In CoD4: MW they pushed 4; in MW2 they push 104.
So find command -> push 104.
The third result should be the one shown below:
Code:
0045FB74 . 51 PUSH ECX
0045FB75 . D91C24 FSTP DWORD PTR SS:[ESP]
0045FB78 . 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
0045FB7C . 52 PUSH EDX
0045FB7D . 68 04010000 PUSH 104
0045FB82 . 50 PUSH EAX
0045FB83 . 53 PUSH EBX
0045FB84 . 55 PUSH EBP
0045FB85 . E8 46240B00 CALL iw4mp.00511FD0
Just replacing that push 104 with push 82 will result in a VAC ban (detected).
I found out that the call right below takes the 104 off the stack.
So let's modify the stack :)
Make sure you have detours 1.5 installed!
We'll also want to know what the function looks like, so open up IW4MP.exe in IDA Pro.
Go to the function list and locate sub_511FD0.
Press Enter while that line is selected, then select the function name at the top and right click -> set function type.
It should show you this:
int __cdecl sub_511FD0(int, int, int, int, int, float)
Let's start with the C++ side ;D
Code:
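#include <detours.h>
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)

// Pointer to the original function, matching the prototype IDA shows.
int (__cdecl *osub_511FD0)(int a, int b, int c, int d, int e, float f);

// Replacement with the same signature; for now it only forwards the call.
int __cdecl xsub_511FD0(int a, int b, int c, int d, int e, float f)
{
    return osub_511FD0(a,b,c,d,e,f);
}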
No problem, you can check where the function returns with:
Code:
if(_ReturnAddress() == (void*)0x45FB8A)
{
    // If it gets here, it returns to the correct location (where we want to modify the stack from).
}
So our full code would be:
Code:
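#include <detours.h>
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)

// Pointer to the original function, matching the prototype IDA shows.
int (__cdecl *osub_511FD0)(int a, int b, int c, int d, int e, float f);

int __cdecl xsub_511FD0(int a, int b, int c, int d, int e, float f)
{
    // 0x45FB8A is the instruction right after the CALL at 0045FB85.
    if(_ReturnAddress() == (void*)0x45FB8A)
    {
        if(c==0x104)
        {
            return osub_511FD0(a,b,0x82,d,e,f);
        }
        else
        {
            // The esp offset depends on the stack frame the compiler generates.
            __asm mov [esp+0x30], 0x82;
            __asm jmp osub_511FD0;
        }
    }
    return osub_511FD0(a,b,c,d,e,f);
}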
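Added example (not part of the original post): the return address 0x45FB8A and the callee 0x511FD0 both follow from the 5-byte `E8 46240B00` CALL listed at 0045FB85, and the same rel32 decoding gives the integrity check a defender would run to spot a Detours-style JMP patched over a function entry. The prologue bytes, the patched entry and the image bounds are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One decoded x86 rel32 branch: E8 = CALL, E9 = JMP. */
typedef struct {
    int      valid;    /* 1 if the bytes start with E8 or E9 */
    uint8_t  opcode;
    uint32_t next;     /* address of the following instruction */
    uint32_t target;   /* absolute destination */
} rel32_branch;

/* Decode a 5-byte rel32 CALL/JMP located at virtual address va. */
rel32_branch decode_rel32(const uint8_t *p, size_t len, uint32_t va)
{
    rel32_branch r = {0, 0, 0, 0};
    if (len < 5 || (p[0] != 0xE8 && p[0] != 0xE9))
        return r;
    uint32_t rel = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                   (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    r.valid = 1;
    r.opcode = p[0];
    r.next = va + 5;           /* return address when the opcode is CALL */
    r.target = r.next + rel;   /* wraps mod 2^32, same as the CPU */
    return r;
}

/* Integrity check: the entry starts with a JMP that leaves [lo, hi). */
int entry_is_detoured(const uint8_t *p, size_t len, uint32_t va,
                      uint32_t lo, uint32_t hi)
{
    rel32_branch r = decode_rel32(p, len, va);
    return r.valid && r.opcode == 0xE9 && (r.target < lo || r.target >= hi);
}

/* CALL bytes as listed at 0045FB85 in the disassembly above. */
static const uint8_t call_site[] = {0xE8, 0x46, 0x24, 0x0B, 0x00};
/* Constructed samples: an ordinary prologue and a patched entry. */
static const uint8_t clean_entry[]   = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
static const uint8_t patched_entry[] = {0xE9, 0x2B, 0xF0, 0xAE, 0x0F, 0x10};
#define IMG_LO 0x00400000u  /* assumed image bounds, not from the page */
#define IMG_HI 0x00700000u

int main(void)
{
    rel32_branch c = decode_rel32(call_site, sizeof call_site, 0x0045FB85u);
    printf("call target %08X, returns to %08X, patched=%d\n", (unsigned)c.target, (unsigned)c.next,
           entry_is_detoured(patched_entry, sizeof patched_entry, 0x00511FD0u, IMG_LO, IMG_HI));
    return 0;
}
```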