AssaultCube PlayerBase & Offsets


Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
I spent half an hour digging through AssaultCube and found the player base.


Player Base: "ac_client.exe"+0x109B74 / 0x509B74
Player Health: 0xF8
Player Primary: 0x128
Player Primary Clip: 0x150
Player Secondary: 0x114
Player Secondary Clip: 0x13C
Player Grenade Ammo: 0x158
Player Armor: 0xFC
Player Position X: 0x4
Player Position Y: 0x8
Player Position Z: 0xC
Player View Angle Vertical: 0x44
Player View Angle Horizontal: 0x40
Time Between Knives: 0x160
Pistol Timer: 0x164
Primary Timer: 0x178
Grenade Timer (?): 0x180
Mouse Button Down: 0x224
Entity Base: "ac_client.exe"+0x110D90 / 0x510D90
TeamOffset1: 0x204
TeamOffset2: 0x32C

The grenade timer, when set to zero, lets you throw grenades slightly faster. If anyone knows how to get the crosshair ID, and the entity list, I would be grateful if you shared. I can't find either.

Edit:
I found the entity list and the teamnum. There are two teamnum offsets, and they are inverted. I'd recommend checking both, then seeing which one corresponds to which team (that's a riddle on its own), then using that for whatever hacks you want.

The entity list has the players each 4 bytes apart.
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
Rather than make a new thread for this, I thought I'd post the updated list here.

Client Address: 0x400000
Player Base: "ac_client.exe"+0x109B74 / 0x509B74
Player Health: 0xF8
Player A-Rifle: 0x128
Player A-Rifle Clip: 0x150
Player MachineGun: 0x120
Player MachineGun Clip: 0x148
Player Sniper: 0x124
Player Sniper Clip: 0x14C
Player Shotgun: 0x11C
Player Shotgun Clip: 0x144
Player Carbine: 0x118
Player Carbine Clip: 0x140
Player Pistol: 0x114
Player Pistol Clip: 0x13C
Player Grenade Ammo: 0x158
Player Armor: 0xFC
Player Position X: 0x4
Player Position Y: 0x8
Player Position Z: 0xC
Player Yaw: 0x40
Player Pitch: 0x44
Player Roll: 0x48
Time Between Knives: 0x160
Pistol Timer: 0x164
A-Rifle Timer: 0x178
Machine Gun Timer: 0x170
Sniper Timer: 0x174
Shotgun Timer: 0x16C
Carbine Timer: 0x168
Grenade Timer (?): 0x180
Mouse Button Down: 0x224
Entity Base: "ac_client.exe"+0x110D90 / 0x510D90
Entity Base Offsets: 0x0 + (4 bytes per player, starting at 0)
0xF8 (for health)
TeamNum1: 0x204
TeamNum2: 0x32C

I got the rest of the weapon ammo offsets, as well as their timers. There's enough here to make a full trainer; all you have to do is put it into code.

Have fun!
 

Cryslacks

Dank Tier Donator
Nobleman
Dec 10, 2013
Thanks +1
Thanks for releasing; I think many newcomers will find this useful.
 

Cyrion

Coder
Dank Tier Donator
Nobleman
Dec 31, 2013
You could at least put the offsets in order :p Nice job though.
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
Thanks +1
Thanks for releasing; I think many newcomers will find this useful.
You could at least put the offsets in order :p Nice job though.
No problem, it was pretty easy to get these :D

Cyrion, Yeah, I'm pretty lazy when it comes to organizing offsets lol. Here's the list in order:
Client Address: 0x400000
Player Base: "ac_client.exe"+0x109B74 / 0x509B74

Player Position X: 0x4
Player Position Y: 0x8
Player Position Z: 0xC
Player Yaw: 0x40
Player Pitch: 0x44
Player Roll: 0x48
Player Health: 0xF8
Player Armor: 0xFC
Player Pistol: 0x114
Player Carbine: 0x118
Player Shotgun: 0x11C
Player MachineGun: 0x120
Player Sniper: 0x124
Player A-Rifle: 0x128
Player Pistol Clip: 0x13C
Player Carbine Clip: 0x140
Player Shotgun Clip: 0x144
Player MachineGun Clip: 0x148
Player Sniper Clip: 0x14C
Player A-Rifle Clip: 0x150
Player Grenade Ammo: 0x158
Time Between Knives: 0x160
Pistol Timer: 0x164
Carbine Timer: 0x168
Shotgun Timer: 0x16C
Machine Gun Timer: 0x170
Sniper Timer: 0x174
A-Rifle Timer: 0x178
Grenade Timer (?): 0x180
TeamNum1: 0x204
Mouse Button Down (?): 0x224
TeamNum2: 0x32C

Entity Base: "ac_client.exe"+0x110D90 / 0x510D90
Entity Base Offsets: 0x0 + (4 bytes per player, starting at 0)

I realized the mouse button down offset may be wrong. I got that when I was in an empty map. I checked again today, and it seems that it changes to the name when in a map with bots (?).
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
For learning purposes, these offsets relate to the classes persistent_entity, physent, entity and playerstate from the entity.h file in the AssaultCube source code.
 

eDeris

Newbie
Dec 10, 2014
I'm having an issue with finding the second offset! I get a bunch of addresses that don't equal the other 2 addresses. I'm on part 2 of the video series. I'll post pictures. If someone could help, it'd be greatly appreciated! (attachment: Addresses.PNG)
 

dmo

Coder
Full Member
Nobleman
Nov 8, 2014
I'm having an issue with finding the second offset! I get a bunch of addresses that don't equal the other 2 addresses. I'm on part 2 of the video series. I'll post pictures. If someone could help, it'd be greatly appreciated! (attachment)
Using the Pointer Scanner with level 2 should be good to find what you need, I think. I know it is nice to find everything manually, but let's make our lives easier using the pointer scan, ty.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
The pointer to values relating to the player or the bots only has 1 offset.
0x509B74 = Pointer to Base of LocalPlayer structure in memory
According to your picture the above address holds this value: 0x020fa2c0
That is the address of the LocalPlayer structure in memory.
Add +0xF8 to get your health value,
or add +0x114 to get the address that holds the value for Pistol Ammo (not in current magazine). (There is another address for ammo in current magazine.)

So your pointer for LocalPlayer Base is "0x509b74 + 0"
Your pointer for Health is "0x509b74 + f8"
Your pointer for AmmoPistol is "0x509b74 + 114"

These are all single level pointers.
I hope that was helpful!
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
can you explain what a pointer offset is?
A pointer is a static piece of memory that points at memory that may (or may not) be dynamic. An offset is what changes where that pointer is pointing.
 

swordofestel

Newbie
Full Member
Sep 21, 2014
Hi there, I got a question, not sure if this was asked before.
Looking at "ac_client.exe"+0x109B74/0x509B74, 0x509B74 is the base address for the player, but what does "ac_client.exe" + 0x109B74 exactly mean? I can use either address to search it up in CE, so does it mean that it doesn't really matter which one I use?
And is there a difference between "ac_client.exe"+0x12345678 and ac_client.exe+0x12345678?
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
what does "ac_client.exe" + 0x109B74 exactly mean? I can use either address to search it up in CE, does it mean that it doesn't really matter which one I use?
ac_client.exe is a module that is loaded into memory. When you see "ac_client.exe" it means "the place in memory where ac_client.exe is loaded". It is the memory address where ac_client.exe begins. It can load into a different place in memory each time it is loaded. If you are taking your Cheat Engine data and trying to code a hack you can view this thread:
https://guidedhacking.com/showthread.php?5781-SpoonFed-Get-Module-Base-Address

I can use either address to search it up in CE, does it mean that it doesn't really matter which one I use?
In Cheat Engine you can use either; Cheat Engine will evaluate the value of "ac_client.exe".
 

swordofestel

Newbie
Full Member
Sep 21, 2014
Thanks for the explanation. So the module ac_client.exe may not always be loaded at the same memory address, but the result of adding the module base address and the offset will always give the correct player base address unless the game has been updated?

Also, I just finished Fleep's Assault Cube DLL injection tutorial series a few days ago. I noticed a few differences in the methods used between the trainer and the DLL.

1. FindDmaAddy: In the trainer, it uses ReadProcessMemory to read the address of the pointer, while in the DLL it does not and uses *(DWORD*)(BaseAddress) and Ptr = *(DWORD*)(Ptr + Offsets).
I got a bit confused by the syntax of the pointers. Here (DWORD*)BaseAddress is declaring a pointer of type DWORD called BaseAddress, then the first * is essentially the same as reading the contents of that memory location? Can you explain this a bit?

2. Using memcpy instead of WriteProcessMemory is better because it is not intensive on the CPU.

I ran into a fatal error crash whenever I activated the hack and shot. But I found out what was wrong, a silly typo :eek:
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
the module ac_client.exe may not always be loaded in the same memory address, but the result of adding the module base address and the offset will always give the correct player base address unless the game has been updated?
Correct

1. FindDmaAddy: In the trainer, it uses ReadProcessMemory to read the address of the pointer while in the DLL, it does not and uses *(DWORD*)(BaseAddress) and Ptr = *(DWORD*)(Ptr + Offsets).
I got a bit confused on the syntax of the pointers. Here (DWORD*)BaseAddress is declaring a pointer of type DWORD called BaseAddress, then the first * is essentially the same as reading the contents of that memory location? Can you explain a bit on this?

That's the difference between internal and external. The trainer was external and you have to use RPM to read the memory of another process. With DLL injection your code is internal, so you have direct access to that process's memory.
I'm not 100% on what you are referencing but...
"(DWORD*)BaseAddress" is not declaring a pointer; it is called typecasting. It is taking the variable BaseAddress and dereferencing it with the *, which means it is taking the value pointed to by BaseAddress (which implies that BaseAddress is itself a pointer), and treating it as if it was a DWORD (that's the typecasting bit).

2. Using memcpy instead of WriteProcessMemory is better because it is not intensive on the CPU
Yes, it is expensive to use RPM and WPM; by nature of WPM it can only write a byte at a time. memcpy can be used in the internal injected hack because it has access to that memory region.

Happy hacking, sounds like you're making good progress!
 

swordofestel

Newbie
Full Member
Sep 21, 2014
Correct
I'm not 100% on what you are referencing but...
"(DWORD*)BaseAddress" is not declaring a pointer; it is called typecasting. It is taking the variable BaseAddress and dereferencing it with the *, which means it is taking the value pointed to by BaseAddress (which implies that BaseAddress is itself a pointer), and treating it as if it was a DWORD (that's the typecasting bit).
I am referring to these 3 statements in the FindDmaAddy function.

1. DWORD Ptr = *(DWORD*)(BaseAddress);
2. Ptr = (DWORD)(Ptr + Offsets);
3. Ptr = *(DWORD*)(Ptr + Offsets);

The correct way to read 1 and 3 is: type cast into DWORD pointer, dereference it, and store in Ptr. And No. 2 is just type cast into DWORD and store in Ptr?
I felt that this concept of pointers is hard to visualise, so I tried to come up with my own way of understanding it.
(attachment)
Let's say I take ammo for example; the base address is 00509B74.
By following 1, BaseAddress is type cast into a DWORD pointer, then dereferenced to 0097A700, and stored in Ptr.
Following 3, Ptr works up to 0097A848.
At the last step, Ptr is already a normal address and not a pointer anymore, so it is just (DWORD)(Ptr + Offsets) instead of *(DWORD*)(Ptr + Offsets); maybe that's why Fleep says to be careful not to put the * on the last run of the loop.

Wew at the amount of work to understand this. But I hope this understanding is correct, as I can "see it" and learn better.
And thanks for the explanation again!

I have another question regarding the hacks. So the DLL is made to freeze the health value at 1337, and I went into an empty map and tried to kill myself with a grenade and I died. I raised the health value to 8000 and reduced the timer update delay from 100ms to 20ms, and I still die from the grenade. Why is this so?
It seems like I will die from burst damage, but not from small damage like bots attacking me.
 
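The pointer arithmetic discussed across this thread, as one added worked example that is not code from the thread, from Fleep's tutorial or from the AssaultCube project: Solaire's offset tables (player base at "ac_client.exe"+0x109B74, entity list at "ac_client.exe"+0x110D90 holding 4-byte pointers, health at +0xF8, TeamNum1 at +0x204), Rake's single-level pointer walkthrough (0x509B74 + F8), and the three FindDmaAddy statements quoted above. To compile and run anywhere, it models the 32-bit target as a constructed byte array; the function and macro names (rpm, peek32, poke32, find_dma_addy, build_image, MAX_PLAYERS) are mine, rpm() stands in for ReadProcessMemory and fails outside the mapped window, the sample entities and their health and team values are made up, and the 32-slot cap and the skipping of NULL slots are assumptions, not facts from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses posted in the thread (32-bit ac_client.exe, default base 0x400000). */
#define MODULE_BASE     0x00400000u
#define PTR_LOCALPLAYER (MODULE_BASE + 0x109B74u)  /* "ac_client.exe"+0x109B74 = 0x509B74 */
#define PTR_ENTITYLIST  (MODULE_BASE + 0x110D90u)  /* "ac_client.exe"+0x110D90 = 0x510D90 */
#define OFF_HEALTH      0xF8u
#define OFF_TEAM1       0x204u
#define MAX_PLAYERS     32u   /* assumed cap on entity-list length, not from the thread */

/* Constructed stand-in for the target's address space: a 2 MiB window that
 * starts at MODULE_BASE.  Nothing in it is real game memory. */
#define WINDOW_SIZE 0x200000u
static uint8_t g_mem[WINDOW_SIZE];

/* ReadProcessMemory stand-in: false outside the window, as RPM fails on an
 * unmapped address.  An injected DLL would instead just do *(DWORD *)addr. */
static bool rpm(uint32_t addr, void *out, size_t n)
{
    if (addr < MODULE_BASE || (uint64_t)(addr - MODULE_BASE) + n > WINDOW_SIZE)
        return false;
    memcpy(out, g_mem + (addr - MODULE_BASE), n);
    return true;
}
static int32_t peek32(uint32_t addr) { int32_t v = 0; rpm(addr, &v, sizeof v); return v; }
/* Setup-only writer for the fake image (WriteProcessMemory stand-in). */
static void poke32(uint32_t addr, uint32_t v) { memcpy(g_mem + (addr - MODULE_BASE), &v, sizeof v); }

/* Fleep-style FindDmaAddy: read the pointer stored at base, then for each
 * offset except the last add it and dereference again.  The last offset is
 * only added, so the result is the address of the value, not the value. */
static bool find_dma_addy(uint32_t base, const uint32_t *offs, size_t n, uint32_t *out)
{
    uint32_t ptr;
    if (n == 0 || !rpm(base, &ptr, sizeof ptr) || ptr == 0)
        return false;
    for (size_t i = 0; i + 1 < n; i++)
        if (!rpm(ptr + offs[i], &ptr, sizeof ptr) || ptr == 0)
            return false;                      /* NULL in the chain: empty slot */
    *out = ptr + offs[n - 1];
    return true;
}

/* Single-level pointer: 0x509B74 -> playerent, playerent+0xF8 -> health. */
int32_t local_health(void)
{
    uint32_t a, off[] = { OFF_HEALTH };
    return find_dma_addy(PTR_LOCALPLAYER, off, 1, &a) ? peek32(a) : -1;
}

/* Two-level pointer through the list: 0x510D90 -> pointer array,
 * array+4*i -> i-th playerent, +0xF8 -> health.  -1 for an empty slot. */
int32_t entity_health(int i)
{
    uint32_t a, off[] = { 4u * (uint32_t)i, OFF_HEALTH };
    return find_dma_addy(PTR_ENTITYLIST, off, 2, &a) ? peek32(a) : -1;
}

/* Walk the entity list (4-byte pointers, index 0 first, NULL slots skipped)
 * and count living players whose TeamNum1 differs from my_team. */
int count_living_enemies(int32_t my_team)
{
    uint32_t list, ent;
    int n = 0;
    if (!rpm(PTR_ENTITYLIST, &list, sizeof list))
        return -1;
    for (uint32_t i = 0; i < MAX_PLAYERS; i++) {
        if (!rpm(list + 4u * i, &ent, sizeof ent) || ent == 0)
            continue;
        if (peek32(ent + OFF_HEALTH) > 0 && peek32(ent + OFF_TEAM1) != my_team)
            n++;
    }
    return n;
}

/* Fill the fake image with made-up data: a pointer array with one NULL slot
 * and four playerents.  Returns how many non-NULL entities were placed. */
int build_image(void)
{
    const uint32_t ents[]   = { 0x00580000u, 0x00581000u, 0u, 0x00582000u, 0x00583000u };
    const int32_t  health[] = { 100, 50, 0, 80, 0 };
    const int32_t  team[]   = { 0, 1, 0, 0, 1 };
    const uint32_t list = 0x00590000u;
    int placed = 0;
    memset(g_mem, 0, sizeof g_mem);
    poke32(PTR_LOCALPLAYER, ents[0]);          /* slot 0 is the local player */
    poke32(PTR_ENTITYLIST, list);
    for (uint32_t i = 0; i < sizeof ents / sizeof ents[0]; i++) {
        poke32(list + 4u * i, ents[i]);
        if (ents[i] == 0) continue;
        poke32(ents[i] + OFF_HEALTH, (uint32_t)health[i]);
        poke32(ents[i] + OFF_TEAM1, (uint32_t)team[i]);
        placed++;
    }
    return placed;
}

int main(void)
{
    build_image();
    printf("local health %d, entity[3] health %d, entity[2] health %d, living enemies of team 0: %d\n",
           local_health(), entity_health(3), entity_health(2), count_living_enemies(0));
    return 0;
}
```

Two details worth noticing: find_dma_addy treats a NULL anywhere in the chain as a failure instead of happily computing 0 + offset, which is what a raw *(DWORD*)(Ptr + Offset) would do on an empty list slot and then crash on; and the last offset is added but never dereferenced, which is exactly the "no * on the last run" point raised above. To use this against the real process, replace rpm() with a ReadProcessMemory call (external) or a plain dereference (injected DLL) and MODULE_BASE with the base returned for "ac_client.exe".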

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
I have another question regarding the hacks. So the dll is made to freeze the health value at 1337, and I went in to an empty map and tried to kil myself with a grenade and I died. I raised the health value to 8000 and reduced the timer update delay from 100ms to 20ms, and I still die from the grenade. Why is this so?
It seems like I will die from burst damage, but not from small damage like bots attacking me.
This is because no matter what, if you are within a certain range of the grenade, you will die. Do a "Find what accesses this" search on the player health. There should be a cmp. That's probably the check if you're dead/alive.

As for the rest, I'm tired and can't really think right now :p
 