Caveblazers Trainer +5

[BooBoo]

DDSTrainers proudly presents

Caveblazers Trainers and Cheat for PC

Caveblazers +5 Trainer v1.0.3f Steam : [Link] : Free Trainer + Premium Trainer

Caveblazers +5 Trainer v1.0.3d Steam : [Link]

Caveblazers +5 Trainer v1.0.3b Steam : [Link]

Caveblazers +3 Trainer v1.0.0 Steam : [Link]

Game : [Link]

Author: BooBoo

Options: +5

Code: Select all

Numpad 1 = Infinite Health
Numpad 2 = Easy Gold
Numpad 3 = Easy Kills
Numpad 4 = Fly Mode
Numpad 5 = Unlimited Bombs

Instructions:

While playing pause the game and press the key F1
to activate the trainer.

Easy Gold:
This option will give you a ton of gold each time
that you pick up a gold coin.

Fly Mode:

Activate the option first, then jump to enable
the effect. Deactivate to disable the effect.

Unlimited Bombs:

This option will give you 99 bombs each time that
you use a bomb. You need 2 bombs in your inventory
for this option to work.

All the options are self-explanatory. If you need
help with any of the options, please post all your
questions on the trainer's support page on our blog.

Enjoy!

[Sigan]

I found the health and gold values as doubles, but I can't find any other values. Did you find pointers, or use an AOB Injection?? I'm just curious.

[BooBoo]

I found the health and gold values as doubles, but I can't find any other values. Did you find pointers, or use an AOB Injection?? I'm just curious.

Nope, I didn't use pointers they are unreliable. I did a little bit of reversing until I found an Injection point for the player only.

[Sigan]

I can't figure out how to do that on this game. I'm obviously not very educated in this stuff, but I know a little. Can you show me how to find them? I want to be able to make my own...

[Sigan]

I guess what I'm asking is, how do I get passed the code that it pushes it onto the stack with? I can find many different values, but when I go to see what writes to them, all I get is the part where it says

Code: Select all

"Caveblazers.exe"+109EB1: 89 1F                 -  mov [edi],ebx

and

Code: Select all

"Caveblazers.exe"+109F03: DD 1F                 -  fstp qword ptr [edi]

I can't find any other injection points, and I don't really know how to find anything better than that. Can you give me a clue? Reference a topic where it's covered?

[BooBoo]

Here you go, [Link]

This guy explains pretty much everything in detail. although I don't recommend his methods because values from the stack are shared with alot of objects in this game and can lead to crashes.

[Rudo]

Here you go, [Link]

This guy explains pretty much everything in detail. although I don't recommend his methods because values from the stack are shared with alot of objects in this game and can lead to crashes.

Interesting. So which method did you use to hack this game? (or GameMaker games in general) Would be nice if you share some intel

[Sigan]

Interesting. So which method did you use to hack this game? (or GameMaker games in general) Would be nice if you share some intel

I agree... If you could kindly share some of your secrets, I'd love to learn more.

[BooBoo]

Actually, I am working on a series of tutorials to share with the community on how to reverse some of the more difficult games. Stay tuned!

[Sigan]

Sure thing. Will do! I appreciate that. I'm trying the method outlined in the video, and it's not quite working. I've managed to make my health read 0 instead of 9999, and my gold reads 99999 immediately after the game is turned on (which is good). The problem is, anytime anything takes damage, other than myself, the game crashes. If I take damage, well... my health is zero already so, I just die. I've had the same experience with maxHealth. Would it be rude to ask you to look over this code and tell me what you think?

Code: Select all

[ENABLE]

aobscanmodule(findPlayer,Caveblazers.exe,DD 1F 5F 5E 5D 5B 59) // should be unique
alloc(newmem,$1000)
alloc(infHealthz,4)
alloc(maxHealthz,4)
alloc(infGoldz,4)

label(code)
label(originalcode)
label(return)
//label(infHealth)
label(altinfHealth)
//label(maxHealth)
label(infGold)

globalalloc(_Health,4)
globalalloc(_Gold,4)

infHealthz:
  dq (double)999

maxHealthz:
  dq (double)999

infGoldz:
  dq (double)99999

newmem:

code:
  push edx
  mov edx,[ebp-98]
  pushf
  cmp edx,186FA
  je altinfHealth
{  cmp edx,1870E
  je maxHealth
}  cmp edx,188BF
  je infGold
  jmp originalcode


altinfHealth:
  popf
  pop edx
  fstp st(0)
  pop edi
  pop esi
  pop ebp
  jmp return

{
infHealth:
  fstp st(0)
  fld qword ptr [infHealthz]
  mov edx,[ebp-AC]
  mov [_Health],edx
  jmp originalcode

maxHealth:
  fstp st(0)
  fld qword ptr [maxHealthz]
  jmp originalcode
}
infGold:
  fstp st(0)
  fld qword ptr [infGoldz]
  mov edx,[ebp-AC]
  mov [_Gold],edx
  jmp originalcode

originalcode:
  popf
  pop edx
  fstp qword ptr [edi]
  pop edi
  pop esi
  pop ebp
  jmp return

findPlayer:
  jmp newmem
return:
registersymbol(findPlayer)

[DISABLE]

findPlayer:
  db DD 1F 5F 5E 5D

unregistersymbol(findPlayer)
dealloc(newmem)
dealloc(infHealthz)
dealloc(maxHealthz)
dealloc(infGoldz)
{
// ORIGINAL CODE - INJECTION POINT: "Caveblazers.exe"+109F03

"Caveblazers.exe"+109EEF: 39 58 08              -  cmp [eax+08],ebx
"Caveblazers.exe"+109EF2: 0F 85 95 02 00 00     -  jne Caveblazers.exe+10A18D
"Caveblazers.exe"+109EF8: 89 78 08              -  mov [eax+08],edi
"Caveblazers.exe"+109EFB: 5F                    -  pop edi
"Caveblazers.exe"+109EFC: 5E                    -  pop esi
"Caveblazers.exe"+109EFD: 5D                    -  pop ebp
"Caveblazers.exe"+109EFE: 5B                    -  pop ebx
"Caveblazers.exe"+109EFF: 59                    -  pop ecx
"Caveblazers.exe"+109F00: C3                    -  ret 
"Caveblazers.exe"+109F01: DD 00                 -  fld qword ptr [eax]
// ---------- INJECTING HERE ----------
"Caveblazers.exe"+109F03: DD 1F                 -  fstp qword ptr [edi]
"Caveblazers.exe"+109F05: 5F                    -  pop edi
"Caveblazers.exe"+109F06: 5E                    -  pop esi
"Caveblazers.exe"+109F07: 5D                    -  pop ebp
// ---------- DONE INJECTING  ----------
"Caveblazers.exe"+109F08: 5B                    -  pop ebx
"Caveblazers.exe"+109F09: 59                    -  pop ecx
"Caveblazers.exe"+109F0A: C3                    -  ret 
"Caveblazers.exe"+109F0B: 8B 00                 -  mov eax,[eax]
"Caveblazers.exe"+109F0D: 89 07                 -  mov [edi],eax
"Caveblazers.exe"+109F0F: 5F                    -  pop edi
"Caveblazers.exe"+109F10: 5E                    -  pop esi
"Caveblazers.exe"+109F11: 5D                    -  pop ebp
"Caveblazers.exe"+109F12: 5B                    -  pop ebx
"Caveblazers.exe"+109F13: 59                    -  pop ecx
}

Edit: I'm still working with it, so I've got some stuff remarked out while I'm testing, but the code is basically the same for all three things.

[BooBoo]

Your code looks fine, but like I told you before, the game uses the same stack values for other stuff. your game is crashing because you are moving 9999 into other unknown addys.

[Sigan]

Ok, sure. So, I'm trying a different approach now to find where the value for health is stored on-the-fly. I'm moving ebp into the global variable [_playerBase], and then I'm calling on [_playerBase]-AC in my code list. Now, it's crashing anytime I get hit, or something else gets hit, while the code is running, and I'm not sure why. This will still cause a crash when I get hit, for some reason.

Pleeeeeassee.... what am I doing wrong? You mentioned injecting in the wrong place. I hear you, but where else is there to inject, and how can I make Cheat Engine show me the pointers?

Also, keep in mind that I know that if I can find one of these three pointers, I can find all three based on offsets being the same every time. maxHealth is always stored at +140 from Health, and gold at +1c50 from Health. So, if I can find one of these pointers, I can point to all of them with math.

Code: Select all

[ENABLE]

aobscanmodule(INJECT,Caveblazers.exe,DD 1F 5F 5E 5D 5B 59) // should be unique
alloc(newmem,$1000)
label(code)
label(originalcode)
label(return)
label(findPlayer)
globalalloc(_playerBase,4)

newmem:

code:
  push edx
  mov edx,[ebp-98]
  pushf
  cmp edx,186FA
  je findPlayer
  jmp originalcode

findPlayer:
  mov [_playerBase],ebp
  jmp originalcode

originalcode:
  popf
  pop edx
  fstp qword ptr [edi]
  pop edi
  pop esi
  pop ebp
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db DD 1F 5F 5E 5D

unregistersymbol(INJECT)
dealloc(newmem)

[pgain2004]

So I can find the health and gold as doubles, but once I changed them, the game restarted. That's kind of an anti-cheat mechanism, right? How do I bypass it?

edit1:OK I know there's a value= max-health - current-health, if these 3 value doesn't fit the equation, game restarts. How about gold? I assume it would be the same as quanity of items, but trying *2 *8 *10 found notthing.

edit2:Alright, gold value is 2(3) double *1 and another double *29(maybe also a random value?)

edit3:And the quanity of items are just single double value, no anti-cheat mechanism for it.

[BooBoo]

Bump - Updated the Trainer to version 1.0.3b Enjoy!

[Holmes 25-MC]

Hello BooBoo...
This is the problem with the old trainer +3 (caveblazers 1.0.0) and the new trainer +5 (caveblazers 1.0.3c), whenever you meet the boss Azguard, as soon as the fight ends, my character freezes, No longer moves, the arrow keys respond when I press the "Escape" key to return to the menu, the selection works with the arrow keys, when I select "Resume", I return to the boss's table to find my character Unable to move ... so premature end of the game. This problem occurs only with the boss Azguard, with the other bosses, everything works perfectly.
Thanks BooBoo for trying to figure out what is blocking at the end of the fight against the Azguard boss.