Announcement

**Lawgiver** · 09-30-2009, 05:30 PM

Originally posted by aVitamin

i hope this finally motivates people to investigate more in external cheats...just for learning purpose ofc

Not until VAC finally improves and i can't disable it with 1 detour. party002

**aVitamin** · 09-30-2009, 05:50 PM

that's why i added "just for learning purpose ofc" because i nearly smelled that someone is going to post "why should we put much affort into extern haxxx if vac don't detect shit except pee 7"

**entername** · 09-30-2009, 09:09 PM

Thanks aVitamin. Hopefully I'll attempt to do something external (inb4 I fail).

**fibre** · 09-30-2009, 11:29 PM

cool stuff : )

**aVitamin** · 10-01-2009, 09:20 AM

i really don't know how people can not see the obvious advantages of real extern cheats...what anti-cheat bans because of running a completly seperate running executable that only reads from the users pc memory and let windows do the rest? how would they justify the ban? we don't change ANY memory at all....it's not about preventing vac or other anti-cheats from detecting us...it's about beeing innovative and thinking about dirrerent ways to implement different features by exploiting the allowed possibilities....

just think about it for some minutes party21

furthermore it's a nice practice of understanding assembly and understanding how the game works...

(btw: things that have not been done before and which therefore are very rare can achieve a higher amount of profit

)

so far so good...

**aVitamin** · 10-01-2009, 10:15 AM

just to give you an idea how to realize autooffsets also externally...

write a signature for the following function:

Code:

engine.dll+25080  > 833D 344C3720 00 CMP DWORD PTR DS:[20374C34],0
engine.dll+25087  > 0F84 2C010000    JE engine.200251B9
engine.dll+2508D  > 68 F4602E20      PUSH engine.202E60F4               ; ASCII "g_ClientDLL->Init"
engine.dll+25092  > E8 09AD0400      CALL engine.2006FDA0
engine.dll+25097  > A1 04625320      MOV EAX,DWORD PTR DS:[20536204]
engine.dll+2509C  > 8B0D 344C3720    MOV ECX,DWORD PTR DS:[20374C34]    ; store the pointer to the CHLClient VTable in ECX [20374C34 it the address of the pointer to the CHLClient VTable]
engine.dll+250A2  > 8B11             MOV EDX,DWORD PTR DS:[ECX]         ; store the address of the CHLClient VTable in EDX [ECX is the pointer to the VTable address]
engine.dll+250A4  > 83C4 04          ADD ESP,4
engine.dll+250A7  > 68 606E3620      PUSH engine.20366E60
engine.dll+250AC  > 50               PUSH EAX
engine.dll+250AD  > 50               PUSH EAX
engine.dll+250AE  > FF12             CALL DWORD PTR DS:[EDX]            ; calls IBaseClientDLL::Init [EDX = VTable of CHLClient + 0x4 * 0]

code an algorithm that uses ReadProcessMemory to read some memory and store it into a buffer.
search for the signature inside of the buffer and keep the relative offsets from buffer to the base addresse of the engine.dll in mind

rebuild the process from engine.dll+2509C to engine.dll+250A2 using ReadProcessMemory inside of your cheat.

get the address of IBaseClientDLL::Init using the using the information we already got (all the shit we read using RPM before)(yes, we can accomplish this with RPM again...orly)

once you got the address of the Init function you can go from there and try to get the addresses of the VTable of the different classes...:

Code:

24086B40   . 83EC 08        SUB ESP,8                          ;  IBaseClientDLL::Init
24086B43   . E8 A8520200    CALL client.240ABDF0
24086B48   . 6A 01          PUSH 1
24086B4A   . 6A 01          PUSH 1
24086B4C   . 6A 01          PUSH 1
24086B4E   . 6A 01          PUSH 1
24086B50   . 6A 02          PUSH 2
24086B52   . 6A 00          PUSH 0
24086B54   . 68 CDCC0C40    PUSH 400CCCCD
24086B59   . 68 CDCC0C40    PUSH 400CCCCD
24086B5E   . E8 4D9D1C00    CALL client.242508B0
24086B63   . 8B4424 34      MOV EAX,DWORD PTR SS:[ESP+34]
24086B67   . 8D4C24 2C      LEA ECX,DWORD PTR SS:[ESP+2C]
24086B6B   . 6A 01          PUSH 1
24086B6D   . 51             PUSH ECX
24086B6E   . A3 8C2C3924    MOV DWORD PTR DS:[24392C8C],EAX    ;  store the pointer to the CGlobalVarsBase VTable at the address 24392C8C
24086B73   . E8 C8021900    CALL client.24216E40
24086B78   . 8D5424 34      LEA EDX,DWORD PTR SS:[ESP+34]
24086B7C   . 6A 01          PUSH 1
24086B7E   . 52             PUSH EDX
24086B7F   . E8 7CA71C00    CALL client.24251300
24086B84   . 6A 00          PUSH 0
24086B86   . 68 400C3124    PUSH client.24310C40               ;  ASCII "VEngineClient012"
24086B8B   . FF5424 44      CALL DWORD PTR SS:[ESP+44]
24086B8F   . 83C4 38        ADD ESP,38
24086B92   . 85C0           TEST EAX,EAX
24086B94   . A3 64EA3B24    MOV DWORD PTR DS:[243BEA64],EAX    ;  store the pointer to the IVEngineClient VTable at the address 243BEA64

why do we need this?
we need this to get the addresses of functions like SetViewAngles, GetClientEntity, etc. dynamically(yes we could also simply scan the whole dlls. for the different functions signatures directly BUT this way is much cleaner imo)

from the function addresses we can simply add relative offsets to get the offsets to the addresses of the ViewAngles, EntityArray, etc. because this is what we are trying to accomplish.

since we are operating from a seperate process we can not call these functions without changing any memory thats why we need to understand what these functions exactly do and then we can simply read from the relevant addresses.

in fact that's the basic principle how I am going to code an extern boneaimbot, an advanced esp(box, name, weapon, health...nearly everything is possible), etc.

it's all about getting the needed information from the games memory using RPM and make use of it.

once you got all needed informations you can use windows to set the cursor on aimspots or use GDI to overlay the window and draw flickerfree on it.

so, that kind of outlined the basic idea...i hope some of youf get dfinally interested

**selig** · 10-03-2009, 03:06 AM

@ Vit: I am in the process in reversing Classes to get a decent 2D Radar working.

**demize** · 10-03-2009, 03:16 AM

Originally posted by selig View Post

@ Vit: I am in the process in reversing Classes to get a decent 2D Radar working.

... sounds pretty leet >.>

**DerB?r** · 03-27-2011, 01:22 PM

Re: [CS:S/Info] extern GetBonePosition

Have someone the newest offset?
Idk how to find it :/ .

**leethacker** · 03-31-2011, 07:55 PM

Re: [CS:S/Info] extern GetBonePosition

use a hex editor and hl.exe > google

**DerB?r** · 06-28-2011, 04:49 PM

Re: [CS:S/Info] extern GetBonePosition

Mh. noone have the new offset? Or can tell me how to find it? :/

EDIT: is 0x6D8 right?

**udevil_666** · 06-28-2011, 05:14 PM

Re: [CS:S/Info] extern GetBonePosition

man respect, you have much knowledge, i im afraid im too old to learn new tricks and ive smoked alot of weed over the years, so i leave the experimental nasa codes to you special and gifted guys, keep up the good work,,

**DerB?r** · 07-31-2011, 04:23 PM

Re: [CS:S/Info] extern GetBonePosition

Mh, noone have the newest offset? :/

**extern4ever** · 07-31-2011, 06:52 PM

Re: [CS:S/Info] extern GetBonePosition

Code:

ReadProcessMemory( g_hProcess, ( PVOID )( m_dwBaseEntity + 0x788 ), &m_dwBoneMatrix, 4, NULL );

Code:

Vector CPlayer::GetBonePosition( int iBone )
{
	Vector vecBone;

	ReadProcessMemory( g_hProcess, ( PVOID )( m_dwBoneMatrix + 0x30 * iBone + 0x0C ), &vecBone.x, 4, NULL );
	ReadProcessMemory( g_hProcess, ( PVOID )( m_dwBoneMatrix + 0x30 * iBone + 0x1C ), &vecBone.y, 4, NULL );
	ReadProcessMemory( g_hProcess, ( PVOID )( m_dwBoneMatrix + 0x30 * iBone + 0x2C ), &vecBone.z, 4, NULL );

	return vecBone;
}

hf

**DrD** · 08-09-2011, 12:00 AM

Re: [CS:S/Info] extern GetBonePosition

I'm an idiot

**extern4ever** · 08-09-2011, 12:07 AM

Re: [CS:S/Info] extern GetBonePosition

Originally posted by DrD View Post

Give credits to hupo at UC forum. It's clear you stole this info.

roflmao, u mean he stoled it

BoneMatrixBase

http://www.uc-forum.com/forum/counterstrike-source/70047-bonematrixbase.html

Hello does anyone knows how to get the Offset for BoneMatrixBase ? 09-30-2009 avitamin: Code: DWORD dwBoneMatrixBase = *(DWORD*)(dwBaseEntity + 0x670)...

look at dates

i know trollin is hard but never give up

**DrD** · 08-09-2011, 03:04 AM

Re: [CS:S/Info] extern GetBonePosition

Sorry, My mistake I looked at the wrong date. Anyways, thanks for your contribution

**doey55** · 08-13-2011, 03:39 AM

Re: [CS:S/Info] extern GetBonePosition

cool now I will see some priv hacks sold cuz of this thread :( some of us worked hard to get this information

**extern4ever** · 08-13-2011, 04:03 AM

Re: [CS:S/Info] extern GetBonePosition

Originally posted by doey55 View Post

cool now I will see some priv hacks sold cuz of this thread :( some of us worked hard to get this information

ahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha

**DrD** · 10-17-2011, 10:24 PM

Re: [CS:S/Info] extern GetBonePosition

Does anyone have the updated address?

**doey55** · 10-20-2011, 05:39 PM

Re: [CS:S/Info] extern GetBonePosition

It hasn't changed you scammer ;)

**Stuped** · 04-07-2012, 05:13 PM

Re: [CS:S/Info] extern GetBonePosition

Code:

for (int i = 1 ; i <= 32; i++)
{
       ReadProcessMemory(hGame, (LPCVOID)(dwClientDLL + 0x7073E4 + (-0x10 + (i * 0x10))), &baseplayers[i].EntBase, sizeof(baseplayers[i].EntBase), 0);
       ReadProcessMemory(hGame, (LPCVOID)(baseplayers[i].EntBase + 0x788), &baseplayers[i].BoneBase, 4, 0);

       ReadProcessMemory(hGame, (LPCVOID)(baseplayers[i].BoneBase + (0x30 * 14) + 0x0C), &baseplayers[i].HeadBone[0], sizeof(float), 0);
       ReadProcessMemory(hGame, (LPCVOID)(baseplayers[i].BoneBase + (0x30 * 14) + 0x1C), &baseplayers[i].HeadBone[1], sizeof(float), 0);
       ReadProcessMemory(hGame, (LPCVOID)(baseplayers[i].BoneBase + (0x30 * 14) + 0x2C), &baseplayers[i].HeadBone[2], sizeof(float), 0);			

}

The Struct looks like that

Code:

struct baseplayer
{
	DWORD EntBase;
	DWORD BoneBase;
	float HeadBone[3];
} baseplayers[64] = {0};

I tried like this, but it doesn't work, could someone of you take a look at the code above and at the offsets?
Would be great, so Thanks in Advance! :)

**fenja** · 04-07-2012, 06:48 PM

Re: [CS:S/Info] extern GetBonePosition

0x78C

**Stuped** · 04-07-2012, 07:12 PM

Re: [CS:S/Info] extern GetBonePosition

it worked, thank you a lot! :D

**DerB?r** · 06-20-2012, 09:35 PM

Re: [CS:S/Info] extern GetBonePosition

My bone esp works perfectly however the bones while in sequences of moving tend to jump in the direction the Ent is moving..
Someone knows why and how to fix that?

Announcement

[CS:S/Info] extern GetBonePosition

[CS:S/Info] extern GetBonePosition

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment