Teleporting trainer - Creating a new type a trainer! Please help and give advice!
TehAvatar
12-07-2007, 10:59
Hello there!
Long ago some bright person made a teleporting trainer for the Need for Speed series. I really liked the concept. You could drive to the end of the race track, then press a button and it would save your current coordinates. Then you can restart the race and press another button - BAM - it teleports you to where you were earlier, thus skipping a lot of driving ;)
Well this is just the concept, not really what I plan on doing, however, I'm planning on creating such a trainer for ES:Oblivion, an RPG with a MASSIVE map.
(If I am successful at this I would like to try it with NFS Carbon ;) )
Okay, basically this is how it works:
The game saves 3 "coordinates" to a location in memory, as a float.
These values look like this:
X: 103.23667721
Y: -7.2387777
Z: 33.883872409
(Y being your vertical axis)
Those would be your character's location in the world. This is exactly the same for racing games - your car's location in the world.
What I want to do is create a trainer that simply writes a value to each of those locations, for example:
These are your current co-ordinates:
X: 123
Y: -1
Z: 455
Enter a new coordinate:
X:
Y:
Z:
[Teleport!]
Now currently I don't have a lot of knowledge of asm... and reading tutorials simply doesn't help, as the opcode I get that writes the coordinates looks a bit jittery.
I would appreciate it if anyone can help me out here.
Regards
TehAvatar
PS: Obviously it's a DMA game, so CE trainers don't help much ;)
+ I can find the addresses easily.
As I said in my PM with you.
You WILL need to know ASM there is no ifs or buts about it.
And you will have to learn about pointers and player structures.
Joe Forster/STA
13-07-2007, 00:47
Plus, if the map is so big, I don't think the computer memory can contain it in whole, so teleporting may also mean loading a different area of the map from the disk. How can you make that call to the game engine...?
TehAvatar
13-07-2007, 05:43
Plus, if the map is so big, I don't think the computer memory can contain it in whole, so teleporting may also mean loading a different area of the map from the disk. How can you make that call to the game engine...?
Not necessary, trainer will only warn that tele to a different map is not allowed. There are about 5 or 6 maps, 1 and 0 are the largest. 1 = left half 2 = right half.
Seeing as I'm in a good mood.
From Whitey's tutorial.
Subject: Save Restore (Teleport)
Game: Bloodrayne 2 Demo
Author: Whitey
Tools Needed:
Memory Searcher (I used Cheat Engine, TSearch has problems with this game)
Debugger (I used SoftICE but you can use whatever you want)
**********************************************************
................Introduction
Step 1..........Find Health and getting our structure
Step 2..........Finding our players coordinates
Step 3..........Code Injection
Step 4..........Code into the trainer
**********************************************************
Introduction
------------
Basically we are going to do a save restore option for Bloodrayne 2 Demo. What this option does is you can press one key to save a position in the game, then another key will teleport you back to that same position. You should have good training skills if you plan on doing this tutorial (searching, debugging, etc.). I'll try and go into as much detail as I can, but if you follow all the steps you should have no problem doing this option correctly. On with the tut.....
**********************************************************
Step 1: Find Health and getting our structure
---------------------------------------------
Ok I am sure you know how to search for your health. If you don't, get out of here :-D. Ok now you found your health address. What we want to do is get all of our pointers because we are going to use one of them to do our injection. So...
CTRL+D into softice...
bpm ADDRESS press enter...
Press F5 and softice will break...
Write down the address it breaks at...
Keep hitting F5 and write down all the addresses, and pointers you break at until they start repeating...
This is what I ended up with
5BE285 : PUSH [EBX+39C4]
5BE2B5 :
5BE2D1 :
5BF30A :
There are a lot more but we really only need one of them. Next you want to go through and set an execution breakpoint on them one at a time and watch the structure inside the pointer and make sure it never changes so you know that pointer is only reading your health, so....
bpx 5BE285 press enter....
F5 and softice will break...
Keep hitting F5 and watch the structure inside 5BE285 which is EBX (up in the register window), and if it never changes it's just for us (which it doesn't). This is the address we will be using for our teleport option...
5BE285 : PUSH [EBX+39C4]
Ok you should know how most games work... Your players, weapons, items, etc. have their own structures. So inside your player structure will have everything containing your character. So now to get the coordinates.
There are a lot of ways of finding these. A lot of people will take the long approach (using a mem searcher, blah), which doesn't always work. The quick and easy way is to use the player's structure, because they are usually stored at the top of the structure (if not there, they're down in the structure somewhere). Health is stored in the player structure. This pointer PUSH [EBX+39C4], EBX is the beginning of the player structure, so whenever the game needs to get something for your player they just add a value to EBX, for instance your health is [PlayerStructure+39C4]. Your power might be [PlayerStructure+34] or whatever. That's all I am going to explain on that matter, I hope you understand.
Ok now to get the coordinates... We need to set an execution breakpoint on our health pointer and dump our structure, so....
bpx 5BE285 press enter...
Hit F5 and softice will break...
d EBX press enter...
Now up in the dump window the first address will be our player structure. Now all you want to do here is watch the bytes. You are watching for 4 bytes in a row that only change when your player has moved. So I go into SoftICE and watch a line at the top.. I remember what the bytes looked like or you can write them down.. then move your character a few steps, go back into SoftICE and look for 4 bytes that have changed.. your coordinates will be stored in 4 bytes and there are 3 of them x,y,z.. And they will be back to back..
So your data window looks like this
600001 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
600002 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
The coordinates will be stored like this
600001 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
600002 00 00 11 11 11 11 22 22 22 22 33 33 33 33 00 00
1 = first coordinate
2 = second coordinate
3 = third coordinate
So I did this step and found 3 dwords in a row where 2 of them changed only when I moved (height coordinate doesn't change unless you change height). So I took the first dword I found and put it in a memory searcher so I can test. I wrote down the value, then I moved my character, went back to the memory searcher and put back the first value I wrote down and sure enough I teleported back to that location.
So the next step is to find out where it is stored in our structure. All you do is this...
First Coordinate Address - PlayerStructure address = how many bytes away
so I ended up with (34) for the first coordinate and the other 2 are 4 bytes away so..
[PlayerStructure+34] = First Coordinate
[PlayerStructure+38] = Second Coordinate
[PlayerStructure+3C] = Third Coordinate
Great, now we have our coordinates and their location...
Note!! do not skip this step unless you fully understand it...read it over until you do..
**********************************************************
Step 3: Code Injection
----------------------
What you will need...
1. Code Cave
2. 2 Empty addresses for setting 2 flags
3. 3 Empty addresses for storing away our 3 coordinates (I just make my 3 addresses 4 bytes away).
Ok so first thing is find yourself a big code cave, because it's kind of a big injection. We are going to use that first health pointer to do our teleport injection. We can do that because the pointer holds our player structure. You don't always have to do your injection wherever you break at in SoftICE :-D. Now I am going to show my full injection, then I will explain... So here goes..
5BE285: JMP CODE CAVE           ; ORIGINAL INSTRUCTION REPLACED WITH A JUMP TO OUR CAVE
        NOP                     ; BALANCE OUT THE BYTES

CAVE:   PUSH [EBX+39C4]         ; ORIGINAL INSTRUCTION
        PUSHAD                  ; SAVE REGISTERS
        CMP [FLAG1],1           ; TEST IF OUR SAVE KEY WAS PRESSED
        JNE SHORT RESTORE       ; IF KEY WASNT PRESSED JUMP TO RESTORE ELSE SKIP JUMP
        MOV [FLAG1],0           ; MOVE ZERO BACK INTO THE FLAG SO FUNCTION DOESNT REPEAT
        MOV ECX,3               ; MOVE COUNTER INTO ECX
        LEA EDI,[STATIC1]       ; LOAD DESTINATION ADDRESS INTO EDI
        LEA ESI,[EBX+34]        ; LOAD FIRST COORDINATE ADDRESS INTO ESI
        REP MOVSD               ; COPY SOURCE INTO DESTINATION UNTIL ECX=0

RESTORE:
        CMP [FLAG2],1           ; TEST IF RESTORE KEY WAS PRESSED
        JNE END                 ; IF NOT THEN JUMP TO END
        MOV [FLAG2],0           ; MOVE ZERO BACK INTO FLAG SO FUNCTION DONT KEEP REPEATING
        MOV ECX,3               ; MOVE COUNTER INTO ECX
        LEA EDI,[EBX+34]        ; LOAD DESTINATION ADDRESS INTO EDI
        LEA ESI,[STATIC1]       ; LOAD FIRST STORED COORD ADDRESS INTO ESI
        REP MOVSD               ; COPY SOURCE INTO DESTINATION UNTIL ECX=0

END:
        POPAD                   ; RESTORE REGISTERS
        JMP BACK TO GAME LOOP   ; JUMP BACK TO GAME LOOP
Pretty simple eh? :-D
**********************************************************
Step 4: Code into the trainer
-----------------------------
Ok all you need to do is,
For the Save key in your trainer, just inject all that code (make sure you inject your cave before your jump) and inject the value of 1 into the first flag address.
For the Restore key in your trainer, inject all that code, and inject the value of 1 into the second flag address.
So when you press the save hotkey it will put 1 into that flag, making it true, and put your coordinates away into their static addresses. And when you press the restore key it will take the coordinates in your static addresses and put them in your actual coordinates addresses, making you teleport to that location.
Not too tough of an option, it may be at first but with a few tries you should have it no problem..
Well that's the end ... Hope this helps a bit...
Happy Training..
Next will be pointers.
Here is a URL to a pointers tutorial (quite in-depth)
By Spiro :)
http://www.memoryhacking.com/Misc/Tut/About%20Pointers.htm
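Step 2 of the tutorial quoted above finds the coordinates by comparing dumps of the player structure by eye; the same comparison can be run offline on saved dumps. This is an added example, not part of the original posts or of Whitey's tutorial: only the +34/+38/+3C layout comes from the tutorial, while the dump contents, the frame counter at +08, the pointer-like field at +30 and the choice of the second value as the unchanged height are constructed sample data.

```python
import math
import struct

def dwords(buf):
    """Split a dump into raw little-endian 32-bit values."""
    n = len(buf) // 4
    return struct.unpack("<%dI" % n, buf[:n * 4])

def plausible(raw, limit=1e6):
    """True if the dword reads as an ordinary float (no NaN/inf/denormal)."""
    f = struct.unpack("<f", struct.pack("<I", raw))[0]
    return math.isfinite(f) and (f == 0.0 or 1e-3 < abs(f) < limit)

def find_coordinates(idle_a, idle_b, moved):
    """Offsets of 3 back-to-back floats that are stable while standing still
    and of which at least 2 changed after the player moved."""
    a, b, m = dwords(idle_a), dwords(idle_b), dwords(moved)
    hits = []
    for i in range(len(a) - 2):
        win = range(i, i + 3)
        stable = all(a[j] == b[j] for j in win)      # filters counters/timers
        changed = sum(b[j] != m[j] for j in win)     # height may stay the same
        if stable and changed >= 2 and all(plausible(b[j]) and plausible(m[j]) for j in win):
            hits.append(i * 4)
    return hits

def read_coords(dump, offset):
    """Decode the three floats stored at the given structure offset."""
    return struct.unpack_from("<3f", dump, offset)

def sample_dump(x, y, z, tick):
    """Constructed 0x48-byte stand-in for the start of a player structure."""
    s = bytearray(0x48)
    struct.pack_into("<I", s, 0x08, tick)        # assumed frame counter (noise)
    struct.pack_into("<I", s, 0x30, 0x00600000)  # assumed pointer-like field
    struct.pack_into("<3f", s, 0x34, x, y, z)    # layout from the tutorial
    return bytes(s)

IDLE_A = sample_dump(103.25, -7.5, 33.75, tick=100)
IDLE_B = sample_dump(103.25, -7.5, 33.75, tick=160)   # same spot, later frame
MOVED = sample_dump(110.5, -7.5, 41.0, tick=220)      # walked, same height

if __name__ == "__main__":
    for off in find_coordinates(IDLE_A, IDLE_B, MOVED):
        print("PlayerStructure+%X:" % off, read_coords(MOVED, off))
```

The second idle dump is what rejects fields that change on their own, which the by-eye method has to do by memory.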
TehAvatar
14-07-2007, 23:40
Here is a URL to a pointers tutorial (quite in-depth)
By Spiro :)
http://www.memoryhacking.com/Misc/Tut/About%20Pointers.htm
Thanks DABhand , I will study these ;)
Synaesthesia
13-09-2007, 02:44
@DAB: Was browsing through the post and was just about to say something about pushing coords/popping them (save/load), but then I saw your post :D No need to comment further ;)