Topic: [Information] Reversing and Dissecting Mount and Blade: Warband


Seb

Hey guys, after spending a couple weeks reversing the game on and off, making my own aimbot and a few fun features, I've decided to share some information so you guys can create your own cheats/hacks.

Part 1: The Game
We know a few things about the game by jumping right into it:
  • The game is x86
  • The game is quite old, meaning it will use a lot of old methods
  • The game uses DirectX as a renderer
  • The game is multiplayer
  • You're allowed to host your own servers, meaning there is some sort of packet connection here

By knowing these, you can start on a few things, which should be easy to find.
First of all, knowing the game runs in an x86 environment makes it a lot easier to dissect and look into in a disassembler like IDA.
By throwing the game into IDA and letting it generate, we can tell after a quick browse that the game has left a lot of named functions in and it also uses some sort of scripting language.
By running Class Informer and taking a quick look into the results, we can see a lot of classes which you may recognize in the game. Most notable of these classes is probably the 'Agent' class, which is inherited from the 'rglSimple_game_object' class.
From this information, we can assume that all game-specific functionality classes have the prefix 'rgl' in them. We can also assume that since Agent is derived from the simple game object, it will contain all of that game object's information within its own pointer.

We'll return to more engine things later, but we can move on for now to look into more interesting things...

Part 2: The Agent
The 'Agent' in this game may also be called an Entity or an Object. It is your player and every other player in the game.
The Agent has many jobs, here we can list a few:
  • Store player health
  • Store player position
  • Store current aim direction

Let's first take a look at this class that we found inside of Class Informer. If we trace it and then xref what it brings us to, we can find the constructor for the agent class, Agent::Agent() (which you can see here: https://prnt.sc/klfj45).
Looking through this class we can see a few static variables which you can explore yourself inside of reclass or any other memory viewer.
Now, knowing that this function is only called when an agent is added to the entity list, we can xref the function and go to the one which is calling it. After a brief analysis, you'll find that this is the function which actually stores and adds agents to the entity list.

If you really wanted to dig in deep, you could keep cross-referencing the functions until you got to the main tick of the game, but that isn't exactly what you want, unless you just wanted to console one of the game's threads instead of making your own. (There's no point since the game has no AC.)
What's better is the Agent::Tick function, which, as you may have guessed, runs every single tick.
This agent tick function will be run every single time before any other agent function, which means if you need to, you could override them.
That sounds really tedious though and you should really only use that for thread management or as a constant loop.
If you dissect and look into this function more, you will find a lot of function calls, and most of these will lead to other agent functions.

There are many functions which can be extremely abused if you know what you are doing. One such function is Agent::add_stun (http://prntscr.com/klg8bm), which does exactly what it's named, accessing the network data entity and doing whatever to it.
Just to help you guys start, here's a little signature: 81 EC ? ? ? ? 56 8B F1 8B 86 ? ? ? ? 8B 0C C5 ? ? ? ?
I'll add more to the tutorial if there is an actual interest to learn instead of just copy and paste.
Thanks for reading, good luck.

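To make the signature posted above usable (and checkable), here is an added example, not code from the poster: it parses an IDA-style wildcard pattern, scans a byte buffer for it, and confirms the hit is unique, which is the property a signature needs before anyone relies on it (the same mechanism integrity checks and YARA-style detections use). The fixed bytes decode to a __thiscall prologue (sub esp, imm32; push esi; mov esi, ecx; mov eax, [esi+disp32]; mov ecx, [eax*8+disp32]); the immediates and displacements are the wildcards. The sample buffer is constructed for the demo, not bytes from the real binary.

```python
import re
from typing import List, Optional

# The signature from the post; '?' marks a wildcard byte (immediates and
# displacements that vary between builds, so they are left unmatched).
SIGNATURE = "81 EC ? ? ? ? 56 8B F1 8B 86 ? ? ? ? 8B 0C C5 ? ? ? ?"

def parse_pattern(pattern: str) -> List[Optional[int]]:
    """Turn an IDA-style pattern into byte values, None for wildcards."""
    parsed = []
    for tok in pattern.split():
        if tok in ("?", "??"):
            parsed.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parsed.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token: {tok!r}")
    return parsed

def find_all(buf: bytes, pattern: str) -> List[int]:
    """Every offset in buf where the pattern matches (wildcards match any byte)."""
    pat = parse_pattern(pattern)
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pat))]

def find_unique(buf: bytes, pattern: str) -> Optional[int]:
    """A usable signature hits exactly once; None if it is ambiguous or absent."""
    hits = find_all(buf, pattern)
    return hits[0] if len(hits) == 1 else None

# Constructed sample "code section" (assumption: not bytes from the real game).
# DECOY shares the generic prologue (sub esp,imm32 / push esi / mov esi,ecx)
# but continues differently; TARGET is a prologue the full signature matches:
#   81 EC imm32    sub esp, imm32
#   56             push esi
#   8B F1          mov esi, ecx          (this pointer of a __thiscall method)
#   8B 86 disp32   mov eax, [esi+disp32]
#   8B 0C C5 d32   mov ecx, [eax*8+disp32]
DECOY = bytes.fromhex("81EC20000000" "56" "8BF1" "8B4E04")
TARGET = bytes.fromhex("81EC10010000" "56" "8BF1" "8B86A4000000" "8B0CC540304200")
SAMPLE = b"\x90" * 8 + DECOY + b"\xC3" + b"\x90" * 5 + TARGET + b"\xC3"

if __name__ == "__main__":
    print("full signature hits:", find_all(SAMPLE, SIGNATURE))                # [26]
    print("prologue-only hits:", find_all(SAMPLE, "81 EC ? ? ? ? 56 8B F1"))  # [8, 26]
    print("unique offset:", find_unique(SAMPLE, SIGNATURE))                    # 26
```

The shortened prologue-only pattern hits both the decoy and the target, which is why a signature has to include bytes past the generic prologue before it identifies one function.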

JohnFlower

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #1 on: August 22, 2018, 01:00:32 pm »

Now this is what we need around here. You are a true man Seb.

Risal

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #2 on: August 22, 2018, 05:11:41 pm »
Exactly what I was looking for. Keep it up! Don't spoon feed but explain stuff.

EDIT:
Just looked into it but for some reason IDA Pro does not show any real function names for me:
https://imgur.com/vP45RpS Using the latest freeware version. Am I doing something wrong?

EDIT 2:
Looks like this is caused by not using the ClassInformer plugin, however I am unable to find a version for the 5.0 IDA version. Neither for 7.0. Any idea?
« Last Edit: August 22, 2018, 07:51:43 pm by Risal »

Seb

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #3 on: August 23, 2018, 12:05:06 am »
You don't see the names because I named them myself. I've gone through almost 100 different functions, analyzing them and naming them as I discover what they do within the game.

I use IDA 6.8, you can find the program for free if you really try.

Risal

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #4 on: August 23, 2018, 02:08:22 am »
Oh interesting. Well, you said: "By throwing the game into IDA and letting it generate, we can tell after a quick browse that the game has left a lot of named functions in and it also uses some sort of scripting language." which confused me, and I thought the functions actually have names. I know that this is normally not the case, but I thought maybe it actually is in this case.
Did you also name the classes yourself? I am unable to find a working class informer for my 7.0 version (which is free btw.)

Seb

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #5 on: August 23, 2018, 04:08:04 am »
By named functions, I meant from the strings since you can see some of the source code within the strings themselves.
I named some of the classes, but they're inspired from how the game names them.
Normally for any other game, I would stick with just 'Entity', but this game clearly names them 'Agents'.

gogol

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #6 on: August 23, 2018, 07:56:29 pm »
Hello, I have some questions. As you might know, there is a bug with "flying carts" in PW/PK, and I discovered one interesting phenomenon using this bug. Generally, when you fly very, very high and someone connects to the server while you were there, then after you come back to earth the person who connected will not be able to see the texture of your character. For him your character's texture will be somewhere else, but you can still damage him and he can also see what you type in chat, so you become some kind of invisible for him. And I wonder what technically causes that? Some bug in connecting? Are there some separate beings for the character and other stuff? Also, I think unblockable is based on this separating fact too. So do you have any leads about that?

Seb

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #7 on: August 23, 2018, 11:06:47 pm »
The engine is only so limited. I have never heard of this bug or experienced it, probably because I rarely play anymore, but I'd imagine it would have something to do with the camera messing up the texture generation on your character since you're too high in the air. I'd imagine the math they use to render enemy players is pretty low, and that's why all the maps are really flat. Also, the server may consider you outside of the world and therefore not attempt to send your data to the enemy, since the engine expects you to fall to your death or die soon since you are out of bounds.

MrMedic

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #8 on: September 06, 2018, 11:59:04 pm »
Interesting, but you have missed a couple of basics out; they are very new to this, for instance how do they trace a function without an xref on a newer version if the tut is out of date, etc. Good all-round effort though.

snake123adfs

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #9 on: September 14, 2018, 10:36:18 pm »
seb could you PM me, I really would like to learn how to create cheats for warband, I have no coding experience.

ZOldDude

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #10 on: September 14, 2018, 10:43:58 pm »
snake123adfs...did you have to evacuate?

snake123adfs

Re: [Information] Reversing and Dissecting Mount and Blade: Warband
« Reply #11 on: September 14, 2018, 10:46:24 pm »
No I didn't, but why must you snoop around and find out personal info about me? I have just come here to learn how to code, and can my thread I posted be approved? I'm going to be updating it daily on my progress.