<html><head>
<title>YAFT</title>
<style type="text/css">
<!--
h3,h1,ul li a {
color: #FF0000;
}
h3:hover,h1:hover,ul li a:hover{
font-style:italic;
}
-->
</style>
</head>
<body>
<h1>Fog the other way (using codecaves)</h1>
<p><i>by learn_more</i></p>
<ul><li><a href="#Requirements">Requirements</a></li>
<li><a href="#What">What are we trying to do?</a></li>
<li><a href="#How">How are we going to do it?</a></li>
<li><a href="#Start">Let's get started!</a></li>
<li><a href="#What">Now What?</a></li>
<li><a href="#Code">Setting up the codecave</a></li>
<li><a href="#FAQ">FAQ</a></li></ul>
<p> </p>
<h3><a name="Requirements">Requirements:</a></h3>
<p>Basic knowledge of <b>asm</b> <i>(without any knowledge of asm this is very difficult!)</i>, <b>TSearch</b>, <b>OllyDbg</b>, <br>
a little <b>experience</b> with <b>gamehacking</b>, and a game (I use bf1942 1.61b)</p>
<p>If you miss any of these things, or you don't know what this is about,<br>
I recommend you read the excellent tutorial "<b>Theories and Methods of Hacking</b>" by <b>Faldo</b>.<br>
</p>
<h3><a name="What">What are we trying to do?</a></h3>
<p>We are trying to make a fog hack that will work on every computer,<br>
and where the fog distance can be changed easily.
</p>
<p> </p>
<p> </p>
<h3><a name="How">How are we going to do it?</a></h3>
<p>First we find the memory address,<br>
and then we look for the instruction that reads it.<br>
When we get there, we see what the options are!<br>
</p>
<p> </p>
<h3><a name="Start">Let's get started!</a></h3>
<i>To make it easier to check your hacks and to use tsearch and ollydbg while the game is running,
use windowed mode</i>
<pre><font color="#0000FF">To do this, find a file called "VideoDefault.con" located
in "Battlefield 1942\Mods\bf1942\Settings"-folder.
Open this file with notepad and change the line:
renderer.setFullScreen 1
to
renderer.setFullScreen 0</font></pre>
(Thanks <b>Faldo</b>!)
<p> </p>
<p><br>
First start BF, and start a game (local, singleplayer, coop or whatever).<br>
Now look in the options what the view distance is (Options->Video).<br>
Attach TSearch to BF:<br>
Alt-Tab to get out of BF (click anywhere but on BF to get the mouse pointer visible),<br>
start TSearch, and click on Open Process.<br>
<img src="images/open_process.gif" width="106" height="70"><br>
Now select BF1942.exe</p>
<p>Click on the search button (underneath the "Open process" button, with the magnifier icon)<br>
<img src="images/search.gif" width="111" height="93"><br>
<br>
In the window that pops up, fill out these values: <br>
Search: <b>Exact Value</b><br>
Value: <b>[here you have to type the value you found at the video options]</b><br>
Type: <b>4 Bytes</b></p>
<p>Depending on the value used, there are very many addresses, or not that many (I had around 5000). <br>
<br>
<br>
<b>Eliminate all useless addresses:</b><br>
Switch to BF, and go to Options->Video to change the view distance.<br>
Switch back to TSearch, and click on Search Again.<br>
<img src="images/search_again.gif" width="81" height="50"><br>
<br>
Now search for the exact value the view distance is set to now. </p>
<p><b>Repeat this address elimination until you have 10 or fewer addresses. </b></p>
<p> </p>
<p>In TSearch, click on "Add all line found to the table"<br>
<img src="images/Add_All.gif" width="144" height="57"> </p>
<p><br>
All found addresses are added to the cheat table.<br>
</p>
<p><b>Finding the right Address</b><br>
Change the value of the first address found to 200,<br>
and look at Battlefield to see if the view distance has increased. <br>
<i>(For easier working, pause Battlefield at a point where you can see the mist very clearly,<br>
for example standing at the coast in the map Battle of Britain.)</i> <br>
If the distance has increased, <b>remember the address that was correct</b>, and go to the next section.<br>
Otherwise:
<br>
Change the value of the first address back to what it was,<br>
and change the second value to 200.<br>
Repeat this until you have found the correct address.<br>
<br>
Values to change: <b><i>(they don't have to be 86, but that is the last value I used!)</i></b> <br>
<img style="border:1px solid #000000;" src="images/change_this.gif" width="610" height="300"></p>
<p> </p>
<p> </p>
<h3><a name="What">Now what ?</a></h3>
<p><br>
To create a very simple trainer, change the value of this memory address.<br>
<i>Please note that this will only work on your own computer!<br>
</i>To make it work on other computers too, we have to do some more stuff! </p>
<p> </p>
<p><b>Finding the addresses that access your "fog distance"<br>
</b>In TSearch, click on Autohack->Enable Debugger <br>
<img src="images/en_debugger.gif" width="153" height="76"><br>
<br>
Then click on AutoHack->AutoHack window<br>
In the window that opens, click on Edit->Set BreakPoint <br>
<br>
<img src="images/AutoHack.gif" width="620" height="305"> <br>
</p>
<p>Type the memory address you found in the previous step,<br>
<b>and make sure to set the Type to Read/Write</b></p>
<p><img src="images/bpx.gif" width="351" height="79"></p>
<p><br>
<br>
In the Autohack window, at least one line should be added to the list.<br>
<img style="border:1px solid #000000;" src="images/address.gif" width="250" height="43"></p>
Now what is that?
<ul>
<li><b>The check box:</b> tick it to erase the instruction from memory.</li>
<li><b>The number behind the check box:</b> the memory address at which this instruction is stored.</li>
<li><b>fild dword ptr [eax+0x18]:</b> this is assembly, the "language" of your processor.</li>
</ul>
<p>In this example the fild instruction loads the fog value from memory.<br>
Since we want to change that value, this instruction is interesting!<br>
<b><i>Please write down the address of this instruction; in my example this would be <font color="#FF0000">6ad28e</font></i></b><br>
<br>
Because eax is used (its value is only known at run time), and we can't directly read from eax (at least not without a debugger), we are going to create a codecave to have a custom value loaded instead.</p>
<p> </p>
<p><b>Prototype:<br>
</b>Write a new value at a free place in memory.<br>
Have the fild instruction load that value instead of the original.<br></p>
<p> <b>Let's change that instruction!</b> <br>
Because TSearch is no good for changing instructions, close it.<br>
Normally Battlefield closes at the same time, so reopen Battlefield and start a new game.<br>
When you respawn (a big map comes in handy), walk to a point where you can see the fog and pause the game. </p>
<p> </p>
<h3><a name="Code">Setting up the codecave</a></h3>
<p> </p>
<p>Open OllyDbg, and attach it to BF1942. (File->Attach)<br>
OllyDbg is now processing the file in memory, and when it is finished, you see this in the lower right corner:<br>
<img src="images/olly_Paused.gif" width="148" height="101"></p>
<p>Press Run to make sure Battlefield is not crashing:<br>
<img src="images/Olly_Run.gif" width="261" height="86"></p>
<p> </p>
<p>The lower right corner should now look like this:<br>
<img src="images/Olly_running.gif" width="128" height="79"></p>
<p><b>If it still displays Paused, click Run again!</b> </p>
<p> </p>
<p>Now that OllyDbg is attached, we are going to take a look at the address where the fog is loaded.<br>
To do so, press Ctrl+G and enter the address we found earlier (in this example it is
<b><i><font color="#FF0000">6ad28e</font></i></b>).<br>
For some weird reason, we do not end up at the correct address immediately,<br>
so repeat this until you are at the right address.
</p>
<p>You should now see something like this (without the red border of course):<br>
<img src="images/fild.gif" width="464" height="129"></p>
<p><br>
fild loads the value at [eax+18] and pushes it as a float on top of the FPU stack.<br>
For the fog distance, we want to change this value, so we will need to change this instruction.<br>
Because we do not have enough space to edit the fild instruction in place,<br>
we are going to use a codecave.</p>
<p>Idea behind a codecave:<br>
<img style="border:1px solid #000000;" src="images/codecave.gif" width="631" height="243"> <br>
</p>
<p>First, select the fild instruction and the mov instruction below it.<br>
Now press Ctrl+C to copy them to the clipboard.</p>
<p>Open Notepad, and paste the copied lines there.<br>
Also write down the address of the instruction directly behind them.<br>
(In this example it is some FMUL instruction.)
</p>
<p><br>
Switch back to Olly, and press Ctrl+S.<br>
In the screen that appears, enter the following:<br>
Nop<br>
Nop<br>
Nop<br>
Nop<br>
Nop
<br>
<br>
Press Enter once; it should bring you to the first codecave in BF. <br>
This codecave is too far away from the code we are going to patch.<br>
I don't know if it matters, but I like to take a codecave that is a little closer.
</p>
<p><br>
Press Ctrl+G and enter the address of the code you want to patch (in this example that is
<b><i><font color="#FF0000">6ad28e</font></i></b>). </p>
<p>When at this address, press Ctrl+L a few times until you find a nice codecave:<br>
<img src="images/Code_Cave.gif" width="534" height="310"></p>
<p>We now want to insert some code,<br>
so let's try that.<br>
Select the first (or second) line of the codecave, and press Space.</p>
<p>In the dialog that appears we enter this: "FILD DWORD PTR DS:[xxxxxxx]" (without the quotes of course),<br>
where xxxxxx is a little codecave a few addresses above the current codecave.<br>
<font color="#FF0000"><b>MAKE SURE THIS SMALL CAVE HAS AT LEAST 4 "FREE" NOP OPERATIONS!</b></font></p>
<p>This is what it should look like now:<br>
<img src="images/point_to.gif" width="468" height="367"></p>
<p> </p>
<p>Write down the address of our custom FILD instruction, because we will need it later. </p>
<p> </p>
<p>Before we forget it, select the address the FILD instruction points to, and press Space to add code there.<br>
We want the fog at distance 300 (decimal), which is 12C in hexadecimal.<br>
Enter the code: DD 12C<br>
Assembled, this now looks like:<br>
<img src="images/crap_mem.gif" width="342" height="61"></p>
<p>No worries, the data only looks like instructions; this is because Olly did not analyze it properly.<br>
The 12C also appears reversed; that's the way it is stored in memory (little-endian, so the 0000 after it actually appears before the number).</p>
<p>When you select the FILD instruction, the lower pane of the CPU window should say something like this:<br>
<img src="images/pointer_ok.gif" width="382" height="58"></p>
<p>Since we need a jump to our newly created code, and a jump does not fit in the 3 bytes of the original FILD instruction, the instruction behind the ORIGINAL FILD instruction will get overwritten by our jump.</p>
<p>So we need to recreate that code after our own FILD instruction.<br>
Remember the text we pasted in Notepad?<br>
Let's copy the line that says:<br>
MOV ECX, DWORD PTR DS:[971EAC]</p>
<p>Go to our codecave, and select the first nop behind our custom FILD instruction.<br>
Press Space to edit code, and paste the MOV ECX instruction.</p>
<p>It should now look like this:<br>
<img src="images/codecave_crap.gif" width="486" height="125"></p>
<p>Because we are a few memory blocks away from our original code,<br>
we need a normal (near) jump to get back to the normal code,<br>
but this doesn't fit in the 3 bytes that are free.</p>
<p>How are we going to solve this?</p>
<p>Let's take a look at the code listing a little bit further down. </p>
<p><img src="images/yes_free_bytes.gif" width="430" height="336"></p>
<p>Remember the address we wrote down, along with the instructions?<br>
That is the address we are going to jump back to. </p>
<p>Select the first line of the little codecave, and press Space to assemble.</p>
<p>Enter the following code: JMP <font color="#FF0000">006AD297</font> <br>
Where <font color="#FF0000">006AD297</font> is the address you wrote down. (It can differ)</p>
<p> </p>
<p>Now that is sorted, we still need to get to our "jumpgate".<br>
We do that with a JMP SHORT <font color="#FF0000">006AF09B</font>, just after the FILD and MOV instructions in our main codecave, <br>
where <font color="#FF0000">006AF09B</font> is the address of our "jumpgate".</p>
<p>Now our full patched code looks like this:<br>
<img src="images/progress_until_now.gif" width="490" height="420"></p>
<p> </p>
<p>Now we can finish our hack!</p>
<p>Go to the <b>original</b> FILD code.</p>
<p>I like to pause BF at this stage, to make sure the game is not crashing (it still does if you did something wrong though). </p>
<p>IMPORTANT: Now select BOTH the FILD and the MOV instruction, to make sure Olly nops the whole remainder of the MOV instruction.<br>
<img src="images/important_select.gif" width="611" height="97"></p>
<p>Press Space, and enter this code: JMP <b><font color="#FF0000">006AF071<br>
</font></b>Where <b><font color="#FF0000">006AF071</font></b> is the address of the codecave you wrote down earlier. </p>
<p>Resume Battlefield if you did pause it,<br>
and the fog should be at 300%!
</p>
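<p>The jump arithmetic behind the three patches above (the 5-byte JMP over the original site, the JMP SHORT to the jumpgate, and the JMP back), as an added example that is not part of this tutorial. It assumes the original FILD (3 bytes) plus MOV (6 bytes) occupy 9 bytes, and reuses the tutorial's example addresses; the last function is the check a defender would run over a code snapshot to spot that an instruction has been replaced by a detour and where it leads.</p>

```c
#include <stdint.h>
#include <string.h>

/* Encode the 5-byte near jump (E9 rel32) that replaces the original
 * FILD/MOV pair. rel32 is measured from the end of the jump itself. */
static int encode_jmp_near(uint32_t from, uint32_t to, uint8_t out[5]) {
    int64_t rel = (int64_t)to - ((int64_t)from + 5);
    if (rel < INT32_MIN || rel > INT32_MAX) return -1;
    int32_t r = (int32_t)rel;
    out[0] = 0xE9;
    memcpy(out + 1, &r, 4);   /* x86 stores the displacement little-endian */
    return 5;
}

/* Encode the 2-byte short jump (EB rel8) used to reach the "jumpgate".
 * Fails when the target is outside the -128..+127 byte range. */
static int encode_jmp_short(uint32_t from, uint32_t to, uint8_t out[2]) {
    int64_t rel = (int64_t)to - ((int64_t)from + 2);
    if (rel < -128 || rel > 127) return -1;
    out[0] = 0xEB;
    out[1] = (uint8_t)(int8_t)rel;
    return 2;
}

/* Patch for the original site: the near jump plus NOP padding up to
 * site_len, so no half-overwritten MOV bytes remain as stray opcodes. */
static int build_site_patch(uint32_t site, size_t site_len, uint32_t cave,
                            uint8_t *out, size_t out_len) {
    if (site_len < 5 || out_len < site_len) return -1;
    if (encode_jmp_near(site, cave, out) < 0) return -1;
    memset(out + 5, 0x90, site_len - 5);   /* 0x90 = NOP */
    return (int)site_len;
}

/* Defender side: inspect a code snapshot loaded at `base` and report
 * whether `addr` now begins with an E9/EB jump; on 1, *target is set. */
static int detour_target(const uint8_t *code, size_t len, uint32_t base,
                         uint32_t addr, uint32_t *target) {
    if (addr < base || addr - base >= len) return -1;
    size_t off = addr - base;
    if (code[off] == 0xE9 && off + 5 <= len) {
        int32_t rel; memcpy(&rel, code + off + 1, 4);
        *target = addr + 5 + (uint32_t)rel;
        return 1;
    }
    if (code[off] == 0xEB && off + 2 <= len) {
        *target = addr + 2 + (uint32_t)(int8_t)code[off + 1];
        return 1;
    }
    return 0;   /* original instruction still in place */
}
```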
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p>Thanks for reading this tutorial. </p>
<p>Any questions can be asked at the forums.<br>
Do not ask for compiled trainers; I don't provide them.</p>
<p> </p>
<p>learn_more</p>
<p> </p>
<p> </p>
<p> </p>
<p>Thanks to Faldo for his excellent tutorials! </p>
<p> </p>
<p> </p>
<h3><a name="FAQ">FAQ:</a></h3><p>
<b>Q:</b> When I attach OllyDbg to my game, I get a nag about injected code that is not responding.<br>
<b>A:</b> In OllyDbg go to Options->Debugging options->Registers<br>
and untick the box "Decode SSE registers".</p>
</body>
</html>