- Status
- Offline
- Joined
- Mar 3, 2026
- Messages
- 16
- Reaction score
- 0
Has anyone tested this yet? Stumbled on this while browsing some other forums. Looks like an attempt to get custom paks mounted in Valorant, but the OP admits it's pretty much toasted after the last few updates. Riot's anticheat team is usually on top of this stuff immediately, so getting corrupted game files is exactly what I'd expect if you try to inject this nowadays.
Still, if you're into reversing or just want to see how the logic was structured before the patch, it's worth a look. Here is the code snippet from the thread:
Don't bother trying this on your main account unless you enjoy HWID bans. It's obviously dated. If anyone manages to find updated offsets for this method, feel free to share, but I wouldn't hold your breath.
Still, if you're into reversing or just want to see how the logic was structured before the patch, it's worth a look. Here is the code snippet from the thread:
Code:
constexpr uintptr_t MOUNT_OFFSET = 0x283E150;
constexpr uintptr_t GET_PLATFORM_SLOT = 0x1710450;
constexpr uintptr_t FIND_PLATFORM_FILE = 0x1710080;
constexpr uintptr_t DELEGATE_OFFSET = 0xBF5A1D8;
constexpr const wchar_t* PAK_PATH_1 = L"C:\\Mods\\pakchunk1Custom-Windows_P.pak";
constexpr const wchar_t* PAK_PATH_2 = L"C:\\Mods\\pakchunk2Custom-Windows_P.pak";
constexpr const wchar_t* PAK_PATH_3 = L"C:\\Mods\\pakchunk3Custom-Windows_P.pak";
constexpr int PAK_ORDER = 100;
typedef bool(__fastcall* tMount)(
__int64 self,
const wchar_t* InPakFilename,
int PakOrder,
__int64 InPath,
char bLoadIndex,
char bEncrypted
);
typedef __int64* (__fastcall* tGetPlatformSlot)();
typedef __int64(__fastcall* tFindPlatformFile)(__int64* slot, const wchar_t* name);
void Mount()
{
uintptr_t base = VALORANT::Module;
tMount MountFn = (tMount)(base + MOUNT_OFFSET);
tGetPlatformSlot GetPlatformSlot = (tGetPlatformSlot)(base + GET_PLATFORM_SLOT);
tFindPlatformFile FindFile = (tFindPlatformFile)(base + FIND_PLATFORM_FILE);
__int64 pakFile = 0;
while (true)
{
__int64* slot = GetPlatformSlot();
if (slot && *slot)
{
__int64 pf = FindFile(slot, L"PakFile");
if (pf)
{
__int64 iostore = *(__int64*)(pf + 328);
if (iostore)
{
pakFile = pf;
break;
}
}
}
Sleep(1000);
}
const wchar_t* paths[] = { PAK_PATH_1, PAK_PATH_2, PAK_PATH_3 };
for (int i = 0; i < 3; i++)
{
FILE* f = _wfopen(paths[i], L"rb");
if (!f)
{
printf("[-] file %d not found: %ls\n", i + 1, paths[i]);
}
else
{
fseek(f, 0, SEEK_END);
long sz = ftell(f);
fseek(f, 0, SEEK_SET);
unsigned char magic[8] = {};
fread(magic, 1, 8, f);
fclose(f);
printf("[*] file %d size=%ld magic: %02X %02X %02X %02X %02X %02X %02X %02X\n",
i + 1, sz,
magic[0], magic[1], magic[2], magic[3],
magic[4], magic[5], magic[6], magic[7]);
}
}
__int64* delegateObj1 = (__int64*)(base + 0xBF5A100);
__int64 saved1Ptr = delegateObj1[0];
int saved1Count = *(int*)((char*)delegateObj1 + 8);
int saved1Cap = *(int*)((char*)delegateObj1 + 12);
delegateObj1[0] = 0;
*(int*)((char*)delegateObj1 + 8) = 0;
*(int*)((char*)delegateObj1 + 12) = 0;
__int64* delegateObj2 = (__int64*)(base + DELEGATE_OFFSET);
__int64 saved2Ptr = delegateObj2[0];
int saved2Count = *(int*)((char*)delegateObj2 + 8);
int saved2Cap = *(int*)((char*)delegateObj2 + 12);
delegateObj2[0] = 0;
*(int*)((char*)delegateObj2 + 8) = 0;
*(int*)((char*)delegateObj2 + 12) = 0;
bool r1 = MountFn(pakFile, PAK_PATH_1, PAK_ORDER, 0, 1, 0);
bool r2 = MountFn(pakFile, PAK_PATH_2, PAK_ORDER, 0, 1, 0);
bool r3 = MountFn(pakFile, PAK_PATH_3, PAK_ORDER, 0, 1, 0);
delegateObj1[0] = saved1Ptr;
*(int*)((char*)delegateObj1 + 8) = saved1Count;
*(int*)((char*)delegateObj1 + 12) = saved1Cap;
delegateObj2[0] = saved2Ptr;
*(int*)((char*)delegateObj2 + 8) = saved2Count;
*(int*)((char*)delegateObj2 + 12) = saved2Cap;
printf("[Mount] chunk1=%d chunk2=%d chunk3=%d\n", r1, r2, r3);
}Don't bother trying this on your main account unless you enjoy HWID bans. It's obviously dated. If anyone manages to find updated offsets for this method, feel free to share, but I wouldn't hold your breath.
View hidden content is available for registered users!
