
A study of someone else's cheat for FarCry 4

Not so long ago I bought the game FarCry 4 and liked it right away. Over time I wanted to dig deeper into the guts of this game and write a cheat for it.

After poking around in the game a little with a debugger, I quickly worked out how to implement the following functions: infinite ammo, shooting without reloading, player teleportation, rate of fire, and removing recoil. I also learned how to increase the height of the player's jump. But when I started looking for a way to make the player immortal (it seemed to me there would be nothing difficult about it), difficulties arose.

To begin with, using Cheat Engine, I found the address of the character's health and set a write breakpoint on it. That found the instruction that changes health. Naturally, as in most games, this one instruction is responsible for changing the health of every character in the game, whether enemies, allies, or even vehicles (cars, airplanes). It is not the first time I have solved a problem like this, and I know what needs to be found: something that distinguishes the player from, say, a car or an enemy, so that I can inject code and add a check before the modifying instruction. As a result, the instruction is executed for all objects except the player.

But I spent several days searching for this difference, and all in vain. I could not find any clue as to how to distinguish anything in the game from the player. However, I did not despair and decided to take a not entirely honest route: simply "peek" at how other cheats that have an immortality function do it.
I started searching the Internet for FarCry 4 cheats and found one for the latest version of the game, 1.9. I downloaded it, and the antivirus raised the alarm. The next cheat I downloaded did not work, but the antivirus did not complain about it. The third cheat I downloaded seemed to be virus-free and working.

First of all, I decided to check the cheat's executable file with PEiD.



As you might guess, the message "Not a valid PE file" does not bode well. It means that packers, protectors, and other vermin have had their way with it. But it is not all that bad, because we do not want to modify this file; it is completely free and distributed freely. All we need to know is where this cheat reads from, what it reads, and where it writes.

To write data into another process there is the WinAPI function WriteProcessMemory, and for reading there is ReadProcessMemory. Now we will check whether the great and mighty protection of this cheat can stand up to an API monitor. It did hold out against OllyDbg: when I tried to open the file in that debugger, it said it did not want to work with invalid files.

We start the game and launch the cheat under the control of the API monitor. The API monitor, as it turned out, had no complaints about this file. Now let's check whether it intercepts calls to the two functions we need. To do this, activate immortality in the cheat and look at the result.



First, the cheat read one byte from the game's memory, and then it made three writes. On the first call it wrote 5 bytes, on the second 21 bytes, and on the third 5 bytes again. If you think about it a little, you can guess what is what: first the original instruction is replaced with an unconditional jump, then the 21-byte code is written to the address the jump leads to, and finally an unconditional jump back to the next instruction, the one located right after the original (health-changing) instruction, is appended to the end of this code.

However, in fact I guessed right only about the second and third calls; in the first call, at FC64.FCE_Engine_GetCloudTypeCount + 21F923, the following instruction was written:
comiss xmm9, [rbx + 0C]

Below is an image of the main code, which is written in the second call to WriteProcessMemory.
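The write pattern described above (a 5-byte jump out of the original instruction, a block of new code, and a 5-byte jump back) is something an anti-cheat or an analyst can recognise mechanically in a trace of WriteProcessMemory calls. The following Python is an added example, not code from the post or from the cheat; the trace it analyses is constructed with made-up addresses and bytes, and it assumes the monitor reports each call's target address and payload.

```python
import struct
from collections import namedtuple

# One logged call in the shape an API monitor reports (constructed, not a real log format).
MemCall = namedtuple("MemCall", "api address data")  # api, address in the game, bytes read/written

def rel32_target(addr, code, off=0):
    """Absolute target of an E9 rel32 jmp found at code[off:], or None if there is no jmp there."""
    if len(code) - off < 5 or code[off] != 0xE9:
        return None
    return (addr + off + 5 + struct.unpack_from("<i", code, off + 1)[0]) & (2**64 - 1)

def jmp_rel32(src, dst):
    """Encode 'jmp dst' for placement at src; used here only to build the sample trace."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def find_detour_hooks(calls, max_displaced=15):
    """Flag 5-byte writes that jump to freshly written code which then jumps back
    just past the patched site. Returns (patched_addr, cave_addr, return_addr) tuples."""
    image = {}                                   # sparse {address: byte} view of everything written
    for c in calls:
        if c.api == "WriteProcessMemory":
            for i, b in enumerate(c.data):
                image[c.address + i] = b
    hooks = []
    for c in calls:
        if c.api != "WriteProcessMemory" or len(c.data) != 5:
            continue
        cave = rel32_target(c.address, c.data)
        if cave is None:
            continue                             # a 5-byte write that is not a jmp (e.g. a restore)
        code = bytearray()                       # contiguous bytes the cheat wrote at the jump target
        while cave + len(code) in image and len(code) < 64:
            code.append(image[cave + len(code)])
        for off in range(len(code)):             # look for the jump back to just after the patch
            back = rel32_target(cave, code, off)
            if back is not None and c.address + 5 <= back <= c.address + 5 + max_displaced:
                hooks.append((c.address, cave, back))
                break
    return hooks

# Constructed sample: one read and three writes (5/21/5 bytes) like the post's trace,
# but every address and byte value here is made up, not taken from the game.
SITE = 0x7FF6A021F923               # the health-changing instruction being patched
CAVE = 0x7FF6A0F00000               # where the 21-byte replacement code is placed
ORIGINAL = b"\x44\x0F\x2F\x4B\x0C"  # encoding of comiss xmm9,[rbx+0Ch]
TRACE = [
    MemCall("ReadProcessMemory", SITE, ORIGINAL[:1]),
    MemCall("WriteProcessMemory", CAVE, ORIGINAL + b"\x90" * 16),               # 21 bytes of cave
    MemCall("WriteProcessMemory", CAVE + 21, jmp_rel32(CAVE + 21, SITE + 5)),  # jmp back
    MemCall("WriteProcessMemory", SITE, jmp_rel32(SITE, CAVE)),                # jmp into cave
]
```

Running `find_detour_hooks(TRACE)` yields the single detour SITE -> CAVE -> SITE+5; a 5-byte write of the original instruction on its own is not flagged.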



I did not work out in detail how this cheat makes the player immortal. I decided simply to copy this algorithm and add it to my own cheat.

I would also like to add my personal opinion about trainer-type cheats. I believe it is almost impossible to protect such cheats from being cracked, since their weakness is well known: in any case they must call the WinAPI functions WriteProcessMemory and ReadProcessMemory, and no matter how the data is encrypted inside them, it arrives at these functions in plain form. I would also say that if you are going to write serious cheats with unique functionality, it is better to implement them as a DLL that is injected into the process when the game starts; then the addresses will not be so easy to find.

If the trainer is compiled for .NET, the API monitor will refuse to work with it. In that case you can set breakpoints on WriteProcessMemory and ReadProcessMemory in a debugger, and when one triggers, look at the contents of the stack and extract from there the address to which the data will be written.

What I wrote above is my personal opinion; some may agree with it and some may not. I hope you enjoyed this article.

I do not advise you to "copy-paste" functionality from other cheats, since you gain no experience that way. Besides, creating cheats this way is no fun.

Source: https://habr.com/ru/post/258055/
