How to make unl. SP with CE

[Nowne]

If you don't have kernel debugger enabled, follow this few steps:
Disable your Anti Virus (or it will be blocked)
Open CE.
Go to Edit->Settings.
Got to Extra.
And enable "Use kernelmode debugger" and do NOT check "Use global routines"
Now you can go on!

-----------------------------------------------------

First, we need to find the SP Addie, its very easy:
Go to the Trainingroom, make sure you have 100 SP,
then search in CE for 100 ( 4 Bytes ).
Then go ingame, and lower the SP to 1 ( In OP7 not in CE ).
Now search for decreased value in CE.
You normally have 1 Addie left ( if you have more, use the right one ), for me its "00C16418".
Now do a rightclick on that Addie and click "Find out what writes to this adress".
Go ingame and sprint a lil' bit.
Then go to CE and look what Adresses were logged:
"0047d9ef - 89 48 24 - mov [eax+24],ecx"
This is the right one, rightclick on it and click "Show this Adress in disassembler".
Now some ASM Code pops up, because much of you don't know Assembler, i translated the code to C-Code:

Code:

sp_check_func   proc near               
.text:0047D9C0 
.text:0047D9C0
.text:0047D9C0 arg_0           = dword ptr  4
.text:0047D9C0
.text:0047D9C0                 push    edi
.text:0047D9C1 ; 9:   SP_value = (a1 + 360);
.text:0047D9C1                 lea     edi, [esi+168h]
.text:0047D9C7 ; 10:   sub_6802FD(a1 + 360, 4);
.text:0047D9C7                 push    4
.text:0047D9C9                 push    edi
.text:0047D9CA                 call    sub_6802FD
.text:0047D9CF ; 11:   if ( *(a1 + 360) <= 100 )
.text:0047D9CF                 mov     eax, [edi]
.text:0047D9D1                 add     esp, 8
.text:0047D9D4                 cmp     eax, 64h
.text:0047D9D7                 jg      short loc_47D9DF
.text:0047D9D9 ; 12:     *SP_value = *(a1 + 360) - a2;
.text:0047D9D9                 sub     eax, [esp+4+arg_0]
.text:0047D9DD                 mov     [edi], eax
.text:0047D9DF ; 13:   if ( *SP_value < 1 )
.text:0047D9DF
.text:0047D9DF loc_47D9DF:                             ; CODE XREF: sp_check_func+17j
.text:0047D9DF                 cmp     dword ptr [edi], 1
.text:0047D9E2                 jge     short loc_47D9EA
.text:0047D9E4 ; 14:     *SP_value = 1;
.text:0047D9E4                 mov     dword ptr [edi], 1
.text:0047D9EA ; 15:   *(*(a1 + 4) + 36) = *SP_value;
.text:0047D9EA
.text:0047D9EA loc_47D9EA:                             ; CODE XREF: sp_check_func+22j
.text:0047D9EA                 mov     eax, [esi+4]
.text:0047D9ED                 mov     ecx, [edi]
.text:0047D9EF                 mov     [eax+24h], ecx
.text:0047D9F2 ; 16:   sprintf((*(a1 + 4) + 61), off_6B6E3C, *SP_value);
.text:0047D9F2                 mov     edx, [edi]
.text:0047D9F4                 mov     eax, [esi+4]
.text:0047D9F7                 push    ebx
.text:0047D9F8                 push    edx
.text:0047D9F9                 add     eax, 3Dh
.text:0047D9FC                 push    offset off_6B6E3C ; char *
.text:0047DA01                 push    eax             ; char *
.text:0047DA02                 call    _sprintf
.text:0047DA07 ; 17:   if ( sub_441120(*SP_value) )
.text:0047DA07                 mov     eax, [edi]
.text:0047DA09                 mov     ecx, [esi+28h]
.text:0047DA0C                 add     esp, 0Ch
.text:0047DA0F                 push    eax
.text:0047DA10                 lea     ebx, [ecx+0D8h]
.text:0047DA16                 call    sub_441120
.text:0047DA1B                 test    al, al
.text:0047DA1D                 pop     ebx
.text:0047DA1E                 jz      short loc_47DA8A
.text:0047DA20 ; 19:     v3 = *(*(a1 + 40) + 348);
.text:0047DA20                 mov     ecx, [esi+28h]
.text:0047DA23 ; 20:     v4 = *(a1 + 308) * *(a1 + 292);
.text:0047DA23                 fld     dword ptr [esi+134h]
.text:0047DA29                 mov     eax, [ecx+15Ch]
.text:0047DA2F                 fmul    dword ptr [esi+124h]
.text:0047DA35 ; 27:     if ( v3 >= 2 )
.text:0047DA35                 cmp     eax, 2
.text:0047DA38 ; 21:     *(a1 + 300) = dword_6ADE08[v3];
.text:0047DA38                 mov     edx, ds:dword_6ADE08[eax*4]
.text:0047DA3F                 mov     [esi+12Ch], edx
.text:0047DA45 ; 22:     v5 = v4 * *(a1 + 300);
.text:0047DA45                 fmul    dword ptr [esi+12Ch]
.text:0047DA4B ; 23:     *(a1 + 304) = dword_6ADE18[v3];
.text:0047DA4B                 mov     ecx, ds:dword_6ADE18[eax*4]
.text:0047DA52                 mov     [esi+130h], ecx
.text:0047DA58 ; 24:     v6 = *(a1 + 24);
.text:0047DA58                 mov     ecx, [esi+18h]
.text:0047DA5B ; 25:     *(a1 + 208) = v5 * *v6;
.text:0047DA5B                 fmul    dword ptr [ecx]
.text:0047DA5D                 fstp    dword ptr [esi+0D0h]
.text:0047DA63 ; 26:     *(a1 + 212) = *(v6 + 4) * *(a1 + 312) * *(a1 + 296) * *(a1 + 304);
.text:0047DA63                 fld     dword ptr [ecx+4]
.text:0047DA66                 fmul    dword ptr [esi+138h]
.text:0047DA6C                 fmul    dword ptr [esi+128h]
.text:0047DA72                 fmul    dword ptr [esi+130h]
.text:0047DA78                 fstp    dword ptr [esi+0D4h]
.text:0047DA7E                 jl      short loc_47DA8A
.text:0047DA80 ; 28:       *(a1 + 488) = sub_47DCC0;
.text:0047DA80                 mov     dword ptr [esi+1E8h], offset sub_47DCC0
.text:0047DA8A ; 30:   result = sub_6802C1(a1 + 360, 4);
.text:0047DA8A
.text:0047DA8A loc_47DA8A:                             ; CODE XREF: sp_check_func+5Ej
.text:0047DA8A                                         ; sp_check_func+BEj
.text:0047DA8A                 push    4
.text:0047DA8C                 push    edi
.text:0047DA8D                 call    sub_6802C1
.text:0047DA92 ; 31:   *(a1 + 484) = sub_47DAB0;
.text:0047DA92                 add     esp, 8
.text:0047DA95                 mov     dword ptr [esi+1E4h], offset sub_47DAB0
.text:0047DA9F ; 32:   *(a1 + 288) = 0;
.text:0047DA9F                 mov     dword ptr [esi+120h], 0
.text:0047DAA9 ; 33:   return result;
.text:0047DAA9                 pop     edi
.text:0047DAAA                 retn    4
.text:0047DAAA sp_check_func   endp

We need this short Code:

Code:

0047D9DF ;     if ( *SP_value < 1 )
0047D9DF                 cmp     dword ptr [edi], 1
0047D9E2                 jge     short loc_47D9EA
0047D9E4 ;     *SP_value = 1;
0047D9E4                 mov     dword ptr [edi], 1

This means:
If SP is smaller than 1, then set SP to 1.
This Code is used, to make SP not negative.
We need to manipulate the code like this:

Code:

0047D9DF ;     if ( *SP_value < 40 )
0047D9DF                 cmp     dword ptr [edi], 28
0047D9E2                 jge     short loc_47D9EA
0047D9E4 ;     *SP_value = 100;
0047D9E4                 mov     dword ptr [edi], 64

This means:
If SP is smaller than 40, then set SP to 100.
To manipulate ASM Code, just doubleklick at the specefic Adress.
How to make Unl. SP:
1)
Rightklick in the Disassembler window, click "Go to Adress".
Type "0047D9DF" Press "OK".
Doubleclick on that marked Adress then change:

cmp dword ptr [edi], 1

to

cmp dword ptr [edi], 28

2)

Rightklick in the Disassembler window, click "Go to Adress".
Type "0047D9E4" Press "OK".
Doubleclick on that marked Adress then change:

mov dword ptr [edi], 00000001

to

mov dword ptr [edi], 64


If you want, you can make a script, search on google for CE Script Tutorial.

I hope i helped,
Greetz Nowne aka. iNSTiNCT

[Lonesome Cowboy]

Umm, is this visual only?

[ruffeli]

dont working when i press FIND WHO WRITES TO THIS ADDRESS my game SHUTDOWN /REG CLOSE

[Nowne]

Oh, i forgot something, i will add this now, and its not serversided
EDIT: fixd, look at top of the tut, and follow these steps

[ruffeli]

Oh, i forgot something, i will add this now, and its not serversided
EDIT: fixd, look at top of the tut, and follow these steps

tnx i can hack all game tnx

[xbeatsszzx]

Nice gj on the tut.

[ruffeli]

tnx working when its lower of 46 i get 100 sp WORKED +REP

[Comet]

/Stickied.
Good job.

If Any Questions Post Here.

[Geecko]

or simply u can nop out the asm code that makes sp decreasing....and ull get full 100 sp...
btw ur way doesnt work, i got my account banned...

[Nowne]

It works for me and others, do u used the newest CE version?

[Wiirtuallca]

thx for telling, i might put it into my pub release :]

[pala0095]

tnx i can hack all game

[roflboy1]

whats CE? man??????

[Bubbles Kittys]

thanks + rep given

[dexha]

This Working ??