
[Hack] Nametag Delay Hack

  #1  
Old 12-21-2008, 08:14 PM
TyranO's Avatar
Codemotion.net




 
Join Date: Aug 2008
Location: Azeroth
Posts: 320
Thanks: 15
Thanked 110 Times in 30 Posts
Reputation: 1064
Rep Power: 7
TyranO has much to be proud of
[Hack] Nametag Delay Hack

Well this is pretty much a failed experiment. I tried to make a nametag hack that just edited delays in order to work. It does work, but there's a problem:

It also makes delays longer for stuff like ammunition and med packs so after a while when there's too much stuff on the screen the enemy tags start to disappear. It was undetected when I tested but consider it detected now as it's public.

Good news though, it's open-source!

To be more precise, I edited the fade delay, another fade delay, the time before the tag appears when you point your gun at the enemy (0.6 seconds to 0 seconds if I remember well) and the death nametag fade delay (pretty useless).

Two of the offsets in disassembly were protected, had to use VirtualProtectEx. Also, in order to figure out the addresses, I used ReadProcessMemory for reading the 4 bytes of the addresses stored at other addresses. Each byte of the address written in little-endian is read and with some math, stored back into a real, usable address.

Quote:
#include <windows.h>
#include <Tlhelp32.h>
#include <iostream>
#define WRITE(i,w,l) WriteProcessMemory(hProc,reinterpret_cast<LPVOID>( GameDLL + i),w,l,&dSize)

using namespace std;

DWORD GetPID (char* proc);
void EnableDebugPriv();
DWORD GetDLL (char* DllName, DWORD tPid);

int main(void)
{

SetConsoleTitle("TyranO's Nametag Hack");

if(GetPID("BF2.exe") == 0)
{
cout << "Please open BF2 1.41 before loading the hack." << endl << endl;
system("Pause");
return(0);
}
else
{
EnableDebugPriv();
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, GetPID("BF2.exe"));
if(hProc)
{
cout << "BF2 Hack by TyranO loaded!" << endl << endl;
DWORD GameDLL = GetDLL("RendDX9.dll",GetPID("BF2.exe"));
DWORD NullBase = GetDLL("BF2.dll",GetPID("BF2.exe"));
DWORD dSize = 0;
SIZE_T BytesRead = 0;

//Offset 1 (Fade out delay)
DWORD Address1 = 1227505;
DWORD Address2 = 1227506;
DWORD Address3 = 1227507;
DWORD Address4 = 1227508;
DWORD Buffer1 = 0;
DWORD Buffer2 = 0;
DWORD Buffer3 = 0;
DWORD Buffer4 = 0;

// Offset 2 (Fade out delay fix)
DWORD Address5 = 1235082;
DWORD Address6 = 1235083;
DWORD Address7 = 1235084;
DWORD Address8 = 1235085;
DWORD Buffer5 = 0;
DWORD Buffer6 = 0;
DWORD Buffer7 = 0;
DWORD Buffer8 = 0;

// Offset 3 (Death delay)
DWORD Address9 = 1234918;
DWORD Address10 = 1234919;
DWORD Address11 = 1234920;
DWORD Address12 = 1234921;
DWORD Buffer9 = 0;
DWORD Buffer10 = 0;
DWORD Buffer11 = 0;
DWORD Buffer12 = 0;

// Offset 4 (Gun point tag delay)
DWORD Address13 = 1234473;
DWORD Address14 = 1234474;
DWORD Address15 = 1234475;
DWORD Address16 = 1234476;
DWORD Buffer13 = 0;
DWORD Buffer14 = 0;
DWORD Buffer15 = 0;
DWORD Buffer16 = 0;


// Read Offset 1 ( 12BAEF )
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address1), &Buffer1, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address2), &Buffer2, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address3), &Buffer3, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address4), &Buffer4, 1, &BytesRead );

//Read Offset 2 ( 12D888 )
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address5), &Buffer5, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address6), &Buffer6, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address7), &Buffer7, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address8), &Buffer8, 1, &BytesRead );

//Read Offset 3 ( 12D7E4 )
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address9), &Buffer9, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address10), &Buffer10, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address11), &Buffer11, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address12), &Buffer12, 1, &BytesRead );

//Read Offset 4 ( 12D627 )
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address13), &Buffer13, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address14), &Buffer14, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address15), &Buffer15, 1, &BytesRead );
ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address16), &Buffer16, 1, &BytesRead );

DWORD Offset = (Buffer4 * 16777216 + Buffer3* 65536 + Buffer2 * 256 + Buffer1 * 1 - GameDLL + 6);
DWORD Offset2 = (Buffer8 * 16777216 + Buffer7* 65536 + Buffer6 * 256 + Buffer5 * 1 - GameDLL + 0);
DWORD Offset3 = (Buffer12 * 16777216 + Buffer11* 65536 + Buffer10 * 256 + Buffer9 * 1 - GameDLL + 2);
DWORD Offset4 = (Buffer16 * 16777216 + Buffer15* 65536 + Buffer14 * 256 + Buffer13 * 1 - GameDLL + 6);

DWORD FullOffset = Offset + GameDLL;
DWORD FullOffset2 = Offset2 + GameDLL;
DWORD FullOffset3 = Offset3 + GameDLL;
DWORD FullOffset4 = Offset4 + GameDLL;

cout << "Base is: " << GameDLL << endl << endl;
cout << "Offset1 is: " << FullOffset << endl << endl;
cout << "Offset2 is: " << FullOffset2 << endl << endl;
cout << "Offset3 is: " << FullOffset3 << endl << endl;
cout << "Offset4 is: " << FullOffset4 << endl << endl;

// Writing offset 1 (Protected).
unsigned long Protection;
VirtualProtectEx((void*)hProc,(void*)FullOffset,sizeof( Offset ),PAGE_READWRITE, &Protection);
//WRITE (Offset,"\x21\xD7\xE6\xFA\xE0\x31\xF4\x45",8);
WRITE (Offset,"\xF0\x7F",2);
if(dSize == 0)
{
cout << "Failed to write at offset." << endl<< endl;
}
VirtualProtectEx((void*)hProc,(void*)FullOffset,sizeof( Offset ),Protection, 0);

// Writing offset 2 (Not protected).
WRITE (Offset2,"\x08\x8F\xA1\x6F",4);
if(dSize == 0)
{
cout << "Failed to write at offset2." << endl<< endl;
}

// Writing offset 3 (Not protected).
WRITE (Offset3,"\x80\x7F",2);
if(dSize == 0)
{
cout << "Failed to write at offset3." << endl<< endl;
}

// Writing offset 4 (Protected).
VirtualProtectEx((void*)hProc,(void*)FullOffset4,sizeof( Offset4 ),PAGE_READWRITE, &Protection);
WRITE (Offset4,"\x00\x00",2);
if(dSize == 0)
{
cout << "Failed to write at offset4." << endl<< endl;
}
cout << Buffer13;
VirtualProtectEx((void*)hProc,(void*)FullOffset4,sizeof( Offset4 ),Protection, 0);
DWORD WINAPI GetLastError(void);
system("Pause");
}
}
}

// Get PID for process (proc).
DWORD GetPID (char* proc)
{
BOOL working=0;
PROCESSENTRY32 lppe= {0};
DWORD targetPid=0;
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS ,0);

if (hSnapshot)
{
lppe.dwSize=sizeof(lppe);
working=Process32First(hSnapshot,&lppe);
while (working)
{
if (_stricmp(lppe.szExeFile,proc)==0)
{
targetPid=lppe.th32ProcessID;
break;
}
working=Process32Next(hSnapshot,&lppe);
}
}

CloseHandle( hSnapshot );
return targetPid;
}

// Debug Privileges.
void EnableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
OpenProcessToken( GetCurrentProcess( ), TOKEN_ADJUST_PRIVILEGES |TOKEN_QUERY, &hToken );
LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue );
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges( hToken, false, &tkp, sizeof( tkp ), NULL, NULL );
CloseHandle( hToken );
}

// Base (6F).
DWORD GetDLL(char* DllName, DWORD tPid)
{
HANDLE snapMod;
MODULEENTRY32 me32;

if (tPid == 0) return 0;
snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, tPid);
me32.dwSize = sizeof(MODULEENTRY32);

if (Module32First(snapMod, &me32)){
do{
if (strcmp(DllName,me32.szModule) == 0){
CloseHandle(snapMod);
return (DWORD) me32.modBaseAddr;
}
}while(Module32Next(snapMod,&me32));
}

CloseHandle(snapMod);
return 0;

}
Attached Files
File Type: zip taghack.zip (112.2 KB, 88 views)
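
Added example, not part of the original post or the attached source: a defender-side integrity check for the kind of patch the post describes, where a few bytes of a delay constant referenced by an instruction operand are overwritten in the running module. It decodes the little-endian operand, hashes the constant it points at while the module is known to be clean, and re-checks later; the image bytes, base address and watch names are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Added illustration: names, base address and image bytes are constructed.
using Image = std::vector<uint8_t>;
struct Watch { std::string name; std::size_t operandOff; std::size_t len; };

// Decode a 32-bit little-endian operand; false if it runs past the image.
bool readLE32(const Image& img, std::size_t off, uint32_t& out) {
    if (off > img.size() || img.size() - off < 4) return false;
    out = img[off] | img[off + 1] << 8 | img[off + 2] << 16 | uint32_t(img[off + 3]) << 24;
    return true;
}
// FNV-1a hash of the operand's target; ok=false if it resolves outside the module.
uint32_t hashTarget(const Image& img, uint32_t base, const Watch& w, bool& ok) {
    uint32_t va = 0, h = 2166136261u;
    ok = readLE32(img, w.operandOff, va) && va >= base;
    std::size_t off = ok ? va - base : 0;
    ok = ok && off <= img.size() && img.size() - off >= w.len;
    for (std::size_t i = 0; ok && i < w.len; ++i) { h ^= img[off + i]; h *= 16777619u; }
    return ok ? h : 0;
}
// Take baselines once, while the module is known to be unmodified.
std::vector<uint32_t> takeBaseline(const Image& img, uint32_t base, const std::vector<Watch>& ws) {
    std::vector<uint32_t> out;
    bool ok = false;
    for (const Watch& w : ws) out.push_back(hashTarget(img, base, w, ok));
    return out;
}
// Periodic check: names of watched constants that changed or cannot be resolved.
std::vector<std::string> findTampered(const Image& img, uint32_t base, const std::vector<Watch>& ws, const std::vector<uint32_t>& good) {
    std::vector<std::string> hits;
    for (std::size_t i = 0; i < ws.size(); ++i) {
        bool ok = false;
        if (hashTarget(img, base, ws[i], ok) != good[i] || !ok) hits.push_back(ws[i].name);
    }
    return hits;
}
// Constructed 48-byte "module": operands at 4 and 12 point at floats 0.6f and 1.0f.
Image sampleImage(uint32_t base) {
    Image img(48, 0x90);
    const uint8_t k[8] = {0x9A, 0x99, 0x19, 0x3F, 0x00, 0x00, 0x80, 0x3F};
    for (int i = 0; i < 4; ++i) {
        img[4 + i] = ((base + 32) >> (8 * i)) & 0xFF; img[12 + i] = ((base + 40) >> (8 * i)) & 0xFF;
        img[32 + i] = k[i]; img[40 + i] = k[4 + i];
    }
    return img;
}
```

A check that runs inside the same process can itself be patched, so results like these are normally reported to and judged by a component the client does not control.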
  #2  
Old 12-21-2008, 08:51 PM
PlayerH's Avatar
Premium Member

 
Join Date: Apr 2007
Posts: 670
Thanks: 15
Thanked 4 Times in 3 Posts
Reputation: 305
Rep Power: 4
PlayerH is a jewel in the rough
I don't play Battlefield but thanks for contributing +rape
  #3  
Old 01-15-2009, 06:32 PM
Newbie

 
Join Date: Dec 2008
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Reputation: 0
Rep Power: 1
dimida is an unknown quantity at this point
Can you update this hack? Because the names disappear after you kill a player.
  #4  
Old 05-07-2009, 01:10 AM
Newbie

 
Join Date: May 2009
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Reputation: 0
Rep Power: 1
mafia1930 is an unknown quantity at this point
Hello, I'm from Russia ) I haven't been playing long and know English and Russian badly )) Please explain in detail.
  #5  
Old 07-08-2009, 08:46 AM
Newbie

 
Join Date: Jul 2009
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Reputation: 0
Rep Power: 1
reeda1234 is an unknown quantity at this point
Where do you change this stuff in the bf2 folder? Thanks guys, need help.

Tags
nametag hack bf2 tyrano, tyrano
