HelioS or others: Help with tools-
caliber1942
20th June 2005, 21:23
Helios described finding code functions within .exe's using IDA pro or PE-Explorer. I would like some further help with this and perhaps some other questions answered. The discussion following this thread may help others, as well.
Ok, the VfTables were mentioned. Where (in what tool and under what heading menu item) is this found? What are they and how do you use them to find certain code? For instance, HelioS found the player constructor code. How did he find this using the VfTables and how did you determine that this was the constructor code, etc? How would one use these tables or what tools to find the code that shows the tags, for instance, also?
Also, how do you go about finding the other player's addresses? I can find my own address (team address) but how do you go about (what tools and methods) doing this to help find the addresses of the other players? This is useful for breakpointing and then finding when certain things happen. Radar, etc.
Thanks in advance. Hopefully HelioS or others will add input.
best,
cal
xollox
20th June 2005, 22:37
I was able to find other peoples' team address by using a conditional breakpoint in Olly. I'm not sure if this is the best method to use, but it seemed to work OK for me.
(I'm writing this without BF2 in front of me, so I won't include any actual code)
Go to the GetTeam() function in OllyDbg.
Right click on the MOV whatever, whatever command, Breakpoint, Conditional Log
Under Expression type ESI or whatever the variable is that you want to log
If you want you can enter something under explanation, but if you're only logging one variable it's not necessary
Change pause program to "Never" otherwise it'll stop every time that function is called...which would be annoying
Change "Log value of expression" to always
Hit OK
Run the game, and go to the log window (alt-l) or the "L" button at the top. Watch the addresses pour in (:
I'm not sure if this is what you're looking for, but hopefully it'll help someone somehow.
wakko
20th June 2005, 23:26
what is Olly?
and
Where can we get it?
Spontaneous
21st June 2005, 00:01
OllyDbg, google is your friend.
scruie
21st June 2005, 00:17
what is Olly?
and
Where can we get it?
go to this thread (http://www.mpcforum.com/showthread.php?t=79969) as most of the tools mentioned here are the ones ppl use. as to other tools ppl might mention do as spont suggests - google.
hope this helps some.
now back to topic ppl...
caliber1942
21st June 2005, 00:24
xollox. ok thanks! but my next problem is this. once i find the enemy address(es), how do i breakpoint the address itself? for instance, i know i can breakpoint CODE with olly, but how do i breakpoint an ADDRESS with olly and have it show me all the code that is reading from or writing to that address? i could do this with TSEARCH, but i can't have both olly and TSEARCH's autohack running at the same time and once you restart the game, the addresses change.
let's say that i know the address is 0x0d710ac that contains data for enemy player. how do i set up olly to show when something is writing to or reading from that address?
thanks for the help, this is good stuff-
best,
cal
scruie
21st June 2005, 00:41
found this for breakpoint address in olly, hope they're what ur after cal;
http://www.bwhacks.com/forums/archive/index.php/t-615.html
http://www.idefense.com/iia/labs-software.jsp#olly_bp_man -- olly breakpoint manager plugin
http://webster.cs.ucr.edu/AsmTools/OllyDbg/CMDLINE.HTML
p3n1
21st June 2005, 00:58
Don't know, if this was already mentioned here, but for the final version of bf2 you'll need either an unpacker or OllyDump (google for it, i'm too lazy).
xollox
21st June 2005, 00:58
I didn't check out those links, but here is what i would do:
Open up the memory window (alt-M or the "M" button at the top)
Go to the section of memory that you're trying to BP.
find the memory address (hint: ctrl-g)
Highlight the memory you want to BP, according to the size of the variable (if it's a 4 byte variable, highlight 4 "blocks"...let me know if that's not clear)
right click, breakpoint, select memory on access or memory on read, depending on what you're going for.
On that note, I have to say that this is rather irritating, as it will probably break all the time. I'd rather use TSearch, which will give you the nice list of addresses. It takes some time to open bf2, open tsearch, search it, close bf2, reopen bf2, attach olly, etc... but I think it's worth it in the end.
choch85
21st June 2005, 01:37
Pros use IDA Pro, Olly isn't as powerful fyi.
xollox
21st June 2005, 02:20
Pros use IDA Pro, Olly isn't as powerful fyi.
Tell us how to do it in IDA Pro then...
HelioS
21st June 2005, 02:23
These are the steps I took
1) Use TSearch to find the Team of the local player. (Keep looking for 1 or 2 and change your team inside the game, and keep repeating the process until you find the address).
2) Put a breakpoint in either olly or Tsearch (I used TSearch) on your newly found Team address. TSearch will list the pieces of code that access that Team address
3) I used PE-Explorer to look at the pieces of code TSearch listed. I found a small function that only stored the Team inside the eax register and then ended. (I called this function GetTeam() because that's the only thing it does)
4) Find out what piece of code calls the GetTeam() function, in PE-Explorer you just put the marker on the start of the function and press the R key. It will list all the addresses of the callers. In the case of GetTeam() PE-Explorer will only list 2 addresses. If you look at them you'll see that they are inside virtual function tables. If you go to the top of the table and press the R key again PE-explorer will list the addresses that use the vfTable. These addresses will point you to the constructors of the Player object because that is where the vfTables get initiated for every newly created object.
5) I hooked the constructor (I'm not going into details how to do this) and extracted the ecx register from it. This register is a pointer to the newly created object.
I can only explain the basics, the rest you learn by experience.
p3n1
21st June 2005, 02:31
...in PE-Explorer you just put the marker on the start of the function and press the R key. It will list all the addresses of the callers.
Didn't know that, IDA has no function for this, besides the "view graph of function calls" - as far as i know. THX, this could save me much time!
Pros use IDA Pro, Olly isn't as powerful fyi.
I think, it depends on what you wanna do - I use Olly for debugging AND unpacking (great for Armadillo, since there isn't an unpacker out), IDA is great for analyzing and looking, how something works -> the graph function is great, to get a quick 'n clean overview over some function or code...
BTW here are the new GetTeam and SetTeam offsets from the HOODLAME RLS:
DEMO:
4c2b10 - SetTeam
55a8a0 - GetTeam
RETAIL:
4c5580 SetTeam
5f3250 GetTeam
HelioS
21st June 2005, 02:43
Doesn't the X key in IDA list all references to a specific address ?
p3n1
21st June 2005, 02:49
Doesn't the X key in IDA list all references to a specific address ?
Yes, it does. But in this specific case not. When i e.g. take the getteam q 55A8a0 i get the three virtual functions, but when i try to "x" on one of that, nothing happens. That's what i meant.
caliber1942
21st June 2005, 16:39
killer replies! thanks to all. haven't had a chance to absorb it all, but just wanted to tell everyone thanks for the input. this is how we all learn. hopefully i will have some info to give back as i have in the past-
best,
cal
p3n1
21st June 2005, 17:14
That's what we are here for :)
I have to say, i learned much about gamehacking, writing trainers, reversing etc. the last week - thanx to all. :bunny:
xollox
21st June 2005, 17:21
Last night I was fiddling around with Olly and BF2 (got a working minimap hack now..w00t) and found another way to find what is calling the GetTeam() function. Here is how it goes:
Set a breakpoint in the GetTeam() Function (really can be anywhere, but it's easiest if you do it this way) and wait for it to stop.
Remove the Breakpoint
Go to Debug, Trace Into (Ctrl-F11)
Wait for a few minutes (longer=better)
pause the program again, either by hitting pause (F12) or by turning the BP on GetTeam() back on.
Go to the Trace window by hitting the ellipsis (...) button
Right click on the GetTeam() function address and hit mark.
You can now scroll through the run trace window (use the + and - keys) and look at what is run immediately before GetTeam(). That is the address that is calling it.
If you notice, it is normally called in pairs. I'd surmise what it is doing is grabbing your team number, then the team number of the "target" person. It then CMPares the two, and conditionally jumps accordingly. If you find the correct conditional jumps after it CMPs the team numbers, you can get a successful minimap hack. I'd also imagine you can get a nametag hack as well, but I haven't been able to find that yet.
p3n1
21st June 2005, 17:52
Thanx for the advice, seems to be quite helpful :)
caliber1942
21st June 2005, 18:00
yes, thanks xollox.. trying to get the hang of these tools. all advice and help with these tools is appreciated-
congrats on the map hack. btw, have you found a way to change color of the tags or the minimap icons? for instance, if you got the minimap hack working, does it display the enemy icons as red?
best,
cal
xollox
21st June 2005, 18:09
congrats on the map hack. btw, have you found a way to change color of the tags or the minimap icons? for instance, if you got the minimap hack working, does it display the enemy icons as red?
NP guys, glad I can help.
Yes, the minimap hack works almost exactly like it did in bf1942. All you do is NOP one conditional jump for infantry and one for vehicles. The enemies show up in Red on the minimap, including squad leaders (and I'd imagine commanders as well.) There does appear to be a distance limit on where they show up, but I'm sure that's another conditional jump somewhere to be NOPed (:
I see that you got nametags, does it follow the same basic format of:
Call GetTeam()
...
Call GetTeam()
CMP Team1, Team2
Conditional Jump
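As an added illustration (my own code, not the game's and not anyone's in this thread) of why HelioS's cross-references from a vfTable end in a constructor, and of the two-GetTeam()-calls-then-compare caller pattern xollox describes: a small C++ model with a virtual-method object, a raw read of its vtable pointer and team field, and the paired-call caller. The class, field names and offsets are constructed; the game's real field offset (0xD8 in the thread) is not reproduced, and the offset here is whatever the compiler's ABI gives.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstring>

// Constructed model of an object with virtual methods.  A C++ compiler stores
// the class's vtable address into the first word of the object at the start of
// the constructor; that store is the cross-reference that leads from the vtable
// back to the constructor.
struct Player {
    int32_t team;  // first data member, placed right after the vtable pointer
    explicit Player(int32_t t) : team(t) {}
    virtual ~Player() {}
    // Compiles to a load at a fixed offset from the object pointer ("this",
    // which MSVC's thiscall passes in ecx) followed by ret.
    virtual int32_t GetTeam() const { return team; }
    virtual void SetTeam(int32_t t) { team = t; }
};

// A derived class gets its own vtable, so the xrefs from each table lead to
// that class's constructors and not to the others.
struct Vehicle : Player {
    explicit Vehicle(int32_t t) : Player(t) {}
    int32_t GetTeam() const override { return team; }
};

// Reads the first machine word of an object: the vtable pointer.
uintptr_t read_vtable_ptr(const Player* p) {
    uintptr_t v;
    std::memcpy(&v, p, sizeof v);
    return v;
}

// Byte offset of the team field from the object's start, computed from
// addresses because offsetof is not guaranteed for a class with virtuals.
size_t team_offset() {
    Player p(0);
    return static_cast<size_t>(reinterpret_cast<const unsigned char*>(&p.team) -
                               reinterpret_cast<const unsigned char*>(&p));
}

// Reads the team field through a raw byte offset, the way a getter compiled
// to "mov eax,[ecx+offset]" does, rather than through the C++ member.
int32_t raw_read_team(const Player* p, size_t offset) {
    int32_t v;
    std::memcpy(&v, reinterpret_cast<const unsigned char*>(p) + offset, sizeof v);
    return v;
}

int32_t raw_read_team_of_new_player(int32_t t) {
    Player p(t);
    return raw_read_team(&p, team_offset());
}

// Two objects of the same class share one vtable pointer.
bool same_class_shares_vtable() {
    Player a(1), b(2);
    return read_vtable_ptr(&a) == read_vtable_ptr(&b);
}

// An object of a derived class carries a different vtable pointer.
bool subclass_has_distinct_vtable() {
    Player a(1);
    Vehicle v(1);
    return read_vtable_ptr(&a) != read_vtable_ptr(&v);
}

// The caller pattern seen in the thread: two GetTeam() calls, a compare, then
// a conditional branch on the result.
bool same_team(const Player* a, const Player* b) {
    return a->GetTeam() == b->GetTeam();
}

bool same_team_of(int32_t ta, int32_t tb) {
    Player a(ta);
    Vehicle b(tb);
    return same_team(&a, &b);
}

int main() {
    std::printf("Player objects share a vtable: %s\n", same_class_shares_vtable() ? "yes" : "no");
    std::printf("Vehicle has its own vtable:    %s\n", subclass_has_distinct_vtable() ? "yes" : "no");
    std::printf("team field offset: %zu bytes\n", team_offset());
    std::printf("same_team(1,2): %s\n", same_team_of(1, 2) ? "yes" : "no");
    return 0;
}
```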
caliber1942
21st June 2005, 18:44
this is for the demo:
xollox, i used olly to breakpoint the GetTeam() address and then i noted the value for the ecx register (code was mov eax,[ecx+000000D8h]) and then added the +0xD8 to it. if you keep running after breakpointing and letting it breakpoint there over and over you will see several addresses being stored there. basically these are the addresses of the players within the game. the one that shows up most is YOUR address, but we want to find an opposing team member. i noted each different address in tsearch (remember to take the value of ecx noted by olly and then add 0xD8 to it to get the actual address) and then put it into the cheats list window as a type 4 Byte and note the different teams (will be a 1 or a 2). If you are in the USMC then you want to find a 1. Ok then you want to breakpoint this memory address (for reads and writes) using olly and note the code that calls that memory address. I found several code areas, but there was only one that needed changing. i changed a jz into a jmp and then went to where the jmp was and changed a jz into a nop. there WERE compares but it wasn't as obvious as you put it (wasn't as obvious to see that the compare was Team1, Team2). anyways, look at your PM.
best,
cal
does anyone know how to scroll the code (disassembled code) in PE Explorer (or PEBrowse)? Btw, I have PEBrowser Professional Interactive..... is this the same thing as PE Explorer? maybe that's my problem, i don't have the right thing. any help in finding PE Explorer and what the latest version is (if i don't have the right thing) would be appreciated. I used the link for PE Explorer earlier in this thread to get it, but what was downloaded was PE Browser Professional Interactive.
thanks
cal
xollox
21st June 2005, 18:46
Cool, thanks for the tips. I don't have BF2 at work (may be a little obvious I'm not actually doing work, heh), so I'll check that out sometime this evening.
Thanks for the PM.
p3n1
21st June 2005, 19:09
this is for the demo:
xollox, i used olly to breakpoint the GetTeam() address and then i noted the value for the ecx register (code was mov eax,[ecx+000000D8h]) and then added the +0xD8 to it. (... BIG CUT HERE - Too MUCH TO QUOTE ...) but the link for PE Explorer earlier in this thread to get it, but what was downloaded was PE Browser Professional Interactive.
Isn't that the same thing HelioS mentioned earlier? Nice to see you two working together :)
I think, that's too much work, to repeat the steps for me. Hopefully you'll release a hack soon! I had enough Battlefield the last days, got to concentrate on other things now. But if you really find all Team Addys (or actually have, both of you, cal and xollox), then the way isn't that far to an aimbot, don't you think? I mean, if you got the addys of every single enemy, maybe the whole array constructor/handler, it shouldn't be too hard, to find the positions in x,y and z axis. We'll talk later, i'm glad to see your improvements and can't wait for new details/Screenshots.
Keep up the good work :)
xollox
21st June 2005, 19:21
Hopefully you'll release a hack soon!
Sorry, man, I don't release publicly. The only thing that gets you is 2 days of "fame" before EvenBalance starts kicking for it. It also lets EB disassemble your hack and learn how it works, so they can start kicking based on that method. That means that your public release could hurt people who have written private hacks.
My role here is to help others learn what I have learned, and to learn myself. I'll help you write a hack, but I won't write one for you.
p3n1
21st June 2005, 19:31
Sorry, man, I don't release publicly. The only thing that gets you is 2 days of "fame" before EvenBalance starts kicking for it. It also lets EB disassemble your hack and learn how it works, so they can start kicking based on that method. That means that your public release could hurt people who have written private hacks.
My role here is to help others learn what I have learned, and to learn myself. I'll help you write a hack, but I won't write one for you.
Helping others to learn writing their own hacks, or better: teaching others reversing and programming is never wrong. But for me, i have to say, i do not release for my "fame" or whatsoever. i just want the games to be "cheater-free", so everyone has a fair chance. if the programmers trust in such a joke like pb, ppl like me/us have to "teach" them, how to protect the games in a better way, and the fastest way to do so, is releasing hax. That's my opinion, and its the same for every game i like (sadly to say mostly published by ea, but that's another thing) C&C generals, AA:OPS, Battlefield/Nam/2, Quake 1,2,3,4 etc.
I'll never play games on the net, for which hax are released and *not* fixed. it's more fun for me, to reverse and show them how to code right.
BF2 made a good improvement - the hits and accuracy are serverside. they learned a little bit, but not that much, as you can see.
regards
muhko
21st June 2005, 19:31
changed a jz into a jmp and then went to where the jmp was and changed a jz into a nop. there WERE compares but it wasn't as obvious as you put it (wasn't as obvious to see that the compare was Team1, Team2).
**Tip**
The jump you are forcing - follow it and at that line you can see the game stores a value at an address - throw this address into Tsearch (type: float) and you have the value for nametagviewdistance :)
**Edit**
Quote tags fixed for P3n1 :)
caliber1942
21st June 2005, 19:39
thanks muhko, that makes sense. that's why i followed the code from the original jz that was changed into a jmp (to try and make the viewdistance better) and that next jz is where you are talking about where the cmp is made and that is the address holding the nametagviewdistance. I NOP'ped it, and found that the distance improved. instead of NOP'ping it, i will change it to a larger number and see what happens, hopefully get the same effect. appreciate the heads up!
best,
cal
p3n1
21st June 2005, 19:39
**Tip**
The jump you are forcing - follow it and at that line you can see the game stores a value at an address - throw this address into Tsearch (type: float) and you have the value for nametagviewdistance :)
thx for the good tip, btw ida marks that with a "float". Oh, i love ur "quote" :p
alquemist
21st June 2005, 20:16
Damn I need help i dont get anything u guys say cuz im not really a hacker that does them im just a type that downloads them and uses them....... :alien:
p3n1
21st June 2005, 20:26
Damn I need help i dont get anything u guys say cuz im not really a hacker that does them im just a type that downloads them and uses them....... :alien:
What specific kind of help do you need? S0m3 3duK4t10n in \\'r171ng and r34d1ng maybe? Sorry m8, u gotta say what u want, not complaining bout n0thing. So, please tell me, what kind of help you need...
alquemist
21st June 2005, 20:41
What specific kind of help do you need? S0m3 3duK4t10n in \\'r171ng and r34d1ng maybe? Sorry m8, u gotta say what u want, not complaining bout n0thing. So, please tell me, what kind of help you need...
I need help on how they do that put enemy tags name over their heads to see where they are at?? how do i do that can u explain to me?
p3n1
21st June 2005, 20:45
I need help on how they do that put enemy tags name over their heads to see where they are at??
1st) use the search function
2nd) use itc 0.99
3rd) use tsearch and make it manually
4th) read the last recent topics in this forum, and you'll get the trick
5th) read tutorials, get the tools of the trade and try ur luck
chilli
22nd June 2005, 21:52
Last night I was fiddling around with Olly and BF2 (got a working minimap hack now..w00t) and found another way to find what is calling the GetTeam() function. Here is how it goes:
Set a breakpoint in the GetTeam() Function (really can be anywhere, but it's easiest if you do it this way) and wait for it to stop.
Remove the Breakpoint
Go to Debug, Trace Into (Ctrl-F11)
Wait for a few minutes (longer=better)
pause the program again, either by hitting pause (F12) or by turning the BP on GetTeam() back on.
Go to the Trace window by hitting the ellipsis (...) button
Right click on the GetTeam() function address and hit mark.
You can now scroll through the run trace window (use the + and - keys) and look at what is run immediately before GetTeam(). That is the address that is calling it.
If you notice, it is normally called in pairs. I'd surmise what it is doing is grabbing your team number, then the team number of the "target" person. It then CMPares the two, and conditionally jumps accordingly. If you find the correct conditional jumps after it CMPs the team numbers, you can get a successful minimap hack. I'd also imagine you can get a nametag hack as well, but I haven't been able to find that yet.
i tried your method, but after removing the breakpoint, and pressing ctrl+f11 i pause elsewhere to an exception and i crash. i wonder how you managed to get over it
xollox
22nd June 2005, 21:58
i tried your method, but after removing the breakpoint, and pressing ctrl+f11 i pause elsewhere to an exception and i crash. i wonder how you managed to get over it
I never ran into that problem...when it gives you the exception, maybe try hitting shift-f9 (or whatever it is that it says down in the status bar) and passing the exception to the program... not sure what else to try.
chilli
22nd June 2005, 22:05
i put the breakpoint at 55a8a0 with F2. then i remove the breakpoint with F2 again. and i press ctrl-f11. this sequence makes me jump at ntdll module then exception...
chilli
23rd June 2005, 00:44
xollox or caliber could you help me a bit ?
i have put a conditional breakpoint that returns me the address of an enemy guy. now i went in memory with alt-M , searched that address, selected the 4 blocks (=4 byte) and put break on memory access. now when i press run i dont see olly jumping in other parts of code as you experienced..i always stay at the original breakpoint (even though i removed it). what did i miss from here?
xollox
23rd June 2005, 01:10
hmm...sounds like you set your conditional breakpoint to break all the time... check that.
Chaotik
23rd June 2005, 05:40
i tried nopping that same addy and got a game crash!!!
caliber1942
23rd June 2005, 15:45
there's a setting in ollydbg (find the little icon to the right that says settings or config or something) and then look for the security tab and then select to trace over unknown commands. not sure why trace would crash your program. you also might want to select the trace tab under settings and see if you have selected enough memory or buffer or whatever (4M,64M) or something like that so that the trace has more room to store the lines of code that are being executed-
if you are nopping and the game crashes then you are nopping the wrong address(es).
hope this helps.
if
Chaotik
24th June 2005, 04:13
Last night I was fiddling around with Olly and BF2 (got a working minimap hack now..w00t) and found another way to find what is calling the GetTeam() function. Here is how it goes:
Is this an actual function or are you guys just calling it that?
Set a breakpoint in the GetTeam() Function (really can be anywhere, but it's easiest if you do it this way) and wait for it to stop.
Remove the Breakpoint
Go to Debug, Trace Into (Ctrl-F11)
Wait for a few minutes (longer=better)
pause the program again, either by hitting pause (F12) or by turning the BP on GetTeam() back on.
Go to the Trace window by hitting the ellipsis (...) button
I assume you are talking about olly to do this in. if so, how do i find the get team function. Do i use the method mentioned earlier on the previous page with pe explorer. How do i attach pe explorer to the game. i used the cheat engine to make it so i can debug. do i just go attach process??? the game freezes when i do that.
Right click on the GetTeam() function address and hit mark.
You can now scroll through the run trace window (use the + and - keys) and look at what is run immediately before GetTeam(). That is the address that is calling it.
If you notice, it is normally called in pairs. I'd surmise what it is doing is grabbing your team number, then the team number of the "target" person. It then CMPares the two, and conditionally jumps accordingly. If you find the correct conditional jumps after it CMPs the team numbers, you can get a successful minimap hack. I'd also imagine you can get a nametag hack as well, but I haven't been able to find that yet.
So this just will be the one i need to nop. I am assuming the one for vehicles is nearby???
Sorry if i am understanding all of this wrong, but all these new ways, to me anyways, of hacking are different than Vietnam, and I want to learn how to hack with this game too. Sorry for all the redundant questions if they are. I have been reading threads for a week, and have got nowhere with a map hack!
blah1970
24th June 2005, 06:03
I'm not sure if you've got it sorted chaotic but to make it clearer for you the addy 55A8A0 you are nopping isn't the right address and will cause the game to crash! It was also the first addy I tried after using the same team1,2 tsearch method. The above addy from my understanding is what ppl are labeling the 'getTeam' function and what you need to do is trace this back to the calling function codes and nop them, there are several and sparten has previously listed them:-
00717FD9
00717FFF
00718025
007180AB
007180CE
007180F1
Once you have nopped these your map hack is a goer, problem then is finding a way to utilise this without pb detecting, also the problem associated with attaching a debugger to the retail version of bf2. If you check my map hack thread there is a little mention of the techniques and a link posted by scruie to another thread that outlines possible ways around pb's memscan! Also check out the 'New Big Problem' thread by caliber as they have links there to a tut by faldo to make attaching a debugger to bf2 retail possible!
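On the detection side this post touches on (pb's memscan), an added example of how a code-integrity check recognises the in-memory patch shapes discussed in this thread, a conditional jump forced to jmp or NOPed out. This is my own illustration, not PunkBuster's code; the guarded bytes, the site address and the choice of fingerprint are constructed placeholders.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// One guarded code location: a placeholder address and the bytes recorded
// from the unmodified binary.
struct CodeSite {
    uint32_t address;
    std::vector<uint8_t> expected;
};

// 64-bit FNV-1a, used as a cheap first-pass fingerprint of a code region.
uint64_t fnv1a64(const uint8_t* data, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; ++i) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

// Walks to the first differing byte and names the patch shape.  0x70..0x7F
// are the short conditional-jump opcodes (jz is 0x74), 0xEB is short jmp and
// 0x90 is NOP: the two rewrites described in this thread.
std::string classify_patch(const std::vector<uint8_t>& expected,
                           const std::vector<uint8_t>& live) {
    if (expected.size() != live.size()) return "size mismatch";
    for (size_t i = 0; i < expected.size(); ++i) {
        if (expected[i] == live[i]) continue;
        bool was_jcc = expected[i] >= 0x70 && expected[i] <= 0x7F;
        if (was_jcc && live[i] == 0xEB)
            return "conditional jump forced to jmp at +" + std::to_string(i);
        if (live[i] == 0x90)
            return "code NOPed out at +" + std::to_string(i);
        return "unexpected byte change at +" + std::to_string(i);
    }
    return "intact";
}

// Fingerprint comparison first; the byte walk runs only when it disagrees.
std::string check_site(const CodeSite& site, const std::vector<uint8_t>& live) {
    if (site.expected.size() == live.size() &&
        fnv1a64(site.expected.data(), site.expected.size()) ==
            fnv1a64(live.data(), live.size()))
        return "intact";
    return classify_patch(site.expected, live);
}

// Constructed sample site: "cmp ecx,eax ; jz short +5" encodes as 3B C8 74 05.
CodeSite sample_site() {
    return CodeSite{0x00400000u, {0x3B, 0xC8, 0x74, 0x05}};
}

// Constructed live snapshots: untouched, jz rewritten to jmp, jz NOPed out.
std::vector<uint8_t> live_intact()     { return {0x3B, 0xC8, 0x74, 0x05}; }
std::vector<uint8_t> live_forced_jmp() { return {0x3B, 0xC8, 0xEB, 0x05}; }
std::vector<uint8_t> live_nopped()     { return {0x3B, 0xC8, 0x90, 0x90}; }

int main() {
    CodeSite site = sample_site();
    std::printf("%08X intact: %s\n", (unsigned)site.address, check_site(site, live_intact()).c_str());
    std::printf("%08X jmp:    %s\n", (unsigned)site.address, check_site(site, live_forced_jmp()).c_str());
    std::printf("%08X nopped: %s\n", (unsigned)site.address, check_site(site, live_nopped()).c_str());
    return 0;
}
```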
Chaotik
25th June 2005, 03:16
I'm not sure if you've got it sorted chaotic but to make it clearer for you the addy 55A8A0 you are nopping isn't the right address and will cause the game to crash! It was also the first addy I tried after using the same team1,2 tsearch method. The above addy from my understanding is what ppl are labeling the 'getTeam' function and what you need to do is trace this back to the calling function codes and nop them, there are several and sparten has previously listed them:-
00717FD9
00717FFF
00718025
007180AB
007180CE
007180F1
Once you have nopped these your map hack is a goer, problem then is finding a way to utilise this without pb detecting, also the problem associated with attaching a debugger to the retail version of bf2. If you check my map hack thread there is a little mention of the techniques and a link posted by scruie to another thread that outlines possible ways around pb's memscan! Also check out the 'New Big Problem' thread by caliber as they have links there to a tut by faldo to make attaching a debugger to bf2 retail possible!
Thanks for the input but 1. I knew it was the wrong addy, i was just stating my experience with it. 2. I am trying to hack the retail not the demo. 3. I have no problems at all attaching olly using another method. (Which can't be discussed here). 4. Thanks to sparten, i don't have to worry about PB. 5. Again thanks for the help. I really do appreciate your input!!! :) :) :)
-- -
On that note, does anyone else have any input dealing with questions above for the RETAIL version?!?
Thanks in advance!
Chaotik
26th June 2005, 20:06
Ok then you want to breakpoint this memory address (for reads and writes) using olly and note the code that calls that memory address.
I have got this far but don't know how to breakpoint memory addresses using olly. Please help!
p3n1
26th June 2005, 20:12
I have got this far but don't know how to breakpoint memory addresses using olly. Please help!
Click on the "M" in the toolbar, go to specified address and right click on the selected bytes you want to bp. :beard:
Chaotik
26th June 2005, 20:21
Click on the "M" in the toolbar, go to specified address and right click on the selected bytes you want to bp. :beard:
I did that, but all i get in the log is this:
Log data, item 1
Address=005F3250
Message=Memory breakpoint when reading [0CEF1E94]
and the game just keeps sitting there
where am i supposed to see olly jumping to the code that is calling that addy
p3n1
27th June 2005, 15:00
I did that, but all i get in the log is this:
Log data, item 1
Address=005F3250
Message=Memory breakpoint when reading [0CEF1E94]
and the game just keeps sitting there
where am i supposed to see olly jumping to the code that is calling that addy
it's the right address for the "special" retail version (which hasn't to be discussed here). that's the address i hooked for itc. look after a thread, where s.o. explains, how to trace this function in olly, so you'll get all calls to the function.
regards.
Chaotik
28th June 2005, 05:32
is this addy not the same in the 'special' version as well as the retail version??? haven't bothered to check yet
p3n1
28th June 2005, 05:39
is this addy not the same in the 'special' version as well as the retail version??? haven't bothered to check yet
Don't know, since i tried that b4 the debugger tutorial came out, i'm not sure...