API tools faq
paste
Advertisement
dcomicboy

in depth god mode

dcomicboy
Feb 20th, 2012
116
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.87 KB | None | 0 0
raw download clone embed print report
  1. Hey everyone!
  2.  
  3. Today I'm going to teach you how to find "god-mode" (invulnerability to all attacks). Now, "god-mode" can be found in many ways using Cheat-Engine & there's really an infinite amount of methods you can use to get to achieve the same result but I'm going to show you what I believe to be the three main methods;
  4.  
  5. Knock-back/blink Exploitation (Most likely to work)
  6. HP Exploitation
  7. Collision Nullification (Requires usage of method #1)
  8.  
  9.  
  10.  
  11. 1. Knockback/blink exploitation
  12. In most games when you get hit there's a certain amount of time in which you're unable to get hit. When you're in a tight situation & if you were to stay in one the same location as many many monsters, you'd be barraged with constant hits. By implimenting a timer that makes you temporarily invulnerable it can also create a huge security flaw, this is because the timer can be frozen which can make users permenantly invunlrerable. (note: you'll have to take one hit for it to activate) The easiest method of finding an exploit for this in a game with a blink/knockback timer is to find the boolean or the variable that defines your state. This can be done with Cheat Engine but it requires speed/pausing the process. You can do the following:
  13.  
  14. 1. Stay in a stationary & safe position (away from anything that can force you to blink) & then search for an "Unknown Initial Value" with Cheat Engine.
  15. 2. Now go & get do something to get put into a blinking state then quickly search for a changed value.
  16. 3. Repeat 2-3 until you have a few addresses then check to see if they're triggered by going into that blinking state.
  17.  
  18. Now we should have some very useful addresses when it comes to the blinking state. There are usually two ways of setting the blink state as I said before. There may be a boolean (possibly a 0 when in an idle state & a 1 when blinking) or there may be a speed for the interval between blinking (usually increases when getting hit) you should freeze them when you're in the blinking state. You may have just discovered "blink god-mode" in your game!
  19.  
  20. If you've discovered the hack then congratulations However for those of you who have discovered that you disconnect when trying this there's probably a check to see if you always have the boolean/blink speed at the same value but don't fret! Although you may not be able to change the variable without disconnecting you can have the variable change and still stay in the blinking state. To do this we must do some memory editing (beware, some games check to see if the memory has been modified). Right click on the variable that you usually freeze & click "Find out what accesses this address". Now go & get hit then wait a few seconds... You should see a few things appear, we're hoping for an instruction with a MOV or a CMP. For any MOVs. We should look for an instruction which stores the value of the blink-state variable in a register. (so something alone the lines of MOV EAX, [400300]) Then after that there should be a TEST or a CMP which checks the register which the value of your blink-state is stored in. After that we'll be looking for a condition jump like JNE, JE, JA, etc. Here's an example of what we'll be looking for:
  21. Code:
  22. MOV EAX, [400300] // Moves the value of the blink-state into the EAX register
  23. CMP EAX, 0 // Checks to see if the blink-state is true (in boolean values, 1 usually = true). It may skip the MOV & just CMP [400300], 0
  24. JNE 400400 // Jumps if blink-state is true
  25.  
  26. As you can see, this will check if the value of your blink-state is 0 (example of a boolean check) and if it isn't 0 (disabled) it will jump to the "blink activator". Now, how do we fix this?! Well, in this case we turn the JNE into a JMP or we can make the EAX (in the CMP or the MOV) a 0 by setting a debug register. This may vary in other cases but you get my drift, it involves changing the jump or the CMP. (CMP is much better because changing jumps can be dangerous)
  27.  
  28.  
  29.  
  30. 2. HP Exploitation
  31. Well this is a bit easier but less likely to work because it's much more orthodox & generic to check the client's HP value to that of the server. There are many ways of doing this;
  32. Stop HP From Changing
  33. Stop Death Sequence From Occuring
  34. Decrease Damage Taken
  35.  
  36. i) Stop HP From Changing
  37. This is pretty straight forward, simply look for your HP value then freeze it (note: there may be a few, some for GUI elements [HP bar, etc] & the real one)
  38.  
  39. ii) Stop Death Sequence From Occuring
  40. Well, you can look for a CMP or a MOV;
  41. Code:
  42. MOV EAX, [600300] // Moves HP value into EAX,
  43. CMP EAX, 0 // Compares HP to 0, can skip MOV by doing CMP [600300], 0
  44. JE 600700 // Death Sequence
  45.  
  46. As shown, the HP is compared to 0 and it will jump to the death sequence if the HP is equal to 0. Another way of doing this is to check for a boolean for death and then freezing it.
  47.  
  48. iii) Decrease Damage Taken
  49. Two methods:
  50. The first method involves the following following: Get hit then search for the damage that you had just taken, then get hit again and do it again. You should end up with a value, freeze it at 0. (This may result in a "miss-mode" effect)
  51. The second method involves looking for what reads to the HP address and then looking for some kind of decrease which will eventually bring apon the DEC operand, look for something like this;
  52. Code:
  53. MOV EAX, [500300] // Moves value of HP into EAX register
  54. SUB EAX, ECX // Subtracts ECX from EAX
  55.  
  56. You can easily combat this by changing ECX into a 0 or using a deub-register to change the value of ECX into 0. Hopefully now you'll have a working damage reduction hack
  57.  
  58.  
  59.  
  60. 3. Collision Nullification
  61. This is probably the best variant of god-mode because it stops you from getting hit at all simply due to the fact you don't collide with the monsters in the first place. The concept revolves around the idea that there's a boolean to see if you're currently in contact with a monster & if so it initiates the damage calculation. We combat this by trying to find the boolean then freezing it or manipulating it. We can find the boolean by doing the following;
  62.  
  63. 1. Stay in a stationary & safe position (away from anything that can hit you) & then search for an "Unknown Initial Value" with Cheat Engine.
  64. 2. Now go & stand on/over a monster then quickly search for a changed value.
  65. 3. Repeat 2-3 until you have a few addresses then check to see if they're triggered by touching monsters.
  66.  
  67. After this we'll have a value that we may be able to freeze to achieve a state in which we don't get hit We can also do this by changing a CMP/TEST or a conditional jump, we should look for something like the following:
  68.  
  69. Code:
  70.  
  71. MOV EAX, [430100] // Address storing boolean for contact with monster
  72. CMP EAX, 1 // Checks if you are touching a monster, can be CMP [430100], 1
  73. JE 400100 // The code to initiate damage calcuation
  74.  
  75.  
  76. We can stop this from jumping by NOPing it (making the jump a no-operation instruction). This will potentially result in a god-mode
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!