  1. #1
    Posted by HL-SDK

    Rebuilding CCBACharacter members

    Code:
    ; --------------------------------------------------------------------
    ; IDA listing (MASM syntax, 32-bit x86) excerpted from a member function
    ; of CCBACharacterFX; the function's entry and exit are not on this page,
    ; so this is a mid-body fragment, not a complete routine.
    ; Register roles as seen here:
    ;   esi = object whose fields are being dumped (the post's author takes
    ;         it for the 'this' of a __thiscall; not confirmed here)
    ;   eax = global object loaded from dword_377ED910 before every call
    ;   ecx = that object's vtable ([eax]); eax/edx = vtable entry at +18h
    ; Every call goes through the same vtable slot and is invoked as
    ;   slot18h(obj, "fmt", ...)   (obj is pushed last => first stack arg),
    ; with the caller cleaning the stack afterwards, so it looks like a
    ; printf-style varargs logger; what it actually writes to is not shown.
    ; Stack handling: cleanup is deferred and batched (add esp, 14h / 8 /
    ; 18h). Each fstp writes the loaded float into the frame slot that esp
    ; will point at after the following add esp, so the value becomes the
    ; vararg of the next call without an extra push. The store has no size
    ; qualifier; presumably an 8-byte double (what %f expects) -- confirm
    ; from the stack frame. IDA's [esp+NNh+var_48] forms all name the same
    ; frame slot; NNh is IDA's tracked esp delta at that instruction.
    ; --------------------------------------------------------------------
    mov     edx, [esi+3Ch]                  ; edx = [esi+3Ch]; 4th argument of the first call (its specifier is in the truncated format)
    mov     eax, dword_377ED910             ; eax = global object pointer (IDA auto-name for an unresolved global)
    mov     ecx, [eax]                      ; ecx = object's vtable pointer
    push    edx
    push    offset aTrue_1  ; "true "
    push    offset aCcbacharacterf ; "== CCBACharacterFX::UpdateAimAt(%s) hSe"...
    push    eax                             ; object pushed last => first stack argument
    mov     eax, [ecx+18h]                  ; vtable entry at +18h (slot 6 with 4-byte entries)
    call    eax                             ; slot6(obj, fmt, "true ", [esi+3Ch]); 16 bytes pushed, cleanup deferred
    mov     eax, dword_377ED910             ; reload object; eax was clobbered by the call
    mov     ecx, [eax]
    mov     edx, [ecx+18h]                  ; same vtable slot as above
    push    offset aTrue    ; "TRUE"
    push    offset aBhandleyawS ; "  bHandleYaw : %s"
    push    eax
    call    edx                             ; slot6(obj, "  bHandleYaw : %s", "TRUE"); 12 more bytes pushed, still not cleaned
    fld     dword ptr [esi+88h]             ; st0 = float at +88h (the next format labels it m_cs.fPitchAccel)
    mov     eax, dword_377ED910
    fstp    [esp+5Ch+var_48]                ; store to frame slot at esp+14h, i.e. where esp lands after the add below
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 14h                        ; pop 20 of the 28 bytes pushed so far; [esp] is now the stored value
    push    offset aM_cs_fpitchacc ; "  m_cs.fPitchAccel : %f"
    push    eax
    call    edx                             ; slot6(obj, fmt, <value at esp+8>)
    fld     dword ptr [esi+8Ch]             ; +8Ch -> m_cs.fYawAccel
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]                ; same frame slot, now at esp+8 (just above the two pending pushes)
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8                          ; pop the two pushes; the value slot stays at [esp] for reuse
    push    offset aM_cs_fyawaccel ; "  m_cs.fYawAccel   : %f"
    push    eax
    call    edx
    fld     dword ptr [esi+80h]             ; +80h -> m_cs.fPitchVel (same store/pop/push/call pattern as above)
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8
    push    offset aM_cs_fpitchvel ; "  m_cs.fPitchVel   : %f"
    push    eax
    call    edx
    fld     dword ptr [esi+84h]             ; +84h -> m_cs.fYawVel
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8
    push    offset aM_cs_fyawvelF ; "  m_cs.fYawVel     : %f"
    push    eax
    call    edx
    fld     dword ptr [esi+78h]             ; +78h -> m_cs.fPitch (lowest offset of the six m_cs floats)
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8
    push    offset aM_cs_fpitchF ; "  m_cs.fPitch      : %f"
    push    eax
    call    edx
    fld     dword ptr [esi+7Ch]             ; +7Ch -> m_cs.fYaw
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8
    push    offset aM_cs_fyawF ; "  m_cs.fYaw        : %f"
    push    eax
    call    edx
    fld     dword ptr [esi+5E8h]            ; +5E8h -> m_fAimPitchVel (a separate group of floats, far from m_cs)
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8
    push    offset aM_faimpitchvel ; "  m_fAimPitchVel   : %f"
    push    eax
    call    edx
    mov     eax, dword_377ED910
    mov     ecx, [eax]
    fld     dword ptr [esi+5ECh]            ; +5ECh -> m_fTwistYawVel
    mov     edx, [ecx+18h]
    add     esp, 8                          ; this stanza pops first, then stores...
    fstp    [esp+48h+var_48]                ; ...so the same slot is addressed as [esp+0] here
    push    offset aM_ftwistyawvel ; "  m_fTwistYawVel   : %f"
    push    eax
    call    edx
    fld     dword ptr [esi+5E0h]            ; +5E0h -> m_fPitch
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8
    push    offset aM_fpitchF ; "  m_fPitch         : %f"
    push    eax
    call    edx
    fld     dword ptr [esi+5E4h]            ; +5E4h -> m_fYaw
    mov     eax, dword_377ED910
    fstp    [esp+50h+var_48]
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    add     esp, 8
    push    offset aM_fyawF ; "  m_fYaw           : %f"
    push    eax
    call    edx
    mov     eax, dword_377ED910
    mov     ecx, [eax]
    mov     edx, [ecx+18h]
    push    offset asc_376E9E88 ; "======================================="...
    push    eax
    call    edx                             ; slot6(obj, "====..."); trailer line, no value argument
    add     esp, 18h                        ; 24 bytes: the two pushes + the 8-byte value slot + the 8 bytes left over from the first two calls (28 pushed, 20 popped)
    You see that
    mov eax, dword_377ED910
    mov ecx, [eax]
    mov edx, [ecx+18h]
    loads EDX with a pointer to a relatively interesting function.
    My guess is that it is a console output function. I haven't been able to debug the game yet. Assistance with that would be greatly appreciated.

    Anyway, for some more important stuff, esi should be a player pointer (not tested)

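    /*
     * Six floats in the order the listing above reads them from the object:
     * fPitch @ +78h, fYaw @ +7Ch, fPitchVel @ +80h, fYawVel @ +84h,
     * fPitchAccel @ +88h, fYawAccel @ +8Ch. The layout is inferred from that
     * disassembly and is untested; the member names come from the format
     * strings, not from any SDK header.
     */
    typedef struct playerangles_s
    {
        float fPitch;       /* +0x00 */
        float fYaw;         /* +0x04 */
        float fPitchVel;    /* +0x08 */
        float fYawVel;      /* +0x0C */
        float fPitchAccel;  /* +0x10 */
        float fYawAccel;    /* +0x14 */
    } playerangles_t;       /* the original post was missing this ';' */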


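    /*
     * Placeholder for the object the listing addresses through esi. The
     * author's "waste 0x78 bytes" remark matches the lowest m_cs offset
     * (+78h) in the listing, but no padding is declared here, so this
     * struct does NOT reproduce that layout as written -- treat it as a
     * sketch, not as an overlay type.
     */
    typedef struct player_s
    {
        /* Waste 0x78? bytes here -- the listing reads m_cs.fPitch at +78h */
        playerangles_t m_cs;
    } player_t;             /* the original post was missing this ';' */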

    /* Illustrative use only: GetOtherGuy() is not defined anywhere on this
     * page, and the two member accesses below are expression statements
     * with no effect. */
    player_t* otherguy = GetOtherGuy(); //Probably same for local player.
    otherguy->m_cs.fPitch;  /* would be the float the listing reads at +78h, if the padding were declared */
    otherguy->m_cs.fYaw;    /* +7Ch */

    In the function from which I obtained these addresses, ecx held a value that was stored in esi soon after, which leads me to believe this is a __thiscall function. There is a function argument passed; I do not know its purpose.

    Using RTTI, I found it is a member of CCBACharacterFX.


    More questionably useful information later.

    ---
    EDIT

    Oh, and I was pretty serious about the debugging ability. If I am able to sit in IDA and breakpoint functions, it makes everything MUCH easier. My "unpacked?" version of CShell still has some packed code in it, in particularly useful locations like member functions. Having this data would be incredibly useful as well. I give my thanks to MPGH and all of the helpful people here.
    Last edited by HL-SDK; 09-26-2010 at 04:27 PM.


  3. #2
    Posted by freedompeace
    HOLY SHOOT ! Something original from someone amazing.

    Too bad code tags are mutilated at 3 characters in mobile theme (and I cant get out of it)

  4. #3
    Posted by Stephen
    Wow, Someone who knows how to code O.O
    Last edited by Stephen; 09-26-2010 at 04:38 PM.

  5. #4
    Posted by IcySeal
    Quote Originally Posted by Stephen
    Wow, Someone who knows how to code O.O
    So rare these days ya know?

  6. #5
    Posted by CodeDemon
    Quote Originally Posted by Stephen
    Wow, Someone who knows how to code O.O
    QFT, Nice share! Welcome to the CA Source Code Section!

  7. #6
    Posted by Stephen
    Struct and names are wrong.

  8. #7
    Posted by freedompeace
    Quote Originally Posted by Stephen
    Struct and names are wrong.
    What are you talking about? S:

    You can name your structs however you want . . .

  9. #8
    Posted by HL-SDK
    Please pardon me if this double post is unnecessary. I'd say it is worth the extra info.

    [php]
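    /*
     * Partial overlay of CCBAPlayerStats as reverse-engineered by the author.
     * vtable_ptr, player_ammocount and player_info01 are not defined on this
     * page. The two pointer offsets (0x1C and 0x24) are the author's claims
     * and are untested.
     */
    struct CCBAPlayerStats
    {
        vtable_ptr vtable;          /* +0x00 */

        char padding0[0x18];        /* 0x1C (offset) - 0x04 (vtable) */

        player_ammocount* ammocount;    /* +0x1C; the original comment here was garbled ("/ay") */

        /* NOTE(review): 0x04 + 0x18 + sizeof(pointer) = 0x20, so 8 bytes of
         * padding put info_01 at 0x28, not the 0x24 the comment states;
         * either this length or the 0x24 offset is off by 4 -- confirm
         * against the binary before relying on it. */
        char padding1[0x08];        /* 0x24 (offset) - 0x1C (others) */

        player_info01* info_01;     /* the original comment here was garbled ("/ay") */
    };  /* members renamed from the duplicate 'padding' (illegal in C/C++) */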


    There are actually a huge number of vfuncs for this class. They are probably worth investigating.

    ---
    EDIT

    Stephen, if you have updated information on these classes and structures, please let me know. I'd kill for a MAC/linux binary or some debugging symbols.

  10. #9
    Posted by Stephen
    o.O .

    Code:
    ---
    EDIT
    
    Stephen, if you have updated information on these classes and structures, please let me know. I'd kill for a MAC/linux binary or some debugging symbols.
    I would too. Ima get my friend in here. see what he can do
    Last edited by Stephen; 09-26-2010 at 04:45 PM.

  11. #10
    Posted by mmbob
    Quote Originally Posted by freedompeace
    What are you talking about? S:

    You can name your structs however you want . . .
    There are names defined by the FEAR sdk for these classes.
    @OP Soooo.... yeah?

  12. #11
    Posted by freedompeace
    Quote Originally Posted by mmbob
    There are names defined by the FEAR sdk for these classes.
    @OP Soooo.... yeah?
    Yes, but as a programmer, you can name the structures to whatever name suits you

  13. #12
    Posted by Mr.Magicman
    Quote Originally Posted by freedompeace
    Yes, but as a programmer, you can name the structures to whatever name suits you
    You do have a point.

  14. #13
    Posted by HL-SDK
    If anyone is interested in helping, like I mentioned: an improved CShell unpacking and some debugging help would be greatly appreciated. I won't be able to / feel like going much further without debugging. Currently I am in the CCBAPlayerMgr class looking at the 'target manager'

    This would probably serve as the basis for a triggerbot, using a variable that changes when your crosshair is over another player.

    [php]pTargetMgr = *(DWORD *)(playerMgr_ + 28);[/php]
    There is a CPlayerMgr in addition to CCBAPlayerMgr. I can find much less about it due to a lack of cross references.
    Last edited by HL-SDK; 09-26-2010 at 05:28 PM.

  15. #14
    Posted by CodeDemon
    Quote Originally Posted by HL-SDK
    If anyone is interested in helping, like I mentioned: an improved CShell unpacking and some debugging help would be greatly appreciated. I won't be able to / feel like going much further without debugging. Currently I am in the CCBAPlayerMgr class looking at the 'target manager'

    This would probably serve as the basis for a triggerbot, using a variable that changes when your crosshair is over another player.

    [php]pTargetMgr = *(DWORD *)(playerMgr_ + 28);[/php]
    I'm guessing you used the CShell from my sticky? I'll see if I can get you one that is unpacked a bit better. But I am leaving at the moment unfortunately.

  16. #15
    Posted by HL-SDK
    I am using your 9-22 posted version, yes.

    A better one would definitely help, although I'm not sure what can be done to improve the unpacking.
    Last edited by HL-SDK; 09-26-2010 at 05:35 PM.

