[SOURCE] Old Room Tool

[-[Mr]Zida[n]]

OLD ROOM TOOL

Room Tool

i decided to make the old room tool source public. the tool does not work (only if you run the game on a 2017 client, yes the tool is working on a 2017 client).

due to gamebreaking i decided to remove kick and blacklist options.

to make it work you need to update all the ALLOCS addresses from dbginfo.ini AND game manager address from inside source code.

i will not help you update the tool, for more questions dm.

the tool runs in
original owner:

[NocturneCheats]

Quote:

Originally Posted by -[Mr]Zida[n]

to make it work you need to update all the ALLOCS addresses from dbginfo.ini

 line 10971

FUNC WRITEDBGINFO()
INIWRITE($DBGINFO,"S4Client","base",MAKEHEX($DWBAS E))
INIWRITE($DBGINFO,"S4Client","ProcessID",$IOPID)
INIWRITE($DBGINFO,"Allocs","dwMFunction",MAKEHEX($ DWMFUNCTION))
INIWRITE($DBGINFO,"Allocs","dwBuffer",MAKEHEX($DWB UFFER))
INIWRITE($DBGINFO,"Allocs","dwWA_View",MAKEHEX($DW WA_VIEW))
INIWRITE($DBGINFO,"Allocs","dwWA_Send",MAKEHEX($DW WA_SEND))
INIWRITE($DBGINFO,"Allocs","dwBindStruct",MAKEHEX( $DWBINDSTRUCT))
INIWRITE($DBGINFO,"Allocs","dwHHook",MAKEHEX($DWHH OOK))
INIWRITE($DBGINFO,"Allocs","dwMessageBuffer",MAKEH EX($DWMESSAGEBUFFER))
ENDFUNC

you don't have to update alloc addresses because it already does that at line 10971, all you need to do (possibly) is update addresses at S4Lib.au3 [line 10930 ~ 10955]

 line 10930~10955

$OFF_CGAMEMANAGER=24080528
$OFF_CTEAMMANAGER=24088060
$OFF_CCHATPROXY=24195200
$OFF_GETPLAYERIDBYINDEX=13901504
$OFF_GETACTORCLASS=7785248
$OFF_GETPLAYERCOUNTPERTEAM=13901056
$OFF_GETINSTANCEGS=718480
$OFF_MASTERCHANGEREQ=12096240
$OFF_SUICIDEREQ=11895904
$OFF_KILLREQ=11971696
$OFF_SENDMESSAGE=3788309
$OFF_WRITEAS_VIEWHOOK=$OFF_SENDMESSAGE+3701
$OFF_WRITEAS_WRITEHOOK=$OFF_WRITEAS_VIEWHOOK+100
$OFF_VIEWPUSH=$OFF_WRITEAS_VIEWHOOK+23
$OFF_WRITEPUSH=$OFF_WRITEAS_WRITEHOOK+23
$SPACES="{M-2000,0}"
$OFF_GETINSTANCECROOM=718000
$OFF_SENDBIND=12502896
$OFF_HOSTIDHOOK=12928195
$OFF_HOSTIDBJ=$OFF_HOSTIDHOOK+8
$OFF_CHATBYPASS=3786408
$OFF_CRASH0=12650816
$OFF_LVLCHECKMAIN=9775079
$OFF_LVLCHECKSEC=3767488
$OFF_LVLCHECKTHRD=$OFF_LVLCHECKSEC+11
$OFF_S4BOT_HOOK=12746866

[-[Mr]Zida[n]]

Quote:

Originally Posted by NocturneCheats

you don't have to update alloc addresses because it already does that at line 10971, all you need to do (possibly) is update addresses at S4Lib.au3 [line 10930 ~ 10955]

 S4Lib.au3

#Region Decl
$targetProcess = "S4Client.exe"
Dim $iPID, $hHandle, $dwBase, $AllocStat = False, $iOPID, $dwMFunction, $dwBuffer, $dwWA_View, $dwWA_Send, $dwBindStruct, $dwHHook, $dwMessageBuffer
Dim $Array_PlayerID[20]
$Array_PlayerID[0] = 0

;REG - Offsets
$off_CGameManager = 0x16F7090
$off_CTeamManager = 0x16F8DFC
$off_CChatProxy = 0x1713080

;Pattern: 55 8B EC 83 EC 40 89 4D F4 C7 45 F8 00 00 00 00 8B 45 F4 8B 48 08 89 4D E4 8B
$off_GetPlayerIDByIndex = 0xD16030

;Pattern: 55 8B EC 83 EC 20 89 4D F0 8B 45 F0 8B 48 04 89 4D F4 8B 55 F4 8B 45 F4 8B 4A 04 2B 08 C1 F9 02 89 4D E8 C7 45 FC 00 00 00 00 EB 09 8B 55 FC 83 C2 01 89 55 FC 8B 45 FC 3B 45 E8 73 5D (2nd)
$off_GetActorClass = 0x762520

;Pattern: 55 8B EC 83 EC 3C 89 4D F4 C7 45 F8 00 00 00 00 8B 45 F4 8B 48 08 89 4D E4
$off_GetPlayerCountPerTeam = 0xD15E70

;Pattern: 55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC 0C A1 ?? ?? ?? ?? 33 C5 50 8D 45 F4 64 A3 00 00 00 00 C7 45 E8 ?? ?? ?? ?? C6 (8)
$off_GetInstanceGS = 0xAF330
;Pattern: 55 8B EC 51 89 4D FC 8D 45 08 50 68 ?? ?? ?? ?? 6A 01 8B 4D FC E8 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 8B E5 5D C2 08
$off_MasterChangeReq = 0xB6E980

$off_SuicideReq = 0xB58460 ;<-
;Pattern: 55 8B EC 83 EC 44 89 4D F4 8D 45 1C 50 8D 4D 14 51
$off_KillReq = 0xB6AC70

;89 11 8B 45 A4 89 41 04 8B 55 A8 89 51 08 66 - E75
$off_SendMessage = 0x393ED0
;$off_WriteAs_ViewHook = 0x390530 ;3909B0
$off_WriteAs_ViewHook = $off_SendMessage + 0xE75
$off_WriteAs_WriteHook = $off_WriteAs_ViewHook + 0x64

$off_ViewPush = $off_WriteAs_ViewHook + 0x17
$off_WritePush = $off_WriteAs_WriteHook + 0x17
;$Spaces = _StringRepeat(" ", 350)
$Spaces = "{M-2000,0}"

;55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC 0C A1 ?? ?? ?? ?? 33 C5 50 8D 45 F4 64 A3 00 00 00 00 C7 45 E8 ?? ?? ?? ?? C6 (6)
$off_GetInstanceCRoom = 0xAF150
;55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 81 EC B4 00 00 00 A1 ?? ?? ?? ?? 33 C5 50 8D 45 F4 64 A3 00 00 00 00 89 4D 80 8D 8D 60 FF FF FF
$off_SendBind = 0xBCDD80

;C7 44 24 20 00 00 00 00 8B 4C 24 28 (sec)
$off_HostIDHook = 0xC344F3
$off_HostIDBJ = $off_HostIDHook + 0x8

;0F 84 ?? ?? ?? ?? 8B 95 C4 FE FF FF 83
$off_ChatBypass = 0x3945D8
;55 8B EC 51 89 4D FC 8B 45 FC 83 78 1C 00 75 07 (1)
$off_crash0 = 0xBF19A0

;74 1E 8B 4D 08 51 8B
$off_lvlcheckmain = 0x93DD27
;77 59 8B
$off_lvlchecksec = 0x38FBE0
$off_lvlcheckthrd = $off_lvlchecksec + 0xB

;89 8D 50 FE FF FF 8B 55 BC
$off_S4Bot_Hook = 0xC07EB2

;####################### Files & Settings
$KickList = @ir & "\KickList.ini"
$dbginfo = @ir & "\dbginfo.ini"
#EndRegion Decl

Func S4BotAntiCrash()
$page = VirtualAllocEx($hHandle, 0, 128, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
$S4Bot_Hook = $dwBase + $off_S4Bot_Hook
$S4Bot_backJump = $S4Bot_Hook + 5
$S4Bot_endJump = $S4Bot_Hook + 0xADF

Local $wByte = "0x898D50FEFFFF83BDC4FEFFFF000F85"
$wByte &= Byte_Reverse(Calc($S4Bot_backJump, $page + 0xD)) & "E9"
$wByte &= Byte_reverse(Calc($S4Bot_endJump, $page + 0x13))
WriteProcessMemory($hHandle, $page, $wByte, "Byte[" & (StringLen($wByte) / 2) - 1 & "]")

;Detour
$wByte = "0xE9" & Byte_Reverse(Calc($page, $S4Bot_Hook)) & "90"
WriteProcessMemory($hHandle, $S4Bot_Hook, $wByte, "Byte[" & (StringLen($wByte) / 2) - 1 & "]")
EndFunc

Func WriteDbgInfo()
;FileDelete("dbginfo.ini")
IniWrite($dbginfo, "S4Client", "base", MakeHex($dwBase))
IniWrite($dbginfo, "S4Client", "ProcessID", $iOPID)
IniWrite($dbginfo, "Allocs", "dwMFunction", MakeHex($dwMFunction))
IniWrite($dbginfo, "Allocs", "dwBuffer", MakeHex($dwBuffer))
IniWrite($dbginfo, "Allocs", "dwWA_View", MakeHex($dwWA_View))
IniWrite($dbginfo, "Allocs", "dwWA_Send", MakeHex($dwWA_Send))
IniWrite($dbginfo, "Allocs", "dwBindStruct", MakeHex($dwBindStruct))
IniWrite($dbginfo, "Allocs", "dwHHook", MakeHex($dwHHook))
IniWrite($dbginfo, "Allocs", "dwMessageBuffer", MakeHex($dwMessageBuffer))
EndFunc

#Region Functions
Func TeleportTo()
$dwLocalActor = ReadProcessMemory($hHandle, $dwBase + $off_CGameManager, "dword")
$dwLocalActor = ReadProcessMemory($hHandle, $dwLocalActor + 0x124)
$dwLocalCCollision = ReadProcessMemory($hHandle, $dwLocalActor + 0x118, "dword")

$iPlayerID = GetSelectedPlayerID()
If $iPlayerID = 0 Then Return 0
$dwCTeamManager = ReadProcessMemory($hHandle, $dwBase + $off_CTeamManager, "dword")
$dwActorClass = Call_GetActorClass($dwCTeamManager, $iPlayerID)

$CCollisionObject = ReadProcessMemory($hHandle, $dwActorClass + 0x118)
$corA = ReadProcessMemory($hHandle, $CCollisionObject + 0x684, "Byte[12]")

WriteProcessMemory($hHandle, $dwLocalCCollision + 0x684, $corA, "Byte[12]")
EndFunc ;==>TeleportTo

Func CCActor()
$iPlayerID = GetSelectedPlayerID()
If $iPlayerID = 0 Then Return 0
$dwCTeamManager = ReadProcessMemory($hHandle, $dwBase + $off_CTeamManager, "dword")
ClipPut(Hex(Call_GetActorClass($dwCTeamManager, $iPlayerID),8))
EndFUnc
#EndRegion BaseFuncs

Func GetInstance()
$dwInstance = ReadProcessMemory($hHandle, $dwBase + $off_CGameManager, "dword")
$dwInstance = ReadProcessMemory($hHandle, $dwInstance + 0x138, "dword")
Return ReadProcessMemory($hHandle, $dwInstance + 0x10, "dword")
EndFunc

Func Call_GetActorClass($ecx, $iPlayerID)
#cs
Structure:
6A 00
68 <playerid>
8B 0D <Byterev: Buffer(instance)>
E8 <Byterev: Calc: GetActorClass>
A3 <Byterev: Buffer(result)>
C3
#ce
Local $wByte = "0x6A0068"

$ret = WriteProcessMemory($hHandle, $dwBuffer, "0x" & Byte_Reverse($ecx), "Byte[4]")
If $ret <> 0 Then
Return 0
EndIf

$wByte &= Byte_Reverse($iPlayerID) & "8B0D"
$wByte &= Byte_Reverse($dwBuffer)
$wByte &= "E8" & Byte_Reverse(Calc($dwBase + $off_GetActorClass, $dwMFunction + 0xD))
$wByte &= "A3" & Byte_Reverse($dwBuffer) & "C3"
$ret = WriteProcessMemory($hHandle, $dwMFunction, $wByte, "Byte[" & StringLen($wByte) / 2 - 1 & "]")
If $ret <> 0 Then
Return 0
EndIf

$ret = DllCall("kernel32.dll", "int", "CreateRemoteThread", "int", $hHandle, "ptr", 0, "int", 0, "int", $dwMFunction, "ptr", 0, "int", 0, "int", 0)
If $ret = 0 Then
Return 0
EndIf

$read = $ecx
Do
$read = ReadProcessMemory($hHandle, $dwBuffer, "int")
Until $read <> $ecx
Return $read
EndFunc ;==>Call_GetActorClass
#EndRegion S4Lib Calls

#Region Other shit
Func Calc($dwCall, $dwAddress, $i = 0)
If Not IsInt($dwCall) Then $dwCall = Dec(StringReplace($dwCall, "0x", ""))
If Not IsInt($dwAddress) Then $dwAddress = Dec(StringReplace($dwAddress, "0x", ""))

If $i = 1 Then
Local $tmp = $dwCall
$dwCall = $dwAddress
$dwAddress = $tmp
EndIf

Return Hex($dwCall - $dwAddress - 5, 8)
EndFunc ;==>Calc

Func Byte_Reverse($sBytes)
;If StringInStr($sBytes, "0x") = 1 Then StringReplace($sBytes, "0x", "")
If IsInt($sBytes) Then
$sBytes = Hex($sBytes, 8)
$sBytes = StringReplace($sBytes, "0x", "")
EndIf
$sBytes = StringReplace($sBytes, "0x", "")
Local $sReversed = ""
For $i = StringLen($sBytes) - 1 To 1 Step -2
$sReversed &= StringMid($sBytes, $i, 2)
Next
Return $sReversed
EndFunc ;==>Byte_Reverse

Func MakeHex($Val)
If StringInStr($Val, "0x") = 0 And IsInt($Val) = 0 Then Return "0x" & $Val
If IsInt($Val) Then Return "0x" & Hex($Val,8)
Return $Val
EndFunc
#EndRegion Other shit

[NocturneCheats]

Quote:

Originally Posted by -[Mr]Zida[n]

...

I have it as well, i'm telling you that there is no sense updating alloc addresses at dbginfo. All you have to do is update addresses inside s4lib.au3 (which you didn't post and i wrote exact lines that people need to know)

+ just because crash option removed from context menu doesn't mean you actually removed it (I can still see the address and pattern of it).

[Lxkas]

That's a crazy release, you're the GOAT. (I updated it, and it works flawlessly, so it's still usable.)

[TestoBla]

[-[Mr]Zida[n]]

Quote:

Originally Posted by TestoBla

the tool is not working, you need to update the addresses. this is just the source code.