I know SuprNovaAO put this in his bypasser, but his was a memhack, not a hook.

Also, renaming sv_pure does not do anything, because there's background code that checks the server, not if the local CVar sv_pure is set.

Anyway to do that?

Turn off sv_cheat check for achievements (JMP):

DWORD dwJMPSigScan = gMemoryTools.dwFindPattern( (DWORD)gBaseAPI.GetModuleHandleSafe( "client.dll" ), 0x463000, (BYTE*)"\x74\x3A\x8B\x0D\x00\x00\x00\x00\x83\x79\x30\x00", "xxxx????xxxx");

Turn off sv_pure (JMP):

DWORD dwPure = gMemoryTools.dwFindPattern( (DWORD)gBaseAPI.GetModuleHandleSafe( "engine.dll" ), 0x2A5000, (BYTE*)"\x74\x42\x68\x00\x00\x00\x00\x50", "xxx????x");

Yes, check the CAchievementMgr in the Mac binaries -> Find a nicely named virtual function -> ...

I hooked CAchievementMgr using g_pEngine->GetAchievementMgr() and there's only these functions:

AwardAchievement
DownloadUserData
EnsureGlobalStateLoaded
GetAchievementByID
GetAchievementByIndex
GetAchievementCount
InitializeAchievements
OnMapEvent
SaveGlobalStateIfDirty

I see the private member bool m_bCheatsEverOn in the header. How do I force it to be false?

Get a pointer to CAchievementMgr,
start debugger,
look at memory at CAchievementMgr,
Set cheats -> 1,
See what changes,
Compute offset (&var - baseptr),
change sv_cheats callback or BP this data to see what changes it, etc, etc, etc, etc, etc. I think.
LOL MISSED ONE: CAchievementMgr::WereCheatsEverOn(void)
(you should PROBABLY return false ;D) byte ptr [eax+227h] for mac... but you're better off hooking this function.

The way SuprNovaAO did his, and currently works, is he found where it was calling the "This achievement is blah blah" and backtraced, until he found a JE that when he made it always JMP, it would give you the achievement if you did or didn't have cheats on.

I made a sig for it:


DWORD dwJMPSigScan = gMemoryTools.dwFindPattern( (DWORD)gBaseAPI.GetModuleHandleSafe( "client.dll" ), 0x463000, (BYTE*)"\x74\x3A\x8B\x0D\x00\x00\x00\x00\x83\x79\x30\x00", "xxxx????xxxx");

EDIT: I did not miss that one. I wrote down each function that came up.

You can just force that m_bCheatsEverOn every frame so you don't have to spent time on hooks that *might* be detected by some anticheat (other than VAC).

I'm just too lazy to go reversing all that shit when I can just use SuprNovaAO's idea that's been working forever.

Sig for pure:

DWORD dwPure = gMemoryTools.dwFindPattern( (DWORD)gBaseAPI.GetModuleHandleSafe( "engine.dll" ), 0x2A5000, (BYTE*)"\x74\x42\x68\x00\x00\x00\x00\x50", "xxx????x");

void __fastcall Hooked_AchievementMgr(void* thisptr, int edx, float frametime)
{
vmtmanager* pHook = vmtmanager::GetOrCreateHook(thisptr);
pHook->GetMethod<::AchievementMgrUpdateFn>(OFFSET_AchievementMgrUpdate)(thisptr, frametime);

*((BYTE *)thisptr + 507) = 0;
}
Finally implementation, CAchievementMgr inherits from a bunch of things, but is defined in the SDK so:
#define OFFSET_AchievementMgrUpdate 15
typedef void (__thiscall* AchievementMgrUpdateFn)(void*, float frametime);

IAchievementMgr* pAch = engine->GetAchievementMgr();
CAchievementMgr* cAch = dynamic_cast<CAchievementMgr*>(pAch);
vmtmanager* pAchievementHook = vmtmanager::GetOrCreateHook(cAch, /*OFFSET_AchievementMgrVtable*/ 0);
pAchievementHook->HookMethod(TF2::Hooked_AchievementMgr, OFFSET_AchievementMgrUpdate);
Test scenario: (sv_lan 1 servers disable achievements in another fasion)
Bypass sv_cheats via renaming
set renamed sv_cheats to 1
Use scout to kill enemy -> No message == success -> recording stats with cheats on. I was told this is a good test case.

It's not working using P47R!CK's VMT hook.

IAchievementMgr* pAch = g_pEngine->GetAchievementMgr();
CAchievementMgr* cAch = dynamic_cast<CAchievementMgr*>(pAch);
g_pAchievHook = new CVMTHookManager( (PDWORD*)cAch );
g_pAchievHook->dwHookMethod( ( DWORD )Hooked_AchievementMgr, 15 );

It crashes at New CVMTHook.

Sorry to bump an old thread, but I just wanted to say that for the Hooked_AchievementMgr, just have it do nothing inside the hook, and bWasCheatsEverOn will not get set.