wav's haxxxx

1. unsigned char ucGetOffsets ( DWORD dwPID )
2. {
3.     PIMAGE_DOS_HEADER lpImageDosHeader;
4.     PIMAGE_NT_HEADERS lpImageNtHeaders;
5.     PIMAGE_SECTION_HEADER lpSectionHeader;
6.  
7.     HANDLE snapshot;
8.     MODULEENTRY32 me32;
9.  
10.     int i;
11.  
12.     DWORD dwTemp;
13.  
14.     pbPage = ( PBYTE )malloc ( ( sizeof ( int ) ) * 1024 );
15.  
16.     if ( pbPage == 0 )
17.         return 0;
18.  
19.     pbEntityData = ( PBYTE )malloc ( 0x133C );
20.  
21.     if ( pbEntityData == 0 )
22.         return 0;
23.    
24.     me32.dwSize = sizeof ( me32 );
25.  
26.     snapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPMODULE, dwPID );
27.  
28.     if ( snapshot != INVALID_HANDLE_VALUE )
29.     {
30.         if ( Module32First ( snapshot, &me32 ) )
31.         {
32.             do {
33.                 if ( !strcmp ( me32.szModule, "client.dll" ) )
34.                 {
35.                     g_dwClientBase = ( DWORD ) me32.modBaseAddr;
36.                     g_dwClientSize = me32.modBaseSize;
37.                    
38.                 }
39.                 if ( !strcmp ( me32.szModule, "engine.dll" ) )
40.                 {
41.                     g_dwEngineBase = ( DWORD ) me32.modBaseAddr;
42.                     g_dwEngineSize = me32.modBaseSize;
43.                 }
44.  
45.                 if ( g_dwClientBase && g_dwClientSize && g_dwEngineBase && g_dwEngineSize )
46.                     break;
47.  
48.             } while ( Module32Next ( snapshot, &me32 ) );
49.         }
50.  
51.         CloseHandle ( snapshot );
52.     }
53.  
54.     if ( g_dwClientBase == 0 )
55.         return 0;
56.  
57.     if ( g_dwClientSize == 0 )
58.         return 0;
59.  
60.     if ( g_dwEngineBase == 0 )
61.         return 0;
62.  
63.     if ( g_dwEngineSize == 0 )
64.         return 0;
65. /*
66.     dwTemp = dwExternalFindPattern ( g_dwClientBase, g_dwClientSize, ( PBYTE )"\x8B\x0D\x00\x00\x00\x00\x0F\xB7\x06\x8B\x91\x3C\x80\x01\x00", "xx????xxxxxxxx?", 0x2 )
67.  
68.     ReadProcessMemory ( hProcess, ( PVOID )dwTemp, ( PVOID )dwTemp, 0x4, NULL );
69.  
70.     ReadProcessMemory ( hProcess, ( PVOID )dwTemp, ( PVOID )g_dwBaseEntityTablePointer, 0x4, NULL );
71.  
72.     g_dwBaseEntityTablePointer + 0x1804A = maxplayers & if == 0xFFFF -> not connected
73.  
74.     if ( g_dwBaseEntityTablePointer == 0 )
75.         return 0;
76. */
77.     ReadProcessMemory ( hProcessHL2, ( PVOID )g_dwClientBase, ( PVOID )pbPage, 0x1000, NULL );
78.  
79.     lpImageDosHeader = ( PIMAGE_DOS_HEADER )( ( DWORD )pbPage );
80.  
81.     if ( lpImageDosHeader->e_magic == IMAGE_DOS_SIGNATURE )
82.     {
83.         lpImageNtHeaders = ( PIMAGE_NT_HEADERS )( ( DWORD )pbPage + lpImageDosHeader->e_lfanew );
84.  
85.         if ( lpImageNtHeaders->Signature == IMAGE_NT_SIGNATURE )
86.         {
87.             lpSectionHeader = IMAGE_FIRST_SECTION ( lpImageNtHeaders );
88.                  
89.             for ( i = 0; i < lpImageNtHeaders->FileHeader.NumberOfSections; i++ )
90.             {
91.                 if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".text" ) )
92.                 {
93.                     g_dwClientTextSectionBase = lpSectionHeader->VirtualAddress;
94.                     g_dwClientTextSectionSize = lpSectionHeader->SizeOfRawData;
95.                 }
96.                 if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".rdata" ) )
97.                 {
98.                     g_dwClientRDataSectionBase = lpSectionHeader->VirtualAddress;
99.                     g_dwClientRDataSectionSize = lpSectionHeader->SizeOfRawData;
100.                 }
101.  
102.                 if ( g_dwClientTextSectionBase && g_dwClientTextSectionSize && g_dwClientRDataSectionBase && g_dwClientRDataSectionSize )
103.                     break;
104.  
105.                 lpSectionHeader++;
106.             }
107.    
108.             if ( g_dwClientRDataSectionBase == 0 )
109.                 return 0;
110.            
111.             if ( g_dwClientRDataSectionSize == 0 )
112.                 return 0;
113.  
114.             g_dwClientTextSectionBase += g_dwClientBase;
115.             g_dwClientRDataSectionBase += g_dwClientBase;
116.  
117.             g_dwAbsOriginOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_AnimTimeMustBeFirst", "xxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BaseEntity", "xxxxxxxxxxxxx", ( PBYTE )"m_vecOrigin", "xxxxxxxxxxx" );
118.  
119.             if ( g_dwAbsOriginOffset == 0 )
120.                 return 0;
121.  
122.             printf ( "g_dwAbsOriginOffset: 0x%X\n", g_dwAbsOriginOffset );
123.  
124.             g_dwEyeAnglesOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_DODSharedLocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_DODPlayer", "xxxxxxxxxxxx", ( PBYTE )"m_angEyeAngles[0]", "xxxxxxxxxxxxxxxxx" );
125.  
126.             if ( g_dwEyeAnglesOffset == 0 )
127.                 return 0;
128.  
129.             printf ( "g_dwEyeAnglesOffset: 0x%X\n", g_dwEyeAnglesOffset );
130.  
131.             g_dwFOVOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_LocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BasePlayer", "xxxxxxxxxxxxx", ( PBYTE )"m_iFOV", "xxxxxx" );
132.  
133.             if ( g_dwFOVOffset == 0 )
134.                 return 0;
135.  
136.             printf ( "g_dwFOVOffset: 0x%X\n", g_dwFOVOffset );
137.  
138.             g_dwHealthOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_LocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BasePlayer", "xxxxxxxxxxxxx", ( PBYTE )"m_iHealth", "xxxxxxxxx" );
139.  
140.             if ( g_dwHealthOffset == 0 )
141.                 return 0;
142.  
143.             printf ( "g_dwHealthOffset: 0x%X\n", g_dwHealthOffset );
144.  
145.             g_dwLifeStateOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_LocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BasePlayer", "xxxxxxxxxxxxx", ( PBYTE )"m_lifeState", "xxxxxxxxxxx" );
146.  
147.             if ( g_dwLifeStateOffset == 0 )
148.                 return 0;
149.  
150.             printf ( "g_dwLifeStateOffset: 0x%X\n", g_dwLifeStateOffset );
151.  
152.             g_dwTeamOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_AnimTimeMustBeFirst", "xxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BaseEntity", "xxxxxxxxxxxxx", ( PBYTE )"m_iTeamNum", "xxxxxxxxxx" );
153.            
154.             if ( g_dwTeamOffset == 0 )
155.                 return 0;
156.  
157.             printf ( "g_dwTeamOffset: 0x%X\n", g_dwTeamOffset );
158.  
159.         }
160.     }
161.  
162.     ReadProcessMemory ( hProcessHL2, ( PVOID )g_dwEngineBase, ( PVOID )pbPage, 0x1000, NULL );
163.  
164.     lpImageDosHeader = ( PIMAGE_DOS_HEADER )( ( DWORD )pbPage );
165.  
166.     if ( lpImageDosHeader->e_magic == IMAGE_DOS_SIGNATURE )
167.     {
168.         lpImageNtHeaders = ( PIMAGE_NT_HEADERS )( ( DWORD )pbPage + lpImageDosHeader->e_lfanew );
169.  
170.         if ( lpImageNtHeaders->Signature == IMAGE_NT_SIGNATURE )
171.         {
172.             lpSectionHeader = IMAGE_FIRST_SECTION ( lpImageNtHeaders );
173.                  
174.             for ( i = 0; i < lpImageNtHeaders->FileHeader.NumberOfSections; i++ )
175.             {
176.                 if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".text" ) )
177.                 {
178.                     g_dwEngineTextSectionBase = lpSectionHeader->VirtualAddress;
179.                     g_dwEngineTextSectionSize = lpSectionHeader->SizeOfRawData;
180.                 }
181.                 if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".rdata" ) )
182.                 {
183.                     g_dwEngineRDataSectionBase = lpSectionHeader->VirtualAddress;
184.                     g_dwEngineRDataSectionSize = lpSectionHeader->SizeOfRawData;
185.                 }
186.  
187.                 if ( g_dwEngineTextSectionBase && g_dwEngineTextSectionSize && g_dwEngineRDataSectionBase && g_dwEngineRDataSectionSize )
188.                     break;
189.  
190.                 lpSectionHeader++;
191.             }
192.          
193.             if ( g_dwEngineRDataSectionBase == 0 )
194.                 return 0;
195.            
196.             if ( g_dwEngineRDataSectionSize == 0 )
197.                 return 0;
198.  
199.             g_dwEngineTextSectionBase += g_dwEngineBase;
200.             g_dwEngineRDataSectionBase += g_dwEngineBase;
201.  
202.             dwTemp = dwExternalFindPattern ( g_dwEngineRDataSectionBase, g_dwEngineRDataSectionSize, ( PBYTE )"g_ClientDLL->Init", "xxxxxxxxxxxxxxxxx", 0 );
203.  
204.             if ( dwTemp == 0 )
205.                 return 0;
206.              
207.             bMask[0] = '\x68';
208.             bMask[5] = '\x00';
209.  
210.             memcpy ( &bMask[1], &dwTemp, 4 );
211.  
212.             dwTemp = dwExternalFindPattern ( g_dwEngineTextSectionBase, g_dwEngineTextSectionSize, ( PBYTE )bMask, "xxxxx?", 0x18 );
213.  
214.             ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwCGlobalVars, 0x4, NULL );
215.  
216.             if ( g_dwCGlobalVars == 0 )
217.                 return 0;
218.  
219.             printf ( "g_dwCGlobalVars 0x%X\n", g_dwCGlobalVars );
220.         }
221.     }
222.  
223.     dwTemp = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )"\xC6\x44\x24\x47\xFF", "xxxxx", 0x20 );
224.  
225.     ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &dwTemp, 0x4, NULL );
226.  
227.     ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwPlayerResource, 0x4, NULL );
228.  
229.     if ( g_dwPlayerResource == 0 )
230.         return 0;
231.  
232.     printf ( "g_dwPlayerResource 0x%X\n", g_dwPlayerResource );
233.  
234.     dwTemp = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )"\x66\x81\x7E\x7A\xFF\xFF\x74\x40", "xxxxxxxx", -0xB );
235.  
236.     ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &dwTemp, 0x4, NULL );
237.  
238.     ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwLocalBaseEntity, 0x4, NULL );
239.  
240.     if ( g_dwLocalBaseEntity == 0 )
241.         return 0;
242.  
243.     printf ( "g_dwLocalBaseEntity 0x%X\n", g_dwLocalBaseEntity );
244.  
245.     dwTemp = dwExternalFindPattern ( g_dwEngineTextSectionBase, g_dwEngineTextSectionSize, ( PBYTE )"\x89\x54\x24\x2C\x89\x44\x24\x30", "xxxxxxxx", 0xF );
246.  
247.     ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &dwTemp, 0x4, NULL );
248.  
249.     ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwBaseEntityTable, 0x4, NULL );
250.    
251.     if ( g_dwBaseEntityTable == 0 )
252.         return 0;
253.  
254.     printf ( "g_dwBaseEntityTable 0x%X\n", g_dwBaseEntityTable );
255. }
256. //========================================================================================
257. DWORD dwExternalFindPattern ( DWORD dwAddress, DWORD dwLen, unsigned char *pbMask, char *pszMask, DWORD dwOffset )
258. {
259.     DWORD dwDelta, dwTemp;
260.  
261.     dwTemp = dwAddress;
262.    
263.     if ( pbPage == 0 )
264.         return 0;
265.  
266.     do{
267.         ReadProcessMemory ( hProcessHL2, ( PVOID )dwAddress, ( PVOID )pbPage, 0x1000, NULL );
268.  
269.         dwDelta = dwFindPattern ( ( DWORD )pbPage, 0x1000, pbMask, pszMask );
270.  
271.         if ( dwDelta )
272.         {
273.             if ( dwOffset != 0 )
274.                 dwDelta += dwOffset;
275.  
276.             dwDelta -= ( DWORD )pbPage;
277.            
278.             dwDelta += dwAddress;
279.  
280.             return dwDelta;
281.         }
282.        
283.         dwAddress += 0x1000;
284.  
285.  
286.     }while ( dwAddress < dwTemp + dwLen );
287.  
288.     return 0;
289. }
290. //========================================================================================
291. DWORD dwGetNetworkedVarOffset ( unsigned char *pbDataTableMask1, char *pszMask1, unsigned char *pbDataTableMask2, char *pszMask2, unsigned char *pbPropMask, char *pszMask3 )
292. {    
293.     DWORD dwDataTable1, dwDataTable2, dwProp, dwDelta, dwTemp;
294.    
295.     bMask[0] = '\x68';
296.     bMask[5] = '\x00';
297.  
298.     dwDataTable1 = dwExternalFindPattern (  g_dwClientRDataSectionBase, g_dwClientRDataSectionSize, pbDataTableMask1, pszMask1, 0 );
299.    
300.     if ( dwDataTable1 == 0 )
301.         return 0;
302.  
303.     memcpy ( &bMask[1], &dwDataTable1, 4 );
304.  
305.     dwDataTable1 = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )bMask, "xxxxx?", 0 );
306.  
307.     dwDataTable2 = dwExternalFindPattern (  g_dwClientRDataSectionBase, g_dwClientRDataSectionSize, pbDataTableMask2, pszMask2, 0 );
308.  
309.     if ( dwDataTable2 == 0 )
310.         return 0;
311.  
312.     memcpy ( &bMask[1], &dwDataTable2, 4 );
313.  
314.     dwDataTable2 = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )bMask, "xxxxx?", 0 );
315.  
316.     dwDelta = dwDataTable2 - dwDataTable1;
317.  
318.     dwProp = dwExternalFindPattern ( g_dwClientRDataSectionBase, g_dwClientRDataSectionSize, pbPropMask, pszMask3, 0 );
319.  
320.     if ( dwProp == 0 )
321.         return 0;
322.  
323.     memcpy ( &bMask[1], &dwProp, 4 );
324.  
325.     dwProp = dwExternalFindPattern ( dwDataTable1, dwDelta, ( PBYTE )bMask, "xxxxx?", 0 );
326.  
327.     dwProp -= 0x4; /* This may need to changed for some props, for most it should work perfectly fine. */
328.    
329.     ReadProcessMemory ( hProcessHL2, ( PVOID )dwProp, &dwTemp, 4, NULL );
330.  
331.     return dwTemp;
332. }