Controlling other players in A2OA

Scripters take control of people with three script functions:

  • RemoteControl
  • changeCamera
  • SelectPlayer

Only one of those is necessary. SelectPlayer actually does changeCamera on its own, and remoteControl is for controlling turrets, not players.

This image has been resized. Click this bar to view the full image. The original image is sized 1027×765.

Name: 		selectPlayer
Name (Long): 	selectplayer
Arg1: 		unit
Description: 	Switch player to given unit.
Example Use: 	selectPlayer aP
Category: 	General
Function: 	0x7ADF17

That’s selectPlayer. It does a lot. It messes with the AIBrain in the entities, then does things with the network managers and network clients if you’re in multiplayer, and sends a message to the server in one of those networkManager functions. That message is important, because it tells the server to give your client locality over the target. This is why if you set your local player pointer to the entity of another player, nothing you do to them ‘sticks’. If you move, you get pulled back. If you fire, their ammo goes down but no bullet comes out. All you can do is things on the scroll wheel, and that’s why: you don’t have locality of that entity, so the server doesn’t accept your changes to it.

So by calling selectPlayer, we can get locality of the target. Then, any changes we make ‘stick’, and the previous owner of the entity’s changes don’t ‘stick’. So when you take control of someone, whenever they move, they get pulled back. When they fire, the ammo count goes down but no bullet comes out. Sounds familiar, right?

Calling selectPlayer is easy. The first argument is a buffer in which it can build a gameValue object, just make an 8 byte buffer for that. The second argument is sometimes the GameState object, and sometimes 0. selectPlayer never actually uses this argument, so passing it 0 is safe. The third argument is what I call unitInfo, it’s the link object that points to an entity. Like dfcdd8] + 13a8].

And that’s all there is to it. Give it a second or two and you’ll be controlling your target completely.

PHP Code:
selectPlayer( buffer, 0, target );

Framing other entities for kills in A2OA

Wouldn’t it be cool if we could shoot someone and frame some other player for the kill?

This image has been resized. Click this bar to view the full image. The original image is sized 1905×916.

When your client calculates damage and sends a message to the server about it, your client includes what entity did the damage. In regular Arma a player can have AI team mates, so the server can’t just assume that the actual player did all the damage that gets sent from his client. So Arma keeps track of who fired a bullet and uses that information to determine who did the damage, and sends that information to the server. The server then sends this damage to the receiving client, and that client applies the damage. In the event of a death, the client of the victim applies the damage, sees that there is a death, and writes the kill message using the name of the entity that fired the bullet that caused the death.

You can see where this is going, right?
The ‘Munition’ Class

PHP Code:
    class Munition : public Entity {
char _0x0040[444];
UnitInfo* parent; //0x01FC

Munition shares some base classes with all other in-game entities. What you’re interested in is the parent pointer – which is at 0x1FC. BTW UnitInfo is the class at DFCDD8] + 13A8], the one that contains a pointer to your actual player at +4. That first value is a reference count, BTW.

So anyway, the ‘parent’ of the munition is who is credited with doing the damage. So if you change the parent of a bullet you fire to someone else, they get ‘credit’ for the kill. Which means if you shoot someone 50m away from you and they’re 4km away from you, the kill message will say they killed your target from 4km away. Do this a few times and the person will most assuredly get server banned.

What’s more, you know how some custom anti-hacks redirect damage over a certain amount? So you set your bullet damage to 5000000 and shoot someone and you fall over dead – this is because the custom anti-hack on their client saw that the damage they were being dealt was an impossible amount, so it redirected the damage to you. Well, what if you shoot a 500000 damage bullet and ‘frame’ someone else as the parent? The custom anti hack very politely kills THEM instead. Fun, huh?

I’ve used this to get streamers banned from servers by framing them for impossible kills, or getting lower level admins banned by framing them for a server wipe. The sky is the limit!

BTW the table of munitions in the simulation is here:

PHP Code:
class World
char _0x0000[8];
InGameUI* inGameUI; //0x0008
char _0x000C[16];
DisplayMain* displayMain; //0x001C
char _0x0020[1496];
void* displayMainMap; //0x05F8
AutoArray<EntityEntry>* entityTable;
GameDataNamespace* gameDataNamespace; //0x0600
AutoArray<Munition*> munitions; //0x07DC <----Munitions right here!!
char _0x07E8[148];
EntitiesDistributed* table1; //0x087C

Note: if you change a bullets parent to someone else before it has left your hitbox area, you will shoot yourself. Have you ever teleported bullets into yourself and noticed your own bullets will never hit your player? That’s because they spawn inside of your hit box area. So make sure the bullet is like 1m away from you before setting the parent to someone else.

Protip: increase the reference count on the unit info you set as parent, otherwise when the bullet impacts and disappears it could free the unitinfo of the parent.

Event Handler script executor POC w/Source

In the thread Entity event handlers I talked about the player event handlers and how they’re stored in the entity class. I also theorized about using them for script injection, which I have implemented here. 


This image has been resized. Click this bar to view the full image. The original image is sized 1906×1035.

How to use the code: 

1: Initialize the tbb4Malloc_bi malloc function pointer. If you forget to do this, the system will use regular c malloc, which will still work but will cause crashes when Arma goes to free your strings when you leave a game. You don’t need to do this for each object, you only have to do it once.

2: Create an A2EventHandler object and pass it a pointer to the first event handler in the class of the unit you want to install the event handler in. This is at entity + 0x2AC.

3: Add or remove event handlers as you please. You can remove all event handlers for a given event, remove all event handlers on all events, remove a specific handler (uses strcmp, so you have to know the text of the event) and of course add an event handler to an event. Just pass it the script text you want it to execute.

PHP Code:
HMODULE hMalloc GetModuleHandle("tbb4malloc_bi.dll");
if(hMalloc) { A2OA::A2EventHandler::setMalloc( (A2OA::A2Malloc)((UINT)hMalloc 0x7A90) ); }
Unitunit getRealPlayer(PWorld);
if (unit) { A2OA::A2EventHandler eventHandlersunit->eventHandlers );
eventHandlers.addEventHandlerEHAnimChanged"hint 'You're movin!';"); }

The easiest thing to attach to is AnimChanged, which basically fires at all times. Just remember to remove your event handler, probably within the event itself (removeEventHandlers AnimChanged; ExecVm whatever)

Included executor

Included is a working script executor using this method. It will read a file from your User\Documents directory and put its contents in an event handler on AnimChanged, which means it will be executed almost instantly. It is up to YOU to remove the event handler within your script (should be the first thing), and to make your script work with this system. You can put whatever you want in it, but if you just want to run your menu or whatever, you should put it in a folder and use ExecVM or something probably.

Example Uses:

Remove your HandleDamage event handlers to get God mode in DayZ
Remove your Fired event handlers to shoot people in safe zones
Add an event handler to HandleDamage to fake an infiSTAR detecton on the person that shot you, banning them. 


Doug’s Projects

Source code for some of these projects is available at just log in with the credentials given in the resume!

ObRegisterCallbacks research

I reversedObRegisterCallbacks and the structures it creates in order to research a solution to Anti-cheat kernel modules protecting game processes.  You can see the results here:


SKiDE is a script development tool targeted at Arma 3.  It has common IDE features such as syntax highlighting and auto completion, but it also has some Arma specific features like enumeration of script threads and script variables.  It will also, if connected to the game, show the value of variables in a script if the user hovers the mouse over the variable.  SKiDE is still early in development but is already complete enough to be a very strong tool for script development as it offers the user a real-time glimpse into the execution of their scripts.

Peacekeeper Drone

Peacekeeper is an application that acts as a radar for Real Virtuality games.  It reads memory from the target game, finds and parses data structures in the game’s memory, and presents it to the user in the form of a map.  It also allows a small degree of object manipulation, such as changing the user’s weapon properties.  For example, the user can increase the damage his weapon does, eliminate the weapon’s recoil, or make his handgun shoot missiles.

Source available at by logging in with the credentials included in the resume.

Continue reading

HiRez anti-cheat analysis part 1

I LOVE Tribes.  It’s one of my favorite series and Tribes Ascend is definitely my favorite game to play (Tribes 1 would be, but it’s not very populated these days).  Because I love Tribes, and because the fun of Tribes is the challenge, I don’t cheat on it.  I would find zero pleasure in playing Tribes with hacks, even something simple like ESP or a radar to see incoming cappers or cloaked infiltrators.  The fun of Tribes is in the challenge and feeling like you earned those caps and blue plates.

But, there’s a lot of hemming and hawing regarding HiRez’s apparently flawed anti-cheat system for Tribes and Smite.  Supposedly, it’s quick to hand out bans for false-positive detections and innocuous things like having Cheat Engine installed or using some injected…something in Skyrim (I don’t play Skyrim so I have no idea WTF you guys are talking about).  So I decided to take a look at HiRez’s anti-cheat system to see what’s going on.  I’ll be writing these as I go through it and will share my thoughts about what I see as I work toward reversing it. Continue reading

Spawning items in DayZ/Arma2OA

This is a copy of the article I wrote on UnknownCheats regarding manually spawning items and weapons through memory manipulation in Arma2OA.  I would add that Arma uses its own memory manager, tbb4malloc_bi.dll by default.  Arma also has a garbage collection system, so when an item’s references reaches 0 OR the game loads a new mission, the garbage collector frees the item.  If you use regular malloc to allocate the memory you use to spawn an item, you will crash when Arma tries to garbage collect that item, because the Arma memory manager is trying to free something it didn’t allocate.  To get around this, you can just  call Arma’s memory manager’s Alloc function that way it can free the alloc’d item.  I popped open tbb4malloc_bi.dll and found the address of the function (it’s in the export table) and made a function pointer to it in my version:

_MemAlloc = 0;
HMODULE hMalloc =  GetModuleHandle(“tbb4malloc_bi.dll”);
_MemAlloc = (MemAlloc)((char *)hMalloc + 0x7A90);
if(*(DWORD *)_MemAlloc != 0x56ec8b55)
_MemAlloc = 0;

I then made a memory allocation function that calls the right version (_MemAlloc or malloc) depending on what’s available

void *allocateMem(SIZE_T size)
return _MemAlloc(size);
return malloc(size);

You can’t use a single pointer and set it to either _MemAlloc or malloc because they have different calling conventions, so this was my solution.  Maybe not especially elegant, but it works, and my users that use different memory managers can still use the hack.  I could find all the allocation functions for each possible memory manager (Arma offers quite a few) but…it’s not that big a priorty really.

Anyway, here is the original article:

Continue reading