RISE OF THE TOMB RAIDER Health hacking

Memory scanning, code injection, debugger internals and other gamemodding related discussion
Kalas
Expert Cheater
Posts: 551
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 134

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas »

pharaon wrote:
Fri Sep 22, 2017 4:37 pm
This one works:


[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

but this one does not work:



[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R13,0
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
Any explanation?

Hmm, because you use different registers?

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

I know I use a different register, but why does the compare against the second register not work?

Kalas
Expert Cheater
Posts: 551
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 134

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas »

Because Lara is in the R12 register and not R13.

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

How can I know which register is for Lara and which is not?

Kalas
Expert Cheater
Posts: 551
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 134

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas »

pharaon wrote:
Fri Sep 22, 2017 6:07 pm
how can i know which register is for lara and which is not
By testing, as you tested R12 and R13. Sometimes both can work, but this time you see R12 works fine for your Lara and still subtracts health from enemies :)

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

Is the code right this way?

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)9999
jmp return

health1:
jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

Kalas
Expert Cheater
Posts: 551
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 134

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas »

Yep

Could just do:

cmp r12,1
jne code
mov [rax+2C],(float)999
jmp return

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

How about this code?


{ Game   : ROTTR.exe
  Version: 
  Date   : 2017-09-26
  Author : DeskTop

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)


newmem:
cmp R12,1
jne code
push eax
mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
pop eax
jmp return

code:
  movss [rax+2C],xmm6
  jmp return

laraGODmode:
push eax
mov eax,(float)9999
movd xmm0,eax

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 70 2C

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "ROTTR.exe"+3356C18

"ROTTR.exe"+3356BF4: 48 8B 01                                      -  mov rax,[rcx]
"ROTTR.exe"+3356BF7: 0F 28 F1                                      -  movaps xmm6,xmm1
"ROTTR.exe"+3356BFA: FF 90 08 01 00 00                             -  call qword ptr [rax+00000108]
"ROTTR.exe"+3356C00: 84 C0                                         -  test al,al
"ROTTR.exe"+3356C02: 75 34                                         -  jne ROTTR.exe+3356C38
"ROTTR.exe"+3356C04: 48 8B 83 A8 02 00 00                          -  mov rax,[rbx+000002A8]
"ROTTR.exe"+3356C0B: 66 0F 6E 40 28                                -  movd xmm0,[rax+28]
"ROTTR.exe"+3356C10: 0F 5B C0                                      -  cvtdq2ps xmm0,xmm0
"ROTTR.exe"+3356C13: 0F 2E F0                                      -  ucomiss xmm6,xmm0
"ROTTR.exe"+3356C16: 74 20                                         -  je ROTTR.exe+3356C38
// ---------- INJECTING HERE ----------
"ROTTR.exe"+3356C18: F3 0F 11 70 2C                                -  movss [rax+2C],xmm6
// ---------- DONE INJECTING  ----------
"ROTTR.exe"+3356C1D: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C24: F3 0F 2C 41 2C                                -  cvttss2si eax,[rcx+2C]
"ROTTR.exe"+3356C29: 89 41 28                                      -  mov [rcx+28],eax
"ROTTR.exe"+3356C2C: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C33: E8 68 78 FC FF                                -  call ROTTR.exe+331E4A0
"ROTTR.exe"+3356C38: 0F 28 74 24 20                                -  movaps xmm6,[rsp+20]
"ROTTR.exe"+3356C3D: 48 83 C4 30                                   -  add rsp,30
"ROTTR.exe"+3356C41: 5B                                            -  pop rbx
"ROTTR.exe"+3356C42: C3                                            -  ret 
"ROTTR.exe"+3356C43: CC                                            -  int 3 
}

Kalas
Expert Cheater
Posts: 551
Joined: Fri Mar 03, 2017 9:49 am
Reputation: 134

Re: RISE OF THE TOMB RAIDER Health hacking

Post by Kalas »

Again you are adding unneeded stuff; just do mov [rax+2C],(float)9999

But in general I think that, yeah, it should work.

seikur0
Code Alchemist
Posts: 440
Joined: Sat Aug 26, 2017 10:48 am
Reputation: 339

Re: RISE OF THE TOMB RAIDER Health hacking

Post by seikur0 »


mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6

This should totally crash your game.

Do this:


cmp R12,1
jne code
mov ecx,(float)9999
movd xmm6,ecx

code:
  movss [rax+2C],xmm6
  jmp return

ecx, because it gets overwritten after that. (Also it may not be necessary to overwrite xmm6.)
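
Why the eax version faults and the ecx version does not comes down to register aliasing: on x86-64 a write to the 32-bit half (eax) zero-extends into the whole 64-bit register (rax), so the pointer that movss needs as its base is gone by the time the store runs. The following is an added illustration in Python, not code from this thread or from Cheat Engine; the object address, the health value and the memory map are constructed, and it only models the three instructions seikur0 quotes.

```python
import struct

MASK64 = (1 << 64) - 1


def float_bits(value):
    """32-bit IEEE-754 pattern, i.e. what the auto-assembler encodes for (float)value."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def write_gpr32(regs, reg64, value):
    """Model a write to the 32-bit alias (eax, ecx, ...) of a 64-bit register:
    on x86-64 the upper 32 bits are zeroed, so a pointer held in rax is lost."""
    regs[reg64] = value & 0xFFFFFFFF


def movss_store(regs, memory, base_reg, disp, value):
    """Model 'movss [base+disp],xmm' against a sparse memory map; an address that
    is not mapped is what the game would fault on."""
    addr = (regs[base_reg] + disp) & MASK64
    if addr not in memory:
        raise MemoryError(f"store to unmapped address {addr:#x}")
    memory[addr] = value


def run_variant(scratch_reg):
    """Run the hook body with eax (scratch_reg='rax') or ecx (scratch_reg='rcx')
    as the temporary; returns ('ok', new health) or ('crash', reason)."""
    # Constructed state: rax holds the health object pointer, as at the hook.
    obj = 0x1F0C2A400000
    regs = {"rax": obj, "rcx": 0x11}
    memory = {obj + 0x2C: 100.0}          # only the health field is mapped

    write_gpr32(regs, scratch_reg, float_bits(9999.0))          # mov eax/ecx,(float)9999
    xmm6 = struct.unpack("<f", struct.pack("<I", regs[scratch_reg]))[0]  # movd xmm6,eax/ecx
    try:
        movss_store(regs, memory, "rax", 0x2C, xmm6)             # movss [rax+2C],xmm6
    except MemoryError as exc:
        return ("crash", str(exc))
    return ("ok", memory[obj + 0x2C])


if __name__ == "__main__":
    print("eax as scratch:", run_variant("rax"))
    print("ecx as scratch:", run_variant("rcx"))
```

With eax as scratch, rax becomes 0x461C3C00 (the bit pattern of 9999.0f) and the store lands on an address that is not the health object; with ecx as scratch, rax is untouched and the field is overwritten as intended.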

dl748
Table Makers
Posts: 116
Joined: Sun Jul 09, 2017 3:17 am
Reputation: 98

Re: RISE OF THE TOMB RAIDER Health hacking

Post by dl748 »

I have a really old LUA script that doesn't use code injection. Just tested and it still works.


  if HealthLocation == nil then
    HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X")
    HealthLocation2 = AOBScan("45 30 FF FF 50 ?? 48 8B 0D ?? ?? ?? ?? 48 89 C2 45 31 C0","+W-C+X")
  end
  if HealthLocation ~= nil and HealthLocation2 ~= nil then
    count = stringlist_getCount(HealthLocation)
    count2 = stringlist_getCount(HealthLocation2)
    if count == 1 and count2 == 1 then
      address = getAddress(stringlist_getString(HealthLocation,0))
      offset = readInteger(address+3)
      address = address + 6
      if offset >= 0x80000000 then
        address = address - bAnd(bNot(offset),0xFFFFFFFF)
      else
        address = address + offset
      end
      address = readPointer(address)
      local id = readQword(address+0x348)
      address = getAddress(stringlist_getString(HealthLocation2,0))
      offset = readInteger(address+9)
      address = address + 12
      if offset >= 0x80000000 then
        address = address - bAnd(bNot(offset),0xFFFFFFFF)
      else
        address = address + offset
      end
      address = readPointer(address)
      local count = readInteger(address + 0x328)
      address = readPointer(address + 0x330)
      local addr = 0
      for i=0,count-1 do
        local tempaddr = readPointer(address + (i*0x8))
        if tempaddr ~= 0 then
          local tempaddr2 = readPointer(tempaddr + 0x338)
          if tempaddr2 ~= 0 then
            local tempid = readQword(tempaddr2+0x28)
            if id == tempid then
              addr = tempaddr
            end
          end
        end
      end
      if addr ~= 0 then
        address = readPointer(addr+0x60E8)
        if address ~= 0 then
          address = readPointer(address+0x3198)
          address = readPointer(address+0xD8)
          local healthpos = 0x20
          local healthloc = readPointer(address + (healthpos * 0x8))
          registerSymbol("MaxHealthLocation", healthloc + 0x2C4)
          address = readPointer(healthloc + 0x2A8)
          registerSymbol("HealthLocation", address + 0x2C)
          value = readInteger(healthloc+0x2C4)
          writeFloat(address + 0x2C, value)
        end
      end
    end
  end

This gets the internal ID of health, then loops through the objects to find that ID and registers a symbol for HealthLocation and MaxHealthLocation. It then writes HealthLocation with the float from MaxHealthLocation. I have newer scripting functions that would make this a lot cleaner.

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

SunBeam wrote:
Thu Oct 05, 2017 10:39 pm
^ Either next question would be how that works OR "it's too advanced for me". Just anticipating.
At least he is trying to help, not just commenting like you do.

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

SunBeam wrote:
Fri Oct 06, 2017 1:47 pm
^ Here we go: [Link]. Hope it helps.
Thanks.

dl748
Table Makers
Posts: 116
Joined: Sun Jul 09, 2017 3:17 am
Reputation: 98

Re: RISE OF THE TOMB RAIDER Health hacking

Post by dl748 »

It follows a static address down to the correct health pointer, using code similar to what the engine uses, but in Lua.

1. Follows a static pointer down to the ID of the health record.
2. Uses that ID to follow a hash/associative array down to the actual health record.
3. Creates/updates a symbol "HealthLocation" with the address of the health (I don't use symbols anymore, but create records in my latest code).

The first Tomb Raider uses the exact same method; I have updated the first game with my new code but not the latest.

viewtopic.php?f=4&t=4118&p=13996#p13996

HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X") -- Locates the assembly code that references the static address. I've found it's LESS likely that coders will change code that accesses a global variable than that they would, say, change how health is calculated, which is why code like this will generally work from version to version, unlike code that attacks where health is being modified.

HealthLocation + 3 = Static address (as a code offset, the integer located here is an offset to where the static address is)
[[Static + 0] + 0x348] = Id of the health record

HealthLocation2 + 9 = Static location of the hash
[[Static + 0] + 0x328] = Item count
[[Static + 0] + 0x330] = Address of hash

Loop through items (0,count-1) and read the pointer at HashAddr + (i*8)
[[itemaddr + 0x338]+0x28] = id of item -- find the id that matches the health id

[[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2A8] + 0x2C] = float of health
[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2C4] = int of max health

I prefer this reference [Link]
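
Putting dl748's Lua script and the pointer-walk explanation above into one runnable piece, here is an added Python example; it is not the thread's own script and not Cheat Engine code. It resolves the RIP-relative displacement of each pattern hit using the standard x86-64 rule (address of the next instruction plus the sign-extended 32-bit displacement), then follows the offsets listed in the post (0x348, 0x328, 0x330, 0x338, 0x28, 0x60E8, 0x3198, 0xD8, 0x20*8, 0x2A8, 0x2C, 0x2C4) through a constructed fake memory image. All addresses, IDs and values in `build_sample_image` are made up for the demonstration; one static reference is placed ahead of the code and one behind it so both displacement signs are exercised, and the item table includes an empty slot the loop has to skip.

```python
import struct


class FakeMemory:
    """Sparse byte-addressable memory standing in for the game process."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, size):
        if any(addr + i not in self.cells for i in range(size)):
            raise ValueError(f"unmapped read at {addr:#x}")   # a bad read in-game
        return bytes(self.cells[addr + i] for i in range(size))

    def read_i32(self, a): return struct.unpack("<i", self.read(a, 4))[0]
    def read_u32(self, a): return struct.unpack("<I", self.read(a, 4))[0]
    def read_u64(self, a): return struct.unpack("<Q", self.read(a, 8))[0]
    def read_f32(self, a): return struct.unpack("<f", self.read(a, 4))[0]
    def write_i32(self, a, v): self.write(a, struct.pack("<i", v))
    def write_u32(self, a, v): self.write(a, struct.pack("<I", v))
    def write_u64(self, a, v): self.write(a, struct.pack("<Q", v))
    def write_f32(self, a, v): self.write(a, struct.pack("<f", v))


def resolve_rip_relative(mem, insn_addr, insn_len, disp_offset):
    """Target of a RIP-relative operand: next-instruction address plus the
    sign-extended disp32 (standard x86-64 semantics, not taken from the post)."""
    return insn_addr + insn_len + mem.read_i32(insn_addr + disp_offset)


def find_health_record(mem, loc1, loc2):
    """Walk from the two pattern hits to (health_addr, max_health_addr), or None."""
    # loc1 hit: 'mov rcx,[rip+disp32]' is 48 8B 0D disp32, 7 bytes, disp at +3
    static1 = resolve_rip_relative(mem, loc1, 7, 3)
    health_id = mem.read_u64(mem.read_u64(static1) + 0x348)

    # loc2 hit: the same mov starts 6 bytes into the longer pattern, so its
    # displacement is at +9 and the next instruction at +13
    static2 = resolve_rip_relative(mem, loc2 + 6, 7, 3)
    table = mem.read_u64(static2)
    count = mem.read_u32(table + 0x328)
    items = mem.read_u64(table + 0x330)

    match = 0
    for i in range(count):
        item = mem.read_u64(items + i * 8)
        if item == 0:
            continue                                  # empty slot
        id_block = mem.read_u64(item + 0x338)
        if id_block and mem.read_u64(id_block + 0x28) == health_id:
            match = item
    if match == 0:
        return None

    a = mem.read_u64(match + 0x60E8)
    if a == 0:
        return None
    b = mem.read_u64(a + 0x3198)
    c = mem.read_u64(b + 0xD8)
    healthloc = mem.read_u64(c + 0x20 * 8)
    return mem.read_u64(healthloc + 0x2A8) + 0x2C, healthloc + 0x2C4


def refill_health(mem, loc1, loc2):
    """Copy the integer max health into the float current health, as the script does."""
    found = find_health_record(mem, loc1, loc2)
    if found is None:
        return None
    health_addr, max_addr = found
    mem.write_f32(health_addr, float(mem.read_i32(max_addr)))
    return mem.read_f32(health_addr)


def build_sample_image():
    """Constructed layout; every address and value here is invented for the demo."""
    mem = FakeMemory()
    loc1, loc2 = 0x140001000, 0x140002000
    static1, static2 = 0x140500000, 0x140000800      # forward and backward references
    mem.write(loc1, bytes.fromhex("488B0D"))
    mem.write_i32(loc1 + 3, static1 - (loc1 + 7))
    mem.write(loc2, bytes.fromhex("4530FFFF5001488B0D"))
    mem.write_i32(loc2 + 9, static2 - (loc2 + 13))

    obj, table, items = 0x200000, 0x300000, 0x400000
    mem.write_u64(static1, obj)
    mem.write_u64(obj + 0x348, 0x1234)               # ID of the health record
    mem.write_u64(static2, table)
    mem.write_u32(table + 0x328, 3)                  # item count, slot 1 left empty
    mem.write_u64(table + 0x330, items)
    for i, item in enumerate((0x500000, 0, 0x600000)):
        mem.write_u64(items + i * 8, item)
    for item, ident in ((0x500000, 0x9999), (0x600000, 0x1234)):
        mem.write_u64(item + 0x338, item + 0x1000)
        mem.write_u64(item + 0x1000 + 0x28, ident)

    a, b, c, healthloc, rec = 0x700000, 0x710000, 0x720000, 0x730000, 0x740000
    mem.write_u64(0x600000 + 0x60E8, a)
    mem.write_u64(a + 0x3198, b)
    mem.write_u64(b + 0xD8, c)
    mem.write_u64(c + 0x20 * 8, healthloc)
    mem.write_u64(healthloc + 0x2A8, rec)
    mem.write_i32(healthloc + 0x2C4, 450)            # max health (int)
    mem.write_f32(rec + 0x2C, 123.5)                 # current health (float)
    return mem, loc1, loc2


if __name__ == "__main__":
    mem, loc1, loc2 = build_sample_image()
    print(find_health_record(mem, loc1, loc2), refill_health(mem, loc1, loc2))
```

The reason the whole chain starts from an instruction rather than a hard-coded address is the one dl748 gives: a global-variable access is a stable anchor across builds, and everything after it is re-derived at run time, so a relocated module or a re-laid-out table only breaks the script if the offsets themselves change.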

pharaon
Expert Cheater
Posts: 93
Joined: Sat Aug 05, 2017 1:42 pm
Reputation: 0

Re: RISE OF THE TOMB RAIDER Health hacking

Post by pharaon »

dl748 wrote:
Sun Oct 08, 2017 1:20 pm
It follows a static address down to the correct health pointer by using similar code that the engine uses but in LUA.
Great help, man, thanks a lot.
