Hacking health old games - DOOM 1/HL

Ezilkannan

What is cheating?
Jun 25, 2017
#1
Hi,
I have been trying to use simple memory search/editing to hack old games like DOOM 1 and Half Life. However, even though I narrow down to the address and freeze the value, I still end up dying. What am I doing wrong?
 

Bloodybone

Novice Cheater
Aug 3, 2017
#2
Ezilkannan said:
Hi,
I have been trying to use simple memory search/editing to hack old games like DOOM 1 and Half Life. However, even though I narrow down to the address and freeze the value, I still end up dying. What am I doing wrong?
In a game like Half Life or games made with Source, there is a client.dll and a server.dll. That means that you probably locked the graphical address. You can try locking every address and see what address is the right one, or you can right-click on an address, choose "find out what writes to this address", then click on "show disassembler" and look at the left: if you see client.dll it's the wrong address, and if you see server.dll then it is the right one.
 

Ezilkannan

What is cheating?
Jun 25, 2017
#3
Bloodybone said:
Ezilkannan said:
Hi,
I have been trying to use simple memory search/editing to hack old games like DOOM 1 and Half Life. However, even though I narrow down to the address and freeze the value, I still end up dying. What am I doing wrong?
In a game like Half Life or games made with Source, there is a client.dll and a server.dll. That means that you probably locked the graphical address. You can try locking every address and see what address is the right one, or you can right-click on an address, choose "find out what writes to this address", then click on "show disassembler" and look at the left: if you see client.dll it's the wrong address, and if you see server.dll then it is the right one.
Tried that. But I am unable to freeze or change the value for that address. It updates too fast; I tried setting the update and freeze interval to 1ms, and it didn't work. Tried a pointer scan; one of the expected pointer addresses returned no results, so I guess it's the other one, however there is no expected value in this one. Just "push word or doubleword onto the stack (sign extended)". I don't know how to proceed further. Changing the code to nop crashes the game, so I can't do that.
 

Ezilkannan

What is cheating?
Jun 25, 2017
#5
Bloodybone said:
I made a video showing how to find Health. I used Half Life 2 for it but it was made with the same engine, I hope it helps :)

Video showing how to find Health
That didn't work. Like I said, some of the addresses cannot be changed/frozen. They are updated back to the original value anyway :(
 

Bloodybone

Novice Cheater
Aug 3, 2017
#6
Ezilkannan said:
Bloodybone said:
I made a video showing how to find Health. I used Half Life 2 for it but it was made with the same engine, I hope it helps :)

Video showing how to find Health
That didn't work. Like I said, some of the addresses cannot be changed/frozen. They are updated back to the original value anyway :(
Try locking every address you found at once and see if you can still get killed.
 

Ezilkannan

What is cheating?
Jun 25, 2017
#7
Bloodybone said:
Ezilkannan said:
Bloodybone said:
I made a video showing how to find Health. I used Half Life 2 for it but it was made with the same engine, I hope it helps :)

Video showing how to find Health
That didn't work. Like I said, some of the addresses cannot be changed/frozen. They are updated back to the original value anyway :(
Try locking every address you found at once and see if you can still get killed.
Tried that too. Every address seems to be reverting back to the actual value even when I freeze/change it at 1ms. It seems the game is updating it faster than CE can freeze/update.
 

Bloodybone

Novice Cheater
Aug 3, 2017
#8
Ezilkannan said:
Bloodybone said:
Ezilkannan said:
That didn't work. Like I said, some of the addresses cannot be changed/frozen. They are updated back to the original value anyway :(
Try locking every address you found at once and see if you can still get killed.
Tried that too. Every address seems to be reverting back to the actual value even when I freeze/change it at 1ms. It seems the game is updating it faster than CE can freeze/update.
I think that all of them are graphical addresses then... You could maybe backtrace a graphical one and get to the real one.
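
A simplified model of what the replies above describe, added here as an example and not taken from any post or from the game's code: the server module owns the health value that decides death, and the client module only holds a copy that is refreshed from it every frame. The class, the function names and the damage numbers are constructed.

```python
# Constructed model, not engine code. The server module owns the real health;
# the client module only holds a copy that is refreshed from it every frame.
from dataclasses import dataclass

@dataclass
class Game:
    server_health: float = 100.0  # authoritative value, decides life or death
    client_health: float = 100.0  # display copy (the "graphical address")

    def frame(self, damage: float) -> bool:
        """Run one game frame; return True while the player is still alive."""
        self.server_health = max(0.0, self.server_health - damage)
        # Replication: the display copy is overwritten from the real value,
        # whatever an external editor wrote into it beforehand.
        self.client_health = self.server_health
        return self.server_health > 0

def simulate(freeze, frames=10, damage=15.0, value=100.0):
    """freeze is None, "client" or "server".

    Returns (alive, frames_run, hud), where hud lists the display copy as the
    game left it at the end of each frame.
    """
    game, hud = Game(), []
    for n in range(1, frames + 1):
        # The external memory editor writes first, then the game runs a frame.
        if freeze == "client":
            game.client_health = value
        elif freeze == "server":
            game.server_health = value
        alive = game.frame(damage)
        hud.append(game.client_health)
        if not alive:
            return False, n, hud
    return True, frames, hud

if __name__ == "__main__":
    for target in (None, "client", "server"):
        print(target, simulate(target))
```

Freezing the client copy gives exactly the same result as freezing nothing, which is the "reverts back" symptom reported in the thread; only a write to the authoritative value changes the outcome.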
 

Blayde

Novice Cheater
Aug 25, 2017
#11
Ezilkannan said:
Blayde said:
Half-Life v1.1.1.1
This health script affects the monsters too :lol:
UuuuPS :mrgreen:
Code:
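[ENABLE]
// Locate the 10-byte signature inside hl.dll and name that address "health"
aobscanmodule(health,hl.dll,D8 64 24 64 D9 98 60 01 00 00)
alloc(newmem,$100)

label(code)
label(return)

newmem:
  // Filter on the dword at eax+104: non-zero runs the original code unchanged
  cmp [eax+104],0
  jne code
  // Pop the FPU result so the x87 stack stays balanced, then write 100.0
  fstp dword ptr [eax+00000160]
  mov [eax+00000160],(float)100
  jmp return

code:
  // The two original instructions that the signature bytes encode
  fsub dword ptr [esp+64]
  fstp dword ptr [eax+00000160]
  jmp return

health:
  // 5-byte jmp plus 5 nops replace the 10 signature bytes
  jmp newmem
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(health)

[DISABLE]
// Restore the original bytes and release the allocated memory
health:
  db D8 64 24 64 D9 98 60 01 00 00
unregistersymbol(health)
dealloc(newmem)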
 

Ezilkannan

What is cheating?
Jun 25, 2017
#12
Blayde said:
Ezilkannan said:
Blayde said:
Half-Life v1.1.1.1
This health script affects the monsters too :lol:
UuuuPS :mrgreen:
Code:
[ENABLE]
aobscanmodule(health,hl.dll,D8 64 24 64 D9 98 60 01 00 00)
alloc(newmem,$100)

label(code)
label(return)

newmem:
  cmp [eax+104],0
  jne code
  fstp dword ptr [eax+00000160]
  mov [eax+00000160],(float)100
  jmp return

code:
  fsub dword ptr [esp+64]
  fstp dword ptr [eax+00000160]
  jmp return

health:
  jmp newmem
  nop
  nop
  nop
  nop
  nop
return:
registersymbol(health)

[DISABLE]
health:
  db D8 64 24 64 D9 98 60 01 00 00
unregistersymbol(health)
dealloc(newmem)
That worked! thanks
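
Added example, not part of any post: a small Python decoder, limited to the x87 memory-operand encodings that appear in the script's signature, showing which two instructions the ten bytes are and why the hook pads its 5-byte jmp with five nops. The function names are this example's own; offsets print with a 0x prefix, where the script writes the same hex values without one.

```python
# Added example: decode the 10 signature bytes the script scans for and check
# that the hook (5-byte jmp + nops) ends on an instruction boundary.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# (opcode, ModRM.reg) -> mnemonic for the 32-bit float memory forms of D8/D9
X87_M32 = {(0xD8, 0): "fadd", (0xD8, 1): "fmul", (0xD8, 2): "fcom",
           (0xD8, 3): "fcomp", (0xD8, 4): "fsub", (0xD8, 5): "fsubr",
           (0xD8, 6): "fdiv", (0xD8, 7): "fdivr",
           (0xD9, 0): "fld", (0xD9, 2): "fst", (0xD9, 3): "fstp"}

def decode_one(code: bytes, off: int):
    """Decode one D8/D9 memory-operand instruction; return (text, length)."""
    op, modrm = code[off], code[off + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if (op, reg) not in X87_M32 or mod == 3 or (mod == 0 and rm == 5):
        raise ValueError(f"unsupported encoding at offset {off}")
    pos = off + 2
    if rm == 4:                              # a SIB byte follows ModRM
        sib = code[pos]
        pos += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if mod == 0 and base == 5:
            raise ValueError("disp32-only SIB form not handled")
        parts = [REGS[base]] + ([f"{REGS[index]}*{scale}"] if index != 4 else [])
    else:
        parts = [REGS[rm]]
    size = {0: 0, 1: 1, 2: 4}[mod]           # displacement width in bytes
    disp = int.from_bytes(code[pos:pos + size], "little", signed=True)
    pos += size
    addr = "+".join(parts) + (f"{disp:+#x}" if disp else "")
    return f"{X87_M32[(op, reg)]} dword ptr [{addr}]", pos - off

def hook_layout(sig: bytes, jmp_len: int = 5):
    """Return (instructions, bytes overwritten, nops needed after the jmp)."""
    off, insns = 0, []
    while off < len(sig) and off < jmp_len:  # stop at first boundary >= jmp
        text, length = decode_one(sig, off)
        insns.append(text)
        off += length
    if off < jmp_len:
        raise ValueError("signature is shorter than the jmp")
    return insns, off, off - jmp_len

SIGNATURE = bytes.fromhex("D8 64 24 64 D9 98 60 01 00 00")  # from the script

if __name__ == "__main__":
    print(hook_layout(SIGNATURE))
```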