RISE OF THE TOMB RAIDER Health hacking

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Kalas
Expert Cheater
Posts: 379
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 68

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas » Fri Sep 22, 2017 5:38 pm

pharaon wrote:
Fri Sep 22, 2017 4:37 pm
This one works:

Code:

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18) // cave placed near the hook so the 5-byte jmp rel32 can reach it

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1            // R12 == 1 is what identifies Lara's object at this point (found by testing)
je laraGODmode

code:
movss [rax+2C],xmm6  // original instruction: store the new health (float) at object+2C
jmp return

laraGODmode:
mov [rax+2C],(float)450  // store a fixed float immediate for Lara instead
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C  // restore the original movss bytes

unregistersymbol(health1)
dealloc(newmem)
But this one does not work:

Code:

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R13,0
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
Any explanation?
Hmm, because you use different registers..?

pharaon
Cheater
Posts: 29
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon » Fri Sep 22, 2017 5:52 pm

I know I use a different register,
but why does the compare with the second register not work?

Kalas
Expert Cheater
Posts: 379
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 68

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas » Fri Sep 22, 2017 5:59 pm

Because Lara is in the R12 register and not in R13.

pharaon
Cheater
Posts: 29
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon » Fri Sep 22, 2017 6:07 pm

How can I know which register is for Lara and which is not?

Kalas
Expert Cheater
Posts: 379
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 68

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas » Fri Sep 22, 2017 6:48 pm

pharaon wrote:
Fri Sep 22, 2017 6:07 pm
how can i know which register is for lara and which is not
By testing, as you tested R12 and R13. Sometimes they both can work, but this time you see R12 works fine for your Lara and still subtracts health from enemies :)

pharaon
Cheater
Posts: 29
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon » Mon Sep 25, 2017 4:34 pm

Is the code right this way?

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)9999
jmp return

health1:
jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

Kalas
Expert Cheater
Posts: 379
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 68

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas » Mon Sep 25, 2017 6:20 pm

Yep

Could just do

cmp r12,1
jne code
mov [rax+2C],(float)999
jmp return

pharaon
Cheater
Posts: 29
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon » Tue Sep 26, 2017 1:04 am

how about this code

Code:

{ Game   : ROTTR.exe
  Version: 
  Date   : 2017-09-26
  Author : DeskTop

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)


newmem:
cmp R12,1
jne code
push eax
mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
pop eax
jmp return

code:
  movss [rax+2C],xmm6
  jmp return

laraGODmode:
push eax
mov eax,(float)9999
movd xmm0,eax

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 70 2C

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "ROTTR.exe"+3356C18

"ROTTR.exe"+3356BF4: 48 8B 01                                      -  mov rax,[rcx]
"ROTTR.exe"+3356BF7: 0F 28 F1                                      -  movaps xmm6,xmm1
"ROTTR.exe"+3356BFA: FF 90 08 01 00 00                             -  call qword ptr [rax+00000108]
"ROTTR.exe"+3356C00: 84 C0                                         -  test al,al
"ROTTR.exe"+3356C02: 75 34                                         -  jne ROTTR.exe+3356C38
"ROTTR.exe"+3356C04: 48 8B 83 A8 02 00 00                          -  mov rax,[rbx+000002A8]
"ROTTR.exe"+3356C0B: 66 0F 6E 40 28                                -  movd xmm0,[rax+28]
"ROTTR.exe"+3356C10: 0F 5B C0                                      -  cvtdq2ps xmm0,xmm0
"ROTTR.exe"+3356C13: 0F 2E F0                                      -  ucomiss xmm6,xmm0
"ROTTR.exe"+3356C16: 74 20                                         -  je ROTTR.exe+3356C38
// ---------- INJECTING HERE ----------
"ROTTR.exe"+3356C18: F3 0F 11 70 2C                                -  movss [rax+2C],xmm6
// ---------- DONE INJECTING  ----------
"ROTTR.exe"+3356C1D: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C24: F3 0F 2C 41 2C                                -  cvttss2si eax,[rcx+2C]
"ROTTR.exe"+3356C29: 89 41 28                                      -  mov [rcx+28],eax
"ROTTR.exe"+3356C2C: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C33: E8 68 78 FC FF                                -  call ROTTR.exe+331E4A0
"ROTTR.exe"+3356C38: 0F 28 74 24 20                                -  movaps xmm6,[rsp+20]
"ROTTR.exe"+3356C3D: 48 83 C4 30                                   -  add rsp,30
"ROTTR.exe"+3356C41: 5B                                            -  pop rbx
"ROTTR.exe"+3356C42: C3                                            -  ret 
"ROTTR.exe"+3356C43: CC                                            -  int 3 
}

Kalas
Expert Cheater
Posts: 379
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 68

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas » Tue Sep 26, 2017 7:10 am

Again you are adding unneeded stuff, just do mov [rax+2C],(float)9999

But in general I think that, yeah, it should work.

seikur0
Expert Cheater
Posts: 59
Joined: Sat Aug 26, 2017 10:48 am
Reputation: 32

Re: RISE OF THE TOMB RAIDER Health hacking

Post by seikur0 » Tue Sep 26, 2017 8:43 pm

Code:

mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
This should totally crash your game..

Do this:

Code:

cmp R12,1
jne code
mov ecx,(float)9999
movd xmm6,ecx

code:
  movss [rax+2C],xmm6
  jmp return
ecx, because it gets overwritten after that. (Also it may not be necessary to overwrite xmm6.)
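
The question seikur0 answers by eye, done mechanically: a first-touch liveness pass over the disassembly listing pharaon posted, deciding which registers a cave at "ROTTR.exe"+3356C18 may clobber without saving. This is an added Python example, not code from the thread or from Cheat Engine; the listing is copied from the post, the call-clobber set is the documented Win64 ABI, and the instruction semantics table only covers the mnemonics that appear plus a few common ones.

```python
import re

# Straight-line tail after the hook, copied from the posted listing. The hooked
# movss comes first because the cave re-executes it after its own code.
LISTING = [
    "movss [rax+2C],xmm6",
    "mov rcx,[rbx+000002A8]",
    "cvttss2si eax,[rcx+2C]",
    "mov [rcx+28],eax",
    "mov rcx,[rbx+000002A8]",
    "call ROTTR.exe+331E4A0",
    "movaps xmm6,[rsp+20]",
    "add rsp,30",
    "pop rbx",
    "ret",
]

# Every sub-register folds into its 64-bit name: a write to eax zero-extends into
# rax, which is exactly how `mov eax,(float)9999` destroyed the [rax+2C] base.
ALIAS = {}
for r in ("rax", "rbx", "rcx", "rdx"):
    s = r[1]
    for name in (r, "e" + s + "x", s + "x", s + "l", s + "h"):
        ALIAS[name] = r
for r in ("rsi", "rdi", "rbp", "rsp"):
    s = r[1:]
    for name in (r, "e" + s, s, s + "l"):
        ALIAS[name] = r
for i in range(8, 16):
    for suffix in ("", "d", "w", "b"):
        ALIAS["r%d%s" % (i, suffix)] = "r%d" % i
for i in range(16):
    ALIAS["xmm%d" % i] = "xmm%d" % i

# Win64 ABI: arguments in rcx,rdx,r8,r9; rax,rcx,rdx,r8-r11,xmm0-5 are clobbered by a call.
ARG_REGS = ["rcx", "rdx", "r8", "r9"]
VOLATILE = {"rax", "rcx", "rdx", "r8", "r9", "r10", "r11"} | {"xmm%d" % i for i in range(6)}

# Mnemonics whose first operand is purely written when it is a register.
WRITES_DEST = {"mov", "movss", "movd", "movaps", "movzx", "lea", "cvttss2si", "cvtdq2ps", "pop"}
TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def regs_in(operand):
    """Canonical registers an operand names: the register itself, or the base/index inside [..]."""
    return [ALIAS[t.lower()] for t in TOKEN.findall(operand) if t.lower() in ALIAS]


def accesses(insn):
    """Yield (register, 'r'|'w') in the order the CPU touches them for one listing line.
    Sources are read first; then the destination is written (plain moves) or read
    (read-modify-write, compares, memory destinations, and anything unknown)."""
    mnem, _, rest = insn.partition(" ")
    mnem = mnem.lower()
    ops = [o.strip() for o in rest.split(",")] if rest else []
    if mnem == "call":
        for r in regs_in(ops[0]) + ARG_REGS + ["rsp"]:
            yield r, "r"
        for r in sorted(VOLATILE):
            yield r, "w"
        return
    if mnem == "ret":
        yield "rsp", "r"
        yield "rax", "r"          # return value travels back to the caller
        return
    if mnem in ("push", "pop"):
        yield "rsp", "r"
    for op in ops[1:]:
        for r in regs_in(op):
            yield r, "r"
    if ops:
        kind = "w" if mnem in WRITES_DEST and not ops[0].startswith("[") else "r"
        for r in regs_in(ops[0]):
            yield r, kind


def classify(listing):
    """First-touch rule from the hook onward: first access a read -> live (preserve it),
    first access a write -> dead (free scratch). Follows fall-through only; a jcc
    target would have to be walked the same way before trusting the answer."""
    status = {}
    for insn in listing:
        for reg, kind in accesses(insn):
            status.setdefault(reg, "live" if kind == "r" else "dead")
        if insn.split()[0].lower() in ("ret", "jmp"):
            break
    for reg in set(ALIAS.values()):
        status.setdefault(reg, "unknown")   # never touched before ret: treat as live
    return status


def scratch_registers(listing):
    """Registers a cave at the hook may clobber without saving."""
    return sorted(r for r, s in classify(listing).items() if s == "dead")


if __name__ == "__main__":
    st = classify(LISTING)
    print("scratch      :", ", ".join(scratch_registers(LISTING)))
    print("must preserve:", ", ".join(sorted(r for r, s in st.items() if s == "live")))
```

For this tail the pass reports rcx, r10, r11 and xmm0 to xmm5 as dead, and rax, rbx, rsp and xmm6 (plus the possible call arguments rdx, r8, r9, which it cannot rule out) as live. That is seikur0's answer in table form: ecx is free because `mov rcx,[rbx+000002A8]` rewrites it before anything reads it, eax is not because the very instruction being re-executed dereferences rax. xmm6 shows as live only because the re-executed movss reads it; overwriting it is the point of the cave, and the epilogue restores it from [rsp+20] anyway.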

dl748
Cheater
Posts: 47
Joined: Sun Jul 09, 2017 3:17 am
Reputation: 18

Re: RISE OF THE TOMB RAIDER Health hacking

Post by dl748 » Thu Oct 05, 2017 10:48 am

I have a really old Lua script that doesn't use code injection. Just tested it and it still works.

Code:

  -- Resolve the target of a RIP-relative memory operand: the displacement is a
  -- signed 32-bit value relative to the address of the *next* instruction.
  -- readInteger may hand back the raw unsigned 32-bit pattern, so fold values
  -- >= 0x80000000 to their negative two's-complement meaning before adding.
  local function ripTarget(insnAddr, dispAt, insnLen)
    local disp = readInteger(insnAddr + dispAt)
    if disp >= 0x80000000 then
      disp = disp - 0x100000000
    end
    return insnAddr + insnLen + disp
  end

  if HealthLocation == nil then
    -- first hit starts with mov rcx,[rip+disp32] (48 8B 0D disp32): 7 bytes, disp at +3
    HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X")
    -- second hit: the same 7-byte mov starts 6 bytes into the pattern
    HealthLocation2 = AOBScan("45 30 FF FF 50 ?? 48 8B 0D ?? ?? ?? ?? 48 89 C2 45 31 C0","+W-C+X")
  end
  if HealthLocation ~= nil and HealthLocation2 ~= nil then
    local count = stringlist_getCount(HealthLocation)
    local count2 = stringlist_getCount(HealthLocation2)
    if count == 1 and count2 == 1 then
      -- global read by the first mov -> object that carries the health ID
      local address = getAddress(stringlist_getString(HealthLocation,0))
      address = readPointer(ripTarget(address, 3, 7))
      local id = readQword(address+0x348)
      -- global read by the second mov -> object table (count at +0x328, array at +0x330)
      address = getAddress(stringlist_getString(HealthLocation2,0))
      address = readPointer(ripTarget(address + 6, 3, 7))
      local objCount = readInteger(address + 0x328)
      address = readPointer(address + 0x330)
      -- walk the table and keep the object whose ID (+0x338 -> +0x28) matches
      local addr = 0
      for i=0,objCount-1 do
        local tempaddr = readPointer(address + (i*0x8))
        if tempaddr ~= 0 then
          local tempaddr2 = readPointer(tempaddr + 0x338)
          if tempaddr2 ~= 0 then
            local tempid = readQword(tempaddr2+0x28)
            if id == tempid then
              addr = tempaddr
            end
          end
        end
      end
      if addr ~= 0 then
        address = readPointer(addr+0x60E8)
        if address ~= 0 then
          address = readPointer(address+0x3198)
          address = readPointer(address+0xD8)
          local healthpos = 0x20
          local healthloc = readPointer(address + (healthpos * 0x8))
          registerSymbol("MaxHealthLocation", healthloc + 0x2C4)
          address = readPointer(healthloc + 0x2A8)
          registerSymbol("HealthLocation", address + 0x2C)
          -- top up: current health (float at +0x2C) <- max health
          local value = readInteger(healthloc+0x2C4)
          writeFloat(address + 0x2C, value)
        end
      end
    end
  end
This gets the internal ID of health, then loops through the objects to find that ID and registers a symbol for HealthLocation and MaxHealthLocation. It then writes HealthLocation with the float from MaxHealthLocation. I have newer scripting functions that would make this a lot cleaner.
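
What the auto assembler actually emits for the injection scripts earlier in the thread, assembled by hand so the branch arithmetic is visible, together with the RIP-relative decode that the Lua script's offset arithmetic performs. This is an added Python example, not code from the thread or from Cheat Engine: the module base and the cave address are constructed values, the five original bytes and the injection offset are the ones in the posted listing, and the opcode encodings are the documented Intel ones.

```python
import struct

MODULE_BASE = 0x1_4000_0000              # constructed; the real base moves with ASLR
INJECT = MODULE_BASE + 0x3356C18         # "ROTTR.exe"+3356C18: movss [rax+2C],xmm6
CAVE = MODULE_BASE + 0x3400000           # constructed: a plausible spot for alloc(newmem,...)
ORIG_INSN = bytes.fromhex("F30F11702C")  # the 5 bytes at INJECT: exactly room for jmp rel32


def float_imm(value):
    """What CE's (float)N does: the IEEE-754 single-precision bit pattern as a 32-bit immediate."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def rel(src_next, target, width):
    """Signed displacement of a jmp/jcc: target minus the address of the *next*
    instruction. width 1 -> rel8 (jne short), 4 -> rel32 (jmp near). Out of range
    is a hard error; this is why the cave has to sit within +/-2 GiB of the hook and
    why the thread's alloc() passes "ROTTR.exe"+3356C18 as a placement hint."""
    d = target - src_next
    lo, hi = -(1 << (8 * width - 1)), (1 << (8 * width - 1)) - 1
    if not lo <= d <= hi:
        raise ValueError("displacement %#x does not fit rel%d" % (d, 8 * width))
    return d.to_bytes(width, "little", signed=True)


def assemble_cave(inject, cave, god_value):
    """Kalas's short form of the hook, encoded by hand:
             cmp r12,1 / jne code / mov dword [rax+2C],(float)N / jmp return
       code: movss [rax+2C],xmm6 / jmp return
    Returns (bytes for the cave, bytes for the hook written at `inject`)."""
    ret = inject + len(ORIG_INSN)                  # 'return:' = first byte after the patch
    cmp_r12 = bytes.fromhex("4983FC01")            # cmp r12,1  (REX.W+B, 83 /7 ib)
    mov_imm = bytes.fromhex("C7402C") + struct.pack("<I", float_imm(god_value))  # C7 /0 id
    # cave layout: cmp(4) jne(2) mov(7) jmp(5) code: movss(5) jmp(5)
    off_jne, off_mov = len(cmp_r12), len(cmp_r12) + 2
    off_jmp1 = off_mov + len(mov_imm)
    off_code = off_jmp1 + 5
    off_jmp2 = off_code + len(ORIG_INSN)
    body = (cmp_r12
            + b"\x75" + rel(cave + off_jne + 2, cave + off_code, 1)   # jne code
            + mov_imm                                                # mov [rax+2C],imm32
            + b"\xE9" + rel(cave + off_jmp1 + 5, ret, 4)             # jmp return
            + ORIG_INSN                                              # code: original movss
            + b"\xE9" + rel(cave + off_jmp2 + 5, ret, 4))            # jmp return
    hook = b"\xE9" + rel(inject + 5, cave, 4)                        # health1: jmp newmem
    return body, hook


def rip_relative_target(insn_addr, insn, disp_at):
    """Resolve a RIP-relative operand such as the 7-byte `48 8B 0D disp32`
    (mov rcx,[rip+disp32]) the Lua script scans for: address of the next
    instruction + disp32 decoded as *signed*. A negative disp32 taken as unsigned
    points 4 GiB too high."""
    disp = struct.unpack_from("<i", insn, disp_at)[0]
    return insn_addr + len(insn) + disp


if __name__ == "__main__":
    body, hook = assemble_cave(INJECT, CAVE, 9999.0)
    print("newmem :", body.hex())
    print("health1:", hook.hex())
    # constructed: mov rcx,[rip-0x10] sitting at 0x1000 reads 0x1007 - 0x10 = 0xff7
    print(hex(rip_relative_target(0x1000, bytes.fromhex("488B0DF0FFFFFF"), 3)))
```

Two things the arithmetic makes explicit: every displacement is relative to the end of the branch instruction, not its start (which is why `return:` sits right after the five patched bytes), and rel32 only reaches plus or minus 2 GiB, which is why `alloc` is given the injection address as a hint. The same signed decode is what the RIP-relative `mov rcx,[rip+disp32]` needs; reading the displacement as unsigned and then subtracting its one's complement lands one byte off, so a script doing that only works when another constant happens to compensate.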

SunBeam
Trouble Makers
Posts: 436
Joined: Thu Mar 02, 2017 10:15 pm
Reputation: 125

Re: RISE OF THE TOMB RAIDER Health hacking

Post by SunBeam » Thu Oct 05, 2017 10:39 pm

^ Either next question would be how that works OR "it's too advanced for me". Just anticipating.

pharaon
Cheater
Posts: 29
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon » Fri Oct 06, 2017 1:01 pm

SunBeam wrote:
Thu Oct 05, 2017 10:39 pm
^ Either next question would be how that works OR "it's too advanced for me". Just anticipating.
At least he is trying to help, not just commenting like you do.

SunBeam
Trouble Makers
Posts: 436
Joined: Thu Mar 02, 2017 10:15 pm
Reputation: 125

Re: RISE OF THE TOMB RAIDER Health hacking

Post by SunBeam » Fri Oct 06, 2017 1:47 pm

^ Here we go: https://software.intel.com/en-us/articl ... 4-assembly. Hope it helps.

Also, stopping by to teach me a lesson by posting yourself something off-topic puts you in the same bucket, wouldn't you say? Funny how you tell me off, while you do the exact same thing. You're just a spectator here, you don't get a waiver from the rule you just enunciated.

pharaon
Cheater
Posts: 29
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon » Fri Oct 06, 2017 9:07 pm

SunBeam wrote:
Fri Oct 06, 2017 1:47 pm
^ Here we go: https://software.intel.com/en-us/articl ... 4-assembly. Hope it helps.
thx
