Trainer

[xXxCocoFangxXx]

I am working on making a Trainer for Halo 1 on the Xbox.

It needs to be in .etm or .xbtf so it will work with Xored or Evo-x.

I haven't seen ANY of these kinds of Trainers for Halo 1, and I thought the community would need one because the IPS Trainers for Halo 1 are complicated to use, and with this one you don't need to patch the default.xbe for Halo 1 or put Halo on your HDD.

I need some people that know what they are doing and would be willing to help, if you are interested, contact me! =]

[xXxCocoFangxXx]

Anyone??

I really need help, you will credit where due also! =]

[bricksarefun]

I've talked to xbox7887 multiple times about something like this, the ips trainer and dev trainer combined, but I doubt he's gonna help.

[xXxCocoFangxXx]

Finally someone posts! lol


I talked to him also, but he didn't really tell me anything, if you want to help just tell me! =]

I don't care who helps, as long as you can! =]

Once we get something done I will need beta testers also, but that's later, you will get credit also if you help!

[bricksarefun]

I personally know nothing about trainers, but I could beta test later, I also have an idea on how to get it working. Get on AIM.

[xbox7887]

Heres the source to the Halo 1 trainer I released in the screencap package (minus the gamefreeze code since that information was given to me by Kornman00). It's really poorly written but maybe you can learn a few things from it. There's also a bunch of random code snippets that don't really do anything since I was too lazy to finish

Code: Select all

;//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
;//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
;//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
;//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
;///Third array memory addresses:								       	   		///
;///															///
;///		xbox		pc		label					       	  			///
;///			       	   											///
;///1.		0x2814E8	0x2714E8	x camera coord								///
;///2.		0x2714EC	0x2714EC	y camera coord								///
;///3.		0x2714F0	0x2714F0	z camera coord						     		///
;///4.		0x2714F4	0x2714F4	x camera shift (forward/back)				     		///
;///5.		0x2714F8	0x2714F8	y camera shift (left/right)					    	///
;///6.		0x2714FC	0x2714FC	z camera shift (up/down)						///					///
;///9.		0x271500	0x271500	camera depth								///
;///10.		0x271504	0x271504	field of view								///
;///11.		0x271508	0x271508	i forward look vector- cos(h)*cos(v)					///
;///12.		0x27150C	0x27150C	j forward look vector- sin(h)*cos(v)					///
;///13		0x271510	0x271510	k forward look vector- sin(v)						///
;///14.		0x271514	0x271514	i up look vector- opposite(cos(h)*sin(v))				///
;///15.		0x271518	0x271518	j up look vector- opposite(sin(h)*sin(v))				///
;///16.		0x27151C	0x27151C	k up look vector- cos(v)						///
;//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
	.586p
	.xmm 			;adds support for xmm registers
	.model tiny,stdcall 	;adds support for PROC w/ args

TEMPVAR 			equ 010004h ;defines the starting address of the variable table

;NVidia GPU: Framebuffer address - This is always the same
NV_CRTC_FB_ADDR			equ 0FD600800h
 
;GetSystemTimeAsFileTime(x) address
Sys2FileTime			equ 0247B3h

;CreateDirectoryA(x,x) address
Create_Dir			equ 014ACCh
 
;Nt Function Addresses
NtClose                         equ 01D664Ch
NtCreateFile                    equ 01D66F4h
NtReadFile                      equ 01D66F0h
NtWriteFile                     equ 01D66ECh

GetBase		macro	Reg
		call	$+5
		pop	Reg
		sub	Reg,$-1
		endm

Code		segment	use32
		org	0
		dd	offset	End_of_file
		dw	1		; Version
		dd	End_of_header	; Size of header
		dd	offset	Selections
		dd	offset	Selections_Text
		dd	offset	ID_List
		dd	offset	Entry
		dd	0		; Res1
		dd	0		; Res2
		db	0		; Master Enable

End_of_header	equ	$
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////
storepushret PROC
        	mov 	byte ptr [edi],068h
        	mov 	dword ptr [edi+1], esi
        	mov	byte ptr [edi+5], 0c3h
        	ret
storepushret ENDP
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////
doonce db 0
Screenshot PROC ;INPUTS: (NV_CRTC_FB_ADDR, Sys2FileTime, Create_Dir, NtClose, NtCreateFile, NtReadFile, NtWriteFile)
	;-----Sets up filename information-----
	pushad
	getbase ebp			;gets base address of trainer
	cmp	doonce[ebp],0		;checks to see if its been run yet
	jne	endsetup		;jumps if has
	inc	byte ptr ds:[doonce+ebp] ;otherwise indicate its been run
	lea	esi, [ebp+ObjectAttributes] ;loads ObjectAttributes address 
	add	dword ptr [esi+4], ebp	;adjusts address
	lea	esi, [ebp+ObjectName]	;loads ObjectName address
	add	dword ptr [esi+4], ebp	;adjusts address

	;-----Creates $s directory-----
	xor	eax, eax		;resets eax
	push	eax			;lpSecurityAttributes		(null)
	lea	eax, [ebp+DirName]	;loads directory name address		
	push	eax			;lpPathName
	mov	eax, Create_Dir		;CreateDirectoryA(x,x) address
	call	eax			;calls function

	;-----Concatenates timestamped filename-----
	endsetup:
	lea 	esi, [ebp+Filetime]	;loads filetime address
	mov	eax, Sys2FileTime	;GetSystemTimeAsFileTime(x) address
	push	esi			;address to store FILETIME struct
	call	eax			;call GetSystemTimeAsFileTime(x)
	mov	ebx, dword ptr [esi]	;stores first dword
	mov	ecx, dword ptr [esi+4]	;stores second dword
	mov	dword ptr [esi], ecx	;switches dword order
	mov	dword ptr [esi+4], ebx	;switches dword order
	lea 	edx, [ebp+ITOA]		;loads address of ascii character table
	lea 	edi, [ebp+NumA+15]	;loads address of last byte in filename			
	xor	eax, eax		;resets eax
	mov	ebx, dword ptr [esi+4]	;stores second dword of filetime
	mov	ecx, 8			;loop counter (number of string characters)
	ConvASCII:			;converts ebx into ascii characters
	mov	al, bl			;stores first part of data to be converted
	and	al, 0Fh			;returns last digit of byte
	mov	al, [edx + eax]		;reads equivilant ascii character from table
	mov	byte ptr [edi], al	;stores as part of ascii filename
	shr	ebx, 4			;shifts data and reads next nibble
	dec	edi			;stores next address in filename to be written
	loop	ConvASCII		;loops through until every byte has been converted
	mov	ebx, dword ptr [esi]	;stores first dword of filetime
	mov	ecx, 8			;loop counter (number of string characters)
	ConvASCII2:			;converts ebx to ascii characters
	mov	al, bl			;stores first part of data to be converted
	and	al, 0Fh			;returns last digit of byte
	mov	al, [edx + eax]		;reads equivilant ascii character from table
	mov	byte ptr [edi], al	;stores as part of ascii filename
	shr	ebx, 4			;shifts data and reads next nibble
	dec	edi			;stores next address in filename to be written
	loop	ConvASCII2		;loops through until every byte has been converted
	xor 	eax, eax		;resets eax

	;-----Creates FileHandle-----
	push	000000060h			;CreateOptions		(FILE_SYNCHRONOUS_IO_NONALERT + FILE_NON_DIRECTORY_FILE)
	push	000000005h			;CreateDisposition	(FILE_OVERWRITE_IF)
	push	000000001h			;ShareAccess		(FILE_SHARE_READ)
	push	000000080h			;FileAttributes		(FILE_ATTRIBUTE_NORMAL)
	push	eax				;AllocationSize		(NULL)
	lea	esi, [ebp+IOStatusBlock]	;loads IOStatusBlock address
	push	esi				;IOStatusBlock
	lea	esi, [ebp+ObjectAttributes]	;loads ObjectAttributes address
	push	esi				;ObjectAttributes
	push	0C0000000h			;DesiredAccess		(GENERIC_WRITE + GENERIC_READ)
	lea     esi, [ebp+FileHandle]		;loads FileHandle address
	push	esi				;FileHandle
	call	dword ptr ds:[NtCreateFile]	;calls NtCreateFile

	;-----Writes File-----
	push	eax				;ByteOffset		(NULL)
	push	1228800				;Length			(640*480*4)
	mov	esi, dword ptr ds:[NV_CRTC_FB_ADDR] ;stores framebuffer address
	or	esi, 080000000h			;gets real framebuffer address
	push	esi				;framebuffer address from the GPU
	lea	esi, [ebp+IOStatusBlock]	;loads IOStatusBlock address
	push	esi				;IOStatusBlock
	push	eax				;ApcContext		(NULL)
	push	eax				;ApcRoutine		(NULL)
	push	eax				;Event			(NULL)
	lea	esi, [ebp+FileHandle]		;loads FileHandle address
	push	dword ptr [esi]			;FileHandle
	call	dword ptr ds:[NtWriteFile]	;calls NtWriteFile

	;-----Closes FileHandle-----
	lea	esi, [ebp+FileHandle]		;loads FileHandle address
	push	dword ptr [esi]			;FileHandle address
	call	dword ptr ds:[NtClose]		;calls NtClose
	popad
	ret
Screenshot ENDP
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////
InGameKeys PROC
		pushad
		getbase ebp				;gets base address of trainer
		mov	ax, word ptr [ebp+gamepad]	;loads gamepad data
		mov	bx, word ptr [ebp+oldpad]	;loads old press
		cmp	ax, bx				;compares with new press
		je	heldkey				;jumps if no change
		cmp	dword ptr ds:[0271100h], 0	;checks perspective
		jne	nodevpress			;jumps past if not in devcam

		;PUT DEV CONTROLS THAT ONLY EXECUTE ONCE PER PRESS HERE

nodevpress:
		firstperson:
		cmp	ax, 021h
		jne	thirdperson
		mov	dword ptr ds:[0271100h], 0011E750h ;1p perspective

		thirdperson:
		cmp	ax, 022h
		jne	chasecam
		mov	dword ptr ds:[0271100h], 00011DF50h ;3p perspective

		chasecam:
		cmp	ax, 024h
		jne	devcam
		mov	dword ptr ds:[0271100h], 000120730h ;chasecam perspective

		devcam:
		cmp	ax, 028h
		jne	screencap
		mov	dword ptr ds:[0271100h], 000000000h ;debug perspective

		screencap:
		cmp	ax, 0A0h ;rthumb+back
		jne	nochange
		call	Screenshot				;takes screenshot
		jmp	nochange

heldkey:	;-----code that is executed multiple times per press-----
		cmp	dword ptr ds:[0271100h], 000000000h
		jne	nodevhold

		;PUT DEV CONTROLS THAT REQUIRE HOLDING HERE

nodevhold:


nochange:
		;-----stores old press-----
		lea	ebx, [ebp+oldpad]
		mov	word ptr [ebx], ax
		popad
		ret
InGameKeys ENDP
mincamspeed:
	dd	0.02f
maxcamspeed:
	dd	4.0f
minlookspeed:
	dd	0.01f
maxlookspeed:
	dd	0.15f
camstate:
	db 18h dup(0)
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////
Entry:
		mov	edi, 010114h
		cmp	dword ptr [edi], 03BC779C7h
		jne	EndZone
		cld

		cmp	[Sel_Memdump+ebp], 0
		je	EndZone

		mov	edi, 000E398Bh
	   	lea 	esi, [igks+ebp] ;ingame keys
		call 	storepushret
;---------------------------------------------------------------------------------------------------------------
		;initialize space in xbe header for variables (256 bytes total)
		xor 	eax, eax ;init to  0
		mov 	edi, TEMPVAR ;stores starting address of variable table
		mov 	ecx, 040h
		rep 	stosd

		;assigns initial variables
		mov 	esi, TEMPVAR ;stores starting address of variable table
               	mov 	dword ptr [esi], 03DCCCCCDh   		;initial camera speed (0.1)
               	mov 	dword ptr [esi+4], 03C23D70Ah 		;camera increment/adjustment speed (0.01)
               	mov 	dword ptr [esi+8], 03FC8F5C3h 		;1.57 radians (90 degrees)
								;temp calculating address [esi+0Ch]
								;artificial i look vector [esi+10h]
								;artificial j look vector [esi+14h]
								;artificial k look vector [esi+18h]
;---------------------------------------------------------------------------------------------------------------
		mov	edi, 011FD27h ;disable perspective switch command
		mov	al, 090h
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb

		mov	edi, 011FDDFh ;disable perspective switch command
		mov	al, 090h
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb

		mov	edi, 011FE86h ;disable perspective switch command
		mov	al, 090h
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb

		mov	edi, 011FFA2h ;disable perspective switch command
		mov	al, 090h
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb

		mov	edi, 012005Ah ;disable perspective switch command
		mov	al, 090h
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb

 		mov	edi, 0120216h ;disable perspective switch command
		mov	al, 090h
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb

 		mov	edi, 012004Eh ;disable perspective switch command
		mov	al, 090h
		stosb
		stosb
		stosb
		stosb
		stosb
		stosb

EndZone:
		ret
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////
gamepad:
	dw	0
oldpad:
	dw	0
igks:		;hook @ 0E398Bh
;000E398B	lea	ecx, [esp+3Ch+var_18]
;000E398F	push	ecx
;000E3990	push	eax
;000E3991	call	sub_1D138D
		lea 	ecx, [esp+24h]
		push 	ecx
		push 	eax
		pushad
		getbase ebp
		;lea	eax, dword ptr [eax+14h]	;loads XINPUT_GAMEPAD address
		lea	eax, dword ptr [ecx+4]

		;-----builds bitmask16 for entire gamepad-----
		xor	edx, edx			;resets edx
		mov	cx, 0100h			;initial bitmask value
		mov	bl, byte ptr [eax]		;copies wButtons
		buildgamepad:
		mov	dl, byte ptr [eax+2]		;loads button
		cmp	edx, 03Fh			;checks for 25% press
		jle	notpressed			;jumps if less than
		add	bx, cx				;enables bitmask
		notpressed:
		shl	cx, 1				;gets next bitmask value
		inc	eax				;gets next button address
		cmp	cx, 04000h			;checks if it assigned all bitmasks (excluding triggers)
		jne	buildgamepad			;jumps if hasnt

		lea	eax, [ebp+gamepad]		;loads gamepad address
		mov	word ptr [eax], bx		;stores new gamepad state
		call	InGameKeys			;executes code based on key presses
		popad
		push	00E3991h
		ret
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////
ObjectAttributes:		; (OBJECT ATTRIBUTES)
	dd	0		; HANDLE RootDirectory
	dd	ObjectName	; PANSI_STRING ObjectName
	dd	00000040h	; ULONG Attributes
ObjectName:			; (PANSI_STRING)
	dw	26;		; USHORT Length (THIS MUST BE CORRECT LENGTH OF FileName!!)
	dw	26;		; USHORT MaximumLength (I think this ones flexible)
	dd	FileName	; PCHAR Buffer
FileHandle:
	dd	0
IoStatusBlock:
	dd	0
	dd	0
FileName:
	db	"\??\T:\$s\"
NumA:
	db	"0000000000000000",0
ITOA:
	db	"0123456789ABCDEF"	
Filetime:
	dd	0	;lowtime
	dd	0	;hightime
DirName:
	db	"T:\$s",0
;///////////////////////////////////////////////////////////////////////////////////////////////////////////////
ID_List		label	dword
		dd	04D530004h
		dd	0

Selections	label	byte

Sel_Memdump	db	0

Selections_Text	label	byte

		dd	offset	Text_Menu
		dd	offset	Text_Info
		dd	offset	Txt_Memdump
		dd	0

Text_Menu	db	'Halo 1 Developers Edition (v1.0)', 0
Text_Info	db	'Made by: xbox7887', 0
		db	' ', 0
		db	' ', 0
		db	'POWEReD & ENDoRSED BY KHUONG', 0
		db	'http://www.xboxtrainers.net', 0
		db	'+10000 respect :P', 0
		db	0

Txt_Memdump	db	'Devcam', 0

End_of_file	equ	$

Code		ends
		end

[bricksarefun]

Xbox, you said the gamefreeze thing was given to you, why was it never put into a trainer?

[xbox7887]

It was, but I took it out of the source because it's not my information to give out...

[bricksarefun]

It was, but I took it out of the source because it's not my information to give out...

The devcam you released didn't have it, unless you updated it and I didn't notice.

[xXxCocoFangxXx]

Thanks for that source, I'm sure it will come in handy, but I still need some people to help me.

Some things I want to put in this Trainer is the inf ammo, and inf health, that kind of stuff, because I need to use this for Campaign and making Gamesaves.


I don't think I can make a devcam or anything, because I am not that good yet, that is why I need some help.

[bricksarefun]

I have that one app, xbox trainer maker, i'm guessing it makes trainers. I'm gonna try it out and see if it can help at all.

[xXxCocoFangxXx]

I have no clue if that will work, but I will look at it also.

[bricksarefun]

I have no clue if that will work, but I will look at it also.

I checked, it's Halo2 only. I just patched my default.xbe with the ips patch, found it on my HD a few minutes ago. This is a question directed at xbox, but can be answered by anyone who knows, how did you get the source from the etm, I was trying to get the patched xbe's source, but I don't know how really.
EDIT: Coco get on AIM.

[-DeToX-]

I don't think that trainer maker will do it alone. I beleive you need IDA pro, XboxDisasm and other crap to get a raw dump of memory, break, poke a value, break for changes, get a memory address, then an XBE address, then you would put it in the Trainer maker i beleive.

Unless im thinking of a different program.

[xbox7887]

LAWL, I don't think you guys understand the amount of work and skill that goes into making these damn things

Here's a few pointers that may help you get started (and if you don't know anything about x86 assembly you might want to learn that as well - http://modseven.de/dictionary.php)...download xdkassist, artmoney, ida pro, trainer source (masm compiler), and please just forget all about that trainer maker tool, it won't help you at all since you'll be writing it in notepad or some other ide instead. Typically you will have all of those programs open, your xbe disassembled, xdkassist connected and performing memdumps while searching for changes in the values with artmoney. Once you find the addresses of the values, you can set breakpoints with xdkassist and get the address of the command that writes to those values which allows you to go over to the disassembly and do what you please with the code, whether it be nop'ing out the command or hooking into the gamecode and jumping to your custom codecave inside the trainer. If you have the xdk installed on your computer you may also want to look into debugging with visual studios 2003 which makes things a hell of alot easier.

Now the problem with training halo 1 is that all of these methods described above will not work ;P The only way in would be to disassemble the xbe and look through millions of lines of assembly. I got around this by writing a little trainer that dumped the memory directly to the hdd, but this process was slow and tedious and is the main reason I never finished my halo 2 devcam port to halo 1. Basically you would have better luck hacking halo 2 than anything else, it's fairly easy and I'll always be there to help out...

[-DeToX-]

Yep. Not as easy as you may think, I remember I tried going for Trainer making and once I figured the amount of work, I decided I'll just leave it to Xbox since he's got the skills.

[xXxCocoFangxXx]

I just want to make a quick easy Trainer for Halo 1 so I can use it with Campaign.


I am VERY glad you are here to help me Xbox, =]