- #include <Windows.h>
- #include <iostream>
- #include <TlHelp32.h>
- #define FL_ONGROUND (1<<0)
- using namespace std;
// Process-wide state shared by the helpers below and the two worker threads.
// Namespace-scope objects start out zeroed; main() depends on that for its
// `while(!x)` wait loops.
HWND   css           = NULL;  // declared but not referenced by the visible code
int    iFlags        = 0;     // flags word last read from the target (written by Read, tested by BunnyHop)
DWORD  dwBasePointer = 0;     // value read from address dwBaseEntity in the target
HANDLE hProcess      = NULL;  // handle to the target process, opened in main()
DWORD  m_hClient     = 0;     // base address of client.dll in the target, held as a 32-bit value
DWORD  pID           = 0;     // target process id, filled in by main()
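// Returns modBaseSize of the first module in process `pID` (file-level global)
// whose name matches `module`, or 0 when the snapshot cannot be taken or no
// module matches.
//
// Only the first 8 characters are compared, case-sensitively, so "client.dll"
// is effectively matched as the prefix "client.d". That comparison is kept
// unchanged for compatibility with existing callers.
DWORD GetModuleSize(char* module)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pID);
    // Failure is signalled with INVALID_HANDLE_VALUE, which must not be
    // enumerated or passed to CloseHandle.
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    MODULEENTRY32 xModule = { 0 };
    xModule.dwSize = sizeof(MODULEENTRY32);

    DWORD size = 0;
    if (Module32First(hSnap, &xModule)) {
        // do/while so the entry returned by Module32First is compared as well.
        do {
            if (!strncmp((char*)xModule.szModule, module, 8)) {
                size = (DWORD)xModule.modBaseSize;
                break;
            }
        } while (Module32Next(hSnap, &xModule));
    }

    CloseHandle(hSnap);  // single exit path: the snapshot is always released
    return size;
}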
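// Returns the base address of the module named exactly `lpModuleName`
// (case-sensitive strcmp) inside process `dwProcessId`, or 0 when the snapshot
// fails or the module is not loaded.
//
// NOTE(review): the address is narrowed to DWORD, so this only holds a full
// address in a 32-bit build; confirm the build target.
DWORD GetModuleBase(LPSTR lpModuleName, DWORD dwProcessId)
{
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    // CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE, not
    // NULL; a NULL-only test lets a failed snapshot reach the enumeration and
    // CloseHandle calls below.
    if (hSnapShot == INVALID_HANDLE_VALUE || hSnapShot == NULL)
        return 0;

    MODULEENTRY32 lpModuleEntry = { 0 };
    lpModuleEntry.dwSize = sizeof(lpModuleEntry);

    DWORD base = 0;
    for (BOOL bModule = Module32First(hSnapShot, &lpModuleEntry);
         bModule;
         bModule = Module32Next(hSnapShot, &lpModuleEntry))
    {
        if (!strcmp(lpModuleEntry.szModule, lpModuleName))
        {
            base = (DWORD)lpModuleEntry.modBaseAddr;
            break;
        }
    }

    CloseHandle(hSnapShot);
    return base;
}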
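// Tries to enable the debug privilege on the current process token. Returns
// nothing, so callers cannot tell whether the privilege was actually enabled.
// main() in the visible listing never calls this function.
//
// Enabling this privilege in a process that is not a debugger is a commonly
// monitored event on the defensive side.
void SetDebugPrivilege()
{
    HANDLE hToken = NULL;
    // Without this check a failed OpenProcessToken would leave hToken unset
    // and the calls below would operate on a garbage handle.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return;

    LUID luid;
    if (LookupPrivilegeValue(0, "seDebugPrivilege", &luid))
    {
        TOKEN_PRIVILEGES priv;
        priv.PrivilegeCount = 1;
        priv.Privileges[0].Luid = luid;
        priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges can return success while GetLastError() is
        // ERROR_NOT_ALL_ASSIGNED; the result is not reported because the
        // function returns void.
        AdjustTokenPrivileges(hToken, false, &priv, 0, 0, 0);
    }

    CloseHandle(hToken);
    // GetCurrentProcess() yields a pseudo-handle, so there is nothing to close for it.
}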
// Masked byte comparison. At every position where szMask holds 'x', pData must
// equal bMask; any other mask character is treated as a wildcard and the data
// byte is not read. Runs until the NUL that ends szMask and returns true when
// no mismatch was seen.
//
// There is no length parameter: pData and bMask must both be valid for
// strlen(szMask) bytes, and it is the caller's job to guarantee that.
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    while (*szMask != '\0')
    {
        const bool mustMatch = (*szMask == 'x');
        if (mustMatch && *pData != *bMask)
            return false;
        ++szMask;
        ++pData;
        ++bMask;
    }
    // The loop only ends on the terminating NUL, so the whole mask matched.
    return true;
}
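// Searches the buffer pData[0 .. dwSize) for the masked pattern bMask/szMask
// and returns the offset of the first match.
//
// Returns 0 when nothing matches. A match at offset 0 also yields 0, so
// callers cannot tell those two cases apart; the return convention is kept
// because callers test the result for non-zero.
DWORD dwFindPattern( BYTE* pData, DWORD dwSize, BYTE* bMask, char* szMask )
{
    const size_t patternLen = strlen(szMask);
    if (patternLen == 0 || patternLen > dwSize)
        return 0;

    // Stop at the last start position where the whole pattern still fits.
    // Scanning every i < dwSize makes bDataCompare read up to patternLen - 1
    // bytes past the end of the caller's buffer.
    const DWORD lastStart = dwSize - (DWORD)patternLen;
    for (DWORD i = 0; i <= lastStart; ++i)
        if (bDataCompare(pData + i, bMask, szMask))
            return i;
    return 0;
}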
// Scans the target process (file-level global hProcess) for a masked byte
// pattern, starting at dwAddress, in 2048-byte reads that overlap by
// strlen(pszSignature) bytes. Returns the absolute address of the first match,
// or NULL after printing an error when ReadProcessMemory fails.
//
// NOTE(review): dwSize is never consulted, so the scan has no upper bound and
// ends only on a match or a failed read. A signature of 2048 characters or
// more would make the step zero or wrap it; no caller in this file passes one.
DWORD FindPattern( DWORD dwAddress, DWORD dwSize, PBYTE pbSignature, char* pszSignature )
{
    BYTE chunk[ 2048 ] = { 0 };
    for ( DWORD cursor = dwAddress; ; cursor += 2048 - strlen(pszSignature) )
    {
        if ( ReadProcessMemory( hProcess, ( PVOID )cursor, chunk, 2048, NULL ) == FALSE )
        {
            printf("External FindPattern RPM : Error!\n");
            return NULL;
        }

        // 0 means "no match in this chunk" (see dwFindPattern's return convention).
        const DWORD hit = dwFindPattern( chunk, 2048, pbSignature, pszSignature );
        if ( hit )
            return cursor + hit;
    }
}
// Values resolved by offset() from the target's client.dll. They stay 0 when
// the corresponding scan or read fails, because offset() ignores the results
// of its ReadProcessMemory calls.
DWORD dwBaseEntity = 0;  // address Read() dereferences to obtain dwBasePointer
DWORD dwFlags      = 0;  // offset added to dwBasePointer to reach the flags word
DWORD dwJump       = 0;  // address BunnyHop() writes the values 4 and 5 to
// Resolves dwBaseEntity, dwFlags and dwJump by locating three byte signatures
// inside the target's client.dll and reading the operand stored at a fixed
// distance from each match. In the masks, 'x' means "byte must match" and '?'
// is a wildcard.
//
// NOTE(review): nothing here checks a result. FindPattern returns 0 on
// failure, so the added constant then forms a near-null address, the read
// fails, and the global silently keeps its previous value.
void offset()
{
    const DWORD clientBytes = GetModuleSize("client.dll");

    // Base entity: 4-byte operand located 2 bytes into the match.
    PBYTE sigLocalBase  = (PBYTE)"\x39\x35\x00\x00\x00\x00\x8B\xCF\x0F\x94\xC2";
    char* maskLocalBase = "xx????xxxxx";
    const DWORD addrLocalBase =
        FindPattern(m_hClient, clientBytes, sigLocalBase, maskLocalBase) + 0x2;
    ReadProcessMemory(hProcess, (PBYTE*)addrLocalBase, &dwBaseEntity, sizeof(DWORD), NULL);

    // Flags offset: only 2 bytes are copied into the 4-byte dwFlags, so its
    // upper half keeps whatever it held before (zero at startup).
    PBYTE sigFlags  = (PBYTE)"\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x83\xC4\x30\x68\x00\x00\x00\x00\x6A\x07";
    char* maskFlags = "x????x????x????x????xxxx????xx";
    const DWORD addrFlags =
        FindPattern(m_hClient, clientBytes, sigFlags, maskFlags) + 0x1;
    ReadProcessMemory(hProcess, (PBYTE*)addrFlags, &dwFlags, 2, NULL);

    // Jump state: 4-byte operand located 4 bytes into the match.
    PBYTE sigJump  = (PBYTE)"\x74\x06\x21\x05\x00\x00\x00\x00\xF6\x05\x4C\x13\x31\x51\x03\x74\x03";
    char* maskJump = "xxxx????xxxxxxxxx";
    const DWORD addrJump =
        FindPattern(m_hClient, clientBytes, sigJump, maskJump) + 0x4;
    ReadProcessMemory(hProcess, (PBYTE*)addrJump, &dwJump, sizeof(DWORD), NULL);
}
// Worker loop, started as a thread from main(): roughly once per millisecond
// it re-reads the pointer stored at dwBaseEntity and then the int at
// (pointer + dwFlags) into the global iFlags. Never returns.
//
// NOTE(review): both read results are ignored, and iFlags is shared with
// BunnyHop() without any synchronisation.
void Read()
{
    for (;;)
    {
        Sleep(1);
        // First hop: fetch the current pointer value.
        ReadProcessMemory(hProcess, (PBYTE*)dwBaseEntity, &dwBasePointer, sizeof(DWORD), NULL);
        // Second hop: fetch the flags word relative to that pointer.
        ReadProcessMemory(hProcess, (PBYTE*)(dwBasePointer + dwFlags), &iFlags, sizeof(int), NULL);
    }
}
// The two values BunnyHop() writes to the address in dwJump. They are kept as
// objects because WriteProcessMemory takes the source by address.
// NOTE(review): presumably 4 and 5 are the released/pressed encodings of the
// target's jump state; the listing itself does not say.
int four = 4;
int five = 5;
// Worker loop, started as a thread from main(). While key code 32 (0x20, the
// space bar) is reported by GetAsyncKeyState, it writes `four` to the address
// in dwJump and, when the last-read iFlags has FL_ONGROUND set, follows that
// with `five`. Never returns.
//
// NOTE(review): the WriteProcessMemory results are ignored, and iFlags is read
// here while Read() updates it on another thread with no synchronisation.
void BunnyHop(void)
{
    for (;;)
    {
        Sleep(1);

        if (GetAsyncKeyState(32))
        {
            WriteProcessMemory(hProcess, (PBYTE*)dwJump, &four, sizeof(int), NULL);
            if (iFlags & FL_ONGROUND)
            {
                WriteProcessMemory(hProcess, (PBYTE*)dwJump, &five, sizeof(int), NULL);
                Sleep(10);
            }
        }
        else
        {
            // Key not held: back off a little before polling again.
            Sleep(10);
        }
    }
}
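// Returns the id of the first process whose executable name equals ProcName
// (case-sensitive strcmp), or 0 when the snapshot fails or no process matches.
//
// Returning 0 on "not found" matters for safety: main() opens the returned id
// with PROCESS_ALL_ACCESS and writes into it. Falling out of the enumeration
// loop and returning the entry's id would hand back whichever process was
// listed last, or an uninitialised value if enumeration never started.
DWORD GetProcId(const char* ProcName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hSnapshot == INVALID_HANDLE_VALUE )
        return 0;

    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof( PROCESSENTRY32 );

    DWORD found = 0;
    if( Process32First( hSnapshot, &pe32 ) )
    {
        do{
            if( strcmp(pe32.szExeFile, ProcName) == 0 )
            {
                found = pe32.th32ProcessID;
                break;
            }
        }while( Process32Next( hSnapshot, &pe32 ) );
    }

    CloseHandle( hSnapshot );
    return found;
}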
// Entry point. Waits for a window titled "Counter-Strike Source", resolves the
// hl2.exe process id, opens the process, locates client.dll, runs offset() and
// prints the results, then starts Read() and BunnyHop() as threads and idles
// until the window disappears. Exits with code 1337.
//
// NOTE(review):
//  - PROCESS_ALL_ACCESS requests every access right, although the visible code
//    only calls ReadProcessMemory and WriteProcessMemory on this handle. A
//    cross-process handle followed by repeated writes into the target is the
//    behaviour anti-cheat and endpoint telemetry are built to flag.
//  - hProcess and both thread handles are never closed.
//  - Read and BunnyHop take no parameter and are cast to LPTHREAD_START_ROUTINE.
//  - `int main(HINSTANCE)` is not a standard signature for main.
int main(HINSTANCE hInstance)
{
    SetConsoleTitle("External BunnyHop");

    // Block until the target window exists.
    while (FindWindow(NULL, "Counter-Strike Source") == NULL)
        Sleep(10);

    // Each stage polls every 100 ms until its global becomes non-zero.
    while (pID == 0)
    {
        pID = GetProcId("hl2.exe");
        Sleep(100);
    }
    while (hProcess == NULL)
    {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
        Sleep(100);
    }
    while (m_hClient == 0)
    {
        m_hClient = GetModuleBase("client.dll", pID);
        Sleep(100);
    }

    offset();

    // The two addresses are printed relative to the client.dll base.
    printf("Scan result:\n");
    printf(" [+] LocalBaseEntity: [0x%X]\n", dwBaseEntity - m_hClient);
    printf(" [+] m_fFlags: [0x%X]\n", dwFlags);
    printf(" [+] Jump State: [0x%X]\n", dwJump - m_hClient);

    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Read, NULL, 0, NULL);
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)BunnyHop, NULL, 0, NULL);

    // Keep the process alive for as long as the target window exists.
    while (FindWindow(NULL, "Counter-Strike Source") != NULL)
        Sleep(10);

    return 1337;
}