shingouki Newbie cheater Reputation: 0
Joined: 23 Aug 2021 Posts: 14
Posted: Mon Aug 23, 2021 1:49 am Post subject: AOB Commonalities help
Hello people,
I am new here and I don't have much experience with game hacking, although I did some hacks myself using pointer scanners; for some games it works and for some games it doesn't work, so I have to use other tricks.
Now I am messing around with AOB injections, and all the Udemy courses and YouTube videos use shooting games and Assault Cube as the example. For sure this works, but I want to hack my own games.
I got stuck with a fighting game; I spent over 40+ hours on it and can't seem to solve it.
I can fix infinite health in many ways, but then it's for both players: me and the enemy.
I have seen tutorials where you can use Commonalities in Cheat Engine so that you can tell the script to do a cmp on two offsets, and then the script knows which one is you and which one is your enemy.
However ... what should I do if I use the Commonalities scan and there is only 1 offset available and only one address that uses this health bar?
I tried everything and I really appreciate your help.
Example code:
[ENABLE]
aobscanmodule(INJECT,SFTK.exe,29 4B 20 29 43 2C) // find the two sub instructions in SFTK.exe
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
sub [ebx+20],ecx // original instruction: subtract damage from the value at +20
sub [ebx+2C],eax // original instruction: subtract from the value at +2C
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 29 4B 20 29 43 2C // restore the original bytes
unregistersymbol(INJECT)
dealloc(newmem)
You can see here on the subtraction address (array of bytes) it shows ebx+20 and ebx+2C ... those are both to do with the graphics and values of the health bar and have nothing to do with the enemy.
Then when I check Commonalities they all refer to one offset, which is: 20
So what should I fill in by:
newmem: ?
For another game like Assault Cube you can do something like this:
mov rax,[rbx+1C] // load the pointer stored at +1C
movzx rax,byte ptr [rax+38] // read the flag byte at +38 (movzx needs an explicit operand size)
cmp rax,0
je return // flag is 0: skip the injected code
jmp code
But in my case I only have one offset, so there is nothing to compare.
Appreciate your time guys.
Thanks.
Birdi Expert Cheater Reputation: 0
Joined: 08 Jun 2020 Posts: 122 Location: Migrating
Posted: Mon Aug 23, 2021 2:16 am
The idea in comparing offsets through sharedcode is that your health's base address, or nearby addresses, will often contain a constant that only the player has, and will always be there. This gets more complicated for games that use expansive sharedcode, but this shouldn't be impossible for you.
There are a few ways to easily get the health address for quick restarts, but assuming you can easily find those:
1) Find both your Health address and your enemy's Health address and add them to your table.
2) Open the Memory Viewer (CTRL+B)
3) Open the Structure Dissect tool (CTRL+D in Mem. Viewer)
4) Create a new group so you have two of them (CTRL+G in Struct. Tool)
5) Put your Health address in the first group, and your enemy's in the second group.
6) Under the Structures menu, define a new structure. Let it fill in the blanks for you.
Alternatively you can just regularly browse memory and find nearby values to your health that are always the same, but not for the enemy. This is more manual but can catch things the structure dissector may not automatically get due to how it fills in offsets/types, etc.
In your example, the health address is at [ebx+20] so your base address will start at your health address-20 (ex "0F18A69B-20"). You can use that to help find other possibly unique values between the health offset and the base.
With that, you can see the differences near the addresses.
You'll want to look for purple rows by default, as it means there's a difference in every group (unique values).
Take a screenshot or just note down the offsets to these purple values, reset your game and repeat these steps. Keep doing it until you're certain that with any combination of factors, you find the same value in the same offset from your health. This same value should just apply to your health address, and never the enemy.
When you have that unique value, you're pretty much done.
Let's say you found the Unique value at your Health Address+38.
Here, you would want:
Code:
label(playerFound) //make a label for the jump
newmem:
cmp [ebx+20+38],#YourUniqueValueHere# //check if the current health address plus your offset has this unique value
je playerFound //if it is equal to that unique value, it's the player, so just jump to where you can run what you want to happen
//if it doesn't find the player, instructions will run into the regular code block
code: //regular instructions
...
jmp return //because of this jump, you won't run into the next label
playerFound: //your label to jump to
mov [ebx+20],#100 //set visual/actual health values to the player
mov [ebx+2C],#100
//...
jmp return
return:
...
_________________
Trying to learn!
Add me on Discord if you want hands-on help: Birdi#0007
Last edited by Birdi on Mon Aug 23, 2021 3:43 am; edited 1 time in total
shingouki Newbie cheater Reputation: 0
Joined: 23 Aug 2021 Posts: 14
Posted: Mon Aug 23, 2021 3:37 am
Thank you for your fast reply!
I appreciate your answer, although I am still stuck.
I don't understand where I can find this or understand this:
6) Under the Structures menu, define a new structure. Let it fill in the blanks for you.
All the others from your points 1 to 5 I understand and I have done that.
Meanwhile I am still busy playing around.
Birdi Expert Cheater Reputation: 0
Joined: 08 Jun 2020 Posts: 122 Location: Migrating
Posted: Mon Aug 23, 2021 3:44 am
Here:
[Attached screenshot]
shingouki Newbie cheater Reputation: 0
Joined: 23 Aug 2021 Posts: 14
Posted: Mon Aug 23, 2021 7:27 am
I am back again.
I tried your suggestions and instructions and, from what I understand about it, it doesn't work for me.
The purple part in your explanation refers to me as offset 0 ... we know the global offset for both players is 20 and 2C, so logically for me it means ebx+20+0, but no luck.
I am not sure if I can include a link here, but I created a YouTube video where you can track down my work and what I am trying.
/watch?v=03-QjnLWp-w
The reason I use 20+0 and 20+0+C is because I think I see those patterns from the purple guidelines.
Also I tried different array bytes such as sub, because those are the subtractions, but when I use your code it still doesn't work.
Please check my video and guide me ... I am really exhausted after so many hours, but I can't let it go that I am unable to hack such a simple game from almost 10 years old!
Birdi Expert Cheater Reputation: 0
Joined: 08 Jun 2020 Posts: 122 Location: Migrating
Posted: Mon Aug 23, 2021 8:08 pm
If your offset is +0 I can only assume you're checking against the current health or the base address, both of which will change during gameplay.
You need to look for addresses near your health that are always a specific value no matter how many times you restart the game, change character, etc.
I can't work on that game myself, but for example assume the address +8 from your health is always 1 for you but 0 for enemies. You cmp against that:
Code:
cmp [ebx+20+8],1
je playerFound
...
If you want more direct help add me on Discord and I'll walk you through it: Birdi#0007
shingouki Newbie cheater Reputation: 0
Joined: 23 Aug 2021 Posts: 14
Posted: Tue Aug 24, 2021 3:06 am
Thank you so much for your explanation!
I think I understand it now.
The biggest problem I have now is the following:
The game I want to hack has 2 life bars for each player.
So I need to make a comparison of 1 offset with 4 addresses and make sure the values for my player are different than the enemy's. Very hard to find the correct value. Most of the time one of the players is in sync with the offset/addresses, but then also one of the enemies has infinite life, because they share the same address of that offset for some reason.
Going to analyse further! But I got the idea, and thank you very much for your code and explaining. I might add you soon on Discord when needed, but I don't want to bother you too much since your help is good enough on this forum.
Birdi Expert Cheater Reputation: 0
Joined: 08 Jun 2020 Posts: 122 Location: Migrating
Posted: Tue Aug 24, 2021 5:52 am
It's no issue, I love helping people out.
If you need help don't be afraid to ask. It's a great way to learn!
--Solved externally
hexcypher How do I cheat? Reputation: 0
Joined: 25 Jun 2021 Posts: 4
Posted: Wed Aug 25, 2021 8:45 pm
The comp operator might be returning one offset because it's a multilevel pointer. It might be the offset for your next pointer. Does the DEC have a MOV or JMP near it?
+2C could be an index and +20 could be a pointer. Did you follow those offsets in memory to see what's there?
Birdi Expert Cheater Reputation: 0
Joined: 08 Jun 2020 Posts: 122 Location: Migrating
Posted: Wed Aug 25, 2021 9:44 pm
As far as this case went, the game edits 4-byte values 2 bytes behind, probably to deter cheating. Otherwise I'm not sure.
+C was the team's secondary character HP.
Code:
00 00 03 E8 00 00 03 E8 00 00 ** ** 00 00 03 E8 00 00 03 E8
The solution to reading it properly is just to read it +2 from where it's pointed.
From there you're left with Current HP / Max HP / ? / Current HP / Max HP in memory, where it stores both controllable characters' HP. The inner value I absolutely could not figure out the purpose of, but it seemed related to recovery HP in the currently non-combatant character.