  1. #16
    TheSyndicate
    I don't want to release the information because people that don't understand how this works will abuse it, but if you're smart enough with Cheat Engine, you can figure out how to turn on the Scout's Oracle forever and essentially "see through walls." Nobody on your team sees it, but you still get the +25 points for Oracle assists for every person you highlight but don't kill. It's also located in AI_CLASS_PCClient_R.

  2. #17
    featermouse27
    How do you use it? I am new to hacking, I don't know how. I think I did it once for Combat Arms but I was not sure because I did not know what to look for, so my question is: how do you hack?

    ---------- Post added at 10:56 PM ---------- Previous post was at 10:37 PM ----------

    I won't. I really want to know, there's no point playing online if you don't know, because damn near everybody does it.
    Just show or teach me, I won't tell nobody. I might forget anyway after I do it.


  3. #18
    TheSyndicate
    The recent patch has changed the offsets, as is expected. I'm about to write a DLL that can be injected to give infinite oracle and infinite blitz for the scout / assault classes. I might look into some other stuff like chams and what not but, I doubt it.

    Edit: If anyone knows how to determine the base address of a loaded DLL, that'd be great.

    Edit 2: I found what controls the player coordinates and I've been able to make a "skywalker" cheat (for those of you who used to play Socom). It's really neat being able to walk on the sky and get to places nobody's been before. I'm investigating how to make a "jump" code (hold a button to rise into the air) as I type this, but it's strange code to fiddle with.
    Last edited by TheSyndicate; 02-22-2013 at 05:58 PM.

  4. #19
    zlyczit
    Quote Originally Posted by TheSyndicate View Post
    I don't want to release the information because people that don't understand how this works will abuse it, but if you're smart enough with Cheat Engine, you can figure out how to turn on the Scout's Oracle forever and essentially "see through walls." Nobody on your team sees it, but you still get the +25 points for Oracle assists for every person you highlight but don't kill. It's also located in AI_CLASS_PCClient_R.
    Only thing I found so far is how to do norecoil and nospread (in CE - dissect code and look for recoil in referenced strings - the complete write up was posted here some time ago but now it's deleted). Interesting thing - critical hit is based on the spread. With nospread you get your maximum critical chance (for particular weapon) permanently. I've tried to change critical value with CE by the way but it seems to be protected by the game. I'm quite sure I tracked down the base pointer. Could you share some details how to find the oracle timer or whatever it is that controls it TheSyndicate? Some hint maybe? I would like to learn something new.

    As for abusing the cheats... Honestly I rarely see clean players in GRO. Around 70% is using nospread&norecoil.

  5. #20
    quelo
    TheSyndicate, can you give a video? How far are you? Can you make this?

  6. #21
    TheSyndicate
    Quote Originally Posted by quelo View Post
    TheSyndicate, can you give a video? How far are you? Can you make this? [Video_Removed]
    Hi. I can't even tell what's going on in the video, to be honest, but with the "skywalker" cheat, I've been able to get inside objects / onto non-accessible solid buildings in the distance. I haven't done much research with the coordinates I've found but I've discovered that they're controlled by vectors. I think with where I'm at I'll be able to create some neat things dealing with coordinates, I just have to spend the time figuring out how to do so. A lot of stuff is controlled by the server like your health, ammo, grenades, etc. You can modify your weapon ammo to be 99, but you'll still reload when the server knows you need to do so. I've been able to remove all writes to the player health but the server still keeps track and you die when enough damage has been dealt.

    Everything I've found can be located using simple searches and trace backs with CheatEngine. I'll be looking into some teleportation stuff today. I really wish the distance to the shot was updated when zooming in. You know, like 50m, 60m, 100m, etc. Then I could make a "Zoom Teleport" cheat.

    Edit: I wrote a C++ application to make the cheating process a little easier. I need to figure out how to enumerate the base address of different DLLs to really make it shine. I'll be looking into more advanced stuff later this evening.
    Last edited by TheSyndicate; 02-23-2013 at 02:45 PM.

  7. #22
    Mywk
    Mate, I got to ask, what have you searched for to override the skills' time cooldown?
    I tried with oracle, searching for the time; freezing it won't do. I also tried to check what writes to that address, no help at all.
    I also tried searching for 1 when the skill is up and 0 when it is not, or changed value and turning it on and off. I get about 4 values but they are of no use and not related to AI_CLASS_PCClient_R.

    I'm a lowbie reverser so just a bit of help will be really appreciated.

    -- Edit: By Nop'ing some functions I'm able to see the enemies' positions by tricking the game into thinking they are on my team, therefore revealing their positions, but it's a really bad method since I stop seeing close-by team-mates.


    Yup, it blows, but it works, plus I got to change the values back to their original before the game ends or it crashes, and it always says I have low health even if not, eheh
    Last edited by Mywk; 02-23-2013 at 09:01 PM.

  8. #23
    TheSyndicate
    Quote Originally Posted by zlyczit View Post
    Only thing I found so far is how to do norecoil and nospread (in CE - dissect code and look for recoil in referenced strings - the complete write up was posted here some time ago but now it's deleted). Interesting thing - critical hit is based on the spread. With nospread you get your maximum critical chance (for particular weapon) permanently. I've tried to change critical value with CE by the way but it seems to be protected by the game. I'm quite sure I tracked down the base pointer. Could you share some details how to find the oracle timer or whatever it is that controls it TheSyndicate? Some hint maybe? I would like to learn something new.

    As for abusing the cheats... Honestly I rarely see clean players in GRO. Around 70% is using nospread&norecoil.
    I was under the assumption the server controls critical hit % because I've had mine at 99% with no spread at one point but I don't think it did much in terms of damage. Weapon modifications aren't that big a deal to me though. I have to admit, my "infinite oracle" isn't as straightforward as it sounds in technical terms, but it works the same way. Essentially, your power boost status is either set to "activate" or "de-activate." You can find that boolean by searching on and off. But, you don't simply change it to a 0x01. You have to trace back by finding what writes to the address (I think there are two main addresses, one that writes 0x00 and another that writes 0x01, look for the one that writes 0x00). Once you do, there will be some jumps really close to where you end up (you don't have to go far at all, trust me). Modify the jumps and you'll see that they affect the way your power boost works. Change the "Jne" to "Je" and then turn on your oracle, then turn it off. It'll keep going forever. It's a static offset, so once you find where the JNE is, all you need to do to find it next time is look at the base address of AI_Class_PCClient_R > AIBootClass_DLL and add the offset.

    If you have any trouble maybe I can help you out via PM.

    Quote Originally Posted by Mywk View Post
    Mate, I got to ask, what have you searched for to override the skills' time cooldown?
    I tried with oracle, searching for the time; freezing it won't do. I also tried to check what writes to that address, no help at all.
    I also tried searching for 1 when the skill is up and 0 when it is not, or changed value and turning it on and off. I get about 4 values but they are of no use and not related to AI_CLASS_PCClient_R.

    I'm a lowbie reverser so just a bit of help will be really appreciated.

    -- Edit: By Nop'ing some functions I'm able to see the enemies' positions by tricking the game into thinking they are on my team, therefore revealing their positions, but it's a really bad method since I stop seeing close-by team-mates.


    Yup, it blows, but it works, plus I got to change the values back to their original before the game ends or it crashes, and it always says I have low health even if not, eheh
    You're on the right track with searching 0x00 and 0x01. See my above quote for more information. That's a pretty slick little trick to seeing enemy positions. I've been trying to figure out how to find enemy coordinates / positions. I'd love to try to find a way in-game to make them show up as opposed to trying to write chams and all that.

    I'll make a little video showing some of the stuff I've been working on.

    Edit: The video I made was far too laggy. I'll download FRAPS and do it again later. I honestly need to start working on an in-game menu because the separate C++ trainer takes far too long to fiddle with.
    Last edited by TheSyndicate; 02-24-2013 at 09:52 AM.

  9. #24
    Mywk
    @TheSyndicate I'll try playing around with that. As for chams and others, I'd say it's better to make an External one, since it seems the game will sooner or later have a protection (like PB or something), so it would be much better (search for MW3 External ESP Source Code and you will find an awesome project to play with).

    In my "trick", I think the only thing I did was to prevent the game from connecting the players from the other team to mine, or the data to be connected, therefore writing them as if they were from my own team, even if it's not the best way to do it and it may crash the game it is indeed the easiest one :P

    -- Edit: Since you want to play with memory and not with chams, just find out what writes the game interface, I can't help much since, even if I know a lot about several programming languages, I'm a lowbie reverser.

    Got this from checking what writes the HP but it is used by a lot of functions:
    add [esi+4C],ebp
    mov ecx,[esi+18]
    mov eax,[esi+54]

    It is part of what writes the game interface during a match. If you want to try to do what I did and find out a bit more you could just follow the instructions; anyway, to do what I did just change the esi+18 to esi+16 (or any number below 18).

    I got to ask, are you strictly using Cheat Engine or a debugger like Olly or a disassembler like IDA?

    -- Edit2: Could you post the sequence of instructions that come before the JNE? I found several and changing them did nothing!
    The instructions from the address are: INC when activate and DEC when deactivate or am I in the wrong address?

    -- Edit3: Still having trouble with the JNE, will be really thankful if you tell me the set of instructions that come before the JNE
    Last edited by Mywk; 02-24-2013 at 04:58 PM.

  10. #25
    TheSyndicate
    Quote Originally Posted by Mywk View Post
    @TheSyndicate In my "trick", I think the only thing I did was to prevent the game from connecting the players from the other team to mine, or the data to be connected, therefore writing them as if they were from my own team, even if it's not the best way to do it and it may crash the game it is indeed the easiest one :P
    Could you tell me the general location for what you're modifying to have a way of seeing the enemies locations?

    Quote Originally Posted by Mywk
    I got to ask, are you strictly using Cheat Engine or a debugger like Olly or a disassembler like IDA?

    -- Edit2: Could you post the sequence of instructions that come before the JNE? I found several and changing them did nothing!
    The instructions from the address are: INC when activate and DEC when deactivate or am I in the wrong address?

    -- Edit3: Still having trouble with the JNE, will be really thankful if you tell me the set of instructions that come before the JNE
    I'm only using CheatEngine. I'm not really good at using IDA or any of that. I don't know much about hacking PC games to be honest with you. I used to hack PSP games way back in the day so I used to work with a lot of MIPS. I should probably try to get used to IDA, eh?

    Search for 0x01 when you're using your boost, search for 0x00 when you aren't. You'll know it's right if you set it to 01 and it activates then immediately de-activates. Find what writes to that and go from there.

  11. #26
    Mywk
    @TheSyndicate Search for player HP, 100 when full health and 0 when dead (it is not the same as in-game, it's a percentage), check what writes it, then you will find this piece of code in one of them:
    add [esi+4C],ebp
    mov ecx,[esi+18]
    mov eax,[esi+54]

    Change the esi+18 to esi+anyNumber and after you get killed you will see the enemies like that.
    You can also, instead, nop the add [esi+4C],ebp and you will have a totally different kind of ESP, but it includes allies and enemies.

    Regarding the Oracle, I did that, found the value that instantly changes to 0 and 1 (2 different values, and two more that change after some seconds of deactivation). Thing is, I can't find the right JNE. Could you show me some instructions that are before or after the JNE you usually change?

    To be honest I don't really know how to use IDA correctly; for cracks I use Olly and for game hacking I use Cheat Engine.
    No good tutorials or books available on how to use IDA, or if there are I can't seem to find anything decent!

    -- Edit: To show you how the kind-of-ESP looks if you nop add [esi+4C],ebp


    It looks dummy and also shows people from your team.
    Last edited by Mywk; 02-24-2013 at 06:56 PM.

  12. #27
    TheSyndicate
    Quote Originally Posted by Mywk View Post
    @TheSyndicate Search for player HP, 100 when full health and 0 when dead (it is not the same as in-game, it's a percentage), check what writes it, then you will find this piece of code in one of them:
    add [esi+4C],ebp
    mov ecx,[esi+18]
    mov eax,[esi+54]

    Change the esi+18 to esi+anyNumber and after you get killed you will see the enemies like that.
    You can also, instead, nop the add [esi+4C],ebp and you will have a totally different kind of ESP, but it includes allies and enemies.

    Regarding the Oracle, I did that, found the value that instantly changes to 0 and 1 (2 different values, and two more that change after some seconds of deactivation). Thing is, I can't find the right JNE. Could you show me some instructions that are before or after the JNE you usually change?

    To be honest I don't really know how to use IDA correctly; for cracks I use Olly and for game hacking I use Cheat Engine.
    No good tutorials or books available on how to use IDA, or if there are I can't seem to find anything decent!

    -- Edit: To show you how the kind-of-ESP looks if you nop add [esi+4C],ebp


    It looks dummy and also shows people from your team.
    It would seem you've stumbled upon the aspect of the game that does most of the drawing. I've achieved some interesting effects while playing around in that area, but the coolest part is seeing everyone's location. We need to go deeper with that function. I was able to remove the draw lines that connect myself to my teammates. I'm sure we can find a better way to show enemy locations + put together a cheat to draw lines to the enemy players as well.

    As for the infinite oracle, it's AI_Class_PCClient_R > AIBootClass_DLL + 0x90477

    I don't understand why one line of code would control so much, but such seems to be the case. I wish I had more time to RE.
    Last edited by TheSyndicate; 02-24-2013 at 08:19 PM.

  13. #28
    Mywk
    @TheSyndicate That, in theory, should be something like this: Check what uses those drawing functions, then inside one of them there must be a place where the game enumerates all players and checks who belongs to each team. To do a memory "wallhack" we would just need to make other players be tagged as our own team and draw them, so that MUST have something to do with this -> mov ecx,[esi+18]

    I finally found the JNE you were talking about, after all I was not even close to it, still wondering how the hell you get there! I got it working!

    Let me know if you find anything new regarding the functions that write the interface

    -- Edit: The whole team sees it, need to find a way around that and to remove those +25 ^^
    Last edited by Mywk; 02-25-2013 at 01:34 PM.

  14. #29
    TheSyndicate
    Quote Originally Posted by Mywk View Post
    @TheSyndicate That, in theory, should be something like this: Check what uses those drawing functions, then inside one of them there must be a place where the game enumerates all players and checks who belongs to each team. To do a memory "wallhack" we would just need to make other players be tagged as our own team and draw them, so that MUST have something to do with this -> mov ecx,[esi+18]

    I finally found the JNE you were talking about, after all I was not even close to it, still wondering how the hell you get there! I got it working!

    Let me know if you find anything new regarding the functions that write the interface

    -- Edit: The whole team sees it, need to find a way around that and to remove those +25 ^^
    From my experience, the whole team doesn't see it. I could be wrong, but I've never had anyone ask or mention it while I was playing. I think the +25 is calculated on the client machine, not the server. Maybe we can find where that +25 is calculated, if you know what I mean.

    On the other hand, I still don't understand why that one line is going to control so much stuff. Because ESI is constantly changing, we probably need to trace backward / higher to locate what's determining who is and isn't on our team. It still doesn't make a whole lot of sense that one minor modification leads to revealing everyone's location, though...
    Last edited by TheSyndicate; 02-25-2013 at 03:10 PM.

  15. #30
    Mywk
    @TheSyndicate I'm playing with a friend and he says it's possible to see them the whole time in front of me. It works with any skill.
    Last edited by Mywk; 02-25-2013 at 04:23 PM.
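
The posts above note that health and ammo stay correct because the server tracks them, while the ability timer and its +25 assist bonus appear to be decided on the client. As an added example (not code from the thread or from the game; the class names, duration and cooldown values are assumptions), a server-side tracker that owns the ability window and scores assists from its own clock:

```cpp
#include <cstdint>
#include <cstdio>
#include <unordered_map>

// Hypothetical rules for one timed ability; only assist_points (+25) comes from the thread.
struct AbilityRules {
    int64_t duration_ms;   // how long one activation stays live (assumed value)
    int64_t cooldown_ms;   // wait after the ability expires (assumed value)
    int     assist_points; // bonus for an assist scored while the ability is live
};

// Server-authoritative ability state: the client can request, never decide.
class AbilityTracker {
public:
    explicit AbilityTracker(AbilityRules r) : rules_(r) {}

    // Accept an activation request only if the previous window and cooldown have passed.
    bool try_activate(uint32_t player, int64_t now_ms) {
        auto it = start_.find(player);
        if (it != start_.end() &&
            now_ms - it->second < rules_.duration_ms + rules_.cooldown_ms)
            return false;
        start_[player] = now_ms;
        return true;
    }

    // Live means: the server saw an activation and its window has not elapsed.
    bool is_active(uint32_t player, int64_t now_ms) const {
        auto it = start_.find(player);
        return it != start_.end() && now_ms >= it->second &&
               now_ms - it->second < rules_.duration_ms;
    }

    // The client's own "ability is on" flag never grants points; a flag that
    // disagrees with server state is counted for anti-cheat review.
    int score_assist(uint32_t player, int64_t now_ms, bool client_claims_active) {
        bool active = is_active(player, now_ms);
        if (client_claims_active && !active) ++mismatch_[player];
        return active ? rules_.assist_points : 0;
    }

    int mismatches(uint32_t player) const {
        auto it = mismatch_.find(player);
        return it == mismatch_.end() ? 0 : it->second;
    }

private:
    AbilityRules rules_;
    std::unordered_map<uint32_t, int64_t> start_;   // last accepted activation time
    std::unordered_map<uint32_t, int> mismatch_;    // client/server disagreements
};

int main() {
    AbilityRules rules{8000, 30000, 25};            // constructed sample values
    AbilityTracker t(rules);
    t.try_activate(7, 1000);
    std::printf("in window:  %d\n", t.score_assist(7, 5000, true));
    std::printf("after end:  %d\n", t.score_assist(7, 60000, true));
    std::printf("mismatches: %d\n", t.mismatches(7));
    return 0;
}
```

With this split, a client that keeps its local flag set forever earns nothing after the server-side window closes, and each late claim leaves a counter the operator can alert on.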

