Modern Warfare 2 - Engine wallhack

Post by TeamRetox

Once again, open IW4MP.exe in OllyDBG.
In CoD4: MW they pushed 4, in MW2 they push 104.
So find command -> push 104.
The third result should be the one shown below:

Code:

0045FB74   . 51             PUSH ECX
0045FB75   . D91C24         FSTP DWORD PTR SS:[ESP]
0045FB78   . 8D5424 20      LEA EDX,DWORD PTR SS:[ESP+20]
0045FB7C   . 52             PUSH EDX
0045FB7D   . 68 04010000    PUSH 104
0045FB82   . 50             PUSH EAX
0045FB83   . 53             PUSH EBX
0045FB84   . 55             PUSH EBP
0045FB85   . E8 46240B00    CALL iw4mp.00511FD0

In MW1 you'd push 12 for a wallhack, in MW2 you need to push 82.
Just replacing that push 104 with push 82 will result in a VAC ban (detected).

Found out that the call right below takes the 104 off the stack.
So let's modify the stack :)

Make sure you have Detours 1.5 installed!
And we'll want to know what the function looks like, so open up IW4MP.exe in IDA Pro.
Go to the function list and locate sub_511FD0.
Press enter while selecting that line, select the function name at the top and right click -> set function type.
It should show you this:
int __cdecl sub_511FD0(int, int, int, int, int, float)

Let's start with the C++ side ;D

Code:

#include <detours.h>
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)

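// Pointer to the original sub_511FD0
int (__cdecl *osub_511FD0)(int a, int b, int c, int d, int e, float f);
// Replacement with the same signature; for now it only forwards the call
int __cdecl xsub_511FD0(int a, int b, int c, int d, int e, float f)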
{
     return osub_511FD0(a,b,c,d,e,f);
}

If you find references to -> selected command in Olly (inside this function), you'll see multiple calls, but we only want to modify one of them! o__O
No problem, you can check where the function returns with:

Code:

if(_ReturnAddress() == (void*)0x45FB8A)
{
    // If it gets here, it returns to the correct location (where we want to modify the stack from).
}

Since assembly pushes params in reversed order, the push 104 would be int c.

So our full code would be:

Code:

#include <detours.h>
#include <intrin.h>
#pragma intrinsic(_ReturnAddress)

// Pointer to the original sub_511FD0
int (__cdecl *osub_511FD0)(int a, int b, int c, int d, int e, float f);
int __cdecl xsub_511FD0(int a, int b, int c, int d, int e, float f)
{
    // Only act on the call that returns to 0x45FB8A
    if(_ReturnAddress() == (void*)0x45FB8A)
    {
        if(c==0x104)
        {
            return osub_511FD0(a,b,0x82,d,e,f);
        }
        else
        {
            __asm mov [esp+0x30], 0x82;
            __asm jmp osub_511FD0;
        }
    }
    return osub_511FD0(a,b,c,d,e,f);
}

Not sure if the asm part would compile, as I am writing this in here.
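
From the defender's side, a hook on sub_511FD0 like the one in the post can be caught by comparing the function's entry bytes in memory with a trusted copy. The following is an added example, not code from the original post. It assumes the hook is installed as a 5-byte JMP rel32 at the function entry; the module range, prologue bytes and jump targets are constructed sample values, and only the address 0x511FD0 comes from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum entry_status { ENTRY_CLEAN, ENTRY_MODIFIED, ENTRY_JMP_OUTSIDE };

/* Decode the destination of a 5-byte JMP rel32 (opcode E9) located at va. */
uint32_t jmp_target(const uint8_t *code, uint32_t va)
{
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return va + 5u + rel;   /* wraps modulo 2^32, as the CPU does */
}

/* Compare live entry bytes with the trusted copy and classify any difference. */
enum entry_status check_entry(const uint8_t *live, const uint8_t *ref, size_t n,
                              uint32_t va, uint32_t mod_lo, uint32_t mod_hi)
{
    if (memcmp(live, ref, n) == 0)
        return ENTRY_CLEAN;
    if (n >= 5 && live[0] == 0xE9) {
        uint32_t t = jmp_target(live, va);
        if (t < mod_lo || t >= mod_hi)
            return ENTRY_JMP_OUTSIDE;   /* entry redirected out of the module */
    }
    return ENTRY_MODIFIED;              /* bytes differ for some other reason */
}

/* Constructed sample data; only FUNC_VA comes from the post. */
#define FUNC_VA 0x00511FD0u
#define MOD_LO  0x00401000u   /* assumed code range of the module */
#define MOD_HI  0x006D0000u
const uint8_t ref_entry[6]    = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
const uint8_t hooked_entry[6] = {0xE9, 0x2B, 0xF0, 0xAE, 0x0F, 0x90};
const uint8_t inmod_entry[6]  = {0xE9, 0x10, 0x00, 0x00, 0x00, 0x90};

int main(void)
{
    const uint8_t *s[] = {ref_entry, hooked_entry, inmod_entry};
    for (int i = 0; i < 3; i++)
        printf("sample %d -> status %d\n", i,
               check_entry(s[i], ref_entry, 6, FUNC_VA, MOD_LO, MOD_HI));
    return 0;
}
```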