Solved CSGO How to use offsets?

  • CSGO recently moved logic from 'client_panorama.dll' to 'client.dll', you must update all code that uses 'client_panorama.dll' and replace it with 'client.dll' or the code will not work.

Amonomen

Resident A$$hole
Dank Tier Donator
May 1, 2016
22
373
1
For the past few days, I've been watching every video, reading every tutorial I can find on aim bots, esp, etc...

I am well versed in programming, but getting into reading and modifying the memory of running software is somewhat new to me.

I see a lot of people mentioning netvar dumps and offset dumps when it comes to CS:GO. So, logically, I set my course on understanding how and why these exist.

Many tutorials mention getting offsets from someone else's offset dumper, however, I have no interest in using someone else's script (no offense!) as my goal here is to learn.

I've searched this forum and a few others and it seems I cannot find many details on this topic other than the fact that ollydbg is the tool of choice.

After playing around with olly, I figured out how to obtain these offsets. The problem I have now is what do I do with these offsets?

For example, I have m_iHealth from DT_BasePlayer with a value of 0xFC. Presumably, that means the health variable is 0xFC bytes from the beginning of the DT_BasePlayer struct in memory.

This takes me to cheat engine, since I now know where my HP is in relation to the struct that holds all the information that I need about my player. First thing I do is start up my local CS:GO server, join it on my client, then do an initial search for 100 of a 4 byte type. I get many results so I begin to damage myself and narrow in on the target address. After getting the list down to about 20 or so results, I begin working through the list trying to find something that resembles a structure with my health, location and angle. I eventually find a result and begin a pointer scan. I set my pointer scan to go to 10 offsets and most other settings were left in their defaults. First go around, I get around 250 million results. So I close the game, and start the whole process over. Find the address, plug it into the pointer scan, run the scan. 0 results. This was repeated a few times with the same results every time. I thought maybe I was doing something wrong? So I informed myself a bit more on pointer scanning and found that my procedure was correct. Just for S&G I tried it with 5 offset max and couldn't get it to go below 256,000 results. I eventually picked a few of these results, 50 or so, and added them to my current table just to test it while I played a few games. For a while, most of them worked. About 10 games in, none of them worked anymore.

Is there an easier way to do this?

Thanks!
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,205
78,998
2,400
Amonomen

Welcome to GH everything you need to learn is right here on GuidedHacking!

Pointer scanner is fickle, if you don't do it 1000% perfectly it will fail you. Learn how to find offsets and base addresses with this tutorial:

If you know the offset for health and you have the health address, you can subtract the offset from the health address and that will yield the player base address. Then you can do a pointer scan for the player base address if you like.

5 Max Offset level is plenty for pointer scan, I rarely use pointers over 3 levels.

Go here for our CSGO tutorials:
How to Get Started with CS:GO Hacking - Guided Hacking
 

Amonomen

Resident A$$hole
Dank Tier Donator
May 1, 2016
22
373
1
Thanks for the prompt response! I will review those videos again, maybe I missed something. (not hard to do with a toddler running around the house... lol). I think the problem may be that I am just assuming that all of the player related data I am after (location, looking direction, team ID, etc...) is stored in a single struct.
 

PwndDepot

I has a status
Dank Tier VIP
Trump Tier Donator
Dank Tier Donator
Nov 5, 2014
239
7,748
19
Yeah you shouldn't need over 5, and I think for counter strike you only need 1 (for source at least). However, an easier way to filter your pointer scan results is to right click on your address and click "find out what accesses the address". Whatever instruction shows up should give you an offset to look for. This way, when you do your pointer scan, you can add this offset where it says "pointers must end in specific offset". This should reduce your list significantly. But as Rake said, pointer scan is not very accurate, and in my experience it will not give you very consistent results.
 

Amonomen

Resident A$$hole
Dank Tier Donator
May 1, 2016
22
373
1
After playing with it a bit more, I found a pointer that I am comfortable is indeed static. However, it has offsets that don't correspond to anything from the offset dumps I have from my client.

A bit more investigation and it appears this pointer points to a list of players. The offset between each player is 1EC, which I think I saw somewhere is the size of the entity struct. Interestingly, though, the last offset on the static pointer I found is greater than 1EC. Maybe the static pointer I have points to a struct which contains the entity list as a child struct? Before I go on, the static pointer I am referring to is "client.dll"+00A7C568 -> 31C -> 1A4 -> 0 -> 224 which points to my player's HP.

At this point, I am curious as to what other instructions relating to my HP are using for offsets, so I find what accesses this address, and I get an offset of 38. As it turns out, the offset 38 doesn't appear anywhere in the offset dumps I generated earlier today. So I went to another value near the HP, LocX, and found the instructions using that address have an offset of -14 which points right back to HP-38.

Anyway, the grey area here for me is how to use these offset dumps.

I have an excerpt of the file I am referring to that I will paste below.
C++:
DT_CSPlayer : public DT_BasePlayer, DT_BaseCombatCharacter, DT_BaseFlex, DT_BaseAnimatingOverlay, DT_BaseAnimating, DT_BaseEntity
 |__AnimTimeMustBeFirst_______________________________ -> 0x0000 ( void* )
 |__m_flAnimTime_____________________________________ -> 0x025C ( int )
 |__m_flSimulationTime_______________________________ -> 0x0264 ( int )
 |__m_cellbits_______________________________________ -> 0x0074 ( int )
 |__m_cellX__________________________________________ -> 0x007C ( int )
 |__m_cellY__________________________________________ -> 0x0080 ( int )
 |__m_cellZ__________________________________________ -> 0x0084 ( int )
 |__m_vecOrigin______________________________________ -> 0x0134 ( Vec3 )
 |__m_angRotation____________________________________ -> 0x0128 ( Vec3 )
 |__m_nModelIndex____________________________________ -> 0x0254 ( int )
 |__m_fEffects_______________________________________ -> 0x00EC ( int )
 |__m_nRenderMode____________________________________ -> 0x0257 ( int )
 |__m_nRenderFX______________________________________ -> 0x0256 ( int )
 |__m_clrRender______________________________________ -> 0x0070 ( int )
 |__m_iTeamNum_______________________________________ -> 0x00F0 ( int )
 |__m_iPendingTeamNum________________________________ -> 0x00F4 ( int )
 |__m_CollisionGroup_________________________________ -> 0x0470 ( int )
 |__m_flElasticity___________________________________ -> 0x0398 ( float )
 |__m_flShadowCastDistance___________________________ -> 0x039C ( float )
 |__m_hOwnerEntity___________________________________ -> 0x0148 ( int )
 |__m_hEffectEntity__________________________________ -> 0x0994 ( int )
 |__moveparent_______________________________________ -> 0x0144 ( int )
 |__m_iParentAttachment______________________________ -> 0x02E8 ( int )
 |__m_iName__________________________________________ -> 0x0150 ( char[ 260 ] )
 |__movetype_________________________________________ -> 0x0000 ( int )
 |__movecollide______________________________________ -> 0x0000 ( int )
 |__m_Collision______________________________________ -> 0x0318 ( void* )
  |__m_vecMins_______________________________________ -> 0x0320 ( Vec3 )
  |__m_vecMaxs_______________________________________ -> 0x032C ( Vec3 )
...
It appears to me to be a class structure that extends multiple other classes with the offsets of where in memory each of the values are in relation to the beginning of the class. Is this correct?
It also appears there are sub classes or sub structs within each of these base classes with what appears to be a pointer to the beginning of the sub class/struct. Is this correct?


I apologize if I have asked questions which have already been answered elsewhere and if so, please point me towards those answers.

Thanks again!
 
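To make the dump excerpt above concrete, here is an added Python example (not code from this thread, from GuidedHacking, or from any netvar dumper) that parses that dump format into a per-class offset table and then applies the offsets to a byte image of an entity that is constructed inline, so it runs offline with no game attached. It treats every offset as a distance from the start of the entity object, including the nested entries: the assumption here is that the dumper has already accumulated nested offsets, so m_vecMins at 0x320 sits 8 bytes past m_Collision at 0x318 and is read from the same base rather than from a separate sub-object. It also shows Rake's arithmetic from earlier in the thread: the address of a known field minus that field's offset gives the address of the entity itself. The 32-bit little-endian field encodings, the entity size, the fake base address and the sample field values are all constructed for the example.

```python
import re
import struct

# Constructed excerpt in the layout of the netvar dump quoted above (not the
# full file). Nested lines are indented one extra space under their parent.
DUMP_EXCERPT = """\
DT_CSPlayer : public DT_BasePlayer, DT_BaseCombatCharacter, DT_BaseFlex, DT_BaseAnimatingOverlay, DT_BaseAnimating, DT_BaseEntity
 |__m_flSimulationTime_______________________________ -> 0x0264 ( int )
 |__m_vecOrigin______________________________________ -> 0x0134 ( Vec3 )
 |__m_iTeamNum_______________________________________ -> 0x00F0 ( int )
 |__m_flElasticity___________________________________ -> 0x0398 ( float )
 |__m_iName__________________________________________ -> 0x0150 ( char[ 260 ] )
 |__m_Collision______________________________________ -> 0x0318 ( void* )
  |__m_vecMins_______________________________________ -> 0x0320 ( Vec3 )
  |__m_vecMaxs_______________________________________ -> 0x032C ( Vec3 )
"""

HEADER_RE = re.compile(r"^(?P<cls>\w+)\s*:\s*public\s+(?P<bases>.+)$")
FIELD_RE = re.compile(
    r"^(?P<indent>\s*)\|__(?P<name>[A-Za-z][A-Za-z0-9_]*?)_*\s*->\s*"
    r"0x(?P<off>[0-9A-Fa-f]+)\s*\(\s*(?P<type>[^)]*?)\s*\)\s*$"
)


def parse_dump(text):
    """Return {class: {"bases": [...], "fields": {name: (offset, type, parent)}}}.
    Nesting is recovered from indentation; the "..." line and blanks are skipped."""
    classes, current, stack = {}, None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:
            current = m.group("cls")
            bases = [b.strip() for b in m.group("bases").split(",")]
            classes[current] = {"bases": bases, "fields": {}}
            stack = []
            continue
        m = FIELD_RE.match(raw)
        if not m or current is None:
            continue
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1] if stack else None
        name = m.group("name")
        classes[current]["fields"][name] = (int(m.group("off"), 16), m.group("type"), parent)
        stack.append((indent, name))
    return classes


def struct_format(type_name):
    """Map the dump's type names to struct formats (assumed 32-bit, little-endian)."""
    simple = {"int": "<i", "float": "<f", "Vec3": "<3f", "void*": "<I"}
    if type_name in simple:
        return simple[type_name]
    m = re.fullmatch(r"char\[\s*(\d+)\s*\]", type_name)
    if m:
        return "<%ss" % m.group(1)
    raise ValueError("unknown type " + type_name)


def read_field(entity_bytes, fields, name):
    """Decode one field from an entity image; the offset is relative to the entity start."""
    offset, type_name, _parent = fields[name]
    value = struct.unpack_from(struct_format(type_name), entity_bytes, offset)
    if type_name.startswith("char"):
        return value[0].split(b"\0", 1)[0].decode()
    return value if len(value) > 1 else value[0]


def entity_base_from_field(field_address, fields, name):
    """Rake's point: address of a known field minus its offset = address of the entity."""
    return field_address - fields[name][0]


def build_sample_entity(fields, size=0x400):
    """Construct a fake entity image with known values so the offsets can be exercised."""
    buf = bytearray(size)

    def put(name, *values):
        offset, type_name, _ = fields[name]
        struct.pack_into(struct_format(type_name), buf, offset, *values)

    put("m_iTeamNum", 2)
    put("m_vecOrigin", 100.0, -50.5, 64.0)
    put("m_flElasticity", 1.0)
    put("m_iName", b"player_sample")
    put("m_vecMins", -16.0, -16.0, 0.0)  # lands at 0x320, 8 bytes past m_Collision
    return bytes(buf)


def demo():
    fields = parse_dump(DUMP_EXCERPT)["DT_CSPlayer"]["fields"]
    entity = build_sample_entity(fields)
    base = 0x10000000  # constructed entity address for the arithmetic below
    team_addr = base + fields["m_iTeamNum"][0]
    return {
        "team": read_field(entity, fields, "m_iTeamNum"),
        "origin": read_field(entity, fields, "m_vecOrigin"),
        "name": read_field(entity, fields, "m_iName"),
        "mins": read_field(entity, fields, "m_vecMins"),
        "mins_parent": fields["m_vecMins"][2],
        "recovered_base": entity_base_from_field(team_addr, fields, "m_iTeamNum"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints the decoded sample fields and the recovered base address. A field the excerpt does not list (such as m_iHealth from the first post) is handled the same way once its dump line is present: the table gives its offset and type, and the value is read at entity start plus that offset.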