Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - mesengr

Pages: 1 2 [3] 4
Vietcong 1 & 2 / Re: Something to work on
« on: April 15, 2008, 11:37:34 am »
UPDATE... It kinda works... when the host server is a Dedicated Server, you are able to select a weapon and spawn and play! And the admin cannot kick you no matter how many times he tries!

LMAO... even AUTO-TEAMKILL-KICK cannot get rid of you... and your ping is always low (but not "host-ping"). You probably can't get kicked for AUTO-KICK-HIGH-PING anyways.

Have not tested it in hradba206 servers yet... but it works in unprotected servers.

Only problem is you can't really play... all the players are frozen... sitting ducks either way :icon_biggrin2

Obviously, there's still more work to be done... it would be great if we could still actually play... also, if you leave and re-join, you cannot select a weapon immediately.

Vietcong 1 & 2 / Re: Something to work on
« on: April 15, 2008, 11:11:40 am »
I took a look at this. Here's what I have so far:

(1) Notice that you actually get 2 static locations for PLAYERID: one from game.dll and one from logs.dll
(2) I traced the code all the way back to when it actually takes the PLAYERID from the network-input-buffer.

(3) Hint #1: check out the pointer at address 0xe9e9cc
(4) Hint #2: the instruction that makes this happen is mov [edx],eax -- exactly 0x6194 bytes before the instruction you mentioned :)
(5) Interesting side note: 0xe9f238 seems to be a network-input-buffer... changes constantly, and lots of data gets read from there.... useful for future hacks?

(6) Anyways, now we've found the exact instruction where PLAYERID is received by the client.
(7) So we modify the code to mov[edx],107 (code cave...)
(8] Now, both game.dll & logs.dll works with the 107h value
(9) When you select "US Army" and then select "Soldier"... the HOST (i.e., the SERVER) gets a SELECT WEAPON menu.

If you play around with it, there's a few other interesting things that happen. e.g., the client "stays" in the game even after you leave and rejoin (then there's 3 players).

I think this is progress... or it might just be taking us a longer route...

MrMedic or others who have done this... are we on the right track?

Off Topic / Re: Racing Games
« on: April 13, 2008, 03:55:45 am »
Here's an old racing game I was addicted to: Midtown Madness 2

The single-player is boring. But the multiplayer is unbelievably fun. It's like playing tag over the internet, with fast cars on city streets.

Not the most realistic, but there's a lot of fun and skill involved in feinting your opponents out, making the turns fast as possible, handling the different cars, making split-second decisions, etc. Very addictive, very fun. When you play team vs team, it's all about strategy and communication.

There's hundreds of websites dedicated to this game. Tons of custom cars to download. There's a good number of players still active on GameSpy and other networks.

Free downloads are out there somewhere (torrents, edonkey, rapidshare).

General Modding & Programming / Other Games / Re: Books
« on: April 11, 2008, 12:33:09 pm »
This thread lists a lot of resources as well:

General Modding & Programming / Other Games / Books
« on: April 11, 2008, 12:26:41 pm »
Does anyone know of any books to recommend that could help out game hackers?

It could be on C programming, Windows architecture, D3D, Graphics, Reverse engineering, ASM, Networking, etc.

I really hope people contribute to this, especially the more advanced hackers.

I'll start with a couple that's helped me out so far:

Assembly Language for Intel-Based Computers
by Kip Irvine
ISBN: 0132383101
Probably the best resource to learn assembly language, for beginners and experts alike.

Hacker Disassembling Uncovered
by Kris Kaspersky
ISBN: 1931769648
This book was recommended by Subsky last year. I have only read half of it so far, and it's already proven to be a great book on reverse coding. If you're trying to make sense of disassembled game code, this book will juice up your thinking process. Subsky credits this book for enabling him to create the Hradba Bypass... that's saying a lot!

Vietcong 1 & 2 / Re: hradba
« on: April 11, 2008, 11:55:58 am »
i mod .Cbf files and im trying .Dll files but i want to learn how to make trainers 2 make some more hacks for vc

I would suggest you try to make trainers first, before trying .DLL files. If you don't understand how to make a trainer, you'll be completely lost with .DLL files. But if you're serious about it, don't give up!  :icon_thumbsup

Vietcong 1 & 2 / Re: No roil help in making *NOT begging*
« on: April 11, 2008, 12:21:57 am »
Are all the values loaded this way?
If so all weapon mods can be done in memory and i think it would make it more professional and a lot easier..

So far, I've figured out the multiplying values for recoil, zoom, aimswing, and accuracy. They each have separate multipliers, but the concept is the same: read data from cbf, multiply by a constant, and store/use the modified value.

It's much more professional and easier to use: you could toggle the hack on/off during gameplay; and you change only a few instructions (per hack) to have it affect all weapons.

Vietcong 1 & 2 / Re: No roil help in making *NOT begging*
« on: April 11, 2008, 12:16:06 am »
I dont understand how 2 find the "address 0x8d8480", also step 6, how 2 multiply and dont really know what 2 search for in T-Search

From your previous posts, I assumed you know how to use Cheat Engine or T-Search. In either program, there is a functionality that lets you view the memory of a process. You need to View Memory and jump to that address.

From that address, you want to look at four bytes of memory. Without getting into Big/Little Endian stuff... you should be able to right-click on that memory location and ADD TO LIST or something of that nature. When you add it, add it as a FLOATING-POINT VALUE.

Then, in your list, the floating point value inside that address should be displayed. This value is the multiplier. Multiply the recoil values by this multiplier, and the results are what are actually stored in the game's memory. These are the values you want to search for.

I guess I'm not too good at explaining things. When I get home, I'll post screenshots if you want.

Vietcong 1 & 2 / Re: No roil help in making *NOT begging*
« on: April 10, 2008, 10:46:08 am »
Been a while since I checked out this forum... good to see it's still active.  :icon_biggrin2

Anyways, what you're trying to do is more complicated than t-searching, because when Vietcong loads the recoil values for each weapon, it actually multiplies them with a value to change it before storing it in memory.

Big hint: the address 0x8d8480 holds the multiplying value. (How I figured that out is a much longer story, for another time.)


(1) Run vietcong.exe
(2) At the Ptero-Engine-II Setup window... do NOT launch the game yet.
(3) Open up Cheat Engine/T-Search/etc. and look inside memory location 0x8d8480
(4) Let's say the floating-point value in there is 1.567e-003 (just an example... it's actually something else...)
(5) From the cbf file, you see for M16 [fully automatic]: `w_b_shot_force_move 0.5  -4.78  1  0.09  -0.89  0.1
(6) Multiply the recoil values by the floating-point value you discovered in Step 4.
(7) Fully load the game (click OK at the setup window).
(8] Search (floating point) for the new values. You should find them.
(9) If no results, try searching by range instead of exact value. Or use T-Search's built-in calculator to do the floating-point math...

You could take it further and figure out which instruction loads these recoil values during gameplay... and force it to load ZERO for every weapon!

Let me know if this makes sense.

In the D3D Starter Kit, if I want to read from/write to the game process's memory, do I need to go through the WriteProcessMemory API? Or could I just directly reference to the memory address I'm trying to poke/peek?

Vietcong 1 & 2 / Re: Ways to Get Around Hradba #138
« on: November 11, 2007, 01:13:57 am »
Progress is slow (I'm only working on this one day per week) but I'm still moving forwards. I've found the functions, now I have to figure out what to do with them.

Is it possible to do accomplish these things without actually patching the DLL files? That is, would it still work the same if I poke the proper code into the proper addresses once they get loaded into memory? I realize I would have to re-locate and re-poke the hradba.dll code every time I join a server, but that's not a big deal.

I am still a beginner at reverse-engineering, so I am stuck at a few points. For example, I have found the function that scans the game.dll code. I have stepped through the code (in the module hradba.dll) to see the sequence of jumps if the game.dll code was not modified. Based on that, I tried forcing-jumps/nop'ng the appropriate conditional jumps. So far, this does not work -- #138 still gets detected. Is this the wrong approach to modifying the function?

Off Topic / Re: official : i am leaving tkc
« on: November 05, 2007, 05:23:19 am »
Speaking for myself, I am new at hacking altogether, and I have very little skills at it at this early stage. I am recreating a lot of old Vietcong hacks in order to learn the techniques of hacking. I think this is the only reason why anyone rehashes old hacks; after all, one of the goals of this community is to help others develop their skills.

I do appreciate the work and help you've contributed to this community. Your accomplishments are one of the inspirations that's motivating me to keep trying and learning the art of game hacking.

Vietcong 1 & 2 / Re: Crosshairs
« on: October 28, 2007, 11:54:04 am »
After a long day, I successfully created a DLL and its injector using the D3D Starter Kit. Now, a crosshair is there 100% of the time, I can toggle it on/off, and I can alt+tab out of fullscreen-mode and back in without any problems. Woohoo!   :icon_biggrin2

However, I still need to get around the Hradba #149 detection. After searching this forum, I found two different ways to do this. (1) Same steps as getting VCHook 3 undetected, or (2) Patching hradba.dll to always give a Status:OK. The latter is much more powerful, because using the same technique, I can bypass a lot of other Hradba detections (read Subsky's post and also his tips).

Just felt like posting this... maybe it will help someone else in the future.

Vietcong 1 & 2 / Re: Crosshairs
« on: October 28, 2007, 02:12:38 am »
Thank you all for taking the time to reply. I still would prefer a crosshair I could use in Fullscreen mode, because Fullscreen mode gives me better FPS than Windowed mode. I will attempt to create an undetected hook that gives me this functionality, using the resource Subsky posted (that site has a ton of information!).  :icon_cool2

Vietcong 1 & 2 / Re: Crosshairs
« on: October 27, 2007, 05:40:53 pm »
set srvvm status ... Use this to find the DMA address/value that controls the HUD so that you can toggle it on/off manually.

I figured this one out already, using the same procedure you posted about joining-as-VC-in-COOP  :icon_biggrin2. But the problem still exists, even with the HUD on: when I am using binoculars or right-click-aiming, the crosshair disappears.

Game Deception Forums is another great game hacking site where many talented game hackers share direct3D snippets of code- such as how to create a crosshair like in VCHook.

Thanks a lot for sharing this resource, I will look through it. :icon_thumbsup

On a side note: the address in memory that toggles the HUD never changes, so is it still a DMA address?

Pages: 1 2 [3] 4