Feretorix

[Developer Assembly] Find ViewProjectionMatrix for WorldToScreen in any game!

We all know Cheat Engine, right? And its ability to scan for floats, doubles, 4 bytes, and so on. Also we know about the "unknown initial value" and "increased/decreased/changed/unchanged" value scanning methods.

What CE doesn't provide is the ability to do unknown scans for matrices. With a matrix, we can draw 3D coordinates on a 2D surface (our screen).

 

Preparing the assembly for the game you are going to work on:

First, after installing, you have to clone the assembly.

After cloning it, navigate to: Loader.exe directory >> LocalAssemblies\ViewProjectionMatrixFinder_clone_XXXXXX

Open the source code and edit the following:
 

public static string GameWindowName = "Counter-Strike: Global Offensive";
public static string GameModuleName = "client_panorama.dll";

Where GameWindowName is the "caption" of the game window to be targeted.
And GameModuleName is the module where you suspect the dynamic matrix would be located. (You can always uncomment at line 153 and scan the whole game mem)
 

//matrixesFnd = Memory.FindPossibleMatrix(procHnd, IntPtr.Zero, (IntPtr)0x7FFFFFFF, vecToSearchFor, out returnedAddresses, Components.SettingsComponent.W2SType.Value);

The same goes for pre-defined position at line 143:

//vecToSearchFor = new Vector3(-2940.042725f, -219.2802734f, 53.91707611f);

 

What you need to do when trying to find a matrix for the worldtoscreen function in WeScript:

1) Either take your own localplayer position in the game (and step aside from that position), or take a 0,0,0 as a start.
2) Make sure you are looking towards that same position you suspect your target location should be "existing".
3) Start an initial scan with the "DELETE" key on your keyboard.
4) Move your mouse/camera and clean from static, unchanging matrices with the "HOME" key, repeat this step a few times.
5) Stop moving your camera and start cleaning from constantly changing matrices while your camera is stationary with "END" key.
6) Repeat step 4 and 5 a few times more until the screen cleans up from addresses and try to locate your desired address.
7) There is a box, where if multiple results/addresses are stacked you can list them on the left and take a screenshot, debug those, find a pointer with CE and so on...

 

 

In Example 1 of the video we have:

1. WOW, where we're using pre-defined position to find W2S
2. CS1.6, where we're using 0,0,0 position and getting a single result
3. CSGO, where we're using 0,0,0 position and getting multiple results

 

Follow this link to view the videos: https://gofile.io/d/jD8TaV

 

Install the assembly and experiment on your games from this link: https://github.com/WeScript/WeScript.Assemblies
The assembly is called "ViewProjectionMatrixFinder"


Gaben strategies too OP.


I don't really know the things about coding but, this guide looks really helpful! Thanks for this source/info/guide!


If Cheat Engine is auto-detected by the game, are there other programs to use or do you need to edit the source code of CE itself?

8 minutes ago, Cazza said:

If Cheat Engine is auto-detected by the game, are there other programs to use or do you need to edit the source code of CE itself?

There are several ways to make the Cheat Engine undetectable for some games.

> You can edit the CE(Cheat Engine) code.
   ^ Cheat Engine Source
> There are plugins.
> You can freeze the game too. (Works in most)
> By PathLine.


Interesting read, thanks for sharing, I'll try it during the weekend.

2 hours ago, Int said:

There are several ways to make the Cheat Engine undetectable for some games.

> You can edit the CE(Cheat Engine) code.
   ^ Cheat Engine Source
> There are plugins.
> You can freeze the game too. (Works in most)
> By PathLine.

Got it working thanks 😉

On 5/26/2020 at 8:51 PM, Cazza said:

If Cheat Engine is auto-detected by the game, are there other programs to use or do you need to edit the source code of CE itself?

Most of the time the anti-cheat detects window titles, so if you rename the CE window title you are 99% good to go.

In other scenarios, they block attachment and memory reading; those are way more complex to deal with most of the time.


Really helpful! What DLL do you use for WoW? Thanks!

2 minutes ago, Raine said:

Really helpful! What DLL do you use for WoW? Thanks!

I don't quite understand you, no dlls are used, the program is 100% external using OpenProcess/ReadProcessMemory


Posted (edited)
5 minutes ago, Feretorix said:

I don't quite understand you, no dlls are used, the program is 100% external using OpenProcess/ReadProcessMemory

Oh, sorry. I'm still a beginner. 😅 I was asking what string do you use in GameModuleName.

Edited by Raine

Just now, Raine said:

Oh, sorry. I'm still a beginner. I was asking what string do you use in GameModuleName.

No problem, it's not a bad thing to ask.
The module I tried "my luck" on was called "Wow.exe".

You can also check out the videos for 3 different games (including WoW): https://gofile.io/d/jD8TaV

17 minutes ago, Feretorix said:

No problem, it's not a bad thing to ask.
The module I tried "my luck" on was called "Wow.exe".

You can also check out the videos for 3 different games (including WoW): https://gofile.io/d/jD8TaV

Thanks a lot! I'll try with Wow.exe and WowClassic.exe respectively.

I think the problem that I had was actually related to the fact that it's not displaying elements in the overlay, since the assembly isn't even displaying the Helper Menu, so it's not related to the assembly itself but something in my PC that needs to be installed or something. 😅

1 minute ago, Raine said:

Thanks a lot! I'll try with Wow.exe and WowClassic.exe respectively.

I think the problem that I had was actually related to the fact that it's not displaying elements in the overlay, since the assembly isn't even displaying the Helper Menu, so it's not related to the assembly itself but something in my PC that needs to be installed or something. 😅

The game has to run in windowed/borderless mode and Windows AERO must be enabled (DWM).

I might add a check later from WeScript.app itself to verify that AERO is enabled on the system.

13 minutes ago, Feretorix said:

The game has to run in windowed/borderless mode and Windows AERO must be enabled (DWM).

I might add a check later from WeScript.app itself to verify that AERO is enabled on the system.

Hmm well, this is weird. I have Windows Aero enabled and installed all pre-requisites, but somehow it doesn't display addresses/helper menu (the one from the assembly) on the screen. However, it does display the watermark and the WeScript menu if I press INS.

43 minutes ago, Raine said:

Hmm well, this is weird. I have Windows Aero enabled and installed all pre-requisites, but somehow it doesn't display addresses/helper menu (the one from the assembly) on the screen. However, it does display the watermark and the WeScript menu if I press INS.

You need to edit the source code of the assembly for the game you want to "attack" or rather search a valid viewprojectionmatrix to get a working WorldToScreen.

At the end, even if you find a working W2S you will need to "loop all monsters/objects" and find their 3D position in the world, then convert that to 2D coordinates using WorldToScreen.


On 5/29/2020 at 2:41 PM, Feretorix said:

You need to edit the source code of the assembly for the game you want to "attack" or rather search a valid viewprojectionmatrix to get a working WorldToScreen.

At the end, even if you find a working W2S you will need to "loop all monsters/objects" and find their 3D position in the world, then convert that to 2D coordinates using WorldToScreen.

Same issue had to Regedit for Aero. no text written in right hand corner "RocketLeague"


Hey guys need some help here if you could. I found several process modules that are injected into RL however using different ones the tool doesn't show anything. Here is what i found
