├── kdmapper.exe ├── modern_warfare ├── core │ ├── overlay │ │ ├── hijack │ │ │ ├── hijack.h │ │ │ └── hijack.cpp │ │ └── renderer │ │ │ ├── internal.h │ │ │ ├── renderer.cpp │ │ │ ├── fonts.cpp │ │ │ ├── renderer.h │ │ │ ├── colors.cpp │ │ │ ├── internal.cpp │ │ │ └── scene.cpp │ ├── game │ │ ├── offsets.h │ │ ├── sdk.h │ │ └── sdk.cpp │ ├── driver │ │ └── driver.h │ ├── utils │ │ ├── vectors.cpp │ │ ├── vectors.h │ │ └── xor.h │ └── main.cpp ├── modern_warfare.vcxproj.filters └── modern_warfare.vcxproj ├── modern_warfare_driver ├── core │ ├── main.cpp │ └── utils │ │ ├── memory.h │ │ └── imports.h ├── modern_warfare_driver.vcxproj.filters ├── modern_warfare_driver.inf └── modern_warfare_driver.vcxproj ├── README.md ├── modern_warfare.sln └── .gitignore /kdmapper.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vmfunc/ewc/master/kdmapper.exe -------------------------------------------------------------------------------- /modern_warfare/core/overlay/hijack/hijack.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #pragma comment(lib, "Dwmapi.lib") 6 | 7 | namespace hijack { 8 | extern HWND hijacked_hwnd; 9 | extern RECT window_rect; 10 | extern D2D1_SIZE_U window_size; 11 | 12 | bool init(); 13 | } 14 | -------------------------------------------------------------------------------- /modern_warfare/core/overlay/renderer/internal.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "../hijack/hijack.h" 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #pragma comment(lib, "Dwrite") 9 | 10 | #pragma comment(lib, "Dwmapi.lib") 11 | #pragma comment(lib, "d2d1.lib") 12 | 13 | 14 | namespace renderer { 15 | namespace internal { 16 | extern ID2D1Factory* d2d; 17 | extern ID2D1HwndRenderTarget* render_target; 18 | extern IDWriteFactory* factory; 19 | 20 | bool init( ); 21 | void shutdown( ); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /modern_warfare/core/overlay/renderer/renderer.cpp: -------------------------------------------------------------------------------- 1 | #include "renderer.h" 2 | #include 3 | 4 | 5 | namespace renderer { 6 | bool init( ) { 7 | if (!internal::init()) { 8 | std::cout << "[-] renderer internal init failed" << std::endl; 9 | return false; 10 | } 11 | 12 | if (!colors::init()) { 13 | std::cout << "[-] renderer colors init failed" << std::endl; 14 | return false; 15 | } 16 | 17 | if (!fonts::init()) { 18 | std::cout << "[-] renderer fonts init failed" << std::endl; 19 | return false; 20 | } 21 | 22 | return true; 23 | } 24 | 25 | void shutdown() { 26 | scene::shutdown(); 27 | internal::shutdown(); 28 | colors::shutdown(); 29 | fonts::shutdown(); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /modern_warfare/core/overlay/renderer/fonts.cpp: -------------------------------------------------------------------------------- 1 | #include "renderer.h" 2 | 3 | 4 | namespace renderer { 5 | namespace fonts { 6 | IDWriteTextFormat* watermark_font = nullptr; 7 | IDWriteTextFormat* tahoma_font = nullptr; 8 | 9 | bool init( ) { 10 | if (FAILED(internal::factory->CreateTextFormat(L"Tahoma", NULL, DWRITE_FONT_WEIGHT_REGULAR, DWRITE_FONT_STYLE_NORMAL, DWRITE_FONT_STRETCH_NORMAL, 22, L"en-us", &watermark_font))) { 11 | return false; 12 | } 13 | 14 | if (FAILED(internal::factory->CreateTextFormat(L"Tahoma", NULL, DWRITE_FONT_WEIGHT_REGULAR, DWRITE_FONT_STYLE_NORMAL, DWRITE_FONT_STRETCH_NORMAL, 13.0, L"en-us", &tahoma_font))) { 15 | return false; 16 | } 17 | 18 | return true; 19 | } 20 | 21 | void shutdown( ) { 22 | watermark_font->Release( ); 23 | tahoma_font->Release( ); 24 | } 25 | } 26 | } -------------------------------------------------------------------------------- /modern_warfare/core/overlay/renderer/renderer.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "internal.h" 3 | #include "../../utils/vectors.h" 4 | 5 | namespace renderer { 6 | namespace colors { 7 | extern ID2D1SolidColorBrush* white_color; 8 | extern ID2D1SolidColorBrush* red_color; 9 | extern ID2D1SolidColorBrush* green_color; 10 | extern ID2D1SolidColorBrush* blue_color; 11 | extern ID2D1SolidColorBrush* black_color; 12 | 13 | bool init(); 14 | void shutdown(); 15 | } 16 | 17 | namespace fonts { 18 | extern IDWriteTextFormat* watermark_font; 19 | extern IDWriteTextFormat* tahoma_font; 20 | bool init(); 21 | void shutdown(); 22 | } 23 | 24 | namespace scene { 25 | void start(); 26 | void begin(); 27 | void end(); 28 | void clear(); 29 | void shutdown(); 30 | 31 | void text(vec2_t pos, const wchar_t* text, ID2D1SolidColorBrush* color, IDWriteTextFormat* font); 32 | void box(int x, int y, int width, int height, int thick, ID2D1SolidColorBrush* color); 33 | } 34 | 35 | bool init(); 36 | void shutdown(); 37 | } -------------------------------------------------------------------------------- /modern_warfare/core/overlay/renderer/colors.cpp: -------------------------------------------------------------------------------- 1 | #include "renderer.h" 2 | 3 | namespace renderer { 4 | namespace colors { 5 | ID2D1SolidColorBrush* white_color = nullptr; 6 | ID2D1SolidColorBrush* red_color = nullptr; 7 | ID2D1SolidColorBrush* green_color = nullptr; 8 | ID2D1SolidColorBrush* blue_color = nullptr; 9 | ID2D1SolidColorBrush* black_color = nullptr; 10 | 11 | bool init( ) { 12 | internal::render_target->CreateSolidColorBrush( D2D1::ColorF( D2D1::ColorF::White ), &white_color ); 13 | internal::render_target->CreateSolidColorBrush( D2D1::ColorF( D2D1::ColorF::Red ), &red_color ); 14 | internal::render_target->CreateSolidColorBrush( D2D1::ColorF( D2D1::ColorF::Green ), &green_color ); 15 | internal::render_target->CreateSolidColorBrush( D2D1::ColorF( D2D1::ColorF::Blue ), &blue_color ); 16 | internal::render_target->CreateSolidColorBrush( D2D1::ColorF( D2D1::ColorF::Black ), &black_color ); 17 | return true; 18 | } 19 | 20 | void shutdown( ) { 21 | white_color->Release( ); 22 | red_color->Release( ); 23 | green_color->Release( ); 24 | blue_color->Release( ); 25 | black_color->Release( ); 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /modern_warfare/core/overlay/renderer/internal.cpp: -------------------------------------------------------------------------------- 1 | #include "internal.h" 2 | #include 3 | 4 | 5 | namespace renderer { 6 | namespace internal { 7 | ID2D1Factory* d2d = nullptr; 8 | ID2D1HwndRenderTarget* render_target = nullptr; 9 | IDWriteFactory* factory = nullptr; 10 | 11 | bool init() { 12 | if (FAILED(D2D1CreateFactory(D2D1_FACTORY_TYPE_SINGLE_THREADED, &d2d))) { 13 | std::cout << "[-] failed to create render factory" << std::endl; 14 | return false; 15 | } 16 | 17 | if (FAILED(DWriteCreateFactory(DWRITE_FACTORY_TYPE_SHARED, __uuidof(IDWriteFactory), reinterpret_cast((&factory))))) { 18 | std::cout << "[-] failed to create write factory" << std::endl; 19 | return false; 20 | } 21 | 22 | if (FAILED(d2d->CreateHwndRenderTarget(D2D1::RenderTargetProperties(D2D1_RENDER_TARGET_TYPE_DEFAULT, D2D1::PixelFormat(DXGI_FORMAT_UNKNOWN, D2D1_ALPHA_MODE_PREMULTIPLIED)), 23 | D2D1::HwndRenderTargetProperties(hijack::hijacked_hwnd, hijack::window_size), &render_target))) { 24 | std::cout << "[-] failed to create render target" << std::endl; 25 | return false; 26 | } 27 | 28 | return true; 29 | } 30 | 31 | void shutdown( ) { 32 | d2d->Release( ); 33 | factory->Release( ); 34 | render_target->Release( ); 35 | } 36 | } 37 | } -------------------------------------------------------------------------------- /modern_warfare/core/game/offsets.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /* UPDATED - 2021-08-09 */ 4 | 5 | namespace offsets 6 | { 7 | constexpr auto camera_base = 0x14417F80; 8 | constexpr auto camera_pos = 0x1D8; 9 | constexpr auto game_mode = 0x0; 10 | constexpr auto local_index = 0x27540; 11 | constexpr auto name_array = 0x17226E58; 12 | constexpr auto name_array_padding = 0x4C70; 13 | constexpr auto ref_def_ptr = 0x1721BBB0; 14 | constexpr auto score_base = 0x0; 15 | constexpr auto weapon_definition = 0x0; 16 | constexpr auto client_info = 0x17219218; 17 | constexpr auto client_base = 0x9DBF8; 18 | 19 | namespace bones 20 | { 21 | constexpr auto bone_base = 0x0; 22 | constexpr auto distribute = 0x0; 23 | constexpr auto size = 0x150; 24 | constexpr auto visible = 0x0; 25 | } 26 | 27 | namespace directx 28 | { 29 | constexpr auto command_queue = 0x0; 30 | constexpr auto swap_chain = 0x0; 31 | } 32 | 33 | namespace other 34 | { 35 | constexpr auto recoil = 0x0; 36 | } 37 | 38 | namespace player 39 | { 40 | constexpr auto dead_1 = 0x64BD; 41 | constexpr auto dead_2 = 0x7FB0; 42 | constexpr auto pos_info = 0x448; 43 | constexpr auto size = 0x3AA8; 44 | constexpr auto stance = 0x76C; 45 | constexpr auto team_id = 0x2DF4; 46 | constexpr auto valid = 0x488; 47 | constexpr auto weapon_index = 0x0; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /modern_warfare/core/game/sdk.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include "..\utils\vectors.h" 5 | 6 | namespace sdk { 7 | extern HANDLE process_id; 8 | extern uintptr_t module_base; 9 | extern uintptr_t peb; 10 | extern HWND hwnd; 11 | 12 | extern uintptr_t client_info; 13 | extern uintptr_t client_info_base; 14 | 15 | struct ref_def_view { 16 | vec2_t tan_half_fov; 17 | char pad[0xC]; 18 | vec3_t axis[3]; 19 | }; 20 | 21 | struct ref_def_t { 22 | int x; 23 | int y; 24 | int width; 25 | int height; 26 | ref_def_view view; 27 | }; 28 | 29 | extern struct ref_def_t ref_def; 30 | 31 | void set_game_hwnd(); 32 | 33 | bool in_game(); 34 | 35 | int player_count(); 36 | 37 | int local_index(); 38 | 39 | class player_t { 40 | public: 41 | player_t(uintptr_t address) { 42 | this->address = address; 43 | } 44 | 45 | uintptr_t address{}; 46 | 47 | bool is_valid(); 48 | 49 | bool dead(); 50 | 51 | int team_id(); 52 | 53 | vec3_t get_pos(); 54 | }; 55 | 56 | bool w2s(vec3_t world_position, vec2_t& screen_position); 57 | 58 | float units_to_m(float units); 59 | } 60 | 61 | namespace decryption { 62 | uintptr_t get_client_info(); 63 | 64 | uintptr_t get_client_info_base(); 65 | 66 | uint64_t get_bone(); 67 | 68 | uint32_t get_bone_index(uint32_t index); 69 | 70 | uintptr_t get_ref_def(); 71 | } 72 | -------------------------------------------------------------------------------- /modern_warfare/core/overlay/hijack/hijack.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "hijack.h" 3 | 4 | namespace hijack { 5 | HWND hijacked_hwnd{}; 6 | RECT window_rect{}; 7 | D2D1_SIZE_U window_size{}; 8 | 9 | bool init() { 10 | hijacked_hwnd = FindWindowW(L"CEF-OSC-WIDGET", L"NVIDIA GeForce Overlay"); 11 | if (!hijacked_hwnd) { 12 | std::cout << "[-] failed to find target window handle" << std::endl; 13 | return false; 14 | } 15 | 16 | auto apply_window_styles = []() { 17 | // style trasnperant 18 | SetWindowLongW(hijacked_hwnd, -20, static_cast((static_cast(GetWindowLongW(hijacked_hwnd, -20)) | 0x20))); 19 | 20 | // transparency 21 | MARGINS margin = { -1, -1, -1, -1 }; 22 | DwmExtendFrameIntoClientArea(hijacked_hwnd, &margin); 23 | if (!SetLayeredWindowAttributes(hijacked_hwnd, 0x000000, 0xFF, 0x02)) { 24 | std::cout << "[-]" << " failed to set hijacked window attributes" << std::endl; 25 | return false; 26 | } 27 | 28 | SetWindowDisplayAffinity(hijacked_hwnd, WDA_EXCLUDEFROMCAPTURE); 29 | 30 | return true; 31 | }; 32 | 33 | if (!apply_window_styles()) { 34 | return false; 35 | } 36 | 37 | ShowWindow(hijacked_hwnd, SW_SHOW); 38 | GetClientRect(hijacked_hwnd, &window_rect); 39 | window_size = D2D1::SizeU(window_rect.right - window_rect.left, window_rect.bottom - window_rect.top); 40 | 41 | return true; 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /modern_warfare_driver/core/main.cpp: -------------------------------------------------------------------------------- 1 | #include "utils\memory.h" 2 | #include "utils\imports.h" 3 | 4 | NTSTATUS hook_handler(PVOID called_param) 5 | { 6 | COPY_MEMORY* m = (COPY_MEMORY*)called_param; 7 | 8 | if (m->get_pid) { 9 | m->pid = memory::get_process_id(m->process_name); 10 | } 11 | else if (m->base) { 12 | PEPROCESS process; 13 | if (NT_SUCCESS(PsLookupProcessByProcessId(m->pid, &process))) { 14 | m->buffer = (void*)memory::get_module_base_x64(process); 15 | } 16 | } 17 | else if (m->peb) { 18 | PEPROCESS process; 19 | if (NT_SUCCESS(PsLookupProcessByProcessId(m->pid, &process))) { 20 | m->buffer = (void*)PsGetProcessPeb(process); 21 | } 22 | } 23 | else if (m->read) { 24 | memory::read_kernel_memory(m->pid, (PVOID)m->address, m->buffer, m->size); 25 | } 26 | else if (m->write) { 27 | memory::write_kernel_memory(m->pid, m->buffer, (PVOID)m->address, m->size); 28 | } 29 | 30 | return STATUS_SUCCESS; 31 | } 32 | 33 | void real_entry() { 34 | DbgPrintEx(0, 0, "real entry called.\n"); 35 | 36 | if (memory::call_kernel_function(&hook_handler)) { 37 | DbgPrintEx(0, 0, "function hooked.\n"); 38 | } 39 | else { 40 | DbgPrintEx(0, 0, "failed to hook function.\n"); 41 | } 42 | } 43 | 44 | extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) 45 | { 46 | UNREFERENCED_PARAMETER(driver_object); 47 | UNREFERENCED_PARAMETER(registry_path); 48 | return STATUS_SUCCESS; 49 | } -------------------------------------------------------------------------------- /modern_warfare_driver/modern_warfare_driver.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /modern_warfare/core/overlay/renderer/scene.cpp: -------------------------------------------------------------------------------- 1 | #include "renderer.h" 2 | #include "../../game/sdk.h" 3 | #include 4 | 5 | namespace renderer { 6 | namespace scene { 7 | void start() { 8 | begin(); 9 | clear(); 10 | } 11 | 12 | void begin() { 13 | internal::render_target->BeginDraw(); 14 | } 15 | 16 | void end() { 17 | internal::render_target->EndDraw(); 18 | 19 | // code below is really just for convience, without the if statement you would have to 20 | // manually close each window as when clicking onto the game the focus doesnt close the 21 | // other window. Comment it out and u will see what I mean. the statement fixes it 22 | // by brigning overlay to topmost (removes flag imdeallty) then putting game winodw 23 | // right under it 24 | 25 | static bool toggle = true; 26 | if (GetForegroundWindow() == sdk::hwnd) { 27 | if (toggle) { 28 | SetWindowPos(hijack::hijacked_hwnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE); 29 | SetWindowPos(hijack::hijacked_hwnd, HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE); 30 | ShowWindow(hijack::hijacked_hwnd, SW_SHOW); 31 | toggle = false; 32 | } 33 | } 34 | else { 35 | ShowWindow(hijack::hijacked_hwnd, SW_HIDE); 36 | toggle = true; 37 | } 38 | 39 | // sets game window under overlay 40 | SetWindowPos(sdk::hwnd, hijack::hijacked_hwnd, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE); 41 | } 42 | 43 | void clear() { 44 | internal::render_target->Clear(); 45 | } 46 | 47 | void text(vec2_t pos, const wchar_t* text, ID2D1SolidColorBrush* color, IDWriteTextFormat* font) { 48 | internal::render_target->DrawTextA( text, lstrlenW( text ), font, pos.rect(), color, D2D1_DRAW_TEXT_OPTIONS_NONE, DWRITE_MEASURING_MODE_NATURAL ); 49 | } 50 | 51 | void box(int x, int y, int width, int height, int thick, ID2D1SolidColorBrush* color) { 52 | internal::render_target->DrawRectangle(D2D1::RectF(x, y, x + width, y + height), color, thick); 53 | } 54 | 55 | void shutdown() { 56 | begin(); 57 | clear(); 58 | end(); 59 | } 60 | } 61 | } -------------------------------------------------------------------------------- /modern_warfare/core/driver/driver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "../game/sdk.h" 10 | 11 | typedef struct _COPY_MEMORY { 12 | void* buffer; 13 | ULONG64 address; 14 | ULONG size; 15 | HANDLE pid; 16 | bool get_pid; 17 | bool base; 18 | bool peb; 19 | bool read; 20 | bool write; 21 | const char* module_name; 22 | const char* process_name; 23 | }COPY_MEMORY; 24 | 25 | namespace driver { 26 | static std::once_flag flag; 27 | 28 | template 29 | uint64_t call_hook(const A ... arguments) 30 | { 31 | std::call_once(flag, [] { LoadLibrary("user32.dll"); }); 32 | void* control_function = GetProcAddress(LoadLibrary("win32u.dll"), "NtOpenCompositionSurfaceSectionInfo"); 33 | const auto control = static_cast(control_function); 34 | return control(arguments ...); 35 | } 36 | 37 | static HANDLE get_process_id(const char* process_name) { 38 | COPY_MEMORY m{}; 39 | m.get_pid = true; 40 | m.process_name = process_name; 41 | call_hook(&m); 42 | 43 | return m.pid; 44 | } 45 | 46 | static uintptr_t get_module_base_address(const char* module_name) { 47 | COPY_MEMORY m{}; 48 | m.base = true; 49 | m.pid = sdk::process_id; 50 | m.module_name = module_name; 51 | call_hook(&m); 52 | 53 | return (uintptr_t)m.buffer; 54 | } 55 | 56 | static uintptr_t get_peb() { 57 | COPY_MEMORY m{}; 58 | m.peb = true; 59 | m.pid = sdk::process_id; 60 | call_hook(&m); 61 | 62 | return (uintptr_t)m.buffer; 63 | } 64 | 65 | template 66 | type read(ULONG64 address) { 67 | type buffer{}; 68 | 69 | COPY_MEMORY m{}; 70 | m.read = true; 71 | m.pid = sdk::process_id; 72 | m.address = address; 73 | m.buffer = &buffer; 74 | m.size = sizeof(type); 75 | 76 | call_hook(&m); 77 | return buffer; 78 | } 79 | 80 | template 81 | void write(ULONG64 address, type value, ULONG size = sizeof(value)) 82 | { 83 | COPY_MEMORY m{}; 84 | m.write = true; 85 | m.pid = sdk::process_id; 86 | m.address = address; 87 | m.buffer = &value; 88 | m.size = size; 89 | 90 | call_hook(&m); 91 | } 92 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # external_warzone_cheat 4 | ### External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil 5 | 6 | ## Offsests are NOT up to date 7 | 8 | modern wareafee or warzone or blizzardds whatever their anti cheat is not very good ,,... (excpet their hwid bans are pretty anouning) anywayws thier anti cheat is only usemrode so of course our sexy manual mapped drievr will be veyr nice for this game.... the ovrrlay is pretty fine except for the tranprant flag that gets added [here](https://github.com/NMan1/external_warzone_cheat/blob/7774b0ed2b498ce880edd19a7388f938ac207f6c/modern_warfare/core/overlay/hijack/hijack.cpp#L18) since the nvidia overlay deosnt have the transprent flag we add that but that can be alittle suspicouss for the anit cheat since a new flag has been added to a legit window. The top most is taken care of [here](https://github.com/NMan1/external_warzone_cheat/blob/7774b0ed2b498ce880edd19a7388f938ac207f6c/modern_warfare/core/overlay/renderer/scene.cpp#L40). So if u really care but its really not a massive deal if ur just poarniod u can find a way to rmeove the transprant flag or hook getwindowlong to reutnr nothing who cares its not worth the effort their anticheat is dog shit actually they also maybe take [screenshots too so maybe u should compentsate for that hint hint](https://github.com/NMan1/external_warzone_cheat/blob/7774b0ed2b498ce880edd19a7388f938ac207f6c/modern_warfare/core/overlay/hijack/hijack.cpp#L28) [this](https://www.unknowncheats.me/forum/anti-cheat-bypass/220597-overlay-window-using-ws_ex_topmost-2.html) or [this](https://www.unknowncheats.me/forum/anti-cheat-bypass/349662-method-using-ws_ex_layered-style-overlay.html) can help u regarding the WS_EX_TRANSPARENT fkag. 9 | 10 | esp is very basic but u can expand it if u want there is a draw box function. 11 | no recoil is commented out cuz offset not work but if u want to ad that probaly just create a new thread so esp and recoil are sepreate. 12 | 13 | DEL key unoads overlay and cheat. 14 | 15 | Compile x64 release, kdmapper driver. Run modern_wareafre_client.exe when in game 16 | 17 | # Vids 18 | 19 | https://user-images.githubusercontent.com/44145464/122661983-2b12a680-d155-11eb-844f-a86223c0f5a0.mp4 20 | 21 | https://user-images.githubusercontent.com/44145464/122662032-7c229a80-d155-11eb-84cb-53dfba539db9.mp4 22 | 23 | 24 | # Credits: 25 | 26 | https://github.com/es3n1n/nvidia-overlay-renderer/ 27 | - for the hijacking structure 28 | 29 | albxrn for function hook pasta 30 | 31 | unkowncheats modern warefare fourm for offsets and decprytion 32 | -------------------------------------------------------------------------------- /modern_warfare/core/utils/vectors.cpp: -------------------------------------------------------------------------------- 1 | #include "vectors.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | float bits_to_float(std::uint32_t i) { 8 | union convertor_t 9 | { 10 | float f; 11 | unsigned long ul; 12 | }tmp; 13 | 14 | tmp.ul = i; 15 | return tmp.f; 16 | } 17 | 18 | vec3_t::vec3_t(void) { 19 | x = y = z = 0.0f; 20 | } 21 | 22 | vec3_t::vec3_t(float fx, float fy, float fz) { 23 | x = fx; 24 | y = fy; 25 | z = fz; 26 | } 27 | 28 | vec3_t::~vec3_t(void) { 29 | }; 30 | 31 | void vec3_t::init(float ix, float iy, float iz) { 32 | x = ix; y = iy; z = iz; 33 | } 34 | 35 | vec3_t vec3_t::clamp(void) { 36 | x = std::clamp(x, -89.0f, 89.0f); 37 | y = std::clamp(std::remainder(y, 360.0f), -180.0f, 180.0f); 38 | z = std::clamp(z, -50.0f, 50.0f); 39 | return vec3_t(x, y, z); 40 | } 41 | 42 | vec3_t vec3_t::clamped() { 43 | vec3_t clamped = *this; 44 | clamped.clamp(); 45 | return clamped; 46 | } 47 | 48 | float vec3_t::normalize_float() { 49 | vec3_t res = *this; 50 | float l = res.length(); 51 | if (l != 0.0f) { 52 | res /= l; 53 | } 54 | else { 55 | res.x = res.y = res.z = 0.0f; 56 | } 57 | return l; 58 | } 59 | 60 | float vec3_t::distance_to(const vec3_t& other) { 61 | vec3_t delta; 62 | delta.x = x - other.x; 63 | delta.y = y - other.y; 64 | delta.z = z - other.z; 65 | 66 | return delta.length(); 67 | } 68 | 69 | void vec3_t::normalize(void) { 70 | auto vec_normalize = [&](vec3_t& v) { 71 | auto l = v.length(); 72 | 73 | if (l != 0.0f) { 74 | v.x /= l; 75 | v.y /= l; 76 | v.z /= l; 77 | } 78 | else { 79 | v.x = v.y = 0.0f; v.z = 1.0f; 80 | } 81 | 82 | return l; 83 | }; 84 | 85 | vec_normalize(*this); 86 | } 87 | 88 | vec3_t vec3_t::normalized(void) { 89 | vec3_t vec(*this); 90 | vec.normalize(); 91 | 92 | return vec; 93 | } 94 | 95 | float vec3_t::length(void) { 96 | auto sqr = [](float n) { 97 | return static_cast(n * n); 98 | }; 99 | 100 | return sqrt(sqr(x) + sqr(y) + sqr(z)); 101 | } 102 | 103 | float vec3_t::length_2d_sqr(void) const { 104 | return (x * x + y * y); 105 | } 106 | 107 | float vec3_t::dot(const vec3_t other) { 108 | return (x * other.x + y * other.y + z * other.z); 109 | } 110 | 111 | float vec3_t::dot(const float* other) { 112 | const vec3_t& a = *this; 113 | 114 | return(a.x * other[0] + a.y * other[1] + a.z * other[2]); 115 | } 116 | 117 | D2D1_RECT_F vec2_t::rect() { 118 | return D2D1::RectF(static_cast(x), static_cast(y), static_cast(INT_MAX), static_cast(INT_MAX)); 119 | } 120 | -------------------------------------------------------------------------------- /modern_warfare/modern_warfare.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | 44 | 45 | Source Files 46 | 47 | 48 | Source Files 49 | 50 | 51 | Source Files 52 | 53 | 54 | Source Files 55 | 56 | 57 | Source Files 58 | 59 | 60 | Source Files 61 | 62 | 63 | Source Files 64 | 65 | 66 | Source Files 67 | 68 | 69 | Source Files 70 | 71 | 72 | -------------------------------------------------------------------------------- /modern_warfare_driver/modern_warfare_driver.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; modern_warfare_driver.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=modern_warfare_driver.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | PnpLockDown=1 13 | 14 | [DestinationDirs] 15 | DefaultDestDir = 12 16 | modern_warfare_driver_Device_CoInstaller_CopyFiles = 11 17 | 18 | ; ================= Class section ===================== 19 | 20 | [ClassInstall32] 21 | Addreg=SampleClassReg 22 | 23 | [SampleClassReg] 24 | HKR,,,0,%ClassName% 25 | HKR,,Icon,,-5 26 | 27 | [SourceDisksNames] 28 | 1 = %DiskName%,,,"" 29 | 30 | [SourceDisksFiles] 31 | modern_warfare_driver.sys = 1,, 32 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 33 | 34 | ;***************************************** 35 | ; Install Section 36 | ;***************************************** 37 | 38 | [Manufacturer] 39 | %ManufacturerName%=Standard,NT$ARCH$ 40 | 41 | [Standard.NT$ARCH$] 42 | %modern_warfare_driver.DeviceDesc%=modern_warfare_driver_Device, Root\modern_warfare_driver ; TODO: edit hw-id 43 | 44 | [modern_warfare_driver_Device.NT] 45 | CopyFiles=Drivers_Dir 46 | 47 | [Drivers_Dir] 48 | modern_warfare_driver.sys 49 | 50 | ;-------------- Service installation 51 | [modern_warfare_driver_Device.NT.Services] 52 | AddService = modern_warfare_driver,%SPSVCINST_ASSOCSERVICE%, modern_warfare_driver_Service_Inst 53 | 54 | ; -------------- modern_warfare_driver driver install sections 55 | [modern_warfare_driver_Service_Inst] 56 | DisplayName = %modern_warfare_driver.SVCDESC% 57 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 58 | StartType = 3 ; SERVICE_DEMAND_START 59 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 60 | ServiceBinary = %12%\modern_warfare_driver.sys 61 | 62 | ; 63 | ;--- modern_warfare_driver_Device Coinstaller installation ------ 64 | ; 65 | 66 | [modern_warfare_driver_Device.NT.CoInstallers] 67 | AddReg=modern_warfare_driver_Device_CoInstaller_AddReg 68 | CopyFiles=modern_warfare_driver_Device_CoInstaller_CopyFiles 69 | 70 | [modern_warfare_driver_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 72 | 73 | [modern_warfare_driver_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 75 | 76 | [modern_warfare_driver_Device.NT.Wdf] 77 | KmdfService = modern_warfare_driver, modern_warfare_driver_wdfsect 78 | [modern_warfare_driver_wdfsect] 79 | KmdfLibraryVersion = $KMDFVERSION$ 80 | 81 | [Strings] 82 | SPSVCINST_ASSOCSERVICE= 0x00000002 83 | ManufacturerName="" ;TODO: Replace with your manufacturer name 84 | ClassName="Samples" ; TODO: edit ClassName 85 | DiskName = "modern_warfare_driver Installation Disk" 86 | modern_warfare_driver.DeviceDesc = "modern_warfare_driver Device" 87 | modern_warfare_driver.SVCDESC = "modern_warfare_driver Service" 88 | -------------------------------------------------------------------------------- /modern_warfare/core/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "driver/driver.h" 3 | #include "game/offsets.h" 4 | #include "overlay/hijack/hijack.h" 5 | #include "overlay/renderer/renderer.h" 6 | #include 7 | 8 | #define ERROR(msg) std::cout << "[-] " << msg << std::endl; std::cin.get(); exit(EXIT_FAILURE); 9 | #define ASSERT(cond, msg) if (!cond) { ERROR(msg) } 10 | 11 | int main() { 12 | sdk::process_id = driver::get_process_id("ModernWarfare.exe"); 13 | ASSERT(sdk::process_id, "failed to find pid"); 14 | 15 | sdk::module_base = driver::get_module_base_address("ModernWarfare.exe"); 16 | ASSERT(sdk::module_base, "failed to module base"); 17 | 18 | sdk::peb = driver::get_peb(); 19 | ASSERT(sdk::peb, "failed to find peb"); 20 | 21 | sdk::set_game_hwnd(); 22 | ASSERT(sdk::hwnd, "failed to find window handle"); 23 | 24 | ASSERT(hijack::init(), "failed to hijack nvidia overlay"); 25 | ASSERT(renderer::init(), "failed to initlize renderer"); 26 | 27 | sdk::client_info = decryption::get_client_info(); 28 | ASSERT(sdk::client_info, "failed to find client_info"); 29 | 30 | sdk::client_info_base = decryption::get_client_info_base(); 31 | ASSERT(sdk::client_info_base, "failed to find client_info_base"); 32 | 33 | auto ref_def_ptr = decryption::get_ref_def(); 34 | ASSERT(ref_def_ptr, "failed to find ref_def_ptr"); 35 | 36 | std::cout << "[-] log" << std::endl; 37 | std::cout << " [~] pid: " << std::hex << sdk::process_id << std::endl; 38 | std::cout << " [~] base: " << std::hex << sdk::module_base << std::endl; 39 | std::cout << " [~] peb: " << std::hex << sdk::peb << std::endl; 40 | std::cout << " [~] hwnd: " << std::hex << sdk::hwnd << std::endl; 41 | std::cout << " [~] client_info: " << std::hex << sdk::client_info << std::endl; 42 | std::cout << " [~] client_info_base: " << std::hex << sdk::client_info_base << std::endl; 43 | 44 | sdk::ref_def = driver::read(ref_def_ptr); 45 | 46 | while (!GetAsyncKeyState(VK_DELETE)) { 47 | renderer::scene::start(); 48 | 49 | renderer::scene::text(vec2_t(sdk::ref_def.width-115, 5), L"overflow", renderer::colors::red_color, renderer::fonts::watermark_font); 50 | 51 | sdk::player_t local(sdk::client_info_base + (sdk::local_index() * offsets::player::size)); 52 | auto local_pos = local.get_pos(); 53 | auto local_team = local.team_id(); 54 | 55 | for (int i = 0; i < 150; i++) { 56 | sdk::player_t player(sdk::client_info_base + (i * offsets::player::size)); 57 | if (!player.is_valid() || player.dead()) { 58 | continue; 59 | } 60 | 61 | if (player.team_id() == local_team) { 62 | continue; 63 | } 64 | 65 | vec2_t screen; vec3_t pos = player.get_pos(); 66 | if (sdk::w2s(pos, screen)) { 67 | auto dist = sdk::units_to_m(local_pos.distance_to(pos)); 68 | 69 | if (dist < 225) { 70 | wchar_t buf[6]; 71 | swprintf(buf, sizeof(buf), L"[%.1f]m", dist); // not very efficent 72 | renderer::scene::text(screen, buf, renderer::colors::red_color, renderer::fonts::tahoma_font); 73 | } 74 | } 75 | } 76 | renderer::scene::end(); 77 | 78 | sdk::ref_def = driver::read(decryption::get_ref_def()); 79 | } 80 | renderer::shutdown(); 81 | 82 | // no recoil 83 | //while (true) { 84 | // if (GetAsyncKeyState(VK_LBUTTON)) { 85 | // DWORD64 r12 = client_info + offsets::other::recoil; 86 | // DWORD64 rsi = r12 + 0x4; 87 | // DWORD edx = driver::read(r12 + 0xC); 88 | // DWORD ecx = edx; 89 | // ecx = ecx ^ (DWORD)r12; 90 | // DWORD eax = ecx + 2; 91 | // eax = eax * ecx; 92 | // ecx = edx; 93 | // ecx = ecx ^ (DWORD)rsi; 94 | // driver::write(r12, eax, sizeof(float)); 95 | // eax = ecx + 2; 96 | // eax = ecx + 2; 97 | // eax = eax * ecx; 98 | // driver::write(rsi, eax, sizeof(float)); 99 | // } 100 | //} 101 | 102 | return 0; 103 | } 104 | -------------------------------------------------------------------------------- /modern_warfare.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30709.64 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "modern_warfare_client", "modern_warfare\modern_warfare.vcxproj", "{4A69FC80-8531-4350-B836-A1076D2FD136}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "modern_warfare_driver", "modern_warfare_driver\modern_warfare_driver.vcxproj", "{30EAC4AD-21EC-4982-B136-2BB9C1361551}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|ARM = Debug|ARM 13 | Debug|ARM64 = Debug|ARM64 14 | Debug|x64 = Debug|x64 15 | Debug|x86 = Debug|x86 16 | Release|ARM = Release|ARM 17 | Release|ARM64 = Release|ARM64 18 | Release|x64 = Release|x64 19 | Release|x86 = Release|x86 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Debug|ARM.ActiveCfg = Debug|Win32 23 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Debug|ARM64.ActiveCfg = Debug|Win32 24 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Debug|x64.ActiveCfg = Debug|x64 25 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Debug|x64.Build.0 = Debug|x64 26 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Debug|x86.ActiveCfg = Debug|Win32 27 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Debug|x86.Build.0 = Debug|Win32 28 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Release|ARM.ActiveCfg = Release|Win32 29 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Release|ARM64.ActiveCfg = Release|Win32 30 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Release|x64.ActiveCfg = Release|x64 31 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Release|x64.Build.0 = Release|x64 32 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Release|x86.ActiveCfg = Release|Win32 33 | {4A69FC80-8531-4350-B836-A1076D2FD136}.Release|x86.Build.0 = Release|Win32 34 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|ARM.ActiveCfg = Debug|ARM 35 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|ARM.Build.0 = Debug|ARM 36 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|ARM.Deploy.0 = Debug|ARM 37 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|ARM64.ActiveCfg = Debug|ARM64 38 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|ARM64.Build.0 = Debug|ARM64 39 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|ARM64.Deploy.0 = Debug|ARM64 40 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|x64.ActiveCfg = Debug|x64 41 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|x64.Build.0 = Debug|x64 42 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|x64.Deploy.0 = Debug|x64 43 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|x86.ActiveCfg = Debug|Win32 44 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|x86.Build.0 = Debug|Win32 45 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Debug|x86.Deploy.0 = Debug|Win32 46 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|ARM.ActiveCfg = Release|ARM 47 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|ARM.Build.0 = Release|ARM 48 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|ARM.Deploy.0 = Release|ARM 49 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|ARM64.ActiveCfg = Release|ARM64 50 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|ARM64.Build.0 = Release|ARM64 51 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|ARM64.Deploy.0 = Release|ARM64 52 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|x64.ActiveCfg = Release|x64 53 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|x64.Build.0 = Release|x64 54 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|x64.Deploy.0 = Release|x64 55 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|x86.ActiveCfg = Release|Win32 56 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|x86.Build.0 = Release|Win32 57 | {30EAC4AD-21EC-4982-B136-2BB9C1361551}.Release|x86.Deploy.0 = Release|Win32 58 | EndGlobalSection 59 | GlobalSection(SolutionProperties) = preSolution 60 | HideSolutionNode = FALSE 61 | EndGlobalSection 62 | GlobalSection(ExtensibilityGlobals) = postSolution 63 | SolutionGuid = {F07BEE3F-562E-4CF1-A73A-62601F46C319} 64 | EndGlobalSection 65 | EndGlobal 66 | -------------------------------------------------------------------------------- /modern_warfare/core/utils/vectors.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | extern float bits_to_float(std::uint32_t i); 8 | #define M_PI 3.14159265358979323846 9 | #define M_RADPI 57.295779513082f 10 | #define M_PI_F ((float)(M_PI)) // Shouldn't collide with anything. 11 | #define RAD2DEG( x ) ( (float)(x) * (float)(180.f / M_PI_F) ) 12 | #define DEG2RAD( x ) ( (float)(x) * (float)(M_PI_F / 180.f) ) 13 | 14 | #define FLOAT32_NAN_BITS ( std::uint32_t ) 0x7FC00000 // not a number! 15 | #define FLOAT32_NAN bits_to_float( FLOAT32_NAN_BITS ) 16 | #define VEC_T_NAN FLOAT32_NAN 17 | 18 | #define ASSERT( _exp ) ( (void ) 0 ) 19 | 20 | template 21 | T clip_number(const T& n, const T& lower, const T& upper) { 22 | if (n < lower) return lower; 23 | if (n > upper) return upper; 24 | return n; 25 | } 26 | 27 | class vec3_t { 28 | public: 29 | vec3_t(); 30 | vec3_t(float, float, float); 31 | ~vec3_t(); 32 | 33 | float x, y, z; 34 | 35 | vec3_t& operator+=(const vec3_t& v) { 36 | x += v.x; y += v.y; z += v.z; return *this; 37 | } 38 | vec3_t& operator-=(const vec3_t& v) { 39 | x -= v.x; y -= v.y; z -= v.z; return *this; 40 | } 41 | vec3_t& operator*=(float v) { 42 | x *= v; y *= v; z *= v; return *this; 43 | } 44 | bool operator==(const vec3_t& v) { 45 | return (x == v.x) && (y == v.y); 46 | } 47 | vec3_t operator+(const vec3_t& v) { 48 | return vec3_t{ x + v.x, y + v.y, z + v.z }; 49 | } 50 | vec3_t operator-(const vec3_t& v) { 51 | return vec3_t{ x - v.x, y - v.y, z - v.z }; 52 | } 53 | vec3_t operator*(float fl) const { 54 | return vec3_t(x * fl, y * fl, z * fl); 55 | } 56 | vec3_t operator*(const vec3_t& v) const { 57 | return vec3_t(x * v.x, y * v.y, z * v.z); 58 | } 59 | vec3_t& operator/=(float fl) { 60 | x /= fl; 61 | y /= fl; 62 | z /= fl; 63 | return *this; 64 | } 65 | auto operator-(const vec3_t& other) const -> vec3_t { 66 | auto buf = *this; 67 | 68 | buf.x -= other.x; 69 | buf.y -= other.y; 70 | buf.z -= other.z; 71 | 72 | return buf; 73 | } 74 | 75 | auto operator/(float other) const { 76 | vec3_t vec; 77 | vec.x = x / other; 78 | vec.y = y / other; 79 | vec.z = z / other; 80 | return vec; 81 | } 82 | 83 | float& operator[](int i) { 84 | return ((float*)this)[i]; 85 | } 86 | float operator[](int i) const { 87 | return ((float*)this)[i]; 88 | } 89 | 90 | inline float Length2D() const 91 | { 92 | return sqrt((x * x) + (y * y)); 93 | } 94 | void crossproduct(vec3_t v1, vec3_t v2, vec3_t cross_p) const //ijk = xyz 95 | { 96 | cross_p.x = (v1.y * v2.z) - (v1.z * v2.y); //i 97 | cross_p.y = -((v1.x * v2.z) - (v1.z * v2.x)); //j 98 | cross_p.z = (v1.x * v2.y) - (v1.y * v2.x); //k 99 | } 100 | vec3_t Cross(const vec3_t& vOther) const 101 | { 102 | vec3_t res; 103 | crossproduct(*this, vOther, res); 104 | return res; 105 | } 106 | 107 | void init(float ix, float iy, float iz); 108 | vec3_t clamp(); 109 | vec3_t clamped(); 110 | vec3_t normalized(); 111 | float normalize_float(); 112 | float distance_to(const vec3_t& other); 113 | void normalize(); 114 | float length(); 115 | float length_2d_sqr(void) const; 116 | float dot(const vec3_t other); 117 | float dot(const float* other); 118 | }; 119 | 120 | // has to be hear 121 | inline vec3_t operator*(float lhs, const vec3_t& rhs) { 122 | return vec3_t(rhs.x * lhs, rhs.x * lhs, rhs.x * lhs); 123 | } 124 | 125 | struct matrix_t 126 | { 127 | matrix_t() { } 128 | matrix_t( 129 | float m00, float m01, float m02, float m03, 130 | float m10, float m11, float m12, float m13, 131 | float m20, float m21, float m22, float m23) 132 | { 133 | mat_val[0][0] = m00; mat_val[0][1] = m01; mat_val[0][2] = m02; mat_val[0][3] = m03; 134 | mat_val[1][0] = m10; mat_val[1][1] = m11; mat_val[1][2] = m12; mat_val[1][3] = m13; 135 | mat_val[2][0] = m20; mat_val[2][1] = m21; mat_val[2][2] = m22; mat_val[2][3] = m23; 136 | } 137 | 138 | //----------------------------------------------------------------------------- 139 | // Creates a matrix where the X axis = forward 140 | // the Y axis = left, and the Z axis = up 141 | //----------------------------------------------------------------------------- 142 | void init(const vec3_t& xAxis, const vec3_t& yAxis, const vec3_t& zAxis, const vec3_t& vecOrigin) 143 | { 144 | mat_val[0][0] = xAxis.x; mat_val[0][1] = yAxis.x; mat_val[0][2] = zAxis.x; mat_val[0][3] = vecOrigin.x; 145 | mat_val[1][0] = xAxis.y; mat_val[1][1] = yAxis.y; mat_val[1][2] = zAxis.y; mat_val[1][3] = vecOrigin.y; 146 | mat_val[2][0] = xAxis.z; mat_val[2][1] = yAxis.z; mat_val[2][2] = zAxis.z; mat_val[2][3] = vecOrigin.z; 147 | } 148 | 149 | //----------------------------------------------------------------------------- 150 | // Creates a matrix where the X axis = forward 151 | // the Y axis = left, and the Z axis = up 152 | //----------------------------------------------------------------------------- 153 | matrix_t(const vec3_t& xAxis, const vec3_t& yAxis, const vec3_t& zAxis, const vec3_t& vecOrigin) 154 | { 155 | init(xAxis, yAxis, zAxis, vecOrigin); 156 | } 157 | 158 | inline void set_origin(vec3_t const& p) 159 | { 160 | mat_val[0][3] = p.x; 161 | mat_val[1][3] = p.y; 162 | mat_val[2][3] = p.z; 163 | } 164 | 165 | inline void invalidate(void) 166 | { 167 | for (int i = 0; i < 3; i++) 168 | { 169 | for (int j = 0; j < 4; j++) 170 | { 171 | mat_val[i][j] = VEC_T_NAN; 172 | } 173 | } 174 | } 175 | 176 | float* operator[](int i) { ASSERT((i >= 0) && (i < 3)); return mat_val[i]; } 177 | const float* operator[](int i) const { ASSERT((i >= 0) && (i < 3)); return mat_val[i]; } 178 | float* base() { return &mat_val[0][0]; } 179 | const float* base() const { return &mat_val[0][0]; } 180 | 181 | float mat_val[3][4]; 182 | }; 183 | 184 | class vec2_t { 185 | public: 186 | float x, y; 187 | 188 | vec2_t() { 189 | x = 0; y = 0; 190 | }; 191 | vec2_t(float X, float Y) { 192 | x = X; y = Y; 193 | }; 194 | vec2_t(vec3_t vec) { 195 | x = vec.x; y = vec.y; 196 | } 197 | 198 | inline vec2_t operator*(const float n) const { 199 | return vec2_t(x * n, y * n); 200 | } 201 | inline vec2_t operator+(const vec2_t& v) const { 202 | return vec2_t(x + v.x, y + v.y); 203 | } 204 | inline vec2_t operator-(const vec2_t& v) const { 205 | return vec2_t(x - v.x, y - v.y); 206 | } 207 | inline void operator+=(const vec2_t& v) { 208 | x += v.x; 209 | y += v.y; 210 | } 211 | inline void operator-=(const vec2_t& v) { 212 | x -= v.x; 213 | y -= v.y; 214 | } 215 | 216 | bool operator==(const vec2_t& v) const { 217 | return (v.x == x && v.y == y); 218 | } 219 | bool operator!=(const vec2_t& v) const { 220 | return (v.x != x || v.y != y); 221 | } 222 | 223 | inline float length() { 224 | return sqrt((x * x) + (y * y)); 225 | } 226 | 227 | D2D1_RECT_F rect(); 228 | }; 229 | -------------------------------------------------------------------------------- /modern_warfare_driver/core/utils/memory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "imports.h" 3 | 4 | namespace memory { 5 | PVOID get_system_module_base(const char* module_name) { 6 | ULONG bytes = 0; 7 | NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, 0, bytes, &bytes); 8 | 9 | if (!bytes) 10 | return 0; 11 | 12 | PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, 0x454E4F45); // 'ENON' 13 | 14 | status = ZwQuerySystemInformation(SystemModuleInformation, modules, bytes, &bytes); 15 | 16 | if (!NT_SUCCESS(status)) 17 | return 0; 18 | 19 | PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules; 20 | PVOID module_base = 0, module_size = 0; 21 | 22 | for (ULONG i = 0; i < modules->NumberOfModules; i++) 23 | { 24 | if (strcmp((char*)module[i].FullPathName, module_name) == 0) 25 | { 26 | module_base = module[i].ImageBase; 27 | module_size = (PVOID)module[i].ImageSize; 28 | break; 29 | } 30 | } 31 | 32 | if (modules) 33 | ExFreePoolWithTag(modules, 0); 34 | 35 | if (module_base <= 0) 36 | return 0; 37 | 38 | return module_base; 39 | } 40 | 41 | ULONG64 get_module_base_x64(PEPROCESS proc) { 42 | return (ULONG64)PsGetProcessSectionBaseAddress(proc); 43 | } 44 | 45 | HANDLE get_process_id(const char* process_name) { 46 | ULONG buffer_size = 0; 47 | ZwQuerySystemInformation(SystemProcessInformation, NULL, NULL, &buffer_size); 48 | 49 | auto buffer = ExAllocatePoolWithTag(NonPagedPool, buffer_size, 'mder'); 50 | if (!buffer) { 51 | DbgPrintEx(0, 0, "failed to allocate pool (get_process_id)"); 52 | return 0; 53 | } 54 | 55 | ANSI_STRING process_name_ansi = {}; 56 | UNICODE_STRING process_name_unicode = {}; 57 | RtlInitAnsiString(&process_name_ansi, process_name); 58 | if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&process_name_unicode, &process_name_ansi, TRUE))) { 59 | DbgPrintEx(0, 0, "failed to convert string (get_process_id)"); 60 | RtlFreeUnicodeString(&process_name_unicode); 61 | return 0; 62 | } 63 | 64 | auto process_info = (PSYSTEM_PROCESS_INFO)buffer; 65 | if (NT_SUCCESS(ZwQuerySystemInformation(SystemProcessInformation, process_info, buffer_size, NULL))) { 66 | while (process_info->NextEntryOffset) { 67 | if (!RtlCompareUnicodeString(&process_name_unicode, &process_info->ImageName, true)) { 68 | DbgPrintEx(0, 0, "process name: %wZ | process ID: %d\n", process_info->ImageName, process_info->UniqueProcessId); 69 | RtlFreeUnicodeString(&process_name_unicode); 70 | return process_info->UniqueProcessId; 71 | } 72 | process_info = (PSYSTEM_PROCESS_INFO)((BYTE*)process_info + process_info->NextEntryOffset); 73 | } 74 | } 75 | else { 76 | ExFreePoolWithTag(buffer, 'mder'); 77 | return 0; 78 | } 79 | } 80 | 81 | PVOID get_system_module_export(const char* module_name, LPCSTR routine_name) 82 | { 83 | PVOID lpModule = memory::get_system_module_base(module_name); 84 | 85 | if (!lpModule) 86 | return NULL; 87 | 88 | return RtlFindExportedRoutineByName(lpModule, routine_name); 89 | } 90 | 91 | bool write_to_read_only_memory(void* address, void* buffer, size_t size) { 92 | 93 | PMDL Mdl = IoAllocateMdl(address, size, FALSE, FALSE, NULL); 94 | 95 | if (!Mdl) 96 | return false; 97 | 98 | // Locking and mapping memory with RW-rights: 99 | MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess); 100 | PVOID Mapping = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmNonCached, NULL, FALSE, NormalPagePriority); 101 | MmProtectMdlSystemAddress(Mdl, PAGE_READWRITE); 102 | 103 | // Write your buffer to mapping: 104 | RtlCopyMemory(Mapping, buffer, size); 105 | 106 | // Resources freeing: 107 | MmUnmapLockedPages(Mapping, Mdl); 108 | MmUnlockPages(Mdl); 109 | IoFreeMdl(Mdl); 110 | 111 | return true; 112 | } 113 | 114 | bool call_kernel_function(void* kernel_function_address) { 115 | if (!kernel_function_address) 116 | return false; 117 | 118 | PVOID* dxgk_routine 119 | = reinterpret_cast(memory::get_system_module_export("\\SystemRoot\\System32\\drivers\\dxgkrnl.sys", "NtOpenCompositionSurfaceSectionInfo")); 120 | 121 | if (!dxgk_routine) { 122 | return false; 123 | } 124 | 125 | BYTE dxgk_original[] = { 0x4C, 0x8B, 0xDC, 0x49, 0x89, 0x5B, 0x18, 0x4D, 0x89, 0x4B, 0x20, 0x49, 0x89, 0x4B, 0x08 }; 126 | 127 | BYTE shell_code_start[] 128 | { 129 | 0x48, 0xB8 // mov rax, [xxx] 130 | }; 131 | 132 | BYTE shell_code_end[] 133 | { 134 | 0xFF, 0xE0, // jmp rax 135 | 0xCC // 136 | }; 137 | 138 | RtlSecureZeroMemory(&dxgk_original, sizeof(dxgk_original)); 139 | memcpy((PVOID)((ULONG_PTR)dxgk_original), &shell_code_start, sizeof(shell_code_start)); 140 | uintptr_t test_address = reinterpret_cast(kernel_function_address); 141 | memcpy((PVOID)((ULONG_PTR)dxgk_original + sizeof(shell_code_start)), &test_address, sizeof(void*)); 142 | memcpy((PVOID)((ULONG_PTR)dxgk_original + sizeof(shell_code_start) + sizeof(void*)), &shell_code_end, sizeof(shell_code_end)); 143 | write_to_read_only_memory(dxgk_routine, &dxgk_original, sizeof(dxgk_original)); 144 | 145 | return true; 146 | } 147 | 148 | bool read_kernel_memory(HANDLE pid, PVOID address, PVOID buffer, SIZE_T size) { 149 | if (!address || !buffer || !size) 150 | return false; 151 | 152 | SIZE_T bytes = 0; 153 | PEPROCESS process; 154 | if (!NT_SUCCESS(PsLookupProcessByProcessId(pid, &process))) { 155 | DbgPrintEx(0, 0, "process lookup failed (read)"); 156 | return false; 157 | } 158 | 159 | return MmCopyVirtualMemory(process, address, PsGetCurrentProcess(), buffer, size, KernelMode, &bytes) == STATUS_SUCCESS; 160 | } 161 | 162 | bool write_kernel_memory(HANDLE pid, PVOID address, PVOID buffer, SIZE_T size) { 163 | if (!address || !buffer || !size) 164 | return false; 165 | 166 | SIZE_T bytes = 0; 167 | PEPROCESS process; 168 | if (!NT_SUCCESS(PsLookupProcessByProcessId(pid, &process))) { 169 | DbgPrintEx(0, 0, "process lookup failed (write)"); 170 | return false; 171 | } 172 | 173 | return MmCopyVirtualMemory(PsGetCurrentProcess(), address, process, buffer, size, KernelMode, &bytes) == STATUS_SUCCESS; 174 | } 175 | 176 | NTSTATUS protect_virtual_memory(HANDLE pid, PVOID address, ULONG size, ULONG protection, ULONG& protection_out) 177 | { 178 | if (!pid || !address || !size || !protection) 179 | return STATUS_INVALID_PARAMETER; 180 | 181 | NTSTATUS status = STATUS_SUCCESS; 182 | PEPROCESS target_process = nullptr; 183 | 184 | if (!NT_SUCCESS(PsLookupProcessByProcessId(reinterpret_cast(pid), &target_process))) 185 | { 186 | return STATUS_NOT_FOUND; 187 | } 188 | 189 | //PVOID address = reinterpret_cast( memory_struct->address ); 190 | //ULONG size = (ULONG)( memory_struct->size ); 191 | //ULONG protection = memory_struct->protection; 192 | ULONG protection_old = 0; 193 | 194 | KAPC_STATE state; 195 | KeStackAttachProcess(target_process, &state); 196 | 197 | status = ZwProtectVirtualMemory(NtCurrentProcess(), &address, &size, protection, &protection_old); 198 | 199 | KeUnstackDetachProcess(&state); 200 | 201 | if (NT_SUCCESS(status)) 202 | protection_out = protection_old; 203 | 204 | ObDereferenceObject(target_process); 205 | return status; 206 | } 207 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | [Ll]ogs/ 34 | 35 | # Visual Studio 2015/2017 cache/options directory 36 | .vs/ 37 | # Uncomment if you have tasks that create the project's static files in wwwroot 38 | #wwwroot/ 39 | 40 | # Visual Studio 2017 auto generated files 41 | Generated\ Files/ 42 | 43 | # MSTest test Results 44 | [Tt]est[Rr]esult*/ 45 | [Bb]uild[Ll]og.* 46 | 47 | # NUnit 48 | *.VisualState.xml 49 | TestResult.xml 50 | nunit-*.xml 51 | 52 | # Build Results of an ATL Project 53 | [Dd]ebugPS/ 54 | [Rr]eleasePS/ 55 | dlldata.c 56 | 57 | # Benchmark Results 58 | BenchmarkDotNet.Artifacts/ 59 | 60 | # .NET Core 61 | project.lock.json 62 | project.fragment.lock.json 63 | artifacts/ 64 | 65 | # ASP.NET Scaffolding 66 | ScaffoldingReadMe.txt 67 | 68 | # StyleCop 69 | StyleCopReport.xml 70 | 71 | # Files built by Visual Studio 72 | *_i.c 73 | *_p.c 74 | *_h.h 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.vspscc 94 | *.vssscc 95 | .builds 96 | *.pidb 97 | *.svclog 98 | *.scc 99 | 100 | # Chutzpah Test files 101 | _Chutzpah* 102 | 103 | # Visual C++ cache files 104 | ipch/ 105 | *.aps 106 | *.ncb 107 | *.opendb 108 | *.opensdf 109 | *.sdf 110 | *.cachefile 111 | *.VC.db 112 | *.VC.VC.opendb 113 | 114 | # Visual Studio profiler 115 | *.psess 116 | *.vsp 117 | *.vspx 118 | *.sap 119 | 120 | # Visual Studio Trace Files 121 | *.e2e 122 | 123 | # TFS 2012 Local Workspace 124 | $tf/ 125 | 126 | # Guidance Automation Toolkit 127 | *.gpState 128 | 129 | # ReSharper is a .NET coding add-in 130 | _ReSharper*/ 131 | *.[Rr]e[Ss]harper 132 | *.DotSettings.user 133 | 134 | # TeamCity is a build add-in 135 | _TeamCity* 136 | 137 | # DotCover is a Code Coverage Tool 138 | *.dotCover 139 | 140 | # AxoCover is a Code Coverage Tool 141 | .axoCover/* 142 | !.axoCover/settings.json 143 | 144 | # Coverlet is a free, cross platform Code Coverage Tool 145 | coverage*.json 146 | coverage*.xml 147 | coverage*.info 148 | 149 | # Visual Studio code coverage results 150 | *.coverage 151 | *.coveragexml 152 | 153 | # NCrunch 154 | _NCrunch_* 155 | .*crunch*.local.xml 156 | nCrunchTemp_* 157 | 158 | # MightyMoose 159 | *.mm.* 160 | AutoTest.Net/ 161 | 162 | # Web workbench (sass) 163 | .sass-cache/ 164 | 165 | # Installshield output folder 166 | [Ee]xpress/ 167 | 168 | # DocProject is a documentation generator add-in 169 | DocProject/buildhelp/ 170 | DocProject/Help/*.HxT 171 | DocProject/Help/*.HxC 172 | DocProject/Help/*.hhc 173 | DocProject/Help/*.hhk 174 | DocProject/Help/*.hhp 175 | DocProject/Help/Html2 176 | DocProject/Help/html 177 | 178 | # Click-Once directory 179 | publish/ 180 | 181 | # Publish Web Output 182 | *.[Pp]ublish.xml 183 | *.azurePubxml 184 | # Note: Comment the next line if you want to checkin your web deploy settings, 185 | # but database connection strings (with potential passwords) will be unencrypted 186 | *.pubxml 187 | *.publishproj 188 | 189 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 190 | # checkin your Azure Web App publish settings, but sensitive information contained 191 | # in these scripts will be unencrypted 192 | PublishScripts/ 193 | 194 | # NuGet Packages 195 | *.nupkg 196 | # NuGet Symbol Packages 197 | *.snupkg 198 | # The packages folder can be ignored because of Package Restore 199 | **/[Pp]ackages/* 200 | # except build/, which is used as an MSBuild target. 201 | !**/[Pp]ackages/build/ 202 | # Uncomment if necessary however generally it will be regenerated when needed 203 | #!**/[Pp]ackages/repositories.config 204 | # NuGet v3's project.json files produces more ignorable files 205 | *.nuget.props 206 | *.nuget.targets 207 | 208 | # Microsoft Azure Build Output 209 | csx/ 210 | *.build.csdef 211 | 212 | # Microsoft Azure Emulator 213 | ecf/ 214 | rcf/ 215 | 216 | # Windows Store app package directories and files 217 | AppPackages/ 218 | BundleArtifacts/ 219 | Package.StoreAssociation.xml 220 | _pkginfo.txt 221 | *.appx 222 | *.appxbundle 223 | *.appxupload 224 | 225 | # Visual Studio cache files 226 | # files ending in .cache can be ignored 227 | *.[Cc]ache 228 | # but keep track of directories ending in .cache 229 | !?*.[Cc]ache/ 230 | 231 | # Others 232 | ClientBin/ 233 | ~$* 234 | *~ 235 | *.dbmdl 236 | *.dbproj.schemaview 237 | *.jfm 238 | *.pfx 239 | *.publishsettings 240 | orleans.codegen.cs 241 | 242 | # Including strong name files can present a security risk 243 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 244 | #*.snk 245 | 246 | # Since there are multiple workflows, uncomment next line to ignore bower_components 247 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 248 | #bower_components/ 249 | 250 | # RIA/Silverlight projects 251 | Generated_Code/ 252 | 253 | # Backup & report files from converting an old project file 254 | # to a newer Visual Studio version. Backup files are not needed, 255 | # because we have git ;-) 256 | _UpgradeReport_Files/ 257 | Backup*/ 258 | UpgradeLog*.XML 259 | UpgradeLog*.htm 260 | ServiceFabricBackup/ 261 | *.rptproj.bak 262 | 263 | # SQL Server files 264 | *.mdf 265 | *.ldf 266 | *.ndf 267 | 268 | # Business Intelligence projects 269 | *.rdl.data 270 | *.bim.layout 271 | *.bim_*.settings 272 | *.rptproj.rsuser 273 | *- [Bb]ackup.rdl 274 | *- [Bb]ackup ([0-9]).rdl 275 | *- [Bb]ackup ([0-9][0-9]).rdl 276 | 277 | # Microsoft Fakes 278 | FakesAssemblies/ 279 | 280 | # GhostDoc plugin setting file 281 | *.GhostDoc.xml 282 | 283 | # Node.js Tools for Visual Studio 284 | .ntvs_analysis.dat 285 | node_modules/ 286 | 287 | # Visual Studio 6 build log 288 | *.plg 289 | 290 | # Visual Studio 6 workspace options file 291 | *.opt 292 | 293 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 294 | *.vbw 295 | 296 | # Visual Studio LightSwitch build output 297 | **/*.HTMLClient/GeneratedArtifacts 298 | **/*.DesktopClient/GeneratedArtifacts 299 | **/*.DesktopClient/ModelManifest.xml 300 | **/*.Server/GeneratedArtifacts 301 | **/*.Server/ModelManifest.xml 302 | _Pvt_Extensions 303 | 304 | # Paket dependency manager 305 | .paket/paket.exe 306 | paket-files/ 307 | 308 | # FAKE - F# Make 309 | .fake/ 310 | 311 | # CodeRush personal settings 312 | .cr/personal 313 | 314 | # Python Tools for Visual Studio (PTVS) 315 | __pycache__/ 316 | *.pyc 317 | 318 | # Cake - Uncomment if you are using it 319 | # tools/** 320 | # !tools/packages.config 321 | 322 | # Tabs Studio 323 | *.tss 324 | 325 | # Telerik's JustMock configuration file 326 | *.jmconfig 327 | 328 | # BizTalk build output 329 | *.btp.cs 330 | *.btm.cs 331 | *.odx.cs 332 | *.xsd.cs 333 | 334 | # OpenCover UI analysis results 335 | OpenCover/ 336 | 337 | # Azure Stream Analytics local run output 338 | ASALocalRun/ 339 | 340 | # MSBuild Binary and Structured Log 341 | *.binlog 342 | 343 | # NVidia Nsight GPU debugger configuration file 344 | *.nvuser 345 | 346 | # MFractors (Xamarin productivity tool) working folder 347 | .mfractor/ 348 | 349 | # Local History for Visual Studio 350 | .localhistory/ 351 | 352 | # BeatPulse healthcheck temp database 353 | healthchecksdb 354 | 355 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 356 | MigrationBackup/ 357 | 358 | # Ionide (cross platform F# VS Code tools) working folder 359 | .ionide/ 360 | 361 | # Fody - auto-generated XML schema 362 | FodyWeavers.xsd 363 | -------------------------------------------------------------------------------- /modern_warfare_driver/core/utils/imports.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | typedef struct PiDDBCacheEntry 9 | { 10 | LIST_ENTRY List; 11 | UNICODE_STRING DriverName; 12 | ULONG TimeDateStamp; 13 | NTSTATUS LoadStatus; 14 | char _0x0028[16]; 15 | }PIDCacheobj; 16 | 17 | #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 18 | 19 | typedef struct _IMAGE_DATA_DIRECTORY 20 | { 21 | ULONG VirtualAddress; 22 | ULONG Size; 23 | } IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY; 24 | 25 | typedef struct _IMAGE_OPTIONAL_HEADER64 26 | { 27 | USHORT Magic; 28 | UCHAR MajorLinkerVersion; 29 | UCHAR MinorLinkerVersion; 30 | ULONG SizeOfCode; 31 | ULONG SizeOfInitializedData; 32 | ULONG SizeOfUninitializedData; 33 | ULONG AddressOfEntryPoint; 34 | ULONG BaseOfCode; 35 | ULONGLONG ImageBase; 36 | ULONG SectionAlignment; 37 | ULONG FileAlignment; 38 | USHORT MajorOperatingSystemVersion; 39 | USHORT MinorOperatingSystemVersion; 40 | USHORT MajorImageVersion; 41 | USHORT MinorImageVersion; 42 | USHORT MajorSubsystemVersion; 43 | USHORT MinorSubsystemVersion; 44 | ULONG Win32VersionValue; 45 | ULONG SizeOfImage; 46 | ULONG SizeOfHeaders; 47 | ULONG CheckSum; 48 | USHORT Subsystem; 49 | USHORT DllCharacteristics; 50 | ULONGLONG SizeOfStackReserve; 51 | ULONGLONG SizeOfStackCommit; 52 | ULONGLONG SizeOfHeapReserve; 53 | ULONGLONG SizeOfHeapCommit; 54 | ULONG LoaderFlags; 55 | ULONG NumberOfRvaAndSizes; 56 | struct _IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; 57 | } IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64; 58 | 59 | typedef struct _IMAGE_FILE_HEADER 60 | { 61 | USHORT Machine; 62 | USHORT NumberOfSections; 63 | ULONG TimeDateStamp; 64 | ULONG PointerToSymbolTable; 65 | ULONG NumberOfSymbols; 66 | USHORT SizeOfOptionalHeader; 67 | USHORT Characteristics; 68 | } IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER; 69 | 70 | typedef struct _IMAGE_NT_HEADERS64 71 | { 72 | ULONG Signature; 73 | struct _IMAGE_FILE_HEADER FileHeader; 74 | struct _IMAGE_OPTIONAL_HEADER64 OptionalHeader; 75 | } IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64; 76 | 77 | typedef struct _IMAGE_SECTION_HEADER 78 | { 79 | UCHAR Name[8]; 80 | union 81 | { 82 | ULONG PhysicalAddress; 83 | ULONG VirtualSize; 84 | } Misc; 85 | ULONG VirtualAddress; 86 | ULONG SizeOfRawData; 87 | ULONG PointerToRawData; 88 | ULONG PointerToRelocations; 89 | ULONG PointerToLinenumbers; 90 | USHORT NumberOfRelocations; 91 | USHORT NumberOfLinenumbers; 92 | ULONG Characteristics; 93 | } IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER; 94 | 95 | extern "C" NTSYSAPI 96 | PIMAGE_NT_HEADERS 97 | NTAPI 98 | RtlImageNtHeader(PVOID Base); 99 | 100 | 101 | typedef enum _SYSTEM_INFORMATION_CLASS 102 | { 103 | SystemBasicInformation, 104 | SystemProcessorInformation, 105 | SystemPerformanceInformation, 106 | SystemTimeOfDayInformation, 107 | SystemPathInformation, 108 | SystemProcessInformation, 109 | SystemCallCountInformation, 110 | SystemDeviceInformation, 111 | SystemProcessorPerformanceInformation, 112 | SystemFlagsInformation, 113 | SystemCallTimeInformation, 114 | SystemModuleInformation = 0x0B 115 | } SYSTEM_INFORMATION_CLASS, 116 | * PSYSTEM_INFORMATION_CLASS; 117 | 118 | typedef struct _SYSTEM_PROCESS_INFO 119 | { 120 | ULONG NextEntryOffset; 121 | ULONG NumberOfThreads; 122 | LARGE_INTEGER WorkingSetPrivateSize; 123 | ULONG HardFaultCount; 124 | ULONG NumberOfThreadsHighWatermark; 125 | ULONGLONG CycleTime; 126 | LARGE_INTEGER CreateTime; 127 | LARGE_INTEGER UserTime; 128 | LARGE_INTEGER KernelTime; 129 | UNICODE_STRING ImageName; 130 | KPRIORITY BasePriority; 131 | HANDLE UniqueProcessId; 132 | HANDLE InheritedFromUniqueProcessId; 133 | ULONG HandleCount; 134 | ULONG SessionId; 135 | ULONG_PTR UniqueProcessKey; 136 | SIZE_T PeakVirtualSize; 137 | SIZE_T VirtualSize; 138 | ULONG PageFaultCount; 139 | SIZE_T PeakWorkingSetSize; 140 | SIZE_T WorkingSetSize; 141 | SIZE_T QuotaPeakPagedPoolUsage; 142 | SIZE_T QuotaPagedPoolUsage; 143 | SIZE_T QuotaPeakNonPagedPoolUsage; 144 | SIZE_T QuotaNonPagedPoolUsage; 145 | SIZE_T PagefileUsage; 146 | SIZE_T PeakPagefileUsage; 147 | SIZE_T PrivatePageCount; 148 | LARGE_INTEGER ReadOperationCount; 149 | LARGE_INTEGER WriteOperationCount; 150 | LARGE_INTEGER OtherOperationCount; 151 | LARGE_INTEGER ReadTransferCount; 152 | LARGE_INTEGER WriteTransferCount; 153 | LARGE_INTEGER OtherTransferCount; 154 | }SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO; 155 | 156 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 157 | { 158 | HANDLE Section; 159 | PVOID MappedBase; 160 | PVOID ImageBase; 161 | ULONG ImageSize; 162 | ULONG Flags; 163 | USHORT LoadOrderIndex; 164 | USHORT InitOrderIndex; 165 | USHORT LoadCount; 166 | USHORT OffsetToFileName; 167 | UCHAR FullPathName[256]; 168 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION; 169 | 170 | typedef struct _RTL_PROCESS_MODULES 171 | { 172 | ULONG NumberOfModules; 173 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 174 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 175 | 176 | typedef struct _PEB_LDR_DATA { 177 | ULONG Length; 178 | BOOLEAN Initialized; 179 | PVOID SsHandle; 180 | LIST_ENTRY ModuleListLoadOrder; 181 | LIST_ENTRY ModuleListMemoryOrder; 182 | LIST_ENTRY ModuleListInitOrder; 183 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 184 | 185 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 186 | BYTE Reserved1[16]; 187 | PVOID Reserved2[10]; 188 | UNICODE_STRING ImagePathName; 189 | UNICODE_STRING CommandLine; 190 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 191 | 192 | typedef void(__stdcall* PPS_POST_PROCESS_INIT_ROUTINE)(void); // not exported 193 | 194 | typedef struct _PEB { 195 | BYTE Reserved1[2]; 196 | BYTE BeingDebugged; 197 | BYTE Reserved2[1]; 198 | PVOID Reserved3[2]; 199 | PPEB_LDR_DATA Ldr; 200 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 201 | PVOID Reserved4[3]; 202 | PVOID AtlThunkSListPtr; 203 | PVOID Reserved5; 204 | ULONG Reserved6; 205 | PVOID Reserved7; 206 | ULONG Reserved8; 207 | ULONG AtlThunkSListPtr32; 208 | PVOID Reserved9[45]; 209 | BYTE Reserved10[96]; 210 | PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; 211 | BYTE Reserved11[128]; 212 | PVOID Reserved12[1]; 213 | ULONG SessionId; 214 | } PEB, * PPEB; 215 | 216 | typedef struct _LDR_DATA_TABLE_ENTRY { 217 | LIST_ENTRY InLoadOrderModuleList; 218 | LIST_ENTRY InMemoryOrderModuleList; 219 | LIST_ENTRY InInitializationOrderModuleList; 220 | PVOID DllBase; 221 | PVOID EntryPoint; 222 | ULONG SizeOfImage; // in bytes 223 | UNICODE_STRING FullDllName; 224 | UNICODE_STRING BaseDllName; 225 | ULONG Flags; // LDR_* 226 | USHORT LoadCount; 227 | USHORT TlsIndex; 228 | LIST_ENTRY HashLinks; 229 | PVOID SectionPointer; 230 | ULONG CheckSum; 231 | ULONG TimeDateStamp; 232 | // PVOID LoadedImports; 233 | // // seems they are exist only on XP !!! PVOID 234 | // EntryPointActivationContext; // -same- 235 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 236 | 237 | extern "C" __declspec(dllimport) NTSTATUS NTAPI ZwProtectVirtualMemory 238 | ( 239 | HANDLE ProcessHandle, 240 | PVOID* BaseAddress, 241 | PULONG ProtectSize, 242 | ULONG NewProtect, 243 | PULONG OldProtect 244 | ); 245 | 246 | extern "C" NTKERNELAPI PVOID NTAPI RtlFindExportedRoutineByName(_In_ PVOID ImageBase, _In_ PCCH RoutineName); 247 | 248 | extern "C" NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength); 249 | 250 | extern "C" NTKERNELAPI PPEB PsGetProcessPeb(IN PEPROCESS Process); 251 | 252 | extern "C" NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID Base); 253 | 254 | extern "C" NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process); 255 | 256 | extern "C" NTSTATUS NTAPI MmCopyVirtualMemory 257 | ( 258 | PEPROCESS SourceProcess, 259 | PVOID SourceAddress, 260 | PEPROCESS TargetProcess, 261 | PVOID TargetAddress, 262 | SIZE_T BufferSize, 263 | KPROCESSOR_MODE PreviousMode, 264 | PSIZE_T ReturnSize 265 | ); 266 | 267 | typedef struct _COPY_MEMORY { 268 | void* buffer; 269 | ULONG64 address; 270 | ULONG size; 271 | HANDLE pid; 272 | bool get_pid; 273 | bool base; 274 | bool peb; 275 | bool read; 276 | bool write; 277 | const char* module_name; 278 | const char* process_name; 279 | }COPY_MEMORY; -------------------------------------------------------------------------------- /modern_warfare/core/utils/xor.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | /* 3 | * Copyright 2017 - 2018 Justas Masiulis 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * http://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | #define JM_XORSTR_DISABLE_AVX_INTRINSICS 1 19 | 20 | #ifndef JM_XORSTR_HPP 21 | #define JM_XORSTR_HPP 22 | 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | #define xorstr(str) \ 29 | ::jm::make_xorstr( \ 30 | []() { return str; }, \ 31 | std::make_index_sequence{}, \ 32 | std::make_index_sequence<::jm::detail::_buffer_size()>{}) 33 | #define xorstr_(str) xorstr(str).crypt_get() 34 | 35 | #ifdef _MSC_VER 36 | #define XORSTR_FORCEINLINE __forceinline 37 | #else 38 | #define XORSTR_FORCEINLINE __attribute__((always_inline)) 39 | #endif 40 | 41 | // you can define this macro to get possibly faster code on gcc/clang 42 | // at the expense of constants being put into data section. 43 | #if !defined(XORSTR_ALLOW_DATA) 44 | // MSVC - no volatile 45 | // GCC and clang - volatile everywhere 46 | #if defined(__clang__) || defined(__GNUC__) 47 | #define XORSTR_VOLATILE volatile 48 | #endif 49 | 50 | #endif 51 | #ifndef XORSTR_VOLATILE 52 | #define XORSTR_VOLATILE 53 | #endif 54 | 55 | namespace jm { 56 | 57 | namespace detail { 58 | 59 | template 60 | struct unsigned_; 61 | 62 | template<> 63 | struct unsigned_<1> { 64 | using type = std::uint8_t; 65 | }; 66 | template<> 67 | struct unsigned_<2> { 68 | using type = std::uint16_t; 69 | }; 70 | template<> 71 | struct unsigned_<4> { 72 | using type = std::uint32_t; 73 | }; 74 | 75 | template 76 | struct pack_value_type { 77 | using type = decltype(C); 78 | }; 79 | 80 | template 81 | constexpr std::size_t _buffer_size() 82 | { 83 | return ((Size / 16) + (Size % 16 != 0)) * 2; 84 | } 85 | 86 | template 87 | struct tstring_ { 88 | using value_type = typename pack_value_type::type; 89 | constexpr static std::size_t size = sizeof...(Cs); 90 | constexpr static value_type str[size] = { Cs... }; 91 | 92 | constexpr static std::size_t buffer_size = _buffer_size(); 93 | constexpr static std::size_t buffer_align = 94 | #ifndef JM_XORSTR_DISABLE_AVX_INTRINSICS 95 | ((sizeof(str) > 16) ? 32 : 16); 96 | #else 97 | 16; 98 | #endif 99 | }; 100 | 101 | template 102 | struct _ki { 103 | constexpr static std::size_t idx = I; 104 | constexpr static std::uint64_t key = K; 105 | }; 106 | 107 | template 108 | constexpr std::uint32_t key4() noexcept 109 | { 110 | std::uint32_t value = Seed; 111 | for (char c : __TIME__) 112 | value = static_cast((value ^ c) * 16777619ull); 113 | return value; 114 | } 115 | 116 | template 117 | constexpr std::uint64_t key8() 118 | { 119 | constexpr auto first_part = key4<2166136261 + S>(); 120 | constexpr auto second_part = key4(); 121 | return (static_cast(first_part) << 32) | second_part; 122 | } 123 | 124 | // clang and gcc try really hard to place the constants in data 125 | // sections. to counter that there was a need to create an intermediate 126 | // constexpr string and then copy it into a non constexpr container with 127 | // volatile storage so that the constants would be placed directly into 128 | // code. 129 | template 130 | struct string_storage { 131 | std::uint64_t storage[T::buffer_size]; 132 | 133 | XORSTR_FORCEINLINE constexpr string_storage() noexcept : storage{ Keys... } 134 | { 135 | using cast_type = 136 | typename unsigned_::type; 137 | constexpr auto value_size = sizeof(typename T::value_type); 138 | // puts the string into 64 bit integer blocks in a constexpr 139 | // fashion 140 | for (std::size_t i = 0; i < T::size; ++i) 141 | storage[i / (8 / value_size)] ^= 142 | (std::uint64_t{ static_cast(T::str[i]) } 143 | << ((i % (8 / value_size)) * 8 * value_size)); 144 | } 145 | }; 146 | 147 | } // namespace detail 148 | 149 | template 150 | class xor_string { 151 | alignas(T::buffer_align) std::uint64_t _storage[T::buffer_size]; 152 | 153 | // _single functions needed because MSVC crashes without them 154 | XORSTR_FORCEINLINE void _crypt_256_single(const std::uint64_t* keys, 155 | std::uint64_t* storage) noexcept 156 | 157 | { 158 | _mm256_store_si256( 159 | reinterpret_cast<__m256i*>(storage), 160 | _mm256_xor_si256( 161 | _mm256_load_si256(reinterpret_cast(storage)), 162 | _mm256_load_si256(reinterpret_cast(keys)))); 163 | } 164 | 165 | template 166 | XORSTR_FORCEINLINE void _crypt_256(const std::uint64_t* keys, 167 | std::index_sequence) noexcept 168 | { 169 | (_crypt_256_single(keys + Idxs * 4, _storage + Idxs * 4), ...); 170 | } 171 | 172 | XORSTR_FORCEINLINE void _crypt_128_single(const std::uint64_t* keys, 173 | std::uint64_t* storage) noexcept 174 | { 175 | _mm_store_si128( 176 | reinterpret_cast<__m128i*>(storage), 177 | _mm_xor_si128(_mm_load_si128(reinterpret_cast(storage)), 178 | _mm_load_si128(reinterpret_cast(keys)))); 179 | } 180 | 181 | template 182 | XORSTR_FORCEINLINE void _crypt_128(const std::uint64_t* keys, 183 | std::index_sequence) noexcept 184 | { 185 | (_crypt_128_single(keys + Idxs * 2, _storage + Idxs * 2), ...); 186 | } 187 | 188 | // loop generates vectorized code which places constants in data dir 189 | XORSTR_FORCEINLINE constexpr void _copy() noexcept 190 | { 191 | constexpr detail::string_storage storage; 192 | static_cast(std::initializer_list{ 193 | (const_cast(_storage))[Keys::idx] = 194 | storage.storage[Keys::idx]... }); 195 | } 196 | 197 | public: 198 | using value_type = typename T::value_type; 199 | using size_type = std::size_t; 200 | using pointer = value_type *; 201 | using const_pointer = const pointer; 202 | 203 | XORSTR_FORCEINLINE xor_string() noexcept { _copy(); } 204 | 205 | XORSTR_FORCEINLINE constexpr size_type size() const noexcept 206 | { 207 | return T::size - 1; 208 | } 209 | 210 | XORSTR_FORCEINLINE void crypt() noexcept 211 | { 212 | alignas(T::buffer_align) std::uint64_t keys[T::buffer_size]; 213 | static_cast(std::initializer_list{ 214 | (const_cast(keys))[Keys::idx] = 215 | Keys::key... }); 216 | 217 | _copy(); 218 | 219 | #ifndef JM_XORSTR_DISABLE_AVX_INTRINSICS 220 | _crypt_256(keys, std::make_index_sequence{}); 221 | if constexpr (T::buffer_size % 4 != 0) 222 | _crypt_128(keys, std::index_sequence{}); 223 | #else 224 | _crypt_128(keys, std::make_index_sequence{}); 225 | #endif 226 | } 227 | 228 | XORSTR_FORCEINLINE const_pointer get() const noexcept 229 | { 230 | return reinterpret_cast(_storage); 231 | } 232 | 233 | XORSTR_FORCEINLINE const_pointer crypt_get() noexcept 234 | { 235 | crypt(); 236 | return reinterpret_cast(_storage); 237 | } 238 | }; 239 | 240 | template 241 | XORSTR_FORCEINLINE constexpr auto 242 | make_xorstr(Tstr str_lambda, 243 | std::index_sequence, 244 | std::index_sequence) noexcept 245 | { 246 | return xor_string, 247 | detail::_ki()>...>{}; 248 | } 249 | 250 | } // namespace jm 251 | 252 | #endif // include guard -------------------------------------------------------------------------------- /modern_warfare/modern_warfare.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {4a69fc80-8531-4350-b836-a1076d2fd136} 25 | modernwarfare 26 | 10.0 27 | modern_warfare_client 28 | 29 | 30 | 31 | Application 32 | true 33 | v142 34 | Unicode 35 | 36 | 37 | Application 38 | false 39 | v142 40 | true 41 | Unicode 42 | 43 | 44 | Application 45 | true 46 | v142 47 | MultiByte 48 | 49 | 50 | Application 51 | false 52 | v142 53 | true 54 | MultiByte 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 | 78 | false 79 | 80 | 81 | true 82 | 83 | 84 | false 85 | 86 | 87 | 88 | Level3 89 | true 90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | true 92 | 93 | 94 | Console 95 | true 96 | 97 | 98 | 99 | 100 | Level3 101 | true 102 | true 103 | true 104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 105 | true 106 | 107 | 108 | Console 109 | true 110 | true 111 | true 112 | 113 | 114 | 115 | 116 | Level3 117 | true 118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 119 | true 120 | stdcpp17 121 | "SDK Path\Include" 122 | 123 | 124 | Console 125 | true 126 | "SDK Path\Lib" 127 | 128 | 129 | 130 | 131 | Level3 132 | true 133 | true 134 | true 135 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 136 | true 137 | stdcpp17 138 | "SDK Path\Include" 139 | 140 | 141 | Console 142 | true 143 | true 144 | true 145 | "SDK Path\Lib" 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /modern_warfare_driver/modern_warfare_driver.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {30EAC4AD-21EC-4982-B136-2BB9C1361551} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | modern_warfare_driver 45 | 10.0.20348.0 46 | 47 | 48 | 49 | Windows10 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | KMDF 54 | Universal 55 | 56 | 57 | Windows10 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | KMDF 62 | Universal 63 | 64 | 65 | Windows10 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | KMDF 70 | Universal 71 | Spectre 72 | 73 | 74 | Windows10 75 | false 76 | WindowsKernelModeDriver10.0 77 | Driver 78 | KMDF 79 | Universal 80 | Spectre 81 | 82 | 83 | Windows10 84 | true 85 | WindowsKernelModeDriver10.0 86 | Driver 87 | KMDF 88 | Universal 89 | 90 | 91 | Windows10 92 | false 93 | WindowsKernelModeDriver10.0 94 | Driver 95 | KMDF 96 | Universal 97 | 98 | 99 | Windows10 100 | true 101 | WindowsKernelModeDriver10.0 102 | Driver 103 | KMDF 104 | Universal 105 | 106 | 107 | Windows10 108 | false 109 | WindowsKernelModeDriver10.0 110 | Driver 111 | KMDF 112 | Universal 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | DbgengKernelDebugger 124 | 125 | 126 | DbgengKernelDebugger 127 | 128 | 129 | DbgengKernelDebugger 130 | true 131 | 132 | 133 | DbgengKernelDebugger 134 | 135 | 136 | DbgengKernelDebugger 137 | 138 | 139 | DbgengKernelDebugger 140 | 141 | 142 | DbgengKernelDebugger 143 | 144 | 145 | DbgengKernelDebugger 146 | 147 | 148 | 149 | stdcpp17 150 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.20348.0\km;%(AdditionalIncludeDirectories) 151 | TurnOffAllWarnings 152 | false 153 | false 154 | 155 | 156 | /INTEGRITYCHECK %(AdditionalOptions) 157 | real_entry 158 | 159 | 160 | 161 | 162 | C:\Program Files (x86)\Windows Kits\10\Include\10.0.20348.0\km;%(AdditionalIncludeDirectories) 163 | stdcpp17 164 | TurnOffAllWarnings 165 | false 166 | false 167 | 168 | 169 | /INTEGRITYCHECK %(AdditionalOptions) 170 | real_entry 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | -------------------------------------------------------------------------------- /modern_warfare/core/game/sdk.cpp: -------------------------------------------------------------------------------- 1 | #include "sdk.h" 2 | #include "..\driver\driver.h" 3 | #include "offsets.h" 4 | 5 | namespace sdk { 6 | HANDLE process_id = NULL; 7 | uintptr_t module_base = NULL; 8 | uintptr_t peb = NULL; 9 | HWND hwnd = NULL; 10 | 11 | uintptr_t client_info = NULL; 12 | uintptr_t client_info_base = NULL; 13 | 14 | BOOL CALLBACK enum_windows(HWND hwnd, LPARAM param) { 15 | DWORD process_id; 16 | GetWindowThreadProcessId(hwnd, &process_id); 17 | if (process_id == param) 18 | { 19 | sdk::hwnd = hwnd; 20 | return false; 21 | } 22 | return true; 23 | } 24 | 25 | void set_game_hwnd() { 26 | EnumWindows(enum_windows, (LPARAM)sdk::process_id); 27 | } 28 | 29 | bool in_game() { 30 | return driver::read(sdk::module_base + offsets::game_mode) > 1; 31 | } 32 | 33 | int player_count() { 34 | return driver::read(sdk::module_base + offsets::game_mode); 35 | } 36 | 37 | int local_index() { 38 | auto local_index = driver::read(sdk::client_info + offsets::local_index); 39 | return driver::read(local_index + 0x1FC); 40 | } 41 | 42 | bool player_t::is_valid() { 43 | return driver::read(address + offsets::player::valid); 44 | } 45 | 46 | bool player_t::dead() { 47 | auto dead1 = driver::read(address + offsets::player::dead_1); 48 | auto dead2 = driver::read(address + offsets::player::dead_2); 49 | return dead1 || dead2; 50 | } 51 | 52 | int player_t::team_id() { 53 | return driver::read(address + offsets::player::team_id); 54 | } 55 | 56 | vec3_t player_t::get_pos() { 57 | auto local_pos = driver::read(address + offsets::player::pos_info); 58 | return driver::read(local_pos + 0x40); 59 | } 60 | 61 | vec3_t get_camera_position() { 62 | auto camera = driver::read(sdk::module_base + offsets::camera_base); 63 | if (!camera) 64 | return {}; 65 | 66 | return driver::read(camera + offsets::camera_pos); 67 | } 68 | 69 | bool world_to_screen(vec3_t world_location, vec2_t& out, vec3_t camera_pos, int screen_width, int screen_height, vec2_t fov, vec3_t matricies[3]) { 70 | auto local = world_location - camera_pos; 71 | auto trans = vec3_t{ 72 | local.dot(matricies[1]), 73 | local.dot(matricies[2]), 74 | local.dot(matricies[0]) 75 | }; 76 | 77 | if (trans.z < 0.01f) { 78 | return false; 79 | } 80 | 81 | out.x = ((float)screen_width / 2.0) * (1.0 - (trans.x / fov.x / trans.z)); 82 | out.y = ((float)screen_height / 2.0) * (1.0 - (trans.y / fov.y / trans.z)); 83 | 84 | if (out.x < 1 || out.y < 1 || (out.x > sdk::ref_def.width) || (out.y > sdk::ref_def.height)) { 85 | return false; 86 | } 87 | 88 | return true; 89 | } 90 | 91 | bool w2s(vec3_t world_position, vec2_t& screen_position) { 92 | return world_to_screen(world_position, screen_position, get_camera_position(), ref_def.width, ref_def.height, ref_def.view.tan_half_fov, ref_def.view.axis); 93 | } 94 | 95 | float units_to_m(float units) { 96 | return units * 0.0254; 97 | } 98 | 99 | ref_def_t ref_def; 100 | } 101 | 102 | namespace decryption { 103 | uintptr_t get_client_info() { 104 | uint64_t RAX = 0, RBX = 0, RCX = 0, RDX = 0, R8 = 0, RDI = 0, RSI = 0, R9 = 0, R10 = 0, R11 = 0, R12 = 0, R13 = 0, R14 = 0, R15 = 0; 105 | 106 | RBX = driver::read(sdk::module_base + 0x17224118); 107 | R8 = sdk::peb; // mov r8,gs:[rax] 108 | RAX = sdk::module_base; 109 | RBX += RAX; 110 | RAX = RBX; 111 | RAX >>= 0x10; 112 | RBX ^= RAX; 113 | RAX = RBX; 114 | RCX = 0x0; 115 | RAX >>= 0x20; 116 | RAX ^= RBX; 117 | RCX = _rotl64(RCX, 0x10); 118 | RCX ^= driver::read(sdk::module_base + 0x660D10A); 119 | RCX = _byteswap_uint64(RCX); 120 | RBX = driver::read(RCX + 0x13); 121 | RBX *= RAX; 122 | RAX = 0x76D048452DCF6909; 123 | RBX -= R8; 124 | R8 = ~R8; 125 | RBX *= RAX; 126 | RAX = sdk::module_base + 0x2C8CD073; 127 | R8 += RAX; 128 | RBX ^= R8; 129 | return RBX; 130 | } 131 | 132 | uintptr_t get_client_info_base() { 133 | uint64_t RAX = 0, RBX = 0, RCX = 0, RDX = 0, RSP = 0, R8 = 0, RDI = 0, RSI = 0, R9 = 0, R10 = 0, R11 = 0, R12 = 0, R13 = 0, R14 = 0, R15 = 0; 134 | 135 | RAX = driver::read(sdk::client_info + offsets::client_base); 136 | RBX = sdk::peb; // mov rbx,gs:[rcx] 137 | // test rax,rax 138 | // je 00007FF77524D6C8h 139 | RCX = RBX; 140 | RCX <<= 0x21; 141 | RCX = _byteswap_uint64(RCX); 142 | RCX &= 0xF; 143 | // cmp rcx,0Eh 144 | // ja 00007FF77524D2A4h 145 | switch (RCX) { 146 | case 0: { 147 | R9 = driver::read(sdk::module_base + 0x660D140); 148 | RCX = 0x0; 149 | RCX = _rotl64(RCX, 0x10); 150 | RCX ^= R9; 151 | RCX = _byteswap_uint64(RCX); 152 | RAX *= driver::read(RCX + 0xB); 153 | RCX = RAX; 154 | RCX >>= 0x18; 155 | RAX ^= RCX; 156 | RCX = RAX; 157 | RCX >>= 0x30; 158 | RAX ^= RCX; 159 | RCX = sdk::module_base; 160 | RAX ^= RCX; 161 | RCX = RAX; 162 | RCX >>= 0x8; 163 | RAX ^= RCX; 164 | RCX = RAX; 165 | RCX >>= 0x10; 166 | RAX ^= RCX; 167 | RCX = RAX; 168 | RCX >>= 0x20; 169 | RAX ^= RCX; 170 | RCX = 0x345963FE4F9F5BC7; 171 | RAX *= RCX; 172 | RCX = 0x1BC0D0E9288C6DB3; 173 | RAX += RCX; 174 | RAX += RBX; 175 | RCX = sdk::module_base; 176 | RAX -= RCX; 177 | return RAX; 178 | } 179 | case 1: { 180 | R11 = sdk::module_base + 0x6064722A; 181 | R10 = driver::read(sdk::module_base + 0x660D140); 182 | RCX = RBX; 183 | RCX ^= R11; 184 | RAX -= RCX; 185 | RCX = RAX; 186 | RCX >>= 0x11; 187 | RAX ^= RCX; 188 | RCX = RAX; 189 | RCX >>= 0x22; 190 | RAX ^= RCX; 191 | RAX ^= RBX; 192 | RCX = sdk::module_base + 0x28AB; 193 | RCX = ~RCX; 194 | RCX -= RBX; 195 | RAX += RCX; 196 | RCX = 0x16A1C31B3D93A83F; 197 | RAX *= RCX; 198 | RCX = 0xD0C234BF8A55764B; 199 | RAX *= RCX; 200 | RCX = 0x0; 201 | RCX = _rotl64(RCX, 0x10); 202 | RCX ^= R10; 203 | RCX = _byteswap_uint64(RCX); 204 | RAX *= driver::read(RCX + 0xB); 205 | RCX = 0xB75E6F62B4DBBCC1; 206 | RAX *= RCX; 207 | return RAX; 208 | } 209 | case 2: { 210 | R14 = sdk::module_base + 0x30A5; 211 | R10 = driver::read(sdk::module_base + 0x660D140); 212 | RCX = RAX; 213 | RCX >>= 0x15; 214 | RAX ^= RCX; 215 | RCX = RAX; 216 | RCX >>= 0x2A; 217 | RAX ^= RCX; 218 | RCX = RBX; 219 | RCX = ~RCX; 220 | RCX ^= R14; 221 | RAX -= RCX; 222 | RCX = 0x0; 223 | RCX = _rotl64(RCX, 0x10); 224 | RCX ^= R10; 225 | RCX = _byteswap_uint64(RCX); 226 | RAX *= driver::read(RCX + 0xB); 227 | RCX = 0x5D11A30DE94FFEDE; 228 | RAX += RCX; 229 | RCX = RAX; 230 | RCX >>= 0x1B; 231 | RAX ^= RCX; 232 | RCX = RAX; 233 | RCX >>= 0x36; 234 | RAX ^= RCX; 235 | RAX ^= RBX; 236 | RCX = 0x1D2CA89A1A1BE3D9; 237 | RAX ^= RCX; 238 | RCX = 0xDD63D27B22050957; 239 | RAX *= RCX; 240 | return RAX; 241 | } 242 | case 3: { 243 | R14 = sdk::module_base + 0x7B3CDBC1; 244 | R10 = driver::read(sdk::module_base + 0x660D140); 245 | RDX = RBX; 246 | RDX = ~RDX; 247 | RCX = R14; 248 | RCX = ~RCX; 249 | RDX *= RCX; 250 | RAX += RDX; 251 | RCX = RAX; 252 | RCX >>= 0x26; 253 | RCX ^= RAX; 254 | RAX = RCX + RBX; 255 | RCX = sdk::module_base; 256 | RAX -= RCX; 257 | RAX -= 0x7736E4C5; 258 | RCX = 0xA4C7B3171334DA2E; 259 | RAX ^= RCX; 260 | RCX = 0x667B75570F23711D; 261 | RAX *= RCX; 262 | RCX = 0x7E05078E8B5B3EDA; 263 | RAX -= RCX; 264 | RCX = 0x0; 265 | RCX = _rotl64(RCX, 0x10); 266 | RCX ^= R10; 267 | RCX = _byteswap_uint64(RCX); 268 | RAX *= driver::read(RCX + 0xB); 269 | return RAX; 270 | } 271 | case 4: { 272 | R9 = driver::read(sdk::module_base + 0x660D140); 273 | RAX ^= RBX; 274 | RCX = 0x0; 275 | RCX = _rotl64(RCX, 0x10); 276 | RCX ^= R9; 277 | RCX = _byteswap_uint64(RCX); 278 | RCX = driver::read(RCX + 0xB); 279 | RSP = 0x64DE26759A457153; 280 | RCX *= RSP; 281 | RAX *= RCX; 282 | RCX = RAX; 283 | RCX >>= 0x24; 284 | RAX ^= RCX; 285 | RCX = 0x49AF5B2E74070925; 286 | RAX *= RCX; 287 | RCX = 0xB5CC279242DD0301; 288 | RAX *= RCX; 289 | return RAX; 290 | } 291 | case 5: { 292 | R11 = driver::read(sdk::module_base + 0x660D140); 293 | R15 = sdk::module_base + 0x6BA9; 294 | RDX = sdk::module_base + 0x5F9E55C9; 295 | RDX = ~RDX; 296 | RDX ^= RBX; 297 | RCX = RAX; 298 | RAX = 0xBF5978C960F6BB4B; 299 | RAX ^= RCX; 300 | RAX += RDX; 301 | RDX = sdk::module_base + 0x28877536; 302 | RCX = RAX; 303 | RCX >>= 0x18; 304 | RAX ^= RCX; 305 | RCX = RAX; 306 | RCX >>= 0x30; 307 | RAX ^= RCX; 308 | RCX = RBX; 309 | RCX = ~RCX; 310 | RCX *= R15; 311 | RAX ^= RCX; 312 | R8 = 0x0; 313 | R8 = _rotl64(R8, 0x10); 314 | R8 ^= R11; 315 | RCX = RBX; 316 | RCX *= RDX; 317 | RDX = RAX; 318 | RDX -= RCX; 319 | RCX = 0x84229F2B4FE6843B; 320 | R8 = _byteswap_uint64(R8); 321 | RAX = driver::read(R8 + 0xB); 322 | RAX *= RDX; 323 | RAX *= RCX; 324 | RAX ^= RBX; 325 | return RAX; 326 | } 327 | case 6: { 328 | R15 = sdk::module_base + 0xE397; 329 | R10 = driver::read(sdk::module_base + 0x660D140); 330 | RCX = sdk::module_base; 331 | RAX += RCX; 332 | RCX = sdk::module_base; 333 | RAX += RCX; 334 | RCX = 0x4030351D523D85BB; 335 | RAX += RCX; 336 | RCX = RBX; 337 | RCX ^= R15; 338 | RAX += RCX; 339 | RCX = 0x71A01F36E5BF55AF; 340 | RAX *= RCX; 341 | RCX = RAX; 342 | RCX >>= 0x10; 343 | RAX ^= RCX; 344 | RCX = RAX; 345 | RCX >>= 0x20; 346 | RCX ^= RAX; 347 | RDX = 0x0; 348 | RDX = _rotl64(RDX, 0x10); 349 | RDX ^= R10; 350 | RDX = _byteswap_uint64(RDX); 351 | RAX = driver::read(RDX + 0xB); 352 | RDX = sdk::module_base + 0x31AFF9CE; 353 | RAX *= RCX; 354 | RCX = RBX; 355 | RCX *= RDX; 356 | RAX -= RCX; 357 | return RAX; 358 | } 359 | case 7: { 360 | R10 = driver::read(sdk::module_base + 0x660D140); 361 | R15 = sdk::module_base + 0x9CF0; 362 | RCX = RAX; 363 | RCX >>= 0x19; 364 | RAX ^= RCX; 365 | RCX = RAX; 366 | RCX >>= 0x32; 367 | RAX ^= RCX; 368 | RCX = sdk::module_base; 369 | RCX += 0x16E9; 370 | RCX += RBX; 371 | RAX ^= RCX; 372 | RDX = 0x0; 373 | RDX = _rotl64(RDX, 0x10); 374 | RDX ^= R10; 375 | RCX = RBX; 376 | RDX = _byteswap_uint64(RDX); 377 | RCX ^= R15; 378 | RDX = driver::read(RDX + 0xB); 379 | RAX *= RDX; 380 | RAX -= RCX; 381 | RCX = RAX; 382 | RCX >>= 0xA; 383 | RAX ^= RCX; 384 | RCX = RAX; 385 | RCX >>= 0x14; 386 | RAX ^= RCX; 387 | RCX = RAX; 388 | RCX >>= 0x28; 389 | RAX ^= RCX; 390 | RCX = 0x201300BD919020EB; 391 | RAX *= RCX; 392 | RCX = 0x136871F8B2311042; 393 | RAX += RCX; 394 | RCX = 0xE0229051A9F3C38B; 395 | RAX ^= RCX; 396 | return RAX; 397 | } 398 | case 8: { 399 | R15 = sdk::module_base + 0x6C04; 400 | R10 = driver::read(sdk::module_base + 0x660D140); 401 | RCX = 0x0; 402 | RCX = _rotl64(RCX, 0x10); 403 | RCX ^= R10; 404 | RCX = _byteswap_uint64(RCX); 405 | RDX = driver::read(RCX + 0xB); 406 | RCX = 0x866F75E98D0D53B1; 407 | RDX *= RAX; 408 | RAX = RBX; 409 | RAX *= R15; 410 | RDX += RAX; 411 | RDX ^= RBX; 412 | RAX = RDX; 413 | RAX >>= 0x20; 414 | RAX ^= RDX; 415 | RAX ^= RCX; 416 | RCX = 0x9E0D951F0C28F90B; 417 | RAX *= RCX; 418 | RCX = 0x78503CB374B04FAD; 419 | RAX *= RCX; 420 | RCX = RAX; 421 | RCX >>= 0x2; 422 | RAX ^= RCX; 423 | RCX = RAX; 424 | RCX >>= 0x4; 425 | RAX ^= RCX; 426 | RCX = RAX; 427 | RCX >>= 0x8; 428 | RAX ^= RCX; 429 | RCX = RAX; 430 | RCX >>= 0x10; 431 | RAX ^= RCX; 432 | RCX = RAX; 433 | RCX >>= 0x20; 434 | RAX ^= RCX; 435 | return RAX; 436 | } 437 | case 9: { 438 | R14 = sdk::module_base + 0x6CFB74E0; 439 | R11 = sdk::module_base + 0x7F309832; 440 | R9 = driver::read(sdk::module_base + 0x660D140); 441 | RCX = 0x0; 442 | RCX = _rotl64(RCX, 0x10); 443 | RCX ^= R9; 444 | RCX = _byteswap_uint64(RCX); 445 | RAX *= driver::read(RCX + 0xB); 446 | RAX ^= RBX; 447 | RAX ^= R14; 448 | RCX = RAX; 449 | RCX >>= 0x17; 450 | RAX ^= RCX; 451 | RCX = RAX; 452 | RCX >>= 0x2E; 453 | RAX ^= RCX; 454 | RCX = 0xD7356E290A5B1FBA; 455 | RAX += RCX; 456 | RCX = sdk::module_base; 457 | RAX ^= RCX; 458 | RCX = 0xD80D8A31210F08D3; 459 | RAX *= RCX; 460 | RCX = R11; 461 | RCX = ~RCX; 462 | RCX ^= RBX; 463 | RAX -= RCX; 464 | RCX = RAX; 465 | RCX >>= 0x9; 466 | RAX ^= RCX; 467 | RCX = RAX; 468 | RCX >>= 0x12; 469 | RAX ^= RCX; 470 | RCX = RAX; 471 | RCX >>= 0x24; 472 | RAX ^= RCX; 473 | return RAX; 474 | } 475 | case 10: { 476 | R9 = driver::read(sdk::module_base + 0x660D140); 477 | R11 = sdk::module_base + 0x6AD2A7C4; 478 | RAX -= RBX; 479 | RAX ^= RBX; 480 | RCX = 0x29222BE3E0E2FFB; 481 | RAX ^= R11; 482 | R11 = sdk::module_base; 483 | RAX *= RCX; 484 | RCX = 0x5BB04B85CD9365D; 485 | RAX -= RBX; 486 | RAX += RCX; 487 | RAX += R11; 488 | RCX = 0x0; 489 | RCX = _rotl64(RCX, 0x10); 490 | RCX ^= R9; 491 | RCX = _byteswap_uint64(RCX); 492 | RAX *= driver::read(RCX + 0xB); 493 | RCX = 0x5FC588EC700475F3; 494 | RAX *= RCX; 495 | RCX = RAX; 496 | RCX >>= 0xC; 497 | RAX ^= RCX; 498 | RCX = RAX; 499 | RCX >>= 0x18; 500 | RAX ^= RCX; 501 | RCX = RAX; 502 | RCX >>= 0x30; 503 | RAX ^= RCX; 504 | return RAX; 505 | } 506 | case 11: { 507 | R10 = driver::read(sdk::module_base + 0x660D140); 508 | R14 = sdk::module_base + 0xCF97; 509 | RDX = R14; 510 | RDX = ~RDX; 511 | RDX++; 512 | RDX += RBX; 513 | RAX ^= RDX; 514 | RCX = sdk::module_base + 0xCA22; 515 | RAX += RBX; 516 | RDX = sdk::module_base; 517 | RAX += RCX; 518 | RCX = RBX; 519 | RCX = ~RCX; 520 | RCX -= RDX; 521 | RCX -= 0x1236; 522 | RAX ^= RCX; 523 | RCX = 0x48502E6384BA9941; 524 | RAX *= RCX; 525 | RCX = 0x5EB925E16D423E1E; 526 | RAX -= RCX; 527 | RCX = 0x0; 528 | RCX = _rotl64(RCX, 0x10); 529 | RCX ^= R10; 530 | RCX = _byteswap_uint64(RCX); 531 | RAX *= driver::read(RCX + 0xB); 532 | RCX = 0xE5AB625D3BB65BBF; 533 | RAX *= RCX; 534 | RCX = RAX; 535 | RCX >>= 0x1F; 536 | RAX ^= RCX; 537 | RCX = RAX; 538 | RCX >>= 0x3E; 539 | RAX ^= RCX; 540 | return RAX; 541 | } 542 | case 12: { 543 | R15 = sdk::module_base + 0xEE34; 544 | R10 = driver::read(sdk::module_base + 0x660D140); 545 | RCX = RBX + 1; 546 | RCX *= R15; 547 | RAX += RCX; 548 | RAX ^= RBX; 549 | RCX = 0xBF0F6EC504339C71; 550 | RAX *= RCX; 551 | RCX = 0x62753D45ABF968CD; 552 | RAX -= RCX; 553 | RCX = 0x28C82E52D21EB6AB; 554 | RAX -= RCX; 555 | RCX = 0x0; 556 | RCX = _rotl64(RCX, 0x10); 557 | RCX ^= R10; 558 | RCX = _byteswap_uint64(RCX); 559 | RAX *= driver::read(RCX + 0xB); 560 | RCX = RAX; 561 | RCX >>= 0xB; 562 | RAX ^= RCX; 563 | RCX = RAX; 564 | RCX >>= 0x16; 565 | RAX ^= RCX; 566 | RCX = RAX; 567 | RCX >>= 0x2C; 568 | RAX ^= RCX; 569 | RCX = sdk::module_base; 570 | RAX ^= RCX; 571 | return RAX; 572 | } 573 | case 13: { 574 | R10 = driver::read(sdk::module_base + 0x660D140); 575 | RCX = 0x0; 576 | RCX = _rotl64(RCX, 0x10); 577 | RCX ^= R10; 578 | RCX = _byteswap_uint64(RCX); 579 | RAX *= driver::read(RCX + 0xB); 580 | RCX = RAX; 581 | RCX >>= 0x2; 582 | RAX ^= RCX; 583 | RCX = RAX; 584 | RCX >>= 0x4; 585 | RAX ^= RCX; 586 | RCX = RAX; 587 | RCX >>= 0x8; 588 | RAX ^= RCX; 589 | RCX = RAX; 590 | RCX >>= 0x10; 591 | RAX ^= RCX; 592 | RCX = RAX; 593 | RCX >>= 0x20; 594 | RAX ^= RCX; 595 | RDX = RAX; 596 | RDX >>= 0x22; 597 | RDX ^= RAX; 598 | RCX = 0xAB96BD5255F50EEF; 599 | RAX = sdk::module_base + 0x4795B778; 600 | RAX = ~RAX; 601 | RAX ^= RBX; 602 | RAX += RDX; 603 | RAX *= RCX; 604 | RAX -= RBX; 605 | RCX = 0x697DECF064AB09C3; 606 | RAX *= RCX; 607 | RCX = RBX; 608 | RSP = sdk::module_base + 0xE842; 609 | RCX *= RSP; 610 | RAX += RCX; 611 | return RAX; 612 | } 613 | case 14: { 614 | R9 = driver::read(sdk::module_base + 0x660D140); 615 | RCX = RAX; 616 | RCX >>= 0xB; 617 | RAX ^= RCX; 618 | RCX = RAX; 619 | RCX >>= 0x16; 620 | RAX ^= RCX; 621 | RCX = RAX; 622 | RCX >>= 0x2C; 623 | RAX ^= RCX; 624 | RCX = 0x0; 625 | RCX = _rotl64(RCX, 0x10); 626 | RCX ^= R9; 627 | RCX = _byteswap_uint64(RCX); 628 | RCX = driver::read(RCX + 0xB); 629 | RSP = 0xF2B84228009F892B; 630 | RCX *= RSP; 631 | RAX *= RCX; 632 | R10 = 0x21D0F0E2660F5094; 633 | RCX = RBX; 634 | RCX = ~RCX; 635 | RSP = sdk::module_base + 0x2E00; 636 | RCX *= RSP; 637 | RCX += R10; 638 | RAX += RCX; 639 | RCX = RAX; 640 | RCX >>= 0x10; 641 | RAX ^= RCX; 642 | RCX = RAX; 643 | RCX >>= 0x20; 644 | RAX ^= RCX; 645 | RCX = 0x1E450D45A88B3DC9; 646 | RAX *= RCX; 647 | RCX = RAX; 648 | RCX >>= 0x17; 649 | RAX ^= RCX; 650 | RCX = RAX; 651 | RCX >>= 0x2E; 652 | RAX ^= RCX; 653 | return RAX; 654 | } 655 | case 15: { 656 | R9 = driver::read(sdk::module_base + 0x660D140); 657 | RCX = sdk::module_base; 658 | RAX ^= RCX; 659 | RCX = 0x104FF8B4C43406AD; 660 | RAX += RCX; 661 | RCX = 0x16DB4431461A3E29; 662 | RAX *= RCX; 663 | RCX = 0x0; 664 | RCX = _rotl64(RCX, 0x10); 665 | RCX ^= R9; 666 | RCX = _byteswap_uint64(RCX); 667 | RAX *= driver::read(RCX + 0xB); 668 | RCX = RAX; 669 | RCX >>= 0x13; 670 | RAX ^= RCX; 671 | RCX = RAX; 672 | RCX >>= 0x26; 673 | RAX ^= RCX; 674 | RCX = sdk::module_base; 675 | RAX -= RCX; 676 | RAX += 0xFFFFFFFFFFFF9A85; 677 | RAX += RBX; 678 | RCX = 0x11B2D7215841BEB4; 679 | RSP = sdk::module_base; 680 | RCX -= RSP; 681 | RAX += RCX; 682 | return RAX; 683 | } 684 | default: 685 | return 0; 686 | } 687 | } 688 | 689 | uint64_t get_bone() { 690 | uint64_t RAX = sdk::module_base, RBX = sdk::module_base, RCX = sdk::module_base, RDX = sdk::module_base, R8 = sdk::module_base, RDI = sdk::module_base, R9 = sdk::module_base, R10 = sdk::module_base, R11 = sdk::module_base, R12 = sdk::module_base, R13 = sdk::module_base, R14 = sdk::module_base, R15 = sdk::module_base, RSI = sdk::module_base, RSP = sdk::module_base, RBP = sdk::module_base; 691 | RDX = driver::read(sdk::module_base + 0x15B582C8); 692 | 693 | if (!RDX) 694 | return 0; 695 | R8 = sdk::peb; 696 | R8 = (~R8); 697 | // test rdx,rdx 698 | // je near ptr 00000000024FFDFEh 699 | RAX = R8; 700 | RAX = _rotl64(RAX, 0x28); 701 | RAX &= 0xF; 702 | switch (RAX) 703 | { 704 | case 0: 705 | { 706 | R14 = sdk::module_base + 0x4D63FF68; 707 | R11 = sdk::module_base + 0xE7E; 708 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 709 | RAX = 0x38330DCD6D3EE86B; 710 | RDX *= RAX; 711 | RAX = 0x62FA53C3F4793FE6; 712 | RDX ^= RAX; 713 | RAX = R8; 714 | RAX = (~RAX); 715 | RDX += RAX; 716 | RAX = sdk::module_base + 0x572A; 717 | RDX += RAX; 718 | RAX = RDX; 719 | RAX >>= 0x1A; 720 | RDX ^= RAX; 721 | RAX = RDX; 722 | RAX >>= 0x34; 723 | RDX ^= RAX; 724 | RCX = R14; 725 | RCX = (~RCX); 726 | RCX += R8; 727 | RAX = 0xBA6195B9FE5C98BF; 728 | RAX += RDX; 729 | RDX = RCX; 730 | RDX ^= RAX; 731 | // mov rax,[rbp+598h] 732 | RAX -= R11; 733 | RAX = 0; // Special case 734 | RAX = _rotl64(RAX, 0x10); 735 | RAX ^= RBX; 736 | RAX = (~RAX); 737 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 738 | RDX -= R8; 739 | return RDX; 740 | } 741 | case 1: 742 | { 743 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 744 | 745 | R11 = sdk::module_base + 0xE7E; 746 | R12 = sdk::module_base + 0x3FC; 747 | RCX = R8 + R12; 748 | RAX = RDX + R8; 749 | RDX = RCX; 750 | RDX ^= RAX; 751 | RAX = 0xB0D1385078A56D19; 752 | RDX *= RAX; 753 | // mov rax,[rbp+598h] 754 | RAX -= R11; 755 | RAX = 0; // Special case 756 | RAX = _rotl64(RAX, 0x10); 757 | RAX ^= RBX; 758 | RAX = (~RAX); 759 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RAX = driver::read(RAX + 0x15); 760 | RDX *= RAX; 761 | RAX = sdk::module_base; 762 | RDX -= RAX; 763 | RAX = RDX; 764 | RAX >>= 0x1D; 765 | RDX ^= RAX; 766 | RAX = RDX; 767 | RAX >>= 0x3A; 768 | RDX ^= RAX; 769 | RAX = 0xD1151DF1B15559FB; 770 | RDX *= RAX; 771 | RAX = 0x14B61D0484FBBE03; 772 | RDX *= RAX; 773 | return RDX; 774 | } 775 | case 2: 776 | { 777 | R11 = sdk::module_base + 0xE7E; 778 | R10 = driver::read(sdk::module_base + 0x6CC41F9); 779 | RAX = 0xCC268FDEC36DA697; 780 | RDX *= RAX; 781 | // mov rax,[rbp+598h] 782 | RAX -= R11; 783 | RAX = 0; // Special case 784 | RAX = _rotl64(RAX, 0x10); 785 | RAX ^= R10; 786 | RAX = (~RAX); 787 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 788 | RAX = sdk::module_base + 0x40F5FF82; 789 | RAX = (~RAX); 790 | RAX -= R8; 791 | RDX ^= RAX; 792 | RAX = RDX; 793 | RAX >>= 0x19; 794 | RDX ^= RAX; 795 | RAX = RDX; 796 | RAX >>= 0x32; 797 | RDX ^= RAX; 798 | RAX = 0x70067EEE063A673C; 799 | RDX += RAX; 800 | RDX -= R8; 801 | RAX = sdk::module_base; 802 | RDX ^= RAX; 803 | return RDX; 804 | } 805 | case 3: 806 | { 807 | R11 = sdk::module_base + 0xE7E; 808 | R9 = driver::read(sdk::module_base + 0x6CC41F9); 809 | RAX = RDX; 810 | RAX >>= 0x12; 811 | RDX ^= RAX; 812 | RAX = RDX; 813 | RAX >>= 0x24; 814 | RDX ^= RAX; 815 | RAX = RDX; 816 | RAX >>= 0x1F; 817 | RDX ^= RAX; 818 | RAX = RDX; 819 | RAX >>= 0x3E; 820 | RDX ^= RAX; 821 | RAX = 0x57A81BEC6516033D; 822 | RDX += RAX; 823 | // mov rax,[rbp+598h] 824 | RAX -= R11; 825 | RAX = 0; // Special case 826 | RAX = _rotl64(RAX, 0x10); 827 | RAX ^= R9; 828 | RAX = (~RAX); 829 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 830 | RAX = RDX; 831 | RAX >>= 0x7; 832 | RDX ^= RAX; 833 | RAX = RDX; 834 | RAX >>= 0xE; 835 | RDX ^= RAX; 836 | RAX = RDX; 837 | RAX >>= 0x1C; 838 | RDX ^= RAX; 839 | RAX = RDX; 840 | RAX >>= 0x38; 841 | RDX ^= RAX; 842 | RAX = 0x96699980B562505; 843 | RDX *= RAX; 844 | RAX = sdk::module_base; 845 | RDX ^= RAX; 846 | return RDX; 847 | } 848 | case 4: 849 | { 850 | R11 = sdk::module_base + 0xE7E; 851 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 852 | RAX = 0x1B512279D332955D; 853 | RDX -= RAX; 854 | // mov rax,[rbp+598h] 855 | RAX -= R11; 856 | RAX = 0; // Special case 857 | RAX = _rotl64(RAX, 0x10); 858 | RAX ^= RBX; 859 | RAX = (~RAX); 860 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 861 | RAX = RDX; 862 | RAX >>= 0x22; 863 | RDX ^= RAX; 864 | RDX ^= R8; 865 | RAX = 0x3EE6F0C8BA258B0A; 866 | RDX += RAX; 867 | RAX = sdk::module_base + 0x2415; 868 | RAX -= R8; 869 | RDX += RAX; 870 | RAX = 0x8A1CDFF81DB6DFF; 871 | RDX *= RAX; 872 | RDX += R8; 873 | return RDX; 874 | } 875 | case 5: 876 | { 877 | R10 = driver::read(sdk::module_base + 0x6CC41F9); 878 | R11 = sdk::module_base + 0xE7E; 879 | // mov rax,[rbp+598h] 880 | RAX -= R11; 881 | RAX = 0; // Special case 882 | RAX = _rotl64(RAX, 0x10); 883 | RAX ^= R10; 884 | RAX = (~RAX); 885 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 886 | RAX = sdk::module_base; 887 | RDX -= RAX; 888 | RAX = 0x547FD4FF3C645CA9; 889 | RDX *= RAX; 890 | RAX = RDX; 891 | RAX >>= 0xF; 892 | RDX ^= RAX; 893 | RAX = RDX; 894 | RAX >>= 0x1E; 895 | RDX ^= RAX; 896 | RAX = RDX; 897 | RAX >>= 0x3C; 898 | RDX ^= RAX; 899 | RAX = RDX; 900 | RAX >>= 0xC; 901 | RDX ^= RAX; 902 | RAX = RDX; 903 | RAX >>= 0x18; 904 | RDX ^= RAX; 905 | RAX = RDX; 906 | RAX >>= 0x30; 907 | RDX ^= RAX; 908 | RAX = 0x781D9F1F2D40889D; 909 | RDX += RAX; 910 | RAX = sdk::module_base; 911 | RDX -= RAX; 912 | RAX = 0x954A92102762092A; 913 | RDX ^= RAX; 914 | return RDX; 915 | } 916 | case 6: 917 | { 918 | R11 = sdk::module_base + 0xE7E; 919 | R14 = sdk::module_base + 0x4F53; 920 | R10 = driver::read(sdk::module_base + 0x6CC41F9); 921 | RAX = 0x7C9D860BE61BBC43; 922 | RDX *= RAX; 923 | RAX = R14; 924 | RAX *= R8; 925 | RDX -= RAX; 926 | RDX ^= R8; 927 | RDX += R8; 928 | RAX = RDX; 929 | RAX >>= 0x1F; 930 | RDX ^= RAX; 931 | RAX = RDX; 932 | RAX >>= 0x3E; 933 | RDX ^= RAX; 934 | RAX = 0x7034B0F1930C5EDC; 935 | RDX -= RAX; 936 | // mov rax,[rbp+598h] 937 | RAX -= R11; 938 | RAX = 0; // Special case 939 | RAX = _rotl64(RAX, 0x10); 940 | RAX ^= R10; 941 | RAX = (~RAX); 942 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RAX = driver::read(RAX + 0x15); 943 | RDX *= RAX; 944 | RAX = 0x7B2C304B4173C6F7; 945 | RDX -= RAX; 946 | return RDX; 947 | } 948 | case 7: 949 | { 950 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 951 | R11 = sdk::module_base + 0xE7E; 952 | R12 = sdk::module_base + 0xB0FF; 953 | RDX -= R8; 954 | RAX = RDX; 955 | RAX >>= 0x28; 956 | RDX ^= RAX; 957 | RAX = 0xF27E20A569493D17; 958 | RDX *= RAX; 959 | RAX = 0x4A436F8C9A9684F2; 960 | RDX += RAX; 961 | // mov rax,[rbp+598h] 962 | RAX -= R11; 963 | RAX = 0; // Special case 964 | RAX = _rotl64(RAX, 0x10); 965 | RAX ^= RBX; 966 | RAX = (~RAX); 967 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RAX = driver::read(RAX + 0x15); 968 | RSP = 0x746D10714AE9CA49; 969 | RAX *= RSP; 970 | RDX *= RAX; 971 | RCX = R12; 972 | RCX = (~RCX); 973 | RAX = R8; 974 | RAX = (~RAX); 975 | RCX *= RAX; 976 | RDX += RCX; 977 | RAX = RDX; 978 | RAX >>= 0x1D; 979 | RDX ^= RAX; 980 | RAX = RDX; 981 | RAX >>= 0x3A; 982 | RDX ^= RAX; 983 | return RDX; 984 | } 985 | case 8: 986 | { 987 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 988 | R11 = sdk::module_base + 0xE7E; 989 | R13 = sdk::module_base + 0x1987; 990 | R12 = sdk::module_base + 0x59DAB869; 991 | RAX = sdk::module_base; 992 | RDX += RAX; 993 | RCX = sdk::module_base + 0xC5; 994 | RAX = RDX; 995 | RCX *= R8; 996 | RDX = 0xCC9633BEB940B34E; 997 | RDX ^= RAX; 998 | RDX += RCX; 999 | RAX = RDX; 1000 | RAX >>= 0x1B; 1001 | RDX ^= RAX; 1002 | RAX = RDX; 1003 | RAX >>= 0x36; 1004 | RDX ^= RAX; 1005 | RAX = 0xAA9085BB5AF94951; 1006 | RDX *= RAX; 1007 | // mov rax,[rbp+598h] 1008 | RAX -= R11; 1009 | RAX = 0; // Special case 1010 | RAX = _rotl64(RAX, 0x10); 1011 | RAX ^= RBX; 1012 | RAX = (~RAX); 1013 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 1014 | RAX = R8; 1015 | RAX = (~RAX); 1016 | RAX ^= R12; 1017 | RDX -= RAX; 1018 | RAX = R8 + R13; 1019 | RDX += RAX; 1020 | return RDX; 1021 | } 1022 | case 9: 1023 | { 1024 | R11 = sdk::module_base + 0xE7E; 1025 | R10 = driver::read(sdk::module_base + 0x6CC41F9); 1026 | RAX = RDX; 1027 | RAX >>= 0x28; 1028 | RDX ^= RAX; 1029 | // mov rax,[rbp+598h] 1030 | RAX -= R11; 1031 | RAX = 0; // Special case 1032 | RAX = _rotl64(RAX, 0x10); 1033 | RAX ^= R10; 1034 | RAX = (~RAX); 1035 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RAX = driver::read(RAX + 0x15); 1036 | RDX *= RAX; 1037 | RAX = sdk::module_base; 1038 | RDX += RAX; 1039 | RAX = sdk::module_base; 1040 | RDX ^= RAX; 1041 | RAX = 0x2EB32E09A3A9483F; 1042 | RDX ^= RAX; 1043 | RAX = sdk::module_base; 1044 | RDX -= R8; 1045 | RDX -= RAX; 1046 | RDX -= 0x4CF2; 1047 | RAX = sdk::module_base; 1048 | RDX += RAX; 1049 | RAX = 0x5B85E9BB26723E73; 1050 | RDX *= RAX; 1051 | return RDX; 1052 | } 1053 | case 10: 1054 | { 1055 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 1056 | R11 = sdk::module_base + 0xE7E; 1057 | RAX = R8; 1058 | RAX -= sdk::module_base; 1059 | RAX += 0xFFFFFFFFCDBB51AB; 1060 | RDX += RAX; 1061 | RAX = RDX; 1062 | RAX >>= 0x17; 1063 | RDX ^= RAX; 1064 | RAX = RDX; 1065 | RAX >>= 0x2E; 1066 | RDX ^= RAX; 1067 | RAX = 0xC12A2DA65C4961CD; 1068 | RDX *= RAX; 1069 | RAX = sdk::module_base; 1070 | RDX += RAX; 1071 | RAX = 0xF9373B84DED5636B; 1072 | RDX ^= RAX; 1073 | RAX = 0x91CDED26ACFB0DBB; 1074 | RDX ^= RAX; 1075 | RAX = RDX; 1076 | // mov rcx,[rbp+598h] 1077 | RDX = sdk::module_base; 1078 | RCX -= R11; 1079 | RAX ^= RDX; 1080 | RCX = 0; // Special case 1081 | RCX = _rotl64(RCX, 0x10); 1082 | RCX ^= RBX; 1083 | RCX = (~RCX); 1084 | if (!((void*)(RCX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX = driver::read(RCX + 0x15); 1085 | RDX *= RAX; 1086 | return RDX; 1087 | } 1088 | case 11: 1089 | { 1090 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 1091 | R11 = sdk::module_base + 0xE7E; 1092 | R15 = sdk::module_base + 0x5A01ECB2; 1093 | RAX = RDX; 1094 | RAX >>= 0x11; 1095 | RDX ^= RAX; 1096 | RAX = RDX; 1097 | RAX >>= 0x22; 1098 | RDX ^= RAX; 1099 | RAX = 0xDE0B65ACC065BF3F; 1100 | RDX *= RAX; 1101 | RAX = sdk::module_base; 1102 | RDX ^= RAX; 1103 | RAX = 0x1641BCAE40423EA9; 1104 | RDX *= RAX; 1105 | RCX = sdk::module_base + 0x1; 1106 | RAX = sdk::module_base + 0x1AF73A5E; 1107 | RAX = (~RAX); 1108 | RAX += R8; 1109 | RCX += RAX; 1110 | RDX += RCX; 1111 | // mov rax,[rbp+598h] 1112 | RAX -= R11; 1113 | RAX = 0; // Special case 1114 | RAX = _rotl64(RAX, 0x10); 1115 | RAX ^= RBX; 1116 | RAX = (~RAX); 1117 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 1118 | RAX = R15; 1119 | RAX *= R8; 1120 | RDX -= RAX; 1121 | return RDX; 1122 | } 1123 | case 12: 1124 | { 1125 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 1126 | R11 = sdk::module_base + 0xE7E; 1127 | R12 = sdk::module_base + 0xE486; 1128 | RAX = RDX; 1129 | RAX >>= 0x10; 1130 | RDX ^= RAX; 1131 | RAX = RDX; 1132 | RAX >>= 0x20; 1133 | RDX ^= RAX; 1134 | RAX = 0xF9625ECE5BB27C2F; 1135 | RDX *= RAX; 1136 | RAX = RDX; 1137 | RAX >>= 0x25; 1138 | RDX ^= RAX; 1139 | RAX = sdk::module_base; 1140 | RDX -= RAX; 1141 | RAX = sdk::module_base + 0xE0F2; 1142 | RAX = (~RAX); 1143 | RAX *= R8; 1144 | RDX ^= RAX; 1145 | // mov rcx,[rbp+598h] 1146 | RCX -= R11; 1147 | RCX = 0; // Special case 1148 | RAX = RDX; 1149 | RCX = _rotl64(RCX, 0x10); 1150 | RCX ^= RBX; 1151 | RDX = 0xD0C187FCC55A5035; 1152 | RAX ^= RDX; 1153 | RCX = (~RCX); 1154 | if (!((void*)(RCX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX = driver::read(RCX + 0x15); 1155 | RDX *= RAX; 1156 | RAX = R12; 1157 | RAX ^= R8; 1158 | RDX -= RAX; 1159 | return RDX; 1160 | } 1161 | case 13: 1162 | { 1163 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 1164 | R11 = sdk::module_base + 0xE7E; 1165 | R12 = sdk::module_base + 0xEEA3; 1166 | RAX = 0x5C08B7D7B4223813; 1167 | RDX ^= RAX; 1168 | RAX = RDX; 1169 | RAX >>= 0x1C; 1170 | RDX ^= RAX; 1171 | RAX = RDX; 1172 | RAX >>= 0x38; 1173 | RDX ^= RAX; 1174 | RAX = R12; 1175 | RAX ^= R8; 1176 | RDX += RAX; 1177 | RAX = 0x1D4CED329660DAAB; 1178 | RDX *= RAX; 1179 | // mov rcx,[rbp+598h] 1180 | RCX -= R11; 1181 | RCX = 0; // Special case 1182 | RCX = _rotl64(RCX, 0x10); 1183 | RCX ^= RBX; 1184 | RAX = sdk::module_base; 1185 | RDX -= RAX; 1186 | RCX = (~RCX); 1187 | RAX = R8 + 0xFFFFFFFFD665307A; 1188 | RAX += RDX; 1189 | if (!((void*)(RCX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX = driver::read(RCX + 0x15); 1190 | RDX *= RAX; 1191 | RAX = RDX; 1192 | RAX >>= 0xC; 1193 | RDX ^= RAX; 1194 | RAX = RDX; 1195 | RAX >>= 0x18; 1196 | RDX ^= RAX; 1197 | RAX = RDX; 1198 | RAX >>= 0x30; 1199 | RDX ^= RAX; 1200 | RAX = sdk::module_base; 1201 | RDX += RAX; 1202 | return RDX; 1203 | } 1204 | case 14: 1205 | { 1206 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 1207 | R11 = sdk::module_base + 0xE7E; 1208 | R15 = sdk::module_base + 0x1E21A51C; 1209 | R13 = sdk::module_base + 0x225E76E1; 1210 | R12 = sdk::module_base + 0x1CCE7CED; 1211 | RAX = R15; 1212 | RAX *= R8; 1213 | RDX -= RAX; 1214 | RDX += R8; 1215 | RCX = R8; 1216 | RCX = (~RCX); 1217 | RDX += R13; 1218 | RDX += RCX; 1219 | RAX = RDX; 1220 | RAX >>= 0xF; 1221 | RDX ^= RAX; 1222 | RAX = RDX; 1223 | RAX >>= 0x1E; 1224 | RDX ^= RAX; 1225 | RAX = RDX; 1226 | RAX >>= 0x3C; 1227 | RDX ^= RAX; 1228 | RAX = 0xC1EAFB913E323975; 1229 | RDX *= RAX; 1230 | RAX = sdk::module_base; 1231 | RDX -= RAX; 1232 | RAX = R12; 1233 | RAX *= R8; 1234 | RDX += RAX; 1235 | // mov rax,[rbp+598h] 1236 | RAX -= R11; 1237 | RAX = 0; // Special case 1238 | RAX = _rotl64(RAX, 0x10); 1239 | RAX ^= RBX; 1240 | RAX = (~RAX); 1241 | if (!((void*)(RAX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX *= driver::read(RAX + 0x15); 1242 | return RDX; 1243 | } 1244 | case 15: 1245 | { 1246 | R11 = sdk::module_base + 0xE7E; 1247 | R15 = sdk::module_base + 0x3EF00DB9; 1248 | R12 = sdk::module_base + 0x49C6D582; 1249 | R13 = sdk::module_base + 0x10E06777; 1250 | RBX = driver::read(sdk::module_base + 0x6CC41F9); 1251 | RAX = 0xF02A39098305851B; 1252 | RDX *= RAX; 1253 | RAX = 0x42A2DDF2A13458E5; 1254 | RDX *= RAX; 1255 | RAX = R12; 1256 | RAX ^= R8; 1257 | RAX += R8; 1258 | RDX += RAX; 1259 | RAX = RDX; 1260 | RAX >>= 0x14; 1261 | RDX ^= RAX; 1262 | RAX = RDX; 1263 | RAX >>= 0x28; 1264 | RDX ^= RAX; 1265 | RAX = R8 + R15; 1266 | RDX ^= RAX; 1267 | // mov rcx,[rbp+598h] 1268 | RCX -= R11; 1269 | RCX = 0; // Special case 1270 | RCX = _rotl64(RCX, 0x10); 1271 | RAX = R8; 1272 | RAX = (~RAX); 1273 | RCX ^= RBX; 1274 | RAX *= R13; 1275 | RCX = (~RCX); 1276 | RAX ^= RDX; 1277 | if (!((void*)(RCX + 0x15))) return 0xFFFFFFFFFFFFFFFF; RDX = driver::read(RCX + 0x15); 1278 | RDX *= RAX; 1279 | return RDX; 1280 | } 1281 | default: 1282 | return 0; 1283 | } 1284 | } 1285 | 1286 | uint32_t get_bone_index(uint32_t index) { 1287 | uint64_t RAX = 0, RBX = 0, RCX = 0, RDX = 0, R8 = 0, RDI = 0, R9 = 0, R10 = 0, R11 = 0, R12 = 0, R13 = 0, R14 = 0, RSI = 0, RSP = 0, RBP = 0; 1288 | RBX = index; 1289 | RCX = RBX * 0x13C8; 1290 | RAX = 0x76BCF2ED12008595; 1291 | RBX = sdk::module_base; 1292 | RAX = _umul128(RAX, RCX, &RDX); 1293 | R10 = 0xE09B4B5F1CC2E2BF; 1294 | RDX >>= 0xC; 1295 | RAX = RDX * 0x227F; 1296 | RCX -= RAX; 1297 | RAX = 0xCED712414B44733D; 1298 | R8 = RCX * 0x227F; 1299 | RAX = _umul128(RAX, R8, &RDX); 1300 | RDX >>= 0xD; 1301 | RAX = RDX * 0x279B; 1302 | R8 -= RAX; 1303 | RAX = 0x8ACAD5AD8637C643; 1304 | RAX = _umul128(RAX, R8, &RDX); 1305 | RCX = R8; 1306 | R8 &= 0x1; 1307 | RDX >>= 0xC; 1308 | RAX = RDX * 0x1D83; 1309 | RCX -= RAX; 1310 | RAX = R8 + RCX * 0x2; 1311 | RAX = driver::read(RBX + RAX * 0x2 + 0x6CCE950); 1312 | R8 = RAX * 0x13C8; 1313 | RAX = R10; 1314 | RAX = _umul128(RAX, R8, &RDX); 1315 | RAX = R10; 1316 | RDX >>= 0xD; 1317 | RCX = RDX * 0x2479; 1318 | R8 -= RCX; 1319 | R9 = R8 * 0x48AA; 1320 | RAX = _umul128(RAX, R9, &RDX); 1321 | RDX >>= 0xD; 1322 | RAX = RDX * 0x2479; 1323 | R9 -= RAX; 1324 | RAX = 0x204081020408103; 1325 | RAX = _umul128(RAX, R9, &RDX); 1326 | RAX = R9; 1327 | RAX -= RDX; 1328 | RAX >>= 0x1; 1329 | RAX += RDX; 1330 | RAX >>= 0x7; 1331 | RCX = RAX * 0xFE; 1332 | RAX = 0xCD85689039B0AD13; 1333 | RAX = _umul128(RAX, R9, &RDX); 1334 | RAX = R9; 1335 | RAX -= RDX; 1336 | RAX >>= 0x1; 1337 | RAX += RDX; 1338 | RAX >>= 0x6; 1339 | RCX += RAX; 1340 | RAX = RCX * 0x8E; 1341 | RCX = R9 + R9 * 0x8; 1342 | RCX <<= 0x4; 1343 | RCX -= RAX; 1344 | RSI = driver::read(RCX + RBX + 0x6CD5F60); 1345 | 1346 | return RSI; 1347 | } 1348 | 1349 | struct ref_def_key { 1350 | int ref0; 1351 | int ref1; 1352 | int ref2; 1353 | }; 1354 | 1355 | uintptr_t get_ref_def() { 1356 | ref_def_key crypt = driver::read(sdk::module_base + offsets::ref_def_ptr); 1357 | uint64_t baseAddr = sdk::module_base; 1358 | 1359 | DWORD lower = crypt.ref0 ^ (crypt.ref2 ^ (uint64_t)(baseAddr + offsets::ref_def_ptr)) * ((crypt.ref2 ^ (uint64_t)(baseAddr + offsets::ref_def_ptr)) + 2); 1360 | DWORD upper = crypt.ref1 ^ (crypt.ref2 ^ (uint64_t)(baseAddr + offsets::ref_def_ptr + 0x4)) * ((crypt.ref2 ^ (uint64_t)(baseAddr + offsets::ref_def_ptr + 0x4)) + 2); 1361 | 1362 | return (uint64_t)upper << 32 | lower; 1363 | } 1364 | } 1365 | --------------------------------------------------------------------------------