| View previous topic :: View next topic |
| Author |
Message |
0DarkShadow0
How do I cheat?
![]() Reputation: 0
Joined: 08 Jul 2014
Posts: 2
|
 Posted: Fri Nov 14, 2014 3:08 am Post subject: Need help, confused. |
 |
|
Alright I'm not sure if this is the right section, but I need help with a enable/disable script for godmode/infinite health. I have googled around for like half an hour now, and still can't figure it out. I found my current value of health (1.25). Max is 1.5. I then right clicked and searched for what is writing to the health, but I'm not sure how to right the enable/disable script. Here's what I've got. Help would be appreciated
Seems I can't directly put in img, so I added it as an attachment.
| Description: |
|
| Filesize: |
130.97 KB |
| Viewed: |
6372 Time(s) |
|
|
|
| Back to top |
|
 |
Servus
Newbie cheater
![]() Reputation: 0
Joined: 08 Nov 2014
Posts: 11
Location: gamevial
|
| Posted: Fri Nov 14, 2014 11:51 am Post subject: |
|
|
| What do you want to do with this? Find pointer?
|
|
| Back to top |
|
|
0DarkShadow0
How do I cheat?
![]() Reputation: 0
Joined: 08 Jul 2014
Posts: 2
|
| Posted: Fri Nov 14, 2014 8:08 pm Post subject: |
|
|
| Servus wrote: | | What do you want to do with this? Find pointer? |
As I said in my OP, I would like to know how to make a enable/disable script for it, like below;
| Code: | [ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
alloc(double,4)
double:
dd (int)200
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
fstp qword ptr [ebx+00000498]
fild qword ptr [double]
fstp qword ptr [ebx+00000498]
exit:
jmp returnhere
"Tutorial-i386.exe"+25FCB:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
"Tutorial-i386.exe"+25FCB:
fstp qword ptr [ebx+00000498]
//Alt: db DD 9B 98 04 00 00 |
But I'm unsure how to do that. I would like assistance. What I want again, is a script that pretty much freezes the existing health to full health when activated.
|
|
| Back to top |
|
|
Servus
Newbie cheater
![]() Reputation: 0
Joined: 08 Nov 2014
Posts: 11
Location: gamevial
|
| Posted: Fri Nov 14, 2014 10:08 pm Post subject: |
|
|
| Nope no idea how you can freeze values using script. I do know that you can freeze values using hotkeys. What you can do is make your health increase every time you receive damage. Reverse effect.
|
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 62
Joined: 01 Oct 2008
Posts: 958
|
| Posted: Sat Nov 15, 2014 3:20 am Post subject: |
|
|
I've complement your graphical code listing, since the address offset is not shown completely (please check if it is correct):
| Code: | +639da : ff 50 48 call dword ptr [eax+48]
+639dd : d9 45 08 fld dword ptr [ebp+08] ** amount to be substrate
+639e0 : d9 9e 8c 08 00 00 fstp dword ptr [esi+0000088c]
+639e6 : d9 86 6c 06 00 00 fld dword ptr [esi+0000066c]
+639ec : d8 65 08 fsub dword ptr [ebp+08] ** substrate
+639ef : d9 9e 6c 06 00 00 fstp dword ptr [esi+0000066c]
+639f5 : 85 ff test edi,edi
+639f7 : 74 11 je Juxta.GameDLLInit +63a0a
+639f9 : 3b fe cmp edi,esi |
It seems the instructions with ** marked are the desired modification, net effect substrate zero amount , so that the target value health is not changed.
The fsub instruction can be nullified by 3 nops (0x90).
For integrity, the substrate amount has also saved at [esi+0000088c], so the previous instruction fld dword ptr [ebp+08] is also replace by fldz.
fldz is to load a double 0.0 into stack. It is 2 bytes long , ie. d9 ee, so it has to follow by an extra nop.
Since the modification can fit into the original code, no code cave is need.
I've nearly no experience on using address with label, since I almost only doing flash cheat with aobscan but not pc game/native code. I don't know if following work or not :
| Code: | [ENABLE]
Juxta.GameDLLInit +639de:
fldz
nop
Juxta.GameDLLInit +639ed:
db 90 90 90 // 3 nops
[DISABLE]
Juxta.GameDLLInit +639de:
db d9 45 08
Juxta.GameDLLInit +639ed:
db d8 65 08 |
The modification can also be done with AOBScan, but the the scanning is much slower:
| Code: | [ENABLE]
// offset: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12
aobscan(_target, ff 50 48 d9 45 08 d9 9e 8c 08 00 00 d9 86 6c 06 00 00 d8 65 08 )
_target+03:
db d9 ee 90
_target+12:
db 90 90 90
[DISABLE]
// offset: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12
aobscan(_target, ff 50 48 d9 ee 90 d9 9e 8c 08 00 00 d9 86 6c 06 00 00 90 90 90 )
_target+03:
db d9 45 08
_target+12:
db d8 65 08 |
I may have typo, please check yourself.
The cheat effect may also apply to enemy/opponent, which may not what you want.
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
 Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Sat Nov 15, 2014 8:41 am Post subject: |
|
|
He wanted "a script that pretty much freezes the existing health to full health when activated".
About addresses, We can easly get correct address from je instructions (short conditional jump):
74 11 - je Juxta.GameDLLInit+63A0A
Address of je instruction is:
Juxta.GameDLLInit+0x63A0A - 0x11 - 0x2 = Juxta.GameDLLInit+0x639F7
Then we can go backwards:
test edi,edi is two bytes - address of this instruction Juxta.GameDLLInit+0x639F5
fstp dword ptr [esi+66C] is six bytes - address Juxta.GameDLLInit+0x639EF
| Code: |
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(myValue)
newmem:
fstp dword ptr [esi+0000066C]
fld dword ptr [myValue]
fstp dword ptr [esi+0000066C]
jmp returnhere
myValue:
dd (float)1.5
Juxta.GameDLLInit+0x639EF:
jmp newmem
nop
returnhere:
[DISABLE]
dealloc(newmem)
Juxta.GameDLLInit+0x639EF:
db D9 9E 6C 06 00 00 |
_________________
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
