Guide Getting Started How to find the Entity List

[Rake]

Game Name

N/A

Anticheat

N/A

Tutorial Link

N/A

How long you been coding/hacking?

N/A

Coding Language

N/A

What is an entity?
In it's simplest terms, an entity is an object which is an instance of a class. An entity is typically an actor. An actor is something that interacts with other objects in the game. In terms of game hacking, an entity is typically referring to a player object. When you're playing online the objects which contain the information about yourself and the other players are referred to entities. These objects typically contain the player's location, angle, health information and more but not all variables are required to be in this class.

What is an Entity List?
An entitylist is a container of entity objects. In some games the entitylist contains all the entities in the game, not just the player objects.

An entitylist can be many different types of containers

• an array of entity pointers (most common)
• an array of entity objects
• a linked list of entity objects
• a linked list of nodes which point to entity objects
• an array of nodes which contain pointers to entity objects (actually a linked list underneath)

Quake Engine / COD Engine Games = array of entity objects

Assault Cube = array of entity pointers

Unreal Engine = a linked list of all entity objects (not just players). Sometimes it will have seperate lists containing only the player objects

CSGO = an array of nodes which point to entity objects

An array of player objects looks like this:

struct player
{
    int health;
}

player entityList[32];

An array of player pointers looks like this:

struct player
{
    int health;
}

player* entityList[32];

How to find an Entity List?
Before you try to find an entity list you need to figure out what type of container it is. If you know the game engine, you already know what type it will be.

• Start by finding the address of multiple player objects and yourself, write them down
• Verify the are of the same class: check the vTable pointers, do they point to the same vtable?
• Compare the addresses of the objects, do you see any pattern?
• If you subtract bot 1's address from bot 2 address, you get the difference in bytes between the two objects.
• Now subtract bot 3's address from bot 4's address. Is this the same difference as between bot 1 and 2?
• If so, this is the size of the player object and it's most likely an array of objects because they are contiguously placed in memory.
• If so, then find the first object in the array, and you have the address of entityList[0], if it's a static address then you have the entitylist address
• If it's a dynamic address, find a pointer to it or use pattern scanning to get the correct address at runtime

If they are not contiguous in memory, then these are dynamically located and the game would need pointers to get to them, therefore there is an array of player object pointers.

• In this case, create a list of pointers to these objects, by scanning for them in Cheat Engine
• Compare where these pointers are in memory, are some of the pointers near each other?
• If so then this is probably the array of player object pointers
• On x64 if you see a loop that looks like "mov eax, [ecx + 8 * ebx]" then ECX points to the array of pointers, 8 is the size of a pointer, and ebx is the iterator or player ID.
• On x86 you will see a 4 instead of an 8.

If it's niether an array of objects or an array of pointers, then it's either a linked list or an abstract form of the other possibilities.

If it's a single linked list, there will be a pointer in each object which points to the next object, called the Forward Link or Next Link, just look inside the object for pointers, see if the objects they point to are of the same type by comparing offsets and especially the vTable pointer.

If it's a double linked list, each object will contain a forward link and back link, pointing to the previous and next node in the linked list.

Video Tutorials

Call of Duty / Quake Engine Entitylists
https://guidedhacking.com/threads/how-to-hack-call-of-duty-games-quake-engine-games.11155/


Unreal Engine EntityList
It's a linked list read:
https://guidedhacking.com/threads/unreal-engine-game-hacking.14278/


Try the Guided Hacking Entity List Finder
https://guidedhacking.com/resources/gh-entity-list-finder.36/


Tutorials

• Tutorial - How to find Entity List Pointer in AC!
• Tutorial - How to Find Entity List - Wolfenstein Hack Tutorial
• Source Code - How To Loop Through Entity List Internally

Related threads:
Solved - Help With Finding the Entity List in AC
Help - Finding Dynamic Entity List MMORPG
Help - Player array

 

[Killerzwerg]

Hey Guys,
I have some issue with with my AC internal hack...
dont know why it doesn't show the right health and address

DWORD WINAPI MainThread(LPVOID param)
{
    //Init
    Init();

    //create the console
    AllocConsole();                        //attaches consoel    
    freopen("CONOUT$", "w", stdout);    //sets cout to be used with our newly created console

    while (true)
    {
        for (int i = 1; i < 32; i++)
        {
            int *iHealth = (int*)(*(DWORD*)0x50F4F8 + (0x4 * i) + 0xF8);
            std::cout << "Player[" << i << "]: Health-> " << *iHealth << std::endl;
            std::cout << "Player[" << i << "]: Health Address-> " << iHealth << std::endl;
        }
        Sleep(50);
        system("cls");
    }
    
    while (!GetAsyncKeyState(VK_END))
        return 0;

    FreeLibraryAndExitThread((HMODULE)param, 0);
    return 0;
}

hope you can help me to solve it.

Thank you in advance
Killerzwerg

 

[Rake]

The forum has C++ syntax highlighting whhhhhhhy god is it so impossible for people to use this beautiful board I spent weeks working on and hundreds of dollars providing for you....blaaaaaaaaaaaaargh /endrant

Change to

int *iHealth = (int*)(*(DWORD*)(*(DWORD*)0x50F4F8 + (0x4 * 2)) + 0xF8);

And check this thread out Source Code - How To Loop Through Entity List Internally

 

[Killerzwerg]

The forum has C++ syntax highlighting whhhhhhhy god is it so impossible for people to use this beautiful board I spent weeks working on and hundreds of dollars providing for you....blaaaaaaaaaaaaargh /endrant

Change to

int *iHealth = (int*)(*(DWORD*)(*(DWORD*)0x50F4F8 + (0x4 * 2)) + 0xF8);

And check this thread out Source Code - How To Loop Through Entity List Internally

thank you so much

 

[Killerzwerg]

thank you so much

But now I have another problem. When no entity is in the game the game crasches
Killerzwerg

 

[inter 2008]

But now I have another problem. When no entity is in the game the game crasches
Killerzwerg

Because your pointer is not readable / invalid

#define MEM_WRITE (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
#define MEM_READ (PAGE_EXECUTE_READ | PAGE_READONLY | MEM_WRITE)
#define MEM_EXEC (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

bool IsValidExecPtr(void * Ptr)
{
    if (!Ptr)
        return false; //Ptr is a nullptr
   
    MEMORY_BASIC_INFORMATION MBI{ 0 };
    if (!VirtualQuery(Ptr, &MBI, sizeof(MEMORY_BASIC_INFORMATION)))
        return false; //VirtualQuery fail = definitly not a valid pointer

    if ((MBI.State == MEM_COMMIT) && (MBI.Protect & MEM_EXEC) && !(MBI.Protect & PAGE_GUARD))
        return true; //memory is commited, page has (at least) execute access and isn't a guard page

    return false;
}

bool IsValidReadPtr(void * Ptr)
{
    if (!Ptr)
        return false; //Ptr is a nullptr
   
    MEMORY_BASIC_INFORMATION MBI{ 0 };
    if (!VirtualQuery(Ptr, &MBI, sizeof(MEMORY_BASIC_INFORMATION)))
        return false; //VirtualQuery fail = definitly not a valid pointer

    if ((MBI.State == MEM_COMMIT) && (MBI.Protect & MEM_READ) && !(MBI.Protect & PAGE_GUARD))
        return true; //memory is commited, page has (at least) read access and isn't a guard page

    return false;
}

bool IsValidWritePtr(void * Ptr)
{
    if (!Ptr)
        return false; //Ptr is a nullptr

    MEMORY_BASIC_INFORMATION MBI{ 0 };
    if (!VirtualQuery(Ptr, &MBI, sizeof(MEMORY_BASIC_INFORMATION)))
        return false; //VirtualQuery fail = definitly not a valid pointer
   
    if ((MBI.State == MEM_COMMIT) && (MBI.Protect & MEM_WRITE) && !(MBI.Protect & PAGE_GUARD))
        return true; //memory is commited, page has (at least) read and write access and isn't a guard page

    return false;
}

usage example:

if (!IsValidReadPtr(iHealth))
    continue;

 

[Rake]

Bro please read the link I sent you there is code that shows you how to check if valid ent

 

[HACKEDHACKER]

In many games, the first entity is generally you so you could also look for your localPlayer pointer and see what holds it. One of them will have you along with everyone else in it.

 

[JohannesJoestar]

You know those times when you try too hard and miss the simples of things. I think this might've been one of those things for me. I would always go calculate 5 or 6 entities and try to see how far they apart.

 

[Fr3akNL]

Hi guys,

I followed a tutorial to write a triggerbot on this forum (my apologies but I dont remember which tutorial it was so can't refer to the creator).
I understand the code, and have been able to rewrite it myself and make the code more organized and put the functions in classes.
The main issue here though is that the triggerbot also shoots on teammates, as it only checks if the crosshair ID != 0.

Main question: How do I loop EXTERNALLY through the entitylist and store the found entities?

Code:

int TriggerBot::startTrigger()
{
    mMem mMem;
    mMem.getProcID();
    mMem.getModule();
    baseAddress = mMem.ModuleBaseAddress;

    HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, mMem.procID);
    if (pHandle)
    {
        while (1)
        {
            ReadProcessMemory(pHandle, (void*)(baseAddress + pOffset), &playerBase, sizeof(DWORD), NULL);
            ReadProcessMemory(pHandle, (void*)(playerBase + cOffset), &cID, sizeof(DWORD), NULL);
            ReadProcessMemory(pHandle, (void*)(baseAddress + entityList), &eList, sizeof(DWORD), NULL);


            for (int i = 0; i < 32; i++)
            {
               
            }

            if (GetAsyncKeyState(VK_LSHIFT) && cID > 0)
            {
                sendKeyPress();
            }
            Sleep(1);
        }
    }

    return 0;
}

 

[tvojama]

Oneshots "tutorial" I assume
For a tirggerbot of this kind you don't need an entity list I do it this way and it works perfectly.

    ReadProcessMemory(processHandle, (BYTE*)(ClocalPlayer + CrosshairOffset), &CrosshairEntityID, sizeof(int), NULL); //Reads whats in our crosshair
    ReadProcessMemory(processHandle, (BYTE*)(ClocalPlayer + TeamOffset), &OurTeam, sizeof(int), NULL); //Reads our team, does not need to be in a loop but ehh

    ReadProcessMemory(processHandle, (BYTE*)(ClientDLLAddress + EntityBase + (CrosshairEntityID - 1)* LoopDistance), &CBaseEntity, sizeof(DWORD), NULL); //Reads the entity in our sight
    ReadProcessMemory(processHandle, (BYTE*)(CBaseEntity + TeamOffset), &EntityTeam, sizeof(int), NULL); //Reads the entites team including our teammates

    if ((EntityTeam != OurTeam) && (EntityTeam != 0)) //If the corsshairid is not equal our team or zero, shoot
    {
        sendKeyPress();
        Sleep(10);
    }

 

[Rake]

Look at Tutorial - How to loop over the entity list IN DEPTH tutorial

 

[Fr3akNL]

Oneshots "tutorial" I assume
For a tirggerbot of this kind you don't need an entity list I do it this way and it works perfectly.

    ReadProcessMemory(processHandle, (BYTE*)(ClocalPlayer + CrosshairOffset), &CrosshairEntityID, sizeof(int), NULL); //Reads whats in our crosshair
    ReadProcessMemory(processHandle, (BYTE*)(ClocalPlayer + TeamOffset), &OurTeam, sizeof(int), NULL); //Reads our team, does not need to be in a loop but ehh

    ReadProcessMemory(processHandle, (BYTE*)(ClientDLLAddress + EntityBase + (CrosshairEntityID - 1)* LoopDistance), &CBaseEntity, sizeof(DWORD), NULL); //Reads the entity in our sight
    ReadProcessMemory(processHandle, (BYTE*)(CBaseEntity + TeamOffset), &EntityTeam, sizeof(int), NULL); //Reads the entites team including our teammates

    if ((EntityTeam != OurTeam) && (EntityTeam != 0)) //If the corsshairid is not equal our team or zero, shoot
    {
        sendKeyPress();
        Sleep(10);
    }

Thanks for this solution! This is a very good alternative, not what I initially wanted but this serves its purpose.
Just once question, where did you get the LoopDistance from?

 

[Fr3akNL]

Look at Tutorial - How to loop over the entity list IN DEPTH tutorial

Thanks, I was looking for this ^^

 

[tvojama]

Thanks for this solution! This is a very good alternative, not what I initially wanted but this serves its purpose.
Just once question, where did you get the LoopDistance from?

I found it by following Fleep in his triggerbot tutorial in css. You find your base entity pointers and then look through them looking for other pointers. You know you found it when you find entities health value on the health offset. Then you just look how many bytes is it away from your player. Fleep has done a better job of explaining it, check out his tut

 

[inter 2008]

Hi guys,

I followed a tutorial to write a triggerbot on this forum (my apologies but I dont remember which tutorial it was so can't refer to the creator).
I understand the code, and have been able to rewrite it myself and make the code more organized and put the functions in classes.
The main issue here though is that the triggerbot also shoots on teammates, as it only checks if the crosshair ID != 0.

Main question: How do I loop EXTERNALLY through the entitylist and store the found entities?

Code:

int TriggerBot::startTrigger()
{
    mMem mMem;
    mMem.getProcID();
    mMem.getModule();
    baseAddress = mMem.ModuleBaseAddress;

    HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, mMem.procID);
    if (pHandle)
    {
        while (1)
        {
            ReadProcessMemory(pHandle, (void*)(baseAddress + pOffset), &playerBase, sizeof(DWORD), NULL);
            ReadProcessMemory(pHandle, (void*)(playerBase + cOffset), &cID, sizeof(DWORD), NULL);
            ReadProcessMemory(pHandle, (void*)(baseAddress + entityList), &eList, sizeof(DWORD), NULL);


            for (int i = 0; i < 32; i++)
            {
              
            }

            if (GetAsyncKeyState(VK_LSHIFT) && cID > 0)
            {
                sendKeyPress();
            }
            Sleep(1);
        }
    }

    return 0;
}

Hello, you would want to do something like this:

std::vector<DWORD> EntityList;

void GetValues(int iIndex)

    {

            ReadProcessMemory(Process.hProcess, LPVOID(dwEntityList[iIndex] + 0xFC), &iHealth, sizeof(int), NULL);

        }

    }

 

[op1x3r]

I looked at both instructions and neither had the array indexing thingy. I followed the tutorial step by step, but I have gotten only 2 values while the video shows 4, what should I do?
I tried looking into other addresses (Like health & etc), but wasn't able to find the entity list

 

[Rake]

I looked at both instructions and neither had the array indexing thingy. I followed the tutorial step by step, but I have gotten only 2 values while the video shows 4, what should I do?
I tried looking into other addresses (Like health & etc), but wasn't able to find the entity list

are you in an empty map? The entity list won't be looping if there is an empty entity list. Try on a team deathmatch games with bots, it should work fine. If it doesn't, are you using AC 1.2.0.2?

 

[Rake]

I just re-wrote this guide, if you have links or other things to add to this guide please reply.