Battlefield Hacking Tutorial Part II
caliber1942
30th June 2005, 18:38
Here is part II in the series of tutorials for hacking BF2. As stated before, this is a work in progress, but I decided to make tutorials for the forum so that those of you wondering about the techniques used to hack the code of the program can learn them. It will be released in parts as each section is done. Thanks to all coders and those of you who helped in my knowledge (from way back years ago to today's forum members) who made this possible and to those of you who downloaded the previous tuts and gave me props and feedback. My goal is to do these tutorials for all facets of the game. As stated before, this will be done only on the demo version of BF2, although the techniques are exactly the same for the retail version.
Download, enjoy, and possibly learn. Hopefully people are using this and appreciating them because it takes a lot of time and effort to do them, especially to make it newb friendly. More coming soon-
PS: I still can't upload these damn .rar's one at the time or any way at all. Only the first .rar goes through for some reason. I am not an ***** and so I don't know why I am having probs. anyways,
As usual, I would appreciate one of the mods moving this to the download section and then editing this message accordingly.
Best,
Cal
EDIT, Uploaded, Nice work again man.
Best Cpt Cox ;)
MOD NOTE: Please check the following link for new updated download links: CLICK (http://www.mpcforum.com/showthread.php?t=132351)
yeahhhhh!!! Checking it out now. Mirrored it here too....
http://s41.yousendit.com/d.aspx?id=24Q59JGCAX2AG37F67S88HZMIF
or
http://tap.herejezus.nl/bf2hacktut2.rar
Tap
pwnedz0r
30th June 2005, 19:25
great work mate :)
thxxxxxxxxxxxxxxxxx
Hanny
30th June 2005, 20:31
(k) tnx
caliber1942
30th June 2005, 20:53
thanks for the replies and also thanks to cpt cox for working out the rars.
cpt cox, could you also update the bf2 tutorials sticky to point to this thread?
thanks again,
cal
again real nice work man! i'll read it now...
givemeabreak
1st July 2005, 14:43
What good is this if I may ask? A hack made with these tools is detected anyway. Or did I miss something? I hope so.
scruie
1st July 2005, 14:48
What good is this if I may ask? A hack made with these tools is detected anyway.
there are other ways, this is teachin ppl the basics; a starting point so they can move onto the 'more advanced' techniques. if u look at the thread entitled 'a couple of noobs' in the BF general section you'll find this other method, read the posts by mcmike and spart and u'll begin to understand.
again cal nice work - will be handy. on behalf of the community thanks.
chilli
1st July 2005, 14:58
yea thx for putting the first steps of the ladder accessible to the average joe. someone has to pass on the little knowledge we have..and more advanced ppl than us are also encouraged to write tutorials for us :) if I may ...here i have a tut request: CS segment override ;)
Sparten
1st July 2005, 15:01
What good is this if I may ask? A hack made with these tools is detected anyway. Or did I miss something? I hope so.
the good is you will have to evolve; hints and tips for making this type of hack work again have already been posted in the forum. it may not be posted directly how to do it, but if you take your time and use the search you will find a lot of usable info.
yea thx for putting the first steps of the ladder accessible to the average joe. someone has to pass on the little knowledge we have..and more advanced ppl than us are also encouraged to write tutorials for us :) if I may ...here i have a tut request: CS segment override ;)
i am not sure what is meant by code segment overwrite, but there's a common technique that some viruses use and some exe binders, too. the definition of the code segment is put in the pe header, at the allocation table i think. if some dll is now loaded and can't be allocated at the fixed address pointed to in the pe header, it will be allocated dynamically and the change will be written to the relocation table. (google is your friend :D)
so if you want to relocate or overwrite the cs, then you'll have to patch the pe-header so it points to your new cs, let it be executed and point to the old cs at the end of your cs. anything else is beyond my knowledge, since im new to this, too.
chilli
1st July 2005, 15:26
thanks for this start of info..is it possible that PB scans the PE header for "hijacking" lol
scruie
1st July 2005, 19:12
p3n1 new to this, u sounded just like a pro! this sounds like whats been discussed by mcmike, spart and the others and when time allows its what i'm hopin to get workin in Bf before gettin BF2.
p3n1 new to this, u sounded just like a pro! this sounds like whats been discussed by mcmike, spart and the others and when time allows its what i'm hopin to get workin in Bf before gettin BF2.
im new to pe header and stuff like that, that's right, but i have a little more experience in programming and cracking, so that i got to know some things about PEs.
i read the "noobs" thread in battlefield general and it seems to me that this 'noobs' thread is more likely the place for such a discussion, though it is more a thread about pb hacking in general and advanced. i personally think there are hundreds of ways to confuse/hack the scanning of pb.
this tutorial here and all the others are a good chance for newbs to get started, even to get encouraged to learn some assembly/higher language.
it is good to hack the singleplayer levels first, and to see that something of your own is working, before thinking about avoiding pb detection.
greets
Hanny
1st July 2005, 23:39
hope there will be a really good avoiding-pb-detection tut from you Cal
but what p3n1 says: this stuff rulz. i am new to this stuff and i'm getting better and better @ it
caliber1942
5th July 2005, 21:28
thanks for the nice comments. these tutorials were not meant to teach how to fool pb. that COULD be another tutorial for later. these tuts were to help you learn how to hack the game, specifically bf2 (plus learn the tools). no matter how experienced the hacker is, all of us had to do these steps to find the addresses necessary to make these hacks work. so if you follow the tut, you know how to do it (for the future). for those of you who are bitching that these tuts don't describe how to defeat pb and why bother, then you just don't get it.....
hopefully the tags tut will be done this week. probably i will go into fog and viewdistance next. if you want to pb proof your own hacks, then these tuts aren't going to help you with that endeavor.
best,
cal
h4x0rz4lyfe
5th July 2005, 21:59
Cool Cal nice work man, looking forward to more tuts.
chilli
6th July 2005, 13:23
well maybe we need tuts for PB proofing with bf2 specifically..not just methods that are described in 2 sentences with winks and evil grins that only experts can catch the subtlety of and are able to implement in 2 hours...
Sparten
6th July 2005, 14:11
well maybe we need tuts for PB proofing with bf2 specifically..not just methods that are described in 2 sentences with winks and evil grins that only experts can catch the subtlety of and are able to implement in 2 hours...
How long do you think the so-called "experts" took to learn those methods?
too long just to see it get blasted away, just cause some n00b picks it up from a step by step "tutorial" and releases it to the public in a hack.
So for now you will just have to learn it the hard way, just like the rest of us.
chilli
6th July 2005, 15:13
frankly the hard way is really too hard. i, like many ppl here, have a job and when coming back home i dont want to spend my free time "ollying" and googling just to see if im in the right direction or not. i respect ppl here that spend their free time on it, but personally my aim is to make a hack to play games, not to learn windows SDK programming (which is a nice research topic but out of my interest/free time). so i just stick to non pb servers, and hope one day one of the experts posts a comprehensive tut on how to defeat PB.
knowing that as experts, you already know several ways of defeating PB, so one less shouldnt be a problem for you. and honestly i think the experts' motivation for their research is more about discovering and learning things rather than playing any game with hacks on.
talking about tutorials, i want to thank the ppl who take time to write them for the community. i appreciated faldo's mini tut concerning debugging, and i'd like to see more of those "advanced" topics that have practical use for gamehacking.
mikus
6th July 2005, 15:15
dude it's always going to be a fight, pb will realise what's being exploited and fix it..and we will find another exploit..and so on and so forth :)
WaKe
15th July 2005, 05:31
Any tips to further narrow down the address besides guess and check? Changing each one to NOP, JMP, JE, JNZ and so forth takes quite a lot of time on a list of like 30.
caliber1942
15th July 2005, 16:38
don't know exactly what you are asking, wake-
if you look i think i gave you the other addresses to NOP in tutorial II for the minimap (towards the end of the tut). remember that you can use TRACE to run from line to line of code and check the registers to see what is being compared to what and follow the flow of the code based on that.
YES those addresses were found by trial and error over time and by using the registers to see what was being compared and by seeing the result of the changes in the game-
best,
cal
RussMPC
13th September 2005, 21:00
Hey Cal, just like to say, I made a once detected hack now undetectable by PB, im not gonna release it as public for obvious reasons, but thx to your tutorials, and some other information that IS available if you look through these forums, I got it working.
I've been messing with all sorts of trainers for some of my offline games, so I can say the information in your tuts is done in such a way that you understand the principles so well you can use it on other stuff too, thx again man.
caliber1942
13th September 2005, 22:30
thank you for leaving your nice comments. i took a lot of time to try and explain it completely and so that people with zero knowledge could go through them and learn a little more each time (starting from the tut in the battlefield general forum). being able to bring this knowledge to other games is a bonus and i am glad to hear that you were able to do that. congrats on making your hack work with pb.
best,
cal
Tony Soprano
15th September 2005, 02:14
I concur With Russ. I never thought I would be able to make hacks until I read Cal's tut's too. With other tut's on codecaving etc I have also managed to make a PB proof hack. I will also keep mine private to keep noob cheaters going as long as possible.
Tony
mr.x
20th November 2005, 02:43
Well, I've been on this forum, and others for a while and recently got GUID banned for using a BF2 hack which has given me the encouragement to try and find out how to create my own hacks. I'm not a noob with regards to PC's and can do a fair amount with them but have never even looked at programming which is why I haven't even contemplated creating my own hack. However this evening, I was just looking thru the forum and I thought I'd just take a look to see exactly how hard these hacks are to make. I've just completed the first tutorial and will do this one in the morning. To actually see me switch teams before my very eyes was quite pleasing.
Thanks for the effort u've put in Cal. Hopefully, I'll be able to make my own private pb proof hack within a few months
Cheers again
Marzipan90
20th November 2005, 04:50
Yay! Just another great bunch of 1st class tuts! Thanks a lot, Cal, very, very nice!
SnagglePuss
19th February 2006, 06:37
-The Hacker-....NICE SPAM my friend! surely should get a warning? lol he posted in all the tut threads with 1-2 word answers. whats the point?
SnagglePuss
scruie
19th February 2006, 16:05
-the_Hacker- quit spamming and begging. Reviewed your posts and deleted some - maybe a name change to -the_Beggar- is in order...
zuzi
21st February 2006, 12:37
hi,
A little question.
Are your tutorials compatible with BF2 Version 1.2 ???
Because I have a problem with Tsearch,
and in other threads it says that tsearch and ollydbg don't work in version 1.2?!
mfg
zuzi
sry for my english ^^ I'm a german. hehe
Creative_Blaster
21st February 2006, 12:47
all tutorials are compatible with any version of BF2.
fidgaf
21st February 2006, 15:45
You have to make sure your hacking skills are compatible with 1.2...
;)
caliber1942
21st February 2006, 17:42
tsearch and olly won't debug the retail version of bf2, only the demo. to debug and hack the retail you need to find the threads that discuss doing this (faldo made one) or use winject to reset the debugger.
the principles are the same for both the demo and the retail. if you can hack the demo and get understanding from it, you should be able to move over to retail, although the numbers will be different for retail than demo-
best,
cal
-the_Hacker-
22nd February 2006, 00:38
since this is part two thread ill post here.....
BF2 retail!!!
in part two i get all the way to where i have got my address list and un-breakpoint it by right clicking and selecting breakpoint->toggle.....
well i click the play button in olly and go in game to find an enemy as instructed in the tut.....i alt-tab back in
about 5 seconds after being in game it freezes???
cant do anything, just freezes!!
i have tried many times and get same results!!
any suggestions...Anyone???
thanx
caliber1942
22nd February 2006, 19:15
possibly safedisk protection is kicking in and has found that you have debugged the game (you reset the debug port to be able to attach olly to the game, etc.). are you doing this in single player mode even though it is retail? not sure how to help you if you are getting caught. i haven't tried the tuts' methods on version 1.12 retail and they may have improved the debug checks. anyone else have this problem or have a solution? wish i could be there to give you a hand and see what is going on for myself.
best,
cal
-the_Hacker-
22nd February 2006, 21:59
possibly safedisk protection is kicking in and has found that you have debugged the game (you reset the debug port to be able to attach olly to the game, etc.). are you doing this in single player mode even though it is retail? not sure how to help you if you are getting caught. i haven't tried the tuts' methods on version 1.12 retail and they may have improved the debug checks. anyone else have this problem or have a solution? wish i could be there to give you a hand and see what is going on for myself.
best,
cal
thanx for the reply....yes i reset debug port......and yes it is in single player, i made a single player account!!
hey cal just some advice, try and get BF2 retail 1.2!!
try to see if ur tut will work for version 1.2!!
for everyone else, i noticed people saying they have PB proof hacks, if so how did they get past this part??
any advice would be great!!
thanx,
chris
twix41
17th April 2006, 01:17
Hi, it's probably just me, but I can't download the tut attachment files, when i click them I just get a blank page, tried with IE and Firefox. :confused:
firebat
17th April 2006, 17:23
Hi, it's probably just me, but I can't download the tut attachment files, when i click them I just get a blank page, tried with IE and Firefox. :confused:
No, i think the defacement messed up the links.
This is what i had saved on my computer (hopefully it's the correct one)
http://rapidshare.de/files/18233555/bf2hacktut2.rar.html
twix41
17th April 2006, 22:38
Thnx for that, thought it was just me :)
Would it be possible for you to upload the rest of the tuts assuming you still have them. Would be very grateful.
Thanks
firebat
20th April 2006, 18:17
Thnx for that, thought it was just me :)
Would it be possible for you to upload the rest of the tuts assuming you still have them. Would be very grateful.
Thanks
http://www.unknowncheats.com/forum/showthread.php?t=37945
alaxul
20th April 2006, 22:54
Caliber1942's tutorials work no problem with v1.22. All you need to do is reset the Debug port; different methods work for different people / cpu's.
Here is Faldo's solution.
How to debug an already debugged process
--------------------------------------------------------------------------------
Some game developers try to stop hackers from debugging their game process. One pretty popular method lately is to make Windows believe that the process is already being debugged. That way, Windows won't let another debugger attach to it.
In theory, we need to fool Windows, telling it there is no debugger attached to the process. In practice, we reset 4 sets of bytes that define the debugging state of the process (aka debugport).
When i first started looking at this problem, i used a very clumsy and painful method. I actually kept looking for differences in the memory while a process was debugged and when it was not. It worked, but here's a much faster way:
Tools needed:
- Cheatengine 5.0 (found in the tools thread)
The following method will be divided in 2 parts, since the method is different depending on what CPU you have. One part is used for the AMD Athlon family (XP, 64bit...), the other is for the rest (all Intel, AMD Sempron etc...)
Also, this method has only been tested on Windows XP service pack 2. So i can't guarantee it will work on any other system.
Method:
1. Run Cheatengine and open the "Settings" window. Go to "extra" and check "Read/Write process memory". Click "Ok"
Note: Ignore the message saying "...some functions may not completely work" since you don't really need those functions for this anyway.
2. Open the processlist (top right of the main CE window). Open the game process from the list by double-clicking it. Do not attach it.
3. In the main CE window, double-click the text in the middle top where it gives you the PID and process name (IE: 00001214-BF2.EXE) and write down the PEProcess address.
4. Open the "Memory view" window. In the lower part of the window (Hex View) right click anywhere and select "Goto address". Enter the address you wrote down and add the hex number BC ie: 85528BC0+BC.
NOTE:The Offset "BC" may be different on other versions of windows or SP1.
Until this step everything is the same for Athlon as well as other CPU users.
If you have an Athlon CPU, follow the following steps, if you have some other CPU, go to step 5b.
5a. IE: If the address you wrote down was 85528BC0 you should have the address 85528C7C (85528BC0+BC) at the top left of the Hex View window.
To the right of this address, all you see as hex code is a bunch of "??". That's perfectly normal, don't worry. Above the addresses in the Hex View window you'll also see something called "Physical address", write down that address (ie: 551977C)
6a. Exit the Memory Viewer and open the process list again. Double-click the "[Physical Memory]" process.
7a. Open the Memory Viewer and this time enter the physical address in the "goto address" field.
8a. You'll now see the physical address as the first line in your hex view. After that address you'll see 4 sets of hex numbers (ie: 68 72 75 85). The list of numbers goes on, but you need to change those 8 numbers to 0s (ie: 00 00 00 00).
You'll now be able to attach Olly, or any other debugger as well for that matter.
5b. IE: If the address you wrote down was 85528BC0 you should have the address 85528C7C (85528BC0+BC) at the top left of the Hex View window.
To the right of this address, you'll see 4 sets of hex numbers (ie: 68 72 75 85). The list of numbers goes on, but you need to change those 8 numbers to 0s (ie: 00 00 00 00).
You'll now be able to attach Olly, or any other debugger as well for that matter.
Troubleshooter:
CheatEngine is not the most stable program ever, so it tends to show a warning box saying "Access violation at address..." sometimes. To solve this, enter the settings window and just click "OK".
Outro:
This method can also be used to attach multiple debuggers to the same process, like T-Search Autohack and Ollydbg at the same time!
twix41
20th April 2006, 23:44
http://www.unknowncheats.com/forum/showthread.php?t=37945
hmm, followed links, tried to download the tut files, but all i get is
twix41, you do not have permission to access this page.
alaxul
21st April 2006, 00:07
You can get these tutorials and tools from the new Thread I just made.
http://www.mpcforum.com/showthread.php?t=132351
scruie
21st April 2006, 01:45
hmm, followed links, tried to download the tut files, but all i get is
twix41, you do not have permission to access this page.
Just visit http://www.unknowncheats.com and make an account. Then visit the BF section and you will find all the goodies and a few other stuff.
Special_K
22nd May 2006, 11:15
None of the download links work, they just transfer you to an empty page =S
scruie
22nd May 2006, 16:19
None of the download links work, they just transfer you to an empty page =S
MPC lost some download links. Please check this thread for working links: LINK (http://www.mpcforum.com/showthread.php?t=132351)
LB/Fred_Durst
26th May 2006, 00:19
i think i must thank you too :) for these awesome tuts :)
i am at the 3rd tutorial now, but i can't find the RendDx9.dll's. (for the nametags)
so i found the (same) breaks but if i try to search them i don't see any JE, JNZ, JMP's or CALL's.
y ?
Scorpion4u
26th May 2006, 02:01
Hey Guys,
I'm new here and from Germany!
I'm very interested in coding my own hacks but i have a big problem:
The tutorials here are in English and my english isn't very good. -read the text and u know what i mean... ;-)
So does anybody know a tutorial about coding your own bf2 hacks or a good community in German??
This forum here is very very good, but in English - and that's my prob!
I know. It's a stupid question- sorry about that... But please help, if u can...
LB/Fred_Durst
26th May 2006, 02:21
lol
i'm from germany, too, but im always trying to understand each sentence in Caliber's tuts and it isn't a difficult language which Caliber is using in his tuts ;) so if i can understand it all, everybody can....and on this page u find one german section somewhere...
alaxul
26th May 2006, 04:44
A while back there was a translated version of the Tuts published. You should search the forums.
snoochy
26th May 2006, 17:33
i think i must thank you too :) for these awesome tuts :)
i am at the 3rd tutorial now, but i can't find the RendDx9.dll's. (for the nametags)
so i found the (same) breaks but if i try to search them i don't see any JE, JNZ, JMP's or CALL's.
y ?
I remember having the same problem; it took me forever to find. It doesn't look exactly like the code example. I think I used his second method, the one in t-search for tags; you probably won't find a line that starts ff ff ff ff ff ff and then the next one is 01 00 00 00, mine was a little different.... Pretty much I got frustrated and started changing any 01 to an 02 just to see what would happen, so the one I found looked like this xx xx xx xx ff ff ff ff and then I found an 01, hope that helps... Stick with it...:)
By the way I lived in Bitburg for a year....
Cyclone
1st August 2006, 17:47
hey guys when i attach the bf2 process then ollydbg pauses the game but when i unpause the game later on ollydbg terminates it.
Does anyone know why this is happening? or any alternate way of completing the tutorial?
Thanks