1. Originally kept this for myself but since I'm bored and stuck in the toilet ( Blame spicy food ), I decided to do this.

MW3 Packet Checksums.

Why? Because you don't necessarily need MW3 open to forge packets.

Code:
struct Packet{
int magic; // -1
char data[];
unsigned short checksum;
}
Packets undergo the following process before they're sent:

- The packet gets a 32 bit header ( All 1's )
- The 16 bit CRC is added from the below function ( byte swapped )
- The final packet is GZip compressed ( With OOB packets; Huffman is used if it's a game packet )

Code:
unsigned short NET_CalcChecksum( char* src, size_t length )
{
    unsigned long checksum = 0;
    unsigned long partA = 0, partB = 0, partC = 0;
    size_t len_a = 0;
    auto* s = src;

    // Number of whole 4-byte groups; ( ( length - 4 ) >> 2 ) + 1 == length / 4 for length >= 4
    size_t groups = ( ( length - 4 ) >> 2 ) + 1;

    // Sum the two big-endian 16-bit words of each group into separate accumulators
    for( size_t i = 0; i < groups; i ++ )
    {
        partA += ( s[ 1 ] & 0xff ) | ( ( s[ 0 ] << 8 ) & 0xff00 );
        partB += ( s[ 3 ] & 0xff ) | ( ( s[ 2 ] << 8 ) & 0xff00 );
        s += 4;
    }

    // Bytes left after the last whole group ( length % 4 ); s now points at them
    len_a = length - 4 * groups;

    for( size_t i = 0; i + 1 < len_a; i += 2 )
        partC += ( s[ i + 1 ] & 0xff ) | ( ( s[ i ] << 8 ) & 0xff00 );
    // The posted loop did not terminate for an odd remainder; a lone trailing byte is ignored here

    checksum = partA + partB + partC + ( src[ 0 ] & 0xff );

    // Fold the carries back into 16 bits ( ones' complement style )
    while( checksum >> 16 )
        checksum = ( checksum & 0xffff ) + ( checksum >> 16 );

    return ( ~checksum ) & 0xffff;
}
The procedure is:

Code:
auto NET_SendPacket( char* src, size_t len )
{
    size_t outLen = 0;

    // 4-byte header + payload + 2-byte checksum, zero-initialised
    char* dst = ( char* ) calloc( len + 6, 1 );
    char* dst2 = nullptr; // allocated by GZip_Compress
    memcpy( &dst[ 4 ], src, len );

    // 32-bit header of all 1's
    *reinterpret_cast< int* >( dst ) = -1;
    auto m_crc = NET_CalcChecksum( dst, len + 4 );

    // 16-bit checksum appended high byte first ( byte swapped )
    dst[ len + 4 ] = m_crc >> 8;
    dst[ len + 5 ] = m_crc & 0xff;

    // GZip_Compress allocates the output buffer into dst2 ( hence the second free )
    GZip_Compress( dst, &dst2, len + 6, &outLen );

    auto result = sendto( router->sock, dst2, outLen, 0, reinterpret_cast< sockaddr* >( & netChan->remoteAddr ), sizeof( netChan->remoteAddr ) );
    free( dst );
    free( dst2 );

    // sendto reports the number of compressed bytes written
    return ( size_t ) result == outLen;
}

2. ## The Following User Says Thank You to Hitokiri~ For This Useful Post:

[MPGH]JamesBond (08-11-2015)

3. Code:
partyminplayers: 0x132FD24
cg_fov: 0xB08738
g_compassShowEnemies: 0x1C293E4
dvarOffset: 0xC
Credits: AuT03x3C

4. Originally Posted by AuT03x3C
Code:
partyminplayers: 0x132FD24
cg_fov: 0xB08738
g_compassShowEnemies: 0x1C293E4
dvarOffset: 0xC
Credits: AuT03x3C
Why do dvars need credits?

5. ## The Following User Says Thank You to Hitokiri~ For This Useful Post:

[MPGH]JamesBond (08-11-2015)

6. fov: 059E4EC4
noclip: 01C2CA0C
health: 01A62FC4
ingame_name: 01C2C850
party_maxplayers: 05C6763C
party_minplayers: 059DA838
primary ammo: 01C29868
mapname: 00A01870
ClientCleanName: 005C39B0
Ingame: 008DBD84

Credits: eithan

7. ## The Following 2 Users Say Thank You to JamesBond For This Useful Post:

type9500 (12-28-2015),xDasEinhorn (08-16-2015)

8. Here are a few playerstate addresses I updated; these all require host and can be applied per client. To apply to any player just do: address + (client * 0x38EC); for the playermodel addresses do: address + (client * 0x274)

Code:
X Pos: 0x01C2945C
Y Pos: 0x01C29460
Z Pos: 0x01C29464
X Velocity: 0x01C29468
Y Velocity: 0x01C2946C
Z Velocity: 0x01C29470
Team: 0x01C2C810
No-Clip: 0x01C2CA0C
On-Host Red Boxes: 0x01C29450 Note: 16 for Red Boxes, 40 for Thermal, 24 for Thermal & Red Box
Speed Multiplier: 0x01C2C7FC
All Perks: 0x01C2992B Note: Write an array of 16 255s -> { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
Playermodel Head: 0x01A63044 Note: Can crash the match
Playermodel Body: 0x01A62F90
All perks gives you all regular perks + some hidden ones such as dive to prone, less recoil, sprint while crouched, extended mags, explosive bullets. The address may actually start a few places before but I never could be bothered testing that.

Credits:
LughMods for Speed and All Perks, I just converted them to PC
@NightmareTX for Playermodel, stolen from NinjaHack

9. Originally Posted by Hitokiri~

Why do dvars need credits?
Because there are many people who don't know how to find them.

10. Originally Posted by AuT03x3C
Because there are many people who don't know how to find them.
Like me

11. Originally Posted by Hitokiri~
Code:
auto NET_SendPacket( char* src, size_t len )
{
    size_t outLen = 0;

    // 4-byte header + payload + 2-byte checksum, zero-initialised
    char* dst = ( char* ) calloc( len + 6, 1 );
    char* dst2 = nullptr; // allocated by GZip_Compress
    memcpy( &dst[ 4 ], src, len );

    // 32-bit header of all 1's
    *reinterpret_cast< int* >( dst ) = -1;
    auto m_crc = NET_CalcChecksum( dst, len + 4 );

    // 16-bit checksum appended high byte first ( byte swapped )
    dst[ len + 4 ] = m_crc >> 8;
    dst[ len + 5 ] = m_crc & 0xff;

    // GZip_Compress allocates the output buffer into dst2 ( hence the second free )
    GZip_Compress( dst, &dst2, len + 6, &outLen );

    auto result = sendto( router->sock, dst2, outLen, 0, reinterpret_cast< sockaddr* >( & netChan->remoteAddr ), sizeof( netChan->remoteAddr ) );
    free( dst );
    free( dst2 );

    // sendto reports the number of compressed bytes written
    return ( size_t ) result == outLen;
}
Do you know why?
It can launch UB (undefined behavior).
The heap manager must deduce how to take ownership of the memory block.
So it will have to use separate structure to list all allocated blocks.
Call free() on addresses returned by malloc() functions

12. Originally Posted by Raydenman
Do you know why?
It can launch UB (undefined behavior).
The heap manager must deduce how to take ownership of the memory block.
So it will have to use separate structure to list all allocated blocks.
Call free() on addresses returned by malloc() functions
Hey puto, read the whole source and you'll see I freed the memory.
I'm not just some wanna-be coder. I actually know what I'm doing.

13. ## The Following User Says Thank You to Hitokiri~ For This Useful Post:

[MPGH]JamesBond (05-12-2016)

14. Originally Posted by Hitokiri~

Hey puto, read the whole source and you'll see I freed the memory.
I'm not just some wanna-be coder. I actually know what I'm doing.
Free two times is WRONG.
Originally Posted by Raydenman
It can launch UB (undefined behavior).

15. Originally Posted by Raydenman
Free two times is WRONG.
Free two times you're a fucking retard.

Code:
size_t outLen = 0;

// 4-byte header + payload + 2-byte checksum, zero-initialised
char* dst = ( char* ) calloc( len + 6, 1 );
char* dst2 = nullptr; // allocated by GZip_Compress
memcpy( &dst[ 4 ], src, len );

// 32-bit header of all 1's
*reinterpret_cast< int* >( dst ) = -1;
auto m_crc = NET_CalcChecksum( dst, len + 4 );

// 16-bit checksum appended high byte first ( byte swapped )
dst[ len + 4 ] = m_crc >> 8;
dst[ len + 5 ] = m_crc & 0xff;

// GZip_Compress allocates the output buffer into dst2 ( hence the second free )
GZip_Compress( dst, &dst2, len + 6, &outLen );

auto result = sendto( router->sock, dst2, outLen, 0, reinterpret_cast< sockaddr* >( & netChan->remoteAddr ), sizeof( netChan->remoteAddr ) );
free( dst );
free( dst2 );

// sendto reports the number of compressed bytes written
return ( size_t ) result == outLen;

16. ## The Following User Says Thank You to Hitokiri~ For This Useful Post:

[MPGH]JamesBond (05-12-2016)

17. Originally Posted by Hitokiri~

Free two times you're a fucking retard.

Code:
size_t outLen = 0;

// 4-byte header + payload + 2-byte checksum, zero-initialised
char* dst = ( char* ) calloc( len + 6, 1 );
char* dst2 = nullptr; // allocated by GZip_Compress
memcpy( &dst[ 4 ], src, len );

// 32-bit header of all 1's
*reinterpret_cast< int* >( dst ) = -1;
auto m_crc = NET_CalcChecksum( dst, len + 4 );

// 16-bit checksum appended high byte first ( byte swapped )
dst[ len + 4 ] = m_crc >> 8;
dst[ len + 5 ] = m_crc & 0xff;

// GZip_Compress allocates the output buffer into dst2 ( hence the second free )
GZip_Compress( dst, &dst2, len + 6, &outLen );

auto result = sendto( router->sock, dst2, outLen, 0, reinterpret_cast< sockaddr* >( & netChan->remoteAddr ), sizeof( netChan->remoteAddr ) );
free( dst );
free( dst2 );

// sendto reports the number of compressed bytes written
return ( size_t ) result == outLen;
Be careful with what you say, beast

mmm yes I didn't notice, you called two different pointers, so it's ok.
If it was free(dst) and free(dst) no.
I would add a check after making allocations through malloc, calloc to know if it was allocated.

GZip_Compress( dst, dst2, len + 6, &outLen );
?

18. Originally Posted by Raydenman
Be careful with what you say, beast

mmm yes I didn't notice, you called two different pointers, so it's ok.
If it was free(dst) and free(dst) no.
I would add a check after making allocations through malloc, calloc to know if it was allocated.

GZip_Compress( dst, dst2, len + 6, &outLen );
?
GZip ( my implementation ) allocates a pointer itself ( hence the second free )
Either way, it was meant as an example and not to be taken in literal terms.
I don't provide C&P content. It's the theory that matters. Needless to say my code worked flawlessly.

19. Force host: 0x132FD24 offset: 0xC

Name change: "iw5mp.exe"+0x58EC500 offset: 0x156

My index in lobby (to determine which player you are without checking names) : 0x8FD0F0

Lobby size: 0x1329314 | 0x5C6763C

Main weapon change (p1) : 0x1C296BC | 0x1C297E4 | 0x1C29864
Secondary weapon change (p1): 0x1C296B4 | 0x1C2984C | 0x1C297D4

Akimbo main (p1): 0x1C29709

UVA (p1) : 0x1C2C8BC

Rename player in match(p1): 0x1C3013C

20. can you find com_maxfps ? would be really nice

Page 19 of 22