nice to know u fixed it but this is how i and many ppl do it:
hf
Code:
// Function pointer aimed at a fixed absolute address inside the game executable and
// cast to a three-argument __cdecl signature. Nothing here checks that a routine with
// this signature actually lives at 0x5F01A0: the address is only meaningful for the one
// executable image it was read from, and an unchecked cast like this silently produces
// a bad call (wrong argument count or convention) on any other build. The a1/a2 names
// are disassembler placeholders; what the engine expects in them is not established here.
void (*CG_SendConsoleCommand)(int a1,int a2,char *cvar) = (void (__cdecl *)(int,int,char *))0x5F01A0;//current offset
i've made a dll to inject into black ops. here's what i've got:
as you can see, im trying to get the dll to send an arbitrary command to the console, when i press f5. However, after injecting the dll, pressing f5 will crash the game. any ideas on how to fix this?
Code:
#include <windows.h>

// Calls whatever lives at the fixed address 0x0044de80, passing dCmd as the last of three
// stack arguments. The __asm block hand-rolls a cdecl call: three 4-byte PUSHes, CALL, then
// the caller pops 0x0C (12) bytes. The stack only balances if the target really is a
// three-argument cdecl routine; nothing here verifies that, and other replies in this thread
// give a different argument count for this very address, so verify against the disassembly.
// The absolute address is tied to one specific build of the executable.
// dCmd is a non-const char* but is always given a string literal below (a deprecated
// conversion in C++).
void SendCommandToConsole(char * dCmd) {
    DWORD dwCall = 0x0044de80;//address for sendcommandtoconsole function
    __asm {
        PUSH dCmd;        // third argument: the command string
        PUSH 0;           // second argument (meaning not established here)
        PUSH 0;           // first argument (meaning not established here)
        CALL dwCall;      // indirect call through the local that holds the address
        ADD ESP, 0x0C;    // caller-side cleanup: 3 arguments * 4 bytes
    }
}

// Thread body started from DllMain: polls the F5 key and fires the command once per press.
// GetAsyncKeyState's low bit is the documented "pressed since the previous call" flag, which
// is why `& 1` is used rather than testing the high bit.
// NOTE(review): `while (true)` never exits, so the Sleep(100) and `return 0` after it are
// unreachable and the loop spins at full CPU; the Sleep was presumably meant to sit inside
// the loop body.
DWORD WINAPI LoopFunction(LPVOID lpvoid) {
    while (true) {
        if (GetAsyncKeyState(VK_F5) & 1) {
            SendCommandToConsole("test command?");
        }
    }
    Sleep(100);
    return 0;
}

// DLL entry point. On process attach it switches off per-thread attach/detach notifications
// and starts the polling thread. The HANDLE returned by CreateThread is discarded and never
// closed. The thread is created while DllMain is still running under the loader lock;
// NOTE(review): confirm the new thread does nothing loader-sensitive before attach completes.
BOOL WINAPI DllMain(HMODULE hmodule, DWORD reason, LPVOID lpvoid) {
    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hmodule);
        CreateThread(0, 0, LoopFunction, 0, 0, 0);
    }
    return TRUE;
}
im not sure if this matters, but im using patch 1, SKIDROW version.
edit:
the offset was wrong; i updated it using the signatures provided by another forum member, but it's still broken
edit2:
i tried another way of sending command to console:
and i called the function like this:
Code:
// Function pointer to a fixed absolute address, cast to a three-argument __cdecl signature.
// The address is only meaningful for the one executable image it was read from, and the
// cast is unchecked: if the routine there does not take (int, int, char*) as cdecl, every
// call through this pointer can leave the stack unbalanced. The a1/a2 names come from the
// disassembler; what the engine expects in them is not established here.
void (*CG_SendConsoleCommand)(int a1,int a2,char *cvar) = (void (__cdecl *)(int,int,char *))0x5F01A0;//current offset
still crashes
Code:
// Call with both leading integer arguments set to zero. A later reply in this thread
// suggests 1 instead of 0 for them; neither value is verified here.
CG_SendConsoleCommand(0,0,"test command");
nice to know u fixed it but this is how i and many ppl do it:
hf
Code:
// Function pointer aimed at a fixed absolute address inside the game executable and
// cast to a three-argument __cdecl signature. Nothing here checks that a routine with
// this signature actually lives at 0x5F01A0: the address is only meaningful for the one
// executable image it was read from, and an unchecked cast like this silently produces
// a bad call (wrong argument count or convention) on any other build. The a1/a2 names
// are disassembler placeholders; what the engine expects in them is not established here.
void (*CG_SendConsoleCommand)(int a1,int a2,char *cvar) = (void (__cdecl *)(int,int,char *))0x5F01A0;//current offset
it hasn't been fixed; i just found out the offset was wrong, but after updating the offset it's still broken
CG_SendConsoleCommand(1,1,"cg_drawFPS 1"); just an example
edit1:
u can find SendConsoleCommand by searching for the "quit" string:
004EF9F6 |. 68 70FAA500 PUSH BlackOps.00A5FA70 ; ASCII "quit"
004EF9FB |. 56 PUSH ESI
004EF9FC |. E8 4F68FEFF CALL BlackOps.004D6250
004EFA01 |. 83C4 04 ADD ESP,4
004EFA04 |. 50 PUSH EAX
004EFA05 |. 56 PUSH ESI
004EFA06 |. E8 95071000 CALL BlackOps.005F01A0 <- SendConsoleCommand here
004EFA0B |. 83C4 0C ADD ESP,0C
u can either use the way i posted or just fix the function u posted. hope this helps
your offset wasnt wrong it was just the offset of another function
Code:
// Two-argument view of the routine at 0x44DE80. Other snippets in this thread call the same
// address with three arguments; both signatures cannot be right, so check the disassembly
// before trusting either. No calling convention is written into the typedef, so the
// compiler's default applies. The absolute address is specific to one build of the
// executable, and the cast below is unchecked.
typedef void (*SendConsoleCommand_)(int a1, char *command);
SendConsoleCommand_ SendConsoleCommand = (SendConsoleCommand_)0x44DE80;
i tried both of the offsets you provided me; it still doesn't work. maybe someone can get it to work? here is my entire solution folder:
you need to call this from inside a game engine function (EndFrame/RenderScene), if it works the same way as in cod4/mw2
so any idea on how to do that? im pretty experienced as a programmer, but i'm completely new to reverse engineering/hacking.
not true, you can also call this from inside hooked APIs or other engine functions
you still fucked it up in that base dude!
check what i posted, its not the same function!!
Code:
// Three-argument pointer to 0x0044de80 — yet the helper right below calls the same address
// with only two pushes, so at least one of these two views of the routine is wrong.
void (*CG_SendConsoleCommand)(int a1,int a2,char *cvar) = (void (__cdecl *)(int,int,char *))0x0044de80;//current offset

// Hand-rolled cdecl call: two 4-byte PUSHes (8 bytes of arguments) followed by
// ADD ESP, 0x0C (12 bytes), so ESP ends up 4 bytes too high after every call. The reply
// that quotes this snippet points this out; the cleanup has to match what was pushed.
// The absolute address is tied to one build of the executable.
void SendCommandToConsole(char * dCmd) {
    DWORD dwCall = 0x0044de80;//address for sendcommandtoconsole function
    __asm {
        PUSH dCmd;        // second argument: the command string
        PUSH 0;           // first argument (a later line suggests 1 instead of 0)
        CALL dwCall;      // indirect call through the local that holds the address
        ADD ESP, 0x0C;    // pops 12 bytes although only 8 were pushed
    }
}
and your asm is wrong: your stack cleanup isn't the right size (two 4-byte pushes have to be balanced with ADD ESP, 8, not 0x0C)
also i think you need to push 1 instead of 0
i dont understand how im supposed to hook the function. im assuming you put a jmp to my dll at the beginning of an engine function?
i found this on another site, but im still puzzled how to "hook" it
Code:
// Out-of-line definitions for the cEngine_t hook class. The class itself, the ENGINE /
// Obituary / LOG / aERROR globals and DetourFunction are declared elsewhere and are not
// visible in this snippet. Each hook optionally logs (COD5BOT_DEBUG builds) and then
// forwards to the saved original through an orig_* member that HooK() fills in.
void _cdecl cEngine_t::RegisterTags( ) {
    //Register your tags here
#ifdef COD5BOT_DEBUG
    LOG.Log ( "[DEBUG_LOG] cEngine_t::RegisterTags( )","Hooked");
#endif
    ENGINE.orig_RegisterTags( );    // forward to the original routine
}

void _cdecl cEngine_t::ClientFrame( ) {
    //Draw your rendering functions here
#ifdef COD5BOT_DEBUG
    LOG.Log ( "[DEBUG_LOG] cEngine_t::ClientFrame( )","Hooked");
#endif
    ENGINE.orig_ClientFrame( );     // forward to the original routine
}

void _cdecl cEngine_t::ShoutDown( ) {
    // EAX is saved on entry and restored just before forwarding — presumably the original
    // receives a value in EAX that the logging call in between would clobber.
    // TODO(review): confirm against the hooked routine's actual calling convention.
    void * clDo = NULL;
    __asm mov clDo, eax
    //Do detour removes here or save your latest configs
#ifdef COD5BOT_DEBUG
    LOG.Log ( "[DEBUG_LOG] cEngine_t::ShoutDown( )","Hooked");
#endif
    __asm mov eax, clDo
    ENGINE.orig_ShoutDown( );       // forward to the original routine
}

void _cdecl cEngine_t::CG_Init( int serverMessageNum, int serverCommandSequence, int clientNum, int unk ) {
    //Register your shaders here
#ifdef COD5BOT_DEBUG
    LOG.Log ( "[DEBUG_LOG] cEngine_t::CG_Init( int serverMessageNum, int serverCommandSequence, int clientNum, int unk)","Hooked");
#endif
    ENGINE.orig_CG_Init( serverMessageNum, serverCommandSequence, clientNum, unk );   // pass all four args through unchanged
}

void _cdecl cEngine_t::CL_Init( ) {
    //Register your fonts here
#ifdef COD5BOT_DEBUG
    // NOTE(review): as posted, the next line is missing its closing quote and parenthesis
    // and will not compile; the other hooks show the intended LOG.Log(msg, "Hooked") form.
    LOG.Log ( "[DEBUG_LOG] cEngine_t::CL_Init( ), "Hooked";
#endif
    ENGINE.orig_CL_Init( );         // forward to the original routine
}

// Unlike the other hooks this one never forwards to an original (HooK() stores no orig_
// pointer for it), so while the detour is installed the hooked routine's own body never runs.
void _cdecl cEngine_t::CG_FireWeaponRecoil( int a1, int a2, signed int a3, __int16 a4, unsigned int a5, int a6 ) {
    //do a sound or whatever
#ifdef COD5BOT_DEBUG
    LOG.Log ( "[DEBUG_LOG] cEngine_t::CG_FireWeaponRecoil( int a1, int a2, signed int a3, __int16 a4, unsigned int a5, int a6 )","Hooked");
#endif
}

// Installs the detours when ENGINE.isOn == 1. DetourFunction's return value is never assigned
// in C++; instead each `__asm MOV [x.orig_*], EAX` copies whatever EAX holds right after the
// call — presumably that return value, i.e. the trampoline to the displaced original code.
// That only works if the compiler emits nothing that touches EAX between the call and the
// __asm; assigning the return value directly (`orig = DetourFunction(...)`) would not depend
// on that. Every target is a fixed absolute address valid for one build only, and no
// DetourFunction result is checked for failure.
DWORD WINAPI cEngine_t::HooK( LPVOID ) {
    aERROR.EnableHandler( );        // error handler (declared elsewhere) is armed first
    if( ENGINE.isOn == 1 ) {
        DetourFunction( ( PBYTE )0x592140, ( PBYTE )&ENGINE.CL_Init );
        __asm MOV [ ENGINE.orig_CL_Init ], EAX;
        DetourFunction( ( PBYTE )0x457A30, ( PBYTE )&ENGINE.CG_Init );
        __asm MOV [ ENGINE.orig_CG_Init ], EAX;
        DetourFunction( ( PBYTE )0x548D30, ( PBYTE )&ENGINE.RegisterTags );
        __asm MOV [ ENGINE.orig_RegisterTags ], EAX;
        DetourFunction( ( PBYTE )0x43A550, ( PBYTE )&ENGINE.ClientFrame );
        __asm MOV [ ENGINE.orig_ClientFrame ], EAX;
        DetourFunction( ( PBYTE )0x4807A0, ( PBYTE )&ENGINE.CG_FireWeaponRecoil );   // no orig_ saved: see CG_FireWeaponRecoil
        DetourFunction( ( PBYTE )0x44B390, ( PBYTE )&Obituary.CG_Obituary );
        __asm MOV [ Obituary.orig_CG_Obituary ], EAX;
        DetourFunction( ( PBYTE )0x49D150, ( PBYTE )&ENGINE.ShoutDown );
        __asm MOV [ ENGINE.orig_ShoutDown ], EAX;
        LOG.Log ( "HooK","is: Enable" );
    } else {
        LOG.Log ( "HooK","is: Disable" );
    }
    return 0;
}
jep that is how you do it, with detours