/*
 * ucGetOffsets — locate client.dll and engine.dll in the target process
 * (dwPID) and fill the file-scope g_dw* globals that the rest of this file
 * reads: module base/size, .text/.rdata section ranges, and a set of
 * addresses/offsets found by pattern scanning.
 *
 * dwPID: process id handed to CreateToolhelp32Snapshot(TH32CS_SNAPMODULE).
 *
 * Side effects (all file-scope, none visible here in declaration):
 *   - allocates pbPage (sizeof(int)*1024 bytes, i.e. 0x1000 when int is
 *     4 bytes; every ReadProcessMemory below copies 0x1000 bytes into it)
 *   - allocates pbEntityData (0x133C bytes); not used in this function
 *   - reads the target through hProcessHL2, which is opened elsewhere
 *   - neither buffer is freed here
 *
 * Returns 0 on any failure. NOTE(review): there is no return statement on
 * the success path, so the value a caller sees after a full run is
 * indeterminate (reading it is undefined behaviour); a `return 1;` before
 * the closing brace appears to be missing. Every ReadProcessMemory result in
 * this function is ignored, so a failed read silently leaves stale bytes in
 * pbPage / the destination variable.
 */
unsigned char ucGetOffsets ( DWORD dwPID )
{
    PIMAGE_DOS_HEADER lpImageDosHeader;
    PIMAGE_NT_HEADERS lpImageNtHeaders;
    PIMAGE_SECTION_HEADER lpSectionHeader;
    HANDLE snapshot;
    MODULEENTRY32 me32;
    int i;
    DWORD dwTemp;

    pbPage = ( PBYTE )malloc ( ( sizeof ( int ) ) * 1024 );
    if ( pbPage == 0 ) return 0;
    pbEntityData = ( PBYTE )malloc ( 0x133C );
    /* NOTE(review): pbPage is leaked on this early return. */
    if ( pbEntityData == 0 ) return 0;

    /* Walk the module list of the target once; stop as soon as both modules
     * have a base and a size. */
    me32.dwSize = sizeof ( me32 );
    snapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPMODULE, dwPID );
    if ( snapshot != INVALID_HANDLE_VALUE ) {
        if ( Module32First ( snapshot, &me32 ) ) {
            do {
                if ( !strcmp ( me32.szModule, "client.dll" ) ) {
                    g_dwClientBase = ( DWORD ) me32.modBaseAddr;
                    g_dwClientSize = me32.modBaseSize;
                }
                if ( !strcmp ( me32.szModule, "engine.dll" ) ) {
                    g_dwEngineBase = ( DWORD ) me32.modBaseAddr;
                    g_dwEngineSize = me32.modBaseSize;
                }
                if ( g_dwClientBase && g_dwClientSize && g_dwEngineBase && g_dwEngineSize ) break;
            } while ( Module32Next ( snapshot, &me32 ) );
        }
        CloseHandle ( snapshot );
    }
    if ( g_dwClientBase == 0 ) return 0;
    if ( g_dwClientSize == 0 ) return 0;
    if ( g_dwEngineBase == 0 ) return 0;
    if ( g_dwEngineSize == 0 ) return 0;

    /* dwTemp = dwExternalFindPattern ( g_dwClientBase, g_dwClientSize, ( PBYTE )"\x8B\x0D\x00\x00\x00\x00\x0F\xB7\x06\x8B\x91\x3C\x80\x01\x00", "xx????xxxxxxxx?", 0x2 ) ReadProcessMemory ( hProcess, ( PVOID )dwTemp, ( PVOID )dwTemp, 0x4, NULL ); ReadProcessMemory ( hProcess, ( PVOID )dwTemp, ( PVOID )g_dwBaseEntityTablePointer, 0x4, NULL ); g_dwBaseEntityTablePointer + 0x1804A = maxplayers & if == 0xFFFF -> not connected if ( g_dwBaseEntityTablePointer == 0 ) return 0; */

    /* --- client.dll: parse the first page of the PE image to find the
     * .text and .rdata section headers.
     * NOTE(review): only 0x1000 bytes are read, but e_lfanew and
     * NumberOfSections are not checked against that size, so a header that
     * lies past the first page makes the loop below read beyond pbPage.
     * IMAGE_SECTION_HEADER.Name is an 8-byte field that need not be
     * NUL-terminated; strcmp can run past it (strncmp with
     * IMAGE_SIZEOF_SHORT_NAME would be bounded). --- */
    ReadProcessMemory ( hProcessHL2, ( PVOID )g_dwClientBase, ( PVOID )pbPage, 0x1000, NULL );
    lpImageDosHeader = ( PIMAGE_DOS_HEADER )( ( DWORD )pbPage );
    if ( lpImageDosHeader->e_magic == IMAGE_DOS_SIGNATURE ) {
        lpImageNtHeaders = ( PIMAGE_NT_HEADERS )( ( DWORD )pbPage + lpImageDosHeader->e_lfanew );
        if ( lpImageNtHeaders->Signature == IMAGE_NT_SIGNATURE ) {
            lpSectionHeader = IMAGE_FIRST_SECTION ( lpImageNtHeaders );
            for ( i = 0; i < lpImageNtHeaders->FileHeader.NumberOfSections; i++ ) {
                if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".text" ) ) {
                    g_dwClientTextSectionBase = lpSectionHeader->VirtualAddress;
                    g_dwClientTextSectionSize = lpSectionHeader->SizeOfRawData;
                }
                if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".rdata" ) ) {
                    g_dwClientRDataSectionBase = lpSectionHeader->VirtualAddress;
                    g_dwClientRDataSectionSize = lpSectionHeader->SizeOfRawData;
                }
                if ( g_dwClientTextSectionBase && g_dwClientTextSectionSize && g_dwClientRDataSectionBase && g_dwClientRDataSectionSize ) break;
                lpSectionHeader++;
            }
            /* Only the .rdata pair is validated; .text base/size may still be 0
             * when the section names do not match. */
            if ( g_dwClientRDataSectionBase == 0 ) return 0;
            if ( g_dwClientRDataSectionSize == 0 ) return 0;
            /* Section RVAs become absolute target-process addresses. */
            g_dwClientTextSectionBase += g_dwClientBase;
            g_dwClientRDataSectionBase += g_dwClientBase;

            /* Each mask is all 'x' (no wildcards) and must be exactly as long
             * as the string it accompanies. */
            g_dwAbsOriginOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_AnimTimeMustBeFirst", "xxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BaseEntity", "xxxxxxxxxxxxx", ( PBYTE )"m_vecOrigin", "xxxxxxxxxxx" );
            if ( g_dwAbsOriginOffset == 0 ) return 0;
            printf ( "g_dwAbsOriginOffset: 0x%X\n", g_dwAbsOriginOffset );
            g_dwEyeAnglesOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_DODSharedLocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_DODPlayer", "xxxxxxxxxxxx", ( PBYTE )"m_angEyeAngles[0]", "xxxxxxxxxxxxxxxxx" );
            if ( g_dwEyeAnglesOffset == 0 ) return 0;
            printf ( "g_dwEyeAnglesOffset: 0x%X\n", g_dwEyeAnglesOffset );
            g_dwFOVOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_LocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BasePlayer", "xxxxxxxxxxxxx", ( PBYTE )"m_iFOV", "xxxxxx" );
            if ( g_dwFOVOffset == 0 ) return 0;
            printf ( "g_dwFOVOffset: 0x%X\n", g_dwFOVOffset );
            g_dwHealthOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_LocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BasePlayer", "xxxxxxxxxxxxx", ( PBYTE )"m_iHealth", "xxxxxxxxx" );
            if ( g_dwHealthOffset == 0 ) return 0;
            printf ( "g_dwHealthOffset: 0x%X\n", g_dwHealthOffset );
            g_dwLifeStateOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_LocalPlayerExclusive", "xxxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BasePlayer", "xxxxxxxxxxxxx", ( PBYTE )"m_lifeState", "xxxxxxxxxxx" );
            if ( g_dwLifeStateOffset == 0 ) return 0;
            printf ( "g_dwLifeStateOffset: 0x%X\n", g_dwLifeStateOffset );
            g_dwTeamOffset = dwGetNetworkedVarOffset ( ( PBYTE )"DT_AnimTimeMustBeFirst", "xxxxxxxxxxxxxxxxxxxxxx", ( PBYTE )"DT_BaseEntity", "xxxxxxxxxxxxx", ( PBYTE )"m_iTeamNum", "xxxxxxxxxx" );
            if ( g_dwTeamOffset == 0 ) return 0;
            printf ( "g_dwTeamOffset: 0x%X\n", g_dwTeamOffset );
        }
    }

    /* --- engine.dll: same PE walk as above (same unchecked e_lfanew /
     * NumberOfSections / Name caveats). Note that when the DOS or NT
     * signature does not match, execution simply falls through to the scans
     * below with g_dwEngine*Section* still 0. --- */
    ReadProcessMemory ( hProcessHL2, ( PVOID )g_dwEngineBase, ( PVOID )pbPage, 0x1000, NULL );
    lpImageDosHeader = ( PIMAGE_DOS_HEADER )( ( DWORD )pbPage );
    if ( lpImageDosHeader->e_magic == IMAGE_DOS_SIGNATURE ) {
        lpImageNtHeaders = ( PIMAGE_NT_HEADERS )( ( DWORD )pbPage + lpImageDosHeader->e_lfanew );
        if ( lpImageNtHeaders->Signature == IMAGE_NT_SIGNATURE ) {
            lpSectionHeader = IMAGE_FIRST_SECTION ( lpImageNtHeaders );
            for ( i = 0; i < lpImageNtHeaders->FileHeader.NumberOfSections; i++ ) {
                if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".text" ) ) {
                    g_dwEngineTextSectionBase = lpSectionHeader->VirtualAddress;
                    g_dwEngineTextSectionSize = lpSectionHeader->SizeOfRawData;
                }
                if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".rdata" ) ) {
                    g_dwEngineRDataSectionBase = lpSectionHeader->VirtualAddress;
                    g_dwEngineRDataSectionSize = lpSectionHeader->SizeOfRawData;
                }
                if ( g_dwEngineTextSectionBase && g_dwEngineTextSectionSize && g_dwEngineRDataSectionBase && g_dwEngineRDataSectionSize ) break;
                lpSectionHeader++;
            }
            if ( g_dwEngineRDataSectionBase == 0 ) return 0;
            if ( g_dwEngineRDataSectionSize == 0 ) return 0;
            g_dwEngineTextSectionBase += g_dwEngineBase;
            g_dwEngineRDataSectionBase += g_dwEngineBase;

            /* Find the string in .rdata, then build a 6-byte mask in the
             * file-scope bMask (0x68, the 4-byte address, wildcard) and look
             * for it in .text. */
            dwTemp = dwExternalFindPattern ( g_dwEngineRDataSectionBase, g_dwEngineRDataSectionSize, ( PBYTE )"g_ClientDLL->Init", "xxxxxxxxxxxxxxxxx", 0 );
            if ( dwTemp == 0 ) return 0;
            bMask[0] = '\x68';
            bMask[5] = '\x00';
            memcpy ( &bMask[1], &dwTemp, 4 );
            dwTemp = dwExternalFindPattern ( g_dwEngineTextSectionBase, g_dwEngineTextSectionSize, ( PBYTE )bMask, "xxxxx?", 0x18 );
            /* NOTE(review): dwTemp is not checked for 0 here; a miss reads
             * 4 bytes from target address 0x18 (0 + the offset). */
            ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwCGlobalVars, 0x4, NULL );
            if ( g_dwCGlobalVars == 0 ) return 0;
            printf ( "g_dwCGlobalVars 0x%X\n", g_dwCGlobalVars );
        }
    }

    /* --- Remaining pattern scans. Each one does a two-step read: the scan
     * result is an address whose 4-byte content is a pointer, which is then
     * dereferenced in the target. NOTE(review): none of the three dwTemp
     * results is checked for 0 before the first ReadProcessMemory, and the
     * second read uses whatever the first left in dwTemp. --- */
    dwTemp = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )"\xC6\x44\x24\x47\xFF", "xxxxx", 0x20 );
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &dwTemp, 0x4, NULL );
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwPlayerResource, 0x4, NULL );
    if ( g_dwPlayerResource == 0 ) return 0;
    printf ( "g_dwPlayerResource 0x%X\n", g_dwPlayerResource );

    /* -0xB is passed to a DWORD parameter: the conversion wraps modulo 2^32,
     * so the addition inside dwExternalFindPattern effectively subtracts 0xB
     * (well-defined unsigned arithmetic, but easy to misread). */
    dwTemp = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )"\x66\x81\x7E\x7A\xFF\xFF\x74\x40", "xxxxxxxx", -0xB );
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &dwTemp, 0x4, NULL );
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwLocalBaseEntity, 0x4, NULL );
    if ( g_dwLocalBaseEntity == 0 ) return 0;
    printf ( "g_dwLocalBaseEntity 0x%X\n", g_dwLocalBaseEntity );

    dwTemp = dwExternalFindPattern ( g_dwEngineTextSectionBase, g_dwEngineTextSectionSize, ( PBYTE )"\x89\x54\x24\x2C\x89\x44\x24\x30", "xxxxxxxx", 0xF );
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &dwTemp, 0x4, NULL );
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwBaseEntityTable, 0x4, NULL );
    if ( g_dwBaseEntityTable == 0 ) return 0;
    printf ( "g_dwBaseEntityTable 0x%X\n", g_dwBaseEntityTable );
    /* NOTE(review): falls off the end without a return value (see header). */
}

//========================================================================================

/*
 * dwExternalFindPattern — scan the target-process range
 * [dwAddress, dwAddress + dwLen) for pbMask/pszMask, one 0x1000-byte page at
 * a time, using dwFindPattern (defined elsewhere in this file).
 *
 * dwAddress: start address in the target process.
 * dwLen:     length of the range in bytes.
 * pbMask:    byte pattern; pszMask: per-byte mask string ('x' = must match,
 *            '?' = wildcard as used by the callers in this file).
 * dwOffset:  added to the match address before it is returned.
 *
 * Returns the target-process address of the first match (+ dwOffset), or 0
 * when nothing matched or pbPage has not been allocated by ucGetOffsets.
 *
 * NOTE(review): the ReadProcessMemory result is ignored, so a failed read
 * leaves the previous page's bytes in pbPage and a stale match can be
 * reported at the wrong address. Each page is matched on its own, so a
 * pattern that straddles a page boundary is not found. The loop condition
 * `dwAddress < dwTemp + dwLen` wraps if dwAddress + dwLen exceeds 32 bits.
 */
DWORD dwExternalFindPattern ( DWORD dwAddress, DWORD dwLen, unsigned char *pbMask, char *pszMask, DWORD dwOffset )
{
    DWORD dwDelta, dwTemp;
    dwTemp = dwAddress;   /* remembered start, used only for the loop bound */
    if ( pbPage == 0 ) return 0;
    do{
        ReadProcessMemory ( hProcessHL2, ( PVOID )dwAddress, ( PVOID )pbPage, 0x1000, NULL );
        /* dwFindPattern returns an address inside pbPage (local buffer), or 0. */
        dwDelta = dwFindPattern ( ( DWORD )pbPage, 0x1000, pbMask, pszMask );
        if ( dwDelta ) {
            if ( dwOffset != 0 ) dwDelta += dwOffset;   /* the != 0 test is redundant; adding 0 is a no-op */
            /* Translate the local-buffer address back into the target's address space. */
            dwDelta -= ( DWORD )pbPage;
            dwDelta += dwAddress;
            return dwDelta;
        }
        dwAddress += 0x1000;
    }while ( dwAddress < dwTemp + dwLen );
    return 0;
}

//========================================================================================

/*
 * dwGetNetworkedVarOffset — resolve the offset of one networked property by
 * locating its name strings in client.dll and reading the 4-byte value that
 * precedes the code reference to the property name.
 *
 * pbDataTableMask1/pszMask1: name of the data table that starts the search window.
 * pbDataTableMask2/pszMask2: name of the data table that ends the search window.
 * pbPropMask/pszMask3:       name of the property.
 *
 * Procedure as written: each string is first found in client.dll's .rdata;
 * then a 6-byte pattern is built in the file-scope bMask (0x68, the 4-byte
 * address of the string, one wildcard — presumably the x86 push of that
 * address; not verified here) and searched for in .text. The property
 * pattern is searched only in [dwDataTable1, dwDataTable1 + dwDelta), and
 * the DWORD 4 bytes before that match is read from the target and returned.
 *
 * Returns 0 when any of the three .rdata strings is not found; otherwise the
 * value read from the target.
 *
 * NOTE(review): the three .text searches (dwDataTable1, dwDataTable2, dwProp)
 * are not checked for 0. dwDelta wraps if dwDataTable2 < dwDataTable1, and
 * `dwProp -= 0x4` on a 0 result yields 0xFFFFFFFC. The final
 * ReadProcessMemory result is ignored, so dwTemp can be returned
 * uninitialised. bMask is shared file-scope scratch and is not safe if this
 * function were ever called concurrently.
 */
DWORD dwGetNetworkedVarOffset ( unsigned char *pbDataTableMask1, char *pszMask1, unsigned char *pbDataTableMask2, char *pszMask2, unsigned char *pbPropMask, char *pszMask3 )
{
    DWORD dwDataTable1, dwDataTable2, dwProp, dwDelta, dwTemp;
    bMask[0] = '\x68';
    bMask[5] = '\x00';

    /* First table: string in .rdata -> code reference in .text. */
    dwDataTable1 = dwExternalFindPattern ( g_dwClientRDataSectionBase, g_dwClientRDataSectionSize, pbDataTableMask1, pszMask1, 0 );
    if ( dwDataTable1 == 0 ) return 0;
    memcpy ( &bMask[1], &dwDataTable1, 4 );
    dwDataTable1 = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )bMask, "xxxxx?", 0 );

    /* Second table, same two-step lookup. */
    dwDataTable2 = dwExternalFindPattern ( g_dwClientRDataSectionBase, g_dwClientRDataSectionSize, pbDataTableMask2, pszMask2, 0 );
    if ( dwDataTable2 == 0 ) return 0;
    memcpy ( &bMask[1], &dwDataTable2, 4 );
    dwDataTable2 = dwExternalFindPattern ( g_dwClientTextSectionBase, g_dwClientTextSectionSize, ( PBYTE )bMask, "xxxxx?", 0 );

    /* Search window for the property is the code between the two table references. */
    dwDelta = dwDataTable2 - dwDataTable1;
    dwProp = dwExternalFindPattern ( g_dwClientRDataSectionBase, g_dwClientRDataSectionSize, pbPropMask, pszMask3, 0 );
    if ( dwProp == 0 ) return 0;
    memcpy ( &bMask[1], &dwProp, 4 );
    dwProp = dwExternalFindPattern ( dwDataTable1, dwDelta, ( PBYTE )bMask, "xxxxx?", 0 );
    dwProp -= 0x4; /* This may need to changed for some props, for most it should work perfectly fine. */
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwProp, &dwTemp, 4, NULL );
    return dwTemp;
}