The Official Site of Cheat Engine
 
Get params values when hooking RtlHashUnicodeString

 
Forum: Cheat Engine Lua Scripting
unkown-dev
Joined: 11 Jun 2012
Posts: 6

Posted: Mon Jun 11, 2012 11:01 pm    Post subject: Get params values when hooking RtlHashUnicodeString

Hi,

I'm trying to hook into the ntdll RtlHashUnicodeString function so I can see the values of its parameters when it's called. I've been searching the forum, and I found some stuff that was useful for doing this, but unfortunately I'm having some problems.


First of all, here is some useful information about the function that I want to hook into:
Code:
NTSTATUS RtlHashUnicodeString(
  __in   PCUNICODE_STRING String,
  __in   BOOLEAN CaseInSensitive,
  __in   ULONG HashAlgorithm,
  __out  PULONG HashValue
);

and
Code:
typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;


And here is the Lua script that I'm using:

Code:

--[[

    Send Hook Example
    by atom0s [Wiccaan]

    (adapted here to break on RtlHashUnicodeString instead of send)

]]--

local Hook_Example = {}

function Hook_Example.Main( )
    -- Address of ntdll!RtlHashUnicodeString in the target process (hard-coded for this test).
    Hook_Example.sendPointer = 0x77CCDD37; -- getAddress( "77CCDD37" );

    -- Error checking..
    if( Hook_Example.sendPointer == nil ) or ( Hook_Example.sendPointer == 0 ) then
        showMessage( "Failed to hook RtlHashUnicodeString, possibly not imported by process." );
        return false;
    end

    -- Set debugger callback.
    debugger_onBreakpoint = Hook_Example.OnBreakpoint;

    -- Apply breakpoint on the function's first instruction.
    debug_setBreakpoint( Hook_Example.sendPointer );

    return true;
end

function Hook_Example.OnBreakpoint( )
    -- Skip if this is not our breakpoint.
    if( EIP ~= Hook_Example.sendPointer ) then
        return 1;
    end

    -- Obtain information from the call stack.
    -- stdcall on x86: [ESP] is the return address, [ESP+4] is the first argument.

    local addr = ESP + 4;
    local strLen = readBytes(addr, 2, false);
    local maxLen = readBytes(addr + 2, 2, false);
    local unicodestr = readString(addr + 4, 4000);

    local caseSens = readBytes(ESP + 8, 1, false);
    local hashAlg = readBytes(ESP + 12, 8, false);

    -- One-shot: remove the breakpoint after the first hit.
    debug_removeBreakpoint(Hook_Example.sendPointer);

    showMessage( string.format(
        "Len %d\nMaxLen %d\nAddress %08x\nString: %s\nCaseInsensitive: %d\nHashAlg: %d", strLen, maxLen , addr, unicodestr , caseSens, hashAlg
    ) );

    return 1;
end

Hook_Example.Main();


This code was based on a similar sample that I found here. It seems to be working, at least the breakpoint is working, so the code is being executed when the RtlHashUnicodeString function is called. The problem is that the 'strLen', 'maxLen' and 'unicodestr' parameter values are weird.

I was expecting some weird stuff in 'unicodestr', as it's a Unicode string, and I don't know if readString(..) knows how to handle it properly.

So if anyone here can point me in the right direction I would appreciate it; I really don't know what I'm doing wrong :/
Dark Byte
Site Admin
Joined: 09 May 2003
Posts: 25291
Location: The Netherlands

Posted: Mon Jun 11, 2012 11:18 pm

Your code:
Code:

local addr = ESP + 4;
local strLen = readBytes(addr, 2, false);
local maxLen = readBytes(addr + 2, 2, false);

String is a pointer to a UNICODE_STRING structure. That means that ESP+4 contains a pointer to that structure; it doesn't contain the structure itself.

Also, readBytes returns 2 distinct bytes, but you only store the first byte (usually not a problem).
It also seems I did not add a readWord, but that can be bypassed by using "value % 65536".

Try this instead:
Code:

local addr = readInteger(ESP + 4);            -- ESP+4 holds the pointer to the UNICODE_STRING
local strLen = readInteger(addr) % 65536;     -- USHORT Length (a byte count)
local maxLen = readInteger(addr + 2) % 65536; -- USHORT MaximumLength
local addressOfString = readInteger(addr+4)   -- PWSTR Buffer

local caseSens = readInteger(ESP + 8)         -- BOOLEAN CaseInSensitive
local hashAlg = readInteger(ESP + 12)         -- ULONG HashAlgorithm



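As an added, stand-alone illustration of Dark Byte's point (not code from this thread or from Cheat Engine itself): a small Python model of the memory reads a hook does at the breakpoint, with a constructed 32-bit stack frame and UNICODE_STRING. The addresses, the string contents and the read_* helper names are assumptions; CE's readInteger is modelled as a 4-byte little-endian read. It also shows why readString with a fixed maximum is the wrong way to fetch the text: Length counts bytes and the buffer need not be NUL-terminated.

```python
import struct

# Constructed 32-bit "process memory": a stack frame for a call to RtlHashUnicodeString
# and a UNICODE_STRING for "ntdll.dll". All addresses are made up for the demo.
ESP, STRUCT_ADDR, BUFFER_ADDR, TEXT = 0x0012FF00, 0x00201230, 0x00300040, "ntdll.dll"

def build_memory():
    mem = {}
    # Buffer: UTF-16LE, deliberately NOT NUL-terminated; junk follows the Length bytes.
    buf = TEXT.encode("utf-16-le") + b"\xAA\xBB"
    # UNICODE_STRING on x86: USHORT Length, USHORT MaximumLength, PWSTR Buffer (4 bytes).
    ustr = struct.pack("<HHI", len(TEXT) * 2, len(TEXT) * 2 + 2, BUFFER_ADDR)
    # Stack at the breakpoint (stdcall): [ESP] = return address, then the four arguments.
    stack = struct.pack("<IIIII", 0x77CC0000, STRUCT_ADDR, 1, 0, 0x0012FE00)
    for base, blob in ((ESP, stack), (STRUCT_ADDR, ustr), (BUFFER_ADDR, buf)):
        for i, b in enumerate(blob):
            mem[base + i] = b
    return mem

def read_bytes(mem, addr, count):
    return bytes(mem.get(addr + i, 0) for i in range(count))

def read_integer(mem, addr):            # models CE's readInteger: 4-byte little-endian
    return struct.unpack("<I", read_bytes(mem, addr, 4))[0]

def read_word(mem, addr):               # Dark Byte's readWord substitute
    return read_integer(mem, addr) % 65536

def read_unicode_string(mem, struct_addr):
    length = read_word(mem, struct_addr)
    max_length = read_word(mem, struct_addr + 2)
    buffer = read_integer(mem, struct_addr + 4)
    # Length counts BYTES and the buffer need not end in a NUL: read exactly Length bytes.
    text = read_bytes(mem, buffer, length).decode("utf-16-le")
    return {"Length": length, "MaximumLength": max_length, "Buffer": buffer, "String": text}

def hook_args(mem, esp):
    """Decode the arguments as seen at a breakpoint on the function's first instruction."""
    struct_addr = read_integer(mem, esp + 4)   # arg 1 is a POINTER to the UNICODE_STRING
    return {
        "String": read_unicode_string(mem, struct_addr),
        "CaseInSensitive": read_integer(mem, esp + 8) & 0xFF,   # BOOLEAN: low byte only
        "HashAlgorithm": read_integer(mem, esp + 12),
        "HashValue": read_integer(mem, esp + 16),               # out pointer, not a value
    }

def wrong_way(mem, esp):
    # The original script read ESP+4 as the struct itself: its "Length" is just the low
    # 16 bits of the String pointer, which is why the values looked weird.
    return read_word(mem, esp + 4)
```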
unkown-dev
Joined: 11 Jun 2012
Posts: 6

Posted: Tue Jun 12, 2012 10:44 pm

Dark Byte wrote:
Your code:
Code:

local addr = ESP + 4;
local strLen = readBytes(addr, 2, false);
local maxLen = readBytes(addr + 2, 2, false);

String is a pointer to a UNICODE_STRING structure. That means that ESP+4 contains a pointer to that structure; it doesn't contain the structure itself.

Also, readBytes returns 2 distinct bytes, but you only store the first byte (usually not a problem).
It also seems I did not add a readWord, but that can be bypassed by using "value % 65536".

Try this instead:
Code:

local addr = readInteger(ESP + 4);
local strLen = readInteger(addr) % 65536;
local maxLen = readInteger(addr + 2) % 65536;
local addressOfString = readInteger(addr+4)

local caseSens = readInteger(ESP + 8)
local hashAlg = readInteger(ESP + 12)


Thanks, it worked :)
I think coding late at night has some weird effects on me, as I had the info I needed, and I was still able to miss that ESP + 4 contained the structure pointer and not the structure itself.

Once again, thanks ;)