Dam15192 (How do I cheat?) | Reputation: 0 | Joined: 16 Oct 2013 | Posts: 9 | Location: Belgium
Posted: Wed Apr 29, 2015 9:38 am | Post subject: [SOLVED] Orcs Must Die 2 need help with xmm register
Hi all,
I am trying to make a little script to be invincible in Orcs Must Die 2. I found a float address with my HP; when I checked what writes to it I got:
Code:
0048FBA6 - F6 C4 44 - test ah,44
0048FBA9 - 0F8B A5000000 - jnp OrcsMustDie2.configSet+764
0048FBAF - F3 0F11 4B 54 - movss [ebx+54],xmm1 <<
0048FBB4 - 85 FF - test edi,edi
0048FBB6 - 74 3F - je OrcsMustDie2.configSet+707
EAX=FFFF02FF
EBX=2D1B4628
ECX=2D1AC1C0
EDX=00000000
ESI=FFFFFFFF
EDI=2D1B2D50
ESP=0018F558
EBP=2D1B1CA8
EIP=0048FBB4
xmm0:-20.00 - 0.00 - 0.00 - 0.00
xmm1:160.00 - 0.00 - 0.00 - 0.00
xmm2:0.00 - 0.00 - 0.00 - 0.00
xmm3:160.00 - 0.00 - 0.00 - 0.00
xmm4:180.00 - 0.00 - 0.00 - 0.00
xmm5:0.00 - 0.00 - 0.00 - 0.00
xmm6:0.00 - 0.00 - 0.00 - 0.00
xmm7:0.00 - 0.00 - 0.00 - 0.00
It's pretty clear: when I NOP it, of course some enemies become invincible too, so my newbie brain says to myself maybe it's the same opcode that decreases enemy HP, and my address contains enemy HP too.
I dissected data/structures (btw I found my mana and made an infinite mana script and it works xD) but I'm unable to find whether my player has an ID, and finding enemy HP is pretty impossible, I one-shot them :/
So my question is: maybe a way exists to find enemy HP in dissect data? Or something stored in an xmm register that points to enemy HP? I don't understand a lot :/
For me push, pop, mov, add, dec, inc, jmp, je, jnz, jne etc. are OK, but movss, movaps, fsubr, WTF Oo, and don't talk about x64 :/ xD I also tried break and trace to see if I found something flashy and interesting, but... nope :/
www(.)noelshack(.)com/2015-18-1430312984-omd2ce.png
www(.)noelshack(.)com/2015-18-1430312984-omd2ce2.png
In the screenshot you'll see that movss [esp+18],xmm1; I tried to add this address manually but it gave me a random number, nothing to do with my HP :/
[EBX+54] is the address of my actual HP and +58 my max HP. I also tried to put my max HP into my actual HP when I got hit, but it crashed the game. The best way is NOP, but enemies become gods, so no, it's not the best way xD
EDIT: I also tried to find strings in dissect data to see if I found my nickname "trololo", and got 0 results :/
Last edited by Dam15192 on Fri May 01, 2015 9:26 pm; edited 1 time in total
Geri (Moderator) | Reputation: 111 | Joined: 05 Feb 2010 | Posts: 5627
Posted: Wed Apr 29, 2015 10:08 am
Check what is accessing the address (not just writing to it, but also reading it) and you will probably find code that accesses your health only.
Rissorr (Master Cheater) | Reputation: 3 | Joined: 17 Sep 2013 | Posts: 273 | Location: Israel!
Posted: Wed Apr 29, 2015 12:49 pm
There is another way to filter your character from NPCs:
there might be a register that stores the ID of the character.
Edit:
In your case: EDX? EAX? ESI?
Check it out!
And if this method doesn't work, then try what @Geri said.
Dam15192 (How do I cheat?)
Posted: Wed Apr 29, 2015 6:21 pm
Quote:
Check what is accessing the address (not just writing to it, but also reading it) and you will probably find code that accesses your health only.
I checked that and found a few instructions:
www(.)noelshack(.)com/2015-18-1430343658-omd2ce3.png
www(.)noelshack(.)com/2015-18-1430343655-omd2ce4.png
www(.)noelshack(.)com/2015-18-1430343659-omd2ce5.png
www(.)noelshack(.)com/2015-18-1430343659-omd2ce6.png
EBX+54 is still the address of my HP in both write and read. It seems that what reads this address shows me my HP before being hit.
ESI+54 is my HP address too, stored in xmm1 and then re-added oO. I have some trouble finding something, maybe it's obvious but I'm a noob :/
The instruction that checks my address 100 times per second says:
Code:
00423D56 - 85 C0 - test eax,eax
00423D58 - 74 05 - je OrcsMustDie2.BModeManager::getPendingMode+13C3F
00423D5A - F3 0F10 40 54 - movss xmm0,[eax+54] <<
00423D5F - 0F5A C0 - cvtps2pd xmm0,xmm0
00423D62 - C7 44 24 04 00000000 - mov [esp+04],00000000
EAX=2AE6C5A8
EBX=7B6AF210
ECX=0361A7E0
EDX=00000001
ESI=2E661EA0
EDI=00000001
ESP=0018F774
EBP=0018F79C
EIP=00423D5F
xmm0:180.00 - 0.00 - 0.00 - 0.00
xmm1:0.00 - 0.00 - 0.00 - 0.00
xmm2:0.00 - 1.57 - 0.00 - -1.75
xmm3:0.00 - 0.01 - 0.00 - 0.22
xmm4:0.00 - 0.00 - 0.00 - 0.00
xmm5:0.00 - 0.00 - Nan - Nan
xmm6:0.00 - 0.05 - 0.00 - 0.05
xmm7:0.00 - 1.99 - 0.00 - 0.05
and
Code:
00424027 - 0F2F D1 - comiss xmm2,xmm1
0042402A - 77 09 - ja OrcsMustDie2.BModeManager::getPendingMode+13F15
0042402C - F3 0F10 40 54 - movss xmm0,[eax+54] <<
00424031 - F3 0F5E C1 - divss xmm0,xmm1
00424035 - 0F5A C0 - cvtps2pd xmm0,xmm0
EAX=2AE6C5A8
EBX=1503315C
ECX=0361A7E0
EDX=00000001
ESI=2E661EA0
EDI=00000001
ESP=0018F774
EBP=0018F79C
EIP=00424031
xmm0:180.00 - 0.00 - 0.00 - 0.00
xmm1:200.00 - 0.00 - 0.00 - 0.00
xmm2:0.00 - 0.00 - 0.00 - 0.00
xmm3:0.00 - 0.01 - 0.00 - 0.22
xmm4:0.00 - 0.00 - 0.00 - 0.00
xmm5:0.00 - 0.00 - Nan - Nan
xmm6:0.00 - 0.05 - 0.00 - 0.05
xmm7:0.00 - 1.99 - 0.00 - 0.05
BTW, why do xmm registers show XX-XX-XX-XX, can we store 4 different values in one? I saw xmm registers in other games with the XOR opcode; I know what that is in logic electronics (NAND, NOR), stuff like that.
Back to our sheep xD
Quote:
There is another way to filter your character from NPCs:
there might be a register that stores the ID of the character
Hmmm, interesting, but in this case I saw
EBX+54, ESI+54, EAX+54: all of them movss (copy xD) my HP address into xmm0 or xmm1. I'm pretty lost with this read feature :/
Thanks.
EDIT:
I put them all in order of execution
www(.)noelshack(.)com/2015-18-1430345135-omd2ce7.png
I now see 20 and -20 in xmm0; it's the damage when I get hit, but I think it's still the same instruction in what writes and reads.
EDIT2:
When I activate my god mode script, only the "Medium Orc Warrior" becomes invincible, maybe because it has 200 HP like me xD, and it's the same instruction that decreases our HP, because the value 200 is stored in one address used by another instruction. I'm going to look around that.
hahaha I'm close, I feel it xD
I checked what other addresses this instruction accesses in the disassembler and I had 3 Medium Orc Warriors in front of me. I killed them, then I saw 3 addresses counted once with value 0.
I added them, dissected data/structures and
www(.)noelshack(.)com/2015-18-1430346198-omd2ce8.png
maybe offset +1B is my player ID, but now the question is in which register: EBX+1B, ESI+1B, XXX+1B xD? All of them at +54 are my float HP address :/
After that maybe I'll do a tutorial on that xD haha with you in the credits <3
Well, I tested it yesterday, it didn't work, offset +1B became +0C then +50 :/
Dam15192 (How do I cheat?)
Posted: Fri May 01, 2015 3:20 pm
Still stuck :/
Gniarf (Grandmaster Cheater Supreme) | Reputation: 43 | Joined: 12 Mar 2012 | Posts: 1285
Posted: Fri May 01, 2015 5:37 pm
Alice0725 has already made a godmode for that game. Even if it doesn't work for your version of the game, you can see that (s)he didn't need a player ID check; (s)he's just hooking a "movss xmm0,[eax+54]".
When using the find out what *** features, right click in their window -> check if found opcodes also access other addresses. After that you'll see a number between parentheses in the count column that indicates the number of addresses a given opcode accessed. Obviously you're interested in those which only access one address: your health.
DO NOT PM me if you want help on making/fixing/using a hack.
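The filter Gniarf describes (an opcode that touches several distinct addresses is shared between the player and every NPC built from the same struct; one that touches exactly one address is a safe hook point) can be reproduced over an access trace. The following script is an added illustration and is not code from the thread, from Cheat Engine or from the game: the instruction text mirrors the disassembly shown in the screenshots, but the object addresses (PLAYER, ORCS) and the trace itself are constructed for the example, and the function names (summarize, hook_candidates, enemy_hp_addresses) are the example's own. It also shows how the "counted once" addresses at the shared write become enemy HP addresses once the operand offset is subtracted, which is what the thread's author did by hand.

```python
"""Added example: the 'check if found opcodes also access other addresses'
filter, applied to a constructed trace of (instruction address, disassembly,
data address touched) events."""
from collections import defaultdict
import re

# Constructed sample data: the instructions are the ones the thread shows,
# the object base addresses are invented for illustration.
PLAYER = 0x2D1B4628
ORCS = [0x2E661EA0, 0x2E662F10, 0x2E663F80]
TRACE = [
    ("0048FBAF", "movss [ebx+54],xmm1", PLAYER + 0x54),   # shared write
    ("0048FBAF", "movss [ebx+54],xmm1", ORCS[0] + 0x54),
    ("0048FBAF", "movss [ebx+54],xmm1", ORCS[1] + 0x54),
    ("0048FBAF", "movss [ebx+54],xmm1", ORCS[2] + 0x54),
    ("00423D5A", "movss xmm0,[eax+54]", PLAYER + 0x54),   # player-only reads
    ("00423D5A", "movss xmm0,[eax+54]", PLAYER + 0x54),
    ("0042402C", "movss xmm0,[eax+54]", PLAYER + 0x54),
]

MEM_OPERAND = re.compile(r"\[(e[a-z]{2})\+([0-9A-Fa-f]+)\]")


def parse_operand(disasm):
    """Return (base register, offset) from a '[reg+off]' memory operand."""
    m = MEM_OPERAND.search(disasm)
    if not m:
        raise ValueError(f"no [reg+off] operand in {disasm!r}")
    return m.group(1), int(m.group(2), 16)


def summarize(trace):
    """Per instruction: hit count, the number CE shows in parentheses
    (distinct addresses touched) and the object bases those addresses
    belong to, obtained by subtracting the operand offset."""
    hits, addrs, text = defaultdict(int), defaultdict(set), {}
    for ip, disasm, addr in trace:
        hits[ip] += 1
        addrs[ip].add(addr)
        text[ip] = disasm
    out = {}
    for ip in hits:
        reg, off = parse_operand(text[ip])
        out[ip] = {
            "disasm": text[ip],
            "hits": hits[ip],
            "count": len(addrs[ip]),
            "addrs": addrs[ip],
            "base_reg": reg,
            "bases": sorted(a - off for a in addrs[ip]),
        }
    return out


def hook_candidates(trace, target):
    """Instructions that touched only `target`: the '(1)' rows in CE."""
    return sorted(ip for ip, s in summarize(trace).items()
                  if s["count"] == 1 and target in s["addrs"])


def enemy_hp_addresses(trace, ip, player_base):
    """At a shared instruction, every base other than the player's is
    another object of the same layout, so base+offset is its HP."""
    s = summarize(trace)[ip]
    _, off = parse_operand(s["disasm"])
    return [b + off for b in s["bases"] if b != player_base]


if __name__ == "__main__":
    for ip, s in summarize(TRACE).items():
        print(f"{ip} {s['disasm']:<22} hits={s['hits']} ({s['count']})")
    print("hook here:", hook_candidates(TRACE, PLAYER + 0x54))
    print("enemy HP:", [hex(a) for a in enemy_hp_addresses(TRACE, "0048FBAF", PLAYER)])
```

The shared write at 0048FBAF comes out with "(4)" and the two reads with "(1)", which is why a godmode hooked on the read does not need a player ID check, while a hook on the write does.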
Dam15192 (How do I cheat?)
Posted: Fri May 01, 2015 7:34 pm
Well, I downloaded 2 cheat tables from the download page.
First, by DarkAngle,
his godmode script:
Code:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
cmp edx,00000000
jne originalcode
comiss xmm1,dword ptr [ebx+54]
jle originalcode
movss xmm1,dword ptr [ebx+54]
originalcode:
movss [ebx+54],xmm1
exit:
jmp returnhere
I could copy that without understanding a thing, but that's not my goal.
It seems the player ID is in EDX; if it's not 0 it jumps to decrease life.
comiss, I don't understand this opcode :/ and Google is not my friend on that. It's comparing something with flags xD... if this something is lower or equal it loses life, if not it copies the float address into xmm1?
The second, by Alice0725, is... a little bit hard for me :/
The same opcode appears in check what reads or writes, so no matter. I tested your method to check if found opcodes... and yeah, the counter shows that this opcode movss [ebx+54],xmm1 accesses my life address and maybe enemy HP addresses, but I knew that from check what...? oO maybe I didn't understand you (sorry for my bad English) xD
www(.)noelshack(.)com/2015-18-1430521549-omd1.png
www(.)noelshack(.)com/2015-18-1430521550-omd2.png
Gniarf (Grandmaster Cheater Supreme)
Posted: Fri May 01, 2015 8:46 pm
Gniarf wrote:
When using the find out what *** features, right click in their window -> check if found opcodes also access other addresses. After that you'll see a number between parentheses in the count column that indicates the number of addresses a given opcode accessed. Obviously you're interested in those which only access one address: your health.
You said you're from Belgium, so I assume you understand some French. My French might be a bit rusty but here's an approximate translation:
[translated from French] When you use the find out what *** function, right click in its window and tick "check if found opcodes also access other addresses". After that (and a bit of time in game) you will see a number between parentheses in the count column. It indicates the number of addresses the opcode in question has accessed. Obviously what interests you are the opcodes that access only one address: that of your health, so take a line where it says "(1)".
On your second screenshot, the lines that had 2700 and 134 hits look like good places to put your godmode.
Comments on DarkAngle's code
Code:
newmem:
cmp edx,00000000 //this indeed looks like a player ID check. PlayerID=edx=0
jne originalcode
comiss xmm1,dword ptr [ebx+54] //compare xmm1 (=new health) with your current health
jle originalcode //go to original code if xmm1 is less than or equal to your current health
movss xmm1,dword ptr [ebx+54] //overwrite new health with current health
originalcode:
movss [ebx+54],xmm1 //overwrite current health with new health
exit:
jmp returnhere
In other words:
- if player ID is not 0 -> behave normally.
- if we are about to decrease health -> behave normally. WTF? Do we die when health is 0 or when it's full in this game?
- if we are about to increase health, prevent health modification.
Anyway, you can consider that comiss is like a cmp for xmm* values.
DO NOT PM me if you want help on making/fixing/using a hack.
Dam15192 (How do I cheat?)
Posted: Fri May 01, 2015 9:25 pm
Your French is PERFECT, without mistakes, excellent xD
I understand now: the code is writing current HP to future HP so it'll never change no matter what happens.
And I understand now why "check if found opcodes..." hahaha
About comiss, it's OK now ^^ I need to go deeper into x86 opcodes.
Thanks thanks thanks
You solved that
Thanks to all of you
SREcheater (How do I cheat?) | Reputation: 0 | Joined: 03 Nov 2014 | Posts: 1 | Location: Hell
Posted: Sun May 03, 2015 10:48 pm | Post subject: Table Fixed
Sorry about that code, it seems that with "comiss" you can't use "JGE, JLE",
so I modified the table and, instead of using a compare instruction, I load XMM1 with the max HP, which is stored next to the HP value.
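Two questions in this thread are left without a precise answer: why an xmm register prints as four values, and why "comiss" followed by "jle"/"jge" misbehaves. The script below is an added model, not code from the thread, from Cheat Engine or from either cheat table; it follows Intel's documented semantics of movss, movaps and comiss (comiss sets only ZF, PF and CF, and always clears SF and OF, exactly like an unsigned cmp of the two lane-0 floats), and then replays DarkAngle's hook and SREcheater's max-HP variant on constructed HP values. The class and function names (Xmm, comiss, taken, hook_compare, hook_maxhp) are the example's own. What it demonstrates: because SF and OF are never set, jl is never taken, jge is always taken, jle degenerates to je and jg to jne after a comiss, so the compare-based hook only lets the write through when new and current HP are already equal, and the unsigned forms jb/jbe/ja/jae are the conditions that actually express "lower or equal".

```python
"""Added model of the SSE behaviour discussed in the thread: four float lanes
per xmm register, movss touching only lane 0, and comiss flag semantics."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Xmm:
    """One 128-bit register as four single-precision lanes, lane 0 first
    (Cheat Engine prints them as 'xmm1:160.00 - 0.00 - 0.00 - 0.00')."""
    lanes: List[float] = field(default_factory=lambda: [0.0] * 4)

    def __str__(self) -> str:
        return " - ".join(f"{v:.2f}" for v in self.lanes)


def movss_load(dst: Xmm, value: float) -> Xmm:
    """movss xmmN,[mem]: loads lane 0 and zeroes lanes 1..3 (the register
    form movss xmmN,xmmM would keep the upper lanes of the destination)."""
    dst.lanes = [value, 0.0, 0.0, 0.0]
    return dst


def movaps(dst: Xmm, src: Xmm) -> Xmm:
    """movaps: a packed move, all four lanes are copied."""
    dst.lanes = list(src.lanes)
    return dst


def comiss(a: float, b: float) -> Dict[str, int]:
    """comiss xmmA,xmmB compares lane 0 of each. Only ZF/PF/CF are set,
    SF and OF are always 0:
      unordered (NaN): ZF=1 PF=1 CF=1
      a >  b:          ZF=0 PF=0 CF=0
      a <  b:          ZF=0 PF=0 CF=1
      a == b:          ZF=1 PF=0 CF=0"""
    if a != a or b != b:  # NaN on either side: unordered
        return {"ZF": 1, "PF": 1, "CF": 1, "SF": 0, "OF": 0}
    return {"ZF": int(a == b), "PF": 0, "CF": int(a < b), "SF": 0, "OF": 0}


# Conditional-jump predicates from the flag definitions. The signed family
# reads SF/OF, which comiss never sets, so after a comiss:
# jl -> never, jge -> always, jle -> same as je, jg -> same as jne.
JCC = {
    "ja":  lambda f: f["CF"] == 0 and f["ZF"] == 0,
    "jae": lambda f: f["CF"] == 0,
    "jb":  lambda f: f["CF"] == 1,
    "jbe": lambda f: f["CF"] == 1 or f["ZF"] == 1,
    "je":  lambda f: f["ZF"] == 1,
    "jne": lambda f: f["ZF"] == 0,
    "jp":  lambda f: f["PF"] == 1,
    "jl":  lambda f: f["SF"] != f["OF"],
    "jle": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],
    "jg":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],
    "jge": lambda f: f["SF"] == f["OF"],
}


def taken(jcc: str, a: float, b: float) -> bool:
    """Would 'comiss a,b ; jcc' jump?"""
    return JCC[jcc](comiss(a, b))


def hook_compare(cur_hp: float, new_hp: float, edx: int, jcc: str = "jle") -> float:
    """DarkAngle-style hook in front of 'movss [ebx+54],xmm1':
    cmp edx,0 / jne originalcode / comiss xmm1,[ebx+54] / jcc originalcode /
    movss xmm1,[ebx+54] / originalcode: movss [ebx+54],xmm1.
    Returns the value that ends up in [ebx+54]."""
    if edx != 0:                    # not the player object: behave normally
        return new_hp
    if taken(jcc, new_hp, cur_hp):  # jump straight to the original write
        return new_hp
    return cur_hp                   # xmm1 reloaded from current HP first


def hook_maxhp(cur_hp: float, max_hp: float, new_hp: float, edx: int) -> float:
    """SREcheater's fix: no compare, xmm1 is loaded from max HP at +58."""
    if edx != 0:
        return new_hp
    return max_hp


if __name__ == "__main__":
    r = movss_load(Xmm([1.0, 2.0, 3.0, 4.0]), 160.0)
    print("xmm1:", r)                               # 160.00 - 0.00 - 0.00 - 0.00
    for j in ("jle", "jbe", "jb", "ja"):
        print(f"comiss 180,200 ; {j:<3} taken={taken(j, 180.0, 200.0)}")
    print("damage 200->180 with jle :", hook_compare(200.0, 180.0, 0))
    print("damage 200->180 with jbe :", hook_compare(200.0, 180.0, 0, "jbe"))
    print("heal   200->220 with jbe :", hook_compare(200.0, 220.0, 0, "jbe"))
    print("max-HP variant           :", hook_maxhp(180.0, 200.0, 160.0, 0))
```

Run as a script it prints the lane layout and the jump decisions; the useful thing to notice is the 180-vs-200 row, where jle is not taken although 180 is "less or equal", while jbe is. A hook that wants "go to the original code when the new value is lower or equal" after a comiss must therefore use jbe (or jb plus je), and anything NaN-related needs a jp check first because the unordered result sets CF and ZF together.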
Dam15192 (How do I cheat?)
Posted: Wed May 06, 2015 3:49 am
In fact I did that: HP offset +54, max HP offset +58.
Thanks a lot for all the help