
Need help on finding a register location...


RecklessYouth
June 4th, 2004, 18:36
I'm tryin to make a few cheats for a game some friends and I play and am having a huge problem resolving a DMA. The normal method is not pulling through and I'm going insane trying time and time again with no luck. I read once that Olly can locate registers with the quickness so I decided to give it a shot, but I'm having a hell of a time figuring it out and could really use some help!

Say I have this line:
0064FB41 MOV EDX,DWORD PTR SS:[EBP+3D8]
Is there a way to make Olly find EBP?? thanx!

focht
June 4th, 2004, 23:40
Greetings!

well, if you pause at the instruction, OllyDbg calculates the resulting addresses and values automagically for you.
They get displayed in the little pane at the bottom of the CPU window.
e.g.:

SS:[zzzzzzzz]=xxxxxxxx
EDX=yyyyyyy

You can of course highlight the instruction and use the context menu "follow in dump" -> "memory address" to get some more data around that location displayed, or to "cast" the values to desired types (like toggling to "float" display to view game float vector variables).

Anyway, this value [ebp+3D8] will usually gain you nothing, because it's a dynamically created game structure/variable set.
You have to patch the instruction reading/processing these values to overcome the dynamic memory address problem.
Either patch it directly at the location or use code caves.

Code caves give you the advantage of placing/injecting larger code sequences into target.
Additionally anti cheat programs which look for well known offsets (like punkbuster) get defeated by avoiding well known patch locations (placing the code some instructions before checkpoint).
The code cave has to replicate the skipped instructions too.

Use a "jump trampoline" to jump to your injected code, execute your desired code there and/or execute some replicated code.
Then jump back to next original instruction not overwritten by trampoline to resume execution.

Regards,

A. Focht

Lord_Looser
June 5th, 2004, 01:13
some helpful URLs

http://fly.to/mtc
http://xcheater.com/tutorials.aspx

but if your asm line always does the same thing – e.g. decrements only your life – you can easily nop this line

focht
June 5th, 2004, 03:18
Some useful message boards where you can get help if you happen to own one of these multiplayer games

MPC: http://mpc.mpcheatz.de/forum/
UC: http://ucforum.net/

Almost everything is covered there.
Lots of stuff to study and/or play with.

My advice: build your own hack - it will increase chances to defeat pathetic crap like punkbuster

Regards

RecklessYouth
June 5th, 2004, 11:30
Hey, thanx a ton for the replies! I guess I'm goin to have to use a code cave. The address I posted is a breakpoint of the DMA I'm tryin to hack. The value of [ebp+3D8] is my DMA. I've been reading a lot about code caving and what not, but I'm still a noob when it comes to coding with asm. I was wondering how I would make the value of an address I jump to have the value of [ebp+3D8]? Then in VB I could just read that address and I've got my DMA to write to. thanx again!

Necr0Potenc3
June 5th, 2004, 14:13
mov eax, [ebp+3d8]
jmp eax

that should do it

focht
June 6th, 2004, 02:08
Hi again,

not sure what you're trying to accomplish... please post a larger code snippet (including the part with [ebp+3D8]) and what you are trying to do with that value (modify it, skip it ...).

Regards

RecklessYouth
June 6th, 2004, 11:56
Wow, I sure like this forum a lot...people here are actually willing to help and share their knowledge, it's cool. Anyways, this is for a zoom hack for BFV. I know [EBP+3D8] points to my DMA, so I'm tryin to put it somewhere I can read to get my DMA. Once I have a way to find the DMA, for now I'm just going to modify it to 0.2, and once PB is updated I'll be able to make a code cave for it too.
Here is a little more of that code:
0064FB41 |> 8B95 D8030000 MOV EDX,DWORD PTR SS:[EBP+3D8]
0064FB47 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
0064FB49 |. 6A 00 PUSH 0
0064FB4B |. 68 00280000 PUSH 2800
0064FB50 |. 8BCE MOV ECX,ESI
0064FB52 |. 8996 4C020000 MOV DWORD PTR DS:[ESI+24C],EDX
0064FB58 |. FF50 28 CALL DWORD PTR DS:[EAX+28]
0064FB5B |. 85DB TEST EBX,EBX
Thanx for the code necr0, but for the life of me I couldn't get it to work...here is what I tried (I did it in TS' EasyWrite cuz I didn't know how to write asm in Olly):
offset 10001
mov eax,[ebp+3d8]
jmp eax
mov edx,[ebp+3D8]
jmp 0x64FB47
offset 64FB41
jmp 0x10001
nop
If I try it w/o the code necr0 gave me, the jmps work great, so I don't think my cave is the prob.
thanx

focht
June 6th, 2004, 13:34
Hi again,

well, the only lines that seem to be useful are


0064FB41 |> 8B95 D8030000 MOV EDX,DWORD PTR SS:[EBP+3D8]

and

0064FB52 |. 8996 4C020000 MOV DWORD PTR DS:[ESI+24C],EDX


... are you sure that you got the right DMA for zoom?

Usually the FOV = "field of view" is a float value which gets read before rendering stuff. Example:


// load the value into the fpu stack
fld dword ptr [esi+0x24C]
// do something with it....


Finding the zoom DMA shouldn't be that hard.
When I made some hacks for myself I used TSearch (*g*).
Just search for float 1.0 when unzoomed (after map load), then zoom in and search for float 0.5.
It should go down to a few addresses. Try to change 'em (write some float to it) and watch if it really works (some locations only update their values according to a single location).

Many ppl use the code cave to move the DMA value to some location (unused page) known to their trainer, to write it from the trainer process.
I find this way too cumbersome ... why not use the code cave to contain the "update" itself?
When the FOV should be changed, the cave code is "updated".

Example (assumes [ebp+3D8] contains FOV dma):


jmp code_cave_location
nop
reentry:


code cave:

mov eax,[ebp+3d8]
// write float 0.5 = 3F000000h (1.0 = 3F800000h)
mov dword [eax], 3F000000h
jmp reentry


So the opcodes of code cave read as follows:


0041C280 > 8B85 D8030000 MOV EAX, DWORD PTR SS:[EBP+3D8]
0041C286 C700 0000003F MOV DWORD PTR DS:[EAX], 3F000000
0041C28C - E9 xxxxxx JMP xxxxxxx


So if you were to change the FOV value you just replace the immediate of the second opcode in your trainer and write the whole code cave again.
E.g. C700 0000003F -> C700 0000803F (1.0)

Don't forget to place the code cave a few opcodes before the relating line (replicate the other instructions in the code cave) to avoid getting caught by pb offsets.

Regards,

A. Focht

RecklessYouth
June 6th, 2004, 23:52
Hay man,

HELL YA!! You've solved the problem I can't tell u how long I've been working on. Worked great, thanx a lot!! At first when I'd right-click to zoom my screen would get all tweaked out, getting all inverted, looking in different directions and what not. Finally, after about an hour of wanting to douse my computer in gasoline, I realized from ur example that u have to write the float value backwards from what it shows up as in hex. After that it took me prob 30 mintz to make 3 other hacks that have been giving me hell. Thanx again!
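Two points from the exchange above are worth seeing in working code: the byte order of the immediate in focht's cave (the "00 00 00 3F" that RecklessYouth had to write "backwards"), and focht's earlier remark that anti-cheat checks pinned to well-known offsets miss a cave placed a few instructions before the checkpoint. The following C program is an added example written for this page; it is not code from the thread, from OllyDbg, TSearch or PunkBuster. It encodes the MOV immediate to show the little-endian layout, then compares the opcode bytes of the disassembly quoted in the thread against a constructed copy whose first six bytes carry the JMP rel32 + NOP trampoline shape described above (the displacement bytes are an arbitrary placeholder). The narrow check that inspects only the store at 0064FB52 reports nothing, while a comparison over the whole region reports the patch at offset 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit pattern of an IEEE-754 single: 0.5f -> 0x3F000000, 1.0f -> 0x3F800000. */
uint32_t float_to_imm32(float f) {
    uint32_t bits;
    memcpy(&bits, &f, sizeof bits);        /* type-pun without aliasing UB */
    return bits;
}

/* Encode MOV DWORD PTR [EAX], imm32 (opcode C7 /0, ModRM 00). x86 stores the
   immediate least-significant byte first, so 0x3F000000 lands as 00 00 00 3F. */
void encode_mov_mem_eax_imm32(uint32_t imm, uint8_t out[6]) {
    out[0] = 0xC7;
    out[1] = 0x00;
    out[2] = (uint8_t)(imm);
    out[3] = (uint8_t)(imm >> 8);
    out[4] = (uint8_t)(imm >> 16);
    out[5] = (uint8_t)(imm >> 24);
}

/* Whole-region integrity check: offset of the first byte where the live code
   differs from the reference image, or -1 if the region is intact. */
long first_divergence(const uint8_t *live, const uint8_t *ref, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (live[i] != ref[i])
            return (long)i;
    return -1;
}

/* Reference image: the opcode bytes of the disassembly quoted in the thread
   (0064FB41 .. 0064FB5C), copied from the listing. */
static const uint8_t REF[] = {
    0x8B, 0x95, 0xD8, 0x03, 0x00, 0x00,   /* MOV EDX,DWORD PTR SS:[EBP+3D8] */
    0x8B, 0x06,                           /* MOV EAX,DWORD PTR DS:[ESI]     */
    0x6A, 0x00,                           /* PUSH 0                         */
    0x68, 0x00, 0x28, 0x00, 0x00,         /* PUSH 2800                      */
    0x8B, 0xCE,                           /* MOV ECX,ESI                    */
    0x89, 0x96, 0x4C, 0x02, 0x00, 0x00,   /* MOV DWORD PTR DS:[ESI+24C],EDX */
    0xFF, 0x50, 0x28,                     /* CALL DWORD PTR DS:[EAX+28]     */
    0x85, 0xDB                            /* TEST EBX,EBX                   */
};
#define REF_LEN      (sizeof REF)
#define STORE_OFFSET 17u   /* the store at 0064FB52 is base + 0x11 */

/* Constructed "live" copy: the first six bytes replaced by the JMP rel32 + NOP
   trampoline shape the thread describes. The displacement bytes are an arbitrary
   placeholder; only the instruction shape matters for the check. */
void make_patched_copy(uint8_t out[REF_LEN]) {
    static const uint8_t trampoline[6] = { 0xE9, 0x11, 0x22, 0x33, 0x44, 0x90 };
    memcpy(out, REF, REF_LEN);
    memcpy(out, trampoline, sizeof trampoline);
}

/* Offset-only check of the kind the thread says caves evade: it inspects just
   the six bytes of the store instruction and nothing before it. */
int store_instruction_intact(const uint8_t *live) {
    return memcmp(live + STORE_OFFSET, REF + STORE_OFFSET, 6) == 0;
}

/* Results wrapped in functions so they can be checked without buffers. */
int mov_imm_is_little_endian(void) {
    static const uint8_t expect[6] = { 0xC7, 0x00, 0x00, 0x00, 0x00, 0x3F };
    uint8_t b[6];
    encode_mov_mem_eax_imm32(float_to_imm32(0.5f), b);
    return memcmp(b, expect, 6) == 0;
}

int offset_check_misses_trampoline(void) {
    uint8_t live[REF_LEN];
    make_patched_copy(live);
    return store_instruction_intact(live);        /* 1: the narrow check sees nothing */
}

long region_check_finds_trampoline(void) {
    uint8_t live[REF_LEN];
    make_patched_copy(live);
    return first_divergence(live, REF, REF_LEN);  /* 0: patch starts at the first byte */
}

int main(void) {
    uint8_t b[6];
    encode_mov_mem_eax_imm32(float_to_imm32(0.5f), b);
    printf("MOV DWORD PTR [EAX], 0.5f encodes as:");
    for (int i = 0; i < 6; i++)
        printf(" %02X", b[i]);
    printf("\noffset-only check intact: %d\n", offset_check_misses_trampoline());
    printf("region check first divergence: %ld\n", region_check_finds_trampoline());
    return 0;
}
```

The design point for the defending side is the last two functions: a check keyed to one famous offset is a signature, and a signature is evaded by moving the patch, whereas comparing the whole code region against the on-disk image (or a hash of it) is indifferent to where the trampoline was placed.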

psyCK0
June 7th, 2004, 06:37
Putting ethics of cheating in online games aside...
Doesn't PB take random screenshots of client screens to prevent this kind of exploit?

RecklessYouth
June 7th, 2004, 10:49
psyCK0...the way I look at it is the other players get their edge by playin 24-7 and fortunately I have a life, so I get my edge by cheating...un'ethical' mayb…but I'm having my fun, and everyone else is having theirs. I'm not one of those 'l33t hax0rz' going around bustin a 100-1 ratio ruining the game for everyone else.

As for the screenshots, the admin can take those on request; if ur like me and make urself just as good as the next guy u don't gotta worry about that.

focht
June 7th, 2004, 13:39
Greetings,

ethics ... well, I got interested in hacks for the sole purpose of "what is possible" in a multiplayer game that comes with a certain kind of protection and additional punkbuster.

I rather seldom play online ... if a new pb version is released, my first thing to do is to dump/fix/decrypt the client dlls to get a handle on how the anti-cheat side has evolved.
I usually give hints to both sides in forums on how things can be hacked and how the stuff can be detected, to help ppl understand what is behind it.
There were lots of ppl who didn't know anything about game hacking and are now able to code their own (private) hacks, which is a good thing (tm) IMHO, rather than begging for cheats (no-brainer).

Anyway ... for the screenshot case, yes, it can be hacked.
I explained some methods to defeat/avoid it in some mpc threads a while ago ... some ppl actually implemented it in their hacks (the ultimate one - hooking DDraw's COM interface - is still missing hehe).

Regards