This is another MMORPG and I'm actually trying to hack this game.
I'm pretty poor at reversing and this is the first game in which I actually tried to find XYZ coordinates on my own. Now I'm not sure if I'm actually doing this right and could use some help.
Firstly, I search for the values of the X and Y coordinates. I found the pointers and I was successful in altering the XYZ floats in CE. Of course this game has DMA (dynamic memory allocation), so I have to search for the ESI register address every time I want the pointer to work. So I thought to analyze rift.exe with my static debugger (IDA) and then search for my pointer again. Of course I hit a wall when I realised that I can't do much there, because I have no way (no idea, actually) to find the ESI. When I debug in Olly and see the ESI, it goes outside the rift.exe module, and I use that address as my pointer address to make my pointer work. To go back to the DMA problem, I thought to do the same as they did in World of Warcraft: rebase the program in IDA to 0x1000 and then find the address. However, IDA gets stuck a lot and it takes ages to rebase... but I still think this is the best solution.
Anyway,
So when I make a pointer in CE, esi + D0, it finds the X coordinate, and I can change it in CE to my liking and it will put me there.
Now my question is: how can I find the address (ESI) in IDA for my pointer to work?
I linked the function below if you want to take a look. This is from IDA.
.text:00C39800 ; =============== S U B R O U T I N E =======================================
.text:00C39800
.text:00C39800 ; Attributes: bp-based frame
.text:00C39800
.text:00C39800 ; int __stdcall sub_C39800(int, float)
.text:00C39800 sub_C39800 proc near ; CODE XREF: sub_89FA80+193p
.text:00C39800 ; sub_CC1880+1Bp ...
.text:00C39800
.text:00C39800 var_38 = dword ptr -38h
.text:00C39800 var_24 = dword ptr -24h
.text:00C39800 var_20 = byte ptr -20h
.text:00C39800 arg_0 = dword ptr 8
.text:00C39800 arg_4 = dword ptr 0Ch
.text:00C39800
.text:00C39800 push ebp
.text:00C39801 mov ebp, esp
.text:00C39803 and esp, 0FFFFFFF0h
.text:00C39806 mov eax, [ebp+arg_0]
.text:00C39809 fld dword ptr [eax]
.text:00C3980B sub esp, 28h
.text:00C3980E push esi
.text:00C3980F mov esi, ecx
.text:00C39811 fstp dword ptr [esi+0D0h] ; X coordinates
.text:00C39817 push edi
.text:00C39818 fld dword ptr [eax+4]
.text:00C3981B fstp dword ptr [esi+0D4h] ; Y coordinates
.text:00C39821 fld dword ptr [eax+8]
.text:00C39824 fstp dword ptr [esi+0D8h] ; Z coordinates
.text:00C3982A fld dword ptr [eax+0Ch]
.text:00C3982D fstp dword ptr [esi+0DCh]
.text:00C39833 mov eax, [esi+8]
.text:00C39836 test eax, eax
.text:00C39838 jz short loc_C3987D
.text:00C3983A mov eax, [eax+74h]
.text:00C3983D fld dword ptr [eax+4]
.text:00C39840 mov ecx, [esi+10h]
.text:00C39843 fmul ds:dbl_1071108
.text:00C39849 mov edx, [ecx]
.text:00C3984B mov edx, [edx+1Ch]
.text:00C3984E lea edi, [esp+30h+var_20]
.text:00C39852 fstp [esp+30h+var_24]
.text:00C39856 push edi
.text:00C39857 fld [esp+34h+var_24]
.text:00C3985B push ecx
.text:00C3985C fadd [ebp+arg_4]
.text:00C3985F lea eax, [esi+0A0h]
.text:00C39865 fstp [esp+38h+var_24]
.text:00C39869 fld [esp+38h+var_24]
.text:00C3986D fstp [esp+38h+var_38]
.text:00C39870 push eax
.text:00C39871 call edx
.text:00C39873 mov eax, edi
.text:00C39875 push eax
.text:00C39876 mov ecx, esi
.text:00C39878 call sub_C4C3A0
.text:00C3987D
.text:00C3987D loc_C3987D: ; CODE XREF: sub_C39800+38j
.text:00C3987D pop edi
.text:00C3987E pop esi
.text:00C3987F mov esp, ebp
.text:00C39881 pop ebp
.text:00C39882 retn 8
.text:00C39882 sub_C39800 endp
.text:00C39882
.text:00C39882 ; ---------------------------------------------------------------------------
.text:00C39885 align 10h
.text:00C39890
PS: Addresses shown here are from IDA and the rift.exe patch dated 04/03/2011.
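The listing above is a __thiscall setter: ECX (copied into ESI) is the object pointer, and the function stores four floats from its first argument at this+0xD0, +0xD4, +0xD8 and +0xDC, which is why the CE pointer esi+D0 lands on X. The usual way to make such a pointer survive reallocation is a multi-level pointer chain from a static slot inside the module. As an added example that is not part of the original post and not code from Rift or from IDA, the C program below implements a Cheat-Engine-style pointer-chain resolver for a 32-bit target and runs it against a constructed in-process memory image that mimics that layout. The module base 0x01000000, the static slot offset 0x1234, the object location 0x2000 and the sample position values are all hypothetical stand-ins; only the +0xD0..+0xDC offsets come from the listing. In a real trainer the two memory helpers would wrap ReadProcessMemory/WriteProcessMemory and the base would be the module's load address plus a scanned offset.

```c
/* Added example, not from the original post or from Rift's code.
 * Cheat-Engine-style multi-level pointer resolver for a 32-bit target,
 * exercised against a constructed in-process memory image whose object
 * layout mirrors the posted listing: X at this+0xD0, Y at +0xD4,
 * Z at +0xD8, a fourth float at +0xDC. Every address below except those
 * offsets is a hypothetical stand-in, not a real rift.exe address. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_BASE   0x01000000u          /* hypothetical module base        */
#define IMG_SIZE   0x4000u
#define STATIC_PTR (IMG_BASE + 0x1234u) /* hypothetical static pointer slot */
#define OBJ_ADDR   (IMG_BASE + 0x2000u) /* where the constructed object sits */
#define OFF_X      0xD0u                /* from the listing: fstp [esi+0D0h] */

static uint8_t g_image[IMG_SIZE];       /* the fake 32-bit address space   */

/* In a real trainer these wrap ReadProcessMemory / WriteProcessMemory.
 * Pointers in the target are 4 bytes, so every dereference reads uint32_t. */
static bool mem_read(uint32_t addr, void *out, size_t len) {
    if (addr < IMG_BASE || addr - IMG_BASE + len > IMG_SIZE) return false;
    memcpy(out, g_image + (addr - IMG_BASE), len);
    return true;
}
static bool mem_write(uint32_t addr, const void *in, size_t len) {
    if (addr < IMG_BASE || addr - IMG_BASE + len > IMG_SIZE) return false;
    memcpy(g_image + (addr - IMG_BASE), in, len);
    return true;
}

/* Populate the image: the static slot points at the object, and the object's
 * position block holds constructed sample values. */
void build_sample_image(void) {
    const uint32_t obj = OBJ_ADDR;
    const float pos[4] = { 10.5f, 20.25f, -3.0f, 1.0f };
    memset(g_image, 0, sizeof g_image);
    mem_write(STATIC_PTR, &obj, sizeof obj);        /* [STATIC_PTR] = obj   */
    mem_write(OBJ_ADDR + OFF_X, pos, sizeof pos);   /* obj+D0..DC = X Y Z W */
}

/* Follow a CE pointer chain: cur = [base]; each intermediate offset is added
 * and dereferenced, the last offset is only added, so the result is the
 * address of the value (what CE displays), not the value itself.
 * Returns 0 when any level is null or unreadable, i.e. the object is not
 * currently allocated, which is the DMA case the post describes. */
uint32_t resolve_chain(uint32_t base, const uint32_t *offs, size_t n) {
    uint32_t cur;
    if (!mem_read(base, &cur, sizeof cur) || cur == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        cur += offs[i];
        if (i + 1 == n) break;
        uint32_t next;
        if (!mem_read(cur, &next, sizeof next) || next == 0) return 0;
        cur = next;
    }
    return cur;
}

/* Read the four floats the listing stores at this+0xD0. */
bool read_position(uint32_t this_ptr, float out[4]) {
    return mem_read(this_ptr + OFF_X, out, 4 * sizeof(float));
}

/* Mirror what sub_C39800 does with its first argument: copy a 4-float
 * vector into this+0xD0..0xDC. Doing it from outside is the teleport. */
bool write_position(uint32_t this_ptr, const float in[4]) {
    return mem_write(this_ptr + OFF_X, in, 4 * sizeof(float));
}

/* Resolve the one-level chain STATIC_PTR -> +D0 and fetch X. */
bool current_x(float *x) {
    const uint32_t offs[] = { OFF_X };
    uint32_t addr = resolve_chain(STATIC_PTR, offs, 1);
    if (addr == 0) return false;
    return mem_read(addr, x, sizeof *x);
}

int main(void) {
    build_sample_image();
    const uint32_t offs[] = { OFF_X };
    uint32_t xaddr = resolve_chain(STATIC_PTR, offs, 1);
    float pos[4];
    if (xaddr == 0 || !read_position(xaddr - OFF_X, pos)) {
        puts("pointer chain not resolved (object not allocated)");
        return 1;
    }
    printf("X at %08X: X=%g Y=%g Z=%g\n", xaddr, pos[0], pos[1], pos[2]);
    const float tele[4] = { 100.0f, 200.0f, 50.0f, 1.0f };
    write_position(xaddr - OFF_X, tele);
    float x = 0.0f;
    if (current_x(&x)) printf("after write: X=%g\n", x);
    return 0;
}
```

The null check in resolve_chain is the part that matters in practice: when the entity is freed and reallocated, the static slot either holds the new object address (the chain keeps working) or zero (the resolver reports "not loaded" instead of writing into garbage). Finding the static slot is the pointer-scan step in CE; the disassembly alone tells you the layout of the object, not where its pointer is kept.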