Instant Kill hacks
11 replies to this topic
Posted 24 July 2012 - 04:07 PM
In this tutorial we'll be looking at instant kill hacks and one of the methods to achieve this.
We will be turning health into static to accomplish this.
You search for a bit of code that stores our health pointer, e.g. a display routine that only
points to us. Then we find a point in the game where the computer uses the same resources as we
do, and we then inject our code.
Target – Chicago 1930 v1.0
First we need to find a place in the game where we can turn our health register into a static
address and store it into an empty code cave. So fire up Chicago 1930 and do an inc/dec
search till we get our static address for health. Let's put a rw breakpoint on it in T-Search.
Go back to the game and get shot. In T-Search you should now have eight addresses listed below.
4a7512 <-Display routine
488099 <-Computer and Human player health decrement routine
Fire up SoftICE and go back to the game. Let's place an executional breakpoint on this address.
So bpx 4a7512 and get shot, and SoftICE should pop. Now dump the contents of edx+0x28, so d edx+28.
Now let's take a look in the dump window: it is equal to our health address. So ok, go back to the
game and shoot an enemy. SI should pop; take another look, has it changed? No, it still equals our
health address. Excellent, we have found our health address pointer, which will always point to our
health and will never be used by the computer. This is where we want to turn our health pointer
into static. So ok, go back to T-Search: 4a7512 is where we want to make our jump. Here's my
EasyWrite script; I'll explain everything in a minute. If you've got this game you should be able
to easily understand what's going on anyway.
jmp 10abf <- Make our jump
nop <- 4 nops to even out the code
mov eax,[edx+0x28] <- Recreate original instruction (EDX being a base pointer; +28 = our health)
mov [822338],edx <- Move the value of edx to codecave 822338 (so we move this to 822338)
mov [ebp-0xe8],eax <- Recreate original instruction (if you don't do this the game will crash)
jmp 4a751b <- Jump back to original code (code finished; jump back to main game code)
Now seeing as this is a display routine it is continuously updating, so our code will get
executed every millisecond. Here we have taken our health register/pointer, which will always point to us
only seeing as it's a display routine, and we've turned it into a static address. We have moved
the contents of edx into an empty codecave at address 822338. So now (822338) will always
hold our static health address -28, or register EDX, as long as we're playing the game.
Lets take another look at the addresses we got before.
488099 <- Computer and Human player health decrement routine
Now we want to find an address that uses the same resources for both human and AI characters.
There are a few but I have picked address 488099. Now I hope I really don't have to explain
how you find this.
So this is where we want to make our jump; here's my code.
offset 488099 <- Declare our offset
jmp 10ad7 <- Jump to our codecave
nop <- Single nop to even out code
offset 10ad7 <- Declare our codecave address
cmp eax,[822338] <- We compare the eax register with our address 822338 where we stored our health pointer before.
je @Human <- Jump if equal to Human (if it's us, jump to infinite health script)
mov dword ptr [eax+0x28],0x0 <- Else kill it if it's not us
mov ecx,[eax+0x28] <- Original instruction. When executed kills the AI character.
add ecx,[ebp+0x8] <- Original instruction
jmp 48809f <- Jump back to game code
@Human: <- Our infinite health label.
mov dword ptr [eax+0x28],0xFFF <- If the contents of eax was our health pointer we then move FFF into [eax+0x28]
mov ecx,[eax+0x28] <- Original instruction. When executed gives us infinite health.
add ecx,[ebp+0x8] <- Original instruction
jmp 48809f <- Jump back to game (this being the address under what we nopped earlier).
So basically the instruction at 488099, mov ecx,[eax+0x28]:
[eax+0x28] can either be our health pointer base or the enemy's, so by
comparing eax with our health's static address we can now be content that
only we will get the benefits.
So the whole finishing script would look like this.
mov dword ptr [eax+0x28],0x0
mov dword ptr [eax+0x28],0xFFF
And then in EasyWrite just click on the TMK Button script and it will give you the bytes you
need to use in order to incorporate this into a trainer.
To all I know and everyone in #gamehacking EFNET
Well, till next time. Recifense
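The reason the pointer comparison in the second script works is that the display routine only ever runs with EDX equal to the human player's entity base, while the routine at 488099 runs for every entity. The following C program is an added model of that logic, not code from the post or from the game: the entity layout (health at base+0x28, everything before it as placeholder padding), the saved-pointer variable standing in for the 822338 cave, and the damage value standing in for [ebp+0x8] are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the entity layout the tutorial infers. The only fact
 * taken from the post is that health is read as [base+0x28]; the padding
 * size and field names are placeholders. */
typedef struct {
    uint8_t unknown[0x28];   /* constructed: whatever precedes health */
    int32_t health;          /* read by the game as [edx+0x28] / [eax+0x28] */
} entity_t;

/* Stands in for the code cave at 822338 that the first script writes EDX into. */
static entity_t *g_human_entity = NULL;

/* Models the display-routine hook (4a7512): that routine only ever runs with
 * EDX = the human player's entity, so saving EDX yields a static pointer. */
void display_hook(entity_t *edx) {
    g_human_entity = edx;
}

/* Models the shared routine at 488099 before patching:
 *   mov ecx,[eax+0x28] ; add ecx,[ebp+0x8]
 * ECX becomes current health plus the signed delta the caller supplies. */
int32_t decrement_original(entity_t *eax, int32_t ebp_8) {
    return eax->health + ebp_8;
}

/* Models the patched routine: compare EAX with the saved human pointer,
 * store 0xFFF for the human and 0 for anyone else, then run the originals. */
int32_t decrement_hooked(entity_t *eax, int32_t ebp_8) {
    if (eax == g_human_entity) {
        eax->health = 0xFFF;   /* @Human branch */
    } else {
        eax->health = 0;       /* "else kill it" branch */
    }
    return eax->health + ebp_8;
}

/* Plays the tutorial's scenario: the human is shot, then an enemy is shot.
 * Returns 1 if the hook treated the two entities differently as described, 0 otherwise. */
int scenario(void) {
    entity_t human = { .health = 100 };
    entity_t enemy = { .health = 100 };
    int32_t damage = -35;   /* constructed value standing in for [ebp+0x8] */

    display_hook(&human);   /* the display routine runs for the human only */

    /* Without the patch both entities take ordinary damage. */
    if (decrement_original(&human, damage) != 65) return 0;
    if (decrement_original(&enemy, damage) != 65) return 0;

    /* With the patch, ECX is 0xFFF + damage for the human and 0 + damage for the enemy. */
    if (decrement_hooked(&human, damage) != 0xFFF + damage) return 0;
    if (decrement_hooked(&enemy, damage) != damage) return 0;
    return human.health == 0xFFF && enemy.health == 0;
}

int main(void) {
    printf("hook distinguishes human from AI: %s\n", scenario() ? "yes" : "no");
    return 0;
}
```

The comparison is the whole trick: both entities pass through the same routine, so without a reliable way to tell the human's base pointer from the AI's the patch would affect everyone, which is why the tutorial first captures EDX from a routine that only runs for the human.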
Posted 25 July 2012 - 10:59 AM
Nice contribution. SoftICE, those were the days. Although there are fine replacements for SoftICE.
Posted 25 July 2012 - 07:15 PM
Like what? IDA is impossible and Olly keeps killing my PC.
Posted 26 July 2012 - 01:47 AM
Welcome Recifense, that is if you really are the Recifense that we know on CEF. I wonder because the tut you posted as yours isn't actually yours. It's by a friend of mine from Extalia called Shinero who wrote it ages ago.
This tut has actually been posted here at http://deviatedhacki...tant-kill-hack/ and GH.com as well.
So care to explain why you are calling this tut yours?
Posted 26 July 2012 - 04:12 AM
I don't call this my tut. I just benefited from the tut so I decided to share it, and I am a friend of Recifense too. I love his name so I use it, and I took his permission, so don't worry.
Posted 28 July 2012 - 11:46 AM
IDA is primarily a disassembler, not a debugger. Olly is the best choice when it comes to debugging today.
Posted 28 July 2012 - 08:58 PM
The good old days when you were guaranteed that 10abf and onwards was free space for your code injections.
Not the case today.
Posted 29 July 2012 - 05:41 PM
What replacements, if you don't mind me asking?
Posted 02 August 2012 - 07:18 PM
There is also WinDbg, and I've heard good things about it. It isn't as friendly though, last I checked, so not really that popular.