[MW2]Reversing radar jammer

C, C++, PHP, HTML, SQL, etc. discussion. Also includes code and source code.
TeamRetox
Allie
Posts: 222
Joined: Sat Jun 06, 2009 3:48 pm

[MW2]Reversing radar jammer

Post by TeamRetox »

Code:

0050B860  /$ 51             PUSH ECX                        ; reserve 4 bytes of scratch space at [ESP]
0050B861  |. 833D E4497F00 >CMP DWORD PTR DS:[7F49E4],0
0050B868  |. 75 66          JNZ SHORT iw4mp.0050B8D0        ; flag set -> return 1.0
0050B86A  |. D9EE           FLDZ                            ; ST(0) = 0.0
0050B86C  |. D905 7C1E8F00  FLD DWORD PTR DS:[8F1E7C]       ; ST(0) = the value at 8F1E7C, ST(1) = 0.0
0050B872  |. D8D1           FCOM ST(1)                      ; compare ST(0) with 0.0
0050B874  |. DFE0           FSTSW AX                        ; status word -> AX (C0 = AH bit 0, C2 = bit 2, C3 = bit 6)
0050B876  |. F6C4 41        TEST AH,41                      ; look at C3|C0
0050B879  |. 7B 40          JPO SHORT iw4mp.0050B8BB        ; taken when ST(0) <= 0.0 -> return 0.0
0050B87B  |. 8B0D D430A000  MOV ECX,DWORD PTR DS:[A030D4]   ; "radarjamDistMax" dvar
0050B881  |. D941 10        FLD DWORD PTR DS:[ECX+10]       ; ST(0) = radarjamDistMax, ST(1) = value, ST(2) = 0.0
0050B884  |. D8D9           FCOMP ST(1)                     ; compare radarjamDistMax with the value, then pop it
0050B886  |. DFE0           FSTSW AX                        ; status word -> AX
0050B888  |. F6C4 05        TEST AH,5                       ; look at C2|C0
0050B88B  |. 7B 2E          JPO SHORT iw4mp.0050B8BB        ; taken when radarjamDistMax < value -> return 0.0
0050B88D  |. A1 6C30A000    MOV EAX,DWORD PTR DS:[A0306C]   ; "radarjamDistMin" dvar
0050B892  |. D940 10        FLD DWORD PTR DS:[EAX+10]       ; ST(0) = radarjamDistMin
0050B895  |. D91C24         FSTP DWORD PTR SS:[ESP]         ; [ESP] = radarjamDistMin, pop
0050B898  |. D941 10        FLD DWORD PTR DS:[ECX+10]       ; ST(0) = radarjamDistMax again
0050B89B  |. D90424         FLD DWORD PTR SS:[ESP]          ; ST(0) = radarjamDistMin, read back from the scratch slot
0050B89E  |. D9C0           FLD ST                          ; duplicate ST(0): stack is min, min, max, value, 0.0
0050B8A0  |. DEEA           FSUBP ST(2),ST                  ; ST(2) = max - min, pop: min, max - min, value, 0.0
0050B8A2  |. D9C9           FXCH ST(1)                      ; ST(0) = max - min, ST(1) = min
0050B8A4  |. D91C24         FSTP DWORD PTR SS:[ESP]         ; [ESP] = max - min (the range), pop
0050B8A7  |. D9C2           FLD ST(2)                       ; ST(0) = copy of the 0.0 from FLDZ
0050B8A9  |. D90424         FLD DWORD PTR SS:[ESP]          ; ST(0) = range, ST(1) = 0.0
0050B8AC  |. DDE1           FUCOM ST(1)                     ; compare range with 0.0, result encoded in the status word. see http://www.ousob.com/ng/masm/ng3c76c.php
0050B8AE  |. DFE0           FSTSW AX                        ; status word -> AX
0050B8B0  |. DDD9           FSTP ST(1)                      ; drop the 0.0 copy (ST(1) = ST(0), pop): range, min, value, 0.0
0050B8B2  |. F6C4 44        TEST AH,44                      ; look at C3|C2
0050B8B5  |. 7A 08          JPE SHORT iw4mp.0050B8BF        ; taken when range != 0.0, this one should be followed to 50B8BF
0050B8B7  |. DDD9           FSTP ST(1)                      ; range == 0: unwind the stack...
0050B8B9  |. DDD9           FSTP ST(1)
0050B8BB  |> DDD8           FSTP ST                         ; ...down to the 0.0 from FLDZ
0050B8BD  |. 59             POP ECX                         ; free the scratch slot
0050B8BE  |. C3             RETN                            ; return 0.0 in ST(0)
0050B8BF  |> DDDB           FSTP ST(3)                      ; park the range in ST(3), pop: min, value, range
0050B8C1  |. D8D1           FCOM ST(1)                      ; compare radarjamDistMin with the value
0050B8C3  |. DFE0           FSTSW AX                        ; status word -> AX
0050B8C5  |. F6C4 01        TEST AH,1                       ; look at C0
0050B8C8  |. 75 0A          JNZ SHORT iw4mp.0050B8D4        ; taken when radarjamDistMin < value, must be followed to 50B8D4
0050B8CA  |. DDD8           FSTP ST                         ; value <= min: empty the stack
0050B8CC  |. DDD8           FSTP ST
0050B8CE  |. DDD8           FSTP ST
0050B8D0  |> D9E8           FLD1                            ; ST(0) = 1.0
0050B8D2  |. 59             POP ECX                         ; free the scratch slot
0050B8D3  \. C3             RETN                            ; return 1.0
0050B8D4  |> DEE9           FSUBP ST(1),ST                  ; ST(1) = value - min, pop: value - min, range
0050B8D6  |. 8B0D B030A000  MOV ECX,DWORD PTR DS:[A030B0]   ; "thermalBlurFactorScope" dvar. Thermal blur is used for the noise
0050B8DC  |. 8079 10 00     CMP BYTE PTR DS:[ECX+10],0      ; is it zero? x87 instructions do not touch EFLAGS, so the JE below still sees this
0050B8E0  |. DEF1           FDIVRP ST(1),ST                 ; reversed divide: ST(1) = ST(0) / ST(1) = (value - min) / range, pop
0050B8E2  |. D9E8           FLD1                            ; ST(0) = 1.0
0050B8E4  |. DEE1           FSUBRP ST(1),ST                 ; reversed subtract: ST(1) = ST(0) - ST(1) = 1.0 - (value - min) / range, pop
0050B8E6  |. D91C24         FSTP DWORD PTR SS:[ESP]         ; [ESP] = result, pop
0050B8E9  |. 74 23          JE SHORT iw4mp.0050B90E         ; thermalBlurFactorScope == 0 -> return the result as is
0050B8EB  |. D90424         FLD DWORD PTR SS:[ESP]          ; reload the result
0050B8EE  |. DC0D 284C7100  FMUL QWORD PTR DS:[714C28]      ; multiply ST(0) by the double constant at 714C28
0050B8F4  |. DC0D 50C97200  FMUL QWORD PTR DS:[72C950]      ; multiply ST(0) by the double constant at 72C950
0050B8FA  |. D91C24         FSTP DWORD PTR SS:[ESP]         ; round it to float in the scratch slot
0050B8FD  |. D90424         FLD DWORD PTR SS:[ESP]          ; and reload it as the argument
0050B900  |. E8 3B951A00    CALL iw4mp.006B4E40             ; call with the value in ST(0), probably what draws the noise?
0050B905  |. D91C24         FSTP DWORD PTR SS:[ESP]         ; round the return value to float
0050B908  |. D90424         FLD DWORD PTR SS:[ESP]
0050B90B  |. D91C24         FSTP DWORD PTR SS:[ESP]
0050B90E  |> D90424         FLD DWORD PTR SS:[ESP]          ; ST(0) = result
0050B911  |. 59             POP ECX                         ; free the scratch slot
0050B912  \. C3             RETN                            ; return it
Wieeee... staring at olly for too long gives you a brainphuck.
There are 4 methods to disable radar jamming from the perkfags:
1. Write 0xC3 (RETN) at 50B860.
2. Detour the function: __asm pushad, exec orig, __asm popad.
3.

Code:

__asm
{
    mov eax, dword ptr ds:[0xA0306C]   // radarjamDistMin dvar
    mov dword ptr [eax+0x10], 0        // current value = 0.0f (all-zero bits)
    mov eax, dword ptr ds:[0xA030D4]   // radarjamDistMax dvar
    mov dword ptr [eax+0x10], 0        // current value = 0.0f
}
4.

Code:

__asm
{
    mov eax, dword ptr ds:[0xA030B0]   // thermalBlurFactorScope dvar
    mov byte ptr [eax+0x10], 0         // the function reads this as a BYTE (CMP BYTE PTR [ECX+10],0)
}
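To pin down what the listing actually computes, here is an added C example (mine, not code from the post or from the game): a small emulator for the FSTSW AX / TEST AH,mask / JPE|JPO idioms that turns each one into the comparison it encodes, and a reconstruction of 0050B860 written in terms of those comparisons. The names `x` (the float at 8F1E7C), `force_full` (the flag at 7F49E4) and `thermal_fn` are my assumptions; the post does not say what those globals are, and the two double constants plus the CALL 006B4E40 are folded into the caller-supplied `thermal_fn` rather than modelled.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not code from the original post or from the game):
 * decodes the x87 "FSTSW AX / TEST AH,mask / JPE|JPO" compare idioms
 * from the listing and reconstructs what 0050B860 returns.
 */

/* Condition-code bits as they land in AH after FSTSW AX. */
#define X87_C0 0x01u
#define X87_C2 0x04u
#define X87_C3 0x40u

/* Outcomes of FCOM/FUCOM ST(0),src, as bit flags so sets of them can be returned. */
#define CMP_GT    0x1u   /* ST(0) >  src */
#define CMP_LT    0x2u   /* ST(0) <  src */
#define CMP_EQ    0x4u   /* ST(0) == src */
#define CMP_UNORD 0x8u   /* a NaN was involved */

/* What FCOM leaves in AH for each outcome (C3 C2 C0 = 000 / 001 / 100 / 111). */
static uint8_t ah_for_outcome(unsigned outcome)
{
    switch (outcome) {
    case CMP_GT: return 0;
    case CMP_LT: return X87_C0;
    case CMP_EQ: return X87_C3;
    default:     return X87_C0 | X87_C2 | X87_C3;
    }
}

/* PF after TEST is set when the low byte of the result has an even number of 1 bits. */
static int parity_even(uint8_t v)
{
    int ones = 0;
    for (; v; v >>= 1)
        ones += v & 1;
    return (ones & 1) == 0;
}

/*
 * Emulates "TEST AH,mask" followed by JPE (jump_on_even = 1) or JPO (jump_on_even = 0)
 * for all four compare outcomes and returns the set of outcomes that take the jump.
 */
unsigned idiom_taken_set(uint8_t mask, int jump_on_even)
{
    static const unsigned outcomes[4] = { CMP_GT, CMP_LT, CMP_EQ, CMP_UNORD };
    unsigned taken = 0;
    for (int i = 0; i < 4; i++) {
        if (parity_even(ah_for_outcome(outcomes[i]) & mask) == jump_on_even)
            taken |= outcomes[i];
    }
    return taken;
}

/*
 * Reconstruction of 0050B860, branch by branch. Assumed names: `x` is the float
 * at 8F1E7C, `force_full` the dword at 7F49E4; `thermal_fn` stands in for the two
 * FMULs and the CALL 006B4E40 taken only when thermalBlurFactorScope != 0.
 */
float radarjam_factor(int force_full, float x, float jam_min, float jam_max,
                      int thermal_scope, float (*thermal_fn)(float))
{
    if (force_full)
        return 1.0f;                        /* JNZ 0050B8D0 -> FLD1 */
    if (x <= 0.0f)
        return 0.0f;                        /* TEST AH,41 / JPO: ST(0) <= 0.0 */
    if (jam_max < x)
        return 0.0f;                        /* TEST AH,5 / JPO: radarjamDistMax < x */
    float range = jam_max - jam_min;
    if (range == 0.0f)
        return 0.0f;                        /* TEST AH,44 / JPE not taken: range == 0 */
    if (!(jam_min < x))
        return 1.0f;                        /* TEST AH,1 / JNZ not taken: x <= radarjamDistMin */
    float f = 1.0f - (x - jam_min) / range; /* FSUBP, FDIVRP, FLD1, FSUBRP */
    if (thermal_scope && thermal_fn)
        return thermal_fn(f);               /* JE 0050B90E not taken */
    return f;
}

int main(void)
{
    printf("TEST AH,41 / JPO taken for outcomes 0x%x (LT|EQ: ST(0) <= src)\n", idiom_taken_set(0x41, 0));
    printf("TEST AH,05 / JPO taken for outcomes 0x%x (LT: ST(0) < src)\n", idiom_taken_set(0x05, 0));
    printf("TEST AH,44 / JPE taken for outcomes 0x%x (everything but EQ: ST(0) != src)\n", idiom_taken_set(0x44, 1));
    printf("factor(x=300, min=100, max=500) = %.2f\n",
           radarjam_factor(0, 300.0f, 100.0f, 500.0f, 0, NULL));
    return 0;
}
```

Read this way, the function is a linear falloff: 1.0 inside radarjamDistMin, 0.0 beyond radarjamDistMax, and 1 - (x - min) / (max - min) in between. Method 3 works because with both dvars at 0.0 every positive x hits the "radarjamDistMax < x" exit (and the degenerate case hits the "range == 0" exit), both of which return 0.0. Method 1 needs one caveat: a RETN at 50B860 also skips the FLDZ/FLD1, so the caller receives whatever happens to be in ST(0).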