General Discussion Thread

[lol98xlol98]

how are map and minimap pings generated?

I am just curious as to how the client is building the pingwheel icons on the map/minimap

I have overlooked the
DotaUsermessages.CDOTAUserMsg_Ping
and CDOTAUserMsg_LocationPing

CDOTAClientMsg_MapPing may be what i need to look at though

and I can't make sense of how its actually implemented into the games functions.

however

going off of valves dev scripting api page I noticed

void MinimapEvent(int int_1, handle handle_2, int int_3, int int_4, int int_5, int int_6)

Start a minimap event. (nTeamID, hEntity, nXCoord, nYCoord, nEventType, nEventDuration).


It looks like this would somehow be tied into minimap pings. 


#define DOTA_MINIMAP_EVENT_HINT_LOCATION	512 
this would be the event type I would assume as no other event types that are defined in the api could possibly be it.


I would assume hEntity would be the identity of the ping type
Ie

#define PINGTYPE_INFO
#define PINGTYPE_WARNING
#define PINGTYPE_LOCATION
#define PINGTYPE_DANGER
#define PINGTYPE_ATTACK
#define PINGTYPE_ENEMY_VISION
#define PINGTYPE_OWN_VISION

basically i want to be able to programmatically ping the minimap and or draw lines on it for my teammates to alert them of %whatever I feel they need to know about.

Does anyone who frequents this source know of any routines or functions internally that could help guide me along my way in creating such code? I am digging but turning up nothing useful.
I have yet to hook the packets and send/recv features of the client so i can not call a direct packet injection as of yet. it may be awhile before I have such capability.

[LWSS]

UserMessages are server->client

just log sendnetmessage and start pinging, you will get the idea.

message CDOTAMsg_LocationPing {
	optional int32 x = 1;
	optional int32 y = 2;
	optional int32 target = 3;
	optional bool direct_ping = 4;
	optional int32 type = 5;
}

message CDOTAClientMsg_MapPing {
	optional .CDOTAMsg_LocationPing location_ping = 1;
}

note that you can't spam these real fast, that used to be an exploit.

[lol98xlol98]

thats one thing i was going to test and see ;)

What if you chain the messages into one larger packet. I was able to bypass spam protection mechanisms on multiple game clients before by chaining packet data in repeat into one super large packet. to bypass the spam detection

I found a client crash for a few games that used spamming, and they "fixed" it, however if I repeated the data into a larger buffer and fixed the send size to include my extension of the buffer I was able to send them slower but achieve the exact same results (it worked for one hit kos I have made in the past also which used spam packet techniques)

I didn't do this fixup within the game client but through winsock itself. I was able to send my encrypted data into a much much larger packet, all I had to do was fixup the bytes which determined the size of the packet in the actual packet data which I can't remember which bytes it was to be exact but it was in the very first few bytes of the packet itself.

It worked like this

prefixes ,packetdata lets say this was the normal packet

well I basically did this,

prefixes(modified for size correction),packetdatapacketdatapacketdatapacketdatapacketdatapacketdatapacketdatapacketdatapacketdatapacketdatapacketdata

and the packet data itself contained prefixes which were used internally in the game clients to identify size and type etc etc but even with chaining all the data into one larger buffer it still split them into individual packet types it did not see it as multiple packets, but still obeyed each as if they were individual packets being sent. automatically adding them to the internal processes of commands they executed within the game client. it split it accordingly even though it was one long bigasfuck buffer. it still seen them individually.
I have done this method on multiple servers and it works most of the time. every once in a blue moon a server cant parse the data and it may cause a buffer overflow.
however it bypassed spam protection as I only had to send one bigger buffer and allowed me to bypass the timed send check

would it be possible to do such a thing as this...

message CDOTAClientMsg_MapPing {
CDOTAMsg_LocationPing&&CDOTAMsg_LocationPing&&CDOTAMsg_LocationPing&&CDOTAMsg_LocationPing&&CDOTAMsg_LocationPing&&CDOTAMsg_LocationPing&&CDOTAMsg_LocationPing&&CDOTAMsg_LocationPing location_ping = 1;
}

[LWSS]

doubt that will work because all the messages have an ID. After the server gets the packet, it will get the body (https://github.com/LWSS/McDota/blob/master/src/SDK/CNetworkMessages.h#L2148 - something like this). Then do a protobuf ParseFromArray() on the bytes. It will only ever look for 1 packet at a time, it doesn't stack them up like in source 1, it uses repeated protobuf fields for that now.

[lol98xlol98]

hmm forgive my ignorance I have only delved into dota2 on this level for abt a week now, I don't know much about how source engine or source2 work. I haven't messed with anything like this before. I am just speculating on what I know to have worked in my experience in the past. Back in the old days when WPE was a thing I wrote a dll to inject to it, which did what I described.

I had never even heard of a protobuf until a few days ago lol.
But might it not see the whole stacked buffer as "one packet"?
idk just a thought, is the source for the way server handles incoming data available anywhere? Id like to go over it if so.

Also that code you directed me to is basically how the bypass got around it. The games internal data decoding made it figure out that it was individual commands, however it read it as one big packet. which was good for me because it bypassed the spam protection.

[LWSS]

no source available, you'll have to reverse it

yeah i used wpe pro a couple years ago in ffxiv, had overflow in chat packet that could crash people's games when I pm'd them lol.

[lol98xlol98]

I messed with wpe when it first came out, alongside tsearch. lol. I been around for a lil bit.
The last thing I worked on in heavy detail I shut down the game :(
I killed Sony Online Entertainments -> Wizardry Online
We found some source online on bitbucket which had a header to allow us to hook the vtable for its memory encryption during runtime and its packet encryption soon fell afterwards. We made a packet sender( https://github.com/blaquee/axf/tree/master/build i think its in the loaders code somewhere still ), found a method to trade off negative things made a goldhack, flooded the economy with gold and items, and it shut down a few months afterwards.

oh and to top it off that game or part of its network was accepting SQL commands through the games ingame chat, I noticed when I typed '1==1 it disappeared. So I typed something along the lines of

'1=1 where 1 SELECT AS '(asterix here it disappears when i type it)' From '(asterix here it disappears when i type it)' DROP ALL TABLES LOCK TABLES READ WRITE;--

And they had to roll back the server their last backup was two days prior! lol

I miss when things were as simple as memory editing with no debugging required, I am not the best in olly , or x64. I know enough to get around but not enough to be a pro reverser. I think I managed to unpack older themida once or twice manually but that was about the best of my reversing skills. (only did that to bypass Nprotect GameGaurd)

has anyone tried to do any sqli on dota2?
or see if it may register sql commands internally?

[lol98xlol98]

i seen that attemptedtocrashserver shit when i was in olly the other morning lol.

Ive ran into a bug where if monkey king is in battle with us, late game the game constantly(i mean miliseconds apart) is trying to remove a null pointer entity index by the hundreds!! it lags the fuck out of my system to 100%cpu usage
There's a bug in his ult(i think this is what is causing it)at least on windows 7 x64

So is that server-crash fix the reason I am having so much trouble trying to track down prepareunitorders? I totally had a runesnatcher coded up and then came to find out they took out prepareunitorders as a virtual lol
to me it looks like it trails off into the scripting system(if i remember correctly it was days ago..)
and I found that message about the potential server crash during searching for prepareunitorders

I actually had the idea to try to chain messages together using that api as well, to see if I could possibly send less network traffic and accomplish multiple tasks.

And I remember that vulkan bug, I was wondering what was causing that shit it literally made me disconnect prior to being able to join a game.

[LWSS]

yeah lol they made prepunitorders non virtual last month or december to try and deter hackers. Which is amusing because I didn't even really use it in the first place.

The monkey king ult is very ghetto, the monkeys are all their own hero that copies cosmetics and more. When he came out, they would just spawn and remove the entities, that was extremely laggy, so they made them invisible and stored them in the team's fountain. However, this caused some bugs like breaking smoke and other weird shit, so they had to change it again and I don't even know what they do now(maybe shove them off map?).

I could possibly send less network traffic and accomplish multiple tasks.

could try forcing reliable/unreliable transmission(it's kinda like udp/tcp), also I found an up to 5ms delay in the SDR relays, It's called nagletime, you can disable it via sdr console commands. Some of the SDR source is on github (https://github.com/ValveSoftware/GameNetworkingSockets/blob/master/src/steamnetworkingsockets/clientlib/steamnetworkingsockets_snp.cpp) but it is not enjoyable to read.

[lol98xlol98]

besides using netsend or scripting to 'execute orders from table' are there any ways to interact with items on the ground? (excluding clicking unless i can fool the client into believing i clicked an entity without having the capability of clicking it) IE if an item falls under an ancient (which I cant click bc the ancient is in my way!!!)I want to be able to grab it immediately if I have the space to do so, so if an enemy team of idk lets say 3 invade trying to kill me I can at least have grabbed said item and wont risk losing it to the enemy team.
I can get the handle and index almost instantly using the hook written by shekeru
I took their project as a base for what I am working on.

I Haven't even looked into what all I would have to do to actually run a script in a normal game, and or what types of scripts I could run, don't know the difficulty level of implementing it into my source.

If i had been on linux I probably would have used your source. Which is quite complex btw, how long have you been working on this project? and how many people are helping?

are there any message boards I should frequent about dota2 development that you know of? or other sources of discussion about developing shit for dota? I kind of like the fact that I came into the dev scene for dota when I did, a lot of the groundwork has already been laid out given the time people have already put into it. Been playing the game legit as fuck for a little while now, so I am deciding to just fuck around.

......hack ideas...
I have been curious remember how the backpack had 4 slots.... I wonder if it still "does" but is unable to be accessed from the gui. Ever try moving an item into a backpack slot 4 after they removed it? Or is that now the neutral item slot?
I am also curious about moving neutral items into normal inventory slots again, I wonder if it is possible as it used to be. I don't think they carry a flag to keep them out of said slots. Could be nice to have multiple badass items in your inventory again, like when neutrals first came out.

Also has anyone ever tried splitting a stack of items into a "0" or "negative" amount? IE (split -1) of %tangostack or split 0 of %tangostack

And has anyone ever tried "splitting" a non stackable item such as an armor or weapon item?
I wonder if it may produce ghosts of said item serverside even if we "dont see it" render clientside.
could be a means of crash by taking up all available entity slots+overflow or could be a means of duplicating item functions on a given hero by moving the ghosts into our inventory through a command. I have played a few games before where i split unsplitable items. I didn't see it draw the item but I was able to guess that it indeed made it and moved it onto my hero in an invalid slot and gained the bonus's even though I did not see the bonus's occur on my end. It allowed me to equip what was meant to be a weapon on say a shield or helmet slot. because the server didnt know "it wasnt able to be there" it allowed the equipping of the item into an invalid location.

And has anyone made a namespoofer? for ingame chat to fuck with people for the lulz?
I think we can change name during the actual game. But I am unsure, and if that method will not work maybe we can fill the space with unseen characters until newline OR insert newline and type The spoof victims name: message
Be a good way to get people reported for being a dick (if you just didn't like someone lol)

.......questions about your hacks.....
Oh I also wanted to ask, the lane quarantine method you developed, how did it work? Setting the game into thinking it was the lasthit trainer? thats fucking hilarious if that is the case. At first when I seen the video about it on youtube I wondered if maybe whomever was sending 'chop tree' commands near all creeps to draw aggro, and that the server had no sanity check on "is this possible" and just drawed the entities in.

[LWSS]

besides using netsend or scripting to 'execute orders from table' are there any ways to interact with items on the ground

• no you must use orders, it's the only way and the orders are going to be somewhat secure because 1- javascript skiddies can send them, 2- my friend moofmonkey recently had an order spammer(patched), that's where the potentially attampted meme is from.

Which is quite complex btw, how long have you been working on this project? and how many people are helping?

• it's just me unless stated in the source. Probably almost 2 years? This isn't my sole focus though. I do enjoy having a nice thorough-as-can-be SDK, at first this was annoying, but now with the integritychecks and with some history, it's very managable.

are there any message boards I should frequent about dota2 development that you know of? or other sources of discussion about developing shit for dota?

• no not really, there is a post on unknowncheats in the other/mmo section about every 3 months, but most of the time it's a shitpost. There are a few russian ones I think, but it's in russian lol. Pretty much everyone I have met through dota hacking is russian.

unsure about the jungle item slots, haven't messed with that stuff since it came out.

And has anyone made a namespoofer? for ingame chat to fuck with people for the lulz?

• you can change your name, but it does not show up in the UI. (see status). Maybe check c2s_connect packet? for initial name?

lane quarantine method you developed, how did it work?

• I actually have a blog post for this on my new blog: (https://lwss.github.io/Dota-Strain/)

Been playing the game legit as fuck for a little while now, so I am deciding to just fuck around.

• yeah I actually play legit :). Hero specific features don't interest me. I mainly use this for making memes and exploits. Which by the way, the camera zoom can be detected on the server now, I should probably do something about that ;)

[lol98xlol98]

• how are they detecting camera zoom?

If I were a dev and needed to attempt to detect it, I would use these methods or similar:
~and how I would defeat them

1. checking related convars values And memory values of CamPosition
~(spoof convars / map a fake "camera entity" with proper values to point to)
2. checking the integrity of client.dll vs a known untouched one
-via a local and remote comparison of file, and crc checking/hash comparison
~(mapviewoffile easy bypass)
3. see if "mouse moved off visible screen" to move camera %x or %y
~(hook mouse input? / hook screen rendering?)
4. see if "mouse clicked outside of screen"
_~(hook mouse input? / hook screen rendering?)_
5. see if mouse position does not match click coordinates
~(hook mouse input? / hook screen rendering? / hook world positions?)

• a weird function name
  I can't remember what library I had loaded and was debugging,
  But have you came across the routine that is named something like <-keyword LIKE
  foo:barh4xDoNotCallThisFunc()
  And if you have, what the fuck does it do?

• Protobuf

Also this google protobuf shit is a fucking headache from hell. I haven't ever had to work with it before, and it is quite confusing. I spent nearly all day yesterday trying to get it included into my existing project and working- I don't know if I eventually did as I haven't tried calling a function which needs it yet , but damn that was a pain in my ass to get my shit to even compile on visual studio 2017 community edition ver 15 on windows 8sdk toolset on x64 windows 7OS.
And to be quite honest I don't think I did it right or that it will work as intended. Am I supposed to include raw source into my project or a compiled library?(so much link errors! originally) I haven't had much opportunity to work with it and see how it actually works, I just know it was a pain in the ass to get to compile, and then attempt to include into my existing solution.

• network
  Do I need to call a specific interface to be able to work with the networking like I had to for cvars here? (assuming I get protobuf working if it is not)

sdk.Cvars = Cvars->LoadInterface<ICvar>("VEngineCvar007");

I am only trying to work with it so I can mess with the network aspect of this client and possibly look for true exploits and real cheats- not just crashes but actual hacks.
I love being able to inject raw data into a datastream to see what bytes/bits I can modify to change the outcome of the packets resulting effects- so I really want to get the networking capabilities hooked. So I can manually decode the bits/bytes and figure out what packets do what and go from there.

Are the packets encrypted? compressed? have they been decrypted? I would like to see raw network data streams if possible, and then decipher from that tier of communication. It may be easier to unpatch some of these "message level" spam prevention techniques by going up a networking level to the actual packet and chaining the data like I spoke of earlier. messages are internal inside of the packet, maybe the packet can be restructured to contain multiple messages hence unpatching some of the DOS techniques prevented by something along the lines of

client(sendpacket{prefix;data:msg})
client(sendpacket{prefix;data:msg})
client(sendpacket{prefix;data:msg}) **might trigger it**

 client(sendpacket{prefix;data:msg&&msg&&msg&&msg}) **may not**


_where prefix[] (which is the network layer encapsulation
 of the enclosed client datatypes/messages)
 will have to have its size adjusted to include the entire length of the new packet
 and its hash fixed up so that we would not disconnect from sending invalid data.
I dont remember all the flags but its a few bytes of shit
Trust me when I say this is a nifty little trick that nearly always works._
so its (kinda) like this but will vary from each individual app or game or whatever because
 their internal communication routines are well... their own...
Because each message is going to be encapsulated in a packet by itself.
We could encapsulate multiple messages inside of the packet layer and try to 
bypass the spam prevention by sending less packets 
with more messages. as I tried to explain earlier.

class networkLevelEncapsulated{
SizeOFsentShit
checksum
length
     struct clientdata{
     internal 
     unique 
     shit 
     per 
     whatever 
     game 
     or 
     apps 
     communication 
     protocol 
     looks 
     like
     maybe.datatype
     maybe.size
     maybe.whatever
          struct maybeEncapsulatedAgain
         {
         maybeID
         maybeSizeofdata
         encryptionORdecryption->dataraw //this is where the chaining would occur 
                                            //dataraw=modifiedchainedrawdata
          }
     }
}



int SrvRCheckPacketsRecvd(amount,overtime){
somethingsomethingsomething cmp amount,overtime;
if(toomanypackets){
fuckthatguyhescrashingus();
return player->disconnect&flag
}else(){
return WeGucci->parseIncomingdata(packet)
}
}

const* parseIncomingdata(stuff){
stripnetworklayerstuffs(stuff);
if(msg){dotheencapsulatedstuffs}
}

• random
  What the hell is a meme? You mean like drawing random shit on the map to the team?
  as in something like

a big dick
a smiley
a fuckayooo

• order spammer is lulz
  I believe I was in a game that this happened in.
  I noticed like a bazillion events fire and a most horrendous sound nearly deafening then disconnect

• Source2engine
  Has valve ever implemented any cross client/server checking on the integrity of the game?
  I hacked command and conquer tiberium wars a long long long time ago and it had a desync if anything in the actual game was modified and not the same amongst all clients.
  I spent very little time on it, but found some neat and nifty hacks you had to initiate in the lobby pregame. I assume a mapping of the client on the check routine would have bypassed any mods ingame- however I didn't go in depth on that game. (1 hit ko was my favorite, also godmode)

I mean even warcraft3 had a desync upon client mismatch protocol , and that's where this game was birthed.

• Illusions
  Is there any way besides network data to detect these? It seems scripts can do so. I imagine there are memory methods of detection.
  Are the flags and attributes of entities located near or beside the index/handle? An invisible//offscreen/hidden modifier or attribute could be present in memory to indicate illusion.

• _modifiers can have flags within to indicate they cant be seen

• illusions never have full damage

• illusions take more damage

at first i thought maybe the index/handle could be cached and compared against new entities to determine if illusion but idk if this would work._

#define MODIFIER_EVENT_ON_MODIFIER_ADDED	152	//OnModifierAdded

#define MODIFIER_PROPERTY_INVISIBILITY_LEVEL	9
#define MODIFIER_PROPERTY_IS_ILLUSION	107	//GetIsIllusion
#define MODIFIER_PROPERTY_ILLUSION_LABEL	108	//GetModifierIllusionLabel->Setbool(GetInvis());
#define MODIFIER_PROPERTY_SUPER_ILLUSION	109	//GetModifierSuperIllusion
#define MODIFIER_PROPERTY_SUPER_ILLUSION_WITH_ULTIMATE	//110	GetModifierSuperIllusionWithUltimate
#define MODIFIER_PROPERTY_INCOMING_DAMAGE_ILLUSION	174

MODIFIER_PROPERTY_INVISIBILITY_LEVEL
MODIFIER_PROPERTY_PERSISTENT_INVISIBILITY

MODIFIER_PROPERTY_DAMAGEOUTGOING_PERCENTAGE
MODIFIER_PROPERTY_DAMAGEOUTGOING_PERCENTAGE_ILLUSION 
MODIFIER_PROPERTY_BASEDAMAGEOUTGOING_PERCENTAGE 
MODIFIER_PROPERTY_INCOMING_DAMAGE_PERCENTAGE 

MODIFIER_PROPERTY_TOOLTIP = 151 -- OnTooltip
MODIFIER_STATE_VALUE_DISABLED 
MODIFIER_STATE_VALUE_ENABLED 
MODIFIER_STATE_VALUE_NO_ACTION

MODIFIER_ATTRIBUTE_PERMANENT

DOTA_ABILITY_BEHAVIOR_HIDDEN

Also sorry about the formatting of previous posts, I'll try to make newer ones friendlier on the eyes!
And I appreciate your inputs and knowledge I could learn a lot from you sensei.

[LWSS]

yeah about the zoom hack, they calculate the camera bounds and check to see if you clicked outside of them in 3d coordinates. They don't ban for it as far as I know, but according to my russian comrades, you get flagged for it. It probably has a big tolerance.

I have fixed this before by emulating a smaller camera inside your world view. It worked pretty good, needs minimap jumps though. I made this for one of my russian comrades p2c, I said I wouldn't release it, but it has been quite a long time since then.

Also this google protobuf shit is a fucking headache

• Yeah I heard it's bad on windows.

What the hell is a meme?

• something stupid/for fun

order spammer is lulz

• that sounds about right, it worked with instant abilities like medusa shield

Has valve ever implemented any cross client/server checking on the integrity of the game?

• that is controlled by a convar, sv_pure, it is currently turned off on dota. Historically it has caused a lot of lag to continuously hash files, I think they turned it off because of that, and also they don't view dota cheats as an issue. The convar checker seems to be disabled as well. The only checks like that left are vac, which you can literally disable.

Do I need to call a specific interface to be able to work with the networking like I had to for cvars here? (assuming I get protobuf working if it is not)

• Yes, look at the source for my project. SendNetMessage/PostRecvNetMessage should have what you want. There are very few messages that get sent outside of those (like c2s_connect)

I have illusions already (https://github.com/LWSS/McDota/blob/master/src/SDK/CDotaBaseNPC.h#L46)

I think you could get some value out of installing linux on a laptop or something and installing mcdota to see the features.

[lol98xlol98]

I would install linux but I literally have a 80gb hdd which is slap full. I have like 100mb free disk space, and the only thing I really have on here is dota and a few tools alongside an IDE I only have a 10gb (i think 9 is usable) flashdrive as an extension
I really like ubuntu personally. But I need a windows environment for the mrs.
I would totally install mcdota if I had the space to partition a dualboot xD I used to have a triboot partition before my hdd crashed and I had to go buy the cheapest option at a local "scavenger parts" store. Cant really afford to get my space back at this or any foreseeable time in the near future.

Also i edited the above post with the explanation of the packet encapsulation so maybe I could make more sense of it, to make sure you understood what I meant with a simple analogy style pseudo code comparison.

[LWSS]

I forgot that you said you were new, do you have the debug binaries yet? Those make reversing 10x easier.

For the raw packets.... I think...

It calls SerializeAbstract(https://github.com/LWSS/McDota/blob/master/src/SDK/CNetworkMessages.h#L2255)
Which calls the serializer(https://github.com/LWSS/McDota/blob/master/src/SDK/CNetworkMessages.h#L2203)
raw bytes must get sent in netchannel... Probably SendData(https://github.com/LWSS/McDota/blob/master/src/SDK/INetChannel.h#L52)

I am not sure because it crosses a lot of dll-boundaries and most of the functions are virtual

[lol98xlol98]

no I dont have debug binaries.

[LWSS]

Search for them on UC, I can't seem to find the link now, but they should be one there.

[lol98xlol98]

• IllusionOrNah()??

if(!hero->IsModelIndexOriginalModel()){someTingFishE}
		

`
I was looking at that api before but never tried to call it, I believe it checks the modifier and returns the state of m_hReplicatingOtherHeroModel as "null" or "!null"
(I have to debug to see what it actually does at some point)
it's alongside other modifier functions and in the same class , it would only be logical to assume it really does look up the attribute m_hReplicatingOtherHeroModel
There has to be a way to find and always point to the buffer holding all the attributes and modifiers and skills and such on the hero with relative ease.

• How is the CustomNetTables.HEROshit structured?
  Edit found my answer:
  https://github.com/skadistats/skadi/wiki/DT_DOTA_PlayerResource
  https://wiki.alliedmods.net/Entity_Properties#Data_Maps
  https://www.unknowncheats.me/forum/1935356-post1.html

is it dynamic??? ans:NO
and are all the variables within CustomNetTables.HEROshit binary bits? such as hp mp dmg evade crit and whatever else ans:NOT Necessarily

• Random thoughts
  I wonder if I should just risk running cheat engine (I'm sure that will flag me if not ban me)and scanning for my mana and hp and then looking around in memview to see the offset from each other they are, then just use GetHealth() to find the address of the hp to add or sub an offset to in order to find
  < CDOTA_BaseNPC_Hero > m_hReplicatingOtherHeroModel lurking nearby
  I do love CE's :
  Various and Plentiful as well as Powerful capabilities.
  It is still a great tool when used alongside other tools. It really helps me when I sift through olly/x64

• conclusion about proto
  Not having CCustomNetTableManager::CustomNetTables functionality because proto is a bitch to incorporate/build/add/link makes this extremely difficult on me lol
  I wonder if I need to just add it from source into my project and compile it as a dependency of MyDll. as its own project within the solution, that should link it proper I have always hated VS linker it has confused me since day1 and still does.

• on vac
  where besides UC can I find any information on it?
  Id like to know:

-when/how it activates
-what it does
-any signatures or hashes of known dlls
-How its loaded and what loads it(id assume steam)
-what it looks for/if it makes hooks/what it scans/ which api it uses/etc etc 
-Id like to grab some dumps of its modules to debug, I haven't found any online however.

Oh btw man if you dont mind keeping this issue open I am kinda logging my information gathering in here. I am looking at these datamap structures tonight, looks interesting. A bit complex maybe, but interesting.

[heyimrendy]

@lol98xlol98 Latest Dota2 MAC binaries with debug symbol from manifest 2821943592690435352 January 25, 2016.

[lol98xlol98]

• something I typed up to be able to view Entity base classes and some of their data members
  idk if this can be of any use I just did it for a quick reference in my IDE in collapsible tabs

//Base Classes and their properties so i can visualize it
//it may or may not be useful who knows yet
//i just did this so i could see the data and its layout per-se 
//Nice and collapsible tabs in my IDE to quickly browse the members
//~~~~~~~~
#define  PropertyType
#define EntityState
#define MODIFIER_STATE_ROOTED	0	//Set to true to cause the parent to become rooted.
#define MODIFIER_STATE_DISARMED	1	//Set to true to cause the parent to become disarmed.
#define MODIFIER_STATE_ATTACK_IMMUNE	2	//Set to true to cause the parent to become attack immune.
#define MODIFIER_STATE_SILENCED	3	//Set to true to cause the parent to become silenced.
#define MODIFIER_STATE_MUTED	4	//Set to true to cause the parent to become muted.
#define MODIFIER_STATE_STUNNED	5	//Set to true to cause the parent to become stunned.
#define MODIFIER_STATE_HEXED	6	//Set to true to cause the parent to become hexed.
#define MODIFIER_STATE_INVISIBLE	7	//Set to true to cause the parent to become invisible.
#define MODIFIER_STATE_INVULNERABLE	8	//Set to true to cause the parent to become invulnerable.
#define MODIFIER_STATE_MAGIC_IMMUNE	9	//Set to true to cause the parent to become immune to magic.
#define MODIFIER_STATE_PROVIDES_VISION	10	//Set to true to cause the parent to share its vision with the source of the modifier.
#define MODIFIER_STATE_NIGHTMARED	11	//Set to true to cause the parent to become nightmared.
#define MODIFIER_STATE_BLOCK_DISABLED	12	//Set to true to cause the parent to become unable to block attacks.
#define MODIFIER_STATE_EVADE_DISABLED	13	//Set to true to cause the parent to become unable to evade attacks.
#define MODIFIER_STATE_UNSELECTABLE	14	//Set to true to cause the parent to make it unselectable.
#define MODIFIER_STATE_CANNOT_MISS	15	//Set to true to cause the parent to always hit its target.
#define MODIFIER_STATE_SPECIALLY_DENIABLE	16	//Set to true to cause allies to be able to deny the parent.
#define MODIFIER_STATE_FROZEN	17	//Set to true to cause the parent to become frozen.
#define MODIFIER_STATE_COMMAND_RESTRICTED	18	//Set to true to cause the parent to become unable to issue orders.
#define MODIFIER_STATE_NOT_ON_MINIMAP	19	//Set to true to cause the parent to become invisible on the minimap.
#define MODIFIER_STATE_NOT_ON_MINIMAP_FOR_ENEMIES	20	//Set to true to cause the parent to become invisible on the minimap for enemies.
#define MODIFIER_STATE_LOW_ATTACK_PRIORITY	21	//Set to true to cause the parent to become low attack priority, causing it to be the last to be hit when attack moving.
#define MODIFIER_STATE_NO_HEALTH_BAR	22	//Set to true to cause the parent to have its health bar disabled(invisible).
#define MODIFIER_STATE_FLYING	23	//Set to true to cause the parent to fly, ignoring terrains and increasing its offset from the ground.
#define MODIFIER_STATE_NO_UNIT_COLLISION	24	//Set to true to cause the parent to become phased.
#define MODIFIER_STATE_NO_TEAM_MOVE_TO	25
#define MODIFIER_STATE_NO_TEAM_SELECT	26
#define MODIFIER_STATE_PASSIVES_DISABLED	27	//Set to true to cause the parent to have its passives disabled.
#define MODIFIER_STATE_DOMINATED	28	//Set to true to cause the parent to become dominated.
#define MODIFIER_STATE_BLIND	29	//Set to true to cause the parent to become blind.
#define MODIFIER_STATE_OUT_OF_GAME	30
#define MODIFIER_STATE_FAKE_ALLY	31
#define MODIFIER_STATE_FLYING_FOR_PATHING_PURPOSES_ONLY	32	//Set to true to cause the parent to stay on the ground, but be considered flying when moving.
#define MODIFIER_STATE_TRUESIGHT_IMMUNE	33	//Set to true to cause the parent to become immune to truesight.
#define MODIFIER_STATE_LAST	34//

class xDT_DOTA_Gamerules{
public:
	struct PropertyType {

	};

};



class xDT_DOTATeam {
public:
	struct PropertyType {
		enum m_iTeamNum { Teamindex };
		enum m_szTeamname { TeamName };
		enum m_szTag { TeamTag };
		enum m_unTournamentTeamID { TeamID };
		enum player_array { m_iBarracksKills, m_iTowerKills, m_iHeroKills, m_bTeamComplete, m_iScore, m_iRoundsWon };
	};

};

class xDT_DOTAPlayer{
public:
	struct PropertyType {
		enum m_iPlayerID { Playerid };
		enum m_hAssignedHero { eHandle };
	};
};

class xDT_DOTA_PlayerResource{
public:
	struct PropertyType {
	//these are all technically arrays[]!!!
	//ill have to figure out how to programatically type this up and make it proper
	/*
	Arrays
These arrays index from 0000-0004 for Radiant, 0005-0009 for Dire
('m_iReliableGold','0003'): contains the reliable gold of player 3
('m_iPlayerTeams','0000'): contains the team of player 0
('m_iPlayerSteamIDs','0006'): contains the steamID of player 6
('m_iLastHitCount','0005'): contains the number of last hits player 5 has
	*/
	enum        m_iszSelectedHero{};
	enum        m_iReliableGold{};// : the player's reliable gold
	enum	    m_bIsBroadcaster{};
	enum        m_nSelectedHeroID{};// : hero ID for that player entry
	enum		m_UnitShareMasks{};
	enum		m_iNearbyCreepDeathCount{};
	enum		m_iszPlayerNames{};// : the player's name
	enum		m_bHasRepicked{};
	enum		m_iTimedRewardCrates{};
	enum		m_iTimedRewardDrops{};
	enum		m_bFakeClient{};
	enum		m_iBroadcasterLanguage{};
	enum		m_iLastHitStreak{};
	enum		m_bBattleBonusActive{};
	enum		m_iMetaLevel{};
	enum		m_hSelectedHero{};// : ehandle for the DT_DOTA_Unit_Hero entity
	enum		m_iMetaExperienceBonusRate{};
	enum		m_iLastHitMultikill{};
	enum		m_iLastHitCount{};
	enum		m_iLevel{};
	enum		m_iDenyCount{};
	enum		m_iConnectionState{};
	enum		m_iDeaths{};
	enum		m_bFullyJoinedServer{};
	enum		m_iBroadcasterChannelSlot{};
	enum		m_iMetaExperience{};
	enum		m_iTotalEarnedXP{};
	enum		m_iPlayerSteamIDs{};// : steam ID for that player
	enum		m_nPossibleHeroSelection{};
	enum		m_bVoiceChatBanned{};
	enum		m_iUnreliableGold{};// : the player's unreliable gold
	enum		m_iLastBuybackTime{};
	enum		m_iAssists{};
	enum		m_nSuggestedHeroes{};
	enum		m_iBattleBonusRate{};
	enum		m_iKills{};
	enum		m_iTotalEarnedGold{};// : The player's total earned gold
	enum		m_iPlayerTeams{}; //	2 : Radiant   3 : Dire   5 : Spectator
	enum		m_iRespawnSeconds{};
	enum		m_bHasRandomed{};
	enum		m_iStreak{};
	enum		m_iBroadcasterChannel{};
	enum		m_flBuybackCooldownTime{};
	enum		m_bAFK{};
	enum		m_iMetaExperienceAwarded{};

	};
};

class xDT_DOTABaseAbility {
public:
	struct PropertyType {
		enum m_iLevel{ abilitylevel };
		enum m_fCooldown{ gametime };
		enum m_flCooldownLength{ length };
		enum m_iManaCost{ ManaCost };
		enum m_iCastRange{ CastingRange };
		
	};
};

class xDT_DOTA_BaseNPC {
public:
	
	struct PropertyType {
		enum m_iCurrentLevel { EntityLevel };
		enum m_nUnitState {EntityState state = (MODIFIER_STATE_ROOTED | MODIFIER_STATE_DISARMED | MODIFIER_STATE_ATTACK_IMMUNE | MODIFIER_STATE_SILENCED | MODIFIER_STATE_MUTED | MODIFIER_STATE_STUNNED | MODIFIER_STATE_HEXED | MODIFIER_STATE_INVISIBLE | MODIFIER_STATE_INVULNERABLE | MODIFIER_STATE_MAGIC_IMMUNE | MODIFIER_STATE_PROVIDES_VISION | MODIFIER_STATE_NIGHTMARED | MODIFIER_STATE_BLOCK_DISABLED | MODIFIER_STATE_EVADE_DISABLED | MODIFIER_STATE_UNSELECTABLE | MODIFIER_STATE_CANNOT_MISS | MODIFIER_STATE_SPECIALLY_DENIABLE | MODIFIER_STATE_FROZEN | MODIFIER_STATE_COMMAND_RESTRICTED | MODIFIER_STATE_NOT_ON_MINIMAP | MODIFIER_STATE_NOT_ON_MINIMAP_FOR_ENEMIES | MODIFIER_STATE_LOW_ATTACK_PRIORITY | MODIFIER_STATE_NO_HEALTH_BAR | MODIFIER_STATE_FLYING | MODIFIER_STATE_NO_UNIT_COLLISION | MODIFIER_STATE_NO_TEAM_MOVE_TO | MODIFIER_STATE_NO_TEAM_SELECT | MODIFIER_STATE_PASSIVES_DISABLED | MODIFIER_STATE_DOMINATED | MODIFIER_STATE_BLIND | MODIFIER_STATE_OUT_OF_GAME | MODIFIER_STATE_FAKE_ALLY | MODIFIER_STATE_FLYING_FOR_PATHING_PURPOSES_ONLY | MODIFIER_STATE_TRUESIGHT_IMMUNE | MODIFIER_STATE_LAST)}; //32 bits? define it above
		enum m_hReplicatingOtherHeroModel { eHandle };
		enum m_iUnitNameIndex { indexVpkHeroID };
		enum m_lifeState { lifestate }; // 0alive 1dying 2dead 3respawnable 4discard body
		enum m_iHealth {Health};
		enum m_iMaxHealth {MaxHealth};
		enum m_iHealthThinkRegen {HpRegen};
		enum m_iMana {Mana};
		enum m_iMaxMana {MaxMana};
		enum m_iManaThinkRegen {MpRegen};
		enum m_bIsAncient {Flag};//1 ancient-type 0 not
	};
};

class xDT_DOTA_BaseNPC_Creep_Lane{
public:
	struct PropertyType {
		enum m_iHealthPercentage {Percent};
	};
};

class xDT_DOTA_BaseNPC_Hero {
public:
	struct PropertyType {
		enum m_iCurrentXP {Xp};
		enum m_hReplicatingOtherHeroModel {eHandle};
		enum m_iPlayerID {PlayerID};
		enum m_flSpawnedAt {TheTimeAtSpawn};
		enum m_flStrength {BaseStr};
		enum m_flAgility {BaseAgi};
		enum m_flIntellect {BaseInt};
		enum m_flStrengthTotal {StrNow};
		enum m_flAgilityTotal {AgiNow};
		enum m_flIntellectTotal {IntNow};

	};
};

`

Update to xDT_DOTA_BaseNPC
(still needs work i think...)

class xDT_DOTA_BaseNPC {
private:
	enum    xm_nUnitState{ xeState };
public:
               struct PropertyType {

		enum m_iCurrentLevel { EntityLevel };
		struct m_nUnitState {
			virtual int Getstate() = 0;
			(int)Getstate() {
				int statecmp;
				statecmp = (int)xm_nUnitState::xeState;
				switch (statecmp) {
				case  MODIFIER_STATE_ROOTED | MODIFIER_STATE_DISARMED | MODIFIER_STATE_ATTACK_IMMUNE | MODIFIER_STATE_SILENCED | MODIFIER_STATE_MUTED | MODIFIER_STATE_STUNNED | MODIFIER_STATE_HEXED | MODIFIER_STATE_INVISIBLE | MODIFIER_STATE_INVULNERABLE | MODIFIER_STATE_MAGIC_IMMUNE | MODIFIER_STATE_PROVIDES_VISION | MODIFIER_STATE_NIGHTMARED | MODIFIER_STATE_BLOCK_DISABLED | MODIFIER_STATE_EVADE_DISABLED | MODIFIER_STATE_UNSELECTABLE | MODIFIER_STATE_CANNOT_MISS | MODIFIER_STATE_SPECIALLY_DENIABLE | MODIFIER_STATE_FROZEN | MODIFIER_STATE_COMMAND_RESTRICTED | MODIFIER_STATE_NOT_ON_MINIMAP | MODIFIER_STATE_NOT_ON_MINIMAP_FOR_ENEMIES | MODIFIER_STATE_LOW_ATTACK_PRIORITY | MODIFIER_STATE_NO_HEALTH_BAR | MODIFIER_STATE_FLYING | MODIFIER_STATE_NO_UNIT_COLLISION | MODIFIER_STATE_NO_TEAM_MOVE_TO | MODIFIER_STATE_NO_TEAM_SELECT | MODIFIER_STATE_PASSIVES_DISABLED | MODIFIER_STATE_DOMINATED | MODIFIER_STATE_BLIND | MODIFIER_STATE_OUT_OF_GAME | MODIFIER_STATE_FAKE_ALLY | MODIFIER_STATE_FLYING_FOR_PATHING_PURPOSES_ONLY | MODIFIER_STATE_TRUESIGHT_IMMUNE | MODIFIER_STATE_LAST:
					return statecmp;
				}

			}
			int eState = Getstate();
		}; //32 bits? define it above
		enum m_hReplicatingOtherHeroModel { eHandle };
		enum m_iUnitNameIndex { indexVpkHeroID };
		enum m_lifeState { lifestate }; // 0alive 1dying 2dead 3respawnable 4discard body
		enum m_iHealth {Health};
		enum m_iMaxHealth {MaxHealth};
		enum m_iHealthThinkRegen {HpRegen};
		enum m_iMana {Mana};
		enum m_iMaxMana {MaxMana};
		enum m_iManaThinkRegen {MpRegen};
		enum m_bIsAncient {Flag};//1 ancient-type 0 not
};
};

@heyimrendy I do not see anything other than text, is that something I should google? or did you attach a file? I cant see it if so, maybe LWSS has access to it but not I

-interesting function name.....

virtual void AllowAdditionalMessageRegistration(bool allow) = 0;

[lol98xlol98]

@LWSS

does this seem right?

I had to typecast a ClientClass object as datamap to get it to compile here.... so I dont know how I am going to work around this typecasting error which is causing my crashes.
where xXx is a datamap ... but i want to populate it with the information from
ClientClass's Recv table.
Should i do a memcpy or something? but if I do that, I don't think I will get the proper results from the scan as addy+offset.

I tried to init xXx prior and was getting compiler errors saying i overloaded it (hence the // first line of the function)
God I wish I could just get your routine to work for me lol. itd make this shit a lot easier.
But I don't quite understand your netvars wrapper, so I am having trouble trying to port it over. (As compared to the shit in the dotkalib sdk, which is a little more legible. plus I cant do attribute packed on win7x64 in vs2017 so im unable to just copy your netvars routine into my source.

Datamap* xXx = (Datamap*)Clientobject->Schema;
EDIT: confirmed it is the above line of code crashing me

unsigned int ReplicatingAddy() 
			{
			//Datamap* xXx = 0;
				ClientClass* Clientobject;
				Datamap* xXx = (Datamap*)Clientobject->Schema;
				int numberOfTablesOrFields = xXx->numFields;
				auto mapbase = xXx->baseMap;
				TypeDescription* typeDEscription = xXx->dataDesc;
				auto className = xXx->className;
				for (; numberOfTablesOrFields < numberOfTablesOrFields + 1; )
				{
					reinterpret_cast <ClientClass *> (mapbase->numFields)->m_pNext;
					if (typeDEscription->fieldName == "DT_DOTA_BaseNPC_Hero")
					{
						auto BaseofHeroMap = mapbase;
						auto FieldsHeroMap = (Datamap*)mapbase->numFields;
						TypeDescription* herobaseT = mapbase->dataDesc;
						for (; FieldsHeroMap < FieldsHeroMap + 1; )
						{
							reinterpret_cast <ClientClass *> (BaseofHeroMap->numFields)->m_pNext;
							if (herobaseT->fieldName == "m_hReplicatingOtherHeroModel")
							{
								unsigned int addy = 0x00000000;
								unsigned int offset = 0x0;
								addy = reinterpret_cast <unsigned int>(typeDEscription->flatOffset);
								offset = reinterpret_cast <unsigned int>(herobaseT->flatOffset);
								return(addy + offset);
							}
						}
					}
				}

			}

fuck it i just changed the type in the clientclass for schema to datamap* ill see if it works later it allowed me to simply type it without casting anything.
xXx=Clientobject->Schema;

ill test it out later or tomorrow.
Failed, but anyhow
Can you give me some info on hooking into the recvtable

I think its a datamap setup like
find your index (ie DT_blah_Hero)
Then using that as a base Find the next element (IS m_Ivisiblebyenemyteam / isreplicating blah blah)

Ive tried writing my own crawler. Ive tried using the creator of dotkas crawler he had . Ive tried implimenting a scan through his clientbase table, and ive tried(unsucessfully) porting your netvars to win64 on win7.

Any help would be highly appreciated!!! Im getting so frustrated I am losing it :(

[LWSS]

might be a bit different on windows, do you have reclass.net? Just try pointing it at a raw datamap pointer, that's what I did to map it out. Reclass will show you the exact memory.

First you need to get entity list, grab an ent, call the vfunc for C_DOTAPlayer__GetPredDescMap, it might be 1 off for windows because I heard it only has 1 virtual destructor. Print that pointer out printf("datamap @%p\n", entity->C_DOTAPlayer__GetPredDescMap());, put that address into reclass and it should be easy from there.

[lol98xlol98]

• Also I found a network variable which may be of interest, I am unsure if it has to do with camhack detection, but looking around at the references and how I found it, it may just be. I started from

.rdata:00000001819AAE50 aMHclickeffect db 'm_hClickEffect',0 ; DATA XREF: .data:off_1827656B0↓o .data:00000001827656B0 off_1827656B0 dq offset aMHclickeffect .data:00000001827656B0 ; DATA XREF: .data:00000001827D8BD8↓o .data:00000001827656B0 ; "m_hClickEffect"

And along the way through the many routines I landed in an area containing this...... IDk if its for minimap or what, havent had much time to look into it. But it seems as if it may be of use to detect vision beyond normal radius

.data:000000018270E698                 dq offset off_18179CD38
.data:000000018270E6A0                 dq offset aMBuseoffscreen ; "m_bUseOffScreenIndicator"
.data:000000018270E6A8                 db  0Ch

• I been looking through the interfaces, and the data. Sifting looking for what I need. I found a few unreferenced functions(maybe script engine?) which may be of use to handle crawling their netvars datamap. IVe got a mess of a notes.txt right now. Ill have to do serious digging later.

I am trying to fuck around in ida and see if I can find the difference in enemy illusion and team illusion and just hook the jumptable to always draw illusions as default.

I redownloaded ida as of last night and let it run to analyze the code. Lots of useful information.
Now I gotta find the shit in olly so I can modify it and save an edited dll. to test with. As Im too lazy to hook the jmptables in my dll first, thatll come afterwards if it works.

IDA wont allow you to modify and save the file will it? I can't remember if it has that feature. I think I always had to go to an external debugger to do that.

and as far as the datamaps I did find a few things in the client, why would they leave this in? ```

.rdata:00000001817A8B68 aDatadescschema db 'DataDescSchemaInit',0
.rdata:00000001817A8B80 aVStrcmpPdatama db 'V_strcmp( pDataMap->dataClassName, pCodeClass ) == 0',0
.rdata:00000001817A8B80
.rdata:00000001817A8BB8 a810 db '810',0
rdata:00000001817A8BC0 aEntityClassSDo db 'Entity class %s does not have its own datadesc (uses %s)',0Ah,0
rdata:00000001817A8C00 aOwnername db 'ownername',0
rdata:00000001817A8C10 aSSetkinematicC db '%s:SetKinematic(CVariant::type=%s) expected bool argument',0Ah,0
.rdata:00000001817A8C4C aImpact db 'Impact',0

[LWSS]

yeah you can make changes in IDA, but it's cumbersome. It's under Edit->Patch Program.

m_bUseOffScreenIndicator i dont know any more than u do

why would they leave this in? Just for error checking, they have c macros that output the function name and stuff.

[lol98xlol98]

I think the logging function can be overflowed. as well.
What all triggers the logging routines? (crashes I know)

The minidump writing routine may be a very targetable system as an attack vector to try to make an RCE exploit with priv escalation.
Im pretty sure steam has a flaw for priv escalation that is working right now.
And if a crash could be caused with a proper payload for that minidump logger, then it could also incorporate a flaw in steam, and get admin priv's and code execution.
Just a thought. I don't intend to pursue it, but I am pretty sure it's more than possible I'd be willing to bet on it.

I may try to track down
seg007:019DBCEE aPrepareunitord_0 db 'PrepareUnitOrders',0
It's part of the scripting system now(from what I can tell), and the memory behaves like it is a virtual machine. It's a bit much to dig through. I may eventually do it though.

I think dota devs took a good long read over this
https://github.com/Droogans/unmaintainable-code?fbclid=IwAR2_UemOMCj7v1XcsgVTFhUqiRc-IuAzATpDgXUEngDuYwnsxCb2nQQEqks

[Terno-123123]

Wow