BFV Multihack v0.9 released
test0r
25th March 2004, 21:43
Hey guys!
I decided to make a public hack, "BFV Multihack" (written in Visual C++ 7.0), for all those cheaters who don't have the skill to program their own (there are enough of them). This hack is and will remain only a NOP hack, meaning I am not going to change the offsets when PB detects it. It is also a hack for non-PB servers (for those players who want to have fun with the cheats), because it will soon be detected.
The current features are:
- maphack
- nametags
- 3d-map-hack
- hotkeys for the cheats (;))
I soon will add:
- working no fog
- accuracy (if I get it :D) and maybe zoom
DISCLAIMER:
"BFV Multihack" doesn't interfere with Punkbuster; it doesn't care about it (it is made for non-PB servers!), so there is no reason for EB to global ban you.
There is always a risk of being global GUID banned (though there is no reason for it with this hack), so use it at your own risk!
If you want to be on the safe side, then ONLY join non-PB servers!
OK, now have fun with it and cheat the game! :D:D
PS: To all other "private hackers": OK, I know, soon your own NOP hacks also won't work anymore on PB servers; but I think if you managed to do it, you should also be able to "skin the cat" a different way ;) The community wants a hack, and I think it is not wrong to release one public hack then.
PPS: Bug reports are always welcome. ;)
VoN DuTch™
25th March 2004, 21:50
The file you submitted, "BFV Multihack v0.9", was uploaded to our download section under BF1942 (http://www.mpcdownloads.com/_mpc_d0wn_h4x_/BF1942/)
Within a couple of weeks/months, I'll see how many public hacks/cheats there are for Vietnam and maybe we will create a sub-folder for it under the BF1942 download section. In the meantime it will go under the main BF1942 folder. :D Excellent work, test0r. :classic:
joebongo
25th March 2004, 22:32
Good job dude.
So, repeating what I just said on the BF1942 forum: is it OK to disable PB, play on a non-PB server with this, quit the game, stop the hack, enable PB and then play on a PB-enabled server and not get any grief?
Can they scan files and registry? Do they care if you possess a cheat if you don't execute it on a PB server?
Double checking 'cos I'm paranoid.
Thanks,
Joe
NOPing for Food
25th March 2004, 22:38
boo.
tommyw
25th March 2004, 22:45
They can't care about whether you simply possess it. You are not violating PB's EULA by possessing it; it's attempting to do it that's the violation.
test0r
25th March 2004, 23:47
Yeah, right, joebongo, then you are on the safe side. If you don't run the hack, Punkbuster detects nothing.
CaptainCox
26th March 2004, 00:00
Thanks test0r.
It's typical that you release just as I finished my own map and tag; I will try to step it up and read up on how to do this without NOPing at the weekend.
One thing: I get an "Error reading from memory" on your fog; the rest works just fine.
Just a thought: could it be that I am still running the 1st version? (nudge nudge) =).
Got the proper game sitting in a box on my desk; been too lazy to install it, will do it in the morning.
caliber1942
26th March 2004, 00:16
It will probably only work for a week or less, and then the methods you used will be eliminated for all other hackers as well, with your hack being instantly detected by PB. However, the begging masses who put no work into all of this will appreciate it, while it works. It was nice of you to release this, but I think this is what they (PB) have been waiting for. It's been kind of boring for them since daz quit.
Well, test0r, you can say you were the first to test the waters! It will be interesting to see how this plays out now. The private hackers can all see how this will affect us as well, especially if we have to modify to defeat what PB throws back at us.
test0r
26th March 2004, 00:34
This hack is for the community. I think you and other private hackers are skilled enough to program a PB-proof hack again. It's not that hard (you can manage all that without simply NOPing)...
As I mentioned, I won't change the offsets anymore in this hack. I don't want to fight against Punkbuster again; I want to help the people who want to have fun with the hacks (soon they will also only be able to be "unfair" on non-PB servers).
Yes, I don't want to fight against Punkbuster again; in my eyes that is a war PB will always win, and no public hack will stay undetected for long (Daz's was undetected for a few days...).
OK, CaptainCox... don't know why you are having problems...
Does anyone else have those problems with the fog?
CaptainCox
26th March 2004, 00:35
This hack is just a normal NOP hack.
I think test0r also said DON'T USE ON PB.
You cannot use this on PB servers, as PB will detect a simple NOP and get you kicked for 2 min, directly; at least that's the case on BF42.
Haven't actually played this on PB servers yet, will do when I am ready =).
From my little knowledge about hacks, this stuff is really basic and not some big secret.
test0r
26th March 2004, 00:39
OK, got the error too, but only when not in-game. The same with you?
CaptainCox
26th March 2004, 00:42
test0r, when I switch on the fog and get the error, I tab back into the game and all is fog, like 80%, like a Sunday in London, I mean milky white or something, and when I press the fog button again it goes back to normal =(
Did you install some quick keys from in-game?
test0r
26th March 2004, 01:03
The thing is, the values I read out are different when you first enable fog while the game is not loaded than when you are really playing. You should first push "no fog" when the map is loaded. Tell me, does that help??
I will soon implement hotkeys, btw...
[VPK]BigBoss
26th March 2004, 01:44
Nice work, dude, that was fast. When do you think you're going to release something else for BFV?
i8evryone
26th March 2004, 02:34
Great job, test0r! Love it already.
bugboyy
26th March 2004, 02:37
Ah, I just got my personal one finished... sucks being one step behind you guys all the time lol :( Good work, bro! Congrats.
Smallshop
26th March 2004, 03:26
Great work, test0r!
Works fine here too, except for fog.
Everything gets milky white; the fog is up to my nose.
But no error msgs. I use a GeForce FX 5200 Ultra 256MB.
But the 3D map is king! Thanks!
zhangxb
26th March 2004, 04:43
Thank you, my GOD
GUESS WHO!!!
26th March 2004, 07:46
Very nice, test0r, thanks man.
ThaElement
26th March 2004, 08:34
Good job, man, and many thanks.
Heh, I'm still trying to create my own hack though :o
CaptainCox
26th March 2004, 09:19
test0r, tried the way you said, after the map is loaded.
No go, man, still like a day in a Turkish bath, white steam. :cry:
Could it be that you have somehow reversed the value or something?
Cheers.
bf194lover
26th March 2004, 10:29
Greets,
good work so far.
As others noticed, the fog thing might not work at all (for you but not for the others) the way you implemented it.
You are reading one of the distance values from an offset that seems to me like a heap address, 25xxxx (I checked the memory map of the process).
The heap page size is 0x1000 there, but you read from offsets beyond these.
Check the values you read into the buffer for 0 before doing any pointer arithmetic on them ;)
Heap addresses might not be the same in other game sessions because the object data memory is allocated dynamically.
You have to find a better suited (really static) address, not these dynamic ones.
Regards
Spontaneous
26th March 2004, 11:32
That, or I thought maybe test0r did find one of the fog addresses, but the wrong one. In Vietnam (don't know about 1942) you can change the color of the fog. What I think might have happened is that test0r is editing the fog address that has to do with the color, not distance. This is just a guess though. bf194lover could also be right; I am not up on my heap page info.
test0r
26th March 2004, 16:19
Nope, Spontaneous, you can change the fog very well. The thing is the following:
I read out the store place for the base address of the view distance,
then I add an offset to it to get the view distance address, and then its value. This value I write to the fog end address, and fog_end-1 to the fog begin address. The no-fog thing works perfectly (also on your machines, because you get white screens, so it is doing something ;)). Now think logically: if I don't get a base address from the static store place (e.g. it is 0), then I also can't read out the real view distance; an error is produced (the message box), and my hack uses the initial value 0 for view distance. So the fog end is set to 0 and you get a whole white "fogged" screen in front of you.
OK, there are two static "store places" for the base address for view distance. I took the one that is 0 (on my PC) when a map isn't loaded. But as bf194lover said, those "static" addresses might not be the same in your "heap" (on my PC they always are; tested it, also when restarting the game).
I will take the other static store address and I believe it will work on your PCs too then :D
Wait a few minutes for v0.91 ;)
test0r
26th March 2004, 16:55
OK, the fog error should now be fixed in v0.91. Please test it and tell me if it works for you too (download on the first page) ;)
Again, have fun with it! :D
Spontaneous
26th March 2004, 17:34
So you know, I pinned this topic so it's easy to find the non-PB hack.
targeted
26th March 2004, 19:54
Thanks test0r, the hack works great. I've been using it on PB servers (I'll test it). It's easy to get a key from EA if it gets banned, or I'll buy a new one for 34 bucks. It makes the game a little fun for me because I'm so bad at computer games even with the hack. Now I see those buggers coming for me lol. Thanks, buddy.
test0r
26th March 2004, 20:11
Can someone confirm that no fog is working now, without an error?
Thx btw, Spontaneous ;)
ThaElement
26th March 2004, 20:14
I'll test it, but I'm wondering: would this work with PB? Or will PB catch me right when I use it?
bugboyy
26th March 2004, 20:19
Like he said before, use at your own risk on PB servers, but you will get caught, no doubt about it. Maybe not for a couple of days, but you will, and not get banned but timed out. But that's still gay, 'cause chances are you are gonna use it on a server that you always play on, and now they know you are a cheater! :)
test0r
26th March 2004, 20:19
Depends on whether Evenbalance has already added it to the "cheat detection list", but it will be detected soon, so then only use it on non-PB servers.
ThaElement
26th March 2004, 20:48
So it WILL work right now, BUT soon it won't, since PB always releases updates as hacks get released. Btw, they are spying on us as we speak!
test0r
26th March 2004, 21:11
No one answers my questions... :(
Does the fog work now in v0.91?
Nasenbaer
26th March 2004, 21:13
No, doesn't work for me :(
SomeUserName
26th March 2004, 21:18
test0r, do you have any plans of releasing your source?
Milescool
26th March 2004, 21:32
Fog doesn't work for me in v0.91 :(
Award
26th March 2004, 21:37
Originally posted by targeted
It's easy to get a key from EA if it gets banned
I DON'T THINK SO!!!
'Cause Vietnam is brand new, no one would believe the "I lost my CD key" trick and so on... maybe in 2-3 months.....
test0r
26th March 2004, 21:38
I ask myself why it isn't working... hm
Can you describe to me how it isn't working? Do you still get a white screen?
ThaElement
26th March 2004, 21:59
Nope, fog doesn't work for me.
(I get a white screen)
I have a question though: if we get banned for cheating, are we getting our CD keys banned, or our IP banned from that certain server we were playing on, or are we just being kicked for 2 mins?
test0r
26th March 2004, 22:12
Depends on the settings of the server.
Milescool
26th March 2004, 22:20
Sorry, I only speak a little English....
When I use "View Distance/No Fog", I get a screen with "Error writing to memory"...
And my BF Vietnam screen is white...
bf194lover
26th March 2004, 22:22
Greets,
well, it won't work.
One offset is OK but the other one you are using is completely bogus ;)
Offending code:
.text:0040178E push 4 ; nSize
.text:00401790 lea ecx, [esp+1Ch+var_4]
.text:00401794 push ecx ; lpBuffer
.text:00401795 push 1D34668h ; lpBaseAddress
.text:0040179A call ReadMemory
Dump virtual memory map for 0x1D34668 in bfv process space:
Memory map, item 48
Address=01C40000
Size=00401000 (4198400.)
Owner= 01C40000 (itself)
Section=
Type=Priv 00021004
Access=RW
Initial access=RW
01C40000+00401000=02041000
01D34668 in valid page range, ok
Dump memory 0x01D34668
01D34658 00 00 00 00 00 00 00 00 4D 65 6E 75 2F 54 65 78 ........Menu/Tex
01D34668 74 75 72 65 2F 4D 61 69 6E 2F 42 75 74 74 6F 6E ture/Main/Button
01D34678 73 2F 47 65 72 6D 61 6E 2F 6E 65 77 5F 74 6F 75 s/German/new_tou
01D34688 72 2E 74 67 61 00 00 00 00 00 00 00 00 00 00 00 r.tga...........
Whoops... doesn't look like something we want.
All subsequent "use" of the read data (e.g. pointer arithmetic) will fail or produce additional bogus data.
You still have to look for the (semi-)static one ;)
Regards.
test0r
26th March 2004, 22:36
This is the method of defeating the DMA in an easier way (there is a tutorial from Max_Power), but it seems not to always work. I already noticed that weeks ago when I tested something different. So the address where the base address should be isn't static... it seems to be on my computer, but it isn't...
So I come to the conclusion that the only perfect way is code caving and storing the base address at a really static location (is that what you mean?)
test0r
27th March 2004, 01:33
OK guys, I am currently implementing real DMA-defeating (in the form of code caving) for the fog/view distance, so then it will work on any computer!
v0.92 with working NO FOG will be there in a few hours... :D
Nasenbaer
27th March 2004, 01:40
sounds good :)
SjaakZ0r
27th March 2004, 02:56
Originally posted by SomeUserName on 26th March 2004 at 18:18
test0r, do you have any plans of releasing your source?
Hmm, let me speak for him... OK, test0r? :P
The source to this hack is all in the BF1942 forum :)
Search and make your own :)
test0r
27th March 2004, 04:08
Yeah, you are right...
You can also take OllyDbg and look at how my hack works and which offsets it uses :)
OK, now back to business.
I tried defeating DMA the normal way (simply going to a code cave and storing the base address, e.g. ecx, at a free static address). I think you know how to do that. Yes, I read/write-breakpointed the DMA view distance address (the addr that contains the view dist value) and tried each of the popped-up breakpoints (there are 4). I removed enough asm code (and filled the rest with NOPs) and built the JMP to my code cave there (sure, I created the complete code cave before that). The code cave worked perfectly and the base addr was always stored at the right place. So far so good, and as I mentioned, I tried it with each of these 4 breakpoints, but now the problem is: I don't get a static value for my base addr. Yes, the value in there isn't always my view dist base addr. It always changes to another address as well, which means the code which accesses my view dist DMA is also used for another address; better said, all 4 of those code locations are (yep, I tested it: BP those addresses too, and the same code accesses those different addresses as well)...
LOL, believe me or not, but I guessed something like that when the "DMA-defeating - easier way" didn't work. View distance seems not to be "DMA-defeat-able"; I came to this conclusion after very long testing...
I am very, very sure that I didn't make a mistake; I tried many combinations (e.g. with a different order of the code in my code cave...).
OK, now here is my easywrite "testing" code (this is only one of those 4 possibilities). Try it out in T-Search; you will see that you don't get the view distance base address (you have to add 0x2C to that base address, then you SHOULD have your view dist DMA):
enabling code (top window):
________________________________
// CODE CAVE
offset AEE3EF
// removed code
fdiv dword ptr [ebp+0x2C]
mov [esi],eax
// store base addr and jump back
mov [0AEE402],ebp
jmp 9F77FB
// ENTRY POINT
offset 9F77F6
// jump to my code cave
jmp 0AEE3EF
-----
disabling code (bottom window):
________________________________
// ENTRY POINT
offset 9F77F6
// rewrite old asm
fdiv dword ptr [ebp+0x2C]
mov [esi],eax
// CODE CAVE
offset AEE3EF
// delete all cave code
hex 00000000000000000000000000000000
// clear the store addr
offset AEE402
hex 00000000
You have to read out AEE402 (4 bytes) in T-Search; that's the base address.
test0r
27th March 2004, 13:57
Hey guys, I want to hear your opinion about that.
I will only implement no fog then, I think...
test0r
27th March 2004, 18:45
OK, v0.92 is now available. I removed the "not-working" fog feature (working on that for the next version). I finally implemented the hotkeys now, so you can directly enable/disable the cheats in-game without TABbing back to the hack window.
Here is the download link (or go to the first post in this thread):
http://www.mpcheatz.de/mpc/forum/attachment.php?s=&postid=326009
PS: Tell me what you think about what I found out with the view distance (to all those "skilled" hackers like caliber, Spontaneous etc... ;))
LordofDeath
27th March 2004, 19:07
Wow, very great!!! But PLEASE don't use it on PB servers. THX!!!
VoN DuTch™
27th March 2004, 19:12
The file you submitted, "BFV Multihack v0.92", was uploaded to our download section under BF1942 (http://www.mpcdownloads.com/_mpc_d0wn_h4x_/BF1942/)
Thanks again, test0r. :p
FMJ
27th March 2004, 20:46
Nice work on the hack, mate, thanks ;)
NightStalKeR
27th March 2004, 21:55
Great job, and thanks for working on the fog!!!
test0r
28th March 2004, 05:05
Isn't there anyone who has defeated the view-distance DMA? I think it is impossible, but what are your results?
Spontaneous
28th March 2004, 05:28
Yeah, test0r, I am working on fog myself right now. I also need to do it all static, as it is for a couple of friends too. I will let you know after some testing myself. I've been kinda busy the last few days, but I will be working on it more this week. Also, if you could hook me up with a version with the fog in, I will take a look at what you're doing.
NOPing for Food
28th March 2004, 06:08
I found it :)
test0r
28th March 2004, 06:31
NOPing for Food: I think you did it with the "DMA defeating - easier way", right? This is the problem. That doesn't work for view distance. The static address you read out (which contains the needed base address) is ALWAYS the same on your PC, but on others that doesn't work. So I did the other, normal way of defeating DMA by jumping at the breakpoint location to my code cave (look at the easywrite code above) and then storing the base address at a specific static address. But that doesn't work either (as I explained above).
ThaElement
28th March 2004, 06:51
I think PunkBuster has patched this hack. I got banned from the server I was playing on (thank god) :)
caliber1942
28th March 2004, 08:42
I defeated DMA on both fog and view distance. In fact I linked them so that when I kill the fog, the view distance goes up. At any rate, it works fine on MY computer, but who knows if it works elsewhere. Not sure why it wouldn't; I used no code caves and the regular defeat-DMA method (resolve to static base pointer). Interested to hear if others are finally getting kicked with test0r's hack.
joebongo
28th March 2004, 15:14
Originally posted by ThaElement
I think PunkBuster has patched this hack. I got banned from the server I was playing on (thank god) :)
GUID or global?
Joe
test0r
28th March 2004, 16:35
OK, caliber, you tried the easier way... like me.
Can you PM me the easywrite code of it? I think it won't work on my PC, but I want to test it. Thx ;)
I got banned from the server I was playing on (thank god)
He got banned from the server he was playing on, joebongo :D
NOPing for Food
28th March 2004, 21:44
Originally posted by caliber1942 on 27th March 2004 at 22:42
I defeated DMA on both fog and view distance. In fact I linked them so that when I kill the fog, the view distance goes up. At any rate, it works fine on MY computer, but who knows if it works elsewhere. Not sure why it wouldn't; I used no code caves and the regular defeat-DMA method (resolve to static base pointer). Interested to hear if others are finally getting kicked with test0r's hack.
Me too; the fogstart and fogend are both set to the view distance when I use my hack...
test0r, don't assume that someone else can't do something just because you can't do it yourself. Think of it this way: if there were no way to find the address, the game wouldn't be able to keep track of the address... now we all know that isn't the case.
test0r
28th March 2004, 21:54
NOPing for Food: I don't say that you can't create hacks; why else would I want feedback from you about that?
You did the easier way (like the tut from Max_Power) of defeating DMA, right? OK, I did it too, and I also tried the complicated way. And what I did too was testing on other users' PCs (yes, you cheaters tested it all), and what do I get? Errors. So the easier way of getting the needed base address is not working. Then I tried the complicated way with code caving, and there I get different values for the base value, so also not working.
Send me your hack, or better, PM me the address you read out to get the base address for view distance (you then add 0x2C to it...).
If you are right, I'll correct myself here, so please PM it to me.
Thanx ;)
THEBIG420
28th March 2004, 21:57
So now PB is gonna get smart to NOPing????
Spontaneous
28th March 2004, 22:05
They have always been smart about NOPing commands. They just have not rolled out the 1st cheat list updates for PB in Vietnam yet, so NOP commands are not detected yet. NOP commands are detected in BF1942.
NOPing for Food
28th March 2004, 23:46
Maybe they are doing the log thing for bans...
Spontaneous
29th March 2004, 00:15
I highly doubt it. For them to do perm bans, they have to have the sig. of a hack that violates the EULA. Just detection of an offset is subject only to 2 min temp local bans. Plus, you just have to look at something. Have they really released any updates for PB Vietnam yet?
http://www.punkbuster.com/index.php?page=support-bfv.php
See, another thing is, with 1942 they had previous hacks released before PB came into play. They had something to work off of for detecting hacks before it even came out. With Vietnam, they have only 1 thing to work off of, and that was just released a couple of days ago for NON-PB servers. So they have very little to work off of so far. I am sure that they have enough to work off of, 'cause of the help we've been giving each other in these forums, that a PB update is coming very soon that will show 2 min bans for simple hacks.
caliber1942
29th March 2004, 05:47
test0r, have you fixed your code for view distance yet? I didn't do any of my coding with T-Search or easywrite at all; I basically found the static pointer (defeated the DMA) and the offset from the base pointer and then wrote the code into my trainer directly. However, the process was EXACTLY like the FOG. Not sure why you can't do this. I basically changed the view distance to a number I could search for, then located it within T-Search, then defeated the DMA and found the static pointer, just like I did with the fog. At any rate, sometimes when you do a search for the base pointer you get more than one address listed as the static pointer, and so you have to test using several maps and several different numbers of opponents (coop mode), and maybe switch teams, etc., to narrow it down to the right one. Maybe you are doing something wrong along the way... (don't have the right dynamic address, don't have the right dynamic base pointer address, possibly your breakpoint and debug was on the wrong address, possibly you are using the wrong static pointer after defeating the DMA). Anyway, the process was exactly the same as fog. It is no different. Not sure why you can't crack this nut.
test0r
29th March 2004, 10:57
Yeah, right, caliber, that is the point: it is like the fog, but the static pointer isn't static, understand? ;) I also narrowed it down (after testing) to 2 static pointers, which I tried in the two versions of my hack.
Hey caliber, I am not a noob at programming and hacking ;) I have made no mistake.
So please, can you PM me your offset? If it works on my PC too, I'll correct myself ;)
caliber1942
29th March 2004, 19:04
test0r, I didn't mean to sound like I was calling you a noob. That wasn't my intention. My point is that I don't understand why there would be any difference in the method used to store the view distance and the fog. I DID notice when doing the mem searches that there were several addresses which contained the view distance (DMA addresses) AND that there were several addresses which pointed to those (one of which was the ACTUAL static address). At any rate, I had to test each of the addresses and narrow it down to one. I did this like I said above: playing different maps, different types of games, different numbers of players.
However, I have NOT tested this on other computers, and I never intend to, since it is a private hack. It does work here, but it might just "seem" like I found the static address, like you are saying.
Tell you what, send me YOUR view distance address and I'll see if it is the same as mine. If not, then we'll talk more.
Sorry if I somehow pissed you off before. It was not intentional; my hacking skills are marginal, so I am definitely not trying to tell people how awesome I am and how crappy they are. Just trying to help!
test0r
29th March 2004, 19:48
Yeah, but one thing to make sure: you also search for the base address (e.g. when it's esi+0x2C, you search for the value of esi, right?), not the real DMA address?
Hey, I asked you the first time to PM it to me (immediately please! ;)). Please do it, I want to test it. I also don't need to send it to you. Look at my released v0.9 hack (on mpcdownloads) and see if it works on your machine.
caliber1942
29th March 2004, 20:09
I am hesitant to send you my private addresses so that you can put them in the public hack and expose them to PB in a direct way like that, but anyway, check your PM.
test0r
29th March 2004, 20:17
OK, is what I am doing right?
Added your address in T-Search (4 bytes).
The value I get for this is 256!
Then I add 0x2C to 0x100 (dec.: 256)... forget what I said.
But I am right in what I did, correct?
caliber1942
29th March 2004, 20:36
Not sure what you are doing there; 256 sounds way wrong..... hmmm. I hesitate to write the following because I don't want to sound like I am telling you something you already know, but:
1) The address I sent you via PM is the static base pointer address (at least it is on my computer). It shouldn't change from game to game. Let's say that address I sent you was 480000 (it wasn't, but let's say it was).
2) OK, you access the value at 480000 (must be of type LONG and 4 bytes). This value is the address of the dynamic pointer address. Let's say it is 7800000 (hex).
3) You then add the 0x2C to the 7800000 and you arrive at 780002C (hex), which is the dynamic address for the view distance.
4) 780002C is where you will write your FLOAT value (4 bytes) representing the new value for the VIEWDISTANCE.
Some tips:
1) The value at 480000 is four bytes, so it actually takes up space in the addresses from 480000 to 480003, which represents a LONG value. The value there is a pointer to the dynamic base pointer. This value will change from game to game and computer to computer.
2) The value 7800000 (dynamic base pointer) changes from game to game. This is why you can't just use the address you poke the new view distance into via T-Search. It doesn't stay the same. That's why we have to find the static address pointer first and then work from there to arrive at the dynamic address for the view distance.
Now, I didn't get what you were saying with your question, test0r, but I hope this helped.
Anyway, using the address in T-Search that I gave you, if you get 256 (and you have it set at four bytes) then that is not correct. It should be some large number (in other words, an address). If you are doing it right and getting a 256 with that address, then I guess my address isn't a globally working address, or you are only getting a single byte value instead of the entire four bytes which represent the address. I can't imagine that the address I got would change from computer to computer, since it is the same process as the fog.
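The pointer chain caliber1942 walks through above (static slot, base pointer, +0x2C, float), together with the "is this address really inside a mapped region" check that bf194lover did by hand against the memory map earlier in the thread, as an added example that is not part of the thread and not code from BFV Multihack. It runs against a constructed 64 KiB byte buffer that stands in for the game's address space, so it works offline; the 0x2C offset and the 256 value come from the posts, while the slot address 0x0800, the object address 0x4000, the "Menu/Tex" bogus slot and the three read/write helpers are assumptions made for the simulation.

```c
/* Added example (not the thread's or BFV Multihack's code): resolving a
 * "static pointer + offset" chain the way caliber1942's steps 1-4 describe,
 * against a constructed byte buffer standing in for the game's process.
 * The 0x2C offset and the 256 view distance are taken from the thread;
 * every address below and the layout are assumptions for the simulation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x10000u            /* 64 KiB stands in for the process */
static uint8_t mem[MEM_SIZE];

enum {
    STATIC_PTR      = 0x0800,        /* the "static store place" for the base */
    VIEWDIST_OFFSET = 0x2C           /* base + 0x2C = view distance (float) */
};

/* Does [addr, addr+len) lie inside the simulated mapping?  Written so the
 * addition cannot wrap; this is the "in valid page range" check that
 * bf194lover did by hand against the memory map. */
static int in_range(uint32_t addr, uint32_t len) {
    return addr <= MEM_SIZE && len <= MEM_SIZE - addr;
}

/* Stand-ins for ReadProcessMemory/WriteProcessMemory: return 0 on failure
 * instead of handing back uninitialised bytes. */
static int read_u32(uint32_t addr, uint32_t *out) {
    if (!in_range(addr, 4)) return 0;
    memcpy(out, &mem[addr], 4);
    return 1;
}
static int read_f32(uint32_t addr, float *out) {
    if (!in_range(addr, 4)) return 0;
    memcpy(out, &mem[addr], 4);
    return 1;
}
static int write_f32(uint32_t addr, float val) {
    if (!in_range(addr, 4)) return 0;
    memcpy(&mem[addr], &val, 4);
    return 1;
}

/* Steps 1-3: read the base pointer from the static slot, reject a zero base
 * (no map loaded) or one that does not point into mapped memory, then add
 * the offset.  Returns 0 on failure; a valid result is never 0. */
uint32_t resolve_viewdist_addr(uint32_t static_ptr) {
    uint32_t base;
    if (!read_u32(static_ptr, &base) || base == 0) return 0;
    if (!in_range(base, VIEWDIST_OFFSET + 4)) return 0;
    return base + VIEWDIST_OFFSET;
}

/* Step 4 with the check in front of it: never write through an unresolved
 * pointer.  This turns "view distance read as 0, whole screen white" into a
 * clean failure the trainer can report instead. */
int set_viewdist(uint32_t static_ptr, float new_value) {
    uint32_t addr = resolve_viewdist_addr(static_ptr);
    return addr != 0 && write_f32(addr, new_value);
}

/* Read back the current view distance; -1.0f signals failure. */
float read_viewdist(uint32_t static_ptr) {
    float v;
    uint32_t addr = resolve_viewdist_addr(static_ptr);
    if (addr == 0 || !read_f32(addr, &v)) return -1.0f;
    return v;
}

/* Constructed session: the object lands at `base` this run, the static slot
 * points at it, and its +0x2C float holds 256.  base == 0 models the
 * "map not loaded" state.  Always returns 1. */
int setup_session(uint32_t base) {
    float vd = 256.0f;
    memset(mem, 0, sizeof mem);
    memcpy(&mem[STATIC_PTR], &base, 4);
    if (in_range(base, VIEWDIST_OFFSET + 4))
        memcpy(&mem[base + VIEWDIST_OFFSET], &vd, 4);
    return 1;
}

/* Constructed bad session: the slot holds the start of a texture path string
 * instead of a pointer, like the dump bf194lover posted.  Always returns 1. */
int setup_bogus_session(void) {
    memset(mem, 0, sizeof mem);
    memcpy(&mem[STATIC_PTR], "Menu/Texture", 4);   /* "Menu" as a 32-bit value */
    return 1;
}

int main(void) {
    setup_session(0x4000);
    printf("resolved 0x%X, view distance %.0f\n",
           (unsigned)resolve_viewdist_addr(STATIC_PTR), read_viewdist(STATIC_PTR));
    printf("set to 1000: %s\n", set_viewdist(STATIC_PTR, 1000.0f) ? "ok" : "failed");
    setup_bogus_session();
    printf("bogus slot resolves to 0x%X\n", (unsigned)resolve_viewdist_addr(STATIC_PTR));
    return 0;
}
```

C because the trainer itself is native Win32 code; against a real process the three helpers would wrap ReadProcessMemory/WriteProcessMemory and the range check would consult VirtualQueryEx rather than a fixed buffer size. The point the thread circles around survives either way: a base that reads as zero, as text, or as an address outside any mapped region is a failed resolve, and the right response is to do nothing rather than write through it.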
Quick_draw
29th March 2004, 22:14
I have an extra CD key; I would be willing to give it up for the cause as a tester account. Let me know if you guys need it... btw, that crazy nametag cheat is so cool, sneak up and knife them lol
Hufman
29th March 2004, 22:30
What is a tester account please?
caliber1942
29th March 2004, 22:31
I hate to say it, test0r, but I think you are doing something wrong. However, you could be right. Therefore I will test my hack on a machine at home (I currently only use it on my power laptop) and also on my brother's computer. If it works on all three, then I am going to have to say you are doing something incorrectly. If it doesn't, then this will be most confusing... I will say that the address I PMed you is pretty far down in the code. The fog ones are much closer to the beginning of the code (lower address).
Btw, you could have PMed those addresses instead of posting them. Some "public" users are actually anti-cheat and could just jot those down and send them in without having to deconstruct the hack. Anyway, I know I am too paranoid about this, but I hate it when we give out specific code and specific addresses in the threads.
test0r
30th March 2004, 01:12
Yes, you are right. But I CAN say that I am doing nothing wrong with your address...
Test it and tell us if it works.
Please also tell me if you had the same fog address as I posted (I deleted the post, so they are no longer there for the ACs ;)). Hey, normally I don't post any offsets that shouldn't be public. But just open my hack with OllyDbg and look in the code. There it stands... so in this case it doesn't matter very much ;)
caliber1942
30th March 2004, 03:06
One of the offsets WAS the same for FOG. I only change one; I don't worry about the fogbegin. Anyway, when I get to test this I will let you know what happens.
ace004
30th March 2004, 04:15
Thanks a lot for the hack; it's awesome to see someone release a hack for BFV.
test0r
30th March 2004, 15:55
Yes, it is pretty easy with fog (and it works ;)). The fog begin is 4 bytes behind the fog end in memory. The base addresses are the same for both; you only have to add fogend_offset-4 to the base :D
test0r
30th March 2004, 19:47
Awaiting your testing results, caliber, for my next hack version (though I already tested your address on my machine, which didn't work).
And no, you don't have to worry that I'll steal your offsets: I want to find out myself, so I would try it again on my own ;)
caliber1942
30th March 2004, 21:16
Not a problem. Closing on a house this week and finishing up moving, so I haven't been doing much on the computers at home. Go ahead and work on some other hacks. I promise I will let you know as soon as I have tested.
I already have zoom worked out, but I haven't even worked on tags yet... bwahaha. Everybody already has tags/3D map. Maybe you can send me the offsets for that one and save me some work... haha
test0r
30th March 2004, 21:29
Hehe, you once said that you have much fun when hacking the game. So try it first; if you don't get it (impossible ;)) I'll help you lol :D
BTW, accuracy is also very simple; already added it to my hack...
caliber1942
30th March 2004, 21:52
Thanks. You are right. Getting the address would spoil the fun. I don't think I have actually played the game as much as I have spent time hacking it. Heh.
Spontaneous
30th March 2004, 23:56
caliber1942, boy do I know that feeling. It seems like most of my playing time turned into making-my-own-hack time. My brother is like, "Come on man, I wanna play with you," and I am always busy working on the hack. That's why I took a couple of days just to play and not work on the hack at all.
caliber1942
31st March 2004, 08:34
Yeah, today I just ended up using the time I had to mess with this to just play. I have radar/map, no fog, and zoom with my hack, and it was fun. Sniping became kind of the thing I enjoyed the most. However, being able to capture the flags gave me a lot of points in most games. The action is usually up close. It's definitely different than BF1942 and DC.
NightStalKeR
1st April 2004, 06:14
I've been watching this thread and now I'm wondering when test0r is going to add fog to his hack? I'm not pressuring him, I just would like it soon since you guys have got it working.
test0r
1st April 2004, 12:48
ok, I think I will release v0.99 today - am working on it. I already added Accuracy and I think I then also will add NoFog. The thing is (why I waited) that view distance is not working - only fog. I think for the NoFog-Hack I will simply set fog to 1000, so you have "no Fog" on any map.
I don't think that anyone needs a "fog-zoom" feature like in DrKenneth's hack, e.g. If you want to see all, you want absolutely no fog and not only "a part" of it away - right?
Smallshop
1st April 2004, 14:00
test0r,
How about adding a "all on/all off" hotkey?
Makes it much easier to activate.
Other than that, great stuff! Keep it coming!
test0r
1st April 2004, 15:41
ok, if you want it you get it :D
Spontaneous
1st April 2004, 16:19
Yeah, that's one of the options I had to have for myself in my hack. An all on/off button.
test0r
1st April 2004, 18:05
I have a little question for you. Are there any very "special" features you need a console hack to enable? I mean, is there a command that enables such a feature?
If so, tell me that console command, because I made a console hack and don't know if I should implement it in my hack: currently I don't know any commands that do something my hack doesn't already do (e.g. renderer.fogstart, renderer.fogend).
BTW, I also figured out that setting game.viewdistance to a bigger value than the one set in the map's RFA doesn't work...
So just tell me those (very great) commands plz ;) (Maybe you have a complete list of BFV console commands?)
Thx! :D
caliber1942
1st April 2004, 20:08
I do think that the viewdistance makes a great difference when you turn the fog off. Otherwise you can only see a short distance, there is just no fog haze. If you don't have a greater viewdistance, then having the fog off will only be of a small benefit. You can probably make a code cave that writes the dynamic location of the viewdistance to an address that you know of, and just read from that to determine the dynamic address at runtime; then you can have your trainer write to that address. And NO, I still haven't tested my hack on other computers, although I did e-mail my brother a copy of the hack. We'll see what he says (if it works there). Anyway, the workaround is a code cave that stores the dynamic address for the viewdistance into an empty address space for reading by your trainer.
test0r
1st April 2004, 20:51
lol caliber, yes you are right. But go read this thread again ;)
There is a very long post from me, where I described that I tried the second DMA-defeating method with code caving. Short version: I tried every one of the BP locations and I also got a base address at my static "position"/address - but that value wasn't always the same - it changed e.g. when shooting while minimized - it seemed that the listed asm code (in the autohack window) is also used by another part of BFV.. (and yes, I tried many combinations and directions at every instruction of the listed BPs)... So I think the conclusion of this is: if the "easier method" of defeating DMA doesn't work, then any other method won't work either...
Hope your brother will answer you soon (am very interested) ;)
again:
anyone knows a "nice" console command that SHOULD be unlocked?
Spontaneous
1st April 2004, 21:50
game.vertexfogenable 1/0
I found the command once in IDA Pro but didn't really know where to go from there. I don't know if editing this value would change viewdistance at all. That's the only one I found so far. I can look for viewdistance in IDA Pro once more and see if I can find a console command.
test0r
1st April 2004, 22:00
game.viewdistance or game.setviewdistance, but as I mentioned it doesn't work (no bigger than the map's view dist).
I tried renderer.vertexfogenable 0/1, which doesn't work either (and yes, the console hack is on); will try yours...
caliber1942
2nd April 2004, 00:41
I see what you are saying. However, you don't need to find anything but the actual address. You would do this in the code cave. For instance, let's say the address is 1F5663E1 or something, which holds the value (float) for the viewdistance. OK, we know this address changes (dynamic), but we know that when we autohack and debug in TSearch, several areas of bf1942 access that address. For instance there might be the command mov eax, (ebp+0x9C) or something. I won't post the actual code or actual offset, this is just a fake for-instance command. The command mov eax, (ebp+0x9C) might be at the memory location 5E7761 or somewhere. However, we know that that instruction will always be at that same location (mov eax, (ebp+0x9C) is at location 5E7761 every time we play the game). We know that ebp+0x9C points to the address which is holding the float value for the viewdistance. So you basically make a code change at location 5E7761 which jumps to your code cave (let's say we place our code cave at location 430000). The command mov eax, (ebp+0x9C) might take up 8 bytes of space or something, so you have to make sure that your jmp takes up 8 bytes by using nops at the end of it, or some useless code that takes up the space if it doesn't match up with that command. You with me so far? Then you store the value that you want the viewdistance to be at another address (like at 420000 or something). Store it in four bytes (float) for a high value like 1000 or 3000 or something. OK, then the code cave at 430000 would be like so:
430000 mov (ebp+0x9C), (420000) ; copy contents of 420000 to viewdistance address
430008 mov eax, (ebp+0x9C) ; restore original command
430011 jmp 5E7769 ; jump back to code beyond original command
In this way you could dynamically change the viewdistance by simply writing to the address at 420000. Then the code cave would get that value each time that the section of code at 5E7761 is called. Now, like I said, ALL the commands and addresses and offsets are made up here, as well as the amount of space the commands take up in memory, so just use this as a guide on doing the code cave. I can't see a reason why this wouldn't work. Although defeating the DMA is much easier if it works (which it seems it won't in your case, and possibly mine, although not tested).
what ya think-
Spontaneous
2nd April 2004, 00:47
Yep, that's how I would do it. That's why I was so into learning how to do the console unlock hack but never figured it out. Because when you can change the value inside the game, you can breakpoint on it to get the correct static address for viewdistance no matter what addresses you have been using.
bf194lover
2nd April 2004, 10:26
Greets,
430000 mov (ebp+0x9C), (420000) ; copy contents of 420000 to viewdistance address
430008 mov eax, (ebp+0x9C) ; restore original command
430011 jmp 5E7769 ; jump back to code beyond original command
in this way you could dynamically change the viewdistance by simply writing to the address at 420000. then the code cave would get that value each time that the section of code at 5E7761 is called
This is very similar to what I did a while ago in my helper DLL ;)
Snippet from my helper code ;)
...
float g_currentViewDistance = 1000.0;
__declspec(naked) void ViewDistance_Cave()
{
__asm
{
..... ; instructions left for brevity
MOV EDI, g_currentViewDistance
MOV DWORD PTR SS:[EBP+02Ch], EDI
MOV EDI, <immediate return address>
JMP EDI
}
}
This way one only needs to change the value of "g_currentViewDistance" to achieve the desired results.
There is a more elegant way if you don't "automagically" bring a code/data area into the enemy process space, or don't want an extra data cave/address for the float value...
Just modify the immediate value of the register load operand each time.
Example:
....
MOV EDI, 11223344 ; immediate value, "11223344" is filled with view distance float value (sizeof(float) == 4)
MOV DWORD PTR SS:[EBP+02Ch], EDI
// MOV EDI, 11223344 = 0xBF,0x44,0x33,0x22,0x11
Write the view distance (float) value to address of immediate operand.
WriteProcessMemory( ... operand_address, ..., &currentViewDistance, sizeof(float), ....)
Regards
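The two posts above describe the same mechanism in words and in inline asm: overwrite the instruction at a known code address with a JMP into a cave, have the cave write the wanted float to [EBP+2Ch], re-execute the displaced instruction and jump back, and (bf194lover's variant) let the trainer change the distance by rewriting only the imm32 of the cave's MOV EDI. The following C program is an added example, not code posted by either of them: it produces those patch bytes for a 32-bit x86 target in a local buffer and never touches a live process. The hook address 0x5E7761 and cave address 0x430000 are caliber1942's made-up values, the displaced instruction is his example mov eax,[ebp+9Ch] (whose real encoding is 6 bytes, not 8), the 0x2C offset is from bf194lover's snippet, and using a direct JMP rel32 for the return instead of MOV EDI,addr / JMP EDI is my choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 stores immediates and rel32 displacements least-significant byte first. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* rel32 operand of an E9 JMP whose opcode sits at `from`: target minus the
 * address of the following instruction (from + 5). Unsigned wraparound yields
 * the two's-complement encoding for backward jumps. */
uint32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return to - (from + 5u);
}

/* Bytes written over the original instruction: JMP cave, then 0x90 NOPs so the
 * patch covers exactly orig_len bytes (caliber1942's "nops at the end").
 * Returns 0 if the instruction is shorter than the 5-byte JMP; then the next
 * instruction would have to be relocated as well. */
size_t build_hook_patch(uint32_t hook_addr, uint32_t cave_addr,
                        size_t orig_len, uint8_t *out)
{
    if (orig_len < 5u)
        return 0;
    out[0] = 0xE9;
    put_le32(out + 1, jmp_rel32(hook_addr, cave_addr));
    memset(out + 5, 0x90, orig_len - 5u);
    return orig_len;
}

/* Cave layout (fixed, so the trainer knows where the float immediate lives):
 *   +0            BF imm32    MOV EDI, <float bits>        (immediate at +1)
 *   +5            89 7D 2C    MOV DWORD PTR [EBP+2Ch], EDI
 *   +8            <orig>      displaced original instruction
 *   +8+orig_len   E9 rel32    JMP hook_addr + orig_len */
#define CAVE_IMM_OFF 1u

size_t build_cave(uint32_t cave_addr, uint32_t hook_addr,
                  const uint8_t *orig, size_t orig_len,
                  float view_distance, uint8_t *out)
{
    uint32_t bits;
    size_t off = 0;

    memcpy(&bits, &view_distance, sizeof bits);   /* IEEE-754 bit pattern */
    out[off++] = 0xBF;                            /* MOV EDI, imm32 */
    put_le32(out + off, bits); off += 4;
    out[off++] = 0x89; out[off++] = 0x7D; out[off++] = 0x2C; /* MOV [EBP+2Ch], EDI */
    memcpy(out + off, orig, orig_len); off += orig_len;     /* original insn */
    out[off] = 0xE9;                              /* JMP back past the patch */
    put_le32(out + off + 1, jmp_rel32(cave_addr + (uint32_t)off,
                                      hook_addr + (uint32_t)orig_len));
    return off + 5u;
}

/* The trainer's runtime update, i.e. what its WriteProcessMemory call does:
 * overwrite only the four immediate bytes, never the BF opcode. */
void patch_view_distance(uint8_t *cave, float v)
{
    uint32_t bits;
    memcpy(&bits, &v, sizeof bits);
    put_le32(cave + CAVE_IMM_OFF, bits);
}

float read_view_distance(const uint8_t *cave)
{
    uint32_t bits = get_le32(cave + CAVE_IMM_OFF);
    float v;
    memcpy(&v, &bits, sizeof v);
    return v;
}

int main(void)
{
    const uint32_t hook = 0x5E7761u, cave_at = 0x430000u;     /* made up, from the thread */
    const uint8_t orig[] = { 0x8B, 0x85, 0x9C, 0x00, 0x00, 0x00 }; /* mov eax,[ebp+9Ch] */
    uint8_t patch[16], cave[32];
    size_t n, i;

    n = build_hook_patch(hook, cave_at, sizeof orig, patch);
    printf("patch @%08X:", (unsigned)hook);
    for (i = 0; i < n; i++) printf(" %02X", patch[i]);
    n = build_cave(cave_at, hook, orig, sizeof orig, 1000.0f, cave);
    printf("\ncave  @%08X:", (unsigned)cave_at);
    for (i = 0; i < n; i++) printf(" %02X", cave[i]);
    patch_view_distance(cave, 15000.0f);
    printf("\nview distance now %.1f\n", read_view_distance(cave));
    return 0;
}
```

The cave's own bytes are position dependent only in the final rel32, which is why both the patch and the cave have to be built against the address the cave will actually be written to; the float immediate sits at a fixed offset, so the trainer can update it without ever knowing where [EBP+2Ch] points.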
test0r
2nd April 2004, 10:35
caliber: This is the way I did it. I did it exactly as you said! But that can't be done if that part of the code is also used by other addresses (other than view dist). The thing is, the address that 420000 (e.g.) contains CHANGES. And as I said, I tried every instruction listed in the autohack window. You have to find a truly static instruction that is only used by the view dist (so that ebp+0x9C stays the same while BFV is running), and I didn't find any of them.
As I mentioned, for example, the address (in 420000) changed when I shot and then minimized the game (and kept shooting). You cannot tell me that you would take this solution if the address changes every time you shoot (you can find that out by simply adding the "store" address (420000) to the T-Search cheat list and looking at its value)...
Maybe you, Spont or caliber, could try the method now and then post your practical results ;)
bf194lover: yes, that would work, but did you test that ebp+0x2C always points to the same address? If not (which is what my results show), you write 1000.0f or so to another address as well. OK, the program doesn't crash, but I think it's no elegant solution.
bf194lover
2nd April 2004, 11:46
Hi,
bf194lover: yes, that would work, but did you test that ebp+0x2C always points to the same address? If not (which is what my results show), you write 1000.0f or so to another address as well. OK, the program doesn't crash, but I think it's no elegant solution.
Of course it works everywhere... every time.
The code examples I posted are _injected_ code which is called when getting/calculating distance values.
No need to know where [ebp+2C] or any other dynamic address points to, because the code is called in the context of the bfv module = always valid.
Of course, if you don't inject code/a code cave, there is no reliable way to get dynamic addresses.
Regards
test0r
2nd April 2004, 12:14
Yeah OK, but if the address changes as I said, then you cannot really get the valid current view distance - understand? Because when ebp+2C sometimes points to another address (not the view dist), then I cannot get it into my trainer and reset it if needed. In your example you only write a value to it - this can be done by me too...
Anyways, can you PM me the exact address of the instruction where you jump to your code cave (think it is one of the addresses listed in autohack window).
bf194lover
2nd April 2004, 15:55
but if the address changes as I said, then you cannot really get the valid current view distance - understand? Because when ebp+2C sometimes points to another address (not the view dist), then I cannot get it into my trainer and reset it if needed. In your example you only write a value to it - this can be done by me too...
Of course the dynamic address is only valid in the context of the bfv module's execution flow - that is, the code/function referring to it.
Say: dereference the dynamic pointer when it is accessed.
You try to "capture" the address and use it like a "static" pointer, which will never work reliably
(e.g. run some code, get the [ebp-2C] value and "transfer" it to the trainer, run WriteProcessMemory(address, distance float) on it).
That way you never know when the game engine drops it and allocates a new area for variable data (e.g. the pointer changes).
Just use code _in place_ (correct context) to modify the value.
There is no need to transfer the pointer value to a trainer.
In your example you only write a value to it - this can be done too by me...
So whats wrong? I can change the distance value at any time from injector/trainer - i know where to replace the "static" immediate operand.
Regards.
test0r
2nd April 2004, 17:05
You don't understand me.
What I figured out is this: the asm instructions that access the view distance are also used by another variable/address. I added this one to T-Search (I looked at my store address (the one I write to from my code cave) and added 0x2C to it - and yes, when BPing this one, the specific asm code of view dist is listed) and found out that it is also a float, but that it has to do with the "draw routine" of the weapons (first person). Its default value is 1000.0, but e.g. when you change it to 1 the weapon isn't completely rendered/drawn when shooting. So this means: if I (always) write to the view dist address at this point (look at your example), then that value is also written to the "weapon render" address/value when BFV executes that code (every game loop).
I don't know why, but it is true that BF executes this part of the code 3 times (there is also a third address - also a float - default 40000.0). Hope you now understand what I mean.
bf194lover
2nd April 2004, 22:35
Seems I didn't pay enough attention .. sorry ;)
Yes the function is used at least 3 times for calculation.
The caller is the same every time.
COND: ViewDist = 40000.000000000000000
COND: ViewDistAddr = 10B8FCFC
COND: ViewDist = 100.0000000000000000
COND: ViewDistAddr = 10B8FCFC
COND: ViewDist = 100.0000000000000000
COND: ViewDistAddr = 1D27158C
COND: ViewDist = 40000.000000000000000
COND: ViewDistAddr = 10B8FCFC
COND: ViewDist = 100.0000000000000000
COND: ViewDistAddr = 015182AC
COND: ViewDist = 1000.000000000000000
COND: ViewDistAddr = 015182AC
...
Dump float vector (ebp relative):
40000.0:
1D292508 1.711459e-38 1.401298e-45 1.046935e-38 9.275532e-39
1D292518 2.938880e-39 1.010205e-38 0.0 1.000000
1D292528 1.000000 1.047198 0.1000000 40000.00
1D292538 0.7500000 1.000000 1.000000 -0.2588190
1D292548 0.0 -0.9659258 0.0 0.0
1D292558 1.000000 0.0 0.0 0.9659258
100.0:
10C3A438 1.711459e-38 2.802597e-45 0.0 0.0
10C3A448 1.000000 1.000000 0.0 1.000000
10C3A458 1.000000 1.047198 0.1000000 100.0000
10C3A468 0.7500000 1.000000 1.000000 -0.2588190
10C3A478 0.0 -0.9659258 0.0 0.0
10C3A488 1.000000 0.0 0.0 0.9659258
Not much difference ... lets try the susceptible ones with more conditional logs:
COND: Value08 = 0.0
COND: Value0C = 0.0
COND: Value2C = 100.0000000000000000
COND: ViewDistAddress = 10C3A464
COND: -------------------------------------
COND: Value08 = 1.0469351659395822480e-38
COND: Value0C = 9.2755322482958664740e-39
COND: Value2C = 40000.000000000000000
COND: ViewDistAddress = 1D292534
COND: -------------------------------------
COND: Value08 = 0.0
COND: Value0C = 0.0
COND: Value2C = 100.0000000000000000
COND: ViewDistAddress = 10C3A464
COND: -------------------------------------
COND: Value08 = 0.0
COND: Value0C = 0.0
COND: Value2C = 100.0000000000000000
COND: ViewDistAddress = 10C3A464
COND: -------------------------------------
COND: Value08 = 1.0469351659395822480e-38
COND: Value0C = 9.2755322482958664740e-39
COND: Value2C = 40000.000000000000000
COND: ViewDistAddress = 1D292534
COND: -------------------------------------
Looks good, another one, now with reverse match:
(FLOAT [ebp-08] == 0.0) && ( FLOAT [ebp-2C] != 100.0)
No output. Good.
That means we have at least 2 ways to differentiate between viewdistance calc and other calculations.
Pseudo code:
if( [ebp-08] == 0.0 && [ebp-0C] == 0.0)
{
// do viewdistance stuff
}
Should be easy to implement.
Regards.
bf194lover
3rd April 2004, 00:47
Uhm well ... forget it ;)
Another session = float vector values the same.
Anyway, I managed to determine the real distance calculations by comparing the value to these 2 constants.
I conditionally logged (negative match) the constants and they were always the same within a game session.
It works, but the results are the same as using the hacked/unlocked console command. It cannot exceed a predefined limit, but works for lower ranges as expected.
Did anyone manage to push ViewDistance to arbitrarily high (>1500.0) values?
Regards
test0r
3rd April 2004, 02:43
ok, it makes me happy that I was right ;)
I now try to understand what exactly you posted there above (I think output of OllyDbg right?) :D
bf194lover
3rd April 2004, 03:01
Yes, it's OllyDbg output minus the real caller/callee addresses ;)
I placed a few conditional log breakpoints to log certain floats and addresses.
Though the logging/windowed mode slows the game down, it's acceptable if you can watch the values/results of the calculations in real time in the logger window while moving around in game.
I simply use fogEnd = viewDistance-1.0, fogStart = viewDistance-2.0 after adjusting viewDistance (to limit) for now.
chilli
3rd April 2004, 03:07
bf194lover, yes, I managed to successfully change the value of game.viewdistance beyond the RFA setting. I.e. if in the RFA it's set to 600, I can change it to 1500. How? Simply by activating the code cave before the map loads ;)
test0r
3rd April 2004, 03:09
can you tell me what the float vector values mean (are they simply a dump of the floats next to the view distance float?)
EDIT: lol OK, yes, they are some float values next to it. I didn't read the above well enough. Now I got it - not that hard :D
@chilli: if you choose one of the four instructions (there should be listed 4 BPs in autohack window) to store the needed address, it seems to be static. But under some conditions also those addresses change (as I mentioned e.g. when you keep shooting and then minimize game), so you never get a 100% static address at the location you read from...
chilli
3rd April 2004, 03:34
I only have 2 listed in my autohack window, test0r
test0r
3rd April 2004, 03:46
ok maybe when not ingame?
ingame you should have 4 instructions
bf194lover
3rd April 2004, 03:51
how? simply by activating the code cave before the map loads
Oh well i forgot that one because i usually enable all the stuff after map load...
I combine it with PB profiler hooks -> don't want to capture unnecessary traffic before/on map load.
Of course it works now (tried some 2000 ... 5000) distances on airplane maps.
But under some conditions also those addresses change (as I mentioned e.g. when you keep shooting and then minimize game), so you never get a 100% static address at the location you read from...
To make sure it works all the time (shoot, minimize..) you need to test for certain conditions when the code cave for viewDistance is entered.
Regards
test0r
3rd April 2004, 03:59
yeah sure bf194lover, I understand it already :D
But how did you get the view distance to work now (which conditions do you test?).
And did you change something since your last try to get it over 1500.0 or did you simply enable it before map load?
@chilli: Empty your Private Message Box - it is full! I cannot send you the PM.
bf194lover
3rd April 2004, 04:30
And did you change something since your last try to get it over 1500.0 or did you simply enable it before map load?
Nope ... just forgot to apply before map load.
I use a large value before map load and later "fine-tune" it to a lower distance in game, because it's a real CPU resource hog to play with large distance values.
FogStart and FogEnd are automagically adjusted after new Distance value (-2.0, -1.0).
Example code:
float g_currentViewDistance = 15000.0;
const float FLOAT1 = 1000.0;
const float FLOAT2 = 40000.0;
__declspec(naked) void ViewDistance_Cave()
{
__asm
{
..... ; omitted for brevity
MOV EDI, FLOAT1
CMP EDI, DWORD PTR SS:[EBP+02Ch]
JE SHORT label1
MOV EDI, FLOAT2
CMP EDI, DWORD PTR SS:[EBP+02Ch]
JE SHORT label1
MOV EDI, g_currentViewDistance
MOV DWORD PTR SS:[EBP+02Ch], EDI
label1:
MOV EDI, <immediate return addr>
JMP EDI
}
}
It might be not the optimal way but it works in every situation(for now).
Both values are constants (for now) ... maybe they need to be re-checked one day ;)
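test0r's objection (the shared routine runs three times per game loop, and an unconditional cave also overwrites the 1000.0 weapon-render value) and bf194lover's final cave (skip the frame when [EBP+2Ch] holds one of the two known constants, then derive fogEnd = distance - 1.0 and fogStart = distance - 2.0) can be checked without the game. The following C program is an added example, not code from the thread: it models the three call sites as plain frames and runs both cave variants over them. The frame values 40000.0, 100.0 and 1000.0 are taken from bf194lover's logged output; which site carries the map's view distance (assumed here to be the 100.0 frame) is my assumption, and the constants, globals and fog offsets follow his post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One caller frame as the shared routine sees it. Only the float the cave
 * reads and writes at [EBP+2Ch] matters, so that is all the model carries. */
typedef struct {
    const char *site;   /* constructed label for the reader */
    float at_2c;        /* value at [EBP+2Ch] when the routine runs */
} frame_t;

/* Constants found at the two call sites that are not the view distance
 * (the weapon first-person draw default and the 40000.0 value). */
static const float WEAPON_RENDER_DEFAULT = 1000.0f;
static const float OTHER_CONST           = 40000.0f;

float g_currentViewDistance = 15000.0f;
float g_fogStart = 0.0f, g_fogEnd = 0.0f;

/* Trainer side: set the distance and adjust fog the way the post describes. */
void set_view_distance(float d)
{
    g_currentViewDistance = d;
    g_fogEnd   = d - 1.0f;
    g_fogStart = d - 2.0f;
}

/* First cave: write unconditionally. Reproduces the collateral write test0r
 * observed on the weapon-render value. */
bool cave_unconditional(frame_t *f)
{
    f->at_2c = g_currentViewDistance;
    return true;
}

/* Second cave: leave frames alone when [EBP+2Ch] equals a known constant.
 * CMP EDI,[EBP+2Ch] compares the raw 32-bit pattern, so an exact float
 * comparison is the faithful model (no tolerance). */
bool cave_conditional(frame_t *f)
{
    if (f->at_2c == WEAPON_RENDER_DEFAULT || f->at_2c == OTHER_CONST)
        return false;
    f->at_2c = g_currentViewDistance;
    return true;
}

/* One game loop: the engine enters the shared routine once per site and the
 * installed cave runs every time. Returns how many frames were overwritten. */
int run_loop(frame_t *frames, size_t n, bool (*cave)(frame_t *))
{
    int written = 0;
    for (size_t i = 0; i < n; i++)
        if (cave(&frames[i]))
            written++;
    return written;
}

/* Constructed sample input using the values from the logged session. */
void make_frames(frame_t out[3])
{
    out[0].site = "40000.0 site";  out[0].at_2c = 40000.0f;
    out[1].site = "view distance"; out[1].at_2c = 100.0f;   /* map-set value */
    out[2].site = "weapon render"; out[2].at_2c = 1000.0f;
}

int main(void)
{
    frame_t a[3], b[3];
    make_frames(a);
    make_frames(b);
    set_view_distance(15000.0f);
    run_loop(a, 3, cave_unconditional);
    run_loop(b, 3, cave_conditional);
    for (int i = 0; i < 3; i++)
        printf("%-14s unconditional=%8.1f conditional=%8.1f\n",
               a[i].site, a[i].at_2c, b[i].at_2c);
    printf("fog %.1f .. %.1f\n", g_fogStart, g_fogEnd);
    return 0;
}
```

The filter only holds as long as the other two sites keep their default values, which is the caveat bf194lover adds himself; if a map or a later patch changed either constant, the conditional cave would silently start clobbering that site again, so the constants are the first thing to re-log when behaviour changes.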