Warrock - Code Snippets

Kazbah__ · 05/18/2013, 12:38

Quote:

Liegt es daran das ich einen Hackshield Bypass brauche.
Und wenn ja woher bekomme ich einen ?

such einfach die detection

MineCore · 05/18/2013, 12:44

Quote:

Originally Posted by Zyzz__

such einfach die detection

Ok moment!
Ich glaube es liegt am autoStart !
Edit:**** ich finde die nicht!

Kazbah__ · 05/18/2013, 13:19

wär auch ein wunder wenn du die in 6 min findest

MineCore · 05/18/2013, 13:30

Quote:

Originally Posted by Zyzz__

wär auch ein wunder wenn du die in 6 min findest

Hab nur 5 Funktionen

Und hab dir eine Pn geschickt !

GigaByte™ · 05/19/2013, 14:18

#Request: Latest Ehsvc dump

Nevermind I have it now. But if anyone wants to upload it for someone else go ahead

Raz9r · 05/19/2013, 19:25

Hey guys,

here is an example for virtual table hooking made easy and typesafe by templates. This requires your compiler to support variadic templates (for VS2012 install the November 2012 CTP).

vtable_hook, vtable_hook_cdecl, vtable_hook_stdcall only differ in their calling conventions used.
Each of them takes the following arguments: The class object pointer, the vtable index for the method, and the hook itself; they return a function pointer to the original function.

So what's the advantage of this method you might ask? It is totally typesafe, no casting at all is needed. That means the compiler is going to tell you if the functions signatures don't match.

Here you go, with a fully functioning example:

Code:

#include <iostream>
#include <utility>
#include <Windows.h>
#include <system_error>

class Class
{
public:
	virtual void		   method0(int arg) { std::cout << arg << std::endl; }
	virtual void __cdecl   method1()		{ std::cout << "in Class::method1" << std::endl; }
	virtual void __stdcall method2()		{ std::cout << "in Class::method2" << std::endl; }
};

void (*original0)(Class *, int)      = nullptr;
void hook0(Class *obj, int arg)    { original0(obj, arg * 2); }

void (__cdecl *original1)(Class *)   = nullptr;
void __cdecl   hook1(Class *obj)   { std::cout << "in hook1" << std::endl; original1(obj); }

void (__stdcall *original2)(Class *) = nullptr;
void __stdcall	 hook2(Class *obj) { std::cout << "in hook2" << std::endl; original2(obj); }

class virtualprotect_guard
{
private:
	DWORD protection_;
	
public:
	virtualprotect_guard(void *ptr, size_t len, DWORD prot)	: protection_(0)
	{
		if (!::VirtualProtect(ptr, len, prot, &protection_))
			throw std::system_error(::GetLastError(), std::system_category());
	}
	
	// might throw, add noexcept(false) if supported
	~virtualprotect_guard()
	{
		if (!::VirtualProtect(ptr, len, protection_, &protection_))
			throw std::system_error(::GetLastError(), std::system_category());
	}
};

template <typename R, class C, typename... T>
R (*vtable_hook(C *object, size_t index, R (*hook)(C *, T...)))(C *, T...)
{
	virtualprotect_guard guard(*reinterpret_cast<void ***>(object))[index], sizeof(void *), PAGE_EXECUTE_READWRITE);
	std::swap(reinterpret_cast<void *&>(hook), (*reinterpret_cast<void ***>(object))[index]);
	return hook;
}

template <typename R, class C, typename... T>
R (__cdecl *vtable_hook_cdecl(C *object, size_t index, R (__cdecl *hook)(C *, T...)))(C *, T...)
{
	virtualprotect_guard guard(*reinterpret_cast<void ***>(object))[index], sizeof(void *), PAGE_EXECUTE_READWRITE);
	std::swap(reinterpret_cast<void *&>(hook), (*reinterpret_cast<void ***>(object))[index]);
	return hook;
}

template <typename R, class C, typename... T>
R (__stdcall *vtable_hook_stdcall(C *object, size_t index, R (__stdcall *hook)(C *, T...)))(C *, T...)
{
	virtualprotect_guard guard(*reinterpret_cast<void ***>(object))[index], sizeof(void *), PAGE_EXECUTE_READWRITE);
	std::swap(reinterpret_cast<void *&>(hook), (*reinterpret_cast<void ***>(object))[index]);
	return hook;
}

int main(int argc, char *argv[])
{
	auto obj = new Class;
	
	original0 = vtable_hook		   (obj, 0, hook0);
	original1 = vtable_hook_cdecl  (obj, 1, hook1);
	original2 = vtable_hook_stdcall(obj, 2, hook2);
	
	obj->method0(5); // prints 5*2
	obj->method1();
	obj->method2();
	
	return 0;
}

SilverRazzer <3 · 05/20/2013, 15:51

Code:

HRESULT GenerateShader(LPDIRECT3DDEVICE9 pD3Ddev, IDirect3DPixelShader9 **pShader, float r, float g, float b )
{
    char szShader[ 256 ];
    ID3DXBuffer *pShaderBuf = NULL;
    sprintf( szShader, "ps.1.1\ndef c0, %f, %f, %f, %f\nmov r0,c0", r, g, b, 1.0f );
    D3DXAssembleShader( szShader, sizeof( szShader ), NULL, NULL, 0, &pShaderBuf, NULL );
    if( FAILED( pD3Ddev->CreatePixelShader((const DWORD*)pShaderBuf->GetBufferPointer(), pShader)) )return E_FAIL;
    return S_OK;
}

Credits: Unknown

if(GetAsyncKeyState(VK_DELETE)) MoveMenu = (!MoveMenu);

if( MoveMenu ) {
   POINT myCursor; 
   GetCursorPos(&myCursor); // get the cursor position.
   if(GetAsyncKeyState(VK_LBUTTON)) {
      menu.x = myCursor.x; // set the x of your menu to the cursor x position.
      menu.y = myCursor.y; // set the y of your menu to the cursor y position.
   }
}

Credits: Crash

[ 21.Mai.2013 - HackShield Bypass ]
[ Credits: Xave & SilverRazzer ]

Code:

DWORD HSDevicePointer;
void VMTHSBYPASS (void)
{   
	   DWORD hEhSvc = (int)GetModuleHandle("EhSvc.dll");
	   if( hEhSvc !=0 )
	   {
		   HSDevicePointer = (hEhSvc+0xA70954);
		   while(1)
		   {
				cTools->WriteMemory((void*)(hEhSvc+0x008518E),(void*)"\xC2\x04\x00",3);
				cTools->WriteMemory((void*)(hEhSvc+0x00A1A0),(void*)"\xC2\x04\x00",3);
				cTools->WriteMemory((void*)(hEhSvc+0x00A713A),(void*)"\x31",1);
				cTools->WriteMemory((void*)(hEhSvc+0x00A481E),(void*)"\x31",1);
				cTools->WriteMemory((void*)(0x0051B92D),(void*)"\xEB",1);

		   Sleep(20);
	       }
	   }
}

I dont know if its work, test it!

Cyno™ · 05/22/2013, 10:19

Quote:

Originally Posted by SilverRazzer <3

Code:

HRESULT GenerateShader(LPDIRECT3DDEVICE9 pD3Ddev, IDirect3DPixelShader9 **pShader, float r, float g, float b )
{
    char szShader[ 256 ];
    ID3DXBuffer *pShaderBuf = NULL;
    sprintf( szShader, "ps.1.1\ndef c0, %f, %f, %f, %f\nmov r0,c0", r, g, b, 1.0f );
    D3DXAssembleShader( szShader, sizeof( szShader ), NULL, NULL, 0, &pShaderBuf, NULL );
    if( FAILED( pD3Ddev->CreatePixelShader((const DWORD*)pShaderBuf->GetBufferPointer(), pShader)) )return E_FAIL;
    return S_OK;
}

Credits: Unknown

if(GetAsyncKeyState(VK_DELETE)) MoveMenu = (!MoveMenu);

if( MoveMenu ) {
   POINT myCursor; 
   GetCursorPos(&myCursor); // get the cursor position.
   if(GetAsyncKeyState(VK_LBUTTON)) {
      menu.x = myCursor.x; // set the x of your menu to the cursor x position.
      menu.y = myCursor.y; // set the y of your menu to the cursor y position.
   }
}

Credits: Crash

[ 21.Mai.2013 - HackShield Bypass ]
[ Credits: Xave & SilverRazzer ]

Code:

DWORD HSDevicePointer;
void VMTHSBYPASS (void)
{   
	   DWORD hEhSvc = (int)GetModuleHandle("EhSvc.dll");
	   if( hEhSvc !=0 )
	   {
		   HSDevicePointer = (hEhSvc+0xA70954);
		   while(1)
		   {
				cTools->WriteMemory((void*)(hEhSvc+0x008518E),(void*)"\xC2\x04\x00",3);
				cTools->WriteMemory((void*)(hEhSvc+0x00A1A0),(void*)"\xC2\x04\x00",3);
				cTools->WriteMemory((void*)(hEhSvc+0x00A713A),(void*)"\x31",1);
				cTools->WriteMemory((void*)(hEhSvc+0x00A481E),(void*)"\x31",1);
				cTools->WriteMemory((void*)(0x0051B92D),(void*)"\xEB",1);

		   Sleep(20);
	       }
	   }
}

I dont know if its work, test it!

Why do you define HSDevice Pointer without even using it?

Why do you loop infinitely , even when the bytes never get restored ?

What if the first GetModuleHandle fails ( For example when HS isn't already loaded ) ?
It will cause that the Bypass doesn't get executed.

Why do you cast the Module Pointer to an "integer" , even if you put it into an long variable without a sign?

Why don't you initialize HSDevicePointer properply for example with 0 ?

As its an endless loop, it will run in a Thread created by CreateThread.
Why don't you declare your function header as DWORD stdcall , taking 1 void * argument ?
It will/can cause a stack corruption.

Why do you post things, that you don't even tested out?

All in all its a very shitty post

~~Xave :)~~ · 05/22/2013, 13:26

HackShield Bypass:

Code:

void HackShieldBP (void)
{
    DWORD hEhSvc = 0;
    do{
    hEhSvc = (DWORD)GetModuleHandle("EhSvc.dll");
    Sleep(300); // Waiting EhSvc.dll Module
    }while(!hEhSvc);

	//==> EhSvc
	cTools->WriteMemory((LPVOID)(hEhSvc+0x008518E),(PBYTE)"\xC2\x04\x00",3);
	cTools->WriteMemory((LPVOID)(hEhSvc+0x00A1A0),(PBYTE)"\xC2\x04\x00",3);
	//==> WarRock
	cTools->WriteMemory((LPVOID)0x5DA8BE,(PBYTE)"\xC3",1);
}

Credits:
.Xave ( EhSvc Addys + Source )
RoBerTo ( WarRock Addy )

Cyno™ · 05/22/2013, 14:53

Quote:

Originally Posted by .χανє

HackShield Bypass:

Code:

void HackShieldBP (void)
{
    DWORD hEhSvc = 0;
    do{
    hEhSvc = (DWORD)GetModuleHandle("EhSvc.dll");
    Sleep(300); // Waiting EhSvc.dll Module
    }while(!hEhSvc);

	//==> EhSvc
	cTools->WriteMemory((LPVOID)(hEhSvc+0x008518E),(PBYTE)"\xC2\x04\x00",3);
	cTools->WriteMemory((LPVOID)(hEhSvc+0x00A1A0),(PBYTE)"\xC2\x04\x00",3);
	//==> WarRock
	cTools->WriteMemory((LPVOID)0x5DA8BE,(PBYTE)"\xC3",1);
}

Credits:
.Xave ( EhSvc Addys + Source )
RoBerTo ( WarRock Addy )

So if you found the EhSvc addys and did the bytes tell us what they normally do and what your patch of their bytes is causing

~~Xave :)~~ · 05/22/2013, 15:06

Quote:

Originally Posted by Cyno™

So if you found the EhSvc addys and did the bytes tell us what they normally do and what your patch of their bytes is causing

0x008518E = MainCallback2 | RETN 4 Disables the void
0x00A1A0 = SelfCRC | RETN 4 Disables the void
0x5DA8BE = MainPacketHandler

Code:

005F1A31    68 BEA85D00     push    005DA8BE // Handler (Type: int Params: (DWORD packetBuffer))
005F1A36    BA 207A0000     mov     edx, 7A20 // OPC
005F1A3B    8BC6            mov     eax, esi
005F1A3D    E8 C3010000     call    005F1C05 // Add Packet Sub

Registers the handler for The EHSVC Packet(31264) -> C3 Returns the Packet and with that all checks inside WarRock.exe are disabled

CyberMask · 05/23/2013, 13:59

Hi guys, i want to share mine Draw Rounded Border code with you
I use normal DrawRectangle to make it.
Look .

Code:

VOID DrawField(INT iFromX,INT iFromY,INT iToX,INT iToY,DWORD dwColor,LPDIRECT3DDEVICE9 pDevice)
{
	D3DRECT Rect = {iFromX,iFromY,(iFromX+iToX),(iFromY+iToY)};
	pDevice->Clear(1,&Rect,(D3DCLEAR_TARGET),dwColor,1.0F,0);
}
VOID DrawBorder(INT iPosX,INT iPosY,INT iToX,INT iToY,INT iWidth,DWORD dwColor,LPDIRECT3DDEVICE9 pDevice)
{
	DrawField(iPosX,(iPosY+iToY-iWidth),iToX,iWidth,dwColor,pDevice);
	DrawField((iPosX+iToX-iWidth),iPosY,iWidth,iToY,dwColor,pDevice);
	DrawField(iPosX,iPosY,iWidth,iToY,dwColor,pDevice);
	DrawField(iPosX,iPosY,iToX,iWidth,dwColor,pDevice);
}

Code:

VOID DrawRoundedBorder ( INT PosX, INT PosY , INT ToX , INT ToY , INT Width , DWORD dwColor , LPDIRECT3DDEVICE9 pDevice )
{
	DrawBorder(PosX,PosY,ToX,1,Width,dwColor,pDevice);
	

	DrawBorder(PosX-1,PosY+1,1,1,Width,dwColor,pDevice);
	DrawBorder(PosX-2,PosY+2,1,1,Width,dwColor,pDevice);
	DrawBorder(PosX-3,PosY+3,1,1,Width,dwColor,pDevice);
	DrawBorder(PosX-4,PosY+4,1,1,Width,dwColor,pDevice);

	DrawBorder(PosX+(ToX),PosY+1,1,1,Width,dwColor,pDevice);
	DrawBorder(PosX+(ToX+1),PosY+2,1,1,Width,dwColor,pDevice);
	DrawBorder(PosX+(ToX+2),PosY+3,1,1,Width,dwColor,pDevice);
	DrawBorder(PosX+(ToX+3),PosY+4,1,1,Width,dwColor,pDevice);

	DrawBorder(PosX-4,PosY+4,1,ToY,Width,dwColor,pDevice);

	DrawBorder(PosX-4,PosY+(ToY+4),1,1,Width,dwColor,pDevice);
	DrawBorder(PosX-3,PosY+(ToY+5),1,1,Width,dwColor,pDevice);
	DrawBorder(PosX-2,PosY+(ToY+6),1,1,Width,dwColor,pDevice);
	DrawBorder(PosX-1,PosY+(ToY+7),1,1,Width,dwColor,pDevice);

	DrawBorder(PosX,PosY+(ToY+7),ToX,1,Width,dwColor,pDevice);

	DrawBorder(PosX+(ToX+3),PosY+(ToY+4),1,1,Width,dwColor,pDevice);
	DrawBorder(PosX+(ToX+2),PosY+(ToY+5),1,1,Width,dwColor,pDevice);
	DrawBorder(PosX+(ToX+1),PosY+(ToY+6),1,1,Width,dwColor,pDevice);
	DrawBorder(PosX+(ToX+0),PosY+(ToY+7),1,1,Width,dwColor,pDevice);

	DrawBorder(PosX+(ToX+3),PosY+4,1,ToY,Width,dwColor,pDevice);
	
	

}

An Example ?

Code:

DrawRoundedBorder(20,30,90,20,1,RED,pDevice);

=

Credits : cybermask,eagl3,cyberrazzer

Kazbah__ · 05/23/2013, 16:53

Quote:

Source DrawRoundedBorder

Hi guys, i want to share mine Draw Rounded Border code with you
I use normal DrawRectangle to make it.
Look .

sure urs ... credits to algorithmus or angel-piece

Angel-Piece2 · 05/23/2013, 20:12

QuickPlant & Defuse By iKito

Code:

Addys:
#define ADR_QuickPlant 0x5118A8
#define ADR_QuickDefuse 0x50DA25

Code:

if(items->menu.player.QuickPlant==0){MemEditing((void *)(ADR_QuickPlant), (PBYTE)"\x0F\x8A\x29\xFE\xFF\FF",6);}
if(items->menu.player.QuickPlant==1){MemEditing((void *)(ADR_QuickPlant), (PBYTE)"\x90\x90\x90\x90\x90\x90",6);}

if(items->menu.player.QuickDefuse==0){MemEditing((void *)(ADR_QuickDefuse), (PBYTE)"\x0F\x8A\xE1\x02\x00\x00",6);}
if(items->menu.player.QuickDefuse==1){MemEditing((void *)(ADR_QuickDefuse), (PBYTE)"\x90\x90\x90\x90\x90\x90",6);}

Credits:
iKito

~~playncheat99~~ · 05/23/2013, 21:43

#Request Speedhack and Unl. Stamina
cuz These codes dont work O.o

Dunno why

Quote:

//SPEED
*(double*)(ADR_Speed) = +200.0f;
//STAMINA
*(float*)(ADR_Stamina1) = 1000;
*(float*)(ADR_Stamina2) = 1000;
*(float*)(ADR_Stamina3) = 0;
*(float*)(ADR_Stamina4) = 0;
*(float*)(ADR_Stamina5) = 0;