Anubiset (11-17-2011)
Hey, I am interested in the spread/recoil hacks and was able to successfully alter the stats for the AR, the shotgun, even the SMG, but the pistol, no matter what I do, will not work after compiling in Visual Studio 2008 Express. Even if I don't change anything at all, when I open the cube project and build+compile it, the pistol, shotgun and SMG don't work. VS 2008 creates an ac_client.lik file that links something, but I'm not sure exactly what it's supposed to do or if it has anything to do with my predicament.
AC source code tells us:
We want getclient, but that has nothing easy to search for...
Code:
playerent *getclient(int cn) // ensure valid entity
{
    return players.inrange(cn) ? players[cn] : NULL;
}

void initclient()
{
    clientmap[0] = 0;
    newname("unarmed");
    changeteam(rnd(2), false);
}
Let's take initclient, which has "unarmed"!
Rough estimation of what we will encounter:
1. the string "unarmed" will be somewhere near the top of the function
2. near the bottom we should find something to do with teams.
RVSF and CLA are the team names in AC, so we'll encounter one of those probably.
The first "unarmed" I encountered with Olly contained stuff with 'your current name is', so it's not the one we want.
But the second unarmed I find is a whole lot more interesting!
It contains both unarmed and team related stuff
Now if you scroll up a bit from there, you'll see this function:
Now compare that to this:
Code:
004205C0 /$ 85C0           TEST EAX,EAX
004205C2 |. 7C 12          JL SHORT ac_clien.004205D6
004205C4 |. 3B05 983C4D00  CMP EAX,DWORD PTR DS:[4D3C98]
004205CA |. 7D 0A          JGE SHORT ac_clien.004205D6
004205CC |. 8B0D 903C4D00  MOV ECX,DWORD PTR DS:[4D3C90]
004205D2 |. 8B0481         MOV EAX,DWORD PTR DS:[ECX+EAX*4]
004205D5 |. C3             RETN
004205D6 |> 33C0           XOR EAX,EAX
004205D8 \. C3             RETN
Did we just find ourselves the function???
Code:
playerent *getclient(int cn) // ensure valid entity
{
    return players.inrange(cn) ? players[cn] : NULL;
}
YES!
First off, EAX is tested against itself, and it's followed by JL (jump if lower); that's probably because there are no players for negative indexes.
Next it's compared to the value at DWORD pointer 0x4D3C98, and then tested with JGE (jump if greater/equal).
That is because there are no players after playercount-1, so if the index specified is equal to the playercount or bigger, we return 0.
Now 0x4D3C90 is moved into ECX; that's the base address for the player list.
Now take a look at this:
What do you think that does?
Code:
MOV EAX,DWORD PTR DS:[ECX+EAX*4]
If you didn't think 'oh, they add the index we specified * 4 because a pointer is 4 bytes on my 32-bit OS to the base address we just saw', then you're either a retard or you suck at assembly.
Anyway, it's exactly what I just wrote above. They take the base pointer 0x4D3C90, add 4*index to it to get the pointer of the player we want.
Now finally some C++ code:
Feel free to add this to the AssaultCube tutorials posted by Hell_Demon (kinda weird to talk about yourself in third person o__O)
Code:
int playercount = *(DWORD*)0x004D3C98;  // the count the CMP reads from [4D3C98]
DWORD pTable = *(DWORD*)0x004D3C90;     // base of the pointer table from [4D3C90]
for(int i = 0; i < playercount; i++)    // index < playercount is valid, as the JGE shows
{
    playerent *pPlayer = *(playerent**)(pTable+(0x4*i)); // slot i holds a 4-byte pointer
    if(!pPlayer) continue;              // empty slots are NULL, just like getclient() returns
    pPlayer->health = 0;
}
edit: the *** is t-c-l, no idea why they block it...
renderhud.cpp
The very first line is interesting.
Code:
void gl_drawhud(int w, int h, int curfps, int nquads, int curvert, bool underwater)
{
    playerent *p = camera1->type<ENT_CAMERA ? (playerent *)camera1 : player1;
    ...more code here...
    if(lastmillis < damageblendmillis)
    {
        static Texture *damagetex = NULL;
        if(!damagetex) damagetex = textureload("packages/misc/damage.png", 3);
ENT_CAMERA is defined as 2.
Code:
playerent *p = camera1->type<ENT_CAMERA ? (playerent *)camera1 : player1;
bool spectating = player1->isspectating();
Now the last line I pasted above:
We have ourselves a string.
Code:
if(!damagetex) damagetex = textureload("packages/misc/damage.png", 3);
Well, what do you know, it's the first result you find with Olly.
So, which of these is the camera1, and which is player1 (which we are interested in)?
Code:
00408F70 /$ 55             PUSH EBP
00408F71 |. 8BEC           MOV EBP,ESP
00408F73 |. 83E4 C0        AND ESP,FFFFFFC0
00408F76 |. 81EC 34010000  SUB ESP,134
00408F7C |. A1 50E84C00    MOV EAX,DWORD PTR DS:[4CE850]
00408F81 |. 8078 6B 02     CMP BYTE PTR DS:[EAX+6B],2
00408F85 |. 8B0D 203C4D00  MOV ECX,DWORD PTR DS:[4D3C20]
00408F8B |. 53             PUSH EBX
00408F8C |. 56             PUSH ESI
00408F8D |. 57             PUSH EDI
00408F8E |. 894424 34      MOV DWORD PTR SS:[ESP+34],EAX
00408F92 |. 72 04          JB SHORT ac_clien.00408F98
00408F94 |. 894C24 34      MOV DWORD PTR SS:[ESP+34],ECX
00408F98 |> 8A41 6A        MOV AL,BYTE PTR DS:[ECX+6A]
00408F9B |. 3C 05          CMP AL,5
There are multiple ways to find out.
First method:
Looking at the C++ code, if it was checked to be below ENT_CAMERA, it would become camera1.
Code:
00408F7C |. A1 50E84C00    MOV EAX,DWORD PTR DS:[4CE850]
00408F81 |. 8078 6B 02     CMP BYTE PTR DS:[EAX+6B],2     ; <- compare to 2
00408F85 |. 8B0D 203C4D00  MOV ECX,DWORD PTR DS:[4D3C20]
..more..
00408F8E |. 894424 34      MOV DWORD PTR SS:[ESP+34],EAX
00408F92 |. 72 04          JB SHORT ac_clien.00408F98    ; <- below 2? jump
00408F94 |. 894C24 34      MOV DWORD PTR SS:[ESP+34],ECX
So, in assembly, if JB is taken, it was the camera, thus EAX is camera1 and ECX is player1.
So our C++ code to get player1 is:
Code:
playerent *pPlayer1 = *(playerent**)0x004D3C20; // 0x4D3C20 holds the player1 pointer (see MOV ECX,[4D3C20]), so dereference it
The other way to see which is the camera1 and which is player1 is the following:
Code:
00408F98 |> 8A41 6A        MOV AL,BYTE PTR DS:[ECX+6A]
00408F9B |. 3C 05          CMP AL,5
Equivalent C++ code:
Code:
player1->isspectating();
isspectating checks if the player's state is equal to CS_SPECTATE, which is 5.
So now we have our player1 pointer.
All that is left is to get ourselves the function that checks if there is a wall between position 1 and 2, and we can make ourselves a fully functional aimbot.
I'll post up the visibility check function when I find it.
This one was slightly harder to find.
I know bots made use of CBot::IsVisible, but none of those contained strings.
So I went to look for TraceLine itself; after finding it, I chose to do "Find all references".
One of the references was in BotManager. It uses player1, so it would give us a way to confirm we have the right function once we find it in Olly.
Code:
TraceLine(player1->o, dest, player1, true, &tr);
So I double clicked it, and WHAT THE FUCK!! YAY! IT'S A COMMAND! =D
telebot!
Knowing from past usage of COMMAND, it's a define that takes two arguments: the first one is the name of the command and at the same time the name of the function it's calling; the second argument is the number of arguments it has.
The define calls a function with 3 arguments, the first one being the text string, the 2nd being the pointer to the function, and the third being the paramcount.
COMMAND(telebot, ARG_NONE);
"telebot" is what we will search for with olly!
It was quite easy to find, since it's the only telebot command.
ARG_NONE is 4 (push 4, last param).
Code:
00491BE0  . 6A 04          PUSH 4
00491BE2  . 68 90524700    PUSH ac_clien.00475290
00491BE7  . 68 0CDF4900    PUSH ac_clien.0049DF0C          ; ASCII "telebot"
00491BEC  . E8 8FDEFBFF    CALL ac_clien.0044FA80
00491BF1  . 83C4 0C        ADD ESP,0C
00491BF4  . A2 A0084E00    MOV BYTE PTR DS:[4E08A0],AL
00491BF9  . C3             RETN
PUSH ac_clien.00475290 is the pointer to the telebot function.
Control+G in Olly and go to 00475290.
Code:
TraceLine(player1->o, dest, player1, true, &tr);
if (!tr.collided)
!tr.collided = !true = false = 0
Code:
...lots of arguments...
00475368 |. E8 A365FFFF    CALL ac_clien.0046B910          ; \ac_clien.0046B910
0047536D |. 83C4 24        ADD ESP,24
00475370 |. 807C24 3C 00   CMP BYTE PTR SS:[ESP+3C],0      ;<-- compared to 0 ;)
00475375 |. 0F85 96000000  JNZ ac_clien.00475411
So 0x0046B910 is TraceLine!
Usage:
Code:
void (*TraceLine)(vec from, vec to, dynent *pTracer, bool CheckPlayers, traceresult_s *tr, bool SkipTags)
    = (void (__cdecl *)(vec, vec, dynent *, bool, traceresult_s *, bool))0x0046B910;

bool IsVisible(vec v1, vec v2, dynent *tracer, bool SkipTags)
{
    traceresult_s tr;
    TraceLine(v1, v2, tracer, (tracer != NULL), &tr, SkipTags);
    return !tr.collided;
}
Now you have everything to make a fully functional aimbot.
Code:
bool bEnemyVisible = IsVisible(player1->o, players[i]->o, NULL, false);
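As an added example (my own, not code from the thread or from AssaultCube): a plain C model of the bounds check that the getclient disassembly above implements, run over a constructed player table, so the two rejected cases (negative index via JL, index >= count via JGE) and the empty-slot case can be checked without touching game memory. The playerent struct, the table, the count and the health values are stand-ins I constructed; the addresses 0x4D3C90/0x4D3C98 are not used.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the game's playerent; only health is modelled. */
typedef struct { int health; } playerent;

/* Constructed table: three slots, the last one empty, mirroring the fact that
 * players.inrange(cn) only checks the index and the slot itself may be NULL. */
static playerent slots[3] = { {100}, {50}, {0} };
static playerent *players[3] = { &slots[0], &slots[1], NULL };
static int playercount = 3;   /* plays the role of the value at [4D3C98] */

/* TEST EAX,EAX / JL    -> negative index rejected (signed compare)
 * CMP EAX,[count] / JGE -> index >= count rejected
 * MOV EAX,[ECX+EAX*4]  -> load the 4-byte pointer stored at slot cn */
playerent *getclient(int cn)
{
    if (cn < 0) return NULL;
    if (cn >= playercount) return NULL;
    return players[cn];
}

/* Walk the table the way the loop in the post should: by index i, loading the
 * pointer in each slot and skipping empty slots before touching the entity. */
int count_live_players(void)
{
    int n = 0;
    for (int i = 0; i < playercount; i++) {
        playerent *p = getclient(i);
        if (p && p->health > 0) n++;
    }
    return n;
}

int main(void)
{
    printf("getclient(-1) -> %p\n", (void *)getclient(-1));   /* NULL */
    printf("getclient(3)  -> %p\n", (void *)getclient(3));    /* NULL, count is 3 */
    printf("getclient(2)  -> %p\n", (void *)getclient(2));    /* NULL, empty slot */
    printf("live players  -> %d\n", count_live_players());    /* 2 */
    return 0;
}
```

The point of the empty-slot check is that the disassembled getclient returns whatever the slot holds, so a caller that walks the table by index still has to test the pointer for NULL before dereferencing it.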
noshuman (08-08-2013)
Had some problems with TraceLine (for some reason it teleports enemies to me).
So here's the aimbot release; it currently checks if the enemy and yourself are alive and on different teams if it's a team game.
Aims for the closest enemy(through walls) and is bound to right mouse button.
Hell_Demon (05-28-2010)
Interesting, I'd love to rape their anticheat. I'll redo some of the tutorials once it's released (and if I can find the time).
Ah we-a blaze the fyah, make it bun dem!
mwb1234 (05-28-2010)
Learn to code before trying to copy stuff...