Tutorial How to Find Entity List - Wolfenstein Hack Tutorial


timb3r

Jul 15, 2018


Game: Wolfenstein The New Order
Engine: idTech 5
Studio: Machine Games
Version: Steam
Buy: Steam

Apart from being ridiculous in size for what the game offers, Wolfenstein The New Order is a pretty fun game. I’ve always been a fan of the idTech engine, back in the day when it was just known as the “Doom” and “Quake” engine.

Wolfenstein runs on the idTech 5 engine and I believe they’re planning on releasing the idTech 7 engine very soon with Doom Eternal coming out very soon. While id Software tends to release its engine code to the community, there hasn’t been a release since idTech 4 (which sucks).

However, blackboxing it is a lot more fun than whiteboxing it. Considering the underlying structure of the engine is probably somewhat identical to how it was back in the day, I wanted to see if I could get access to the console.

+set com_allowconsole 1
Add this to your launch parameters on Steam or to the shortcut and you’ll be able to pull down the console using CTRL+~ (which worked for me).

console-1024x604.png

She hasn’t aged a day!

Well that’s the console? What about this dev console you promised me? With the console open press the F10 key and you should see this:

cannot-be-set.png

Is that right MachineGames? Challenge accepted.

First enable the dev console cvar:
cvaradd devgui 1
Now remap the key to something else like F8:
bind F8 cvaradd devgui 1
Jump back into the game and you should be greeted by this:
devgui-1024x194.png

Now the fun can begin!

But why do you need this?

We need this because we’re going to attempt to locate the game’s entity list. Now you can do this completely blind without knowing anything about the game; however, if the tools are available you might as well use them!

It can be extraordinarily difficult to locate the game’s entity list without some type of frame of reference. In our case we’re going to use an enemy’s health value (because it should be fairly unique) and it’s a value we can directly affect.

Use the arrow keys to select the AI tab and pause the enemy AI (enter to select). Then press enter on the option to enable the AI UI. If you did this correctly you’ll have access to all the internal AI states.

oh-yes.png

As you can see here.

You’ll need to use the numkeys to select the different AI options. Select ‘1’ to get a list of all the currently spawned enemies in the area. The menu is on the bottom right in the picture.

A quick look at the list in the area my character is in game shows one enemy who has a different amount of health to the rest. So we’ll focus on him.

We’ve already learnt two very important key pieces of information from this UI that will help speed up the process.
  1. Certain enemies have different health values (sounds obvious but not all games do this).
  2. The health values are most likely stored as a float in memory.
ce-first-scan.png

47,922 is a lot; we’ll need to narrow this down.

Find the enemy that you’re looking for in game and do a small amount of damage to them.

Protip: Float values can behave strangely in memory (due to rounding and whatnot), so it’s better to search for a range than an exact value. After searching again I found 2 values; then it’s a simple matter to change them and observe the effects in game.

My particular value was 0x8BE44DF0. If you open this address in ReclassEx you can see what the memory around this value looks like:

reclass-1-1024x130.png

Pretty standard.

Finding the base entity
So now we’ve located our health value we need to find the base entity that owns this value. Because more than likely in code this value will be stored in a structure belonging to the enemy class.

So how do we find the enemy class? We right-click and select “Find out what accesses this address”.

ce-2.png


A quick look at the disassembled code shows RCX+10h, which screams to me that RCX is the base pointer of the object that owns the health value. You can either subtract 10h from the original value or copy the value of RCX.

Dumping that value into ReclassEx shows that yes, it’s owned by a class called AVidAIHealth.

reclass-2-1024x62.png

Cool

This is where a lot of new guys will get stuck. In object orientated programming it’s not uncommon for classes to be inside classes with inheritance everywhere. I know just from looking at the class name that this is most likely not the base entity class we are looking for.

So how do we find it? Well, if you take a look at the disassembled code above, that function is receiving the value we just located from somewhere, so now we need to find where that is.

So what accesses 8BE44DE0 (your health address – 10h)? Let’s find out:

ce-3.png

So a copy of the initial address is being stored in RBX.
 


timb3r

We know straight away that RCX is a base pointer to something because the code is adding the offset of 0xB130 to the base value. So quick maths here:

8BE39CB0 + B130 = 8BE44DE0 (Our original health value)
reclass-3-1024x87.png

Oh yeaaaaah.

Okay now we’re getting somewhere.

The entity list

So now that we’ve found the base entity class, we can locate the actual entity list. Because we want to find entities, we need to know a valid address of one entity first, because they will most likely be pointers stored in an array in memory somewhere (with me so far?).

Do a scan for the address we just found (8 bytes hex) and you should get a bunch of hits:

ce-4.png

Now for the fun part.

Remember one important thing: this memory address is stored in an array. It could be at the start, in the middle or at the end. We need to locate the correct address and determine where the start of the array is.

0x4BE33B18 seems pretty unique, so let’s scope out that area of memory:

reclass-4.png

Looks pretty close to what we want.

The list has both 0x8BE39CB0 and 0x8BE55000, which on closer inspection are both entities of the same type. Now to check if 0x8BE39CB0 is the start of the array.

reclass-5.png

Null bytes baby!

Surviving a reboot

Now we have our entity list, we need to make sure we don’t lose it after a game restart or system reboot. 0x4BE33B18 is not a static (fixed) address, so we’ll have to dive into the game’s code and find a fixed address we can use to calculate this one.

Lazy mode: Sometimes searching for the address will reveal a static pointer you can read; however, not in this case. We have to get creative.

Add the address to Cheat Engine and see what writes to the address. Then reload a save or checkpoint.

So it was at this point my game crashed hard and I lost most of my stuff; however, I’d already located the entity list at this point and it was simple enough to retrace my steps.

ce-5.png

This is what we want

You can see here that a static address is being moved into RAX, which is accessing our entity list. But what is this mysterious value? Let’s go check it out:

reclass-6-1024x129.png

Oh the game base class? Yes please!

So, once we have this value, which we can get by reading wolfneworder_x64.exe+1da60E0, we now have a fixed point in memory we can use to find our entity class. Let’s use some more maths:

wolfneworder_x64.exe+1da60E0 = 0x7FF660C160E0 -> 000000002CCDB050.
0x2CCF5B18 (entity list) - 0x2CCDB050 (game local) = 0x1AAC8.
So to calculate every time the game starts where our entity list will be:

0x2CCDB050 (game local) + 0x1AAC8 = 0x2CCF5B18.
Done! It’s always advisable to double check with a game restart or by rebooting your system. Cheat table here for lazy people:
WolfTNO Entity List Cheat Table:
<?xml version="1.0" encoding="utf-8"?>
<CheatTable CheatEngineTableVersion="28">
  <CheatEntries>
    <CheatEntry>
      <ID>1</ID>
      <Description>"Base pointer game"</Description>
      <ShowAsHex>1</ShowAsHex>
      <VariableType>8 Bytes</VariableType>
      <Address>wolfneworder_x64.exe+1da60E0</Address>
    </CheatEntry>
    <CheatEntry>
      <ID>2</ID>
      <Description>"Entity List"</Description>
      <ShowAsHex>1</ShowAsHex>
      <VariableType>8 Bytes</VariableType>
      <Address>wolfneworder_x64.exe+1da60E0</Address>
      <Offsets>
        <Offset>1AAC8</Offset>
      </Offsets>
    </CheatEntry>
  </CheatEntries>
</CheatTable>
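
Added example (not part of the original post): the two cheat table entries above, resolved offline against two constructed memory snapshots, to show why the module-relative pointer plus 0x1AAC8 survives a restart while the absolute addresses do not. The `Snapshot` class, every address in run B, and the module base in run A (derived from the post's 0x7FF660C160E0 minus 0x1da60E0) are assumptions made for illustration.

```python
import struct
import xml.etree.ElementTree as ET

# The two entries from the post's cheat table, trimmed to the fields used here.
TABLE = """<CheatTable><CheatEntries>
<CheatEntry><Description>"Base pointer game"</Description>
<Address>wolfneworder_x64.exe+1da60E0</Address></CheatEntry>
<CheatEntry><Description>"Entity List"</Description>
<Address>wolfneworder_x64.exe+1da60E0</Address>
<Offsets><Offset>1AAC8</Offset></Offsets></CheatEntry>
</CheatEntries></CheatTable>"""


class Snapshot:
    """Constructed stand-in for process memory: module bases plus sparse qwords."""

    def __init__(self, modules, qwords):
        self.modules = modules
        self.mem = {addr: struct.pack("<Q", val) for addr, val in qwords.items()}

    def read_ptr(self, addr):
        # An unmapped address raises KeyError, like a read through a stale pointer.
        return struct.unpack("<Q", self.mem[addr])[0]


def resolve(entry, snap):
    """Return the absolute address a table entry points at in this snapshot."""
    module, _, rva = entry.findtext("Address").partition("+")
    addr = snap.modules[module] + int(rva, 16)
    # The post's table has a single offset; multi-offset ordering is not modelled.
    for off in entry.iterfind("Offsets/Offset"):
        addr = snap.read_ptr(addr) + int(off.text, 16)
    return addr


def resolve_all(snap):
    entries = ET.fromstring(TABLE).iter("CheatEntry")
    return {e.findtext("Description").strip('"'): resolve(e, snap) for e in entries}


# Run A uses the post's numbers; run B is a constructed second launch in which
# both the module base and the heap object have moved.
RUN_A = Snapshot({"wolfneworder_x64.exe": 0x7FF65EE70000},
                 {0x7FF660C160E0: 0x2CCDB050})
RUN_B = Snapshot({"wolfneworder_x64.exe": 0x7FF7A1230000},
                 {0x7FF7A1230000 + 0x1DA60E0: 0x51A40050})

if __name__ == "__main__":
    for name, snap in (("A", RUN_A), ("B", RUN_B)):
        for desc, addr in resolve_all(snap).items():
            print(name, desc, hex(addr))
```
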
 

Rake

Jan 21, 2014
Released from the Premium forum to the masses!
 