- Jul 15, 2018
Game: Wolfenstein The New Order
Engine: idTech 5
Studio: Machine Games
Apart from being ridiculous in size for what the game offers, Wolfenstein The New Order is a pretty fun game. I’ve always been a fan of the idTech engine, back in the day when it was just known as the “Doom” and “Quake” engine.
Wolfenstein runs on the idTech 5 engine, and I believe they’re planning on releasing the idTech 7 engine very soon with Doom Eternal coming out very soon. While id Software tends to release its engine code to the community, there hasn’t been a release since idTech 4 (which sucks).
However, blackboxing it is a lot more fun than whiteboxing it. Considering the underlying structure of the engine is probably somewhat identical to how it was back in the day, I wanted to see if I could get access to the console.
Add this to your launch parameters on Steam or to the shortcut and you’ll be able to pull down the console using CTRL + ~ (which worked for me):
+set com_allowconsole 1
She hasn’t aged a day!
Well that’s the console? What about this dev console you promised me? With the console open press the F10 key and you should see this:
Is that right MachineGames? Challenge accepted.
First enable the dev console cvar:
cvaradd devgui 1
Now remap the key to something else like F8:
bind F8 cvaradd devgui 1
Jump back into the game and you should be greeted by this:
Now the fun can begin!
But why do you need this?
We need this because we’re going to attempt to locate the game’s entity list. You can do this completely blind without knowing anything about the game; however, if the tools are available you might as well use them!
It can be extraordinarily difficult to locate the game’s entity list without some type of frame of reference. In our case we’re going to use an enemy’s health value, because it should be fairly unique and it’s a value we can directly affect.
Use the arrow keys to select the AI tab and pause the enemy AI (enter to select). Then press enter on the option to enable the AI UI. If you did this correctly you’ll have access to all the internal AI states.
As you can see here.
You’ll need to use the numkeys to select the different AI options. Select ‘1’ to get a list of all the currently spawned enemies in the area. The menu is on the bottom right in the picture.
A quick look at the list for the area my character is in shows one enemy who has a different amount of health from the rest. So we’ll focus on him.
We’ve already learnt two very important pieces of information from this UI that will help speed up the process.
- Certain enemies have different health values (sounds obvious but not all games do this).
- The health values are most likely stored as a float in memory.
47,922 is a lot; we’ll need to narrow this down.
Find the enemy that you’re looking for in game and do a small amount of damage to them.
Protip: Float values can behave strangely in memory (due to rounding and whatnot), so it’s better to search for a range than an exact value. After searching again I found 2 values; then it’s a simple matter to change them and observe the effects in game.
My particular value was 0x8BE44DF0. If you open this address in ReclassEx you can see what the memory around this value looks like:
Finding the base entity
Now that we’ve located our health value, we need to find the base entity that owns it, because more than likely this value is stored in a structure belonging to the enemy class.
So how do we find the enemy class? Right-click the address and select “Find out what accesses this address”.
A quick look at the disassembled code shows RCX+10h, which screams to me that RCX is the base pointer of the object that owns the health value. You can either subtract 10h from the original value or copy the value of RCX.
Dumping that value into ReclassEx shows that yes, it’s owned by a class called AVidAIHealth.
This is where a lot of new guys will get stuck. In object-oriented programming it’s not uncommon for classes to be inside classes, with inheritance everywhere. I know just from looking at the class name that this is most likely not the base entity class we are looking for.
So how do we find it? Well, if you take a look at the disassembled code above, that function is receiving the value we just located from somewhere, so now we need to find where that is.
So what accesses 8BE44DE0 (your health address – 10h)? Let’s find out:
So a copy of the initial address is being stored in RBX.
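The range-based float search, the rescan after damaging the enemy, and the "health address minus 10h" step described above, as an added example that is not part of the original post. It runs on a constructed 64-byte buffer rather than a live process; the health values (75.0, then 62.37), the decoy floats and all function names are assumptions made for illustration.

```python
import struct

HEALTH_OFFSET = 0x10      # from the page's disassembly: health is read at RCX+10h
REGION_BASE = 0x8BE44DE0  # page's health address (0x8BE44DF0) minus 10h

def scan_float_range(snapshot, base_addr, lo, hi, align=4):
    """First scan: addresses whose little-endian float32 lies in [lo, hi]."""
    hits = []
    for off in range(0, len(snapshot) - 3, align):
        (value,) = struct.unpack_from("<f", snapshot, off)
        if lo <= value <= hi:  # NaN fails both comparisons and is skipped
            hits.append(base_addr + off)
    return hits

def rescan(candidates, snapshot, base_addr, lo, hi):
    """Next scan: keep only earlier candidates that now lie in [lo, hi]."""
    kept = []
    for addr in candidates:
        (value,) = struct.unpack_from("<f", snapshot, addr - base_addr)
        if lo <= value <= hi:
            kept.append(addr)
    return kept

def owner_base(health_addr):
    """Base of the object that owns the health field (address minus 10h)."""
    return health_addr - HEALTH_OFFSET

def build_snapshot(health):
    """Constructed memory region: one fake object plus decoy floats."""
    buf = bytearray(64)
    struct.pack_into("<Q", buf, 0x00, 0x140000000)  # placeholder pointer field
    struct.pack_into("<f", buf, 0x10, health)       # the health we are hunting
    struct.pack_into("<f", buf, 0x20, 75.0)         # decoy: unrelated constant
    struct.pack_into("<f", buf, 0x30, 100.0)        # decoy: another enemy's health
    return bytes(buf)

def find_health():
    # The UI shows 75, so search 74.5..75.5 instead of exactly 75.0.
    first = scan_float_range(build_snapshot(75.0), REGION_BASE, 74.5, 75.5)
    # After a little damage the UI shows 62; the stored value is 62.37.
    second = rescan(first, build_snapshot(62.37), REGION_BASE, 62.0, 63.0)
    return first, second

if __name__ == "__main__":
    first, second = find_health()
    print("first scan :", [hex(a) for a in first])
    print("after hit  :", [hex(a) for a in second])
    print("object base:", hex(owner_base(second[0])))
```

An exact-value search for 62 in the second pass would have dropped the real address, because the stored float is 62.37 while the UI shows a rounded number.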