A Bunnyhop hack for Counter Strike: Source written in Rust. Nothing special new about anything in terms of game hacking, but more of a project for me to get a first feeling for the Rust workflow.
Inject the generated libbhop.so shared library into the hl2_linux process
using your favorite injection method, e.g. use of LD_PRELOAD:
Most simple way is to add an export inside Steams boostrap hl2.sh.
~/.steam/debian-installation/steamapps/common/Counter-Strike Source:
export LD_PRELOAD=/path/to/libbhop.so
After you started Counter Strike, you should see the following output on the internal game console:
client.so @ 0xcb666000
do_jump_scan @ 0xcbd079d6
leave_ground_scan @ 0xcba72360
on_ground_land_scan @ 0xcba72220
DO_JUMP @ 0xcc2544e8
BHOP initialized
At this point the Bunnyhop hack is initialized an ready.
Keep the SPACE key pressed to see the effects.
As the hl2_linux binary and it's libraries are compiled as ELF 32-bit files
for the i686 architecture, we need to provide our own library in the same
format. So if you are on a x86_64 system, you will need to cross compile the
library.
- Setup a i686 build environment
See also: https://rust-lang.github.io/rustup/cross-compilation.html
rustup target add i686-unknown-linux-musl - Install all dependencies, for Ubuntu
sudo dpkg --add-architecture i386 sudo apt-get update sudo apt-get install \ libc6-dev:i386 \ gcc:i386 \ libinput-dev:i386 \ libx11-dev:i386 \ libxtst-dev:i386 \ musl-tools # And maybe more libraries are required # I don't have the full install log anymore :( - After that you should be able to run a cargo build
export PKG_CONFIG_SYSROOT_DIR="/usr/lib/i386-linux-gnu/" RUSTFLAGS="-C target-feature=-crt-static" cargo build --target i686-unknown-linux-musl - Don't blame me if it's not compiling
Since patterns tend to break over time it is helpful to know on how to find outdated game functions again.
Tools used: GDB & your favorite memory scanning tool.
Used to execute the ingame jump. Known memory values are
DO_JUMP=4 and DO_JUMP=5 (jump). Basically, you just have to use your memory
scanning tool and scan for 4 or 5 depending if you are jumping or not.
After we found the memory address, we need to find a user (code) inside the
process that is pointing to this memory address. Simply go with GDB and
set a watchpoint on the content of this memory address, e.g.: watch *<addr>.
A jump should trigger the GDB watchpoint and points you to some (code) users.
From here on you can start and rebuild your new pattern.
There is a memory address that comes with the values 0 or 1 which tells
us if we are currently on the ground or not (ON_GROUND=1/0).
Find the location and use the same watchpoint method as described above.
GDB triggers twice on this location: After jumping/leaving the ground and
if you come back again. Now you know your hook locations.