RISE OF THE TOMB RAIDER Health hacking

Memory scanning, code injection, debugger internals and other gamemodding related discussion
pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

I'm trying to separate the hero's life from the enemies' life by different registers: the hero register RDI=000000000000012C is always the same and is different for the enemies.

I tried this code but it's not working.

Code:

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)

newmem:
pushf
cmp RDI,000000000000012C
jne code
popf
mov [rax+2C],(float)450
jmp return

code:
popf
movss [rax+2C],xmm6
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

Bloodybone
Table Makers
Posts: 288
Joined: Thu Aug 03, 2017 6:19 am
Reputation: 133

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Bloodybone »

After testing around I found out that you can only use je for some odd reason ... So maybe this will work:

Code:

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(hero)

newmem:
pushf
cmp RDI,000000000000012C
je hero
popf
jmp code

hero:
mov [rax+2C],(float)450
popf
jmp return

code:
movss [rax+2C],xmm6
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

I had to adjust it because it crashes the game.

Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(hero)

newmem:
pushf
cmp RDI,000000000000012C
je hero
jmp code

hero:
popf
mov [rax+2C],(float)450
jmp return

code:
popf
movss [rax+2C],xmm6
jmp return

health1:
jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)


But it's still not working and Lara dies.

Bloodybone
Table Makers
Posts: 288
Joined: Thu Aug 03, 2017 6:19 am
Reputation: 133

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Bloodybone »

Maybe instead of using "cmp RDI,000000000000012C" use "cmp RDI,12C"; it works for me. But if that doesn't work, compare the enemies and Lara another way, like through Dissect data/Structures or through the stack (I prefer the Dissect data/Structures method).

seikur0
Code Alchemist
Posts: 440
Joined: Sat Aug 26, 2017 10:48 am
Reputation: 339

Re: RISE OF THE TOMB RAIDER Health hacking

Post by seikur0 »

I wouldn't push the flags to the stack here; in 99.999999% of the cases you do an instruction and use the flags immediately afterwards, after that they become obsolete, so there is no need to preserve them.

And instead of alloc(newmem,$1000,"ROTTR.exe"+3356C18) you can use alloc(newmem,$1000,health1), so the memory gets reserved near the aob.

Last but not least, rdi might be a pretty weird register to find the identification of the player in; it is mainly used for moving strings in memory. As Bloodybone already stated, it might be better to find some other way to identify the player.
It could be that an rdi of 12C always means you have the player health. But player health maybe doesn't always lead to an rdi of 12C?

Kalas
Expert Cheater
Posts: 551
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 134

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas »

Just do:

newmem:

cmp rdi,000000000000012C
jne code
mov [rax+2C],(float)450
jmp return

If the cmp doesn't work try to find a new way to cmp in dissect data.

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

I tried through Dissect data/Structures but the offset keeps changing. What should I do?

Kalas
Expert Cheater
Posts: 551
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 134

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas »

pharaon wrote:
Mon Sep 18, 2017 12:16 am
I tried through Dissect data/Structures but the offset keeps changing. What should I do?
Find a new one; I suggest looking for 1 and 0, those usually remain the same.

I would export the Dissect Data Structure to a notepad and another one to compare. It may take a bit of time, but you could just use a small size because usually you can find a good offset to cmp in only the very first lines.

TheByteSize
Expert Cheater
Posts: 293
Joined: Sat Mar 04, 2017 7:28 am
Reputation: 232

Re: RISE OF THE TOMB RAIDER Health hacking

Post by TheByteSize »

If you're sure RDI contains the identifier for your char's health ID,
copy that RDI to one of r8d~r15d then do the comparison.

Another way is to check the data around [rax+2C]; usually there is an identifier for the player character near the Health address.

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

Kalas wrote:
Mon Sep 18, 2017 10:23 am
pharaon wrote:
Mon Sep 18, 2017 12:16 am
I tried through Dissect data/Structures but the offset keeps changing. What should I do?
Find a new one; I suggest looking for 1 and 0, those usually remain the same.

I would export the Dissect Data Structure to a notepad and another one to compare. It may take a bit of time, but you could just use a small size because usually you can find a good offset to cmp in only the very first lines.

Tried, and still some enemies share the offset value with me.

That is the code I got so far, and some enemies still show up with the same value.

Code:

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp [rax+B04],1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

TheByteSize wrote:
Mon Sep 18, 2017 6:50 pm
Another way is to check the data around [rax+2C]; usually there is an identifier for the player character near the Health address.
Please explain how I can do that.

TheByteSize
Expert Cheater
Posts: 293
Joined: Sat Mar 04, 2017 7:28 am
Reputation: 232

Re: RISE OF THE TOMB RAIDER Health hacking

Post by TheByteSize »

pharaon wrote:
Mon Sep 18, 2017 7:23 pm
TheByteSize wrote:
Mon Sep 18, 2017 6:50 pm
Another way is to check the data around [rax+2C]; usually there is an identifier for the player character near the Health address.
Please explain how I can do that.
Find the address that contains your char's health, then add that to your table, then right click and browse that address location, then look around and see if anything is obvious; you may find that 12C around there.

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

TheByteSize wrote:
Mon Sep 18, 2017 7:33 pm
Find the address that contains your char's health, then add that to your table, then right click and browse that address location, then look around and see if anything is obvious; you may find that 12C around there.
This is what I found:

Code:

ROTTR.exe+3356BD1 - 66 66 66 66 66 66 2E 0F1F 84 00 00000000  - nop cs:[rax+rax+00000000]
ROTTR.exe+3356BE0 - 53                    - push rbx
ROTTR.exe+3356BE1 - 48 83 EC 30           - sub rsp,30 { 48 }
ROTTR.exe+3356BE5 - 48 89 CB              - mov rbx,rcx
ROTTR.exe+3356BE8 - 48 8B 0D 39A74FFF     - mov rcx,[ROTTR.exe+2851328] { [858496A0] }
ROTTR.exe+3356BEF - 0F29 74 24 20         - movaps [rsp+20],xmm6
ROTTR.exe+3356BF4 - 48 8B 01              - mov rax,[rcx]
ROTTR.exe+3356BF7 - 0F28 F1               - movaps xmm6,xmm1
ROTTR.exe+3356BFA - FF 90 08010000        - call qword ptr [rax+00000108]
ROTTR.exe+3356C00 - 84 C0                 - test al,al
ROTTR.exe+3356C02 - 75 34                 - jne ROTTR.exe+3356C38
ROTTR.exe+3356C04 - 48 8B 83 A8020000     - mov rax,[rbx+000002A8]
ROTTR.exe+3356C0B - 66 0F6E 40 28         - movd xmm0,[rax+28]
ROTTR.exe+3356C10 - 0F5B C0               - cvtdq2ps xmm0,xmm0
ROTTR.exe+3356C13 - 0F2E F0               - ucomiss xmm6,xmm0
ROTTR.exe+3356C16 - 74 20                 - je ROTTR.exe+3356C38
ROTTR.exe+3356C18 - F3 0F11 70 2C         - movss [rax+2C],xmm6
ROTTR.exe+3356C1D - 48 8B 8B A8020000     - mov rcx,[rbx+000002A8]
ROTTR.exe+3356C24 - F3 0F2C 41 2C         - cvttss2si eax,[rcx+2C]
ROTTR.exe+3356C29 - 89 41 28              - mov [rcx+28],eax
ROTTR.exe+3356C2C - 48 8B 8B A8020000     - mov rcx,[rbx+000002A8]
ROTTR.exe+3356C33 - E8 6878FCFF           - call ROTTR.exe+331E4A0
ROTTR.exe+3356C38 - 0F28 74 24 20         - movaps xmm6,[rsp+20]
ROTTR.exe+3356C3D - 48 83 C4 30           - add rsp,30 { 48 }
ROTTR.exe+3356C41 - 5B                    - pop rbx
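The scripts in this thread replace the 5-byte movss at ROTTR.exe+3356C18 with a jmp into an allocated cave, and seikur0's alloc(newmem,$1000,health1) keeps that cave within the jump's reach. The C below is an added example, not code from the thread or from Cheat Engine: it encodes that rel32 jmp and then runs the integrity check a defender (an anti-cheat module or a self-check in the game) would use to spot it, comparing live code against the clean bytes copied from the listing above. The image base, image size and cave address are assumed, constructed values.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout (constructed): image base/size and where the cave landed. */
#define MOD_BASE 0x140000000ULL
#define MOD_SIZE 0x03500000ULL
#define HOOK_VA  (MOD_BASE + 0x3356C18ULL)   /* the movss [rax+2C],xmm6 */
#define CAVE_VA  0x143600000ULL              /* just past the image */
static uint8_t g_jmp[5];                     /* scratch for encoded jumps */
/* Encode "jmp rel32" from `from` to `to`; returns 0 if `to` is beyond the
 * signed 32-bit reach (why alloc(newmem,$1000,health1) puts the cave nearby). */
static int encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[5]) {
    int64_t disp = (int64_t)to - (int64_t)(from + 5); /* relative to next insn */
    if (disp < INT32_MIN || disp > INT32_MAX) return 0;
    int32_t d = (int32_t)disp;
    out[0] = 0xE9;              /* jmp rel32 opcode */
    memcpy(out + 1, &d, 4);     /* little-endian displacement */
    return 1;
}
/* Displacement read back out of an encoded E9 jmp. */
static uint32_t jmp_disp(const uint8_t *j) { int32_t d; memcpy(&d, j + 1, 4); return (uint32_t)d; }
/* Defender side: first offset where live code differs from the clean image, or -1. */
static long first_diff(const uint8_t *clean, const uint8_t *live, size_t n) {
    for (size_t i = 0; i < n; i++) if (clean[i] != live[i]) return (long)i;
    return -1;
}
/* 1 if the bytes at `p` (virtual address `va`) are an E9 jmp leaving the range
 * [base, base+size): the signature of an inline hook into a foreign code cave. */
static int foreign_jmp(const uint8_t *p, uint64_t va, uint64_t base, uint64_t size,
                       uint64_t *target) {
    if (p[0] != 0xE9) return 0;
    *target = va + 5 + (int64_t)(int32_t)jmp_disp(p);
    return *target < base || *target >= base + size;
}
/* Clean bytes of ROTTR.exe+3356C04..3356C2C, copied from the listing above; the
 * hooked movss sits at offset 0x14 and is exactly 5 bytes, so the jmp replaces
 * one whole instruction (the next one starts at 3356C1D). */
static const uint8_t CLEAN[40] = {
    0x48,0x8B,0x83,0xA8,0x02,0x00,0x00, 0x66,0x0F,0x6E,0x40,0x28, 0x0F,0x5B,0xC0,
    0x0F,0x2E,0xF0, 0x74,0x20, 0xF3,0x0F,0x11,0x70,0x2C, 0x48,0x8B,0x8B,0xA8,0x02,
    0x00,0x00, 0xF3,0x0F,0x2C,0x41,0x2C, 0x89,0x41,0x28 };
/* Install the script's jmp on a copy of the code, then run the integrity check;
 * returns the cave address the hook jumps to, or 0 if nothing was flagged. */
static uint64_t demo_hook_target(void) {
    uint8_t live[40]; uint64_t target = 0;
    memcpy(live, CLEAN, sizeof live);
    if (!encode_jmp_rel32(HOOK_VA, CAVE_VA, live + 0x14)) return 0;
    long off = first_diff(CLEAN, live, sizeof live);
    return (off >= 0 && foreign_jmp(live + off, HOOK_VA - 0x14 + off,
                                    MOD_BASE, MOD_SIZE, &target)) ? target : 0;
}
```

A real check would hash or compare whole executable sections against the on-disk image rather than a 40-byte window, but the decision rule is the same: a differing span that decodes to a jmp whose target lies outside the module is an inline hook.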

TheByteSize
Expert Cheater
Posts: 293
Joined: Sat Mar 04, 2017 7:28 am
Reputation: 232

Re: RISE OF THE TOMB RAIDER Health hacking

Post by TheByteSize »

Yup, that 12C is at the -04 position from the [rax+2c] address.
[Link]
This code should do the trick.

Oops, there is a bug in the code I posted.
Last edited by TheByteSize on Mon Sep 18, 2017 8:20 pm, edited 1 time in total.

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

How are you displaying your memory that way? Because mine looks like this:

[Link]

But the code didn't work; it decreased my health and then crashed the game.
