Perfect 3rd person ^^

sword · Post by **sword** » Tue Jul 29, 2008 10:16 pm

I think I may have just found the camera position updating algorithm. Its 388 instructions in length, so I'm a little wary that it may not be everything, but at least its a start.

I just got a disassembly of 0x497080 -> 0x497204, printed it out, and I'm currently finding the instructions I don't understand and then understanding them with a PPC assembly quick reference.

The hack will have to wait for tomorrow, I'm going to sleep in a little bit.

sword doing stuff · Post by **sword doing stuff** » Wed Jul 30, 2008 9:32 am

0x497178->0x497188 are the instructions that I think are updating the values. I'm writing code for a code cave on paper and am going to see if it works later on tonight.

sword · Post by **sword** » Wed Jul 30, 2008 5:25 pm

NEVER MIND ABOUT THAT ONE LOL.

I'm back to the same thing as before. I've found the function that modifies the camera values, now I've got to write an asm injection that'll change the way the values are updated. I've found the location for the code cave with no problem, now its just time to write that asm. WOO.

SilentK · Post by **SilentK** » Wed Jul 30, 2008 5:41 pm

I'm not sure of all this garbage mac assembly lol. I can tell you what you need to do though.

There is a perspective byte switch. 0 if the camera is attached to you(first person) and 1 if the camera is detached(3rd person). I'm not sure if Mac has memory searching tools or not, but just enter and exit a hog and search for 0/1. Once you have the address, you need to breakpoint it on write, step in a hog and see what writes to it when it pops. Just nop that instruction and you can freeze write to the perspective switch and change your perspective. Then all you gotta do is change your relative camera position. I forget details, but I can check it out.

Oh, and HEY SWORD =p

Jazz · Post by **Jazz** » Wed Jul 30, 2008 7:02 pm

i am too much of a swbf player... this is a bit too deep for me, hacking wise, so i really hope you succeed!

sword · Post by **sword** » Thu Jul 31, 2008 2:18 pm

SilentK wrote:I'm not sure of all this garbage mac assembly lol. I can tell you what you need to do though.

There is a perspective byte switch. 0 if the camera is attached to you(first person) and 1 if the camera is detached(3rd person). I'm not sure if Mac has memory searching tools or not, but just enter and exit a hog and search for 0/1. Once you have the address, you need to breakpoint it on write, step in a hog and see what writes to it when it pops. Just nop that instruction and you can freeze write to the perspective switch and change your perspective. Then all you gotta do is change your relative camera position. I forget details, but I can check it out.

Oh, and HEY SWORD =p

Hey, yeah, I found the instruction that writes to the byte. Actually, its not just 0 / 1. I've found that 0 is first person attached, 1 is third person, and 2 is cinematic. 4 byte enumeration.

I just am having trouble with the relative camera position. Either I have the wrong memory offsets for the camera coordinates or Halo updates the camera faster than 10ms. I found a new set of values last night that I'm going to run with. I've also found a function that writes to the values, but it also controls several other values. I'm going with a good 'ol code cave to ensure that it doesn't write to the values I don't want it to. If that doesn't work then its back to searching.

Tyler, the values you had found do pertain to the camera, but they're only in use while you are in the warthog. Close, though.

Oh, and HEY SILENT!

Mac Hacker · Post by **Mac Hacker** » Thu Jul 31, 2008 2:38 pm

sword wrote:
SilentK wrote:I'm not sure of all this garbage mac assembly lol. I can tell you what you need to do though.

There is a perspective byte switch. 0 if the camera is attached to you(first person) and 1 if the camera is detached(3rd person). I'm not sure if Mac has memory searching tools or not, but just enter and exit a hog and search for 0/1. Once you have the address, you need to breakpoint it on write, step in a hog and see what writes to it when it pops. Just nop that instruction and you can freeze write to the perspective switch and change your perspective. Then all you gotta do is change your relative camera position. I forget details, but I can check it out.

Oh, and HEY SWORD =p
Hey, yeah, I found the instruction that writes to the byte. Actually, its not just 0 / 1. I've found that 0 is first person attached, 1 is third person, and 2 is cinematic. 4 byte enumeration.

I just am having trouble with the relative camera position. Either I have the wrong memory offsets for the camera coordinates or Halo updates the camera faster than 10ms. I found a new set of values last night that I'm going to run with. I've also found a function that writes to the values, but it also controls several other values. I'm going with a good 'ol code cave to ensure that it doesn't write to the values I don't want it to. If that doesn't work then its back to searching.

Tyler, the values you had found do pertain to the camera, but they're only in use while you are in the warthog. Close, though.

Oh, and HEY SILENT!

drat back to drawing board <>_<> thanks for keeping me up to date sword ^^

lewbylew · Post by **lewbylew** » Thu Jul 31, 2008 11:06 pm

just to go WAY offtopic, Tyler, have you actually met Tom Morello

, I went to see him live, he was so awesomeness!

SilentK · Post by **SilentK** » Thu Jul 31, 2008 11:32 pm

Logout's 3rd person code cave

Code: Select all

00400308    A3 04034000     MOV DWORD PTR DS:[400304],EAX
0040030D    03C3            ADD EAX,EBX
0040030F    3D C03A6A00     CMP EAX,halo.006A3AC0
00400314    74 26           JE SHORT halo.0040033C
00400316    3D C43A6A00     CMP EAX,halo.006A3AC4
0040031B    74 1F           JE SHORT halo.0040033C
0040031D    3D C83A6A00     CMP EAX,halo.006A3AC8
00400322    74 18           JE SHORT halo.0040033C
00400324    3D CC3A6A00     CMP EAX,halo.006A3ACC
00400329    74 11           JE SHORT halo.0040033C
0040032B    A1 04034000     MOV EAX,DWORD PTR DS:[400304]
00400330    8B1410          MOV EDX,DWORD PTR DS:[EAX+EDX]
00400333    41              INC ECX
00400334    891418          MOV DWORD PTR DS:[EAX+EBX],EDX
00400337  - E9 87800400     JMP halo.004483C3
0040033C    41              INC ECX
0040033D    A1 04034000     MOV EAX,DWORD PTR DS:[400304]
00400342    C605 5E396A00 0>MOV BYTE PTR DS:[6A395E],1
00400349  - E9 75800400     JMP halo.004483C3

Address of camera position he is modifing:

Code: Select all

x - 0x006A3A78
y - 0x006A3A7C
z - 0x006A3A80

Assembly instruction that writes the perspective switch

Code: Select all

00445B8B    66:C741 56 0000 MOV WORD PTR DS:[ECX+56],0

Assembly that writes camera

Code: Select all

004483BC    8B1410          MOV EDX,DWORD PTR DS:[EAX+EDX]
004483BF    41              INC ECX
004483C0    891418          MOV DWORD PTR DS:[EAX+EBX],EDX

Mac Hacker · Post by **Mac Hacker** » Fri Aug 01, 2008 7:38 am

Von Mixer wrote:just to go WAY offtopic, Tyler, have you actually met Tom Morello , I went to see him live, he was so awesomeness!

i wish he is my idol i finally learned gorilla radio on electric lead ^^

cQuence · Post by **cQuence** » Tue Aug 05, 2008 9:59 pm

Meh i always wanted it so the player is on the left side and closer in

sword · Post by **sword** » Wed Aug 06, 2008 3:55 pm

SilentK wrote:Logout's 3rd person code cave

Code: Select all

00400308    A3 04034000     MOV DWORD PTR DS:[400304],EAX
0040030D    03C3            ADD EAX,EBX
0040030F    3D C03A6A00     CMP EAX,halo.006A3AC0
00400314    74 26           JE SHORT halo.0040033C
00400316    3D C43A6A00     CMP EAX,halo.006A3AC4
0040031B    74 1F           JE SHORT halo.0040033C
0040031D    3D C83A6A00     CMP EAX,halo.006A3AC8
00400322    74 18           JE SHORT halo.0040033C
00400324    3D CC3A6A00     CMP EAX,halo.006A3ACC
00400329    74 11           JE SHORT halo.0040033C
0040032B    A1 04034000     MOV EAX,DWORD PTR DS:[400304]
00400330    8B1410          MOV EDX,DWORD PTR DS:[EAX+EDX]
00400333    41              INC ECX
00400334    891418          MOV DWORD PTR DS:[EAX+EBX],EDX
00400337  - E9 87800400     JMP halo.004483C3
0040033C    41              INC ECX
0040033D    A1 04034000     MOV EAX,DWORD PTR DS:[400304]
00400342    C605 5E396A00 0>MOV BYTE PTR DS:[6A395E],1
00400349  - E9 75800400     JMP halo.004483C3

Address of camera position he is modifing:

Code: Select all

x - 0x006A3A78
y - 0x006A3A7C
z - 0x006A3A80

Assembly instruction that writes the perspective switch

Code: Select all

00445B8B    66:C741 56 0000 MOV WORD PTR DS:[ECX+56],0

Assembly that writes camera

Code: Select all

004483BC    8B1410          MOV EDX,DWORD PTR DS:[EAX+EDX]
004483BF    41              INC ECX
004483C0    891418          MOV DWORD PTR DS:[EAX+EBX],EDX

Hahahahahahaha! I finally saw this post and just realized something: I found the mac equivalent of all of the functions and instructions there and my code cave does exactly the same thing as his! I've never seen this before either. Seems Logout and I think alike.

cQuence · Post by **cQuence** » Wed Aug 06, 2008 5:26 pm

Add to my post about the 3rd person

I like the 3rd person to look like this if oyu can do it like this.
http://www.youtube.com/watch?v=MuAeU3td ... re=related

Mac Gaming Mods

Perfect 3rd person ^^

Who is online