How to OPK (one position kill)

Artykalamata
Cheater
Posts: 30
Joined: Fri Jul 14, 2017 11:58 am
Reputation: 29

How to OPK (one position kill)

Post by Artykalamata »

Step 1: Find the instruction that writes entity positions.

You can do that by searching for the player position

Image

and find out what writes to it.

Image

Find out if the instruction is writing to all entities, not only the player.

Image



Step 2: Find the flag that separates player/enemy.

You can do that by dissecting the entity structures.

Image

As you can see, in my case, offset entity+44 works fine:
0xC5 is the player and 0x81 is the enemy.
Note those values down.



Step 3: Doing the injection.

Auto assemble at the start of the instructions that write the entity positions (posX)

Image

and add the remaining instructions for posY and potential posZ if you are in 3D.

Image

We need to add two functionalities now.
1. save the player position
2. load the enemy position to the saved player position.

I think this part is best shown by commenting my code as an example. (copy into CE editor to get syntax highlighting)

Code:

[ENABLE]

aobscanmodule(INJECT_opk,Engine.dll,F2 0F 10 44 24 40 F2 0F 11 46)
alloc(newmem,$1000,"Engine.dll"+24E3ED)
alloc(container,256) // allocate some memory so we can store data there

label(code)
label(return)

label(save_flag)
label(load_flag)
label(x_pos)
label(y_pos)

registersymbol(save_flag)
registersymbol(load_flag)
registersymbol(x_pos)
registersymbol(y_pos)

container: // this is our container to store the flags and the saved player pos
save_flag:
dd 0
load_flag:
dd 0
x_pos:
dq 0 // 8 bytes: the original code writes the +48 value with movsd (64-bit),
     // so a 4-byte dd here would be overwritten by the y_pos store below
y_pos:
dd 0 // 4 bytes: the +50 value is written with a 32-bit mov

newmem:
  cmp dword ptr [save_flag],1
  je save // jmp to save if save_flag is set
  cmp dword ptr [load_flag],1
  je load // jmp to load if load_flag is set
  jmp code

save: // here we save the current player pos to our container
  cmp byte ptr [rsi+44],C5 // check if the instruction is writing to the
                           // entity with the player flag (step 2)
                           // (rsi == entity base)
  jne code                 // jmp to the original code if not

  mov [save_flag],(int)0 // reset the save flag
  movsd xmm0,[rsp+40] // same loads as the original code, but store the values
  movsd [x_pos],xmm0  // in our container instead
  mov eax,[rsp+48]
  mov [y_pos],eax
  jmp code // jump back to the original code (the player still gets its own pos)

load: // here we load the saved player pos into enemies
  cmp byte ptr [rsi+44],81 // check if the instruction is writing to an
                           // entity with the enemy flag (step 2)
                           // (rsi == entity base)
  jne code                 // jmp to the original code if not

  movsd xmm0,[rsp+40] // keep the register side effects of the original code
  mov eax,[rsp+48]    // (xmm0/eax) in case later game code relies on them
  push rax            // preserve rax while we copy from the container
  mov rax,[x_pos]     // saved 8-byte value for +48
  mov [rsi+48],rax    // and into the enemy
  mov eax,[y_pos]     // saved 4-byte value for +50
  mov [rsi+50],eax    // and into the enemy
  pop rax             // restore rax
  jmp return

code:
  movsd xmm0,[rsp+40] //X
  movsd [rsi+48],xmm0 //X
  mov eax,[rsp+48] //Y
  mov [rsi+50],eax //Y
  jmp return

INJECT_opk:
  jmp newmem
  db 90 90 90 90 90 90 90 90 90 90 90 90 90
return:
registersymbol(INJECT_opk)

[DISABLE]

INJECT_opk:
  db F2 0F 10 44 24 40 F2 0F 11 46 48 8B 44 24 48 89 46 50

unregistersymbol(INJECT_opk)
unregistersymbol(x_pos)
unregistersymbol(y_pos)
unregistersymbol(save_flag)
unregistersymbol(load_flag)
dealloc(container)
dealloc(newmem)
{
// ---------- INJECTING HERE ----------
"Engine.dll"+24A07D: F2 0F 10 44 24 40        -  movsd xmm0,[rsp+40]
"Engine.dll"+24A083: F2 0F 11 46 48           -  movsd [rsi+48],xmm0
"Engine.dll"+24A088: 8B 44 24 48              -  mov eax,[rsp+48]
"Engine.dll"+24A08C: 89 46 50                 -  mov [rsi+50],eax
// ---------- DONE INJECTING  ----------
}


Step 4: Adding hotkeys to save_flag and load_flag.

save:
just add the address "save_flag" to the cheat table and
add hotkey "Set value to: 1",
because in the script we reset this flag to 0 once the player position is saved.

load:
add the following auto assemble script so we can toggle the load manually:

Code:

[ENABLE]
load_flag:
dd 1


[DISABLE]
load_flag:
dd 0

add hotkey "Toggle script"

Image

Step 5: Enjoy ;)
Image
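
An added example from the detection side, not part of this post or of the Cheat Engine script above: an integrity check that a game or an anti-cheat module could run over the 18 bytes at the position-write site. The expected bytes are the ones the [DISABLE] section restores; the hooked layout it recognises (a 5-byte jmp rel32 followed by 13 NOPs) is exactly what the [ENABLE] section installs. The snapshot buffers, the 0x1000 displacement and the site address 0x10000 are constructed sample data, and the displacement decoding assumes a little-endian host (x86).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 18 bytes of the original position-write sequence, copied from the
   [DISABLE] section of the script above. */
static const uint8_t kOriginalWrite[18] = {
    0xF2, 0x0F, 0x10, 0x44, 0x24, 0x40,   /* movsd xmm0,[rsp+40] */
    0xF2, 0x0F, 0x11, 0x46, 0x48,         /* movsd [rsi+48],xmm0 */
    0x8B, 0x44, 0x24, 0x48,               /* mov eax,[rsp+48]    */
    0x89, 0x46, 0x50                      /* mov [rsi+50],eax    */
};

/* Constructed sample snapshot of the same site after the script's [ENABLE]
   ran: jmp rel32 (E9 + displacement 0x1000) and 13 bytes of NOP padding. */
static const uint8_t kSampleHooked[18] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90
};

/* Constructed sample with a single byte changed in the last instruction
   (not a detour, just a tampered operand). */
static const uint8_t kSampleTampered[18] = {
    0xF2, 0x0F, 0x10, 0x44, 0x24, 0x40,
    0xF2, 0x0F, 0x11, 0x46, 0x48,
    0x8B, 0x44, 0x24, 0x48,
    0x89, 0x46, 0x54
};

enum patch_state {
    PATCH_NONE = 0,      /* bytes are the expected original sequence */
    PATCH_JMP_HOOK = 1,  /* E9 rel32 + NOP padding: a detour to injected code */
    PATCH_OTHER = 2      /* modified some other way, or wrong length */
};

/* Classify a snapshot of the code bytes at the write site. */
enum patch_state classify_write_site(const uint8_t *site, size_t len)
{
    if (len != sizeof kOriginalWrite)
        return PATCH_OTHER;
    if (memcmp(site, kOriginalWrite, len) == 0)
        return PATCH_NONE;
    if (site[0] == 0xE9) {
        /* Everything after the 5-byte jmp must be NOP padding. */
        for (size_t i = 5; i < len; i++)
            if (site[i] != 0x90)
                return PATCH_OTHER;
        return PATCH_JMP_HOOK;
    }
    return PATCH_OTHER;
}

/* For a detected jmp hook, resolve where the detour lands:
   target = address of the next instruction (site + 5) + signed rel32.
   Assumes a little-endian host, which holds on x86. */
uint64_t hook_target(uint64_t site_addr, const uint8_t *site)
{
    int32_t rel;
    memcpy(&rel, site + 1, sizeof rel);
    return site_addr + 5 + (uint64_t)(int64_t)rel;
}

int main(void)
{
    const uint64_t site_addr = 0x10000;   /* constructed sample address */
    enum patch_state s;

    printf("pristine: state %d\n",
           classify_write_site(kOriginalWrite, sizeof kOriginalWrite));
    printf("tampered: state %d\n",
           classify_write_site(kSampleTampered, sizeof kSampleTampered));

    s = classify_write_site(kSampleHooked, sizeof kSampleHooked);
    printf("hooked:   state %d\n", s);
    if (s == PATCH_JMP_HOOK)
        printf("detour target: 0x%llx\n",
               (unsigned long long)hook_target(site_addr, kSampleHooked));
    return 0;
}
```

The classification is deliberately narrow: anything that is neither the pristine sequence nor the jmp-plus-NOP layout is reported as PATCH_OTHER rather than ignored, and the resolved detour target is the value worth logging, since it points at the allocated block the injected code lives in.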

SunBeam
Administration
Posts: 4702
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4286

Re: How to OPK (one position kill)

Post by SunBeam »

Just for reference, this is called "vac" in most MP tools :) From 'vacuum' (sucking all AIs to one spot). If you're good with math, you can add in some processing to arrange the AIs in circle, square, etc. or x inches apart from each other, in a straight line and so on :D
