Instant Kill hacks


11 replies to this topic

#1 Recifense

Recifense

    n00b

  • n00b
  • 2 posts

Posted 24 July 2012 - 04:07 PM


Basic Summary

In this tutorial we'll be looking at instant kill hacks and one of the methods to achieve this.
We will be turning health into static to accomplish this.

You search for a bit of code that stores our health pointer, e.g. a display routine that only
points to us. Then we find a point in the game where the computer uses the same resources as we
do, and we inject our code there.

Part 1

Target – Chicago 1930 v1.0
First we need to find a place in the game where we can turn our health register into a static
address and store it into an empty code cave. So fire up Chicago 1930 and do an inc/dec
search till we get our static address for health. Let's put a rw breakpoint on it in T-Search.
Go back to the game and get shot. In T-Search you should now have eight addresses listed below.

541009
4a7512 <-Display routine
488099 <-Computer and Human player health decrement routine
4880a2
4880a8
4880c3
4880dd
51cb37
51cb6a

Fire up SoftICE and go back to the game. Let's place an execution breakpoint on this address.
So bpx 4a7512, get shot, and SoftICE should pop. Now dump the contents of edx+0x28, so d edx+28.
Now let's take a look in the dump window: it is equal to our health address. So go back to the
game and shoot an enemy. SI should pop; take another look. Has it changed? No, it still equals our
health address. Excellent, we have found our health address pointer, which will always point to our
health and will never be used by the computer. This is where we want to turn our health pointer
into static. So go back to T-Search: 4a7512 is where we want to make our jump. Here's my
easywrite script; I'll explain everything in a minute. If you've got this game you should be able
to easily understand what's going on anyway.

offset 4a7512

jmp 10abf <-Make our jump
nop <-4 nops to even out the code
nop
nop
nop
offset 10abf
mov eax,[edx+0x28] <-Recreate original instruction (EDX being a base pointer +28 = Our health)
mov [00822338],edx <-Move the value of edx to codecave 822338 (So we move this to 822338)
mov [ebp-0xe8],eax <-Recreate original instruction (If you don’t do this the game will crash)
jmp 4a751b <-Jump back to original code. (Code finished. Jump back to main Game code)

Now, seeing as this is a display routine, it is continuously updating, so our code will get
executed every millisecond. Here we have taken our health register/pointer, which will always point to us
only, seeing as it's a display routine, and turned it into a static address. We have moved
the contents of edx into an empty codecave at address 822338. So now (822338) will always
hold our static health address -28, i.e. register EDX, as long as we're playing the game :).

Part 2.

Lets take another look at the addresses we got before.

541009
4a7512
488099 <--- Computer and Human player health decrement routine 488099
4880a8
4880c3
4880dd
51cb37
51cb6a

Now we want to find an address that uses the same resources for both human and AI characters.
There are a few, but I have picked address 488099. Now I hope I really don't have to explain
how you find this :)

So this is where we want to make our jump here’s my code.

offset 488099 <- Declare our offset
jmp 10ad7 <- Jump to our codecave
nop <- Single nop to even out code
offset 10ad7 <- Declare our codecave address
cmp eax,[822338] <- We compare the eax register with our address 822338 where we stored our health pointer before.
je @Human <- Jump if equal to Human. (If us jump to infinite health script)
mov dword ptr [eax+0x28],0x0 <- Else Kill it if its not us
mov ecx,[eax+0x28] <- Original Instruction. When Executed kills the AI character.
add ecx,[ebp+0x8] <- Original Instruction
jmp 48809f <- Jump back to game code
@Human: <- Our infinite Health label.
mov dword ptr [eax+0x28],0xFFF <- If the contents of eax was our health pointer we then move FFF into [eax+0x28]
mov ecx,[eax+0x28] <- Original instruction When Executed gives us infinite Health
add ecx,[ebp+0x8] <- Original instruction
jmp 48809f <- Jump back to game (This being the address under what we nopped earlier).

So basically, for the instruction at 488099, mov ecx,[eax+0x28], [eax+0x28] can either be our
health pointer base or the enemy's, so by comparing eax with our health's static address we can
now be content that only we will get the benefits.

So the whole finishing script would look like this.

offset 4a7512
jmp 10abf
nop
nop
nop
nop
offset 10abf
mov eax,[edx+0x28]
mov [00822338],edx
mov [ebp-0xe8],eax
jmp 4a751b
offset 488099
jmp 10ad7
nop
offset 10ad7
cmp eax,[822338]
je @Human
mov dword ptr [eax+0x28],0x0
mov ecx,[eax+0x28]
add ecx,[ebp+0x8]
jmp 48809f
@Human:
mov dword ptr [eax+0x28],0xFFF
mov ecx,[eax+0x28]
add ecx,[ebp+0x8]
jmp 48809f

And then in easywrite just click on TMK Button script and it will give you the bytes you
need to use in order to incorporate this into a trainer.


Greetz:-
To all I know and everyone in #gamehacking EFNET

Well till next time :) Recifense
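Added example (editor's code, not part of Recifense's post or of any tool named in the thread): the defender-side counterpart of the two patch sites above, a code-integrity check written in Python. It assumes the standard x86-32 encodings of the instructions quoted in the post (8B 42 28 / 89 85 18 FF FF FF at 4a7512 and 8B 48 28 / 03 4D 08 at 488099, whose lengths of 9 and 6 bytes are exactly what the jmp-plus-nop padding in the script replaces), an assumed code section of 0x401000-0x560000 for the game module, and a constructed sparse image in place of a real memory dump. It records a baseline hash of each site, then reports any site whose bytes changed; where the new bytes begin with a 5-byte E9 jmp it decodes the target and flags whether it lies outside the module's code section, which is what the code caves at 10abf and 10ad7 do.

```python
"""Added example: code-integrity check for the two patch sites described in the post.

Everything here is constructed for illustration; the byte image is not a dump of the game.
"""
import hashlib
import struct

# Assumed bounds of the game's executable code section. The tutorial's code caves at
# 0x10abf / 0x10ad7 lie well below any 0x400000 image base, so they fall outside.
TEXT_START, TEXT_END = 0x401000, 0x560000

# Original instruction bytes at each protected site, using the standard x86-32
# encodings of the instructions quoted in the post.
SITES = {
    0x4A7512: bytes.fromhex("8B4228" + "898518FFFFFF"),  # mov eax,[edx+0x28] ; mov [ebp-0xe8],eax (9 bytes)
    0x488099: bytes.fromhex("8B4828" + "034D08"),        # mov ecx,[eax+0x28] ; add ecx,[ebp+0x8]  (6 bytes)
}


def make_reader(patched):
    """Build a read(addr, n) callable over a constructed sparse image of the two sites."""
    mem = {addr: bytes(orig) for addr, orig in SITES.items()}
    if patched:
        # Reproduce the post's easywrite patch as test input: a 5-byte relative jmp to the
        # code cave, padded with nops so the replaced instructions' total length is kept.
        for addr, cave in ((0x4A7512, 0x10ABF), (0x488099, 0x10AD7)):
            size = len(SITES[addr])
            rel = cave - (addr + 5)
            mem[addr] = b"\xE9" + struct.pack("<i", rel) + b"\x90" * (size - 5)

    def read(addr, n):
        return mem[addr][:n]

    return read


def baseline_hashes(read):
    """Record a SHA-256 of every protected site from a known-good image."""
    return {addr: hashlib.sha256(read(addr, len(orig))).hexdigest()
            for addr, orig in SITES.items()}


def decode_rel_jmp(code, addr):
    """Return the absolute target if code starts with a 5-byte E9 jmp, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def check_sites(read, baseline):
    """Compare each site against its baseline; return (addr, kind, detail) findings."""
    findings = []
    for addr, orig in SITES.items():
        current = read(addr, len(orig))
        if hashlib.sha256(current).hexdigest() == baseline[addr]:
            continue
        target = decode_rel_jmp(current, addr)
        if target is None:
            findings.append((addr, "modified", current.hex()))
        elif TEXT_START <= target < TEXT_END:
            findings.append((addr, "hook_inside_text", target))
        else:
            findings.append((addr, "hook_outside_text", target))
    return findings


if __name__ == "__main__":
    baseline = baseline_hashes(make_reader(patched=False))
    for addr, kind, detail in check_sites(make_reader(patched=True), baseline):
        detail = hex(detail) if isinstance(detail, int) else detail
        print(f"{addr:#x}: {kind} -> {detail}")
```

Record the baseline from the clean image first; against the patched image both sites come back as hooks whose decoded targets (0x10abf and 0x10ad7) fall outside the assumed code section. A site that was overwritten with something other than a relative jmp is still reported, just as "modified" with its raw bytes.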

#2 iNTANGiBLE

iNTANGiBLE

    Deviater

  • DEViATERS
  • 1,586 posts

Posted 25 July 2012 - 07:56 AM

Nice share man ;)

#3 Veggy

Veggy

    Tamed

  • Full Members
  • 59 posts

Posted 25 July 2012 - 10:59 AM

Nice contribution. SoftICE those were the days. Although there are fine replacements of Softice.

#4 Cooperb

Cooperb

    Experienced Member

  • [VIP] Members
  • 366 posts

Posted 25 July 2012 - 07:15 PM

like what.... IDA is impossible and olly keeps killing my PC :blink: :ph34r: :ph34r:

#5 STN

STN

    Founder

  • The G-Man
  • 5,598 posts

Posted 26 July 2012 - 01:47 AM

Welcome Recifense, that is if you really are the Recifense that we know on CEF. I wonder because the tut you posted as yours isn't actually yours. It's of a friend of mine from extalia called Shinero who wrote it ages ago.

This tut has actually been posted here at http://deviatedhacki...tant-kill-hack/ and GH.com as well.

So care to explain why you are calling this tut yours ?.

#6 Recifense

Recifense

    n00b

  • n00b
  • 2 posts

Posted 26 July 2012 - 04:12 AM

I don't call this my tut; I just benefited from the tut so I decided to share it, and I am a friend of Recifense too. I love his name so I use it :D :D :D and I took his permission, so don't worry :blush:

#7 emptieness

emptieness

    dEViATED TESTER

  • Full Members
  • 80 posts

Posted 28 July 2012 - 11:46 AM

like what.... IDA is impossible and olly keeps killing my PC :blink: :ph34r: :ph34r:

IDA is primarily a disassembler, not a debugger. Olly is the best choice when it comes to debugging today.

#8 DABhand

DABhand

    Experienced Member

  • Full Members
  • 168 posts

Posted 28 July 2012 - 08:58 PM

The good old days when you were guaranteed that 10abf and onwards was free space for your code injections :P

Not the case today :(

#9 genuine

genuine

    Experienced Member

  • Administrator
  • 169 posts

Posted 29 July 2012 - 05:41 PM

Nice contribution. SoftICE those were the days. Although there are fine replacements of Softice.


What replacements, if you don't mind me asking? :)

#10 Cooperb

Cooperb

    Experienced Member

  • [VIP] Members
  • 366 posts

Posted 02 August 2012 - 09:46 AM

Yes, still waiting ......

#11 emptieness

emptieness

    dEViATED TESTER

  • Full Members
  • 80 posts

Posted 02 August 2012 - 01:04 PM

Olly, as I already mentioned above.

#12 STN

STN

    Founder

  • The G-Man
  • 5,598 posts

Posted 02 August 2012 - 07:18 PM

There is also WinDbg and I've heard good things about it. It isn't as friendly though, last I checked, so not really that popular.


