Torchlight Part #1

Just like with Trine, the health of the player character is lowered / increased using the same function. This means if you make the player invulnerable, the enemies will also be invulnerable.

Now we could do the same as with Trine, allocate memory and then redirect the program flow to our injected memory. But I wanted to do something different, so for Torchlight I decided to use a code cave.

Basically this means that we look for a piece of unused memory that has already been allocated and use that to inject our code. Up until today I had never used a code cave for this purpose; to be honest, I never thought about using code caves for anything.

But it works, and it's "safe" (as safe as code injection can be). The only trick is to find a code cave big enough to fit the code that you want. Luckily Cheat Engine has a nice function which searches for code caves, including a desired size.

Torchlight had an additional fun factor which I had never played with before: both health and mana are stored as floating points. Now this in itself isn't something new, but I had never worked with floating point assembly instructions (at least not changed them).

The instruction for unlimited health was at 490649h (fstp dword ptr [esi+394]) and the two instructions for unlimited mana are at 490894h and 4908C3h (both fstp dword ptr [esi+3b8]).

All three instructions use fstp; the description for this instruction is "Copy ST(0) to m32fp and pop register stack". The last part causes an issue if you only nop the instruction. Not executing the instruction leaves the value on the register stack, so the stack is never popped, which caused several other issues in the game (including gfx errors and crashes).

To get around this issue you have to execute a "fstp st(0)" whenever you do not execute the original instruction. This causes the register stack to pop into nothingness.
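The stack imbalance described above, as an added example that is not code from the original post: a toy C model of the x87 register stack comparing the original store, a nop in its place, and fstp st(0). The damage routine, its "health - 1" update and all names here are assumptions made for illustration.

```c
#include <math.h>
#include <stdio.h>

/* Toy model of the x87 register stack (constructed for illustration):
   eight slots, a TOP index and a per-slot "in use" tag. */
typedef struct { float reg[8]; int used[8]; int top; int overflow; } X87;

static void pop(X87 *f) { f->used[f->top] = 0; f->top = (f->top + 1) & 7; }

/* fld: push. Loading into a slot that is still in use is a stack overflow;
   with the exception masked the FPU stores the QNaN "indefinite" instead. */
static void fld(X87 *f, float v) {
    f->top = (f->top + 7) & 7;
    if (f->used[f->top]) { f->overflow = 1; v = NAN; }
    f->reg[f->top] = v;
    f->used[f->top] = 1;
}

/* fstp dword ptr [mem]: store ST(0) to memory, then pop. */
static void fstp_mem(X87 *f, float *dst) { *dst = f->reg[f->top]; pop(f); }
/* fstp st(0): copy ST(0) onto itself, then pop, i.e. discard the value. */
static void fstp_st0(X87 *f) { pop(f); }
enum patch { ORIGINAL, NOPPED, DISCARD };

/* Hypothetical damage routine run `calls` times: push health - 1, then do
   whatever the patch left at the store. Returns the slots still occupied. */
static int run(enum patch p, int calls, float *health, int *overflow) {
    X87 f = {0};
    int depth = 0;
    for (int i = 0; i < calls; i++) {
        fld(&f, *health - 1.0f);
        if (p == ORIGINAL) fstp_mem(&f, health);
        else if (p == DISCARD) fstp_st0(&f);
        /* NOPPED: nothing pops, so one slot leaks per call */
    }
    for (int i = 0; i < 8; i++) depth += f.used[i];
    *overflow = f.overflow;
    return depth;
}

int main(void) {
    const char *name[] = { "original", "nopped", "fstp st(0)" };
    for (int p = ORIGINAL; p <= DISCARD; p++) {
        float hp = 100.0f; int ov;
        int depth = run((enum patch)p, 20, &hp, &ov);
        printf("%-10s hp=%.0f depth=%d overflow=%d\n", name[p], hp, depth, ov);
    }
    return 0;
}
```

With the nop, the eight slots fill after eight calls and the ninth load overflows, so later floating point results in unrelated code become NaN, which is consistent with the graphics errors and crashes mentioned above.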

As with Trine, we have to figure out how to identify the player. With Torchlight it's a bit easier than with Trine. There's a pointer to the Player structure at [[E2B6A4h]+1Ch], so we can use this in our code redirection to check whose health (or mana) is getting lowered.

In part #2 I'll show some assembly code which can be used (in the code cave) to accomplish exactly that. I have some code lying around but I want to play with it a bit more before releasing it.

Posted by: Da_Teach on Tuesday, January 19, 2010  •  Torchlight Codecave Cheat Engine
