RISE OF THE TOMB RAIDER Health hacking

[pharaon]

im trying to separate the hero life than enemies life by different registries the hero register RDI=000000000000012C is always the same and is different for the enemies

i tried this code but it's not working

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)

newmem:
pushf
cmp RDI,000000000000012C
jne code
popf
mov [rax+2C],(float)450
jmp return

code:
popf
movss [rax+2C],xmm6
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

[Bloodybone]

After Testing arround i found out that you can only use je for some od reason ... So mabe this will work

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(hero)

newmem:
pushf
cmp RDI,000000000000012C
je hero
popf
jmp code

hero:
mov [rax+2C],(float)450
popf
jmp return

code:
movss [rax+2C],xmm6
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

[pharaon]

i had to adjust it because it crashes the game
[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(hero)

newmem:
pushf
cmp RDI,000000000000012C
je hero
jmp code

hero:
popf
mov [rax+2C],(float)450
jmp return

code:
popf
movss [rax+2C],xmm6
jmp return

health1:
jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)


but it's still not working and laura die

[Bloodybone]

Maybe instead of using "cmp RDI,000000000000012C" use "cmp RDI,12C" it works for me but if that doesn't work compare the enemies and laura another way like through the Dissect data/Structures or through the stack (I prefere the Dissect data/Structures method)

[seikur0]

I wouldn't push the flags to the stack here, in 99.999999% of the cases you do an instruction and use the flags immediately afterwards, after that they become obsolete, so no need to preserve them.

And instead of alloc(newmem,$1000,"ROTTR.exe"+3356C18) you can use alloc(newmem,$1000,health1), so the memory gets reserved near the aob.

Last but not least rdi might be a pretty weird register to find the identification of the player in, they are mainly used for moving strings in memory. As Bloodybone already stated it might be better to find some other way to identify the player.
It could be, that an rdi of 12C always means you have the player health. But player health maybe doesn't always lead to an rdi of 12c?

[Kalas]

just do:

newmem:

cmp rdi,000000000000012C
jne code
mov [rax+2C],(float)450
jmp return

If the cmp doesn't work try to find a new way to cmp in dissect data.

[pharaon]

tried throw Dissect data/Structures but the offset keep changing what should i do

[Kalas]

tried throw Dissect data/Structures but the offset keep changing what should i do

Find a new one, I suggest looking for 1 and 0 those are usually remain the same.

I would export the Dissect Data Structure to a notepad and another one to compare, may take a bit of time but you could just use a small size cause usually you can find a good offset to cmp in only the very first lines.

[TheByteSize]

if you sure RDI contain identifier for your char health ID.
copy that RDI to one of r8d~r15d then do comparison.

Another way to is to check the data around [rax+2C], usually there is an identifier for player character near the Health address.

[pharaon]

tried throw Dissect data/Structures but the offset keep changing what should i do

Find a new one, I suggest looking for 1 and 0 those are usually remain the same.

I would export the Dissect Data Structure to a notepad and another one to compare, may take a bit of time but you could just use a small size cause usually you can find a good offset to cmp in only the very first lines.

tried and still some enemies share me with offset value

that is the code i got so far and some enemies still show up with same value

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp [rax+B04],1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

[pharaon]

Another way to is to check the data around [rax+2C], usually there is an identifier for player character near the Health address.

please explain how can i do that

[TheByteSize]

Another way to is to check the data around [rax+2C], usually there is an identifier for player character near the Health address.

please explain how can i do that

find the address that contain your char health then add that to your table then right click and browse that address location then looks around and see anything that obvious, you may find that 12C around there.

[pharaon]

find the address that contain your char health then add that to your table then right click and browse that address location then looks around and see anything that obvious, you may find that 12C around there.

this is what i found

Code: Select all

ROTTR.exe+3356BD1 - 66 66 66 66 66 66 2E 0F1F 84 00 00000000  - nop cs:[rax+rax+00000000]
ROTTR.exe+3356BE0 - 53                    - push rbx
ROTTR.exe+3356BE1 - 48 83 EC 30           - sub rsp,30 { 48 }
ROTTR.exe+3356BE5 - 48 89 CB              - mov rbx,rcx
ROTTR.exe+3356BE8 - 48 8B 0D 39A74FFF     - mov rcx,[ROTTR.exe+2851328] { [858496A0] }
ROTTR.exe+3356BEF - 0F29 74 24 20         - movaps [rsp+20],xmm6
ROTTR.exe+3356BF4 - 48 8B 01              - mov rax,[rcx]
ROTTR.exe+3356BF7 - 0F28 F1               - movaps xmm6,xmm1
ROTTR.exe+3356BFA - FF 90 08010000        - call qword ptr [rax+00000108]
ROTTR.exe+3356C00 - 84 C0                 - test al,al
ROTTR.exe+3356C02 - 75 34                 - jne ROTTR.exe+3356C38
ROTTR.exe+3356C04 - 48 8B 83 A8020000     - mov rax,[rbx+000002A8]
ROTTR.exe+3356C0B - 66 0F6E 40 28         - movd xmm0,[rax+28]
ROTTR.exe+3356C10 - 0F5B C0               - cvtdq2ps xmm0,xmm0
ROTTR.exe+3356C13 - 0F2E F0               - ucomiss xmm6,xmm0
ROTTR.exe+3356C16 - 74 20                 - je ROTTR.exe+3356C38
ROTTR.exe+3356C18 - F3 0F11 70 2C         - movss [rax+2C],xmm6
ROTTR.exe+3356C1D - 48 8B 8B A8020000     - mov rcx,[rbx+000002A8]
ROTTR.exe+3356C24 - F3 0F2C 41 2C         - cvttss2si eax,[rcx+2C]
ROTTR.exe+3356C29 - 89 41 28              - mov [rcx+28],eax
ROTTR.exe+3356C2C - 48 8B 8B A8020000     - mov rcx,[rbx+000002A8]
ROTTR.exe+3356C33 - E8 6878FCFF           - call ROTTR.exe+331E4A0
ROTTR.exe+3356C38 - 0F28 74 24 20         - movaps xmm6,[rsp+20]
ROTTR.exe+3356C3D - 48 83 C4 30           - add rsp,30 { 48 }
ROTTR.exe+3356C41 - 5B                    - pop rbx

[TheByteSize]

Yup, that 12C is at -04 position from [rax+2c] address.
[Link]
this code should do the trick.

oops there is bug in the code I posted.

[pharaon]

how are you displaying your memory that way because mine look like this

[Link]

but the code didn't work it decrease my health then crash the game