Dragon Age Origins 1.02a Trainer

[cosmin]

RPG Game.Where you must save humanity from darkspwn invasion.
Dragon Age Origins version 1.02a trainer
Options:Specialization points,Talent points,Skill points

I am sorry if this request has been made by some1 else.

	Trainer A trainer is a program written to intercept and alter the memory addresses of a game. Trainers usually have to be running in memory the entire time the game is loaded. Since trainers address specific memory locations, they usually only support a specific version of a game. This file is not supported in multiplayer or online games.

[woglorem]

I've done some work on this game...

From my experience, all stats for all players are updated by a single function.
The function looks like this:


The offset below is from v1.2.9393. You should be able to search for the code to find the offset for your version though.

00790C70 | D94424 04 | FLD DWORD PTR [ESP+4] | <--- inject here
00790C74 | D959 4C | FSTP DWORD PTR [ECX+4C] |
00790C77 | 8B49 44 | MOV ECX, DWORD PTR [ECX+44] |
00790C7A | 85C9 | TEST ECX, ECX |
00790C7C | 74 04 | JE 00790C82 |
00790C7E | C641 20 01 | MOV BYTE PTR [ECX+20], 1 |
00790C82 | C2 0400 | RETN 4 |

In the structure, the first 4 bytes seem to be some sort of structure ID or something... The next 40 bytes are unicode strings that identify what stats you are looking at (i.e. CurrentClass).


Here are some stat-identifiers you may want to play with:
CurrentClass <--- 0=mage, 1=, 2=, 17=dog
Experience
Strength
Dexterity
Willpower
Magic
Cunning
Constitution
Attribute_points
Skill_points
talent_spell_points
specialization_point
Displacement
Flanking_Angle
Spell_Resistance
BaseAttackRating
BaseDefenseRating
Damage_OffHand
Damage_MainHand
Cold_Damage_Bonus
Critical_Range
Electricity_Damage_Bonus
Fatique
Fire_Damage_Bonus
Healing_Effect_Factor
Melee_Crit_Modifier
Missile_Shield
Nature_Damage_Bonus
Ranged_Crit_Modifier
Regeneration_Health
Regeneration_Stamina
Resistance_Mind
Resistance_Physical
Spirit_Damage_Bonus
Threat_Decrease_Rate


In MHS (Thanks L.Spiro... love this prog.):

Code:

FullAccess( DAOrigins.exe+0x00390C70, 2048 )
Alloc( Cave, 1024 )
Label( Exit )           
Label( Return )         
Label( CheckWord )
Label( NextWord )
Label( Cheat )
Label( List )


; Gate
DAOrigins.exe+0x00390C70:
jmp Cave
nop
nop
Return:

	Cave:          

		
		FLD     DWORD PTR [ESP+4]
		FSTP    DWORD PTR [ECX+4C]
		
			push esi
			push edi
			push ecx
			push eax
			 
			mov esi, ecx 
			add esi,4
			
			push  List	
			pop edi
			
			xor ecx,ecx  
		
	CheckWord:
			cmp byte ptr [edi],ff		
			
			je Exit
			cmp byte ptr [esi+ecx*2], 0 
			je Cheat
			mov al,byte ptr [esi+ecx*2]	 
			cmp byte ptr [edi+ecx], al
			jne NextWord
		
			inc ecx
			cmp ecx,0c
			je	Cheat
			jmp CheckWord
	NextWord:
			xor ecx,ecx
			add edi, 10
			jmp CheckWord
	Cheat:
			mov ecx, dword ptr [edi+0c]
			mov dword ptr [esi+48], ecx
	Exit:
			pop eax
			pop ecx
			pop edi
			pop esi
			jmp Return
		
	List:
		db "Experience" 000h 000h 
		dd 04835A400h
		
		db "Strength" 000h 000h 000h 000h 
		dd 04e6e6b28h

		db "Dexterity" 000h 000h 000h 
		dd 04e6e6b28h

		db "Willpower" 000h 000h 000h 
		dd 04e6e6b28h

		db "Magic" 000h 000h 000h 000h 000h 000h 000h 
		dd 04e6e6b28h

		db "Cunning" 000h 000h 000h 000h 000h 
		dd 04e6e6b28h

		db "Constitution" 
		dd 04e6e6b28h

		db "Spell_Resist" 
		dd 04e6e6b28h

		db "specializati" 
		dd 0434b0000h

		db "Flanking_Ang" 
		dd 0434b0000h

		db "Attribute_po" 
		dd 0434b0000h

		db "Skill_points" 
		dd 0434b0000h

		db "talent_spell" 
		dd 0434b0000h

		db "Displacement" 
		dd 04e6e6b28h

		db "Regeneration" 
		dd 0434b0000h

		db "Damage_MainH" 
		dd 0434b0000h

		db "Damage_OffHa" 
		dd 0434b0000h

		db "Healing_Effe" 
		dd 0434b0000h

		db "Melee_Crit_M" 
		dd 0434b0000h

		db "Resistance_M" 
		dd 0434b0000h

		db "Resistance_P" 
		dd 0434b0000h

		db "Ranged_Crit_" 
		dd 0434b0000h

		db "BaseAttackRa" 
		dd 0434b0000h

		db "BaseDefenseR" 
		dd 0434b0000h

		db "Missile_Shie" 
		dd 0434b0000h

		db "Critical_Ran" 
		dd 0434b0000h

		dd 0ffffffffh 0ffffffffh 0ffffffffh 0ffffffffh

[PhreakMe]

I straight up love this game. I couldn't seem to find a torrent for it to play it on PC though =( and i'm just a poor boy and she said see you later boy.

Code:

00790C70 | D94424 04 | FLD DWORD PTR [ESP+4] | <--- inject here
00790C74 | D959 4C | FSTP DWORD PTR [ECX+4C] |
00790C77 | 8B49 44 | MOV ECX, DWORD PTR [ECX+44] |
00790C7A | 85C9 | TEST ECX, ECX |
00790C7C | 74 04 | JE 00790C82 |
00790C7E | C641 20 01 | MOV BYTE PTR [ECX+20], 1 |
00790C82 | C2 0400 | RETN 4 |

You can indeed tell this is part of a class unit structure, the [ecx+highvalues] is a dead give away as well as the FLoating numericals which are commonly used in attributes beings they have %'s and so forth. i.e. if you want to make a health hack, change scan from "4 bytes" to "float" and round =p

[[Psych]]

Actually there is nothing that identifies that code as having anything to do with attributes or anything else for that matter. It could be used for anything. That's just like looking through a disassembly window and trying to ascertain what everything does without any other information (no ascii around, no symbolnames etc. In addition, attributes aren't necessarily stored as FLOATs. Many times they are, but not always. And it's not just attributes that are stored as floats, it could be countless other variables, some which aren't even a concern for the gamehacker. You state by the opcodes that this must be something to do with attributes due to FPU instructions, and the fact they they have a value after the register in brackets. Again, no, lol. And not sure what the hell you're on about with coverting and rounding. I think you've just made youself look a like an idiot (again?) with this trying to sound smart speech.

@woglorem, a good observation there dude. Some nice auto-assembler usage. Good share

[cosmin]

All i need actually are specializataion points how should i look for them with tsearch.
I need to search for 2 first than i use 1 and than search for 1?
I tried this and i had about 970 results.
Should i try a smaller value like 2bytes?

[PhreakMe]

Psych: I know it's not a guarantee, but I am speaking from general experience, the popular appearance of float mnenomics and large classes (virtually all Blizzard games remain consistent to this generic theory of mine) so, I either look like an idiot via mistake, a vague commenter by brief reading, or simply that i've hacked more games than you. I welcome you to look for yourself (SC/D2/W3).

Cosmin: You know you can keep "searching next" to narrow it down to less results, right =x

	Psych Psych, is the main SuperVisor, one of the most talented dude from GH and entire web. Currently holding the Ban Machine title.

[[Psych]]

Lol, somehow I doubt you've done more than me. That's not to sound bigheaded, but your 'general experience' isn't exactly a lot is it. 3 feckin games. The response was about how in the world can looking at 5-10 lines of float instructions bring you to the conclusion that it must be to do with attributes. That's my point. Don't be a prick.

[woglorem]

@COSMIN:
These values are floats.

From my experience with this game, the only interesting stats that are stored as dwords/longs are cash and inventory counts. The rest is stored as floats.

Once you believe you have found the value you are looking for you can single it out by reading the unicode string that is stored at address - 048h... so if you found a value you wanted to check at 02a629110h, open the hex editor and go to 02a629110h - 048h = 02A6290C8h. This should read "s p e c i a l i z a t i o n _ p o i n t ". If it does, you know you got the right value.

On my 32 bit system with 4GB of ram, the stats always seem to be allocated around 025000000h to 032000000h. more frequently in the lower areas than the higher. The reason why it lands here has to do with the order things are loaded and the amount of free memory, so this is by no means a "static", but it may help you single out the values you want from a large list.

Using this knowledge, I could often single out the values from a list with 10 000+ entries, so I didn't have to do all those search-change-search repetitions. It also helps a lot when searching for small values that can't be changed as often as you'd like.

[VegitoSSJ]

To highlight a bit about this game uses floating point values for the important things, (attribute points etc.., health, stamina). The instructions in this game are heavily shared, can be compared to mass effect 2.

[cosmin]

still cant find the addres for specialization points
an some1 give me a link or a post with a small tutorial because i am new to the world of edditing game addreses

[woglorem]

Since you don't have that many spec. points, it is not the easiest thing to hack. Here is a way though...

1. Hack your XP (float) but don't edit the value just yet... NB! The value displayed is actually XP -1 for some reason... If it says you have 49, you actually have 50)
2. Search for spec. points (float). Assuming you are below level 7, this should now be at 0.
3. Up your XP till you reach level 7, but no further (you have to gank a mob for the XP to register as levels)
4. As you now have 1 spec. point, you should make the 2nd search.
5. Up your XP to level 14+ and gank a few mobs (there is no point in going higher than 25 / 186000XP).
6. You should now have 2 spec. points, search for it...
7. Spend a point and search again.
8. Spend a point and search again.

You should now have found your spec. points, and you should be able to add 1 so that you get the 3rd specialization (or add a bunch if you are swapping classes).

Personally, I'd do it a lil differently though...
Using the method detailed in a previous post, you can hack talent points instead. Spec. points are sometimes (but not always) stored somewhere near the talent points...