From 684a0a797ca425765af75cf8ec047ac80fc7edf0 Mon Sep 17 00:00:00 2001 From: MisterY52 <11368116+MisterY52@users.noreply.github.com> Date: Mon, 25 Nov 2024 22:51:47 +0100 Subject: [PATCH] dtb fix Fix for the dtb value that changes while the process is running. Currently only windows 10 >= 20H1 is supported. --- apex_dma/apex_dma.cpp | 356 ++++++++++++++++++++---------------------- apex_dma/memory.cpp | 122 ++++++++++++--- apex_dma/memory.h | 22 ++- apex_dma/offsets.h | 151 ++++++------------ 4 files changed, 335 insertions(+), 316 deletions(-) diff --git a/apex_dma/apex_dma.cpp b/apex_dma/apex_dma.cpp index 65d6ef2..12a9706 100644 --- a/apex_dma/apex_dma.cpp +++ b/apex_dma/apex_dma.cpp @@ -18,7 +18,7 @@ uintptr_t aimentity = 0; uintptr_t tmp_aimentity = 0; uintptr_t lastaimentity = 0; float max = 999.0f; -float max_dist = 200.0f*40.0f; +float max_dist = 200.0f * 40.0f; int team_player = 0; float max_fov = 15; const int toRead = 100; @@ -28,11 +28,11 @@ bool item_glow = false; bool player_glow = false; extern bool aim_no_recoil; bool aiming = false; +bool shooting = false; extern float smooth; extern int bone; bool thirdperson = false; bool chargerifle = false; -bool shooting = false; bool actions_t = false; bool esp_t = false; @@ -59,8 +59,8 @@ typedef struct player bool visible = false; int health = 0; int shield = 0; - char name[33] = { 0 }; -}player; + char name[33] = {0}; +} player; struct Matrix { @@ -75,13 +75,16 @@ int tmp_all_spec = 0, allied_spectators = 0; ////////////////////////////////////////////////////////////////////////////////////////////////// -void ProcessPlayer(Entity& LPlayer, Entity& target, uint64_t entitylist, int index) +void ProcessPlayer(Entity &LPlayer, Entity &target, uint64_t entitylist, int index) { + char name[33]; + target.get_name(g_Base, index - 1, name); + int entity_team = target.getTeamId(); if (!target.isAlive()) { - if(target.Observing(LPlayer.ptr)) + if (target.Observing(LPlayer.ptr)) { if (LPlayer.getTeamId() == entity_team) tmp_all_spec++; @@ -94,14 +97,16 @@ void ProcessPlayer(Entity& LPlayer, Entity& target, uint64_t entitylist, int ind Vector EntityPosition = target.getPosition(); Vector LocalPlayerPosition = LPlayer.getPosition(); float dist = LocalPlayerPosition.DistTo(EntityPosition); - if (dist > max_dist) return; + if (dist > max_dist) + return; - if(!firing_range) - if (entity_team < 0 || entity_team>50 || entity_team == team_player) return; - - if(aim==2) + if (!firing_range) + if (entity_team < 0 || entity_team > 50 || entity_team == team_player) + return; + + if (aim == 2) { - if((target.lastVisTime() > lastvis_aim[index])) + if ((target.lastVisTime() > lastvis_aim[index])) { float fov = CalculateFov(LPlayer, target); if (fov < max) @@ -112,9 +117,9 @@ void ProcessPlayer(Entity& LPlayer, Entity& target, uint64_t entitylist, int ind } else { - if(aimentity==target.ptr) + if (aimentity == target.ptr) { - aimentity=tmp_aimentity=lastaimentity=0; + aimentity = tmp_aimentity = lastaimentity = 0; } } } @@ -139,41 +144,22 @@ void DoActions() bool tmp_thirdperson = false; bool tmp_chargerifle = false; - while (g_Base!=0 && c_Base!=0) + while (g_Base != 0 && c_Base != 0) { - std::this_thread::sleep_for(std::chrono::milliseconds(30)); + std::this_thread::sleep_for(std::chrono::milliseconds(30)); uint64_t LocalPlayer = 0; apex_mem.Read(g_Base + OFFSET_LOCAL_ENT, LocalPlayer); - if (LocalPlayer == 0) continue; - + if (LocalPlayer == 0) + continue; Entity LPlayer = getEntity(LocalPlayer); team_player = LPlayer.getTeamId(); - if (team_player < 0 || team_player>50) + if (team_player < 0 || team_player > 50) { continue; } - if(thirdperson && !tmp_thirdperson) - { - if(!aiming) - { - apex_mem.Write(g_Base + OFFSET_THIRDPERSON, 1); - apex_mem.Write(LPlayer.ptr + OFFSET_THIRDPERSON_SV, 1); - tmp_thirdperson = true; - } - } - else if((!thirdperson && tmp_thirdperson) || aiming) - { - if(tmp_thirdperson) - { - apex_mem.Write(g_Base + OFFSET_THIRDPERSON, -1); - apex_mem.Write(LPlayer.ptr + OFFSET_THIRDPERSON_SV, 0); - tmp_thirdperson = false; - } - } - uint64_t entitylist = g_Base + OFFSET_ENTITYLIST; uint64_t baseent = 0; @@ -187,15 +173,17 @@ void DoActions() tmp_aimentity = 0; tmp_spec = 0; tmp_all_spec = 0; - if(firing_range) + if (firing_range) { - int c=0; + int c = 0; for (int i = 0; i < 10000; i++) { uint64_t centity = 0; apex_mem.Read(entitylist + ((uint64_t)i << 5), centity); - if (centity == 0) continue; - if (LocalPlayer == centity) continue; + if (centity == 0) + continue; + if (LocalPlayer == centity) + continue; Entity Target = getEntity(centity); if (!Target.isDummy()) @@ -203,11 +191,11 @@ void DoActions() continue; } - if(player_glow && !Target.isGlowing()) + if (player_glow && !Target.isGlowing()) { Target.enableGlow(); } - else if(!player_glow && Target.isGlowing()) + else if (!player_glow && Target.isGlowing()) { Target.disableGlow(); } @@ -222,15 +210,18 @@ void DoActions() { uint64_t centity = 0; apex_mem.Read(entitylist + ((uint64_t)i << 5), centity); - if (centity == 0) continue; - if (LocalPlayer == centity) continue; + + if (centity == 0) + continue; + if (LocalPlayer == centity) + continue; Entity Target = getEntity(centity); if (!Target.isPlayer()) { continue; } - + ProcessPlayer(LPlayer, Target, entitylist, i); int entity_team = Target.getTeamId(); @@ -239,11 +230,11 @@ void DoActions() continue; } - if(player_glow && !Target.isGlowing()) + if (player_glow && !Target.isGlowing()) { Target.enableGlow(); } - else if(!player_glow && Target.isGlowing()) + else if (!player_glow && Target.isGlowing()) { Target.disableGlow(); } @@ -253,24 +244,10 @@ void DoActions() spectators = tmp_spec; allied_spectators = tmp_all_spec; - if(!lock) + if (!lock) aimentity = tmp_aimentity; else aimentity = lastaimentity; - - if(chargerifle) - { - charge_rifle_hack(LocalPlayer); - tmp_chargerifle = true; - } - else - { - if(tmp_chargerifle) - { - apex_mem.Write(g_Base + OFFSET_TIMESCALE + 0x68, 1.f); - tmp_chargerifle = false; - } - } } } actions_t = false; @@ -283,10 +260,10 @@ player players[toRead]; static void EspLoop() { esp_t = true; - while(esp_t) + while (esp_t) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); - while(g_Base!=0 && c_Base!=0) + while (g_Base != 0 && c_Base != 0) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); if (esp) @@ -298,18 +275,19 @@ static void EspLoop() if (LocalPlayer == 0) { next = true; - while(next && g_Base!=0 && c_Base!=0 && esp) + while (next && g_Base != 0 && c_Base != 0 && esp) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); } continue; } Entity LPlayer = getEntity(LocalPlayer); + int team_player = LPlayer.getTeamId(); - if (team_player < 0 || team_player>50) + if (team_player < 0 || team_player > 50) { next = true; - while(next && g_Base!=0 && c_Base!=0 && esp) + while (next && g_Base != 0 && c_Base != 0 && esp) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); } @@ -325,20 +303,20 @@ static void EspLoop() apex_mem.Read(viewMatrix, m); uint64_t entitylist = g_Base + OFFSET_ENTITYLIST; - - memset(players,0,sizeof(players)); - if(firing_range) + + memset(players, 0, sizeof(players)); + if (firing_range) { - int c=0; + int c = 0; for (int i = 0; i < 10000; i++) { uint64_t centity = 0; - apex_mem.Read( entitylist + ((uint64_t)i << 5), centity); + apex_mem.Read(entitylist + ((uint64_t)i << 5), centity); if (centity == 0) { continue; - } - + } + if (LocalPlayer == centity) { continue; @@ -360,10 +338,10 @@ static void EspLoop() Vector EntityPosition = Target.getPosition(); float dist = LocalPlayerPosition.DistTo(EntityPosition); if (dist > max_dist || dist < 50.0f) - { + { continue; } - + Vector bs = Vector(); WorldToScreen(EntityPosition, m.matrix, 1920, 1080, bs); if (bs.x > 0 && bs.y > 0) @@ -376,46 +354,45 @@ static void EspLoop() float boxMiddle = bs.x - (width / 2.0f); int health = Target.getHealth(); int shield = Target.getShield(); - players[c] = - { - dist, - entity_team, - boxMiddle, - hs.y, - width, - height, - bs.x, - bs.y, - 0, - (Target.lastVisTime() > lastvis_esp[c]), - health, - shield - }; - Target.get_name(g_Base, i-1, &players[c].name[0]); + players[c] = + { + dist, + entity_team, + boxMiddle, + hs.y, + width, + height, + bs.x, + bs.y, + 0, + (Target.lastVisTime() > lastvis_esp[c]), + health, + shield}; + Target.get_name(g_Base, i - 1, &players[c].name[0]); lastvis_esp[c] = Target.lastVisTime(); valid = true; c++; } } - } + } else { for (int i = 0; i < toRead; i++) { uint64_t centity = 0; - apex_mem.Read( entitylist + ((uint64_t)i << 5), centity); + apex_mem.Read(entitylist + ((uint64_t)i << 5), centity); if (centity == 0) { continue; } - + if (LocalPlayer == centity) { continue; } Entity Target = getEntity(centity); - + if (!Target.isPlayer()) { continue; @@ -427,7 +404,7 @@ static void EspLoop() } int entity_team = Target.getTeamId(); - if (entity_team < 0 || entity_team>50 || entity_team == team_player) + if (entity_team < 0 || entity_team > 50 || entity_team == team_player) { continue; } @@ -435,7 +412,7 @@ static void EspLoop() Vector EntityPosition = Target.getPosition(); float dist = LocalPlayerPosition.DistTo(EntityPosition); if (dist > max_dist || dist < 50.0f) - { + { continue; } @@ -451,23 +428,22 @@ static void EspLoop() float boxMiddle = bs.x - (width / 2.0f); int health = Target.getHealth(); int shield = Target.getShield(); - - players[i] = - { - dist, - entity_team, - boxMiddle, - hs.y, - width, - height, - bs.x, - bs.y, - Target.isKnocked(), - (Target.lastVisTime() > lastvis_esp[i]), - health, - shield - }; - Target.get_name(g_Base, i-1, &players[i].name[0]); + + players[i] = + { + dist, + entity_team, + boxMiddle, + hs.y, + width, + height, + bs.x, + bs.y, + Target.isKnocked(), + (Target.lastVisTime() > lastvis_esp[i]), + health, + shield}; + Target.get_name(g_Base, i - 1, &players[i].name[0]); lastvis_esp[i] = Target.lastVisTime(); valid = true; } @@ -475,7 +451,7 @@ static void EspLoop() } next = true; - while(next && g_Base!=0 && c_Base!=0 && esp) + while (next && g_Base != 0 && c_Base != 0 && esp) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); } @@ -491,28 +467,29 @@ static void AimbotLoop() while (aim_t) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); - while (g_Base!=0 && c_Base!=0) + while (g_Base != 0 && c_Base != 0) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); - if (aim>0) + if (aim > 0) { if (aimentity == 0 || !aiming) { - lock=false; - lastaimentity=0; + lock = false; + lastaimentity = 0; continue; } - lock=true; + lock = true; lastaimentity = aimentity; uint64_t LocalPlayer = 0; apex_mem.Read(g_Base + OFFSET_LOCAL_ENT, LocalPlayer); - if (LocalPlayer == 0) continue; + if (LocalPlayer == 0) + continue; Entity LPlayer = getEntity(LocalPlayer); QAngle Angles = CalculateBestBoneAim(LPlayer, aimentity, max_fov); if (Angles.x == 0 && Angles.y == 0) { - lock=false; - lastaimentity=0; + lock = false; + lastaimentity = 0; continue; } LPlayer.SetViewAngles(Angles); @@ -526,69 +503,71 @@ static void set_vars(uint64_t add_addr) { printf("Reading client vars...\n"); std::this_thread::sleep_for(std::chrono::milliseconds(50)); - //Get addresses of client vars + // Get addresses of client vars uint64_t check_addr = 0; client_mem.Read(add_addr, check_addr); uint64_t aim_addr = 0; client_mem.Read(add_addr + sizeof(uint64_t), aim_addr); uint64_t esp_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*2, esp_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 2, esp_addr); uint64_t aiming_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*3, aiming_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 3, aiming_addr); uint64_t g_Base_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*4, g_Base_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 4, g_Base_addr); uint64_t next_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*5, next_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 5, next_addr); uint64_t player_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*6, player_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 6, player_addr); uint64_t valid_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*7, valid_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 7, valid_addr); uint64_t max_dist_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*8, max_dist_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 8, max_dist_addr); uint64_t item_glow_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*9, item_glow_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 9, item_glow_addr); uint64_t player_glow_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*10, player_glow_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 10, player_glow_addr); uint64_t aim_no_recoil_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*11, aim_no_recoil_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 11, aim_no_recoil_addr); uint64_t smooth_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*12, smooth_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 12, smooth_addr); uint64_t max_fov_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*13, max_fov_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 13, max_fov_addr); uint64_t bone_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*14, bone_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 14, bone_addr); uint64_t thirdperson_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*15, thirdperson_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 15, thirdperson_addr); + uint64_t shooting_addr = 0; + client_mem.Read(add_addr + sizeof(uint64_t) * 16, shooting_addr); + uint64_t chargerifle_addr = 0; + client_mem.Read(add_addr + sizeof(uint64_t) * 17, chargerifle_addr); uint64_t spectators_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*16, spectators_addr); + client_mem.Read(add_addr + sizeof(uint64_t) * 18, spectators_addr); uint64_t allied_spectators_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*17, allied_spectators_addr); - uint64_t chargerifle_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*18, chargerifle_addr); - uint64_t shooting_addr = 0; - client_mem.Read(add_addr + sizeof(uint64_t)*19, shooting_addr); - + client_mem.Read(add_addr + sizeof(uint64_t) * 19, allied_spectators_addr); uint32_t check = 0; client_mem.Read(check_addr, check); - - if(check != 0xABCD) + + if (check != 0xABCD) { printf("Incorrect values read. Check if the add_off is correct. Quitting.\n"); active = false; return; } + + bool new_client = true; vars_t = true; - while(vars_t) + while (vars_t) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); - if(c_Base!=0 && g_Base!=0) + if (new_client && c_Base != 0 && g_Base != 0) { client_mem.Write(check_addr, 0); + new_client = false; printf("\nReady\n"); } - while(c_Base!=0 && g_Base!=0) + while (c_Base != 0 && g_Base != 0) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); client_mem.Write(g_Base_addr, g_Base); @@ -609,20 +588,20 @@ static void set_vars(uint64_t add_addr) client_mem.Read(shooting_addr, shooting); client_mem.Read(chargerifle_addr, chargerifle); - if(esp && next) + if (esp && next) { - if(valid) + if (valid) client_mem.WriteArray(player_addr, players, toRead); client_mem.Write(valid_addr, valid); - client_mem.Write(next_addr, true); //next + client_mem.Write(next_addr, true); // next bool next_val = false; do { client_mem.Read(next_addr, next_val); std::this_thread::sleep_for(std::chrono::milliseconds(1)); - } while (next_val && g_Base!=0 && c_Base!=0); - + } while (next_val && g_Base != 0 && c_Base != 0); + next = false; } } @@ -633,11 +612,11 @@ static void set_vars(uint64_t add_addr) static void item_glow_t() { item_t = true; - while(item_t) + while (item_t) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); int k = 0; - while(g_Base!=0 && c_Base!=0) + while (g_Base != 0 && c_Base != 0) { std::this_thread::sleep_for(std::chrono::milliseconds(1)); uint64_t entitylist = g_Base + OFFSET_ENTITYLIST; @@ -647,37 +626,39 @@ static void item_glow_t() { uint64_t centity = 0; apex_mem.Read(entitylist + ((uint64_t)i << 5), centity); - if (centity == 0) continue; + if (centity == 0) + continue; Item item = getItem(centity); - if(item.isItem() && !item.isGlowing()) + if (item.isItem() && !item.isGlowing()) { item.enableGlow(); } } - k=1; + k = 1; std::this_thread::sleep_for(std::chrono::milliseconds(600)); } else - { - if(k==1) + { + if (k == 1) { for (int i = 0; i < 10000; i++) { uint64_t centity = 0; apex_mem.Read(entitylist + ((uint64_t)i << 5), centity); - if (centity == 0) continue; + if (centity == 0) + continue; Item item = getItem(centity); - if(item.isItem() && item.isGlowing()) + if (item.isItem() && item.isGlowing()) { item.disableGlow(); } } - k=0; + k = 0; } - } + } } } item_t = false; @@ -694,7 +675,7 @@ int main(int argc, char *argv[]) const char* ap_proc = "r5apex.exe"; //const char* ap_proc = "EasyAntiCheat_launcher.exe"; - //Client "add" offset + // Client "add" offset uint64_t add_off = 0x3f880; std::thread aimbot_thr; @@ -702,11 +683,12 @@ int main(int argc, char *argv[]) std::thread actions_thr; std::thread itemglow_thr; std::thread vars_thr; - while(active) + bool proc_not_found = false; + while (active) { - if(apex_mem.get_proc_status() != process_status::FOUND_READY) + if (apex_mem.get_proc_status() != process_status::FOUND_READY) { - if(aim_t) + if (aim_t) { aim_t = false; esp_t = false; @@ -720,16 +702,24 @@ int main(int argc, char *argv[]) itemglow_thr.~thread(); } - std::this_thread::sleep_for(std::chrono::seconds(1)); - printf("Searching for apex process...\n"); + proc_not_found = apex_mem.get_proc_status() == process_status::NOT_FOUND; + + if (proc_not_found) + { + std::this_thread::sleep_for(std::chrono::seconds(1)); + printf("Searching for apex process...\n"); + } apex_mem.open_proc(ap_proc); - if(apex_mem.get_proc_status() == process_status::FOUND_READY) + if (apex_mem.get_proc_status() == process_status::FOUND_READY) { g_Base = apex_mem.get_proc_baseaddr(); - printf("\nApex process found\n"); - printf("Base: %lx\n", g_Base); + if (proc_not_found) + { + printf("\nApex process found\n"); + printf("Base: %lx\n", g_Base); + } aimbot_thr = std::thread(AimbotLoop); esp_thr = std::thread(EspLoop); @@ -746,22 +736,22 @@ int main(int argc, char *argv[]) apex_mem.check_proc(); } - if(client_mem.get_proc_status() != process_status::FOUND_READY) + if (client_mem.get_proc_status() != process_status::FOUND_READY) { - if(vars_t) + if (vars_t) { vars_t = false; c_Base = 0; vars_thr.~thread(); } - + std::this_thread::sleep_for(std::chrono::seconds(1)); printf("Searching for client process...\n"); client_mem.open_proc(cl_proc); - if(client_mem.get_proc_status() == process_status::FOUND_READY) + if (client_mem.get_proc_status() == process_status::FOUND_READY) { c_Base = client_mem.get_proc_baseaddr(); printf("\nClient process found\n"); @@ -780,4 +770,4 @@ int main(int argc, char *argv[]) } return 0; -} \ No newline at end of file +} diff --git a/apex_dma/memory.cpp b/apex_dma/memory.cpp index ca241e1..f57128a 100644 --- a/apex_dma/memory.cpp +++ b/apex_dma/memory.cpp @@ -1,4 +1,5 @@ #include "memory.h" +#include // Credits: learn_more, stevemk14ebr size_t findPattern(const PBYTE rangeStart, size_t len, const char *pattern) @@ -61,7 +62,7 @@ process_status Memory::get_proc_status() void Memory::check_proc() { - if (status == process_status::FOUND_READY) + if (status == process_status::FOUND_READY || status == process_status::FOUND_NO_ACCESS) { short c; Read(proc.baseaddr, c); @@ -69,7 +70,10 @@ void Memory::check_proc() if (c != 0x5A4D) { status = process_status::FOUND_NO_ACCESS; - close_proc(); + } + else + { + status = process_status::FOUND_READY; } } } @@ -98,6 +102,74 @@ bool kernel_init(Inventory *inv, const char *connector_name) return true; } +bool Memory::testDtbValue(const uint64_t &dtb_val) +{ + proc.hProcess.set_dtb(dtb_val, Address_INVALID); + check_proc(); + if (status == process_status::FOUND_READY) + { + lastCorrectDtbPhysicalAddress = dtb_val; + return true; + } + + return false; +} + +// https://www.unknowncheats.me/forum/apex-legends/670570-quick-obtain-cr3-check.html +bool Memory::bruteforceDtb(uint64_t dtbStartPhysicalAddr, const uint64_t stepPage) +{ + // eac cr3 always end with 0x-----XX000 + // dtbStartPhysicalAddr should be a multiple of 0x1000 + if ((dtbStartPhysicalAddr & 0xFFF) != 0) + return false; + if (dtbStartPhysicalAddr > MAX_PHYADDR) + return false; + + dtbStartPhysicalAddr -= dtbStartPhysicalAddr % stepPage; + dtbStartPhysicalAddr += lastCorrectDtbPhysicalAddress % stepPage; + + auto start = std::chrono::high_resolution_clock::now(); + bool result = false; + uint64_t furtherDistance = GetFurtherDistance(dtbStartPhysicalAddr, 0x0, MAX_PHYADDR); + size_t maxStep = furtherDistance / stepPage; + uint64_t guessDtbAddr = 0; + + for (size_t step = 0; step < maxStep; step++) + { + // bruteforce dtb from middle + guessDtbAddr = dtbStartPhysicalAddr + step * stepPage; + if (guessDtbAddr < MAX_PHYADDR) + { + if (testDtbValue(guessDtbAddr)) + { + result = true; + break; + } + } + // dont forget the other side + if (dtbStartPhysicalAddr > step * stepPage) + { + guessDtbAddr = dtbStartPhysicalAddr - step * stepPage; + if (testDtbValue(guessDtbAddr)) + { + result = true; + break; + } + } + } + + auto end = std::chrono::high_resolution_clock::now(); + auto duration = std::chrono::duration_cast(end - start); + printf("[+] bruteforce dtb %s to find dtb:0x%lx, time:%ldms\n", result ? "success" : "failed", result ? guessDtbAddr : 0x0, duration.count()); + + // In case we cannot get the dtb through this shortcut method. + if (result == false && stepPage != 0x1000) + { + return bruteforceDtb(dtbStartPhysicalAddr, 0x1000); + } + return result; +} + void Memory::open_proc(const char *name) { if (!conn) @@ -126,48 +198,48 @@ void Memory::open_proc(const char *name) if (kernel.get()->process_info_by_name(name, &info)) { status = process_status::NOT_FOUND; + lastCorrectDtbPhysicalAddress = 0; return; } - ProcessInstance<> tmp_proc; - - if (kernel.get()->process_by_info(info, &tmp_proc)) + close_proc(); + if (kernel.get()->clone().into_process_by_info(info, &proc.hProcess)) { - status = process_status::NOT_FOUND; + status = process_status::FOUND_NO_ACCESS; + printf("Error while opening process %s\n", name); + close_proc(); return; } ModuleInfo module_info; - - if (tmp_proc.module_by_name(name, &module_info)) + if (proc.hProcess.module_by_name(name, &module_info)) { - printf("Can't find base module info for process %s. Trying with a new dtb...\n", name); + status = process_status::FOUND_NO_ACCESS; + auto base_section = std::make_unique(8); + uint64_t *base_section_value = (uint64_t *)base_section.get(); + CSliceMut slice(base_section.get(), 8); + uint32_t EPROCESS_SectionBaseAddress_off = 0x520; // win10 >= 20H1 + kernel.get()->read_raw_into(info.address + EPROCESS_SectionBaseAddress_off, slice); + proc.baseaddr = *base_section_value; - for (size_t dtb = 0; dtb <= SIZE_MAX; dtb += 0x1000) + if (!bruteforceDtb(0x0, 0x100000)) { - info.dtb1 = dtb; - kernel.get()->process_by_info(info, &tmp_proc); - - if (!tmp_proc.module_by_name(name, &module_info)) - break; - - if (dtb == SIZE_MAX) - { - printf("Access error for process %s\n", name); - status = process_status::FOUND_NO_ACCESS; - return; - } + close_proc(); + return; } } + else + { + proc.baseaddr = module_info.base; + } - kernel.get()->clone().into_process_by_info(info, &proc.hProcess); - - proc.baseaddr = module_info.base; status = process_status::FOUND_READY; } void Memory::close_proc() { + std::lock_guard l(m); + proc.hProcess.~IntoProcessInstance(); proc.baseaddr = 0; } diff --git a/apex_dma/memory.h b/apex_dma/memory.h index ed5b550..02e02af 100644 --- a/apex_dma/memory.h +++ b/apex_dma/memory.h @@ -17,6 +17,17 @@ typedef WORD *PWORD; static std::unique_ptr> conn = nullptr; static std::unique_ptr> kernel = nullptr; +// set MAX_PHYADDR to a reasonable value, larger values will take more time to traverse. +constexpr uint64_t MAX_PHYADDR = 0xFFFFFFFFF; + +inline uint64_t GetFurtherDistance(uint64_t A, uint64_t Min, uint64_t Max) +{ + uint64_t distanceToMin = (A > Min) ? (A - Min) : (Min - A); + uint64_t distanceToMax = (A > Max) ? (A - Max) : (Max - A); + + return (distanceToMin > distanceToMax) ? distanceToMin : distanceToMax; +} + inline bool isMatch(const PBYTE addr, const PBYTE pat, const PBYTE msk) { size_t n = 0; @@ -51,13 +62,10 @@ private: Process proc; process_status status = process_status::NOT_FOUND; std::mutex m; + uint64_t lastCorrectDtbPhysicalAddress = 0x0; public: - ~Memory() - { - if (kernel) - os_drop(kernel.get()); - } + ~Memory() = default; uint64_t get_proc_baseaddr(); @@ -82,6 +90,10 @@ public: bool WriteArray(uint64_t address, const T value[], size_t len); uint64_t ScanPointer(uint64_t ptr_address, const uint32_t offsets[], int level); + + bool bruteforceDtb(uint64_t dtbStartPhysicalAddr, const uint64_t stepPage); + + bool testDtbValue(const uint64_t &dtb_val); }; template diff --git a/apex_dma/offsets.h b/apex_dma/offsets.h index 5b5f4da..7d090f2 100644 --- a/apex_dma/offsets.h +++ b/apex_dma/offsets.h @@ -1,103 +1,48 @@ -#define ORIGIN 1 -#define STEAM 2 - -#define VERSION STEAM - -#if VERSION == STEAM - - #define OFFSET_ENTITYLIST 0x1eabd08 - #define OFFSET_LOCAL_ENT 0x225a8a8 - #define OFFSET_NAME_LIST 0xc7912b0 - #define OFFSET_THIRDPERSON 0x01e3b190 + 0x6c //thirdperson_override + 0x6c - #define OFFSET_TIMESCALE 0x01841ee0 //host_timescale - - #define OFFSET_TEAM 0x0328 //m_iTeamNum - #define OFFSET_HEALTH 0x0318 //m_iHealth - #define OFFSET_SHIELD 0x01a0 //m_shieldHealth - #define OFFSET_NAME 0x0471 //m_iName - #define OFFSET_SIGN_NAME 0x0468 //m_iSignifierName - #define OFFSET_ABS_VELOCITY 0x0170 //m_vecAbsVelocity - #define OFFSET_VISIBLE_TIME 0x1990 //CPlayer!lastVisibleTime - #define OFFSET_ZOOMING 0x1bd1 //m_bZooming - #define OFFSET_THIRDPERSON_SV 0x36c8 //m_thirdPersonShoulderView - #define OFFSET_YAW 0x223c - 0x8 //m_currentFramePlayer.m_ammoPoolCount - 0x8 - - #define OFFSET_LIFE_STATE 0x0680 //m_lifeState, >0 = dead - #define OFFSET_BLEED_OUT_STATE 0x26e0 //m_bleedoutState, >0 = knocked - - #define OFFSET_ORIGIN 0x017c //m_vecAbsOrigin - #define OFFSET_BONES 0x0da0 + 0x48 //m_nForceBone + 0x48 - #define OFFSET_STUDIOHDR 0xff0 //CBaseAnimating!m_pStudioHdr - #define OFFSET_AIMPUNCH 0x2438 //m_currentFrameLocalPlayer.m_vecPunchWeapon_Angle - #define OFFSET_CAMERAPOS 0x1ed0 //CPlayer!camera_origin - #define OFFSET_VIEWANGLES 0x2534 - 0x14 //m_ammoPoolCapacity - 0x14 - #define OFFSET_BREATH_ANGLES OFFSET_VIEWANGLES - 0x10 - #define OFFSET_OBSERVER_MODE 0x34a4 //m_iObserverMode - #define OFFSET_OBSERVING_TARGET 0x34b0 //m_hObserverTarget - #define OFFSET_OBSERVER_LIST 0x1EADD28 - - #define OFFSET_MATRIX 0x11a350 - #define OFFSET_RENDER 0x74dd028 - - #define OFFSET_WEAPON 0x1934 //m_latestPrimaryWeapons - #define OFFSET_BULLET_SPEED 0x1ea4 //CWeaponX!m_flProjectileSpeed - #define OFFSET_BULLET_SCALE 0x1eac //CWeaponX!m_flProjectileScale - #define OFFSET_ZOOM_FOV 0x15d0 + 0x00b8 //m_playerData + m_curZoomFOV - #define OFFSET_AMMO 0x1554 //m_ammoInClip - - #define OFFSET_ITEM_GLOW 0x02f0 //m_highlightFunctionBits - - #define OFFSET_GLOW_T1 0x292 //16256 = enabled, 0 = disabled - #define OFFSET_GLOW_T2 0x30c //1193322764 = enabled, 0 = disabled - #define OFFSET_GLOW_ENABLE 0x28C //7 = enabled, 2 = disabled - #define OFFSET_GLOW_THROUGH_WALLS 0x26c //2 = enabled, 5 = disabled - -#elif VERSION == ORIGIN - - #define OFFSET_ENTITYLIST 0x1e743a8 - #define OFFSET_LOCAL_ENT 0x2224528 - #define OFFSET_NAME_LIST 0xc2b0b00 - #define OFFSET_THIRDPERSON 0x01e03040 + 0x6c //thirdperson_override + 0x6c - #define OFFSET_TIMESCALE 0x017b7f60 //host_timescale - - #define OFFSET_TEAM 0x0480 //m_iTeamNum - #define OFFSET_HEALTH 0x0470 //m_iHealth - #define OFFSET_SHIELD 0x01a0 //m_shieldHealth - #define OFFSET_NAME 0x05c1 //m_iName - #define OFFSET_SIGN_NAME 0x05b8 //m_iSignifierName - #define OFFSET_ABS_VELOCITY 0x0170 //m_vecAbsVelocity - #define OFFSET_VISIBLE_TIME 0x1AA0 //CPlayer!lastVisibleTime - #define OFFSET_ZOOMING 0x1c81 //m_bZooming - #define OFFSET_THIRDPERSON_SV 0x3728 //m_thirdPersonShoulderView - #define OFFSET_YAW 0x22ec - 0x8 //m_currentFramePlayer.m_ammoPoolCount - 0x8 - - #define OFFSET_LIFE_STATE 0x07d0 //m_lifeState, >0 = dead - #define OFFSET_BLEED_OUT_STATE 0x2790 //m_bleedoutState, >0 = knocked - - #define OFFSET_ORIGIN 0x017c //m_vecAbsOrigin - #define OFFSET_BONES 0x0ec8 + 0x48 //m_nForceBone + 0x48 - #define OFFSET_STUDIOHDR 0x1118 //CBaseAnimating!m_pStudioHdr - #define OFFSET_AIMPUNCH 0x24e8 //m_currentFrameLocalPlayer.m_vecPunchWeapon_Angle - #define OFFSET_CAMERAPOS 0x1f80 //CPlayer!camera_origin - #define OFFSET_VIEWANGLES 0x25e4 - 0x14 //m_ammoPoolCapacity - 0x14 - #define OFFSET_BREATH_ANGLES OFFSET_VIEWANGLES - 0x10 - #define OFFSET_OBSERVER_MODE 0x3534 //m_iObserverMode - #define OFFSET_OBSERVING_TARGET 0x3540 //m_hObserverTarget - - #define OFFSET_MATRIX 0x11A350 - #define OFFSET_RENDER 0x7472E00 - - #define OFFSET_WEAPON 0x1a44 //m_latestPrimaryWeapons - #define OFFSET_BULLET_SPEED 0x1F6C //CWeaponX!m_flProjectileSpeed - #define OFFSET_BULLET_SCALE 0x1F74 //CWeaponX!m_flProjectileScale - #define OFFSET_ZOOM_FOV 0x16e0 + 0xb8 //m_playerData + m_curZoomFOV - #define OFFSET_AMMO 0x1664 //m_ammoInClip - - #define OFFSET_ITEM_GLOW 0x02f0 //m_highlightFunctionBits - - #define OFFSET_GLOW_T1 0x292 //16256 = enabled, 0 = disabled - #define OFFSET_GLOW_T2 0x30c //1193322764 = enabled, 0 = disabled - #define OFFSET_GLOW_ENABLE 0x3f8 //7 = enabled, 2 = disabled - #define OFFSET_GLOW_THROUGH_WALLS 0x400 //2 = enabled, 5 = disabled - -#endif \ No newline at end of file +//v3.0.3.26 + +#define OFFSET_ENTITYLIST 0x2022bf8 +#define OFFSET_LOCAL_ENT 0x24F6288 +#define OFFSET_NAME_LIST 0xd506390 +#define OFFSET_THIRDPERSON 0x01e3b190 + 0x6c // thirdperson_override + 0x6c +#define OFFSET_TIMESCALE 0x01841ee0 // host_timescale + +#define OFFSET_TEAM 0x0338 // m_iTeamNum +#define OFFSET_HEALTH 0x0328 // m_iHealth +#define OFFSET_SHIELD 0x01a0 // m_shieldHealth +#define OFFSET_NAME 0x0481 // m_iName +#define OFFSET_SIGN_NAME 0x0478 // m_iSignifierName +#define OFFSET_ABS_VELOCITY 0x0170 // m_vecAbsVelocity +#define OFFSET_VISIBLE_TIME 0x1990 // CPlayer!lastVisibleTime +#define OFFSET_ZOOMING 0x1be1 // m_bZooming +#define OFFSET_THIRDPERSON_SV 0x36c8 // m_thirdPersonShoulderView +#define OFFSET_YAW 0x223c - 0x8 // m_currentFramePlayer.m_ammoPoolCount - 0x8 + +#define OFFSET_LIFE_STATE 0x0690 // m_lifeState, >0 = dead +#define OFFSET_BLEED_OUT_STATE 0x2760 // m_bleedoutState, >0 = knocked + +#define OFFSET_ORIGIN 0x017c // m_vecAbsOrigin +#define OFFSET_BONES 0x0da8 + 0x48 // m_nForceBone + 0x48 +#define OFFSET_STUDIOHDR 0xff0 // CBaseAnimating!m_pStudioHdr +#define OFFSET_AIMPUNCH 0x2438 // m_currentFrameLocalPlayer.m_vecPunchWeapon_Angle +#define OFFSET_CAMERAPOS 0x1ee0 // CPlayer!camera_origin +#define OFFSET_VIEWANGLES 0x2534 - 0x14 // m_ammoPoolCapacity - 0x14 +#define OFFSET_BREATH_ANGLES OFFSET_VIEWANGLES - 0x10 +#define OFFSET_OBSERVER_MODE 0x34a4 // m_iObserverMode +#define OFFSET_OBSERVING_TARGET 0x34b0 // m_hObserverTarget +#define OFFSET_OBSERVER_LIST 0x02022b50 + 0x20C8 + +#define OFFSET_MATRIX 0x11A350 +#define OFFSET_RENDER 0x77BD448 + +#define OFFSET_WEAPON 0x1934 // m_latestPrimaryWeapons +#define OFFSET_BULLET_SPEED 0x19d8 + 0x04ec // CWeaponX!m_flProjectileSpeed +#define OFFSET_BULLET_SCALE 0x19d8 + 0x04f4 // CWeaponX!m_flProjectileScale +#define OFFSET_ZOOM_FOV 0x15e0 + 0x00b8 // m_playerData + m_curZoomFOV +#define OFFSET_AMMO 0x1590 // m_ammoInClip + +#define OFFSET_ITEM_GLOW 0x02f0 // m_highlightFunctionBits + +#define OFFSET_GLOW_T1 0x292 // 16256 = enabled, 0 = disabled +#define OFFSET_GLOW_T2 0x30c // 1193322764 = enabled, 0 = disabled +#define OFFSET_GLOW_ENABLE 0x28C // 7 = enabled, 2 = disabled +#define OFFSET_GLOW_THROUGH_WALLS 0x26c // 2 = enabled, 5 = disabled