### Complete Game Hacking Setup Source: https://gamehacking.academy/pages/3/02 A complete C++ example demonstrating how to find a window, get its process ID, open the process, and read memory, including necessary includes. ```c++ #include int main(int argc, char** argv) { HWND wesnoth_window = FindWindow(NULL, "The Battle for Wesnoth - 1.14.9"); DWORD process_id = 0; GetWindowThreadProcessId(wesnoth_window, &process_id); HANDLE wesnoth_process = OpenProcess(PROCESS_ALL_ACCESS, true, process_id); DWORD gold_value = 0; DWORD bytes_read = 0; ReadProcessMemory(wesnoth_process, 0x017EECB8, &gold_value, 4, &bytes_read); return 0; } ``` -------------------------------- ### Install Boxstarter and Get Configuration Source: https://gamehacking.academy/pages/1/04 This command installs Boxstarter from its website and retrieves its configuration. Run this within your VM's PowerShell. ```powershell . { iwr -useb https://boxstarter.org/bootstrapper.ps1 } | iex; Get-Boxstarter -Force ``` -------------------------------- ### Install Paint.NET Source: https://gamehacking.academy/pages/8/04 Use this command to install Paint.NET, a program useful for editing image files. ```shell cinst paint.net ``` -------------------------------- ### Command Line Example for Writing Source: https://gamehacking.academy/pages/7/03 Demonstrates how to use the write operation from the command line, specifying the value to write to the identified addresses. ```bash MemoryScanner.exe write 555 Copy ``` -------------------------------- ### Command Line Example for Filtering Source: https://gamehacking.academy/pages/7/03 Demonstrates how to use the filter operation from the command line, specifying the value to filter by. ```bash MemoryScanner.exe filter 54 Copy ``` -------------------------------- ### Install Wesnoth 1.14.12 Source: https://gamehacking.academy/pages/7/02 Installs a specific version of Wesnoth using Chocolatey. Ensure Chocolatey is installed and configured before running. ```bash choco install wesnoth --version=1.14.12 -y Copy ``` -------------------------------- ### Install Visual Studio 2019 Community Source: https://gamehacking.academy/pages/3/02 Use this command in Command Prompt or Powershell to install Visual Studio 2019 Community Edition. ```bash choco install visualstudio2019community ``` -------------------------------- ### Example Search Execution Source: https://gamehacking.academy/pages/7/03 Demonstrates how to execute the memory search function from the command line, searching for the value 75 in the 'MemoryScanner.exe' process. ```bash MemoryScanner.exe search 75 Copy ``` -------------------------------- ### Reading Process Memory with OpenProcess Source: https://gamehacking.academy/pages/3/02 Example of using OpenProcess to get a handle and then ReadProcessMemory to retrieve a value from a specific memory address. ```c++ HANDLE wesnoth_process = OpenProcess(PROCESS_ALL_ACCESS, true, process_id); DWORD gold_value = 0; DWORD bytes_read = 0; ReadProcessMemory(wesnoth_process, 0x017EECB8, &gold_value, 4, &bytes_read); ``` -------------------------------- ### Install Compression Tools Source: https://gamehacking.academy/pages/6/03 Installs Cmder and gzip on Windows using Chocolatey. These tools are necessary for manipulating and analyzing compressed files. ```bash choco install cmder -y choco install gzip -y ``` -------------------------------- ### Game Main Loop Example (C++) Source: https://gamehacking.academy/pages/2/03 A simplified C++ example of a game's main loop, showing typical rendering functions. ```cpp void main_loop(){ draw_players(); draw_walls(); ... } ``` -------------------------------- ### Install Wireshark using Chocolatey Source: https://gamehacking.academy/pages/6/02 Use Chocolatey, a package manager for Windows, to install Wireshark. Ensure WinPcap driver is installed separately if prompted by Wireshark. ```bash choco install wireshark Copy ``` -------------------------------- ### Install Game Hacking Tools with Boxstarter Source: https://gamehacking.academy/pages/1/04 This command uses Boxstarter to install a package that configures folder options and installs Cheat Engine, x64dbg, and Chocolatey. Run this within your VM's PowerShell after installing Boxstarter. ```powershell Install-BoxstarterPackage -PackageName https://raw.githubusercontent.com/GameHackingAcademy/vmsetup/master/vmsetup.txt -DisableReboots ``` -------------------------------- ### Connect to Wesnoth Server Source: https://gamehacking.academy/pages/6/05 This snippet demonstrates connecting to a Wesnoth server and sending an initial message. It includes socket setup, connection, and data transmission. ```C++ #define DEFAULT_PORT "27015" WSADATA wsaData; int iResult; SOCKET ListenSocket = INVALID_SOCKET; SOCKET ClientSocket = INVALID_SOCKET; struct addrinfo* result = NULL, hints; iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); ZeroMemory(&hints, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; hints.ai_flags = AI_PASSIVE; iResult = getaddrinfo(NULL, DEFAULT_PORT, &hints, &result); ListenSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol); iResult = bind(ListenSocket, result->ai_addr, (int)result->ai_addrlen); freeaddrinfo(result); iResult = listen(ListenSocket, SOMAXCONN); ClientSocket = accept(ListenSocket, NULL, NULL); closesocket(ListenSocket); ``` -------------------------------- ### Install The Battle for Wesnoth Source: https://gamehacking.academy/pages/1/05 Installs version 1.14.9 of 'The Battle for Wesnoth' using Chocolatey. Ensure Powershell is run as an administrator. ```powershell choco install wesnoth --version=1.14.9 -y ``` -------------------------------- ### Install 7zip Package Source: https://gamehacking.academy/pages/8/03 Installs the 7zip utility using the Chocolatey package manager. This tool is used for extracting and repacking game archives. ```powershell cinst 7zip ``` -------------------------------- ### Example Packet Structure (Action) Source: https://gamehacking.academy/pages/6/01 Demonstrates a more concise packet structure for a simple game action, like firing a weapon. This highlights the optimization for minimal data to reduce lag. ```text source: player destination: server data: f1 ``` -------------------------------- ### Cheat Engine Pointer Setup Source: https://gamehacking.academy/pages/2/09 Instructions for setting up a pointer in Cheat Engine with a base address and multiple offsets to find the gold value. ```plaintext Base Address: 0x017EED18 Offset 1: 0xA90 Offset 2: 4 ``` -------------------------------- ### Example Input Handling Function Source: https://gamehacking.academy/pages/1/02 Shows a basic implementation of an input handling function within a game loop, responding to directional key presses. ```javascript function handle_input() { if( keydown == LEFT ) { update_player_position(GO_LEFT); } else if( keydown == RIGHT ) { update_player_position(GO_RIGHT); } } ``` -------------------------------- ### Example Game Main Loop Source: https://gamehacking.academy/pages/1/02 Illustrates a typical structure for a game's main loop, responsible for handling input, updating game state, and rendering. ```javascript function main_loop() { handle_input(); update_score(); play_sound_effects(); draw_screen(); } ``` -------------------------------- ### DLL Injection Setup Source: https://gamehacking.academy/pages/5/09 This code sets up a DLL to be injected into a game process. It defines a hook location and uses `VirtualProtect` to make the memory executable, then overwrites the original instructions with a jump to a code cave. ```C++ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { DWORD old_protect; unsigned char* hook_location = (unsigned char*)0x0040BE78; if (fdwReason == DLL_PROCESS_ATTACH) { CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)injected_thread, NULL, 0, NULL); VirtualProtect((void*)hook_location, 5, PAGE_EXECUTE_READWRITE, &old_protect); *hook_location = 0xE9; *(DWORD*)(hook_location + 1) = (DWORD)&codecave - ((DWORD)hook_location + 5); *(hook_location + 5) = 0x90; ... ``` -------------------------------- ### Example Instructions and Opcodes Source: https://gamehacking.academy/pages/2/07 Illustrates the relationship between assembly instructions and their corresponding opcodes, highlighting differences in length based on operand requirements. This is crucial for understanding how much space is needed for redirection. ```text opcode instruction ---------------------------------------- 8B01 mov eax, dword ptr ds:[ecx] 8D7426 00 lea esi, dword ptr ds:[esi] FF50 28 call dword ptr ds:[eax+28] B0 01 mov al,1 ``` -------------------------------- ### Assembly Call and Return Example Source: https://gamehacking.academy/pages/2/05 Shows a basic assembly code snippet demonstrating the use of 'call' to invoke a function and 'retn' to return. This illustrates fundamental assembly operations for function invocation. ```assembly main: mov eax, 0 call increase_eax mov ebx, eax increase_eax: add eax, 1 mov ecx, eax retn ``` -------------------------------- ### Install HxD Hex Editor Source: https://gamehacking.academy/pages/7/02 Installs the HxD hex editor using Chocolatey. This tool is used to view and search the hexadecimal bytes of executable files. ```bash choco install hxd Copy ``` -------------------------------- ### C++ to Assembly Example Source: https://gamehacking.academy/pages/7/04 Illustrates how a simple C++ variable declaration can be translated into different forms of x86 assembly instructions, highlighting the variability in instruction length. ```cpp int x = 2; ``` ```assembly mov [x], 2 ``` ```assembly mov eax, 2 mov [x], eax ``` -------------------------------- ### Code Cave - Initial Setup Source: https://gamehacking.academy/pages/5/05 The beginning of the code cave. It calls the original overwritten function and stores its return value (eax) into a variable named edi_value. ```cpp DWORD ori_call_address = 0x4607C0; DWORD edi_value = 0; __declspec(naked) void codecave() { __asm { call ori_call_address pushad mov edi_value, eax } } ``` -------------------------------- ### Example Packet Structure (Chat Message) Source: https://gamehacking.academy/pages/6/01 Illustrates a typical packet structure for sending a chat message in a multiplayer game. It shows the source, destination, and data fields. ```text source: player destination: server data: hello ``` -------------------------------- ### Draw Walls Function Example (C++) Source: https://gamehacking.academy/pages/2/03 A C++ function responsible for drawing walls, which includes loading textures and handling errors. ```cpp void draw_walls(){ bool succeeded = load_texture("wall_texture"); if(succeeded == false){ print_error(); } } ``` -------------------------------- ### Code Breakpoint Example (Assembly) Source: https://gamehacking.academy/pages/2/03 This assembly code snippet shows how a string reference might be loaded and passed to a logging function. Setting a breakpoint here can help locate the calling function. ```assembly mov eax, dword ptr ds:[0x23456789] push eax call print_to_log ... ``` -------------------------------- ### Adding Color Bytes to Menu Text Source: https://gamehacking.academy/pages/5/10 Incorporate specific byte sequences (0xc, 0x33) before text to apply color. This example sets up 'ON' and 'OFF' strings with a default red color. ```cpp class Menu { private: const char on_text[5] = { 0xc, 0x33, 'O', 'N', 0 }; const char off_text[6] = { 0xc, 0x33, 'O', 'F', 'F', 0 }; Copy ``` -------------------------------- ### Retrieve Process Identifier using CreateToolhelp32Snapshot Source: https://gamehacking.academy/pages/7/01 This snippet demonstrates how to use CreateToolhelp32Snapshot to get a snapshot of all running processes. It initializes the PROCESSENTRY32 structure and iterates through the snapshot to find a specific process. ```C++ #include #include int main(int argc, char** argv) { HANDLE snapshot = 0; PROCESSENTRY32 pe32 = { 0 }; pe32.dwSize = sizeof(PROCESSENTRY32); snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); Process32First(snapshot, &pe32); do { } while (Process32Next(snapshot, &pe32)); return 0; } ``` -------------------------------- ### Switch Statement Example Source: https://gamehacking.academy/pages/2/05 Illustrates a switch statement used to execute different code branches based on a selected option. This is a common control flow structure in many programming languages. ```cpp switch( option_selected ) { case "Terrain Description": show_terrain_description(location); break; case "Recruit": recruit_unit(location); break; case ... } ``` -------------------------------- ### Illustrative Code Cave with New Functionality Source: https://gamehacking.academy/pages/2/06 This example shows a hypothetical code cave that modifies a register and calls a different function before the original target function. ```assembly mov eax, 123 call some_other_function call 0xDEADBEEF jmp back ``` -------------------------------- ### Function Call Chain Example Source: https://gamehacking.academy/pages/2/05 Demonstrates a chain of function calls representing the 'bubbling up' concept in debugging. This shows how a high-level action like recruiting a unit involves multiple lower-level functions. ```javascript function handle_context_menu() { ... case "Recruit": recruit_unit(location); break; ... } ... function recruit_unit(location) { ... check_location(location); find_unit_in_unit_list(); ... } ... function find_unit_in_unit_list() { ... get_unit(); get_unit_cost(); subtract_unit_cost(); ... } ... function subtract_unit_cost() { ... check_player_gold(); subtract_gold(); ... } ... function subtract_gold() { player_money = player_money - cost_of_unit; } ``` -------------------------------- ### Define a Player Class in C++ Source: https://gamehacking.academy/pages/1/02 An example of a 'Player' class in C++ that encapsulates player data like 'money' and 'name', along with a method to increase money. This illustrates object-oriented programming principles. ```cpp class Player { int money; string name; function increase_money() { money = money + 1; } } ``` -------------------------------- ### Example Player Structure in C/C++ Source: https://gamehacking.academy/pages/5/06 This C/C++ struct defines a typical player structure in a game, including position, orientation, model path, name, and alive status. It serves as a reference for reversing the structure in memory. ```cpp struct Player { float x; float y; float z; float yaw; float pitch; char model_texture_path[128]; char name[128]; bool alive; } ``` -------------------------------- ### Establish Server Connection Source: https://gamehacking.academy/pages/6/05 Initializes and connects a server socket to a specified address and port. Ensure Winsock is initialized before use. ```c SOCKET ServerSocket = INVALID_SOCKET; ZeroMemory(&hints, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; iResult = getaddrinfo("127.0.0.1", "15000", &hints, &result); ServerSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol); iResult = connect(ServerSocket, result->ai_addr, (int)result->ai_addrlen); freeaddrinfo(result); ``` -------------------------------- ### Setting up glDepthRange Function Pointer Source: https://gamehacking.academy/pages/5/03 Demonstrates how to obtain a function pointer for the glDepthRange function, similar to how glDepthFunc is handled. This is necessary for dynamic manipulation of clipping planes. ```c++ void (__stdcall* glDepthRange)(double, double) = NULL; ... glDepthRange = (void(__stdcall*)(double, double))GetProcAddress(openGLHandle, "glDepthRange"); ``` -------------------------------- ### Get Kernel32 Module Handle Source: https://gamehacking.academy/pages/7/01 Retrieves a handle to the kernel32.dll module, which is necessary for obtaining the address of LoadLibraryA. ```cpp HMODULE kernel32base = GetModuleHandle(L"kernel32.dll"); ``` -------------------------------- ### Function Prologue and Epilogue Source: https://gamehacking.academy/pages/2/02 Illustrates the standard instructions for setting up and tearing down a function's stack frame. ```assembly push ebp mov ebp, esp sub esp, ... ... leave ret ``` -------------------------------- ### Retrieving Process ID with GetWindowThreadProcessId Source: https://gamehacking.academy/pages/3/02 Example of using GetWindowThreadProcessId to obtain the process ID associated with a given window handle. ```c++ DWORD process_id = 0; GetWindowThreadProcessId(wesnoth_window, &process_id); ``` -------------------------------- ### Conditional Triggerbot Execution Source: https://gamehacking.academy/pages/5/10 An example of how to conditionally execute the triggerbot's functionality based on a boolean flag, allowing for easy toggling. ```cpp if(triggerbot_enabled) { triggerbot->execute(edi_value); } ``` -------------------------------- ### Incrementing Instruction Pointer in Main Loop Source: https://gamehacking.academy/pages/7/04 Example of how to call decode_operand and increment the instruction pointer within a main disassembly loop. ```c case 0x1: printf("ADD "); i++; i += decode_operand(buffer, i); break; ``` -------------------------------- ### Basic DLL Structure Source: https://gamehacking.academy/pages/4/04 This is the standard DLL entry point structure used in previous lessons. It includes the DllMain function which is called when the DLL is loaded or unloaded. ```c #include BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { DWORD old_protect; if (fdwReason == DLL_PROCESS_ATTACH) { //hooking code } return true; } ``` -------------------------------- ### Remove Argument Check Source: https://gamehacking.academy/pages/6/02 This snippet shows how to remove the argument check from the Winsock example code. This is useful when you are hardcoding the server IP address. ```c if (argc != 2) { printf("usage: %s server-name\n", argv[0]); return 1; } Copy ``` -------------------------------- ### Print Error Function Example (C++) Source: https://gamehacking.academy/pages/2/03 A C++ function that prints an error message to a log, typically called when a critical operation fails. ```cpp void print_error(){ print_to_log("Couldn't find wall texture"); } ``` -------------------------------- ### Get Current Player Count Source: https://gamehacking.academy/pages/5/06 Retrieves the memory address for the current number of players in the game. This value is used to iterate over the enemy list. ```c++ int* current_players = (int*)(0x50F500); ``` -------------------------------- ### Open Process Handle with OpenProcess Source: https://gamehacking.academy/pages/7/01 This snippet demonstrates how to obtain a handle to a target process using the OpenProcess function. It requires the process identifier obtained from previous steps and specifies the desired access rights. ```C++ HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, true, pe32.th32ProcessID); ``` -------------------------------- ### Basic C++ Main Function Structure Source: https://gamehacking.academy/pages/3/02 Set up a standard C++ main function. This serves as the entry point for your program where you will place your memory reading logic. ```c++ int main(int argc, char** argv) { return 0; } Copy ``` -------------------------------- ### Get Wesnoth Process Handle Source: https://gamehacking.academy/pages/7/02 This C++ snippet demonstrates how to find the process ID of 'wesnoth.exe' and obtain a handle to it using Windows API functions. ```c++ #include #include #include int main(int argc, char** argv) { HANDLE snapshot = 0; PROCESSENTRY32 pe32 = { 0 }; pe32.dwSize = sizeof(PROCESSENTRY32); snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); Process32First(snapshot, &pe32); do { if (wcscmp(pe32.szExeFile, L"wesnoth.exe") == 0) { HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, true, pe32.th32ProcessID); CloseHandle(process); break; } } while (Process32Next(snapshot, &pe32)); return 0; } ``` -------------------------------- ### Get OpenGL Function Pointers Source: https://gamehacking.academy/pages/5/04 Retrieve the addresses of OpenGL functions using GetProcAddress. This step is crucial for dynamically linking to OpenGL functions at runtime. ```cpp glColor4f = (void(__stdcall*)(float, float, float, float))GetProcAddress(openGLHandle, "glColor4f"); glEnable = (void(__stdcall*)(unsigned int))GetProcAddress(openGLHandle, "glEnable"); glDisable = (void(__stdcall*)(unsigned int))GetProcAddress(openGLHandle, "glDisable"); glEnableClientState = (void(__stdcall*)(unsigned int))GetProcAddress(openGLHandle, "glEnableClientState"); glDisableClientState = (void(__stdcall*)(unsigned int))GetProcAddress(openGLHandle, "glDisableClientState"); ``` -------------------------------- ### Pushing Parameters Before Function Call Source: https://gamehacking.academy/pages/2/02 Shows how to push multiple values onto the stack before calling a function. ```assembly push 5 push eax call 0x12345678 ``` -------------------------------- ### Disabling Unit Recruitment by NOPing Instructions Source: https://gamehacking.academy/pages/4/03 This example shows how to disable the unit recruitment functionality by replacing the relevant assembly instructions with NOP (No Operation) operations. ```assembly push ecx mov ecx, esi call 0xF42CF7 ``` -------------------------------- ### Hooking Instructions in DllMain Source: https://gamehacking.academy/pages/4/04 This snippet demonstrates how to hook three specific call instructions within the Flare.exe module. It calculates addresses, modifies memory protection, and overwrites instructions to redirect execution to custom code caves. ```c HANDLE flare_base; DWORD mouse_call_address; DWORD mouse_return_address; DWORD player_call_address; DWORD player_return_address; DWORD loop_call_address; DWORD loop_return_address; ... if (fdwReason == DLL_PROCESS_ATTACH) { //hooking code flare_base = GetModuleHandle(L"flare.exe"); // mouse hook mouse_call_address = (DWORD)flare_base + 0x54210; unsigned char* hook_location = (unsigned char*)((DWORD)flare_base + 0xECBC8); mouse_return_address = (DWORD)hook_location + 5; VirtualProtect((void*)hook_location, 5, PAGE_EXECUTE_READWRITE, &old_protect); *hook_location = 0xE9; *(DWORD*)(hook_location + 1) = (DWORD)&mouse_codecave - ((DWORD)hook_location + 5); // player hook player_call_address = (DWORD)flare_base + 0x20840; hook_location = (unsigned char*)((DWORD)flare_base + 0xCAC4); player_return_address = (DWORD)hook_location + 5; VirtualProtect((void*)hook_location, 5, PAGE_EXECUTE_READWRITE, &old_protect); *hook_location = 0xE9; *(DWORD*)(hook_location + 1) = (DWORD)&player_codecave - ((DWORD)hook_location + 5); // game loop hook loop_call_address = (DWORD)flare_base + 0x6B180; hook_location = (unsigned char*)((DWORD)flare_base + 0x6BA94); loop_return_address = (DWORD)hook_location + 5; VirtualProtect((void*)hook_location, 5, PAGE_EXECUTE_READWRITE, &old_protect); *hook_location = 0xE9; *(DWORD*)(hook_location + 1) = (DWORD)&loop_codecave - ((DWORD)hook_location + 5); ``` -------------------------------- ### Opening Files for Filtering Source: https://gamehacking.academy/pages/7/03 Opens 'res.txt' for reading and 'res_fil.txt' for writing to prepare for the filtering process. ```cpp FILE* temp_file = NULL; FILE* temp_file_filter = NULL; open_s(&temp_file, "res.txt", "r"); open_s(&temp_file_filter, "res_fil.txt", "w"); Copy ``` -------------------------------- ### Send Initial Message to Server Source: https://gamehacking.academy/pages/6/05 This code snippet shows how to send a predefined message to a connected server after establishing a connection. Ensure the socket is valid before sending. ```C++ const unsigned char first_message[] = "[message]\nmessage=\"ChatBot connected\"\nroom=\"lobby\"\nsender=\"ChatBot\"\n[/message]"; send_data(first_message, sizeof(first_message), ConnectSocket); ``` -------------------------------- ### Wait for Thread Execution and Get Exit Code Source: https://gamehacking.academy/pages/7/01 Waits for the remote thread to complete its execution and retrieves its exit code. This ensures the DLL has been loaded before proceeding. ```cpp WaitForSingleObject(thread, INFINITE); GetExitCodeThread(thread, &exitCode); ``` -------------------------------- ### Opening File for Writing and Writing Values Source: https://gamehacking.academy/pages/7/03 Opens 'res.txt' for reading, iterates through each address, and uses 'WriteProcessMemory' to write the 'passed_val' to that address. ```cpp FILE* temp_file = NULL; open_s(&temp_file, "res.txt", "r"); DWORD address = 0; while (fscanf_s(temp_file, "%x\n", &address) != EOF) { DWORD bytes_written = 0; WriteProcessMemory(process, (void*)address, &passed_val, 4, &bytes_written); } close(temp_file); Copy ``` -------------------------------- ### View Beginning of PK3 File Contents Source: https://gamehacking.academy/pages/8/03 This Powershell command displays the first 10 lines of a pk3 file to help identify its format. It's useful for determining if the file is an archive. ```powershell type .\zUrT43_001.pk3 | select -first 10 ``` -------------------------------- ### Yaw Difference Values Source: https://gamehacking.academy/pages/5/09 These are example yaw_dif values obtained by debugging in Visual Studio for different enemy screen positions (looking at, far left, far right). ```text Looking at enemy: yaw_dif -0.307769775 Enemy on far left of screen: yaw_dif 34.9015427 Enemy on far right of screen: yaw_dif -39.5185280 ``` -------------------------------- ### Get glDrawElements Function Address Source: https://gamehacking.academy/pages/5/03 This code snippet illustrates how to obtain the memory address of the 'glDrawElements' function once the OpenGL module handle is available. It uses GetProcAddress for this purpose. ```c++ unsigned char* hook_location; ... if (openGLHandle != NULL) { hook_location = (unsigned char*)GetProcAddress(openGLHandle, "glDrawElements"); } ``` -------------------------------- ### Construct Packet with Size and Data Source: https://gamehacking.academy/pages/6/04 Builds a packet by first copying the size of the compressed data (as a DWORD) into the packet buffer, followed by the compressed data itself. ```c unsigned char buff_packet[DEFAULT_BUFLEN] = { 0 }; memcpy(buff_packet + 3, &compress_len, sizeof(compress_len)); memcpy(buff_packet + 4, buffer, compress_len); Copy ``` -------------------------------- ### Memory Breakpoint Example (Assembly) Source: https://gamehacking.academy/pages/2/03 This assembly code illustrates a memory breakpoint scenario. The breakpoint pauses execution on the instruction that writes the modified gold value back to memory. ```assembly mov eax, dword ptr ds:[0x05500ABC] mov ebx, dword ptr ds:[0x12345678] sub eax, ebx -> mov dword ptr ds:[0x05500ABC], eax mov esi, ebx ``` -------------------------------- ### Handle Menu Input (Navigation) Source: https://gamehacking.academy/pages/5/10 Implements input handling for menu navigation using GetAsyncKeyState. It increments or decrements the cursor position for UP and DOWN key presses, with '& 1' ensuring single press registration. ```cpp void Menu::handle_input() { if (GetAsyncKeyState(VK_DOWN) & 1) { cursor_position++; } else if (GetAsyncKeyState(VK_UP) & 1) { cursor_position--; } ``` -------------------------------- ### Get State String Source: https://gamehacking.academy/pages/5/10 A helper method for the Menu class that returns 'On' or 'Off' based on the boolean state of a menu item. Used for displaying the current status of features. ```cpp const char* Menu::get_state(int item) { return item_enabled[item] ? "On" : "Off"; } ``` -------------------------------- ### Game Loop Code Cave - Get Player Gold Source: https://gamehacking.academy/pages/4/03 A naked function code cave that retrieves the player's gold amount using a series of pointer dereferences. ```C++ DWORD *gold_base, *gold; ... __declspec(naked) void gameloop_codecave() { __asm { pushad } gold_base = (DWORD*)((DWORD)wyrmsun_base + 0x0061A504); gold = (DWORD*)(*gold_base + 0x78); gold = (DWORD*)(*gold + 4); gold = (DWORD*)(*gold + 8); gold = (DWORD*)(*gold + 4); gold = (DWORD*)(*gold); gold = (DWORD*)(*gold + 0x14); Copy ``` -------------------------------- ### Basic Scene Rendering Order Source: https://gamehacking.academy/pages/5/03 Illustrates the typical order of drawing game elements. This order can lead to player models being obscured by level geometry. ```c++ draw_player(); draw_guns(); draw_doors(); draw_level_walls(); ``` -------------------------------- ### Initialize DLL Entry Point Source: https://gamehacking.academy/pages/3/03 This code snippet shows how to modify the DllMain function to execute code only when the DLL is first loaded into a process. ```cpp BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved ) { if (fdwReason == DLL_PROCESS_ATTACH) { // Code to execute when the process is loaded } return true; } ``` -------------------------------- ### Initialize Search Function Source: https://gamehacking.academy/pages/7/03 Defines the entry point for the memory search function, accepting the process handle and the value to search for. ```c++ void search(const HANDLE process, const int passed_val) { Copy ``` -------------------------------- ### Code Cave Example for Gold Storage Source: https://gamehacking.academy/pages/2/08 This assembly code demonstrates a code cave that redirects execution to save the player's gold address to a controlled memory location (0x12345678). ```assembly pushad mov dword ptr ds:[0x12345678], edx+4 popad ...original instruction replaced... jmp 0xredirect_location ``` -------------------------------- ### Writing the Int 3 Instruction Source: https://gamehacking.academy/pages/7/05 This snippet demonstrates how to find a target process (Assault Cube) by its executable name and write the 'int 3' opcode (0xCC) to a specific memory address to set a breakpoint. It uses Windows API functions like CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, and WriteProcessMemory. ```C++ HANDLE process_snapshot = NULL; HANDLE process_handle = NULL; DWORD pid; DWORD bytes_written = 0; BYTE instruction_break = 0xcc; PROCESSENTRY32 pe32 = { 0 }; pe32.dwSize = sizeof(PROCESSENTRY32); process_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); Process32First(process_snapshot, &pe32); do { if (wcscmp(pe32.szExeFile, L"ac_client.exe") == 0) { pid = pe32.th32ProcessID; process_handle = OpenProcess(PROCESS_ALL_ACCESS, true, pe32.th32ProcessID); WriteProcessMemory(process_handle, (void*)0x0046366C, &instruction_break, 1, &bytes_written); } } while (Process32Next(process_snapshot, &pe32)); ``` -------------------------------- ### Push and Pop Values on Stack Source: https://gamehacking.academy/pages/2/02 Demonstrates pushing a value onto the stack and then popping it into a register. ```assembly push 5 pop eax ``` -------------------------------- ### Include ZLib Header Source: https://gamehacking.academy/pages/6/04 Include the ZLib header file in your C++ code to access its compression and decompression functionalities. Ensure ZLib is correctly installed and its include path is configured in your project settings. ```cpp #include ``` -------------------------------- ### Triggerbot Class Implementation Source: https://gamehacking.academy/pages/5/10 Provides the implementation for the Triggerbot class methods, including the constructor and the execute method which handles mouse input. ```cpp #include #include "Triggerbot.h" Triggerbot::Triggerbot() { input = { 0 }; } void Triggerbot::execute(int isLookingAtEnemy) { if (isLookingAtEnemy != 0) { input.type = INPUT_MOUSE; input.mi.dwFlags = MOUSEEVENTF_LEFTDOWN; SendInput(1, &input, sizeof(INPUT)); } else { input.type = INPUT_MOUSE; input.mi.dwFlags = MOUSEEVENTF_LEFTUP; SendInput(1, &input, sizeof(INPUT)); } } ``` -------------------------------- ### Instantiating PlayerGeometry Class Source: https://gamehacking.academy/pages/5/10 Creates an instance of the PlayerGeometry class, passing the necessary memory addresses for player data, enemy list, and current player count. This allows the class to access game-specific memory. ```cpp playerGeometry = new PlayerGeometry(0x509B74, 0x50F4F8, 0x50F500); ``` -------------------------------- ### Manage Player Money with an Array and For Loop in C Source: https://gamehacking.academy/pages/1/02 Demonstrates using a C array to store money for multiple players and a for loop to efficiently increment each player's money. Updates the 'current_players' variable to support more players. ```c int money[10] = { 0 }; int current_players = 4; function increase_money() { for(int i = 0; i < current_players; i++) { money[i] = money[i] + 1; } } ``` -------------------------------- ### Game Object Allocation Source: https://gamehacking.academy/pages/2/09 Demonstrates how a game object is allocated in memory with its associated values when a player enters a game. ```plaintext player.game = new Game("Human", 100, 1); ``` -------------------------------- ### Include Windows.h for ReadProcessMemory Source: https://gamehacking.academy/pages/3/02 Include the Windows.h header file to gain access to the ReadProcessMemory function and other Windows API functionalities. ```c++ #include Copy ``` -------------------------------- ### Compare Values Source: https://gamehacking.academy/pages/2/02 Use 'cmp' and 'test' instructions to compare values and set CPU flags for conditional execution. ```assembly cmp eax, 2 test eax, eax ``` -------------------------------- ### Get Main Module Information Source: https://gamehacking.academy/pages/7/06 This C++ snippet retrieves information about the main module of a process, including its base address and size. It's intended to be executed upon the first debug event. ```cpp HMODULE modules[128] = { 0 }; MODULEINFO module_info = { 0 }; DWORD bytes_read = 0; if (!first_break_has_occurred) { EnumProcessModules(process_handle, modules, sizeof(modules), &bytes_read); GetModuleInformation(process_handle, modules[0], &module_info, sizeof(module_info)); ``` -------------------------------- ### Menu Class Item Definitions Source: https://gamehacking.academy/pages/5/10 Defines arrays within the Menu class to store the display text and enabled state for each menu item. This setup is used for displaying and managing feature toggles. ```cpp #define MAX_ITEMS 4 public: const char* items[MAX_ITEMS] = { "Wallhack", "ESP", "Aimbot", "Triggerbot" }; bool item_enabled[MAX_ITEMS] = { false }; ``` -------------------------------- ### PlayerGeometry Constructor Implementation Source: https://gamehacking.academy/pages/5/10 Initializes the PlayerGeometry class by storing the provided player base address, enemy list address, and current players address. ```cpp PlayerGeometry::PlayerGeometry(DWORD p_address, DWORD e_address, DWORD cp_address) { player_offset_address = p_address; enemy_list_address = e_address; current_players_address = cp_address; } ``` -------------------------------- ### Initial Packet Bytes (Gzipped Chat Message) Source: https://gamehacking.academy/pages/6/03 This code snippet represents the byte array of a gzipped chat message, generated using xxd -i. It serves as a starting point for packet modification. ```c const unsigned char packet_bytes[] = { 0x1f, 0x8b, 0x08, 0x08, 0x16, 0x8a, 0x73, 0x60, 0x00, 0x0b, 0x66, 0x69, 0x6c, 0x65, 0x00, 0x8b, 0xce, 0x4d, 0x2d, 0x2e, 0x4e, 0x4c, 0x4f, 0x8d, 0xe5, 0xe2, 0x84, 0xb2, 0x6c, 0x95, 0xaa, 0x94, 0xb8, 0x38, 0x8b, 0xf2, 0xf3, 0x73, 0x6d, 0x95, 0x72, 0xf2, 0x93, 0x92, 0x2a, 0x81, 0xbc, 0xe2, 0xd4, 0xbc, 0x94, 0xd4, 0x22, 0x5b, 0x25, 0x37, 0x37, 0x37, 0x47, 0x47, 0x47, 0x6f, 0x6f, 0x6f, 0x57, 0x57, 0x57, 0x25, 0xae, 0x68, 0x7d, 0xb8, 0x66, 0x2e, 0x00, 0xf3, 0x40, 0xda, 0x7c, 0x48, 0x00, 0x00, 0x00 }; ``` -------------------------------- ### Initial Screen X Coordinate Equation Source: https://gamehacking.academy/pages/5/09 This is the initial equation derived to convert an enemy's yaw difference into a screen X coordinate using the calculated scaling factor F. ```cpp screen_x = 512 + (yaw_dif * -12) ``` -------------------------------- ### Test Data Compression Source: https://gamehacking.academy/pages/6/04 A simple test case to verify the data compression and sending function. It sends a test string and expects a 'packet.gz' file containing the compressed version of the string. ```c const unsigned char version[] = "[test]hello[/test]"; send_data(version, sizeof(version), ConnectSocket); Copy ``` -------------------------------- ### Create a New Thread Source: https://gamehacking.academy/pages/3/03 This code demonstrates how to create a new thread within the current process using the CreateThread API, targeting a specific function to run. ```cpp void injected_thread() { } BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved ) { if (fdwReason == DLL_PROCESS_ATTACH) { CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)injected_thread, NULL, 0, NULL); } return true; } ``` -------------------------------- ### Pointer Scan Offsets for Player Money Source: https://gamehacking.academy/pages/4/03 These are example offsets found using Cheat Engine's pointer scan feature to locate the player's money. These values may vary between game sessions. ```plaintext +0x14 [+0] [+0x4] [+0x8] [+0x4] [+0x78] wyrmsun.exe + 0x0061A504 ``` -------------------------------- ### Dynamic Return Address Calculation Source: https://gamehacking.academy/pages/5/03 Demonstrates how to dynamically calculate the return address for a code cave, which is necessary when a static jump location is not available. ```C++ ret_address = (DWORD)(hook_location + 0x6); ``` -------------------------------- ### C++ Direct Memory Modification using Pointers Source: https://gamehacking.academy/pages/3/01 This example illustrates how to use a C++ pointer to directly modify a game's memory at a specific address. It sets an integer value at the address '0x12345678' to 999. ```cpp int *gold = (int*)0x12345678; *gold = 999; ``` -------------------------------- ### Dump Opcodes from Buffer Source: https://gamehacking.academy/pages/7/04 This snippet dumps a specific range of opcodes from the previously read buffer. It requires the buffer to be populated and the START_ADDRESS to be defined. ```c #define START_ADDRESS 0x7ccd91 ... unsigned int i = START_ADDRESS - (DWORD)me32.modBaseAddr; while (i < START_ADDRESS + 0x50 - (DWORD)me32.modBaseAddr) { printf("%x", buffer[i]); i++; printf("\n"); } ``` -------------------------------- ### Recruit Unit Code Cave - Copy Unit Data Source: https://gamehacking.academy/pages/4/03 Dereferences the stored ECX pointer to get the unit's base address and copies the unit's data structure into a buffer. Initializes an 'init' flag. ```C++ DWORD* unitbase; unsigned char unitdata[0x110]; bool init = false; ... unitbase = (DWORD*)(*base); memcpy(unitdata, unitbase, 0x110); init = true; Copy ``` -------------------------------- ### Main Hack Integration of Triggerbot Source: https://gamehacking.academy/pages/5/10 Demonstrates how to include the Triggerbot header and instantiate the class within the main hack's DllMain function for process attachment and detachment. ```cpp #include "Triggerbot.h" ... Triggerbot *triggerbot; ... BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { triggerbot = new Triggerbot(); } else if (fdwReason == DLL_PROCESS_DETACH) { delete triggerbot; } ```