Originally Posted by
Peter8
Finding the Offsets for the Commander Hack
Every hack begins with a few offsets, and for the Commander Hack these are ForceCommander, Supply, and Artillery.
To find the memory addresses for the commander hack we begin with simple memory searchers such as TSearch or Cheat Engine. A memory searcher scans the memory of a game's process for a given value, narrows the hits down as that value changes, and can then modify the surviving addresses or set breakpoints on them.
Setting Up The Scene
As with most game hacking, we first need to start BF2 Demo in windowed mode. Open the shortcut's properties and change the command-line option "+fullscreen 1" to "+fullscreen 0".
This allows us to run BF2 and debug it at the same time without causing problems. Once you have set the shortcut properties, run the game and TSearch. In the BF2 Demo, navigate to Single Player and start a Gulf of Oman single player game.
Searching for the Addresses
When the server has loaded, apply to be commander, and accept when the invitation comes. When you accept the commander position, a Boolean value of 1 is written to your player's profile (structure/class) in the game's memory.
Now Alt-Tab to TSearch, click Open Process, and select BF2.exe, which is our game. Once it's attached, click the little magnifying glass ("Init New Search") and search for the Exact Value 1 with the type set to Byte. You will get millions of results.
Next, head back to BF2 and resign from the commander position. The byte for commander will now have changed back to 0, so head back to TSearch and use "Search Next" to find which of the hits has changed to 0. Then go back and apply for commander again, and search for the ones that changed back to 1. Keep doing this back and forth until you end up with a few values.
After a few turns of applying and resigning, I got down to 17 memory addresses, and they would all change when applying for or resigning from commander.
Now add all 17 addresses to the table to the right of the search window by clicking the "Add All Searches" icon. In the table, go through the seventeen addresses one by one, changing each to 1 and watching the BF2 screen to see if you become commander. Most of them will revert to 0, but the correct address will stay 1 and make you commander at the same time. This is the address we want!
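The whole narrowing procedure above (Init New Search, repeated Search Next while toggling commander, then poking 1 into each survivor) written out as code. This is an added example, not part of the original post: it runs against a constructed stand-in for BF2.exe's memory rather than a live process, and the flag offset, the "mirror" bytes the fake game recomputes from the flag each tick, and the frame counter are all assumptions made up for the simulation. A real scanner would fill the snapshot with ReadProcessMemory over the regions VirtualQueryEx reports, but the filtering and write-test logic is the same.

```c
/* Added example (not from the original post). Simulated target: a 4 KB
 * buffer standing in for BF2.exe's memory. All offsets below are assumed. */
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE    0x1000
#define FLAG_OFF    0x0A3C   /* assumed: the real "is commander" byte */
#define COUNTER_OFF 0x0040   /* assumed: a byte the game bumps every tick */
#define N_MIRRORS   4

/* Bytes the fake game recomputes from FLAG_OFF each tick. They flip with
 * apply/resign exactly like the real flag, so value scans alone cannot
 * separate them from it (the "17 addresses" situation in the text). */
static const size_t MIRROR_OFF[N_MIRRORS] = { 0x0120, 0x07F4, 0x0C08, 0x0E10 };

typedef struct { uint8_t mem[MEM_SIZE]; } sim_proc;

/* One game-loop iteration: derived bytes are rewritten from the master
 * flag and the counter advances; the master flag itself is left alone. */
void sim_tick(sim_proc *p) {
    for (size_t i = 0; i < N_MIRRORS; i++) p->mem[MIRROR_OFF[i]] = p->mem[FLAG_OFF];
    p->mem[COUNTER_OFF]++;
}

int sim_is_commander(const sim_proc *p) { return p->mem[FLAG_OFF] == 1; }

/* Apply for (on=1) or resign from (on=0) commander, then let the game run. */
void sim_set_commander(sim_proc *p, int on) {
    p->mem[FLAG_OFF] = (uint8_t)(on ? 1 : 0);
    sim_tick(p);
}

void sim_init(sim_proc *p, uint32_t seed) {
    for (size_t i = 0; i < MEM_SIZE; i++) {      /* constructed noise, bytes 0..3 */
        seed = seed * 1664525u + 1013904223u;
        p->mem[i] = (uint8_t)((seed >> 24) & 3);
    }
    p->mem[FLAG_OFF] = 0;
    p->mem[COUNTER_OFF] = 0;
    sim_tick(p);
}

typedef struct { size_t addr[MEM_SIZE]; size_t n; } candidates;

/* "Init New Search": every address whose byte equals value. */
void scan_exact(const uint8_t *mem, size_t len, uint8_t value, candidates *c) {
    c->n = 0;
    for (size_t a = 0; a < len; a++)
        if (mem[a] == value) c->addr[c->n++] = a;
}

/* "Search Next": keep only the candidates whose byte now equals value. */
void scan_next(const uint8_t *mem, uint8_t value, candidates *c) {
    size_t kept = 0;
    for (size_t i = 0; i < c->n; i++)
        if (mem[c->addr[i]] == value) c->addr[kept++] = c->addr[i];
    c->n = kept;
}

/* Apply, scan for 1, then alternate resign/apply `rounds` times, filtering
 * for 0 and 1 in turn. Returns how many candidates survive. */
size_t narrow_candidates(sim_proc *p, int rounds, candidates *c) {
    sim_set_commander(p, 1);
    scan_exact(p->mem, MEM_SIZE, 1, c);
    for (int r = 0; r < rounds; r++) {
        sim_set_commander(p, 0); scan_next(p->mem, 0, c);
        sim_set_commander(p, 1); scan_next(p->mem, 1, c);
    }
    return c->n;
}

/* The poke test from the text: resign, write 1 into one candidate, let the
 * game tick, and check that the 1 stuck AND you became commander. Mirrors
 * get overwritten back to 0; unrelated bytes keep the 1 but grant nothing. */
size_t write_test(sim_proc *p, const candidates *c) {
    for (size_t i = 0; i < c->n; i++) {
        sim_set_commander(p, 0);
        p->mem[c->addr[i]] = 1;
        sim_tick(p);
        if (p->mem[c->addr[i]] == 1 && sim_is_commander(p)) return c->addr[i];
    }
    return (size_t)-1;
}

/* Survivors after three apply/resign rounds: the flag plus its 4 mirrors. */
size_t demo_candidates_left(void) {
    static sim_proc p; static candidates c;     /* static: keeps ~40 KB off the stack */
    sim_init(&p, 0xB2F2u);
    return narrow_candidates(&p, 3, &c);
}

/* Full procedure; returns the offset the poke test singles out. */
size_t find_commander_flag(void) {
    static sim_proc p; static candidates c;
    sim_init(&p, 0xB2F2u);
    narrow_candidates(&p, 3, &c);
    return write_test(&p, &c);
}

int main(void) {
    printf("candidates left after narrowing: %zu\n", demo_candidates_left());
    size_t hit = find_commander_flag();
    if (hit == (size_t)-1) printf("poke test found nothing\n");
    else printf("commander flag at offset 0x%04zx\n", hit);
    return 0;
}
```

The value scan cannot tell the real flag from bytes the game derives from it, which is why the poke test is needed: only the master byte both keeps the written 1 across a game tick and actually makes you commander. Against a real process the candidate set also has to survive unrelated bytes that happen to toggle between 0 and 1 on their own (frame counters, timers), which is what the extra rounds are for.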
NOTE: The address we found is dynamic, meaning it changes every time we restart the game or switch servers. The game-hacking term for this is DMA (dynamic memory allocation, not to be confused with direct memory access). So one of the obstacles we need to overcome to make a commander hack is this DMA.
At this point we need to set a memory breakpoint on that address to see what code accesses it. To do this in TSearch, click AutoHack -> Enable Debugger.
NOTE: It is at this point that you have to do things a little differently from the Retail Version. In the Retail Version of BF2, because of SafeDisc, the game is continually debugging itself, and therefore we are not able to attach a debugger (fortunately SafeDisc is not in the Demo). Getting past this debug obstacle is called "Resetting the Debug Port". There are several tutorials on how to do this; see my tutorial for "Steal DMA".
Once you've clicked "Enable Debugger", go back to the address you found controlled ForceCommander, right click on it, and click "AutoHack". Now go back to the game and apply for/resign from commander. Then, back in TSearch, go to AutoHack -> AutoHack Window.
Now you should have the OFFSET of the instruction that writes to the address deciding whether we are commander or not. The cool thing about this offset is that it is constant for everyone (within that particular version), unlike the data address, which changes every run.
Patching the code at that offset would make us commander forever. The only problem is that BF2.exe (where these modifications take place) is completely scanned, so even the slightest modification will be detected and a "corrupt memory" kick will follow. A method to bypass that will be discussed further on.
WILL BE CONTINUED