Announcement

**Helder** · 02-10-2015, 08:21:08 PM

Are you hacking ASM or can you? If so the it all depends on how the game is programed, an example would be a conditional that branches to the enemy or player routine and simple make it so it always branches to the enemy. You would need to find Ram codes for health for enemy and player then put a breakpoint on each to see if it's a shared routine.

**lijian1** · 02-10-2015, 09:08:11 PM

Yes, I can hack ASM. In fact the codes that I posted are only ASM codes or ROM patch codes. I was able to hack them thanks to Kenobi's tutorial on ASM GBA hacking.

I have been trying to make this code for a fews days now. Anyway, OK I'll give it a try.

**lijian1** · 02-17-2015, 11:32:38 PM

I backtraced it and here are the results. The lines that are dashed are the addresses that call the next function up the chain of calls. The most top calls are the most recent like a stack.

When enemy attack on successful contact
-----------------------------------------
089B4350
-089A1104
089A0FB0
-089B3C60
089B37F0
-089A1738
089A16DC
-0889BBE4
0889BB10
-088BA734
088BA6B8
-0897C108
0897A49C

When player attack on successful contact
----------------------------------------
089B4350
-089A9CA4
089A9C80
-089D0FC4
089D0F38
-089D2D38
089D296C
-089D2FD4
089D2DBC
-089D3D78
089D3A40
-089B3864
089B37F0
-089A1738
089A16DC
-0889BBE4
0889BB10
-088BA734
088BA6B8
-089CC8BC
089CC880

It seems that sometimes they both do share the same subroutine and take the same or different branches. But I have tested it them all with and without changes to the registers and it doesn't seem to work. I can verify it by checking the a0 register when sub_089B4350 gets called. For it to work a0 must be the pointer to the enemy and not the player. And changing it won't work because the enemy and player pointers are dynamic not static plus not enough space to make changes unless I used a code cave.

Anyway sub_089D0F38 it where the pointer to enemy get calculated. And sub_0889BB10 is where the pointer to the player gets calculated. So based on the function call chain. It seem that the player pointer always get calculated
way before the enemy even though the player attack first.

So based on that I was able to create this code: 0x001A1100 0x8FA40040. When the enemy attack the player, the enemy will always take the damage. It's working, but no visual effects are shown. Unlike this code

8004889E 8E13
800488D2 0260
800488EA 2400

by Jackel for Marvel VS. Capcom: Clash of The Superheroes.

On the plus side I was also able to create these additional codes for Alien vs. Predator - Requiem.

_C1 Hit anywhere
_L 0x001D2C5C 0x46020101
_C1 Hit anywhere one hit kill
_L 0x001D2C5C 0x46020101
_L 0x001D2C68 0x00000000
_L 0x001D2C78 0x00000000
_L 0x001D2C98 0x00000000

Any ideas? I really need help on make this code with damage visual effect.

**Abystus** · 02-18-2015, 04:25:28 PM

It shouldn't matter that the player and enemy structures are dynamic as the registers will always reflect their current location in memory (they are loaded via pointer into the registers). Just find a spot where the enemy's structure pointer (that attacked) is still loaded in a register (should somewhere before the decrease to health routine is called, though most likely right after your hit anywhere addresses), and then overwrite the player structure address register with the enemy structure register value (may take a tiny custom sub routine if you don't have space). The only glitch that may happen from this is that when you attack the enemy it may reflect the attack on the player. If this is the case, find a unique identifier in the player structure that differentiates it from the enemy structure (usually an offset value you can check against before making the swap in your custom sub routine). In summary, just copy the enemy structure register value into the player structure register before the initial call to decrease the HP and you're done (the rest should follow suit with no modifications to the path the code takes). Here is my quickly whipped up proof of concept example for you (no optimizations to the asm were made due to this being a simple example to follow):

Param Setup Before Call To Damage Routine (As Seen In Debugger):

Enemies Hit Themselves Example (PC - Cheat Engine Script):

Code:

[COLOR="#0000FF"]//|******** Author: Abystus *********|
//|********** Game: BoneTown ********|
//|********* Build: 1.1.1.0 *********|[/COLOR]

[COLOR="#006400"][B][ENABLE][/B][/COLOR]
[COLOR="#0000FF"]//Allocate space for custom routine[/COLOR]
alloc([COLOR="#800080"][B]newmem[/B][/COLOR],2048)

[COLOR="#0000FF"]//Scan to find location for modifications[/COLOR]
aobscanmodule(EnemiesHitThemselves, BoneTown.exe, 83 EC 40 56 57 8B 7C 24 4C 8B 07 50 8B F1)

[COLOR="#0000FF"]//Register symbol for location[/COLOR]
registersymbol(EnemiesHitThemselves)

[COLOR="#0000FF"]//Initialize Exit location[/COLOR]
label(exit)

[COLOR="#0000FF"]//Handle splitting of shared routine[/COLOR]
[COLOR="#800080"][B]newmem[/B][/COLOR]:
mov eax,[edi]           [COLOR="#0000FF"]//(Original) Load attacker structure pointer into eax (attacker)[/COLOR]
push eax                [COLOR="#0000FF"]//(Original) Push eax to stack (attacker)[/COLOR]
mov esi,ecx             [COLOR="#0000FF"]//(Original) Load attacked structure pointer into esi (attacked)[/COLOR]
cmp [esi+1C], C8        [COLOR="#0000FF"]//(Custom)   Test for player (player structure identifier offset at 0x1C)[/COLOR]
jne exit                [COLOR="#0000FF"]//(Custom)   Player not found, exit routine[/COLOR]
mov esi,eax             [COLOR="#0000FF"]//(Custom)   Player has been attacked, replace with attacker structure pointer (attacked)[/COLOR]
jmp exit                [COLOR="#0000FF"]//(Custom)   Exit routine[/COLOR]

[COLOR="#0000FF"]//JMP to Custom Routine[/COLOR]
EnemiesHitThemselves+09:
jmp [COLOR="#800080"][B]newmem[/B][/COLOR]
exit:

[COLOR="#FF0000"][B][DISABLE][/B][/COLOR]
[COLOR="#0000FF"]//Restore Original Instructions[/COLOR]
EnemiesHitThemselves+09:
mov eax,[edi]           [COLOR="#0000FF"]//Load attacker structure pointer into eax (attacker)[/COLOR]
push eax                [COLOR="#0000FF"]//Push eax to stack (attacker)[/COLOR]
mov esi,ecx            [COLOR="#0000FF"] //Load attacked player structure pointer into esi (attacked)[/COLOR]

[COLOR="#0000FF"]//Unregister symbol[/COLOR]
unregistersymbol(EnemiesHitThemselves)

[COLOR="#0000FF"]//Deallocate custom routine[/COLOR]
dealloc([COLOR="#800080"][B]newmem[/B][/COLOR])

Enemies Hit Themselves (Script In Action) *Note: Yes, I know it looks like they are headbutting me, but what is being seen is their attacks (punches) reflecting back upon them.*

**lijian1** · 02-24-2015, 02:15:17 AM

Thanks for the proof of concept example and info Abystus. Somehow some games are easy to hack and some are a little hard to hack for making this kind of code. This game have each its own wrapper functions for each of the different entities for HP, energy, etc manipulation. And entity related functions and pointers are calculated dynamically and call based on the arguments that are passed in. What makes it a little hard was because entity related pointers were already calculated about 2 or more subroutines before the call to the wrapper function. Plus, entities ID changes dynamically so it might be hard to deal with these dynamically cases while the player ID remain static. I also have found out that somehow certain entity have self damage effect while other doesn't. For example the human soldier have self damage effect while the alien doesn't. In addition, regular human can't attack or retaliate so when the enemies attack them so the enemies can't attack itself.

Anyway here are the code.

_C1 Enemy attack self
_L 0x2009BB50 0x0A200040
_L 0x2009BB54 0x00000000
_L 0x2009BB58 0x00000000
_L 0x20000100 0x240303E8
_L 0x20000104 0x14C30002
_L 0x20000108 0x240303E7
_L 0x2000010C 0x8E060004
_L 0x20000110 0x10C20003
_L 0x20000114 0x3C0408AB
_L 0x20000118 0x0A226ED7
_L 0x2000011C 0x00000000
_L 0x20000120 0x0A226EE1
_L 0x201D1BC4 0x8E460048
_C1 Alien can not attack regular human
_L 0x201A4B60 0x0A200080
_L 0x201A4B64 0x00000000
_L 0x20000200 0x27BDFFE0
_L 0x20000204 0xAFB00000
_L 0x20000208 0x3C10089D
_L 0x2000020C 0x36100FCC
_L 0x20000210 0x121F0004
_L 0x20000214 0x8FB00000
_L 0x20000218 0x27BD0020
_L 0x2000021C 0x03E00008
_L 0x20000220 0x00000000
_L 0x20000224 0x0A2692DA
_L 0x20000228 0x00000000

I have also created two different codes but similar based on your POC example for Crisis Core - Final Fantasy VII.
And here it is.

_C1 Enemy attack self (Main attack)
_L 0x00169FB4 0x0A200400
_L 0x20169FB8 0xAFA30004
_L 0x20001000 0x3C0308A4
_L 0x20001004 0x34634050
_L 0x20001008 0x16830004
_L 0x2000100C 0x8FA30004
_L 0x20001010 0x02E02021
_L 0x20001014 0x0A25A7EF
_L 0x20001018 0x00000000
_L 0x2000101C 0x02802021
_L 0x20001020 0x0A25A7EF
_L 0x20001024 0x00000000
_C1 Enemies attack themeselves (Main attack)
_L 0x20169E24 0x24040000

All these codes are ASM code only.

Announcement

[Help] How to make enemy attack themselves when they attack you?

[Help] How to make enemy attack themselves when they attack you?

Comment

Comment

Comment

Comment

Comment