In this tutorial we'll be looking at instant-kill hacks and one of the methods of achieving them:
turning our health pointer into a static address. First we search for a bit of code that uses our
health pointer and only ever points to us, e.g. a display routine. Then we find a point in the game
where the computer's characters go through the same code as we do, and that is where we inject our
code.
Part 1
Target – Chicago 1930 v1.0
First we need to find a place in the game where we can capture the register holding our health
pointer, turn it into a static address and store it in an empty code cave. So fire up Chicago 1930
and do an inc/dec search until we get the address of our health. Let's put a rw breakpoint on it in
T-Search. Go back to the game and get shot. T-Search should now list the nine addresses below.
541009
4a7512 <-Display routine
488099 <-Computer and Human player health decrement routine
4880a2
4880a8
4880c3
4880dd
51cb37
51cb6a
Fire up SoftICE and go back to the game. Let's place an execution breakpoint on that address,
so bpx 4a7512, and get shot. SoftICE should pop. Now dump the memory at edx+0x28: d edx+28.
Look at the dump window: that address is our health address. Go back to the game and shoot an
enemy. SoftICE should pop again; take another look. Has it changed? No, it still equals our
health address. Excellent: we have found a pointer that always points to our health and is never
used for the computer's characters. This is where we want to turn our health pointer into a
static address. So go back to T-Search: 4a7512 is where we make our jump. Here's my EasyWrite
script; I'll explain everything in a minute. If you've got this game you should be able to
understand what's going on anyway.
offset 4a7512
jmp 10abf <- Make our jump to the code cave
nop <- 4 nops to pad out the 9 bytes we overwrite (5-byte jmp + 4 nops)
nop
nop
nop
offset 10abf
mov eax,[edx+0x28] <- Recreate original instruction (EDX is the base pointer, +0x28 is our health)
mov [00822338],edx <- Store EDX, our base pointer, at the static code-cave address 822338
mov [ebp-0xe8],eax <- Recreate original instruction (if you leave this out the game will crash)
jmp 4a751b <- Code finished: jump back to the first untouched instruction in the game code
Now, since this is a display routine it runs continuously, so our code gets executed every time
the display updates. EDX here always points to our own character, because this display code is
only ever run for us (we checked that above), and by copying it into the code cave at 822338 we
have turned that dynamic pointer into a static address. So for as long as we are playing, [822338]
holds our base pointer (the value of EDX), and our health is at that base + 0x28.
Part 2.
Let's take another look at the addresses we got before.
541009
4a7512
488099 <- Computer and human player health decrement routine
4880a2
4880a8
4880c3
4880dd
51cb37
51cb6a
Now we want to find an address that goes through the same code for both human and AI characters.
There are a few, but I have picked 488099. I hope I don't really have to explain how you find this:
it's the same check as in Part 1. bpx 488099, then look at what eax+0x28 points to when we get shot
and when we shoot an enemy; it's our health address in the first case and the enemy's in the second.
So this is where we want to make our jump. Here's my code.
offset 488099 <- Declare our offset
jmp 10ad7 <- Jump to our code cave
nop <- Single nop to pad out the 6 bytes we overwrite (5-byte jmp + 1 nop)
offset 10ad7 <- Declare our code-cave address
cmp eax,[822338] <- Compare EAX with the base pointer we stored at 822338 in Part 1
je @Human <- Equal means it's us: jump to the infinite-health label
mov dword ptr [eax+0x28],0x0 <- Not us, so kill it: set the enemy's health to 0
mov ecx,[eax+0x28] <- Original instruction, now loads the zeroed health
add ecx,[ebp+0x8] <- Original instruction
jmp 48809f <- Jump back to game code
@Human: <- Our infinite-health label
mov dword ptr [eax+0x28],0xFFF <- EAX was our base pointer, so reset our health to FFF before the game applies the hit
mov ecx,[eax+0x28] <- Original instruction, now loads FFF
add ecx,[ebp+0x8] <- Original instruction (the decrement still happens, but from a full FFF every time, so it never runs out)
jmp 48809f <- Jump back to the game (the first instruction after the bytes we overwrote)
So basically the instruction at 488099, mov ecx,[eax+0x28], loads a health value, and
[eax+0x28] can be either our health or an enemy's depending on whose base pointer is in EAX.
By comparing EAX with our base pointer, saved at the static address 822338, we can be sure that
only we get the benefits and everyone else gets zeroed.
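To make the two halves of the logic concrete, here is a host-side model of both hooks in C. This is an added example, not the tutorial's script and not the game's code: the entity layout (padding before a 32-bit health at base+0x28), the damage value, and the names display_hook, damage_hook and g_player_base are assumptions for illustration. It also handles one case the script above does not: a hit that arrives before the display routine has stored our pointer, while [822338] is still empty.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the two hooks (added example, not the tutorial's script).
 * Assumed layout: the only fact taken from the tutorial is that a character's
 * health is a 32-bit value at base+0x28. */
struct entity {
    uint8_t pad[0x28];   /* unknown fields before health (assumed padding) */
    int32_t health;      /* [base+0x28] in the game */
};

/* Plays the role of the code cave at 822338: the player's base pointer. */
static struct entity *g_player_base = NULL;

/* Hook 1, the display routine at 4a7512 in the tutorial. It only ever runs
 * with the player's base pointer in EDX, so saving that pointer turns the
 * dynamic pointer into a static address. */
static int32_t display_hook(struct entity *edx)
{
    int32_t eax = edx->health;   /* mov eax,[edx+0x28]  (original) */
    g_player_base = edx;         /* mov [00822338],edx  (injected) */
    return eax;                  /* mov [ebp-0xe8],eax  (original) */
}

/* Hook 2, the shared decrement routine at 488099. It runs for every character,
 * with the character's base pointer in EAX and the hit value at [ebp+8]. */
static int32_t damage_hook(struct entity *eax, int32_t ebp_8)
{
    if (g_player_base == NULL) {
        /* Not in the tutorial's script: before the display hook has run once
         * the slot is empty, the compare fails for everyone, and the player
         * would be zeroed like an enemy. Here we leave health untouched. */
    } else if (eax == g_player_base) {
        eax->health = 0xFFF;     /* @Human: mov dword ptr [eax+0x28],0xFFF */
    } else {
        eax->health = 0;         /* mov dword ptr [eax+0x28],0x0 */
    }
    int32_t ecx = eax->health;   /* mov ecx,[eax+0x28]  (original) */
    ecx += ebp_8;                /* add ecx,[ebp+0x8]   (original) */
    return ecx;                  /* the game uses this later; modelled as a return */
}

struct round_result {
    int32_t player_health, enemy_health;   /* [base+0x28] after the hook */
    int32_t player_ecx, enemy_ecx;         /* value the original code goes on to use */
};

/* One "round": the display routine draws the player, then the player and an
 * enemy each take a 30-point hit through the shared routine (constructed data). */
struct round_result simulate_round(void)
{
    struct entity player = { {0}, 100 }, enemy = { {0}, 100 };
    struct round_result r;
    g_player_base = NULL;
    display_hook(&player);
    r.player_ecx = damage_hook(&player, -30);
    r.enemy_ecx  = damage_hook(&enemy, -30);
    r.player_health = player.health;
    r.enemy_health  = enemy.health;
    return r;
}

/* The edge case: a hit arrives before the display routine has captured us. */
int32_t health_after_early_hit(void)
{
    struct entity player = { {0}, 100 };
    g_player_base = NULL;
    damage_hook(&player, -30);
    return player.health;   /* unchanged: the hook declined to guess */
}

int main(void)
{
    struct round_result r = simulate_round();
    printf("player: health=0x%x ecx=%d  enemy: health=0x%x ecx=%d\n",
           r.player_health, r.player_ecx, r.enemy_health, r.enemy_ecx);
    printf("early hit leaves health at %d\n", health_after_early_hit());
    return 0;
}
```

With the script exactly as written, an empty slot at 822338 never matches EAX, so until the display routine has run once every character, ourselves included, takes the enemy branch. The display routine runs constantly, so that window is tiny when the hooks are applied to a running game, but it is worth knowing about if a trainer writes the patch before the player has been drawn.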
So the whole finished script looks like this.
offset 4a7512
jmp 10abf
nop
nop
nop
nop
offset 10abf
mov eax,[edx+0x28]
mov [00822338],edx
mov [ebp-0xe8],eax
jmp 4a751b
offset 488099
jmp 10ad7
nop
offset 10ad7
cmp eax,[822338]
je @Human
mov dword ptr [eax+0x28],0x0
mov ecx,[eax+0x28]
add ecx,[ebp+0x8]
jmp 48809f
@Human:
mov dword ptr [eax+0x28],0xFFF
mov ecx,[eax+0x28]
add ecx,[ebp+0x8]
jmp 48809f
Then in EasyWrite just click the TMK Button script and it will give you the bytes you need
in order to incorporate this into a trainer.
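EasyWrite's TMK button does the byte encoding for you. As an added example (my own code, not EasyWrite's and not part of the original tutorial), here is the same encoding done by hand in C, so you can check the bytes in your trainer against the script. It assumes the script's addresses are the virtual addresses the trainer writes to, and it takes the lengths of the displaced instructions (3 + 6 bytes at 4a7512, 3 + 3 bytes at 488099) from the script's own jump-back targets; encode_detour and detour_target are names I chose.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not EasyWrite's own code: the bytes a trainer must write for
 * each "offset X / jmp Y / nop..." stanza in the script. A near jmp is E9
 * followed by a little-endian 32-bit displacement relative to the end of the
 * jmp itself, i.e. target - (from + 5). Assumed: the script's addresses are
 * the virtual addresses the trainer patches. */

/* Builds the patch for a jmp from `from` to `to` that displaces exactly the
 * instructions whose lengths are listed in `lens`, padding the rest with NOPs
 * (0x90) so no partial instruction is left behind. Returns the patch length,
 * or 0 when the displaced instructions are too short to hold a 5-byte jmp
 * (you would have to displace one more) or the output buffer is too small. */
size_t encode_detour(uint32_t from, uint32_t to,
                     const uint8_t *lens, size_t n_lens,
                     uint8_t *out, size_t out_cap)
{
    size_t total = 0;
    for (size_t i = 0; i < n_lens; i++)
        total += lens[i];
    if (total < 5 || total > out_cap)
        return 0;

    uint32_t rel = to - (from + 5);   /* wraps mod 2^32, so backward jumps work */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    for (size_t i = 5; i < total; i++)
        out[i] = 0x90;
    return total;
}

/* Recovers the jump target from a patch, to check the bytes before using them. */
uint32_t detour_target(uint32_t from, const uint8_t *patch)
{
    uint32_t rel = (uint32_t)patch[1] | ((uint32_t)patch[2] << 8) |
                   ((uint32_t)patch[3] << 16) | ((uint32_t)patch[4] << 24);
    return from + 5 + rel;
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%-8s", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", p[i]);
    printf("\n");
}

int main(void)
{
    uint8_t patch[16];
    /* Hook 1: 4a7512 -> 10abf, displacing mov eax,[edx+0x28] (3 bytes) and
     * mov [ebp-0xe8],eax (6 bytes): 5-byte jmp plus four NOPs. */
    static const uint8_t hook1[] = { 3, 6 };
    size_t n = encode_detour(0x4a7512, 0x10abf, hook1, 2, patch, sizeof patch);
    hexdump("4a7512:", patch, n);
    /* Hook 2: 488099 -> 10ad7, displacing mov ecx,[eax+0x28] (3 bytes) and
     * add ecx,[ebp+0x8] (3 bytes): 5-byte jmp plus one NOP. */
    static const uint8_t hook2[] = { 3, 3 };
    n = encode_detour(0x488099, 0x10ad7, hook2, 2, patch, sizeof patch);
    hexdump("488099:", patch, n);
    return 0;
}
```

The NOP count is not a style choice: the patch must end on an instruction boundary, because the code after the jmp back (4a751b and 48809f in the script) is reached by the game's own control flow, and a half-overwritten instruction there would be executed as garbage.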
Greetz:-
To all I know and everyone in #gamehacking EFNET
Well, till next time.