Solved Multi-Offset Entity Base


Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
1,051
16,353
62
I found the entity base for assault cube, but in the structure dissector it goes down through several pointers. How would I go through the several offsets to access the entity base and loop through the players? Like if the entity base is at 0000, then when I enter that pointer I see the bases of all 6 or so players. I then have 0000, 0004, 0008, 000C and so on. Then to access the health, I'd go to the offset F8 in the 6 players bases.

Would I add the first offset for entering the first pointer, the second to enter the second pointer, then the last to access the parts of the base? If so, should I use the FindDMAaddy function that is in several of Fleep's videos?


The address I got for the entity base is "ac_client.exe"+00110D90, and its offsets are 0, 0+(4 bytes each additional player, starting at 0), then F8 to access the health.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,118
78,998
2,392
Update: Use START HERE Beginners Guide to Learning Game Hacking - Guided Hacking

You only need to use FindDMAAddy once to find your Players struct, and once to find the EntityList. Here is a piece of my code and some extra to clarify, hope it helps:

C++:
DWORD HealthAddress;
DWORD HealthOffset = 0x31C;

DWORD RunSpeedAddress;
DWORD RunSpeedOffset = 0x26C;

DWORD JumpHeightAddress;
DWORD JumpHeightOffset = 0x27C;

DWORD PawnBaseAddress;
DWORD Bot1BaseAddress, Bot1HealthAddress, Bot1RunSpeedAddress, Bot1JumpHeightAddress;

/*
CalculatePointer = FindDmaAddy and PawnBaseAddress is myPlayer's BaseAddress.
I only need to call FindDmaAddy once for each player/bot to find the BaseAddress of its struct.
Then I just add each offset to get to the values I need. The offsets into the data structure are the same for player/bot data structures.
*/
PawnBaseAddress = CalculatePointer(hProcHandle, 3, PawnBasePointerOffsets, PawnBasePointer);

HealthAddress = PawnBaseAddress + HealthOffset;
RunSpeedAddress = PawnBaseAddress + RunSpeedOffset;
JumpHeightAddress = PawnBaseAddress + JumpHeightOffset;

//You could make it easier for practice and only have a match with only you and 1 bot
//So you'd only have to repeat once

Bot1BaseAddress = PawnBaseAddress + EntityLoopDistance; //EntityLoopDistance = size of one player struct
Bot1HealthAddress = Bot1BaseAddress + HealthOffset;
Bot1RunSpeedAddress = Bot1BaseAddress + RunSpeedOffset;
Bot1JumpHeightAddress = Bot1BaseAddress + JumpHeightOffset;
 

Rake

Cesspool Admin
Administrator
The address I got for the entity base is "ac_client.exe"+00110D90, and its offsets are 0, 0+(4 bytes each additional player, starting at 0), then F8 to access the health.
Can you answer this so I can try to help? I'm confused.

You are saying the pointer to the Health Address for the player (you) is a 3 level pointer:
Base Address: "ac_client.exe"+00110D90
Offset to next pointer = +0
Offset to next pointer = +0
Offset to health value = +F8

Is that correct?
 

Solaire

Respected Hacker
Dank Tier VIP
Yep. The second offset is which player it is. Like offset 0000 would be player #1, and 0004 would be player #2, etc.

I attempted to code it, and whenever I turn the aimbot piece on the game crashes. I'm assuming that I must be writing to something I shouldn't be.
 

Rake

Cesspool Admin
Administrator
GBM I wanted to sum up part of our chatbox conversation so that other members might learn from it or help out:

So your thought is that using this 3 level pointer:

Base Address: "ac_client.exe"+00110D90
Offset 1 = +0
Offset 2 = +0
Offset 3 = +0

Would put you at the base address of the player (you) struct. (And that adding F8 to it would be the address that holds your health value.)

Your question was: "How would I go through the several offsets to access the entity base and loop through the players?"
You would use the FindDmaAddy function that Fleep uses. That function will return the correct address that you can use for the rest of your code.

Is that address also the beginning of the EntityList, or for all intents and purposes can it be used as the beginning of the entity list? I think so.

So the entity list is a section in memory that holds all the player data structs, and if each player data structure is the same size (which they should be because they are of the same class, although some games have different classes for bots/human players) hopefully they are stored one after the next in memory. By taking the base address of one player data struct and adding the structure size, you get the base address of the next player data struct, and EntityLoopDistance would be the number of bytes, or size, of the player data structure. I guess there could be a buffer in between each struct, but it appears in Source Engine games and Assault Cube there is no buffer. So you would read Player1BaseAddress as the first address of your entity list, add the size of the structure (EntityLoopDistance) to yield Player2BaseAddress. You would then code Player2HealthAddress = Player2BaseAddress + F8 or whatever.

Side note: in the Unreal Engine there is no entity list; there is a huge linked list of objects (could be 10,000, could be 200,000), and the players/bots don't reside in any specified area in memory.

You can use the standard methods, but it's not the most efficient route for Unreal Engine. The best route is dumping an SDK:
https://guidedhacking.com/threads/how-to-dump-an-unreal-engine-sdk.10660/
https://guidedhacking.com/resources...nreal-sdk-generator-gobject-gnames-finder.26/
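The pointer chain and entity-list loop Rake describes above, as an added example that is not code from this thread or from Fleep's tutorials. It runs against a constructed 32-bit memory image instead of a live process: the static pointer slot, the array address, the 0x200 struct size and the health values are all made up for the example; only the 4-byte list stride and the +0xF8 health field follow the thread. ReadDword stands in for ReadProcessMemory and refuses any read outside the image, the FindDmaAddy reimplementation keeps the same calling convention as Fleep's (dereference the base, add-and-dereference every offset but the last, add the last), and WrongLevelHealthAddress shows what happens when the field offset is passed as one more pointer level: the walk dereferences a float field as a pointer and lands far outside the module, which a bounds-checked read then rejects.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed 32-bit "target process" image of 0x2000 bytes mapped at kImageBase.
// Every address, the struct size and the health values are made up for this
// example; only the 4-byte list stride and the +0xF8 health field follow the thread.
static const uint32_t kImageBase    = 0x00400000;
static const uint32_t kImageSize    = 0x2000;
static const uint32_t kListPointer  = 0x00400100; // static slot, stand-in for "ac_client.exe"+offset
static const uint32_t kEntityArray  = 0x00400200; // DWORD array: one entity base pointer per player
static const uint32_t kEntityStart  = 0x00400400; // where the first player struct lives
static const uint32_t kEntitySize   = 0x200;      // assumed size of one player struct
static const uint32_t kStride       = 0x4;        // EntityLoopDistance in the thread
static const uint32_t kHealthOffset = 0xF8;       // health field, as in the thread
static const uint32_t kPosXOffset   = 0x4;        // position X float, as in the thread
static const int      kNumEntities  = 6;
static const int      kHealth[kNumEntities] = {100, 85, 0, 40, 100, 12};

// Builds the image on first use so every entry point works stand-alone.
static std::vector<uint8_t>& Image()
{
	static std::vector<uint8_t> img;
	if (img.empty())
	{
		img.assign(kImageSize, 0);
		auto put32 = [&img](uint32_t addr, uint32_t v) { std::memcpy(&img[addr - kImageBase], &v, 4); };
		put32(kListPointer, kEntityArray);
		for (int i = 0; i < kNumEntities; ++i)
		{
			uint32_t ent = kEntityStart + i * kEntitySize;
			put32(kEntityArray + i * kStride, ent);
			put32(ent + kHealthOffset, (uint32_t)kHealth[i]);
			float x = 123.5f;                       // constructed position X (bit pattern 0x42F70000)
			uint32_t bits;
			std::memcpy(&bits, &x, 4);
			put32(ent + kPosXOffset, bits);
		}
	}
	return img;
}

// Stand-in for ReadProcessMemory: returns false instead of reading outside the image.
bool ReadDword(uint32_t addr, uint32_t* out)
{
	if (addr < kImageBase || addr > kImageBase + kImageSize - 4) return false;
	std::memcpy(out, &Image()[addr - kImageBase], 4);
	return true;
}

bool IsReadable(uint32_t addr) { uint32_t v; return ReadDword(addr, &v); }

// Same calling convention as Fleep's FindDmaAddy: dereference the base, then for every
// offset but the last add-and-dereference, and return (not dereference) the final address.
// A level-N chain therefore performs N reads; 0 signals a failed or null read.
uint32_t FindDmaAddy(int level, const uint32_t* offsets, uint32_t base)
{
	uint32_t ptr;
	if (level < 1 || !ReadDword(base, &ptr)) return 0;
	for (int i = 0; i < level - 1; ++i)
		if (ptr == 0 || !ReadDword(ptr + offsets[i], &ptr)) return 0;
	return ptr + offsets[level - 1];
}

// Rake's advice: walk the chain once per entity to get its struct base...
uint32_t EntityBase(int index)
{
	uint32_t offs[] = { (uint32_t)index * kStride, 0x0 };
	return FindDmaAddy(2, offs, kListPointer);
}

// ...then reach each field by plain addition; -1 means the entry could not be read.
int HealthOf(int index)
{
	uint32_t base = EntityBase(index), v;
	if (base == 0 || !ReadDword(base + kHealthOffset, &v)) return -1;
	return (int)v;
}

// The entity loop: step through the list by stride and stop at the first unreadable entry.
int CountReadable(int maxEntities)
{
	int n = 0;
	while (n < maxEntities && HealthOf(n) != -1) ++n;
	return n;
}

// The mistake this thread runs into: passing the field offset as one more pointer level.
// {0, 4*i, 0xF8} at level 3 dereferences entity 0's position X float as a pointer, so the
// "health address" ends up far outside the module and the next read fails.
uint32_t WrongLevelHealthAddress(int index)
{
	uint32_t offs[] = { 0x0, (uint32_t)index * kStride, kHealthOffset };
	return FindDmaAddy(3, offs, kListPointer);
}

int main()
{
	for (int i = 0; i < CountReadable(16); ++i)
		std::printf("entity %d base %08X health %d\n", i, (unsigned)EntityBase(i), HealthOf(i));
	std::printf("wrong-level address for entity 1: %08X readable=%d\n",
	            (unsigned)WrongLevelHealthAddress(1), (int)IsReadable(WrongLevelHealthAddress(1)));
	return 0;
}
```

The point to take away is that a level-N chain performs N reads and one final add: the field offset is only added, never dereferenced, so it appears in the offset list exactly once and the level count must match the number of real pointers. Against a live process the same bounds check is what a failing ReadProcessMemory return value gives you, and ignoring that return value is how a wrong chain turns into garbage reads or a crash.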
 

rickblack28

Jr.Coder
Full Member
Nobleman
Sep 23, 2014
82
573
0
So basically what you are saying is that there is no way to find what the entity name of some object is in a game that uses Unreal Engine?
 

Solaire

Respected Hacker
Dank Tier VIP
So I tried the FindDmaAddy function, though I think I messed up somewhere. The only other thing that it could be is I got the wrong address, but I don't think that is it because I've had the game restarted several times and the address stays the same. I might have messed up somewhere with the read part.

C++:
#include <Windows.h>
#include <iostream>
#include <string>
using namespace std;

HANDLE hProcHandle = NULL;
const DWORD Player_Base = {0x509B74};

int NumOfPlayers = 10;

const DWORD dw_healthOffset[] = {0xF8};
const DWORD dw_pos[] = {0x4};

const DWORD EntityPlayer_Base = {0x510D90};
//Second slot is filled in per player in ReadInformation (Player * EntityLoopDistance)
DWORD EntityOffsets[] = {0x0, 0x0};
DWORD EntityHealthOffset[] = {0x0, 0x0, 0xF8};
DWORD EntityPositionOffset[] = {0x0, 0x0, 0x4};
const DWORD EntityLoopDistance = 0x4;

const DWORD dw_angRotation = {0x509BB4};

void WriteToMemory(HANDLE hProcHandle);
void RapidFire();

std::string GameName = "AssaultCube";
LPCSTR LGameWindow = "AssaultCube";

#define F6_KEY 0x75

void Hack();

BYTE InfHealth[] = {0xE8, 0x3, 0x0, 0x0};
BYTE InfAmmo[] = {0x64, 0x0, 0x0, 0x0};
BYTE NoTimer[] = {0x0, 0x0, 0x0, 0x0};
BYTE InfArmor[] = {0xE8, 0x3, 0x0, 0x0};

DWORD dw_HealthOffset[] = {0xF8};
DWORD dw_PrimaryOffset[] = {0x128};
DWORD dw_PrimaryClipOffset[] = {0x150};
DWORD dw_SecondaryOffset[] = {0x114};
DWORD dw_SecondaryClipOffset[] = {0x13C};
DWORD dw_GrenadeOffset[] = {0x158};
DWORD dw_ArmorOffset[] = {0xFC};
DWORD dw_PosX[] = {0x4};
DWORD dw_PosY[] = {0x8};
DWORD dw_PosZ[] = {0xC};
DWORD dw_vAngleVert[] = {0x44};
DWORD dw_vAngleHor[] = {0x40};
DWORD dw_KnifeTime[] = {0x160};
DWORD dw_PistTimer[] = {0x164};
DWORD dw_PrimTimer[] = {0x178};
DWORD dw_GrenadeTimer[] = {0x180};
DWORD MouseButton[] = {0x224};
C++:
struct PlayerList_t
{
	DWORD EntityListed;
	DWORD CBaseEntity;
	DWORD AddressToRead;
	int Team;
	int Health;
	float Position[3];
	float AimbotAngle[3];

	void ReadInformation(int Player)
	{
		EntityListed = Player * EntityLoopDistance;
		EntityOffsets[1] = EntityListed;
		EntityHealthOffset[1] = EntityListed;
		EntityPositionOffset[1] = EntityListed;
		//Loop Through Players
		AddressToRead = FindDmaAddy(2, hProcHandle, EntityOffsets, EntityPlayer_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &CBaseEntity, sizeof(DWORD), NULL);
		//Finding And Assigning The Health Number
		AddressToRead = FindDmaAddy(3, hProcHandle, EntityHealthOffset, EntityPlayer_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Health, sizeof(int), NULL);
		//Finding And Assigning The Position Of The Player
		AddressToRead = FindDmaAddy(3, hProcHandle, EntityPositionOffset, EntityPlayer_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Position, sizeof(float[3]), NULL);
	}
}PlayerList[10];

The only part I'm having an issue with is the aimbot which crashes the game every time I turn it on. Everything else works just fine.

I have found another section that might be the problem. I need the position to be returned to this WPM piece.

C++:
if (targetLoop > 0)
	{
		sort(TargetList, TargetList + targetLoop, CompareTargetEnArray());

		if (!GetAsyncKeyState(0x2))
		{
			AddressToWritez = FindDmaAddy(3, hProcHandle, EntityPositionOffset, EntityPlayer_Base);
			WriteProcessMemory(hProcHandle, (LPVOID)AddressToWritez, TargetList[0].AimbotAngle, 12, 0);
		}
	}

I've tried a lot of things, and I'm not sure what to do next. I finally got it to stop crashing, but the aimbot just causes the game to randomly shake the screen ever so slightly. (Could be lag.)


Edit:

I did some debugging and it looks like it's reading from the wrong addresses. I'm not sure how to fix that.

Entity Listing
Debug:Health: 0 | 013D22B0
Debug:position: 0 | 0 | 0 | 013D22B4

Entity Listing
Debug:Health: 0 | 013D22DC
Debug:position: 0 | 0 | 0 | 013D22E0

Entity Listing
Debug:Health: 0 | 013D2308
Debug:position: 0 | 0 | 0 | 013D230C

It seems to be going much further than it should even go. The entities are around 01100000, and the pointers for them are around 05000000.
 

Rake

Cesspool Admin
Administrator
So basically what you are saying is that there is no way to find what the entity name of some object is in a game that uses Unreal Engine?
Finding an "entity list"?
Externally, difficult from what I have researched: you would have to read the flags bExists and bIsPawn of every single object of class "Actor" (which is 99% of game objects) in memory to create a list of players/bots.
Internally, no problem with an SDK.
 

Solaire

Respected Hacker
Dank Tier VIP
So I've changed up the declarations a bit, and I've changed some of the aimbot code a bit. Hopefully the error sticks out to someone.

C++:
#include <Windows.h>
#include <iostream>
#include <string>
#include <algorithm> //sort() used by the aimbot
#include <cmath>     //sqrt, pow, asinf, atanf
using namespace std;

HANDLE hProcHandle = NULL;
const DWORD Player_Base = {0x509B74};

int NumOfPlayers = 10;

const DWORD dw_healthOffset[] = {0xF8};
DWORD dw_pos[] = {0x04};

const DWORD EntityPlayer_Base = {0x510D90};
DWORD EntityOffsets[] = {0x0, 0x0};
DWORD EntityHealthOffset[] = {0x0, 0x0, 0xF8};
DWORD EntityPositionOffset[] = {0x0, 0x0, 0x04};
DWORD PlayerRotationOffset[] = {0x0, 0x0, 0x40};
const DWORD EntityLoopDistance = 0x04;

const DWORD dw_angRotation = {0x509BB4};

void WriteToMemory(HANDLE hProcHandle);
void RapidFire();

std::string GameName = "AssaultCube";
LPCSTR LGameWindow = "AssaultCube";

#define F6_KEY 0x75

void Hack();

BYTE InfHealth[] = {0xE8, 0x3, 0x0, 0x0};
BYTE InfAmmo[] = {0x64, 0x0, 0x0, 0x0};
BYTE NoTimer[] = {0x0, 0x0, 0x0, 0x0};
BYTE InfArmor[] = {0xE8, 0x3, 0x0, 0x0};

DWORD dw_HealthOffset[] = {0xF8};
DWORD dw_PrimaryOffset[] = {0x128};
DWORD dw_PrimaryClipOffset[] = {0x150};
DWORD dw_SecondaryOffset[] = {0x114};
DWORD dw_SecondaryClipOffset[] = {0x13C};
DWORD dw_GrenadeOffset[] = {0x158};
DWORD dw_ArmorOffset[] = {0xFC};
DWORD dw_PosX[] = {0x04};
DWORD dw_PosY[] = {0x08};
DWORD dw_PosZ[] = {0x0C};
DWORD dw_vAngleVert[] = {0x44};
DWORD dw_vAngleHor[] = {0x40};
DWORD dw_KnifeTime[] = {0x160};
DWORD dw_PistTimer[] = {0x164};
DWORD dw_PrimTimer[] = {0x178};
DWORD dw_GrenadeTimer[] = {0x180};
DWORD MouseButton[] = {0x224};
DWORD AddressToWritez;

std::string GameStatus;

bool IsGameAvail;
bool UpdateOnNextRun;
bool AmmoStatus;
bool HealthStatus;
bool GrenadeStatus;
bool TimerStatus;
bool ArmorStatus;
bool AimbotStatus;
//bool RapidFireStatus;

DWORD FindDmaAddy(int PointerLevel, HANDLE hProcHandle, DWORD offsets[], DWORD BaseAddress);
void WriteToMemory(HANDLE hProcHandle);

I'm using the WriteToMemory and FindDmaAddy functions from Fleep's videos, as well as the aimbot template.

C++:
struct MyPlayer_t
{
	DWORD AddressToRead;
	DWORD CLocalPlayer;
	int Health;
	float Position[3];

	void ReadInformation()
	{
		cout << "Player Listing\n";
		//Finding The Player Base
		ReadProcessMemory(hProcHandle, (LPCVOID)Player_Base, &CLocalPlayer, sizeof(DWORD), NULL);
		//Finding And Assigning The Health Number
		AddressToRead = FindDmaAddy(1, hProcHandle, dw_HealthOffset, Player_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Health, sizeof(int), NULL);
		//Print the game address that was read, not the address of the local variable
		cout << "Debug|Health: " << Health << " | " << hex << AddressToRead << dec << endl;
		//Finding And Assigning The Position Of The Player
		AddressToRead = FindDmaAddy(1, hProcHandle, dw_pos, Player_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Position, sizeof(float[3]), NULL);
		cout << "Debug|Position: " << Position[0] << " | " << Position[1] << " | " << Position[2] << " | " << hex << AddressToRead << dec << endl;
		system("CLS");
	}
}MyPlayer;

C++:
struct PlayerList_t
{
	DWORD EntityListed;
	DWORD CBaseEntity;
	DWORD AddressToRead;
	int Team;
	int Health;
	float Position[3];
	float AimbotAngle[3];

	void ReadInformation(int Player)
	{
		cout << "Entity Listing\n";
		EntityListed = Player * EntityLoopDistance;
		EntityOffsets[1] = EntityListed;
		EntityHealthOffset[1] = EntityListed;
		EntityPositionOffset[1] = EntityListed;
		//Loop Through Players
		AddressToRead = FindDmaAddy(2, hProcHandle, EntityOffsets, EntityPlayer_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &CBaseEntity, sizeof(DWORD), NULL);
		//Finding And Assigning The Health Number
		AddressToRead = FindDmaAddy(3, hProcHandle, EntityHealthOffset, CBaseEntity);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Health, sizeof(int), NULL);
		//Print the game address that was read, not the address of the local variable
		cout << "Debug|Health: " << Health << " | " << hex << AddressToRead << dec << endl;
		//Finding And Assigning The Position Of The Player
		AddressToRead = FindDmaAddy(3, hProcHandle, EntityPositionOffset, CBaseEntity);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Position, sizeof(float[3]), NULL);
		cout << "Debug|Position: " << Position[0] << " | " << Position[1] << " | " << Position[2] << " | " << hex << AddressToRead << dec << endl;
	}
}PlayerList[10];


C++:
struct TargetList_t
{
	float Distance;
	float AimbotAngle[3];

	TargetList_t()
	{

	}

	TargetList_t(float aimbotAngle[], float myCoords[], float enemyCoords[])
	{
		Distance = Get3dDistance(myCoords[0], myCoords[1], myCoords[2],
								 enemyCoords[0], enemyCoords[1], enemyCoords[2]);

		AimbotAngle[0] = aimbotAngle[0];
		AimbotAngle[1] = aimbotAngle[1];
		AimbotAngle[2] = aimbotAngle[2];
	}

	//Euclidean distance: each axis appears once (the third term used X twice before)
	float Get3dDistance(float myCoordsX, float myCoordsZ, float myCoordsY,
						float enX, float enZ, float enY)
	{
		return sqrt(pow(double(enX - myCoordsX), 2.0) +
					pow(double(enY - myCoordsY), 2.0) +
					pow(double(enZ - myCoordsZ), 2.0));
	}
};


struct CompareTargetEnArray
{
	bool operator () (TargetList_t & lhs, TargetList_t & rhs)
	{
		return lhs.Distance < rhs.Distance;
	}
};


void CalcAngle(float *src, float *dst, float *angles)
{
	double delta[3] = {(src[0]-dst[0]), (src[1]-dst[1]), (src[2]-dst[2])};
	double hyp = sqrt(delta[0]*delta[0] + delta[1]*delta[1]);
	angles[0] = (float) (asinf(delta[2]/hyp) * 57.295779513082f);
	angles[1] = (float) (atanf(delta[1]/delta[0]) * 57.295779513082f);
	angles[2] = 0;

	if (delta[0] >= 0.0)
	{
		angles[1] += 180.0f;
	}
}


void Aimbot()
{
	TargetList_t * TargetList = new TargetList_t[NumOfPlayers];

	int targetLoop = 0;

	for (int i = 0; i < NumOfPlayers; i++)
	{
		PlayerList[i].ReadInformation(i);

		CalcAngle(MyPlayer.Position, PlayerList[i].Position, PlayerList[i].AimbotAngle);

		TargetList[targetLoop] = TargetList_t(PlayerList[i].AimbotAngle, MyPlayer.Position, PlayerList[i].Position);

		targetLoop++;
	}

	if (targetLoop > 0)
	{
		sort(TargetList, TargetList + targetLoop, CompareTargetEnArray());

		if (!GetAsyncKeyState(0x2))
		{
			AddressToWritez = FindDmaAddy(3, hProcHandle, EntityPositionOffset, EntityPlayer_Base);
			WriteProcessMemory(hProcHandle, (LPVOID)AddressToWritez, TargetList[0].AimbotAngle, 12, 0);
		}
	}

	targetLoop = 0;
	delete [] TargetList;
}

The player base reads fine, but it's the entity base that continues to read the wrong sections of data.
 

Solaire

Respected Hacker
Dank Tier VIP
I attempted using FindDmaAddy once, and it works nicely! Putting the bots to 1 and changing the loop to 1 moves the camera to a random spot, but debugging causes me to have an error. It states that I'm writing to an area I don't have proper access to.
 

Solaire

Respected Hacker
Dank Tier VIP
I was finally able to figure out the issue! I can't add offsets at separate times, I have to do them all at once! I can finally read from the entity bases :D. Now all that's left is getting the aimbot to work. Once that's done, I have everything to make an ESP. Here's the fixed code:

C++:
const DWORD EntityPlayer_Base = {0x510D90};
DWORD CBaseEntity;
DWORD EntityOffsets[] = {0x0, 0x0};
DWORD HealthOffset = 0xF8;
DWORD EntityHealthOffset[] = {0xF8};
DWORD PositionOffset = 0x04;
DWORD EntityPositionOffset[] = {0x04};
DWORD RotationOffset = 0x40;
DWORD PlayerRotationOffset[] = {0x40};
const DWORD EntityLoopDistance = 0x04;

C++:
struct PlayerList_t
{
	DWORD EntityListed;
	DWORD AddressToRead;
	int Team;
	int Health;
	float Position[3];
	float AimbotAngle[3];

	void ReadInformation(int Player)
	{
		EntityListed = Player * EntityLoopDistance;
		EntityOffsets[0] = EntityListed;
		/*cout << "Entity Listing\n";*/
		//Loop Through Players
		AddressToRead = FindDmaAddy(2, hProcHandle, EntityOffsets, EntityPlayer_Base);
		//Byte arithmetic on the DWORD address (PBYTE* arithmetic would step by pointer size)
		ReadProcessMemory(hProcHandle, (LPCVOID)(AddressToRead + Player * EntityLoopDistance), &CBaseEntity, sizeof(DWORD), NULL);
		//Finding And Assigning The Team Number (dw_TeamOffset is declared with the other offsets)
		EntityOffsets[1] = dw_TeamOffset[0];
		AddressToRead = FindDmaAddy(2, hProcHandle, EntityOffsets, EntityPlayer_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Team, sizeof(int), NULL);
		//Finding And Assigning The Health Number
		EntityOffsets[1] = EntityHealthOffset[0];
		AddressToRead = FindDmaAddy(2, hProcHandle, EntityOffsets, EntityPlayer_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Health, sizeof(int), NULL);
		/*cout << "Debug|Health: " << Health << " | " << &Health << endl;*/
		//Finding And Assigning The Position Of The Player
		EntityOffsets[1] = EntityPositionOffset[0];
		AddressToRead = FindDmaAddy(2, hProcHandle, EntityOffsets, EntityPlayer_Base);
		ReadProcessMemory(hProcHandle, (LPCVOID)AddressToRead, &Position, sizeof(float[3]), NULL);
		/*cout << "Debug|Position: " << Position[0] << " | " << Position[1] << " | " << Position[2] << " | " << &Position[0] << endl;*/
	}
}PlayerList[10];
 