Post: Tutorial Collection [GHOSTS]
06-27-2014, 12:08 AM #1
Notorious
Caprisuns Is Back
Hello NGU,

This is going to be a thread where I will be posting tutorials related to Call of Duty Ghosts. I hope this will help you make things and find things on your own! Please leave feedback on what I should add or what I should fix. In these tutorials I will be showing you how to find everything you need for a mod menu and/or a tool! I will work on making this series for other Call of Duties!

*NOTE SOME SECTIONS ARE NOT FINISHED + I WILL BE ADDING MORE TUTS. BUT AS OF RIGHT NOW I AM NOT WORKING ON IT ANYMORE, SAY WHATEVER YOU WANT, I DONT CARE*

Tutorial #1: Finding Client offsets!

Alright, if you don't know what I mean by "Client Offsets", I mean that we are going to be finding things near the address G_Client! Such things include: player speed, ammo, UAV, and things like that!

So let's get started!

What you will need for this part of the tutorial is:
Jailbroken PS3
ProDG Debugger / Target Manager
IDA Pro w/ PS3 Plugins and Loaders


Ok so what we will need to do is load up CoD Ghosts, get in a game and stay there.
Now we should open up IDA Pro. When you first open it, it will look something like this:

[screenshot]


If this is your first time using IDA Pro then you will most likely have a whole bunch of other tabs open in IDA. But you should X out of all of them except: IDA View - A, Hex View - A, and now you need to open the Strings window. This is how you do it:

[screenshot]

Now, the only windows that we need open are: Strings window, IDA View-A, Hex View-A.
So once you only have those on your desktop, it is a good idea to save your desktop so that every time you load IDA it will have those 3 windows automatically opened. This is how you do it:

[screenshot]


Before we start to do anything, we need to wait until everything in the .ELF file is loaded. You will be able to tell when everything is loaded if you see this in the bottom left corner:

[screenshot]

So once everything is loaded, we can now start to look for the addresses that we need to find client offsets!
Ok so now we will go into the strings window of IDA, and we will press ALT + T to open up a search box. In here, we will search for the string: "The current map name"
This string will lead us to these addresses: g_entity, playerstate.
So what you want to do when you search the string is double click the string and it will bring you to a thing that says "XREF"; this is called a cross reference. You need to double click the cross reference where it has "sub_number" and then right click the screen and go to Graph View. This will make it easier to navigate. Once you have done all of that, your screen will look something like this:

[screenshot]

Now you need to keep scrolling down until you see a box that looks like this:

[screenshot]

The "0x280" is the G_Entity size.
The "0x3700" is the playerstate size.
Now we need to scroll up a little bit and you will see a somewhat large box like this:

[screenshot]

In this box you will find G_Entity and Playerstate.
Here they are:

[screenshot]

Notice how G_Entity is at the top of that box, and Playerstate is in the middle. So you can keep that in mind for new updates.
We will be finding the following offsets with these addresses:
Origin (Can be used to teleport)
Ammo
Name (in game, but same method for lobby)
God Mode


Now we will need to go into the debugger and go to each of these addresses to find our client offsets. These are the addresses that we found:
G_Entity: 0x00E04480
Playerstate: 0x00F44480


Alright, I am going to assume that you never opened ProDG Debugger, so it will look like this when you first open it:

[screenshot]

But now we need to open up some new views. To do this just follow this picture:

[screenshot]

We will need to open the following views:
Registers
Breakpoints
Memory


Alright, so let's start looking for offsets. We will start with G_Entity. Here we go. You will need to go to the memory tab in Debugger at the top bar and press "Attach Process". Now your game will freeze, but don't panic; this window will pop up:

[screenshot]

Click that option that is in the red box I made. And now go to Target Manager like this:

[screenshot]

Now your PS3 will not be frozen. Now you are ready to find these offsets. So what you will do is in the Memory view of debugger, you will paste the G_Entity address and search it. It will look something like this:

[screenshot]

But now we should turn on auto-update while we are doing this to find future offsets. This is how you do it:

[screenshot]

So let's look for godmode. This one is really easy. All we have to do is jump to the G_Entity address and then you will see 4 bytes: 00 64 00 00. You will find them somewhere over here:

[screenshot]

Now you can change them to something like this for god mode: 0F FF FF FF
Now you will need to get the address. To do this just press CTRL + I on the bytes of God Mode!
Here is the address for Ghosts 1.13: 0x00e0462a
So there you go, you found god mode! Now we will look for our in-game name! This is a really easy thing to find! And this is how you do it. You will want to press CTRL + F in debugger. And where it says "Find What:" you will put your name. Like so:

[screenshot]

I also recommend checking the box that says "Match Case", but then be sure to type in your exact name. So once you press Find Next, you will be brought to your name. BUT it may not be the right address. You will have to edit it and then check to see if your name changed. So I will do that and then show you the one that worked! Here it is:
0x00f4752c
I searched my name and it was like the second one that popped up and when I edited it, it changed my name in the game!


Tutorial #2 - Finding HUD Addresses

What you will need for this tutorial:
IDA Pro w/ PS3 Plugins / Loaders

Alright, the addresses that we will need to find are:
G_HudElems
G_LocalizedStringIndex
G_MaterialIndex


Ok, so open up IDA Pro with the Ghosts .elf file. Now load up the strings and type "Hud Elem String". Now double click the string and load the cross reference (XREF) and it will look something like this when you load it:

[screenshot]

So now that you got G_HudElems, we need to find G_LocalizedStringIndex and G_MaterialIndex.
To find G_LocalizedStringIndex, all you have to do is search "localized string" in the IDA strings window. Make sure it is the one that looks like this:

[screenshot]

Now double click the string and the XREF is the address, as so:

[screenshot]

Now we need to find G_MaterialIndex. This is pretty much the same concept. All you have to do is search for "material". But be careful, there are two strings that say exactly "material"; the one we are looking for is the one in a function. Here is what we are looking for:

[screenshot]

And now you have found all of the addresses that you need to update hud elements!!


Tutorial #3 - Finding Keyboard

So this part will show you how to find all the addresses to update the keyboard! I am sure many people want to know how to do this.
So these are the addresses that we need to find:
Open Keyboard
KeyBoard Prompt Callback
Process Events
UI_SafelocalizedString
Return Result


So let's start with the first address. This one is the easiest! So what you have to do is search the string "menu prompt". Note that there are two of these strings, but we want the one that is near these strings:
    
MENU_CLAN_NAME_EXISTS
MENU_CLAN_NAME_IS_OFFENSIVE
MENU_CLAN__NAME_IS_TOO_SHORT
MENU_CLAN_NAME_IS_INVALID
CLANS_NAME_YOUR_CLAN

Once you have loaded all the way to the function, you want to scroll to the bottom of that function, and the first address that we need is the last address being called in the function! Like so:

[screenshot]



Tutorial #4 - FPS

This tutorial is going to be simple. In this tutorial I will teach you how to enable FPS, change the size, change the position, change the text, and find the function address. So let's start with finding the function address. All we have to do is go in IDA with the Ghosts elf and search in the strings for "fps: %f", then double click it and load the XREF. Now it will look something like this:

[screenshot]

Now that is the function address where you can write powerpc functions such as button monitoring to make an eboot to bind mods. Now we will find the address to enable the fps text so we can see it on our screen. This is how you do it:

[screenshot]

Now go into Hex View and look here:

[screenshot]

And that is how you enable FPS! There is also another way of doing it which would be changing the 'beq' to 'bne'.
Now let's get all of the size/position and stuff.. So to do this, go back to the main function of FPS:

[screenshot]

And double click that flt_ and it will bring you to a screen like this:

[screenshot]

Now you can play around with those addresses to figure out which is the size and position. But now you need to find the address where you type your text. To do this all you need to do is go in debugger and search "fps:" and that address is where you customize the text! So there you have everything you need to enable fps and do all of that stuff!


Tutorial #5 - How to find Character Commands!

This part will be on how to find SV_GameSendServerCommands! This is not that hard btw. All you need is to find SV_GameSendServerCommand. Now to find this you can look at my other thread on how to find addresses! So once you have this address, you want to press X on it to find all the places where it is located. Now I am just going to press a random XREF. This is the function that I got:

[screenshot]

Do you see the '%c' and the '%s'? These represent characters and strings! Now we will look at register 4, which is the actual command. Now look at the byte that is being loaded into that register; in this case it is 0x65, which is 'e'. This is a command for GameSendServerCommand! Now we already know that this is to print the killfeed because it was released. But to find out what it does you can just test it! Now to find out what letter the HEX value is, you just press 'R' on the byte! Hope this was helpful!


Tutorial #6 - Keeping it all updated

Don't you think it will be time consuming to update all of this every update? Well, what if I told you that there is a really fast way to update all of the addresses that you have found? There is something called an "IDC Script"; what we will be using this for is to look for certain binary values near an address that we found. Don't worry, I will explain this very well and make it easy to understand!

You will need the following things for this part:
HxD Editor
IDA Pro w/ PS3 Plugins and Loaders
Notepad (I prefer Notepad++)


Ok, first you are going to need the address you are updating. For example I will use SetClientViewAngles. Let's take a look at the function for it in IDA. Here it is:

[screenshot]

So now what we are trying to find is "unique" bytes. To find these you need to look for PowerPC instructions that you don't see as often. In this case we should stay away from instructions like b, lis, beq, addic, etc. So what you want to do is scroll down from the function and just look for some unique bytes. I will find them for me and then show you. Here they are:

[screenshot]

I will briefly explain this line of PPC. The 'lfs' stands for "load floating-point single". The first operand of this instruction is going to be where it is stored. And then the rest will just load 0x1D8 + r4 into the float register.

Now we need to verify that it is unique. To do this, we will open up HxD editor and drag the Ghosts elf into it. Now go back to IDA to where your unique bytes are. Click on the beginning of the PPC line and then go to Hex View - A. Now copy the first 8 bytes of memory. Now go into HxD, press CTRL + F and where it says Datatype you put Hex-values and check 'All' in the search direction. Now paste your bytes in the box and press OK. It will bring you to where those bytes are located. Now press F3 to go to the next location. If it brings you to the next location then it is NOT unique. However, if it brings up a message like this:

[screenshot]

Then it IS unique! In this case mine WERE unique! Alright, so now that we have our unique bytes, we are ready to start making our IDC script. So open up Notepad++ or any text editing program. But I definitely prefer Notepad++. So the first thing that we will write is:

    
#include <idc.idc>


Now we need to add a function that will search for the unique bytes and subtract the difference. So then it will find the address for all the updates above! So here is the function:

    
// Find the unique byte pattern, step back 'offset' bytes to the start of the
// function, define a function of 'length' bytes there and name it 'name'.
static searchBinary(name, binary, offset, length)
{
    auto currentAddress;

    // Search the whole database from address 0 downwards for the pattern.
    currentAddress = FindBinary(0, SEARCH_DOWN, binary);
    if (currentAddress == BADADDR)
    {
        Message("%s not found!\n", name);
        return;
    }

    // Subtract the distance from the pattern back to the function start.
    currentAddress = currentAddress - offset;

    // Undefine whatever IDA had there, re-create it as code and make it a function.
    MakeUnknown(currentAddress, length, 0);
    MakeCode(currentAddress);
    MakeFunction(currentAddress, currentAddress + length);

    // Name it; retry without SN_NOCHECK if the first attempt is rejected.
    if (MakeNameEx(currentAddress, name, SN_NOCHECK | SN_NOWARN) != 1)
        MakeNameEx(currentAddress, name, 0);

    Message("\t%s offset: 0x%08X\n", name, currentAddress);
}


Now let's make a little function for updating the address that we want by calling our other function. Here is mine:

    
static findAddress()
{
    // name, unique bytes, distance from the bytes back to the function start, function length
    searchBinary("SetClientViewAngles", "C0 24 01 D8 FC 40 F8 90", 0x80, 0x1B8);
}

The first argument is the name that we will rename the function to. The second argument is the unique bytes. The third argument is the offset; to get this you need to subtract the address where you found the unique bytes from the address you are updating. And the fourth argument is the length; I just keep it the same every time.

Now we need to make the main function which will call this function. Here it is:

    
static main()
{
findAddress();
return 0;
}


Now put it all together and save it as a .idc file by just renaming the extension. Now you are ready to open it in IDA which I will show you how right now:

[screenshot]

And then from there all you have to do is load the IDC script that you made. I hope you all found this part useful and I hope you all learned from it!


THINGS TO DO:
ADD BUTTON MONITORING TUT
ADD REVERSING TUT (OR LEARN HERE: [link])
ADD ORGANIZING TUT
(I HAD ALL OF THESE BUT I DIDN'T FINISH SO I REMOVED THEM!)


Credits to the following people who have taught me a lot of things:
    
BadLuckBian
Bitwise
Shark
Last edited by Notorious ; 06-27-2014 at 12:51 AM.

The following 22 users say thank you to Notorious for this useful post:

One, RawDog2002, ALI ALHILFI, Asian, Bitwise, FusionIsDaName, iMoDz-Baptiste, iTпDM, Mango_Knife, MegaMister, John, Obris, MysteryAviate, robson29, rodrigovidal, RouletteBoi, Shark, SnaY, Swaqq, Thirst, Laser, Xx-GIPPI-xX
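
The update workflow from Tutorials #4 and #6 done in a script, as an added example that is not part of the original post and not the game's or IDA's code: locate a function in a new build by its unique bytes (the same subtraction the IDC script above does, with the HxD uniqueness check automated and `??` wildcard bytes allowed), translate the file offset into a load address through the ELF program headers, and invert the `beq`/`bne` at a known distance inside it, which is the branch flip Tutorial #4 mentions. The ELF image is constructed inline so the script runs offline: the segment layout, the function location, the 0x80 distance and the branch position are made-up assumptions, and the code assumes a big-endian ELF64 as PS3 PPC64 game ELFs are. Only the signature bytes `C0 24 01 D8 FC 40 F8 90` come from the post; they decode to `lfs f1, 0x1D8(r4)` followed by `fmr f2, f31`. Note that the offset argument is the signature address minus the function address, which is what makes `signature - offset` land on the function.

```python
import struct

PT_LOAD = 1

def parse_load_segments(elf):
    """(p_offset, p_vaddr, p_filesz) of every PT_LOAD in a big-endian ELF64 image (PS3 PPC64)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 2:
        raise ValueError("expected a big-endian ELF64 image")
    e_phoff = struct.unpack_from(">Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from(">HH", elf, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            ">IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_offset, p_vaddr, p_filesz))
    return segs

def file_offset_to_va(segs, off):
    for p_offset, p_vaddr, p_filesz in segs:
        if p_offset <= off < p_offset + p_filesz:
            return p_vaddr + (off - p_offset)
    raise ValueError("file offset 0x%X is in no PT_LOAD" % off)

def va_to_file_offset(segs, va):
    for p_offset, p_vaddr, p_filesz in segs:
        if p_vaddr <= va < p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    raise ValueError("address 0x%X is in no PT_LOAD" % va)

def parse_pattern(text):
    """'C0 24 ?? D8' -> [0xC0, 0x24, None, 0xD8]; None matches any byte."""
    return [None if t == "??" else int(t, 16) for t in text.split()]

def find_all(blob, pattern):
    """Every offset where the pattern matches: the HxD 'Find / F3' check, automated."""
    hits, n, start = [], len(pattern), 0
    first = bytes([pattern[0]]) if pattern[0] is not None else None
    while start + n <= len(blob):
        i = blob.find(first, start) if first else start
        if i < 0 or i + n > len(blob):
            break
        if all(p is None or blob[i + k] == p for k, p in enumerate(pattern)):
            hits.append(i)
        start = i + 1
    return hits

def is_unique(blob, pattern_text):
    return len(find_all(blob, parse_pattern(pattern_text))) == 1

def locate(elf, pattern_text, offset):
    """Load address of the function whose unique bytes lie 'offset' bytes past its start."""
    hits = find_all(elf, parse_pattern(pattern_text))
    if len(hits) != 1:                    # zero or several hits: the signature is useless
        raise LookupError("signature matched %d times, need exactly 1" % len(hits))
    return file_offset_to_va(parse_load_segments(elf), hits[0]) - offset

def flip_cr_branch(word):
    """Invert a PowerPC 'bc' that tests a CR bit (beq<->bne, blt<->bge, bgt<->ble, bso<->bns)."""
    if word >> 26 != 16:
        raise ValueError("opcode %d is not bc" % (word >> 26))
    bo = (word >> 21) & 0x1F
    if bo & 0b10100 != 0b00100:           # BO = 0b0y1zz: plain CR-bit test, CTR untouched
        raise ValueError("BO=0b{:05b} is not a simple CR-bit test (b/bdnz/always?)".format(bo))
    return word ^ (0b01000 << 21)         # toggle the 'branch if bit true/false' flag

def read_word(elf, va):
    off = va_to_file_offset(parse_load_segments(elf), va)
    return int.from_bytes(elf[off:off + 4], "big")

def patch_word(elf, va, word):
    """Copy of the image with the 32-bit big-endian word at 'va' replaced."""
    off = va_to_file_offset(parse_load_segments(elf), va)
    return elf[:off] + word.to_bytes(4, "big") + elf[off + 4:]

def build_sample_elf():
    """Constructed stand-in for the game ELF (sample data, not the real binary): one PT_LOAD
    mapping file offset 0x100 to 0x10000, a 'function' at 0x10200 with the signature 0x80 bytes
    in and a 'beq cr0,+0x10' 0x90 bytes in."""
    text = bytearray(b"\x60\x00\x00\x00" * 0x100)                       # 1 KiB of nop (ori r0,r0,0)
    func = 0x200
    text[func + 0x80:func + 0x88] = bytes.fromhex("C02401D8FC40F890")   # lfs f1,0x1D8(r4); fmr f2,f31
    text[func + 0x90:func + 0x94] = (0x41820010).to_bytes(4, "big")     # beq cr0, +0x10
    ehdr = b"\x7fELF" + bytes([2, 2, 1, 0]) + bytes(8) + struct.pack(
        ">HHIQQQIHHHHHH", 2, 21, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)     # ET_EXEC, EM_PPC64, 1 phdr
    phdr = struct.pack(">IIQQQQQQ", PT_LOAD, 5, 0x100, 0x10000, 0x10000, len(text), len(text), 4)
    image = bytearray(ehdr + phdr)
    image += bytes(0x100 - len(image))                                  # pad up to the segment
    return bytes(image + text)

if __name__ == "__main__":
    elf = build_sample_elf()                 # for a real dump: open(path, "rb").read()
    func = locate(elf, "C0 24 01 D8 FC 40 F8 90", 0x80)
    old = read_word(elf, func + 0x90)
    new = flip_cr_branch(old)
    print("function 0x%08X, branch 0x%08X: %08X -> %08X" % (func, func + 0x90, old, new))
```

Run stand-alone it builds the sample image, reports the function at 0x10200 and shows the branch word 0x41820010 (beq) turned into 0x40820010 (bne); pointed at a real dump you replace build_sample_elf() with the file's bytes and keep one (signature, offset) pair per function, exactly like the IDC script's argument list. `locate` deliberately refuses a signature that hits zero or several times rather than silently taking the first hit, and `flip_cr_branch` refuses unconditional and CTR-based branches whose BO field would otherwise be corrupted by the same bit flip.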
06-27-2014, 12:10 AM #2
MegaMister
Former Mega Staff

AMAZING tutorial man! REALLY!
Good job Mike! :p

The following user thanked MegaMister for this useful post:

Notorious
06-27-2014, 12:44 AM #3
iTпDM
Vault dweller
Thanks Notorious Good Job <3

The following user thanked iTпDM for this useful post:

Notorious
06-27-2014, 06:47 AM #4
Shark
Retired.
your thing for finding keyboard is incomplete ;o, you forgot about all the pointers and shit
06-27-2014, 10:01 AM #5
xXcodgmRTE
Climbing up the ladder
Do how to find offsets
06-27-2014, 01:09 PM #6
Notorious
Caprisuns Is Back
Originally posted by Shark View Post
your thing for finding keyboard is incomplete ;o, you forgot about all the pointers and shit


lol i know
06-27-2014, 02:57 PM #7
Y lie m8, we all kno u dnt use np++, u use You must login or register to view this content.
06-27-2014, 03:21 PM #8
SC58
Former Staff
Originally posted by Shark View Post
your thing for finding keyboard is incomplete ;o, you forgot about all the pointers and shit


Right, all you need to do is load the PS3 plugin and it will show the PS3 keyboard functions, cellosk etc.
06-27-2014, 03:31 PM #9
Notorious
Caprisuns Is Back
Originally posted by Bitwise View Post
Y lie m8, we all kno u dnt use np++, u use You must login or register to view this content.


lol yeah i use that too
06-27-2014, 04:41 PM #10
Notorious
Caprisuns Is Back
Originally posted by ReaperLobbies View Post
Do how to find offsets


I cannot believe you are asking this question. Wow, learn to read! Next time actually look at the thread, because finding offsets is the first section!!!!!!!!!!!!!!!!!!!

Copyright © 2024, NextGenUpdate.
All Rights Reserved.
