Finding an Address that moves each time program is run?


Postby FSB » Sat Aug 22, 2009 12:21 am

I am playing SPORE's space stage. First of all, it's not too hard to find addresses in this game; I simply (for example) search for the money value, and it will probably narrow it down to 2 results pretty quickly. One of them is simply the value I want, and the other is what I interpret to be the value that is sent to the screen to be displayed (changing and locking this value does nothing but make my Sporebucks rapidly flash red and green, meaning it is going up and down from the value it should be to the value I hacked it to be). Anyway, that is not the issue.

It became very apparent that when I hacked the correct value, I was able to spend as much as I wanted and it would remain at 99,999,999. But when I saved and returned to the main menu, or saved and quit, the addresses storing the data I hacked moved somewhere. I really don't want to find all of the hacked things again each time I load up.

I tried opening up two instances of MHS, and searching for the value in MHS#1, which always appears to be somewhere between 0D000000 & 0DFFFFFF. Then I search for pointers in MHS#2 which contain values in the range between the address and the address - 10000h and get about 2k-5k results. Then I go back to the main menu, load my save again and look for the new address for Sporebucks. Then I find the difference between the addresses (in hex) and find one pointer that contains a value that changed by exactly that much. I'm pretty sure I'm correct thus far, but what is the procedure to continue from here to make my money stay at 99999999 no matter how many times I go into the main menu or quit and restart the game?
I lost track of Tim E. If you find him please tell me.
You know he's him because he goes tick-tock every two seconds.
FSB
I Have A Few Questions
 
Posts: 9
Joined: Fri Aug 21, 2009 11:45 pm

I believe I solved my question

Postby FSB » Sat Aug 22, 2009 12:41 am

I believe I solved my question! I found the difference between the value the pointer held and the current address that held the Sporebucks (which was +D0). I opened my save file again from the main menu, added D0 to my pointer's value and voilà! SPOREBUCKS GALORE!
Here is the address of the pointer: 0CB4C96C
And this is the offset you need to add to the pointer's value to find the Sporebucks: +D0

Still, I have to add +D0 to get what I want. Is there a way to automatically add D0 to the value held at 0CB4C96C, add that address to the list of addresses and lock it to 99999999? Can someone explain this to me?

Postby FSB » Sat Aug 22, 2009 1:13 am

Grr, I closed the application and reopened it instead of just going to the main menu, and now it's gone from the pointer I found.

Postby L. Spiro » Sat Aug 22, 2009 6:34 am

It is not gone. The value will always be at the same offset from some base pointer. This is the basis of Complex Addresses, which you will need to handle this situation.

There are many tutorials on how to defeat DMA online and tutorials on how to use and create Complex Addresses on this site.


L. Spiro
Our songs remind you of songs you’ve never heard.
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
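An added example (mine, not from the thread or from MHS) of the base-pointer-plus-offset resolution L. Spiro is describing, written in C over a constructed byte array standing in for the game's memory. The pointer address 0CB4C96C and the +D0 offset are FSB's; the region bounds, structure locations and values are made up, and resolve_chain handles a chain of several offsets (the general form of a Complex Address), of which FSB's single-level case is one instance.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for a slice of the game's 32-bit address space: MEM_BASE maps
 * to mem[0]. The two addresses from the thread are kept; the rest is invented. */
#define MEM_BASE 0x0CB4C000u
#define MEM_SIZE 0x00002000u
#define PTR_ADDR 0x0CB4C96Cu      /* static pointer FSB found */
#define BUCKS_OFF 0xD0u           /* Sporebucks = [PTR_ADDR] + 0xD0 */
static uint8_t mem[MEM_SIZE];

/* Little-endian 32-bit read/write with a bounds check, standing in for
 * ReadProcessMemory/WriteProcessMemory. 0 on success, -1 if any byte is unmapped. */
static int read_u32(uint32_t addr, uint32_t *out) {
    if (addr < MEM_BASE || addr - MEM_BASE > MEM_SIZE - 4) return -1;
    const uint8_t *p = mem + (addr - MEM_BASE);
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}
static int write_u32(uint32_t addr, uint32_t v) {
    if (addr < MEM_BASE || addr - MEM_BASE > MEM_SIZE - 4) return -1;
    uint8_t *p = mem + (addr - MEM_BASE);
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
    return 0;
}

/* Resolve a Complex-Address style chain: dereference base, add offs[0], dereference,
 * add offs[1], ... The last offset is added without another dereference, so the result
 * is the address of the value. A chain through an unmapped address fails cleanly. */
static int resolve_chain(uint32_t base, const uint32_t *offs, size_t n, uint32_t *final_addr) {
    uint32_t cur = base, p;
    for (size_t i = 0; i < n; i++) {
        if (read_u32(cur, &p) != 0) return -1;
        cur = p + offs[i];
    }
    *final_addr = cur;
    return 0;
}

/* Simulate a save being loaded: the player structure lands at struct_addr and the
 * static pointer slot is updated to point at it (this is the DMA the thread fights). */
static int load_save(uint32_t struct_addr, uint32_t bucks) {
    if (write_u32(PTR_ADDR, struct_addr) != 0) return -1;
    return write_u32(struct_addr + BUCKS_OFF, bucks);
}

/* Read Sporebucks through the chain, wherever the structure has moved to. */
static int read_sporebucks(uint32_t *bucks) {
    const uint32_t offs[] = { BUCKS_OFF };
    uint32_t addr;
    if (resolve_chain(PTR_ADDR, offs, 1, &addr) != 0) return -1;
    return read_u32(addr, bucks);
}
```

Locking the value is then a matter of resolving the chain again before every write instead of caching the address from the first search.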

Postby FSB » Sat Aug 22, 2009 8:16 pm

How do I save something I found in the disassembler so that I can get the effects of a "change to NOP" hack on future loads of SPORE and MHS? I've figured out that starting at 00C06FF5 and going for 6 bytes, auto-hack changed all of those bytes to 0x90. Again, how do I save this change for future loads of MHS? Also, I confirmed that changing these exact same 6 bytes to 0x90 each will result in my Sporebucks never changing, even if I load up Spore, so that is solved.

Postby L. Spiro » Sun Aug 23, 2009 8:14 am

Either save and re-load an Auto-Assembler script or use Scripts to automatically write the NOP values at the desired address when the process loads.


L. Spiro

Postby FSB » Sun Aug 23, 2009 6:52 pm

I guess it's off to the help file. I'll tell ya if I don't understand something.

Postby FSB » Mon Aug 24, 2009 3:19 am

OK, I get this error that I can't make heads or tails of. Am I not in the correct script set? Is my syntax wrong? I spelled it correctly...

Here's my script:

Code:
void On_HK_0( DWORD dw1, DWORD dw2){
   char data[6];
   int i=0;
   for(i=0;i<6;i+=1)
   {
      data[i]=0x90;
   }
   WriteLocalMemory(0x00C06FF5, data, 6);
}

And here's my error:
Code:
ERROR: Line: 8 Call to undefined function or incompatible argument lists (“WriteLocalMemory”).  File: C:\MHS5.009\Set_SB_2_not_change.lss
ERROR: Line: 9 Unable to compile function.  File: C:\MHS5.009\Set_SB_2_not_change.lss

EDIT: Is there really only 1 script set, or is there not the apparent option to change it? That might be it, but again, I'm not sure.

Postby FSB » Mon Aug 31, 2009 7:38 pm

Well, I managed a while ago to find the code that changes Sporebucks, and another piece of code that decrements ammo when used. Anyway, I turned both of these into an auto-assembler file that works. But when I looked for my HP value and tried changing the code with the auto-assembler (to NOPs), it seems it picks up a couple too many bytes to overwrite, and when I get damaged the game crashes. And btw: @trialusert: I get those double question marks too. @L. Spiro: how do I control how many bytes I'm overwriting?

Postby trialusert » Mon Aug 31, 2009 10:07 pm

Post the code you're trying to deal with... In my case, the question marks appear when the overwritten code has at least 1 blank line (look at the picture I posted in my topic).
trialusert
NULL
 
Posts: 155
Joined: Tue May 20, 2008 6:19 pm

Postby L. Spiro » Mon Aug 31, 2009 11:22 pm

Question marks appear when you are overwriting unrecognized code.

All of these problems are normal when working with code the assembler does not recognize.


L. Spiro

Postby Calimaw » Tue Sep 01, 2009 5:48 am

Hi FSB,

I may be able to help in a sort of roundabout way, which is what I've had luck with in the past. It may or may not be correct, and is definitely not the most efficient, but I'll let you decide; it does work.

I was always curious how people would create hacks for games, and knew very little (just the basic logic involved with coding), so I sought answers and came across MHS.

I had a similar problem to yours, which is due to DMA, and I had posted for help, with which L. Spiro was kind enough to help me.

I was wanting to make a vector aimbot, and had limited coding knowledge, and I didn't know a thing about injecting code into memory (I still don't know much, as I've only punched in values).

Long story short(er), I knew that if I could get the XYZ location of a player and myself I could use that to create a vector aimbot; the problem I had was that the XYZ location of myself and other players would move around, due to DMA. But L. Spiro made me aware that these values are part of a player structure and will always maintain a fixed relation within that structure.

So what I did was look for the start of the structure addressed by a static pointer. The structure moves around, but obviously the static pointer does not.

I used AHK to gain read and write privies to the game's memory through the Windows kernel, and I looked at the contents of that static pointer, which was the start of the structure that contained the XYZ values.

After having done that I was able to solicit from the kernel what address I wanted to play with.

Here's an example of an AHK DllCall:
Code:
; 0x0038 = PROCESS_VM_OPERATION (0x08) | PROCESS_VM_READ (0x10) | PROCESS_VM_WRITE (0x20)
ProcessHandle := DllCall("OpenProcess", "Int", 0x0038, "Char", 0, "UInt", PID, "UInt")


AHK has some unconventional syntax that a lot of people find irritating, but I've never really used much else, so it makes enough sense to me.

0x0038 is the read and write privies requested of the kernel.

Code:
; ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead):
; copies the 4-byte pointer stored at base_pointer into this player's pointer variable
DllCall("ReadProcessMemory","UInt",ProcessHandle,"UInt", base_pointer, "Int *", player[%A_Index%]_pointer, "UInt", 4, "UInt *", 0)


The "UInt", 4, portion of the above code is where you define the type of data, and the size of it. In this case, it's an 'Unsigned Integer' of 4 bytes.

The little 'hack' I made doesn't inject code, it only reads values and plugs values, which doesn't change the game's memory; except for falsely gained, yet legitimate, values where they should be.

If you still need help I can try to make you something in AHK that does this for you. I know I'm pretty noob, and don't know near as much as others on this forum, but I am willing to spend the time to talk with you and help you as much as I know how.
Calimaw
Hackleberry Fin
 
Posts: 24
Joined: Tue May 20, 2008 2:25 pm

Postby FSB » Tue Sep 01, 2009 9:37 pm

OK, well, I've pulled up the disassembler, and here's what I get that appears important:
Code:
...
00BFC179    db 0Fh (15)
00BFC17A    2F    DAS
00BFC17B    C8 F30F11   ENTER FF3, 11    Operation causes misaligned stack
00BFC17F    46    INC ESI
00BFC180    3876 58    CMP BYTE PTR[ESI+58],DH
00BFC183    db 0Fh (15)
00BFC184    57    PUSH EDI
...


When I hit Go to Disassembler after finding what wrote to the HP value, 00BFC17F 46 is what is highlighted.
When I go to Tools->Auto-Assembler->Templates->Inject Code and type in that 0x00BFC17F address, I get
Code:
Alloc( MyCode, 2048)
Label( OverwrittenCode )
Label( Exit )
Label( Return )
FullAccess( SporeApp.exe+0x007FC17F, 2048 )
SporeApp.exe+007FC17F :
jmp MyCode
nop
Return :

MyCode :

OverwrittenCode :
inc    esi
cmp byte ptr [esi+58], dh
??

Exit :
jmp Return


And trying to mess with or inject the code crashes the game, and the ?? doesn't let me hit Next. I don't know why it used SporeApp+0x007FC17F, but that might have something to do with the crashing. If I simply write
Code:
0x00BFC17F :
NOP

then it still crashes. In either case it doesn't crash until my HP changes.


I'm pretty sure I didn't typo anything, but just in case, I'll tell you I don't have internet at the moment on my computer, so I'm using my Wii's Internet Channel and the wireless USB keyboard to type this to you guys.

Postby L. Spiro » Tue Sep 01, 2009 9:59 pm

?? means the instruction is not recognized.

As WhiteHat said, use db to copy the bytes of the instruction to your Auto-Assembly manually.


L. Spiro

Postby WhiteHat » Tue Sep 01, 2009 10:00 pm

I assume you want to NOP the address 0x00BFC17F; here are alternative steps:

1. Put 0x00BFC17F into the MHS table (Main List), BYTE data-type. Give it any description you want.
2. Modify the address. Go to the Auto-Assemble tab, and put in the following code:
Code:
FullAccess( SporeApp.exe+0x007FC17F, 1 )

[ENABLE]
nop

[DISABLE]
inc     esi

3. Don’t forget to tick “Use Auto-Assemble for Locking”

Now when you lock this address, the NOP will be activated and vice versa...

Hope this works.... Spoon fed this time, but feel free to discuss it further...


Edit: L. Spiro's post arrived while I was writing this reply...
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...
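An added example (mine, not from the thread or from MHS): an instruction-length decoder that knows only the opcodes in FSB's dump above, to show where the instruction boundaries actually fall and why a patch must cover whole instructions. By the x86 opcode tables the F3 0F 11 46 38 sequence that MHS rendered as ENTER is a movss store to [esi+0x38], with 00BFC17F as its ModRM byte; replacing that byte with 0x90 turns the same instruction into an 8-byte store through [eax+0x0F587638], which would fault on the first HP write. That MHS's disassembler simply did not recognise the SSE prefix (hence the db and ?? lines) is my reading, not something the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Bytes copied from FSB's disassembler dump, 00BFC179 through 00BFC184. */
#define DUMP_BASE 0x00BFC179u
static const uint8_t dump[] = {0x0F,0x2F,0xC8, 0xF3,0x0F,0x11,0x46,0x38, 0x76,0x58, 0x0F,0x57};

/* Bytes taken by a ModRM byte plus its SIB and displacement (32-bit mode). */
static size_t modrm_size(const uint8_t *p, size_t avail) {
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod != 3 && rm == 4) {                          /* SIB byte follows */
        if (avail < 2) return 0;
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;        /* no-base SIB: disp32 */
    }
    if (mod == 1) n += 1;                               /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5)) n += 4; /* disp32 */
    return n;
}
/* Length of the instruction at p, or 0 if truncated or unknown. Known: comiss (0F 2F),
 * movss store (F3 0F 11), xorps (0F 57), cmp r/m8,r8 (38), inc esi, push edi, jbe, nop. */
static size_t insn_len(const uint8_t *p, size_t avail) {
    size_t i = (avail && p[0] == 0xF3) ? 1 : 0, m;     /* F3 scalar-single prefix */
    if (i >= avail) return 0;
    uint8_t op = p[i++];
    if (op == 0x0F) {                                   /* two-byte opcode map */
        if (i >= avail) return 0;
        op = p[i++];
        if (op != 0x2F && op != 0x11 && op != 0x57) return 0;
    } else if (op == 0x46 || op == 0x57 || op == 0x90) return i;
    else if (op == 0x76) return i + 1 <= avail ? i + 1 : 0;
    else if (op != 0x38) return 0;
    m = modrm_size(p + i, avail - i);                   /* remaining opcodes take ModRM */
    return (m && i + m <= avail) ? i + m : 0;
}

/* Walk from DUMP_BASE, optionally with one byte replaced by NOP (as the template and
 * WhiteHat's steps do at 00BFC17F). Returns the length of the instruction starting at
 * addr, or 0 if addr lies inside an instruction or the walk hits undecodable bytes. */
static size_t len_at(uint32_t addr, uint32_t nop_addr) {
    uint8_t buf[sizeof dump];
    memcpy(buf, dump, sizeof dump);
    if (nop_addr >= DUMP_BASE && nop_addr < DUMP_BASE + sizeof dump) buf[nop_addr - DUMP_BASE] = 0x90;
    for (size_t pos = 0; pos < sizeof buf; ) {
        size_t n = insn_len(buf + pos, sizeof buf - pos);
        if (n == 0 || DUMP_BASE + pos > addr) return 0;
        if (DUMP_BASE + pos == addr) return n;
        pos += n;
    }
    return 0;
}
```

The same walk shows why the template's 5-byte jmp plus nop at 00BFC17F also lands mid-instruction, so the safe patch range starts at 00BFC17C and must be a multiple of whole instructions.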

