[Coding] BFBC2 Beta reversal topic

**s0beit** · 02-01-2010, 02:05 PM

PLEASE DO NOT POST KEYS, USERNAMES, OR ANYTHING ELSE HERE OR THERE IS A POSSIBILITY YOU WILL BE KICKED OUT OF THE BETA.

YOU HAVE BEEN WARNED.

Ill kick dis shit off:

PHP Code:

  class EAStringC

{

public:

    __int16        RefCount;            //0000

    __int16        Size;                //0002

    __int16        MaxSize;            //0004

    __int16        Hash;                //0006

    char        Buffer[32];            //0008 (possibly char*)

};

 
class AptNativeFunction

{

public:

    DWORD        ClassPointer;        //0000

    char        Unknown001[ 0x1C ]; //0004

    DWORD        Callback;            //0020

};

 
class CRenderer //015F546C

{

public:

    void*        VTable;                //0000

    char        Unknown001[ 0x08 ];    //0004

    __int32        Unknown002;            //000C

    char        Unknown003[ 0x08 ]; //0010

    __int32        ScreenWidth;        //0018

    __int32        ScreenHeight;        //001C

    __int32        Unknown004;            //0020

    void*        Unknown005;            //0024 ( some table )

};

PHP Code:

  .rdata:0148D400 aEntitymanager  db 'EntityManager',0 

->

.text:012297EC                 push    offset aEntitymanager ; "EntityManager"

.text:012297F1                 lea     ecx, [esi+3040h]

.text:012297F7                 mov     [esi+30h], eax

.text:012297FA                 call    ManagerFunc_Unknown001

 
(which in hex-rays)

ManagerFunc_Unknown001((void *)(this + 0x3040), (int)"EntityManager", 0);

PHP Code:

  .text:00567B3F                 push    offset GBooleanType

.text:00567B44                 push    offset aGame_autoaimen ; "Game.AutoAimEnabled"

.text:00567B49                 call    GetGlobalVariable

.text:00567B4E                 xorps   xmm0, xmm0

.text:00567B51                 mov     GGame_AutoAimEnabled, eax

.text:00567B56

.text:00567B56 loc_567B56:                             ; CODE XREF: sub_56755C+5D4j

.text:00567B56                 mov     ecx, GGame_AutoAimEnabled

BFBC2 appears to use some new kind of scripting system i am not too familiar with, at least thats what it seems like to me.

OK....GO!!!

**learn_more** · 02-01-2010, 02:16 PM

PHP Code:

  class EAStringC
{
public:
    __int16        RefCount;            //0000
    __int16        Size;                //0002
    __int16        MaxSize;            //0004
    __int16        Hash;                //0006
    union {
        char        Buffer[32];            //0008 (possibly char*)
        char*      pBuffer;
    };
};

is maybe easier

(ps: that looks alot like std::string, they have same thing too, that the char has embedded buffer and if it becomes bigger it's a pointer)

**s0beit** · 02-01-2010, 02:17 PM

well its an exported class, look in exports of the main exe.

and its declared as EAStringC (and it has its own functions also, but you obviously have to either rebuild them or import them somehow)

**vidgam904** · 02-01-2010, 02:45 PM

Bfbc2 is written in lua ATM/ bit of XML too, you can see those files in config.zzz

**s0beit** · 02-01-2010, 03:02 PM

yes but LUA really only accounts for the settings on the client, not really anything TRULY important.

**_GHOSTER_** · 02-02-2010, 12:05 AM

GetLocalTeam() -> 0x8D5400

**s0beit** · 02-02-2010, 12:27 AM

0x152AC60 would be the local player pointer then, according to your neat function ghoster.

with pointers at + [0x2C + [0xA8 or 0xB4]] respectively.

( Pointer + 0x2C + 0xB4 + 0x08 ) = Player Name
( Pointer + 0x2C + 0xB4 + 0x54 ) = "EASTL" (Team?)

**_GHOSTER_** · 02-02-2010, 12:32 AM

Yea, if you check the calling functions you can see how it gets enemy team

Code:

MOV EAX,DWORD PTR DS:[ESI+3C]
MOV EDX,DWORD PTR DS:[EAX+4]
LEA ECX,DWORD PTR DS:[ESI+3C]
PUSH EDI
CALL EDX

Where ESI is the player

ESI is then set again by this fucntion 1210200

Inside 1210200 you can see arrays being accessed and an iterator increased, this function accesses some sort of manager.

Now, I am unsure if the class that is ESI has all the other goodies like name, pos, etc. One way to find out...

**s0beit** · 02-02-2010, 12:56 AM

This seems to be the iteration "in motion"

PHP Code:

  int __thiscall sub_681680(void *this, int a2)
{
  int pPlayer; // edi@1
  int v4; // ST18_4@4
  int v5; // esi@5
  int v6; // eax@5
  double v7; // st7@5
  float v8; // ST28_4@5
  float v9; // ST2C_4@5
  float v10; // ST30_4@5
  int result; // eax@9
  float dist_squared; // [sp+4h] [bp-30h]@5
  float v14; // [sp+8h] [bp-2Ch]@1
  int v15; // [sp+Ch] [bp-28h]@1
  void *v16; // [sp+10h] [bp-24h]@1
  char v17; // [sp+24h] [bp-10h]@1

  __asm { movss   xmm0, ds:dword_13D3E6C }
  v16 = this;
  __asm { movss   [esp+48h+var_2C], xmm0 }
  v15 = 0;
  ForgeClassUnknown001((int)CMinimap_Unknown_Type[1], (int)&v17, (int)&GServerSoldierEntityType);
  pPlayer = PLAYER_ITER_001(&v17);
  if ( pPlayer )
  {
    do
    {
      if ( *(_DWORD *)(pPlayer + 0x210) )
      {
        if ( a2 != pPlayer )
        {
          v4 = (*(int (__thiscall **)(int))(*(_DWORD *)(pPlayer + 0x3C) + 4))(pPlayer + 0x3C);
          if ( (*(int (__thiscall **)(int))(*(_DWORD *)(a2 + 0x3C) + 4))(a2 + 0x3C) == v4 )
          {
            v5 = GetOtherFunctionalPointer_001(pPlayer) + 0x30;
            v6 = GetOtherFunctionalPointer_001(v16);
            v7 = *(float *)(v6 + 0x30) - *(float *)v5;
            v6 += 0x30u;
            v8 = v7;
            v9 = *(float *)(v6 + 4) - *(float *)(v5 + 4);
            v10 = *(float *)(v6 + 8) - *(float *)(v5 + 8);
            dist_squared = v8 * v8 + v9 * v9 + v10 * v10;
            sub_DF30BC();
            if ( dist_squared < 15.0 )
            {
              if ( dist_squared < (double)v14 )
              {
                __asm { movss   xmm0, [esp+40h+dist_squared] }
                v15 = pPlayer;
                __asm { movss   [esp+40h+var_2C], xmm0 }
              }
            }
          }
        }
      }
      pPlayer = PLAYER_ITER_001(&v17);
    }
    while ( pPlayer );
    result = v15;
  }
  else
  {
    result = 0;
  }
  return result;
}

which is at the function ghoster provided, at 1210200

[Auto Merged - 3:50:04 UTC]

Win.

I've been dumping and revising this in IRC a lot, now to unleash it.

the "GServerSoldierEntityType" is actually a class in memory, thanks to GHOSTER dumping it rather then somehow unpacking it (dumping was actually nessicary), anyway, it preserved the class in memory and i was able to analyze it.

There is a class hierarchy in BFBC2, the likes of UE3-style

check it.

PHP Code:

  class CMegaEntity
{
public:
    char*                    Name;            //0000
    CMegaEntity*            Mega;            //0004
};

class CScriptableEntityInfo
{
public:
    char*                    Name;            //0000
    __int32                    Unknown001;        //0004
    CMegaEntity*            Mega;            //0008
    __int32                    Index;            //000C
    __int32                    Unknown002;        //0010
    __int32                    Unknown003;        //0014
};

class CScriptableEntity //0x018AF378
{
public:
    unsigned long*            VTable;            //0000
    CScriptableEntityInfo*    Info;            //0004
    CScriptableEntity*        Core;            //0008
    __int32                    Index;            //000C
    __int32                    Unknown001;        //0010
    CScriptableEntity*        Parent;            //0014
    __int32                    Unknown002;        //0018
    __int16                    Index_Unknown_1;//001C
    __int16                    Index_Unknown_2;//001E
    __int32                    Unknown005;        //0020
    CScriptableEntity*        Type;            //0024
    CScriptableEntity*        Group;            //0028
    __int32                    Unknown006;        //002C
    __int32                    Unknown007;        //0030

    inline const char *GetName()
    {
        return this->Info->Name;
    }

    inline CMegaEntity *GetMega()
    {
        return this->Info->Mega;
    }
};

PHP Code:

  DWORD WINAPI lpAccessManagers( LPVOID lpParams )
{
    HMODULE hMain = GetModuleHandle( NULL );

    while( true )
    {
        if( GetAsyncKeyState( VK_INSERT ) & 1 )
        {
            CScriptableEntity* pScriptEnt = ( CScriptableEntity* )0x018AF378;

            while( pScriptEnt )
            {
                if( pScriptEnt->Parent )
                {
                    GLogging.AddToLogFileA( "sent.log", "Scripted Entity [%s] -> Parent [%s]",
                        pScriptEnt->GetName(), pScriptEnt->Parent->GetName() );

                    pScriptEnt = pScriptEnt->Parent;
                }
                else
                {
                    break;
                }
            }
        }

        Sleep( 100 );
    }

    return 0;
}

Outputs:

Code:

[ 21:45:42 ] Scripted Entity [ServerSoldierEntity] -> Parent [ServerControllableEntity]
[ 21:45:42 ] Scripted Entity [ServerControllableEntity] -> Parent [ServerPhysicsEntity]
[ 21:45:42 ] Scripted Entity [ServerPhysicsEntity] -> Parent [ServerEntity]
[ 21:45:42 ] Scripted Entity [ServerEntity] -> Parent [GameEntity]
[ 21:45:42 ] Scripted Entity [GameEntity] -> Parent [LogicEntity]
[ 21:45:42 ] Scripted Entity [LogicEntity] -> Parent [Entity]
[ 21:45:42 ] Scripted Entity [Entity] -> Parent [Entity]
[ 21:45:42 ] Scripted Entity [Entity] -> Parent [Entity]
[ 21:45:42 ] Scripted Entity [Entity] -> Parent [Entity]

then it, sort of loops forever since the "Parent" is itself.

( Check Parent == Parent )( learn_more reminded me in Java i believe this style of system it is not called "Parent", but rather "Super")

**HelpDesk** · 02-03-2010, 04:35 PM

It's odd that soBeit has this

Quote:

.text:00567B3F push offset GBooleanType
.text:00567B44 push offset aGame_autoaimen ; "Game.AutoAimEnabled"
.text:00567B49 call GetGlobalVariable
.text:00567B4E xorps xmm0, xmm0
.text:00567B51 mov GGame_AutoAimEnabled, eax
.text:00567B56
.text:00567B56 loc_567B56: ; CODE XREF: sub_56755C+5D4j
.text:00567B56 mov ecx, GGame_AutoAimEnabled

But I have:

Quote:

.text:00567B3F db 26h ; &
.text:00567B40 db 1Bh
.text:00567B41 db 0CCh ; ¦
.text:00567B42 db 0A0h ; á
.text:00567B43 db 0
.text:00567B44 db 0D7h ; Î
.text:00567B45 db 0BFh ; +
.text:00567B46 db 41h ; A
.text:00567B47 db 0DFh ; ¯
.text:00567B48 db 1Ch
.text:00567B49 db 0B7h ; À
.text:00567B4A db 63h ; c
.text:00567B4B db 0A8h ; ¿
.text:00567B4C db 0Dh
.text:00567B4D db 4Ch ; L
.text:00567B4E db 6Eh ; n
.text:00567B4F db 0Eh
.text:00567B50 db 0E5h ; Õ
.text:00567B51 db 23h ; #
.text:00567B52 db 5Eh ; ^
.text:00567B53 db 0E9h ; Ú
.text:00567B54 db 5
.text:00567B55 db 0EBh ; Ù
.text:00567B56 db 57h ; W
.text:00567B57 db 22h ; "

How could I fix this?

**Big Dave** · 02-03-2010, 04:46 PM

Did you remove securom?
And before you ask no i'm not going to tell you how. Start the game and attach olly then save to executable within olly :x Although that doesn't really remove it completely. But it should be enough.

**HelpDesk** · 02-03-2010, 06:06 PM

Quote:

Originally Posted by Big Dave

Did you remove securom?
And before you ask no i'm not going to tell you how. Start the game and attach olly then save to executable within olly :x Although that doesn't really remove it completely. But it should be enough.

No, because I don't know how :*(

Well, thank you anyway.

**_GHOSTER_** · 02-03-2010, 11:08 PM

Nothing special...maybe it saves someone 10 seconds.

DX Device
GameBase() + 0x11F5778;

**Nov** · 02-03-2010, 11:50 PM

Quote:

Originally Posted by HelpDesk

It's odd that soBeit has this

But I have:

How could I fix this?

Attach debugger to running process instead of opening image from disk..

**s0beit** · 02-04-2010, 01:25 PM

GHOSTER this is probably irrelevant but i have this....

Code:

.text:0059F566                 mov     ecx, dword_15F5770
.text:0059F56C                 call    StoreDirectX9Pointer_Unknown_001

Code:

.text:011E8048                 mov     ecx, esi
.text:011E804A                 mov     [esi+154h], dl
.text:011E8050                 call    StoreDirectX9Pointer

Code:

.text:011D81FB                 mov     ecx, [esi+58h]
.text:011D81FE                 mov     GDevice, ecx

So just saying, it (and other stuff) could also be at:

0x15F5770 + 0x58 as well

( yes i am aware those two base pointers are 4 bytes apart, only, lol )

PHP Code:

  class CRenderer //0x15F5770

{

public:

    char        Unknown001[ 16 ];            //0000

    __int32        ScreenWidth_001;            //0010

    __int32        ScreenHeight_001;            //0014

    __int32        ScreenWidth_002;            //0018

    __int32        ScreenHeight_002;            //001C

    char        Unknown002[ 52 ];            //0020

    void*        UnknownDirectXPtr001;        //0054

    void*        DirectXDevicePointer;        //0058

    void*        UnknownDirectXPtr002;        //005C

    char        Unknown003[ 100 ];            //0060

    __int32        MonitorHz;                    //00C4 [ was 96 for me.. ]

    __int32        ScaleWidth;                    //00C8 [ 1024 ]

    __int32        ScaleHeight;                //00CC [ 576 ]

    char        Unknown003[ 24 ];            //00D0

    __int32        ScreenWidth_003;            //00E8

    __int32        ScreenHeight_003;            //00EC

};

at +2C4 there appears to me a "Core::Vec4" type somewhere in the mix too.

**HelpDesk** · 02-04-2010, 09:56 PM

This game is using havok, kynapse and probably some other libraries isn't there any already reversed structs for them?

**Big Dave** · 02-04-2010, 10:22 PM

Quote:

Originally Posted by HelpDesk

This game is using havok, kynapse and probably some other libraries isn't there any already reversed structs for them?

Prove it. Isn't that just a physics engine anyway? Not a full game engine.

**HelpDesk** · 02-04-2010, 10:27 PM

@s0Beit, ( Pointer + 0x2C + 0xB4 + 0x54 ) = "EASTL" (Team?)
EASTL is ea's implementation of standard stl, not a team

Quote:

Originally Posted by Big Dave

Prove it. Isn't that just a physics engine anyway? Not a full game engine.

Well, IIRC when you start the game there reads after the videos "havok" and some other technologies that they are using. If not then I probably read it from somewhere else.

This kynapse thing can be found when reversing the game. There's "Kynapse" and "Kynapse license manager" strings.
Also "Flexible license manager" and so on.

PHP Code:

                  align 8
.rdata:0143F838 aKaimCdataSKy_0 db 0Ah                  ; DATA XREF: sub_CFF590+C8o
.rdata:0143F838                 db 9,'{',0Ah
.rdata:0143F838                 db 9,'Kaim::CData *%s = Kynapse::DefinitionAddFolder(%s, "%s", KY_NULL'
.rdata:0143F838                 db ');',0Ah,0
.rdata:0143F881                 align 4
.rdata:0143F884 aDefinition     db 'definition',0       ; DATA XREF: sub_CFF590+B8o
.rdata:0143F884                                         ; .text:loc_CFFA26o
.rdata:0143F88F                 align 10h
.rdata:0143F890 asc_143F890     db 9,'}',0Ah,0          ; DATA XREF: sub_CFF590+9Fo
.rdata:0143F890                                         ; sub_CFF590+11Ao
.rdata:0143F894                 align 8
.rdata:0143F898 aKaimCdataSKyna db 9,'{',0Ah            ; DATA XREF: sub_CFF590+84o
.rdata:0143F898                 db 9,'Kaim::CData *%s = Kynapse::DefinitionAddAttribute(%s, "%s", "%s"'
.rdata:0143F898                 db ');',0Ah,0
.rdata:0143F8E0 aKynapseDefinit db 9,'Kynapse::DefinitionAddAttribute(%s, "%s", "%s");',0Ah,0
.rdata:0143F8E0                                         ; DATA XREF: sub_CFF590+49o

**Big Dave** · 02-04-2010, 10:32 PM

Kynapse is something to do with AI. So probably for SP.

**Roverturbo** · 02-04-2010, 10:44 PM

Havok is for physics and kynapse is for the artificial intelligence. How many times do people have to say this, it is a "new game engine"... Also, s0beit knows what EASTL means, he was told prior to your post.