[CODE][TF2] Obtain appSystemFactory, clientFactory and pGlobals on the fly

[Syran0]

bool CTF2::Init(HMODULE hEngine)
{
        DWORD dwClientDLL_Init = NULL;
        char szClientDLL_InitSig[] = "\x56\xE8\xFA\x71\x01\x00\x83\x3D\x5C\x99\x22\x0D\x00\x8B\x35\x64\xA5\x11\x0D\x0F\x84\x93\x01\x00\x00\x68\xDC\x8C\x13\x0D\xFF\xD6";
        char szClientDLL_InitMsk[] = "xx????xx????xxx????xx????x????xx";

        dwClientDLL_Init = gMem.FindPattern(((DWORD)hEngine + 0xBA340), 0x00617000, (PBYTE)szClientDLL_InitSig, szClientDLL_InitMsk);
        if(dwClientDLL_Init == NULL) return FALSE;

        CreateInterfaceFn appSystemFactory = NULL;
        appSystemFactory = (CreateInterfaceFn)*(DWORD*)*(DWORD*)(dwClientDLL_Init + 0x21);
        if(appSystemFactory == NULL) return FALSE;

        DWORD ppClient = *(DWORD*)(dwClientDLL_Init + 0x27);
        if(ppClient == NULL) return FALSE;
        pClient = (IBaseClientDLL*)*(DWORD*)ppClient;
        if(pClient == NULL) return FALSE;

        CreateInterfaceFn clientFactory = NULL;
        clientFactory = (CreateInterfaceFn)*(DWORD*)(ppClient - 0x8);

        DWORD ppGlobals = *(DWORD*)(*(DWORD*)*(DWORD*)pClient + 0x39);

        return TRUE;
}

 

 

 

 

 

 

 

 

 

 

 

 

CreateInterfaceFn GetAppSystemFactory()
{
BYTE* sig = (BYTE*)"\x8B\x44\x24\x04\x8B\x08\x8B\x50\x04\x89\x0D\x00\x00\x00\x00\x89\x15\x00\x00\x00\x00\xC3";
char* mask = "xxxxxxxxxxx????xx????x";
DWORD func = gMemory.dwFindPattern( (DWORD)GetModuleHandle("client.dll"), 0x62b000, sig, mask );
CreateInterfaceFn* address = (CreateInterfaceFn*) func + 0xB;
return *address;
}