help needed with instant teamchange
4real
15th June 2005, 09:07
Hi there.
I read a little bit about BF2 here and found the screens of somebody changing the team ingame without suiciding. I followed the minimap tut from BFV and found the addy of the 1 byte that makes you change your team and see all enemy soldiers in blue.
Now I have a problem: when writing a code cave with TSearch, I get the addy of the byte (DMA) and the function in BF2.EXE that calls it. So far it's working, but it doesn't make any sense yet :)
See for yourself:
4C2B10 mov [esi+0xD8],edi
This is the addy that puts your team number at the beginning: 1 for MEC, 2 for USMC.
A bigger cut:
.text:004C2AE5 mov eax, [esi+0B8h]
.text:004C2AEB mov ecx, dword_953134
.text:004C2AF1 mov [ebp+var_8], eax
.text:004C2AF4 push 0
.text:004C2AF6 lea eax, [ebp+var_8]
.text:004C2AF9 push eax
.text:004C2AFA push 8
.text:004C2AFC mov [ebp+var_4], edi
.text:004C2AFF mov edx, [ecx]
.text:004C2B01 push 0
.text:004C2B03 call dword ptr [edx+10h]
.text:004C2B06 mov dword ptr [esi+0E8h], 0
.text:004C2B10 mov [esi+0D8h], edi ;here we are!
.text:004C2B16 mov ecx, dword_902DC8
.text:004C2B1C mov edx, [ecx]
.text:004C2B1E push esi
.text:004C2B1F call dword ptr [edx+2Ch]
.text:004C2B22 cmp byte ptr [esi+0D4h], 0
.text:004C2B29 jnz short loc_4C2B4E
Some things are really strange when changing the addy with TSearch manually:
You are on the other team, instantly.
You get the message "Teamkill!" (in singleplayer - I just tested this in singleplayer, because I can pause the game with "gameLogic.togglePause").
You can take your own flag, but not the other one (change your own outpost to an enemy one).
But what remains is that the "enemy bots" try to kill you, as if you didn't change the team.
And of course you see all the enemies in blue, but none of your teammates.
Now I've written a little code cave for TSearch, just to test if it's the real one:
offset 0x10abf
cmp edi,1
je 0x10ad4
mov edi,1
mov [esi+0D8h],edi
jmp 4C2B16
mov edi,2
mov [esi+0D8h],edi
jmp 4C2B16
offset 0x4c2b10
jmp 10abf
When I now start the game, I can't click on MEC :D, it just doesn't work. But that's what the code cave does. My question is now: after taking the DMA addy and saving the [offset] with "LEA ax,[esi+0D8h]" or whatever, how can I change it with a hotkey? I didn't find a TMK to use it with hotkeys (e.g. F12 for setting it to "1" and F11 for "2"). So I thought of directly making a HotkeyHook in the code cave, but I found no examples for that on the net. Could somebody please help me?
Thx in advance!
I am not taking the credit for finding this nor for the hack itself; I just get tired of starting TSearch every time and searching manually :)
greets
PS: @Mods: I have another account here, "p3n1" - but I changed the email and didn't get the new verification mail...
p3n1
15th June 2005, 10:46
So, after 23 hours I finally got the mail, so now I'll just take the one account "p3n1". How can I delete the other one? I can't find the button...
goggles99
15th June 2005, 11:14
You need to find out what code is putting that 1 or 2 into the EDI register in the first place, find out where in memory that 1/2 is read from, and change THAT value; that should get you on the right track. :devious:
p3n1
15th June 2005, 11:26
Thx man!
I think I'll take a closer look at that. But do I really need to do this? All I want is a hotkey that changes the value of the address I already got (esi+0d8h).
But maybe you are right...
Here's the whole function:
.text:004C2AD0 sub_4C2AD0 proc near ; DATA XREF: .rdata:0082BE20
.text:004C2AD0
.text:004C2AD0 var_8 = dword ptr -8
.text:004C2AD0 var_4 = dword ptr -4
.text:004C2AD0 arg_0 = dword ptr 8
.text:004C2AD0
.text:004C2AD0 push ebp
.text:004C2AD1 mov ebp, esp
.text:004C2AD3 sub esp, 8
.text:004C2AD6 push esi
.text:004C2AD7 push edi
.text:004C2AD8 mov edi, [ebp+arg_0]
.text:004C2ADB mov esi, ecx
.text:004C2ADD cmp [esi+0D8h], edi
.text:004C2AE3 jz short loc_4C2B4E
.text:004C2AE5 mov eax, [esi+0B8h]
.text:004C2AEB mov ecx, dword_953134
.text:004C2AF1 mov [ebp+var_8], eax
.text:004C2AF4 push 0
.text:004C2AF6 lea eax, [ebp+var_8]
.text:004C2AF9 push eax
.text:004C2AFA push 8
.text:004C2AFC mov [ebp+var_4], edi
.text:004C2AFF mov edx, [ecx]
.text:004C2B01 push 0
.text:004C2B03 call dword ptr [edx+10h]
.text:004C2B06 mov dword ptr [esi+0E8h], 0
.text:004C2B10 mov [esi+0D8h], edi
.text:004C2B16 mov ecx, dword_902DC8
.text:004C2B1C mov edx, [ecx]
.text:004C2B1E push esi
.text:004C2B1F call dword ptr [edx+2Ch]
.text:004C2B22 cmp byte ptr [esi+0D4h], 0
.text:004C2B29 jnz short loc_4C2B4E
.text:004C2B2B mov ecx, dword_95C5FC
.text:004C2B31 mov eax, [ecx]
.text:004C2B33 call dword ptr [eax+2Ch]
.text:004C2B36 cmp eax, esi
.text:004C2B38 jnz short loc_4C2B4E
.text:004C2B3A mov edx, [esi]
.text:004C2B3C mov ecx, esi
.text:004C2B3E call dword ptr [edx+50h]
.text:004C2B41 push eax
.text:004C2B42 call sub_54A3E0
.text:004C2B47 mov ecx, eax
.text:004C2B49 call sub_54A230
.text:004C2B4E
.text:004C2B4E loc_4C2B4E:
; CODE XREF: sub_4C2AD0+13
; sub_4C2AD0+59
.text:004C2B4E pop edi
.text:004C2B4F pop esi
.text:004C2B50 mov esp, ebp
.text:004C2B52 pop ebp
.text:004C2B53 retn 4
.text:004C2B53 sub_4C2AD0 endp
I'll fire up OllyDbg to see where this function is called from...
But the hotkey function is what I really need. Got to go to work now, after that I'll check it again...
HelioS
15th June 2005, 14:24
Let me start by saying that I never did a BF hack before.
I just wanted to test the demo; I got annoyed by the fact that the built-in radar/ESP was distracting me from the actual enemy (I make radars/ESP for Unreal-based games, so I'm used to looking at it for target spotting :) )
I started to look at the BF code and found a virtual function that does this:
0055A8A0 8B81D8000000 mov eax,[ecx+000000D8h]
Let me call this function GetTeam() for easy reference, because what it does is return the team number (1 or 2).
GetTeam() has an entry in 3 virtual function tables at
0x0082BE24
0x0086110C
0x0087C498
Only the entry at 0x0082BE24 seems to be interesting (it gets called the most).
OK, what I did now is hook GetTeam() and log the return address so I know where it gets called from. Here is the output of this log. It is sorted by the amount of calls it received from that return address when I kept it running for about 1 min in a single player game.
Address     Count
0x717ff1    35550
0x717ffd    35550
0x718017    18960
0x718023    18960
0x71f8c2    18960
0x71f8ce    18960
0x71faa2    18960
0x71fadb    18960
0x71fae7    18960
0x71fab9    9480
0x71827b    9480
0x718288    9480
0x7182a6    9480
0x7182b2    9480
0x36cf481   8295
0x36cf48e   8295
0x36cf5ba   8295
0x36cedcb   8295
0x36cedd7   8295
0x36cf05f   8295
0x36cf06b   8295
0x3742b95   8295
0x71d6e2    7110
0x579fbe    3555
0x4435e4    2700
0x54bcbc    1203
0x5f6961    640
0x4ade37    150
0x7b017a    39
0x545ea7    32
0x4a5f8e    16
0x6f2bac    16
0x4a5447    16
0x49407f    15
0x4af318    15
0x4af53a    15
0xf9dbba4   15
0x4a5fd6    12
0x55356e    8
0x4af4b2    6
0x73b9a4    1
Another thing I tested was returning the same team number in the hooked GetTeam(), e.g. team 2. The result of that was that the round was over in 1 sec (single player) because the game thought all players were on the same team and all flags were captured by that team.
At this point I got bored and went to sleep :P
I hope it can help some of the regular BF hackers, because like I said I never made a BF hack before.
Greets HelioS
Sparten
15th June 2005, 14:36
Interesting, thanks for sharing.
p3n1
15th June 2005, 15:11
Really interesting, I'll take a closer look at these, because the final release should look like all enemies are red on the minimap and "spotted" :)
Regarding the 1 sec round, I experienced something like that - I started on USMC, the round continued until the MEC had no base left, but more than 120 tickets. I changed my team to red (instant) without joining it... as long as I stayed on MEC the round continued. But after all other remaining MECs got killed, I changed again to my real team and the round was over :)
I see we've got a lot of work to do :)
caliber1942
15th June 2005, 17:53
I really am not all that up on OllyDbg. Can someone share with me how to "hook" a line of code and do what HelioS did? I found the address 55a8a0 using TSearch and then did a DMA defeat to do a maphack. However, it would be nice to know how to get OllyDbg to show me the areas of code that are calling that function at 55a8a0. How do you find "functions" in the first place? My knowledge of Olly is really lacking (and debuggers in general).
Thanks!
Spontaneous
15th June 2005, 18:00
Usually when they say hook, they mean they injected their own DLL that has code to hook the function and log it themselves, not through Olly.
caliber1942
15th June 2005, 18:19
Thanks Spon. Can you use Olly to tell you which line of code called other code? For instance, breakpointing line X and then having Olly pause at line Y when line Y calls line X?
Thanks-
_talon
15th June 2005, 18:24
I repeated this in a server; it was quite funny how pissed people got (Germans I think).
They kept yelling at me to switch teams and start dying when I do it LOL
They kept getting teamkills when they tried to kill me too.
It was great fun...
HelioS
15th June 2005, 19:14
I hooked the constructor of the Player and logged the Player address to file.
I hooked the constructor before I even logged in to my account.
Constructor Address: 004C89E0 SUB_L004C89E0:
This is the output of the log when I joined a server with 11 or 14 players in it:
ObjAddress 0x2be6a7c
ObjAddress 0xd23238c
ObjAddress 0xd2073cc
ObjAddress 0xd2d918c
ObjAddress 0xd4ef264
ObjAddress 0xd531634
ObjAddress 0xd523ecc
ObjAddress 0xd520b54
ObjAddress 0xd50b0f4
ObjAddress 0xd507dac
ObjAddress 0xd4eff7c
ObjAddress 0x2c51b0c
ObjAddress 0x382abaf4
ObjAddress 0xd487914
ObjAddress 0x2c2e634
It seems that ObjAddress 0x2be6a7c is always the same.
After the Player object is constructed the pointer to it probably gets stored in a dynamic array. If you find the address of that array you can access any player or object within the game.
caliber1942
15th June 2005, 19:31
HelioS, how are you finding these specific functions? How did you discover that the "constructor" function was at 004c89e0? This is the type of stuff I need to learn, using tools to help me find the various functions of the program. For instance, there has to be a function in the game that draws the mini-map. It probably calls other subfunctions. One of those functions or sub-functions likely draws the little icons (player dots and player vehicles) on top of the terrain on the mini-map. How would I go about isolating that function and the address it begins at? Also, part of the function likely has a check to see what team you are on and then draws the icons based on that team. Also, there is probably a line of code that actually draws in an RGB value for the color of the player dots on the map. Anyways, this is just an example. How would I find the code that displays or doesn't display the enemy tags when you put the mouse over an enemy? The list goes on and on. Is OllyDbg good for this sort of thing, or do I need more tools? It's nice that Olly lets you step through the program line execution, but you can't make heads or tails of that, and plus it's insanity to move through that much code line by line trying to make sense of it.
BTW, yes, the player's team address is stored in a dynamic array. There is a static pointer that can be found that you can use to find the dynamic array, but this static pointer likely changes places on each person's machine but stays static for that computer (we ran into this in the past with Vietnam and certain dynamic address pointers). At any rate, if you find the code that reads that address (as you pointed out above the location of that code) then you can code cave and capture the address that way, you can use SEH and detours to send info about a register (ecx+0xd8) to another address in memory for reading, or use DMA defeat by finding the static base pointer. Most if not all these methods are discussed, but the most difficult (but most elegant) is the SEH/detours route.
Interesting. I am wanting to learn more about how to find specific code and isolate functions like I discussed above-
best,
cal
HelioS
15th June 2005, 19:33
I made my own array to store those Players in and looped through them mid-game:
TeamNum for Player (0x2be6a7c) = 2
TeamNum for Player (0xd23238c) = 1
TeamNum for Player (0xd2073cc) = 1
TeamNum for Player (0xd2d99ec) = 1
TeamNum for Player (0xd4dce2c) = 2
TeamNum for Player (0xd4e83b4) = 2
TeamNum for Player (0xd527fcc) = 2
TeamNum for Player (0xd521224) = 2
TeamNum for Player (0xd51b4bc) = 1
TeamNum for Player (0xd506934) = 2
TeamNum for Player (0xd50847c) = 1
TeamNum for Player (0xd4ecdac) = 2
TeamNum for Player (0xd4ddbcc) = 1
TeamNum for Player (0xd4dfdbc) = 2
TeamNum for Player (0xd4ae5cc) = 2
TeamNum for Player (0xd4097b4) = 2
TeamNum for Player (0xd35700c) = 2
TeamNum for Player (0x2c5d354) = 2
TeamNum for Player (0x2be5b9c) = 2
TeamNum for Player (0xe9d800c) = 1
TeamNum for Player (0xd38a204) = 2
TeamNum for Player (0xd389b34) = -1083547860
TeamNum for Player (0xd389464) = -1083547860
TeamNum for Player (0xd386a54) = 2
TeamNum for Player (0xd38519c) = 2
TeamNum for Player (0xd384acc) = 2
TeamNum for Player (0xd3843fc) = 2
TeamNum for Player (0xd383d2c) = 1
TeamNum for Player (0xd38365c) = 2
TeamNum for Player (0xd381e54) = 2
TeamNum for Player (0xd3fe95c) = 2
TeamNum for Player (0x382ef31c) = 2
TeamNum for Player (0x382d9f54) = 2
Where it says -1083547860 the player probably became invalid or died, ... got overwritten by other data, so it messed up the teamnum.
PS: It would be a lot easier if we had an SDK for this game :P
Spontaneous
15th June 2005, 20:00
We've been begging for SDKs for the BF series for years now. I highly doubt we will ever get one.
goggles99
15th June 2005, 21:37
HelioS, how are you finding these specific functions? How did you discover that the "constructor" function was at 004c89e0? This is the type of stuff I need to learn
cal
Do you know C++?
Just think about it if you do...
When an object is created, the pointer to the DMA variable is populated with an address. Just BP the future pointer's address before the constructor is called. The constructor will populate this address and can be found meanwhile with the BREAKPOINT-on-WRITE. :laugh:
Oh yeah, also there are the vtables, which should point to the constructors; they can be found by looking through an IDA analysis.
Correct me if I'm wrong HelioS...
I'm not thinking too clearly right now :vis:
Though I don't like this demo so far as much as many others, I am sure glad that it brings pros like HelioS here to the Battlefield section. :cool:
HelioS
15th June 2005, 23:08
Exactly, I followed the vfTable I mentioned earlier that the GetTeam() function is in.
It pointed me to the constructor(s).
I think a player in BF has 2 constructors but only one is called.
Hmm, come to think about it, the other one could be the destructor.
I need to test some more :)
caliber1942
16th June 2005, 00:09
I have IDA Pro and also OllyDbg. Are these the only two tools I need? Sorry if I seem newbish on this, but I haven't been doing much of this reversing - mainly finding addresses and trying to make my hacks where PB won't find what it does to these addresses. At any rate, I'm not even sure what a constructor is, so maybe I need some help in finding some tutorials on this stuff so I don't tie up this thread (unless that is OK).
Also glad to see HelioS here-
Thanks goggles-
cal
Spontaneous
16th June 2005, 05:17
caliber, as I told you before, it's using C++ and a DLL he made himself. It's not Olly or IDA Pro. He used C++ to make his own DLL to inject into the process, and knowledge of memory and how programs work to log that stuff. He didn't use tools.
p3n1
16th June 2005, 05:59
@caliber1942
Two or three days ago, I had no idea either which tools to use. Here comes a little introduction to the tools I used. That does not mean everyone uses the same tools, but they are a good choice. I did some cracks before; game hacking is new to me...
IDA - good for quick n dirty disassembling, more dirty than quick - kinda like W32Dasm
OllyDbg - best debugger out there besides SoftICE, but it's not low level (system level) - comes with great plugins and a nice trace function. If you got an autohack addy from TSearch (as described in TSearch's help) you can attach Olly to BF2 (if I load BF2 within Olly, it crashes). Start a BF2 singleplayer server, pause it with the console command (gameLogic.togglePause), then Alt+Tab to Olly, attach to the process, go to the autohack address and set a memory breakpoint, run BF2 again, wait until it breaks and look under "K" or cache for the functions that referenced the addy. Then you can use IDA to analyze the code...
I'm just too drunk to get along with the cheats today, it has to wait until Friday...
Other tools or sites I recommend going to or searching for: (please note that I will not post working links, just suggestions for Google...)
memory search tool: TSearch, usa_mimi
debuggers, analyzers: IDA, OllyDbg (+OllyDump), W32Dasm, Debuggy
code patcher, TMK-like: programmerstools (@google), they got all kinds of tools
other links (@google): gamehacking, zor
Gotta have some sleep...
caliber1942
16th June 2005, 18:11
Thanks for the heads-up, p3n1, that's the kind of info I was looking for. Wasn't sure how to use Olly to find those functions ("K" cache thingie). I need to use IDA more to see what it shows me as compared to other code disassemblers.
Spon, I realize what you said before. Just wanting some tips to use the tools better and get a hold of what Olly and IDA can do for me. I can write my own DLLs then and provide data for the forum at that point, too-
Thanks for the tips-
caliber1942
16th June 2005, 23:35
Some more info:
HelioS---> I may be wrong or misunderstood your post about the return addresses and such, and it looks like your list may be incorrect. Now realize I am new to this and maybe I don't understand what info you are trying to give us. However, I made my own list of calls to address 55A8A0 and here they are (I did this for both bf2.exe and RendDX9.dll):
bf2.exe
-------
0579fb8 / 721196
07180ba / 72060c / 7213ac
07180c6 / 72060c / 7213ac
0718275
0718282
07182a0
07182ac
0717feb / 72060c / 7213ac
0717ff7 / 72060c / 7213ac
0718011 / 72060c / 7213ac
071801d / 72060c / 7213ac
071f8bc / 72147e
071f8c8 / 72147e
071fa9c / 72147e
071fab3 / 72147e
071fad5 / 72147e
071fae1 / 72147e
0717feb / 71fa55 / 72147e
0717ff7 / 71fa55 / 72147e
0718011 / 71fa55 / 72147e
071801d / 71fa55 / 72147e
07180c6 / 71fa55 / 72147e
071d6dc / 7214d2
04435de
054bcb6 / 49ba51 / 40bca7 / 402994 / 402b93 / 402c34 / 7d6088
-------
RendDX9.dll
-------
036cf47b / 36d1102 / 36d1a4d / 35fc942
036cf488 / 36d1102 / 36d1a4d / 35fc942
036cf5b4 / 36d1102 / 36d1a4d / 35fc942
036cedc5 / 36cf030 / 36d1111 / 36d1a4d / 35fc942
036cedd1 / 36cf030 / 36d1111 / 36d1a4d / 35fc942
036cf059 / 36d1111 / 36d1a4d / 35fc942
036cf065 / 36d1111 / 36d1a4d / 35fc942
03742b8f / 3743162 / 36d1a68 / 35fc942
It looks like your addresses are actually the next line of code. For instance:
Address 0x579fbe
Count 3555
Address 579fbe is the line of code after the code at address 579fb8, which actually makes the CALL to the address at 55A8A0. Once again, maybe I misread your message and I don't "get" what you were trying to show us with that list of addresses. I verified my addresses and they all CALL the function at 55A8A0, which appears to be the function GetTeam(). The "/" and addresses after the address are other functions that may have been the calling function (layers of them). So:
07180ba / 72060c / 7213ac
The function called at 7213ac called the function that the call at 72060c is in, and the call at 72060c is calling the function that the call at 7180ba is in, which ends up being the call to 55a8a0. But 07180ba is the line of code that is making the CALL to 55a8a0, not 072060c or 07213ac........... understand? Confused yet?
I did this by pausing the game while playing singleplayer and then breakpointing and logging the addresses. Interestingly, it loops through these addresses over and over as you would expect, in nearly the same order each time, although addresses that have lots of previous functions calling them such as:
07180ba / 72060c / 7213ac
appear to be in loops and repeat several times within the main loop. I am hoping that this info and also some trial and error and maybe learning the tools more will help me to isolate the code where the game decides which players to display based on the player's team number, the friendlies or the enemies-
By the way, I am still learning IDA (and Olly for that matter). What and where is the vfTable within IDA? How do I access it, and also how did you find GetTeam() from it (or did you just make that name up yourself after you decided that this is what the code does)? Thanks again, and sorry if I am stupid and said something wrong here.
best,
cal
HelioS
17th June 2005, 18:40
Atm I'm using PE-Explorer, OllyDbg and TSearch.
IDA is fine too, but I like PE-Explorer (don't ask me why :P )
The GetTeam() function is just named by me, because I found out what it did.
My return addresses for GetTeam() are correct because I hooked the actual function and logged the address from _ReturnAddress() (Google is your friend).
It is not the calling address but the address of the operation right after GetTeam() ends.
I found player names within the Player class, but it seems the names are only stored there in singleplayer games and not in multiplayer.
I did some extra testing on a dedicated server in my LAN with 2 people connected to it.
I looked up the address of the enemy, attached the TSearch debugger and put the breakpoint on the enemy address.
Here are my findings:
Me just connected to the server
563F53: mov edx,[esi]
563F80: mov edx,[esi]
563F9D: mov edx,[esi]
563FD4: mov edx,[esi]
563FE0: mov eax,[esi]
563FF1: mov edx,[esi]
589132: mov eax,[esi]
58ADD2: mov edx,[edi]
59B6AE: mov edx,[edi]
59B6D1: mov eax,[edi]
59B6EF: mov edx,[edi]
4BFFD6: mov eax,[esi]
4C2A6F: mov eax,[esi]
4C2AA0: mov eax,[esi]
4C2AAB: mov edx,[esi]
40BE26: mov eax,[ecx]
5CEF96: mov edx,[eax]
779AE7: mov edx,[eax]
Enemy is not visible, Me opening score menu
36CF1A2: mov edx,[edi]
36CE4F5: mov eax,[ebx]
36CE631: mov eax,[ebx]
36CE63D: mov edx,[ebx]
36D0D27: mov eax,[ebx]
36CD006: mov eax,[ecx]
717FE7: mov eax,[edi]
71800D: mov eax,[edi]
720886: mov edx,[edi]
71F88E: mov eax,[edi]
71F89D: mov edx,[edi]
71F8C2: mov edx,[edi]
71F9D1: mov edx,[edi]
71FA6B: mov edx,[edi]
71FA98: mov eax,[edi]
71FADB: mov edx,[edi]
71FAFD: mov edx,[edi]
71FB08: mov eax,[edi]
6F084B: mov eax,[esi]
6F0859: mov edx,[esi]
71FC41: mov eax,[edi]
71FDF4: mov edx,[edi]
71FE00: mov eax,[edi]
715D9E: mov edx,[ebx]
715DF2: mov eax,[ebx]
4A4868: mov eax,[ecx]
4A4649: mov edx,[esi]
4A4655: mov eax,[esi]
4A46FA: mov edx,[esi]
4A4709: mov eax,[esi]
4A4719: mov edx,[esi]
6F08EA: mov edx,[edi]
6F29DA: mov eax,[ecx]
6F0918: mov eax,[edi]
6F0E7C: mov edx,[edi]
73EE05: mov edx,[esi]
73EE47: mov edx,[esi]
73EF06: mov edx,[esi]
73EF4C: mov edx,[esi]
73EF7C: mov edx,[esi]
73EFBA: mov edx,[esi]
73F47D: mov edx,[esi]
73F540: mov eax,[esi]
73F6BD: mov edx,[esi]
73F6E7: mov edx,[esi]
73F6F8: mov eax,[esi]
73F70D: mov edx,[esi]
73F723: mov edx,[esi]
73F73E: mov eax,[esi]
73F753: mov edx,[esi]
73F76E: mov edx,[esi]
73F78A: mov eax,[esi]
73F7A6: mov edx,[esi]
73F7C2: mov eax,[esi]
73F7DE: mov edx,[esi]
73F7FA: mov eax,[esi]
73F95A: mov edx,[esi]
73F97E: mov edx,[esi]
4A2CEA: mov eax,[esi]
4A2E96: mov eax,[ecx]
4A2CF9: mov edx,[esi]
Enemy on side of screen, not on crosshair, no tags visible
36CF452: mov edx,[eax]
36CF486: mov eax,[ecx]
36CCFB6: mov eax,[ecx]
36CF34C: mov eax,[esi]
36CF38D: mov edx,[esi]
36CEACF: mov eax,[esi]
36CEB69: mov edx,[edi]
36CEC2E: mov eax,[edi]
36CEC3A: mov edx,[edi]
36CEC97: mov eax,[edi]
36CEDCB: mov edx,[edi]
36CEEAE: mov eax,[edi]
36CEEEC: mov edx,[edi]
36CF057: mov edx,[ecx]
5BDDD9: mov edx,[eax]
Enemy on crosshair, tags visible
36D0A29: mov edx,[edi]
36D0B37: mov eax,[edi]
Enemy shot and killed
7798BA: mov edx,[eax]
6F97C0: mov edx,[edi]
6F97DF: mov edx,[edi]
6F988C: mov eax,[edi]
6F9C05: mov edx,[edi]
6F9C4A: mov eax,[edi]
6F9D76: mov eax,[ecx]
4F9283: mov edx,[eax]
4C4A70: mov edx,[ebx-0xC]
4C3458: mov eax,[edi]
556804: mov eax,[edi]
55680E: mov edx,[edi]
556830: mov eax,[edi]
556848: mov ebx,[edi]
59D2DF: mov edx,[eax]
5BB934: mov edx,[eax]
5BDD75: mov eax,[ecx]
71FBBE: mov eax,[edi]
71FBCC: mov edx,[edi]
4AAF7E: mov eax,[esi]
4B4700: mov eax,[esi]
4B4709: mov edx,[esi]
6F2BA2: mov edx,[edi]
6F2BBC: mov eax,[edi]
729453: mov edx,[ebx]
74374C: mov edx,[edi]
4B4772: mov eax,[esi]
4B47A0: mov eax,[esi]
4B47B3: mov edx,[esi]
49DEAD: mov eax,[ecx]
49F929: mov eax,[esi]
49F936: mov edx,[esi]
49F941: mov eax,[esi]
49F967: mov edx,[esi]
49F974: mov eax,[esi]
558791: mov edx,[eax]
4C6DCD: mov eax,[esi]
4C225D: mov edx,[esi]
4C226B: mov eax,[esi]
4A21FA: mov edx,[edi]
4A226E: mov edx,[edi]
4A2314: mov eax,[edi]
5D19B2: mov edx,[edi]
5D1A04: mov ebx,[edi]
5D122C: mov edx,[eax]
4A2365: mov eax,[edi]
7294ED: mov edx,[edi]
5587A3: mov edx,[eax]
49F9C9: mov edx,[esi]
49F9D4: mov eax,[esi]
49FA1E: mov edx,[esi]
49FA49: mov edx,[esi]
6F2B51: mov eax,[edi]
7295A6: mov edx,[ebx]
4B47D3: mov edx,[esi]
4B47E6: mov eax,[esi]
4B47F8: mov edx,[esi]
4B4806: mov eax,[esi]
4B4814: mov edx,[esi]
5D1105: mov edx,[eax]
4B482D: mov edx,[esi]
4B48C9: mov eax,[esi]
49FB7B: mov eax,[esi]
4A2205: mov eax,[edi]
55613B: mov eax,[ebx]
556194: mov ebx,[ebx]
5D1A4B: mov eax,[ecx]
5CFA95: mov edx,[eax]
5561ED: mov edx,[eax]
4A2355: mov esi,[edi]
4F7B67: mov edx,[esi]
54928C: mov edi,[esi]
549297: mov eax,[esi]
58930E: mov eax,[ecx]
55A46A: mov edx,[edi]
55A481: mov eax,[ebx]
54942B: mov eax,[ecx]
59D1C6: mov edx,[eax]
59C735: mov edx,[eax]
58A626: mov edx,[eax]
4A1E15: mov eax,[esi]
6F2D3B: mov edx,[edi]
7293DB: mov eax,[ebx]
36CFC1E: mov edx,[ecx]
Enemy left server
49F78B: mov eax,[esi]
49F7FF: mov eax,[esi]
49F82A: mov eax,[esi]
49F8CB: mov edx,[esi]
49F8D9: mov eax,[esi]
36D0CEB: mov edx,[ecx]
4A360A: mov edx,[edi]
4A3626: mov edx,[edi]
49F8FF: mov eax,[esi]
4C7C8C: mov dword ptr [edi],0x82BD48
6A3685: mov dword ptr [ecx],0x8942B8
7C910E00: mov [eax+0x4],edx
Match ended
7C911430: cmp edi,[eax+0x4]
7C911443: mov [eax+0x4],ecx
7C910DF5: mov edx,[ecx+0x4]
7C910E05: mov [ecx+0x4],eax
7C912281: mov ecx,[edx+0x4]
3D12CA9: mov esi,ebx
Me disconnected from server
7C910F2B: cmp ecx,[edx+0x4]
7C910F50: mov [eax+0x4],ecx
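The two lists in this thread, caliber1942's CALL sites to 55A8A0 and HelioS's _ReturnAddress() hit counts, describe the same call sites from either side of the CALL instruction, as HelioS points out above. The script below is an added example, not code from either poster: it parses caliber's list in the format he posted, pairs each call site with the logged return address that lies within one instruction after it, and sums HelioS's hit counts per module; both datasets are transcribed from the posts, and the 15-byte bound is the x86 maximum instruction length.

```python
import re
from collections import defaultdict

# HelioS's GetTeam() hook log, transcribed from his post: (_ReturnAddress(), hits in ~1 min)
HELIOS_RETURNS = [
    (0x717ff1, 35550), (0x717ffd, 35550), (0x718017, 18960), (0x718023, 18960), (0x71f8c2, 18960),
    (0x71f8ce, 18960), (0x71faa2, 18960), (0x71fadb, 18960), (0x71fae7, 18960), (0x71fab9, 9480),
    (0x71827b, 9480), (0x718288, 9480), (0x7182a6, 9480), (0x7182b2, 9480), (0x36cf481, 8295),
    (0x36cf48e, 8295), (0x36cf5ba, 8295), (0x36cedcb, 8295), (0x36cedd7, 8295), (0x36cf05f, 8295),
    (0x36cf06b, 8295), (0x3742b95, 8295), (0x71d6e2, 7110), (0x579fbe, 3555), (0x4435e4, 2700),
    (0x54bcbc, 1203), (0x5f6961, 640), (0x4ade37, 150), (0x7b017a, 39), (0x545ea7, 32),
    (0x4a5f8e, 16), (0x6f2bac, 16), (0x4a5447, 16), (0x49407f, 15), (0x4af318, 15),
    (0x4af53a, 15), (0xf9dbba4, 15), (0x4a5fd6, 12), (0x55356e, 8), (0x4af4b2, 6), (0x73b9a4, 1),
]
# caliber1942's breakpoint log of CALLs to 55A8A0, verbatim from his post
CALIBER_CALL_SITES = """\
bf2.exe
-------
0579fb8 / 721196
07180ba / 72060c / 7213ac
07180c6 / 72060c / 7213ac
0718275
0718282
07182a0
07182ac
0717feb / 72060c / 7213ac
0717ff7 / 72060c / 7213ac
0718011 / 72060c / 7213ac
071801d / 72060c / 7213ac
071f8bc / 72147e
071f8c8 / 72147e
071fa9c / 72147e
071fab3 / 72147e
071fad5 / 72147e
071fae1 / 72147e
0717feb / 71fa55 / 72147e
0717ff7 / 71fa55 / 72147e
0718011 / 71fa55 / 72147e
071801d / 71fa55 / 72147e
07180c6 / 71fa55 / 72147e
071d6dc / 7214d2
04435de
054bcb6 / 49ba51 / 40bca7 / 402994 / 402b93 / 402c34 / 7d6088
-------
RendDX9.dll
-------
036cf47b / 36d1102 / 36d1a4d / 35fc942
036cf488 / 36d1102 / 36d1a4d / 35fc942
036cf5b4 / 36d1102 / 36d1a4d / 35fc942
036cedc5 / 36cf030 / 36d1111 / 36d1a4d / 35fc942
036cedd1 / 36cf030 / 36d1111 / 36d1a4d / 35fc942
036cf059 / 36d1111 / 36d1a4d / 35fc942
036cf065 / 36d1111 / 36d1a4d / 35fc942
03742b8f / 3743162 / 36d1a68 / 35fc942
"""
MAX_X86_INSN = 15  # no x86 instruction is longer than 15 bytes

def parse_call_sites(text):
    """Parse caliber's format into {module: [(call_site, [callers up the stack]), ...]}."""
    sites, module = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-"):
            continue  # blank line or ------- rule
        if not re.fullmatch(r"[0-9a-fA-F /]+", line):
            module = line  # a module header such as "bf2.exe"
            continue
        addrs = [int(tok, 16) for tok in line.split("/")]
        sites[module].append((addrs[0], addrs[1:]))
    return dict(sites)

def reconcile(call_sites, returns):
    """Pair each CALL site with the logged return address within one instruction after
    it -> {site: (module, ret, delta, hits)}; also the sorted (module, site) never hit."""
    hits = dict(returns)
    matched, unmatched = {}, set()
    for module, entries in call_sites.items():
        for site, _callers in entries:
            cands = [r for r in hits if 0 < r - site <= MAX_X86_INSN]
            if cands:
                ret = min(cands)
                matched[site] = (module, ret, ret - site, hits[ret])
            else:
                unmatched.add((module, site))
    return matched, sorted(unmatched)

def call_lengths(matched):
    """Distinct return-minus-call deltas: 5 would mean a direct E8 rel32 CALL,
    6 an indirect FF /2 CALL with a 32-bit displacement."""
    return sorted({delta for _m, _r, delta, _h in matched.values()})

def hits_per_module(matched):
    totals = defaultdict(int)
    for module, _ret, _delta, hits in matched.values():
        totals[module] += hits
    return dict(totals)

def analyse():
    return reconcile(parse_call_sites(CALIBER_CALL_SITES), HELIOS_RETURNS)

if __name__ == "__main__":
    m, u = analyse()
    print(call_lengths(m), hits_per_module(m), [f"{s:x}" for _, s in u])
```

Every matched pair differs by exactly 6 bytes, and two of caliber's bf2.exe call sites (7180ba and 7180c6) never appear in HelioS's one-minute log, so his "sorted by amount of calls" list is a sample of the live call sites rather than a complete cross-reference.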
caliber1942
17th June 2005, 20:22
This is what I figured, that most of the work is going to be done in RendDX9.dll instead of bf2.exe. I think Sparten found this out already. Nice work again, HelioS.
best,
cal