Shadowflare Questions (RPG)


Maddogz
24th September 2004, 03:58
I've been working on a trainer for a while for ShadowFlare (http://www.shadowflare.us for anyone who wants to know what it is).

I found all the addresses, but when I restart the game, they have changed (DMA).

I've seen some tuts that talk about using autohack to find poke codes. Can these codes be easily converted to something I can use in VB? And will they resolve these stinking DMA problems I'm having?


Also, in the game you have 8 "quick item slots" you can use to put in health/magic/pet health recovery items. I would like to make it so there is ALWAYS a health "tablet" in slot one, and always a magic one in slot 2. I've done "changed, hasn't changed, hasn't, has, hasn't, has, etc." and can only get down to 73 addresses (way too many).

I've tried 1, 2, 4, and 8 byte searches, and can't come up with anything that will work.

Has anyone done any item slot hacking on RPGs and have any advice?


Thankz in advance
-Mad

ka0s
24th September 2004, 05:31
Go to ghu.as.ro and look under the gamehacking section and find the "defeating DMA" tutorials.

Maddogz
24th September 2004, 07:22
Heh, you got your name in binary.. ;-)

Anyways, I've gone through a couple of tutorials, but none of them seem to apply to what I'm trying to do. What comes up in my search is different (of course)...

I went through one; it said to find the address, enable the debugger, and turn on auto hack. I changed the amount of exp I had, and it came up with this line:

41357B: mov [esi+0xE8],eax

The 0x means that's hex... (I lurnt dat one) heh

I subtracted E8 from my address (5624300) and got 5624218
I then converted that into decimal (90325528)

Then I searched for that value with Tsearch and found 11 addresses. How can I narrow these down? (the right way)

I went back to the main menu, started a new character, and 2 of those addresses had the same value (90325528) instead of 11 of them... Then I went back and started another character, and none of them have that value.

I have those 2 values though; they are 578F030 and 578F050.


Am I on the right path here? I will get this done. Somehow.
(hopefully without talking someone into going and downloading ShadowFlare from the website and helping me through it, cough cough, it's free, cough..)

heh

ka0s
24th September 2004, 19:11
Yep, you're on the right path. Under the gamehacking section again on ghu.as.ro there is a tut called "Defeating DMA - Pointer Searching (using Tsearch)" by Eedok, and at the bottom it says "Possible problem and solution", and there it tells you how to narrow them down :)
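The arithmetic the thread walks through (subtract the instruction's offset from the found address to get the value ESI holds, search memory for that value, then restart and keep only the pointer cells that still hold the right block address) is the same pointer-following used when reading structures out of any memory dump. The following is an added example, not code from the thread or from Tsearch: it reproduces that workflow against a constructed in-memory snapshot. The 0x5624300 address and the 0xE8 offset come from the thread; the addresses 0x4A1F30, 0x578F030, 0x5731218 and 0x57A2040 and the stat value are constructed for illustration.

```python
import struct

OFFSET = 0xE8              # offset from `mov [esi+0xE8],eax` in the thread
OBSERVED_ADDR = 0x5624300  # address Tsearch reported for the stat (from the thread)

def base_from_offset(observed_addr, offset):
    """Value ESI must hold so that [esi+offset] is the observed address."""
    return observed_addr - offset

def find_pointer_candidates(memory, target):
    """Addresses of 4-byte little-endian cells whose content equals target.
    memory maps address -> bytes (a constructed snapshot, not a real process)."""
    packed = struct.pack("<I", target)
    return sorted(addr for addr, val in memory.items() if val == packed)

def resolve(memory, pointer_addr, offset):
    """Follow pointer_addr -> ESI, then add offset to reach the stat."""
    esi = struct.unpack("<I", memory[pointer_addr])[0]
    return esi + offset

def snapshot(block_addr, heap_copy_addr):
    """Constructed memory image for one game session. The character block sits
    at block_addr; a static pointer in the module's data section (fixed address)
    and a transient heap copy (address differs per session) both hold it."""
    return {
        0x4A1F30: struct.pack("<I", block_addr),        # constructed static pointer
        heap_copy_addr: struct.pack("<I", block_addr),  # constructed heap copy
        block_addr + OFFSET: struct.pack("<I", 1234),   # the stat itself (constructed)
    }

def stable_candidates(sessions):
    """Narrowing step from the thread: keep only pointer addresses that hold the
    correct block address in every session (restart, re-search, intersect)."""
    per_session = [set(find_pointer_candidates(mem, blk)) for blk, mem in sessions]
    return sorted(set.intersection(*per_session))

if __name__ == "__main__":
    esi = base_from_offset(OBSERVED_ADDR, OFFSET)
    print(f"ESI = {esi:#x} = {esi} decimal")  # 0x5624218 = 90325528, as in the thread
    s1 = (esi, snapshot(esi, 0x578F030))
    s2 = (0x5731218, snapshot(0x5731218, 0x57A2040))  # block moved after a restart
    print("session 1 candidates:", [hex(a) for a in find_pointer_candidates(s1[1], s1[0])])
    static = stable_candidates([s1, s2])
    print("stable pointer:", [hex(a) for a in static])
    print("stat address in session 2:", hex(resolve(s2[1], static[0], OFFSET)))
```

The heap copy drops out after one restart because its address and contents both change, while the data-section pointer survives; that is why the tutorial's "restart and search again" step works.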

Maddogz
24th September 2004, 23:13
Alright, so basically I just want the one closest to the program's entry point. Would that be the lowest address I come up with?
Tried it a few times and I come up with different addresses and values each time. I've reopened the game and the addresses' values either change or are non-existent. I get the same ASM line each time I turn on autohack though...
I did try the suggested method in that tut you mentioned, ka0s, but the problem isn't narrowing them down anymore; it's that none of the pointer values I'm searching for will stay the same.


Thankz for moving my post... :cool:


Another note: I seem to get the same address for the experience every once in a while, actually, quite often. It seems it only moves _sometimes_ or something... This is getting stranger every second.. Am I correct in SUBTRACTING E8 from my address (which has been 5624300 a lot lately)??

It doesn't seem right, since it always has the same ASM line claiming it moved +E8, but the addresses are different....
/me Confused!
I think I got the pointer address. Now I'm stuck on a VB problem.. I have a post in the coding section about it..

I'm sure I'll have more Tsearch-based questions to come... (scared yet?)

DyslexicCheater
1st October 2004, 03:01
It would be so much easier if you simply used the mov instruction to put the value you want in the eax register - then it will automatically do the rest for you. I also suggest using SoftICE instead of TSearch for debugging.

I suppose though, if you want to continue trying to use offsets like that, you need to locate the value of the register ESI before doing anything, then compare that to the address you get when you subtract E8 from the address you get. Of course, this is generally considered a waste of time, when it would be far more efficient to insert a call to a cave in the code before the mov instruction which inputs your desired value into eax after repairing the code you broke to make the call instruction to the cave.