Tutorial CS:GO Radar hack

  • CSGO recently moved logic from 'client_panorama.dll' to 'client.dll', you must update all code that uses 'client_panorama.dll' and replace it with 'client.dll' or the code will not work.

Flash

Newbie
Nov 27, 2015
4
52
0
Sup guys! Here's a method to make a radar hack.
You need:
Cheat Engine
OllyDbg

1. Start a local game
2. Join a team
3. Add a bot in opposite team
4. Set sv_cheats 1 and bot_stop 1
5. Walk up to the bot so you see it on your radar
6. Search for value 1 as type 1 byte
7. Turn around or walk a bit so the bot doesn't show on radar anymore
8. Next search for 0
9. Repeat steps 5 to 8 until you have a few values left
Then try freezing some of them, walk away from the bot and it should stay visible on the radar.
Do that until you have 1 value left.

Alright, now I open debugger, go to the address that I found earlier.
Right-click it, Breakpoint -> Memory Breakpoint, Access

And it hits on an instruction that looks like this:
14C41803 |> 8A8437 1D0D0000 MOV AL,BYTE PTR DS:[EDI+ESI+D1D]

Remove your memory breakpoint and put a regular breakpoint on it.

Add a few more bots & add the addresses right after the one you found as 1 byte also, if you found eg 12345030, then you add 12345031 12345032 12345033 12345034 etc.
Try freeze them all to 1 and you should see all enemies on radar all the time.

Alright, now take a look at what's in EDI and ESI.

If we run/break a few times we see that EDI moves similar to this:
EDI 00000002
EDI 00000003
EDI 00000006
It's obvious that it's player index in the array.

ESI 20A428A8
ESI 2725AE10
ESI should look similar to this (addresses vary ofc. depending on allocation base of the modules)

In your memory-scanner (CE) search for the first ESI value, 20A428A8 as 4 bytes (remember to tick the Hex box).

We find it in a bunch of places.
Disconnect your server & make a new one.

Now when we break on
14C41803 |> 8A8437 1D0D0000 MOV AL,BYTE PTR DS:[EDI+ESI+D1D]
check the value of ESI (our pointer) and look in CE if some of the addresses we found before holds the new ESI.

I found 2 static places for this:
client.dll+4CE070
client.dll+4D4BA4

So now we know that:
*(client.dll+4CE070) = ESI
*(ESI + index + D1D) set to 1 to show on radar

To be sure of finding things on next update I search for the address of client.dll+4CE070 and find that it's found static at:
14B02E70 /$ A1 70E0F614 MOV EAX,DWORD PTR DS:[14F6E070]
14B02E75 |. 85C0 TEST EAX,EAX
14B02E77 |. 74 06 JE SHORT client.14B02E7F
14B02E79 |. 05 A8040000 ADD EAX,4A8
14B02E7E |. C3 RETN
14B02E7F |> 33C0 XOR EAX,EAX
14B02E81 \. C3 RETN

So we make a byte-signature for this so we easily can find it:
A1 ?? ?? ?? ?? 85 C0 74 06 05

Alright, now let's code this up in C++.
C++:
//n! yo
#include <Windows.h>

// FindPattern & DataCompare by dom1n1k
BOOL DataCompare( BYTE* pData, BYTE* bMask, char * szMask )
{
	for( ; *szMask; ++szMask, ++pData, ++bMask )
		if( *szMask == 'x' && *pData != *bMask )
			return FALSE;

	return ( *szMask == NULL );
}

DWORD FindPattern( DWORD dwAddress, DWORD dwLen, BYTE *bMask, char * szMask )
{
	for( DWORD i = 0; i < dwLen; i++ )
		if( DataCompare( (BYTE*)( dwAddress + i ), bMask, szMask ) )
			return (DWORD)( dwAddress + i );

	return 0;
}

DWORD MainThread( LPVOID lpArgs )
{
	HMODULE hClient = GetModuleHandleA( "client.dll" );
	while(hClient == NULL) { hClient = GetModuleHandleA( "client.dll" ); }
	
	DWORD dwDrawOnRadar = FindPattern((DWORD)hClient, 0x005E5000, (BYTE*)"\xA1\x00\x00\x00\x00\x85\xC0\x74\x06\x05", "x????xxxxx") + 1;
	dwDrawOnRadar = *(DWORD*)dwDrawOnRadar;
	
	while(1)
	{
		// Loop through all indexes in the array
		for(int i = 0;i < 0x4F;i++) // at 0x50 seems to be start of clan name
		{
			// Short explanation, in the code we reversed,
			// ESI is dwDrawOnRadar (pointer)
			// EDI is i (player index)
			BYTE* pDrawOnRadar = (BYTE*)((*(DWORD*)dwDrawOnRadar) + 0xD1D + i);
			
			// 1 = draw on radar
			*pDrawOnRadar = 1;
		}

	}

	return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
	if(dwReason == DLL_PROCESS_ATTACH)
	{
		DWORD dwThreadID = 0;
		HANDLE hThread = CreateThread( NULL, NULL, (LPTHREAD_START_ROUTINE)MainThread, NULL, NULL, &dwThreadID );
	}
	
	return TRUE;
}
Have fun!


I'm not responsible for anything that could damage ur Steam account!
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,073
78,998
2,371
noice tutorial! thanks for sharing
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,294
37,938
269
don't forget to sleep in those loops else cpu usage 4 dayz
 

username123

Newbie
May 14, 2016
1
32
0
2 Questions:
1. If I write into the variable pdrawonradar, is the hack detected by VAC, assuming the rest of my code is secure? Or is it OK to write there in memory because it's not read-only? I'm asking because I'm wondering how to implement some hack functions without writing into memory.
2. For private only radar hack (no copy paste) can I do it internal or do I have to make it ring0?
Sorry for bad english.
 

blinkapec

Newbie
Nov 13, 2013
2
102
0
Is this method still working? I can't try it for now, but yesterday I was looking at every enemy's coordinates in the entity list, and they were updated only when somebody saw the enemy. Am I doing something wrong, or was it some update?
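
The behaviour described in the last post (enemy coordinates that update only while someone sees the enemy) is what a server that withholds unspotted positions looks like from the client side. A minimal model of that mitigation follows as an added example; it is not code from this thread or from the game, and every type, name and value in it is constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model: the authoritative state exists only on the server.
struct Vec2 { float x, y; };
struct Player {
    int  team;      // 0 or 1
    Vec2 pos;       // true position, never sent unless allowed below
    bool spotted;   // computed server-side from line of sight
};

// One slot of the per-client update.
struct SlotUpdate { int index; bool has_pos; Vec2 pos; };

// Teammates are always sent; enemies only while the server marks them spotted.
std::vector<SlotUpdate> build_snapshot(const std::vector<Player>& players, int viewer_team) {
    std::vector<SlotUpdate> out;
    for (std::size_t i = 0; i < players.size(); ++i) {
        const Player& p = players[i];
        bool send = (p.team == viewer_team) || p.spotted;
        SlotUpdate u = { static_cast<int>(i), send, send ? p.pos : Vec2{0.0f, 0.0f} };
        out.push_back(u);
    }
    return out;
}

// Client-side radar state: a per-slot draw flag plus whatever the server sent.
struct ClientRadar {
    std::vector<std::uint8_t> draw_flag;
    std::vector<bool> has_pos;
    std::vector<Vec2> last_pos;
    explicit ClientRadar(std::size_t n) : draw_flag(n, 0), has_pos(n, false), last_pos(n) {}
    void apply(const std::vector<SlotUpdate>& snap) {
        for (std::size_t k = 0; k < snap.size(); ++k) {
            const SlotUpdate& u = snap[k];
            draw_flag[u.index] = u.has_pos ? 1 : 0;
            if (u.has_pos) { has_pos[u.index] = true; last_pos[u.index] = u.pos; }
        }
    }
};

// Does the client hold a position for `slot` once its local flag is forced to 1?
bool position_known_after_flag_write(int slot, bool server_spotted) {
    std::vector<Player> players;
    players.push_back(Player{0, {10.0f, 10.0f}, false});            // viewer's teammate
    players.push_back(Player{1, {500.0f, 300.0f}, server_spotted}); // enemy
    ClientRadar radar(players.size());
    radar.apply(build_snapshot(players, 0));
    radar.draw_flag[slot] = 1;   // local flag write changes nothing the server sent
    return radar.has_pos[slot];
}
```

Because the position data is filtered before it leaves the server, the flag on the client only controls whether already-received data is drawn.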
 