Thread replies: 11
Thread images: 2
Thread images: 2
Anonymous
Thread for memory hacks and other cool shit? 2016-12-28 07:43:12 Post No. 58205258
[Report] Image search: [Google]
Thread for memory hacks and other cool shit? 2016-12-28 07:43:12 Post No. 58205258
[Report] Image search: [Google]
File: ayyyyy.png (165KB, 1218x1162px) Image search:
[Google]
165KB, 1218x1162px
Thread for memory hacks and other cool shit?
Anonymous
2016-12-28 07:43:12
Post No. 58205258
[Report]
I started debugging the game and noticed that "stack pointer" used by developers for in-game scripts is an unsigned short. This means that when a return with an empty stack is executed, basically address is taken from this->stack[65535]. Script array is located in bss segment, so these addresses are constant. I calculated all possible addresses that can be used as return value and it turned out that some of these potential addresses are located in script space, that is used for script variables. One of these potential variables was a temp timer in ms for hardware store shopkeeper. This timer is updated when player enters his spawn zone and is either current time in ms if he spawned normally and if he was despawned after he was killed or robbed it's time in ms that passed since he despawned.
So basically we have an option to jump to any part of main script by manipulating this timer. Of course, using timer in ms to choose address is kinda tricky, so we have to use a time window. KYFC starting thread is located at bytes 53475-53716 of script file. This means that shopkeeper timer should be set to a value between 53475 and 53716. Approximately 20% of timer values is a valid address to something that doesn't crash. Some of these addresses only create a trigger at mansion, some start mission immediately.
>Another thing is that for that variable to be used as an address the property buy script should be in a script with id 67. There are 128 scripts in array and game fills it starting with last, id 127. It means there should be 60 scripts running at the moment we buy property. At the start of the game there are 51. We need 9 more, so we complete The Party 10 times: The Party starting script is removed since we complete it and it creates 10 new ones for next mission. After it we just need money to start trick.
https://www.youtube.com/watch?v=scNlMFQk2is
>>
RTE for ps3 is okay
>>
https://www.youtube.com/watch?v=p5T81yHkHtI
>>
Last one I have
https://www.youtube.com/watch?v=JxgEXDnXD6M
>>
>>58205422
that's the old one
http://www.youtube.com/watch?v=3UnB1fomvAw
>>
>>58205849
fuck that's cool - I love how the IP goes AWOL at the end of these hacks : 3
>>
Good thread but I fear nobody will post in it because it is not about some consumer shillable bullshit.
Did you mention the game you did the memory hack for?
>>
File: 1479024402979.jpg (75KB, 395x504px) Image search:
[Google]
75KB, 395x504px
I just want an Auction House bot for ArcheAge
>>
>>58205899
its from the speed run of GTA vice city - included at the bottom of the post
>>
http://guidedhacking.com/index.php
>>
>>58205889
mhm
for others wondering what the fuck, here's the gist of it;
- only plain old controller/button inputs are used, no ROM or RAM hacking (a bit blurred here since it uses the buttons to achieve arbitrary RAM modification)
1. the game is reset during saving at a very specific time to corrupt the pokemon and item lists
2. the corrupted lists mirror parts of memory not intended for these lists, and can be manipulated by switching /tossing items or switching pokemon
3. the first part is effectively changing the list to spell out and cause the execution of a program which reads the buttons and stores them in memory -- a program loader, basically
4. the second part is the loaded program
this is an example of "arbitrary code execution", you effectively break out of the constraints of the game and are able to do anything you want, even replace the game you were playing with something else (limited to the system memory, you can't modify ROM, obviously)
Thread posts: 11
Thread images: 2
Thread images: 2