Posts: 89
Threads: 19
Joined: Mar 2010
08-28-2010, 03:27 PM
(This post was last modified: 08-28-2010, 05:54 PM by Ramond.)
Hi,
As somebody maybe can see, I will try learning hex.
Now to the topic:
there is this cheat, lf2.net
my question is:
How can I make a new cheat (for ex. lfe) to do something (for ex. unlock some bgs)?
I know it will take a lot of work, but I'm willing to do it.
Ethanara
PS: if you know the OLLYDBG place of the lf2.net cheat, please say it, it would be helpful.
Thanks given by:
Posts: 26
Threads: 3
Joined: Mar 2010
08-28-2010, 05:39 PM
(This post was last modified: 08-28-2010, 05:41 PM by Xidd.)
lol at offtopicness - he's asking how to make a new cheat guys...
cheat stuff starts at:
0043B565 . 83FB 4C CMP EBX,4C
lotsa code there and analyzing it would take time. doesn't look very pleasant imo... if you sink enough time into it I'm sure you'll be able to figure it out
nothing really fancy occurs there
Posts: 1,122
Threads: 17
Joined: Mar 2008
08-28-2010, 05:53 PM
(This post was last modified: 08-28-2010, 05:54 PM by Ramond.)
OK guys, no more discussions about... "the cheat" and let's stay on topic now :P
*Disposed of all the offtopicness*
03:28 [BluePhoenix] sleep is for weakling.
Thanks given by:
Posts: 89
Threads: 19
Joined: Mar 2010
08-28-2010, 06:20 PM
(This post was last modified: 08-28-2010, 07:05 PM by ethanara.)
Thanks Xidd, so now we can see all the cheats known until now and see the addresses?
So if I want to make the new cheat I should just analyse it and copy it?
ps. what does the command jnz mean?
Thanks given by:
Posts: 667
Threads: 18
Joined: Jul 2009
08-29-2010, 01:12 PM
(This post was last modified: 08-29-2010, 02:27 PM by Eddie.)
The instruction jnz means - Jump Not Zero.
To use an example, here we go:
ASM-Code:
0043B565 . 83FB 4C CMP EBX,4C
0043B568 . 0F85 A2000000 JNZ lf2.0043B610
CMP command would be Compare EBX and 4C.
It actually subtracts 4C from EBX to receive a value.
Let's say that EBX is equal to 78. 4C is hexadecimal and translates to 76 in decimal system.
2 =/= 0 (does not equal).
This means that the next line, JNZ (Jump Not Zero) will cause the program to jump to the address 0043B610.
Hopefully this example helps you to understand it.
If the value returned was not 0, then the program would carry on just reading the code after the JNZ line.
Edit:
Also, unsure as to whether this will help you at all but I have got you some of the Fx keys in hexadecimal numbers.
F1 = 70
F2 = 71
F3 = 72
F4 = 73
F5 = 74
F6 = 75
F7 = 76
F8 = 77
F9 = 78
F10 = 79
F11 = 7A
F12 = 7B
I don't know whether this will help you at all, but it's probably worth a shot. These are for VK_Fx's or Virtual Key Fx's. Basically this means that when the key is pressed, this is what the computer would read as a Hexadecimal number to know what you are doing.
In shortest terms, if you can find constants or variables which contain those values AFTER the cheat start which Xidd pointed out, you will be more than likely on the right track to being able to edit the cheats for LF2.
Edit2:
@ Xidd - I hate to say this but I think you may be wrong (OOOOH, AAAAAARRRRRRRGH, THE PAIN!) in terms of the starting point for the cheats. I think that may be the general starting point for all key strokes and inputs. I was fiddling about and found that even when I pressed my attack keys, after setting a breakpoint the line under. The game reverted to the OllyDBG screen... good or bad news?
I hope this helps,
Eddie
One day, I shall become, TUTORIAL-MAN: Superhero of writing overly long, overly annoying tutorials which most people probably won't read, but will give it a stab at the first 5 lines!
Thanks given by:
Posts: 26
Threads: 3
Joined: Mar 2010
JNZ = jump if not equal =]
not sure how fkeys apply here tbh - he was asking about cheats like lf2.net. single key cheats could be made via the dll use GetASyncKey without much hassle - kinda like how they do in game Trainers (cheat programs)
anyway - I'm quite glad to say that I'm not wrong :twisted: ofc it breaks when you press a button... it has to check every key input to see if you started typing in the cheat
ASM-Code:
0043B54E . 85C0 TEST EAX,EAX ; check if count is 0
0043B550 . B9 02000000 MOV ECX,2
0043B555 . B2 64 MOV DL,64
0043B557 . 8893 78534500 MOV BYTE PTR DS:[EBX+455378],DL
0043B55D . 8D71 01 LEA ESI,DWORD PTR DS:[ECX+1]
0043B560 . 8D79 03 LEA EDI,DWORD PTR DS:[ECX+3]
0043B563 . 75 14 JNZ SHORT 0043B579 ; jump if count isn't 0
0043B565 . 83FB 4C CMP EBX,4C ; L
0043B568 . 0F85 A2000000 JNZ 0043B610
0043B56E . 892D 7C854500 MOV DWORD PTR DS:[45857C],EBP
0043B574 . E9 A1000000 JMP 0043B61A
0043B579 > 3BC5 CMP EAX,EBP ; check if count is 1
0043B57B . 75 10 JNZ SHORT 0043B58D
0043B57D . 83FB 46 CMP EBX,46 ; F
0043B580 . 75 6D JNZ SHORT 0043B5EF
0043B582 . 890D 7C854500 MOV DWORD PTR DS:[45857C],ECX
0043B588 . E9 8D000000 JMP 0043B61A
0043B58D > 3BC1 CMP EAX,ECX ; check if count is 2
0043B58F . 75 0D JNZ SHORT 0043B59E
0043B591 . 83FB 32 CMP EBX,32 ; 2
0043B594 . 75 5E JNZ SHORT 0043B5F4
0043B596 . 8935 7C854500 MOV DWORD PTR DS:[45857C],ESI
0043B59C . EB 7C JMP SHORT 0043B61A
0043B59E > 3BC6 CMP EAX,ESI ; check if count is 3
0043B5A0 . 75 14 JNZ SHORT 0043B5B6
0043B5A2 . 81FB BE000000 CMP EBX,0BE ; .
0043B5A8 . 75 4F JNZ SHORT 0043B5F9
0043B5AA . C705 7C854500>MOV DWORD PTR DS:[45857C],4
0043B5B4 . EB 64 JMP SHORT 0043B61A
0043B5B6 > 83F8 04 CMP EAX,4 ; check if count is 4
0043B5B9 . 75 0D JNZ SHORT 0043B5C8
0043B5BB . 83FB 4E CMP EBX,4E ; N
0043B5BE . 75 3E JNZ SHORT 0043B5FE
0043B5C0 . 893D 7C854500 MOV DWORD PTR DS:[45857C],EDI
0043B5C6 . EB 52 JMP SHORT 0043B61A
0043B5C8 > 3BC7 CMP EAX,EDI ; check if count is 5
0043B5CA . 75 11 JNZ SHORT 0043B5DD
0043B5CC . 83FB 45 CMP EBX,45 ; E
0043B5CF . 75 35 JNZ SHORT 0043B606
0043B5D1 . C705 7C854500>MOV DWORD PTR DS:[45857C],6
0043B5DB . EB 3D JMP SHORT 0043B61A
0043B5DD > 83F8 06 CMP EAX,6 ; check if count is 6
0043B5E0 . 75 2E JNZ SHORT 0043B610
0043B5E2 . 83FB 54 CMP EBX,54 ; T
0043B5E5 . 75 24 JNZ SHORT 0043B60B
0043B5E7 . 8815 71544500 MOV BYTE PTR DS:[455471],DL ; set cheat flag
0043B5ED . EB 2B JMP SHORT 0043B61A
0043B5EF > 83FB 4C CMP EBX,4C ; L
0043B5F2 . EB 1A JMP SHORT 0043B60E
0043B5F4 > 83FB 46 CMP EBX,46 ; F
0043B5F7 . EB 15 JMP SHORT 0043B60E
0043B5F9 > 83FB 32 CMP EBX,32 ; 2
0043B5FC . EB 10 JMP SHORT 0043B60E
0043B5FE > 81FB BE000000 CMP EBX,0BE ; .
0043B604 . EB 08 JMP SHORT 0043B60E
0043B606 > 83FB 4E CMP EBX,4E ; N
0043B609 . EB 03 JMP SHORT 0043B60E
0043B60B > 83FB 45 CMP EBX,45 ; E
0043B60E > 74 0A JE SHORT 0043B61A
0043B610 > C705 7C854500>MOV DWORD PTR DS:[45857C],0 ; reset count
there is a counter which goes up to 6 and a bunch of checks to see if you have pressed the correct key at the correct time. if you didn't the counter is reset to 0.
if everything went well then 455471h becomes 64h - that is the lf2.net cheat flag
it is checked here:
ASM-Code:
0041C669 . 803D 71544500>CMP BYTE PTR DS:[455471],64 ; check the lf2.net flag
0041C670 . 75 17 JNZ SHORT 0041C689
0041C672 . 8D8424 340400>LEA EAX,DWORD PTR SS:[ESP+434]
0041C679 . 50 PUSH EAX
0041C67A . C605 71544500>MOV BYTE PTR DS:[455471],75
0041C681 . E8 EAA5FFFF CALL 00416C70 ; lf2.net
that calls 00416C70 which sets ANOTHER flag to say that the cheat is enabled (this is the actual status of the cheat - not the input flag)
MOV DWORD PTR DS:[458428],EAX
now if you go to the character selection part - I'm sure you will find some check involving the address 458428.
so as you can see I'm not wrong :D
Thanks given by:
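As an added illustration (not code from this thread and not LF2's own code), here is a C model of the counter logic Xidd's listing shows and of the CMP/JNZ comparison Eddie explains: the counter at 45857C and the input flag at 455471 become two struct fields, each CMP EBX,<key> / JNZ pair becomes an equality test, and the key codes are the constants from the listing (4C, 46, 32, BE, 4E, 45, 54). All field, enum and function names are assumptions. The model also keeps a detail the listing shows but the one-line summary glosses over: on a mismatch the stubs at 0043B5EF..0043B60B compare the key against the previous step's key and JE past the reset, so a doubled key ("llf2.net") does not break the sequence.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Key codes the listing compares EBX against (values from the disassembly;
   the enum names are ours). Letters and digits use their ASCII code as the
   Windows virtual-key code; '.' is VK_OEM_PERIOD = 0xBE. */
enum { KEY_L = 0x4C, KEY_F = 0x46, KEY_2 = 0x32, KEY_DOT = 0xBE,
       KEY_N = 0x4E, KEY_E = 0x45, KEY_T = 0x54 };

#define SEQ_LEN 7
static const unsigned char SEQUENCE[SEQ_LEN] =
    { KEY_L, KEY_F, KEY_2, KEY_DOT, KEY_N, KEY_E, KEY_T };

/* The two memory cells the listing writes; field names are ours. */
struct cheat_input {
    unsigned int count;        /* DS:[45857C]: how many keys matched so far */
    unsigned char input_flag;  /* DS:[455471]: becomes 64h once the sequence is in */
};

/* One key press (EBX in the listing) run through 0043B54E..0043B610.
   Each "key == expected" stands for CMP setting ZF and JNZ not being taken. */
void feed_key(struct cheat_input *st, unsigned char key)
{
    if (st->count >= SEQ_LEN) {          /* no CMP EAX,n matches: 0043B610 resets */
        st->count = 0;
        return;
    }
    if (key == SEQUENCE[st->count]) {    /* CMP EBX,<expected> matched */
        if (st->count == SEQ_LEN - 1)
            st->input_flag = 0x64;       /* 0043B5E7: MOV BYTE PTR [455471],DL (DL=64h) */
        else
            st->count++;                 /* MOV DWORD PTR [45857C],<count+1> */
        return;
    }
    /* Mismatch: the stubs at 0043B5EF..0043B60B compare the key against the
       previous step's key and JE to 0043B61A, leaving the counter untouched. */
    if (st->count > 0 && key == SEQUENCE[st->count - 1])
        return;
    st->count = 0;                       /* 0043B610: reset count */
}

/* ASCII text -> key code, so constructed inputs can be typed as strings. */
static unsigned char vk_from_char(char c)
{
    return c == '.' ? KEY_DOT : (unsigned char)toupper((unsigned char)c);
}

/* Type a whole string from a fresh state; returns the final input flag. */
unsigned char run_keys(const char *text, struct cheat_input *st)
{
    memset(st, 0, sizeof *st);
    for (; *text; text++)
        feed_key(st, vk_from_char(*text));
    return st->input_flag;
}

unsigned char flag_after(const char *text)
{
    struct cheat_input st;
    return run_keys(text, &st);
}

unsigned int count_after(const char *text)
{
    struct cheat_input st;
    run_keys(text, &st);
    return st.count;
}

int main(void)
{
    /* Constructed sample inputs: correct, broken, doubled keys, incomplete. */
    const char *samples[] = { "lf2.net", "lf2xnet", "llff2.net", "lf2.ne" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> flag 0x%02X, count %u\n", samples[i],
               flag_after(samples[i]), count_after(samples[i]));
    return 0;
}
```

Running it prints the final flag and counter for each constructed input; the doubled-key case is the one worth checking against the disassembly, since the summary "wrong key resets to 0" alone would predict the wrong result for it.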
Posts: 667
Threads: 18
Joined: Jul 2009
08-29-2010, 03:59 PM
(This post was last modified: 08-29-2010, 04:40 PM by Eddie.)
Hmm, glad to see you aren't wrong and thank you for correcting me. For some reason I had F keys in my mind...
Isn't JNE = Jump If Not Equal
JNZ I was pretty sure was Jump If Not Zero or Jump If Zero Flag Not Set
Although I'm pretty sure you could also use JNE instead of JNZ in almost any situation.
And yeah, thanks for correcting me, I wondered why it started doing that and assumed naturally it was because it was key input for anything.
Xidd 1 : Eddie 0
Well done, you've spurred me into more HEX thinking. Damn you Xidd... DAMN YOU!
Eddie
One day, I shall become, TUTORIAL-MAN: Superhero of writing overly long, overly annoying tutorials which most people probably won't read, but will give it a stab at the first 5 lines!
Thanks given by:
Posts: 89
Threads: 19
Joined: Mar 2010
Quote: if everything went well then 455471h becomes 64h - that is the lf2.net cheat flag
why 64h?
and where can i see the thingy of what the cheat do if i push lf2.net?
Thanks given by:
Posts: 26
Threads: 3
Joined: Mar 2010
"why 64h?" because that's how it works... the number has no significance
what do you mean "where can i see the thingy of what the cheat do if push lf2.net?"...
I explained the whole process in my previous post.
if you mean what reads that address, look here: http://lf-empire.de/forum/showthread.php?tid=2360
0042A71F > 833D 28844500 >CMP DWORD PTR DS:[458428],1 //check if lf2.net is enabled
anyway i think you are thinking about this the wrong way.
first you have to detect the keys pressed(hard-ish) - afterwards you can change any bit of code to see if the cheat is enabled or not(easy-ish)...
Thanks given by:
Posts: 89
Threads: 19
Joined: Mar 2010
I mean that if you push lf2.net, where does it check "okay, he pushed that, so now I should do this and this"
Thanks given by: