eVc
24th March 2004, 04:43
If you're curious how CvarHacks work... I basically disassembled JAMP.EXE using IDA
(you can use any Win32 disassembler) and searched for part of the string which was displayed
in the console saying I can't change the cvar ("cheat protected").
Then I looked for the last conditional jump before that string was pushed and inverted it.
Here's the cvar protection function which it patches (ASM):
.text:004398A2 test ah, 2
.text:004398A5 jz short loc_0_4398E0
.text:004398A7 mov ecx, dword_0_B5148C
.text:004398AD mov eax, [ecx+20h]
.text:004398B0 test eax, eax
.text:004398B2 jnz short loc_0_4398E0 <------- jump if it's allowed ;)
.text:004398B4 mov edx, [esp+8+arg_0]
.text:004398B8 push edx
.text:004398B9 push offset aSIsCheatProtec ; "%s is cheat protected.\n"
.text:004398BE call sub_0_437080
.text:004398C3 add esp, 8
.text:004398C6 pop esi
.text:004398C7 pop ebx
.text:004398C8 pop edi
.text:004398C9 mov eax, ebp
.text:004398CB pop ebp
.text:004398CC retn
NOTE:
.text:004398B2 jnz short loc_0_4398E0 <------- jump if it's allowed ;)
^ the address to patch will be 004398B2 (0x4398B2)
-----------------------
PSEUDO PATCH ROUTINE:
-----------------------
if
// If it reads JNE/JNZ (if you want, search for JNZ <LOCATION> to be more accurate)
ReadProcessMemory(jamp.exe, 0x4398B2, 75, 1, 1);
then
// Change from JNE [jump if not equal] (0x75) to JE [jump if equal] (0x74)
WriteProcessMemory(jamp.exe, 0x4398B2, 74, 1, 1);
else
// Didn't read the JNZ value, so it's already patched or an incorrect binary version
MessageBox(0,"Incorrect JKA version or its already patched.","CvarHack Error",0);
-------------------------
Always patch a few seconds after the process has been created (because the engine does some sort of CRC check before it creates the window).
Now using this you should be able to write your own cvarhacks when there are updates without waiting for a release by someone else :classic:
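The post points out that the engine only runs its CRC check before the window is created, which is exactly why a patch applied a few seconds later goes unnoticed. As an added example that is not part of the original post or of the game's code, here is the kind of runtime re-check an engine (or an anti-tamper module) can run periodically over the cvar-check region: a CRC-32 of the live bytes against the build-time value, plus a byte diff that specifically flags a short conditional jump flipped to its complement opcode (the jnz 0x75 to jz 0x74 change described above). The sample bytes are reconstructed from the standard x86 encodings of the listed instructions and are an assumption, not a dump of JAMP.EXE; the names `GOOD_REGION`, `crc32_bytes`, `check_region` and `integrity_result_t` are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the cvar check as reconstructed from the listing's
   standard x86 encodings (test ah,2; jz; mov ecx,[mem]; mov eax,[ecx+20h];
   test eax,eax; jnz). Not a dump of the real binary. */
#define REGION_BASE 0x004398A2u
static const uint8_t GOOD_REGION[] = {
    0xF6, 0xC4, 0x02,                   /* 4398A2 test ah, 2           */
    0x74, 0x39,                         /* 4398A5 jz   short 4398E0    */
    0x8B, 0x0D, 0x8C, 0x14, 0xB5, 0x00, /* 4398A7 mov  ecx, [0B5148Ch] */
    0x8B, 0x41, 0x20,                   /* 4398AD mov  eax, [ecx+20h]  */
    0x85, 0xC0,                         /* 4398B0 test eax, eax        */
    0x75, 0x2C,                         /* 4398B2 jnz  short 4398E0    */
};
#define REGION_LEN sizeof(GOOD_REGION)

/* Standard CRC-32 (reflected, polynomial 0xEDB88320), bitwise so no table is needed.
   In a real build the expected value is computed from the on-disk image once. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Outcome of one integrity pass over a code region. */
typedef struct {
    int      crc_ok;       /* 1 if the live bytes still hash to the build-time value */
    int      inverted_jcc; /* 1 if a short Jcc was flipped to its complement opcode   */
    uint32_t patched_va;   /* virtual address of the first mismatching byte, or 0     */
} integrity_result_t;

/* Compare live bytes against the known-good image. Short conditional jumps are
   encoded 0x70..0x7F and each condition's complement is opcode ^ 1 (jz 0x74 /
   jnz 0x75), so a single-byte diff of that shape is the signature of an
   inverted check. The hash catches everything else (NOPs, redirected jumps). */
integrity_result_t check_region(const uint8_t *live, const uint8_t *good, size_t len,
                                uint32_t base, uint32_t expected_crc)
{
    integrity_result_t r = { 0, 0, 0 };
    r.crc_ok = (crc32_bytes(live, len) == expected_crc);
    for (size_t i = 0; i < len; i++) {
        if (live[i] == good[i])
            continue;
        r.patched_va = base + (uint32_t)i;
        if ((good[i] & 0xF0) == 0x70 && (live[i] ^ good[i]) == 0x01)
            r.inverted_jcc = 1;
        break; /* report the first mismatch; the CRC already says the region is bad */
    }
    return r;
}

int main(void)
{
    uint32_t expected = crc32_bytes(GOOD_REGION, REGION_LEN);
    uint8_t live[REGION_LEN];
    memcpy(live, GOOD_REGION, REGION_LEN);
    live[0x4398B2u - REGION_BASE] = 0x74; /* simulate the jnz -> jz flip in memory */
    integrity_result_t r = check_region(live, GOOD_REGION, REGION_LEN, REGION_BASE, expected);
    printf("crc_ok=%d inverted_jcc=%d patched_va=%08X\n", r.crc_ok, r.inverted_jcc, r.patched_va);
    return 0;
}
```

The point of re-running this after startup, not just before the window is created, is that the post's timing trick relies on the check being a one-shot; a check that repeats on a timer or on cvar access would see the flipped byte. The Jcc heuristic is only applied to bytes that actually differ from the good image, so ordinary data bytes in the 0x70..0x7F range never trigger it.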