RISE OF THE TOMB RAIDER Health hacking

Aug 5, 2017
#21
These are the registers at my hero health address:
RAX=00000000C590D060
RBX=00000000C590C8D0
RCX=00000000858496A0
RDX=00000000000001C2
RSI=0000000000000080
RDI=000000000000012C
RBP=00000000C5B6AE50
RSP=000000000014E390
RIP=0000000143356C18
R8 =00000000B4793538
R9 =FFFFFFFF00000000
R10=00000000ABB87890
R11=0000000000000030
R12=0000000000000001
R13=0000000000000000
R14=000000000000FFFF
R15=0000000142276930

Your code put all enemies in god mode :)

I also hope you can explain your code a little to me.
 

TheByteSize

Expert Cheater
Mar 4, 2017
#24
[rax+2c] points to an address that contains Lara's HP. So I looked back at [rax], which holds an address that contains something. That hex was there and I assume that's the ID for Lara.
Anyway, which part of the code don't you understand?
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#25
Could you check if the code you inject at is even writing to your real value instead of a graphical one? It may just be a display value, which could explain why you are having issues.

Just don't use cmp or anything,
Code:
mov [rax+2C],(float)999
If it does work then try to cmp with: RSI=0000000000000080 // Try even R12, I believe I saw it has a unique offset.


PS: Downloading right now just to test this issue. I think I made a CT for this game back then, so I remember making Unlimited Health as well.
 
Aug 5, 2017
#27
Kalas (post #25 above) said:
It writes to the real health value.
 
Aug 5, 2017
#28
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
Working fine so far, although it lags a little.
 

TheByteSize

Expert Cheater
Mar 4, 2017
#29
pharaon said:
TheByteSize said:
change
cmp [rdi],xxxxxx
to
cmp [rdi],40CDFEA0
infinite health for all enemies as well
That's odd. I was hitting the patrols with climber pickaxes without taking any damage and still manage to kill them.
 
Aug 5, 2017
#30
This one works:
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
But this one does not work:
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R13,0
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
Any explanation?
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#31
pharaon (post #30 above) said:
Hmm, because you use different registers..?
 
Aug 5, 2017
#32
I know I use a different register,
but why does the compare with the second register not work?
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#33
Because Lara is in the R12 register and not the R13.
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#35
pharaon said:
How can I know which register is for Lara and which is not?
By testing, as you tested R12 and R13. Sometimes they both can work, but this time you see R12 works fine for your Lara and still subtracts health from enemies :)
 
Aug 5, 2017
#36
Is the code right this way?
Code:
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)9999
jmp return

health1:
jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#37
Yep

Could just do

cmp r12,1
jne code
mov [rax+2C],(float)999
jmp return
 
Aug 5, 2017
#38
How about this code?
Code:
{ Game   : ROTTR.exe
  Version: 
  Date   : 2017-09-26
  Author : DeskTop

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)


newmem:
cmp R12,1
jne code
push eax
mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
pop eax
jmp return

code:
  movss [rax+2C],xmm6
  jmp return

laraGODmode:
push eax
mov eax,(float)9999
movd xmm0,eax

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 70 2C

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "ROTTR.exe"+3356C18

"ROTTR.exe"+3356BF4: 48 8B 01                                      -  mov rax,[rcx]
"ROTTR.exe"+3356BF7: 0F 28 F1                                      -  movaps xmm6,xmm1
"ROTTR.exe"+3356BFA: FF 90 08 01 00 00                             -  call qword ptr [rax+00000108]
"ROTTR.exe"+3356C00: 84 C0                                         -  test al,al
"ROTTR.exe"+3356C02: 75 34                                         -  jne ROTTR.exe+3356C38
"ROTTR.exe"+3356C04: 48 8B 83 A8 02 00 00                          -  mov rax,[rbx+000002A8]
"ROTTR.exe"+3356C0B: 66 0F 6E 40 28                                -  movd xmm0,[rax+28]
"ROTTR.exe"+3356C10: 0F 5B C0                                      -  cvtdq2ps xmm0,xmm0
"ROTTR.exe"+3356C13: 0F 2E F0                                      -  ucomiss xmm6,xmm0
"ROTTR.exe"+3356C16: 74 20                                         -  je ROTTR.exe+3356C38
// ---------- INJECTING HERE ----------
"ROTTR.exe"+3356C18: F3 0F 11 70 2C                                -  movss [rax+2C],xmm6
// ---------- DONE INJECTING  ----------
"ROTTR.exe"+3356C1D: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C24: F3 0F 2C 41 2C                                -  cvttss2si eax,[rcx+2C]
"ROTTR.exe"+3356C29: 89 41 28                                      -  mov [rcx+28],eax
"ROTTR.exe"+3356C2C: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C33: E8 68 78 FC FF                                -  call ROTTR.exe+331E4A0
"ROTTR.exe"+3356C38: 0F 28 74 24 20                                -  movaps xmm6,[rsp+20]
"ROTTR.exe"+3356C3D: 48 83 C4 30                                   -  add rsp,30
"ROTTR.exe"+3356C41: 5B                                            -  pop rbx
"ROTTR.exe"+3356C42: C3                                            -  ret 
"ROTTR.exe"+3356C43: CC                                            -  int 3 
}
 

Kalas

Cat'n America!
Fearless Donors
Table Maker
Mar 3, 2017
#39
Again you are adding unneeded stuff, just do mov [rax+2C],(float)9999

But in general I think that, yeah, it should work.
 

seikur0

Expert Cheater
Table Maker
Aug 26, 2017
#40
Code:
mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
This should totally crash your game..

Do this:
Code:
cmp R12,1
jne code
mov ecx,(float)9999
movd xmm6,ecx

code:
  movss [rax+2C],xmm6
  jmp return
ecx, because it gets overwritten after that. (Also it may not be necessary to overwrite xmm6.)
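The crash seikur0 points out (writing eax clobbers rax, the base register of the very store being patched) and the choice of ecx (overwritten by the next original instruction) can be checked mechanically. The following is an added example, not code from the thread or from Cheat Engine: it runs a simplified forward liveness scan over the original disassembly quoted in post #38, treating a register as a safe scratch for the cave only if the original code writes it before reading it again, and stopping at the first call or branch (reporting unknown for anything unresolved by then). It assumes the listing keeps the " -  mnemonic operands" layout shown on the page.

```python
import re
# Original code after the injection point, copied from the listing in post #38.
LISTING = """
"ROTTR.exe"+3356C18: F3 0F 11 70 2C        -  movss [rax+2C],xmm6
"ROTTR.exe"+3356C1D: 48 8B 8B A8 02 00 00  -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C24: F3 0F 2C 41 2C        -  cvttss2si eax,[rcx+2C]
"ROTTR.exe"+3356C29: 89 41 28              -  mov [rcx+28],eax
"ROTTR.exe"+3356C2C: 48 8B 8B A8 02 00 00  -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C33: E8 68 78 FC FF        -  call ROTTR.exe+331E4A0
"""
# Writing eax zero-extends into rax, so 32-bit names are the same register.
ALIAS = {"eax": "rax", "ebx": "rbx", "ecx": "rcx", "edx": "rdx",
         "esi": "rsi", "edi": "rdi", "al": "rax"}
# Mnemonics whose first operand is written when it is a bare register.
WRITERS = {"mov", "movss", "movd", "movaps", "cvttss2si", "cvtdq2ps"}
# Straight-line analysis stops here; anything unresolved stays unknown.
STOPPERS = {"call", "jmp", "ret", "je", "jne"}
REG_RE = re.compile(r"\b(r[abcd]x|r[sd]i|r[bs]p|r(?:8|9|1[0-5])|e[abcd]x|e[sd]i|al|xmm\d+)\b")

def regs(text):
    return {ALIAS.get(r, r) for r in REG_RE.findall(text)}

def parse(listing):
    """Yield (mnemonic, written_regs, read_regs) for each ' -  mnemonic ops' line."""
    for line in listing.strip().splitlines():
        m = re.search(r"\s-\s+(\w+)\s*(.*)$", line)
        if not m:
            continue
        ops = [o.strip() for o in m.group(2).split(",") if o.strip()]
        writes, reads = set(), set()
        for i, op in enumerate(ops):
            if i == 0 and m.group(1) in WRITERS and "[" not in op:
                writes |= regs(op)   # bare destination register
            else:
                reads |= regs(op)    # sources and memory base registers
        yield m.group(1), writes, reads

def scratch_is_safe(listing, reg):
    """True if reg is overwritten before being read (the cave may clobber it),
    False if it is read first, None if a call/branch comes before either."""
    reg = ALIAS.get(reg, reg)
    for mnem, writes, reads in parse(listing):
        if reg in reads:
            return False
        if reg in writes:
            return True
        if mnem in STOPPERS:
            return None
    return None
```

With the listing above, scratch_is_safe(LISTING, "eax") returns False, "ecx" returns True, and "rdx" returns None because the call is reached before rdx is touched.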
 