Author Topic: Mount & Blade Engine Reversal - Player Structures - Wall hack,AutoBlock - Tut  (Read 30699 times)


Worm (Online Villain, Posts: 169)
Anyway, I am here to help new reversers who do not know where to start.

Player structures are crucial because eventually they will help you create anything from an aimbot to ESP etc.
The structure usually contains the following:

* Name
* X
* Y
* Z
* Camera X,Y,Z
* Health etc.

Own player data (can be found via Cheat Engine):
Code: [Select]
mb_warband.exe+2B12F3C    -> X
mb_warband.exe+2B12F3C+4  -> Y
mb_warband.exe+2B12F3C+8  -> Z

How I found the player structures and confirmed them:

1) I found my own player data and saved that info. ^^ (X, Y, Z, Health)
2) I ran another copy of Mount & Blade: Warband via Sandboxie and therefore had 2 instances of the game running (different keys).
3) Joined the same server.
4) Tested things related to the health mechanism in the game.
5) Found what accesses and writes to that address (of health).

Code: [Select]
fst dword ptr [esi+00006000]   ; static address: mb_warband.exe+D25F4
ESI         -> base of the struct
ESI+0x6000  -> Health


6) Umm, interesting.
I put a breakpoint on that instruction and saw that ESI was always changing.
Later on I understood the importance of this.
Logically speaking, a few things are sure to happen whenever you are connecting to the game:
* Set X, Y, Z of other players on the map
* Set health of each player & NPC (horse etc.)

The second one was more fitting for me, so I utilized it.


What really happens?
The instruction sets the health of each player & horse etc. on the map.
This health is 0x6000 away from the start of the base, which is ESI, therefore leading me to believe that it is actually the player structure (the ESI that changes).
I checked it via ReClass & Cheat Engine and created a class:
Code: [Select]
// ReClass layout, 0x7048 bytes; the unnamed char arrays are padding up to the next known offset
class CPlayer
{
public:
    char  _0x0000[4];
    DWORD Active;          // 0x0004
    char  _0x0008[8];
    float rotationX;       // 0x0010  -> not sure, because I never used it
    float rotationY;       // 0x0014  -> same
    char  _0x0018[8];
    float rotationZ;       // 0x0020  -> same
    char  _0x0024[28];
    float positionX;       // 0x0040
    float positionY;       // 0x0044
    float positionZ;       // 0x0048
    char  _0x004C[104];
    float positionX2;      // 0x00B4
    float positionY2;      // 0x00B8
    float positionZ2;      // 0x00BC
    char  _0x00C0[24384];
    float Health;          // 0x6000
    char  _0x6004[4164];
}; // Size = 0x7048



How can we use this information to grab all structs?
2 approaches can be used:
1) Grab some ESI values (all of which are bases for the player structs) and find the original table.
2) We can simply hook that function and retrieve ESI each time it is called.

Instead of
Code: [Select]
fst dword ptr [esi+00006000]

We will jump to our own code cave which will store ESI values into our new array
Code: [Select]
jmp ourFunc   ; 5 bytes; the fst (6 bytes) + the following fld dword ptr [esp+10h] (4 bytes) = 10 bytes are overwritten
nop           ; so 5 nops pad the rest
nop
nop
nop
nop

ourFunc will be:

Code: [Select]
CPlayer* cPlayerBase[250];   // struct bases collected so far (the [250] array mentioned below)
int      tempCount = 0;
DWORD    returnAddy;         // address of the first instruction after the 10 patched bytes

bool Contains(CPlayer** arr, CPlayer* p) {
    for (int i = 0; i < tempCount; i++)
        if (arr[i] == p) return true;
    return false;
}

// Called from the stub with the ESI the game used for its health store.
extern "C" void __stdcall RecordPlayer(CPlayer* StructHolder) {
    if (tempCount < 250 && !Contains(cPlayerBase, StructHolder)
        && StructHolder->Active == 1 && StructHolder->Health > 0) {
        cPlayerBase[tempCount++] = StructHolder;
    }
}

__declspec(naked) void ourFunc() {
    __asm {
        pushad                        // the game expects every register intact when we return
        pushfd
        push esi                      // ESI -> player struct base
        call RecordPlayer             // __stdcall: the callee removes the argument
        popfd
        popad
        fst dword ptr [esi+0x6000]    // re-execute the two instructions the jmp overwrote
        fld dword ptr [esp+0x10]
        push returnAddy               // continue with the original code
        retn
    }
}

This function simply stores ESI values, which correspond to the player structs, in a new array of [250].
It will add a new struct base only if the array does not already contain it
(to stop duplication).


Now what is left is to hook EndScene (Directx9) and display the info:


Code: [Select]
// Inside the hooked EndScene: walk the collected bases and print each position
for (int i = 0; i < tempCount; i++) {
    sprintf(szMyString, "Player %i , X : %f Y: %f Z : %f", i,
            cPlayerBase[i]->positionX, cPlayerBase[i]->positionY, cPlayerBase[i]->positionZ);
    g_pFont->DrawText(NULL, szMyString, -1, &rct, DT_NOCLIP, fontColor);
    rct.top += 16;   // next line down, so the entries do not draw over each other
}

Result:

WorldToScreen must be accounted for, of course.

Have fun lads.
Sharing is caring.


Btw: it works for both Native & Napo etc.


For Wall hack | Chams:

Hook DIP (I think it's 82 in the VTable):

Code: [Select]
typedef HRESULT (WINAPI *DIP_t)(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT);
DIP_t oDIP = NULL; // original DrawIndexedPrimitive, saved when the vtable slot is replaced with hkDIP

HRESULT WINAPI hkDIP(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimCount)
{
    LPDIRECT3DVERTEXBUFFER9 vb = NULL; UINT offset = 0, Stride = 0;
    if (SUCCEEDED(pDevice->GetStreamSource(0, &vb, &offset, &Stride)) && vb) vb->Release();
    DWORD zEnable = D3DZB_TRUE;
    pDevice->GetRenderState(D3DRS_ZENABLE, &zEnable);         // remember what the game had set
    if (Stride == 68 || Stride == 40)                          // the model strides the post identifies
        pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);   // no depth test: drawn through walls
    HRESULT hr = oDIP(pDevice, Type, BaseVertexIndex, MinIndex, NumVertices, StartIndex, PrimCount);
    pDevice->SetRenderState(D3DRS_ZENABLE, zEnable);           // restore it for everything else
    return hr;
}
Enjoy.


Auto block signatures & masks:

Code: [Select]
Signatures:

Signature 1
Mask:  xx????x????xxxxx????xx????xxxxxxxx
Bytes: 0F 85 00 00 00 00 E8 00 00 00 00 83 F8 FF 0F 84 00 00 00 00 8B 15 00 00 00 00 8B 52 20 8B C8 83 E0 0F

Signature 2
Mask:  x?x????xxx????xxxxxxxx
Bytes: 74 00 68 00 00 00 00 8B CE E8 00 00 00 00 09 86 14 62 00 00 6A 04 00

Signature 3
Mask:  xx????xx????xxxxxxxx?xxx?
Bytes: D9 05 00 00 00 00 D9 05 00 00 00 00 D8 D1 DF E0 F6 C4 05 7A 00 DD D8 EB 00

Signature 4
Mask:  xx????x????xxxxx????xx????xxxxxxxx
Bytes: 0F 85 00 00 00 00 E8 00 00 00 00 83 F8 FF 0F 84 00 00 00 00 8B 15 00 00 00 00 8B 52 20 8B C8 83 E0 0F

Signature 5
Mask:  xx????xxxxxx????xxxxxxxxxxxx????xxxxxxxxx
Bytes: 0F 84 00 00 00 00 83 7E 30 01 0F 85 00 00 00 00 8D 4C 24 18 51 8D 54 24 2C 52 53 E8 00 00 00 00 8B 44 24 34 83 C4 0C 85 C0 00 00 00 0F 85 91



   
« Last Edit: October 16, 2014, 06:21:11 pm by Worm »
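The masks in the post above follow the usual convention: 'x' means the byte must match, '?' is a wildcard for an operand (a rel32 call/jmp target or an absolute address) that differs between builds. The scanner below is an added example, not code from the post: it parses a signature written either way the post writes them (bare hex or 0x.., comma separated), refuses a mask whose length differs from the byte count (a transcription slip that otherwise makes a scan silently fail or match garbage), and searches a buffer. The byte buffer in main() is constructed for the example; against the real game you would hand FindPattern the module's code section instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// A signature as written on this page: bytes plus a mask where 'x' means the byte
// must match and '?' means wildcard (operands such as rel32 targets that move between builds).
struct Pattern {
    std::vector<uint8_t> bytes;
    std::string mask;
};

// Parses "0F 85 00 ..." or "0x0F,0x85,..." into bytes. Returns false on malformed input.
bool ParseHexBytes(const std::string& text, std::vector<uint8_t>& out) {
    out.clear();
    std::string cleaned;
    for (char c : text) cleaned += (c == ',' ? ' ' : c);
    std::istringstream in(cleaned);
    std::string tok;
    while (in >> tok) {
        if (tok.size() > 2 && tok[0] == '0' && (tok[1] == 'x' || tok[1] == 'X')) tok = tok.substr(2);
        if (tok.size() != 2) return false;
        char* end = nullptr;
        unsigned long v = std::strtoul(tok.c_str(), &end, 16);
        if (end == nullptr || *end != '\0') return false;
        out.push_back(static_cast<uint8_t>(v));
    }
    return !out.empty();
}

// Builds a pattern; rejects a mask with characters other than x/? or whose length
// differs from the byte count, the usual slip in hand-copied signatures.
bool MakePattern(const std::string& hex, const std::string& mask, Pattern& p) {
    if (!ParseHexBytes(hex, p.bytes)) return false;
    for (char c : mask)
        if (c != 'x' && c != '?') return false;
    p.mask = mask;
    return p.mask.size() == p.bytes.size();
}

// Returns the offset of the first match in [data, data+size), or -1 if there is none.
std::ptrdiff_t FindPattern(const uint8_t* data, size_t size, const Pattern& p) {
    const size_t n = p.bytes.size();
    if (n == 0 || size < n) return -1;
    for (size_t i = 0; i + n <= size; ++i) {
        size_t j = 0;
        while (j < n && (p.mask[j] == '?' || data[i + j] == p.bytes[j])) ++j;
        if (j == n) return static_cast<std::ptrdiff_t>(i);
    }
    return -1;
}

int main() {
    // Constructed "code": a prologue, then the third signature from the post with
    // made-up operands in the wildcard slots, then a ret.
    const uint8_t code[] = {0x55, 0x8B, 0xEC,
        0xD9, 0x05, 0x10, 0x32, 0x54, 0x76, 0xD9, 0x05, 0x20, 0x43, 0x65, 0x87,
        0xD8, 0xD1, 0xDF, 0xE0, 0xF6, 0xC4, 0x05, 0x7A, 0x12, 0xDD, 0xD8, 0xEB, 0x34, 0xC3};
    Pattern p;
    if (!MakePattern("D9 05 00 00 00 00 D9 05 00 00 00 00 D8 D1 DF E0 F6 C4 05 7A 00 DD D8 EB 00",
                     "xx????xx????xxxxxxxx?xxx?", p))
        return 1;
    std::printf("match at offset %ld\n", static_cast<long>(FindPattern(code, sizeof code, p)));
    return 0;
}
```

The length check matters more than it looks: a mask one character too short compares fewer bytes than intended, so the scan can match an unrelated site and the autoblock patch lands in the wrong function.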

ZOldDude (Administrator, MasstKer, Old School TKC, Posts: 20874)

Quote
I am here to help the new reversers that do not know where to start.

Thank you.

*While we crash and burn, small, low tech, agrarian societies such as the Hmong in the mountains of Laos will continue on without so much as blinking an eye.*

Worm (Online Villain, Posts: 169)
Wall hack works as expected.


Boris (Moderator, Online Villain, The Original Boris, Posts: 143)
Any word on that cheat table?

Worm (Online Villain, Posts: 169)
Any word on that cheat table?

Player table?
Just search for the player base struct addresses in cheat engine.

Boris (Moderator, Online Villain, The Original Boris, Posts: 143)
Any word on that cheat table?

Player table?
Just search for the player base struct addresses in cheat engine.


Sorry, but I am fucking awful at finding addresses in Cheat Engine :( could you put it in dumb words pl0x

Worm (Online Villain, Posts: 169)
^ I don't feel like spoon feeding people.
Anyways my project is currently on hold because of IRL reasons.

MrMedic (MasstKer, programmer/dev/software engineer, Posts: 8900)
^ I don't feel like spoon feeding people.
Anyways my project is currently on hold because of IRL reasons.


Btw, nice wallhack. Love the rocks showing through walls (are the rocks dangerous, or is your wallhack failing?).

Btw, are you stuck on your 'aimbot'? I see you mention world to screen; are you having problems finding it?
« Last Edit: October 12, 2014, 11:11:30 pm by MrMedic »
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

https://www.youtube.com/watch?v=62_7-AYfdkQ
you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

MrMedic (MasstKer, programmer/dev/software engineer, Posts: 8900)
Any word on that cheat table?

Player table?
Just search for the player base struct addresses in cheat engine.


Sorry but I am fucking awful at cheat engine address findings :( could you put it in dumb words pl0x

Yes, it is blatantly obvious, as you don't even know how to zoom in Warband even without a cheat, but in this case I will help, as you're obviously trying to learn something, which is good.

For player data, let's do local to simplify it.

Many games have in fact got a table that resides in memory, more commonly known as either local, base, or localplayer.

OK, how to find it. A simple method would be this:

(any game) start a single player game or multiplayer game (if you wish multiplayer values)

climb a ladder

attach a debugger, or Cheat Engine in this case

search unknown (or 60 in the case of Warband, as the initial health is set to 60f)

jump down so as to injure yourself but not kill you

search decreased

repeat, i.e. climb the ladder, jump down, search decreased. OK

when you finally find the value and you're sure it's your health, find out what accesses it

jump to that location (of the offset that is actually changing it; usually a float store [fstp], sometimes a double; mostly int or dword though, Warband is uncommon in most aspects actually)

now we have this address that is changing health

Code: [Select]
fstp [ebx+6000]   ; (local)

OK, now you see the ebx (ignore the +6000 as it's irrelevant at this point).

The ebx is what is known as the base, or local, or local player pointer; this ebx is pointing to the start of you, i.e. your player.

Now from this base, local etc. we can do, for instance:

base, add 6000, will point to your little guy's health.

i.e. the game does this:

base (ebx) adds 6000 and can read your little guy's health bar (some games: has he eaten and is he big and strong, or is the monster fully armoured, whatever the case may be, it's stored at base + 6000).

Now if we do this

Code: [Select]
mov dword ptr LOCALPLAYER, ebx

in a hook, we can always get, with 100% accuracy, the local player, every time; take that to the bank.

So to change the monster's health we would do

Code: [Select]
if (LOCALPLAYER) // sanity check
    *(float*)(LOCALPLAYER + 0x6000 /* health */) = 60.f; // make health 60 (full)

If you still don't understand then I'm afraid I can't help you out anymore; you'll have to go read a book and maybe do some courses to get a better basic understanding of the language.

If you can't get it to work after reading this, go buy some pork pies, sit there and get fatter until he releases it, which may be a very long time judging by how Worm bangs on about helping people then makes excuses when he hits a brick wall... real life got in the way, and his failures at reversing, also his bullshit claims and general basic low-level skill set; you could be waiting for a very, very long time.

Hell may freeze over first (or maybe even Palestine).

Anyway, good luck.
« Last Edit: October 13, 2014, 02:02:31 am by MrMedic »
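The climb, jump, "search decreased" loop in the post above narrows a candidate set the way any memory scanner does. Below is an added example, not MrMedic's code and not Cheat Engine's, of that narrowing logic in C++: an "unknown initial value" scan over a constructed 64-byte region that stands in for a ReadProcessMemory snapshot, followed by "decreased value" re-scans between snapshots. The region's layout (health at 0x20, a decoy at 0x10 that also decreases once, a second 60.f at 0x30) is made up for the example; it shows why an exact search for 60 on its own is ambiguous, and why a decoy that stops changing drops out on the next pass.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// One read of the target's memory. A constructed buffer stands in for what a
// scanner would get from ReadProcessMemory (assumption for this example).
typedef std::vector<uint8_t> Snapshot;

float ReadFloat(const Snapshot& s, size_t off) {
    float v;
    std::memcpy(&v, &s[off], sizeof v);
    return v;
}

void WriteFloat(Snapshot& s, size_t off, float v) {
    std::memcpy(&s[off], &v, sizeof v);
}

// First scan, "exact value": every 4-byte aligned float equal to `value` is a candidate.
std::vector<size_t> ScanExact(const Snapshot& s, float value) {
    std::vector<size_t> c;
    for (size_t off = 0; off + sizeof(float) <= s.size(); off += 4)
        if (ReadFloat(s, off) == value) c.push_back(off);
    return c;
}

// First scan, "unknown initial value": every aligned slot is a candidate.
std::vector<size_t> ScanUnknown(const Snapshot& s) {
    std::vector<size_t> c;
    for (size_t off = 0; off + sizeof(float) <= s.size(); off += 4) c.push_back(off);
    return c;
}

// Next scan, "decreased value": keep only candidates whose float went down between the
// previous and the current snapshot. NaN never compares less, so garbage bytes that
// happen to decode as NaN drop out here instead of surviving by accident.
std::vector<size_t> ScanDecreased(const std::vector<size_t>& cand, const Snapshot& prev, const Snapshot& cur) {
    std::vector<size_t> kept;
    for (size_t off : cand) {
        if (off + sizeof(float) > prev.size() || off + sizeof(float) > cur.size()) continue;
        float a = ReadFloat(prev, off), b = ReadFloat(cur, off);
        if (std::isfinite(a) && std::isfinite(b) && b < a) kept.push_back(off);
    }
    return kept;
}

// Constructed 64-byte region: health at 0x20 (starts at 60.f), a decoy at 0x10 that
// decreases once and then stops, a second 60.f at 0x30 that never changes, an int at 0.
Snapshot MakeRegion() {
    Snapshot s(64, 0);
    WriteFloat(s, 0x10, 100.0f);
    WriteFloat(s, 0x20, 60.0f);
    WriteFloat(s, 0x30, 60.0f);
    uint32_t counter = 7;
    std::memcpy(&s[0x00], &counter, sizeof counter);
    return s;
}

int main() {
    Snapshot before = MakeRegion();
    Snapshot after = before;
    WriteFloat(after, 0x20, 45.0f);   // took fall damage
    WriteFloat(after, 0x10, 90.0f);   // the decoy ticked down too
    std::vector<size_t> c = ScanDecreased(ScanUnknown(before), before, after);
    for (size_t off : c) std::printf("candidate: +0x%02zx\n", off);
    return 0;
}
```

After the first "decreased" pass two candidates survive; a second fall that only moves the real health leaves one. An exact search for 60 at the start finds two slots, which is why the post recommends repeating the decrease step rather than trusting the first hit.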

Worm (Online Villain, Posts: 169)
^ I don't feel like spoon feeding people.
Anyways my project is currently on hold because of IRL reasons.


btw nice wallhack .. love the rocks showing through walls ( are the rocks dangerous or is your wallhack failing )

btw are you stuck on your 'aimbot' i see you mention world to screen , are you having problems finding it.

It seems like you don't know anything.
You don't need to find WorldToScreen.
You will need to get:
1) ProjMatrix & camera, and then code your own.
Seems like your retardation is kicking in.
Do you even know the definition of w2s?


I smell a butt-hurt kid.

Please stop commenting bullshit around this thread.
If you got nothing to contribute just fuck off kindly.
We don't need more bragging.
"H0ly shit guyz I created a hakz0r for l3 sh1tty g4m3"
-Thanks.


Fact is:
Some of us do have lives; I know it's hard for you to understand and I hope you will in the future.
Not all of us are sitting 24/7 on a computer bragging about shitz.
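"Get the projection matrix and camera, then code your own" is the whole of WorldToScreen, so here is an added example (not Worm's code, and not the game's own matrix layout) of what that function looks like once you have the view-projection matrix. It assumes a row-major 4x4 matrix applied as clip = M * [x y z 1]; whether Warband stores it that way or transposed is something to establish from its camera data, and getting it wrong shows up as every box landing off-screen. The camera in main() is a constructed D3D-style left-handed perspective with no view rotation, chosen so the numbers can be checked by hand; the behind-camera test is the check an ESP needs so it does not draw mirrored boxes for players behind you.

```cpp
#include <cmath>
#include <cstdio>

struct Vec3 { float x, y, z; };
struct Vec2 { float x, y; };

// 4x4 view-projection matrix, row-major, applied as clip = M * [x y z 1]^T.
// Assumption for this example: an engine that stores it column-major needs m[c][r] instead.
struct Mat4 { float m[4][4]; };

// Projects a world-space point to pixel coordinates. Returns false when the point
// is behind the camera (clip.w <= 0); an ESP must skip those rather than draw them.
bool WorldToScreen(const Vec3& p, const Mat4& vp, float screenW, float screenH, Vec2& out) {
    float clip[4];
    for (int r = 0; r < 4; ++r)
        clip[r] = vp.m[r][0] * p.x + vp.m[r][1] * p.y + vp.m[r][2] * p.z + vp.m[r][3];
    if (clip[3] < 0.001f) return false;          // behind or on the camera plane
    float ndcX = clip[0] / clip[3];              // perspective divide -> [-1, 1]
    float ndcY = clip[1] / clip[3];
    out.x = (ndcX + 1.0f) * 0.5f * screenW;      // NDC x: -1 = left edge, +1 = right edge
    out.y = (1.0f - ndcY) * 0.5f * screenH;      // NDC y: +1 = top, but pixel y grows downward
    return true;
}

// Constructed camera for demonstration: D3D-style left-handed perspective projection,
// camera at the origin looking down +Z with no rotation (so view = identity).
Mat4 MakePerspectiveLH(float fovYRadians, float aspect, float zn, float zf) {
    Mat4 P = {};
    float yScale = 1.0f / std::tan(fovYRadians * 0.5f);
    P.m[0][0] = yScale / aspect;
    P.m[1][1] = yScale;
    P.m[2][2] = zf / (zf - zn);
    P.m[2][3] = -zn * zf / (zf - zn);
    P.m[3][2] = 1.0f;                            // clip.w = view-space z
    return P;
}

int main() {
    Mat4 vp = MakePerspectiveLH(3.14159265f / 2.0f, 800.0f / 600.0f, 0.1f, 1000.0f);
    Vec3 targets[] = { {5.0f, 0.0f, 10.0f}, {0.0f, 0.0f, -10.0f} };   // one ahead-right, one behind
    for (const Vec3& t : targets) {
        Vec2 px;
        if (WorldToScreen(t, vp, 800.0f, 600.0f, px))
            std::printf("draw at (%.1f, %.1f)\n", px.x, px.y);
        else
            std::printf("behind camera, skip\n");
    }
    return 0;
}
```

With a 90 degree vertical FOV and square aspect, a point 10 units ahead and 5 to the right projects to NDC x = 0.5, i.e. three quarters of the way across the screen, which is the kind of hand-checkable case to use when verifying that the matrix you pulled from the game is in the orientation you think it is.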

FriendsKnow (Guest)
It's actually a tutorial on hacking theory (not bad), but I don't think new 'reversers' will know what to do with that code. You should give out a template with commented sections.

Plus, basic/intermediate knowledge of memory hacking, C++ and asm is required to understand it.

You didn't mention it.
« Last Edit: October 13, 2014, 11:05:32 am by FriendsKnow »

MrMedic (MasstKer, programmer/dev/software engineer, Posts: 8900)
I can release the hack right now if that's what you mean. << he won't, because he is full of shit
I am still perfecting the source code. << removing copy paste
I don't want my shit to look like Mr medic's coding habits. << like the screenshot below?

release it now

Worm's attempt..

myne..

you like?

Worm (Online Villain, Posts: 169)
I can release the hack right now if that's what you mean. << he won't, because he is full of shit
I am still perfecting the source code. << removing copy paste
I don't want my shit to look like Mr medic's coding habits. << like the screenshot below?

release it now

Worm's attempt..

myne..

you like?

Top kek.
You are trying too hard, mate.

MrMedic (MasstKer, programmer/dev/software engineer, Posts: 8900)
Here's myne

you like?
« Last Edit: October 14, 2014, 11:12:41 pm by MrMedic »

Worm (Online Villain, Posts: 169)
As I have said already, I did patch your shit.
Just because of your butt-hurt friend I have decided to release a video:

https://www.youtube.com/watch?v=oqA3GFJ7Ow4&feature=youtu.be

I am creating a tutorial on patching your shit, mainly because you allowed me to.
I can release the Autoblock patch right now, but it's too shitty compared to those in this section, so it's not worth it.
You will also beg the admin to remove it right away.
Top kek.
Any day.