/***************************************** * Simple H1Z1 Radar/MemDumper * * Mayb DETECTED, RPM could be hook'd to detect such things! * Read it, but DONT use it! * * coded by lnslbrty/dev0, \x90 * * recommendation (mingw64): * CFLAGS=-march=athlon64 -Wall -g -DPSAPI_VERSION=1 -DUNICODE=1 -D_UNICODE=1 -g * LDFLAGS=-static-libgcc -static [PATH_TO_LIBPSAPI].a [PATH_TO_LIBKERNEL32].a * Windows PowerShell as Terminal Emulator *****************************************/ #include #include #include #include #include #include #include #include #include #define BPATTERN_SIZ(pat) (sizeof(pat)/sizeof(pat[0])) #define GAME_PATTERN { 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xD0, 0xD2 } #define GAME_MASK "x???????????????xx" #define GAME_OFFSET 0x8 #define ENTNEXT 0x410 #define ENTCOUNT 0x688 #define ENTFIRST 0x11D8 #define O_CARPOS 0x0250 #define O_PLYSTT 0x0028 #define O_NAME 0x04E8 #define O_STANCE 0x05C8 #define O_YAW 0x0240 #define O_TYPE 0x05D0 #define O_ALIVE 0x139C #define O_POSOFF 0x0198 #define O_POS 0x0100 #define O_VWANGLX 0x02E0 #define O_VWANGLY O_VWANGLX+0x4 #define MIN_VEC_VAL -10000.0f #define MAX_VEC_VAL 10000.0f #define TYPELEN 32 #define NAMELEN 32 #define PROCLEN 256 #ifdef _ENABLE_HRADAR #define HIZI_MAXDIST 260.0f #define ENABLE_HRADAR 1 #endif // ENABLE_HRADAR //#define readMem(baseAdr, data, siz) _readMem(baseAdr, data, siz, __FILE__, __LINE__) #ifdef ENABLE_HRADAR #define ENT(id, nm, col) { id, nm, col } static struct radarInfo *rdr_entCnt = NULL; #else #define ENT(id, nm, col) { id, nm } #endif typedef UINT64 QWORD; HANDLE hndl_proc; static LPCVOID adr_game = NULL; static LPCVOID adr_base = NULL; static LPCVOID adr_entityCount = NULL; static LPCVOID adr_firstEntity = NULL; static UINT32 entityCount = 0; struct e_type { DWORD id; const CHAR name[TYPELEN]; #ifdef ENABLE_HRADAR enum radarColor color; #endif // ENABLE_HRADAR }; #define ETYPE_PLAYERM 0x04 #define ETYPE_PLAYERF 0x05 #define ETYPE_ZOMBIE 0x0C #define ETYPE_ZOMBIE2 0x5b #define ETYPE_DEER 0x13 #define ETYPE_BEAR 0x50 #define ETYPE_WOLF 0x14 #define ETYPE_RABBIT 0x55 #define ETYPE_WEAPON 0x34 #define ETYPE_LOOT 0x2E #define ETYPE_OFFROAD 0x11 #define ETYPE_PICKUP 0x72 #define ETYPE_POLICE 0x76 struct e_type t_entities[] = { ENT(ETYPE_PLAYERM, "PLAYER_MAL", RC_RED), ENT(ETYPE_PLAYERF, "PLAYER_FEM", RC_RED), ENT(ETYPE_ZOMBIE, "ZOMBIE", RC_GREEN), ENT(ETYPE_ZOMBIE2, "ZOMBIE", RC_GREEN), ENT(ETYPE_BEAR, "BEAR", RC_GREEN), ENT(ETYPE_WOLF, "WOLF", RC_GREEN), ENT(0x15, "AMMO", RC_MAGENTA), ENT(ETYPE_OFFROAD, "OffRoad", RC_MAGENTA), ENT(ETYPE_PICKUP, "Pickup", RC_MAGENTA), ENT(ETYPE_POLICE, "PoliceCar", RC_MAGENTA), ENT(0x2C, "USABLE", RC_BLUE), ENT(0x9C, "LANDMINE", RC_CYAN), ENT(0x33, "STORAGE", RC_YELLOW), ENT(0x6D, "LOOTSTASH", RC_YELLOW), ENT(0x6F, "LOCKER", RC_WHITE), ENT(0x70, "LOCKER", RC_WHITE), ENT(ETYPE_DEER, "DEER", RC_WHITE), ENT(0x55, "RABBIT", RC_WHITE), ENT(ETYPE_LOOT, "*LOOT*", RC_YELLOW), ENT(ETYPE_WEAPON, "WEAPON", RC_YELLOW) }; #define t_entities_siz sizeof(t_entities)/sizeof(t_entities[0]) struct g_entity { LPCVOID adr; FLOAT pos[3]; float yaw; char name[NAMELEN]; DWORD stance; DWORD type; BYTE isAlive; struct g_entity *next; }; static LPCVOID localEntitiy; static struct g_entity localPlayer; #define PLAYER_DEFAULT 0x1 #define PLAYER_INCAR 0x2 static BYTE localPlayerStatus = PLAYER_DEFAULT; static FLOAT localViewAngle[2]; #ifndef ENABLE_HRADAR static void clrscr(void) { HANDLE hStdOut; CONSOLE_SCREEN_BUFFER_INFO csbi; DWORD count; DWORD cellCount; COORD homeCoords = { 0, 0 }; hStdOut = GetStdHandle( STD_OUTPUT_HANDLE ); if (hStdOut == INVALID_HANDLE_VALUE) return; if (!GetConsoleScreenBufferInfo( hStdOut, &csbi )) return; cellCount = csbi.dwSize.X *csbi.dwSize.Y; if (!FillConsoleOutputCharacter( hStdOut, (TCHAR) ' ', cellCount, homeCoords, &count )) return; if (!FillConsoleOutputAttribute( hStdOut, csbi.wAttributes, cellCount, homeCoords, &count )) return; SetConsoleCursorPosition( hStdOut, homeCoords ); } #endif static void getEntityCount(void) { if (adr_base == NULL) { adr_base = //readPtrH(adr_game, 0); readPtr(hndl_proc, adr_game, 0); if (adr_base != NULL) { adr_entityCount = calcOffset( adr_base, ENTCOUNT ); adr_firstEntity = calcOffset( adr_base, 0 ); } } else { if ( readMemH( adr_entityCount, &entityCount, sizeof(entityCount) ) == 0 ) { exit(1); } } } static inline const CHAR *getEntityTypeA(DWORD id) { int i; for (i = 0; i < t_entities_siz; i++) { if (t_entities[i].id == id) { return t_entities[i].name; } } return "UNKNOWN"; } static inline BOOL isEntityOk(DWORD id) { int i; for (i = 0; i < t_entities_siz; i++) { if (t_entities[i].id == id) { return TRUE; } } return FALSE; } static BOOL readEntity(LPCVOID adr, struct g_entity *ge) { int i; FLOAT tmp3f[3]; LPCVOID ptr = NULL; if (ge == NULL) return FALSE; if ( readMemH( calcOffset(adr, O_TYPE), &ge->type, sizeof(ge->type) ) == 0) return FALSE; if (isEntityOk(ge->type) == FALSE) return TRUE; readMemH( calcOffset(adr, O_STANCE), &ge->stance, sizeof(ge->stance) ); readMemH( calcOffset(adr, O_ALIVE), &ge->isAlive, sizeof(ge->isAlive) ); if (ge->isAlive == 0x1) { if (ge->type == ETYPE_PLAYERM || ge->type == ETYPE_PLAYERF) { ptr = readPtrH(adr, O_NAME); readMemH( ptr, &ge->name[0], sizeof(CHAR)*NAMELEN ); readMemH( calcOffset(adr, O_YAW), &ge->yaw, sizeof(ge->yaw) ); } if (localEntitiy == NULL) localEntitiy = adr; if (ge->type == ETYPE_OFFROAD || ge->type == ETYPE_PICKUP || ge->type == ETYPE_POLICE) { readMemH( calcOffset(adr, O_CARPOS), &ge->pos[0], sizeof(FLOAT)*3 ); readMemH( calcOffset(adr, O_YAW), &ge->yaw, sizeof(ge->yaw) ); } else { ptr = readPtrH(adr, O_POSOFF); readMemH( calcOffset(ptr, O_POS), &tmp3f[0], sizeof(tmp3f) ); if (adr == localEntitiy) { readMemH( calcOffset(adr, O_PLYSTT), &localPlayerStatus, sizeof(localPlayerStatus) ); } for (i = 0; i <= 2; i++) { if (tmp3f[i] < MAX_VEC_VAL && tmp3f[i] > MIN_VEC_VAL) { ge->pos[i] = tmp3f[i]; } } } } return ( TRUE ); } static float calcVecDist(float v1[3], float v2[3]) { return sqrtf( powf(v1[0] - v2[0], 2.0f) + powf(v1[1] - v2[1], 2.0f) + powf(v1[2] - v2[2], 2.0f) ); } #ifndef ENABLE_HRADAR static void printEntity(LPCVOID adr_ptr, struct g_entity *ge) { const char *etype; if (adr_ptr == localEntitiy) { printf("[LOCALPLAYER] status:%03d | vieAngle[x,y]: %3.2f,%3.2f ", localPlayerStatus, localViewAngle[0], localViewAngle[1]); } if ( strcmp( (etype = getEntityTypeA(ge->type)), "UNKNOWN") != 0 ) { printf("%p [ENTITY]" " type:%04lu (%7s) | alive:%02d | pos_01[x,y,z]:%+8.2f,%+8.2f,%+8.2f | vecDist:%+8.2f | stance:%ld | yaw:%+8.2f | name: %s" "\n", adr_ptr, ge->type, getEntityTypeA(ge->type), ge->isAlive, ge->pos[0], ge->pos[1], ge->pos[2], (ge->isAlive == 0x1 ? calcVecDist( ge->pos, localPlayer.pos ) : 0.0f), ge->stance, ge->yaw, (ge->type == ETYPE_PLAYERM || ge->type == ETYPE_PLAYERF ? ge->name : "-") ); } } #endif #ifdef ENABLE_HRADAR static void doCarRadar(struct g_entity *ge) { if ( localPlayerStatus == PLAYER_INCAR && calcVecDist( ge->pos, localPlayer.pos ) < 3.0f ) { switch (ge->type) { case ETYPE_OFFROAD: case ETYPE_PICKUP: case ETYPE_POLICE: radarSetPlayerPosition(ge->pos, localViewAngle[0]); } } } static void drawEntityOnRadar(LPCVOID adr_ptr, struct g_entity *ge) { int i; enum radarColor color;; BOOL b_colFound = FALSE; for (i = 0; i < t_entities_siz; i++) { if (t_entities[i].id == ge->type) { color = t_entities[i].color; b_colFound = TRUE; break; } } if (b_colFound == FALSE) { color = RC_WHITE; } doCarRadar(ge); radarUpdateEntity((UINT64)adr_ptr, ge->pos, color, (ge->type == ETYPE_PLAYERM || ge->type == ETYPE_PLAYERF ? TRUE : FALSE), TRUE); } #endif static FLOAT getViewAngleX(void) { FLOAT ret; if ( readFloat(calcOffset(localEntitiy, O_VWANGLX), ret) > 0 ) { return ( M_PI + ret ) * -(180/M_PI) + 270; } else { return 0.0f; } } static FLOAT getViewAngleY(void) { FLOAT ret; if ( readFloat(calcOffset(localEntitiy, O_VWANGLY), ret) > 0 ) { return ( M_PI + ret ) * -(180/M_PI) + 270; } else { return 0.0f; } } /* static void doAim(FLOAT target[3], FLOAT local[3], FLOAT localAngle[2]) { float deltaX = (local[0]) - (target[0]); float deltaY = (local[1]) - (target[1]); float orgAngleX = localAngle[0], orgAngleY = localAngle[1]; if ((target[0]) > (local[0]) && (target[1]) <= (local[1])) { localAngle[0] = atanf(deltaX/deltaY) * -180.0f / M_PI; } else if((target[0]) >= (local[0]) && (target[1]) > (local[1])) { localAngle[0] = atanf(deltaX/deltaY) * -180.0f / M_PI + 180.0f; } else if((target[0]) < (local[0]) && (target[1]) >= (local[1])) { localAngle[0] = atanf(deltaX/deltaY) * -180.0f / M_PI - 180.0f; } else if((target[0]) <= (local[0]) && (target[1]) < (local[1])) { localAngle[0] = atanf(deltaX/deltaY) * -180.0f / M_PI + 360.0f; } float deltaZ = (target[2]) - (local[2]); float dist = sqrt( powf( (target[0] - local[0]), 2.0) + powf( (target[1] - local[1]), 2.0) + powf( (target[2] - local[2]), 2.0) ); localAngle[1] = asinf(deltaZ/dist) * 180.0f / M_PI; mouse_event(MOUSEEVENTF_MOVE, localAngle[0]-orgAngleX, 0, 0, 0); } */ static void getEntities(void) { UINT32 dw_entCnt = 0; LPCVOID adr_fstPtr, adr_ent; struct g_entity ge; adr_fstPtr = readPtrH(adr_firstEntity, ENTFIRST); #ifdef ENABLE_HRADAR radarInvalidateAll(); #endif // ENABLE_HRADAR adr_ent = adr_fstPtr; while ( adr_ent != NULL ) { memset(&ge, '\0', sizeof(struct g_entity)); ge.adr = adr_ent; if (readEntity(adr_ent, &ge) == TRUE) { if (dw_entCnt == 0 && (ge.type == ETYPE_PLAYERM || ge.type == ETYPE_PLAYERF)) { localEntitiy = adr_ent; localPlayer = ge; #ifdef ENABLE_HRADAR if (localViewAngle[0] != 0.0f && localPlayerStatus != PLAYER_INCAR) { radarSetPlayerPosition(localPlayer.pos, localViewAngle[0]); } #endif // ENABLE_HRADAR } #ifndef ENABLE_HRADAR printEntity(adr_ent, &ge); #endif #ifdef ENABLE_HRADAR /* switch (ge.type) { case ETYPE_PLAYERM: case ETYPE_PLAYERF: case ETYPE_ZOMBIE: case ETYPE_ZOMBIE2: if ( (ge.adr != localEntitiy) && ((GetKeyState(VK_CAPITAL) & 0x0001) != 0) ) { if (aimed == NULL) { aimed = ≥ } else { printf("*** AIMING AT: %s", ge.name); doAim(ge.pos, localPlayer.pos, localViewAngle); } } else aimed = NULL; break; default: break; } */ drawEntityOnRadar(adr_ent, &ge); #endif } else { printf("ERROR: Could not read (%lu bytes) entity from %p\n", (long unsigned int) sizeof(ge), adr_ent); } adr_ent = readPtrH(adr_ent, ENTNEXT); dw_entCnt++; } #ifdef ENABLE_HRADAR radarRemoveInvalidEntities(); #endif // ENABLE_HRADAR } static void mainLoop(void) { #ifdef ENABLE_HRADAR struct radarConfig rad_cfg; memset(&rad_cfg, '\0', sizeof(rad_cfg)); strncpy(rad_cfg.wnd_name, "H1Z1", RDR_NAMELEN); radarInit(&rad_cfg); radarExecThread(); radarWaitUntilRdy(); radarSetDrawDistance(HIZI_MAXDIST); rdr_entCnt = radarAddInfo("entities"); #endif // ENABLE_HRADAR getEntityCount(); while ( #ifdef ENABLE_HRADAR radarIsActive() == TRUE #else 1 #endif ) { getEntityCount(); if (entityCount > 0) { getEntities(); localViewAngle[0] = getViewAngleX(); localViewAngle[1] = getViewAngleY(); Sleep(100); #ifdef ENABLE_HRADAR radarSetInfoF(rdr_entCnt, "%d", entityCount); radarSetPlayerPosition(localPlayer.pos, localViewAngle[0]); #else clrscr(); printf("H1Z1_HCK...ENTITIES: %lu\n", (long unsigned int) entityCount); #endif // ENABLE_HRADAR } } #ifdef ENABLE_HRADAR radarKillThread(); radarCleanup(); #endif // ENABLE_HRADAR } static BOOL getProcessModules(HMODULE hProcess, MODULEINFO *mInfoArr, UINT mInfoSiz, LPCSTR mNames, ...) { BOOL ret = TRUE; HMODULE hMods[1024]; MODULEINFO mod; LPCSTR nm = mNames; UINT16 found = 0; DWORD cbNeeded; va_list vrgl; int i; if (nm == NULL) return FALSE; va_start(vrgl, mNames); while( nm != NULL && found < mInfoSiz) { if( EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded) ) { for ( i = 0; i < (cbNeeded / sizeof(HMODULE)); i++ ) { TCHAR szModName[MAX_PATH]; if ( GetModuleBaseName( hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR))) { if ( lstrcmpA(szModName, nm) == 0 ) { if ( GetModuleInformation(hProcess, hMods[i], &mod, sizeof(mod)) == TRUE ) { mInfoArr[found] = mod; dbg( "*** %s: BaseAddress: 0x%p | EntryPoint: 0x%p | Size: %ld bytes\n", szModName, mInfoArr[found].lpBaseOfDll, mInfoArr[found].EntryPoint, mInfoArr[found].SizeOfImage ); break; } else { ret &= FALSE; } } } } } nm = va_arg(vrgl, LPCSTR); found++; } va_end(vrgl); return TRUE; } int _cdecl funcOfDeath(DWORD processID) { BOOL ret = TRUE; TCHAR sProc[PROCLEN+1]; memset(sProc, '\0', PROCLEN+1); hndl_proc = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, TRUE, processID ); if (hndl_proc != NULL) { if ( GetModuleBaseName (hndl_proc, NULL, sProc, PROCLEN) > 0 ) { if (lstrcmpA(sProc, "H1Z1.exe") == 0) { MODULEINFO info; dbg("H1Z1.exe found (pid:%ld)", processID); if (getProcessModules(hndl_proc, &info, 1, "H1Z1.exe") == TRUE) { BYTE *dllBuf = (BYTE *) calloc(info.SizeOfImage, sizeof(BYTE)); if ( readMemH( (LPCVOID) info.lpBaseOfDll, dllBuf, sizeof(BYTE)*info.SizeOfImage ) == FALSE ) { dbg("%s", "Could not read main module memory."); ret &= FALSE; } else { BYTE rpat[] = GAME_PATTERN; adr_game = getBaseAdr( dllBuf, info.SizeOfImage, rpat, GAME_MASK, BPATTERN_SIZ(rpat), GAME_OFFSET); adr_game += (ULONG_PTR) info.lpBaseOfDll; //adr_game = 0x142979F20; free(dllBuf); dbg("base pointer: 0x%p", adr_game); mainLoop(); } } } else { ret &= FALSE; } } else { ret &= FALSE; } } else { ret &= FALSE; } CloseHandle( hndl_proc ); return ret; } int _cdecl main(int argc, char **argv) { BOOL ok = FALSE; DWORD aProcesses[1024]; DWORD cbNeeded; DWORD cProcesses; unsigned int i; if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) return 1; cProcesses = cbNeeded / sizeof(DWORD); for ( i = 0; i < cProcesses; i++ ) { if ( funcOfDeath( aProcesses[i] ) == TRUE ) { printf("done.\n"); ok = TRUE; break; } } if (ok == FALSE) { printf( "h1z1.exe started and a server joined?\n" ); } return 0; }