Topic: Intriguing, but too novice to do anything. Need a push.

Scing

Intriguing, but too novice to do anything. Need a push.
« on: December 07, 2010, 11:50:20 am »
OK. So, we know that if you JMP MrM's posted offset, it'll keep stalling until a certain message is sent. The issue is that another person and I can't get WPE or the others mentioned here to work to send, or even sniff, the correct packet to bypass BE with that method.

Now, I'm an utter n00b when it comes to debugging/decompiling. But I know when I look into OllyDbg and read certain ASCII dumps like:
CPU Dump
Address   ASCII dump
00C4B0FE  ...?AUAcceptedKeyMessage@@....Œ?,

How exactly do I trace that to the actual (not sure of the word) editing/tracing, following where it goes and what it's doing?

I know 1 = on, 0 = off, and understand the concept of JMP and NOP, but not so much EAX, CMP, LEA.

I also know that it has been said many times that you can make the game do pretty much whatever you want by altering these things, but can someone help point me in the right direction as to what exactly I need to do?

Somewhere in there has to be a bit that says: ooh, you have naughty things, JMP, send info back to the server; oooh, you're not naughty, I'm a tard.

Any help on this matter? =P

MrMedic

Re: Intriguing, but too novice to do anything. Need a push.
« Reply #1 on: December 07, 2010, 03:48:18 pm »
You should look at offset 0x10002E45 to start with.

And the function at 26F0. This should really be in the dev section, but fuck it, I feel generous today.
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

https://www.youtube.com/watch?v=62_7-AYfdkQ
you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157

Coronel_Niel

Re: Intriguing, but too novice to do anything. Need a push.
« Reply #2 on: December 07, 2010, 06:51:59 pm »
I know 1 = on, 0 = off, and understand the concept of JMP and NOP, but not so much EAX, CMP, LEA.

1 = True, 0 = False, or vice versa.

EAX and the following are registers that hold values; some of them could be addresses or other things that will then be put into the assembly code. You need to create a breakpoint to find the values of EAX etc.

Side note:
64-bit users will get even more confused when you breakpoint into a float. There are 8 more registers added, xmm0 to xmm8. These then work with EAX etc. to put the assembly code to work.

If you look at this code I posted a long time ago (TUTORIAL TIME):

00582C47 = movss [eax+edi*4],xmm0

In this, I have found the address that edits your health. Now to work on it. First I made a breakpoint on the address and found this:

EAX = your base health.
EDI = an integer between 0 and 4.
xmm0 = the number your health is edited with.

The thing is, there are 5 health addresses, if not more: one for each arm and leg, one for your overall health, one for your body armour, the list goes on. The thing is, they are all 4 apart from your base health, the EAX register.
So, if EDI is 1, the end address is EAX + 4. If EDI is 2, the end address is EAX + 8.
This means that:
EDI is edited for what part of you is hurt: arm, leg, etc.
It is added to EAX, which is the address of your base health.
It then edits the final address with xmm0, or the number it will then be.

Side note:
Why xmm0? I have 64-bit, and this complicates it a little. If you feel brave, google it.

How to find this yourself:

Download and install a beta patch to begin with, the latest version.
Load a PBO with debugging features.
Start Arma 2 or OA, then go into the editor.
Add a simple character, then start it up.
In your debugger, set your health to 0.1212. Then do a float search for 0.1212.
Go back to Arma 2 and set your health to 0.1234. Then do a float search for 0.1234.
Rinse and repeat until you have 4 addresses, all changing when you edit this.
Add them all to your cheat table.

Now for the debugging.
Attach your debugger, and then search for what changes your findings. Then go hurt yourself, NOT using your PBO but actual in-game things, i.e. getting shot or falling.
When you get a finding, open it up in your memory editor.
The address's assembly code should look similar to the one posted above, just with a different address.
Put a breakpoint on this bit of code, then go hurt yourself again. When you do, the game should freeze and your breakpoint should give you a lot of addresses for EAX etc.

EAX should be the base address of your health.
EDI should be a number between 1 and 5.
xmm0 (you need to open something else to see this) should be the number your health just got edited to.

There you have it. NOP that address, and you have a working health hack.
"Now we are going to watch my boys do it" - Joopig
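The two mechanics in the post above, as an added example that is not code from the thread or from the poster: the narrowing float scan ("search for 0.1212, change it, search for 0.1234" and keep only the candidates that followed), and what the breakpoint on `movss [eax+edi*4],xmm0` is actually showing, namely a ModRM/SIB memory operand where EAX is the array base, EDI is the slot index and the scale of 4 is `sizeof(float)`, so the store lands at EAX + EDI*4. The instruction bytes F3 0F 11 04 B8 are the real x86 encoding of that instruction; the memory image, the guest addresses and the register values are constructed for illustration.

```c
/* Added example, not code from the thread: models two parts of the post above.
 * (1) a narrowing float scan over a memory image, the way the "search for 0.1212,
 *     change it, search for 0.1234" step discards candidates that did not follow;
 * (2) decoding the ModRM/SIB bytes of "movss [eax+edi*4],xmm0" and computing the
 *     effective address, which is what the breakpoint reads off: EAX = array base,
 *     EDI = slot index, scale 4 = sizeof(float).
 * Memory contents, guest addresses and register values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_HITS 16

static void put_float(uint8_t *mem, size_t off, float v) { memcpy(mem + off, &v, 4); }
static float get_float(const uint8_t *mem, size_t off) { float v; memcpy(&v, mem + off, 4); return v; }
static int float_eq(float a, float b) { float d = a - b; return (d < 0 ? -d : d) < 1e-6f; }

/* First scan: every 4-byte-aligned float equal to target becomes a candidate offset. */
static size_t scan_float(const uint8_t *mem, size_t len, float target, size_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len && n < max; off += 4)
        if (float_eq(get_float(mem, off), target))
            hits[n++] = off;
    return n;
}

/* Re-scan: keep only the candidates whose value now equals the new target. */
static size_t narrow_float(const uint8_t *mem, float target, size_t *hits, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (float_eq(get_float(mem, hits[i]), target))
            hits[kept++] = hits[i];
    return kept;
}

/* Walks the procedure on a constructed 16-float image: three slots hold 0.1212,
   only two of them follow the change to 0.1234. Returns the survivor count. */
static size_t demo_scan(void)
{
    uint8_t mem[64] = {0};
    size_t hits[MAX_HITS];
    put_float(mem, 12, 0.1212f); put_float(mem, 36, 0.1212f); put_float(mem, 48, 0.1212f);
    size_t n = scan_float(mem, sizeof mem, 0.1212f, hits, MAX_HITS);   /* 3 candidates */
    put_float(mem, 12, 0.1234f); put_float(mem, 36, 0.1234f);          /* "set health to 0.1234" */
    return narrow_float(mem, 0.1234f, hits, n);                        /* 2 survive */
}

/* --- ModRM/SIB decoding for the [base+index*scale] operand form --- */
static const char *reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
struct mem_operand { int base; int index; int scale; };

/* mod=00, rm=100 means a SIB byte follows and there is no displacement.
   Returns 0 on success, -1 if the bytes are not that simple form. */
static int decode_sib(uint8_t modrm, uint8_t sib, struct mem_operand *op)
{
    if ((modrm >> 6) != 0 || (modrm & 7) != 4) return -1;
    op->scale = 1 << (sib >> 6);
    op->index = (sib >> 3) & 7;
    op->base  = sib & 7;
    if (op->index == 4) return -1;   /* index=100 encodes "no index" */
    if (op->base == 5)  return -1;   /* base=101 with mod=00 means disp32, not ebp */
    return 0;
}

static uint32_t effective_address(const struct mem_operand *op, const uint32_t regs[8])
{
    return regs[op->base] + regs[op->index] * (uint32_t)op->scale;
}

/* F3 0F 11 04 B8 is the encoding of "movss [eax+edi*4],xmm0": ModRM 0x04, SIB 0xB8.
   Returns the address the store would hit for the given eax and edi, or 0 on decode error. */
static uint32_t demo_address(uint32_t eax, uint32_t edi)
{
    const uint8_t ins[] = {0xF3, 0x0F, 0x11, 0x04, 0xB8};
    struct mem_operand op;
    uint32_t regs[8] = {0};
    if (decode_sib(ins[3], ins[4], &op) != 0) return 0;
    regs[0] = eax; regs[7] = edi;
    return effective_address(&op, regs);
}

int main(void)
{
    struct mem_operand op;
    printf("%zu candidate(s) survived the narrowing scan\n", demo_scan());
    if (decode_sib(0x04, 0xB8, &op) == 0)
        printf("movss [%s+%s*%d], xmm0\n", reg32[op.base], reg32[op.index], op.scale);
    /* constructed: eax = base of the health array, edi = 2 (third body part) */
    printf("store lands at %08X (= eax + 2*4)\n", demo_address(0x00C4B000u, 2));
    return 0;
}
```

The decoder deliberately rejects the two SIB special cases (index=100 meaning "no index", base=101 with mod=00 meaning a disp32 rather than ebp), which is exactly where a hand-rolled "EAX + EDI*4" reading of a breakpoint would go wrong on a different instruction.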

MrMedic

Re: Intriguing, but too novice to do anything. Need a push.
« Reply #3 on: December 07, 2010, 07:14:29 pm »
Read it, Niel. Quite accurate, good explanations, legible, well done :smile
« Last Edit: December 07, 2010, 07:19:43 pm by MrMedic »

Pride

Re: Intriguing, but too novice to do anything. Need a push.
« Reply #4 on: December 09, 2010, 12:31:54 pm »
you should look at offset 0x10002E45 to start with.

And the function at 26F0. This should really be in the dev section, but fuck it, I feel generous today.

If I'm reading it right, it's doing an AND operation to compare the base address of wsock32.dll to the address of the RecvTo function...

...not sure what that really achieves.

MrMedic

Re: Intriguing, but too novice to do anything. Need a push.
« Reply #5 on: December 09, 2010, 01:23:54 pm »
Well, I'm not going to spoon-feed it to you. Think about it.

Coronel_Niel

Re: Intriguing, but too novice to do anything. Need a push.
« Reply #6 on: December 09, 2010, 07:48:30 pm »
Checking for any extra DLLs and cutting wsock32.dll out of the list?