Tutorial AssaultCube noscope patch



Apr 16, 2016
Hey guys, first post ever. After watching and reading a bunch of tutorials, I decided to share what I've learned in hope that someone else finds it useful.
I'm basically making this tutorial to teach myself and get some feedback from the community.

A little background:
I have little to no C++, C# or ASM knowledge, but I do know Python and Java.
I decided to use x64dbg over Ollydbg or Immunity Debugger because I prefer it, prefer the look of it, and figured there are already enough Ollydbg tutorials out there and something new would be cool.
I apologize if any information is wrong, or misrepresented. I welcome constructive criticism.

Notepad++ (General note taking and Python coding)
Python 2.7 (I recommend Anaconda)

Python libs (needed for injector only):
- hackManager
- winappdbg

Thanks to:
Everyone who contributes to the GuidedHacking community.
Fleep (Video tutorials on Ollydbg)
Styx™ (Creating a File Patcher)
SirFroweey (Creator of hackManager)

Part 1. Finding the address
Part 2. Making a patcher in Python
Part 3. Making an injector in Python

Part 1: Finding the address

1. Open AssaultCube and attach x32dbg to it (I'm assuming you can figure this out - shortcut is ALT-A).
We are using x32dbg (the 32bit version of x64dbg) because ac_client.exe is 32 bit. x64dbg comes with both versions.

2. Click on the Symbols tab, and double click on the ac_client.exe module.

3. Right click in the CPU window and go to Search for->Current Module->String references.

4. At the bottom, search for "scope". Double-click on the first result (I'm making a guess that the method that draws the scope might also load the overlay image.)

5. Start setting breakpoints at various locations around the address with the string "packages/misc/scope.png".

You can right click and go to Breakpoint->Toggle, double click on the hex code, or press F2 to set breakpoints.

If AssaultCube is paused (you can see the status in the bottom left corner in x32dbg), press F9 to run it. You will have to do this every time a breakpoint pauses the game.

6. Go back to AssaultCube, and try to scope in (right click). If one of the breakpoints is triggered, it means that it is likely inside the drawScope() function.

However just because a breakpoint is not triggered does not mean it is not in the function. I recommend putting breakpoints on jumps and calls.

Spoiler: I don't know assembly that well and am really just using trial and error.

7. Use breakpoints to determine the "scope" of the function. By scope I mean where it begins and where it ends.

Rinse and repeat with the breakpoints until you find where the function begins and ends.

Use comments generously as that will help you determine what things do.

Functions usually end with a return (ret), so looking for a function start right after one and a function end at one can help.

Once you have the beginning and end, select it all and right click and go to Add Function. This will help us find it easily later.
(To view your added functions, click the little "fx" button on the toolbar.)

Hint: The drawScope() function starts at 408080, and ends at 4084FA.
You can find the offset (if you wish) by double clicking on the address to set a base.

8. Inside this function, systematically reverse all the jump instructions.

For example, the first jump in the function looks like:

408093 ==> jne 0x4080b3
In order to reverse it, you would change jne (jump if not equal) to je (jump if equal).

So it would look like:

408093 ==> je 0x4080b3
A full list of jump instructions with descriptions

After every edit, make sure to test it in AC and then if it does nothing, change it back. This will reduce the risk of crashes.
If it does crash, x32dbg will save our comments and our function.

9. Success! We luckily found the if statement that decides to draw the scope or not on our second try!

Usually things are harder to find, but this was just a lucky break.

At 4080B7, when you reverse the jne, you no longer see the scope when you right click in AC but it still zooms in.

Notice how when you change the assembly, the hex changes as well. Changes in the hex are highlighted in red.

The only change is an 85 to an 84 - a single byte change - but it makes a world of difference in-game.

10. The whole line of bytes starts at 4080B7, but notice how the next line starts at 4080BD.

D (in hex) = 13 (in decimal)
13 - 7 = 6

And lo and behold, there are 6 bytes in the line.

This means that the byte we want to change (85 to 84) is located at the address 4080B8 (start of line + 1 since our byte is second).

What to take away:

noscope address = 4080B8
To enable our hack, we need to change the byte at our address to 84.
To disable it, we need to change it back to 85.

Now that we have that information, we can move on to coding the patcher or injector.

Thanks for reading, hope you learned something.
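
The byte arithmetic from steps 9 and 10, as an added example that is not part of the original post (Python 3, standard library only). It decodes the 6-byte near conditional jump and compares a known-good copy of the bytes with a modified copy to flag an inverted condition, the kind of check an integrity scan would run. The leading 0F byte follows from the standard x86 encoding of a 6-byte jne; the rel32 displacement is constructed, not read from ac_client.exe, and the function names are hypothetical.

```python
import struct

# Second opcode byte of the near conditional jumps, 0F 80 .. 0F 8F.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

def decode_near_jcc(code, addr):
    """Decode a 6-byte `0F 8x rel32` jump located at address `addr`."""
    if len(code) < 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("not a near conditional jump")
    rel32 = struct.unpack_from("<i", code, 2)[0]   # signed, little-endian
    return {
        "mnemonic": JCC[code[1] & 0x0F],
        "next": addr + 6,                          # start of the following line
        "target": (addr + 6 + rel32) & 0xFFFFFFFF, # relative to the next line
        "cond_byte_addr": addr + 1,                # byte that selects the condition
    }

def find_inverted_jcc(baseline, current, base):
    """Report near jumps whose condition was flipped between two copies of a
    code region (only the low bit of the second opcode byte differs).
    Simplification: scans for 0F 8x linearly instead of disassembling."""
    hits = []
    for i in range(len(baseline) - 5):
        if baseline[i] != 0x0F or not 0x80 <= baseline[i + 1] <= 0x8F:
            continue
        same_rest = current[i + 2:i + 6] == baseline[i + 2:i + 6]
        if current[i] == 0x0F and current[i + 1] == baseline[i + 1] ^ 1 and same_rest:
            hits.append((base + i + 1,
                         JCC[baseline[i + 1] & 0x0F],
                         JCC[current[i + 1] & 0x0F]))
    return hits

ADDR = 0x4080B7
# Constructed sample bytes: real opcode bytes, placeholder displacement 0x10.
ORIGINAL = bytes([0x0F, 0x85, 0x10, 0x00, 0x00, 0x00])  # jne
MODIFIED = bytes([0x0F, 0x84, 0x10, 0x00, 0x00, 0x00])  # je

if __name__ == "__main__":
    info = decode_near_jcc(ORIGINAL, ADDR)
    print(info["mnemonic"], hex(info["next"]), hex(info["cond_byte_addr"]))
    for addr, before, after in find_inverted_jcc(ORIGINAL, MODIFIED, ADDR):
        print("condition flipped at %X: %s -> %s" % (addr, before, after))
```
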
