
Backtracking Functions using debug strings in ollydbg for a game called Midnight Club 2


7 replies to this topic

#1 Kazumia


Posted 28 July 2012 - 07:32 AM

Hola everyone,

Although I'm far from an experienced asm programmer, I'm trying to make an attempt at making an anti-kick for this game called Midnight Club 2. That is, if I'm able to find the "actual" kick bytes in the game and NOP them. I've done some debugging on my own and maybe some of you can advise me on how to go from here:
Highlighted in red is the boot message in assembly (found in the first picture).
You'll see several user comments which I use to help me with my debugging.
You'll also notice points where I've marked start and end, or beginning function and end function; those are different functions which have calls or jumps linked back to the original function where the boot message debug string is found. I found the functions by setting hardware breakpoints and checking if they were triggered when the boot message would pop up every time a user gets kicked from a game.
So a problem right away that I can already see is that I'm not sure if the kick command is going to be found in a call, jump, or a mov dword, eax ptr ... instruction, so how I'm trying to debug the kick command is:
1. reverse all the jumps
2. NOP each call one by one; if the game hangs or crashes when I get kicked and the call is NOPed, I may go further into the call
3. then I'll go through and NOP the more crash-prone instructions like mov dword,eax, add 5, eax
etc...
Also, just by looking at where the boot message is, it seems as though the actual kick command is not inside that same function; as you can see I've NOPed most of it, and unless the kick command is inlined into the function I don't see how it can be there. The kick message looks to be part of a huge switch statement which is just for error-handling messages, not the actual "kick" function itself.

However, if I do "find references" to the beginning of the function it has two calls to it so I think that the kick function may be somewhere in there.

One of the calls is quite odd, considering that if I set bp's on either side of the call command the game freezes. So for some reason it looks like the call is just thrown in the middle of the code for no apparent reason.
The other call, however, I was able to find an actual beginning and end point for.

Here's the entire switch block in which the boot message is in:

Posted Image

Below is the full code to the entire switch block, but keep in mind that only 00423000 to 00423048 concerns the boot message. (I set bp's to confirm this.)


PS: if you notice, there is a call right underneath the boot message, but to my understanding wouldn't the kick function need to happen before the boot message shows up, and hence the kick bytes should happen before the message? So I don't think that call is the correct one, even though it's inside the function in which the boot message is.

Now here are the two calls to this function that I mentioned earlier, in which I think the kick bytes might be in (they get called before this function even takes place):

Posted Image

Posted Image


Call 1 to the function which holds the boot string (00423000):



Call 2:
Posted Image

You'll see user comments beside the second call so you can't miss it, and it's a weird one as well. I don't know why either side of the call makes the game hang when bp'd, so I don't think anything around the call has to do with the boot function.


There are more calls that branch from each of these ones as well, but I won't post them until someone can confirm that the functions that I've already gone through and debugged don't have the kick bytes in them.

Sorry that the post is so long, but I couldn't find a way to shorten it, considering that I know 80% of people don't even play this game.

Please try to look past any grammatical errors; it's extremely late here and I need to head off to sleep.


If anyone is interested in helping me keenly and deeply, I'm willing to pay you via PayPal. Otherwise any help here is appreciated. If you are interested in helping me finish this to the end (outside of the boards, on MSN or Skype) we can negotiate a fair price.
The game has no anti-cheat and memory patching is a breeze, although the game is not open source, nor is there any information about the game engine or API available on the net.




#2 DABhand


Posted 28 July 2012 - 09:03 PM

add 5,eax

Good luck finding that Opcode in amongst others :P

But if you are looking for a way to cheat your way through MP matches, I'm just gonna give you the finger. 'Cause I don't like people like that :P

#3 Kazumia


Posted 28 July 2012 - 11:52 PM

add 5,eax

Good luck finding that Opcode in amongst others :P

But if you are looking for a way to cheat your way through MP matches, I'm just gonna give you the finger. 'Cause I don't like people like that :P


Well, thanks for responding at least. The game doesn't get more than 10 players online each day, but it's still my favourite racing game for PC to this date. Maybe someone who is willing to support multiplayer cheat development won't mind helping me.

Just skimming through OllyDbg right now, I can't seem to find that opcode you mentioned :l sigh

#4 genuine


Posted 29 July 2012 - 01:01 AM

I didn't have time to read the whole message, but from skimming and looking through the comments, it sounds like you're trying to avoid being kicked. This is usually something you can achieve through packet editing. You want to set a breakpoint on the Winsock "recv()" function, and when you are kicked, you should receive the data which your game client then parses to know that you are being kicked. Sometimes it is a two-step process where the client also send()s a packet back, depending on the way the game is designed (from a networking aspect). If it is peer to peer, then most likely it won't send anything back. By breaking on recv() you'll also have a better starting point as to how that "kicking" message is eventually called and how and where that data is stored.
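As an added illustration of the structure genuine describes (this is constructed example code, not from the thread or the game), here is a toy client-side dispatcher: the bytes returned by recv() are parsed, a type field selects a case in a switch, and the "boot" text only appears inside that case. Backtracking from the string therefore lands in the error-handling switch, while the decision that a kick happened is taken by the parser upstream. The wire format ([type:1][len:1][payload]) and the message names are assumptions made up for this example.

```c
/* Constructed example: a toy game-client message dispatcher.
 * Wire format (assumed for this example): [type:1][len:1][payload:len]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum msg_type { MSG_CHAT = 1, MSG_POSITION = 2, MSG_KICK = 3 };
enum result   { R_OK = 0, R_MALFORMED = -1, R_UNKNOWN = -2 };

struct client_state {
    int  connected;        /* cleared when the server boots us */
    char last_error[64];   /* where the "boot message" text ends up */
};

/* Parses one received packet and dispatches on its type. The fact that we
 * were kicked is decided by the type byte here; the switch case below only
 * records the effect and formats the human-readable message. */
int handle_packet(struct client_state *st, const uint8_t *buf, size_t n)
{
    if (n < 2)                                  /* header incomplete */
        return R_MALFORMED;
    uint8_t type = buf[0], len = buf[1];
    if ((size_t)len + 2 != n)                   /* length must match buffer */
        return R_MALFORMED;
    const uint8_t *payload = buf + 2;

    switch (type) {
    case MSG_CHAT:                              /* chat handling elided */
        return R_OK;
    case MSG_POSITION:
        return (len == 8) ? R_OK : R_MALFORMED; /* fixed-size payload */
    case MSG_KICK:
        st->connected = 0;                      /* the actual "kick" effect */
        snprintf(st->last_error, sizeof st->last_error,
                 "Booted from game (reason %u)", len ? payload[0] : 0u);
        return R_OK;                            /* string lives only here */
    default:
        return R_UNKNOWN;
    }
}

int main(void)
{
    struct client_state st = { 1, "" };
    const uint8_t kick[] = { MSG_KICK, 1, 0x02 };   /* constructed sample */
    handle_packet(&st, kick, sizeof kick);
    printf("connected=%d error=\"%s\"\n", st.connected, st.last_error);
    return 0;
}
```

The length check is the part a defender cares about: a packet whose length byte disagrees with the received size is rejected before any case runs, so a malformed kick neither disconnects the client nor reaches the string.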

#5 Kazumia


Posted 29 July 2012 - 03:11 AM

I didn't have time to read the whole message, but from skimming and looking through the comments, it sounds like you're trying to avoid being kicked. This is usually something you can achieve through packet editing. You want to set a breakpoint on the Winsock "recv()" function, and when you are kicked, you should receive the data which your game client then parses to know that you are being kicked. Sometimes it is a two-step process where the client also send()s a packet back, depending on the way the game is designed (from a networking aspect). If it is peer to peer, then most likely it won't send anything back. By breaking on recv() you'll also have a better starting point as to how that "kicking" message is eventually called and how and where that data is stored.


Thank you for the extremely detailed answer, I'll look into this and hopefully post some results. I thought that I could have back tracked to the kicking


Thanks for the response, it really means a lot. I decided to do what you said and I set bp's wherever recv was being called in the game.
Unfortunately, the bp's don't get triggered when a player gets booted from the game. Isn't there a way to use the debug string and backtrack to the original function?

Here's a screen of all the recv calls in the game:
Posted Image

#6 DABhand


Posted 29 July 2012 - 11:35 AM

FYI you will never see ADD 5,eax anywhere at all. As it will never work. ADD eax,5 is correct though.

May I suggest reading some basic/intermediate ASM tuts so you understand the structure of opcodes etc. With some knowledge there you won't be so eager to nop everything to see if it affects anything.

#7 genuine


Posted 29 July 2012 - 05:39 PM

Hmm, it uses recvfrom() as well, which is generally used for the UDP protocol (peer to peer generally uses this too). Try those; if you still get nothing, I would go to the code segments where these APIs are called. It seems you are a novice, so it would probably be futile for me to tell you to find a suspicious sequence of code. And like DABhand says, mov 5,eax will blow up your computer; consider reading a basic assembly tutorial. The best I've read is here: http://www.drpaulcarter.com/pcasm/

#8 Kazumia


Posted 29 July 2012 - 08:42 PM

A big thanks to both of you. And yes, I do acknowledge that I'm a novice when it comes to assembly; as a matter of fact I only got into it for this one feature. Otherwise I wouldn't bother touching a new language. Sadly, the only resource I have is you guys, since nobody else besides me is trying to hack/code for the game, and the game is completely closed source and details about the game's engine are completely unknown as well. Also, Genuine, I do understand that the "suspicious pieces of code" may be too complex for me to handle, but it's the only lead I have even if I don't understand it. The only way I'm going to is if I get the opportunity to do so. I'm also going through asm tutorials as I'm doing this process, and have taken into account the one you gave. So if you have time, maybe you can do some analysis of the code and post back here; that would be of great help to me.


