[DiY] The Haunted - Hells Reach (32 bits, DX9)

Recifense
RCE Fanatics
Posts: 491
Joined: Thu Mar 02, 2017 11:25 pm
Reputation: 610

[DiY] The Haunted - Hells Reach (32 bits, DX9)

Post by Recifense » Sun Mar 26, 2017 4:41 pm

Hi guys,

I have been sharing my knowledge with you since 2008 by publishing my scripts. In 2011 I published a three-part tutorial rich in details (Galactic Civilization 2).
For 2012 I intend to publish once in a while a game-specific tutorial (not as detailed as the first one). I will call it "Do it Yourself".

Here is a tutorial on "The Haunted Hells Reach" to give an idea.

Please look in the internet for IA32_SDM_Vol2A.pdf and IA32_SDM_Vol2B.pdf to use as OPCODE reference.
Use CE help for its reference.
If you could first follow the CE tutorial, it would be helpful, but it is not essential.

Thanks to Dark Byte for the fantastic tool.

I hope you, guys, like it.

Cheers!

Recifense.

============================= Do it Yourself ===========================
===========================================
Game Title : The Haunted - Hells Reach (32 bits, DX9)
Game Version : 1.0.8788.0
Process Name : HauntedGame.exe
System : Windows XP SP3 32bits (it could be W7 32 bits as well)
Direct X : 9
===========================================

[Note] "The Haunted Hells Reach" is a third person action game (a shooter).
It uses UNREAL engine. Usually for this kind of game only 2 cheats are needed: God Mode and Unlimited Ammo.

1) First of all:

___ 1.1 Start Cheat Engine 6.1;
___ 1.2 Start the game in Window Mode;
___ 1.3 Adjust the windows so you can see both CE and the game at the same time;
___ 1.4 Click on CE and open HauntedGame.exe process;
___ 1.5 Create a new game "Inferno Solo", "NORMAL", "Forsaken Canyon" and choose any character;
___ 1.6 Pause the game at the start;

2) Investigating the Health Points:

___ TutNote 01: Take a look at the lower right corner, where the hero's HP (health points) is displayed (in my case it is 200).
___ Go to CE, enter 200 on value to be searched field (use CE's default configuration: Scan type = Exact Value, Value type = 4 Bytes,
___ Writable checked, Fast scan checked, field = 4 and Alignment selected) and click on FIRST SCAN.
___ Now we need to make the "HP" change and find out what codes access it;

______ A) Back to the game, unpause it and let your hero be attacked. Pause it again as soon as the HP is changed;
______ B) Go back to CE and put the new "HP" value on the value to be searched field and click on NEXT SCAN.
______ Since you are a lucky guy, only two addresses had their values changed. Double-click on each of them in order to add them to CE's table;
______ C) Now let's find out which address is the one we want. Change the first address value to 200. Note that the other address value also changed.
______ So the first one is the real HP value. Freeze it by checking its "active" box.
______ D) Now let's find out what code accesses it by right-clicking on this table entry and choosing "Find out what access this address";
______ A confirmation window will appear. Click on YES to attach the debugger.
______ E) Note that a code line is added to the list, even with game in paused state.
______ F) Back to the game, unpause it. Let the hero be attacked. Note that two more line codes are added to the list;
______ G) Now move around, do some jumps (by pressing space) until a new line is added to the list;
______ H) Pause the game and go back to CE. Note that 4 code lines are displayed. Add them to the code list on advanced option
______ by selecting all and clicking on ADD TO THE CODELIST. Rename each code line by adding " HP" right after code;

___ TutNote 02: Now we need to know when each code is used and, if needed, what they do. Before that
___ we have to be sure that each code line is safe to be used on next step. We have to check each one
___ looking at the code lines near it. We have to help CE NOT to crash the game because of an INT 3 instruction;
___ If you find an INT 3 near the code we are about to analyse (inside 5 bytes distance from the code), change it to NOP
___ (just double click on it and write NOP). It is important to know that when in an instruction there is something between [],
___ it means access to a memory address. The only exception is the instruction LEA.

Code:

	C01 004BA63C - 8b 08                   - mov ecx,[eax]		   
	C02 00448111 - 29 03                   - sub [ebx],eax
	C03 00448113 - 8b 1b                   - mov ebx,[ebx]
	C04 00915fd0 - 83 b9 dc 02 00 00 00 00 - cmp dword ptr [ecx+000002DC],00
	
___ TutNote 03: Looking at the code lines we can see that all of them, except for C02, just read the value.
___ C02 updates the value by subtracting the content of the register EAX from it. C04 compares the value with 00,
___ checking if the character is still alive. But the most important information of this code line is that the HP is at offset "000002dc"
___ of a structure and that the register ECX points to the beginning of it (we usually say that it points to the "base address" of the structure);
___ Let's check that by dissecting a structure. :)

______ A) On the "The following opcodes ..." window, click on the last code line. Look for the value of the register ECX (mine = 13D44000) and copy it;
______ B) On CE's main window click on the "Memory View" button. Select the "Memory Viewer" window and press Ctrl+D to open
______ a "Memory dissect" window. It will pop up with the address field already filled and high-lighted. Paste the ECX value in it.
______ Select Structures->Define new structure. Give it a name (for instance, Hero) and press OK and then YES.
______ Now for the size enter the value in hexadecimal 0x400 since the "HP" has offset 0x02dc. CE will do its best to
______ figure out the offsets.
______ C) We already know what the offset 02dc is, so let's change its name to "**Current HP".
______ Just double-click on the description "Dword" and then change it. Let's save what we have done till now.
______ Click on the diskette on CE to save the table. Let's continue, we will probably find the meaning of some of those remaining offsets.
______ D) Note the value 200 at offset 02e0, it must be the maximum HP value. So change its name from "Dword" to "**Maximum HP".
______ Note that at offset "00d4", there is a pointer to the beginning of the structure. Rename it to "**pSelf";
______ E) On the "The following opcodes ..." window, click on the second code line (C02). Note that the content of register EDI points to
______ the beginning of the pHero structure. So go to the "Advanced Options" and rename the second line code again by adding "(EDI = pHero)".
______ F) Save the table again. Go back to the game and quit session;
______ G) Some code lines were added to the list, but they don't matter. Now let's close "The following opcodes ..." window.
______ Click on "STOP" button and then on "CLOSE" button. If for some reason a crash occurs, just start it all over again.
______ When in the main menu screen of the game, load the table that was saved previously;
______ H) Let's verify what addresses those codes access by right-clicking on each of them on the codelist of "Advanced Options" and choosing the option
______ "Find out what addresses the code reads/writes from/to"; For each code line, play a little (run, jump, shoot, etc) and go back to game main menu.

___ TutNote 04: C01 reads a lot of addresses even when in the main menu. This one is not good. C02 updates a lot of addresses,
___ not only hero's HP. It is a problem. C03 reads a lot of values, not only HP and C04 reads all HPs, not only the hero's HP.
___ Now that we have a lot of information about the HP, let's have a look at the ammo. :)

2) Investigating the Ammo:

___ TutNote 05: Start a game session again, and pause at the beginning. Take a look at the bottom center of the screen, where the ammo information
___ is displayed: current clip/Reserve. In my case 12/24.
___ Go to CE, enter 12 on value to be searched field (use CE's default configuration: Scan type = Exact Value, Value type = 4 Bytes,
___ Writable checked, Fast scan checked, field = 4 and Alignment selected) and click on FIRST SCAN.
___ Now we need to make the AMMO change and find out what codes access it;

______ A) Back to the game, unpause it and shoot once. Pause it again as soon as the AMMO is changed;
______ B) Go back to CE and put the new "AMMO" value on the value to be searched field and click on NEXT SCAN.
______ Since our luck has changed, 6 addresses had their values changed.
______ C) Back to the game, unpause it and shoot once again. Pause it again as soon as the AMMO is changed;
______ Now we are lucky and only one address had its value changed. Double-click on it in order to add it to CE's table;
______ D) Now let's find out what code accesses it by right-clicking on this table entry and choosing "Find out what access this address";
______ A confirmation window will appear. Click on YES to attach the debugger (if asked).
______ E) Note that a code line is added to the list, even with game in paused state. It is the same line code that accessed the HP value.
______ F) Back to the game, unpause it. Shoot one more time and pause the game. Note that two more line codes are added to list.
______ The same lines that were added when we were investigating the HP;

___ TutNote 06: We have already checked those code lines. So we know that in C02, EDI is important. In the case of the HP
___ it pointed to the structure base. So it is reasonable to suppose that, in this case, it points to the base of the ammo structure.
___ Let's check that by dissecting another structure. :)

______ A) On the "The following opcodes ..." window, click on the second code line and copy the EDI content.
______ In my case, EDI = 1286F500 and EBX = 1286F7F4. So the ammo offset = EBX - EDI = 1286f7f4 - 1286F500 = 02f4 (use the windows calculator);
______ B) From the window "Dissect Memory - Hero", click on submenu File->New Window. Another "Memory dissect" window will pop up with
______ the address field already filled and high-lighted. Paste the EDI value in it.
______ Select Structures->Define new structure. Give it a name (for instance, Weapon) and press OK and then YES.
______ Now for the size enter the value in hexadecimal 0x400 since the "Ammo" has offset 0x02f4.
______ C) Look for the offset 02f4. Well, in my case, CE guessed it as a double. But we know it is the ammo (4 bytes). So let's change
______ the name to "**Current Ammo" and the type to "4 Bytes".
______ Just double-click on the description "Double", change its name and the type "4 Bytes". Let's save what we have done till now.
______ Click on the diskette on CE to save the table. Let's continue, we will probably find the meaning of some of those remaining offsets.
______ D) Note the value 12 at offset 02f0 right above the "current Ammo", it must be the maximum Ammo value per clip. So change its name
______ from "Dword" to "**Maximum Ammo". Note at offset 02d0 the value 24. Change it to 30 and look back in the game. It is the reserved ammo.
______ Change this offset name to "**cReserved Ammo". Look at the value 72 right below it. It must be the maximum reserved ammo value. So change
______ this offset (02d4) name to "**mReserved Ammo". So far so good. :)
______ E) With the use of C04, let's find the hero's HP base address again. Right-click on it in the "Advanced Options code list" and
______ choose "Find out what addresses the code reads/writes from/to". Go back to the game make your hero jump (press space) and pause
______ the game when you see his HP on the list. Go back to CE and press STOP on the "Changed addresses" window.
______ Now right-click on the hero's HP value and choose "Show register state". A small window will pop up showing the registers value. The register
______ we are looking for is ECX, so double-click on it. Note that the "hex view" in the "Memory Viewer" was updated to the address ECX points to.
______ Now at the window "Memory dissect - Hero", select the first address of the structure. Right-click on it and choose "Recalculate address". A small
______ window pops up showing the content of ECX. Press OK.
______ F) Now both HP and Weapon structures are valid. Let's continue the analysis of the Weapon structure. Note that at offsets 009c and 00d4
______ we have pointers to the same address, the Hero's HP structure. That is good information. Rename them to "**pHero". Note, as well, that at
______ offset 03c4 of the Hero's HP structure we have a pointer to the Weapon structure. That's good too. Rename this offset to "**pWeapon".
______ G) Save the table again. Go back to the game and quit session;

___ TutNote 07: The analysis is almost done. But we need to find a way of distinguishing our hero's HP and Ammo when the code line C02 is executed.
___ So please close the "The following opcode ...." window by clicking on STOP and then on CLOSE. Close the "Changed addresses" window as well.
___ Start a new game session and pause it. Use the C04 again and update the hero's HP structure address and then, by following the pointer at
___ offset 03c4 update the Weapon structure. Let's try to find a routine that only reads the player's info.

______ A) Clear all addresses on the table by clicking on the "Crossed Zero" button right above it. Now add to the table the second offset of the
______ Weapon structure. Right-click on this entry on the table and choose "Find out what accesses this address". Go back to the game and play a little.
______ It looks like during game play no code accesses this offset. So STOP and CLOSE the "The following opcodes ..." window. Now add the third offset
______ of the Weapon structure and repeat the process. Note that, in this case, a lot of line codes are added to the list. But pay attention that some access counters
______ only increase when the hero shoots. Quit this game session.
______ B) Let's add to the code list two line codes that access the third offset value when the hero shoots.

Code:

	C05 00465123 - 89 4e 08                - mov [esi+08],ecx		   
	C06 00465127 - 83 66 08 fb             - and dword ptr [esi+08],FB
	
______ C) Let's verify what addresses those code lines access by right-clicking on each of them on the codelist and choosing the option
______ "Find out what addresses the code reads/writes from/to"; Start by C05. Play a little (run, jump, shoot, etc) and then pause the game.

___ TutNote 08: Note that 3 addresses are added to the list, but when the hero shoots, only the last one's counter increases. Let's place these 3 addresses
___ on the "Memory Dissect - Weapon". Add 2 extra addresses (File->Add Extra Address). Now just right-click on each of them, double-click on ESI and then
___ Recalculate address for each column. Look at the offsets 009c and 00d4. Note that only the third address has pointers different from 0 (null)
___ on each offset. Remember that they point to Hero's HP structure.

___ TutNote 09: The analysis phase is finished. We can use C05 to identify our hero's HP and Ammo. The information is valid only when offsets
___ 009c and 00d4 point to the same address that is different from 0 (NULL). We will need to intercept only two code addresses: C05 and C02;

3) The hacking points:

___ TutNote 10: In order to make our script run we need to intercept the main code at the code addresses C02 and C05. We usually use the instruction
___ jmp. This instruction is 5 bytes long in a 32 bits system (IMPORTANT). So let's have a look around the hacking points.

Code:

HauntedGame.exe+4810D - 8B 44 24 10   - mov eax,[esp+10]  <-- HP
HauntedGame.exe+48111 - 29 03         - sub [ebx],eax    (*) 
HauntedGame.exe+48113 - 8B 1B         - mov ebx,[ebx]
HauntedGame.exe+48115 - 8B 4C 24 14   - mov ecx,[esp+14]
(*) Instruction we want to intercept. It is 2 bytes long. We need at least 5 bytes space. The instruction right above it is 4 bytes long,
and in EAX we have the value that will be decreased. So the best place is at "HauntedGame.exe+4810D" (4 + 2 = 6 bytes).

Code:

HauntedGame.exe+6511A - 81 66 0C FFDFFFFF - and [esi+0C],FFFFDFFF
HauntedGame.exe+65121 - 8B C1         - mov eax,ecx      <-- HP
HauntedGame.exe+65123 - 89 4E 08      - mov [esi+08],ecx (**) 
HauntedGame.exe+65126 - 83 E0 04      - and eax,04
(**) Instruction we want to intercept. It is 3 bytes long. We need at least 5 bytes space. The instruction right above it is 2 bytes long.
So the best place is at "HauntedGame.exe+65121" (3 + 2 = 5 bytes).

4) The Script:

___ TutNote 10: Select the "Memory Viewer" window and press CTRL+A to open the "Auto Assemble editor".
___ Now write the following script.

___ TutNote 11: A script is divided in two parts that are tagged by [ENABLE] and [DISABLE]. The first part is activated when its "Active Box" is checked.
___ The second part is activated when its "Active box" is unchecked. '{' and '}' are used for a block of comments.
___ '//' is used for a single line comment. Memory needs to be allocated for the script to be loaded. All the labels need to be declared.
___ Each label represents a memory address. Labels can be declared as symbols, so they can be easily accessed in other parts of CE (table, memory viewer, dissect, etc).

Code:

{												// '{' opens a comment block
===========================================
 Game Title    : The Haunted - Hells Reach (32 bits, DX9)
 Game Version  : 1.0.8788.0
 Process Name  : HauntedGame.exe
 Script Version: 1.0
 CE Version    : 6.1
 Release date  : 12-Dec-2011
 Author        : Recifense
 Features:
 - God Mode
 - Unlimited Ammo
===========================================
}												// '}' closes a comment block

[ENABLE]										
//=========================================
// Check if script is compatible to this game version
// If false the script will not be loaded

assert(HauntedGame.exe+065121,8b c1 89 4e 08)	// The script is only loaded if assert returns TRUE
assert(HauntedGame.exe+04810d,8b 44 24 10 29 03)// The script is only loaded if assert returns TRUE

//=========================================
alloc(MyCode,1024)					// Allocating memory. 1024 (1Kb) is enough.
//=========================================
// Declaration section
label(_MonAmmo)						// Declaring a label  My convention: starting with '_' means CODE LABEL
label(_BackMA)						// Declaring a label
label(_ExitMA)						// Declaring a label
label(_GodMode)						// Declaring a label
label(_GodM0)						// Declaring a label
label(_GodM1)						// Declaring a label
label(_GodM2)						// Declaring a label
label(_BackGM)						// Declaring a label
label(_ExitGM)						// Declaring a label
label(pPlayer)						// Declaring a label  My convention: starting with 'p' means VARIABLE LABEL (P)ointer
label(pHP)							// Declaring a label
label(pAmmo)						// Declaring a label
label(pWeapon)						// Declaring a label
label(iEnableGM)					// Declaring a label  My convention: starting with 'i' means VARIABLE LABEL (I)nteger (4 bytes)
label(iEnableMA)					// Declaring a label

//=========================================
// Registering Symbols
registersymbol(MyCode)				// Registering "MyCode",    so it can be easily found in the memory viewer.
registersymbol(pPlayer)             // Registering "pPlayer",   so it can be easily used in a table or structure.
registersymbol(pHP)                 // Registering "pHP",       so it can be easily used in a table or structure.
registersymbol(pAmmo)               // Registering "pAmmo",     so it can be easily used in a table or structure.
registersymbol(pWeapon)             // Registering "pWeapon",   so it can be easily used in a table or structure.
registersymbol(iEnableGM)           // Registering "iEnableGM", so it can be easily used in a table or structure.
registersymbol(iEnableMA)           // Registering "iEnableMA", so it can be easily used in a table or structure.

//=========================================
MyCode:
//=========================================
// This script will:
// 1) Check if the information is valid -> the content of offsets 009c and 00d4 are equal and not NULL (0)
// 2) Identify the addresses of Hero's HP and Ammo
// 3) If Unlimited Ammo is enabled (iEnableMA <> 0), current ammo = maximum ammo and current reserve = maximum
// ESI = Base of a structure (Don't confuse Base with Bottom. Base here is the first address of a structure)
_MonAmmo:
 mov eax,[esi+0000009c]             // Load register EAX with the content of offset 009c
 test eax,eax                       // Test it
 jz _ExitMA                         // jcc is a conditional jump. The condition here is Z (if zero). 

 cmp eax,[esi+000000d4]             // Verify if the content of offset 00d4 is equal to that of offset 009c.
 jne _ExitMA                        // jcc is a conditional jump. The condition here is NE (not equal to). 

 mov [pPlayer],eax                  // EAX is the base of the HP structure. Save it for debugging;
 mov [pWeapon],esi                  // ESI is the base of the Ammo (Weapon) structure. Save it for debugging;

 lea eax,[eax+000002dc]             // Make EAX = EAX + Offset of current HP;
 mov [pHP],eax                      // EAX points to the exact address of current HP. Save it for further use.

 lea eax,[esi+000002f4]             // Make EAX = ESI + Offset of current Ammo;
 mov [pAmmo],eax                    // EAX points to the exact address of current Ammo. Save it for further use.

 cmp dword ptr [iEnableMA],0        // If the content of the memory address pointed by label iEnableMA is 0... 
 je _ExitMA                         // ... the script will continue at the label _ExitMA (jcc -> E = equal to) 

 mov eax,[esi+000002f0]             // Load EAX with the content of offset 02f0 (Maximum Ammo)
 mov [esi+000002f4],eax             // and copy it to the offset 02f4 (Current Ammo) 

 mov eax,[esi+000002d4]             // Load EAX with the content of offset 02d4 (Maximum Reserve Ammo)
 mov [esi+000002d0],eax             // and copy it to the offset 02d0 (Current Reserve Ammo)

_ExitMA:
 mov eax,ecx                        // Original code
 mov [esi+08],ecx                   // Original code
 jmp _BackMA                        // Back to main code

//=========================================
// This script will (if enabled: iEnableMA <> 0 and/or iEnableGM <> 0):
// 1) Not let the value to be decreased, if it is at Hero's HP address or at the Hero's Ammo address.
// 2) Make the current value equal to maximum
// EBX points to the address of the value to be decreased
_GodMode:
 cmp ebx,[pAmmo]                    // Is it the hero's ammo.
 je _GodM1                          // jcc is a conditional jump. The condition here is E (equal to). 

 cmp ebx,[pHP]                      // Is it the hero's HP.
 jne _ExitGM                        // jcc is a conditional jump. The condition here is NE (NOT equal to). 
 
 cmp dword ptr [iEnableGM],0        // If the content of the memory address pointed by label iEnableGM is 0... 
 je _ExitGM                         // ... the script will continue at the label _ExitGM (jcc -> E = equal to)
 
 mov eax,[ebx+04]                   // Load EAX with Maximum HP
 mov [ebx],eax                      // and copy it to Current HP address 
 jmp _GodM2                         // Continue at the label _GodM2

_GodM1:
 cmp dword ptr [iEnableMA],0        // If the content of the memory address pointed by label iEnableMA is 0... 
 je _ExitGM                         // ... the script will continue at the label _ExitGM (jcc -> E = equal to) 

 mov eax,[ebx-04]                   // Load EAX with Maximum Ammo
 mov [ebx],eax                      // and copy it to Current Ammo address 

_GodM2:
 xor eax,eax                        // Make EAX = 0 (A xor A = 0)
 mov [esp+10],eax                   // Make value to be decreased at the stack offset 10 = 0

_ExitGM:
 mov eax,[esp+10]                   // Original code (EAX = value to be decreased)
 sub [ebx],eax                      // Original code
 jmp _BackGM                        // Back to main code

//=========================================
 db '================>'                 // The memory at this location is filled with this string
 db 'CE6.1 Script by Recifense 121211'  // The memory at this location is filled with this string
//=========================================
// Variables
// We can put the variables here, right after the last script.
iEnableGM:                          // The variable name followed by : (in fact, it is a label)
 dd 1                               // Reserving 4 bytes and initializing its value with 1
iEnableMA:                          // The variable name followed by : (in fact, it is a label)
 dd 1                               // Reserving 4 bytes and initializing its value with 1
pPlayer:                            // The variable name followed by : (in fact, it is a label)
 dd MyCode                          // Reserving 4 bytes and initializing its value with MyCode address value
pHP:                                // The variable name followed by : (in fact, it is a label)
 dd MyCode                          // Reserving 4 bytes and initializing its value with MyCode address value
pAmmo:                              // The variable name followed by : (in fact, it is a label)
 dd MyCode                          // Reserving 4 bytes and initializing its value with MyCode address value
pWeapon:                            // The variable name followed by : (in fact, it is a label)
 dd MyCode                          // Reserving 4 bytes and initializing its value with MyCode address value

//=========================================
// Hacking Points
// It can also be placed before the scripts. But let's put it after them, just to remind us
// that the script was created and loaded into the computer memory and now can be accessed.

HauntedGame.exe+065121:             // The address to be intercepted
 jmp _MonAmmo                       // Jumping to the script (this instruction is 5 bytes long in a 32 bits system)
_BackMA:                            // This label is the address to go back. It is HauntedGame.exe+065121 plus 5 bytes.

HauntedGame.exe+04810d:             // The address to be intercepted
 jmp _GodMode                       // Jumping to the script (this instruction is 5 bytes long in a 32 bits system)
 nop                                // Adding a NOP (90h) instruction to complete 6 bytes (remember this!)
_BackGM:                            // This label is the address to go back. It is HauntedGame.exe+04810d plus 6 bytes.


[DISABLE]
//=========================================
// This part is performed when we disable the script by unchecking its active box.
// Here we should:
// - Restore the original codes
// - Unregister the symbols
// - Deallocate (free) the memory

HauntedGame.exe+065121:             // The address to restore the code
// mov eax,ecx                      // The code to be restored (this instruction is 2 bytes long)
// mov [esi+08],ecx                 // The code to be restored (this instruction is 3 bytes long)
 db 8b c1 89 4e 08                  // The instruction in byte sequence representation

HauntedGame.exe+04810d:             // The address to restore the code
// mov eax,[esp+10]                 // The code to be restored (this instruction is 4 bytes long)
// sub [ebx],eax                    // The code to be restored (this instruction is 2 bytes long)
 db 8b 44 24 10 29 03               // The instruction in byte sequence representation

//=========================================
// Unregistering Symbols
unregistersymbol(MyCode)            // UNregistering "MyCode",  so it cannot be accessed anymore.
unregistersymbol(iEnableGM)         // UNregistering "iEnableGM",  so it cannot be accessed anymore.
unregistersymbol(iEnableMA)         // UNregistering "iEnableMA",  so it cannot be accessed anymore.
unregistersymbol(pPlayer)           // UNregistering "pPlayer", so it cannot be accessed anymore.
unregistersymbol(pHP)               // UNregistering "pHP",     so it cannot be accessed anymore.
unregistersymbol(pAmmo)             // UNregistering "pAmmo",   so it cannot be accessed anymore.
unregistersymbol(pWeapon)           // UNregistering "pWeapon", so it cannot be accessed anymore.

//=========================================
dealloc(MyCode)	                    // DE-allocating memory so the system can use it for other purposes.
//============= Scripts End ===============

// ****************************************
// NOTES
// ****************************************
{
struct WEAPON:
009c = pHero
00d4 = pHero
02d0 = current_Reserved_Ammo
02d4 = maximum_Reserved_Ammo
02f0 = maximum_Ammo_onCLIP
02f4 = current_Ammo_onCLIP

struct HERO:
00d4 = pSelf
02dc = current_HP
02e0 = maximum_HP
03c4 = pWeapon
}
______ A) Time to save the script. On the Auto Assemble, click on File and then select Save.
______ B) Clear the table by deleting all entries;
______ C) Let's add the script to CE table. Click on File and then select "Assigned to current cheat table".
______ CE will check the script and, if everything is ok, it will be added to the table with the description "Auto assemble cheat".
______ Change it to "[X] <== The Haunted Hells Reach Script".
______ D) Save the table;
______ E) Now enable the new script;
______ F) Add the new variables to the table: iEnableGM and iEnableMA
______ G) Now go and kick some asses. :D

5) Additional Notes:

Used AA commands (have a look at the CE's help for better understanding):
assert, alloc, label, registersymbol, unregistersymbol and dealloc.

Used assembler opcodes (have a look at the intel manual for better understanding):

Code:

MOV  destination,source -> copy the content of source to destination;
TEST reg,reg        -> checks the content of REG and sets the EFLAGS accordingly;
Jcc address         -> conditional jump (cc is the condition) (the range is 127 bytes up or down)
LEA reg,[equation]  -> Loads reg with the result of the mathematical operation defined by "equation";
CMP oper1,oper2     -> Compares the contents of the 2 operands and sets the EFLAGS accordingly;
JMP address         -> jumps to the destination address (unconditional)
SUB oper1,oper2     -> oper1 = oper1 - oper2
DB  byte1,byte2,... -> Define Byte
DD  dw1, dw2, ...   -> Define Double-word

32 bits Registers: EAX, EBX, ECX, EDX, ESI, EDI, EBP and ESP.
That's it!

Cheers!
Attachments
HauntedGame.CT
(129.43 KiB) Downloaded 107 times
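The hook-site arithmetic from section 3 (a jmp rel32 needs 5 bytes, so whole instructions right above the target are absorbed until it fits, and the leftover bytes become NOPs), as an added example in Python that is not Recifense's code and not part of Cheat Engine. The two listings are constructed from the disassembly excerpts in the post; the detour address used in the stand-alone run is a made-up value. The byte comparison the script's `assert` performs is the same comparison an integrity monitor uses to notice that a detour has been written over a function, so the example exposes it as a function too.

```python
"""Choosing where a 5-byte jmp detour fits, and checking the site's bytes.

Added example: not Recifense's code and not part of Cheat Engine.  The two
listings are constructed from the disassembly excerpts in section 3 of the post.
"""
import struct
from dataclasses import dataclass

JMP_REL32_LEN = 5      # jmp rel32 (E9 xx xx xx xx) is 5 bytes on 32-bit x86
NOP = 0x90

# Constructed from the two "Code:" listings in section 3 (RVA - bytes - mnemonic)
LISTING_HP = """\
HauntedGame.exe+4810D - 8B 44 24 10 - mov eax,[esp+10]
HauntedGame.exe+48111 - 29 03 - sub [ebx],eax
HauntedGame.exe+48113 - 8B 1B - mov ebx,[ebx]
HauntedGame.exe+48115 - 8B 4C 24 14 - mov ecx,[esp+14]
"""
LISTING_AMMO = """\
HauntedGame.exe+6511A - 81 66 0C FF DF FF FF - and [esi+0C],FFFFDFFF
HauntedGame.exe+65121 - 8B C1 - mov eax,ecx
HauntedGame.exe+65123 - 89 4E 08 - mov [esi+08],ecx
HauntedGame.exe+65126 - 83 E0 04 - and eax,04
"""


@dataclass(frozen=True)
class Insn:
    module: str
    rva: int
    raw: bytes
    text: str

    @property
    def size(self):
        return len(self.raw)

    @property
    def relocatable(self):
        # jcc/jmp/call encode a displacement from their own address; copying them
        # verbatim into the detour (as the script does with its "Original code")
        # would send them somewhere else, so they must not be in the stolen range.
        mnem = self.text.split()[0].lower()
        return not (mnem.startswith("j") or mnem == "call")


def parse_listing(listing):
    """Parse 'module+rva - hex bytes - mnemonic' lines and check they are contiguous."""
    insns = []
    for line in listing.strip().splitlines():
        addr, hexbytes, text = (p.strip() for p in line.split(" - ", 2))
        module, rva = addr.rsplit("+", 1)
        insns.append(Insn(module, int(rva, 16), bytes.fromhex(hexbytes), text))
    for a, b in zip(insns, insns[1:]):
        if a.rva + a.size != b.rva:
            raise ValueError(f"gap or overlap between +{a.rva:x} and +{b.rva:x}")
    return insns


@dataclass(frozen=True)
class HookSite:
    module: str
    start_rva: int   # where the jmp is written
    stolen: tuple    # whole instructions overwritten (they move into the detour)
    nops: int        # padding so no instruction is cut in half
    back_rva: int    # where the detour jumps back to

    @property
    def original_bytes(self):
        return b"".join(i.raw for i in self.stolen)

    def ce_assert(self):
        """The [ENABLE] version check: bytes at the site must still be the originals."""
        return f"assert({self.module}+{self.start_rva:06x},{self.original_bytes.hex(' ')})"

    def ce_restore(self):
        """The [DISABLE] restore: write the original bytes back with db."""
        return f"{self.module}+{self.start_rva:06x}:\n db {self.original_bytes.hex(' ')}"


def choose_hook_site(insns, target_rva, min_len=JMP_REL32_LEN):
    """Walk upwards from the instruction to intercept, as section 3 does by hand,
    until the stolen instructions cover at least `min_len` bytes."""
    idx = next(i for i, ins in enumerate(insns) if ins.rva == target_rva)
    start, stolen_len = idx, insns[idx].size
    while stolen_len < min_len:
        if start == 0:
            raise ValueError("listing does not reach far enough back")
        start -= 1
        stolen_len += insns[start].size
    stolen = tuple(insns[start:idx + 1])
    bad = [i.text for i in stolen if not i.relocatable]
    if bad:
        raise ValueError(f"cannot relocate position-dependent instruction(s): {bad}")
    return HookSite(insns[idx].module, insns[start].rva, stolen,
                    stolen_len - min_len, insns[start].rva + stolen_len)


def build_jmp(site, detour_rva):
    """Bytes CE writes at the site: E9 rel32 (relative to the next instruction) + NOPs."""
    rel = detour_rva - (site.start_rva + JMP_REL32_LEN)
    return b"\xe9" + struct.pack("<i", rel) + bytes([NOP]) * site.nops


def site_is_intact(site, observed):
    """True while the live bytes still equal the known-good copy (no detour present)."""
    return observed == site.original_bytes


if __name__ == "__main__":
    for listing, target in ((LISTING_HP, 0x48111), (LISTING_AMMO, 0x65123)):
        site = choose_hook_site(parse_listing(listing), target)
        print(site.ce_assert())
        print(f"  jmp at +{site.start_rva:x}, {site.nops} nop(s), back to +{site.back_rva:x}")
        print("  patched bytes:", build_jmp(site, 0x2000000).hex(" "))   # made-up detour RVA
```

For the HP site this reproduces the post's "4 + 2 = 6 bytes" (one NOP, return at +48113) and for the ammo site "3 + 2 = 5" (no NOP, return at +65126), and the `assert` strings it emits are the ones in the script. The relocation check is the caveat section 3 leaves implicit: if the instruction above the target had been a conditional jump, it could not simply be repeated inside the detour.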
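The validity rule from TutNotes 08 and 09 (offsets 009c and 00d4 must hold the same non-NULL pointer to the Hero structure) and the two patches the script applies at _MonAmmo and _GodMode, modelled in Python over constructed struct memory. This is an added example, not the post's code and not part of Cheat Engine; the offsets are the ones in the script's NOTES block, while the base addresses, block sizes and stored values are made up here. Replaying the hook sequence shows why the check is needed: C02 executes for every HP and ammo value in the game, and it is the pHero comparison in C05's detour that lets the script tell the hero's structures apart from everyone else's.

```python
"""Model of the validity check and the two patches in the script above, run over
constructed struct memory.  Added example: not Recifense's code and not part of
Cheat Engine.  Offsets are the ones in the script's NOTES block; base addresses,
block sizes and the values stored in them are made up for this example.
"""
import struct

# struct WEAPON offsets (NOTES block)
W_PHERO_A, W_PHERO_B = 0x09C, 0x0D4      # both must point to the hero for the struct to be accepted
W_CUR_RES, W_MAX_RES = 0x2D0, 0x2D4      # reserve ammo: current / maximum
W_MAX_CLIP, W_CUR_CLIP = 0x2F0, 0x2F4    # clip ammo: maximum / current
# struct HERO offsets (NOTES block)
H_PSELF, H_CUR_HP, H_MAX_HP, H_PWEAPON = 0x0D4, 0x2DC, 0x2E0, 0x3C4


class Memory:
    """Sparse little-endian memory: base address -> bytearray block, dword access only."""

    def __init__(self):
        self.blocks = {}

    def alloc(self, base, size):
        self.blocks[base] = bytearray(size)

    def _locate(self, addr):
        for base, blk in self.blocks.items():
            if base <= addr < base + len(blk):
                return blk, addr - base
        raise KeyError(f"unmapped address {addr:#x}")

    def rd(self, addr):
        blk, off = self._locate(addr)
        return struct.unpack_from("<I", blk, off)[0]

    def wr(self, addr, value):
        blk, off = self._locate(addr)
        struct.pack_into("<I", blk, off, value & 0xFFFFFFFF)


def mon_ammo(mem, esi, state, enable_ma):
    """_MonAmmo, reached from C05 with ESI = base of a Weapon structure.
    Returns True only when the structure passes the 009c == 00d4 != NULL rule;
    `state` stands in for the pPlayer/pWeapon/pHP/pAmmo variables."""
    p_hero = mem.rd(esi + W_PHERO_A)
    if p_hero == 0 or p_hero != mem.rd(esi + W_PHERO_B):
        return False
    state["pPlayer"], state["pWeapon"] = p_hero, esi
    state["pHP"] = p_hero + H_CUR_HP
    state["pAmmo"] = esi + W_CUR_CLIP
    if enable_ma:                                  # iEnableMA <> 0: top up clip and reserve
        mem.wr(esi + W_CUR_CLIP, mem.rd(esi + W_MAX_CLIP))
        mem.wr(esi + W_CUR_RES, mem.rd(esi + W_MAX_RES))
    return True


def god_mode(mem, ebx, eax, state, enable_gm, enable_ma):
    """_GodMode, reached from C02 (sub [ebx],eax).  Returns the value actually
    subtracted: 0 when EBX is the hero's own HP or ammo and the feature is on."""
    if ebx == state.get("pAmmo") and enable_ma:
        mem.wr(ebx, mem.rd(ebx - 4))               # maximum ammo is 4 bytes below current
        eax = 0
    elif ebx == state.get("pHP") and enable_gm:
        mem.wr(ebx, mem.rd(ebx + 4))               # maximum HP is 4 bytes above current
        eax = 0
    mem.wr(ebx, mem.rd(ebx) - eax)                 # original code: sub [ebx],eax
    return eax


def build_world():
    """Constructed memory: hero + hero's weapon, and one enemy + enemy weapon."""
    hero, hero_wpn, enemy, enemy_wpn = 0x13D44000, 0x1286F500, 0x14000000, 0x14100000
    mem = Memory()
    for base in (hero, hero_wpn, enemy, enemy_wpn):
        mem.alloc(base, 0x400)
    for addr, val in ((hero + H_PSELF, hero), (hero + H_CUR_HP, 200), (hero + H_MAX_HP, 200),
                      (hero + H_PWEAPON, hero_wpn), (hero_wpn + W_PHERO_A, hero),
                      (hero_wpn + W_PHERO_B, hero), (hero_wpn + W_CUR_CLIP, 10),
                      (hero_wpn + W_MAX_CLIP, 12), (hero_wpn + W_CUR_RES, 24),
                      (hero_wpn + W_MAX_RES, 72), (enemy + H_CUR_HP, 150), (enemy + H_MAX_HP, 150),
                      # enemy weapon: one pHero slot filled, the other left NULL (TutNote 08)
                      (enemy_wpn + W_PHERO_A, enemy), (enemy_wpn + W_CUR_CLIP, 5),
                      (enemy_wpn + W_MAX_CLIP, 12)):
        mem.wr(addr, val)
    return mem, hero, hero_wpn, enemy, enemy_wpn


def run_scenario(enable_gm=True, enable_ma=True):
    """Replay the hook sequence: C05 for both weapons, then three C02 subtractions."""
    mem, hero, hero_wpn, enemy, enemy_wpn = build_world()
    state = {}
    accepted_enemy = mon_ammo(mem, enemy_wpn, state, enable_ma)
    accepted_hero = mon_ammo(mem, hero_wpn, state, enable_ma)
    losses = (god_mode(mem, hero + H_CUR_HP, 35, state, enable_gm, enable_ma),       # hero takes 35
              god_mode(mem, enemy + H_CUR_HP, 35, state, enable_gm, enable_ma),      # enemy takes 35
              god_mode(mem, hero_wpn + W_CUR_CLIP, 1, state, enable_gm, enable_ma))  # hero fires once
    return {"accepted_enemy": accepted_enemy, "accepted_hero": accepted_hero,
            "pHP": state.get("pHP"), "pAmmo": state.get("pAmmo"),
            "hero_hp": mem.rd(hero + H_CUR_HP), "enemy_hp": mem.rd(enemy + H_CUR_HP),
            "clip": mem.rd(hero_wpn + W_CUR_CLIP), "reserve": mem.rd(hero_wpn + W_CUR_RES),
            "enemy_clip": mem.rd(enemy_wpn + W_CUR_CLIP), "subtracted": losses}


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key:>15}: {val}")
```

With the constructed bases, `pAmmo` comes out as 1286F7F4, the EBX value the post reads off C02 in TutNote 06, and the enemy's weapon is refused because its second pHero slot is NULL; running with both flags off leaves every subtraction untouched while the pointers are still captured, which is what the `iEnableGM`/`iEnableMA` variables in the table are for.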

Vee_
Expert Cheater
Posts: 80
Joined: Tue Mar 14, 2017 10:18 am
Reputation: 10

Re: [DiY] The Haunted - Hells Reach (32 bits, DX9)

Post by Vee_ » Mon Apr 10, 2017 12:44 am

Great tutorial Recifense, will try this one out. Thanks :D

Xblade Of Heaven
What is cheating?
Posts: 1
Joined: Tue May 02, 2017 6:25 pm
Reputation: 0

Re: [DiY] The Haunted - Hells Reach (32 bits, DX9)

Post by Xblade Of Heaven » Tue May 02, 2017 6:26 pm

thanks man, and a question, is it possible to add an INTERNATIONAL forum section?

regards

Recifense
RCE Fanatics
Posts: 491
Joined: Thu Mar 02, 2017 11:25 pm
Reputation: 610

Re: [DiY] The Haunted - Hells Reach (32 bits, DX9)

Post by Recifense » Thu May 04, 2017 1:23 pm

Xblade Of Heaven wrote:
Tue May 02, 2017 6:26 pm
thanks man, and a question, is it possible to add an INTERNATIONAL forum section?

regards
What do you mean?

Cheers!

gimi
What is cheating?
Posts: 1
Joined: Sun Aug 06, 2017 11:07 am
Reputation: 0

Re: [DiY] The Haunted - Hells Reach (32 bits, DX9)

Post by gimi » Sun Aug 06, 2017 11:12 am

Great tutorial thank you :)
