View Full Version : [Split]Engine Hacks
osGb`
24th August 2004, 21:54
hm...
let me start off by saying:
evilhack clones and the like can't hold a candle to UEngine hooking...
I was the first person to create a UEngine Client Hook about ~4 years ago in the Unreal 1 Engine; as you saw above, the post with the attached HelioS Engine hook is indeed true.
[ELF] (the hacking group that HelioS and I both are from) has achieved engine hacks in the UE2 engine, the screenshot you see from AA is just 1 of the many games that are able to be exploited since the engine has been so kind to be nearly unchanged (core) for 8+ years now.
In all actuality and truth though I do not kid you and I am not lying when I tell you that having access to the engine is naturally 10 times better than render device hacking...
if you say my words are hogwash, I present to you the following:
a) a demonstration (movie) of my old Unreal 1 Engine Hook in action:
- http://osgb.game-deception.com/osgb/demo-movie2.zip
b) screenshots;
- http://osgb.game-deception.com/osgb/2k4_Hook/
c) Both of my Tutorials (proof of concept src code releases) on the G-D forum for both UEngine 1 and recently UEngine 2
- http://forum.game-deception.com/showthread.php?t=1960 (UE1)
- http://forum.game-deception.com/showthread.php?t=4909 (UE2)
The actual base hook - proof of concept (hello world) hook for UE1 wasn't posted until a year ago, but my first binary release from dabbling with the Engine spans back 3-4 years now. -> An old recompiled OpenGL Driver with Engine access hooked and used within.
General Note about cheat related material in both UE1 and UE2: what you saw in demo-movie has also been accomplished in the Unreal 2 Engine, as you may say "but that is ut1 ..."
General Note about HOOKING in UE2: obviously you won't be able to make a full client hook without an SDK, as any seasoned programmer will know immediately. Although note my point about Core in the coming paragraph.
and on that note; UE1 though is open sourced - at least in the respect to its public headers.
Native programming is still possible in both games, but then again -> headers.
The Idea behind the UE2 hook is the fact that Core (.dll, .u) -> has NOT changed since Unreal 1's release 8 years ago, therefore the 432 headers will still work with my proof of concept release for UE2 engine.
Engine of course has changed, drastically, from u1, to ut, to ut2k3, to ut2k4 and so on - (AA being based off of UE2 in this case so that too has changed)
ok so with that being said how does one actually make a client hook (as you see in HelioS's screenshot, surely that is just that - a FULLY functional client hook for an engine with NO SDK?) for a game that runs on the Unreal 2 Engine?
wellllll, that's what we like to call majic ;]
reverse engineering is a wonderful thing and having a tool that generates both a .h and .lib from the modules is a god send. of course said tool is not available to the public seeing as though I and others were never able to find one when we searched for it, making one though is another story.
I hope this opens some people's eyes, aimbots made from ViewRotations are - (naturally) far superior to any render device aimbot, always will have been, always will be. That's what makes hacking the unreal engine so fun, and so 'dangerous' - its that same cheat friendly atmosphere that draws people to it.
-[ELF]osGb`-
daenerys
24th August 2004, 22:26
hm...
let me start off by saying:
evilhack clones and the like cant hold a candle to UEngine hooking...
wow... this is like Close Encounters of the 3d Kind... lol... i almost shit my pants...
respect....
osGb`
24th August 2004, 22:47
if you say my words are hogwash I present to you the following:
^-
are you shitting me, what are you trying to say? I'm wrong on this account?
believe whatever you wish, it's obvious you did not look at my sources/movie
it's a damn shame some people are naive enough to think what they do but hey, the world is full of people like them -> what can we do, neh? :bunny:
gil
24th August 2004, 23:11
No one said EH based hacks are in the same class as engine hacks.
This is a fact, there is no argument here.
I don't think there is any news in your post. We knew they exist, but just not for the public.
Thanks for the info though ;)
osGb`
24th August 2004, 23:20
-___________-;
gpled source code....
public...
re
le
as
ed
ARGH how is that not public?!
>_<
you guys have been able to make cheats before from hack method releases, why not again this time -_-
sharknaww
24th August 2004, 23:40
Is there any mh source we can work with?
funkymonkey
25th August 2004, 00:35
Is there any mh source we can work with?
no
temp2
25th August 2004, 01:40
I hope this opens some peoples eyes, aimbots made from ViewRotations are - (naturally) far superior to any render device aimbot, always will have been, always will be. Thats what makes hacking the unreal engine so fun, and so 'dangerous' - its that same cheat friendly atmosphere that draws people to it.
Cheers for the excellent *pointers m8 and you are of course right about ping & velocity vector corrected ViewRotation (all of which are accessible from the engine) .
There is of course a lot more to a fully owning engine game hack than just this as anybody experienced with the extreme ROF and accuracy of devmode players knows.
I'm interested in an information share with ELF members, if they are interested in AA. I'm not particularly interested in joining ELF.
ut432pubsrc.zip to get the 432 Unreal Public Headers http://unreal.epicgames.com/files/ut432pubsrc.zip
From what I know the .lib file should be pretty easy if you have the .h, as you can create the .def and then: lib /machine:ix86 /def:mydll.def /out:mydll.lib
To get the headers, check out (from Visual Studio):
dumpbin mydll.dll /exports
Picklelicious
25th August 2004, 01:51
In all actuality and truth though I do not kid you and I am not lieing when I tell you that having access to the engine is naturally 10 times better than render device hacking...
if you say my words are hogwash I present to you the following:
I think most people are convinced those engine hacks are more powerful than D3D hacks. MH was a good example of the power of engine hacking.
Native programming is still possible in both games, but then again -> headers.
If you know how, you can extract the headers directly from the engine. Here is the PlayerReplicationInfo complete with replication statements. (Sorry, it is so wide.)
struct APlayerReplicationInfo : AReplicationInfo //OF0x640F0044
{
int Score_Total; //0x0430 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Leadership; //0x0434 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Wins; //0x0438 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Objectives; //0x043C PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Deaths; //0x0440 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Kills; //0x0444 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_ROE; //0x0448 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int _Credited_Wins; //0x044C PF0x00000000
int _Credited_Leadership; //0x0450 PF0x00000000
ACarriedObject * HasFlag; //0x0454 PF0x00000000
int Ping; //0x0458 PF0x00000020 Replicate if ((bNetDirty && !bNetOwner) && (Role == 4))
AVolume * PlayerVolume; //0x045C PF0x00000020 Replicate if (bNetDirty && (Role == 4))
AZoneInfo * PlayerZone; //0x0460 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int NumLives; //0x0464 PF0x00000000
FString PlayerName; //0x0468 PF0x00400020 Replicate if (bNetDirty && (Role == 4))
FString CharacterName; //0x0474 PF0x00400020 Replicate if (bNetDirty && (Role == 4))
FString OldCharacterName; //0x0480 PF0x00400000
FString OldName; //0x048C PF0x00400000
FString PreviousName; //0x0498 PF0x00400000
FString PlayerMAC; //0x04A4 PF0x00400000
int PlayerID; //0x04B0 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
ATeamInfo * Team; //0x04B4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
BYTE DesiredTeam; //0x04B8 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int TeamID; //0x04B9 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
UClass * VoiceType; //0x04C0 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bAdmin : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bIsFemale : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bIsSpectator : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bOnlySpectator : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bWaitingPlayer : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bReadyToPlay : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bOutOfLives : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bBot : 1; //0x04C4 PF0x00000020 Replicate if (bNetInitial && (Role == 4))
unsigned int bWelcomed : 1; //0x04C4 PF0x00000000
unsigned int bReceivedPing : 1; //0x04C4 PF0x00000000
unsigned int bHasFlag : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bGuerrillaPS : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bSpecialForcesPS : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bVIPPS : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int StartTime; //0x04C8 PF0x00000020 Replicate if (bNetInitial && (Role == 4))
FString StringSpectating; //0x04CC PF0x00408000
FString StringUnknown; //0x04D8 PF0x00408000
int GoalsScored; //0x04E4 PF0x00000000
int Kills; //0x04E8 PF0x00000000
unsigned int bDead : 1; //0x04EC PF0x00000020 Replicate if (bNetDirty && (Role == 4))
APawn * myPawn; //0x04F0 PF0x00000000
int LocationX; //0x04F4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int LocationY; //0x04F8 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int LocationZ; //0x04FC PF0x00000020 Replicate if (bNetDirty && (Role == 4))
float slowtime; //0x0500 PF0x00000000
APlayerReplicationInfo * PRI_WaitingForPawn; //0x0504 PF0x00000000
int SwapRequest; //0x0508 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
BYTE FT; //0x050C PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bWillBeMedic : 1; //0x050D PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bLostMedic : 1; //0x050D PF0x00000000
unsigned int bIsMedic : 1; //0x050D PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bCallForMedic : 1; //0x050D PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int _bSoldiersCharacter : 1; //0x050D PF0x00000000
int _iTrust; //0x0514 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bWantsFTLeader : 1; //0x0518 PF0x00000000
unsigned int bWantsSquadLeader : 1; //0x0518 PF0x00000000
unsigned int bAvoidLeaderRole : 1; //0x0518 PF0x00000000
unsigned int bWantsMedic : 1; //0x0518 PF0x00000000
unsigned int bQualifiedSniper : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedAirborne : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedRanger : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedMedic : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedSF : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
float _fWeight; //0x051C PF0x00000000
float tNextVoteAllowed; //0x0520 PF0x00000000
FString votekick; //0x0524 PF0x00400000
FString SquadName; //0x0530 PF0x00400020 Replicate if (bNetDirty && (Role == 4))
int _cumRounds; //0x053C PF0x00000000
int _LastTimeUpdate; //0x0540 PF0x00000000
int _cumTotal; //0x0544 PF0x00000000
int _cumLeadership; //0x0548 PF0x00000000
int _cumWins; //0x054C PF0x00000000
int _cumObjectives; //0x0550 PF0x00000000
int _cumDeaths; //0x0554 PF0x00000000
int _cumKills; //0x0558 PF0x00000000
int _cumROE; //0x055C PF0x00000000
int _prevTotal; //0x0560 PF0x00000000
int _prevLeadership; //0x0564 PF0x00000000
int _prevWins; //0x0568 PF0x00000000
int _prevObjectives; //0x056C PF0x00000000
int _prevDeaths; //0x0570 PF0x00000000
int _prevKills; //0x0574 PF0x00000000
int _prevROE; //0x0578 PF0x00000000
int _Experience; //0x057C PF0x00000000
int _ExperienceDelta; //0x0580 PF0x00000000
unsigned int bSUEnabled : 1; //0x0584 PF0x00000000
BYTE _Group; //0x0588 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bMuted : 1; //0x0589 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
UClass * requiredClass; //0x0590 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bTournamentSquadLeader : 1; //0x0594 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
}; //0x0598
ok so with that being said how does one actually make a client hook (as you see in HelioS's screenshot, surely that is just that - a FULLY functional client hook for an engine with NO SDK?) for a game that runs on the Unreal 2 Engine?
wellllll, thats what we like to call majic ;]
Lots of people hack. Tomorrow someone else will create yet another engine hack for this game without using the SDK.
I bet they will think they are pretty magical too. ;)
GUESS WHO!!!
25th August 2004, 06:31
Um, are we still speaking English here, cuz you guys lost me a page or 2 ago lol. It really is hard being a noob sometimes but I guess I will just have to live with it.
temp2
25th August 2004, 13:16
If you know how, you can extract the headers directly from the engine. Here is the PlayerReplicationInfo complete with replications statements. (Sorry, it is so wide.)
How did you do that? Looks pretty interesting and is obviously not from the SDK but some reverse engineering tool.
Both of my Tutorials (proof of concept src code releases) on the G-D forum for UEngine 2
http://forum.game-deception.com/showthread.php?t=4909
Got a nice hook.dll in my c:\ directory. Renamed it and injected it into the running game.
22:29:09 - ===================================================
23:17:10 - - 2k4 Core Hook by [ELF]osGb` -
23:17:10 - Attaching DLL
23:17:10 - Redirected ProcessEvent
23:17:10 - Class Found: PlayerController 257
23:17:10 - Player Pointer 0x7453b8
23:17:10 - InteractionMaster Pointer 0x15ec710
23:17:10 - InteractionMaster.AddInteraction Pointer 0x0
23:17:10 - Detaching DLL
23:17:10 - =======================end=========================
...the engine has been so kind to be nearly unchanged (core) for 8+ years now.
Not to my mind surprising, if it ain’t broke don’t fix it, but however very useful information.
mastershriz
25th August 2004, 15:04
hm...
let me start off by saying:
evilhack clones and the like cant hold a candle to UEngine hooking...
-[ELF]osGb`-
Yup... didn't wanna quote the whole thing, but i just wanted to say your post gave me quite a hard on. Very useful information, glad to see you lurkin around the AA section.
Loucifer
25th August 2004, 16:39
It was indeed a very enlightening and informative post. Lends to great food for thought huh guys.....
gil
25th August 2004, 17:15
I think this one deserves his own thread.
The last one got off-topic, but I couldn't close it... too interesting.
So I split it from the moment osGb made his first post.
TABACKY
25th August 2004, 21:38
temp2 how did u get those offsets?
temp2
25th August 2004, 23:32
temp2 how did u get those offsets?
dumpbin mydll.dll /exports
From Visual Studio. The names are sometimes mangled by the compiler you use but PE Explorer will reconstruct them..
Microsoft (R) COFF/PE Dumper Version 7.00.8905
Copyright (C) 1992-2000 Microsoft Corporation. All rights reserved.
Dump of file core.dll
File Type: DLL
Section contains the following exports for Core.dll
0 characteristics
40AD50F3 time date stamp Fri May 21 12:44:35 2004
0.00 version
1 ordinal base
2513 number of functions
2513 number of names
ordinal hint RVA name
1 0 0000B870 ??0?$TArray@G@@QAE@ABV0@@Z
2 1 0000B850 ??0?$TArray@G@@QAE@H@Z
3 2 00001DE0 ??0?$TArray@G@@QAE@W4ENoInit@@@Z
4 3 0003B930 ??0?$TArray@G@@QAE@XZ
5 4 00001B10 ??0FArchive@@QAE@ABV0@@Z
6 5 00001A40 ??0FArchive@@QAE@XZ
7 6 0000A430 ??0FArchiveCountMem@@QAE@ABV0@@Z
8 7 0000A350 ??0FArchiveCountMem@@QAE@PAVUObject@@@Z
9 8 00012570 ??0FArchiveDummySave@@QAE@ABV0@@Z
10 9 00012520 ??0FArchiveDummySave@@QAE@XZ
11 A 00001E50 ??0FArray@@IAE@HH@Z
12 B 00001DE0 ??0FArray@@QAE@W4ENoInit@@@Z
13 C 0003B930 ??0FArray@@QAE@XZ
temp2
26th August 2004, 01:51
The following tools are obsolete: Implib32 and dll2def
http://www.geocities.com/SiliconValley/5806/implib32.htm
http://www.geocities.com/SiliconValley/Pines/7268/dll2def.html
fredotnet
26th August 2004, 02:01
there is also a program called dll to lib (shareware) but I don't know if it also generates def files
http://shareit1.element5.com/product.html?productid=154785
TABACKY
26th August 2004, 02:09
thank you temp2 bunches :D
Unknown Soldier
26th August 2004, 02:22
so what are you guys saying, that we're about a month or 2 away from a completely ridiculous forever undetectable insane godhack?
temp2
26th August 2004, 06:15
Looks like that devmode set is done by the SetPropertyText method which is part of the Unreal base UObject class. It might get disabled in the console, will be damned hard to not mess things up if they take it out of core.
core.dll
// Properties.
native final function string GetPropertyText( string PropName );
native final function bool SetPropertyText( string PropName, string PropValue );
Rapid
26th August 2004, 09:45
I got the Core and Engine .lib but I ain't sure if they are correct. I used the tool Fredotnet posted about 4 posts above. So now, how can we get the header files??
Edit //
I still don't know what to do exactly, I tried following this a little :x
but if we have the .h files and we edit the source, would that be the last step?
temp2
26th August 2004, 12:32
It's a waste of time looking for an automatic dll -> lib tool as it's so easy manually.
dumpbin /exports core.dll > core.def
Then edit in Excel such that:
Microsoft (R) COFF/PE Dumper Version 7.00.8905
Copyright (C) 1992-2000 Microsoft Corporation. All rights reserved.
Dump of file Core.dll
File Type: DLL
Section contains the following exports for Core.dll
0 characteristics
40AD50F3 time date stamp Fri May 21 12:44:35 2004
0.00 version
1 ordinal base
2513 number of functions
2513 number of names
ordinal hint RVA name
1 0 0000B870 ??0?$TArray@G@@QAE@ABV0@@Z
2 1 0000B850 ??0?$TArray@G@@QAE@H@Z
3 2 00001DE0 ??0?$TArray@G@@QAE@W4ENoInit@@@Z
4 3 0003B930 ??0?$TArray@G@@QAE@XZ
5 4 00001B10 ??0FArchive@@QAE@ABV0@@Z
6 5 00001A40 ??0FArchive@@QAE@XZ
7 6 0000A430 ??0FArchiveCountMem@@QAE@ABV0@@Z
8 7 0000A350 ??0FArchiveCountMem@@QAE@PAVUObject@@@Z
9 8 00012570 ??0FArchiveDummySave@@QAE@ABV0@@Z
10 9 00012520 ??0FArchiveDummySave@@QAE@XZ
becomes
LIBRARY core.DLL
EXPORTS
??0?$TArray@G@@QAE@ABV0@@Z @ 1
??0?$TArray@G@@QAE@H@Z @ 2
??0?$TArray@G@@QAE@W4ENoInit@@@Z @ 3
??0?$TArray@G@@QAE@XZ @ 4
??0FArchive@@QAE@ABV0@@Z @ 5
??0FArchive@@QAE@XZ @ 6
??0FArchiveCountMem@@QAE@ABV0@@Z @ 7
??0FArchiveCountMem@@QAE@PAVUObject@@@Z @ 8
??0FArchiveDummySave@@QAE@ABV0@@Z @ 9
??0FArchiveDummySave@@QAE@XZ @ 10
and
lib /machine:ix86 /def:core.def
However this did not solve my problems as the AddInteraction method still cannot be found.
20:18:10 - ===================================================
20:18:10 - - 2k4 Core Hook by [ELF]osGb` -
20:18:10 - Attaching DLL
20:18:10 - Redirected ProcessEvent
20:18:11 - Class Found: PlayerController 257
20:18:11 - Player Pointer 0x7453b8
20:18:11 - InteractionMaster Pointer 0x15ec710
20:18:11 - InteractionMaster.AddInteraction Pointer 0x0
How To Create 32-bit Import Libraries Without .OBJs or Source
http://support.microsoft.com/default.aspx?scid=kb;en-us;q131313
INFO: Exporting PASCAL-Like Symbols in 32-Bit DLLs
http://support.microsoft.com/default.aspx?scid=kb;EN-US;140485
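The dumpbin -> .def step above, done by script instead of in Excel; this is an added example, not code from the thread. It assumes the export table layout dumpbin prints in the thread (ordinal, hint, RVA, name), keeps mangled C++ names verbatim (the import library binds by exact name), and constructs its own sample input, including a forwarded and an ordinal-only ([NONAME]) export that the manual Excel edit would have to treat by hand.

```python
"""Turn `dumpbin /exports foo.dll` output into a module-definition (.def) file."""
import re
import sys

# One export row: ordinal, hint (hex), optional RVA (blank for forwarders),
# the (possibly mangled) name, and an optional "(forwarded to X)" suffix.
EXPORT_RE = re.compile(
    r"^\s*(?P<ordinal>\d+)\s+(?P<hint>[0-9A-Fa-f]+)\s+"
    r"(?:(?P<rva>[0-9A-Fa-f]{8})\s+)?"
    r"(?P<name>\S+)"
    r"(?:\s+\(forwarded to (?P<target>[^)]+)\))?\s*$"
)
COUNT_RE = re.compile(r"^\s*(\d+) number of names\s*$", re.M)


def parse_exports(dump_text):
    """Return [(ordinal, name, forwarder_or_None)] in dumpbin order.

    Everything before the 'ordinal hint RVA name' banner is header chatter.
    Ordinal-only exports print as [NONAME]; they are dropped because a .def
    entry needs a symbol name for the linker to bind to.
    """
    exports = []
    in_table = False
    for line in dump_text.splitlines():
        if not in_table:
            in_table = line.split() == ["ordinal", "hint", "RVA", "name"]
            continue
        if line.strip() == "Summary":  # section table follows; stop here
            break
        m = EXPORT_RE.match(line)
        if not m or m.group("name") == "[NONAME]":
            continue
        exports.append((int(m.group("ordinal")), m.group("name"), m.group("target")))
    return exports


def to_def(dump_text, library_name):
    """Render the .def text. Mangled names are copied untouched: undecorating
    them would make the resulting .lib fail to resolve the DLL's symbols.
    Forwarded exports are emitted like any other; the real DLL does the
    forwarding at run time, the import library only needs name and ordinal."""
    exports = parse_exports(dump_text)
    m = COUNT_RE.search(dump_text)
    if m and int(m.group(1)) != len(exports):
        print(f"warning: dumpbin reports {m.group(1)} names, parsed {len(exports)}",
              file=sys.stderr)
    lines = [f"LIBRARY {library_name}", "EXPORTS"]
    for ordinal, name, _target in exports:
        lines.append(f"    {name} @{ordinal}")
    return "\n".join(lines) + "\n"


# Constructed sample: the first three rows are the thread's own Core.dll
# output; the forwarded and [NONAME] rows are made up to exercise those paths.
SAMPLE_DUMP = """\
Microsoft (R) COFF/PE Dumper Version 7.00.8905
Copyright (C) 1992-2000 Microsoft Corporation.  All rights reserved.

Dump of file Core.dll

File Type: DLL

  Section contains the following exports for Core.dll

    0 characteristics
    40AD50F3 time date stamp Fri May 21 12:44:35 2004
        0.00 version
           1 ordinal base
           5 number of functions
           4 number of names

    ordinal hint RVA      name

          1    0 0000B870 ??0?$TArray@G@@QAE@ABV0@@Z
          2    1 0000B850 ??0?$TArray@G@@QAE@H@Z
          3    2 00001DE0 ??0?$TArray@G@@QAE@W4ENoInit@@@Z
          4    3          appSomething (forwarded to Other.appSomething)
          5      00001234 [NONAME]

  Summary

        1000 .data
"""

if __name__ == "__main__":
    # Usage: python dump2def.py core.exports.txt Core.dll > core.def
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            sys.stdout.write(to_def(fh.read(), sys.argv[2]))
    else:
        sys.stdout.write(to_def(SAMPLE_DUMP, "Core.dll"))
```

Feed the result to `lib /machine:ix86 /def:core.def` exactly as in the post; the warning on a count mismatch is the check that the Excel edit cannot give you.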
fredotnet
28th August 2004, 09:04
tnx for the tip temp
sapper12b20
30th August 2004, 04:10
Just to let you know, if you add one of the DLLs from the AAO system folder as a resource to your hack it decompiles the DLL for you as a lib file. Therefore all you have to do is copy and paste to Notepad and save as blahblah.lib. This is the easiest way I found out.
Picklelicious
30th August 2004, 04:38
However this did not solve my problems as the AddInteraction method still cannot be found.
AddInteraction is in engine.dll. It is a UScript event, so the name will really be eventAddInteraction.
Here is the mangled name:
?eventAddInteraction@UInteractionMaster@@QAEPAVUInteraction@@ABVFString@@PAVUPlayer@@@Z
Here is the prototype from IDAPro:
class UInteraction * __thiscall UInteractionMaster::eventAddInteraction(class FString const &, class UPlayer *);
osGb`
30th August 2004, 09:44
yeah picklelicious said it before me, you can't just go and use the hook for AA - it wasn't developed for it, the location / name of the actual function at hand changed in this case and that's why my project will compile but not give you the information / results you want.
the hook's EXAMPLE code was only proof of concept to work with ut2003/ut2004 first and foremost.
as for getting it to work with AA -^ read pickle's post.
btw; pickle: how did you generate/create that header?
temp2
30th August 2004, 09:47
Here is the prototype from IDAPro:
class UInteraction * __thiscall UInteractionMaster::eventAddInteraction(class FString const &, class UPlayer *);
Cheers m8 but I’ve actually progressed a bit further than that already. I’ve sent you a PM.
the hook's EXAMPLE code was only proof of concept to work with ut2003/ut2004 first and foremost.
It mostly works fine as it is with AA, certainly much better than Helios' which requires quite a lot of work as it currently stands. Helios' is of course much better for later stage development.
btw; pickle: how did you generate/create that header?
I think I know and am trying it out.
If anyone wants the .lib and .exp files for 2.1 PM your email address to me and I will send them.
osGb`
30th August 2004, 09:53
well at that, don't bother answering it pickle ;p
and if you do figure it out temp2 you might as well keep it to yourself
fredotnet
30th August 2004, 09:53
ok now I'm drunk and a bit lost, and my knowledge of c++ is not that big,
what should I do with pickle's info to get the hook to work?
temp2
30th August 2004, 09:55
ok now I'm drunk and a bit lost, and my knowledge of c++ is not that big,
what should I do with pickle's info to get the hook to work?
Pray?
fredotnet
30th August 2004, 10:25
what can I say, the advanced c++ programming course is next year, I do want to know what to do
temp2
30th August 2004, 11:50
what can I say, the advanced c++ programming course is next year, I do want to know what to do
Sorry. It's just driving me frickin bananas knowing that Picklelicious can generate those headers somehow.
Picklelicious
30th August 2004, 18:46
btw; pickle: how did you generate/create that header?
In the engine, everything in the game is really a C++ object. For example, a player's pawn (the thing you can shoot at on the screen) is a C++ object. This object contains everything the engine needs to know about that pawn - including its location.
Now, both native code (written in C++) and the uScript code have to be able to access the same objects. In native code you access the object directly by using the headers. However, uScript does not have access to the headers. So the engine must provide a way for the uScript to access the same object. That is what all that UClass and UProperty stuff is for. They are there so that the uScript processor can figure out where things are stored in the objects.
For example, let's say you want a pawn's location. In native code, you would directly access it using something like pPawn->Location. However in uScript, it doesn't know about the headers. So the uScript processor has to look at the UClass/UProperty information about the APawn class and calculate where pPawn->Location is stored. Once the uScript processor has the address, it can access the pawn's location.
Once you figure out how all that works, it is not hard to use the UClass/UProperty information and construct the headers.
fredotnet
30th August 2004, 22:14
well I guess I'm gonna give up trying since no one is answering my question and all my efforts end up in unresolved links
killer_a-5
31st August 2004, 03:30
In the engine, everything in the game is really a C++ object. For example, a player's pawn (the thing you can shoot at on the screen) is a C++ object. This object contains everything the engine needs to know about that pawn - including its location.
Now, both native code (written in C++) and the uScript code have to be able to access the same objects. In native code you access the object directly by using the headers. However, uScript does not have access to the headers. So the engine must provide a way for the uScript to access the same object. That is what all that UClass and UProperty stuff is for. They are there so that the uScript processor can figure out where things are stored in the objects.
For example, let's say you want a pawn's location. In native code, you would directly access it using something like pPawn->Location. However in uScript, it doesn't know about the headers. So the uScript processor has to look at the UClass/UProperty information about the APawn class and calculate where pPawn->Location is stored. Once the uScript processor has the address, it can access the pawn's location.
Once you figure out how all that works, it is not hard to use the UClass/UProperty information and construct the headers.
so are you telling me that with this kind of engine hack you could make your guy invisible or some crazy thing like that?
HelioS
31st August 2004, 06:34
I'm currently making my own offset logger and it's coming along nicely
there is only one more thing i need to sort out
How did you sort the Properties with the same offsets ?
Example output of the logger
***************************** PlayerReplicationInfo *****************************
IntProperty Score_Total; // Offset 1072 (0x430) Size 4 PFlags 0x20
IntProperty Score_Leadership; // Offset 1076 (0x434) Size 4 PFlags 0x20
IntProperty Score_Wins; // Offset 1080 (0x438) Size 4 PFlags 0x20
IntProperty Score_Objectives; // Offset 1084 (0x43c) Size 4 PFlags 0x20
IntProperty Score_Deaths; // Offset 1088 (0x440) Size 4 PFlags 0x20
IntProperty Score_Kills; // Offset 1092 (0x444) Size 4 PFlags 0x20
IntProperty Score_ROE; // Offset 1096 (0x448) Size 4 PFlags 0x20
IntProperty _Credited_Wins; // Offset 1100 (0x44c) Size 4 PFlags 0x0
IntProperty _Credited_Leadership; // Offset 1104 (0x450) Size 4 PFlags 0x0
ObjectProperty HasFlag; // Offset 1108 (0x454) Size 4 PFlags 0x0
IntProperty Ping; // Offset 1112 (0x458) Size 4 PFlags 0x20
ObjectProperty PlayerVolume; // Offset 1116 (0x45c) Size 4 PFlags 0x20
ObjectProperty PlayerZone; // Offset 1120 (0x460) Size 4 PFlags 0x20
IntProperty NumLives; // Offset 1124 (0x464) Size 4 PFlags 0x0
StrProperty PlayerName; // Offset 1128 (0x468) Size 12 PFlags 0x400020
StrProperty CharacterName; // Offset 1140 (0x474) Size 12 PFlags 0x400020
StrProperty OldCharacterName; // Offset 1152 (0x480) Size 12 PFlags 0x400000
StrProperty OldName; // Offset 1164 (0x48c) Size 12 PFlags 0x400000
StrProperty PreviousName; // Offset 1176 (0x498) Size 12 PFlags 0x400000
StrProperty PlayerMAC; // Offset 1188 (0x4a4) Size 12 PFlags 0x400000
IntProperty PlayerID; // Offset 1200 (0x4b0) Size 4 PFlags 0x20
ObjectProperty Team; // Offset 1204 (0x4b4) Size 4 PFlags 0x20
ByteProperty DesiredTeam; // Offset 1208 (0x4b8) Size 1 PFlags 0x20
IntProperty TeamID; // Offset 1212 (0x4bc) Size 4 PFlags 0x20
ClassProperty VoiceType; // Offset 1216 (0x4c0) Size 4 PFlags 0x20
BoolProperty bReadyToPlay; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bOnlySpectator; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bIsFemale; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bReceivedPing; // Offset 1220 (0x4c4) Size 4 PFlags 0x0
BoolProperty bAdmin; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bIsSpectator; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bWaitingPlayer; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bOutOfLives; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bGuerrillaPS; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bSpecialForcesPS; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bVIPPS; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bBot; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bHasFlag; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BoolProperty bWelcomed; // Offset 1220 (0x4c4) Size 4 PFlags 0x0
IntProperty StartTime; // Offset 1224 (0x4c8) Size 4 PFlags 0x20
StrProperty StringSpectating; // Offset 1228 (0x4cc) Size 12 PFlags 0x408000
StrProperty StringUnknown; // Offset 1240 (0x4d8) Size 12 PFlags 0x408000
IntProperty GoalsScored; // Offset 1252 (0x4e4) Size 4 PFlags 0x0
IntProperty Kills; // Offset 1256 (0x4e8) Size 4 PFlags 0x0
BoolProperty bDead; // Offset 1260 (0x4ec) Size 4 PFlags 0x20
ObjectProperty myPawn; // Offset 1264 (0x4f0) Size 4 PFlags 0x0
IntProperty LocationX; // Offset 1268 (0x4f4) Size 4 PFlags 0x20
IntProperty LocationY; // Offset 1272 (0x4f8) Size 4 PFlags 0x20
IntProperty LocationZ; // Offset 1276 (0x4fc) Size 4 PFlags 0x20
FloatProperty slowtime; // Offset 1280 (0x500) Size 4 PFlags 0x0
ObjectProperty PRI_WaitingForPawn; // Offset 1284 (0x504) Size 4 PFlags 0x0
IntProperty SwapRequest; // Offset 1288 (0x508) Size 4 PFlags 0x20
ByteProperty FT; // Offset 1292 (0x50c) Size 1 PFlags 0x20
BoolProperty _bSoldiersCharacter; // Offset 1296 (0x510) Size 4 PFlags 0x0
BoolProperty bLostMedic; // Offset 1296 (0x510) Size 4 PFlags 0x0
BoolProperty bIsMedic; // Offset 1296 (0x510) Size 4 PFlags 0x20
BoolProperty bCallForMedic; // Offset 1296 (0x510) Size 4 PFlags 0x20
BoolProperty bWillBeMedic; // Offset 1296 (0x510) Size 4 PFlags 0x20
IntProperty _iTrust; // Offset 1300 (0x514) Size 4 PFlags 0x20
BoolProperty bWantsFTLeader; // Offset 1304 (0x518) Size 4 PFlags 0x0
BoolProperty bWantsSquadLeader; // Offset 1304 (0x518) Size 4 PFlags 0x0
BoolProperty bAvoidLeaderRole; // Offset 1304 (0x518) Size 4 PFlags 0x0
BoolProperty bWantsMedic; // Offset 1304 (0x518) Size 4 PFlags 0x0
BoolProperty bQualifiedSniper; // Offset 1304 (0x518) Size 4 PFlags 0x20
BoolProperty bQualifiedAirborne; // Offset 1304 (0x518) Size 4 PFlags 0x20
BoolProperty bQualifiedRanger; // Offset 1304 (0x518) Size 4 PFlags 0x20
BoolProperty bQualifiedMedic; // Offset 1304 (0x518) Size 4 PFlags 0x20
BoolProperty bQualifiedSF; // Offset 1304 (0x518) Size 4 PFlags 0x20
FloatProperty _fWeight; // Offset 1308 (0x51c) Size 4 PFlags 0x0
FloatProperty tNextVoteAllowed; // Offset 1312 (0x520) Size 4 PFlags 0x0
StrProperty votekick; // Offset 1316 (0x524) Size 12 PFlags 0x400000
StrProperty SquadName; // Offset 1328 (0x530) Size 12 PFlags 0x400020
IntProperty _cumRounds; // Offset 1340 (0x53c) Size 4 PFlags 0x0
IntProperty _LastTimeUpdate; // Offset 1344 (0x540) Size 4 PFlags 0x0
IntProperty _cumTotal; // Offset 1348 (0x544) Size 4 PFlags 0x0
IntProperty _cumLeadership; // Offset 1352 (0x548) Size 4 PFlags 0x0
IntProperty _cumWins; // Offset 1356 (0x54c) Size 4 PFlags 0x0
IntProperty _cumObjectives; // Offset 1360 (0x550) Size 4 PFlags 0x0
IntProperty _cumDeaths; // Offset 1364 (0x554) Size 4 PFlags 0x0
IntProperty _cumKills; // Offset 1368 (0x558) Size 4 PFlags 0x0
IntProperty _cumROE; // Offset 1372 (0x55c) Size 4 PFlags 0x0
IntProperty _prevTotal; // Offset 1376 (0x560) Size 4 PFlags 0x0
IntProperty _prevLeadership; // Offset 1380 (0x564) Size 4 PFlags 0x0
IntProperty _prevWins; // Offset 1384 (0x568) Size 4 PFlags 0x0
IntProperty _prevObjectives; // Offset 1388 (0x56c) Size 4 PFlags 0x0
IntProperty _prevDeaths; // Offset 1392 (0x570) Size 4 PFlags 0x0
IntProperty _prevKills; // Offset 1396 (0x574) Size 4 PFlags 0x0
IntProperty _prevROE; // Offset 1400 (0x578) Size 4 PFlags 0x0
IntProperty _Experience; // Offset 1404 (0x57c) Size 4 PFlags 0x0
IntProperty _ExperienceDelta; // Offset 1408 (0x580) Size 4 PFlags 0x0
BoolProperty bSUEnabled; // Offset 1412 (0x584) Size 4 PFlags 0x0
ByteProperty _Group; // Offset 1416 (0x588) Size 1 PFlags 0x20
BoolProperty bMuted; // Offset 1420 (0x58c) Size 4 PFlags 0x20
ClassProperty requiredClass; // Offset 1424 (0x590) Size 4 PFlags 0x20
BoolProperty bTournamentSquadLeader; // Offset 1428 (0x594) Size 4 PFlags 0x20
temp2
31st August 2004, 10:55
I'm currently making my own offset logger and it's coming along nicely.
Mary mother of Jesus, is everybody doing this? Good to see you aboard Helios. I thought I was ahead of you on this one (sent osGB an email with the details) but I've just had to work out how to de-install Visual Studio 7.0 Beta after buggering it up. It involves exorcising with holy water and a lot of insane jiggery-pokery which I will just log here for future reference (since it took me ages to find it) as I'm just reinstalling it. Given this I will be lucky to be third :-(.
BITFIELD BitMask of UBoolProperty perhaps?
You might be interested in checking the following subclasses of UExporter also:
UClassExporterH
UClassExporterUC
ULevelExporterT3D
UModelExporterT3D
UMusicExporterTracker
UPolysExporterT3D
USoundExporterWAV
UTextBufferExporterTXT
UTextureExporterBMP
UTextureExporterPCX
Freedom from the core and an independent native SDK HOORAH!
-----Begin quote for Beta 1 uninstall instructions-----
Run the following, and answer yes when prompted, to remove Visual Studio.NET Beta 1
msiexec.exe /x {33334F07-0C6B-11D3-A51D-00A0C9231BA1} NOVSUI=1
Then run the following, and answer yes when prompted, to remove the Bootstrap goo.
msiexec.exe /x {267CD0E5-21C5-411E-980B-1A8DE3043C44} NOVSUI=1
Run Regedit and delete the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33334F07-0C6B-11D3-A51D-00A0C9231BA1}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14B10BA0-2E68-11d3-A829-00C04FB1799F
HKLM\SOFTWARE\Microsoft\Microsoft Integration\14B10BA0-2E68-11d3-A829-00C04FB1799F
HKLM\SOFTWARE\Microsoft\HTMLHelp\2.0
HKLM\SOFTWARE\Microsoft\HTML Help Collections
HKCU\Software\Microsoft\VisualStudio\7.0
HKLM\Software\Microsoft\VisualStudio\7.0
Navigate to the Microsoft Visual Studio.Net directory and delete it and all of its contents.
Visual Studio .NET Beta 1 should now be exorcised.
-----End quote for Beta 1 uninstall instructions-----
HelioS
31st August 2004, 16:18
It's nice to see you are making some progress
btw I improved the logger and it now works on all Unreal engines
This is the output for the PlayerReplicationInfo class
class DLL_IMPORT PlayerReplicationInfo
{
public:
INT Score_Total; // Offset 1072 (0x430) Size 4 PFlags 0x20
INT Score_Leadership; // Offset 1076 (0x434) Size 4 PFlags 0x20
INT Score_Wins; // Offset 1080 (0x438) Size 4 PFlags 0x20
INT Score_Objectives; // Offset 1084 (0x43c) Size 4 PFlags 0x20
INT Score_Deaths; // Offset 1088 (0x440) Size 4 PFlags 0x20
INT Score_Kills; // Offset 1092 (0x444) Size 4 PFlags 0x20
INT Score_ROE; // Offset 1096 (0x448) Size 4 PFlags 0x20
INT _Credited_Wins; // Offset 1100 (0x44c) Size 4 PFlags 0x0
INT _Credited_Leadership; // Offset 1104 (0x450) Size 4 PFlags 0x0
class ACarriedObject* HasFlag; // Offset 1108 (0x454) Size 4 PFlags 0x0
INT Ping; // Offset 1112 (0x458) Size 4 PFlags 0x20
class AVolume* PlayerVolume; // Offset 1116 (0x45c) Size 4 PFlags 0x20
class AZoneInfo* PlayerZone; // Offset 1120 (0x460) Size 4 PFlags 0x20
INT NumLives; // Offset 1124 (0x464) Size 4 PFlags 0x0
FStringNoInit PlayerName; // Offset 1128 (0x468) Size 12 PFlags 0x400020
FStringNoInit CharacterName; // Offset 1140 (0x474) Size 12 PFlags 0x400020
FStringNoInit OldCharacterName; // Offset 1152 (0x480) Size 12 PFlags 0x400000
FStringNoInit OldName; // Offset 1164 (0x48c) Size 12 PFlags 0x400000
FStringNoInit PreviousName; // Offset 1176 (0x498) Size 12 PFlags 0x400000
FStringNoInit PlayerMAC; // Offset 1188 (0x4a4) Size 12 PFlags 0x400000
INT PlayerID; // Offset 1200 (0x4b0) Size 4 PFlags 0x20
class ATeamInfo* Team; // Offset 1204 (0x4b4) Size 4 PFlags 0x20
BYTE DesiredTeam; // Offset 1208 (0x4b8) Size 1 PFlags 0x20
INT TeamID; // Offset 1212 (0x4bc) Size 4 PFlags 0x20
class UClass* VoiceType; // Offset 1216 (0x4c0) Size 4 PFlags 0x20
BITFIELD bReadyToPlay:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bOnlySpectator:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bIsFemale:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bReceivedPing:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x0
BITFIELD bAdmin:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bIsSpectator:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bWaitingPlayer:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bOutOfLives:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bGuerrillaPS:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bSpecialForcesPS:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bVIPPS:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bBot:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bHasFlag:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bWelcomed:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x0
INT StartTime; // Offset 1224 (0x4c8) Size 4 PFlags 0x20
FStringNoInit StringSpectating; // Offset 1228 (0x4cc) Size 12 PFlags 0x408000
FStringNoInit StringUnknown; // Offset 1240 (0x4d8) Size 12 PFlags 0x408000
INT GoalsScored; // Offset 1252 (0x4e4) Size 4 PFlags 0x0
INT Kills; // Offset 1256 (0x4e8) Size 4 PFlags 0x0
BITFIELD bDead:1; // Offset 1260 (0x4ec) Size 4 PFlags 0x20
class APawn* myPawn; // Offset 1264 (0x4f0) Size 4 PFlags 0x0
INT LocationX; // Offset 1268 (0x4f4) Size 4 PFlags 0x20
INT LocationY; // Offset 1272 (0x4f8) Size 4 PFlags 0x20
INT LocationZ; // Offset 1276 (0x4fc) Size 4 PFlags 0x20
FLOAT slowtime; // Offset 1280 (0x500) Size 4 PFlags 0x0
class APlayerReplicationInfo* PRI_WaitingForPawn; // Offset 1284 (0x504) Size 4 PFlags 0x0
INT SwapRequest; // Offset 1288 (0x508) Size 4 PFlags 0x20
BYTE FT; // Offset 1292 (0x50c) Size 1 PFlags 0x20
BITFIELD _bSoldiersCharacter:1; // Offset 1296 (0x510) Size 4 PFlags 0x0
BITFIELD bLostMedic:1; // Offset 1296 (0x510) Size 4 PFlags 0x0
BITFIELD bIsMedic:1; // Offset 1296 (0x510) Size 4 PFlags 0x20
BITFIELD bCallForMedic:1; // Offset 1296 (0x510) Size 4 PFlags 0x20
BITFIELD bWillBeMedic:1; // Offset 1296 (0x510) Size 4 PFlags 0x20
INT _iTrust; // Offset 1300 (0x514) Size 4 PFlags 0x20
BITFIELD bWantsFTLeader:1; // Offset 1304 (0x518) Size 4 PFlags 0x0
BITFIELD bWantsSquadLeader:1; // Offset 1304 (0x518) Size 4 PFlags 0x0
BITFIELD bAvoidLeaderRole:1; // Offset 1304 (0x518) Size 4 PFlags 0x0
BITFIELD bWantsMedic:1; // Offset 1304 (0x518) Size 4 PFlags 0x0
BITFIELD bQualifiedSniper:1; // Offset 1304 (0x518) Size 4 PFlags 0x20
BITFIELD bQualifiedAirborne:1; // Offset 1304 (0x518) Size 4 PFlags 0x20
BITFIELD bQualifiedRanger:1; // Offset 1304 (0x518) Size 4 PFlags 0x20
BITFIELD bQualifiedMedic:1; // Offset 1304 (0x518) Size 4 PFlags 0x20
BITFIELD bQualifiedSF:1; // Offset 1304 (0x518) Size 4 PFlags 0x20
FLOAT _fWeight; // Offset 1308 (0x51c) Size 4 PFlags 0x0
FLOAT tNextVoteAllowed; // Offset 1312 (0x520) Size 4 PFlags 0x0
FStringNoInit votekick; // Offset 1316 (0x524) Size 12 PFlags 0x400000
FStringNoInit SquadName; // Offset 1328 (0x530) Size 12 PFlags 0x400020
INT _cumRounds; // Offset 1340 (0x53c) Size 4 PFlags 0x0
INT _LastTimeUpdate; // Offset 1344 (0x540) Size 4 PFlags 0x0
INT _cumTotal; // Offset 1348 (0x544) Size 4 PFlags 0x0
INT _cumLeadership; // Offset 1352 (0x548) Size 4 PFlags 0x0
INT _cumWins; // Offset 1356 (0x54c) Size 4 PFlags 0x0
INT _cumObjectives; // Offset 1360 (0x550) Size 4 PFlags 0x0
INT _cumDeaths; // Offset 1364 (0x554) Size 4 PFlags 0x0
INT _cumKills; // Offset 1368 (0x558) Size 4 PFlags 0x0
INT _cumROE; // Offset 1372 (0x55c) Size 4 PFlags 0x0
INT _prevTotal; // Offset 1376 (0x560) Size 4 PFlags 0x0
INT _prevLeadership; // Offset 1380 (0x564) Size 4 PFlags 0x0
INT _prevWins; // Offset 1384 (0x568) Size 4 PFlags 0x0
INT _prevObjectives; // Offset 1388 (0x56c) Size 4 PFlags 0x0
INT _prevDeaths; // Offset 1392 (0x570) Size 4 PFlags 0x0
INT _prevKills; // Offset 1396 (0x574) Size 4 PFlags 0x0
INT _prevROE; // Offset 1400 (0x578) Size 4 PFlags 0x0
INT _Experience; // Offset 1404 (0x57c) Size 4 PFlags 0x0
INT _ExperienceDelta; // Offset 1408 (0x580) Size 4 PFlags 0x0
BITFIELD bSUEnabled:1; // Offset 1412 (0x584) Size 4 PFlags 0x0
BYTE _Group; // Offset 1416 (0x588) Size 1 PFlags 0x20
BITFIELD bMuted:1; // Offset 1420 (0x58c) Size 4 PFlags 0x20
class UClass* requiredClass; // Offset 1424 (0x590) Size 4 PFlags 0x20
BITFIELD bTournamentSquadLeader:1; // Offset 1428 (0x594) Size 4 PFlags 0x20
};
Picklelicious
31st August 2004, 16:19
How did you sort the Properties with the same offsets?
BoolProperty fields only use one bit. You can pack in 32 of them at the same offset.
[Note:]
Ah, I see you already figured that out.
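As an added example (not code from HelioS, temp2 or anyone else in this thread), here is a small Python checker for the offset dumps posted above. It parses both comment layouts seen in the thread ("Offset 1220 (0x4c4) Size 4 PFlags 0x20" and "Offset=0x4c4 Size=0x04 ... BitMask=0x00000001"), gives mask-less bools a bit by declaration order within their word, which is exactly the guess the thread argues about, flags masks that are not a single bit, collide within a word, or byte ranges that overlap, and reads members out of an object image. The sample lines are copied from the dumps above; the 0x4d0-byte object image and its values are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, replace

# Comment layouts as the loggers in this thread print them (both handled):
#   "BITFIELD bAdmin:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20"
#   "BITFIELD bAdmin : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000001"
DECL_RE = re.compile(r"^(?P<ctype>.+?)\s+(?P<name>\w+)\s*(?::\s*1)?$")
NUM = r"(0x[0-9a-fA-F]+|\d+)"  # hex before decimal, or "0x4c4" would parse as 0
OFFSET_RE = re.compile(r"Offset[ =]" + NUM)
SIZE_RE = re.compile(r"Size[ =]" + NUM)
MASK_RE = re.compile(r"BitMask=" + NUM)
BOOL_TYPES = {"BITFIELD", "BoolProperty", "UBoolProperty"}  # one bit each, 32 per word

@dataclass(frozen=True)
class Field:
    name: str
    offset: int
    size: int
    bitfield: bool
    mask: int = None  # None when the logger printed no mask for this bool

def parse_dump(text):
    """One member per line; lines without an Offset/Size comment are skipped."""
    fields = []
    for raw in text.splitlines():
        decl, _, comment = raw.partition("//")
        m = DECL_RE.match(decl.strip().rstrip(";").strip())
        off, size = OFFSET_RE.search(comment), SIZE_RE.search(comment)
        if not (m and off and size):
            continue
        bitfield, mask_m = m.group("ctype") in BOOL_TYPES, MASK_RE.search(comment)
        fields.append(Field(m.group("name"), int(off.group(1), 0), int(size.group(1), 0),
                            bitfield, int(mask_m.group(1), 0) if bitfield and mask_m else None))
    return fields

def assign_masks(fields):
    """Give mask-less bools a bit by declaration order within their 4-byte word: the
    guess this thread argues about (first bool listed at an offset owns bit 0)."""
    next_bit, out = {}, []
    for f in fields:
        if f.bitfield and f.mask is None:
            bit = next_bit.get(f.offset, 0)
            if bit >= 32:  # a 33rd bool cannot fit in the word
                raise ValueError(f"more than 32 bools packed at 0x{f.offset:x}")
            f = replace(f, mask=1 << bit)
            next_bit[f.offset] = bit + 1
        out.append(f)
    return out

def check_layout(fields):
    """Report masks that are not one bit or collide within a word, and byte ranges
    that overlap; a word of packed bools counts as one range."""
    problems, seen, words, intervals = [], {}, set(), []
    for f in fields:
        if f.bitfield:
            if f.mask is None or f.mask <= 0 or f.mask & (f.mask - 1):
                problems.append(f"{f.name}: mask {f.mask!r} is not a single bit")
            elif (f.offset, f.mask) in seen:
                problems.append(f"{f.name}: mask 0x{f.mask:x} at 0x{f.offset:x} already used by {seen[(f.offset, f.mask)]}")
            seen.setdefault((f.offset, f.mask), f.name)
            if f.offset not in words:
                words.add(f.offset)
                intervals.append((f.offset, f.size, f"bools@0x{f.offset:x}"))
        else:
            intervals.append((f.offset, f.size, f.name))
    intervals.sort()
    for (o1, s1, n1), (o2, _, n2) in zip(intervals, intervals[1:]):
        if o2 < o1 + s1:
            problems.append(f"{n2} at 0x{o2:x} overlaps {n1} ending at 0x{o1 + s1:x}")
    return problems

def read_int(obj, f, signed=True):
    """Read a plain member from a little-endian (x86) object image."""
    return int.from_bytes(obj[f.offset:f.offset + f.size], "little", signed=signed)

def read_bool(obj, f):
    """Test a packed bool's bit inside its 4-byte word."""
    if not f.bitfield or f.mask is None:
        raise ValueError(f"{f.name} has no known mask")
    return bool(read_int(obj, f, signed=False) & f.mask)

# Lines copied from the two dumps above; HelioS's logger prints no mask.
SAMPLE_HELIOS = """\
INT TeamID; // Offset 1212 (0x4bc) Size 4 PFlags 0x20
BITFIELD bReadyToPlay:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bOnlySpectator:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
BITFIELD bIsFemale:1; // Offset 1220 (0x4c4) Size 4 PFlags 0x20
INT StartTime; // Offset 1224 (0x4c8) Size 4 PFlags 0x20
"""
SAMPLE_TEMP2 = """\
BITFIELD bAdmin : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000001
BITFIELD bIsFemale : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000002
"""

def make_sample_object():
    """Constructed 0x4d0-byte image: TeamID = 7, bits 0 and 2 set in the word at 0x4c4."""
    obj = bytearray(0x4d0)
    obj[0x4bc:0x4c0] = (7).to_bytes(4, "little")
    obj[0x4c4:0x4c8] = (0b101).to_bytes(4, "little")
    return bytes(obj)
```

Run `check_layout(assign_masks(parse_dump(text)))` over a full dump to list every member whose mask or range does not add up; an empty list means the layout is at least self-consistent, not that the bit order is the engine's.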
temp2
31st August 2004, 16:46
OMG, yes, just a little bit, can I have it please. :'''-(.
Do you think it will be quite useful to have a native SDK for any Unreal game yet developed eh? Irony required.
HelioS
31st August 2004, 18:48
I got the Logger working on
UT99
UT2003
UT2004
U2XMP
AA
only RVS seems to fail
temp2
31st August 2004, 23:08
I hate you, I hate you, I hate you. Still trying to break out of the core here and having problems with old .h files from the public release. It's like programming in treacle but there is light at the end of the tunnel. Bet the RVS problem is one of the core .h files.
N.B. to any people wishing to help: download ut432pubsrc.zip to get the 432 Unreal Public Headers http://unreal.epicgames.com/files/ut432pubsrc.zip and start examining the core classes (.h files) to see how things go together and what you can do.
dozer15
1st September 2004, 14:33
Can someone upload this file to MPC? The link to it is not working:
http://unreal.epicgames.com/files/ut432pubsrc.zip
thanks
temp2
1st September 2004, 14:41
Who says we are not being watched?
gil
1st September 2004, 19:19
Link is broken anyway.
noob-cheater
1st September 2004, 21:22
Anyway...here's a working link for those who are interested in it :ermm:
ut432pubsrc.zip (http://www.lamce.ufrj.br/grva/game_engine/index.php?go=ut432pubsrc.zip)
GooDFeLLa
1st September 2004, 21:28
Glad to see Helios in the AA scene. Good stuff Picklelicious, Temp2, and Helios!
gil
1st September 2004, 21:39
I see a bright future towards us :D
temp2
2nd September 2004, 13:21
I'm getting there. Not sure if I'm doing it the same way as Helios or Pickel. Just a bit of sorting and how do you sort the Bitmap ... guess I will have to find out the HARD way.
Class Engine.PlayerReplicationInfo
UBoolProperty bReadyToPlay; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UObjectProperty Team; //Offset=0x4b4, Size=0x4, Bitmap=0x0
UBoolProperty bOnlySpectator; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UStrProperty PlayerName; //Offset=0x468, Size=0xc, Bitmap=0x0
UBoolProperty bIsFemale; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UIntProperty Ping; //Offset=0x458, Size=0x4, Bitmap=0x0
UByteProperty DesiredTeam; //Offset=0x4b8, Size=0x1, Bitmap=0x0
UBoolProperty bReceivedPing; //Offset=0x4c4, Size=0x4, Bitmap=0x0
UClassProperty VoiceType; //Offset=0x4c0, Size=0x4, Bitmap=0x0
UBoolProperty bAdmin; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UObjectProperty myPawn; //Offset=0x4f0, Size=0x4, Bitmap=0x0
UFunction SubmitPlayerRequest; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetFTLeader; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetSquadLeader; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction isTeamLeader; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction IsSquadLeader; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction isSpectator; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction isDead; //Offset=0x0, Size=0x0, Bitmap=0x0
UBoolProperty bIsSpectator; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UFunction GetMyPawn; //Offset=0x0, Size=0x0, Bitmap=0x0
UBoolProperty bDead; //Offset=0x4ec, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bWaitingPlayer; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bOutOfLives; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UFunction FoundWaitingForPawn; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction WaitingForPawn; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction ServerSetMyPawn; //Offset=0x0, Size=0x0, Bitmap=0x0
UObjectProperty PRI_WaitingForPawn; //Offset=0x504, Size=0x4, Bitmap=0x0
UFunction GetPawnLocation; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction TeamReset; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty LocationX; //Offset=0x4f4, Size=0x4, Bitmap=0x0
UIntProperty LocationY; //Offset=0x4f8, Size=0x4, Bitmap=0x0
UIntProperty LocationZ; //Offset=0x4fc, Size=0x4, Bitmap=0x0
UFunction Timer; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction IsEnemy; //Offset=0x0, Size=0x0, Bitmap=0x0
UFloatProperty slowtime; //Offset=0x500, Size=0x4, Bitmap=0x0
UFunction IsFriend; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction hasSoldiersCharacter; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction ResetScores; //Offset=0x0, Size=0x0, Bitmap=0x0
UBoolProperty _bSoldiersCharacter; //Offset=0x510, Size=0x4, Bitmap=0x0
UFunction TotalExperience; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _cumRounds; //Offset=0x53c, Size=0x4, Bitmap=0x0
UIntProperty _LastTimeUpdate; //Offset=0x540, Size=0x4, Bitmap=0x0
UIntProperty Score_Total; //Offset=0x430, Size=0x4, Bitmap=0x0
UIntProperty Score_Leadership; //Offset=0x434, Size=0x4, Bitmap=0x0
UIntProperty Score_Wins; //Offset=0x438, Size=0x4, Bitmap=0x0
UIntProperty Score_Objectives; //Offset=0x43c, Size=0x4, Bitmap=0x0
UIntProperty Score_Deaths; //Offset=0x440, Size=0x4, Bitmap=0x0
UIntProperty Score_Kills; //Offset=0x444, Size=0x4, Bitmap=0x0
UIntProperty Score_ROE; //Offset=0x448, Size=0x4, Bitmap=0x0
UStrProperty votekick; //Offset=0x524, Size=0xc, Bitmap=0x0
UFunction CalculateExperience; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _ExperienceDelta; //Offset=0x580, Size=0x4, Bitmap=0x0
UIntProperty _Experience; //Offset=0x57c, Size=0x4, Bitmap=0x0
UIntProperty _cumTotal; //Offset=0x544, Size=0x4, Bitmap=0x0
UIntProperty _cumLeadership; //Offset=0x548, Size=0x4, Bitmap=0x0
UIntProperty _cumWins; //Offset=0x54c, Size=0x4, Bitmap=0x0
UIntProperty _cumObjectives; //Offset=0x550, Size=0x4, Bitmap=0x0
UIntProperty _cumDeaths; //Offset=0x554, Size=0x4, Bitmap=0x0
UIntProperty _cumKills; //Offset=0x558, Size=0x4, Bitmap=0x0
UIntProperty _cumROE; //Offset=0x55c, Size=0x4, Bitmap=0x0
UFunction IncrementCumulativeScores; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction CalculateLeaderPenalty; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction CalculateLeaderScore; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetFTLBonus; //Offset=0x0, Size=0x0, Bitmap=0x0
UByteProperty FT; //Offset=0x50c, Size=0x1, Bitmap=0x0
UFunction GetSLBonus; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetMultiplier; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction ScoreRound; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction PScoreObjective; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction CheckROE; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction PScoreFF; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction PScoreDeath; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction PScoreKill; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction UpdateScore; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetGoalScore; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction ClientNotifyLostMedic; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetRoundScore_ROE; //Offset=0x0, Size=0x0, Bitmap=0x0
UBoolProperty bLostMedic; //Offset=0x510, Size=0x4, Bitmap=0x0
UFunction GetRoundScore_Kills; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _prevROE; //Offset=0x578, Size=0x4, Bitmap=0x0
UFunction GetRoundScore_Deaths; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _prevKills; //Offset=0x574, Size=0x4, Bitmap=0x0
UFunction GetRoundScore_Objectives; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _prevDeaths; //Offset=0x570, Size=0x4, Bitmap=0x0
UFunction GetRoundScore_Wins; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _prevObjectives; //Offset=0x56c, Size=0x4, Bitmap=0x0
UFunction GetRoundScore_Leadership; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _prevWins; //Offset=0x568, Size=0x4, Bitmap=0x0
UFunction GetRoundScore_Total; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _prevLeadership; //Offset=0x564, Size=0x4, Bitmap=0x0
UFunction ResetPerRound; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _prevTotal; //Offset=0x560, Size=0x4, Bitmap=0x0
UFunction GetController; //Offset=0x0, Size=0x0, Bitmap=0x0
UBoolProperty bIsMedic; //Offset=0x510, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bCallForMedic; //Offset=0x510, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bGuerrillaPS; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bSpecialForcesPS; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bVIPPS; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UFunction GetPlayTime; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetCumRounds; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetExperience; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction Administrator; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction SuperUser; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction SUToggle; //Offset=0x0, Size=0x0, Bitmap=0x0
UByteProperty _Group; //Offset=0x588, Size=0x1, Bitmap=0x0
UBoolProperty bSUEnabled; //Offset=0x584, Size=0x4, Bitmap=0x0
UFunction SetGroup; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetGroup; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction HasGroupIcon; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetHonor; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetWeight; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty _iTrust; //Offset=0x514, Size=0x4, Bitmap=0x0
UFunction CalculateWeight; //Offset=0x0, Size=0x0, Bitmap=0x0
UFloatProperty _fWeight; //Offset=0x51c, Size=0x4, Bitmap=0x0
UFunction NotifyClientMessage; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction NotifyNoScore; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction NotifyPromotion; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction EquivalentName; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetSquadName; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty PlayerID; //Offset=0x4b0, Size=0x4, Bitmap=0x0
UStrProperty SquadName; //Offset=0x530, Size=0xc, Bitmap=0x0
UFunction GetLocationName; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetNearbyObjective; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetCommVolume; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction SetWaitingPlayer; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction SetPlayerName; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction OldTimer; //Offset=0x0, Size=0x0, Bitmap=0x0
UStrProperty OldName; //Offset=0x48c, Size=0xc, Bitmap=0x0
UFunction ClientNameChange; //Offset=0x0, Size=0x0, Bitmap=0x0
UBoolProperty bBot; //Offset=0x4c4, Size=0x4, Bitmap=0x16264a0
UFunction DisplayDebug; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction UpdatePlayerLocation; //Offset=0x0, Size=0x0, Bitmap=0x0
UObjectProperty HasFlag; //Offset=0x454, Size=0x4, Bitmap=0x0
UFunction UpdateCharacter; //Offset=0x0, Size=0x0, Bitmap=0x0
UObjectProperty PlayerVolume; //Offset=0x45c, Size=0x4, Bitmap=0x0
UObjectProperty PlayerZone; //Offset=0x460, Size=0x4, Bitmap=0x0
UFunction GetPortrait; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction GetHumanReadableName; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction SetFlag; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction Reset; //Offset=0x0, Size=0x0, Bitmap=0x0
UBoolProperty bHasFlag; //Offset=0x4c4, Size=0x4, Bitmap=0x178e4d0
UFunction SetCharacterName; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty NumLives; //Offset=0x464, Size=0x4, Bitmap=0x0
UFunction Destroyed; //Offset=0x0, Size=0x0, Bitmap=0x0
UStrProperty CharacterName; //Offset=0x474, Size=0xc, Bitmap=0x0
UFunction PostNetBeginPlay; //Offset=0x0, Size=0x0, Bitmap=0x0
UFunction PostBeginPlay; //Offset=0x0, Size=0x0, Bitmap=0x0
UNKNOWN UPDATE_TIME; //Offset=0x0, Size=0x0, Bitmap=0x0
UIntProperty StartTime; //Offset=0x4c8, Size=0x4, Bitmap=0x0
UIntProperty _Credited_Wins; //Offset=0x44c, Size=0x4, Bitmap=0x0
UIntProperty _Credited_Leadership; //Offset=0x450, Size=0x4, Bitmap=0x0
UStrProperty OldCharacterName; //Offset=0x480, Size=0xc, Bitmap=0x0
UStrProperty PreviousName; //Offset=0x498, Size=0xc, Bitmap=0x0
UStrProperty PlayerMAC; //Offset=0x4a4, Size=0xc, Bitmap=0x0
UIntProperty TeamID; //Offset=0x4bc, Size=0x4, Bitmap=0x0
UBoolProperty bWelcomed; //Offset=0x4c4, Size=0x4, Bitmap=0x0
UStrProperty StringSpectating; //Offset=0x4cc, Size=0xc, Bitmap=0x0
UStrProperty StringUnknown; //Offset=0x4d8, Size=0xc, Bitmap=0x0
UIntProperty GoalsScored; //Offset=0x4e4, Size=0x4, Bitmap=0x0
UIntProperty Kills; //Offset=0x4e8, Size=0x4, Bitmap=0x0
UIntProperty SwapRequest; //Offset=0x508, Size=0x4, Bitmap=0x0
UBoolProperty bWillBeMedic; //Offset=0x510, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bWantsFTLeader; //Offset=0x518, Size=0x4, Bitmap=0x0
UBoolProperty bWantsSquadLeader; //Offset=0x518, Size=0x4, Bitmap=0x0
UBoolProperty bAvoidLeaderRole; //Offset=0x518, Size=0x4, Bitmap=0x0
UBoolProperty bWantsMedic; //Offset=0x518, Size=0x4, Bitmap=0x0
UBoolProperty bQualifiedSniper; //Offset=0x518, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bQualifiedAirborne; //Offset=0x518, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bQualifiedRanger; //Offset=0x518, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bQualifiedMedic; //Offset=0x518, Size=0x4, Bitmap=0x178e4d0
UBoolProperty bQualifiedSF; //Offset=0x518, Size=0x4, Bitmap=0x178e4d0
UFloatProperty tNextVoteAllowed; //Offset=0x520, Size=0x4, Bitmap=0x0
UBoolProperty bMuted; //Offset=0x58c, Size=0x4, Bitmap=0x178e4d0
UClassProperty requiredClass; //Offset=0x590, Size=0x4, Bitmap=0x0
UBoolProperty bTournamentSquadLeader; //Offset=0x594, Size=0x4, Bitmap=0x178e4d0
BigMiniMe5
2nd September 2004, 14:34
Damn, I don't understand ANY of that.... C++ looks pretty hard compared to PHP - LoL :) :) :)
dozer15
2nd September 2004, 18:16
Thanks for the file, don't know if I can do anything with it but I'm going to try.
PhrozenHell
2nd September 2004, 18:19
PHP is an easy form of coding. However, if you have good logic skills and can work with variables, any kind of coding is possible. Just dive into it and learn as much as you can and eventually it all becomes easy.
cheers
temp2
3rd September 2004, 13:58
Structural Decomposition Of The Entire UnrealOS
I've moved on a bit from the structural decomposition of an Unreal class to the recursive structural decomposition of the entire game. The technique utilised is pretty fundamental to the core mechanics of the UnrealOS.
More soon :-). Unless my install of Visual Studio .NET does not go well.
Log: Package Window Processed
Log: Package Core Processed
Log: Package Engine Processed
Log: Package Transient Processed
Log: Package WinDrv Processed
Log: Package D3DDrv Processed
Log: Package Entry Processed
Log: Package AGP_Gameplay Processed
Log: Package AGP Processed
Log: Package AGP_UI Processed
Log: Package IpDrv Processed
Log: Package T-UI Processed
Log: Package T2-UI Processed
Log: Package T_UI2 Processed
Log: Package T-MISC Processed
Log: Package T-WINDOWS Processed
Log: Package T-FX Processed
Log: Package T2-FX Processed
Log: Package T2-SKY Processed
Log: Package T-CONCRETE Processed
Log: Package T2-CONCRETE Processed
Log: Package T2-BRICK Processed
Log: Package S-PlayerCommo Processed
Log: Package AGP_Effects Processed
Log: Package M-FX Processed
Log: Package T-EQUIPMENT Processed
Log: Package T-SKINS Processed
Log: Package T-METAL Processed
Log: Package T-SKINS_vehicles Processed
Log: Package T2-SKINS Processed
Log: Package T2-WOOD Processed
Log: Package T2-METAL Processed
Log: Package T2-FABRIC Processed
Log: Package T-FABRIC Processed
Log: Package T-FOLIAGE Processed
Log: Package S-WeaponFX Processed
Log: Package S-Foley Processed
Log: Package M2-fx Processed
Log: Package T-LIQUIDS Processed
Log: Package S-Explosions Processed
Log: Package M-weapons Processed
Log: Package T-Weapons Processed
Log: Package M2-Weapons Processed
Log: Package S-WeaponsUS Processed
Log: Package S-Human Processed
Log: Package Gameplay Processed
Log: Package T-Fonts Processed
Log: Package S-JumpSchool Processed
Log: Package S-Objective Processed
Log: Package T-Editor Processed
Log: Package A-USMods Processed
Log: Package Editor Processed
Package Window
Class Window.WindowManager
Package Core
Class Core.Object
Function Core.Object.EndState
Function Core.Object.BeginState
Function Core.Object.LogFileClose
BoolProperty Core.Object.LogFileClose.ReturnValue
Function Core.Object.LogFileWrite
StrProperty Core.Object.LogFileWrite.szType
StrProperty Core.Object.LogFileWrite.szMessage
BoolProperty Core.Object.LogFileWrite.bFlush
BoolProperty Core.Object.LogFileWrite.ReturnValue
Function Core.Object.LogFileOpen
BoolProperty Core.Object.LogFileOpen.ReturnValue
...
Class Core.System
IntProperty Core.System.PurgeCacheDays
StrProperty Core.System.SavePath
StrProperty Core.System.CachePath
StrProperty Core.System.CacheExt
ArrayProperty Core.System.Paths
StrProperty Core.System.Paths.StrProperty0
ArrayProperty Core.System.Suppress
NameProperty Core.System.Suppress.NameProperty0
Class Core.StructProperty
Class Core.Property
Class Core.Field
Class Core.MapProperty
Class Core.ArrayProperty
Class Core.FixedArrayProperty
Class Core.StrProperty
Class Core.NameProperty
Class Core.ClassProperty
Class Core.ObjectProperty
Class Core.FloatProperty
Class Core.BoolProperty
Class Core.DelegateProperty
Class Core.IntProperty
Class Core.ByteProperty
Class Core.Language
Class Core.TextBufferFactory
Class Core.Factory
StrProperty Core.Factory.Description
StrProperty Core.Factory.InContextCommand
StrProperty Core.Factory.OutOfContextCommand
ArrayProperty Core.Factory.Formats
StrProperty Core.Factory.Formats.StrProperty0
Class Core.Package
Class Core.LinkerSave
Class Core.Linker
Class Core.LinkerLoad
Class Core.Enum
Class Core.TextBuffer
Class Core.Const
Class Core.Function
Class Core.Struct
Class Core.Class
Class Core.State
Class Core.ObjectExporterT3D
Class Core.Exporter
ArrayProperty Core.Exporter.Formats
StrProperty Core.Exporter.Formats.StrProperty0
Package Engine
Class Engine.NetPendingLevel
Class Engine.PendingLevel
Class Engine.NetDriver
FloatProperty Engine.NetDriver.ConnectionTimeout
FloatProperty Engine.NetDriver.InitialConnectTimeout
FloatProperty Engine.NetDriver.KeepAliveTime
FloatProperty Engine.NetDriver.RelevantTimeout
FloatProperty Engine.NetDriver.SpawnPrioritySeconds
FloatProperty Engine.NetDriver.ServerTravelPause
IntProperty Engine.NetDriver.MaxClientRate
IntProperty Engine.NetDriver.NetServerMaxTickRate
IntProperty Engine.NetDriver.LanServerMaxTickRate
Class Engine.PackageMapLevel
Class Engine.ChannelDownload
Class Engine.Download
Class Engine.DemoRecDriver
StrProperty Engine.DemoRecDriver.DemoSpectatorClass
Class Engine.DemoRecConnection
Class Engine.NetConnection
Class Engine.Player
...
temp2
8th September 2004, 15:22
Are you sure you guys have got the bitmap order correct? It does not correspond to the mask I see. I will test out some code to read the bits if you don't reply.
class DLL_IMPORT PlayerReplicationInfo : public APlayerReplicationInfo
{
public:
INT Score_Total; // Offset=0x430 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT Score_Leadership; // Offset=0x434 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT Score_Wins; // Offset=0x438 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT Score_Objectives; // Offset=0x43c Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT Score_Deaths; // Offset=0x440 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT Score_Kills; // Offset=0x444 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT Score_ROE; // Offset=0x448 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT _Credited_Wins; // Offset=0x44c Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _Credited_Leadership; // Offset=0x450 Size=0x04 Flags=0x00000000 BitMask=0x00000000
class ACarriedObject* HasFlag; // Offset=0x454 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT Ping; // Offset=0x458 Size=0x04 Flags=0x00000020 BitMask=0x00000000
class AVolume* PlayerVolume; // Offset=0x45c Size=0x04 Flags=0x00000020 BitMask=0x00000000
class AZoneInfo* PlayerZone; // Offset=0x460 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT NumLives; // Offset=0x464 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FStringNoInit PlayerName; // Offset=0x468 Size=0x0c Flags=0x00400020 BitMask=0x00000000
FStringNoInit CharacterName; // Offset=0x474 Size=0x0c Flags=0x00400020 BitMask=0x00000000
FStringNoInit OldCharacterName; // Offset=0x480 Size=0x0c Flags=0x00400000 BitMask=0x00000000
FStringNoInit OldName; // Offset=0x48c Size=0x0c Flags=0x00400000 BitMask=0x00000000
FStringNoInit PreviousName; // Offset=0x498 Size=0x0c Flags=0x00400000 BitMask=0x00000000
FStringNoInit PlayerMAC; // Offset=0x4a4 Size=0x0c Flags=0x00400000 BitMask=0x00000000
INT PlayerID; // Offset=0x4b0 Size=0x04 Flags=0x00000020 BitMask=0x00000000
class ATeamInfo* Team; // Offset=0x4b4 Size=0x04 Flags=0x00000020 BitMask=0x00000000
BYTE DesiredTeam; // Offset=0x4b8 Size=0x01 Flags=0x00000020 BitMask=0x00000000
INT TeamID; // Offset=0x4bc Size=0x04 Flags=0x00000020 BitMask=0x00000000
class UClass* VoiceType; // Offset=0x4c0 Size=0x04 Flags=0x00000020 BitMask=0x00000000
BITFIELD bAdmin : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000001
BITFIELD bIsFemale : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000002
BITFIELD bIsSpectator : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000004
BITFIELD bOnlySpectator : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000008
BITFIELD bWaitingPlayer : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000010
BITFIELD bReadyToPlay : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000020
BITFIELD bOutOfLives : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000040
BITFIELD bBot : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000080
BITFIELD bWelcomed : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000000 BitMask=0x00000100
BITFIELD bReceivedPing : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000000 BitMask=0x00000200
BITFIELD bHasFlag : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000400
BITFIELD bGuerrillaPS : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000800
BITFIELD bSpecialForcesPS : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00001000
BITFIELD bVIPPS : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00002000
INT StartTime; // Offset=0x4c8 Size=0x04 Flags=0x00000020 BitMask=0x00000000
FStringNoInit StringSpectating; // Offset=0x4cc Size=0x0c Flags=0x00408000 BitMask=0x00000000
FStringNoInit StringUnknown; // Offset=0x4d8 Size=0x0c Flags=0x00408000 BitMask=0x00000000
INT GoalsScored; // Offset=0x4e4 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT Kills; // Offset=0x4e8 Size=0x04 Flags=0x00000000 BitMask=0x00000000
BITFIELD bDead : 1; // Offset=0x4ec Size=0x04 Flags=0x00000020 BitMask=0x00000001
class APawn* myPawn; // Offset=0x4f0 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT LocationX; // Offset=0x4f4 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT LocationY; // Offset=0x4f8 Size=0x04 Flags=0x00000020 BitMask=0x00000000
INT LocationZ; // Offset=0x4fc Size=0x04 Flags=0x00000020 BitMask=0x00000000
FLOAT slowtime; // Offset=0x500 Size=0x04 Flags=0x00000000 BitMask=0x00000000
class APlayerReplicationInfo* PRI_WaitingForPawn; // Offset=0x504 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT SwapRequest; // Offset=0x508 Size=0x04 Flags=0x00000020 BitMask=0x00000000
BYTE FT; // Offset=0x50c Size=0x01 Flags=0x00000020 BitMask=0x00000000
BITFIELD bWillBeMedic : 1; // Offset=0x510 Size=0x04 Flags=0x00000020 BitMask=0x00000001
BITFIELD bLostMedic : 1; // Offset=0x510 Size=0x04 Flags=0x00000000 BitMask=0x00000002
BITFIELD bIsMedic : 1; // Offset=0x510 Size=0x04 Flags=0x00000020 BitMask=0x00000004
BITFIELD bCallForMedic : 1; // Offset=0x510 Size=0x04 Flags=0x00000020 BitMask=0x00000008
BITFIELD _bSoldiersCharacter : 1; // Offset=0x510 Size=0x04 Flags=0x00000000 BitMask=0x00000010
INT _iTrust; // Offset=0x514 Size=0x04 Flags=0x00000020 BitMask=0x00000000
BITFIELD bWantsFTLeader : 1; // Offset=0x518 Size=0x04 Flags=0x00000000 BitMask=0x00000001
BITFIELD bWantsSquadLeader : 1; // Offset=0x518 Size=0x04 Flags=0x00000000 BitMask=0x00000002
BITFIELD bAvoidLeaderRole : 1; // Offset=0x518 Size=0x04 Flags=0x00000000 BitMask=0x00000004
BITFIELD bWantsMedic : 1; // Offset=0x518 Size=0x04 Flags=0x00000000 BitMask=0x00000008
BITFIELD bQualifiedSniper : 1; // Offset=0x518 Size=0x04 Flags=0x00000020 BitMask=0x00000010
BITFIELD bQualifiedAirborne : 1; // Offset=0x518 Size=0x04 Flags=0x00000020 BitMask=0x00000020
BITFIELD bQualifiedRanger : 1; // Offset=0x518 Size=0x04 Flags=0x00000020 BitMask=0x00000040
BITFIELD bQualifiedMedic : 1; // Offset=0x518 Size=0x04 Flags=0x00000020 BitMask=0x00000080
BITFIELD bQualifiedSF : 1; // Offset=0x518 Size=0x04 Flags=0x00000020 BitMask=0x00000100
FLOAT _fWeight; // Offset=0x51c Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT tNextVoteAllowed; // Offset=0x520 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FStringNoInit votekick; // Offset=0x524 Size=0x0c Flags=0x00400000 BitMask=0x00000000
FStringNoInit SquadName; // Offset=0x530 Size=0x0c Flags=0x00400020 BitMask=0x00000000
INT _cumRounds; // Offset=0x53c Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _LastTimeUpdate; // Offset=0x540 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _cumTotal; // Offset=0x544 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _cumLeadership; // Offset=0x548 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _cumWins; // Offset=0x54c Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _cumObjectives; // Offset=0x550 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _cumDeaths; // Offset=0x554 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _cumKills; // Offset=0x558 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _cumROE; // Offset=0x55c Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _prevTotal; // Offset=0x560 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _prevLeadership; // Offset=0x564 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _prevWins; // Offset=0x568 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _prevObjectives; // Offset=0x56c Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _prevDeaths; // Offset=0x570 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _prevKills; // Offset=0x574 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _prevROE; // Offset=0x578 Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _Experience; // Offset=0x57c Size=0x04 Flags=0x00000000 BitMask=0x00000000
INT _ExperienceDelta; // Offset=0x580 Size=0x04 Flags=0x00000000 BitMask=0x00000000
BITFIELD bSUEnabled : 1; // Offset=0x584 Size=0x04 Flags=0x00000000 BitMask=0x00000001
BYTE _Group; // Offset=0x588 Size=0x01 Flags=0x00000020 BitMask=0x00000000
BITFIELD bMuted : 1; // Offset=0x58c Size=0x04 Flags=0x00000020 BitMask=0x00000001
class UClass* requiredClass; // Offset=0x590 Size=0x04 Flags=0x00000020 BitMask=0x00000000
BITFIELD bTournamentSquadLeader : 1; // Offset=0x594 Size=0x04 Flags=0x00000020 BitMask=0x00000001
};
HelioS
8th September 2004, 15:30
this is what my tool spits out atm
check out http://www.ArtificialAiming.tk to see what is possible :)
class DLL_IMPORT APlayerReplicationInfo : public AReplicationInfo
{
public:
INT Score_Total;
INT Score_Leadership;
INT Score_Wins;
INT Score_Objectives;
INT Score_Deaths;
INT Score_Kills;
INT Score_ROE;
INT _Credited_Wins;
INT _Credited_Leadership;
class ACarriedObject* HasFlag;
INT Ping;
class AVolume* PlayerVolume;
class AZoneInfo* PlayerZone;
INT NumLives;
FStringNoInit PlayerName;
FStringNoInit CharacterName;
FStringNoInit OldCharacterName;
FStringNoInit OldName;
FStringNoInit PreviousName;
FStringNoInit PlayerMAC;
INT PlayerID;
class ATeamInfo* Team;
BYTE DesiredTeam;
INT TeamID;
class UClass* VoiceType;
BITFIELD bAdmin:1;
BITFIELD bIsFemale:1;
BITFIELD bIsSpectator:1;
BITFIELD bOnlySpectator:1;
BITFIELD bWaitingPlayer:1;
BITFIELD bReadyToPlay:1;
BITFIELD bOutOfLives:1;
BITFIELD bBot:1;
BITFIELD bWelcomed:1;
BITFIELD bReceivedPing:1;
BITFIELD bHasFlag:1;
BITFIELD bGuerrillaPS:1;
BITFIELD bSpecialForcesPS:1;
BITFIELD bVIPPS:1;
INT StartTime;
FStringNoInit StringSpectating;
FStringNoInit StringUnknown;
INT GoalsScored;
INT Kills;
BITFIELD bDead:1;
class APawn* myPawn;
INT LocationX;
INT LocationY;
INT LocationZ;
FLOAT slowtime;
class APlayerReplicationInfo* PRI_WaitingForPawn;
INT SwapRequest;
BYTE FT;
BITFIELD bWillBeMedic:1;
BITFIELD bLostMedic:1;
BITFIELD bIsMedic:1;
BITFIELD bCallForMedic:1;
BITFIELD _bSoldiersCharacter:1;
INT _iTrust;
BITFIELD bWantsFTLeader:1;
BITFIELD bWantsSquadLeader:1;
BITFIELD bAvoidLeaderRole:1;
BITFIELD bWantsMedic:1;
BITFIELD bQualifiedSniper:1;
BITFIELD bQualifiedAirborne:1;
BITFIELD bQualifiedRanger:1;
BITFIELD bQualifiedMedic:1;
BITFIELD bQualifiedSF:1;
FLOAT _fWeight;
FLOAT tNextVoteAllowed;
FStringNoInit votekick;
FStringNoInit SquadName;
INT _cumRounds;
INT _LastTimeUpdate;
INT _cumTotal;
INT _cumLeadership;
INT _cumWins;
INT _cumObjectives;
INT _cumDeaths;
INT _cumKills;
INT _cumROE;
INT _prevTotal;
INT _prevLeadership;
INT _prevWins;
INT _prevObjectives;
INT _prevDeaths;
INT _prevKills;
INT _prevROE;
INT _Experience;
INT _ExperienceDelta;
BITFIELD bSUEnabled:1;
BYTE _Group;
BITFIELD bMuted:1;
class UClass* requiredClass;
BITFIELD bTournamentSquadLeader:1;
};
temp2
8th September 2004, 15:44
this is what my tool spits out atm
check out http://www.ArtificialAiming.tk to see what is possible :)
Yep that corresponds to my bitmap ordering.
What is possible is only the beginning.
I'm just reverse engineering as much of the core & engine .h's as possible before work starts in earnest. I'm sure you're aware that there are some significant differences in some 432's to what is clearly in 2110. I will also be generating an independent C++ SDK on a trade basis.
class DLL_IMPORT Canvas : public UCanvas
{
public:
class UFont* Font; // Offset=0x028 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT FontScaleX; // Offset=0x02c Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT FontScaleY; // Offset=0x030 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT SpaceX; // Offset=0x034 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT SpaceY; // Offset=0x038 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT OrgX; // Offset=0x03c Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT OrgY; // Offset=0x040 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT ClipX; // Offset=0x044 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT ClipY; // Offset=0x048 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT CurX; // Offset=0x04c Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT CurY; // Offset=0x050 Size=0x04 Flags=0x00000000 BitMask=0x00000000
FLOAT Z; // Offset=0x054 Size=0x04 Flags=0x00000000 BitMask=0x00000000
BYTE Style; // Offset=0x058 Size=0x01 Flags=0x00000000 BitMask=0x00000000
FLOAT CurYL; // Offset=0x05c Size=0x04 Flags=0x00000000 BitMask=0x00000000
class UStruct* DrawColor; // Offset=0x060 Size=0x04 Flags=0x00000000 BitMask=0x00000000
BITFIELD bCenter : 1; // Offset=0x064 Size=0x04 Flags=0x00000000 BitMask=0x00000001
BITFIELD bNoSmooth : 1; // Offset=0x064 Size=0x04 Flags=0x00000000 BitMask=0x00000002
BITFIELD bNoNightVision : 1; // Offset=0x064 Size=0x04 Flags=0x00000000 BitMask=0x00000004
INT SizeX; // Offset=0x068 Size=0x04 Flags=0x00000002 BitMask=0x00000000
INT SizeY; // Offset=0x06c Size=0x04 Flags=0x00000002 BitMask=0x00000000
class UStruct* ColorModulate; // Offset=0x070 Size=0x10 Flags=0x00000000 BitMask=0x00000000
BITFIELD bRenderLevel : 1; // Offset=0x080 Size=0x04 Flags=0x00000000 BitMask=0x00000001
class UFont* TinyFont; // Offset=0x084 Size=0x04 Flags=0x00000000 BitMask=0x00000000
class UFont* SmallFont; // Offset=0x088 Size=0x04 Flags=0x00000000 BitMask=0x00000000
class UFont* MedFont; // Offset=0x08c Size=0x04 Flags=0x00000000 BitMask=0x00000000
FStringNoInit TinyFontName; // Offset=0x090 Size=0x0c Flags=0x00400000 BitMask=0x00000000
FStringNoInit SmallFontName; // Offset=0x09c Size=0x0c Flags=0x00400000 BitMask=0x00000000
FStringNoInit MedFontName; // Offset=0x0a8 Size=0x0c Flags=0x00400000 BitMask=0x00000000
class UViewport* Viewport; // Offset=0x0b4 Size=0x04 Flags=0x00000002 BitMask=0x00000000
INT pCanvasUtil; // Offset=0x0b8 Size=0x04 Flags=0x00000002 BitMask=0x00000000
class UStruct* TrimX; // Offset=0x0bc Size=0x08 Flags=0x00000000 BitMask=0x00000000
class UStruct* TrimY; // Offset=0x0c4 Size=0x08 Flags=0x00000000 BitMask=0x00000000
class UMaterial* LastBlackMaterial; // Offset=0x0cc Size=0x04 Flags=0x00000000 BitMask=0x00000000
class UMaterial* LastBlackSource; // Offset=0x0d0 Size=0x04 Flags=0x00000000 BitMask=0x00000000
};
HelioS
8th September 2004, 15:49
class DLL_IMPORT Canvas : public UCanvas
seems wrong it should be
class DLL_IMPORT UCanvas : public UObject
temp2
8th September 2004, 15:51
seems wrong it should be
class DLL_IMPORT UCanvas : public UObject
Correct. That piece of code needed looking at:
class DLL_IMPORT PlayerReplicationInfo : public AReplicationInfo
{
class DLL_IMPORT Pawn : public AActor
{
class DLL_IMPORT Canvas : public UObject
{
class DLL_IMPORT AGP_Pawn : public APawn
{
Now to add the native function prototypes :-)
micu_h3x
8th September 2004, 15:53
HelioS ? it would be much easier if you would post ur radar for aao here:P ;)
i tried to make my own core hax - i don't have ctype.h and time.h ... lol can someone give them to me?
FuX0R
8th September 2004, 16:18
HelioS ? it would be much easier if you would post ur radar for aao here:P ;)
i tried to make my own core hax - i don't have ctype.h and time.h ... lol can someone give them to me?
http://www.google.com/search?hl=en&ie=UTF-8&q=ctype.h
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=time.h
man i just broke a sweat
micu_h3x
8th September 2004, 20:21
i've already been lookin for it on google and no results..
and... i typed ctype.h, time.h maybe that's the reason :P
temp2
8th September 2004, 23:38
i've already been lookin for it on google and no results..
and... i typed ctype.h, time.h maybe that's the reason :P
I had hoped you were being ironic and still hope you are.
micu_h3x
9th September 2004, 00:27
dunno. i have all files, also with these .h things, but the hook won't compile.
Temp, i am sure u have compiled one :P Can i ask for it? :P
LOCALACCT
9th September 2004, 00:56
dunno. i have all files, also with these .h things, but the hook won't compile.
Temp, i am sure u have compiled one :P Can i ask for it? :P
Ha! He's not going to share it even if he had it! BTW .h files are called header files.
fredotnet
9th September 2004, 03:02
dunno. i have all files, also with these .h things, but the hook won't compile.
Temp, i am sure u have compiled one :P Can i ask for it? :P
u need osgb core hook
Picklelicious
9th September 2004, 03:59
this is what my tool spits out atm
check out http://www.ArtificialAiming.tk to see what is possible :)
Wow, that is impressive. You are doing great. Now all you need to do is decode the uScript functions and figure out how to call them from C++. (The UTPT docs are very helpful for decoding, and UObject::ProcessEvent is the function you are interested in.)
Doing this will allow you to do AAOManager style patches to the memory instead of the *.u files. Having perfect aim is necessary for those across the map shots, and you can do some very entertaining things by directly calling Server*() functions. You also are going to need to know how to decode functions to get the replication statements.
function void AGP.AGP_Weapon.ServerFire(optional bool bNoAdjustAim, optional bool bRapid, optional bool bBreatheBonus)
Flags: 000200C2, 0x00020000, NetReliable, Net, Defined
Replicate if (Role < 4)
{
0000: if (GetCurrentAmmoType() == None)
{
000C: GiveAmmo((APawn)Owner);
}
001C: if (GetCurrentAmmoType().HasAmmo())
{
002F: if (!bNoAdjustAim)
{
003A: AdjustedAim = AdjustAim(bBreatheBonus);
}
004C: iNextMisFire--;
0053: if (bMisFireOnRapid)
{
005C: CheckRapidMisfire(bRapid);
}
0068: if (bMisFire && (iNextMisFire <= 0))
{
007E: CalcNextMisFire();
0084: HandleMisFire();
008A: goto 00B6;
}
008D: if (IsInState('BusyFiring'))
{
0098: BeginState();
009E: goto 00B6;
}
00A1: if (IsInState('BusyTempLowering'))
{
00AC: goto 00B6;
}
00AF: GotoState('BusyFiring');
00B6: goto 00F8;
}
00B9: DebugLog(1, "AGP_Weapon::ServerFire() Got here with no ammo! " + self);
00F8:}
bigg-boy
9th September 2004, 05:12
Wow all the magicians came out for this... I'm waiting for the show to start when these types of things start to pop up and fill the downloads, but I'm waiting for the one who makes the engine hack and goes public....Then you will be the Grand Magician...and they will call you........>>>>>HOUDINI<<<<<......
osGb`
9th September 2004, 06:33
HelioS ? it would be much easier if you would post ur radar for aao here:P ;)
i tried to make my own core hax - i don't have ctype.h and time.h ... lol can someone give them to me?
you have a lot more problems ahead of you...
and lol @ bigg-boy....
we know about decompiling pickle, thanks :ermm:
and I addressed ProcEvent 2 years ago -_-;
temp2
9th September 2004, 10:59
dunno. i have all files, also with these .h things, but the hook won't compile.
Temp, i am sure u have compiled one :P Can i ask for it? :P
Lots more will be on its way soon. But to get it you will need to trade source code. The shopping list for code will follow also.... Stay tuned.
micu_h3x
9th September 2004, 11:37
i've never seen a more experienced cheater/hacker/coder than you Temp2, and ELFs....
do you mean u r working on public hacks??
and one question.. what does a core hook include? radar? aimbot??
temp2
9th September 2004, 12:50
i've never seen a more experienced cheater/hacker/coder than you Temp2, and ELFs....
do you mean u r working on public hacks??
and one question.. what does a core hook include? radar? aimbot??
Me:
Independent C++ SDK for semi-public release.
Private warfare bot (aimbot ++) it will navigate the map.
Public devmode replacement for 2.2 time permitting (inject, hook, change the settings and detach elegantly). Being non-residential and injectable when the user wants this should be very difficult ne impossible for PB to detect as a piece of software.
osGB's tutorial is good for getting going.
Helios' contains an aimbot + radar but needs an SDK (AA is quite different from UT 432).
[X-File]
9th September 2004, 13:51
What about me??
some bytehack... i'm trying to find something interesting.. i've found good thing to make it honorhack..... (Engine.u > xxxxx (don't remember) > UpdateScore...
temp2
9th September 2004, 15:50
Now all you need to do is decode the uScript functions and figure out how to call them from C++. (The UTPT docs are very helpful for decoding, and UObject::ProcessEvent is the function you are interested in.)
function void AGP.AGP_Weapon.ServerFire(optional bool bNoAdjustAim, optional bool bRapid, optional bool bBreatheBonus)
Flags: 000200C2, 0x00020000, NetReliable, Net, Defined
Replicate if (Role < 4)
Cheers Picklelicious. I was just moving on to functions after restructuring my class decompositor so that it is more modular and recurses the entire object hierarchy of a running Unreal OS game. Those flags look quite useful, and I can see you have been acquainting yourself with master Antonio Cordero Balcazar's excellent work.
I'll just share with you the following, which amused me when it popped out at the top of my new .h.
class DLL_IMPORT Object
{
public:
INT ObjectInternal;
class UObject* Outer;
INT ObjectFlags;
FName* Name;
class UClass* Class;
};
Picklelicious
9th September 2004, 18:33
we know about decompiling pickle, thanks :ermm:
and I addressed ProcEvent 2 years ago -_-;
Glad to hear it. Didn’t mean to tell you things you already knew. I find the replication statement very handy. It is nice to be able to just look at the variables and functions and know how they get replicated and which side they execute on. I am sure you enjoy that too.
I also noticed some strange behavior with ProcessEvent. It will not call functions that have native indexes (like the Engine.Actor.BoneTrace function). But that is easy to fix.
I’ll try not to bother you in the future.
I'll just share with you the following, which amused me when it popped out at the top of my new .h.
The UClass/UProperty info is extremely helpful, but it doesn’t always give you everything. UObject is one of those cases. You have to do it by hand. Here is mine:
struct UObject
{
DWORD * pVMT; //0x000
int ObjectInternal; //0x004
UObject * pOuter; //0x008
FFrame * pFrame; //0x00C
ULinkerLoad * pLinkerLoad; //0x010
int PackageNumber; //0x014
UClass * pParentClass; //0x018
ObjectFlagStruct ObjectFlags; //0x01C
FName Name; //0x020
UClass * pClass; //0x024
};
temp2
10th September 2004, 03:56
Keep up the good work Picklelicious, and don't worry about osGB. Once the class structure is cracked all the rest starts falling into place. I want to get into a position where the decompositor is as self-maintaining as possible, which is necessary as 432 headers are departing more and more from reality.
Here is my todo list for SDK beta 1 release.
* Examine holes in class property offsets to maintain alignments: char Unknown[n]
* PropertyFlag interpreter
* Functions and parameters
* All class headers independent of whether they have internally published properties
* Macros for what ProcessEvent can handle
* Account for discrepancies between unmangled dll exports and decompositor results.
I have a command line tool for demangling all exports.
Picklelicious
10th September 2004, 06:01
I want to get into a position where the decompositor is as self-maintaining as possible, which is necessary as 432 headers are departing more and more from reality.
You really don’t need any headers. The AAO engine was the first UT engine I hacked and I didn’t have any headers. All you need are partial definitions of the UObject, UField, UStruct, UState, UClass, UProperty, and UFunction objects. (You can get those by looking at core and engine in IDAPro. There are so many exported member functions that it is pretty easy to trace through them and get the property offsets.)
* PropertyFlag interpreter
I got most of these from UTPT docs. Really, the only ones I use are the *Parm ones and the Net one.
struct PropertyFlagStruct
{
unsigned int Edit : 1; //0x00000001
unsigned int Const : 1; //0x00000002
unsigned int Input : 1; //0x00000004
unsigned int ExportObject : 1; //0x00000008
unsigned int OptionalParm : 1; //0x00000010
unsigned int Net : 1; //0x00000020
unsigned int ConstRef : 1; //0x00000040
unsigned int Parm : 1; //0x00000080
unsigned int OutParm : 1; //0x00000100
unsigned int SkipParm : 1; //0x00000200
unsigned int ReturnParm : 1; //0x00000400
unsigned int CoerceParm : 1; //0x00000800
unsigned int Native : 1; //0x00001000
unsigned int Transient : 1; //0x00002000
unsigned int Config : 1; //0x00004000
unsigned int Localized : 1; //0x00008000
unsigned int Travel : 1; //0x00010000
unsigned int EditConst : 1; //0x00020000
unsigned int GlobalConfig : 1; //0x00040000
unsigned int Unknown0x00080000 : 1; //0x00080000
unsigned int OnDemand : 1; //0x00100000
unsigned int New : 1; //0x00200000
unsigned int NeedCtorLink : 1; //0x00400000
unsigned int Unknown0x00800000 : 1; //0x00800000
unsigned int Unknown0x01000000 : 1; //0x01000000
unsigned int Unknown0x02000000 : 1; //0x02000000
unsigned int Unknown0x04000000 : 1; //0x04000000
unsigned int Unknown0x08000000 : 1; //0x08000000
unsigned int Unknown0x10000000 : 1; //0x10000000
unsigned int Unknown0x20000000 : 1; //0x20000000
unsigned int Unknown0x40000000 : 1; //0x40000000
unsigned int Unknown0x80000000 : 1; //0x80000000
};
* All class headers independent of whether they have internally published properties
That is going to be a lot of work. Some of the classes have interesting properties that are not defined in the UProperties. For example, UD3DRenderDevice has the D3D interfaces stored in it, but they are not defined. (And they are at different offsets between UT2003 and UT2004.) If you look at this definition, there is a bunch of undefined stuff at Unknown0x0064. I think it would take a long time to figure out what all of it was.
BTW, you used to be able to hook D3D by just replacing pD3DDevice with a pointer to your wrapper class, but PB checks for that now. (Their check is easy to get around. Just restore the original pointer before they do their test.)
struct UD3DRenderDevice : URenderDevice //OF0x44084044
{
float TesselationFactor; //0x0044 PF0x00004000
float DefaultTexMipBias; //0x0048 PF0x00004000
float DetailTexMipBias; //0x004C PF0x00004000
int LevelOfAnisotropy; //0x0050 PF0x00004000
int DesiredRefreshRate; //0x0054 PF0x00004000
int MaxPixelShaderVersion; //0x0058 PF0x00004000
int AdapterNumber; //0x005C PF0x00004000
unsigned int DecompressTextures : 1; //0x0060 PF0x00004000
unsigned int CheckForOverflow : 1; //0x0060 PF0x00004000
unsigned int UseNPatches : 1; //0x0060 PF0x00004000
unsigned int UseXBoxFSAA : 1; //0x0060 PF0x00004000
unsigned int ReduceMouseLag : 1; //0x0060 PF0x00004000
unsigned int UseCubemaps : 1; //0x0060 PF0x00004000
unsigned int UseTripleBuffering : 1; //0x0060 PF0x00004000
unsigned int UseVSync : 1; //0x0060 PF0x00004000
unsigned int UseTrilinear : 1; //0x0060 PF0x00004000
unsigned int UsePrecaching : 1; //0x0060 PF0x00004000
unsigned int UseHardwareVS : 1; //0x0060 PF0x00004000
unsigned int UseHardwareTL : 1; //0x0060 PF0x00004000
char Unknown0x0064[0x46A4 - 0x0064];
IDirect3D8 * pD3D; //0x46A4
IDirect3DDevice8 * pD3DDevice; //0x46A8
}; //0x468C
* Macros for what ProcessEvent can handle
That is pretty easy. One of the fields in UFunction contains the native function index. If it is non-zero, then ProcessEvent will not execute the function. You can find the offset by stepping through the ProcessEvent function.
Bestalouca
10th September 2004, 09:03
Hey if you guys need help in testing anything feel free to contact me.....
temp2
10th September 2004, 10:33
That is going to be a lot of work. Some of the classes have interesting properties that are not defined in the UProperties. For example, UD3DRenderDevice has the D3D interfaces stored in it, but they are not defined. (And they are at different offsets between UT2003 and UT2004.) If you look at this definition, there is a bunch of undefined stuff at Unknown0x0064. I think it would take a long time to figure out what all of it was.
Intriguing, Picklelicious. Check this out. Clearly an INT does not occupy 18 bytes:
class DLL_IMPORT Object
{
public:
INT ObjectInternal; // Offset=0x0000 Size=0x18 CPF_Const|CPF_Native
class UObject* Outer; // Offset=0x0018 Size=0x04 CPF_Const|CPF_Native
INT ObjectFlags; // Offset=0x001c Size=0x04 CPF_Const|CPF_Native
FName* Name; // Offset=0x0020 Size=0x04 CPF_Edit|CPF_Const|CPF_Native|CPF_EditConst
class UClass* Class; // Offset=0x0024 Size=0x04 CPF_Const|CPF_Native|CPF_EditConst
};
Furthermore, your D3DRenderDevice looks nothing like mine. Is it from a different game?
class DLL_IMPORT D3DRenderDevice : public URenderDevice
{
public:
BITFIELD UsePrecaching : 1; // Offset=0x40cc Size=0x04 CPF_Config
BITFIELD UseTrilinear : 1; // Offset=0x40d0 Size=0x04 CPF_Config
char Unknown2[0x0004];
BITFIELD UseVSync : 1; // Offset=0x40d8 Size=0x04 CPF_Config
BITFIELD UseHardwareTL : 1; // Offset=0x40dc Size=0x04 CPF_Config
BITFIELD UseHardwareVS : 1; // Offset=0x40e0 Size=0x04 CPF_Config
BITFIELD UseCubemaps : 1; // Offset=0x40e4 Size=0x04 CPF_Config
char Unknown6[0x0010];
BITFIELD UseTripleBuffering : 1; // Offset=0x40f8 Size=0x04 CPF_Config
BITFIELD ReduceMouseLag : 1; // Offset=0x40fc Size=0x04 CPF_Config
BITFIELD UseXBoxFSAA : 1; // Offset=0x4100 Size=0x04 CPF_Config
char Unknown9[0x0010];
BITFIELD CheckForOverflow : 1; // Offset=0x4114 Size=0x04 CPF_Config
BITFIELD UseNPatches : 1; // Offset=0x4118 Size=0x04 CPF_Config
BITFIELD DecompressTextures : 1; // Offset=0x411c Size=0x04 CPF_Config
INT AdapterNumber; // Offset=0x4120 Size=0x04 CPF_Config
char Unknown13[0x0004];
INT MaxPixelShaderVersion; // Offset=0x4128 Size=0x04 CPF_Config
INT LevelOfAnisotropy; // Offset=0x412c Size=0x04 CPF_Config
FLOAT DetailTexMipBias; // Offset=0x4130 Size=0x04 CPF_Config
FLOAT DefaultTexMipBias; // Offset=0x4134 Size=0x04 CPF_Config
FLOAT TesselationFactor; // Offset=0x4138 Size=0x04 CPF_Config
INT DesiredRefreshRate; // Offset=0x413c Size=0x04 CPF_Config
};
I will put alignment compensation in for that jumping over variables.
Yours                                      Engine's
-----                                      --------
DWORD * pVMT;                    //0x000   INT ObjectInternal;   // Offset=0x0000 Size=0x18 CPF_Const|CPF_Native
int ObjectInternal;              //0x004
UObject * pOuter;                //0x008
FFrame * pFrame;                 //0x00C
ULinkerLoad * pLinkerLoad;       //0x010
int PackageNumber;               //0x014
UClass * pParentClass;           //0x018   class UObject* Outer; // Offset=0x0018 Size=0x04 CPF_Const|CPF_Native
ObjectFlagStruct ObjectFlags;    //0x01C   INT ObjectFlags;      // Offset=0x001c Size=0x04 CPF_Const|CPF_Native
FName Name;                      //0x020   FName* Name;          // Offset=0x0020 Size=0x04 CPF_Edit|CPF_Const|CPF_Native|CPF_EditConst
UClass * pClass;                 //0x024   class UClass* Class;  // Offset=0x0024 Size=0x04 CPF_Const|CPF_Native|CPF_EditConst
Better.
class DLL_IMPORT Object
{
public:
INT ObjectInternal; // Offset=0x0000 Size=0x18 CPF_Const|CPF_Native
char Unknown0[0x0014];
class UObject* Outer; // Offset=0x0018 Size=0x04 CPF_Const|CPF_Native
INT ObjectFlags; // Offset=0x001c Size=0x04 CPF_Const|CPF_Native
FName* Name; // Offset=0x0020 Size=0x04 CPF_Edit|CPF_Const|CPF_Native|CPF_EditConst
class UClass* Class; // Offset=0x0024 Size=0x04 CPF_Const|CPF_Native|CPF_EditConst
};
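As an added example (not code from anyone in this thread), here is a Python sketch of the "alignment compensation" and PropertyFlag interpretation discussed above: it parses dump lines in the Offset=/Size=/Flags=/BitMask= format, inserts char Unknown<n>[] padding where offsets skip, turns an oversized scalar such as the 0x18-byte ObjectInternal into an array the way HelioS' output does, names the flag bits per Picklelicious' PropertyFlagStruct, and rejects overlapping offsets as a layout error. The sample dumps are constructed from lines already posted in the thread (one property deliberately dropped to create a hole); taking the first property's offset as the class start and the 32-bit type sizes are assumptions.

```python
import re
from collections import namedtuple

# Bit names from the PropertyFlagStruct posted above; bits it leaves unnamed stay numeric.
CPF_NAMES = {
    0x00000001: "CPF_Edit", 0x00000002: "CPF_Const", 0x00000004: "CPF_Input",
    0x00000008: "CPF_ExportObject", 0x00000010: "CPF_OptionalParm", 0x00000020: "CPF_Net",
    0x00000040: "CPF_ConstRef", 0x00000080: "CPF_Parm", 0x00000100: "CPF_OutParm",
    0x00000200: "CPF_SkipParm", 0x00000400: "CPF_ReturnParm", 0x00000800: "CPF_CoerceParm",
    0x00001000: "CPF_Native", 0x00002000: "CPF_Transient", 0x00004000: "CPF_Config",
    0x00008000: "CPF_Localized", 0x00010000: "CPF_Travel", 0x00020000: "CPF_EditConst",
    0x00040000: "CPF_GlobalConfig", 0x00100000: "CPF_OnDemand", 0x00200000: "CPF_New",
    0x00400000: "CPF_NeedCtorLink",
}
# Assumed natural sizes of the dump's scalar types on a 32-bit build; pointers are 4 bytes.
TYPE_SIZES = {"INT": 4, "FLOAT": 4, "BYTE": 1, "BITFIELD": 4, "FName": 4, "FStringNoInit": 12}
# One dump line: "<decl>; // Offset=0x.. Size=0x.. Flags=0x.. BitMask=0x.."
LINE_RE = re.compile(
    r"^\s*(?P<decl>[^;/]+);\s*//\s*Offset=0x(?P<off>[0-9a-f]+)\s+Size=0x(?P<size>[0-9a-f]+)"
    r"\s+Flags=0x(?P<flags>[0-9a-f]+)\s+BitMask=0x(?P<mask>[0-9a-f]+)", re.I)
Prop = namedtuple("Prop", "decl offset size flags bitmask")  # decl e.g. "BITFIELD bAdmin : 1"

def parse_dump(text):
    """Parse the annotated declarations of one class dump into Prop records."""
    props = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        props.append(Prop(m["decl"].strip(), int(m["off"], 16), int(m["size"], 16),
                          int(m["flags"], 16), int(m["mask"], 16)))
    return props

def natural_size(p):
    """Bytes the declared C++ type occupies; unknown types fall back to the reported Size."""
    words = p.decl.split()
    key = words[1] if words[0] == "class" else words[0]
    return 4 if "*" in p.decl else TYPE_SIZES.get(key, p.size)

def decode_flags(flags):
    """Render a Flags= value as CPF_ names, lowest bit first; unnamed bits stay as hex."""
    names = [name for bit, name in sorted(CPF_NAMES.items()) if flags & bit]
    unknown = flags & ~sum(CPF_NAMES)
    if unknown:
        names.append(f"0x{unknown:08x}")
    return "|".join(names) if names else "0"

def emit_class(name, base, props, start):
    """Emit a class body whose offsets reproduce the dump; returns (text, end_offset).
    Holes become char Unknown<n>[...], an oversized scalar becomes an array, and an
    overlap raises ValueError because it means the dump or the declared types are wrong."""
    out = [f"class DLL_IMPORT {name} : public {base}", "{", "public:"]
    cursor, holes, bit_word = start, 0, None
    for p in props:
        if p.bitmask and p.offset == bit_word:  # further bit of a word already accounted for
            out.append(f"    {p.decl}; // bit 0x{p.bitmask:08x} {decode_flags(p.flags)}")
            continue
        if p.offset < cursor:
            raise ValueError(f"{p.decl} @0x{p.offset:x} overlaps field ending @0x{cursor:x}")
        if p.offset > cursor:
            out.append(f"    char Unknown{holes}[0x{p.offset - cursor:04x}]; // hole")
            holes += 1
        decl, nat = p.decl, natural_size(p)
        if p.size > nat and p.size % nat == 0:
            decl = f"{decl}[{p.size // nat}]"  # e.g. Size=0x18 INT -> INT ObjectInternal[6]
        out.append(f"    {decl}; // Offset=0x{p.offset:04x} {decode_flags(p.flags)}")
        cursor = p.offset + p.size
        bit_word = p.offset if p.bitmask else None
    out.append("};")
    return "\n".join(out), cursor

def build(name, base, text):
    """Parse and emit a dump; the first property's offset is assumed to be the class start."""
    props = parse_dump(text)
    return emit_class(name, base, props, props[0].offset)

def layout_error(text):
    """Overlap message for a dump, or None when its layout is self-consistent."""
    try:
        build("Probe", "UObject", text)
    except ValueError as err:
        return str(err)
    return None

# Constructed samples: APlayerReplicationInfo lines from the dumps above with VoiceType (0x4c0)
# deliberately left out to create a hole, and the Object lines rewritten into the Flags= format.
PRI_EXCERPT = """\
class ATeamInfo* Team; // Offset=0x4b4 Size=0x04 Flags=0x00000020 BitMask=0x00000000
BYTE DesiredTeam; // Offset=0x4b8 Size=0x01 Flags=0x00000020 BitMask=0x00000000
INT TeamID; // Offset=0x4bc Size=0x04 Flags=0x00000020 BitMask=0x00000000
BITFIELD bAdmin : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000001
BITFIELD bIsFemale : 1; // Offset=0x4c4 Size=0x04 Flags=0x00000020 BitMask=0x00000002
INT StartTime; // Offset=0x4c8 Size=0x04 Flags=0x00000020 BitMask=0x00000000
FStringNoInit StringSpectating; // Offset=0x4cc Size=0x0c Flags=0x00408000 BitMask=0x00000000
"""
OBJECT_EXCERPT = """\
INT ObjectInternal; // Offset=0x0000 Size=0x18 Flags=0x00001002 BitMask=0x00000000
class UObject* Outer; // Offset=0x0018 Size=0x04 Flags=0x00001002 BitMask=0x00000000
INT ObjectFlags; // Offset=0x001c Size=0x04 Flags=0x00001002 BitMask=0x00000000
FName Name; // Offset=0x0020 Size=0x04 Flags=0x00021003 BitMask=0x00000000
"""
```

Calling build("APlayerReplicationInfo", "AReplicationInfo", PRI_EXCERPT) yields a body with char Unknown0[0x0003] after the BYTE and char Unknown1[0x0004] where VoiceType was dropped; the Object excerpt yields INT ObjectInternal[6] and no padding.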
HelioS
10th September 2004, 15:26
k This is what mine spits out
class DLL_IMPORT UObject : public FUnknown
{
public:
INT ObjectInternal[6]; // Offset 0 (0x0) Size 4 PFlags (0x1002) 0|CPF_Const|CPF_Native|CPF_PropagateFromStruct
class UObject* Outer; // Offset 24 (0x18) Size 4 PFlags (0x1002) 0|CPF_Const|CPF_Native|CPF_PropagateFromStruct
INT ObjectFlags; // Offset 28 (0x1c) Size 4 PFlags (0x1002) 0|CPF_Const|CPF_Native|CPF_PropagateFromStruct
FName Name; // Offset 32 (0x20) Size 4 PFlags (0x21003) 0|CPF_Edit|CPF_Const|CPF_Native|CPF_EditConst|CPF_PropagateFromStruct
class UClass* Class; // Offset 36 (0x24) Size 4 PFlags (0x21002) 0|CPF_Const|CPF_Native|CPF_EditConst|CPF_PropagateFromStruct
DECLARE_BASE_CLASS(UObject,UObject,CLASS_Abstract,Core)
};
class DLL_IMPORT APlayerReplicationInfo : public AReplicationInfo
{
public:
INT Score_Total; // Offset 1072 (0x430) Size 4 PFlags (0x20) 0|CPF_Net
INT Score_Leadership; // Offset 1076 (0x434) Size 4 PFlags (0x20) 0|CPF_Net
INT Score_Wins; // Offset 1080 (0x438) Size 4 PFlags (0x20) 0|CPF_Net
INT Score_Objectives; // Offset 1084 (0x43c) Size 4 PFlags (0x20) 0|CPF_Net
INT Score_Deaths; // Offset 1088 (0x440) Size 4 PFlags (0x20) 0|CPF_Net
INT Score_Kills; // Offset 1092 (0x444) Size 4 PFlags (0x20) 0|CPF_Net
INT Score_ROE; // Offset 1096 (0x448) Size 4 PFlags (0x20) 0|CPF_Net
INT _Credited_Wins; // Offset 1100 (0x44c) Size 4 PFlags (0x0)
INT _Credited_Leadership; // Offset 1104 (0x450) Size 4 PFlags (0x0)
class ACarriedObject* HasFlag; // Offset 1108 (0x454) Size 4 PFlags (0x0)
INT Ping; // Offset 1112 (0x458) Size 4 PFlags (0x20) 0|CPF_Net
class AVolume* PlayerVolume; // Offset 1116 (0x45c) Size 4 PFlags (0x20) 0|CPF_Net
class AZoneInfo* PlayerZone; // Offset 1120 (0x460) Size 4 PFlags (0x20) 0|CPF_Net
INT NumLives; // Offset 1124 (0x464) Size 4 PFlags (0x0)
FStringNoInit PlayerName; // Offset 1128 (0x468) Size 12 PFlags (0x400020) 0|CPF_Net|CPF_NeedCtorLink
FStringNoInit CharacterName; // Offset 1140 (0x474) Size 12 PFlags (0x400020) 0|CPF_Net|CPF_NeedCtorLink
FStringNoInit OldCharacterName; // Offset 1152 (0x480) Size 12 PFlags (0x400000) 0|CPF_NeedCtorLink
FStringNoInit OldName; // Offset 1164 (0x48c) Size 12 PFlags (0x400000) 0|CPF_NeedCtorLink
FStringNoInit PreviousName; // Offset 1176 (0x498) Size 12 PFlags (0x400000) 0|CPF_NeedCtorLink
FStringNoInit PlayerMAC; // Offset 1188 (0x4a4) Size 12 PFlags (0x400000) 0|CPF_NeedCtorLink
INT PlayerID; // Offset 1200 (0x4b0) Size 4 PFlags (0x20) 0|CPF_Net
class ATeamInfo* Team; // Offset 1204 (0x4b4) Size 4 PFlags (0x20) 0|CPF_Net
BYTE DesiredTeam; // Offset 1208 (0x4b8) Size 1 PFlags (0x20) 0|CPF_Net
INT TeamID; // Offset 1212 (0x4bc) Size 4 PFlags (0x20) 0|CPF_Net
class UClass* VoiceType; // Offset 1216 (0x4c0) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bAdmin:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bIsFemale:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bIsSpectator:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bOnlySpectator:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bWaitingPlayer:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bReadyToPlay:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bOutOfLives:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bBot:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bWelcomed:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x0)
BITFIELD bReceivedPing:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x0)
BITFIELD bHasFlag:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bGuerrillaPS:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bSpecialForcesPS:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bVIPPS:1; // Offset 1220 (0x4c4) Size 4 PFlags (0x20) 0|CPF_Net
INT StartTime; // Offset 1224 (0x4c8) Size 4 PFlags (0x20) 0|CPF_Net
FStringNoInit StringSpectating; // Offset 1228 (0x4cc) Size 12 PFlags (0x408000) 0|CPF_Localized|CPF_NeedCtorLink
FStringNoInit StringUnknown; // Offset 1240 (0x4d8) Size 12 PFlags (0x408000) 0|CPF_Localized|CPF_NeedCtorLink
INT GoalsScored; // Offset 1252 (0x4e4) Size 4 PFlags (0x0)
INT Kills; // Offset 1256 (0x4e8) Size 4 PFlags (0x0)
BITFIELD bDead:1; // Offset 1260 (0x4ec) Size 4 PFlags (0x20) 0|CPF_Net
class APawn* myPawn; // Offset 1264 (0x4f0) Size 4 PFlags (0x0)
INT LocationX; // Offset 1268 (0x4f4) Size 4 PFlags (0x20) 0|CPF_Net
INT LocationY; // Offset 1272 (0x4f8) Size 4 PFlags (0x20) 0|CPF_Net
INT LocationZ; // Offset 1276 (0x4fc) Size 4 PFlags (0x20) 0|CPF_Net
FLOAT slowtime; // Offset 1280 (0x500) Size 4 PFlags (0x0)
class APlayerReplicationInfo* PRI_WaitingForPawn; // Offset 1284 (0x504) Size 4 PFlags (0x0)
INT SwapRequest; // Offset 1288 (0x508) Size 4 PFlags (0x20) 0|CPF_Net
BYTE FT; // Offset 1292 (0x50c) Size 1 PFlags (0x20) 0|CPF_Net
BITFIELD bWillBeMedic:1; // Offset 1296 (0x510) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bLostMedic:1; // Offset 1296 (0x510) Size 4 PFlags (0x0)
BITFIELD bIsMedic:1; // Offset 1296 (0x510) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bCallForMedic:1; // Offset 1296 (0x510) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD _bSoldiersCharacter:1; // Offset 1296 (0x510) Size 4 PFlags (0x0)
INT _iTrust; // Offset 1300 (0x514) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bWantsFTLeader:1; // Offset 1304 (0x518) Size 4 PFlags (0x0)
BITFIELD bWantsSquadLeader:1; // Offset 1304 (0x518) Size 4 PFlags (0x0)
BITFIELD bAvoidLeaderRole:1; // Offset 1304 (0x518) Size 4 PFlags (0x0)
BITFIELD bWantsMedic:1; // Offset 1304 (0x518) Size 4 PFlags (0x0)
BITFIELD bQualifiedSniper:1; // Offset 1304 (0x518) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bQualifiedAirborne:1; // Offset 1304 (0x518) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bQualifiedRanger:1; // Offset 1304 (0x518) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bQualifiedMedic:1; // Offset 1304 (0x518) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bQualifiedSF:1; // Offset 1304 (0x518) Size 4 PFlags (0x20) 0|CPF_Net
FLOAT _fWeight; // Offset 1308 (0x51c) Size 4 PFlags (0x0)
FLOAT tNextVoteAllowed; // Offset 1312 (0x520) Size 4 PFlags (0x0)
FStringNoInit votekick; // Offset 1316 (0x524) Size 12 PFlags (0x400000) 0|CPF_NeedCtorLink
FStringNoInit SquadName; // Offset 1328 (0x530) Size 12 PFlags (0x400020) 0|CPF_Net|CPF_NeedCtorLink
INT _cumRounds; // Offset 1340 (0x53c) Size 4 PFlags (0x0)
INT _LastTimeUpdate; // Offset 1344 (0x540) Size 4 PFlags (0x0)
INT _cumTotal; // Offset 1348 (0x544) Size 4 PFlags (0x0)
INT _cumLeadership; // Offset 1352 (0x548) Size 4 PFlags (0x0)
INT _cumWins; // Offset 1356 (0x54c) Size 4 PFlags (0x0)
INT _cumObjectives; // Offset 1360 (0x550) Size 4 PFlags (0x0)
INT _cumDeaths; // Offset 1364 (0x554) Size 4 PFlags (0x0)
INT _cumKills; // Offset 1368 (0x558) Size 4 PFlags (0x0)
INT _cumROE; // Offset 1372 (0x55c) Size 4 PFlags (0x0)
INT _prevTotal; // Offset 1376 (0x560) Size 4 PFlags (0x0)
INT _prevLeadership; // Offset 1380 (0x564) Size 4 PFlags (0x0)
INT _prevWins; // Offset 1384 (0x568) Size 4 PFlags (0x0)
INT _prevObjectives; // Offset 1388 (0x56c) Size 4 PFlags (0x0)
INT _prevDeaths; // Offset 1392 (0x570) Size 4 PFlags (0x0)
INT _prevKills; // Offset 1396 (0x574) Size 4 PFlags (0x0)
INT _prevROE; // Offset 1400 (0x578) Size 4 PFlags (0x0)
INT _Experience; // Offset 1404 (0x57c) Size 4 PFlags (0x0)
INT _ExperienceDelta; // Offset 1408 (0x580) Size 4 PFlags (0x0)
BITFIELD bSUEnabled:1; // Offset 1412 (0x584) Size 4 PFlags (0x0)
BYTE _Group; // Offset 1416 (0x588) Size 1 PFlags (0x20) 0|CPF_Net
BITFIELD bMuted:1; // Offset 1420 (0x58c) Size 4 PFlags (0x20) 0|CPF_Net
class UClass* requiredClass; // Offset 1424 (0x590) Size 4 PFlags (0x20) 0|CPF_Net
BITFIELD bTournamentSquadLeader:1; // Offset 1428 (0x594) Size 4 PFlags (0x20) 0|CPF_Net
DECLARE_CLASS(APlayerReplicationInfo,AReplicationInfo,0|CLASS_Localized|CLASS_RuntimeStatic|CLASS_NoExport|CLASS_NativeReplication|CLASS_Inherit|CLASS_RecompilerClear,Engine)
};
There is no need to alter the UObject class; the one from the UT432 headers is valid.
Picklelicious
10th September 2004, 17:07
@Temp2:
My UD3DRenderDevice is from AAO 2.1.
You might want to check to see if ObjectInternal is an array. I noticed that HelioS’ version used ObjectInternal[6]. A lot of the fields are actually arrays. You can tell that it is an array because the field before UProperty::Size is the array size. For example, the first property of AActor is ActorHelp, which is an array of 10 FStrings.
struct AActor : UObject //OF0x640F0044
{
FString ActorHelp[10]; //0x0028 PF0x00420003
BYTE /*ELightType*/ LightType; //0x00A0 PF0x00000021 Replicate if ((!bSkipActorPropertyReplication || bNetInitial) && (Role == 4))
BYTE /*ELightEffect*/ LightEffect; //0x00A1 PF0x00000021 Replicate if ((((!bSkipActorPropertyReplication || bNetInitial) && (Role == 4)) && bNetDirty) && (LightType != 0))
float LightBrightness; //0x00A2 PF0x00000021 Replicate if ((((!bSkipActorPropertyReplication || bNetInitial) && (Role == 4)) && bNetDirty) && (LightType != 0))
float LightRadius; //0x00A8 PF0x00000021 Replicate if ((((!bSkipActorPropertyReplication || bNetInitial) && (Role == 4)) && bNetDirty) && (LightType != 0))
…
I think it is useful to break out UObject::ObjectInternal into its parts. I use pVMT all the time. Mostly for calling an object’s virtual functions, but it is also useful for hooking a single object. I find it very convenient to copy an object’s virtual method table, change the pointers to the functions I need to hook, and then set the object’s pVMT to my new table.
@HelioS:
What does the UObject class in the UT432 headers look like?
Have you done anything with client-side prediction? What I would like to do is have the engine project a pawn into the future (for aimbot leading). Right now I use the pawn’s current velocity, which works okay but is not great. I would really like the leading to take into account gravity and bone animation. (I have a bone aimbot and the animation makes a difference.)
I tried using AActor::performPhysics(), but that didn’t move the pawn.
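The per-object hook Picklelicious describes (copy the virtual method table, patch the entries you need, repoint the object's pVMT at the copy) is exactly what an integrity check on the engine or anti-cheat side looks for. As an added example that is not from this thread or from any engine code, the C++ below records a trusted object's table pointer and slot entries once and later reports whether the pointer was redirected or the entries changed; RenderDevice, its three methods and the function names are constructed stand-ins.

```cpp
#include <cstring>

// Stand-in for an engine object that owns a virtual table (constructed for this
// example). No virtual destructor, so the table holds exactly these three slots
// under both the Itanium and the MSVC ABI.
struct RenderDevice {
    virtual int Lock()    { return 1; }
    virtual int Unlock()  { return 2; }
    virtual int Present() { return 3; }
};
enum { kVirtualSlots = 3 };

// The table pointer is the first word of the object. Read it with memcpy rather
// than a cast so the compiler cannot assume it never changes underneath us.
const void* const* vtable_of(const void* obj) {
    const void* const* table;
    std::memcpy(&table, obj, sizeof table);
    return table;
}

struct VtableBaseline {
    const void* const* table;          // where the legitimate table lives
    const void* slots[kVirtualSlots];  // its entries when the baseline was taken
};

// Take the baseline from a trusted, freshly constructed object.
VtableBaseline record_baseline(const RenderDevice& obj) {
    VtableBaseline b;
    b.table = vtable_of(&obj);
    std::memcpy(b.slots, b.table, sizeof b.slots);
    return b;
}

enum { VT_CLEAN = 0, VT_REDIRECTED = 1, VT_PATCHED = 2 };

// Report what changed: a table pointer that no longer points at the baseline
// table is the copy-and-repoint hook from the thread; entries that differ from
// the baseline mean individual slots were patched (in the copy or in place).
int check_vtable(const RenderDevice& obj, const VtableBaseline& b) {
    const void* const* table = vtable_of(&obj);
    int status = VT_CLEAN;
    if (table != b.table) status |= VT_REDIRECTED;
    if (std::memcmp(table, b.slots, sizeof b.slots) != 0) status |= VT_PATCHED;
    return status;
}

// Mitigation: point the object back at the legitimate table.
void restore_vtable(RenderDevice& obj, const VtableBaseline& b) {
    std::memcpy(static_cast<void*>(&obj), &b.table, sizeof b.table);
}
```

The same baseline-and-compare works for any object whose slot count you know; sweeping it over the live objects of a class catches a single redirected instance that a module-wide table check would miss.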
HelioS
10th September 2004, 19:18
Picklelicious you might wanna get a copy of UT432pubsrc
They hold a lot of info about the diff classes
and to get the head location you can use GetBoneCoors uscript function
One more thing, it seems your logger got the info from file, mine worx from inside the game memory
Picklelicious
10th September 2004, 20:02
I'll go download the UT432pubsrc.
I also use GetBoneCoors to get the bone coordinates. I also use BoneTrace to see which bones I can actually hit and how much damage it will do (it was very nice of the AAO devs to add that function). However, what I really need is where the bones are going to be in the future (when the fire command actually reaches the server) not where the bones are currently positioned now. The bones move around quite a bit when someone is moving (especially jumping). Using the pawn's current velocity does not model that motion very well.
My logger also works from memory. You inject it into a UT based game, press "Shift+D", and it dumps all the constants, enumerated types, and structures to a header file that will actually compile. It also decompiles all the UT scripts that are loaded in memory and dumps them into a separate file. It works with both the game and the stand-alone server.
Dumping the AAO server was interesting. There are some special admin commands that are only available for user group 20 (the Devs and the old HomeLAN admins). Stuff like barrel extenders and crap that would help the admins tell if you were wall hacking or had fog turned off. That special admin stuff doesn’t load on a server until a group 20 person logs on. You have to hack your stand-alone server first and force it to assign you to group 20 during the login.
newbielike
10th September 2004, 23:17
Dumping the AAO server was interesting. There are some special admin commands that are only available for user group 20 (the Devs and the old HomeLAN admins). Stuff like barrel extenders and crap that would help the admins tell if you were wall hacking or had fog turned off. That special admin stuff doesn’t load on a server until a group 20 person logs on. You have to hack your stand-alone server first and force it to assign you to group 20 during the login.
I remember hearing about this a while ago and the guy said he was working on trying to access these functions. Anybody ever have any luck?
temp2
11th September 2004, 06:51
You might want to check to see if ObjectInternal is an array. I noticed that HelioS’ version used ObjectInternal[6]. A lot of the fields are actually arrays. You can tell that it is an array because the field before UProperty::Size is the array size.
I can confirm you are correct Picklelicious. I'm now starting on the functions.
class DLL_IMPORT UObject
{
public:
INT ObjectInternal[6]; // Offset=0x0000 CPF_Const|CPF_Native
UObject* Outer; // Offset=0x0018 CPF_Const|CPF_Native
INT ObjectFlags; // Offset=0x001c CPF_Const|CPF_Native
FName* Name; // Offset=0x0020 CPF_Edit|CPF_Const|CPF_Native|CPF_EditConst
UClass* Class; // Offset=0x0024 CPF_Const|CPF_Native|CPF_EditConst
//GetLanguageFilter(BITFIELD ReturnValue : 1);
//CPF_Edit|CPF_ReturnParm|CPF_Transient|CPF_EditConst
DECLARE_FUNCTION(execGetLanguageFilter)
//LogFileClose(BITFIELD ReturnValue : 1);
//CPF_Edit|CPF_ReturnParm|CPF_EditConst
DECLARE_FUNCTION(execLogFileClose)
//LogFileOpen(BITFIELD ReturnValue : 1);
//CPF_Edit|CPF_ReturnParm|CPF_EditConst
DECLARE_FUNCTION(execLogFileOpen)
//FClose(BITFIELD ReturnValue : 1);
//CPF_Edit|CPF_ReturnParm|CPF_EditConst
DECLARE_FUNCTION(execFClose)
...
class DLL_IMPORT AActor : public UObject
{
public:
FStringNoInit ActorHelp[10]; // Offset=0x0028 CPF_Edit|CPF_Const|CPF_EditConst
BYTE LightType; // Offset=0x00a0 CPF_Edit|CPF_Net
BYTE LightEffect; // Offset=0x00a1 CPF_Edit|CPF_Net
FLOAT LightBrightness; // Offset=0x00a4 CPF_Edit|CPF_Net
FLOAT LightRadius; // Offset=0x00a8 CPF_Edit|CPF_Net
BYTE LightHue; // Offset=0x00ac CPF_Edit|CPF_Net
...
But still get holes and general discrepancy in UD3DRenderDevice.
class DLL_IMPORT UD3DRenderDevice : public URenderDevice
{
public:
BITFIELD UsePrecaching : 1; // Offset=0x40cc CPF_Config
BITFIELD UseTrilinear : 1; // Offset=0x40d0 CPF_Config
char Unknown2[0x0004];
BITFIELD UseVSync : 1; // Offset=0x40d8 CPF_Config
BITFIELD UseHardwareTL : 1; // Offset=0x40dc CPF_Config
BITFIELD UseHardwareVS : 1; // Offset=0x40e0 CPF_Config
BITFIELD UseCubemaps : 1; // Offset=0x40e4 CPF_Config
char Unknown6[0x0010];
BITFIELD UseTripleBuffering : 1; // Offset=0x40f8 CPF_Config
BITFIELD ReduceMouseLag : 1; // Offset=0x40fc CPF_Config
BITFIELD UseXBoxFSAA : 1; // Offset=0x4100 CPF_Config
char Unknown9[0x0010];
BITFIELD CheckForOverflow : 1; // Offset=0x4114 CPF_Config
BITFIELD UseNPatches : 1; // Offset=0x4118 CPF_Config
BITFIELD DecompressTextures : 1; // Offset=0x411c CPF_Config
INT AdapterNumber; // Offset=0x4120 CPF_Config
char Unknown13[0x0004];
INT MaxPixelShaderVersion; // Offset=0x4128 CPF_Config
INT LevelOfAnisotropy; // Offset=0x412c CPF_Config
FLOAT DetailTexMipBias; // Offset=0x4130 CPF_Config
FLOAT DefaultTexMipBias; // Offset=0x4134 CPF_Config
FLOAT TesselationFactor; // Offset=0x4138 CPF_Config
INT DesiredRefreshRate; // Offset=0x413c CPF_Config
};
What does the UObject class in the UT432 headers look like?
Man, I cannot believe you got so far without it.
INT Index; // Index of object into table.
UObject* HashNext; // Next object in this hash bin.
FStateFrame* StateFrame; // Main script execution stack.
ULinkerLoad* _Linker; // Linker it came from, or NULL if none.
INT _LinkerIndex; // Index of this object in the linker's export map.
UObject* Outer; // Object this object resides in.
DWORD ObjectFlags; // Private EObjectFlags used by object manager.
FName Name; // Name of the object.
UClass* Class; // Class the object belongs to.
HelioS
12th September 2004, 06:08
class DLL_IMPORT UD3DRenderDevice : public URenderDevice
{
public:
FLOAT TesselationFactor; // Offset 16696 (0x4138) Size 4 PFlags (0x4000) 0|CPF_Config
FLOAT DefaultTexMipBias; // Offset 16692 (0x4134) Size 4 PFlags (0x4000) 0|CPF_Config
FLOAT DetailTexMipBias; // Offset 16688 (0x4130) Size 4 PFlags (0x4000) 0|CPF_Config
INT LevelOfAnisotropy; // Offset 16684 (0x412c) Size 4 PFlags (0x4000) 0|CPF_Config
INT DesiredRefreshRate; // Offset 16700 (0x413c) Size 4 PFlags (0x4000) 0|CPF_Config
INT MaxPixelShaderVersion; // Offset 16680 (0x4128) Size 4 PFlags (0x4000) 0|CPF_Config
INT AdapterNumber; // Offset 16672 (0x4120) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD DecompressTextures:1; // Offset 16668 (0x411c) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD CheckForOverflow:1; // Offset 16660 (0x4114) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseNPatches:1; // Offset 16664 (0x4118) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseXBoxFSAA:1; // Offset 16640 (0x4100) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD ReduceMouseLag:1; // Offset 16636 (0x40fc) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseCubemaps:1; // Offset 16612 (0x40e4) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseTripleBuffering:1; // Offset 16632 (0x40f8) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseVSync:1; // Offset 16600 (0x40d8) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseTrilinear:1; // Offset 16592 (0x40d0) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UsePrecaching:1; // Offset 16588 (0x40cc) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseHardwareVS:1; // Offset 16608 (0x40e0) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseHardwareTL:1; // Offset 16604 (0x40dc) Size 4 PFlags (0x4000) 0|CPF_Config
DECLARE_CLASS(UD3DRenderDevice,URenderDevice,0,D3DDrv)
};
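temp2 is seeing holes in UD3DRenderDevice because his generator pads every byte no property claims, while HelioS's dumper lists the same properties unsorted but with their sizes. As an added example (not temp2's or HelioS's tool), the C++ below parses HelioS's line format, sorts by offset, merges bitfields that share a word, names the gaps Unknown<N> the way temp2's listing numbers them and flags any member whose offset contradicts the previous member's size; run on HelioS's UD3DRenderDevice listing it reproduces temp2's Unknown2, Unknown6, Unknown9 and Unknown13. The names layout_from_dump, rebuild_layout and format_member are mine.

```cpp
#include <algorithm>
#include <cstdio>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// One dumped property, or a synthesised padding entry.
struct Member {
    std::string type, name;   // e.g. "BITFIELD", "class ATeamInfo*"
    unsigned offset, size;    // bytes, exactly as the dumper reports them
    bool bitfield;            // declared as name:1
    bool padding;             // char UnknownN[...] filler for unclaimed bytes
    bool overlap;             // starts before the previous member ended
};

// Parse one line in HelioS's dump format, e.g.
//   BITFIELD UseVSync:1; // Offset 16600 (0x40d8) Size 4 PFlags (0x4000) 0|CPF_Config
bool parse_property(const std::string& line, Member& m) {
    static const std::regex re(
        R"(^\s*(.+?)\s+([A-Za-z_]\w*)(:1)?;\s*//\s*Offset\s+(\d+)\s+\(0x[0-9a-fA-F]+\)\s+Size\s+(\d+))");
    std::smatch sm;
    if (!std::regex_search(line, sm, re)) return false;   // braces, DECLARE_CLASS, public:
    m = Member{sm[1].str(), sm[2].str(), static_cast<unsigned>(std::stoul(sm[4].str())),
               static_cast<unsigned>(std::stoul(sm[5].str())), sm[3].matched, false, false};
    return true;
}

// Sort by offset and rebuild the physical layout. Bitfields reporting the same
// offset share one 32-bit word; unclaimed bytes become char UnknownN[...] with N
// the index of the property after the hole (temp2's numbering).
std::vector<Member> rebuild_layout(std::vector<Member> props) {
    std::stable_sort(props.begin(), props.end(),
                     [](const Member& a, const Member& b) { return a.offset < b.offset; });
    std::vector<Member> out;
    unsigned cursor = props.empty() ? 0 : props.front().offset;  // next unclaimed byte
    unsigned index = 0;                                           // real properties only
    bool prev_bits = false; unsigned prev_off = 0;  // previous real property
    for (Member& p : props) {
        if (p.offset > cursor) {
            out.push_back(Member{"char", "Unknown" + std::to_string(index), cursor,
                                 p.offset - cursor, false, true, false});
            cursor = p.offset;
        }
        bool same_word = p.bitfield && prev_bits && prev_off == p.offset;
        if (!same_word && p.offset < cursor) p.overlap = true;  // sizes and offsets disagree
        else if (!same_word) cursor = p.offset + p.size;
        prev_bits = p.bitfield;
        prev_off = p.offset;
        out.push_back(p);
        ++index;
    }
    return out;
}

// Render a member the way temp2's generated header prints it.
std::string format_member(const Member& m) {
    char buf[256];
    if (m.padding)
        std::snprintf(buf, sizeof buf, "char %s[0x%04X];", m.name.c_str(), m.size);
    else
        std::snprintf(buf, sizeof buf, "%s %s%s; // Offset=0x%04x%s", m.type.c_str(),
                      m.name.c_str(), m.bitfield ? " : 1" : "", m.offset,
                      m.overlap ? " OVERLAP" : "");
    return buf;
}

// Feed a pasted listing, get the rebuilt layout back.
std::vector<Member> layout_from_dump(const std::string& dump) {
    std::vector<Member> props;
    std::istringstream in(dump);
    for (std::string line; std::getline(in, line);) {
        Member m{};
        if (parse_property(line, m)) props.push_back(m);
    }
    return rebuild_layout(props);
}

// HelioS's UD3DRenderDevice listing from this thread, pasted as posted (unsorted).
const char* const kD3DDump = R"(
FLOAT TesselationFactor; // Offset 16696 (0x4138) Size 4 PFlags (0x4000) 0|CPF_Config
FLOAT DefaultTexMipBias; // Offset 16692 (0x4134) Size 4 PFlags (0x4000) 0|CPF_Config
FLOAT DetailTexMipBias; // Offset 16688 (0x4130) Size 4 PFlags (0x4000) 0|CPF_Config
INT LevelOfAnisotropy; // Offset 16684 (0x412c) Size 4 PFlags (0x4000) 0|CPF_Config
INT DesiredRefreshRate; // Offset 16700 (0x413c) Size 4 PFlags (0x4000) 0|CPF_Config
INT MaxPixelShaderVersion; // Offset 16680 (0x4128) Size 4 PFlags (0x4000) 0|CPF_Config
INT AdapterNumber; // Offset 16672 (0x4120) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD DecompressTextures:1; // Offset 16668 (0x411c) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD CheckForOverflow:1; // Offset 16660 (0x4114) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseNPatches:1; // Offset 16664 (0x4118) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseXBoxFSAA:1; // Offset 16640 (0x4100) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD ReduceMouseLag:1; // Offset 16636 (0x40fc) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseCubemaps:1; // Offset 16612 (0x40e4) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseTripleBuffering:1; // Offset 16632 (0x40f8) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseVSync:1; // Offset 16600 (0x40d8) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseTrilinear:1; // Offset 16592 (0x40d0) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UsePrecaching:1; // Offset 16588 (0x40cc) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseHardwareVS:1; // Offset 16608 (0x40e0) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseHardwareTL:1; // Offset 16604 (0x40dc) Size 4 PFlags (0x4000) 0|CPF_Config
)";
```

Passing layout_from_dump(kD3DDump) through format_member prints the sorted class with the four padding members in place; any line ending in OVERLAP is a real dumper discrepancy worth re-checking against the binary rather than papering over with padding.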
temp2
12th September 2004, 13:27
Cheers HelioS. Like you say, UD3DRenderDevice is unlikely to be of use to most people. I’m concentrating on a beta 1 semi-public header release with as much functionality as possible.
Man, this tool is going to be sweet. Just cast your C++ pointer to the correct class for the object and read the class public variables to make your aimbot. Anything you could do in UnrealScript you will be able to do in C++ with all the speed and flexibility that entails.
With this tool it should also be possible to port aimbots if you are careful i.e. just get the header generated for your new game and recompile
Still some work to do on:
class member functions (synchronize parameter counts)
ordering of classes in the .h (prettifying)
structures e.g. FRobot struct {};
enumerations e.g. enum ERobot {};
constants e.g. RF_NotForServer = 0x00200000
i.e. all the UnrealScript available objects. ALL OF THEM. A sample:
Unreal Decompositor output:
class DLL_IMPORT ASceneManager : public AInfo //0x008b7a70
{
public:
TArray<UMatAction*> Actions; // Offset=0x0430 CPF_Edit|CPF_ExportObject
BYTE Affect; // Offset=0x043c CPF_Edit|CPF_Config
AActor* AffectedActor; // Offset=0x0440 CPF_Edit
BITFIELD bLooping : 1; // Offset=0x0444 CPF_Edit
BITFIELD bCinematicView : 1; // Offset=0x0444 CPF_Edit
FName* PlayerScriptTag; // Offset=0x0448 CPF_Edit
FName* NextSceneTag; // Offset=0x044c CPF_Edit
UMatAction* CompareAction; // Offset=0x0450
FLOAT PctSceneComplete; // Offset=0x0454 CPF_Transient
UMatAction* CurrentAction; // Offset=0x0458 CPF_Transient
FLOAT SceneSpeed; // Offset=0x045c CPF_Transient
FLOAT TotalSceneTime; // Offset=0x0460 CPF_Transient
AActor* Viewer; // Offset=0x0464 CPF_Transient
APawn* OldPawn; // Offset=0x0468 CPF_Transient
BITFIELD bIsRunning : 1; // Offset=0x046c CPF_Transient
BITFIELD bIsSceneStarted : 1; // Offset=0x046c CPF_Transient
FLOAT CurrentTime; // Offset=0x0470 CPF_Transient
TArray<UStruct*> SampleLocations; // Offset=0x0474 CPF_Transient
TArray<UMatSubAction*> SubActions; // Offset=0x0480 CPF_Transient
UStruct* CamOrientation; // Offset=0x048c CPF_Transient
UStruct* PrevOrientation; // Offset=0x04c0 CPF_Transient
UStruct* RotInterpolator; // Offset=0x04f4 CPF_Transient
UStruct* CameraShake; // Offset=0x050c CPF_Transient
UStruct* DollyOffset; // Offset=0x0518 CPF_Transient
BITFIELD bEndSceneNow : 1; // Offset=0x0524
// UnrealScript intrinsics
//GetTotalSceneTime(FLOAT ReturnValue);
DECLARE_FUNCTION(execGetTotalSceneTime);
eventSceneStarted(AController* P, AAIScript* S);
eventSceneEnded();
eventPointReached(AInterpolationPoint* Point);
};
Unmangled core.dll
const ASceneManager::vftable
void *cdecl ASceneManager::new(unsigned ,EInternal *)
void *cdecl ASceneManager::new(unsigned ,UObject *,FName ,unsigned long )
ASceneManager &syscall ASceneManager::=(ASceneManager const &)
syscall ASceneManager::~ASceneManager()
syscall ASceneManager::ASceneManager()
syscall ASceneManager::ASceneManager(ASceneManager const &)
void cdecl ASceneManager::InternalConstructor(void *)
UClass *cdecl ASceneManager::StaticClass()
UClass ASceneManager::PrivateStaticClass
void syscall ASceneManager::execGetTotalSceneTime(FFrame &,void *const )
void syscall ASceneManager::eventSceneStarted()
void syscall ASceneManager::eventSceneEnded()
void syscall ASceneManager::eventPointReached(AInterpolationPoint *)
float syscall ASceneManager::GetActionPctFromScenePct(float )
float syscall ASceneManager::GetTotalSceneTime()
FRotator syscall ASceneManager::GetRotation(TArray<FVector > *,float ,FVector ,FRotator ,UMatAction *,int )
FVector syscall ASceneManager::GetLocation(TArray<FVector > *,float )
int syscall ASceneManager::Tick(float ,ELevelTick )
UMatAction *syscall ASceneManager::GetActionFromPct(float )
void syscall ASceneManager::ChangeOrientation(FOrientation )
void syscall ASceneManager::CheckForErrors()
void syscall ASceneManager::CleanupPreviewActors()
void syscall ASceneManager::DeletePathSamples()
void syscall ASceneManager::InitializePreviewActors()
void syscall ASceneManager::PostBeginPlay()
void syscall ASceneManager::PostEditChange()
void syscall ASceneManager::PreparePath()
void syscall ASceneManager::RefreshSubActions(float )
void syscall ASceneManager::SceneEnded()
void syscall ASceneManager::SceneStarted()
void syscall ASceneManager::SetCurrentTime(float )
void syscall ASceneManager::SetSceneStartTime()
void syscall ASceneManager::UpdatePreviewActors(float )
void syscall ASceneManager::UpdateViewerFromPct(float )
Begin Object Class=SceneManager Name=SceneManager0
Begin Object Class=ActionMoveCamera Name=ActionMoveCamera5
PathStyle=PATHSTYLE_Bezier
IntPoint=InterpolationPoint'SFhospital.InterpolationPoint9'
Duration=8.183928
StartControlPoint=(X=-13.703125,Y=542.334045)
EndControlPoint=(X=13.703125,Y=-542.334045)
bConstantPathVelocity=True
PathVelocity=999.000000
PathLength=8175.744141
Name="ActionMoveCamera5"
End Object
Actions(0)=ActionMoveCamera'SFhospital.myLevel.ActionMoveCamera5'
Begin Object Class=ActionMoveCamera Name=ActionMoveCamera1
PathStyle=PATHSTYLE_Bezier
IntPoint=InterpolationPoint'SFhospital.InterpolationPoint8'
Duration=8.120852
StartControlPoint=(X=5.670410,Y=313.807861)
EndControlPoint=(X=-5.670410,Y=-313.807861)
bConstantPathVelocity=True
PathVelocity=999.000000
PathLength=8112.731934
Name="ActionMoveCamera1"
End Object
Actions(1)=ActionMoveCamera'SFhospital.myLevel.ActionMoveCamera1'
Affect=AFFECT_Actor
Level=LevelInfo'SFhospital.LevelInfo0'
Region=(Zone=ZoneInfo'SFhospital.ZoneInfo6',iLeaf=1822,ZoneNumber=1)
Tag="HeliFlyBy1-2"
PhysicsVolume=DefaultPhysicsVolume'SFhospital.DefaultPhysicsVolume0'
Location=(X=3293.297607,Y=-1555.851196,Z=881.139709)
DrawScale=3.000000
bSelected=False
bScriptInitialized=True
Name="SceneManager0"
End Object
Picklelicious
12th September 2004, 18:00
Besides the D3D interface pointers, the only thing in UD3DRenderDevice that might be useful is UseTripleBuffering. If you are making a PB screenshot blocker, the UseTripleBuffering flag would let you know how many times you need to render a clean scene to flush all the hacked scenes out of the D3D pipe.
I wonder if anyone has used the client-side prediction to lead targets.
temp2
13th September 2004, 00:02
I wonder if anyone has used the client-side prediction to lead targets.
I know they have, but probably not to the level of extreme detail that you are experimenting with. Personally I would ignore the Y vector and acceleration and aim for the Z and X predicted location, accounting for ping and ping discrepancy. In the disappointing situation of the target jumping (i.e. Y vector above a threshold) I would also consider increasing ROF to ensure such nauseating behaviour is justly rewarded.
My gaming preference is 1) Body. 2) Head if still. 3) Other bones if head and body not visible. Clearly that may need adjusting if you are playing another aimbot though ROF alteration should suffice.
newbielike
13th September 2004, 00:48
Dumping the AAO server was interesting. There are some special admin commands that are only available for user group 20 (the Devs and the old HomeLAN admins). Stuff like barrel extenders and crap that would help the admins tell if you were wall hacking or had fog turned off. That special admin stuff doesn’t load on a server until a group 20 person logs on. You have to hack your stand-alone server first and force it to assign you to group 20 during the login.
Where would I look for this info? Any help would be appreciated.
temp2
13th September 2004, 12:22
Just added code for the constants. Now time to try out the HelioS creation. Like actually playing the game for a while.
Pi = 3.1415926535897932
MaxInt = 0x7fffffff
RF_Transactional = 0x00000001
RF_Public = 0x00000004
RF_Transient = 0x00004000
RF_NotForClient = 0x00100000
RF_NotForServer = 0x00200000
RF_NotForEdit = 0x00400000
class DLL_IMPORT UObject : public FUnknown //0x10266158
{
gil
13th September 2004, 12:26
Just added code for the constants. Now time to tryout the HelioS creation. Like actually playing the game for a while.
Pi = 3.1415926535897932
MaxInt = 0x7fffffff
RF_Transactional = 0x00000001
RF_Public = 0x00000004
RF_Transient = 0x00004000
RF_NotForClient = 0x00100000
RF_NotForServer = 0x00200000
RF_NotForEdit = 0x00400000
class DLL_IMPORT UObject : public FUnknown //0x10266158
{
lol, it's about time you play for a while.
you should check if the game has not changed since last time you played ;)
temp2
13th September 2004, 13:58
lol, it's about time you play for a while.
you should check if the game has not changed since last time you played ;)
LOL. Have not played in about 3 weeks. The radar and devmode take some time to get used to and player tagging is very useful once you establish who other fellow cheaters are...
Enumerations: Done
Pi = 3.1415926535897932
MaxInt = 0x7fffffff
RF_Transactional = 0x00000001
RF_Public = 0x00000004
RF_Transient = 0x00004000
RF_NotForClient = 0x00100000
RF_NotForServer = 0x00200000
RF_NotForEdit = 0x00400000
enum EBoneRegion {
BR_NONE = 0
BR_Head = 1
BR_Upper_Torso = 2
BR_Lower_Torso = 3
BR_Left_Arm = 4
BR_Left_Hand = 5
BR_Left_Leg = 6
BR_Left_Foot = 7
BR_Right_Arm = 8
BR_Right_Hand = 9
BR_Right_Leg = 10
BR_Right_Foot = 11
};
enum EBulletImpactType {
BT_Impact = 0
BT_Exit = 1
BT_Ricochet = 2
};
enum EDrawPivot {
DP_UpperLeft = 0
DP_UpperMiddle = 1
DP_UpperRight = 2
DP_MiddleRight = 3
DP_LowerRight = 4
DP_LowerMiddle = 5
DP_LowerLeft = 6
DP_MiddleLeft = 7
DP_MiddleMiddle = 8
};
enum ESoundSlot {
SLOT_None = 0
SLOT_Misc = 1
SLOT_Pain = 2
SLOT_Interact = 3
SLOT_Ambient = 4
SLOT_Talk = 5
SLOT_Interface = 6
};
enum ECamOrientation {
CAMORIENT_None = 0
CAMORIENT_LookAtActor = 1
CAMORIENT_FacePath = 2
CAMORIENT_Interpolate = 3
CAMORIENT_Dolly = 4
};
class DLL_IMPORT UObject : public FUnknown //0x10266158
{
public:
INT ObjectInternal[6]; // Offset=0x0000 CPF_Const|CPF_Native
UObject* Outer; // Offset=0x0018 CPF_Const|CPF_Native
INT ObjectFlags; // Offset=0x001c CPF_Const|CPF_Native
FName* Name; // Offset=0x0020 CPF_Edit|CPF_Const|CPF_Native|CPF_EditConst
UClass* Class; // Offset=0x0024 CPF_Const|CPF_Native|CPF_EditConst
...
N!ZZa
13th September 2004, 16:48
Are you guys planning to create a new engine hack? Cuz my english sucks and I don't understand a lot of posts -.-
temp2
13th September 2004, 17:31
Are you guys planning to create a new engine hack? Cuz my english sucks and I don't understand a lot of posts -.-
No, but some people that use the C++ independent SDK I produce will. I will probably only publicly produce a method of setting object properties.
Basic001
4th October 2004, 06:34
class DLL_IMPORT UD3DRenderDevice : public URenderDevice
{
public:
FLOAT TesselationFactor; // Offset 16696 (0x4138) Size 4 PFlags (0x4000) 0|CPF_Config
FLOAT DefaultTexMipBias; // Offset 16692 (0x4134) Size 4 PFlags (0x4000) 0|CPF_Config
FLOAT DetailTexMipBias; // Offset 16688 (0x4130) Size 4 PFlags (0x4000) 0|CPF_Config
INT LevelOfAnisotropy; // Offset 16684 (0x412c) Size 4 PFlags (0x4000) 0|CPF_Config
INT DesiredRefreshRate; // Offset 16700 (0x413c) Size 4 PFlags (0x4000) 0|CPF_Config
INT MaxPixelShaderVersion; // Offset 16680 (0x4128) Size 4 PFlags (0x4000) 0|CPF_Config
INT AdapterNumber; // Offset 16672 (0x4120) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD DecompressTextures:1; // Offset 16668 (0x411c) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD CheckForOverflow:1; // Offset 16660 (0x4114) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseNPatches:1; // Offset 16664 (0x4118) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseXBoxFSAA:1; // Offset 16640 (0x4100) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD ReduceMouseLag:1; // Offset 16636 (0x40fc) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseCubemaps:1; // Offset 16612 (0x40e4) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseTripleBuffering:1; // Offset 16632 (0x40f8) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseVSync:1; // Offset 16600 (0x40d8) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseTrilinear:1; // Offset 16592 (0x40d0) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UsePrecaching:1; // Offset 16588 (0x40cc) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseHardwareVS:1; // Offset 16608 (0x40e0) Size 4 PFlags (0x4000) 0|CPF_Config
BITFIELD UseHardwareTL:1; // Offset 16604 (0x40dc) Size 4 PFlags (0x4000) 0|CPF_Config
DECLARE_CLASS(UD3DRenderDevice,URenderDevice,0,D3DDrv)
};
I'm sure I know what your answer will be, but could I get a copy of the program you are using to get these offsets? My post in the Coding Tech Support section of AAO will explain the Whys and Whats I am trying to do. Any help at all would be greatly appreciated. Heck, I don't even know if I'm headed in the right direction right now...
Link To My Post (http://www.mpcforum.com/showthread.php?t=59009)
PseudoX
4th October 2004, 12:59
man, my aimbot is pretty darn good. And you would NEVER be able to camp a server for hours if you implemented this into a spectator view game. You'd get votekicked to high hell. But it would be awesome to have for UT4 and some others where spectators don't RULE the server.
I think most people are convinced those engine hacks are more powerful than D3D hacks. MH was a good example of the power of engine hacking.
If you know how, you can extract the headers directly from the engine. Here is the PlayerReplicationInfo complete with replications statements. (Sorry, it is so wide.)
struct APlayerReplicationInfo : AReplicationInfo //OF0x640F0044
{
int Score_Total; //0x0430 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Leadership; //0x0434 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Wins; //0x0438 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Objectives; //0x043C PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Deaths; //0x0440 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_Kills; //0x0444 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int Score_ROE; //0x0448 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int _Credited_Wins; //0x044C PF0x00000000
int _Credited_Leadership; //0x0450 PF0x00000000
ACarriedObject * HasFlag; //0x0454 PF0x00000000
int Ping; //0x0458 PF0x00000020 Replicate if ((bNetDirty && !bNetOwner) && (Role == 4))
AVolume * PlayerVolume; //0x045C PF0x00000020 Replicate if (bNetDirty && (Role == 4))
AZoneInfo * PlayerZone; //0x0460 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int NumLives; //0x0464 PF0x00000000
FString PlayerName; //0x0468 PF0x00400020 Replicate if (bNetDirty && (Role == 4))
FString CharacterName; //0x0474 PF0x00400020 Replicate if (bNetDirty && (Role == 4))
FString OldCharacterName; //0x0480 PF0x00400000
FString OldName; //0x048C PF0x00400000
FString PreviousName; //0x0498 PF0x00400000
FString PlayerMAC; //0x04A4 PF0x00400000
int PlayerID; //0x04B0 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
ATeamInfo * Team; //0x04B4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
BYTE DesiredTeam; //0x04B8 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int TeamID; //0x04B9 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
UClass * VoiceType; //0x04C0 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bAdmin : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bIsFemale : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bIsSpectator : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bOnlySpectator : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bWaitingPlayer : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bReadyToPlay : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bOutOfLives : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bBot : 1; //0x04C4 PF0x00000020 Replicate if (bNetInitial && (Role == 4))
unsigned int bWelcomed : 1; //0x04C4 PF0x00000000
unsigned int bReceivedPing : 1; //0x04C4 PF0x00000000
unsigned int bHasFlag : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bGuerrillaPS : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bSpecialForcesPS : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bVIPPS : 1; //0x04C4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int StartTime; //0x04C8 PF0x00000020 Replicate if (bNetInitial && (Role == 4))
FString StringSpectating; //0x04CC PF0x00408000
FString StringUnknown; //0x04D8 PF0x00408000
int GoalsScored; //0x04E4 PF0x00000000
int Kills; //0x04E8 PF0x00000000
unsigned int bDead : 1; //0x04EC PF0x00000020 Replicate if (bNetDirty && (Role == 4))
APawn * myPawn; //0x04F0 PF0x00000000
int LocationX; //0x04F4 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int LocationY; //0x04F8 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
int LocationZ; //0x04FC PF0x00000020 Replicate if (bNetDirty && (Role == 4))
float slowtime; //0x0500 PF0x00000000
APlayerReplicationInfo * PRI_WaitingForPawn; //0x0504 PF0x00000000
int SwapRequest; //0x0508 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
BYTE FT; //0x050C PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bWillBeMedic : 1; //0x050D PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bLostMedic : 1; //0x050D PF0x00000000
unsigned int bIsMedic : 1; //0x050D PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bCallForMedic : 1; //0x050D PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int _bSoldiersCharacter : 1; //0x050D PF0x00000000
int _iTrust; //0x0514 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bWantsFTLeader : 1; //0x0518 PF0x00000000
unsigned int bWantsSquadLeader : 1; //0x0518 PF0x00000000
unsigned int bAvoidLeaderRole : 1; //0x0518 PF0x00000000
unsigned int bWantsMedic : 1; //0x0518 PF0x00000000
unsigned int bQualifiedSniper : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedAirborne : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedRanger : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedMedic : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bQualifiedSF : 1; //0x0518 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
float _fWeight; //0x051C PF0x00000000
float tNextVoteAllowed; //0x0520 PF0x00000000
FString votekick; //0x0524 PF0x00400000
FString SquadName; //0x0530 PF0x00400020 Replicate if (bNetDirty && (Role == 4))
int _cumRounds; //0x053C PF0x00000000
int _LastTimeUpdate; //0x0540 PF0x00000000
int _cumTotal; //0x0544 PF0x00000000
int _cumLeadership; //0x0548 PF0x00000000
int _cumWins; //0x054C PF0x00000000
int _cumObjectives; //0x0550 PF0x00000000
int _cumDeaths; //0x0554 PF0x00000000
int _cumKills; //0x0558 PF0x00000000
int _cumROE; //0x055C PF0x00000000
int _prevTotal; //0x0560 PF0x00000000
int _prevLeadership; //0x0564 PF0x00000000
int _prevWins; //0x0568 PF0x00000000
int _prevObjectives; //0x056C PF0x00000000
int _prevDeaths; //0x0570 PF0x00000000
int _prevKills; //0x0574 PF0x00000000
int _prevROE; //0x0578 PF0x00000000
int _Experience; //0x057C PF0x00000000
int _ExperienceDelta; //0x0580 PF0x00000000
unsigned int bSUEnabled : 1; //0x0584 PF0x00000000
BYTE _Group; //0x0588 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bMuted : 1; //0x0589 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
UClass * requiredClass; //0x0590 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
unsigned int bTournamentSquadLeader : 1; //0x0594 PF0x00000020 Replicate if (bNetDirty && (Role == 4))
}; //0x0598
Lots of people hack. Tomorrow someone else will create yet another engine hack for this game without using the SDK.
I bet they will think they are pretty magical too. ;)
The problem also lies within the DirectX limitations as well.
HelioS
3rd November 2004, 06:22
Picklelicious what did you pass onto the GetBoneCoords functions ?
the native function in USkeletalMeshInstance is like this: FCoords GetBoneCoords(unsigned long);
btw I was bored so I converted my UT2004 engine hook to AA, here is the result so far
http://users.skynet.be/HelioS/Shot00043.JPG
http://users.skynet.be/HelioS/Shot00044.JPG
http://users.skynet.be/HelioS/Shot00045.JPG
http://users.skynet.be/HelioS/Shot00046.JPG
http://users.skynet.be/HelioS/Shot00047.JPG
kevinb721
3rd November 2004, 07:20
nice job HelioS, great that it's back on for 2.2 :)
TABACKY
4th November 2004, 10:10
http://users.skynet.be/HelioS/Shot00043.JPG
http://users.skynet.be/HelioS/Shot00044.JPG
http://users.skynet.be/HelioS/Shot00045.JPG
http://users.skynet.be/HelioS/Shot00046.JPG
http://users.skynet.be/HelioS/Shot00047.JPG
HelioS (ELF) I have been watching you for some time now. I would say I have been reading through video game code and cheats for about 2 years now ... I'm curious if you are the one who developed the ADE bot for TO and SF (UT mods). Your style of bot is rather unique.
temp2
4th November 2004, 10:13
Picklelicious what did you pass onto the GetBoneCoords functions ?
the native function in USkeletalMeshInstance is like this: FCoords GetBoneCoords(unsigned long);
Tried one of the following?
enum EBoneRegion {
BR_NONE = 0,
BR_Head = 1,
BR_Upper_Torso = 2,
BR_Lower_Torso = 3,
BR_Left_Arm = 4,
BR_Left_Hand = 5,
BR_Left_Leg = 6,
BR_Left_Foot = 7,
BR_Right_Arm = 8,
BR_Right_Hand = 9,
BR_Right_Leg = 10,
BR_Right_Foot = 11,
};
Or FName* BoneName
HelioS
4th November 2004, 13:50
HelioS (ELF) I have been watching you for some time now. I would say I have been reading through video game code and cheats for about 2 years now ... I'm curious if you are the one who developed the ADE bot for TO and SF (UT mods). Your style of bot is rather unique.
I did not code ADE bot; I started out with that bot too. It was a very good bot back in the day, but now other bots take its place in the hall of fame :P
Picklelicious
4th November 2004, 17:43
Picklelicious what did you pass onto the GetBoneCoords functions ?
The FName of the bone you want.
There is a big TArray of FNameEntry:
?Names@FName@@0V?$TArray@PAUFNameEntry@@@@A
which would look like this in C:
TArray<FNameEntry *> Names;
struct FNameEntry
{
int FNameIndex;
DWORD Unknown0x004;
DWORD Unknown0x008;
WCHAR Name[1];
};
You traverse the array until you find the Name you want. The FNameEntry structure is variable sized. Name[1] is really allocated big enough to hold the wide char name.
Once you find the name, FNameIndex is the FName. You pass that number into GetBoneCoords.
For the head bone you would search Names for L"Head".
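An added example of the name-table walk Picklelicious describes, written here for this page rather than taken from his post or from the engine. It builds a small, constructed FNameEntry table in the variable-sized layout shown above (the three field names and the Name[1] "struct hack" are from the post; the index values and bone names in the sample are made up) and returns the FNameIndex for a requested wide-string name. The same walk is what an analyst performs when reading an engine's name table out of a memory dump, which is why the lookup tolerates null slots and never assumes a fixed record size. One caveat for anyone running this off Windows: the in-game WCHAR is 16-bit, while wchar_t is 32-bit on Linux, so the sample uses wchar_t purely for portability of the constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cwchar>
#include <vector>

// Layout from the post. Unknown0x004/0x008 are opaque here. Name[1] is a
// "struct hack": each record is allocated large enough to hold the whole
// NUL-terminated wide string, so records are variable sized.
struct FNameEntry {
    int      FNameIndex;
    uint32_t Unknown0x004;
    uint32_t Unknown0x008;
    wchar_t  Name[1];
};

// Allocate one variable-sized record the way such a table is laid out.
// This is constructed sample data, not read from a running process.
static FNameEntry* MakeEntry(int index, const wchar_t* name) {
    size_t len   = wcslen(name);
    size_t bytes = offsetof(FNameEntry, Name) + (len + 1) * sizeof(wchar_t);
    FNameEntry* e = static_cast<FNameEntry*>(calloc(1, bytes));
    e->FNameIndex = index;
    wmemcpy(e->Name, name, len + 1);
    return e;
}

// Walk the pointer array until the wanted name is found and return its
// FNameIndex (the number the post says is passed on), or -1 if absent.
// Null slots are skipped defensively; a dump may well contain them.
static int FindNameIndex(const std::vector<FNameEntry*>& names,
                         const wchar_t* wanted) {
    for (size_t i = 0; i < names.size(); ++i) {
        const FNameEntry* e = names[i];
        if (e != nullptr && wcscmp(e->Name, wanted) == 0)
            return e->FNameIndex;
    }
    return -1;
}

// Constructed sample table: indices and names are hypothetical placeholders,
// chosen only so the lookup has something to find (and a null hole to skip).
static std::vector<FNameEntry*> SampleTable() {
    std::vector<FNameEntry*> t;
    t.push_back(MakeEntry(0,  L"None"));
    t.push_back(nullptr);
    t.push_back(MakeEntry(17, L"Root"));
    t.push_back(MakeEntry(23, L"Head"));
    t.push_back(MakeEntry(24, L"Neck"));
    return t;
}

static void FreeTable(std::vector<FNameEntry*>& t) {
    for (size_t i = 0; i < t.size(); ++i) free(t[i]);
    t.clear();
}

// Convenience wrapper: build the sample, look one name up, release it.
int LookupInSample(const wchar_t* wanted) {
    std::vector<FNameEntry*> t = SampleTable();
    int idx = FindNameIndex(t, wanted);
    FreeTable(t);
    return idx;
}

int main() {
    printf("Head  -> %d\n", LookupInSample(L"Head"));   // 23 in the sample
    printf("Spine -> %d\n", LookupInSample(L"Spine"));  // -1, not present
    return 0;
}
```

Because records are variable sized, nothing here indexes the table by a computed stride; every access goes through the pointer array, which is the only reliable way to walk such a structure.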
isther
4th November 2004, 21:08
Originally Posted by HelioS
http://users.skynet.be/HelioS/Shot00043.JPG
http://users.skynet.be/HelioS/Shot00044.JPG
http://users.skynet.be/HelioS/Shot00045.JPG
http://users.skynet.be/HelioS/Shot00046.JPG
http://users.skynet.be/HelioS/Shot00047.JPG
OMG, OMG... man. Respect, you deserve my utmost and sincere respect. I hope one day (a very near day) we could see the result in a public release. Congrats to you and all the guys working on this. :D
Best,
TABACKY
4th November 2004, 21:28
The FName of the bone you want.
There is a big TArray of FNameEntry:
?Names@FName@@0V?$TArray@PAUFNameEntry@@@@A
which would look like this in C:
TArray<FNameEntry *> Names;
struct FNameEntry
{
int FNameIndex;
DWORD Unknown0x004;
DWORD Unknown0x008;
WCHAR Name[1];
};
You traverse the array until you find the Name you want. The FNameEntry structure is variable sized. Name[1] is really allocated big enough to hold the wide char name.
Once you find the name, FNameIndex is the FName. You pass that number into GetBoneCoords.
For the head bone you would search Names for L"Head".
Picklelicious,
I have 6 different offsets for an old CS hook. When using IDA Pro on hl.exe the offsets appear to be in blank space of the file. Am I using the disassembler wrong? Will someone please help me learn how to obtain these offsets. thx, your knowledge is greatly appreciated.
cl_enginefuncs_s *pEngfuncs = (cl_enginefuncs_s*) 0x01DE5158; //
engine_studio_api_s *pEngstudio = (engine_studio_api_s*) 0x01DFF2D0; //
efx_api_s *pEfxapi = (efx_api_t*) 0x01DFEE88; //
event_api_s *pEventapi = (event_api_t*) 0x01DEE840; //
triangleapi_s *pTriapi = (triangleapi_t*) 0x01DFF548; //
net_api_t *pNetapi = (net_api_t*) 0x01DF9944; //
HelioS, I say 2 years **** it's been 3-4 now lol!!!!!
HelioS
4th November 2004, 23:52
Before I read your post I did some logging.
USkeletalMeshInstance* Mesh = (USkeletalMeshInstance*)Target->MeshInstance;
if ( Mesh != NULL )
{
FCoords Coords = Mesh->GetBoneCoords(0x26);
Pos = Coords.Origin + Coords.XAxis + Coords.YAxis + Coords.ZAxis;
}
When using 0x26 it seems to be the closest to a clean headshot.
I'll check out your way too.
Picklelicious
5th November 2004, 01:10
You can actually make very complicated aiming algorithms once you can trace the bullet paths.
My bot will project them into the future (to account for ping and FPS) and then eliminate any bones that are blocked (for example, behind a rock or wall). That is pretty handy when going up against another aimbot. If you meet another aimbot coming around a corner, he will be blasting away into the wall, while you will shoot at their elbow or whatever part of them is coming around the corner first.
You can also figure out how much damage the bullet is going to do and the damage multiplier the bone has. (For example, the head bone used to multiply the bullet damage by 3, and the toe bone was something like 0.5. Which is why headshots are instant kills and you can shoot someone in the foot for a long time before they die.) This is also handy when going up against another bot. If you know that shooting him in the chest will kill him, then you might as well aim there instead of the head and improve your odds.
On big outdoor maps, like Mountain Pass, sometimes it is fun to just wound people (like their snipers) to 10% health, and then leave them for someone else. However, doing this requires that you also patch some UnrealScript functions so that you have perfect aim.
If you wanted to get really complicated, you could take into account ricochets and materials that can be penetrated (like doors and tents). I think it would be fun to make a ricochet bot and kill people with ricochets, but I have never tried to.
One thing I wanted to try was to make a shotgun of sorts. What you do is create a grid of aiming points that covers an area. Then you aim at the first point and shoot at it, then aim at the second point and shoot at it… until you have shot them all. So in one frame you could aim/shoot at several different points using several different bullets and get a shotgun scatter effect. It would probably just sound like a single shot, but it would leave a nice spread of bullet holes in a wall.
Using the same idea, you could create a multiple target system where you shoot at more than one target at a time in one frame. Or shoot multiple bullets at multiple targets at the same time.
TABACKY
5th November 2004, 03:08
Are the offsets you speak of ... stack calls or memory offsets? I'm guessing they aren't physical file location offsets?
Picklelicious
5th November 2004, 03:16
Offsets from the start of a C++ object in memory. The UT engine is not like the HL engine. Just about everything is dynamically allocated and its location in memory will move around.
TABACKY
5th November 2004, 03:40
Offsets from the start of a C++ object in memory. The UT engine is not like the HL engine. Just about everything is dynamically allocated and its location in memory will move around.
Ty ;)
temp2
5th November 2004, 14:30
Using the same idea, you could create a multiple target system where you shoot at more than one target at a time in one frame. Or shoot multiple bullets at multiple targets at the same time.
Damned good bit of lateral thinking there Picklelicious, why limit aiming to one target at a time!
TABACKY
5th November 2004, 20:49
Damned good bit of lateral thinking there Picklelicious, why limit aiming to one target at a time!
Too bad the models don't fragment ... shoot someone's balls off with that coding LOL!