Вопрос Can't hook CHLClient::CreateMove

[Naqix]

Been trying for hours. Whenever I use my cmd pointer to access something, it crashes.

screenshot of the crash:

Пожалуйста, авторизуйтесь для просмотра ссылки.

The code for the CreateMove proxy and the function it calls:

static void __stdcall CreateMove(int sequenceNumber, float inputSampleFrametime, bool isActive, bool& sendPacket) noexcept
{
    // process original CHLClient::CreateMove -> CInput::CreateMove
    h::CreateMoveOriginal(i::client, 0, sequenceNumber, inputSampleFrametime, isActive);

    UserCmd* cmd = i::input->GetUserCmd(sequenceNumber);
    VerifiedUserCmd* verifiedCmd = i::input->GetVerifiedUserCmd(sequenceNumber);

    // check do we have valid commands, finished signing on to server and not playing back demos (where our commands are ignored)
    if (!cmd || !isActive || !cmd->commandNumber)
        return;

    verifiedCmd->userCmd = *cmd;
    verifiedCmd->hashCrc = cmd->GetChecksum();
}

__declspec(naked) void __stdcall h::CreateMoveProxy(BaseClientDll* thisptr, int edx, int sequenceNumber, float inputSampleFrametime, bool isActive)
{
    __asm
    {
        push ebp
        mov ebp, esp;
        push ebx; // bSendPacket
        push esp;
        push dword ptr[isActive]; // ebp + 16
        push dword ptr[inputSampleFrametime]; // ebp + 12
        push dword ptr[sequenceNumber]; // ebp + 8
        call CreateMove
            pop ebx
            pop ebp
            retn 0Ch
    }
}

 

[Abybachup]

Been trying for hours. Whenever I use my cmd pointer to access something, it crashes.

screenshot of the crash:

Пожалуйста, авторизуйтесь для просмотра ссылки.

The code for the CreateMove proxy and the function it calls:

static void __stdcall CreateMove(int sequenceNumber, float inputSampleFrametime, bool isActive, bool& sendPacket) noexcept
{
    // process original CHLClient::CreateMove -> CInput::CreateMove
    h::CreateMoveOriginal(i::client, 0, sequenceNumber, inputSampleFrametime, isActive);

    UserCmd* cmd = i::input->GetUserCmd(sequenceNumber);
    VerifiedUserCmd* verifiedCmd = i::input->GetVerifiedUserCmd(sequenceNumber);

    // check do we have valid commands, finished signing on to server and not playing back demos (where our commands are ignored)
    if (!cmd || !isActive || !cmd->commandNumber)
        return;

    verifiedCmd->userCmd = *cmd;
    verifiedCmd->hashCrc = cmd->GetChecksum();
}

__declspec(naked) void __stdcall h::CreateMoveProxy(BaseClientDll* thisptr, int edx, int sequenceNumber, float inputSampleFrametime, bool isActive)
{
    __asm
    {
        push ebp
        mov ebp, esp;
        push ebx; // bSendPacket
        push esp;
        push dword ptr[isActive]; // ebp + 16
        push dword ptr[inputSampleFrametime]; // ebp + 12
        push dword ptr[sequenceNumber]; // ebp + 8
        call CreateMove
            pop ebx
            pop ebp
            retn 0Ch
    }
}

update cinput

 

[ReturnAddr]

update struct CInput
Click RMB with pressed ctrl to "input" where "i::input" and update this struct

 

[fidachyo]

__declspec( naked ) void __stdcall client_dll::create_move_proxy( int seq_number, float input_sample_frame_time, bool active ) {
        __asm {
            push ebp
            mov  ebp, esp
            push ebx
            push esp
            push dword ptr[ active ]
            push dword ptr[ input_sample_frame_time ]
            push dword ptr[ seq_number ]
            call create_move
            pop  ebx
            pop  ebp
            retn 0Ch
        }
    }

    void __stdcall client_dll::create_move( int seq_number, float input_sample_frame_time, bool active, bool& send_packet ) {
        o_create_move( csgo::g_client_dll, seq_number, input_sample_frame_time, active );

        if ( !csgo::g_local_player || !csgo::g_local_player->alive( ) )
            return;

        send_packet = true;

        auto cmd = csgo::g_input->user_cmd( seq_number );

        if ( !cmd || !cmd->m_command_number )
            return;
           
        const auto verified_cmd = csgo::g_input->vfyd_cmd( seq_number );

        verified_cmd->m_cmd = *cmd;
        verified_cmd->m_crc = cmd->check_sum( );
    }

    namespace client_dll {
        void __stdcall create_move_proxy( int seq_number, float input_sample_frame_time, bool active );
        void __stdcall create_move( int seq_number, float input_sample_frame_time, bool active, bool& send_packet );

        using o_create_move_t = void( __thiscall* )( csgo::client_dll_t* const, int, float, bool );
        inline o_create_move_t o_create_move{};
    }

        static const auto create_move_target = sdk::g_mem->virt_func<void*>( csgo::g_client_dll, 22u );
       
        if ( MH_CreateHook( create_move_target, &client_dll::create_move_proxy, reinterpret_cast< void** >( &client_dll::o_create_move ) ) != MH_OK )
            throw std::runtime_error( "failed to initialize create_move. (outdated index?)" );

    struct input_t {
        VFUNC( user_cmd( int slot, int sequence_number ), 8, user_cmd_t* ( __thiscall* )( void*, int, int ), slot, sequence_number );

        user_cmd_t* user_cmd( int sequence_number ) {
            return &m_cmds[ sequence_number % MULTIPLAYER_BACKUP ];
        }

        vfyd_cmd_t* vfyd_cmd( int sequence_number ) {
            return &m_vfyd_cmds[ sequence_number % MULTIPLAYER_BACKUP ];
        }

        char                    pad0[12]{};
        bool                    m_track_ir_available{};
        bool                    m_mouse_initialized{};
        bool                    m_mouse_active{};
        char                    pad1[154]{};
        bool                    m_camera_in_third_person{};
        char                    pad2[2]{};
        sdk::vec3_t                m_camera_offset{};
        char                    pad3[56]{};
        user_cmd_t*                m_cmds{};
        vfyd_cmd_t*                m_vfyd_cmds{};
    };

 

[Naqix]

update struct CInput
Click RMB with pressed ctrl to "input" where "i::input" and update this struct

The struct is updated already.

 

[Naqix]

__declspec( naked ) void __stdcall client_dll::create_move_proxy( int seq_number, float input_sample_frame_time, bool active ) {
        __asm {
            push ebp
            mov  ebp, esp
            push ebx
            push esp
            push dword ptr[ active ]
            push dword ptr[ input_sample_frame_time ]
            push dword ptr[ seq_number ]
            call create_move
            pop  ebx
            pop  ebp
            retn 0Ch
        }
    }

    void __stdcall client_dll::create_move( int seq_number, float input_sample_frame_time, bool active, bool& send_packet ) {
        o_create_move( csgo::g_client_dll, seq_number, input_sample_frame_time, active );

        if ( !csgo::g_local_player || !csgo::g_local_player->alive( ) )
            return;

        send_packet = true;

        auto cmd = csgo::g_input->user_cmd( seq_number );

        if ( !cmd || !cmd->m_command_number )
            return;
          
        const auto verified_cmd = csgo::g_input->vfyd_cmd( seq_number );

        verified_cmd->m_cmd = *cmd;
        verified_cmd->m_crc = cmd->check_sum( );
    }

    namespace client_dll {
        void __stdcall create_move_proxy( int seq_number, float input_sample_frame_time, bool active );
        void __stdcall create_move( int seq_number, float input_sample_frame_time, bool active, bool& send_packet );

        using o_create_move_t = void( __thiscall* )( csgo::client_dll_t* const, int, float, bool );
        inline o_create_move_t o_create_move{};
    }

 static const auto create_move_target = sdk::g_mem->virt_func<void*>( csgo::g_client_dll, 22u );
      
        if ( MH_CreateHook( create_move_target, &client_dll::create_move_proxy, reinterpret_cast< void** >( &client_dll::o_create_move ) ) != MH_OK )
            throw std::runtime_error( "failed to initialize create_move. (outdated index?)" );

 struct input_t {
        VFUNC( user_cmd( int slot, int sequence_number ), 8, user_cmd_t* ( __thiscall* )( void*, int, int ), slot, sequence_number );

        user_cmd_t* user_cmd( int sequence_number ) {
            return &m_cmds[ sequence_number % MULTIPLAYER_BACKUP ];
        }

        vfyd_cmd_t* vfyd_cmd( int sequence_number ) {
            return &m_vfyd_cmds[ sequence_number % MULTIPLAYER_BACKUP ];
        }

        charpad0[12]{};
        bool m_track_ir_available{};
        bool m_mouse_initialized{};
        bool m_mouse_active{};
        charpad1[154]{};
        bool m_camera_in_third_person{};
        charpad2[2]{};
        sdk::vec3_t m_camera_offset{};
        charpad3[56]{};
        user_cmd_t* m_cmds{};
        vfyd_cmd_t* m_vfyd_cmds{};
    };

still crashes:

Пожалуйста, авторизуйтесь для просмотра ссылки.

 

[fidachyo]

still crashes:

Пожалуйста, авторизуйтесь для просмотра ссылки.

did you do 1 in 1?

 

[Naqix]

did you do 1 in 1?

well, yes

 

[fidachyo]

well, yes

too little info, i cant help you

 

[Naqix]

too little info, i can't help you

What info do you need? I'm not getting much info myself other than the fact that I crash whenever my cmd pointer is used.

 

[ReturnAddr]

The struct is updated already.

bad update btw

 

[Naqix]

bad update btw

What do you mean with "bad update btw"? My struct was updated, I tried the struct that the guy sent(they were the same btw). So how is it the struct?

 

[ReturnAddr]

What do you mean with "bad update btw"? My struct was updated, I tried the struct that the guy sent(they were the same btw). So how is it the struct?

compile in debug? injector is mmap or lla?

 

[Naqix]

compile in debug? injector is mmap or lla?

I obv compile in debug as that's where I have my debug info generated, however the release build also crashes. As far as it goes for the injector, I use processhacker with -insecure, but does that really matter?

 

[PanHack]

can you show ur getusercmd ?

 

[Naqix]

can you show ur getusercmd ?

    UserCmd * GetUserCmd(int sequenceNumber) {
        return &commands [sequenceNumber % 150];
    }
    VerifiedUserCmd * GetVerifiedUserCmd(int sequenceNumber) {
        return &verifiedCommands [sequenceNumber % 150];
    }

 

[Naqix]

Anyone has a clue? I still have the same problem:

Пожалуйста, авторизуйтесь для просмотра ссылки.

 

[tift0]

Anyone has a clue? I still have the same problem:

Пожалуйста, авторизуйтесь для просмотра ссылки.

 

[Naqix]

Hidden content

class UserCmd
{
public:
    virtual ~UserCmd() { }

    CRC32_t GetChecksum(void) const
    {
        CRC32_t crc;
        CRC32_Init(&crc);

        CRC32_ProcessBuffer(&crc, &commandNumber, sizeof(commandNumber));
        CRC32_ProcessBuffer(&crc, &tickCount, sizeof(tickCount));
        CRC32_ProcessBuffer(&crc, &viewPoint, sizeof(viewPoint));
        CRC32_ProcessBuffer(&crc, &aimDirection, sizeof(aimDirection));
        CRC32_ProcessBuffer(&crc, &forwardMove, sizeof(forwardMove));
        CRC32_ProcessBuffer(&crc, &sideMove, sizeof(sideMove));
        CRC32_ProcessBuffer(&crc, &upMove, sizeof(upMove));
        CRC32_ProcessBuffer(&crc, &buttons, sizeof(buttons));
        CRC32_ProcessBuffer(&crc, &impulse, sizeof(impulse));
        CRC32_ProcessBuffer(&crc, &weaponSelect, sizeof(weaponSelect));
        CRC32_ProcessBuffer(&crc, &weaponSubType, sizeof(weaponSubType));
        CRC32_ProcessBuffer(&crc, &randomSeed, sizeof(randomSeed));
        CRC32_ProcessBuffer(&crc, &mouseDeltaX, sizeof(mouseDeltaX));
        CRC32_ProcessBuffer(&crc, &mouseDeltaY, sizeof(mouseDeltaY));

        CRC32_Final(&crc);
        return crc;
    }

    int commandNumber;
    int tickCount;
    vectorviewPoint;
    Vector aimDirection;
    float forwardMove;
    float sideMove;
    float upMove;
    int buttons;
    uint8_t impulse;
    int weaponSelect;
    int weaponSubType;
    int randomSeed;
    short mouseDeltaX;
    short mouseDeltaY;
    bool hasBeenPredicted;
    Vector headAngles;
    Vector headOffset;