Author Topic: HRADBA bypass?  (Read 813 times)


Rav3n

  • Klass Klown
  • Posts: 419
HRADBA bypass?
« on: March 23, 2008, 03:38:59 pm »
Anyone released a HRADBA bypass, or am I gonna have to try and make one? lol

REAL superjump is available on 1.6 BTW, just gotta get it past H.



Free Rapidshare Prem Accounts
http://rapidshare dot com/files/111551586/Free-PremAccs.rar

[TKC]phranz

  • Insane Joker
  • Posts: 540
  • srsly
Re: HRADBA bypass?
« Reply #1 on: March 23, 2008, 11:01:54 pm »
ask subsky ;)
The IQs around here are god awful low!

ZOldDude

  • The Unknown Rank!
  • Administrator
  • MasstKer
  • Posts: 20874
  • Old School TKC
Re: HRADBA bypass?
« Reply #2 on: March 24, 2008, 02:03:57 am »
I have the bypass (his and Rainer's) on another HD... but no permission to pass it into public hands.

How many people still play VC on a weekend anyhow?
I have no games installed on the newest computer and never go out to the garage to use the LAN.

*While we crash and burn, small, low tech, agrarian societies such as the Hmong in the mountains of Laos will continue on without so much as blinking an eye.*

Subsky

  • Insane Joker
  • Posts: 504
  • Subskii
Re: HRADBA bypass?
« Reply #3 on: March 24, 2008, 05:45:11 am »
A lot of shit super-jumps were released for 1.6 (even my older versions sucked).

Real superjump height is found @:

PL_JUMP -> (float)0x870B3F.  Should be 6.510... by default.

To bypass, you need to beat #28 and #138 (so you can modify HRADBA.DLL), then look at:

.text:10039C50 sub_10039C50    proc near               ; CODE XREF: sub_1003B1C0+99p
.text:10039C50
.text:10039C50 arg_0           = dword ptr  4
.text:10039C50 arg_4           = dword ptr  8
.text:10039C50
.text:10039C50                 mov     eax, dword_1001FD9C
.text:10039C55                 test    eax, eax
.text:10039C57                 jnz     short loc_10039C75
.text:10039C59                 push    offset byte_1001FD60 ; lpModuleName
.text:10039C5E                 push    10000000h       ; int
.text:10039C63                 push    offset aCol_getlinecol ; "COL_GetLineCollision"
.text:10039C68                 call    sub_100397F0
.text:10039C6D                 add     esp, 0Ch
.text:10039C70                 mov     dword_1001FD9C, eax
.text:10039C75
.text:10039C75 loc_10039C75:                           ; CODE XREF: sub_10039C50+7j

Give it a try; if you fail, show us what you've done, and if it's a decent effort I'll send you the bypass :icon_thumbsup.

Rav3n

  • Klass Klown
  • Posts: 419
Re: HRADBA bypass?
« Reply #4 on: March 24, 2008, 04:00:05 pm »
Subsky is alive!

How's it goin m8? Still on MSN?

I'll try my best to bypass HRADBA but I'm no expert...

I made a real superjump on 1.01, fully adjustable, along with a bunch of other hacks; see my Vc1.01 Owned post.

I found the real Superjump address on 1.6 and it works great...

The COL_GetLineCollision is for the fall damage right?

Anyway, I'll try a bit later on when I've got 10 mins.

Thanks


Subsky

  • Insane Joker
  • Posts: 504
  • Subskii
Re: HRADBA bypass?
« Reply #5 on: March 25, 2008, 04:52:12 am »
I'll elaborate by reversing everything you need to know.

The function I've called HB_GetLineColWrapper takes in a Position and a Direction vector, and returns true or false depending on whether there is a collision. Returning false = no kick for #148/#149 (floating/superjump).

.text:10039C50 HB_GetLineColWrapper proc near          ; CODE XREF: sub_1003B1C0+99p
.text:10039C50
.text:10039C50 pVectorPosition  = dword ptr  4
.text:10039C50 pVectorDirection= dword ptr  8
.text:10039C50
.text:10039C50                 mov     eax, pCOL_GetLineCollision
.text:10039C55                 test    eax, eax
.text:10039C57                 jnz     short loc_10039C75
.text:10039C59                 push    offset lpModuleName ; "logs.dll"
.text:10039C5E                 push    10000000h       ; logs.dll base address- Used for module scanning
.text:10039C63                 push    offset aCol_getlinecol ; "COL_GetLineCollision"
.text:10039C68                 call    HB_GetProcAddress
.text:10039C6D                 add     esp, 0Ch
.text:10039C70                 mov     pCOL_GetLineCollision, eax
.text:10039C75
.text:10039C75 loc_10039C75:                           ; CODE XREF: HB_GetLineColWrapper+7j
.text:10039C75                 xor     ecx, ecx
.text:10039C77                 test    eax, eax
.text:10039C79                 jz      short ??0Iostream_init@@QAE@XZ_1 ; Iostream_init::Iostream_init(void)
.text:10039C7B                 mov     edx, [esp+pVectorPosition]
.text:10039C7F                 push    1
.text:10039C81                 push    ecx
.text:10039C82                 push    ecx
.text:10039C83                 mov     ecx, [esp+0Ch+pVectorDirection]
.text:10039C87                 push    ecx
.text:10039C88                 push    edx
.text:10039C89                 call    eax ; pCOL_GetLineCollision
.text:10039C8B                 add     esp, 14h
.text:10039C8E                 retn
.text:10039C8E HB_GetLineColWrapper endp

Important thing to note is:

.text:10039C8F ; public: __thiscall Iostream_init::Iostream_init(void)
.text:10039C8F ??0Iostream_init@@QAE@XZ_1 proc near    ; CODE XREF: HB_GetLineColWrapper+29j
.text:10039C8F                 mov     eax, ecx
.text:10039C91                 retn
.text:10039C91 ??0Iostream_init@@QAE@XZ_1 endp

If HB_GetProcAddress() cannot get a function pointer to "COL_GetLineCollision", Iostream_init::Iostream_init will automatically return false because both EAX and ECX are 0 when it is called. You can't modify the HB dll straight off (you get kicked for #28); the easiest solution is knowing that HB_GetProcAddress() calls win32 GetProcAddress. All you need to do is:

Use detours to hook GetProcAddress((HMODULE)hLogsDll, "COL_GetLineCollision") & return NULL. A similar method can be used to evade detection for wallhack codes.

« Last Edit: March 25, 2008, 04:57:31 am by Subsky »