Nakor (Newbie cheater)
Reputation: 0
Joined: 23 Dec 2009  Posts: 22
Posted: Tue Feb 21, 2012 1:48 pm  Post subject: Separating player health from AI health
I have been working on a trainer in the last week or so in my spare time and I have run into a problem. I cannot figure out how to separate the player's health from the enemy AI's health. From what I have read I am supposed to get the player's health address and store it in a variable, and then check when health changes to see if it is that address or not. The problem is, I have no idea how to do that, and any posts I have found on the subject have been somewhat confusing to me.
Here are the scripts I am working with (have removed the game name as I am fairly certain I'm not supposed to mention that):
God Mode cheat part 1:
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
alloc(godModePt1,512)
registerSymbol(godModePt1)
label(returnhere)
label(originalcode)
label(exit)
newmem:
jmp returnhere
originalcode:
fst dword ptr [esi+0C]
fld dword ptr [esi+20]
exit:
jmp returnhere
"TheGame.exe"+CF04D:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
dealloc(godModePt1)
unregisterSymbol(godModePt1)
"TheGame.exe"+CF04D:
fst dword ptr [esi+0C]
fld dword ptr [esi+20]
//Alt: db D9 56 0C D9 46 20
God Mode cheat part 2:
Code:
[ENABLE]
alloc(newmem,2048) //2kb should be enough
alloc(godModePt2,512)
registerSymbol(godModePt2)
label(returnhere)
label(originalcode)
label(exit)
newmem:
jmp returnhere
originalcode:
fstp dword ptr [esi+0C]
fldz
exit:
jmp returnhere
"TheGame.exe"+CF07A:
jmp newmem
returnhere:
[DISABLE]
dealloc(newmem)
dealloc(godModePt2)
unregisterSymbol(godModePt2)
"TheGame.exe"+CF07A:
fstp dword ptr [esi+0C]
fldz
//Alt: db D9 5E 0C D9 EE
Both of these scripts need to be active in order to turn on "god mode", but it also makes the enemies invulnerable. I have not been able to figure out how to make this work.
_________________
Too bad my life doesn't have a hex address for suck...
Dark Byte (Site Admin)
Reputation: 474
Joined: 09 May 2003  Posts: 25926  Location: The Netherlands
Posted: Tue Feb 21, 2012 1:55 pm  Post subject:
Yeah, you're basically just nopping the instruction and the one behind it.
I assume that the access to [esi+0C] is the access to the health?
If so, go to that instruction in the disassembler and right-click it, then choose "Find out what addresses this code writes to".
Get hit first so you know your own health address, and then hurt one or more enemies (DO NOT KILL THEM).
Now go to Data Dissect, fill in your player's health address - 0C and create a new structure.
Now add a new address and fill in the address of the enemy/enemies.
Now see if you can find out how to distinguish between you and the enemy.
Perhaps a certain byte is always 0 for you and 1 for the enemy. Or there is a pointer somewhere that points to your name, or see if there is some other pointer you could make use of.
--
Also, if you use "find what accesses your health" you might get a function that is called ONLY for your player (to render the health).
You can do a hook there and then check in the routines that cause damage if the health address is yours or not, and if not, skip.
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so I can keep helping
Nakor (Newbie cheater)
Reputation: 0
Joined: 23 Dec 2009  Posts: 22
Posted: Wed Feb 22, 2012 4:13 pm  Post subject:
Thanks for the reply.
So I have looked at the structures you said to create, and I want to test for a value now to see if it is correct.
I have found that offset 001C is 1 for the enemy and 0 for the player. How do I check this? I am guessing it is something like:
Code:
cmp [esi+1C], 1
jne returnhere
// Original code here
after:
Am I close to right? I'm not sure how to check, as I don't know of any way to do output (and I don't think I can) in AA (like console output in other programming languages).
_________________
Too bad my life doesn't have a hex address for suck...
Dark Byte (Site Admin)
Reputation: 474
Joined: 09 May 2003  Posts: 25926  Location: The Netherlands
Posted: Wed Feb 22, 2012 4:27 pm  Post subject:
You could always run the game in a window and debug it, but yeah, small scripts like these are usually a matter of believing that the code works and trying it.
As for your code, it might work, but I find your use of jmp returnhere a bit like working with a sledgehammer; I think you just nopped that code without knowing what it does.
Also, another spot to check is the first 2 bytes of a structure; sometimes the player has a unique value there.
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so I can keep helping
Nakor (Newbie cheater)
Reputation: 0
Joined: 23 Dec 2009  Posts: 22
Posted: Wed Feb 22, 2012 5:31 pm  Post subject:
There is a function that is called every tick, and it is checking to see if health should be increased and/or increasing the health. How can I retrieve the address from that and use it in another script? I tried using a symbol to store it, but I think maybe I don't quite understand them very well yet, as it doesn't seem to work.
This is called every tick (or close to it):
Code:
fld dword ptr [ecx+0C]
fld dword ptr [esp+esp]
I was wrong before about the 1 and 0 byte value... I think. I can't get it to work anyway. Although the byte value always seems to be consistent in my structures, my script results are inconsistent. I have noticed that at offset 0004 the player's value is always 5000 and the enemy value is usually 2000 (or sometimes other values). I have tried checking this other offset as well, but I must be doing something wrong, as it isn't working for me either.
If my health is stored at ESI+0C, how do I properly compare that to a value? I have been doing things like:
Code:
cmp [esi+04],1388
je returnhere
I know the returnhere thing is bad form, but I am just trying to work out my other problems at the moment.
_________________
Too bad my life doesn't have a hex address for suck...
Dark Byte (Site Admin)
Reputation: 474
Joined: 09 May 2003  Posts: 25926  Location: The Netherlands
Posted: Wed Feb 22, 2012 5:57 pm  Post subject:
Code:
alloc(healthpointer,4)
registersymbol(healthpointer)
...yourhook where ecx+c points to your health...
push eax
lea eax, [ecx+0c] //write the address of ecx+0c into eax
mov [healthpointer], eax
pop eax //restore eax before continuing with the original code
Now in another script you can read [healthpointer] to get the address of the health.
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so I can keep helping
Nakor (Newbie cheater)
Reputation: 0
Joined: 23 Dec 2009  Posts: 22
Posted: Wed Feb 22, 2012 6:12 pm  Post subject:
OK, I'm trying to access the symbol from another script, but I'm not sure why it doesn't work. It says it can't compile the code.
I was trying:
Code:
cmp [esi+0C],[healthAddy]
Is that wrong or do I have to allocate and register the same symbol again in this script?
_________________
Too bad my life doesn't have a hex address for suck...
Dark Byte (Site Admin)
Reputation: 474
Joined: 09 May 2003  Posts: 25926  Location: The Netherlands
Posted: Thu Feb 23, 2012 3:29 am  Post subject:
You cannot use 2 address specifiers in the same instruction, and you're comparing the value of the health to the address of the health.
Do:
Code:
push eax
lea eax,[esi+0c]
cmp eax,[healthAddy]
pop eax
je playerhealth
...
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so I can keep helping
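Putting the two snippets from Dark Byte's last two replies together, here is an added example of what the whole thing can look like as a single Auto Assembler script. It is not code from this thread or from Cheat Engine itself. It reuses the "TheGame.exe"+CF04D site and the two original instructions from the first post, and it assumes the per-tick routine that reads [ecx+0C] sits at a placeholder address "TheGame.exe"+TICKADDR, which the thread never gives; the jmp written there needs 5 bytes, so whatever original instructions it overwrites have to be replayed in the hook, and only the disassembler can tell you which ones. For the player it skips only the fst that writes the new health and still executes the fld, so the FPU stack stays balanced; that is an assumption about the surrounding code, not something the thread confirms.

```asm
[ENABLE]
alloc(newmem,2048)
alloc(healthpointer,4)
registersymbol(healthpointer)
label(tickhook)
label(tickreturn)
label(dmghook)
label(dmgreturn)
label(dmgenemy)
label(dmgplayer)

healthpointer:
dd 0                      // holds 0 until the tick hook has run once

newmem:

// Hook A: the per-tick routine that only ever handles the player.
// It records the ADDRESS of the player's health float in healthpointer.
tickhook:
push eax
lea eax,[ecx+0C]          // address of the health float, not its value
mov [healthpointer],eax   // remember it for the damage hook below
pop eax                   // leave eax exactly as the game had it
fld dword ptr [ecx+0C]    // original instruction from the tick routine
// PLACEHOLDER: replay here any further original instructions that the
// 5-byte jmp at the tick hook site overwrote
jmp tickreturn

// Hook B: the spot in the damage routine that writes the new health.
dmghook:
push eax
lea eax,[esi+0C]          // address this write is about to hit
cmp eax,[healthpointer]   // same address as the player's health?
pop eax                   // pop does not change the flags, so je still works
je dmgplayer

dmgenemy:
fst dword ptr [esi+0C]    // not the player: let the damage be written
fld dword ptr [esi+20]
jmp dmgreturn

dmgplayer:
fld dword ptr [esi+20]    // player: skip only the store, keep the FPU stack balanced
jmp dmgreturn

"TheGame.exe"+TICKADDR:   // PLACEHOLDER: the tick routine's fld dword ptr [ecx+0C]
jmp tickhook
tickreturn:

"TheGame.exe"+CF04D:
jmp dmghook
nop
dmgreturn:

[DISABLE]
"TheGame.exe"+TICKADDR:   // PLACEHOLDER: restore the original bytes here
fld dword ptr [ecx+0C]
"TheGame.exe"+CF04D:
fst dword ptr [esi+0C]
fld dword ptr [esi+20]
dealloc(newmem)
dealloc(healthpointer)
unregistersymbol(healthpointer)
```

The comparison is on the address, not on the value, which is the point Dark Byte makes about the original cmp [esi+0C],[healthAddy]: lea puts the address of [esi+0C] into a register first, and that register is what gets compared with the stored pointer. Because healthpointer starts at 0, damage is written normally until the tick routine has run at least once, and a second script can read [healthpointer] the same way since the symbol is registered.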