Page 1 of 2
Perfect 3rd person ^^
Posted: Tue Jul 29, 2008 7:18 am
by Mac Hacker
It requires you to have terminal knowledge, and you have to have GDB to edit the memory in hex.
This is Halo Full!
Don't get any ideas; it won't work unless you also edit some things in GDB, since otherwise it just changes back once you hit apply.
Code:
true 32-bit Integer 01069C04 1
true Float 01069C18 0.2
true Float 01069C20 0.5
true Float 01069C24 3.0
true Float 01069D34 0.2
true Float 01069D3C 0.5
true Float 01069D40 3.0
true Float 01069DD8 0.2
true Float 01069DE0 0.5
true Float 01069DE4 3.0
Posted: Tue Jul 29, 2008 7:26 am
by Slapzy
Nice work!
Posted: Tue Jul 29, 2008 7:32 am
by Mac Hacker
Slapzy wrote: Nice work!
Thanks. Now if only sword would reply and make an app that automates it; otherwise you have to keep going into GDB and editing it in assembly using hex as well xD
sword, you have my AIM; just contact me and I will give you the floats you need and the 32-bit integer if you do not have it.
Posted: Tue Jul 29, 2008 7:54 am
by sword
Post 'em here and I can make something for PPC tonight. I don't have my laptop so I won't be able to make a UB version for a little bit.
Nice find in memory, that must have taken a while.
Posted: Tue Jul 29, 2008 8:00 am
by Mac Hacker
sword wrote:Post 'em here and I can make something for PPC tonight. I don't have my laptop so I won't be able to make a UB version for a little bit.
Nice find in memory, that must have taken a while.
Posted.
But remember, it's Full only xD. I will work on Demo later.
Posted: Tue Jul 29, 2008 8:01 am
by sword
So then, simple enough. Breakpoint the values, see what function writes to them, and NOP it. If that doesn't work then I'll write a code injection thinger. Regardless, I can find the function in FV now and maybe just hard code a hack.
Posted: Tue Jul 29, 2008 8:07 am
by Mac Hacker
sword wrote:So then, simple enough. Breakpoint the values, see what function writes to them, and NOP it. If that doesn't work then I'll write a code injection thinger. Regardless, I can find the function in FV now and maybe just hard code a hack.
Yep ^^ right on, bro.
This is directed at me:
If you're a noob at GDB like me, it takes you about an hour to figure all that out xD
Posted: Tue Jul 29, 2008 8:13 am
by sword
Yeah, I've done a bit of memory hacking before on PC. It was just much easier because I had Cheat Engine and OllyDbg. Both were awesome tools. Cheat Engine made it a breeze to find values and write ASM in memory, OllyDbg helped you debug the shit out of a process.
Posted: Tue Jul 29, 2008 8:23 am
by Mac Hacker
sword wrote:Yeah, I've done a bit of memory hacking before on PC. It was just much easier because I had Cheat Engine and OllyDbg. Both were awesome tools. Cheat Engine made it a breeze to find values and write ASM in memory, OllyDbg helped you debug the shit out of a process.
Yeah, I like Olly and CE. I wish there were easier apps like those for Mac.
CE is really easy to use. I also wish we had something like T-Search,
which has everything you need built in and, I heard, can make trainers.
Posted: Tue Jul 29, 2008 7:11 pm
by Mac Hacker
Any progress, sword?
Posted: Tue Jul 29, 2008 7:18 pm
by Mike1122
There's also this thing called pizzabox for PC. It allows you to give someone on your team health, infinite ammo, and projectile swaps, all in-game. I got infinite ammo from the guy that told me this, but I never found pizzabox on Google... or it may be called something else.
He also said something about a camera hack, but I never found out anything about it.
Posted: Tue Jul 29, 2008 8:19 pm
by sword
Bleh. I got home at 10:30 and have been working on some reversing. I immediately found 7 instructions that write to one or more of the variables that you've listed here, Tyler. Actually, I accidentally found an instruction that updates Halo's main timer duration and have figured out, vaguely, how to modify it. The instruction is at 0x0066cd20 in the memory of Halo FV PPC on an iMac G5. The instruction is lfd f1,24(r1) while the binary instruction is 0xC8210018. That's an easy one to modify. However, it fucks Halo's ability to network with other computers, so you can't use it in multiplayer. Probably makes Halo expect packets to be flowing to it much faster than possible.
Anyway, I'm about to test a few more things, but right now I'm looking at instructions at the following addresses in particular:
I'm also looking at the following two, but they don't seem as promising:
The code around the last two is the following:
Code:
0x004939cc <unknown_text+584140>: mtctr r0
0x004939d0 <unknown_text+584144>: lwz r3,4(r4)
0x004939d4 <unknown_text+584148>: lwzu r0,8(r4)
0x004939d8 <unknown_text+584152>: stw r3,4(r5)
0x004939dc <unknown_text+584156>: stwu r0,8(r5)
0x004939e0 <unknown_text+584160>: bdnz+ 0x4939d0 <unknown_text+584144>
0x004939e4 <unknown_text+584164>: b 0x4939f4 <unknown_text+584180>
Back to work now.
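sword's post gives one instruction both as text (lfd f1,24(r1)) and as its 32-bit word (0xC8210018), and the thread patches instructions by writing 0x60000000 over them. The following is an added example, not code from the thread or from Halo: a minimal PowerPC D-form decoder/encoder that confirms that pairing, plus an in-memory patcher doing what the GDB write does on a constructed big-endian image. The mnemonic table covers only the D-form instructions that appear in the listings on this page; everything else decodes as "unknown".

```c
/* Added example, not code from the thread: a minimal PowerPC D-form
 * decoder/encoder plus an in-memory patcher, to check that the word
 * 0xC8210018 quoted above is "lfd f1,24(r1)" and that the value GDB
 * writes as a NOP, 0x60000000, is "ori r0,r0,0".  The mnemonic table
 * covers only the D-form instructions seen in this thread's listings. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PPC_NOP 0x60000000u            /* ori r0,r0,0 */

/* D-form layout: opcode(6) | rT/rS(5) | rA(5) | d(16, signed) */
typedef struct { unsigned opcode, rt, ra; int16_t d; } ppc_dform;

static const struct { unsigned opcode; const char *mn; int fpr; } dform_tab[] = {
    {14, "addi", 0}, {15, "addis", 0}, {32, "lwz", 0}, {33, "lwzu", 0},
    {36, "stw", 0},  {37, "stwu", 0},  {42, "lha", 0}, {44, "sth", 0},
    {48, "lfs", 1},  {50, "lfd", 1},
};

static ppc_dform ppc_decode(uint32_t insn) {
    ppc_dform f;
    f.opcode = insn >> 26;
    f.rt = (insn >> 21) & 0x1f;
    f.ra = (insn >> 16) & 0x1f;
    f.d = (int16_t)(insn & 0xffff);
    return f;
}

static uint32_t ppc_encode(unsigned opcode, unsigned rt, unsigned ra, int16_t d) {
    return ((uint32_t)opcode << 26) | ((uint32_t)(rt & 0x1f) << 21)
         | ((uint32_t)(ra & 0x1f) << 16) | (uint16_t)d;
}

/* Render like GDB's disassembly, e.g. "lfd f1,24(r1)".  Returns 0 if the
 * opcode is not in the table (mtctr, bdnz, blr, ... are not D-form). */
static int ppc_disas(uint32_t insn, char *out, size_t n) {
    ppc_dform f = ppc_decode(insn);
    if (insn == PPC_NOP) { snprintf(out, n, "nop"); return 1; }
    for (size_t i = 0; i < sizeof dform_tab / sizeof dform_tab[0]; i++) {
        if (dform_tab[i].opcode != f.opcode) continue;
        if (f.opcode == 14 || f.opcode == 15)      /* addi/addis rT,rA,imm */
            snprintf(out, n, "%s r%u,r%u,%d", dform_tab[i].mn, f.rt, f.ra, f.d);
        else                                       /* loads/stores: rT,d(rA) */
            snprintf(out, n, "%s %c%u,%d(r%u)", dform_tab[i].mn,
                     dform_tab[i].fpr ? 'f' : 'r', f.rt, f.d, f.ra);
        return 1;
    }
    snprintf(out, n, "unknown");
    return 0;
}

static int disas_matches(uint32_t insn, const char *expect) {
    char buf[40];
    ppc_disas(insn, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

/* PowerPC is big-endian, so the word GDB writes lands in memory MSB first. */
static uint32_t be32_load(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void be32_store(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Same effect as  print *(unsigned int *)ADDR = 0x60000000  in GDB, on an
 * image whose first byte is at `base`.  Returns the word that was there,
 * or 0 for a misaligned or out-of-range address. */
static uint32_t patch_nop(uint8_t *image, size_t len, uint32_t base, uint32_t addr) {
    if ((addr & 3) || addr < base || addr - base + 4 > len) return 0;
    uint8_t *p = image + (addr - base);
    uint32_t old = be32_load(p);
    be32_store(p, PPC_NOP);
    return old;
}

/* Constructed image of the two words at 0x00497180/0x00497184 in the
 * listing; patches the second and returns the old word iff the new one
 * now disassembles as nop (0 otherwise). */
static uint32_t demo_patch_stwu(void) {
    uint8_t image[8];
    be32_store(image,     ppc_encode(36, 3, 5, 4));   /* stw  r3,4(r5) */
    be32_store(image + 4, ppc_encode(37, 0, 5, 8));   /* stwu r0,8(r5) */
    uint32_t old = patch_nop(image, sizeof image, 0x00497180u, 0x00497184u);
    return disas_matches(be32_load(image + 4), "nop") ? old : 0;
}

int main(void) {
    char buf[40];
    ppc_disas(0xC8210018u, buf, sizeof buf);
    printf("0xC8210018 = %s\n", buf);
    printf("patched stwu was 0x%08X\n", demo_patch_stwu());
    return 0;
}
```

The alignment check in patch_nop matters on the real target too: PPC instructions are always 4-byte aligned, so a GDB write to an address ending in anything but 0, 4, 8 or c would straddle two instructions rather than replace one.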
Posted: Tue Jul 29, 2008 8:45 pm
by sword
Don't mind me here. I'm just double posting.
Anyway, I've found that the instruction at 0x00497184 updates absolute camera position. I believe this because, once in third person, the following happens when you NOP the instruction there:
Here is the original code in the area:
Code:
0x00497170 <unknown_text+598384>: addi r4,r3,-4
0x00497174 <unknown_text+598388>: mtctr r0
0x00497178 <unknown_text+598392>: lwz r3,4(r4)
0x0049717c <unknown_text+598396>: lwzu r0,8(r4)
0x00497180 <unknown_text+598400>: stw r3,4(r5)
0x00497184 <unknown_text+598404>: stwu r0,8(r5)
0x00497188 <unknown_text+598408>: bdnz+ 0x497178 <unknown_text+598392>
0x0049718c <unknown_text+598412>: blr
0x00497190 <unknown_text+598416>: mflr r0
0x00497194 <unknown_text+598420>: stw r31,-4(r1)
0x00497198 <unknown_text+598424>: addis r3,r2,6
0x0049719c <unknown_text+598428>: stw r30,-8(r1)
Here is the modification:
Code:
0x00497170 <unknown_text+598384>: addi r4,r3,-4
0x00497174 <unknown_text+598388>: mtctr r0
0x00497178 <unknown_text+598392>: lwz r3,4(r4)
0x0049717c <unknown_text+598396>: lwzu r0,8(r4)
0x00497180 <unknown_text+598400>: stw r3,4(r5)
0x00497184 <unknown_text+598404>: nop
0x00497188 <unknown_text+598408>: bdnz+ 0x497178 <unknown_text+598392>
0x0049718c <unknown_text+598412>: blr
0x00497190 <unknown_text+598416>: mflr r0
0x00497194 <unknown_text+598420>: stw r31,-4(r1)
0x00497198 <unknown_text+598424>: addis r3,r2,6
0x0049719c <unknown_text+598428>: stw r30,-8(r1)
To do this, make sure you're in 3rd person by whatever means you want in Halo FV PPC and then, when you've attached GDB to it, enter the following:
print *(unsigned int *)0x00497184=0x60000000
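The loop sword patches is a counted copy: each pass loads a pair of words through r4, stores them through r5, and advances both pointers with the "u" (update) forms. Because stwu is the instruction that also moves r5, replacing it with nop does more than drop one store. The following is an added example, not code from the thread or from Halo: a word-level model of that loop body run once as listed and once with the stwu nopped. The register contents on entry are assumptions (ctr = number of 8-byte pairs, r4 = source - 4 and r5 = destination - 4, which the "addi r4,r3,-4" just before the loop suggests); the memory layout and fill pattern are constructed.

```c
/* Added example, not code from the thread: a word-level model of the
 * counted copy loop at 0x00497174..0x00497188, run as listed and again
 * with the "stwu r0,8(r5)" at 0x00497184 replaced by nop.  Assumptions:
 * ctr holds the number of 8-byte pairs to copy, r4 = source - 4 and
 * r5 = destination - 4 on entry (the "addi r4,r3,-4" before the loop
 * suggests that), and all addresses are 4-byte aligned. */
#include <stdint.h>
#include <stdio.h>

#define MEM_WORDS 32
#define FILL      0xEEEEEEEEu     /* constructed: marks untouched destination words */
enum { SRC = 0x40, DST = 0x10, PAIRS = 3 };   /* constructed memory layout, byte addresses */

typedef struct { uint32_t r0, r3, r4, r5, ctr; } ppc_regs;  /* r4/r5 are byte addresses */

static uint32_t ld32(const uint32_t *mem, uint32_t a) { return mem[a / 4]; }
static void     st32(uint32_t *mem, uint32_t a, uint32_t v) { mem[a / 4] = v; }

/* One pass over the loop body per ctr; nop_stwu != 0 models the GDB patch. */
static void copy_loop(uint32_t *mem, ppc_regs *r, int nop_stwu) {
    do {
        r->r3 = ld32(mem, r->r4 + 4);                 /* lwz  r3,4(r4) */
        r->r4 += 8; r->r0 = ld32(mem, r->r4);         /* lwzu r0,8(r4) */
        st32(mem, r->r5 + 4, r->r3);                  /* stw  r3,4(r5) */
        if (!nop_stwu) {                              /* stwu r0,8(r5) */
            r->r5 += 8; st32(mem, r->r5, r->r0);
        }                           /* nop: no store, and r5 is NOT advanced either */
    } while (--r->ctr != 0);                          /* bdnz+         */
}

/* Constructed scenario: PAIRS pairs holding 1..2*PAIRS at SRC, memory
 * otherwise FILL.  Returns the registers after the loop; mem[] gets the
 * final memory image. */
static ppc_regs run_scenario(int nop_stwu, uint32_t mem[MEM_WORDS]) {
    for (int i = 0; i < MEM_WORDS; i++) mem[i] = FILL;
    for (int i = 0; i < 2 * PAIRS; i++) st32(mem, SRC + 4 * i, (uint32_t)(i + 1));
    ppc_regs r = { 0, 0, SRC - 4, DST - 4, PAIRS };   /* ctr set by mtctr r0 */
    copy_loop(mem, &r, nop_stwu);
    return r;
}

/* Destination word `idx` (0..2*PAIRS-1) after the loop. */
static uint32_t dst_word_after(int nop_stwu, int idx) {
    uint32_t mem[MEM_WORDS];
    run_scenario(nop_stwu, mem);
    return ld32(mem, DST + 4 * idx);
}

/* r5 after the loop: shows whether the destination pointer moved at all. */
static uint32_t r5_after(int nop_stwu) {
    uint32_t mem[MEM_WORDS];
    return run_scenario(nop_stwu, mem).r5;
}

int main(void) {
    for (int patched = 0; patched <= 1; patched++) {
        printf("%s: dst =", patched ? "stwu nopped" : "original   ");
        for (int i = 0; i < 2 * PAIRS; i++) printf(" %08X", dst_word_after(patched, i));
        printf("  r5 = 0x%02X\n", r5_after(patched));
    }
    return 0;
}
```

With the original loop the destination receives all six words and r5 ends 24 bytes further on. With the stwu nopped, r5 never moves, so every pass writes its first word to the same slot (the last pair's first word wins) and nothing else in the destination changes. That is worth knowing before building a "hack" on such a patch: the intended effect (stop updating the destination) comes with a pointer that is also frozen, and any code after the loop that relied on r5 having advanced sees the old value.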
Posted: Tue Jul 29, 2008 9:18 pm
by sword
I think this may be the camera variable initialization / partial update code. I haven't really looked at it, but I know it updates the camera style enumeration variable (IE first person, warthog, cinematic or whatever).
Code:
0x00493410 <unknown_text+582672>: extsh r0,r3
0x00493414 <unknown_text+582676>: addis r5,r2,6
0x00493418 <unknown_text+582680>: mulli r4,r0,248
0x0049341c <unknown_text+582684>: addis r3,r2,0
0x00493420 <unknown_text+582688>: addi r5,r5,-25688
0x00493424 <unknown_text+582692>: addi r0,r3,-22108
0x00493428 <unknown_text+582696>: addi r6,r4,8
0x0049342c <unknown_text+582700>: add r6,r5,r6
0x00493430 <unknown_text+582704>: lwz r4,8(r6)
0x00493434 <unknown_text+582708>: cmplw r4,r0
0x00493438 <unknown_text+582712>: bne- 0x493460 <unknown_text+582752>
0x0049343c <unknown_text+582716>: addis r3,r2,0
0x00493440 <unknown_text+582720>: lfs f1,4(r6)
0x00493444 <unknown_text+582724>: lwz r3,-25648(r3)
0x00493448 <unknown_text+582728>: lfs f0,16(r3)
0x0049344c <unknown_text+582732>: fcmpu cr0,f1,f0
0x00493450 <unknown_text+582736>: bne- 0x4934a0 <unknown_text+582816>
0x00493454 <unknown_text+582740>: li r0,0
0x00493458 <unknown_text+582744>: sth r0,86(r6)
0x0049345c <unknown_text+582748>: b 0x4934a0 <unknown_text+582816>
0x00493460 <unknown_text+582752>: addis r3,r2,0
0x00493464 <unknown_text+582756>: addi r0,r3,-22092
0x00493468 <unknown_text+582760>: cmplw r4,r0
0x0049346c <unknown_text+582764>: bne- 0x49347c <unknown_text+582780>
0x00493470 <unknown_text+582768>: li r0,1
0x00493474 <unknown_text+582772>: sth r0,86(r6)
0x00493478 <unknown_text+582776>: b 0x4934a0 <unknown_text+582816>
0x0049347c <unknown_text+582780>: addis r3,r2,0
0x00493480 <unknown_text+582784>: addi r0,r3,-22172
0x00493484 <unknown_text+582788>: cmplw r4,r0
0x00493488 <unknown_text+582792>: bne- 0x493498 <unknown_text+582808>
0x0049348c <unknown_text+582796>: li r0,2
0x00493490 <unknown_text+582800>: sth r0,86(r6)
0x00493494 <unknown_text+582804>: b 0x4934a0 <unknown_text+582816>
0x00493498 <unknown_text+582808>: li r0,3
0x0049349c <unknown_text+582812>: sth r0,86(r6)
0x004934a0 <unknown_text+582816>: lha r3,86(r6)
0x004934a4 <unknown_text+582820>: blr
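Reading the routine above back into C makes its shape easier to see: the halfword argument selects a 248-byte entry, the word at entry+8 is compared against three constants, and a 0/1/2/3 halfword is stored at entry+86 and returned; in the first case the store only happens if a float at entry+4 equals a float at +16 of a global object. The following is an added example, not code from the thread or from Halo. Every name in it (table, kind, style, the global object) is an assumption drawn only from the offsets in the listing, and the three r2-relative constants the code compares against are modelled as three constructed 32-bit addresses, since only their distinctness matters here.

```c
/* Added example, not code from the thread: the routine at
 * 0x00493410..0x004934a4 written back into C straight from the listing.
 * All names are assumptions drawn from the offsets only: a table with an
 * 8-byte header followed by 248-byte entries (addi r6,r4,8; mulli r4,r0,248),
 * a 32-bit "kind" word at entry+8, a float at entry+4, a halfword "style"
 * at entry+86, and a global object whose float at +16 is compared against
 * (lwz r3,-25648(r3); lfs f0,16(r3)).  KIND_A/B/C are constructed
 * stand-ins for the three r2-relative addresses (-22108, -22092, -22172). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_STRIDE 248
#define TABLE_HEAD   8
#define KIND_A 0x00052A24u   /* constructed */
#define KIND_B 0x00052A34u   /* constructed */
#define KIND_C 0x00052A14u   /* constructed */

static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static float    getf(const uint8_t *p)  { float v;    memcpy(&v, p, 4); return v; }
static int16_t  get16(const uint8_t *p) { int16_t v;  memcpy(&v, p, 2); return v; }
static void     put16(uint8_t *p, int16_t v) { memcpy(p, &v, 2); }

/* idx is r3 after "extsh r0,r3" (a sign-extended halfword).  Returns the
 * style halfword at entry+86 after the update, as "lha r3,86(r6)" does. */
static int16_t camera_style_update(uint8_t *table, const uint8_t *global, int16_t idx) {
    uint8_t *e = table + TABLE_HEAD + (int32_t)idx * ENTRY_STRIDE;  /* mulli; addi; add */
    uint32_t kind = get32(e + 8);                                   /* lwz r4,8(r6) */
    if (kind == KIND_A) {                                           /* cmplw; bne- */
        /* fcmpu entry+4 vs global+16; "bne-" jumps past the store, so an
         * unequal (or NaN, i.e. unordered) value leaves the old style. */
        if (getf(e + 4) == getf(global + 16))
            put16(e + 86, 0);
    } else if (kind == KIND_B) {
        put16(e + 86, 1);
    } else if (kind == KIND_C) {
        put16(e + 86, 2);
    } else {
        put16(e + 86, 3);
    }
    return get16(e + 86);                                           /* lha r3,86(r6) */
}

/* Constructed harness: a fresh 4-entry table, entry `idx` (0..3) filled in
 * as given and the rest zeroed; returns what the routine reports for it. */
static int16_t classify_demo(int16_t idx, uint32_t kind, float entry_f,
                             float global_f, int16_t prior_style) {
    uint8_t table[TABLE_HEAD + 4 * ENTRY_STRIDE] = {0};
    uint8_t global[32] = {0};
    uint8_t *e = table + TABLE_HEAD + idx * ENTRY_STRIDE;
    memcpy(e + 8, &kind, 4);
    memcpy(e + 4, &entry_f, 4);
    memcpy(global + 16, &global_f, 4);
    put16(e + 86, prior_style);
    return camera_style_update(table, global, idx);
}

int main(void) {
    printf("A, floats equal   -> %d\n", classify_demo(0, KIND_A, 1.5f, 1.5f, 99));
    printf("A, floats differ  -> %d (unchanged)\n", classify_demo(1, KIND_A, 1.5f, 2.5f, 99));
    printf("B -> %d, C -> %d, other -> %d\n",
           classify_demo(2, KIND_B, 0, 0, 99), classify_demo(3, KIND_C, 0, 0, 99),
           classify_demo(0, 0xDEADBEEFu, 0, 0, 99));
    return 0;
}
```

The one non-obvious branch is the first: when the kind matches the first constant but the float at entry+4 differs from the global one, nothing is written and the caller gets back whatever was already at entry+86. Anyone patching this routine to force a particular style therefore has two places to consider, the "li r0,N" immediates and the "bne-" after the float compare.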
Posted: Tue Jul 29, 2008 9:49 pm
by Mac Hacker
Nice work, sword ^^ Hmm, I wonder if you could make hotkeys that can be used in Halo to position the camera and stuff, to do machinima?