Chopperboxes

[cardoow]

Since a lot of people ask how to do chopper esp, i posted this a while ago on another forum

Chewperbewxerz function

Code:

.text:000000014029AE10                 push    rbx
.text:000000014029AE12                 sub     rsp, 20h
.text:000000014029AE16                 mov     ebx, ecx
.text:000000014029AE18                 call    sub_1402A2A50 //entity isalive and type checks
.text:000000014029AE1D                 lea     rdx, loc_1402A2B20
.text:000000014029AE24                 mov     ecx, ebx
.text:000000014029AE26                 call    sub_140554D70 //some more client and entity checks
.text:000000014029AE2B                 mov     ecx, ebx
.text:000000014029AE2D                 add     rsp, 20h
.text:000000014029AE31                 pop     rbx
.text:00000001402A2890                 mov     r11, rsp
.text:00000001402A2893                 push    r13
.text:00000001402A2895                 sub     rsp, 80h
.text:00000001402A289C                 movsxd  rdx, cs:dword_14158177C
.text:00000001402A28A3                 mov     r13d, ecx
.text:00000001402A28A6                 lea     rcx, dword_141581600
.text:00000001402A28AD                 mov     rax, rdx
.text:00000001402A28B0                 imul    rax, 5D8h
.text:00000001402A28B7                 cmp     dword ptr [rax+rcx+0FAC04h], 0
.text:00000001402A28BF                 jz      loc_1402A2A3C
.text:00000001402A28C5                 mov     [r11-10h], rbp
.text:00000001402A28C9                 mov     [r11-18h], rsi
.text:00000001402A28CD                 mov     [r11-20h], rdi
.text:00000001402A28D1                 mov     [r11-28h], r12
.text:00000001402A28D5                 mov     r12, cs:qword_141580D40
.text:00000001402A28DC                 mov     [r11-30h], r14
.text:00000001402A28E0                 mov     r14d, [rax+rcx+0FAC0Ch]
.text:00000001402A28E8                 mov     [r11-38h], r15
.text:00000001402A28EC                 mov     [r11+8], rbx
.text:00000001402A28F0                 movaps  [rsp+88h+var_48], xmm6
.text:00000001402A28F5                 xor     ebp, ebp
.text:00000001402A28F7                 lea     rdi, unk_141699B4C
.text:00000001402A28FE                 lea     rsi, unk_14167C20C
.text:00000001402A2905                 lea     rcx, unk_14168B77C
.text:00000001402A290C                 nop     dword ptr [rax+00h]
.text:00000001402A2910
.text:00000001402A2910 loc_1402A2910:                          ; CODE XREF: sub_14029AE10+7BFBj
.text:00000001402A2910                 cmp     ebp, edx
.text:00000001402A2912                 jz      loc_1402A29F8
.text:00000001402A2918                 cmp     dword ptr [rsi-8], 0
.text:00000001402A291C                 jz      loc_1402A29F8
.text:00000001402A2922                 test    r14d, r14d
.text:00000001402A2925                 jz      short loc_1402A2930
.text:00000001402A2927                 cmp     r14d, [rsi]
.text:00000001402A292A                 jz      loc_1402A29F8
.text:00000001402A2930
.text:00000001402A2930 loc_1402A2930:                          ; CODE XREF: sub_14029AE10+7B15j
.text:00000001402A2930                 test    byte ptr [rdi+104h], 1
.text:00000001402A2937                 jz      loc_1402A29F8
.text:00000001402A293D                 mov     eax, [rsi+0Ch]
.text:00000001402A2940                 shr     eax, 6
.text:00000001402A2943                 test    al, 1
.text:00000001402A2945                 jnz     loc_1402A29F8
.text:00000001402A294B                 mov     eax, [rdi]
.text:00000001402A294D                 cmp     eax, 1
.text:00000001402A2950                 jz      short loc_1402A295B
.text:00000001402A2952                 cmp     eax, 12h
.text:00000001402A2955                 jnz     loc_1402A29F8
.text:00000001402A295B
.text:00000001402A295B loc_1402A295B:                          ; CODE XREF: sub_14029AE10+7B40j
.text:00000001402A295B                 test    byte ptr [rdi+4], 20h
.text:00000001402A295F                 jnz     loc_1402A29F8
.text:00000001402A2965                 cmp     [rdi+74h], edx
.text:00000001402A2968                 jz      loc_1402A29F8
.text:00000001402A296E                 lea     rdx, [rdi-0FCh]
.text:00000001402A2975                 mov     ecx, r13d
.text:00000001402A2978                 call    sub_1402A3010
.text:00000001402A297D                 lea     rax, [rsp+88h+arg_8]
.text:00000001402A2985                 lea     r9, [rsp+88h+arg_18]
.text:00000001402A298D                 mov     [rsp+88h+var_60], rax
.text:00000001402A2992                 lea     rax, [rsp+88h+arg_10]
.text:00000001402A299A                 lea     r8, [rsp+88h+var_58]
.text:00000001402A299F                 movaps  xmm6, xmm0
.text:00000001402A29A2                 lea     rdx, [rdi-0FCh]
.text:00000001402A29A9                 mov     ecx, r13d
.text:00000001402A29AC                 mov     [rsp+88h+var_68], rax
.text:00000001402A29B1                 call    sub_1402A2B90
.text:00000001402A29B6                 test    al, al
.text:00000001402A29B8                 jz      short loc_1402A29EB
.text:00000001402A29BA                 movss   xmm3, [rsp+88h+arg_8]
.text:00000001402A29C3                 movss   xmm2, [rsp+88h+arg_10]
.text:00000001402A29CC                 movss   xmm1, [rsp+88h+arg_18]
.text:00000001402A29D5                 movss   xmm0, [rsp+88h+var_58]
.text:00000001402A29DB                 movss   dword ptr [rsp+88h+var_60], xmm6
.text:00000001402A29E1                 mov     [rsp+88h+var_68], r12
.text:00000001402A29E6                 call    sub_1402A27C0 //draw the boxes
.text:00000001402A29EB
.text:00000001402A29EB loc_1402A29EB:                          ; CODE XREF: sub_14029AE10+7BA8j
.text:00000001402A29EB                 mov     edx, cs:dword_14158177C
.text:00000001402A29F1                 lea     rcx, unk_14168B77C
.text:00000001402A29F8
.text:00000001402A29F8 loc_1402A29F8:                          ; CODE XREF: sub_14029AE10+7B02j
.text:00000001402A29F8                                         ; sub_14029AE10+7B0Cj ...
.text:00000001402A29F8                 add     rsi, 5D8h
.text:00000001402A29FF                 inc     ebp
.text:00000001402A2A01                 add     rdi, 238h
.text:00000001402A2A08                 cmp     rsi, rcx
.text:00000001402A2A0B                 jl      loc_1402A2910
.text:00000001402A2A11                 movaps  xmm6, [rsp+88h+var_48]
.text:00000001402A2A16                 mov     r15, [rsp+88h+var_38]
.text:00000001402A2A1B                 mov     r14, [rsp+88h+var_30]
.text:00000001402A2A20                 mov     r12, [rsp+88h+var_28]
.text:00000001402A2A25                 mov     rdi, [rsp+88h+var_20]
.text:00000001402A2A2A                 mov     rsi, [rsp+88h+var_18]
.text:00000001402A2A2F                 mov     rbp, [rsp+88h+var_10]
.text:00000001402A2A34                 mov     rbx, [rsp+88h+arg_0]
.text:00000001402A2A3C
.text:00000001402A2A3C loc_1402A2A3C:                          ; CODE XREF: sub_14029AE10+7AAFj
.text:00000001402A2A3C                 add     rsp, 80h
.text:00000001402A2A43                 pop     r13
.text:00000001402A2A45                 retn

a way on how to enable it is by using this addy -->0x141581610<--
and set the byte to 0x8 for thermalvision( have to be in a correct spot otherwise it will flicker)
or set the byte to 0x10 which gives you chewperbewxerz at all time.
Fix the ninja stuff yourself, its pretty easy to find from my reference.

--->Addresses 3.3.3<---
New address for the function is 0x14029B280
New address for the byte patch is 0x1416FF690


--->Addresses 3.4.3<---
New address for the function is 0x14029BFC0
New address for the byte patch is 0x141711590

[plsdontbug]

Amazing, they really did a great job while making a game this time, they even built in a esp for us this time xD

[cardoow]

Amazing, they really did a great job while making a game this time, they even built in a esp for us this time xD

this time? you must be kiddin me! its build in almost every cod version

[BullDog12345]

so were do we put the code

sry kinda new to hacking with ESP stuff

[Lovroman]

so were do we put the code

sry kinda new to hacking with ESP stuff

In CE(add address as byte and change value to 10) or your application's code.

[BullDog12345]

okays thnks Lovroman

[BullDog12345]

sry im back again this si still confusing @Lovroman can you give me a vid tutorial on how to do this please

thnx @BullDog12345

[cardoow]

1. Open game
2. Open CE
3. Add 0x1416FF690 to your address list
4. Freeze the value
5. Change the value to 0x10
6. Have phun

[ImMalkah]

sry im back again this si still confusing @Lovroman can you give me a vid tutorial on how to do this please

thnx @BullDog12345

You can't just jump straight into these kinds of things, first you must learn the language basics like read some books or watch videos .

[monkiii]

I get an confusing flicker, while Im using 0x141711590
And when I freeze the value, its still switching between 0 and 10.

Any Ideas?

[cardoow]

Are u freezing it in CE?

[monkiii]

as I said, Im hitting the checkbox but its still switching.. and Im ingame the models are blinking white..

[cardoow]

You cant just freeze it in CE because the thread on which the value gets set is called way more times in a frame then your CE call it, thats why its flickering.
You have to hook in game and search for a right spot

[GTEUK1]

Finding out what writes to the address also helps to try and find the static

I am looking at a way to NOP the writing of it which would negate the timer

Set a timer to 50ms otherwise but do not expect to use any scoped weapons with precision

[cardoow]

Finding out what writes to the address also helps to try and find the static

I am looking at a way to NOP the writing of it which would negate the timer

Set a timer to 50ms otherwise but do not expect to use any scoped weapons with precision

good luck


What i did, search where its getting set right before the function where they draw the boxes