Executing console commands for CS:S?

[Phizo]

I'm making a 'Counter Strike: Source' hack in C++. I thought it would be a good start since it doesn't use DMA (Dynamic Memory Allocation) as it holds all the memory in static addresses, which are easy to find since there is no DMA.

Anyway, I was wondering. How could I execute console commands? I heard something about PushToConsole() and SetConsoleVariable() being used for stuff like that.

You need to execute 'sv_cheats 1' to execute other commands on other people servers, I wanted to get that as well as 'noclip' working. It doesn't have to be undetectable or anything, I just want it for LAN and stuff.

(You will see sv_cheats in my code. I was trying to edit the memory for it, obviously it didn't work because it's local memory, it won't affect the server :\. Was worth a try anyway).

Preview code: (I've added a lot more, just not sure if I should release it or not since it's VAC-Proof).

Code:

#include "stdafx.h"
#include <iostream>
#include <Windows.h>

using namespace std;

int main ()
{
	HWND hWnd = FindWindow(0, L"Counter-Strike Source"); // Finds the window titled "Counter-Strike Source".

	if (hWnd == 0) // If it can't find the window, then:
	{
		cout << "I could not locate the window, either you've opened this before you opened CS:S, or this program has a bug." << endl;
	}
	else
	{
		DWORD pr0c3zz;
		GetWindowThreadProcessId(hWnd, &pr0c3zz); // Locates the process through the window.
		HANDLE trollpr0c3zz = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pr0c3zz); // Gives access to process.
		if (!trollpr0c3zz) // If it can't access the process, then:
		{
			cout << "Could not locate CS:S process (hl2.exe)" << endl;
		}
		else
		{
			int sv_cheats = 1; // Activate cheat mode..
			int r_drawothermodels_on = 2, r_drawothermodels_off = 1; // Wallhack on/off.
			int r_DrawModelLightOrigin_on = 1, r_DrawModelLightOrigin_off = 0; // Light region on/off.
			int showdata_on = 2, showdata_off = 0; // Show network data on/off.

			int cheatsAddr = 0x0FD0E764; // Cheat mode.
			int wallhackAddr = 0x243AEC3C; // Wallhack.
			int gravityAddr = 0x0FCD81FC; // Light region.
			int ndataAddr = 0x243EBD8C; // Show network data/usage.

				bool LightRegion = false, Wallhack = false, NDATA = false;

					cout << "Welcome to Phizo's Counter Strike: Source hack: Version 1.0" << endl;
					cout << "The hotkeys toggle on and off incase you want to turn them off.\n" << endl;
					cout << "Open console: ~" << endl;
					cout << "Draw light region: F3" << endl;
					cout << "Enable wallhack: F6" << endl;
					cout << "Show network data/usage: Delete" << endl;

			while(1) // Loops so the memory keeps rewriting itself if it's changed.
				{
					WriteProcessMemory(trollpr0c3zz, (LPVOID)cheatsAddr, &sv_cheats, sizeof(sv_cheats), NULL);

                if (GetAsyncKeyState(VK_F3)&1) // If the "F3" hotkey is pressed then it will write the new data to the memory address.
						LightRegion = !LightRegion;

						if (LightRegion)
						{
						WriteProcessMemory(trollpr0c3zz, (LPVOID)gravityAddr, &r_DrawModelLightOrigin_on, sizeof(r_DrawModelLightOrigin_on), NULL);
						}
						else
						{
						WriteProcessMemory(trollpr0c3zz, (LPVOID)gravityAddr, &r_DrawModelLightOrigin_off, sizeof(r_DrawModelLightOrigin_off), NULL);
						}

				if (GetAsyncKeyState(VK_F6)&1)
					Wallhack = !Wallhack;

					if (Wallhack)
					{
					WriteProcessMemory(trollpr0c3zz, (LPVOID)wallhackAddr, &r_drawothermodels_on, sizeof(r_drawothermodels_on), NULL);
					}
					else
					{
					WriteProcessMemory(trollpr0c3zz, (LPVOID)wallhackAddr, &r_drawothermodels_off, sizeof(r_drawothermodels_off), NULL);
					}

					if (GetAsyncKeyState(VK_DELETE)&1)
					NDATA = !NDATA;

					if (NDATA)
					{
					WriteProcessMemory(trollpr0c3zz, (LPVOID)ndataAddr, &showdata_on, sizeof(showdata_on), NULL);
					}
					else
					{
					WriteProcessMemory(trollpr0c3zz, (LPVOID)ndataAddr, &showdata_off, sizeof(showdata_off), NULL);
					}
			} // End of loop.
				
		}
		CloseHandle(trollpr0c3zz); // Removes access to the process when it is not needed.
		}
	system("pause");
	return 0;
}

Thanks a lot .

[ket_]

was it even possible to set sv_cheats=1 ? if your not server owner ?

[Phizo]

was it even possible to set sv_cheats=1 ? if your not server owner ?

As I said in the original post. It was an unsuccessful test.

Please read next time.

[ket_]

As I said in the original post. It was an unsuccessful test.

Please read next time.

I'm not talking about your post. i'm talking in a global scope lol

some time back i know someone was talking about this but i think all that was fake bs someone prove i'm wrong :/ .

[Phizo]

I'm not talking about your post. i'm talking in a global scope lol

some time back i know someone was talking about this but i think all that was fake bs someone prove i'm wrong :/ .

Oh, my bad .

Yes, there was (not sure if it still works) a glitch to do it manually. You create your own server, go into console and type in "sv_cheats 329" or anything like that. Then go to Cheat Engine and type in "329" with 4 bytes selected because it's an integer. Then go back to console and type in "sv_cheats 1" and go back to Cheat Engine and search for "1" using the "Next search" button. There should be a static memory address, you double click it to put it on the cheat list and freeze the value. Then you enter a public server and it should be enabled still, since it's stuck on that value.

Let me know if it still works .

[Nico]

Tried getting engine interfaces from engine.dll to do that?

[.::SCHiM::.]

Oh, my bad .

Yes, there was (not sure if it still works) a glitch to do it manually. You create your own server, go into console and type in "sv_cheats 329" or anything like that. Then go to Cheat Engine and type in "329" with 4 bytes selected because it's an integer. Then go back to console and type in "sv_cheats 1" and go back to Cheat Engine and search for "1" using the "Next search" button. There should be a static memory address, you double click it to put it on the cheat list and freeze the value. Then you enter a public server and it should be enabled still, since it's stuck on that value.

Let me know if it still works .

If you're sure the address is correct, the problem may lie in how your compiler treats sizes and signed-ness.

More specifically, the pointer you're trying to set (sv_cheats) may not have the same size (in bytes) as your native int type (your compiler). Or perhaps the compiler treats ints as signed by default while the pointer is unsigned. You could try the following:

Code:

DWORD SV_CHEATS = 1;
...
...
WriteProcessMemory(foo, bar, &SV_CHEATS , 4, bar); // sizeof( DWORD ) == 4 this sizetype should be guaranteed by your compiler/windows.h file. Since they are inherited form lower-level languages.

[Phizo]

Tried getting engine interfaces from engine.dll to do that?

Do you mean this?

Code:

HMODULE hClient = NULL;
	while(hClient == NULL)
	{
		hClient = LoadLibraryW(L"client.dll");
		Sleep(100);
	}
	HMODULE hConsole = NULL;
	while(hConsole == NULL)
	{
		hConsole = LoadLibraryW(L"GameUI.dll");
		Sleep(100);
	}
	HMODULE hEngine = NULL;
	while(hEngine == NULL)
	{
		hEngine = LoadLibraryW(L"engine.dll");
		Sleep(100);
	}
	Sleep(2000);

CreateInterfaceFn GameUIInterface = (CreateInterfaceFn)GetProcAddress(hConsole, "CreateInterface");
CreateInterfaceFn EngineInterface = (CreateInterfaceFn)GetProcAddress(hEngine, "CreateInterface");
CreateInterfaceFn ClientInterface = (CreateInterfaceFn)GetProcAddress(hClient, "CreateInterface");
MSysSurface = (IMatSystemSurface*)EngineInterface(MAT_SYSTEM_SURFACE_INTERFACE_VERSION, NULL);
icvar = (ICvar*)EngineInterface(CVAR_INTERFACE_VERSION, NULL);
pModelInfoClient = ( IVModelInfoClient* )ClientInterface( VMODELINFO_CLIENT_INTERFACE_VERSION, NULL );
pGameConsole = (IGameConsole *)GameUIInterface(GAMECONSOLE_INTERFACE_VERSION, NULL);

I did not write this code. Just wondering, it seems valid.

[Nico]

It works like that, just with the IVEngineClient.

[Phizo]

If you're sure the address is correct, the problem may lie in how your compiler treats sizes and signed-ness.

More specifically, the pointer you're trying to set (sv_cheats) may not have the same size (in bytes) as your native int type (your compiler). Or perhaps the compiler treats ints as signed by default while the pointer is unsigned. You could try the following:

Code:

DWORD SV_CHEATS = 1;
...
...
WriteProcessMemory(foo, bar, &SV_CHEATS , 4, bar); // sizeof( DWORD ) == 4 this sizetype should be guaranteed by your compiler/windows.h file. Since they are inherited form lower-level languages.

I'm positive that it's the correct address. I recorded the address with Cheat Engine, I went back to the game console and change the value, went back to Cheat Engine and it changed the value of the memory address to the same value as I set for sv_cheats.

It works like that, just with the IVEngineClient.

Ahhh...sorry? I'm not really getting it.

[kibbles18]

tier0.msg
--

[Phizo]

tier0.msg
--

Ahhh....?

Why does everyone have to be so confusing. :\.

[kibbles18]

Look in debugger

[Phizo]

Look in debugger

I'll check it out in Ollydbg. Thanks.

[Hell_Demon]

Get access to the IVEngineClient in engine.dll using CreateInterface(exported from engine dll) and use ClientCmd