Let's Hack: ELEX, Ep. 6 - Custom Health Regeneration! (CreateThread via Cheat Engine)


Welcome to my ELEX Let's Hack series. In this episode, I show you how to use Cheat Engine to create a health regeneration mechanic from scratch! If you enjoyed this video, give it a thumbs-up and don't forget to subscribe. Thanks for watching!

For additional information on using CreateThread() in Cheat Engine, check out these links:

Links from the video:

Comments
Author

POST-RECORDING NOTES: First and foremost, make sure to check the description as I have a ton of links there! Now, to clarify some stuff from the video:

0:50 - You could likely use Lua to make keeping track of multiple addresses a much more manageable thing.

14:20 - The math of a pointer like [rcx+rax*4+20] would be worked out as follows: rax*4, then that result + 20, and finally rcx + that result.

24:12 - You can reference addresses you specify [likeThis] in a createthread script itself, but if you have a symbol from another script that you want the createthread script to see, you need to use the double brackets [[likeThis]].

29:46 - That last jump to wait, after inc, isn't actually needed. Execution would just flow from the inc directly into wait.

StephenChapman
Author

This was awesome Stephen, great job!!! I didn't know about the calling convention order of registers in a createthread at all. It's incredible to see how much you've learned and grown over the course of time. Awesome vid tut bro. I look forward to the 32 bit :D

chrisfayte
Author

Great stuff man really interesting to see this go from simple cheats to adding new functionality to the game. Keep it up!

gingerbreadbot
Author

Once again a great video chock-full of knowledge, I'll be sure to watch this one multiple times; there is a lot of new info in this one I didn't know about.

birn
Author

I have a challenging cheat for you to try! There is a class called outlaw with two abilities in the form of chems "Pick-Me-Up" and "Scrap Scanner" that I'm desperately trying to nail down as simple toggles. I'm still learning (from your videos) and your expertise coupled with this challenge tells me you'd make a great video on figuring out how this can be achieved.

UTubeBrowzer
Author

0:30-ish hm, not something I've really done but with a different approach shared instructions shouldn't actually make this much harder for enemies (at least no harder than separating out the player), find something that constantly accesses all the enemies (it doesn't need to be their health, _anything_ will work as long as it gives you access to the base address for the enemy) and find some way to determine which are enemies (dissect data/structure spider, registers, stack, etc. same as you would for the player) and then simply increase their health if it's below the max and possibly greater than 0 (yeah, that'll take a bit of assembly). Adjusting how fast health is regained is as simple as adjusting how much is added each time, since it's a fast/constant access you'll want to use small numbers, obviously integers limit you to whole numbers which may cause problems particularly for games where health is a small number. To do better than that... without a list that you could access would probably be fairly difficult, or at least require some real thought :) If you're lucky you might be able to find some unused space in the enemy structure (padding bytes, etc.) and use it for a timer value but otherwise you'd need to get space elsewhere and manage it... in assembly (not the easiest thing) or create a dll to inject that lets you manage the memory from a higher level language.

7:25 it wrote the same address because they are all at the same base address, notice that the addresses each increase by 4. (order of appearance) e14, e18, e24, e1c, e20 or in numeric order e14, e18, e1c, e20, e24. It's possible there's an array of health values and if you got the base of that (rcx+20, rax/edx is the array index) you could loop through all of them. The code does a check for the index being >= 99 (jnl) so there's likely a limit of 0x100 health values at a time.

14:50 instead of pushing/popping rbx you could have used rax since it's overwritten by the original code anyways.


24:20 sure you can use [address] in a script :) The thing is that "healthBase" is the address that you stored another address in (it's a pointer), so
mov rax, healthBase // makes rax the address of the memory that you've stored the address of the health base
mov rax, [healthBase] // gives the actual address of the health base
mov rax, [[healthBase]] // _effectively_ reads the health value (assuming offset of 0 for simplicity)
// ^ invalid x86 assembly, handled by CE when script is enabled to calculate the address of [healthBase] as a constant/static value
// and assembled into memory as "mov rax, [the constant calculated address]"
// the above is nearly equivalent then to
mov rax, [healthBase] // calculation done by CE when script is enabled
mov rax, [rax] // equivalent assembled code


33:20 yes, thank you ParkourPenguin ! I learned quite a bit from those scripts at one point :)

A bit simpler with a lua script though, well a combination of asm and lua script. Write the script to obtain the healthBase and register a symbol and then it's a simple matter of creating a timer in lua instead of understanding createThread (though that's not too bad if you don't actually care about freeing the memory allocated for the thread and so just ret instead of setting up the unorthodox call to VirtualFree that returns to the function that started the thread instead of the (now freed) thread itself)

[ENABLE]
{$lua}
if syntaxcheck then return end
healthBaseTimer = createTimer()
healthBaseTimer.Interval = 2000 -- 2 seconds
healthBaseTimer.OnTimer = function(timer)
  local healthBasePtr = getAddressSafe('healthBase') -- nil on failure
  if not healthBasePtr then return end -- quit this time if not registered for whatever reason (tries again after interval)
  local healthBase = readPointer(healthBasePtr)
  if not healthBase or healthBase == 0 then return end -- or we can't read the address (not actually sure if this can be nil but) or it's 0
  -- otherwise we have the information to actually do the job
  local maxHealth = readInteger(healthBase+0x24)
  local currentHealth = readInteger(healthBase+0x20)
  if not maxHealth or not currentHealth then return end -- unreadable this tick, try again after interval
  if currentHealth < maxHealth then
    writeInteger(healthBase+0x20, currentHealth + 1)
  end
end
{$asm}

[DISABLE]
{$lua}
if syntaxcheck then return end
healthBaseTimer.destroy()
{$asm}

FreeER
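As an added example (not from the video or any commenter), a small Python calculator for the [rcx+rax*4+20] arithmetic from the 14:20 post-recording note and for the "same base, each address +4" observation at 7:25. It assumes Cheat Engine's auto assembler convention that a bare number is hex (so 20 means 0x20), and the base address 0x7FF600000DF4 is a constructed value.

```python
import re

# Matches a SIB-style operand such as "[rcx+rax*4+20]" (spaces removed).
OPERAND_RE = re.compile(r"^\[(\w+)\+(\w+)\*([1248])\+([0-9a-fA-F]+)\]$")


def address_steps(operand, regs, hex_constants=True):
    """Return (index*scale, +displacement, +base) in the order the 14:20 note
    describes: rax*4, then that + 20, and finally rcx + that result.
    hex_constants mirrors Cheat Engine's default of reading bare numbers as hex."""
    m = OPERAND_RE.match(operand.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported operand: {operand}")
    base, index, scale, disp = m.groups()
    disp = int(disp, 16 if hex_constants else 10)
    scaled = regs[index] * int(scale)
    with_disp = scaled + disp
    return scaled, with_disp, regs[base] + with_disp


def effective_address(operand, regs, hex_constants=True):
    """Final address only: base + index*scale + displacement."""
    return address_steps(operand, regs, hex_constants)[2]


def health_slot_addresses(rcx, count, operand="[rcx+rax*4+20]"):
    """Addresses touched as rax walks an array of 4-byte health values, which is
    why one shared instruction writes a run of addresses 4 apart (the 7:25 point)."""
    return [effective_address(operand, {"rcx": rcx, "rax": i}) for i in range(count)]


if __name__ == "__main__":
    # Constructed base: rcx = 0x7FF600000DF4, so rcx+0x20 ends in ...E14.
    for addr in health_slot_addresses(0x7FF600000DF4, 5):
        print(hex(addr))  # ...e14, ...e18, ...e1c, ...e20, ...e24
```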
Author

Awesome video pal, I'm loving the advanced stuff, you always leave me wanting more lol, thank you for taking the time to do your tutorials

byteninja
Author

I just discovered ur channel and I'm so glad I did.

gearcode
Author

I think you should also make some DnSpy and IDA Pro videos. Btw nice job on the whole series... and hope you keep it up.

laxusflash
Author

Brilliant tutorial bro, seeing a lot of cool stuff lately, keep it up man, learning a lot. Thanks.

cheatstrainers
Author

I would like to see a World of Warcraft tutorial, maybe a trainer for speedhack, teleport, etc. Anyways, keep up the good work!

mihaimyh
Author

Whoo! Yes! Another vid! I had a question Stephen: when I find a value, how can I save it to a table so it's always found in game, even if I exit out of the game?
Like for example I want to be able to change the value of my LP and Attribute points whenever.

Zaylin
Author

I've never used Cheat Engine before and I'm likely to check out your tutorial on that.
However, I was wondering if this, or say, the infinite health code/method from video #3 would work on ammo, cause I don't care about infinite HP or max funds if I can get infinite ammo for my ranged weapons.
Thank you.

TenchixRyoko
Author

The video is really interesting, just a small question: can I replace the VirtualFree function with "dealloc(healthRegen)"?

sieutruc
Author

Hey Stephen, could you show how you can find an in-game window from a game via Cheat Engine? Like I'm pressing a button in the game and a new window with a confirmation pops up. I want to call that window not only in the menu but from anywhere with a hotkey. Do you know how you could search for that window? Maybe do a video?

pls no ultimap...

sasaha
Author

Just started playing with Cheat Engine not too long ago. Trying to use it for the game (We Need to Go Deeper), wondering if you can do a video on that game to help me. Thanks

adamdarby
Author

Hi, I have a certain problem. After using Cheat Engine, I instantly die in HAZARD zones, like radiation. I can't find a fix anywhere. Can you help me?

ryutak
Author

Other thing, when I search a value in Cheat Engine, then open the memory region, I couldn't find the value I searched.

mangatv
Author

I have a question, in my case the value is a floating point.
When I do the inc [[healthBase]+90], instead of increasing by 1, it increases by
How do I increase a floating point value by one?

luanribeiro
Author

Do you by any chance accept requests from viewers to cheat on a game?

midas