Source CS:GO hack | Source on Python 3.7.2

DREDD

Administrator
Administrator

DREDD

Administrator
Administrator
Status
Offline
Joined
Apr 18, 2019
Messages
191
Reaction score
323
External Hacks:

Requirements:
https://www.python.org/ftp/python/3....mbed-amd64.zip

TrigerBot:
Python:
import platform
from ctypes import *
#
# ekknod@2019
#
 
nt = windll.ntdll
k32 = windll.kernel32
u32 = windll.user32
 
 
def array_to_data(address):
    r = 0
    for j in bytearray(reversed(address)):
        r = (r << 8) + j
    return r
 
 
class ProcessList:
    def __init__(self):
        length = c_uint()
        self.snap = create_string_buffer(8)
        nt.NtQuerySystemInformation(57, self.snap, 0x188, pointer(length))
        self.snap = create_string_buffer(length.value + 8192)
        if nt.NtQuerySystemInformation(57, self.snap, length.value + 8192, 0) != 0:
            raise Exception("[!]ProcessList::__init__")
        self.pos = 0
 
    def next(self):
        temp = array_to_data(self.snap[self.pos:self.pos+4])
        if temp != 0:
            self.pos = temp + self.pos
            return True
        return False
 
    def pid(self):
        return int(array_to_data(self.snap[self.pos+0x128:self.pos+0x130]))
 
    def wow64(self):
        return array_to_data(self.snap[self.pos+0x160:self.pos+0x168]) <= 0xffffffff
 
    def teb(self):
        return c_int64(array_to_data(self.snap[self.pos+0x168:self.pos+0x170])).value
 
    def name(self):
        name = create_unicode_buffer(120)
        nt.memcpy(name, c_int64(array_to_data(self.snap[self.pos+0x40:self.pos+0x48])), 120)
        return name.value
 
 
class Process:
    def __init__(self, name):
        temp = c_uint8()
        nt.RtlAdjustPrivilege(20, 1, 0, pointer(temp))
        temp = ProcessList()
        status = False
        while temp.next():
            temp_handle = k32.OpenProcess(0x1fffff, 0, temp.pid())
            if temp.name() == name:
                self.mem = temp_handle
                self.wow64 = temp.wow64()
                if self.wow64:
                    self.peb = self.read_i64(temp.teb() + 0x2030, 4)
                else:
                    self.peb = self.read_i64(temp.teb() + 0x0060, 8)
                status = True
                break
        if not status:
            raise Exception("[!]Process is not running!")
 
    def is_running(self):
        buffer = c_uint32()
        k32.GetExitCodeProcess(self.mem, pointer(buffer))
        return buffer.value == 0x103
 
    def read_string(self, address, length):
        buffer = create_string_buffer(length)
        nt.NtReadVirtualMemory(self.mem, address, buffer, length, 0)
        return buffer.value
 
    def read_unicode(self, address, length):
        buffer = create_unicode_buffer(length)
        nt.NtReadVirtualMemory(self.mem, address, pointer(buffer), length, 0)
        return buffer.value
 
    def read_i16(self, address, length=2):
        buffer = c_uint16()
        nt.NtReadVirtualMemory(self.mem, address, pointer(buffer), length, 0)
        return buffer.value
 
    def read_i32(self, address, length=4):
        buffer = c_uint32()
        nt.NtReadVirtualMemory(self.mem, address, pointer(buffer), length, 0)
        return buffer.value
 
    def read_i64(self, address, length=8):
        buffer = c_uint64()
        nt.NtReadVirtualMemory(self.mem, c_uint64(address), pointer(buffer), length, 0)
        return buffer.value
 
    def write_i16(self, address, value):
        buffer = c_uint16(value)
        return nt.NtWriteVirtualMemory(self.mem, address, pointer(buffer), 2, 0) == 0
 
    def write_i64(self, address, value):
        buffer = c_uint64(value)
        return nt.NtWriteVirtualMemory(self.mem, address, pointer(buffer), 8, 0) == 0
 
    def get_module(self, name):
        if self.wow64:
            a0 = [0x04, 0x0C, 0x14, 0x28, 0x10]
        else:
            a0 = [0x08, 0x18, 0x20, 0x50, 0x20]
        a1 = self.read_i64(self.read_i64(self.peb + a0[1], a0[0]) + a0[2], a0[0])
        a2 = self.read_i64(a1 + a0[0], a0[0])
        while a1 != a2:
            val = self.read_unicode(self.read_i64(a1 + a0[3], a0[0]), 120)
            if str(val).lower() == name.lower():
                return self.read_i64(a1 + a0[4], a0[0])
            a1 = self.read_i64(a1, a0[0])
        raise Exception("[!]Process::get_module")
 
    def get_export(self, module, name):
        if module == 0:
            return 0
        a0 = self.read_i32(module + self.read_i16(module + 0x3C) + (0x88 - self.wow64 * 0x10)) + module
        a1 = [self.read_i32(a0 + 0x18), self.read_i32(a0 + 0x1c), self.read_i32(a0 + 0x20), self.read_i32(a0 + 0x24)]
        while a1[0] > 0:
            a1[0] -= 1
            export_name = self.read_string(module + self.read_i32(module + a1[2] + (a1[0] * 4)), 120)
            if name.encode('ascii', 'ignore') == export_name:
                a2 = self.read_i16(module + a1[3] + (a1[0] * 2))
                a3 = self.read_i32(module + a1[1] + (a2 * 4))
                return module + a3
        raise Exception("[!]Process::get_export")
 
 
class VirtualTable:
    def __init__(self, table):
        self.table = table
 
    def function(self, index):
        return mem.read_i32(mem.read_i32(self.table) + index * 4)
 
 
class InterfaceTable:
    def __init__(self, name):
        self.table_list = mem.read_i32(mem.read_i32(mem.get_export(mem.get_module(name), 'CreateInterface') - 0x6A))
 
    def get_interface(self, name):
        a0 = self.table_list
        while a0 != 0:
            if name.encode('ascii', 'ignore') == mem.read_string(mem.read_i32(a0 + 0x4), 120)[0:-3]:
                return VirtualTable(mem.read_i32(mem.read_i32(a0) + 1))
            a0 = mem.read_i32(a0 + 0x8)
        raise Exception('[!]InterfaceTable::get_interface')
 
 
class InterfaceList:
    def __init__(self):
        table = InterfaceTable('client_panorama.dll')
        self.client = table.get_interface('VClient')
        self.entity = table.get_interface('VClientEntityList')
 
        table = InterfaceTable('engine.dll')
        self.engine = table.get_interface('VEngineClient')
 
        table = InterfaceTable('inputsystem.dll')
        self.input = table.get_interface('InputSystemVersion')
 
 
class NetVarTable:
    def __init__(self, name):
        self.table = 0
        a0 = mem.read_i32(mem.read_i32(vt.client.function(8) + 1))
        while a0 != 0:
            a1 = mem.read_i32(a0 + 0x0C)
            if name.encode('ascii', 'ignore') == mem.read_string(mem.read_i32(a1 + 0x0C), 120):
                self.table = a1
            a0 = mem.read_i32(a0 + 0x10)
        if self.table == 0:
            raise Exception('[!]NetVarTable::__init__')
 
    def get_offset(self, name):
        offset = self.__get_offset(self.table, name)
        if offset == 0:
            raise Exception('[!]NetVarTable::get_offset')
        return offset
 
    def __get_offset(self, address, name):
        a0 = 0
        for a1 in range(0, mem.read_i32(address + 0x4)):
            a2 = a1 * 60 + mem.read_i32(address)
            a3 = mem.read_i32(a2 + 0x2C)
            a4 = mem.read_i32(a2 + 0x28)
            if a4 != 0 and mem.read_i32(a4 + 0x4) != 0:
                a5 = self.__get_offset(a4, name)
                if a5 != 0:
                    a0 += a3 + a5
            if name.encode('ascii', 'ignore') == mem.read_string(mem.read_i32(a2), 120):
                return a3 + a0
        return a0
 
 
class NetVarList:
    def __init__(self):
        table = NetVarTable('DT_BasePlayer')
        self.m_iHealth = table.get_offset('m_iHealth')
        self.m_lifeState = table.get_offset('m_lifeState')
        self.m_nTickBase = table.get_offset('m_nTickBase')
 
        table = NetVarTable('DT_BaseEntity')
        self.m_iTeamNum = table.get_offset('m_iTeamNum')
 
        table = NetVarTable('DT_CSPlayer')
        self.m_iCrossHairID = table.get_offset('m_bHasDefuser') + 0x5C
        self.m_iGlowIndex = table.get_offset('m_flFlashDuration') + 0x18
 
        self.entityList = vt.entity.table - (mem.read_i32(vt.entity.function(5) + 0x22) - 0x38)
        self.clientState = mem.read_i32(mem.read_i32(vt.engine.function(18) + 0x16))
        self.getLocalPlayer = mem.read_i32(vt.engine.function(12) + 0x16)
        self.getState = mem.read_i32(vt.engine.function(26) + 0x07)
        self.button = mem.read_i32(vt.input.function(15) + 0x21D)
 
 
class Player:
    def __init__(self, index):
        self.address = mem.read_i32(nv.entityList + index * 0x10)
 
    def is_valid(self):
        if self.address == 0:
            return False
        if self.get_life_state() != 0:
            return False
        health = self.get_health()
        return 0 < health < 1338
 
    def get_health(self):
        return mem.read_i32(self.address + nv.m_iHealth)
 
    def get_team_num(self):
        return mem.read_i32(self.address + nv.m_iTeamNum)
 
    def get_glow_index(self):
        return mem.read_i32(self.address + nv.m_iGlowIndex)
 
    def get_cross_id(self):
        return mem.read_i32(self.address + nv.m_iCrossHairID)
 
    def get_life_state(self):
        return mem.read_i32(self.address + nv.m_lifeState)
 
    def get_tick_count(self):
        return mem.read_i32(self.address + nv.m_nTickBase)
 
 
def is_button_down(button_code):
    return (mem.read_i32(vt.input.table + (((button_code >> 5) * 4) + nv.button)) >> (button_code & 31)) & 1
 
 
def should_shoot(c_id, t_num):
    target = Player(c_id - 1)
    return target.is_valid() and target.get_team_num() != t_num and target.get_health() > 0
 
 
if __name__ == "__main__":
    global mem
    global vt
    global nv
    if platform.architecture()[0] != '64bit':
        print('[!]64bit python required')
        exit(0)
    try:
        mem = Process('csgo.exe')
        vt = InterfaceList()
        nv = NetVarList()
    except Exception as e:
        print(e)
        exit(0)
    previous_tick = 0
    while mem.is_running():
        if mem.read_i32(nv.clientState + nv.getState) == 6:
            self = Player(mem.read_i32(nv.clientState + nv.getLocalPlayer))
            team_num = self.get_team_num()
            if is_button_down(111) and should_shoot(self.get_cross_id(), team_num):
                current_tick = self.get_tick_count()
                if current_tick - previous_tick > 2:
                    u32.mouse_event(0x0002, 0, 0, 0, 0)
                    u32.mouse_event(0x0004, 0, 0, 0, 0)
                    previous_tick = current_tick
- auto offsets
- netvars
- interfaces

KEY: Mouse5

Aimbot/TriggerBot linux:
Python:
from ctypes import *
import os
import math
cdll.LoadLibrary("libc.so.6")
libc = CDLL('libc.so.6')
#
# ekknod@2019
#


bone_list = [5, 4, 3, 0, 7, 8]
head_only = False
aim_smooth = 5
aim_fov = 0.8 / 180.0
aim_key = 107       # mouse 1
trigger_key = 111   # mouse5
quit_key = 72       # insert


class TimeVal(Structure):
    _fields_ = [('sec', c_long), ('u_sec', c_long)]


class InputEvent(Structure):
    _fields_ = [('time', TimeVal), ('type', c_uint16), ('code', c_uint16), ('value', c_int)]


class Vector3(Structure):
    _fields_ = [('x', c_float), ('y', c_float), ('z', c_float)]


class CUserCmd(Structure):
    _fields_ = [
        ('p_self', c_int64),
        ('cmd_num', c_int32),
        ('tick_count', c_int32),
        ('view_angles', Vector3),
        ('aim_direction', Vector3),
        ('forward_move', c_float),
        ('side_move', c_float),
        ('up_move', c_float),
        ('buttons', c_int32),
        ('impulse', c_int8),
        ('padding_0', c_int8),
        ('padding_1', c_int8),
        ('padding_2', c_int8),
        ('weapon_select', c_int32),
        ('weapon_subtype', c_int32),
        ('random_seed', c_int32),
        ('mouse_dx', c_int16),
        ('mouse_dy', c_int16),
        ('bHasBeenPredicted', c_int8),
        ('padding_3', c_int64),
        ('padding_4', c_int64),
        ('padding_5', c_int64),
        ('padding_6', c_int8),
        ('padding_7', c_int8),
        ('padding_8', c_int8),
    ]


class MouseInput:
    def __init__(self):
        self.handle = -1
        device_name = 'event-mouse'
        for device in os.listdir('/dev/input/by-id/'):
            if device[-device_name.__len__():] == device_name:
                self.handle = libc.open('/dev/input/by-id/' + device, 1)
                break
        if self.handle == -1:
            raise Exception('[!]Input::__init__')

    def __del__(self):
        if self.handle != -1:
            libc.close(self.handle)

    def __send_input(self, input_type, code, value):
        start = InputEvent()
        end = InputEvent()

        libc.gettimeofday(pointer(start.time), 0)
        start.type = input_type
        start.code = code
        start.value = value
        libc.gettimeofday(pointer(end.time), 0)

        libc.write(self.handle, pointer(start), sizeof(start))
        libc.write(self.handle, pointer(end), sizeof(end))

    def click(self):
        self.__send_input(0x01, 0x110, 1)
        libc.usleep(10000)
        self.__send_input(0x01, 0x110, 0)

    def move(self, x, y):
        self.__send_input(0x02, 0, x)
        self.__send_input(0x02, 1, y)


class Process:
    @staticmethod
    def get_process_id(process_name):
        for i in os.listdir('/proc/'):
            try:
                temp_name = os.readlink('/proc/' + i + '/exe')[-len(process_name):]
            except:
                continue
            if temp_name == process_name:
                return i
        return 0

    @staticmethod
    def get_process_base(process_id, skip=True):
        result = 0
        file = open('/proc/' + process_id + '/maps')
        for i in file:
            if i.find('gnu/ld-') != -1:
                result = int(i[0:i.index('-')], 16)
                if skip:
                    break
        return result

    def __init__(self, process_name):
        pid = self.get_process_id(process_name)
        if pid == 0:
            raise Exception('[!]Process::get_process_id')

        self.maps = self.get_process_base(pid, False)
        if self.maps == 0:
            raise Exception('[!]Process::get_process_maps')

        self.dir = '/proc/' + pid + '/mem'
        self.handle = libc.open(self.dir, 2)
        if self.handle == -1:
            raise Exception('[!]Process::open')

        if self.read_i8(self.get_process_base(pid) + 0x12) == 62:
            self.wow64 = False
            self.maps = self.read_i64(self.maps + 0x60)
        else:
            self.wow64 = True
            self.maps = self.read_i32(self.maps + 0x40)

    def __del__(self):
        if self.handle != -1:
            libc.close(self.handle)

    def exists(self):
        return os.access(self.dir, os.F_OK)

    def get_library(self, name):
        maps = self.maps
        offsets = [0x0C, 0x04] if self.wow64 else [0x18, 0x08]
        while 1:
            maps = self.read_i64(maps + offsets[0], offsets[1])
            if maps == 0:
                break
            temp = self.read_i64(maps + offsets[1], offsets[1])
            if temp == 0:
                continue
            library_name = self.read_string(temp, 256)
            if library_name[-name.__len__():] == name:
                return maps
        return 0

    def get_export(self, library, name):
        if library == 0:
            return 0
        offsets = [0x20, 0x10, 0x04] if self.wow64 else [0x40, 0x18, 0x08]
        str_tab = self.read_i64(library + offsets[0] + 5 * offsets[2], offsets[2])
        str_tab = self.read_i64(str_tab + offsets[2], offsets[2])
        sym_tab = self.read_i64(library + offsets[0] + 6 * offsets[2], offsets[2])
        sym_tab = self.read_i64(sym_tab + offsets[2], offsets[2])
        st_name = 1
        sym_tab += offsets[1]
        while st_name != 0:
            sym_name = self.read_string(str_tab + st_name)
            if sym_name == name:
                sym_tab = self.read_i64(sym_tab + offsets[2], offsets[2])
                return sym_tab + self.read_i64(library, offsets[2])
            sym_tab += offsets[1]
            st_name = self.read_i32(sym_tab)
        return 0

    def read_i8(self, address, length=1):
        buffer = c_int8()
        libc.pread(self.handle, pointer(buffer), length, c_long(address))
        return buffer.value

    def write_i8(self, address, value):
        buffer = c_int8(value)
        return libc.pwrite(self.handle, pointer(buffer), 1, c_long(address))

    def read_i16(self, address, length=2):
        buffer = c_int16()
        if libc.pread(self.handle, pointer(buffer), length, c_long(address)) == -1:
            return -1
        return buffer.value

    def write_i16(self, address, value):
        buffer = c_int16(value)
        return libc.pwrite(self.handle, pointer(buffer), 2, c_long(address))

    def read_i32(self, address, length=4):
        buffer = c_int32()
        libc.pread(self.handle, pointer(buffer), length, c_long(address))
        return buffer.value

    def write_i32(self, address, value):
        buffer = c_int32(value)
        return libc.pwrite(self.handle, pointer(buffer), 4, c_long(address))

    def read_i64(self, address, length=8):
        buffer = c_int64()
        libc.pread(self.handle, pointer(buffer), length, c_long(address))
        return buffer.value

    def write_i64(self, address, value):
        buffer = c_int64(value)
        return libc.pwrite(self.handle, pointer(buffer), 8, c_long(address))

    def read_absolute(self, address, offset, length):
        return address + self.read_i32(address + offset) + length

    def read_float(self, address, length=4):
        buffer = c_float()
        libc.pread(self.handle, pointer(buffer), length, c_long(address))
        return buffer.value

    def write_float(self, address, value):
        buffer = c_float(value)
        return libc.pwrite(self.handle, pointer(buffer), 4, c_long(address))

    def read_vec3(self, address):
        buffer = Vector3()
        libc.pread(self.handle, pointer(buffer), 12, c_long(address))
        return buffer

    def read(self, address, buffer, length):
        libc.pread(self.handle, pointer(buffer), length, c_long(address))
        return buffer

    def write(self, address, buffer, length):
        return libc.pwrite(self.handle, pointer(buffer), length, c_long(address))

    def read_string(self, address, length=120):
        buffer = create_string_buffer(length)
        libc.pread(self.handle, pointer(buffer), length, c_long(address))
        return buffer.value


class VirtualTable:
    def __init__(self, table):
        self.table = table

    def function(self, index):
        return mem.read_i64(mem.read_i64(self.table) + index * 8)


class InterfaceTable:
    def __init__(self, name):
        self.table_list = mem.read_i64(mem.get_export(mem.get_library(name), 's_pInterfaceRegs'))
        if self.table_list == 0:
            raise Exception('[!]InterfaceTable::__init__')

    def get_interface(self, name):
        a0 = self.table_list
        while a0 != 0:
            if name == mem.read_string(mem.read_i64(a0 + 0x08))[0:-3]:
                a0 = mem.read_i64(a0)
                if mem.read_i8(a0) != 0x48:
                    a0 += mem.read_i32(a0 + 1 + 3) + 8
                else:
                    a0 = mem.read_i64(mem.read_i64(a0 + (mem.read_i32(a0 + 0 + 3) + 7)))
                return VirtualTable(a0)
            a0 = mem.read_i64(a0 + 0x10)
        raise Exception('[!]InterfaceTable::get_interface')


class NetVarTable:
    def __init__(self, name):
        self.table = 0
        a0 = vt.client.function(8)
        a0 = mem.read_i64(mem.read_i64(a0 + mem.read_i32(a0 + 0 + 3) + 7))
        while a0 != 0:
            a1 = mem.read_i64(a0 + 0x18)
            if name == mem.read_string(mem.read_i64(a1 + 0x18)):
                self.table = a1
                break
            a0 = mem.read_i64(a0 + 0x20)
        if self.table == 0:
            raise Exception('[!]NetVarTable::__init__')

    def get_offset(self, name):
        offset = self.__get_offset(self.table, name)
        if offset == 0:
            raise Exception('[!]NetVarTable::get_offset')
        return offset

    def __get_offset(self, address, name):
        a0 = 0
        for a1 in range(0, mem.read_i32(address + 0x8)):
            a2 = a1 * 96 + mem.read_i64(address)
            a3 = mem.read_i32(a2 + 0x48)
            a4 = mem.read_i64(a2 + 0x40)
            if a4 != 0 and mem.read_i32(a4 + 0x8) != 0:
                a5 = self.__get_offset(a4, name)
                if a5 != 0:
                    a0 += a3 + a5
            if name == mem.read_string(mem.read_i64(a2)):
                return a3 + a0
        return a0


class ConVar:
    def __init__(self, name):
        self.address = 0
        a0 = mem.read_i64(mem.read_i64(mem.read_i64(vt.cvar.table + 0x70)) + 0x8)
        while a0 != 0:
            if name == mem.read_string(mem.read_i64(a0 + 0x18)):
                self.address = a0
                break
            a0 = mem.read_i64(a0 + 0x8)
        if self.address == 0:
            raise Exception('[!]ConVar not found!')

    def get_int(self):
        a0 = c_int32()
        a1 = mem.read_i32(self.address + 0x58) ^ self.address
        libc.memcpy(pointer(a0), pointer(c_int32(a1)), 4)
        return a0.value

    def get_float(self):
        a0 = c_float()
        a1 = mem.read_i32(self.address + 0x54) ^ self.address
        libc.memcpy(pointer(a0), pointer(c_int32(a1)), 4)
        return a0.value


class InterfaceList:
    def __init__(self):
        table = InterfaceTable('client_panorama_client.so')
        self.client = table.get_interface('VClient')
        self.entity = table.get_interface('VClientEntityList')
        table = InterfaceTable('engine_client.so')
        self.engine = table.get_interface('VEngineClient')
        table = InterfaceTable('materialsystem_client.so')
        self.cvar = table.get_interface('VEngineCvar')
        table = InterfaceTable('inputsystem_client.so')
        self.input = table.get_interface('InputSystemVersion')


class NetVarList:
    @staticmethod
    def __get_entity_list():
        return vt.entity.table - mem.read_i32(vt.entity.function(4) + 3) + 0x08

    @staticmethod
    def __get_client_state():
        a0 = vt.engine.function(18)
        a1 = mem.read_i32(a0 + 0x11 + 1) + 0x16
        a2 = mem.read_i32(a0 + a1 + 5 + 3) + 0x0C
        return mem.read_i64(a0 + a1 + a2 + 0x08) + 0x08

    def __init__(self):
        table = NetVarTable('DT_BasePlayer')
        self.m_iHealth = table.get_offset('m_iHealth')
        self.m_vecViewOffset = table.get_offset('m_vecViewOffset[0]')
        self.m_lifeState = table.get_offset('m_lifeState')
        self.m_nTickBase = table.get_offset('m_nTickBase')
        self.m_vecPunch = table.get_offset('m_aimPunchAngle')
        table = NetVarTable('DT_BaseEntity')
        self.m_iTeamNum = table.get_offset('m_iTeamNum')
        self.m_vecOrigin = table.get_offset('m_vecOrigin')
        table = NetVarTable('DT_CSPlayer')
        self.m_hActiveWeapon = table.get_offset('m_hActiveWeapon')
        self.m_iShotsFired = table.get_offset('m_iShotsFired')
        self.m_iCrossHairID = table.get_offset('m_bHasDefuser') + 0x78
        table = NetVarTable('DT_BaseAnimating')
        self.m_dwBoneMatrix = table.get_offset('m_nForceBone') + 0x2C
        self.entityList = self.__get_entity_list()
        self.clientState = self.__get_client_state()
        self.getLocalPlayer = mem.read_i32(vt.engine.function(12) + 0x11)
        self.dwViewAngles = mem.read_i32(vt.engine.function(18) + 0x1A)
        self.dwMaxClients = mem.read_i32(vt.engine.function(20) + 0x0C)
        self.dwState = mem.read_i32(vt.engine.function(26) + 0x0C)
        self.dwButton = mem.read_i32(vt.input.function(15) + 0x19)
        self.dwInput = mem.read_absolute(vt.client.function(16), 3, 7)
        self.dwInput = mem.read_i64(mem.read_i64(self.dwInput))
        self.dwLastCommand = 0x8E34


class Player:
    def __init__(self, address):
        self.address = address

    def get_team_num(self):
        return mem.read_i32(self.address + nv.m_iTeamNum)

    def get_health(self):
        return mem.read_i32(self.address + nv.m_iHealth)

    def get_life_state(self):
        return mem.read_i32(self.address + nv.m_lifeState)

    def get_tick_count(self):
        return mem.read_i32(self.address + nv.m_nTickBase)

    def get_shots_fired(self):
        return mem.read_i32(self.address + nv.m_iShotsFired)

    def get_cross_index(self):
        return mem.read_i32(self.address + nv.m_iCrossHairID)

    def get_weapon(self):
        a0 = mem.read_i32(self.address + nv.m_hActiveWeapon)
        return mem.read_i64(nv.entityList + ((a0 & 0xFFF) - 1) * 0x10)

    def get_origin(self):
        return mem.read_vec3(self.address + nv.m_vecOrigin)

    def get_vec_view(self):
        return mem.read_vec3(self.address + nv.m_vecViewOffset)

    def get_eye_pos(self):
        v = self.get_vec_view()
        o = self.get_origin()
        return Vector3(v.x + o.x, v.y + o.y, v.z + o.z)

    def get_vec_punch(self):
        return mem.read_vec3(self.address + nv.m_vecPunch)

    def get_bone_pos(self, index):
        a0 = 0x30 * index
        a1 = mem.read_i64(self.address + nv.m_dwBoneMatrix)
        return Vector3(
            mem.read_float(a1 + a0 + 0x0C),
            mem.read_float(a1 + a0 + 0x1C),
            mem.read_float(a1 + a0 + 0x2C)
        )

    def is_valid(self):
        health = self.get_health()
        return self.address != 0 and self.get_life_state() == 0 and 0 < health < 1338


class Engine:
    @staticmethod
    def get_local_player():
        return mem.read_i32(nv.clientState + nv.getLocalPlayer) + 1

    @staticmethod
    def get_view_angles():
        return mem.read_vec3(nv.clientState + nv.dwViewAngles)

    @staticmethod
    def get_max_clients():
        return mem.read_i32(nv.clientState + nv.dwMaxClients)

    @staticmethod
    def is_in_game():
        return mem.read_i8(nv.clientState + nv.dwState) >> 2


class Entity:
    @staticmethod
    def get_client_entity(index):
        return Player(mem.read_i64(nv.entityList + index * 0x20))


class InputSystem:
    @staticmethod
    def is_button_down(button):
        a0 = mem.read_i32(vt.input.table + ((button >> 5) * 4) + nv.dwButton)
        return (a0 >> (button & 31)) & 1


def get_user_cmd():
    sequence_num = mem.read_i32(nv.clientState + nv.dwLastCommand)
    user_cmd = mem.read_i64(nv.dwInput + 0x100) + (sequence_num % 150) * 104
    user_cmd_old = mem.read_i64(nv.dwInput + 0x100) + ((sequence_num - 1) % 150) * 104
    while mem.read_i32(user_cmd + 0x8) < sequence_num:
        libc.usleep(100)
    return mem.read(user_cmd_old, CUserCmd(), sizeof(CUserCmd))


class Math:
    @staticmethod
    def sin_cos(radians):
        return [math.sin(radians), math.cos(radians)]

    @staticmethod
    def rad2deg(x):
        return x * 3.141592654

    @staticmethod
    def deg2rad(x):
        return x * 0.017453293

    @staticmethod
    def angle_vec(angles):
        s = Math.sin_cos(Math.deg2rad(angles.x))
        y = Math.sin_cos(Math.deg2rad(angles.y))
        return Vector3(s[1] * y[1], s[1] * y[0], -s[0])

    @staticmethod
    def vec_normalize(vec):
        radius = 1.0 / math.sqrt(vec.x * vec.x + vec.y * vec.y + vec.z * vec.z) + 1.192092896e-07
        vec.x *= radius
        vec.y *= radius
        vec.z *= radius
        return vec

    @staticmethod
    def vec_angles(forward):
        if forward.y == 0.00 and forward.x == 0.00:
            yaw = 0
            pitch = 270.0 if forward.z > 0.00 else 90.0
        else:
            yaw = math.atan2(forward.y, forward.x) * 57.295779513
            if yaw < 0.00:
                yaw += 360.0
            tmp = math.sqrt(forward.x * forward.x + forward.y * forward.y)
            pitch = math.atan2(-forward.z, tmp) * 57.295779513
            if pitch < 0.00:
                pitch += 360.0
        return Vector3(pitch, yaw, 0.00)

    @staticmethod
    def vec_clamp(v):
        if 89.0 < v.x <= 180.0:
            v.x = 89.0
        if v.x > 180.0:
            v.x -= 360.0
        if v.x < -89.0:
            v.x = -89.0
        v.y = math.fmod(v.y + 180.0, 360.0) - 180.0
        v.z = 0.00
        return v

    @staticmethod
    def vec_dot(v0, v1):
        return v0.x * v1.x + v0.y * v1.y + v0.z * v1.z

    @staticmethod
    def vec_length(v):
        return v.x * v.x + v.y * v.y + v.z * v.z

    @staticmethod
    def get_fov(va, angle):
        a0 = Math.angle_vec(va)
        a1 = Math.angle_vec(angle)
        return Math.rad2deg(math.acos(Math.vec_dot(a0, a1) / Math.vec_length(a0)))


def get_target_angle(local_p, target, bone_id):
    m = target.get_bone_pos(bone_id)
    c = local_p.get_eye_pos()
    c.x = m.x - c.x
    c.y = m.y - c.y
    c.z = m.z - c.z
    c = Math.vec_angles(Math.vec_normalize(c))
    if local_p.get_shots_fired() > 1:
        p = local_p.get_vec_punch()
        c.x -= p.x * 2.0
        c.y -= p.y * 2.0
        c.z -= p.z * 2.0
    return Math.vec_clamp(c)


_target = Player(0)
_target_bone = 0


def get_best_target(va, local_p):
    global _target
    global _target_bone
    a0 = 9999.9
    for i in range(1, Engine.get_max_clients()):
        entity = Entity.get_client_entity(i)
        if not entity.is_valid():
            continue

        if not mp_teammates_are_enemies.get_int() and local_p.get_team_num() == entity.get_team_num():
            continue

        if head_only:
            fov = Math.get_fov(va, get_target_angle(local_p, entity, 8))
            if fov < a0:
                a0 = fov
                _target = entity
                _target_bone = 8
        else:
            for j in range(0, bone_list.__len__()):
                fov = Math.get_fov(va, get_target_angle(local_p, entity, bone_list[j]))
                if fov < a0:
                    a0 = fov
                    _target = entity
                    _target_bone = bone_list[j]
    return a0 != 9999


_current_tick = 0
_previous_tick = 0


def aim_at_target(va, angle):
    global _current_tick
    global _previous_tick

    y = va.x - angle.x
    x = va.y - angle.y

    if y > 89.0:
        y = 89.0
    elif y < -89.0:
        y = -89.0
    if x > 180.0:
        x -= 360.0
    elif x < -180.0:
        x += 360.0

    if math.fabs(x) / 180.0 >= aim_fov:
        return

    if math.fabs(y) / 89.0 >= aim_fov:
        return

    fl_sensitivity = sensitivity.get_float()
    x = (x / fl_sensitivity) / 0.022
    y = (y / fl_sensitivity) / -0.022
    if aim_smooth != 0.00:
        sx = 0.00
        sy = 0.00
        if sx < x:
            sx += 1.0 + (x / aim_smooth)
        elif sx > x:
            sx -= 1.0 - (x / aim_smooth)
        if sy < y:
            sy += 1.0 + (y / aim_smooth)
        elif sy > y:
            sy -= 1.0 - (y / aim_smooth)
    else:
        sx = x
        sy = y
    if _current_tick - _previous_tick > 0:
        _previous_tick = _current_tick
        mouse.move(int(sx), int(sy))


def trigger_bot(local_p):
    if InputSystem.is_button_down(trigger_key):
        cross_id = local_p.get_cross_index()
        if cross_id == 0:
            return

        cross_target = Entity.get_client_entity(cross_id)
        if local_p.get_team_num() != cross_target.get_team_num() and cross_target.get_health() > 0:
            mouse.click()


if __name__ == "__main__":
    global mouse
    global mem
    global vt
    global nv
    global sensitivity
    global mp_teammates_are_enemies

    try:
        mouse = MouseInput()
        mem = Process('csgo_linux64')
        vt = InterfaceList()
        nv = NetVarList()
        sensitivity = ConVar('sensitivity')
        engine_base = mem.read_i64(mem.get_library('client_engine.so'))
        mp_teammates_are_enemies = ConVar('mp_teammates_are_enemies')
    except Exception as e:
        print(e)
        exit(0)

    print('[*]VirtualTables')
    print('    VClient:            ' + hex(vt.client.table))
    print('    VClientEntityList:  ' + hex(vt.entity.table))
    print('    VEngineClient:      ' + hex(vt.engine.table))
    print('    VEngineCvar:        ' + hex(vt.cvar.table))
    print('    InputSystemVersion: ' + hex(vt.input.table))
    print('[*]Offsets')
    print('    EntityList:         ' + hex(nv.entityList))
    print('    ClientState:        ' + hex(nv.clientState))
    print('    GetLocalPlayer:     ' + hex(nv.getLocalPlayer))
    print('    GetViewAngles:      ' + hex(nv.dwViewAngles))
    print('    GetMaxClients:      ' + hex(nv.dwMaxClients))
    print('    IsInGame:           ' + hex(nv.dwState))
    print('[*]NetVars')
    print('    m_iHealth:          ' + hex(nv.m_iHealth))
    print('    m_vecViewOffset:    ' + hex(nv.m_vecViewOffset))
    print('    m_lifeState:        ' + hex(nv.m_lifeState))
    print('    m_nTickBase:        ' + hex(nv.m_nTickBase))
    print('    m_vecPunch:         ' + hex(nv.m_vecPunch))
    print('    m_iTeamNum:         ' + hex(nv.m_iTeamNum))
    print('    m_vecOrigin:        ' + hex(nv.m_vecOrigin))
    print('    m_hActiveWeapon:    ' + hex(nv.m_hActiveWeapon))
    print('    m_iShotsFired:      ' + hex(nv.m_iShotsFired))
    print('    m_iCrossHairID:     ' + hex(nv.m_iCrossHairID))
    print('    m_dwBoneMatrix:     ' + hex(nv.m_dwBoneMatrix))
    print('[*]Info')
    print('    Creator:            github.com/ekknod')

    while mem.exists() and not InputSystem.is_button_down(quit_key):
        libc.usleep(1000)
        if Engine.is_in_game():
            try:
                self = Entity.get_client_entity(Engine.get_local_player())
                trigger_bot(self)
                # print(get_user_cmd().mouse_dx)
                if InputSystem.is_button_down(aim_key):
                    view_angle = Engine.get_view_angles()
                    _current_tick = self.get_tick_count()
                    if not _target.is_valid() and not get_best_target(view_angle, self):
                        continue
                    aim_at_target(view_angle, get_target_angle(self, _target, _target_bone))
                else:
                    _target = Player(0)
            except ValueError:
                continue
- auto offsets
- netvars
- interfaces

AimKey: mouse1
TriggerKey: mouse5

Manual map injector
dll requirement: don't check if (DLL_PROCESS_ATTACH) in dllmain.

Python:
import platform
from ctypes import *
#
# ekknod@2019
#
 
nt = windll.ntdll
k32 = windll.kernel32
u32 = windll.user32
msvcrt = windll.msvcrt
 
 
def array_to_data(address):
    r = 0
    for j in bytearray(reversed(address)):
        r = (r << 8) + j
    return r
 
 
class ProcessList:
    def __init__(self):
        length = c_uint()
        self.snap = create_string_buffer(8)
        nt.NtQuerySystemInformation(57, self.snap, 0x188, pointer(length))
        self.snap = create_string_buffer(length.value + 8192)
        if nt.NtQuerySystemInformation(57, self.snap, length.value + 8192, 0) != 0:
            raise Exception("[!]ProcessList::__init__")
        self.pos = 0
 
    def next(self):
        temp = array_to_data(self.snap[self.pos:self.pos+4])
        if temp != 0:
            self.pos = temp + self.pos
            return True
        return False
 
    def pid(self):
        return int(array_to_data(self.snap[self.pos+0x128:self.pos+0x130]))
 
    def wow64(self):
        return array_to_data(self.snap[self.pos+0x160:self.pos+0x168]) <= 0xffffffff
 
    def teb(self):
        return c_int64(array_to_data(self.snap[self.pos+0x168:self.pos+0x170])).value
 
    def name(self):
        name = create_unicode_buffer(120)
        nt.memcpy(name, c_int64(array_to_data(self.snap[self.pos+0x40:self.pos+0x48])), 120)
        return name.value
 
 
class Process:
    def __init__(self, name):
        temp = c_uint8()
        nt.RtlAdjustPrivilege(20, 1, 0, pointer(temp))
        temp = ProcessList()
        status = False
        while temp.next():
            temp_handle = k32.OpenProcess(0x1fffff, 0, temp.pid())
            if temp.name() == name:
                self.mem = temp_handle
                self.wow64 = temp.wow64()
                if self.wow64:
                    self.peb = self.read_i64(temp.teb() + 0x2030, 4)
                else:
                    self.peb = self.read_i64(temp.teb() + 0x0060, 8)
                status = True
                break
        if not status:
            raise Exception("[!]Process is not running!")
 
    def is_running(self):
        buffer = c_uint32()
        k32.GetExitCodeProcess(self.mem, pointer(buffer))
        return buffer.value == 0x103
 
    def read_string(self, address, length):
        buffer = create_string_buffer(length)
        nt.NtReadVirtualMemory(self.mem, c_uint64(address), buffer, length, 0)
        return buffer.value
 
    def read_unicode(self, address, length):
        buffer = create_unicode_buffer(length)
        nt.NtReadVirtualMemory(self.mem, c_uint64(address), pointer(buffer), length, 0)
        return buffer.value
 
    def read_i16(self, address, length=2):
        buffer = c_uint16()
        nt.NtReadVirtualMemory(self.mem, c_uint64(address), pointer(buffer), length, 0)
        return buffer.value
 
    def read_i32(self, address, length=4):
        buffer = c_uint32()
        nt.NtReadVirtualMemory(self.mem, c_uint64(address), pointer(buffer), length, 0)
        return buffer.value
 
    def read_i64(self, address, length=8):
        buffer = c_uint64()
        nt.NtReadVirtualMemory(self.mem, c_uint64(address), pointer(buffer), length, 0)
        return buffer.value
 
    def write_i8(self, address, value):
        buffer = c_uint8(value)
        return nt.NtWriteVirtualMemory(self.mem, c_uint64(address), pointer(buffer), 1, 0) == 0
 
    def write_i16(self, address, value):
        buffer = c_uint16(value)
        return nt.NtWriteVirtualMemory(self.mem, c_uint64(address), pointer(buffer), 2, 0) == 0
 
    def write_i32(self, address, value):
        buffer = c_uint32(value)
        return nt.NtWriteVirtualMemory(self.mem, c_uint64(address), pointer(buffer), 4, 0) == 0
 
    def write_i64(self, address, value, length=8):
        buffer = c_uint64(value)
        return nt.NtWriteVirtualMemory(self.mem, c_uint64(address), pointer(buffer), length, 0) == 0
 
    def write(self, address, buffer, length):
        return nt.NtWriteVirtualMemory(self.mem, c_uint64(address), pointer(buffer), length, 0) == 0
 
    def malloc(self, length, protection=0x04):
        address = c_uint64()
        length = c_uint64(length + 8)
        if nt.NtAllocateVirtualMemory(self.mem, pointer(address), 0, pointer(length), 0x1000, protection) == 0:
            self.write_i64(address.value, length.value)
            return address.value + 8
        return 0
 
    def free(self, address):
        address = c_uint64(address - 8)
        length = c_uint64(self.read_i64(address.value))
        return nt.NtFreeVirtualMemory(self.mem, pointer(address), pointer(length), 0x8000) == 0
 
    def virtual_protect(self, address, protection):
        address = c_uint64(address - 8)
        length = c_uint64(self.read_i64(address.value))
        return nt.NtAllocateVirtualMemory(self.mem, pointer(address), 0, pointer(length), 0x1000, protection) == 0
 
    def create_thread(self, address, parameters):
        thread_handle = c_uint64()
        cid = create_string_buffer(16)
        status = nt.RtlCreateUserThread(self.mem, 0, 0, 0, 0, 0, c_uint64(address),
                                        c_uint64(parameters), pointer(thread_handle), pointer(cid))
        if status == 0:
            return thread_handle.value
        else:
            return 0
 
    def get_module(self, name):
        if self.wow64:
            a0 = [0x04, 0x0C, 0x14, 0x28, 0x10]
        else:
            a0 = [0x08, 0x18, 0x20, 0x50, 0x20]
        a1 = self.read_i64(self.read_i64(self.peb + a0[1], a0[0]) + a0[2], a0[0])
        a2 = self.read_i64(a1 + a0[0], a0[0])
        while a1 != a2:
            val = self.read_unicode(self.read_i64(a1 + a0[3], a0[0]), 120)
            if str(val).lower() == name.lower():
                return self.read_i64(a1 + a0[4], a0[0])
            a1 = self.read_i64(a1, a0[0])
        raise Exception("[!]Process::get_module")
 
    def get_export(self, module, name):
        if module == 0:
            return 0
        a0 = self.read_i32(module + self.read_i16(module + 0x3C) + (0x88 - self.wow64 * 0x10)) + module
        a1 = [self.read_i32(a0 + 0x18), self.read_i32(a0 + 0x1c), self.read_i32(a0 + 0x20), self.read_i32(a0 + 0x24)]
        while a1[0] > 0:
            a1[0] -= 1
            export_name = self.read_string(module + self.read_i32(module + a1[2] + (a1[0] * 4)), 120)
            if name.encode('ascii', 'ignore') == export_name:
                a2 = self.read_i16(module + a1[3] + (a1[0] * 2))
                a3 = self.read_i32(module + a1[1] + (a2 * 4))
                return module + a3
        raise Exception("[!]Process::get_export")
 
 
class File:
    def __init__(self, path):
        self.file = c_uint64()
        if msvcrt.fopen_s(pointer(self.file),
                          str(path).encode('ascii', 'ignore'), str('rb').encode('ascii', 'ignore')) != 0:
            raise Exception('[!]File not found!')
 
    def __del__(self):
        msvcrt.fclose(self.file)
 
    def read_i16(self, offset, length=2):
        msvcrt.fseek(self.file, offset, 0)
        buffer = c_uint16()
        if msvcrt.fread(pointer(buffer), length, 1, self.file) != 1:
            return 0
        return buffer.value
 
    def read_i32(self, offset, length=4):
        msvcrt.fseek(self.file, offset, 0)
        buffer = c_uint32()
        if msvcrt.fread(pointer(buffer), length, 1, self.file) != 1:
            return 0
        return buffer.value
 
    def read(self, offset, length):
        msvcrt.fseek(self.file, offset, 0)
        buffer = bytearray(length)
        char_array = c_char * len(buffer)
        char_array = char_array.from_buffer(buffer)
        if msvcrt.fread(char_array, length, 1, self.file) != 1:
            return 0
        return char_array
 
 
class Image:
    def __init__(self, path, process_name):
        self.file = File(path)
        self.process = Process(process_name)
        self.nt_header = self.file.read_i32(0x03C)
        self.wow64 = self.file.read_i16(self.nt_header + 0x018)
        self.image_size = self.file.read_i32(self.nt_header + 0x50)
        self.headers_size = self.file.read_i32(self.nt_header + 0x54)
        if self.wow64 == 0x20b:
            self.wow64 = False
            self.offsets = [0x0108, 0x0B0, 0x090, 0x030, 0x008]
        else:
            self.wow64 = True
            self.offsets = [0x00F8, 0x0A0, 0x080, 0x034, 0x004]
 
    def manual_map(self):
        if not self.process.is_running():
            return False
        image_base = self.process.malloc(self.image_size)
        base_relocation = image_base + self.file.read_i32(self.nt_header + self.offsets[1])
        import_directory = image_base + self.file.read_i32(self.nt_header + self.offsets[2])
        section_header = self.nt_header + self.offsets[0]
        delta = int(image_base - self.file.read_i32(self.nt_header + self.offsets[3]))
        temp = self.file.read(0, self.headers_size)
 
        if not self.process.write(image_base, temp, self.headers_size):
            self.process.free(image_base)
            return False
 
        for i in range(self.file.read_i16(self.nt_header + 0x06)):
            section = section_header + (i * 40)
            section_address = self.file.read_i32(section + 0x00C)
            section_size = self.file.read_i32(section + 0x010)
            section_data = self.file.read_i32(section + 0x014)
            section_temp = self.file.read(section_data, section_size)
            if not self.process.write(image_base + section_address, section_temp, section_size):
                self.process.free(image_base)
                return False
        while self.process.read_i32(base_relocation):
            block_size = self.process.read_i32(base_relocation + 0x04)
            block_count = int((block_size - 8) / 2)
            list_address = base_relocation + 1
            if block_size > 8:
                for i in range(block_count):
                    list_index = self.process.read_i32(list_address + i * 0x2)
                    if not list_index:
                        continue
                    list_item = self.process.read_i32(image_base +
                                                 (self.process.read_i32(base_relocation) + (list_index & 0xFFF)))
                    self.process.write_i32(
                        image_base + (self.process.read_i32(base_relocation) + (list_index & 0xFFF)),
                        list_item + delta)
            base_relocation += block_size
 
        while self.process.read_i32(import_directory):
            original_thunk = (image_base + self.process.read_i32(import_directory + 0x000))
            thunk = (image_base + self.process.read_i32(import_directory + 0x010))
            module_name = self.process.read_string(image_base + self.process.read_i32(import_directory + 0x00C), 120)
            module_base = self.process.get_module(module_name.decode())
            if not module_base:
                print('[!]injecting dependencies is not implemented yet')
                self.process.free(image_base)
                return False
            while self.process.read_i32(original_thunk):
                if self.process.read_i32(original_thunk) & 0x80000000:
                    print('[!]ord is not implemented yet')
                    self.process.free(image_base)
                    return False
                else:
                    export_name = self.process.read_string(image_base + self.process.read_i64(
                        original_thunk, self.offsets[4]) + 0x02, 120)
                    export_address = self.process.get_export(module_base, export_name.decode())
                    self.process.write_i64(thunk, export_address, self.offsets[4])
                original_thunk += 8
                thunk += 8
            import_directory += 0x20
        self.process.virtual_protect(image_base, 0x20)
        self.process.create_thread(image_base + self.process.read_i32(image_base + self.nt_header + 0x028), 0)
        return True
 
 
if __name__ == "__main__":
    if platform.architecture()[0] != '64bit':
        print('[!]64bit python required')
        exit(0)
    try:
        if Image('test_poc_x64.dll', 'notepad.exe').manual_map():
            print('[*]injected')
    except Exception as e:
        print(e)

HF.
 

Mr House

Moderator
Moderator

Mr House

Moderator
Moderator
Status
Offline
Joined
Mar 27, 2019
Messages
355
Reaction score
994
Wouldn't it be safer and faster to use Pymem library instead of ctypes?
 
Top