Untitled

mail@pastecode.io avatar
unknown
c_cpp
2 years ago
13 kB
15
Indexable
Never
#include <Windows.h>
#include <stdio.h>
#include <conio.h>
#include "leechcore.h"
#include "vmmdll.h"
#include <stdint.h>
#include <conio.h>
#include "Offsets.h"
#include "Vector.h"
#include "decrypt.h"

DWORD PID = 0;
QWORD baseAddress = 0;
QWORD kernelbase_dll = 0;

BOOL r6s_screamer_exit = FALSE;
HANDLE r6s_screamer_exit_event = NULL;
HANDLE r6s_screamer_thread = NULL;
unsigned char clientStateBuffer[0x4000 * 2];

#pragma comment(lib, "vmm")
#define _INITIALIZE_FROM_FPGA

template <typename T>
T read(ULONG64 address)
{
	T buf{};
	VMMDLL_MemRead(PID, address, (PBYTE)&buf, sizeof(T));
	return buf;

}

template <typename T>
void write(ULONG64 address, const T& buffer)
{
	VMMDLL_MemWrite(PID, address, (PBYTE)&buffer, sizeof(buffer));
}

uintptr_t get_localplayer() {

	uintptr_t GameProfileManagerOff = read<uintptr_t>(baseAddress + 0x70F3358);
	GameProfileManagerOff ^= 0x1F;
	GameProfileManagerOff += 0x32BA4DB6FE3789C;
	GameProfileManagerOff = _rotl64(GameProfileManagerOff, 0x22);
	GameProfileManagerOff = read<uintptr_t>(GameProfileManagerOff + 0x18);
	GameProfileManagerOff = _rotl64(GameProfileManagerOff, 0x09);
	GameProfileManagerOff = GameProfileManagerOff ^ 0xFC931941FCC7DAC4;
	GameProfileManagerOff += 0xD69097B48E7145DC;
	GameProfileManagerOff = read<uintptr_t>(GameProfileManagerOff);
	uintptr_t lp = read<uintptr_t>(GameProfileManagerOff + 0x78);
	lp = _rotl64(lp, 0x24);
	lp += 0x712A106305214C0B;
	lp ^= 0xA4E6A64C5A990EF5;
	return lp;
}
uintptr_t GetWeaponInfo()
{
	uint64_t weaponInfo = get_localplayer();

	uintptr_t pawn = read<uintptr_t>(weaponInfo + 0x48);
	pawn += 0xFFFFFFFFFFFFFF81;
	pawn = _rotl64(pawn, 0x3E);
	pawn += 0xFFFFFFFFFFFFFFBD;

	uintptr_t playercomp = read<uintptr_t>(pawn + 0x18);
	BYTE compsize =read<DWORD>(playercomp + 0xD8 + 8);
	uintptr_t address = read<uintptr_t>(playercomp +0xD8);


	BYTE compidx =read<BYTE>(playercomp + 0x1C8);
	uintptr_t weaponcomp = read<uintptr_t>(address + compidx * 0x8);
	uintptr_t _link = read<uintptr_t>(weaponcomp + 0x758);
	_link = read<uintptr_t>(_link);
	weaponInfo = read<uintptr_t>(_link + 0x1C0);
	weaponInfo = read<uintptr_t>(weaponInfo + 0x228);
	weaponInfo -= 0x1F;
	return weaponInfo;
}

uint64_t GetEntityInfo(uint64_t entity)
{
	uint64_t info = read<uint64_t>(entity + 0x40);
	info = _rotl64(info, 0x4);
	info ^= 0x64;
	info += 0xA82E9E31642CBD5B;

	return info;
}

uintptr_t GetEntityList()
{
	uint64_t gameManager = read<uint64_t>(baseAddress + OFFSET_GAME_MANAGER);
	uint64_t entityList = read<uint64_t>(gameManager + 0x58);
	entityList = Decryption::ent64(entityList);

	return entityList;
}

int GetRoundState()
{
	uintptr_t round_manager = read<uintptr_t>(baseAddress + OFFSET_ROUNDMANAGER);
	round_manager -= 0x29;
	round_manager = _rotl64(round_manager, 0x2B);
	DWORD current_round = read<DWORD>(0xFE552E25D3FD5C9C + round_manager);
	current_round -= 0x69;
	current_round = _rotl(current_round, 0x11);
	current_round -= 1768172663;
	return current_round;
}
DWORD encrypt(float to_set) {
	DWORD transformed = *(DWORD*)&to_set;
	transformed ^= 0x58D3328F;
	transformed -= 0xDA6B7575;
	return transformed;
}
DWORD encrypt_recoil_horiz(float to_crypt) {
	DWORD buffer = *(DWORD*)&to_crypt;
	buffer -= 0x3a0f1a60;
	buffer = _rotr(buffer, 0x14);
	buffer ^= 0x27fecff9;
	return buffer;
}

DWORD encrypt_recoil_vertical(float to_crypt) {
	DWORD buffer = *(DWORD*)&to_crypt;
	buffer = _rotr(buffer, 0x19);
	buffer ^= 0x4152A15;
	buffer = _rotr(buffer, 0x6);
	return buffer;
}


void noRecoil() {

	write<BYTE>(GetWeaponInfo() + 0x68, 0x8B);

	write<DWORD>(GetWeaponInfo() + 0xFC, encrypt_recoil_vertical(0.24));
	write<DWORD>(GetWeaponInfo() + 0x104, encrypt_recoil_horiz(0.27));//left to right
	//write<DWORD>(GetWeaponInfo() + 0x170, encrypt(0));

}


int GetShiftIndex(uint8_t flag)
{
	switch (flag)
	{
	case 31:
		return 2;
	case 32:
		return 1;
	default:
		return 0;
	}
}


uint64_t GetContentManager()
{
	auto contentManagerEncrypted = read<uint64_t>(baseAddress + ContentManager);
	contentManagerEncrypted = read<uint64_t>(contentManagerEncrypted + 0x30);
	auto contentManagerDecrypted = read<uint64_t>(_rotl64((contentManagerEncrypted - 0x2AC930CD66630F20) ^ 0xD7F3CA1161C2BFFF, 0x13));
	return read<uint64_t>(contentManagerDecrypted + 0x980);
}

BOOL WINAPI ControlHandler(DWORD signal)
{
	if ((signal == CTRL_C_EVENT || signal == CTRL_LOGOFF_EVENT || signal == CTRL_SHUTDOWN_EVENT) &&
		r6s_screamer_exit_event != NULL)
	{
		printf("Shutting down\n");

		r6s_screamer_exit = TRUE;

		HANDLE events[2] = {
			r6s_screamer_exit_event,
			r6s_screamer_thread
		};

		WaitForMultipleObjects(ARRAYSIZE(events), (const HANDLE*)&events, TRUE, 1000);

		for (int i = 0u; i < ARRAYSIZE(events); i++)
		{
			CloseHandle(events[i]);
		}

		ExitProcess(EXIT_SUCCESS);
	}

	return FALSE;
}

Vector4 encryptvec(Vector4 vec) {


	//^ E979CABAC1B488EB
	uintptr_t first = *(uintptr_t*)&vec;
	uintptr_t second = *(uintptr_t*)((uintptr_t)&vec + 8);

	first ^= 0xE979CABAC1B488EB;
	second ^= 0xE979CABAC1B488EB;

	Vector4 toret;
	*(uintptr_t*)&toret = first;
	*(uintptr_t*)((uintptr_t)&toret + 8) = second;
	return toret;




}


DWORD team_encrypt(DWORD orig) {
	DWORD copy = orig;
	copy = _rotr(copy, 5);
	copy ^= 0xDEC54E84;
	copy -= 0x587DDA09;
	return copy;
}

DWORD team_decrypt(DWORD encr) {
	DWORD copy = encr;
	copy += 0x587DDA09;
	copy ^= 0xDEC54E84;
	copy = _rotl(copy, 5);
	return copy;
}

DWORD encrypt_thickness(float to_set) {
	DWORD crypt = *(DWORD*)&to_set;
	crypt ^= 0x3E21C6EA;
	crypt += 0x6E;
	crypt ^= 0x75;
	return crypt;
}
struct R6List {
	DWORD size : 30;
};

uintptr_t entity_by_id(int idx) {
	uintptr_t GameManager = read<uintptr_t>(baseAddress + OFFSET_GAME_MANAGER);
	GameManager += 0x1AA251C586572660;
	GameManager ^= 0x50;
	GameManager -= 0x48;
	uintptr_t buffer = read<uintptr_t>(GameManager + 0x148);
	buffer -= 0x9;
	buffer ^= 0x75;
	buffer -= 0x7A;
	return read<uintptr_t>(buffer + idx * sizeof(void*));
}

BYTE get_team(uintptr_t entity) {
	uintptr_t information = read<uintptr_t>(entity + 0x78);
	information = _rotl64(information, 0x1E);
	information ^= 0x9BAEB47E38D89857;
	information = _rotl64(information, 0x22);
	BYTE team =  read<BYTE>(information + 0x200);
	return team;
}

DWORD get_entitylist_size() {
	uintptr_t GameManager = read<uintptr_t>(baseAddress + OFFSET_GAME_MANAGER);
	GameManager += 0x1AA251C586572660;
	GameManager ^= 0x50;
	GameManager -= 0x48;
	uintptr_t list = read<uintptr_t>(GameManager + 0x150);
	list -= 0x9;
	list ^= 0x75;
	list -= 0x7A;
	DWORD realcount = list & 0x3FFFFFFF;
	return realcount;
}


int get_health(uintptr_t entity) {
	uintptr_t pawn = read<uintptr_t>(entity + 0x48);
	pawn += 0xFFFFFFFFFFFFFF81;
	pawn = _rotl64(pawn, 0x3E);
	pawn += 0xFFFFFFFFFFFFFFBD;
	uintptr_t playercomp = read<uintptr_t>(pawn + 0x18);
	if (!playercomp)
		return 0;

	uintptr_t complistaddy = read<uintptr_t>(playercomp + 0xD8);
	if (!complistaddy)
		return 0;
	uintptr_t healthcomp = read<uintptr_t>(complistaddy + sizeof(PVOID));
	if (!healthcomp)
		return 0;
	return read<int>(healthcomp + 0x170);

}



uintptr_t find_entry_in_array(uintptr_t GmComponent, uintptr_t playercompaddy, int size) {
	uintptr_t currentArray = read<uintptr_t>(GmComponent + 0x70);
	currentArray ^= 0xD90547E44EAF272D;
	for (int i = 0; i < size; i++) {
		uintptr_t current = read<uintptr_t>(currentArray + i * 0x68 + 0x28);
		current += 0xAB2B1D310A893BD7;
		current = _rotl64(current, 0x27);
		current ^= 0x75968367CCA339B9;
		uintptr_t currentplayercomp = read<uintptr_t>(current);
		if (currentplayercomp == playercompaddy)
			return currentArray + i * 0x68 + 0x28;
	}
	return 0;
}

bool set_once = false;
void outlineglow() {
	while (true) {
		uintptr_t gamemanager = read<uintptr_t>(baseAddress + OFFSET_GAME_MANAGER);
		gamemanager += 0x1AA251C586572660;
		gamemanager ^= 0x50;
		gamemanager = read<uintptr_t>(gamemanager + 0x70);
		gamemanager = _rotl64(gamemanager, 48);
		gamemanager ^= 0x73;
		gamemanager -= 86;

		uintptr_t GMComponentMarkAndOutline = read<uintptr_t>(gamemanager + 0xBe8);
		write<BYTE>(GMComponentMarkAndOutline + 0x60, 0xE8);


		uintptr_t weirddefbeef = read<uintptr_t>(baseAddress + 0x70657C0);
		weirddefbeef = _rotl64(weirddefbeef, 0x12);
		weirddefbeef ^= 0x2DEB704E30D56497;
		weirddefbeef = _rotl64(weirddefbeef, 0xE);
		write<DWORD>(weirddefbeef + 0x14, encrypt_thickness(15));

		if (GetRoundState() == 3 || GetRoundState() == 2) {
			Sleep(100);
			if (!set_once) {

				uintptr_t outlinesize = read<uintptr_t>(GMComponentMarkAndOutline + 0x78);
				uintptr_t size = outlinesize ^ 0xD90547E44EAF272D;
				uintptr_t arrsize = size & 0x3FFFFFFF;
				if (arrsize > 1) {
					DWORD listsize = get_entitylist_size();
					
					Vector4 enemycolor = encryptvec(Vector4(1, 0, 0, 1));
					Vector4 teamcolor = encryptvec(Vector4(0, 1, 0, 1));
					for (int i = 0; i < listsize; i++) {
					
						uintptr_t current = entity_by_id(i);
						if (!current)
							continue;
						if (get_health(current) <= 0)
							continue;
						if (get_team(current) == get_team(get_localplayer()))
							continue;
						uintptr_t info = read<uintptr_t>(current + 0x78);
						info = _rotl64(info, 0x1E);
						info ^= 0x9BAEB47E38D89857;
						info = _rotl64(info, 0x22);
						if (!info)
							continue;
						uintptr_t info2 = read<uintptr_t>(info + 0x208);
						info2 += 0x4E04557F322F9EE0;
						info2 ^= 0xE19C86C4579EC185;
						info2 -= 0x64;
						if (!info2)
							continue;

						uintptr_t pawn = read<uintptr_t>(current + 0x48);
						pawn += 0xFFFFFFFFFFFFFF81;
						pawn = _rotl64(pawn, 0x3E);
						pawn += 0xFFFFFFFFFFFFFFBD;
						uintptr_t playercomp = read<uintptr_t>(pawn + 0x18);
						DWORD team = team_decrypt(read<DWORD>(info2 + 0x50));
						uintptr_t InArray = find_entry_in_array(GMComponentMarkAndOutline, playercomp, arrsize);
						printf("Found enemy [%p] Pos in array: %p\n", info2, InArray);
						if (!InArray)
							continue;
						uintptr_t nullentity = 0x0;
						nullentity ^= 0x75968367CCA339B9;
						nullentity = _rotr64(nullentity, 0x27);
						nullentity -= 0xAB2B1D310A893BD7;
						if (team == 3) {

							write<Vector4>(GMComponentMarkAndOutline + 0x50, enemycolor);
							Sleep(5);
							write<DWORD>(info2 + 0x50, team_encrypt(4));
							Sleep(50);
							write<uintptr_t>(InArray, nullentity);
							Sleep(10);
							write<DWORD>(info2 + 0x50, team_encrypt(3));
							printf("Spoofed entity [%i]\n", i);
						}
						else
						{
							write<Vector4>(GMComponentMarkAndOutline + 0x50, enemycolor);
							Sleep(5);
							write<DWORD>(info2 + 0x50, team_encrypt(3));
							Sleep(50);
							write<uintptr_t>(InArray, nullentity);
							Sleep(10);
							write<DWORD>(info2 + 0x50, team_encrypt(4));
							printf("Spoofed entity [%i]\n", i);
						}
					}
					Sleep(10);
					write<Vector4>(GMComponentMarkAndOutline + 0x50, teamcolor);
					set_once = true;
				}
			}
		}
		else
			set_once = false;

		
		Sleep(2);
	}
	
}


int main(_In_ int argc, _In_ char* argv[])
{
	BOOL result;
	NTSTATUS nt;
	DWORD i, dwPID;
	DWORD dw = 0;
	QWORD va;
	BYTE pbPage1[0x1000], pbPage2[0x1000];

#ifdef _INITIALIZE_FROM_FPGA
	printf("------------------------------------------------------------\n");
	printf("#01: Initialize from FPGA:                                  \n");
	printf("CALL:    VMMDLL_Initialize\n");
	LPSTR args[] = { (LPSTR)"", (LPSTR)"-device", (LPSTR)"FPGA" };
	result = VMMDLL_Initialize(3, args);
	if (result) {
		printf("SUCCESS: VMMDLL_Initialize\n");
	}
	else {
		printf("FAIL:    VMMDLL_Initialize\n");
		return 1;
	}
	ULONG64 qwID, qwVersionMajor, qwVersionMinor;
	result =
		VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_FPGA_ID, &qwID) &&
		VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_VERSION_MAJOR, &qwVersionMajor) &&
		VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_VERSION_MINOR, &qwVersionMinor);

	if (!result) {
		printf("FAIL:    VMMDLL_ConfigGet\n");
		return 1;
	}

	ULONG64 qwReadDelay;
	result = VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_DELAY_READ, &qwReadDelay);
	if (!result) {
		printf("FAIL:    VMMDLL_ConfigGet\n");
		return 1;
	}
#endif


	/////Comp 
	LPSTR R6Sexename = (LPSTR)"RainbowSix.exe";
	LPSTR krnlDLLname = (LPSTR)"kernelbase.dll";
	//////

	VMMDLL_PidGetFromName(R6Sexename, &PID);
	baseAddress = VMMDLL_ProcessGetModuleBase(PID, R6Sexename);
	kernelbase_dll = VMMDLL_ProcessGetModuleBase(PID, krnlDLLname);
	
	// No Loop Funcs
	CreateThread(0, 0, (LPTHREAD_START_ROUTINE)outlineglow, 0, 0, 0); //We need this in a seperate thread
	while (!r6s_screamer_exit)
	{
		if (PID == 0)
			break;

		Sleep(1000);

		//patchless_outlines();
		//spoof_spectate();
		//UnlockOps();

		if ((GetRoundState() == 2 || (GetRoundState() == 3))) {
			noRecoil();
			////caveira();
			//glow();
		}

	}
}