Figured I would drop what I am working on here. It is not nearly done yet — I still have to document the source, add vision checks with BSP parsing, etc. — but for now this is what I have:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>
#include <Math.h>
#include <float.h>
#define HEAD 10
#define BODY 2
#define M_PI 3.14159265358979323846
/* Process-wide state shared by every function in this file.  All addresses and
 * offsets are DWORDs (which implies a 32-bit target).  The offsets below are
 * hard-coded; the disabled block at the top of main was meant to load them
 * from a config file instead. */
char process[] = "csgo.exe";//name of the target process, matched against szExeFile in getHandle
char dname [] = "client.dll";//module whose base is added to playerbase and entitybase
char ename [] = "engine.dll";//module whose base is added to cstate
HANDLE proc;//process handle returned by getHandle (getHandle also declares a local of the same name)
DWORD dll;//base address of client.dll, from modBase
DWORD playerbase = 0x00a74cdc ;//offset (from dll) of the pointer to the local player
DWORD entitybase = 0x04a16c14;//offset (from dll) of the entity list; entry i is read at +i*0x10
DWORD toff = 0x000000f0;//offset of the team number within an entity
DWORD coff = 0x00002410;//offset of the crosshair id within the local player
DWORD spbase;//resolved address of the local player (read from dll+playerbase in main)
DWORD pid;//process id, set by getHandle and used by modBase
DWORD engine;//base address of engine.dll, from modBase
DWORD cstate=0x005ce294;//offset (from engine) of the pointer that angoff is derived from
DWORD aoff=0x00004ce0;//added to that pointer to reach the view angles
DWORD angoff;//resolved view-angle address (read and written by aim)
DWORD bonemat=0x0A78;//offset of the bone-matrix pointer within an entity
DWORD vecorigin=0x00000134;//offset of the origin vector within an entity
DWORD vecoff=0x00000104;//offset of the view-offset vector; only its z component is read
DWORD offl=0x0000025b;//offset of the life-state byte; main treats 0 as alive
DWORD dormant=0xe9;//offset of the dormant flag; non-zero entities are skipped in rage mode
int rage=0;//1 = rage mode (scan every entity), 0 = crosshair mode
int head=0;//bone index used for aiming: 0 = aiming off, BODY (2) or HEAD (10)
int first=0;//not referenced anywhere in this listing
int teams[32];//team number cached per entity index; 0 means not read yet (see buildList and main)
int fir=1;//1 = triggerbot on
int teamnum;//team number of the enemy team (5 - local team, so 2 <-> 3)
int factor=50;//smoothing divisor applied when smooth aim is on (smooth=factor); larger is slower
int mpow(int base, int pow);//integer power: base^pow for pow > 0, 1 otherwise
HANDLE getHandle(char pname[]);//polls the process list until pname exists, then opens it
void fire();//sends one left-mouse down/up pair
DWORD modBase(LPSTR mname);//base address of module mname in process pid, 0 if not found
void buildList();//resets every entry of teams[] to 0
void printList();//declared but not defined in this listing
void aim(int id,float smooth);//points the view angles at entity id, optionally smoothed
int entry();//declared but not defined in this listing
double getHyp(int id);//horizontal distance from the local player to entity id's selected bone
double getVec(float *src, float *dest);//horizontal (x,y) distance between two points; z is ignored
/* Entry point.  Attaches to the target process, resolves the pointers the other
 * functions need, then polls the keyboard and the process memory in a busy loop
 * until NUMPAD1 is pressed.  Key bindings (all via GetAsyncKeyState):
 *   NUMPAD1 quit, NUMPAD4 buildList, NUMPAD2/NUMPAD3 rage on/off,
 *   NUMPAD7/8/9 head = 0 / 2 / 10, NUMPAD6/NUMPAD5 fir on/off,
 *   INSERT persistant=0 and smooth=0, DELETE persistant=1 and smooth=factor,
 *   SHIFT breaks the persistent lock.
 * No ReadProcessMemory/WriteProcessMemory result is checked anywhere in this
 * function, so a failed read leaves its destination variable unset. */
int main()
{
/*
FILE * file = fopen("aim.txt","r");
int s;
char names[12][40];
DWORD addr[11];
for(s=0;s<12;s++)
{
if(s<11)
{
if(fscanf(file, "%s %x", &names[s], &addr[s])==EOF)
s=12;
}else
{
if(fscanf(file, "%s %d", &names[s], &factor)==EOF)
s=12;
}
}
for(s=0;s<11;s++)
{
printf("\n%s",names[s]);
}
for(s=0;s<11;s++)
{
if(names[s]=="playerbase")
{
playerbase=addr[s];
printf("%x",addr[s]);
}
if(names[s]=="entitybase")
entitybase=addr[s];
if(names[s]=="offsetteam")
toff=addr[s];
if(names[s]=="offsetcrosshair")
coff=addr[s];
if(names[s]=="viewangles")
aoff=addr[s];
if(names[s]=="bonematrix")
bonemat=addr[s];
if(names[s]=="vecorigin")
vecorigin=addr[s];
if(names[s]=="vecoffsets")
vecoff=addr[s];
if(names[s]=="lifestate")
offl=addr[s];
if(names[s]=="dormant")
dormant=addr[s];
if(names[s]=="cstate")
cstate=addr[s];
}
printf("\n%d", factor);
*/
while(!proc)//getHandle only returns once the process exists, so this repeats only if OpenProcess returned NULL
proc=getHandle(process);
int pressing=mpow(2,((sizeof(short)*-1));//presumably meant to be the top bit of a short (the "key is down" bit of GetAsyncKeyState); NOTE(review): the parentheses on this line are unbalanced as posted
short pressed=1;//low bit of GetAsyncKeyState: key was pressed since the previous poll
dll=modBase(dname);//base of client.dll
engine=modBase(ename);//base of engine.dll
DWORD ptemp;
ReadProcessMemory(proc, (LPCVOID)(engine+cstate),&ptemp,sizeof(ptemp),NULL);//engine+cstate holds a pointer; the view angles sit aoff past it
angoff=ptemp+aoff;
ReadProcessMemory(proc, (LPCVOID)(dll+playerbase),&ptemp,sizeof(ptemp),NULL);//dll+playerbase holds the pointer to the local player
spbase=ptemp;
buildList();//zero the cached team list
ReadProcessMemory(proc, (LPCVOID)(spbase+toff),&teamnum,sizeof(teamnum),NULL);//team of the local player
teamnum=5-teamnum;//flip to the enemy team: 2 -> 3 and 3 -> 2 (any other value gives a meaningless result)
int running = 1;//loop flag, cleared by NUMPAD1
int persistant=0;//1 = keep re-aiming at the crosshair target until it is no longer alive (DELETE sets it, INSERT clears it)
float smooth=0.0f;//0 = snap straight to the target; otherwise the divisor applied to the angle delta in aim()
while(running)
{
short i=GetAsyncKeyState(VK_NUMPAD1);//reused for every key below; shadowed by an int i inside the NUMPAD2/NUMPAD3 blocks
if((i&pressing||i&pressed))//numpad 1: down now, or pressed since the last poll
running=0;//stop the program
i=GetAsyncKeyState(VK_NUMPAD4);
if((i&pressing||i&pressed))//numpad 4
buildList();//reset the cached team list (player left, team change, ...)
i=GetAsyncKeyState(VK_NUMPAD2);
if((i&pressing||i&pressed))//numpad 2: rage mode on
{
if(!rage)
{
int i;//shadows the short i for the rest of this block
for(i=0;i<32;i++)
{
teams[i]=0;
}
rage=1;
for(i=0;i<32;i++)
{
printf("\n%d:%d",i,teams[i]);//prints the freshly zeroed list
}
}
}
i=GetAsyncKeyState(VK_NUMPAD3);
if((i&pressing||i&pressed))//numpad 3: rage mode off (the list is zeroed only if rage was on; rage itself is cleared either way)
{
if(rage)
{
int i;//shadows the short i for the rest of this block
for(i=0;i<32;i++)
{
teams[i]=0;
}
}
rage=0;
}
i=GetAsyncKeyState(VK_NUMPAD5);
if((i&pressing||i&pressed))//numpad 5: triggerbot off (the extra semicolon is harmless)
fir=0;;
i=GetAsyncKeyState(VK_NUMPAD7);
if((i&pressing||i&pressed))//numpad 7: aiming off
head=0;
i=GetAsyncKeyState(VK_NUMPAD8);
if((i&pressing||i&pressed))//numpad 8: aim for the body bone (same value as BODY)
head=2;
i=GetAsyncKeyState(VK_NUMPAD9);
if((i&pressing||i&pressed))//numpad 9: aim for the head bone (same value as HEAD)
head=10;
i=GetAsyncKeyState(VK_NUMPAD6);
if((i&pressing||i&pressed))//numpad 6: triggerbot on
fir=1;
i=GetAsyncKeyState(VK_INSERT);
if((i&pressing||i&pressed))//insert: persistent lock and smoothing off; NOTE(review): the usage notes below the listing describe Ins as "on" and Del as "off", the code does the reverse
{
persistant=0;
smooth=0;
}
i=GetAsyncKeyState(VK_DELETE);
if((i&pressing||i&pressed))//delete: persistent lock on, smoothing divisor = factor
{
persistant=1;
smooth=factor;
}
if(!rage)//crosshair mode: only react to whatever the local player is looking at
{
int CrosshairID;
ReadProcessMemory(proc, (LPCVOID)(coff+spbase),&CrosshairID,sizeof(CrosshairID),NULL);//1-based id of the entity under the crosshair
if(CrosshairID>0&&CrosshairID<25&&running)//plausible player id; running is rechecked so a quit press is honoured
{
if(teams[CrosshairID-1])//team already cached for this entity
{
if(teams[CrosshairID-1]==teamnum)//it is an enemy
{
if(!persistant)
{
if(head)//head==0 means aiming is off
aim(CrosshairID-1,smooth);
if(fir)
fire();//shoot
printf("\n%d\n",CrosshairID-1);
}else
{
if(head)
{
int ai=1;//keep re-aiming while the target is alive
DWORD e;
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&e,sizeof(e),NULL);//base of the targeted entity
while(ai)
{
aim(CrosshairID-1,smooth);
byte life;
ReadProcessMemory(proc, (LPCVOID)(e+offl),&life,sizeof(life),NULL);//life-state byte of the target
ai=(life==0);//0 is treated as alive (same convention as rage mode below)
i=GetAsyncKeyState(VK_SHIFT);
if((i&pressing||i&pressed))//shift: unlock from the target
ai=0;
}
}
}
}
else
{
printf("%d",CrosshairID);
int team;
DWORD ptemp;//shadows the ptemp declared at the top of main
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&ptemp,sizeof(ptemp),NULL);//base of the entity under the crosshair
ReadProcessMemory(proc, (LPCVOID)(ptemp+toff),&team,sizeof(team),NULL);//its team
teams[CrosshairID-1]=team;//cache it so later polls skip the two reads above
}
}
}else//rage mode: find the nearest alive, non-dormant enemy and aim at it
{
int j;
int min=0;//index of the closest candidate so far
double mn=0;//its distance, from getHyp
int f=0;//1 once a first candidate has been recorded
for(j=0;j<32;j++)
{
DWORD ptemp;
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((j)*0x10)),&ptemp,sizeof(ptemp),NULL);//base of entity j
if(ptemp)//slot is in use
{
int team;
ReadProcessMemory(proc, (LPCVOID)(ptemp+toff),&team,sizeof(team),NULL);//team of entity j
unsigned int dorm;
ReadProcessMemory(proc, (LPCVOID)(ptemp+dormant),&dorm,sizeof(dorm),NULL);//dormant flag
if((team==2||team==3)&&!dorm)//a player on either team that is not dormant
{
if(team==teamnum)//on the enemy team
{
byte life;
ReadProcessMemory(proc, (LPCVOID)(ptemp+offl),&life,sizeof(life),NULL);
if(life==0)//alive
{
double dyst=getHyp(j);//horizontal distance to the selected bone
if(!f)//first candidate is taken unconditionally
{
min=j;
mn=dyst;
f=1;
}else
{
if(dyst<mn&&mn!=0)//closer than the best so far (a best at distance 0 is never replaced)
{
mn=dyst;
min=j;
}
}
}
}
}
}
}
DWORD b;
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((min)*0x10)),&b,sizeof(b),NULL);//re-read the winner's base
byte life;
ReadProcessMemory(proc, (LPCVOID)(b+offl),&life,sizeof(life),NULL);//read but not used
if(mn>0)//a candidate was found at non-zero distance
aim(min,smooth);
int CrosshairID;//unused; the rage-mode triggerbot is the disabled block below
/*ReadProcessMemory(proc, (LPCVOID)(coff+spbase),&CrosshairID,sizeof(CrosshairID),NULL);
int team;
DWORD ptemp;
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&ptemp,sizeof(ptemp),NULL);//get the base of the current entity
ReadProcessMemory(proc, (LPCVOID)(ptemp+toff),&team,sizeof(team),NULL);//get the entity's team
if(team==teamnum)
fire();*/
}
}
return 0;
}
void getAngle( float *src, float *dst, float *angles )
{
float vector[]={src[0]-dst[0],src[1]-dst[1],src[2]-dst[2]};
float hyp=sqrt(vector[0]*vector[0]+vector[1]*vector[1]+vector[2]*vector[2]);
float pitch=asinf(vector[2]/hyp)*(180/M_PI);
float yaw=atanf(vector[1]/vector[0])*(180/M_PI);
angles[0]=pitch;
angles[1]=yaw;
angles[2]=0.0f;
if(vector[0]>=0.0)
angles[1]+=180.0f;
}
double getVec( float *src, float *dst)
{
double delta[3] = { (src[0]-dst[0]), (src[1]-dst[1]), (src[2]-dst[2]) };
double hyp = sqrt(delta[0]*delta[0] + delta[1]*delta[1]);
return hyp;
}
/* Polls the process list until an executable named pname is found, stores its
 * id in the global pid and returns a handle opened with PROCESS_ALL_ACCESS.
 * Does not return until a match exists; the handle can still be NULL if
 * OpenProcess fails, which the caller handles by calling again.  Each
 * snapshot taken in the loop is never closed. */
HANDLE getHandle(char pname[])
{
DWORD dwPid=0;//pid of the matched process, 0 while still searching
HANDLE proc, hProc;//this proc shadows the global of the same name; hProc is the snapshot
PROCESSENTRY32 pe32 = {sizeof(PROCESSENTRY32)};//dwSize must be set before Process32First
while(!dwPid)//retry until a match is found
{
printf("Searching for csgo process...\n");
printf("Make sure the game is running!\n");
hProc=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);//snapshot of every process; not closed
if(Process32First(hProc, &pe32))//first entry of the snapshot
{
do
{
if(!strcmp(pe32.szExeFile,pname))//exact, case-sensitive name match
{
dwPid=pe32.th32ProcessID;//remember the id and stop walking
break;
}
}while(Process32Next(hProc,&pe32));//next entry
}
sleep(10);//lowercase sleep, not Win32 Sleep(ms) — NOTE(review): confirm which one is intended
}
pid=dwPid;//published for modBase
proc=OpenProcess (PROCESS_ALL_ACCESS,FALSE,dwPid);//full-access handle; NULL on failure
return proc;
}
/* Horizontal distance (via getVec) between the local player's eye position and
 * the bone selected by the global head on entity id.  Everything is read
 * fresh from the target process and no read result is checked.  Because
 * getVec ignores z, the eye-height adjustment below does not affect the
 * returned value. */
double getHyp(int id)
{
int i;
float porg[3];//local player position
for(i=0;i<3;i++)
{
float t;
ReadProcessMemory(proc, (LPCVOID)(spbase+vecorigin+(i*sizeof(float))),&t,sizeof(float),NULL);//origin vector, one component at a time
porg[i]=t;
}
float r;
ReadProcessMemory(proc, (LPCVOID)(spbase+(vecoff+(2*sizeof(float)))),&r,sizeof(float),NULL);//z component of the view offset
porg[2]=porg[2]+r;//origin + view offset = eye position (z only)
DWORD enem;
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+(id*0x10)),&enem,sizeof(enem),NULL);//base of entity id
//printf("\nAddress of enem %x", enem);
float eorg[3];//position of the selected bone of the target
/*for(i=0;i<3;i++)
{
float t;
printf("\n\nAddr%d:0x%x",i,(enem));//+0x00000134+(i*0x4)));
ReadProcessMemory(proc, (LPCVOID)(enem+0x00000134+(i*0x4)),&t,4,NULL);
printf(":%f", t);
eorg[i]=t;
}*/ DWORD mat;
ReadProcessMemory(proc, (LPCVOID)(enem+bonemat),&mat,sizeof(mat),NULL);//pointer to the bone matrix array
float t;
ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x0C),&t,sizeof(float),NULL);//bone head is 0x30 bytes in; +0x0C/+0x1C/+0x2C are presumably the translation column of a 3x4 float matrix
eorg[0]=t;
ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x1C),&t,sizeof(float),NULL);
eorg[1]=t;
ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x2C),&t,sizeof(float),NULL);
eorg[2]=t;
return getVec(porg,eorg);
}
/* Points the view angles at the bone selected by the global head on entity id
 * and writes them into the target process at angoff.  With smooth != 0 only
 * 1/smooth of the difference to the current angles is applied; with smooth
 * == 0 the angles are written directly and, if fir is set, fire() is called
 * when an enemy is under the crosshair afterwards.  The position reads are
 * the same as in getHyp; no read or write result is checked. */
void aim(int id,float smooth)
{
int i;
float porg[3];//local player position
for(i=0;i<3;i++)
{
float t;
ReadProcessMemory(proc, (LPCVOID)(spbase+vecorigin+(i*sizeof(float))),&t,sizeof(float),NULL);//origin vector, one component at a time
porg[i]=t;
}
float r;
ReadProcessMemory(proc, (LPCVOID)(spbase+(vecoff+(2*sizeof(float)))),&r,sizeof(float),NULL);//z component of the view offset
porg[2]=porg[2]+r;//origin + view offset = eye position (z only)
DWORD enem;
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+(id*0x10)),&enem,sizeof(enem),NULL);//base of entity id
//printf("\nAddress of enem %x", enem);
float eorg[3];//position of the selected bone of the target
/*for(i=0;i<3;i++)
{
float t;
printf("\n\nAddr%d:0x%x",i,(enem));//+0x00000134+(i*0x4)));
ReadProcessMemory(proc, (LPCVOID)(enem+0x00000134+(i*0x4)),&t,4,NULL);
printf(":%f", t);
eorg[i]=t;
}*/ DWORD mat;
ReadProcessMemory(proc, (LPCVOID)(enem+bonemat),&mat,sizeof(mat),NULL);//pointer to the bone matrix array
float t;
ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x0C),&t,sizeof(float),NULL);//bone head is 0x30 bytes in; +0x0C/+0x1C/+0x2C are presumably the translation column of a 3x4 float matrix
eorg[0]=t;
ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x1C),&t,sizeof(float),NULL);
eorg[1]=t;
ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x2C),&t,sizeof(float),NULL);
eorg[2]=t;
float ang[3];//pitch, yaw, roll from the eye to the bone
getAngle(porg,eorg,ang);
//printf("\n%f:%f",ang[0],ang[1]);
//printf("Adress ang off %x", angoff);
if(smooth)//move only part of the way toward the target angles
{
byte a1[sizeof(float)*3];//unused copy; the one after this block is what gets written
memcpy(&a1,ang,sizeof(float)*3);
float an1;
float an2;
ReadProcessMemory(proc, (LPCVOID)(angoff),&an1,sizeof(float),NULL);//current pitch
ReadProcessMemory(proc, (LPCVOID)(angoff+sizeof(float)),&an2,sizeof(float),NULL);//current yaw
float temp[2];
temp[0]=(float)(an1+((ang[0]-an1)/smooth));//advance 1/smooth of the delta
temp[1]=(float)(an2+((ang[1]-an2)/smooth));
if(temp[0]<=FLT_MAX&&temp[0]>=FLT_MIN)//FLT_MIN is the smallest positive float, not the most negative, so this is not a finite-value check
ang[0]=temp[0];
if(temp[1]<=FLT_MAX&&temp[1]>=FLT_MIN)
ang[1]=temp[1];
}
printf("\nAng1=%f",ang[0]);//debug output (both labels say Ang1)
printf("\nAng1=%f",ang[1]);
byte a1[sizeof(float)*3];//raw bytes of the three angles
memcpy(&a1,ang,sizeof(float)*3);
WriteProcessMemory(proc,(LPVOID)(angoff),a1,sizeof(float)*3,NULL);//write the new view angles
if(!smooth)//triggerbot only in snap mode, as the usage notes say
{
if(fir)
{
int CrosshairID;
ReadProcessMemory(proc, (LPCVOID)(coff+spbase),&CrosshairID,sizeof(CrosshairID),NULL);//1-based id of the entity now under the crosshair
if(CrosshairID>0&&CrosshairID<25)//plausible player id
{
int ts;
DWORD shoot;
ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&shoot,sizeof(shoot),NULL);//base of that entity
ReadProcessMemory(proc, (LPCVOID)(shoot+toff),&ts,sizeof(ts),NULL);//its team, read directly rather than from teams[]
if(ts==teamnum)//enemy
{
fire();
}
}
}
}
}
/* Simulates one left mouse click through the legacy mouse_event API:
 * button down, a 1 ms pause, button up. */
void fire()
{
mouse_event( MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0 );
Sleep(1);//Win32 Sleep, milliseconds
mouse_event( MOUSEEVENTF_LEFTUP, 0, 0, 0, 0 );
}
/* Forgets every cached team: each entry of the global teams[] is set to 0,
 * which main treats as "not read yet" and re-reads from the process the next
 * time that entity is under the crosshair. */
void buildList()
{
    int slot = 32;  /* one entry per entity index */
    while (slot--) {
        teams[slot] = 0;
    }
}
/* Looks up module mname in the process identified by the global pid and
 * returns its base address, or 0 if no entry matched.  The walk uses
 * Module32Next only, so mEntry is compared on the first iteration before any
 * call has filled it in (a read of an uninitialized struct).  The snapshot
 * handle is closed on the found path but not on the not-found path. */
DWORD modBase(LPSTR mname)
{
HANDLE hModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);//module snapshot of process pid
MODULEENTRY32 mEntry;
mEntry.dwSize = sizeof(mEntry);//required before the Module32* calls; the rest of mEntry is not set here
do
if (!strcmp(mEntry.szModule, mname))//exact, case-sensitive name match
{
CloseHandle(hModule);
return (DWORD)mEntry.modBaseAddr;//32-bit base address
}
while (Module32Next(hModule, &mEntry));//advance; ends when the list is exhausted
return 0;//not found; hModule stays open on this path
}
//do i need to explain this
/* Integer power by repeated multiplication: returns base raised to pow.
 * A zero or negative pow yields 1.  Overflow is not guarded. */
int mpow(int base, int pow)
{
    int result = 1;
    int remaining;
    for (remaining = pow; remaining > 0; remaining--) {
        result *= base;
    }
    return result;
}
With this I sacrificed some usability for speed, so any time you change teams (or there is a team change, etc.) you have to restart the hack to get the new player ids.
So basically how you use it:
Launch once in game, when all players are in.
Then you need a numpad:
To control aiming:
7-No aim
8-Aim for body
9-Aim for head
Control the rage hack (this aims at people without you first pointing at them):
2-On
3-Off
Triggerbot (shoots if your crosshair is on a player; does not currently work with smooth aim):
6-On
5-Off
Smooth Aim:
Ins-On
Del-Off
Shift-Unlock from target
By the way, the commented-out stuff is for a config file to change offsets and the smoothing factor.
Notes:
For now, if you want to change the smoothing factor, change the variable `factor` on line 38 (50 is not very noticeable; bump it to maybe 100).
I also attached a C file that can be compiled as a DLL for injection into a benign program to try to hide from VAC currently the executable is not detected though.
For how the math works, check this out:
http://www.unknowncheats.me/forum/counterstrike-global-offensive/137492-math-behind-hack-1-coding-better-aimbot-stop-using-calcangle.html