Problem finding team address

Hacking Any Unreal Tournament Game

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Problem finding team address

Postby Dimple » Thu Dec 30, 2010 10:07 pm

I'm working on an aimbot for UT 2003, it's working but the problem is that it also aims at allies. So I would need to find the info which are enemies and which are allies. I think the info should be stored in the player struct (can you confirm this L. Spiro?). First I thought I'd try changing the team and searching for differences, but the player is killed every time I change team so the struct is also destroyed, and the data moves. I have tried to search the player structure for values like 1 or 2 but I haven't been able to find anything. Any tips on how to continue?
Dimple
Hackleberry Fin
 
Posts: 21
Joined: Tue Dec 14, 2010 8:25 pm
Location: Finland

Re: Problem finding team address

Postby L. Spiro » Thu Dec 30, 2010 10:25 pm

Pretty sure it is just a number indicating on which team the player is.
Save two players from different teams to a binary file and compare them for single bytes that are low enough to be a team index (for 2 teams, one will be 0 and one will be 1).


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Problem finding team address

Postby Dimple » Sun Jan 02, 2011 2:18 am

I've been trying that but I still haven't found it...
Dimple
Hackleberry Fin
 
Posts: 21
Joined: Tue Dec 14, 2010 8:25 pm
Location: Finland

Re: Problem finding team address

Postby Dimple » Tue Jan 04, 2011 12:43 am

Are you absolutely sure that they will be 0 and 1?

I've been trying to compare my own player's structure to the enemy's structure using a simple C program. First I calculate the addresses where the structures start (this works), then I copy the structures into arrays:
(beginning and beginning2 are the addresses where the structures begin.)
Code: Select all
unsigned char memory[SIZE_OF_STRUCT];
unsigned char memory2[SIZE_OF_STRUCT];

UINT_PTR tmp;
int i;

tmp = beginning;
   for(i=0;i<SIZE_OF_STRUCT;i++)
   {

      if(!ReadProcessMemory(hProcess, (LPVOID)tmp, &memory[i], sizeof(memory[i]), NULL))
         ErrorExit(TEXT("compare_memory"));

      tmp += sizeof(memory[i]);

   }

   tmp = beginning2;
   for(i=0;i<SIZE_OF_STRUCT;i++)
   {

      if(!ReadProcessMemory(hProcess, (LPVOID)tmp, &memory2[i], sizeof(memory2[i]), NULL))
         ErrorExit(TEXT("compare_memory"));

      tmp += sizeof(memory2[i]);

   }


Then I compare the two arrays to find the offsets where my structure has 0 and the enemy has 1 (or the other way around):
Code: Select all
int p = 0;

   for(i=0;i<SIZE_OF_STRUCT;i++)
   {
      if(memory[i] == 1)
      {
         if(memory2[i] == 0)
         {
            printf("Found 1, i = %i, +0x%X\n", i, i);
         }
      }

      if(memory2[i] == 1)
      {
         if(memory[i] == 0)
         {
            printf("Found 2, i = %i, +0x%X\n", i, i);
         }
      }

   }

I'm not actually sure how big the structures are but I have tried with different values and still no luck. Am I doing something wrong here?
Dimple
Hackleberry Fin
 
Posts: 21
Joined: Tue Dec 14, 2010 8:25 pm
Location: Finland

Re: Problem finding team address

Postby L. Spiro » Tue Jan 04, 2011 10:45 pm

No I am not sure the values will be 0 and 1.
Why not store 10 players from 1 team and see what they have in common versus what is different from players on another team?


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Problem finding team address

Postby Dimple » Wed Jan 05, 2011 3:04 am

If you weren't sure then it was an excellent guess. I managed to confirm (yesterday night about 1 am :P) that it indeed is a byte that is 0 when on the red team and 1 when on the blue team. I found it only for the player itself, though. And it was quite far from where I was looking for it. Freezing or changing it doesn't affect anything, though, and I think that suggests that it's not actually the right one. I'm guessing it's related to that the player is different and has the same info stored in other places, too. I'm just guessing, though.

That is a great idea. I will probably try that today.

I'm a bit confused about how the game stores the values right now. Because I assumed that the team-byte should be located in the same structure as the hp and the coordinates but this doesn't seem to be the case. Could it be that it's not stored in the structure of the player but it is stored in the structures of the enemies/teammates? Or could there be more than one structure for each player? Or maybe there is one structure and additional variables or arrays or something...
Dimple
Hackleberry Fin
 
Posts: 21
Joined: Tue Dec 14, 2010 8:25 pm
Location: Finland

Re: Problem finding team address

Postby L. Spiro » Wed Jan 05, 2011 7:57 pm

If there are a bunch of team properties that would be the same for every player on that team, instead of replicating all that data for each player it would be simpler to make one team-data structure and give each player a pointer to that structure.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Problem finding team address

Postby Dimple » Sat Jan 08, 2011 5:29 am

That sounded reasonable so I decided to test it. I made a program that reads the structures of 10 enemy's into an array, compares the values and then displays the results. I read the values as int (4 bytes) because I was looking for an address after all. I also made it only print values that are greater than 0x100000 to reduce the number of hits (don't know how safe that was). Still I get over 100 hits, though. Would you happen to have any tricks to reduce the number of hits (can't add bots anymore)?
Dimple
Hackleberry Fin
 
Posts: 21
Joined: Tue Dec 14, 2010 8:25 pm
Location: Finland

Re: Problem finding team address

Postby L. Spiro » Sat Jan 08, 2011 6:00 am

If you are scanning player data structures for pointers, do not use “int”.
Either use void * or UINT_PTR.

Since you will want to manipulate the address a bit, you need to use UINT_PTR.

Since you are scanning for results that are pointers, you can ignore results that are not divisible by 4.

Code: Select all
UINT_PTR uiptrPointerTarget = (*reinterpret_cast<UINT_PTR *>(pvAddress));
if ( uiptrPointerTarget & 0x03 ) { continue; } // Pointer does not point to a location that is a multiple of 4.
if ( ::IsBadReadPtr( reinterpret_cast<VOID *>(uiptrPointerTarget), sizeof( DWORD ) ) ) { continue; } // Pointer does not point to a valid address.


This is assuming DLL injection is used to check addresses.
If you are reading the process remotely, use ::ReadProcessMemory() instead of indirection ((*reinterpret_cast<UINT_PTR *>(pvAddress))) and use ::ReadProcessMemory() instead of ::IsBadReadPtr() to check if the area of RAM where the pointer points is valid (if it fails then the pointer points to an invalid location).


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Problem finding team address

Postby Dimple » Sat Jan 08, 2011 8:48 am

OK, I changed "int" to "UINT_PTR" and added those checks. They dropped the results from over a hundred to 39 (which is still a bit much but way better than before). I already have an idea, though. I will post here if it doesn't lead anywhere. Thanks for the help.
Dimple
Hackleberry Fin
 
Posts: 21
Joined: Tue Dec 14, 2010 8:25 pm
Location: Finland

Re: Problem finding team address

Postby Dimple » Tue Jan 11, 2011 1:57 am

Ok, so now it's time to post again. I had limited the possibilities to 39 addresses but there were still too many to go through all of them manually. So I compared the addresses with the ones that are in my player's own structure since all the bots were enemies, and looked for addresses that were different. Now I had 5 left so I started going through them manually. However, none of them were pointing to any team structures since they always pointing at the same location for bots, no matter which team they were on (tested this). Do you think it's possible that comparing the bots' structures to the player's structure could mess things up or does it mean that such pointer doesn't exist?

Next I thought I could try just comparing bytes in the structures again. I should have found the address already if it's stored that way in the structure but I'm running out of ideas...
Dimple
Hackleberry Fin
 
Posts: 21
Joined: Tue Dec 14, 2010 8:25 pm
Location: Finland

Re: Problem finding team address

Postby L. Spiro » Tue Jan 11, 2011 9:09 am

If there is no pointer to a team structure there is a team index.

Also try pointers to team names. However this would have appeared if you tried pointers to structures.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Problem finding team address

Postby cobr_h » Wed Jan 12, 2011 5:45 am

If you have a look on the NoCoolDown topic I've made for cabal, maybe it helps you find it out.

What I've done was finding the actual skill (in you case, the team) structure. After finding the team structure, I just followed the opposite direction, looking for pointers for that address range sucessively until I got to an static address. You probably will stop by a dynamically allocated structure which is one player's structure, until you get to a static list of address to player structures.

Link for my post: http://memoryhacking.com/forums/viewtopic.php?f=32&t=8663&sid=83054faa4109191ffd198ea146e4a527

I am sure that is easily extended to scripting addresses.
cobr_h
Acker
 
Posts: 72
Joined: Wed Dec 02, 2009 6:15 am


Return to Unreal Tournament *

Who is online

Users browsing this forum: No registered users and 0 guests

cron