Engine Wallhack without using wpm
Old 02-07-2010, 08:30 PM   #1
cardoow

Hi Dudes,

with wpm we just write push 0x82 to create a wallhack...
after that push you can see a call to some function (i don't know what it is)
but i put a breakpoint in that function and found out that it takes
the pushed value from the stack...
so what i did is changing the value on the stack so you will have wallhack without
using wpm

Code:
void __declspec(naked) nUnknownFunction()
{	
	__asm pushad
	__asm cmp DWORD PTR [esp+0x20], 0x45FB8A //check if returnaddress is cg_player
	__asm jne DoCall //if not equal jump over the next line
	__asm mov [esp+0x30], 0x82 // move the 0x82 value to the stack
DoCall:
	__asm popad
	__asm jmp [pUnknownFunction]
}
v1.0.182
Code:
player returnaddress 		= 0x45FB8A
weapon returnaddress 		= 0x58C1F7
explosive returnaddress		= 0x58C62C
chopper returnaddress 		= 0x4626CF
sentry returnaddress            = 0x58C2C2
v1.0.184
Code:
player returnaddress 		= 0x48971A
weapon returnaddress 		= 0x58C197
explosive returnaddress		= 0x58C5CC
chopper returnaddress 		= 0x47060F
sentry returnaddress            = 0x58C26C


have fun
ps. this is not InterlockedExchangeAdd
__________________
Quote:
Originally Posted by CypherPresents View Post
Sometimes the registers get fucked up while randomly hooking from my experience so I always preserve and then pop before return.
I also always use a wrapper function in the hook to make it more stable.
LESSON : Always use wrappers otherwise your stack randomly changes

Last edited by cardoow; 02-24-2010 at 12:36 AM.

Old 02-07-2010, 08:40 PM   #2

CallMeEclipse
Nice boots +Rep

Old 02-07-2010, 08:40 PM   #3
raiders
Quote:
Originally Posted by cardoow View Post
Hi Dudes,

with wpm we just write push 0x82 to create a wallhack...
after that push you can see a call to some function (i don't know what it is)
but i put a breakpoint in that function and found out that it takes
the pushed value from the stack...
so what i did is changing the value on the stack so you will have wallhack without
editing memory

Code:
void __declspec(naked) nUnknownFunction()
{    
    _asm pushad
    _asm cmp DWORD PTR [esp+0x20], 0x45FB8A //check if returnaddress is cg_player
    _asm jne DoCall //if not equal jump over the next line
    _asm mov [esp+0x30], 0x82 // move the 0x82 value to the stack
DoCall:
    _asm popad
    _asm jmp [pUnknownFunction]
}
have fun
ps. this is not InterlockedExchangeAdd
Technically it's mem editing, you gotta hook but good job.

Old 02-07-2010, 08:48 PM   #4
cardoow
Quote:
Originally Posted by raiders View Post
Technically it's mem editing, you gotta hook but good job.
yeah true, but i like this way cause i had crashes when i get out of game and rejoin... i also don't like wpm
anyway i think it's easier to make a hook undetected than wpm
Last edited by cardoow; 02-08-2010 at 09:09 AM.

Old 02-09-2010, 02:17 PM   #5
smoochy
nice work.

can finally re-play mw2 so i will try this.

plus rep!

Old 07-16-2010, 01:07 PM   #6
Hahaz
sorry for bumping an old thread, but i really need to know how to find this... coz i want to add it on my trainer, any signature for this?

Quote:
player returnaddress
weapon returnaddress
explosive returnaddress
chopper returnaddress
sentry returnaddress
Credits will be given.


EDIT: nvm i already found it.

Last edited by Hahaz; 07-16-2010 at 04:59 PM.

Old 08-10-2010, 12:35 PM   #7
cardoow
Quote:
Originally Posted by Dominic95 View Post
EDIT: nvm i already found it.
even though you figured it out, i will still explain for other people.

this is the entitytype struct i use:
Code:
enum EntTypes
{
	TYPE_SMOKE         = 0,
	TYPE_HUMAN         = 1,
	TYPE_DEAD          = 2,
	TYPE_WEAPON        = 3,
	TYPE_EXPLOSIVE     = 4,
	TYPE_VEHICLE       = 6,
	TYPE_LIGHT         = 8,
	TYPE_DEADEXPLOSIVE = 110,
};
this is the addcentity function:
Code:
004E59C0  /$ 56             PUSH ESI
004E59C1  |. 8B7424 0C      MOV ESI,DWORD PTR SS:[ESP+C]
004E59C5  |. 83BE 64010000 >CMP DWORD PTR DS:[ESI+164],0
004E59CC  |. 57             PUSH EDI
004E59CD  |. 8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
004E59D1  |. 74 05          JE SHORT iw4mp.004E59D8
004E59D3  |. E8 F8040A00    CALL iw4mp.00585ED0
004E59D8  |> 8B86 E0000000  MOV EAX,DWORD PTR DS:[ESI+E0]
004E59DE  |. 83F8 0E        CMP EAX,0E                               ;  Switch (cases 0..E)
004E59E1  |. 0F87 8F000000  JA iw4mp.004E5A76
004E59E7  |. FF2485 7C5A4E0>JMP DWORD PTR DS:[EAX*4+4E5A7C]
004E59EE  |> 57             PUSH EDI                                 ;  Case B of switch 004E59DE
004E59EF  |. E8 BC140A00    CALL iw4mp.00586EB0
004E59F4  |. 83C4 04        ADD ESP,4
004E59F7  |. 5F             POP EDI
004E59F8  |. 5E             POP ESI
004E59F9  |. C3             RETN
004E59FA  |> 8BD7           MOV EDX,EDI                              ;  Case 0 of switch 004E59DE
004E59FC  |. E8 2F130A00    CALL iw4mp.00586D30
004E5A01  |. 5F             POP EDI
004E5A02  |. 5E             POP ESI
004E5A03  |. C3             RETN
004E5A04  |> 56             PUSH ESI                                 ;  Case 1 of switch 004E59DE
004E5A05  |. 57             PUSH EDI
004E5A06  |. E8 D5A70A00    CALL iw4mp.005901E0
004E5A0B  |. 83C4 08        ADD ESP,8
004E5A0E  |. 5F             POP EDI
004E5A0F  |. 5E             POP ESI
004E5A10  |. C3             RETN
004E5A11  |> 56             PUSH ESI                                 ;  Case 2 of switch 004E59DE
004E5A12  |. 57             PUSH EDI
004E5A13  |. E8 C815FCFF    CALL iw4mp.004A6FE0
004E5A18  |. 83C4 08        ADD ESP,8
004E5A1B  |. 5F             POP EDI
004E5A1C  |. 5E             POP ESI
004E5A1D  |. C3             RETN
004E5A1E  |> 57             PUSH EDI                                 ;  Case 3 of switch 004E59DE
004E5A1F  |. E8 8C130A00    CALL iw4mp.00586DB0
004E5A24  |. 83C4 04        ADD ESP,4
004E5A27  |. 5F             POP EDI
004E5A28  |. 5E             POP ESI
004E5A29  |. C3             RETN
004E5A2A  |> 57             PUSH EDI                                 ;  Case 4 of switch 004E59DE
004E5A2B  |. E8 70150A00    CALL iw4mp.00586FA0
004E5A30  |. 83C4 04        ADD ESP,4
004E5A33  |. 5F             POP EDI
004E5A34  |. 5E             POP ESI
004E5A35  |. C3             RETN
004E5A36  |> 8B86 DC000000  MOV EAX,DWORD PTR DS:[ESI+DC]            ;  Case D of switch 004E59DE
004E5A3C  |. 50             PUSH EAX
004E5A3D  |. 57             PUSH EDI
004E5A3E  |. E8 DDEAF5FF    CALL iw4mp.00444520
004E5A43  |. 83C4 08        ADD ESP,8
004E5A46  |> 57             PUSH EDI                                 ;  Case 6 of switch 004E59DE
004E5A47  |. 8BC6           MOV EAX,ESI
004E5A49  |. E8 A2180A00    CALL iw4mp.005872F0
004E5A4E  |. 83C4 04        ADD ESP,4
004E5A51  |. 5F             POP EDI
004E5A52  |. 5E             POP ESI
004E5A53  |. C3             RETN
004E5A54  |> 57             PUSH EDI                                 ;  Case 7 of switch 004E59DE
004E5A55  |. E8 56060A00    CALL iw4mp.005860B0
004E5A5A  |. 83C4 04        ADD ESP,4
004E5A5D  |. 5F             POP EDI
004E5A5E  |. 5E             POP ESI
004E5A5F  |. C3             RETN
004E5A60  |> 56             PUSH ESI                                 ;  Case A of switch 004E59DE
004E5A61  |. E8 3A0A0A00    CALL iw4mp.005864A0
004E5A66  |. 83C4 04        ADD ESP,4
004E5A69  |. 5F             POP EDI
004E5A6A  |. 5E             POP ESI
004E5A6B  |. C3             RETN
004E5A6C  |> 56             PUSH ESI                                 ;  Cases C,E of switch 004E59DE
004E5A6D  |. 57             PUSH EDI
004E5A6E  |. E8 FD5AFBFF    CALL iw4mp.0049B570
004E5A73  |. 83C4 08        ADD ESP,8
004E5A76  |> 5F             POP EDI                                  ;  Default case of switch 004E59DE
004E5A77  |. 5E             POP ESI
004E5A78  \. C3             RETN
004E5A79     8D49 00        LEA ECX,DWORD PTR DS:[ECX]
004E5A7C   . FA594E00       DD iw4mp.004E59FA                        ;  Switch table used at 004E59E7
004E5A80   . 045A4E00       DD iw4mp.004E5A04
004E5A84   . 115A4E00       DD iw4mp.004E5A11
004E5A88   . 1E5A4E00       DD iw4mp.004E5A1E
004E5A8C   . 2A5A4E00       DD iw4mp.004E5A2A
004E5A90   . 765A4E00       DD iw4mp.004E5A76
004E5A94   . 465A4E00       DD iw4mp.004E5A46
004E5A98   . 545A4E00       DD iw4mp.004E5A54
004E5A9C   . 765A4E00       DD iw4mp.004E5A76
004E5AA0   . 765A4E00       DD iw4mp.004E5A76
004E5AA4   . 605A4E00       DD iw4mp.004E5A60
004E5AA8   . EE594E00       DD iw4mp.004E59EE
004E5AAC   . 6C5A4E00       DD iw4mp.004E5A6C
004E5AB0   . 365A4E00       DD iw4mp.004E5A36
004E5AB4   . 6C5A4E00       DD iw4mp.004E5A6C
so for human you see type 1, so check up to case 1 in the switch.
and you will find this:
Code:
004E5A04  |> 56             PUSH ESI                                 ;  Case 1 of switch 004E59DE
004E5A05  |. 57             PUSH EDI
004E5A06  |. E8 D5A70A00    CALL iw4mp.005901E0
004E5A0B  |. 83C4 08        ADD ESP,8
004E5A0E  |. 5F             POP EDI
004E5A0F  |. 5E             POP ESI
004E5A10  |. C3             RETN
follow the call iw4mp.005901E0.
then scroll down a bit till you find some code like this:

Code:
0059037C   . 52             PUSH EDX
0059037D   . 68 04010000    PUSH 104
00590382   . 50             PUSH EAX
00590383   . 53             PUSH EBX
00590384   . 55             PUSH EBP
00590385   . E8 76C1F7FF    CALL iw4mp.0050C500
0059038A   . 83C4 18        ADD ESP,18
you see here is the value 104 pushed to the stack, and we need to change that. So follow the call below and check the stack in structbuild.

now you need to check the returnaddress, for example in this case the
return address is 0x59038A. So let's build some code!

Code:
void __declspec(naked) nUnknownFunction()
{	
	__asm pushad
	__asm cmp DWORD PTR [esp+0x20], 0x59038A //check if returnaddress is cg_player, since esp+0x20 holds the returnaddress
	__asm jne DoCall //if not equal jump over the next line
	__asm mov [esp+0x30], 0x82 // move the 0x82 value to the stack, since esp+0x30 holds the 0x104 value
DoCall:
	__asm popad
	__asm jmp [pUnknownFunction]
}
now detour it: (for people with polio)
Code:
pUnknownFunction = (UnknownFunction_)DetourFunction( (PBYTE)0x50C500, (PBYTE)nUnknownFunction);
Last edited by cardoow; 08-10-2010 at 12:37 PM.
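
Seen from the defending side, both approaches discussed in this thread (the byte patch written with wpm and the detour) change code bytes that no longer match the shipped image. The following is an added example, not part of the thread and not any anti-cheat product's code, of the integrity check that catches this; the module range, entry address, byte arrays and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hook_verdict { ENTRY_CLEAN, ENTRY_MODIFIED, ENTRY_DETOURED };

/* Address range of the loaded module that owns the function. */
struct module_range { uint32_t base, size; };

/* Constructed sample data, not taken from any real binary. */
static const struct module_range SAMPLE_MOD = { 0x00400000u, 0x00300000u };
static const uint32_t SAMPLE_VA = 0x00401000u;
/* push ebp; mov ebp,esp; sub esp,10h; push ebx; push esi */
static const uint8_t SAMPLE_DISK[8]    = {0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56};
/* jmp 0x10001000 written over the first five bytes */
static const uint8_t SAMPLE_DETOUR[8]  = {0xE9,0xFB,0xFF,0xBF,0x0F,0x10,0x53,0x56};
/* jmp 0x00402000: bytes changed, but control stays inside the module */
static const uint8_t SAMPLE_PATCHED[8] = {0xE9,0xFB,0x0F,0x00,0x00,0x10,0x53,0x56};

/* Little-endian 32-bit read with no alignment assumption. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Compare the live entry bytes with the trusted on-disk bytes. When they
 * differ and the live code starts with JMP rel32 (E9), resolve the target:
 * a target outside the owning module marks an inline detour.
 */
enum hook_verdict check_entry(const uint8_t *live, const uint8_t *disk,
                              size_t len, uint32_t entry_va,
                              const struct module_range *mod, uint32_t *target)
{
    *target = 0;
    if (memcmp(live, disk, len) == 0)
        return ENTRY_CLEAN;
    if (len >= 5 && live[0] == 0xE9) {
        /* target = address after the 5-byte jmp + displacement (mod 2^32) */
        *target = entry_va + 5u + rd32(live + 1);
        if (*target < mod->base || *target - mod->base >= mod->size)
            return ENTRY_DETOURED;
    }
    return ENTRY_MODIFIED;
}

int main(void)
{
    static const char *const name[] = { "clean", "modified", "detoured" };
    const uint8_t *live[] = { SAMPLE_DISK, SAMPLE_DETOUR, SAMPLE_PATCHED };
    for (size_t i = 0; i < 3; i++) {
        uint32_t target;
        enum hook_verdict v = check_entry(live[i], SAMPLE_DISK, 8, SAMPLE_VA,
                                          &SAMPLE_MOD, &target);
        printf("sample %u: %s, jmp target 0x%08lX\n", (unsigned)i, name[v],
               (unsigned long)target);
    }
    return 0;
}
```

A production check runs the same comparison over the whole code section, with relocations applied to the reference copy, rather than over a single entry point.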

Old 08-10-2010, 05:46 PM   #8
kolbybrooks
If you want to make it undetected, you wouldn't detour it; You'd want to try crashing your game any way possible..

hint hint.