Thread: Console Checks?

#1 HellSpider

    Hi.

    I was cheating about a year ago in CA EU and decided to have a look at the stuff again; however, the info is kind of scattered.

    What I'm looking for is some insight on the different checks applied to prevent cheating. I'm not looking for any cheats; I can figure them out later.

    So the main question is related to the console commands. The console function is rather easy to find; the inner part of it is, however, virtualized by Themida. Fortunately it can be resolved.

    So far I've figured out that there are at least two checks to ensure that only the engine calls the console function.

    The first one is a check for the current thread ID. The engine stores the ID on startup and compares the ID with the thread ID every time the console function is called.

    The other check is whether the thread module EP is in the range of the engine EP.

    But I'd like to know if there are more checks I should be aware of, because when I tried a few console commands (after bypassing the two checks) the game quits (doesn't crash) after the command has been applied (I can see the effect of the command just before it quits).

    Appreciate any insight.

    EDIT:

    Seems like there was something strange in my check bypass. The commands work fine now.
    Last edited by HellSpider; 05-21-2011 at 02:02 PM.

#2 flameswor10
    It's called in Engine.exe

#3 HellSpider
    Quote Originally Posted by flameswor10:
    It's called in Engine.exe
    What is called? The check? If so, yeah, it was virtualized by Themida, but I can post a picture of the unvirtualized check. I just thought there were more checks because of my game closing unexpectedly, but it was just an invalid memory location issue in my bypass code.

    Last edited by HellSpider; 05-22-2011 at 01:58 AM.

#4 Gordon`
    Can't seem to find any other check except that it checks the return address of the function. I removed that check and I'm able to execute all console commands just fine.


#5 HellSpider
    Quote Originally Posted by Gordon`:
    Can't seem to find any other check except that it checks the return address of the function. I removed that check and I'm able to execute all console commands just fine.
    Oh, there is a check for stuff like that too? Well, it doesn't matter, as I call the top-layer console function (with just 1 argument); the return address will thus always be one from Engine.exe.

    However, my console commands didn't work before I changed my DLL EP in the stack to some address in the range of Engine.exe. And I had to move my DLL thread ID to a data location.

    Which version are you playing? EU too?

#6 Gordon`
    Yes, EU, but this check is also present in NA. You can clearly see it when you look inside CLTBase::RunConsoleCommand.


#7 HellSpider
    Quote Originally Posted by Gordon`:
    Yes, EU, but this check is also present in NA. You can clearly see it when you look inside CLTBase::RunConsoleCommand.
    Can you throw me the function address you are referring to? Still new with this CLTBase / LTClient stuff.
    Last edited by HellSpider; 05-23-2011 at 01:30 PM.

#8 Gordon`
    Search for any console command like "RestartRender" and you'll find the CLTBase just a few lines above.

    edit:

    Code:
    375BC01C    8B0D 905D8F37   MOV ECX,DWORD PTR DS:[378F5D90]            ; <-- CLTBase
    375BC022    8B91 08020000   MOV EDX,DWORD PTR DS:[ECX+208]             ; offset to CLTBase::RunConsoleCommand
    375BC028    68 7C238137     PUSH cshell.3781237C                       ; ASCII "RestartRender"
    375BC02D    FFD2            CALL EDX                                   ; call to CLTBase::RunConsoleCommand
    375BC02F    A1 78539337     MOV EAX,DWORD PTR DS:[37935378]
    375BC034    83C4 04         ADD ESP,4                                  ; fix the stack after calling, because the calling convention is __cdecl.
                                                                           ; you can also see that the function only takes 1 parameter (4 divided by 4 is 1)
    Last edited by Gordon`; 05-23-2011 at 06:25 PM.
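The following is an added example, not code from this thread or from the game: a small C model of the caller checks discussed in posts #1 through #5 (stored thread ID, return address inside the engine module, thread start address inside the engine module) sitting behind the one-argument cdecl `RunConsoleCommand` slot at offset 0x208 that post #8 shows. It assumes Linux with GCC or clang: the executable's own image bounds (linker symbols `__executable_start`/`etext`) stand in for the Engine.exe module range, `gettid` stands in for the Windows thread ID, and, because there is no portable way to read a thread's start address, the gate takes `engine_init`'s address as the owning thread's start (an assumption marked in the code). `check_caller`, `simulate_bypass`, `get_engine` and `get_cltbase` are names invented for this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Linker-provided bounds of this executable's image. They stand in for the
 * Engine.exe module range (on Windows: PE ImageBase .. ImageBase+SizeOfImage). */
extern char __executable_start[], etext[];

/* One verdict per check described in the thread. */
enum caller_verdict {
    CALLER_OK = 0,
    CALLER_BAD_TID,          /* caller is not the thread that started the engine */
    CALLER_BAD_RETADDR,      /* return address lies outside the engine module */
    CALLER_BAD_THREAD_START  /* calling thread's start address lies outside the engine module */
};

/* What the engine records at startup. Note that it lives in writable data,
 * which is exactly what post #5's bypass relies on. */
typedef struct {
    uintptr_t text_lo, text_hi;
    long owner_tid;
} engine_state;

static engine_state g_engine;

static long current_tid(void) { return (long)syscall(SYS_gettid); }

static int in_engine(const engine_state *e, uintptr_t a) {
    return a >= e->text_lo && a < e->text_hi;
}

void engine_init(void) {
    g_engine.text_lo = (uintptr_t)__executable_start;
    g_engine.text_hi = (uintptr_t)etext;
    g_engine.owner_tid = current_tid();
}

const engine_state *get_engine(void) { return &g_engine; }

/* Pure form of the three checks, parameterised on the observed values so it
 * can be exercised with forged inputs. */
enum caller_verdict check_caller(const engine_state *e, long tid,
                                 uintptr_t ret_addr, uintptr_t thread_start) {
    if (tid != e->owner_tid)         return CALLER_BAD_TID;
    if (!in_engine(e, ret_addr))     return CALLER_BAD_RETADDR;
    if (!in_engine(e, thread_start)) return CALLER_BAD_THREAD_START;
    return CALLER_OK;
}

/* Gate in front of the console handler. noinline keeps
 * __builtin_return_address(0) equal to our caller's address rather than our
 * caller's caller. ASSUMPTION: the owning thread's start address is modelled
 * as engine_init (Windows would query ThreadQuerySetWin32StartAddress). */
__attribute__((noinline))
int run_console_command(const char *cmd) {
    uintptr_t ret = (uintptr_t)__builtin_return_address(0);
    enum caller_verdict v = check_caller(&g_engine, current_tid(), ret,
                                         (uintptr_t)engine_init);
    if (v != CALLER_OK) {
        fprintf(stderr, "console: rejected \"%s\" (verdict %d)\n", cmd, (int)v);
        return 0;   /* the real engine exits the game here; this model just refuses */
    }
    printf("console: executing \"%s\"\n", cmd);
    return 1;
}

/* The CLTBase table from post #8: RunConsoleCommand sits 0x208 bytes in and is
 * a cdecl function taking one string argument. The padding only reproduces
 * that offset; the other slots are not modelled. */
struct CLTBase {
    unsigned char other_slots[0x208];
    int (*RunConsoleCommand)(const char *cmd);
};

static struct CLTBase g_cltbase = { {0}, run_console_command };
struct CLTBase *get_cltbase(void) { return &g_cltbase; }

/* Model of the bypass in post #5: a cheat thread overwrites the stored thread
 * ID and supplies in-module return and start addresses, and all three checks
 * pass. Only the copy is patched so the live state stays intact. */
enum caller_verdict simulate_bypass(long cheat_tid) {
    engine_state patched = g_engine;
    patched.owner_tid = cheat_tid;                      /* "move my thread ID to the data location" */
    uintptr_t forged_ret   = patched.text_lo + 0x10;    /* any address inside the module */
    uintptr_t forged_start = patched.text_lo + 0x20;    /* "DLL EP changed to an Engine.exe address" */
    return check_caller(&patched, cheat_tid, forged_ret, forged_start);
}
```

Calling `get_cltbase()->RunConsoleCommand("RestartRender")` from the thread that ran `engine_init` passes; feeding `check_caller` a different thread ID, an out-of-module return address, or an out-of-module start address yields the matching rejection. `simulate_bypass` shows why these checks only raise the bar: every value compared is either in writable memory or under the caller's control.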

