It contains a speedhack and a nametags hack...
I chose them to show the basics of how this works: a norecoil, range, rapidfire or superbullet hack works like the nametags hack (overwrite a couple of bytes at an address you located), and a fly, nospread, nxchams hack and so on works like the speedhack (hook a routine and issue console commands from the hook).
The console addresses (the hard-coded runconsole address and the d3d9.dll offset used in proc attachrc) will probably be invalidated by the next game patch, but I wrote a routine that should find the new nametags addresses by itself (proc findaddys). You should use NASMX to assemble it, but you can translate it easily into other languages.
How it works:
SpeedHack:
I hooked D3D9 EndScene so that execution jumps to my code (d3d9hook). From there I call the game's runconsole (or pushtoconsole) routine with the different speed strings. First I had to NOP out some bytes (two short conditional jumps) in the runconsole routine so that it works.
NameTags:
Just NOPing the right address (the two bytes of a `jne +5` that findaddys locates in cshell.dll).
How to go on from here:
So if I helped you, you could write a routine that searches for the right runconsole byte pattern so that it won't be broken so easily by a patch; I am too lazy to do it, and I already did it in a C++ project.
Code:
; ---------------------------------------------------------------------------
; Syntax/target: NASM (Intel syntax) using the NASMX macro package
; (proc/endproc/locals/invoke/declare); 32-bit Win32 DLL.
; Win32 imports are called either through NASMX `invoke` (stdcall, callee
; cleans the stack) or by hand with push + call for the externs below.
;
; Purpose: a DLL that is injected into the Combat Arms game client. It
; overwrites code bytes in cshell.dll and in the game executable and plants
; a jmp hook in d3d9.dll; all of that runs on threads spawned from DllEntry.
;
; NOTE(review): the include paths are absolute and tied to the author's
;   machine ('C:\Programme\asm\inc'); they have to be adjusted before this
;   assembles anywhere else. The NASMX kernel32/user32 includes presumably
;   supply the `invoke` prototypes for VirtualProtect, GetModuleHandleA,
;   CreateThread and GetAsyncKeyState, which are used without `extern`.
; ---------------------------------------------------------------------------
%include 'C:\Programme\asm\inc\nasmx.inc'
%include 'C:\Programme\asm\inc\kernel32.inc'
%include 'C:\Programme\asm\inc\msvcrt.inc'
%include 'C:\Programme\asm\inc\user32.inc'
extern Sleep                     ; called by hand (push ms / call Sleep)
extern MessageBoxA
extern Beep                      ; declared but never used in this file
%define MessageBox MessageBoxA   ; ANSI variant only; strings are declared via NASMX_TEXT
%define MB_OK 0h
%define NULL 0
%define FALSE 0
%define TRUE 1
%define MB_ICONASTERISK 40h
%define MB_ICONINFORMATION MB_ICONASTERISK
; Virtual-key codes (same values as the Windows SDK). Only VK_NUMPAD1, 2,
; 4 and 5 are referenced below; the rest are unused here.
%define VK_NUMPAD0 60h
%define VK_NUMPAD1 61h           ; attachrc: install speedhack
%define VK_NUMPAD2 62h           ; attachrc: restore runconsole bytes
%define VK_NUMPAD4 64h           ; attachnames: enable nametags patch
%define VK_NUMPAD5 65h           ; attachnames: restore nametags bytes
%define VK_NUMPAD7 67h
%define VK_NUMPAD8 68h
%define VK_NUMPAD3 63h
%define VK_NUMPAD6 66h
%define VK_NUMPAD9 69h
%define VK_MENU 12h
%define VK_ADD 6Bh
entry DllEntry                   ; NASMX: DllEntry is the image entry point
[section .text]
; ---------------------------------------------------------------------------
; attachnames -- thread routine (started by findaddys via CreateThread).
; Toggles the "nametags" patch: NUMPAD4 overwrites the two-byte `jne +5`
; (75 05) at [addynames1] and at [addynames2] with two NOPs (90 90);
; NUMPAD5 writes the original 75 05 back. Loops forever, so the endproc
; epilogue is never reached.
; In:   nothing (the CreateThread parameter is ignored); reads the two code
;       addresses that findaddys stored in addynames1 / addynames2.
; Out:  none. Clobbers eax, ecx, edx and flags (thread entry, nothing saved).
; NOTE(review): every VirtualProtect in this routine passes NULL as
;   lpflOldProtect. Per the Win32 documentation the call fails in that case,
;   and its return value is never checked, so the byte writes that follow
;   only succeed if the target page is already writable. The original page
;   protection is never restored either.
; ---------------------------------------------------------------------------
proc attachnames
locals none
push 1000                        ; Sleep(1000): give the game time to settle
call Sleep
nametags:
loopnames1:
push 100                         ; poll the key every 100 ms
call Sleep
invoke GetAsyncKeyState, VK_NUMPAD4
shl ax, 1                        ; bit 15 (key currently down) -> CF
jnb loopnames1                   ; CF clear: not pressed, keep polling
invoke VirtualProtect, [addynames1], 2, 40h, NULL   ; 40h = PAGE_EXECUTE_READWRITE
mov eax, [addynames1]
mov byte [eax], 90h              ; 75 05 (jne +5) -> 90 90 (nop nop)
mov byte [eax+1], 90h
invoke VirtualProtect, [addynames2], 2, 40h, NULL
mov eax, [addynames2]
mov byte [eax], 90h              ; second jne +5 -> nop nop
mov byte [eax+1], 90h
loopnames2:
push 100                         ; wait for NUMPAD5 to undo the patch
call Sleep
invoke GetAsyncKeyState, VK_NUMPAD5
shl ax, 1
jnb loopnames2
invoke VirtualProtect, [addynames1], 2, 40h, NULL
mov eax, [addynames1]
mov byte [eax], 75h              ; restore jne +5
mov byte [eax+1], 05h
invoke VirtualProtect, [addynames2], 2, 40h, NULL
mov eax, [addynames2]
mov byte [eax], 75h              ; restore jne +5
mov byte [eax+1], 05h
jmp nametags                     ; back to waiting for NUMPAD4
endproc
; ---------------------------------------------------------------------------
; d3d9hook -- detour target. attachrc overwrites the 5 bytes at
; d3d9.dll base + 412Ch + 2 with `jmp d3d9hook`, so control lands here at
; the entry of a d3d9 routine (the accompanying text says EndScene) on
; every call of that routine.
; Issues three console commands through the game's runconsole routine at
; [addyrc] -- one string argument each, caller pops it (cdecl-style) --
; then re-executes the 5 displaced bytes (push ebp / mov ebp,esp /
; push -1 = 55 8B EC 6A FF, presumably the routine's original prologue)
; and jumps to the continuation address [rchookback] = base + 412Ch + 7.
; Not a proc: no frame of its own, no ret. Clobbers whatever the
; runconsole routine clobbers; it is assumed (not verifiable here) to
; preserve the callee-saved registers the hooked d3d9 routine relies on.
; NOTE(review): attachrc never removes the jmp, so these three commands are
;   re-issued on every frame for the rest of the process lifetime -- also
;   after NUMPAD2 puts the original runconsole bytes back.
; ---------------------------------------------------------------------------
d3d9hook:
push szfrunvel                   ; "FRunVel 1000.000000"
call [addyrc]                    ; runconsole(str)
add esp, 4                       ; caller cleans the one argument
push szsrunvel                   ; "SRunVel 1000.000000"
call [addyrc]
add esp, 4
push szbrunvel                   ; "BRunVel 1000.000000"
call [addyrc]
add esp, 4
push ebp                         ; --- the 5 bytes displaced by the jmp ---
mov ebp, esp
push 0FFFFFFFFh
jmp [rchookback]                 ; resume in d3d9 directly after them
; ---------------------------------------------------------------------------
; attachrc -- thread routine (started by findaddys via CreateThread).
; On NUMPAD1: (1) NOPs two short conditional jumps inside the game's
; runconsole routine, whose address is hard-coded as 46FBC0h;
; (2) writes a 5-byte `jmp d3d9hook` at d3d9.dll base + 412Ch + 2.
; On NUMPAD2: restores the four runconsole bytes (72 0E = jb +0Eh,
; 73 05 = jae +5) and goes back to waiting for NUMPAD1. Never returns.
; In:   nothing (CreateThread parameter ignored).
; Out:  fills addyrc, module, rchookback and oldprotect for d3d9hook.
;       Clobbers eax, ecx, edx, flags.
; NOTE(review):
;   * 46FBC0h is an absolute address inside one specific game build; it is
;     only valid if that image loads at its preferred base (no relocation)
;     and stops matching on the next build. Same for the 412Ch offset into
;     d3d9.dll, which depends on the exact d3d9.dll version.
;   * The VirtualProtect on addyrc covers 10 bytes, but the writes go to
;     +1Bh..+25h (27..37), outside that range. It works only because
;     protection is applied per page, and would not if the bytes straddle
;     a page boundary. It also passes NULL as lpflOldProtect (the call
;     fails per the Win32 docs) and the result is never checked.
;   * The d3d9 jmp hook is never removed; oldprotect is saved but never
;     used to restore the page protection.
;   * The GetModuleHandleA wait loop has no Sleep and spins at 100% CPU
;     until d3d9.dll is loaded.
; ---------------------------------------------------------------------------
proc attachrc
locals none
loopwait:
push 100                         ; poll NUMPAD1 every 100 ms
call Sleep
invoke GetAsyncKeyState, VK_NUMPAD1
shl ax, 1                        ; key-down bit -> CF
jnb loopwait
loopd3d9:
invoke GetModuleHandleA, szD3D9  ; busy-wait until d3d9.dll is mapped
cmp eax, 0
je loopd3d9
mov [module], eax                ; module = d3d9.dll base
mov ecx, 46FBC0h                 ; hard-coded runconsole address (build-specific)
mov dword [addyrc], ecx
invoke VirtualProtect, [addyrc], 10, 40h, NULL      ; 40h = PAGE_EXECUTE_READWRITE
mov ecx, dword [addyrc]
mov byte [ecx+1Bh], 90h          ; jb +0Eh (72 0E) -> nop nop
mov byte [ecx+1Ch], 90h
mov byte [ecx+24h], 90h          ; jae +5 (73 05) -> nop nop
mov byte [ecx+25h], 90h
add dword [module], 412Ch        ; module = hooked routine (base + 412Ch)
mov eax, [module]
mov dword [rchookback], eax
add dword [rchookback], 7        ; continuation = routine + 7 (just past the 5 displaced bytes at +2)
invoke VirtualProtect, [module], 10, 40h, oldprotect ; the only call here with a valid lpflOldProtect
add dword [module], 2            ; patch site = routine + 2
mov ecx, dword [module]
mov byte [ecx], 0xE9             ; jmp rel32
mov eax, d3d9hook                ; absolute address of our detour
sub eax, dword [module]
sub eax, 5                       ; rel32 = target - patch_site - 5
mov dword [ecx+1], eax
loopwait2:
push 100                         ; wait for NUMPAD2 to undo the runconsole NOPs
call Sleep
invoke GetAsyncKeyState, VK_NUMPAD2
shl ax, 1
jnb loopwait2
invoke VirtualProtect, [addyrc], 10, 40h, NULL
mov ecx, dword [addyrc]
mov byte [ecx+1Bh], 72h          ; restore jb +0Eh
mov byte [ecx+1Ch], 0Eh
mov byte [ecx+24h], 73h          ; restore jae +5
mov byte [ecx+25h], 05h
jmp loopwait                     ; d3d9 hook stays installed
endproc
; ---------------------------------------------------------------------------
; findaddys -- thread routine (started from DllEntry).
; Waits until cshell.dll and ClientFX.fxd are loaded, then scans cshell.dll
; byte by byte for two code patterns and records the address of the
; `jne +5` (75 05) inside each:
;   pattern 1: 3B 4D ?? 75 05 BB 01   (cmp ecx,[ebp+disp8] / jne +5 /
;              mov ebx,imm32 with low byte 01) -> addynames1 = match + 3
;   pattern 2: 39 44 24 ?? 75 05      (cmp [esp+disp8],eax / jne +5)
;                                     -> addynames2 = match + 4
; Finally spawns the attachnames and attachrc threads and returns.
; In:   nothing (CreateThread parameter ignored).
; Out:  addynames1, addynames2, modulecshell. Clobbers eax, ecx, edx, flags.
; NOTE(review):
;   * Both scans have no upper bound and no module-size check: if a pattern
;     is absent (e.g. after a game update) the loop walks past the end of
;     cshell.dll and faults on the first unmapped page, taking the game
;     process down. The first hit is used, wherever it occurs, so a match in
;     data rather than code is also possible.
;   * The scan starts at base + 1 (ecx is incremented before the first
;     compare), so the module's first byte is never examined.
;   * The ClientFX.fxd handle is only used as a readiness gate; its value
;     is discarded.
;   * Both GetModuleHandleA wait loops spin without sleeping.
; ---------------------------------------------------------------------------
proc findaddys
locals none
loopcshell:
invoke GetModuleHandleA, szCshell   ; busy-wait until cshell.dll is mapped
cmp eax, 0
je loopcshell
mov [modulecshell], eax
loopclientfx:
invoke GetModuleHandleA, szClientFX ; busy-wait until ClientFX.fxd is mapped
cmp eax, 0
je loopclientfx
mov ecx, [modulecshell]          ; ecx = scan cursor (pre-incremented below)
loopnames1byte:
inc ecx
cmp byte [ecx], 3Bh              ; cmp r32, r/m32
jne loopnames1byte
cmp byte [ecx+1], 4Dh            ; modrm: ecx, [ebp+disp8]; +2 (disp8) is a wildcard
jne loopnames1byte
cmp byte [ecx+3], 75h            ; jne +5
jne loopnames1byte
cmp byte [ecx+4], 05h
jne loopnames1byte
cmp byte [ecx+5], 0xBB           ; mov ebx, imm32 ...
jne loopnames1byte
cmp byte [ecx+6], 0x01           ; ... whose low byte is 01
jne loopnames1byte
mov dword [addynames1], ecx
add dword [addynames1], 3        ; -> the 75 05 to be NOPed
mov ecx, [modulecshell]          ; restart from the module base for pattern 2
loopnames2byte:
inc ecx
cmp byte [ecx], 39h              ; cmp r/m32, r32
jne loopnames2byte
cmp byte [ecx+1], 44h            ; modrm + SIB: [esp+disp8], eax; +3 (disp8) is a wildcard
jne loopnames2byte
cmp byte [ecx+2], 24h
jne loopnames2byte
cmp byte [ecx+4], 75h            ; jne +5
jne loopnames2byte
cmp byte [ecx+5], 05h
jne loopnames2byte
mov dword [addynames2], ecx
add dword [addynames2], 4        ; -> the 75 05 to be NOPed
invoke CreateThread, 0, 0, attachnames, 0, 0, 0   ; handles are leaked (never closed)
invoke CreateThread, 0, 0, attachrc, 0, 0, 0
endproc
; ---------------------------------------------------------------------------
; BOOL WINAPI DllEntry(HINSTANCE hinst, DWORD reason, LPVOID reserved)
; DLL entry point (declared via `entry DllEntry` above).
; `reason` is read directly from its stack slot [ebp+0Ch] rather than
; through the declared parameter name. On DLL_PROCESS_ATTACH (1) it shows
; a message box and starts the findaddys thread; for every reason it
; returns TRUE in eax (the NASMX endproc epilogue presumably leaves eax
; intact).
; NOTE(review): both calls are made while the loader lock is held.
;   MessageBox blocks DllMain until the user clicks it and calls into
;   user32, which Microsoft's DllMain guidance says to avoid; CreateThread
;   from DllMain is tolerated only because the new thread cannot run until
;   DllMain returns. The thread handle is never closed.
; ---------------------------------------------------------------------------
proc DllEntry, ptrdiff_t hinst, size_t reason, size_t reserved
locals none
mov ecx, 1                       ; DLL_PROCESS_ATTACH
cmp [ebp+0Ch], ecx               ; [ebp+0Ch] = reason (2nd stdcall argument)
jne goon                         ; other reasons: just return TRUE
invoke MessageBox, NULL, szContent, szTitle, MB_OK + MB_ICONINFORMATION
invoke CreateThread, 0, 0, findaddys, 0, 0, 0
goon:
mov eax, TRUE
endproc
[section .data]
; Strings (NASMX_TCHAR/NASMX_TEXT; the MessageBoxA alias above implies ANSI).
szTitle: declare(NASMX_TCHAR) NASMX_TEXT('WAIT'), 0x0                      ; message box caption
szContent: declare(NASMX_TCHAR) NASMX_TEXT('Badburrito Production'), 0x0   ; message box text
szCshell: declare(NASMX_TCHAR) NASMX_TEXT('cshell.dll'), 0x0               ; module scanned by findaddys
szClientFX: declare(NASMX_TCHAR) NASMX_TEXT('ClientFX.fxd'), 0x0           ; load-readiness gate in findaddys
szD3D9: declare(NASMX_TCHAR) NASMX_TEXT('d3d9.dll'), 0x0                   ; module hooked by attachrc
; Console commands issued by d3d9hook on every hooked call. The names
; suggest forward/side/back run velocities -- not verifiable from here.
szfrunvel: declare(NASMX_TCHAR) NASMX_TEXT('FRunVel 1000.000000'), 0x0
szsrunvel: declare(NASMX_TCHAR) NASMX_TEXT('SRunVel 1000.000000'), 0x0
szbrunvel: declare(NASMX_TCHAR) NASMX_TEXT('BRunVel 1000.000000'), 0x0
[section .bss]
; Runtime-resolved addresses. Each is reserved as 2 dwords but only the
; first dword is ever read or written.
addynames1 : resd 2              ; cshell.dll: first `jne +5` found by findaddys
addynames2 : resd 2              ; cshell.dll: second `jne +5` found by findaddys
modulecshell : resd 2            ; cshell.dll base (scan start)
addyrc : resd 2                  ; runconsole routine (hard-coded 46FBC0h)
rchookback : resd 2              ; d3d9 continuation address (routine + 7)
module : resd 2                  ; d3d9.dll base, then routine, then patch site (routine + 2)
oldprotect : resd 2              ; VirtualProtect old protection of the d3d9 patch page; never used to restore it







