
macOS Memory Patterns for CS:GO

Andre Kalisch edited this page Nov 12, 2016 · 4 revisions

client.dylib

m_dwLocalPlayer:

sig: (Byte)"\x89\xD6\x41\x89\x00\x49\x89\x00\x48\x8B\x1D\x00\x00\x00\x00\x48\x85\xDB\x74\x00"*

mask: "xxxx?xx?xxx????xxxx?"

start: 0xB

offset: 0x4

m_dwEntityList:

sig: (Byte)"\x48\x8D\x1D\x00\x00\x00\x00\x48\x89\x00\xE8\x28\xD6\x00\x00"*

mask: "xxx????xx?xxx??"

start: 0x3

offset: 0x2C

m_dwGlowManager:

sig: (Byte)"\x48\x8D\x3D\x00\x00\x00\x05\xE8\x00\x00\x00\x00\x85\xC0\x0F\x84\x00\x00\x00\x00\x48\xC7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x8D\x00\x00\x00\x00\x00"*

mask: "xxx???xx????xxxx????xx?????????xx?????"

start: 0x22

offset: 0x4

m_dwForceAttack:

sig: (Byte)"\x8B\x00\x00\x00\x00\x00\xA8\x00\x00\x95\xC1\x00\xB6\xC9\x09\xD1\x44\x89"*

mask: "x?????x??xx?xxxxxx"

start: 0x2

offset: 0x4

m_dwForceAttack2:

sig: from m_dwForceAttack

mask: from m_dwForceAttack

start: from m_dwForceAttack

offset: 0x10

m_dwForceDuck:

sig: (Byte)"\x21\xC1\x89\x00\x00\x00\x00\x00\x8B\x00\x00\x00\x00\x00\x89\xD1\x83\x00\x00"*

mask: "xxx?????x?????xxx??"

start: 0x4

offset: 0x10

m_dwForceJump:

sig: (Byte)"\x44\x89\xE1\xC1\xE9\x00\x83\xE1\x00\x83\xF1\x00\x21\xC1\x89\x0D\x00\x00\x00\x00\x8B\x05\x00\x00\x00\x00\x89\xD1\x83\xC9\x00\xA8\x00\x0F\x44\xCA\x44\x89\xE2\xD1\xEA\x83\xE2\x00"*

mask: "xxxxx?xx?xx?xxxx????xx????xxxx?x?xxxxxxxxxx?"

start: 0x16

offset: 0x4

engine.dylib

m_dwCClientState:

sig: (Byte)"\x55\x48\x89\xE5\x48\x8B\x00\x00\x00\x00\x00\x48\x83\x00\x00\x5D\xC3\x66\x66\x66\x66\x66\x66\x2E\x0F\x1F\x84\x00\x00\x00\x00\x00"*

mask: "xxxxxx?????xx??xxxxxxxxxxxxxxxxx"

start: 0x7

offset: 0x4

m_szGameDirectory:

sig: (Byte)"\x48\x8D\x15\x00\x00\x00\x00\x48\x8D\x0D\x00\x00\x00\x00\x48\x8D\xBD\xB0\xFD\xFF\xFF\xBE\x04\x01\x00\x00\x31\xC0\xE8\x12\x4E\x2B\x00\x48\x8D\xBD\x08\xFD\xFF\xFF\x48\x89\xDE\xE8\x53\x06\x2C\x00\x48\x8D\x35\x00\x00\x00\x00\x48\x8D\xBD\x08\xFD\xFF\xFF\xE8\x10\x0A\x2C\x00\x4C\x8B\x35\x79\x6D\x65\x00\x48\x8D\xBD\x08\xFD\xFF\xFF\xE8\x9D\x06\x2C\x00\x48\x8D\x95\xB0\xFD\xFF\xFF\xB9\x01\x00\x00\x00\x48\x89\xC6\xE8\x89\x1B\x00\x00\x49\x8B\x45\x00\x48\x8B\x80\x00\x00\x00\x00\x48\x8D\xB5\xB0\xFD\xFF\xFF\x4C\x89\xEF\xFF\xD0\x4C\x89\xFF"*

mask: "xxx????xxx????xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx????xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx????xxxxxxxxxxxxxxx"

start: 0xA

offset: 0x4

Will also provide a memory reader and signature scanning class (source) in the next few days. (If I'm not too lazy with it) :-)