Author Topic: Mount & Blade Engine Reversal - Player Structures - Wall hack,AutoBlock - Tut  (Read 32808 times)


Worm

  • Online Villain
  • ***
  • Posts: 169
Updated tutorial with some patterns & masks for autoblock.

HrothgarVon

  • Intentional Cheater
  • **
  • Posts: 48
Great Tutorial :3

bettywarband

  • Online Villain
  • ***
  • Posts: 157
Anyways, I am here to help the new reversers who do not know where to start.

Player structures are crucial because eventually they will help you to create anything from an aimbot to ESP etc.
They usually have the following structure:

* Name
* X
* Y
* Z
* Camera X,Y,Z
* Health etc.

Own player data (can be found via Cheat Engine):
Code: [Select]
mb_warband.exe+2B12F3C     -> X
mb_warband.exe+2B12F3C+4   -> Y
mb_warband.exe+2B12F3C+4+4 -> Z

How I found the player structures and confirmed them:

1) I found my own player data and saved that info. ^^ (X, Y, Z, Health)
2) I ran another copy of Mount & Blade Warband via Sandboxie and therefore had 2 instances of the game running (different keys).
3) Joined the same server.
4) Tested stuff that is related to the health mechanism in the game.
5) Found what accesses and writes to that address (of health).

Code: [Select]
fst dword ptr [esi+00006000]   (Static Addr : mb_warband.exe+D25F4)
ESI -> Base
Base + 0x6000 -> Health.


6) Umm, interesting.
I put a breakpoint on that instruction and I saw ESI was always changing.
Later on I understood the importance of this.
Logically speaking, a few things are sure to happen whenever you connect to the game:
* Set X, Y, Z of other players on the map
* Set health of each player & NPC (horse etc.)

The second one was more fitting for me, so I utilized it.


What really happens?
The instruction sets the health of each player & horse etc. on the map.
This health is 0x6000 away from the start of the base, which is ESI, therefore leading me to believe that it is actually the player structure (the ESI that changes).
I checked it via ReClass & Cheat Engine and created a class:
Code: [Select]
#include <windows.h> // for DWORD

class CPlayer;
class CPlayer
{
public:
    char _0x0000[4];
    DWORD Active;      //0x0004
    char _0x0008[8];
    float rotationX;   //0x0010  -> Not sure because I never used it
    float rotationY;   //0x0014  -> Same
    char _0x0018[8];
    float rotationZ;   //0x0020  -> Same
    char _0x0024[28];
    float positionX;   //0x0040
    float positionY;   //0x0044
    float positionZ;   //0x0048
    char _0x004C[104];
    float positionX2;  //0x00B4
    float positionY2;  //0x00B8
    float positionZ2;  //0x00BC
    char _0x00C0[24384];
    float Health;      //0x6000
    char _0x6004[4164];

};//Size=0x7048



How can we use this information to grab all structs?
2 approaches can be used:
1) Grab some ESI values (all of which are bases for the player structs) and find the original table.
2) We can simply hook that function and retrieve ESI each time it is called.

Instead of
Code: [Select]
fst dword ptr [esi+00006000]

We will jump to our own code cave which will store ESI values into our new array
Code: [Select]
jmp ourFunc
nop
nop
nop
nop
nop

ourFunc will be:

Code: [Select]
#include <windows.h>

CPlayer * StructHolder;
CPlayer * cPlayerBase[250];   // the new array of struct bases (250 entries)
int tempCount = 0;            // how many bases are stored so far
DWORD returnAddy;             // address of the instruction right after the patched bytes

// true if base is already in the array (stops duplication)
bool Contains(CPlayer ** arr, CPlayer * base){
    for(int i = 0; i < tempCount; i++)
        if(arr[i] == base) return true;
    return false;
}

__declspec (naked) void ourFunc(){
    __asm{
        fst dword ptr [esi+24576] // Restore original bytes (24576 == 0x6000)
        fld dword ptr [esp+16]    //Same
    }
    __asm{
        mov StructHolder,esi
    }
    // note: the C++ below runs inside a naked function and clobbers eax/ecx/edx
    // and the flags without saving them; the original code must not depend on them here
    if(!Contains(cPlayerBase,StructHolder) && StructHolder->Active == 1  && StructHolder->Health > 0){
        cPlayerBase[tempCount] = (CPlayer*)StructHolder;
        tempCount++;
    }
    __asm{
        push  returnAddy
        retn
    }
}

This function simply stores the ESI values, which correspond to the player struct, in a new array of [250].
It will add a new struct base only if the array does not already contain it.
(To stop duplication)


Now what is left is to hook EndScene (DirectX 9) and display the info:


Code: [Select]
// rotate through the array:
sprintf(szMyString, "Player %i , X : %f Y: %f Z : %f", i, PlayerBase[i]->positionX, PlayerBase[i]->positionY, PlayerBase[i]->positionZ);
g_pFont->DrawText(NULL, szMyString, -1, &rct, DT_NOCLIP, fontColor);

Result:

WorldToScreen must be accounted for, of course.

Have fun lads.
Sharing is caring.
 :icon_cool2


Btw: it works for both Native & Napo etc.


For Wall hack | Chams:

Hook Dip (I think 82 in VTable)

Code: [Select]
__declspec(naked) void DIP(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type, int BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimCount)
{}
    Stride == 68 || Stride == 40
    pDevice->SetRenderState( D3DRS_ZENABLE, D3DZB_FALSE );

Enjoy.


Auto block signatures & masks:

Code: [Select]
Signature 1
Mask:
xx????x????xxxxx????xx????xxxxxxxx
Bytes:
0x0F,0x85,0x00,0x00,0x00,0x00,0xE8,0x00,0x00,0x00,0x00,0x83,0xF8,0xFF,0x0F,0x84,0x00,0x00,0x00,0x00,0x8B,0x15,0x00,0x00,0x00,0x00,0x8B,0x52,0x20,0x8B,0xC8,0x83,0xE0,0x0F

Signature 2
Mask:
x?x????xxx????xxxxxxxx
Bytes:
74 00 68 00 00 00 00 8B CE E8 00 00 00 00 09 86 14 62 00 00 6A 04 00

Signature 3
Mask:
xx????xx????xxxxxxxx?xxx?
Bytes:
D9 05 00 00 00 00 D9 05 00 00 00 00 D8 D1 DF E0 F6 C4 05 7A 00 DD D8 EB 00

Signature 4
Mask:
xx????x????xxxxx????xx????xxxxxxxx
Bytes:
0F 85 00 00 00 00 E8 00 00 00 00 83 F8 FF 0F 84 00 00 00 00 8B 15 00 00 00 00 8B 52 20 8B C8 83 E0 0F

Signature 5
Mask:
xx????xxxxxx????xxxxxxxxxxxx????xxxxxxxxx
Bytes:
0F 84 00 00 00 00 83 7E 30 01 0F 85 00 00 00 00 8D 4C 24 18 51 8D 54 24 2C 52 53 E8 00 00 00 00 8B 44 24 34 83 C4 0C 85 C0 00 00 00 0F 85 91



   

Okay, I usually deal with the developing and modding of the actual M&B scripting system, not external engines.

However, before I even look into this, you do realise that most of this stuff is set server side, right?

So even if you, for example, adjust your character to have 100 per cent accuracy, it will still translate on the server to 70 per cent accuracy or whatever the stats of that specific gun are, right?
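The mask/byte pairs in the quoted tutorial are the same kind of signature that anti-cheat, AV and memory-forensics scanners match: an `x` position must equal the listed byte and a `?` position (a relocatable rel32 or imm32 operand) is a wildcard. The scanner below is an added example, not code from this thread or from Mount & Blade, showing the matching loop and the one check a practitioner wants before trusting a posted signature: the mask must be exactly as long as the byte list. The second signature in the post lists 23 bytes under a 22-character mask, so it is rejected rather than silently truncated. The haystack buffer is constructed for the demo, not a dump of game memory; the function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Search hay[0..hay_len) for pat. mask[i] == 'x' means byte i must match,
 * '?' means byte i is a wildcard. Returns the offset of the first hit, or
 * -1 if there is none or the signature is malformed (mask length differs
 * from the byte count, or the mask contains a character other than x/?). */
long find_pattern(const uint8_t *hay, size_t hay_len,
                  const uint8_t *pat, size_t pat_len, const char *mask)
{
    if (pat_len == 0 || strlen(mask) != pat_len)
        return -1;                          /* mask/byte count mismatch */
    for (size_t i = 0; i < pat_len; i++)
        if (mask[i] != 'x' && mask[i] != '?')
            return -1;                      /* unknown mask character */
    if (hay_len < pat_len)
        return -1;
    for (size_t off = 0; off + pat_len <= hay_len; off++) {
        size_t i = 0;
        while (i < pat_len && (mask[i] == '?' || hay[off + i] == pat[i]))
            i++;
        if (i == pat_len)
            return (long)off;
    }
    return -1;
}

/* First signature from the post, decoded for reference: jnz rel32; call rel32;
 * cmp eax,-1; jz rel32; mov edx,[imm32]; mov edx,[edx+0x20]; mov ecx,eax;
 * and eax,0x0F. The '?' positions are the rel32/imm32 operands. */
static const uint8_t SIG1[] = {
    0x0F,0x85,0x00,0x00,0x00,0x00,0xE8,0x00,0x00,0x00,0x00,0x83,0xF8,0xFF,
    0x0F,0x84,0x00,0x00,0x00,0x00,0x8B,0x15,0x00,0x00,0x00,0x00,0x8B,0x52,
    0x20,0x8B,0xC8,0x83,0xE0,0x0F };
static const char MASK1[] = "xx????x????xxxxx????xx????xxxxxxxx";

/* Constructed haystack (not a real game dump): 6 bytes of filler, then SIG1
 * with arbitrary non-zero bytes in the wildcard slots, then 2 bytes more. */
static const uint8_t SAMPLE[] = {
    0x90,0x90,0xCC,0x55,0x8B,0xEC,
    0x0F,0x85,0x12,0x34,0x56,0x78,0xE8,0xAA,0xBB,0xCC,0xDD,0x83,0xF8,0xFF,
    0x0F,0x84,0x01,0x02,0x03,0x04,0x8B,0x15,0x10,0x20,0x30,0x40,0x8B,0x52,
    0x20,0x8B,0xC8,0x83,0xE0,0x0F,
    0xC3,0x90 };

/* Offset of SIG1 inside SAMPLE (6). */
long sample_hit(void)
{
    return find_pattern(SAMPLE, sizeof(SAMPLE), SIG1, sizeof(SIG1), MASK1);
}

/* The post's second signature: 23 bytes under a 22-character mask. A scanner
 * must refuse it instead of dropping or reading past the last byte. Returns -1. */
long malformed_rejected(void)
{
    static const uint8_t sig2[] = {
        0x74,0x00,0x68,0x00,0x00,0x00,0x00,0x8B,0xCE,0xE8,0x00,0x00,0x00,0x00,
        0x09,0x86,0x14,0x62,0x00,0x00,0x6A,0x04,0x00 };
    return find_pattern(SAMPLE, sizeof(SAMPLE), sig2, sizeof(sig2),
                        "x?x????xxx????xxxxxxxx");
}

int main(void)
{
    printf("SIG1 found at offset %ld\n", sample_hit());
    printf("malformed signature result: %ld\n", malformed_rejected());
    return 0;
}
```

The length check matters more than it looks: a mask one character short makes a naive scanner compare the last byte with whatever follows the mask string in memory, and a mask that is too long reads past the byte array. Validating both before scanning keeps a bad signature from turning into a silent false negative or an out-of-bounds read.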

Worm

  • Online Villain
  • ***
  • Posts: 169
No shit.


bettywarband

  • Online Villain
  • ***
  • Posts: 157
No shit.



Don't "no shit" me.
I don't know you and haven't spoken to you before, so there is no need for the aggressive reply.
I was simply asking an open question.

Is this intended as a single player or a multiplayer effect?

As I'm not sure how it would have any effect on a non self-hosted multiplayer game.

mReURO

  • The Central Committee
  • Heckler Apprentice
  • *
  • Posts: 1364
Btw, did Worm release the aimbot yet?

bettywarband

  • Online Villain
  • ***
  • Posts: 157
is this intended as a single player or a multiplayer effect

It's useless what he posted, as he can't reverse world to screen, so that renders the code totally useless, and most of his code is ripped from another cheat with no credits (typical). So in other words it's another Worm fail; it's actually just a post where he is trying to impress me and it hasn't worked. :smile

Yeah, I mean almost everything I put on here is or can be done on servers; I've many witnesses who have seen me spawn grenades on servers which aren't mine.

I just do not want to put open code on here for certain somebodies like Dragon to use, as once it is out as a free for all it will be patched up completely by the developers.

bettywarband

  • Online Villain
  • ***
  • Posts: 157
MrMedic is our hero, and the reason why all of us are here.
By the way, I've got an awesome Michael Brown (Ferguson) shooting Napoleonic Wars movie like my Titanic one, coming out tonight about 7pm/8pm Europe time.
You'll like it.

After volunteering at the Humane Society, Michael Brown was helping an elderly white woman cross the street, when all of a sudden a cop jumped out of nowhere & shot him in the face

:(

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
MrMedic is our hero, and the reason why all of us are here.
By the way, I've got an awesome Michael Brown (Ferguson) shooting Napoleonic Wars movie like my Titanic one, coming out tonight about 7pm/8pm Europe time.
You'll like it.

After volunteering at the Humane Society, Michael Brown was helping an elderly white woman cross the street, when all of a sudden a cop jumped out of nowhere & shot him in the face

:(

I turned a cop into a lamppost a few times on Arma,

and an exploding sheep, and a cow, once even an exploding chicken :smile and yes, he did explode.

xrow33

  • Intentional Cheater
  • **
  • Posts: 25
Thanks for this, I will try :icon_biggrin2

WilliamFromGlory

  • Poptart
  • *
  • Posts: 3
Interesting :P

dunnohow

  • Intentional Cheater
  • **
  • Posts: 44
Where can I get Worm's aimbot?

SethZutar

  • Poptart
  • *
  • Posts: 4
thanks :icon_laugh

amymor

  • Cheater Apprentice
  • *
  • Posts: 10
  • I Am Ninja In Game
can u upload this cheat!

 :icon_cry2
How can I download this cheat (aimbot+zoomhack+autoblock)?

I have mb v1.67 (steam) + mb v1.58 (non-steam)
 plssssssssssssssssssss help me

i need cooooooooooooooooooooooooooooool cheat


 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2 :icon_cry2

lsutigers527

  • Poptart
  • *
  • Posts: 5
This is actually quite interesting... great work m8s