  1. #1 cold123321

    Coding Some Stuff To BF3 [asm]

    Hello!

    My code:
    Code:
    #include <windows.h>
    
    DWORD ingameID;
    HANDLE ingame;
    
    DWORD WINAPI Game(LPVOID)
    {
    	bool ammo = false;
    	// I need help here: this is the base of bf3.exe, the code to patch is at hModule + 0xBC6088
    	HMODULE hModule = GetModuleHandleA("bf3.exe");
    	while (1) {
    		if(GetAsyncKeyState(VK_NUMPAD1)) { ammo = true;} // Numpad 1 turns the cheat on (never off)
    		if(ammo) { // enable unlimited ammo
    			__asm { // I need help here: this runs in our own thread, not at bf3.exe+BC6088
    				pushad;
    				add dword ptr [ebx+18h], 21h; // Cheat Engine's "add [ebx+18],21", values are hex
    				jmp 00FC6097h;                // absolute target copied from Cheat Engine
    				popad;
    			};
    		} else { // lets disable it
    			__asm {
    				pushad;
    				add dword ptr [ebx+18h], eax; // the original instruction
    				jmp 00FC6097h;
    				popad
    			}
    		}
    	}
    	return 0;
    }
    
    BOOL APIENTRY DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
    {
    	DisableThreadLibraryCalls(hInstance); // Disables the DLL_THREAD_ATTACH/DETACH callbacks
    	switch(dwReason)
    	{
    	case DLL_PROCESS_ATTACH:
    		ingame = CreateThread(0,0,Game,0,0,&ingameID);
    		break;
    	case DLL_PROCESS_DETACH:
    		break;
    	}
    	return TRUE;
    }
    So I commented the two parts I need some help with.
    The base address I need to "hook" somehow is this: "bf3.exe"+BC6088
    What that assembly code does is create unlimited ammo, but I need help making sure it's executed at the right place.

    I'm not sure if I even did the rest of the code right. But hopefully it's ok.

  2. #2 .::SCHiM::.
    Quote Originally Posted by cold123321 View Post (post #1, quoted in full)
    First, please rephrase your question; I don't understand what you're trying to do here.

    Second, this is going to go wrong:

    Code:
    				pushad;
    				add [ebx+18],eax;
    				jmp 00FC6097;
    				popad
    I do not know what is at address 00FC6097, but execution is not going to return to the popad instruction after it. You'll need a call instruction for that. If you don't use a call instruction, the game will crash when returning to a function (unless it expects the registers popped), which is not likely.

    If you need to hook bf3.exe + BC6088, it'll look like this:

    Code:
                  mov eax, hModule 
                  add eax, 0BC6088h             ; eax = "bf3.exe"+BC6088, this is where we'll hook
    
                  call Label
    Label:    pop ebx                            ; ebx = address of Label, this is where we'll jump to
                                                 ; ex. ebx = hook location (change where needed)
    
     ; the page at eax must be writable first (VirtualProtect with PAGE_EXECUTE_READWRITE)
     mov byte ptr[eax], 0E9h                     ; E9 = jmp rel32
     mov ecx, ebx                                ; rel32 = target - (hook address + 5)
     sub ecx, eax
     sub ecx, 5
     mov dword ptr[eax+1], ecx
    You can use that code to hook; I don't understand why you don't do this in C++, though.
    Last edited by .::SCHiM::.; 10-07-2011 at 09:36 AM.

    I'm SCHiM

    Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.

    Polymorphic engine
    Interprocess callback class
    SIN
    Infinite-precision arithmetic
    Hooking dynamic linkage
    (sloppy)Kernel mode Disassembler!!!

    Semi debugger




  3. #3 cold123321
    Hello, thanks for answering me! Well, what I want to accomplish is enabling unlimited ammo.
    It works, and I can kill people.

    The code to enable unlimited ammo in assembly is this:
    Code:
    add [ebx+18],21;
    jmp 00FC6097;
    Which is somehow running here: bf3.exe + BC6088.

    I'm trying to learn C++ game hacking, that's why I'm using C++ for this.
    Originally this is a Cheat Engine 6.1 auto-assembler script:
    Code:
    [ENABLE]
    alloc(newmem,2048)
    label(returnhere)
    label(originalcode)
    label(exit)
    
    newmem:
    add [ebx+18],21        // CE numbers are hex: add dword ptr [ebx+18h],21h
    jmp 00FC6097           // straight back into the game, originalcode/exit are never reached
    
    originalcode:
    add [ebx+18],eax
    jmp 00FC6097
    
    exit:
    jmp returnhere
    
    "bf3.exe"+BC6088:
    jmp newmem
    returnhere:
    
    [DISABLE]
    dealloc(newmem)
    "bf3.exe"+BC6088:
    add [ebx+18],eax
    jmp 00FC6097
    I thought it was easy, but it doesn't look like it is. I'd be happy if you could help me out!

  4. #4 .::SCHiM::.
    Quote Originally Posted by cold123321 View Post (post #3, quoted in full)
    Ok so

    add [ebx+18],eax
    jmp 00FC6097

    is running at "bf3.exe"+BC6088?

    If you just need to change that to something else, this is what you have to do:

    Code:
    // same as: add dword ptr [ebx+18h], 21h ; jmp ****  (the rel32 after E9 is not right yet)
    char UnlimAmmo[] = "\x83\x43\x18\x21\xE9\xFA\x5E\x18\x89";
    
    unsigned long OldProt = 0;
    unsigned char* bf3 = (unsigned char*)GetModuleHandleA("bf3.exe");
    bf3 += 0xbc6088;
    
    // sizeof(UnlimAmmo) counts the terminating NUL, so write one byte less (9 bytes)
    VirtualProtect( bf3 , sizeof(UnlimAmmo) - 1, PAGE_EXECUTE_READWRITE /* 0x40 */, &OldProt);
    
    memcpy( (void*) bf3 , (void*)UnlimAmmo, sizeof(UnlimAmmo) - 1);
    
    VirtualProtect( bf3 , sizeof(UnlimAmmo) - 1, OldProt, &OldProt); // put the old protection back
    Note that the jump will fail; you'll have to fix the offset using a debugger like OllyDbg and see how big the jump has to be (it will not work right now, but this should give you an idea).
    Last edited by .::SCHiM::.; 10-07-2011 at 10:03 AM.


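Added example, not code from the thread or from any of its posters: the enable/disable cycle of the Cheat Engine script in #3, done the way #2 and #4 describe it (compute the E9 rel32 from the hook address, write the bytes, check where the jump lands), in portable C over a constructed buffer so it runs and can be checked without the game. Everything below that is not in the thread is an assumption: an image base of 0x00400000 (the base at which "bf3.exe"+BC6088 is 00FC6088, the address range the CE script's 00FC6097 belongs to), a code cave at 0x10000000 standing in for CE's alloc(newmem), and original bytes 01 43 18 EB 0A for add [ebx+18],eax / jmp 00FC6097 (the thread never shows the raw bytes; a jump 15 bytes forward is normally encoded short). The Windows calls (VirtualProtect, VirtualAlloc) appear in comments only.

```c
/* Added example, not from the thread. Portable C: builds the CE-style
 * detour for "bf3.exe"+BC6088 in a constructed buffer and checks it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP32_LEN   5u                 /* E9 rel32 */
#define JMP8_LEN    2u                 /* EB rel8  */

#define IMAGE_BASE  0x00400000u        /* ASSUMPTION: bf3.exe base when CE showed 00FC6097 */
#define HOOK_RVA    0x00BC6088u        /* "bf3.exe"+BC6088, from the thread */
#define HOOK_VA     (IMAGE_BASE + HOOK_RVA)   /* 0x00FC6088 */
#define CONTINUE_VA 0x00FC6097u        /* jmp target in the CE script */
#define CAVE_VA     0x10000000u        /* ASSUMPTION: address alloc(newmem)/VirtualAlloc returned */
#define ORIG_LEN    5u                 /* ASSUMPTION: add [ebx+18h],eax (3) + short jmp (2) */

/* rel32 for an E9 jmp whose first byte is at `from` and that lands at `to`:
 * the displacement is relative to the END of the 5-byte instruction. */
uint32_t jmp_rel32(uint32_t from, uint32_t to) { return to - (from + JMP32_LEN); }

/* Decode the target of the jmp at p (which lives at VA `at`); handles E9 rel32
 * and EB rel8, returns 0 if p is not a jmp. This is the "check it in a debugger" step. */
uint32_t jmp_target(const uint8_t *p, uint32_t at) {
    if (p[0] == 0xE9) {
        uint32_t rel = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                       (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        return at + JMP32_LEN + rel;            /* wraps mod 2^32 for a negative rel32 */
    }
    if (p[0] == 0xEB) return at + JMP8_LEN + (uint32_t)(int32_t)(int8_t)p[1];
    return 0;
}

/* Emit E9 rel32 at dst (which will live at VA `from`), little-endian. */
void write_jmp32(uint8_t *dst, uint32_t from, uint32_t to) {
    uint32_t rel = jmp_rel32(from, to);
    dst[0] = 0xE9;
    for (int i = 0; i < 4; i++) dst[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* CE's newmem: add dword ptr [ebx+18h],21h ; jmp 00FC6097. Returns bytes used (9). */
size_t build_cave(uint8_t *cave, uint32_t cave_va, uint32_t continue_va) {
    static const uint8_t add_imm8[] = { 0x83, 0x43, 0x18, 0x21 };   /* 83 /0 ib */
    memcpy(cave, add_imm8, sizeof add_imm8);
    write_jmp32(cave + sizeof add_imm8, cave_va + sizeof add_imm8, continue_va);
    return sizeof add_imm8 + JMP32_LEN;
}

/* [ENABLE]: save `orig_len` original bytes, write jmp cave, NOP-pad the rest.
 * orig_len must cover whole instructions and be at least 5 bytes. In-process the
 * site is made writable first: VirtualProtect(site, orig_len, PAGE_EXECUTE_READWRITE, &old). */
int install_hook(uint8_t *site, uint32_t site_va, uint32_t cave_va,
                 uint8_t *saved, size_t orig_len) {
    if (orig_len < JMP32_LEN) return 0;
    memcpy(saved, site, orig_len);
    write_jmp32(site, site_va, cave_va);
    memset(site + JMP32_LEN, 0x90, orig_len - JMP32_LEN);
    return 1;
}

/* [DISABLE]: restore the saved bytes; only after this may the cave be freed. */
void remove_hook(uint8_t *site, const uint8_t *saved, size_t orig_len) {
    memcpy(site, saved, orig_len);
}

/* Constructed stand-in for the bytes at "bf3.exe"+BC6088 (assumption, see above):
 *   01 43 18   add [ebx+18h],eax
 *   EB 0A      jmp 00FC6097   (0xFC608B + 2 + 0x0A) */
static const uint8_t k_orig[ORIG_LEN] = { 0x01, 0x43, 0x18, 0xEB, 0x0A };
static uint8_t g_site[ORIG_LEN];
static uint8_t g_cave[64];
static uint8_t g_saved[ORIG_LEN];

/* Full enable -> verify -> disable cycle. Returns 1 when every check passes. */
int demo(void) {
    memcpy(g_site, k_orig, ORIG_LEN);
    int ok = jmp_target(g_site + 3, HOOK_VA + 3) == CONTINUE_VA;   /* original jmp decodes */
    size_t n = build_cave(g_cave, CAVE_VA, CONTINUE_VA);
    ok &= n == 9 && jmp_target(g_cave + 4, CAVE_VA + 4) == CONTINUE_VA;
    ok &= install_hook(g_site, HOOK_VA, CAVE_VA, g_saved, ORIG_LEN);
    ok &= jmp_target(g_site, HOOK_VA) == CAVE_VA;                  /* hook lands in the cave */
    remove_hook(g_site, g_saved, ORIG_LEN);
    ok &= memcmp(g_site, k_orig, ORIG_LEN) == 0;                   /* disable restored it */
    return ok;
}

int main(void) {
    printf("hook %08X -> cave %08X -> continue %08X: %s\n",
           HOOK_VA, CAVE_VA, CONTINUE_VA, demo() ? "ok" : "FAIL");
    return 0;
}
```

jmp_target is what the "fix the offset in a debugger" step in #4 amounts to: decode the jump you just wrote and confirm it lands where you meant, for the hook site and for the cave. Note also that the 9-byte in-place write in #4 (a 4-byte add imm8 plus a 5-byte jmp) is longer than the original add + jmp sequence (3 bytes plus a 2- or 5-byte jmp), so it spills into whatever follows; the CE script avoids that by jumping out to newmem, which is the layout this example reproduces.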
  5. #5 cold123321
    Hey and thanks!
    But isn't it supposed to be:
    Code:
    char UnlimAmmo[] = "\x83\x43\x18\x21\xE9\xFA\x5E\x18\x89"; // this is the same as add dword ptr[ebx+18], 21 jmp ****
    Instead of:
    Code:
    char UnlimAmmo* = "\x83\x43\x18\x21\xE9\xFA\x5E\x18\x89"; // this is the same as add dword ptr[ebx+18], 21 jmp ****
    Because I got an error with it =P

    Could I do this:
    Code:
    HMODULE hModule = GetModuleHandleA("bf3.exe");
    BYTE* address = (BYTE*)hModule + 0xbc6088; // HMODULE is a pointer type, so cast to BYTE* before adding the byte offset
    To get the base address? =P

    Anyway, I'm not so good, so I'll try to figure it out.


    EDIT:
    Also, I'm using a 64-bit system (Windows 7), so I can't use OllyDbg.

  6. #6 Nico
    Olly works fine on Win 7 x64.

  7. #7 0xC0D3
    What's in ECX? If it's the base, then shouldn't it be base+0x18 (0xbc6088+0x18)?

  8. #8 master131
    char UnlimitedAmmo[] and char UnlimitedAmmo* are the same... Well, technically an array is a const pointer, but essentially it does the same thing.
