Getting game structs


Postby Felheart » Sun Apr 27, 2008 8:04 pm

Hi,
on the front page I saw that L.Spiro made a Trainer or Cheat for Doom3.

http://www.memoryhacking.com/LivingObjects.gif
I wonder how this was made.
How can you get such things as enemies or something out of a game?
L.Spiro: have you only used MHS for this?

And another thing in this picture:
How can you find the "shake" function to disable / NOP it?

In my games I am only able to find things like ammo/health and so on!
Felheart
Acker
 
Posts: 89
Joined: Sun Apr 27, 2008 3:05 am
Location: Germany

Postby L. Spiro » Wed Apr 30, 2008 10:24 am

I used only MHS for finding all data to use to create the cheat.


Enemies
Enemies can be found by searching for their HP values or even their names.
For HP values, start with Greater Than and 0 (finds all values greater than 0).
Be sure to pause the game while the search takes place, and use a Hotkey to perform Decreased Sub Searches while you fire at the enemy.

This allows the searching to be done in real-time while you play. After each time you hit the enemy, press your Hotkey.


Once the enemy is found use the Hex Editor to view the data around the HP. You will easily recognize things such as position, name, etc. For float values, change the Hex Editor view to float.

Once you find one enemy you can use the debugger to see how the game finds the enemy. Then you can use the same method to find all the other enemies.
In the case of Doom 3®, there is a big list of pointers at a static address. The first pointer is to your player. Skip about 32 players (for online players) and you get to the enemy pointers. Following each of these pointers takes you to an enemy. NULL pointers are not to be followed, obviously.



Shaking
When you find your own player data you only need to use the Hex Editor to look around that area of memory to see what other data is there.
If your character moves a bit while idle, you only need to let your player sit idle and then look at the Hex Editor to see data that changes while you sit. It turns blue. You can watch the data to see if it changes in roughly the same way as your screen bob. Once found, find what writes to these addresses and NOP them.

In my case the screen shakes only when you fire. Once you find the code that reduces your ammo you will also find code that increases your view bob. NOP it.
You will be looking for code that deals with floating-point numbers and the ST# registers.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
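The search procedure described above (an initial "greater than 0" scan, then "decreased" sub-searches fired by hotkey after each hit), as an added example that is not part of the thread and not MHS code. It works on constructed memory snapshots rather than a live process, and it goes one step further than the post: a final "unchanged" pass taken while idle, which shows why a countdown timer survives every "decreased" search and only drops out when the value you want stays still. All addresses and values below are made up for the example.

```python
import struct

FLOAT = struct.Struct("<f")


def scan_greater_than(snapshot, base, threshold=0.0):
    """Initial search: every aligned 4-byte float in `snapshot` above
    `threshold`. Returns {absolute_address: value}."""
    hits = {}
    for off in range(0, len(snapshot) - FLOAT.size + 1, FLOAT.size):
        (val,) = FLOAT.unpack_from(snapshot, off)
        # bit patterns that decode to NaN or infinity are not real game values
        if val != val or abs(val) == float("inf"):
            continue
        if val > threshold:
            hits[base + off] = val
    return hits


def sub_search(prev_hits, snapshot, base, keep):
    """Sub-search: re-read every surviving address from the new snapshot and
    keep it only if keep(old, new) holds (decreased, unchanged, ...)."""
    kept = {}
    for addr, old in prev_hits.items():
        (new,) = FLOAT.unpack_from(snapshot, addr - base)
        if keep(old, new):
            kept[addr] = new
    return kept


def decreased(old, new):
    return new < old


def unchanged(old, new):
    return new == old


# --- constructed snapshots: 16 floats at a made-up base address ---
BASE = 0x00C00000


def make_snapshot(hp, pos_x, timer):
    """Fake memory dump. Slot 0 = enemy HP, slot 1 = a position coordinate
    that jitters, slot 2 = a countdown timer, slot 5 = a constant, rest zero."""
    values = [hp, pos_x, timer, 0.0, -5.0, 1.0] + [0.0] * 10
    return struct.pack("<16f", *values)


SNAPSHOTS = [
    make_snapshot(100.0, 3.5, 500.0),  # paused, before the first shot
    make_snapshot(85.0, 2.0, 499.0),   # after hit 1 (hotkey: decreased)
    make_snapshot(70.0, 2.5, 498.0),   # after hit 2 (hotkey: decreased)
    make_snapshot(70.0, 2.5, 497.0),   # idle for a moment (hotkey: unchanged)
]


def find_enemy_hp(snapshots, base=BASE):
    """Run the whole narrowing procedure. Returns (surviving hits, list of
    candidate counts after each stage)."""
    hits = scan_greater_than(snapshots[0], base)
    history = [len(hits)]
    hits = sub_search(hits, snapshots[1], base, decreased)
    history.append(len(hits))
    hits = sub_search(hits, snapshots[2], base, decreased)
    history.append(len(hits))
    hits = sub_search(hits, snapshots[3], base, unchanged)
    history.append(len(hits))
    return hits, history


if __name__ == "__main__":
    hits, history = find_enemy_hp(SNAPSHOTS)
    print("candidates per stage:", history)
    for addr, val in hits.items():
        print("enemy HP candidate at 0x%08X = %.1f" % (addr, val))
```

The constant at slot 5 is gone after the first "decreased" pass, the jittering coordinate after the second (it went up), and the timer only after the idle "unchanged" pass, leaving the HP slot alone. On a real target the same idea applies: alternate "decreased" passes while you hit the enemy with "unchanged" passes while nothing happens.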

Postby Felheart » Sat May 03, 2008 5:04 am

Thank you very much for the detailed explanation!
I didn't know about the "Hotkey search", really an excellent feature.

In my game (FaceWound, http://www.garry.tv/?p=512), the game I want to hack, I have already found the value that holds the multiplier for the
screen shaking for weapons and explosions.
And I hacked it successfully (I let the game multiply the final variable by 0).

For the player and enemies:
Thanks to the Hex Editor and RAM Watcher I could partially recreate/reverse the
enemy and player structures.

EnemyStruct (same for the player):

struct EnemyStruct {
    float Health;
    float VelocityX;
    float VelocityY;
    float PositionX;
    float PositionY;
    /* remaining fields not identified yet */
};


Once you find one enemy you can use the debugger to see how the game finds the enemy. Then you can use the same method to find all the other enemies.


Could you explain that a bit more please?
How do I proceed then?
And how do I get the complete structure/class of the enemies in the first place?
I can get a good part from observing and even testing, but how do I handle
values I don't know what they are for?

Thanks!
Felheart
Acker
 
Posts: 89
Joined: Sun Apr 27, 2008 3:05 am
Location: Germany

Postby L. Spiro » Sat May 03, 2008 9:54 am

Could you explain that a bit more please?
How do I proceed then?

You use the Auto-Hack and/or Pointer Search to find the pointer trail to the enemy class.


And how do I get the complete structure/class of the enemies in the first place?

This never happens.


I can get a good part from observing and even testing, but how do I handle
values I don't know what they are for?

By figuring out for what they are.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby Felheart » Sun May 04, 2008 3:08 am

You use the Auto-Hack and/or Pointer Search to find the pointer trail to the enemy class.


When I use "What accesses this", Auto-Hack finds some ASM instructions,
but how exactly are they useful for me?
The only use of Auto-Hack for ME is finding and eliminating/NOPing
things (decreasers for ammo and so on).

It would be good if you could write a tutorial about finding pointers and things using Auto-Hack. I didn't see a tutorial regarding this in the tutorial section.
Felheart
Acker
 
Posts: 89
Joined: Sun Apr 27, 2008 3:05 am
Location: Germany

Postby mezzo » Sun May 04, 2008 7:45 am

The instruction where the Auto-Hack breaks uses the pointer, or at least gives
you a hint on where to begin searching.
- No thanks, I already have a penguin -
mezzo
El Mariachi
 
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby WhiteHat » Sun May 04, 2008 4:12 pm

I hope this can explain something... (sorry if it does not...)

Grand Theft Auto: San Andreas
Health for CJ is a float data type. Every time CJ saves the game, his health is restored fully... In the early game CJ's max health is 100.00.
After I found his health address, I applied "Find What Writes This Address" to it... Then I re-saved the game.

Back in MHS I got this in Auto-Hack:
00618F81 | D999 40050000 | FSTP    DWORD PTR [ECX+540]     |

That's the code which writes CJ's health back to full every time CJ saves his progress (saves the game).
By that time I knew the address of CJ's health is ECX+540...

Next, I was studying the code when I caught this:
00618F79 | 8B0D 98CDB700 | MOV     ECX, DWORD PTR [B7CD98] |
00618F7F | 6A 00         | PUSH    0                       |
00618F81 | D999 40050000 | FSTP    DWORD PTR [ECX+540]     | --> the code from auto-hack


I already knew that CJ's health address is ECX+540, and this code:
00618F79 | 8B0D 98CDB700 | MOV     ECX, DWORD PTR [B7CD98] |

obviously makes the ECX value the same as the value at address 0x00B7CD98.

So the complex address for CJ's health is [0x00B7CD98]+0x540, which I then put in my MHS table...

What's better, CJ's weapons were stored only a few bytes after his health address, and the 'pattern' in the Hex Editor seemed static.
So I can use similar complex addresses for all of CJ's weapons and make my MHS table richer...
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...
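Two things in this thread lend themselves to one worked example: the Doom 3 style table of entity pointers at a static address from L. Spiro's first reply (slot 0 is the player, a block of online-player slots follows, NULL slots are skipped) and the [0x00B7CD98]+0x540 complex address WhiteHat derived above. The code below is an added example, not MHS code and not code from either game; it runs against a constructed fake address space. Only the static pointer 0x00B7CD98 and the 0x540 offset are taken from WhiteHat's post, every other address, the table layout and the field values are made up, and the field order follows Felheart's partially reversed EnemyStruct.

```python
import struct

# Field order from Felheart's partial EnemyStruct (same for the player).
ENTITY_LAYOUT = struct.Struct("<5f")
FIELD_NAMES = ("Health", "VelocityX", "VelocityY", "PositionX", "PositionY")


class Memory:
    """Minimal stand-in for a process address space: a few mapped regions."""

    def __init__(self):
        self.regions = []  # list of (base, bytearray)

    def add_region(self, base, size):
        self.regions.append((base, bytearray(size)))

    def _locate(self, addr, size):
        for base, buf in self.regions:
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError("unmapped address 0x%08X" % addr)

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_float(self, addr):
        return struct.unpack("<f", self.read(addr, 4))[0]


def resolve_complex_address(mem, static_addr, offsets):
    """Resolve [[static]+o1]+o2... : the static address is dereferenced first,
    and every offset except the last is dereferenced again. A NULL pointer
    anywhere in the trail means the object does not exist right now."""
    addr = mem.read_u32(static_addr)
    for i, off in enumerate(offsets):
        if addr == 0:
            raise ValueError("NULL pointer in trail")
        addr += off
        if i < len(offsets) - 1:
            addr = mem.read_u32(addr)
    return addr


def read_entity(mem, addr):
    """Decode the known fields of an entity struct at `addr`."""
    values = ENTITY_LAYOUT.unpack(mem.read(addr, ENTITY_LAYOUT.size))
    return dict(zip(FIELD_NAMES, values))


def walk_entity_table(mem, table_addr, slot_count, first_slot=0):
    """Follow each 4-byte pointer in a table of entity pointers, skipping
    NULL slots. Returns [(slot, entity_addr, fields)]."""
    found = []
    for slot in range(first_slot, slot_count):
        ptr = mem.read_u32(table_addr + 4 * slot)
        if ptr == 0:  # empty slot, nothing to follow
            continue
        found.append((slot, ptr, read_entity(mem, ptr)))
    return found


# --- constructed demo image (made-up addresses and values) ---
TABLE_ADDR = 0x00A00000   # static table of entity pointers (invented)
TABLE_SLOTS = 40
PLAYER_SLOTS = 33         # slot 0 = local player, then 32 online-player slots
STATIC_PTR = 0x00B7CD98   # static pointer quoted from WhiteHat's post
HEALTH_OFFSET = 0x540     # offset quoted from WhiteHat's post


def build_demo_memory():
    mem = Memory()
    mem.add_region(TABLE_ADDR, 4 * TABLE_SLOTS)
    mem.add_region(STATIC_PTR, 4)
    mem.add_region(0x00C00000, 0x30000)   # entity structs live here
    mem.add_region(0x00D00000, 0x600)     # object that STATIC_PTR points at

    entities = {0: 0x00C00000, 33: 0x00C10000, 35: 0x00C20000}  # slot -> struct
    for slot, addr in entities.items():
        mem.write(TABLE_ADDR + 4 * slot, struct.pack("<I", addr))
    mem.write(0x00C00000, ENTITY_LAYOUT.pack(100.0, 0.0, 0.0, 12.0, -3.0))
    mem.write(0x00C10000, ENTITY_LAYOUT.pack(75.0, 1.5, 0.0, 40.0, 8.0))
    mem.write(0x00C20000, ENTITY_LAYOUT.pack(30.0, -2.0, 0.5, 55.0, 9.0))

    mem.write(STATIC_PTR, struct.pack("<I", 0x00D00000))
    mem.write(0x00D00000 + HEALTH_OFFSET, struct.pack("<f", 100.0))
    return mem


if __name__ == "__main__":
    mem = build_demo_memory()
    player_addr = mem.read_u32(TABLE_ADDR)
    print("player @ 0x%08X" % player_addr, read_entity(mem, player_addr))
    for slot, addr, fields in walk_entity_table(mem, TABLE_ADDR, TABLE_SLOTS, PLAYER_SLOTS):
        print("enemy slot %d @ 0x%08X" % (slot, addr), fields)
    hp_addr = resolve_complex_address(mem, STATIC_PTR, [HEALTH_OFFSET])
    print("[0x%08X]+0x%X -> 0x%08X = %.1f" % (STATIC_PTR, HEALTH_OFFSET,
                                             hp_addr, mem.read_float(hp_addr)))
```

The `walk_entity_table` loop is the "skip the player slots, follow what is not NULL" rule from the Doom 3 description; `resolve_complex_address` is the same dereference-then-add step MHS performs for an entry like [0x00B7CD98]+0x540, written out so the NULL case is explicit. Against a live process you would replace the `Memory` class with real process reads and keep the rest.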
