  1. #46
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    Fantastic tutorial! I was just wondering how I would send a command to the console on zombies. They took away the console so you can't use it anymore... Anyways, if you look at the strings, there are commands like god, giveall, ufo etc. But no MOV or anything like that, just a Call. I know call means to call the address or function but how would I put that in Cheat Engine or Visual Studio?
    Code:
            [DllImport("kernel32.dll")]
            private static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
            [DllImport("kernel32.dll", SetLastError=true, ExactSpelling=true)]
            private static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
            [DllImport("kernel32.dll", SetLastError=true, ExactSpelling=true)]
            private static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
            [DllImport("kernel32.dll")]
            private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, [Out] int lpNumberOfBytesWritten);
    Code:
    public void Send(string cmd)
    {
        try
        {
            Process[] processesByName = Process.GetProcessesByName("t6zm");
            if (Process.GetProcessesByName("t6mp").Length != 0)
            {
                this.callBytes = BitConverter.GetBytes(0x5c6f10);
            }
            else if (processesByName.Length != 0)
            {
                this.callBytes = BitConverter.GetBytes(0x6b9d20);//Change this to the call address you found
            }
            if (cmd == null)
            {
                MessageBox.Show("Please type in a cmd before pressing <Send>.", "Error", MessageBoxButtons.OK);
            }
            if (_cBuf_addTextFuncAddress == IntPtr.Zero)
            {
                IntPtr ptr;
                _cBuf_addTextFuncAddress = VirtualAllocEx(ProcessHandle, IntPtr.Zero, (uint) Stubs.WrapperTocBuf_AddText.Length, 0x3000, 0x40);
                this.cmdBytes = Encoding.ASCII.GetBytes(cmd + '\0');
                cmdAddress = VirtualAllocEx(ProcessHandle, IntPtr.Zero, (uint) this.cmdBytes.Length, 0x3000, 0x40);
                int lpNumberOfBytesWritten = 0;
                WriteProcessMemory(ProcessHandle, cmdAddress, this.cmdBytes, (uint) this.cmdBytes.Length, lpNumberOfBytesWritten);
                Array.Copy(BitConverter.GetBytes(cmdAddress.ToInt32()), 0, Stubs.WrapperTocBuf_AddText, 9, 4);
                Array.Copy(this.callBytes, 0, Stubs.WrapperTocBuf_AddText, 0x10, 4);
                WriteProcessMemory(ProcessHandle, _cBuf_addTextFuncAddress, Stubs.WrapperTocBuf_AddText, (uint) Stubs.WrapperTocBuf_AddText.Length, lpNumberOfBytesWritten);
                CreateRemoteThread(ProcessHandle, IntPtr.Zero, 0, _cBuf_addTextFuncAddress, IntPtr.Zero, 0, out ptr);
                if ((_cBuf_addTextFuncAddress != IntPtr.Zero) && (cmdAddress != IntPtr.Zero))
                {
                    VirtualFreeEx(ProcessHandle, _cBuf_addTextFuncAddress, (UIntPtr) Stubs.WrapperTocBuf_AddText.Length, 0x8000);
                    VirtualFreeEx(ProcessHandle, cmdAddress, (UIntPtr) this.cmdBytes.Length, 0x8000);
                }
                _cBuf_addTextFuncAddress = IntPtr.Zero;
            }
        }
        catch (ArgumentNullException)
        {
        }
    }
    Code:
     private void button1_Click(object sender, EventArgs e)
    {
        Process[] processesByName = Process.GetProcessesByName("t6zm");
        Process[] processArray2 = Process.GetProcessesByName("t6mp");
        byte[] NOPBuffer = new byte[] { 0x90, 0x90 };
        if (processArray2.Length != 0)
        {
            if (ProcessID != processArray2[0].Id)
            {
                ProcessID = processArray2[0].Id;
                ProcessHandle = OpenProcess(0x1f0fff, false, ProcessID);
                WriteProcessMemory(ProcessHandle, 0x8c923a, NOPBuffer, (uint) NOPBuffer.Length, 0);
            }
            Send(textBox1.Text);
        }
        else if (processesByName.Length != 0)
        {
            if (ProcessID != processesByName[0].Id)
            {
                ProcessID = processesByName[0].Id;
                ProcessHandle = OpenProcess(0x1f0fff, false, ProcessID);
                WriteProcessMemory(ProcessHandle, 0x8c7e7a, NOPBuffer, (uint) NOPBuffer.Length, 0);
            }
            Send(textBox1.Text);
        }
    }
    MP addresses are up to date, but ZM aren't, so yea, you'll have to replace them.
    Thanks to barata for the console source.
    Last edited by Lovroman; 07-09-2014 at 08:50 AM.
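
For defenders, the sequence in Send() (OpenProcess with 0x1f0fff, VirtualAllocEx with 0x3000/0x40, WriteProcessMemory, CreateRemoteThread) is the classic remote-thread injection pattern. The following is an added example, not part of the original post: detection logic that correlates Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records. The sample records, image paths and PIDs are constructed, and treating a StartModule of "-" or empty as "start address outside any loaded module" is an assumption about the log shape.

```python
from datetime import datetime, timedelta

# Access rights (winnt.h) that the alloc/write/thread sequence needs on the target.
PROCESS_CREATE_THREAD = 0x0002   # CreateRemoteThread
PROCESS_VM_OPERATION = 0x0008    # VirtualAllocEx / VirtualFreeEx
PROCESS_VM_WRITE = 0x0020        # WriteProcessMemory
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed Sysmon-style records: EventID 10 = ProcessAccess,
# EventID 8 = CreateRemoteThread. Paths, PIDs and times are made up.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:01.100", "SourceProcessId": 4120,
     "SourceImage": r"C:\Tools\sender.exe", "TargetProcessId": 5300,
     "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:01.400", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetProcessId": 5300,
     "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1410"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:02.250", "SourceProcessId": 4120,
     "SourceImage": r"C:\Tools\sender.exe", "TargetProcessId": 5300,
     "TargetImage": r"C:\Games\game.exe", "StartAddress": "0x0000000003A10000",
     "StartModule": "-"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_remote_thread_injection(events, window=timedelta(seconds=10)):
    """Alert when a handle carrying all INJECT_MASK rights is followed, within
    `window`, by a remote thread whose start address is in no loaded module."""
    opened = {}   # (source pid, target pid) -> time of the qualifying open
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            if (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK:
                opened[key] = _ts(ev)
        elif ev["EventID"] == 8 and key in opened:
            unbacked = ev.get("StartModule", "-") in ("", "-")
            if unbacked and _ts(ev) - opened[key] <= window:
                alerts.append({"source": ev["SourceImage"],
                               "target": ev["TargetImage"],
                               "start_address": ev["StartAddress"]})
    return alerts

if __name__ == "__main__":
    for alert in find_remote_thread_injection(SAMPLE_EVENTS):
        print(alert)
```

Matching on the three rights rather than on the literal 0x1F0FFF also catches callers that request only what the sequence needs; the read-only 0x1410 handle in the sample is ignored.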

  3. #47
    Tester9000
    Great stuff right there! Just one more question. Let's say I wanted to turn the lagometer on (I don't really care but it just falls as a good example). In the picture there is a call for lagometer but nothing else. I was just wondering how you would pull an address out of that or anything? Such like BlackOps.exe+HexNumbers. I know I could also just send the command "lagometer 1" but I'm trying this for future occurrences. Also OllyDBG crashes MP every time before I can get any Dvars, or it just doesn't pick them up at all.

    -Sorry for download, it won't let me post the actual picture....
    Attached thumbnail: Picture1.png

    Last edited by Tester9000; 07-09-2014 at 10:35 AM.

  4. #48
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    Great stuff right there! Just one more question. Let's say I wanted to turn the lagometer on (I don't really care but it just falls as a good example). In the picture there is a call for lagometer but nothing else. I was just wondering how you would pull an address out of that or anything? Such like BlackOps.exe+HexNumbers. I know I could also just send the command "lagometer 1" but I'm trying this for future occurrences. Also OllyDBG crashes MP every time before I can get any Dvars, or it just doesn't pick them up at all.

    -Sorry for download, it won't let me post the actual picture....
    If I'm not wrong, the lagometer DVAR is cg_drawLagometer, so you should take another screenie..

  5. #49
    Tester9000
    I know that, setting dvars via console or config isn't the case here though. I was just wondering if you could pull an address out of the call function, or some way call it again to toggle it.

  6. #50
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    I know that, setting dvars via console or config isn't the case here though. I was just wondering if you could pull an address out of the call function, or some way call it again to toggle it.
    From this function, you, most likely, won't be able to get an address (which you could use to enable lagometer) because this function registers shaders (tracer, icons, lagometer.. all of them sound like names of shaders)..
    I'm not 100% sure about what kind of function you're talking about, so you should find another example..

  7. #51
    Tester9000
    Ohhh...I see what you're talking about, you're right the lagometer example was a terrible example, not even the right dvar, like you said. Sooo sorry. Lemme find another picture. Also do you still play BO1 for pc? If we add each other we don't have to cloud up the forum with my stupid questions.

  8. #52
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    Ohhh...I see what you're talking about, you're right the lagometer example was a terrible example, not even the right dvar, like you said. Sooo sorry. Lemme find another picture. Also do you still play BO1 for pc? If we add each other we don't have to cloud up the forum with my stupid questions.
    Sometimes I do, but I don't play it a lot..
    Yea, you can add me on Steam.

  9. #53
    Tester9000
    Quote Originally Posted by Lovroman View Post


    Sometimes I do, but I don't play it a lot..
    Yea, you can add me on Steam.
    Code:
    004AF9AC  |. 68 68729A00    PUSH BlackOps.009A7268                   ;  ASCII "god"
    004AF9B1  |. 52             PUSH EDX
    004AF9B2  |. E8 39320A00    CALL BlackOps.00552BF0
    004AF9B7  |. 83C4 08        ADD ESP,8
    004AF9BA  |. 85C0           TEST EAX,EAX
    004AF9BC  |. 75 12          JNZ SHORT BlackOps.004AF9D0
    004AF9BE  |. 56             PUSH ESI
    004AF9BF  |. E8 BC681900    CALL BlackOps.00646280
    004AF9C4  |. 83C4 04        ADD ESP,4
    004AF9C7  |. 5F             POP EDI
    004AF9C8  |. 5E             POP ESI
    004AF9C9  |. 81C4 44040000  ADD ESP,444
    004AF9CF  |. C3             RETN
    004AF9D0  |> 8D4424 4C      LEA EAX,DWORD PTR SS:[ESP+4C]
    This is all of the "god" command section, now in your post of code, there is a line that states:
    this.callBytes = BitConverter.GetBytes(0x6b9d20);//Change this to the call address you found
    There is no MOV in this section, just some calls, pushes, and jumps.
    Where would I pull out the address in this?
    PS: Same name?
    Last edited by Tester9000; 07-09-2014 at 05:03 PM.

  10. #54
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    Code:
    004AF9AC  |. 68 68729A00    PUSH BlackOps.009A7268                   ;  ASCII "god"
    004AF9B1  |. 52             PUSH EDX
    004AF9B2  |. E8 39320A00    CALL BlackOps.00552BF0
    004AF9B7  |. 83C4 08        ADD ESP,8
    004AF9BA  |. 85C0           TEST EAX,EAX
    004AF9BC  |. 75 12          JNZ SHORT BlackOps.004AF9D0
    004AF9BE  |. 56             PUSH ESI
    004AF9BF  |. E8 BC681900    CALL BlackOps.00646280
    004AF9C4  |. 83C4 04        ADD ESP,4
    004AF9C7  |. 5F             POP EDI
    004AF9C8  |. 5E             POP ESI
    004AF9C9  |. 81C4 44040000  ADD ESP,444
    004AF9CF  |. C3             RETN
    004AF9D0  |> 8D4424 4C      LEA EAX,DWORD PTR SS:[ESP+4C]
    This is all of the "god" command section, now in your post of code, there is a line that states:
    this.callBytes = BitConverter.GetBytes(0x6b9d20);//Change this to the call address you found
    There is no MOV in this section, just some calls, pushes, and jumps.
    Where would I pull out the address in this?
    PS: Same name?
    You aren't looking for a MOV, you're looking for a call.
    Search for a few other console functions/DVARs like restart, record, ... and if you find one of these calls, then it, most likely, is the call that you're looking for.
    PS:lovroman2
    :]

  11. #55
    Tester9000
    Quote Originally Posted by Lovroman View Post


    You aren't looking for a MOV, you're looking for a call.
    Search for a few other console functions/DVARs like restart, record, ... and if you find one of these calls, then it, most likely, is the call that you're looking for.
    PS:lovroman2
    :]
    Oh, good thinking. Because they all should go to one address; the console. They seem to all have this call: CALL BlackOps.00552BF0. Now what do I do with it? Just pick it up and throw it? lol
    PS: sent friend request
    Last edited by Tester9000; 07-09-2014 at 05:24 PM.

  12. #56
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    Oh, good thinking. Because they all should go to one address; the console. When I do find the call however, what do I do with it? Just pick it up and throw it? lol
    PS: sent friend request
    When you find it, "fix" the code to work with BO1 and find the cheat protection address (search for "cheat protected" or something like this, scroll up and then you will find a jump, I'm not sure which one, tho).

  13. #57
    Tester9000
    Quote Originally Posted by Lovroman View Post


    When you find it, "fix" the code to work with BO1 and find the cheat protection address (search for "cheat protected" or something like this, scroll up and then you will find a jump, I'm not sure which one, tho).
    That's where I'm stuck. How do I "fix" the code to work with BO1? Other than that, I already found the address to remove cheats. Works online 2 :P.

  14. #58
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    That's where I'm stuck. How do I "fix" the code to work with BO1? Other than that, I already found the address to remove cheats. Works online 2 :P.
    Change Process[] processesByName = Process.GetProcessesByName("t6zm"); to Process[] processesByName = Process.GetProcessesByName("t5zm"); or w/e BO1's process name is.
    And don't forget to change addresses, of course!

  15. #59
    Tester9000
    Quote Originally Posted by Lovroman View Post


    Change Process[] processesByName = Process.GetProcessesByName("t6zm"); to Process[] processesByName = Process.GetProcessesByName("t5zm"); or w/e BO1's process name is.
    And don't forget to change addresses, of course!
    Well yea, that's a no-brainer... What I'm confused about is
    this.callBytes = BitConverter.GetBytes(0x6b9d20);//Change this to the call address you found
    Where do I pull the underlined portion ^^^ From this code:
    004AF9B2 |. E8 39320A00 CALL BlackOps.00552BF0
    And will I have to apply an offset of 88,78,18?

  16. #60
    Lovroman
    Quote Originally Posted by Tester9000 View Post
    Well yea, that's a no-brainer... What I'm confused about is
    this.callBytes = BitConverter.GetBytes(0x6b9d20);//Change this to the call address you found
    Where do I pull the underlined portion ^^^ From this code:
    004AF9B2 |. E8 39320A00 CALL BlackOps.00552BF0
    And will I have to apply an offset of 88,78,18?
    No, you won't have to apply any offset.
    Replace 0x6b9d20 with 0x00552BF0 and you're good to go!
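
Why no offset is needed, as an added example that is not part of the original posts: the E8 opcode carries a signed 32-bit little-endian displacement counted from the next instruction, so the disassembler has already resolved `E8 39320A00` at 004AF9B2 to the absolute address it prints. The code below decodes the relative branches in the listing quoted in this thread and compares them with the printed targets; the function names are hypothetical.

```python
import re
import struct

# Branch lines copied from the OllyDbg listing quoted in the thread above.
LISTING = """\
004AF9B2  |. E8 39320A00    CALL BlackOps.00552BF0
004AF9BC  |. 75 12          JNZ SHORT BlackOps.004AF9D0
004AF9BF  |. E8 BC681900    CALL BlackOps.00646280
004AF9CF  |. C3             RETN
"""

def branch_target(address, raw):
    """Destination of a relative CALL/JMP/Jcc, or None if `raw` is not one."""
    end = address + len(raw)        # displacement counts from the NEXT instruction
    if raw[0] in (0xE8, 0xE9) and len(raw) == 5:          # CALL rel32 / JMP rel32
        disp = struct.unpack("<i", raw[1:5])[0]           # little-endian, signed
    elif (raw[0] == 0xEB or 0x70 <= raw[0] <= 0x7F) and len(raw) == 2:
        disp = struct.unpack("<b", raw[1:2])[0]           # JMP/Jcc rel8, signed
    else:
        return None
    return (end + disp) & 0xFFFFFFFF                      # wrap like 32-bit EIP

def check_listing(text):
    """Return (address, decoded target, target the disassembler printed)
    for every relative branch in an OllyDbg-style listing."""
    rows = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(cols) != 3:
            continue
        address = int(cols[0], 16)
        raw = bytes.fromhex(cols[1].split(None, 1)[1].replace(" ", ""))
        target = branch_target(address, raw)
        if target is None:
            continue
        printed = re.search(r"\.([0-9A-F]{8})\b", cols[2])
        rows.append((address, target, int(printed.group(1), 16) if printed else None))
    return rows

if __name__ == "__main__":
    for address, target, printed in check_listing(LISTING):
        print(f"{address:08X} -> {target:08X} (listing says {printed:08X})")
```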

    Last Post: 04-16-2007, 03:25 PM