
HP vs MP

Discussion on HP vs MP within the Conquer Online 2 forum part of the MMORPGs category.

#1
Hi, I've been looking into adding memory functions to my little library for bot creation in VB.net... I found HP in a static (unchanging) location of memory but have not been able to locate a position for MP.

I was under the impression that HP & MP were both in DMA blocks, but this doesn't seem to be the case with HP, as it's static over game reloads, time, area changes, etc. (I've yet to try loading under a different OS).

Would anyone be able to shed light on where the pointer is for MP, though?
Lurker3 is offline  
#2, 12/19/2005, 17:00
As far as I'm aware, HP and MP are both dynamically allocated. You can read the maximum HP/MP from a fixed offset, but you'll need to find the location for the current values.

I've made routines to defeat DMA to get HP and MP, but the offsets change each time conquer.exe is patched. I'll have a look later for the offsets in the most recent version, and post them here later.

If you PM me your MSN addy, it would be a lot easier for me to help you via IM.
unknownone is offline  
#3, 12/20/2005, 17:12
You wanted the method, here's all the help I can give. Any further help will need doing over IM.

I'll start with how I found the routines, then I'll go into a quicker method.

Use TSearch to search your current HP value with 4 bytes as the search criteria. It may find many entries, so try and get a unique value. Log onto Qonquer or something, where you can give yourself a high HP.

Once you've found the right address, add it to the cheat list. Next, enable debugger, and then right click the cheat and select AutoHack. If you go back into the game and do any function that will raise or lower your HP, it will add 2 offsets to the autohack window.

The offset you want for HP starts
Code:
mov [eax], ecx
At this point, your HP is held in the ecx register.

The offset you want for MP starts
Code:
mov ebx, eax
At this point, your MP is held in the eax register.

It would be nice to just insert a new line after that to put HP into a fixed address, but unfortunately, that will mess up the addresses and references of all the code after it. We need to redirect the code to an empty space, then insert our new code, and redirect back to where we called from.

For redirecting, we will use a relative jump, which occupies 5 bytes in machine code, so you will need to copy the code that already exists in these 5 bytes, and include it in the code where we have redirected to.
Code:
[OFFSET] | [OP-CODE] | [ASM]

004F802F | 8908 | MOV DWORD PTR DS:[EAX],ECX
004F8031 | 50  | PUSH EAX
004F8032 | 8BCE | MOV ECX,ESI
We need some empty block of memory to put our new code in. I use any bytes between 00010BC0 and 00010FF0, those are all free. For this example, I'm putting the new code in 10C00.

So at address 004F802F, we put a jump relative to 00010C00.
Code:
004F802F | E9CC8BB1FF | JMP 10C00
The new routine contains the old bit of code we had to move, and the new lines to write a fixed offset, and jump back to the calling code.
The code is writing our HP to a fixed offset, where we can read HP from using any bot. The offset here is 10BC0.
We jump back to 4F8034.
Code:
00010C00 | 8908 | MOV DWORD PTR DS:[EAX],ECX
00010C02 | 890DC00B0100 | MOV [10BC0], ECX
00010C08 | 50  | PUSH EAX
00010C09 | 8BCE | MOV ECX,ESI
00010C0B | E924744E00 | JMP 4F8034
Use the opcodes shown beside the ASM along with the WriteProcessMemory function to insert this code from your programming language. Then the ReadProcessMemory function to read HP from the fixed offset. You should read 4 bytes for HP.

That's all of it done, but a bit messy to keep doing if the offsets change. The quick way I use now is to open Conquer in OllyDbg, put Conquer in the CPU window, and then search for a sequence of commands. Search for the sequence I wrote above, and it'll find the offset quickly. You just then need to change the code to match the addresses.

You could incorporate a search into your program, by using ReadProcessMemory, and search the whole block for the bytes, then adjust the opcodes accordingly. Wouldn't be too difficult to make.

---

I'll do MP quickly.

Open Conquer in Olly and search for a sequence of commands.

Code:
MOV EBX,EAX
MOV EAX,DWORD PTR DS:[ESI]
MOV ECX,ESI
In this case, the code occupies 6 bytes, and our jump is only 5 bytes. We need to fill in the missing byte with a NOP (no operation) [opcode 90h].
We jump to a location that won't collide with our HP code.

Code:
004CAA6D | E98E62B4FF | JMP 10D00
004CAA72 | 90 | NOP
Our new code again contains the old routine, writing to the fixed offset, and a relative jump back to the calling code. The fixed offset I write to in this case is 10BC4. We jump back to 4CAA73.

Code:
00010D00 | 8BD8 | MOV EBX,EAX
00010D02 | A3C40B0100 | MOV [10BC4], EAX
00010D08 | 8B06 | MOV EAX,DWORD PTR DS:[ESI]
00010D0A | 8BCE | MOV ECX,ESI
00010D0C | E9629D4B00 | JMP 4CAA73
You can use TSearch EasyWrite to test your routines before putting them into your programming language.

//Credit to ultimatehaker for first discovery, and helping me to do this.
unknownone is offline  
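The displacement arithmetic both routines above depend on (a 5-byte JMP rel32 counts from the end of the instruction, and the overwrite must end on an instruction boundary, hence the NOP in the MP case), plus the integrity scan an anti-tamper check would run over the same bytes to spot such a detour. This is an added example, not code from the post or the game; the sample bytes are the post's HP site and the image range used in the check is an assumption.

```python
import struct

JMP_REL32, JMP_LEN = 0xE9, 5

def encode_jmp(src, dst):
    """Bytes of a `JMP rel32` written at src that lands on dst. The
    displacement counts from the END of the 5-byte instruction and is
    reduced mod 2**32, so backward jumps wrap to two's complement."""
    rel = (dst - (src + JMP_LEN)) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", rel)

def decode_jmp(addr, code):
    """Absolute target of the E9 jump at addr, or None if it is not one."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + JMP_LEN + rel) & 0xFFFFFFFF

def nops_needed(instr_lens):
    """NOPs that must follow the 5-byte jump so the overwrite ends on an
    instruction boundary. instr_lens are the lengths of the instructions
    at the hook site: the post's MP site is 2+2+2 bytes, hence one NOP."""
    taken = 0
    for n in instr_lens:
        taken += n
        if taken >= JMP_LEN:
            return taken - JMP_LEN
    raise ValueError("not enough instructions to cover the jump")

def find_foreign_jumps(base, code, lo, hi):
    """Integrity check: every E9 whose target lies outside [lo, hi) is a
    candidate inline hook. A linear byte scan can also hit an E9 that is
    really immediate data, so results are leads to confirm in a
    disassembler, not proof."""
    hits = []
    for i in range(len(code) - JMP_LEN + 1):
        tgt = decode_jmp(base + i, code[i:i + JMP_LEN])
        if tgt is not None and not (lo <= tgt < hi):
            hits.append((base + i, tgt))
    return hits

# Constructed sample: the post's HP site (004F802F) after patching, i.e.
# the 5-byte jump to the cave followed by the untouched MOV ECX,ESI.
# The image range 0x400000-0x600000 used with it is an assumption.
HOOKED_HP_SITE = bytes.fromhex("E9CC8BB1FF" "8BCE")
```

Running `find_foreign_jumps(0x4F802F, HOOKED_HP_SITE, 0x400000, 0x600000)` flags the jump at 004F802F to 00010C00, which lies outside the assumed image and is exactly what a cave detour looks like from the defending side.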
#4, 12/20/2005, 21:50
Thanks for the info, it helped a lot
+Karma
Lurker3 is offline  