[Zombie Shooter] Shared Health


Labyrnth
04-18-2008, 02:30 AM
Players and Enemy AI Health sharing the same functions has been getting more and more popular in games.
Today I will give you a brief insight on one such game called:
Zombie Shooter reflexive.com

If you pop open your mem scanner and look for health in 4 bytes you will get an address. Freeze it and you have god mode.
But the game uses DMA so you need to use a pointer or do some code injection. Pointers are level 4.
But what we are looking at today is how a single loop can control both health for AI and Player. The instruction that you find with Cheat Engine or T-Search is shared by both.
0044d0f8 - 89 7e 68 - mov [esi+68],edi
So you can take the address of this instruction and pop open OllyDbg and go to it in code.

Below is the complete loop of the health on this game.
If you look at address 44d0f8 you can see the instruction
0044d0f8 - 89 7e 68 - mov [esi+68],edi
It handles both player and AI health.
So how are we going to find out how this loop does Player health and AI health?
We could get the game in window mode and step trace it.
But that's not good, simply because this game has a serious problem with trying to get it to window mode.
So what are the options? A break would land us in a fullscreen freeze. So we can't do that.
We will do a trace, so by selecting the whole loop, then right-clicking and selecting "trace selected area", we will see what's being executed.

After seeing how this loop does its work you can examine the code and come up with a way to do a structured health hack for the game.

Below is the Players health being handled in this large loop:
What you see with red is traced, and has been used for handling health of the player only.
http://i52.photobucket.com/albums/g36/deerlease/player1.png
http://i52.photobucket.com/albums/g36/deerlease/Player2.png

Below is how the same loop does the Enemy AI health:
http://i52.photobucket.com/albums/g36/deerlease/Enemy1.png
http://i52.photobucket.com/albums/g36/deerlease/Enemy2.png
http://i52.photobucket.com/albums/g36/deerlease/Enemy3.png
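
The shared-store idea from the post as a small C model (an added example, not part of the original post and not the game's code): one write routine serves every entity, and a trace of it separates player from enemy executions by the base pointer. Only the 0x68 offset comes from the quoted instruction; the struct layout, function names and damage values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the game's code: only the 0x68 offset comes
   from the instruction quoted in the post (mov [esi+68],edi). */
typedef struct {
    uint8_t pad[0x68];  /* unknown fields before health (assumed) */
    int32_t health;     /* the dword at base+0x68 */
} Entity;
typedef struct { const Entity *base; int32_t value; } TraceHit;
static TraceHit g_trace[16];
static size_t g_hits;

/* The one store shared by every entity. The hook records which object
   (esi) and which value (edi) each execution used, like a run trace. */
static void write_health(Entity *esi, int32_t edi) {
    if (g_hits < 16) g_trace[g_hits++] = (TraceHit){ esi, edi };
    esi->health = edi;
}

/* Hypothetical caller: player and enemy damage both end in that store. */
static void damage(Entity *e, int32_t amount) {
    int32_t next = e->health - amount;
    write_health(e, next < 0 ? 0 : next);
}

/* Count how many traced executions wrote to a given object. */
static size_t hits_for(const Entity *base) {
    size_t n = 0;
    for (size_t i = 0; i < g_hits; i++)
        if (g_trace[i].base == base) n++;
    return n;
}

/* Constructed exchange: player hit once, one zombie hit twice. */
static size_t run_demo(Entity *player, Entity *zombie) {
    memset(player, 0, sizeof *player); memset(zombie, 0, sizeof *zombie);
    player->health = 100; zombie->health = 30; g_hits = 0;
    damage(player, 10); damage(zombie, 20); damage(zombie, 20);
    return g_hits;
}

int main(void) {
    Entity p, z;
    size_t n = run_demo(&p, &z);
    printf("%zu writes: player=%zu zombie=%zu\n", n, hits_for(&p), hits_for(&z));
    return 0;
}
```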