[MPGH]Flengo (01-09-2013),gibam761 (01-09-2013),kssiobr (01-11-2013),[MPGH]master131 (01-09-2013),Otaviomorais (01-09-2013),supercarz1991 (01-09-2013),teehee15 (01-09-2013),The Decoder (01-12-2013)
.::NℰOH4X::.
Finding LTClient || Tutorial #1 by .::NℰOH4X:: ||
Requirements:
-master131's Module Dumper
-LordPE
-OllyDbg
-------------------------------------------------------------------------------------------
*VIDEO TUTORIAL*
-------------------------------------------------------------------------------------------
*TEXT TUTORIAL*
First off, we will need to dump cshell.dll so we can open it in OllyDbg.
1.) Follow master131's tutorial here (thanks @master131): https://www.mpgh.net/forum/207-combat...le-dumper.html
2.) Once you have dumped cshell.dll and removed the .dmp extension (tip: that extension may be hidden, so you will need to untick hide extensions in your folder options in Control Panel / Appearance!),
we can move on to the next step: opening it in OllyDbg.
Your screen should now look like this :
Now, once you've opened it and it looks like the image above, right click anywhere and click on Search for -> All Referenced Text Strings.
Your screen should now look like this :
Ok, once your screen looks like the image above, scroll ALL the way up, then press the down arrow key once or twice and find ASCII "invalid vector<T> subscript". Once you find it, CLICK on it, then right click it, click Search for text and type in "ILTModelClient.Default". Once you do, it will take you to it!
Here's an image of ASCII "invalid vector<T> subscript" being found:
* Don't mind the square; the invalid vector string is behind it. *
Once you have ILTModelClient.Default highlighted, press CTRL + L two times! On the second time it will highlight the red CPU selection; press it rapidly one more time and it should go back to ILTModelClient.Default. *It may take a few tries to get it right!* Then right click on it and click "Follow in Disassembler".
Here is how it should look after pressing CTRL + L two times:
Now keep scrolling up until you see the first black dot!
It should look like this!:
There should be 8 numbers highlighted in gray on the left. Take those numbers and add 0x in front of them!
If you did everything right, LTClient should be: 0x3781D678
--------------------------------------------------------------------------------------------------------------
~NℰOH4X~
I hope this helped anyone wanting to find the LTClient address. This method can also be used to find other addresses in cshell.dll.
If this tutorial is too confusing, I will make a step-by-step video in the afternoon!
Thanks.
~NℰOH4X~
Last edited by N3OH4X; 01-09-2013 at 05:43 AM.
Funny how many times this has been posted and I still can't do it on any other LithTech-based game EXCEPT CA.
commando: You're probably the best non-coder coder I know LOL
I'll try it myself on another game using that engine and will report back with results @supercarz1991
Oh, I've been trying on my own personal FPS game that's on the LithTech Jupiter engine lol @N3OH4X
Oh, what FPS game would that be?
And if you want to discuss and get to know each other, you're welcome to add my MSN: n3oh4x@live.com
Find a command string (push-to-console command) that you are familiar with, such as FogEnable, SkyFog, etc.
Find references to it. It will point to a push near a call, which will be to a virtual function (PTC). Find what sets the offset:
Register + Offset to virtual function
The register will hold the LTClient. If it points to a non-virtual function, see what the function does; it will show you the LTClient.
Using this method you can reverse the entire thing.
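Added example, not code from N3OH4X's post, master131's dumper, OllyDbg or the LithTech SDK. It automates the two manual procedures in this thread: the tutorial's "search for the string, follow the reference, scroll up to the first black dot" walk (the function that references "ILTModelClient.Default"), and the last reply's "push near a call to a virtual function, register + offset" pattern. It assumes the dump is a flat memory image where file offset equals RVA (so VA = base + offset); if your dump was rebuilt into a proper PE with LordPE you would first map RVA to file offset through the section headers. The base address, the prologue heuristic (`push ebp; mov ebp, esp`) and the sample bytes are my assumptions, constructed for the example, not real cshell.dll bytes or addresses.

```python
# Added example, not code from the thread. Finds a string in a flat module dump,
# follows `push <string VA>` references back to the containing function's prologue
# (the "first black dot" in OllyDbg) and looks just after the push for a
# `call [reg+disp]` virtual call so the vtable offset can be read off.
#
# Assumptions (mine, not the thread's):
#   * the dump is a flat memory image: file offset == RVA, so VA = base + offset
#   * functions start with the MSVC prologue `push ebp; mov ebp, esp` (55 8B EC)
#   * SAMPLE_BASE and SAMPLE_IMAGE are constructed test data, not real cshell.dll
import struct

PROLOGUE = b"\x55\x8b\xec"          # push ebp; mov ebp, esp
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_all(image, pattern):
    """Every offset at which `pattern` occurs in `image`."""
    hits, pos = [], image.find(pattern)
    while pos >= 0:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits


def find_string(image, text):
    """Offsets of the NUL-terminated ASCII string `text` (bytes)."""
    return find_all(image, text + b"\x00")


def find_push_refs(image, base, string_off):
    """Offsets of `push imm32` (68 xx xx xx xx) whose immediate is the string's VA."""
    return find_all(image, b"\x68" + struct.pack("<I", base + string_off))


def find_function_start(image, ref_off):
    """Nearest `push ebp; mov ebp, esp` before the reference, or None.
    Heuristic: those bytes can also occur inside other instructions or data,
    so confirm the result in OllyDbg before using it."""
    pos = image.rfind(PROLOGUE, 0, ref_off)
    return None if pos < 0 else pos


def find_vcall_after(image, ref_off, window=32):
    """Scan forward from the 5-byte push for `call [reg+disp8]` (FF 50..57 dd) or
    `call [reg+disp32]` (FF 90..97 dddddddd). Returns (offset, register, disp) or
    None. Byte scanning without a disassembler: treat a hit as a lead, not proof."""
    pos, end = ref_off + 5, min(len(image), ref_off + 5 + window)
    while pos + 2 < end:
        if image[pos] == 0xFF:
            modrm = image[pos + 1]
            rm = modrm & 7
            if rm != 4:                          # rm=100 means a SIB byte follows; skip
                if 0x50 <= modrm <= 0x57:
                    return pos, REGS[rm], image[pos + 2]
                if 0x90 <= modrm <= 0x97 and pos + 6 <= len(image):
                    return pos, REGS[rm], struct.unpack_from("<I", image, pos + 2)[0]
        pos += 1
    return None


def locate(image, base, text):
    """Tie the steps together: one record per push reference to `text`."""
    results = []
    for s_off in find_string(image, text):
        for r_off in find_push_refs(image, base, s_off):
            f_off = find_function_start(image, r_off)
            vc = find_vcall_after(image, r_off)
            results.append({
                "string_va": base + s_off,
                "push_va": base + r_off,
                "function_va": None if f_off is None else base + f_off,
                "vcall": None if vc is None else (vc[1], vc[2]),
            })
    return results


# Constructed sample image (NOT real cshell.dll bytes): int3 padding plus one small
# function that pushes the string's address and then calls through a vtable slot.
SAMPLE_BASE = 0x37000000                       # assumed base, not the real one
SAMPLE_IMAGE = bytearray(b"\xcc" * 0x200)
SAMPLE_IMAGE[0x10:0x1F] = (
    b"\x55\x8b\xec"                            # push ebp; mov ebp, esp
    + b"\x8b\x4d\x08"                          # mov ecx, [ebp+8]
    + b"\x68" + struct.pack("<I", SAMPLE_BASE + 0x100)  # push offset "ILTModelClient.Default"
    + b"\xff\x51\x14"                          # call [ecx+0x14]
    + b"\xc3"                                  # ret
)
SAMPLE_IMAGE[0x100:0x117] = b"ILTModelClient.Default\x00"
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)

if __name__ == "__main__":
    for hit in locate(SAMPLE_IMAGE, SAMPLE_BASE, b"ILTModelClient.Default"):
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in hit.items()})
```

The `function_va` it reports is the same number the tutorial tells you to read off the gray address column at the first black dot; the `vcall` pair is the register and offset the last reply tells you to look for. Run it on a real dump with `locate(open("cshell.dll", "rb").read(), base, b"ILTModelClient.Default")`, with `base` taken from the dumper's output, and check every hit in OllyDbg, since both the prologue search and the call scan are byte-pattern heuristics rather than a real disassembly.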