Tutorial: basic reversing for Unix systems (Mac / Linux)


NTvalk
Jul 6, 2013
It has been a while since I posted something here, so I decided to write this quick tut for Unix systems.
In this example I will make a no-recoil hack for CoD4.
I will be using LLDB as the debugger; GDB is also possible.

First you need to look through the engine's SDK for the name of the function you want to hack.
After looking around a bit you will find a function like this that handles the weapon firing (I'm too lazy to remove the line numbers):

C++:
void CG_FireWeapon( centity_t *cent ) {
01693   entityState_t *ent;
01694   int       c;
01695   weaponInfo_t  *weap;
01696 
01697   ent = &cent->currentState;
01698   if ( ent->weapon == WP_NONE ) {
01699     return;
01700   }
01701   if ( ent->weapon >= WP_NUM_WEAPONS ) {
01702     CG_Error( "CG_FireWeapon: ent->weapon >= WP_NUM_WEAPONS" );
01703     return;
01704   }
01705   weap = &cg_weapons[ ent->weapon ];
01706 
01707   // mark the entity as muzzle flashing, so when it is added it will
01708   // append the flash to the weapon model
01709   cent->muzzleFlashTime = cg.time;
01710 
01711   // lightning gun only does this this on initial press
01712   if ( ent->weapon == WP_LIGHTNING ) {
01713     if ( cent->pe.lightningFiring ) {
01714       return;
01715     }
01716   }
01717 
01718   // play quad sound if needed
01719   if ( cent->currentState.powerups & ( 1 << PW_QUAD ) ) {
01720     trap_S_StartSound (NULL, cent->currentState.number, CHAN_ITEM, cgs.media.quadSound );
01721   }
01722 
01723   // play a sound
01724   for ( c = 0 ; c < 4 ; c++ ) {
01725     if ( !weap->flashSound[c] ) {
01726       break;
01727     }
01728   }
01729   if ( c > 0 ) {
01730     c = rand() % c;
01731     if ( weap->flashSound[c] )
01732     {
01733       trap_S_StartSound( NULL, ent->number, CHAN_WEAPON, weap->flashSound[c] );
01734     }
01735   }
01736 
01737   // do brass ejection
01738   if ( weap->ejectBrassFunc && cg_brassTime.integer > 0 ) {
01739     weap->ejectBrassFunc( cent );
01740   }
01741 }

Looking at this code you can see the "CG_FireWeapon: ent->weapon >= WP_NUM_WEAPONS" string, which will be located in the binary file; on BSDish systems it will be located in the cstring section, so by looking through that you could find a way to the CG_FireWeapon function. But GDB and LLDB have a command called 'disassemble', or just 'dis', that can take a function name as a parameter, so we'll use that:
C++:
dis -n CG_FireWeapon
This will print the disasm of the function we're looking for, which is way too long to paste here, but the rest is just like on Windows: you find a call or a jmp and change it, or you RET where you want to stop.
What's also very nice about GDB is that it auto shows the function names after a call/jmp:

C++:
   0x618bb:  leal   0x50460(%ebx), %eax
   0x618c1:  movl   %eax, (%esp)
   0x618c4:  calll  0x1cc846                  ; AxisToAngles(float const (*) [3], float*)
   0x618c9:  movl   0x50484(%ebx), %eax
   0x618cf:  movl   %eax, 0xfd250(%ebx)
   0x618d5:  movl   0x50488(%ebx), %eax
   0x618db:  movl   %eax, 0xfd254(%ebx)
   0x618e1:  movl   0x5048c(%ebx), %eax
   0x618e7:  movl   %eax, 0xfd258(%ebx)
   0x618ed:  leal   0x50410(%ebx), %eax
   0x618f3:  movl   %eax, 0x8(%esp)
   0x618f7:  leal   0x50454(%ebx), %eax
   0x618fd:  movl   %eax, 0x4(%esp)
   0x61901:  addl   $0x4613c, %ebx
   0x61907:  movl   %ebx, (%esp)
   0x6190a:  calll  0x39ca6                   ; BG_WeaponFireRecoil(playerState_s const*, float*, float*)
   0x6190f:  movl   -0x28c(%ebp), %ecx
   0x61915:  cmpl   $0xb, 0x4(%ecx)
So this one is pretty clear: you go to 0x39ca6 and place a RET as the first instruction and voilà, you have no-recoil.
To replace it in lldb you use the expr command:
C++:
(lldb) expr *(char*)0x39ca6 = 0xC3
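Added example, not code from the post or from the game: a small C integrity check that detects the kind of patch the tutorial applies (a one-byte RET written over a function's first instruction) by comparing a function's prologue bytes against a reference copy taken earlier. The function name fire_recoil_stub and the sample prologue bytes are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROLOGUE_LEN 16
#define X86_RET 0xC3   /* one-byte RET opcode written by the tutorial's patch */

/* Copy the first `len` bytes of the code at `fn` into `out`. Do this once at a
   trusted point (e.g. right after load) to get a reference copy. */
void snapshot_prologue(const void *fn, uint8_t *out, size_t len) {
    memcpy(out, fn, len);
}

/* Compare the live bytes at `fn` against the reference. Returns 0 when they
   match, otherwise the 1-based offset of the first differing byte (1 == first instruction). */
size_t prologue_first_mismatch(const void *fn, const uint8_t *ref, size_t len) {
    const uint8_t *live = (const uint8_t *)fn;
    for (size_t i = 0; i < len; i++) {
        if (live[i] != ref[i]) return i + 1;
    }
    return 0;
}

/* 1 if the code at `fn` begins with a bare RET, the patch from the post. */
int starts_with_ret(const void *fn) {
    return ((const uint8_t *)fn)[0] == X86_RET;
}

/* Hypothetical stand-in for a game routine like BG_WeaponFireRecoil. */
int fire_recoil_stub(int pitch) { return pitch + 2; }

/* Integrity check on a real function in this process: snapshot, then verify
   that nothing has changed (returns 0 as long as the code is untouched). */
size_t check_unpatched_function(void) {
    uint8_t ref[PROLOGUE_LEN];
    snapshot_prologue((const void *)fire_recoil_stub, ref, PROLOGUE_LEN);
    return prologue_first_mismatch((const void *)fire_recoil_stub, ref, PROLOGUE_LEN);
}

/* Constructed sample: a copy of an x86 prologue with the same edit the post applies
   via "expr *(char*)addr = 0xC3", done on a writable buffer so no page permissions change. */
size_t check_patched_buffer(void) {
    static const uint8_t ref[PROLOGUE_LEN] = {
        0x55, 0x89, 0xE5, 0x83, 0xEC, 0x28, 0x8B, 0x45,
        0x08, 0x8B, 0x4D, 0x0C, 0x8B, 0x55, 0x10, 0x90 };
    uint8_t live[PROLOGUE_LEN];
    memcpy(live, ref, PROLOGUE_LEN);
    live[0] = X86_RET;                     /* the one-byte no-recoil patch */
    return starts_with_ret(live) ? prologue_first_mismatch(live, ref, PROLOGUE_LEN) : 0;
}
```

In a real build the reference bytes would be stored at build time or taken before any untrusted code runs, since a snapshot made after the patch would simply bless it.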