 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Jacusiek
Advanced Cheater
![]() Reputation: 0
Joined: 24 Jan 2011
Posts: 81
|
 Posted: Wed Jun 12, 2013 6:04 am Post subject: How to make working script on Sacred? |
 |
|
Hello there. At first I would like to say, that I'm totally new to scripts, and I want to learn something about them. I would like to start something "easy", and to make script for my game "Sacred", which will give me "God Mode" (of course I can use pointers, but scripts are better and work always). After I did some scans I added my HP value to the table, and pressed: Find out what writes to this address. After some changes in HP in game, I found out some points (All images and descriptions to them are below). The main problem is that, when I press "Replace with code that does nothing" I don't lose HP, neither my enemies - that's the problem and that's why I want to learn scripting, so when I will write one, it will make only my hero (and optionally other people, who sometime join me) will have God Mode. I read some tutorials about scripts but I will understand it better by writting my own script. I would like to make when the value of that script is 1, then script is activated and I have God Mode, and when the value is 0, I don't have God Mode. Please, help.
Thanks in advance
Jacusiek
| Description: |
| Memory view after checking "replace with code that does nothing" |
|
| Filesize: |
48.33 KB |
| Viewed: |
13728 Time(s) |
|
| Description: |
| Memory view of this point |
|
| Filesize: |
51.28 KB |
| Viewed: |
13728 Time(s) |
|
| Description: |
| Here are some informations about the point which is good for sure (I checked it by adding it to the codelist and replacing with the code that does nothing so I didn't lose any HP) |
|
| Filesize: |
18.05 KB |
| Viewed: |
13728 Time(s) |
|
| Description: |
|
| Filesize: |
19.35 KB |
| Viewed: |
13728 Time(s) |
|
|
|
| Back to top |
|
 |
sp4rx
Advanced Cheater
 Reputation: 0
Joined: 19 Feb 2013
Posts: 64
Location: India
|
| Posted: Wed Jun 12, 2013 6:42 am Post subject: |
|
|
This is happening because your enemies are also using the same code for their HP
dissect data/ sturctures may help here
Did you completed the last step(step-9) of the tutorial??? It is same as the last step of the tut.
I don't have this game so the tutorial is a better option for helping you.
See this tutorial
http://forum.cheatengine.org/viewtopic.php?t=530548&sid=2f4df3f1be963a92e8d0f09cfb662f36
_________________
|
|
| Back to top |
|
|
docblue
How do I cheat?
![]() Reputation: 0
Joined: 13 Feb 2013
Posts: 6
Location: United States
|
| Posted: Wed Jun 12, 2013 8:08 am Post subject: |
|
|
| EBP is probably a structure of you and enemies, EBP+130 may be the health of whoever EBP is. I agree with sparx and definitely check out the dissect data/structures tutorials.
|
|
| Back to top |
|
|
Jacusiek
Advanced Cheater
![]() Reputation: 0
Joined: 24 Jan 2011
Posts: 81
|
| Posted: Wed Jun 12, 2013 8:53 am Post subject: |
|
|
Now, according to that link:
| Quote: | God Mode script (this is an old script that I have made ages ago):
fstp dword ptr [esi+04] //original code which is changing the health
pushfd //save flags
pushad //save registers
cmp [esi],0 //check if ESI=0
jne +6 //if ESI is not 0, the code will jump over the next 2 lines, jumping to the "popad" instruction
mov eax,[esi+08] //copy the max health on eax
mov [esi+04],eax //copy eax to the health, so max health = health
popad //load registers
popfd //load flags |
I made a script:
| Quote: | [ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
newmem:
originalcode:
mov [ebp+00000130],edi
pushfd - here start my code
pushad
cmp [ebp],0
jne +6
mov edi,[ebp+012c]
mov [ebp+00000130],edi
popad
popfd - here ends my code
exit:
jmp returnhere
"sacred.exe"+163020:
jmp newmem
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat |
It freezes my health - but not to maximum, but to about half of it, and it also restores enemies' health every second to their maximum HP. I tried to do the last step in CE tutorial using this link http://forum.cheatengine.org/viewtopic.php?t=555086&sid=457de70fd9285a8c83ceaa1461289266 as a help, but i DON'T understand how did he write that code?
| Quote: | alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(friendly)
newmem:
cmp [ebx+10], 1 //i am checking if the player who is hit belongs to group 1
je friendly //if the player is from group 1 i will jump to the special code for friendly players
jmp originalcode
originalcode: //this code is kept so the enemies are getting hit
fsubr dword ptr [ebx+04]
fstp dword ptr [ebp-30]
jmp returnhere
friendly: //this will allow to increase friendly unit health in the amount of a hit they should take
fadd dword ptr [ebx+04] //add the REAL4 value pointed to by EAX to ST(0)
fstp dword ptr [ebp-30] //stored the result of the ST(0) computation in the address specified by [ebp-30] and pops st(0)
jmp returnhere
"Tutorial-i386.exe"+2509D:
jmp newmem
nop
returnhere:
|
How did he know what should be in newmen, original code or friendly? That shows that I am doing everything wrong.
P.S. Is there a page, which will explain me what are the shortcutes in scripts? I mean what are: fstp, jmp, nop, cmp, etc. If I could understand those shortcuts I will have more chance to write script corectly.
|
|
| Back to top |
|
|
sp4rx
Advanced Cheater
Reputation: 0
Joined: 19 Feb 2013
Posts: 64
Location: India
|
| Posted: Wed Jun 12, 2013 1:45 pm Post subject: |
|
|
Hey Jacusiek you didn't get the right thing, Your Script is wrong
I am showing here the steps for the tut(step-9), Later i will show you for your game
1st you have to find some of your unit and enemy unit's HP
In the tut Dave and Eric is your unit and Hal and Kitt is enemy unit
You need to find all the 4 address of their HP
And the code which is writing their health is
So in dissect data window you will have to subtract 4(because the code is [ebx+4]) from every address to get the correct offset for ebx
Ohh i forgot to tell that you have to keep the addresses of your friend unit in one group and enemy unit in another group
In the dissect data window, at offset value we can see that your friend unit has 1 and enemy has 2
from this [ebx+10] we can distinguish the enemy and the friend
So this is the code:
| Code: | [ENABLE]
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(enemy)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp [ebx+10],1//checks the group(friend is 1 and enemy is 2)
jne enemy //jump to enemy if not equal
mov eax,461C3C00//move 9999 to friend unit
jmp originalcode
enemy:
mov eax,0//move 0 to enemy unit
originalcode:
mov [ebx+04],eax//this is the original code
fldz
exit:
jmp returnhere
"Tutorial-i386.exe"+250C6:
jmp newmem
returnhere:
[DISABLE]
dealloc(newmem)
"Tutorial-i386.exe"+250C6:
mov [ebx+04],eax
fldz |
I hope this may helps you to understand
| Description: |
|
| Filesize: |
225.36 KB |
| Viewed: |
13638 Time(s) |
|
_________________
|
|
| Back to top |
|
|
Jacusiek
Advanced Cheater
![]() Reputation: 0
Joined: 24 Jan 2011
Posts: 81
|
| Posted: Wed Jun 12, 2013 2:33 pm Post subject: |
|
|
| Well... In structure dissect in tutorial I can easly find line with 1, 1, 2, 2 - groups, but in my game I cannot find line with 1, 2, 2, 2 (1 - me, 2 - enemies) and I cannot write script for something I can't find.
|
|
| Back to top |
|
|
Gniarf
Grandmaster Cheater Supreme
![]() Reputation: 43
Joined: 12 Mar 2012
Posts: 1285
|
| Posted: Wed Jun 12, 2013 2:59 pm Post subject: |
|
|
Find what accesses your HP. For each results, select it in the disassembler and click "find what addresses this function accesses"*, then go see one enemy. Note that you can monitor a maximum of 4 addresses at a time, so you might need several attempts to test all the instructions that access your HP.
Anyway, if amongst the instructions you were monitoring, there is one instruction that accesses only one address, hook it to store your HP's address somewhere. Then in the function that applies damage compare the address of the updated HP with the stored HP address.
Other than that, don't ditch the pointer approach, for example if you find a stable pointer to your HP, you can use it for comparison in the function that applies damage...I know you also want to godmode your friends, but the pointers to their health should be very very similar.
Otherwise you can find hints to differentiate player vs enemies here on the first page (the 2nd is game-specific).
|
|
| Back to top |
|
|
Jacusiek
Advanced Cheater
![]() Reputation: 0
Joined: 24 Jan 2011
Posts: 81
|
| Posted: Wed Jun 12, 2013 3:26 pm Post subject: |
|
|
| sparx wrote: |
| Code: | | mov eax,461C3C00//move 9999 to friend unit |
|
How did you get 461C3C00?? It isn't 9999in dec, or something, I don't understand this part.
| Gniarf wrote: |
Find what accesses your HP. For each results, select it in the disassembler and click "find what addresses this function accesses"*, then go see one enemy. Note that you can monitor a maximum of 4 addresses at a time, so you might need several attempts to test all the instructions that access your HP.
Anyway, if amongst the instructions you were monitoring, there is one instruction that accesses only one address, hook it to store your HP's address somewhere. Then in the function that applies damage compare the address of the updated HP with the stored HP address.
Other than that, don't ditch the pointer approach, for example if you find a stable pointer to your HP, you can use it for comparison in the function that applies damage...I know you also want to godmode your friends, but the pointers to their health should be very very similar.
Otherwise you can find hints to differentiate player vs enemies here on the first page (the 2nd is game-specific).
|
I have found 5 functions that access only one address (You said I should find only 1 function). What should I do now with them?
And I don't want to make pointers, because when someone joins me he is with me during half the game, sometimes he leaves my team after 1 minute, so You know, I don't have permanent friends, all of them are temporary (they usually are for mission: escort them somewhere), so finding pointers for all of them will be difficult task here.
| Description: |
|
| Filesize: |
14.16 KB |
| Viewed: |
13608 Time(s) |
|
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
 Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Wed Jun 12, 2013 4:08 pm Post subject: |
|
|
| Jacusiek wrote: |
How did you get 461C3C00?? It isn't 9999in dec, or something, I don't understand this part. |
http://gregstoll.dyndns.org/~gregstoll/floattohex/
There are integers values, and floting-point values.
_________________
|
|
| Back to top |
|
|
Jacusiek
Advanced Cheater
![]() Reputation: 0
Joined: 24 Jan 2011
Posts: 81
|
| Posted: Wed Jun 12, 2013 4:12 pm Post subject: |
|
|
Aaah! I totally forgot that it was float, not 4 bytes... Anyway, I'm still trying to write my own script, looking for help on forum, etc.
Last edited by Jacusiek on Wed Jun 12, 2013 4:25 pm; edited 2 times in total |
|
| Back to top |
|
|
Gniarf
Grandmaster Cheater Supreme
![]() Reputation: 43
Joined: 12 Mar 2012
Posts: 1285
|
| Posted: Wed Jun 12, 2013 4:16 pm Post subject: |
|
|
| Jacusiek wrote: | | I have found 5 functions that access only one address (You said I should find only 1 function). What should I do now with them? |
For now just pick the one you want. When you clicked on "find out what accesses" HP you had counters that showed how many times said instruction accesses you HP, well, it's slightly safer to use one with an high hit count.
After that adapt this script:
| Code: | [ENABLE]
alloc(NewMem,1024)
//code locations
label(LogHealthAddress)
label(LogHealthAddress_End)
label(ApplyDamage)
label(ApplyDamage_WriteHealth)
label(ApplyDamage_End)
//variables
label(HpAddress)
sacred.exe+1397f7:
jmp LogHealthAddress
nop
LogHealthAddress_End:
"sacred.exe"+163020:
jmp ApplyDamage
nop
ApplyDamage_End:
NewMem:
ApplyDamage:
push eax //save eax
lea eax, [ebp+130] //eax=address of Hp
cmp dword [HpAddress],eax //are we applying damage on the player?
jne ApplyDamage_WriteHealth
mov edi,[ebp+00000134] //load max health in edi if dealing with the player's HP
ApplyDamage_WriteHealth:
pop eax //restore saved eax
mov [ebp+00000130],edi //original code
jmp ApplyDamage_End
LogHealthAddress:
push eax //save eax
lea eax, [ebp+4D8] //eax=address of Hp
mov dword [HpAddress],eax //store address of Hp at HpAddress
pop eax //restore saved eax
cmp dword [ebp+4d8],ebx //original code
jmp LogHealthAddress_End //exit LogHealthAddress
HpAddress:
dd 0
[DISABLE]
dealloc(NewMem)
sacred.exe+1397f7:
cmp dword [ebp+4d8],ebx
"sacred.exe"+163020:
mov [ebp+00000130],edi |
Get this to work, sit back and enjoy your personal godmode.
When adding support for companions, see if there is a function that accesses your HP and your companion's HP, but not the enemies'. Then update LogHealthAddress to store like 5 addresses in a rotating order, and check them all in ApplyDamage.
| Jacusiek wrote: | | And I don't want to make pointers, because when someone joins me he is with me during half the game, sometimes he leaves my team after 1 minute, so You know, I don't have permanent friends, all of them are temporary (they usually are for mission: escort them somewhere), so finding pointers for all of them will be difficult task here. |
Ah by 'friends" you meant companions! Like - what was his name already? Wilbur? That blue guy that kept getting knocked out.
Anyway there should be a pointer to "the person whose portrait is displayed just under yours", which would spare you finding pointers for all possible companions.
|
|
| Back to top |
|
|
mgr.inz.Player
I post too much
Reputation: 222
Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00
|
| Posted: Wed Jun 12, 2013 4:19 pm Post subject: |
|
|
| Jacusiek wrote: | | Aaah! I totally forgot that it was float, not 4 bytes... Anyway, I'm still trying to write my own script, looking for help on forum, etc. |
Btw. we can use floating-point values inside AA scripts, example:
| Code: | | mov eax,(float)9999 |
_________________
|
|
| Back to top |
|
|
Jacusiek
Advanced Cheater
![]() Reputation: 0
Joined: 24 Jan 2011
Posts: 81
|
| Posted: Wed Jun 12, 2013 4:29 pm Post subject: |
|
|
Gniarf, I tried Your script it, works, but a bit, because when I get hit my HP gets crazy and goes to value, eg. 50, then very fast goes up to 253, then 364, then 646, then again to 50, again to 253, etc... After all I can still die. Maybe I found wrong instructions?
@Off, Yes, it was Wilbur, that little, blue guy 
@Edit: I have found 4 new instructions:
1) sacred.exe+16FE79 (first one):
When I press "replace with code that does nothing" it allows my HP only to increase (my enemies are invulnerable too)
2) sacred.exe+16FF54 (second one):
The same as first one
3) sacred.exe+163020 (third one):
When I press "replace with code that does nothing" it allows my HP only to DECREASE (I think it's wrong one, but my enemies' HP can only decrease too)
4) The last one is exactly the same as the second (I don't know why I put it twice)
But there is a problem to those instructions, because when I press "find what addresses this function accesses" it finds me more than just my HP (my enemies) but I found my Hero ID:
My Hero ID for all of them is (probably, I hope so) 142 and the offset of it is 0040 (4 bytes)
| Description: |
|
| Filesize: |
13.05 KB |
| Viewed: |
13553 Time(s) |
|
Last edited by Jacusiek on Wed Jun 12, 2013 5:01 pm; edited 1 time in total |
|
| Back to top |
|
|
Gniarf
Grandmaster Cheater Supreme
![]() Reputation: 43
Joined: 12 Mar 2012
Posts: 1285
|
| Posted: Wed Jun 12, 2013 4:54 pm Post subject: |
|
|
@Jacusiek: Then max HP is not at ebp+134. I see that in your script you used ebp+12c, but the old godmode used HealthAddress+4 that's why I used ebp+134. Anyway you just need to update the "mov edi,[ebp+00000134]" line.
Worst case scenario, do as mgr.inz.Player said: mov edi,(float)9999
|
|
| Back to top |
|
|
Jacusiek
Advanced Cheater
![]() Reputation: 0
Joined: 24 Jan 2011
Posts: 81
|
| Posted: Wed Jun 12, 2013 5:18 pm Post subject: |
|
|
It works but it also changes my textures of game, so it is good way to get epilepsy. Now I found some instructions to Max HP and I'm trying to change them...
@Edit: I have found one, which works and replaced it so it is now:
mov edx,[eax+000004D8] (unfortunately it works only for my hero)
@Edit2: I don't know why it isn't working, in every situation max HP is 4 offset back (when 0130 is current HP, 012C is max HP). I checked it and it should work for companions, but it doesn't.
| Code: | | mov edi,[ebp+0000012C] |
- it made me invincible, but not my companions. Maybe companions are like enemies, so they don't get invincibility?
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
