Diablo 1 The Hell 2

Re: Diablo 1 The Hell 2

Post by delion » Wed Sep 04, 2019 8:05 am

Tivrusky wrote:
Wed Sep 04, 2019 4:28 am
Hmm... somehow with this changed loot I'm getting nothing but trash (gold / rare mana pots) from normal mobs (magic find is ON).

Post by Tivrusky » Wed Sep 04, 2019 5:12 pm

ello,

That's right delion,
My new direction for the loot cheat is to only change the drops for named monsters (bosses and rares).
I've made it so now you can give all named monsters extra loot on top of their normal drops.
Once you activate the cheat it will show the current bonus drops (default 10), but you can change this to your liking.

Let me know if you like the cheat this way or the old way.

Who will be first to set it to something crazy like 100 extra drops?
Post a screenshot if the game doesn't crash :D

Laters!
Attachments
TH2v1.0037.CT
(34.09 KiB) Downloaded 18 times

Post by SunBeam » Wed Sep 04, 2019 5:55 pm

Why don't you make a list of the bosses' names, get an entity list (what you're hitting) and compare the entity->name to your custom list? :P

Post by Tivrusky » Wed Sep 04, 2019 6:26 pm

Hah, yeah I tried that but I'm still getting the hang of reading assembly and I haven't worked out how this game is doing things. ^_^

I will learn in the end.

Thanks

Post by SunBeam » Wed Sep 04, 2019 6:27 pm

Welp, I'm not sure how many of you know (or CARE for that matter), but I found these in. Which means there's some way to get that shit activated (I've not yet looked for a console):

Image

That function is called from 9 places, some of which feature PeekMessageA API (standard user32.dll messaging routines). Note that I've not yet opened the game, so all of this might already be available to the connoisseurs. Else, let's dig in and see what else we can find. More on the "how god works" to get to "aha, so this is my player", to then get to "so my player has this inventory", to then get to other cool shit :D Including what I said earlier.

BR,
Sun

Post by Tivrusky » Wed Sep 04, 2019 6:57 pm

I'm amazed! I need to learn more!
Is this Cheat Engine?

Post by SunBeam » Wed Sep 04, 2019 8:37 pm

Tivrusky wrote:
Wed Sep 04, 2019 6:57 pm
I'm amazed! I need to learn more!
Is this Cheat Engine?

x64dbg -> https://x64dbg.com

Alright, got several options working. It seems the developers (or Mordor guy) patched the dialog box (game window) WM_COMMAND handler to return 0 when ALT key is pressed :) The keys are:
  • Alt+G for God Mode
  • Alt+F for Free Spells
  • Alt+Q to cause an IsDebuggerPresent check + INT3 so game insta-crashes
The key check includes a simple IsDebuggerPresent verification, to know if the game's under a debugger or not (mine's patched via the ScyllaHide plugin).

The patches:

God Mode

ON:

015702EB | C605 2D27A101 01                           | MOV BYTE PTR DS:[1A1272D],1                         |
015702F2 | C605 2B27A101 01                           | MOV BYTE PTR DS:[1A1272B],1                         |

OFF:

015702FB | C605 2D27A101 00                           | MOV BYTE PTR DS:[1A1272D],0                         |
01570302 | C605 2B27A101 00                           | MOV BYTE PTR DS:[1A1272B],0                         |

Looks like in the past (or in the old version of the game, perhaps the original) God Mode was achieved this way:

0157030D | 0FB605 702DA101                            | MOVZX EAX,BYTE PTR DS:[1A12D70]                     |
01570314 | 85C0                                       | TEST EAX,EAX                                        |
01570316 | 74 1A                                      | JE th2.1570332                                      |
01570318 | B9 9090FFFF                                | MOV ECX,FFFF9090                                    |
0157031D | 66:890D F6AB4500                           | MOV WORD PTR DS:[45ABF6],CX                         |
01570324 | BA 9090FFFF                                | MOV EDX,FFFF9090                                    |
01570329 | 66:8915 FFAB4500                           | MOV WORD PTR DS:[45ABFF],DX                         |
01570330 | EB 17                                      | JMP th2.1570349                                     |
01570332 | B8 7F150000                                | MOV EAX,157F                                        |
01570337 | 66:A3 F6AB4500                             | MOV WORD PTR DS:[45ABF6],AX                         |
0157033D | B9 750C0000                                | MOV ECX,C75                                         |
01570342 | 66:890D FFAB4500                           | MOV WORD PTR DS:[45ABFF],CX                         |

By patching some locations with NOPs :) Of course, due to ASLR and new OSes, that kinda stopped working. Something tells me writing the 0x1 bytes at those addresses somehow has the same effect :P

The two 0x1 BOOLs above have 2 effects: no damage on your player AND auto-killing whoever hits you (1-hit auto-kill) :D

Free Spells

Does a bit more than the above; aside from toggling some bools, it actually iterates through the game available spells and adds them to your SPELLS window. I think casting them also doesn't consume mana :P (hence the BOOLs).

I'll post a quick table in a bit :P Lemme test shit out first.

BR,
Sun

Post by SunBeam » Wed Sep 04, 2019 9:26 pm

For Gold, you have the formula right here:

01645459 | 6905 F4CDC801 A0A50100   | IMUL EAX,DWORD PTR DS:[1C8CDF4],1A5A0 |
01645463 | 0305 18CEC801            | ADD EAX,DWORD PTR DS:[1C8CE18]        |pointer
01645469 | 8945 F8                  | MOV DWORD PTR SS:[EBP-8],EAX          |
..
01645477 | 2B45 C4                  | SUB EAX,DWORD PTR SS:[EBP-3C]         |subtracts while at Cain and identifying something
0164547A | 8B4D F8                  | MOV ECX,DWORD PTR SS:[EBP-8]          |
0164547D | 8981 CC010000            | MOV DWORD PTR DS:[ECX+1CC],EAX        |writes to Gold

Ah.. but that's just the visual value ;) The real one is read here:

Image

Sneaky, sneaky :D

Ah.. so the formula actually reads Gold from the actual inventory object. It takes into account which slot is the object situated in your inventory. And this Gold object has an ID.

In the same function I see that the engine compares the actual level you're at with the maximum, which, as per the code, is 50 ("CMP EAX,32" up in the screenshot).

This is an iterator through all of the objects in your inventory:

01626D2C | 8B55 F8                                    | MOV EDX,DWORD PTR SS:[EBP-8]                        |
01626D2F | 83C2 01                                    | ADD EDX,1                                           |
01626D32 | 8955 F8                                    | MOV DWORD PTR SS:[EBP-8],EDX                        |
01626D35 | 8B45 FC                                    | MOV EAX,DWORD PTR SS:[EBP-4]                        |
01626D38 | 8B4D F8                                    | MOV ECX,DWORD PTR SS:[EBP-8]                        |
01626D3B | 3B88 FC5A0100                              | CMP ECX,DWORD PTR DS:[EAX+15AFC]                    | A
01626D41 | 7D 5C                                      | JGE th2.1626D9F                                     |
01626D43 | 6955 F8 4B040000                           | IMUL EDX,DWORD PTR SS:[EBP-8],44B                   |
01626D4A | 8B45 FC                                    | MOV EAX,DWORD PTR SS:[EBP-4]                        |
01626D4D | 83BC10 822E0000 0B                         | CMP DWORD PTR DS:[EAX+EDX+2E82],B                   | B:'\v'
01626D55 | 75 46                                      | JNE th2.1626D9D                                     |
01626D57 | 694D F8 4B040000                           | IMUL ECX,DWORD PTR SS:[EBP-8],44B                   |
01626D5E | 8B55 FC                                    | MOV EDX,DWORD PTR SS:[EBP-4]                        |
01626D61 | 8B840A 3E2F0000                            | MOV EAX,DWORD PTR DS:[EDX+ECX+2F3E]                 |
01626D68 | 3B05 FC9CBE01                              | CMP EAX,DWORD PTR DS:[1BE9CFC]                      |
01626D6E | 7E 16                                      | JLE th2.1626D86                                     |
01626D70 | 694D F8 4B040000                           | IMUL ECX,DWORD PTR SS:[EBP-8],44B                   |
01626D77 | 8B55 FC                                    | MOV EDX,DWORD PTR SS:[EBP-4]                        |
01626D7A | A1 FC9CBE01                                | MOV EAX,DWORD PTR DS:[1BE9CFC]                      |
01626D7F | 89840A 3E2F0000                            | MOV DWORD PTR DS:[EDX+ECX+2F3E],EAX                 |
01626D86 | 694D F8 4B040000                           | IMUL ECX,DWORD PTR SS:[EBP-8],44B                   |
01626D8D | 8B55 FC                                    | MOV EDX,DWORD PTR SS:[EBP-4]                        |
01626D90 | 8B45 EC                                    | MOV EAX,DWORD PTR SS:[EBP-14]                       |
01626D93 | 03840A 3E2F0000                            | ADD EAX,DWORD PTR DS:[EDX+ECX+2F3E]                 |
01626D9A | 8945 EC                                    | MOV DWORD PTR SS:[EBP-14],EAX                       |
01626D9D | EB 8D                                      | JMP th2.1626D2C                                     |
01626D9F | 8B4D FC                                    | MOV ECX,DWORD PTR SS:[EBP-4]                        |

I currently have 10 objects in there ([EAX+15AFC] == 0xA). The first inventory object is located at offset 0x2E82 (or close to that; the code is checking a certain byte for 0xB, the Gold identifier); then all the rest of the objects are 0x44B apart from the first one. So an inventory item memory block is 0x44B bytes big.

Then 0xBC from 0x2E82 is the quantity.

As far as IDs: 0xB = Gold; 0xC = Ring of <bla>; etc. - haven't identified all of them. I'm assuming you could unpack the .mpqs and get a list of them. Bottom line is I can write a Lua script that simply reads-up your inventory and displays it in CE's window :D

EDIT: So 0x2E82-0x1C would be the start of the first object in your inventory ;) Note that 'the first object' doesn't mean the object in the FIRST inventory slot. What you see on-screen isn't represented identically in memory.
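
The inventory loop from the listing in the post above, hand-decompiled into C as an added example (not part of the original post and not the game's source). The names `sum_gold`, `pile_cap` and `make_sample_block` are hypothetical, the sample block is constructed, and the loop index is assumed to start at 0 because the listing begins at the increment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets taken from the listing in the post above. */
#define INV_COUNT_OFF 0x15AFC /* [EAX+15AFC]: number of inventory items */
#define ITEM_TYPE_OFF 0x2E82  /* [EAX+EDX+2E82]: type id of item 0 */
#define ITEM_QTY_OFF  0x2F3E  /* [EDX+ECX+2F3E]: quantity, type + 0xBC */
#define ITEM_STRIDE   0x44B   /* IMUL ..,44B: bytes per inventory item */
#define TYPE_GOLD     0xB
#define BLOCK_SIZE    (INV_COUNT_OFF + 4) /* constructed: ends after the count */

/* The fields sit at odd addresses, so go through memcpy. */
static int32_t rd32(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, int32_t v) { memcpy(p, &v, 4); }

/* Hand-decompiled loop; pile_cap is [1BE9CFC]. Assumes i starts at 0. */
int32_t sum_gold(uint8_t *player, int32_t pile_cap)
{
    int32_t total = 0;                               /* [EBP-14] */
    int32_t count = rd32(player + INV_COUNT_OFF);
    for (int32_t i = 0; i < count; i++) {            /* [EBP-8]; JGE exits */
        uint8_t *item = player + (size_t)i * ITEM_STRIDE;
        if (rd32(item + ITEM_TYPE_OFF) != TYPE_GOLD) /* JNE: next item */
            continue;
        if (rd32(item + ITEM_QTY_OFF) > pile_cap)    /* JLE skips the clamp */
            wr32(item + ITEM_QTY_OFF, pile_cap);
        total += rd32(item + ITEM_QTY_OFF);
    }
    return total;
}

/* Constructed sample block: gold 3000, a non-gold item (0xC), gold 9000. */
uint8_t *make_sample_block(void)
{
    static const int32_t types[] = { 0xB, 0xC, 0xB }, qtys[] = { 3000, 1, 9000 };
    static uint8_t block[BLOCK_SIZE];
    wr32(block + INV_COUNT_OFF, 3);
    for (int i = 0; i < 3; i++) {
        wr32(block + ITEM_TYPE_OFF + i * ITEM_STRIDE, types[i]);
        wr32(block + ITEM_QTY_OFF + i * ITEM_STRIDE, qtys[i]);
    }
    return block;
}

int main(void)
{
    printf("gold total: %d\n", (int)sum_gold(make_sample_block(), 5000));
    return 0;
}
```

As in the listing, the count at +0x15AFC is trusted and the comparisons are signed (JGE/JLE); bound the count before running this over a buffer you did not construct.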

Post by SunBeam » Wed Sep 04, 2019 10:40 pm

Tivrusky wrote:
Wed Sep 04, 2019 5:12 pm
ello,

That's right delion,
My new direction for the loot cheat is to only change the drops for named monsters (bosses and rares).
I've made it so now you can give all named monsters extra loot on top of their normal drops.
Once you activate the cheat it will show the current bonus drops (default 10), but you can change this to your liking.

Let me know if you like the cheat this way or the old way.

Who will be first to set it to something crazy like 100 extra drops?
Post a screenshot if the game doesn't crash :D

Laters!

Checked your table. Some items are off in your "Player Stats" list, mainly due to offsetting of the actual object whose quantity you want to list. Example: "Gold" shows the address I mentioned above, the visual one. Try to change your Gold, you'll see it auto-resets to the previous value ;)

Gold offset (of the first pile) is 0x2F3E.

Post by Tivrusky » Thu Sep 05, 2019 9:30 am

Ty SunBeam,

I've just been adding to the table that was already started.

The main things I added are the gold cheat and the boss drops cheat.

Post by centuryfile » Thu Sep 05, 2019 2:25 pm

I decided to tweak the table a little: added a separate mf value so it would be easier to tweak it when you're item hunting via save/reload, added the old loot cheat because it made it easier to get elixir drops (use only one loot cheat at the same time), and added hex values for perks just in case.

There are some other minor things that I'd like to see, such as a dedicated respec option that would set all perk values to 0, and making it so that only one loot cheat could work at the same time to prevent accidental crashes.
Attachments
TH2v1.0037_edit.CT
(38.64 KiB) Downloaded 24 times

Post by delion » Thu Sep 05, 2019 4:56 pm

any way to remove cooldown of spells?
just imagine what can be done with spell 24 ("Selected spell" from the table) with no cd)

Post by Aranderius » Thu Sep 05, 2019 7:05 pm

When I try to change the perks, all that happens is my perks get reset so I can pretty much respec.
However, I don't see a way to add more perk levels since it's capped to your character level.

Post by delion » Thu Sep 05, 2019 8:35 pm

Aranderius
try to experiment with the last two bytes of HEX perks (the largest number of perks gave me A0 - 96 free points)

Post by Tivrusky » Thu Sep 05, 2019 8:50 pm

Evening,

Nice Idea on the spell cooldown.

Added Cast Spells in Town and Ignore Spell Cooldown

Let the madness begin!
Attachments
TH2v1.0037_edit.CT
cast in town and ignore cooldown
(39.67 KiB) Downloaded 18 times
