Read Faction II Pointers *HELP!*

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo


Postby inuyasha » Fri Oct 23, 2009 12:48 am

Okay, I found the grenade / Medkit addresses. They weren't static, so I found the pointers for them and made them static. They work when I restart the game and they work when I change difficulty.

Now, on the other hand, ammo-wise:

I find it and the address is already static, but when I change difficulty / restart the game it doesn't work any more. What is the problem?

Here is my Normal Address tab for Med Kit and Frag Grenades

    4 Bytes
    Frag Grenades
    00405130
    rf2.exe + 5130
    [[0x00405130]+0x0]+0x4D0

    4 Bytes
    Med Kit
    00405130
    rf2.exe + 5130
    [[0x00405130]+0x0]+0x4C8


These worked every time I restarted the game, but the others didn't. What is the problem?

*UPDATE*
This is the Machine Gun ammo in the chamber when you shoot it:

    4 Bytes
    Machine Gun
    00B0B000
    rf2.exe + 70B000
    (no expression)


It works to freeze and everything, but I'll try to restart and go to Hard (I found this on Medium). (NOTE: Med Kit and Frag Grenades still work.)

*UPDATE 2*
I went to the next level and it still worked. I go back to the main menu without restarting the game and the address doesn't work any more.

This is really frustrating. I can't think of what it could be.
inuyasha
Acker
 
Posts: 52
Joined: Tue Dec 16, 2008 6:31 am
Location: kentucky

Postby L. Spiro » Fri Oct 23, 2009 6:27 am

The ammunition address is not static.

Like the others, you will need to use a Complex Address.

In this case, you found a static address that can even be used to change the real value in your game. However it does not work after performing some operations in the game.
This means the game is storing the ammunition value to a global location for temporary use. The game will keep a pool of global values available that it can use as it pleases, probably performing its own memory management on the pool. Their idea is probably to improve performance (but the benefits are questionable).

For this case, you need to treat the address as if it were not static and search for pointers to it. Making a Complex Address may lead you to a static address every time, but at least it will be the correct static address.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
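An added example of what a Complex Address like [[0x00405130]+0x0]+0x4D0 actually does, and why it keeps working across a restart or a difficulty change while the plain address of the value does not. This is not code from the thread or from MHS: it walks the chain against a constructed 32-bit address space, and every pointer value in it (0x0ABC0000 and so on) is made up for the example. Only the base 0x00405130 and the offsets 0x0 and 0x4D0 come from the posts above.

```c
/* Added example (not from the thread or MHS): resolving a multi-level
 * pointer chain such as MHS's [[0x00405130]+0x0]+0x4D0 against a fake
 * 32-bit address space. Only the base and the two offsets come from the
 * thread; all pointer values and the grenade counts are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t addr; uint32_t value; } cell_t;
/* Sparse stand-in for process memory: only the listed dwords are mapped. */
typedef struct { const cell_t *cells; size_t n; } memory_t;

/* Read one dword. Returns -1 for an unmapped address, the analogue of
 * ReadProcessMemory failing on a freed or never-mapped page. */
int read32(const memory_t *m, uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < m->n; i++)
        if (m->cells[i].addr == addr) { *out = m->cells[i].value; return 0; }
    return -1;
}

/* Walk the chain: p = base; for each offset: p = [p] + offset.
 * On success *final_addr is the address of the value itself. */
int resolve_chain(const memory_t *m, uint32_t base,
                  const uint32_t *offs, size_t n, uint32_t *final_addr) {
    uint32_t p = base;
    for (size_t i = 0; i < n; i++) {
        uint32_t ptr;
        if (read32(m, p, &ptr) != 0) return -1;   /* intermediate unmapped */
        if (ptr == 0) return -1;                   /* null: object not created */
        p = ptr + offs[i];
    }
    *final_addr = p;
    return 0;
}

int read_chain_value(const memory_t *m, uint32_t base,
                     const uint32_t *offs, size_t n, uint32_t *value) {
    uint32_t addr;
    if (resolve_chain(m, base, offs, n, &addr) != 0) return -1;
    return read32(m, addr, value);
}

/* [[0x00405130]+0x0]+0x4D0 from the thread */
const uint32_t GRENADE_BASE = 0x00405130;
const uint32_t GRENADE_CHAIN[] = { 0x0, 0x4D0 };
const size_t   GRENADE_CHAIN_LEN = 2;

/* Constructed memory for two runs of the game (assumed layout). The heap
 * objects land somewhere else each run, but the static pointer at
 * GRENADE_BASE still leads to them. */
static const cell_t run1_cells[] = {
    { 0x00405130, 0x0ABC0000 },          /* static: -> player container   */
    { 0x0ABC0000, 0x0ABD1000 },          /* container+0: -> player object */
    { 0x0ABD1000 + 0x4D0, 3 },           /* player+0x4D0: frag grenades   */
};
static const cell_t run2_cells[] = {
    { 0x00405130, 0x0CDE0000 },
    { 0x0CDE0000, 0x0CDF2000 },
    { 0x0CDF2000 + 0x4D0, 5 },
};
static const cell_t menu_cells[] = {
    { 0x00405130, 0 },                   /* main menu: no player object yet */
};
const memory_t run1     = { run1_cells, 3 };
const memory_t run2     = { run2_cells, 3 };
const memory_t menu_mem = { menu_cells, 1 };

int main(void) {
    const memory_t *runs[] = { &run1, &run2 };
    uint32_t addr, v;
    for (int i = 0; i < 2; i++) {
        if (resolve_chain(runs[i], GRENADE_BASE, GRENADE_CHAIN, GRENADE_CHAIN_LEN, &addr) == 0 &&
            read32(runs[i], addr, &v) == 0)
            printf("run %d: grenades live at %08X, value %u\n", i + 1, (unsigned)addr, (unsigned)v);
    }
    /* The absolute address found in run 1 is unmapped in run 2. */
    printf("run 2, old address 0ABD14D0 readable: %s\n",
           read32(&run2, 0x0ABD14D0, &v) == 0 ? "yes" : "no");
    printf("main menu, chain resolves: %s\n",
           resolve_chain(&menu_mem, GRENADE_BASE, GRENADE_CHAIN, GRENADE_CHAIN_LEN, &addr) == 0 ? "yes" : "no");
    return 0;
}
```

The null check on each intermediate pointer matters in practice: at the main menu the game has not created the player object yet, so a tool that blindly adds 0x4D0 to a zero pointer and writes there is writing into the first page of the address space. A Complex Address that fails to resolve should be reported as "not available", not written.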

Postby inuyasha » Fri Oct 23, 2009 10:25 am

Hmmm, well, that's interesting. I will do that, thanks L. Spiro. Hope this works.

*UPDATE*
I think I just discovered something....

It works all on the same level, like:

level 1 out of 10 stages

level 2 out of 5 stages

I think it works like that.

Level 1 has its ammo address and level 2 has its ammo address, and 3, 4, 5 etc. Meaning I have to find the ammo address in each one, then it'll be good to go.

I think

*UPDATE2*

Nope, just tried it and it's not that, for sure. It's something more stupid that I'm overlooking. *Sigh* I DON'T GET IT! I injected a code, ADD DWORD PTR [ESI+310], 10, but that broke the game, so when I start the level the ammo goes up and up and up and up and up, then it crashes. I have to go to the address that writes that code to it all the time and NOP it to make it stop.

Man, I think I messed the game up doing that.
inuyasha
Acker
 
Posts: 52
Joined: Tue Dec 16, 2008 6:31 am
Location: kentucky

Postby g3nuin3 » Fri Oct 23, 2009 11:47 am

Hey, there could be a limit to the amount of ammo you can have, perhaps, so you could try and find out if there is and simply make a check for it in your code cave.

And like L.Spiro mentioned, you need to go deeper until you find that static base address, because it does exist; just keep finding what writes to the addresses you think you've found.
g3nuin3
Acker
 
Posts: 96
Joined: Tue Jul 18, 2006 10:53 am

Postby trialusert » Fri Oct 23, 2009 5:14 pm

Finding pointers can sometimes be mission impossible. Before you give up (which I hope you won't), you may want to try something a little different.
If your main purpose is just to know the amount of ammo, then you can find the function that writes it and tweak it a little.
Find that function (using "Find What Writes This Address") and see if you can edit it so that it writes the ammunition value into one extra address. That "extra" address should be an address that you choose, whose value does not change and that won't cause anything to collapse in case its value is changed.
For example, if you chose 0xMyAddress to hold your ammunition, and the original writing function looks like this:

    506561CC    MOV DWORD PTR [EBX+214], EAX

then overwrite it; make it jump to a codecave similar to the following:

(Overwritten:)
    506561CC    JMP 50679F54
    506561D1    NOP

(Codecave:)
    50679F54    MOV DWORD PTR [EBX+214], EAX
    50679F5A    MOV DWORD PTR [0xMyAddress], EAX
    50679F60    JMP 506561D1
    50679F65    NOP


Afterwards, you'll have your own "static" address for ammo.
Hope this helps.
trialusert
NULL
 
Posts: 155
Joined: Tue May 20, 2008 6:19 pm

Postby inuyasha » Fri Oct 23, 2009 7:03 pm

Okay, I was testing something last night. Well, every time I attach MHS to the game it writes this code I put into it, which broke the game the first time:

    06610001 ADD     DWORD PTR [EBP+E0], 10 // This is what I code-injected when I was experimenting
    06610008 jmp     06600008 // This is new after I injected the code above it

Now this increases my ammo when shot. But the problem is it goes up too far and then it crashes. When the MHS software isn't attached to the process the game's fine.

I go to the address that does that and I NOP it by injecting code, but it just moves it to another one. I go in and rewrite it and it works, or I just NOP that code by pressing NOP Selected.

Is there a way to revert this back to normal and start from scratch? I might have a way but I'm not 100% sure it'll work.

*UPDATE*

Well, I am gonna do some assembly on it to see where I get. I just need to know a few things, then you can just close this thread.

In the Auto-Assembly tab, where you do the ENABLE and DISABLE and GLOBAL,

is there like a function that will freeze the address, or something I can use to freeze it?
inuyasha
Acker
 
Posts: 52
Joined: Tue Dec 16, 2008 6:31 am
Location: kentucky

Postby CoMPMStR » Fri Oct 23, 2009 10:58 pm

inuyasha wrote:Okay, I was testing something last night. Well, every time I attach MHS to the game it writes this code I put into it, which broke the game the first time:

    06610001 ADD     DWORD PTR [EBP+E0], 10 // This is what I code-injected when I was experimenting
    06610008 jmp     06600008 // This is new after I injected the code above it

Now this increases my ammo when shot. But the problem is it goes up too far and then it crashes. When the MHS software isn't attached to the process the game's fine.

I go to the address that does that and I NOP it by injecting code, but it just moves it to another one. I go in and rewrite it and it works, or I just NOP that code by pressing NOP Selected.

Is there a way to revert this back to normal and start from scratch? I might have a way but I'm not 100% sure it'll work.


Rather than increasing the ammo each time you shoot, why not just add 0 to it that way it doesn't increase or decrease. :?

Also most of the time for things like this, you don't need an entirely new code cave. Sometimes you can easily overwrite the current opcode with the new one without any major problems. For example:

Original:
    add dword ptr [ebp+E0], -1 (83 85 E0 00 00 00 FF)

Modified:
    add dword ptr [ebp+E0], 0 (83 85 E0 00 00 00 00)

-OR-

Original:
    sub dword ptr [ebp+E0], 1 (83 AD E0 00 00 00 01)

Modified:
    sub dword ptr [ebp+E0], 0 (83 AD E0 00 00 00 00)



inuyasha wrote:*UPDATE*

Well, I am gonna do some assembly on it to see where I get. I just need to know a few things, then you can just close this thread.

In the Auto-Assembly tab, where you do the ENABLE and DISABLE and GLOBAL,

is there like a function that will freeze the address, or something I can use to freeze it?


There is a tickbox under the Auto-Assemble script that says "Use Auto-Assemble for Locking (Disables Normal Lock)", this box needs to be ticked if you want to use an entry in the list for locking the auto-assemble script. When you tick the box it will write any code you put under [ENABLE] when the entry is locked (green) and it will write any code under [DISABLE] when it's unlocked (red).

______________________________________________________
My Utilities:
CT <-> LSSAVE Converter
LSS Visual Dialog Designer
.NET Trainer Helper Library

~Whether you think you can or you think you can't, you're right.

L. Spiro wrote:In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place

Postby inuyasha » Sat Oct 24, 2009 2:46 am

I saw that, thank you for informing me. I guess that'll do me for now. Thanks for the help, guys.

Also, under a level and on a certain difficulty, this is what's going on:

    00B06F50 // NICW ammo

    00520F9C // This is the address that writes to it

    00520F9C 8985 E0000000  MOV     DWORD PTR [EBP+E0], EAX // this is the original code that writes to it now

Now I double-click that code and go to the auto-assembler:

    00B06F50

and then I put in the auto-assembler:

    [ENABLE]
    00520F9C :
    add dword ptr [ebp+E0], 0
    [DISABLE]
    00520F9C :
    mov dword ptr [ebp+E0], EAX

Now I tick the box below to use it as an on and off switch to inject the code. When I go into the game and press the fire button it doesn't shoot; the game locks up and nothing happens, then it instantly crashes.

Now what's my problem?
inuyasha
Acker
 
Posts: 52
Joined: Tue Dec 16, 2008 6:31 am
Location: kentucky

Postby CoMPMStR » Sat Oct 24, 2009 4:36 am

The problem now is that you're overwriting the next command. If you notice in the auto-assembler preview window, add dword ptr [ebp+E0], 0 is 7 bytes and mov dword ptr [ebp+E0], EAX is only 6 bytes. When you enable it, it overwrites the beginning of the next command which is why it crashes instantly. For this instance you will need to create a new codecave and provide the jumps to and from, back to the source.

You first need to tell MHS to provide full access for the address at hand and also declare a new allocated memory space at the top of the script:
    fullaccess(address, bytes)
    - ex: fullaccess(00520F9C, 6)

    alloc(labelname, bytes)
    - ex: alloc(ammocave, 0x90)


Then, under [ENABLE], you need to write in the jump to the code cave:
    [enable]
    jmp ammocave
    nop

Note the extra nop at the end: almost all jmp commands are 5 bytes, so when you are writing a new code cave you need to be sure to write 5 or more bytes, placing a nop at the end for each extra byte overwritten. You can always use the Preview window to be sure. ;)

Then directly beneath that you need to insert the code for the code cave itself:
    ammocave:
    mov eax, dword ptr [ebp+E0]
    jmp 00520FA1

Simply write the value of the ammo into eax, no need to write it back because it should already be there (this should make it so the ammo stays the same when you shoot). Then we jump back to where we came from, resuming normal activity.

Finally, under [DISABLE], just put the original code and dealloc the memory space:
    [disable]
    mov dword ptr [ebp+E0], EAX
    dealloc(ammocave)

End result:
    fullaccess(00520F9C, 6)
    alloc(ammocave, 0x90)

    [enable]
    jmp ammocave
    nop

    ammocave:
    mov eax, dword ptr [ebp+E0]
    jmp 00520FA1

    [disable]
    mov dword ptr [ebp+E0], EAX
    dealloc(ammocave)


... or you could probably just go up a few lines in the disassembler to see where it's doing the addition or subtraction, and just overwrite said command. :P

______________________________________________________
My Utilities:
CT <-> LSSAVE Converter
LSS Visual Dialog Designer
.NET Trainer Helper Library

~Whether you think you can or you think you can't, you're right.

L. Spiro wrote:In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place

Postby inuyasha » Sun Oct 25, 2009 6:56 am

    mov eax, dword ptr [ebp+E0]
    jmp 00520FA1

Why would I jump to that address? I'm lost at that point. Is there a specific reason?

    alloc(labelname, bytes)
    - ex: alloc(ammocave, 0x90)

What is the 0x90? What does that represent?

sorry for asking so many questions that are probably obvious but I like to know what every function does
inuyasha
Acker
 
Posts: 52
Joined: Tue Dec 16, 2008 6:31 am
Location: kentucky

Postby CoMPMStR » Sun Oct 25, 2009 9:20 am

inuyasha wrote:
    mov eax, dword ptr [ebp+E0]
    jmp 00520FA1

Why would I jump to that address? I'm lost at that point. Is there a specific reason?

The reason is to return to where you came from after you're done modifying what's needed. The initial address where you jump to the code cave is 00520F9C; add 5 to that and you get 00520FA1. The reason you add 5 is that the jmp command is only 5 bytes; if you jump onto a nop it does nothing anyway, so it will just resume normal execution.

inuyasha wrote:
    alloc(labelname, bytes)
    - ex: alloc(ammocave, 0x90)

What is the 0x90? What does that represent?

sorry for asking so many questions that are probably obvious but I like to know what every function does

The 0x90 represents how much memory you want allocated for the code cave. Although I do believe that 0x1000 bytes is allocated even if you specify a lower number, you shouldn't need any more than that for your code cave. ;)

______________________________________________________
My Utilities:
CT <-> LSSAVE Converter
LSS Visual Dialog Designer
.NET Trainer Helper Library

~Whether you think you can or you think you can't, you're right.

L. Spiro wrote:In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place

Postby inuyasha » Sun Oct 25, 2009 9:39 am

How does one determine how many bytes something is?

Also, adding 5 bytes to an address, I can't see it.
inuyasha
Acker
 
Posts: 52
Joined: Tue Dec 16, 2008 6:31 am
Location: kentucky

Postby CoMPMStR » Sun Oct 25, 2009 9:52 am

A byte is any number from 0x00-0xFF, so FE3CAB10 is 4 bytes and E9 FF FE 10 AB is 5 bytes. You can use the Preview button in the auto-assembler tab (or just use the disassembler) to see how many bytes a certain set of commands are, but as I said previously, you shouldn't need any more than 0x90 for a code cave.

You add 5 to the source address because where else would you return to from the code cave? If you return to the source address itself, it will simply result in an infinite loop and freeze/crash the game. If you return 1 or 2 or 3 bytes ahead of the source address it would result in a crash because the CPU would read the command incorrectly. Simply put, after executing a code cave, you need to return to the next available valid command to resume normal activity. How else should I explain it?

______________________________________________________
My Utilities:
CT <-> LSSAVE Converter
LSS Visual Dialog Designer
.NET Trainer Helper Library

~Whether you think you can or you think you can't, you're right.

L. Spiro wrote:In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.
CoMPMStR
(P)ot (I)n (M)y (P)ipe
 
Posts: 451
Joined: Thu Mar 06, 2008 7:50 am
Location: Best Place
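An added example, not code from the thread or from MHS, that builds by hand the two patches the auto-assemble script earlier in the thread writes: the jmp-plus-nop at the hook and the cave that jumps back, with the rel32 arithmetic behind "add 5 to 00520F9C" and the byte counting explained in the post above. It also covers trialusert's extra-copy trick (the cave writes the ammo into a spare dword) and the in-place overwrite from the earlier reply, refusing the 7-byte add over the 6-byte mov that locked the game up. Only the hook address 00520F9C and its original bytes 89 85 E0 00 00 00 (mov dword ptr [ebp+E0], eax) come from the thread; the cave address 00A00000 and the spare dword at 00A01000 (the "0xMyAddress" slot) are assumptions, and everything is written into local byte buffers rather than a live process.

```c
/* Added example (not from the thread or MHS): building a 32-bit x86 code
 * cave by hand. Hook address and original bytes are from the thread; the
 * cave address and the spare dword are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32      0xE9
#define JMP_REL32_LEN  5
#define NOP            0x90

/* rel32 is measured from the end of the 5-byte jmp, i.e. from at + 5.
 * That is why the cave returns to hook + 5 (or hook + original length). */
int32_t rel32(uint32_t at, uint32_t target) {
    return (int32_t)(target - (at + JMP_REL32_LEN));
}

/* Encode "jmp target" as it must look when placed at address 'at'. */
void emit_jmp(uint8_t *out, uint32_t at, uint32_t target) {
    int32_t d = rel32(at, target);
    out[0] = JMP_REL32;
    memcpy(out + 1, &d, 4);            /* little-endian displacement */
}

typedef struct {
    uint8_t  site[16]; size_t site_len;   /* bytes to write at the hook */
    uint8_t  cave[64]; size_t cave_len;   /* bytes to write at the cave */
    uint32_t return_addr;                  /* where the cave jumps back */
} detour_t;

/* In-place overwrite: safe only when the replacement is no longer than
 * the instruction it replaces. Shorter replacements are nop-padded so
 * the next instruction still starts where the CPU expects it. */
int patch_in_place(uint8_t *mem, size_t orig_len,
                   const uint8_t *repl, size_t repl_len) {
    if (repl_len > orig_len) return -1;   /* would clobber the next instruction */
    memcpy(mem, repl, repl_len);
    memset(mem + repl_len, NOP, orig_len - repl_len);
    return 0;
}

/* Detour: the hook becomes "jmp cave" plus nops; the cave runs the
 * payload, then the relocated original instruction, then jumps back to
 * the instruction after the hook. The original must be position
 * independent (no relative jmp/call) for the straight copy to be valid. */
int build_detour(detour_t *d, uint32_t src, const uint8_t *orig, size_t orig_len,
                 uint32_t cave, const uint8_t *payload, size_t payload_len) {
    if (orig_len < JMP_REL32_LEN || orig_len > sizeof d->site) return -1;
    if (payload_len + orig_len + JMP_REL32_LEN > sizeof d->cave) return -1;
    emit_jmp(d->site, src, cave);
    memset(d->site + JMP_REL32_LEN, NOP, orig_len - JMP_REL32_LEN);
    d->site_len = orig_len;

    size_t n = 0;
    memcpy(d->cave + n, payload, payload_len); n += payload_len;
    memcpy(d->cave + n, orig, orig_len);        n += orig_len;
    d->return_addr = src + orig_len;            /* lands after the padding nops */
    emit_jmp(d->cave + n, cave + n, d->return_addr); n += JMP_REL32_LEN;
    d->cave_len = n;
    return 0;
}

static void dump(const char *name, uint32_t at, const uint8_t *b, size_t n) {
    printf("%-4s @ %08X:", name, (unsigned)at);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}

int main(void) {
    const uint32_t hook = 0x00520F9C;          /* from the thread */
    const uint32_t cave = 0x00A00000;          /* assumed cave address */
    const uint32_t my_addr = 0x00A01000;       /* assumed "0xMyAddress" */
    const uint8_t  orig[] = { 0x89, 0x85, 0xE0, 0x00, 0x00, 0x00 }; /* mov [ebp+E0],eax */
    uint8_t payload[5] = { 0xA3 };             /* A3 moffs32 = mov [moffs32], eax */
    memcpy(payload + 1, &my_addr, 4);

    detour_t d;
    if (build_detour(&d, hook, orig, sizeof orig, cave, payload, sizeof payload) == 0) {
        dump("site", hook, d.site, d.site_len);
        dump("cave", cave, d.cave, d.cave_len);
        printf("cave returns to %08X\n", (unsigned)d.return_addr);
    }
    /* The crash from the thread: 7-byte "add [ebp+E0], 0" over the 6-byte mov. */
    uint8_t mem[6]; memcpy(mem, orig, 6);
    const uint8_t add0[] = { 0x83, 0x85, 0xE0, 0x00, 0x00, 0x00, 0x00 };
    printf("7-byte add over 6-byte mov: %s\n",
           patch_in_place(mem, 6, add0, 7) == 0 ? "ok" : "refused");
    return 0;
}
```

Compile with any C99 compiler and run. The printed site is E9 5F F0 4D 00 90: the displacement 0x4DF05F is 00A00000 minus (00520F9C + 5), and the trailing 90 is the nop covering the sixth byte of the original mov. The cave returns to 00520FA2 rather than the thread's 00520FA1; both are valid, one lands on the nop and the other skips it, and either way execution resumes at the next original instruction. What is not safe is anything in between, or a replacement longer than what it covers, which is exactly what patch_in_place refuses.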

Postby inuyasha » Sun Oct 25, 2009 9:59 am

I'm still a little lost, but you are big-time helping me, slowly but surely, understand this. Idk why this forum doesn't have like a chat room or something to have real-time help.
inuyasha
Acker
 
Posts: 52
Joined: Tue Dec 16, 2008 6:31 am
Location: kentucky

Postby L. Spiro » Sun Oct 25, 2009 10:18 am

In order to use the [ENABLE] and [DISABLE] features, you must make the Auto-Assembler script in the Modify Address dialog.

However, making it there will not allow you easy access to a lot of helpful features.

The easiest way to make your Auto-Assembler script is to right-click the address you want to modify in the Disassembler and select Auto-Assemble/Inject Code.

The generated template will automatically provide you with a code cave, a jump to your personal code, and a jump back to the original code, including the overwritten code.
You can use these generated features as you please to construct the final Auto-Assemble script you want to create, then paste the whole thing into the Modify Address dialog when done.

Specifically, it will generate the correct overwritten code and give you the address where you want to go when you jump back to the original code. These values are tedious to generate by hand.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

