Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Intro + JK2: Jedi Outcast progress + questions

 
J3RRY

Posted: Tue Jul 09, 2013 1:14 pm    Post subject: Intro + JK2: Jedi Outcast progress + questions

Hello everyone. New guy here :)

I started playing around with CE a few days ago; and I've really been enjoying it. I'm an EE grad, so I've got a basic understanding of x86 assembly; I can read it well enough. However, I don't have much coding experience. I've only done things like numerical computations/algorithms in Matlab and C. I don't know much about Windows APIs or what to use in LUA scripts for CE. For now I've stuck with simple [ENABLE] [DISABLE] scripts in the AA.

I'll be describing my progress in hacking JK2SP (if anyone is interested) as well as asking for general CE and gamehacking help. I have attached my current cheat table.

Anyway, on to JK2:
I hope some of you have played this game so you can understand what I'm referring to without me going into too much detail. My goal is basically to make the player (Kyle Katarn) behave more like the NPC Jedi do. Many of these things are quite minor, but they make for fun problems to tackle in CE (for me anyway :P). Here is a list of things I'm trying to achieve:

Btw, all the force powers in this game vary from a level of 0 to 3 (except Mind Trick, which goes to 4).

Always auto-dodge disruptor shots with force speed:
There is a small chance that Kyle will automatically dodge these sniper shots. Every time he does, it uses up 50 units of force power. When the jedi NPCs are shot at, they dodge every single one of them, no matter how rapidly they come (and of course, they don't ever run out of force). The force power issue is a simple matter of preventing the force pool from decreasing; I've already done this. The auto-dodge was much harder for me to isolate; however, I managed to find a section of code that compares a number to your level of force speed. As long as that number is less than your force speed, you will dodge. I just nopped the jump after the CMP.

This works okay, but it could be better. Now Kyle dodges every shot, as long as he isn't dodging one already. This is unlike the NPCs who will interrupt a current dodge with another dodge, allowing them to dodge even more shots at once. Kyle gets hit every now and then against several snipers. I believe that there are more jumps like the one I nopped (that go to the same address, which likely has to do with skipping a dodge routine). So I suppose I'll investigate that.

One less important aspect of sniper dodging is how the NPCs will jump if a shot goes to their legs. It happens automatically for them, and might be related to AI. The player character never exhibits this behavior, even when I set him up to always dodge. I think it'd be quite a feat to make this happen for the player. It'd be funny too, since your player would just jump involuntarily, possibly causing you to fall off a ledge :P

No limit on force jump height:
I have noticed that the NPCs aren't bound by the same Force Jump physics that the player is. They can't (or don't) change their trajectory mid jump. This isn't what I'm after though. I like being able to change direction in the air. Although they can't do that, the NPCs can launch themselves much higher than the player. So I'd like to find a way to jump as high as I want.

I've been having a hard time with this one. I haven't really come up with a good way to approach it. It seems simple enough, but there's SO MUCH assembly code for such little tasks. I think my best approach so far was to look for what accesses the value of force jump while you're jumping. My presumption was that there's something that checks the value of force jump to determine when you should stop gaining height. I found something this way, but haven't pursued the issue for a while, so I didn't keep it on the cheat table. I did write something down on some scrap paper just in case, if anyone wants to look at it:
Code:
jk2gamex86.dll+F8C4F     call jk2gamex86.dll+F8440   <-- occurs when you stop rising and begin falling.

These addresses don't change, btw. As far as I can tell, the relative offsets are the same every time you start the game.

Always win force push/pull:
If you use force push/pull on a jedi NPC, they have a chance of blocking it when they're facing you (push/pull to their back always works). Similarly, you have a chance of blocking their push/pull. I want to make a code that makes your push/pull always work on them and theirs never work on you.

I haven't really started on this one yet. I'm guessing that there is a comparison similar to the one on the force speed dodge. I believe that the higher the opponent's force push/pull level, the greater the chance it won't get blocked. There may be other factors as well. I suppose I'll start by looking for what accesses your level of force push.

Reduce or eliminate the interval between uses of force push/pull:
The jedi NPCs can use force push/pull as rapidly as they need to. This is evident when you shoot rockets or other push-able projectiles at them because they spam force push. You can also take control of the NPC with the control npcname command in the console (if they're named), or using mind trick level 4 on them. Try holding down force push and you'll see that they can do it much faster than your player character can.

I'm not sure how to approach this one. In the past I've tried looking for changed values when you're using force push / not using force push; but this probably isn't the best method. I didn't get anything promising out of it. I believe the interval is limited by the animation. If so, I might be able to find a way to have the game ignore whether the animation has finished. If it works, it might be useful in the force speed dodge issue mentioned above.


GENERAL QUESTIONS:
1. Is there a way to break after a line of code has executed a certain number of times?
2. For what kinds of situations would you guys use the break/trace feature?
3. What is Ultimap for?
4. Is there any kind of simple reference or converter to show the opcode bytes for an arbitrary assembly instruction? I'm referring to an instruction that is not already in the disassembler. On a related note, are there any good references/tables to the x86 instruction set? I've been having trouble finding a resource that shows the instructions, their opcodes, and the flags they set. I usually end up googling a specific instruction.
5. Got any good tips for a beginner?

Thanks for reading, if you made it this far :D. If you have any advice for JK2 specifically, it is certainly welcome.



Attachment: jk2sp.CT (263.22 KB, downloaded 1038 times)
Dark Byte, Site Admin

Posted: Tue Jul 09, 2013 3:36 pm

I can't really help with the game specific stuff but I'll try to answer the general questions

1: After setting the breakpoint, right-click it and set a breakpoint condition (you may need to use the breakpoint list if it's a data bp)

in the condition choose a complex condition and write
Code:

if bpcount==nil then -- global counter, not yet initialized on the first hit
  bpcount=0
end

bpcount=bpcount+1
if bpcount>=5 then -- fifth hit: reset the counter so the next activation starts over
  bpcount=nil
  return true --break
else
  return false --let the target continue
end

(I probably should add this as a standard bp condition you can pick)

2: You can use it to see what called the function (if stacktrace is broken) and it can be used to see what happens to your variable (e.g decryption)
There are probably other uses for it as well

3: Ultimap lets you pinpoint specific code paths without actively debugging.
For example, if you jump, you tell it the code has been executed, and if you walk around, shoot, and stand still, it didn't get executed.
Eventually you'll be left with all the code paths that got executed only when you jumped.
From there it's up to you what to do with it. Perhaps you can call the function manually, or edit it, etc...

Your system needs to be able to use dbvm though, and it can be unstable sometimes

4: I usually assemble into 00400500 when not sure.
Anyhow, http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
I recommend the instruction set reference

5:
I usually tell people to try the tutorial, but I think you already understand that
Based on your table I can only suggest to play around with more complex scripts besides nopping (conditional checks, pointer storages, etc...)
And not sure, since this is quite an old game, but perhaps multilevel pointers could come in handy

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Gniarf

Posted: Tue Jul 09, 2013 4:11 pm    Post subject: Re: Intro + JK2: Jedi Outcast progress + questions

Note: I don't have that game.

No limit on force jump height:
Reminds me of the jetpack energy you have in mecha games. See if there is a variable that keeps increasing/decreasing as long as you keep the spell button (?) down.
(tip: make use of the pause process feature.)

Otherwise try to find the variable that holds your force jump level and set it to 10.

Always win force push/pull:
If there is a minigame where you have to mash a key to win the push/pull duel, then look for a variable that increases (or decreases) when you mash, and slowly decreases (or increases) when you don't do anything. Then "find out what accesses...".

Otherwise find out what reads your position when you do a force pu**. They should need it to compute your relative angle to see if you're in your opponent's back.

Reduce or eliminate the interval between uses of force push/pull:
Either there is a cooldown timer, or if it is limited by the animation there might be a state variable that holds what animation you're currently doing, or simply a boolean that says if pu**ing is allowed.


J3RRY wrote:
2. For what kinds of situations would you guys use the break/trace feature?
I don't use it. When I need to trace I prefer ollydbg.

J3RRY wrote:
5. Got any good tips for a beginner?
Meh, usually in those cases I say something like "learn assembly, at your pace, on a need to know basis" but I think it doesn't apply here. Maybe something will come up as I see more of your problems.

Hmm, table looks clean, but I don't see why you chose to write db "0F 8F 41 02 00 00" instead of "jg jk2gamex86.dll+68AB8".

Other general questions: Dark Byte was faster.

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
J3RRY

Posted: Tue Jul 09, 2013 10:16 pm

Good tip on the breakpoint condition Dark Byte! I should really take a look at some LUA so I can do simple things like that. I agree that it should be a standard condition. It's nice to hear you're still working on CE. I appreciate all the work you've done for it :)

Dark Byte wrote:
2: You can use it to see what called the function (if stacktrace is broken) and it can be used to see what happens to your variable (e.g decryption)
There are probably other uses for it as well

How do you use it to see what called the function? Sometimes the instruction only happens once. Tracing from there would only show me what happens afterward, which I can read anyway. I can also just follow an RET instruction if one occurs later. There are many times where I wonder if a section of code comes from a jump and not a call. Do you trace from the instruction and save snapshots of the stack?

Dark Byte wrote:
3: Ultimap lets you pinpoint specific code paths without actively debugging.
For example, if you jump, you tell it the code has been executed, and if you walk around, shoot, and stand still, it didn't get executed,.
Eventually you'll be left with all the code paths that got executed only when you jumped.
From there it's up to you what to do with it. Perhaps you can call the function manually, or edit it, etc...

Your system needs to be able to use dbvm though, and it can be unstable sometimes

This is awesome! I just tried it and it seems really useful for finding points of interest quicker, especially when the nature of the program is relatively unknown. The game definitely slowed down, but it worked well enough.

Dark Byte wrote:
4: I usually assemble into 00400500 when not sure.
Anyhow, I recommend the instruction set reference

That's a good idea for simple instructions. I'm just worried about jumps. If I remember correctly, the opcodes of jumps take into account the relative distance from the current address to the target. The opcodes wouldn't be the same if I try that in another region. However, the reason I asked was mainly because I wanted an easy way of determining how many bytes an opcode would be. I guess I'll have to use that manual for some cases.

Dark Byte wrote:
5: I usually tell people to try the tutorial, but I think you already understand that
Based on your table I can only suggest to play around with more complex scripts besides nopping (conditional checks, pointer storages, etc...)
And not sure, since this is quite an old game, but perhaps multilevel pointers could come in handy

I did the tutorial as a nice refresher course. It has some very educational exercises; I liked it. I've been thinking about doing more complicated scripts. When the game loads a save or a new map, it overwrites the nopped instructions from my scripts. I eventually want to be able to detect when my NOPs are overwritten while the cheat is active, and then have the script rewrite the NOPs. For now, I've been deactivating and then reactivating the cheats to fix it.



Thanks for the search tips Gniarf. It's nice to get a different perspective on these issues.

Gniarf wrote:
I don't use it. When I need to trace I prefer ollydbg.

Why is this? I have not tried OllyDbg

Gniarf wrote:
Hmm, table looks clean, but I don't see why you chose to write db "0F 8F 41 02 00 00" instead of "jg jk2gamex86.dll+68AB8".

Oh yeah. That's because initially I wasn't sure if the addresses remained the same when you restart the game. I remember learning that jump opcodes don't contain the address to jump to, but the offset from the current address to get to the jump destination. I was trying to avoid having to find the address of that instruction should it change... but I see that doesn't even make sense now :D
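The relative-offset question that comes up twice in the post above (why `db "0F 8F 41 02 00 00"` and `jg jk2gamex86.dll+68AB8` are the same instruction only at one address, and why assembling a jump into 00400500 gives different bytes) can be worked through with a small encoder/decoder. This is an added example, not code from the thread or from Cheat Engine; it uses the bytes and the +68AB8 destination from the cheat table as they appear in the thread, and derives the jg's own module offset (+68871) from them by arithmetic, since the thread never states it. The 00400500 scratch address is the one Dark Byte mentions.

```python
import struct

# Intel SDM Vol. 2, Jcc / JMP: the operand is a signed displacement added to the
# address of the *next* instruction, so the bytes depend on where the jump sits
# and not only on where it goes. Condition codes in opcode order (0x70+cc / 0F 80+cc).
COND_NAMES = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
              "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

# Values taken from the cheat table discussed in the thread (module-relative, so
# they hold regardless of where jk2gamex86.dll gets mapped).
TABLE_BYTES = bytes.fromhex("0F8F41020000")   # the db "0F 8F 41 02 00 00" line
TABLE_TARGET = 0x68AB8                         # the jg's destination, jk2gamex86.dll+68AB8


def _s32(value: int) -> int:
    """Normalize to a signed 32-bit value (handles wraparound for absolute addresses)."""
    return ((value + 0x80000000) & 0xFFFFFFFF) - 0x80000000


def decode_jump(code: bytes, addr: int):
    """Return (mnemonic, target, length) for the relative jump whose first byte is at addr."""
    op = code[0]
    if op == 0xEB:                                   # JMP rel8
        name, length, disp = "jmp", 2, struct.unpack_from("<b", code, 1)[0]
    elif op == 0xE9:                                 # JMP rel32
        name, length, disp = "jmp", 5, struct.unpack_from("<i", code, 1)[0]
    elif 0x70 <= op <= 0x7F:                         # Jcc rel8
        name, length, disp = COND_NAMES[op - 0x70], 2, struct.unpack_from("<b", code, 1)[0]
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:     # Jcc rel32 (two-byte opcode)
        name, length, disp = COND_NAMES[code[1] - 0x80], 6, struct.unpack_from("<i", code, 2)[0]
    else:
        raise ValueError("not a relative jump: %s" % code[:2].hex())
    target = (addr + length + disp) & 0xFFFFFFFF     # displacement is relative to the next instruction
    return name, target, length


def encode_jump(name: str, addr: int, target: int, force_near: bool = False) -> bytes:
    """Encode `name` placed at addr so that it lands on target.

    Uses the 2-byte short form when the displacement fits in a signed byte,
    otherwise the rel32 form (5 bytes for jmp, 6 for Jcc), as an assembler would.
    """
    cc = None if name == "jmp" else COND_NAMES.index(name)
    short_disp = _s32(target - (addr + 2))
    if not force_near and -128 <= short_disp <= 127:
        opcode = 0xEB if cc is None else 0x70 + cc
        return bytes([opcode]) + struct.pack("<b", short_disp)
    if cc is None:
        return b"\xE9" + struct.pack("<i", _s32(target - (addr + 5)))
    return bytes([0x0F, 0x80 + cc]) + struct.pack("<i", _s32(target - (addr + 6)))


def locate_table_jump() -> int:
    """Work backwards from the table's bytes and destination to the jg's own module offset.

    Decoding at address 0 yields length + displacement, i.e. how far past the jump
    the destination lies; subtracting that from the destination gives the jump's offset.
    """
    _, distance_past_jump, _ = decode_jump(TABLE_BYTES, 0)
    return TABLE_TARGET - distance_past_jump


if __name__ == "__main__":
    at = locate_table_jump()                                  # jk2gamex86.dll+68871 (derived)
    print("jg sits at jk2gamex86.dll+%X" % at)
    print("jg re-encoded there:", encode_jump("jg", at, TABLE_TARGET).hex())
    # Pasting the same bytes elsewhere (e.g. assembling into 00400500) keeps the
    # displacement but moves the destination along with the instruction:
    print("same bytes decoded at 00400500 ->", decode_jump(TABLE_BYTES, 0x00400500))
    # How many 0x90 bytes a NOP of that jg has to cover:
    print("nop length:", decode_jump(TABLE_BYTES, at)[2])
```

The practical consequence for the table: `jg jk2gamex86.dll+68AB8` only assembles to `0F 8F 41 02 00 00` when it is written at +68871, so writing the mnemonic is the portable choice and the `db` form is the one tied to an address. Decoding is also the quick way to get the byte count before nopping an instruction.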
Gniarf

Posted: Tue Jul 09, 2013 11:23 pm

J3RRY wrote:
When the game loads a save or a new map, it overwrites the nopped instructions from my scripts. I eventually want to be able to detect when my NOPs are overwritten while the cheat is active
I'm 99% sure that your game doesn't overwrite your patches, but instead unloads and reloads jk2gamex86.dll. Turns out LoadLibrary and FreeLibrary have a reference counter, so if you do
Code:
HMODULE h1 = LoadLibraryA("jk2gamex86.dll"); /* first reference (or one more if the game already loaded it) */
HMODULE h2 = LoadLibraryA("jk2gamex86.dll"); /* same module again: reference count goes up, h2 == h1 */
FreeLibrary(h2);                             /* drops one reference; the module stays mapped */

in C, the dll is not yet unloaded from memory, and thus not reloaded from disk on the next map, thus your fixes should be kept. Moreover you can tell CE to load jk2gamex86.dll into your game by adding "loadlibrary("jk2gamex86.dll")" at the beginning of the enable section of an AA script.

J3RRY wrote:
Gniarf wrote:
I don't use it. When I need to trace I prefer ollydbg.

Why is this? I have not tried OllyDbg
Hard to pinpoint the exact reason. Better visibility (code coloration, jumplines that stay put, ...)? The right click->follow in dump option? Placing labels & comments on functions is a lot less cumbersome than in CE? The possibility to hardcode changes into the exe? List of open (file) handles? Breakpoints saved for when you restart your target? And probably a ton of other small details.
Dark Byte, Site Admin

Posted: Wed Jul 10, 2013 4:28 am

Quote:

How do you use it to see what called the function? Sometimes the instruction only happens once. Tracing from there would only show me what happens afterward, which I can read anyway. I can also just follow an RET instruction if one occurs later. There are many times where I wonder if a section of code comes from a jump and not a call. Do you trace from the instruction and save snapshots of the stack?


when single stepping view->stacktrace or in the bottom right
The list will show what called the function (and its caller, etc...)

Or if using the tracer if the trace is long enough, eventually it returns to the caller and from there you can see what it does with the results.
Also, if you save the stack, you can view a "normal" stacktrace rightclicking in the stackview window (if you press the S in the registerview)

If you're not sure it was jumped there or called, then you'll need to use the kernelmode debugger and activate last branch recording (lua command)
then when it breaks, you can fetch the last branch that caused the jump to the current location
(Usually it's sufficient to know the function that called the current function though)

--
For ultimap: Set the cpu affinity of the target process to only one CPU (or at most 50% of all CPUs)
That way the other cpu cores have more time to deal with the information stream
And using pre-emptive flushing speeds it up even more (it then waits in the CE thread instead of the game thread when the buffer is full)

Quote:

the reason I asked was mainly because I wanted an easy way of determining how many bytes an opcode would be

The question is why you need to know that?
If you use the code injection template it will count how many bytes will get replaced by the call, and in your own code you don't really need to worry about the bytes, as you can just write in assembler

J3RRY

Posted: Sun Jul 14, 2013 12:45 pm

Thanks again for your wisdom Dark Byte. I've gotten much better at following the functions.

After making more progress, I remembered that the source code was recently released for these games. Having access to that made many features much easier to find and modify. It almost feels cheap, but I know I would not have been able to find some of the finer details that I ended up modifying. I made a video for a JK2 forum; the link to the updated cheat table is there: http://www.youtube.com/watch?v=WGxvezI5GYM.
The table is substantially larger now. I managed to implement a few code caves in assembly. I'm sure that some of these could have been done in LUA, but I've been lazy about that. I think these cheats were simple enough to do in x86 anyway.

I'm still having a problem with this though:
Gniarf wrote:
I'm 99% sure that your game doesn't overwrite your patches, but instead unloads and reloads jk2gamex86.dll. Turns out LoadLibrary and FreeLibrary have a reference counter, so if you do
Code:
HMODULE h1 = LoadLibraryA("jk2gamex86.dll"); /* first reference (or one more if the game already loaded it) */
HMODULE h2 = LoadLibraryA("jk2gamex86.dll"); /* same module again: reference count goes up, h2 == h1 */
FreeLibrary(h2);                             /* drops one reference; the module stays mapped */

in C, the dll is not yet unloaded from memory, and thus not reloaded from disk on the next map, thus your fixes should be kept. Moreover you can tell CE to load jk2gamex86.dll into your game by adding "loadlibrary("jk2gamex86.dll")" at the beginning of the enable section of an AA script.

This makes sense, but putting loadlibrary("jk2gamex86.dll") in my ENABLE section didn't work:
Code:
Not all code is injectable.
(Error in line 4 (loadlibrary("jk2gamex86.dll"))
:"jk2gamex86.dll" could not be injected)
Are you sure you want to edit it to this?

Even when I say "Yes", CE won't let me activate the script afterward.

Besides all that, I need to start getting my hands dirty with LUA. I'd like to make a nice trainer for this, so I'll be checking out the tutorials :)
Gniarf

Posted: Tue Jul 16, 2013 6:01 pm

J3RRY wrote:
This makes sense, but putting loadlibrary("jk2gamex86.dll") in my ENABLE section didn't work
Ah sorry, I forgot that CE doesn't want quotes around filenames. Use loadlibrary(jk2gamex86.dll) instead.
J3RRY

Posted: Tue Jul 16, 2013 8:35 pm

Lol, can't believe it was that simple :D
mgr.inz.Player

Posted: Wed Jul 17, 2013 4:14 am

Gniarf wrote:
Ah sorry, I forgot that CE doesn't want quotes around filenames. Use loadlibrary(jk2gamex86.dll) instead.


Yep, I made the same mistake with aobscanmodule AA command.

All times are GMT - 6 Hours

 