[Tutorial] Finding and Using the CConsoleInput Pointer

**Freaky123** · 6th November 2009, 02:13 PM

Finding and Using the CConsoleInput Pointer

Step 1: Finding the CConsoleInput pointer

If you use OllyDBG:

Start OllyDBG
Start the game and don't choose a character.
Now attach OllyDBG to BFHeroes.exe.
Go to the BFHeroes module.
Press right click somewhere on the asm code section and search for a referenced text string.
Type: "easy-bfh-dev-trunk" (without the quotes). There are multiple results but they are like 10 lines away from each other.

Then go to that address...

At that address, you will see the following:

Code:

0040C6D7   EB 06            JMP SHORT BFHeroes.0040C6DF
0040C6D9   891D 3023AA00    MOV DWORD PTR DS:[AA2330],EBX
0040C6DF   53               PUSH EBX
0040C6E0   6A 64            PUSH 64
0040C6E2   8D4E 28          LEA ECX,DWORD PTR DS:[ESI+28]
0040C6E5   8935 CC94A200    MOV DWORD PTR DS:[A294CC],ESI  <----- This DS:[??????] is the address
0040C6EB   E8 10EBFFFF      CALL BFHeroes.0040B200
0040C6F0   8D96 44010000    LEA EDX,DWORD PTR DS:[ESI+144]
0040C6F6   891D 5829B500    MOV DWORD PTR DS:[B52958],EBX
0040C6FC   52               PUSH EDX
0040C6FD   899E 08010000    MOV DWORD PTR DS:[ESI+108],EBX
0040C703   899E 0C010000    MOV DWORD PTR DS:[ESI+10C],EBX
0040C709   FF15 90459100    CALL DWORD PTR DS:[<&MSVCR71.time>]      ; MSVCR71.time
0040C70F   83C4 04          ADD ESP,4
0040C712   68 4C5B9100      PUSH BFHeroes.00915B4C                   ; ASCII "easy-bfh-dev-trunk"
0040C717   8D4C24 10        LEA ECX,DWORD PTR SS:[ESP+10]
the other string is more down here...

Look at the comments in this code for the right address.

If you use IDA:

Start IDA.
Load the BFHeroes.exe process into IDA and wait until it is finished loading.
In the strings window, search for "easy-bfh-dev-trunk" (without the quotes).
Then, double click that string and follow the reference to where it is used (there are multiple but they are like 10 lines away from each other)

You will see the following:

Code:

.text:0040C6DF loc_40C6DF:                             ; CODE XREF: sub_40C480+257j
.text:0040C6DF                 push    ebx
.text:0040C6E0                 push    64h
.text:0040C6E2                 lea     ecx, [esi+28h]
.text:0040C6E5                 mov     dword_A294CC, esi <----- dword_?????? is the address
.text:0040C6EB                 call    sub_40B200
.text:0040C6F0                 lea     edx, [esi+144h]
.text:0040C6F6                 mov     dword_B52958, ebx
.text:0040C6FC                 push    edx             ; time_t *
.text:0040C6FD                 mov     [esi+108h], ebx
.text:0040C703                 mov     [esi+10Ch], ebx
.text:0040C709                 call    ds:time
.text:0040C70F                 add     esp, 4
.text:0040C712                 push    offset aEasyBfhDevTrun ; "easy-bfh-dev-trunk"
.text:0040C717                 lea     ecx, [esp+24h+var_14]
the other string is more down here...

Look at the comments in this code for the right address.

Step 2: Now, to use it in your code (Credits to GetModuleHandle)

Code:

//Classes
class CMainConsole
{
public:
    virtual void Function0();
    BYTE m_bOpen; //0004
};
MainConsole = (CMainConsole*) ClassManager->GetClassByName( &string( "MainConsole" ) );

class CUnknown
{
public:
    bool ProcessInputs;
};

class CConsoleInput
{
public:
                char unknown0[20];
    CUnknown* Console; //0014
};
CConsoleInput** ConsoleInput = (CConsoleInput**) 0xA294CC; //Here the address from previous


//To open it
if ( GetAsyncKeyState( VK_NUMPAD1 ) & 1)
{
    if ( MainConsole->m_bOpen ) 
    {
        MainConsole->m_bOpen = false; 
        (*ConsoleInput)->Console->ProcessInputs = false; 
    } else {
        MainConsole->m_bOpen = true;
        (*ConsoleInput)->Console->ProcessInputs = true;
    }
}
//Credits GetModuleHandle

Credits:
- Freaky123 for finding new pointer and creating the tutorial.
- smoochy for testing and help.
- patrick451 for giving a old version of BFHeroes.exe.
- GetModuleHandle for the classes and the script.

**Winslow** · 6th November 2009, 02:24 PM

Excellent job Freaky123, this will definitely be very helpful to many. Added to the Battlefield Heroes Threads list. Thanks for posting, +rep.

**SEGnosis** · 6th November 2009, 02:41 PM

Good shiz ^_^

**learn_more** · 6th November 2009, 04:14 PM

nice, thanks for writing this.

have some green bubbles

**Kiwinz** · 6th November 2009, 07:16 PM

Excellent work, everything is well documented

Have some Rep for your share .

**smoochy** · 6th November 2009, 09:35 PM

well done

+rep when i spread some more around!

**Roverturbo** · 6th November 2009, 10:01 PM

<wise words here>. Plus reputation.

**SEGnosis** · 7th November 2009, 03:07 AM

Quote:

Originally Posted by Roverturbo

<wise words here>. Plus reputation.

Shh Dont let him know the script!

**jumpstart201** · 30th May 2010, 09:53 PM

strange.. About a month ago I did this without hassle and easily found the address and added it to my project.

But now (v1.26) I've searched using both programs for the easy-bfh-dev-trunk but it is nowhere to be found

I have found similar things such as easy-bfh-test-trunk and easy-bfh-test-release, but now no dev anywhere? Help appreciated, thanks in advance!

**Canaiba** · 30th May 2010, 09:57 PM

Awesome share!

Rep +

**Winslow** · 30th May 2010, 10:31 PM

Quote:

Originally Posted by jumpstart201

strange.. About a month ago I did this without hassle and easily found the address and added it to my project.

But now (v1.26) I've searched using both programs for the easy-bfh-dev-trunk but it is nowhere to be found

I have found similar things such as easy-bfh-test-trunk and easy-bfh-test-release, but now no dev anywhere? Help appreciated, thanks in advance!

Search for the following: "dev.easy.ea.com" and you should see the CConsoleInput pointer referenced slightly above there.

Try creating a signature scan for it, similar to how is done for ClassManager, that way you don't have to update it for every new version.

**jumpstart201** · 31st May 2010, 05:36 PM

Quote:

Originally Posted by Winslow

Search for the following: "dev.easy.ea.com" and you should see the CConsoleInput pointer referenced slightly above there.

Try creating a signature scan for it, similar to how is done for ClassManager, that way you don't have to update it for every new version.

*Searches google for signature scan tutorials* thanks! i got it now

wonder where easy-bfh-dev-trunk went though

**sepiantum** · 27th July 2010, 11:53 PM

Can't seem to find it. Any help? I search easy-bfh-dev-trunk and it's not there. I've attached a screen shot.

**LilHacker** · 28th July 2010, 12:11 AM

Quote:

Originally Posted by sepiantum

Can't seem to find it. Any help? I search easy-bfh-dev-trunk and it's not there. I've attached a screen shot.

same here i've tried this many times on at least 3 separate occasions and still couldnt find it, but when and after we find it, we do we do now??

**smoochy** · 28th July 2010, 12:35 AM

this method no longer works as of the 1.28 update im pretty sure.

you can still bring up the console and look at text, but you cant type anything..

**Freaky123** · 28th July 2010, 02:24 PM

I will look at this later.. I will find another reference maybe

**jhonkarter** · 6th August 2010, 01:31 AM

With this data I can make a aimbot? type the FreeAIm?

**smoochy** · 6th August 2010, 04:34 AM

negative.

this WOULD have allowed you type type text like in BF2 when you press ~ you get console, this is the code for HEROES, but it doesn't work at the moment.

look @ the aimbot thread for heroes!

**Freaky123** · 6th August 2010, 02:36 PM

Quote:

Originally Posted by jhonkarter

With this data I can make a aimbot? type the FreeAIm?

Learn c++ first then spend some time with reversing and asm.. then start asking stupid questions please!

**Freaky123** · 8th August 2010, 08:59 PM

If someone needs the newest offset its: 0x14A494C

Have fun with it..

ps. I will update the tutorial soon