HRADBA bypass?

[Rav3n]

Anyone released a HRADBA bypass or am i gonna have to try and make one lol

REAL superjump is available on 1.6 BTW just gotta get it past H

[[TKC]phranz]

ask subsky

[ZOldDude]

I have the bypass (his and Rainer's) on another HD....but no permission to pass it into public hands.

How many people still play VC on a weekend anyhow?
I have no games installed on the newest computer and never go out to the garage to use the LAN.

[Subsky]

A lot of shit super-jumps were released for 1.6 (even my older versions sucked).

Real superjump height is found @:

PL_JUMP -> (float)0x870B3F.  Should be 6.510... by default.

To bypass, you need to beat #28, #138 (so you can modify HRADBA.DLL)- then look at

.text:10039C50 sub_10039C50    proc near               ; CODE XREF: sub_1003B1C0+99p
.text:10039C50
.text:10039C50 arg_0           = dword ptr  4
.text:10039C50 arg_4           = dword ptr  8
.text:10039C50
.text:10039C50                 mov     eax, dword_1001FD9C
.text:10039C55                 test    eax, eax
.text:10039C57                 jnz     short loc_10039C75
.text:10039C59                 push    offset byte_1001FD60 ; lpModuleName
.text:10039C5E                 push    10000000h       ; int
.text:10039C63                 push    offset aCol_getlinecol ; "COL_GetLineCollision"
.text:10039C68                 call    sub_100397F0
.text:10039C6D                 add     esp, 0Ch
.text:10039C70                 mov     dword_1001FD9C, eax
.text:10039C75
.text:10039C75 loc_10039C75:                           ; CODE XREF: sub_10039C50+7j

Give it a try; if you fail; show us what you've done and if it's a decent effort I'll send you the bypass  .

[Rav3n]

Subsky is alive!

Hows it goin m8 ?  Still on MSN?

Ill try my best to bypass HRADBA but im no expert...

I made a real superjump on 1.01 fully adjustable along with a bunch of other hacks see my Vc1.01 Owned post..

I found the real Superjump address on 1.6 and it works great...

The COL_GetLineCollision is for the fall damage right?

anyway ill try a bit later on when i got 10mins

Thanks

[Subsky]

I'll elaborate by reversing everything you need to know.

The function I've called HB_GetLineColWrapper takes in Position and Direction Vector, and returns true or false depending on if there is a collision.  Returning false = no kick for #148/#149 (floating/superjump).

.text:10039C50 HB_GetLineColWrapper proc near          ; CODE XREF: sub_1003B1C0+99p
.text:10039C50
.text:10039C50 pVectorPosition  = dword ptr  4
.text:10039C50 pVectorDirection= dword ptr  8
.text:10039C50
.text:10039C50                 mov     eax, pCOL_GetLineCollision
.text:10039C55                 test    eax, eax
.text:10039C57                 jnz     short loc_10039C75
.text:10039C59                 push    offset lpModuleName ; "logs.dll"
.text:10039C5E                 push    10000000h       ; logs.dll base address- Used for module scanning
.text:10039C63                 push    offset aCol_getlinecol ; "COL_GetLineCollision"
.text:10039C68                 call    HB_GetProcAddress
.text:10039C6D                 add     esp, 0Ch
.text:10039C70                 mov     pCOL_GetLineCollision, eax
.text:10039C75
.text:10039C75 loc_10039C75:                           ; CODE XREF: HB_GetLineColWrapper+7j
.text:10039C75                 xor     ecx, ecx
.text:10039C77                 test    eax, eax
.text:10039C79                 jz      short ??0Iostream_init@@QAE@XZ_1 ; Iostream_init::Iostream_init(void)
.text:10039C7B                 mov     edx, [esp+pVectorPosition]
.text:10039C7F                 push    1
.text:10039C81                 push    ecx
.text:10039C82                 push    ecx
.text:10039C83                 mov     ecx, [esp+0Ch+pVectorDirection]
.text:10039C87                 push    ecx
.text:10039C88                 push    edx
.text:10039C89                 call    eax ; pCOL_GetLineCollision
.text:10039C8B                 add     esp, 14h
.text:10039C8E                 retn
.text:10039C8E HB_GetLineColWrapper endp

Important thing to note is:

.text:10039C8F ; public: __thiscall Iostream_init::Iostream_init(void)
.text:10039C8F ??0Iostream_init@@QAE@XZ_1 proc near    ; CODE XREF: HB_GetLineColWrapper+29j
.text:10039C8F                 mov     eax, ecx
.text:10039C91                 retn
.text:10039C91 ??0Iostream_init@@QAE@XZ_1 endp

If HB_GetProcAddress() can not get a function pointer to "COL_GetLineCollision", Iostream_init::Iostream_init will automatically return false because both EAX and ECX are 0 when it is called.  You can't modify HB dll straight off (get kicked for #28)- easiest solution is knowing that HB_GetProcAddress() calls win32 GetProcAddress.  All you need to do is:

Use detours to hook GetProcAddress((HMODULE)hLogsDll, "COL_GetLineCollision") & return NULL.  Similiar method can be used to evade detection for wallhack codes.