Cheat Engine The Official Site of Cheat Engine
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Tue Apr 03, 2012 11:02 pm
My mistake. I used pushfd and pushad at the beginning of the script.
So it should be like this:
ECX == 0x3 (dword)
[esp+20] == 0x70 (dword)
[esp+28] == 0x7 (dword)
Edit:
OK,
ECX == 0x3 (dword)
[esp+20] == 0x70 (dword)
[esp+28] == 0x7 (dword)
[esp+30] == 0x1 (dword)
[esp+34] == 0x7 (dword)
But I still get other "not health" hits:
Code:
[ENABLE]
alloc(THECODE,2048)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(THECODE)
THECODE:
pushfd
pushad
cmp ecx,00000003
jne short originalcode
cmp [esp+20+24],00000070
jne short originalcode
cmp [esp+28+24],00000007
jne short originalcode
cmp [esp+30+24],00000001
jne short originalcode
cmp [esp+34+24],00000007
jne short originalcode
//filtered
//
//
popad
popfd
mov ecx,[eax+08] // <- try that "find out what addresses this instruction accesses". We get many fewer other hits.
mov [edi+08],ecx
jmp returnhere
//
//
//
originalcode:
popad
popfd
mov ecx,[eax+08]
mov [edi+08],ecx
exit:
jmp returnhere
"Engine.dll"+15CD11:
jmp THECODE
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(THECODE)
"Engine.dll"+15CD11:
//mov ecx,[eax+08]
//mov [edi+08],ecx
db 8B 48 08 89 4F 08
But it's a good start.
EDIT2:
Final. You can test it. 350 HP.
Code:
[ENABLE]
alloc(THECODE,2048)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(THECODE)
label(HP_value)
THECODE:
pushfd
pushad
cmp ecx,00000003
jne short originalcode
cmp [esp+20+24],00000070
jne short originalcode
cmp [esp+28+24],00000007
jne short originalcode
cmp [esp+30+24],00000001
jne short originalcode
cmp [esp+34+24],00000007
jne short originalcode
cmp dword ptr [eax+08+08],0
jne short originalcode
cmp dword ptr [eax+08+0C],0
jne short originalcode
cmp dword ptr [eax+08+10],4
jne short originalcode
mov ecx,[eax+08+18]
cmp [ecx+10],'_yaw'
jne short originalcode
cmp [ecx+30],'_hea'
jne short originalcode
//filtered
//
//
popad
popfd
fld qword ptr [HP_value]
fstp qword ptr [eax+08]
mov ecx,[eax+08]
mov [edi+08],ecx
jmp returnhere
//
//
//
originalcode:
popad
popfd
mov ecx,[eax+08]
mov [edi+08],ecx
exit:
jmp returnhere
HP_value:
dq (double)350.0
"Engine.dll"+15CD11:
jmp THECODE
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(THECODE)
"Engine.dll"+15CD11:
//mov ecx,[eax+08]
//mov [edi+08],ecx
db 8B 48 08 89 4F 08
Freiza Grandmaster Cheater Reputation: 22
Joined: 28 Jun 2010 Posts: 662
Posted: Wed Apr 04, 2012 12:03 am
What did you do? A brief summary so that I can recreate the whole scenario.
1) Checked stack when accessing health pointer. Took snapshot.
2) Restarted game.
3) Checked stack again.
4)
ECX == 0x3 (dword)
[esp+20] == 0x70 (dword)
[esp+28] == 0x7 (dword)
(But this is something hard to believe; either you are a super duper human, or, you know, used the script for logging the stack.)
5) Again, after 1/2 hour of effort, you came up with more stack addresses.
6) Then also used the player structure to foolproof it.
7) And finished hacking in a matter of 1/2 hour. Great.
Is there any point I am missing?
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Wed Apr 04, 2012 12:06 am
Because we have the super dooper "dissect data/structures" feature,
this part:
Code:
cmp dword ptr [eax+08+08],0
jne short originalcode
cmp dword ptr [eax+08+0C],0
jne short originalcode
cmp dword ptr [eax+08+10],4
jne short originalcode
mov ecx,[eax+08+18]
cmp [ecx+10],'_yaw'
jne short originalcode
cmp [ecx+30],'_hea'
jne short originalcode
Keep in mind that I didn't test it fully, only the first map. It can crash from time to time.
Try it. I tested it with only one save. I'm going to sleep.
Kavvman Master Cheater Reputation: 2
Joined: 17 Apr 2004 Posts: 316
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Wed Apr 04, 2012 8:48 am
cmp dword ptr [eax+08+08],0
jne short originalcode
(...)
cmp [ecx+30],'_hea'
jne short originalcode
The above checks do not apply to other maps. The script works only for one save state (checkpoint).
Painkiller player structure is huge and weird.
First map:
Health at 2470B0B8
Armor at 24708750
Second map:
Health at 24CC5170
Armor at 24CC2A60
Look at the distances.
For the first map, the distance between HealthAddr and ArmorAddr is 0x2968.
For the second map: 0x2710.
Edit:
Only stack checks:
Code:
[ENABLE]
alloc(THECODE,2048)
label(returnhere)
label(originalcode)
label(exit)
registersymbol(THECODE)
label(HP_value)
THECODE:
pushfd
pushad
cmp ecx,00000003
jne short originalcode
cmp [esp+20+24],00000070
jne short originalcode
cmp [esp+24+24],40140000
jne short originalcode
cmp [esp+28+24],00000007
jne short originalcode
cmp [esp+2c+24],40180000
jne short originalcode
cmp [esp+30+24],00000001
jne short originalcode
cmp [esp+34+24],00000007
jne short originalcode
//filtered
//
//
popad
popfd
fld qword ptr [HP_value]
fstp qword ptr [eax+08]
mov ecx,[eax+08]
mov [edi+08],ecx
jmp returnhere
//
//
//
originalcode:
popad
popfd
mov ecx,[eax+08]
mov [edi+08],ecx
exit:
jmp returnhere
HP_value:
dq (double)350.0
"Engine.dll"+15CD11:
jmp THECODE
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(THECODE)
"Engine.dll"+15CD11:
//mov ecx,[eax+08]
//mov [edi+08],ecx
db 8B 48 08 89 4F 08
Freiza Grandmaster Cheater Reputation: 22
Joined: 28 Jun 2010 Posts: 662
Posted: Wed Apr 04, 2012 12:11 pm
Yes, I saw that, but I thought maybe you were using another version,
because your stack states were somewhat different from mine.
But at least you gave me a good foundation to work with.
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Wed Apr 04, 2012 4:10 pm
The last script is stable, I think. I played (speed run) three maps.
Freiza Grandmaster Cheater Reputation: 22
Joined: 28 Jun 2010 Posts: 662
Posted: Wed Apr 04, 2012 4:20 pm
Is there any way to set a conditional breakpoint in the stack?
I want to know when an address was pushed onto the stack, without backtracking the code.
How did you reach esp+20+24?
I tried to open it in the data dissector, but the value there is 0 and not 70?
Are you sure you are using version 1.64?
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Wed Apr 04, 2012 4:54 pm
After setting the breakpoint (it will no doubt break instantly, just continue afterwards), right-click the breakpoint and set a break condition.
There, put in readInteger(ESP+xxx)==0xvalueyouwish
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Freiza Grandmaster Cheater Reputation: 22
Joined: 28 Jun 2010 Posts: 662
Posted: Wed Apr 04, 2012 5:26 pm
In complex section?
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Wed Apr 04, 2012 5:31 pm
I added that "+24" thing because I used pushfd (+0x4) and pushad (+0x20).
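As an added illustration (not code from the thread or from Cheat Engine), a small Python model of the pushfd/pushad frame: it shows why a value read as [esp+20] at the hooked instruction has to be read as [esp+20+24] inside the hook, and where the saved registers land below it. The stack contents, EFLAGS and register values are constructed.

```python
import struct

# pushfd stores EFLAGS (4 bytes); pushad then stores eight dwords in this order, so
# EDI ends at the lowest address [esp+00], EAX at [esp+1C] and EFLAGS at [esp+20].
PUSHAD_ORDER = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
HOOK_SHIFT = 4 + 4 * len(PUSHAD_ORDER)   # 0x24: the "+24" in the scripts

class Stack32:
    """Little-endian 32-bit stack model: a bytearray plus an ESP that grows downward."""
    def __init__(self, size=0x200):
        self.mem = bytearray(size)
        self.esp = size // 2          # room below ESP for the pushes

    def read_dword(self, offset):
        return struct.unpack_from("<I", self.mem, self.esp + offset)[0]

    def write_dword(self, offset, value):
        struct.pack_into("<I", self.mem, self.esp + offset, value & 0xFFFFFFFF)

    def push(self, value):
        self.esp -= 4
        self.write_dword(0, value)

    def pushfd_pushad(self, eflags, regs):
        self.push(eflags)
        esp_before = self.esp         # pushad stores the ESP value from before its first push
        for name in PUSHAD_ORDER:
            self.push(esp_before if name == "esp" else regs[name])

def hook_offsets(checks):
    """Shift [esp+X] checks taken at the hooked instruction to the offsets valid after pushfd/pushad."""
    return [(off + HOOK_SHIFT, val) for off, val in checks]

def render_checks(checks):
    """Auto-assembler lines for the shifted checks, in the thread's 'X+24' notation."""
    lines = []
    for off, val in checks:
        lines += [f"cmp [esp+{off:02x}+{HOOK_SHIFT:02x}],{val:08x}", "jne short originalcode"]
    return lines

def demo():
    # Constructed snapshot at the hooked instruction; stack values match the checks, registers are made up.
    checks = [(0x20, 0x70), (0x28, 0x7), (0x30, 0x1), (0x34, 0x7)]
    st = Stack32()
    for off, val in checks:
        st.write_dword(off, val)
    regs = dict(eax=0x11223344, ecx=3, edx=0, ebx=0, ebp=0, esi=0, edi=0x55667788)
    st.pushfd_pushad(0x246, regs)
    seen = {off: st.read_dword(off) for off, _ in hook_offsets(checks)}
    return seen, st.read_dword(0x1C), st.read_dword(0x20), st.read_dword(0)
```

Every original stack value reappears exactly 0x24 bytes further from the new ESP, which is the only adjustment the check offsets need; the saved EAX, EFLAGS and EDI are also readable at their fixed slots.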
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Freiza Grandmaster Cheater Reputation: 22
Joined: 28 Jun 2010 Posts: 662
Posted: Sat Apr 07, 2012 12:43 pm
I didn't understand what you meant. Please elaborate.
Why did you choose ESI? Was it just hit and trial?
And what is the difference between standard stack check and health stack check?
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Sat Apr 07, 2012 1:54 pm
Look at EDI (previous image); it looks promising. Almost the same value for all calls (health, and for other ammo types). I've just looked into this memory region: Dissect data/structure, add address, "lock it" (right-click, lock). Clicked "define new structure", .....
Load a save (or better, load another map), again "what accesses this address" (for the health address), take the new address pointed to by EDI, add the address to the "Dissect" window (add extra address). Green data: possible constant values, which we can use for structure checks. (You can lock the second address, then repeat this step.) (Do not close the "dissect" window.)
(As you know, I did the same, dissect data/structure, for the address pointed to by [EAX+08] without success; it worked only for one map and only one save checkpoint.)
Then I tried the same thing for other CPU registers: EDX and ESI.
Finally I tried:
Value (double)4.0 for health checks:
cmp dword ptr [esi+40],00000004
cmp dword ptr [esi+44],40100000
0x4010000000000004 == (double) 4.000000....
and value (double)3.0 for shotgun ammo checks:
cmp dword ptr [esi+18],00000000
cmp dword ptr [esi+1c],40080000
0x4008000000000000 == (double) 3.0
Wait, I will upload a video with the dissect window for shotgun ammo.
Last edited by mgr.inz.Player on Sat Apr 07, 2012 2:35 pm; edited 1 time in total
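An added Python example (not the poster's code) for the double bit patterns in the post above: it splits a binary64 value into the low and high dwords that the `cmp dword ptr` pairs test, reproduces the thread's own check lines, and shows that 0x4010000000000004 is 4.0 plus four ULPs rather than exactly 4.0, so a check generated from the float 4.0 would have a zero low dword and miss the value the poster observed. Register name and offsets are the thread's; the 350.0 is the value the script stores with `dq (double)350.0`.

```python
import struct

def double_to_bits(value):
    """IEEE-754 binary64 bit pattern of a float, as a 64-bit integer."""
    return struct.unpack("<Q", struct.pack("<d", value))[0]

def bits_to_double(bits):
    """Inverse of double_to_bits."""
    return struct.unpack("<d", struct.pack("<Q", bits & 0xFFFFFFFFFFFFFFFF))[0]

def split_dwords(bits):
    """Little-endian halves of a qword: (low dword at +0, high dword at +4)."""
    return bits & 0xFFFFFFFF, bits >> 32

def dword_checks(reg, offset, value):
    """Two 'cmp dword ptr' lines testing for a double at [reg+offset]; value is a float or raw bits."""
    bits = double_to_bits(value) if isinstance(value, float) else value
    lo, hi = split_dwords(bits)
    return [f"cmp dword ptr [{reg}+{offset:02x}],{lo:08x}",
            f"cmp dword ptr [{reg}+{offset + 4:02x}],{hi:08x}"]

def describe(bits):
    """Is a captured qword an exact 'round' double, or a few ULPs above one (same binade assumed)?"""
    value = bits_to_double(bits)
    nearest_bits = double_to_bits(float(round(value)))
    return {"value": value, "exact": nearest_bits == bits, "ulps_off": bits - nearest_bits}

def demo():
    # Bit patterns quoted in the thread (health near 4.0, shotgun ammo 3.0) and the 350.0 the
    # script stores with 'dq (double)350.0'. Register and offsets are the thread's own.
    return {
        "health": describe(0x4010000000000004),            # 4.0 plus 4 ULPs: not exactly 4.0
        "ammo": describe(0x4008000000000000),              # exactly 3.0
        "hp_value_bits": double_to_bits(350.0),            # what 'dq (double)350.0' emits
        "health_checks_from_float": dword_checks("esi", 0x40, 4.0),   # low dword 0: misses the observed value
        "health_checks_from_bits": dword_checks("esi", 0x40, 0x4010000000000004),
        "ammo_checks": dword_checks("esi", 0x18, 3.0),
    }
```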
Freiza Grandmaster Cheater Reputation: 22
Joined: 28 Jun 2010 Posts: 662
Posted: Sat Apr 07, 2012 2:01 pm
Thanks a lot.
You are truly awesome.
Will be eagerly waiting for your video. Btw, except for the line mentioned below, I understood the rest.
Quote:
"Green data: possible constant value, which we can use for structure checks. (you can lock second address, then repeat this step). (do not close "dissect" window)"