[Tutorial][PS2] Gun shoots automatically with AI/player in crosshairs
    Introduction:
    The code in this tutorial automatically fires the player's weapon whenever an AI (or another player) enters the crosshairs.

    The game in this tutorial: 25 to Life
    System: PS2

    How the code works:
    - The game keeps a flag that says whether something is under the crosshairs: 0 means no AI is in the crosshairs, 1 means an AI is.
    - Our hook reads that flag and, depending on its value, either disables the game's "should the weapon fire?" check (so the gun fires) or restores it (so the gun stops).

    Now let's take a look at the source
    Code:
    //preserve ra (8-byte frame, 64-bit store)
    addiu sp, sp, $fff8
    sd ra, $0000(sp)
    
    
    //v0 holds the crosshairs flag just loaded at 0x0014df78: 0 = nothing targeted, 1 = AI targeted
    //t0 = upper half of FIRE_WEAPON (0x001a3dcc)
    lui t0, $001A
    beq v0, zero :DO_NOT_SHOOT
    nop
    
    //Force player to fire weapon: overwrite the FIRE_WEAPON branch with 0x00000000 (nop)
    sw zero, $3DCC(t0) 
    beq zero, zero :END
    nop
    
    
    DO_NOT_SHOOT:
    
    //restore the original FIRE_WEAPON instruction (0x14430007) so the gun stops firing
    lui t1, $1443
    addiu t1, t1, $0007
    sw t1, $3DCC(t0)
    
    
    
    END:
    
    ld ra, $0000(sp)
    jr ra
    addiu sp, sp, $0008
    
    //hook: the jal overwrites the branch at 0x0014df7c and calls the function above;
    //the instruction at 0x0014df80 runs in the jal's delay slot before our function does
    address $2014df7c
    jal $000a0200

    Pseudocode
    Code:
    IF AI_IN_PATH_OF_CROSSHAIRS = 1 THEN
    	
    	FIRE_WEAPON;
    ELSE
    	DO_NOT_FIRE_WEAPON;
    END



    How to hack the code:

    PART 1: Crosshairs
    First we need to find the value that tells the game whether an AI is in front of the crosshairs. Load the game (or a game of your choice) and put your crosshairs on an AI. Start an unknown-value scan with a 4-byte width (use 1 or 2 bytes if the game turns out to store it smaller) in the debugger of your choice. Now move the crosshairs away from the AI and scan for changed values. With the crosshairs still pointing away from all AI, scan for unchanged values. That second pass eliminates the vast majority of results that change on their own (timers, DMA buffers and the like). Repeat the changed/unchanged cycle until only a few results are left.

    Test the remaining results by pointing the crosshairs at the AI and checking that the value flips consistently (usually between 0 and 1). If it does, you have found the address. Next we need to know which instruction uses that address: set a read/write breakpoint on it in your debugger and aim the crosshairs at the AI. The breakpoint lands on the instruction that loads the value.

    If you are using 25 to Life for this tutorial then you should have found this address:
    0x0014df78
    The data for it is:
    lw v0, $00dc(s1)

    I set a breakpoint on this address to make sure it was loading a 0 or 1 in to v0.

    Once we know that v0 is in fact loading 0 or 1, we can look for a branch on v0, which happens to be the very next instruction. We will overwrite that branch with the hook to our function.


    What we know so far:
    Address 0x0014df78 loads 0 or 1 into v0 to show whether an AI is in front of the crosshairs.
    Address 0x0014df7c is a branch that checks v0, so we will use it as the hook to our function.




    PART 2: Fire weapon
    Now we need a way to fire the weapon without pressing the fire button. You can try the scanning method from PART 1, but it rarely works for firing a weapon. Instead, start from the ammo deduction function. Begin an unknown 4-byte value scan in game, fire the weapon a couple of times, then scan for a decreased value. Repeat until you have a few results. Now find out what is writing to that address.

    You should come to this address: 0x001a4628 (it will be different if you are using a different game)
    Go to the start of the function and find the pointer (or pointer/referral, depending on the game), which should be: 0x0063522c

    You will now see many pointers in this area. Working out what each function does takes a lot of testing, so I highly suggest using an emulator with save states. You will need to go above and below the pointer and check the other functions, either by reading through their strings (if they have any) or by disabling them and seeing what happens.

    After a while of testing you should find this address: 0x006351b4
    This address points to: 0x001a3d90
    Follow this function: its first branch checks whether the weapon is supposed to fire. Disable the branch (overwrite it with 0x00000000, a nop) and the weapon fires constantly. Restore the original data and the weapon stops firing. If so, this address will work. If not, keep looking through the function.

    What we know so far:
    Address 0x001a3dcc holds the branch (original instruction 0x14430007) that checks whether the weapon is supposed to fire. Disabling it forces the weapon to fire.




    PART 3: Writing the function
    All we need to do now is write the function. Here's how we will do it:

    Addresses:
    0x0014df78 = CROSSHAIRS. Loads 0 or 1 into v0.
    0x0014df7c = HOOK. The branch right below CROSSHAIRS.
    0x001a3dcc = FIRE_WEAPON. The branch that determines whether the gun is firing.

    1: Overwrite HOOK (0x0014df7c) with a jump-and-link to our function, which we can write at 0x000a0200. Keep in mind that the jal replaces the game's own branch at that address, and the instruction after it runs in the jal's delay slot before our function does.
    2: Create a stack frame to preserve the return address (this may not apply to the game you are hacking, depending on where you hook).
    3: Check whether v0 equals 0. If it does, write the original data (0x14430007) back to FIRE_WEAPON. If it does not, write zero (a nop) to FIRE_WEAPON. The function uses t0 and t1 as scratch registers without saving them, so check that the code around the hook does not still need their values.
    4: (Only if you created a stack frame) load the return address from the stack and return to the original CROSSHAIRS function.




    Your function should be very close to this:

    Auto Shoot
    200A0200 27BDFFF8 --create stack
    200A0204 FFBF0000 --store RA in stack
    200A0208 3C08001A --load upper half of FIRE_WEAPON
    200A020C 10400004 --Check if v0 = 0
    200A0210 00000000
    200A0214 AD003DCC ----If v0 != 0 then; save zero in to FIRE_WEAPON
    200A0218 10000004 ----branch to end
    200A021C 00000000
    200A0220 3C091443 ----If v0 = 0 then; save 0x14430007 data in to FIRE_WEAPON
    200A0224 25290007 ---- ""
    200A0228 AD093DCC ---- ""
    200A022C DFBF0000 --restore RA
    200A0230 03E00008 --jump to RA
    200A0234 27BD0008 --pop stack
    2014DF7C 0C028080 --Hook to 0x000A0200


    I'm taking tutorial requests.
    Last edited by Harry62; 01-30-2015, 08:42:30 PM.
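The narrowing procedure from PART 1 and PART 2 (unknown-value scan, then changed / unchanged / decreased passes between snapshots) as an added worked example in Python. This is not part of Harry62's post and is not any debugger's code. It runs over constructed 28-byte RAM snapshots in which offset 0x08 plays the crosshairs flag and 0x0C the ammo count; the other fields (frame counter, tick counter, a parity bit that toggles on its own, two constants) are assumed noise of the kind a real game also has.

```python
"""Simulated unknown-value memory scan: the narrowing passes from PART 1
(changed / unchanged) and PART 2 (decreased) run over constructed RAM
snapshots. Added example; not part of the original post."""
import struct

WORD = 4   # scan width; the post notes some games need 1 or 2 bytes


def words(snapshot):
    """Split a little-endian snapshot into {offset: 32-bit value}."""
    return {off: struct.unpack_from("<I", snapshot, off)[0]
            for off in range(0, len(snapshot) - WORD + 1, WORD)}


# Predicates for one narrowing pass: (value in previous snapshot, value now).
def changed(old, new):
    return new != old


def unchanged(old, new):
    return new == old


def decreased(old, new):
    return new < old


def narrow(candidates, before, after, predicate):
    """Keep only the candidate offsets whose value satisfies predicate
    between two consecutive snapshots."""
    b, a = words(before), words(after)
    return {off for off in candidates if predicate(b[off], a[off])}


def search(snapshots, passes):
    """Unknown-value scan on snapshots[0], then one narrowing pass per
    consecutive pair: passes[i] is applied between snapshots[i] and [i+1]."""
    assert len(passes) == len(snapshots) - 1
    cands = set(words(snapshots[0]))
    for i, pred in enumerate(passes):
        cands = narrow(cands, snapshots[i], snapshots[i + 1], pred)
    return sorted(cands)


# Constructed 28-byte RAM window (hypothetical layout, not the game's):
#   0x00 frame counter   0x04 constant        0x08 crosshairs flag   0x0C ammo
#   0x10 tick counter    0x14 frame parity (toggles on its own)      0x18 zero
def make_snapshot(frame, aiming, ammo):
    return struct.pack("<7I", frame, 0x00400000, int(aiming), ammo,
                       frame * 16, frame & 1, 0)


def find_crosshairs_flag():
    """PART 1: aim at the AI, look away (changed), stay away (unchanged)."""
    snaps = [make_snapshot(0, True, 30),
             make_snapshot(1, False, 30),
             make_snapshot(2, False, 30)]
    return search(snaps, [changed, unchanged])


def find_ammo_counter():
    """PART 2: fire twice, scanning for a decreased value after each shot."""
    snaps = [make_snapshot(3, False, 30),
             make_snapshot(4, False, 29),
             make_snapshot(5, False, 28)]
    return search(snaps, [decreased, decreased])


if __name__ == "__main__":
    print("crosshairs flag candidates:", [hex(o) for o in find_crosshairs_flag()])
    print("ammo counter candidates:", [hex(o) for o in find_ammo_counter()])
```

The parity field shows why the post says to repeat the cycle: after a single "decreased" pass it survives alongside the real ammo counter (it happened to go from 1 to 0), and only the second shot eliminates it. The "unchanged while still looking away" pass is what throws out everything that changes every frame regardless of aim.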
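To check the machine-code listing in PART 3 against the assembly source, here is a small two-pass assembler for just the instructions the hook uses, as an added example that is not part of the original post or of any PS2 tool. It resolves the labels into branch offsets, encodes the jal, and prints raw 32-bit-write lines (20XXXXXX YYYYYYYY) in the same format as the listing above. The colon-prefixed label syntax and `$`-prefixed hex immediates are the post's own; the address 0x000A0200 for the function body and 0x0014DF7C for the hook are taken from the post.

```python
"""Two-pass assembler for the handful of MIPS (PS2 EE) instructions the
auto-shoot hook uses, emitting raw 32-bit-write cheat lines (20XXXXXX YYYYYYYY).
Added example; not part of the original post."""
import re

REGS = {n: i for i, n in enumerate(
    "zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
    "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra".split())}

# Primary opcode field for each immediate/memory/jump instruction used here.
OPCODE = {"addiu": 0x09, "lui": 0x0F, "sw": 0x2B, "sd": 0x3F, "ld": 0x37,
          "beq": 0x04, "jal": 0x03}


def imm(tok):
    """'$fff8' is hex in the post's syntax; also accept 0x.. and decimal."""
    return int(tok[1:], 16) if tok.startswith("$") else int(tok, 0)


def mem(tok):
    """'$3DCC(t0)' -> (offset, base register number)."""
    off, base = re.fullmatch(r"(\S+)\((\w+)\)", tok).groups()
    return imm(off), REGS[base]


def encode(mnem, args, pc, labels):
    """Encode one instruction located at pc; labels maps name -> address."""
    if mnem == "nop":
        return 0
    if mnem == "lui":
        return (OPCODE[mnem] << 26) | (REGS[args[0]] << 16) | (imm(args[1]) & 0xFFFF)
    if mnem == "addiu":                        # addiu rt, rs, imm
        rt, rs, k = REGS[args[0]], REGS[args[1]], imm(args[2])
        return (OPCODE[mnem] << 26) | (rs << 21) | (rt << 16) | (k & 0xFFFF)
    if mnem in ("sw", "sd", "ld"):             # op rt, off(base)
        off, base = mem(args[1])
        return (OPCODE[mnem] << 26) | (base << 21) | (REGS[args[0]] << 16) | (off & 0xFFFF)
    if mnem == "beq":                          # offset counted from the delay slot
        off = (labels[args[2].lstrip(":")] - (pc + 4)) >> 2
        return (OPCODE[mnem] << 26) | (REGS[args[0]] << 21) | (REGS[args[1]] << 16) | (off & 0xFFFF)
    if mnem == "jr":                           # SPECIAL opcode, funct 8
        return (REGS[args[0]] << 21) | 0x08
    if mnem == "jal":                          # 26-bit word index of the target
        return (OPCODE[mnem] << 26) | ((imm(args[0]) >> 2) & 0x03FFFFFF)
    raise ValueError(f"unsupported mnemonic: {mnem}")


def assemble(source, base):
    """Return [(address, word)] for source placed at base. Pass 1 assigns
    label addresses ('NAME:' on its own line), pass 2 encodes; '//' starts a comment."""
    labels, items, pc = {}, [], base
    for raw in source.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = pc
            continue
        mnem, *args = re.split(r"[,\s]+", line)
        items.append((pc, mnem, args))
        pc += 4
    return [(pc, encode(m, a, pc, labels)) for pc, m, a in items]


def raw_codes(words):
    """Format (address, word) pairs as raw 32-bit-write cheat lines."""
    return [f"{0x20000000 | addr:08X} {w:08X}" for addr, w in words]


def is_branch(word):
    """True for beq/bne: the sanity check for PART 2 before nopping an instruction."""
    return (word >> 26) in (0x04, 0x05)


# The function from the post, verbatim apart from comments.
AUTO_SHOOT = """
addiu sp, sp, $fff8
sd ra, $0000(sp)
lui t0, $001A
beq v0, zero :DO_NOT_SHOOT
nop
sw zero, $3DCC(t0)
beq zero, zero :END
nop
DO_NOT_SHOOT:
lui t1, $1443
addiu t1, t1, $0007
sw t1, $3DCC(t0)
END:
ld ra, $0000(sp)
jr ra
addiu sp, sp, $0008
"""


def build_cheat():
    """Function body at 0x000A0200 followed by the hook at 0x0014DF7C."""
    return raw_codes(assemble(AUTO_SHOOT, 0x000A0200) +
                     assemble("jal $000a0200", 0x0014DF7C))


if __name__ == "__main__":
    print("\n".join(build_cheat()))
```

Running it reproduces the fourteen 200A02xx lines and the 2014DF7C 0C028080 hook line exactly, which is the quickest way to catch an off-by-one branch offset or a mis-shifted jal target when you adapt the function to another hook address. `is_branch(0x14430007)` confirms that the original FIRE_WEAPON word is a bne before you replace it.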

  • #2
    Nice! I've never had this idea for a code, very impressive.

    THE BAD GUY!!!!!!

    • #3
      What else is nice is that you can now take that and do a lot more with it. Now that you have found a player at your crosshairs, maybe store that player pointer somewhere and use it later for a different routine.
      Last edited by S2renegade; 02-01-2015, 01:50:36 PM.
