatEntry>
<ID>40</ID>
<Description>"Enable weapons array"</Description>
<VariableType>8 Bytes</VariableType>
<Address>00B710C3</Address>
</CheatEntry>
</CheatEntries>
|
In this script
fearlessrevolution[dot]com[slash]threads[slash]god-mode-free-fly-camera[dot]372[slash]
, a base address is used for the camera, but is it really needed?
Up to now I tried changing the coordinates from cheat engine but this results in a death once the camera is moved beyond a wall that is outside the playable map. I looked for and nop-ed the code that writes to the health field. After finding all the instructions, I can now move outside the map, but there is a dying animation that I can't get rid of (moving around works).
How can the camera be detached so that it does not move along with the character (the game's code kills the character even if noclip is used)?
How can cheat engine show the values of a memory region given an address and its offsets?
Once an instruction that writes to an address has been found, how can you determine if the address of that instruction is static or not? I have used cheat engine's search with the instruction's address in hex but the search did not return any results.
Can cheat engine record instructions that access a memory region instead of fixed address?
When executing the camera thread, what happens to the original thread that handles the player character? Which coordinates are used to update the view point?
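One way to normalise the mixed notation in the table above (an added example, not part of the original post or of Cheat Engine): it rewrites every entry as `Duke3dw.exe+offset`, sorts the entries, and marks those whose address is not a multiple of their declared size. It assumes the module is loaded at 0x400000, the base implied by neighbouring entries such as 00B70FE0 and Duke3dw.exe+770FE2; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MODULE = "Duke3dw.exe"
MODULE_BASE = 0x400000  # assumption: image base implied by the table's mixed notation
SIZES = {"Byte": 1, "2 Bytes": 2, "4 Bytes": 4, "8 Bytes": 8}

# Six entries copied from the cheat table in the post.
TABLE = """<CheatEntries>
<CheatEntry><Description>"Y coordinate"</Description><VariableType>2 Bytes</VariableType><Address>B70F58</Address></CheatEntry>
<CheatEntry><Description>"X coordinate"</Description><VariableType>2 Bytes</VariableType><Address>B70F5C</Address></CheatEntry>
<CheatEntry><Description>"Camera angle"</Description><VariableType>2 Bytes</VariableType><Address>Duke3dw.exe+770F64</Address></CheatEntry>
<CheatEntry><Description>"Z Down Acceleration"</Description><VariableType>4 Bytes</VariableType><Address>00B70F8a</Address></CheatEntry>
<CheatEntry><Description>"Access wallnum"</Description><VariableType>2 Bytes</VariableType><Address>00B71019</Address></CheatEntry>
<CheatEntry><Description>"Health"</Description><VariableType>2 Bytes</VariableType><Address>Duke3dw.exe+9071E6</Address></CheatEntry>
</CheatEntries>"""


def resolve(address, base=MODULE_BASE):
    """Turn 'Duke3dw.exe+770F64' or a bare hex address into an absolute address."""
    address = address.strip()
    if "+" in address:
        module, offset = address.split("+", 1)
        if module.strip('"').lower() != MODULE.lower():
            raise ValueError(f"unexpected module: {module}")
        return base + int(offset, 16)
    return int(address, 16)


def layout(xml_text, base=MODULE_BASE):
    """Return (name, module-relative address, size, aligned) sorted by address."""
    rows = []
    for entry in ET.fromstring(xml_text).iter("CheatEntry"):
        size = SIZES[entry.findtext("VariableType")]
        absolute = resolve(entry.findtext("Address"), base)
        if absolute < base:
            raise ValueError(f"{absolute:X} lies below the module base")
        name = entry.findtext("Description").strip('"')
        rows.append((absolute, name, f"{MODULE}+{absolute - base:X}", size, absolute % size == 0))
    return [row[1:] for row in sorted(rows)]


def misaligned(rows):
    """Names of entries whose address is not a multiple of their size."""
    return [name for name, _, _, aligned in rows if not aligned]


if __name__ == "__main__":
    for name, where, size, aligned in layout(TABLE):
        print(f"{where:22} {size} bytes  {name}{'' if aligned else '  <- recheck'}")
```

A misaligned entry is not necessarily wrong, since packed structures exist, but it is a cheap hint that the address or the declared size deserves a second look.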
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Sun Apr 22, 2018 4:55 am Post subject: |
Quote: |
Can cheat engine record instructions that access a memory region instead of fixed address?
|
Use pageexception breakpoints in settings, then in the memoryview select the whole region you wish to watch, right-click and choose data breakpoint->find out what accesses
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping |
Sarge411 Newbie cheater Reputation: 0
Joined: 21 Apr 2018 Posts: 21
Posted: Mon Apr 23, 2018 12:18 pm Post subject: |
Dark Byte wrote: | Quote: |
Can cheat engine record instructions that access a memory region instead of fixed address?
|
Use pageexception breakpoints in settings, then in the memoryview select the whole region you wish to watch, right-click and choose data breakpoint->find out what accesses |
Thanks.
I managed to get all instructions that were freezing the player's position after death as well as those that rotate the view by a random angle. Right now, if I kill the character (set life to 0 from within cheat engine) the position remains the same, and with the found instructions nop-ed, the player's coordinates are updated in game if the X, Y, Z addresses are changed (this also works for camera pitch and rotation).
The main idea is:
1. Find a thread that accesses any coordinate often and use the given instruction as an injection point.
2. Upon enabling the cheat, disable (nop) the freezing instructions (that constantly write the player's last coordinates to the X, Y, Z addresses).
3. Create a thread that is launched afterwards, waits for user input and updates the values at the addresses holding the positional coordinates (given these are static).
My questions now are:
1. Can those instructions accessing the coordinate values be nop-ed if a cheat is enabled (and unnop-ed when disabled)?
2. Is there a better way of going about this than nop-ing instructions?
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Tue Apr 24, 2018 11:53 am Post subject: |
1: Of course you can do that, but it depends on the game how it reacts. (Perhaps it works, or perhaps it goes into a loop till the coordinates have returned to what it expects)
2: No idea, perhaps
Sarge411 Newbie cheater Reputation: 0
Joined: 21 Apr 2018 Posts: 21
Posted: Tue Apr 24, 2018 3:55 pm Post subject: |
Dark Byte wrote: | 1: Of course you can do that, but it depends on the game how it reacts. (Perhaps it works, or perhaps it goes into a loop till the coordinates have returned to what it expects)
2: No idea, perhaps |
Thanks again. I wrote a basic script that fetches the original coordinates and health values, and saves them to memory. Here is the code:
Code: |
{ Game : Duke3dw.exe
Version:
Date : 2018-04-23
Author : Sarge411
This script does blah blah blah
}
define(address,"Duke3dw.exe"+53401)
define(bytes,8B 85 18 02 00 00)
[ENABLE]
globalAlloc(myCamX, 4)
globalAlloc(myCamY, 4)
globalAlloc(myCamZ, 4)
globalAlloc(origCamX, 4)
globalAlloc(origCamY, 4)
globalAlloc(origCamZ, 4)
globalAlloc(health, 4)
globalAlloc(origHealth, 4)
origCamX:
dd 0
origCamY:
dd 0
origCamZ:
dd 0
myCamX:
dd B70F5C
myCamY:
dd B70F58
myCamZ:
dd B70F60
Health:
dd D071E6
origHealth:
dd 0
assert(address,bytes)
alloc(newmem,$2000)
label(code)
label(return)
newmem:
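// Save previous camera coords
push eax
// Save X: myCamX holds the static address, so load it and then
// dereference it to get the coordinate value itself
mov eax, [myCamX]
mov eax, [eax]
mov [origCamX], eax
// Save Y
mov eax, [myCamY]
mov eax, [eax]
mov [origCamY], eax
// Save Z (read through myCamZ, not origCamZ)
mov eax, [myCamZ]
mov eax, [eax]
mov [origCamZ], eax
// Save current health (this only stores it, it does not set it to 0)
mov eax, [Health]
mov eax, [eax]
mov [origHealth], eax
pop eax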
code:
mov eax,[ebp+00000218]
jmp return
address:
jmp newmem
nop
return:
[DISABLE]
address:
db bytes
// mov eax,[ebp+00000218]
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "Duke3dw.exe"+53401
"Duke3dw.exe"+533D2: 78 07 - js Duke3dw.exe+533DB
"Duke3dw.exe"+533D4: 66 81 FA FF 0F - cmp dx,0FFF
"Duke3dw.exe"+533D9: 7E 1A - jle Duke3dw.exe+533F5
"Duke3dw.exe"+533DB: 8B 85 38 02 00 00 - mov eax,[ebp+00000238]
"Duke3dw.exe"+533E1: 89 85 14 02 00 00 - mov [ebp+00000214],eax
"Duke3dw.exe"+533E7: 8B 85 3C 02 00 00 - mov eax,[ebp+0000023C]
"Duke3dw.exe"+533ED: 89 85 18 02 00 00 - mov [ebp+00000218],eax
"Duke3dw.exe"+533F3: EB 18 - jmp Duke3dw.exe+5340D
"Duke3dw.exe"+533F5: 8B 85 14 02 00 00 - mov eax,[ebp+00000214]
"Duke3dw.exe"+533FB: 89 85 38 02 00 00 - mov [ebp+00000238],eax
// ---------- INJECTING HERE ----------
"Duke3dw.exe"+53401: 8B 85 18 02 00 00 - mov eax,[ebp+00000218]
// ---------- DONE INJECTING ----------
"Duke3dw.exe"+53407: 89 85 3C 02 00 00 - mov [ebp+0000023C],eax
"Duke3dw.exe"+5340D: 8B 85 14 02 00 00 - mov eax,[ebp+00000214]
"Duke3dw.exe"+53413: 89 85 30 02 00 00 - mov [ebp+00000230],eax
"Duke3dw.exe"+53419: 8B 85 18 02 00 00 - mov eax,[ebp+00000218]
"Duke3dw.exe"+5341F: 89 85 34 02 00 00 - mov [ebp+00000234],eax
"Duke3dw.exe"+53425: 8B 85 1C 02 00 00 - mov eax,[ebp+0000021C]
"Duke3dw.exe"+5342B: 89 85 40 02 00 00 - mov [ebp+00000240],eax
"Duke3dw.exe"+53431: 8B 85 44 02 00 00 - mov eax,[ebp+00000244]
"Duke3dw.exe"+53437: 89 85 48 02 00 00 - mov [ebp+00000248],eax
"Duke3dw.exe"+5343D: 8B 85 8C 02 00 00 - mov eax,[ebp+0000028C]
}
|
I was wondering if the code for saving the original X, Y, Z coordinates from static addresses is correct (move value stored at static address to EAX, then move contents of EAX to locally defined address). I saw that other scripts didn't have to specifically define the addresses in the script but were using <SymbolEntries> from the cheat table.
Can a thread be created after these values are saved so that it begins updating the values stored at the static addresses? Or does it have to be defined in a new script?