not working crit hack

src/crits.cpp

@@ -11,6 +11,8 @@
 #include "copypasted/CSignature.h"
 #include <link.h>
 
+std::unordered_map<int, int> command_number_mod {};
+
 bool AllowAttacking() {
 	if (!hacks::shared::misc::crit_hack) return true;
 	bool crit = IsAttackACrit(g_pUserCmd);

src/crits.h

@@ -16,6 +16,12 @@ bool RandomCrits();
 bool WeaponCanCrit();
 bool IsAttackACrit(CUserCmd* cmd);
 
+#include "beforecheaders.h"
+#include <unordered_map>
+#include "aftercheaders.h"
+
+extern std::unordered_map<int, int> command_number_mod;
+
 //bool CalcIsAttackCritical(IClientEntity* weapon);
 
 

src/hack.cpp

@@ -167,6 +167,10 @@ void hack::Initialize() {
 	hooks::hkClient->HookMethod((void*)DispatchUserMessage_hook, hooks::offFrameStageNotify + 1);
 	hooks::hkClient->HookMethod((void*)IN_KeyEvent_hook, hooks::offKeyEvent);
 	hooks::hkClient->Apply();
+	hooks::hkInput = new hooks::VMTHook();
+	hooks::hkInput->Init((void*)g_IInput, 0);
+	hooks::hkInput->HookMethod((void*)GetUserCmd_hook, hooks::offGetUserCmd);
+	hooks::hkInput->Apply();
 	if (TF2) g_GlowObjectManager = *reinterpret_cast<CGlowObjectManager**>(gSignatures.GetClientSignature("C1 E0 05 03 05") + 5);
 	InitStrings();
 	hacks::shared::killsay::Init();
@@ -190,6 +194,7 @@ void hack::Shutdown() {
 	if (hooks::hkMatSurface) hooks::hkMatSurface->Kill();
 	if (hooks::hkNetChannel) hooks::hkNetChannel->Kill();
 	if (hooks::hkStudioRender) hooks::hkStudioRender->Kill();
+	if (hooks::hkInput) hooks::hkInput->Kill();
 	//if (hooks::hkCTFPlayer) hooks::hkCTFPlayer->Kill();
 	logging::Info("Unregistering convars..");
 	ConVar_Unregister();

src/hacks/Misc.cpp

@@ -48,6 +48,8 @@ bool C_TFPlayer__ShouldDraw_hook(IClientEntity* thisptr) {
 	}
 }
 
+static CatVar crit_hack_experimental(CV_SWITCH, "crit_hack_experimental", "0", "Experimental crit hack");
+
 void CreateMove() {
 	static bool flswitch = false;
 
@@ -73,7 +75,47 @@ void CreateMove() {
 
 	if (TF2C && tauntslide)
 		RemoveCondition(LOCAL_E, TFCond_Taunting);
-	if (!AllowAttacking()) g_pUserCmd->buttons &= ~IN_ATTACK;
+
+	if (crit_hack_experimental && TF2 && CE_GOOD(LOCAL_W) && (g_pUserCmd->buttons & IN_ATTACK)) {
+		IClientEntity* weapon = RAW_ENT(LOCAL_W);
+		if (vfunc<bool(*)(IClientEntity*)>(weapon, 1944 / 4, 0)(weapon)) {
+			static uintptr_t CalcIsAttackCritical_s = gSignatures.GetClientSignature("55 89 E5 83 EC 28 89 5D F4 8B 5D 08 89 75 F8 89 7D FC 89 1C 24 E8 ? ? ? ? 85 C0 89 C6 74 60 8B 00 89 34 24 FF 90 E0 02 00 00 84 C0 74 51 A1 ? ? ? ? 8B 40 04");
+			typedef void(*CalcIsAttackCritical_t)(IClientEntity*);
+			CalcIsAttackCritical_t CIACFn = (CalcIsAttackCritical_t)(CalcIsAttackCritical_s);
+			if (g_pUserCmd->command_number) {
+				int tries = 0;
+				int cmdn = g_pUserCmd->command_number;
+				bool chc = false;
+				while (!chc && tries < 4096) {
+					int md5seed = MD5_PseudoRandom(cmdn) & 0x7fffffff;
+					int rseed = md5seed;
+					float bucket = *(float*)((uintptr_t)RAW_ENT(LOCAL_W) + 2612u);
+					int& a = *(int*)((uintptr_t)(sharedobj::client->lmap->l_addr) + 0x01F8B228);
+					a = md5seed;
+					int c = LOCAL_W->m_IDX << 8;
+					int b = LOCAL_E->m_IDX;
+					rseed = rseed ^ (b | c);
+					*(float*)(weapon + 2856ul) = 0.0f;
+					RandomSeed(rseed);
+					chc = vfunc<bool(*)(IClientEntity*)>(weapon, 1836 / 4, 0)(weapon);
+					if (!chc) {
+						tries++;
+						cmdn++;
+					}
+				}
+				if (chc) {
+					logging::Info("Found crit at: %i, original: %i", cmdn, g_pUserCmd->command_number);
+					command_number_mod[g_pUserCmd->command_number] = cmdn;
+					//*(int*)(sharedobj::engine->Pointer(0x00B6C91C)) = cmdn - 1;
+				} else {
+					g_pUserCmd->buttons &= ~IN_ATTACK;
+				}
+				//if (!crits) *(float*)((uintptr_t)RAW_ENT(LOCAL_W) + 2612u) = bucket;
+			}
+		}
+	} else {
+		if (!AllowAttacking()) g_pUserCmd->buttons &= ~IN_ATTACK;
+	}
 
 	if (flashlight_spam) {
 		if (flswitch && !g_pUserCmd->impulse) g_pUserCmd->impulse = 100;

src/hooks.cpp

@@ -73,6 +73,7 @@ void hooks::VMTHook::Apply() {
 }
 
 //hooks::VMTHook* hooks::hkCTFPlayer = nullptr;
+hooks::VMTHook* hooks::hkInput = nullptr;
 hooks::VMTHook* hooks::hkClientMode = 0;
 hooks::VMTHook* hooks::hkPanel = 0;
 hooks::VMTHook* hooks::hkClient = 0;

src/hooks.h

@@ -39,7 +39,9 @@ extern VMTHook* hkNetChannel;
 extern VMTHook* hkClientDLL;
 extern VMTHook* hkMatSurface;
 extern VMTHook* hkStudioRender;
+extern VMTHook* hkInput;
 
+constexpr unsigned int offGetUserCmd = 8;
 constexpr unsigned int offShouldDraw = 136;
 extern unsigned int offHandleInputEvent;
 extern unsigned int offPaintTraverse;

src/hooks/hookedmethods.h

@@ -28,11 +28,13 @@ typedef void(LevelInit_t)(void*, const char*);
 typedef void(LevelShutdown_t)(void*);
 typedef void(BeginFrame_t)(IStudioRender*);
 typedef bool(*CanInspect_t)(IClientEntity*);
+typedef CUserCmd*(GetUserCmd_t)(IInput*, int);
 //typedef void(*CInput__CreateMove_t)(void*, int, float, bool);
 //void CInput__CreateMove_hook(void*, int sequence_number, float input_sample_frametime, bool active);
 bool CanInspect_hook(IClientEntity*);
 const unsigned int offCanInspect = 512;
 void BeginFrame_hook(IStudioRender*);
+CUserCmd* GetUserCmd_hook(IInput*, int);
 
 #include "CreateMove.h"
 #include "PaintTraverse.h"

src/hooks/others.cpp

@@ -17,6 +17,18 @@ bool CanPacket_hook(void* thisptr) {
 	return false;
 }
 
+CUserCmd* GetUserCmd_hook(IInput* thisptr, int sequence_number) {
+	CUserCmd* def = ((GetUserCmd_t*)(hooks::hkInput->GetMethod(hooks::offGetUserCmd)))(thisptr, sequence_number);
+	if (def && command_number_mod.find(def->command_number) != command_number_mod.end()) {
+		logging::Info("Replacing command %i with %i", def->command_number, command_number_mod[def->command_number]);
+		int oldcmd = def->command_number;
+		def->command_number = command_number_mod[def->command_number];
+		def->random_seed = MD5_PseudoRandom(def->command_number) & 0x7fffffff;
+		command_number_mod.erase(command_number_mod.find(oldcmd));
+	}
+	return def;
+}
+
 int IN_KeyEvent_hook(void* thisptr, int eventcode, int keynum, const char* pszCurrentBinding) {
 	SEGV_BEGIN;
 	if (g_pGUI->ConsumesKey((ButtonCode_t)keynum)) {