CoSMOS Gamehacking Tool

First time user!

So I thought I'd give COSMOS a try on South Park: The Stick of Truth. After trial and error, I was able to locate three addresses that handle health.

1353D368 - Double
1353D2E8 - Double
19F08D28 - Float

All three change, but only the Float appears to update if I change the value. So woot to me! 😀

Now I assume the next step is a script that basically does the job of constantly inject the max HP value. I'm not sure how to do this. I have programming experience but I've never written trainer scripts. Could someone direct me to the correct documentation, or provide some guidelines?

Much appreciated.

Right click on the float address and select 'Find out what access' to find game code which accesses your health address in memory.

A window shows up and as soon as your health gets accesses, it will log the memory address of the function. If you found one, double click on it to jump to that adress in memory viewer.

Then right click on it and select 'Inject here'. Then you can choose between:

- offset injection. This requires that the function is located inside the a memory module (dll or game exe) and the injection is then based on the offset (base address of module + offset = injection point). Obviously as soon as the module changes due to a patch your injection script breaks. This method is kinda outdated nowadays.
- AOB (array of bytes) injection. This will try to find a unique byte pattern either inside module or inside the whole process. You can expect this to be the best way as it probably works through several patches.

After that step you are inside the script editor. You need to understand assembly language to know how to freeze / move values. As CoSMOS has nearly the same script syntax as CoSMOS you can adopt any tutorial for CoSMOS. If you have any specific question feel free to ask.

Thanks, 0x09! You're a gentleman and a scholar.

My quick background. The programming languages I know is C#, JavaScript, jQuery, MVC Razor, and few others. I understand the fundamentals of OOP but I've never been able to wrap my head around machine code like Assembly. I know of Assembly from the 90's demoscene but I never could get it. However, the Internet today has a wealth of online resources for learning ASM, plus the CH community can help.

Update: I bought the Assembly Language Adventures: Complete Course for $5 on Udemy. I spend more than $5 at Starbucks.




[Edited by tommy3467, 9/18/2017 4:27:50 PM]

For scripts the basic assembly knowledge should be fine.
You have to know the difference between byte, word, dword, qword, float and double.
You have to know the mov and cmp (possible fld and fstp) command as well.
Also you should know about the registers (eax, ecx, etc).

After that the rest is pretty much learning by doing. But of course, if you fully learn assembly it will only have a positive effect.

Does anyone know why the "Find out what access" is grayed out?

i.imgur.com/gOUmJ08.png

Also, I noticed the float address for hp changes each battle as you can see in my screenshot. Is this what you meant by "Find out what access" so that I can trace all these addresses back to function? Kind of like a reverse engineer.

[Edited by tommy3467, 9/18/2017 8:19:40 PM]

I figured out the grayed out "Find out what accesses to." It's not available in Beginner mode. I switched to Expert. Would it be worth adding this prompt? "This is a feature of Expert mode. Please switch your Experience Level to this."

Thanks, 0x09! With your guidance above I was able to get the script editor part. Now comes the ASM part!

i.imgur.com/vU31B7f.png

Hmmm...

movss moves a float value to/from the xmm register.
In your case it moves the float value stored in ecx+18 into xmm0.
This is important because if it would be the other way around (moving float value from register into ecx+18) you would have to write your code behind the original code.

Anyway it should be enough to write a single line behind 'codecave:'

mov dword ptr[ecx+18],(float)999

So it moves the float value 999 into ecx+18 and then execute the original code. And it does that each time the function gets accessed. As a float value takes 4 bytes in memory, we're using mov dword.

If your maximum health is stored nearby you can also do something better like:

fld dword ptr[ecx+18+4]
fstp dword ptr[ecx+18]

Assuming your maximum health is stored at ecx+1C this code will load the float value stored in ecx+1C (pushes it into FPU stack) and paste it into ecx+18 (pops from FPU stack).