Getting Baseentitypointers via sigs - Old Royal Hack Forum


Getting Baseentitypointers via sigs


    Getting Baseentitypointers via sigs

    Hey.
    I'm working on an external cheat using rpm. I was using the Radarstruct, but since there are no flags in it, it is kind of useless for an aimbot. So I want to change from the Radarstruct to the Baseentities. Pointers to those are at client.dll+0x7063E4. When I generate a sig of that memory region it looks like this:

    But Olly can't even find its own pattern. KN4CK3R from OSH told me that it might be because it is located in the .data section (I don't really remember exactly what it was), which is normally not within the module size. But after scanning each section of the DLL it still does not find anything.
    I have also searched for pointers (I looked up all level 1, 2 and 3 pointers) and it's the same problem with those: Olly isn't finding its own pattern, and when I scan all sections for them it also does not work.

    My code:
    Code:
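    	/* Read the start of the module image (DOS header, NT headers and the
    	 * section table) so the section layout is taken from the PE headers
    	 * instead of being hard-coded. 1024 bytes covers the headers of a
    	 * typical DLL; the bounds checks below keep the parser inside the
    	 * bytes that were actually read. */
    	DWORD dwTextBase = 0, dwTextSize = 0, dwRDataBase = 0, dwRDataSize = 0, dwDataBase = 0, dwDataSize = 0, dwRelocBase = 0, dwRelocSize = 0;
    	const DWORD dwHeaderBytes = 1024;
    	pbBuffer = (BYTE*)malloc(dwHeaderBytes);
    	if(pbBuffer == NULL)
    	{
    		printf("malloc failed\n");
    	}
    	else if(!ReadProcessMemory(hProc, (void*)dwClientBase, pbBuffer, dwHeaderBytes, NULL))
    	{
    		printf("ReadProcessMemory of the PE header failed\n");
    	}
    	else
    	{
    		PIMAGE_DOS_HEADER dosimg = (PIMAGE_DOS_HEADER)pbBuffer;
    		// e_lfanew comes from the other process: make sure the NT headers it
    		// points at still lie inside the buffer before dereferencing them.
    		if(dosimg->e_magic == IMAGE_DOS_SIGNATURE
    			&& dosimg->e_lfanew > 0
    			&& (DWORD)dosimg->e_lfanew + sizeof(IMAGE_NT_HEADERS) <= dwHeaderBytes)
    		{
    			PIMAGE_NT_HEADERS ntimg = (PIMAGE_NT_HEADERS)(pbBuffer + dosimg->e_lfanew);
    			if(ntimg->Signature == IMAGE_NT_SIGNATURE)
    			{
    				PIMAGE_SECTION_HEADER sectionimg = IMAGE_FIRST_SECTION(ntimg);
    				for(int i = 0; i < ntimg->FileHeader.NumberOfSections; i++, sectionimg++)
    				{
    					// stop if this section header would run past the bytes we read
    					if((BYTE*)(sectionimg + 1) > pbBuffer + dwHeaderBytes)
    					{
    						break;
    					}
    					// Name is IMAGE_SIZEOF_SHORT_NAME (8) bytes and is not NUL-terminated
    					// when all 8 are used, so strstr()/"%s" on it can read past the field;
    					// compare and print with an explicit length instead. strncmp also
    					// makes the match exact rather than a substring match.
    					if(strncmp((char*)sectionimg->Name, ".text", IMAGE_SIZEOF_SHORT_NAME) == 0)
    					{
    						dwTextBase = sectionimg->VirtualAddress;
    						dwTextSize = sectionimg->SizeOfRawData;   // was assigned to dwTextBase, clobbering the base
    					}
    					else if(strncmp((char*)sectionimg->Name, ".rdata", IMAGE_SIZEOF_SHORT_NAME) == 0)
    					{
    						dwRDataBase = sectionimg->VirtualAddress;
    						dwRDataSize = sectionimg->SizeOfRawData;
    					}
    					else if(strncmp((char*)sectionimg->Name, ".data", IMAGE_SIZEOF_SHORT_NAME) == 0)
    					{
    						dwDataBase = sectionimg->VirtualAddress;
    						dwDataSize = sectionimg->SizeOfRawData;
    					}
    					else if(strncmp((char*)sectionimg->Name, ".reloc", IMAGE_SIZEOF_SHORT_NAME) == 0)
    					{
    						dwRelocBase = sectionimg->VirtualAddress;
    						dwRelocSize = sectionimg->SizeOfRawData;
    					}
    					printf("[*] %.8s\tBase\t0x%X\n", sectionimg->Name, sectionimg->VirtualAddress);
    					printf("[*] %.8s\tSize\t0x%X\n", sectionimg->Name, sectionimg->SizeOfRawData);
    				}
    			}
    		}
    	}
    	// The header copy is only needed for parsing; nothing below reads it.
    	free(pbBuffer);
    	pbBuffer = NULL;

    	// Look for the same 10-byte signature in each section that the headers
    	// described. A size of 0 means the section was not found (or the read
    	// failed), so the scan is skipped instead of being run on garbage values.
    	const struct { const char *pszName; DWORD dwBase; DWORD dwSize; } aSections[] = {
    		{ "Text",  dwTextBase,  dwTextSize  },
    		{ "RData", dwRDataBase, dwRDataSize },
    		{ "Data",  dwDataBase,  dwDataSize  },
    		{ "Reloc", dwRelocBase, dwRelocSize },
    	};
    	for(size_t s = 0; s < sizeof(aSections) / sizeof(aSections[0]); s++)
    	{
    		if(aSections[s].dwSize == 0)
    		{
    			printf("[*] %s section not found, scan skipped\n", aSections[s].pszName);
    			continue;
    		}
    		dwPattern = dwFindPatternExternal(hProc, dwClientBase + aSections[s].dwBase, aSections[s].dwSize, (PBYTE)"\x18\x4C\x62\x22\xB3\x00\x00\x00\xD4\x63", "xxxxxxxxxx");
    		printf("[*] Pattern in %ssection:\t0x%X\n", aSections[s].pszName, dwPattern);
    	}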
    Code:
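    /**
     * Copy dwSize bytes starting at dwStartAdd out of hProcess and search the
     * copy for a masked byte pattern.
     *
     * @param hProcess  handle used for ReadProcessMemory.
     * @param dwStartAdd address in the target process where the region starts.
     * @param dwSize    number of bytes to read and scan.
     * @param pbMask    pattern bytes; positions marked '?' in pszMask are ignored
     *                  (the matching itself is done by dwFindPattern).
     * @param pszMask   one 'x' or '?' per pattern byte.
     * @return address in the target process of the first match, or 0 when the
     *         arguments are invalid, the allocation or read fails, or nothing
     *         matches. The local copy is always freed before returning.
     *
     * NOTE: addresses are carried as DWORD, so this only works for 32-bit
     * targets; (DWORD)pbProcData would truncate on a 64-bit build.
     */
    DWORD dwFindPatternExternal(HANDLE hProcess, DWORD dwStartAdd, DWORD dwSize, unsigned char *pbMask, char *pszMask)
    {
    	DWORD dwResult = 0;
    	DWORD dwPattern = 0;
    	BYTE* pbProcData = NULL;

    	// Validate before allocating so the early exits cannot leak the buffer.
    	if(!hProcess || !dwStartAdd || !dwSize || !pbMask || !pszMask)
    	{
    		printf("Wrong args\n");
    		return 0;
    	}
    	pbProcData = (BYTE*) malloc(dwSize);
    	if(pbProcData == NULL)
    	{
    		printf("malloc failed\n");
    		return 0;
    	}

    	// With a NULL bytes-read argument a partial read fails the whole call,
    	// so the buffer is either completely filled or the scan is skipped.
    	if(!(ReadProcessMemory(hProcess, (void*)dwStartAdd, (void*)pbProcData, dwSize, NULL)))
    	{
    		printf("Read Failed\n");
    		goto cleanup;
    	}
    	// dwFindPattern returns the address of the match inside the local copy
    	// (0 on no match); it is assumed to stay within dwSize bytes -- confirm.
    	dwPattern = dwFindPattern((DWORD)pbProcData, dwSize, pbMask, pszMask);
    	if(dwPattern == 0)
    	{
    		printf("dwFindPattern failed\n");
    		goto cleanup;
    	}
    	// Convert the local address into an offset, then rebase it onto the
    	// target process so the caller gets the remote address.
    	dwPattern -= (DWORD)pbProcData;
    	printf("Found Sig at: 0x%X\n", dwPattern);
    	dwResult = dwStartAdd + dwPattern;

    cleanup:
    	free(pbProcData);   // the original leaked this on every path, including success
    	return dwResult;
    }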
    Does anyone have a tip for me, or know another way I could do it dynamically?

    Thanks for your help.

    #2
    Re: Getting Baseentitypointers via sigs

    Take a look at this:


    Code:
    // Scan the engine's .text section for an 8-byte signature; the trailing 0xF is
    // presumably an offset applied to the match by dwExternalFindPattern -- confirm.
    dwTemp = dwExternalFindPattern ( g_dwEngineTextSectionBase, g_dwEngineTextSectionSize, ( PBYTE )"\x89\x54\x24\x2C\x89\x44\x24\x30", "xxxxxxxx", 0xF );
    
    // First dereference in the remote process: reads the 4-byte value at dwTemp
    // back into dwTemp. The return value is not checked, so a failed read leaves
    // dwTemp holding the previous address and the next read silently reuses it.
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &dwTemp, 0x4, NULL );
    
    // Second dereference: the value found there is stored in the global.
    // NOTE(review): a zero result from a pattern miss (dwTemp == 0) also reaches
    // here unchecked; checking each ReadProcessMemory result would catch both.
    ReadProcessMemory ( hProcessHL2, ( PVOID )dwTemp, &g_dwBaseEntityTable, 0x4, NULL );
    	
    // Zero is treated as "not found" by the enclosing function (not shown here).
    if ( g_dwBaseEntityTable == 0 )
    	return 0;
    lolmaoman: Germans are born with a lifetime x22 login engraved into their birth certificates. True story.
    I DONT HAVE TEAMVIEWER AND IM NOT GOING TO GIVE ANY 24/7 ONLINE SUPPORT VIA STEAM, XFIRE OR OTHER IM PROGRAMS SO DONT BOTHER ASKING. THANKS.



      #3
      Re: Getting Baseentitypointers via sigs

      No, it is not working. The Baseentity table is now also located at client.dll + xxx and not in engine.dll. That pattern and the following pointers bring me to 0xBF5007CA, which is not the entity pointer array. But thanks for your help anyway.

      Any other ideas?



        #4
        Re: Getting Baseentitypointers via sigs

        Originally posted by Delta View Post
        No, it is not working. The Baseentity table is now also located at client.dll + xxx and not in engine.dll. That pattern and the following pointers bring me to 0xBF5007CA, which is not the entity pointer array. But thanks for your help anyway.

        Any other ideas?
        It actually does work; keep in mind that wav scans from enginebase + 0x1000 (the beginning of the .text section).
        RVA is hEngineDLL + 0x8FB9
        lolmaoman: Germans are born with a lifetime x22 login engraved into their birth certificates. True story.
        I DONT HAVE TEAMVIEWER AND IM NOT GOING TO GIVE ANY 24/7 ONLINE SUPPORT VIA STEAM, XFIRE OR OTHER IM PROGRAMS SO DONT BOTHER ASKING. THANKS.



          #5
          Re: Getting Baseentitypointers via sigs

          That might be a completely dumb question, but wtf is RVA?

          Are you sure it works? After fixing a typo where I set dwTextBase to the size (which led to the wrong pointer), this is what I get:



            #6
            Re: Getting Baseentitypointers via sigs

            Originally posted by Delta View Post
            That might be a completely dumb question, but wtf is RVA?

            Are you sure it works? After fixing a typo where I set dwTextBase to the size (which led to the wrong pointer), this is what I get:
            RVA = relative virtual address. I just realized that my old cheat isn't working either, so it might be that it has changed; I haven't looked into it yet. I didn't use sigscanning on it though, so that's probably why: CSS updates a million times a week these days.
            lolmaoman: Germans are born with a lifetime x22 login engraved into their birth certificates. True story.
            I DONT HAVE TEAMVIEWER AND IM NOT GOING TO GIVE ANY 24/7 ONLINE SUPPORT VIA STEAM, XFIRE OR OTHER IM PROGRAMS SO DONT BOTHER ASKING. THANKS.



              #7
              Re: Getting Baseentitypointers via sigs

              Originally posted by mencore View Post
              CSS updates million times/week these days.
              Yeah, that's why I want to do it via sigs ;D.

              I'm gonna test some more stuff, but I doubt it will work.
