RISE OF THE TOMB RAIDER Health hacking

[Kalas]

this on work

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

but this one does not work

Code: Select all

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R13,0
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)450
jmp return

health1:
  jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
  db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

any explanation

Hmm cause you use different registers..?

[pharaon]

i know i use different register
but why the compare to the second register not working

[Kalas]

Becayse Lara is in the R12 register and not the R13.

[pharaon]

how can i know which register is for lara and which is not

[Kalas]

how can i know which register is for lara and which is not

By testing, as you tested R12 and R13, sometimes they both can work but this time you see R12 works fine for your Lara and still subtracting health from Enemies

[pharaon]

is the code right this way?

[ENABLE]

aobscanmodule(health1,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)
label(laraGODmode)

newmem:
cmp R12,1
je laraGODmode

code:
movss [rax+2C],xmm6
jmp return

laraGODmode:
mov [rax+2C],(float)9999
jmp return

health1:
jmp newmem
return:
registersymbol(health1)

[DISABLE]

health1:
db F3 0F 11 70 2C

unregistersymbol(health1)
dealloc(newmem)

[Kalas]

Yep

Could just do

cmp r12,1
jne code
mov [rax+2C](float)999
jmp return

[pharaon]

how about this code

Code: Select all

{ Game   : ROTTR.exe
  Version: 
  Date   : 2017-09-26
  Author : DeskTop

  This script does blah blah blah
}

[ENABLE]

aobscanmodule(INJECT,ROTTR.exe,F3 0F 11 70 2C 48 8B 8B A8) // should be unique
alloc(newmem,$1000,"ROTTR.exe"+3356C18)

label(code)
label(return)


newmem:
cmp R12,1
jne code
push eax
mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6
pop eax
jmp return

code:
  movss [rax+2C],xmm6
  jmp return

laraGODmode:
push eax
mov eax,(float)9999
movd xmm0,eax

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 70 2C

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "ROTTR.exe"+3356C18

"ROTTR.exe"+3356BF4: 48 8B 01                                      -  mov rax,[rcx]
"ROTTR.exe"+3356BF7: 0F 28 F1                                      -  movaps xmm6,xmm1
"ROTTR.exe"+3356BFA: FF 90 08 01 00 00                             -  call qword ptr [rax+00000108]
"ROTTR.exe"+3356C00: 84 C0                                         -  test al,al
"ROTTR.exe"+3356C02: 75 34                                         -  jne ROTTR.exe+3356C38
"ROTTR.exe"+3356C04: 48 8B 83 A8 02 00 00                          -  mov rax,[rbx+000002A8]
"ROTTR.exe"+3356C0B: 66 0F 6E 40 28                                -  movd xmm0,[rax+28]
"ROTTR.exe"+3356C10: 0F 5B C0                                      -  cvtdq2ps xmm0,xmm0
"ROTTR.exe"+3356C13: 0F 2E F0                                      -  ucomiss xmm6,xmm0
"ROTTR.exe"+3356C16: 74 20                                         -  je ROTTR.exe+3356C38
// ---------- INJECTING HERE ----------
"ROTTR.exe"+3356C18: F3 0F 11 70 2C                                -  movss [rax+2C],xmm6
// ---------- DONE INJECTING  ----------
"ROTTR.exe"+3356C1D: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C24: F3 0F 2C 41 2C                                -  cvttss2si eax,[rcx+2C]
"ROTTR.exe"+3356C29: 89 41 28                                      -  mov [rcx+28],eax
"ROTTR.exe"+3356C2C: 48 8B 8B A8 02 00 00                          -  mov rcx,[rbx+000002A8]
"ROTTR.exe"+3356C33: E8 68 78 FC FF                                -  call ROTTR.exe+331E4A0
"ROTTR.exe"+3356C38: 0F 28 74 24 20                                -  movaps xmm6,[rsp+20]
"ROTTR.exe"+3356C3D: 48 83 C4 30                                   -  add rsp,30
"ROTTR.exe"+3356C41: 5B                                            -  pop rbx
"ROTTR.exe"+3356C42: C3                                            -  ret 
"ROTTR.exe"+3356C43: CC                                            -  int 3 
}

[Kalas]

Again you are adding unneeded stuff, just do mov [rax+2C],(float)9999

But in general I think that yea It should work.

[seikur0]

Code: Select all

mov eax,(float)9999
movd xmm6,eax
movss [rax+2C],xmm6

This should totally crash your game..

Do this:

Code: Select all

cmp R12,1
jne code
mov ecx,(float)9999
movd xmm6,ecx

code:
  movss [rax+2C],xmm6
  jmp return

ecx, because it gets overwritten after that. (Also it may not be necessary to overwrite xmm6.)

[dl748]

I have a really old LUA script that doesn't use code injection. Just tested and it still works.

Code: Select all

  if HealthLocation == nil then
    HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X")
    HealthLocation2 = AOBScan("45 30 FF FF 50 ?? 48 8B 0D ?? ?? ?? ?? 48 89 C2 45 31 C0","+W-C+X")
  end
  if HealthLocation ~= nil and HealthLocation2 ~= nil then
    count = stringlist_getCount(HealthLocation)
    count2 = stringlist_getCount(HealthLocation2)
    if count == 1 and count2 == 1 then
      address = getAddress(stringlist_getString(HealthLocation,0))
      offset = readInteger(address+3)
      address = address + 6
      if offset >= 0x80000000 then
        address = address - bAnd(bNot(offset),0xFFFFFFFF)
      else
        address = address + offset
      end
      address = readPointer(address)
      local id = readQword(address+0x348)
      address = getAddress(stringlist_getString(HealthLocation2,0))
      offset = readInteger(address+9)
      address = address + 12
      if offset >= 0x80000000 then
        address = address - bAnd(bNot(offset),0xFFFFFFFF)
      else
        address = address + offset
      end
      address = readPointer(address)
      local count = readInteger(address + 0x328)
      address = readPointer(address + 0x330)
      local addr = 0
      for i=0,count-1 do
        local tempaddr = readPointer(address + (i*0x8))
        if tempaddr ~= 0 then
          local tempaddr2 = readPointer(tempaddr + 0x338)
          if tempaddr2 ~= 0 then
            local tempid = readQword(tempaddr2+0x28)
            if id == tempid then
              addr = tempaddr
            end
          end
        end
      end
      if addr ~= 0 then
        address = readPointer(addr+0x60E8)
        if address ~= 0 then
          address = readPointer(address+0x3198)
          address = readPointer(address+0xD8)
          local healthpos = 0x20
          local healthloc = readPointer(address + (healthpos * 0x8))
          registerSymbol("MaxHealthLocation", healthloc + 0x2C4)
          address = readPointer(healthloc + 0x2A8)
          registerSymbol("HealthLocation", address + 0x2C)
          value = readInteger(healthloc+0x2C4)
          writeFloat(address + 0x2C, value)
        end
      end
    end
  end

This gets the internal ID of health, and then loops through though the objects to find that ID and then registers a symbol for HealthLocation and MaxHealthLocation. It then will write the HealthLocation with the float from the MaxHealthLocation. I have newer scripting functions that would make this a lot cleaner.

[pharaon]

^ Either next question would be how that works OR "it's too advanced for me". Just anticipating.

at least he is trying to help not just commenting like you do

[pharaon]

^ Here we go: [Link]. Hope it helps.

thx

[dl748]

It follows a static address down to the correct health pointer by using similar code that the engine uses but in LUA.

1. Follows static pointer down to the ID of the health record.
2. Uses that ID to follow a hash/associative array down to the actual health record.
3. Creates/Updates a Symbol "HealthLocation" with the address of the health (I don't use symbol anymore, but create records in my latest code)

The first tomb raider uses the same exact method, I have updated the first game with my new code but not the latest.

viewtopic.php?f=4&t=4118&p=13996#p13996

HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X") -- Locates assembly code of the static address. I've found its LESS likely that coders will change code that accesses a global variable than they would say, change how health is calculated. Which is why code like this will generally work from version to version instead of code that attacks where health is being modified.

HealthLocation + 3 = Static address (as a code offset, the integer located here is an offset to where the static address is)
[[Static + 0] + 0x348] = Id of the health record

HealthLocation2 + 9 = Static location of the hash
[[Static + 0] + 0x328] = Item count
[[Static + 0] + 0x330] = Address of hash

Loop through items (0,count-1) and read the pointer at HashAddr + (i*8)
[[itemaddr + 0x338]+0x28] = id of item -- find the id that matches the health id

[[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2A8] + 0x2C] = float of health
[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2C4] = int of max health

I prefer this reference [Link]

[pharaon]

It follows a static address down to the correct health pointer by using similar code that the engine uses but in LUA.

1. Follows static pointer down to the ID of the health record.
2. Uses that ID to follow a hash/associative array down to the actual health record.
3. Creates/Updates a Symbol "HealthLocation" with the address of the health (I don't use symbol anymore, but create records in my latest code)

The first tomb raider uses the same exact method, I have updated the first game with my new code but not the latest.

viewtopic.php?f=4&t=4118&p=13996#p13996

HealthLocation = AOBScan("48 8B 0D ?? ?? ?? ?? 30 DB 45 30 ED","+W-C+X") -- Locates assembly code of the static address. I've found its LESS likely that coders will change code that accesses a global variable than they would say, change how health is calculated. Which is why code like this will generally work from version to version instead of code that attacks where health is being modified.

HealthLocation + 3 = Static address (as a code offset, the integer located here is an offset to where the static address is)
[[Static + 0] + 0x348] = Id of the health record

HealthLocation2 + 9 = Static location of the hash
[[Static + 0] + 0x328] = Item count
[[Static + 0] + 0x330] = Address of hash

Loop through items (0,count-1) and read the pointer at HashAddr + (i*8)
[[itemaddr + 0x338]+0x28] = id of item -- find the id that matches the health id

[[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2A8] + 0x2C] = float of health
[[[[[itemaddr + 0x60E8] + 0x3198] + 0xD8] + (0x20 * 0x8)] + 0x2C4] = int of max health

I prefer this reference [Link]

great help man thanks lot