Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Need For Speed - Most Wanted

How many of you have h0zed a NFS-MW save game, in the name of haxX0ring?
Frequently: 33% [ 1 ]
A few, but not many...: 0% [ 0 ]
This one time... At Band Camp...: 0% [ 0 ]
What's an NFS-MW save game?: 0% [ 0 ]
Do you have wall hakus!? I NEED WALLLLL HCKUSSS: 66% [ 2 ]
Total Votes : 3

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Tue Dec 13, 2005 10:58 pm

y0 cparty. I got a complaint Wink

Your code changes are great, but im a lazy bastard. Follow-up code changes with an
Address:
Type: Array of Byte (length of X)
Description: Blah (orig: xxxxxx new: xxxxxx )

Also, since this game has too many versions, give us a search string to locate it if you can, else we'll have about 8 posts talking about how to find such things.

/wink

Really it's not a complaint bud. Yer doin' great!

Great finds btw =) I'll probably be up through the night finishing a table I've made specifically for cars. It's actually the one I posted page or two ago that auto-offsets 1 set of values to the car you currently have, or, in the 'choose car menu', currently have selected.

What I've added is about +100 entries, of each car that appears in the first car list ([main pointer] + 10 + (414+offset). They are all 20 bytes long and it's simply amazing to be able to look at them all, in a straight-up-line-up.

Here, I'll post what I have so far....

You should be able to simply offset them by as much as your main pointer is diff from the one I'm using (the +100 for the 20 length arrays)

The rest is up to you (like the auto-setting of the first set of car values).

This is a CE 5.2 table.

The list seems to be 'split up' into 3 sections. Each section is defined by coloring/grouping, in the CT.

The first part (green group) gets written on game launch (before profile). It's the 'player list' of cars. About 30 or so in length.

The second part (purple group) is written at the same time, it's the list of AI cars along with some other cars (im guessing for multi play).

The final part (white group) is written when a profile loads and contains the cars the player currently has.

They are split up into different colored groups in the current .ct. Some of the 'names' may be misleading, but ive just not had time to name all 100 yet.

*EDIT* - Important note. To see all 20 bytes, you have to 'expand' the default width of your address column. Attached is a screenshot showing what this looks like when the game is running, and with the column properly expanded, and my mouse over what I used to expand the column.



speed - Cars Only (Table-5.2).CT
 Description:

Download
 Filename:  speed - Cars Only (Table-5.2).CT
 Filesize:  14.27 KB
 Downloaded:  2638 Time(s)



Last edited by Zhoul on Wed Dec 14, 2005 7:43 am; edited 1 time in total

cparty
Expert Cheater
Reputation: 0

Joined: 01 Dec 2005
Posts: 219

Posted: Wed Dec 14, 2005 5:21 am

JONG wrote:
If you have more about this code "0062bab0 - 89 48 08 - mov [eax+08],ecx" of information, please let me know.

it turned out to be a false positive (that means it looks like it's holding the timer and that code also actually writes to it), but when I traced through the code to see the content of the registers, it turned out it's something else - that's also why you crash the game if you write a time there Laughing
so forget about this address.

Zhoul wrote:
y0 cparty. I got a complaint Wink
Your code changes are great, but im a lazy bastard. Follow-up code changes with an
Address:
Type: Array of Byte (length of X)
Description: Blah (orig: xxxxxx new: xxxxxx )

hehe, advice taken Smile I wondered what way would be best, yours seem to be it, will do it like this.

and thats one hell of a table you attached there Smile nice work, going to have a closer look in a bit!

gnagna2000
Cheater
Reputation: 0

Joined: 12 Dec 2005
Posts: 32

Posted: Wed Dec 14, 2005 5:22 am

Some more info :

Car position X address + 0x10 = Instant Speed Address
Car position X address + 0x14 = Jump Height Address
Car position X address + 0x24 = Spinning Speed Address

Note : setting a value as instant speed works but weirdly, your car will just speed up at right or left, i think there's a value that decide the direction, but i can't find it

i made a quick trainer for that adding an instant break but it's like not sufficient to get the same result like Racer_S trainer+12, i must have missed some value to modify like the instant speed as well :-/

address around this addresses looks like to be collision-effect addresses like Car position X address + 0x20 :-/ useless

continue the good work Cool



The Extension 'rar' was deactivated by an board admin, therefore this Attachment is not displayed.


Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Wed Dec 14, 2005 5:39 am

Really Nice work gnagna2000.

2 Questions.

1. What method do you use to find the process? It appears to be the FindWindow function, which doesn't work with a 2 computer/remote desktop setup Sad

2. What language did you code this up in? If VB, I have a great VB example for you, as to 'true' process listing/filtering to find a process ID based on (by default) EXE name, but could be used to find the process in any number of ways.

- GamePID is the function I created to use WMI to find a process ID. It uses a pre-defined (in the declarations) string called strGameEXE , as the EXE it will search for.
Just assume in this example, that you have already declared strGameEXE and set it to whatever you wish. You could also declare it right here in code if you wanted to.

Lastly, I use a few custom things, like the SetConnected function, which is my function, not one that has to be run Smile So watch out, as a copy/paste without a *tiny* bit of mod, isn't going to work.

Code:

Public Function GamePID() As Long
' Finds the game's process ID by EXE name through WMI (Win32_Process).
' Relies on names declared elsewhere in the module: strGameEXE, bolEXEInMemory,
' bolConnected, ProcessHandle, the OpenProcess declaration and the SetConnected routine.
On Error GoTo EH
    Dim objWMI, objProcess, objProcesses
    Dim intCounter, intRetVal As Integer
    Dim bolTaskFound As Boolean
    bolEXEInMemory = False
    SetConnected
    Set objWMI = GetObject("winmgmts://.")
    If Err.Number <> 0 Then
        MsgBox "Could not contact WMI on this computer." & vbNewLine & "Attempting to find Black & White 2 by window instead.", vbCritical, "WMI Problem"
        SetConnected
        ' Fall back to the window-title lookup and pass its result on.
        GamePID = GamePID2
        Exit Function
    End If
    Set objProcesses = objWMI.execquery("Select * from win32_process")
    If objProcesses.Count = 0 Then
        MsgBox "Could not enumerate processes on this computer.", vbCritical, "WMI Problem"
        SetConnected
        GamePID = GamePID2
        Exit Function
    End If
    ' Compare each process name with the target EXE name, ignoring case.
    For Each objProcess In objProcesses
        bolTaskFound = False
        If UCase(objProcess.Name) = UCase(strGameEXE) Then
            bolEXEInMemory = True
            GamePID = objProcess.ProcessID
            ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, objProcess.ProcessID)
            If ProcessHandle = 0 Then
                If (bolConnected = True) Then
                    'MsgBox "Could not attach to the process, " & strGameEXE & vbNewLine & "Are you sure the game is even running?"
                End If
                SetConnected
            Else
                SetConnected
            End If
            Exit Function
        End If
    Next

Exit Function
EH:
' Any runtime error (for example WMI being unavailable) lands here.
GamePID = GamePID2
Exit Function
End Function


If WMI isn't enabled on the PC, the above function will fail out (but without crashing/error). It is set to auto-fail over to GamePID2. GamePID2 is also an example of how you find PID's with your current trainer.

Code:

Public Function GamePID2() As Long
' Fallback: finds the process ID from the game's window title (strWN).
' Needs the FindWindow, GetWindowThreadProcessId and OpenProcess declarations.
On Error GoTo EH
Dim hwnd As Long
Dim ProcessID As Long
Dim ProcessHandle As Long
    ' Find game based on window name, rather than use WMI.
    hwnd = FindWindow(vbNullString, strWN)
    If hwnd = 0 Then
        MsgBox "Could not find process window!", vbCritical, "Write error"
        bolEXEInMemory = False
        SetConnected
        Exit Function
    End If
    bolEXEInMemory = True
    GetWindowThreadProcessId hwnd, ProcessID
    ' Return the process ID to the caller.
    GamePID2 = ProcessID
    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID)
    If ProcessHandle = 0 Then
        'MsgBox "Could not get a process handle!", vbCritical, "Write error"
        SetConnected
        Exit Function
    End If
    SetConnected

Exit Function
EH:
MsgBox "An error occurred while in the GamePID2 function." & vbNewLine & "Error Number: " & Err.Number & vbNewLine & "Error Description: " & Err.Description
SetConnected
Resume Next

End Function


*Edit*
cparty wrote:
and thats one hell of a table you attached there nice work, going to have a closer look in a bit!

Yeah... To me, it's pretty much known as "The cparty table" since you were the one that triggered me toward it, and probably the only one that will use it besides me Cool

gnagna2000
Cheater
Reputation: 0

Joined: 12 Dec 2005
Posts: 32

Posted: Wed Dec 14, 2005 6:03 am

thanks Zhoul
no, i've used Visual C++ to code this trainer
i didn't know for remote desktop for process but yeah, i used the FindWindow function
i'll look for the one based on filename, shouldn't be so different like FindWindow :-/

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Wed Dec 14, 2005 6:59 am

gnagna2000 wrote:
thanks Zhoul
no, i've used Visual C++ to code this trainer
i didn't know for remote desktop for process but yeah, i used the FindWindow function
i'll look for the one based on filename, shouldn't be so different like FindWindow :-/


The method to do it is the same in C as it is in VB Wink

Just hack up the example code I have above into C-like structure.

Dim objWMI, objProcess, objProcesses

Those are just variable definitions..


Set objWMI = GetObject("winmgmts://.")


I forget exactly how to do that in C - but again, the same.

Also, I'm not using any declarations, like you have to with FindWindow. As my previous post stated: The only things I'd change are places where I call other functions that are my own. At a glance, the only place I really do that is when I call "SetConnected".

At any rate - any examples you can get on using WMI with C , would probably do the trick.

*Note* Only the GamePID function above (minus the GamePID2 function that is) - is the one using WMI. Like I said... It fails over to GamePID2 if it can't access WMI for some reason (older PC, or option turned off, which is rare).

In your trainer, you could make your old findwindow function GamePID2 - just to keep it around in case the new function fails.

Are you planning on 'running' with this trainer at all? - There are a lot of options we've found in previous posts, and I can sum them up for you in 1 big post (the ones I notice missing from your trainer).

The biggest thing missing is the 'unlock all cars' features. There are 3.

1.
- Add most cars to purchasable lists (aka Unlock cars).
- Adds about 65 cars that were never meant for the player to 'obtain'
- Adds all pinkslip cars as well.

Address: 1.2 - 0056F00F *edit* The "unlock all cars" code moved to 0056F19F in v1.3 (thanks cparty)
Type: Array of Bytes - 10
Description: Code - Unlock All Cars (Orig: C20400CCCCCCCCCCCCCC New: 80FA01750288D0C20400 )

This one above simply adds all the cars to your list... but what about "Locks?" the real locks. The ones that stop you from being able to actually get the car.

----------------------------------------------------------------------------------

2.
- unLOCK *most* "My Cars" (takes the 'lockpad' off of the cars in the My Cars list, used for online games).

Addy: v1.2 - 0058A686 (See JongData for offset for 1.3)
Type: Array of Byte (6 in length)
Description: Code - unLock My Cars - Most Cars - (Orig: 8A88B0000000 New: B20090909090 )
JongData: Add +2B677 to the *other* Unlock that you already have (the 10-byte one)

----------------------------------------------------------------------------------

3.
- unLOCK all Career cars (takes the 'lockpad' off of them so they can be purchased, no matter what level).

Addy: 0058AB74 (See JongData for offset for 1.3)
Type: Array of Byte (6 in length)
Description: Code - unLock Career - Cars (Orig: 8A98B0000000 New: B30090909090 )
JongData: Add +4EE to the unlock My Cars - Most Cars address (the one right above this one)

Alternatively: You can probably search for the original values and nail them down pretty quick. They should be +4EE apart anyhow, as you will find more than 2 (and you don't want to change the other ones, as it could make a quirky save-game).
--------------------------------------------------------------------

*Edit*
gnagna2000 wrote:
Car position X address + 0x14 = Jump Height Address

JONG! Theres your jump height code Smile

JONG
Expert Cheater
Reputation: 0

Joined: 30 Nov 2005
Posts: 130

Posted: Wed Dec 14, 2005 7:23 am

gnagna2000 wrote:
Some more info :

Car position X address + 0x10 = Instant Speed Address
Car position X address + 0x14 = Jump Height Address
Car position X address + 0x24 = Spinning Speed Address


Very very thanks your info, its help me a lot of.

gnagna2000 wrote:
Note : setting a value as instant speed works but weirdly, your car will just speed up at right or left, i think there's a value that decide the direction, but i can't find it


I think it's to occur because car instant speed but its gears is low, so your car will go right or left.

Thanks again all of you, I am so happy to know those info.

gnagna2000
Cheater
Reputation: 0

Joined: 12 Dec 2005
Posts: 32

Posted: Wed Dec 14, 2005 7:24 am

i'll just use EnumProcess function, it's all in the Platform SDK which i'm most familiar with instead of using services that can be disabled :-/
i didn't choose to add "more cars" features in the trainer because i'm not very interested by such "hack", i mean driving cars that wasn't designed to be driven that's why i haven't added such thing, but i must admit you all made a very good work finding this thing Very Happy
but what i'm looking for is the address that define the car, i mean around the addresses where we can find values like Tires, Brakes, Body Kit, etc., an address that define the car, i think i'm not clear here Embarassed
having such address and with cparty's cars database, i could display the car type when reading the car informations (noticed the blank space in the trainer ? Very Happy)

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Wed Dec 14, 2005 7:52 am

gnagna2000 wrote:
but what i'm looking for is the address that define the car, i mean around the addresses where we can find values like Tires, Brakes, Body Kit, etc., an address that define the car, i think i'm not clear here Embarassed
having such address and with cparty's cars database, i could display the car type when reading the car informations (noticed the blank space in the trainer ? Very Happy)

This goes great with an update I was about to give you all... I just updated the "Cars Only" ct that I use. Again, offset all the pointers in this table, to your 'master pointer' offset. CParty, can you save out a version for v1.3 that works for you?

http://forum.cheatengine.org/download.php?id=361

Once you get this working - you can 'monkey around' and see where cars get their values from.

One very important note! Most of the 'values' in the initial cars memory blocks are actually addresses and offsets within those addresses.

The cars you own, start at around:
Pointer Level 1: [Master Pointer] + 0x10
Pointer Level 2: +0x13B4

The very first 4 byte value there, is actually an address, pointing to where some features of the car is.
In array byte form, on my screen, it has
DA 13 DB 13
What I do , is put that in 4 byte hex form... so its 0x13DB13DA
Go to that address and bam, theres some attributes...
Other values are also direct addresses, with the following bytes, usually being offsets in those addresses Smile


Last edited by Zhoul on Wed Dec 14, 2005 8:32 am; edited 2 times in total
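
The byte-order step described in the post above (the array-of-byte view `DA 13 DB 13` read as the 4-byte value 0x13DB13DA and then treated as an address), as an added example that is not part of the original thread: it resolves such a pointer inside an offline memory snapshot, with bounds checks. The snapshot layout, the base address 0x13DB1000, the slot address 0x13DB1010 and the names `snapshot_t`, `read_u32le`, `snap_at`, `follow_pointer` and `resolve_sample` are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One captured region of a 32-bit process: `size` bytes that were mapped at
 * virtual address `base`. */
typedef struct {
    uint32_t base;
    size_t size;
    const uint8_t *data;
} snapshot_t;

/* Decode 4 bytes stored least-significant byte first (x86 byte order), so the
 * array-of-byte view DA 13 DB 13 is the value 0x13DB13DA. */
static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Map a virtual address to a pointer inside the snapshot, or NULL when
 * [va, va + len) is not fully covered by the captured bytes. */
static const uint8_t *snap_at(const snapshot_t *s, uint32_t va, size_t len)
{
    if (va < s->base)
        return NULL;
    size_t off = (size_t)(va - s->base);
    if (off > s->size || len > s->size - off)
        return NULL;
    return s->data + off;
}

/* Read the pointer stored at slot_va, add offset, and store the result in
 * *out. Returns 0 on success, -1 when the slot or the target lies outside
 * the snapshot or the addition would wrap around. */
static int follow_pointer(const snapshot_t *s, uint32_t slot_va,
                          uint32_t offset, uint32_t *out)
{
    const uint8_t *slot = snap_at(s, slot_va, 4);
    if (slot == NULL)
        return -1;
    uint32_t ptr = read_u32le(slot);
    if (offset > UINT32_MAX - ptr)
        return -1;
    if (snap_at(s, ptr + offset, 1) == NULL)
        return -1;
    *out = ptr + offset;
    return 0;
}

/* Constructed sample (not real game memory): a 0x400-byte region assumed to
 * be mapped at 0x13DB1000, with the bytes DA 13 DB 13 placed at 0x13DB1010. */
static uint8_t sample_mem[0x400];

/* Resolve a slot in the constructed sample; returns the target address, or 0
 * when the pointer cannot be followed inside the snapshot. */
uint32_t resolve_sample(uint32_t slot_va, uint32_t offset)
{
    static const uint8_t slot_bytes[4] = { 0xDA, 0x13, 0xDB, 0x13 };
    snapshot_t s = { 0x13DB1000u, sizeof sample_mem, sample_mem };
    uint32_t target = 0;

    memset(sample_mem, 0, sizeof sample_mem);
    memcpy(sample_mem + 0x10, slot_bytes, sizeof slot_bytes);
    return follow_pointer(&s, slot_va, offset, &target) == 0 ? target : 0;
}

int main(void)
{
    printf("slot         -> 0x%08X\n", (unsigned)resolve_sample(0x13DB1010u, 0));
    printf("slot + 0x100 -> 0x%08X (0 = outside snapshot)\n",
           (unsigned)resolve_sample(0x13DB1010u, 0x100));
    return 0;
}
```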

JONG
Expert Cheater
Reputation: 0

Joined: 30 Nov 2005
Posts: 130

Posted: Wed Dec 14, 2005 8:29 am

gnagna2000 wrote:
Car position X address + 0x10 = Instant Speed Address


I was go into game and try this value, I find that:

If you turn your car to some direction, it will be work fine.

So I guess maybe its need a direction value, what you think ?

And also I think in those address block, maybe we can find some thing like tire damaged etc.

I find a address in here can let your car reset like you push a "R" key.

Sorry for my poor English.

EDIT:

I find if you use:

Car position Y address + 0x10

You can instant speed too.

The "Car position X address" and "Car position Y address + 0x10" all need a direction.


Last edited by JONG on Wed Dec 14, 2005 8:54 am; edited 3 times in total

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Wed Dec 14, 2005 8:32 am

JONG wrote:
gnagna2000 wrote:
Car position X address + 0x10 = Instant Speed Address

I was go into game and try this value, I find that:
If you turn your car to some direction, it will be work fine.
So I guess maybe its need a direction value, what you think ?


gnagna2000 wrote:
Car position X address + 0x10 = Instant Speed Address


As with all things with the car and its location/direction, there is an X and Y velocity and Z (like locs)

009376AC - Z - Velocity (+ = Higher - = Lower )
009376B0 - Y - Velocity (+(positive) = Down -(negative) = Up)
009376AC - X - Velocity (+(positive) = Right -(negative) = Left)

You would need to figure out what direction the car is facing, then determine how much force to deliver to X and Y.

You can use these two addresses to do it... (floats)

0093768C - Rear Turn - Left/Right (from -1 to 1)
00937694 - Frontal Turn - Left/Right (from -1 to 1)

They're funky numbers...

Let's say im facing directly East
0093768C = 0.00000
00937694 = 1.00000

Turn directly west
0093768C = 1.00000
00937694 = 0.00000

Turn directly east again
0093768C = 0.00000 (counting up from -1)
00937694 = -1.00000 (counting up from 0)

Basically, each time I turned around it went either from 1 to 0, 0 to -1 or -1 to 0. One obviously deals with which way you're facing from/to Y and X but goes from 1 to 0 in a 1/2 turn, from 0 to -1 in 1/2 turn, then from -1 to 0 in the next 1/2 turn, from 0 to 1 in the next, and so on.

Not sure how yer gonna factor that in just yet Wink i just work here...

*EDIT* - You can give the car negative velocity in either the X or Y velocity values as well.. Lets say you gave the car 10 velocity and noticed it rolled backward.. You can just give it negative 10 velocity and watch it roll forward...

JONG
Expert Cheater
Reputation: 0

Joined: 30 Nov 2005
Posts: 130

Posted: Wed Dec 14, 2005 10:13 am

Hi gnagna2000, I was download your trainer, I see its have many function, may you can tell me:

1.How to re-set the cars pos ? I was try to change X,Y,Z in CE trainer, but its not work.

2.May you can tell me the "Instant Break" of address or its information ?

Because my game version is Chinese, so thanks for your kind to share.

@Zhoul:

Code:
-- C: Get Cur Car Addy 2 - Toggle (00561F35) - When scanning for it's original value, in array of byte form ( B9 68 16 9B 00 ), it appears as the 5th entry on my list. Since this might change, here are a few more bytes, before and after, that might help. ( 04 73 50 b9 68 16 9b 00 e8 b1 95 1d ). Scanning those bytes turns up only 1 result.. Of course, add +3 to the offset that is found, and make it an array of byte, 5 long.


In game version V1.3, I can't find this address, even I only search "B9 68 16 9B 00".

EDIT:

gnagna2000 wrote:
Car position X address + 0x10 = Instant Speed Address


I think maybe this line change to:

Car position Y address + 0x10 = Instant Speed Address

will be better, because:

(Jump Height Address) - (Car position Z address ) = 0x10

But let me confused is:

If you change "Car position X address + 0x10" value, it can let your car Instant Speed.

If you change "Car position Y address + 0x10" value, it can let your car Instant Speed too.

Why ?

gnagna2000
Cheater
Reputation: 0

Joined: 12 Dec 2005
Posts: 32

Posted: Wed Dec 14, 2005 3:55 pm

thanks for this information zhoul

jong : the instant break it's when the speed value is equal 0 (that's what i made), there're no particular address to instant break Smile
like zhoul said, speed on X and Y are used to determine the direction, we need to adjust the power to get the instant speed up to work properly :-/

Zhoul
Master Cheater
Reputation: 1

Joined: 19 Sep 2005
Posts: 394

Posted: Wed Dec 14, 2005 10:04 pm

gnagna2000 wrote:
thanks for this information zhoul

jong : the instant break it's when the speed value is equal 0 (that's what i made), there're no particular address to instant break Smile
like zhoul said, speed on X and Y are used to determine the direction, we need to adjust the power to get the instant speed up to work properly :-/


To get instant break, just set X Y and Z velocity to 0


chong wrote:
In game version V1.3, I can't find this address, even I only search "B9 68 16 9B 00".
The *only* time I scan for this array of bytes and get NO results is when I *dont* scan read only memory.

When I do scan read only memory for B9 68 16 9B 00 - I get 53 results, in which the one that we're supposed to change here, is the 5th one.

chong wrote:
1.How to re-set the cars pos ? I was try to change X,Y,Z in CE trainer, but its not work.
Here's what I've found in the current trainer I'm making... If you are pretty far from an X, Y, Z location, for some reason, the game won't immediately set you at the loc, the first time you force it to memory. The button "Goto location" on the screenshot below, has to be hit several times until you 'finally' pop up at the new location. I'm going to have the trainer force these values to memory about 10 times (or whatever seems appropriate).


Here's meh current project btw Wink



NFS-MW-Trn.jpg
 Description:
 Filesize:  103.41 KB
 Viewed:  25259 Time(s)

NFS-MW-Trn.jpg
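
The search-string approach discussed in the posts above (the 5-byte pattern that matches in many places versus the 12-byte version with surrounding bytes that matches once, then `+3` to reach the instruction), as an added example that is not part of the original thread. It runs over a constructed buffer rather than game memory; `find_all`, `locate_unique`, `sample_count` and `sample_locate` are names chosen here, and the buffer layout is invented for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte strings quoted in the thread: the 5-byte instruction and the 12-byte
 * version with 3 bytes of context before it and 4 bytes after it. */
static const uint8_t SHORT_SIG[] = { 0xB9, 0x68, 0x16, 0x9B, 0x00 };
static const uint8_t LONG_SIG[]  = { 0x04, 0x73, 0x50, 0xB9, 0x68, 0x16,
                                     0x9B, 0x00, 0xE8, 0xB1, 0x95, 0x1D };
#define CONTEXT_SKIP 3  /* the "+3" from the post: bytes of leading context */

/* Count every occurrence of pat in buf and record the first `max` offsets
 * in hits (hits may be NULL when max is 0). */
size_t find_all(const uint8_t *buf, size_t len, const uint8_t *pat,
                size_t plen, size_t *hits, size_t max)
{
    size_t n = 0;
    if (plen == 0 || plen > len)
        return 0;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(buf + i, pat, plen) == 0) {
            if (n < max)
                hits[n] = i;
            n++;
        }
    }
    return n;
}

/* Offset of the bytes of interest (match + skip), but only when the pattern
 * matches exactly once. Zero or several matches return -1, so an ambiguous
 * signature is reported instead of relying on "the Nth hit". */
long locate_unique(const uint8_t *buf, size_t len, const uint8_t *pat,
                   size_t plen, size_t skip)
{
    size_t hit = 0;
    if (skip >= plen || find_all(buf, len, pat, plen, &hit, 1) != 1)
        return -1;
    return (long)(hit + skip);
}

/* Constructed 256-byte buffer (not game memory): filler 0xCC, the short
 * pattern alone at 0x10, 0x40 and 0x90, and the long pattern at 0x60. */
static uint8_t sample[256];

static void build_sample(void)
{
    memset(sample, 0xCC, sizeof sample);
    memcpy(sample + 0x10, SHORT_SIG, sizeof SHORT_SIG);
    memcpy(sample + 0x40, SHORT_SIG, sizeof SHORT_SIG);
    memcpy(sample + 0x60, LONG_SIG, sizeof LONG_SIG);
    memcpy(sample + 0x90, SHORT_SIG, sizeof SHORT_SIG);
}

/* Number of matches in the sample for the short or the long pattern. */
size_t sample_count(int with_context)
{
    build_sample();
    return with_context
        ? find_all(sample, sizeof sample, LONG_SIG, sizeof LONG_SIG, NULL, 0)
        : find_all(sample, sizeof sample, SHORT_SIG, sizeof SHORT_SIG, NULL, 0);
}

/* Unique location in the sample, or -1 when the pattern is ambiguous. */
long sample_locate(int with_context)
{
    build_sample();
    return with_context
        ? locate_unique(sample, sizeof sample, LONG_SIG, sizeof LONG_SIG, CONTEXT_SKIP)
        : locate_unique(sample, sizeof sample, SHORT_SIG, sizeof SHORT_SIG, 0);
}

int main(void)
{
    printf("short pattern: %zu matches, unique offset %ld\n",
           sample_count(0), sample_locate(0));
    printf("long pattern:  %zu match,   unique offset 0x%lX\n",
           sample_count(1), (unsigned long)sample_locate(1));
    return 0;
}
```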



JONG
Expert Cheater
Reputation: 0

Joined: 30 Nov 2005
Posts: 130

Posted: Thu Dec 15, 2005 1:47 am

gnagna2000 wrote:
jong : the instant break it's when the speed value is equal 0 (that's what i made), there're no particular address to instant break Smile
like zhoul said, speed on X and Y are used to determine the direction, we need to adjust the power to get the instant speed up to work properly :-/


Thanks for your info, I will try to adjust this function.

Zhoul wrote:
The *only* time I scan for this array of bytes and get NO results is when I *dont* scan read only memory.

When I do scan read only memory for B9 68 16 9B 00 - I get 53 results, in which the one that we're supposed to change here, is the 5th one.


I was scan read only memory, In fact, every time I do a search, I always include read only memory, maybe because my game version is Chinese.

Zhoul wrote:
If you are pretty far from an X, Y, Z location, for some reason, the game won't immediately set you at the loc.


Yes, you are right, if I change their value and lock it, wait a several times, then my car will be move to I want of location.

But I don't know how to make the wait time on this function.

Your current project are great, I hope my game version is not Chinese, then I can wait your great project and don't need to make a new one. Crying or Very sad

EDIT:

Does any one interested that, change game of DPI ?

If does, I can post it.

All times are GMT - 6 Hours
Page 11 of 20