It contains a speedhack and nametags...
I chose them to show you the basics of how it works: a norecoil, range, rapidfire or superbullet hack works like the nametags hack (patching bytes in the game module), and a fly, nospread, nxchams or similar hack works like the speedhack (driving the game's own console from a hook).
The console addresses will probably be invalidated by the next game patch, but I wrote a routine (proc findaddys) that should find the new nametags addresses by itself by scanning cshell.dll for a byte pattern. You should use NASMX to assemble it, but you can translate it easily into other languages.
How it works:
SpeedHack:
I just hooked d3d9's EndScene so that execution jumps to my part of the code. There I call the runconsole (or pushtoconsole) routine from Combat Arms with the different speed strings. First I had to NOP out some bytes in the runconsole routine (two conditional jumps) so that it accepts them.
NameTags:
Just NOPing out the right address: the two-byte conditional jump at each site is overwritten with two NOPs, and restored to its original bytes (75 05) to toggle it back off.
How you can go on:
So if I helped you, you could in return write a routine that searches for the right runconsole byte pattern so that the hook won't break so easily with the next patch; I am too lazy to do it here, and I already did it in a C++ project.
Code:
; Combat Arms cheat DLL, 32-bit NASM/NASMX.  Once injected into the game
; process, DllEntry spawns findaddys, which pattern-scans cshell.dll and then
; starts two hotkey-polling threads: attachnames (byte patches for nametags)
; and attachrc (inline hook on d3d9 EndScene driving the game console).
; NOTE(review): the comments below describe what the bytes written do; what
; the patched sites mean in the game is only inferred from the author's notes.
%include 'C:\Programme\asm\inc\nasmx.inc'
%include 'C:\Programme\asm\inc\kernel32.inc'
%include 'C:\Programme\asm\inc\msvcrt.inc'
%include 'C:\Programme\asm\inc\user32.inc'
extern Sleep
extern MessageBoxA
extern Beep
%define MessageBox MessageBoxA
%define MB_OK 0h
%define NULL 0
%define FALSE 0
%define TRUE 1
%define MB_ICONASTERISK 40h
%define MB_ICONINFORMATION MB_ICONASTERISK
; Virtual-key codes for the hotkeys (only NUMPAD1/2/4/5 are actually polled).
%define VK_NUMPAD0 60h
%define VK_NUMPAD1 61h
%define VK_NUMPAD2 62h
%define VK_NUMPAD4 64h
%define VK_NUMPAD5 65h
%define VK_NUMPAD7 67h
%define VK_NUMPAD8 68h
%define VK_NUMPAD3 63h
%define VK_NUMPAD6 66h
%define VK_NUMPAD9 69h
%define VK_MENU 12h
%define VK_ADD 6Bh
entry DllEntry
[section .text]

; Thread body: toggles the nametags patch.  Numpad4 overwrites the 2-byte
; conditional jump at each of the two scanned sites (addynames1/addynames2)
; with two NOPs; Numpad5 restores the original bytes 75 05 (jne +5).  Loops
; forever; neither VirtualProtect result is checked and the old protection is
; never restored.
proc attachnames
locals none
    push 1000
    call Sleep
nametags:
loopnames1:
    ; Poll until Numpad4 is held.  GetAsyncKeyState sets bit 15 of ax while
    ; the key is down; shl ax,1 moves that bit into CF, jnb loops while clear.
    push 100
    call Sleep
    invoke GetAsyncKeyState, VK_NUMPAD4
    shl ax, 1
    jnb loopnames1
    ; NOTE(review): lpflOldProtect is NULL here.  Per the Win32 docs
    ; VirtualProtect fails when that pointer is NULL, so these calls most
    ; likely do nothing and the writes rely on the page already being
    ; writable — compare attachrc, which passes oldprotect.  Verify.
    invoke VirtualProtect, [addynames1], 2, 40h, NULL
    mov eax, [addynames1]
    mov byte [eax], 90h
    mov byte [eax+1], 90h
    invoke VirtualProtect, [addynames2], 2, 40h, NULL
    mov eax, [addynames2]
    mov byte [eax], 90h
    mov byte [eax+1], 90h
loopnames2:
    ; Poll until Numpad5 is held, then put the original jne bytes back.
    push 100
    call Sleep
    invoke GetAsyncKeyState, VK_NUMPAD5
    shl ax, 1
    jnb loopnames2
    invoke VirtualProtect, [addynames1], 2, 40h, NULL
    mov eax, [addynames1]
    mov byte [eax], 75h
    mov byte [eax+1], 05h
    invoke VirtualProtect, [addynames2], 2, 40h, NULL
    mov eax, [addynames2]
    mov byte [eax], 75h
    mov byte [eax+1], 05h
    jmp nametags
endproc

; Detour target of the jmp that attachrc writes into d3d9.dll (bare label,
; not a proc: it is entered by jmp, not call).  Pushes each speed string and
; calls the game's runconsole routine at [addyrc] (cdecl: the caller pops the
; argument), then re-executes the prologue bytes the 5-byte jmp displaced and
; jumps back to [rchookback] (= hook site + 5).
; NOTE(review): the three calls clobber eax/ecx/edx; this is only safe if the
; hooked prologue has no live values in them — verify.  `push 0FFFFFFFFh` is
; assumed to assemble to the 2-byte 6A FF form so that push ebp / mov ebp,esp
; / push -1 total exactly the 5 displaced bytes; if NASM emits the 5-byte
; imm32 form the stolen-bytes block no longer matches the original code.
d3d9hook:
    push szfrunvel
    call [addyrc]
    add esp, 4
    push szsrunvel
    call [addyrc]
    add esp, 4
    push szbrunvel
    call [addyrc]
    add esp, 4
    ; Displaced prologue bytes, then resume the original function.
    push ebp
    mov ebp, esp
    push 0FFFFFFFFh
    jmp [rchookback]

; Thread body: installs / partially removes the speedhack.
;   Numpad1: NOPs two 2-byte conditional jumps (at +1Bh and +24h) inside the
;            hard-coded runconsole routine at 46FBC0h, then writes a 5-byte
;            E9 jmp to d3d9hook at d3d9.dll+412Ch+2.
;   Numpad2: restores the runconsole bytes (72 0E / 73 05) only.
; The jmp written into d3d9.dll is never removed, so after Numpad2 the hook
; keeps running every EndScene against the restored runconsole (presumably
; with no effect, per the author's note that the NOPs are needed).
; NOTE(review): 46FBC0h is an absolute address for one game build; unlike the
; nametags sites it is not pattern-scanned, so it breaks on the next patch.
proc attachrc
locals none
loopwait:
    ; Wait for Numpad1 (same bit-15 -> CF trick as attachnames).
    push 100
    call Sleep
    invoke GetAsyncKeyState, VK_NUMPAD1
    shl ax, 1
    jnb loopwait
loopd3d9:
    ; Spin until d3d9.dll is mapped in this process.
    invoke GetModuleHandleA, szD3D9
    cmp eax, 0
    je loopd3d9
    mov [module], eax
    mov ecx, 46FBC0h
    mov dword [addyrc], ecx
    ; NOTE(review): NULL lpflOldProtect again (see attachnames), and the
    ; 10-byte range does not cover offsets 1Bh..25h written below; this only
    ; works if those bytes already lie on a writable page — verify.
    invoke VirtualProtect, [addyrc], 10, 40h, NULL
    mov ecx, dword [addyrc]
    mov byte [ecx+1Bh], 90h
    mov byte [ecx+1Ch], 90h
    mov byte [ecx+24h], 90h
    mov byte [ecx+25h], 90h
    ; Hook site = d3d9.dll + 412Ch.  The jmp goes at +2 (after what is
    ; presumably a 2-byte hot-patch pad) and returns to +7, i.e. 5 bytes
    ; displaced.
    add dword [module], 412Ch
    mov eax, [module]
    mov dword [rchookback], eax
    add dword [rchookback], 7
    invoke VirtualProtect, [module], 10, 40h, oldprotect
    add dword [module], 2
    mov ecx, dword [module]
    ; E9 rel32, rel32 = d3d9hook - (site + 5).
    ; NOTE(review): the 5-byte write is not atomic; a render thread executing
    ; EndScene concurrently could observe a half-written instruction.
    mov byte [ecx], 0xE9
    mov eax, d3d9hook
    sub eax, dword [module]
    sub eax, 5
    mov dword [ecx+1], eax
loopwait2:
    ; Wait for Numpad2, then restore the two runconsole jumps.
    push 100
    call Sleep
    invoke GetAsyncKeyState, VK_NUMPAD2
    shl ax, 1
    jnb loopwait2
    invoke VirtualProtect, [addyrc], 10, 40h, NULL
    mov ecx, dword [addyrc]
    mov byte [ecx+1Bh], 72h
    mov byte [ecx+1Ch], 0Eh
    mov byte [ecx+24h], 73h
    mov byte [ecx+25h], 05h
    jmp loopwait
endproc

; Thread body started from DllEntry.  Waits until cshell.dll and ClientFX.fxd
; are loaded (the ClientFX handle is only used as a readiness signal and is
; discarded), then scans cshell.dll forward from its base for two byte
; patterns and records the address of the 75 05 (jne +5) inside each match:
;   site 1: 3B 4D ?? 75 05 BB 01  -> addynames1 = match + 3
;   site 2: 39 44 24 ?? 75 05     -> addynames2 = match + 4
; (the ?? bytes are wildcards — likely disp8 operands of the preceding cmp.)
; Finally starts the two hotkey threads.
; NOTE(review): both scans are unbounded — there is no module-size limit, so
; if a pattern is absent the loop walks off the end of the mapping and faults.
; Each scan starts at base+1 (inc before the first compare), and the first
; match wins.
proc findaddys
locals none
loopcshell:
    invoke GetModuleHandleA, szCshell
    cmp eax, 0
    je loopcshell
    mov [modulecshell], eax
loopclientfx:
    invoke GetModuleHandleA, szClientFX
    cmp eax, 0
    je loopclientfx
    mov ecx, [modulecshell]
loopnames1byte:
    ; Pattern 1; byte [ecx+2] is not compared.
    inc ecx
    cmp byte [ecx], 3Bh
    jne loopnames1byte
    cmp byte [ecx+1], 4Dh
    jne loopnames1byte
    cmp byte [ecx+3], 75h
    jne loopnames1byte
    cmp byte [ecx+4], 05h
    jne loopnames1byte
    cmp byte [ecx+5], 0xBB
    jne loopnames1byte
    cmp byte [ecx+6], 0x01
    jne loopnames1byte
    mov dword [addynames1], ecx
    add dword [addynames1], 3
    mov ecx, [modulecshell]
loopnames2byte:
    ; Pattern 2; byte [ecx+3] is not compared.
    inc ecx
    cmp byte [ecx], 39h
    jne loopnames2byte
    cmp byte [ecx+1], 44h
    jne loopnames2byte
    cmp byte [ecx+2], 24h
    jne loopnames2byte
    cmp byte [ecx+4], 75h
    jne loopnames2byte
    cmp byte [ecx+5], 05h
    jne loopnames2byte
    mov dword [addynames2], ecx
    add dword [addynames2], 4
    invoke CreateThread, 0, 0, attachnames, 0, 0, 0
    invoke CreateThread, 0, 0, attachrc, 0, 0, 0
endproc

; DLL entry point.  When reason ([ebp+0Ch], the second argument) equals 1
; (DLL_PROCESS_ATTACH) it shows a message box and starts the findaddys
; thread; every other reason falls straight through.  Always returns TRUE.
; NOTE(review): MessageBox and CreateThread are called while the loader lock
; is held; the new thread only begins running once DllEntry has returned.
proc DllEntry, ptrdiff_t hinst, size_t reason, size_t reserved
locals none
    mov ecx, 1
    cmp [ebp+0Ch], ecx
    jne goon
    invoke MessageBox, NULL, szContent, szTitle, MB_OK + MB_ICONINFORMATION
    invoke CreateThread, 0, 0, findaddys, 0, 0, 0
goon:
    mov eax, TRUE
endproc

[section .data]
; Message-box text and module names waited on by findaddys / attachrc.
szTitle: declare(NASMX_TCHAR) NASMX_TEXT('WAIT'), 0x0
szContent: declare(NASMX_TCHAR) NASMX_TEXT('Badburrito Production'), 0x0
szCshell: declare(NASMX_TCHAR) NASMX_TEXT('cshell.dll'), 0x0
szClientFX: declare(NASMX_TCHAR) NASMX_TEXT('ClientFX.fxd'), 0x0
szD3D9: declare(NASMX_TCHAR) NASMX_TEXT('d3d9.dll'), 0x0
; Console commands pushed by d3d9hook on every EndScene (forward / side /
; backward run velocity, per the author's description).
szfrunvel: declare(NASMX_TCHAR) NASMX_TEXT('FRunVel 1000.000000'), 0x0
szsrunvel: declare(NASMX_TCHAR) NASMX_TEXT('SRunVel 1000.000000'), 0x0
szbrunvel: declare(NASMX_TCHAR) NASMX_TEXT('BRunVel 1000.000000'), 0x0

[section .bss]
; Patch/hook bookkeeping shared between the threads.  Each reserves two
; dwords although only the first is ever read or written.
addynames1 : resd 2     ; jne inside nametags site 1 (from findaddys)
addynames2 : resd 2     ; jne inside nametags site 2 (from findaddys)
modulecshell : resd 2   ; cshell.dll base
addyrc : resd 2         ; runconsole routine (hard-coded 46FBC0h)
rchookback : resd 2     ; hook site + 5, where d3d9hook resumes
module : resd 2         ; d3d9.dll base, then advanced to the hook site
oldprotect : resd 2     ; previous protection from the d3d9 VirtualProtect