~

Shoke · Sep 4, 2021

Meh.. nobody uses fp anymore, i don't have time to play either. Stumbled up on this file, so i'm just going to share it.

Only works for WIN10 (possibly 7, not sure due to WINAPI hooks). Sorry egys, cba to do a XP version.

FairplayBypass

MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.

www.mediafire.com

If you think that this could be somekind of a malware or whatever, then analyze the files yourself, if you can't well.. then take it or leave it simple as that.

Ah and pls don't pm me if this doesn't work for you. Cba to deal with that too.

Janno · Sep 4, 2021

This ain’t your version?

Shoke · Sep 4, 2021

Janno said:
This ain’t your version?

No this is my version, (Clean SS, custom SS, other shit)

Janno · Sep 4, 2021

Ah alright thought you shared yours already but that was before burndown probs.

Good to have this publicly available tbf because people still put blind trust in this trash.

Shoke · Sep 4, 2021

Janno said:
Ah alright thought you shared yours already but that was before burndown probs.

Good to have this publicly available tbf because people still put blind trust in this trash.

I'm not aware (maybe i forgot) that i ever released this version to the public. I sent it to few people over PM here on forums. Only thing that was ever public was this shitty cheatengine trainer from 2013 and honestly this is the only thing that egys will use. This Bypass actually requires a brain to have. If i remember good, sometimes it failed (not sure if i fixed the issue, i do remember doing something about it) to inject the code into FP So you had to try it one or two times. basically it injected it too fast before fp could even start - this can be noticed if fairplay starts to examine packets which it shudn't, it should immediately jump straight into the game..

Janno · Sep 4, 2021

Shoke said:
basically it injected it too fast before fp could even start

fp so bad it even starts too slow hhh

Shoke said:
I sent it to few people over PM here on forums.

I think that was the case. We heard and made a rule to stop using fp

Devil · Sep 5, 2021

imagine sharing toggle-able wh big noops

anyway here is a link for windows 10 fp bypass Download i made with Qt3

Cap10 · Sep 5, 2021

let's download

Splash · Sep 5, 2021

Devil said:
imagine sharing toggle-able wh big noops

anyway here is a link for windows 10 fp bypass Download i made with Qt3

ah you bastard

Splash · Sep 6, 2021

I have this one.

Download

Cap10 · Sep 7, 2021

Splash said:
I have this one.

View attachment 1102
Download

and I was wondering why they kicked you, now I know because you played in At server true

?

Shoke · Dec 25, 2022

I just remembered about this topic might as well share pieces of the source code itself now.. DEAD GAME.. AMIRITE?

C:

void (WINAPIV* ConsoleCMD)(const char*, char) = (void (WINAPIV*)(const char*, char))0x444380;

static  BYTE EnableWh[] = { 0x81, 0xCF, 0x88, 0x00, 0x00, 0x00 };
static  BYTE DisableWh[] = { 0x81, 0xCF, 0x81, 0x00, 0x00, 0x00 };

static BYTE shownormalsON[] = { 0x01,0x74,0x32,0x28,0x85,0xC0 };
static BYTE shownormalsOFF[] = { 0x01, 0x8B, 0x42, 0x28, 0x85, 0xC0 };

static BYTE EnableFullBright[] = { 0x75, 0x17 };
static BYTE DisableFullBright[] = { 0x74, 0x17 };
static BYTE CheckFlashByte[] = { 0x55 };

C:

void loadSettings()
{
    char GET_SCREENSHOT[20];

    GetPrivateProfileStringA("SCREENSHOTS", "screenshot", "normal", GET_SCREENSHOT, sizeof(GET_SCREENSHOT), LOAD_SETTINGS);

    if (!_stricmp(GET_SCREENSHOT, "disable")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to disable");
#endif
        Settings.SET_SCREENSHOT = _DISABLESS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "custom")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to custom");
#endif
        Settings.SET_SCREENSHOT = _CUSTOMSS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "clean")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to clean");
#endif
        Settings.SET_SCREENSHOT = _CLEANSS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "normal")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to normal");
#endif
        Settings.SET_SCREENSHOT = _NORMALSS;
    }
    else {
        Settings.SET_SCREENSHOT = _NORMALSS;
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to normal");
#endif
    }

    Settings.GFValue = GetPrivateProfileIntA("Settings", "GlowingFlags", 0, LOAD_SETTINGS);

    if (Settings.GFValue == 1) { Settings.CHECK_GLOWFLAGS = true; }
    else if (Settings.GFValue == 0) { Settings.CHECK_GLOWFLAGS = false; }
}

PVOID Shoke_FindVMain = NULL;
DWORD pid;
DWORD waitforcgame = NULL;
static bool loadonce;

unsigned __stdcall Shoke_AfterScreenshotMSG(LPVOID useless)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return 0;
    }
    Sleep(1500);
//    WriteBytes((char*)cgame + 0x625C8, "\x5E\x33\x53\x53\x20\x54\x41\x4B\x45\x4E", 16);
    WriteBytes((char*)cgame + 0x625C8, "\x5e\x33\x53\x53\x20\x54\x41\x4b\x45\x4e\x00\x00\x00\x00\x00", 16);

    
//    WriteBytes((char*)cgame + 0x625C8, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
    message = GetTickCount() + 4000;
#ifdef _SHOKE_DEBUG
    Debug(_NOCOLOR_, "Start Timer - Replace timer message with custom message. - 4 seconds.");
#endif   

    SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
    SendToConsole("^3 *** Screenshot Taken ^3 ***\n");


    _endthread();
    return 0;
}
void WriteBytes(char* dst, char* src, int size)
{
    DWORD oldprotect;
    VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy(dst, src, size);
    VirtualProtect(dst, size, oldprotect, &oldprotect);
}
static void Shoke_Antiflash(void)
{
    return;
}


MFUNC(DWORD, Shoke_Detours(LPVOID));
MFBEG(DWORD, Shoke_Detours(LPVOID));
DWORD Shoke_Detours(LPVOID)
{
    VM_START
    Sleep(320);
    DWORD old;

    loadSettings();

    VirtualProtect((LPVOID)0x400000, 0x100000, PAGE_EXECUTE_READWRITE, &old);

    OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    DWORD BaseAddress = GetModuleBaseAddress(pid, "sof2mp.exe");

    DetourFunction((PBYTE)BaseAddress + 0xB7910, (PBYTE)& Test);
    __asm mov[MovedRoutine], eax;

    DetourFunction((PBYTE)glReadPixels, (PBYTE)&Shoke_Screenshot);
    __asm mov[glReadPixels_org], eax;

    orig_Cvar_Get = (Cvar_Get_t)DetourFunction((PBYTE)BaseAddress + 0x4A110, (PBYTE)&Shoke_CvarRestrictions);

    if (Settings.CHECK_GLOWFLAGS) {
        DetourFunction((PBYTE)glBindTexture, (PBYTE)&Shoke_glBindTexture);
        __asm mov[glBindTexture_org], eax;

        DetourFunction((PBYTE)glDrawElements, (PBYTE)&Shoke_glDrawElements);
        __asm mov[glDrawElements_org], eax;
    }

    int iscgame = Cvar_VariableIntegerValue("vm_cgame");
    
    if (iscgame == 0) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Yes cgame, value is set to 0.");
#endif
    }
    else {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "No cgame, value is not set to 0.");
#endif
        Shoke_SetCvar("vm_cgame", "0");
    }
    while (true) {
        DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
        if (!cgame) {
            if (GetTickCount() > timer) {
                timer = GetTickCount() + 2000;
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Waiting for the Client Module...");       
#endif
            }
        }
        else {
            //sof2mp_cgamex86.vmMain+3ACA - 81 CF 81000000        - or edi,00000081 { 129 }
            //sof2mp_cgamex86.dll+1E25A

            DWORD Addy = cgame + 0x1E25A;
            DWORD engineWH = 0x04C3C5E;
            DWORD FULLBRIGHT = 0x04C1FE8;

            DWORD flashstuff = cgame + 0xECE0;
            DWORD msgPatch = cgame + 0x625C8;
            //sof2mp_cgamex86.dll+ECE0 - 55                    - push ebp

    /*        if (Wallhack->integer == 1) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Yes, cvar is 1... spam.");
#endif
            }
            else if (Wallhack->integer == 2) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Yes, cvar is 2... spam.");
#endif
            }
            */
            if (GetTickCount() < message) {
                execute = true;
            }
            if (execute && GetTickCount() > message) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Timer done, Patch message now back to original.");
#endif   
                //Restore bytes: \x25\x32\x69\x3A\x25 // fuck this just use memcpy to copy the original bytes, and then restore it.
                WriteBytes((char*)cgame + 0x625C8, (char *)&RestoreBytes, 16);
                execute = false;
            }
            if (CheckAddress(CheckFlashByte, (LPVOID)flashstuff, sizeof(CheckFlashByte))) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Flash Addy is unchanged... patching it now ");   
#endif
                DetourFunction((PBYTE)flashstuff, (PBYTE)&Shoke_Antiflash);
            }
            /*
            7A1DED0B   | F7 05 50 B6 51 7A 00 0A 00 00   | TEST DWORD PTR DS:[7A51B650], A00                  |
            
            {
            0xF7, 0x05, 0x50, 0xB6, 0x51, 0x7A, 0x00, 0x0A, 0x00, 0x00
            };|
            */
            //flashbang sof2mp_cgamex86.dll:$ECE0

            if ((GetAsyncKeyState(KEY_NUMPAD1) & 1)) {
                //
            //68 C8 25 08 78
                if (CheckAddress(DisableFullBright, (LPVOID)FULLBRIGHT, 2)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &EnableFullBright, sizeof(EnableFullBright), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "FULLBRIGHT Address -> %X Enabled", FULLBRIGHT);
#endif
        //            SendToConsole("^5[INFO] ^7Enabled FULLBRIGHT..\n");
                    Settings.fullbrightflag |= FULLBRIGHT_FLAG;
                }
                else if (CheckAddress(EnableFullBright, (LPVOID)FULLBRIGHT, 2)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &DisableFullBright, sizeof(DisableFullBright), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "FULLBRIGHT Address -> %X Disabled", FULLBRIGHT);
#endif
            //        SendToConsole("^5[INFO] ^7Disabled FULLBRIGHT..\n");
                    Settings.fullbrightflag &= ~FULLBRIGHT_FLAG;
                }
            }

            if ((GetAsyncKeyState(KEY_NUMPAD2) & 1)) {
                if (CheckAddress(shownormalsOFF, (LPVOID)engineWH, 6)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsON, sizeof(shownormalsON), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "ENGINE WH Address -> %X Enabled", engineWH);
#endif
    //                SendToConsole("^5[INFO] ^7Enabled WH..\n");
                    Settings.enginewhflag |= ENGINEWH_FLAG;
                }
                else if (CheckAddress(shownormalsON, (LPVOID)engineWH, 6)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsOFF, sizeof(shownormalsOFF), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "ENGINE WH Address -> %X Disabled", engineWH);
#endif
            //        SendToConsole("^5[INFO] ^7Disabled WH..\n");
                    Settings.enginewhflag &= ~ENGINEWH_FLAG;
                }
            }
            if ((GetAsyncKeyState(KEY_NUMPAD3) & 1)) {
                if (CheckAddress(DisableWh, (LPVOID)Addy, 6)) {
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "CGAME WH Address -> %X Disabled", Addy);
#endif
                    //    Debug(_ERROR_, "~~~~ WH\n");
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &EnableWh, sizeof(EnableWh), NULL);
    //                SendToConsole("^5[INFO] ^7Enabled WH..\n");
                    Settings.clientwhflag |= CLIENTWH_FLAG;

                }
                else if (CheckAddress(EnableWh, (LPVOID)Addy, 6)) {
                    //    SendToConsole("^3Enabled WH");;
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "CGAME WH Address -> %X Enabled", Addy);
#endif
                    //    Debug(_ERROR_, "FF\n");
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &DisableWh, sizeof(DisableWh), NULL);
        //            SendToConsole("^5[INFO] ^7Disabled WH..\n");
                    Settings.clientwhflag &= ~CLIENTWH_FLAG;
                }
            }
        }
    }
    VM_END
    MFEX(Shoke_Detours, 1000);
    return 0;
}
void BeforeScreenshot(void)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return;
    }
    DWORD Addy = cgame + 0x1E25A;
    DWORD engineWH = 0x04C3C5E;
    DWORD FULLBRIGHT = 0x04C1FE8;
    
    if (Settings.GFValue == 1) {
        if (Settings.CHECK_GLOWFLAGS) {
            Settings.CHECK_GLOWFLAGS = false;
        }
    }
    if (Settings.fullbrightflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] FULLBRIGHT OFF");
#endif   
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &DisableFullBright, sizeof(DisableFullBright), NULL);
        Settings.fullbrightflag |= FULLBRIGHT_FLAG;
    }
    if (Settings.enginewhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] WH-ENGINE OFF");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsOFF, sizeof(shownormalsOFF), NULL);
        Settings.enginewhflag |= ENGINEWH_FLAG;
    }
    if (Settings.clientwhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] CLIENTWH OFF..");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &DisableWh, sizeof(DisableWh), NULL);
        Settings.clientwhflag |= CLIENTWH_FLAG;
    }
    waitnow = GetTickCount() + 4000; // 4 seconds shud be enough,,, to not show the messages on the SS.

}
void AfterScreenshot(void)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return;
    }

    DWORD Addy = cgame + 0x1E25A;
    DWORD engineWH = 0x04C3C5E;
    DWORD FULLBRIGHT = 0x04C1FE8;

    if (Settings.fullbrightflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] FULLBRIGHT ON");

#endif   
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &EnableFullBright, sizeof(EnableFullBright), NULL);
    }
    if (Settings.enginewhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] ENGINEWH ON");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsON, sizeof(shownormalsON), NULL);
    }
    if (Settings.clientwhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] CLIENTWH ON");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &EnableWh, sizeof(EnableWh), NULL);
    }

    if (Settings.GFValue == 1) {
        if (!Settings.CHECK_GLOWFLAGS) {
            Settings.CHECK_GLOWFLAGS = true;
        }
    }
    memcpy(RestoreBytes, (char*)cgame + 0x625C8, 16);
    
    _beginthread((void(__cdecl*)(void*))Shoke_AfterScreenshotMSG, 0, NULL);
    
}

#define IMAGE_WIDTH 640
#define IMAGE_HEIGHT 480

void WINAPI Shoke_Screenshot(GLint x, GLint y, GLsizei width, GLsizei height, GLenum format, GLenum type, GLvoid* data)
{
#ifdef _SHOKE_DEBUG
    Debug(_NOCOLOR_, "GLreadPixes Hook Codecave test");
#endif

    if (Settings.SET_SCREENSHOT == _CUSTOMSS) {
            // Open the image file.
            FILE* fp = fopen("custom.ppm", "rb");
            if (!fp) {
                SendToConsole("Couldn't locate the picture.ppm file.");
            }

            // Read the image data from the file.
            int row, column, channel;
            unsigned char* image_data = (BYTE*)malloc(IMAGE_HEIGHT * IMAGE_WIDTH * 3);
            for (row = 0; row < IMAGE_HEIGHT; row++) {
                int position = IMAGE_WIDTH * 3 * row;
                fseek(fp, position - IMAGE_WIDTH * IMAGE_HEIGHT * 3, SEEK_END);
                fread(image_data + IMAGE_WIDTH * (IMAGE_HEIGHT - 1) * 3 - position, 1, IMAGE_WIDTH * 3, fp);
            }
            fclose(fp);

            // Allocate memory for the resized image.
            unsigned char* resized_image = (BYTE*)malloc(height * width * 3);

            // Perform nearest neighbor interpolation to resize the image to the desired dimensions.
            for (row = 0; row < height; row++) {
                for (column = 0; column < width; column++) {
                    int x_index = (int)(column * ((float)IMAGE_WIDTH / (float)width));
                    int y_index = (int)(row * ((float)IMAGE_HEIGHT / (float)height));
                    for (channel = 0; channel < 3; channel++) {
                        resized_image[row * width * 3 + column * 3 + channel] = image_data[y_index * IMAGE_WIDTH * 3 + x_index * 3 + channel];
                    }
                }
            }

            // Copy the resized image to the output data.
            memcpy(data, resized_image, height * width * 3);

            // Free memory.
            free(resized_image);
            free(image_data);

        SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
        SendToConsole("^3 *** Screenshot Taken ^3 ***\n");
    }
    else if (Settings.SET_SCREENSHOT == _CLEANSS) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "GLreadPixes Hook Codecave test -> CLEAN SS");
#endif
        BeforeScreenshot();

        //Give it time and Flush so no hacking traces are left.
        __asm {
            mov eax, CleanScreenAddy
            mov dword ptr[SCR_UpdateScreen], eax
        }
        for (int i = 0; i < 4; i++) { // 4x should be enuff..
            __asm {
                mov eax, SCR_UpdateScreen
                call eax
            }
        }

        AfterScreenshot();

        glReadPixels_org(x, y, width, height, format, type, data);
    }
    else if (Settings.SET_SCREENSHOT == _DISABLESS) {
        SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
        SendToConsole("^3 *** Screenshot Taken ^3 ***\n");
        return;

    }
    else if (Settings.SET_SCREENSHOT == _NORMALSS) {
        glReadPixels_org(x, y, width, height, format, type, data);
    }
}

C:

BOOL WINAPI Shoke_NextFile(
    HANDLE hFindFile,
    LPWIN32_FIND_DATAW lpFindFileData
) {
    return false;
}

BOOL WINAPI Shoke_EnumProcessModules(
    HANDLE hProcess,
    HMODULE* lphModule,
    DWORD cb,
    LPDWORD lpcbNeeded
) {
    return false;
}
bool isRunning(LPCSTR pName) //Simple but effective
{
    HWND hwnd;
    hwnd = FindWindow(NULL, pName);
    if (hwnd != 0) {
        return true;
    }
    else {
        return false;
    }
}
void Shoke_NewWindowName(void)
{
    //Shoke 16/11/2015 - Let's do this as well, just because i can lol...
    HWND name = FindWindow(NULL, "Fairplay Anticheat");
    SetWindowText(name, "Fairplay Anticheat Hacked by Shoke");
}
DWORD Shoke_WaitForSoF2()
{
    HWND hWnd;
    DWORD dwProcessId = -1;
    do {
        Sleep(0x64u);
        hWnd = FindWindowA(0, "Soldier of Fortune 2 Console");
        GetWindowThreadProcessId(hWnd, &dwProcessId);
    } while (dwProcessId == -1);
#ifdef _WIN10
    HMODULE MDC = GetModuleHandle("kernelbase.dll");
    DetourFunc((LPBYTE)GetProcAddress(MDC, "EnumProcessModules"), (LPBYTE)& Shoke_EnumProcessModules, 6);
#else
    HMODULE MDC = GetModuleHandle("kernel32.dll");
    DetourFunc((LPBYTE)GetProcAddress(MDC, "K32EnumProcessModules"), (LPBYTE)& Shoke_EnumProcessModules, 6);

#endif
    return dwProcessId;
}
void Shoke_FairPlayEntry(void)
{
    if (isRunning("Fairplay Anticheat")) {
        DetourFunction((PBYTE)FindNextFileW, (PBYTE)&Shoke_NextFile);

        Shoke_WaitForSoF2();
        Shoke_NewWindowName();
    }
    else {
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)Shoke_Detours, NULL, NULL, NULL);
    }
}
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    UNREFERENCED_PARAMETER(lpReserved);

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
#ifdef _SHOKE_DEBUG
        DebugEntry();
#endif
        Sleep(1000);
        _beginthread((void(__cdecl*)(void*))Shoke_FairPlayEntry, 0, NULL);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        //        CloseHandle(Entry);
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Oh man those were fun times back when sof was still alive..

Devil · Dec 25, 2022

Shoke said:

I just remembered about this topic might as well share pieces of the source code itself now.. DEAD GAME.. AMIRITE?

C:

void (WINAPIV* ConsoleCMD)(const char*, char) = (void (WINAPIV*)(const char*, char))0x444380;

static  BYTE EnableWh[] = { 0x81, 0xCF, 0x88, 0x00, 0x00, 0x00 };
static  BYTE DisableWh[] = { 0x81, 0xCF, 0x81, 0x00, 0x00, 0x00 };

static BYTE shownormalsON[] = { 0x01,0x74,0x32,0x28,0x85,0xC0 };
static BYTE shownormalsOFF[] = { 0x01, 0x8B, 0x42, 0x28, 0x85, 0xC0 };

static BYTE EnableFullBright[] = { 0x75, 0x17 };
static BYTE DisableFullBright[] = { 0x74, 0x17 };
static BYTE CheckFlashByte[] = { 0x55 };

C:

void loadSettings()
{
    char GET_SCREENSHOT[20];

    GetPrivateProfileStringA("SCREENSHOTS", "screenshot", "normal", GET_SCREENSHOT, sizeof(GET_SCREENSHOT), LOAD_SETTINGS);

    if (!_stricmp(GET_SCREENSHOT, "disable")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to disable");
#endif
        Settings.SET_SCREENSHOT = _DISABLESS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "custom")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to custom");
#endif
        Settings.SET_SCREENSHOT = _CUSTOMSS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "clean")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to clean");
#endif
        Settings.SET_SCREENSHOT = _CLEANSS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "normal")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to normal");
#endif
        Settings.SET_SCREENSHOT = _NORMALSS;
    }
    else {
        Settings.SET_SCREENSHOT = _NORMALSS;
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to normal");
#endif
    }

    Settings.GFValue = GetPrivateProfileIntA("Settings", "GlowingFlags", 0, LOAD_SETTINGS);

    if (Settings.GFValue == 1) { Settings.CHECK_GLOWFLAGS = true; }
    else if (Settings.GFValue == 0) { Settings.CHECK_GLOWFLAGS = false; }
}

PVOID Shoke_FindVMain = NULL;
DWORD pid;
DWORD waitforcgame = NULL;
static bool loadonce;

unsigned __stdcall Shoke_AfterScreenshotMSG(LPVOID useless)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return 0;
    }
    Sleep(1500);
//    WriteBytes((char*)cgame + 0x625C8, "\x5E\x33\x53\x53\x20\x54\x41\x4B\x45\x4E", 16);
    WriteBytes((char*)cgame + 0x625C8, "\x5e\x33\x53\x53\x20\x54\x41\x4b\x45\x4e\x00\x00\x00\x00\x00", 16);

  
//    WriteBytes((char*)cgame + 0x625C8, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
    message = GetTickCount() + 4000;
#ifdef _SHOKE_DEBUG
    Debug(_NOCOLOR_, "Start Timer - Replace timer message with custom message. - 4 seconds.");
#endif 

    SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
    SendToConsole("^3 *** Screenshot Taken ^3 ***\n");


    _endthread();
    return 0;
}
void WriteBytes(char* dst, char* src, int size)
{
    DWORD oldprotect;
    VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy(dst, src, size);
    VirtualProtect(dst, size, oldprotect, &oldprotect);
}
static void Shoke_Antiflash(void)
{
    return;
}


MFUNC(DWORD, Shoke_Detours(LPVOID));
MFBEG(DWORD, Shoke_Detours(LPVOID));
DWORD Shoke_Detours(LPVOID)
{
    VM_START
    Sleep(320);
    DWORD old;

    loadSettings();

    VirtualProtect((LPVOID)0x400000, 0x100000, PAGE_EXECUTE_READWRITE, &old);

    OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    DWORD BaseAddress = GetModuleBaseAddress(pid, "sof2mp.exe");

    DetourFunction((PBYTE)BaseAddress + 0xB7910, (PBYTE)& Test);
    __asm mov[MovedRoutine], eax;

    DetourFunction((PBYTE)glReadPixels, (PBYTE)&Shoke_Screenshot);
    __asm mov[glReadPixels_org], eax;

    orig_Cvar_Get = (Cvar_Get_t)DetourFunction((PBYTE)BaseAddress + 0x4A110, (PBYTE)&Shoke_CvarRestrictions);

    if (Settings.CHECK_GLOWFLAGS) {
        DetourFunction((PBYTE)glBindTexture, (PBYTE)&Shoke_glBindTexture);
        __asm mov[glBindTexture_org], eax;

        DetourFunction((PBYTE)glDrawElements, (PBYTE)&Shoke_glDrawElements);
        __asm mov[glDrawElements_org], eax;
    }

    int iscgame = Cvar_VariableIntegerValue("vm_cgame");
  
    if (iscgame == 0) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Yes cgame, value is set to 0.");
#endif
    }
    else {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "No cgame, value is not set to 0.");
#endif
        Shoke_SetCvar("vm_cgame", "0");
    }
    while (true) {
        DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
        if (!cgame) {
            if (GetTickCount() > timer) {
                timer = GetTickCount() + 2000;
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Waiting for the Client Module...");     
#endif
            }
        }
        else {
            //sof2mp_cgamex86.vmMain+3ACA - 81 CF 81000000        - or edi,00000081 { 129 }
            //sof2mp_cgamex86.dll+1E25A

            DWORD Addy = cgame + 0x1E25A;
            DWORD engineWH = 0x04C3C5E;
            DWORD FULLBRIGHT = 0x04C1FE8;

            DWORD flashstuff = cgame + 0xECE0;
            DWORD msgPatch = cgame + 0x625C8;
            //sof2mp_cgamex86.dll+ECE0 - 55                    - push ebp

    /*        if (Wallhack->integer == 1) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Yes, cvar is 1... spam.");
#endif
            }
            else if (Wallhack->integer == 2) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Yes, cvar is 2... spam.");
#endif
            }
            */
            if (GetTickCount() < message) {
                execute = true;
            }
            if (execute && GetTickCount() > message) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Timer done, Patch message now back to original.");
#endif 
                //Restore bytes: \x25\x32\x69\x3A\x25 // fuck this just use memcpy to copy the original bytes, and then restore it.
                WriteBytes((char*)cgame + 0x625C8, (char *)&RestoreBytes, 16);
                execute = false;
            }
            if (CheckAddress(CheckFlashByte, (LPVOID)flashstuff, sizeof(CheckFlashByte))) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Flash Addy is unchanged... patching it now "); 
#endif
                DetourFunction((PBYTE)flashstuff, (PBYTE)&Shoke_Antiflash);
            }
            /*
            7A1DED0B   | F7 05 50 B6 51 7A 00 0A 00 00   | TEST DWORD PTR DS:[7A51B650], A00                  |
          
            {
            0xF7, 0x05, 0x50, 0xB6, 0x51, 0x7A, 0x00, 0x0A, 0x00, 0x00
            };|
            */
            //flashbang sof2mp_cgamex86.dll:$ECE0

            if ((GetAsyncKeyState(KEY_NUMPAD1) & 1)) {
                //
            //68 C8 25 08 78
                if (CheckAddress(DisableFullBright, (LPVOID)FULLBRIGHT, 2)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &EnableFullBright, sizeof(EnableFullBright), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "FULLBRIGHT Address -> %X Enabled", FULLBRIGHT);
#endif
        //            SendToConsole("^5[INFO] ^7Enabled FULLBRIGHT..\n");
                    Settings.fullbrightflag |= FULLBRIGHT_FLAG;
                }
                else if (CheckAddress(EnableFullBright, (LPVOID)FULLBRIGHT, 2)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &DisableFullBright, sizeof(DisableFullBright), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "FULLBRIGHT Address -> %X Disabled", FULLBRIGHT);
#endif
            //        SendToConsole("^5[INFO] ^7Disabled FULLBRIGHT..\n");
                    Settings.fullbrightflag &= ~FULLBRIGHT_FLAG;
                }
            }

            if ((GetAsyncKeyState(KEY_NUMPAD2) & 1)) {
                if (CheckAddress(shownormalsOFF, (LPVOID)engineWH, 6)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsON, sizeof(shownormalsON), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "ENGINE WH Address -> %X Enabled", engineWH);
#endif
    //                SendToConsole("^5[INFO] ^7Enabled WH..\n");
                    Settings.enginewhflag |= ENGINEWH_FLAG;
                }
                else if (CheckAddress(shownormalsON, (LPVOID)engineWH, 6)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsOFF, sizeof(shownormalsOFF), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "ENGINE WH Address -> %X Disabled", engineWH);
#endif
            //        SendToConsole("^5[INFO] ^7Disabled WH..\n");
                    Settings.enginewhflag &= ~ENGINEWH_FLAG;
                }
            }
            if ((GetAsyncKeyState(KEY_NUMPAD3) & 1)) {
                if (CheckAddress(DisableWh, (LPVOID)Addy, 6)) {
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "CGAME WH Address -> %X Disabled", Addy);
#endif
                    //    Debug(_ERROR_, "~~~~ WH\n");
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &EnableWh, sizeof(EnableWh), NULL);
    //                SendToConsole("^5[INFO] ^7Enabled WH..\n");
                    Settings.clientwhflag |= CLIENTWH_FLAG;

                }
                else if (CheckAddress(EnableWh, (LPVOID)Addy, 6)) {
                    //    SendToConsole("^3Enabled WH");;
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "CGAME WH Address -> %X Enabled", Addy);
#endif
                    //    Debug(_ERROR_, "FF\n");
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &DisableWh, sizeof(DisableWh), NULL);
        //            SendToConsole("^5[INFO] ^7Disabled WH..\n");
                    Settings.clientwhflag &= ~CLIENTWH_FLAG;
                }
            }
        }
    }
    VM_END
    MFEX(Shoke_Detours, 1000);
    return 0;
}
void BeforeScreenshot(void)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return;
    }
    DWORD Addy = cgame + 0x1E25A;
    DWORD engineWH = 0x04C3C5E;
    DWORD FULLBRIGHT = 0x04C1FE8;
  
    if (Settings.GFValue == 1) {
        if (Settings.CHECK_GLOWFLAGS) {
            Settings.CHECK_GLOWFLAGS = false;
        }
    }
    if (Settings.fullbrightflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] FULLBRIGHT OFF");
#endif 
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &DisableFullBright, sizeof(DisableFullBright), NULL);
        Settings.fullbrightflag |= FULLBRIGHT_FLAG;
    }
    if (Settings.enginewhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] WH-ENGINE OFF");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsOFF, sizeof(shownormalsOFF), NULL);
        Settings.enginewhflag |= ENGINEWH_FLAG;
    }
    if (Settings.clientwhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] CLIENTWH OFF..");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &DisableWh, sizeof(DisableWh), NULL);
        Settings.clientwhflag |= CLIENTWH_FLAG;
    }
    waitnow = GetTickCount() + 4000; // 4 seconds shud be enough,,, to not show the messages on the SS.

}
void AfterScreenshot(void)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return;
    }

    DWORD Addy = cgame + 0x1E25A;
    DWORD engineWH = 0x04C3C5E;
    DWORD FULLBRIGHT = 0x04C1FE8;

    if (Settings.fullbrightflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] FULLBRIGHT ON");

#endif 
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &EnableFullBright, sizeof(EnableFullBright), NULL);
    }
    if (Settings.enginewhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] ENGINEWH ON");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsON, sizeof(shownormalsON), NULL);
    }
    if (Settings.clientwhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] CLIENTWH ON");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &EnableWh, sizeof(EnableWh), NULL);
    }

    if (Settings.GFValue == 1) {
        if (!Settings.CHECK_GLOWFLAGS) {
            Settings.CHECK_GLOWFLAGS = true;
        }
    }
    memcpy(RestoreBytes, (char*)cgame + 0x625C8, 16);
  
    _beginthread((void(__cdecl*)(void*))Shoke_AfterScreenshotMSG, 0, NULL);
  
}

#define IMAGE_WIDTH 640
#define IMAGE_HEIGHT 480

void WINAPI Shoke_Screenshot(GLint x, GLint y, GLsizei width, GLsizei height, GLenum format, GLenum type, GLvoid* data)
{
#ifdef _SHOKE_DEBUG
    Debug(_NOCOLOR_, "GLreadPixes Hook Codecave test");
#endif

    if (Settings.SET_SCREENSHOT == _CUSTOMSS) {
            // Open the image file.
            FILE* fp = fopen("custom.ppm", "rb");
            if (!fp) {
                SendToConsole("Couldn't locate the picture.ppm file.");
            }

            // Read the image data from the file.
            int row, column, channel;
            unsigned char* image_data = (BYTE*)malloc(IMAGE_HEIGHT * IMAGE_WIDTH * 3);
            for (row = 0; row < IMAGE_HEIGHT; row++) {
                int position = IMAGE_WIDTH * 3 * row;
                fseek(fp, position - IMAGE_WIDTH * IMAGE_HEIGHT * 3, SEEK_END);
                fread(image_data + IMAGE_WIDTH * (IMAGE_HEIGHT - 1) * 3 - position, 1, IMAGE_WIDTH * 3, fp);
            }
            fclose(fp);

            // Allocate memory for the resized image.
            unsigned char* resized_image = (BYTE*)malloc(height * width * 3);

            // Perform nearest neighbor interpolation to resize the image to the desired dimensions.
            for (row = 0; row < height; row++) {
                for (column = 0; column < width; column++) {
                    int x_index = (int)(column * ((float)IMAGE_WIDTH / (float)width));
                    int y_index = (int)(row * ((float)IMAGE_HEIGHT / (float)height));
                    for (channel = 0; channel < 3; channel++) {
                        resized_image[row * width * 3 + column * 3 + channel] = image_data[y_index * IMAGE_WIDTH * 3 + x_index * 3 + channel];
                    }
                }
            }

            // Copy the resized image to the output data.
            memcpy(data, resized_image, height * width * 3);

            // Free memory.
            free(resized_image);
            free(image_data);

        SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
        SendToConsole("^3 *** Screenshot Taken ^3 ***\n");
    }
    else if (Settings.SET_SCREENSHOT == _CLEANSS) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "GLreadPixes Hook Codecave test -> CLEAN SS");
#endif
        BeforeScreenshot();

        //Give it time and Flush so no hacking traces are left.
        __asm {
            mov eax, CleanScreenAddy
            mov dword ptr[SCR_UpdateScreen], eax
        }
        for (int i = 0; i < 4; i++) { // 4x should be enuff..
            __asm {
                mov eax, SCR_UpdateScreen
                call eax
            }
        }

        AfterScreenshot();

        glReadPixels_org(x, y, width, height, format, type, data);
    }
    else if (Settings.SET_SCREENSHOT == _DISABLESS) {
        SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
        SendToConsole("^3 *** Screenshot Taken ^3 ***\n");
        return;

    }
    else if (Settings.SET_SCREENSHOT == _NORMALSS) {
        glReadPixels_org(x, y, width, height, format, type, data);
    }
}

C:

BOOL WINAPI Shoke_NextFile(
    HANDLE hFindFile,
    LPWIN32_FIND_DATAW lpFindFileData
) {
    return false;
}

BOOL WINAPI Shoke_EnumProcessModules(
    HANDLE hProcess,
    HMODULE* lphModule,
    DWORD cb,
    LPDWORD lpcbNeeded
) {
    return false;
}
bool isRunning(LPCSTR pName) //Simple but effective
{
    HWND hwnd;
    hwnd = FindWindow(NULL, pName);
    if (hwnd != 0) {
        return true;
    }
    else {
        return false;
    }
}
void Shoke_NewWindowName(void)
{
    //Shoke 16/11/2015 - Let's do this as well, just because i can lol...
    HWND name = FindWindow(NULL, "Fairplay Anticheat");
    SetWindowText(name, "Fairplay Anticheat Hacked by Shoke");
}
DWORD Shoke_WaitForSoF2()
{
    HWND hWnd;
    DWORD dwProcessId = -1;
    do {
        Sleep(0x64u);
        hWnd = FindWindowA(0, "Soldier of Fortune 2 Console");
        GetWindowThreadProcessId(hWnd, &dwProcessId);
    } while (dwProcessId == -1);
#ifdef _WIN10
    HMODULE MDC = GetModuleHandle("kernelbase.dll");
    DetourFunc((LPBYTE)GetProcAddress(MDC, "EnumProcessModules"), (LPBYTE)& Shoke_EnumProcessModules, 6);
#else
    HMODULE MDC = GetModuleHandle("kernel32.dll");
    DetourFunc((LPBYTE)GetProcAddress(MDC, "K32EnumProcessModules"), (LPBYTE)& Shoke_EnumProcessModules, 6);

#endif
    return dwProcessId;
}
void Shoke_FairPlayEntry(void)
{
    if (isRunning("Fairplay Anticheat")) {
        DetourFunction((PBYTE)FindNextFileW, (PBYTE)&Shoke_NextFile);

        Shoke_WaitForSoF2();
        Shoke_NewWindowName();
    }
    else {
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)Shoke_Detours, NULL, NULL, NULL);
    }
}
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    UNREFERENCED_PARAMETER(lpReserved);

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
#ifdef _SHOKE_DEBUG
        DebugEntry();
#endif
        Sleep(1000);
        _beginthread((void(__cdecl*)(void*))Shoke_FairPlayEntry, 0, NULL);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        //        CloseHandle(Entry);
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Oh man those were fun times back when sof was still alive..

where is the sourcecode pervsmirk ?

Splash · Dec 25, 2022

Shoke said:
AMIRITE

Sounds like a good name for a mineral, i prefer Calcite though. OMEGALUL

Janno · Dec 25, 2022

Shoke said:

I just remembered about this topic might as well share pieces of the source code itself now.. DEAD GAME.. AMIRITE?

C:

void (WINAPIV* ConsoleCMD)(const char*, char) = (void (WINAPIV*)(const char*, char))0x444380;

static  BYTE EnableWh[] = { 0x81, 0xCF, 0x88, 0x00, 0x00, 0x00 };
static  BYTE DisableWh[] = { 0x81, 0xCF, 0x81, 0x00, 0x00, 0x00 };

static BYTE shownormalsON[] = { 0x01,0x74,0x32,0x28,0x85,0xC0 };
static BYTE shownormalsOFF[] = { 0x01, 0x8B, 0x42, 0x28, 0x85, 0xC0 };

static BYTE EnableFullBright[] = { 0x75, 0x17 };
static BYTE DisableFullBright[] = { 0x74, 0x17 };
static BYTE CheckFlashByte[] = { 0x55 };

C:

void loadSettings()
{
    char GET_SCREENSHOT[20];

    GetPrivateProfileStringA("SCREENSHOTS", "screenshot", "normal", GET_SCREENSHOT, sizeof(GET_SCREENSHOT), LOAD_SETTINGS);

    if (!_stricmp(GET_SCREENSHOT, "disable")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to disable");
#endif
        Settings.SET_SCREENSHOT = _DISABLESS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "custom")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to custom");
#endif
        Settings.SET_SCREENSHOT = _CUSTOMSS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "clean")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to clean");
#endif
        Settings.SET_SCREENSHOT = _CLEANSS;
    }
    else if (!_stricmp(GET_SCREENSHOT, "normal")) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to normal");
#endif
        Settings.SET_SCREENSHOT = _NORMALSS;
    }
    else {
        Settings.SET_SCREENSHOT = _NORMALSS;
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Screenshot is set to normal");
#endif
    }

    Settings.GFValue = GetPrivateProfileIntA("Settings", "GlowingFlags", 0, LOAD_SETTINGS);

    if (Settings.GFValue == 1) { Settings.CHECK_GLOWFLAGS = true; }
    else if (Settings.GFValue == 0) { Settings.CHECK_GLOWFLAGS = false; }
}

PVOID Shoke_FindVMain = NULL;
DWORD pid;
DWORD waitforcgame = NULL;
static bool loadonce;

unsigned __stdcall Shoke_AfterScreenshotMSG(LPVOID useless)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return 0;
    }
    Sleep(1500);
//    WriteBytes((char*)cgame + 0x625C8, "\x5E\x33\x53\x53\x20\x54\x41\x4B\x45\x4E", 16);
    WriteBytes((char*)cgame + 0x625C8, "\x5e\x33\x53\x53\x20\x54\x41\x4b\x45\x4e\x00\x00\x00\x00\x00", 16);

   
//    WriteBytes((char*)cgame + 0x625C8, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 16);
    message = GetTickCount() + 4000;
#ifdef _SHOKE_DEBUG
    Debug(_NOCOLOR_, "Start Timer - Replace timer message with custom message. - 4 seconds.");
#endif  

    SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
    SendToConsole("^3 *** Screenshot Taken ^3 ***\n");


    _endthread();
    return 0;
}
void WriteBytes(char* dst, char* src, int size)
{
    DWORD oldprotect;
    VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy(dst, src, size);
    VirtualProtect(dst, size, oldprotect, &oldprotect);
}
static void Shoke_Antiflash(void)
{
    return;
}


MFUNC(DWORD, Shoke_Detours(LPVOID));
MFBEG(DWORD, Shoke_Detours(LPVOID));
DWORD Shoke_Detours(LPVOID)
{
    VM_START
    Sleep(320);
    DWORD old;

    loadSettings();

    VirtualProtect((LPVOID)0x400000, 0x100000, PAGE_EXECUTE_READWRITE, &old);

    OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    DWORD BaseAddress = GetModuleBaseAddress(pid, "sof2mp.exe");

    DetourFunction((PBYTE)BaseAddress + 0xB7910, (PBYTE)& Test);
    __asm mov[MovedRoutine], eax;

    DetourFunction((PBYTE)glReadPixels, (PBYTE)&Shoke_Screenshot);
    __asm mov[glReadPixels_org], eax;

    orig_Cvar_Get = (Cvar_Get_t)DetourFunction((PBYTE)BaseAddress + 0x4A110, (PBYTE)&Shoke_CvarRestrictions);

    if (Settings.CHECK_GLOWFLAGS) {
        DetourFunction((PBYTE)glBindTexture, (PBYTE)&Shoke_glBindTexture);
        __asm mov[glBindTexture_org], eax;

        DetourFunction((PBYTE)glDrawElements, (PBYTE)&Shoke_glDrawElements);
        __asm mov[glDrawElements_org], eax;
    }

    int iscgame = Cvar_VariableIntegerValue("vm_cgame");
   
    if (iscgame == 0) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "Yes cgame, value is set to 0.");
#endif
    }
    else {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "No cgame, value is not set to 0.");
#endif
        Shoke_SetCvar("vm_cgame", "0");
    }
    while (true) {
        DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
        if (!cgame) {
            if (GetTickCount() > timer) {
                timer = GetTickCount() + 2000;
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Waiting for the Client Module...");      
#endif
            }
        }
        else {
            //sof2mp_cgamex86.vmMain+3ACA - 81 CF 81000000        - or edi,00000081 { 129 }
            //sof2mp_cgamex86.dll+1E25A

            DWORD Addy = cgame + 0x1E25A;
            DWORD engineWH = 0x04C3C5E;
            DWORD FULLBRIGHT = 0x04C1FE8;

            DWORD flashstuff = cgame + 0xECE0;
            DWORD msgPatch = cgame + 0x625C8;
            //sof2mp_cgamex86.dll+ECE0 - 55                    - push ebp

    /*        if (Wallhack->integer == 1) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Yes, cvar is 1... spam.");
#endif
            }
            else if (Wallhack->integer == 2) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Yes, cvar is 2... spam.");
#endif
            }
            */
            if (GetTickCount() < message) {
                execute = true;
            }
            if (execute && GetTickCount() > message) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Timer done, Patch message now back to original.");
#endif  
                //Restore bytes: \x25\x32\x69\x3A\x25 // fuck this just use memcpy to copy the original bytes, and then restore it.
                WriteBytes((char*)cgame + 0x625C8, (char *)&RestoreBytes, 16);
                execute = false;
            }
            if (CheckAddress(CheckFlashByte, (LPVOID)flashstuff, sizeof(CheckFlashByte))) {
#ifdef _SHOKE_DEBUG
                Debug(_NOCOLOR_, "Flash Addy is unchanged... patching it now ");  
#endif
                DetourFunction((PBYTE)flashstuff, (PBYTE)&Shoke_Antiflash);
            }
            /*
            7A1DED0B   | F7 05 50 B6 51 7A 00 0A 00 00   | TEST DWORD PTR DS:[7A51B650], A00                  |
           
            {
            0xF7, 0x05, 0x50, 0xB6, 0x51, 0x7A, 0x00, 0x0A, 0x00, 0x00
            };|
            */
            //flashbang sof2mp_cgamex86.dll:$ECE0

            if ((GetAsyncKeyState(KEY_NUMPAD1) & 1)) {
                //
            //68 C8 25 08 78
                if (CheckAddress(DisableFullBright, (LPVOID)FULLBRIGHT, 2)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &EnableFullBright, sizeof(EnableFullBright), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "FULLBRIGHT Address -> %X Enabled", FULLBRIGHT);
#endif
        //            SendToConsole("^5[INFO] ^7Enabled FULLBRIGHT..\n");
                    Settings.fullbrightflag |= FULLBRIGHT_FLAG;
                }
                else if (CheckAddress(EnableFullBright, (LPVOID)FULLBRIGHT, 2)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &DisableFullBright, sizeof(DisableFullBright), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "FULLBRIGHT Address -> %X Disabled", FULLBRIGHT);
#endif
            //        SendToConsole("^5[INFO] ^7Disabled FULLBRIGHT..\n");
                    Settings.fullbrightflag &= ~FULLBRIGHT_FLAG;
                }
            }

            if ((GetAsyncKeyState(KEY_NUMPAD2) & 1)) {
                if (CheckAddress(shownormalsOFF, (LPVOID)engineWH, 6)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsON, sizeof(shownormalsON), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "ENGINE WH Address -> %X Enabled", engineWH);
#endif
    //                SendToConsole("^5[INFO] ^7Enabled WH..\n");
                    Settings.enginewhflag |= ENGINEWH_FLAG;
                }
                else if (CheckAddress(shownormalsON, (LPVOID)engineWH, 6)) {
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsOFF, sizeof(shownormalsOFF), NULL);
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "ENGINE WH Address -> %X Disabled", engineWH);
#endif
            //        SendToConsole("^5[INFO] ^7Disabled WH..\n");
                    Settings.enginewhflag &= ~ENGINEWH_FLAG;
                }
            }
            if ((GetAsyncKeyState(KEY_NUMPAD3) & 1)) {
                if (CheckAddress(DisableWh, (LPVOID)Addy, 6)) {
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "CGAME WH Address -> %X Disabled", Addy);
#endif
                    //    Debug(_ERROR_, "~~~~ WH\n");
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &EnableWh, sizeof(EnableWh), NULL);
    //                SendToConsole("^5[INFO] ^7Enabled WH..\n");
                    Settings.clientwhflag |= CLIENTWH_FLAG;

                }
                else if (CheckAddress(EnableWh, (LPVOID)Addy, 6)) {
                    //    SendToConsole("^3Enabled WH");;
#ifdef _SHOKE_DEBUG
                    Debug(_NOCOLOR_, "CGAME WH Address -> %X Enabled", Addy);
#endif
                    //    Debug(_ERROR_, "FF\n");
                    WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &DisableWh, sizeof(DisableWh), NULL);
        //            SendToConsole("^5[INFO] ^7Disabled WH..\n");
                    Settings.clientwhflag &= ~CLIENTWH_FLAG;
                }
            }
        }
    }
    VM_END
    MFEX(Shoke_Detours, 1000);
    return 0;
}
void BeforeScreenshot(void)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return;
    }
    DWORD Addy = cgame + 0x1E25A;
    DWORD engineWH = 0x04C3C5E;
    DWORD FULLBRIGHT = 0x04C1FE8;
   
    if (Settings.GFValue == 1) {
        if (Settings.CHECK_GLOWFLAGS) {
            Settings.CHECK_GLOWFLAGS = false;
        }
    }
    if (Settings.fullbrightflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] FULLBRIGHT OFF");
#endif  
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &DisableFullBright, sizeof(DisableFullBright), NULL);
        Settings.fullbrightflag |= FULLBRIGHT_FLAG;
    }
    if (Settings.enginewhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] WH-ENGINE OFF");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsOFF, sizeof(shownormalsOFF), NULL);
        Settings.enginewhflag |= ENGINEWH_FLAG;
    }
    if (Settings.clientwhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[BEFORE SS] CLIENTWH OFF..");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &DisableWh, sizeof(DisableWh), NULL);
        Settings.clientwhflag |= CLIENTWH_FLAG;
    }
    waitnow = GetTickCount() + 4000; // 4 seconds shud be enough,,, to not show the messages on the SS.

}
void AfterScreenshot(void)
{
    DWORD cgame = (DWORD)GetModuleHandle("sof2mp_cgamex86.dll");
    if (!cgame) {
        return;
    }

    DWORD Addy = cgame + 0x1E25A;
    DWORD engineWH = 0x04C3C5E;
    DWORD FULLBRIGHT = 0x04C1FE8;

    if (Settings.fullbrightflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] FULLBRIGHT ON");

#endif  
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)FULLBRIGHT, &EnableFullBright, sizeof(EnableFullBright), NULL);
    }
    if (Settings.enginewhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] ENGINEWH ON");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)engineWH, &shownormalsON, sizeof(shownormalsON), NULL);
    }
    if (Settings.clientwhflag & 1) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "[AFTER SS] CLIENTWH ON");
#endif
        WriteProcessMemory(GetCurrentProcess(), (LPVOID)Addy, &EnableWh, sizeof(EnableWh), NULL);
    }

    if (Settings.GFValue == 1) {
        if (!Settings.CHECK_GLOWFLAGS) {
            Settings.CHECK_GLOWFLAGS = true;
        }
    }
    memcpy(RestoreBytes, (char*)cgame + 0x625C8, 16);
   
    _beginthread((void(__cdecl*)(void*))Shoke_AfterScreenshotMSG, 0, NULL);
   
}

#define IMAGE_WIDTH 640
#define IMAGE_HEIGHT 480

void WINAPI Shoke_Screenshot(GLint x, GLint y, GLsizei width, GLsizei height, GLenum format, GLenum type, GLvoid* data)
{
#ifdef _SHOKE_DEBUG
    Debug(_NOCOLOR_, "GLreadPixes Hook Codecave test");
#endif

    if (Settings.SET_SCREENSHOT == _CUSTOMSS) {
            // Open the image file.
            FILE* fp = fopen("custom.ppm", "rb");
            if (!fp) {
                SendToConsole("Couldn't locate the picture.ppm file.");
            }

            // Read the image data from the file.
            int row, column, channel;
            unsigned char* image_data = (BYTE*)malloc(IMAGE_HEIGHT * IMAGE_WIDTH * 3);
            for (row = 0; row < IMAGE_HEIGHT; row++) {
                int position = IMAGE_WIDTH * 3 * row;
                fseek(fp, position - IMAGE_WIDTH * IMAGE_HEIGHT * 3, SEEK_END);
                fread(image_data + IMAGE_WIDTH * (IMAGE_HEIGHT - 1) * 3 - position, 1, IMAGE_WIDTH * 3, fp);
            }
            fclose(fp);

            // Allocate memory for the resized image.
            unsigned char* resized_image = (BYTE*)malloc(height * width * 3);

            // Perform nearest neighbor interpolation to resize the image to the desired dimensions.
            for (row = 0; row < height; row++) {
                for (column = 0; column < width; column++) {
                    int x_index = (int)(column * ((float)IMAGE_WIDTH / (float)width));
                    int y_index = (int)(row * ((float)IMAGE_HEIGHT / (float)height));
                    for (channel = 0; channel < 3; channel++) {
                        resized_image[row * width * 3 + column * 3 + channel] = image_data[y_index * IMAGE_WIDTH * 3 + x_index * 3 + channel];
                    }
                }
            }

            // Copy the resized image to the output data.
            memcpy(data, resized_image, height * width * 3);

            // Free memory.
            free(resized_image);
            free(image_data);

        SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
        SendToConsole("^3 *** Screenshot Taken ^3 ***\n");
    }
    else if (Settings.SET_SCREENSHOT == _CLEANSS) {
#ifdef _SHOKE_DEBUG
        Debug(_NOCOLOR_, "GLreadPixes Hook Codecave test -> CLEAN SS");
#endif
        BeforeScreenshot();

        //Give it time and Flush so no hacking traces are left.
        __asm {
            mov eax, CleanScreenAddy
            mov dword ptr[SCR_UpdateScreen], eax
        }
        for (int i = 0; i < 4; i++) { // 4x should be enuff..
            __asm {
                mov eax, SCR_UpdateScreen
                call eax
            }
        }

        AfterScreenshot();

        glReadPixels_org(x, y, width, height, format, type, data);
    }
    else if (Settings.SET_SCREENSHOT == _DISABLESS) {
        SendToConsole("^5 *** ^7FairPlay AC Bypass ^5 ***\n");
        SendToConsole("^3 *** Screenshot Taken ^3 ***\n");
        return;

    }
    else if (Settings.SET_SCREENSHOT == _NORMALSS) {
        glReadPixels_org(x, y, width, height, format, type, data);
    }
}

C:

BOOL WINAPI Shoke_NextFile(
    HANDLE hFindFile,
    LPWIN32_FIND_DATAW lpFindFileData
) {
    return false;
}

BOOL WINAPI Shoke_EnumProcessModules(
    HANDLE hProcess,
    HMODULE* lphModule,
    DWORD cb,
    LPDWORD lpcbNeeded
) {
    return false;
}
bool isRunning(LPCSTR pName) //Simple but effective
{
    HWND hwnd;
    hwnd = FindWindow(NULL, pName);
    if (hwnd != 0) {
        return true;
    }
    else {
        return false;
    }
}
void Shoke_NewWindowName(void)
{
    //Shoke 16/11/2015 - Let's do this as well, just because i can lol...
    HWND name = FindWindow(NULL, "Fairplay Anticheat");
    SetWindowText(name, "Fairplay Anticheat Hacked by Shoke");
}
DWORD Shoke_WaitForSoF2()
{
    HWND hWnd;
    DWORD dwProcessId = -1;
    do {
        Sleep(0x64u);
        hWnd = FindWindowA(0, "Soldier of Fortune 2 Console");
        GetWindowThreadProcessId(hWnd, &dwProcessId);
    } while (dwProcessId == -1);
#ifdef _WIN10
    HMODULE MDC = GetModuleHandle("kernelbase.dll");
    DetourFunc((LPBYTE)GetProcAddress(MDC, "EnumProcessModules"), (LPBYTE)& Shoke_EnumProcessModules, 6);
#else
    HMODULE MDC = GetModuleHandle("kernel32.dll");
    DetourFunc((LPBYTE)GetProcAddress(MDC, "K32EnumProcessModules"), (LPBYTE)& Shoke_EnumProcessModules, 6);

#endif
    return dwProcessId;
}
void Shoke_FairPlayEntry(void)
{
    if (isRunning("Fairplay Anticheat")) {
        DetourFunction((PBYTE)FindNextFileW, (PBYTE)&Shoke_NextFile);

        Shoke_WaitForSoF2();
        Shoke_NewWindowName();
    }
    else {
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)Shoke_Detours, NULL, NULL, NULL);
    }
}
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    UNREFERENCED_PARAMETER(lpReserved);

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
#ifdef _SHOKE_DEBUG
        DebugEntry();
#endif
        Sleep(1000);
        _beginthread((void(__cdecl*)(void*))Shoke_FairPlayEntry, 0, NULL);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        //        CloseHandle(Entry);
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Oh man those were fun times back when sof was still alive..

To be honest, change it a bit and it will work fully for guard as well

Darky · Dec 25, 2022

Lol oh this is nice

Dracula` · Dec 25, 2022

Darky said:
Lol oh this is nice

stop shave your ass

Shoke · Dec 25, 2022

Janno said:
To be honest, change it a bit and it will work fully for guard as well

Oh really? Interesting.. never bothered looking into guard. If SOF still wud be what it used to be i wudn't have shared the source anyway. I tend to dislike to share my work.

I just wanted to share this because in a way i see it as a nostalgia for myself. All the laughs and odd answers about my hacks from other players that have zero knowledge in the programming world and thinking this was not possible (clean screenshot feature) - so many people relied on fairshots thinking if it doesn't show anything on the screen then you obviously don't hack.

I would have bothered to look into the guard if sof was still active but If i hax it now who's gonna care?

GUARD is something that this pro hacker 1Head

can do. So @Devil me and Janno will be waiting for your great skills. Let us know the end results. You will be glorified for your work.

I wish the game used to be active again like it once was. But that's just dreams. My beloved game from childhood is a goner now, all that it remains are memories, but hey at least they are good memories and i'm sure you (janno) and i can relate very well to what i'm talking about.

In the end it's why we still are on here and visit the game every now and then, even if it's empty.

Janno · Dec 25, 2022

Shoke said:
GUARD is something that this pro hacker can do. So @Devil me and Janno will be waiting for your great skills. Let us know the end results. You will be glorified for your work.

Devil has done a lot of it already, clean fs (which btw will probs work the same way as shoke’s source shows) and he’s done.

Shoke said:
I wish the game used to be active again like it once was. But that's just dreams. My beloved game from childhood is a goner now, all that it remains are memories, but hey at least they are good memories and i'm sure you (janno) and i can relate very well to what i'm talking about.

Amen about that. Give me a week with old geezers and I’d nolife hard

Devil · Dec 26, 2022

i will make the previous sof2 hackers proud gigachad pervsmirk

~

Whiskey, boats and music

why let your life be controlled by fairytales

Whiskey, boats and music

why let your life be controlled by fairytales

Whiskey, boats and music

why let your life be controlled by fairytales

reject modernity embrace masculinity

๒๏รร

Member

Member

๒๏รร

Whiskey, boats and music

reject modernity embrace masculinity

Member

why let your life be controlled by fairytales

Member

3D# Legend

Whiskey, boats and music

why let your life be controlled by fairytales

reject modernity embrace masculinity