| View previous topic :: View next topic |
| Author |
Message |
itsoqrappy
Advanced Cheater
![]() Reputation: 0
Joined: 24 Mar 2016
Posts: 67
|
 Posted: Sun Jun 12, 2016 6:37 pm Post subject: Alternative method for finding no-recoil address |
 |
|
What i'm trying to do is finding no recoil address.
I've tryed searching for float, double and 2 bytes value but i didn't solve anything.
My method of searching the no recoil is pausing the game using P hotkey, and then binding hotkey for get increased/decreased/unchanged value.
After a day didn't found it. Any alternative and easy method to do it? Or just a solution's advise?
Im getting just crashes right now
EDIT:
the process is 32bit
|
|
| Back to top |
|
 |
++METHOS
I post too much
![]() Reputation: 92
Joined: 29 Oct 2010
Posts: 4197
|
| Posted: Sun Jun 12, 2016 7:35 pm Post subject: |
|
|
| Depends on the game. Usually, you can find it in the same data structure as ammo or something. If it's a mono game or something, it's quite easy. If the game uses symbols for that stuff, you can find it that way. Sometimes, you just have to do it the old-fashioned way and search for it. Search increased while firing weapon (using speedhack to slow down target), then search decreased while not firing. You can also analyze the code around the ammo instruction and start switching jumps around...you might find it that way.
|
|
| Back to top |
|
|
cooleko
Grandmaster Cheater
![]() Reputation: 11
Joined: 04 May 2016
Posts: 717
|
| Posted: Sun Jun 12, 2016 9:04 pm Post subject: |
|
|
| My method is similar to Methos, for a non-mono or .net game, I simply trace the function calls 2-3 before and after the ammo change. You will find that one of them typically handles it. What I do is simply bypass the calls entirely (NOP the call, or change the first line to a ret). When the recoil is gone you found the correct function call. Sometimes it crashes (because something was supposed to be set in the function call, so just skip any calls within each function or get more creative). Brute force isn't pretty, but it gets results!
|
|
| Back to top |
|
|
itsoqrappy
Advanced Cheater
![]() Reputation: 0
Joined: 24 Mar 2016
Posts: 67
|
| Posted: Mon Jun 13, 2016 7:11 am Post subject: |
|
|
| cooleko wrote: | | My method is similar to Methos, for a non-mono or .net game, I simply trace the function calls 2-3 before and after the ammo change. You will find that one of them typically handles it. What I do is simply bypass the calls entirely (NOP the call, or change the first line to a ret). When the recoil is gone you found the correct function call. Sometimes it crashes (because something was supposed to be set in the function call, so just skip any calls within each function or get more creative). Brute force isn't pretty, but it gets results! |
thank you all guys for your advises. @cooleko @++METHOS
i'll test and i'll tell you. i am pretty sure the game is not mono (it doesn't use any net framework like xna), but yeah. i'll tell you.
EDIT:
nothing, i still can't find it. tried and retried.
|
|
| Back to top |
|
|
itsoqrappy
Advanced Cheater
![]() Reputation: 0
Joined: 24 Mar 2016
Posts: 67
|
| Posted: Tue Jun 14, 2016 10:17 am Post subject: |
|
|
| itsoqrappy wrote: | | cooleko wrote: | | My method is similar to Methos, for a non-mono or .net game, I simply trace the function calls 2-3 before and after the ammo change. You will find that one of them typically handles it. What I do is simply bypass the calls entirely (NOP the call, or change the first line to a ret). When the recoil is gone you found the correct function call. Sometimes it crashes (because something was supposed to be set in the function call, so just skip any calls within each function or get more creative). Brute force isn't pretty, but it gets results! |
thank you all guys for your advises. @cooleko @++METHOS
i'll test and i'll tell you. i am pretty sure the game is not mono (it doesn't use any net framework like xna), but yeah. i'll tell you.
EDIT:
nothing, i still can't find it. tried and retried. |
still not working! 
any other suggestions?
|
|
| Back to top |
|
|
PinPoint
Expert Cheater
 Reputation: 10
Joined: 07 Apr 2016
Posts: 223
Location: Scotland
|
| Posted: Wed Jul 20, 2016 12:46 pm Post subject: |
|
|
Here is a video tutorial with ollydbg from GuidedHacking where it shows you the whole process of how he finds no recoil by using the code around the ammo instruction. you dont need olly though to do this though, it can be done through the CE dissassembler.
https://www.youtube.com/watch?v=BHYjxsDROn4
This way can be laborious mind you but it should in most cases get you results and you might also find other stuff.
here is the steps he uses
| Code: | Step one – find address in cheat engine
step two – find what rights to that address
step three – go on olly search for address the writes that
Step 3.5 – by setting hardware breakpoints find where
the beginning and end of the code is regarding the function you were looking for
e.g. firing gun, this way we know where to stop searching
step four – reverse through all the jumps jmp e.g. JNZ becomes JE
step five – write comments and test a command at a time
step six –if the game crashes then simply return to that address leaving a comment
saying nop crashes or reverse crashes
Step seven – you will have to restart ollydbg and the game every time, it can be tedious
comments are very important! always put them in to make sure you know where you were last
Here are some guidelines in detail
Order in which instructions should be modified:
1ST all jump commands should be reversed
2ND all calls should be NOPED
If you still haven't found our function that we keep searching in
more complex instructions
3RD we now start noping any instructions we haven't tried yet e.g. MOV BYTE PTR DS:[EAX+218],BL
MOV BYTE PTR DS:[EAX+218],BL because because no actual instruction is getting copied
4TH we leave to the end the most likely ones to crash
E.g. MOV EAX,DWORD PTR DS:[ESI+8]
ADD EAX,4 these instructions are very prone to crash
And that's why we leave them until the end
If an instruction like this is NOPED then we may have to NOP
several others above or below it usually until we found the next call
this is because those instructions may use a value stored within the instruction
that we NOPED this may take many tries and crashes
Reversing of JMP'S
JG = JL
JLE = JG
JE = JNZ
This is mostly about trial and error
Instructions like these should be ignored(unless they are part of a group of instructions):
CMP – stands for compare, this is usually seen before jumps
LEA – is used for more advanced calculations
Pop, push and retn don't usually have much to do with recoil, ammo and other info we usually
look for.
Int's are usually quite irrelevant also
Hope that helps out
Fleep |
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
