Thread: Aika Zoom with CE and OllyDbg

Aika Zoom hack with CE and OllyDbg

Following tutorial was written for Aika Online, but it will be suitable to any (in general) mmo, where gamer can change zoom (distance between camera and char).

Tools:

• Cheat Engine, MHS
• OllyDbg

Requirements: Basic knowledge in CE

---

So, we start game, scroll our camera to maximum (it’s not obligatory), than start and attach CE and choose float value in 5-50 range.

Of course, we can use unknown value or at least choose e.g. 1-1000 range – it’s depended from game. For Aika, range in 5-50 will be enough.
Begin searching.
Now our aim – small list of addresses where one of them store zoom value. And next steps are same for every memory search process: find addresses, vanish addresses, continue searching “changed” values and so on.
At the end we will get our address and (for Aika) it will store value = 10 (for maximum distance).

Add this address to the list and call “Find out what writes to this address”.

In window with opcodes we can choose and examine any opcode, but for Aika we will pay attention on following instructions:
0048bd9d - fld dword ptr [ecx+14]
0048bddb - fld dword ptr [ecx+14]

Why this values? Hm, it’s another story (also I’ve already described this in some other tutorial, but I forgot where exactly).
Call “Extra info” (just double click) for first instruction:

and for second instruction

What we see here?

0048bdd0 - mov eax,[009f7998]

0048bdd5 - mov ecx,[eax+0003f5f4]

0048bddb - fld dword ptr [ecx+14]

[009f7998] – Base address (for current Aika client)
and offsets: [[[009f7998] + 0003f5f4] + 14]

Every Float Argument has to be pushed on the co-processor stack or the Floating Point Unit Stack (FPU). Hence every Floating point instruction is preceded by a 'F'. Usually every float operation starts with a FLD INSTRUCTION which "LOADS A FLOAT NUMBER ON TOP OF THE FPU STACK". Then it can be stored in a variable with the help of the FST and FSTP Instruction

fld dword ptr [ecx+14] – this operation take from ecx+14 some float value and push it into FPU. This value is our “zoom”.

Let’s add them to CE

Now we have current zoom. But this isn’t end of our tutorial, because we have found not only base address and offsets, but a little bit more…

Now, we open Ollydbg (or any other debugger), and attach it to our game process (or we can just open client without execution). Press ctrl + G and enter address of our first instruction
0048bd9d - fld dword ptr [ecx+14]

Here is a piece of code that has been also shown by CE.

Right after fld instruction we see
0048BDA0 FCOMP dword ptr [5C65E0] ; FLOAT 1.700000
and slightly lower
0048BDDE FCOMP dword ptr [5EC058] ; FLOAT 10.00000

FCOMP (Compare ST(0) to a floating point value and POP ST(0))
This instruction performs a signed comparison between the value in the TOP data register ST(0) and the floating point value from the specified source (Src). The top data register is popped after the comparison is completed. This instruction is used when the value in ST(0) would no longer be needed for further computation after the comparison has been performed.

So, what we have?
5C65E0 – store minimal float value for “zoom”
5EC058 – maximal value.
Of course, these values we have got also from CE, but I like Ollydbg…

Result:

© Dwar