

Topics - Seb

1
Mount and Blade / Bannerlord Hack
« on: January 15, 2020, 09:53:05 am »
Well, they gave me beta access lol
[YouTube video: lyhoAk17mAo]

2
Hey guys, after spending a couple of weeks reversing the game on and off, making my own aimbot and a few fun features, I've decided to share some information so you guys can create your own cheats/hacks.

Part 1: The Game
We know a few things about the game by jumping right into it:
  • The game is x86
  • The game is quite old, meaning it will use a lot of old methods
  • The game uses DirectX as a renderer
  • The game is multiplayer
  • You're allowed to host your own servers, meaning there is some sort of packet connection here

By knowing these, you can start on a few things, which should be easy to find.
First of all, knowing the game runs in an x86 environment makes it a lot easier to dissect and look into in a disassembler like IDA.
By throwing the game into IDA and letting it generate, we can tell after a quick browse that the game has left a lot of named functions in and it also uses some sort of scripting language.
By running Class Informer and taking a quick look into the results, we can see a lot of classes which you may recognize in the game. Most notable of these classes is probably the 'Agent' class, which is inherited from the 'rglSimple_game_object' class.
From this information, we can assume that all game-specific functionality classes carry the 'rgl' prefix. We can also assume that since Agent is derived from the simple game object, it will contain all of that game object's information within its own pointer.

We'll return to more engine things later, but we can move on for now to look into more interesting things...

Part 2: The Agent
The 'Agent' in this game may also be called an Entity or an Object. It is your player and every other player in the game.
The Agent has many jobs, here we can list a few:
  • Store player health
  • Store player position
  • Store current aim direction

Let's first take a look at this class that we found inside of Class Informer. If we trace it and then xref what it brings us to, we can find the constructor for the agent class, Agent::Agent() (which you can see here: https://prnt.sc/klfj45).
Looking through this class we can see a few static variables which you can explore yourself inside of reclass or any other memory viewer.
Now, knowing that this function is only called when an agent is added to the entity list, we can xref the function and go to the one which is calling it. After a brief analysis, you'll find that this is the function which actually stores and adds agents to the entity list.

If you really wanted to dig in deep, you could keep cross-referencing the functions until you got to the main tick of the game, but that isn't exactly what you want, unless you just wanted to console one of the game's threads instead of making your own. (There's no point since the game has no AC.)
What's better is the Agent::Tick function, which, as you may have guessed, runs every single tick.
This agent tick function will be run every single time before any other agent function, which means if you need to, you could override them.
That sounds really tedious though and you should really only use that for thread management or as a constant loop.
If you dissect and look into this function more, you will find a lot of function calls, and most of these will lead to other agent functions.

There are many functions which can be extremely abused if you know what you are doing. One such function is Agent::add_stun (http://prntscr.com/klg8bm), which does exactly what it's named, accessing the network data entity and doing whatever to it.
Just to help you guys start, here's a little signature: 81 EC ? ? ? ? 56 8B F1 8B 86 ? ? ? ? 8B 0C C5 ? ? ? ?
I'll add more to the tutorial if there is an actual interest to learn instead of just copy and paste.
Thanks for reading, good luck.


3
Mount and Blade / Some Classes
« on: May 19, 2018, 05:18:50 am »
Don't know if anyone still comes on here, but it's been a while, so I'll dump some stuff from my old cheat if anyone wants to learn.
Code: [Select]
#include <windows.h>   // DWORD
#include <d3dx9.h>     // D3DXVECTOR3

class Agent
{
public:
    char pad_0x0000[0x4]; //0x0000
    unsigned char Type; //0x0004
    char pad_0x0005[0x3B]; //0x0005
    D3DXVECTOR3 Position; //0x0040
    char pad_0x004C[0x768]; //0x004C
    __int32 Team; //0x07B4

}; //Size=0x0804

class GameObjectManager
{
public:
    Agent* Start; //0x0000
    Agent* End; //0x0004

    // Agents sit back to back in one array with a fixed 0x6200-byte stride.
    Agent* GetAgent(int idx)
    {
        return (Agent*)((DWORD)Start + (idx * 0x6200));
    }

    // Count = (End - Start) / stride.
    DWORD NumAgents()
    {
        DWORD dif = reinterpret_cast<DWORD>(End) - reinterpret_cast<DWORD>(Start);
        return dif / 0x6200;
    }

}; //Size=0x0008

class Game
{
public:
    char pad_0x0000[0x20]; //0x0000
    GameObjectManager* pGameManager; //0x0020
    char pad_0x0024[0xA0]; //0x0024

}; //Size=0x00C4

class cur_mission
{
public:
    Game* pGame; //0x0000
}; //Size=0x0440


All you need is the projection/view matrix and you have yourself an ESP.
Current mission is not hard to find, but here's a sig anyways: A1 ? ? ? ? 8B 48 20 8B 14 31
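Both signatures in this thread (the Agent::add_stun one in the tutorial post and the cur_mission one above) are IDA-style byte patterns with '?' wildcards. The following is an added example, not code from Seb's posts: it parses that format and scans a constructed buffer for it, which is the same wildcard match an anti-cheat or memory-forensics scanner runs over a dump to confirm a known code pattern is present. It assumes nothing about the game beyond the signature strings themselves.

```cpp
// Added example (not from the posts): parser + scanner for the IDA-style
// signature format used in this thread, e.g.
//   "81 EC ? ? ? ? 56 8B F1 8B 86 ? ? ? ? 8B 0C C5 ? ? ? ?"
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

struct SigByte {
    uint8_t value;  // byte to match when wildcard == false
    bool wildcard;  // '?' or '??' in the signature: matches any byte
};

// Parse a space-separated signature. Each token is a two-digit hex byte
// ("8B") or a wildcard ("?" / "??"). Any malformed token yields an empty
// pattern, so a typo cannot silently turn into a different match.
std::vector<SigByte> parseSignature(const std::string& sig) {
    std::vector<SigByte> out;
    std::istringstream in(sig);
    std::string tok;
    while (in >> tok) {
        if (tok == "?" || tok == "??") { out.push_back({0, true}); continue; }
        if (tok.size() != 2 || !std::isxdigit(static_cast<unsigned char>(tok[0])) ||
            !std::isxdigit(static_cast<unsigned char>(tok[1]))) return {};
        out.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), false});
    }
    return out;
}

// Offset of the first occurrence of sig in buf, or -1 when it is absent,
// when the signature is empty/malformed, or when it is longer than buf.
std::ptrdiff_t findSignature(const std::vector<uint8_t>& buf, const std::string& sig) {
    const std::vector<SigByte> pat = parseSignature(sig);
    if (pat.empty() || pat.size() > buf.size()) return -1;
    for (std::size_t i = 0; i + pat.size() <= buf.size(); ++i) {
        std::size_t j = 0;
        while (j < pat.size() && (pat[j].wildcard || buf[i + j] == pat[j].value)) ++j;
        if (j == pat.size()) return static_cast<std::ptrdiff_t>(i);
    }
    return -1;
}

// Constructed sample buffer (not real game memory): 16 bytes of NOP filler,
// then bytes that satisfy the add_stun signature, with the wildcard
// positions (immediate and displacement bytes) filled with arbitrary values.
std::vector<uint8_t> sampleBuffer() {
    std::vector<uint8_t> buf(16, 0x90);
    const uint8_t body[] = {0x81, 0xEC, 0x10, 0x01, 0x00, 0x00, 0x56, 0x8B, 0xF1,
                            0x8B, 0x86, 0x44, 0x03, 0x00, 0x00, 0x8B, 0x0C, 0xC5,
                            0x78, 0x56, 0x34, 0x12};
    buf.insert(buf.end(), body, body + sizeof body);
    return buf;
}
```

A 22-byte pattern with nine wildcards is fairly loose, so a scanner should treat a hit as a candidate to verify (e.g. against the surrounding disassembly) rather than as proof the exact function was found.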

4
Mount and Blade / Mount and Blade Reversing and Sig thread
« on: March 15, 2017, 08:33:16 am »
Spent an hour re-reversing this game and decided to dump all the structs and vtables which I thought were useful here. Will update later with sigs and other shit to functions, glhf
Code: [Select]
// Give me some credit if you use any of this shit -Seb

class Windows;
class cYesNo;
class cSelection;
class cStarting;
class cLoading;
class cInitial;
class cEscape;
class cMap;
class cInventory;
class cParty;
class cTactical;
class cCharacter;
class cQuests;
class cConversation;
class cOptions;
class cGraphics;
class cControls;
class cTerrainGen;
class cLoadSave;
class cMenu;
class cStats;
class cGameLog;
class cPresentation;
class cNotes;
class cCredits;
class cQuitAds;
class cProfile;
class cMultiplayerClient;
class cMultiplayerServer;
class cBannerSelection;
class cQuickBattle;
class cGroup;
class cFaceGen;
class Party;
class AgentOffsets;
class N0000020A;
class N0000020D;
class N00000210;
class N00000213;
class N00000216;
class N00000219;
class N0000021C;
class N0000021F;
class N00000222;
class N00000225;
class N00000228;
class N0000022B;
class N0000022E;
class N00000231;
class N00000234;
class N00000237;
class N0000023A;
class N0000023D;
class N00000240;
class N00000243;
class N00000249;
class N0000024C;
class N0000024F;
class N00000255;
class N00000258;
class N0000025B;
class N0000025E;
class N00000261;
class N00000264;
class N00000267;
class AgentGamer;
class Agent;
class Missile;
class SimpleGameObject;
class GameObject;

class Windows
{
public:
cYesNo* pYesNo; //0x0000
cSelection* pSelection; //0x0004
cStarting* pStarting; //0x0008
cLoading* pLoading; //0x000C
cInitial* pInitial; //0x0010
cEscape* pEscape; //0x0014
cMap* pMap; //0x0018
cInventory* pInventory; //0x001C
cParty* pParty; //0x0020
cQuests* pQuests; //0x0024
cTactical* pTactical; //0x0028
cCharacter* pCharacter; //0x002C
cConversation* pConversation; //0x0030
cOptions* pOptions; //0x0034
cGraphics* pGraphics; //0x0038
cControls* pControls; //0x003C
cLoadSave* pLoadSave; //0x0040
cTerrainGen* pTerrainGen; //0x0044
cMenu* pMenu; //0x0048
cStats* pStats; //0x004C
cGameLog* pGameLog; //0x0050
cNotes* pNotes; //0x0054
cPresentation* pPresentation; //0x0058
cCredits* pCredits; //0x005C
cQuitAds* pQuitsAds; //0x0060
cProfile* pProfile; //0x0064
cMultiplayerClient* pMultiplayerClient; //0x0068
cMultiplayerServer* pMultiplayerServer; //0x006C
cBannerSelection* pBannerSelection; //0x0070
cQuickBattle* pQuickBattle; //0x0074
cGroup* pGroup; //0x0078
cFaceGen* pFaceGen; //0x007C
char pad_0x0080[0x40]; //0x0080

}; //Size=0x00C0

class cYesNo
{
public:
N0000020A* Entry; //0x0000

}; //Size=0x0004

class cSelection
{
public:
N00000237* Entry; //0x0000

}; //Size=0x0004

class cStarting
{
public:
N0000023A* Entry; //0x0000

}; //Size=0x0004

class cLoading
{
public:
N0000023D* Entry; //0x0000

}; //Size=0x0004

class cInitial
{
public:
N00000240* Entry; //0x0000

}; //Size=0x0004

class cEscape
{
public:
N00000243* Entry; //0x0000

}; //Size=0x0004

class cMap
{
public:
// vtable slots in order; the comment on each slot is the name IDA gave it
virtual void Function0(); // Constructor
virtual void Function1(); // sub_588E20
virtual void Function2(); // nullsub
virtual void Function3(); // UIElements
virtual void Function4(); // nullsub
virtual void Function5(); // UITime
virtual void Function6(); // nullsub
virtual void Function7(); // sub_588CE0
virtual void Function8(); // sub_588D80
virtual void Function9(); // sub_5838D0
virtual void Function10(); // sub_589AF0

}; //Size=0x0004

class cInventory
{
public:
N00000249* Entry; //0x0000

}; //Size=0x0004

class cParty
{
public:
N0000024C* Entry; //0x0000

}; //Size=0x0004

class cTactical
{
public:
// vtable slots in order; the comment on each slot is the name IDA gave it
virtual void Function0(); // Constructor?
virtual void Function1(); // sub_5A83F0
virtual void Function2(); // nullsub
virtual void Function3(); // PlayerUI
virtual void Function4(); // nullsub
virtual void Function5(); // UIElements
virtual void Function6(); // sub_5A3E50
virtual void Function7(); // nullsub
virtual void Function8(); // nullsub
virtual void Function9(); // nullsub
virtual void Function10(); // sub_59FF60

}; //Size=0x0004

class cCharacter
{
public:
N00000255* Entry; //0x0000

}; //Size=0x0004

class cQuests
{
public:
N0000024F* Entry; //0x0000

}; //Size=0x0004

class cConversation
{
public:
N00000258* Entry; //0x0000

}; //Size=0x0004

class cOptions
{
public:
N0000025B* Entry; //0x0000

}; //Size=0x0004

class cGraphics
{
public:
N0000025E* Entry; //0x0000

}; //Size=0x0004

class cControls
{
public:
N00000261* Entry; //0x0000

}; //Size=0x0004

class cTerrainGen
{
public:
N00000267* Entry; //0x0000

}; //Size=0x0004

class cLoadSave
{
public:
N00000264* Entry; //0x0000

}; //Size=0x0004

class cMenu
{
public:
N00000234* Entry; //0x0000

}; //Size=0x0004

class cStats
{
public:
N00000231* Entry; //0x0000

}; //Size=0x0004

class cGameLog
{
public:
N0000022E* Entry; //0x0000

}; //Size=0x0004

class cPresentation
{
public:
N00000213* Entry; //0x0000

}; //Size=0x0004

class cNotes
{
public:
N0000022B* Entry; //0x0000

}; //Size=0x0004

class cCredits
{
public:
N00000216* Entry; //0x0000

}; //Size=0x0004

class cQuitAds
{
public:
N00000219* Entry; //0x0000

}; //Size=0x0004

class cProfile
{
public:
N0000021C* Entry; //0x0000

}; //Size=0x0004

class cMultiplayerClient
{
public:
N0000021F* Entry; //0x0000

}; //Size=0x0004

class cMultiplayerServer
{
public:
N00000222* Entry; //0x0000

}; //Size=0x0004

class cBannerSelection
{
public:
N00000225* Entry; //0x0000

}; //Size=0x0004

class cQuickBattle
{
public:
N00000228* Entry; //0x0000

}; //Size=0x0004

class cGroup
{
public:
N00000210* Entry; //0x0000

}; //Size=0x0004

class cFaceGen
{
public:
N0000020D* Entry; //0x0000

}; //Size=0x0004

class Party
{
public:
unsigned char N000002BB; //0x0000
unsigned char N000002FD; //0x0001
unsigned char N00000300; //0x0002
char pad_0x0003[0x1]; //0x0003
DWORD N000002BC; //0x0004
DWORD N000002BD; //0x0008
char pad_0x000C[0x8]; //0x000C
DWORD N000002C0; //0x0014
char N000002C1[0x8]; //0x0018 (8-byte node; type not recovered in the dump)
char N000002C3[0x8]; //0x0020
char N000002C5[0x8]; //0x0028
char pad_0x0030[0x10]; //0x0030

}; //Size=0x0040

class AgentOffsets
{
public:
DWORD dword_8B84BC; //0x0000
__int64 qword_8B84C0; //0x0004 (IDA qword_ names: 8-byte globals)
__int64 qword_8B84C8; //0x000C
__int64 qword_8B84D0; //0x0014
char pad_0x001C[0x24]; //0x001C

}; //Size=0x0040

class N0000020A
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000020D
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000210
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000213
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000216
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000219
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000021C
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000021F
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000222
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000225
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000228
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000022B
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000022E
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000231
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000234
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000237
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000023A
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000023D
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000240
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000243
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000249
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000024C
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000024F
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000255
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000258
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000025B
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N0000025E
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000261
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000264
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N00000267
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class AgentGamer
{
public:
void* AgentGameObject; //0x0000 (vtable slot, function pointer; type assumed)
void* nullsub2; //0x0004
void* N000002A4; //0x0008
char pad_0x000C[0x34]; //0x000C

}; //Size=0x0040

class Agent
{
public:
// vtable slots in order; the comment on each slot is the name IDA gave it
virtual void Function0(); // Constructor
virtual void Function1(); // nullsub2
virtual void Function2(); // nullsub2
virtual void Function3(); //
virtual void Function4(); //
virtual void Function5(); //
virtual void Function6(); //
virtual void Function7(); //
virtual void Function8(); //
virtual void Function9(); //

char pad_0x0000[0x8]; //0x0000
char pad_0x000C[0x34]; //0x000C

}; //Size=0x0040

class Missile
{
public:
void* Constructor; //0x0000 (vtable slot, function pointer; type assumed)
void* sub_5025F0; //0x0004
void* nullsub; //0x0008
char pad_0x000C[0x34]; //0x000C

}; //Size=0x0040

class SimpleGameObject
{
public:
void* rglSimple_game_object; //0x0000 (vtable slot, function pointer; type assumed)
void* nullsub; //0x0004
void* nullsub_1; //0x0008
char pad_0x000C[0x4C]; //0x000C

}; //Size=0x0058

class GameObject
{
public:
void* Constructor; //0x0000 (vtable slot, function pointer; type assumed)
void* nullsub; //0x0004
void* nullsub_1; //0x0008
char pad_0x000C[0x34]; //0x000C

}; //Size=0x0040


5
Mount and Blade / Server IP Finder
« on: December 22, 2016, 12:06:44 am »
Server IP Finder

http://tkc-community.net/forum/index.php?action=downloads;sa=view;down=455

Just decided to release this little tool. Just run the injector at the main menu, and also make sure the injector and DLL are in the same folder.
Closing the Console which it opens will also close the game. Have fun.


6
Mount and Blade / Menu using In-Game Renderer
« on: December 13, 2016, 09:15:48 am »
Hey guys, I've been reversing the game a lot lately and I recently stumbled upon the Widget base within IDA. From my previous reversing thread I figured out basically any popup is created using a widget and they're all named differently. By finding the base vtable I believe I can completely make my own in-game menu using this widget system. Here's an example of what it looks like. I want to know if anyone's done this before and if it's worked out?


7
Mount and Blade / Reversing M&B
« on: December 04, 2016, 05:38:08 am »
Hey guys, this is the first post I've ever made on these forums and I just started looking into Mount and Blade: Warband yesterday with no previous info on the game. I just found this site a few hours ago and did some browsing. I've decided to dump what little info I have here, and it would be great if someone could point me in the right direction next. Sorry that it's probably really messy.

Code: [Select]
// Assumed 12-byte vector type for Movement::Position (0x0000-0x000B below); not part of the original dump.
struct Vector3 { float x, y, z; };

class Interfaces;
class cLocalHud;
class N000000A9;
class cCharacter;
class cConversation;
class cOptions;
class cGraphics;
class cControls;
class cSaveLoad;
class cTerrainGeneration;
class cMenu;
class cStats;
class cGameLog;
class cNotes;
class N000000CF;
class N000000D3;
class N000000D7;
class cProfile;
class cMultiplayerClient;
class cServers;
class N000000E7;
class cBanner;
class Movement;

class Interfaces
{
public:
cLocalHud* LocalHud; //0x0000
cCharacter* Character; //0x0004
cConversation* ConversationWindow; //0x0008
cOptions* Options; //0x000C
cGraphics* Graphics; //0x0010
cControls* Controls; //0x0014
cSaveLoad* SaveLoad; //0x0018
cTerrainGeneration* TerrainGeneration; //0x001C
cMenu* Menu; //0x0020
cStats* Stats; //0x0024
cGameLog* GameLog; //0x0028
cNotes* Notes; //0x002C
char pad_0x0030[0xC]; //0x0030
cProfile* Profile; //0x003C
cMultiplayerClient* MultiplayerClient; //0x0040
cServers* Servers; //0x0044
cBanner* Banner; //0x0048

}; //Size=0x004C

class cLocalHud
{
public:
char pad_0x0000[0x13C]; //0x0000
N000000A9* HudContainer; //0x013C
char pad_0x0140[0x3C]; //0x0140
float CrosshairAlpha1; //0x017C
float CrosshairAlpha2; //0x0180
float CrosshairAlpha3; //0x0184
char pad_0x0188[0x5C]; //0x0188
__int32 Money; //0x01E4
char pad_0x01E8[0x30]; //0x01E8
float Health; //0x0218
char pad_0x021C[0xC]; //0x021C
float Ammo; //0x0228
char pad_0x022C[0x18]; //0x022C

}; //Size=0x0244

class N000000A9
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cCharacter
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cConversation
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cOptions
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cGraphics
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cControls
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cSaveLoad
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cTerrainGeneration
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cMenu
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cStats
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cGameLog
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cNotes
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N000000CF
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N000000D3
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N000000D7
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cProfile
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cMultiplayerClient
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cServers
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class N000000E7
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class cBanner
{
public:
char pad_0x0000[0x4]; //0x0000

}; //Size=0x0004

class Movement
{
public:
Vector3 Position; //0x0000
char pad_0x000C[0xC]; //0x000C
float SideVelocity; //0x0018
float ForwardVelocity; //0x001C
char pad_0x0020[0x34]; //0x0020
float TickCount; //0x0054
char pad_0x0058[0x4]; //0x0058
__int32 Button; //0x005C
char pad_0x0060[0x8A8]; //0x0060

}; //Size=0x0908

