Part III.V (3.5):
I've come across a couple of new things I'd like to share with those who are TiTs (Trainers in Training).
So, instead of preparing a whole new document with just some new additions, I'm just going to post the new additions; as a result, save myself from a lot of revision and editing.
Let's go ahead and dive right in...
First, I just recently figured this out, but it's important to note because this will make training just a little easier for those who don't have .NET. So, in XDKA, you know that you can set breaks... right?... Yes, of course... however, before, I mentioned that after you break you select "Go" (F4), but nothing ever happened (and I told you to use .NET). Well, the answer to that problem (which was always there, but which nobody told me) is to select "Go" and then select "Continue Thread" (F5):
After clicking that, another box comes up:
Make sure it's 28, and then click OK, and then your game should resume!
I wish I had found this out later, but oh well.
Moving on, I'm now going to cover a problem I recently encountered with the ever-popular Grand Theft Auto: San Andreas game. I noticed that there was a trainer out there (not surprisingly), but that the trainer didn't have an option I've always wanted... which was to have invincible cars. If you couldn't have already guessed it by now, I made the option, but ran into some issues. Therefore, the bulk of this tutorial is going to explain what the problem was and how I solved it.
The first thing I did when training this game was to make sure I wasn't running the trainer. When I ran the trainer and the debug bios at the same time, I noticed that Art Money was finding "Out of Range" addresses, even though XDKA was patching it. Therefore, make sure you're not running any trainers and make sure you have PLENTY of time to do the next part, which was to do an unknown search.
In the search box, I checked 4 byte float only (custom), pressed OK, and from there I did dump->filter->was not changed 3 times, then decreased the car's health, then dump->filter->was decreased, then dump->filter->was not changed, lost health, then dump->filter->was decreased, until I came up with roughly 1000 addresses. I then dragged them into the other box and looked through them to find a number that looked reasonable (there were a lot of 0's and negatives, but only 1 address looked good, and it was about 400.56 or something like that). After I found the good address, I decided to poke the address with 1000.0 (00007A44h), and BAM! My car stopped smoking. From there I set a break on it, got into the car, and ran into a wall... and got this...
001F4608 jmp 001F4612
001F460A mulss xmm0,dword ptr ds:[391134h] <= Damage value into xmm register
001F4612 movss xmm1,dword ptr [ebx+4C0h] <= Health value into xmm register
001F461A subss xmm1,xmm0 <= Health-Damage
001F461E movss dword ptr [ebx+4C0h],xmm1 <= New Health
001F4626 cmp byte ptr ds:[4563F4h],0
EAX = 00000000 EBX = 00EED4F8 ECX = 00000000 EDX = 00000000
ESI = 00000384 EDI = 00000000 EIP = 001F4626 ESP = D0031D50
EBP = D0031D9C EFL = 00000246
To explain what's going on, basically it's taking a damage value, shoving it into an xmm register, taking my health value, shoving that into an xmm register, then it subtracts my health from the damage value, and then shoves it back into the health address.
So, I decided to see if it was shared with other cars, so I set 0x001F461A on execute. I then punched the car, and got a break. So... I now knew that this address was shared. With that being said, I decided to search for a static indicator (anything in [brackets] is health):
Not Controlled by me nor AI:
0x00EF2A30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 ff f0 12 f9 00 ...................??.?.
0x00EF2A48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cd cc 4c 3e 01 b4 00 00 ................??L>.?..
0x00EF2A60 00 50 00 be 00 57 22 3f 00 00 40 40 01 00 00 00 00 00 00 00 00 00 00 00 .P.?.W"?..@@............
0x00EF2A78 [00 00 7a 44] 00 00 00 00 00 00 00 00 00 00 00 00 10 03 18 0c 00 00 00 00 ..zD....................
0x00EF2A90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c bf ......................??
Controlled by me:
0x00EED970 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ff a0 18 f9 00 ...................? .?.
0x00EED988 00 00 00 00 68 a3 02 bd 00 00 00 00 00 00 80 3f 00 00 00 00 01 00 00 00 ....h?.?......??........
0x00EED9A0 80 50 00 c0 00 a3 83 3b 00 00 a0 40 02 0d 8f 3d 00 00 00 00 00 00 00 00 ?P.?.??;.. @..?=........
0x00EED9B8 [00 00 7a 44] 00 00 00 00 00 00 00 00 00 00 00 00 46 32 18 0c 00 00 00 00 ..zD............F2......
0x00EED9D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 45 3c .....................?E<
0x00EED9E8 5d 81 88 bf 95 fd e9 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]??????>................
0x00EED970 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ff a0 18 f9 00 ...................? .?.
0x00EED988 00 00 00 00 34 04 6f b7 00 00 00 00 00 00 80 3f 00 00 00 00 01 00 00 00 ....4.o?......??........
0x00EED9A0 80 50 00 c0 00 a3 83 3b 00 00 a0 40 01 0d 8f 3d 00 00 00 00 00 00 00 00 ?P.?.??;.. @..?=........
0x00EED9B8 [e4 d5 6e 44] 00 00 00 00 00 00 00 00 00 00 00 00 c0 47 18 0c 00 00 00 00 ??nD............?G......
0x00EED9D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 45 3c .....................?E<
0x00EED9E8 5d 81 88 bf 95 fd e9 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]??????>................
0x00EED970 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ff a0 18 f9 00 ...................? .?.
0x00EED988 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cd cc 4c 3e 01 00 00 00 ................??L>....
0x00EED9A0 80 50 00 c0 00 a3 83 3b 00 00 a0 40 00 0d 8f 3d 00 00 00 00 00 00 00 00 ?P.?.??;.. @..?=........
0x00EED9B8 [5a 47 67 44] 00 00 00 00 00 00 00 00 00 00 00 00 f0 6b 18 0c 00 00 00 00 ZGgD............?k......
0x00EED9D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 45 3c .....................?E<
0x00EED9E8 5d 81 88 bf 95 fd e9 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]??????>................
AI controlled:
0x00EF2A30 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 03 00 00 ff f8 17 f9 00 ...................??.?.
0x00EF2A48 00 00 00 00 f0 0e b4 be 00 00 00 00 0a 23 6c 3f 00 00 00 00 01 b4 00 00 ....?.??.....#l?.....?..
0x00EF2A60 00 50 00 be 00 57 22 3f 00 00 40 41 01 00 00 00 00 00 00 00 00 00 00 00 .P.?.W"?..@A............
0x00EF2A78 [00 00 7a 44] 00 00 00 00 00 00 00 00 00 00 00 00 86 95 18 0c 00 00 00 00 ..zD............??......
0x00EF2A90 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c3 41 00 c0 c3 41 00 00 8c bf .............??A.??A..??
0x00EF2AA8 00 80 d9 39 02 0b 8e 3f 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .??9..??................
0x00EE92C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ff f8 17 f9 00 ...................??.?.
0x00EE92E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3f 01 5a 00 00 ..................??.Z..
0x00EE92F8 00 f0 00 ff 00 00 00 00 00 00 00 00 01 89 ef c1 00 00 00 00 00 00 00 00 .?.?.........???........
0x00EE9310 [00 00 7a 44] 00 00 00 00 00 00 00 00 00 00 00 00 a8 a9 18 0c 00 00 00 00 ..zD............??......
0x00EE9328 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c3 41 00 c0 c3 41 00 57 13 42 .............??A.??A.W.B
0x00EE9340 c2 e8 d1 41 fa 4a ab 41 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ???A?J?A................
0x00EEA6F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ff f8 17 f9 00 ...................??.?.
0x00EEA710 00 00 00 00 00 88 2b bb 00 00 00 00 00 00 80 3f 00 00 00 00 01 aa 00 00 .....?+?......??.....?..
0x00EEA728 00 f0 00 3e 00 60 76 c0 00 00 00 00 01 64 ed 40 00 00 00 00 00 00 00 00 .?.>.`v?.....d?@........
0x00EEA740 [00 00 7a 44] 00 00 00 00 00 00 00 00 00 00 00 00 cb bd 18 0c 00 00 00 00 ..zD............?......
0x00EEA758 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c3 41 00 c0 c3 41 00 b9 93 00 .............??A.??A.??.
0x00EEA770 36 62 ee c0 8e 68 d8 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6b???h??................
So, I looked through these breaks and tried to find something static; unfortunately, nothing stayed the same or differentiated a player's car, a "still car" (which is just not controlled by player nor AI), or an AI's car.
Therefore, I did the next best thing... which was to look at the base (ebx) and see if anything there was static (anything in [brackets] is an indicator):
My Car:
0x00EFF980 80 00 40 80 80 50 00 10 80 00 00 30 00 00 00 00 00 00 04 00 00 00 00 00 ?.@??P..?..0............
0x00EFF998 00 00 00 00 00 80 00 00 80 00 00 00 00 00 00 10 00 00 00 02 00 00 00 00 .....?..?...............
0x00EFF9B0 90 ef 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 2a 0b 01 ??8................. *..
0x00EFF9C8 b0 2a 2d 01 a1 00 20 18 aa 31 26 02 c8 0e 56 00 00 00 00 00 0e fe 00 00 ?*-.?. .?1&.?.V......?..
0x00EFF9E0 00 00 00 00 00 00 [02] 00 00 00 c8 42 83 05 16 0c 02 02 00 10 00 00 00 00 ..........?B?...........
0x00EFF9F8 00 00 00 00 00 00 00 00 33 06 12 30 e0 5d 49 31 00 00 00 00 00 00 00 00 ........3..0?]I1........
0x00EEDEC8 10 00 40 89 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..@?....................
0x00EEDEE0 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 00 00 00 01 20 ..................?....
0x00EEDEF8 00 00 00 11 00 00 00 00 00 00 01 00 14 00 88 10 02 02 00 00 09 00 00 40 ..............?........@
0x00EEDF10 90 ef 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 1a 0b 01 ??8.................?...
0x00EEDF28 b0 20 2d 01 a1 00 20 18 34 6b 37 02 a0 00 56 00 00 00 00 00 bd a3 00 00 ? -.?. .4k7. .V.....??..
0x00EEDF40 00 00 00 00 00 00 [02] 00 00 00 c8 42 4e 85 16 0c 02 02 00 10 00 00 00 00 ..........?BN?..........
0x00EEDF58 00 00 00 00 00 00 00 00 03 5c a8 30 74 f5 0a 31 00 00 00 00 00 00 00 00 .........\?0t?.1........
0x00EEFD10 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 40 00 04 40 00 11 00 00 00 ...............@..@.....
0x00EEFD28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 ........................
0x00EEFD40 00 00 00 00 10 04 00 64 00 00 02 00 42 84 80 01 00 00 00 00 00 00 00 00 .......d....B??.........
0x00EEFD58 90 ef 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc 73 0b 01 ??8.................?s..
0x00EEFD70 b0 23 2d 01 a1 00 20 18 c8 2f 32 02 00 0b 56 00 00 00 00 00 74 2a 00 00 ?#-.?. .?/2...V.....t*..
0x00EEFD88 00 00 00 00 00 00 [02] a8 00 00 c8 42 8f ef 16 0c 02 02 00 10 00 00 00 00 .......?..?B??..........
0x00EEFDA0 00 00 00 00 00 00 00 00 25 d5 6d 30 9f 24 45 31 00 00 00 00 00 00 00 00 ........%?m0?$E1........
Still car:
0x00EE1F00 00 00 00 00 14 00 88 10 00 02 00 00 09 00 00 48 00 00 00 0c 00 00 00 80 ......?........H.......?
0x00EE1F18 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ..... ..........@.......
0x00EE1F30 10 00 48 02 02 00 20 04 00 50 08 00 50 00 80 00 00 20 00 08 00 20 00 00 ..H... ..P..P.?.. ... ..
0x00EE1F48 90 ef 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 84 0b 01 ??8.................4?..
0x00EE1F60 70 25 2d 01 81 00 20 18 a3 71 ea 01 f0 06 56 00 00 00 00 00 89 6f 00 00 p%-.?. .?q?.?.V.....?o..
0x00EE1F78 00 00 00 00 00 00 [22] 04 00 00 c8 42 b2 c5 0c 0c 02 00 00 10 00 00 00 00 ......"...?B??..........
0x00EE1F90 00 00 00 00 00 00 00 00 72 4a 59 39 cc a7 cf b7 00 00 00 00 00 00 00 00 ........rJY9??........
0x00EE14E8 00 00 00 00 08 00 00 00 21 20 00 02 20 00 00 00 00 20 10 11 00 64 22 c0 ........! .. .... ...d"?
0x00EE1500 04 40 42 10 00 08 00 00 00 04 01 00 00 40 00 80 00 00 00 00 00 00 00 00 .@B..........@.?........
0x00EE1518 00 00 00 00 04 00 00 48 00 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 .......H................
0x00EE1530 90 ef 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 b2 0a 01 ??8.................??..
0x00EE1548 b0 22 2d 01 81 00 20 18 73 44 b1 01 98 ff 55 00 00 00 00 00 71 8f 00 00 ?"-.?. .sD?.??U.....q?..
0x00EE1560 00 00 00 00 00 00 [22] 00 00 00 c8 42 4d de 0c 0c 02 00 00 10 00 00 00 00 ......"...?BM?..........
0x00EE1578 00 00 00 00 00 00 00 00 7a 08 b9 37 99 57 83 39 00 00 00 00 00 00 00 00 ........z.?7?W?9........
AI:
0x00EEC080 ff ff f7 ff ff 7f df bd ff ff ff ff ff fb ff ff 7f ff ff ff fd f7 ff ff ?????????????????????
0x00EEC098 be ff ff ff ff ff bf ef ff ff 7f ff f7 df ff ff fb ff bf ff ff ff ff ff ???????????????????????
0x00EEC0B0 77 df 7f ff 7f 7f ff bf ff be 57 ff ff ef bf 3d ff ff ff ff ff ff ff ff w??????W????=????????
0x00EEC0C8 90 ef 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 53 0b 01 ??8.................?S..
0x00EEC0E0 b0 26 2d 01 81 00 20 18 6f 6c 1e 02 00 06 56 00 00 00 00 00 7e 08 00 00 ?&-.?. .ol....V.....~...
0x00EEC0F8 00 00 00 00 00 00 [1a] 5f 00 00 c8 42 6f 7d 0c 0c 02 00 00 10 00 00 00 00 ......._..?Bo}..........
0x00EEC110 00 00 00 00 00 00 00 00 0a 04 b9 b8 54 ba 90 b9 00 00 00 00 00 00 00 00 ..........??T???........
My next thought was: 'Success! I'm done! All I need to do is set up a hook and within that hook do a compare (cmp dword ptr ds:[ebx+36h], 02h), and everything is set.'
But... as you could have imagined, this game was not going down without a fight. It turns out that I had just touched the tip of the iceberg. I found what changes the health when you crash, but what about even more crash addresses, bullets, explosions, and/or the car getting flipped upside down! Each way of taking damage practically had its own address(es)... here's what I found:
Crashes ALL cars:
001F4608 jmp 001F4612
001F460A mulss xmm0,dword ptr ds:[391134h]
001F4612 movss xmm1,dword ptr [ebx+4C0h]
001F461A subss xmm1,xmm0
001F461E movss dword ptr [ebx+4C0h],xmm1
001F4626 cmp byte ptr ds:[4563F4h],0
EAX = 00000000 EBX = 00EED4F8 ECX = 00000000 EDX = 00000000
ESI = 00000384 EDI = 00000000 EIP = 001F4626 ESP = D0031D50
EBP = D0031D9C EFL = 00000246
2nd Crash?:
001FCDE4 cmp eax,edi
001FCDE6 xorps xmm0,xmm0
001FCDE9 movss dword ptr [ebx+4C0h],xmm0
001FCDF1 mov word ptr [ebx+4DEh],di
EAX = 010B5644 EBX = 00EED4F8 ECX = D0031E98 EDX = 00000004
ESI = 00EED4F8 EDI = 00000000 EIP = 001FCDF1 ESP = D0031EB0
EBP = D0031EE4 EFL = 00000206
Explosion(0's out car):
002241EB call 00104C13
002241F0 jmp 00224278
002241F5 xorps xmm0,xmm0
002241F8 or eax,0FFFFFFFFh
002241FB movss dword ptr [ebx+4C0h],xmm0
00224203 call 00103118
EAX = FFFFFFFF EBX = 00EED4F8 ECX = 00EEDA04 EDX = 003677FA
ESI = 00EB7180 EDI = D0031BA8 EIP = 00224203 ESP = D0031B40
EBP = D0031B88 EFL = 00000286
2nd explosion?:
001F3932 movss xmm0,dword ptr [ebx+4C0h]
001F393A comiss xmm0,dword ptr ds:[390B7Ch]
001F3941 jbe 001F3953
001F3943 subss xmm0,dword ptr ds:[390698h]
001F394B movss dword ptr [ebx+4C0h],xmm0
001F3953 mov esi,ebx
EAX = 00000000 EBX = 00EED4F8 ECX = 00000000 EDX = 00EED53C
ESI = 00EEDA74 EDI = FFFFFFFF EIP = 001F3953 ESP = D0031EFC
EBP = D0031F50 EFL = 00000202
Bullet hit car:
002240B5 movss dword ptr [ebp-8],xmm0
002240BA subss xmm0,dword ptr [ebp+10h]
002240BF movss dword ptr [ebx+4C0h],xmm0
002240C7 je 002240DB
EAX = 00000005 EBX = 00EED4F8 ECX = 00EEDA04 EDX = 00000005
ESI = 00EB7180 EDI = D0031D3C EIP = 002240C7 ESP = D0031CD4
EBP = D0031D1C EFL = 00000206
Upside down:
001F3A60 jbe 001F3A65
001F3A62 movaps xmm0,xmm3
001F3A65 movss dword ptr [ebx+4C0h],xmm0
001F3A6D ucomiss xmm2,xmm3
EAX = 00000004 EBX = 00EF2FD0 ECX = 00000000 EDX = 00EF3014
ESI = 00EF30B0 EDI = 00000000 EIP = 001F3A6D ESP = D0031EF0
EBP = D0031F3C EFL = 00000203
2nd Upside down:
00102310 mov eax,esi
00102312 call 00103072
00102317 pop ecx
00102318 movss dword ptr [eax+4C0h],xmm0
00102320 push edi
EAX = 00EFD150 EBX = 006C8CD8 ECX = 00000000 EDX = 00000000
ESI = FFFFFFFF EDI = 00000000 EIP = 00102320 ESP = D0031FF0
EBP = D0032040 EFL = 00000246
For motorcycle crashes:
00203DCB subss xmm2,xmm0
00203DCF movss xmm0,dword ptr ds:[390654h]
00203DD7 comiss xmm0,xmm2
00203DDA movss dword ptr [esi+4C0h],xmm2
00203DE2 jb 00203DF1
EAX = 00EF5830 EBX = 00EB7180 ECX = 00000000 EDX = 00F3DD00
ESI = 00EF5830 EDI = 00000000 EIP = 00203DE2 ESP = D0031EDC
EBP = D0031EEC EFL = 00000203
Motorcycle ka-boom (when you crash and fall off, it auto-kills the cycle):
00203DE0 add byte ptr [eax],al
00203DE2 jb 00203DF1
00203DE4 comiss xmm1,xmm0
00203DE7 jbe 00203DF1
00203DE9 movss dword ptr [esi+4C0h],xmm0
00203DF1 pop ebx
EAX = 00EEF340 EBX = 00EB7180 ECX = 00000000 EDX = 00F89E58
ESI = 00EEF340 EDI = 00000000 EIP = 00203DF1 ESP = D0031EDC
EBP = D0031EEC EFL = 00000202
To fast forward, I basically created 8 hooks and 1 nop and a total of 14 compares (the Motorcycle ka-boom address was not comparing correctly even though the IDs matched the compares, so I had to kill it). However, instead of covering how I did all 8 hooks, I wanted to focus on the Upside down part because it caused the most trouble.
Basically, you have the IDs for the EBX base: 02 = player, 22 = still car, 1a = AI, but what happens when the car goes upside down... well now, for some odd reason, we have an additional ID.
So, I set a break on write on the health address, flipped the car over, and found all the addresses that were changing the health (each time I found one, I nopped it, until the car didn't explode).
For the first upside down address it was simple, the base was ebx and ebx only had two ID's: 02 I'm in the car and 22 I'm out.
So my hook looked like this:
hook6:
push ebp
getbase ebp
cmp Sel_Item1[ebp],1
jne isoff6
cmp byte ptr ds:[ebx+36h], 02h ; the compare to the IN CAR ID
jne check6
jmp isdone6
check6:
cmp byte ptr ds:[ebx+36h], 22h ; the compare to the OUT OF CAR ID
jne isoff6
jmp isdone6
isdone6: ;if the compare is good, it'll jump here and SKIP the address that moves the new health into our health address
pop ebp
push 001F3A6Dh
ret
isoff6:
movss dword ptr [ebx+4C0h],xmm0
pop ebp
push 001F3A6Dh
ret
So, my health will not change when I'm IN the car and when I bail out of it!
But... for some ODD reason, there was another address that, even though the first address was hooked, still killed the car:
00102310 mov eax,esi
00102312 call 00103072
00102317 pop ecx
00102318 movss dword ptr [eax+4C0h],xmm0
00102320 push edi
EAX = 00EFD150 EBX = 006C8CD8 ECX = 00000000 EDX = 00000000
ESI = FFFFFFFF EDI = 00000000 EIP = 00102320 ESP = D0031FF0
EBP = D0032040 EFL = 00000246
Now, instead of the EBX base, we have an EAX base. EAX worked the same way as EBX, but had an extra ID. It had: 02 = in car, 22 = out of car, 4a = 10-15 feet away from car. So instead of having just two compares, I had 3!
My hook looked like this:
hook7:
push ebp
getbase ebp
cmp Sel_Item1[ebp],1
jne isoff7
cmp byte ptr ds:[eax+36h], 02h ; compare IN car
jne check7
jmp isdone7
check7:
cmp byte ptr ds:[eax+36h], 4ah ; compare AWAY car
jne check78
jmp isdone7
check78:
cmp byte ptr ds:[eax+36h], 22h ; compare OUT car
jne isoff7
jmp isdone7
isdone7:
pop ebp
push 00102320h
ret
isoff7:
movss dword ptr [eax+4C0h],xmm0
pop ebp
push 00102320h
ret
The reason I was having such a hard time was because of the 4a. You had to stand a certain distance away before the 22 turned into a 4a. Also, the upside down was linked to a couple of other addresses, so I had to add some 22 (out of car) compares until it finally stopped exploding. I spent roughly 2 hours figuring out why the heck my car wouldn't stop exploding when it was upside down...
Now, if you're asking, "What was the point of this tutorial?" then the answer is simple: "How to continue past a break point when using XDKA", "How to set up multiple hooks and multiple compares for 1 option", and lastly my all-time favorite, "How much time and work 1 (ONE) option can take and how much code it takes to get the right effect."
In closing, with a few (12) more hooks and (1 nop) the invincible car is 100%! You can't take damage from crashes, from being upside down, bullets, explode from explosions (another car blows up, or you 'accidentally' shoot your car with a rocket or attach a satchel and blow it up), your tires won't pop, and you won't take VISUAL damage!
Hope that helped.
Enjoy.
Last edited by Hack0r on Wed Jul 25, 2007 12:18 am; edited 1 time in total
_________________
If we knew what it was we were doing it would not be called research, would it?
Albert Einstein
Hack0r/Evox-T
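Added example, not part of Hack0r's post and not a trainer: a Python script that reads the dump rows quoted in the post the way the hooks do, decoding the float at EBX+4C0h across the three "Controlled by me" snapshots (EBX = 00EED4F8 at the crash break, so EBX+4C0h = 00EED9B8) and the ID byte at EBX+36h, then applying hook7's compare chain to decide whether the damage write would be skipped. Two assumptions: in each base dump the ID byte (02, 22, 1a) sits at base+36h, which makes the base the row starting with the dword 90 ef 38 00 shared by all three dumps; and the rows below are copied from the post's dumps with the ASCII column dropped.

```python
import struct

# Offsets taken from the post's disassembly and hooks.
HEALTH_OFF = 0x4C0  # movss dword ptr [ebx+4C0h], xmm1 -> float32 vehicle health
ID_OFF = 0x36       # cmp byte ptr ds:[ebx+36h], 02h   -> vehicle "ID" byte
PROTECTED_IDS = {0x02, 0x22, 0x4A}  # hook7: 02 in car, 22 out of car, 4a away from car


def parse_dump(text):
    """Turn 'ADDR b0 b1 ... b23' rows into an {address: byte} map."""
    mem = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        row_base = int(tokens[0], 16)
        for i, tok in enumerate(tokens[1:25]):  # 24 bytes per row, as in the post
            mem[row_base + i] = int(tok, 16)
    return mem


def read_f32(mem, addr):
    """Little-endian float32, so the bytes 00 00 7a 44 decode as 1000.0."""
    return struct.unpack("<f", bytes(mem[addr + i] for i in range(4)))[0]


def hook_skips_write(mem, base):
    """Mirror of hook7's compare chain: the damage write is skipped (jump to
    isdone7) only when the ID byte at base+36h is one of the protected values."""
    return mem[base + ID_OFF] in PROTECTED_IDS


# Constructed from the three "Controlled by me" snapshots of the row at EBX+4C0h.
EBX = 0x00EED4F8
HEALTH_ROWS = [
    "0x00EED9B8 00 00 7a 44 00 00 00 00 00 00 00 00 00 00 00 00 46 32 18 0c 00 00 00 00",
    "0x00EED9B8 e4 d5 6e 44 00 00 00 00 00 00 00 00 00 00 00 00 c0 47 18 0c 00 00 00 00",
    "0x00EED9B8 5a 47 67 44 00 00 00 00 00 00 00 00 00 00 00 00 f0 6b 18 0c 00 00 00 00",
]

# One row from each EBX-base dump (my car, still car, AI). Assumed base: the row that
# starts with the shared dword 90 ef 38 00, which puts the ID byte exactly at base+36h.
ID_ROWS = {
    "my car":    (0x00EFF9B0, "0x00EFF9E0 00 00 00 00 00 00 02 00 00 00 c8 42 83 05 16 0c 02 02 00 10 00 00 00 00"),
    "still car": (0x00EE1F48, "0x00EE1F78 00 00 00 00 00 00 22 04 00 00 c8 42 b2 c5 0c 0c 02 00 00 10 00 00 00 00"),
    "AI car":    (0x00EEC0C8, "0x00EEC0F8 00 00 00 00 00 00 1a 5f 00 00 c8 42 6f 7d 0c 0c 02 00 00 10 00 00 00 00"),
}


def health_series():
    """Health at EBX+4C0h across the three snapshots: 1000.0, then two lower values."""
    return [read_f32(parse_dump(row), EBX + HEALTH_OFF) for row in HEALTH_ROWS]


def classify_vehicles():
    """(ID byte, would hook7 skip the damage write?) for each dumped base."""
    out = {}
    for name, (base, row) in ID_ROWS.items():
        mem = parse_dump(row)
        out[name] = (mem[base + ID_OFF], hook_skips_write(mem, base))
    return out
```

Running health_series() shows the poked 1000.0 falling to about 955.34 and then 925.11 across the three crashes, and classify_vehicles() shows only the player's car (02) and the still car (22) would be protected, while the AI car (1a) still takes damage.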