Call of Duty: Modern Warfare 2 Message Board  

[12.14.2009 Updated]
Yeeep, I have to say I coun't calculate or find [esi+04]'s address, but I evaded that with my little trick. You can have a try.

Download link:
rapidshare.com/files/320228603/MW2BC.zip
www.filefactory.com/file/a10140d/n/MW2BC.zip
netload.in/dateiD8AUwgiehq/MW2BC.zip.htm
---------------------------------------------------------------
Hi, I am doing my 1st trainer on MW2. I want to force the score 30000 in Body Count so that we can have infinite enemies to have fun.

I found the game memory { 0042b48b - mov [esi+04],eax }
and esi+04 is the address of score 30000.

I tried to use VB6 to compile my trainer and everytime I start it, MW2 crashes, if there is any tip from u it would be very much appreciated.

here is game memory region:
0042B430 - 8b 44 24 04 - mov eax,[esp+04]
0042B434 - 8b 4c 24 08 - mov ecx,[esp+08]
0042B438 - 56 - push esi
0042B439 - 8d 34 08 - lea esi,[eax+ecx]
0042B43C - c1 e6 04 - shl esi,04
0042B43F - 81 c6 80 74 6c 01 - add esi,016c7480
0042B445 - 8b 46 08 - mov eax,[esi+08]
0042B448 - 8b 4e 04 - mov ecx,[esi+04]
0042B44B - 83 e0 1f - and eax,1f
0042B44E - 83 e8 01 - sub eax,01
0042B451 - 83 f8 04 - cmp eax,04
0042B454 - 73 20 - jae 0042b476
0042B456 - 85 c0 - test eax,eax
0042B458 - 51 - push ecx
0042B459 - 75 07 - jne 0042b462
0042B45B - e8 60 7b 06 00 - call 00492fc0
0042B460 - eb 11 - jmp 0042b473
0042B462 - 83 f8 02 - cmp eax,02
0042B465 - 77 07 - ja 0042b46e
0042B467 - e8 74 e4 03 00 - call 004698e0
0042B46C - eb 05 - jmp 0042b473
0042B46E - e8 9d 51 01 00 - call 00440610
0042B473 - 83 c4 04 - add esp,04
0042B476 - 83 66 08 e0 - and dword ptr [esi+08],e0
0042B47A - 8b 46 08 - mov eax,[esi+08]
0042B47D - 8b 4c 24 10 - mov ecx,[esp+10]
0042B481 - 8b 51 04 - mov edx,[ecx+04]
0042B484 - 0b d0 - or edx,eax
0042B486 - 89 56 08 - mov [esi+08],edx
0042B489 - 8b 01 - mov eax,[ecx]
0042B48B - 89 46 04 - mov [esi+04],eax

[Edited by coder47, 12/13/2009 3:40:07 AM]

ok, after a day, I found that every time you quit and restart MW2 the score address{esi+04} is 017ACD24,esi is 017ACD20 and I tried to figure out how to find out esi's address, but no luck. Because if you paly the game again, esi's address will be changed,and then esi+04 will be no more 017ACD24, I hope some of you can give me a tip

[Edited by coder47, 12/13/2009 3:37:51 AM]

baaah....I am not so good at VB.

As far as I can suggest, I would use CoSMOS if I were to make my FIRST trainer.

Important stuff such as replacing the extra bytes of the main code with nops is what CoSMOS does auto.

Where here, you are doing it manually.

I don't know that you know VB or have just used a template downloaded from the net.

And in addition, the game has shared routines with many other functions IMO...So that might add to the game crashes.

yes, CE is a good tool and it has done lots of help. When NOP is filled in MW2 with CE, it also make MW2 crash.

I'm not really good at VB, but as much as I can see you used a fixed memory address to modify, right?

right, that is the problem, and I need find out the address of esi+04 so that the trainer can work, but every time when you start game , esi+04 address is changed, how to find it?

That is code shifting.

I have made a tutorial on tackling such an allocation for CheatHappens.

Here: Link

hi, thanks, I have read that, for me it is something different the oppcode with the corresponding code area:
0042B48B - 89 46 04 - mov [esi+04],eax
and 0042B48B never changes, but when NOP or mov [esi+04],FFFF is injected, the game crashes.

Auto assemble code:
[code]
newmem: //this is allocated memory, you have read,write,execute access
mov [esi+04],0000FFFF <-- I added this line

originalcode:
mov [esi+04],eax <-- I deleted this line
pop esi <--Remained
ret <--Remained

exit:
[/code]

[Edited by coder47, 12/11/2009 10:52:14 PM]