  1. ;link.exe kernel32.lib user32.lib /nodefaultlib /nologo /dll /entry:DllMain /release /machine:I386 /DYNAMICBASE:NO /filealign:512 /merge:.rdata=.data /merge:.CRT=.rdata /out:"test.exe" main.obj
  2.  
;-----------------------------------------------------------------------
; NASM, 32-bit x86, Win32 stdcall imports (decorated `_Name@argbytes`),
; matching the /machine:I386 link line in the header comment.
; NOTE(review): the listing does not assemble as pasted. Every place an x86
;   `esp` would be expected reads `trigger`, which is not a register --
;   presumably a search-and-replace artifact -- and `_AimNormalize` (called
;   from _ClientModeCreateMoveHook) is never defined; `_AnglesNormalize` is.
;-----------------------------------------------------------------------
[BITS 32]

;fdwReason values passed to DllMain (Win32 values; DLL_PROCESS_DETACH is 0)
%define DLL_PROCESS_ATTACH 1
%define DLL_THREAD_ATTACH 2
%define DLL_THREAD_DETACH 3
%define DLL_PROCESS_DETACH 0

;Displacement from the client.dll module base (added in _InitInterfaces; the
;result is dereferenced twice to reach the client-mode object). A hard-coded
;image offset like this is valid for exactly one build of the target module.
%define ClientModeOffset 0x24FC2B ;deref twice

;Win32 imports. _MessageBoxA@16 and _GetAsyncKeyState@4 are declared but never
;referenced in this listing. IsBadCodePtr is documented by Microsoft as
;obsolete -- see _GetVTableCount for how it is used here.
extern _MessageBoxA@16
extern _CreateThread@24
extern _GetModuleHandleA@4
extern _GetProcAddress@8
extern _IsBadCodePtr@4
extern _VirtualAlloc@16
extern _GetAsyncKeyState@4
  22.  
  23.  
SECTION .data
;Mutable globals. The header link line merges .rdata into .data, so the string
;constants below end up in a writable section as well.

dwClient dd 0x00000000 ;HMODULE of client.dll (set in _InitInterfaces)
fnCreateInterface dd 0x00000000 ;address of client.dll's CreateInterface export

pInput dd 0x00000000 ;read through pClient's vtable in _InitInterfaces; used by _GetUserCmd
pClient dd 0x00000000 ;object returned by CreateInterface("VClient017", 0)
pClientMode dd 0x00000000 ;**(client.dll base + ClientModeOffset)

pNewClientVTables dd 0x00000000 ;private copy of pClient's vtable (second part of the VirtualAlloc'd block)
pNewClientModeVTables dd 0x00000000 ;private copy of pClientMode's vtable (start of the same 0x2000-byte PAGE_READWRITE block)

dwOriginalClientModeCreateMove dd 0x00000000 ;original slot 24 (+0x60) of the client-mode vtable
dwOriginalCreateMove dd 0x00000000 ;original slot 21 (+0x54) of the client vtable

szClientDllName db "client.dll", 0
szCreateInterfaceExport db "CreateInterface", 0
szClientInterfaceVersion db "VClient017", 0

bSendPacket db 0 ;copied from bl on entry to _CreateMoveHook and back into bl on exit; cleared by the client-mode hook
iAim db 0 ;per-call counter in _ClientModeCreateMoveHook; reset to 0 once it exceeds 12
bCalledFromCreateMove db 0 ;1 only while _CreateMoveHook is inside the original call; gates the client-mode hook
  51.  
  52.  
SECTION .text

;only DllMain is exported; every other routine in this file is file-local
global _DllMain
  57.  
  58.  
  59.  
;-----------------------------------------------------------------------
; void AnglesNormalize(float &input)
; Folds *input into [-180, 180] by repeatedly subtracting/adding 360.
; In:    [ebp + 8] = pointer to one float
; Out:   *input updated in place; no register result
; Clobb: eax, xmm0, xmm1, flags
; Stack: `ret 0x4` -- callee removes the single argument
; NOTE(review): `trigger` is not an x86 register; it appears where `esp` would
;   be expected, so the routine does not assemble as pasted.
; NOTE(review): only 8 bytes of frame are reserved but [ebp - 0xC] is written;
;   nothing is pushed or called afterwards, so it goes unnoticed.
; NOTE(review): a NaN input never terminates -- ucomiss sets CF=ZF=1 for an
;   unordered compare, so `jbe` is taken and `jae` is not, and 360 is added
;   forever.
;-----------------------------------------------------------------------
_AnglesNormalize:
push ebp
mov ebp, trigger
sub trigger, 8 ;[ebp - 4] = 180.0f, [ebp - 8] = 360.0f, [ebp - 0xC] = -180.0f (12 bytes used, 8 reserved -- see header)

mov eax, dword [ebp + 8] ;eax = &input
mov dword [ebp - 4], __float32__(180.0)
mov dword [ebp - 8], __float32__(360.0)
mov dword [ebp - 0xC], __float32__(-180.0)

.loopbegin:
movss xmm0, dword [eax] ;xmm0 = *input
ucomiss xmm0, dword [ebp - 4]
jbe .checkforsmallervalue ;*input <= 180 (or NaN): try the lower bound
movss xmm1, dword [ebp - 8]
subss xmm0, xmm1 ;*input -= 360
movss dword [eax], xmm0
jmp .loopbegin

.checkforsmallervalue:
ucomiss xmm0, dword [ebp - 0xC]
jae .end ;*input >= -180: done (NaN falls through -- see header)
movss xmm1, dword [ebp - 8]
addss xmm0, xmm1 ;*input += 360
movss dword [eax], xmm0
jmp .loopbegin

.end:
mov trigger, ebp
pop ebp
ret 0x4
  98.  
  99.  
  100.  
  101.  
;-----------------------------------------------------------------------
; void *GetUserCmd(int cmd_num)
; In:    [ebp + 8] = cmd_num
; Out:   eax = *(pInput + 0xEC) + (cmd_num % 150) * 100
; Clobb: ebx, edx, edi, flags
; Stack: `ret 0x4`
; NOTE(review): ebx and edi are callee-saved under the 32-bit Windows
;   conventions and are not saved here. The routine is not referenced
;   anywhere else in this listing. `trigger` is not a register
;   (presumably `esp`).
;-----------------------------------------------------------------------
_GetUserCmd:
push ebp
mov ebp, trigger

mov eax, dword [pInput]
mov edi, dword [eax + 0xEC] ;edi = array base stored at pInput + 0xEC

;edx = cmd_num % 150 (the original comment said 128; the divisor below is 150)
mov edx, 0 ;div divides edx:eax, so edx must be cleared first
mov eax, dword [ebp + 0x8] ;cmd_num
mov ebx, 150 ;multiplayer_backup
div ebx

imul edx, edx, 0x64 ;element stride is 100 bytes
add edi, edx
mov eax, edi ;return &array[cmd_num % 150]

mov trigger, ebp
pop ebp
ret 0x4
  127.  
  128.  
;-----------------------------------------------------------------------
; Hook installed by _InitThread into slot 21 (+0x54) of pClient's vtable.
; In:    [ebp + 8], [ebp + 0xC], [ebp + 0x10] = three stack arguments, pushed
;        again unchanged for the original function; bl on entry is stored in
;        bSendPacket (presumably the caller's send flag -- not verifiable here)
; Out:   eax = the original's return value; bl = bSendPacket as it stands after
;        the call (_ClientModeCreateMoveHook may clear it during the call)
; Clobb: bl, flags, plus whatever the original clobbers
; Stack: `ret 0xC`; the original is called without a caller-side adjustment,
;        so it is assumed to clean its own three arguments
; NOTE(review): `trigger` is not a register (presumably `esp`).
;-----------------------------------------------------------------------
_CreateMoveHook:
push ebp
mov ebp, trigger

mov byte [bSendPacket], bl
mov byte [bCalledFromCreateMove], 1 ;the client-mode function is also reached from elsewhere; this flag marks calls that pass through here

push dword [ebp + 0x10]
push dword [ebp + 0xC]
push dword [ebp + 0x8]
call dword [dwOriginalCreateMove]

mov byte [bCalledFromCreateMove], 0 ;window closed: the client-mode hook acts only while this was 1
mov bl, byte [bSendPacket] ;hand the (possibly cleared) flag back in bl

mov trigger, ebp
pop ebp
ret 0xC
  151.  
  152.  
;-----------------------------------------------------------------------
; Hook installed by _InitThread into slot 24 (+0x60) of pClientMode's vtable.
; Calls the original first; then, only while _CreateMoveHook has set
; bCalledFromCreateMove, rewrites fields of the struct passed as the second
; argument.
; In:     [ebp + 8], [ebp + 0xC] = two stack arguments, forwarded unchanged;
;         [ebp + 0xC] is treated as a struct (fields +0xC, +0x10, +0x24,
;         +0x28 written; +0x30 read)
; Out:    eax = the original's return value on the early-exit paths; forced to
;         0 on the .doiAim path (`mov eax, 0` before .end). bSendPacket is
;         cleared and iAim incremented on that path; iAim is reset to 0 once
;         it exceeds 12.
; Locals: [ebp - 4] = scratch (bit test, then float constants for the SSE ops)
; Clobb:  eax, xmm0, flags. The author's note says the hook site tolerates no
;         register changes except eax; xmm0 is nonetheless clobbered.
; Stack:  `ret 0x8`; the original is called without caller-side cleanup
; NOTE(review): `trigger` is not a register (presumably `esp`).
; NOTE(review): `_AimNormalize` is not defined in this listing;
;   `_AnglesNormalize` matches the call shape (one pointer argument, `ret 4`),
;   so the push/pop of eax around the call stays balanced either way.
; NOTE(review): every path pops the eax pushed at "save eax" exactly once.
;-----------------------------------------------------------------------
_ClientModeCreateMoveHook:
push ebp
mov ebp, trigger
sub trigger, 4 ;[ebp - 4] = scratch dword

push dword [ebp + 0xC]
push dword [ebp + 0x8]

call dword [dwOriginalClientModeCreateMove]

cmp byte [bCalledFromCreateMove], 0
je .end ;not inside _CreateMoveHook: return the original's result untouched

push eax ;save the original's return value; each path below pops it once

mov eax, dword [ebp + 0xC] ;eax = struct argument

push dword [eax + 0x30] ;buttons
pop dword [ebp - 4]

and dword [ebp - 4], 1 ;isolate bit 0 of buttons
cmp dword [ebp - 4], 0

jne .popandend ;bit set: restore eax and return without touching the struct

cmp byte [iAim], 12 ;signed compare -- fine while iAim stays within 0..13, which the reset below guarantees
jle .doiAim

pop eax ;iAim > 12: restore eax, reset the counter, leave the struct alone
mov byte [iAim], 0
jmp .end

.doiAim:
mov dword [eax + 0xC], __float32__(10.0) ;field +0xC = 10.0f

movss xmm0, dword [eax + 0x10] ;field +0x10 += 10.0f (author: curview - 10 = iAimfov)
mov dword [ebp - 4], __float32__(10.0)
addss xmm0, dword [ebp - 4]
movss dword [eax + 0x10], xmm0

push eax ;keep eax across the call (callee ends with `ret 4`, so only the argument is consumed)
add eax, 0x10
push eax
call _AimNormalize ;undefined symbol in this listing -- see header
pop eax

movss xmm0, dword [eax + 0x24] ;fields +0x24 and +0x28 negated (x * -1.0f)
mov dword [ebp - 4], __float32__(-1.0)
mulss xmm0, dword [ebp - 4]
movss dword [eax + 0x24], xmm0

movss xmm0, dword [eax + 0x28]
mulss xmm0, dword [ebp - 4]
movss dword [eax + 0x28], xmm0

pop eax ;restore, then deliberately overwrite: this path returns 0
mov eax, 0
mov byte [bSendPacket], 0 ;_CreateMoveHook will hand bl = 0 back to its caller
inc byte [iAim]

.end:
mov trigger, ebp
pop ebp
ret 0x8

.popandend:
pop eax
jmp .end
  239.  
  240.  
;-----------------------------------------------------------------------
; int GetVTableCount(void **table)
; In:    [ebp + 8] = start of a function-pointer array
; Out:   eax = count of leading entries for which IsBadCodePtr returned 0
; Clobb: ebx, esi, flags, plus whatever IsBadCodePtr clobbers (ecx/edx are
;        caller-saved)
; Stack: `ret 0x4`
; NOTE(review): ebx and esi are callee-saved and are not preserved.
; NOTE(review): this is a heuristic, not a vtable length. IsBadCodePtr (an API
;   Microsoft documents as obsolete) only probes that the address is readable,
;   so counting continues into whatever happens to follow the table -- the
;   _InitThread comment reports 0x439 for one table -- and the loop stops on
;   its own only when esi wraps to 0. `trigger` is not a register
;   (presumably `esp`).
;-----------------------------------------------------------------------
_GetVTableCount:
push ebp
mov ebp, trigger

mov ebx, dword [ebp + 8] ;ebx = table
mov esi, 0 ;esi = index / result (callee-saved register, not saved -- see header)

.loopbegin:
push dword [ebx + esi * 4]
call _IsBadCodePtr@4 ;stdcall: callee removes the argument

cmp eax, 0
jne .loopend ;first entry that fails the probe ends the count

inc esi
cmp esi, 0
jne .loopbegin ;effectively unbounded: only a probe failure or esi wrapping to 0 exits

.loopend:
mov eax, esi

mov trigger, ebp
pop ebp
ret 0x4
  272.  
  273.  
  274.  
;-----------------------------------------------------------------------
; int InitInterfaces(void)
; Resolves client.dll, its CreateInterface export, the "VClient017" object,
; pInput (read through that object's vtable) and pClientMode (via
; ClientModeOffset), storing each in the .data globals.
; Out:   eax = 1 when everything resolved; 0 when GetModuleHandleA,
;        GetProcAddress or CreateInterface returned NULL.
; NOTE(review): the three `je .end` exits (pInput == 0, second GetModuleHandleA
;   == 0, pClientMode == 0) leave eax as the last intermediate value -- nonzero
;   for the first and third -- so the result is not a clean bool. _InitThread
;   never checks it anyway.
; Clobb: eax, ebx, edx, flags (ebx is callee-saved and is not preserved)
; Stack: `ret`, no arguments. `trigger` is not a register (presumably `esp`).
;-----------------------------------------------------------------------
_InitInterfaces:
push ebp
mov ebp, trigger

push szClientDllName ;GetModuleHandleA("client.dll") -- string address as an absolute immediate; only valid because the link line sets /DYNAMICBASE:NO
call _GetModuleHandleA@4

cmp eax, 0
je .returnfalse

mov dword [dwClient], eax

push szCreateInterfaceExport ;GetProcAddress(hClient, "CreateInterface")
push eax
call _GetProcAddress@8

cmp eax, 0
je .returnfalse

mov dword [fnCreateInterface], eax

push 0 ;CreateInterface("VClient017", NULL)
push szClientInterfaceVersion
call dword [fnCreateInterface]
add trigger, 0x8 ;caller-cleaned (cdecl-style) call: remove the two arguments

cmp eax, 0
je .returnfalse

mov dword [pClient], eax

;*(CInput**)(vtableclient[15] + 0x1)
;Reads a dword from inside the code of vtable slot 15 (+0x3C) -- presumably the
;32-bit operand of that function's first instruction. Build-specific.
mov ebx, dword [eax]
mov eax, dword [ebx + 0x3C] ;client vtable slot 15
add eax, 0x1 ;+1: presumably past a one-byte opcode (see note above)
mov ebx, dword [eax]
mov dword [pInput], ebx

cmp ebx, 0
je .end ;NOTE(review): returns with eax = code address + 1, not 0

push szClientDllName ;second GetModuleHandleA("client.dll"); dwClient already holds this handle
call _GetModuleHandleA@4

cmp eax, 0
je .end

mov ebx, dword [eax + ClientModeOffset] ;first dereference of base + ClientModeOffset
mov edx, dword [ebx] ;second dereference
mov dword [pClientMode], edx

cmp edx, 0
je .end ;NOTE(review): returns with eax = module handle, not 0

mov eax, 1 ;return true

jmp .end

.returnfalse:
mov eax, 0

.end:
mov trigger, ebp
pop ebp
ret
  360.  
  361.  
  362.  
  363.  
;-----------------------------------------------------------------------
; DWORD InitThread(void *)  -- thread start routine launched from _DllMain
; Resolves the interfaces, then swaps the vtable pointers of pClientMode and
; pClient to private copies living in one VirtualAlloc'd PAGE_READWRITE block,
; after saving slot 24 / slot 21 and redirecting them to the hooks above.
; Locals: [ebp - 4] = original client-mode vtable, [ebp - 8] = original client vtable
; Out:    eax at exit is whatever the last instruction left (used as the thread
;         exit code)
; Clobb:  ebx, esi, edi (callee-saved, not preserved). The routine ends with a
;         plain `ret`, although a CreateThread start routine is stdcall with
;         one parameter -- TODO confirm the 4-byte imbalance is tolerated.
; NOTE(review): `trigger` is not a register (presumably `esp`).
; NOTE(review): robustness gaps visible in this block:
;   - _InitInterfaces' result is ignored, so pClient / pClientMode can be NULL
;     when dereferenced right below.
;   - the 0x2000-byte block holds 0x800 entries in total; the two counts from
;     _GetVTableCount (a heuristic that over-counts -- the comment below reports
;     0x439) are never bounded against it, so the second copy can run past
;     the allocation.
;   - the second count is not checked for 0; `sub esi, 1` then wraps and the
;     copy loop keeps writing until it faults.
; Detection note: once this has run, *pClientMode and *pClient point outside
;   client.dll's image. A vtable-integrity check that compares an object's
;   vtable pointer against its module's address range catches exactly this.
;-----------------------------------------------------------------------
_InitThread: ;author's debug note: 31dc0000 esi = 47
push ebp
mov ebp, trigger
sub trigger, 8 ;[ebp - 4] = client-mode vtable, [ebp - 8] = client vtable (originals)

call _InitInterfaces ;return value not checked -- see header

mov eax, dword [pClient]
push dword [eax] ;[ebp - 8] = *pClient
pop dword [ebp - 8]

mov eax, dword [pClientMode]
push dword [eax] ;[ebp - 4] = *pClientMode
pop dword [ebp - 4]

push dword [eax] ;count entries of the client-mode vtable (eax is still pClientMode)
call _GetVTableCount

cmp eax, 0
je .end

mov esi, eax ;esi = client-mode entry count

push 0x04 ;PAGE_READWRITE
push 0x1000 ;MEM_COMMIT
push 0x2000 ;size: 0x800 dwords shared by both copies (author: oversized because the count heuristic returned 0x439 for clientmode)
push 0 ;lpAddress = NULL
call _VirtualAlloc@16

cmp eax, 0
je .end

mov dword [pNewClientModeVTables], eax

mov ebx, eax
lea ebx, [ebx + esi * 4] ;client vtable copy starts right after the esi client-mode entries, plus one dword of gap
add ebx, 4
mov dword [pNewClientVTables], ebx

mov ebx, dword [ebp - 4] ;original client-mode vtable

.loopbegin: ;copy entries esi-1 .. 0 (esi entries) into the new block
sub esi, 1
mov edi, dword [ebx + esi * 4]
mov dword [eax + esi * 4], edi
cmp esi, 0
jne .loopbegin

mov ebx, dword [pClientMode]
mov dword [ebx], eax ;*pClientMode = copy (the object now uses the private vtable)

mov ebx, dword [eax + 0x60]
mov dword [dwOriginalClientModeCreateMove], ebx ;save original slot 24

mov dword [eax + 0x60], _ClientModeCreateMoveHook ;client-mode slot 24 (+0x60) -> hook

mov eax, dword [ebp - 8]
push eax ;count entries of the client vtable
call _GetVTableCount
mov esi, eax ;NOTE(review): not checked for 0, unlike the first count

mov eax, dword [pNewClientVTables]

mov ebx, dword [ebp - 8] ;original client vtable

.loopbegin2: ;same copy loop; no bound against the end of the 0x2000-byte block
sub esi, 1
mov edi, dword [ebx + esi * 4]
mov dword [eax + esi * 4], edi
cmp esi, 0
jne .loopbegin2

mov ebx, dword [pClient]
mov dword [ebx], eax ;*pClient = copy

mov ebx, dword [eax + 0x54]
mov dword [dwOriginalCreateMove], ebx ;save original slot 21

mov dword [eax + 0x54], _CreateMoveHook ;client slot 21 (+0x54) -> hook

.end:
mov trigger, ebp
pop ebp
ret
  473.  
  474.  
;-----------------------------------------------------------------------
; BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
; In:    [ebp + 8] = hinstDLL (unused), [ebp + 0xC] = fdwReason,
;        [ebp + 0x10] = lpvReserved (unused)
; Out:   eax = 1 (TRUE) for every reason code
; Stack: stdcall, `ret 0xC`
; On DLL_PROCESS_ATTACH it starts _InitThread with
; CreateThread(NULL, 0, _InitThread, NULL, 0, NULL) and discards the thread
; handle (never closed). No other reason code does anything, so nothing is
; unhooked on DLL_PROCESS_DETACH.
; NOTE(review): `trigger` is not a register (presumably `esp`).
;-----------------------------------------------------------------------
_DllMain:
push ebp
mov ebp, trigger

cmp dword [ebp + 0xC], DLL_PROCESS_ATTACH
je .dllattached
jmp .returnbranch ;any other reason: just return TRUE

.dllattached:

push 0 ;lpThreadId
push 0 ;dwCreationFlags
push 0 ;lpParameter
push _InitThread ;lpStartAddress
push 0 ;dwStackSize
push 0 ;lpThreadAttributes
call _CreateThread@24 ;the handle in eax is overwritten below without CloseHandle

.returnbranch:
mov eax, 1
mov trigger, ebp
pop ebp
ret 0xC