Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Does somebody have any info on how to hack painkiller?
Goto page Previous  1, 2, 3  Next
 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Tue Apr 03, 2012 11:02 pm    Post subject: This post has 1 review(s) Reply with quote

My mistake. I used pushfd and pushad at the beginning of script

So it should be like this:

ECX == 0x3 (dword)
[esp+20] == 0x70 (dword)
[esp+28] == 0x7 (dword)


Edit:

OK,
ECX == 0x3 (dword)
[esp+20] == 0x70 (dword)
[esp+28] == 0x7 (dword)
[esp+30] == 0x1 (dword)
[esp+34] == 0x7 (dword)

But I still get other "not health" hits:

Code:
[ENABLE]
alloc(THECODE,2048)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(THECODE)

THECODE:
pushfd
pushad
cmp ecx,00000003
jne short originalcode
cmp [esp+20+24],00000070
jne short originalcode
cmp [esp+28+24],00000007
jne short originalcode
cmp [esp+30+24],00000001
jne short originalcode
cmp [esp+34+24],00000007
jne short originalcode


//filtered
//
//

popad
popfd
mov ecx,[eax+08]    //  <-  try that  "find out what addresses this instructions accesses". We have much less other hits.
mov [edi+08],ecx
jmp returnhere

//
//
//


originalcode:
popad
popfd
mov ecx,[eax+08]
mov [edi+08],ecx

exit:
jmp returnhere

"Engine.dll"+15CD11:
jmp THECODE
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(THECODE)
"Engine.dll"+15CD11:
//mov ecx,[eax+08]
//mov [edi+08],ecx
db 8B 48 08 89 4F 08


But, it's a good start.



EDIT2:

Final. You can test it. 350HP


Code:
[ENABLE]
alloc(THECODE,2048)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(THECODE)
label(HP_value)

THECODE:
pushfd
pushad
cmp ecx,00000003
jne short originalcode
cmp [esp+20+24],00000070
jne short originalcode
cmp [esp+28+24],00000007
jne short originalcode
cmp [esp+30+24],00000001
jne short originalcode
cmp [esp+34+24],00000007
jne short originalcode
cmp dword ptr [eax+08+08],0
jne short originalcode
cmp dword ptr [eax+08+0C],0
jne short originalcode
cmp dword ptr [eax+08+10],4
jne short originalcode

mov ecx,[eax+08+18]
cmp [ecx+10],'_yaw'
jne short originalcode
cmp [ecx+30],'_hea'
jne short originalcode

//filtered
//
//

popad
popfd
fld qword ptr [HP_value]
fstp qword ptr [eax+08]

mov ecx,[eax+08]
mov [edi+08],ecx
jmp returnhere

//
//
//


originalcode:
popad
popfd
mov ecx,[eax+08]
mov [edi+08],ecx

exit:
jmp returnhere

HP_value:
dq (double)350.0

"Engine.dll"+15CD11:
jmp THECODE
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(THECODE)
"Engine.dll"+15CD11:
//mov ecx,[eax+08]
//mov [edi+08],ecx
db 8B 48 08 89 4F 08

_________________
Back to top
View user's profile Send private message MSN Messenger
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

PostPosted: Wed Apr 04, 2012 12:03 am    Post subject: Reply with quote

What did you do. A brief summary so that I can recreate whole scenario.

1) Checked stack, When accessing health pointer. Took snapshot
2) restarted game
3) check stack again,
4)
ECX == 0x3 (dword)
[esp+20] == 0x70 (dword)
[esp+28] == 0x7 (dword)

(but this is something hard to believe, either you are a super duper human, or you know used the script for logging stack)


5) Again after 1/2 hour effort you came up with more stack addresses
6) then also used player structure to full proof it.
7) And finished hacking in matter of 1/2 hour. Great
Is there any point I am missing?

_________________
Back to top
View user's profile Send private message Send e-mail
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Wed Apr 04, 2012 12:06 am    Post subject: Reply with quote

Because we have super dooper "dissect data/structures" feature Razz
this part:
Code:
cmp dword ptr [eax+08+08],0
jne short originalcode
cmp dword ptr [eax+08+0C],0
jne short originalcode
cmp dword ptr [eax+08+10],4
jne short originalcode

mov ecx,[eax+08+18]
cmp [ecx+10],'_yaw'
jne short originalcode
cmp [ecx+30],'_hea'
jne short originalcode





Keep in mind, that I didn't test it fully, only first map. It can crash from time to time.


Try it. I only tested it with only one save. I'm going to sleep.

_________________
Back to top
View user's profile Send private message MSN Messenger
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

PostPosted: Wed Apr 04, 2012 3:16 am    Post subject: Reply with quote

Stack comparison is not always a reliable method. There are other better ways that are far more reliable and actually ease hacking. e.g in unreal engine that me3 used, you can achieve the hack thru stack compare or if you dig really deeper...find a code section that accesses all your player data only.

In case of painkiller, i have never fiddled with it but i believe it is similar to any lua based game. Sometime back, i trained a lua based game called the first templar...i was able to find a really clean spot for comparison using string references compare and identifiers. The player structure usually contains some really interesting entries.

So i would say dig deeper and debug harder Wink

_________________
...
Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Wed Apr 04, 2012 8:48 am    Post subject: Reply with quote

cmp dword ptr [eax+08+08],0
jne short originalcode
(...)
cmp [ecx+30],'_hea'
jne short originalcode
Above checks do not apply to other maps Sad Script works only for one save state (checkpoint).

Painkiller player structure is huge and weird.

First map
Health at 2470B0B8
Armor at 24708750

Second map:
Health at 24CC5170
Armor at 24CC2A60


look at distances.
for first map: between HealthAddr and ArmorAddr, distance is 0x2968
for second map: 0x2710

Edit:
only stack checks:
Code:
[ENABLE]
alloc(THECODE,2048)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(THECODE)
label(HP_value)

THECODE:
pushfd
pushad
cmp ecx,00000003
jne short originalcode
cmp [esp+20+24],00000070
jne short originalcode
cmp [esp+24+24],40140000
jne short originalcode
cmp [esp+28+24],00000007
jne short originalcode
cmp [esp+2c+24],40180000
jne short originalcode
cmp [esp+30+24],00000001
jne short originalcode
cmp [esp+34+24],00000007
jne short originalcode

//filtered
//
//

popad
popfd
fld qword ptr [HP_value]
fstp qword ptr [eax+08]

mov ecx,[eax+08]
mov [edi+08],ecx
jmp returnhere

//
//
//


originalcode:
popad
popfd
mov ecx,[eax+08]
mov [edi+08],ecx

exit:
jmp returnhere

HP_value:
dq (double)350.0

"Engine.dll"+15CD11:
jmp THECODE
nop
returnhere:

[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(THECODE)
"Engine.dll"+15CD11:
//mov ecx,[eax+08]
//mov [edi+08],ecx
db 8B 48 08 89 4F 08

_________________
Back to top
View user's profile Send private message MSN Messenger
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

PostPosted: Wed Apr 04, 2012 12:11 pm    Post subject: Reply with quote

Yes I saw that but I thought maybe you were using other version.
Because your stack states were somewhat different from mine.

But atleast you gave me a good foundation to work with.

_________________
Back to top
View user's profile Send private message Send e-mail
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Wed Apr 04, 2012 4:10 pm    Post subject: Reply with quote

Last script is stable I think. I played (speed run) three maps.
_________________
Back to top
View user's profile Send private message MSN Messenger
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

PostPosted: Wed Apr 04, 2012 4:20 pm    Post subject: Reply with quote

Is there any way to set conditional breakpoint in stack?
I want to know when an address was pushed onto the stack without backtracking the code?

How did you reach esp+20+24?

I tried to open it on data dissector. But the value there is 0 and not 70?

Are you sure you are using 1.64 version?

_________________
Back to top
View user's profile Send private message Send e-mail
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Wed Apr 04, 2012 4:54 pm    Post subject: Reply with quote

after setting the breakpoint (it will no doubt break instantly, just continue afterwards) rightclick the breakpoint and set a break condition
there put in readInteger(ESP+xxx)==0xvalueyouwish

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

PostPosted: Wed Apr 04, 2012 5:26 pm    Post subject: Reply with quote

In complex section?
_________________
Back to top
View user's profile Send private message Send e-mail
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Wed Apr 04, 2012 5:31 pm    Post subject: Reply with quote



A added that "+24" thing because I used pushfd (+0x4) and pushad (+0x20).

_________________
Back to top
View user's profile Send private message MSN Messenger
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Sat Apr 07, 2012 12:19 pm    Post subject: Reply with quote

I've searched for useful things in structures pointed by CPU registers:


Tried EDX and EDI. Without success. Structure checks worked only while exiting from pause menu.

But structures pointed by ESI were useful.
cheat table, HP and AMMO for Painkiller v1.64 Cool

_________________
Back to top
View user's profile Send private message MSN Messenger
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

PostPosted: Sat Apr 07, 2012 12:43 pm    Post subject: Reply with quote

I didn't understand what you meant. Please Elaborate.
Why did you chose ESI? Was it just hit and trial?

And what is the difference between standard stack check and health stack check?

_________________
Back to top
View user's profile Send private message Send e-mail
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Sat Apr 07, 2012 1:54 pm    Post subject: Reply with quote

Look at EDI (previous image), looks promising. Almost the same value for all calls (health, and for other ammo types). I've just looked into this memory region. Dissect data/structure, add address, "lock it" (right-click lock). Clicked "define new structure", .....

Load save (or better, load other map), again "what accesses this address" (for health address), take new address pointed by EDI, add address to "Dissect" window (add extra address). Green data: possible constant value, which we can use for structure checks. (you can lock second address, then repeat this step). (do not close "dissect" window)

(as you know, I made the same, dissect data/structure, for address pointed by [EAX+08] without success, worked only for one map and only one save checkpoint)


Then I tried the same thing for other CPU registers: EDX and ESI.


Finally I tried:

value (double)4.0 for health checks:
cmp dword ptr [esi+40],00000004
cmp dword ptr [esi+44],40100000
0x4010000000000004 == (double) 4.000000....

and value (double)3.0 for shotgun ammo checks:
cmp dword ptr [esi+18],00000000
cmp dword ptr [esi+1c],40080000
0x4008000000000000 == (double) 3.0


Wait, I will upload video with dissect window for shotgun ammo.

_________________


Last edited by mgr.inz.Player on Sat Apr 07, 2012 2:35 pm; edited 1 time in total
Back to top
View user's profile Send private message MSN Messenger
Freiza
Grandmaster Cheater
Reputation: 22

Joined: 28 Jun 2010
Posts: 662

PostPosted: Sat Apr 07, 2012 2:01 pm    Post subject: Reply with quote

Thank a lot.

You are truely awesome.

Will be eagerly waiting for your video. Btw, except for the line mentioned below, I understood the rest.
Quote:
" Green data: possible constant value, which we can use for structure checks. (you can lock second address, then repeat this step). (do not close "dissect" window) "

_________________
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Goto page Previous  1, 2, 3  Next
Page 2 of 3

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites