neverfail.cpp
Code:
/* MW2 1.0.174
00586C60 |. 85C9 |TEST ECX,ECX
00586C62 |. 0F84 BD000000 |JE iw4mp.00586D25 ; NOP to see nametags in FFA also
00586C68 |. 8B86 70010000 |MOV EAX,DWORD PTR DS:[ESI+170]
00586C6E |. 8BD0 |MOV EDX,EAX
00586C70 |. 69D2 2C050000 |IMUL EDX,EDX,52C
00586C76 |. 3B8A 0C588E00 |CMP ECX,DWORD PTR DS:[EDX+8E580C]
00586C7C |. 0F85 A3000000 |JNZ iw4mp.00586D25 ; NOP to draw enemy tags too
00586C82 |. 8B15 CCB27E00 |MOV EDX,DWORD PTR DS:[7EB2CC]
00586C88 |. 8D0CFF |LEA ECX,DWORD PTR DS:[EDI+EDI*8]
00586C8B |. 8D0448 |LEA EAX,DWORD PTR DS:[EAX+ECX*2]
00586C8E |. 8D2C40 |LEA EBP,DWORD PTR DS:[EAX+EAX*2]
00586C91 |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
00586C95 |. 3B42 10 |CMP EAX,DWORD PTR DS:[EDX+10]
00586C98 |. 8D2CAD 50707D00 |LEA EBP,DWORD PTR DS:[EBP*4+7D7050]
00586C9F |. 7F 1E |JG SHORT iw4mp.00586CBF
00586CA1 |. E8 5AFDFFFF |CALL iw4mp.00586A00 ; IsEntityVisible
00586CA6 |. 84C0 |TEST AL,AL
00586CA8 |. 74 15 |JE SHORT iw4mp.00586CBF ; NOP to draw tags thru walls
00586CAA |. 807D 08 00 |CMP BYTE PTR SS:[EBP+8],0
00586CAE |. 75 19 |JNZ SHORT iw4mp.00586CC9
this information is from my thread in MW2-section on UC-forum about nametag hack, here:
http://www.*****************/forum/call-duty-6-modern-warfare-2/60544-nametag-hack.html
just updated for 174
*/
int main()
{
// first we set up our hardware breakpoints..
// for Windows XP Minesweeper
// 01002FF5 |. FF05 9C570001 INC DWORD PTR DS:[100579C] ; increase timer
wBreakpoint = 0x01002FF5;
printf("wBreakpoint = %p\n", wBreakpoint);
// 00586C62 |. 0F84 BD000000 |JE iw4mp.00586D25 ; NOP to see nametags in FFA also
aBreakpoint1 = 0x00586C62;
printf("aBreakpoint1 = %p\n", aBreakpoint1);
// 00586C7C |. 0F85 A3000000 |JNZ iw4mp.00586D25 ; NOP to draw enemy tags too
aBreakpoint2 = 0x00586C7C;
printf("aBreakpoint2 = %p\n", aBreakpoint2);
// 00586CA8 |. 74 15 |JE SHORT iw4mp.00586CBF ; NOP to draw tags thru walls
aBreakpoint3 = 0x00586CA8;
printf("aBreakpoint3 = %p\n", aBreakpoint3);
// give ourselves debugging-privileges
SetDebugPrivilege(TRUE);
// wait for game to start
DWORD dwProcessID = 0;
DWORD dwGame = 0;
printf("Looking for game process..\n");
while(dwProcessID == 0)
{
dwProcessID = GetProcessID(L"iw4mp.exe");
if(dwProcessID != 0)
dwGame = 2;
if(dwProcessID == 0)
{
dwProcessID = GetProcessID(L"winmine.exe");
if(dwProcessID != 0)
dwGame = 1;
}
Sleep(100);
}
printf("dwProcessID = %p\n", dwProcessID);
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessID);
// start debugging process so we get access
BOOL bDebugging = DebugActiveProcess(dwProcessID);
printf("bDebugging = %d\n", bDebugging);
if(bDebugging == TRUE)
{
// get thread ID of the main thread in process
DWORD dwThreadID = GetProcessThreadID(dwProcessID);
// gain access to the thread
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, dwThreadID);
// here we set the hardware breakpoints in the thread context
CONTEXT context;
context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
if(GetThreadContext(hThread, &context))
{
if(dwGame == 1) // Minesweeper
{
context.Dr0 = wBreakpoint;
context.Dr7 = 0x00000001;
}
else // expect Modern Warfare 2
{
context.Dr0 = aBreakpoint1;
context.Dr1 = aBreakpoint2;
context.Dr2 = aBreakpoint3;
context.Dr7 = (1<<0)|(1<<2)|(1<<4);
}
SetThreadContext(hThread, &context);
}
CloseHandle(hThread);
hThread = NULL;
// now we need to loop to catch debug events
DEBUG_EVENT DebugEvent;
BOOL bContinueDebugging = false;
while(1)
{
WaitForDebugEvent(&DebugEvent, INFINITE);
switch(DebugEvent.dwDebugEventCode)
{
case EXCEPTION_DEBUG_EVENT:
// exception occured!
if(DebugEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP)
{
// this means a breakpoint has triggered!
if(DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)wBreakpoint ||
DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)aBreakpoint1 ||
DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)aBreakpoint2 ||
DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)aBreakpoint3)
{
// the triggered breakpoint is one of ours..
if(hThread = OpenThread(THREAD_ALL_ACCESS, false, DebugEvent.dwThreadId))
{
CONTEXT Context;
Context.ContextFlags = CONTEXT_FULL;
// stop the thread for continuing to run while we check the breakpoints
DWORD dwSuspended = SuspendThread(hThread);
// get the context of the thread
BOOL bGetThreadContext = GetThreadContext(hThread, &Context);
BOOL SetCxt = false;
if(dwGame == 1) // Minesweeper
{
if(DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)wBreakpoint)
{
// skip the INC instruction so timer is not increased
Context.Eip += 6;
SetCxt = true;
}
}
else // expect Modern Warfare 2
{
if(DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)aBreakpoint1)
{
// Eip is current address, we increment it by 2 so we get past the JE
Context.Eip += 6;//0x00586E78;
SetCxt = true;
}
else if(DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)aBreakpoint2)
{
// Eip is current address, we increment it by 6 so we get past the JNZ
Context.Eip += 6;//0x00586E92;
SetCxt = true;
}
else if(DebugEvent.u.Exception.ExceptionRecord.ExceptionAddress == (void*)aBreakpoint3)
{
// Eip is current address, we increment it by 2 so we get past the JE
Context.Eip += 2;//0x00586EBA;
SetCxt = true;
}
}
// set the context so our changes are made (if needed)
if(SetCxt)
BOOL bSetThreadContext = SetThreadContext(&hThread, &Context);
// resume the thread so program continues to run
DWORD dwResumed = ResumeThread(hThread);
bContinueDebugging = true;
}
}
}
if(bContinueDebugging)
{
// DBG_CONTINUE to tell the program we have handled the exception
ContinueDebugEvent(DebugEvent.dwProcessId, DebugEvent.dwThreadId, DBG_CONTINUE);
bContinueDebugging = false;
}
else // if the exception was not handled by our exception-handler, we want the program to handle it, so..
ContinueDebugEvent(DebugEvent.dwProcessId, DebugEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
break;
default:
ContinueDebugEvent(DebugEvent.dwProcessId, DebugEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
}
}
}
else
printf("Unable to debug process\n");
system("pause>nul");
return 0;
}
neverfail.h
Code:
//n! yo
#include <Windows.h>
#include <stdio.h>
#include <tlhelp32.h>
DWORD aBreakpoint1 = 0;
DWORD aBreakpoint2 = 0;
DWORD aBreakpoint3 = 0;
DWORD wBreakpoint = 0;
// gets process id of given image name
DWORD GetProcessID(WCHAR* szExeName)
{
PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(Process32First(hSnapshot, &pe))
while(Process32Next(hSnapshot, &pe))
if(!wcscmp(pe.szExeFile, szExeName))
return pe.th32ProcessID;
return NULL;
}
// gets the main thread of given process
DWORD GetProcessThreadID(DWORD dwProcessID)
{
THREADENTRY32 te = { sizeof(THREADENTRY32) };
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if(Thread32First(hSnapshot, &te))
while(Thread32Next(hSnapshot, &te))
if(te.th32OwnerProcessID == dwProcessID)
return te.th32ThreadID;
return NULL;
}
DWORD GetThreads(DWORD dwProcessID)
{
THREADENTRY32 te = { sizeof(THREADENTRY32) };
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
DWORD dwThreadCount = 0;
if(Thread32First(hSnapshot, &te))
{
while(Thread32Next(hSnapshot, &te))
{
if(te.th32OwnerProcessID == dwProcessID)
{
//printf("Thread %d (%d)\n", dwThreadCount, te.th32ThreadID);
dwThreadCount++;
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te.th32ThreadID);
CONTEXT context;
context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
if(GetThreadContext(hThread, &context))
{
context.Dr0 = aBreakpoint1;
context.Dr1 = aBreakpoint2;
context.Dr2 = aBreakpoint3;
context.Dr7 = 0x00000001;
SetThreadContext(hThread, &context);
}
CloseHandle(hThread);
}
}
}
return dwThreadCount;
}
// set debug privilege on/off
BOOL SetDebugPrivilege(BOOL State)
{
HANDLE hToken;
TOKEN_PRIVILEGES token_privileges;
DWORD dwSize;
ZeroMemory(&token_privileges, sizeof(token_privileges));
token_privileges.PrivilegeCount = 1;
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
return FALSE;
if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &token_privileges.Privileges[0].Luid))
{
CloseHandle(hToken);
return FALSE;
}
if(State)
token_privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
token_privileges.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED;
if(!AdjustTokenPrivileges ( hToken, FALSE, &token_privileges, 0, NULL, &dwSize))
{
CloseHandle(hToken);
return FALSE;
}
return CloseHandle(hToken);
}
