iNoob435 Newbie cheater Reputation: 0
Joined: 16 Jun 2018 Posts: 17
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Jun 20, 2018 10:25 am
The addresses on the left are for the first byte in the row, then the bytes at the top are the last bytes of the address (for the first row, the last digit will be the same for all rows), so the blue selected 0 is 007F10D8 +4 (because it's the fifth byte in the row) = 007F10DC and the yellow highlighted bytes are at 7F108D-8F. The yellow separators appear every 8 bytes.
You'll probably want to convert those addresses to module+offset and the simplest way to do that is probably to go to them in the hex editor and look (otherwise you can use lua's getNameFromAddress, or possibly by adding them to the address list from the hex viewer.... not certain about that one though)
iNoob435 Newbie cheater Reputation: 0
Joined: 16 Jun 2018 Posts: 17
Posted: Wed Jun 20, 2018 12:19 pm
Again, thanks for the help.
I clicked the blue value by mistake, but I get what you mean.
Edit: I couldn't make it work, though.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Jun 20, 2018 12:54 pm
FreeER wrote:
> You'll probably want to convert those addresses to module+offset and the simplest way to do that is probably to go to them in the hex editor and look

Meant to say disassembler there, not hex editor, in case it confuses someone. Oops.
"I couldn't make it work though" isn't really enough information to figure out why it didn't work so... ¯\_(ツ)_/¯
iNoob435 Newbie cheater Reputation: 0
Joined: 16 Jun 2018 Posts: 17
Posted: Wed Jun 20, 2018 2:12 pm
If you can help me with it, I'd explain. Earlier, by that I meant that I found the address and stuff, but the address didn't have the same function, so I couldn't make norecoil.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Jun 20, 2018 2:30 pm
Hey can you help me?
Right now you're probably wondering with what, maybe you're even thinking about what exactly it could be and whether you could help... but the only reasonable answer is: I don't know if I can help you because you have not explained what you need help with.
Similarly, I don't know if I can help you because I don't know what exactly you need help with. If you do not know how to program in C++ at all, then no, not really; go learn C++ with tutorials or courses etc. If you have a syntax error, yes, though I really shouldn't have to if you went and learned C++. If you have any other error, ¯\_(ツ)_/¯: if you are using some third-party library that I do not know and it does not have documentation, then maybe not; if you have some silly mistake buried in 2000 lines of code, I probably could but probably would not take the time to do so; if you do not know how to find the base of a module, go watch some tutorials on YouTube, they cover it (e.g. search for "C++ pattern scanning game trainer").
I don't make trainers even in CE let alone C++ so I don't know all the details very well, but I have done a couple basic ones (both RPM/WPM + dll) so I know the general idea.
iNoob435 Newbie cheater Reputation: 0
Joined: 16 Jun 2018 Posts: 17
Posted: Wed Jun 20, 2018 3:19 pm
Hehe.
I get what you mean. But my problem is not with C++. I have trouble finding the specific addresses that I need. It's been only a couple of days since I started trying to scan memory addresses, so I have a lot of trouble, you may say. The previous two questions I asked, I solved them, and well, I was able to make a triggerbot and an Infinite UAV hack. However, with the norecoil one, I'm completely confused. In the memory viewer I get 007F108D-F changing the values that associate it with the recoil. However, some other address is writing the values to it, because changing those values doesn't work and they are simply replaced with a similar value after being changed. So I right-click these addresses and there are a few addresses writing to it. But they keep writing constantly, like they don't start when I shoot in-game or something. There are three similar addresses that are writing constantly. Whenever I change their opcode to nop, the game completely crashes altogether. I'm not sure which address I should change and which one is the recoil one. I've, like, wasted hours on it but I don't find anything. When I add the values that are writing to it to my program, they again have some random values that don't change and nothing reading/writing to them.
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Wed Jun 20, 2018 5:30 pm
If it's an fstp instruction that's writing to it, try changing it to fstp st(0) instead of nopping it.
Otherwise they're probably shared instructions, try finding where it's called for the value you care about by setting a breakpoint and opening the breakpoint window and right clicking the breakpoint and set a condition to check for the reg+offset equaling the address of the value you found (it's in lua so remember to prefix numbers with 0x for hex), then let the game hit the breakpoint, remove the breakpoint, and then use the "execute til return" or whatever it's called shortcut shift+F8 iirc. Look 1 instruction up and you should see a call, try skipping over that entire call somehow (nop the pushs, call, pops, change a conditional jmp nearby etc.) and see what happens.
iNoob435 Newbie cheater Reputation: 0
Joined: 16 Jun 2018 Posts: 17
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Thu Jun 21, 2018 12:09 pm
007F108C is 1 byte before 007F108D, and since most 4-byte values are going to start at some multiple of 4 (0, 4, 8, C, 10 etc.) and the middle instruction is clearly writing a "dword" aka a 4-byte value, it makes perfect sense.
And yes, it's an fstp aka "Float STore and Pop", and if you simply nop it then it no longer pops the value from the FPU stack, which is likely to cause a crash just like not popping values from the CPU/thread stack. Based on how it's accessing the address, it's also possibly a shared instruction that affects dozens-hundreds-thousands of other addresses, and not changing those could crash the game.
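To make the address arithmetic in this thread concrete (row base plus column in the hex viewer, the aligned dword containing 007F108D, and an addressing form like [edi+esi*4+00000108] landing on 007F108C), here is an added Python example; it is not from the thread, and the row bytes and register values in it are constructed for illustration.

```python
import struct

# Constructed sample row in the layout described above: the address on the
# left is the first byte of the row, each column adds one to it, and a
# separator falls every 8 bytes.  The byte values are made up.
SAMPLE_ROW = "007F1088  00 00 00 00 00 00 00 3F  00 00 80 3F 00 00 00 00"


def parse_hexview_row(line):
    """Return (row_base, data) for one hex-viewer row like SAMPLE_ROW."""
    parts = line.split()
    row_base = int(parts[0], 16)
    data = bytes(int(tok, 16) for tok in parts[1:])
    return row_base, data


def byte_address(row_base, column):
    """Absolute address of the byte in the given 0-based column of a row."""
    return row_base + column


def aligned_dword(addr):
    """Start of the naturally aligned 4-byte value containing addr
    (0x...8D, 0x...8E and 0x...8F all map to 0x...8C)."""
    return addr & ~0x3


def dword_as_float(row_base, data, addr):
    """Read the aligned dword containing addr as a little-endian IEEE-754
    single, which is what 'fstp dword ptr [...]' stores there."""
    start = aligned_dword(addr) - row_base
    return struct.unpack("<f", data[start:start + 4])[0]


def effective_address(base, index, scale, disp):
    """x86 effective address [base + index*scale + disp], 32-bit wrap."""
    return (base + index * scale + disp) & 0xFFFFFFFF


def hits_for_address(register_snapshots, target, scale=4, disp=0x108):
    """Mimic a conditional breakpoint on a shared instruction: keep only the
    register snapshots whose effective address equals the watched address.
    Snapshot values are hypothetical, constructed for the example."""
    return [s for s in register_snapshots
            if effective_address(s["edi"], s["esi"], scale, disp) == target]
```

With edi = 0x7F0F80 and esi = 1 (constructed values), [edi+esi*4+0x108] resolves to 0x7F108C, the aligned dword that contains the bytes at 0x7F108D-8F.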
iNoob435 Newbie cheater Reputation: 0
Joined: 16 Jun 2018 Posts: 17
Posted: Thu Jun 21, 2018 1:26 pm
Alright, thanks. I may be a bit irritating, but on 007F108C the first two opcodes along with the addresses mentioned are writing to it. The third one is not there at all. But what confuses me is that there again is an fstp dword ptr [edi+esi*4+00000108] opcode. So when I calculate this it again refers to 007F108C, so how do I get to the right address, and which code do I change, and change it to what?
FreeER Grandmaster Cheater Supreme Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Thu Jun 21, 2018 2:34 pm
Well, if you're just going to overwrite the bytes with 0 repeatedly, then use 007F108C and overwrite 5 bytes ¯\_(ツ)_/¯
If you're going to hook the code, then hook one; if it works you're done, if not try the other, and if that doesn't work then hook both ¯\_(ツ)_/¯
The only "right" address is the one that works; don't complicate it more than that.
But yeah, it's odd that the third instruction would be reading at ...D as a 4-byte value, not ...C.
iNoob435 Newbie cheater Reputation: 0
Joined: 16 Jun 2018 Posts: 17
Posted: Fri Jun 22, 2018 3:10 am
Hehe.
I just now think that the recoil is being sent from the server and there may be no way to counter it other than getting the values from 007F108C and adding the opposite value by emulating the recoil into where the player is looking, which may be nearly impossible.