Solved Spooky static addresses


Dupajasia1 (Newbie / Full Member, joined Jan 23, 2015):
Hello, I am currently trying to code a simple ESP hack in C++ for a Q3-based game (multiplayer).
First things first, I have gone through several of Fleep's tuts (including the basic bunnyhop and ESP ones) and applied the code to some games, but this game is a rather special case; I can't even get past finding info with CE.
First let me explain what I do.
I have, say, 100 HP. CE search. Found 38 addresses, which change simultaneously. Most of these addresses (like 35) are static, including the one I need. Now I search for my buddy's HP. Found 38 addresses. Now the most interesting part: when I switch to spectators and start spectating him, all his HP values go '??', and my former HP values turn into his HP values; it's like he is considered as my client now. Question: how do I find the correct addresses, which are bound to a certain client number? Every time I switch to someone in spectator mode, my former values turn into his.
I know this IS possible because such a hack was already made once, but because of version updates it became outdated, and its maker seems to have no wish either to share the source or to update it to newer versions.
Apologies if I posted in the wrong section; in that case please move this thread to the correct one.
Don't treat me as a n00b or something, nope, I have just never encountered this type of encryption.

Cheers.

Solaire (Respected Hacker / Dank Tier VIP, joined Dec 15, 2013):
You seem to have misunderstood me. There are 38 static addresses for EACH parameter I have searched for so far, with approximately 100-120 pointers per address, and these pointers don't change after restart/reboot. And it's only a 1-level pointer. The real one could be >15 or alike.
Do you propose looping through every single address, every single pointer, every single pointer level? I doubt my lifetime will be enough for this, lol.
And as I said, the client's health isn't located in the player structure; only the entity structure has it.
Do I get it right that the player structure is for the client, and the entity structure is for every non-player? How can I tell client and server dlls apart?
And look, for example I calculated the size of the entity structure. Next I found the HP values of my 2 buddies. If the offset between those addresses isn't the size of the entity structure, then there's either something between those 2 entity structures, or I'm in complete shit, right?
I will try to do some research. My 2 buddies and I enter the server. I scan for the HP value of Buddy1. Got 38 addresses. Buddy1 disconnects (so Buddy2 gets his ID). If the values change to Buddy2's values, then it's all ok, I guess. Or not?
There is also a solo mode in multiplayer (with bots, like in AC); searching for the HP value I found out that one of those 38 addresses is correct (I changed it to 1 and died when I fell). But in multiplayer mode, even if it's the same address, it changes every time I spectate someone. And if I go into ghost mode, the values of the last person I spectated remain.
I did not say loop through every address. I said a simple calculation will suffice. "Lets say you have your health address, which is at offset 5 from the base. Lets say ammo is at offset 7. Take the address of your health, add 2, and you should have your ammo."

As for the addies moving around like that, I have no clue. Usually a level 1-2 pointer scan is enough. I say this every single time someone freaks out about so many results: just because there are 500 pointers does not mean they are all incorrect. It just means there are 500 possible paths to your address. If you know the offset health is at, can't you pick one of the pointers in the pointer scan that has the health that offset away from the base? You also might have to use several addresses to make the hack.

One last note, mention the name of the game please. Someone here may have experience in dealing with it. I'm personally having a bit of difficulty understanding what you're going through :p
 

Liduen (Hacker / Dank Tier VIP, joined May 19, 2013):
Take a look into the player structure, the client number might be stored there.
 

till0sch (Respected Hacker / Dank Tier VIP / Dank Tier Donator, joined Oct 14, 2012):
It seems to be the same as in AssaultCube:

there's one address holding the pointer to the player struct you're spectating from,
and one which is an entity list, so basically client number dependent.


Are there maybe 2 or more addresses holding the pointer to your player struct?

Also, the pointer holding the spectator pointer should change when you change the client number you are spectating. There must be another address which doesn't, in other words one that is client number dependent.
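The two views till0sch describes (a single "whom am I following" pointer versus a list indexed by client number) can be modelled in a few lines of C. This is an added toy example, not code from the game or from anyone in the thread; the struct, the names `g_entities` / `g_followed` and the fixed client count are assumptions for illustration. It shows why values read through the follow pointer change the moment you spectate someone else, while a slot in the per-client list keeps both its address and its owner.

```c
#include <stdio.h>

/* Constructed toy model of the two views a Quake 3-style client keeps on
 * player data. Names and layout are assumptions for illustration only,
 * not the game's real structures. */
#define MAX_CLIENTS 8

typedef struct {
    int clientNum;
    int health;
} entity_t;

/* Entity list: slot i always belongs to client number i, so the address
 * &g_entities[i].health is stable for that client for the whole session. */
static entity_t g_entities[MAX_CLIENTS];

/* "Follow" pointer: the one player whose view is being rendered. Spectating
 * someone else rebinds it, so anything read through it silently switches
 * to the new target. */
static entity_t *g_followed = NULL;

void world_init(void)
{
    for (int i = 0; i < MAX_CLIENTS; i++) {
        g_entities[i].clientNum = i;
        g_entities[i].health = 100;
    }
    g_followed = &g_entities[0];   /* local player is client 0 in this toy */
}

void set_health(int clientNum, int hp) { g_entities[clientNum].health = hp; }

void spectate(int clientNum) { g_followed = &g_entities[clientNum]; }

/* Two ways to read "the health value": one follows the rebindable pointer,
 * the other indexes the list by client number. */
int followed_health(void)        { return g_followed->health; }
int entity_health(int clientNum) { return g_entities[clientNum].health; }

/* Returns 1 if the storage address of a client's health stays the same
 * across a spectate switch, i.e. the value is client-number dependent. */
int health_addr_is_stable(int clientNum, int spectateTarget)
{
    const int *before = &g_entities[clientNum].health;
    spectate(spectateTarget);
    const int *after = &g_entities[clientNum].health;
    return before == after;
}

/* The same question asked of the follow pointer: the address it resolves
 * to moves with every spectate switch. */
int followed_addr_is_stable(int spectateTarget)
{
    const int *before = &g_followed->health;
    spectate(spectateTarget);
    const int *after = &g_followed->health;
    return before == after;
}

int main(void)
{
    world_init();
    set_health(1, 37);
    set_health(2, 64);

    spectate(1);
    printf("following client 1: followed=%d, list[1]=%d\n",
           followed_health(), entity_health(1));
    spectate(2);
    printf("following client 2: followed=%d, list[1]=%d\n",
           followed_health(), entity_health(1));
    return 0;
}
```

In this model, a memory scan for "my HP" while following client 1 and again while following client 2 hits the same `g_followed->health` location both times (the thread's "ex-mine values turn into his"), whereas `g_entities[1].health` only ever reports client 1 regardless of who is being followed.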
 

Dupajasia1 (Newbie / Full Member, joined Jan 23, 2015):
The problem is that most of the found addresses are static.

till0sch97, could you please explain in more detail?
Should I loop through every found address? They ALL change to the values of the player I spectate. How am I supposed to find the player base without dynamic addresses?
Also, I tried a 1-level pointer scan on one static address (lol) and I got a list of like 114 pointers, and every pointer always points to this address. Should I loop through every pointer?
The static address type is "modulename.dll"+offset. There are addresses of many types, both client and server dlls, in my 38 addresses ("found list").
Please give me a tip/direction/algorithm.
P.S. Is it possible that addresses can change their type (static/non-static) while the process is running? Because once I found some random dynamic address, got distracted, then I went back and lol, it's green.

Solaire (Respected Hacker / Dank Tier VIP, joined Dec 15, 2013):
The problem is that most of the found addresses are static.
How should I search for the player base without even having a dynamic address? There are, however, several dynamic addresses, but none of them look legit.
Also, I tried to pointer scan one static address (lol) and I got a list of like 114 pointers, and every pointer always points to this address.
The static address type is "modulename.dll"+offset.
Have you ever thought that maybe the player information is grouped along with that static pointer :p? You can try and work your way up in the memory viewer for a beginning, or try out Watch Memory Allocations on the addy in the Tools tab in Cheat Engine. All of the entities might be grouped together also, so be on the lookout for that.
 

Dupajasia1 (Newbie / Full Member, joined Jan 23, 2015):
Yes, it might be so, but there are still 38 addresses. Should any of them have some distinguishing traits?
I have the source code of the player structure and entity structure available, and yes, I found a clientNum parameter there (and also the health parameter is only present in the entity struct), and I was able to calculate the offset to it (ints and floats - 4 bytes, bool - 1 byte, vec3_t - 12 bytes), but it still gives me no clue about the pointer to the player structure itself.
If you need an exact example, I can PM you and send you the structure code; I don't think there will be any use though.

Solaire (Respected Hacker / Dank Tier VIP, joined Dec 15, 2013):
Yes, it might be so, but there are still 38 addresses. Should any of them have some distinguishing traits?
I have the source code of the player structure and entity structure available, and yes, I found a clientNum parameter there (and also the health parameter is only present in the entity struct), and I was able to calculate the offset to it (ints and floats - 4 bytes, bool - 1 byte, vec3_t - 12 bytes), but it still gives me no clue about the pointer to the player structure itself.
If you need an exact example, I can PM you and send you the structure code; I don't think there will be any use though.
Use the Watch Memory Allocations tool in CE, get the base of the static address, put that base into Data/Structure Dissect in CE, and compare the values with the player structure. If something seems off (like the health isn't under the ammo or smth like that), try another address. Keep in mind that there may be inheritance, and I personally have no idea how that affects the layout of data in memory. Use the offsets you got, and try them out. Let's say you have your health address, which is at offset 5 from the base. Let's say ammo is at offset 7. Take the address of your health, add 2, and you should have your ammo. If not, it's either the wrong address, or possibly inheritance (again, I don't know how it works out in memory. It may or may not cause conflicts. If someone could chime in if they know, I'd be grateful).
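Both Dupajasia1's hand-counted offsets (int/float 4 bytes, bool 1 byte, vec3_t 12 bytes) and Solaire's "health + delta = ammo" check rest on knowing how the compiler lays a struct out, and the part that hand-counting misses is alignment padding. The following added example (not code from the game or from anyone in the thread; the struct `toy_entity_t` and its members are constructed for illustration) compares naive byte-summing against `offsetof` on a toy struct built from exactly those member types, and shows that the delta between two adjacent ints survives padding while the absolute offsets drift. Offsets assume the usual x86/x86-64 rule that int and float are 4-byte aligned.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

typedef float vec3_t[3];

/* Constructed toy entity struct using the member sizes quoted in the thread
 * (int/float 4 bytes, bool 1 byte, vec3_t 12 bytes). Assumed for illustration;
 * not the game's real entity struct. */
typedef struct {
    int    clientNum;
    bool   alive;
    vec3_t origin;
    int    health;
    int    ammo;
} toy_entity_t;

/* Hand-count offsets by summing member sizes, ignoring alignment. */
size_t naive_offset_origin(void) { return 4 + 1; }
size_t naive_offset_health(void) { return 4 + 1 + 12; }
size_t naive_offset_ammo(void)   { return 4 + 1 + 12 + 4; }

/* Offsets as the compiler actually lays them out: float and int are aligned
 * to 4, so 3 bytes of padding follow the 1-byte bool. */
size_t real_offset_origin(void) { return offsetof(toy_entity_t, origin); }
size_t real_offset_health(void) { return offsetof(toy_entity_t, health); }
size_t real_offset_ammo(void)   { return offsetof(toy_entity_t, ammo); }
size_t real_struct_size(void)   { return sizeof(toy_entity_t); }

/* Solaire's check: the delta between adjacent same-type members is unaffected
 * by padding, because padding is only inserted where alignment changes. */
size_t health_to_ammo_delta(void) { return real_offset_ammo() - real_offset_health(); }

/* Read an int at a byte offset from a base pointer. memcpy keeps the read
 * well-defined even when the offset came from a hand count and is misaligned. */
int read_int_at(const void *base, size_t off)
{
    int v;
    memcpy(&v, (const char *)base + off, sizeof v);
    return v;
}

/* Sanity check for a candidate base pointer: the offsets must reproduce the
 * values the struct holds, including the "health + delta" route to ammo.
 * Returns 1 on match, 0 otherwise. */
int offsets_reproduce_values(const toy_entity_t *e)
{
    return read_int_at(e, real_offset_health()) == e->health
        && read_int_at(e, real_offset_ammo()) == e->ammo
        && read_int_at(e, real_offset_health() + health_to_ammo_delta()) == e->ammo;
}

int main(void)
{
    toy_entity_t e = { .clientNum = 3, .alive = true,
                       .origin = { 1.0f, 2.0f, 3.0f }, .health = 100, .ammo = 30 };

    printf("origin: naive %zu, real %zu\n", naive_offset_origin(), real_offset_origin());
    printf("health: naive %zu, real %zu\n", naive_offset_health(), real_offset_health());
    printf("ammo:   naive %zu, real %zu\n", naive_offset_ammo(), real_offset_ammo());
    printf("sizeof: %zu, health->ammo delta: %zu\n", real_struct_size(), health_to_ammo_delta());
    printf("offsets reproduce values: %d\n", offsets_reproduce_values(&e));
    return 0;
}
```

The naive count puts `origin` at byte 5 and `health` at byte 17; the compiler puts them at 8 and 20, and `sizeof` comes out at 28 rather than 25. A hand-counted offset like 17 would read two bytes of `origin` and two of `health` and look like garbage, which is the kind of "something seems off" Solaire describes. Inheritance in a C++ build mostly adds a base-class prefix (and a vtable pointer when there are virtual functions), so the same `offsetof`-style check against the real compiled layout is the reliable way to settle it.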
 

Dupajasia1 (Newbie / Full Member, joined Jan 23, 2015):
You seem to have misunderstood me. There are 38 static addresses for EACH parameter I have searched for so far, with approximately 100-120 pointers per address, and these pointers don't change after restart/reboot. And it's only a 1-level pointer. The real one could be >15 or alike.
Do you propose looping through every single address, every single pointer, every single pointer level? I doubt my lifetime will be enough for this, lol.
And as I said, the client's health isn't located in the player structure; only the entity structure has it.
Do I get it right that the player structure is for the client, and the entity structure is for every non-player? How can I tell client and server dlls apart?
And look, for example I calculated the size of the entity structure. Next I found the HP values of my 2 buddies. If the offset between those addresses isn't the size of the entity structure, then there's either something between those 2 entity structures, or I'm in complete shit, right?
I will try to do some research. My 2 buddies and I enter the server. I scan for the HP value of Buddy1. Got 38 addresses. Buddy1 disconnects (so Buddy2 gets his ID). If the values change to Buddy2's values, then it's all ok, I guess. Or not?
There is also a solo mode in multiplayer (with bots, like in AC); searching for the HP value I found out that one of those 38 addresses is correct (I changed it to 1 and died when I fell). But in multiplayer mode, even if it's the same address, it changes every time I spectate someone. And if I go into ghost mode, the values of the last person I spectated remain.


UPDATE: There is also always one non-dynamic address. No 1-level ptrs, 2 at 2-level, and more than 20 I guess at 3-level.

Dupajasia1 (Newbie / Full Member, joined Jan 23, 2015):
I didn't mention its name because I didn't want my thread to look like I'm asking you to hack a certain game instead of me :p
But here you go - Jedi Knight 3: Jedi Academy.

Searching the forum gave nothing - there are only 3 mentions of this game at all, and every time the guy who was asking questions was simply ignored.

This game's source code was released 2 years ago I guess, so everyone has public access to it.