E L I T E B L I N G P U B L I S H I N G

A Complete Guide to the Commander Hack

Table of ContentsFinding the Offsets for the Commander Hack........................... 1

Setting Up The Scene..................................................................... 1Searching for the Addresses........................................................... 2Offsets for Supply and Artillery........................................................ 4

Creating a PB Proof Trainer ..................................................... 6Static DMA Pointer (Static Base Pointer) ........................................ 6From Static DMA to a Trainer ....................................................... 11

Concluding Thoughts ............................................................. 14Credits & Closing Words ............................................................... 15

© E L I T E B L I N G B A T T L E C O D E R S . C O M

1

Finding the Offsets for the Commander HackEvery hack begins with a few offsets, and for the Commander Hack, these are the ForceCommander, Supply, and Artillary.

o find the memory addresses for the commander hack we begin with simple memory searchers such a TSearch or Cheat Engine. Memory searchers are used to search the memory of a game’s process for certain values and then can modify & set breakpoints on that memory address..

Setting Up The SceneAs most game hacking scenes go, we first need to start up BF2 Demo in windowedmode. This can be done by going into the shortcut properties and altering the runtime command of “+fullscreen 1” into “+fullscreen 0”.

Chapter

T

© E L I T E B L I N G B A T T L E C O D E R S . C O M

2

This allows us to run BF2 and debug it at the same time without causing problems. Once you have set the shortcut properties, proceed to run the game and TSearch. In the BF2 Demo, navigate to Single Player and start a Gulf Of Oman single player game.

Searching for the AddressesWhen the server has loaded, apply to be commander, and accept once the invitation comes. Now when you accept the commander position a Boolean Value of 1 has been written in your player’s profile (structure/class) in the game’s memory.

Now Alt-Tab back to TSearch and Click Open Process, and Select the BF2.exe which is our game. Once its attached click the little magnifying glass “Init New Search” and search for the Exact Value 1 with the type set to as Bytes. You will get millions of results.

© E L I T E B L I N G B A T T L E C O D E R S . C O M

3

Next, head back to BF2 and resign from commander position. Now, the memory address for commander would have changed back to 0. So head back to TSearch and use the “Search Next” to search which of the found values has changed to 0. Then head back and apply for commander. Keep doing this back and forth until you end up the a few values.

So after a few turns of applying and resigning, I got down to 17 memory addresses., and they would all change when apply/resigning for commander.

Now add all 17 addresses to the table to the right of the search window by clicking the Add All searches Icon. Now in the table, go through each of the seventeen addresses one by one, changing it to 1 and watching the BF2 Screen to see if you become commander. Most of them will revert back to 0, but the correct address will stay 1 and make you commander at the same time. This is the address we want!.

Note

This address we found is Dynamic, meaning that it changes every time we restart the game, or every time we switch servers. The term for this Dynamic ability is DMA. So to make a commander hack one of the obstacles we need to overcome this DMA.

At this point, we need to set a Memory Breakpoint on that address to see what code accesses it. To do this in TSearch click AutoHack -> Enable Debugger.

© E L I T E B L I N G B A T T L E C O D E R S . C O M

4

Note

It is at this point where you have to do things a little differently from the Retail Version. In the Retail Version of BF2, because of SafeDisc, the game is continually Debugging itself, and therefore we are not able to attach a debugger (fortunately SafeDisc is not in the Demo). Getting past this debug obstacle is called “Resetting the Debug Port”. There are several tutorials on how to do this. Just view my tutorial for “Steal DMA”

Once you’ve clicked “Enable Debugger” go back to the address which you found controlled the ForceCommander, right click on it, and click “AutoHack”. Now go back to the game and apply/resign for commander. After this back in TSearch, go to AutoHack Menu Item -> AutoHack Window.

Now you should have the OFFSET which writes to that address which decides if we are commander or not. The cool thing about this offset is that it is constant for everyone (within that particular version).

At this point a simple trainer would make

Forever making us commander. The only problem with this is BF2.exe (where these modifications are taking place) is completely scanned, so the slightly modification will be detected and a corrupt memory kick will take place. A method to bypass that will be discussed further on.

The point of the whole hack is to write 1 to that particular address, to force commander. Now on to Supplies and Artillery.

Offsets for Supply and Artillery

The procedure for getting to the offsets which control the Supply and Artillery bars in the Commander View is very similar to the procedure for the ForceCommander. There is only one difference!

When the Artillery Bar is filled, the memory value is 0. When it is reloading, the memory value is 1. The same is true for Supplies as well.

So the procedure for these two utilities will go something like dropping a supply crate, pausing the game, and searching for 1. Then once its filled, Searching Next for 0. Then

© E L I T E B L I N G B A T T L E C O D E R S . C O M

5

drop and search next for 1. And keep doing this until you get to a few addresses. Next drop a supply crate and change all the 1s to 0s and see which one immediately refills the supply bar.

Use the AutoHack procedure on that memory address and you will find the offset which controls supply. (And the same for Artillery).

The Offsets which I got were:

Note

So once again, moving 1 to the address “unfills” the bar so our goal is to write a 0 to the address. And since I’m sure most people here want one for v1.4, the same searching method and be used for vehicle drops aswell.

Supply - 00754D01 C640 54 01 MOV BYTE PTR DS:[EAX+54],1

Artillery - 0072E378 C646 3C 01 MOV BYTE PTR DS:[ESI+3C],1

© E L I T E B L I N G B A T T L E C O D E R S . C O M

6

Creating a PB Proof TrainerThis is the more difficult part of this tutorial, and requires that you have some knowledge of debugging and using tools like OllyDBG. Also the ability to implement APIs in programming language is very important..

Static DMA Pointer (Static Base Pointer)

Explained to everyone by SINE, this method is probably the best (and easiest) to make a undetected commander hack. Basically it relies on the fact that BF2 was created in VC++ under very organized hierarchy of classes and structures. Therefore we can get the DMA of the ForceCommander/Supply/Arty by just reading a few specific bytes of the memory and without having to inject code caves or anything else.

The simplistic explanation of Static DMA (the way SINE explained it), is basically this. When we have a DMA address such as [esi + 0x108], the reason its dynamic is because ESI is dynamic. So we need to keep tracing ESI to a point where it is no longer dynamic. Read further on if you don’t understand this at the moment.

For the Static DMA Method, you will require OllyDBG and the offsets for DMA you are trying to hack (e.g. ForceCommander).

So lets go back to our offset for ForceCommander.

Run BF2 and get a single player game started. Then Start up OllyDBG then go to File->Attach and attach to the BF2.exe process. At this point Olly will automatically pause the process for us at some ntdll. To go back to the BF2, go to View->Executable Modules and double-click the BF2 Module. Hit [Ctrl] + G and type in the offset.

Chapter

4C02B3 mov [esi+0x108],al

© E L I T E B L I N G B A T T L E C O D E R S . C O M

7

Now set a breakpoint on that address by pressing F2.

With the breakpoint having been set, head back to the game and apply for commander. When you accept the position, the game should get stuck because Olly has paused the game at the breakpoint. Now as stated before, to get a Static DMA Pointer, we need to find what sets the value of ESI since it is that register which causes the address to be dynamic.

So scroll up from the address until you find a command which sets ESI.

© E L I T E B L I N G B A T T L E C O D E R S . C O M

8

So the problem now is what sets ECX, since ECX doesn’t seem to be Static. To see what sets ECX, we need to see the parameters of this function when it was called because there is nothing else in this function which control ECX. Therefore to see what code called this function, we need to refer to the Stack, the small window on the bottom right corner of Olly.

In Computer Arch. When you call a function, the computer knows where to return by pushing the return address into the stack. So using these return addresses we can determine which function were called and under what parameters. So I followed the first Return and got this function.

The INT3’s are like empty spaces between the functions and tell us where one function ends and the other starts (for the most part). So back to our whole point of finding what sets ECX, in this function we find again that none of the commands here modify ECX, so we need to go back another function. So go back to the Stack and try the second “Return to”

When we try the second Return To, we get more promising results

© E L I T E B L I N G B A T T L E C O D E R S . C O M

9

Ok a lot of information here. We finally see what sets ECX, it is the ASM command;

So our next question is what sets EBX. Looking further up the code, we see that EAX sets EBX

And what sets EAX, well it looks like DWORD PTR [ECX] which means the memory pointer by ECX.

And finally what sets ECX!

004AF8F0 8BCB MOV ECX,EBX

004AF8B7 8BD8 MOV EBX,EAX

004AF8B0 8B01 MOV EAX,DWORD PTR DS:[ECX]

© E L I T E B L I N G B A T T L E C O D E R S . C O M

10

That 95C5FC is a Static Address. So now we have a static pointer. There is one snag to this though. Do u see that “Sneaky Function” I pointed out. Well that function actually modifies one of the pointers, the EAX.

This “Sneaky Function” is actually very complicated. This is because the offset I had originally picked was very bad to use and made our process very complicated. (It seems in hindsight that the only calls to this function are when you become commander, when usually the ForceCommander offset is constantly called, this should have warned me).

004AF8A7 8B0D FCC59500 MOV ECX,DWORD PTR DS:[95C5FC]

© E L I T E B L I N G B A T T L E C O D E R S . C O M

11

From Static DMA to a Trainer

I will be showing you how this is done in C++. First we need to declare some DWORD which we will read the static stuff into.

So the first thing we need to do is read from the static address of 95C5FC.

Following the chain, next we need to do another Read from the ECX Pointer which we stored in dwBuffer1.

DWORD dwBuffer1;

DWORD dwUtilityBase;

DWORD dwLeaderBase;

DWORD dwForceCommander;

DWORD dwSupply;

DWORD dwArtillery;

004AF8A7 8B0D FCC59500 MOV ECX,DWORD PTR DS:[95C5FC]

<< Translates to >>

ReadProcessMemory(hand, (void*)0x95C5FC, &dwBuffer1,sizeof(dwBuffer1),&bytes);

Usually its not this complicated, and since I don’t want to rewrite the tutorial, nor do I want to confuse the beginners. I will pretend that that change to EAX never takes place. So simply, this code that I am going to explain will not work on the demo, it is only to learn the mechanics. But trust me, in other versions tracing is not that complicated.

© E L I T E B L I N G B A T T L E C O D E R S . C O M

12

Now if we look at the rest of the instructions, they just move addresses from one register to another, without any reading or writing.. It is only at the end that we write to a different memory address, and that is the memory at [ESI + 0x108].

The reason why I made dwForceCommander a separate DWORD is because it makes it easier to write to different mem. addresses when having one base address.

So for example, once we get the base address for supply/arty. We can calculate the others by adding these constants.

004AF8B0 8B01 MOV EAX,DWORD PTR DS:[ECX]

<< Translates to >>

ReadProcessMemory(hand,(void*)(dwBuffer1),&dwLeaderBase,sizeof(dwLeaderBase),&bytes);

4C02B3 mov [ESI+0x108],al

<< Translates to >>

dwForceCommander = dwLeaderBase + 0x108;

ReadProcessMemory(hand,(void*)(dwForceCommander),&dwLeaderBase,sizeof(dwLeaderBase),&bytes);

The Central Dogma of DMA is that even though the actual memory addresses of Supply or Artillery may change, the difference (Supply Mem .Address – Artillery Mem. Address) is always constant.. Therefore if we are able to calculate one memory address, we can then just add/subtract to get the others.

dwSupply= dwUtilityBase + 0x54;

dwArtillery = dwUtilityBase + 0x3c;

© E L I T E B L I N G B A T T L E C O D E R S . C O M

13

Now to finish the ForceCommander hack, we need to write the byte value 1 to the force commander address continually! This is because the server will constantly update with the client and set that we are not commander. So we put the WriteProcessMemory in a timer loop to continuously write 1 to that memory address so our client keeps thinking we are the commander.

We can do the same for Supply and Artillery (once you have calculated the static DMA’s, I will leave this up to you), but remember we need to write 0 to fill the bar.

And there you have it, a working commander hack (note this is really not working since I skipped one static DMA step, but if you did it via another offset it will be working).

TimerLoop {

static BYTE one[1] = {0x01};

WriteProcessMemory(hand,(void*)(dwForceCommander),&one,1,&bytes);

}

static BYTE zero[1] = {0x00};

WriteProcessMemory(hand,(void*)(dwCommander2),&zero,1,&bytes);

WriteProcessMemory(hand,(void*)(dwCommander3),&zero,1,&bytes);

© E L I T E B L I N G B A T T L E C O D E R S . C O M

14

Concluding ThoughtsSo that’s about it for this tutorial, please do post any things you want me to add. These are the steps use off the top of my head, but I may have forgotten something.

So once again, I’m sorry for not having the whole offset thing work out, I would go back to correct it, but then I will have to take new screenshots and everything., hopefully you will understand the mechanics behind static DMA. Here is the good Offset for the demo which I used in my trainer.

Chapter

COMMANDER

004C01B0 8A81 08010000 MOV AL,BYTE PTR DS:[ECX+108]

It gets traced back like this…

004C01B0 8A81 08010000 MOV AL,BYTE PTR DS:[ECX+108]

006F18B6 |. 8BCB MOV ECX,EBX

006F1876 |. 8BD8 MOV EBX,EAX

005E2120 > 8B41 60 MOV EAX,DWORD PTR DS:[ECX+60]

006F1867 |. 8B0D FCC59500 MOV ECX,DWORD PTR DS:[95C5FC]

© E L I T E B L I N G B A T T L E C O D E R S . C O M

15

Credits & Closing WordsBig thanks to SINE for explaining the static base pointers method. I highly recommend you read his explanation because mine is really just a summary of his.

http://www.mpcforum.com/showthread.php?t=144780. Definitely read it. I’d also like to thank Sparten for originally releasing the Commander Hack Offsets and Dubbls for making the first public Commander Hack (which got shut down). It was this Commander Hack which got me into the world of Game Hacking.

So this tutorial is for educational purposes only, I don’t want it to harm anyone and if you use it maliciously it is your fault, not mine. I’d like to thank EA Games and DICE for making such an excellent game which I have spent many countless hours playing and enjoying, and now I’m off to buy Battlefield 2142.