Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Fri Sep 22, 2017 5:38 pm
by Kalas
pharaon wrote: ↑Fri Sep 22, 2017 4:37 pm
This one works:
[ENABLE]
aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)
label(code)
label(return)
label(laraGODmode)
newmem:
cmp R12,1
je laraGODmode
code:
movss [rax+2C],xmm6
jmp return
laraGODmode:
mov [rax+2C],(float)450
jmp return
health1:
jmp newmem
return:
registersymbol(health1)
[DISABLE]
health1:
db F3 0F 11 70 2C
unregistersymbol(health1)
dealloc(newmem)
but this one does not work:
[ENABLE]
aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)
label(code)
label(return)
label(laraGODmode)
newmem:
cmp R13,0
je laraGODmode
code:
movss [rax+2C],xmm6
jmp return
laraGODmode:
mov [rax+2C],(float)450
jmp return
health1:
jmp newmem
return:
registersymbol(health1)
[DISABLE]
health1:
db F3 0F 11 70 2C
unregistersymbol(health1)
dealloc(newmem)
Any explanation?
Hmm, because you use different registers?
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Fri Sep 22, 2017 5:52 pm
by pharaon
I know I use a different register,
but why is the compare to the second register not working?
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Fri Sep 22, 2017 5:59 pm
by Kalas
Because Lara is in the R12 register and not R13.
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Fri Sep 22, 2017 6:07 pm
by pharaon
How can I know which register is for Lara and which is not?
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Fri Sep 22, 2017 6:48 pm
by Kalas
pharaon wrote: ↑Fri Sep 22, 2017 6:07 pm
How can I know which register is for Lara and which is not?
By testing, as you tested R12 and R13. Sometimes both can work, but this time you see R12 works fine for your Lara and still subtracts health from enemies.
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Mon Sep 25, 2017 4:34 pm
by pharaon
Is the code right this way?
[ENABLE]
aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)
label(code)
label(return)
label(laraGODmode)
newmem:
cmp R12,1
je laraGODmode
code:
movss [rax+2C],xmm6
jmp return
laraGODmode:
mov [rax+2C],(float)9999
jmp return
health1:
jmp newmem
return:
registersymbol(health1)
[DISABLE]
health1:
db F3 0F 11 70 2C
unregistersymbol(health1)
dealloc(newmem)
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Mon Sep 25, 2017 6:20 pm
by Kalas
Yep.
Could just do:
cmp r12,1
jne code
mov [rax+2C],(float)999
jmp return
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Tue Sep 26, 2017 1:04 am
by pharaon
How about this code?
{ Game : ROTTR.exe
Version:
Date : 2017-09-26
Author : DeskTop
This script does blah blah blah
}
[ENABLE]
aobscanmodule(INJECT,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)
label(code)
label(return)
newmem:
cmp R12,1
jne code
push eax
mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
pop eax
jmp return
code:
movss [rax+2C],xmm6
jmp return
laraGODmode:
push eax
mov eax,(float)9999
movd xmm0,eax
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db F3 0F 11 70 2C
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: "ROTTR.exe"+3356C18
"ROTTR.exe"+3356BF4: 48 8B 01 - mov rax,[rcx]
"ROTTR.exe"+3356BF7: 0F 28 F1 - movaps xmm6,xmm1
"ROTTR.exe"+3356BFA: FF 90 08 01 00 00 - call qword ptr [rax+00000108]
"ROTTR.exe"+3356C00: 84 C0 - test al,al
"ROTTR.exe"+3356C02: 75 34 - jne ROTTR.exe+3356C38
"ROTTR.exe"+3356C04: 48 8B 83 A8 02 00 00 - mov rax,[rbx+000002A8]
"ROTTR.exe"+3356C0B: 66 0F 6E 40 28 - movd xmm0,[rax+28]
"ROTTR.exe"+3356C10: 0F 5B C0 - cvtdq2ps xmm0,xmm0
"ROTTR.exe"+3356C13: 0F 2E F0 - ucomiss xmm6,xmm0
"ROTTR.exe"+3356C16: 74 20 - je ROTTR.exe+3356C38
// ---------- INJECTING HERE ----------
"ROTTR.exe"+3356C18: F3 0F 11 70 2C - movss [rax+2C],xmm6
// ---------- DONE INJECTING ----------
"ROTTR.exe"+3356C1D: 48 8B 8B A8 02 00 00 - mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C24: F3 0F 2C 41 2C - cvttss2si eax,[rcx+2C]
"ROTTR.exe"+3356C29: 89 41 28 - mov [rcx+28],eax
"ROTTR.exe"+3356C2C: 48 8B 8B A8 02 00 00 - mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C33: E8 68 78 FC FF - call ROTTR.exe+331E4A0
"ROTTR.exe"+3356C38: 0F 28 74 24 20 - movaps xmm6,[rsp+20]
"ROTTR.exe"+3356C3D: 48 83 C4 30 - add rsp,30
"ROTTR.exe"+3356C41: 5B - pop rbx
"ROTTR.exe"+3356C42: C3 - ret
"ROTTR.exe"+3356C43: CC - int 3
}
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Tue Sep 26, 2017 7:10 am
by Kalas
Again you are adding unneeded stuff; just do mov [rax+2C],(float)9999.
But in general I think that, yeah, it should work.
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Tue Sep 26, 2017 8:43 pm
by seikur0
mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
This should totally crash your game.
Do this:
cmp R12,1
jne code
mov ecx,(float)9999
movd xmm6,ecx
code:
movss [rax+2C],xmm6
jmp return
ecx, because it gets overwritten after that. (Also it may not be necessary to overwrite xmm6.)
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Thu Oct 05, 2017 10:48 am
by dl748
I have a really old Lua script that doesn't use code injection. Just tested and it still works.
-- Scan once and cache the result lists across re-runs
if HealthLocation == nil then
  HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X")
  HealthLocation2 = AOBScan("45 30 FF FF 50 ?? 48 8B 0D ?? ?? ?? ?? 48 89 C2 45 31 C0","+W-C+X")
end
if HealthLocation ~= nil and HealthLocation2 ~= nil then
  count = stringlist_getCount(HealthLocation)
  count2 = stringlist_getCount(HealthLocation2)
  -- only proceed when each pattern is unique
  if count == 1 and count2 == 1 then
    -- first hit: rel32 displacement of the mov rcx,[rip+disp32] sits at +3
    address = getAddress(stringlist_getString(HealthLocation,0))
    offset = readInteger(address+3)
    address = address + 6
    -- a displacement >= 0x80000000 is a negative rel32 in two's complement
    if offset >= 0x80000000 then
      address = address - bAnd(bNot(offset),0xFFFFFFFF)
    else
      address = address + offset
    end
    address = readPointer(address)
    local id = readQword(address+0x348)          -- id of the health record
    -- second hit: the mov rcx,[rip+disp32] starts at +6, so its displacement is at +9
    address = getAddress(stringlist_getString(HealthLocation2,0))
    offset = readInteger(address+9)
    address = address + 12
    if offset >= 0x80000000 then
      address = address - bAnd(bNot(offset),0xFFFFFFFF)
    else
      address = address + offset
    end
    address = readPointer(address)
    local count = readInteger(address + 0x328)   -- item count of the hash
    address = readPointer(address + 0x330)       -- address of the hash
    local addr = 0
    -- walk the hash entries looking for the item whose id matches the health id
    for i=0,count-1 do
      local tempaddr = readPointer(address + (i*0x8))
      if tempaddr ~= 0 then
        local tempaddr2 = readPointer(tempaddr + 0x338)
        if tempaddr2 ~= 0 then
          local tempid = readQword(tempaddr2+0x28)
          if id == tempid then
            addr = tempaddr
          end
        end
      end
    end
    if addr ~= 0 then
      -- follow the record down to the health/max-health structures
      address = readPointer(addr+0x60E8)
      if address ~= 0 then
        address = readPointer(address+0x3198)
        address = readPointer(address+0xD8)
        local healthpos = 0x20
        local healthloc = readPointer(address + (healthpos * 0x8))
        registerSymbol("MaxHealthLocation", healthloc + 0x2C4)
        address = readPointer(healthloc + 0x2A8)
        registerSymbol("HealthLocation", address + 0x2C)
        -- copy max health (int) into current health (float)
        value = readInteger(healthloc+0x2C4)
        writeFloat(address + 0x2C, value)
      end
    end
  end
end
This gets the internal ID of health, then loops through the objects to find that ID and registers a symbol for HealthLocation and MaxHealthLocation. It then writes HealthLocation with the float from MaxHealthLocation. I have newer scripting functions that would make this a lot cleaner.
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Fri Oct 06, 2017 1:01 pm
by pharaon
SunBeam wrote: ↑Thu Oct 05, 2017 10:39 pm
^ Either next question would be how that works OR "it's too advanced for me". Just anticipating.
At least he is trying to help, not just commenting like you do.
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Fri Oct 06, 2017 9:07 pm
by pharaon
SunBeam wrote: ↑Fri Oct 06, 2017 1:47 pm
^ Here we go:
[Link]. Hope it helps.
thx
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Sun Oct 08, 2017 1:20 pm
by dl748
It follows a static address down to the correct health pointer by using code similar to what the engine uses, but in Lua.
1. Follows static pointer down to the ID of the health record.
2. Uses that ID to follow a hash/associative array down to the actual health record.
3. Creates/Updates a Symbol "HealthLocation" with the address of the health (I don't use symbol anymore, but create records in my latest code)
The first Tomb Raider uses the exact same method; I have updated the first game with my new code but not the latest.
viewtopic.php?f=4&t=4118&p=13996#p13996
HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X") -- Locates assembly code of the static address. I've found it's LESS likely that coders will change code that accesses a global variable than they would, say, change how health is calculated. Which is why code like this will generally work from version to version, instead of code that attacks where health is being modified.
HealthLocation + 3 = Static address (as a code offset, the integer located here is an offset to where the static address is)
[[Static + 0] + 0x348] = Id of the health record
HealthLocation2 + 9 = Static location of the hash
[[Static + 0] + 0x328] = Item count
[[Static + 0] + 0x330] = Address of hash
Loop through items (0,count-1) and read the pointer at HashAddr + (i*8)
[[itemaddr + 0x338]+0x28] = id of item -- find the id that matches the health id
[[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2A8] + 0x2C] = float of health
[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2C4] = int of max health
I prefer this reference
[Link]
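As an added illustration of the first step dl748 describes (resolving the static address from the rel32 displacement of the scanned mov rcx,[rip+disp32], then following the [[Static + 0] + 0x348] chain to the record id), here is a self-contained Python example. It is not part of this thread and not dl748's script: it runs against a small constructed memory image instead of the game, so the image base, the slot and record addresses and the id value are assumptions, while the 7-byte instruction length, the +3 displacement offset and the 0x348 offset come from the thread. It also generalises the sign handling: the displacement is decoded as signed two's complement whether the reader hands it back signed or as an unsigned dword, which is the same decoding you apply to any rip-relative reference when triaging an unknown x64 binary.

```python
import struct

# Constructed flat memory image standing in for process memory (assumption: 0x1000
# bytes at the default PE64 image base). Nothing here is read from the game.
IMAGE_BASE = 0x140000000
mem = bytearray(0x1000)

def _off(addr):
    off = addr - IMAGE_BASE
    if not 0 <= off < len(mem):
        raise ValueError(f"address {addr:#x} outside the sample image")
    return off

def write_bytes(addr, data):
    mem[_off(addr):_off(addr) + len(data)] = data

def read_u32(addr):
    return struct.unpack_from("<I", mem, _off(addr))[0]

def read_i32(addr):
    return struct.unpack_from("<i", mem, _off(addr))[0]

def read_ptr(addr):
    return struct.unpack_from("<Q", mem, _off(addr))[0]

def resolve_rip_relative(instr_addr, disp_offset, instr_len):
    """Target of a RIP-relative memory operand: address of the *next* instruction
    plus the signed 32-bit displacement stored at instr_addr + disp_offset."""
    return instr_addr + instr_len + read_i32(instr_addr + disp_offset)

def resolve_rip_relative_from_unsigned(instr_addr, disp_offset, instr_len):
    """Same result when the displacement arrives as an unsigned dword (as some
    scripting APIs return it): fold it to two's complement explicitly."""
    raw = read_u32(instr_addr + disp_offset)
    disp = raw - (1 << 32) if raw >= 0x80000000 else raw
    return instr_addr + instr_len + disp

def deref_chain(base, offsets):
    """Walk [[base + o0] + o1] + ... and return the final address (not its contents).
    A null pointer anywhere in the chain yields 0 instead of an exception."""
    addr = base
    for o in offsets[:-1]:
        addr = read_ptr(addr + o)
        if addr == 0:
            return 0
    return addr + offsets[-1]

# Layout of the constructed sample (all three addresses and the id are assumptions).
CODE_ADDR   = IMAGE_BASE + 0x400   # where the scanned "48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED" bytes sit
STATIC_SLOT = IMAGE_BASE + 0x100   # the global that mov rcx,[rip+disp32] reads; below the code, so disp < 0
RECORD      = IMAGE_BASE + 0x800   # object the global points to; +0x348 holds the id (offset from the thread)
RECORD_ID   = 0x1122334455667788   # constructed id value

def build_sample_image():
    # mov rcx,[rip+disp32] is 7 bytes: REX.W 8B 0D disp32. The displacement is
    # relative to the end of the instruction, hence target - (start + 7).
    disp = STATIC_SLOT - (CODE_ADDR + 7)
    write_bytes(CODE_ADDR, b"\x48\x8B\x0D" + struct.pack("<i", disp) + b"\x30\xDB\x45\x30\xED")
    write_bytes(STATIC_SLOT, struct.pack("<Q", RECORD))
    write_bytes(RECORD + 0x348, struct.pack("<Q", RECORD_ID))

def locate_record_id():
    """Step 1 of the thread: scan hit -> static slot -> [[Static + 0] + 0x348] -> id."""
    build_sample_image()
    static = resolve_rip_relative(CODE_ADDR, 3, 7)   # displacement lives at +3
    id_addr = deref_chain(static, [0, 0x348])
    return static, id_addr, read_ptr(id_addr)

if __name__ == "__main__":
    static, id_addr, rid = locate_record_id()
    print(f"static slot {static:#x}, id at {id_addr:#x}, id {rid:#x}")
```

The sample deliberately places the global below the code so the displacement is negative; that is the case where an unsigned reader returns a value above 0x80000000 and a naive `start + len + raw` lands billions of bytes away. Decoding the displacement as signed once, up front, removes the need for a separate subtraction branch.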
Re: RISE OF THE TOMB RAIDER Health hacking
Posted: Sun Oct 08, 2017 7:51 pm
by pharaon
dl748 wrote: ↑Sun Oct 08, 2017 1:20 pm
It follows a static address down to the correct health pointer by using code similar to what the engine uses, but in Lua.
1. Follows static pointer down to the ID of the health record.
2. Uses that ID to follow a hash/associative array down to the actual health record.
3. Creates/Updates a Symbol "HealthLocation" with the address of the health (I don't use symbol anymore, but create records in my latest code)
The first Tomb Raider uses the exact same method; I have updated the first game with my new code but not the latest.
viewtopic.php?f=4&t=4118&p=13996#p13996
HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X") -- Locates assembly code of the static address. I've found it's LESS likely that coders will change code that accesses a global variable than they would, say, change how health is calculated. Which is why code like this will generally work from version to version, instead of code that attacks where health is being modified.
HealthLocation + 3 = Static address (as a code offset, the integer located here is an offset to where the static address is)
[[Static + 0] + 0x348] = Id of the health record
HealthLocation2 + 9 = Static location of the hash
[[Static + 0] + 0x328] = Item count
[[Static + 0] + 0x330] = Address of hash
Loop through items (0,count-1) and read the pointer at HashAddr + (i*8)
[[itemaddr + 0x338]+0x28] = id of item -- find the id that matches the health id
[[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2A8] + 0x2C] = float of health
[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2C4] = int of max health
I prefer this reference
[Link]
Great help man, thanks a lot.