Bo1 Explosive Bullets By Jo-Milk

/*Bo1 Explosive Bullets By Jo-Milk
This will be updated as it's Fugly
01cedricv2 said he would try to fix it for y'all
Enjoy Port this shit guys works all cods*/
bool ExplosiveBullet[18];

/*struct weaponParms  //size 0x44
{
    float forward[3];
    float right[3];
    float up[3];
    float muzzleTrace[3];
    float gunForward[3];
    WeaponVariantDef* weapVarD;//offset To weapVariantDef
    WeaponDef* weapD;//offset To weapDef
};*/

struct weaponParms
{
    char unk[0x3C];//Location mainly
    int weapVariantDef;//offset To weapVariantDef
    int weapDef;//offset To weapDef
};
char TESTWPJM[] = { 0x3F, 0x59, 0x20, 0x22, 0xBF, 0x07, 0x9E, 0x73, 0x39, 0xD9, 0x68, 0x88, 0xBF, 0x07, 0x9E, 0x74, 0xBF, 0x59, 0x20, 0x23, 0x80, 0x00, 0x00, 0x00, 0xB9, 0xB8, 0x64, 0xE6, 0x39, 0x66, 0x59, 0x61, 0x3F, 0x7F, 0xFF, 0xFF, 0xC4, 0xC9, 0xA4, 0xA3, 0x44, 0xF4, 0x01, 0x89, 0x44, 0x15, 0x7E, 0xB9, 0x01, 0x2A, 0xB2, 0x90, 0x00, 0x00, 0x00, 0x00, 0xD0, 0x0F, 0x4F, 0xB0, 0x01, 0x17, 0x3D, 0x4C, 0x32, 0xAC, 0x2F, 0xE4};
/*|TESTWPJM|This is a struct weaponParms that I dumped of a rocket the first 0x3C bytes are for where the bullet is going the last two are the weapVariantDef and weapDef used to copy the bullet type*/

//it would be cool to make our own weapDef and weapVariantDef since they are mapped in the pdb but I don't have time


void SetMemory(int Address,char* bytes,int length) //writes over structures and variables
{
        for (int i = 0; i < length; i++)
        {
            *(char*)(Address + (i)) = bytes[i];
        }
}


void Bullet_Fire_Stub(int attacker, float spread, weaponParms *wp, int weaponEnt, int gameTime)//look hookstart
{
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
    __nop();
}


/*This hook is very restricted: meaning it will freeze if you add fancy shit*/
void Bullet_Fire_Hook(int attacker, float spread, weaponParms *wp, int weaponEnt, int gameTime)
{
    int client = (attacker-0x12AB290)/0x2F8;//this was the only way to not freeze I'm open for ideas
    if(client < 18)//if a entity bigger then 17 enters the bool array it will freeze
    {
    if(ExplosiveBullet[client] == true)//if explosive bullet true
    {
    SetMemory((int)&TESTWPJM,(char*)wp,0x3C);/*We take the Location from the regular bullet and give it to the rocket the two last integers are the bullet type using weapondef feel free to change those to your likings to have hind rockets or whatever*/
    ((void(*)(int, unsigned int, float,weaponParms *,const float *,int, const float *,int,int))&ParseAddr(0x378518))(0x12AB290 + (client * 0x2F8),0x0665,2,(weaponParms *)TESTWPJM,(float*)0x924700,0,0,0x13950C8+(client * 0x2A38),0x13950C8+(client * 0x2A38));
/*0x378518 Weapon_RocketLauncher_Fire(gentity_s *ent, unsigned int weaponIndex, float spread, weaponParms *wp, const float *gunVel, gentity_s *target, const float *targetOffset) Note:I added more arguments then needed I didn't test without the playerstate_s but when I debugged I saw r10 and r11 equal to playerstate_s*/
    }
    }
Bullet_Fire_Stub(attacker, spread, wp, weaponEnt, gameTime);
}
/*BTW: this code uses (WeaponVariantDef*)0x01173D4C and (WeaponDef*)0x32AC2FE4 is you change it you can have other types of rockets feel free to share you're findings at-> http://www.nextgenupdate.com/forums/showthread.php?t=958430&p=7251379#post7251379*/
/*--------------------------------------------------Extra----------------------------------------------------------------------*/
//read write syscalls
 int32_t sys_dbg_read_process_memory(uint64_t address, void *data, size_t size)
{
    system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    return_to_user_prog(int32_t);
}

template<typename T>
int32_t ReadProcessMemory(uint32_t address, T data, size_t size)
{
    return sys_dbg_read_process_memory(address, &data, size);
}

int32_t sys_dbg_write_process_memory(uint64_t address, const void *data, size_t size)
{
    system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    return_to_user_prog(int32_t);
}

template<typename T>
int32_t WriteProcessMemory(uint32_t address, const T value, size_t size)
{
    return sys_dbg_write_process_memory(address, &value, size);
}

void HookFunctionStart(uint32_t functionStartAddress, uint32_t newFunction, uint32_t functionStub)//SC58 showed me this hooking methode
{
    uint32_t normalFunctionStub[8], hookFunctionStub[4];
    sys_dbg_read_process_memory(functionStartAddress, normalFunctionStub, 0x10);//read(saves) first 4 ppc instructions from the function we are hooking
    normalFunctionStub[4] = 0x3D600000 + ((functionStartAddress + 0x10 >> 16) & 0xFFFF);// ppc
    normalFunctionStub[5] = 0x616B0000 + (functionStartAddress + 0x10 & 0xFFFF);// ppc
    normalFunctionStub[6] = 0x7D6903A6;// ppc
    normalFunctionStub[7] = 0x4E800420;// ppc
    sys_dbg_write_process_memory(functionStub, normalFunctionStub, 0x20);//writes the 4 ppc instruction we saved to the stub where we put (nop)s
    hookFunctionStub[0] = 0x3D600000 + ((newFunction >> 16) & 0xFFFF);// ppc
    hookFunctionStub[1] = 0x616B0000 + (newFunction & 0xFFFF);// ppc
    hookFunctionStub[2] = 0x7D6903A6;// ppc
    hookFunctionStub[3] = 0x4E800420;// ppc
    sys_dbg_write_process_memory(functionStartAddress, hookFunctionStub, 0x10);//writes to the function we are hooking 4 ppc instructions to allow to jump to our hook
}

HookFunctionStart(0x2B8400, *(uint32_t*)Bullet_Fire_Hook, *(uint32_t*)Bullet_Fire_Stub);
/* 0x2B83F8 Bullet_Fire we could optimize the hook *just guessing* if r8 = 0x3D0 mfcr r12 or just optimize the code to use it in VM_Notify
I don't have time right now....*/