[AssaultCube]Get local player entity
[AssaultCube]Get local player entity
renderhud.cpp
The very first line is interesting.
ENT_CAMERA is defined as 2
Now the last line I pasted above:
We have ourselves a string 
Well what do you know, its the first result you find with olly
So, which of these is the camera1, and which is player1(which we are interested in?)
There's multiple ways to find out
First method:
Looking at the C++ code, if it was checked to be below ENT_CAMERA, it would become camera1.
So, in assembly, if JB is taken, it was the camera, thus EAX is camera, ECX is player1
So our C++ code to get player1 is:
The other way to see which is the camera1 and which is player1 is the following:
equiv C++ code:
isspectating checks if the player's state is equal to CS_SPECTATE, which is 5.
So now we have our player1 pointer.
All that is left is get ourselves the function that checks if there is a wall between position 1 and 2, and we can make ourselves a fully functionl aimbot.
I'll post up the visibilty check function when I find it.
Code:
void gl_drawhud(int w, int h, int curfps, int nquads, int curvert, bool underwater)
{
playerent *p = camera1->type<ENT_CAMERA ? (playerent *)camera1 : player1;
...more code here...
if(lastmillis < damageblendmillis)
{
static Texture *damagetex = NULL;
if(!damagetex) damagetex = textureload("packages/misc/damage.png", 3);
Code:
playerent *p = camera1->type<ENT_CAMERA ? (playerent *)camera1 : player1; bool spectating = player1->isspectating();
Now the last line I pasted above:
Code:
if(!damagetex) damagetex = textureload("packages/misc/damage.png", 3);
Well what do you know, its the first result you find with olly
Code:
00408F70 /$ 55 PUSH EBP 00408F71 |. 8BEC MOV EBP,ESP 00408F73 |. 83E4 C0 AND ESP,FFFFFFC0 00408F76 |. 81EC 34010000 SUB ESP,134 00408F7C |. A1 50E84C00 MOV EAX,DWORD PTR DS:[4CE850] 00408F81 |. 8078 6B 02 CMP BYTE PTR DS:[EAX+6B],2 00408F85 |. 8B0D 203C4D00 MOV ECX,DWORD PTR DS:[4D3C20] 00408F8B |. 53 PUSH EBX 00408F8C |. 56 PUSH ESI 00408F8D |. 57 PUSH EDI 00408F8E |. 894424 34 MOV DWORD PTR SS:[ESP+34],EAX 00408F92 |. 72 04 JB SHORT ac_clien.00408F98 00408F94 |. 894C24 34 MOV DWORD PTR SS:[ESP+34],ECX 00408F98 |> 8A41 6A MOV AL,BYTE PTR DS:[ECX+6A] 00408F9B |. 3C 05 CMP AL,5
There's multiple ways to find out
First method:
Code:
00408F7C |. A1 50E84C00 MOV EAX,DWORD PTR DS:[4CE850] 00408F81 |. 8078 6B 02 CMP BYTE PTR DS:[EAX+6B],2 ; <- compare to 2 00408F85 |. 8B0D 203C4D00 MOV ECX,DWORD PTR DS:[4D3C20] ..more.. 00408F8E |. 894424 34 MOV DWORD PTR SS:[ESP+34],EAX 00408F92 |. 72 04 JB SHORT ac_clien.00408F98; <- below 2? jump 00408F94 |. 894C24 34 MOV DWORD PTR SS:[ESP+34],ECX
So, in assembly, if JB is taken, it was the camera, thus EAX is camera, ECX is player1
So our C++ code to get player1 is:
Code:
playerent *pPlayer1 = (playerent*)0x004D3C20;
Code:
00408F98 |> 8A41 6A MOV AL,BYTE PTR DS:[ECX+6A] 00408F9B |. 3C 05 CMP AL,5
Code:
player1->isspectating();
So now we have our player1 pointer.
All that is left is get ourselves the function that checks if there is a wall between position 1 and 2, and we can make ourselves a fully functionl aimbot.
I'll post up the visibilty check function when I find it.
Just wanted to say nice tut HD. When I have time I'll sit down and read through them all, its just been rather crazy lately. Im probably gonna be pretty scarce the next few days. I got some serious stuff I need to get done irl. =L
Similar Threads
- 1Last post
- 8Last post
- 6Last post
- 5Last post
- 2Last post