

Messages - snake123adfs

1
nvm that was not the base address

2
just got IDA 6.8 pro and class informer installed.

edit: OK so can MrMedic or Seb help me out here.


I would like to know the significance of the following information.


Quote
mb_warband.exe+2B12F3C -> X
mb_warband.exe+2B12F3C+4 -> Y
mb_warband.exe+2B12F3C+4+4 -> Z

^^^ Those are pointers to the dynamic addresses for X,Y,Z, but I can't find them through cheat engine on NW. I got them from a thread from 2014, so did the game's pointers change from all the patches?

Quote
005D956B - FF D0  - call eax
005D956D - D9 85 00600000  - fld dword ptr [ebp+00006000]
005D9573 - D9 86 18020000  - fld dword ptr [esi+00000218] <<
005D9579 - DAE9 - fucompp
005D957B - DFE0 - fnstsw ax

EAX=004570E0
EBX=0005BE00
ECX=5A2336D0
EDX=007C4104
ESI=0A5B6440
EDI=4C9E3DF8
ESP=0314EF08
EBP=4D6ED468
EIP=005D9579

^^^ I have no clue what all these are, other than that 005D956D - D9 85 00600000  - fld dword ptr [ebp+00006000] is health.


Quote
-> 0x4B63D9
-> 0x4AF73F
-> 0x4AF8B4
-> 0x816CE0
-> 0x5B19AA
->  0x5D6674
->  0xE0B1C8
->  0x423557
->  0x5D793A
->  0x8681B0
->  0x4AF73F
->  0x4AB2D9

^^^ and those are functions I can find in IDA correct?

Like I said, I'm literally brand new to all this stuff lol, and have a massive amount of questions.

sooooo, I started up NW again, found the health address and stuff like that because it changed since last time, got the ebp, searched for it in hex 4 byte aaaaannnddd there's 15,000 addresses and no green static addresses.

3
You seem to actually be trying, I'll help you out a little, can you send me your discord name?
ok i just created a discord, my name on there is snake123adfs

And yes I am trying lol, I set a goal and I'm not stopping till I finish it goddamnit lol.

4
Yes I know I am coming off as an idiot lol, I just started learning about reverse engineering yesterday, any help would be much appreciated from you guys.

5
just viewed this

Quote
here are some useful functions I have dumped for you all, these can be used for:

admin control bypass ( any server ).
autoblock
auto attack
auto chamber
aimbot
kick distance evade / auto kick opponent
cycle ents ( built in so no need to check just hook and away you go all relevant data is there for you )
and there is an unblockable in there ( works on v1.73 and probably all future versions.)



-> 0x4B63D9
-> 0x4AF73F
-> 0x4AF8B4
-> 0x816CE0
-> 0x5B19AA
->  0x5D6674
->  0xE0B1C8
->  0x423557
->  0x5D793A
->  0x8681B0
->  0x4AF73F
->  0x4AB2D9
Localbase 2  -> 0x5D7BAD
-> 0x499E34
have fun. sorry admin control bypass ( any server ) removed ( can crash servers and I don't support that )

 

These are functions in IDA correct? I only have IDA freeware 7.0, and I don't have class informer.

I have a fucking landslide of questions to ask lol

6
"when you finally find the value and you're sure it's your health, find out what accesses it

jump to that location ( of the offset that is actually changing it , usually a float store [fstp] sometimes a double , mostly int or dword though warband is uncommon in most aspects actually )

now we have this address that is changing health

fstp [ebx+6000] ( local )

ok now you see the ebx .. ( ignore the + 6000 as it's irrelevant at this point )

the ebx is what is known as the base .. or local , or local player pointer , this ebx is pointing to the start of you , ie your player' - mrmedic

this is confusing. Looking at the addresses I posted, I don't see anything that says this "fstp [ebx+6000] ( local )". There is no ebx+6000; there are ebp and the other prefixes, as well as 00006000, but there is no ebx or +6000.

but then worm on the other hand said "fst dword ptr [esi+00006000]   (Static Addr : mb_warband.exe+D25F4)
ESI - > Base
Base + 0x6000 - > Health.
"

005D956D - D9 85 00600000  - fld dword ptr [ebp+00006000] ebp .. points to your local ( base )... the +6000 is the offset from you to health address.

well done btw you are getting there , keep trying.

Thanks. Do you know how to find the X,Y,Z coordinates of my player? I think finding Z would be easy, just go on a flat map and jump on a box and search for a value that increased.

But X and Y seems like it'd take a really long time.

just to clarify, 005D956D  is the pointer to the dynamic health address right?

btw I'm doing all of this on a multiplayer server, is that alright or should I take it offline?


double edit: just got it down to 19 addresses from moving to other parts of the map

still stuck at 19 addresses..... but I think this dynamic address might be it 01D9948C


these are what accesses it

0046D3F0 - 89 15 8894D901  - mov [mb_warband.exe+1999488],edx
0046D3F6 - 8B 48 08  - mov ecx,[eax+08]
0046D3F9 - 89 0D 8C94D901  - mov [mb_warband.exe+199948C],ecx <<
0046D3FF - 8B 50 0C  - mov edx,[eax+0C]
0046D402 - 8D 44 24 20  - lea eax,[esp+20]

EAX=0314F85C
EBX=0087B3F0
ECX=4023D700
EDX=43A0570A
ESI=00DE0658
EDI=00000000
ESP=0314F850
EBP=00DE0658
EIP=0046D3FF

004E95C7 - 8B 0D 8894D901  - mov ecx,[mb_warband.exe+1999488]
004E95CD - 89 4B 44  - mov [ebx+44],ecx
004E95D0 - 8B 15 8C94D901  - mov edx,[mb_warband.exe+199948C] <<
004E95D6 - 89 53 48  - mov [ebx+48],edx
004E95D9 - A1 9094D901 - mov eax,[mb_warband.exe+1999490]

EAX=43ABA666
EBX=52825E18
ECX=43A0570A
EDX=4023D700
ESI=0763B600
EDI=0005BE00
ESP=0314F7D0
EBP=0314F85C
EIP=004E95D6


triple edit

I just found 4 dynamic addresses that decrease when I crouch are these the ones I need for the Z coordinate? The address I posted above I think had to do with how high I was on the map

These are from the 4 dynamic addresses that decreased when I crouched

00473F54 - 05 28020000 - add eax,00000228
00473F59 - B9 8A000000 - mov ecx,0000008A
00473F5E - 81 C2 28020000 - add edx,00000228 <<
00473F64 - F3 A5 - repe movsd
00473F66 - 3B C5  - cmp eax,ebp

EAX=4F9C6700
EBX=00DD8DF0
ECX=00000078
EDX=4F9C64D8
ESI=4F9C6520
EDI=4F9C62F8
ESP=0314F85C
EBP=4F9C6700
EIP=00473F64

00473F54 - 05 28020000 - add eax,00000228
00473F59 - B9 8A000000 - mov ecx,0000008A
00473F5E - 81 C2 28020000 - add edx,00000228 <<
00473F64 - F3 A5 - repe movsd
00473F66 - 3B C5  - cmp eax,ebp

EAX=4F9C6700
EBX=00DD8DF0
ECX=00000074
EDX=4F9C64D8
ESI=4F9C6530
EDI=4F9C6308
ESP=0314F85C
EBP=4F9C6928
EIP=00473F64


00473249 - 56 - push esi
0047324A - 8B 74 24 10  - mov esi,[esp+10]
0047324E - B9 8A000000 - mov ecx,0000008A <<
00473253 - F3 A5 - repe movsd
00473255 - 5E - pop esi

EAX=0314F054
EBX=00DE807C
ECX=00000078
EDX=0314F054
ESI=0314F09C
EDI=4F9C6520
ESP=0314E994
EBP=0314E9C4
EIP=00473253

00473F54 - 05 28020000 - add eax,00000228
00473F59 - B9 8A000000 - mov ecx,0000008A
00473F5E - 81 C2 28020000 - add edx,00000228 <<
00473F64 - F3 A5 - repe movsd
00473F66 - 3B C5  - cmp eax,ebp

EAX=4F9C6700
EBX=00DD8DF0
ECX=00000074
EDX=4F9C64D8
ESI=4F9C6530
EDI=4F9C6308
ESP=0314F85C
EBP=4F9C6700
EIP=00473F64

00473249 - 56 - push esi
0047324A - 8B 74 24 10  - mov esi,[esp+10]
0047324E - B9 8A000000 - mov ecx,0000008A <<
00473253 - F3 A5 - repe movsd
00473255 - 5E - pop esi

EAX=0314F054
EBX=00DE807C
ECX=00000074
EDX=0314F054
ESI=0314F0AC
EDI=4F9C6530
ESP=0314E994
EBP=0314E9C4
EIP=00473253


These are all that access the addresses


so when standing on completely flat land, my player height is set at 77, if I go up a hill, 2 of the dynamic address values will change slightly to 78 or 79.

but no matter where I am, when I crouch, two addresses go to 4 and two go to 6


7
Took me a while to read all of that, but there is already so much information on these forums which I have posted and then some more obscure info posted by Medic. You may want to throw the executable into IDA and analyze the functions which have already been analyzed.
Regarding the two health values, one is for the UI and the other is for your actual player.
Games have a lot of different reasons for using multiple health values at times.

executable? what do you mean, all I have found is the addresses, and which value will I use, the one for the player or the UI?

I am literally brand new to this stuff.

Also how do I find the X,Y,Z coordinates of my player?

Question, is it possible to make a Health Cheat on Multiplayer? Where my health gets replenished or I have 10x more health?

I tried changing the health values with cheat engine, I had someone stab my character to do a bit of damage then I would change the value in cheat engine. The health bar would go full, but it was just superficial, the actual value of my character's health would not change.

BTW, I went to buy IDA Pro, and it is just too expensive for me. I have the freeware version will that do? For some reason I can't find out how to install class informer on IDA

edit: trying to find X and Y, think I have found the dynamic addresses, and they are 00DE0670 which has a small value of 8.349216836E-15 and 01D99488 which has a value of 179.4599915


These are what  access 00DE0670:
0062501C - 89 44 8F F4  - mov [edi+ecx*4-0C],eax
00625020 - 8B 44 8E F8  - mov eax,[esi+ecx*4-08]
00625024 - 89 44 8F F8  - mov [edi+ecx*4-08],eax <<
00625028 - 8B 44 8E FC  - mov eax,[esi+ecx*4-04]
0062502C - 89 44 8F FC  - mov [edi+ecx*4-04],eax

EAX=2816688F
EBX=0000001A
ECX=00000006
EDX=00000002
ESI=0314E47C
EDI=00DE0660
ESP=0314E3FC
EBP=0314E404
EIP=00625028

0046BDEB - 73 21 - jae mb_warband.exe+6BE0E
0046BDED - 8B 4C 24 14  - mov ecx,[esp+14]
0046BDF1 - 8B 54 A9 04  - mov edx,[ecx+ebp*4+04] <<
0046BDF5 - 2B C6  - sub eax,esi
0046BDF7 - 8B 04 85 4C70DD00  - mov eax,[eax*4+mb_warband.exe+9D704C]

EAX=00000011
EBX=0314F858
ECX=00DE0660
EDX=2816688F
ESI=0000000B
EDI=0314F82C
ESP=0314F7F4
EBP=00000003
EIP=0046BDF5

0046BDD4 - D3 E2  - shl edx,cl
0046BDD6 - F7 D0  - not eax
0046BDD8 - 23 14 AF   - and edx,[edi+ebp*4] <<
0046BDDB - 8B 7C 24 1C  - mov edi,[esp+1C]
0046BDDF - 23 07  - and eax,[edi]

EAX=FFFE0000
EBX=0314F858
ECX=00000006
EDX=00166880
ESI=00000011
EDI=00DE0660
ESP=0314F7E0
EBP=00000004
EIP=0046BDDB

00625014 - 89 44 8F F0  - mov [edi+ecx*4-10],eax
00625018 - 8B 44 8E F4  - mov eax,[esi+ecx*4-0C]
0062501C - 89 44 8F F4  - mov [edi+ecx*4-0C],eax <<
00625020 - 8B 44 8E F8  - mov eax,[esi+ecx*4-08]
00625024 - 89 44 8F F8  - mov [edi+ecx*4-08],eax

EAX=2816688F
EBX=0000001D
ECX=00000007
EDX=00000001
ESI=0314E47C
EDI=00DE0660
ESP=0314E3FC
EBP=0314E404
EIP=00625020


And these are what access 01D99488:

0046D3E9 - 8B 50 04  - mov edx,[eax+04]
0046D3EC - D9 5C 24 08  - fstp dword ptr [esp+08]
0046D3F0 - 89 15 8894D901  - mov [mb_warband.exe+1999488],edx <<
0046D3F6 - 8B 48 08  - mov ecx,[eax+08]
0046D3F9 - 89 0D 8C94D901  - mov [mb_warband.exe+199948C],ecx

EAX=0314F85C
EBX=0087B3F0
ECX=4382C3D7
EDX=433375C2
ESI=00DE0658
EDI=00000000
ESP=0314F850
EBP=00DE0658
EIP=0046D3F6

004E95BF - A1 8494D901 - mov eax,[mb_warband.exe+1999484]
004E95C4 - 89 43 40  - mov [ebx+40],eax
004E95C7 - 8B 0D 8894D901  - mov ecx,[mb_warband.exe+1999488] <<
004E95CD - 89 4B 44  - mov [ebx+44],ecx
004E95D0 - 8B 15 8C94D901  - mov edx,[mb_warband.exe+199948C]

EAX=4382C3D7
EBX=52825E18
ECX=433375C2
EDX=00000000
ESI=07605FC0
EDI=0005BE00
ESP=0314F7D0
EBP=0314F85C
EIP=004E95CD


BTW I got these from Worm's thread
mb_warband.exe+2B12F3C -> X
mb_warband.exe+2B12F3C+4 -> Y
mb_warband.exe+2B12F3C+4+4 -> Z

But when I put them into cheat engine it can't find the addresses

8
"when you finally find the value and you're sure it's your health, find out what accesses it

jump to that location ( of the offset that is actually changing it , usually a float store [fstp] sometimes a double , mostly int or dword though warband is uncommon in most aspects actually )

now we have this address that is changing health

fstp [ebx+6000] ( local )

ok now you see the ebx .. ( ignore the + 6000 as it's irrelevant at this point )

the ebx is what is known as the base .. or local , or local player pointer , this ebx is pointing to the start of you , ie your player' - mrmedic

this is confusing. Looking at the addresses I posted, I don't see anything that says this "fstp [ebx+6000] ( local )". There is no ebx+6000; there are ebp and the other prefixes, as well as 00006000, but there is no ebx or +6000.

but then worm on the other hand said "fst dword ptr [esi+00006000]   (Static Addr : mb_warband.exe+D25F4)
ESI - > Base
Base + 0x6000 - > Health.
"

9
I have downloaded cheat engine, loaded it up with Napoleonic Wars, I'm on my own server, trying to find the memory address for health. I read in a thread from 2014 that the default value for health is 60, so I put 60 in the value box, value type set to 4 bytes, do a scan, get 70,000 results, then I jump off a mountain, which takes about 3/4 of my health away. I do a search for decreased value, 12 results show up, hit scan again, and they all just disappear. Have the memory addresses and values for the game changed over the years?

edit: used my noggin, think I found out what I did wrong, going to try to find the health address by first searching for unknown and narrowing it down

well RIP, I got it narrowed down to 12 addresses, and the next time I jumped off the cliff and injured myself and search decreased value all the addresses disappeared

double edit: searching float instead of 4 bytes now, see if that will work

triple edit: I think the memory for health may either be 0A5B6658 or 4D6F3468, both have values of 56 instead of 60.

yeah that is definitely it, just jumped off and injured myself and the value went to 16. NW sets the default health to 56, not 60 like Native I guess.

why are there two addresses for health btw?

quad edit: Right clicked on address 0A5B6658 and clicked to find out what accesses it and this is what showed up

005D9573 - D9 86 18020000  - fld dword ptr [esi+00000218]

005D956B - FF D0  - call eax
005D956D - D9 85 00600000  - fld dword ptr [ebp+00006000]
005D9573 - D9 86 18020000  - fld dword ptr [esi+00000218] <<
005D9579 - DAE9 - fucompp
005D957B - DFE0 - fnstsw ax

EAX=004570E0
EBX=0005BE00
ECX=5A2336D0
EDX=007C4104
ESI=0A5B6440
EDI=4C9E3DF8
ESP=0314EF08
EBP=4D6ED468
EIP=005D9579


then I did the same for the other address 4D6F3468

and got this:

005A73CF - D8 9E 00600000  - fcomp dword ptr [esi+00006000]
005D956D - D9 85 00600000  - fld dword ptr [ebp+00006000]
0052AF57 - D9 80 00600000  - fld dword ptr [eax+00006000]

005A73CA - D9EE - fldz
005A73CC - 83 C4 08 - add esp,08
005A73CF - D8 9E 00600000  - fcomp dword ptr [esi+00006000] <<
005A73D5 - DFE0 - fnstsw ax
005A73D7 - F6 C4 05 - test ah,05

EAX=00000020
EBX=0086AB40
ECX=00000000
EDX=00862E30
ESI=4D6ED468
EDI=0314F454
ESP=0314F3F0
EBP=0A5B673C
EIP=005A73D5

005D9565 - 8B 82 DC000000  - mov eax,[edx+000000DC]
005D956B - FF D0  - call eax
005D956D - D9 85 00600000  - fld dword ptr [ebp+00006000] <<
005D9573 - D9 86 18020000  - fld dword ptr [esi+00000218]
005D9579 - DAE9 - fucompp

EAX=004570E0
EBX=0005BE00
ECX=5A2336D0
EDX=007C4104
ESI=0A5B6440
EDI=4C9E3DF8
ESP=0314EF08
EBP=4D6ED468
EIP=005D9573


0052AF50 - 8B CE  - mov ecx,esi
0052AF52 - E8 D943EEFF - call mb_warband.exe+F330
0052AF57 - D9 80 00600000  - fld dword ptr [eax+00006000] <<
0052AF5D - DC 0D 18EF7B00  - fmul qword ptr [mb_warband.exe+3BEF18]
0052AF63 - 57 - push edi

EAX=4D6ED468
EBX=472658C0
ECX=4C9E3DF8
EDX=00000000
ESI=082A3B2C
EDI=0000000F
ESP=03139C20
EBP=0314E538
EIP=0052AF5D



OK so when I had gotten all that information, it was when my character was still injured, so I restored his health, and checked the addresses again to see what writes to them, and now nothing is showing under 4D6F3468, but 0A5B6658 is still showing the one address that accesses it

what 0A5B6658 is now showing after healing my player fully

005D956B - FF D0  - call eax
005D956D - D9 85 00600000  - fld dword ptr [ebp+00006000]
005D9573 - D9 86 18020000  - fld dword ptr [esi+00000218] <<
005D9579 - DAE9 - fucompp
005D957B - DFE0 - fnstsw ax

EAX=004570E0
EBX=0005BE00
ECX=5A2336D0
EDX=007C4104
ESI=0A5B6440
EDI=4C9E3DF8
ESP=0314EF08
EBP=4D6ED468
EIP=005D9579

10
found this guys videos https://www.youtube.com/watch?v=XgV76LapvGs

gunna start there

11
snake123adfs...did you have to evacuate?

No I didn't, but why must you snoop around and find out personal info about me? I have just come here to learn how to code, and can my thread I posted be approved? I'm going to be updating it daily on my progress.

12
The engine is only so limited. I have never heard of this bug or experienced it, probably because I rarely play anymore, but I'd imagine it would have something to do with the camera messing up the texture generation on your character since you're too high in the air. I'd imagine the math they use to render enemy players is pretty low and that's why all the maps are really flat. Also, the server may consider you outside of the world and therefore not attempt to send your data to the enemy, since the engine expects you to fall to your death or die soon since you are out of bounds.

seb could you PM me, I really would like to learn how to create cheats for warband, I have no coding experience.

13
Hello everyone!! I currently am very bored out of my mind, and have no short term goals, so I have decided I will try to make an Autokick hack for warband. I have very limited programming experience, like noob level from years ago when I tried to start coding and failed.

I know it has been said that I can learn from the downloads section but I have no idea what to download from there. Anyone can link me to a thread for a legit beginner?

Edit: am taking notes from this thread http://tkc-community.net/forum/index.php/topic,16834.0.html and trying to understand it, is very hard.

double edit: just read this from another thread "get the vector rotation of the player ( you ) then check if the enemy is in a certain zone + distance from you if they are then send a kick command"

so that means when I create the program I will need some if functions that will run when I press the kick button E correct?
