Battlefield 2 - Mini FAQ


Postby AlaXul » Sat Aug 19, 2006 10:14 am

To get things started I will post the BF2 mini FAQ I made a while back on here. You can find the full FAQ and various tutorials and tools here:

http://www.mpcforum.com/showthread.php?t=132351

____________________________________________________
Question Index

- How to run BF2 in a window?
- How to get rid of the intro movies?
- How to pause BF2 in v1.22+
- Why can't I attach the debugger while following the tutorials?
- What is a DMA address?
- How do I find a DMA address?
- What is a Static Pointer?
- What is a Register?
- What is a Code Cave?
- What is PB?
- What is a Base and Offset address?
- How do I calculate the above formula?
- How do I find the Base address?
- How do I find the offset?
- How do I defeat PB?
- How does PB detect my cheats?
- What is a MD5 Hash?
- Can a MD5 Hash be cracked?
- Should I bother to crack this stuff?
- I've made my own cheats, but they only work in single player. Why?
- Some people claim they have managed to get detected BF2 cheats working even though no one else can even while following their directions exactly.
- I've created my Code Cave but when I start the game it crashes. Why?
- How do I find the DMA address that the Pointer uses?
- I saw a friendly player show up as red. Is this a hack?
- HEX misc points.
- Are there anymore BF2 Wall Glitches?

___________________BF2 Mini FAQ__________________
Tips & Tricks

- How to run BF2 in a window?
* Create a shortcut with the window option
* "BF2.exe" +playNow 1 +menu 1 +fullscreen 1"

- How to get rid of the intro movies?
* rename "\Program Files\EA GAMES\Battlefield 2\mods\bf2\movies"
* to something else. eg: movies.bak

- How to pause BF2 in v1.22+
* in console type: gamelogic.togglepause
* or there is a util that has been posted in the forums that will do it.
* or create an ASM loop

___________________________________________________
Typical Questions:

- Why can't I attach the debugger while following the tutorials?
* You need to reset the debug port. Follow Faldo's tutorial attached below.
* Try using Winject; if that fails, Faldo's tuts will always work. If you followed them and it still did not work, you did something wrong. There are three different ways this is commonly done. Try each.
* If you have Windows XP 64bit then try this: [Tool] HelioS-Reset-DebugPort (32bit/64bit)

- What is a DMA address?
* Dynamic Memory Address is a random location where an application can store temporary values. This often changes from PC to PC, game to game, level to level, etc. Values stored in DMAs are typically not scanned by PB.

- How do I find a DMA address?
* You can do it the hard way, by searching for value changes over time with a memory scanner like Tsearch, gamehack, or any other tool.
* or the faster way is to locate a Static Pointer that will show you the location of the DMA address. A simple Code Cave will allow you to copy the value of the DMA to a static address and read the value.

- What is a Static Pointer?
* It's a piece of ASM code that stores the location of the DMA address in a register.

- What is a Register?
* A section of the CPU that stores values before execution

- What is a Code Cave?
* A redirection of ASM code to a new location where there is more space to add additional code or to modify the string without PB detecting the changes.
* Example of a simple Code Cave:

Code:
RendDX9
111111 jmp 55555 ;Jump to Cave start
111112 mov eax etc etc ; original next ASM line

Cave
55555 je short rendDX9.99999 ; Original Line
55556 jmp 111112 ; Return from cave to next ASM line
- What is PB?
* Punk Buster, an application that checks for changes to the BF2 game in an attempt to prevent cheating.

- What is a Base and Offset address?
* A BASE address is the memory location where an application or DLL starts. The OFFSET is how many bytes from the start the section of code of interest is located.

- How do I calculate the above formula?
* In Windows, click on START / RUN / CALC
* Ensure in VIEW it's set to Scientific
* Click on the HEX button
* Enter your values: "DLLbase + Offset = Target Address"

- How do I find the Base address?
* OllyDbg will list it under the Executables view
* GameHack will list it under the loaded modules view
* There are tools on this forum that will display the info

- How do I find the offset?
* You can discover the code yourself and subtract the DLLbase to get the offset
* Search the forums for many posts that give the offsets

- How do I defeat PB?
* Go read up on how PB works, you'll come up with many ways. There is also a link above that takes you to a Tut on how to do it in the most simple way.

- How does PB detect my cheats?
* PB has a number of tricks, the most common being an MD5 hash of a section of static memory. If any changes occur to this section the MD5 checksum will be invalid and PB will know that changes have been made.
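An added example (not from the original post) of the integrity check described above: hash a fixed range of a module image, compare it against a known-good digest, and report which bytes moved. The module image, load address and .text range are constructed stand-ins, not real BF2 memory.

```python
import hashlib

# Constructed stand-in for a loaded module image (NOT real game memory):
# 1024 bytes with a repeating pattern so every position has a known value.
MODULE_BASE = 0x10000000            # hypothetical load address of the module
IMAGE = bytes(range(256)) * 4
CODE_START, CODE_LEN = 0x100, 0x200  # hypothetical static code range to hash


def target_address(base: int, offset: int) -> int:
    """Base + offset: the formula the FAQ asks how to calculate."""
    return base + offset


def region_md5(image: bytes, start: int, length: int) -> str:
    """MD5 of a static memory range, the check the FAQ attributes to PB."""
    return hashlib.md5(image[start:start + length]).hexdigest()


def integrity_ok(image: bytes, start: int, length: int, baseline: str) -> bool:
    """True when the hashed range still matches the known-good digest."""
    return region_md5(image, start, length) == baseline


def changed_offsets(good: bytes, image: bytes, start: int, length: int) -> list[int]:
    """Offsets inside the hashed range whose bytes differ from the good copy."""
    return [start + i for i in range(length) if good[start + i] != image[start + i]]


def patch_bytes(image: bytes, offset: int, data: bytes) -> bytes:
    """Return a copy of the image with `data` written at `offset`."""
    return image[:offset] + data + image[offset + len(data):]


def demo() -> dict:
    baseline = region_md5(IMAGE, CODE_START, CODE_LEN)
    # Five-byte overwrite inside the hashed range: the kind of change the
    # check is meant to catch (constructed bytes, not a real patch).
    in_range = patch_bytes(IMAGE, 0x150, b"\xE9" + b"\x00" * 4)
    # Same overwrite outside the hashed range: the digest cannot see it,
    # which is why coverage of the hashed region matters to the defender.
    out_of_range = patch_bytes(IMAGE, 0x800, b"\xE9" + b"\x00" * 4)
    return {
        "target": target_address(MODULE_BASE, 0x150),
        "clean_ok": integrity_ok(IMAGE, CODE_START, CODE_LEN, baseline),
        "patched_ok": integrity_ok(in_range, CODE_START, CODE_LEN, baseline),
        "changed": changed_offsets(IMAGE, in_range, CODE_START, CODE_LEN),
        "outside_ok": integrity_ok(out_of_range, CODE_START, CODE_LEN, baseline),
    }
```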

- What is a MD5 Hash?
* MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value.

- Can a MD5 Hash be cracked?
* Yes, it's simply a question of time and CPU power. There has also been work done using Rainbow tables to create a database of many encryption standard hashes. This allows for simple queries to crack the hash rather than a brute force attack. A typical ASCII char set used in an MD5 hash creates a database of around 1 Terabyte. There are online services that allow access to this.

- Should I bother to crack this stuff?
* Not if you're reading this Mini FAQ and doing these tut's and are hearing this stuff for the first time. I suggest you simply go out and get yourself laid, you'll have much better success in that venture.

- I've made my own cheats, but they only work in single player. Why?
* In BF2 there are client side cheats and server side cheats. Server side cheats such as Ammo, Health, Damage, etc. are calculated on the Server side of the connection. The only way to cheat here is to have access to the Server memory. Client side cheats, typically visual aids, are calculated on your PC, and therefore can be changed during online play. Things like MiniMap, TAGS, FOG, Distance, etc.

- Some people claim they have managed to get detected BF2 cheats working even though no one else can even while following their directions exactly.
* Often these people have no understanding of what is happening and post their interpretation of the events. You are better off making your own cheats based on the info on this site and saving yourself a lot of trouble. The bonus of this is that these techniques apply to all games / software and will save you years of headaches later.

- I've created my Code Cave but when I start the game it crashes. Why?
* Assuming your ASM is correct, chances are the memory you chose for your cave is used by BF2 while the game runs. Try using a different location and watch the area of memory while playing the game to see if it changes. Just because CheatEngine says this is a good cave location does not mean it is not used while the game runs.

- How do I find the DMA address that the Pointer uses?
* You need to copy the value of the Pointer register to an empty memory location and then read that value.


Code:
eg: 041B14F2 fld [ecx+100] ; Original Pointer

Create Cave
~ 041B14F2 jmp 123456 ; 123456 = Cave location

Cave
~ 123456 fld [ecx+100]
~ 123457 mov [123470], ecx ; Copy the value of ECX to empty memory location of 123470
~ 123458 add [123470], 100 ; Add 100 to empty location of 123470, that way you do not have to do this by hand.
~ 123459 jmp 041B14F3 ; jump back and continue with original code

Now simply read the value of 123470 as a Hex String. This value will be the DMA address.

- I saw a friendly player show up as red. Is this a hack?
* No, this is a bug with BF2. On occasion the packet containing the player team information becomes corrupt and the server displays the player on the incorrect side.

- HEX misc points.
* HEX = numbers 0 to 15 represented as 0123456789ABCDEF
* Base Address = The location in memory where a program or DLL starts
* 0x123456, the 0x is not a HEX value, it simply means HEX
* An offset is how many bytes need to be added to the base address to find the target code.

- Are there anymore BF2 Wall Glitches?
* As of 1.22 the old spinning turret glitch has been fixed. There are still however item spawn glitches that I am aware of that will push you inside buildings.
* As of 1.3 there are several, one common one is to use a commander dropped jeep on top of a building and drop down between walls to get through them.
* As of 1.3 you can use a boat spawning to push you under the docks.
* As of 1.3 you can use a boat to drive under the aircraft carrier.

FAQ by: AlaXul