How To make a Hack

Forged

Premium Member
Joined
Nov 28, 2002
Messages
5,433
Reaction score
0
Location
Texas
Website
www.securegamers.com
For all you curious kids out there, this is how you make a maphack.

___________________________________________________

Hi there.... I've been working on a map hack for Age of Wonders 2 which I'm
gonna write some about. If you aren't too experienced with SoftIce and assembler
yet, I would recommend you to work on other kinds of options first though (and
practice SoftIce/assembler)... other than that, there's also gonna be a little
C++ and DirectX... but I'll just tell you what you have to know about that...

Another thing is that you have to run SoftIce in universal mode to make this
work. If SoftIce is running its own full screen, the game won't be repainting
SoftIce, which we need to happen to track down the game's drawing routines.
Well... you can track it down in other ways as well, but this is much faster and
easier so I won't bother with anything else.

If you're not running SoftIce in universal mode... just open up the video
setup/settings and hit the Universal Mode checkbox... now restart the computer.
So, that's it, time to start ;)


Finding the game's drawing-routine
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
The first thing we'll have to do to make this work is to find the routine that
updates the screen... and by that, I mean a call which puts a whole new frame
onto the screen. (the game does this all the time... all games do...)

Start off by entering SoftIce. Right below the code window, you'll see something
like AoW2!CODE+some_number if SoftIce popped up while aow2's code was executing.
If it says something else, you'll have to close and reopen SoftIce until you're
in aow2.

Now that you're there.... this is when you need SoftIce knowledge/experience.
You have to be good at crawling around loops and functions, because that is what
you have to do now. You're gonna step out of loops and functions and execute
loops of code and just any code until SoftIce looks weird, because SoftIce will
look weird once the game updates the screen. Your aim is to get out of as many
loops and functions as possible.... the more functions you return from, the more
likely you are to run across the drawing-routine. This is something that you
HAVE to do on your own... you can appear just anywhere inside the code with
SoftIce, and there's no way I could cover all of it. Just keep in mind to check
that you're inside aow2's code, it has to say AoW2!CODE+some_number below the
code window, otherwise you're gonna have to try closing/opening SoftIce again.

In case you're curious as to what it looks like when you run across this screen
update, put a breakpoint at 4F4A9B, and then hit F10 when SoftIce breaks. This
is what it looks like and this is what you're looking for...

Once you do come across the update.... typing rs in SoftIce and hitting enter
twice will clear it up for you. rs is a command used to hide SoftIce, so that
you can see what is behind it, and it then waits for a key to be hit before it
returns... and once it returns, you'll have a new and fresh view of SoftIce.

If you have trouble getting to this call that paints the screen.... a tip is
that hitting F12 in SoftIce will bring you right below the call which executed
the function you were currently in... I'll show an example, suppose this is the
scenario:

...
push ecx
push eax
call 4785a1
mov ecx, eax
xor ebx, ebx
...


4785a1:
...
mov edx, [edx]
add ecx, edx <----- This is where SoftIce popped up
sub bl, 12
...
ret

Now.... if you hit F12... SoftIce will proceed until it gets to the ret
instruction at the end, execute it... and you're gonna be at the "mov ecx, eax"
instruction.

Keep doing this and hitting F10 ("p" command) to walk through loops and
code and the like, and in time it will get SoftIce messed up. Once this happens,
take note of the address of the instruction (it'll be a call, always will be...)
which messed up SoftIce.

This will take some messing around... but after doing it a few times you will
get there... you'll just stumble across it soon enough... there isn't really
much I can do to help you get to it.... but if you're familiar with SoftIce I'm
certain you'll find your way. ;)

This is the address which I found: 4F4A9B... now that you've found it, you're
gonna have to trace into(F8) that function and look for a call inside this new
function which messes up SoftIce.... and you do that over and over again...
AND... ultimately, you'll spot a call which jumps into DirectX code ;) (that
is... when it won't say AoW2!CODE+some_value below the code window, it would be
ddraw instead...)

To quickly trace into a function when the highlighted line is below the call...
you just left-click the call you wish to trace into, which puts the cursor
right at the call instruction... now hit F7. This will make SoftIce
automatically put a breakpoint on it, and let the game execute till it gets
there. So the call instruction will now be highlighted and you can trace into it
;)

Here are the calls I found by tracing downwards that draw onto the screen:

004F4A9B call [edx+000000C8] (first one)
004F47CB call [edx+48] (found by tracing downwards)
004F541A call [ebx+54] (found by tracing downwards)
00428410 call [eax+1C] (DirectX call)

There... the last one is the DirectX call that puts a new frame on the screen...
as it says ddraw!.text below the code window when you trace into it, you'll know
it's DirectX(DirectDraw) code that you traced into.... and that's as far as we
have to go. Now, we're gonna have a look at this call to mess up the drawing ;)


Continued
 

Forged

Switching surfaces
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
I've written down the instructions that call for the screen update(the DirectX
call that is), and here they are:

004283F9 push 10
004283FB mov eax, [ebp-04]
004283FE push eax
004283FF mov eax, [esi+24]
00428402 push eax
00428403 mov eax, [edi+04]
00428406 push eax
00428407 mov eax, [edi]
00428409 push eax
0042840A mov eax, [ebx+24]
0042840D push eax
0042840E mov eax, [eax]
00428410 call [eax+1C]

You should recognize this from SoftIce, where the last instruction is the
call to DirectX. You saw when tracing into it that it's DirectDraw code...
IDirectDrawSurface7 is the latest version of the Direct Draw surface (from
DirectX 7), and if you look up the debug messages, you'll find that it's calling
DirectX 7/8 functions (requires the debug build of the DirectX SDK though)...
this would be enough to look up the IDirectDrawSurface7, but if you'd want a
more sophisticated assumption you can look up how DirectX creates its surfaces
and break on those functions (I won't cover that, as this is enough).

Now.... as this DirectDraw Surface points to a table with addresses of
functions, what you have to do is check which function [eax+1C] is. Because eax
is the base address, what you do is look up what function +1C points
towards(this is the same for all IDirectDrawSurface7 surfaces)... the address of
each function is 4 bytes long... divide 1C by 4 and you'll get 7. So we look up
the 7th function declared for the surface ;)

What you need now is ddraw.h, which comes with the DirectX SDK for version 7.0
or later(there's a ddraw.h for earlier versions of the SDK as well, but those
versions of ddraw.h are too old).... inside it you'll find this piece of
information:

DECLARE_INTERFACE_( IDirectDrawSurface7, IUnknown )
{
... (6 functions) ...
STDMETHOD(BltFast)(THIS_ DWORD,DWORD,LPDIRECTDRAWSURFACE7, LPRECT, DWORD)
PURE;
... (lots of functions) ...
};

Alright, there.... aow2 is calling BltFast to paint onto the screen. Here's a
reference of this function:

-----------------------------------------------------------
The IDirectDrawSurface7::BltFast method performs a source copy blit or
transparent blit by using a source color key or destination color key.

HRESULT BltFast(DWORD dwX, DWORD dwY, LPDIRECTDRAWSURFACE7 lpDDSrcSurface,
LPRECT lpSrcRect, DWORD dwTrans);

dwX and dwY
The x- and y-coordinates to blit to on the destination surface.

lpDDSrcSurface
Address of an IDirectDrawSurface7 interface for the DirectDrawSurface object
that is the source of the blit.

lpSrcRect
Address of a RECT structure that defines the upper-left and lower-right
corners of the rectangle to blit from on the source surface.

dwTrans
Type of transfer. The following transfers are defined:
DDBLTFAST_DESTCOLORKEY
A transparent blit that uses the destination color key.
DDBLTFAST_NOCOLORKEY
A normal copy blit with no transparency.
DDBLTFAST_SRCCOLORKEY
A transparent blit that uses the source color key.
DDBLTFAST_WAIT
Postpones the DDERR_WASSTILLDRAWING message if the blitter is busy, and returns
as soon as the blit can be set up or another error occurs.
-----------------------------------------------------------

You might have noticed from the code disassembly that it has 6 pushes, while only
5 parameters are shown in the reference.... you can see at the declaration that
it does take 6 parameters. However, the compiler has been told to add the THIS_
variable automatically so that the programmer won't have to bother with it....
which is why only the other 5 parameters are shown in the function reference.

From this, I'll add some comments to the code:

004283F9 push 10 ; dwTrans
004283FB mov eax, [ebp-04]
004283FE push eax ; lpSrcRect
004283FF mov eax, [esi+24]
00428402 push eax ; lpDDSrcSurface
00428403 mov eax, [edi+04]
00428406 push eax ; dwY (pushed right to left, so dwY comes before dwX)
00428407 mov eax, [edi]
00428409 push eax ; dwX
0042840A mov eax, [ebx+24]
0042840D push eax ; THIS_
0042840E mov eax, [eax]
00428410 call [eax+1C]

There.... and you should be able to add those yourself as well if you take a
look at the reference/declaration ;) ... just keep in mind that parameters are
pushed from right to left (when you look at the declaration)...

If you notice that dwX and dwY are zero even though it paints all over the
screen.... that's because when they are zero, DirectX will consider it the whole
screen ;) ... you could try changing those or the RECT structure if you'd like
to, you'll find that the screen starts looking weird or that only half of
SoftIce is messed up soon enough :p

What I've been looking for is just this... the destination surface and the
source surface. Games never paint directly onto the screen... they paint onto a
surface not situated on the screen, so that they can then put everything on
screen later on, otherwise it'll look very strange and far from smooth... as
you'll soon find out ;) First it paints the terrain... then objects/stuff..
and then comes blackness and lighting on top of that... this doesn't happen all
at once on the surface the game paints on which is not the screen(on the screen
it all does come at once)... though it does keep painting this all the time in
that order, which is what we're gonna use to hack the map.

THIS_ is a variable that points to the object which calls the
function... and the object is the surface which is shown on the screen (surfaces
call BltFast to paint onto themselves). The surface shown on screen is often
referred to as the primary surface. Apparently, THIS_ is located at [ebx+24]... so we
now have the address which stores the primary surface.

Then.... you should see that it uses lpDDSrcSurface to read what is to be
painted onto the primary surface, and this surface is often referred to as the
secondary surface (it's something like a backbuffer).

NOW.... what you do is write down the values located at esi+24 and ebx+24... the
values are 4 bytes long... if you take a look at lpDDSrcSurface, it has the lp-
prefix, meaning long pointer(and the rest of the name meaning to a Direct Draw
Source Surface)... and those are 4 bytes... so, now.... we just switch the
surfaces... to do that, you copy the 4 bytes at esi+24 into ebx+24 and the 4
bytes at ebx+24 into esi+24. As the game's other drawing routines write to the
surface pointed to by that memory, they will now be accessing the screen
instead, now that you switched them.

When the surfaces were created by the game... it wanted one to be the surface
shown on the screen, and one to paint to before it's shown. This fact won't
change when you switch them... and when you put the primary surface in place of
the secondary surface, the game will be painting to the screen while it believes
it's just painting to a surface which isn't shown to the player. Then, when it's
done painting, it'll copy what is on the screen to the secondary surface... as
you switched them.

The game isn't really worth playing anymore...... but you can see how the game
paints everything!.... you can see the landscape appear... you can see the trees
grow... how the mountains appear... anything.... ;) ... including the blackness
spreading across the screen :p


Continued
 

Forged

Finding the map-drawing routine
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Our next step is to catch a call which paints the blackness... and to do that
you do pretty much the same as when trying to catch the call which painted the
whole screen. Open up SoftIce, and then close/open it until you're both inside
AoW2 code and the blackness hasn't yet been painted. Now you're gonna need your
SoftIce knowledge again ;) .... crawl out of loops/functions until you come
along a call which messes up SoftIce. This should have the same effect as
before... just that not all of SoftIce will be painted over... just the part of
the screen which the blackness is painted on. (or... you might come along the
trees being painted or something like that, and they would also be painted over
SoftIce)

Anyway... the call I came across is located at 4653DA... you'll find other
things being painted as well nearby that call if you look around ;)

004653C0 mov edx, ebx
004653C2 mov eax, [ebx+00000260]
004653C8 mov ecx, [eax]
004653CA call [ecx+00000100] ; Paints objects
004653D0 mov edx, ebx
004653D2 mov eax, [ebx+00000260]
004653D8 mov ecx, [eax]
004653DA call [ecx+00000104] ; Paints blackness/some stuff
004653E0 mov eax, [ebx+00000190]
004653E6 mov edx, [eax]
004653E8 call [edx+78] ; Paints blackness/some stuff

However... as these calls also paint some other stuff... that's apparently not
what we want ;) (the rainbow for example, some lightning around glimmery stuff,
objects at the edge of the screen... and more...)

The first call doesn't paint the blackness every time.... but if you follow the
second call, you'll just end up at a Direct3D IM call which isn't what we
want... if we trace the first call a few times, we'll come along this call which
puts the blackness on screen:

004B165A call 0047FAEC

Then, we just trace into that call as well to see what happens... and find some
more interesting code ;) .... and in this new function, you'll find that the
call at 47FB5E also paints the screen..... as there are several conditional
jumps before this point in code, which jumps further down... let's just have a
look at them...

0047FB43 test byte ptr [eax+59], 01
0047FB47 jz 0047FB60
0047FB49 test byte ptr [eax+000000A0], 08
0047FB50 jz 0047FB60

Both of these jump below the call.... perhaps you could try changing them
(turning either of them into jmp instead) and see what happens, it's not the
right one though(but it does affect the graphics)... so we look a bit further
up:

0047FB2B cmp byte ptr [esi+00000112], 00
0047FB32 jnz 0047FB3D
0047FB34 cmp byte ptr [esi+00000113], 00
0047FB3B jz 0047FB6C

Try changing [esi+113] to 0(it should be set to 1 already)... see?... Then, try
setting the byte at [esi+112] to 0(it should also be set to 1 already)......
there, voila ;)

Apparently... these switches cleared the map for us... we can now see everything
and select things where there should have been blackness.... so that's it. Map
hacked ;) .... and this doesn't mess up the graphics for anything but the
blackness...


The cheat
¯¯¯¯¯¯¯¯¯
You should know some about code injection... otherwise, have a look at [sheep]'s
tutorial about it. Anyway.... for the cheat I just injected some code at
47FB2B(where the compare is) to set the flags to show the map... and this is the
little bit of code I injected:

mov word ptr [esi+112], 0
ret

And this is how the cheat turned out:

645FB4 66C786120100000000C3
47FB2B E884641C009090


Thanks

by Slurps
_______________________________________________
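Added here as a worked example from the defender's side (it is not code from the post or from Slurps): a code-integrity check over the kind of patch site the cheat section describes. It compares a site's bytes against a known-good copy and, when they differ, decodes the E8 call's rel32 displacement to report where the hook jumps. The 7-byte encoding of the original cmp and the known-good comparison are my assumptions; the patched bytes are the ones listed in the post.

```python
import struct
from typing import Optional

# Constructed sample, based on the post's cheat section: the original
# "cmp byte ptr [esi+112h], 00" at 0x47FB2B (80 BE 12 01 00 00 00 is the
# standard x86 encoding, 7 bytes) and the patched bytes listed for that site.
SITE_ADDR = 0x47FB2B
ORIGINAL_BYTES = bytes.fromhex("80BE1201000000")
PATCHED_BYTES = bytes.fromhex("E884641C009090")


def decode_rel32_call(code: bytes, addr: int) -> Optional[int]:
    """Return the absolute target of an E8 (call rel32) found at addr, else None.

    The CPU computes the target from the address of the *next* instruction
    (addr + 5) plus the signed 32-bit displacement that follows the opcode.
    """
    if len(code) < 5 or code[0] != 0xE8:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def trailing_nops(code: bytes) -> int:
    """Count 0x90 bytes at the end of code (padding a hook leaves behind)."""
    n = 0
    for b in reversed(code):
        if b != 0x90:
            break
        n += 1
    return n


def check_site(expected: bytes, actual: bytes, addr: int) -> dict:
    """Compare the bytes at a code site against their known-good copy.

    Returns a small report: untouched, or tampered together with the decoded
    call target and NOP padding, which is the signature of an inline call hook.
    """
    if actual == expected:
        return {"tampered": False}
    return {
        "tampered": True,
        "site": addr,
        "call_target": decode_rel32_call(actual, addr),
        "nop_padding": trailing_nops(actual),
    }


if __name__ == "__main__":
    report = check_site(ORIGINAL_BYTES, PATCHED_BYTES, SITE_ADDR)
    print(report)  # call_target decodes to 0x645FB4, the post's injected code
```

In a real check the expected bytes come from the on-disk image or a hash of the code section, and the whole section is compared rather than one site.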
 

NeverGoingBack

BattleForums Senior Member
Joined
Jul 18, 2003
Messages
2,276
Reaction score
0
I could probably translate this for you

awesome forged, awesome

the one I wanted to make though wasn't just for mh, but all hacks, but I think mh is a good example of how most hacks work
 

NEOxx0

Member!
Joined
Jun 4, 2003
Messages
757
Reaction score
0
Location
kyoto, Japan
ok now that you have explained how to make a hack, around how long does it take to actually make a hack like that?
 

NeverGoingBack

here is how to make a map hack (German)

here is the "how to make a map hack" (German)

if you would like any other languages let me know

look for better translations in the future for all languages by
"nevergoingback"
 

NeverGoingBack

ok I just looked at the attachment and I don't think it was my program that makes it hard to read (could be, I don't know German), but how it's put together. I will edit it so it's easier to understand if you guys want

I don't know if it's worth the time and effort to you all?

then again I might just do it for shits and giggles

also pirateman1, if you are a self-proclaimed pirate then you shouldn't have any problem finding the software yourself
 

Unkown2k2

Well-Known Member
Joined
Jul 31, 2003
Messages
76
Reaction score
0
Location
Texas
Wow, an actual how to make a hack? You should lock certain things like this to members only. I think admin can lock a thread so only members can read. It will get Forums 100,000 members per patch.
 

NightDrunk

Member
Joined
Aug 6, 2003
Messages
7
Reaction score
0
Location
Elmwood Park
I think that making a map hack would probably be easier to make in Java or ActiveX than C++. I agree C++ is good, but newbie programmers might have a little trouble with it. If you would like to make a hack then I propose you use Java, much easier.
 

Maelstorm

Member!
Joined
Aug 19, 2003
Messages
88
Reaction score
0
Does anyone know a tut on SoftIce???? and also where the hell can I get a good disassembler (IDA)????
Thx in advance
 

NeverGoingBack

ok I made a thread with links to tutorials for various hacking/cracking programs. I hope it helps. maybe it can be added here. also I will update it when I find different or better tutorial sites



also I've been trying to post SoftIce for those who need it for like 2 weeks now, but every time I submit a thread with it, it just lags and then takes me to yahoo.com and doesn't submit the thread.

 