ASM - Speed & NameTags

11/12/2011 17:18 Badburrito#1
Hi I just want to show a short source I just did a few days before,
It contains a speedhack and nametags...
I chose them to show you the basics of how it works, because a norecoil, range, rapidfire or superbullet hack works like the nametags hack, and a fly, nospread, nxchams and similar hack works like a speedhack.
The console addresses will probably be patched after the next patch, but I wrote a routine that should find the new nametags addys by itself (proc findaddys). You should use nasmx to compile it, but you can translate it easily into other languages.

How it works:
SpeedHack:
I just hooked the d3d9 EndScene so that I jump to my part of the code. Then I call the runconsole (or pushtoconsole) routine from Combat Arms with the different speed strings. First I had to nop some bytes in the runconsole routine so that it works.

NameTags:
Just nopping the right addy :)

How you can go on:
So if I helped you, you could write a routine that searches for the right runconsole byte pattern so that it won't be patched so easily, because I am too lazy to do it and I already did it in a C++ project.


Code:
%include 'C:\Programme\asm\inc\nasmx.inc'
%include 'C:\Programme\asm\inc\kernel32.inc'
%include 'C:\Programme\asm\inc\msvcrt.inc'
%include 'C:\Programme\asm\inc\user32.inc'

extern Sleep
extern MessageBoxA
extern Beep

%define MessageBox MessageBoxA           ; resolve to the ANSI entry point declared extern above
%define MB_OK 0h                         ; MessageBox style: single OK button
%define NULL 0
%define FALSE 0
%define TRUE 1
%define MB_ICONASTERISK 40h              ; MessageBox style: information icon
%define MB_ICONINFORMATION MB_ICONASTERISK
%define VK_NUMPAD0 60h                   ; virtual-key codes polled with GetAsyncKeyState
%define VK_NUMPAD1 61h                   ; NUMPAD1: install speedhack (attachrc)
%define VK_NUMPAD2 62h                   ; NUMPAD2: restore runconsole bytes (attachrc)
%define VK_NUMPAD4 64h                   ; NUMPAD4: enable nametags (attachnames)
%define VK_NUMPAD5 65h                   ; NUMPAD5: restore nametag bytes (attachnames)
%define VK_NUMPAD7 67h
%define VK_NUMPAD8 68h
%define VK_NUMPAD3 63h
%define VK_NUMPAD6 66h
%define VK_NUMPAD9 69h
%define VK_MENU	   12h                   ; Alt key (not referenced in this file)
%define VK_ADD	   6Bh                   ; numpad '+' (not referenced in this file)

entry	DllEntry                         ; nasmx: the image entry point is DllEntry (bottom of .text)

[section .text]



;-----------------------------------------------------------------------
; attachnames — worker thread (started from findaddys via CreateThread).
; Toggles the two 2-byte patches whose addresses findaddys stored in
; addynames1 / addynames2:
;   NUMPAD4 -> overwrite both conditional jumps with 90 90 (NOP NOP)
;   NUMPAD5 -> restore the original bytes 75 05 (jne +5)
; Never returns: the final jmp restarts the polling loop, so the endproc
; epilogue is unreachable.
; Every write is preceded by VirtualProtect(addr, 2, 40h, NULL);
; 40h = PAGE_EXECUTE_READWRITE. lpflOldProtect is passed as NULL and the
; return value is never checked — NOTE(review): the Win32 documentation
; requires a non-NULL lpflOldProtect; confirm the call actually succeeds.
; Rewriting code pages of a loaded module from inside the process is the
; textbook signal that module-integrity / anti-cheat checks alert on.
;-----------------------------------------------------------------------
proc attachnames
locals none
push 1000
call Sleep                               ; Sleep(1000) before the first poll

nametags:

	loopnames1:
	push 100
	call Sleep                           ; poll every 100 ms
invoke GetAsyncKeyState, VK_NUMPAD4
        shl ax, 1                        ; bit 15 (key currently down) -> CF
        jnb loopnames1                   ; CF clear: not pressed, keep polling

invoke VirtualProtect, [addynames1], 2, 40h, NULL   ; make the 2 patch bytes writable (RWX)

	mov eax, [addynames1]
	mov byte [eax], 90h                  ; 75 05 (jne +5) -> 90 90
	mov byte [eax+1], 90h

invoke VirtualProtect, [addynames2], 2, 40h, NULL

	mov eax, [addynames2]
	mov byte [eax], 90h                  ; same patch at the second site
	mov byte [eax+1], 90h

	loopnames2:
	push 100
	call Sleep
invoke GetAsyncKeyState, VK_NUMPAD5
        shl ax, 1                        ; bit 15 -> CF, as above
        jnb loopnames2

invoke VirtualProtect, [addynames1], 2, 40h, NULL

	mov eax, [addynames1]
	mov byte [eax], 75h                  ; restore jne +5
	mov byte [eax+1], 05h

invoke VirtualProtect, [addynames2], 2, 40h, NULL

	mov eax, [addynames2]
	mov byte [eax], 75h                  ; restore jne +5
	mov byte [eax+1], 05h

jmp nametags                             ; loop forever; proc never falls through to endproc

endproc




;-----------------------------------------------------------------------
; d3d9hook — target of the 5-byte jmp that attachrc writes at
; d3d9.dll base + 412Ch + 2. Per the author's post this site is inside
; EndScene, so this code presumably runs on the render thread each frame.
; Issues three console commands through the game's runconsole routine
; ([addyrc]; cdecl: one pushed argument, caller pops with add esp,4),
; then replays the three instructions the jmp displaced
; (push ebp / mov ebp,esp / push -1 = 5 bytes — presumed to be the
; original bytes at site+2..+6; confirm against the target build) and
; jumps back to [rchookback] = hook site + 7.
; Not a nasmx proc: no frame, no ret. Register state on return to the
; hooked function is whatever runconsole left behind — TODO confirm the
; hooked code does not depend on any of it.
;-----------------------------------------------------------------------
d3d9hook:

push szfrunvel
call [addyrc]                            ; runconsole("FRunVel 1000.000000")
add esp, 4                               ; cdecl cleanup

push szsrunvel
call [addyrc]                            ; runconsole("SRunVel 1000.000000")
add esp, 4

push szbrunvel
call [addyrc]                            ; runconsole("BRunVel 1000.000000")
add esp, 4



push ebp                                 ; displaced original instructions (see attachrc)
mov ebp, esp
push 0FFFFFFFFh
jmp [rchookback]                         ; resume hooked function at site + 7




;-----------------------------------------------------------------------
; attachrc — worker thread (started from findaddys via CreateThread).
; NUMPAD1: wait until d3d9.dll is loaded, then
;   1. addyrc = 46FBC0h — a hard-coded absolute address for the game's
;      runconsole routine (no module-relative fixup, so it is specific to
;      the build the author had);
;   2. NOP out two 2-byte conditional jumps inside it (+1Bh and +24h);
;   3. write a 5-byte jmp to d3d9hook at d3d9 base + 412Ch + 2 and record
;      the resume address (site + 7) in rchookback.
; NUMPAD2: restore the two runconsole jumps (72 0E / 73 05). The d3d9 jmp
; hook is NOT removed; control just returns to the NUMPAD1 loop.
; Never returns (jmp loopwait); the endproc epilogue is unreachable.
; Notes: VirtualProtect is called with a 10-byte length but the writes
; reach +25h (runconsole) and +6 (hook site) — this presumably only works
; because protection is page-granular. The runconsole calls pass NULL for
; lpflOldProtect and no return value is checked; the hook-site call uses
; oldprotect. In-process patching of another module's code pages and an
; inline jmp into a system DLL are the classic signals module-integrity
; and anti-cheat checks look for.
;-----------------------------------------------------------------------
proc attachrc
locals none


	loopwait:
	push 100
	call Sleep                           ; poll every 100 ms
invoke GetAsyncKeyState, VK_NUMPAD1
        shl ax, 1                        ; bit 15 (key down) -> CF
        jnb loopwait

	loopd3d9:
	invoke GetModuleHandleA, szD3D9      ; spin until d3d9.dll is mapped
	cmp eax, 0
	je loopd3d9

	mov [module], eax                    ; module = d3d9.dll base


	mov ecx, 46FBC0h                     ; absolute VA of runconsole (author-supplied, build-specific)
	mov dword [addyrc], ecx


	invoke VirtualProtect, [addyrc], 10, 40h, NULL   ; 40h = PAGE_EXECUTE_READWRITE; length 10 < last write at +25h



	mov ecx, dword [addyrc]

	mov byte [ecx+1Bh], 90h              ; jcc at +1Bh (72 0E) -> NOP NOP
	mov byte [ecx+1Ch], 90h
	mov byte [ecx+24h], 90h              ; jcc at +24h (73 05) -> NOP NOP
	mov byte [ecx+25h], 90h



	add dword [module], 412Ch	         ; module = d3d9 base + 412Ch (hook site; author notes this offset may need updating)


	mov eax, [module]
	mov dword [rchookback], eax

	add dword [rchookback], 7            ; resume point = site + 7, just past the 5 bytes the jmp occupies (+2..+6)

	

	invoke VirtualProtect, [module], 10, 40h, oldprotect   ; old protection saved but never restored
	
	add dword [module], 2                ; the jmp is written at site + 2

	mov ecx, dword [module]


	mov byte [ecx], 0xE9	             ; E9 = jmp rel32
	mov eax, d3d9hook
	sub eax, dword [module]
	sub eax, 5                           ; rel32 = target - (address of jmp) - 5
	mov dword [ecx+1], eax

	loopwait2:
	push 100
	call Sleep
invoke GetAsyncKeyState, VK_NUMPAD2
        shl ax, 1                        ; bit 15 -> CF
        jnb loopwait2
	
	

	invoke VirtualProtect, [addyrc], 10, 40h, NULL


	mov ecx, dword [addyrc]

	mov byte [ecx+1Bh], 72h              ; restore jb +0Eh
	mov byte [ecx+1Ch], 0Eh
	mov byte [ecx+24h], 73h              ; restore jae +05h
	mov byte [ecx+25h], 05h


	jmp loopwait                         ; back to waiting for NUMPAD1; d3d9 hook stays in place
	


endproc





;-----------------------------------------------------------------------
; findaddys — thread started from DllEntry on DLL_PROCESS_ATTACH.
; Waits until cshell.dll and ClientFX.fxd are both loaded, then performs
; two linear byte scans starting at cshell.dll base + 1 (the inc precedes
; the first compare) for fixed opcode patterns:
;   pattern 1: 3B 4D ?? 75 05 BB 01  -> addynames1 = match + 3 (the 75 05)
;   pattern 2: 39 44 24 ?? 75 05     -> addynames2 = match + 4 (the 75 05)
; The '??' bytes (offset +2 and +3 respectively) are not compared.
; Neither scan has an upper bound: each runs until the first match or
; until a read hits unmapped memory and faults, so a pattern that is
; absent (e.g. after a game update) crashes the host process instead of
; failing cleanly.
; ClientFX.fxd is only waited for; its handle is discarded.
; Finally starts the attachnames and attachrc threads, which read
; addynames1 / addynames2 set here.
;-----------------------------------------------------------------------
proc findaddys
locals none

	loopcshell:
	invoke GetModuleHandleA, szCshell    ; spin until cshell.dll is mapped
	cmp eax, 0
	je loopcshell

	mov [modulecshell], eax		         ; scan base

	loopclientfx:
	invoke GetModuleHandleA, szClientFX  ; spin until ClientFX.fxd is mapped (handle unused)
	cmp eax, 0
	je loopclientfx



	mov ecx, [modulecshell]

	loopnames1byte:
	inc ecx                              ; advance one byte; no end-of-module check

	cmp byte [ecx], 3Bh                  ; pattern 1: 3B 4D ?? 75 05 BB 01
	jne loopnames1byte
	
	cmp byte [ecx+1], 4Dh
	jne loopnames1byte	

	cmp byte [ecx+3], 75h                ; +2 is a wildcard
	jne loopnames1byte

	cmp byte [ecx+4], 05h
	jne loopnames1byte

	cmp byte [ecx+5], 0xBB
	jne loopnames1byte

	cmp byte [ecx+6], 0x01
	jne loopnames1byte

	mov dword [addynames1], ecx
	add dword [addynames1], 3            ; point at the 75 05 (jne +5) inside the match


	mov ecx, [modulecshell]              ; second scan restarts from the module base

	loopnames2byte:
	inc ecx

	cmp byte [ecx], 39h                  ; pattern 2: 39 44 24 ?? 75 05
	jne loopnames2byte
	
	cmp byte [ecx+1], 44h
	jne loopnames2byte

	cmp byte [ecx+2], 24h
	jne loopnames2byte

	cmp byte [ecx+4], 75h                ; +3 is a wildcard
	jne loopnames2byte

	cmp byte [ecx+5], 05h
	jne loopnames2byte

	mov dword [addynames2], ecx
	add dword [addynames2], 4            ; point at the 75 05 (jne +5) inside the match



	invoke	CreateThread, 0, 0, attachnames, 0, 0, 0   ; thread handles are not kept
	
invoke	CreateThread, 0, 0, attachrc, 0, 0, 0

endproc




;-----------------------------------------------------------------------
; BOOL WINAPI DllEntry(HINSTANCE hinst, DWORD reason, LPVOID reserved)
; On reason == 1 (DLL_PROCESS_ATTACH): show a modal MessageBox, then
; start the findaddys thread. Always returns TRUE.
; The reason argument is read directly as [ebp+0Ch], which relies on the
; nasmx proc prologue having set up a standard ebp frame — TODO confirm
; against the nasmx.inc in use.
; The MessageBox is shown from inside DllMain, i.e. while the loader lock
; is held; kept as the author wrote it.
;-----------------------------------------------------------------------
proc   DllEntry, ptrdiff_t hinst, size_t reason, size_t reserved
locals none
	mov	ecx, 1                           ; DLL_PROCESS_ATTACH
	cmp	[ebp+0Ch], ecx                   ; reason (second argument)
	jne	goon
	invoke	MessageBox, NULL, szContent, szTitle, MB_OK + MB_ICONINFORMATION
	invoke	CreateThread, 0, 0, findaddys, 0, 0, 0   ; returned handle is discarded (eax overwritten below)


	goon:
	mov	eax, TRUE                        ; return value
endproc




[section .data]
    ; MessageBox shown from DllEntry
    szTitle:      declare(NASMX_TCHAR) NASMX_TEXT('WAIT'), 0x0
    szContent:    declare(NASMX_TCHAR) NASMX_TEXT('Badburrito Production'), 0x0
    ; module names polled with GetModuleHandleA
    szCshell:    declare(NASMX_TCHAR) NASMX_TEXT('cshell.dll'), 0x0
    szClientFX:    declare(NASMX_TCHAR) NASMX_TEXT('ClientFX.fxd'), 0x0
    szD3D9:    declare(NASMX_TCHAR) NASMX_TEXT('d3d9.dll'), 0x0
    ; console command strings passed to [addyrc] from d3d9hook
    szfrunvel:    declare(NASMX_TCHAR) NASMX_TEXT('FRunVel 1000.000000'), 0x0
    szsrunvel:    declare(NASMX_TCHAR) NASMX_TEXT('SRunVel 1000.000000'), 0x0
    szbrunvel:    declare(NASMX_TCHAR) NASMX_TEXT('BRunVel 1000.000000'), 0x0
 




[section .bss] 		
	; Each symbol reserves 2 dwords (8 bytes) but is only ever accessed as
	; a single dword by the code above.
	addynames1 : resd 2                  ; address of first nametag patch (set by findaddys)
	addynames2 : resd 2                  ; address of second nametag patch (set by findaddys)
	modulecshell : resd 2                ; cshell.dll base (scan start)
	addyrc : resd 2                      ; runconsole address (hard-coded in attachrc)
	rchookback : resd 2                  ; resume address used by d3d9hook (hook site + 7)
	module : resd 2	                     ; d3d9.dll base, then advanced to the hook site
	oldprotect : resd 2                  ; old page protection from the hook-site VirtualProtect (never restored)
11/12/2011 17:22 vwap#2
nice, I don't see pure asm hacks often!

Well done.
11/12/2011 17:34 Badburrito#3
Oh, I've just noticed that I used a simple offset to find the EndScene address.... yeah, I am lazy... so it might be that you have to change the offset (0x412C in the source).

So in asm it might be more effort to change such things, but it is easier to understand because you have fewer commands and more maths.