pwnadventure client hack DLL (credit to gd / learn_more for the publicly posted pattern-scan and detour code copy-pasted in here)
#include <Windows.h>
#include <Psapi.h>
#include <stdlib.h>
#include <string>
#include <stdio.h>
#pragma comment(lib, "psapi.lib")
// Presumably meant to hold the engine's global object/name table addresses (the game is UE4-based, see
// UPlayer::GetUE4Actor); neither is assigned or read anywhere in this file.
DWORD GObjects = 0;
DWORD GNames = 0;
// Plain 3-float vector used for positions and velocities. It is laid out as three consecutive floats
// (12 bytes, the size UPlayer's offset comments assume) so it can overlay the game's own vector fields.
class Vector3 {
public:
float x;
float y;
float z;
// Component-wise constructor.
Vector3(float xx, float yy, float zz) { set(xx, yy, zz); }
// Default constructor deliberately leaves the components uninitialized (matches the original).
Vector3() {}
// Overwrite all three components at once.
void set(float xx, float yy, float zz) {
x = xx, y = yy, z = zz;
}
};
// Opaque game-side type; only ever named through pointers in the IActor slot list below.
class IAchievement {
};
// Opaque game-side type; only ever named through pointers in the IActor slot list below.
class IQuest {
};
// Opaque game-side type; only ever named through pointers in the IActor slot list below.
class IQuestState {
};
// Opaque game-side type; only ever named through pointers in the IActor and UPlayer slot lists.
class IItem {
};
// Opaque game-side type; only ever named through pointers in the UPlayer slot list.
class IPlayer {
};
// Mirror of the game's IActor interface, declared only to reproduce its vtable layout: the slot
// order below is what matters and must not be reordered or trimmed. All return types are
// placeholders (void), nothing here is defined, and this file never instantiates the class or calls
// through it — it appears only as a parameter type in UPlayer's slot list. The slot names and
// signatures presumably come from the binary's symbol/RTTI data; they are not verified here.
class IActor {
public:
virtual void GetActorInterface(void);
virtual void IsLocalPlayer(void);
virtual void GetLocalPlayer(void);
virtual void GetDescription(void);
virtual void GetTeamName(void);
virtual void GetAvatarIndex(void);
virtual void GetColors(void);
virtual void IsPvPDesired(void);
virtual void SetPvPDesired(bool);
virtual void GetInventory(void);
virtual void GetItemCount(IItem *);
virtual void GetLoadedAmmo(IItem *);
virtual void AddItem(IItem *,UINT,bool);
virtual void RemoveItem(IItem *,UINT);
virtual void AddLoadedAmmo(IItem *,IItem *,UINT);
virtual void RemoveLoadedAmmo(IItem *,UINT);
virtual void GetItemForSlot(UINT);
virtual void EquipItem(UINT,IItem *);
virtual void GetCurrentSlot(void);
virtual void SetCurrentSlot(UINT);
virtual void GetCurrentItem(void);
virtual void GetMana(void);
virtual void UseMana(int);
virtual void SetItemCooldown(IItem *,float,bool);
virtual void IsItemOnCooldown(IItem *);
virtual void GetItemCooldown(IItem *);
virtual void HasPickedUp(char const *);
virtual void MarkAsPickedUp(char const *);
virtual void GetQuestList(UINT *);
virtual void FreeQuestList(IQuest * *);
virtual void GetCurrentQuest(void);
virtual void SetCurrentQuest(IQuest *);
virtual void GetStateForQuest(IQuest *);
virtual void StartQuest(IQuest *);
virtual void AdvanceQuestToState(IQuest *,IQuestState *);
virtual void CompleteQuest(IQuest *);
virtual void IsQuestStarted(IQuest *);
virtual void IsQuestCompleted(IQuest *);
virtual void EnterAIZone(char const *);
virtual void ExitAIZone(char const *);
virtual void UpdateCountdown(int);
virtual void CanReload(void);
virtual void RequestReload(void);
virtual void GetWalkingSpeed(void);
virtual void GetSprintMultiplier(void);
virtual void GetJumpSpeed(void);
virtual void GetJumpHoldTime(void);
virtual void CanJump(void);
virtual void SetJumpState(bool);
virtual void SetSprintState(bool);
virtual void SetFireRequestState(bool);
virtual void TransitionToNPCState(char const *);
virtual void BuyItem(IActor *,IItem *,UINT);
virtual void SellItem(IActor *,IItem *,UINT);
virtual void EnterRegion(char const *);
virtual void Respawn(void);
virtual void Teleport(char const *);
virtual void Chat(char const *);
virtual void GetFastTravelDestinations(char const *);
virtual void FastTravel(char const *,char const *);
virtual void MarkAsAchieved(IAchievement *);
virtual void HasAchieved(IAchievement *);
virtual void SubmitDLCKey(char const *);
virtual void GetCircuitInputs(char const *);
virtual void SetCircuitInputs(char const *,UINT);
virtual void GetCircuitOutputs(char const *,bool *,UINT);
};
// Partial mirror of the game's player object, declared for field access and vtable layout only
// (nothing here is defined). The hex comments are byte offsets from the start of the object with
// the vtable pointer at +0x0 (the class has virtuals); under that assumption the declared fields
// line up with them: m_target +0xC, m_blueprintName +0x14, m_health +0x30, m_remotePosition +0x44,
// walkspeed +0x120. This file only touches m_target, m_remotePosition and the three movement floats.
class UPlayer {
public:
int m_refs;
int m_id;
int m_target; // +0xC: pointer (kept as int) to the actor whose vtable slot 0x8 OnAttach hooks
int m_timers;
// 0x14
char m_blueprintName[0x18];
// 0x2C
int m_owner;
int m_health; // 0x30
char m_states[0x8];
// 0x3C
int m_forwardMovementFraction;
int m_strafeMovementFraction;
// 0x44
Vector3 m_remotePosition; // 0xC big; overwritten by OnAttach on F4
Vector3 m_remoteVelocity; // 0xC
//0x5C
char pad0[0xC4]; // unknown bytes up to +0x120
// 0x120
float walkspeed; // these three are rewritten every tick by OnAttach
float jumpspeed;
float jumpholdtime;
// +0x120 = walkspeed
// +0x124 = jumpspeed
// +0x128 = holdtime
// NOTE(review): the three offsets below overlap m_remoteVelocity (+0x50), m_remotePosition.z (+0x4C)
// and m_blueprintName (+0x1C) in the layout above, so they presumably describe a different object
// (or are stale); nothing in this file uses them.
// +0x50 = isadmion
// +0x4C = weapon
// +0x1C = ammo
// Both helpers below ignore `this` and work from the explicit `me` argument, which OnAttach passes
// as the pointer read from g_playerForJoin. That pointer is 0x70 bytes past the start of the real
// object (GetRealPlayer undoes that), so me - 0x64 is +0xC of the real object, i.e. its m_target.
// Written in MSVC x86 inline asm; not portable and 32-bit only (pointers are truncated to int).
// GetMTarget: returns the dword stored at (me - 0x64).
__declspec(noinline) void* __thiscall GetMTarget(UPlayer* me) {
int retval = (int)me;
_asm {
push edx
mov edx, retval
mov edx, [edx-0x64]
mov retval, edx
pop edx
}
return (void*)retval;
//return *(void**)((this)-(0x70-0xC));
// (the commented-out form above subtracts in units of sizeof(UPlayer), not bytes, so it is not equivalent)
}
// GetRealPlayer: returns (me - 0x70), the start of the enclosing object.
__declspec(noinline) UPlayer* GetRealPlayer(UPlayer* me) {
int retval = (int)me;
_asm {
push edx
mov edx, retval
lea edx, [edx-0x70]
mov retval, edx
pop edx
}
return (UPlayer*)retval;
}
// virtuals — slot order is the vtable layout and must be kept. The address in the first comment
// looks like an absolute address from one particular load and will differ between runs/builds.
virtual void destructer ( ); // 0x00D64F10 (0x00)
virtual void* GetUE4Actor(void);
virtual bool ShouldWander(void);
virtual bool CanEquip(void);
virtual IPlayer* GetPlayerInterface(void);
virtual void AddRef(void);
virtual void Release(void);
virtual void OnSpawnActor(IActor *);
virtual void OnDestroyActor(void);
virtual void GetBlueprintName(void);
virtual bool CanEquipZ(void);
virtual bool CanBeDamaged(IActor *);
virtual int GetHealth(void);
virtual void GetClipSize(void);
virtual void Damage(IActor *,IItem *,int,int);
virtual void Tick(float);
virtual void CanUse(IPlayer *);
virtual void OnUse(IPlayer *);
virtual void SendEquipItemEvent(UPlayer *,UCHAR,IItem *);
virtual void OnEndAttack(void);
virtual void GetDisplayName(void);
virtual void ShouldWanderC(void);
virtual void IsPvPEnabled(void);
virtual void GetShopItems(UINT &a);
virtual void FreeShopItems(IItem * *);
virtual void GetSellPriceForItem(IItem *);
virtual void GetSellPriceForItemB(IItem *);
virtual void GetLookPosition(void);
virtual void GetLookRotation(void);
virtual void GetOwner(void);
virtual void OnKilled(IActor *,IItem *);
virtual void SendRegionChangeEvent();
virtual void IsValid(void);
virtual void GetDeathMessage(void);
virtual void ShouldWanderB(void);
virtual void ShouldSendPositionUpdates(void);
virtual void ShouldReceivePositionUpdates(void);
virtual void UpdateState();
virtual void TriggerEvent();
virtual void GetMaximumDamageDistance(void);
virtual void SendPlayerJoinedEvent(UPlayer *);
virtual void GetShopItems(void); // second GetShopItems overload: a separate slot, not a duplicate
virtual void GetValidBuyItems(void);
virtual void GetShopBuyPriceMultiplier(void);
virtual void GetCooldownTime(void);
virtual void SendEvent(UPlayer const &);
virtual void WriteAllEvents(UPlayer &);
virtual void VirtualFunction27 ( );
};
// Shape of the game global that OnAttach locates by byte pattern: a single pointer to the local
// player. Presumably NULL until a player exists, so check it before dereferencing.
struct PlayerFJ {
UPlayer* localPly;
};
// Placeholder for the game's World type; unused in this file.
class World {
};
PlayerFJ* g_playerForJoin = 0; // address of the game's local-player pointer, filled in by OnAttach's pattern scan
World* g_world = 0;            // never assigned or read in this file
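// Hex-pattern helpers for findPattern(). getBits maps one ASCII hex digit (either case) to its
// nibble value and any other character (including '?') to 0; getByte joins two digits into a byte.
// Every argument is now parenthesized so that expressions such as getByte(p + 1) expand correctly;
// arguments are still evaluated more than once, so pass side-effect-free expressions only.
#define INRANGE(x,a,b) (((x) >= (a)) && ((x) <= (b)))
#define getBits( x ) (INRANGE(((x)&(~0x20)),'A','F') ? (((x)&(~0x20)) - 'A' + 0xa) : (INRANGE((x),'0','9') ? ((x) - '0') : 0))
#define getByte( x ) ((getBits((x)[0]) << 4) | getBits((x)[1]))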
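// Scan the half-open address range [rangeStart, rangeEnd) for an IDA-style byte pattern:
// space-separated hex bytes where "??" or "?" is a wildcard (both spellings are used by callers).
// Returns the address of the first match, or 0 when the pattern is not found or the arguments are
// unusable (NULL/empty pattern, empty range).
//
// Fixes over the widely copied version of this scanner: a partial match that fails is retried from
// the byte after its start (the old code resumed at the failing byte and so missed overlapping
// candidates, e.g. "AA AB" in AA AA AB); a pattern ending in a lone "?" no longer reads past its
// terminator; and a match starting at address 0 is no longer confused with "no match yet".
// The range is read as raw bytes, so every page in it must be readable (callers pass a loaded
// module's image); no VirtualQuery is done here.
DWORD findPattern( DWORD rangeStart, DWORD rangeEnd, const char* pattern )
{
if( pattern == NULL || *pattern == '\0' || rangeStart >= rangeEnd ) return 0;

const char* pat = pattern;
DWORD firstMatch = 0;
bool inMatch = false; // true once the first token of the pattern has matched at firstMatch

for( DWORD pCur = rangeStart; pCur < rangeEnd; pCur++ )
{
const bool wildcard = (*pat == '?');
if( wildcard || *(const BYTE*)pCur == (BYTE)getByte( pat ) ) {
if( !inMatch ) { inMatch = true; firstMatch = pCur; }
// consume the token: "XX" and "??" are two characters, a lone "?" is one
pat += (!wildcard || pat[1] == '?') ? 2 : 1;
while( *pat == ' ' ) pat++;
if( *pat == '\0' ) return firstMatch; // last token matched
} else {
if( inMatch ) pCur = firstMatch; // the loop's pCur++ resumes one byte past the failed start
inMatch = false;
firstMatch = 0;
pat = pattern;
}
}
return 0;
}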
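// Look up the base address and image size of a module already loaded in this process.
// Returns a zeroed MODULEINFO (lpBaseOfDll == NULL, SizeOfImage == 0) when the module is not
// loaded or GetModuleInformation fails, so callers must check lpBaseOfDll before scanning.
// The name is looked up with the ANSI API explicitly, independent of the UNICODE build setting.
MODULEINFO GetModuleInfo( const char *szModule )
{
MODULEINFO modinfo = {0};
HMODULE hModule = GetModuleHandleA(szModule);
if( hModule == NULL ) return modinfo;
if( !GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(MODULEINFO)) ) {
MODULEINFO empty = {0};
return empty; // never hand back a possibly partially written struct
}
return modinfo;
}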
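// Install an inline (5-byte JMP rel32) hook: overwrite the first `len` bytes of `src` with a jump
// to `dst` and return a trampoline that runs the displaced bytes and then jumps back to src+len.
// The caller must guarantee, because nothing here can check it: len >= 5, the first `len` bytes of
// src are whole instructions, and none of them is position-dependent (relative jumps/calls are
// copied verbatim and would then target the wrong place). x86-32 only: displacements are computed
// with 32-bit arithmetic, as in the original.
// Returns NULL (leaving src untouched) if allocation or protection changes fail.
// Unused in this file (hookVF is used instead); kept for completeness.
void *DetourFunc(BYTE *src, const BYTE *dst, const int len)
{
if( src == NULL || dst == NULL || len < 5 ) return NULL;

// The trampoline must be executable. Ask the OS for RWX memory instead of flipping the
// protection of a malloc'd chunk, which also made unrelated heap data on that page executable.
BYTE *jmp = (BYTE*)VirtualAlloc(NULL, (SIZE_T)len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if( jmp == NULL ) return NULL;

DWORD dwback = 0;
if( !VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback) ) {
VirtualFree(jmp, 0, MEM_RELEASE);
return NULL;
}

// trampoline: [displaced bytes][JMP rel32 -> src+len]
memcpy(jmp, src, len);
jmp[len] = 0xE9;
*(DWORD*)(jmp + len + 1) = (DWORD)((src + len) - (jmp + len)) - 5;

// patched original: JMP rel32 -> dst (the remaining len-5 bytes are left as they were)
src[0] = 0xE9;
*(DWORD*)(src + 1) = (DWORD)(dst - src) - 5;

VirtualProtect(src, len, dwback, &dwback);
FlushInstructionCache(GetCurrentProcess(), src, len);
FlushInstructionCache(GetCurrentProcess(), jmp, (SIZE_T)len + 5);
return jmp;
}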
// Pointer types for the two engine routines this file calls.
// getPos_t is declared as __fastcall(this, Vector3*), but the only call (in hGetPos) goes through
// inline asm that pushes the Vector3* on the stack, so this type is just a holder for the saved
// vtable slot; do not call oGetPos through it directly.
typedef void (__fastcall* getPos_t)(PVOID thisptr, Vector3* into);
getPos_t oGetPos = 0; // original slot 0x8 of the target actor's vtable, saved by hookVF; 0 until F3 installs the hook
// setpos_t uses __fastcall with a dummy EDX parameter so that `govec` lands on the stack, i.e. a
// __thiscall(this, Vector3*) call made from C.
typedef void (__fastcall *setpos_t)(PVOID thisptr, int unusededx, Vector3* govec);
setpos_t setpos_fn = 0; // located by byte pattern in OnAttach; stays 0 when the pattern is not found
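// Read one entry of an object's vtable, cast to T. `offset` is a BYTE offset into the table
// (slot index * sizeof(void*)), the same convention hookVF uses. The previous version added
// `offset` to a DWORD*, so an offset of 0x8 silently fetched slot 8 instead of slot 2.
template<typename T>
T getVFunc(void* objectptr, unsigned offset) {
unsigned char* vtable = *(unsigned char**)objectptr; // first word of a polymorphic object is its vptr
return *(T*)(vtable + offset);
}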
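// Replace one vtable slot of `objectptr`'s class. `offset` is a byte offset into the table
// (slot index * sizeof(void*)); the previous pointer is stored through `outOld` when non-NULL.
// The table normally lives in a read-only section, so it is made writable just for the store and
// the previous protection is restored afterwards (the old version left the page writable and never
// checked whether VirtualProtect succeeded, so a failure would have faulted on the store).
// On failure the slot and *outOld are left untouched; callers can detect that by *outOld staying 0.
// Note: a vtable is shared by every instance of the class, not just this object.
__declspec(noinline) void hookVF(void* objectptr, unsigned offset, void* newFunc, DWORD* outOld) {
if( objectptr == NULL ) return;
LPVOID *theVFT = *(LPVOID**)objectptr;
LPVOID *slot = (LPVOID*)((BYTE*)theVFT + offset);
DWORD oldProt = 0;
if( !VirtualProtect(slot, sizeof(LPVOID), PAGE_READWRITE, &oldProt) ) return;
if( outOld )
*outOld = (DWORD)(ULONG_PTR)*slot;
*slot = newFunc;
VirtualProtect(slot, sizeof(LPVOID), oldProt, &oldProt);
}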
// State shared between OnAttach's polling thread (writer) and the hGetPos hook (reader, on whatever
// thread the game calls the slot from). No synchronization is used.
bool goPos = false;       // F1/F4 toggle: while set, hGetPos reports g_desiredPos for the tracked objects
Vector3 g_desiredPos;     // position to report / push into the engine while goPos is set
Vector3 g_lastPos;        // last real position seen by hGetPos for the tracked objects (F4 offsets from it)
PVOID g_currentActor = 0; // the local player's m_target (GetMTarget), refreshed every tick by OnAttach
PVOID g_currentPly = 0;   // the local player's real object (GetRealPlayer), refreshed every tick
// (ECX, EDX) — replacement for vtable slot 0x8 of the local player's target actor, installed by
// hookVF from OnAttach. Declared __fastcall with an ignored EDX parameter so that ECX = this and
// the Vector3* arrives on the stack, matching the __thiscall-style slot it replaces.
// NOTE(review): goPos, g_desiredPos, g_currentActor and g_currentPly are written by OnAttach's thread
// and read here without synchronization.
void __fastcall hGetPos(PVOID thisptr, int garb, Vector3* into) {
// Override active and this call is for a tracked object: report the desired position and also
// push it into the engine through setpos_fn (located by pattern in OnAttach; may be 0).
if(goPos && (thisptr == g_currentActor || thisptr == g_currentPly)) {
*into = g_desiredPos;
if(setpos_fn) {
setpos_fn(g_currentPly,0, &g_desiredPos);
}
return;
} else {
//oGetPos(thisptr, into);
// Forward to the original slot: ECX = this and `into` pushed as the single stack argument,
// which the callee is expected to pop. EDX is set to `into` as well, which a __thiscall callee
// ignores. The getPos_t typedef does not describe this convention, hence the asm instead of a C call.
_asm {
mov ecx, thisptr
mov edx, into
push edx
call oGetPos
}
// Remember the last real position of a tracked object so F4 can offset from it.
if(thisptr == g_currentActor || thisptr == g_currentPly) g_lastPos = *into;
return;
}
}
bool goHook = false; // set by F3 in OnAttach; asks the poll loop to install the hGetPos hook, cleared once oGetPos is populated
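// Worker thread started from DllMain. Locates the game's globals in GameLogic.dll by byte pattern,
// patches the sprint multiplier constant, then polls the keyboard forever:
//   F3 - hook slot 0x8 (the position getter) of the local player's target actor with hGetPos
//   F2 - select the next entry of the egg position table
//   F1 - toggle reporting the selected egg position (only has an effect once F3 installed the hook)
//   F4 - toggle reporting the last real position lowered by 237 units (requires F3 first)
// Every tick also rewrites the local player's walk/jump tunables.
// Never returns on the success path; returns 1 when the module or a required pattern is missing.
//
// Fixes over the original: the egg table had 10 entries but 11 were written and cycled (a write past
// the end of a stack array); the sprint-multiplier pattern result was dereferenced before it was
// checked for 0; the scan range was a hard-coded 0xA4000 instead of the module's real image size;
// the local player pointer was dereferenced without a NULL check; a missing module was only
// reported, not treated as fatal; and the patched constant's page protection is now restored.
DWORD WINAPI OnAttach(LPVOID threadParam)
{
(void)threadParam;

if(GetModuleHandleA("GameLogic.dll") == NULL) {
MessageBoxA(0,0,"couldn't get module",0);
return 1; // nothing below can work without the module
}
MODULEINFO modInf = GetModuleInfo("GameLogic.dll");
if(modInf.lpBaseOfDll == NULL || modInf.SizeOfImage == 0) {
MessageBoxA(0,0,"couldn't get module info",0);
return 1;
}

char tb[1000]; // scratch for the debug message boxes; every format below is far shorter than this
sprintf(tb, "base@ %X sz %X", (unsigned)(ULONG_PTR)modInf.lpBaseOfDll, (unsigned)modInf.SizeOfImage);
MessageBoxA(0,tb,tb,0);

// Scan the whole loaded image (32-bit addresses, like the rest of this file).
DWORD mbase = (DWORD)(ULONG_PTR)modInf.lpBaseOfDll;
DWORD mend = mbase + modInf.SizeOfImage;

// mov eax,[imm32]; add esp,0Ch; test eax,eax; jz +5; lea esi,[eax-70h]
// The imm32 after A1 is the address of the global that holds the local player pointer
// (and the lea's -0x70 is the same adjustment UPlayer::GetRealPlayer applies).
DWORD hit = findPattern( mbase, mend, "A1 ?? ?? ?? ?? 83 C4 0C 85 C0 74 05 8D 70 90" );
if(hit == 0) {
MessageBoxA(0, 0,"couldn't find localply",0);
return 1;
}
g_playerForJoin = *(PlayerFJ**)(hit + 1);

// movss xmm0,[disp32]; mulss/addss ...; comiss; jbe; movaps; mov eax,[esi+2Ch]
// The disp32 at +4 is the address of the float sprint multiplier constant.
hit = findPattern( mbase, mend, "F3 0F 10 05 ? ? ? ? F3 0F 59 0D ? ? ? ? F3 0F 58 0D ? ? ? ? 0F 2F C8 76 03 0F 28 C8 8B 46 2C" );
float* sprintmult = (hit != 0) ? *(float**)(hit + 4) : NULL;
if(sprintmult != NULL) {
sprintf(tb, "mult is @ %X ", (unsigned)(ULONG_PTR)sprintmult);
MessageBoxA(0,tb,tb,0);
// The constant most likely sits in a read-only section: make it writable just for the store
// and put the previous protection back.
DWORD oldProt = 0;
if(VirtualProtect((LPVOID)sprintmult, sizeof(float), PAGE_READWRITE, &oldProt)) {
*sprintmult = 1000.0f;
VirtualProtect((LPVOID)sprintmult, sizeof(float), oldProt, &oldProt);
}
}

// Teleport targets cycled by F2 (11 entries; F2 wraps with the same count).
enum { kNumEggs = 11 };
Vector3 eggArr[kNumEggs] = {
Vector3(-25045.0f, 18085.0f, 260.0f),
Vector3(-51570.0f, -61215.0f, 5020.0f),
Vector3(24512.0f, 69682.0f, 2659.0f),
Vector3(60453.0f, -17409.0f, 2939.0f),
Vector3(1522.0f, 14966.0f, 7022.0f),
Vector3(11604.0f, -13131.0f, 411.0f),
Vector3(-72667.0f, -53567.0f, 1645.0f),
Vector3(48404.0f, 28117.0f, 704.0f),
Vector3(65225.0f, -5740.0f, 4928.0f),
Vector3(-2778.0f, -11035.0f, 10504.0f),
Vector3(-6101.0f, -10956.0f, 10636.0f)
};
unsigned curEgg = 0;

// push ebp; mov ebp,esp; mov edx,[ebp+8]; movq xmm0,[edx] — start of the engine's set-position routine.
if(setpos_fn == 0) {
setpos_fn = (setpos_t)findPattern( mbase, mend, "55 8B EC 8B 55 08 F3 0F 7E 02" ); // 0 if not found; hGetPos checks
}

while (true) {
UPlayer* localPly = g_playerForJoin->localPly;
if(localPly == NULL) { // no local player yet (e.g. before joining); try again next tick
Sleep(10);
continue;
}
localPly->walkspeed = 1000.0f;
localPly->jumpspeed = 2000.0f;
localPly->jumpholdtime = 50.0f;

// localPly points 0x70 bytes into the real object (see UPlayer::GetRealPlayer); GetMTarget
// yields that object's m_target. Both are republished every tick for hGetPos.
UPlayer* baseActor = localPly->GetRealPlayer(localPly);
g_currentActor = localPly->GetMTarget(localPly);
g_currentPly = (PVOID)baseActor;

// GetAsyncKeyState's low bit is "pressed since the last call", so each press triggers once.
if(GetAsyncKeyState(VK_F3) & 1) {
goHook = true;
}
if(goHook) {
if(oGetPos != NULL) {
goHook = false; // already hooked
} else if(g_currentActor != NULL) {
hookVF((void*)(baseActor->m_target), 0x8, (void*)&hGetPos, (DWORD*)&oGetPos);
MessageBoxA(0,"hooked getpos", "hooked getpos", 0);
}
}
if(GetAsyncKeyState(VK_F2) & 1) {
curEgg = (curEgg + 1) % kNumEggs;
}
if(GetAsyncKeyState(VK_F1) & 1) {
g_desiredPos = eggArr[curEgg];
goPos = !goPos;
}
if(GetAsyncKeyState(VK_F4) & 1) {
if(!oGetPos) {
MessageBoxA(0,"f3 first", "f3 first",0);
} else {
g_desiredPos = g_lastPos;
g_desiredPos.z -= 237.0f;
baseActor->m_remotePosition = g_desiredPos;
goPos = !goPos;
}
}
Sleep(10);
}
}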
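// DLL entry point. On process attach, spawn the worker that does the pattern scanning, patching
// and key polling (OnAttach) so none of that runs under the loader lock inside DllMain itself.
// The thread handle is closed right away (the thread keeps running; the old code leaked the
// handle), and thread attach/detach notifications are switched off since nothing handles them.
// Always returns TRUE, as before, even if the worker could not be started.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
(void)lpReserved;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH: {
DisableThreadLibraryCalls(hModule);
HANDLE hThread = CreateThread(NULL, 0, OnAttach, NULL, 0, NULL);
if( hThread != NULL )
CloseHandle(hThread);
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
default:
break;
}
return TRUE;
}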