Most of the ASM is just checking if the call is coming from the player, then setting eax+1d4 to 500.0f. EAX seems to be the player pointer. But this is a common trainer technique: he's found a function that either read the player speed variable or allowed him access to the base player pointer, to where he could manipulate it. I'm going to guess the former, considering the amount of callback checks he's doing.
I had to do something similar for my FONV trainer for infinite ammo:
Code:
ammohook:
mov ecx,[ebp-34] //Original Code.
mov [ecx+04],eax //Original Code.
cmp ebx,#1 //Check if the player is dropping an item from inventory.
je ammoreturn //Return if they are.
push ebx //Preserve EBX to the stack.
mov ebx,[FalloutNV.exe+DDEA3C] //Dereference the pPlayer address to EBX.
cmp [esp+374],ebx //Check if pPlayer is on the stack.
pop ebx //Return EBX to its previous state.
jne ammoreturn //If it's not the player, return.
mov edi,[esp+2F4] //Move the original to EDI.
mov [ecx+04],edi //Push EDI into the ammo address.
mov edi,#0 //Restore EDI.
jmp ammoreturn //Return.
cliphook:
mov ecx,[ebp+08] //Original code.
mov [eax+04],ecx //Original code.
push ebx //Preserve EBX to the stack.
mov ebx,[FalloutNV.exe+DDEA3C] //Dereference the pPlayer address to EBX.
cmp [esp+1C],ebx //Check if pPlayer is on the stack.
pop ebx //Return EBX to its previous state.
jne clipreturn //If it's not, return.
cmp [ebp+278],#0 //Check if it's a thrown weapon.
jne clipreturn //If it's not, return.
inc ecx //Add 1 to our shot counter.
mov [eax+04],ecx //Push it to the shot counter address.
jmp clipreturn //Return.