Aika Zoom hack with CE and OllyDbg
The following tutorial was written for Aika Online, but it should suit almost any MMO in which the player can change the zoom (the distance between the camera and the character).
Tools:
- Cheat Engine, MHS
- OllyDbg
Requirements: basic knowledge of CE
So, we start the game, scroll the camera to maximum distance (not obligatory), then start CE, attach it to the game and search for a float value in the 5-50 range.
Of course, we could search for an unknown value, or at least pick a wider range such as 1-1000; it depends on the game. For Aika the 5-50 range is enough.
Begin searching.
Our aim now is a short list of addresses, one of which stores the zoom value. The next steps are the same as in any memory search: find addresses, eliminate the ones that do not match, keep searching for "changed" values after scrolling the zoom, and so on.
In the end we get our address; for Aika it holds the value 10 at maximum distance.
Add this address to the list and use "Find out what writes to this address".
In the opcode window we can pick and examine any instruction, but for Aika we pay attention to the following two:
0048bd9d - fld dword ptr [ecx+14]
0048bddb - fld dword ptr [ecx+14]
Why these instructions? Hm, that's another story (I've already described it in some other tutorial, but I forgot where exactly).
Open "Extra info" (just double-click) for the first instruction:
and for the second instruction:
What do we see here?
0048bdd0 - mov eax,[009f7998]
0048bdd5 - mov ecx,[eax+0003f5f4]
0048bddb - fld dword ptr [ecx+14]
[009f7998] – the base address (for the current Aika client)
and offsets: [[[009f7998] + 0003f5f4] + 14]
fld dword ptr [ecx+14] – this instruction takes a float value from [ecx+14] and pushes it onto the FPU stack. This value is our "zoom".
Every float argument has to be pushed onto the co-processor stack, the Floating Point Unit (FPU) stack; hence the name of every floating-point instruction starts with an 'F'. Usually a float operation begins with an FLD instruction, which loads a float number on top of the FPU stack. It can then be stored back into a variable with the FST or FSTP instruction.
Let's add the base address and offsets to CE.
Now we have the current zoom. But this isn't the end of the tutorial, because we have found not only the base address and offsets but a little bit more…
Now we open OllyDbg (or any other debugger) and attach it to the game process (or simply open the client executable without running it). Press Ctrl+G and enter the address of our first instruction:
0048bd9d - fld dword ptr [ecx+14]
Here is the piece of code that CE also showed us.
Right after the fld instruction we see
0048BDA0 FCOMP dword ptr [5C65E0] ; FLOAT 1.700000
and slightly lower
0048BDDE FCOMP dword ptr [5EC058] ; FLOAT 10.00000
So, what do we have? FCOMP (compare ST(0) to a floating-point value and pop ST(0)):
This instruction performs a signed comparison between the value in the top data register ST(0) and the floating-point value at the specified source (Src). The top data register is popped after the comparison is completed. It is used when the value in ST(0) is no longer needed for further computation once the comparison has been performed.
5C65E0 – stores the minimal float value for "zoom" (1.7)
5EC058 – the maximal value (10.0)
Of course, we could have got these values from CE as well, but I like OllyDbg…
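As an added illustration (not part of Dwar's tutorial), here is the chain [[[009f7998] + 0003f5f4] + 14] walked over a constructed byte array that stands in for the client's address space, followed by the range test the two FCOMPs perform. The slot, object and camera addresses in the toy image are hypothetical; only the offsets 0x3f5f4 and 0x14 and the limits 1.7 and 10.0 come from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the client's 32-bit address space: a flat byte
 * array. The slot/object/camera addresses below are hypothetical; only the
 * offsets (0x3f5f4, 0x14) and the limits (1.7, 10.0) come from the tutorial. */
#define IMAGE_SIZE 0x41000u
static uint8_t image[IMAGE_SIZE];

/* Bounds-checked little-endian 32-bit read; returns 0 on success, -1 if the
 * address falls outside the image (the equivalent of an unreadable page). */
static int read_u32(uint32_t addr, uint32_t *out) {
    if (addr > IMAGE_SIZE - 4) return -1;
    memcpy(out, image + addr, 4);            /* host assumed little-endian */
    return 0;
}

/* Walk a multi-level pointer: addr = [base]; then for each offset add it and
 * dereference, except the last one, which is only added. The tutorial's chain
 * [[[009f7998] + 0003f5f4] + 14] is base = 009f7998, offs = {0x3f5f4, 0x14}. */
static int resolve_chain(uint32_t base, const uint32_t *offs, size_t n,
                         uint32_t *final_addr) {
    uint32_t addr;
    if (read_u32(base, &addr)) return -1;    /* mov eax,[base]            */
    for (size_t i = 0; i < n; i++) {
        addr += offs[i];                     /* [eax+3f5f4] ... [ecx+14]  */
        if (i + 1 < n && read_u32(addr, &addr)) return -1;
    }
    *final_addr = addr;
    return 0;
}

/* Read the float that fld dword ptr [ecx+14] would push onto the FPU stack. */
static int read_zoom(uint32_t base, const uint32_t *offs, size_t n, float *z) {
    uint32_t addr, raw;
    if (resolve_chain(base, offs, n, &addr) || read_u32(addr, &raw)) return -1;
    memcpy(z, &raw, 4);
    return 0;
}

/* The two FCOMPs compare ST(0) with 1.7 and 10.0; modelled here as a range test. */
static int zoom_within_limits(float z) { return z >= 1.7f && z <= 10.0f; }

/* Populate the toy image along hypothetical addresses slot -> object -> camera. */
static void build_image(float zoom) {
    const uint32_t slot = 0x100, object = 0x200, camera = 0x40000;
    memcpy(image + slot, &object, 4);               /* [slot] = object    */
    memcpy(image + object + 0x3f5f4, &camera, 4);   /* [object+3f5f4]     */
    memcpy(image + camera + 0x14, &zoom, 4);        /* [camera+14] = zoom */
}
```

A chain whose last hop lands outside the image makes read_zoom return -1, which is the same failure CE reports when a pointer path is stale after a restart.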
Result:
© Dwar