Video Tutorial Reverse Engineering - How To Find the CSGO Entity List

  • CSGO recently moved logic from 'client_panorama.dll' to 'client.dll', you must update all code that uses 'client_panorama.dll' and replace it with 'client.dll' or the code will not work.

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Learn how to find the CSGO Entitylist using Cheat Engine and reverse engineer its structure. In CSGO the entitylist is an array of clientInfo objects; these objects contain pointers to the actual entity. There are many ways to find it; this is just one, but it represents common techniques you will use all the time.

Before you do this video, you should do these videos first:

And as always, do the Start Here Guide first.


Part of the video is getting the entity list address via the local player address; this part no longer works identically to the video.

Ok so to find the entity list, you do the same thing as the video except you do it on another entity. Pick an entity by finding its health, remove the offset to get the base address of the entity object. Do "find what accesses" on it and you get this:

[screenshot attachment: 1590118196941.png]


Now it's basically the same as the video shows.

You see client.dll + 0x4d43ab4, which is just 0x10 off from the output from the dumpers, so with a bit of troubleshooting from there you'd figure it out.



3 Basic steps of this video:
  • Find Entity list in Cheat Engine
  • Reverse it in Reclass
  • Write a C++ DLL to walk the entity list
What we will do:
  • Find the addresses of the local entity object and a bot entity object.
  • Find pointers to both using manual method and pointer scanner
  • Compare objects to confirm same class
  • Trace backwards from entity pointer to get the entitylist
  • Reverse engineer it in Reclass
  • Generate the classes
  • Quick PoC internal DLL using the exported classes

We will use code from a previous video as a base, you can download it from this thread:
https://guidedhacking.com/threads/how-to-hack-any-game-first-internal-hack-dll-tutorial.12142/

Download Reclass: ReClassNET/ReClass.NET

These are the console commands I use in the video:
Code:
sv_cheats 1
bot_kick
bot_stop 1
mp_autoteambalance 0
mp_limitteams 5
mp_roundtime_defuse 60
mp_freezetime 0
mp_buytime 99999
ff_damage_reduction_bullets 1
endround
ReClass generated classes:
C++:
#pragma once
#include <Windows.h>
#include <cstdint>

class clientInfo
{
public:
    class ent* entptr; //0x0000
    int32_t N00000262; //0x0004
    class clientInfo* blink; //0x0008
    class clientInfo* flink; //0x000C
}; //Size: 0x0010

class CBaseEntityList
{
public:
    char pad_0000[16]; //0x0000
    class clientInfo entList[64]; //0x0010
}; //Size: 0x0410

class ent
{
public:
    char pad_0000[256]; //0x0000
    int32_t health; //0x0100
}; //Size: 0x0104
At the end of the video I mention that using the ent class in CSGO isn't a good way to go because it updates too frequently, forcing you to update the ent class manually. More about this will be shown in a future video but using the clientInfo structs and CBaseEntityList is a sexier way of walking the entitylist than using i + 0x10. I'm trying to expand people's minds by showing this method, just because everyone is doing it a certain way doesn't mean it's the only way. My main point is I want to teach techniques and use different ways of explaining things to help people understand and learn more.


Download complete Visual Studio solution from the attachment, just update the address of the entitylist and the health offset and it should work.

Here are my video notes, read them at your peril:
Code:
Use -insecure cmd line arg

1) get local player health manual method

search for base address as hex
show green address, show offset
add to table as pointer and address

then do pointer scan method

now to get the bots health, add it as a pointer not an address

bot_add_t

2) Find bot 1 health
"find what accesses" on results
Look for 0x100 offset, this is probably correct one

client.dll+4D06CB4

compare structs for local and bot in struct dissector, this confirms they're the same object type

Should now have in cheat table:
Local health, local health pointer, local object addr, local object ptr, bot health, bot health pointer, bot object addr, bot object ptr

3) Find the entity list using what we've already found. Because the local ent and the bot have pointers close together in memory
Now do "find what accesses" on the local object pointer
you should see:
ecx + 64da5b24
Look at full assembly, with module +
mov ecx,[ecx+client.dll+4D05B24]
bingo, but why the 0x10 difference?

PART 2 : Reclass

now look at it in reclass
client.dll+4D06DD4

Show in SDK

Finish reclassing the whole thing
Use Internal Trainer tutorial as a base, export reclass generated classes, walk the entity list and print out health
talk shit, prompt for donations, shoutout my homies
checkout this inheritance on C_CSPlayer:



@LiveOverflow @Icew0lf @NewWinter @ChrisFayte @timb3r @Chucky @cheatwithsharp @SystemX32 @the_nut @titan059 watch till the end for a little shoutout :)
 


Erarnitox

🐅
Meme Tier VIP
Trump Tier Donator
May 11, 2018
was awesome :)
here is the thread for the dll base:
https://guidedhacking.com/threads/how-to-hack-any-game-first-internal-hack-dll-tutorial.12142/

finished dllmain (for me the list pointer was different):
dllmain.cpp:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <iostream>
#include "mem.h"
#include "csgo_ent.h"

//https://guidedhacking.com/threads/how-to-hack-any-game-first-internal-hack-dll-tutorial.12142/

DWORD WINAPI HackThread(HMODULE hModule)
{
    //Create Console
    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);

    uintptr_t moduleBase = (uintptr_t)GetModuleHandle(L"client.dll");

    CBaseEntityList* entList = (CBaseEntityList*)(moduleBase + 0x4D07DC4); //updated address (Rake did use a different one in the video)

    while (true)
    {
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break;
        }

        for (auto e : entList->entList) {
            if (e.entptr) {
                std::cout << e.entptr->health << "\n";
            }
        }

        std::cout << "============" << "\n";
        Sleep(1000);
    }

    fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0;
}


BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Spin up the hack thread and drop our handle to it; the thread frees the module itself on exit
        HANDLE hThread = nullptr;
        hThread = CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)HackThread, hModule, 0, nullptr);
        if (hThread) {
            CloseHandle(hThread);
        }
        break; // without this the switch falls through into the cases below
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
@Rake thanks again for the tutorial the Reclass part was awesome.
Now I finally know how to make use of Reclass ^^
 

sayewivifi

Full Member
Feb 2, 2019
Is there a difference between <client.dll>+4D07DC4 and [<client.dll>+4D07DC4]? In one of your AC tutorials you put [ ]
 

Kleon742

Feature Enthusiast
Moderator
Dank Tier VIP
Dank Tier Donator
Sep 2, 2018
Is there a difference between <client.dll>+4D07DC4 and [<client.dll>+4D07DC4]? In one of your AC tutorials you put [ ]
Yes. The "[ ]" is a dereferencing operator.
<ac_client.exe>+10F4F4 //this points to 0x50F4F4 (this is a pointer to our localPlayer)
[<ac_client.exe>+10F4F4] // this points to 0x297A7D8 (this is the address of our localPlayer)
[<ac_client.exe>+10F4F4] = [0x50F4F4] = 0x297A7D8
 
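The two ideas that carry this thread, the CBaseEntityList/clientInfo layout Rake reverse engineered in his post (including why the entries start 0x10 into the object and why walking the structs is the same thing as the i * 0x10 arithmetic) and the `[ ]` dereference distinction Kleon742 explains above, worked through in one added C++ example. This is not code from the thread, from the game or from the linked DLL base. The module base, the three offsets and the entity health values are constructed for the example and only stand in for the client.dll and ac_client.exe addresses quoted in the thread; the "module" is a plain byte vector, so it compiles and runs on any host with no game attached. The 32-bit game pointers are kept as uint32_t values inside that image and read through a read32() helper, which plays the role of the brackets.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Layouts from the ReClass output in Rake's post (32-bit client.dll). Game
// pointers are 4 bytes, so the image stores them as uint32_t, not host pointers.
struct ent {
    char pad_0000[256];       // 0x0000
    int32_t health;           // 0x0100
};                            // Size: 0x0104
struct clientInfo {
    uint32_t entptr;          // 0x0000  (class ent* in the game)
    int32_t N00000262;        // 0x0004
    uint32_t blink;           // 0x0008
    uint32_t flink;           // 0x000C
};                            // Size: 0x0010
struct CBaseEntityList {
    char pad_0000[16];        // 0x0000  the 0x10 difference seen in the video
    clientInfo entList[64];   // 0x0010
};                            // Size: 0x0410
static_assert(offsetof(ent, health) == 0x100 && sizeof(clientInfo) == 0x10, "layout");
static_assert(offsetof(CBaseEntityList, entList) == 0x10 && sizeof(CBaseEntityList) == 0x410, "layout");

// Constructed, hypothetical module image. Base and offsets are made up for this
// example and stand in for client.dll+4D07DC4 and ac_client.exe+10F4F4.
using Image = std::vector<uint8_t>;
constexpr uint32_t kImageBase         = 0x10000000; // pretend module base
constexpr uint32_t kImageSize         = 0x3000;
constexpr uint32_t kEntityListRva     = 0x1000;     // the CBaseEntityList object itself
constexpr uint32_t kLocalPlayerPtrRva = 0x2000;     // 4-byte slot holding an ent address
constexpr uint32_t kFirstEntRva       = 0x2100;     // ent objects laid out back to back

// read32(addr) is the "[addr]" operator from the replies: the 4 bytes stored at
// addr. A read outside the image yields 0 where the real game would fault.
uint32_t read32(const Image& img, uint32_t addr) {
    uint32_t rva = addr - kImageBase;
    if (addr < kImageBase || rva + 4u > img.size()) return 0;
    uint32_t v;
    std::memcpy(&v, img.data() + rva, sizeof v);
    return v;
}
void write32(Image& img, uint32_t addr, uint32_t v) {
    std::memcpy(img.data() + (addr - kImageBase), &v, sizeof v);
}

// Sample data (constructed): three live entities with health 100, 37 and 250,
// all other slots empty, and the local-player slot pointing at entity 0.
Image build_image() {
    Image img(kImageSize, 0);
    const int32_t healths[] = {100, 37, 250};
    for (uint32_t i = 0; i < 3; ++i) {
        uint32_t entAddr = kImageBase + kFirstEntRva + i * static_cast<uint32_t>(sizeof(ent));
        write32(img, entAddr + 0x100, static_cast<uint32_t>(healths[i]));     // ent::health
        write32(img, kImageBase + kEntityListRva + 0x10 + i * 0x10, entAddr); // entList[i].entptr
    }
    write32(img, kImageBase + kLocalPlayerPtrRva, kImageBase + kFirstEntRva);
    return img;
}

// The "i * 0x10" walk: address arithmetic, one read32 per pair of brackets.
std::vector<int32_t> walk_by_offsets(const Image& img) {
    std::vector<int32_t> out;
    uint32_t listAddr = kImageBase + kEntityListRva;     // <module>+off, NOT [<module>+off]
    for (uint32_t i = 0; i < 64; ++i) {
        uint32_t entptr = read32(img, listAddr + 0x10 + i * 0x10);       // [list+0x10+i*0x10]
        if (entptr == 0) continue;                                        // empty slot
        out.push_back(static_cast<int32_t>(read32(img, entptr + 0x100))); // [entptr+0x100]
    }
    return out;
}

// The same walk through the ReClass structs, the way Erarnitox's dllmain does it.
std::vector<int32_t> walk_by_struct(const Image& img) {
    CBaseEntityList list;
    std::memcpy(&list, img.data() + kEntityListRva, sizeof list);
    std::vector<int32_t> out;
    for (const clientInfo& e : list.entList)
        if (e.entptr) out.push_back(static_cast<int32_t>(read32(img, e.entptr + offsetof(ent, health))));
    return out;
}

// Local player: the slot holds a pointer, so [<module>+off] is the object
// address and a second read is the field. The entity list needs no such step.
uint32_t local_player_address(const Image& img) { return read32(img, kImageBase + kLocalPlayerPtrRva); }
int32_t local_player_health(const Image& img) {
    return static_cast<int32_t>(read32(img, local_player_address(img) + offsetof(ent, health)));
}

int main() {
    Image img = build_image();
    for (int32_t h : walk_by_offsets(img)) std::printf("health %d\n", h);
    std::printf("[<base>+%#x] = %#x (local player object)\n", (unsigned)kLocalPlayerPtrRva,
                (unsigned)local_player_address(img));
    std::printf("[<base>+%#x] = %#x (entity list padding, not a pointer)\n", (unsigned)kEntityListRva,
                (unsigned)read32(img, kImageBase + kEntityListRva));
    return 0;
}
```

The static_asserts are the cheap sanity check to keep when you paste ReClass output into a project: if a field moves after a game update, the build fails instead of the walk silently reading the wrong dword. The last printf makes Kleon742's point concrete: dereferencing the entity list address returns the list's own padding bytes, because that address is already the object, whereas the local-player slot must be dereferenced once to reach the object.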

sayewivifi

Full Member
Feb 2, 2019
Yes. The "[ ]" is a dereferencing operator.
<ac_client.exe>+10F4F4 //this points to 0x50F4F4 ( this is a pointer to our localPlayer)
[<ac_client.exe>+10F4F4] // this points to 0x297A7D8 (this is the address of our localPlayer)
[<ac_client.exe>+10F4F4] = [0x50F4F4] = 0x297A7D8
Many thanks mate! This is probably why I got stuck halfway doing the ReClass part
In this case in this video I do not have to dereference because that’s already the address of local entity right?
 

Kleon742

Feature Enthusiast
Moderator
Dank Tier VIP
Dank Tier Donator
Sep 2, 2018
Many thanks mate! This is probably why I got stuck halfway doing the ReClass part
In this case in this video I do not have to dereference because that’s already the address of local entity right?
Yes, but that's the address of the EntityList.
 