Infernal - Trainer & Gadgets


کunβeam
15-04-2007, 19:00
Starting with a basic trainer, and evolving/expanding the project in time once I discover more. I'll keep a diary of what I did, so others benefit from this experience. Also, adding some stuff I discovered while analyzing the game or its files. Hope this board allows constant editing of the same post (I'd hate to double/triple post).

First off, let me say that I've tested all the trainers available for this game and all of them have only one option available (Unlimited ammo), and even so, that option is global (works for both player and enemy). Well, if they also had god mode, it wouldn't have been a pain in the ass to have enemies with Uzis shooting constantly on your ass :)

Therefore, I've been trying to conceive an ammo feature for the last few hours, and since I couldn't find a base pointer for my player (it shifts like mad, even though the game doesn't use code-shifting), I decided to call in for ingenuity and use another method :X Kinda g4y, but it works pretty nice.

Let me show you what I'm talking about...


[ Diary log #1 ]


Both the enemy and I are using the same function, located here :

http://i14.tinypic.com/49krps0.jpg

That's the code that would normally appear amongst others in your debugger window, when you're trying to see what writes to your ammo address.
sub [eax+538], ecx

// eax = player ammo pointer
// 538 = weapon slot offset
// ecx = the amount deducted from your weapon's ammo
All nice and fine till here. If you nop that sub, both you and your enemies will have unlimited ammo. That's what all the trainers available on gamecopyworld (haven't checked if CH has one - sheep might beat the crap out of this game) do...

We want it one-sided, and for that, also taking into account that I wasn't able to find a base pointer for the weapon pointer, I used something else. Notice this :

http://i12.tinypic.com/351d2kl.jpg

Interesting - "enemy" - that word appears whenever the enemy uses that sub. Problem is the syntax is not always in the same manner. For instance, the pistol will always be "Enemy-pistol-ammo-..." while testing for Uzi, I saw "UZI-ammo-enemy-..."

In case you don't follow so far, I'll use word comparing :) So far - I'm at level 3, where you have to gain access into a cathedral by blowing its walls, right after Doctor Wolf flies out in a chopper - I haven't encountered a weapon to have the letter y in its description, therefore, the script :) - I hope you have Cheat Engine 5.3 installed !
[ENABLE]

alloc(cave,256)
label(back)
label(loop)
label(out)
label(enemy)

//9B8140:
cave:
pushad
loop:
mov bl, [eax+14]
cmp bl, 79
je enemy
cmp bl, 0
je out
inc eax
jmp loop
out:
popad
jmp back
enemy:
popad
sub [eax+538],ecx
jmp back

5CC158:
jmp cave
nop
back:

[DISABLE]

5CC158:
sub [eax+538],ecx

dealloc(cave)
Time to explain what it actually does, and I'm going to parse it into pieces, so you get the whole idea :

---
[ENABLE]/[DISABLE]

This is common CE syntax, pretty much and quite similar to ON/OFF. What's below the [ENABLE] tag will work as enabling the cheat/turning on the feature. The script will perform, once assigned to your cheat table, whatever is written below the [ENABLE] tag. How far ? Till the [DISABLE] tag. Same thing goes for [DISABLE]. Whatever's under it will be written once you deactivate the script (tick/untick in your table). [DISABLE] works as a "restore all" feature, except it restores only what you assign under it.
---
alloc(cave,256)

CE allows users to allocate memory of different sizes, which is pretty easy to work with, removing the worry to have to find an empty cave to write your code in. The syntax is as follows : alloc(name,size)
---
label(back)
label(loop)
label(out)
label(enemy)

The use of labels is also possible. Using labels you can set "waypoints" in your code to work faster and easier. Syntax : label(name) - note that numbers aren't supported in any name.
---
dealloc(cave)

The memory you allocate can be easily deallocated. It's also useful to use this code at the end of your script, since the allocated address will always be the same. If you don't use it, CE will keep allocating different addresses to your cave.
---
[DISABLE]

5CC158:
sub [eax+538],ecx

dealloc(cave)

This is the original code, and that's what CE will write when I disable the option. It's the equivalent for a "turn off the cheat" option.
---

Now to the main "plot" :

cave:
pushad
loop:
mov bl, [eax+14]
cmp bl, 79
je enemy
cmp bl, 0
je out
inc eax
jmp loop
out:
popad
jmp back
enemy:
popad
sub [eax+538],ecx
jmp back

5CC158:
jmp cave
nop
back:

What the code does is copy the string I mentioned earlier (Enemy-pistol-ammo-standard-8237) letter by letter into a register, then compare each letter against the letter y. If that letter is encountered when scanning the string, perform the normal code. If not, skip the sub [eax+538],ecx instruction. If the sub is skipped, we don't get anything deducted from our ammo, therefore one-sided unlimited ammo...

---
cave:

That is the address I've allocated at the beginning. The syntax for writing to it is : name: Basically, you tell CE to write at address "name", in my case at address "cave" :)
---
pushad

Saving the state of the registers, since we'll perform operations and use them. It's always nice to save the state, as the game might crash if one of the registers you use is overwritten.
---
loop:

This is the first label I declared. Labels can be used as addresses, or as part of a code. In this case, "loop" will be an address located immediately below the "pushad". You'll see what the full code looks like in the end.
---
mov bl, [eax+14]
cmp bl, 79
je enemy

I chose to work with ebx, and since I'm operating with letters (bytes), I'll use the lower part of ebx (32b), which is bx (16b) and can be split in 2 (bl, bh - both on 8b). 'l' for lower, 'h' for higher. The text string you saw in the 2nd picture is located at eax+14. The pointer is eax, eax+14 is the address holding the string. So - move into bl the first byte found at address eax+14 -> mov bl, [eax+14].

Further on, on the 2nd line, we compare bl with 79 (letter "y" in hex). If they match (if y is found within the string), jump to label "enemy", where the game will allow their ammo to decrease :)
---
cmp bl, 0
je out
inc eax
jmp loop

If bl is not 79, compare it against 0. In case you haven't noticed, we only need to compare the string and stop after it. Otherwise we'll hit an endless loop, and the game will freeze. So, the cmp I added will check if the whole string has been "scanned" and stop at the first 0 that's encountered. If bl is 0, jump to label "out", where the game executes code that misses the "sub", therefore we don't get any ammo deducted. If bl is not 0, increase our pointer to move on to the next spot, and return to label "loop" to go through the function again, till the whole string is read.
---
out:
popad
jmp back
enemy:
popad
sub [eax+538],ecx
jmp back

Label "out" defines another address in the cave, at which we land from the jump mentioned above. We use "popad" to restore the state of the registers and allow the game to get back in "flow" :) Once the code is used, we jump back to address "back" (you'll see below).

The other label does the same thing, except it does it for the case in which the letter "y" is found in the string.
---
5CC158:
jmp cave
nop
back:

Our original address 5CC158: at which we write what's below it. The original code has 6 bytes (count them in the 2nd pic). A jmp uses only 5 bytes, so we'll use a nop to even out the code. 5+1=6. As I said above, once the out/enemy labels are used, at the end of each you see "jmp back". Well, if you look at the code, I used "back:" in the function, which defines an address located below the "nop". Therefore, "jmp back" means - jump to the address located below that nop. Since the sub had 6 bytes, "jmp back" means jump to 5CC158+6. Hope it's clear...
---

Phew. Long article. Once you copy the script, open up Memory View, press Ctrl+A and paste it in the auto-assembler window. From the top menu (in that window), choose "Assign to table". Then check your table. You'll see what I meant with ON/OFF :) Ticking the checkbox in front of the script means ON/ENABLE. Unticking it equals OFF/DISABLE.

Time to show you what it all looks like :

http://i17.tinypic.com/4dlmz9u.jpg

Hope now it's understood.
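The cave's logic carried through in C, as an added example that is not the post's script or the game's code: a record with the description string at +14 and the ammo at +538 (the only two offsets the post names; the WeaponRecord layout, the NAME_SIZE/MAX_SCAN bound and the sample strings are assumptions), a bounded version of the loop, and the deduction applied only on the "enemy" path. The third sample shows what happens when a non-enemy description happens to contain a 'y'.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_OFFSET 0x14      /* the cave reads the description at [eax+14] */
#define AMMO_OFFSET 0x538     /* the original write is sub [eax+538],ecx    */
#define NAME_SIZE   0x40      /* assumed room for the description string    */
#define MAX_SCAN    NAME_SIZE /* bound on the walk; the cave's loop has none */

/* Assumed layout: only the two offsets named in the post are real, the
 * rest is padding so that the struct lines up with them. */
typedef struct {
    uint8_t  header[NAME_OFFSET];
    char     name[NAME_SIZE];
    uint8_t  pad[AMMO_OFFSET - NAME_OFFSET - NAME_SIZE];
    uint32_t ammo;
} WeaponRecord;

/* Mirror of the cave's loop. Returns 1 when a 'y' (0x79) is met before the
 * NUL terminator (the "enemy" label), 0 when the NUL comes first (the
 * "out" label). Unlike the cave, the walk stops after MAX_SCAN bytes. */
static int scan_for_y(const WeaponRecord *w)
{
    const uint8_t *p = (const uint8_t *)w + NAME_OFFSET;  /* eax+14 */
    for (size_t i = 0; i < MAX_SCAN; i++) {
        if (p[i] == 0x79) return 1;   /* cmp bl,79 / je enemy */
        if (p[i] == 0x00) return 0;   /* cmp bl,0  / je out   */
    }                                 /* inc eax   / jmp loop */
    return 0;                         /* no NUL within bound: treat as "out" */
}

/* The patched write: the deduction happens only on the "enemy" path.
 * Returns the ammo count after the shot. */
static uint32_t apply_shot(WeaponRecord *w, uint32_t deducted)
{
    if (scan_for_y(w))
        w->ammo -= deducted;          /* sub [eax+538],ecx */
    return w->ammo;
}

/* Build a record from a constructed description, fire once and return the
 * remaining ammo, so the cases below read in one line each. */
static uint32_t shot_result(const char *desc, uint32_t ammo, uint32_t deducted)
{
    WeaponRecord w;
    memset(&w, 0, sizeof w);
    strncpy(w.name, desc, NAME_SIZE - 1);
    w.ammo = ammo;
    return apply_shot(&w, deducted);
}

int main(void)
{
    /* Constructed description strings: the first two follow the patterns
     * quoted in the thread, the third is a made-up player weapon whose
     * name happens to contain a 'y'. */
    const char *cases[] = {
        "Enemy-pistol-ammo-standard-8237",  /* enemy weapon: ammo drops       */
        "Pistol-ammo-standard-1024",        /* player weapon: untouched       */
        "Gatling-heavy-ammo-3",             /* player weapon, 'y' in "heavy"  */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s -> %u left of 30\n", cases[i],
               (unsigned)shot_result(cases[i], 30, 1));
    return 0;
}
```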

کunβeam
15-04-2007, 19:26
Hmm. Yeah, double-posting because :

- it needs a separate post;
- I got past the 12 images limit;

So, before judging, read the above :P

Anyway, I was analyzing the file looking for a clue regarding the game's version. I don't want to go in-game, so I popped up PE Explorer. Since right-clicking the file and checking "Properties" didn't show a thing about the file, I used that tool.

Surprise :

http://i18.tinypic.com/2cicump.jpg

I've played this game a while ago, it's made by JoWood. Interesting - Archangel...

As for the version, I could only get this out :

http://i11.tinypic.com/2ivbr6v.jpg

Digging on. They use SolidShield, hah...

DABhand
15-04-2007, 19:46
Woulda been better in the coding section, only the lesser minded come into this area :P


But saying that is the game not using static addies to store pointers for players and enemies?


Remember the health injection I wrote about Fable. Similar to that perhaps?

کunβeam
15-04-2007, 20:24
Haven't read that. I'll start looking for it. Might be. Thing is, with Infernal, I actually found a trace, but it needs more in-depth research.

For instance, sub [eax+538],ecx had a "brother" up ahead like :
mov edx,[esi+56C]
...
mov eax,edx
sub [eax+538],ecx
So, if you look at that, you got 2 offsets : 56C and 538. I looked in-depth for a stable link to esi. Searched for a pointer to it, and found plenty (about 600). Debugged it and all I got were opcodes like "mov eax,[edi]" =| I eventually found a pointer for it, was level 3. Kinda like : B6xxxx + 2F0 + 56C + 538. The pointer was static, but once I changed level or reloaded, everything died. Come to think about it, if this game is similar to Archangel in engine, it's all kinda self-explanatory. I remember I hit the same issues while playing that game...

I think the method I wrote about is quite simple. I'll read your Fable article, and see if I can find anything matching my situation :)

Oh, almost forgot !

Infernal command lines :

1. /window - start the game in windowed mode (I believe it's 800x600)
2. /safe - start game in safe mode (for some reason, I get an error msg box stating I have to reinstall the game - yeah, missing some files)
3. /nops - am yet to discover what this does (no p - player? - s - something?)
4. /ulkytutft67gfj655gy - no, it's not a joke, it's a command line - I believe it's used to disable some debugging protection features from both LUA/SolidShield - still checking :)

Enjoy ! I'll be back later...

P.S.: Once this thread gets big, you can move it to the Coding section.

P.S.2: Looking for a way to pop that window up - the one you see in that PE Explorer pic :)

TippeX
15-04-2007, 23:05
why the pushad when you're only using bl

push ebx / pop ebx would be quicker..

also you aren't strictly checking for 'enemy' you're just checking for 'y'
that will probably lead to some false positives being hit and the game
acting strangely..

کunβeam
15-04-2007, 23:29
As I said, I'm checking for 'y' because so far there isn't any weapon that has 'y' in its description. In this case, it works, but for other games I might get pwned :)

Also, I used pushad because I got "burnt" lots of times. For example, I was training Thief 2 (I'll make an article about it) and I used, as you said, "push/pop register". I reached this secret door which was getting opened by a lever. Once pulled, the door wouldn't open. If I used pushad/popad, it did open :) It's a matter of registers synchronization. At state_1, register_1 is value_1. If I push only register_1, the other ones will change state, and once register_1 is popped, the state will get fuxxed. Using pushad/popad I'm making sure the whole state is restored (even flags - ooops, that's pushfd/popfd, my bad).

Returning to the other issue, I've tested the option thoroughly, and I haven't got any false positives :) Player's ammo is clean in text, while the AI's ammo always has "enemy" in the string. Letters 'e', 'n', 'm' are also found with ease in one such string. Letter 'y' is only found at the end of the word 'enemy' and doesn't have any other instance in the string. I got lucky :P

TippeX
16-04-2007, 01:42
using pushad/popad is just a workaround then, oh and eflags is NOT stored with pushad, that's what pushfd/popfd is for

i suggest you brush up on your asm code, there is a different reason for the pushad/popad workaround u do....

don't believe me on the eflags.. try this code then

xor eax,eax
pushad ; < eflags are now 0246h (C 0 P 1 A 0 Z 1 S 0 T 0 D 0 O 0)
inc eax ; < eflags are now 0202h (C 0 P 0 A 0 Z 0 S 0 T 0 D 0 O 0)
popad ; < restore the registers...

flags changed? hell yeh...

کunβeam
16-04-2007, 02:53
I used to believe that pushad stands for push a-d (eAx, eBx, eCx, eDx - A<->D). But I was wrong :) Anyway, I stand true to my beliefs. Hope you don't mind :P

TippeX
16-04-2007, 05:49
how can u stand true to your beliefs when i just showed you your beliefs were flawed, and that using pushad/popad is just a lame way of fixing a bug caused by bad coding...

POPA/POPAD - Pop All Registers onto Stack (80188+)
POPF/POPFD - Pop Flags off Stack

so it's a bit more than a->d
also it is not flags, flags are a different opcode...

why not actually properly learn asm, and the mnemonics, then start teaching eh?

کunβeam
16-04-2007, 10:38
I was sure you'd get me wrong :) I stand true to my beliefs of using pushad rather than normal push. I am aware it doesn't store flags. It isn't lame, it is just logics. You want to tell me if I push/pop a register, the original state will remain unchanged after the pop ? What will happen with the rest of the registers while I push only one ? They don't get saved. So, by the time I pop it, the others would've changed...

I know ASM so far as game training requires it, am not a pro @ it, nor do I like to use eccentricisms and talk like "Yeah, but your code isn't 100% ergonomic" or "I could've done better". I am aware there's always room for better.

Also, most of the people are so comfortable nowadays that they like to just reply to others about their flaws/"mistakes", instead of putting their own HAND to writing and explaining. Oh, don't worry, we'll understand it, as complicated as you'd explain it. Show me a really good tutorial that trains a game properly (I mean new games - 2006/2007) and I'll start taking notes...

Sorry if I sound incisive, it's not oriented towards you, it's just that everybody's on my ass lately, no matter how good a post would look like. If I write a code, and post it, those who don't know ASM at all will take it as is. Those who are pro at it will always find room for better and want me to perfect the code to suit their "needs" (they don't actually use the code, but rather enjoy debating around it to no avail)...

One way or another, the code I posted is operational, and as lame as it looks like, it's working - yes, I know, only for this game...

@Tippex: I have a request out of you. Take that code I posted, and make it better. Don't go heuristics like "You should use a player pointer", since I am aware of that. Just that code I posted, your version. Please :) Am curious what changes you'd add to it. It's not a sarcastic request, but more like a "trying to grasp more XP" request :)

You got all you need : the address to jump from, string location, etc...

TippeX
16-04-2007, 11:06
i don't do requests, and i also do not have to prove myself.. been there, done that

if you push / pop a register then yes, it will be preserved, that's the whole point of the opcode, when coding especially at asm level, the register preservation (and in some cases) flags are for YOU to maintain... most APIs will definitely destroy eax, ecx and edx.. ebx is usually used within windows messaging and within callback procedures..

fundamental flaws in the code would be your looping
inc eax, could lead you well out of the memory boundaries, that would be my only criticism.. but in trainers, especially with what you're doing, it's important to preserve / set the flags
take for example your little bit of code, see the sub at the end, that's going to affect the flags and could well screw the game up, as it might branch when it shouldn't etc.. that's where the difference between good code and bad code comes in.... stack balancing + register preservation, is very important

کunβeam
16-04-2007, 11:13
I didn't ask you to prove yourself. I was curious how would your version of that code look like. Also, how would eax go out of the boundaries, when : [1] it's stacked; [2] it only increases so far as bl is not 0; [3] eax gets restored, so nothing crashes; [4] the sub uses the pop'd eax...?

Yeah, I agree - god damn stack gave me so many headaches back in the days. And it still does. Pretty powerful thingie.

Joe Forster/STA
16-04-2007, 11:37
(I pity people who have to learn ASM on a relatively sophisticated platform as the x86 CPU and DOS/Windows. Back in the microprocessor days, a Z80 was much easier to understand, not to mention the even simpler good old 65xx series.)

caki
16-04-2007, 13:55
Wow, this section is actually seeing some action :)

TippeX
17-04-2007, 01:05
Also, how would eax go out of the boundaries, when : [1] it's stacked; [2] it only increases so far as bl is not 0; [3] eax gets restored, so nothing crashes; [4] the sub uses the pop'd eax...?

okay, here goes, u say eax = stack.. fine
cave:

pushad ; preserve registers
loop: ; loop begin
mov bl, [eax+14] ; okay, eax supposedly on the stack
cmp bl, 79 ; is bl = 79
je enemy ; if so, boing out of this routine
cmp bl, 0 ; is bl = 0 (presumably end of string)
je out ; if so, boing out
inc eax ; increment our pointer by 1
jmp loop ; loop << this is where u can cause a crash: eax may be on stack, but the stack does have limits, and this could be reproduced by putting crap in eax
out:
popad ; restore the registers
jmp back ; get out
enemy: ; enemy portion
popad ; restore registers
sub [eax+538],ecx ; and do the mathy thing
jmp back ; then get out

back:


flags not preserved, the sub [eax+538], ecx can adjust the flags


[2] it only increases so far as bl is not 0;


erm, it only increases as far as when byte @ [eax] = 0, it will keep going on until this happens or it finds the 'y'

what i would do is check that the byte @ eax fits within an 'acceptable' character range, then i would do an lstrlen or so on it to calculate its length and work from that... it's relatively safer..

like check it fits within 'a->z/0-9' or 'A->Z /0-9' then begin processing
the game could act on the flags, from the code, so the cmp, etc can screw
the flags, ideally what u want to do is to set the flags for when u handle the player portion, (where u set the flags to a good condition), and leave them as-is for the enemy portion..

such code could be like

call check_ammo_amount ; this would be the code that you patch
jz user_has_no_ammo

etc..
where the flags are DEFINITELY important, it depends on how the game was coded, but it's worth paying attention to..

and i guess u can pity me joe, cos i started out in the dos days, interrupts, 8 bit, 16 bit, pmode... all fun to learn though :)

کunβeam
17-04-2007, 04:28
Interesting. Guess you're right to some extent, as in - the game is coded in such manner that even if I don't/do save the flags, it acts identical. I checked the flags out of each function and they are unchanged. Also keep in mind that this code works only on write (it's accessed only when someone shoots, not constantly - not a read routine). No crashing whatsoever for as long as I played the game. We'll see later on (am still @ lvl 3), and will let you people know if I encountered any issues till the end of it :)

Working on unlimited infernal mana for now. It's a pain in the ass, since the value is "encrypted" (guess an xor somewhere) and what's nastier is that the pointer is stacked...
mov ecx,[ebp+c]
...
mov edx,[eax+4]
mov [ecx+4],edx // this is the write routine

TippeX
17-04-2007, 08:29
if the param is passed on the stack, it has to come from somewhere

like the mov ecx, [ebp+0ch]
check the start of the proc, back trace
and find where the [ebp+0ch] is set
it'll probably be something like mov eax, [11223344]
or push [11223344] or something similar...

'stacked pointer' is just the param passed on the stack, backtrace and see where it came from...

کunβeam
17-04-2007, 20:22
I gave up on mana/god_mode, since I can't possibly train this effin` game the proper way. Every attempt I make seems to have a flaw - either gfx fux up, or I have side-effects. I was on the path of making something which it worked till I changed level, to notice it was only the top layer of what I saw on screen. The real value was somewhere else. There are 2 addresses - one that controls the main bar (the full white) and one that controls the amount underneath (light white)...

While scorching around for new stuff, I found this :

- open up standard_game.feel located in main game folder with Notepad, then find and change this line from 1 to 0
Show_commercial_screens 0
Should get rid of 2-3 minutes of splash screens and commercials :|

sheep
19-04-2007, 08:49
"what's nastier is that the pointer is stacked..."

haha funny stuff.. the thing is sunbeam .. because u normally steal all your options.. erm.. i mean update other people's trainers.. THEY have already traced back through the stack to find the start of the original function which is why you're lost looking in some function's stack frame like a tool.

if you had put as much effort into actually learning how to reverse beyond the basics it takes to lift others options then you would know all of this.

the fact ur actually comparing a string tells me (without looking at the game) you're doing it completely wrong and i'll wager my pc on the fact there are 10 to 20 more efficient and secure ways of achieving the same results..

finally.. stop saying i'm dead.. i'll train games as long as it's interesting to do so, a strategical step back and stocktake of my life doesn't constitute death..

کunβeam
19-04-2007, 10:07
Nice of you to drop by. What did I steal now ? Anyway, good luck with training it better than I could. I know you can. As long as what you do works, it doesn't matter if the trainer was written from scratch by yourself or generated with some other trainer maker tool. Sure, it looks niftier and it will have more options (trainer coded -> gamehacker knows programming -> let's fux the game up), and I congratulate you for that.

Anything else ? o_O You're dead to me, read better next time ;)

sheep
19-04-2007, 10:21
read better?

I suggest you learn how to WRITE english correctly first then perhaps you can correct others on their reading of it.

being dead to me would actually mean your existence meant something to ME.. it doesn't.. and never has.. so no statement needed.

every post makes me laugh a little more, you assume things are problems when really the only problem you face is your complete ineptitude. If things were left up to idiots like you people would be thinking the STACK is some kind of protection as they do DMA.

so continue posting.. i enjoy a chuckle.. it's better than visiting the joke a day site.. you certainly get more chuckle per sentence here :)

"what's nastier is that the pointer is stacked..." <-- case in point.. haha

کunβeam
19-04-2007, 10:27
I don't have to use <abbr> to get people like you to understand what that quote means. At the instance I was in the picture, looking up in the code, the pointer used comes from the stack. Where it's pushed, I don't know. I don't have time to trace, I don't use SoftICE, and I am not sheep. Happy ? There you go, laugh a little more. Assuming people are idiots != what they really are. I would if I could, but I can't so I won't ... bark at you =]

If you gave up writing articles, just cuz you found "idiots" to pay you for what you do, don't lecture me when I try to share something with others. There isn't always a god-given way of training a game. You said it yourself. One is better than the other, which I agree, but don't tell me or suggest to me which is the best. That's my level, that's what I can do. I could've traced like a mad horse for 2 days through an engine I have no idea how it was designed (there's no SDK) to come up with something you'd call proper. And even then, you would still shove a foot in my ass, since you've already categorized me. Besides, god left people on earth with the power of choosing. Want to accept it, fine, you don't like it, start walking. Have fun laughing...

[on-topic]

I've managed to obtain a weapon which kinda blows my "cover" with checking the letter "y" in the string. So, I've modeled the code a bit to check for "my" (from "enemy") :
[ENABLE]

alloc(cave,512)
label(back)
label(loop)
label(out)
label(enemy)
label(incr)

//9B8140:
cave:
pushad

loop:
mov bl, [eax+14]
cmp bl, 79
je enemy
cmp bl, 0
je out

incr:
inc eax
jmp loop

out:
popad
jmp back

enemy:
mov bl, [eax+13]
cmp bl, 6D
jne incr
popad
sub [eax+538],ecx
jmp back

5CC158:
jmp cave
nop
back:

[DISABLE]

5CC158:
sub [eax+538],ecx

dealloc(cave)
P.S.: I like long fuzzy asm codes. Eat me...

TippeX
19-04-2007, 12:19
you don't need to use softice, but u do need to use something to see what's going on, otherwise it's all guess work

and your revised code still suffers from boundary issues

as for idiots.. ever heard of the saying 'learn to walk before you can run'
that's exactly the case here.. you're trying to do a nice thing by explaining/teaching others how to code/train... yet, you yourself are teaching bad examples... which is primarily why i started discussion here.. your asm is lacking, and you think you are better than you are.. ego is a bad thing..

and before you jump on me for saying your asm is lacking, let me point out..
1. the flags thing
2. the pushad thing
3. why you don't use a word check on the data for 'ym' (for your my enemy thing... kills 2 birds with one stone..)

DABhand
19-04-2007, 14:09
me being a lazy git that I am would use POP and PUSH on the registers to store em/retrieve em.

But thats just me :P

TippeX
19-04-2007, 14:47
yeh well pop and push is fine for the ones you're using
pushad / popad is lazy
that's what i meant

کunβeam
19-04-2007, 15:09
Okay. Dropping down attitude. Time to get more formal than 'egotistic'. I don't have any good impressions on me, since : a. I can't code; b. I use backtracing on mostly reversing programs, not games (walking blindly).

@TippeX: Won't "bark" at you, relax :) Am open minded. Okay, will use only push/pop on a register I use (in this case, ebx). Regarding the other issue, it's a bit complicated to store dwords in full ebx and compare against "enemy". I thought going through the string byte by byte and scanning for what I'm interested would pay off. Also, let me point out that for people that don't know how/what to look for in the game's memory, the method I posted is more than sufficient. Speaking of which, I trained a game a while ago, called Enemy Infestation with a similar opcode on HP (sub [ecx+9C],eax), and in that game you have 2 races - colonists and aliens. ecx held the top of the player structure, and ecx+4 was the ID of the colonist/alien (C01, A03). So, a simple check for "C" on ecx+4 would've been enough to make god mode.

Am not saying there aren't better ways to do it, as sheep fore-mentioned it, am just saying some of you guys are looking for game training closer to your "beliefs" (using player pointers, retrieving offsets to locate it, fiddling with memory), all of which I am not capable of quite doing yet. I always go for the easy way out...

@sheep: I don't know why you like to pick on people for what they try to show others. Also, speaking of "stealing" name what I stole in specific. 'Cuz, you know, writing an article about using WriteProcessMemory on a trainer for updating purposes is not called stealing. Admit you're just pissed. Come to think about it, you're one hell of a person when it comes to letting go :)

P.S: Who says you have to be sheep or any scholar to write an article ? This "tutorial" is more like informal, and as I mentioned it, I want others to share the experience. If they want to learn anything from it, fine. Am not shoving it up their mouths...

TippeX
19-04-2007, 23:17
@TippeX: Won't "bark" at you, relax :) Am open minded. Okay, will use only push/pop on a register I use (in this case, ebx). Regarding the other issue, it's a bit complicated to store dwords in full ebx and compare against "enemy".


cmp word ptr [eax],'ym'

:)

the 'value' is backwards

cmp dword ptr [eax],'ymen'

and so on

کunβeam
20-04-2007, 01:19
Hmm, I would still have to go through all the string :) Oh, and how do I detect the boundaries ? I mean, in asm :]

[eax+14] = point_0
...
[eax+24] = point_1

The size is not always the same. So point_1-point_0 will oscillate. Also, the string size has to be a multiple of 4 (nemy=4), starting from the...Wait a minute...

check:
cmp dword ptr [eax+14], 'ymen' // "nemy" stored little-endian at [eax+14]
je somewhere // found it - go and do the enemy stuff
inc eax
jmp check

I think that would be it o_O ? And of course, the compare with 0 (end of string)...
3. why you don't use a word check on the data for 'ym'
Because I would have a 2-letter word compared against an oscillating sized string. Keep in mind that the string isn't always odd (2,4,6,8...), but then again, the word isn't at the end of the string to have to worry about it ;) I'll rewrite the script in a few hours. Need to attend some courses atm.

Thanks for the tips, TippeX (kinda repetitive - tips, tippex) =]

TippeX
20-04-2007, 01:48
Hmm, I would still have to go through all the string :) Oh, and how do I detect the boundaries ? I mean, in asm :]


check:

cmp byte ptr [eax+13], 'e'
jne advancecheck

cmp dword ptr [eax+14], 'ymen' ; 'e' followed by "nemy"?
je somewhere

advancecheck:

cmp byte ptr [eax+14], 00h
je outofhere

inc eax

jmp check

outofhere:

; didn't find the string, so bomb... (leave the routine here, don't fall through)

somewhere:

cmp byte ptr [eax+14+4], 00h ; is it 'enemy' + terminator?
jne advancecheck

; do stuff cos it's 'enemy'



something like that... and they're only repetitive cos u ain't acting on them when i mention them ;p
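The whole-word check sketched above, and the boundary question raised in the post before it, carried through in C as an added example (mine, not TippeX's, sunbeam's or the game's code). It does what `cmp dword ptr [eax],'ymen'` does, comparing four bytes at once, and generalises the sketch in two ways the thread brings up: the walk is bounded and stops at the NUL, and "enemy" may sit anywhere in the string rather than only at its end. The sample strings and the max_len bound are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MASM's multi-character constant 'ymen' assembles to 0x796D656E. Stored
 * little-endian, those four bytes sit in memory as "nemy", which is why the
 * constant is written "backwards" (the thread's "the 'value' is backwards"). */
#define YMEN_CONST 0x796D656Eu

/* Length of s, never looking further than max_len bytes. */
static size_t bounded_len(const char *s, size_t max_len)
{
    size_t n = 0;
    while (n < max_len && s[n] != '\0') n++;
    return n;
}

/* Assemble four bytes into the value a little-endian dword load returns,
 * without an unaligned or host-endian-dependent access. */
static uint32_t le_dword(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Index of "enemy" within the first max_len bytes of s, or -1. The leading
 * byte may be 'e' or 'E' (both spellings appear in the strings quoted in
 * the thread). The walk stops at the NUL and never reads past max_len. */
static int find_enemy(const char *s, size_t max_len)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t n = bounded_len(s, max_len);
    for (size_t i = 0; i < n; i++) {
        if (p[i] != 'e' && p[i] != 'E')        /* cmp byte ptr [eax],'e'     */
            continue;                          /* jne advancecheck           */
        if (i + 5 > n)                         /* no room left for "nemy"    */
            return -1;
        if (le_dword(p + i + 1) == YMEN_CONST) /* cmp dword ptr [eax+1],'ymen' */
            return (int)i;
    }
    return -1;                                 /* hit the NUL: not an enemy weapon */
}

int main(void)
{
    /* Constructed strings: the first two follow the thread's quoted patterns,
     * the others probe the bounds. */
    const char *cases[] = {
        "Enemy-pistol-ammo-standard-8237",
        "UZI-ammo-enemy-standard",
        "Gatling-heavy-ammo-3",   /* has a 'y' but no "enemy" */
        "enem",                   /* truncated: must not read past the end */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s -> %d\n", cases[i], find_enemy(cases[i], 64));
    printf("le_dword(\"nemy\") = 0x%08X\n",
           (unsigned)le_dword((const unsigned char *)"nemy"));
    return 0;
}
```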

کunβeam
20-04-2007, 04:03
I understand the code, but it's a little changed. I mean, the situation is :) I'll record a flash movie, so you get my point. Don't know if you have time to help out, but I'd be glad if you did. "enemy" is not at the end of the string =| So, yeah...

Watch this =] (4 MB in size, ~2 min play-time) » [ video (http://rapidshare.com/files/26961496/inf1.zip.html) ]

sheep
20-04-2007, 04:40
it's fucking hilarious when someone tries to defend themselves while at the same time looking idiotic and clueless, 2 days to reverse an engine? (without an SDK) wtf are u on.. you're trying to do a simple option, you love to blow shit out of proportion..

Tippex couldn't be more right.. you're teaching VERY BAD techniques and not only this, you're trying to teach them as if you actually KNOW something which will spawn many other idiots like you who are using 20 lines of asm when 5 will do. You don't even need to know ASM well to do the shit ur doing you just need to read the BASICS which you clearly haven't.

If your ego reflected your talent then i'd have some seriously fucking competition.. shame it doesn't.. and further more couldn't possibly no matter how long u try.. you have been around for a long time.. you should be far better than u are.. i guess as your nice little quotes say on ur forum sig something like.. a man's worth is proven by his work and not his mouth.. that's fucking ironic coming from someone who shouts louder than his talent could possibly carry him.. and as it stands (from ur work) your worth is less than 0.

کunβeam
20-04-2007, 04:56
Right now I don't give a !@#$ who I am, what I can, who are you and what you're capable of. I'm in for learning, and since you never wanted to help out when I was asking for it on iRC, I guess it's no point trying to soften you up. Am not good at training games, might say my training is mediocre. Since I can't do elaborate options as you do, I do what I can. The script you see is my way of training one-sided ammo without putting too much effort into it. Instead of flaming, start helping. You don't want to, fine with me. When will you stop insulting people, I don't know...

First it was "stealing options", now that you got tired of it, you changed to me being a noob. I am a noob, so what ? The asm I need for a game is enough for me to play it in good terms and to also enjoy it.

[off-topic]

On another hand, I've kinda finished C&C3 with your trainer. Brilliant work, and am not kissing ass. F1-F4 + F7 + F6 set to F from time to time :) Quite fast...

Oh and the speed option is quite unique, yet a little tricky for groups. Also, the god-mode doesn't make you that invulnerable, since in time, the HP bar decreases and your unit might get destroyed. Also, you die from getting stepped on (infantry - tanks) and get healed if you have your unit near a war yard.

[/off-topic]

Least but not last, am not teaching anything. I told you. Read carefully what I write (if you don't like "read better"). I said - others might find this experience worth taking a look at.

P.S. : From time to time, take a look at this » http://fileforums.com/search.php?searchid=2641171
and as it stands (from ur work) your worth is less than 0.
Google "sunbeam's tutorials" - then again, we all know what's your opinion about online games (MMORPGs). If you're that good, start hacking online games. You'd get much more than you get at CH :) A trainer like yours, with multiple options for the game, along with a well-built licensing system (exeCryptor kicks ass) would bring you the bux in no time...

Joe Forster/STA
20-04-2007, 05:17
If you ask for help with basic ASM programming, I assure you, you will never become a master at it. And don't expect other people to help you as they're not your paid teachers; if they don't want to help (for free), well, you got nothing for nothing so you're even. You see, creative people don't need everything laid out for them, only some guidelines or pointers to general information so that they can learn themselves. (However, you can get that by simply using Google anyway...!)

I wonder what all these problems are about... Back in the microcomputer days, there was no Internet to gather information from and coders were more separated than today. Most probably this made them learn themselves, make their own mistakes, which resulted in deeper knowledge! Now everyone seems to be able to code stuff because it's easy to start with trying Wikipedia's "Hello world!" in any language and think you're already far on the road... Yeah, right. The knowledge you need to properly hack stuff is not available in any school and it takes years to really be able to do it. So, a bit more humbleness, please, if possible...

DABhand
20-04-2007, 05:35
I personally don't like this string searching myself.

With a bit of practice with Cheatengine and/or Tsearch you can easily go through coding to find the source. Without them properly set up, you can crash the game when trying to break on reads.

I'm still thinking on the possibility that there is a unique system used to check if it's the player or anyone else.

Don't have the game so I can't help there, maybe I'll see if a demo is still around to have a check.

کunβeam
20-04-2007, 06:43
I'm done. Will post a trainer once I figure this out. Till then, close the thread.

Joe Forster/STA
20-04-2007, 07:38
With pleasure...