0
"[Enable]"
000080
Auto Assembler Script
[ENABLE]
// EPhysicsHandler_Hook: captures object pointers from the game's physics
// dispatch. One allocation holds the hook body at +0 and three dword slots at
// +100/+104/+108; the slots are exported (registersymbol) so the address
// records and the "Cheat Handler" script can read them.
alloc( EPhysicsHandler_Hook, 1024 )
registersymbol( EPhysicsHandler_Hook )
label( p0 )
registersymbol( p0 )
label( p1 )
registersymbol( p1 )
label( p2 )
registersymbol( p2 )
label( back )
label(exit)
// Pointer slots (zero until the hook fires). Writable data lives in the same
// executable allocation as the code, so keep +100.. clear of anything executed.
EPhysicsHandler_Hook+100:
p0:
dd 0                                    // p0 = [object+160]
EPhysicsHandler_Hook+104:
p1:
dd 0                                    // p1 = the object itself (ecx at the hook)
EPhysicsHandler_Hook+108:
p2:
dd 0                                    // p2 = [object+10C]
EPhysicsHandler_Hook:
// Only capture when the float at +2A4 equals 1.0.
// NOTE(review): this looks like an "is the player" heuristic — confirm no
// other object reaching this code path can carry 1.0 at +2A4.
cmp [ecx+2A4],(float)1.0
jne exit
push ebx                                // ebx is used as scratch; restored below
mov [p1],ecx
mov ebx,[ecx+160]
mov [p0],ebx
mov ebx,[ecx+10C]
mov [p2],ebx
pop ebx
exit:
// Re-execute the 7-byte instruction the jmp replaced, then resume. EFLAGS is
// clobbered by the cmp above; that is harmless only because the next original
// instruction is itself a cmp (83 FA 0E in the hook-site signature).
movzx edx,byte ptr [ecx+104]
jmp back
// Hook site: `movzx edx,byte ptr [ecx+disp32]` (0F B6 91 ..) followed by
// `cmp edx,0E` / `ja` / `jmp [edx*4+table]` — a switch on the byte at +104.
// The 7-byte movzx is overwritten with a 5-byte jmp plus two nops.
aobscan( dwEPhysicsHook_AOB, 0FB691????????83FA0E0F87????????FF2495????????8B11 )
label( dwEPhysicsHook )
registersymbol( dwEPhysicsHook )
dwEPhysicsHook_AOB:
dwEPhysicsHook:
jmp EPhysicsHandler_Hook
db 90 90                                // pad to the original 7 bytes
back:                                   // execution resumes at the cmp edx,0E
// Game functions resolved by signature for the "Cheat Handler" script.
// Both prologues read `this` from ecx (8B 41 30 = mov eax,[ecx+30];
// 8B F1 = mov esi,ecx), so they are called thiscall-style with args pushed.
// NOTE(review): the callers never adjust esp after `call`, which assumes the
// callee removes its own stack arguments — confirm against the epilogues.
aobscan( GetIndex_AOB, 558BEC83EC148B4130565733FF )
label( GetIndex )
registersymbol( GetIndex )
GetIndex_AOB:
GetIndex:
aobscan( SetIndex_AOB, 558BEC5153568BF18B4618578975FC85C0 )
label( SetIndex )
registersymbol( SetIndex )
SetIndex_AOB:
SetIndex:
[DISABLE]
// Put the original 7-byte movzx back at the hook site, then free the block.
dwEPhysicsHook:
movzx edx,byte ptr [ecx+104]
unregistersymbol( dwEPhysicsHook )
unregistersymbol( p2 )
unregistersymbol( p1 )
unregistersymbol( p0 )
unregistersymbol( EPhysicsHandler_Hook )
// NOTE(review): GetIndex/SetIndex are left registered (no matching
// unregistersymbol), and the "Cheat Handler" thread, if still running, has
// p0/p1/p2 resolved to absolute addresses inside this block and would read
// freed memory after the dealloc — disable that script first.
dealloc( EPhysicsHandler_Hook )
22
"[Character]"
FF0000
1
255
"[Mana]"
FF0000
1
248
"Mana"
80000008
4 Bytes
p1
A60
308
"Mana Delta (subtraction on cast)"
80000008
4 Bytes
p1
1228
249
"Mana Max"
80000008
4 Bytes
p1
A64
307
"Mana Recharge Timer (keep it on for instant recharge)"
80000008
Float
p1
1224
254
"[Health]"
FF0000
1
15
"Health"
80000008
4 Bytes
p1
344
247
"Health Max"
80000008
4 Bytes
p1
348
256
"[Air]"
FF0000
1
250
"Air"
80000008
Float
p1
AB8
251
"Air Max"
80000008
Float
p1
ABC
257
"[Speed]"
FF0000
1
253
"Speed"
80000008
Float
p1
318
252
"Speed Modifier (changes on draw/hide weapons/sprint/crouch)"
80000008
Float
p1
58C
260
"[Inventory]"
FF0000
1
266
"[Resources]"
FF0000
1
261
"Slot"
1
80000008
4 Bytes
p1
48
C8
59C
304
"Item"
80000008
String
100
1
1
p1
0
38
48
C8
59C
294
"Content"
80000008
4 Bytes
p1
4C
C8
59C
292
"Slot"
1
80000008
4 Bytes
p1
C
C8
59C
302
"Item"
80000008
String
100
1
1
p1
0
38
C
C8
59C
295
"Content"
80000008
4 Bytes
p1
10
C8
59C
296
"Slot"
1
80000008
4 Bytes
p1
18
C8
59C
306
"Item"
80000008
String
100
1
1
p1
0
38
18
C8
59C
297
"Content"
80000008
4 Bytes
p1
1C
C8
59C
298
"Slot04"
1
80000008
4 Bytes
p1
24
C8
59C
305
"Item"
80000008
String
100
1
1
p1
0
38
24
C8
59C
299
"Content"
80000008
4 Bytes
p1
28
C8
59C
291
"Sokolov's Health Elixir"
80000008
4 Bytes
p1
D4
59C
262
"Piero's Spiritual Remedy"
80000008
4 Bytes
p1
D8
59C
267
"[Ammo]"
FF0000
1
265
"Regular/Bullet"
80000008
4 Bytes
p1
0
BC
59C
268
"Regular/Bullet Max"
80000008
4 Bytes
p1
4
BC
59C
269
"Explosive Bullet"
80000008
4 Bytes
p1
8
BC
59C
270
"Explosive Bullet Max"
80000008
4 Bytes
p1
C
BC
59C
271
"Crossbow/Wristbow Bolt"
80000008
4 Bytes
p1
10
BC
59C
272
"Crossbow/Wristbow Bolt Max"
80000008
4 Bytes
p1
14
BC
59C
273
"Sleep Dart"
80000008
4 Bytes
p1
18
BC
59C
274
"Sleep Dart Max"
80000008
4 Bytes
p1
1C
BC
59C
275
"Incendiary Bolt"
80000008
4 Bytes
p1
20
BC
59C
276
"Incendiary Bolt Max"
80000008
4 Bytes
p1
24
BC
59C
277
"Springrazor"
80000008
4 Bytes
p1
28
BC
59C
278
"Springrazor Max"
80000008
4 Bytes
p1
2C
BC
59C
279
"Grenade"
80000008
4 Bytes
p1
30
BC
59C
280
"Grenade Max"
80000008
4 Bytes
p1
34
BC
59C
281
"Sticky Grenade"
80000008
4 Bytes
p1
38
BC
59C
282
"Sticky Grenade Max"
80000008
4 Bytes
p1
3C
BC
59C
283
"Explosive Bolt"
80000008
4 Bytes
p1
40
BC
59C
284
"Explosive Bolt Max"
80000008
4 Bytes
p1
44
BC
59C
285
"Arc Mine"
80000008
4 Bytes
p1
48
BC
59C
286
"Arc Mine Max"
80000008
4 Bytes
p1
4C
BC
59C
287
"Chokedust"
80000008
4 Bytes
p1
50
BC
59C
288
"Chokedust Max"
80000008
4 Bytes
p1
54
BC
59C
289
"Stun Mine"
80000008
4 Bytes
p1
58
BC
59C
290
"Stun Mine Max"
80000008
4 Bytes
p1
5C
BC
59C
321
"[Spells]"
FF0000
1
330
"[Blink]"
FF0000
1
324
"ID"
80000008
String
100
1
1
p1
0
0
3C
8C
58
38
320
"Cooldown Time"
80000008
Float
p1
138
58
38
343
"Mana Consumption"
80000008
4 Bytes
p1
8C
8C
58
38
325
"Distance"
80000008
Float
p1
160
8C
58
38
326
"Height"
80000008
Float
p1
164
8C
58
38
331
"[Dark Vision]"
FF0000
1
345
"ID"
80000008
String
100
1
1
p1
0
0
3C
8C
64
38
333
"Mana Consumption"
80000008
4 Bytes
p1
8C
8C
64
38
332
"Duration Counter"
80000008
Float
p1
94
64
38
334
"[Bend Time]"
FF0000
1
344
"ID"
0
80000008
String
100
1
1
p1
0
0
3C
8C
5C
38
336
"Mana Consumption"
80000008
4 Bytes
p1
8C
8C
5C
38
354
"SloMo Value (default: 0.89)"
80000008
Float
p1
188
8C
5C
38
356
"Duration (default: 8)"
80000008
Float
p1
18C
8C
5C
38
357
"[Summon Assassin]"
FF0000
1
358
"ID"
80000008
String
100
1
1
p1
0
0
3C
8C
60
38
360
"Mana Consumption"
80000008
4 Bytes
p1
8C
8C
60
38
361
"Distance"
80000008
Float
p1
1A8
8C
60
38
23
"[Scripts]"
FF0000
1
21
"Cheat Handler"
80000008
Auto Assembler Script
[ENABLE]
// Cheat Handler: a hotkey-polling thread injected into the game. The 4 KiB
// block holds the thread body at +0 and its state dwords from +300 onward.
// Requires the "[Enable]" script: p0/p1/p2, GetIndex and SetIndex must be
// registered before any hotkey fires.
alloc( KeyHandlerThread, 4096 )
registersymbol( KeyHandlerThread )
CreateThread( KeyHandlerThread )        // starts the poll loop in the target
label( Toggle )
label( Toggler )
registersymbol( Toggler )
label( KeyHandlerOff )
registersymbol( KeyHandlerOff )
label( ExitKeyHandler )
label( bPlayersOnly )
registersymbol( bPlayersOnly )
label( TogglePlayersOnly )
label( TogglePlayersOnly_exit )
label( ToggleFly )
label( bFly )
registersymbol( bFly )
label( ToggleFly_exit )
label( ToggleGhost )
label( bGhost )
registersymbol( bGhost )
label( ToggleGhost_exit )
label( ToggleGod )
label( bGod )
registersymbol( bGod )
label( ToggleGod_exit )
label( ToggleSloMo1 )
label( ToggleSloMo2 )
label( ToggleSloMo3 )
/*
label( dwTable )
label( s )
label( string )
label( GetIndexes )
label( GetIndexes_exit )
label( GetIndexes_loop )
*/
// Thread state. Each flag is a dword so `xor [flag],1` / `cmp [flag],1` work
// without size prefixes. The b* flags are exported for the address records
// ("PlayersOnly", "Fly", "Ghost", "God") that display them.
KeyHandlerThread+300:
Toggler:
dd 1                                    // 1 = hotkeys active; F2 flips it
KeyHandlerThread+304:
KeyHandlerOff:
dd 0                                    // set to 1 by [DISABLE]; ends the thread
KeyHandlerThread+308:
bPlayersOnly:
dd 0
KeyHandlerThread+30C:
bFly:
dd 0
KeyHandlerThread+310:
bGhost:
dd 0
KeyHandlerThread+314:
bGod:
dd 0
/*
KeyHandlerThread+318:
dwTable:
dd 0
KeyHandlerThread+800:
string:
db '[Index]: %08X - %08X',0
KeyHandlerThread+900:
s:
dd 0
*/
KeyHandlerThread:
// Poll loop. Bare numbers are hexadecimal (auto-assembler default): 0a = 10 ms.
// GetAsyncKeyState returns a SHORT whose high bit means "down now" and whose
// low bit means "pressed since the last call"; `test ax,ax` accepts either.
// Each handler sleeps C8 (200 ms) before returning here as a crude debounce.
push 0a
call kernel32.Sleep
cmp [KeyHandlerOff],1
je ExitKeyHandler                       // [DISABLE] raised the flag
push 71 //F2 - master on/off for the remaining hotkeys
call GetAsyncKeyState
test ax,ax
jne Toggle
cmp [Toggler],1
jne KeyHandlerThread                    // hotkeys off: only F2 is polled
push 61 //VK_NUMPAD1
call GetAsyncKeyState
test ax,ax
jne TogglePlayersOnly
push 62 //VK_NUMPAD2
call GetAsyncKeyState
test ax,ax
jne ToggleFly
push 63 //VK_NUMPAD3
call GetAsyncKeyState
test ax,ax
jne ToggleGhost
/*
push 60 //VK_NUMPAD0
call GetAsyncKeyState
test ax,ax
jne GetIndexes
*/
push 65 //VK_NUMPAD5
call GetAsyncKeyState
test ax,ax
jne ToggleGod
push 67 //VK_NUMPAD7
call GetAsyncKeyState
test ax,ax
jne ToggleSloMo1
push 68 //VK_NUMPAD8
call GetAsyncKeyState
test ax,ax
jne ToggleSloMo2
push 69 //VK_NUMPAD9
call GetAsyncKeyState
test ax,ax
jne ToggleSloMo3
jmp KeyHandlerThread                    // nothing pressed: poll again
TogglePlayersOnly:
// Toggle bit 400 of the dword at [p0+2EC] ("PlayersOnly (2xx->6xx)" in [Debug]).
xor [bPlayersOnly],1
cmp [bPlayersOnly],0
je @f
mov ecx,[p0]
or dword ptr [ecx+2EC],400
jmp TogglePlayersOnly_exit
@@:
mov ecx,[p0]
// NOTE(review): mask FFFFF2FF also clears bits 100 and 800, which the enable
// path never sets — confirm that is intended; FFFFFBFF would clear only 400.
and dword ptr [ecx+2EC],FFFFF2FF
TogglePlayersOnly_exit:
push C8                                 // 200 ms debounce
call kernel32.Sleep
jmp KeyHandlerThread
ToggleFly:
// Fly on: call GetIndex(397,0) with this=[p2], store the result in both axis
// slots ([p2+18]+10 "Axis_X" and +28 "Axis_Y"), set the physics-type byte at
// [p1+104] to 4, and raise FlyingFriction ([[p1+1B0]+298]) and Speed ([p1+318]).
// ebx is clobbered freely: this is the body of the thread created above.
xor [bFly],1
cmp [bFly],0
je @f
push 0
push 397
mov ecx,[p2]
call GetIndex                           // no esp fix-up: assumes callee-cleaned args
mov ebx,[p1]
mov ecx,[ebx+10C]                       // [p1+10C] is the pointer the hook saved as p2
mov ecx,[ecx+18]
mov [ecx+10],eax
mov [ecx+28],eax
mov byte ptr [ebx+104],4
mov ecx,[ebx+1B0]
mov [ecx+298],(float)2.0
mov [ebx+318],(float)40.0
jmp ToggleFly_exit
@@:
// Fly off: GetIndex(393,0) goes to Axis_Y only, SetIndex(64,0) is applied, and
// type / friction / speed return to 1 / 0.3 / 1.0.
// NOTE(review): Axis_X ([ecx+10]) is not restored on this path — confirm.
push 0
push 393
mov ecx,[p2]
call GetIndex
mov ebx,[p1]
mov ecx,[ebx+10C]
mov ecx,[ecx+18]
mov [ecx+28],eax
push 0
push 64
mov ecx,[p2]
call SetIndex
mov ebx,[p1]
mov byte ptr [ebx+104],1
mov ecx,[ebx+1B0]
mov [ecx+298],(float)0.3
mov [ebx+318],(float)1.0
ToggleFly_exit:
push C8                                 // 200 ms debounce
call kernel32.Sleep
jmp KeyHandlerThread
ToggleGhost:
// Flip the byte at [p1+127] between 80 (on) and 50 (off) — the "WallHack"
// record in [Debug] watches this byte.
xor [bGhost],1
cmp [bGhost],0
je @f
mov ebx,[p1]
mov byte ptr [ebx+127],80
jmp ToggleGhost_exit
@@:
mov ebx,[p1]
mov byte ptr [ebx+127],50
ToggleGhost_exit:
push C8                                 // 200 ms debounce
call kernel32.Sleep
jmp KeyHandlerThread
ToggleGod:
// Flip the byte at [p2+38C] between 40 (on) and 0 (off) — the "God" record
// in [Debug] watches this byte.
xor [bGod],1
cmp [bGod],0
je @f
mov ebx,[p2]
mov byte ptr [ebx+38C],40
jmp ToggleGod_exit
@@:
mov ebx,[p2]
mov byte ptr [ebx+38C],0
ToggleGod_exit:
push C8                                 // 200 ms debounce
call kernel32.Sleep
jmp KeyHandlerThread
// SloMo presets: write the float at [p0+384] (the "SloMo" record) and debounce.
ToggleSloMo1:
mov ebx,[p0]
mov [ebx+384],(float)0.5                // NUMPAD7: half speed
push C8
call kernel32.Sleep
jmp KeyHandlerThread
ToggleSloMo2:
mov ebx,[p0]
mov [ebx+384],(float)1.0                // NUMPAD8: normal speed
push C8
call kernel32.Sleep
jmp KeyHandlerThread
ToggleSloMo3:
mov ebx,[p0]
mov [ebx+384],(float)1.5                // NUMPAD9: 1.5x speed
push C8
call kernel32.Sleep
jmp KeyHandlerThread
/*
GetIndexes:
mov eax,dwTable
GetIndexes_loop:
cmp [eax],0
je GetIndexes_exit
push eax // table address
mov edx,[eax]
push [edx+28] // +28
push edx // Index
push string
push 104 // MAX_PATH
push s // buffer
call sprintf_s
add esp,14
push s
call OutputDebugStringA
pop eax
add eax,4
jmp GetIndexes_loop
GetIndexes_exit:
push C8
call kernel32.Sleep
jmp KeyHandlerThread
*/
Toggle:
// F2: flip the master hotkey switch, then wait 96 (150 ms) to avoid bouncing.
xor [Toggler],1
push 96
call kernel32.Sleep
jmp KeyHandlerThread
ExitKeyHandler:
ret                                     // returns to the thread start stub; thread ends
[DISABLE]
// Ask the thread to exit: it tests this flag every 10 ms and then `ret`s.
KeyHandlerOff:
dd 1
unregistersymbol( bGod )
unregistersymbol( bGhost )
unregistersymbol( bFly )
unregistersymbol( bPlayersOnly )
unregistersymbol( KeyHandlerOff )
// NOTE(review): the block is not dealloc'ed here, presumably because the
// thread may still be executing in it; each enable/disable cycle therefore
// leaks one 4 KiB block, and Toggler / KeyHandlerThread stay registered.
// A bounded wait on the thread before dealloc would close both gaps.
26
"SloMo"
80000008
Float
p0
384
146
"PlayersOnly"
80000008
4 Bytes
bPlayersOnly
147
"Fly"
80000008
4 Bytes
bFly
148
"Ghost"
80000008
4 Bytes
bGhost
246
"God"
80000008
4 Bytes
bGod
25
"[Debug]"
C0C0C0
1
5
"p0"
1
80000008
4 Bytes
p0
11
"SloMo"
80000008
Float
p0
384
6
"PlayersOnly (2xx->6xx)"
1
80000008
4 Bytes
p0
2EC
3
"p1"
1
80000008
4 Bytes
p1
2
"EPhysics"
1
80000008
Byte
p1
104
18
"WalkingSpeed"
80000008
Float
p1
2F0
17
"WalkingFriction"
80000008
Float
p1
284
1B0
20
"FlyingSpeed"
80000008
Float
p1
2F8
19
"FlyingFriction"
80000008
Float
p1
298
1B0
12
"WallHack (50xxxxxx -> 80xxxxxx)"
1
80000008
Byte
p1
127
4
"p2"
1
80000008
4 Bytes
p2
13
"Axis_X"
1
80000008
4 Bytes
p2
10
18
14
"Axis_Y"
1
80000008
4 Bytes
p2
28
18
16
"God (01138000 - enemies don't attack; xxxxxx40 - god)"
1
80000008
Byte
p2
38C
68
"Enemies Ignore You"
80000008
Auto Assembler Script
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(stealth)
registersymbol(stealth)
// Target is a 7-byte getter: movzx eax,byte ptr [ecx+AC] ; ret
// (0F B6 81 AC 00 00 00 C3). jmp + 2 nops fits exactly and `returnhere`
// lands on the ret.
aobscan(stealthaob,0f b6 81 ac 00 00 00 c3 cc cc cc)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
// Clear the field before the getter reads it, so every caller sees 0.
// NOTE(review): (int)0 writes four bytes while the getter reads one, so
// [ecx+AD..AF] are zeroed as well — `mov byte ptr [ecx+000000AC],0` unless
// clobbering the neighbouring bytes is intended.
mov [ecx+000000AC],(int)0
originalcode:
movzx eax,byte ptr [ecx+000000AC]
exit:
jmp returnhere
stealthaob:
stealth:
jmp newmem
nop
nop
returnhere:
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
// Restore the original 7 bytes at the hook site.
stealth:
movzx eax,byte ptr [ecx+000000AC]
//Alt: db 0F B6 81 AC 00 00 00
unregistersymbol(stealth)
Activate
86
0
Deactivate
18
86
1
p0
0F7B0100
p1
0F7B0104
p2
0F7B0108
dwEPhysicsHook
006A2C01
GetIndex
00463320
SetIndex
0042F120
Toggler
23FC0300
KeyHandlerOff
23FC0304
bPlayersOnly
23FC0308
bFly
23FC030C
bGhost
23FC0310
bGod
23FC0314
stealth
00B48110