Untitled
unknown
c_cpp
3 years ago
13 kB
58
Indexable
#include <Windows.h>
#include <stdio.h>
#include <conio.h>
#include "leechcore.h"
#include "vmmdll.h"
#include <stdint.h>
#include <conio.h>
#include "Offsets.h"
#include "Vector.h"
#include "decrypt.h"
DWORD PID = 0;
QWORD baseAddress = 0;
QWORD kernelbase_dll = 0;
BOOL r6s_screamer_exit = FALSE;
HANDLE r6s_screamer_exit_event = NULL;
HANDLE r6s_screamer_thread = NULL;
unsigned char clientStateBuffer[0x4000 * 2];
#pragma comment(lib, "vmm")
#define _INITIALIZE_FROM_FPGA
template <typename T>
T read(ULONG64 address)
{
T buf{};
VMMDLL_MemRead(PID, address, (PBYTE)&buf, sizeof(T));
return buf;
}
template <typename T>
void write(ULONG64 address, const T& buffer)
{
VMMDLL_MemWrite(PID, address, (PBYTE)&buffer, sizeof(buffer));
}
uintptr_t get_localplayer() {
uintptr_t GameProfileManagerOff = read<uintptr_t>(baseAddress + 0x70F3358);
GameProfileManagerOff ^= 0x1F;
GameProfileManagerOff += 0x32BA4DB6FE3789C;
GameProfileManagerOff = _rotl64(GameProfileManagerOff, 0x22);
GameProfileManagerOff = read<uintptr_t>(GameProfileManagerOff + 0x18);
GameProfileManagerOff = _rotl64(GameProfileManagerOff, 0x09);
GameProfileManagerOff = GameProfileManagerOff ^ 0xFC931941FCC7DAC4;
GameProfileManagerOff += 0xD69097B48E7145DC;
GameProfileManagerOff = read<uintptr_t>(GameProfileManagerOff);
uintptr_t lp = read<uintptr_t>(GameProfileManagerOff + 0x78);
lp = _rotl64(lp, 0x24);
lp += 0x712A106305214C0B;
lp ^= 0xA4E6A64C5A990EF5;
return lp;
}
uintptr_t GetWeaponInfo()
{
uint64_t weaponInfo = get_localplayer();
uintptr_t pawn = read<uintptr_t>(weaponInfo + 0x48);
pawn += 0xFFFFFFFFFFFFFF81;
pawn = _rotl64(pawn, 0x3E);
pawn += 0xFFFFFFFFFFFFFFBD;
uintptr_t playercomp = read<uintptr_t>(pawn + 0x18);
BYTE compsize =read<DWORD>(playercomp + 0xD8 + 8);
uintptr_t address = read<uintptr_t>(playercomp +0xD8);
BYTE compidx =read<BYTE>(playercomp + 0x1C8);
uintptr_t weaponcomp = read<uintptr_t>(address + compidx * 0x8);
uintptr_t _link = read<uintptr_t>(weaponcomp + 0x758);
_link = read<uintptr_t>(_link);
weaponInfo = read<uintptr_t>(_link + 0x1C0);
weaponInfo = read<uintptr_t>(weaponInfo + 0x228);
weaponInfo -= 0x1F;
return weaponInfo;
}
uint64_t GetEntityInfo(uint64_t entity)
{
uint64_t info = read<uint64_t>(entity + 0x40);
info = _rotl64(info, 0x4);
info ^= 0x64;
info += 0xA82E9E31642CBD5B;
return info;
}
uintptr_t GetEntityList()
{
uint64_t gameManager = read<uint64_t>(baseAddress + OFFSET_GAME_MANAGER);
uint64_t entityList = read<uint64_t>(gameManager + 0x58);
entityList = Decryption::ent64(entityList);
return entityList;
}
int GetRoundState()
{
uintptr_t round_manager = read<uintptr_t>(baseAddress + OFFSET_ROUNDMANAGER);
round_manager -= 0x29;
round_manager = _rotl64(round_manager, 0x2B);
DWORD current_round = read<DWORD>(0xFE552E25D3FD5C9C + round_manager);
current_round -= 0x69;
current_round = _rotl(current_round, 0x11);
current_round -= 1768172663;
return current_round;
}
DWORD encrypt(float to_set) {
DWORD transformed = *(DWORD*)&to_set;
transformed ^= 0x58D3328F;
transformed -= 0xDA6B7575;
return transformed;
}
DWORD encrypt_recoil_horiz(float to_crypt) {
DWORD buffer = *(DWORD*)&to_crypt;
buffer -= 0x3a0f1a60;
buffer = _rotr(buffer, 0x14);
buffer ^= 0x27fecff9;
return buffer;
}
DWORD encrypt_recoil_vertical(float to_crypt) {
DWORD buffer = *(DWORD*)&to_crypt;
buffer = _rotr(buffer, 0x19);
buffer ^= 0x4152A15;
buffer = _rotr(buffer, 0x6);
return buffer;
}
void noRecoil() {
write<BYTE>(GetWeaponInfo() + 0x68, 0x8B);
write<DWORD>(GetWeaponInfo() + 0xFC, encrypt_recoil_vertical(0.24));
write<DWORD>(GetWeaponInfo() + 0x104, encrypt_recoil_horiz(0.27));//left to right
//write<DWORD>(GetWeaponInfo() + 0x170, encrypt(0));
}
int GetShiftIndex(uint8_t flag)
{
switch (flag)
{
case 31:
return 2;
case 32:
return 1;
default:
return 0;
}
}
uint64_t GetContentManager()
{
auto contentManagerEncrypted = read<uint64_t>(baseAddress + ContentManager);
contentManagerEncrypted = read<uint64_t>(contentManagerEncrypted + 0x30);
auto contentManagerDecrypted = read<uint64_t>(_rotl64((contentManagerEncrypted - 0x2AC930CD66630F20) ^ 0xD7F3CA1161C2BFFF, 0x13));
return read<uint64_t>(contentManagerDecrypted + 0x980);
}
BOOL WINAPI ControlHandler(DWORD signal)
{
if ((signal == CTRL_C_EVENT || signal == CTRL_LOGOFF_EVENT || signal == CTRL_SHUTDOWN_EVENT) &&
r6s_screamer_exit_event != NULL)
{
printf("Shutting down\n");
r6s_screamer_exit = TRUE;
HANDLE events[2] = {
r6s_screamer_exit_event,
r6s_screamer_thread
};
WaitForMultipleObjects(ARRAYSIZE(events), (const HANDLE*)&events, TRUE, 1000);
for (int i = 0u; i < ARRAYSIZE(events); i++)
{
CloseHandle(events[i]);
}
ExitProcess(EXIT_SUCCESS);
}
return FALSE;
}
Vector4 encryptvec(Vector4 vec) {
//^ E979CABAC1B488EB
uintptr_t first = *(uintptr_t*)&vec;
uintptr_t second = *(uintptr_t*)((uintptr_t)&vec + 8);
first ^= 0xE979CABAC1B488EB;
second ^= 0xE979CABAC1B488EB;
Vector4 toret;
*(uintptr_t*)&toret = first;
*(uintptr_t*)((uintptr_t)&toret + 8) = second;
return toret;
}
DWORD team_encrypt(DWORD orig) {
DWORD copy = orig;
copy = _rotr(copy, 5);
copy ^= 0xDEC54E84;
copy -= 0x587DDA09;
return copy;
}
DWORD team_decrypt(DWORD encr) {
DWORD copy = encr;
copy += 0x587DDA09;
copy ^= 0xDEC54E84;
copy = _rotl(copy, 5);
return copy;
}
DWORD encrypt_thickness(float to_set) {
DWORD crypt = *(DWORD*)&to_set;
crypt ^= 0x3E21C6EA;
crypt += 0x6E;
crypt ^= 0x75;
return crypt;
}
struct R6List {
DWORD size : 30;
};
uintptr_t entity_by_id(int idx) {
uintptr_t GameManager = read<uintptr_t>(baseAddress + OFFSET_GAME_MANAGER);
GameManager += 0x1AA251C586572660;
GameManager ^= 0x50;
GameManager -= 0x48;
uintptr_t buffer = read<uintptr_t>(GameManager + 0x148);
buffer -= 0x9;
buffer ^= 0x75;
buffer -= 0x7A;
return read<uintptr_t>(buffer + idx * sizeof(void*));
}
BYTE get_team(uintptr_t entity) {
uintptr_t information = read<uintptr_t>(entity + 0x78);
information = _rotl64(information, 0x1E);
information ^= 0x9BAEB47E38D89857;
information = _rotl64(information, 0x22);
BYTE team = read<BYTE>(information + 0x200);
return team;
}
DWORD get_entitylist_size() {
uintptr_t GameManager = read<uintptr_t>(baseAddress + OFFSET_GAME_MANAGER);
GameManager += 0x1AA251C586572660;
GameManager ^= 0x50;
GameManager -= 0x48;
uintptr_t list = read<uintptr_t>(GameManager + 0x150);
list -= 0x9;
list ^= 0x75;
list -= 0x7A;
DWORD realcount = list & 0x3FFFFFFF;
return realcount;
}
int get_health(uintptr_t entity) {
uintptr_t pawn = read<uintptr_t>(entity + 0x48);
pawn += 0xFFFFFFFFFFFFFF81;
pawn = _rotl64(pawn, 0x3E);
pawn += 0xFFFFFFFFFFFFFFBD;
uintptr_t playercomp = read<uintptr_t>(pawn + 0x18);
if (!playercomp)
return 0;
uintptr_t complistaddy = read<uintptr_t>(playercomp + 0xD8);
if (!complistaddy)
return 0;
uintptr_t healthcomp = read<uintptr_t>(complistaddy + sizeof(PVOID));
if (!healthcomp)
return 0;
return read<int>(healthcomp + 0x170);
}
uintptr_t find_entry_in_array(uintptr_t GmComponent, uintptr_t playercompaddy, int size) {
uintptr_t currentArray = read<uintptr_t>(GmComponent + 0x70);
currentArray ^= 0xD90547E44EAF272D;
for (int i = 0; i < size; i++) {
uintptr_t current = read<uintptr_t>(currentArray + i * 0x68 + 0x28);
current += 0xAB2B1D310A893BD7;
current = _rotl64(current, 0x27);
current ^= 0x75968367CCA339B9;
uintptr_t currentplayercomp = read<uintptr_t>(current);
if (currentplayercomp == playercompaddy)
return currentArray + i * 0x68 + 0x28;
}
return 0;
}
bool set_once = false;
void outlineglow() {
while (true) {
uintptr_t gamemanager = read<uintptr_t>(baseAddress + OFFSET_GAME_MANAGER);
gamemanager += 0x1AA251C586572660;
gamemanager ^= 0x50;
gamemanager = read<uintptr_t>(gamemanager + 0x70);
gamemanager = _rotl64(gamemanager, 48);
gamemanager ^= 0x73;
gamemanager -= 86;
uintptr_t GMComponentMarkAndOutline = read<uintptr_t>(gamemanager + 0xBe8);
write<BYTE>(GMComponentMarkAndOutline + 0x60, 0xE8);
uintptr_t weirddefbeef = read<uintptr_t>(baseAddress + 0x70657C0);
weirddefbeef = _rotl64(weirddefbeef, 0x12);
weirddefbeef ^= 0x2DEB704E30D56497;
weirddefbeef = _rotl64(weirddefbeef, 0xE);
write<DWORD>(weirddefbeef + 0x14, encrypt_thickness(15));
if (GetRoundState() == 3 || GetRoundState() == 2) {
Sleep(100);
if (!set_once) {
uintptr_t outlinesize = read<uintptr_t>(GMComponentMarkAndOutline + 0x78);
uintptr_t size = outlinesize ^ 0xD90547E44EAF272D;
uintptr_t arrsize = size & 0x3FFFFFFF;
if (arrsize > 1) {
DWORD listsize = get_entitylist_size();
Vector4 enemycolor = encryptvec(Vector4(1, 0, 0, 1));
Vector4 teamcolor = encryptvec(Vector4(0, 1, 0, 1));
for (int i = 0; i < listsize; i++) {
uintptr_t current = entity_by_id(i);
if (!current)
continue;
if (get_health(current) <= 0)
continue;
if (get_team(current) == get_team(get_localplayer()))
continue;
uintptr_t info = read<uintptr_t>(current + 0x78);
info = _rotl64(info, 0x1E);
info ^= 0x9BAEB47E38D89857;
info = _rotl64(info, 0x22);
if (!info)
continue;
uintptr_t info2 = read<uintptr_t>(info + 0x208);
info2 += 0x4E04557F322F9EE0;
info2 ^= 0xE19C86C4579EC185;
info2 -= 0x64;
if (!info2)
continue;
uintptr_t pawn = read<uintptr_t>(current + 0x48);
pawn += 0xFFFFFFFFFFFFFF81;
pawn = _rotl64(pawn, 0x3E);
pawn += 0xFFFFFFFFFFFFFFBD;
uintptr_t playercomp = read<uintptr_t>(pawn + 0x18);
DWORD team = team_decrypt(read<DWORD>(info2 + 0x50));
uintptr_t InArray = find_entry_in_array(GMComponentMarkAndOutline, playercomp, arrsize);
printf("Found enemy [%p] Pos in array: %p\n", info2, InArray);
if (!InArray)
continue;
uintptr_t nullentity = 0x0;
nullentity ^= 0x75968367CCA339B9;
nullentity = _rotr64(nullentity, 0x27);
nullentity -= 0xAB2B1D310A893BD7;
if (team == 3) {
write<Vector4>(GMComponentMarkAndOutline + 0x50, enemycolor);
Sleep(5);
write<DWORD>(info2 + 0x50, team_encrypt(4));
Sleep(50);
write<uintptr_t>(InArray, nullentity);
Sleep(10);
write<DWORD>(info2 + 0x50, team_encrypt(3));
printf("Spoofed entity [%i]\n", i);
}
else
{
write<Vector4>(GMComponentMarkAndOutline + 0x50, enemycolor);
Sleep(5);
write<DWORD>(info2 + 0x50, team_encrypt(3));
Sleep(50);
write<uintptr_t>(InArray, nullentity);
Sleep(10);
write<DWORD>(info2 + 0x50, team_encrypt(4));
printf("Spoofed entity [%i]\n", i);
}
}
Sleep(10);
write<Vector4>(GMComponentMarkAndOutline + 0x50, teamcolor);
set_once = true;
}
}
}
else
set_once = false;
Sleep(2);
}
}
int main(_In_ int argc, _In_ char* argv[])
{
BOOL result;
NTSTATUS nt;
DWORD i, dwPID;
DWORD dw = 0;
QWORD va;
BYTE pbPage1[0x1000], pbPage2[0x1000];
#ifdef _INITIALIZE_FROM_FPGA
printf("------------------------------------------------------------\n");
printf("#01: Initialize from FPGA: \n");
printf("CALL: VMMDLL_Initialize\n");
LPSTR args[] = { (LPSTR)"", (LPSTR)"-device", (LPSTR)"FPGA" };
result = VMMDLL_Initialize(3, args);
if (result) {
printf("SUCCESS: VMMDLL_Initialize\n");
}
else {
printf("FAIL: VMMDLL_Initialize\n");
return 1;
}
ULONG64 qwID, qwVersionMajor, qwVersionMinor;
result =
VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_FPGA_ID, &qwID) &&
VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_VERSION_MAJOR, &qwVersionMajor) &&
VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_VERSION_MINOR, &qwVersionMinor);
if (!result) {
printf("FAIL: VMMDLL_ConfigGet\n");
return 1;
}
ULONG64 qwReadDelay;
result = VMMDLL_ConfigGet(LEECHCORE_OPT_FPGA_DELAY_READ, &qwReadDelay);
if (!result) {
printf("FAIL: VMMDLL_ConfigGet\n");
return 1;
}
#endif
/////Comp
LPSTR R6Sexename = (LPSTR)"RainbowSix.exe";
LPSTR krnlDLLname = (LPSTR)"kernelbase.dll";
//////
VMMDLL_PidGetFromName(R6Sexename, &PID);
baseAddress = VMMDLL_ProcessGetModuleBase(PID, R6Sexename);
kernelbase_dll = VMMDLL_ProcessGetModuleBase(PID, krnlDLLname);
// No Loop Funcs
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)outlineglow, 0, 0, 0); //We need this in a seperate thread
while (!r6s_screamer_exit)
{
if (PID == 0)
break;
Sleep(1000);
//patchless_outlines();
//spoof_spectate();
//UnlockOps();
if ((GetRoundState() == 2 || (GetRoundState() == 3))) {
noRecoil();
////caveira();
//glow();
}
}
}
Editor is loading...