Cheat Engine

[Geri]

I am trying to hack C&C: Renegade for a long time now. I am using version 1.037.
I know that I can find a trainer on CheatHappens, but I want to know how is the game working.

This is the only game I have seen where I can't find any useful value for me, no matter what do I try. I have tried to find the ammo with zero luck so far. There is an address which has the same value as Your ammo and I have tried to backtrace with Olly where did it get the amount of ammunition, but I have failed or I need much more patience to check out a few thousand codes.

So I call upon You superior game hackers. Hack this game if You can and enlighten me by telling the story how You did it. I can promise it will be a challenge.

[justa_dude]

The value You're finding Easily is Probably the Float that (I think) is Used to Update the Ammo Display. If you Trace around A bit, You see A function That is Called twice To update The value You've found. It takes No parameters And returns The value In eax (Stdcall). EAX updates Some values On the Stack and Continues manipulation. All of These values Being passed Around on The stack Makes it More difficult To find What you're Looking for.

If you continue tracking the values, you'll find that there's a series of static variables containing ammo information. The ammo in the clip and the ammo in the reserve are stored as 4-byte integers, but they move around within this very small section of memory after every shot fired. The index into the static field that yields the ammo is stored in eax - so it is always referenced as [eax*4+008...]. The ammo count is manipulated as a transformation between these two sets of numbers during this function call. The manipulation itself is crazy complex - I did not attempt to figure out what the heck it is doing. However, it is certainly possible to abuse this scheme by altering the return value of the manipulating procedure. Just find the function epilogues (pop esi,pop ebx, add esi, ret) and ensure that you're loading EAX with a large value (I think the game treats 0xffffffff / -1.0 as infinite). This doesn't ever really get you numbers that you can evaluate as ammo, but it does give you an effective ammo cheat - and it's a LOT easier than trying to muddle through 5,000 lines of crazy asm (is it hashing against the time in there?!).

Cheers,
adude

ps - my version is unpatched off the CD, I'm not sure what's been changed since, and I couldn't check out the CH version since it seems to be written for something called a decade version. Dunno.

[Geri]

Hi justa_dude!

I have no clue what is the float value's purpose, I can freeze it or change it to whatever, nothing happens, but who cares, that is not important for me, I just want to trace where is the ammo going. As You did.

When I have tried to backtrace it, I also had the conclusion that the ammo is passed around in the stack and probably it is a 4 byte integer value which is rotated somehow. I think it just gets all the ammo information in the game including the enemies and start to rotate it in a crazy way. It does not even wait for me to fire a shot, it is just rotating it with a crazy speed. And that was the point when I was thinking it will take an eternity to find the code I need. I did not even know where to look for it or how far do I have to go back until I find it because I know that there are more than 100000 codes in the loop between 2 ammo updates.

All in all it was just amazing, I have never seen any other game which is doing that. That's why I wanted to learn how to beat it. Even in the debugging process, I have learned a lot about it. Now that You have told me some extra info about the code which I did not know yet, I get to it again until I find it.

Thanks for the help, I think this is really a though game to hack. If every game would do that with values, it would be a major pain.

I also have the original version but I have patched it up to v1.037 which is the latest version (this version is in the C&C First Decade game collection).

If You send the address of the codes found by You, or put it in a CT table, I will reinstall the game and check out if I can make a cheat based on those codes. I have also found some addresses which contains the value of the ammo when I am debugging it, but as I could see, it is a very long process. It is just passing it in the memory from address to address and finally it ends up as the value I have found. However I still don't know which address will be the one that contains the value of the ammo. All I can do is keep tracking.

If You have the code which is changing the ammo, I would trace it to see what is happening exactly, so I would know how could I have found it easily.

EDIT:
I think that here is the trick:

0045CBFB - 8b 31 - mov esi,[ecx]
0045CBFD - 8b 3d 78 94 82 00 - mov edi,[00829478] : [AAAAAAAA]
0045CC03 - 33 f7 - xor esi,edi
0045CC05 - 89 34 0a - mov [edx+ecx],esi

It takes [ecx] and the value on [00829478], then make a xor and the result is the ammo in decimals. This code is changing a lots of other things too, but it is working when calculating the ammo too.

EDIT2:
And the codes which are writing to the address hold by ecx are
0045CFCE - 89 3e - mov [esi],edi
0045D381 - 89 51 fc - mov [ecx-04],edx

It seems these codes are changing the health and the ammo and tons of other things.

Oh yeah, thats the code to change the real value of health, ammo and lots of other things. Now I only have to figure out a way how to modify health and ammo only. I am starting to understand why is the trainer on cheathappens so buggy and why can't I turn on unlimited ammo and health separately but only in one option.

EDIT3:
I have gone even further than I need to. This code is writing to the ammo too. I have written an "unlimited ammo" script but it is very lame at the moment. It works, but I have to fine tune it.
0045CC05 - 89 34 0a - mov [edx+ecx],esi

EDIT4:
I have a bunch of codes which has access to the ammo so I have made a normal, working unlimited ammo cheat. I see the big picture now, the main problem is that the program is constantly rotating the values (even if I don't fire with the weapon). Now that I see the whole procedure, I know that I could have found it in 5 minutes if I would not have missed a few things. Actually I had found the right codes at the start of the debugging process but I thought these are not holding the right value, only a copy of the ammo amount. That's because when I change a value, the program do not care about it, but if I freeze it with the script, I will have unlimited ammo. Most likely this is because of an extra protection against cheating. Even the program is popping up messages that is saying the "host is tempering with the data", so it has detected that I am cheating.


So here is how I found the ammo:
1. There is a Float value which always has the same number as Your ammo. I have checked what writes to that
address.
Game.exe+2AF08C - d9 1d 74 c6 85 00 - fstp dword ptr [game.exe+45c674]

2. Just above this code I find these codes:
Game.exe+2AF07A - 89 44 24 1c - mov [esp+1c],eax
Game.exe+2AF083 - db 44 24 1c - fild dword ptr [esp+1c]

So obviously, eax has the same value as ammo.

3. There is a call instruction before "mov [esp+1c],eax" so I follow it.

4. I jump to the "ret" instruction and start checking the code backwards
to see where has eax been changed. I find this instruction:

Game.exe+88B9 - 8b 06 - mov eax,[esi]

So I know that [esi] also is the value of the ammo at this point.

5. I check out what addresses this code reads from and I find a bunch of values which has the value
of my ammo in reserve, my ammo in the clip and my ammo in summary. I also find some other values.

6. I check out what writes to these addresses. And I find this code:
Game.exe+5CC05 - 89 34 0a - mov [edx+ecx],esi

That is the code which is changing the health, ammo and lots of other things. It is changing the
values and as the addresses are calculated from 2 registers, they are rotated too.

7. I have checked which codes are accessing to the addresses of the ammo and found a bunch of them.
These are good enough to make an ammo cheat for the game.

My error was that I have found these codes quickly, but as changing the resulted values did not show any changes, I was thinking these are just copies of the real values of ammo and I was searching even deeper which was totally unnecessary. Now I know that the values are not just rotated but also backed up somewhere so trying to freeze them or just change them does not work. However I can freeze them with a script.

Actually I have ran a few circles just to end up at the same place where I have started, but at least I know what did I mess up.

[justa_dude]

Good work, mate.

[Geri]

Thanks, this game was my nemesis because I could not hack it with CE a few years ago and I had to edit my savegame files. It was time to take revenge...

Finally it is done. Thanks again.

Cheers!

[calvin1007]

wait where do i put these codes?...or whatever they are

[Geri]

Nowhere. This is just a method to solve a unique game. If You want to have the unlimited ammo cheat, use this table. I didn't make it for health.

[Teh1337Bix]

I just read that whole thing. That has got to be the only game to tackle cheating head on like that, without no shitty 3rd part software or anything. Anyway, interesting find keep up the good work.

[Geri]

It was challenging for me to hack it properly. Now I know how could I have done in it 5 minutes, but I learned a lot until I figured it out.

[laserbeak]

Could I have your C&C: Renegade Cheat Table (with Infinite Health) please ? I downloaded your Ammo Hack, it's working well. I would be very grateful to you. Thank you ! I tried checking out your website but the link is dead !

[justa_dude]