Perfect 3rd person ^^

Everything about HD, MD, and their mods.


Mac Hacker
Ranger
Posts: 1787
Joined: Tue Jul 10, 2007 9:07 pm


Post by Mac Hacker » Tue Jul 29, 2008 7:18 am


It requires you to have terminal knowledge and you have to have GDB to edit the memory in hex.


This is Halo Full!
Don't get any ideas, it won't work unless you also edit some things in GDB, since otherwise it just changes back once you hit apply.

true	32-bit Integer	01069C04	1
true	Float	01069C18	0.2
true	Float	01069C20	0.5
true	Float	01069C24	3.0
true	Float	01069D34	0.2
true	Float	01069D3C	0.5
true	Float	01069D40	3.0
true	Float	01069DD8	0.2
true	Float	01069DE0	0.5
true	Float	01069DE4	3.0
Last edited by Mac Hacker on Tue Jul 29, 2008 7:57 am, edited 1 time in total.
TsGh

Slapzy
Ranger
Posts: 1806
Joined: Mon May 05, 2008 3:21 pm
Location: ~root@208.113.172.130# sudo rm -f /

Post by Slapzy » Tue Jul 29, 2008 7:26 am

Nice work!

Mac Hacker
Ranger
Posts: 1787
Joined: Tue Jul 10, 2007 9:07 pm

Post by Mac Hacker » Tue Jul 29, 2008 7:32 am

Slapzy wrote: Nice work!
Thanks. Now if only sword would reply and make an app that automates it, otherwise you have to keep going into GDB and editing it in assembly using hex as well xD

sword, you have my AIM, just contact me and I will give you the floats you need and the 32-bit integer if you do not have it.
TsGh

sword
Ranger
Posts: 1077
Joined: Tue Feb 07, 2006 6:53 pm

Post by sword » Tue Jul 29, 2008 7:54 am

Post 'em here and I can make something for PPC tonight. I don't have my laptop so I won't be able to make a UB version for a little bit.

Nice find in memory, that must have taken a while.
The sword.


Mac Hacker
Ranger
Posts: 1787
Joined: Tue Jul 10, 2007 9:07 pm

Post by Mac Hacker » Tue Jul 29, 2008 8:00 am

sword wrote:Post 'em here and I can make something for PPC tonight. I don't have my laptop so I won't be able to make a UB version for a little bit.

Nice find in memory, that must have taken a while.
Posted.

But remember it's Full only xD I will work on Demo later.
TsGh

sword
Ranger
Posts: 1077
Joined: Tue Feb 07, 2006 6:53 pm

Post by sword » Tue Jul 29, 2008 8:01 am

So then, simple enough. Breakpoint the values, see what function writes to them, and NOP it. If that doesn't work then I'll write a code injection thinger. Regardless, I can find the function in FV now and maybe just hard code a hack.
The sword.


Mac Hacker
Ranger
Posts: 1787
Joined: Tue Jul 10, 2007 9:07 pm

Post by Mac Hacker » Tue Jul 29, 2008 8:07 am

sword wrote:So then, simple enough. Breakpoint the values, see what function writes to them, and NOP it. If that doesn't work then I'll write a code injection thinger. Regardless, I can find the function in FV now and maybe just hard code a hack.
yep ^^ right on bro

This is directed at me:
if you're a noob at GDB like me it takes you about an hour to figure all that out xD
TsGh

sword
Ranger
Posts: 1077
Joined: Tue Feb 07, 2006 6:53 pm

Post by sword » Tue Jul 29, 2008 8:13 am

Yeah, I've done a bit of memory hacking before on PC. It was just much easier because I had Cheat Engine and OllyDbg. Both were awesome tools. Cheat Engine made it a breeze to find values and write ASM in memory, OllyDbg helped you debug the shit out of a process.
The sword.


Mac Hacker
Ranger
Posts: 1787
Joined: Tue Jul 10, 2007 9:07 pm

Post by Mac Hacker » Tue Jul 29, 2008 8:23 am

sword wrote:Yeah, I've done a bit of memory hacking before on PC. It was just much easier because I had Cheat Engine and OllyDbg. Both were awesome tools. Cheat Engine made it a breeze to find values and write ASM in memory, OllyDbg helped you debug the shit out of a process.
Yeah, I like Olly and CE. I wish there were easier apps like those for Mac.
CE is really easy to use. I also wish we had something like T-Search
that has everything built in you need and I heard can make trainers.
TsGh

Mac Hacker
Ranger
Posts: 1787
Joined: Tue Jul 10, 2007 9:07 pm

Post by Mac Hacker » Tue Jul 29, 2008 7:11 pm

Any progress, sword?
TsGh

Mike1122
Ranger
Posts: 1590
Joined: Sat Jun 16, 2007 7:41 pm
Location: i dunno

Post by Mike1122 » Tue Jul 29, 2008 7:18 pm

There's also this thing called pizzabox for PC. It allows you to give someone on your team health, infinite ammo, proj swaps, all in-game. I got infinite ammo from the guy that told me this but I never found pizzabox on Google... or it may be called something else.

He also said something about a camera hack, but I never found out anything about it.

sword
Ranger
Posts: 1077
Joined: Tue Feb 07, 2006 6:53 pm

Post by sword » Tue Jul 29, 2008 8:19 pm

Bleh. I got home at 10:30 and have been working on some reversing. I immediately found 7 instructions that write to one or more of the variables that you've listed here, Tyler. Actually, I accidentally found an instruction that updates Halo's main timer duration and have figured out, vaguely, how to modify it. The instruction is at 0x0066cd20 in the memory of Halo FV PPC on an iMac G5. The instruction is lfd f1,24(r1) while the binary instruction is 0xC8210018. That's an easy one to modify. However, it fucks Halo's ability to network with other computers, so you can't use it in multiplayer. Probably makes Halo expect packets to be flowing to it much faster than possible.

Anyway, I'm about to test a few more things, but right now I'm looking at instructions at the following addresses in particular:

0x00497184
0x00497188
0x00496558
I'm also looking at these following two, but they don't seem as promising:

0x004939dc
0x004939e0
The code around the past two is the following:

0x004939cc <unknown_text+584140>:       mtctr   r0
0x004939d0 <unknown_text+584144>:       lwz     r3,4(r4)
0x004939d4 <unknown_text+584148>:       lwzu    r0,8(r4)
0x004939d8 <unknown_text+584152>:       stw     r3,4(r5)
0x004939dc <unknown_text+584156>:       stwu    r0,8(r5)
0x004939e0 <unknown_text+584160>:       bdnz+   0x4939d0 <unknown_text+584144>
0x004939e4 <unknown_text+584164>:       b       0x4939f4 <unknown_text+584180>
Back to work now.
The sword.


sword
Ranger
Posts: 1077
Joined: Tue Feb 07, 2006 6:53 pm

Post by sword » Tue Jul 29, 2008 8:45 pm

Don't mind me here. I'm just double posting.

Anyway, I've found that the instruction at 0x00497184 updates absolute camera position. I believe this because, once in third person, the following happens when you NOP the instruction there:

(two screenshots of the result)


Here is the original code in the area:

0x00497170 <unknown_text+598384>:       addi    r4,r3,-4
0x00497174 <unknown_text+598388>:       mtctr   r0
0x00497178 <unknown_text+598392>:       lwz     r3,4(r4)
0x0049717c <unknown_text+598396>:       lwzu    r0,8(r4)
0x00497180 <unknown_text+598400>:       stw     r3,4(r5)
0x00497184 <unknown_text+598404>:       stwu    r0,8(r5)
0x00497188 <unknown_text+598408>:       bdnz+   0x497178 <unknown_text+598392>
0x0049718c <unknown_text+598412>:       blr
0x00497190 <unknown_text+598416>:       mflr    r0
0x00497194 <unknown_text+598420>:       stw     r31,-4(r1)
0x00497198 <unknown_text+598424>:       addis   r3,r2,6
0x0049719c <unknown_text+598428>:       stw     r30,-8(r1)
Here is the modification:

0x00497170 <unknown_text+598384>:       addi    r4,r3,-4
0x00497174 <unknown_text+598388>:       mtctr   r0
0x00497178 <unknown_text+598392>:       lwz     r3,4(r4)
0x0049717c <unknown_text+598396>:       lwzu    r0,8(r4)
0x00497180 <unknown_text+598400>:       stw     r3,4(r5)
0x00497184 <unknown_text+598404>:       nop
0x00497188 <unknown_text+598408>:       bdnz+   0x497178 <unknown_text+598392>
0x0049718c <unknown_text+598412>:       blr
0x00497190 <unknown_text+598416>:       mflr    r0
0x00497194 <unknown_text+598420>:       stw     r31,-4(r1)
0x00497198 <unknown_text+598424>:       addis   r3,r2,6
0x0049719c <unknown_text+598428>:       stw     r30,-8(r1)
To do this, make sure you're in 3rd person by whatever means you want in Halo FV PPC and then, when you've attached GDB to it, enter the following:

print *(unsigned int *)0x00497184=0x60000000
The sword.
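Two encodings are quoted in this thread without being unpacked: 0xC8210018 is lfd f1,24(r1) (sword's timer instruction) and 0x60000000 is what the GDB print command above writes over stwu r0,8(r5) to turn it into a nop. The script below is an added example, not code from sword, Mac Hacker or any tool named here. It decodes and encodes PowerPC D-form words using a table that covers only the D-form instructions seen in the thread's GDB output (branches such as bdnz+ and X-form ops such as mtctr or fcmpu are not handled), shows why 0x60000000 is a nop (it is ori r0,r0,0), and patches a constructed copy of the copy loop at 0x00497178 only after checking that the word at the target address really is the expected stwu, which is the check a raw GDB write does not do for you.

```python
"""PowerPC D-form instruction decoder/encoder (32-bit, big-endian).

Added example for this thread; not code from sword, Mac Hacker or any tool
mentioned here. Only the D-form instructions in the thread's GDB listings
are in the table; bdnz+/b/blr (branches) and mtctr/fcmpu/extsh are not.
"""
import struct

# Primary opcode (bits 0-5) -> (mnemonic, prefix of the target register).
D_FORM = {
    7: ("mulli", "r"), 14: ("addi", "r"), 15: ("addis", "r"), 24: ("ori", "r"),
    32: ("lwz", "r"), 33: ("lwzu", "r"), 36: ("stw", "r"), 37: ("stwu", "r"),
    42: ("lha", "r"), 44: ("sth", "r"), 48: ("lfs", "f"), 50: ("lfd", "f"),
}
MNEMONIC_TO_OPCODE = {m: op for op, (m, _) in D_FORM.items()}
NOP = 0x60000000  # ori r0,r0,0: the canonical PowerPC nop


def decode(word):
    """Split a D-form word into (mnemonic, rt, ra, imm).
    The immediate is sign-extended except for ori (zero-extended per the ISA)."""
    opcode = (word >> 26) & 0x3F
    if opcode not in D_FORM:
        raise ValueError(f"opcode {opcode} of {word:#010x} not in table")
    mnemonic, _ = D_FORM[opcode]
    rt = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    if mnemonic != "ori" and imm & 0x8000:
        imm -= 0x10000
    return mnemonic, rt, ra, imm


def encode(mnemonic, rt, ra, imm):
    """Inverse of decode(): build the 32-bit word for a D-form instruction."""
    opcode = MNEMONIC_TO_OPCODE[mnemonic]
    return (opcode << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)


def disassemble(word):
    """Render a word the way GDB prints it, e.g. 'lfd f1,24(r1)' or 'nop'."""
    if word == NOP:
        return "nop"
    mnemonic, rt, ra, imm = decode(word)
    prefix = D_FORM[MNEMONIC_TO_OPCODE[mnemonic]][1]
    if mnemonic == "addi" and ra == 0:
        return f"li r{rt},{imm}"            # GDB's simplified mnemonic
    if mnemonic in ("addi", "addis", "mulli"):
        return f"{mnemonic} r{rt},r{ra},{imm}"
    if mnemonic == "ori":
        return f"ori r{ra},r{rt},{imm}"     # ori writes RA from RS
    return f"{mnemonic} {prefix}{rt},{imm}(r{ra})"


def word_at(image, base, addr):
    """Read the big-endian 32-bit word at virtual address addr."""
    (word,) = struct.unpack_from(">I", image, addr - base)
    return word


def patch_nop(image, base, addr, expected):
    """Return a copy of image with the word at addr replaced by nop, refusing
    to write unless that word disassembles to `expected`. A bare GDB write has
    no such guard: a wrong address or another build silently breaks other code."""
    found = disassemble(word_at(image, base, addr))
    if found != expected:
        raise ValueError(f"{addr:#010x} holds {found!r}, expected {expected!r}")
    out = bytearray(image)
    struct.pack_into(">I", out, addr - base, NOP)
    return bytes(out)


def gdb_write_command(addr, word):
    """The GDB one-liner the thread uses to store a word at an address."""
    return f"print *(unsigned int *){addr:#010x}={word:#010x}"


# Constructed copy of the four D-form words of the loop at 0x00497178, built
# from the thread's listing (sample data, not dumped from the game).
CODE_BASE = 0x00497178
CONSTRUCTED_IMAGE = b"".join(struct.pack(">I", w) for w in (
    encode("lwz", 3, 4, 4),    # 0x00497178  lwz  r3,4(r4)
    encode("lwzu", 0, 4, 8),   # 0x0049717c  lwzu r0,8(r4)
    encode("stw", 3, 5, 4),    # 0x00497180  stw  r3,4(r5)
    encode("stwu", 0, 5, 8),   # 0x00497184  stwu r0,8(r5)
))

if __name__ == "__main__":
    print(f"{0xC8210018:#010x} -> {disassemble(0xC8210018)}")
    print(f"{NOP:#010x} -> {disassemble(NOP)}  ({decode(NOP)})")
    patched = patch_nop(CONSTRUCTED_IMAGE, CODE_BASE, 0x00497184, "stwu r0,8(r5)")
    print("after patch:", disassemble(word_at(patched, CODE_BASE, 0x00497184)))
    print(gdb_write_command(0x00497184, NOP))
```

Running it prints the decoded lfd, shows the nop as ori r0,r0,0, and emits the same print *(unsigned int *)0x00497184=0x60000000 line quoted above. The expected-instruction check in patch_nop is the part worth carrying over to a real session: disassemble the target address before writing, since the listed addresses are specific to the Full PPC build on sword's machine.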


sword
Ranger
Posts: 1077
Joined: Tue Feb 07, 2006 6:53 pm

Post by sword » Tue Jul 29, 2008 9:18 pm

I think this may be the camera variable initialization / partial update code. I haven't really looked at it, but I know it updates the camera style enumeration variable (IE first person, warthog, cinematic or whatever).

0x00493410 <unknown_text+582672>:       extsh   r0,r3
0x00493414 <unknown_text+582676>:       addis   r5,r2,6
0x00493418 <unknown_text+582680>:       mulli   r4,r0,248
0x0049341c <unknown_text+582684>:       addis   r3,r2,0
0x00493420 <unknown_text+582688>:       addi    r5,r5,-25688
0x00493424 <unknown_text+582692>:       addi    r0,r3,-22108
0x00493428 <unknown_text+582696>:       addi    r6,r4,8
0x0049342c <unknown_text+582700>:       add     r6,r5,r6
0x00493430 <unknown_text+582704>:       lwz     r4,8(r6)
0x00493434 <unknown_text+582708>:       cmplw   r4,r0
0x00493438 <unknown_text+582712>:       bne-    0x493460 <unknown_text+582752>
0x0049343c <unknown_text+582716>:       addis   r3,r2,0
0x00493440 <unknown_text+582720>:       lfs     f1,4(r6)
0x00493444 <unknown_text+582724>:       lwz     r3,-25648(r3)
0x00493448 <unknown_text+582728>:       lfs     f0,16(r3)
0x0049344c <unknown_text+582732>:       fcmpu   cr0,f1,f0
0x00493450 <unknown_text+582736>:       bne-    0x4934a0 <unknown_text+582816>
0x00493454 <unknown_text+582740>:       li      r0,0
0x00493458 <unknown_text+582744>:       sth     r0,86(r6)
0x0049345c <unknown_text+582748>:       b       0x4934a0 <unknown_text+582816>
0x00493460 <unknown_text+582752>:       addis   r3,r2,0
0x00493464 <unknown_text+582756>:       addi    r0,r3,-22092
0x00493468 <unknown_text+582760>:       cmplw   r4,r0
0x0049346c <unknown_text+582764>:       bne-    0x49347c <unknown_text+582780>
0x00493470 <unknown_text+582768>:       li      r0,1
0x00493474 <unknown_text+582772>:       sth     r0,86(r6)
0x00493478 <unknown_text+582776>:       b       0x4934a0 <unknown_text+582816>
0x0049347c <unknown_text+582780>:       addis   r3,r2,0
0x00493480 <unknown_text+582784>:       addi    r0,r3,-22172
0x00493484 <unknown_text+582788>:       cmplw   r4,r0
0x00493488 <unknown_text+582792>:       bne-    0x493498 <unknown_text+582808>
0x0049348c <unknown_text+582796>:       li      r0,2
0x00493490 <unknown_text+582800>:       sth     r0,86(r6)
0x00493494 <unknown_text+582804>:       b       0x4934a0 <unknown_text+582816>
0x00493498 <unknown_text+582808>:       li      r0,3
0x0049349c <unknown_text+582812>:       sth     r0,86(r6)
0x004934a0 <unknown_text+582816>:       lha     r3,86(r6)
0x004934a4 <unknown_text+582820>:       blr
The sword.


Mac Hacker
Ranger
Posts: 1787
Joined: Tue Jul 10, 2007 9:07 pm

Post by Mac Hacker » Tue Jul 29, 2008 9:49 pm

Nice work sword ^^ Hmm, I wonder if you could make hotkeys that can be used in Halo to position the camera and stuff? To do machinima.
TsGh
