#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
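// Flag bit that BunnyHop() tests in iFlags (value taken from the original #define;
// a typed constexpr instead of a macro so it is scoped and visible to the debugger).
constexpr int FL_ONGROUND = 1 << 0;
// Kept for compatibility with the rest of the file; nothing visible here needs it.
using namespace std;
// Process-wide state shared by main(), offset(), Read() and BunnyHop().
// These are written in main()/offset() and then read by the worker threads with no
// synchronization (see Read()/BunnyHop()).
HWND css;            // declared but not used anywhere in this file
int iFlags;          // last flags value read by Read(); tested against FL_ONGROUND in BunnyHop()
DWORD dwBasePointer; // pointer value Read() fetches from dwBaseEntity
HANDLE hProcess;     // handle to the target process, opened in main()
DWORD m_hClient;     // base address of client.dll in the target, from GetModuleBase()
DWORD pID;           // target process id, from GetProcId()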
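// Returns the size in bytes (modBaseSize) of the module named `module` in the process whose
// id is in the global pID, or 0 when the snapshot fails or no module matches.
// The name compare is an exact, case-sensitive strcmp, consistent with GetModuleBase().
// Differences from the original: the snapshot handle is validated against
// INVALID_HANDLE_VALUE (the value CreateToolhelp32Snapshot returns on failure), the first
// enumerated module is compared too (the old loop called Module32Next before comparing),
// and the compare covers the whole name instead of only its first 8 characters.
DWORD GetModuleSize(const char* module)
{
    if (module == NULL)
        return 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pID);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;
    MODULEENTRY32 xModule = {0};
    xModule.dwSize = sizeof(MODULEENTRY32);
    DWORD size = 0;
    for (BOOL ok = Module32First(hSnap, &xModule); ok; ok = Module32Next(hSnap, &xModule))
    {
        if (strcmp(xModule.szModule, module) == 0)
        {
            size = (DWORD)xModule.modBaseSize;
            break;
        }
    }
    // Single exit so the snapshot handle is always released.
    CloseHandle(hSnap);
    return size;
}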
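// Returns the load address (modBaseAddr) of `lpModuleName` inside process `dwProcessId`, or 0
// when the snapshot cannot be taken or no module with exactly that name (case-sensitive) exists.
// The address is truncated to a DWORD, so this only makes sense for a 32-bit target, as in the
// rest of this file.
// Fix: CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, so the original
// `if(!hSnapShot)` test never fired and the loop ran on an invalid handle.
DWORD GetModuleBase(LPCSTR lpModuleName, DWORD dwProcessId)
{
    if (lpModuleName == NULL)
        return 0;
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hSnapShot == INVALID_HANDLE_VALUE)
        return 0;
    MODULEENTRY32 lpModuleEntry = {0};
    lpModuleEntry.dwSize = sizeof(lpModuleEntry);
    DWORD base = 0;
    for (BOOL bModule = Module32First(hSnapShot, &lpModuleEntry); bModule;
         bModule = Module32Next(hSnapShot, &lpModuleEntry))
    {
        if (strcmp(lpModuleEntry.szModule, lpModuleName) == 0)
        {
            base = (DWORD)lpModuleEntry.modBaseAddr;
            break;
        }
    }
    // Single exit so the snapshot handle is always released.
    CloseHandle(hSnapShot);
    return base;
}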
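// Enables SeDebugPrivilege in the current process token. Not called from main() in this file.
// Every API result is checked; on failure a message is printed and the token is left as it was.
// AdjustTokenPrivileges can return TRUE and still not enable the privilege (GetLastError() ==
// ERROR_NOT_ALL_ASSIGNED when the token does not hold it); the original ignored that case.
void SetDebugPrivilege()
{
    HANDLE hToken = NULL;
    // GetCurrentProcess() returns a pseudo-handle; it does not need CloseHandle().
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        printf("SetDebugPrivilege: OpenProcessToken failed (%lu)\n", GetLastError());
        return;
    }
    LUID luid = {0};
    // SE_DEBUG_NAME is the canonical "SeDebugPrivilege" string (the old literal had a lowercase 's').
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        printf("SetDebugPrivilege: LookupPrivilegeValue failed (%lu)\n", GetLastError());
        CloseHandle(hToken);
        return;
    }
    TOKEN_PRIVILEGES priv = {0};
    priv.PrivilegeCount = 1;
    priv.Privileges[0].Luid = luid;
    priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL))
    {
        printf("SetDebugPrivilege: AdjustTokenPrivileges failed (%lu)\n", GetLastError());
    }
    else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("SetDebugPrivilege: privilege is not held by this token\n");
    }
    CloseHandle(hToken);
}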
// Compares `pData` with `bMask` position by position under `szMask`: each 'x' in szMask
// requires the two bytes at that position to be equal; any other mask character is a
// wildcard. The compare stops at szMask's terminator. Returns true when every 'x'
// position matched. Callers must guarantee pData and bMask are at least strlen(szMask) long.
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    while (*szMask != '\0')
    {
        const bool mustMatch = (*szMask == 'x');
        if (mustMatch && *pData != *bMask)
            return false;
        ++szMask;
        ++pData;
        ++bMask;
    }
    // The loop only leaves at the mask terminator, so the original `(*szMask) == NULL`
    // was always true here.
    return true;
}
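// Scans the `dwSize` bytes at `pData` for the masked pattern bMask/szMask (see bDataCompare)
// and returns the offset of the first match. Returns 0 when there is no match, which is
// indistinguishable from a match at offset 0 -- callers that need to tell them apart must
// test offset 0 themselves (the original had the same ambiguity).
// Fix: a position is only compared when the whole pattern fits inside the buffer, so the scan
// never reads past pData + dwSize; the original compared up to strlen(szMask)-1 bytes beyond it.
DWORD dwFindPattern(BYTE* pData, DWORD dwSize, BYTE* bMask, char* szMask)
{
    if (pData == NULL || bMask == NULL || szMask == NULL)
        return 0;
    const size_t patternLen = strlen(szMask);
    if (patternLen == 0 || patternLen > dwSize)
        return 0;
    const DWORD lastStart = dwSize - (DWORD)patternLen;
    for (DWORD i = 0; i <= lastStart; ++i)
        if (bDataCompare(pData + i, bMask, szMask))
            return i;
    return 0;
}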
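// Scans `dwSize` bytes of the target process (global hProcess) starting at `dwAddress` for the
// masked pattern pbSignature/pszSignature (see bDataCompare) and returns the absolute address
// of the first match, or 0 when it is absent or a read fails (the message below is printed).
// Memory is read in 2048-byte windows; each window starts at the first position the previous
// one could not test, so a match straddling a window boundary is still found.
// Differences from the original: dwSize is honoured (the old loop read until ReadProcessMemory
// failed), a match at offset 0 of a window is reported (the old `if (dwDelta)` dropped it),
// and no position is tested unless the whole pattern lies inside the bytes actually read.
// Addresses are DWORDs, so this assumes a 32-bit target, as does the rest of the file.
DWORD FindPattern(DWORD dwAddress, DWORD dwSize, PBYTE pbSignature, char* pszSignature)
{
    if (pbSignature == NULL || pszSignature == NULL)
        return 0;
    const size_t patternLen = strlen(pszSignature);
    const DWORD kWindow = 2048;
    if (patternLen == 0 || patternLen > dwSize || patternLen > kWindow)
        return 0;
    BYTE pBuf[2048] = {0};
    DWORD scanned = 0; // start of the current window, relative to dwAddress
    while (dwSize - scanned >= patternLen)
    {
        const DWORD windowStart = dwAddress + scanned;
        const DWORD remaining = dwSize - scanned;
        const SIZE_T toRead = (remaining < kWindow) ? remaining : kWindow;
        SIZE_T bytesRead = 0;
        if (ReadProcessMemory(hProcess, (LPCVOID)windowStart, pBuf, toRead, &bytesRead) == FALSE
            || bytesRead < patternLen)
        {
            printf("External FindPattern RPM : Error!\n");
            return 0;
        }
        // Test every start position at which the whole pattern lies within what was read.
        for (SIZE_T i = 0; i + patternLen <= bytesRead; ++i)
            if (bDataCompare(pBuf + i, pbSignature, pszSignature))
                return windowStart + (DWORD)i;
        // Next window begins at the first start position this window could not test.
        // bytesRead >= patternLen here, so the step is at least 1 and the loop terminates.
        scanned += (DWORD)(bytesRead - patternLen + 1);
    }
    return 0;
}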
// Addresses/offsets resolved by offset() and consumed by the worker threads (0 until resolved).
DWORD dwBaseEntity; // target address Read() dereferences to obtain dwBasePointer
DWORD dwFlags;      // offset added to dwBasePointer when Read() fetches iFlags (filled by a 2-byte read)
DWORD dwJump;       // target address BunnyHop() writes `four`/`five` to
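// Scans client.dll (base m_hClient, `client_size` bytes) for `sig`/`mask`, then reads `size`
// bytes from the target at match + `adjust` into `out`. Prints a message and returns false
// when the pattern is not found or the read fails, leaving *out untouched. `what` only
// labels the messages.
static bool ReadAtSignature(const char* what, PBYTE sig, const char* mask, DWORD adjust,
                            void* out, SIZE_T size, DWORD client_size)
{
    // FindPattern returns 0 for "not found"; the original added `adjust` to that 0 and
    // issued the read anyway.
    const DWORD match = FindPattern(m_hClient, client_size, sig, (char*)mask);
    if (match == 0)
    {
        printf("offset: %s signature not found\n", what);
        return false;
    }
    if (!ReadProcessMemory(hProcess, (LPCVOID)(match + adjust), out, size, NULL))
    {
        printf("offset: %s read failed (%lu)\n", what, GetLastError());
        return false;
    }
    return true;
}

// Resolves the three globals the worker threads use by signature-scanning client.dll in the
// target process (requires hProcess, pID and m_hClient to be set, which main() does first):
//   dwBaseEntity <- 4 bytes at the LocalBase match + 2
//   dwFlags      <- 2 bytes at the m_fFlags match + 1 (upper 16 bits of the DWORD are untouched)
//   dwJump       <- 4 bytes at the jump match + 4
// The three lookups are independent; a failed one prints a message and leaves its global as is.
void offset()
{
    const DWORD client_size = GetModuleSize("client.dll");
    if (client_size == 0)
    {
        printf("offset: client.dll size not found\n");
        return;
    }
    PBYTE LocalBase_sig = (PBYTE)"\x39\x35\x00\x00\x00\x00\x8B\xCF\x0F\x94\xC2";
    ReadAtSignature("LocalBase", LocalBase_sig, "xx????xxxxx", 0x2,
                    &dwBaseEntity, sizeof(DWORD), client_size);
    PBYTE m_fFlags_sig = (PBYTE)"\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x83\xC4\x30\x68\x00\x00\x00\x00\x6A\x07";
    ReadAtSignature("m_fFlags", m_fFlags_sig, "x????x????x????x????xxxx????xx", 0x1,
                    &dwFlags, 2, client_size);
    PBYTE jump_sig = (PBYTE)"\x74\x06\x21\x05\x00\x00\x00\x00\xF6\x05\x4C\x13\x31\x51\x03\x74\x03";
    ReadAtSignature("jump", jump_sig, "xxxx????xxxxxxxxx", 0x4,
                    &dwJump, sizeof(DWORD), client_size);
}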
// Worker thread body: once per millisecond, fetch the pointer stored at dwBaseEntity into
// dwBasePointer, then fetch the int at dwBasePointer + dwFlags into iFlags. Never returns.
// Read failures are not checked, so the globals simply keep their previous values.
// iFlags is read by BunnyHop() on another thread with no synchronization.
void Read()
{
    for (;;)
    {
        Sleep(1);
        ReadProcessMemory(hProcess, (LPCVOID)dwBaseEntity, &dwBasePointer, sizeof(DWORD), NULL);
        const DWORD flagsAddress = dwBasePointer + dwFlags;
        ReadProcessMemory(hProcess, (LPCVOID)flagsAddress, &iFlags, sizeof(int), NULL);
    }
}
// Values BunnyHop() writes into the target at dwJump: `four` on every tick while the key is
// held, `five` when the last iFlags read has FL_ONGROUND set. Only ever read after start-up.
int five = 5;
int four = 4;
// Worker thread body. Every millisecond: if the key with virtual-key code 32 is not down,
// wait 10 ms and retry; otherwise write `four` to dwJump and, when the last iFlags value
// read by Read() has FL_ONGROUND set, also write `five` and wait 10 ms. Never returns.
// WriteProcessMemory results are ignored; iFlags is shared with Read() without synchronization.
void BunnyHop(void)
{
    const int kKeyCode = 32;
    for (;;)
    {
        Sleep(1);
        const bool keyDown = GetAsyncKeyState(kKeyCode) != 0;
        if (!keyDown)
        {
            Sleep(10);
            continue;
        }
        WriteProcessMemory(hProcess, (LPVOID)dwJump, &four, sizeof(int), NULL);
        const bool onGround = (iFlags & FL_ONGROUND) != 0;
        if (onGround)
        {
            WriteProcessMemory(hProcess, (LPVOID)dwJump, &five, sizeof(int), NULL);
            Sleep(10);
        }
    }
}
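// Returns the process id of the first process whose image name equals `ProcName`
// (case-sensitive strcmp, as before), or 0 when the snapshot fails or nothing matches.
// Fix: the original returned pe32.th32ProcessID unconditionally, i.e. the id of the *last*
// enumerated process when there was no match, so main()'s `while(!pID)` loop could attach to
// an unrelated process. The snapshot handle is now also validated before use.
DWORD GetProcId(const char* ProcName)
{
    if (ProcName == NULL)
        return 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);
    DWORD found = 0;
    for (BOOL ok = Process32First(hSnapshot, &pe32); ok; ok = Process32Next(hSnapshot, &pe32))
    {
        if (strcmp(pe32.szExeFile, ProcName) == 0)
        {
            found = pe32.th32ProcessID;
            break;
        }
    }
    // Single exit so the snapshot handle is always released.
    CloseHandle(hSnapshot);
    return found;
}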
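// Entry point: waits for the window titled "Counter-Strike Source", attaches to hl2.exe,
// resolves addresses with offset(), starts the Read() and BunnyHop() worker threads and
// returns 1337 once the window disappears. The non-standard `int main(HINSTANCE)` signature
// is kept as the original had it; the argument is unused.
// Fixes: the process is opened with only the rights the code uses (least privilege instead
// of PROCESS_ALL_ACCESS), the worker threads are not started when the scan left any address
// unresolved (the old code would then write to address 0 forever), and the thread and
// process handles are closed instead of leaked.
int main(HINSTANCE hInstance)
{
    (void)hInstance;
    SetConsoleTitle("External BunnyHop");
    while (!FindWindow(NULL, "Counter-Strike Source"))
        Sleep(10);
    while (!pID) { pID = GetProcId("hl2.exe"); Sleep(100); }
    // ReadProcessMemory needs PROCESS_VM_READ; WriteProcessMemory needs
    // PROCESS_VM_WRITE | PROCESS_VM_OPERATION. Nothing here needs more than that.
    const DWORD kAccess = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION;
    while (!hProcess) { hProcess = OpenProcess(kAccess, FALSE, pID); Sleep(100); }
    while (!m_hClient) { m_hClient = GetModuleBase("client.dll", pID); Sleep(100); }
    offset();
    printf("Scan result:\n");
    printf(" [+] LocalBaseEntity: [0x%X]\n", dwBaseEntity - m_hClient);
    printf(" [+] m_fFlags: [0x%X]\n", dwFlags);
    printf(" [+] Jump State: [0x%X]\n", dwJump - m_hClient);
    if (dwBaseEntity == 0 || dwFlags == 0 || dwJump == 0)
    {
        printf("Scan incomplete; not starting worker threads.\n");
        CloseHandle(hProcess);
        return 1;
    }
    // Read()/BunnyHop() are `void()` functions; the cast to LPTHREAD_START_ROUTINE is kept
    // from the original. Both loop forever, so their missing return value is never observed.
    HANDLE hReader = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Read, NULL, 0, NULL);
    HANDLE hHopper = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)BunnyHop, NULL, 0, NULL);
    // The handles are not used after creation; closing them does not stop the threads.
    if (hReader != NULL) CloseHandle(hReader);
    if (hHopper != NULL) CloseHandle(hHopper);
    while (FindWindow(NULL, "Counter-Strike Source"))
        Sleep(10);
    CloseHandle(hProcess);
    return 1337;
}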