Obfuscation Wrapper #71

Closed
IntelSDM opened this issue Jul 6, 2024 · 8 comments
Labels
documentation Improvements or additions to documentation

Comments

@IntelSDM
Owner

IntelSDM commented Jul 6, 2024

@arlohewitt Since you wanted this in another issue, here is the encryption wrapper:
Go to any encrypted class instance(base networkable for instance)
image
Then go into the class encryption container class.
Control click onto the inheritor of the class:
image
Find the static class for that in script.json.

Ok so read the dictionary in your code like this:
Class = Read gameassembly + class
static = Read Class + 0xb8
Dictionary = Read Static + 0x0
Objectlist = Read Dictionary + 0x18
Objectlist size = Read objectlist + 0x18

Then loop the list:
object = read I
objectclasstype = read object
parent = read objectclasstype + 0x20
nameptr = read objectclasstype + 0x10
name = read as char array(char addname[36]) at the nameptr address

ListDictionary`2 is the names of basenetworkable list and visible playerlist. first instance is base networkable, 2nd is visibleplayerlist
Baseplayer is localbaseplayer
To read stuff for baseplayer you need to incrementally keep updating a map with the pointers for lets say playerinventory
The pointer to the baseplayer is the parent. So store a map with parent as key and object as value and then call it playerinventorymap. Then just update that map enough and you can just grab it from that map. Do that to all those hidden classes, if implemented correctly there is little performance impact.

That's how you circumvent the obfuscation wrapper. I would give you the code and all but I am too burnt out right now, so you have to deal with the pseudo code, as my code is a right mess from the 700 commits my rust cheat has gotten.

@IntelSDM IntelSDM pinned this issue Jul 6, 2024
@arlohewitt
Contributor

arlohewitt commented Jul 6, 2024

Really appreciate this!

From what I have understood, it's a static dictionary containing all of the now obfuscated entries;
we can simply iterate this dict in order to find whatever we need.

For baseplayer stuff, (objectclasstype +0x20) == localplayer's BasePlayer, in which case we can update a map 'playerinventorymap'.
I have changed out AdminFlag for interactive debug, so I will also need to update PlayerEyes like this ^ too.

That is where I am at thus far; I'd appreciate it if you could provide code on iterating the Objectlist.

As for determining our localplayer's BasePlayer, would you just check if (objectclasstype +0x20) == (gameassembly + class LocalPlayer), or is that not how parent works?

Again, thanks for all of this info, it's more than UC has had over the last couple of days.

@IntelSDM
Owner Author

IntelSDM commented Jul 7, 2024

```cpp
uint64_t objectlist = mem.Read<uint64_t>(Dictionary + 0x18);
uint32_t objectlistsize = mem.Read<uint32_t>(objectlist + 0x18);
for (size_t i = 0; i < objectlistsize; i++)
{
	uint64_t object = mem.Read<uint64_t>(ObjectList + (0x20 + (i * 8)));
	Objectclasstype = mem.Read<uint64_t>(object);
	nameptr = mem.Read<uint64_t>(Objectclasstype + 0x10); // this is not the name but the pointer pointing to a char array to the class name
	parent = mem.Read<uint64_t>(object + 0x20);

	// Then just check the actual name is == to the class you want. Object will be the address for it. parent will be the parent for it.
}
```

This should be enough for you to figure it out. I don't want to give too much out as I know facepunch is using this repo.

As I have spent the past day all-nighting this new system, I noticed all the new pointer encryption (not class encryption) was targeted at this cheat in particular, at random fields that are minor cheat features. So they clearly used this project, as it perfectly disables this project, yet all my major rage features such as anti aim have no encryption causing any issues.
By the look of it they are honeypotting this repo, so I advise you not to update it, otherwise they will spam pointer encryption which you will need shellcode to circumvent.

So, don't update this repo or any public repos regarding the new encryption stuff for at least 2 months. It isn't worth giving them any ideas to change everything again. Going through all the pointer encryption, it was targeted at this cheat.

Even though you can completely circumvent all their encryption by using 4 lines of shellcode to call the get functions, I wouldn't advise giving them more of a reason to invest time into this encryption system. Give them their little win.

@arlohewitt
Contributor

arlohewitt commented Jul 7, 2024

That's somewhat disheartening; sounds like it will be too much effort to keep this publicly updated.
I apologise to anyone who was using this while I was updating it; the info in this thread should be enough to update your own private fork if you plan to keep using it.

Thanks for all of the info on the wrapper class and whatnot.

I did mention that I would swap out adminflag for interactive debug, so I thought I would drop the code for it in case anyone is looking to add this to their fork too.
You would need to implement metick's InputManager in order to read the keyboard, and retrieving PlayerEyes will obviously need to be done through the wrapper.

```cpp
double previousYaw = 0.0;
int moveCam;
Vector3 targetmovement{ 0.0f , 1.5f, 0.0f };
float camSpeed = 0.00015f;
float camSpeedMultiplier = 5;
float camDrag = 0.99f;
bool camFlyToLook = true;
bool camFast = false;
Vector3 camVelocity = { 0.0f, 0.0f, 0.0f };
Vector3 forward = { 0.0f, 0.0f, 1.0f };
Vector3 right = { 1.0f, 0.0f, 0.0f };
Vector3 up = { 0.0f, 1.0f, 0.0f };

std::chrono::steady_clock::time_point startTime, endTime;
float deltaTime = 0.0f;

startTime = std::chrono::steady_clock::now();


while(ThreadRunning)
{
	endTime = std::chrono::steady_clock::now();

	std::chrono::duration<float, std::milli> duration = endTime - startTime;
	deltaTime = duration.count();

	startTime = std::chrono::steady_clock::now();

	Quaternion currentRotation = TargetProcess.Read<Quaternion>(Eyes_C + 0x4C);

	double currentYaw = GetYawRad(currentRotation);

	double deltaRotation = currentYaw - previousYaw;

	previousYaw = currentYaw;

	if (deltaRotation != 0)
		targetmovement = RotateY(targetmovement, deltaRotation);

	if (TargetProcess.GetKeyboard()->IsKeyDown(0x52)) // R = reset viewpoint
	{
		camVelocity = Vector3();
		targetmovement = Vector3();
	}

	if (TargetProcess.GetKeyboard()->IsKeyDown(0x51)) { // Q
		camFlyToLook = !camFlyToLook; // camera goes where you are facing toggle
	}

	if (TargetProcess.GetKeyboard()->IsKeyDown(0xA0)) { // left shift faster movment
		camFast = true;
	}
	else {
		camFast = false;
	}

	moveCam = 0;

	if (TargetProcess.GetKeyboard()->IsKeyDown(0x57)) // W forwards
	{
		camVelocity += forward;
		moveCam = 1;
	}

	if (TargetProcess.GetKeyboard()->IsKeyDown(0x53)) // S backwards
	{
		camVelocity -= forward;
		moveCam = -1;
	}

	if (TargetProcess.GetKeyboard()->IsKeyDown(0x41)) { // A left
		camVelocity -= right;
	}
	if (TargetProcess.GetKeyboard()->IsKeyDown(0x44)) { // D right
		camVelocity += right;
	}

	if (camFlyToLook)
	{
		camVelocity.y += GetForwardDirection(currentRotation).y * moveCam;
	}
	else
	{
		if (TargetProcess.GetKeyboard()->IsKeyDown(0xA2)) { // left ctrl go down
			camVelocity -= up;
		}
		if (TargetProcess.GetKeyboard()->IsKeyDown(0x20)) { // spacebar go up
			camVelocity += up;
		}
	}


	if (camFast)
		targetmovement += camVelocity * deltaTime * camSpeed * camSpeedMultiplier;
	else
		targetmovement += camVelocity * deltaTime * camSpeed;

	camVelocity *= camDrag;

	TargetProcess.Write<Vector3>(Eyes, targetmovement); //move our eyes to the calculated value
}
TargetProcess.Write<Vector3>(Eyes, { 0.0f , 1.5f, 0.0f }); //restore our eyes to their proper position

}
```

Eyes_C = just the localplayer eye class

Eyes_C ] + 0xB8 ] = Eyes

@mesaruk

mesaruk commented Jul 7, 2024

arlohewitt, is there anywhere I can contact you, like discord or something? Recently just bought a dma card on the pretence of using this; wouldn't mind paying for access to your private branch.

@arlohewitt
Contributor

arlohewitt commented Jul 7, 2024

I wouldn't subject anyone else to my terrible programming, especially at a cost.

I would advise you to look elsewhere;
considering how much help IntelSDM provided me, I will recommend you https://fbi.moe/

@mesaruk

mesaruk commented Jul 7, 2024

Received with many thanks. Can I subject your code? I was struggling with drawing to prefabs and now back to 0.

@kayehMDA

So changing like before is not working anymore, right? I will need to make my own loop through the class that I want to get info about? I'm new to building cheats in general; I was waiting for my DMA board to arrive to continue improving this code, but now with this encryption I'm a little confused.

@IntelSDM IntelSDM added the documentation Improvements or additions to documentation label Aug 7, 2024
@IntelSDM
Owner Author

IntelSDM commented Aug 7, 2024

This information is outdated now but still provides some valid information.

@IntelSDM IntelSDM closed this as completed Aug 7, 2024