Infernal - Trainer & Gadgets

[کunβeam]

Interesting. Guess you're right to some extent, as in - the game is coded in such manner that even if I don't/do save the flags, it acts identical. I checked the flags out of each function and they are unchanged. Also keep in mind that this code works only on write (it's accessed only when someone shoots, not constantly - not a read routine). No crashing whatsoever for as long as I played the game. We'll see later on (am still @ lvl 3), and will let you people know if I encountered any issues till the end of it

Working on unlimited infernal mana for now. It's a pain in the ass, since the value is "encrypted" (guess an xor somewhere) and what's nastier is that the pointer is stacked...

Quote:

mov ecx,[ebp+c]
...
mov edx,[eax+4]
mov [ecx+4],edx // this is the write routine

[TippeX]

if the param is passed on the stack, the has to come from somewhere

like the mov ecx, [ebp+0ch]
check the start of the proc, back trace
and find where the [ebp+0ch] is set
it'll probably be something like mov eax, [11223344]
or push [11223344] or something similar...

'stacked pointer' is just the param passed on the stack, backtrace and see where it came from...

[کunβeam]

I gave up on mana/god_mode, since I can't possibly train this effin` game the proper way. Every attempt I make seems to have a flaw - either gfx fux up, or I have side-effects. I was on the path of making something which it worked till I changed level, to notice it was only the top layer of what I saw on screen. The real value was somewhere else. There are 2 addresses - one that controls the main bar (the full white) and one that controls the amount underneath (light white)...

While scorching around for new stuff, I found this :

- open up standard_game.feel located in main game folder with Notepad, then find and change this line from 1 to 0

Quote:

Show_commercial_screens 0

Should get rid of 2-3 minutes of splash screens and commercials :|

[sheep]

"what's nastier is that the pointer is stacked..."

haha funny stuff.. the thing is sunbeam .. because u normally steal all your options.. erm.. i mean update other peoples trainers.. THEY have already traced back through the stack to find the start of the original function which is why your lost looking in some functions stack frame like a tool.

if you had put as much effort into actually learning how to reverse beyond the basics it takes to lift others options then you would know all of this.

the fact ur actually comparing a string tells me (without looking at the game) your doing it completely wrong and ill wager my pc on the fact there are 10 to 20 more efficient and secure ways of acheiving the same results..

finally.. stop saying im dead.. ill train games as long as its interesting to do so, a strategical step back and stocktake of my life doesnt constitute death..

[کunβeam]

Nice of you to drop by. What did I steal now ? Anyway, good luck with training it better than I could. I know you can. As long as what you do works, it doesn't matter if the trainer was written from scratch by yourself or generated with some other trainer maker tool. Sure, it looks niftier and it will have more options (trainer coded -> gamehacker knows programming -> let's fux the game up), and I congratulate you for that.

Anything else ? o_O You're dead to me, read better next time

[sheep]

read better?

I suggest you learn how to WRITE english correctly first then perhaps you can correct others on their reading of it.

being dead to me would actually mean your existance meant something to ME.. it doesnt.. and never has.. so no statement needed.

every post makes me laugh a little more, you assume things are problems when really the only problem you face is your complete ineptitude. If things
were left up to idiots like you people would be thinking the STACK is some kind of protection as they do DMA.

so continue posting.. i enjoy a chuckle.. its better than visiting the joke a day site.. you certainly get more chuckle per sentence here

"what's nastier is that the pointer is stacked..." <-- case and point.. haha

[کunβeam]

I don't have to use <abbr> to get people like you to understand what that quote means. At the instance I was in the picture, looking up in the code, the pointer used comes from the stack. Where it's pushed, I don't know. I don't have time to trace, I don't use SoftICE, and I am not sheep. Happy ? There you go, laugh a little more. Assuming people are idiots != what they really are. I would if I could, but I can't so I won't ... bark at you =]

If you gave up writing articles, just cuz you found "idiots" to pay you for what you do, don't lecture me when I try to share something with others. There isn't always a god-given way of training a game. You said it yourself. One is better than the other, which I agree, but don't tell me or suggest to me which is the best. That's my level, that's what I can do. I could've traced like a mad horse for 2 days through an engine I have no idea how it was designed (there's no SDK) to come up with something you'd call proper. And even then, you would still shove a foot in my ass, since you've already categorized me. Besides, god left people on earth with the power of choosing. Want to accept it, fine, you don't like it, start walking. Have fun laughing...

[on-topic]

I've managed to obtain a weapon which kinda blows my "cover" with checking the letter "y" in the string. So, I've modeled the code a bit to check for "my" (from "enemy")

Quote:

[ENABLE]

alloc(cave,512)
label(back)
label(loop)
label(out)
label(enemy)
label(incr)

//9B8140:
cave:
pushad

loop:
mov bl, [eax+14]
cmp bl, 79
je enemy
cmp bl, 0
je out

incr:
inc eax
jmp loop

out:
popad
jmp back

enemy:
mov bl, [eax+13]
cmp bl, 6D
jne incr
popad
sub [eax+538],ecx
jmp back

5CC158:
jmp cave
nop
back:

[DISABLE]

5CC158:
sub [eax+538],ecx

dealloc(cave)

P.S.: I like long fuzzy asm codes. Eat me...

[TippeX]

you dont need to use softice, but u do need to use something to see whats going on, otherwise its all guess work

and your revised code still suffers from boundary issues

as for idiots.. ever heard of the saying 'learn to walk before you can run'
thats exactly the case here.. you're trying to do a nice thing by explaining/teaching others how to code/train... yet, you yourself are teaching bad examples... which is primarialy why i started discussion here.. your asm is lacking, and you think you are better than you are.. ego is a bad thing..

and before you jump on me for saying your asm is lacking, let me point out..
1. the flags thing
2. the pushad thing
3. why you dont use a word check on the data for 'ym' (for your my enemy thing... kills 2 birds with one stone..)

[DABhand]

me being a lazy git that I am would use POP and PUSH on the registers to store em/retrieve em.

But thats just me :P

[TippeX]

yeh well pop and push is fine for the ones you're using
pushad / popad is lazy
thats what i meant

[کunβeam]

Okay. Dropping down attitude. Time to get more formal than 'egotistic'. I don't have any good impressions on me, since : a. I can't code; b. I use backtracing on mostly reversing programs, not games (walking blindly).

@TippeX: Won't "bark" at you, relax Am open minded. Okay, will use only push/pop on a register I use (in this case, ebx). Regarding the other issue, it's a bit complicated to store dwords in full ebx and compare against "enemy". I thought going through the string byte by byte and scanning for what I'm interested would pay off. Also, let me point out that for people that don't know how/what to look for in the game's memory, the method I posted is more than sufficient. Speaking of which, I trained a game a while ago, called Enemy Infestation with a similar opcode on HP (sub [ecx+9C],eax), and in that game you have 2 races - colonists and aliens. ecx held the top of the player structure, and ecx+4 was the ID of the colonist/alien (C01, A03). So, a simple check for "C" on ecx+4 would've been enough to make god mode.

Am not saying there aren't better ways to do it, as sheep fore-mentioned it, am just saying some of you guys are looking for game training closer to your "beliefs" (using player pointers, retrieving offsets to locate it, fiddling with memory), all of which I am not capable of quite doing yet. I always go for the easy way out...

@sheep: I don't know why you like to pick on people for what they try to show others. Also, speaking of "stealing" name what I stole in specific. 'Cuz, you know, writing an article about using WriteProcessMemory on a trainer for updating purposes is not called stealing. Admit you're just pissed. Come to think about it, you're one hell of a person when it comes to letting go

P.S: Who says you have to be sheep or any scholar to write an article ? This "tutorial" is more like informal, and as I mentioned it, I want others to share the experience. If they want to learn anything from it, fine. Am not shoving it up their mouths...

[TippeX]

Quote:

Originally Posted by کunβeam

@TippeX: Won't "bark" at you, relax Am open minded. Okay, will use only push/pop on a register I use (in this case, ebx). Regarding the other issue, it's a bit complicated to store dwords in full ebx and
compare against "enemy".

cmp word ptr [eax],'ym'



the 'value' is backwards

cmp dword ptr [eax],'ymen'

and so on

[کunβeam]

Hmm, I would still have to go through all the string Oh, and how do I detect the boundaries ? I mean, in asm :]

[eax+14] = point_0
...
[eax+24] = point_1

The size is not always the same. So point_1-point_0 will oscillate. Also, the string size has to be a multiple of 4 (nemy=4), starting from the...Wait a minute...

check:
cmp [eax+14], 'ymen'
jne somwhere
inc eax
jmp check

I think that would be it o_O ? And of course, the compare with 0 (end of string)...

Quote:

Originally Posted by TippeX

3. why you dont use a word check on the data for 'ym'

Because I would have a 2 letters words compared against an oscillating sized string. Keep in mind that the string isn't always odd (2,4,6,8...), but then again, the word isn't at the end of the string to have to worry about it I'll rewrite the script in a few hours. Need to attend some courses atm.

Thanks for the tips, TippeX (kinda repetitive - tips, tippex) =]

[TippeX]

Quote:

Originally Posted by کunβeam

Hmm, I would still have to go through all the string Oh, and how do I detect the boundaries ? I mean, in asm :]

check:

cmp byte ptr [eax+13], 'e'
jne advancecheck

cmp [eax+14], 'ymen'
jne somewhere

advancecheck:

cmp byte ptr [eax+14], 00h
je outofhere

inc eax

jmp check

outofhere:

; didnt find the string, so bomb...

somewhere:

cmp byte ptr [eax+14+4], 00h ; is it 'enemy' + terminator?
jne check

; do stuff cos its 'enemy'



something like that... and they're only repetitive cos u aint acting on them when i mention them ;p

[کunβeam]

I understand the code, but it's a little changed. I mean, the situation is I'll record a flash movie, so you get my point. Don't know if you have time to help out, but I'd be glad if you did. "enemy" is not at the end of the string =| So, yeah...

Watch this =] (4 MB in size, ~2 min play-time) » [ video ]