ripped again?
This is my record of reverse-engineering Wheelman.
It lists every routine I found that touches each value.
After locating all of the candidate routines I compared them to find the
right one to hook and inject code into (the code-cave injections are listed
after each group of routines, together with their raw bytes).
I don't know whether this counts as evidence, but it is the only proof
I can offer.
I am just a trainer-maker, not a ripper.
time
// "time": three accesses to a 32-bit float at +0xFC (movss => single precision).
// 004F0D4B loads it, 004F0D63 stores it back, 004F0DC7 loads it again. No cave is
// recorded for this value, so the hook site (if any) is not established here.
004F0D4B F3:0F1087 FC000>movss xmm0, dword ptr [edi+FC]
004F0D63 F30F1187 FC000000 movss dword ptr [edi+FC], xmm0
004F0DC7 F3:0F1087 FC000>movss xmm0, dword ptr [edi+FC]
race time
// "race time": 32-bit float at +0x2E0. Load/store pair via ebx at 0054CC3F/0054CC64;
// 0043C6A7 reads the same offset through ebp — presumably the same object field reached
// from a different routine, but nothing listed here proves the bases point at one struct.
0054CC3F F3:0F1083 E0020>movss xmm0, dword ptr [ebx+2E0]
0054CC64 F30F1183 E0020000 movss dword ptr [ebx+2E0], xmm0
0043C6A7 F3:0F1085 E0020>movss xmm0, dword ptr [ebp+2E0]
stamina
// "stamina": 32-bit float at +0x64 (addss/movss). Read-modify-write: add at 00506A92,
// store at 00506A97, reload at 00506A9C. The cave below ends with exactly the reload
// instruction (F3 0F 10 47 64, 5 bytes = one call), so 00506A9C is presumably the hook site.
00506A92 F3:0F5847 64 addss xmm0, dword ptr [edi+64]
00506A97 F3:0F1147 64 movss dword ptr [edi+64], xmm0
00506A9C F3:0F1047 64 movss xmm0, dword ptr [edi+64]
// Stamina / life code cave at 0001FFB0. The trailing retn only makes sense if the hook
// is a 5-byte call over 00506A9C (a jmp hook would return into garbage) — confirm.
// Both patches are OFF as listed: the jmp at 1FFB0 skips the stamina write and the jmp
// at 1FFB9 skips the life write; enabling one means patching its jmp out.
// What always runs: the store of ecx to 0001FFF0. The original note said "esi", but the
// instruction saves ecx — the object whose +0x2AC is life — so the life cave can compare
// against it later. None of these instructions modify EFLAGS, so the caller's flags survive.
0001FFB0 /EB 07 jmp short 0001FFB9                      // toggle: skip stamina = 100.0f (OFF)
0001FFB2 |C747 64 0000C84>mov dword ptr [edi+64], 42C80000   // 0x42C80000 = 100.0f
0001FFB9 \EB 0A jmp short 0001FFC5                      // toggle: skip life = 9999 (OFF)
0001FFBB C781 AC020000 0>mov dword ptr [ecx+2AC], 270F   // 0x270F = 9999
0001FFC5 F3:0F1047 64 movss xmm0, dword ptr [edi+64]    // original instruction re-executed
0001FFCA 890D F0FF0100 mov dword ptr [1FFF0], ecx       // remember this object for the life cave
0001FFD0 C3 retn
EB 07 C7 47 64 00 00 C8 42 EB 0A C7 81 AC 02 00 00 0F 27 00 00 F3 0F 10 47
64 89 0D F0 FF 01 00 C3
// Further accesses to the stamina float at +0x64 in the same routine (store, then reload).
00506AC9 F3:0F1147 64 movss dword ptr [edi+64], xmm0
00506B40 F3:0F1047 64 movss xmm0, dword ptr [edi+64]
xyh
// "xyh": movaps moves 16 bytes and requires 16-byte alignment, so [eax], [eax+D0],
// [esi+D0] and [ebx+30] are aligned 4-dword vectors. Which components they hold
// (x, y, height, ...) is not established by these lines — confirm in the game.
00A8C766 0F2800 movaps xmm0, dqword ptr [eax]
00A8CB77 0F2898 D0000000 movaps xmm3, dqword ptr [eax+D0]
// note: ecx - 0x480 == the edi pointer used by the stamina routine (same object reached
// from a different base register) — observed relationship, not proven by anything listed here
00FCA0A4 0F2986 D0000000 movaps dqword ptr [esi+D0], xmm0   // 16-byte store at +0xD0
0102E2A1 0F2800 movaps xmm0, dqword ptr [eax]
00FC33C5 0F2986 D0000000 movaps dqword ptr [esi+D0], xmm0   // 16-byte store at +0xD0
00F94867 8B50 38 mov edx, dword ptr [eax+38]
00F3F147 0F2843 30 movaps xmm0, dqword ptr [ebx+30]
00FAA335 8B50 38 mov edx, dword ptr [eax+38]
00FCA108 0F2986 D0000000 movaps dqword ptr [esi+D0], xmm0   // 16-byte store at +0xD0
mov
// "mov": the first three lines repeat the [esi+D0] stores already listed under "xyh"
// (same addresses). The last two read the first dword of the object in ecx — possibly
// a vtable pointer, but nothing here shows what it is.
00FCA0A4 0F2986 D0000000 movaps dqword ptr [esi+D0], xmm0
00FC33C5 0F2986 D0000000 movaps dqword ptr [esi+D0], xmm0
00FCA108 0F2986 D0000000 movaps dqword ptr [esi+D0], xmm0
0102E35C 8B11 mov edx, dword ptr [ecx]
0102EC12 8B01 mov eax, dword ptr [ecx]
life
// "life": +0x2AC is a signed 32-bit integer (cvtsi2ss at 0045A136 converts an int).
// The "all guy" cmp at 00AFDBD8 is the instruction the life cave below re-executes
// last, so it is presumably the hook site: 7 bytes => 5-byte call + 2 NOPs.
005E6408 39B7 AC020000 cmp dword ptr [edi+2AC], esi //
0045A136 F3:0F2A86 AC020>cvtsi2ss xmm0, dword ptr [esi+2AC]   // int -> float conversion
0052D689 8B8F AC020000 mov ecx, dword ptr [edi+2AC]
0053D905 8B93 AC020000 mov edx, dword ptr [ebx+2AC]
00AFDBD8 83BB AC020000 00 cmp dword ptr [ebx+2AC], 0 //all guy — hook site of the life cave
// Life code cave at 0001FFB0 (retn => expects a call hook, presumably over 00AFDBD8).
// [1FFF0] is the object pointer stored by the stamina cave (assumed to be the player's);
// if ebx equals it the write is skipped, so only OTHER objects get life = 0 ("all guy").
// If the stamina hook is not installed, [1FFF0] is never written and the compare is meaningless.
// As listed the patch is OFF: the je at 1FFB6 and the jmp at 1FFB8 both land on 1FFC4,
// so the mov at 1FFBA is dead until the jmp (EB 0A) is patched out (e.g. 90 90).
// The cave ends with the original cmp, so the caller sees the EFLAGS it expects.
0001FFB0 391D F0FF0100 cmp dword ptr [1FFF0], ebx        // is ebx the saved (player) object?
0001FFB6 74 0C je short 0001FFC4                          // yes -> do not touch
0001FFB8 EB 0A jmp short 0001FFC4                         // toggle: skip the kill (OFF)
0001FFBA C783 AC020000 00000000 mov dword ptr [ebx+2AC], 0   // everyone else: life = 0
0001FFC4 83BB AC020000 00 cmp dword ptr [ebx+2AC], 0      // original instruction re-executed
0001FFCB C3 retn
39 1D F0 FF 01 00 74 0C EB 0A C7 83 AC 02 00 00 00 00 00 00 83 BB AC 02 00
00 00 C3
// More readers of the life integer at +0x2AC; 005E6408 is the same site listed above.
0053DD7A 8B83 AC020000 mov eax, dword ptr [ebx+2AC]
0052196B 83B8 AC020000 0>cmp dword ptr [eax+2AC], 0
005E6408 39B7 AC020000 cmp dword ptr [edi+2AC], esi
car life
// "car life": again an integer at +0x2AC (fild at 00496020 loads an int into x87).
// The car-life cave below ends with `cmp dword ptr [ebx+2AC], 0`, which matches
// 00A564A5 (ebx base) rather than the "all car" site 004A0F7F (esi base) — confirm
// which one was actually patched before reusing these notes.
004A05CF 398E AC020000 cmp dword ptr [esi+2AC], ecx
004A0F7F 83BE AC020000 0>cmp dword ptr [esi+2AC], 0 //all car
[esp+BC]=ebp+34
00496020 DB81 AC020000 fild dword ptr [ecx+2AC]     // int -> x87
004A8F85 83BE AC020000 0>cmp dword ptr [esi+2AC], 0
004A28BD 399F AC020000 cmp dword ptr [edi+2AC], ebx
00A564A5 83BB AC020000 00 cmp dword ptr [ebx+2AC], 0   // same bytes as the cave's trailing cmp
///
eax = 0 at the hook site selects the first branch of the cave below (presumably the player's own car — confirm);
// Car-life code cave at 0001FFB0 (retn => expects a call hook; the 7-byte cmp it
// replaces needs call + 2 NOPs). Branches on eax: the eax == 0 path can set
// [ebx+2AC] = 0x270F (9999), the eax != 0 path can set [ebx+2AC] = 1.
// Both writes are dead as listed: the jmp at 1FFB5 and the jmp at 1FFC3 both go to
// 1FFCF; enable one by patching its jmp out.
// WARNING: the byte dump below encodes the second immediate as 0A 00 00 00 (= 10),
// while this listing shows 01 00 00 00 — one of the two is wrong; resolve before patching.
// cmp eax,0 clobbers EFLAGS, but the final cmp recomputes what the caller branches on.
0001FFB0 83F8 00 cmp eax, 0
0001FFB3 75 0E jnz short 0001FFC3                         // eax != 0 -> other cars' branch
0001FFB5 EB 18 jmp short 0001FFCF                         // toggle: skip "my car = 9999" (OFF)
0001FFB7 C783 AC020000 0F270000 mov dword ptr [ebx+2AC], 270F   // 0x270F = 9999
0001FFC1 EB 0C jmp short 0001FFCF
0001FFC3 EB 0A jmp short 0001FFCF                         // toggle: skip "other cars = 1" (OFF)
0001FFC5 C783 AC020000 01000000 mov dword ptr [ebx+2AC], 01     // listing says 1; dump says 0x0A
0001FFCF 83BB AC020000 00 cmp dword ptr [ebx+2AC], 0      // original instruction re-executed
0001FFD6 C3 retn
83 F8 00 75 0E EB 18 C7 83 AC 02 00 00 0F 27 00 00 EB 0C EB 0A C7 83 AC 02
00 00 0A 00 00 00 83 BB AC 02 00 00 00 C3
take damage
// Damage: 0087EA7A subtracts eax from the life integer at +0x2AC — the author marks this
// site "only me", i.e. it reportedly fires only for the player (not verified here).
// Neighbouring fields: +0x28C is a float (movss), +0x2A4 is a float (fstp dword),
// +0x2A8 is compared as an integer.
0087EA7A 2983 AC020000 sub dword ptr [ebx+2AC], eax   // onlyme: life -= eax
0048B727 399F AC020000 cmp dword ptr [edi+2AC], ebx
004A05CF 398E AC020000 cmp dword ptr [esi+2AC], ecx
0083014C 3B87 A8020000 cmp eax, dword ptr [edi+2A8]
008300C9 F3:0F1087 8C020>movss xmm0, dword ptr [edi+28C]
00989529 D99F A4020000 fstp dword ptr [edi+2A4]
wanted
005E6433 837B 54 00 cmp dword ptr [ebx+54], 0   // ebx+5C: float wanted level, observed 1.0~5.0;
                                                 // ebx+58 = 0 means no wanted level (no-wanted case comes first)
// Hook site of the wanted cave: mov (3 bytes) + test (2 bytes) = 5 bytes, exactly one
// call, which is why the cave re-executes both instructions before returning.
005E6517 8B43 54 mov eax, dword ptr [ebx+54]
005E651A 85C0 test eax, eax
// Wanted-level code cave at 0001FFB0 (retn => call hook over 005E6517/005E651A).
// Two toggles, both OFF as listed: the jmp at 1FFB0 skips "max wanted"
// ([ebx+5C] = 0x40C00000 = 6.0f, [ebx+58] = 5); the jmp at 1FFC0 skips "no wanted"
// ([ebx+58] = 0). The note above gives 1.0~5.0 as the float's range, so 6.0f lies
// above it — intentional or a typo, confirm. Enabling both toggles is pointless: the
// second write puts +0x58 back to 0. The final test eax,eax recreates the caller's flags.
0001FFB0 /EB 0E jmp short 0001FFC0                      // toggle: skip max-wanted (OFF)
0001FFB2 |C743 5C 0000C040 mov dword ptr [ebx+5C], 40C00000   // 0x40C00000 = 6.0f
0001FFB9 |C743 58 05000000 mov dword ptr [ebx+58], 5
0001FFC0 \EB 07 jmp short 0001FFC9                      // toggle: skip no-wanted (OFF)
0001FFC2 C743 58 00000000 mov dword ptr [ebx+58], 0
0001FFC9 8B43 54 mov eax, dword ptr [ebx+54]            // original instructions re-executed
0001FFCC 85C0 test eax, eax
0001FFCE C3 retn
EB 0E C7 43 5C 00 00 C0 40 C7 43 58 05 00 00 00 EB 07 C7 43 58 00 00 00 00
8B 43 54 85 C0 C3
// Other readers of the integer at +0x54 (wanted state).
005E677E 837B 54 00 cmp dword ptr [ebx+54], 0
005E6807 8B43 54 mov eax, dword ptr [ebx+54]
005DE1D1 3970 54 cmp dword ptr [eax+54], esi
boost
// "boost": 32-bit float at +0x5C (movss). The identical instruction bytes also occur at
// 00508714, so the cave below could have been hooked at either address — confirm.
00511AB1 F3:0F1040 5C movss xmm0, dword ptr [eax+5C]
// Boost code cave at 0001FFB0 (retn => call hook over a 5-byte movss; 00511AB1 and
// 00508714 have the same encoding, so the listing does not say which was patched).
// Toggle OFF as listed: the jmp at 1FFB0 skips the write; patch it out to force
// [eax+5C] = 0x43960000 = 300.0f. Nothing here touches EFLAGS.
0001FFB0 /EB 07 jmp short 0001FFB9                      // toggle: skip boost = 300.0f (OFF)
0001FFB2 |C740 5C 00009643 mov dword ptr [eax+5C], 43960000   // 0x43960000 = 300.0f
0001FFB9 \F3:0F1040 5C movss xmm0, dword ptr [eax+5C]   // original instruction re-executed
0001FFBE C3 retn
EB 07 C7 40 5C 00 00 96 43 F3 0F 10 40 5C C3
// 00508714 is byte-identical to 00511AB1. The 0045FDxx lines read-modify-write +0x5C
// through edi in another routine — presumably the same float field, not proven here.
00508714 F3:0F1040 5C movss xmm0, dword ptr [eax+5C]
0045FD99 F3:0F5847 5C addss xmm0, dword ptr [edi+5C]
0045FDC2 F3:0F1147 5C movss dword ptr [edi+5C], xmm0
0045FEA3 F3:0F1047 5C movss xmm0, dword ptr [edi+5C]
ammo
reload
// "reload": dword at +0x2F0 compared against eax at 004B8512 and loaded at 004B8536;
// the ammo cave below ends with the 004B8536 instruction, so that is the hook site
// (6 bytes => 5-byte call + 1 NOP).
004B8512 3981 F0020000 cmp dword ptr [ecx+2F0], eax
004B8536 8B81 F0020000 mov eax, dword ptr [ecx+2F0]
// Ammo code cave at 0001FFB0 (retn => call hook over 004B8536).
// Toggle 1 (jmp at 1FFB0, OFF): copy [ecx+2F8] into [ecx+2F0], i.e. reset the current
// value to whatever +0x2F8 holds (presumably the magazine size — confirm).
// Toggle 2 (jmp at 1FFC0, OFF): [ecx+2F4] = 0x3E7 (999), presumably reserve ammo.
// The push/pop around the copy preserves eax, but it is redundant: the trailing
// mov at 1FFCC overwrites eax anyway. No instruction here alters EFLAGS.
0001FFB0 /EB 0E jmp short 0001FFC0                      // toggle: skip the refill (OFF)
0001FFB2 |50 push eax
0001FFB3 |8B81 F8020000 mov eax, dword ptr [ecx+2F8]    // source value (+0x2F8)
0001FFB9 |8981 F0020000 mov dword ptr [ecx+2F0], eax    // +0x2F0 = +0x2F8
0001FFBF |58 pop eax
0001FFC0 \EB 0A jmp short 0001FFCC                      // toggle: skip reserve = 999 (OFF)
0001FFC2 C781 F4020000 E7030000 mov dword ptr [ecx+2F4], 3E7   // 0x3E7 = 999
0001FFCC 8B81 F0020000 mov eax, dword ptr [ecx+2F0]     // original instruction re-executed
0001FFD2 C3 retn
EB 0E 50 8B 81 F8 02 00 00 89 81 F0 02 00 00 58 EB 0A C7 81 F4 02 00 00 E7
03 00 00 8B 81 F0 02 00 00 C3