#1 brixs

Question: Playpark Game Base and Pointers

I am a newbie and want to learn something about coding, and I started to read
threads here and on other forums.

I learned some basics by reading others' tutorials, but it's been a week since I started trying to figure out how to find the correct base and pointers to create a simple hack for this game.

I followed Shadow's and Firefox800's tutorials and watched tutorial videos on YouTube.

I successfully unpacked SpecialForce.exe and removed the Themida protection on it,
but when I load it in OllyDbg and IDA to view the base pointers and offsets,
everything is different from what they posted in their tutorial.


I started to find the base address by searching for GetDlgItemTextA, based on Shadow's tutorial.


    Game Base
    ------------------------- Base -------------------------------------------------------


    ___:00B3E730 push ebp
    ___:00B3E731 mov ebp, esp
    ___:00B3E733 sub esp, 10h
    ___:00B3E736 mov eax, dword_E1B328
    ___:00B3E73B xor eax, ebp
    ___:00B3E73D mov [ebp+var_4], eax
    ___:00B3E740 mov eax, [ebp+hDlg]
    ___:00B3E743 lea ecx, [ebp+String]
    ___:00B3E746 push 0Ah ; cchMax
    ___:00B3E748 push ecx ; lpString
    ___:00B3E749 push 403h ; nIDDlgItem
    ___:00B3E74E xorps xmm0, xmm0
    ___:00B3E751 mov [ebp+var_8], 0
    ___:00B3E757 push eax ; hDlg
    ___:00B3E758 movq qword ptr [ebp+String], xmm0
    ___:00B3E75D call GetDlgItemTextA
    ___:00B3E763 lea eax, [ebp+String]
    ___:00B3E766 push eax
    ___:00B3E767 call sub_C0C1D2
    ___:00B3E76C add esp, 4
    ___:00B3E76F lea ecx, [eax-1]
    ___:00B3E772 cmp ecx, 0Bh
    ___:00B3E775 ja short loc_B3E78C
    ___:00B3E777 mov dword_E29A54, eax
    ___:00B3E77C mov al, 1
    ___:00B3E77E mov ecx, [ebp+var_4]
    ___:00B3E781 xor ecx, ebp
    ___:00B3E783 call sub_C7C4FA
    ___:00B3E788 mov esp, ebp
    ___:00B3E78A pop ebp
    ___:00B3E78B retn

    --------------------------------- End Base ---------------------------------------------

And by searching for push 0C6h to find the pointer:

    Player Pointer
    ___:0059F6D8 dd 8000C30Ch, 0
    ___:0059F6E0 dd offset dword_D2D80C
    ___:0059F6E4 dd 0C4h, 8000C40Ch, 0
    ___:0059F6F0 dd offset dword_D2D80C
    ___:0059F6F4 dd 0C5h, 8000C50Ch, 0
    ___:0059F700 dd offset dword_D2D80C
    ___:0059F704 dd 0C6h, 8000C60Ch, 0
    ___:0059F710 dd offset dword_D2D80C
    ___:0059F714 dd 0C7h, 8000C70Ch, 0
    ___:0059F720 dd offset dword_D2D80C
    ___:0059F724 dd 0C8h, 8000C80Ch, 0
    ___:0059F730 dd offset dword_D2D80C
    ___:0059F734 dd 0C9h, 8000C90Ch, 0

    Base Hook

    ___:006AD280 push ebp
    ___:006AD281 mov ebp, esp
    ___:006AD283 sub esp, 18h
    ___:006AD286 mov eax, dword_E1B328
    ___:006AD28B xor eax, ebp
    ___:006AD28D mov [ebp+var_4], eax
    ___:006AD290 mov edx, [ecx+4]
    ___:006AD293 push ebx
    ___:006AD294 mov ebx, [ebp+arg_0]
    ___:006AD297 push esi
    ___:006AD298 mov eax, [edx]
    ___:006AD29A and ebx, 6
    ___:006AD29D push edi
    ___:006AD29E push 0
    ___:006AD2A0 lea edi, [ecx+8]
    ___:006AD2A3 push edi
    ___:006AD2A4 push offset dword_D2D7CC
    ___:006AD2A9 push edx
    ___:006AD2AA call dword ptr [eax+0Ch]
    ___:006AD2AD mov esi, eax
    ___:006AD2AF test esi, esi
    ___:006AD2B1 jns short loc_6AD2E3
    ___:006AD2B3 mov ecx, dword_1010C34
    ___:006AD2B9 push 0 ; uType
    ___:006AD2BB push 0 ; lpCaption
    ___:006AD2BD push offset aCreatedeviceKe ; "CreateDevice(Keyboard) FAILED"
    ___:006AD2C2 push dword ptr [ecx+19Ch] ; hWnd
    ___:006AD2C8 call MessageBoxA
    ___:006AD2CE pop edi
    ___:006AD2CF mov eax, esi
    ___:006AD2D1 pop esi
    ___:006AD2D2 pop ebx
    ___:006AD2D3 mov ecx, [ebp+var_4]
    ___:006AD2D6 xor ecx, ebp
    ___:006AD2D8 call sub_C7C4FA
    ___:006AD2DD mov esp, ebp
    ___:006AD2DF pop ebp
    ___:006AD2E0 retn 8

    CIRCLE.TGA
    ___:008C5260 push ebp
    ___:008C5261 mov ebp, esp
    ___:008C5263 sub esp, 10h
    ___:008C5266 push esi
    ___:008C5267 mov esi, ecx
    ___:008C5269 call sub_8C8F50
    ___:008C526E mov ecx, esi
    ___:008C5270 call sub_8CA6D0
    ___:008C5275 mov ecx, [esi+4]
    ___:008C5278 mov dword ptr [esi+1C470h], 0
    ___:008C5282 mov dword ptr [esi+1C474h], 0
    ___:008C528C call sub_8E71E0
    ___:008C5291 mov ecx, [esi+4]
    ___:008C5294 call sub_8E7710
    ___:008C5299 mov ecx, [esi+4]
    ___:008C529C call sub_8E74E0
    ___:008C52A1 mov ecx, [esi+4]
    ___:008C52A4 call sub_8E7800
    ___:008C52A9 mov ecx, [esi+4]
    ___:008C52AC call sub_8E7250
    ___:008C52B1 mov ecx, [esi+4]
    ___:008C52B4 call sub_8E7450
    ___:008C52B9 mov ecx, [esi+4]
    ___:008C52BC call sub_8E79C0
    ___:008C52C1 mov ecx, [esi+4]
    ___:008C52C4 call sub_8E7690
    ___:008C52C9 mov ecx, [esi+4]
    ___:008C52CC call sub_8E78F0
    ___:008C52D1 mov dword ptr [esi+8510h], 0FFFFFFFFh
    ___:008C52DB mov byte ptr [esi+8518h], 0FFh
    ___:008C52E2 mov dword ptr [esi+1C458h], 0
    ___:008C52EC mov byte ptr [esi+1C4FCh], 0
    ___:008C52F3 mov dword ptr [esi+1C580h], 0
    ___:008C52FD mov eax, dword_1010C34
    ___:008C5302 mov eax, [eax+18Ch]
    ___:008C5308 movd xmm0, eax
    ___:008C530C cvtdq2pd xmm0, xmm0
    ___:008C5310 shr eax, 1Fh
    ___:008C5313 addsd xmm0, qword_D9B790[eax*8]
    ___:008C531C cvtpd2ps xmm0, xmm0
    ___:008C5320 movss dword ptr [esi+1CE00h], xmm0
    ___:008C5328 mov eax, dword_1010C34
    ___:008C532D mov eax, [eax+190h]
    ___:008C5333 movd xmm0, eax
    ___:008C5337 cvtdq2pd xmm0, xmm0
    ___:008C533B shr eax, 1Fh
    ___:008C533E addsd xmm0, qword_D9B790[eax*8]
    ___:008C5347 lea eax, [esi+1C9F8h]
    ___:008C534D push eax
    ___:008C534E push 0FF000000h
    ___:008C5353 push 15h
    ___:008C5355 cvtpd2ps xmm0, xmm0
    ___:008C5359 push offset aCrosshairCircl ; "crosshair\\circle.tga"
    ___:008C535E push offset aWeapon_4 ; "Weapon"
    ___:008C5363 movss dword ptr [esi+1CE04h], xmm0
    ___:008C536B call sub_666B00
    ___:008C5370 movss xmm0, dword ptr [esi+1CE00h]
    ___:008C5378 mulss xmm0, dword_D0E994
    ___:008C5380 mov dword ptr [ebp+var_10+8], 3F000000h
    ___:008C5387 mov dword ptr [ebp+var_10+0Ch], 3F800000h
    ___:008C538E movss dword ptr [ebp+var_10], xmm0
    ___:008C5393 movss xmm0, dword ptr [esi+1CE04h]
    ___:008C539B mulss xmm0, dword_D0E990
    ___:008C53A3 mov dword ptr [esi+1CA10h], 0
    ___:008C53AD mov dword ptr [esi+1CA14h], 0
    ___:008C53B7 movss dword ptr [ebp+var_10+4], xmm0
    ___:008C53BC movups xmm0, [ebp+var_10]
    ___:008C53C0 mov dword ptr [ebp+var_10+8], 3F000000h
    ___:008C53C7 mov dword ptr [ebp+var_10+0Ch], 3F800000h
    ___:008C53CE movups xmmword ptr [esi+1C9FCh], xmm0
    ___:008C53D5 movss xmm0, dword ptr [esi+1CE00h]
    ___:008C53DD mulss xmm0, dword_D0E9A8
    ___:008C53E5 movss dword ptr [ebp+var_10], xmm0
    ___:008C53EA movss xmm0, dword ptr [esi+1CE04h]
    ___:008C53F2 mulss xmm0, dword_D0E990
    ___:008C53FA mov dword ptr [esi+1CA2Ch], 3F800000h
    ___:008C5404 mov dword ptr [esi+1CA30h], 0
    ___:008C540E movss dword ptr [ebp+var_10+4], xmm0
    ___:008C5413 movups xmm0, [ebp+var_10]
    ___:008C5417 movups xmmword ptr [esi+1CA18h], xmm0
    ___:008C541E movss xmm0, dword ptr [esi+1CE00h]
    ___:008C5426 mulss xmm0, dword_D0E9A8
    ___:008C542E movss dword ptr [ebp+var_10], xmm0
    ___:008C5433 movss xmm0, dword ptr [esi+1CE04h]
    ___:008C543B mulss xmm0, dword_D0E9AC
    ___:008C5443 lea eax, [esi+1CA6Ch]
    ___:008C5449 mov dword ptr [esi+1CA48h], 3F800000h
    ___:008C5453 mov dword ptr [esi+1CA4Ch], 3F800000h
    ___:008C545D mov dword ptr [ebp+var_10+8], 3F000000h
    ___:008C5464 movss dword ptr [ebp+var_10+4], xmm0
    ___:008C5469 mov dword ptr [ebp+var_10+0Ch], 3F800000h
    ___:008C5470 movups xmm0, [ebp+var_10]
    ___:008C5474 push eax
    ___:008C5475 push 0FF000000h
    ___:008C547A movups xmmword ptr [esi+1CA34h], xmm0
    ___:008C5481 mov dword ptr [ebp+var_10+8], 3F000000h
    ___:008C5488 movss xmm0, dword ptr [esi+1CE00h]
    ___:008C5490 mulss xmm0, dword_D0E994
    ___:008C5498 mov dword ptr [ebp+var_10+0Ch], 3F800000h
    ___:008C549F push 15h

    Guerilla Event
    ___:008167D7 lea eax, [esi+31C8h]
    ___:008167DD mov dword ptr [esi+1EE0h], 3DA00000h
    ___:008167E7 push eax
    ___:008167E8 push 0
    ___:008167EA push 0
    ___:008167EC xorps xmm0, xmm0
    ___:008167EF mov dword ptr [esi+1EE4h], 3DD55555h
    ___:008167F9 push offset aInfGuerillaeve ; "Inf\\GuerillaEvent.tga"
    ___:008167FE movups xmmword ptr [eax], xmm0
    ___:00816801 push offset aMenu_0 ; "Menu"
    ___:00816806 movq qword ptr [eax+10h], xmm0
    ___:0081680B call sub_666B00
    ___:00816810 add esp, 14h
    ___:00816813 test eax, eax
    ___:00816815 jns short loc_81682D
    ___:00816817 lea eax, [ebp+var_5A4]
    ___:0081681D push offset aSf_frameSetr_1 ; "SF_Frame::SetResourceFail !!! file name"...
    ___:00816822 push eax
    ___:00816823 call edi ; wsprintfA
    ___:00816825 add esp, 8
    ___:00816828 jmp loc_817FB7
    ___:0081682D ; ---------------------------------------------------------------------------
    ___:0081682D
    ___:0081682D loc_81682D: ; CODE XREF: sub_814A30+1DE5j
    ___:0081682D mov dword ptr [ebp+var_20+8], 3F266666h
    ___:00816834 mov eax, dword ptr [ebp+var_20+8]
    ___:00816837 mov [esi+31D4h], eax
    ___:0081683D mov dword ptr [ebp+var_20+0Ch], 3F266666h
    ___:00816844 mov eax, dword ptr [ebp+var_20+0Ch]
    ___:00816847 mov dword ptr [esi+31CCh], 0
    ___:00816851 mov dword ptr [esi+31D0h], 42FC0000h
    ___:0081685B mov [esi+31D8h], eax
    ___:00816861 mov dword ptr [esi+31DCh], 0FFFFFFFFh
    ___:0081686B mov eax, dword_E269FC
    ___:00816870 cmp byte ptr [eax+0FC49h], 0
    ___:00816877 jz loc_8169EA
    ___:0081687D xorps xmm0, xmm0
    ___:00816880 mov byte ptr [ebp+var_20], 0
    ___:00816884 movq qword ptr [ebp+var_20+1], xmm0
    ___:00816889 mov dword ptr [ebp+var_20+9], 0
    ___:00816890 mov word ptr [ebp+var_20+0Dh], 0
    ___:00816896 mov byte ptr [ebp+var_20+0Fh], 0
    ___:0081689A cmp dword ptr [eax+0FC4Ch], 0
    ___:008168A1 jle loc_816934
    ___:008168A7 push 0Ah
    ___:008168A9 lea ecx, [ebp+var_20]
    ___:008168AC movq qword ptr [ebp+var_20], xmm0
    ___:008168B1 push ecx
    ___:008168B2 mov word ptr [ebp+var_20+8], 0
    ___:008168B8 push dword ptr [eax+0FC4Ch]
    ___:008168BE call sub_C162D8
    ___:008168C3 movups xmm0, xmmword_D0A6E4
    ___:008168CA add esp, 0Ch

Hoping someone here can guide us to which the correct game base, pointer and offset are.

If you need the unpacked exe file, I will upload it later. TIA
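The reason the tutorial addresses no longer line up is that every rebuild of the client moves the code and data around, so a hack keyed on fixed addresses breaks on the next patch. The usual fix is to match on a byte signature around a stable landmark (here, the GetDlgItemTextA call in the listing above) with the relocatable operands wildcarded, and then read the real addresses out of the match at runtime. The Python below is an added example, not code from this thread or from the tutorials it mentions. The test image is re-encoded by hand from the mnemonics in the listing (their lengths agree with the listing's address gaps, but it is an assumption that the real exe uses exactly these encodings; the IAT slot of the call is unknown and left as zero), and the signature is my own choice of bytes.

```python
import re
import struct
from typing import Optional

# Constructed test image: the GetDlgItemTextA wrapper from the listing above,
# re-encoded by hand from its mnemonics (assumption: standard MSVC encodings;
# the lengths match the listing's address gaps). Not a dump of the real exe.
IMAGE_BASE = 0x00B3E730
IMAGE = bytes.fromhex(
    "55"              # push ebp
    "8BEC"            # mov ebp, esp
    "83EC10"          # sub esp, 10h
    "A128B3E100"      # mov eax, dword_E1B328      (stack cookie)
    "33C5"            # xor eax, ebp
    "8945FC"          # mov [ebp+var_4], eax
    "8B4508"          # mov eax, [ebp+hDlg]
    "8D4DF0"          # lea ecx, [ebp+String]
    "6A0A"            # push 0Ah                   (cchMax)
    "51"              # push ecx                   (lpString)
    "6803040000"      # push 403h                  (nIDDlgItem)
    "0F57C0"          # xorps xmm0, xmm0
    "66C745F80000"    # mov word ptr [ebp+var_8], 0
    "50"              # push eax                   (hDlg)
    "660FD645F0"      # movq qword ptr [ebp+String], xmm0
    "FF1500000000"    # call [GetDlgItemTextA]     (IAT slot unknown, left 0)
    "8D45F0"          # lea eax, [ebp+String]
    "50"              # push eax
    "E866DA0C00"      # call sub_C0C1D2            (rel32 = C0C1D2h - B3E76Ch)
    "83C404"          # add esp, 4
    "8D48FF"          # lea ecx, [eax-1]
    "83F90B"          # cmp ecx, 0Bh
    "7713"            # ja short loc_B3E78C
    "A3549AE200"      # mov dword_E29A54, eax
    "B001"            # mov al, 1
)

# Signature: the call through the IAT, the helper call, the 1..12 length check
# and the global store that follows it. Relocatable operands are wildcarded so
# the pattern survives a rebuild where only addresses move.
SIGNATURE = ("FF 15 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 04 "
             "8D 48 FF 83 F9 0B 77 ?? A3 ?? ?? ?? ??")


def compile_pattern(sig: str) -> re.Pattern:
    """Turn an 'AA ?? BB' style signature into a bytes regex."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok in ("?", "??") else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(image: bytes, base: int, sig: str) -> Optional[int]:
    """Return the virtual address of the first match, or None if absent."""
    m = compile_pattern(sig).search(image)
    return None if m is None else base + m.start()


def resolve_from_signature(image: bytes, base: int) -> dict:
    """Locate the wrapper and decode the operands a hack actually needs."""
    hit = find_pattern(image, base, SIGNATURE)
    if hit is None:
        raise LookupError("signature not found: the build changed, re-derive it in IDA")
    off = hit - base
    # E8 rel32 at +10: target = VA of the next instruction + rel32
    call_va = hit + 10
    rel32 = struct.unpack_from("<i", image, off + 11)[0]
    helper = (call_va + 5 + rel32) & 0xFFFFFFFF
    # A3 moffs32 at +26: the absolute address of the global written on success
    global_va = struct.unpack_from("<I", image, off + 27)[0]
    return {"match": hit, "helper": helper, "global": global_va}


if __name__ == "__main__":
    result = resolve_from_signature(IMAGE, IMAGE_BASE)
    print({name: f"{va:08X}" for name, va in result.items()})
```

Run against the constructed image it reports the call at 00B3E75D, the helper sub_C0C1D2 and the global dword_E29A54, i.e. exactly the numbers in the listing, but the point is that the same signature keeps working on a fresh dump where those three numbers have changed. Run it over the unpacked section's bytes with that section's virtual base; if it stops matching, the compiler emitted different code and the pattern has to be re-derived from the new listing, which is the same work the tutorial authors did once for their build.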

#2 brixs (Threadstarter)
Bump, is there anyone who wants to help me?
