[Coding] Small base for x64 external cheats

This is a discussion on [Coding] Small base for x64 external cheats within the Counter-Strike: Hack Chat board part of the Counter-Strike Forum category; I previously eluded to this here . One of the issues when writing an external that doesn't have the same ...

Results 1 to 8 of 8
  1. #1
    AbrasiveZealot's Avatar
    AbrasiveZealot is offline Master Hacker

    Array
    Join Date
    May 2011
    Location
    ctf_2fort
    Posts
    666
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    11
    Reputation
    542

    [Coding] Small base for x64 external cheats

    I previously eluded to this here. One of the issues when writing an external that doesn't have the same architecture as the target, is that you cant use the normal methods of discovering loaded modules. I didn't find a solid answer anywhere myself, and after modifying my code a bit I thought I'd share it. You can use this to target both 32-bit, and 64-bit games.

    Nothing super special here, just for any newbies who want to code in 64-bit.

    Result:


    Sauce:
    Code:
    #include <TlHelp32.h>
    #include <windows.h>
    #include <Psapi.h>
    #include <iostream>
    #include <string>
    #include <vector>
    
    using namespace std;
    
    #include "Sigs.h"
    
    class CProcess
    {
    public:
    
    	char TargetApplication[MAX_PATH] = "csgo.exe";
    	char TargetWindow[MAX_PATH] = "Counter-Strike: Global Offensive";
    
    	PROCESSENTRY32 pGame;
    	HANDLE hProcess;
    
    	DWORD_PTR dwBaseAddress;
    
    	DWORD_PTR dwClient;
    	DWORD_PTR dwEngine;
    	DWORD_PTR dwGameOverlay;
    	DWORD_PTR dwMaterialSystem;
    	DWORD_PTR dwMatchmaking;
    	DWORD_PTR dwServer;
    	DWORD_PTR dwServerBrowser;
    	DWORD_PTR dwSteamApi;
    	DWORD_PTR dwSteamClient;
    	DWORD_PTR dwVGui;
    	HWND hwnd_Target;
    
    	typedef struct _ModuleListInfo
    	{
    		string ModuleName;
    		DWORD_PTR BaseAddress;
    	}ModuleListInfo, PModuleListInfo;
    	vector<ModuleListInfo> ModListInfo;
    	ModuleListInfo Modules;
    
    	BOOL ShowInitialization = true;
    	BOOL PrintedModules = false;
    	BOOL ShowErrorPopups = true;
    
    	void ClearShit(void)
    	{
    		ZeroMemory(&pGame, sizeof(pGame));
    		ZeroMemory(&hProcess, sizeof(hProcess));
    
    		ZeroMemory(&dwBaseAddress, sizeof(dwBaseAddress));
    
    		ZeroMemory(&dwClient, sizeof(dwClient));
    		ZeroMemory(&dwEngine, sizeof(dwEngine));
    		ZeroMemory(&dwGameOverlay, sizeof(dwGameOverlay));
    		ZeroMemory(&dwMaterialSystem, sizeof(dwMaterialSystem));
    		ZeroMemory(&dwMatchmaking, sizeof(dwMatchmaking));
    		ZeroMemory(&dwServer, sizeof(dwServer));
    		ZeroMemory(&dwServerBrowser, sizeof(dwServerBrowser));
    		ZeroMemory(&dwSteamApi, sizeof(dwSteamApi));
    		ZeroMemory(&dwSteamClient, sizeof(dwSteamClient));
    		ZeroMemory(&dwVGui, sizeof(dwVGui));
    		ZeroMemory(&hwnd_Target, sizeof(hwnd_Target));
    
    		ModListInfo.erase(ModListInfo.begin(), ModListInfo.end());
    	}
    
    	BOOL DataCompare(BYTE* pData, BYTE* bMask, char * szMask)
    	{
    		for (; *szMask; ++szMask, ++pData, ++bMask)
    			if (*szMask == 'x' && *pData != *bMask)
    				return FALSE;
    
    		return (*szMask == NULL);
    	}
    
    	DWORD64 FindPatternEx(HANDLE hProcess, BYTE *bMask, char *szMask, DWORD64 dwAddress, DWORD64 dwLength)
    	{
    		DWORD64 dwReturn = 0;
    		DWORD64 dwDataLength = strlen(szMask);
    		BYTE *pData = new BYTE[dwDataLength + 1];
    		SIZE_T dwRead;
    
    		for (DWORD64 i = 0; i < dwLength; i++)
    		{
    			DWORD64 dwCurAddr = dwAddress + i;
    			BOOL bSuccess = ReadProcessMemory(hProcess, (LPCVOID)dwCurAddr, pData, dwDataLength, &dwRead);
    
    			if (!bSuccess || dwRead == 0)
    			{
    				continue;
    			}
    
    			if (DataCompare(pData, bMask, szMask))
    			{
    				dwReturn = dwAddress + i;
    				break;
    			}
    		}
    
    		delete[] pData;
    		return dwReturn;
    	}
    
    	DWORD_PTR FindProcess(const char *ccName, PROCESSENTRY32 *pEntry)
    	{
    		PROCESSENTRY32 pEntry32;
    		pEntry32.dwSize = sizeof(PROCESSENTRY32);
    
    		HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    		if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
    
    		if (!Process32First(hSnapshot, &pEntry32))
    		{
    			CloseHandle(hSnapshot);
    			return 0;
    		}
    		do
    		{
    			if (!_strcmpi(pEntry32.szExeFile, ccName))
    			{
    				memcpy((void *)pEntry, (void *)&pEntry32, sizeof(PROCESSENTRY32));
    				CloseHandle(hSnapshot);
    				return pEntry32.th32ProcessID;
    			}
    		} while (Process32Next(hSnapshot, &pEntry32));
    		CloseHandle(hSnapshot);
    
    		return 0;
    	}
    
    	DWORD_PTR FindThread(DWORD_PTR dwProcess)
    	{
    		THREADENTRY32 tEntry32;
    		tEntry32.dwSize = sizeof(THREADENTRY32);
    
    		HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    		if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
    
    		if (!Thread32First(hSnapshot, &tEntry32))
    		{
    			CloseHandle(hSnapshot);
    			return 0;
    		}
    		do
    		{
    			if (tEntry32.th32OwnerProcessID == dwProcess)
    			{
    				CloseHandle(hSnapshot);
    				return tEntry32.th32ThreadID;
    			}
    		} while (Thread32Next(hSnapshot, &tEntry32));
    		CloseHandle(hSnapshot);
    
    		return 0;
    	}
    
    	// Save Module Names and Addresses (Cross-Bit Compliant)
    	BOOL EnummerateModules_t(HANDLE processHandle)
    	{
    		//DWORD_PTR   baseAddress;
    		HMODULE     *moduleArray;
    		LPBYTE      moduleArrayBytes;
    		DWORD       bytesRequired;
    		char FileName_Path[MAX_PATH] = "";
    		char FileName_Rev[MAX_PATH] = "";
    		char FileName[MAX_PATH] = "";
    
    		if (EnumProcessModulesEx(processHandle, NULL, 0, &bytesRequired, LIST_MODULES_ALL))
    		{
    			if (bytesRequired)
    			{
    				moduleArrayBytes = (LPBYTE)LocalAlloc(LPTR, bytesRequired);
    
    				if (moduleArrayBytes)
    				{
    					unsigned int moduleCount;
    					moduleCount = bytesRequired / sizeof(HMODULE);
    					moduleArray = (HMODULE *)moduleArrayBytes;
    
    					if (EnumProcessModulesEx(processHandle, moduleArray, bytesRequired, &bytesRequired, LIST_MODULES_ALL))
    					{
    						for (DWORD64 i = 0; i < moduleCount; i++)
    						{
    							if ((DWORD_PTR)moduleArray[i])
    							{
    								ZeroMemory(&FileName, sizeof(FileName));
    								ZeroMemory(&FileName_Path, sizeof(FileName_Path));
    								ZeroMemory(&FileName_Rev, sizeof(FileName_Rev));
    
    								GetModuleFileNameEx(hProcess, moduleArray[i], FileName_Path, sizeof(FileName_Path));
    
    								int l = 0;
    								int l2 = 0;
    
    								for (DWORD64 c = sizeof(FileName_Path); c > 0; c--)
    								{
    									if (FileName_Path[c] == NULL) continue;
    									if (FileName_Path[c] != 92)
    									{
    										FileName_Rev[l] = FileName_Path[c];
    										l = l + 1;
    									}
    									else
    									{
    										c = 1;
    									}
    								}
    
    								for (int q = sizeof(FileName_Rev); q > -1; q--)
    								{
    									if (FileName_Rev[q] != NULL && FileName_Rev[q] != 1)
    									{
    										FileName[l2] = FileName_Rev[q];
    										l2 = l2 + 1;
    									}
    									else continue;
    								}
    
    								Modules = { FileName, (DWORD_PTR)moduleArray[i] };
    								ModListInfo.push_back(Modules);
    							}
    						}
    					}
    					else
    					{
    						LocalFree(moduleArrayBytes);
    						return false;
    					}
    						LocalFree(moduleArrayBytes);
    				}
    			}
    		}
    		else return false;
    
    		if (ShowInitialization && !PrintedModules)
    		{
    			cout << "" << endl;
    			cout << "Loaded Modules: " << endl;
    
    			for (unsigned i = 0; i < ModListInfo.size(); i++)
    			{
    				cout << "[" << (int)i << "] " << ModListInfo[i].ModuleName << ": 0x" << hex << uppercase << ModListInfo[i].BaseAddress << nouppercase << dec << endl;
    			}
    
    			cout << "" << endl;
    			cout << "" << endl;
    			PrintedModules = true;
    		}
    
    		return true;
    	}
    
    	// Get Module Base Address From Saved List
    	DWORD_PTR GetModuleAddressFromList(string lpModuleName, DWORD_PTR &dwBaseAddress)
    	{
    		const char* ListModuleName;
    		const char* RequestedModuleName = lpModuleName.c_str();
    
    		for (int i = 0; i < ModListInfo.size(); i++)
    		{
    			ListModuleName = ModListInfo[i].ModuleName.c_str();
    
    			if (!strcmp(ListModuleName, RequestedModuleName)) dwBaseAddress = (DWORD_PTR)ModListInfo[i].BaseAddress;
    		}
    
    		if (dwBaseAddress)
    		{
    			if (ShowInitialization) cout << "Found " << lpModuleName << ": 0x" << hex << uppercase << dwBaseAddress << nouppercase << dec << endl;
    			return dwBaseAddress;
    		}
    		else
    		{
    			char buffer[MAX_PATH];
    			int j;
    
    			j = sprintf(buffer, "Unable To Find %s", lpModuleName);
    			if(ShowErrorPopups) MessageBox(NULL, buffer, "Error", MB_OK);
    
    			return false;
    		}
    	}
    
    	void SetDebugPrivilege()
    	{
    		HANDLE hProcess = GetCurrentProcess(), hToken;
    		TOKEN_PRIVILEGES priv;
    		LUID luid;
    
    		OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
    		LookupPrivilegeValue(0, "seDebugPrivilege", &luid);
    		priv.PrivilegeCount = 1;
    		priv.Privileges[0].Luid = luid;
    		priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    		AdjustTokenPrivileges(hToken, false, &priv, 0, 0, 0);
    		CloseHandle(hToken);
    		CloseHandle(hProcess);
    	}
    
    	void Initialize()
    	{
    		// Find Game Process
    		while (!FindProcess(TargetApplication, &pGame)) Sleep(100);
    		SetDebugPrivilege();
    		if (ShowInitialization) cout << "Debug Levels Set" << endl;
    
    		
    		if (FindProcess(TargetApplication, &pGame))
    		{
    			// Find Game Thread
    			while (!(FindThread(pGame.th32ProcessID))) Sleep(50);
    			if (ShowInitialization) cout << "Found Game Thread" << endl;
    
    			// Get Handle To Process
    			int Error = 0;
    			for (int i = 0; i < 201; i++)
    			{
    				if (hProcess) i = 201;
    
    				if (Error < 200 && hProcess == 0x0)
    				{
    					hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pGame.th32ProcessID), Sleep(50);
    					if (!hProcess) Error = Error + 1;
    				}
    				else if (Error > 199 && ShowErrorPopups) MessageBox(NULL, "Unable To Open Process", "Error", MB_OK);
    			}
    			if (ShowInitialization) cout << "Obtained Handle To Process" << endl;
    
    
    			// Find Game Window
    			Error = 0;
    			for (int i = 0; i < 201; i++)
    			{
    				if (hwnd_Target) i = 201;
    
    				if (Error < 200 && !hwnd_Target)
    				{
    					hwnd_Target = FindWindow(NULL, TargetWindow), Sleep(50);
    					if (!hwnd_Target) Error = Error + 1;
    				}
    				else if (Error > 199 && ShowErrorPopups) MessageBox(NULL, "Unable To Find Game Window", "Error", MB_OK);
    			}
    			if (ShowInitialization) cout << "Found Game Window" << endl;
    
    			if (EnummerateModules_t(hProcess))
    			{
    				// Get Module Addresses
    				GetModuleAddressFromList("client.dll", dwClient);
    				GetModuleAddressFromList("engine.dll", dwEngine);
    				GetModuleAddressFromList("gameoverlayrenderer.dll", dwGameOverlay);
    				GetModuleAddressFromList("materialsystem.dll", dwMaterialSystem);
    				GetModuleAddressFromList("matchmaking.dll", dwMatchmaking);
    				GetModuleAddressFromList("server.dll", dwServer);
    				GetModuleAddressFromList("serverbrowser.dll", dwServerBrowser);
    				GetModuleAddressFromList("steam_api.dll", dwSteamApi);
    				GetModuleAddressFromList("steamclient.dll", dwSteamClient);
    				GetModuleAddressFromList("vguimatsurface.dll", dwVGui);
    
    				// Erase module list after getting wanted addresses
    				ModListInfo.erase(ModListInfo.begin(), ModListInfo.end());
    
    				if (ShowInitialization)
    				{
    					cout << "" << endl;
    					cout << "" << endl;
    				}
    			}
    		}
    		else
    		{
    			ClearShit();
    			Initialize();
    		}
    	}
    };
    
    extern CProcess gProcess;
    Click for cookies.

  2. The Following User Says Thank You to AbrasiveZealot For This Useful Post:


  3. #2
    Zoosy is offline Newbie
    Array
    Join Date
    Jun 2016
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    0
    Reputation
    -4
    Is external or internal safer?

  4. #3
    AbrasiveZealot's Avatar
    AbrasiveZealot is offline Master Hacker

    Array
    Join Date
    May 2011
    Location
    ctf_2fort
    Posts
    666
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    11
    Reputation
    542
    Quote Originally Posted by Zoosy View Post
    Is external or internal safer?
    If you know what you're doing, and you don't release your code, they're both safe. The trick is knowing what you're doing.
    Click for cookies.

  5. The Following 2 Users Say Thank You to AbrasiveZealot For This Useful Post:


  6. #4
    Zoosy is offline Newbie
    Array
    Join Date
    Jun 2016
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    0
    Reputation
    -4
    Quote Originally Posted by AbrasiveZealot View Post
    If you know what you're doing, and you don't release your code, they're both safe. The trick is knowing what you're doing.
    I mean, for general cheating. What's more likely to get detected in say, a public cheat?

  7. #5
    Atex's Avatar
    Atex is offline Premium Member


    Array
    Join Date
    Aug 2012
    Posts
    1,748
    Mentioned
    30 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    13
    Reputation
    1021
    Quote Originally Posted by Zoosy View Post
    I mean, for general cheating. What's more likely to get detected in say, a public cheat?
    dumb question. depends on if the coder knows what he is doing.


  8. The Following 3 Users Say Thank You to Atex For This Useful Post:


  9. #6
    Zoosy is offline Newbie
    Array
    Join Date
    Jun 2016
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    0
    Reputation
    -4
    Quote Originally Posted by Atex View Post
    dumb question. depends on if the coder knows what he is doing.
    rude

  10. #7
    Atex's Avatar
    Atex is offline Premium Member


    Array
    Join Date
    Aug 2012
    Posts
    1,748
    Mentioned
    30 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    13
    Reputation
    1021
    Quote Originally Posted by Zoosy View Post
    rude
    "rude" but not wrong.


  11. The Following 2 Users Say Thank You to Atex For This Useful Post:


  12. #8
    fisherprice is offline Wannabe Member
    Array
    Join Date
    May 2016
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Rep Power
    4
    Reputation
    1
    Disavow can make a new hardware cheat now lul

Similar Threads

  1. Replies: 1
    Last Post: 03-06-2016, 11:05 PM
  2. Thoughts on Coding Cheats
    By ohwtfizzle in forum Entertainment
    Replies: 0
    Last Post: 03-22-2015, 06:38 AM
  3. [C++ / Video] How to code an external base
    By Excidium in forum Counter-Strike: Source Hacks
    Replies: 67
    Last Post: 07-08-2013, 11:05 AM
  4. External Base
    By LOLYOU in forum Counter-Strike: Source Hacks
    Replies: 12
    Last Post: 03-09-2013, 10:22 PM
  5. C# External coding from the start.
    By kclo4 in forum Counter-Strike Forum
    Replies: 7
    Last Post: 02-16-2013, 08:50 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •