


Instant Kill hacks

12 posts in this topic

Posted

Basic Summary

In this tutorial we'll be looking at instant kill hacks and one of the methods to achieve this.

We will be turning health into static to accomplish this.

You search for a bit of code that stores our health pointer, e.g. a display routine that only points to us. Then we find a point in the game where the computer uses the same resources as we do, and we then inject our code.

Part 1

Target – Chicago 1930 v1.0

First we need to find a place in the game where we can turn our health register into a static address and store it in an empty code cave. So fire up Chicago 1930 and do an inc/dec search until we get our static address for health. Let's put a r/w breakpoint on it in T-Search. Go back to the game and get shot. In T-Search you should now have eight addresses listed below.

541009
4a7512 <- Display routine
488099 <- Computer and Human player health decrement routine
4880a2
4880a8
4880c3
4880dd
51cb37
51cb6a

Fire up SoftICE and go back to the game. Let's place an execution breakpoint on this address. So bpx 4a7512, get shot, and SoftICE should pop. Now dump the contents of edx+0x28, so d edx+28. Now let's take a look in the dump window: it is equal to our health address. So OK, go back to the game and shoot an enemy. SI should pop; take another look, has it changed? No, it still equals our health address. Excellent, we have found our health address pointer, which will always point to our health and will never be used by the computer. This is where we want to turn our health pointer into static. So OK, go back to T-Search: 4a7512 is where we want to make our jump. Here's my easywrite script; I'll explain everything in a minute. If you've got this game you should be able to easily understand what's going on anyway.

offset 4a7512
jmp 10abf <- Make our jump
nop <- 4 nops to even out the code
nop
nop
nop
offset 10abf
mov eax,[edx+0x28] <- Recreate original instruction (EDX being a base pointer, +28 = our health)
mov [00822338],edx <- Move the value of edx to codecave 822338 (so we move this to 822338)
mov [ebp-0xe8],eax <- Recreate original instruction (if you don't do this the game will crash)
jmp 4a751b <- Jump back to original code (code finished; jump back to main game code)

Now, seeing as this is a display routine, it is continuously updating. So our code will get executed every millisecond. Here we have taken our health register/pointer, which will always point to us only, seeing as it's a display routine, and we've turned it into a static address. We have moved the contents of edx into an empty codecave at address 822338. So now (822338) will always hold our static health address -28, or register EDX, as long as we're playing the game :).

Part 2.

Let's take another look at the addresses we got before.

541009
4a7512
488099 <- Computer and Human player health decrement routine
4880a8
4880c3
4880dd
51cb37
51cb6a

Now we want to find an address that uses the same resources for both human and AI characters. There are a few, but I have picked address 488099. Now I hope I really don't have to explain how you find this :)

So this is where we want to make our jump; here's my code.

offset 488099 <- Declare our offset
jmp 10ad7 <- Jump to our codecave
nop <- Single nop to even out code
offset 10ad7 <- Declare our codecave address
cmp eax,[822338] <- We compare the eax register with our address 822338 where we stored our health pointer before
je @Human <- Jump if equal to Human (if it's us, jump to infinite health script)
mov dword ptr [eax+0x28],0x0 <- Else kill it if it's not us
mov ecx,[eax+0x28] <- Original instruction; when executed, kills the AI character
add ecx,[ebp+0x8] <- Original instruction
jmp 48809f <- Jump back to game code
@Human: <- Our infinite health label
mov dword ptr [eax+0x28],0xFFF <- If the contents of eax was our health pointer we then move FFF into [eax+0x28]
mov ecx,[eax+0x28] <- Original instruction; when executed, gives us infinite health
add ecx,[ebp+0x8] <- Original instruction
jmp 48809f <- Jump back to game (this being the address after what we nopped earlier)

So basically, for the instruction at 488099, mov ecx,[eax+0x28], [eax+0x28] can either be our health pointer base or the enemy's, so by comparing eax with our health 2 static address we can now be content that only we will get the benefits.

So the whole finishing script would look like this.

offset 4a7512
jmp 10abf
nop
nop
nop
nop
offset 10abf
mov eax,[edx+0x28]
mov [00822338],edx
mov [ebp-0xe8],eax
jmp 4a751b
offset 488099
jmp 10ad7
nop
offset 10ad7
cmp eax,[822338]
je @Human
mov dword ptr [eax+0x28],0x0
mov ecx,[eax+0x28]
add ecx,[ebp+0x8]
jmp 48809f
@Human:
mov dword ptr [eax+0x28],0xFFF
mov ecx,[eax+0x28]
add ecx,[ebp+0x8]
jmp 48809f

And then in easywrite just click on the TMK Button script and it will give you the bytes you need to use in order to incorporate this into a trainer.

Greetz:-

To all I know and everyone in #gamehacking EFNET

Well till next time :) Recifense

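The "TMK Button" step above is where easywrite turns the script into raw bytes. As an added example (not part of the post and not easywrite's code), the C below does that arithmetic for the two hooks in the tutorial: a 5-byte E9 rel32 jmp padded with NOPs to the length of the instructions it displaces, plus the address the cave must jump back to, and the inverse decode that an integrity scanner applies when it finds an unexpected E9 at a known code location. It assumes 32-bit x86 and that the displaced instructions are 9 bytes at 4a7512 and 6 bytes at 488099, which is consistent with the post's 4 and 1 NOPs and its jump-back addresses 4a751b and 48809f.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the post). 32-bit x86: E9 rel32 = 5-byte jmp, 0x90 = NOP. */
#define JMP_LEN 5

/* Bytes written over hook_addr: jmp cave_addr, then NOPs up to the length of
 * the original instructions that the jmp displaces (the "nops to even out the
 * code").  Returns the patch length, or 0 if a 5-byte jmp does not fit. */
size_t encode_hook(uint32_t hook_addr, uint32_t cave_addr,
                   size_t displaced_len, uint8_t *out, size_t out_cap)
{
    if (displaced_len < JMP_LEN || out_cap < displaced_len)
        return 0;
    /* rel32 is relative to the end of the jmp itself; unsigned wrap-around
     * yields the negative displacement for a cave below the hook address. */
    uint32_t rel = cave_addr - (hook_addr + JMP_LEN);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));  /* little-endian */
    memset(out + JMP_LEN, 0x90, displaced_len - JMP_LEN);
    return displaced_len;
}

/* Address the cave must jmp back to: first instruction after the displaced
 * ones (4a7512 + 9 = 4a751b, 488099 + 6 = 48809f in the post). */
uint32_t return_addr(uint32_t hook_addr, size_t displaced_len)
{
    return hook_addr + (uint32_t)displaced_len;
}

/* Inverse: where does an E9 jmp at addr go?  This is the check an integrity
 * scanner performs when it sees an unexpected E9 at a known code location. */
uint32_t decode_jmp_target(uint32_t addr, const uint8_t *bytes)
{
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)bytes[1 + i] << (8 * i);
    return addr + JMP_LEN + rel;
}

int main(void)
{
    uint8_t buf[16];
    size_t n = encode_hook(0x4a7512, 0x10abf, 9, buf, sizeof buf);
    for (size_t i = 0; i < n; i++) printf("%02X ", buf[i]);
    printf("-> cave returns to %x\n", return_addr(0x4a7512, 9));
    return 0;
}
```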

Posted

Nice share man ;)


Posted

Nice contribution. SoftICE, those were the days. Although there are fine replacements for SoftICE.

Posted

like what.... IDA is impossible and olly keeps killing my PC :blink::ph34r: :ph34r:


Posted

Welcome Recifense, that is if you really are the Recifense that we know on CEF. I wonder because the tut you posted as yours isn't actually yours. It's by a friend of mine from extalia called Shinero, who wrote it ages ago.

This tut has actually been posted here at http://deviatedhacking.com/index.php/topic/829-one-hit-kill-instant-kill-hack/ and GH.com as well.

So care to explain why you are calling this tut yours?

Posted

I don't call this my tut, I just benefit from the tut so I decided to share it, and I am a friend of Recifense too, I love his name so I use it :D :D :D and took his permission, so don't worry :blush:

Posted

like what.... IDA is impossible and olly keeps killing my PC :blink::ph34r: :ph34r:

IDA is primarily a disassembler, not a debugger. Olly is the best choice when it comes to debugging today.

Posted

The good old days when you were guaranteed that 10abf and onwards was free space for your code injections :P

Not the case today :(


Posted

Nice contribution. SoftICE, those were the days. Although there are fine replacements for SoftICE.

What replacements, if you don't mind me asking? :)

Posted

Yes, still waiting ......


Posted

Olly, as I already mentioned above.


Posted

There is also WinDbg, and I've heard good things about it. It isn't as friendly though, last I checked, so not really that popular.
