Modern Warfare 2 - Engine wallhack
Posted: Tue Feb 16, 2010 1:53 pm
Once again, open IW4MP.exe in OllyDBG.
In CoD4: MW they pushed 4; in MW2 they push 104.
So find command -> push 104.
The third result should be the one shown below:
Code:
0045FB74 . 51 PUSH ECX
0045FB75 . D91C24 FSTP DWORD PTR SS:[ESP]
0045FB78 . 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
0045FB7C . 52 PUSH EDX
0045FB7D . 68 04010000 PUSH 104
0045FB82 . 50 PUSH EAX
0045FB83 . 53 PUSH EBX
0045FB84 . 55 PUSH EBP
0045FB85 . E8 46240B00 CALL iw4mp.00511FD0
Just replacing that push 104 with push 82 will result in a VAC ban (detected).
I found out that the call right below takes the 104 off the stack.
So let's modify the stack :)
Make sure you have Detours 1.5 installed!
And we'll want to know what the function looks like, so open IW4MP.exe in IDA Pro.
Go to the function list and locate sub_511FD0.
Press Enter while that line is selected, then select the function name at the top and right-click -> Set function type.
It should show you this:
int __cdecl sub_511FD0(int, int, int, int, int, float)
Let's start with the C++ side ;D
Code:
#include <windows.h>
#include <detours.h>
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)

// trampoline to the original sub_511FD0, filled in when the detour is installed
int (__cdecl *osub_511FD0)(int a, int b, int c, int d, int e, float f) = NULL;

int __cdecl xsub_511FD0(int a, int b, int c, int d, int e, float f)
{
    return osub_511FD0(a, b, c, d, e, f);
}
If you find references to -> selected command in Olly (inside this function) you'll see multiple calls, but we only want to modify one of them! o__O
No problem, you can check where the function returns with:
Code:
// 0045FB85 + 5 (the length of the CALL) = 0045FB8A
if ((DWORD)_ReturnAddress() == 0x45FB8A)
{
    // if it gets here it returns to the correct location (where we want to modify the stack from).
}
Since assembly pushes params in reverse order, the push 104 would be int c.
So our full code would be:
Code:
#include <windows.h>
#include <detours.h>
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)

// trampoline to the original sub_511FD0, filled in by DetourFunction() below
int (__cdecl *osub_511FD0)(int a, int b, int c, int d, int e, float f) = NULL;

int __cdecl xsub_511FD0(int a, int b, int c, int d, int e, float f)
{
    // only the CALL at 0045FB85 returns to 0045FB8A, so only that call site is touched
    if ((DWORD)_ReturnAddress() == 0x45FB8A)
    {
        if (c == 0x104)
        {
            // hand the original 82 instead of the 104 that was pushed
            return osub_511FD0(a, b, 0x82, d, e, f);
        }
        else
        {
            // overwrite the argument slot on the stack and jump straight into the original
            __asm mov dword ptr [esp+0x30], 0x82
            __asm jmp dword ptr [osub_511FD0]
        }
    }
    return osub_511FD0(a, b, c, d, e, f);
}

// Detours 1.5: DetourFunction() patches sub_511FD0 and returns the trampoline
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        osub_511FD0 = (int (__cdecl *)(int, int, int, int, int, float))
            DetourFunction((PBYTE)0x511FD0, (PBYTE)xsub_511FD0);
    }
    return TRUE;
}
Not sure if the asm part would compile, as I'm writing this here.
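Added example, not code from the post above: a stand-alone Linux model (GCC or clang) of the same idea, hooking a six-argument routine and rewriting argument c only when the call comes from one specific call site. There is no Detours here; a volatile function pointer (engine_entry) stands in for the detour, engine_sub_511FD0 is a stub that returns c so you can see what the "engine" received, and call_site_a / call_site_b / g_site_b_c are invented names for the two call sites Olly would list. Because the addresses are not known in advance, the hook maps __builtin_return_address(0) to the nearest known function start instead of comparing it with a hard-coded 0x45FB8A; that mapping is this example's substitute for the post's fixed-address check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*sub_fn)(int a, int b, int c, int d, int e, float f);

/* Stand-in for sub_511FD0 (int __cdecl sub_511FD0(int,int,int,int,int,float)).
   It returns c so the caller can see which value actually reached the engine. */
static int engine_sub_511FD0(int a, int b, int c, int d, int e, float f)
{
    (void)a; (void)b; (void)d; (void)e; (void)f;
    return c;
}

/* What a detour library hands back as the trampoline to the original routine. */
static sub_fn osub_511FD0 = engine_sub_511FD0;

/* The entry every call site goes through; install_hook() swaps it for the hook.
   volatile keeps the compiler from folding the callee into the call sites,
   which would destroy the return-address distinction the hook relies on. */
static volatile sub_fn engine_entry = engine_sub_511FD0;

/* Value site B pushes for c; volatile so it can be changed at run time (constructed input). */
static volatile int g_site_b_c = 0x104;

/* Two call sites, like the several CALL iw4mp.00511FD0 references Olly lists.
   Both pass 0x104; only call_site_b (the analogue of 0045FB85) may be retargeted.
   The volatile store after the call stops a tail call, so the return address
   the hook sees always lies inside the calling function. */
__attribute__((noinline)) static int call_site_a(void)
{
    int r = engine_entry(0, 1, 0x104, 2, 3, 1.0f);
    volatile int keep = r;
    return keep;
}

__attribute__((noinline)) static int call_site_b(void)
{
    int r = engine_entry(0, 1, g_site_b_c, 2, 3, 1.0f);
    volatile int keep = r;
    return keep;
}

/* Caller identification. The post compares _ReturnAddress() with the fixed
   address 0x45FB8A; here addresses are only known at run time, so the return
   address is mapped to the nearest known function start at or below it. */
static uintptr_t caller_start(uintptr_t ra)
{
    const uintptr_t starts[] = { (uintptr_t)call_site_a, (uintptr_t)call_site_b };
    uintptr_t best = 0;
    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++)
        if (starts[i] <= ra && starts[i] > best)
            best = starts[i];
    return best;
}

/* The hook, same shape as the post's xsub_511FD0: the argument is rewritten on
   the way into the original, and no code bytes at the call site change. */
__attribute__((noinline)) static int xsub_511FD0(int a, int b, int c, int d, int e, float f)
{
    uintptr_t ra = (uintptr_t)__builtin_return_address(0);
    if (caller_start(ra) == (uintptr_t)call_site_b && c == 0x104)
        return osub_511FD0(a, b, 0x82, d, e, f);
    return osub_511FD0(a, b, c, d, e, f);
}

static void install_hook(void) { engine_entry = xsub_511FD0; }
static void remove_hook(void)  { engine_entry = engine_sub_511FD0; }

int main(void)
{
    printf("before hook: site A -> 0x%x, site B -> 0x%x\n", call_site_a(), call_site_b());
    install_hook();
    printf("after hook:  site A -> 0x%x, site B -> 0x%x\n", call_site_a(), call_site_b());
    remove_hook();
    return 0;
}
```

Build with plain `cc hook_demo.c` at any optimisation level. The two things that break caller identification in a real hook are the same two the example guards against: the hook being inlined or reached through a tail call (the return address then belongs to someone else's frame), and the compiler folding the indirect call away. The nearest-start lookup only knows about the sites you registered, which is exactly the limitation of the post's hard-coded 0x45FB8A check: a third caller of the routine is passed through untouched.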