bouclier (02-11-2016),CrypticMods (02-07-2018),shryder (03-10-2016)
Since I lost interest in finishing my multihack, I might as well post my offsets & structs
Don't forget to give credit
FAQ
Q: WTF Is this?
A: This is only for cheat coding. If you don't understand it, ignore it, or if you don't know how to use them, read question 2
Q: How do I use this?
A: Learn C++: Buy some books about it & read them.
Please forgive me if an offset doesn't work, I haven't tested all of them yet, but they should be correct.
Also, it's possible that I fucked up somewhere while copying the offsets from my hack, but everything seems OK to me
Last edited by wara286; 02-11-2016 at 10:56 AM.
Hi, I'm kind of new when it comes to reversing (I messed with the Source engine before, but that's it) and I was wondering how you were able to find offsets, because when I open iw4mp in IDA Pro/OllyDbg I can't find any strings and I don't really know what I have to do in this situation. I'm currently trying to dump the file and re-analyze it; it's currently loading.
So could you give me some hints on how to reverse it?
Sure, no problem
First things first, you're on the right track with dumping the executable to get the non-packed version.
I personally use the command line program peDump, but you can do the same with OllyDbg or some other program.
When you open up the dumped executable in IDA Pro, you can now see a list of strings.
Another good tip is to download the Quake 3 source; it's free, and because, as you know, MW2 uses a modified version of the Quake 3 engine, it can be useful when reversing functions that are in the iw4mp binary as well as in the Quake source.
The entity, cgs and cg structs can be found in cg_init, which is the only function that uses the string "white" to load a shader.
The function which is using the string "white" inside CG_Init is also your R_RegisterShader function.
Below this you will see a function which is using some "fonts/..." string: this is your R_RegisterFont function.
R_RegisterFont will return the registered font, if you scan for xrefs to the font, you will find some kind of DrawEngineText function.
The same can be done to find your R_DrawStretchPic function.
CG_Draw2D is a function that can be hooked to draw your menu and initialize your aimbot. It can be found by searching for the string "cg_DrawDamageDirection".
The return value of the function that uses this string is written to an address which, when you find the xref that reads from it, will lead you to CG_Draw2D.
CL_WritePacket can be found by searching for the string "Overflow compressed msg buf in CL_WritePacket()".
Usercmd_t as well as cl_cmdNumber can be found by reversing the CL_WritePacket function.
In the function which can be found by searching for "AimTarget_GetTagPos: Cannot find tag [%s] on entity\n", there are three calls above the call to Com_Error which uses the string you just searched for as a parameter.
These two calls are GetTagPtr and GetTagPos.
The structs can be found using the program reClass.
I hope that you found my post useful
Thank you for your hints )) Just a last question, if you don't mind: is this the source that you're talking about, ******.com/id-Software/Quake-III-Arena/tree/master/code? Because I've found a lot of different ones.
Last edited by bouclier; 02-11-2016 at 01:32 PM.
Now I have been reversing the game and I found it, if anyone wants it: 0x8A41A0 is the index of the local player. You use it like that.
I didn't test this code but it should work, I think. Anyway, the offset is correct. I just wanted to contribute since wara helped me; I might post other things in the future.
Code:
#define LOCALINDEX 0x8A41A0
To retrieve its value: *(int*)LOCALINDEX, and to use it you can do it like that (size of centity being 0x204):
Code:
// CENTITYOFFSET is the base address of the centity array (defined elsewhere in the hack)
DWORD* GetLocalPlayerPtr()
{
    return (DWORD*)(CENTITYOFFSET + 0x204 * *(int*)LOCALINDEX);
}
EDIT: I'm really dumb, you could get it with the cg_t class, but for some reason in IDA they use the offset directly instead of doing cg_t offset + 0x104.
Last edited by bouclier; 02-18-2016 at 10:15 AM.
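The base + 0x204 * index arithmetic above is the whole trick, but it has no range check: whatever integer happens to sit at the index address is multiplied and dereferenced. The following is an added example, not code from this thread or from any MW2 hack: it builds an entity array in its own memory (no game process involved), applies the same stride arithmetic, and rejects indices outside the array before dereferencing. The centity_t fields, the 64-entry capacity and the constructed clientNum values are assumptions for the example; only the 0x204 stride comes from the post.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Stride of one centity_t as quoted in the post (0x204 bytes).
constexpr std::size_t kEntitySize = 0x204;
// Assumption for this example: capacity of the constructed entity array.
constexpr std::size_t kMaxEntities = 64;

// Stand-in for centity_t with only the fields this example touches; the
// trailing pad keeps the stride at 0x204 so base + 0x204 * index is exact.
struct centity_t {
    std::int32_t  clientNum;
    float         origin[3];
    unsigned char pad[kEntitySize - sizeof(std::int32_t) - 3 * sizeof(float)];
};
static_assert(sizeof(centity_t) == kEntitySize, "centity_t stride must be 0x204");

// base + 0x204 * index, as in the post, but rejecting indices outside the
// array: the raw arithmetic returns a pointer past the end whenever the index
// read from memory is stale or garbage, and dereferencing it is the crash.
const centity_t* GetEntityPtr(const unsigned char* base, std::size_t count, long index) {
    if (base == nullptr || index < 0 || static_cast<std::size_t>(index) >= count)
        return nullptr;
    return reinterpret_cast<const centity_t*>(base + kEntitySize * static_cast<std::size_t>(index));
}

// Builds a constructed entity array (entity i has clientNum i) and looks up
// `localIndex` through GetEntityPtr; returns the clientNum, or -1 if rejected.
int LookupClientNum(long localIndex) {
    std::vector<centity_t> ents(kMaxEntities);
    for (std::size_t i = 0; i < ents.size(); ++i) {
        ents[i].clientNum = static_cast<std::int32_t>(i);
        ents[i].origin[0] = static_cast<float>(i) * 10.0f;
    }
    const unsigned char* base = reinterpret_cast<const unsigned char*>(ents.data());
    const centity_t* e = GetEntityPtr(base, ents.size(), localIndex);
    return e ? e->clientNum : -1;
}

int main() {
    // In the thread this index is read with *(int*)LOCALINDEX inside iw4mp;
    // here it is a plain value so the program runs on its own.
    long localIndex = 7;
    return LookupClientNum(localIndex) == 7 ? 0 : 1;
}
```

The count passed to GetEntityPtr is whatever the array really holds; with a live overlay the same check needs the game's own maximum, otherwise a reset index (commonly 0 or -1 between maps) walks off the array.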
Some enums:
Code:
typedef enum
{
    EV_NONE, EV_FOLIAGE_SOUND, EV_STOP_WEAPON_SOUND, EV_SOUND_ALIAS, EV_SOUND_ALIAS_AS_MASTER, EV_STOPSOUNDS,
    EV_STANCE_FORCE_STAND, EV_STANCE_FORCE_CROUCH, EV_STANCE_FORCE_PRONE, EV_STANCE_INVALID,
    EV_ITEM_PICKUP, EV_AMMO_PICKUP, EV_NOAMMO, EV_EMPTYCLIP, EV_EMPTY_OFFHAND_PRIMARY, EV_EMPTY_OFFHAND_SECONDARY,
    EV_OFFHAND_END_NOTIFY, EV_RESET_ADS, EV_RELOAD, EV_RELOAD_FROM_EMPTY, EV_RELOAD_START, EV_RELOAD_END,
    EV_RELOAD_START_NOTIFY, EV_RELOAD_ADDAMMO, EV_RAISE_WEAPON, EV_FIRST_RAISE_WEAPON, EV_PUTAWAY_WEAPON,
    EV_WEAPON_ALT, EV_WEAPON_SWITCH_STARTED, EV_PULLBACK_WEAPON, EV_FIRE_WEAPON, EV_FIRE_WEAPON_LASTSHOT,
    EV_FIRE_RICOCHET, EV_RECHAMBER_WEAPON, EV_EJECT_BRASS, EV_FIRE_WEAPON_LEFT, EV_FIRE_WEAPON_LASTSHOT_LEFT,
    EV_EJECT_BRASS_LEFT, EV_HITCLIENT_FIRE_WEAPON, EV_HITCLIENT_FIRE_WEAPON_LASTSHOT,
    EV_HITCLIENT_FIRE_WEAPON_LEFT, EV_HITCLIENT_FIRE_WEAPON_LASTSHOT_LEFT, EV_SV_FIRE_WEAPON,
    EV_SV_FIRE_WEAPON_LASTSHOT, EV_SV_FIRE_WEAPON_LEFT, EV_SV_FIRE_WEAPON_LASTSHOT_LEFT,
    EV_MELEE_SWIPE, EV_FIRE_MELEE, EV_PREP_OFFHAND, EV_USE_OFFHAND, EV_SWITCH_OFFHAND,
    EV_MELEE_HIT, EV_MELEE_MISS, EV_MELEE_BLOOD, EV_FIRE_TURRET, EV_FIRE_SENTRY,
    EV_FIRE_QUADBARREL_1, EV_FIRE_QUADBARREL_2, EV_BULLET_HIT, EV_BULLET_HIT_SHIELD, EV_BULLET_HIT_EXPLODE,
    EV_BULLET_HIT_CLIENT_SMALL, EV_BULLET_HIT_CLIENT_LARGE, EV_BULLET_HIT_CLIENT_EXPLODE,
    EV_BULLET_HIT_CLIENT_SHIELD, EV_EXPLOSIVE_IMPACT_ON_SHIELD, EV_EXPLOSIVE_SPLASH_ON_SHIELD,
    EV_GRENADE_BOUNCE, EV_GRENADE_STICK, EV_GRENADE_REST, EV_GRENADE_EXPLODE, EV_GRENADE_PICKUP, EV_GRENADE_LETGO,
    EV_ROCKET_EXPLODE, EV_ROCKET_EXPLODE_NOMARKS, EV_FLASHBANG_EXPLODE, EV_CUSTOM_EXPLODE,
    EV_CUSTOM_EXPLODE_NOMARKS, EV_CHANGE_TO_DUD, EV_DUD_EXPLODE, EV_DUD_IMPACT, EV_TROPHY_EXPLODE, EV_BULLET,
    EV_PLAY_FX, EV_PLAY_FX_ON_TAG, EV_STOP_FX_ON_TAG, EV_PLAY_FX_ON_TAG_FOR_CLIENTS,
    EV_PHYS_EXPLOSION_SPHERE, EV_PHYS_EXPLOSION_CYLINDER, EV_PHYS_EXPLOSION_JOLT, EV_RADIUSDAMAGE,
    EV_PHYS_JITTER, EV_EARTHQUAKE, EV_GRENADE_SUICIDE, EV_DETONATE,
    EV_NIGHTVISION_WEAR, EV_NIGHTVISION_REMOVE, EV_MISSILE_REMOTE_BOOST, EV_OBITUARY,
    EV_NO_PRIMARY_GRENADE_HINT, EV_NO_SECONDARY_GRENADE_HINT, EV_TARGET_TOO_CLOSE_HINT,
    EV_TARGET_NOT_ENOUGH_CLEARANCE_HINT, EV_LOCKON_REQUIRED_HINT,
    EV_VEHICLE_COLLISION, EV_VEHICLE_SUSPENSION_SOFT, EV_VEHICLE_SUSPENSION_HARD,
    EV_FOOTSTEP_SPRINT, EV_FOOTSTEP_RUN, EV_FOOTSTEP_WALK, EV_FOOTSTEP_PRONE, EV_JUMP,
    EV_LANDING_DEFAULT, EV_LANDING_BARK, EV_LANDING_BRICK, EV_LANDING_CARPET, EV_LANDING_CLOTH,
    EV_LANDING_CONCRETE, EV_LANDING_DIRT, EV_LANDING_FLESH, EV_LANDING_FOLIAGE, EV_LANDING_GLASS,
    EV_LANDING_GRASS, EV_LANDING_GRAVEL, EV_LANDING_ICE, EV_LANDING_METAL, EV_LANDING_MUD,
    EV_LANDING_PAPER, EV_LANDING_PLASTER, EV_LANDING_ROCK, EV_LANDING_SAND, EV_LANDING_SNOW,
    EV_LANDING_WATER, EV_LANDING_WOOD, EV_LANDING_ASPHALT, EV_LANDING_CERAMIC, EV_LANDING_PLASTIC,
    EV_LANDING_RUBBER, EV_LANDING_CUSHION, EV_LANDING_FRUIT, EV_LANDING_PAINTEDMETAL, EV_LANDING_RIOTSHIELD,
    EV_LANDING_SLUSH,
    EV_LANDING_PAIN_DEFAULT, EV_LANDING_PAIN_BARK, EV_LANDING_PAIN_BRICK, EV_LANDING_PAIN_CARPET,
    EV_LANDING_PAIN_CLOTH, EV_LANDING_PAIN_CONCRETE, EV_LANDING_PAIN_DIRT, EV_LANDING_PAIN_FLESH,
    EV_LANDING_PAIN_FOLIAGE, EV_LANDING_PAIN_GLASS, EV_LANDING_PAIN_GRASS, EV_LANDING_PAIN_GRAVEL,
    EV_LANDING_PAIN_ICE, EV_LANDING_PAIN_METAL, EV_LANDING_PAIN_MUD, EV_LANDING_PAIN_PAPER,
    EV_LANDING_PAIN_PLASTER, EV_LANDING_PAIN_ROCK, EV_LANDING_PAIN_SAND, EV_LANDING_PAIN_SNOW,
    EV_LANDING_PAIN_WATER, EV_LANDING_PAIN_WOOD, EV_LANDING_PAIN_ASPHALT, EV_LANDING_PAIN_CERAMIC,
    EV_LANDING_PAIN_PLASTIC, EV_LANDING_PAIN_RUBBER, EV_LANDING_PAIN_CUSHION, EV_LANDING_PAIN_FRUIT,
    EV_LANDING_PAIN_PAINTEDMETAL, EV_LANDING_PAIN_RIOTSHIELD, EV_LANDING_PAIN_SLUSH,
    EV_MANTLE
} entity_event_t;

/** entity_t->EntityType **/
typedef enum
{
    ET_GENERAL, ET_PLAYER, ET_CORPSE, ET_ITEM, ET_MISSLE, ET_INVISIBLE_ENTITY, ET_SCRIPTMOVER,
    ET_SOUND_BLEND, ET_FX, ET_LOOP_FX, ET_PRIMARY_LIGHT, ET_TURRENT, ET_HELICOPTER, ET_PLANE,
    ET_VEHICLE, ET_VEHICLE_COLLMAP, ET_VEHICLE_CORPSE, ET_VEHICLE_SPAWNER
} entityType_t;
Can you please post the "Unlock All" offset for MW2? I really need it!
Can you provide a sample code on how to use it?
I already made a force dvar change but I don't know how to use this one. Thank you
In your header file:
Code:
// vec3 is not defined in this post; it is the hack's own 3-float vector type
typedef struct
{
    vec3 Recoil;            //0x0000
    vec3 Origin;            //0x000C
    char pad_0x0018[0xC];   //0x0018
    float rViewAngleX;      //0x0024
    float rViewAngleY;      //0x0028
    char pad_0x002C[0x14];  //0x002C
    float wViewAngleX;      //0x0040
    float wViewAngleY;      //0x0044
} viewMatrix_t;
In your init function:
Code:
viewMatrix_t* viewMatrix = (viewMatrix_t*)0xBC7690;
In your update function (once per frame):
Code:
viewMatrix->Recoil[0] = 0x0;
viewMatrix->Recoil[1] = 0x0;
viewMatrix->Recoil[2] = 0x0;
This is how you use structs and their addresses.
You can also find a lot of tutorials here on mpgh.
But after all, the best thing is to learn proper C/C++ coding, because if you don't really know how to code in C/C++ you will get frustrated soon.
I know that it sucks in the beginning, but the best advice is to read some books on C/C++.
Although Visual Studio is clever enough to optimize that code, it's bad practice to initialize floats with ints and thus have the implicit integer-to-float conversion! Also, I have never seen people write 0x0 for 0; in this case, rather write this code in C++:
Code:
// requires vec3 to be a class type (e.g. a struct of three floats), not a raw float[3]
viewMatrix->Recoil = { 0.0f, 0.0f, 0.0f };
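The struct above is only as good as its pad sizes: the first post admits the offsets were copied by hand, and one mistyped pad length silently shifts every later field. The following is an added example, not code from this thread: the same viewMatrix_t layout with offsetof checks that make the compiler verify each field sits where its comment says, plus the float-literal recoil reset from the reply. vec3 is assumed to be a plain struct of three floats (the thread never defines it), and the object is a local variable rather than the pointer at 0xBC7690, so the program runs outside the game.

```cpp
#include <cstddef>

// Assumption: vec3 is a plain struct of three floats; with this definition the
// aggregate assignment from the reply compiles.
struct vec3 { float x, y, z; };

// Layout as posted; the offsets in the comments are the ones from the thread.
struct viewMatrix_t {
    vec3  Recoil;            // 0x0000
    vec3  Origin;            // 0x000C
    char  pad_0x0018[0xC];   // 0x0018
    float rViewAngleX;       // 0x0024
    float rViewAngleY;       // 0x0028
    char  pad_0x002C[0x14];  // 0x002C
    float wViewAngleX;       // 0x0040
    float wViewAngleY;       // 0x0044
};

// Compile-time checks: if a pad size is mistyped while copying, every later
// field shifts and the build fails here instead of the code silently reading
// the wrong bytes at run time.
static_assert(offsetof(viewMatrix_t, Recoil)      == 0x0000, "Recoil offset");
static_assert(offsetof(viewMatrix_t, Origin)      == 0x000C, "Origin offset");
static_assert(offsetof(viewMatrix_t, rViewAngleX) == 0x0024, "rViewAngleX offset");
static_assert(offsetof(viewMatrix_t, rViewAngleY) == 0x0028, "rViewAngleY offset");
static_assert(offsetof(viewMatrix_t, wViewAngleX) == 0x0040, "wViewAngleX offset");
static_assert(offsetof(viewMatrix_t, wViewAngleY) == 0x0044, "wViewAngleY offset");
static_assert(sizeof(viewMatrix_t) == 0x48, "viewMatrix_t size");

// Float-literal form of the recoil reset from the reply, instead of 0x0 ints.
void ClearRecoil(viewMatrix_t& vm) {
    vm.Recoil = { 0.0f, 0.0f, 0.0f };
}

bool RecoilIsZero(const viewMatrix_t& vm) {
    return vm.Recoil.x == 0.0f && vm.Recoil.y == 0.0f && vm.Recoil.z == 0.0f;
}

// Size the documented offsets imply (0x44 + sizeof(float)); handy to compare
// against a class dump from ReClass before trusting the overlay.
std::size_t ViewMatrixSize() { return sizeof(viewMatrix_t); }

int main() {
    viewMatrix_t vm{};                  // local object standing in for the overlay in the thread
    vm.Recoil = { 1.5f, -0.25f, 3.0f };  // constructed sample values
    ClearRecoil(vm);
    return RecoilIsZero(vm) ? 0 : 1;
}
```

Adding one static_assert per documented field costs nothing at run time and turns the "I might have copied an offset wrong" caveat from the first post into a build error.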
What are these addresses for, wallhack, no recoil or what?
Mind pointing me in the right direction for using this for a wallhack? I currently have no recoil as well as a hooked EndScene in d3d9, but I'm not sure how to go about using your pointers for a wallhack. How would I get a list of players? I tried hooking GetTagPos and saving the ents passed to it, but that didn't seem to work. Thanks