
ME3 On The Hook

Technical research related to the structure of Mass Effect game files.

Postby WarrantyVoider » 24 Mar 2013, 16:13

WARNING: THIS IS ADVANCED STUFF FOR CODERS ONLY, IF YOU CAN'T READ C# or C++, please leave!

Today I'm releasing my current side work of hooking Mass Effect 3, with the goal to implement LAN functionality! So far I have kept it secret, because I wasn't sure if I could ever pull something like this off, but it actually works! Well, right now I have created a new SourceForge project called "ME3 On The Hook", where I put my current code (C#) for my DllInjector and the code (C++) for the hook dll; you can download it here:

Here is also a video of its usage:

Current list of commands:

    dump all
        writes all objects to "ME3OTH.txt" in the me3.exe folder

    line on / line off
        shows/hides the white line

    move d l
        moves the player in direction d ("x", "y" or "z") by distance l

    msg text
        sets the message in the main menu

    watch garrus/shep
        swap camera

The idea is to inject a dll into me3's memory and let it create a new thread inside me3. Then it detours the ProcessEvent function from the VMT of the HUD.PostRender and Player.Tick objects, to be able to intercept events from the render loop and player updates. Then it also starts a little tcp server on 127.0.0.1:28999 and listens for commands. So far the code is just a POC, but given the entire SDK provided, you can create and inject unreal code "on the fly" and in realtime as if you had the dev tools. This would already be enough to write a simple aimbot or wallhack, but I don't want to research into that; I'm more interested in creating an external LAN functionality, so every coder is invited to look into it and maybe help me ;p

I also want to remind you that the actual SDK for the dll was created by "The Feckless", see here

greetz WV

Here is some binary for testing

PS: some more info:
http://me3explorer.freeforums.org/hooking-t279.html
http://me3explorer.freeforums.org/how-to-use-ollydbg-as-memory-hexeditor-t288.html
http://me3explorer.freeforums.org/versions-and-offsets-t297.html
http://www.unknowncheats.me/forum/unreal-3-engine/69951-tutorial-vtable-hooking-vmt-hooking-unreal-engine-c.html#post749464
http://me3explorer.freeforums.org/writing-an-dll-injector-t296.html
http://me3explorer.freeforums.org/get-md5-hash-from-file-t66.html

Here is the current offsets.txt for c&p
3BD1A01979478587F28949B7E78194C2, 01AAF304;
EE6A726A09A4492C0E2638AEFAB4525E, 01AB5634;
1D09C01C94F01B305F8C25BB56CE9AB4, 01AB5634;
A15B4B8607E41E5F8687166CC82F3616, 01ACF7D4;
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section


Re: ME3 On The Hook

Postby WarrantyVoider » 24 Mar 2013, 20:57

Here is some example usage of the code, isn't that awesomely easy?! 8-)

void MyPostRenderer(ABioHUD * hud)
{
    // plain white, fully opaque
    FColor c;
    c.A = 255;
    c.R = 255;
    c.G = 255;
    c.B = 255;
    if (DrawTestLine)
        hud->Draw2DLine(0, 0, 100, 100, c);
}

...
// inside the ProcessEvent detour: pUFunc is the UFunction being called,
// pCallObject the object it is called on
if (!strcmp(pUFunc->GetFullName(), "Function SFXGame.BioHUD.PostRender"))
{
    ABioHUD * hud = static_cast<ABioHUD *>(pCallObject);
    MyPostRenderer(hud);
}
...

Re: ME3 On The Hook

Postby WarrantyVoider » 24 Mar 2013, 22:00

Here is another one :D

else if (!strncmp(szBuff, "mess", 4))
{
    USFXGUI_MainMenu_Message_Text * menu = (USFXGUI_MainMenu_Message_Text *) UObject::FindObject< UObject >("SFXGUI_MainMenu_Message_Text Transient.SFXGUI_MainMenu_Message_Text");
    if (menu)   // FindObject returns NULL while the main menu is not loaded
    {
        wchar_t * str = L"...Lolololol Warranty Voider was here...";
        Log(menu->Message.Data);        // the current menu text
        Log("\n...\n");
        menu->Message = FString(str);   // replace it
    }
}


greetz WV

Re: ME3 On The Hook

Postby WarrantyVoider » 25 Mar 2013, 15:40

How about teleporting around?

else if (!strncmp(szBuff, "move", 4))
{
    ASFXPlayerController * player = (ASFXPlayerController *) UObject::FindObject< UObject >("SFXPlayerController TheWorld.PersistentLevel.SFXPlayerController");
    if (player && player->Pawn)   // no pawn outside of gameplay
    {
        FVector pos = player->Pawn->location;
        char * d = szBuff + 5;          // direction: "x", "y" or "z"
        char * v = szBuff + 7;          // distance as text
        float l = (float) atof(v);
        if (!strncmp(d, "x", 1))
            pos.X += l;
        if (!strncmp(d, "y", 1))
            pos.Y += l;
        if (!strncmp(d, "z", 1))
            pos.Z += l;
        player->Pawn->location = pos;
        // %f for the distance: l is a float, %d would print garbage
        sprintf(szBuff, "location : X=%f Y=%f Z=%f Distance = %f\n", pos.X, pos.Y, pos.Z, l);
        ret = send(sock, szBuff, 256, 0);           // reply with the whole 256-byte buffer
        while (recv(sock, szBuff, 1, 0) == 0) {}    // wait for one byte back from the client
    }
}


example usage:
move z 100.0


This will let you fly in mid-air until you move again ingame.
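The command channel described in the first post (the tcp server on 127.0.0.1:28999) slices the received text at fixed offsets and hands it to atof(), so a short or malformed line such as "move x" still moves the pawn by whatever the leftover bytes parse to. As an added example, not code from the ME3OTH project, here is a strict parser for the same command set that returns Cmd::Invalid for anything not well-formed; the Cmd/Command names and the kMaxDistance limit are my own.

```cpp
#include <cmath>
#include <sstream>
#include <string>

// Commands the hook's TCP server understands (from the post's command list).
enum class Cmd { Invalid, DumpAll, LineOn, LineOff, Move, Msg, WatchGarrus, WatchShep };

struct Command {
    Cmd kind = Cmd::Invalid;
    char axis = 0;          // 'x', 'y' or 'z' (Move only)
    float distance = 0.0f;  // signed step (Move only)
    std::string text;       // menu text (Msg only)
};

// Constructed sanity limit for one teleport step; the original code passes
// whatever atof() returns straight into the pawn location.
static const float kMaxDistance = 10000.0f;

// Parse one line received from the client. Anything that is not exactly one
// of the known commands with well-formed arguments comes back as Cmd::Invalid,
// so the caller never acts on a partially parsed buffer.
Command parseCommand(std::string line) {
    Command c;
    while (!line.empty() && (line.back() == '\n' || line.back() == '\r'))
        line.pop_back();                         // tolerate CRLF from the socket
    std::istringstream in(line);
    std::string verb, arg, num;
    if (!(in >> verb)) return c;
    if (verb == "dump" && in >> arg && arg == "all") c.kind = Cmd::DumpAll;
    else if (verb == "line" && in >> arg) {
        if (arg == "on") c.kind = Cmd::LineOn; else if (arg == "off") c.kind = Cmd::LineOff;
    } else if (verb == "watch" && in >> arg) {
        if (arg == "garrus") c.kind = Cmd::WatchGarrus; else if (arg == "shep") c.kind = Cmd::WatchShep;
    } else if (verb == "msg") {
        std::getline(in, c.text);                // rest of the line is the message
        c.text.erase(0, c.text.find_first_not_of(' '));
        if (!c.text.empty()) c.kind = Cmd::Msg;
        return c;                                // free text: no trailing-token check
    } else if (verb == "move" && in >> arg >> num && arg.size() == 1 &&
               std::string("xyz").find(arg[0]) != std::string::npos) {
        std::size_t used = 0;
        float l = 0.0f;
        try { l = std::stof(num, &used); } catch (...) { return c; }   // "abc", "1e99"
        // the whole token must be numeric, finite and within the step limit
        if (used == num.size() && std::isfinite(l) && std::fabs(l) <= kMaxDistance) {
            c.kind = Cmd::Move; c.axis = arg[0]; c.distance = l;
        }
    }
    std::string extra;
    if (in >> extra) c.kind = Cmd::Invalid;      // reject trailing junk ("move z 1 x")
    return c;
}
```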

Re: ME3 On The Hook

Postby WarrantyVoider » 27 Mar 2013, 06:51

watch garrus!
else if (!strncmp(szBuff, "test", 4))
{
    ASFXPlayerController * player = (ASFXPlayerController *) UObject::FindObject< UObject >("SFXPlayerController TheWorld.PersistentLevel.SFXPlayerController");
    USkeletalMeshComponent * mesh = (USkeletalMeshComponent *) UObject::FindObject< UObject >("SkeletalMeshComponent PersistentLevel.SFXPawn_Garrus.BioPawnSkeletalMeshComponent");
    if (player && player->Pawn && mesh)   // both objects must exist in the current level
        player->Pawn->Mesh = mesh;        // render the player pawn with Garrus' mesh
}



Re: ME3 On The Hook

Postby WarrantyVoider » 01 Apr 2013, 21:35

Ok, here comes my next target: simply printing some text on the screen! That sounds simpler than it is; it took me a while before I realized I needed to use malloc() for new strings. I hope the code explains itself:

wchar_t * msgs[10];          // on-screen log, newest line first
FVector PlayerOldPos;        // last position that was logged

// Push a line onto the log; the oldest line drops off the end.
// The log stores the pointer, not a copy, so the text must stay valid
// (malloc() it or pass a string literal); dropped lines are never freed.
void LogMessage(wchar_t * text)
{
    for (int i = 9; i > 0; i--)
        msgs[i] = msgs[i - 1];
    msgs[0] = text;
}

// Log the player position whenever it changes.
void DebugPlayerPos(FVector pos)
{
    if (pos.X != PlayerOldPos.X || pos.Y != PlayerOldPos.Y || pos.Z != PlayerOldPos.Z)
    {
        PlayerOldPos = pos;
        // heap-allocated: a stack buffer would dangle once it sits in msgs[]
        wchar_t * PlayerPosText = (wchar_t *) malloc(sizeof(wchar_t) * 1024);
        swprintf(PlayerPosText, 1024, L"Player Pos : X = %f ; Y = %f ; Z = %f", pos.X, pos.Y, pos.Z);
        LogMessage(PlayerPosText);
    }
}

// Draw one line of text on the HUD canvas.
void RenderText(wchar_t * text, float x, float y, UCanvas * can)
{
    can->SetDrawColor(0, 255, 255, 255);
    can->SetPos(x, y);
    FLinearColor drawColor;
    drawColor.R = 0.0f;
    drawColor.G = 1.0f;
    drawColor.B = 0.0f;
    drawColor.A = 1.0f;
    FVector2D glowBorder;
    glowBorder.X = 2;
    glowBorder.Y = 2;
    FFontRenderInfo renderInfo;
    renderInfo.bClipText = true;
    renderInfo.bEnableShadow = true;
    renderInfo.GlowInfo.bEnableGlow = false;
    renderInfo.GlowInfo.GlowColor = drawColor;
    renderInfo.GlowInfo.GlowInnerRadius = glowBorder;
    renderInfo.GlowInfo.GlowOuterRadius = glowBorder;
    can->DrawTextW(FString(text), 1, 1.0f, 1.0f, &renderInfo);
}

// Called from the PostRender detour: draw the log, 10 px per line.
void MyPostRenderer(ABioHUD * hud)
{
    for (int i = 0; i < 10; i++)
        if (msgs[i])
            RenderText(msgs[i], 0, (float) (i * 10), hud->Canvas);
}

// Replacement for UObject::ProcessEvent(UFunction * pFunc, void * pParms, void * pResult).
// ProcessEvent is __thiscall: 'this' arrives in ecx, the three arguments on the stack.
// The function is naked so no prologue/epilogue disturbs that layout.
void __declspec(naked) ProcessEventHooked()
{
    __asm mov pCallObject, ecx;             // this = the object the event is called on
    __asm
    {
        push eax
        mov eax, dword ptr [esp + 0x8]      // [esp] = saved eax, [esp+4] = return address
        mov pUFunc, eax
        mov eax, dword ptr [esp + 0xC]
        mov pParms, eax
        mov eax, dword ptr [esp + 0x10]
        mov pResult, eax
        pop eax
    }
    __asm pushad                            // preserve all registers around the C++ code
    if (pUFunc)
    {
        if (!strcmp(pUFunc->GetFullName(), "Function SFXGame.BioHUD.PostRender"))
        {
            ABioHUD * hud = static_cast<ABioHUD *>(pCallObject);
            MyPostRenderer(hud);
        }
        if (!strcmp(pUFunc->GetFullName(), "Function SFXGame.BioPlayerController.PlayerTick"))
        {
            ABioPlayerController * player = static_cast<ABioPlayerController *>(pCallObject);
            if (player && player->Pawn)
                DebugPlayerPos(player->Pawn->location);
        }
        if (!strcmp(pUFunc->GetFullName(), "Function SFXGame.sfxplayercontroller.Destroyed"))
        {
            // placeholder for cleanup when the player controller goes away
        }
    }
    __asm popad                             // restores ecx (this) as well
    __asm
    {
        push pResult                        // re-push the arguments and hand over to the
        push pParms                         // original ProcessEvent, which cleans them up
        push pUFunc
        call ProcessEventOrig
        retn 0xC                            // pop the caller's three arguments
    }
}



greetz WV

Re: ME3 On The Hook

Postby WarrantyVoider » 03 Apr 2013, 11:58

Well, if I can display text, I want to enter text as well; this was a bit trickier...


And here is the new code:

wchar_t * msgs[20];          // on-screen log, newest line first
char inputbuff[1024];        // typed command, followed by the '_' cursor
wchar_t inputbuffw[1024];    // same text as wide chars for the canvas (via the dll's ctow() helper)
int inputpos;                // number of typed characters

// Append a typed character and move the '_' cursor behind it.
void AddChar(char c)
{
    if (inputpos < 1022)
    {
        inputbuff[inputpos++] = (char) c;
        inputbuff[inputpos] = '_';
        inputbuff[inputpos + 1] = (char) 0;
        ctow(inputbuff, inputbuffw);
    }
}

// Backspace: drop the last character and move the cursor back.
void RemoveChar()
{
    if (inputpos > 0)
    {
        inputpos--;
        inputbuff[inputpos] = '_';
        inputbuff[inputpos + 1] = ' ';
        inputbuff[inputpos + 2] = (char) 0;
        ctow(inputbuff, inputbuffw);
    }
}

// Enter pressed: echo the command into the log and execute it.
void ReadCommand()
{
    inputbuff[inputpos] = ' ';              // blank out the cursor
    inputbuff[inputpos + 1] = (char) 0;     // keep the string terminated
    ctow(inputbuff, inputbuffw);
    // copy the text: LogMessage() keeps the pointer and inputbuffw is overwritten by the next keystroke
    LogMessage(_wcsdup(inputbuffw));
    if (!strncmp(inputbuff, "help", 4))
    {
        LogMessage(L"==========");
        LogMessage(L"\"move d l\" - teleports player a distance l in direction d (x/y/z)");
        LogMessage(L"\"help\" - displays this");
        LogMessage(L"press shift + F10 to toggle console on/off");
        LogMessage(L"===Help===");
    }
    else if (!strncmp(inputbuff, "move", 4))
    {
        ASFXPlayerController * player = (ASFXPlayerController *) UObject::FindObject< UObject >("SFXPlayerController TheWorld.PersistentLevel.SFXPlayerController");
        if (!player) return;
        if (!player->Pawn) return;
        FVector pos = player->Pawn->location;
        char * d = inputbuff + 5;           // direction: "x", "y" or "z"
        char * v = inputbuff + 7;           // distance as text
        float l = (float) atof(v);
        if (!strncmp(d, "x", 1))
            pos.X += l;
        if (!strncmp(d, "y", 1))
            pos.Y += l;
        if (!strncmp(d, "z", 1))
            pos.Z += l;
        player->Pawn->location = pos;
        // heap-allocated: the log stores the pointer, so a local array would dangle
        wchar_t * szBuff = (wchar_t *) malloc(sizeof(wchar_t) * 1024);
        swprintf(szBuff, 1024, L"location : X=%f Y=%f Z=%f Distance = %f\n", pos.X, pos.Y, pos.Z, l);
        LogMessage(szBuff);
    }
}

LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    KBDLLHOOKSTRUCT * pKeyBoard = (KBDLLHOOKSTRUCT *) lParam;
    bool vShift = GetKeyState(VK_SHIFT) < 0;
    // A WH_KEYBOARD_LL hook sees every keystroke on the desktop, not only the
    // game's; characters are only consumed while the console (DrawDebugText) is open.
    if (nCode == HC_ACTION && (wParam == WM_SYSKEYDOWN || wParam == WM_KEYDOWN))
    {
        int code = pKeyBoard->vkCode;
        if (DrawDebugText)
        {
            // virtual-key codes are taken as ASCII where the two overlap
            if (code >= 32 && code <= 64)
                AddChar((char) code);
            if (code >= 65 && code <= 90 && vShift)     // A-Z
                AddChar((char) code);
            if (code >= 65 && code <= 90 && !vShift)    // a-z
                AddChar((char) code + 32);
            if (code >= 91 && code <= 95)
                AddChar((char) code);
            if (code >= 123 && code <= 125)
                AddChar((char) code);
            if (code == VK_BACK)
                RemoveChar();
            if (code == VK_RETURN)
                ReadCommand();
        }
        if (code == VK_F10 && vShift)
            DrawDebugText = !DrawDebugText;             // shift + F10 toggles the console
    }
    // pass the event on so other hooks and the game itself still receive it
    return CallNextHookEx(NULL, nCode, wParam, lParam);
}

DWORD WINAPI ReadKeyboard(LPVOID lpParam)
{
    Log("Starting Inputcontroller...\n");
    wcscpy(inputbuffw, L"_");                           // empty prompt: just the cursor
    MSG msg;
    HINSTANCE appInstance = GetModuleHandle(NULL);
    SetWindowsHookEx(WH_KEYBOARD_LL, LowLevelKeyboardProc, appInstance, 0);
    // a low-level hook only delivers events while the installing thread pumps messages
    while (1)
        while (GetMessage(&msg, NULL, 0, 0) > 0)
        {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
    return 0;
}

void StartServer(int port)
{
    ...
    // the keyboard hook runs on its own thread so the tcp server loop is not blocked
    HANDLE hThread;
    DWORD dwThreadId;
    hThread = CreateThread(NULL, 0, ReadKeyboard, NULL, 0, &dwThreadId);
    CloseHandle(hThread);
    ...
}


greetz WV

Re: ME3 On The Hook

Postby WarrantyVoider » 11 Apr 2013, 08:05

lol, you can spawn a console window from within a form app?! That's so lol...
{
    // allocate a console for the process and point the C runtime's standard streams at it
    AllocConsole();
    freopen("conin$", "r", stdin);
    freopen("conout$", "w", stdout);
    freopen("conout$", "w", stderr);
    HWND consoleHandle = GetConsoleWindow();
    MoveWindow(consoleHandle, 1, 1, 680, 480, 1);   // x, y, width, height, repaint
    printf("[me3oth] Console initialized.\n");
}


So I get a console window with the me3 icon, nice^^

greetz WV

Re: ME3 On The Hook

Postby TheFeckless » 11 Apr 2013, 18:04

Nice job! It's nice to see someone using my SDKs not only for cheating :)


Re: ME3 On The Hook

Postby WarrantyVoider » 11 Apr 2013, 19:09

hahaha, I can't believe YOU registered at my forum :D You are very welcome here ;p Thanks for the SDK!

greetz WV
