Closed IntelSDM closed 3 months ago
Really appreciate this!
from what i have understood its a static dictionary containing all of the now obfuscated entries, we can simply iterate this dict in order to find whatever we need.
For baseplayer stuff, (objectclasstype +0x20) == localplayer's BasePlayer, in which case, we can update a map 'playerinventorymap'. I have changed out AdminFlag for interactive debug, so i will also need to update PlayerEyes like this ^ too.
That is where i am at thusfar, id appreciate if you could provide code on iterating the Objectlist.
As for determining our localplayer's BasePlayer, would you just check if (objectclasstype +0x20) == (gameassembly + class LocalPlayer) or is that not how parent works?
Again, thanks for all of this info, its more than UC has had over the last couple of days.
uint64_t objectlist = mem.Read
Then just check the actual name is == to the class you want. Object will be the address for it. parent will be the parent for it. }
This should be enough for you to figure it out. I don't want to give too much out as I know facepunch is using this repo.
As I have spent the past day all nighting this new system I noticed all the new pointer encryption (not class encryption) were targeted at this cheat in particular. At random fields that are minor cheat features. So they clearly used this project as it perfectly disables this project yet all my major rage features such as anti aim have no encryption causing any issues.
By the look of it they are honey potting this repo so i advise you not to update it otherwise they will spam pointer encryption which you will need shellcode to circumvent.
So, don't update this repo or any public repos regarding the new encryption stuff for at least 2 months. It isn't worth giving them any ideas to change everything again. Going through all the pointer encryption, it was targeted at this cheat.
Even though you can completely circumvent all their encryption by using 4 lines of shellcode to call the get functions, I wouldn't advise giving them more of a reason to invest time into this encryption system. Give them their little win.
Thats somewhat disheartening, sounds like it will be too much effort to keep this publically updated. I apologise to anyone who was using this while i was updating it, the info in this thread should be enough to update your own private fork if you plan to keep using it.
Thanks for all of the info on the wrapper class and whatnot.
I did mention that i would swap out adminflag for interactive debug, so i thought i would drop the code for it incase anyone is looking to add this to their fork too. You would need to implement metick's InputManager in order to read the keyboard + retrieving PlayerEyes will obviously need to be done through the wrapper.
` double previousYaw = 0.0; int moveCam; Vector3 targetmovement{ 0.0f , 1.5f, 0.0f }; float camSpeed = 0.00015f; float camSpeedMultiplier = 5; float camDrag = 0.99f; bool camFlyToLook = true; bool camFast = false; Vector3 camVelocity = { 0.0f, 0.0f, 0.0f }; Vector3 forward = { 0.0f, 0.0f, 1.0f }; Vector3 right = { 1.0f, 0.0f, 0.0f }; Vector3 up = { 0.0f, 1.0f, 0.0f };
std::chrono::steady_clock::time_point startTime, endTime;
float deltaTime = 0.0f;
startTime = std::chrono::steady_clock::now();
while(ThreadRunning)
{
endTime = std::chrono::steady_clock::now();
std::chrono::duration<float, std::milli> duration = endTime - startTime;
deltaTime = duration.count();
startTime = std::chrono::steady_clock::now();
Quaternion currentRotation = TargetProcess.Read<Quaternion>(Eyes_C + 0x4C);
double currentYaw = GetYawRad(currentRotation);
double deltaRotation = currentYaw - previousYaw;
previousYaw = currentYaw;
if (deltaRotation != 0)
targetmovement = RotateY(targetmovement, deltaRotation);
if (TargetProcess.GetKeyboard()->IsKeyDown(0x52)) // R = reset viewpoint
{
camVelocity = Vector3();
targetmovement = Vector3();
}
if (TargetProcess.GetKeyboard()->IsKeyDown(0x51)) { // Q
camFlyToLook = !camFlyToLook; // camera goes where you are facing toggle
}
if (TargetProcess.GetKeyboard()->IsKeyDown(0xA0)) { // left shift faster movment
camFast = true;
}
else {
camFast = false;
}
moveCam = 0;
if (TargetProcess.GetKeyboard()->IsKeyDown(0x57)) // W forwards
{
camVelocity += forward;
moveCam = 1;
}
if (TargetProcess.GetKeyboard()->IsKeyDown(0x53)) // S backwards
{
camVelocity -= forward;
moveCam = -1;
}
if (TargetProcess.GetKeyboard()->IsKeyDown(0x41)) { // A left
camVelocity -= right;
}
if (TargetProcess.GetKeyboard()->IsKeyDown(0x44)) { // D right
camVelocity += right;
}
if (camFlyToLook)
{
camVelocity.y += GetForwardDirection(currentRotation).y * moveCam;
}
else
{
if (TargetProcess.GetKeyboard()->IsKeyDown(0xA2)) { // left ctrl go down
camVelocity -= up;
}
if (TargetProcess.GetKeyboard()->IsKeyDown(0x20)) { // spacebar go up
camVelocity += up;
}
}
if (camFast)
targetmovement += camVelocity * deltaTime * camSpeed * camSpeedMultiplier;
else
targetmovement += camVelocity * deltaTime * camSpeed;
camVelocity *= camDrag;
TargetProcess.Write<Vector3>(Eyes, targetmovement); //move our eyes to the calculated value
}
TargetProcess.Write<Vector3>(Eyes, { 0.0f , 1.5f, 0.0f }); //restore our eyes to their proper position
}`
Eyes_C = just the localplayer eye class
Eyes_C ] + 0xB8 ] = Eyes
alrohewitt is there any where i can contact you like discord or something, recently just bought a dma card on the pretence of using this wouldn't mind paying for access to your private branch.
I wouldnt subject anyone else to my terrible programming especially at a cost.
I would advise you to look elsewhere, considering how much help IntelSDM provided me, i will recomend you https://fbi.moe/
received with many thanks can i subject your code? i was struggling with drawing to prefabs and now back to 0
So changing like before is not working anymore right? I will need to make my own loop thought the class that I want to get info bout? Im knew building cheats in general, I was waiting my DMA board arrive to continue improving this code, but now with this encryption Im a little confused.
This information is outdated now but still provides some valid information.
@arlohewitt Since you wanted this in another issue, here is the encryption wrapper: Go to any encrypted class instance(base networkable for instance) Then go into the class encryption container class. Control click onto the inheritor of the class: Find the static class for that in script.json.
Ok so read the dictionary in your code like this: Class = Read gameassembly + class static = Read Class + 0xb8 Dictionary = Read Static + 0x0 Objectlist = Read Dictionary + 0x18 Objectlist size = Read objectlist + 0x18
Then loop the list: object = read I objectclasstype = read object parent = read objectclasstype + 0x20 nameptr = read objectclasstype + 0x10 name = read as char array(char addname[36]) at the nameptr address
ListDictionary`2 is the names of basenetworkable list and visible playerlist. first instance is base networkable, 2nd is visibleplayerlist Baseplayer is localbaseplayer To read stuff for baseplayer you need to incrementally keep updating a map with the pointers for lets say playerinventory The pointer to the baseplayer is the parent. So store a map with parent as key and object as value and then call it playerinventorymap. Then just update that map enough and you can just grab it from that map. Do that to all those hidden classes, if implemented correctly there is little performance impact.
That's how you circumvent the obfuscation wrapper. I would give you the code and all but i am too burnt out right now so you have to deal with the pseudo code as my code is a right mess from the 700 commits my rust cheat has gotten.