Aliens vs Predator 2010 (AvP3 / AvP2010) - hacks, hacking and exploits

Article is Not Completed / Updating
This article is either not completed or under constant updating. If you wish to add or correct something in this article, contact the article author or one of the moderators (see the main page).



Notice - There have been many updates to AvP since these hacks and exploits were made, so many of them may no longer work. If that is the case, follow this link to the forum thread and post about them there.



Overview and History

  • Aliens vs Predator 2010 for PC was released on Feb 19, 2010
  • Aliens vs Predator 2010 (AvP 2010), also called Aliens vs Predator 3 (AvP 3): hacks and hacking.

The 2010 hack discussion was originally opened on Sethioz's forum on Thursday, February 04, 2010 at 2:06 pm by PinPoint. Sethioz removed the discussion because there were no actual hacks yet and he wanted his own post to be first, so he could easily edit it and add new hacks.

avp 3 hacks and aliens vs predator 2010 hacks

Soon Paraxxxito:: joined and created the journal "aliens vs predator 2010 hacks research". Sethioz linked this journal from his first post about AvP hacks on his forum, for easy access for visitors.

  • Sethioz found a bypass for the crash issues. He found out that the crash only occurs if you keep the hack(s) enabled over a longer period of time or during loading. The trick is to enable the ASM script and, as soon as you have what you wanted, disable it again.
  • So far there are a lot of unique hacks available, mostly made by Sethioz, Paraxxxito::, Nooblet666 and PinPoint. Sethioz's Ammo Type hack is a very well kept secret, because several people stole his hacks earlier.

Exploits

Overview

Application: Alien versus Predator
http://www.sega.com/games/aliens-vs-predator/
Versions: <= 2.22 (build Apr 26 2010)
Platforms: Windows
Bugs:

  • A: invalid memory access in packet 0x66
  • B: out of memory allocation in packet 0x66
  • C: NULL pointer in packet 0x66
  • D: NULL pointer in packet 0x0c
  • E: invalid memory access in packet 0x0c

Exploitation: remote, versus server
Date: 07 May 2010
Author: Luigi Auriemma
e-mail: [email protected]
web:    aluigi.org

Explanation

  • A: invalid memory access in packet 0x66

Packet 0x66 is used for sending the Steam ticket to the server. The size of the ticket is a 32-bit field read by the server; memory is allocated for it with an alignment of 0x400 and the ticket is then copied from the packet into the new memory. If the specified ticket size is bigger than the memory where the source packet is located (about 1800 bytes), the server will crash from attempting to read beyond the allocated memory.

Some variants also exist that are caused by the use of negative values (sometimes it is necessary to resend the packet to see their effects), where other crashes happen because of accesses to different places in memory.


  • B: out of memory allocation in packet 0x66

Exactly as above, but if the memory cannot be allocated the server terminates immediately with the following error: "***** OUT OF MEMORY! attempted allocation size: %u ****"


  • C: NULL pointer in packet 0x66

If the packet containing the Steam ticket is smaller than the minimum expected (for example 0 bytes), the server will crash due to a NULL pointer dereference.


  • D: NULL pointer in packet 0x0c

Another NULL pointer dereference can be triggered with an undersized 0x0c packet.

  • E: invalid memory access in packet 0x0c

The 0x0c packet has a field that contains the number of characters composing the chat message sent by the client. The server takes this 32-bit field, checks that it is lower than or equal to 0x800, and then runs a checksum function over the received chat message using this size.

The problem is that the packets used in the game have a maximum size of 0x400 bytes, so 0x800 (a limit probably chosen by the developers in confusion between the maximum packet size and the fact that the messages are 16-bit Unicode, so 0x400 * 2) goes beyond the memory allocated for the incoming packet. The result is a crash of the server caused by reading the unallocated memory after the packet.
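The two handlers described above, as an added example in C (not the game's code and not from the advisory): a hardened parse of the 0x66 ticket packet and the 0x0c chat length check, next to the unchecked form of the chat check. The wire layout (1-byte opcode, 4-byte little-endian length, payload) and the 64-byte test payload are assumptions made for illustration; only the bounds the advisory names (0x400 maximum packet size, 0x400 allocation alignment, 0x800 chat character limit) come from the text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire layout (illustration only, not from the advisory):
 *   byte 0     opcode (0x66 = Steam ticket, 0x0c = chat message)
 *   bytes 1-4  32-bit little-endian length field
 *   bytes 5..  payload (ticket bytes, or UTF-16 chat text)            */
#define HDR_LEN        5
#define PKT_BUF_SIZE   0x400   /* max packet size cited under bug E      */
#define TICKET_ALIGN   0x400   /* allocation alignment cited under bug A */
#define CHAT_MAX_CHARS 0x800   /* the limit the server checks (too big)  */

enum { PKT_OK = 0, PKT_TOO_SMALL, PKT_TRUNCATED, PKT_TOO_LARGE, PKT_NOMEM };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bugs A, B, C: the server trusts the 32-bit ticket length. This version keeps
 * the 0x400-aligned allocation but bounds the length by the bytes actually
 * received, which also rejects "negative" (high-bit) sizes. Caller frees *ticket. */
int parse_ticket_hardened(const uint8_t *pkt, size_t pkt_len,
                          uint8_t **ticket, size_t *ticket_len)
{
    *ticket = NULL;
    *ticket_len = 0;
    if (pkt_len > PKT_BUF_SIZE)
        return PKT_TOO_LARGE;
    if (pkt_len < HDR_LEN)                  /* bug C: empty or short packet   */
        return PKT_TOO_SMALL;
    uint32_t declared = rd32le(pkt + 1);
    if (declared == 0)
        return PKT_TOO_SMALL;
    if (declared > pkt_len - HDR_LEN)       /* bugs A and B: read past packet */
        return PKT_TRUNCATED;
    size_t alloc = ((size_t)declared + TICKET_ALIGN - 1) & ~(size_t)(TICKET_ALIGN - 1);
    uint8_t *buf = malloc(alloc);
    if (buf == NULL)
        return PKT_NOMEM;
    memcpy(buf, pkt + HDR_LEN, declared);   /* copies only what is really there */
    *ticket = buf;
    *ticket_len = declared;
    return PKT_OK;
}

/* Bug E: the server only checks nchars <= 0x800, then checksums nchars UTF-16
 * characters (2 bytes each) out of a 0x400-byte packet buffer. */
int chat_len_ok_vulnerable(size_t pkt_len, uint32_t nchars)
{
    (void)pkt_len;                          /* never consulted: that is the bug */
    return nchars <= CHAT_MAX_CHARS;
}

int chat_len_ok_hardened(size_t pkt_len, uint32_t nchars)
{
    if (pkt_len < HDR_LEN || pkt_len > PKT_BUF_SIZE)
        return 0;
    if (nchars > CHAT_MAX_CHARS)
        return 0;
    return (size_t)nchars * 2 <= pkt_len - HDR_LEN;   /* bytes actually present */
}

/* Build a constructed 0x66 packet whose header claims `declared` bytes while
 * carrying `payload_len` bytes, feed it to the parser and return the verdict. */
int ticket_verdict(uint32_t declared, size_t payload_len)
{
    uint8_t pkt[HDR_LEN + 64];
    uint8_t *ticket;
    size_t ticket_len;
    if (payload_len > 64)
        return -1;
    pkt[0] = 0x66;
    for (int i = 0; i < 4; i++)
        pkt[1 + i] = (uint8_t)(declared >> (8 * i));
    memset(pkt + HDR_LEN, 'A', payload_len);
    int rc = parse_ticket_hardened(pkt, HDR_LEN + payload_len, &ticket, &ticket_len);
    if (rc == PKT_OK && ticket_len != declared)
        rc = -1;
    free(ticket);
    return rc;
}

int main(void)
{
    printf("declared 16, carried 16:  %d (PKT_OK is %d)\n", ticket_verdict(16, 16), PKT_OK);
    printf("declared 0x7FFFFFFF:      %d (PKT_TRUNCATED is %d)\n", ticket_verdict(0x7FFFFFFFu, 16), PKT_TRUNCATED);
    printf("declared -1 (0xFFFFFFFF): %d (PKT_TRUNCATED is %d)\n", ticket_verdict(0xFFFFFFFFu, 16), PKT_TRUNCATED);
    printf("declared 0:               %d (PKT_TOO_SMALL is %d)\n", ticket_verdict(0, 0), PKT_TOO_SMALL);
    printf("chat 0x800 chars in 0x400-byte packet: vulnerable=%d hardened=%d\n",
           chat_len_ok_vulnerable(PKT_BUF_SIZE, CHAT_MAX_CHARS),
           chat_len_ok_hardened(PKT_BUF_SIZE, CHAT_MAX_CHARS));
    return 0;
}
```

The hardened chat check is the one the advisory says is missing: the 0x800 comparison is kept, but the decisive bound is twice the character count against the bytes left in the packet, so a 0x400-byte packet can never be read as 0x1000 bytes of UTF-16.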


Exploitation Tool and Code

Download the proof-of-concept tool here: Media:Avp3dos.rar

Fake players flooding (DoS)

  • These players are invisible to everybody except the server administrator: the player list appears empty, yet it is impossible to join a server that has been flooded with fake players; the error message is "server full".
  • This can be done using TCPFP and the AvP3 Join Packet
  • The AvP3 Join Packet is available here: Media:Avp3joinpacket.rar
  • Download and unpack avp3joinpacket.rar; it unpacks into avp3joinpacket.dat
  • tcpfp has to be run using the following command:
tcpfp -f "C:\Sethioz\exploits\avp3joinpacket.dat" -m 30 127.0.0.1 0000
  • -f specifies the path to the file
  • -m is the number of connections (number of fake players at a time). If you wish to fill a server with fake players, check its max players first; if it is 20, use 22-25 connections at most.
  • 127.0.0.1 - replace with the targeted server's IP
  • 0000 - replace with the targeted server's port


Available Hacks

1.  Unlimited:
     - ammo without reload for all human weapons
     - stims/shards
     - grenades for pulse rifle
2.  Unlimited health
3.  Unlimited predator energy
4.  Speed type
5.  Vision customizing
     - brightness
     - contrast
     - clear visions
     - textures
     - skin brightness (glow)
6.  Weapon customizing
     - clip size
     - bullets per shot
     - rate of fire
     - ammo left
     - grenades in clip
     - max grenades
     - grenades per shot
     - bullet spread
     - ammo type
     - vectors per round
7.  Crosshairs
8.  Cloak
9.  See cloaked characters
10. Wallhack
11. Auto Focus Mode
12. Vision customizing 2
      - brightness
      - textures

Hack Demonstration Videos

Trainers

  • +2 Ammo trainer by Sethioz (works online). This trainer changes max ammo and ammo in clip to 1 million, so there is no need to reload: nearly unlimited ammo. It is strongly recommended to read the included readme file, which explains that the game will crash if the trainer is not disabled after getting 1 million ammo. Disabling the trainer will not take the ammo away. It might not work after AvP updates.

Tools

Tutorials



1. Unlimited:

     - ammo without reload for all human weapons
     - stims/shards
     - grenades for pulse rifle

2. Unlimited health

  • Can be done in 2 different ways:
  • by following Finding Unknown Values
  • or by a game-specific search
  • Cheat Engine is suggested for this one
  • Select marine and select easy difficulty
  • Search for 128 (float)
  • Get hit and do a "decreased value" search
  • Keep filtering according to what happens to health until you end up with 2-10 addresses
  • Max health on easy difficulty is 128; however, once you get hit and health fills back up, it might not be exactly 128 anymore but, for example, 128.3289432.
  • It is suggested not to do an exact search more than once (only the first search).
  • Following searches can be ranged from 127 - 129 while health is full.
  • Now it is possible to write the ASM script.
  • Here is an example script:
  • Upper window (on): NOPs out the 5-byte instruction that writes health
offset 5463FC
hex 9090909090
  • Bottom window (off): restores the original 5 bytes
offset 5463FC
hex 324356F32E
  • These are not actual addresses or values, only an example.
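The scan-and-filter loop that Cheat Engine (and Tsearch, used in the later tutorials) runs for you, as an added example in C; this is not the tool's code. The two "snapshots" are constructed buffers standing in for a region of the game's memory before and after the marine takes a hit, and the offset 0x40 chosen for the health value is an arbitrary demo choice, not a real game address.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SNAP_BYTES     0x100
#define MAX_CANDIDATES (SNAP_BYTES / 4)

typedef struct {
    size_t n;
    size_t off[MAX_CANDIDATES];
} candidates_t;

static float rd_float(const uint8_t *snap, size_t off)
{
    float v;
    memcpy(&v, snap + off, sizeof v);   /* memcpy: portable type pun, no aliasing UB */
    return v;
}

static void wr_float(uint8_t *snap, size_t off, float v)
{
    memcpy(snap + off, &v, sizeof v);
}

/* First scan: every 4-byte-aligned float in [lo, hi]. An exact search is
 * lo == hi; the tutorial's ranged follow-up is lo = 127, hi = 129. Real
 * scanners can also step by 1 byte for unaligned values; this demo steps by 4. */
void scan_float_range(const uint8_t *snap, size_t len, float lo, float hi, candidates_t *c)
{
    c->n = 0;
    for (size_t off = 0; off + sizeof(float) <= len; off += 4) {
        float v = rd_float(snap, off);
        if (v >= lo && v <= hi)          /* NaN fails both tests and is skipped */
            c->off[c->n++] = off;
    }
}

/* Next scan ("decreased value"): keep candidates that went down between snapshots. */
void filter_decreased(const uint8_t *before, const uint8_t *after, candidates_t *c)
{
    size_t kept = 0;
    for (size_t i = 0; i < c->n; i++)
        if (rd_float(after, c->off[i]) < rd_float(before, c->off[i]))
            c->off[kept++] = c->off[i];
    c->n = kept;
}

/* Constructed data: three floats in range, only one of which is health. */
static void build_snapshots(uint8_t *before, uint8_t *after)
{
    memset(before, 0, SNAP_BYTES);
    wr_float(before, 0x10, 128.0f);     /* e.g. a max-health constant: never changes */
    wr_float(before, 0x40, 128.0f);     /* health (demo offset) */
    wr_float(before, 0x80, 127.5f);     /* unrelated value that happens to be in range */
    memcpy(after, before, SNAP_BYTES);
    wr_float(after, 0x40, 93.25f);      /* took a hit */
    wr_float(after, 0x80, 128.75f);     /* unrelated value went up, so it is dropped */
}

static size_t run(int apply_filter, size_t *single_off)
{
    uint8_t before[SNAP_BYTES], after[SNAP_BYTES];
    candidates_t c;
    build_snapshots(before, after);
    scan_float_range(before, SNAP_BYTES, 127.0f, 129.0f, &c);
    if (apply_filter)
        filter_decreased(before, after, &c);
    if (single_off)
        *single_off = (c.n == 1) ? c.off[0] : (size_t)-1;
    return c.n;
}

size_t candidates_after_scan(void)   { return run(0, NULL); }
size_t candidates_after_filter(void) { return run(1, NULL); }

/* The whole procedure: returns the health offset, or (size_t)-1 if ambiguous. */
size_t find_health_offset(void)
{
    size_t off;
    run(1, &off);
    return off;
}

int main(void)
{
    printf("candidates after ranged scan: %zu\n", candidates_after_scan());
    printf("candidates after 'decreased': %zu\n", candidates_after_filter());
    printf("health found at +0x%zx\n", find_health_offset());
    return 0;
}
```

The second snapshot is why the tutorial says to take a hit between scans: a "decreased value" pass cannot distinguish health from a constant that merely equals 128 until something actually lowers it.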

3. Unlimited predator energy

  • Float type has to be used
  • 1 bar of predator energy is equal to a value of 5 (float)
  • There will be 3 addresses at the end of the search
  • However you cannot change the value directly or the game will crash
  • Tsearch's AutoHack is needed
  • The middle address should be the right one
  • Use AutoHack to find the breakpoint
  • Shoot: if 2 breakpoints are seen, it is the wrong address, move on
  • Shoot again: if 1 breakpoint is seen, it is the right address
  • Use TMK to get the address and values for EasyWrite
  • Make an ASM script

4. Speed type

  • Tsearch is used here (not Olly or any other debugger)
  • Float data type is needed
  • Here are the values to search
  • Alien character values:
stop - 0
walk - 0.5
run - 1
sprint - 2
  • Once the right address has been found (there will be 2-3), breakpoint it using AutoHack
  • In this example the breakpoint is at
6A9741
  • Subtract 2 from it (in hex), so it becomes
6A973F
  • Now use EasyWrite to write an ASM script
  • This goes into the upper window (on). It replaces the 5-byte store at 0x6A973F (F3 0F 11 4E 10 = movss [esi+10], xmm1) with a call to a code cave that writes the constant 0x41200000 (float 10.0, five times the sprint value) into the same field:
   offset 0x10DD7
   mov dword ptr ds:[esi+10],0x41200000
   ret
   offset 0x6A973F
   call 0x10DD7
  • This goes into the bottom window (off); it restores the original 5 bytes:
   offset 0x6A973F
   hex F30F114E10
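How the two EasyWrite blocks above translate to bytes, as an added example in C (not Tsearch's code): the 5-byte near call that replaces the original movss, the 8-byte cave body, and an install/remove pair that does what the "on" and "off" scripts do. The addresses 0x6A973F and 0x10DD7 are the tutorial's and are treated as absolute addresses for the arithmetic (an assumption); the 16-byte image standing in for the code at 0x6A973F is constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Original instruction at 0x6A973F: F3 0F 11 4E 10 = movss [esi+0x10], xmm1.
 * It is five bytes, the same length as a near call, so nothing else is clobbered. */
static const uint8_t ORIG_MOVSS[5] = { 0xF3, 0x0F, 0x11, 0x4E, 0x10 };

/* E8 rel32, with rel32 = target - (address of the next instruction). */
void encode_call_rel32(uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (at + 5);   /* wraps mod 2^32, like the CPU */
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Cave body: mov dword ptr [esi+disp8], imm32 ; ret
 * C7 /0 with ModRM 0x46 (mod=01 -> [esi+disp8], reg=/0, rm=esi), then C3. */
size_t encode_cave(int8_t disp8, uint32_t imm, uint8_t out[8])
{
    out[0] = 0xC7;
    out[1] = 0x46;
    out[2] = (uint8_t)disp8;
    for (int i = 0; i < 4; i++)
        out[3 + i] = (uint8_t)(imm >> (8 * i));
    out[7] = 0xC3;
    return 8;
}

typedef struct {
    uint32_t at;
    uint8_t  saved[5];    /* the bytes the "off" script writes back */
    int      installed;
} hook_t;

/* "on": save the original five bytes, overwrite them with the call. */
int hook_install(uint8_t *code_at, uint32_t at, uint32_t cave, hook_t *h)
{
    if (h->installed)
        return 0;
    memcpy(h->saved, code_at, 5);
    h->at = at;
    encode_call_rel32(at, cave, code_at);
    h->installed = 1;
    return 1;
}

/* "off": restore the saved bytes (what `hex F30F114E10` does). */
int hook_remove(uint8_t *code_at, hook_t *h)
{
    if (!h->installed)
        return 0;
    memcpy(code_at, h->saved, 5);
    h->installed = 0;
    return 1;
}

/* Byte i of the call that the "on" script places at `at`. */
uint8_t call_byte(uint32_t at, uint32_t target, int i)
{
    uint8_t b[5];
    encode_call_rel32(at, target, b);
    return b[i];
}

/* Byte i of the cave body. */
uint8_t cave_byte(int8_t disp8, uint32_t imm, int i)
{
    uint8_t b[8];
    encode_cave(disp8, imm, b);
    return b[i];
}

/* Install then remove on a constructed image; 1 if the original bytes came back. */
int demo_restores_original(void)
{
    uint8_t image[16];
    hook_t h = {0};
    memset(image, 0x90, sizeof image);
    memcpy(image, ORIG_MOVSS, 5);
    hook_install(image, 0x6A973Fu, 0x10DD7u, &h);
    int patched = (image[0] == 0xE8);
    hook_remove(image, &h);
    return patched && memcmp(image, ORIG_MOVSS, 5) == 0;
}

int main(void)
{
    printf("call at 6A973F -> 10DD7:");
    for (int i = 0; i < 5; i++) printf(" %02X", call_byte(0x6A973Fu, 0x10DD7u, i));
    printf("\ncave [esi+10] = 0x41200000:");
    for (int i = 0; i < 8; i++) printf(" %02X", cave_byte(0x10, 0x41200000u, i));
    printf("\noriginal restored: %d\n", demo_restores_original());
    return 0;
}
```

The displacement for the call comes out negative (0x10DD7 lies below 0x6A973F), which is why the encoded rel32 starts with 0xFF bytes; a "wrong sign" here is the usual cause of a hook that crashes on first execution.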

5. Vision customizing

     - brightness
     - contrast
     - clear visions
     - textures
     - skin brightness (glow)
  • Brightness
  • Bytes data type is used
  • 63 - heat vision
  • 0 - normal


  • Brightness 2
  • Float data type is used
  • normal vision = 0.7999999523
  • heat vision = 1.999999583e-002
  • alien vision = 0.5
  • marine vision = 1.5


  • Brightness for all characters
  • Float Data type is used
  • marine = 7
  • predator normal = 7
  • predator heat = 10
  • predator alien = 7
  • alien = 9
  • in menus = 10


  • Contrast on heat vision
  • Float Data type is used
  • normal vision = 0.75
  • heat vision = 1.200000048
  • alien vision = 0.75


  • Clear / Blue vision modes
  • Float data type is used
  • heat vision = 1
  • normal vision = 0
  • alien vision = 0 (do not use this for searching)
  • It is possible to filter it down to about 6 addresses
  • Only one is needed; find the right one
  • Set the value to 2 for dark blue and red heat vision
  • Set the value to 0 for clear heat vision with highlighting


  • Textures
  • Float value type used
  • Search 0.1800000072 normal vision mode
  • Search 0.25 heat vision mode
  • Search 0.6000000238 alien vision mode




6. Weapon customizing

  • Float data type is used for all of these
  • Basic mathematical skills required
  • First it is necessary to find ammo in clip (see hack number 1 above)
  • In this example ammo in clip has the following address:
4A637D00
  • Now add 4 (in hex) to this address in order to get clip size:
4A637D00 + 4 = 4A637D04
  • So clip size is stored at
4A637D04
  • Here are the rest of the hacks
  • Add the value shown in [ ] (hex) to the address of ammo in clip in order to get the desired field (this table uses a different example base address):
4A6370D0 ammo in clip
4A6370D4 [+ 4] clip size
4A6370F8 [+ 28] bullet spread
4A637110 [+ 40] bullets per shot
4A637104 [+ 34] weapon range
4A637108 [+ 38] rate of fire
  • Ammo Type - very well kept secret by Sethioz
  • Vectors per round - this is also a very well kept secret
  • Here is a screenshot of the addresses and values
  • This screenshot is of Olly Debugger's memory dump view

File:Avp2010memoryview.JPG

  • This screenshot shows the view of memory, for a better understanding of the memory layout in this game.
  • How to get it working without searching:
mov DWORD PTR DS:[ECX+10],0x4CBEBC20 
  • This instruction sets ammo in clip to 100,000,000 (0x4CBEBC20 is the float 1e8)
  • Fire rate is also reached through the ECX register, 0x38 bytes from ammo in clip. What you do is very easy:
mov DWORD PTR DS:[ECX+38],0x43FA0000
  • This sets fire rate for any weapon to 500
  • Notice the +38 part; this is the "magic" part. You calculate it just as you do to find the address for spread, rate of fire, etc.; spread would be +28 in the instruction. Check the displacement against the table above before writing: if ammo in clip is at [ECX+10], a field 0x38 bytes after it is at [ECX+48], not [ECX+38].

These are examples; use your mathematics skills.

  • Values go after "0x", like "0xyour_value_here"
  • The value is a float, with byte order reversed relative to the memory dump.
  • In memory, the float 500 looks like this (little-endian):
00 00 FA 43
  • and into EasyWrite you put this:
43FA0000
  • This is the same four bytes in reversed order
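The "mathematics" step done in code, as an added example in C (not the tutorial's or Tsearch's code): converting a float to the DWORD EasyWrite expects, showing the reversed bytes a memory dump displays, and building the mov line for any field of the weapon block. The offsets are the tutorial's table above; the base register name and the sample address are illustrative inputs, and the line format mirrors the two mov lines above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets relative to ammo-in-clip, from the tutorial's table (hex). */
enum weapon_field {
    OFF_AMMO_IN_CLIP     = 0x00,
    OFF_CLIP_SIZE        = 0x04,
    OFF_BULLET_SPREAD    = 0x28,
    OFF_WEAPON_RANGE     = 0x34,
    OFF_RATE_OF_FIRE     = 0x38,
    OFF_BULLETS_PER_SHOT = 0x40
};

/* IEEE-754 single -> raw 32-bit pattern. memcpy is the portable type pun. */
uint32_t float_to_dword(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

float dword_to_float(uint32_t u)
{
    float f;
    memcpy(&f, &u, sizeof f);
    return f;
}

/* Byte i of the value as it appears in an x86 memory dump (little-endian):
 * 500.0f = 0x43FA0000 is shown as 00 00 FA 43. Derived from the DWORD by
 * shifting, so the result does not depend on the host's endianness. */
uint8_t mem_byte(float f, int i)
{
    return (uint8_t)(float_to_dword(f) >> (8 * i));
}

/* Address of a field given the address of ammo-in-clip. */
uint32_t field_addr(uint32_t ammo_in_clip_addr, enum weapon_field off)
{
    return ammo_in_clip_addr + (uint32_t)off;
}

/* EasyWrite line in the tutorial's format, e.g. mov DWORD PTR DS:[ECX+38],0x43FA0000 */
int format_mov_line(const char *base_reg, enum weapon_field off, float value,
                    char *out, size_t outlen)
{
    return snprintf(out, outlen, "mov DWORD PTR DS:[%s+%X],0x%08X",
                    base_reg, (unsigned)off, float_to_dword(value));
}

/* 1 if the generated line matches `expected` exactly. */
int mov_line_equals(const char *base_reg, enum weapon_field off, float value,
                    const char *expected)
{
    char buf[64];
    format_mov_line(base_reg, off, value, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char line[64];
    printf("500.0f            = 0x%08X\n", float_to_dword(500.0f));
    printf("0x4CBEBC20        = %.0f\n", (double)dword_to_float(0x4CBEBC20u));
    printf("500.0f in memory  = %02X %02X %02X %02X\n",
           mem_byte(500.0f, 0), mem_byte(500.0f, 1), mem_byte(500.0f, 2), mem_byte(500.0f, 3));
    printf("rate of fire addr = %08X\n", field_addr(0x4A6370D0u, OFF_RATE_OF_FIRE));
    format_mov_line("ECX", OFF_RATE_OF_FIRE, 500.0f, line, sizeof line);
    printf("%s\n", line);
    return 0;
}
```

Running it shows why the tutorial's 999999 does not match its own literal: 0x4CBEBC20 decodes to 100000000, so the ammo line writes 1e8, not 999999. Any value you want goes through float_to_dword first; typing the decimal number after 0x is the classic mistake.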

7. Crosshairs

  • 4 Bytes search is used
  • Search 1 with the desired crosshair (weapon) out
  • Search 0 with other weapons (crosshairs) out
  • Short explanation of how it works:

The game allocates 1 address for each weapon, like so:

Pulse Rifle address 0x10FF
Pistol address 0x23BB
Shotgun address 0x244F
  • If the player has taken out the pulse rifle, the value at address 0x10FF is set to 1 and 0 on the rest of the addresses; when the player has taken out the shotgun, the value at 0x10FF will be 0 and 1 at 0x244F. Setting the value to 1 on each address gives the player all crosshairs at once.
  • Filtering will end with about 4 addresses; find the one that actually changes the crosshair. Freeze it on 1 and change weapon; if you have 2 crosshairs at once, you have found the address for the weapon you were filtering for.
  • Then find the breakpoint and NOP the function while you have your favourite crosshair (weapon) out.
  • See Breakpoints and NOP for a detailed article on how it works.
  • You can also have multiple crosshairs stacked on top of each other, when all of them have been changed to 1.


  • How to disable a crosshair
  • Once you have breakpointed it in Tsearch, select the breakpoint and go to the disassembler tab
  • Right click on the first line and select "register"
  • Go to the register tab
  • Select EAX from the drop-down box and tick the checkbox
  • Replace the value with 0
  • How to enable all crosshairs at once
  • Same as disabling, but replace with a value of 1

8. Cloak

  • Float data type is used
  • 1 when predator is cloaked
  • 0 when predator is uncloaked


9. See cloaked characters

  • Hack number 8 must be done first
  • Once the address has been found, put a breakpoint on it
  • You should get 4-5 breakpoints
  • Add them to the "cheat list" as 1 byte
  • All of them should have a value of 20 (one might not be 20)
  • Change the value to something else, like 10
  • Now predators become white and cloaked characters blink white
  • This tutorial is not complete; see Aliens vs Predator 2010 (avp 3 / avp 2010) - hacks & hacking for progress and further info.

10. Wallhack


11. Auto Focus Mode

  • 4 Byte data type is used
  • Search 1 when focus mode is active
  • Search 0 when focus mode is inactive
  • Once the correct address is found, change the value from 0 to 1 and freeze it
  • Press the focus mode key
  • Now focus mode will remain active
  • The same method applies to online play
  • No need to see what reads and writes to the address; it's static




Sethioz 15:33, 8 May 2010 (UTC)
