Street Fighter IV

Postby WhiteHat » Wed Jul 22, 2009 12:54 pm

Let’s discuss this game, OFFLINE only...

Unlocking secrets will not be discussed here since liqmysaq has given us a link to it here. Although it’s a Cheat Engine table, we absolutely can learn something out of it...

Now for in-Battle values, I’ve obtained these Complex Addresses (pointer paths):
Char Index, Player 1 : [["StreetFighterIV.exe"+0x645378]+0x4]+0x51C8
Char Index, Player 2 : [["StreetFighterIV.exe"+0x645378]+0x8]+0x51C8

Char Index is something I obtained from studying a little portion of an SF4 code snippet. It works like:
- Ryu’s char index = 0
- Ken’s char index = 1
- Sakura’s char index = 23
- etc...

I have tried them several times and they work smoothly for me. See if those paths also work for you...

How to use them: follow the results of those Complex Addresses (the addresses) in MHS Hex Editor, and you’ll find SF4 values of interest such as Current Health, Max Health, Combo Gauge, Ultra/Revenge Gauge. They’re all Unsigned Short data-type and reside several bytes after the addresses of Player 1 and Player 2 Char Index...

Going to make the complete LSSAVE table or Complex Addresses later...
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby WhiteHat » Fri Jul 24, 2009 12:08 pm

The following are the Complex Addresses for Player 1 values during battle, along with the script lock codes to lock those values to their max, assuming we play as Player 1 and want to cheat the game:

PLAYER 1, HP
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x4]+0x51C8+0x22
- Script Lock:
VOID Lock ( MHS_ADDRESS aAddress, INT iItemSize )
{
   extern SHORT e_sPlayer1HP_Value    = { "", aAddress };
   extern SHORT e_sPlayer1HP_ValueMax = { "", aAddress + 4 };
   
   e_sPlayer1HP_Value = e_sPlayer1HP_ValueMax;
}


PLAYER 1, HP LIMIT
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x4]+0x51C8+0x2E
- Script Lock:
VOID Lock ( MHS_ADDRESS aAddress, INT iItemSize )
{
   extern SHORT e_sPlayer1HPLimit_Value    = { "", aAddress };
   extern SHORT e_sPlayer1HPLimit_ValueMax = { "", aAddress + 4 };
   
   e_sPlayer1HPLimit_Value = e_sPlayer1HPLimit_ValueMax;
}


PLAYER 1, COMBO GAUGE
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x4]+0x51C8+0x36
- Script Lock:
VOID Lock ( MHS_ADDRESS aAddress, INT iItemSize )
{
   extern SHORT e_sPlayer1Combo_Value    = { "", aAddress };
   extern SHORT e_sPlayer1Combo_ValueMax = { "", aAddress + 4 };
   
   e_sPlayer1Combo_Value = e_sPlayer1Combo_ValueMax;
}


PLAYER 1, ULTRA GAUGE
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x4]+0x51C8+0x42
- Script Lock:
VOID Lock ( MHS_ADDRESS aAddress, INT iItemSize )
{
   extern SHORT e_sPlayer1Ultra_Value    = { "", aAddress };
   extern SHORT e_sPlayer1Ultra_ValueMax = { "", aAddress + 4 };
   
   e_sPlayer1Ultra_Value = e_sPlayer1Ultra_ValueMax;
}



And for Player 2 Complex Addresses: (no script lock codes included)

PLAYER 2, HP
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x8]+0x51C8+0x22

PLAYER 2, HP LIMIT
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x8]+0x51C8+0x2E

PLAYER 2, COMBO GAUGE
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x8]+0x51C8+0x36

PLAYER 2, ULTRA GAUGE
- Complex Address: [["StreetFighterIV.exe"+0x645378]+0x8]+0x51C8+0x42


See if they work for you. I’ll post the LSSAVE table once people confirm that they work... Thanks in advance for trying.

There are still a lot of things to hack anyway...

Postby BrollyLSSJ » Fri Jul 24, 2009 11:09 pm

If you could tell me how I could add them, I can test it. I tried it now and SF IV crashed, but I probably made a mistake.
BrollyLSSJ
I Ask A Lot Of Questions
 
Posts: 11
Joined: Sun Jul 05, 2009 4:48 am

Postby WhiteHat » Sat Jul 25, 2009 8:58 pm

Let’s say we’re gonna try to hack Player 1’s COMBO, assuming we are player 1:
1. Type this expression: [["StreetFighterIV.exe"+0x645378]+0x4]+0x51C8+0x36, into MHS Expression Evaluator.
2. The result will be two values (which are actually an address): decimal and hexadecimal.
3. Copy the hexadecimal one, that is the one within “(...)”.
4. Create a table entry with the copied address, make it SHORT data type.
5. Lock its value to 1000.

If in the battle your combo is always full, then the rest of those complex addresses should be working...

Please refer to the MHS Help File about the Expression Evaluator if you aren’t too familiar with it.

Postby CoMPMStR » Tue Sep 22, 2009 3:48 am

It might be a little late but the max values for the Combo and Ultra gauge are just like the health, only 4 bytes away from the current.

So if player 1 Combo Gauge is at [["StreetFighterIV.exe"+0x645378]+4]+0x51FC then the max would be at [["StreetFighterIV.exe"+0x645378]+4]+0x5200.

Just thought I could point that out since nobody has in this post. ;)

______________________________________________________
My Utilities:
CT <-> LSSAVE Converter
LSS Visual Dialog Designer
.NET Trainer Helper Library

~Whether you think you can or you think you can't, you're right.

L. Spiro wrote:In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place

Postby WhiteHat » Tue Sep 22, 2009 11:44 am

I’m posting my reply here from public internet, not my PC, so I could make a mistake. But I’ve kind of double checked the Complex Addresses and as long as I can remember they work...

The data-types for Combo Gauge and Ultra Gauge are all SHORT. I knew this from studying those values via MHS Hex Editor.

I still have the game and will check those addresses out later to make things certain, and hopefully along with some screen shots...

Postby WhiteHat » Tue Sep 22, 2009 3:24 pm

Here is my Street Fighter IV screen shot:
Image

You were right that max values for Combo and Ultra Gauge are just 4 bytes away after their current values...

Nevertheless, I chose to assume their data type is Short since the last nibble of their addresses is not 0x0, 0x4, 0x8 or 0xC. As we can see from the screen shot:
- My HP address was 0x0A63B69A
- My HP Limit address was 0x0A63B6A6
- My Combo Gauge address was 0x0A63B6AE
- My Ultra Gauge address was 0x0A63B6BA
I’ve almost never seen any Unsigned Long data stored unaligned like them...

Moreover, their values have never exceeded 0xFFFF or 0x7FFF, so I assumed they are SHORT, though Unsigned Long will still work...

Ideally, in my understanding, we can determine their data type via debugging, but [Psych]’s post here about bypassing xlive: http://memoryhacking.com/forums/viewtopic.php?t=4934 , has not worked for me so far...

Please correct my mistakes should there be any...

Postby CoMPMStR » Wed Sep 23, 2009 12:12 am

Well as long as the value never reaches 32767 or greater it should be safe to assume the data type is short. Although in my trainer I read/write integer (long) values and it has never caused problems for me.

Another trick I learned with these games that don't allow debuggers is that sometimes you can attach the debugger and if you're quick enough to switch back it can actually catch a few ticks of the address in the auto-hack window before the game crashes. Then all you need to do is restart the game and see what the address was.

I do this sometimes to help find pointers for games that don't allow ASM modifications (like Quantum of Solace). The only downside to this is that if you try it twice in a row; like try it once, the game crashes without any results, so you restart and try again right away; the game will catch on quick the second time and may not allow you to switch to the game quick enough before it crashes. I noticed this may not work 100% of the time but it has worked for me before. ;)
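
Added example, not code from any poster in this thread: a small evaluator for the Complex Address syntax used in the posts above, run against a constructed in-memory snapshot instead of a live process. It also reads the resolved combo field as 16-bit and as 32-bit, which is the SHORT versus long question discussed above. BASE and TABLE are made-up values, PLAYER1 is chosen so the path resolves to the combo address quoted from the screenshot, the stored 1000 is sample data, and the function names are hypothetical.

```python
import re
import struct

TOKEN = re.compile(r'\s*("[^"]+"|0[xX][0-9a-fA-F]+|\d+|[\[\]+])')

def poke(mem, addr, raw):  # store bytes in a sparse {address: byte} image
    mem.update((addr + i, b) for i, b in enumerate(raw))

def peek(mem, addr, fmt):  # little-endian read; unmapped bytes read as 0
    raw = bytes(mem.get(addr + i, 0) for i in range(struct.calcsize(fmt)))
    return struct.unpack(fmt, raw)[0]

def evaluate(expr, mem, modules):
    """Resolve a Complex Address: "module" is its base, [x] is the 32-bit pointer at x."""
    tokens, pos = TOKEN.findall(expr), 0
    def term():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "[":
            addr = total()
            if tokens[pos:pos + 1] != ["]"]:
                raise ValueError("unbalanced bracket")
            pos += 1
            return peek(mem, addr, "<I")
        return modules[tok[1:-1]] if tok[0] == '"' else int(tok, 0)
    def total():
        nonlocal pos
        value = term()
        while tokens[pos:pos + 1] == ["+"]:
            pos += 1
            value += term()
        return value
    result = total()
    if pos != len(tokens):
        raise ValueError("unexpected token")
    return result

def compare_widths(mem, addr):
    """Same field read as 16-bit at addr, 32-bit at addr, and 32-bit at its aligned dword."""
    return peek(mem, addr, "<H"), peek(mem, addr, "<I"), peek(mem, addr & ~3, "<I")

# Constructed snapshot: BASE and TABLE are made up; PLAYER1 makes the path end at 0x0A63B6AE.
BASE, TABLE, PLAYER1 = 0x00400000, 0x09000000, 0x0A6364B0
mem, modules = {}, {"StreetFighterIV.exe": BASE}
poke(mem, BASE + 0x645378, struct.pack("<I", TABLE))
poke(mem, TABLE + 0x4, struct.pack("<I", PLAYER1))
poke(mem, PLAYER1 + 0x51FC, struct.pack("<HH", 0, 1000))  # sample: upper half holds 1000
COMBO = evaluate('[["StreetFighterIV.exe"+0x645378]+0x4]+0x51C8+0x36', mem, modules)
print(hex(COMBO), compare_widths(mem, COMBO))
```

In this constructed layout the 16-bit read and the 32-bit read at the same address agree only because the two bytes that follow are zero, while the 32-bit read at the aligned dword returns the same value shifted left by 16 bits.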
