[solved] New Cheat
#1
Hi,
As somebody maybe can see, I will try learning hex.
Now to the topic:
there is this cheat, lf2.net.
My question is:
how can I make a new cheat (for ex. lfe) to do something (for ex. unlock some bgs)?
I know it will take a lot of work, but I'm willing to do it ;)
Ethanara
ps. if you know the OLLYDBG place of the lf2.net cheat, please say it, it would be helpful
I think all eggs have Anatidaephobia: the fear that you're being watched by a duck....
A blogspot project....
#2
lol at offtopicness - he's asking how to make a new cheat guys...

cheat stuff starts at:

0043B565 . 83FB 4C CMP EBX,4C

lotsa code there and analyzing it would take time. doesn't look very pleasant imo... if you sink enough time into it I'm sure you'll be able to figure it out

nothing really fancy occurs there
...
#3
OK guys, no more discussions about... "the cheat" and let's stay on topic now :P

*Disposed of all the offtopicness*
#4
Thx Xidd, so now we can see all the cheats known until now and see the addresses?
So if I want to make the new cheat I should just analyse it and copy it?
ps. what does the command jnz mean?
#5
The instruction jnz means - Jump Not Zero.

To use an example, here we go:
    ASM-Code:
0043B565   . 83FB 4C        CMP EBX,4C
0043B568   . 0F85 A2000000  JNZ lf2.0043B610



CMP command would be Compare EBX and 4C.
It actually subtracts 4C from EBX to receive a value.
Let's say that EBX is equal to 78. 4C is hexadecimal and translates to 76 in the decimal system.
2 =/= 0 (does not equal).
This means that the next line, JNZ (Jump Not Zero) will cause the program to jump to the address 0043B610.

Hopefully this example helps you to understand it.
If the value returned was not 0, then the program would carry on just reading the code after the JNZ line.


Edit:
Also, unsure as to whether this will help you at all but I have got you some of the Fx keys in hexadecimal numbers.

F1 = 70
F2 = 71
F3 = 72
F4 = 73
F5 = 74
F6 = 75
F7 = 76
F8 = 77
F9 = 78
F10 = 79
F11 = 7A
F12 = 7B

I don't know whether this will help you at all, but it's probably worth a shot. These are for VK_Fx's or Virtual Key Fx's. Basically this means that when the key is pressed, this is what the computer would read as a Hexadecimal number to know what you are doing.

In shortest terms, if you can find constants or variables which contain those values AFTER the cheat start which Xidd pointed out, you will be more than likely on the right track to being able to edit the cheats for LF2.


Edit2:
@Xidd - I hate to say this but I think you may be wrong (OOOOH, AAAAAARRRRRRRGH, THE PAIN!) in terms of the starting point for the cheats. I think that may be the general starting point for all key strokes and inputs. I was fiddling about and found that even when I pressed my attack keys, after setting a breakpoint on the line under, the game reverted to the OllyDBG screen... good or bad news?

I hope this helps,


Eddie
One day, I shall become, TUTORIAL-MAN: Superhero of writing overly long, overly annoying tutorials which most people probably won't read, but will give it a stab at the first 5 lines!
#6
JNZ = jump if not equal =]

not sure how F keys apply here tbh - he was asking about cheats like lf2.net. Single-key cheats could be made via the dll using GetASyncKey without much hassle - kinda like how they do in game trainers (cheat programs)

anyway - I'm quite glad to say that I'm not wrong :twisted: ofc it breaks when you press a button... it has to check every key input to see if you started typing in the cheat

    ASM-Code:
0043B54E   .  85C0          TEST EAX,EAX                             ;  check if count is 0
0043B550   .  B9 02000000   MOV ECX,2
0043B555   .  B2 64         MOV DL,64
0043B557   .  8893 78534500 MOV BYTE PTR DS:[EBX+455378],DL
0043B55D   .  8D71 01       LEA ESI,DWORD PTR DS:[ECX+1]
0043B560   .  8D79 03       LEA EDI,DWORD PTR DS:[ECX+3]
0043B563   .  75 14         JNZ SHORT 0043B579                       ;  jump if count isn't 0
0043B565   .  83FB 4C       CMP EBX,4C                               ;  L
0043B568   .  0F85 A2000000 JNZ 0043B610
0043B56E   .  892D 7C854500 MOV DWORD PTR DS:[45857C],EBP
0043B574   .  E9 A1000000   JMP 0043B61A
0043B579   >  3BC5          CMP EAX,EBP                              ;  check if count is 1
0043B57B   .  75 10         JNZ SHORT 0043B58D
0043B57D   .  83FB 46       CMP EBX,46                               ;  F
0043B580   .  75 6D         JNZ SHORT 0043B5EF
0043B582   .  890D 7C854500 MOV DWORD PTR DS:[45857C],ECX
0043B588   .  E9 8D000000   JMP 0043B61A
0043B58D   >  3BC1          CMP EAX,ECX                              ;  check if count is 2
0043B58F   .  75 0D         JNZ SHORT 0043B59E
0043B591   .  83FB 32       CMP EBX,32                               ;  2
0043B594   .  75 5E         JNZ SHORT 0043B5F4
0043B596   .  8935 7C854500 MOV DWORD PTR DS:[45857C],ESI
0043B59C   .  EB 7C         JMP SHORT 0043B61A
0043B59E   >  3BC6          CMP EAX,ESI                              ;  check if count is 3
0043B5A0   .  75 14         JNZ SHORT 0043B5B6
0043B5A2   .  81FB BE000000 CMP EBX,0BE                              ;  .
0043B5A8   .  75 4F         JNZ SHORT 0043B5F9
0043B5AA   .  C705 7C854500>MOV DWORD PTR DS:[45857C],4
0043B5B4   .  EB 64         JMP SHORT 0043B61A
0043B5B6   >  83F8 04       CMP EAX,4                                ;  check if count is 4
0043B5B9   .  75 0D         JNZ SHORT 0043B5C8
0043B5BB   .  83FB 4E       CMP EBX,4E                               ;  N
0043B5BE   .  75 3E         JNZ SHORT 0043B5FE
0043B5C0   .  893D 7C854500 MOV DWORD PTR DS:[45857C],EDI
0043B5C6   .  EB 52         JMP SHORT 0043B61A
0043B5C8   >  3BC7          CMP EAX,EDI                              ;  check if count is 5
0043B5CA   .  75 11         JNZ SHORT 0043B5DD
0043B5CC   .  83FB 45       CMP EBX,45                               ;  E
0043B5CF   .  75 35         JNZ SHORT 0043B606
0043B5D1   .  C705 7C854500>MOV DWORD PTR DS:[45857C],6
0043B5DB   .  EB 3D         JMP SHORT 0043B61A
0043B5DD   >  83F8 06       CMP EAX,6                                ;  check if count is 6
0043B5E0   .  75 2E         JNZ SHORT 0043B610
0043B5E2   .  83FB 54       CMP EBX,54                               ;  T
0043B5E5   .  75 24         JNZ SHORT 0043B60B
0043B5E7   .  8815 71544500 MOV BYTE PTR DS:[455471],DL              ;  set cheat flag
0043B5ED   .  EB 2B         JMP SHORT 0043B61A
0043B5EF   >  83FB 4C       CMP EBX,4C                               ;  L
0043B5F2   .  EB 1A         JMP SHORT 0043B60E
0043B5F4   >  83FB 46       CMP EBX,46                               ;  F
0043B5F7   .  EB 15         JMP SHORT 0043B60E
0043B5F9   >  83FB 32       CMP EBX,32                               ;  2
0043B5FC   .  EB 10         JMP SHORT 0043B60E
0043B5FE   >  81FB BE000000 CMP EBX,0BE                              ;  .
0043B604   .  EB 08         JMP SHORT 0043B60E
0043B606   >  83FB 4E       CMP EBX,4E                               ;  N
0043B609   .  EB 03         JMP SHORT 0043B60E
0043B60B   >  83FB 45       CMP EBX,45                               ;  E
0043B60E   >  74 0A         JE SHORT 0043B61A
0043B610   >  C705 7C854500>MOV DWORD PTR DS:[45857C],0              ;  reset count


there is a counter which goes up to 6 and a bunch of checks to see if you have pressed the correct key at the correct time. If you didn't, the counter is reset to 0.

if everything went well then 455471h becomes 64h - that is the lf2.net cheat flag

it is checked here:

    ASM-Code:
0041C669   .  803D 71544500>CMP BYTE PTR DS:[455471],64              ;  check the lf2.net flag
0041C670   .  75 17         JNZ SHORT 0041C689
0041C672   .  8D8424 340400>LEA EAX,DWORD PTR SS:[ESP+434]
0041C679   .  50            PUSH EAX
0041C67A   .  C605 71544500>MOV BYTE PTR DS:[455471],75
0041C681   .  E8 EAA5FFFF   CALL 00416C70                            ;  lf2.net


that calls 00416C70 which sets ANOTHER flag to say that the cheat is enabled (this is the actual status of the cheat - not the input flag)

MOV DWORD PTR DS:[458428],EAX

now if you go to the character selection part - I'm sure you will find some check involving the address 458428.

so as you can see I'm not wrong :D
...
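To make the two posts above concrete, here is an added C model of the lf2.net key-sequence recogniser as it reads from the posted disassembly, together with the CMP/ZF/JNZ rule from the post before it. This is example code written for this thread, not code from the game or from either poster, and the names (lf2net_feed_key, lf2net_run, cheat_state) are invented. It assumes what the disassembly comments suggest: EBX holds the virtual-key code of the key just pressed, EBP holds 1 so the counter at 45857C runs 0..6, and 0xBE is VK_OEM_PERIOD (the '.' key).

```c
#include <stdio.h>
#include <stdint.h>

/* Added example: a C model of the lf2.net key-sequence recogniser as read
 * from the disassembly in the post above. Not the game's code; all names
 * are invented. Assumptions: EBX = virtual-key code of the key pressed,
 * EBP = 1 (so the count stored at 45857C runs 0..6), 0xBE = VK_OEM_PERIOD. */

#define CHEAT_FLAG_VALUE 0x64  /* DL = 64h is written to [455471] on success */

/* Expected key for count 0..6, i.e. "L F 2 . N E T" */
static const uint8_t LF2NET_KEYS[7] = {
    0x4C, 0x46, 0x32, 0xBE, 0x4E, 0x45, 0x54
};

struct cheat_state {
    uint32_t count;  /* models DWORD PTR DS:[45857C] */
    uint8_t  flag;   /* models BYTE PTR DS:[455471]  */
};

/* CMP a,b computes a-b and sets ZF when the difference is zero;
 * JNZ/JNE is taken when ZF is clear, JE/JZ when it is set. */
static int cmp_sets_zf(uint32_t a, uint32_t b)
{
    return (a - b) == 0;
}

/* Feed one key press. Returns 1 if the key advanced (or completed) the
 * sequence, 0 if it was tolerated as a repeat of the previous stage's key,
 * and -1 if it reset the counter. */
int lf2net_feed_key(struct cheat_state *s, uint8_t vk)
{
    uint32_t count = s->count;

    /* CMP EAX,6 / JNZ 0043B610: anything past the last stage resets. */
    if (count > 6) {
        s->count = 0;
        return -1;
    }

    /* CMP EBX,<expected key for this stage>, JE path */
    if (cmp_sets_zf(vk, LF2NET_KEYS[count])) {
        if (count == 6)
            s->flag = CHEAT_FLAG_VALUE;   /* MOV BYTE PTR DS:[455471],DL */
        else
            s->count = count + 1;         /* MOV DWORD PTR DS:[45857C],n */
        return 1;
    }

    /* Mismatch. At count 0 the code jumps straight to the reset at
     * 0043B610. At count 1..6 it first compares EBX with the previous
     * stage's key (0043B5EF..0043B60B) and keeps the count if they match,
     * which is what makes a held or auto-repeated key harmless. */
    if (count > 0 && cmp_sets_zf(vk, LF2NET_KEYS[count - 1]))
        return 0;                         /* JE SHORT 0043B61A */

    s->count = 0;                         /* MOV DWORD PTR DS:[45857C],0 */
    return -1;
}

/* Run a string of key presses through a fresh recogniser. Upper-case
 * letters and digits use their ASCII code, which equals their VK code;
 * '.' maps to VK_OEM_PERIOD (0xBE). Returns the final state. */
struct cheat_state lf2net_run(const char *keys)
{
    struct cheat_state s = {0, 0};
    for (; *keys; keys++) {
        uint8_t vk = (*keys == '.') ? 0xBE : (uint8_t)*keys;
        lf2net_feed_key(&s, vk);
    }
    return s;
}

int main(void)
{
    /* constructed sample inputs */
    const char *inputs[] = {"LF2.NET", "LFF2.NET", "LF2X.NET", "LL"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct cheat_state s = lf2net_run(inputs[i]);
        printf("%-10s count=%u flag=%02X\n", inputs[i], s.count, s.flag);
    }
    return 0;
}
```

The repeat-tolerance branch is the detail worth noticing: a mismatched key does not always reset the counter, because the 0043B5EF..0043B60B block compares the key with the stage that was just completed, so holding a key long enough for auto-repeat does not cancel a half-typed code.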
#7
Hmm, glad to see you aren't wrong and thank you for correcting me. For some reason I had F keys in my mind...

Isn't JNE = Jump If Not Equal?
JNZ I was pretty sure was Jump If Not Zero or Jump If Zero Flag Not Set

Although I'm pretty sure you could also use JNE instead of JNZ in almost any situation.

And yeah, thanks for correcting me, I wondered why it started doing that and assumed naturally it was because it was key input for anything.

Xidd 1 : Eddie 0


Well done, you've spurred me into more HEX thinking. Damn you Xidd... DAMN YOU!



Eddie
#8
Quote: if everything went well then 455471h becomes 64h - that is the lf2.net cheat flag

why 64h?
and where can i see the thingy of what the cheat do if i push lf2.net?
#9
"why 64h?" because that's how it works... the number has no significance

what do you mean "where can i see the thingy of what the cheat do if you push lf2.net?"...

i explained the whole process in my previous post.

if you mean what reads that address, look here: http://lf-empire.de/forum/showthread.php?tid=2360

0042A71F > 833D 28844500 >CMP DWORD PTR DS:[458428],1 //check if lf2.net is enabled

anyway i think you are thinking about this the wrong way.

first you have to detect the keys pressed (hard-ish) - afterwards you can change any bit of code to see if the cheat is enabled or not (easy-ish)...
...
#10
I mean that if you push lf2.net, where does it check "okay, he pushed that, so now I should do this and this"