I'm making a 'Counter Strike: Source' hack in C++. I thought it would be a good start since it doesn't use DMA (Dynamic Memory Allocation) as it holds all the memory in static addresses, which are easy to find since there is no DMA.
Anyway, I was wondering. How could I execute console commands? I heard something about PushToConsole() and SetConsoleVariable() being used for stuff like that.
You need to execute 'sv_cheats 1' to execute other commands on other people's servers, I wanted to get that as well as 'noclip' working. It doesn't have to be undetectable or anything, I just want it for LAN and stuff.
(You will see sv_cheats in my code. I was trying to edit the memory for it, obviously it didn't work because it's local memory, it won't affect the server :\. Was worth a try anyway).
Preview code: (I've added a lot more, just not sure if I should release it or not since it's VAC-Proof).
Thanks a lot.
Code:
```cpp
#include "stdafx.h"
#include <iostream>
#include <Windows.h>

using namespace std;

int main ()
{
    HWND hWnd = FindWindow(0, L"Counter-Strike Source"); // Finds the window titled "Counter-Strike Source".

    if (hWnd == 0) // If it can't find the window, then:
    {
        cout << "I could not locate the window, either you've opened this before you opened CS:S, or this program has a bug." << endl;
    }
    else
    {
        DWORD pr0c3zz;
        GetWindowThreadProcessId(hWnd, &pr0c3zz); // Locates the process through the window.
        HANDLE trollpr0c3zz = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pr0c3zz); // Gives access to process.

        if (!trollpr0c3zz) // If it can't access the process, then:
        {
            cout << "Could not locate CS:S process (hl2.exe)" << endl;
        }
        else
        {
            int sv_cheats = 1; // Activate cheat mode..
            int r_drawothermodels_on = 2, r_drawothermodels_off = 1; // Wallhack on/off.
            int r_DrawModelLightOrigin_on = 1, r_DrawModelLightOrigin_off = 0; // Light region on/off.
            int showdata_on = 2, showdata_off = 0; // Show network data on/off.

            int cheatsAddr = 0x0FD0E764; // Cheat mode.
            int wallhackAddr = 0x243AEC3C; // Wallhack.
            int gravityAddr = 0x0FCD81FC; // Light region.
            int ndataAddr = 0x243EBD8C; // Show network data/usage.

            bool LightRegion = false, Wallhack = false, NDATA = false;

            cout << "Welcome to Phizo's Counter Strike: Source hack: Version 1.0" << endl;
            cout << "The hotkeys toggle on and off incase you want to turn them off.\n" << endl;
            cout << "Open console: ~" << endl;
            cout << "Draw light region: F3" << endl;
            cout << "Enable wallhack: F6" << endl;
            cout << "Show network data/usage: Delete" << endl;

            while(1) // Loops so the memory keeps rewriting itself if it's changed.
            {
                WriteProcessMemory(trollpr0c3zz, (LPVOID)cheatsAddr, &sv_cheats, sizeof(sv_cheats), NULL);

                if (GetAsyncKeyState(VK_F3)&1) // If the "F3" hotkey is pressed then it will write the new data to the memory address.
                    LightRegion = !LightRegion;

                if (LightRegion)
                {
                    WriteProcessMemory(trollpr0c3zz, (LPVOID)gravityAddr, &r_DrawModelLightOrigin_on, sizeof(r_DrawModelLightOrigin_on), NULL);
                }
                else
                {
                    WriteProcessMemory(trollpr0c3zz, (LPVOID)gravityAddr, &r_DrawModelLightOrigin_off, sizeof(r_DrawModelLightOrigin_off), NULL);
                }

                if (GetAsyncKeyState(VK_F6)&1)
                    Wallhack = !Wallhack;

                if (Wallhack)
                {
                    WriteProcessMemory(trollpr0c3zz, (LPVOID)wallhackAddr, &r_drawothermodels_on, sizeof(r_drawothermodels_on), NULL);
                }
                else
                {
                    WriteProcessMemory(trollpr0c3zz, (LPVOID)wallhackAddr, &r_drawothermodels_off, sizeof(r_drawothermodels_off), NULL);
                }

                if (GetAsyncKeyState(VK_DELETE)&1)
                    NDATA = !NDATA;

                if (NDATA)
                {
                    WriteProcessMemory(trollpr0c3zz, (LPVOID)ndataAddr, &showdata_on, sizeof(showdata_on), NULL);
                }
                else
                {
                    WriteProcessMemory(trollpr0c3zz, (LPVOID)ndataAddr, &showdata_off, sizeof(showdata_off), NULL);
                }
            } // End of loop.
        }

        CloseHandle(trollpr0c3zz); // Removes access to the process when it is not needed.
    }

    system("pause");
    return 0;
}
```
Last edited by Phizo; 09-29-2011 at 11:57 AM.
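Seen from the monitoring side, the code in the post above cannot call WriteProcessMemory until it holds a handle to hl2.exe that carries PROCESS_VM_WRITE and PROCESS_VM_OPERATION, and PROCESS_ALL_ACCESS includes both. The following is an added example, not part of the original post: it checks the granted access mask in events shaped like Sysmon Event ID 10 (ProcessAccess); the sample events, file paths, function names and the allowlist parameter are constructed assumptions.

```python
# Access-right bits from winnt.h; WriteProcessMemory needs both on the handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events using Sysmon Event ID 10 field names.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\test\Desktop\trainer.exe",
     "TargetImage": r"C:\Games\css\hl2.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Games\css\hl2.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Tools\overlay.exe",
     "TargetImage": r"C:\Games\css\hl2.exe", "GrantedAccess": "0x0028"},
    {"SourceImage": r"C:\Users\test\Desktop\trainer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def can_write_memory(granted_access: str) -> bool:
    """True if the hex access mask allows writing into the target's memory."""
    mask = int(granted_access, 16)
    return mask & WRITE_MASK == WRITE_MASK


def flag_writers(events, protected_name="hl2.exe", allowlist=()):
    """Return (source image, mask) for write-capable handles to the protected process."""
    allowed = {path.lower() for path in allowlist}
    hits = []
    for ev in events:
        target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
        if target != protected_name.lower():
            continue  # handle was opened to some other process
        if ev["SourceImage"].lower() in allowed:
            continue  # known-good tool, e.g. a vetted overlay
        if can_write_memory(ev["GrantedAccess"]):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, mask in flag_writers(SAMPLE_EVENTS):
        print(f"write-capable handle to hl2.exe: {source} ({mask})")
```

Read-only masks such as 0x1410 (query plus VM read) pass through, so ordinary task managers and monitors do not raise an alert.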
Was it even possible to set sv_cheats=1 if you're not the server owner?
Oh, my bad.
Yes, there was (not sure if it still works) a glitch to do it manually. You create your own server, go into console and type in "sv_cheats 329" or anything like that. Then go to Cheat Engine and type in "329" with 4 bytes selected because it's an integer. Then go back to console and type in "sv_cheats 1" and go back to Cheat Engine and search for "1" using the "Next search" button. There should be a static memory address, you double click it to put it on the cheat list and freeze the value. Then you enter a public server and it should be enabled still, since it's stuck on that value.
Let me know if it still works.
Tried getting engine interfaces from engine.dll to do that?
If you're sure the address is correct, the problem may lie in how your compiler treats sizes and signed-ness.
More specifically, the pointer you're trying to set (sv_cheats) may not have the same size (in bytes) as your native int type (your compiler). Or perhaps the compiler treats ints as signed by default while the pointer is unsigned. You could try the following:
Code:
```cpp
DWORD SV_CHEATS = 1;
...
...
WriteProcessMemory(foo, bar, &SV_CHEATS , 4, bar); // sizeof( DWORD ) == 4
```
This size type should be guaranteed by your compiler/windows.h file, since they are inherited from lower-level languages.
I'm SCHiM
Do you mean this?
I did not write this code. Just wondering, it seems valid.
Code:
```cpp
HMODULE hClient = NULL;
while(hClient == NULL)
{
    hClient = LoadLibraryW(L"client.dll");
    Sleep(100);
}

HMODULE hConsole = NULL;
while(hConsole == NULL)
{
    hConsole = LoadLibraryW(L"GameUI.dll");
    Sleep(100);
}

HMODULE hEngine = NULL;
while(hEngine == NULL)
{
    hEngine = LoadLibraryW(L"engine.dll");
    Sleep(100);
}

Sleep(2000);

CreateInterfaceFn GameUIInterface = (CreateInterfaceFn)GetProcAddress(hConsole, "CreateInterface");
CreateInterfaceFn EngineInterface = (CreateInterfaceFn)GetProcAddress(hEngine, "CreateInterface");
CreateInterfaceFn ClientInterface = (CreateInterfaceFn)GetProcAddress(hClient, "CreateInterface");

MSysSurface = (IMatSystemSurface*)EngineInterface(MAT_SYSTEM_SURFACE_INTERFACE_VERSION, NULL);
icvar = (ICvar*)EngineInterface(CVAR_INTERFACE_VERSION, NULL);
pModelInfoClient = ( IVModelInfoClient* )ClientInterface( VMODELINFO_CLIENT_INTERFACE_VERSION, NULL );
pGameConsole = (IGameConsole *)GameUIInterface(GAMECONSOLE_INTERFACE_VERSION, NULL);
```
It works like that, just with the IVEngineClient.
I'm positive that it's the correct address. I recorded the address with Cheat Engine, I went back to the game console and changed the value, went back to Cheat Engine and it changed the value of the memory address to the same value as I set for sv_cheats.
Ahhh...sorry? I'm not really getting it.
Last edited by Phizo; 09-29-2011 at 11:55 AM.
Look in debugger.
Get access to the IVEngineClient in engine.dll using CreateInterface (exported from engine dll) and use ClientCmd.