OhHeyItsLee wrote: ↑Tue Oct 26, 2021 11:20 am
I've found that the Unlimited Missiles cheat has a tendency to crash the game at random points after the game's been running for a short while...
Interesting; I'd been running into something similar and didn't quite put it together. I used Recifense's table to start poking through the game a little and decided to try rewriting the instructions rather than replacing them with nop. First was the infinite missiles code:
Original:
Code: Select all
mov eax,[rdx+28]
mov r8d,00000001
cmp eax,r8d
cmovb r8d,eax
sub eax,r8d
mov [rdx+28],eax
Update:
Code: Select all
mov eax,[rdx+28]
mov r8d,00000000
cmp eax,r8d
cmovb r8d,eax
sub eax,r8d
mov [rdx+28],eax
By changing the instruction to load a 0 for r8d, we get infinite missiles by changing the "cost" to 0.
I was also able to remove the missile launch timer check by letting the game run the entire check and then forcing the function to return as needed to spam torpedoes. Attaching the debugger and tracing up the stack let me find which function was checking the timer and from that found what to overwrite.
Orig:
Code: Select all
xor al,al
mov rdi,[rsp+000000C8]
mov rsi,[rsp+000000C0]
mov rbx,[rsp+000000D8]
New:
Code: Select all
mov al,1
mov rdi,[rsp+000000C8]
mov rsi,[rsp+000000C0]
mov rbx,[rsp+000000D8]
If you want to try these out you'll need to make the edits to your table manually as these are hacky as heck and will permanently be on; no toggles. Really more a proof of concept than anything. Comment out the existing MOSM lines:
Code: Select all
//AOBScanModule(MOSM,$process,8B 42 28 41 B8 01 00 00 00 41 3B C0 44 0F 42 C0 41 2B C0 89 42 28) //x
// Declaration section
//label(_MonShipMissiles)
//label(_BackMSM)
// Registering Symbols
//registersymbol(iEnableMSM)
//=========================================
MyCode:
// When decreasing Missiles
//_MonShipMissiles:
// mov [pRCX],rcx
//
// cmp dword ptr [iEnableMSM],0
// je _ExitMSM // Jump if feature is disabled
//
// cmp rdi,[pShip]
// je _MonSM00
//
// test rdi,rdi
// jz _ExitMSM
//
// mov rcx,[rdi+000002D0]
// cmp rcx,[pCommon]
// jne _ExitMSM
//
//_MonSM00:
// inc dword ptr [rdx+28]
//
//_ExitMSM:
// mov rcx,[pRCX]
//
// mov eax,[rdx+28] // Original code
// mov r8d,00000001 // Original code
// jmp _BackMSM // Back to main code
// Hacking Points
MOSM:
// jmp _MonShipMissiles
// nop
// nop
// nop
// nop
//_BackMSM:
// Unregistering Symbols
//unregistersymbol(iEnableMSM)
and add the replacement (the MOLT code removes the timer checks). The MOSM target changes a little so make sure you replace it even if it looks similar!
Code: Select all
AOBScanModule(MOSM,$process,41 B8 01 00 00 00 41 3B C0 44 0F 42 C0 41 2B C0 89 42 28 ?? ?? 49 8B C9) // missile decrement
AOBScanModule(MOLT,$process,32 C0 48 8B BC 24 C8 00 00 00 48 8B B4 24 C0 00 00 00 48 8B 9C 24) // missile launch time
// Registering Symbols
registersymbol(MOSM)
registersymbol(MOLT)
// Hacking Points
MOSM:
mov r8d,0
MOLT:
mov al,1
// Unregistering Symbols
unregistersymbol(MOSM)
unregistersymbol(MOLT)
Thank you so much to Recifense for the work so far; there's no way I'd be able to share anything more than bad directions if I couldn't copy their table.
I've been running these for a few hours without issue yet so here's hoping! Something is still broken haha; gonna keep looking. Codes work for a while but they will eventually crash.