Hey guys, after spending a couple weeks reversing the game on and off, making my own aimbot and a few fun features, I've decided to share some information so you guys can create your own cheats/hacks.
Part 1: The GameWe know a few things about the game by jumping right into it:
- The game is x86
- The game is quite old, meaning it will use a lot of old methods
- The game uses directx as a renderer
- The game is multiplayer
- You're allowed to host your own servers, meaning there is some sort of packet connection here
By knowing these, you can start on a few things, which should be easy to find.
First of all, by knowing the game is run in an x86 environment, this makes it a lot easier to dissect and look into in a dissembler like IDA.
By throwing the game into IDA and letting it generate, we can tell after a quick browse that the game has left a lot of named functions in and it also uses some sort of scripting language.
By running Class Informer and taking a quick look into the results, we can see a lot of classes which you may recognize in the game. Most notable of these classes is probably the 'Agent' class, which is inherited from the 'rglSimple_game_object' class.
From this information, we can assume that all game specific functionality classes have the prefix 'rgl' in it. We can also assume that since Agent is derived from the simple game object, it will contain all of that game objects information within its own pointer.
We'll return to more engine things later, but we can move on for now to look into more interesting things...
Part 2: The AgentThe 'Agent' in this game may also be called an Entity or an Object. It is your player and every other player in the game.
The Agent has many jobs, here we can list a few:
- Store player health
- Store player position
- Store current aim direction
Let's first take a look at this class that we found inside of Class Informer. If we trace it and then xref what it brings us to, we can find the constructor for the agent class, Agent::Agent() (Which you can see here:
https://prnt.sc/klfj45)
Looking through this class we can see a few static variables which you can explore yourself inside of reclass or any other memory viewer.
Now, knowing that this function is only called when an agent is added to the entity list, we can xref the function and go to the one which is calling it. After a brief analysis, you'll find that this is the function which actually stores and adds agents to the entity list.
If you really wanted to dig in deep, you could keep cross referencing the functions until you got to the main tick of the game, but that isn't exactly what you want, unless you just wanted to console one of the games threads instead of making your own. (There's no point since the game has no AC)
What's better, is the Agent::Tick function, which you may have guessed, runs every single tick.
This agent tick function will be run every single time before any other agent function, which means if you need to, you could override them.
That sounds really tedious though and you should really only use that for thread management or as a constant loop.
If you dissect and look into this function more, you will find a lot of function calls, and most of these will lead to other agent functions.
There are many functions which can be extremely abused if you know what you are doing. One such function is Agent::add_stun (
http://prntscr.com/klg8bm), which does exactly what it's named, accessing the network data entity and doing whatever to it.
Just to help you guys start, here's a little signature: 81 EC ? ? ? ? 56 8B F1 8B 86 ? ? ? ? 8B 0C C5 ? ? ? ?
I'll add more to the tutorial if there is an actual interest to learn instead of just copy and paste.
Thanks for reading, good luck.