- Jan 21, 2017
- Game Name
- Call of Duty: Black ops
- Tutorial Link
- How long you been coding/hacking?
- 2 years
- Coding Language
- C/C++, x86 asm
I'm going to use Black Ops 1 for this, but since all the CoD games are built on the same engine, you should be able to do this in all of them, or at least most of them, excluding maybe the newest ones.
Things to keep in mind:
1. Call of Duty is based on a modified version of the Quake 3 engine, i.e. id Tech 3.
2. Quake 3 Arena is open source, so it's available as a reference for essentially 90% of the CoD engine source.
3. The *essential* cod guide: Guide - How to Hack Call of Duty Games & Quake Engine Games
Go ahead and open the game executable in IDA; you should already know how to do this.
This method just uses strings from the Quake source code that persisted into the Call of Duty games. In Quake, Carmack prefixed the functions in the "Client Game" module with "CG_". This lets us find lots of engine functions very quickly, because many of them log debug info and reference their own name in the string.
Press Shift + F12 to open the strings window.
Press Ctrl + F to filter strings.
As mentioned before, the prefix used for a lot of engine functions is "CG_", so we will filter on that.
You will notice that dvars are also prefixed with cg, but in lowercase. Right-click on the filter box and tick "Match case", or leave it off if you also want to see dvar names.
Your output will look something like this:
For this example I am going to choose CG_Obituary. Double-click on the string you want.
You should see something like this:
Normally, to find where a string is referenced, you would click on "aCg_obituary" and look at its xrefs, but there are actually none. For some reason, all of these strings are prefixed by the byte \x15, which the ASCII table lists as NAK ("Negative Acknowledgement"). IDA doesn't treat this byte and the ASCII string following it as one item, so the code references point at the byte rather than the string, and we have to find the xrefs to that byte instead.
Doing so gives us an xref; jump to it and hit F5 to decompile.
And there we go: we just found and decompiled CG_Obituary without any debugging or reverse engineering at all; it's just right there.
This looks pretty bad; the decompiled output should show us the ASCII string. Luckily, fixing this in IDA is easy. Highlight both the byte and the trailing string, and press U to undefine them. Then highlight all of the bytes that should be part of the string, like so:
With this selection, press A to define an ASCII string. The decompiler output will now show the string properly.
Now you can just scroll to the top (or press Page Up a few times to jump there) and rename the function.
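As an added example (not part of the original post), here is a small Python scanner that does outside IDA what the string window and the U/A steps above do by hand: on a constructed byte sample standing in for the game's read-only data, it finds the \x15-prefixed, NUL-terminated "CG_" strings, reports the offset of the marker byte (the address the xrefs actually point at) and the byte range to select before pressing A. The `match_case` switch mirrors the "Match case" toggle that hides the lowercase dvar names, and the `prefix` parameter lets you run the same scan for "R_" rendering functions.

```python
import re
from typing import List, NamedTuple

MARKER = b"\x15"  # NAK byte that precedes the engine's logged names in the CoD binaries


class EngineString(NamedTuple):
    marker_off: int  # offset of the \x15 byte: this is the address code xrefs point at
    text_off: int    # offset of the first ASCII character (always marker_off + 1)
    text: str

    def define_extent(self):
        """Byte range [start, end) to select before pressing A. It includes the
        marker byte so the string item begins at the address the code references."""
        return self.marker_off, self.text_off + len(self.text) + 1  # +1 for the NUL


def find_marked_strings(data: bytes, prefix: str = "CG_",
                        match_case: bool = True) -> List[EngineString]:
    """Scan a raw section dump for NAK-prefixed, NUL-terminated ASCII strings
    starting with `prefix` (CG_ for client-game, R_ for rendering, ...)."""
    flags = 0 if match_case else re.IGNORECASE  # IDA's "Match case" toggle
    pattern = re.compile(MARKER + b"(" + re.escape(prefix.encode("ascii"))
                         + rb"[\x20-\x7e]*)\x00", flags)
    return [EngineString(m.start(), m.start(1), m.group(1).decode("ascii"))
            for m in pattern.finditer(data)]


# Constructed stand-in for a few bytes of the game's read-only data section.
SAMPLE = (
    b"\x00\x00"
    b"\x15CG_Obituary: unknown mod %i\x00"   # marked engine-function debug string
    b"\x15cg_drawFPS\x00"                     # lowercase: a dvar name, not a function
    b"\x15R_RegisterShader\x00"               # rendering function, different prefix
    b"CG_NotMarked\x00"                       # no marker byte: ignored
    b"\x15CG_Draw2D\x00"
)

if __name__ == "__main__":
    for s in find_marked_strings(SAMPLE):
        start, end = s.define_extent()
        print(f"xref target 0x{s.marker_off:x}  select 0x{start:x}-0x{end:x}  {s.text}")
```

On a real dump, add the section's load address to the file offsets before looking them up in IDA.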
A few extra tips:
You can use the same technique for other kinds of engine functions. For example, rendering functions are prefixed with "R_".
With the Quake source linked above open, you can work out the parameters of a lot of these functions much more easily. They are modified for this game and don't match 100%, but it's definitely helpful to have the Q3 Arena source pulled up.
I looked so much on other forums for how to find these engine functions, and most of the people finding them were using a leaked PDB. This is way faster and easier. Hope this helps, and I'll probably be making more small tutorials like this and hopefully get better at making them now. I'll see about making some video tutorials, and I'd also like to make some videos for the GH YouTube channel if possible; it sounds like fun.