Superjump in 1.6 - Subsky
1) Load a map with hills; one where you have great control over your altitude.
2) Search for Unknown in T-Search.
3) Increase altitude- search for "floating point increased".
4) Decrease altitude- search for "floating point decreased".
5) Repeat steps 3 -> 4 until you have approximately 100-200 hits.
6) Add all these entries to the other window.
7) Starting with the lowest one- replace that value with anything significantly higher (eg. original value + 1000).
8) Switch into the game, see if you are falling- or have fallen, and are now dead.
9) Repeat steps 7 -> 8 until the above happens.
10) Enable debugger, open autohack window.
11) Set memory breakpoint on this address.
12) A few hits will come up, ignore them. Switch back into game- walk around, shoot etc (DO NOT JUMP).
13) A few more hits will come up, ignore these too.
14) Go back into the game, and jump. You should have 2 or 3 instructions accessing this altitude co-ord address.
15) For each address; go to the disassembly window, and view the previous instructions.
16) For each instruction; scroll up, and find any FMUL instructions- nop them out, go back into the game and jump.
Why? When calculating your fall due to gravity; some floating point value must be multiplied by 9.8- or some other similar quantity. Knowing this- we can look for the x86 instruction that represents floating point multiplication; it is FMUL.
17) Repeat 16 until you seem to just keep going up up up (quite quickly).
* For 1.6 it's:
875D66: fmul dword ptr [eax+0x8]
*EAX is always changing; and so this is the current falling velocity due to gravity.
18) Open easywrite interpreter, insert a jmp from this address to your own code (need to know how to write code caves).
19) Have your code execute an adaptation of the original instruction- multiply it by a constant value; not a variable one; so you go up at a constant (controllable rate).
NOTE: You will need to use
http://babbage.cs.qc.edu/courses/cs341/IEEE-754.html to convert floating point values to hexadecimal. Controllable values are in the range 0.05 to 0.1.
Your code cave should look something like:
offset 0x10b00 //Code cave address
mov dword ptr [0x10d00], 0x3D8F5C28 //IEEE-754 single for ~0.07 (0.05 would be 0x3D4CCCCD)
fmul dword ptr [0x10d00] //Multiply by our constant value instead of the variable at [eax+0x8]
fstp dword ptr [eax+0x8] //Execute the overwritten instruction(s)
jmp 0x875d6c //Jump back to the original function + 6 bytes (what we overwrote with the JMP + NOP)
offset 0x875d66
jmp 0x10b00 //Jump to code cave (5 bytes)
nop //Pad to 6 bytes to preserve instruction boundaries
That completes the basic superjump. To come back down; have easywrite replace the overwritten instructions with the original ones, and you'll straight away begin to fall back down.
This will work- but you'll get hurt or die falling down from high distances. To make it easy to control- use something like the above code cave, but instead multiply it by the negative of that value when you 'turn it off'.
For example:
offset 0x10b00 //Code cave address
mov dword ptr [0x10d00], 0xBD4CCCCC //IEEE-754 single for ~-0.05 (rounded value is 0xBD4CCCCD)
.... [rest the same]
Use space to toggle.
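The constants in both caves are IEEE-754 single-precision encodings, and the note above sends you to a website to produce them. The following is an added example (not part of the original tutorial, and not the easywrite tool's code) that does the same conversion offline with Python's struct module, so you can check a constant before writing it into memory. It decodes the two values that appear on this page, shows the sign/exponent/mantissa fields, and shows the byte order you would actually see in a little-endian x86 memory dump. The function names are my own.

```python
import struct


def float_to_hex(value: float) -> str:
    """Encode a float as an IEEE-754 single (8 hex digits, most significant first)."""
    return struct.pack(">f", value).hex().upper()


def hex_to_float(digits: str) -> float:
    """Decode 8 hex digits (optionally 0x-prefixed) as an IEEE-754 single."""
    digits = digits.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    return struct.unpack(">f", bytes.fromhex(digits.zfill(8)))[0]


def decode_fields(digits: str) -> tuple:
    """Split an encoded single into (sign, unbiased exponent, 23-bit mantissa)."""
    digits = digits.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    bits = int(digits, 16)
    sign = bits >> 31
    exponent = ((bits >> 23) & 0xFF) - 127   # remove the 127 bias
    mantissa = bits & 0x7FFFFF
    return sign, exponent, mantissa


def as_memory_bytes(value: float) -> str:
    """Bytes as they appear in a little-endian x86 memory view (lowest address first)."""
    return " ".join(f"{b:02X}" for b in struct.pack("<f", value))


def within(digits: str, expected: float, tol: float = 1e-6) -> bool:
    """True when the encoded constant is within tol of the intended value."""
    return abs(hex_to_float(digits) - expected) < tol


if __name__ == "__main__":
    # The two constants used in the code caves on this page.
    for digits, intended in (("0x3D8F5C28", 0.05), ("0xBD4CCCCC", -0.05)):
        print(f"{digits} decodes to {hex_to_float(digits):.8f} "
              f"(intended {intended}, close enough: {within(digits, intended)})")
    # Exact encodings for the edges of the 0.05..0.1 range quoted above.
    for v in (0.05, -0.05, 0.1):
        sign, exp, man = decode_fields(float_to_hex(v))
        print(f"{v:>6} -> 0x{float_to_hex(v)}  sign={sign} exp=2^{exp} "
              f"mantissa=0x{man:06X}  in memory: {as_memory_bytes(v)}")
```

Running it shows that 0x3D8F5C28 is about 0.07 rather than 0.05 (the properly rounded encoding of 0.05 is 0x3D4CCCCD), while 0xBD4CCCCC is -0.05 truncated by one unit in the last place; both are inside the controllable range, which is why the caves still behave as described. The little-endian output matters if you read a float back out of a memory dump instead of writing it as an immediate: the bytes appear reversed relative to the hex constant.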
Superjump gets detected by HRADBA no matter how you do it- patching or ini mods. Next step is to open up HRADBA.dll and find the code that reports/kicks you.
And that's superjump in 1.6 (with HRADBA). Yes, it does work.
Subsky