Tutorial WorldToScreenMatrix Source Engine

[brinkz]

Hey guys,

So I'm going to show you how to find the WorldToScreenMatrix for Source Engine Games. The example I'm giving is in CS:S
Start off by getting the Pointer to VEngineClient by searching VEngineClient0 as a string in client.dll (depending on the game, you may have to search in the engine.dll).

Now open Reclass and follow these steps:

4 = Add 1024 Bytes to that vtable

Now in CS:S Index 36 Is WorldToScreenMatrix and 37 WorldToViewMatrix. To find it in your game just look for functions that look exactly like this or use Mac bins + IDA.

(Reclass doesn't detect the Function end)

Now go to the function in olly:

Use CE to determinate EDX, follow the function and by reversing it, we get to know:

So what does this mean for us?
Means:

DWORD dwRender = Read( ECX + 0xDC );
VMatrix flMatrix = Read( dwRender + 0x2D4 );

You just need to find a pointer for ECX then, but you can do that fast.

 

[NTvalk]

good stuff Thanks for contributing.

 

[squeenie]

Thanks a lot for posting this man. While I didn't get VEngineClient by following this tutorial something clicked while reading it and I got it now, which is probably better. Thanks again!

 

[brinkz]

No problem guys, i may post some more src engine specific stuff in the feature.

 

[cskimmo69]

When i go in function i get in here.. i noob reverser

 

[brinkz]

Your EDX is wrong.

 

[cskimmo69]

Your EDX is wrong.

In reclass? did i screw something in there?

 

[brinkz]

In reclass? did i screw something in there?

You followed EDX wrong.

 

[cskimmo69]

You followed EDX wrong.

Thanks i got it! but how to get pointer for ECX?

 

[brinkz]

Using Cheat Engine Pointer Scan e.g. or you could simply directly find a pointer for CRender

 

[cskimmo69]

Using Cheat Engine Pointer Scan e.g. or you could simply directly find a pointer for CRender

Where is CRender? i cant find nothing with olly? What should i pointer scan if doing cheat engine?

 

[brinkz]

Where is CRender? i cant find nothing with olly? What should i pointer scan if doing cheat engine?

I explained in one Screenshot what CRender is

 

[cskimmo69]

I explained in one Screenshot what CRender is

EDIT: oops it was so small i didnt see that but how to get the ECX because its needed for CRender?

 

[brinkz]

Yeah last picture. CRender = ECX + 0xDC

 

[cskimmo69]

Yeah last picture. CRender = ECX + 0xDC

but what is the ECX?

 

[brinkz]

but what is the ECX?

You can see that in Reclass.

 

[cskimmo69]

You can see that in Reclass.

is it 30.. 34.. 08??

 

[brinkz]

is it 30.. 34.. 08??

On my Screenshot:
mov ecx, dword ptr [52F2F7C0h]

 

[cskimmo69]

On my Screenshot:
mov ecx, dword ptr [52F2F7C0h]

I was thinking about that because there were mov ecx but i wasnt sure because i thought it should be shorther like 08 or something but thanks im gonna try if this works

 

[cskimmo69]

What do you mean with "ECX + E8 in EAX. This is 2" i get 1 as result in CE