Call of Duty Modern Warfare 2 (cod mw2) hacks & hacking

[Sethioz]

my first look into CoD series ever. first impression is that this game is easy to hack and i can probably make some major hacks, which will bring down the sky. don't expect much, because i am not interested in this game at all.

Video demonstration of unlimited ammo

/////////////////////////////////////////////////////////
Available hacks:
/////////////////////////////////////////////////////////

• 1. Unlimited ammo
  - with reload > changing remaining ammo
  - without reload > changing ammo in clip

If you do not know how to use memory tools, then look here:
How to hack / get unlimited ammo in single player games
Basic game hacking tutorial & Toolz for it

/////////////////////////////////////////////////////////
1. Unlimited ammo
/////////////////////////////////////////////////////////
i have made only few tests, don't take 100% word for them.

- you can basically search for both, ammo remaining and ammo in clip, but:
- find ammo remaining for heavy weapon
- this means, if you have sniper and pistol, then sniper is the heavy weapon.
- so you find ammo remaining and then you can do a simple calculation using calculator
- put it on HEX and insert the address you find, then add +80 to get ammo in clip.
- alternatevily you can find ammo in clip and substract 80 to get ammo remaining.

on other weapon's case (light weapon), you need to add/substract 78.
then you can use debugger to find the breakpoint/s and nop the function (all explained in basic game hacking tutorials i linked above)

This calculation method is very important if you want to get infinite ammo for weapons that have only 1 shot (like RPG or such). in this way you never search for values, you simply find the right place and edit them directly.

/////////////////////////////////////////////////////////

I looked around in game's memory and it seems that you can change fire rate, ammo type...and such.
you can look at my all famous hacks to find out how i did it there, this game simply needs more research and time to find those things. read my famous hacks in:
Resident Evil 4
Resident Evil 5
Aliens vs Predator 2010
to find out how i have done it there, method is nearly same.

it might work in multiplayer, i used the MP version of game to make them, i just never joined any server to test.
VAC is enabled in this game, use on your own risk !
i also found out that addresses seem to be static, i restarted game about 3 times and addresses never changed.

UPDATE:
it is possible to hack your experience too, i have not played it at all online, so i do not know if it even shows your max experience, but you can easily change it once you find the value.
i also found some weird value on weapon's specs, if it is set to something it is not suppouse to be, then ammo remaining will go to 0. im guessing it might be "clip type"

[TeamRetox]

Like I said before in this topic: Unlimited ammo is old and every trainer has it(I thought u only focused on 'unique' shit)...
It also won't work online unless you're the host.

Learn disassembly and look for 'CG_FireWeapon', down a bit from there is the recoil function, either nop out the call, or follow it and mov eax,0 + retn for no recoil(and nospread when aiming down the sights).

flash can be found by looking for 'Drawflashdamage', mov eax,0 + retn for noflash(and partial no-stun).

Also, VAC bans for exp hack if you do it while you're in a lobby or ingame(so use it at the main menu after just launching the game).
noflash and no recoil are also detected if you used the methods above.

[Sethioz]

removed the last post cuz it wasn't really hack related.

as ive said before, you should write the whole tutorial, because visitors and members who are looking for hacks will not understand this, they probably even want to know how to open process in olly (which i have actually covered).

only reason why i posted this, is to have topic started by me, so i can update the first post. only thing i might make, is the ammo type, im sure that it is located somewhere near ammo remaining and ammo in clip.

[TeamRetox]

---
A quick tut on getting the D3D device pointer for MW2 :)

First load up iw4mp.exe into olly, and search for -> all intermodular calls.
Sort them by name by clicking on the 'Destination' button above the calls.

Start typing: Direct, you should now see two calls to Direct3DCreate9.
Follow the first one:

Code: Select all

004FC856  |. E8 05D21800    CALL <JMP.&d3d9.Direct3DCreate9>
004FC85B  |. 8BF8           MOV EDI,EAX
004FC85D  |. 85FF           TEST EDI,EDI
004FC85F  |. 74 34          JE SHORT iw4mp.004FC895
004FC861  |. 8B07           MOV EAX,DWORD PTR DS:[EDI]
004FC863  |. 8B50 14        MOV EDX,DWORD PTR DS:[EAX+14]
004FC866  |. 8D4C24 08      LEA ECX,DWORD PTR SS:[ESP+8]
004FC86A  |. 51             PUSH ECX
004FC86B  |. 6A 00          PUSH 0
004FC86D  |. 6A 00          PUSH 0
004FC86F  |. 57             PUSH EDI
004FC870  |. FFD2           CALL EDX
004FC872  |. 85C0           TEST EAX,EAX
004FC874  |. 7C 17          JL SHORT iw4mp.004FC88D

Aww... no absolute addies for us to use(we could still hook Direct3DCreate9 tho, but they will detect that)

Let's try the other one:

Code: Select all

0050DCAB  |. E8 B0BD1700    CALL <JMP.&d3d9.Direct3DCreate9>
0050DCB0  |. 85C0           TEST EAX,EAX ; test against itself
0050DCB2  |. A3 E4727306    MOV DWORD PTR DS:[67372E4],EAX ; BINGO! 0x67372E4 is where they store the device pointer!
0050DCB7  |. 75 13          JNZ SHORT iw4mp.0050DCCC ; jump if D3DCreate9 didnt return a null pointer
0050DCB9  |. 68 745B7800    PUSH iw4mp.00785B74                      ;  ASCII "Direct3D 9 failed to initialize
"
0050DCBE  |. 6A 08          PUSH 8
0050DCC0  |. E8 0B27FFFF    CALL iw4mp.005003D0

0x67372E4 is a pointer to the games IDirect3D9, from which they will call CreateDevice to have the actual device created.

CreateDevice is the 16th virtual function in IDirect3D9, 0x4 is the size of a pointer, 16 = 0x10, 0x4*0x10 = 0x40, so we want to look at where IW4MP
does something like the following:
mov ECX, DWORD PTR DS:[67372E4];
mov EAX, DWORD PTR DS:[ECX+40];
call EAX;

Now this is what I found:

Code: Select all

0050DAB0   $ 83EC 10        SUB ESP,10
0050DAB3   . 53             PUSH EBX
0050DAB4   . 55             PUSH EBP
0050DAB5   . 8B6C24 24      MOV EBP,DWORD PTR SS:[ESP+24]
0050DAB9   . 56             PUSH ESI
0050DABA   . 57             PUSH EDI
0050DABB   . EB 03          JMP SHORT iw4mp.0050DAC0
0050DABD     8D49 00        LEA ECX,DWORD PTR DS:[ECX]
0050DAC0   > 68 085B7800    PUSH iw4mp.00785B08                      ;  ASCII "Creating Direct3D device...
"
0050DAC5   . 6A 08          PUSH 8
0050DAC7   . E8 0429FFFF    CALL iw4mp.005003D0
0050DACC   . 83C4 08        ADD ESP,8
0050DACF   . 33DB           XOR EBX,EBX
0050DAD1   . EB 0D          JMP SHORT iw4mp.0050DAE0
0050DAD3   . 8DA424 0000000>LEA ESP,DWORD PTR SS:[ESP]
0050DADA   . 8D9B 00000000  LEA EBX,DWORD PTR DS:[EBX]
0050DAE0   > 8B3D EC727306  MOV EDI,DWORD PTR DS:[67372EC]
0050DAE6   . 68 F8727306    PUSH iw4mp.067372F8
0050DAEB   . BE F4727306    MOV ESI,iw4mp.067372F4
0050DAF0   . E8 7BF0FFFF    CALL iw4mp.0050CB70
0050DAF5   . 8B5424 2C      MOV EDX,DWORD PTR SS:[ESP+2C]
0050DAF9   . 83C4 04        ADD ESP,4
0050DAFC   . 68 E8727306    PUSH iw4mp.067372E8
0050DB01   . 55             PUSH EBP
0050DB02   . 52             PUSH EDX
0050DB03   . 8B5424 30      MOV EDX,DWORD PTR SS:[ESP+30]
0050DB07   . 52             PUSH EDX
0050DB08   . A2 F0727306    MOV BYTE PTR DS:[67372F0],AL
0050DB0D   . A1 E4727306    MOV EAX,DWORD PTR DS:[67372E4]
0050DB12   . 8B08           MOV ECX,DWORD PTR DS:[EAX]
0050DB14   . 6A 01          PUSH 1
0050DB16   . 57             PUSH EDI
0050DB17   . 50             PUSH EAX
0050DB18   . 8B41 40        MOV EAX,DWORD PTR DS:[ECX+40]
0050DB1B   . FFD0           CALL EAX
0050DB1D   . 8BF0           MOV ESI,EAX
0050DB1F   . 85F6           TEST ESI,ESI
0050DB21   . 7D 28          JGE SHORT iw4mp.0050DB4B
0050DB23   . 6A 64          PUSH 64                                  ; /Timeout = 100. ms
0050DB25   . FF15 A4616D00  CALL DWORD PTR DS:[<&KERNEL32.Sleep>]    ; \Sleep
0050DB2B   . 83C3 01        ADD EBX,1
0050DB2E   . 83FB 14        CMP EBX,14
0050DB31   .^75 AD          JNZ SHORT iw4mp.0050DAE0
0050DB33   . 833D EC727306 >CMP DWORD PTR DS:[67372EC],0
0050DB3A   . 74 5B          JE SHORT iw4mp.0050DB97
0050DB3C   . C705 EC727306 >MOV DWORD PTR DS:[67372EC],0
0050DB46   .^E9 75FFFFFF    JMP iw4mp.0050DAC0
0050DB4B   > A1 E4727306    MOV EAX,DWORD PTR DS:[67372E4]
0050DB50   . 8B08           MOV ECX,DWORD PTR DS:[EAX]
0050DB52   . 8D5424 10      LEA EDX,DWORD PTR SS:[ESP+10]
0050DB56   . 52             PUSH EDX
0050DB57   . 8B15 EC727306  MOV EDX,DWORD PTR DS:[67372EC]
0050DB5D   . 52             PUSH EDX
0050DB5E   . 50             PUSH EAX
0050DB5F   . 8B41 20        MOV EAX,DWORD PTR DS:[ECX+20]
0050DB62   . FFD0           CALL EAX
0050DB64   . 85C0           TEST EAX,EAX
0050DB66   . 7C 1E          JL SHORT iw4mp.0050DB86
0050DB68   . 8B4C24 10      MOV ECX,DWORD PTR SS:[ESP+10]
0050DB6C   . 8B5424 14      MOV EDX,DWORD PTR SS:[ESP+14]
0050DB70   . 890D FC727306  MOV DWORD PTR DS:[67372FC],ECX
0050DB76   . 8915 00737306  MOV DWORD PTR DS:[6737300],EDX
0050DB7C   . 8BC6           MOV EAX,ESI
0050DB7E   . 5F             POP EDI
0050DB7F   . 5E             POP ESI
0050DB80   . 5D             POP EBP
0050DB81   . 5B             POP EBX
0050DB82   . 83C4 10        ADD ESP,10
0050DB85   . C3             RETN
0050DB86   > 8B45 00        MOV EAX,DWORD PTR SS:[EBP]
0050DB89   . A3 FC727306    MOV DWORD PTR DS:[67372FC],EAX
0050DB8E   . 8B4D 04        MOV ECX,DWORD PTR SS:[EBP+4]
0050DB91   . 890D 00737306  MOV DWORD PTR DS:[6737300],ECX
0050DB97   > 5F             POP EDI
0050DB98   . 8BC6           MOV EAX,ESI
0050DB9A   . 5E             POP ESI
0050DB9B   . 5D             POP EBP
0050DB9C   . 5B             POP EBX
0050DB9D   . 83C4 10        ADD ESP,10
0050DBA0   . C3             RETN

now take a closer look at the following, this is what CreateDevice looks like:

Code: Select all

HRESULT CreateDevice(
  [in]           UINT Adapter,
  [in]           D3DDEVTYPE DeviceType,
  [in]           HWND hFocusWindow,
  [in]           DWORD BehaviorFlags,
  [in, out]      D3DPRESENT_PARAMETERS *pPresentationParameters,
  [out, retval]  IDirect3DDevice9 **ppReturnedDeviceInterface
);

And this:

Code: Select all

0050DAFC   . 68 E8727306    PUSH iw4mp.067372E8 ; push parameter
0050DB01   . 55             PUSH EBP ; push parameter
0050DB02   . 52             PUSH EDX ; push parameter
0050DB03   . 8B5424 30      MOV EDX,DWORD PTR SS:[ESP+30] ; store one of the arguments to the function in EDX
0050DB07   . 52             PUSH EDX ; Push parameter
0050DB08   . A2 F0727306    MOV BYTE PTR DS:[67372F0],AL ; No idea
0050DB0D   . A1 E4727306    MOV EAX,DWORD PTR DS:[67372E4] ; Store the pointer to the IDirect3D9 pointer in EAX
0050DB12   . 8B08           MOV ECX,DWORD PTR DS:[EAX] ; Store the address of the actual IDirect3D9 in ECX
0050DB14   . 6A 01          PUSH 1 ; push parameter
0050DB16   . 57             PUSH EDI ; push parameter
0050DB17   . 50             PUSH EAX ; push parameter
0050DB18   . 8B41 40        MOV EAX,DWORD PTR DS:[ECX+40] ; Store the pointer to CreateDevice in EAX
0050DB1B   . FFD0           CALL EAX ; Call EAX, which points to CreateDevice

Since EDX is pushed twice, I just discard one.
That leaves with 6 pushed parameters, since they're pushed in reverse order(last in first out), it would mean the last parameter of CreateDevice is pushed first.

Code: Select all

PUSH iw4mp.067372E8

OH SHIT! COULD THAT BE THE POINTER TO THE DEVICE POINTER? let's hope so, since I am unable to test :)

IDirect3DDevice9 *myDevicePointer = *(IDirect3DDevice9**)0x067372E8;

I hope this helped! :)

Have fun,
Hell_Demon
---

Can't be arsed reuploading pictures etc, so here are my other 2 guides.

No recoil
No flash/stun

[paraxxxito::]

Speed ,Super jump and godmode game version 1.0 razor911 retail
/////////////
float value type
normal speed 1
highter values= super speed 2,3,4
if you have version 1.0 this is the addy 196E2F0 and this 1 109BF14 also change speed but with the difference that if you hit a wall you'll super jump and get out of the map also this addies dosent change value when you spring thats why i didnt posted spring or running values found them by luck looking for thermal vision values

Godmode
///////////////
health initial value on 4 bytes 100
health initial value on float 1.401298464e-043

[Sethioz]

speed makes no sense to me, normal is 1 and then what ? you really need to post them like i do, clean and clear.
anyways, im sure that speed will work online. i deleted the game, but i still have steam with it. i would borrow it, but im planning on selling it, so dont need it VAC banned.

[TeamRetox]

It will probably get VAC banned seeing as you used unlimited ammo on it.

1 = normal, 2 = double, 4 = 4x as high probably

[Sethioz]

still makes no sense. normal speed ? walk run or sprint ?
and i highly doubt it gets you VAC banned. i don't think that VAC scans whole data in memory. once found, it can be set using a small self made trainer. i don't feel like downloading 11gb just to test.

[paraxxxito::]

i dont know if thoses addresses are the original addys of speed but without doubt it affects the game speed not only how fast you move but also ambient effects and also how fast you shot etc heres a video showing the effects

[Sethioz]

somebody should try it in multiplayer.