Tutorials and Faqs brainstorm - submit information and opinions here
dootdoo
12-18-2003, 03:34 PM
Here is what I wrote so far..
It is not complete :)
please post ANY tips, tricks, hints, offset finds, etc here, They will all be compiled into the tutorial.. :)
Second tutorial is at:
http://forums.maxconsole.net/showthread.php?s=&threadid=782
Third tutorial is at:
http://forums.maxconsole.net/showthread.php?s=&threadid=2545
Here's a link to _HellDasxS_'s great tutorial:
http://forums.maxconsole.net/showthread.php?s=&threadid=2938 (halfway down)
Here is a link to Xor's great tutorial:
http://forums.maxconsole.net/showthread.php?s=&threadid=3099
dootdoo
12-21-2003, 05:58 AM
I'm not sure if anyone has completed the tutorial successfully but I am holding off on writing any more guides until I get feedback on the first one so I can better pick a good example (more advanced, easier, more about reading assembly, etc)
So please post feedback, even if its negative so that I know how to improve the documentation, I have some really neat stuff to write up, that I'm not sure if anyone would be interested in.. =)
I'm a little lost with the telnet part. I go into command prompt and type telnet (xbox ip), but if I'm in a game it doesn't connect, and if I do it in evox then go into a game it disconnects. What am I doing wrong?
angelfly
12-21-2003, 03:13 PM
make sure IGR and Debug TSR are turned on
Do I need a debug bios or something, anything special? I can't get on xbox right now but I'll try those settings later tonight and see if it works.
Mclane
12-21-2003, 05:01 PM
Tutorial is fine although there's one thing I wanted to ask, I was messing around with T3 and found the ammo and continues (didn't spot Kinsfan had done it already :-) )
But the life bar was a little more elusive..
In your tutorial you selected 3 values as being more likely candidates, what was the reasoning behind this before you knew the locations contents.
Normally it spits out vast lists of locations which request a check of but rarely contain a match, sometimes it spits out single locations which are obviously better choices.
Still unsure as to why the value command offers locations that don't match the exact data, unless it's just monitoring locations that match the equiv increase or decrease in value regardless of the actual value they hold??
Mclane
12-21-2003, 05:07 PM
Originally posted by GNEW
Do I need a debug bios or something, anything special? I can't get on xbox right now but I'll try those settings later tonight and see if it works.
You need to have at least Evox 3921 installed, I use 3935 myself.
Just go into the settings menu from the dashboard and set TSR to debug and IGR's to yes then run Telnet from the run part of the start menu, type o and the IP address of your Xbox while a game is running..
You should see the debugger then..Don't expect anything fancy tho :-)
dootdoo
12-21-2003, 11:45 PM
I picked those locations by guessing, for some reason 90+% of the time I guess which one(s) to pay attention to when there are hundreds.. The reason some values come up that don't appear to match your search is because those values are changing in between when they were checked and when you looked, on most of them you can do a db on the address a couple of times and you will see that its changing while you db em.. :)
Mclane
12-22-2003, 09:51 AM
Originally posted by dootdoo
I picked those locations by guessing, for some reason 90+% of the time I guess which one(s) to pay attention to when there are hundreds.. The reason some values come up that don't appear to match your search is because those values are changing in between when they were checked and when you looked, on most of them you can do a db on the address a couple of times and you will see that its changing while you db em.. :)
aha..
I did wonder if you knew the memory map so some locations would match but be places that are not usable or just screen ram etc..
PsylinK
12-22-2003, 07:33 PM
Very good chance that this question has already been answered....
But, as far as the telnetting to the Xbox is concerned, I have that down to a fine art. Huge cash in SSX3, Extra lives, yadda yadda... Question is, you refer to IDA Pro, however in the how-to it's said to "open IDA and click on a tab".... with what? Is this IDA for windows, or is there an XBOX version? Whats loaded into IDA? is this the .xbe we're loading into it, or the converted .exe?
Thats the only part I'm stuck on, the rest of the tute was awesome, really made it click for me - I'm looking forward to knowing what to do with the Ida thing so I can start training for the pal people :D
--Psy.
dootdoo
12-22-2003, 07:45 PM
ida pro is a windows application, but just about any 32 bit x86 disassembler will do, IDA pro supports FLIRT files which help you identify which sections of code are actually function calls.
w32dasm (very easy to find online since a lot of shareware crackers like it) should work just as well in most cases.
In either case, you load the exe. when you load an exe in ida pro it'll come up with a bunch of options, just click OK. :)
angelfly
12-22-2003, 07:46 PM
yes IDA Pro is for windows,and you are loadin the converted exe.The tab you click is the one that says "IDA View" but you may not have to click it because it is selected by default (well at least for me it is)
PsylinK
12-22-2003, 08:03 PM
Thanks guys - one simple hiccup and I'm a-training.
Now, If I may contribute trainers, I'd be stoked. All PAL, which I notice you've a lack of. Starting now, they are working, and I'd like to share them if I may.
Thanks.
PsylinK
12-22-2003, 10:02 PM
OK, Now a question about the .etm file (sort of)
I've found that by Poking Addresses 000b6fcc - 000b6fcd with NOOP (90) I have unlimited ammo in NightFire. Now, when I write an .etm file (tried both - poking it regardless and having it check for 2c,c2) It doesn't seem to be affecting it at all. I've tried it with the TSR on normal, and on debug just for the hell of it as well.
I "Believe" I have the correct Timestamp and Title ID.
Size of Certificate : 0x000001DC
TimeDate Stamp : 0x3DBFB19D (Wed Oct 30 20:17:01 2002)
Title ID : 0x45410026
Title : L"007™: NightFire™"
Alternate Titles IDs : 0x00000000
Does this TSR only work with reasonably new Bios's? I've got RemoteX Version 3935.
dootdoo
12-23-2003, 03:26 AM
I always get the time stamp by doing a db on the spot that you are comparing it to in the asm, cxbx dumps out 2 or 3 time stamps, and I forget which if any are the one we are looking for :)
chinmi
12-24-2003, 07:55 AM
Originally posted by dootdoo
w32dasm (very easy to find online since a lot of shareware crackers like it) should work just as well in most cases.
yes, you're right... w32dasm is very easy to find...
but what do I click on the w32dasm that matches the one in your tutorial with the IDA pro ? ("now in IDA pro, click the VIEW-ASM tab, then go to the jump menu, select jump address and type in 0002a261.") ?
dootdoo
12-24-2003, 02:22 PM
the main window in w32dasm is what you need to look at, and it too also has a go to address feature in the menus
chinmi
12-24-2003, 11:04 PM
after 5+ hours surfing the net, i finally found a copy of IDA PRO :)
And after 15minutes following your tutorial, i've managed to create a simple trainer for TMNT :D
I can't wait to start hacking some of my games... and also borrowed some games from my friends too... he has more than 90 games in his game library :D
now... if only i can get my hands on a 120gb HDD :D
oh yeah, by the way... the step-by-step procedure for other games is the same for your TMNT tutorial right ??
dootdoo
12-25-2003, 04:57 AM
The step by step for quite a few games is identical to my tutorial, if I get some more feedback as to what people need more help on, or want to learn, then I can write some more advanced guides (some games are trickier than others, true crimes streets of la for example). But I need feedback, and most likely questions about certain games, or how to hunt down things so I know there is an interest, a lot of people grabbed the first tutorial, but I don't know if it made sense, or if they were confused, or if it was below their level.. :)
Maybe I'll write one up on how I did otogi 2 when I wasn't able to use the 'value' command (it hangs it even if you 'fr' first)
Mclane
12-25-2003, 05:11 AM
Yeah, a nice indepth would be good...
Simple things like number finds are easy for 99% of people but others will get stuck by life bars etc where there's no real clue of a value to search for.
On the C64 etc I'd just count the life losses bit by bit but when you have a large bar its not so easy etc. Also explanations of why some values are not so easy to find ie they may be represented by their screen value ie on C64 & Atari 2 would be 32 which made it harder to find or the programmer might use a diff number and then subtract a value off it then display it etc...
You might want to do a little expo of how you used IDA Pro in a bit more detail as some could find things like that very complex...Just a thought here and there...
dootdoo
12-25-2003, 05:28 AM
Noted and appreciated :)
I was stumped by blood wake because I wasn't paying attention to the behavior of the weapons, and just to the counts on screen =) So I'll be sure to include something like that too.. also ran into that with true crimes, they display a value on screen for if you are a good or bad cop, which is determined by taking goodcop pts - badcop pts.. I only stumbled upon the values when I was going thru the stats pages (by accident) :)
acidmang
12-25-2003, 04:50 PM
I'm having the same problem. How do you use db to get the proper timestamp? The one I get from cxbx doesn't seem to work (trainers don't work but pokes via telnet work fine)
Any suggestions will be greatly appreciated ;)
angelfly
12-26-2003, 02:02 AM
do "db 010114 1" and reverse the first 4 bytes to get the proper timestamp
acidmang
12-26-2003, 04:16 AM
ok.. so if db 010114 1 will dump the needed stamp info, what memory location holds the title id? :) Save a step running cxbx :)
Thanks for the response! It's appreciated..
Think I have more fun trying to cheat than actually playing the games ;P
dootdoo
12-26-2003, 04:58 AM
look at the 4 bytes after the time stamp, put those in the proper human friendly order, it should be something like 10178 or 10184 (it is different game to game), add 8 to the value, and those four bytes, once reversed are what you are looking for..
dootdoo
12-26-2003, 05:03 AM
.db 10114 10
00010114 : 97 b7 9b 3c 78 01 01 00 0e 00 00 00 48 03 01 00 | .7.<x.......H...
97 b7 9b 3c Time Stamp
78 01 01 00 Cert Offset
so the time stamp would be 3C9BB797h
and the cert offset would be 010178
then do a db 10178 10
00010178 : d0 01 00 00 f9 b3 9f 3c 0e 00 57 4d 47 00 61 00 | P...y3.<..WMG.a.
d0 01 00 00 Cert Size
f9 b3 9f 3c Some other time stamp (don't use)
0e 00 57 4d (Title ID)
So your title id would be 4D57000Eh
acidmang
12-26-2003, 09:24 AM
Dootdoo,
Really appreciate you helping all us newbs out :) I'm having more fun making trainers than actually playing games :P
Thanks for your support. We all can contribute trainers now :)
Do you have suggestions for finding things like life meters without a known (on the screen) value? Too bad remotex debugger 1.1 didn't have memory snapshots so you could do a </>/= last mem snap to track down tricky values :)
Thanks again.
dootdoo
12-26-2003, 03:51 PM
I've only done a couple 'bar' style value hunt downs, which I find by a) finding a routine that is called before or after it is modified, then I try to isolate where the meter is being changed at (most meters aren't decimal values, so just look for a bunch of floating point ops). Or on something like otogi, almost all of the values about the character were in one spot, so I did something like db <lowest value> 100 and was looking at the values, I saw that one of them seemed to match up with how many balls of energy total I had (1-6) so I poked it and loaded a level, and my health meter was 'bigger' (had 7 balls) so I break point (mb) the read of that value when I started a level, saw that the game took # balls * 1000 -> location (in the area I was looking) then elsewhere took that value (balls * 1000), converted to a float and shoved it in a memory location a ways away. so I watched those as I fought, and noticed they only went down when I got hit, so they must be my health.. :)
acidmang
12-26-2003, 08:02 PM
I'm working on Time Splitters 2 US. So far I have the noreload and inf timed mines patches working great... The health is difficult because of the unknown value. I've tried looking +/- 200 of my offset so far for health values (freeze/dump get shot /freeze/dump type of search) but I've been unable to find it yet... Trying bpx on subs that look interesting in IDA at the moment but I'm still in learning mode so it's painful ;P
Thanks again for helping us newbs out (and your tmnt source for us to copy)
Cheers!
dootdoo
12-27-2003, 03:39 AM
:) Well the health is ALMOST always going to be handled using floating point operators, so I'd look more towards fsub, but you can do subtraction a lot of different ways. :-/
what I do is find the normal values, subtract a bit, lets say the normal values were at 00aabbcc
so I'd do: db aabb00 100
then I'd start the game, let it keep on going, and keep hitting up and enter, watching those values, waiting for something to change, then I'd set bpmb's on those offsets to see if they change when I'm being shot etc..
dootdoo
12-28-2003, 05:32 AM
http://forums.maxconsole.com/showthread.php?s=&threadid=782
Thats where I put my second tutorial for those watching this thread, its for nba jam 2004.
saulin
12-28-2003, 05:36 AM
dootdoo could you add a bar style cheat on your guide please. I would like to know how to start searching for an unknown value.
For example in NBA Jam there is the Jam meter. It fills up as you make points and good dunks. Once it is full you can do hot spots.
Then it goes back to empty and starts filling up again. A cheat to have it full all the time would be sweet.
But I have no idea how I would search for an unknown value.
dootdoo
12-28-2003, 05:55 AM
The problem I ran into with nba jam is that I suck at it.. :)
I used to be able to play it a long time ago when it was at the arcade, but I was sucking really bad this time around, I can help you find it, but since I was unable to locate any other in game value, it would be difficult to guess where its at :)
Odds are that it's a floating point value, which means that if you search for 20, even if the value is = 20, it won't be represented like a traditional 20 would be.. so the search would miss it anyways.. :-/
Uhm, drop me a pm and we can discuss it further, and once we reach a solution I'll add it to the tutorial.
Mclane
12-28-2003, 03:55 PM
What would solve all the problems (well a lot of them) would be for the Evox team to add a greater / less than global option like most trainer progs.
I'm sure some clever programmer could add a front end that does a sample via the DB and then does the compares for you but it would almost certainly be sloooooow as hell.
Here's hoping
dootdoo
12-29-2003, 04:24 AM
well let's see, the memory dump files are 40 megs, so 40 * 3 (one byte ends up ' XXh') is only 120 megs, which would take a chunk of time, but it's a lot faster than setting breakpoints everywhere there is a floating point operation :)
Mclane
12-29-2003, 05:00 AM
But slower than pre hardwired code :D
Hopefully the mega interest in the debugger side will prompt a bit of expansion on that side.
kingsfan41
12-31-2003, 08:27 PM
Originally posted by dootdoo
well let's see, the memory dump files are 40 megs, so 40 * 3 (one byte ends up ' XXh') is only 120 megs, which would take a chunk of time, but it's a lot faster than setting breakpoints everywhere there is a floating point operation :)
I know with ETT you can take longer dumps and save the log file and use that for compares. Do you happen to know the start and end memory address if I wanted to dump the entire memory? Also, do you know of any better utilities than windiff to compare the log files? Presumably you can take memory dumps and use windiff to compare the files looking for changes, but just messing with it a little bit using 10000 as a byte dump there are a ton of differences, so even this method is very time consuming.
One other question, do you have any samples of timer routines? I would assume they would use the XBOX clock for a true timer so there would be an API call to look for when it is counting up or down in realtime.
I really need a GTA 3 / GTA:VC timer trainer and want to focus on that when I get some time (unless someone else is looking into this) but just trying to find the best method to find the values since searches cause the game to crash.
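An added example, not part of any post in this thread: the compare-two-dumps search discussed above (a "less than / same as the last snapshot" filter over `db`-style dump text), reading each dword as a little-endian float, since a float 20 is stored as 00 00 a0 41 and a plain search for 20 never matches it. The dump contents, the addresses and every function name here are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BYTES 4096
typedef struct { uint32_t base; size_t len; uint8_t data[MAX_BYTES]; } snapshot;
typedef enum { CMP_LESS, CMP_GREATER, CMP_SAME } cmp_mode;

/* Constructed dumps in the db layout quoted in the thread: A at full health,
   B after taking a hit, C a moment later without being hit. */
static const char *DUMP_A =
    "00aabb00 : 06 00 00 00 00 00 c8 42 00 00 6c 42 00 00 a0 41 | ................\n"
    "00aabb10 : 10 27 00 00 ff ff ff ff 00 00 00 00 00 00 80 3f | ................\n";
static const char *DUMP_B =
    "00aabb00 : 06 00 00 00 00 00 af 42 00 00 68 42 00 00 a0 41 | ................\n"
    "00aabb10 : 4c 27 00 00 ff ff ff ff 00 00 00 00 00 00 80 3f | ................\n";
static const char *DUMP_C =
    "00aabb00 : 06 00 00 00 00 00 af 42 00 00 64 42 00 00 a0 41 | ................\n"
    "00aabb10 : 88 27 00 00 ff ff ff ff 00 00 00 00 00 00 80 3f | ................\n";

/* Parse "ADDR : xx xx ... | ascii" lines into one contiguous byte range.
   Returns 0 on success, -1 on malformed or non-contiguous input. */
int parse_dump(const char *p, snapshot *s)
{
    s->len = 0;
    for (;;) {
        char *end;
        while (*p == ' ' || *p == '\r' || *p == '\n') p++;
        if (!*p) break;
        unsigned long addr = strtoul(p, &end, 16);
        if (end == p) return -1;
        while (*end == ' ') end++;
        if (*end++ != ':') return -1;
        if (s->len == 0) s->base = (uint32_t)addr;
        else if (addr != s->base + s->len) return -1;   /* gap between lines */
        for (p = end; *p && *p != '|' && *p != '\n'; ) {
            if (*p == ' ' || *p == '\r') { p++; continue; }
            unsigned long b = strtoul(p, &end, 16);
            if (end - p != 2 || s->len >= MAX_BYTES) return -1;
            s->data[s->len++] = (uint8_t)b;
            p = end;
        }
        while (*p && *p != '\n') p++;                   /* skip the ASCII column */
    }
    return s->len ? 0 : -1;
}

/* Decode 4 little-endian bytes as an IEEE-754 single; 0 for NaN/Inf patterns. */
int as_float(const uint8_t *b, float *out)
{
    uint32_t u = b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    if (((u >> 23) & 0xff) == 0xff) return 0;
    memcpy(out, &u, sizeof *out);
    return 1;
}

/* Keep the candidate addresses whose float value moved as `mode` says
   between snapshot a (earlier) and snapshot b (later). Filters in place. */
size_t filter_float(const snapshot *a, const snapshot *b, cmp_mode mode,
                    uint32_t *cand, size_t n)
{
    size_t kept = 0;
    if (a->base != b->base) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t off = cand[i] - a->base;
        float x, y;
        if (off + 4 > a->len || off + 4 > b->len) continue;
        if (!as_float(a->data + off, &x) || !as_float(b->data + off, &y)) continue;
        if ((mode == CMP_LESS && y < x) || (mode == CMP_GREATER && y > x) ||
            (mode == CMP_SAME && y == x))
            cand[kept++] = cand[i];
    }
    return kept;
}

uint32_t demo_survivor;   /* first surviving address from the last demo_search() */

/* Pass 1: value dropped when hit (A -> B). Pass 2: value held when idle (B -> C). */
size_t demo_search(int passes)
{
    static snapshot a, b, c;
    uint32_t cand[MAX_BYTES / 4];
    size_t n = 0;
    if (parse_dump(DUMP_A, &a) || parse_dump(DUMP_B, &b) || parse_dump(DUMP_C, &c))
        return 0;
    for (size_t off = 0; off + 4 <= a.len; off += 4)    /* start with every dword */
        cand[n++] = a.base + (uint32_t)off;
    n = filter_float(&a, &b, CMP_LESS, cand, n);
    if (passes > 1)
        n = filter_float(&b, &c, CMP_SAME, cand, n);
    demo_survivor = n ? cand[0] : 0;
    return n;
}

int main(void)
{
    size_t first = demo_search(1), second = demo_search(2);
    printf("after hit: %zu candidates, after idle: %zu, survivor %08x\n",
           first, second, (unsigned)demo_survivor);
    return 0;
}
```

The first pass keeps both the health value and a countdown timer, because both went down; the second pass drops the timer because it kept changing while nothing hit the player.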
dootdoo
01-01-2004, 12:09 AM
I didn't see one in the flirt xbox file so far.. :-/ Maybe if ya know someone that has the sdk they could make a simple program that just does a timer, that we can disassemble and see how it works..
kingsfan41
01-01-2004, 03:25 AM
I have the latest SDK but haven't had any time to mess around with it.
I saw that Angelfly created a timer lock trainer for Soul Calibur 2 so I loaded that up and found the routine that decrements the timer. The three lines of code that appear to be involved are:
cdq
idiv esi
mov [ecx+0ch], ebx (this does the decrement - changes the value)
Does this make any sense to you? I could not find anything on CDQ but know that idiv does a floating point division.
I did a search of GTA 3 for CDQ and IDIV and found 502 instances of CDQ and 342 instances of IDIV.
I might try to mess around with it this weekend if I get a chance. Basically look through the cdq/idiv common routines and nop out the mov directly following the idiv and see if that has any effect unless you have any other ideas.
angelfly
01-01-2004, 12:49 PM
here is the code associated with the seconds on sonic heroes:
loc_3A0C9: ; CODE XREF: sub_3A0A0+Bj
.text:0003A0C9 cmp edx, 3Ch
.text:0003A0CC jl short loc_3A0DC
.text:0003A0CE push 1
.text:0003A0D0 sub edx, 3Ch
.text:0003A0D3 call sub_39D40
.text:0003A0D8 test eax, eax
.text:0003A0DA jz short loc_3A117
.text:0003A0DC
.text:0003A0DC loc_3A0DC: ; CODE XREF: sub_3A0A0+2Cj
.text:0003A0DC mov byte_5586EA, dl
.text:0003A0E2 mov eax, 1
.text:0003A0E7 retn 4
if you're trying to find the timer stuff for gta try to see if you find somewhere where eax, ebx, or edx is compared to 60 and then see if near it the code subtracts 60 or makes jumps to sub routines that subtract 60
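An added example, not part of the thread: a small scanner for the pattern angelfly describes, a cmp of a register with 60 (3Ch) followed a few instructions later by a sub of 60 from the same register. It reads an IDA-style text listing; the first nine sample lines are the instructions from the post above, the last four are a constructed decoy, and the function names and the window size are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned long addr;
    char mnem[16], reg[16];
    unsigned long imm;
    int has_imm;              /* 1 for the "mnem reg, immediate" form */
} insn;

/* First nine lines: the Sonic Heroes instructions from the post above.
   Last four lines: constructed decoy that compares with 3Ch but never subtracts it. */
static const char *LISTING =
    ".text:0003A0C9 cmp edx, 3Ch\n"
    ".text:0003A0CC jl short loc_3A0DC\n"
    ".text:0003A0CE push 1\n"
    ".text:0003A0D0 sub edx, 3Ch\n"
    ".text:0003A0D3 call sub_39D40\n"
    ".text:0003A0D8 test eax, eax\n"
    ".text:0003A0DA jz short loc_3A117\n"
    ".text:0003A0DC mov byte_5586EA, dl\n"
    ".text:0003A0E2 mov eax, 1\n"
    ".text:00040000 cmp eax, 3Ch\n"
    ".text:00040003 jnz short loc_40010\n"
    ".text:00040005 mov eax, 1\n"
    ".text:0004000A retn\n";

/* Parse one line of the form ".text:ADDR mnem [op1, op2]".
   Returns 0 when the line holds no instruction (blank, comment or label only). */
static int parse_line(const char *line, insn *in)
{
    char imm[16], *end;
    in->reg[0] = '\0';
    in->has_imm = 0;
    int n = sscanf(line, " .text:%lx %15s %15[^, ] , %15s",
                   &in->addr, in->mnem, in->reg, imm);
    if (n < 2 || strchr(in->mnem, ':')) return 0;
    /* IDA writes hex immediates with a leading digit and trailing h (3Ch, 0Ah),
       so an operand starting with a letter is a register or a symbol. */
    if (n == 4 && isdigit((unsigned char)imm[0])) {
        in->imm = strtoul(imm, &end, 16);
        if (strcmp(end, "h") == 0) {
            in->has_imm = 1;
        } else {
            in->imm = strtoul(imm, &end, 10);   /* plain decimal such as "1" */
            in->has_imm = (*end == '\0');
        }
    }
    return 1;
}

/* Store the address of every "cmp REG, value" that is followed within `window`
   instructions by "sub REG, value" on the same register. Returns the match count. */
size_t find_rollover(const char *listing, unsigned long value, size_t window,
                     unsigned long *hits, size_t max)
{
    static insn code[256];
    size_t n = 0, found = 0;
    while (*listing && n < 256) {
        char buf[128];
        size_t len = strcspn(listing, "\n");
        snprintf(buf, sizeof buf, "%.*s", (int)len, listing);   /* isolate one line */
        if (parse_line(buf, &code[n])) n++;
        listing += len + (listing[len] == '\n');
    }
    for (size_t i = 0; i < n; i++) {
        if (!code[i].has_imm || code[i].imm != value || strcmp(code[i].mnem, "cmp"))
            continue;
        for (size_t j = i + 1; j < n && j <= i + window; j++) {
            if (code[j].has_imm && code[j].imm == value &&
                !strcmp(code[j].mnem, "sub") && !strcmp(code[j].reg, code[i].reg)) {
                if (found < max) hits[found] = code[i].addr;
                found++;
                break;
            }
        }
    }
    return found;
}

unsigned long demo_hits[8];

/* Look for a rollover at 60 with a window of four instructions. */
size_t demo_rollover(void)
{
    return find_rollover(LISTING, 0x3C, 4, demo_hits, 8);
}

int main(void)
{
    size_t n = demo_rollover();
    for (size_t i = 0; i < n && i < 8; i++)
        printf("possible seconds rollover at %08lX\n", demo_hits[i]);
    return 0;
}
```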
dootdoo
01-01-2004, 11:54 PM
cdq converts a double word to a quadruple word.. :)
fantasywave
01-05-2004, 10:49 PM
The TMNT tutorial is TOO COMPLICATED (horrible). I've read through it 11 times (yes 11 times) and I don't understand the following (The author skipped A LOT of details):
1) It says to telnet Xbox --> PC with ETT. I did that and got connected but what the hell do you do afterwards? Then you skipped a whole bunch of steps and told me to search value: 6. OK so I entered "6" in the value textbox and pressed "search" and guess what? The game froze.
2) The guide didn't even specify how to poke values and where to get the values.
3) I better stick to the Tiger Woods guide for now. (AND NO, IT'S NOT ANY DIFFERENT THAN TMNT GUIDE, IT'S ANOTHER CONFUSING GUIDE. I'LL TRY MY BEST TO UNDERSTAND IT....)
angelfly
01-05-2004, 11:17 PM
first of all the guide was not horrible, it was great. I don't know what tmnt guide you read but dootdoo's guide doesn't mention using ETT and it specifically states to simply telnet to your box. If you find the guide that confusing then you really shouldn't be trying to make trainers. I know that the guide is meant to teach people to make trainers but you can't milk a cow unless you know what a cow is ;) I suggest you read some intros to assembly language or some guides on softice (<-another great debugging program).
fantasywave
01-05-2004, 11:24 PM
Originally posted by angelfly
first of all the guide was not horrible, it was great. I don't know what tmnt guide you read but dootdoo's guide doesn't mention using ETT and it specifically states to simply telnet to your box. If you find the guide that confusing then you really shouldn't be trying to make trainers. I know that the guide is meant to teach people to make trainers but you can't milk a cow unless you know what a cow is ;) I suggest you read some intros to assembly language or some guides on softice (<-another great debugging program).
In case you don't know my friend ETT is a Telnet software. (Do you know a better Telnet software? Cuz ETT kept freezing). And the guide didn't tell me where to find the values. i.e. "type: value 6" <---- Look man WTF does this mean? i.e.2 "load it into Ida Pro" <---- OK? Tryin' to confuse ppl again... i.e.3 "I will be showing how to do the Continue trainer for TMNT" <---- HUH?
overall, this guide is too horrible....
angelfly
01-05-2004, 11:32 PM
I know exactly what ETT is but here is what you said "1) It says to telnet Xbox --> PC with ETT", the guide does not say that. And where it said "type: value 6" it should be easy to assume you type "value 6". As for the telnet client I use the normal telnet that ships with windows. I really don't know what you find so confusing about the direction "load it into IDA Pro" and "I will be showing how to do the Continue trainer for TMNT" means exactly what it says and that is he will be showing how to make a continue trainer for tmnt. I really hate it when people rag on other peoples stuff. If you really find it confusing then learn how to do it and write a better one and stop calling what other people took time out of their lives to write in order to help others (which it has helped many) horrible
fantasywave
01-05-2004, 11:35 PM
Originally posted by angelfly
I know exactly what ETT is but here is what you said "1) It says to telnet Xbox --> PC with ETT", the guide does not say that. And where it said "type: value 6" it should be easy to assume you type "value 6". As for the telnet client I use the normal telnet that ships with windows. I really don't know what you find so confusing about the direction "load it into IDA Pro" and "I will be showing how to do the Continue trainer for TMNT" means exactly what it says and that is he will be showing how to make a continue trainer for tmnt.
Well thnx for your guidance I finally understand some of the confusing points in the guide.
dootdoo
01-06-2004, 03:26 AM
if you have any questions about any specific part I will be happy to try and help you understand it, I did not write the guide to be used with ett, I have no idea how ett works.. :)
As for the value searching, I take a value that is on the screen, and then search for it, get that value to change in the game, then search for the new value.
This is done so that you can narrow down the location of the number of continues.
Ida pro is a piece of software used to disassemble things, it is listed as things you need in order to do the tutorial, you could use wdasm or something else if you are familiar with them, but I don't go into detail on how to use them.
dootdoo
01-06-2004, 03:28 AM
Also, where did you find a tiger woods tutorial? I'd like to read it :)
fantasywave
01-06-2004, 06:38 AM
Originally posted by dootdoo
Also, where did you find a tiger woods tutorial? I'd like to read it :)
This: http://forums.maxconsole.com/showth...s=&threadid=782
I'll read through your tutorials again and learn from it but now I gotta fix my Telnet problem...It freezes on every game when I send the message "value 6".
Falcon3
01-07-2004, 01:18 PM
DootDoo is it necessary to use IDA pro when locking the values or can this be done another way? Since i can't find IDA pro atm,
I hacked Dreamcast & PS2 saves before and those were easy.
my old DC save site
http://www.angelfire.com/games3/vmuland/falcon/index.html
This XBOX trainer stuff is new to me, I have successfully done the value searches, with your tutorial {thanks}. But as far as locking that value since I don't have IDA pro is where I'm having trouble at.
Any help would be appreciated.
Wanting to join your XBOX trainer team once i get this all figured out.
you can reach me on msn @
falconsvmuworld@hotmail.com
or aim @
falconsvmuworld
Thanks
Falcon3
dootdoo
01-07-2004, 01:29 PM
you can use any disassembler, I just prefer ida pro since that's what I'm used to. It's probably overkill in some situations, and it is a bit slow in loading since it does so many things..
The best alternative would be w32dasm (last I knew it was version 8.9 or something like that)
Thats probably a lot easier to find since its very popular with people that patch windows programs, and it ends up on web sites quite often.
Since there are so many disassemblers out there I didn't want to go thru all of them in the tutorials, but it should be pretty easy to figure out how to adapt the tutorial to use w32dasm's interface, since all we are really doing is finding out what is happening at that location, then changing it.
Falcon3
01-07-2004, 01:47 PM
Ok Thanks for Your Help Dootdoo.
1 question since i was able to find w32dasm ,which file am I loading into it?
I noticed you put the ASM file in the tutorial on TMNT,would I create a ASM file with MXT Evox trainer?
Sorry for all the noob questions,just trying to figure this out.
Thanks again
Falcon3
dootdoo
01-07-2004, 01:50 PM
you load the converted xbe into it (the one you made with cxbx).
The asm file is purely to help people see exactly where I am going, and what I'm patching at that location.
Falcon3
01-07-2004, 01:58 PM
Ok i got it thanks LOL i feel like a noob,I should have some working trainers soon.
Thanks for your help again DootDoo.
dootdoo
01-07-2004, 04:40 PM
no problem, the learning curve on trainers is sharp at the very beginning, then it gets a lot easier :)
Getting the tools all working is the biggest hurdle to most I think.
dootdoo
01-08-2004, 07:36 AM
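If anyone is/was curious on how to find the values for the TitleId and the TimeStamp the following code will do just that. If someone wants to write something like this in vb or vc++ or something I think it could be a helpful tool to point people to so they can check to see if the trainer they are trying to use is failing because of the title id, the timestamp, or because they misconfigured something. :)
#include <stdio.h>
#include <stdlib.h>

/* Print the TimeStamp and TitleId stored in an XBE header. */
int main(int argc, char *argv[])
{
    unsigned int offset;  /* certificate address, then file offset of the TitleId */
    unsigned int temp;    /* 4 bytes as stored in the file (little-endian host assumed) */
    FILE *fp;

    if (argc != 2)
    {
        printf("Usage: %s <xbe>\n", argv[0]);
        exit(0);
    }
    if ((fp = fopen(argv[1], "rb")) == NULL)  /* read-only, nothing is written */
    {
        printf("Error opening file <%s>\n", argv[1]);
        exit(1);  /* stop here instead of reading through a NULL FILE pointer */
    }
    fseek(fp, 0x0114, SEEK_SET);  /* Go to the offset for TimeStamp */
    if (fread(&temp, 1, 4, fp) != 4 ||
        fread(&offset, 1, 4, fp) != 4)  /* offset = start address of certificate */
    {
        printf("File too short for an xbe header\n");
        exit(1);
    }
    printf("Timestamp: %08X\n", temp);
    offset -= 0x10000;  /* adjust address for flatfile */
    offset += 8;        /* add 8 to get to TitleId value */
    fseek(fp, (long)offset, SEEK_SET);  /* Go to the offset for TitleId */
    if (fread(&temp, 1, 4, fp) != 4)
    {
        printf("Certificate offset is outside the file\n");
        exit(1);
    }
    printf("Title Id : %08X\n", temp);
    fclose(fp);
    exit(0);
}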
Surface
01-10-2004, 03:00 PM
Hmmmm... Seems like my xbox locks up every time after I type value ##
What could be causing this? I'm using EvoX M7, and EvolutionX V+3935... Xbox V1.1
The game im trying to work on is Morrowind GotY Edition, however this happens to all games I try. Even TMNT.
OR, if anyone wants to make a Maxed out Gold trainer for M-GotY that'd be super awesome.
dootdoo
01-11-2004, 12:33 AM
Some things to check:
if you have dhcp on, switch that to static ip instead.
try turning IGR off or on..
:)
student
01-28-2004, 10:10 AM
Thanks for the great tutorial, dootdoo!
Following the tutorial, I could go all the way down to NOP
and succeeded in making the number stay as I want.
After that, I want to create ETM file, so I don't need to
connect telnet every time I want to use trainer.
But I am lost. I tried EasyEvoxTrainerMaker, but no success.
How can I apply the 'poke' command to the utility?
Can someone guide me how to make ETM file?
Any help would be appreciated~
abramowicz101
01-31-2004, 12:46 AM
where can i find the FIRST tutorial
and what programs do i need to make trainers?can anyone pm me with the answer
dootdoo
01-31-2004, 08:54 PM
the first tutorial is the first post of this thread, and it also contains a link to the second tutorial.
If you have questions on either, please post them here, but be sure to read thru the rest of the thread first since most questions seem to have been answered (at least I hope they have)
dootdoo
01-31-2004, 08:56 PM
student: depends what poke addresses you are trying to do, if you are patching sub or decs, etc then I can help you thru the process, if you are just trying to force a value to be set such as money, that is more difficult. If you have addresses for games that haven't been done, you could ask me if I could write a tutorial on how to do that game and I'll look into it. It's about time for me to release a new tutorial anyways..
abramowicz101
01-31-2004, 10:31 PM
thanks dootdoo I will try the tutorial in february....between 16-20
LifeForce4
02-02-2004, 03:24 PM
Hey Dootdoo, I just wanted to know the setup for IGR in your evox.ini file. I read somewhere that it is better to use X2 IGR than Evox's IGR. Can you explain how I can set X2 IGR? I can telnet to my xbox just fine. When I have IGR on and TSR set to debug "all" my games lock up. I have every IGR inside of my Evox.ini file set to Yes and TSR is set to debug when I go into "settings" in evox.
Thanks,
Kyle
Originally posted by LifeForce4
Hey Dootdoo, I just wanted to know the setup for IGR in your evox.ini file. I read somewhere that it is better to use X2 IGR than Evox's IGR. Can you explain how I can set X2 IGR? I can telnet to my xbox just fine. When I have IGR on and TSR set to debug "all" my games lock up. I have every IGR inside of my Evox.ini file set to Yes and TSR is set to debug when I go into "settings" in evox.
Thanks,
Kyle
You must be using the old version of evox.ini. I would recommend you to update the evox.ini file that came with Evox v3935 and then set TSR to Debug and IGR to Yes. There's only 1 option for IGR in the new evox.ini file. Try it and let us know.
LifeForce4
02-02-2004, 06:47 PM
There are three IGR in the evox.ini file:
1) In FTP Section
2) Misc Section
3) RDTools Section
I have Evox 3935 installed and set TSR to Debug and IGR to Yes. It still freezes up when I try to run any game.
Thanks,
Kyle
dootdoo
02-03-2004, 12:48 AM
you dont need igr on, just tsr.. My igr is off :)
abramowicz101
02-03-2004, 02:34 PM
I have evox 3935...I think...and my TSR is on debug and IGR is on.....and so far every trainer works for me....and I loooooove it cause I can quit a game whenever by pressing the reset buttons......that's how I cheat.....
TO: DOOTDOO,
pm me when you want your KOTOR trainer tested...
TO ANYONE: PM ME FOR TRAINER TESTING
jdinh238
03-12-2004, 10:28 AM
dootdoo i am trying to find values in the sims bustin out but every time i try it the game freezes I checked all my settings and everything is correct can you help me out?
SnOoPHeLL
03-14-2004, 11:12 AM
hi
I'm a noob on trainers and I tried to make one. I have read your tuto but I'm stuck.
I tried to make a trainer with sphinx just to learn, I think it's an easy game to do that.
the first part i have do:
I started the game, after that I started ett and I found where the cash "add" is, but the max I get is 255$. I have tried many times and it never goes over 255$
why ?
I have tried to use ida but I have not found how to use it. I searched for the "add" for the cash in it and I saw nothing. I really need help with that :P
and how can I make a .etm because I don't want to go into ett all the time to set the cash.
thx
vintage_guitar
03-14-2004, 11:43 PM
hey guys, is COUNTER-STRIKE TRAINABLE? it gives me DIRTY DISK ERROR, every time, and then freezes up.
SnOoPHeLL
03-17-2004, 09:47 AM
ok i have made my first .etm but i want to know if it possible to edit a old .etm because in easyetm we have no place to load a .etm
thx
Originally posted by SnOoPHeLL
ok i have made my first .etm but i want to know if it is possible to edit an old .etm because in easyetm we have no place to load a .etm
thx
That's why when you make a trainer using EasyETM, it lets you save the file as .TMD. So no, you can't edit .ETM files with EasyETM, but you can if you remembered to save your work as .TMD using EasyETM.
Originally posted by vintage_guitar
hey guys, is COUNTER-STRIKE TRAINABLE? it gives me DIRTY DISK ERROR, every time, and then freezes up.
Do you know what happens when a game is XBox Live compatible? Did you read the readme file that came with Evox 3935?
mysticguy
04-13-2004, 10:56 AM
Hey I have a few questions! I'm really anxious to do this... So here goes, on your FAQ at the part that says
I then went back to the title screen (Start) and started playing again, now that my life
count is back to 6, so I do a value 6 search..
Check 83d00000:83f58000
83d03088
83d030d0
83d0343c
83d03444
83d034d8
83d03910
83d0395c
83d08084
83d0842c
83d0c2dc
83d0c2e0
83d0c2e4
83d0c2e8
83d0c2ec
83d0c600
83d0c604
83d0c618
83d0c634
83d0c638
83d0c63c
83d0c670
83d17424
83d1781c
83d814c0
83d81830
83d81c1c
Check 00a80000:00b80000
00b72448
Check 83b34000:83c60000
83b97274
83b99a54
Check 83575000:835b5000
From this I would have to say that only three of these addresses look like good targets,
00b72448
83b97274
83b99a54
Did you do one more search again that would narrow it down??
Then on this step
The next step is to look at what data is stored there..
so type: db
10
you should see:
00b72448 : 06 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 | ................
83b97274 : 06 6a 7e d2 06 6c 81 d2 06 6a 7e d2 07 66 79 d0 | .j~R.l.R.j~R.fyP
83b99a54 : 06 67 79 d2 59 a1 af e2 bf dc e1 f4 ff ff ff ff | .gyRY!/b?\at
Did you just type the letters "db"???
'Cause when I do it, it comes up with some weird message
i see you have
so type: db
10
Am I supposed to type 10?? I can get 10 on the next line.. So I never get any of those numbers at all.
Next I have value, 'cause it narrowed the value down to one candidate and I try to poke that value, but nothing changes. The game I'm playing is "Fight Night 2004". I wanted to increase my values more in the career mode after training, 'cause I didn't want to start over and recreate another boxer. So any help would be appreciated!!!
Thanks!
dootdoo
04-14-2004, 12:27 AM
it should read: db address 10
I narrowed it down because 0x83dxxxxx is typically the screen buffer data :) But that was sort of out of the scope of the tutorial, but that's how I narrowed it, but yes, if you can, do an additional search..
It's also helpful to look for values that turn up on dword boundaries, those would be addresses that end with '0', '4','8', and 'c'.
so 0x123456 is probably not as likely as 0x123464
:) Good luck with your poking..
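The narrowing dootdoo describes above (repeat the search, set aside 0x83dxxxxx hits as probable screen buffer data, prefer dword-aligned addresses), as an added Python example that is not part of the original post or of any Evox tool. The function names are hypothetical, the second listing is constructed, and 00123456 / 00123464 are dootdoo's illustration addresses inserted here as constructed hits.

```python
import re

# Excerpt of the value-6 listing quoted in the post above. The last three lines
# are constructed: dootdoo's two illustration addresses, treated as search hits.
FIRST_SEARCH = """\
Check 83d00000:83f58000
83d03088
83d0c2dc
83d81c1c
Check 00a80000:00b80000
00b72448
Check 83b34000:83c60000
83b97274
83b99a54
Check 00100000:00200000
00123456
00123464
"""

# Constructed: what a repeat search could return after the value has changed.
SECOND_SEARCH = """\
Check 83d00000:83f58000
83d0c2dc
Check 00a80000:00b80000
00b72448
Check 83b34000:83c60000
83b97274
Check 00100000:00200000
00123456
00123464
"""

HIT_LINE = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_hits(listing):
    """Collect hit addresses; 'Check start:end' range headers are skipped."""
    hits = set()
    for line in listing.splitlines():
        line = line.strip()
        if HIT_LINE.match(line):
            hits.add(int(line, 16))
    return hits


def is_screen_buffer(addr):
    """dootdoo's rule of thumb: 0x83dxxxxx is typically screen buffer data."""
    return (addr >> 20) == 0x83D


def is_dword_aligned(addr):
    """True for addresses ending in 0, 4, 8 or c."""
    return addr % 4 == 0


def triage(*listings):
    """Intersect all searches, drop screen buffer hits, rank aligned hits first."""
    if not listings:
        return []
    survivors = parse_hits(listings[0])
    for listing in listings[1:]:
        survivors &= parse_hits(listing)
    kept = [a for a in survivors if not is_screen_buffer(a)]
    kept.sort(key=lambda a: (not is_dword_aligned(a), a))
    return ["%08x" % a for a in kept]


if __name__ == "__main__":
    for address in triage(FIRST_SEARCH, SECOND_SEARCH):
        print(address)
```

The ranking is only a heuristic: an unaligned hit is moved to the end of the list, not discarded.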
mysticguy
04-14-2004, 09:25 AM
Thanks a lot! I got the poking to work!! Now if I can do the rest of the steps I will be in there!!! Thanks a lot. I will let ya know how everything else goes!
I'm running the most recent version of Evox. I've tried static IP and DHCP IP. TSR is set to debug and no matter what I do my game will freeze, once I set TSR to debug some games won't even load (Crimson Skies). Anyone have any ideas?
drivium
06-10-2004, 02:16 PM
Beyond Good and Evil troubles...
I'm trying to hack a # of pearls cheat but am having NO luck.
I know each pearl is specific and is put into a different slot in your inventory which would lead me to believe that these are triggered by 0's and 1's (flags?)
What would be the best way to search for this?
The way I HAD been doing it (before I realized it might be flags) was :
1. loading my save game in which I have 1 pearl - searching for a value of 1
2. then loading my save game in which I have 2 pearls - and doing a search for a value of 2
3. loading my save game in which I have 3 pearls etc...
but to no avail.
Does it mess the search up when I load a different saved game VS. changing the value within the CURRENT loaded game? (make sense?)
Advice? I know there is a trainer already out with this cheat NOT included...I'm wondering if it proved to be too difficult to hack. In which case - a NOVICE like myself shouldn't even bother.
Please assist n' stuff.
fleekez
06-19-2004, 04:39 PM
I really want to get into the wonderful world of xbox trainers. Unfortunately I still can't even connect to my box. I have my ip set to static, the debugger is on, and I have tried both with IGRs on and off. My evox ver. is 3921. Can someone please help!!!!
angelfly
06-20-2004, 10:47 AM
Originally posted by fleekez
I really want to get into the wonderful world of xbox trainers. Unfortunately I still can't even connect to my box. I have my ip set to static, the debugger is on, and I have tried both with IGRs on and off. My evox ver. is 3921. Can someone please help!!!!
3921 is your problem, you need to upgrade to 3935
Gamer808
07-25-2004, 01:06 AM
Ok. I'm working on a Marvel vs capcom 2 trainer.
I requested but figured if i can do it myself why waste other people's time. anyway. Followed dootdoo's instructions and found no problem whatsoever in mimicking the technique. One question though. I found the break and NOPed the subtraction but how do i use the EasyETM to create an ETM file? I know the address but what are the values and such? Honestly the EasyETM is harder to understand than the tut. It keeps telling me couldn't make file cuz error. I think i'm putting in screwy values. How do you figure out the old and new values, etc?
I got it to not make ur level go down now just working on starting up with it on max and not letting the comp do the same.
PS-Great TUT
Originally posted by Gamer808
Ok. I'm working on a Marvel vs capcom 2 trainer.
I requested but figured if i can do it myself why waste other people's time. anyway. Followed dootdoo's instructions and found no problem whatsoever in mimicking the technique. One question though. I found the break and NOPed the subtraction but how do i use the EasyETM to create an ETM file? I know the address but what are the values and such? Honestly the EasyETM is harder to understand than the tut. It keeps telling me couldn't make file cuz error. I think i'm putting in screwy values. How do you figure out the old and new values, etc?
I got it to not make ur level go down now just working on starting up with it on max and not letting the comp do the same.
PS-Great TUT
You don't need the old values, just put in the new values and whatever offset you want to nop = 90.
Also, make sure all of the boxes in EasyETM have something in them. I know if you don't put anything in the comment box, it will give you an error. Maybe that's the problem, who knows. Just play around with it.
Gamer808
07-25-2004, 04:54 PM
Damn this is getting irritating.
For some reason i made a trainer..FINALLY.
But it didn't work so i redid values to make it again and EasyETM keeps giving me an error. I put something in the comments section. Filled all fields. I tried to make it the same way i made the first, still gives me an error. No matter what i do it gives an error.
____________________________-
Nevermind i think it had to be a certain length on the info and captions. It works for now.
Thanx.
Gamer808
07-25-2004, 10:21 PM
Another quick question.
How do i make a flag turn on at startup.
I found an address and typed
poke 00655694 1
and the "mode" turned on which is what i wanted.
How do i make it turn on at startup.
If i type...
bpmb 0 00655694 w
i get a break at: 0004d13e
I check that address and this is what i find:
.text:0004D134 mov ecx, 20h
.text:0004D139 mov edi, offset dword_655665
.text:0004D13E rep stosd
.text:0004D140 mov eax, dword_6555A0
Am i missing something ?
dootdoo
08-17-2004, 06:34 PM
Originally posted by Gamer808
Another quick question.
How do i make a flag turn on at startup.
I found an address and typed
poke 00655694 1
and the "mode" turned on which is what i wanted.
How do i make it turn on at startup.
If i type...
bpmb 0 00655694 w
i get a break at: 0004d13e
I check that address and this is what i find:
.text:0004D134 mov ecx, 20h
.text:0004D139 mov edi, offset dword_655665
.text:0004D13E rep stosd
.text:0004D140 mov eax, dword_6555A0
Am i missing something ?
What that's doing is placing 20h dwords of 00000000's (likely) from 655665 ->... this isn't the routine you want..
At what point do you want the feature triggered?
Is it possible you can hunt down what checks if it's on and just enable it always?
dootdoo
08-17-2004, 06:36 PM
I'm thinking about writing some more tutorials.. what would people like for me to write them on? I can write a few on advanced subjects, or try and write some more newbie guides to help those that are still having a problem.. Please let me know..
Originally posted by dootdoo
I'm thinking about writing some more tutorials.. what would people like for me to write them on? I can write a few on advanced subjects, or try and write some more newbie guides to help those that are still having a problem.. Please let me know..
dootdoo, I would like to see a tut on multiple hooks or a way to handle selection inside the trainer itself. Let me explain this a bit :) Let's say you have 6 addresses, each address holds # of items, so these 6 items have their own address. If the trainer user turns on 2 out of 6, how do you handle this? These addresses need to poke constantly, so how would you go about doing this?
Thanks and let me know if there’s any confusion on my request :D
soulja2244
08-24-2004, 03:51 PM
Is there any way to train xbl games like ghost recon island thunder or pso? I don't see why the evox makers didn't include support for xbl games, since you can't use trainers online anyway.
dootdoo
08-30-2004, 11:31 AM
soulja: the limitation isn't on purpose.. there is/was a conflict between how the tsr works with the network..
arsniclulliby
09-14-2004, 10:32 PM
hey, i was curious...how did you and acidflash make the trainers for the suffering, tenchu, and riddick? i'm really curious because i've read the first two guides (not long ago so i'm still learning) but i'd still like to know what went into figuring out how to enable the cheats and how you found the cheats themselves. my thanks
-arsenic
dizzy
09-16-2004, 01:03 PM
There's one question I'm seeing go unanswered and it's the same problem I have.
I set TSR to DEBUG, but the game always freezes up. I got EvoX 3935 and whether i turn IGR to ON, or OFF, the game always freezes. I'm trying it on FABLE atm and can't seem to connect without Debug on, and with Debug the game freezes up.
any suggestions?
dizzy
09-17-2004, 04:10 PM
so no one knows? been 2 days and no reply.:confused:
arsniclulliby
09-17-2004, 04:51 PM
i still haven't a clue...i can connect and all and do everything i need to to write a trainer. but finding the right variables is hell. i get a list that's almost as long as "love and war" every time i search for a number of items or amount of ammunition. i was wondering about how dootdoo and acidflash figured out the addresses to enable the trainers to work for the above mentioned games. not to mention how they narrowed down the massive amount of addresses to get the trainer working.
-arsenic
dootdoo
09-18-2004, 02:30 AM
Riddick the only value I found with the tsr was ammo, the rest I did the hard way, that's why it took me so long to do the trainer. I don't recall how I did the suffering, but if I recall correctly I set breakpoints on likely health routines, and then traced everything from there. I didn't do tenchu, I just put the menu on it, so I have no idea.
A decent portion of games are incompatible with the tsr, so you either have to do them in .net, or by guess and check from the assembly.
if anyone cares, k_away's tsr enabling patch for live games does NOT fix fable, I've wasted my entire evening messing with it.. :(
ddkram
09-20-2004, 05:20 AM
hi. i have just one question. how do u trainer an energy bar coz i can't figure it out. all the guides you have written seem to deal with values you can see but most games have an energy bar or health bar that doesn't have any value you can see so how can you trainer an energy bar?
predator101
09-20-2004, 01:45 PM
Is there any way to get into fable with telnet? I'm dying to train the Age Value in Fable, but apparently I'm the only person who has a problem with playing such a cool game with a wrinkled old Geezer. Any help would be appreciated, heck I'll settle for a way to edit the savegame. Thank You.
Jenacyde
09-20-2004, 04:15 PM
Originally posted by predator101
Is there any way to get into fable with telnet? I'm dying to train the Age Value in Fable, but apparently I'm the only person who has a problem with playing such a cool game with a wrinkled old Geezer. Any help would be appreciated, heck I'll settle for a way to edit the savegame. Thank You.
I wouldn't mind having that option, but I am having the same problems you are and have not been able to figure it out.
dootdoo
09-21-2004, 01:55 AM
Originally posted by ddkram
hi. i have just one question. how do u trainer an energy bar coz i can't figure it out. all the guides you have written seem to deal with values you can see but most games have an energy bar or health bar that doesn't have any value you can see so how can you trainer an energy bar?
I've posted on this subject several times. The most common ways are finding another value that's connected (like I did in true crimes) it kept track of how many times you got punched, I then traced it to what looked like a health routine. same concept goes for when you can use an item to fill up health.
the next concept is to set breakpoints on likely routines, this is time consuming and a bit annoying, and often times yields few results, I recommend doing searches for floating point ops near the routines for other things, and setting break points on those first.
thirdly, you can find a value in memory, and look at values nearby (+ or - 1000) and see if you can spot any that change, that's how we (acidflash and I) did time splitters 2..
Oraclex
10-04-2004, 04:48 PM
Can't get debug to start on this game. Can get connected but just before it hits the main menu it kills the connection.
Any ideas?
Originally posted by Oraclex
Can't get debug to start on this game. Can get connected but just before it hits the main menu it kills the connection.
Any ideas?
Did you try reconnecting?
Oraclex
10-04-2004, 05:20 PM
Originally posted by Goku
Did you try reconnecting?
Yes.
Tried connecting at several different parts of the game. Even ran a ping on the box while played through a mission and it never got a response.
molcrin
10-09-2004, 07:48 PM
Does anybody know what reasons there can be why some people, such as myself, can not get telnet working while a game is running?
These are the things I have tried: updated evox to 3935, heard that x2 has an igr so changed the bios to evo m8.
My xbox is a 1.4UK with xecutor pro 2.3b and I used slayers 2.6.
I've enabled IGR and debugtsr within evox and manually edited evox.ini. In it I found an option 'TSR_TYPE = 2' and can find no information anywhere about what this does and as somebody posted before IGR is found in [MISC], [RDTOOLS] and [FTP]
I have, otherwise, full connectivity between the pc and xbox and tried games which I know other people have written trainers for (Burnout3, Outrun2...)
My thinking is that certain modchips don't work or that my evox.ini is not right.
Therefore, a check by people who have no problems with their setup would be appreciated. Somebody please post a working ini for 3935
Thanks
dootdoo
10-09-2004, 08:52 PM
first off, disable igr.. I think you heard backwards. turn off everything except for ftp. set tsr to debug (last item in the menu).. save, reset.
Just because someone in evox-t trained it doesn't mean it's connectable, it's possible (pretty likely) that we either live patched it (look at k_away's post on how to make some xbox live games tsr'able), or trained it using another method.
To test, I'd use a game like cabella's deer hunt, or true crimes, etc. Or, try against anything that was done a long time ago (january/feb). Those all should be connectable..
molcrin
10-09-2004, 09:24 PM
Well, I tried that and I had no luck.
I take it you meant true crime streets of la? It wouldn't telnet but went so slow that the game was amazingly crapper than it should be.
A list of games that people have had success with would be nice if anybody would be kind enough to post.
And these other methods that you mentioned, dootdoo... I might not be able to crack a game the way I'm going right now but let us in on the secret and it may well be the way for me.
molcrin
10-10-2004, 02:42 AM
For anybody attempting to edit the ini file by hand I discovered what 'TSR_TYPE =2' means 0=off 1=normal and 2=debug.
I disabled the igr settings in [ftp] and [rdtools] and everything now seems to be working, at least for the game I'm messing about with now, glitch in the system.
For anybody else having difficulty, just keep trying!
dootdoo
10-10-2004, 03:09 AM
Originally posted by molcrin
Well, I tried that and I had no luck.
I take it you meant true crime streets of la? It wouldn't telnet but went so slow that the game was amazingly crapper than it should be.
A list of games that people have had success with would be nice if anybody would be kind enough to post.
And these other methods that you mentioned, dootdoo... I might not be able to crack a game the way I'm going right now but let us in on the secret and it may well be the way for me.
I've detailed them multiple times on the forums, but to quickly rehash primarily I refer to: using alternative debugging methods (xdk with .net), or looking into the xbe itself and finding cheat activations, money and health display routines etc, and patching them. ie.. the other ways to train without value searches.. :)
for example, I found several other things to modify in fable without doing a single value search (since I wouldn't even know where to begin altering certain things like attractiveness), I just found a routine that referenced your age, your attractiveness, etc for onscreen display and modified that to do age.. (in all actuality I did notice the routine after hunting down age, but I could have just as easily done it all in ida)
molcrin
10-10-2004, 11:48 AM
If that's the way you do it, hacking your way through the xbe, and you are able to create trainers for other people to use, then that's the way it shall be done. I like a challenge.
Using a program to find the cheats for you, well, that's just cheating!
For live games, do you have to insert the crack that k_away talked about into the trainer or is it only needed for when you are creating the trainer?
dootdoo
10-12-2004, 02:17 AM
it's only needed while creating the trainer, and it's not exactly a crack, it just stops the xbox live stuff from initing, allowing evolutionx's socket stuff to work.
molcrin
10-15-2004, 03:22 AM
Ok I give up trying to hack Manhunt.
If it were on the Speccy or Amiga I'd have no problem. All I used to do was find the routine that is called when it's game over (usually by searching for 'Game Over') then find all the addresses that go there. Have a look at what happens before the call to game over and usually found infinite lives, invulnerability and sometimes weapons cheats.
Games on the Xbox (and probably the pc) are a lot more complicated!
In Manhunt I didn't expect to find the text 'Game Over' in the code as it has many languages that will be in different files but I did know that the game was written in English, so I had a look for routines that were named something like I was looking for. I found masses of routines that are totally redundant and have been left behind since the original writing and testing, but nothing that helped me in my quest.
I have read that people can hack a game from just the xbe. How is it done?
I'm looking forward to the next, hopefully much more complicated, tutorial.
willy282
10-19-2004, 02:32 AM
When i'm searching for values should it be in hex, because when i search for a value like 4b the results come back "Slot 0 Val 4". Is it actually searching for 4b or not?
Also, does anyone know of a semi-easy to understand text on assembly ?
Any help would be appreciated :)
molcrin
10-19-2004, 01:05 PM
I found that searches need to be in decimal, the 'slot 0 val 4' tells you that your first search was for a value of 4 ignoring the b.
As for the assembly... the best I can come up with is this http://www.intel.com/design/pentium4/manuals/index_new.htm
If you have never done any assembly stuff before don't bother following my link. If you've done some on something like the Amiga then you might be able to follow it
Originally posted by willy282
When i'm searching for values should it be in hex, because when i search for a value like 4b the results come back "Slot 0 Val 4". Is it actually searching for 4b or not?
Also, does anyone know of a semi-easy to understand text on assembly ?
Any help would be appreciated :)
molcrin is right that you have to search values in decimal. But 4b hex = 75 decimal. So you would search for 75.
kipje
11-06-2004, 05:10 AM
I wanted to try to connect to my xbox when wolfenstein was running ... but i couldn't for some reason, it does connect when i'm on evox though.
I tried the evox.ini thing turning everything off and leaving tsr on debug and FTP enabled but it still won't work. I have evox 3935.
i'll paste my evox.ini here:
SetupNetwork = Yes
StaticIP = Yes
Ip = 10.0.0.155
Subnetmask = 255.255.255.0
Defaultgateway = 10.0.0.138
DNS1 = 10.0.0.138
DNS2 = 10.0.0.138
SetupDelay = 0
SkipIfNoLink = No
[Clock]
JumpToMsDash = No
JumpIfNoLink = Yes
Use24 = Yes
SwapDate = No
SNTP_Server = 216.244.192.3
[FTP]
Enable = Yes
Password = xbox
[Telnet]
Enable = Yes
[RDTOOLS]
Enable = Yes
Name = XBOX_V1.0
[BIOS]
#
ROM = "EvoX 2.0",0x76fd88337b8d8c1f116f85f3984b98b6
ROM = "EvoX 2.1",0x99487615bb30670cb65993388fcf2a63
ROM = "EvoX 2.2",0x220ade778785cfc3c98bb5ea8bbd8608
ROM = "EvoX 2.3",0xd79bc87c2caa1a50dcc7016adf2ccc0a
ROM = "EvoX 2.4",0xe3ce66b99957a92fdac40af951c3f1fd
ROM = "EvoX 2.6",0xdd3de3542bff7b36cdb0dbe078c27fbe
ROM = "EvoX 3.6",0xcb73b4914bb6c70b66e21377989726a0
ROM = "EvoX 3.6ef",0xf754767b388ce7a08bf57304e24c9ae9
ROM = "EvoX D.6",0xc349c2b047a3d6c2de2e1c10185ecf86
ROM = "EvoX D.6ef",0x74c6235497f474bf88b54b3fc52a20b2
ROM = "EvoX M8.256kb",0xf9f606daa68f23aa748cbc98b49e801e
ROM = "EvoX M8.1MB",0xf9f606daa68f23aa748cbc98b49e801e
#
Flash = 0x01d5,"AMD - Am29F080B",0x100000
Flash = 0x01da,"AMD - Am29LV800B",0x100000
Flash = 0x015b,"AMD - Am29LV800B",0x100000
Flash = 0x04d5,"FUJITSU - MBM29F080A",0x100000
Flash = 0xadb0,"Hynix - HY29F002",0x40000
Flash = 0xadd5,"Hynix - HY29F080",0x100000
Flash = 0xbf61,"SST - SST49LF020",0x40000
Flash = 0x20b0,"ST - 29F002",0x40000
Flash = 0x20f1,"ST - M29F080A",0x100000
Flash = 0x89a6,"Sharp - LHF08CH1",0x100000
Flash = 0xda8c,"Winbond - W49F020",0x40000
#Flash = 0x89a6,"SHARP - LH28F008SCT",0x100000,0x20,0xd0,0x10
#Flash = 0x378c,"AMIC - A29002",0x40000
Current = 0xe19b920a8c5d24e47666465fb9819fbb
[Skin_Original]
#
# <Time> =
# <IP> =
# <Name>
# <Version>
# <CD>
# <BIOSVer>
# <KernelVer>
# <RDName>
# <SpaceC>
# <SpaceE>
# <SpaceF>
# <SpaceX>
# <SpaceY>
# <SpaceZ>
#
Text = 30,37,0.5,0x000000,0,"<Time>"
Text = 28,39,0.5,0x808080,0,"<Time>"
Text = 620,420,0.5,0x000000,1,"<Name> V<Version>"
Text = 618,422,0.5,0x808080,1,"<Name> V<Version>"
Text = 620,37,0.5,0x000000,1,"<CD>"
Text = 618,39,0.5,0x808080,1,"<CD>"
Text = 30,420,0.5,0x000000,0,"RD Name : <RDName>"
Text = 28,422,0.5,0x808080,0,"RD Name : <RDName>"
LogoType= 0
[Menu]
Section "Root"
{
Item "SPEL STARTEN",ID_Launch_DVD
Item "XBOX MENU",ID_MS_Dash
Item "RESET",ID_Quick_Reboot
Item "UIT",ID_Power_Off
Item "TRAINERS",ID_trainer
Section "EXTRA"
{
Section "Spelletjes op hd"
{
Section "Backup-Games op hd"
{
AutoAddItem "e:\backupgames\"
AutoAddItem "f:\backupgames\"
SortAll
}
Section "Classic-Games op hd"
{
AutoAddItem "e:\apps\games\"
SortAll
}
}
Section "Programma's op hd"
{
Item "DVD-Player","e:\apps\dvd-player\default.xbe"
Item "MEDIA-Player","e:\apps\media-center\default.xbe"
Item "GBA-emu","e:\apps\gba-emu\default.xbe"
Item "Video-select","e:\apps\video-select\default.xbe"
Item "DVD2XBOX","e:\apps\dvd2xbox\default.xbe"
Item "N64-emu","e:\apps\n64-emu\default.xbe"
Item "Nes-emu","e:\apps\nes-emu\default.xbe"
Item "Snes-emu","e:\apps\snes-emu\default.xbe"
#Item "Config-Magic","e:\apps\Config\default.xbe"
}
}
Section "INFO"
{
Item "Settings",ID_Settings
#Item "Flash BIOS",ID_Flash_Bios
#Item "Backup",ID_Backup
Item "Skins",ID_Skins
}
}
[Action_10]
LogFile = "f:\lock.log"
Info "This function will lock your XBOX Harddisk"
Warning "You will now lock your XBOX harddisk and will be able"
Warning "to boot from an original XBOX bios"
#
hddlockenable
[Action_11]
LogFile = "f:\unlock.log"
Info "This function will unlock your XBOX Harddisk"
Warning "You will now unlock your XBOX harddisk and will not be able"
Warning "to boot from an original XBOX bios"
#
Anything wrong with this ?
im using a smartxx v2 chip
thx in advance
dootdoo
11-06-2004, 05:33 AM
it should have something like
TSR_Type = 2
IGR = No
GameRegion = 2
I'd suggest starting with a blank ini from the latest evox (whatever that is) and adding your tweaks to it..
on top of that, RTCW doesn't to my knowledge work in the tsr, it may with the xlivefix, but I don't know.. :)
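A check for the settings discussed above (TSR_Type = 2 for debug, IGR = No), as an added Python example that is not EvolutionX code or part of the original posts. The function names are hypothetical; the first sample is an excerpt of the evox.ini posted above, the second is constructed, and placing TSR_Type under [Misc] is an assumption. The file is read line by line because its [Menu] and [Action_*] sections are not plain key = value INI.

```python
import re

# Meaning of the TSR_Type values as molcrin reports them earlier in the thread.
TSR_MODES = {"0": "off", "1": "normal", "2": "debug"}

# Excerpt of the evox.ini posted above (no TSR_Type or IGR lines in it).
POSTED_INI = """\
SetupNetwork = Yes
StaticIP = Yes
[FTP]
Enable = Yes
[Telnet]
Enable = Yes
[RDTOOLS]
Enable = Yes
Name = XBOX_V1.0
[Menu]
Section "Root"
{
Item "TRAINERS",ID_trainer
#Item "Flash BIOS",ID_Flash_Bios
}
[Action_10]
Info "This function will lock your XBOX Harddisk"
hddlockenable
"""

# Constructed sample: TSR left on normal and IGR still enabled in two sections.
CONSTRUCTED_INI = """\
[Misc]
TSR_Type = 1
IGR = No
[FTP]
Enable = Yes
IGR = Yes
[RDTOOLS]
Enable = Yes
IGR = Yes
"""


def read_settings(ini_text):
    """Return (section, key, value) for every 'key = value' line.

    Comment lines (#), braces, Item/Section entries and bare commands are skipped.
    Repeated keys such as ROM or Flash are all kept.
    """
    section = None
    settings = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings.append((section, key.strip(), value.strip()))
    return settings


def check_debug_setup(ini_text):
    """List what differs from the setup suggested in the thread."""
    settings = read_settings(ini_text)
    findings = []
    tsr = [(s, v) for s, k, v in settings if k.lower() == "tsr_type"]
    if not tsr:
        findings.append("TSR_Type is not set")
    for section, value in tsr:
        if value != "2":
            mode = TSR_MODES.get(value, "unknown")
            findings.append("TSR_Type = %s (%s) in [%s], debug needs 2"
                            % (value, mode, section or "no section"))
    for section, key, value in settings:
        if key.lower() == "igr" and value.lower() in ("yes", "true", "1"):
            findings.append("IGR = %s in [%s]" % (value, section or "no section"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_INI), ("constructed", CONSTRUCTED_INI)):
        print(name, check_debug_setup(text) or "ok")
```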
kipje
11-06-2004, 07:18 AM
where can i get the original evox.ini ?
WS-420
11-16-2004, 09:02 AM
what about Max x dootdoo? (max points etc..).. and bars... gah bring back 2001. :p
dootdoo
11-16-2004, 04:04 PM
you want a tutorial on max points? :)
WS-420
11-16-2004, 04:31 PM
yes sir...:D
A new tutorial! (http://forums.maxconsole.com/showthread.php?s=&threadid=3099)
:)
kipje
11-29-2004, 08:24 AM
awesome bro ! ill take a look at it right away!
therealjosh
12-02-2004, 08:33 AM
Check it out, super Noob here. I just posted the same thing in the wrong place so I apologize. A buddy of mine thought it would be funny to remove the trainer option from my main evox menu. Now I can't put it back and a trainer was on, subsequently causing disturbing results in different games. Aggravation aside, assume that I am not networked to my pc, how do i return that option to the main menu?
Originally posted by therealjosh
Check it out, super Noob here. I just posted the same thing in the wrong place so I apologize. A buddy of mine thought it would be funny to remove the trainer option from my main evox menu. Now I can't put it back and a trainer was on, subsequently causing disturbing results in different games. Aggravation aside, assume that I am not networked to my pc, how do i return that option to the main menu?
No need to post twice, just read the other thread.
therealjosh
12-02-2004, 09:20 AM
again I apologize. Your help is most appreciated.
Poiuy
12-10-2004, 02:44 PM
I think the tutorial should be easier if you use some print screens and also use the tool Evox DTSR instead of telnet for newbies. Thanks for your tutorials dootdoo
Poiuy
stevewassy
12-13-2004, 05:03 PM
...
mrgrim
01-01-2005, 02:12 PM
What do you need to look in an xbe file for trainer options?
LifeForce4
01-01-2005, 05:42 PM
Originally posted by mrgrim
What do you need to look in an xbe file for trainer options?
The xbe is like a dll or exe for computers. If you have ever even read a little about how computer hacks/trainers work it will be easy to understand.
The xbe holds most of the information on values for the game. Like how or when they are supposed to be changed. We look in the xbe for these areas where it changes the value. Then depending on what we want to do, we either have it change to something else (more ammo) or stay where it is (health).
Guys feel free to correct me on anything or add what I may have missed.
Kyle
Digital Marine
01-02-2005, 11:12 PM
Goku, thanks for telling me about that "TSR trainer". I finally figured out how to set debug mode for Halo 2, it was a bitch. But now for some reason I can't make a trainer. I'm stuck on the part where you enter the data in a trainer maker (my case Easy ETM). I can find the addresses, values, and even breakpoint values, but I don't really understand what stuff I put in the Easy ETM. So one of you guys that has made a Halo 2 trainer (acidflash and/or dootdoo), can you tell me if I'm doing something wrong here?
First of all, I go to Split Screen and I telnet with that. I've tried Slayer, and it messed up, and I haven't tried Single Player. But anywhos...
I'll be playing on Cairo Station (don't think it matters), and I go down the stairs to get the SMG. The SMG has 60 bullets, I believe, so I do a value search of 60. I shoot off 20 bullets, so now I do a value search of 40. Then I shoot off almost my whole clip so I have 3 bullets left, and I do a value search of....3. I then find the address of 82e435fc. So I poke that to 3C (for 60 bullets). It works, I got a full clip. Wa ho, but now I set a break point on it. I set it to an address of 82e435fc, On Memory Byte, and Write, and click Set Break. I then poke that address to 30, the game freezes. I look at the break values, and it said it broke at 001031f4. So I go to IDA and push "g" and put 001031f4. And I see that little arrow thing pointing to 001031FA. So between the break point and the arrow I get :
.text:001031F4 EB 04 jmp short loc_1031FA
.text:001031F6 ; ---------------------------------------------------------------------------
.text:001031F6
.text:001031F6 loc_1031F6: ; CODE XREF: sub_102FB0+230j
.text:001031F6 8B 4C 24 34 mov ecx, [esp+10h+arg_20]
.text:001031FA
.text:001031FA loc_1031FA: ; CODE XREF: sub_102FB0+244j
.text:001031FA 66 83 79 08 00 cmp word ptr [ecx+8], 0
So then I open Easy ETM. I set a title then I do import, and it puts TitleID to 4D530064 and TimeStamp to 4158CC50 (don't know if those are correct). I click Add/Modify, and for title I just threw in "SMG". And this is the part where I'm lost, and none of the tutorials really explain this good enough for me to understand.
I set the address as 001031f5 (because in a tutorial it said don't use the break point), and I kept the Old Value to blank, and put FF in New Value. I did this all the way down to 001031fA. So 001031f5-001031fA. Save it as TMD and ETM. Upload the ETM to my Xbox. I turn TSR to Normal, and IGR to True (I like IGR). Then I reload Evox (I have it sitting as an app to reload), and everything took place. I turn MY trainer on and shut off every other trainer. I load the game via retail disc. Blah blah, the loading screen goes, and I make a "party" under Split Screen. Set it to Zanzibar (default weapon is SMG) and launch it and the game freezes when I pull the trigger. Did I "poke" the wrong address in Easy ETM?
By the way, can you make some tutorial on Halo 2 shit. The only things I would like to know about Halo 2 is: how to get infinity anything (grenades, guns, etc), the tiny, small, w/e, and that super jump in your newest trainer.
Sorry for the big post! It feels like I wrote a whole tutorial on how to get the breakpoint of a SMG, but I hope someone can help!
LifeForce4
01-03-2005, 12:05 AM
Originally posted by Digital Marine
.....launch it and the game freezes when I pull the trigger.
Same thing is happening to me with another game and I can't figure out why either. From what you said everything sounds like you did it correctly.
Originally posted by Digital Marine
How to get infinity anything (grenades, guns, etc), the tiny, small, w/e, and that super jump in your newest trainer.
The infinite anything is what you are doing right now. Grenades are a little worse to find because you only have 5 values to search for and they are small numbers 0-4. The size options I think dootdoo just looked around in the xbe and found it from my guess. Don't know if he did the same thing with the jump because how would you set a break point for jumping?
Kyle
Digital Marine
01-03-2005, 01:37 AM
So everything is right, but it's just my game/xbox or w/e? And that's what I was thinking...how the hell can you set a break point for jumping?!
LifeForce4
01-03-2005, 10:26 AM
Originally posted by Digital Marine
So everything is right, but it's just my game/xbox or w/e?
I think it has to do with what addresses we put in. I am still working on mine trying to figure out why it locks up. If anyone can help us on this, it would be great.
Digital Marine is working with Halo2 and I am trying Medal of Honor: Frontline.
Thanks,
Kyle
Digital Marine
01-03-2005, 10:13 PM
I just tried putting in the Old Values for the hell of it, game didn't freeze, and nothing happened. There was no change at all. And LifeForce4, do you happen to have COD: Finest Hour? Maybe we can look at that code together and find some stuff out.
LifeForce4
01-04-2005, 12:40 AM
Originally posted by Digital Marine
I just tried putting in the Old Values for the hell of it, game didn't freeze, and nothing happened. There was no change at all. And LifeForce4, do you happen to have COD: Finest Hour? Maybe we can look at that code together and find some stuff out.
I tried different values and adding or removing some addresses; none seemed to make it work. It would just lock up when I tried to fire. I also have been spending about 3 hours so far looking for the dumb address with the health bar info on MoH: Frontline.
No I don't have COD: Finest Hour but I am going to the local movie rental place tomorrow so I can rent any game they have. I like the idea with both of us helping each other as we learn.
Why not do a game that no one has a trainer for yet? Then we can work on it through PM's. I was thinking Magic the Gathering: Battlegrounds or Splinter Cell.
Just found out my brother is going to rent COD:FH anyways so we can work on it.
Kyle
Digital Marine
01-09-2005, 10:40 AM
Its sad how nobody posts to help...
tdc00769
01-11-2005, 01:27 AM
I set the address as 001031f5 (because in a tutorial it said don't use the break point), and I kept the Old Value blank, and put FF in New Value. I did this all the way down to 001031fA. So 001031f5-001031fA. Save it as TMD and ETM. Upload the ETM to my Xbox. I turn TSR to Normal, and IGR to True (I like IGR). Then I reload Evox (I have it sitting as an app to reload), and everything took place.
ok i trained a few things in h2 so maybe i can help. ok my h2 i got (ntsc) this for INF AMMO starts here
00100C0B 90
00100C0C 90
etc
etc
00100C10 90
this is last one. after this save it and upload to your box and try it out, only works for the clipped weapons. on my box h2 wouldn't work with igr on so u could try cutting it off. i also have the no reload and inf grenades, but then dootdoo and acid came out with a killer h2 trainer so i just quit working on it. i would have tried helping sooner but i do not look in this thread much so i guess i will look at this thread more. let me know if u need more help. maybe this is just me but when i try to put ff in an etm trainer the trainer never works, only when i 90 something out, but i usually always try to 90 out things so maybe i am wrong
LifeForce4
01-11-2005, 06:03 PM
tdc00769: Thanks for that I just changed one of my trainers that would lock the game up from FF to 99 and it works now. That is really interesting.
Thanks again,
Kyle
tdc00769
01-12-2005, 02:12 AM
i think if u 90 everything out it turns it off, for instance when i find an ammo routine i 90 out the section that decreases this num and it never dec. i'm glad i could help someone
bugsysiegals
01-12-2005, 10:06 PM
Could somebody PLEASE post a link to the other Halo thread where I can find the TSR Trainer? I cannot seem to find the thread at all and since maxconsole doesnt have a search feature it is quite frustrating.
Much thanks and gratitude to everyone on maxconsole who has contributed tutorials or advice and information so that we all may learn to develop our skillz!!! Also much thanks to all of the people who have spent their time writing trainers and sharing them with us all so we may enjoy our games a bit more! :) It is greatly appreciated by me and Im sure everyone else.
-Bugsysiegals
tdc00769
01-13-2005, 03:18 AM
go to the 2nd page of the forum about midway, it is in the halo 2 global not live thread.
bugsysiegals
01-13-2005, 09:54 AM
I dunno if I wasn't very clear with what I'm asking but I think I got the wrong response? I have tried the Global +13 trainer NOT LIVE and it didn't do what I'm trying to do. I'm not trying to run a trainer for Halo2 so I can cheat, I'm trying to run Halo2 in TSR Debug mode so I can do value searches, poke memory bytes and learn how to make my own Halo2 hacks/trainers.
Every time I set TSR to Debug and start the game I get a black screen and the game freezes. At first I thought maybe the game wasn't able to run in Debug mode but then I saw that Digital Marine posted on page 9 of this thread that he was able to get it to run in Debug mode after having Goku tell him about the "TSR Trainer". I then went and found the thread "Still cant connect to Halo 2 via TSR" which is on the 2nd page of this forum. Goku's response was "Go back to the other Halo 2 threads and look for TSR trainer for Halo 2. Set XBox on Debug, turn on the trainer and enable the option TSR in that trainer."
This leads me to believe that there is a trainer out there that has a TSR enable/disable option WITHIN the trainer itself. I am unable to find this trainer anywhere and the Global +13 NOT LIVE trainer doesn't have that feature in it. I also have just tried to enable that trainer and run the game in TSR Debug mode with no luck.
I really just want to get started debugging some games and making some good cheats but Halo and Halo2 are two of the only games I have left since my house was robbed. :( It would be nice if someone who has gotten this game to run in Debug mode, search values, poke memory bytes and write trainers for this game to reply with the procedure on how they did it.
I would suggest that the reply be posted in the "Still cant connect to Halo 2 via TSR" thread on the 2nd page of this forum so it is easy to find for anybody having the same problem but thats just my opinion. Thanks
-Bugsysiegals
LifeForce4
01-13-2005, 10:43 AM
Wow you need to learn how to write lol that was a pain to read. The trainer ".etm" file with TSR Debug on off was made just like any other trainer with Easy ETM. Only difference was we followed k_away's XNET patching tutorial and instead of HEXing the default.xbe we made a trainer to change the values when we wanted.
Check out these links a simple search "Xnet patch" gave me.
http://forums.maxconsole.com/showthread.php?s=&threadid=3170&highlight=xnet+patch
http://forums.maxconsole.com/showthread.php?s=&threadid=2205
Kyle
bugsysiegals
01-13-2005, 01:54 PM
I really appreciate your attempt to enlighten me on this matter but I am still at a standstill. :) If you read the beginning few lines in the 2nd link you provide it clearly states that "If games HANG/FREEZE when Debug TSR is on, using this trick WILL NOT SOLVE that problem. You should apply this trick if a game works like it should, but you can't telnet to it."
According to that the patch isnt going to fix the game from "HANGING/FREEZING" but maybe I will need to run that patch in order to get the telnet to work. I had previously tried that patch before I ever posted to see if that would allow the game to load but obviously I had no success.
What do I need to do to get the game to load without hanging or freezing? I am going to try a few different bioses and see if I have any luck. It seems to me the only other thing is to make this trainer file but I dont see how that will work when it says it wont stop the game from hanging or freezing and that is my problem.
-Bugsysiegals
LifeForce4
01-13-2005, 02:02 PM
Originally posted by bugsysiegals
According to that the patch isnt going to fix the game from "HANGING/FREEZING" but maybe I will need to run that patch in order to get the telnet to work. I had previously tried that patch before I ever posted to see if that would allow the game to load but obviously I had no success.....
-Bugsysiegals
Did you read my first link? Where I had the same problem.
Kyle
bugsysiegals
01-13-2005, 02:38 PM
Well I finally got the game to load! :) :)
I was using the x2_4977 bios previously. I just tried the M8 bios and it was a SUCCESS!!!!
I cannot telnet to the game yet but I havent run the XNET patch or made the trainer yet. I'm sure it will work once I follow those steps as it seems to have worked for everyone else.
Thanks for all the help and the links. I really appreciate it! Hopefully these posts will be useful to someone else who is having the same problem.
I cannot wait to start making some trainers!
-Bugsysiegals
morpheous1777
01-14-2005, 12:05 AM
ok, tried running with debug on, and game froze on startup, so i patched it (xlive) and now it loads and plays just fine with debug on, i can connect ok in evox, but i still can't connect while the game is running ?? I know other people have got it workin, what the hell am i doin wrong ??
version 1.1 box
matrix chip
x2 4983 bios (tried evox m8 also via pbl metoo)
evox 3935
DebugTSR = Yes
TSR_Type = 2
IGR = No
basically i'm trying to see what changes after you pick up each skull, and trying to create a trainer for them, anyone else trying this ??
tdc00769
01-14-2005, 01:26 AM
Can u connect when on the evo screen?
If so then i seen that it will not connect with certain bios, this could be a prob. look for the halo 2 threads and it was in there
LifeForce4
01-14-2005, 08:17 AM
morpheous1777: Try the M7 bios as dootdoo said to me that was the only one he could connect with halo2. You also might want to update your evox.ini file you should only have one TSR=Debug other than that everything looks ok.
Kyle
bugsysiegals
01-14-2005, 11:49 AM
I got the game to at least load without freezing with the M8 bios in debug mode. After I make the trainer then I will confirm if it also works for the telnet part.
I have a problem. I converted the .xbe into an .exe. Then I disassembled the .exe with IDA Pro.
Everything went good until I opened the xbox signature file and it had to go through the whole process again labeling and finding xbox related stuff. It took a very long time to do (566Mhz, 7GB, 128RAM) :( and I think I might have gotten close to it finishing except I got an error because it ate my HardDrive down to 6MB and couldn't write any more info!!
How many MB does it use to disassemble and convert all the info with the xbox sig? I think I had like 300MB FREE when I started the program. Hopefully it's not too much more than that so I can just delete a few albums I have on my HD.
-Bugsysiegals
LifeForce4
01-14-2005, 04:13 PM
Originally posted by bugsysiegals
I got the game to at least load without freezing with the M8 bios in debug mode. After I make the trainer then I will confirm if it also works for the telnet part.
-Bugsysiegals
Well if you could make the trainer now that means your telnet is working if you did a value/poke search to find the addresses.
Originally posted by bugsysiegals
How many MB does it use to disassemble and convert all the info with the xbox sig? I think I had like 300MB FREE when I started the program. Hopefully it's not too much more than that so I can just delete a few albums I have on my HD.
-Bugsysiegals
I never checked the files unpacked but the IDA pro file after IDA packs it back up is 35-40MB in size. Windows requires 10% of the hard drive to be free for it to run correctly.
Kyle
morpheous1777
01-14-2005, 04:14 PM
Originally posted by LifeForce4
morpheous1777: Try the M7 bios as dootdoo said to me that was the only one he could connect with halo2. You also might want to update your evox.ini file you should only have one TSR=Debug other than that everything looks ok.
Kyle
YES, that was the problem, used evoxm7 and now i can connect while game is running. now i can finally get started
thanks
morpheous1777
01-14-2005, 10:13 PM
retraced what i tried:
h2 freezes with x2 4983
evox tsr = debug
no xlivefix patch
telnet not workin in game
h2 loads with x2 4983
evox tsr = debug
used xlivefix patch
telnet not workin in game
h2 loads with evox m7
evox tsr = debug
no xlivefix patch
telnet working in game......yaaaaaa
bugsysiegals
01-15-2005, 11:39 AM
Well I finally got the telnet to work!! I Can Re-Confirm that ...
h2 loads and telnets with:
M7 bios
TSR = Debug
NO Xnet patch or xlivefix
h2 works with:
M8 bios
TSR = Debug
NO Xnet patch or xlivefix
HOWEVER; YOU MUST SET THE "IN GAME RESET" OPTION TO OFF!!
If you join a game instead of hosting, why do only certain cheats work? Is it because the existing trainers do not have the system link part of the file patched or is it because the hosts .xbe file operates all conditions of game play for every player in the networked game? I'm hoping that there exists a part of the file that still needs patching. :)
I have noticed that when you run h2 with TSR in Debug mode that you cannot select system link. Is this what the Xnet or xlivefix patches fix? How can we debug the game while playing system link?
The cheating on XBMC and XLINK has gotten way out of hand in my opinion. :rolleyes: It is near impossible, at least for me it seems, to join a room and just play a real game. The cheats are nice to have for campaign mode but if every time you join a room and the host is cheating, honestly what is the point of even playing anymore?
My only hope for this game and system link is that the server makes it impossible for anyone to use the cheats at all or patching the right part of the game that allows ALL users to use the same cheats. Then in all fairness we could set certain cheats to enable when you click the right button combo the way highjump, suicide, and cloaking work now. That way we can play fair but if someone insists on cheating then the playing field is fair. By the way, how do you set it up so that I can make my cheats able to turn on and off with certain button combos?
Lastly, what is the best h2 map editor out there? I have ADI and H2Edit. I cannot get Ch2r to work on my computer for some reason.
P.S. I was just playing on XBMC and I noticed someone running around with what appeared to be 2X running speed!!! Has anybody else seen this too?
-Bugsysiegals
bloodtrax
02-10-2005, 06:34 PM
Evox trainers are great but do we have a hero amongst us that could create a program that u can load on ur box that enables u to find a trainer without the use of a pc? I remember years ago I had an action replay for the snes and it allowed u to try and find trainers for all ur games whilst playing them and save them. it was pretty much like what we are all trying to do now. you had to switch it on whilst playing the game, input ur amount of lives for example, then lose 1, switch back to the ar and input the new amount and it would try to find the trainer for u. If someone could write a program like this that would be amazing, we could all do it with ease and share all our findings. this would take a lot of work off dootdoo and acidflash and the likes. If u are our hero speak up and we will all bow b4 u!
pereghost
02-12-2005, 08:08 AM
I have read every page in this forum section from page 1 to 11 and I only found one problem like mine but it got no answer. The problem is I have created the trainer up till the point where you need to generate the ETM file.
I click the button it goes to a screen asking where you want to save and when I hit save I get this error:
Easy evox trianer maker\tools\ML.exe C:\winnt\system32\autoexec.nt. The system file is not suitable for running MS-DOS and M$ windows Aplications.
then I click close and I get this message: The etm file was not generated due to error.
I can generate the TMD file but not the ETM. I am running windows 2000, is there a compatibility issue or something with Easy Trainer Maker and Win2k? I really want to see if I can make trainers and if anyone could help me move beyond this point I would be greatly appreciative.
Sincerely Ghost
Lampo
02-13-2005, 08:14 AM
Just a quick question
here is what i am after, does anyone know how its done.
sorry if this has already been covered
1. start an xbox game
2. dump onto your computer the active game code (dont know what tools are needed for this)
3. save this
4. change something in the game e.g lose some life
5. dump the active game code again
6. compare this with the original code (look for changes)
7. lose some more life
8. dump code and look for changes
9. etc etc.......
hope some one can help.
cheers
ddkram
02-13-2005, 10:27 AM
hey Lampo. well it is possible to do what you're asking but normal users don't have these kinda tools (including me) the only people who can do this are evox-t with their own software which they don't give out. so unless they make a public release or someone else discovers a way of doing it or evox-t decide to share we can't do much.
Lampo
02-13-2005, 11:56 AM
Thanks for the speedy reply ddkram
just another quicky would i be able to apply this method to
gamesaves or cached data or can i use the memory dump option in ett
probably a long shot, but you dont know till you ask
cheers
ddkram
02-13-2005, 12:21 PM
ok well Lampo as far as i know it is currently not possible (i am sure it is possible but not with the public tools that us users have).
if anyone else has any comment on this i would like to hear about it and how they have done it.
pereghost
02-14-2005, 08:31 AM
Can someone help me out with this problem? I am stuck here. I really want to get to creating but can't get past the problem stated above.
thanks for your time Sincerely Ghost
ddkram
02-14-2005, 12:09 PM
well pereghost i have heard of this problem before. the most common thing to do is to check your C:\winnt\system32\autoexec.nt and make sure it exists and make sure it isnt corrupt etc and if you aint sure replace it with one from a windows CD or use a different install then reboot and try again and it should work. please let me know if that works out. and if you need a "autoexec.nt" for winXP just ask and i will PM mine to you.
REQ: Splinter Cell Chaos Theory DEMO
-god mode
-unlimited ammo
pereghost
02-14-2005, 06:36 PM
Thank you for your reply ddkram. What I ended up doing is copying the autoexec.nt from the repair folder inside windows and it works now. So if there is anyone else who is dealing with this problem just go to search and look in all hard disks and look for the autoexec.nt file and if more than one comes up the one that says from c:/winnt/repair is the one you need to copy over to the system 32 folder.
So thanks again ddkram for all your help..
Now all I need to find out is how to get this robot in kotor 2 from glowing all messed up after getting shot so I can move on in the game. Not even of the first stage still in the fuel depot. Shame ain't it!
ddkram
02-15-2005, 04:22 AM
no problem pereghost just glad to be of help. if you ever need help with anything else like this post it here and i will see what i can do to help. a few of my friends have had trouble with that in the past. i dont know how it gets corrupted or deleted but i am glad it worked out alright for you.
EgoDeath
03-20-2005, 08:47 PM
Is it possible for Someone to create a tutorial on the Newly released xbxmdump, including a quick guide on how to setup your xbox/pc to use it?
this would really help
thanks
Lampo
03-21-2005, 01:55 PM
XBXMDUMP?? NEVER HEARD OF IT, WHERE CAN IT BE DOWNLOADED?
Lampo
03-21-2005, 02:32 PM
a quick message for ddkram (or anyone else who knows the answer)
a little while ago i posted the below post, can you tell me will the new xbxmdump program now allow me to do this
cheers
Originally posted by Lampo
Just a quick question
here is what i am after, does anyone know how its done.
sorry if this has already been covered
1. start an xbox game
2. dump onto your computer the active game code (dont know what tools are needed for this)
3. save this
4. change something in the game e.g lose some life
5. dump the active game code again
6. compare this with the original code (look for changes)
7. lose some more life
8. dump code and look for changes
9. etc etc.......
hope some one can help.
cheers
EgoDeath
03-21-2005, 02:53 PM
thats EXACTLY what this program does :D
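The dump-and-compare procedure Lampo lists above, as an added Python example (not written by any poster in this thread and not xbxmdump's code): it keeps only the addresses whose value changed the way the game state changed between successive dumps. The snapshots, the base address and all function names are constructed for illustration.

```python
"""Differential memory-snapshot search (added example; all data is constructed)."""
import struct

BASE = 0x00400000                      # constructed base address of the dumped range
_FORMATS = {1: "<B", 2: "<H", 4: "<I"}  # x86 values are little-endian

# How a value must relate to the previous dump for its address to survive.
FILTERS = {
    "decreased": lambda old, new: new < old,
    "increased": lambda old, new: new > old,
    "changed":   lambda old, new: new != old,
    "unchanged": lambda old, new: new == old,
}


def read_values(dump, base, width, aligned=True):
    """Map address -> unsigned value of `width` bytes read from the dump."""
    step = width if aligned else 1
    fmt = _FORMATS[width]
    return {base + off: struct.unpack_from(fmt, dump, off)[0]
            for off in range(0, len(dump) - width + 1, step)}


def narrow(dumps, steps, base, width=2, aligned=True):
    """Apply one filter per consecutive pair of dumps.

    dumps : list of bytes objects covering the same address range, in capture order
    steps : list of FILTERS names, one per pair of dumps
    Returns the sorted addresses that satisfied every step.
    """
    if len(steps) != len(dumps) - 1:
        raise ValueError("need exactly one filter per pair of dumps")
    if len({len(d) for d in dumps}) != 1:
        raise ValueError("all dumps must cover the same range")
    prev = read_values(dumps[0], base, width, aligned)
    alive = set(prev)
    for dump, step in zip(dumps[1:], steps):
        cur = read_values(dump, base, width, aligned)
        test = FILTERS[step]
        alive = {addr for addr in alive if test(prev[addr], cur[addr])}
        prev = cur
    return sorted(alive)


def make_snapshots():
    """Four constructed 64-byte dumps: full life, after a hit, idle, after a second hit."""
    frames = []
    for life, ticks, noise in [(100, 1000, 200), (80, 1600, 150),
                               (80, 2300, 150), (55, 2900, 160)]:
        mem = bytearray(64)
        struct.pack_into("<H", mem, 0x10, life)    # the value being hunted
        struct.pack_into("<I", mem, 0x20, ticks)   # a timer that only grows
        struct.pack_into("<H", mem, 0x30, noise)   # unrelated value that happens to drop
        frames.append(bytes(mem))
    return frames


if __name__ == "__main__":
    dumps = make_snapshots()
    first = narrow(dumps[:2], ["decreased"], BASE)
    final = narrow(dumps, ["decreased", "unchanged", "decreased"], BASE)
    print("after one comparison :", [f"{a:08x}" for a in first])
    print("after all comparisons:", [f"{a:08x}" for a in final])
    # Scanning every byte offset also reports overlapping reads of the same value.
    loose = narrow(dumps, ["decreased", "unchanged", "decreased"], BASE, aligned=False)
    print("unaligned scan       :", [f"{a:08x}" for a in loose])
```

An "unchanged" step between two hits is what removes values that merely drift; a single comparison leaves the unrelated word at offset 0x30 in the list.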
Pandor
06-27-2005, 07:40 AM
Little problem here, with IDA.
i'm running a copy of IDA Pro 4.8 and every time i load an exe (or xbe) it just shows something like this:
db 0B8h ; +
db 0FFh
db 0
db 0
db 0
db 0BAh ; ¦
db 32h ; 2
db 0
db 0
db 0
db 0B9h ; ¦
db 80h ; Ç
...
instead of:
push edi
mov edi, eax
call near ptr unk_0_29E6B0
mov eax, 0FFh
mov edx, 32h
mov ecx, 80h
If i select a line i can convert it to instructions by pressing the 'C' key but that's kinda annoying. How can i set IDA to show all instructions? I've been looking all over google but can't find a solution..
First time IDA user and stick'n with W32dASM until i find a fix for this...
Lampo
06-27-2005, 01:20 PM
it takes a while to convert it all to strings, best thing to do is load the xbe and leave it for a while
check the bottom left hand corner of the screen if its rapidly cycling through numbers its still converting
Pandor
06-27-2005, 03:33 PM
the thing is, there is nothing happening in the lower left corner.
after loading the xbe/exe i see it parsing in the lower left corner but then it just shows an empty box (autoanalysis state).
and in the log windows it says "you may start to explore the input file right now".
i don't see anything more happening.
I might try another version of IDA...
Lampo
06-27-2005, 04:57 PM
yeah after it says "you may start to explore the input file right now".
it takes a little while to go through the code and convert it to asm
mine takes about 5-10 mins from loading the xbe to showing the asm
Pandor
06-28-2005, 06:33 AM
aargh, my bad.
IDA wasn't properly configured.
i had some stuff disabled or set the wrong way in the config..
Lampo
06-28-2005, 11:17 AM
glad you got it all working :)
lampo
Nimbus Enforcer
08-12-2005, 12:37 AM
It would be great if the faqs included connection problem solutions. Also etm making problem solutions(I'm meaning the actual process of making the etm from the hex code using what ever etm maker). I had problems in both these areas and never seemed to be able to figure out what I was doing wrong.
biggieandmoe
08-12-2005, 12:38 AM
It would be great if the faqs included connection problem solutions. Also etm making problem solutions(I'm meaning the actual process of making the etm from the hex code using what ever etm maker). I had problems in both these areas and never seemed to be able to figure out what I was doing wrong.
I agree with everything Nimbus Enforcer has to say because I have been getting the same problem and have yet to find a solution.
RoBoZeO
08-19-2005, 03:09 PM
I agree with everything Nimbus Enforcer has to say because I have been getting the same problem and have yet to find a solution.
well most trainer makers dont use telnet to connect to debug. we use a debug bios with XDK and .net installed on the pc.
and you cant really use etm maker. you have to get a blank or type it all out by hand.
biggieandmoe
08-19-2005, 03:34 PM
well most trainer makers dont use telnet to connect to debug. we use a debug bios with XDK and .net installed on the pc.
and you cant really use etm maker. you have to get a blank or type it all out by hand.
Yeah I figured that out. That's why you guys can find things easier than using telnet. But hey I'll just do trainers during vacations now cuz school is starting for me and I won't have any time.
matitoja
08-25-2005, 04:41 AM
Is there a tutorial where I can hack health bars etc. ?
sehlah
09-17-2005, 10:40 PM
Any chance you could get a bit more specific on fixing that?
I was using ida pro this morning & it shows everything fine.
Close it, come back a couple hours later & it's doing exactly what you're talking about.
I can right-click & hit code to see it, but even then it doesn't appear the same as before. It skips some lines, others appear that I didn't see the first time around... Like you said, really annoying.
jlowery7
09-26-2005, 12:57 PM
I would like to be able to add weapons to a game from the getgo. I understand about how to search values for things like money, etc. But the only way i can think to search for whether or not you have a particular weapon is to search for a "0" before you have it, search for a "1" after you get it, and die so you dont have it again and search for a "0". But this would result in a crapload of checks. Anyone have another way to do this?
RoBoZeO
09-26-2005, 02:22 PM
I would like to be able to add weapons to a game from the getgo. I understand about how to search values for things like money, etc. But the only way i can think to search for whether or not you have a particular weapon is to search for a "0" before you have it, search for a "1" after you get it, and die so you dont have it again and search for a "0". But this would result in a crapload of checks. Anyone have another way to do this?
well u can also try Has not Changed.
and also only try Integers 1 2 4's
most of the other stuff wont be used
jlowery7
10-08-2005, 07:54 PM
I looked for this for a while. Pretty invaluable for newbies learning to train .. like me. :)
shade45
10-11-2005, 10:08 AM
Most of the links for those tutorials aren't working
biggieandmoe
10-12-2005, 04:32 PM
Most of the links for those tutorials aren't working
Yes. They are not. For the second and third tut by dootdoo, they don't work, other than that, all of the other links work. I had the second tut but deleted it by accident. I got it from the evox website long time ago. Until someone posts the tuts again, we shall have to wait.
Platty
10-13-2005, 03:10 AM
Yeah if someone could please repost the tuts it would be appreciated.
Thanks
Platty
Tormentor
10-14-2005, 05:27 PM
Hi there.
If some kind or evil soul would point me how to search for floating values i would be very very grateful.
I know there is a tutorial(made by xor) posted but it
makes no sense for a newbie like myself. :p
I dont know how many times i read the floating value part but i just dont get it. :(
biggieandmoe
10-16-2005, 07:36 PM
Hi there.
If some kind or evil soul would point me how to search for floating values i would be very very grateful.
I know there is a tutorial(made by xor) posted but it
makes no sense for a newbie like myself. :p
I dont know how many times i read the floating value part but i just dont get it. :(
Don't worry, I didn't understand either. But this hasn't worked for me yet, but search 17096 when you have 100% health and 0 when you are dead. Thanks to FNG for pointing that out.
Tormentor
10-16-2005, 10:53 PM
Thank you.Will try this when i get home.
dyln_murphy
10-17-2005, 06:45 AM
Yes. They are not. For the second and third tut by dootdoo, they don't work, other than that, all of the other links work. I had the second tut but deleted it by accident. I got it from the evox website long time ago. Until someone posts the tuts again, we shall have to wait.
How is everybody?
Anyways i was surfing around for a while looking for the 1st, 2nd and 3rd tutorials, and i came across this site that still had the tutorials, here's the link.
http://forums.afterdawn.com/thread_view.cfm/1/194930
Hope that helps.
:)
biggieandmoe
10-17-2005, 04:42 PM
How is everybody?
Anyways i was surfing around for a while looking for the 1st, 2nd and 3rd tutorials, and i came across this site that still had the tutorials, here's the link.
http://forums.afterdawn.com/thread_view.cfm/1/194930
Hope that helps.
:)
thanks a lot. been looking for the second tut.
elite noob
10-24-2005, 01:40 PM
in splinter cell:CT how would you find solidity of an object, cause bodies can go into water so maybe you can turn into water and go through walls, but water sits on and around a solid so maybe that wouldn't work, but how could you find solidity of an object
AoshichanX
10-26-2005, 02:13 AM
I couldn't wait any longer for a trainer to be released for Battlefield 2 Modern Combat so I tried fiddling on my own. I downloaded all the great tutorials from these forums, and I began to search for values.
I got ett 1.2, loaded my game, and connected via telnet successfully. However, when I search for a value, I get this:
Connected to RemoteX Debuger
Game Freezed
Storing Value, Please Wait
I waited a couple minutes....I get nothing after that. How long does it take to store a value? I am guessing not long...if so, any ideas why my xbox freezes after this? I can't unfreeze it either.
Thanks!
weevil
11-07-2005, 10:25 PM
would like for someone to clarify what this is actually telling me to do...
If you see in the memory address said: cmp word ptr [eax], 0 , ok, the breakpoint is the last line, in this case 0013b579: dec word ptr [eax]
I guess you know something about ASM, but i explain it quickly: cmp word ptr [eax], 0 -> Compare 0 with the word value in EAX register (2 bytes).
dec word ptr [eax] -> Decrement in 1 point the value 2 bytes (word value) in EAX register
EAX? What value have EAX? You can see this in ETT, EAX -> 004954e4
Remember this memory address? Yes, is the memory address that have your blue potions number, for this, if you read the code the line dec word ptr [eax] is decrementing the EAX value in 1 point. In the game if you use a potion, this line decrement 1 point, and the next line compare if you have at least 1 potion (this is made for quit the item in the inventory menu).
Lets go to patch it, look in HEX label in IDA PRO, for see how bytes are the instruction:
In this case is 66 FF 08, 3 bytes -> Reboot the XBOX, and launch the game, connect again using ETT and poke the memory address, 0013b579, with value 90, poke the next byte 0013b57a with value 90 and the next memory address 0013b57b with value 90.
any help would be great :)
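What the quoted tutorial step amounts to, as an added Python example (not from the tutorial or from any poster): confirm that the three bytes at 0013b579 are still 66 FF 08, overwrite each with 90, and run a tiny model of the routine before and after. Only the address 0013b579, the bytes 66 FF 08 and the EAX value 004954e4 come from the post; the code image, the filler bytes and all function names are constructed.

```python
"""NOP-out patch with old-byte verification (added example; the image is constructed)."""

NOP = 0x90                               # one-byte x86 instruction that does nothing
DEC_ADDR = 0x0013B579                    # address quoted in the post
DEC_BYTES = bytes.fromhex("66ff08")      # dec word ptr [eax]
CMP_BYTES = bytes.fromhex("66833800")    # cmp word ptr [eax], 0
POTIONS = 0x004954E4                     # EAX value quoted in the post

# Constructed code image: 9 filler bytes, then the two instructions.
BASE = DEC_ADDR - 9
SAMPLE = bytes([0xCC] * 9) + DEC_BYTES + CMP_BYTES


class PatchError(Exception):
    """The bytes in memory are not the ones this code knows how to handle."""


def is_patchable(image, base, addr, expected):
    """True if `expected` is exactly what sits at `addr` in the image."""
    off = addr - base
    return (0 <= off and off + len(expected) <= len(image)
            and bytes(image[off:off + len(expected)]) == bytes(expected))


def nop_out(image, base, addr, expected):
    """Overwrite the whole instruction at `addr` with NOPs.

    Returns one (address, old_byte, new_byte) row per poke. Raises PatchError
    and leaves the image untouched if the old bytes differ, for example on a
    different build or region of the game.
    """
    if not is_patchable(image, base, addr, expected):
        raise PatchError(f"bytes at {addr:08X} are not {bytes(expected).hex()}")
    rows = []
    for i, old in enumerate(expected):
        image[addr - base + i] = NOP
        rows.append((addr + i, old, NOP))
    return rows


def undo(image, base, rows):
    """Put the original bytes back using the recorded old values."""
    for addr, old, _new in rows:
        image[addr - base] = old


def format_rows(rows):
    """Render rows as 'ADDRESS OLD NEW' text lines."""
    return [f"{addr:08X} {old:02X} {new:02X}" for addr, old, new in rows]


def run(image, base, start, mem, eax):
    """Model of the routine: understands only the three encodings used here.

    mem maps an address to a 16-bit word; returns True if the last cmp
    found the word equal to its immediate operand.
    """
    pc, equal = start, None
    while pc < base + len(image):
        chunk = bytes(image[pc - base:pc - base + 4])
        if chunk[0] == NOP:
            pc += 1
        elif chunk[:3] == DEC_BYTES:
            mem[eax] = (mem[eax] - 1) & 0xFFFF
            pc += 3
        elif chunk[:3] == CMP_BYTES[:3]:
            equal = mem[eax] == chunk[3]
            pc += 4
        else:
            raise PatchError(f"cannot decode byte {chunk[0]:02X} at {pc:08X}")
    return equal


def demo():
    """Use one potion before and after the patch; return both counts and the pokes."""
    image = bytearray(SAMPLE)
    mem = {POTIONS: 5}
    run(image, BASE, DEC_ADDR, mem, POTIONS)
    before = mem[POTIONS]
    rows = nop_out(image, BASE, DEC_ADDR, DEC_BYTES)
    mem[POTIONS] = 5
    run(image, BASE, DEC_ADDR, mem, POTIONS)
    return before, mem[POTIONS], rows


if __name__ == "__main__":
    before, after, rows = demo()
    print("potions after use, unpatched:", before)
    print("potions after use, patched  :", after)
    print("\n".join(format_rows(rows)))
```

All three bytes have to be replaced because together they form one instruction; the old-byte check is what stops the same pokes from landing in the middle of unrelated code when the game image differs.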
bubbrock316
11-10-2005, 04:06 PM
I'm having a little trouble relating what's in the tutorials to what I want to try to do.
In Madden 06 there are a few menu options that are grayed out under certain conditions. I want to try to poke the addresses and see if I can keep them selectable under those conditions. And then see if they stay functional, or if further training is needed.
What I'm having trouble with is, these aren't really values that would change from what I can see. Unless they changed when grayed out, which brings me to my next problem. The menu labels for these are text based like R Elbow, L Wrist, Attributes. I'm just a little confused on what the best way to find those values would be. If I would just search normally using those label titles or what?
Any help on this is greatly appreciated. As you can tell, I'm a total newb at this. But I'm trying to learn so I can at least attempt what I want to do.
weevil
11-14-2005, 10:29 AM
i would like someone to fully explain in a tutorial how to use xdkassist and artmoney in conjunction with each other assuming you can connect with it also explaining that if you get 011b1738 integer 4 byte as a memory location what do you do with that next ?
weevil
:)
thatguy2001
11-16-2005, 11:34 PM
I am actually in the process of writing a simple to follow tutorial. But instead of using XDKAssist I am using xbxmdump.exe which basically does the same thing, and instead of using Artmoney I am using TSearch.
I should have it ready over the weekend.
matthew
11-19-2005, 03:46 AM
where can i download tsearch from
dirksteelca
11-20-2005, 02:38 PM
Just wanted to say a quick thank you to all the people that make the trainers! I don't know the first thing about making them, so this is great! It's so much fun when after you beat a game without cheats, that you can go through again with the trainers and just have fun. Thanks again!
mikerowesoft
11-22-2005, 02:49 AM
I need everyone to take a minute and read this thread. Do not post to it, just read. Thank you all so much for your time and effort.
http://forums.maxconsole.net/showthread.php?t=12743
Deerpark
12-05-2005, 02:34 PM
In Evox's debug TSR, once a break point is reached what is the easiest way to find the address of the subroutine's caller? I know it's on the stack but how do I look at the stack? Thanks.
dootdoo
12-10-2005, 03:56 AM
In Evox's debug TSR, once a break point is reached what is the easiest way to find the address of the subroutine's caller? I know it's on the stack but how do I look at the stack? Thanks.
From my recollection (it's been a while), the TSR doesn't show you esp's address. If it DOES, then a db address would show you what is on the stack.
If you were really in need of finding esp I can think of a slow and painful way to get it. Basically set a bpx wherever you wanted to get esp, and then you could change the op directly in front of it to move esp into eax, and then view the stack to find the address you are looking for, then either fix the instruction, or reboot and go at it again.
If I misunderstood your question, please repost a clarification :)
Deerpark
12-10-2005, 07:18 PM
Thanks Dootdoo. You're a saint. You answered my question perfectly. I was actually already considering writing a small program to change the op and then fix it automatically. I'll let you know once I make some progress.
stevewassy
12-16-2005, 12:43 PM
Hi, just a quick question: I have a game that has godmode in txt. Is there a way of getting this to enable? Also, are there any tuts on using xdkassas? I get an addy for ammo and can change it in game, but it does not seem to be the right addy. How do I trace this?
.text:00038FC7 lea ecx, [esp+24h+var_18]
.text:00038FCB mov [esp+24h+var_4], edi
.text:00038FCF call sub_216A0
.text:00038FD4 push offset aGodmode_on ; "GODMODE_ON"
.text:00038FD9 lea ecx, [esp+28h+var_18]
.text:00038FDD call sub_22650
.text:00038FE2 mov ecx, [esi+30h]
.text:00038FE5 push 0
.text:00038FE7 lea eax, [esp+28h+var_18]
.text:00038FEB push eax
.text:00038FEC mov [esp+2Ch+var_4], 16h
.text:00038FF4 call sub_23BCA0
.text:00038FF9 lea ecx, [esp+24h+var_18]
.text:00038FFD mov [esp+24h+var_4], edi
.text:00039001 call sub_216A0
.text:00039006 push offset aGodmode_off ; "GODMODE_OFF"
.text:0003900B lea ecx, [esp+28h+var_18]
.text:0003900F call sub_22650
.text:00039014 mov ecx, [esi+30h]
.text:00039017 push 3F800000h
.text:0003901C lea edx, [esp+28h+var_18]
.text:00039020 push edx
.text:00039021 mov [esp+2Ch+var_4], 17h
any help appreciated thx
8ball
12-17-2005, 12:18 AM
Hello everyone,
I've got a question and it probably has been asked, but I have been working on some trainers. Some I have no problem with making the trainer. Baldur's Gate DA2, Frontline, so on and so forth. The relatively simple ones to get myself going with a little knowledge. But some games lock up when they start with TSR on debug; I have one that starts then locks up when you go to play, others I just can't connect. The game plays but I can't use ett to telnet. I have tried to different patches to see if they would work, to no avail. What can I do or use to work around this? I have plenty of time to learn. I'm disabled and have the time to try and invest to help out the scene. Like I said I have created a few trainers and worked on a few more. Maybe just a little shove in the right direction, but not too hard.
Any help would be greatly appreciated and hopefully afterwards I would be able to help others!
8ball
stevewassy
12-28-2005, 02:30 PM
Hi, just a quick question: I have a game that has godmode in txt. Is there a way of getting this to enable? Also, are there any tuts on using xdkassas? I get an addy for ammo and can change it in game, but it does not seem to be the right addy. How do I trace this?
.text:00038FC7 lea ecx, [esp+24h+var_18]
.text:00038FCB mov [esp+24h+var_4], edi
.text:00038FCF call sub_216A0
.text:00038FD4 push offset aGodmode_on ; "GODMODE_ON"
.text:00038FD9 lea ecx, [esp+28h+var_18]
.text:00038FDD call sub_22650
.text:00038FE2 mov ecx, [esi+30h]
.text:00038FE5 push 0
.text:00038FE7 lea eax, [esp+28h+var_18]
.text:00038FEB push eax
.text:00038FEC mov [esp+2Ch+var_4], 16h
.text:00038FF4 call sub_23BCA0
.text:00038FF9 lea ecx, [esp+24h+var_18]
.text:00038FFD mov [esp+24h+var_4], edi
.text:00039001 call sub_216A0
.text:00039006 push offset aGodmode_off ; "GODMODE_OFF"
.text:0003900B lea ecx, [esp+28h+var_18]
.text:0003900F call sub_22650
.text:00039014 mov ecx, [esi+30h]
.text:00039017 push 3F800000h
.text:0003901C lea edx, [esp+28h+var_18]
.text:00039020 push edx
.text:00039021 mov [esp+2Ch+var_4], 17h
any help appreciated thx
Been trying xdkass. The addys that show up in the window, what are these? I really want to start making trainers as I think you guys are great, thx.
8ball
01-11-2006, 06:06 PM
Can anyone say where to get xbxmdump!
8ball
01-13-2006, 07:45 PM
How about a better tool, what does everyone use? I think i have everything but this program! Just trying to go by a tutorial, to learn this stuff.
Platty
01-13-2006, 09:32 PM
Can anyone say where to get xbxmdump!
http://trainers.maxconsole.net/index.php?dlid=314
Platty
8ball
01-14-2006, 10:36 AM
I searched forums I know, but guess forgot to search there, oh well. Anyhow Greatly appreciate you taking the time to respond to my question.
8ball
01-18-2006, 07:21 PM
Has anyone had the problem where in Tsearch the first search has results but search next always has 0 results, no matter what I do!
pseudodragon
01-31-2006, 03:44 PM
Just began with training yesterday following the BGII Tutorial. No problems making a trainer for the game following the directions. A question on the side though, is there any way to set a value with a trainer (example: setting Strength defaulted to 250 instead of 12, etc.)? I can of course accomplish it with poke, but that kind of defeats the purpose of trainer making. Sorry if this has been asked before, I did not see a post or tutorial on it.
For those looking for Flirt, I found it here if it helps:
http://www.yates2k.net/xbox/xbox_flirt2.rar
Flirt Signature Xbox 2.0 Final
thx, Pseudodragon
TheSchonk
02-13-2006, 09:36 PM
In the trainer guide it says (now in IDA pro, click the VIEW-ASM tab, then go to the jump menu, select jump address and type in 0002a261.) but where is the VIEW-ASM tab in version 4.9? I'm new to all this as of today.
biggieandmoe
02-13-2006, 11:07 PM
In the trainer guide it says (now in IDA pro, click the VIEW-ASM tab, then go to the jump menu, select jump address and type in 0002a261.) but where is the VIEW-ASM tab in version 4.9? I'm new to all this as of today.
just the main window with addresses and op codes like suc, add, xor and others.
TheSchonk
02-14-2006, 11:55 AM
I have the demo version and .xbe xbox executable is not selectable. So which disassembly data base do I use or do I need the non demo version?
TheSchonk
02-14-2006, 08:04 PM
What are op codes, suc, add, xor and others? I recently got the freeware version of IDA and there is an option called create asm file. Is that what I am supposed to select? If someone could walk me through this that would be awesome. If this helps, I opened up IDA and selected new (disassemble a new file). Then I opened up the .exe file that I exported from the .xbe in CXBX, and this is how far I have gotten.
GLiTcH
03-07-2006, 05:20 PM
I'm trying to learn how to make trainers. I need to know what is the best BIOS to use when doing this?
szalay
03-24-2006, 05:09 PM
Do you already know which BIOS is the best?
Because I've tried these BIOSes:
x3_3108
x2_5035
Yoshihiro_K2005-final
cromwell
M7
M8
etc..
with no luck, can't connect while running the game, except ETT.
Any idea?
thanks in advance .
mlawson3
04-21-2006, 01:37 AM
How bout a video tutorial, so process can be seen from start to finish, TXT guides can be a bit confusing at times. :cool:
NScandaliato
05-14-2006, 09:09 PM
I am trying to create some trainers and I am following the guides. I have one question though. When I load the game from evox, I can no longer telnet or even ping my xbox's ip. Can someone help?
glecas
05-25-2006, 03:52 PM
Hi, I've been reading the tutorials (those whose links aren't dead)... I'm using telnet, Xdebugger and also the EvolutionX Trainer Maker 1.1.
But when making the trainer I can only add cheats which activate when the game starts...
How do I create IGK!? :confused:
peanutinky
06-10-2006, 12:48 AM
Can a trainer that is already finished be edited? I found that the Halo 2 trainers work in campaign mode, but there are areas that I can't get to, like where to get the scarab gun. I was wanting to make it have 4x the jump height. Is this possible, and how?
cali_lover_49
06-30-2006, 06:57 PM
If anyone could lend me their IDA Pro I'll be happy to start training games. Send to cali_lover_49@yahoo.ca, be happy to start helping... PS. Team XORED rocks :) :)
Andy Parka
07-05-2006, 10:17 PM
:o Could someone pls make a noobs guide to trainer making :confused:, outlining everything. I'm 'very' :eek: new to programming and computing languages 'n' stuff and would love :) to learn.
PS. If an example game is used could it pls be Halo 2.:cool:
pps. if you need to contact me my email and msn is andy_parka@hotmail.com
thanx in advance
Vastlee
08-04-2006, 12:48 AM
I'm doing my best to get going on this, but I'm still unable to connect to my Xbox while a game is running. I can connect fine at the menu, but once a game starts, no go. Here's a copy of my evox.ini could someone tell me where I'm going wrong please?
[Misc]
AutoLaunchGames = No
AutoLaunchDVD = No
DVDPlayer = "f:\apps\dvd2.0\default.xbe"
AutoLaunchAudio = No
#AudioPlayer = "c:\evoxdash.xbe"
MSDashBoard = "c:\evoxdash.xbe"
UseFDrive = Yes
UseGDrive = Yes
SkinName = Original
#SkinName = RuDeDuDe2
UseItems = No
ScreenSaver = 5
Fahrenheit = No
ShadeLevel = 90
EnableSMART = Yes
HDD_Temp_ID = 194
ChameleonLed = 15
TSR_Type = 2
IGR = No
GameRegion = 2
[Network]
SetupNetwork = Yes
StaticIP = Yes
Ip = 192.168.1.102
Subnetmask = 255.255.255.0
Defaultgateway = 192.168.1.1
DNS1 = 24.116.2.34
DNS2 = 24.116.2.38
SetupDelay = 0
SkipIfNoLink = No
[Clock]
JumpToMsDash = No
JumpIfNoLink = Yes
Use24 = Yes
SwapDate = No
SNTP_Server = 0.0.0.0
[FTP]
Enable = Yes
Password = xbox
[Telnet]
Enable = Yes
[RDTOOLS]
Enable = Yes
Name = XBOX_V1.0
[BIOS]
#
ROM = "EvoX 2.0",0x76fd88337b8d8c1f116f85f3984b98b6
ROM = "EvoX 2.1",0x99487615bb30670cb65993388fcf2a63
ROM = "EvoX 2.2",0x220ade778785cfc3c98bb5ea8bbd8608
ROM = "EvoX 2.3",0xd79bc87c2caa1a50dcc7016adf2ccc0a
ROM = "EvoX 2.4",0xe3ce66b99957a92fdac40af951c3f1fd
#
Flash = 0x01d5,"AMD - Am29F080B",0x100000
Flash = 0x04d5,"FUJITSU - MBM29F080A",0x100000
Flash = 0xadd5,"Hynix - HY29F080",0x100000
Flash = 0x20f1,"ST - M29F080A",0x100000
Flash = 0xbf61,"SST - 49LF020",0x40000
#Flash = 0x378c,"AMIC - A29002",0x40000
Current = 0x51d34b730cfe0f8f79d0476a6f15c119
[Skin_Original]
#
# <Time> =
# <IP> =
# <Name>
# <Version>
# <CD>
# <BIOSVer>
# <KernelVer>
# <RDName>
# <SpaceC>
# <SpaceE>
# <SpaceF>
# <SpaceX>
# <SpaceY>
# <SpaceZ>
#
Text = 30,37,0.5,0x000000,0,"<Time>"
Text = 28,39,0.5,0x808080,0,"<Time>"
Text = 620,420,0.5,0x000000,1,"<Name> V<Version>"
Text = 618,422,0.5,0x808080,1,"<Name> V<Version>"
Text = 620,37,0.5,0x000000,1,"<CD>"
Text = 618,39,0.5,0x808080,1,"<CD>"
Text = 30,420,0.5,0x000000,0,"RD Name : <RDName>"
Text = 28,422,0.5,0x808080,0,"RD Name : <RDName>"
LogoType= 0
[Menu]
Section "Root"
{
Item "Launch DVD",ID_Launch_DVD
Item "Trainers",ID_trainer
Item "MS Dashboard",ID_MS_Dash
Item "Reboot",ID_Quick_Reboot
# Item "Power Cycle",ID_Full_Reboot
Item "Power Off",ID_Power_Off
# Item "Lock Harddisk",@210
# Item "Unlock Harddisk",@211
Section "System Utils"
{
Item "Settings",ID_Settings
Item "Flash BIOS",ID_Flash_Bios
Item "Backup",ID_Backup
Item "Skins",ID_Skins
}
Section "Launch Menu"
{
Section "Games"
{
AutoAddItem "e:\games\"
AutoAddItem "f:\games\"
SortAll
}
Section "Apps"
{
AutoAddItem "e:\apps\"
AutoAddItem "f:\apps\"
SortAll
}
}
}
[Action_10]
LogFile = "f:\lock.log"
Info "This function will lock your XBOX Harddisk"
Warning "You will now lock your XBOX harddisk and will be able"
Warning "to boot from an original XBOX bios"
#
hddlockenable
[Action_11]
LogFile = "f:\unlock.log"
Info "This function will unlock your XBOX Harddisk"
Warning "You will now unlock your XBOX harddisk and will not be able"
Warning "to boot from an original XBOX bios"
#
biggieandmoe
08-04-2006, 11:59 AM
the game is most likely a xbox live game. if it is, then you need the xboxlivefix. it won't work for all games though
Vastlee
08-04-2006, 07:15 PM
I've tried to find this patcher in the downloads section of this site but been unable to. Could you be more specific?
Btw, I think you are correct. NCAA 07 is the game I'm trying so I'm sure it's an Xbox live game
biggieandmoe
08-05-2006, 03:05 AM
I've tried to find this patcher in the downloads section of this site but been unable to. Could you be more specific?
Btw, I think you are correct. NCAA 07 is the game I'm trying so I'm sure it's an Xbox live game
The archive isn't really complete. Anyway, here is the link http://forums.maxconsole.net/showthread.php?t=2832
If it doesn't work, then you can't use telnet and need to use a debug bios or xdk launcher
Vastlee
08-05-2006, 08:38 AM
Thanks biggie, I'll try that.
Gamer808
08-08-2006, 12:57 PM
I can telnet into UFC Tapout2, i can freeze and unfreeze but when i do a value search it freezes. Any ideas ? Also is there a auto installer that turns ur xbox into a debug xbox ? If so is it in the usual places and what is it called?
biggieandmoe
08-09-2006, 06:39 PM
I can telnet into UFC Tapout2, i can freeze and unfreeze but when i do a value search it freezes. Any ideas ? Also is there a auto installer that turns ur xbox into a debug xbox ? If so is it in the usual places and what is it called?
i think it is called xbox debug installer. No idea if it is in the usual places.
Hack0r
09-03-2006, 09:09 PM
I got it (debug installer), if you need it.
biggieandmoe
09-03-2006, 09:50 PM
I got it (debug installer), if you need it.
Yup Yup, thank you Hack0r. Works perfectly :)
slayer410
10-12-2006, 09:39 PM
Does anyone have ArtMoney SE 7.15 English? I need it to connect to my xbox while in debug...
stevewassy
10-16-2006, 12:37 PM
Hi can anyone tell me if there is any tuts for using this in conjunction with vs.net & artmoney any help appreciated thx.
biggieandmoe
10-16-2006, 06:42 PM
Hi can anyone tell me if there is any tuts for using this in conjunction with vs.net & artmoney any help appreciated thx.
Hack0r's tutorial. Well the second one. Also look for a thread by xbman with info for using vs.net
zucrilhos
04-24-2007, 09:37 AM
thanx !!!!!!!
Who_U
07-02-2009, 10:44 PM
TMNT hangs after you do a break point (At least it does for me) so just reboot your system
(type reset in the telnet window) or turn the xbox on and off and reload TMNT, and reconnect
with telnet.
now in IDA pro, click the VIEW-ASM tab, then go to the jump menu, select jump address
and type in 0002a261.
.text:0002A250 arg_0 = dword ptr 4
.text:0002A250
.text:0002A250 mov eax, dword_2AA8E0
.text:0002A255 mov edx, [eax+24h]
.text:0002A258 mov ecx, [esp+arg_0]
.text:0002A25C sub edx, ecx
.text:0002A25E mov [eax+24h], edx
.text:0002A261 retn
.text:0002A261 sub_2A250 endp
Look at the instruction before the break, they are moving the value in edx to some memory
location, this is whats updating the value we see on the screen. So where does this edx
value come from?
If you look at the line above that:
.text:0002A25C sub edx, ecx
This means: edx = edx - ecx
Where do I find the VIEW-ASM tab? Is this in IDA Pro 5.3? Where can I find something similar in w32dasm?
cheers
PS. Also, I am trying to make a trainer for Harry Potter 2: CoS, and when I try to find the breakpoint #, I can find the number in the box, but after it, all it says is "push 3F000000h"?
What have I done wrong????
ayane123
11-22-2010, 03:49 AM
How to make IGK 4 trainer i made-- any info would be good
acidflash
11-30-2010, 12:54 PM
How to make IGK 4 trainer i made-- any info would be good
What game? I would also need your trainer + compile (make.bat stuff)...
ayane123
12-03-2010, 11:11 PM
can u explain wht should i do--dont wanna hold u buzy with me . i download those files xbtf convertr and
frooger+bat files example i found but i still dont know how to make my own bat --i got file called ofsets IGK
how to make use of it
sry 4 all yr trobl
acidflash
12-04-2010, 05:56 AM
can u explain wht should i do--dont wanna hold u buzy with me . i download those files xbtf convertr and
frooger+bat files example i found but i still dont know how to make my own bat --i got file called ofsets IGK
how to make use of it
sry 4 all yr trobl
Here are the IGK's:
13 combo's total..
RIGHT THUMB + DPAD:
UP 010151h <-- used in below example
DOWN 010152h
LEFT 010153h
RIGHT 010154h
LEFT THUMB + DPAD:
UP 010155h
DOWN 010156h
LEFT 010157h
RIGHT 010158h
RTHUMB + LTHUMB: 010159h
LTHUMB + BACK : 01015Ah
LTHUMB + START : 01015Bh
RTHUMB + BACK : 01015Ch
RTHUMB + START : 01015Dh
Here is how to tell if an IGK has been toggled:
cmp byte ptr ds:[010151h], 1 ; RTHUMB+DPAD-UP on? (1 on 0 off)
je do_something ; placeholder label: jump to your own handler when the combo is on
make sure you find where to hook the IGKs in. (look at HOOKIGK)
if you send me what code you are working on I will look at it.
-acidflash / XORED
ayane123
12-04-2010, 11:11 PM
i will show you my ASM as soon as i get home-- but when u say hook Igk did u mean i open my asm
-file created by evoTrainerMaker- and add those adreeses --wht should i do aftr-- Thnks 4:D
ayane123
12-05-2010, 03:42 AM
; /////////////////////////////////////////////////////////
; // Produced by Easy EvoX Trainer Maker v1.0 by DanShUK //
; /////////////////////////////////////////////////////////
; // Trainer Title: Baldur's Gate Dark Alliance+6
; // Title ID: 5655001A
; // Date: 12/5/2010 12:30:10 PM
; /////////////////////////////////////////////////////////
.586p
Code segment use32
org 0
dd offset End_of_file
dw 1 ; Version
dd End_of_header ; Size of header
dd offset Selections
dd offset Selections_Text
dd offset ID_List
dd offset Entry
dd 0 ; Res1
dd 0 ; Res2
db 0 ; Master Enable
End_of_header equ $
; ////////////////////////////////////////////////////////////
; // THIS IS THE CODE THAT WILL BE EXECUTED BEFORE THE GAME //
; ////////////////////////////////////////////////////////////
Entry:
; // CHECK THE XBE TIME AND DATE (VERSION CHECK)
mov edi, 010114h
cmp dword ptr [edi], 03D7809EBh
jne EndZone
; // CLEAR DIRECTION FLAG (FOR STORING PATCH)
cld
; // CHECK THAT TRAINER ITEM "Mx Money" IS ENABLED
cmp [Sel_MxMoney+ebp], 0
je Jmp_PastMxMoney
; // IT IS ENABLED IF WE REACH HERE SO APPLY PATCH
mov edi, 00007865Bh
mov al, 001h
stosb
Jmp_PastMxMoney:
; // CHECK THAT TRAINER ITEM "Inf Red P" IS ENABLED
cmp [Sel_InfRedP+ebp], 0
je Jmp_PastInfRedP
; // IT IS ENABLED IF WE REACH HERE SO APPLY PATCH
mov edi, 0000AEF95h
mov al, 090h
stosb
stosb
stosb
Jmp_PastInfRedP:
; // CHECK THAT TRAINER ITEM "Inf Blue p" IS ENABLED
cmp [Sel_InfBluep+ebp], 0
je Jmp_PastInfBluep
; // IT IS ENABLED IF WE REACH HERE SO APPLY PATCH
mov edi, 0000AED54h
mov al, 090h
stosb
stosb
stosb
Jmp_PastInfBluep:
; // CHECK THAT TRAINER ITEM "Inf Recall" IS ENABLED
cmp [Sel_InfRecall+ebp], 0
je Jmp_PastInfRecall
; // IT IS ENABLED IF WE REACH HERE SO APPLY PATCH
mov edi, 0000622D8h
mov al, 090h
stosb
stosb
stosb
stosb
stosb
stosb
stosb
stosb
Jmp_PastInfRecall:
; // CHECK THAT TRAINER ITEM "Inf Items" IS ENABLED
cmp [Sel_InfItems+ebp], 0
je Jmp_PastInfItems
; // IT IS ENABLED IF WE REACH HERE SO APPLY PATCH
mov edi, 00007B458h
mov al, 090h
stosb
stosb
stosb
stosb
Jmp_PastInfItems:
; // CHECK THAT TRAINER ITEM "Can Have Any Skill" IS ENABLED
cmp [Sel_CanHaySkill+ebp], 0
je Jmp_PastCanHaySkill
; // IT IS ENABLED IF WE REACH HERE SO APPLY PATCH
mov edi, 0000C6534h
mov al, 090h
stosb
stosb
stosb
stosb
stosb
stosb
Jmp_PastCanHaySkill:
EndZone:
ret
; /////////////////////////////////////////////////////////////////////////
; // THIS IS THE END OF THE CODE THAT WILL BE EXECUTED, THE REST IS DATA //
; /////////////////////////////////////////////////////////////////////////
ID_List label dword
dd 05655001Ah
dd 0
Selections label byte
Sel_MxMoney db 0
Sel_InfRedP db 0
Sel_InfBluep db 0
Sel_InfRecall db 0
Sel_InfItems db 0
Sel_CanHaySkill db 0
Selections_Text label byte
dd offset Text_Menu
dd offset Text_Info
dd offset Txt_MxMoney
dd offset Txt_InfRedP
dd offset Txt_InfBluep
dd offset Txt_InfRecall
dd offset Txt_InfItems
dd offset Txt_CanHaySkill
dd 0
Text_Menu db "Baldur's Gate Dark Alliance+6", 0 ; double quotes so the apostrophe does not end the string
Text_Info db 'Made By ayane', 0
db 0
Txt_MxMoney db 'Mx Money', 0
Txt_InfRedP db 'Inf Red P', 0
Txt_InfBluep db 'Inf Blue p', 0
Txt_InfRecall db 'Inf Recall', 0
Txt_InfItems db 'Inf Items', 0
Txt_CanHaySkill db 'Can Have Any Skill', 0
End_of_file equ $
Code ends
end
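A bounds-checked reader for the header layout shown in the listing above, as an added example that is not part of the original post or of Easy EvoX Trainer Maker. It assumes the assembled output is the raw segment (so the org 0 offsets are file offsets) and little-endian dwords; the function names and the sample blob are constructed for illustration.

```python
import struct

# Header fields in listing order: dd, dw, then seven dd, then db (35 bytes).
HEADER = struct.Struct("<IH7IB")
FIELDS = ("file_size", "version", "header_size", "selections",
          "selections_text", "id_list", "entry", "res1", "res2", "master_enable")

class TrainerFormatError(ValueError):
    """Raised when a field points outside the file or a list is unterminated."""

def read_dword_list(blob, off, limit=64):
    """Read dwords up to the terminating 0 without running past the file."""
    values = []
    while len(values) <= limit:
        if off + 4 > len(blob):
            raise TrainerFormatError(f"dword list runs off the file at {off:#x}")
        (value,) = struct.unpack_from("<I", blob, off)
        if value == 0:
            return values
        values.append(value)
        off += 4
    raise TrainerFormatError("dword list has no terminator")

def read_cstring(blob, off):
    """Read a NUL-terminated string; the pointer must land inside the file."""
    end = blob.find(b"\0", off) if off < len(blob) else -1
    if end < 0:
        raise TrainerFormatError(f"bad string pointer {off:#x}")
    return blob[off:end].decode("latin-1")

def parse_trainer(blob):
    if len(blob) < HEADER.size:
        raise TrainerFormatError("file is shorter than the header")
    hdr = dict(zip(FIELDS, HEADER.unpack_from(blob)))
    if hdr["file_size"] != len(blob) or hdr["header_size"] != HEADER.size:
        raise TrainerFormatError("size fields do not match the file")
    for name in ("selections", "selections_text", "id_list", "entry"):
        if not HEADER.size <= hdr[name] < len(blob):
            raise TrainerFormatError(f"{name} offset {hdr[name]:#x} is outside the file")
    texts = [read_cstring(blob, p) for p in read_dword_list(blob, hdr["selections_text"])]
    if len(texts) < 2:
        raise TrainerFormatError("text table lacks the menu and info entries")
    options = texts[2:]                      # entries after Text_Menu and Text_Info
    flags = blob[hdr["selections"]:hdr["selections"] + len(options)]
    if len(flags) != len(options):
        raise TrainerFormatError("selection bytes run off the file")
    return {"version": hdr["version"], "entry": hdr["entry"],
            "title_ids": read_dword_list(blob, hdr["id_list"]),
            "title": texts[0], "info": texts[1],
            "options": dict(zip(options, flags))}

def build_sample():
    """Constructed sample in the listing's order: code, ID list, selections, text."""
    strings = [b"Sample Game+2", b"Made by example", b"Mx Money", b"Inf Items"]
    code = b"\xC3"                           # Entry: a lone ret
    ids = struct.pack("<II", 0x5655001A, 0)  # title ID from the listing, then 0
    flags = bytes(len(strings) - 2)          # one enable byte per option, all off
    entry = HEADER.size
    id_list = entry + len(code)
    selections = id_list + len(ids)
    sel_text = selections + len(flags)
    pool_base = sel_text + 4 * (len(strings) + 1)
    pointers, pool = [], b""
    for s in strings:
        pointers.append(pool_base + len(pool))
        pool += s + b"\0"
    table = struct.pack(f"<{len(pointers) + 1}I", *pointers, 0)
    body = code + ids + flags + table + pool
    header = HEADER.pack(HEADER.size + len(body), 1, HEADER.size, selections,
                         sel_text, id_list, entry, 0, 0, 0)
    return header + body

if __name__ == "__main__":
    print(parse_trainer(build_sample()))
```

The number of options is taken from the text table (every entry after the menu title and info line), which matches the listing, where each Sel_ byte has one Txt_ string.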
acidflash
12-05-2010, 06:48 PM
what trainer options do you want to toggle on / off?
ayane123
12-05-2010, 10:48 PM
1- Mx money
2- Inf Items
Because Money -when u pick up in game it mx yr money but take another 1 worth 0 untile turn of xbox-load game dosent fix it
Itmes-- U cant drop them--if u have many in this game u cant carry any more:confused:
and in case u missed my other posts abot mashed>>here
Here u can get at 250 mb comparssd
here
http://xboxisozone.com/downloads/1332/Mashed.html
u can get it with sign up direct downlaod
hi -this my uploaded game -mediafier- here
1
http://www.mediafire.com/?wkd2k4c3hzr3v1f
2
http://www.mediafire.com/?95y52ykz9yyqafo
3
http://www.mediafire.com/?yaalt4w5jthnoh0
4
http://www.mediafire.com/?9qimr24ftx95nd6
5
http://www.mediafire.com/?zxtniua11kwr3ec
6
http://www.mediafire.com/?xzsan2qccingj2g
6 parts --sry 4 the troble
thnks
ayane123
12-05-2010, 10:58 PM
my mystake http://xboxisozone.com/ i ment without sign not with:p
etm xbtf dosnt matter
can u tell wht i do whn u say make bat---i do hv those files --make bat --i download from this sit but idea
how to use it does it convert etm files or asm files --because xbtf converter --says Raw>Xbtf-----:confused: not etm>Xbtf it cant convert etm 2 xbtf --i did use xbtf trainers but i nvr
did make 1
acidflash
12-06-2010, 11:26 AM
my mystake http://xboxisozone.com/ i ment without sign not with:p
etm xbtf dosnt matter
can u tell wht i do whn u say make bat---i do hv those files --make bat --i download from this sit but idea
how to use it does it convert etm files or asm files --because xbtf converter --says Raw>Xbtf-----:confused: not etm>Xbtf it cant convert etm 2 xbtf --i did use xbtf trainers but i nvr
did make 1
Am I working on Mashed (PAL)? or / Baldur's Gate Dark Alliance+6 ?
-acidflash / XORED
ayane123
12-06-2010, 03:13 PM
dont blame me --i was lookin 4 help and i found u--i used trainers that has yr nick on it^^
anyway i hv 2 problms
1 is easy --hope so -- 0-0- i made trainer balder gat 1 - and i want to know if adding igk is easy or not--u sayd hook igk but i hv no idea what that means---
2-this wht i really want--mashed pal trainer-- please*_^
1--just need info
2=mashed
dont do any search 4 baldr gate_-------
thnks 4 all ur help