I'm a bit lost


Postby sh33pb0y » Thu Oct 30, 2008 4:11 am

Hello all,

In order to get more comfortable with memory and memory editing, I decided to create a 'cvar viewer' for Enemy Territory (a nice free downloadable game). Everything is working fine for cvars like com_maxfps (which is set to 85) or r_gamma (which is set to 1.3); problems arise for all cvars with an integer value less than 10. For example, r_picmip is set to 1 (so where is the 1 stored?).

It comes down to this: I search for the cvar names as ASCII strings (com_maxfps, r_picmip, etc.). When I find com_maxfps, the value of this cvar is close to the com_maxfps string. After the value, another cvar string follows. I can modify the 85 that I find and it changes nicely in the game, so no problem so far.

Here is what I find in the memory for com_maxfps:
0245649C  63 6F 6D 5F 6D 61 78 66 70 73 00 00 11 4A 1D 00  com_maxfps...J..
024564AC  1C 00 00 00 04 00 00 00 C8 64 45 02 88 64 45 02  .........dE..dE.
024564BC  11 4A 1D 00 38 35 00 AA 11 4A 1D 00 1C 00 00 00  .J..85...J......
024564CC  04 00 00 00 E4 64 45 02 AC 64 45 02 11 4A 1D 00  .....dE..dE..J..
024564DC  38 35 00 AA 11 4A 1D 00 28 00 00 00 04 00 00 00  85...J..(.......
024564EC  0C 65 45 02 C8 64 45 02 11 4A 1D 00 63 6F 6D 5F  .eE..dE..J..com_
024564FC  68 75 6E 6B 4D 65 67 73                          hunkMegs

However, with r_picmip the value '1' is nowhere to be found. In fact, if I write 00s between the r_picmip string and the next cvar string, nothing changes in-game; the r_picmip value is still 1.

Here is what I find for r_picmip:
02452793  72 5F 70 69 63 6D 69 70 00 11 4A 1D 00 2C 00 00  r_picmip..J..,..
024527A3  00 04 00 00 00 CC 27 45 02 7C 27 45 02 11 4A 1D  ......'E.|'E..J.
024527B3  00 75 69 5F 72 5F 73 75 62 64 69 76 69 73 69 6F  .ui_r_subdivisio
024527C3  6E 73                                            ns

So nulling everything between r_picmip and ui_r_subdivisions has no effect.

Now the thing that I can't get my head around:
- I set r_picmip to 2.0000 in-game, then search for 2.0000 with MHS, and it finds 2.0000 somewhere 'random' in memory, but the r_picmip string is nowhere near it. If I change this 2.0000 value that I found to 3.0000, everything changes nicely in-game.

So now I restart the game (r_picmip is still 2.0000) and search for 2.0000 again, and guess what: r_picmip and 2.0000 are grouped together. If I change it to 3.000 in-game, the memory updates nicely.
Next I change r_picmip to 1: the 3.000 disappears in memory and is replaced by hex 04. I change r_picmip back to 2.000; the 04 is still in place, and the value 2.000 is somewhere completely different again, with no r_picmip string to be found near it, so the whole circus starts again.

I hope my problem is a bit clear to you, and I hope that you can help me find the values of cvars that are in the range 0-9. I just can't understand why 'double' values and values of 10 and more are right after the cvar name while 0-9 values are somewhere different.

Thanks in advance
sh33pb0y
I Ask A Lot Of Questions
 
Posts: 11
Joined: Thu Oct 30, 2008 3:36 am
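
The com_maxfps dump above can be decoded once you notice that every string sits in its own allocation: a 20-byte header of five dwords (size, tag, next, prev, marker) followed by the string bytes, with the marker 11 4A 1D 00 repeated after them. The header shape and the marker value are read off the posted bytes; that they match the memblock_t and ZONEID of the open-source id Tech 3 zone allocator is my identification, not something the thread states. The following C program is an added example, not code from the thread: it embeds the posted bytes, walks the block chain from the first complete header, and checks that the prev pointer of the first block leads back to the com_maxfps name. Two "85" blocks come out, which is consistent with the engine keeping both the cvar's current string and its reset string; that reading is also mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block layout read off the posted bytes (assumed to be id Tech 3's memblock_t):
 *   u32 size; u32 tag; u32 next; u32 prev; u32 id;   20-byte header
 *   payload (size - 24 bytes)                          the string
 *   u32 id;                                            trailing marker
 */
#define HDR_SIZE 20u
#define ZONEID   0x001D4A11u

static const uint32_t DUMP_BASE = 0x0245649Cu;   /* address of DUMP[0] in the post */
static const uint8_t DUMP[] = {                  /* the com_maxfps dump, verbatim */
    0x63,0x6F,0x6D,0x5F,0x6D,0x61,0x78,0x66,0x70,0x73,0x00,0x00,0x11,0x4A,0x1D,0x00,
    0x1C,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xC8,0x64,0x45,0x02,0x88,0x64,0x45,0x02,
    0x11,0x4A,0x1D,0x00,0x38,0x35,0x00,0xAA,0x11,0x4A,0x1D,0x00,0x1C,0x00,0x00,0x00,
    0x04,0x00,0x00,0x00,0xE4,0x64,0x45,0x02,0xAC,0x64,0x45,0x02,0x11,0x4A,0x1D,0x00,
    0x38,0x35,0x00,0xAA,0x11,0x4A,0x1D,0x00,0x28,0x00,0x00,0x00,0x04,0x00,0x00,0x00,
    0x0C,0x65,0x45,0x02,0xC8,0x64,0x45,0x02,0x11,0x4A,0x1D,0x00,0x63,0x6F,0x6D,0x5F,
    0x68,0x75,0x6E,0x6B,0x4D,0x65,0x67,0x73,
};
#define DUMP_LEN ((uint32_t)sizeof DUMP)

typedef struct {
    uint32_t addr, size, tag, next, prev;
    int id_ok;       /* header marker == ZONEID */
    int truncated;   /* payload runs past the end of the dump */
    char str[32];    /* payload as a C string, cut at NUL or at the dump end */
} zblock;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pointer into DUMP for an absolute address, NULL when the address is outside it. */
static const uint8_t *at(uint32_t addr) {
    return (addr >= DUMP_BASE && addr < DUMP_BASE + DUMP_LEN) ? DUMP + (addr - DUMP_BASE) : NULL;
}

/* Decode the block whose header starts at addr; 0 if the header is not fully inside the dump. */
int parse_block(uint32_t addr, zblock *b) {
    const uint8_t *p = at(addr);
    if (!p || addr - DUMP_BASE + HDR_SIZE > DUMP_LEN) return 0;
    memset(b, 0, sizeof *b);
    b->addr = addr;           b->size = rd32(p);      b->tag = rd32(p + 4);
    b->next = rd32(p + 8);    b->prev = rd32(p + 12); b->id_ok = rd32(p + 16) == ZONEID;
    uint32_t payload = b->size > HDR_SIZE + 4 ? b->size - HDR_SIZE - 4 : 0;
    uint32_t avail   = DUMP_LEN - (addr - DUMP_BASE) - HDR_SIZE;   /* bytes left in the dump */
    uint32_t n       = payload < avail ? payload : avail;
    if (n > sizeof b->str - 1) n = sizeof b->str - 1;
    uint32_t i;
    for (i = 0; i < n && p[HDR_SIZE + i] != 0; i++) b->str[i] = (char)p[HDR_SIZE + i];
    b->str[i] = 0;
    b->truncated = payload > avail && i == avail;
    return 1;
}

/* Follow next pointers from start while the headers stay inside the dump. */
int walk_blocks(uint32_t start, zblock *out, int max) {
    int n = 0;
    uint32_t a = start;
    while (n < max && parse_block(a, &out[n])) {
        uint32_t next = out[n].next;
        n++;
        if (out[n - 1].size < HDR_SIZE + 4 || next <= a) break;   /* corrupt size or wrapped list */
        a = next;
    }
    return n;
}

/* Small accessors so a caller can check single blocks without touching zblock. */
int dump_block_count(void)                 { zblock b[8]; return walk_blocks(0x024564ACu, b, 8); }
uint32_t block_size_at(uint32_t addr)      { zblock b; return parse_block(addr, &b) ? b.size : 0; }
int block_truncated_at(uint32_t addr)      { zblock b; return parse_block(addr, &b) && b.truncated; }
const char *block_string_at(uint32_t addr) { static zblock b; return parse_block(addr, &b) ? b.str : NULL; }

/* The payload of the block that addr's prev pointer leads to: prev + HDR_SIZE. */
const char *payload_of_prev(uint32_t addr) {
    zblock b;
    if (!parse_block(addr, &b)) return NULL;
    const uint8_t *p = at(b.prev + HDR_SIZE);
    return (p && memchr(p, 0, DUMP_LEN - (uint32_t)(p - DUMP))) ? (const char *)p : NULL;
}

int main(void) {
    zblock b[8];
    int n = walk_blocks(0x024564ACu, b, 8);
    for (int i = 0; i < n; i++)
        printf("%08X size=%2u tag=%u next=%08X prev=%08X id=%s \"%s\"%s\n", (unsigned)b[i].addr,
               (unsigned)b[i].size, (unsigned)b[i].tag, (unsigned)b[i].next, (unsigned)b[i].prev,
               b[i].id_ok ? "ok" : "BAD", b[i].str, b[i].truncated ? " (cut by end of dump)" : "");
    const char *name = payload_of_prev(0x024564ACu);
    printf("first block's prev + %u -> \"%s\"\n", (unsigned)HDR_SIZE, name ? name : "(outside dump)");
    return 0;
}
```

Run stand-alone it prints one line per block; the last one is cut short because the posted listing stops in the middle of "com_hunkMegs". The same walk over the r_picmip dump shows the ui_r_subdivisions block immediately following the name block, i.e. no "1" string was allocated next to r_picmip at all.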

Postby L. Spiro » Thu Oct 30, 2008 6:25 am

My guess is that values below 10 are so common that it tries to save space by setting up some kind of sharing system.

But in any case, you should probably find out how the game is handling both cases via Auto-Hack and following the code.


L. Spiro
Our songs remind you of songs you’ve never heard.
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby sh33pb0y » Fri Oct 31, 2008 2:25 am

You're right. I had not worked with your tool before, but after reading through some tutorials I got a step closer to my goal. I guess with a little more work I can sort this out; otherwise I know where to post for help ;)

Postby sh33pb0y » Sat Nov 01, 2008 1:36 am

OK, I got it figured out, I guess:

There is a place in memory where it stores pointers to the cvar strings, directly followed by pointers to the cvar values. If the value is >= 10, or if it is a value like '1.000', the addresses will look like this:

Address      hex
013C91EC  88
013C91ED  6A
013C91EE  3D
013C91EF  02
013C91F0  AC
013C91F1  6A
013C91F2  3D
013C91F3  02


The cvar I am searching for is at address 023D6A88, and the value of this cvar is stored at 023D6AAC (in this case it is close to the cvar string, but that's because I just restarted the game, as I explained above in my first post).
Currently this cvar value is 14 (which is stored at 023D6AAC).

So that's the way it knows where to look for the 'higher' values of a cvar. Now for int values that are < 10: I change the value of the cvar at 023D6A88 to 1:

Address      hex
013C91EC  88
013C91ED  6A
013C91EE  3D
013C91EF  02
013C91F0  3C
013C91F1  E7
013C91F2  52
013C91F3  00


Guess what is at address 0052E73C? Yes: 1.
2 is stored at 0052E754,
3 at 0052E76C.

So in conclusion, you were right that it is sharing the common int values of 0-9 ;). It was quite fun to figure this out, but I didn't expect the result to be so easy :P. On the other hand, I guess most solutions are easy once you know them.

So, I thought about finding the cvar values this way:
- ASCII string search for the cvar name (e.g. cl_freelook)
- Hex search for the address of the cvar name (if the cvar name is at address 023D6A88, hex search for 88 6A 3D 02)
- The address of the cvar value is stored directly after the result of the last search; read the address that we find there.

Is this the easiest way, or is there a more advanced way I'm not aware of yet? ;)
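
The three-step lookup above, written out as a program; this is an added example and not part of the thread. It runs the steps against a constructed 32-bit memory snapshot (the addresses, offsets and the decoy name are made up for the example; only the record shape {name pointer, value pointer} and the shared "0".."9" strings come from the post): an ASCII search that insists on matching the whole name, a pointer search for the little-endian bytes of the hit, and a read of the dword after it. The value pointer of r_picmip lands in the shared digit table, which is why zeroing bytes after the name string changes nothing, while the com_maxfps value is an ordinary copied string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed snapshot: addresses and layout are invented for this example. */
#define IMG_BASE        0x02450000u   /* pretend address of img[0] */
#define IMG_SIZE        0x400u
#define DIGIT_TABLE_OFF 0x100u        /* shared single-digit strings "0\0".."9\0" */
#define DIGIT_STRIDE    2u

static uint8_t img[IMG_SIZE];
static int     img_ready;

static void put_str(uint32_t off, const char *s) { memcpy(img + off, s, strlen(s) + 1); }
static void put_u32(uint32_t off, uint32_t v) {
    img[off] = (uint8_t)v;            img[off + 1] = (uint8_t)(v >> 8);
    img[off + 2] = (uint8_t)(v >> 16); img[off + 3] = (uint8_t)(v >> 24);
}
static uint32_t get_u32(uint32_t off) {
    return (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 | (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
}

/* Names, one ordinary value string, the digit table and three {name, value} records. */
static void build_image(void) {
    if (img_ready) return;
    memset(img, 0, sizeof img);
    put_str(0x010, "com_maxfps");
    put_str(0x020, "85");              /* ordinary copied string, lives near its name */
    put_str(0x030, "ui_r_picmip");     /* decoy: ends in "r_picmip" and comes first in memory */
    put_str(0x040, "r_picmip");
    for (int d = 0; d < 10; d++) img[DIGIT_TABLE_OFF + d * DIGIT_STRIDE] = (uint8_t)('0' + d);
    put_u32(0x200, IMG_BASE + 0x010); put_u32(0x204, IMG_BASE + 0x020);
    put_u32(0x210, IMG_BASE + 0x040); put_u32(0x214, IMG_BASE + DIGIT_TABLE_OFF + 1 * DIGIT_STRIDE);
    put_u32(0x220, IMG_BASE + 0x030); put_u32(0x224, IMG_BASE + DIGIT_TABLE_OFF + 3 * DIGIT_STRIDE);
    img_ready = 1;
}

static int is_ident(uint8_t c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_';
}

/* Step 1: ASCII search for the whole name (NUL after it, no identifier byte before it). */
uint32_t find_name(const char *name) {
    size_t n = strlen(name);
    build_image();
    for (uint32_t off = 0; off + n < IMG_SIZE; off++) {
        if (memcmp(img + off, name, n) != 0 || img[off + n] != 0) continue;
        if (off > 0 && is_ident(img[off - 1])) continue;   /* "r_picmip" inside "ui_r_picmip" */
        return IMG_BASE + off;
    }
    return 0;
}

/* Step 2: pointer search, i.e. the little-endian bytes of the address, 4-byte aligned. */
uint32_t find_pointer_to(uint32_t target) {
    uint8_t le[4] = { (uint8_t)target, (uint8_t)(target >> 8), (uint8_t)(target >> 16), (uint8_t)(target >> 24) };
    build_image();
    for (uint32_t off = 0; off + 4 <= IMG_SIZE; off += 4)
        if (memcmp(img + off, le, 4) == 0) return IMG_BASE + off;
    return 0;
}

/* Read a NUL-terminated string at addr; NULL if outside the snapshot or unterminated. */
const char *read_cstring(uint32_t addr) {
    build_image();
    if (addr < IMG_BASE || addr >= IMG_BASE + IMG_SIZE) return NULL;
    uint32_t off = addr - IMG_BASE;
    return memchr(img + off, 0, IMG_SIZE - off) ? (const char *)img + off : NULL;
}

/* Step 3: the dword right after the name pointer is the value pointer. */
uint32_t cvar_value_addr(const char *name) {
    uint32_t name_addr = find_name(name);
    uint32_t rec = name_addr ? find_pointer_to(name_addr) : 0;   /* &record->name */
    if (!rec || rec - IMG_BASE + 8 > IMG_SIZE) return 0;
    return get_u32(rec - IMG_BASE + 4);                           /* record->string */
}

const char *cvar_value(const char *name) {
    uint32_t a = cvar_value_addr(name);
    return a ? read_cstring(a) : NULL;
}

/* True when a value pointer lands in the shared digit table: zeroing bytes after the
   name string cannot touch such a value, which is what the first post ran into. */
int in_digit_table(uint32_t addr) {
    return addr >= IMG_BASE + DIGIT_TABLE_OFF && addr < IMG_BASE + DIGIT_TABLE_OFF + 10 * DIGIT_STRIDE;
}

int main(void) {
    const char *names[] = { "com_maxfps", "r_picmip", "ui_r_picmip", "nosuchcvar" };
    for (int i = 0; i < 4; i++) {
        uint32_t a = cvar_value_addr(names[i]);
        const char *v = a ? read_cstring(a) : NULL;
        printf("%-12s value@%08X = %s%s\n", names[i], (unsigned)a, v ? v : "(not found)",
               a && in_digit_table(a) ? "  [shared digit table]" : "");
    }
    return 0;
}
```

Two checks matter in practice. A bare substring search for r_picmip would first hit inside ui_r_picmip, so the match requires a NUL after the name and a non-identifier byte before it. And a pointer search on a real process can return more than one hit, so a candidate should only be trusted if the dword after it dereferences to a NUL-terminated string inside the snapshot; the record shape used here is just the two leading fields the post observed, not the full structure.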

Postby L. Spiro » Sat Nov 01, 2008 9:00 am

If you want to find a pointer, use the Pointer Search. Value: 023D6A88.



Postby sh33pb0y » Sat Nov 01, 2008 5:35 pm

Yes, but I am creating a C++ program that finds the values automatically; that's why I convert the hex I am searching for to chars first, then do an ASCII search. With your tool I just do a pointer search.

I am now trying different games to see if it is the same there.
It works in both ET and SoF2 now, but it seems that Call of Duty 2 is different, even though they are all Quake engine games.

Postby sh33pb0y » Sat Nov 01, 2008 9:42 pm

OK, I have been looking around in the CoD2 memory for a while now, and I have no trouble finding the cvar value and cvar name in memory; the problem is how they are 'linked'.

In ET I just searched for pointers to the value and pointers to the cvar name; they were right next to each other.
If I search for pointers to the value and the name in CoD2, they are in completely different places.

I wonder now: is there a way for me to easily see what has changed in memory? For example:
I change the value of r_picmip; then, in memory, the pointer to the value of r_picmip should change. I know there is an option in the hex editor to give changes in memory a colour, but can I automatically 'jump' to these changes? Scrolling through the entire editor looking for a particular colour isn't a fun job :P

I hope you can point me in the right direction with this.

Thanks.

Postby L. Spiro » Sun Nov 02, 2008 8:02 am

There is no way to do that. And I don’t mean just in MHS.

It is impossible to take a snapshot of the whole process and check for differences while keeping your computer running at a decent speed. Even if it were possible, you would find so many changes that it would be pointless.

And it is not the right way to approach this situation anyway. Regular searches are all you need.

MHS gives you the most search types and the most powerful search types. The rest is up to your creativity.



Postby sh33pb0y » Thu Nov 06, 2008 4:25 am

OK, thanks for pulling me off the wrong track. I've been thinking about a different way to approach this and got the following:

I searched for one of the cvar names in memory and then searched for a pointer to its address. I figured that when you type 'cvarlist' in the game console, something has to loop through all the cvars and find the corresponding values.

So with MHS I found what accesses the pointer after running the cvarlist command in the console. I know how the cvars are stored in ET, so with that information I could figure out the exact way the cvarlist command finds the cvars and the values in Olly (I didn't need Olly for this in particular, but I'm used to it).

Now all that's left is to do the same for CoD2. I started just looking around a bit and found that the cvars in CoD2 are somewhat restricted: some values must be in a certain range, or the value is some text, and they are stored differently (some values are shared, like in ET). Doing this in ET first, knowing beforehand how the cvars are stored, really helped me a lot towards the goal of becoming more comfortable with ASM, Olly and MHS.

Thanks again for saving me a lot of time. I will post when I get some results out of this, or when I'm really stuck somewhere ;)

Postby sh33pb0y » Sat Nov 22, 2008 3:37 am

OK, everything is working as it should for all games now. On to the next 'project' ;).

Thanks again for the help; you're doing a great job.

Postby L. Spiro » Sat Nov 22, 2008 10:06 am

No problem.

