Thread: Call of Duty NoRecoil with Ollydbg

This is just a simple tut to get NoRecoil for CoD2.

We want to first find the function "CG_FireWeapon" in the Quake3SDK(Software Devoupment Kit)

This is the function

/*

================

CG_FireWeapon



Caused by an EV_FIRE_WEAPON event

================

*/

void CG_FireWeapon( centity_t *cent ) {

    entityState_t *ent;

    int                c;

    weaponInfo_t    *weap;



    ent = &cent->currentState;

    if ( ent->weapon == WP_NONE ) {

        return;

    }

    if ( ent->weapon >= WP_NUM_WEAPONS ) {

        CG_Error( "CG_FireWeapon: ent->weapon >= WP_NUM_WEAPONS" );

        return;

    }

    weap = &cg_weapons[ ent->weapon ];



    // mark the entity as muzzle flashing, so when it is added it will

    // append the flash to the weapon model

    cent->muzzleFlashTime = cg.time;



    // lightning gun only does this this on initial press

    if ( ent->weapon == WP_LIGHTNING ) {

        if ( cent->pe.lightningFiring ) {

            return;

        }

    }



    // play quad sound if needed

    if ( cent->currentState.powerups & ( 1 << PW_QUAD ) ) {

        trap_S_StartSound (NULL, cent->currentState.number, CHAN_ITEM, 



cgs.media.quadSound );

    }



    // play a sound

    for ( c = 0 ; c < 4 ; c++ ) {

        if ( !weap->flashSound[c] ) {

            break;

        }

    }

    if ( c > 0 ) {

        c = rand() % c;

        if ( weap->flashSound[c] )

        {

            trap_S_StartSound( NULL, ent->number, CHAN_WEAPON, 



weap->flashSound[ c ] );

        }

    }



    // do brass ejection

    if ( weap->ejectBrassFunc && cg_brassTime.integer > 0 ) {

        weap->ejectBrassFunc( cent );

    }

}

So now we must open CoD2MP_S.exe in olydbg.

Your screen should now look like this

Now we must find CG_FireWeapon in olly.

If you looked at the function you may have noticed there is a text string in there, that will help us save lots of valuable time.

The text string is
"CG_FireWeapon: ent->weapon >= WP_NUM_WEAPONS"

Now that we have a string, so now we can go search for it in olly.

Now your in olly, right click then go to
Search for->All referenced text strings

Notice as it brings up a new box, let it load it is collecting all the strings it finds.

Now you have a new box, there are many text strings, scroll all the way to the top and rightclick, you want to type in the text string we have found.

"CG_FireWeapon: ent->weapon >= WP_NUM_WEAPONS"

Click OK.
Notice Nothing was found, now we have to take into fact CoD2 is a "Highly Modified" quake3.

So lets make this search a little more basic.
Lets just search "CG_FireWeapon"
It seems Olly has found something containing "CG_FireWeapon". Lets do another check to see if there are more, sadly there are not anymore.

So now were stuck looking at a text string containing "CG_FireWeapon"
Which should look like this

Now we can double click that line, it will bring us to where it is located.

Here

Now that is the beginning of CG_FireWeapon(004D70B0), so through all reality you can just get the beginning of the function and detour it to nuthing. But doing that you would Skip all the goodies of CG_FireWeapon, such as your gun sounds so you would have a "silent" weapon, and in most cases would crash the game.

But i want to hear my mp44's roar, when your looking in olly you can see the whole function, function is which in the bracket on the left hand side.

So we are looking for a "CALL", so i just did Trail and Error until i found the correct CALL.

(Which happened to be the second one)

004D7131 |. E8 2AE70100 CALL CoD2MP_s.004F5860

So all we just do now is a simple detour.

//Declare NoRecoil

void (*pNOrecoil)();

void myNOrecoil()

{

//Nuthing in because we don't want anything to happen

}

Then just place this in DllMain

pNOrecoil = (void (__cdecl *)(void))
DetourFunction((PBYTE)0x04F5860,(PBYTE)myNOrecoil) ;

by Zero