/BF1MultiplayerChatCopyPaster

A simple BF1 hack that allows user to copy paste clipboard text in the Multiplayer Chat Box.

Primary LanguageC++MIT LicenseMIT

BF1MultiplayerChatCopyPaster

Nothing much just a toy project. Since Battlefield1 doesn't let you copy paste into the chat box so wanted to try to write a bypass for that (BTW, yes this is tested only on the Steam version, but I believe it would be pretty much same for Origins version except some offset values). It just uses Detours to hook to a specific location of the game in order to modify some certain values to ensure that the text currently clipboard container is containing gets written to the Chat box.

How BF1 handles it's chat message insert?

So far after wasting 6-8 hours I think the game checks for keyboard key state again and again in a loop proably uses GetKeyState WinAPI, a function checks if the specified key is pressed, as of writing the offset to that function is bf1.exe+0xC46610, this checks if the key is pressed then calls bf1.fb::TwinkleOverlayManager::isVisible+0x38E0 function, this checks if the chat overlay is visible and calls bf1.exe+0x650830, eventually after checking if the key which was pressed was a ASCII character the game allocates 2 buffer:

  1. [Not sure, we modify this anyways] To show the text nice and tiday it allocates the buffer with an extra space and stores the ASCII character. Probably from this buffer the Chat Overlay Renderer copies the characters to render the whole text. Address: bf1.exe+0x650B96
  2. Another buffer and there is also the ASCII character is stored, and some other code copies the character and copies the characters this buffer has to another buffer which is the whole Chat Text buffer, this whole Chat Text buffer is later used to send the text to the server. Address: bf1.exe+0x650BE2

We can just hook to an easy address to abuse the Key Press check, address bf1.exe+0x650BF2 was used in this case. While executing this address's code the RAX register still contains the Key Code(RAX >> 32) which was pressed, so simple check if Left Ctrl(0xA2) was pressed and then copy the text from the clipboard container using WinAPI GetClipboardData. During the execution of that address's code RDI + 0x60 is where the 1st buffer address is stored and RDI + 0x68 where this buffer address + 2 (2 for extra space) is stored the game subtracts RDI + 0x68 and RDI + 0x60 and checks the value if not equal to 0 in order to check if it needs to render new characters to the Chat Box Overlay. RDI + 0x40 is where the 2nd buffer address is stored and RDI + 0x48 where the buffer address + 1 is stored (why adding 1? The game subtracts this RDI + 0x48 value with the RDI + 0x40 value, I think this way the game checks if the whole Chat Text Buffer needs an update).

We get the clipboard text make two copies one with one extra space and then store to the respectable places RDI + 0x60 and RDI + 0x68, RDI + 0x40 and RDI + 0x48.