    #1 RE4CTIVE (Join Date: Mar 2013)

    How to make a DayZ RPM/WPM Radar [LEECHED]

    This is leeched and none of it is written by me! All credits go to Douggem from another site.




    Most people that use hacks in DayZ run scripts, not that there’s anything wrong with that, but it does tend to be a little risky. The way I understand it is that generally scripts that are run are logged on the server so an admin can see what you’re doing, and making bypasses is just so pedantic and pedestrian. When I first started running hacks in DayZ I made a script that drew a really basic radar on my map screen and it worked great! Then I used someone’s gun box script and got banned. That’s when I started looking into radars and the less risky read process memory based hacks.



    I fired up Cheat Engine and got to work and was able to get my coordinates and a value that represented the range in meters to whatever my reticule was pointing at, but it was going very slowly. That’s when I stumbled on UC and saw all the offset values shared here, and it was easy going after that. But ever since SD’s released hacks like Survival Hack and DayZ Navigator there’s been considerably less content regarding RPM based radars here than when I first started coding mine some months ago, and most of the info is old, outdated, and scattered amongst many very long threads and it’s hard to get the right info. So I decided to compile some data here and make it a little easier for someone to put together an external radar if they don’t already have one setup to work from.

    This guide will not contain snippets or working code, nor will it offer enough help to actually make a radar from scratch. All it will contain is the information you need to read the data from the Arma client that you need - drawing it on a map is up to you.

    Multi Level Pointers

    If you don’t understand multi-level pointers, you’re going to have a bad time. With a few exceptions (view distance, time of day), the data values in Arma2’s memory that you are interested in are in different places each time you run it. Your local player info might be at 0x2b45d678 the first time you run it, and at 0x2f478fb5 the next time you run it, so you can’t just plug a memory address into your program and get the info you need. However, you can find out how the program calculates that memory address and, in turn, calculate it yourself. While the value for your local player info is different each time the game is run, the path to that address is the same every time so we can always find it with no problem. The path is a series of offsets and a base pointer that we have to follow in order to get to our final address.

    For example, the local player object is located at:

    Code:
    [[[0xDFCDD8] + 0x13A8] + 0x4]
    Get used to that notation because it is going to be used throughout this entire discussion. However, I leave off the preceding brackets which leaves us with this:

    Code:
    0xDFCDD8] + 0x13A8] + 0x4]
    Which is a little easier to read in my opinion. So what does this garbage mean? 0xDFCDD8 is our base pointer (which represents an address in memory from which our next addresses are calculated), and 0x13A8 and 0x4 are our offsets (which will be explained shortly). The brackets indicate which values are grouped and added together.

    To calculate our player struct’s address from these numbers, you just need to read some memory and do some basic arithmetic. First, we read the value in our base pointer. The value stored in this address will be a pointer to another memory location.


    Code:
    address1 = ReadProcessMemory(0xDFCDD8) // Let’s say this value is 0x243D0000
    Once we’ve read this address, we add the next offset to it and then read the value stored in the resultant address. So, if we read 0x243D0000 from our base pointer, we will add 0x13A8 to it to get 0x243D13A8. We then read that address to get yet another address in memory


    Code:
    address2 = ReadProcessMemory(0x243D13A8) // Let’s say this value is 0x3D456004
    We then take our next offset and add it to our new address and do the same thing.


    Code:
    address3 = ReadProcessMemory(0x3D456008) // This gives us the address of our local player struct
    So in the end we would have something like this.

    Code:
    entityBase = 0xDFCDD8;
    address1 = ReadProcessMemory(entityBase);
    address2 = ReadProcessMemory(address1 + 0x13A8);
    address3 = ReadProcessMemory(address2 + 0x4); // Final address, our player struct
    You should give your important pointers significant names, so you should have made the third address localPlayer or something like that.


    Code:
    localPlayer = address3;
    You can hand-write all of your multi level pointer deciphering or you could make a function to do it for you.

    Code:
    uint offsets[] = {0xDFCDD8, 0x13A8, 0x4};
    uint localPlayer = getAddress(offsets, 3);

    /* offsets[0] is the base pointer, the rest are added to each value read;
       the count is passed explicitly because sizeof() on an array parameter
       only gives the size of a pointer */
    uint getAddress(uint offsets[], int count)
    {
    	int i;
    	uint address;
    	address = ReadProcessMemory(offsets[0]);
    	for (i = 1; i < count; i++)
    	{
    		address = ReadProcessMemory(address + offsets[i]);
    	}
    	return address;
    }
    Or something like that.

    If you need to read from an array or table, you’ll need to iterate through the array or table. So you’ll need to resolve the address of the table and know the size of each object in the table. For example, if the entities we want to draw are in a table located at:


    Code:
    objTableAddr] + 0x5FC] + 0x0]
    And the size of each entity in that table is 52, we would notate that as:


    Code:
    objTableAddr] + 0x5FC] + 0x0] + i *52]
    And of course, if we want a value that is at an additional offset 4 from the address we get from the table we’re going through, we would get this


    Code:
    Entity: objTableAddr] + 0x5FC] + 0x0] + i *52 + 4]
    For each value i we will get the object of that index in the array. The first object is at index 0, the second at index 1, etc. So to iterate through the whole table, we’d do something like:


    Code:
    int ObjTable = Mem.ReadInt(ObjectTableAddr);
    int objTablePtr = Mem.ReadInt(ObjTable + 0x5FC);
    int objTableArrayPtr = Mem.ReadInt(objTablePtr + 0x0);
    int objTableSize = Mem.ReadInt(objTablePtr + 0x4); // entry count, see Finding Players and Vehicles

    for (int i = 0; i < objTableSize; i++)
    {
        int objPtr = Mem.ReadInt(objTableArrayPtr + (i * 52));
        int obj1 = Mem.ReadInt(objPtr + 0x4);
        // handle entity
    }
    Once you can read from and write to multi-level pointers you can do pretty much everything you need to do for a basic radar. With just read and write process memory, my radar tracks players, vehicles, weapons and other items on the ground, animals, corpses, tents, helo crashes, and has options for infinite ammo, thermal vision, night vision, no-recoil, no-fatigue, setting the time of day, and changing the view distance.




    Finding Players and Vehicles

    Arma keeps track of players, vehicles, and other entities in a number of tables. There is a table specifically for entities that include vehicles and players, and a few other tables that have all kinds of stuff like road cones and traffic signs and tents. To draw all the players, we have to traverse the player table and get the information for each player. It’s actually pretty simple, especially if you’ve ever used pointers as an abstraction for arrays of structs in C and can do some pointer arithmetic.

    The table that contains the player and vehicle entities I call the Object Table. I think m101jay’s offset finder calls it that too, but if it doesn’t it will be the first base offset you see in his program. Here is M101jay's offset finder, BTW: ************* - Multiplayer Game Hacks and Cheats - find arma offset

    To iterate through the table, you will need three things: the size of the table, the size of each entity in the table, and a pointer to the beginning of the table. Too easy. Check it out:


    Code:
    ObjectTablePtr: ObjTableBase] + 0x5FC] + 0]
    ObjTableSize: ObjTableBase] + 0x5FC] + 4]
    And the size of each entity in the table is 52. NOT 0x52, just 52. Use a for loop to loop through the table and read the data of each entity. For example,
    Code:
    for (int i = 0; i < objTableSize; i++)
    {
        int objPtr = Mem.ReadInt(objTablePtr + (i * 52));
        objPtr = Mem.ReadInt(objPtr + 0x4); // This will be a pointer to the entity struct
        // ....
    }
    Too easy.
    Each entity will either be a player or a vehicle, and you’ll need to handle each slightly differently if you want to be able to differentiate between the two easily. Lucky for us, each entity has an Object Type that is in string form. Players are Soldier, and vehicles are other types such as Car, Motorcycle, Helicopter etc. To get the object type, read:


    Code:
    ObjTypeStringAddress: Entity + 0x3c] + 0x6C]
    That will give you a pointer to the object type string. The actual name starts at + 0x8], the length of the name is at + 0x4].

    Your local player will always be pointed to by the offset:


    Code:
    LocalPlayer: 0xDFCDD8] + 0x13A8] + 0x4]
    So anytime you want information on your player, get it starting from there.

    The player struct

    I’m not going to give an actual built struct of any classes since I don’t keep track of this stuff in re-class because I’m kind of lazy : \ So I’m going to give the actual offsets to each piece of information.

    Coordinates and direction
    This is pretty important to an RPM radar, without coordinates you don’t have much of a map. The coordinates are stored as floats and obviously represent an entity’s position in the game: however, they do not correspond 1:1 with the GPS/map coordinates in game. The X coordinate is in meters instead of decameters, like the in-game map, and the Y coordinate is in meters and also inverted. Instead of starting at 0 at the top of the map and increasing as you traverse south on the map, it starts at 0 at the bottom of the map and increases as you traverse to the north on the map. To turn this into the map coordinate, you need to find out what REAL y coordinate is assigned to the MAP coordinate of y=0. For Chernarus, this value is 15360. So for Chernarus, you’d get your current MAP coordinate in meters by taking the value of the REAL coordinate from 15360, so:

    mapLocY = 15360 - realLocY


    Your function to translate REAL coords (the Direct3d coords in the game memory) to coords on your radar will look something like this:

    LocX = realX * mapRatio + offsetX
    LocY = (inverseValue - realY) * mapRatio + offsetY

    RealX and RealY are the X and Y values you're reading from memory

    MapRatio is the ratio of pixels to meters in the map image you're using in pixels:meter. For example, if your map image is all of Chernarus in a 13km by 13km grid and your image is 13,000 pixels by 13,000 pixels, you'll have a mapRatio of 13000pixels:13000meters or 1. But if your image of Chernarus is 13km by 13km and your image is 1,000 pixels by 1,000 pixels, you'll have a ratio of 1,000pixels:13,000m so a ratio of 1:13, so one pixel on your map would represent 13 meters in game.

    The offsets are how far your image is offset from the x/y grid axis in the game map. For instance, if your map image goes 300m to the left of the Y grid axis of the in game map, your yoffset will be -300*mapRatio

    And inverseValue is the value of your Y coordinate in memory when you're on the Y axis of the grid (I always go to 0,0)

    While you could just draw dots on your radar, dots are like balls which is slang for testicles and unless you’re a chick, using testicles is probably gay. Not that there’s anything wrong with that.

    A cooler solution is to use arrows. I use arrows with a straight line coming out of them to show me where they’re looking. This helps me know if someone is looking directly at me, and also helps me line myself up with someone I see on the radar but don’t see in game, such as someone hiding in a pine tree in a ghillie suit.

    The coordinates are floats, the directions are floats in radians.

    Code:
    Coordinates: Player + 0x18]
    X:           + 0x28]
    Y:           + 0x30]
    Z:           + 0x2C]
    Y direction: + 0x1C]
    X direction: + 0x24]



    The player weapon

    To get the player weapon, we get the Weapon ID and if it isn’t -1 (no weapon), we go through an array of weapons in the player struct to get a pointer to the name of the weapon. It may sound confusing but it’s easy, check this out:


    Code:
    WeaponID: Player + 0x6E0]
    The weaponID will be an integer. Then read these pointers:


    Code:
    weaponNameAddress: Player + 0x694] + (0x24 * weaponID + 8)] + 0x10] + 4]
    That’ll give you the address of the weapon name string. The actual name starts at weaponNameAddress + 0x8], the length of the name is at weaponNameAddress + 0x4.




    The Player Skin

    I use different colored arrows for different player skins. For example, survivors are red, heroes are green, and bandits/ghillies/camo are purple. I use this because I usually leave heroes alone and go out of my way to kill bandits and people in ghillies.


    Code:
    PlayerSkinStringAddress: player + 0x3C] + 0x30] + 0x8]
    Read the string like you read any other Arma string.

    Corpses

    Corpses are stored in the entity table as players, so if you don’t check if a player is dead, you’re going to have a bunch of George Smiths littering your radar where corpses are. To check if an entity is dead, read the integer value stored at:


    Code:
    IsDead: Player + 0x20C]
    1 is dead, 0 is alive. I have a Show Corpses checkbox on my radar so I can turn on corpses if I’m having trouble finding someone I just killed.



    The red dots are corpses.

    Finding the local player

    The local player’s struct is convenient in that it has its own multi-level pointer that points straight to it:


    Code:
    LocalPlayer: ObjTableBase] + 0x13A8] + 4].
    This is in here twice so there's no excuse for anyone asking how to find out which player is the local one

    From there we can read information about the local player and handle it differently than all the other players. For example, I use a blue arrow for my player and red or purple arrows for enemy players depending on their skins, and use an auto-center feature for when I’m zoomed in based on my local player coords. If you’re in a vehicle, this will point to the entity struct of the vehicle you are in.

    Player Names

    Player names aren’t actually in the player struct, they’re on the scoreboard. You have to get the NameID from the player struct and cross reference it with the Name IDs from the scoreboard - too easy. The offset finder programs will all give you the scoreboard base offset, usually called “PlayerInfo” or something like that.

    To get the player name, first we have to get the NameID. Things like vehicles or AI will have a NameID of 1, which means their only name is stored in their entity struct at:


    Code:
    GenericName: entity + 0xAC8].
    If their name is !=1 and >0, then we can get their name from the scoreboard. The number of players on the scoreboard (and thus the size of its array) is:


    Code:
    PlayerCount: playerInfoBase] + 0x24] + 0x1C]
    And the base of the scoreboard array is:


    Code:
    ScoreboardArray: playerInfoBase] + 0x24] + 0x18]
    The size of each entry on the scoreboard is 0xF8, and the NameID is at entry + 4]. So to get each NameID, we would look at:


    Code:
    NameID: playerInfoBase] + 0x24] + 0x18] + i*0xF8 + 4]
    And the player name of each entry on the scoreboard is at:


    Code:
    PlayerNameAddress: playerInfoBase] + 0x24] + 0x18] +i*0xF8 + 0x88]
    So find the NameID of the player you want the name for, iterate through the scoreboard until you find an entry with the same NameID, and then get the PlayerName pointer from that entry. Then read it like any other Arma string (string starts at +8) and you have the player name.

    Range to Reticle:

    This is the range to the point that your crosshair is pointing at. I use it when sniping if playing on a server that doesn’t show the range to something when you scroll wheel. It’s a float value located at:


    Code:
    RangetoReticle: ObjTableBase] + 0x8] + 0x30]
    Vehicles

    Coords, angle, and name

    Much of the data on vehicles is in the exact same place relative to the Vehicle struct as stuff from the Players. So:


    Code:
    Coordinates: Entity + 0x18]
    X:           + 0x28]
    Y:           + 0x30]
    Z:           + 0x2C]
    Y direction: + 0x1C]
    X direction: + 0x24]
    The name of the vehicle is in the same place as the name of the player skin:


    Code:
    VehicleNameStringAddress: Entity + 0x3C] + 0x30] + 0x8]
    And remember the object type, which for vehicles will tell you what kind of vehicle (helicopter, car, motorcycle, etc.) is at


    Code:
    ObjTypeStringAddress: Entity + 0x3c] + 0x30] + 0x6C]
    It’s an Arma string, so the actual string is at +0x8.

    Too easy, right?

    Passengers

    Back in the bad-old days we had no way of knowing if a vehicle was occupied or who was in it. But now we know how to find the passengers in vehicles! And it is, as I’m sure you guessed, too easy. Check it out:

    The vehicle entity contains pointers to the players that occupy its seats, this makes it super easy for us to figure out who is in it. Instead of passing the player pointers to the player draw function, though, I do all the work inside my vehicle draw function so that it doesn’t just draw the players on top of the vehicle on the map. On my radar, the list of occupants is drawn next to the vehicle: driver and passengers below the vehicle name, gunners above the vehicle name, like so:

    As I’m sure you guessed, the passengers and gunners are stored in little arrays. So we find the length of the array, MaxPassengers, and then walk through the array. We do the same thing with the gunners. There is only one driver seat, though, so we don’t have to traverse any arrays or tables to find that guy. Oh, if the pointer is null, that means there’s no one in that seat.


    Code:
    DriverPointer: Entity + 0xAB0]
    MaxPassengers: Entity + 0xB00]
    PassengerTablePtr: Entity + 0xAFC]
    MaxGunners: Entity + 0xB60]
    GunnerTablePtr: Entity + 0xB5C]
    The size of each passenger entry is 8, so to go through all the passengers, do something like this:


    Code:
    for (int ii = 0; ii < maxPassengers; ii++)
    {
        currentPassenger = Mem.ReadInt(passengers + 8 * ii); // null means nobody in that seat
    }
    Each gunner entry is 4 bytes long, and each entry contains the info on the gunner as well as the gun the gunner is on.


    Code:
    GunnerPtr: Entity + 0xB5C] + i*4] + 0x2CC]
    GunnerAngle: Entity + 0xB5C] + i*4] + 0x2F8]
    So to get each gunner, you might have an algorithm like this:

    Code:
    for (int j = 0; j < maxGunners; j++)
    {
        gunnerptr = Mem.ReadInt(gunnerptrptr + j*4);
        gunnerAngle = Mem.ReadFloat(gunnerptr + 0x2f8);
        gunner = Mem.ReadInt(gunnerptr + 0x2cc);
    }
    I draw an FOV line for each gunner, just like I do for players on the ground, so I can see if a gunner is looking in my direction.




    Other entities

    You’ve got that whole multi level pointer thing down, right? Because the tables you have to go through to get things like tents, animals, and weapons on the ground is a pain in the ass if you don’t know what you’re doing yet. Actually, it’s a pain in the ass even if you know what you’re doing, because iterating through tables, ergo, iterating through MORE tables sucks more.

    There are three master tables:


    Code:
    MasterOffsets = {0x880, 0xb24, 0xdc8}

    In each master table are four ...slave tables? Slave tables. Four slave tables.


    Code:
    SlaveOffsets = {0x8, 0xB0, 0x158, 0x200};

    Giving us a number of tables equal to whatever four times three to iterate through. To get to the base of each table, we resolve:


    Code:
    ObjectTableAddress] + MasterOffset] + SlaveOffset]
    The size of the table is at


    Code:
    TableSize: ObjectTableAddress] + MasterOffset] + SlaveOffset + 8]
    You should know by now that we need the size of the table to iterate through it without reading garbage data after falling off the end of it like Columbus off the edge of the Earth. The size of each entity in the table is 4 bytes, so to get the address of each entity we will read:


    Code:
    Entity: ObjectTableAddress] + MasterOffset] + SlaveOffset] + i*4 ]
    2EZ.

    Drawing the Entities

    Knowing the address of the entities doesn’t help a lot - we want to draw them on our radar! These tables include all kinds of crap, like road signs. We probably don’t need road signs drawn on our radar. But what about tents and helo crashes? Yes please! I actually draw a number of things from these tables - helo crashes, tents, animals (for when I need to find food), skins on the ground like the camo skin, backpacks, and weaponholders.




    Coordinates
    You should know what to do with this by now:

    Code:
    Coordinates: entity + 0x18]
    X:           + 0x28]
    Y:           + 0x30]
    It’s just like player and vehicle entities.

    Entity Name

    The string of the Object Name is stored at entity + 0x3c] + 0x30]. Just like all other Arma strings, the actual string starts at + 8. Here’s what you can expect from the object name:


    Code:
    “TentStorage” - tent
    “UH1Wreck” - helo crash
    “WildBoar”, “Rabbit”, “Cow”, “Sheep”, “Goat”, “Hen” - animals
    “WeaponHolder” - gun, weapon, or ammo on the ground.
    Contents of Weaponholder

    The weaponholder entity contains an array of weapons and ammo in the pile. smdufb posted how to get the contents of the WeaponHolder entity back in December, so I’m just going to copy paste from his thread on the matter:

    Quote:
    If anyone is still looking for this. Here's how you read the contents of a WeaponHolder class.
    ...
    For "Weapons":

    The number of items is at [WeaponHolderPointer+0x21C] +0x10
    The name of the items is at [WeaponHolderPointer+0x21C] +0xC] + i*4] +0x10] +0x4] +(normal arma string so then +4 is the namelen and +8 is the string)

    For "Ammo":

    The number of items is at [WeaponHolderPointer+0x21C] +0x1C
    The name of the items is at [WeaponHolderPointer+0x21C] +0x18] + i*4] +0x8] +0xC] +0x4] +4/8
    This will allow you to see what guns or items are on the ground. I have a text box in my radar that I can search for items in - so I can punch in M16, for example, and see all the M16s on the map.


    Writing to memory

    You can do some fun stuff by just writing to the memory of the arma2oa process - you can set your ammo value, you can turn on night vision or thermal vision, you can turn off recoil, you can turn off your character’s fatigue, you can change the time, etc. Just use writeprocessmemory instead of readprocessmemory, we get the addresses the same way.

    Recoil

    Recoil is a float value. 0 is off, 1 is full recoil, and you can set it to any other value. It makes your character model do funny stuff if you set it in the thousands.

    Code:
    Recoil: ObjTableBase]+0x13A8]+0x4]+0xC28]
    That is, your player entity + 0xC28.
    Time of Day
    The time is stored as the number of ticks since midnight...or something. It’s an int value, and I always set it to 2,000,000 which makes it 11:07AM. This only affects your local computer, everyone else will still be stuck in night time. It’s better than night vision, and some servers have annoying crap like really dense fog at night, which you can totally avoid by setting the time.

    Code:
    Time: 0xE256F8.
    No offsets, just that one address. Very subject to change with patches, but is easy to find. Just take 0x20 from the Distance Offset, which is easy to find.

    Draw distance
    I set mine to 3,000 usually. You’ll be able to see a lot farther, which is very handy for flying helicopters, but also handy for sniping with the M107 or the AS50. Just be careful, landing snipes from outside the draw distance is likely to draw suspicion if it tells everyone how far away you were when you made the shot.


    Code:
    Draw distance: 0xE25718 - it’s a float
    How to find the offset: Jump in the editor, fire up Cheat Engine. Set the view distance to 500, search for floats that equal 500. Set it to 12,000, search for floats that equal 12,000. Repeat until you find the right value. You’ll know you have the right one if you set it to 0 and everything turns black because your draw distance is now 0. Take 0x20 from this offset to get the time offset.

    Ammo

    Ammo is a little complicated because Bohemia saw it fit to obfuscate the values in memory. I made a post about it a while back, thinking I had published something new (I hadn’t, m101jay had posted working functions to do it long ago). I’m going to copy/paste that here:

    Quote:
    Originally Posted by Douggem
    Sup.

    This has been discussed sorta-kinda here before, but the information has been mostly incomplete so I thought I'd post what I've found in case anyone else has been working on an infinite ammo/set ammo write-process-memory function for an external hack.

    First, here is the function that sets your ammunition when you fire or reload:

    Code:
    CPU Disasm
    Address   Hex dump          Command                                  Comments
    004ADEB8  /$  56            PUSH ESI                                 ; arma2oa.004ADEB8(guessed Arg1,Arg2)
    004ADEB9  |.  57            PUSH EDI
    004ADEBA  |.  8B7C24 10     MOV EDI,DWORD PTR SS:[ARG.2] // Move Arg 2 into EDI, arg 2 = int value 2
    004ADEBE  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]   // Read value at EDI and move into EAX, ED is float 2
    004ADEC0  |.  0301          ADD EAX,DWORD PTR DS:[ECX]   // Then add the value at ECX and add it to EAX.  ECX is int1, so this adds int1 and int2 together
    004ADEC2  |.  BE B6C8BABA   MOV ESI,BABAC8B6             // Move value BABAC8B6 into ESI
    004ADEC7  |.  33C6          XOR EAX,ESI                  // XOR Eax and ESI, store in ESI.  Basically XOR(int1+ int2, BABAC8B6
    004ADEC9  |.  034424 0C     ADD EAX,DWORD PTR SS:[ARG.1] // Now add arg 1 to EAX.  It's usually 1, I think it's num of rounds fired
    004ADECD  |.  8BD0          MOV EDX,EAX			 // Move EAX into EDX
    004ADECF  |.  33D6          XOR EDX,ESI			 // Now XOR EDX and ESI.  So now we're at XOR(XOR(float1 + float2, BABAC8B6) + 1, BABAC8B6)
    004ADED1  |.  8BF2          MOV ESI,EDX			 // Move EDX into ESI now
    004ADED3  |.  D1FE          SAR ESI,1			 // Shift the bits in ESI to the left 1 spot
    004ADED5  |.  2BD6          SUB EDX,ESI			 // Subtract ESI from EDX
    004ADED7  |.  8931          MOV DWORD PTR DS:[ECX],ESI
    004ADED9  |.  8917          MOV DWORD PTR DS:[EDI],EDX
    004ADEDB  |.  5F            POP EDI
    004ADEDC  |.  5E            POP ESI
    004ADEDD  \.  C2 0800       RETN 8
    I think it's safe to assume the devs of Arma 2 were trying to obscure how the ammo value was stored to make it hard for people to set their ammunition value.

    Here's what's happening:

    The number of rounds you have in your gun is stored in two values. If you use CE to find what changes when you shoot/reload you'll find two values that appear to be garbage that should represent your ammo. You'll notice they don't even have the same values when you have 30 rounds in your mag after a reload, etc.

    To translate those two numbers into the number of rounds you have, you add them together and then XOR the result with the constant 0xBABAC8B6. That will give you the number of rounds in your gun (i.e. 30). Simple, right?

    To turn that number back into those two garbage values, it's taking the number of rounds you have in your magazine and XORing that value with the constant 0xBABAC8B6. It is then bit shifting the resultant value to the left one spot, and that is the first garbage value. The second garbage value is the XOR of the number of rounds and the constant MINUS the first garbage value.

    So,

    garbage1 = (30^ 0xBABAC8B6) << 1
    garbage2 = (30^ 0xBABAC8B6) - garbage1

    Will set the number of rounds in the gun to 30. The caret is the XOR operation, and << is a bit shift

    How do you turn this into infinite ammo, you ask? Well obviously you just need to set those garbage values either to a really really big number or just set them to a number over and over. My radar sets it to 30 every tick (I don't know how to find the correct number of max rounds in a magazine - anyone know?) so I effectively have infinite ammo.

    Those garbage values are at entity] + 0x694] + (i*0x24 + 0x4)] +0xc/0x24].
    i is your gun. I don't know how it determines what number gun you're using, but it's between 0 and 19 I think, and that's how my loop is set up. When I've played around on the editor, the gun I spawn with is in spot 0, and if I pick up another gun it gets put in spot 19. So I just loop through all of them.

    +0xC is the first garbage value, +0x24 is the second. Just do your XORs and bit shifts and set those values and you're done. It will accept any value you can stuff into that integer (and they are integer values BTW). For instance:
    https://lh4.googleuserconten*****m/-D...s1152.png

    I wrote this in a rush as I just sent the new version of my radar to my bros and they want to play, will come back and clean it up after we bust in some heads. Hope this helps someone
    Originally, I iterated through every object in the array and set them all which was a flawed approach. Instead, use this for the value of "i":

    Code:
    entity + 0x6E0
    That is the weapon ID, and using that as the value of i will make it point to your current weapon’s ammo.

    BTW a fun thing to note is you can put any number of bullets in a magazine that you want, and if you drop it and someone picks it up it will still have that amount, so you could leave 999999 round makarov mags laying around! Holla holla get dolla! But that could get you caught (I got banned from a server because someone reported I had 30 round makarov mags). You can find the max number of rounds that go in the current magazine from:
    maxMagCap: entity + 0x694] + weaponID*0x24 + 0x4] + 0x8] + 0x2C] (thanks to M101jay for this one)





    Night Vision

    There are two night vision values - one that determines if your night vision is actually ON, and one that is value 1 if you are ENABLED to use NV, and 0 if you aren’t.

    Code:
    NVEnabled: 0x13A4]+ 4]+0xC16]
    That is, local player entity plus 0xC16.


    Thermal Vision

    The game checks to see if you’re looking through a thermal enabled optic and, if you’re not, sets the thermal on value to 0. This means you will have to force it on every frame or tick or something. I just have a separate thread that spins in place, setting the value of thermal on to 1. The address is:

    Code:
    ThermalOn: 0x13A4]+ 4]+0xC18]
    i.e. local player entity + 0xC18



    Fatigue

    Hate chasing a guy, aiming, and having your reticle wobble all over the screen? Arma keeps track of your fatigue, it’s a value between 0 (not tired) and 1 (fat guy being chased by lions). Just set it to 0 and your reticle will settle down.

    Fatigue:

    Code:
    Fatigue: 0x13A4]+ 4]+0xC44] - it’s a float
    That is, local player entity + 0xC44.

    Mounted Gun Ammo

    I play on a server that has vehicle mounted guns beyond just the Huey's M240s, i.e. it has HMMWVs with freakin Mk19 grenade launchers! With unlimited ammo we just roll around the whole map blowing people away, it's awesome! And you can do it too!

    Remember how the pointer to the gunner is at:

    Code:
    GunnerPtr: Entity + 0x0B5C] + i*4] + 0x2CC]
    Where Entity is the pointer to the vehicle entity?
    Well the gunner pointer is part of the actual gun’s struct, which is at:


    Code:
    MountedGun: Entity + 0x0B5C] + i*4]
    And the ammunition for the gun is at:


    Code:
    GunAmmoValues: Entity + 0x0B5C] + i*4] + 0x54] + 4] + 0xC/0x24]
    Where +0xC is the first ammo value and +0x24 is the second. It’s set the exact same way player ammo is, so see above. Basically, you’re going to:


    Code:
    AmmoValue1 = (ammo^ 0xBABAC8B6) << 1
    AmmoValue2 = (ammo^ 0xBABAC8B6) - AmmoValue1
    Where ammo is the amount of rounds you want to put in the gun.

    That should be more than enough for you leet haxors to make some radars. Just remember, with great power comes great responsibility: don’t hunt Bambis. Just don’t do it. It’s not fun anyway, you should be hunting the geared up guys near the NWAF! And come up with some novelty name, make it funny when you kill people, and be vocal but not insulting in side comms. Be an ASSET to your server, not a liability. People should be afraid of you, but also have a good time when you’re on. Assholes.

    Thanks to everyone on UC who has contributed offsets and stuff on the Arma2 forum, like Griffin, M101jay, and many others I can't keep track of. I only found a few of these offsets myself so this is almost entirely an aggregation of information already on this board.

    Refueling Vehicles

    You know what sucks? Coming upon a flyable huey that's out of fucking gasoline. Then you have to go somewhere and get a bunch of jerry cans, put enough gas in it to fly it to a gas station, and spend the next hour filling it up. That SUCKS. So let's avoid it! A vehicle's fuel is easy to set, check it out. FuelLevel is the current amount of fuel, FuelCap is the maximum fuel capacity of the vehicle, and they are both floats.

    Code:
    FuelLevel: Entity + 0x18] + 0xAC]
    FuelCap: Entity + 0x3C] + 0x600]
    To top off the tank, just write the value of FuelCap into the address of FuelLevel. Easy.

    Repairing Vehicles

    You know what sucks just as much as an empty Huey? An ATV with two freaking broken wheels when you REALLY need a ride. That shit sucks. But since vehicle damage values are stored client side, it's no problem.

    Code:
    vehicleDamageValues: Entity + 0xC0]

    The damage values for vehicles are a series of floats between 0 and 1, with 0 being undamaged and 1 being totally damaged (destroyed). Now the number of vehicle parts is different for some vehicles. For example, the bicycle only has 7 parts, while the Ural has 19. This is important to know because if you use a loop to fix all the parts and you fix part 10 on the bicycle you'll overflow and overwrite some other data, possibly crashing your client.

    What I did was go into the editor and look at the damage values for different vehicles. I set the vehicles to be at ~20% health in the editor so all the damaged parts would have the same value, and I counted how many damaged parts there were. So my repairVehicle function checks the name of the vehicle and then repairs that many parts, so if it's an ATV, for example, my repair loop could be:

    Code:
    // each damage value is a 4-byte float, so step by i*4 on both the write and the read-back
    for (i = 0; i < j; i++)
    {
        Mem.WriteFloat(partsAddress + i*4, 0);
        part = Mem.ReadFloat(partsAddress + i*4);
    }
    And before that loop, my function would determine how many parts to fix by

    Code:
    else if (vehicleName.IndexOf("ATV") >= 0)
    {
        j = 19;
    }
    The Huey, HMMWV, ATV, Hilux, Ural, V3, and the UAZ all have 19 parts. The bicycle has 7 parts. I haven't bothered to check any others as those are really the only vehicles I use.




    Again, all credits to Douggem. I can vouch for all of this, I've made my own hack and it's all working perfectly. If you would like to correct a value please PM me on MPGH.

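As an added example (not code from the original post or from Douggem), here is the two-value ammo encoding above carried through with the post's own constant, plus the consistency check that the redundant second value makes possible: a stored magazine can be validated by recomputing the relation between the two values and comparing the decoded count against maxMagCap. It assumes both values are unsigned 32-bit integers (the post does not state the width); the sample values are constructed.

```c
/* Added example, not code from the original post: the two-value ammo encoding
 * given above plus the consistency check the redundant second value allows.
 * Assumption: both stored values are unsigned 32-bit integers, so every
 * operation wraps modulo 2^32. Sample values below are constructed. */
#include <stdint.h>
#include <stdio.h>

#define AMMO_KEY 0xBABAC8B6u   /* XOR constant quoted in the post */

typedef struct { uint32_t v1; uint32_t v2; } ammo_pair;

/* Produce (AmmoValue1, AmmoValue2) for a round count, as the post states. */
ammo_pair encode_ammo(uint32_t ammo)
{
    ammo_pair p;
    uint32_t x = ammo ^ AMMO_KEY;
    p.v1 = x << 1;      /* wraps: the top bit of x is dropped */
    p.v2 = x - p.v1;    /* wraps; chosen so that v1 + v2 == x (mod 2^32) */
    return p;
}

/* Recover the round count: v1 + v2 == ammo ^ key holds by construction. */
uint32_t decode_ammo(ammo_pair p)
{
    return (p.v1 + p.v2) ^ AMMO_KEY;
}

/* Integrity check: a genuine pair satisfies v1 == 2*(v1 + v2) mod 2^32,
 * i.e. v1 == -2*v2. Editing either value on its own breaks the relation. */
int ammo_pair_is_consistent(ammo_pair p)
{
    return p.v1 == (uint32_t)((p.v1 + p.v2) << 1);
}

/* Classify a stored magazine against maxMagCap (the offset quoted above):
 * 0 = ok, 1 = pair inconsistent, 2 = decoded count exceeds the capacity
 * (the 30-round Makarov magazine the post says got reported). */
int check_magazine(ammo_pair p, uint32_t max_mag_cap)
{
    if (!ammo_pair_is_consistent(p)) return 1;
    if (decode_ammo(p) > max_mag_cap) return 2;
    return 0;
}

int main(void)
{
    ammo_pair p = encode_ammo(8);   /* constructed: a full 8-round magazine */
    printf("v1=%08X v2=%08X ammo=%u status=%d\n", (unsigned)p.v1,
           (unsigned)p.v2, (unsigned)decode_ammo(p), check_magazine(p, 8));
    p.v2 += 1;                      /* constructed tamper: only one half edited */
    printf("after editing v2 alone: status=%d\n", check_magazine(p, 8));
    return 0;
}
```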

  #2 Distraught2
    Funny how me and @chickeninabiskut were talking about this the other day. He even said "someone will copy/paste" this to MPGH. Thanks for copying it over with the proper credits although I doubt anyone here will use it. Still great information either way.
    Last edited by Distraught2; 04-29-2013 at 01:35 AM.

  #3 Roclan
    Cheat engine <3
    And also how would you get past the BattleEye scans?
    Last edited by Roclan; 04-29-2013 at 01:40 AM.

  #4 RE4CTIVE
    Quote Originally Posted by Distraught2
    Funny how me and @chickeninabiskut were talking about this the other day. He even said "someone will copy/paste" this to MPGH. Thanks for copying it over with the proper credits although I doubt anyone here will use it. Still great information either way.
    I know :P I didn't see it on MPGH so I thought I better share the info. I hate it how sometimes people don't post credits, but oh well, life goes on

    Quote Originally Posted by Roclan
    Cheat engine <3
    And also how would you get past the BattleEye scans?
    If everyone were to know, wouldn't it be patched? just food for thought.


  #5 Roclan
    Quote Originally Posted by RE4CTIVE
    I know :P I didn't see it on MPGH so I thought I better share the info. I hate it how sometimes people don't post credits, but oh well, life goes on

    If everyone were to know, wouldn't it be patched? just food for thought.
    Fair point

  #6 joshZ
    this is great thanks


  #7 YoloSwagProHax4204Life
    Quote Originally Posted by RE4CTIVE
    If everyone were to know, wouldn't it be patched? just food for thought.
    I can't stand comments like this. They can't patch this. They just change the offsets every update. That's just another way of saying you have no idea what you're talking about.

    ---------- Post added at 01:56 AM ---------- Previous post was at 01:53 AM ----------

    Quote Originally Posted by Roclan
    Cheat engine <3
    And also how would you get past the BattleEye scans?
    Why would you need to get past Battleye scans? lul
    Last edited by YoloSwagProHax4204Life; 04-29-2013 at 03:00 AM.

  #8 RE4CTIVE
    Quote Originally Posted by YoloSwagProHax4204Life
    I can't stand comments like this. They can't patch this. They just change the offsets every update. That's just another way of saying you have no idea what you're talking about.

    ---------- Post added at 01:56 AM ---------- Previous post was at 01:53 AM ----------


    Why would you need to get past Battleye scans? lul
    -_-
    you do realize that I was talking about patching whatever exploit was used to bypass BattlEye scans, not the actual address/offsets pasted on this thread.

    But you are right, I'm not an expert on ArmA 2 hacking, but I'm not stupid either.

  #9 YoloSwagProHax4204Life
    Quote Originally Posted by RE4CTIVE
    -_-
    you do realize that I was talking about patching whatever exploit was used to bypass BattlEye scans, not the actual address/offsets pasted on this thread.

    But you are right, I'm not an expert on ArmA 2 hacking, but I'm not stupid either.
    Scans for what? This stuff is RPM. Battleye can't detect it... Therefore no need to bypass BE scans. "ive made my own hack and its all working perfectly". I detect bullshit. I never called you stupid.
    Last edited by YoloSwagProHax4204Life; 04-29-2013 at 03:24 AM.


  #10 Douggem
    Thanks for giving me credit, I spent a ton of time on this. Hopefully some people here will find it useful and maybe learn something. I'm sincerely flattered to see it copied here.

    Never heard of this place before though maybe I'll hang out for a bit.


  #11 Hankk
    Quote Originally Posted by Douggem
    Thanks for giving me credit, I spent a ton of time on this. Hopefully some people here will find it useful and maybe learn something. I'm sincerely flattered to see it copied here.

    Never heard of this place before though maybe I'll hang out for a bit.
    Welcome To MPGH
    And Great Tut. My Friend ^_^
    Keep Contributing :3

  #12 RE4CTIVE
    Quote Originally Posted by YoloSwagProHax4204Life
    Scans for what? This stuff is RPM. Battleye can't detect it... Therefore no need to bypass BE scans. "ive made my own hack and its all working perfectly". I detect bullshit. I never called you stupid.
    Why would I bullshit about making a hack? This is a great tut and even a newbie coder can make working hacks out of this. Like I said, I'm no expert on ArmA hacking, nor BattlEye. I don't know what it detects, and with all hacking I act cautiously. This is just turning into a "I'm right you're wrong" type of thing on your part, let's leave it at this. Anything else can be sent to me via PM.

    Quote Originally Posted by Douggem
    Thanks for giving me credit, I spent a ton of time on this. Hopefully some people here will find it useful and maybe learn something. I'm sincerely flattered to see it copied here.

    Never heard of this place before though maybe I'll hang out for a bit.
    It's my pleasure, truly. Thank you for letting me post it here, you have my beans.

  #13 eth0
    98% of the mpgh members won't even understand this, no point in posting this here.
    Attachment; my result after 10 minutes. Too easy.
    Attached: capture8sc2c.png

    Last edited by eth0; 04-29-2013 at 06:27 AM.

  #14 Chris
    You will probably think of me as a noob for asking this but isn't cheat engine detected and so won't you get banned for using this?

  #15 bLu3eYeZ


    ---------- Post added at 10:33 AM ---------- Previous post was at 10:27 AM ----------

    Quote Originally Posted by RE4CTIVE
    -_-
    you do realize that I was talking about patching whatever exploit was used to bypass BattlEye scans, not the actual address/offsets pasted on this thread.

    But you are right, I'm not an expert on ArmA 2 hacking, but I'm not stupid either.
    You truly have no clue what you are talking about.
    You have talked shit this whole thread.
    How can reading process memory be patched by battleye?
    How exactly does any of this code bypass battleye scans?
    You don't understand anything you posted about and you start fighting about it.
    Please kill yourself.






    Quote Originally Posted by darkwrath505
    You will probably think of me as a noob for asking this but isn't cheat engine detected and so won't you get banned for using this?
    What does cheat engine have to do with any of this?

