Console Checks?

[HellSpider]

Hi.

I was cheating approx a year ago in CA EU and decided to have a look at the stuff again, however the info is kinda scattered.

What I'm looking for is some insight on different checks applied to prevent cheating. I'm not looking for any cheats, I can figure out them later.

So the main question is related to the console commands. The console function is rather easy to find, the inner part of it is however virtualized by Themida. But fortunately it can be resolved.

So far I've figured out that there is atleast two checks to ensure that only the engine calls the console function.

The first one is a check for the current thread ID. The engine stores the ID on startup and compares the ID with the thread ID every time the console function is called.

The other check is comparing if the thread module EP is in the range of the engine EP.

But I'd like to know if there are more checks I should be aware of because when I tried some few console commands (after bypassing the two checks) the game quits (doesn't crash) after the command has been applied (I can see the effect of the command just before it quits).

Appreciate any insight.

EDIT:

Seems like there was something strange in my check bypass. The commands work fine now.

[flameswor10]

It's called in Engine.exe

[HellSpider]

It's called in Engine.exe

What is called? The check? If so yeah, it was virtualized by Themida but I can post a picture of the unvirtualized check. Just thought there was more checks because of my game closing unexpectedly, but it was just a invalid memory location issue in my bypass code part.

[Gordon`]

cant seem to find any other check except that it checks the returnaddress of the function. i removed that check and im able to execute all console commands just fine.

[HellSpider]

cant seem to find any other check except that it checks the returnaddress of the function. i removed that check and im able to execute all console commands just fine.

Oh there is a check for stuff like that too? Well it doesn't matter as I call the top layer console function (with just 1 argument), the return address will thus always be one from Engine.exe.

However, my console commands didn't work before I changed my DLL EP in the stack to some address in the range of Engine.exe. And I had to move my DLL thread ID to a data location.

Which version are you playing? EU too?

[Gordon`]

Yes EU, but this check is also present in NA. You can cleary see it when you look inside of CLTBase::RunConsoleCommand.

[HellSpider]

Yes EU, but this check is also present in NA. You can cleary see it when you look inside of CLTBase::RunConsoleCommand.

Can you throw me the function address you are refering to? Still new with these CLTBase LTClient etc stuffs.

[Gordon`]

search for any console command like "RestartRender" and you'll find the cltbase just a few lines above.

edit:

Code:

375BC01C    8B0D 905D8F37   MOV ECX,DWORD PTR DS:[378F5D90]            ; <-- CLTBase
375BC022    8B91 08020000   MOV EDX,DWORD PTR DS:[ECX+208]             ; offset to CLTBase::RunConsoleCommand
375BC028    68 7C238137     PUSH cshell.3781237C                     ; ASCII "RestartRender"
375BC02D    FFD2            CALL EDX                                   ; call to CLTBase::RunConsoleCommand
375BC02F    A1 78539337     MOV EAX,DWORD PTR DS:[37935378]
375BC034    83C4 04         ADD ESP,4                                  ; fix the stack after calling, cause the calling convention is __cdecl. you can also see that the function is only taking 1 parameter (4 divided by 4 is 1)