serpent_mln 24.10.19 11:56 am

Hacking game (Prince of Persia: Warrior Within)

In this thread I propose to share the experience of hacking the game (using Artmoney, Chemax, TSearch, HxD and many other programs and trainers). I have completed the game many times on Hard without cheating, so if your comment is along the lines of "Ew, cheater!", pass by. The goal of this thread is to learn the mechanisms and features of the game and how it behaves in any situation.
Adrielin 24.10.19

Fu, cheater

serpent_mln 24.10.19

My hacking Prince of Persia: SoT and WW. Article 1
It all started long ago in a distant galaxy. Although no! It was not so. At the time I was filming videos about various types of bugs in WW (the zip bug of passing through walls via time rewind). I closely followed the Kindred Blades group, and posted a video there for the first time. The save editor Timeline2 was once posted in this group. Its features include changing: the primary and secondary swords, the strength of the secondary sword, the current and maximum health, the number of sand tanks, the game skin (the Prince or the Sand Wraith), locations, timeline, level of difficulty.



I was interested in the possibility of replacing the swords at different stages of the game. I even filmed a series of videos under the codename Operation Sword Bearer [https://vk.com/videos-150539102?section=album_5]

From the very beginning of the project I wanted to try fighting the Dahaka with different swords. But I failed to do this with Timeline2: the save editor changes the swords only at the save points (the fountains), and if you go into the battle without the Water sword, you'll fight Kaileena. The solution was as follows: find the value of the swords in the game's memory and replace it directly during the battle with the Dahaka. Searching for an unknown value in Artmoney found nothing. So I went another way: I took the last save in the game, made a copy, replaced the sword in the copy through the save editor and compared the HEX code of the copy and the original. The results were as follows:



The difference was in 1 offset. After checking all the swords and the absence of a sword, I found that the sword code consists of 4 bytes. The HEX code of the swords is highlighted in yellow in the figure. In memory the HEX codes of the swords are in the opposite order.

Eagle sword - 00 00 00 00. Wooden stick - 00 00 00 01. Spider sword - 00 00 00 02. Snake sword - 00 00 00 03. Lion sword - 00 00 00 04. Broken Lion sword - 00 00 00 05. Scorpion sword - 00 00 00 06. Water sword - 00 00 00 07.

Finding these values in memory is like looking for a needle in a haystack... No! Let it be a pile of sand! So I took the HEX values that come before the sword in the save and searched for those bytes together with the sword bytes using the HEX memory editor TSearch. There were only a few matches. But this address [D18044] does not work quite as I expected. This address tells the game which sword to use when loading saves/checkpoints. After starting a new game, this address starts working only after the first checkpoint. And I was able to try the battle with the Dahaka with different swords! In addition, the address is static, which allowed me to create a simple trainer, sWWord [https://vk.com/doc-150539102_474812966?dl=b57ec41cf83900024a]
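The save comparison described in the post above, as an added example that is not part of the original post: it diffs two equal-length buffers, then decodes the 4-byte sword code using the table the post gives. The tiny `make_save` layout is constructed for illustration, and treating the changed byte as the last byte of the field is an assumption drawn from the listed codes.

```python
# Added example: constructed data, not a real Warrior Within save.
SWORDS = {0: "Eagle sword", 1: "Wooden stick", 2: "Spider sword", 3: "Snake sword",
          4: "Lion sword", 5: "Broken Lion sword", 6: "Scorpion sword", 7: "Water sword"}

def make_save(sword_id: int) -> bytes:
    """Build a constructed 'save': 6 filler bytes, 4-byte sword code, 6 filler bytes."""
    return (bytes.fromhex("53 41 56 45 00 10") + sword_id.to_bytes(4, "big")
            + bytes.fromhex("64 00 64 00 0f 00"))

def diff_runs(a: bytes, b: bytes) -> list:
    """Return [(start, end)] half-open ranges where two equal-length buffers differ."""
    if len(a) != len(b):
        raise ValueError("length mismatch: a byte-for-byte comparison would be misaligned")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(a)))
    return runs

def decode_sword(save: bytes, diff_offset: int) -> tuple:
    """Decode the 4-byte code whose last byte is the one that changed (assumed layout)."""
    if diff_offset < 3:
        raise ValueError("no room for a 4-byte field ending at this offset")
    field = save[diff_offset - 3:diff_offset + 1]
    sword_id = int.from_bytes(field, "big")   # byte order as it appears in the save
    in_memory = field[::-1].hex(" ")          # the post: reversed order in memory
    return sword_id, SWORDS.get(sword_id, "unknown"), in_memory

if __name__ == "__main__":
    original, edited = make_save(7), make_save(4)
    for start, end in diff_runs(original, edited):
        print(hex(end - 1), decode_sword(original, end - 1), "->",
              decode_sword(edited, end - 1))
```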

serpent_mln 24.10.19

My hacking Prince of Persia: SoT and WW. Part 2.
Inspired by the success of hacking the main sword, I decided to continue hacking, using Timeline2 and comparing saves. The choice fell on the secondary sword. Following the same scenario as for the main sword, I found the address. Several times I managed to replace the sword, but then I failed to repeat the success. There are no addresses that work. The HEX codes of the swords can be obtained by comparing saves, but that takes very long, as there are very many swords. There is an article by BlackDaemon, one of the creators of Timeline2 and 3, where he lists these HEX codes [http://www.pspx.ru/forum/showthread.php?t=105741]. The article was written for the PSP versions of the games, POP: Revelations and POP: Rival Swords (extended analogues of WW and T2T), so the last column is not really suitable for the PC version.


Sad but true
During these events, something made me install SOT, which I had got for free from UPLAY. Nostalgia, maybe... I thought, why not hack the SOT swords too? I managed to hack the swords. I posted saves with the swords [3 links: https://www.playground.ru/cheats/prince_of_persia_the_sands_of_time_sohranenie_savegame_poetapnoe_prohozhdenie_s_kazhdym_vidom_mechej_1_8_1_4_serpent_mln-84106/; https://www.playground.ru/cheats/prince_of_persia_the_sands_of_time_sohraneniya_savegames_novye_urovni_slozhnosti_hard_impossible_megaimpossible_megaeasy_1_8_1_4_serpent_mln-84722/; https://www.playground.ru/cheats/prince_of_persia_the_sands_of_time_sohraneniya_savegames_novye_urovni_slozhnosti_meganormal_megahard_1_8_1_4_serpent_mln-85395/]. It's all good. But... it was not so! It was not as easy as with WW: no Timeline of its own was made for SOT. What should I do? I took 2 saves: before and after picking up the 2nd sword. But there were many differences.


And there was another difficulty: the protection of the game changes from saving.


Then I decided to search the game's memory using TSearch. Found it. It turned out that the sword takes up half of an offset. The HEX codes of the swords for that half of the offset are as follows: sword 1 - 0, sword 2 - 2, sword 3 - 4, sword 4 - 6. In all, half of an offset has 16 possible values, from 0 to F. I checked them all - they hold only the familiar 4 swords. But it turned out that not everything is so simple with this address. As you progress through the game, the address changes its position in the game's memory. Then I began to study the switch from sword 2 to sword 3. Slowly I began to build a table of addresses at different percentages of the game. This was helped by the structure of 3 bytes in front of the sword and 1.5 bytes after it (in the screenshot of the save comparison this structure is highlighted in yellow).
These structures around the sword are responsible for the total and current (at the time of the save/checkpoint) number of sand tanks, the cups for the number of absorbed sand clouds and the number of absorbed monsters toward creating a new half-ring. A fully filled structure looks like this: 50 A5 14 60 0A
Thanks to these structures, I found almost all the addresses for all %. But sometimes the same % had a different address, and sometimes the address from one % belonged to another. In the end I had a table ready for all percentages other than 0 and 2, when the Prince has no Sands, the structure around the sword is filled with zeros, and the address of the sword is zero. (98 sword does not change the script). How do you find zeros in the game's memory? I thought that was impossible. But I did find these addresses. WW helped me with this. How? More about that next time.

serpent_mln 24.10.19

My hacking Prince of Persia: SoT and WW. Part 3.
Suspending my study of SoT, I went back to WW. Again I tried, unsuccessfully, to hack the 2nd sword. Then I started looking for addresses to create the equivalent of the save editor that would work with the game's memory, not with saved games.
All of the following addresses work the same way. Change the value. Die. Load. The change appears in the game. They work only after the first checkpoint. Script changes can block the ability to hack (e.g., getting a new sword).
1. The health value in WW on Hard. There were 2 of these: addresses D18038 and D1803A. The first address is the current value at the save or checkpoint, and the second is the maximum under the same conditions. The number is 2-byte, so in theory its value can be between 0-65535 (0000-FFFF). An interesting effect occurs at zero health - the Prince dies from a simple jump. The range of health values on Hard is 66-166 [66, 78, 88, 100, 111, 122, 133, 144, 154, 166]
2. The 2-byte value for the number of tanks filled with sand when loading from saves or checkpoints is located at D1803C. Theoretically, the maximum here is also 65535, but a large value causes the game to crash. Setting 15, I found no crashes.
3. The following address is D1803E. 2-byte. Unlocked sand powers. Value range: 0-9. [0 - None; 1 - Recall; 2 - Eye of the Storm; 3 - Breath of Fate; 4 - 4 Sand Tanks; 5 - the Ravages of Time; 6 - 5 Sand Tanks; 7 - Wind of Fate; 8 - 6 Sand Tanks; 9 - Cyclone of Fate]
4. The following address is D18040. 2-byte. Information about the specific health upgrades is located here. The number is binary. The number of ones in it indicates the number of upgrades taken, and the position of each one in the number corresponds to a particular upgrade. I noticed that the address changes when upgrades are taken; the binary nature of this address was caught by DedGameOver.

5. D18042 - strength of the 2nd weapon. 2 bytes. 0-65535. If you put 0, you can do 1 hit.
I failed to replace the Prince's skin. I don't know why, but it does not work. It works in the save editor, but not through memory. If you're interested, here are the values from Timeline2 (in reverse order, as in hex): No Prince - E3 0E 00 04; Yes Prince - 08 28 48 2B; Yes Sand Wraith - 64 00 EF 3B
As you may have suspected, all of these addresses are adjacent to each other. Overall they form a structure that looks like this:



Now comes the fun part! How did I manage to hack the swords in SoT at the beginning of the game, where you need to look for zeros? The WW structure has 2 health values (e.g., 64 00 64 00). Randomly wandering around the HEX code of SoT's memory, I found a similar structure, only there the numbers are 4-byte (64 00 00 00 64 00 00 00). I found this structure at the beginning of SoT, changed the value that should be the sword, and... succeeded! You can also set all the Sands and half-rings (but after receiving the dagger), set low health in order to complicate the game, or, conversely, high health to simplify it. You can turn off the power of the Sands. Besides, there are a lot of bugs. For example, when using sword 3 or 4 on the Indians (the third sword kills some Indians only with single hits; when you hit an Indian with the fourth, the corpse of the dead predecessor disappears). At negative health, the stakes and the saves do not work. Bugs with the HUD. And more. I used all of this in my videos. [ https://vk.com/videos-150539102?section=album_7 ] For ordinary people, fiddling with hex is an impossible task, and writing a suitable trainer was too hard for me. So I decided to publish it in the form of saves. Load one at the beginning and start with the new parameter; if something does not work, load the next one. [3 links: https://www.playground.ru/cheats/prince_of_persia_the_sands_of_time_sohranenie_savegame_poetapnoe_prohozhdenie_s_kazhdym_vidom_mechej_1_8_1_4_serpent_mln-84106/ ; https://www.playground.ru/cheats/prince_of_persia_the_sands_of_time_sohraneniya_savegames_novye_urovni_slozhnosti_hard_impossible_megaimpossible_megaeasy_1_8_1_4_serpent_mln-84722/ ; https://www.playground.ru/cheats/prince_of_persia_the_sands_of_time_sohraneniya_savegames_novye_urovni_slozhnosti_meganormal_megahard_1_8_1_4_serpent_mln-85395/ ]
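The adjacent WW fields listed in the post above, decoded as one record, plus the search for a repeated health value in 2-byte and 4-byte form; this is an added example, not part of the original post. The field order and addresses come from the post, little-endian storage is inferred from its `64 00 64 00` sample, and the `DUMP` bytes and all function names are constructed for illustration.

```python
import struct

# Layout taken from the post; the sample bytes below are constructed, not a real dump.
BASE = 0xD18038
WW_BLOCK = struct.Struct("<6HI")   # little-endian: six 2-byte fields, then 4-byte main sword
FIELDS = ("health", "max_health", "sand_tanks", "sand_powers",
          "health_upgrades", "weapon2_strength", "main_sword")
POWERS = ("None", "Recall", "Eye of the Storm", "Breath of Fate", "4 Sand Tanks",
          "Ravages of Time", "5 Sand Tanks", "Wind of Fate", "6 Sand Tanks", "Cyclone of Fate")

def field_address(name: str) -> int:
    """Address of a field; every field before main_sword is 2 bytes wide."""
    return BASE + 2 * FIELDS.index(name)

def parse_ww_block(mem: bytes, offset: int) -> dict:
    """Decode the 16-byte block starting at `offset` in a memory snapshot."""
    if offset < 0 or offset + WW_BLOCK.size > len(mem):
        raise ValueError("block does not fit inside the buffer")
    rec = dict(zip(FIELDS, WW_BLOCK.unpack_from(mem, offset)))
    rec["upgrades_taken"] = bin(rec["health_upgrades"]).count("1")  # one bit per upgrade
    rec["power_name"] = POWERS[rec["sand_powers"]] if rec["sand_powers"] < 10 else "out of range"
    return rec

def find_health_pair(dump: bytes, value: int, width: int) -> list:
    """Offsets where `value` is stored twice in a row, little-endian, `width` bytes each."""
    needle = value.to_bytes(width, "little") * 2
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(needle, pos + 1)
    return hits

# Constructed snapshot: WW-style block at offset 8, SoT-style 4-byte pair at offset 28.
DUMP = (b"\xff" * 8
        + bytes.fromhex("64 00 64 00 03 00 02 00 05 00 32 00 07 00 00 00")
        + b"\xff" * 4 + bytes.fromhex("64 00 00 00 64 00 00 00") + b"\xff" * 4)

if __name__ == "__main__":
    for off in find_health_pair(DUMP, 100, 2):
        print(hex(off), parse_ww_block(DUMP, off))
    print("4-byte pair at", find_health_pair(DUMP, 100, 4))
```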

Savitar 01.08.22

Cool