Copy Function Beta [For PTC]

**SNal2F** · 06-11-2011

Originally Posted by .::SCHiM::.

Then that'd be the console function not the push to console function.
Get your terms straight.

Anyway, I don't know what you try to achieve by copying the function to a different location (it's not like it will work...). But here it is (the first bit of it, if you want more you'll have to dump it yourself):

Code:

77DF1D78   A1 3C001037      MOV EAX,DWORD PTR DS:[3710003C]
77DF1D7D   8B88 2C001037    MOV ECX,DWORD PTR DS:[EAX+3710002C]
77DF1D83   8B1424           MOV EDX,DWORD PTR SS:[ESP]
77DF1D86   05 00001037      ADD EAX,37100000
77DF1D8B   81C1 00001037    ADD ECX,37100000
77DF1D91   3BD1             CMP EDX,ECX
77DF1D93   72 0E            JB SHORT ntdll.77DF1DA3
77DF1D95   8B40 50          MOV EAX,DWORD PTR DS:[EAX+50]
77DF1D98   03C1             ADD EAX,ECX
77DF1D9A   3BD0             CMP EDX,EAX
77DF1D9C   73 05            JNB SHORT ntdll.77DF1DA3
77DF1D9E   E9 A5630100      JMP ntdll.77E08148
77DF1DA3   C3               RETN
77DF1DA4   CC               INT3
77DF1DA5   CC               INT3
77DF1DA6   CC               INT3
77DF1DA7   CC               INT3
77DF1DA8   A1 08028000      MOV EAX,DWORD PTR DS:[800208]
77DF1DAD   83B8 500A0000 00 CMP DWORD PTR DS:[EAX+A50],0
77DF1DB4   74 0B            JE SHORT ntdll.77DF1DC1
77DF1DB6   8B88 500A0000    MOV ECX,DWORD PTR DS:[EAX+A50]
77DF1DBC   E9 B7B40A00      JMP ntdll.77E9D278
77DF1DC1   33C0             XOR EAX,EAX
77DF1DC3   C3               RETN

Note, copying this doesn't make any sense, for starters you'll have to re-write all offsets

Just so you know

he is copying it to so that when the game calls it he will force the game to call his function it works i do it....hook the console on iltclienttable point to your own function rewrite the function and win, its just like a detour in theory he is just doing it a different way.

https://www.mpgh.net/forum/207-combat...ml#post3030792

**.::SCHiM::.** · 06-11-2011

Originally Posted by SNal2F

he is copying it to so that when the game calls it he will force the game to call his function it works i do it....hook the console on iltclienttable point to your own function rewrite the function and win, its just like a detour in theory he is just doing it a different way.

https://www.mpgh.net/forum/207-combat...ml#post3030792

The game calls ltc functions?

**Stephen** · 06-11-2011

Cool .

**SNal2F** · 06-11-2011

Originally Posted by .::SCHiM::.

The game calls ltc functions?

when i say game i mean where the functions are used , bad term i suppose where they are actually used is what i mean ie cshell but the call in there is to the game.exe which actually has the function

**topblast** · 06-11-2011

Originally Posted by SNal2F

you have it wrong...

that is the code inside the ptc @ 0x208 prior to checks

table -> call ptc ->call sub console

learn to reverse b4 calling someone out.

i know what i am asking, you just misunderstand..... and i know how to reverse. You dont understand what I mean.

Originally Posted by .::SCHiM::.

Then that'd be the console function not the push to console function.
Get your terms straight.

Anyway, I don't know what you try to achieve by copying the function to a different location (it's not like it will work...). But here it is (the first bit of it, if you want more you'll have to dump it yourself):

Code:

77DF1D78   A1 3C001037      MOV EAX,DWORD PTR DS:[3710003C]
77DF1D7D   8B88 2C001037    MOV ECX,DWORD PTR DS:[EAX+3710002C]
77DF1D83   8B1424           MOV EDX,DWORD PTR SS:[ESP]
77DF1D86   05 00001037      ADD EAX,37100000
77DF1D8B   81C1 00001037    ADD ECX,37100000
77DF1D91   3BD1             CMP EDX,ECX
77DF1D93   72 0E            JB SHORT ntdll.77DF1DA3
77DF1D95   8B40 50          MOV EAX,DWORD PTR DS:[EAX+50]
77DF1D98   03C1             ADD EAX,ECX
77DF1D9A   3BD0             CMP EDX,EAX
77DF1D9C   73 05            JNB SHORT ntdll.77DF1DA3
77DF1D9E   E9 A5630100      JMP ntdll.77E08148
77DF1DA3   C3               RETN
77DF1DA4   CC               INT3
77DF1DA5   CC               INT3
77DF1DA6   CC               INT3
77DF1DA7   CC               INT3
77DF1DA8   A1 08028000      MOV EAX,DWORD PTR DS:[800208]
77DF1DAD   83B8 500A0000 00 CMP DWORD PTR DS:[EAX+A50],0
77DF1DB4   74 0B            JE SHORT ntdll.77DF1DC1
77DF1DB6   8B88 500A0000    MOV ECX,DWORD PTR DS:[EAX+A50]
77DF1DBC   E9 B7B40A00      JMP ntdll.77E9D278
77DF1DC1   33C0             XOR EAX,EAX
77DF1DC3   C3               RETN

Note, copying this doesn't make any sense, for starters you'll have to re-write all offsets

Just so you know

this is it

**Departure** · 06-11-2011

That is not it....
Read the assembly and look at the address's(ntdll module).... Its doing a check, not any console functions, what has me confused is its been done in the ntdll module? this was always found in the engine.exe or CShell.dll I dont remember which one it was it now(pretty sure its Engine.exe right before the PTC unwrapped) hence why we get the unwrapped PTC...

Anyway there is that many different calls to sub functions that it would impossible to recreate it,

**SNal2F** · 06-11-2011

Originally Posted by topblast

i know what i am asking, you just misunderstand..... and i know how to reverse. You dont understand what I mean.

this is it

i didnt misunderstand.........if that is what ur looking for look at where the jump goes......then look at what i posted if you looked at the exe prior to that check you would see the original function is what i posted..........so i do know what you mean follow that jump , i mean if your redirecting to your own function why copy it and make modifications to the if statements when we know all it does is call that sub function..............think logically.

read this .........
https://www.mpgh.net/forum/207-combat...ml#post3030792

**pashak** · 06-11-2011

Do other games have ptc?

**whit** · 06-11-2011

Originally Posted by pashak

Do other games have ptc?

Other Lithitech Game do like Crossfire idk bout other engines

**pashak** · 06-11-2011

Originally Posted by whit

Other Lithitech Game do like Crossfire idk bout other engines

Oh ok but let's say I wanted to hack a game like hmm mw2 would it be different? Would it only be memory hacking?

**whit** · 06-11-2011

Originally Posted by pashak

Oh ok but let's say I wanted to hack a game like hmm mw2 would it be different? Would it only be memory hacking?

Idk on that one but i believe so ...

**pashak** · 06-11-2011

Originally Posted by whit

Idk on that one but i believe so ...

What about a inbrowser flash game?

**whit** · 06-11-2011

Originally Posted by pashak

What about a inbrowser flash game?

Nigga i dont know

**pashak** · 06-11-2011

.

**.::SCHiM::.** · 06-12-2011

Originally Posted by Departure

That is not it....
Read the assembly and look at the address's(ntdll module).... Its doing a check, not any console functions, what has me confused is its been done in the ntdll module? this was always found in the engine.exe or CShell.dll I dont remember which one it was it now(pretty sure its Engine.exe right before the PTC unwrapped) hence why we get the unwrapped PTC...

Anyway there is that many different calls to sub functions that it would impossible to recreate it,

That's because I copied it into ntdll.dll because I don't have the current dumped engine.exe. I simply dumped the address of the console function & copied it into olly.

Thread: Copy Function Beta [For PTC]

Thread Tools

Display

The Following User Says Thank You to SNal2F For This Useful Post:

The Following User Says Thank You to topblast For This Useful Post:

The Following User Says Thank You to SNal2F For This Useful Post:

The Following User Says Thank You to whit For This Useful Post:

The Following User Says Thank You to whit For This Useful Post:

The Following User Says Thank You to whit For This Useful Post: