RISE OF THE TOMB RAIDER Health hacking

#1 pharaon (Aug 5, 2017)
I'm trying to separate the hero's life from the enemies' life by using different registers. The hero register RDI=000000000000012C is always the same and is different for the enemies.

I tried this code but it's not working:
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)

newmem:
pushf
cmp RDI,000000000000012C
jne code
popf
mov [rax+2C],(float)450
jmp return

code:
popf
movss [rax+2C],xmm6
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
 

#2 Bloodybone (Novice Cheater, Aug 3, 2017)
After testing around I found out that you can only use je for some odd reason... So maybe this will work:
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(hero)

newmem:
pushf
cmp RDI,000000000000012C
je hero
popf
jmp code

hero:
mov [rax+2C],(float)450
popf
jmp return

code:
movss [rax+2C],xmm6
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
 
#3 pharaon (Aug 5, 2017)
I had to adjust it because it crashes the game:
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(hero)

newmem:
pushf
cmp RDI,000000000000012C
je hero
jmp code

hero:
popf
mov [rax+2C],(float)450
jmp return

code:
popf
movss [rax+2C],xmm6
jmp return

health1:
jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)


But it's still not working and Lara dies.
 

#4 Bloodybone (Novice Cheater, Aug 3, 2017)
Maybe instead of using "cmp RDI,000000000000012C" use "cmp RDI,12C"; it works for me. But if that doesn't work, compare the enemies and Lara another way, like through Dissect data/structures or through the stack (I prefer the Dissect data/structures method).
 

#5 seikur0 (Novice Cheater, Aug 26, 2017)
I wouldn't push the flags to the stack here; in 99.999999% of the cases you do an instruction and use the flags immediately afterwards, and after that they become obsolete, so there is no need to preserve them.

And instead of alloc(newmem,$1000,"ROTTR.exe"+3356C18) you can use alloc(newmem,$1000,health1), so the memory gets reserved near the aob.

Last but not least, rdi might be a pretty weird register to find the identification of the player in; they are mainly used for moving strings in memory. As Bloodybone already stated, it might be better to find some other way to identify the player.
It could be that an rdi of 12C always means you have the player health. But player health maybe doesn't always lead to an rdi of 12C?
 

#6 Kalas (Cat'n America!, Fearless Donors, Mar 3, 2017)
Just do:

newmem:

cmp rdi,000000000000012C
jne code
mov [rax+2C],(float)450
jmp return

If the cmp doesn't work, try to find a new way to cmp in Dissect data.
 
#7 pharaon (Aug 5, 2017)
Tried through Dissect data/structures but the offset keeps changing. What should I do?
 

#8 Kalas (Cat'n America!, Fearless Donors, Mar 3, 2017)
pharaon said:
Tried through Dissect data/structures but the offset keeps changing. What should I do?

Find a new one; I suggest looking for 1 and 0, those usually remain the same.

I would export the Dissect Data structure to a notepad and another one to compare; it may take a bit of time, but you could just use a small size, because usually you can find a good offset to cmp in only the very first lines.
 

#9 TheByteSize (Novice Cheater, Mar 4, 2017)
If you're sure RDI contains the identifier for your char's health ID, copy that RDI to one of r8d~r15d, then do the comparison.

Another way is to check the data around [rax+2C]; usually there is an identifier for the player character near the health address.
 
#10 pharaon (Aug 5, 2017)
Kalas said:
pharaon said:
Tried through Dissect data/structures but the offset keeps changing. What should I do?

Find a new one; I suggest looking for 1 and 0, those usually remain the same.

I would export the Dissect Data structure to a notepad and another one to compare; it may take a bit of time, but you could just use a small size, because usually you can find a good offset to cmp in only the very first lines.

Tried it, and still some enemies share the same offset value with me.

That is the code I got so far, and some enemies still show up with the same value:

Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp [rax+B04],1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
 
#11 pharaon (Aug 5, 2017)
TheByteSize said:
Another way is to check the data around [rax+2C]; usually there is an identifier for the player character near the health address.

Please explain how I can do that.
 

#12 TheByteSize (Novice Cheater, Mar 4, 2017)
pharaon said:
TheByteSize said:
Another way is to check the data around [rax+2C]; usually there is an identifier for the player character near the health address.

Please explain how I can do that.

Find the address that contains your char's health, then add that to your table, then right-click and browse that address location, then look around and see if anything is obvious; you may find that 12C around there.
 
#13 pharaon (Aug 5, 2017)
TheByteSize said:
Find the address that contains your char's health, then add that to your table, then right-click and browse that address location, then look around and see if anything is obvious; you may find that 12C around there.

This is what I found:
Code:
ROTTR.exe+3356BD1 - 66 66 66 66 66 66 2E 0F1F 84 00 00000000  - nop cs:[rax+rax+00000000]
ROTTR.exe+3356BE0 - 53                    - push rbx
ROTTR.exe+3356BE1 - 48 83 EC 30           - sub rsp,30 { 48 }
ROTTR.exe+3356BE5 - 48 89 CB              - mov rbx,rcx
ROTTR.exe+3356BE8 - 48 8B 0D 39A74FFF     - mov rcx,[ROTTR.exe+2851328] { [858496A0] }
ROTTR.exe+3356BEF - 0F29 74 24 20         - movaps [rsp+20],xmm6
ROTTR.exe+3356BF4 - 48 8B 01              - mov rax,[rcx]
ROTTR.exe+3356BF7 - 0F28 F1               - movaps xmm6,xmm1
ROTTR.exe+3356BFA - FF 90 08010000        - call qword ptr [rax+00000108]
ROTTR.exe+3356C00 - 84 C0                 - test al,al
ROTTR.exe+3356C02 - 75 34                 - jne ROTTR.exe+3356C38
ROTTR.exe+3356C04 - 48 8B 83 A8020000     - mov rax,[rbx+000002A8]
ROTTR.exe+3356C0B - 66 0F6E 40 28         - movd xmm0,[rax+28]
ROTTR.exe+3356C10 - 0F5B C0               - cvtdq2ps xmm0,xmm0
ROTTR.exe+3356C13 - 0F2E F0               - ucomiss xmm6,xmm0
ROTTR.exe+3356C16 - 74 20                 - je ROTTR.exe+3356C38
ROTTR.exe+3356C18 - F3 0F11 70 2C         - movss [rax+2C],xmm6
ROTTR.exe+3356C1D - 48 8B 8B A8020000     - mov rcx,[rbx+000002A8]
ROTTR.exe+3356C24 - F3 0F2C 41 2C         - cvttss2si eax,[rcx+2C]
ROTTR.exe+3356C29 - 89 41 28              - mov [rcx+28],eax
ROTTR.exe+3356C2C - 48 8B 8B A8020000     - mov rcx,[rbx+000002A8]
ROTTR.exe+3356C33 - E8 6878FCFF           - call ROTTR.exe+331E4A0
ROTTR.exe+3356C38 - 0F28 74 24 20         - movaps xmm6,[rsp+20]
ROTTR.exe+3356C3D - 48 83 C4 30           - add rsp,30 { 48 }
ROTTR.exe+3356C41 - 5B                    - pop rbx
 

#14 TheByteSize (Novice Cheater, Mar 4, 2017)
Yup, that 12C is at the -04 position from the [rax+2C] address.
https://imgur.com/a/ozNHy
This code should do the trick.

Oops, there is a bug in the code I posted.
 
#15 pharaon (Aug 5, 2017)
How are you displaying your memory that way? Because mine looks like this:

https://imgur.com/a/Ld9Mr

But the code didn't work; it decreased my health, then crashed the game.
 

#16 TheByteSize (Novice Cheater, Mar 4, 2017)
pharaon said:
How are you displaying your memory that way? Because mine looks like this:

https://imgur.com/a/Ld9Mr

But the code didn't work; it decreased my health, then crashed the game.

Right-click on the bottom window and choose Display Type > 4 Bytes Hex.
 
#17 pharaon (Aug 5, 2017)
https://imgur.com/a/O2swW
If you notice, the bytes are inverted; dunno why.

So why is the code not working?

What could be wrong?
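The routine pasted in #13 and the "inverted bytes" question in #17 are easier to follow with a small C reconstruction. This is an added example written for this thread, not code from the game or from any poster: the struct field names, the padding, the `locked_by_vcall` parameter and the function names are assumptions made here; only the offsets 0x28 and 0x2C and the instruction sequence come from the posted listing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the object that [rbx+2A8] points to in the listing.
 * Only the two fields the routine touches are modelled. The offsets 0x28
 * and 0x2C come from the posted disassembly; the field names and the
 * padding are assumptions made for this example. */
typedef struct {
    uint8_t pad[0x28];
    int32_t health_int;   /* [rax+28]: integer copy, read via movd + cvtdq2ps */
    float   health_float; /* [rax+2C]: float value written by movss          */
} health_block_t;

/* Mirrors the control flow of ROTTR.exe+3356C00 .. +3356C33 as posted.
 * `locked_by_vcall` stands in for the result of `call [rax+108]` (test al,al),
 * whose body is not in the listing. Returns true only when the routine reaches
 * the movss at +3356C18, i.e. when the stored health actually changes. */
bool apply_health(health_block_t *obj, float new_health, bool locked_by_vcall)
{
    if (locked_by_vcall)                       /* test al,al ; jne +3356C38 */
        return false;
    /* movd xmm0,[rax+28] ; cvtdq2ps xmm0,xmm0 ; ucomiss xmm6,xmm0 ; je +3356C38 */
    if ((float)obj->health_int == new_health)
        return false;
    obj->health_float = new_health;            /* movss [rax+2C],xmm6 */
    /* cvttss2si truncates toward zero, exactly like the C cast below */
    obj->health_int   = (int32_t)new_health;   /* cvttss2si eax,[rcx+2C] ; mov [rcx+28],eax */
    /* call ROTTR.exe+331E4A0 follows in the listing; not modelled here */
    return true;
}

/* Why the 4-byte values in the memory viewer look "inverted": x86-64 stores
 * integers little-endian, least significant byte first, so 0x0000012C is
 * laid out in memory as 2C 01 00 00. */
void little_endian_bytes(uint32_t value, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(value >> (8 * i));
}

/* Confirms the host really stores the value that way (true on x86-64). */
bool host_matches_little_endian(uint32_t value)
{
    uint8_t expected[4], actual[4];
    little_endian_bytes(value, expected);
    memcpy(actual, &value, sizeof actual);
    return memcmp(expected, actual, sizeof actual) == 0;
}

int main(void)
{
    health_block_t obj = { .health_int = 100, .health_float = 100.0f };
    bool changed;

    changed = apply_health(&obj, 100.0f, false);   /* same value: skipped */
    printf("unchanged: %d\n", changed);
    changed = apply_health(&obj, 37.9f, false);    /* new value: stored */
    printf("changed:   %d  int=%d float=%g\n", changed, obj.health_int, obj.health_float);

    uint8_t b[4];
    little_endian_bytes(0x12C, b);
    printf("0x0000012C in memory: %02X %02X %02X %02X\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```

Compile with any C99 compiler and run. `offsetof(health_block_t, health_float)` is 0x2C, matching the hooked `movss [rax+2C],xmm6`, and the integer mirror at +28 is what `cmp [rax+28],...`-style checks read; the little-endian helpers show why a value that reads 12C in Cheat Engine's 4-byte hex view appears as 2C 01 00 00 in the raw byte view.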
 

#20 TheByteSize (Novice Cheater, Mar 4, 2017)
Try this code. I don't have access to the game at the moment, so I cannot verify it.
As for your memory address display being backward, I don't know how that happened.
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,health1)

label(prepare2exit)
label(code)
label(return)

newmem:
  push rdi  //preserve rdi
  lea rdi,[rax]  //copy effective address of rax
  cmp [rdi],xxxxxx  //replace this with the hex you see at rax
  jne prepare2exit
  //start check on new health if health change belong to player
  pop rdi  //return rdi to original state
  push rdi  //borrow this register again
  movq [rdi],xmm6  //copy new health
  cmp  [rax+2C],rdi  //check old vs new
  jge prepare2exit  //ignore if old health is higher
  //end of health change check
code:
  movss [rax+2C],xmm6
// jmp return
prepare2exit:
  pop rdi //return rdi to original state
  jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)