Post by £åߥ®Ñth on Apr 13, 2008 14:18:06 GMT -5
Here is a pretty good look at what's going on in the bank on TradeWinds 2 "Reflexive.com" Version
---------------------------------------------------------------------------
*Before you continue you must know how to use ollydbg, understand some assembly and have found the money address in a memory scanner.
1. We will open up the game and attach to it with Ollydbg.
2. Hit ctrl+g and type in our address we found in memory with cheat engine or what ever you used. Hit F2 on the address to set a break.
Also it would be a good idea to use ctrl+a to analyze the code.
So we can see the code used in this loop.
3. Now resume olly with F9 and go to the game and deposit $100.00 to the bank. And we break here. Hmmm, esp+4 moved in eax? What is esp+4?
4. Well esp+4 is an address because it is surrounded by [ ].
Now let's have a look at esp in the registers window. 331FD98
Let's follow that to the dump window.
5. Ok now we see the address, but what was +4?
331FD98 + 4 = 331FD9C. Now if we count over or click bytes over you can see that the byte 64 is what we need to look at. In the bottom of olly it tells you the address of the bytes you highlighted.
Now, what's 64? That's very easy if you understand hexadecimal and decimal. 64 hexa = 100 decimal. Remember how much money we deposited? So now you can see we are looking at the deposit.
esp+4 will move 64 hexa into eax. "Moving on now hit F8 to step to our next instruction."
6. If we look at the registers window now we can see 64 was moved into eax.
7. Now we land here, eax is subtracted from ecx+8. Remember what eax is from step 5. 64 hexa/100 dec. So now what is ecx+8?
8. So what is ecx+8. Lets look at ecx in the registers and find out.
We see another address. Man, this address looks real close to the one we found in the scans for our memory scanner? Wait a second, it is the address if you add +8. A228D0 + 8 = A228D8. Let's look in the pane window above the dump.
9. Ok we see it is our address, but what's this = 3E8 ?
Again, 3E8 hexa = 1000 decimal. So this is how much we have before depositing our $100.00
Both deposit and withdraw work almost the same. I will leave the withdraw discovery up to you.
Below are the 2 loops that directly affect bank transactions. If you do not know how to get to this code in olly or alter it to make a cheat, I'm sorry, this was not a tutorial on how to cheat. It was showing how the deposit is handled in the game. But knowing this gives you plenty of insight on what you can use to make a cheat.
---------------------------------------------------------------------------
TradeWinds 2 1:20 PM 4/13/2008 by: Lab
Deposit Loop to Bank: Tip: Look at ADD and SUB
One subtracts money from your pocket, and the other adds it to the bank.
----------------------------------------------------------
00410750 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00410754 |. 2941 08 SUB DWORD PTR DS:[ECX+8],EAX
00410757 |. 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
0041075B |. 1951 0C SBB DWORD PTR DS:[ECX+C],EDX
0041075E |. 0141 18 ADD DWORD PTR DS:[ECX+18],EAX
00410761 |. 1151 1C ADC DWORD PTR DS:[ECX+1C],EDX
00410764 |. DF69 18 FILD QWORD PTR DS:[ECX+18]
00410767 |. D959 10 FSTP DWORD PTR DS:[ECX+10]
0041076A |. E8 81FAFFFF CALL tw2_vist.004101F0
0041076F \. C2 0800 RET 8
----------------------------------------------------------
WithDraw Loop from Bank: Tip: Look at ADD and SUB
One adds money to your pocket, and the other subtracts it from the bank.
----------------------------------------------------------
00410780 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00410784 |. 0141 08 ADD DWORD PTR DS:[ECX+8],EAX
00410787 |. 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
0041078B |. 1151 0C ADC DWORD PTR DS:[ECX+C],EDX
0041078E |. 2941 18 SUB DWORD PTR DS:[ECX+18],EAX
00410791 |. 1951 1C SBB DWORD PTR DS:[ECX+1C],EDX
00410794 |. DF69 18 FILD QWORD PTR DS:[ECX+18]
00410797 |. D959 10 FSTP DWORD PTR DS:[ECX+10]
0041079A |. E8 51FAFFFF CALL tw2_vist.004101F0
0041079F \. C2 0800 RET 8
----------------------------------------------------------
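To make the two listings easier to read, here is an added C model (not code from the post or from the game) of what the deposit and withdraw routines do to the object ECX points at: SUB/SBB and ADD/ADC are each one 64-bit operation split across two dwords, and FILD/FSTP rewrites a single-precision copy of the bank total. The struct offsets come from the disassembly; the field names, and the replay values (0x3E8 in the pocket, deposit 0x64, as in steps 3 through 9), are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the object ECX points at in both listings. Offsets
   come from the disassembly; the field names are assumptions. */
typedef struct {
    uint8_t unknown0[8];   /* [ECX+0..7]: untouched by either routine */
    int64_t pocket;        /* [ECX+8] low dword, [ECX+C] high dword */
    float   bank_display;  /* [ECX+10]: single-precision copy of bank */
    uint8_t unknown14[4];  /* [ECX+14]: untouched */
    int64_t bank;          /* [ECX+18] low dword, [ECX+1C] high dword */
} Wallet;

/* SUB [lo],EAX then SBB [hi],EDX: one 64-bit subtraction as two 32-bit
   halves, the borrow (CF) from the low half feeding the high half. */
uint64_t sub64_via_pair(uint64_t value, uint64_t amount) {
    uint32_t lo = (uint32_t)value, hi = (uint32_t)(value >> 32);
    uint32_t eax = (uint32_t)amount, edx = (uint32_t)(amount >> 32);
    uint32_t borrow = lo < eax;   /* CF is set by SUB when a borrow occurs */
    lo -= eax;                    /* SUB DWORD PTR [ECX+8],EAX */
    hi -= edx + borrow;           /* SBB DWORD PTR [ECX+C],EDX */
    return ((uint64_t)hi << 32) | lo;
}
/* 00410750: pocket -= amount (SUB/SBB), bank += amount (ADD/ADC), then
   FILD/FSTP refreshes the float copy. CALL 004101F0 is not modelled. */
void deposit(Wallet *w, int64_t amount) {
    w->pocket = (int64_t)sub64_via_pair((uint64_t)w->pocket, (uint64_t)amount);
    w->bank += amount;
    w->bank_display = (float)w->bank;
}
/* 00410780: the mirror image, ADD/ADC on the pocket, SUB/SBB on the bank. */
void withdraw(Wallet *w, int64_t amount) {
    w->pocket += amount;
    w->bank = (int64_t)sub64_via_pair((uint64_t)w->bank, (uint64_t)amount);
    w->bank_display = (float)w->bank;
}

/* Replays the post's walkthrough: 0x3E8 (1000) in the pocket, deposit 0x64. */
Wallet replay_walkthrough(void) {
    Wallet w = {0};
    w.pocket = 0x3E8;
    deposit(&w, 0x64);
    return w;
}
int main(void) {
    Wallet w = replay_walkthrough();
    printf("pocket=%lld bank=%lld display=%.1f\n",
           (long long)w.pocket, (long long)w.bank, w.bank_display);
    return 0;
}
```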