Introduction
Hey all,
I saw someone asking Dave for the latest no-recoil offset so I thought I would write a tutorial so you can find it yourselves. You will need ollydbg, Call of duty 4 with the 1.5 patch installed, some C++ knowledge (If you actually want to make something useful) and a brain (perhaps some patience also).
Credits: RunningBon, Quicktime, Quake3 SDK
Where to start
We all ready have a good idea on where to start as RunningBon (game deception) wrote a tutorial on Quake 3 client based no-recoil a long time ago. However, the tutorial he wrote was for RTCW:ET which is very different to Call of duty.
In call of duty the guns are mainly fired when scoped through an overlay thus, the recoil function in ET and COD4 will be much different.
First we need to start by finding the following function (Quake 3 1.3 sdk for reference):
As you can see, usually we would change the function that is called when the player shoots, however as there is no SDK for call of duty 4 and the recoil is much different it isn't as easy. However, we can suspect that there should be some similar function calls within the same area ... In call of duty 4, I believe there to be two or more functions regarding recoil.Code:void CG_FireWeapon( centity_t *cent ) { //REMOVED USELESS CRAP if ( ent->weapon >= WP_NUM_WEAPONS ) { CG_Error( "CG_FireWeapon: ent->weapon >= WP_NUM_WEAPONS" ); return; } weap = &cg_weapons[ ent->weapon ]; cg.lastFiredWeapon = ent->weapon; //----(SA) added // mark the entity as muzzle flashing, so when it is added it will // append the flash to the weapon model cent->muzzleFlashTime = cg.time; // RF, kick angles if (ent->number == cg.snap->ps.clientNum) { CG_WeaponFireRecoil( ent->weapon ); // This would usually be what we want to change.. }
Open up Call of duty 4 1.5 and hit 'Start a new server'... Wait for the map to load then join the game as any class you like. Attach ollydbg to the process.
Finding the offset
First we need to find the recoil function. From the SDK we know there should be a string we can search for which is within the function. This will help us to locate it.
As you attached ollydbg, the game should be paused. Go to view > executable modules. Now, find the module: iw3mp and double click it. The window should change/appear.
When the new window appears, right click it and go to search for > all referenced text strings. This should bring up yet another window. This window has all the text strings within the module (or at least ones it can identify).
Right click the new referenced text strings window and hit the 'search for' option. Type in: CG_FireWeapon . It should bring up one result: 'ASCII 15,"CG_FireWeapon: weapon" ...
Hit enter on the result. I believe that this is the function CG_FireWeapon. Anyway, you should see code similar to mine below:
The game should be still paused, hit the play button to un-pause it (its a blue triangle). Go back into the game and shoot your gun through the scope, there should be recoil.Code:00457DB7 3BD8 CMP EBX,EAX 00457DB9 72 17 JB SHORT iw3mp.00457DD2 00457DBB 68 5C1D6D00 PUSH iw3mp.006D1D5C ; ASCII 15,"CG_FireWeapon: weapon" 00457DC0 6A 01 PUSH 1 00457DC2 E8 B9550A00 CALL iw3mp.004FD380 00457DC7 83C4 08 ADD ESP,8 00457DCA 5F POP EDI 00457DCB 5E POP ESI 00457DCC 5D POP EBP 00457DCD 5B POP EBX 00457DCE 83C4 18 ADD ESP,18 00457DD1 C3 RETN 00457DD2 8BD3 MOV EDX,EBX 00457DD4 C1E2 04 SHL EDX,4 00457DD7 03D3 ADD EDX,EBX 00457DD9 8D0495 D8837400 LEA EAX,DWORD PTR DS:[EDX*4+7483D8] 00457DE0 8B149D 386B7300 MOV EDX,DWORD PTR DS:[EBX*4+736B38] 00457DE7 C681 C1010000 01 MOV BYTE PTR DS:[ECX+1C1],1 00457DEE 894424 18 MOV DWORD PTR SS:[ESP+18],EAX 00457DF2 A1 DCE07400 MOV EAX,DWORD PTR DS:[74E0DC] 00457DF7 F640 20 06 TEST BYTE PTR DS:[EAX+20],6 00457DFB 895424 10 MOV DWORD PTR SS:[ESP+10],EDX 00457DFF 74 12 JE SHORT iw3mp.00457E13 ; Fun offset :x 00457E01 8B75 00 MOV ESI,DWORD PTR SS:[EBP] 00457E04 3BB0 E8000000 CMP ESI,DWORD PTR DS:[EAX+E8] 00457E0A 75 07 JNZ SHORT iw3mp.00457E13 00457E0C B8 01000000 MOV EAX,1 00457E11 EB 02 JMP SHORT iw3mp.00457E15 00457E13 33C0 XOR EAX,EAX 00457E15 8B7424 2C MOV ESI,DWORD PTR SS:[ESP+2C] 00457E19 0FB6F8 MOVZX EDI,AL 00457E1C A1 B4C18501 MOV EAX,DWORD PTR DS:[185C1B4] 00457E21 8078 0C 00 CMP BYTE PTR DS:[EAX+C],0 00457E25 897C24 14 MOV DWORD PTR SS:[ESP+14],EDI 00457E29 74 15 JE SHORT iw3mp.00457E40 00457E2B 8B4424 3C MOV EAX,DWORD PTR SS:[ESP+3C] 00457E2F 50 PUSH EAX 00457E30 8B4424 3C MOV EAX,DWORD PTR SS:[ESP+3C] 00457E34 50 PUSH EAX 00457E35 52 PUSH EDX 00457E36 51 PUSH ECX 00457E37 56 PUSH ESI 00457E38 E8 13E9FFFF CALL iw3mp.00456750 00457E3D 83C4 14 ADD ESP,14 00457E40 85FF TEST EDI,EDI
ALT + Tab back into ollydbg, scroll down to the first JE below the "CG_FireWeapon: Weapon" string (I marked in the code above as fun offset). It should look like this:
Double click the offset, it should bring up the assemble window. This window allows you to change the memory. Change the JE to JNE (jump if equals to jump if not equals). Your new offset should look like this:Code:00457DFF 74 12 JE SHORT iw3mp.00457E13
Tab back into the game and start shooting through the scope! There should be no recoil ... Enjoy.Code:00457DFF 75 12 JNZ SHORT iw3mp.00457E13
I believe there are multiple ways within this function to obtain the same result. I found two/three when messing around with it. My reversing skills are not super awesome so please correct me where ever you see fit.
Making use of the offset (C++):
As my change is a memory modification we will utilize C++ to create a DLL (dynamic link library) which we will inject into Call of duty 4. We create a DLL as it is the most simplest route (in my opinion) for what we are trying to accomplish. However, for those who love to create executables you could easily accomplish the same result by making a trainer.
Anyway, what we want to do is change:
To:Code:00457DFF 74 12 JE SHORT iw3mp.00457E13
We can accomplish this in a range of different ways but the easiest to understand would be to use the function WriteProcessMemory (more information on this function can be found on the msdn website).Code:00457DFF 75 12 JNZ SHORT iw3mp.00457E13
Here is the code for the DLL (Project & Binary also attached):
This code should be 100% working for call of duty 4 1.5, I tested it on Lan & a non punkbuster server. BTW, the project was created with visual studio 2008 which you can obtain for free from the m1crosoft website. Enjoy.Code:/* Call of duty 4 1.5 No recoil Tutorial Solution - Credits: Quicktime, RunningBon... */ //Includes #include <windows.h> HANDLE CallOfDuty4 = GetCurrentProcess(); BYTE NoRecoil[] = {0x75, 0x12}; // 00457DFF 75 12 JNZ SHORT iw3mp.00457E13 BOOL WINAPI DllMain (HINSTANCE hModule, DWORD dwAttached, LPVOID lpvReserved) { if (dwAttached == DLL_PROCESS_ATTACH) { WriteProcessMemory(CallOfDuty4, (void*)0x00457DFF, &NoRecoil, 2, 0); } return 1; }
Download:
COD4 1.5 No Recoil Solution (Source Code) - http://www.ucdownloads.com/downloads...o=file&id=2928
COD4 1.5 No Recoil Binary/Compiled DLL (For non-coders? :/) - http://www.ucdownloads.com/downloads...o=file&id=2929
Reply With Quote
lol
.
Bookmarks