Source Code CSS & CSGO How to call CL_Move function

Just wanted to show you how to find the Pointer/Offset to CL_Move, bSendPacket, Command Number & choked Command Number.
1. Open OllyDBG and attach Counter-Strike: Global Offensive
2. Click on engine in Executable modules
3. Search for "connection problem"
4. Scroll to the beginning of CL_Move

C++:
5D9EC4C0   55               PUSH EBP                                 ; Begin of CL_Move
5D9EC4C1   8BEC             MOV EBP,ESP
5D9EC4C3   83EC 4C          SUB ESP,4C
5D9EC4C6   53               PUSH EBX
5D9EC4C7   56               PUSH ESI
5D9EC4C8   57               PUSH EDI
5D9EC4C9   8B3D C47CE05D    MOV EDI,DWORD PTR DS:[5DE07CC4]
5D9EC4CF   8AF9             MOV BH,CL
5D9EC4D1   F3:0F1145 F8     MOVSS DWORD PTR SS:[EBP-8],XMM0
5D9EC4D6   83BF E8000000 02 CMP DWORD PTR DS:[EDI+E8],2
5D9EC4DD   0F8C 78030000    JL engine.5D9EC85B
5D9EC4E3   E8 C8ED1200      CALL engine.5DB1B2B0
5D9EC4E8   84C0             TEST AL,AL
5D9EC4EA   0F84 6B030000    JE engine.5D9EC85B
5D9EC4F0   8B0D 886FE05D    MOV ECX,DWORD PTR DS:[5DE06F88]          ; engine.5DEC28E8
5D9EC4F6   B3 01            MOV BL,1
5D9EC4F8   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC4FA   8B40 18          MOV EAX,DWORD PTR DS:[EAX+18]
5D9EC4FD   FFD0             CALL EAX
5D9EC4FF   84C0             TEST AL,AL
5D9EC501   74 0F            JE SHORT engine.5D9EC512
5D9EC503   80BF 404C0000 00 CMP BYTE PTR DS:[EDI+4C40],0
5D9EC50A   0F84 4B030000    JE engine.5D9EC85B
5D9EC510   32DB             XOR BL,BL
5D9EC512   8B8F 90000000    MOV ECX,DWORD PTR DS:[EDI+90]
5D9EC518   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC51A   8B40 18          MOV EAX,DWORD PTR DS:[EAX+18]
5D9EC51D   FFD0             CALL EAX
5D9EC51F   84C0             TEST AL,AL
5D9EC521   74 1E            JE SHORT engine.5D9EC541
5D9EC523   8B0D D435E15D    MOV ECX,DWORD PTR DS:[5DE135D4]          ; engine.5DE135B8
5D9EC529   81F9 B835E15D    CMP ECX,engine.5DE135B8
5D9EC52F   75 07            JNZ SHORT engine.5D9EC538
5D9EC531   A1 E835E15D      MOV EAX,DWORD PTR DS:[5DE135E8]
5D9EC536   EB 05            JMP SHORT engine.5D9EC53D
5D9EC538   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC53A   FF50 34          CALL DWORD PTR DS:[EAX+34]
5D9EC53D   85C0             TEST EAX,EAX
5D9EC53F   74 2C            JE SHORT engine.5D9EC56D
5D9EC541   F2:              PREFIX REPNE:                            ; Superfluous prefix
5D9EC542   0F1087 F0000000  MOVUPS XMM0,DQWORD PTR DS:[EDI+F0]
5D9EC549   66:0F2F05 70DE09>COMISS XMM0,DWORD PTR DS:[5E09DE70]
5D9EC551   77 18            JA SHORT engine.5D9EC56B
5D9EC553   8B8F 90000000    MOV ECX,DWORD PTR DS:[EDI+90]
5D9EC559   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC55B   8B80 E8000000    MOV EAX,DWORD PTR DS:[EAX+E8]
5D9EC561   FFD0             CALL EAX
5D9EC563   84C0             TEST AL,AL
5D9EC565   74 04            JE SHORT engine.5D9EC56B
5D9EC567   84FF             TEST BH,BH
5D9EC569   75 02            JNZ SHORT engine.5D9EC56D
5D9EC56B   32DB             XOR BL,BL
5D9EC56D   83BF E8000000 06 CMP DWORD PTR DS:[EDI+E8],6
5D9EC574   0F85 8F000000    JNZ engine.5D9EC609
5D9EC57A   8B87 284C0000    MOV EAX,DWORD PTR DS:[EDI+4C28]
5D9EC580   40               INC EAX
5D9EC581   0387 244C0000    ADD EAX,DWORD PTR DS:[EDI+4C24]
5D9EC587   833D A834E15D 00 CMP DWORD PTR DS:[5DE134A8],0
5D9EC58E   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
5D9EC591   7E 13            JLE SHORT engine.5D9EC5A6
5D9EC593   A1 C47CE05D      MOV EAX,DWORD PTR DS:[5DE07CC4]
5D9EC598   83B8 E8000000 00 CMP DWORD PTR DS:[EAX+E8],0
5D9EC59F   0F94C0           SETE AL
5D9EC5A2   84C0             TEST AL,AL
5D9EC5A4   75 56            JNZ SHORT engine.5D9EC5FC
5D9EC5A6   A1 E0B5095E      MOV EAX,DWORD PTR DS:[5E09B5E0]
5D9EC5AB   8D4F 08          LEA ECX,DWORD PTR DS:[EDI+8]
5D9EC5AE   8B30             MOV ESI,DWORD PTR DS:[EAX]
5D9EC5B0   E8 BB3A0100      CALL engine.5DA00070
5D9EC5B5   F3:0F1005 A434E1>MOVSS XMM0,DWORD PTR DS:[5DE134A4]
5D9EC5BD   84C0             TEST AL,AL
5D9EC5BF   F3:0F5C45 F8     SUBSS XMM0,DWORD PTR SS:[EBP-8]
5D9EC5C4   0F94C0           SETE AL
5D9EC5C7   0FB6C0           MOVZX EAX,AL
5D9EC5CA   50               PUSH EAX
5D9EC5CB   51               PUSH ECX
5D9EC5CC   8B0D E0B5095E    MOV ECX,DWORD PTR DS:[5E09B5E0]          ; client.1C000CC0
5D9EC5D2   F3:0F110424      MOVSS DWORD PTR SS:[ESP],XMM0
5D9EC5D7   FF75 FC          PUSH DWORD PTR SS:[EBP-4]
5D9EC5DA   FF56 54          CALL DWORD PTR DS:[ESI+54]
5D9EC5DD   8B0D 846FE05D    MOV ECX,DWORD PTR DS:[5DE06F84]          ; engine.5DE06270
5D9EC5E3   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC5E5   8B40 10          MOV EAX,DWORD PTR DS:[EAX+10]
5D9EC5E8   FFD0             CALL EAX
5D9EC5EA   84C0             TEST AL,AL
5D9EC5EC   74 0E            JE SHORT engine.5D9EC5FC
5D9EC5EE   8B0D 846FE05D    MOV ECX,DWORD PTR DS:[5DE06F84]          ; engine.5DE06270
5D9EC5F4   FF75 FC          PUSH DWORD PTR SS:[EBP-4]
5D9EC5F7   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC5F9   FF50 24          CALL DWORD PTR DS:[EAX+24]
5D9EC5FC   84DB             TEST BL,BL
5D9EC5FE   0F84 92000000    JE engine.5D9EC696
5D9EC604   E8 67FCFFFF      CALL engine.5D9EC270
5D9EC609   84DB             TEST BL,BL
5D9EC60B   0F84 4A020000    JE engine.5D9EC85B
5D9EC611   8B8F 90000000    MOV ECX,DWORD PTR DS:[EDI+90]
5D9EC617   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC619   8B40 1C          MOV EAX,DWORD PTR DS:[EAX+1C]
5D9EC61C   FFD0             CALL EAX
5D9EC61E   84C0             TEST AL,AL
5D9EC620   0F84 DF000000    JE engine.5D9EC705
5D9EC626   8B0D 886FE05D    MOV ECX,DWORD PTR DS:[5DE06F88]          ; engine.5DEC28E8
5D9EC62C   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC62E   8B40 18          MOV EAX,DWORD PTR DS:[EAX+18]
5D9EC631   FFD0             CALL EAX
5D9EC633   84C0             TEST AL,AL
5D9EC635   0F85 CA000000    JNZ engine.5D9EC705
5D9EC63B   83BF E8000000 06 CMP DWORD PTR DS:[EDI+E8],6
5D9EC642   0F85 BD000000    JNZ engine.5D9EC705
5D9EC648   8B8F 90000000    MOV ECX,DWORD PTR DS:[EDI+90]
5D9EC64E   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC650   8B40 68          MOV EAX,DWORD PTR DS:[EAX+68]
5D9EC653   FFD0             CALL EAX
5D9EC655   8B8F 90000000    MOV ECX,DWORD PTR DS:[EDI+90]
5D9EC65B   D95D FC          FSTP DWORD PTR SS:[EBP-4]
5D9EC65E   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC660   8B40 58          MOV EAX,DWORD PTR DS:[EAX+58]
5D9EC663   FFD0             CALL EAX
5D9EC665   F3:0F1045 FC     MOVSS XMM0,DWORD PTR SS:[EBP-4]
5D9EC66A   0F57C9           XORPS XMM1,XMM1
5D9EC66D   D95D F8          FSTP DWORD PTR SS:[EBP-8]
5D9EC670   F3:0F5C45 F8     SUBSS XMM0,DWORD PTR SS:[EBP-8]
5D9EC675   0F2FC1           COMISS XMM0,XMM1
5D9EC678   76 37            JBE SHORT engine.5D9EC6B1
5D9EC67A   8B8F 90000000    MOV ECX,DWORD PTR DS:[EDI+90]
5D9EC680   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC682   8B40 58          MOV EAX,DWORD PTR DS:[EAX+58]
5D9EC685   FFD0             CALL EAX
5D9EC687   F3:0F1045 FC     MOVSS XMM0,DWORD PTR SS:[EBP-4]
5D9EC68C   D95D F8          FSTP DWORD PTR SS:[EBP-8]
5D9EC68F   F3:0F5C45 F8     SUBSS XMM0,DWORD PTR SS:[EBP-8]
5D9EC694   EB 1E            JMP SHORT engine.5D9EC6B4
5D9EC696   8B8F 90000000    MOV ECX,DWORD PTR DS:[EDI+90]
5D9EC69C   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC69E   FF90 BC000000    CALL DWORD PTR DS:[EAX+BC]
5D9EC6A4   FF87 284C0000    INC DWORD PTR DS:[EDI+4C28]
5D9EC6AA   5F               POP EDI
5D9EC6AB   5E               POP ESI
5D9EC6AC   5B               POP EBX
5D9EC6AD   8BE5             MOV ESP,EBP
5D9EC6AF   5D               POP EBP
5D9EC6B0   C3               RETN
5D9EC6B1   0F28C1           MOVAPS XMM0,XMM1
5D9EC6B4   8B0D 8473E05D    MOV ECX,DWORD PTR DS:[5DE07384]          ; engine.5DE07368
5D9EC6BA   51               PUSH ECX
5D9EC6BB   F3:0F110424      MOVSS DWORD PTR SS:[ESP],XMM0
5D9EC6C0   8B01             MOV EAX,DWORD PTR DS:[ECX]
5D9EC6C2   FF50 3C          CALL DWORD PTR DS:[EAX+3C]
5D9EC6C5   A1 90CD065E      MOV EAX,DWORD PTR DS:[5E06CD90]
5D9EC6CA   B9 90CD065E      MOV ECX,engine.5E06CD90
5D9EC6CF   FF90 A8000000    CALL DWORD PTR DS:[EAX+A8]
5D9EC6D5   83BF 4C010000 FF CMP DWORD PTR DS:[EDI+14C],-1
5D9EC6DC   74 6A            JE SHORT engine.5D9EC748
5D9EC6DE   8D4F 08          LEA ECX,DWORD PTR DS:[EDI+8]
5D9EC6E1   E8 EA74FCFF      CALL engine.5D9B3BD0
5D9EC6E6   68 0029D65D      PUSH engine.5DD62900                     ; ASCII "connection problem"
5D9EC6EB   68 C032D55D      PUSH engine.5DD532C0                     ; ASCII "Requesting full game update (%s)...
...
5. *Calculate the beginning of CL_Move minus the engine base

6. Now take a look at CL_Move:
C++:
// Client-side move/packet step. Creates a usercmd through the client DLL when the
// client is active, decides whether this engine tick actually sends a packet, and -
// when it does - flushes the datagram and schedules the next send time.
//
// accumulated_extra_samples: subtracted from host_state.interval_per_tick before the
//                            interval is handed to CreateMove.
// bFinalTick:                false suppresses the send (the command is held back as a
//                            choked command) unless the channel is in loopback mode
//                            with host_limitlocal off.
void CL_Move(float accumulated_extra_samples, bool bFinalTick )
{
    // Nothing to do without a connection or while the host is not running.
    if ( !cl.IsConnected() )
        return;

    if ( !Host_ShouldRun() )
        return;

    // only send packets on the final tick in one engine frame
    bool bSendPacket = true;   

    // Don't create usercmds here during playback, they were encoded into the packet already
    if ( demoplayer->IsPlayingBack() )
    {
        if ( cl.ishltv )
        {
            // still do it when playing back a HLTV demo
            bSendPacket = false;
        }
        else
        {
            return;
        }
    }

    // don't send packets if update time not reached or channel still sending
    // in loopback mode don't send only if host_limitlocal is enabled

    if ( ( !cl.m_NetChannel->IsLoopback() || host_limitlocal.GetInt() ) &&
         ( ( net_time < cl.m_flNextCmdTime ) || !cl.m_NetChannel->CanPacket()  || !bFinalTick ) )
    {
        bSendPacket = false;
    }

    if ( cl.IsActive() )
    {
        VPROF( "CL_Move" );

        // Next outgoing command number: the last one sent, plus the commands held
        // back (choked) since then, plus one for this command.
        int nextcommandnr = cl.lastoutgoingcommand + cl.chokedcommands + 1;

        // Have client .dll create and store usercmd structure
        g_ClientDLL->CreateMove(
            nextcommandnr,
            host_state.interval_per_tick - accumulated_extra_samples,
            !cl.IsPaused() );

        // Store new usercmd to dem file
        if ( demorecorder->IsRecording() )
        {
            // Back up one because we've incremented outgoing_sequence each frame by 1 unit
            demorecorder->RecordUserInput( nextcommandnr );
        }

        if ( bSendPacket )
        {
            CL_SendMove();
        }
        else
        {
            // netchannel will increase its internal outgoing sequence number too
            cl.m_NetChannel->SetChoked();   
            // Mark command as held back so we'll send it next time
            cl.chokedcommands++;
        }
    }

    // Everything below only runs on a tick that actually sends a packet.
    if ( !bSendPacket )
        return;

    // A timing-out channel during live play (not demo playback) is a connection problem.
    bool hasProblem = cl.m_NetChannel->IsTimingOut() && !demoplayer->IsPlayingBack() &&    cl.IsActive();

    // Request non delta compression if high packet loss, show warning message
    if ( hasProblem )
    {
        // Two console overlay lines (index 2 and 3) in a red-ish color, shown for one second.
        con_nprint_t np;
        np.time_to_live = 1.0;
        np.index = 2;
        np.fixed_width_font = false;
        np.color[ 0 ] = 1.0;
        np.color[ 1 ] = 0.2;
        np.color[ 2 ] = 0.2;
       
        float flTimeOut = cl.m_NetChannel->GetTimeoutSeconds();
        Assert( flTimeOut != -1.0f );
        float flRemainingTime = flTimeOut - cl.m_NetChannel->GetTimeSinceLastReceived();
        Con_NXPrintf( &np, "WARNING:  Connection Problem" );
        np.index = 3;
        Con_NXPrintf( &np, "Auto-disconnect in %.1f seconds", flRemainingTime );

        cl.ForceFullUpdate(); // sets m_nDeltaTick to -1
    }

    if ( cl.IsActive() )
    {
        // Tell the server which tick we are delta-compressing against (-1 after
        // ForceFullUpdate above) along with the frametime statistics.
        NET_Tick mymsg( cl.m_nDeltaTick, host_frametime_unbounded, host_frametime_stddeviation );
        cl.m_NetChannel->SendNetMsg( mymsg );
    }

    //COM_Log( "cl.log", "Sending command number %i(%i) to server\n", cl.m_NetChan->m_nOutSequenceNr, cl.m_NetChan->m_nOutSequenceNr & CL_UPDATE_MASK );

    // Remember outgoing command that we are sending
    cl.lastoutgoingcommand = cl.m_NetChannel->SendDatagram( NULL );

    // The held-back commands are accounted for by this send; reset the choke count.
    cl.chokedcommands = 0;

    // calc next packet send time

    if ( cl.IsActive() )
    {
        // use full update rate when active
        float commandInterval = 1.0f / cl_cmdrate->GetFloat();
        // delta compensates for how late this send was relative to the scheduled
        // time, capped at one tick or one command interval, whichever is smaller.
        float maxDelta = min ( host_state.interval_per_tick, commandInterval );
        float delta = clamp( net_time - cl.m_flNextCmdTime, 0.0f, maxDelta );
        cl.m_flNextCmdTime = net_time + commandInterval - delta;
    }
    else
    {
        // during signon process send only 5 packets/second
        cl.m_flNextCmdTime = net_time + ( 1.0f / 5.0f );
    }

}
In it we can see the variable bSendPacket:
C++:
bool bSendPacket = true;
Search for the initialization of bSendPacket in OllyDBG:
C++:
5D9EC4F6   B3 01            MOV BL,1                                 ; bSendPacket = true
7. Calculate the address + 1 (because we are going to write the second byte of the opcode) and subtract the engine base

* You need the beginning of CL_Move for Counter-Strike: Source as well. In Counter-Strike: Source you modify bSendPacket the same way, via WPM<BYTE>( Engine + Cl_MOVE + bSendPacket, 0 );

8. Take a look at CL_Move again and search for "nextcommandnr":
C++:
int nextcommandnr = cl.lastoutgoingcommand + cl.chokedcommands + 1;
9. Look for the EAX register being loaded from the pointer EDI+Offset. EDI is our engine pointer.
C++:
5D9EC57A   8B87 284C0000    MOV EAX,DWORD PTR DS:[EDI+4C28]          ; chokedcommandnr
5D9EC580   40               INC EAX
5D9EC581   0387 244C0000    ADD EAX,DWORD PTR DS:[EDI+4C24]          ; commandnr
Optional:
C++:
// Thin wrapper that reads and writes engine state through the external memory
// interface g_pMemory; the offsets used are in the out-of-line definitions below.
class CL_Move
{
public:
    // Writes the byte at OFFSET_SENDPACKET in the engine module (see definition).
    void    SetPacket( bool bActive = true );
    // Reads the int at engine pointer + 0x4C24.
    // NOTE(review): the definition below is spelled GetCommandNumver, which does not
    // match this declaration.
    int    GetCommandNumber( void );
    // Reads the int at engine pointer + 0x4C28.
    int    GetChokedCommandNumber( void );
};

// Writes the send-packet byte at engine base + OFFSET_SENDPACKET.
// NOTE(review): there is no else/return after the first Write, so when bActive is
// true the byte is written as 1 and then immediately overwritten with 0 - both
// paths end with the byte at 0. Presumably the second Write was meant to be the
// else branch; confirm before relying on this.
void CL_Move::SetPacket( bool bActive )
{
    if( bActive )
        g_pMemory->Write< bool >( g_pMemory->GetModule( "engine" )->GetBase() + OFFSET_SENDPACKET, 1 );
    g_pMemory->Write< bool >( g_pMemory->GetModule( "engine" )->GetBase() + OFFSET_SENDPACKET, 0 );
}
// Reads the command number: dereferences the DWORD at GetModule("engine") +
// OFFSET_ENGINEPOINTER, then reads the int at that pointer + 0x4C24.
// NOTE(review): the class declares GetCommandNumber; this definition is spelled
// GetCommandNumver, so it defines an undeclared member and will not compile as written.
// NOTE(review): OFFSET_ENGINEPOINTER is added to GetModule("engine") itself here, whereas
// SetPacket adds its offset to GetModule("engine")->GetBase(); the two look
// inconsistent - confirm which base is intended.
int CL_Move::GetCommandNumver( void )
{
    return g_pMemory->Read< int >( g_pMemory->Read< DWORD >( g_pMemory->GetModule( "engine" ) + OFFSET_ENGINEPOINTER ) + 0x4C24 );
}
// Reads the choked command number: dereferences the DWORD at GetModule("engine") +
// OFFSET_ENGINEPOINTER, then reads the int at that pointer + 0x4C28.
// NOTE(review): as in GetCommandNumver, the offset is added to GetModule("engine")
// rather than to GetModule("engine")->GetBase() as SetPacket does - confirm which
// base is intended.
int CL_Move::GetChokedCommandNumber( void )
{
    return g_pMemory->Read< int >( g_pMemory->Read< DWORD >( g_pMemory->GetModule( "engine" ) + OFFSET_ENGINEPOINTER ) + 0x4C28 );
}
Best regards
 