Tutorial How to do AssaultCube always headshot


till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
Hey guys,

today I'm showing you how to do the "always headshot" hack (for AssaultCube v1.2)
(DL Link: https://github.com/assaultcube/AC/releases)

Q & A:

Q: Does it work for all weapons?
A: No, just sniper.

Q: Does this work only offline?
A: No, it also works in online multiplayer mode.

Q: Why don't we just change the instruction that decreases health?
A: Because health is server sided

Q: Why are we using headshots?
A: Because they're definitely ALWAYS oneshotting ppl.

Q: What do I need to do this hack?
A: basic knowledge of assembler, cheat engine and IDA

So now, let's begin the hacking. First off we select the sniper and spawn some enemies in single player mode deathmatch. Then we open the console with ^ and enter "/idlebots 1".
Now, bots won't attack us and it's easier to work. What we need now is the instruction decreasing the health. As we know already, everybody has 100 HP at start.
So now we search for 4 Bytes -> 100. Now we're shooting at some bot. We will NOT shoot at his head because then he dies :(. After shooting we search for the decreased value
and notice an address with value 18. (You can just search for 18, too, explanation later). Now we see "what writes the address" (Right-click on address..).

We find:
ac_client.exe+29D1F - 29 7B 04 - sub [ebx+04],edi

With our basic knowledge of assembler, we know that edi gets subtracted from [ebx+04] and that [ebx+4] is the health itself.

Now we breakpoint the instruction and shoot someone. We find out that edi is 0x00000052 which is 82 in dec.
Afterwards we try to find out whether or not the function calculates the damage itself. So we breakpoint

ac_client.exe+29C49 - 8B 7D 08 - mov edi,[ebp+08]

Because there, edi is actually set.

Pasting 0x00429C49 in IDA tells us that [ebp+08] and therefore the damage is just an argument being passed to the decrease func.

So we need to find the function calling the decrease function..

We breakpoint
ac_client.exe+29C20 - 55 - push ebp
which is the beginning of the decrease function. Now we press Ctrl+G and enter [Your esp register value, you can see it on the right]. This gets us to the call at

ac_client.exe+26B91 - E8 8A300000 - call ac_client.exe+29C20

So what do we know about the call? We know that it pushes the damage and then the call gets executed and then decrease func gets called.

We find

ac_client.exe+26B8A - 52 - push edx

Changing edx at this point would change the damage after all, but we know it's server-sided. So we need to dig deeper, 2 lines above we see:

ac_client.exe+26B84 - 8B 55 08 - mov edx,[ebp+08]

This is where the damage is set again. We therefore go to 0x00426B84 in IDA. We see that [ebp+08] is recognized as arg_0.

Going to the top of the function which is at 0x004269F0 we see that 5 arguments are passed, among them obviously our damage.

We will now watch our stack - in memory view, press ctrl+D and paste your ESP value.
at offset 4, we see our 82 so the damage. Now, we press continue and shoot someone in the head. We see that the argument has changed to 246 which is 82*3.
What we have acknowledged by that is, that the function we're currently in does NOT calculate our damage. So same trick again, Ctrl+G and paste [your esp value].

ac_client.exe+60AB7 - E8 345FFCFF - call ac_client.exe+269F0

calls our function. Knowing that the first argument always gets pushed last, we see this:

ac_client.exe+60AB4 - 53 - push ebx

Now, we compare our values from EBX with our damage and yea they are the same obviously..... So now we have to find out where ebx is set.

Scrolling up to the function beginning we see:

ac_client.exe+608BD - 8B 9C 24 14010000 - mov ebx,[esp+00000114]

And in IDA that's an arg again (arg_0).

Ctrl+G [esp] shows us

ac_client.exe+60B64 - E8 47FDFFFF - call ac_client.exe+608B0

and the latest pushed arg is

ac_client.exe+60B43 - 50 - push eax

EAX gets set at

ac_client.exe+60B39 - 8B 44 24 1C - mov eax,[esp+1C]

and pasting it into IDA it says [esp+1C] is actually another argument.

Breakpointing
ac_client.exe+60AD0 - 83 EC 0C - sub esp,0C
and viewing the stack shows us that ESP+4 is the damage. We now go to the caller, ctrl+g [esp]

And find

ac_client.exe+61795 - E8 36F3FFFF - call ac_client.exe+60AD0

Just in case you ask yourself why we are going this deep - breakpointing and seeing the arguments will show you that the damage doesn't get calculated in the functions
we analyzed.

ac_client.exe+61789 - 53 - push ebx
is the damage

Scrolling up we find something interesting - under certain conditions, this gets executed:

ac_client.exe+61769 - 8D 1C 5B - lea ebx,[ebx+ebx*2]

Let's take a look at this:
ac_client.exe+61762 - 83 7C 24 1C 02 - cmp dword ptr [esp+1C],02
if [esp+1C] is 2,

ac_client.exe+61769 - 8D 1C 5B - lea ebx,[ebx+ebx*2]
ac_client.exe+6176C - B1 01 - mov cl,01
ac_client.exe+6176E - 88 4C 24 18 - mov [esp+18],cl

gets executed. What do we know about the headshot damage? It's 246, which is 3 times 82.
So
ac_client.exe+61769 - 8D 1C 5B - lea ebx,[ebx+ebx*2]
multiplies ebx (the damage) by 3.

But only if:
- [esp+1C] is 2
- esi is NOT [0050F4F4]
- and ebp is 5

let's just breakpoint
ac_client.exe+61751 - 85 ED - test ebp,ebp
and shoot someone but not in the head.

We see that, in fact, EBP is 5. Stepping through with F8 we see that it meets every condition but
cmp dword ptr [esp+1C],02
So now we do the same thing with shooting someone in the head and see that the condition is met if we aimed at the head.

So why don't we remove the condition and multiply our damage by 3 and set CL to 1 and then [esp+18] to 1, too?

ac_client.exe+61767 - 90 - nop
ac_client.exe+61768 - 90 - nop

Let's now shoot someone in the leg.

We notice that he gets killed by 1 shot. Also it says "you HEADSHOT ..."

Removing this condition we always headshot. Trying this out online we will find out that it works there too.

right-clicking

ac_client.exe+61748 - 8B 6A 04 - mov ebp,[edx+04]

"Find out what addresses the instruction accesses"
and shooting with our pistol and then the sniper will show us that [edx+04] is the weapon ID.




I hope that, despite the length caused by the in-depth explanations, you could follow this little tutorial which I was requested to do.
Have fun and if you have questions, ask me :)


A video of the hack (playing online):
https://www.youtube.com/watch?v=X26ueiXeEyc
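Seen from the anti-cheat side, the reason this patch works is that the headshot multiplier branch at ac_client.exe+61762 lives in client code and the server takes the resulting damage on trust. The usual client-side countermeasure is a code-integrity check: snapshot the bytes of such a critical region at startup and periodically compare the live bytes (or their hash) against the snapshot. The C++ below is an added example of that check, not code from the tutorial or from AssaultCube. The byte buffer is a constructed stand-in for that code region: the cmp bytes 83 7C 24 1C 02 and the lea/mov bytes are the ones the tutorial lists, while the two branch bytes after the cmp are placeholders (the thread only shows them after they were NOPed), and `patch_like_tutorial` reproduces the two-NOP write on a copy of the buffer so the check has something to detect.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for the client code region starting at
// ac_client.exe+61762. The first five bytes are the cmp the tutorial shows
// (83 7C 24 1C 02 = cmp dword ptr [esp+1C],02). The next two bytes stand in
// for the conditional branch that the tutorial overwrites with 90 90; their
// real values are not in the thread, so 0xAA 0xBB are placeholders.
static const std::vector<uint8_t> kGoldenRegion = {
    0x83, 0x7C, 0x24, 0x1C, 0x02,   // cmp dword ptr [esp+1C],02
    0xAA, 0xBB,                     // placeholder: 2-byte conditional jump
    0x8D, 0x1C, 0x5B,               // lea ebx,[ebx+ebx*2]  (damage * 3)
    0xB1, 0x01,                     // mov cl,01
    0x88, 0x4C, 0x24, 0x18          // mov [esp+18],cl
};

// FNV-1a, 32-bit: small, fast, and enough to notice any single-byte change.
// Cryptographic strength buys nothing here because the cheater controls the
// process anyway; the check only raises the bar and produces a signal.
uint32_t fnv1a32(const uint8_t* data, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; ++i) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

// Snapshot taken at load time: the bytes and hash the region must keep matching.
struct RegionGuard {
    std::vector<uint8_t> golden;
    uint32_t golden_hash;
    explicit RegionGuard(const std::vector<uint8_t>& bytes)
        : golden(bytes), golden_hash(fnv1a32(bytes.data(), bytes.size())) {}
};

// Fast path: true if the current bytes still hash to the snapshot value.
bool region_intact(const RegionGuard& g, const std::vector<uint8_t>& current) {
    return current.size() == g.golden.size() &&
           fnv1a32(current.data(), current.size()) == g.golden_hash;
}

// Slow path, run only on mismatch: which offsets changed, for the report.
std::vector<size_t> patched_offsets(const RegionGuard& g,
                                    const std::vector<uint8_t>& current) {
    std::vector<size_t> diffs;
    size_t n = current.size() < g.golden.size() ? current.size() : g.golden.size();
    for (size_t i = 0; i < n; ++i)
        if (current[i] != g.golden[i]) diffs.push_back(i);
    return diffs;
}

// Simulates the tutorial's edit on a copy of the region: the two bytes after
// the cmp become NOPs, so the multiply-by-3 block runs unconditionally.
std::vector<uint8_t> patch_like_tutorial(std::vector<uint8_t> region) {
    region[5] = 0x90;
    region[6] = 0x90;
    return region;
}

int main() {
    RegionGuard guard(kGoldenRegion);
    std::vector<uint8_t> live = kGoldenRegion;          // unmodified client
    std::printf("clean region intact: %s\n", region_intact(guard, live) ? "yes" : "no");

    live = patch_like_tutorial(live);                   // after the hack
    std::printf("patched region intact: %s\n", region_intact(guard, live) ? "yes" : "no");
    for (size_t off : patched_offsets(guard, live))
        std::printf("  byte at +%zu changed: %02X -> %02X\n",
                    off, guard.golden[off], live[off]);
    return 0;
}
```

In a real client the golden bytes come from the module on disk (or from a signed manifest), the check runs from several places and at irregular intervals, and a mismatch is reported to the server rather than acted on locally, since anything that only lives in the client can itself be patched out.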
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
Neoster, it seems I was wrong! :D

Thanks for taking the time to make the tutorial till0sch :)

One quick note, how exactly is AssaultCube handling everything? I thought all of your information was client-sided, and on servers everyone has their information sent and received through packets. (This could explain why health doesn't increase when changing it, as the server handles your health itself (?))
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Awesome tutorial till0sch!!!


One quick note, how exactly is AssaultCube handling everything? I thought all of your information was client-sided, and on servers everyone has their information sent and received through packets
Depending on the function, either:
1) the Client or the Server do the calculation
2) Both Client and Server do the calculations

In either case the game code has to decide which side is the authority. The side that has the authority will replicate that information when necessary to the other side. Or the other way around.
The client trusts that the server has the correct health value and will use the servers health value when it is replicated to the client.
The server trusts that the client did the dmg function correctly and takes its value as fact.

I highly recommend reading these, it is for Unreal Engine but the concept is generic:

https://wiki.beyondunreal.com/Introduction_to_replication
https://wiki.beyondunreal.com/Every...ow_about_replication_(but_were_afraid_to_ask)
 
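Rake's point is the one that actually decides whether the tutorial's patch works online: the client computes the damage (including the x3 headshot multiplier) and the server takes that number as fact. The server-side fix is to make the server the authority for damage, i.e. treat the client's number as a claim and check it against what the server computes itself. The C++ below is an added example of that validation, not AssaultCube's code. The sniper's 82 base damage, the x3 headshot multiplier and the 100 HP start value are the figures the thread observed, the weapon IDs follow Solaire's list further down the thread, and the pistol damage (`kPistolDamage`), the `HitZone` enum and the `HitReport` layout are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>

// Weapon IDs as listed in Solaire's post. Damage values: the sniper's 82 is
// the figure the tutorial observed; the pistol value is a constructed
// placeholder so the table has a second entry to exercise.
enum Weapon : int { Knife = 0, Pistol = 1, Carbine = 2, Shotgun = 3,
                    Submachine = 4, Sniper = 5, ARifle = 6, Grenade = 8, Akimbo = 9 };
static const int kSniperDamage = 82;   // from the thread
static const int kPistolDamage = 18;   // constructed placeholder
static const int kHeadshotMul  = 3;    // thread: 246 = 82 * 3
static const int kStartHealth  = 100;  // thread: everybody starts at 100 HP

// Where the server's own hit resolution says the shot landed. The zone must
// come from the server's simulation, never from the client's packet,
// otherwise the client just claims "head" instead of claiming 246.
enum class HitZone { Body, Head };

struct Player { int health = kStartHealth; };

// What a client reports after it thinks it scored a hit (constructed layout).
// The damage field is exactly the value the hack inflates; it is untrusted.
struct HitReport {
    int weapon;
    int claimed_damage;
};

// Server-authoritative damage: recomputed from the weapon and the
// server-determined zone. Returns -1 for a weapon it has no table entry for.
int expected_damage(int weapon, HitZone zone) {
    int base;
    switch (weapon) {
        case Sniper: base = kSniperDamage; break;
        case Pistol: base = kPistolDamage; break;
        default:     return -1;
    }
    return zone == HitZone::Head ? base * kHeadshotMul : base;
}

enum class Verdict { Accepted, Rejected };

struct HitResult {
    Verdict verdict;
    int applied_damage;   // what the server actually subtracted
};

// Validate the client's claim against the server's own number and apply only
// the server's number. A mismatch is logged and the hit is dropped; a real
// server would also count mismatches per client to drive kick/ban decisions.
HitResult apply_hit(Player& target, const HitReport& r, HitZone server_zone) {
    int expected = expected_damage(r.weapon, server_zone);
    if (expected < 0 || r.claimed_damage != expected) {
        std::printf("REJECT weapon=%d claimed=%d expected=%d\n",
                    r.weapon, r.claimed_damage, expected);
        return {Verdict::Rejected, 0};
    }
    target.health -= expected;
    if (target.health < 0) target.health = 0;
    return {Verdict::Accepted, expected};
}

int main() {
    // Legitimate sniper body shot: 82 damage, 100 -> 18 (the value the
    // tutorial found in memory after its first shot).
    Player bot;
    HitResult r1 = apply_hit(bot, {Sniper, 82}, HitZone::Body);
    std::printf("body shot: %s, health=%d\n",
                r1.verdict == Verdict::Accepted ? "accepted" : "rejected", bot.health);

    // The hack's output: a leg shot reported as 246. The server resolved the
    // hit to the body, so the claim is rejected and health is unchanged.
    Player bot2;
    HitResult r2 = apply_hit(bot2, {Sniper, 246}, HitZone::Body);
    std::printf("inflated leg shot: %s, health=%d\n",
                r2.verdict == Verdict::Accepted ? "accepted" : "rejected", bot2.health);
    return 0;
}
```

Once the server recomputes damage, the client's value becomes redundant and the cleaner design is to stop sending it at all: the client reports the shot, the server resolves the hit and the damage, and the client only ever receives the resulting health, which is the direction of trust Rake describes for the health value.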

squeenie

Hacker
Meme Tier VIP
Dank Tier Donator
Mar 6, 2013
This is a beautiful tut and you are the man
 

Liduen

Hacker
Dank Tier VIP
May 19, 2013
Nice tutorial! :)

But why does it only work with snipers?
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
Nice tutorial! :)

But why does it only work with snipers?
Offline it works with every weapon. Online only with Snipers since servers seem to store your weapon or sth
 

Liduen

Hacker
Dank Tier VIP
May 19, 2013
Offline it works with every weapon. Online only with Snipers since servers seem to store your weapon or sth
Hmm, doesn't sound that convincing ^^
How about faking the id by hooking the function? So you can pretend it's a sniper you're hitting with? Does that work? :D
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
Hmm, doesn't sound that convincing ^^
How about faking the id by hooking the function? So you can pretend it's a sniper you're hitting with? Does that work? :D
I'm sure if you reversed the functions you could probably send in the client ID and the amount of damage you want done. Of course, it may not be possible lol

EDIT: There are parameters for the damage function, and one is the weapon damage type ID.

Here's info on the Take Damage Funct.
C++:
Take Damage Funct Begin - 429C20
Health Sub - 429D1F
Take Damage Funct End - 429D29

3 Parameters

EBX is the player ID
EAX is the type of weapon you shoot them with
EDX Hold the amount of damage taken

	0 = Knife
	1 = Pistol
	2 = Carbine
	3 = Shotgun
	4 = Submachine gun
	5 = Sniper Rifle
	6 = ARifle
	8 = Grenade
	9 = Akimbo

00426B84  |.  8B55 08       MOV EDX,DWORD PTR [EBP+8]                ;  Amount of damage taken
00426B87  |.  8B45 10       MOV EAX,DWORD PTR [EBP+10]               ;  Type of weapon used to cause the damage
00426B8A  |.  52            PUSH EDX                                 ; /Arg1
00426B8B  |.  8D9E F4000000 LEA EBX,DWORD PTR [ESI+F4]               ; |Player's ID
00426B91  |.  E8 8A300000   CALL ac_clien.00429C20                   ; \Take Damage Call
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
I'm sure if you reversed the functions you could probably send in the client ID and the amount of damage you want done. Of course, it may not be possible lol

EDIT: There are parameters for the damage function, and one is the weapon damage type ID.

Here's info on the Take Damage Funct.
C++:
Take Damage Funct Begin - 429C20
Health Sub - 429D1F
Take Damage Funct End - 429D29

3 Parameters

EBX is the player ID
EAX is the type of weapon you shoot them with
EDX Hold the amount of damage taken

	0 = Knife
	1 = Pistol
	2 = Carbine
	3 = Shotgun
	4 = Submachine gun
	5 = Sniper Rifle
	6 = ARifle
	8 = Grenade
	9 = Akimbo

00426B84  |.  8B55 08       MOV EDX,DWORD PTR [EBP+8]                ;  Amount of damage taken
00426B87  |.  8B45 10       MOV EAX,DWORD PTR [EBP+10]               ;  Type of weapon used to cause the damage
00426B8A  |.  52            PUSH EDX                                 ; /Arg1
00426B8B  |.  8D9E F4000000 LEA EBX,DWORD PTR [ESI+F4]               ; |Player's ID
00426B91  |.  E8 8A300000   CALL ac_clien.00429C20                   ; \Take Damage Call
afaik it gets the weaponID from ur playerbase and just passes it

I think this was pb +374 or 384 +4 i will check it out asap
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
Hmm, doesn't sound that convincing ^^
How about faking the id by hooking the function? So you can pretend it's a sniper you're hitting with? Does that work? :D
Do I look like I'm here to convince people? If you want to reverse it, just do it
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
afaik it gets the weaponID from ur playerbase and just passes it

I think this was pb +374 or 384 +4 i will check it out asap
Ah. Would passing people's IDs through the take damage function cause them damage (Online)? Or would that not work? I know that offline it would quite easily.

EDIT:
Couldn't you just reverse the function that determines how much damage is done and make it constantly do 1 hit kills?

Like find out what's at DWORD PTR [EBP+8] and reverse whatever it is :p
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
Ah. Would passing people's IDs through the take damage function cause them damage (Online)? Or would that not work? I know that offline it would quite easily.

EDIT:
Couldn't you just reverse the function that determines how much damage is done and make it constantly do 1 hit kills?

Like find out what's at DWORD PTR [EBP+8] and reverse whatever it is :p
It does work. Take a look at
ac_client.exe+6173A - 3B FD - cmp edi,ebp
this

I will release a hack on that. You can just do sth like an aimbot but you don't care whether walls are in between or whatever. You can just kill someone if you know their CN and it works online.


I'm currently programming an online only hack which only features a memory triggerbot yet - but it will have the onehit kills too...
It will also enable another feature - wherever you shoot, the hack will make you shoot at your nearest enemy.....

Also shoot through walls

AnomanderRake has fortunately released the game mode variables which I will use.
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
It does work. Take a look at
ac_client.exe+6173A - 3B FD - cmp edi,ebp
this

I will release a hack on that. You can just do sth like an aimbot but you don't care whether walls are in between or whatever. You can just kill someone if you know their CN and it works online.


I'm currently programming an online only hack which only features a memory triggerbot yet - but it will have the onehit kills too...
It will also enable another feature - wherever you shoot, the hack will make you shoot at your nearest enemy.....

Also shoot through walls

AnomanderRake has fortunately released the game mode variables which I will use.
Nice find! Good luck :)
 