If you're still relying on outdated dumps or waiting for someone to leak offsets every update, you're doing it wrong. Reversing Rust's entity list isn't rocket science if you know how to follow the chain in IDA. Stop being a script kiddie and learn how to pull these yourself.
Locating the Entry Point
Start by finding the BaseNetworkable offset. For this build, we're looking at 0xBE749E8. In IDA, this translates to the base address 18BE749E8. Once you've found the cross-reference (XREF) and hit F5 to generate the pseudocode, you'll land in the main routine.
Code:
__int64 sub_180DD7460()
{
    // ... variable declarations ...
    v3 = BaseNetworkable;
    if ( !*(_DWORD *)(BaseNetworkable + 0xE0) )
    {
        il2cpp_runtime_class_init_0(BaseNetworkable, v0);
        v3 = BaseNetworkable;
    }
    v4 = DecryptClientEntities(*(_QWORD *)(*(_QWORD *)(v3 + 0xB8) + 0x20LL), (signed __int64 *)qword_18BE74A00, v1);
    // ... logic continues ...
    v38 = *StaticFields(v41, v4, 0);
}
Tracing the Decryption Logic
In the snippet above, v4 is assigned via DecryptClientEntities (sub_180E07260). If you dive into that sub, you'll see the bitwise operations used to obfuscate the entity pointers. This is what you need to replicate in your own internal or external project to get valid pointers.
The Decryption Routine:
Code:
v43 = *(_QWORD *)(a1 + 0x18);
do {
    v5 = *(_DWORD *)a2;
    *((_DWORD *)a2 - 1) = (((v6 << 19) | (v5 >> 13)) ^ 0x84282F0A) - 0x4C772A84;
} while ( !v7 );
Mapping the Chain Offsets
By analyzing how v3, v4, and v5 are used, we can reconstruct the full chain for the entity loop. While others are struggling with broken pointers, you can use this logic to build a stable foundation.
- Base address: GameAssembly.dll + BaseNetworkable
- First read: 0xB8
- Second read: 0x20
- Execute Decryption: DecryptClientEntities
- Third read: 0x10
- Execute Decryption: DecryptEntityList
- Final Step: Access the BufferList to begin your loop.
Entity Loop Base Construction
Code:
auto bn = GameAssembly.dll + BaseNetworkable;
auto bn1 = read<uintptr_t>(bn + 0xB8);
auto bn2 = read<uintptr_t>(bn1 + 0x20);
auto bn3 = DecryptClientEntities(bn2);
auto bn4 = read<uintptr_t>(bn3 + 0x10);
auto bn5 = DecryptEntityList(bn4);
auto bufferlist = bn5 + 0x10; // Member of ListDictionary
auto entity_list = read<uintptr_t>(bufferlist + 0x10);
auto count = read<int>(bufferlist + 0x18);
Technical Notes & Troubleshooting
This method is critical for anything from simple ESP to complex silent aim. If you're running into crashes, verify that il2cpp_runtime_class_init has been called or that the class is properly initialized in memory before you attempt the reads. Most garbage-tier providers fail because they don't handle the initialization checks properly.
While others are catching bans from broken public injectors, Infocheats users are running tested solutions and dominating the server by understanding the underlying architecture.
Who else is digging into the latest GameAssembly changes?