How to find DVAR offsets and Write them in C++ (Internal)

[Martin4435]

First start IDA and load the iw5mp.exe





Press SHIFT & F12 to Generate a Stringlist



Press STRG & F and search for your dvar , I choose cg_fov



Click on DATA XREF : sub_



Press F5 to activate Pseudocode





dword_B0A7A8 is the pointeroffset

Code:

Teknomw3 Pointer Offsets
|
dword_B1C9D4 = sub_4A5CF0((int)"cg_gun_x", 0.0, -3.4028235e38, 3.4028235e38, 4);
dword_B1C9B0 = sub_4A5CF0((int)"cg_gun_y", 0.0, -3.4028235e38, 3.4028235e38, 4);
dword_B1C9C0 = sub_4A5CF0((int)"cg_gun_z", 0.0, -3.4028235e38, 3.4028235e38, 4);
dword_8FAB60 = sub_4A3300("cg_drawGun", 1, 4);
dword_B0A7DC = sub_50C760("cg_cursorHints", 4, 0, 4, 1);
dword_8FAA90 = sub_4A3300("cg_weaponHintsCoD1Style", 1, 64);
dword_B0A7BC = sub_50C760("cg_hintFadeTime", 100, 0, 2147483647, 1);
dword_B0A7A8 = sub_4A5CF0((int)"cg_fov", 65.0, 65.0, 80.0, 68);
dword_B04638 = sub_4A5CF0((int)"cg_fovScale", 1.0, 0.2, 2.0, 4);
dword_8FAA58 = sub_4A5CF0((int)"cg_fovMin", 1.0, 1.0, 160.0, 4);
dword_8FAB28 = sub_4A5CF0((int)"cg_viewVehicleInfluence", 1.0, 0.0, 1.0, 68);
dword_8FAB3C = sub_4A3300("cg_draw2D", 1, 4);
dword_8FAA88 = sub_4A3300("cg_drawHealth", 0, 4);
dword_8FAA5C = sub_4A3300("cg_drawBreathHint", 1, 1);
dword_B04748 = sub_4A3300("cg_drawMantleHint", 1, 1);
dword_8FAB70 = sub_4A3300("cg_drawStatsSource", 0, 1);
dword_8FAA74 = sub_4D9310("cg_drawFPS", &off_8AE300, 0, 0);
dword_8F87B8 = sub_4A3300("cg_drawViewpos", 0, 1);
dword_8FAAA0 = sub_4A3300("cg_drawEffectNum", 0, 4);
dword_B04770 = sub_4A3300("cg_drawFPSLabels", 1, 1);
dword_B04710 = sub_4D9310("snd_drawInfo", off_8AE2EC, 0, 0);
dword_B04688 = sub_4A3300("cg_drawScriptUsage", 0, 0);
dword_B04704 = sub_4D9310("cg_drawMaterial", &off_8AE324, 0, 4);
dword_8FAAF4 = sub_4A3300("cg_drawSnapshot", 0, 1);
dword_8FAA9C = sub_4A3300("cg_drawCrosshair", 1, 4);
dword_8FAAE8 = sub_4A3300("cg_drawTurretCrosshair", 1, 1);
dword_B046A4 = sub_4A3300("cg_drawCrosshairNames", 1, 4);
dword_8FAB94 = sub_50C760("cg_drawCrosshairNamesPosX", 300, 0, 640, 0);
dword_B04760 = sub_50C760("cg_drawCrosshairNamesPosY", 180, 0, 480, 0);
dword_B0475C = sub_4A3300("cg_drawDamageFlash", 0, 4);
dword_8FF0F4 = sub_4A3300("cg_drawDamageDirection", 1, 4);
dword_18A06A4 = sub_4A3300("fx_enable", 1, 4);
dword_18A0720 = sub_4A3300("fx_draw", 1, 4);
dword_18A06E4 = sub_4A3300("fx_draw_spotLight", 1, 4);
dword_18A06C8 = sub_4A3300("fx_draw_omniLight", 1, 4);
dword_18A072C = sub_4A3300("fx_cull_elem_spawn", 1, 0);
dword_18A06DC = sub_4A3300("fx_cull_elem_draw", 1, 0);
dword_18A0710 = sub_4A3300("fx_marks", 1, 1);
dword_18A069C = sub_4A3300("fx_marks_smodels", 1, 1);
dword_18A0730 = -6.8056469e38;
dword_18A06F0 = sub_4A3300("fx_freeze", 0, 4);
dword_18A06F4 = sub_4A5CF0((int)"fx_debugBolt", 0.0, 0.0, 1000.0, 4);
dword_18A06F8 = sub_4A3300("fx_count", 0, 4);
dword_18A0700 = sub_4A5CF0((int)"fx_visMinTraceDist", 80.0, 0.0, 1000.0, 4);
dword_18A06CC = sub_4D9310("fx_profileSort", off_8B042C, 0, 4);
dword_18A0728 = sub_50C760("fx_profileSkip", 0, 0, 1000, 4);
dword_18A06BC = sub_4157E0("fx_profileFilter", &byte_7E0A2B, 4);
dword_18A0724 = sub_50C760("fx_profile", 0, 0, 1, 4);
dword_18A0698 = sub_50C760("fx_mark_profile", 0, 0, 1, 4);
dword_18A0704 = sub_4A3300("fx_drawClouds", 1, 4);
dword_18A0718 = sub_4A3300("fx_deferelem", 1, 4);
dword_18A0734 = sub_4A3300("fx_draw_simd", 1, 4);
dword_18A0738 = sub_4A3300("fx_killEffectOnRewind", 0, 4);
dword_18A06B4 = sub_50C760("fx_alphaThreshold", 0, 0, 256, 68);
dword_5F96C1C = sub_50C760("r_imageQuality", 1, 0, 4, 3);
dword_5F96B34 = sub_4A3300("r_detail", 1, 0);
dword_5F96BBC = sub_4A3300("r_normal", 1, 0);
dword_5F969BC = sub_4A3300("r_specular", 1, 1);
dword_5F96B38 = sub_4D9310("r_lightMap", off_8B77A4, 1, 4);
dword_5F96BE8 = sub_4D9310("r_colorMap", off_8B77A4, 1, 4);
dword_5F969C4 = sub_4D9310("r_detailMap", off_8B77B8, 1, 4);
dword_5F96C4C = sub_4D9310("r_normalMap", off_8B77C4, 1, 4);
dword_5F96B18 = sub_4D9310("r_specularMap", off_8B77A4, 1, 4);
dword_5F96A48 = sub_4A3300("r_drawSun", 1, 1);
dword_5F96C18 = sub_4A3300("r_drawDecals", 1, 4);
dword_5F96B14 = sub_50C760("r_dlightLimit", 4, 0, 4, 64);
dword_5F96AD4 = sub_4A3300("r_spotLightShadows", 1, 4);
dword_5F96BA0 = sub_4A3300("r_spotLightEntityShadows", 1, 4);
dword_5F96BDC = sub_4A3300("r_drawWater", 1, 1);
dword_5F96B30 = sub_4A3300("r_lockPvs", 0, 4);
dword_5F96BD4 = sub_4A3300("r_skipPvs", 0, 4);
dword_1060198 = sub_50C760("cl_maxpackets", 30, 15, 100, 0);
dword_1060190 = sub_50C760("cl_packetdup", 2, 0, 5, 1);
dword_8DAF48 = sub_4A5CF0((int)"bg_weaponBobAmplitudeBase", 0.16, 0.0, 1.0, 0);
dword_8DD834 = sub_48AFE0((int)"bg_weaponBobAmplitudeSprinting", 0.02, 0.014, 0.0, 1.0, 140);
dword_8DD8FC = sub_48AFE0((int)"bg_weaponBobAmplitudeStanding", 0.055, 0.025, 0.0, 1.0, 204);
dword_8DAF30 = sub_48AFE0((int)"bg_weaponBobAmplitudeDucked", 0.045000002, 0.025, 0.0, 1.0, 140);
dword_8DB0C8 = sub_48AFE0((int)"bg_weaponBobAmplitudeProne", 0.02, 0.0049999999, 0.0, 1.0, 140);
dword_8DD8A8 = sub_4A5CF0((int)"bg_weaponBobAmplitudeRoll", 1.5, 0.0, 90.0, 140);
dword_8DAF5C = sub_4A5CF0((int)"bg_weaponBobMax", 8.0, 0.0, 36.0, 140);
dword_8DD908 = sub_4A5CF0((int)"bg_weaponBobLag", 0.25, -1.0, 1.0, 140);
dword_1CE77A4 = sub_50C760("com_maxfps", 85, 0, 100, 0);

C++ Code

Code:

template <class Value>
void WritePointer(DWORD pointer, DWORD pointerofs, Value value)
{

	DWORD dwPointer = *(DWORD*)pointer;
	*(Value*)(dwPointer + pointerofs) = value;
	
}

Example

Code:

#include <Windows.h>
#include <iostream>
using namespace std;




template <class Value>
void WritePointer(DWORD pointer, DWORD pointerofs, Value value)
{

	DWORD dwPointer = *(DWORD*)pointer;
	*(Value*)(dwPointer + pointerofs) = value;

}

void Writing()
{
	//GUN X
	WritePointer<float>(0xB1C9D4, 0xC, 0);
	// GUN Y
	WritePointer<float>(0xB1C9B0, 0xC, 12.f);
	// GUN Z
	WritePointer<float>(0xB1C9C0, 0xC, 0);

	//FOV
	WritePointer<float>(0xB0A7A8, 0xC, 120.f);

	//Draw Gun
	WritePointer<int>(0x8FAB60, 0xC, 1);

}

BOOL APIENTRY DllMain(HMODULE hdll, DWORD  reason, LPVOID lpReserved) {
	if (reason == DLL_PROCESS_ATTACH) {

		Writing();


	}
	return TRUE;
}

[COD3RIN]

Nice tutorial...��

[shryder]

Peeeeeeerfect , Just perfect .. its a so good tutorial for beginners , i honestly understand so much stuff from it thank you so much!

[Smoke]

This is an interesting tutorial.

Nice job man!

[Clxrk]

Very good tutorial for!

[Poddzhh]

If i press F5 the code start with "off_" why?

[Silent]

If i press F5 the code start with "off_" why?

That doesn't make sence.

[Poddzhh]

How I can find the ClientInfo ?

[flexarrr]

When i press p5, the pseudo code looks nothing like yours. What am i doing wrong?


This is my pseudo output -> gyazo . com / 117c3ac563093e3236b10346eb23bdbd

[flexarrr]

That doesn't make sence.

why does my pseudocode look nothing like OP's?
Am i doing something wrong

[Silent]

why does my pseudocode look nothing like OP's?
Am i doing something wrong

You dump the process?

[flexarrr]

You dump the process?

Yeah, i dumped iw5mp.exe with x32dbg

[s842891905]

what's going on?? i've got this and i cannot activate pseudocode then
help!!!!!!!!!!!

[flexarrr]

Yeah same, can't do the pseudocode thing