


Backtracking Functions using debug strings in ollydbg for a game called Midnight Club 2

8 posts in this topic

Posted

Hola everyone,

Although I'm far from an experienced asm programmer, I'm trying to make an attempt at making an anti-kick for this game called Midnight Club 2. That is, if I'm able to find the "actual" kick bytes in the game and NOP them. I've done some debugging on my own, and maybe some of you can advise me on how to go from here:

Highlighted in red is the boot message in assembly (found in the first picture).

You'll see several user comments which I use to help me with my debugging.

You'll also notice points where I've marked start and end or beginning function and end function; those are different functions which have calls or jumps linked back to the original function where the boot message debug string is found. I found the functions by setting hardware breakpoints and checking if they were triggered when the boot message would pop up every time a user gets kicked from a game.

So a problem that I can already see right away is that I'm not sure whether the kick command is going to be found in a call, a jump, or a mov dword, eax ptr ... instruction, so how I'm trying to debug the kick command is:

1. reverse all the jumps
2. NOP each call one by one; if the game hangs or crashes when I get kicked and the call is NOPed, I may go further into the call
3. then I'll go through and NOP the instructions more prone to crashing, like mov dword,eax add 5, eax
etc...

Also, just by looking at where the boot message is, it seems as though the actual kick command is not inside that same function; as you can see, I've NOPed most of it, and unless the kick command is inlined into the function I don't see how it can be there. The kick message looks to be part of a huge switch statement which is just for error-handling messages, not the actual "kick" function itself.

However, if I do "find references" to the beginning of the function, it has two calls to it, so I think that the kick function may be somewhere in there.

One of the calls is quite odd, considering that if I set bp's on either side of the call command the game freezes. So for some reason it looks like the call is just thrown in the middle of the code for no apparent reason.

For the other call, however, I was able to find an actual beginning and end point.

Here's the entire switch block in which the boot message is:

Below is the full code of the entire switch block, but keep in mind that only 00423000 to 00423048 concerns the boot message (I set bp's to confirm this).


00423000  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]             ;  begin of function
00423004  |. 53             PUSH EBX
00423005  |. 56             PUSH ESI
00423006  |. 48             DEC EAX                                  ;  Switch (cases 1..C)
00423007  |. 83F8 0B        CMP EAX,0B
0042300A  |. 8BF1           MOV ESI,ECX
0042300C  |. C786 C0010000 >MOV DWORD PTR DS:[ESI+1C0],7             ;  noping disables the boot message but the kick bytes still go through
00423016  |. B3 01          MOV BL,1
00423018  |. 0F87 61010000  JA mc2.0042317F                          ;  jump does nothing when reversed
0042301E  |. FF2485 AC31420>JMP DWORD PTR DS:[EAX*4+4231AC]          ;  mov eax crashes when nopped
00423025  |> 8B46 60        MOV EAX,DWORD PTR DS:[ESI+60]            ;  Case A of switch 00423006
00423028  |. 8B48 68        MOV ECX,DWORD PTR DS:[EAX+68]
0042302B  |. 6A 00          PUSH 0
0042302D  |. 6A 00          PUSH 0
0042302F  |. 6A 00          PUSH 0
00423031  |. 6A 00          PUSH 0
00423033  |. 6A 00          PUSH 0
00423035  |. 6A 00          PUSH 0
00423037  |. 6A 01          PUSH 1
00423039  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
0042303E  |. 68 801E6300    PUSH mc2.00631E80                        ;  ASCII "WP_BootMessage"
00423043  |. E8 58480200    CALL mc2.004478A0                        ;  noping crashes game
00423048  |. EB 46          JMP SHORT mc2.00423090                   ;  end of function
0042304A  |> A1 A0576900    MOV EAX,DWORD PTR DS:[6957A0]            ;  Case 1 of switch 00423006
0042304F  |. 85C0           TEST EAX,EAX
00423051  |. 75 12          JNZ SHORT mc2.00423065
00423053  |. 32DB           XOR BL,BL
00423055  |. C786 C0010000 >MOV DWORD PTR DS:[ESI+1C0],2
0042305F  |. 889E C5010000  MOV BYTE PTR DS:[ESI+1C5],BL
00423065  |> 8B4E 60        MOV ECX,DWORD PTR DS:[ESI+60]
00423068  |. 8B49 68        MOV ECX,DWORD PTR DS:[ECX+68]
0042306B  |. 6A 00          PUSH 0
0042306D  |. 6A 00          PUSH 0
0042306F  |. 6A 00          PUSH 0
00423071  |. 6A 00          PUSH 0
00423073  |. 6A 00          PUSH 0
00423075  |. 6A 00          PUSH 0
00423077  |. 6A 01          PUSH 1
00423079  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
0042307E  |. 68 6C1E6300    PUSH mc2.00631E6C                        ;  ASCII "WP_HostLostMessage"
00423083  |. E8 18480200    CALL mc2.004478A0                        ;  doesnt do anything when nop
00423088  |. 84DB           TEST BL,BL
0042308A  |. 0F84 17010000  JE mc2.004231A7
00423090  |> 8B56 60        MOV EDX,DWORD PTR DS:[ESI+60]            ;  start
00423093  |. 8B4A 68        MOV ECX,DWORD PTR DS:[EDX+68]
00423096  |. 6A 01          PUSH 1
00423098  |. E8 53480200    CALL mc2.004478F0                        ;  crashes when noped
0042309D  |. 8B46 60        MOV EAX,DWORD PTR DS:[ESI+60]            ;  player gets booted when noped like usual but your stuck in-game and can't leave the game lobby
004230A0  |. 8B48 68        MOV ECX,DWORD PTR DS:[EAX+68]
004230A3  |. 8B11           MOV EDX,DWORD PTR DS:[ECX]
004230A5  |. FF92 A0000000  CALL DWORD PTR DS:[EDX+A0]
004230AB  |. 8B4E 50        MOV ECX,DWORD PTR DS:[ESI+50]
004230AE  |. 8B01           MOV EAX,DWORD PTR DS:[ECX]
004230B0  |. 5E             POP ESI
004230B1  |. 5B             POP EBX
004230B2  |. C74424 04 0000>MOV DWORD PTR SS:[ESP+4],0               ;  nop does not affect this
004230BA  |. FF60 60        JMP DWORD PTR DS:[EAX+60]                ;  end
004230BD  |> 8B56 60        MOV EDX,DWORD PTR DS:[ESI+60]            ;  Case B of switch 00423006
004230C0  |. 8B4A 68        MOV ECX,DWORD PTR DS:[EDX+68]
004230C3  |. 6A 00          PUSH 0
004230C5  |. 6A 00          PUSH 0
004230C7  |. 6A 00          PUSH 0
004230C9  |. 6A 00          PUSH 0
004230CB  |. 6A 00          PUSH 0
004230CD  |. 6A 00          PUSH 0
004230CF  |. 6A 01          PUSH 1
004230D1  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
004230D6  |. 68 541E6300    PUSH mc2.00631E54                        ;  ASCII "WP_BadConnectionMessage"
004230DB  |. E8 C0470200    CALL mc2.004478A0
004230E0  |.^EB AE          JMP SHORT mc2.00423090
004230E2  |> 8B46 60        MOV EAX,DWORD PTR DS:[ESI+60]            ;  Case 7 of switch 00423006
004230E5  |. 8B48 68        MOV ECX,DWORD PTR DS:[EAX+68]
004230E8  |. 6A 00          PUSH 0
004230EA  |. 6A 00          PUSH 0
004230EC  |. 6A 00          PUSH 0
004230EE  |. 6A 00          PUSH 0
004230F0  |. 6A 00          PUSH 0
004230F2  |. 6A 00          PUSH 0
004230F4  |. 6A 01          PUSH 1
004230F6  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
004230FB  |. 68 3C1E6300    PUSH mc2.00631E3C                        ;  ASCII "WP_SessionSealedMessage"
00423100  |. E8 9B470200    CALL mc2.004478A0
00423105  |.^EB 89          JMP SHORT mc2.00423090
00423107  |> 8B4E 60        MOV ECX,DWORD PTR DS:[ESI+60]            ;  Case 8 of switch 00423006
0042310A  |. 8B49 68        MOV ECX,DWORD PTR DS:[ECX+68]
0042310D  |. 6A 00          PUSH 0
0042310F  |. 6A 00          PUSH 0
00423111  |. 6A 00          PUSH 0
00423113  |. 6A 00          PUSH 0
00423115  |. 6A 00          PUSH 0
00423117  |. 6A 00          PUSH 0
00423119  |. 6A 01          PUSH 1
0042311B  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
00423120  |. 68 241E6300    PUSH mc2.00631E24                        ;  ASCII "WP_SessionFullMessage"
00423125  |. E8 76470200    CALL mc2.004478A0
0042312A  |.^E9 61FFFFFF    JMP mc2.00423090
0042312F  |> 8B56 60        MOV EDX,DWORD PTR DS:[ESI+60]            ;  Case C of switch 00423006
00423132  |. 8B4A 68        MOV ECX,DWORD PTR DS:[EDX+68]
00423135  |. 6A 00          PUSH 0
00423137  |. 6A 00          PUSH 0
00423139  |. 6A 00          PUSH 0
0042313B  |. 6A 00          PUSH 0
0042313D  |. 6A 00          PUSH 0
0042313F  |. 6A 00          PUSH 0
00423141  |. 6A 01          PUSH 1
00423143  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
00423148  |. 68 0C1E6300    PUSH mc2.00631E0C                        ;  ASCII "WP_NotHostingMessage"
0042314D  |. E8 4E470200    CALL mc2.004478A0
00423152  |.^E9 39FFFFFF    JMP mc2.00423090
00423157  |> 8B46 60        MOV EAX,DWORD PTR DS:[ESI+60]            ;  Case 3 of switch 00423006
0042315A  |. 8B48 68        MOV ECX,DWORD PTR DS:[EAX+68]
0042315D  |. 6A 00          PUSH 0
0042315F  |. 6A 00          PUSH 0
00423161  |. 6A 00          PUSH 0
00423163  |. 6A 00          PUSH 0
00423165  |. 6A 00          PUSH 0
00423167  |. 6A 00          PUSH 0
00423169  |. 6A 01          PUSH 1
0042316B  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
00423170  |. 68 F41D6300    PUSH mc2.00631DF4                        ;  ASCII "WP_JoinFailedMessage"
00423175  |. E8 26470200    CALL mc2.004478A0
0042317A  |.^E9 11FFFFFF    JMP mc2.00423090
0042317F  |> 8B4E 60        MOV ECX,DWORD PTR DS:[ESI+60]            ;  Default case of switch 00423006
00423182  |. 8B49 68        MOV ECX,DWORD PTR DS:[ECX+68]
00423185  |. 6A 00          PUSH 0
00423187  |. 6A 00          PUSH 0
00423189  |. 6A 00          PUSH 0
0042318B  |. 6A 00          PUSH 0
0042318D  |. 6A 00          PUSH 0
0042318F  |. 6A 00          PUSH 0
00423191  |. 6A 01          PUSH 1
00423193  |. 68 901E6300    PUSH mc2.00631E90                        ;  ASCII "IO_OK"
00423198  |. 68 6C1E6300    PUSH mc2.00631E6C                        ;  ASCII "WP_HostLostMessage"
0042319D  |. E8 FE460200    CALL mc2.004478A0
004231A2  |.^E9 E9FEFFFF    JMP mc2.00423090
004231A7  |> 5E             POP ESI                                  ;  Case 2 of switch 00423006
004231A8  |. 5B             POP EBX
004231A9  \. C2 0400        RETN 4

PS: if you notice, there is a call right underneath the boot message, but to my understanding wouldn't the kick function need to happen before the boot message shows up, and hence the kick bytes should happen before the message? So I don't think that call is the correct one, even though it's inside the function in which the boot message is. Now here are the two calls to this function that I mentioned earlier, in which I think the kick bytes might be (they get called before this function even takes place):

Call 1 to the function which holds the boot string (00423000):

Call 2:


You'll see user comments beside the second call, so you can't miss it, and it's a weird one as well. I don't know why either side of the call makes the game hang when bp'd, so I don't think anything around the call has to do with the boot function.

There are more calls that branch from each of these ones as well, but I won't post them until someone can confirm that the functions that I've already gone through and debugged don't have the kick bytes in them.

Sorry that the post is so long, but I couldn't find a way to shorten it, considering that I know 80% of people don't even play this game.

Please try to look past any grammatical errors; it's extremely late here and I need to head off to sleep.

If anyone is interested in helping me keenly and deeply, I'm willing to pay you via PayPal. Otherwise, any help here is appreciated. If you are interested in helping me finish this to the end (outside of the boards, on MSN or Skype), we can negotiate a fair price.

The game has no anti-cheat and memory patching is a breeze. The game is not open source, though, nor is there any information about the game engine or API available on the net.




Call 1 to the function in which the boot string is:


00424830  /$ 53             PUSH EBX                                 ;  start of function
00424831  |. 8A5C24 10      MOV BL,BYTE PTR SS:[ESP+10]
00424835  |. 84DB           TEST BL,BL
00424837  |. 56             PUSH ESI
00424838  |. 57             PUSH EDI
00424839  |. 8BF1           MOV ESI,ECX
0042483B  |. B8 6C256300    MOV EAX,mc2.0063256C                     ;  ASCII "true"
00424840  |. 75 05          JNZ SHORT mc2.00424847
00424842  |. B8 64256300    MOV EAX,mc2.00632564                     ;  ASCII "false"
00424847  |> 8B7C24 10      MOV EDI,DWORD PTR SS:[ESP+10]
0042484B  |. 50             PUSH EAX
0042484C  |. 6A 00          PUSH 0
0042484E  |. 57             PUSH EDI
0042484F  |. 68 00256300    PUSH mc2.00632500                        ;  ASCII "mcFeNetworkWaitForPlayersScreen::NetworkingPostQuit - playerIndex=%d  reason=%s  stoppedHosting=%s"
00424854  |. E8 F73D1F00    CALL mc2.00618650                        ;  nop does not work on this call
00424859  |. 83C4 10        ADD ESP,10
0042485C  |. 84DB           TEST BL,BL
0042485E  |. 0F85 6A010000  JNZ mc2.004249CE                         ;  reversing the jump still
00424864  |. 85FF           TEST EDI,EDI
00424866  |. 8BCE           MOV ECX,ESI
00424868  |. 74 0B          JE SHORT mc2.00424875                    ;  when the jump is reversed
0042486A  |. E8 41FFFFFF    CALL mc2.004247B0                        ;  nop does not do $hit
0042486F  |. 5F             POP EDI
00424870  |. 5E             POP ESI
00424871  |. 5B             POP EBX
00424872  |. C2 0C00        RETN 0C
00424875  |> E8 16F7FFFF    CALL mc2.00423F90                        ;  nop does nothing here
0042487A  |. 8B86 C8010000  MOV EAX,DWORD PTR DS:[ESI+1C8]
00424880  |. 85C0           TEST EAX,EAX
00424882  |. 76 09          JBE SHORT mc2.0042488D                   ;  nothing
00424884  |. 8BCE           MOV ECX,ESI
00424886  |. E8 05F0FFFF    CALL mc2.00423890                        ;  does nothing
0042488B  |. EB 68          JMP SHORT mc2.004248F5
0042488D  |> 6A 00          PUSH 0
0042488F  |. 8D8E E0000000  LEA ECX,DWORD PTR DS:[ESI+E0]
00424895  |. E8 561A0200    CALL mc2.004462F0
0042489A  |. 6A 00          PUSH 0
0042489C  |. 8D8E 10010000  LEA ECX,DWORD PTR DS:[ESI+110]
004248A2  |. E8 491A0200    CALL mc2.004462F0                        ;  does nothing
004248A7  |. 6A 00          PUSH 0
004248A9  |. 8D8E 28010000  LEA ECX,DWORD PTR DS:[ESI+128]
004248AF  |. E8 3C1A0200    CALL mc2.004462F0                        ;  does nothing
004248B4  |. 6A 00          PUSH 0
004248B6  |. 8D8E 40010000  LEA ECX,DWORD PTR DS:[ESI+140]
004248BC  |. E8 2F1A0200    CALL mc2.004462F0
004248C1  |. 6A 00          PUSH 0
004248C3  |. 8D8E 58010000  LEA ECX,DWORD PTR DS:[ESI+158]
004248C9  |. E8 221A0200    CALL mc2.004462F0                        ;  does nothing
004248CE  |. 6A 00          PUSH 0
004248D0  |. 8D8E 70010000  LEA ECX,DWORD PTR DS:[ESI+170]
004248D6  |. E8 151A0200    CALL mc2.004462F0                        ;  does nothing - nop
004248DB  |. 6A 00          PUSH 0
004248DD  |. 8D8E 88010000  LEA ECX,DWORD PTR DS:[ESI+188]
004248E3  |. E8 081A0200    CALL mc2.004462F0                        ;  does nothing with nop
004248E8  |. 6A 00          PUSH 0
004248EA  |. 8D8E A0010000  LEA ECX,DWORD PTR DS:[ESI+1A0]
004248F0  |. E8 FB190200    CALL mc2.004462F0                        ;  does nothing with nop
004248F5  |> 8B8E C0010000  MOV ECX,DWORD PTR DS:[ESI+1C0]
004248FB  |. BB 01000000    MOV EBX,1
00424900  |. 8D41 FD        LEA EAX,DWORD PTR DS:[ECX-3]             ;  Switch (cases 3..10)
00424903  |. 83F8 0D        CMP EAX,0D
00424906  |. 889E B9010000  MOV BYTE PTR DS:[ESI+1B9],BL
0042490C  |. C686 B8010000 >MOV BYTE PTR DS:[ESI+1B8],0
00424913  |. 889E C5010000  MOV BYTE PTR DS:[ESI+1C5],BL
00424919  |. 0F87 A1000000  JA mc2.004249C0                          ;  no boot message when jump is reversed
0042491F  |. 0FB680 F049420>MOVZX EAX,BYTE PTR DS:[EAX+4249F0]       ;  nop no effect
00424926  |. FF2485 D449420>JMP DWORD PTR DS:[EAX*4+4249D4]
0042492D  |> 8B4E 60        MOV ECX,DWORD PTR DS:[ESI+60]            ;  Case 10 of switch 00424900
00424930  |. 8B49 54        MOV ECX,DWORD PTR DS:[ECX+54]
00424933  |. 8B11           MOV EDX,DWORD PTR DS:[ECX]
00424935  |. 6A 00          PUSH 0
00424937  |. FF52 60        CALL DWORD PTR DS:[EDX+60]               ;  does nothing with nop
0042493A  |. 8B46 60        MOV EAX,DWORD PTR DS:[ESI+60]            ;  game pauses/hangs after you leave the game lobby
0042493D  |. 8B48 58        MOV ECX,DWORD PTR DS:[EAX+58]
00424940  |. 6A 00          PUSH 0
00424942  |. E8 59970200    CALL mc2.0044E0A0                        ;  does nothing with nop
00424947  |. 8B4E 60        MOV ECX,DWORD PTR DS:[ESI+60]
0042494A  |. 8B49 60        MOV ECX,DWORD PTR DS:[ECX+60]
0042494D  |. 6A 00          PUSH 0
0042494F  |. E8 0CB50200    CALL mc2.0044FE60                        ;  does nothing with nop
00424954  |. 8B4E 50        MOV ECX,DWORD PTR DS:[ESI+50]
00424957  |. 8B11           MOV EDX,DWORD PTR DS:[ECX]
00424959  |. 53             PUSH EBX
0042495A  |. FF52 60        CALL DWORD PTR DS:[EDX+60]
0042495D  |. 8B4E 50        MOV ECX,DWORD PTR DS:[ESI+50]
00424960  |. E8 3BCC1300    CALL mc2.005615A0                        ;  does nothing with nop
00424965  |> 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]            ;  nop does nothing; Cases 3,4 of switch 00424900
00424969  |. 50             PUSH EAX
0042496A  |. 8BCE           MOV ECX,ESI
0042496C  |. E8 8FE6FFFF    CALL mc2.00423000                        ;  does nothing with nop
00424971  |. 5F             POP EDI
00424972  |. 5E             POP ESI
00424973  |. 5B             POP EBX
00424974  |. C2 0C00        RETN 0C                                  ;  end of function
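As an added example that is not part of the original post (nor the game's own code), the following Python parses OllyDbg listing lines like the ones above: it recovers the switch's jump table and entry count from the CMP/JMP pair, groups each case's pushed ASCII string and CALL target, and counts how often each CALL target is used, which makes it plain that 004478A0 is the routine every case hands its message to rather than anything specific to the boot case. It assumes columns separated by tabs or two or more spaces, as in the dump; the sample lines are copied from the 00423000 listing.

```python
import re
from collections import Counter, namedtuple

# One OllyDbg listing line: address, flow marker, opcode bytes (OllyDbg cuts
# long byte columns off with '>'), mnemonic, operands, optional ';' comment.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+(?P<mark>[/|\\][$.>]\^?)?\s*"
    r"(?P<bytes>[0-9A-F]{2,}(?: [0-9A-F]{2,})*)\s*(?:>|\s{2,})\s*"
    r"(?P<mn>[A-Z]+)(?:\s+(?P<ops>[^;]*?))?\s*(?:;\s*(?P<cmt>.*))?$")
CASE_RE = re.compile(r"(Cases? [0-9A-F,]+|Default case) of switch [0-9A-F]{8}")
ASCII_RE = re.compile(r'ASCII "([^"]*)"')
TABLE_RE = re.compile(r"DWORD PTR DS:\[(E[A-Z]{2})\*4\+([0-9A-F]+)\]")
Insn = namedtuple("Insn", "addr mnemonic operands comment")

def parse_listing(text):
    """Parse listing lines into Insn tuples; lines that do not match are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(m["addr"], m["mn"], (m["ops"] or "").strip(),
                              (m["cmt"] or "").strip()))
    return insns

def switch_dispatch(insns):
    """Find 'JMP DWORD PTR DS:[reg*4+table]' plus the 'CMP reg,imm' guarding it;
    returns (table address, entry count), since JA skips indices above imm."""
    for i, ins in enumerate(insns):
        m = TABLE_RE.search(ins.operands) if ins.mnemonic == "JMP" else None
        cmps = [p for p in insns[:i] if p.mnemonic == "CMP"] if m else []
        if cmps and cmps[-1].operands.startswith(m.group(1) + ","):
            bound = int(cmps[-1].operands.split(",")[1], 16)
            return m.group(2).zfill(8), bound + 1
    return None

def switch_cases(insns):
    """Group pushed ASCII strings and CALL targets under the 'Case X of switch'
    label OllyDbg writes on each case's first instruction."""
    cases, label = {}, "prologue"
    for ins in insns:
        c = CASE_RE.search(ins.comment)
        label = c.group(1) if c else label
        info = cases.setdefault(label, {"entry": ins.addr, "strings": [], "calls": []})
        info["strings"] += ASCII_RE.findall(ins.comment)
        if ins.mnemonic == "CALL":
            info["calls"].append(ins.operands.replace("mc2.", ""))
    return cases

def call_histogram(insns):
    """Count direct CALL targets: one shared by every case is the display
    routine the cases feed, not anything specific to the event."""
    return Counter(i.operands.replace("mc2.", "")
                   for i in insns if i.mnemonic == "CALL")

# Constructed sample: a handful of lines copied from the 00423000 listing above.
SAMPLE = """\
00423000  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]             ;  begin of function
00423007  |. 83F8 0B        CMP EAX,0B
0042300C  |. C786 C0010000 >MOV DWORD PTR DS:[ESI+1C0],7             ;  noping disables the boot message but the kick bytes still go through
0042301E  |. FF2485 AC31420>JMP DWORD PTR DS:[EAX*4+4231AC]          ;  mov eax crashes when nopped
00423025  |> 8B46 60        MOV EAX,DWORD PTR DS:[ESI+60]            ;  Case A of switch 00423006
0042303E  |. 68 801E6300    PUSH mc2.00631E80                        ;  ASCII "WP_BootMessage"
00423043  |. E8 58480200    CALL mc2.004478A0                        ;  noping crashes game
0042304A  |> A1 A0576900    MOV EAX,DWORD PTR DS:[6957A0]            ;  Case 1 of switch 00423006
0042307E  |. 68 6C1E6300    PUSH mc2.00631E6C                        ;  ASCII "WP_HostLostMessage"
00423083  |. E8 18480200    CALL mc2.004478A0                        ;  doesnt do anything when nop
004230E0  |.^EB AE          JMP SHORT mc2.00423090
"""
```

Running `switch_dispatch(parse_listing(SAMPLE))` on the sample gives the 12-entry table at 004231AC (CMP EAX,0B plus the default), and feeding the whole listing instead gives one CALL target shared by all eight message cases.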





Posted

add 5,eax

Good luck finding that Opcode in amongst others :P

But if you are looking for a way to cheat your way through MP matches, I'm just gonna give you the finger, 'cause I don't like people like that :P

1 person likes this


Posted

add 5,eax

Good luck finding that Opcode in amongst others :P

But if you are looking for a way to cheat your way through MP matches, I'm just gonna give you the finger, 'cause I don't like people like that :P

Well, thanks for responding at least. The game doesn't get more than 10 players online each day, but it's still my favourite racing game for PC to this date. Maybe someone who is willing to support multiplayer cheat development won't mind helping me.

Just skimming through OllyDbg right now, I can't seem to find that opcode you mentioned :l sigh


Posted

I didn't have time to read the whole message, but from skimming and looking through comments, it sounds like you're trying to avoid being kicked. This is usually something you can achieve through packet editing. You want to set a breakpoint on the Winsock "recv()" function, and when you are kicked, you should receive the data which your game client then parses to know that you are being kicked. Sometimes it is a two-step process where the client also send()'s a packet back, depending on the way the game is designed (from a networking aspect). If it is peer to peer, then most likely it won't send anything back. By breaking on recv() you'll also have a better starting point as to how that "kicking" message is eventually called and how and where that data is stored.

1 person likes this


Posted

I didn't have time to read the whole message, but from skimming and looking through comments, it sounds like you're trying to avoid being kicked. This is usually something you can achieve through packet editing. You want to set a breakpoint on the Winsock "recv()" function, and when you are kicked, you should receive the data which your game client then parses to know that you are being kicked. Sometimes it is a two-step process where the client also send()'s a packet back, depending on the way the game is designed (from a networking aspect). If it is peer to peer, then most likely it won't send anything back. By breaking on recv() you'll also have a better starting point as to how that "kicking" message is eventually called and how and where that data is stored.

Thank you for the extremely detailed answer, I'll look into this and hopefully post some results. I thought that I could have backtracked to the kicking

I didn't have time to read the whole message, but from skimming and looking through comments, it sounds like you're trying to avoid being kicked. This is usually something you can achieve through packet editing. You want to set a breakpoint on the Winsock "recv()" function, and when you are kicked, you should receive the data which your game client then parses to know that you are being kicked. Sometimes it is a two-step process where the client also send()'s a packet back, depending on the way the game is designed (from a networking aspect). If it is peer to peer, then most likely it won't send anything back. By breaking on recv() you'll also have a better starting point as to how that "kicking" message is eventually called and how and where that data is stored.

Thanks for the response, it really means a lot. I decided to do what you said and I set bp's wherever recv was being called in the game.

Unfortunately, the bp's don't get triggered when a player gets booted from the game. Isn't there a way to use the debug string and backtrack to the original function?

Here's a screen of all the recv calls in the game:


Posted

FYI, you will never see ADD 5,eax anywhere at all, as it will never work. ADD eax,5 is correct though.

May I suggest reading some basic/intermediate ASM tuts so you understand the structure of opcodes etc. With some knowledge there you won't be so eager to NOP everything to see if it affects anything.

1 person likes this


Posted

Hmm, it uses recvfrom() as well, which is generally used for the UDP protocol (peer to peer generally uses this too); try those. If you still get nothing, I would go to the code segments where these APIs are called. It seems you are a novice, so it would probably be futile for me to tell you to find a suspicious sequence of code. And like DABhand says, mov 5,eax will blow up your computer; consider reading a basic assembly tutorial. The best I've read is here: http://www.drpaulcarter.com/pcasm/

1 person likes this


Posted

A big thanks to both of you. And yes, I do acknowledge that I'm a novice when it comes to assembly; as a matter of fact, I only got into it for this one feature. Otherwise I wouldn't bother touching a new language. Sadly, the only resource I have is you guys, since nobody else besides me is trying to hack/code for the game, and the game is completely closed source and details about the game's engine are completely unknown as well. Also, Genuine, I do understand that the "suspicious pieces of code" may be too complex for me to handle, but it's the only lead I have, even if I don't understand it. The only way I'm going to is if I get the opportunity to do so. I'm also going through asm tutorials as I'm doing this process, and have taken into account the one you gave. So if you have time, maybe you can do some analysis of the code and post back here; that would be of great help to me.
