Internal Hack Referencing Player Vector


Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,105
78,998
2,374
The honorable Spock had shared his source for his internal aimbot using MS detours here:
https://bitbucket.org/Zavyr/qframework-assault-cube
Big thanks to Spock for sharing. I'm using his hook code to create my first internal aimbot.

So instead of reading the player vector data into my own local vector I just want to reference the game's player vector, but no matter what I do when I debug it, it looks like this:



If my code was correct wouldn't it populate that vector and show me the class variables of each element like in my localplayer:




I think I am doing it right, my question is WHY when I debug in VS doesn't it fill out the playervector fields with the data....
Superspinne was helping me but we couldn't figure out the exact issue so thanks Superspinne!


C++:
//GuidedHacking.com
//All Credits go to Spock on this one!
//All addresses are for Single player bot modes


#include <Windows.h>
#include <vector>
#include "detours.h"
using namespace std;


struct Vec3Pos
{
    float x, y, z;
};


struct Vec3Angle
{
    float yaw, pitch, roll;
};


class PlayerClass
{
public:
    char _0x0000[4];
    Vec3Pos locationhead; //0x0004 
    char _0x0010[36];
    Vec3Pos location; //0x0034 
    float angleyaw; //0x0040 
    float anglepitch; //0x0044 
    float angleroll; //0x0048 
    char _0x004C[172];
    __int32 health; //0x00F8 
    __int32 armor; //0x00FC 
    char _0x0100[292];
    BYTE N002C274F; //0x0224 
    char name[16]; //0x0225 
    char _0x0235[247];
    BYTE team; //0x032C 
    char _0x032D[11];
    BYTE state; //0x0338 
};


//function to hook:
typedef void(__cdecl *gl_drawHUD) (int w, int h, int curfps, int nquads, int curvert, bool underwater);
gl_drawHUD drawTheHUD;


//my function:
void myFunction(int w, int h, int curfps, int nquads, int curvert, bool underwater)
{
    drawTheHUD(w, h, curfps, nquads, curvert, underwater);

    //these lines work perfectly fine
    PlayerClass * localPlayer = (PlayerClass*)*(DWORD*)(0x509B74);
    localPlayer->health = 999;
    PlayerClass * firstplayerinvector = (PlayerClass*)*(DWORD*)*(DWORD*)0x510d90;


    //none of these lines seem to work, what's the problem?
    //vector<PlayerClass*> * playerVector = (vector<PlayerClass*>*)0x510d90;
    //vector<PlayerClass*> * playerVector1 = (vector<PlayerClass*>*)0x50F4F8;
    //vector<PlayerClass> * playerVector3 = (vector<PlayerClass>*)(*(DWORD*)(0x510D90));

    vector<PlayerClass*> * playerVector2 = (vector<PlayerClass*>*)(*(DWORD*)(0x510D90));
}




DWORD WINAPI internalAimbot(LPVOID param)
{


    while (!GetModuleHandle("ac_client.exe"))
    {
        Sleep(200);
    }


    drawTheHUD = (gl_drawHUD)((DWORD)GetModuleHandleA("ac_client.exe") + 0xAAF0);


    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)drawTheHUD, myFunction);
    DetourTransactionCommit();


    return NULL;
}


BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, LPVOID reserved)
{
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, internalAimbot, 0, 0, 0);
        DisableThreadLibraryCalls(instance);
        break;
    }


    return TRUE;
}


 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
Credits to Spock for all of this:

So essentially you can read the player's address through their client ID, then check if the pointer is NULL (EZPZ)
C++:
typedef DWORD* (_fastcall *_GetClientById)(int cn);
_GetClientById GetClientById = _GetClientById((DWORD)GetModuleHandle(NULL) + 0x27320);

DWORD * pLocal = *(DWORD**)(0x50F4F4); // Local player
So, we get the GetClientById funct set up, then create our local player (Which you can do as a global :D).

Inside of your functions to loop through the entities, do something similar to this:
C++:
for (int i = 0; i < 32; i++)
{
    DWORD * Entity = (DWORD*)GetClientById(i);

   //You can make a class for the entity, such as using your PlayerClass to grab health easily
    if (!Entity || Entity == pLocal || Entity[0xF8 / sizeof(DWORD)] <= 0 || Entity[0xF8 / sizeof(DWORD)] > 100)
        continue;

   //Do whatever you want with the entity here
}
You can just use GetClientById to grab the entity address, and use that to loop through them. If you use the SDK, you can replace the DWORDs with playerent pointers. Btw, afaik this will work online as well.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,105
78,998
2,374
Anyone else have any thoughts on creating a local pointer in my .dll that points to the game's vector and using it to access elements of that vector? The idea is to not use an array, just to use the game's vector, which manages itself so I don't have to.
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
Rake said:
Anyone else have any thoughts on creating a local pointer in my .dll that points to the game's vector and using it to access elements of that vector? The idea is to not use an array, just to use the game's vector, which manages itself so I don't have to.
Look in the source for functions that access this vector, or functions that pass it as a parameter. Then reverse the function and grab the vector address there.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,105
78,998
2,374
Straight from source clientgame.cpp:
C++:
playerent *player1 = newplayerent();          // our client //   0x50F4F4???
vector<playerent *> players;                  // other clients //    0x50F4F8???

Are you saying that 0x50F4F8 is just where the vector allocates the elements of the vector but that the "vector" address is somewhere different? I was thinking about that too; I should create a vector in my own program and view it in memory to see its internals maybe.

But then again Spock didn't do that he just did this:
C++:
vector<playerent*> *botArray = (vector<playerent*>*)0x50F4F8; // Array of bots.
Calling all Spocks!!!
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,105
78,998
2,374


The vector is a template/container that manages its own internal array. The address of the vector can be found using the addressof (&) operator, but the array is stored elsewhere.
Based on this I don't believe Spock's code works unless I am completely retarded.

So we have 0x50F4F8 which I know now is the address of the internal array that the vector manages. But in order to assign a pointer to the vector as requested I must find the actual address of the vector. Hmmmm!
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
1,104
12,593
51
I think you have 1 address (0x50F4F4) which uses 4-byte pointers which lead directly to the structure.
So every element first off may contain a pointer to an element of that structure.


I always thought this was the way vectors stored stuff..
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,105
78,998
2,374
StackOverFlow said:
1)
The internals of the vector are implementation specific, but a typical implementation will contain 3 pointers; one each to keep track of start of array, size of vector and capacity of vector.

2)
Note that vector inherits from _Vector_val, which contains the following members:

C++:
pointer _Myfirst;   // pointer to beginning of array
pointer _Mylast;    // pointer to current end of sequence
pointer _Myend; // pointer to end of array
_Alty _Alval;   // allocator object for values
3)
A typical (though by no means mandatory) implementation of vector is to have three consecutive words:

C++:
struct TypicalVector
{
    T * start;
    T * end;
    T * capacity;
};
Based on StackOverflow and my testvector investigation from my last post it would make sense that 0x50F4F8 is the pointer labeled "pointer _Myfirst" or "T * start"

But I've been unable to trace backwards and find anything... depends on implementation, but supposedly the vector is placed on the stack and the array it manages resides on the heap...
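Rake's two posts above (the vector managing its own array, and the StackOverflow summary of three consecutive pointers) can be checked in-process. The following is an added example, not code from the thread or from Spock's project: it copies the raw words out of a std::vector<T*> and shows that the first word is the address of the heap array while &v is the address of the vector object, and that only the array moves on reallocation. It assumes the three-pointer layout of libstdc++, libc++ and MSVC release builds (MSVC debug builds prepend a proxy pointer, so first_word_is_storage() reports false there); the Entity struct and health values are constructed.

```cpp
#include <cstring>
#include <vector>

struct Entity { int health; };   // constructed stand-in for the player struct

// Assumed layout (libstdc++, libc++, MSVC release): three consecutive pointers.
struct VectorWords {
    Entity **first;   // start of the heap array (the thread's "T * start")
    Entity **last;    // one past the last live element
    Entity **end;     // one past the allocated capacity
};

// Copy the vector object's raw words out instead of aliasing it through a cast.
static VectorWords read_words(const std::vector<Entity*> &v) {
    VectorWords w{};
    std::memcpy(&w, &v, sizeof(w));
    return w;
}

// True when the object is exactly three words and its first word is the
// address of the element storage: that word points at the array, &v at the vector.
bool first_word_is_storage(const std::vector<Entity*> &v) {
    return sizeof(v) == sizeof(VectorWords) && read_words(v).first == v.data();
}

// Walk the array using only the recovered start/end words, as a raw reader would.
int total_health_via_words(const std::vector<Entity*> &v) {
    VectorWords w = read_words(v);
    int total = 0;
    for (Entity **p = w.first; p != w.last; ++p) total += (*p)->health;
    return total;
}

// Constructed sample: three entities with known health values.
std::vector<Entity*> make_sample() {
    static Entity pool[3] = {{50}, {75}, {100}};
    return {&pool[0], &pool[1], &pool[2]};
}

// After a reallocation the vector object stays where it is but its storage moves,
// so a pointer saved to the old array goes stale while &v remains valid.
bool storage_moves_but_object_stays() {
    std::vector<Entity*> v = make_sample();
    const void *object_before = &v;
    Entity **storage_before = v.data();
    v.reserve(v.capacity() * 4 + 16);   // forces a fresh, larger allocation
    return object_before == &v && storage_before != v.data();
}
```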
 

HalfWayToHell333

Jr.Coder
Silenced
Full Member
Nobleman
Jun 23, 2014
80
783
3
Maybe I am missing a point but,
If you store pointers in a vector, then the compiler can't really optimize the output.
If you use instances instead, the compiler can align the objects in memory, which will make the tracing easier.
Maybe it's useful.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,105
78,998
2,374
Also curious if the compiler can turn a vector into an array as an optimization
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
Try vector<PlayerClass*> * playerVector2 = (PlayerClass*)(0x50F4F4);

Just curious if it would work.
 