Solved CSGO CInput GetUserCMD


norgor

Newbie
Full Member
Jul 30, 2012
23
272
0
Hello, I was wondering how to get the pointer to the CInput class in CSGO.
I have recently hooked CreateMove, and it worked just fine!
But I'm having problems getting the pointer. I've been reading and searching on many different forums, but everything I tried crashed.

I want the pointer to alter the UserCMD before it's sent to the server.
The cheat is internal.

This is what I am currently using (it keeps crashing):
C++:
// Request the versioned "VClient016" interface object from the module's interface factory.
IBaseClientDLL* pClient = (IBaseClientDLL*)CreateInterface("VClient016", NULL);
// Reinterpret the interface pointer as a DWORD array. The cast does not dereference
// anything, so element 0 of this array is the first DWORD of the object itself.
DWORD *pdwClientVMT = (DWORD*)pClient;
// Treat element 21 as an address, add the byte offset 0x5F, and load a CInput* from there.
// NOTE(review): 21 and 0x5F are hard-coded and nothing checks that the resulting address is
// readable or that it holds a CInput*; the poster reports that this version crashes.
m_pInput = *(CInput**)( pdwClientVMT[ 21 ] + 0x5F );
All help will be greatly appreciated!
 

rN'

Jr.Hacker
Meme Tier VIP
Jan 19, 2014
340
5,268
41
Nevermind that, the pointer was just incorrect. How do i get the correct CVerifiedUserCmd pointer when i already have CUserCmd?.
Next time reverse the CUserCMD? Then you know how to do that..

C++:
namespace Hooks
{
	// Replacement for the client interface's CreateMove. It runs the original function,
	// then edits the command generated for this sequence number and overwrites the
	// "verified" copy of that command together with its checksum.
	//
	// NOTE(review): m_cmd and m_crc are both written below from inside the client process,
	// and the CRC is recomputed from the already-modified command. The checksum therefore
	// says nothing about whether the command was altered on the client; presumably any
	// trustworthy validation of these inputs has to happen server-side - confirm against
	// the engine's use of m_crc.
	VOID WINAPI CreateMove( int sequence_number, float input_sample_frametime, bool active )
	{
		// Temporarily undo the hook so the call below reaches the original implementation,
		// then re-install it.
		g_pCreateMoveVMTHook->UnHook();
		g_pClient->CreateMove( sequence_number, input_sample_frametime, active );
		g_pCreateMoveVMTHook->ReHook();

		// Load a CVerifiedUserCmd* stored at byte offset 0xE8 inside the CInput object.
		// The offset is hard-coded; the (DWORD) cast truncates the pointer to 32 bits.
		se::CInput::CVerifiedUserCmd* pVerfiedCmd = *( se::CInput::CVerifiedUserCmd** )( ( DWORD )g_pInput + 0xE8 );
		if( !pVerfiedCmd )
			return;

		// Select the slot for this sequence number; the array is indexed modulo 150.
		se::CInput::CVerifiedUserCmd* pVerfied = &pVerfiedCmd[ sequence_number % 150 ];
		se::CUserCMD* pCmd = g_pInput->GetUserCmd( 0, sequence_number ); // to do: GetUserCMD Hook

		if( !pCmd || !pVerfied )
			return;

		// Hands the command to g_pAimbot->Main before it is copied into the verified slot.
		g_pAimbot->Main( pCmd );

		// Copy the command into the verified slot and store the checksum computed from it.
		pVerfied->m_cmd = *pCmd;
		pVerfied->m_crc = pCmd->GetChecksum();
	}
}
 

brinkz

Coder
Meme Tier VIP
Sep 3, 2012
209
1,688
12
Because this is just wrong and on UC there is the reason why it is wrong as well.
Shouldn't be too hard to find out why when you'd reverse the function yourself.
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
I couldn't find anything! :(
My best bet is 5f is wrong or vtable index. idk however havent looked myself. newb on the engine still, although its one of the easiest ive seen
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
I'll continue searching until i find something then!
Just take a look at the function with a debugger or ida or whatever, just like brinkz said...
 

norgor

Newbie
Full Member
Jul 30, 2012
23
272
0
I've been searching everywhere, i used OllyDBG and IDA, but i couldn't find it. Any help on how to find it?
 

rN'

Jr.Hacker
Meme Tier VIP
Jan 19, 2014
340
5,268
41
C++:
// Dereference the interface pointer once: the value read is the first pointer-sized field
// of the object, which is then used as the base of a DWORD table.
// NOTE(review): the cast type is PDWORD_PTR* while the variable is PDWORD; the two only
// agree where DWORD and DWORD_PTR have the same size (32-bit builds).
PDWORD pdwClient = *reinterpret_cast< PDWORD_PTR* >( g_pClient );
Works for me without crash
 

norgor

Newbie
Full Member
Jul 30, 2012
23
272
0
I just changed it, but it still doesn't work.
Does anyone know what's wrong?
C++:
// Request the versioned "VClient016" interface object from the module's interface factory.
IBaseClientDLL* pClient = (IBaseClientDLL*)CreateInterface("VClient016", NULL);
// Read the first pointer-sized field of the object and use it as the base of a DWORD table.
PDWORD pdwClientVMT = *reinterpret_cast< PDWORD_PTR* >(pClient);
// Take table entry 21 as an address, add the byte offset 0x5F, and load a CInput* from there.
// NOTE(review): index and offset are hard-coded and the computed address is not validated
// before it is dereferenced.
m_pInput = *(CInput**)( pdwClientVMT[ 21 ] + 0x5F );
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
I just changed it, but it still doesn't work.
Does anyone know what's wrong?
C++:
IBaseClientDLL* pClient = (IBaseClientDLL*)CreateInterface("VClient016", NULL);
PDWORD pdwClientVMT = *reinterpret_cast< PDWORD_PTR* >(pClient);
m_pInput = *(CInput**)( pdwClientVMT[ 21 ] + 0x5F );
We've already told you what you need to look for..
 

norgor

Newbie
Full Member
Jul 30, 2012
23
272
0
Ok, I got everything to work, but I can't walk in game.

the code i currently have is:
C++:
// Hook body that only forwards its arguments to the saved CreateMove pointer; it makes no
// changes of its own to the command data.
void __fastcall hkCreateMove(IBaseClientDLL* ecx, int sequence_number, float input_sample_frametime, bool active)
{
	CreateMove(ecx,sequence_number, input_sample_frametime, active);
}
Anyone knows what's wrong?
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
Ok i got everything to work, but i cant walk in gamel.

the code i currently have is:
C++:
void __fastcall hkCreateMove(IBaseClientDLL* ecx, int sequence_number, float input_sample_frametime, bool active)
{
	CreateMove(ecx,sequence_number, input_sample_frametime, active);
}
Anyone knows what's wrong?
Show me how you hook and i'll tell you what do you need to replace the 3rd line with...
 

norgor

Newbie
Full Member
Jul 30, 2012
23
272
0
Hook function:
C++:
// Function-pointer type used to keep the original CreateMove, and the global that holds it.
typedef void (* __fastcall CMove)(int sequence_number, float input_sample_frametime, bool active);
CMove CreateMove;

// Overwrites one entry of the table that *dwVMT points to with dwHookAddress and returns
// the value that was stored there before (plus `offset`, in DWORD* units).
//
// Unlike a copy-and-swap approach, this writes into the existing table in place. The page
// protection is switched to PAGE_EXECUTE_READWRITE for the write and then set back to the
// saved value.
// NOTE(review): from a detection point of view the visible effects are a protection change
// on memory that normally stays read-only and a table entry that no longer points into the
// owning module - presumably; confirm where the table lives for the target class.
// NOTE(review): the BOOL results of both VirtualProtect calls are ignored, so a failed
// protection change is followed by the write anyway.
DWORD *HookVMTFunc(DWORD** dwVMT, DWORD* dwHookAddress, INT Index,int offset = 0)
{
	DWORD flOldProtect = 0;
	// Request write access for 4 bytes at an address derived from the table base, Index and offset.
	VirtualProtect((void*)((*dwVMT) + (Index * 4) + offset), 4, PAGE_EXECUTE_READWRITE, &flOldProtect);
	// Remember the current entry so the caller can still reach the original function.
	DWORD* pOrgFunc = ((DWORD*)(*dwVMT)[Index] + offset);
	// Store the replacement address; the (DWORD) cast assumes 32-bit pointers.
	((*dwVMT + offset)[Index]) = (DWORD)dwHookAddress;
	// Put the previous protection back on the same address range.
	VirtualProtect((void*)((*dwVMT) + (Index * 4) + offset), 4, flOldProtect, &flOldProtect);
	return pOrgFunc;
}
Code i use to hook:
C++:
// Replace entry 21 of pClient's table with hkCreateMove and keep the returned previous
// entry in the global CreateMove pointer.
CreateMove = (CMove)(HookVMTFunc((DWORD**)pClient, (DWORD*)&hkCreateMove, 21));
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
Hook function:
C++:
typedef void (* __fastcall CMove)(int sequence_number, float input_sample_frametime, bool active);
CMove CreateMove;

DWORD *HookVMTFunc(DWORD** dwVMT, DWORD* dwHookAddress, INT Index,int offset = 0)
{
	DWORD flOldProtect = 0;
	VirtualProtect((void*)((*dwVMT) + (Index * 4) + offset), 4, PAGE_EXECUTE_READWRITE, &flOldProtect);
	DWORD* pOrgFunc = ((DWORD*)(*dwVMT)[Index] + offset);
	((*dwVMT + offset)[Index]) = (DWORD)dwHookAddress;
	VirtualProtect((void*)((*dwVMT) + (Index * 4) + offset), 4, flOldProtect, &flOldProtect);
	return pOrgFunc;
}
Code i use to hook:
C++:
CreateMove = (CMove)(HookVMTFunc((DWORD**)pClient, (DWORD*)&hkCreateMove, 21));
looks okay to be honest.
 

rN'

Jr.Hacker
Meme Tier VIP
Jan 19, 2014
340
5,268
41
C++:
#ifndef _CVMTHOOK_H_ 
#define _CVMTHOOK_H_ 
#include <Windows.h> 
 
// Redirects an object's virtual-table pointer to a heap-allocated copy of the table so that
// individual entries can be replaced without writing to the original table.
//
// After bInitialize() the object's first pointer refers to memory from `new DWORD[]`
// instead of the original table, and UnHook()/ReHook() flip it back and forth. An
// integrity check that compares an object's table pointer with the address range of the
// owning module would see that difference.
//
// Table entries are stored as DWORD, so the class assumes 32-bit pointers.
class CVMTHookManager 
{ 
public: 
	// Zero every member so that UnHook()/ReHook() are no-ops until bInitialize() runs.
	CVMTHookManager( void ) 
	{ 
		memset( this, 0, sizeof( CVMTHookManager ) ); 
	} 
 
	// Construct and immediately redirect the object whose table pointer is at ppdwClassBase.
	CVMTHookManager( PDWORD* ppdwClassBase ) 
	{ 
		bInitialize( ppdwClassBase ); 
	} 
 
	// Restores the original table pointer.
	// NOTE(review): the array allocated in bInitialize() is not released here or anywhere
	// else in this class.
	~CVMTHookManager( void ) 
	{ 
		UnHook(); 
	} 
	// Saves the original table pointer, copies the table into a new heap array and points
	// the object at the copy. Always returns true; ppdwClassBase is not checked for null.
	bool bInitialize( PDWORD* ppdwClassBase ) 
	{ 
		m_ppdwClassBase = ppdwClassBase; 
		m_pdwOldVMT = *ppdwClassBase; 
		m_dwVMTSize = dwGetVMTCount( *ppdwClassBase ); 
		m_pdwNewVMT = new DWORD[ m_dwVMTSize ]; 
		memcpy( m_pdwNewVMT, m_pdwOldVMT, sizeof( DWORD ) * m_dwVMTSize ); 
		*ppdwClassBase = m_pdwNewVMT; 
		return true; 
	} 
	// Convenience overload that accepts one more level of indirection.
	bool bInitialize( PDWORD** pppdwClassBase ) // fix for pp 
	{ 
		return bInitialize( *pppdwClassBase ); 
	} 
 
	// Point the object back at its original table.
	void UnHook( void ) 
	{ 
		if ( m_ppdwClassBase ) 
		{ 
			*m_ppdwClassBase = m_pdwOldVMT; 
		} 
	} 
 
	// Point the object at the modified copy again.
	void ReHook( void ) 
	{ 
		if ( m_ppdwClassBase ) 
		{ 
			*m_ppdwClassBase = m_pdwNewVMT; 
		} 
	} 
 
	// Number of entries counted by dwGetVMTCount().
	int iGetFuncCount( void ) 
	{ 
		return ( int ) m_dwVMTSize; 
	} 
 
	// Returns the original entry at Index, or NULL when the index is rejected.
	// NOTE(review): the test uses `<=`, so Index == m_dwVMTSize is accepted and reads the
	// element just past the counted entries.
	DWORD dwGetMethodAddress( int Index ) 
	{ 
		if ( Index >= 0 && Index <= ( int )m_dwVMTSize && m_pdwOldVMT != NULL ) 
		{ 
			return m_pdwOldVMT[ Index ]; 
		} 
		return NULL; 
	} 
 
	// Returns the saved pointer to the original table.
	PDWORD pdwGetOldVMT( void ) 
	{ 
		return m_pdwOldVMT; 
	} 
 
	// Stores dwNewFunc in the copied table at iIndex and returns the original entry, or
	// NULL when the arguments are rejected.
	// NOTE(review): `iIndex <= m_dwVMTSize` lets iIndex == m_dwVMTSize through, which writes
	// one element past the `new DWORD[ m_dwVMTSize ]` allocation. `iIndex >= 0` is always
	// true for an unsigned value.
	DWORD dwHookMethod( DWORD dwNewFunc, unsigned int iIndex ) 
	{ 
		if ( m_pdwNewVMT && m_pdwOldVMT && iIndex <= m_dwVMTSize && iIndex >= 0 ) 
		{ 
			m_pdwNewVMT[ iIndex ] = dwNewFunc; 
			return m_pdwOldVMT[ iIndex ]; 
		} 
 
		return NULL; 
	} 
 
private: 
	// Counts table entries by walking forward until a zero entry is found or
	// IsBadCodePtr() reports the entry's target as not readable.
	// NOTE(review): the table's real length is not known here, so the count is a heuristic;
	// Microsoft documents IsBadCodePtr as obsolete.
	DWORD dwGetVMTCount( PDWORD pdwVMT ) 
	{ 
		DWORD dwIndex = 0; 
 
		for ( dwIndex = 0; pdwVMT[ dwIndex ]; dwIndex++ ) 
		{ 
			if ( IsBadCodePtr( ( FARPROC ) pdwVMT[ dwIndex ] ) ) 
			{ 
				break; 
			} 
		} 
		return dwIndex; 
	} 
	// Location of the object's table pointer (the slot that gets overwritten).
	PDWORD*	m_ppdwClassBase; 
	// Heap copy of the table, and the original table.
	PDWORD	m_pdwNewVMT, m_pdwOldVMT; 
	// Entry count shared by both tables.
	DWORD	m_dwVMTSize; 
}; 
 
#endif
C++:
// Create a hook manager for the client interface object, then replace entry 21 of the
// copied table with hkCreateMove.
// NOTE(review): the class listing above has no two-argument constructor, and the second
// line uses g_pCreateMove while the first declares g_pCreateMoveHook - the snippet appears
// to be retyped from memory.
CVMTHookManager* g_pCreateMoveHook = new CVMTHookManager( ( PDWORD* )g_pClient, 21 );
g_pCreateMove->dwHookMethod( ( DWORD )hkCreateMove, 21 );
I'm using this HookManager. But maybe you are failing to verify your cmd.
 