Thread: CF Hack

  1. #16
    GameHaXx
    G_Force are fighting

    ---------- Post added at 06:37 PM ---------- Previous post was at 06:36 PM ----------

    Let's get some PopCorn

  2. #17
    JimTheGreat
    Omg, you guys posted so much since I was forgetting about my own important thread.

    ---------- Post added at 08:16 PM ---------- Previous post was at 08:16 PM ----------

    Quote Originally Posted by giniyat101 View Post
    I will give some tips here which could help:

    1- learn to use some WinAPIs.. learning what LoadLibrary and GetModuleHandle do is a good idea

    2- learn the basics of assembly.. you will need some of them, which I am going to explain:

    registers: act like variables in coding, but they are stored in the CPU, not the RAM
    in x86 there are 9 32-bit registers: EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP, EIP
    a 16-bit version of them is also available (without the E)
    and AX, BX, CX, DX are each formed of two 8-bit registers (replacing the X with either L or H)

    MOV dest, source command: copies the value of source to dest; it can appear in different forms like:
    MOV [dest], source : copies the value of source to the variable stored at address dest
    MOV dest, [source] : copies the value stored at address source to dest
    the signs + and * can also appear, only inside the []

    examples:
    mov eax, eax ; nothing happens
    mov eax, 100 ; eax equals 0x100 after this operation
    mov [40EA00], eax ;value at 0x40EA00 becomes 0x100 after this operation
    mov ecx, 40EA00 ;ecx will equal 0x40EA00
    mov edx, [ecx] ;edx will equal 0x100

    lea dest, [source] command:
    almost like mov, but the difference is that it calculates the source expression without reading a value from it
    example:

    lea esi, [ecx+edx*2] ; esi equals 0x40EA00 + 0x100 * 2 = 0x40EC00
    lea eax, [eax] ; nothing will happen ofc

    fld [source] and fstp [dest] :
    acts like mov but with floats.

    3- download and try to practice with OllyDbg
    OllyDbg v1.10

    after finishing these steps get latest unpacked cshell.dll from here
    https://www.mpgh.net/forum/242-crossf...-7-2012-a.html

    and try to load it in ollydbg.. the status bar should say "entry point of debugged dll"
    if it doesn't say that, try making a program that loads the unpacked cshell (if you read about LoadLibrary you will find it easy!)

    make sure you are viewing cshell by right click -> view -> module cshell_whatever

    try to search common string references used in cshell.. to do that right click then pick search for -> all referenced text strings
    then right click in the new window and pick find, then type a string.. you may use these:

    ReloadAnimRatio : no reload delay
    ChangeWeaponAnimRatio : no change delay
    AmmoDamage : no need to explain
    CharacterHiddenAlpha / CharacterHiddenWalkAlpha / CharacterHiddenRunAlpha : see ghosts
    DistFallDamageStartFrom /DamagePerMeter : no fall damage

    for example I am going to use DistFallDamageStartFrom as it's very easy
    so you type DistFallDamageStartFrom in the search box and press Enter twice to go to the code

    you would see something like this:

    there are two useful commands here

    MOV EDX,DWORD PTR DS:[10B740F8]
    FSTP DWORD PTR DS:[EDX]

    translating to C++ will give something like this:

    Code:
    DWORD myEDX = *(0x10B740F8);
    *(myEDX) = something; // (let's say 99999.0f)

    correct? no it isn't, because in the first line you are trying to read from a dword
    and in the second line you are trying to write a float value to a dword
    let's fix that by type casting to the other types:

    Code:
    DWORD myEDX = *(DWORD*)(0x10B740F8);
    *(float*)(myEDX) = 99999.0f;

    now that's better, but there is still a problem.. what if the pointer myEDX is not valid?
    it will cause the game to crash, so we will add a NULL pointer check

    Code:
    DWORD myEDX = *(DWORD*)(0x10B740F8);
    if (myEDX)
    {
        *(float*)(myEDX) = 99999.0f;
    }

    almost correct! there is only one problem
    cshell is loaded at 0x10000000 (press Alt + E in ollydbg to check).. but when the game loads it, it will probably go to a different address
    so the easiest way is to convert the address 0x10B740F8 to an offset by subtracting 0x10000000 (the result is 0xB740F8)
    then convert it back to an address in-game

    if you already read about GetModuleHandle, you would know it takes the module name as a parameter and returns the base address as an HMODULE on success

    again, we will type cast the result to DWORD so we can add 0xB740F8 to it

    so the final code will look like this:

    Code:
    #include <windows.h>

    // base address of CShell.dll inside the game process (NULL if it is not loaded)
    DWORD CShell = (DWORD)GetModuleHandleW(L"CShell.dll");
    if (CShell)
    {
        // rebase the OllyDbg address: 0x10B740F8 - 0x10000000 = offset 0xB740F8
        DWORD myEDX = *(DWORD*)(CShell + 0xB740F8);
        if (myEDX)
        {
            *(float*)(myEDX) = 99999.0f;
        }
    }

    if you have any problem with any of these steps tell me through PM or on MSN

    good luck
    ....
    o.o
    Um...well I think I get what you're saying...



    No I don't.

  3. #18
    giniyat101
    Quote Originally Posted by GameHaXx View Post
    G_Force are fighting

    ---------- Post added at 06:37 PM ---------- Previous post was at 06:36 PM ----------

    Let's get some PopCorn
    not a fight .. just some trolling around

    Quote Originally Posted by Infractured View Post
    Omg, you guys posted so much since I was forgetting about my own important thread.

    ---------- Post added at 08:16 PM ---------- Previous post was at 08:16 PM ----------


    ....
    o.o
    Um...well I think I get what you're saying...



    No I don't.
    which part?


     




  4. #19
    JimTheGreat
    Quote Originally Posted by giniyat101 View Post
    which part?
    Well actually do you just mean to understand these of what you said:
    "I will give some tips here which could help:

    1- learn to use some WinAPIs.. learning what LoadLibrary and GetModuleHandle do is a good idea

    2- learn the basics of assembly.. "

  5. #20
    Deadeys
    Quote Originally Posted by Infractured View Post

    Well actually do you just mean to understand these of what you said:
    "I will give some tips here which could help:

    1- learn to use some WinAPIs.. learning what LoadLibrary and GetModuleHandle do is a good idea

    2- learn the basics of assembly.. "
    1:
    It's almost the same, LoadLibrary loads the dll if it's not loaded already.
    They both give back the address where the DLL is located.

    2:
    You need to read some assembly code and search the meaning of commands, or you can read an ebook.
    Learning assembly takes long, writing assembly is very very hard and will take very much time.

    If you want to code for yourself without help, then you need to study for 1 year or more. I have coded now for 6 years, almost 7 years. Btw, read also some "good coding practice books", they are very helpful.

    The best tip that anyone can give you is learn from an Ebook, it's much faster than learning from source codes, I have read more than 7 Ebooks. I read (I guess) 3 books before I started with game hacking. After that I learned a little bit of assembly by looking at code. I know for sure that I was now better in assembly when I read an assembly book a year ago.
    Last edited by Deadeys; 08-13-2012 at 12:27 PM.


  7. #21
    JimTheGreat
    Quote Originally Posted by Deadeys View Post
    1:
    It's almost the same, LoadLibrary loads the dll if it's not loaded already.
    They both give back the address where the DLL is located.

    2:
    You need to read some assembly code and search the meaning of commands, or you can read an ebook.
    Learning assembly takes long, writing assembly is very very hard and will take very much time.

    If you want to code for yourself without help, then you need to study for 1 year or more. I have coded now for 6 years, almost 7 years. Btw, read also some "good coding practice books", they are very helpful.

    The best tip that anyone can give you is learn from an Ebook, it's much faster than learning from source codes, I have read more than 7 Ebooks. I read (I guess) 3 books before I started with game hacking. After that I learned a little bit of assembly by looking at code. I know for sure that I was now better in assembly when I read an assembly book a year ago.
    Thanks, now I know what I have to do. @Hassan Close

  8. #22
    giniyat101
    Quote Originally Posted by Infractured View Post

    Thanks, now I know what I have to do. @Hassan Close
    hassan has no powers here
    @Hero


     




  9. #23
    JimTheGreat
    Quote Originally Posted by giniyat101 View Post
    hassan has no powers here
    @Hero
    I thought I was in the programming section.

