Sunday, October 19, 2008

[Advanced]::how to make complete god mode::[eXtreme]

author:[eXtreme]

date:2008/10/07

subject:finding complete god mode in games

difficulty:advanced

tools:cheat engine 5.4

please, if you want to post this tut on other sites, give me credit and link to extalia.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
today i show you how to make complete god mode in games.
what is complete god mode?
simple: if you don't get any hit or damage at all, then we can call this complete god mode.
so how do we find it?
1. find the health address
2. debug it
3. look in memory to find a check that deals with hits and damages.
check?
well, this is a simple check that deals with the damage and hits we get. if you can find it and disable it, then there is our complete god mode.
now lets find it.
for this i use Call Of Duty 4: Modern Warfare as example, but with this tut you should be able to do it on other games as well. (please note that i installed the latest cod 4 patch.)
first find your health. i'm sure you know how to find it.
then debug your health in ce: right click on your address and select "find out what writes to this address". then go back in game and lose some health.
now you should see this opcode in your debug window:

004ae8de - 89 95 44 01 00 00 - mov [ebp+00000144],edx

in the debug window click "show disassembler". now you should see the whole memory view window with opcodes.
now highlight the opcode you got.

now where is that fucking check?
you see the ebp reg? in here ebp points at our health (the write goes to [ebp+00000144]).
simply scroll up in memory view until where the code starts.


look we found it!


now how do we know the code starts here?
simply scroll up a bit again and you see this:


there is no code before sub esp, so our code starts from sub esp. if there are some opcodes right before sub esp which belong to it, then you need to scroll up again until you find the real start address. please note that no opcode should belong to the routine before that; if there is one, scroll up again.
now you see that compare and the conditional jump "je".


in here, what does that compare do?
simple: if the cmp is true then the conditional jump "je" jumps to 4aea8d, if not then it falls through.
now why does it jump to 4aea8d?
lets find out. go to this address in memory view: "4aea8d"


it jumps to here if the compare is true, and then returns to where the routine was called from.
now back to that compare.


now change that je 004aea8d to jmp 004aea8d. the je is 6 bytes long but jmp takes 5 bytes, so ce will ask you to replace the 1 byte left with nop: select yes.
now it will jump to 004aea8d no matter if the compare is true or not.
by changing this jump we tell the game engine to always jump to the end of the code, so it will skip the whole health routine.
after that go to game and let the enemy shoot you: you see you don't even get hit!
why do we get this effect?
because that compare you see above deals with hits and damages. if the compare is true (when we don't get any hit) it jumps to 004aea8d, and if the compare fails (we get hit) it skips the jump and decreases our health. by changing that jump we will always jump to 004aea8d and we will skip the whole health routine. :wink:
now it's your turn: shoot them, the enemies have the same effect too!
why?
simple, because the routine is shared.
now how do we make it just for the player?
simply by finding out the player id and then comparing it in that check.
now we make a script like this:
Code:
[ENABLE]
alloc(cave,256)
label(back)
label(skip)

004AE5E9:
jmp cave          // 5-byte jmp written over the 7-byte cmp, so 2 nops fill the rest
nop
nop
back:

cave:
cmp byte ptr [ebp],1              // is this the player? (1 = player id)
je skip                           // player: leave ZF set, so the game's je at back takes the jump
cmp byte ptr [ebp+00000115],00    // everyone else: the original check runs unchanged
skip:
jmp back

[DISABLE]
dealloc(cave)
004AE5E9:
cmp byte ptr [ebp+00000115],00

in here "1" is the player id (don't ask me how you can find this, read my other tut on finding player id). in here we simply tell the game engine: if it's the player (we get hit) then skip the check that deals with hits/damages, so hits are not checked any more (the je that follows at back sees the zero flag from our player id compare and takes the jump), and if not (an enemy gets hit) the original check runs as before.
now go to game, shoot the enemies and let them shoot you: you see now only the player has that effect and the enemies still get hit.
phew! this is the end! hope you learned something.
please note that in some games that check may be in a different location.
in the next post i show you an example of it. :wink:

well, here is another example.
in here i use lost planet.
find your health and debug it (find what writes), then you should see this:

0065c67c - f3 0f 11 86 98 11 00 00 - movss [esi+00001198],xmm0

now go to memory view and scroll up until where the code starts (like in cod 4):

just remember this: the hits and damages check is always beside the first check.
so in here the first check is this:
test al,01
and the conditional jump "je".
if the check is true then it jumps to 0065C576, if not it falls through and returns to where the code was called.
in here the first check's conditional jump "je" doesn't jump to the end of the code (like cod4), it just jumps several bytes away. remember: the first check's conditional jump should always jump to the end of the code (like cod 4). if it does, it's the correct one, and if not we need to look in other locations. in here it's in another location.
now how do we find it?
simply in ce right click on the health address and select "find out what accesses this address", then go to game and run around but don't get any hit. back to ce, and you should see this:


like in the picture above, highlight the last one and go back to game.
now get hit and go back to ce:

now select the opcode after the highlighted one:
00672219 - f3 0f 10 86 98 11 00 00 - movss xmm0,[esi+00001198]
then, like before, go to memory view and scroll up until where the code starts:

did you see that test and conditional jump "je"?
ok, now lets find out where that conditional jump leads us.

lol, it seems we found it. now change that je to jmp.


and go to game, then get hit: you see you don't get any hit.
now this is shared, so we simply make a script (like cod4) and compare it with the player id.
Code:
[ENABLE]
alloc(cave,256)
label(back)
label(skip)

006720F1:
jmp cave          // 5-byte jmp written over the 6 bytes of mov + test, so 1 nop fills the rest
nop
back:

cave:
mov ebp,[esp+08]          // original instruction, kept as-is
cmp byte ptr [ecx],b8     // is this the player? (b8 = player id)
je skip                   // player: leave ZF set, so the game's je at back takes the jump
test ebp,ebp              // everyone else: the original check runs unchanged
skip:
jmp back

[DISABLE]
dealloc(cave)
006720F1:
mov ebp,[esp+08]
test ebp,ebp

now only the player has god mode.
you see, there is nothing too strange. sometimes in some games that check is in a different location, like lost planet. just remember that that check is always in the write breakpoints and it's always where the code starts.
this is the last about this, hope you learned something. :)
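as an added example (not part of the original tutorial), this python computes the raw bytes behind the je→jmp patch in the cod 4 part and the two jmp cave hooks above, which shows why ce asks for exactly 1, 2 and 1 nops. the addresses 004aea8d, 004AE5E9 and 006720F1 are from the tutorial; the je sitting at 004AE5F0 (right after the 7-byte cmp) and the cave landing at 00600000 are assumptions.

```python
import struct

# x86 opcodes, fixed by the ISA: je rel32 is 0F 84 + 4 bytes, jmp rel32 is E9 + 4 bytes.
JE_REL32 = b"\x0f\x84"   # 6 bytes in total
JMP_REL32 = b"\xe9"      # 5 bytes in total
NOP = b"\x90"

def rel32(insn_addr, insn_len, target):
    """Relative displacement, measured from the END of the branch instruction."""
    return struct.pack("<i", target - (insn_addr + insn_len))

def encode_je(addr, target):
    return JE_REL32 + rel32(addr, 6, target)

def encode_jmp(addr, target):
    return JMP_REL32 + rel32(addr, 5, target)

def branch_target(addr, code):
    """Decode the destination of a je/jmp rel32 sitting at addr."""
    if code[:2] == JE_REL32:
        return addr + 6 + struct.unpack("<i", code[2:6])[0]
    if code[:1] == JMP_REL32:
        return addr + 5 + struct.unpack("<i", code[1:5])[0]
    raise ValueError("not a rel32 je/jmp")

def pad_to(patched, original):
    """Keep the patch exactly as long as what it overwrites; fill the rest with nop."""
    if len(patched) > len(original):
        raise ValueError("patch would clobber the next instruction")
    return patched + NOP * (len(original) - len(patched))

def force_jump(addr, original_je):
    """je target -> jmp target + nop: the 'replace 1 byte left with nop' step."""
    return pad_to(encode_jmp(addr, branch_target(addr, original_je)), original_je)

def hook(addr, original, cave):
    """jmp cave + nops: what the [ENABLE] block writes over the original instruction(s)."""
    return pad_to(encode_jmp(addr, cave), original)

# From the tutorial: jump target 004aea8d, hook points 004AE5E9 and 006720F1.
# Assumed (not on the page): the je sits at 004AE5F0, the cave landed at 00600000.
JE_ADDR, JE_TARGET, CAVE = 0x004AE5F0, 0x004AEA8D, 0x00600000
COD4_ORIG = bytes.fromhex("80bd1501000000")  # cmp byte ptr [ebp+00000115],00  (7 bytes -> 2 nops)
LP_ORIG = bytes.fromhex("8b6c240885ed")      # mov ebp,[esp+08] ; test ebp,ebp (6 bytes -> 1 nop)

def demo():
    """Return (je->jmp god mode patch, cod4 hook bytes, lost planet hook bytes)."""
    return (force_jump(JE_ADDR, encode_je(JE_ADDR, JE_TARGET)),
            hook(0x004AE5E9, COD4_ORIG, CAVE),
            hook(0x006720F1, LP_ORIG, CAVE))
```

`demo()[1].hex()` gives `e9121a15009090`: the 5-byte jmp to the cave followed by the two nops the cod 4 script writes.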
