Creating my first cheat: Autokick
snake123adfs:
Hello everyone!! I currently am very bored out of my mind, and have no short-term goals, so I have decided I will try to make an Autokick hack for Warband. I have very limited programming experience, like noob level from years ago when I tried to start coding and failed.
I know it has been said that I can learn from the downloads section but I have no idea what to download from there. Can anyone link me to a thread for a legit beginner?
Edit: I am taking notes from this thread http://tkc-community.net/forum/index.php/topic,16834.0.html and trying to understand it; it is very hard.
double edit: just read this from another thread "get the vector rotation of the player ( you ) then check if the enemy is in a certain zone + distance from you if they are then send a kick command"
so that means when I create the program I will need some if functions that will run when I press the kick button E correct?
snake123adfs:
found this guys videos https://www.youtube.com/watch?v=XgV76LapvGs
gonna start there
snake123adfs:
I have downloaded Cheat Engine, loaded it up with Napoleonic Wars, I'm on my own server, trying to find the memory address for health. I read in a thread from 2014 that the default value for health is 60, so I put 60 in the value box, value type set to 4 bytes, do a scan, get 70,000 results, then I jump off a mountain, which takes about 3/4 of my health away. I do a search for decreased value, 12 results show up, hit scan again, and they all just disappear. Have the memory addresses and values for the game changed over the years?
edit: used my noggin, think I found out what I did wrong, going to try to find the health address by first searching for unknown and narrowing it down
well RIP, I got it narrowed down to 12 addresses, and the next time I jumped off the cliff and injured myself and searched for decreased value all the addresses disappeared
double edit: searching float instead of 4 bytes now, see if that will work
triple edit: I think the memory for health may either be 0A5B6658 or 4D6F3468, both have values of 56 instead of 60.
yeah that is definitely it, just jumped off and injured myself and the value went to 16. NW sets the default health to 56, not 60 like Native I guess.
why are there two addresses for health btw?
quad edit: right-clicked on address 0A5B6658 and clicked to find out what accesses it, and this is what showed up:
005D9573 - D9 86 18020000 - fld dword ptr [esi+00000218]
005D956B - FF D0 - call eax
005D956D - D9 85 00600000 - fld dword ptr [ebp+00006000]
005D9573 - D9 86 18020000 - fld dword ptr [esi+00000218] <<
005D9579 - DAE9 - fucompp
005D957B - DFE0 - fnstsw ax
EAX=004570E0
EBX=0005BE00
ECX=5A2336D0
EDX=007C4104
ESI=0A5B6440
EDI=4C9E3DF8
ESP=0314EF08
EBP=4D6ED468
EIP=005D9579
then I did the same for the other address 4D6F3468 and got this:
005A73CF - D8 9E 00600000 - fcomp dword ptr [esi+00006000]
005D956D - D9 85 00600000 - fld dword ptr [ebp+00006000]
0052AF57 - D9 80 00600000 - fld dword ptr [eax+00006000]
005A73CA - D9EE - fldz
005A73CC - 83 C4 08 - add esp,08
005A73CF - D8 9E 00600000 - fcomp dword ptr [esi+00006000] <<
005A73D5 - DFE0 - fnstsw ax
005A73D7 - F6 C4 05 - test ah,05
EAX=00000020
EBX=0086AB40
ECX=00000000
EDX=00862E30
ESI=4D6ED468
EDI=0314F454
ESP=0314F3F0
EBP=0A5B673C
EIP=005A73D5
005D9565 - 8B 82 DC000000 - mov eax,[edx+000000DC]
005D956B - FF D0 - call eax
005D956D - D9 85 00600000 - fld dword ptr [ebp+00006000] <<
005D9573 - D9 86 18020000 - fld dword ptr [esi+00000218]
005D9579 - DAE9 - fucompp
EAX=004570E0
EBX=0005BE00
ECX=5A2336D0
EDX=007C4104
ESI=0A5B6440
EDI=4C9E3DF8
ESP=0314EF08
EBP=4D6ED468
EIP=005D9573
0052AF50 - 8B CE - mov ecx,esi
0052AF52 - E8 D943EEFF - call mb_warband.exe+F330
0052AF57 - D9 80 00600000 - fld dword ptr [eax+00006000] <<
0052AF5D - DC 0D 18EF7B00 - fmul qword ptr [mb_warband.exe+3BEF18]
0052AF63 - 57 - push edi
EAX=4D6ED468
EBX=472658C0
ECX=4C9E3DF8
EDX=00000000
ESI=082A3B2C
EDI=0000000F
ESP=03139C20
EBP=0314E538
EIP=0052AF5D
OK, so when I had gotten all that information, it was when my character was still injured, so I restored his health and checked the addresses again to see what writes to them, and now nothing is showing under 4D6F3468, but 0A5B6658 is still showing the one address that accesses it.
This is what 0A5B6658 is now showing after healing my player fully:
005D956B - FF D0 - call eax
005D956D - D9 85 00600000 - fld dword ptr [ebp+00006000]
005D9573 - D9 86 18020000 - fld dword ptr [esi+00000218] <<
005D9579 - DAE9 - fucompp
005D957B - DFE0 - fnstsw ax
EAX=004570E0
EBX=0005BE00
ECX=5A2336D0
EDX=007C4104
ESI=0A5B6440
EDI=4C9E3DF8
ESP=0314EF08
EBP=4D6ED468
EIP=005D9579
snake123adfs:
"when you finally find the value and you're sure it's your health, find out what accesses it
jump to that location ( of the offset that is actually changing it , usually a float store [fstp] sometimes a double , mostly int or dword though warband is uncommon in most aspects actually )
now we have this address that is changing health
fstp [ebx+6000] ( local )
ok now you see the ebx .. ( ignore the + 6000 as its irrelevant at this point )
the ebx is what is known as the base .. or local , or local player pointer , this ebx is pointing to the start of you , ie your player' - mrmedic
This is confusing. Looking at the addresses I posted, I don't see anything that says "fstp [ebx+6000] ( local )". There is no ebx+6000; there are ebp and the other prefixes, as well as 00006000, but there is no ebx or +6000.
But then worm, on the other hand, said "fst dword ptr [esi+00006000] (Static Addr : mb_warband.exe+D25F4)
ESI - > Base
Base + 0x6000 - > Health.
"
Seb:
Took me a while to read all of that, but there is already so much information on these forums which I have posted and then some more obscure info posted by Medic. You may want to throw the executable into IDA and analyze the functions which have already been analyzed.
Regarding the two health values, one is for the UI and the other is for your actual player.
Games have a lot of different reasons for using multiple health values at times.
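A way to settle the "which register is the base" confusion in the posts above, as an added example that is not code from the thread or from mrmedic/worm: it parses the marked instruction and the register dump that Cheat Engine's "find out what accesses" window printed (strings copied from the posts above, trimmed to the relevant registers) and checks that register value + displacement equals the watched address, so the base pointer is whichever register the marked instruction indexes, not always ebx.

```python
import re

# Cheat Engine "find out what accesses this address" output copied from the
# thread above, trimmed to the marked instruction and the registers it uses.
LOG_0A5B6658 = """\
005D9573 - D9 86 18020000 - fld dword ptr [esi+00000218] <<
ESI=0A5B6440
EBP=4D6ED468
"""
LOG_4D6F3468 = """\
005A73CF - D8 9E 00600000 - fcomp dword ptr [esi+00006000] <<
ESI=4D6ED468
EBP=0A5B673C
"""

OPERAND_RE = re.compile(r"\[(e[a-d]x|e[sd]i|e[bs]p)\+([0-9A-Fa-f]+)\]")
REGISTER_RE = re.compile(r"^(E[A-Z]{2})=([0-9A-Fa-f]{8})$")

def parse_access_log(text):
    """Return (register, offset, registers) for the instruction marked '<<'."""
    marked, registers = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = REGISTER_RE.match(line)
        if m:
            registers[m.group(1)] = int(m.group(2), 16)
        elif line.endswith("<<"):
            marked = line
    if marked is None:
        raise ValueError("no instruction marked with '<<' in log")
    op = OPERAND_RE.search(marked)
    if op is None:
        raise ValueError("marked instruction has no [reg+offset] operand")
    return op.group(1).upper(), int(op.group(2), 16), registers

def resolve_base(text, watched):
    """Name the base register and check that base + offset is the watched address."""
    reg, offset, registers = parse_access_log(text)
    base = registers[reg]
    return {"register": reg, "base": base, "offset": offset,
            "matches": base + offset == watched}

def same_object(result_a, result_b):
    """True when two watched addresses are fields of one struct (same base pointer)."""
    return result_a["base"] == result_b["base"]
```

Run on the two dumps, 0A5B6658 resolves to ESI(0A5B6440)+0x218 and 4D6F3468 to ESI(4D6ED468)+0x6000, two different bases, which is the "two structures" Seb describes; the `fld dword ptr [eax+00006000]` entry with EAX=4D6ED468 resolves to the same 4D6F3468 through a different register.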