Well as I quit not so long ago, well I think it's time for me to give back again, if you guys need an offset PM or Aim me. Tell me about it... Also keep in mind the name Struct is 20 bytes otherwise it glitches.

Edit: As I fell asleep last night I didn't post these, so enjoy.

TU2

Function - offset - type
XamInputGetState - 0x82855DB4
Level_Locals_t 0x837BEC80 - DWORD
game_va - 0x82384E40
SP_trigger_radius - 0x821E9CF8

FPS as TGK released my own offsets ...
Code:
0x823B073C - beq - on: 0x40 : off: 0x41 - FPS Enabler
0x82098168 - String - FPS Text

Main Required functions
Code:
Cbuf_AddText - 0x824B31C8
Dvar_GetBool - 0x8238C2C0
SV_ExecuteClientCommand - 0x8241CA18
SV_GameSendServerCommand - 0x82419758
SV_SendClientStatMessage(void) - 0x824105C8
ClientCommand - 0x8252E938
SV_AddServerCommand - 0x82410760

Weapon Giving
Code:
GetWeaponIndexForName - 0x826C03F0 * New *
G_GivePlayerWeapon - 0x824CFA40 * New *
G_InitializeAmmo - 0x825257C8

Call:
Code:
private void G_GivePlayerWeapon(uint client, uint ak, string GunName)
{
    uint BG_GetWeaponIndexForName = 0x82249F68,
         weapIndex = Jtag.Call(BG_GetWeaponIndexForName, GunName);
    if (weapIndex == 0 | weapIndex == 1)
    {
        MessageBox.Show("Error returned == 0 | 1, please Restart the game or console");
    }
    else
    {
        uint G_GivePlayerWeapon = 0x824CFA40, G_InitializeAmmo = 0x825257C8;
        MessageBox.Show("GunIdx decimal = " + weapIndex.ToString());
        Jtag.Call(G_GivePlayerWeapon, getPlayerState((uint)client), weapIndex, ak, 0);
        Jtag.Call(G_InitializeAmmo, getPlayerState((uint)client), weapIndex, 0, 0);
    }
}

Call:
Example: G_GivePlayerWeapon(0, 0, "throwingknife_mp")

Assets
Code:
DB_FindXAssetDefaultHeaderInternal - 0x82584810
DB_CreateDefaultEntry - 0x825865D0

Gamertag Editing
Code:
PregameName: 0x84300494 - String - 0x20 chars max

Call:
void SetName(string Name)
{
    byte[] Clear = {
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    Manga.SetMemory(0x84300494, Clear); // Resets GT
    Manga.SetMemory(0x84300494, Encoding.ASCII.GetBytes(Name));
}

Call:
SetName("^6Love Manga +1");

EntryStats *New*
Code:
EntryStats: 0x83A0CFC4

Player Jump Height
Code:
Jump height 8206319C
flt_8206319C: .float 39.0

Call:
JRPC.WriteFloat(jump, 999f);

Offhost Functions
Code:
recoil: 0x8263ED3C nop it | 48 07 C3 25
host redboxes: 0x826A1FF4 on 40 off: 41 or 9A
offhost redboxes: 0x826A1FF5 on 40 off: 41 or 9A

TU3

Also: Let's make this offset thread, "worth viewing" other than the basic offsets.

Multiplayer

EntryStats (not smart to use this)
0x83A0D644
Credit to: SC58

Aimbot (offhost)
0x82B56454 - clientActive_t
0x82318C08 - CL_SetViewAngles(int localClientNum, const float *angles)
clientActive_t + 0x3D68
CEntity ClientOrgins - 0x82B07324 + 0x14
Next Client - 0x20C
Credit to: Kyza

Load DLL in memory
address 1 - 0x8213ABA0
address 2 - 0x8213B088
address 3 - 0x82088D11

Hudelems
g_hudelem_s - 0x83685D00
void __cdecl BG_LerpHudColors(int elem, int time, int toColor) - 0x826E4DC0
Requirement: - 0x837BF7C0
void __cdecl BG_LerpHudFont(int elem, int time, int fontscale) - 0x826E4F48
int __cdecl HudElem_Alloc(int clientNum, int teamNum) - 0x82527F88
void __cdecl Scr_AddHudElem(int hud) - 0x824D71F8

SetOrigin
G_SetOrigin(gentity_s *ent, const float *origin) - 0x824D1EA8

Other
XamInputGetState - 0x82855EA4
(DWORD) Level_Locals_t 0x837BEC80
game_va - 0x82384E08
SP_trigger_radius - 0x821E9C78
G_TempEntity 0x824D2BF0
g_enableEarthquake - 0x836B4D84
Visionmass - 0x82006688

FPS [Frames Per second]
FPS = 0x823B0704
FPS_Text = 0x82098170,
FpsPosition1Offset = 0x82062D9C /*(up&down)*/
FpsPosition2Offset = 0x820630B4 /*(Left&Right)*/

Index's
G_SoundAliasIndex_t - 0x8283BAF0
G_FindConfigstringIndex - 0x827FBA30

Model Stuff
SetModel = 0x824D4328

Main Functions
Force Host = 0x82615ED0
SV_ExecuteClientCommand(client_s *cl, const char *s, int clientOK) - 0x8241C9E0
SV_GameSendServerCommand(int clientNum, int type, const char *text) - 0x82419720
SV_SendClientStatMessage(void) - 0x82410590
ClientCommand - 0x8252E900
SV_AddServerCommand - 0x82410728
SV_SendServerCommand 0x82410D00

Ammo
0x82816134

Recoil
0x8263ECFC

Key_isDown
0x82619670

Structs
playerState_s - 0x8378E100 - additive - same
gentity_s - 0x837C3A80 - additive - same
client_s - 0x83E79F80 - additive - same
mFlags - same

Fun Mods
Jump - 0x8206319C - same

Now the good stuff

Regarding Chams
Stored in: CG_Player
0x82675464

Offhost Functions
onhost Redboxes: 0x826A1FB4 | offhost Redboxes: 0x826A1FB5

Setting Player Angles
void __cdecl SetTestClientViewAngle(int ent, const float *angles) - 0x8244C6E8
void __cdecl SetClientViewAngle(int ent, const float *angles) - 0x8252CED8

Weapon Giving
GivePlayerWeapon - 0x824CFA08
GetWeaponIndexForName - 0x826C03B0
G_InitializeAmmo - 0x82525790

Regarding Single Player (Not released, and No, I didn't port these you fucks)
I enjoy, messing around in single player, I'm sure CraigChrist8239 does as well, as we don't care to get online, unless it's a testing reason.

Single Player
FPS string - 0x82032C5C
FPS nop - 0x8247D0AC
Ammo - 0x8251979C + 0x03
FPS Position left -> Right - 0x82012538
Jump - 0x82038270

Exo
Gamertag: 0x84300B14
XUID: 0x84300B60

TU4 was released at 2:21 am : Posted at 5:51 am

This is the last time I'm updating these, Stop selling friggen tools!

Bypasses
Time: 15 Minutes to 20 minutes. Why? enough to do a recovery or something.
Type of bypass: Free | Resourceful?: No
Instruction Changed into: li, r0, 0
Activators: 3C 00 00 00

TU4
0x822D5F80 addi r4, r1, 0xB0+var_60 | hex: 38 81 00 50
0x821CA2E8 mfspr r12, LR | hex: 7D 88 02 A6

What this so called 'bypass' does
0x822D5F80 lis r0, 0 //3C000000
0x821CA2E8 lis r0, 0 //3C000000

Multiplayer

EntryStats (not smart to use this)
0x83A66374
Credit to: SC58 for original Release | me for updating.

Aimbot (offhost)
0x82B6B494 - clientActive_t
0x82318FD0 - CL_SetViewAngles(int localClientNum, const float *angles)
clientActive_t + 0x3D68
CEntity_ClientOrgins - 0x82B1C1D4 + 0x14
Next Client - 0x20C
Credit to: Kyza

Load DLL in memory
.set DLLLoaderHook, 0x8213AAF0
.set LoadLibraryA, 0x8213AFD8
.set DLLLoaderString, 0x82088D11 /*didn't change*/

Patch.S
Code:
#The command I use for xepatcher (so i can ctrl+c+v)
#xepatcher -p defaultdllpatches.s -x default_mp.xex
#Game: Advanced Warfare TU: 0 through 4 Supported
#Author: Nicholasbroo
#How To find the functions required:
#  DLLHook: 60 00 00 00 7D 08 43 78 7D 08 43 78 3D 20 84
#  LoadLibraryA: 7D 88 02 A6 91 81 FF F8 94 21 FF A0 38 C1 00 50
#  DLLLoaderString: 61 74 65 3A 20 6F 62 6A 65 63 74 69 76 65 6E 75 (Go to SV_)
.globl _start
_start:
#Simply remove the # for the 3 lines under the TU you are patching.
#That way I won't have to have 2 .S files...
#####################
#### TU4 Patches ####
#####################
.set DLLLoaderHook, 0x8213AAF0
.set LoadLibraryA, 0x8213AFD8
.set DLLLoaderString, 0x82088D11
#####################
#### TU3 Patches ####
#####################
#.set DLLLoaderHook, 0x8213ABA0
#.set LoadLibraryA, 0x8213B088
#.set DLLLoaderString, 0x82088D11
#####################
#### TU2 Patches ####
#####################
#.set DLLLoaderHook, 0x8213ABA8
#.set LoadLibraryA, 0x8213B090
#.set DLLLoaderString, 0x82088D35
#####################
#### TU1 Patches ####
#####################
#.set DLLLoaderHook, 0x8213ABA0
#.set LoadLibraryA, 0x8213B088
#.set DLLLoaderString, 0x82088E45
#####################
#### TU0 Patches ####
#####################
#.set DLLLoaderHook, 0x8213A6E0
#.set LoadLibraryA, 0x8213ABC8
#.set DLLLoaderString, 0x8208718D
.long DLLLoaderString
.long (9f-0f)/4
0:
.string "game:\\dll_load.dll"
.align 1
9:
.long DLLLoaderHook
.long (9f-0f)/4
0:
lis %r11, DLLLoaderString@h
ori %r3, %r11, DLLLoaderString@l
bl (LoadLibraryA - (DLLLoaderHook + 0x8))
9:
# =======================================================
# End Patches
# =======================================================
.long 0xFFFFFFFF

Hudelems
g_hudelem_s - 0x83685D00
void __cdecl BG_LerpHudColors(int elem, int time, int toColor) - 0x826E7B88
Requirement: - 0x838180C0
void __cdecl BG_LerpHudFont(int elem, int time, int fontscale) - 0x826E7D10
int __cdecl HudElem_Alloc(int clientNum, int teamNum) - 0x825295D8
void __cdecl Scr_AddHudElem(int hud) - 0x824D8538

SetOrigin
G_SetOrigin(gentity_s *ent, const float *origin) - 0x824D31A8

Other
XamInputGetState - 0x8285A084
(DWORD) Level_Locals_t - 0x83817C00
game_va - 0x82385150
SP_trigger_radius - 0x821E9AB8
G_TempEntity - 0x824D3EF0
g_enableEarthquake - 0x8370D63C
Visionmass - 0x820066A0

FPS [Frames Per second]
FPS = 0x823B0A3C
FPS_Text = 0x820987E0
FpsPosition1Offset = 0x82062F1C /*(up&down)*/
FpsPosition2Offset = 0x82063234 /*(Left&Right)*/

Index's
G_SoundAliasIndex_t - 0x8283FC40
G_FindConfigstringIndex - 0x8281E630

Model Stuff
SetModel = 0x824D5650

Main Functions
Force Host = 0x82617AE0
SV_ExecuteClientCommand(client_s *cl, const char *s, int clientOK) - 0x8241DBA8
SV_GameSendServerCommand(int clientNum, int type, const char *text) - 0x8241A8F8
SV_SendClientStatMessage(void) - 0x82411720
ClientCommand - 0x8252FF50
SV_AddServerCommand - 0x824118B8
SV_SendServerCommand - 0x82411E90
Cbuff_addText = 0x824B41C8

Dvar Retrieving
Dvar_GetBool - 0x8238C5C8

Ammo
0x8281A144

Recoil
0x82640B24

Key_isDown
0x8261B270
Credit to: imGol2den for releasing | me for updating

CL_WritePacket
CL_WritePacket(int localclientnum) - 0x8261F510

Structs
playerState_s - 0x837E6A00 - additive - same
gentity_s - 0x8381CA00 - additive - same
client_s - 0x83E8FA80 - additive - same
mFlags - same

Fun Mods
Jump - 0x8206331C

Now the good stuff

Regarding Chams
Stored in: CG_Player
0x8267732C

Offhost Functions
onhost Redboxes: 0x826A422C | offhost Redboxes: 0x826A422C + 0x01

Setting Player Angles
void __cdecl SetTestClientViewAngle(int ent, const float *angles) - 0x8244C6E8
void __cdecl SetClientViewAngle(int ent, const float *angles) - 0x8252CED8

Warning: There's an issue here, they changed the structure for BG_GetWeaponIndexForName into a branch.

Weapon Giving
GivePlayerWeapon - 0x824D0CA8
GetWeaponIndexForName - 0x826C2AC8, 0x824D02A8, or 0x824D06A0
G_InitializeAmmo - 0x82526DE0
Credit to: sonido64 for original find.

Walk Nop
0x82536A34

Any TU

Button Monitoring
---- Int32 returned ----- hex ---
A = 1024 /* 0x400 */
B = 256 /* 0x100 */
Y = 0 /* 0x00 */
X = 48 /* 0x30 */
LT = 526336 /* 0x80800 */
RT = 1 /* 0x01 */
START = 8388608 /* 0x800000 */
BACK = NULL /* NULL */ // Removed
LB = 32768 /* 0x8000 */
RB = 16384 /* 0x4000 */
DPAD_LEFT = /* */ Removed
DPAD_RIGHT = /* */ Removed
DPAD_UP = /* */ Removed
DPAD_DOWN = /* */ Removed
LS = 8194 /* 0x2002 */
RS = 67108868 /* 0x4000004 */

Okay here's more

TU2

Offhost Functions

Redboxes
offset: 0x826A1FF5
function: I believe is: CG_Draw2d or
# void __cdecl PM_UpdateViewAngles(playerState_s *ps, float msec, usercmd_s *cmd, char handler)

Code:
Call:
How to Enable: byte[] ON = { 0x40 }, OFF = { 0x41 };
Example:
void Redboxes(bool isEnabled)
{
    uint RedboxesHost = 0x826A1FF5;
    byte[] ON = { 0x40 }, OFF = { 0x41 };
    switch (isEnabled)
    {
        case true:
            Jtag.SetMemory(RedboxesHost, ON);
            break;
        case false:
            Jtag.SetMemory(RedboxesHost, OFF);
            break;
    }
}

Chrome Players
Code:
* Add later
offset:

UAV
Code:
* Add later
offset:

Something new I found
Note: This is TU2 if you're not on TU2 then it will not work as the bytes shifted during TU1.

playerstate stuff so far
Code:
Player Laser Color = PlayerState + 0x1D
Item Objective Sonar Ping PlayerState+ 0x68 - Activators: 0x01 - 0x00 :
laser = PlayerState + 0x69 - Activators: 0x01 - 0x00

Code:
Here:
Function G_SetOrigin
Function Args G_SetOrigin(gentity_s *ent, const float *origin)
It's either this one or this one
0x824D1E80 : 0x824D1EE0
Too tired to test.

Code:
public static class Playerstate
{
    public static class Laser_Colors
    {
        // "default" is a C# keyword, so the identifier needs the @ prefix
        public static uint @default = 0x00,
                           yellow = 0x01,
                           red_big = 0x02,
                           none = 0x03,
                           blue_small = 0x04;
    }
}

Forgot to update this

TU2
Function: AnswerChallenges
SP: 0x826CA488 (PDWORD)
MP: 0x821CA3B8 (PDWORD)
//Hook it like so

SinglePlayer
Code:
HookFunctionStart((PDWORD)0x826CA488, (PDWORD)answerChallenges, (DWORD)answerChallengesHook);

MultiPlayer
Code:
HookFunctionStart((PDWORD)0x821CA3B8, (PDWORD)answerChallenges, (DWORD)answerChallengesHook);

Secret Room
found by: imGol2den
JRPC.CallVoid(Cbuf_addText, 0, "set ui_mapname mp_vlobby_room");

Force Host when people cannot force it with any dvar due to a playlist update.

Code:
void ForceHost(bool isactive)
{
    Byte[] On = { 0x60, 0x00, 0x00, 0x00 },
           Off = { 0x89, 0x6B, 0x00, 0x0C };
    Nick.SetMemory(0x82615F20, isactive ? On : Off);
}

Code:
ForceHost(true);
ForceHost(false);

Thanks bullet. ESP will be added soon enough enjoy guys because if people are going to sell stupid tools then I'll be releasing a lot of stuff. Expect chams to be released tomorrow afternoon.

Here's a basic ESP (via CBUF)
To draw player names through the wall
credit to Coder123

ESP names
Code:
Function to call: CBUF_ADDTEXT
------ Type --- Dvar -----
[bool] cg_allPlayerNamesVisible 1
[bool] cg_drawThroughWalls 1
[int] cg_overheadNamesMaxDist 99999

I don't see this a lot so screw it. part of ESP so hook this crap.

Example:
Code:
Search: 7D 2A 41 2E 4B FF
Function:
typedef void (_cdecl *R_AddCmdDrawStretchPic)(float x, float y, float w, float h, float xScale, float yScale, float xay, float yay, const float *color, int material);
R_AddCmdDrawStretchPic R_DrawImage = (R_AddCmdDrawStretchPic) 0x8229ABC8;

MW2: 0x8234F998
MW3: 0x:8241F038
GHOSTS: 0x8266AB90
AW: 0x8229ABC8 or 8229ACD0

Player Chams

As promised at 4pm, which I got annoyed about and bugged. Before we start refer to the flags I released.

Structure
Code:
public static class Chams
{
    /// <summary> This holds all the Render flags for Player Outlines or Full player color
    /// </summary>
    public static class renderFxFlags
    {
        public static Byte[] Kill = { 0x7F, 0xC6, 0xF3, 0x78 };

        public static class Player_Outlines
        {
            public static Byte[] Black = { 0x38, 0xC0, 0x00, 0x02 },
                                 Red = { 0x38, 0xC0, 0x00, 0x04 },
                                 Green = { 0x38, 0xC0, 0x00, 0x06 },
                                 Cyan = { 0x38, 0xC0, 0x00, 0x08 },
                                 Basic = { 0x38, 0xC0, 0x00, 0x08 },
                                 Orange = { 0x38, 0xC0, 0x00, 0x0A },
                                 Yellow = { 0x38, 0xC0, 0x00, 0x0C },
                                 Blue = { 0x38, 0xC0, 0x00, 0x0E };
        }

        public static class PlayerBodyColor_No_Outlines
        {
            public static Byte[] Red = { 0x38, 0xC0, 0x00, 0x12 },
                                 RedBold = { 0x38, 0xC0, 0x00, 0x14 },
                                 Green = { 0x38, 0xC0, 0x00, 0x16 },
                                 Cyan = { 0x38, 0xC0, 0x00, 0x18 },
                                 Orange = { 0x38, 0xC0, 0x00, 0x1A },
                                 Yellow = { 0x38, 0xC0, 0x00, 0x1C },
                                 Blue = { 0x38, 0xC0, 0x00, 0x1E };
        }
    }

    //Definer (static so the static method below can read it)
    static uint ChamsMP = 0x826754A4;

    static void SetChamsMP(Boolean isactive)
    {
        switch (isactive)
        {
            case true:
                Nick.SetMemory(ChamsMP, renderFxFlags.Player_Outlines.Yellow);
                break;
            case false:
                Nick.SetMemory(ChamsMP, renderFxFlags.Kill);
                break;
        }
    }
}

Call
Code:
SetChamsMP(true);
SetChamsMP(false);

I'm not sure whether you mean either "0x8229ABC8 or 8229ACD0" or as in you're not sure which lol, and I got 0x8229ACD0 btw for AddCmdDrawStretchPic
That's what I thought, it was one of the two I ported from MW2 so it's weird anyhow, aim me: TTGNicholasbroo1
Screw it, I keep being told to update offsets so have at it, also FYI, I will not respond to ignorant people quoting me.
Well Here as people don't understand what to do with loading a dll. First you will require a Patch.s file, I have everything here for you. Supporting all Tu's currently.

Code:
#How to patch: xepatcher -p defaultdllpatches.s -x default_mp.xex
#Game: Advanced Warfare TU: 0 through 3 Supported - Author: Nicholasbroo
.globl _start
_start:
#Simply remove the # for the 3 lines under the TU you are patching.
#That way I won't have to have 2 .S files...
#####################
#### TU3 Patches ####
#####################
.set DLLLoaderHook, 0x8213ABA0
.set LoadLibraryA, 0x8213B088
.set DLLLoaderString, 0x82088D11
#####################
#### TU2 Patches ####
#####################
#.set DLLLoaderHook, 0x8213ABA8
#.set LoadLibraryA, 0x8213B090
#.set DLLLoaderString, 0x82088D35
#####################
#### TU1 Patches ####
#####################
#.set DLLLoaderHook, 0x8213ABA0
#.set LoadLibraryA, 0x8213B088
#.set DLLLoaderString, 0x82088E45
#####################
#### TU0 Patches ####
#####################
#.set DLLLoaderHook, 0x8213A6E0
#.set LoadLibraryA, 0x8213ABC8
#.set DLLLoaderString, 0x8208718D
.long DLLLoaderString
.long (9f-0f)/4
0:
.string "game:\\dll_load.dll"
.align 1
9:
.long DLLLoaderHook
.long (9f-0f)/4
0:
lis %r11, DLLLoaderString@h
ori %r3, %r11, DLLLoaderString@l
bl (LoadLibraryA - (DLLLoaderHook + 0x8))
9:
# =======================================================
# End Patches
# =======================================================
.long 0xFFFFFFFF

How to Update this. Simply Search for these functions below

Code:
DLLHook: 60 00 00 00 7D 08 43 78 7D 08 43 78 3D 20 84
LoadLibraryA: 7D 88 02 A6 91 81 FF F8 94 21 FF A0 38 C1 00 50
DLLLoaderString: 61 74 65 3A 20 6F 62 6A 65 63 74 69 76 65 6E 75 (Go to SV_)