RISE OF THE TOMB RAIDER Health hacking

[TheByteSize]

how are you displaying your memory that way because mine look like this

[Link]

but the code didn't work it decrease my health then crash the game

right click on bottom windows and choose Display Type > 4 Bytes Hex

[pharaon]

[Link]
if you notice the bytes are inverted dunno why

so why about that the code is not working

what could be wrong

[TheByteSize]

12C is hex decimal for 300 float which is your health so using that would be bad.

[pharaon]

ok i got it ,i'll find the new register
but what about the memory display thing

[TheByteSize]

Try with this code. I don't have access to the game at the moment so I cannot verify.
as for your Memory Address display in backward, I don't know how that happened.

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,health1)

label(prepare2exit)
label(code)
label(return)

newmem:
  push rdi  //preserve rdi
  lea rdi,[rax]  //copy effective address of rax
  cmp [rdi],xxxxxx  //replace this with the hex you see at rax
  jne prepare2exit
  //start check on new health if health change belong to player
  pop rdi  //return rdi to original state
  push rdi  //borrow this register again
  movq [rdi],xmm6  //copy new health
  cmp  [rax+2C],rdi  //check old vs new
  jge prepare2exit  //ignore if old health is higher
  //end of health chang check
code:
  movss [rax+2C],xmm6
// jmp return
prepare2exit:
  pop rdi //return rdi to original state
  jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

[pharaon]

this is the registers of my hero health address
RAX=00000000C590D060
RBX=00000000C590C8D0
RCX=00000000858496A0
RDX=00000000000001C2
RSI=0000000000000080
RDI=000000000000012C
RBP=00000000C5B6AE50
RSP=000000000014E390
RIP=0000000143356C18
R8 =00000000B4793538
R9 =FFFFFFFF00000000
R10=00000000ABB87890
R11=0000000000000030
R12=0000000000000001
R13=0000000000000000
R14=000000000000FFFF
R15=0000000142276930

your code made all enemies in god mode

i also hope if you can explain your code little to me

[TheByteSize]

change
cmp [rdi],xxxxxx
to
cmp [rdi],40CDFEA0

[pharaon]

why 40CDFEA0??
how you get it

[TheByteSize]

[rax+2c] which point to an address that contains lara's hp. So I looked back at [rax] which has address that contains something. That hex was there and I assume that's the ID for lara.
anyway, which part of the code don't you understand?

[Kalas]

Could you check if the code you inject at Is even writing to your real value instead for a graphical cause It may just be a display value which could explain why you are having issues.

Just don't use cmp or anything,

Code: Select all

mov [rax+2C],(float)999

If It does work then try to cmp with: RSI=0000000000000080 // Try even R12 I believe I saw It has a unique offset.


PS: Downloading right now just to test this issue, I think I made a CT for this game back then so I remember making Unlimited Health as well.

[pharaon]

change
cmp [rdi],xxxxxx
to
cmp [rdi],40CDFEA0

infinite health for all enemies as well

[pharaon]

Could you check if the code you inject at Is even writing to your real value instead for a graphical cause It may just be a display value which could explain why you are having issues.

Just don't use cmp or anything,

Code: Select all

mov [rax+2C],(float)999

If It does work then try to cmp with: RSI=0000000000000080 // Try even R12 I believe I saw It has a unique offset.


PS: Downloading right now just to test this issue, I think I made a CT for this game back then so I remember making Unlimited Health as well.

it write to the real health value

[pharaon]

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

working fine so far although a little bit lagging

[TheByteSize]

change
cmp [rdi],xxxxxx
to
cmp [rdi],40CDFEA0

infinite health for all enemies as well

That's odd. I was hitting the patrols with climber pickaxes without taking any damage and still manage to kill them.

[pharaon]

this on work

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

but this one does not work

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R13,0
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

any explanation