Cheat Engine

[FreewareFire]

Hey out there,

as my prevoiusly problem can not be solved i tried to find another solution.
My Problem is: The game i try to hack is updated regulary and with every Update my Base Address and my Pointers get broken. That's bad. I can't search 50 Values every 2 Weeks from scratch. My idea yet was to get into the called (asm) code and relocate the called code to my own memory address where i can read out the memory address i where looking for.

The asm code is
mov [rdi+00000188],rdx

The idea... replace the original code with my own to jmp to a new created memory place created with VirtualAlloc. But i'm confused. I can't really find an example what i had to do, btw. i'm unsure what's the best solution to achieve my goal. Another approach would be to inject my own dll and send the value from rdi to my trainer. But i'm not sure if that's possible.

Can someone give me a drive into the right direction? What's the best solution?

The best solution (i think) would be to grab the value from rdi to my trainer where i could use it then.

As mentioned i try to get that working with C#.

Thank you for any help, suggestions or codes

Btw this Forum is Great!

[ulysse31]

This can be done with DLL injection or with simple readprocmemory/writeprocmemory.
IF you chose DLL injection you can use pattern scanning to find your instruction :
https://www.youtube.com/watch?v=mKUSLJjlajg

inject dll
use pattern sig scan to get code address
allocate memory (from dll)
hook the original code found with pattern scan and redirect it to allocated memory, save edi somewhere, send the code back to its original location.

You could use code cave instead of memory allocation but your code would be less patch proof.

[FreewareFire]

@ulysse31

hmmm. Ok, that's what i thought, but how do i allocate memory to the game? I thought i can directly use VirtualAlloc from C# Source to allocate new memory (without inject a dll). If i understand correctly, VirtualAlloc allocates new memory in the game itself and i can access that new allocated memory address as it's returned by VirtualAlloc?. That's what i understand if i'm right (but also can crash the game too?). That's why i'm confused. What's with CreateRemoteThread? I don't really understand the different approaches really. If i use the VirtualAlloc version: Allocate new memory in the game, search for the byte pattern, replace the original code with a jmp condition to the new created memory (the returned address from VirtualAlloc) where i can store the original code, the value from edi and then jmp back to the original code... Correctly?

As it's a 64 bit game, i can't use fasm.net as it's 32 bit only... That's what i thought first

Difficult to me as i see only half solutions, no explainations - reading the past 2 days different Websites but had no idea what's the best solution.

Greets

[ulysse31]

Yes you can use VirtualAllocEx to allcoate memory inside the game from your own process.
VirtualAlloc can only allocate memory inside the calling process so only the injected dll could call that for the mentioned purpose.
If you inject a DLL you'll need to use CreateRemoteThreadEx to make the game start your dll, as mentioned in video.
If you chose not to inject a dll you can have the same result with virtualallocex and u wont need to use createremotethread. However the code will be ugly and the work won't resist patch that well (sort of).
I just think dll injection is better as you'll be able to use c# code from within the process which is fairly strong and cleaner than writing arrays of bytes to get them executed as code later.
Also in the video i linked both dll injection with createthread and pattern scanning are taken care off so thats like 60% of the work. All that's left for you to do is alloc memory, calculate the byte jumps and save edi.

NB : some WINAPIs have another version of themselves with "Ex" extension which means they can be used from a calling process A to operate on a process B, this is the case for virtualAlloc

[FreewareFire]

Ok, well i made a little step further. Now i'm able to use VirtualAllocEx to add memory. Also it returns me the memory address where VirtualAllocEx added the memory. Fine so far. But in fact it doesn't make any sense

What i was going to get is just the value of rdi.

mov [rdi+00000188],rdx

Do i really need to allocate memory, relocate the original code to it to store the value from rdi there? Isn't there a easier way to get just the value from rdi?

Also i can't get the idea with CreateRemoteThread. I can't find any example that makes sense to me. The value stored at rdi+00000188 is the money value. There's no base pointer i can catch so i thought it would be another try to get rdi. As said i use C#. Nearly everything is just C or C++ and the examples don't do anything - they just inject DLL but how do the game now to call my injected dll - and what should my dll do? I mean how can the injected dll read the value from rdi then... I've looked the video but he's just speaking about it, not showing it. It sounds so OP to me to just get a value

Do you or someone have some code or snippets to get me on the right track? I'm more and more confused as i read articles and viewing videos.

[ulysse31]

I'll poste you code (c++) that I wrote 2 years ago while hacking MMO, I was doing my first steps therefore it doesn't look good but does the job.
It gets game handle by name (Tera.exe), injects StealLoginKey.dll and retrieves login ticket (you ll get RDI).
get handle :

[FreewareFire]

Thank you so much! I'm gonna read it carefully to copy over to C#. The dll Part is the one i gonna research intensively

Very nice!!

[atom0s]

If you are injected into the target process, you do not need to use things like WriteProcessMemory/ReadProcessMemory/VirtualAllocEx and so on.

You can read and write memory simply via direct casting to addresses. Which removes a handful of overhead from the two API. (Plus additional calls to get other info that those APIs need.)

You can use VirtualAlloc instead of VirtualAllocEx as you are not targeting a remote process.

[FreewareFire]

Ok, what i got so far is: Alloc new memory and inject my DLL - as it's injected it shows a message box that it was successfull. Ok, that's really good

And now comes the part i don't get. How the hell can i now get the value from rdi? Let's say the code rdi+188 is at mem: 012345

What will i do now to tell my dll to get rdi from the loc 012345? If i'd understand right, i replace the original code at 012345 to store the value somewhere i can read it from. What i would try now:

create a dword, let's say myrdi, then goto 012345 and assemble the code to copy rdi value to myrdi. Would that work? Or i'm completly wrong here? I think i miss something fundamental but damn, i wanna understand that
Even my brain crashes

I believe i think to complicated

[atom0s]

In order to get a registers value you are going to have to create a code-cave and store the value as it passes through your own code, or you are going to have to use breakpoints to cause a breakpoint, read the thread information at the given instruction, then continue. (You can use exceptions and such to do this as well.)

[FreewareFire]

Hi, sorry for late response, was busy last days. I tried nearly everything i can imagine. But it seems i'm stucked. I can create a code cave using VirtualAllocEx from my process and can write to it. The problem i have is the correct jmp to the cave and back (can't figure it out). Problem is that it's a 64 bit game and the cave is created somewhere in the process. I don't get the correct code to jmp from the original code to the cave. As said i using C# - as i'm on 64 bit i'm not able to create the right jump to the cave and get back. Has someone a class or some code to help me out? I found some classes for 32 bit but not for 64 bit. Writing to memory itself isn't my problem as i created few easy trainers before, but not for 64 bit. I don't want to use dll injection as it makes no sense to me - or i'm just to stupid that i'm missing the advantages.

The easy one would as atom0s says: create code cave, jmp to it, store the value, jmp back to the original code and then just read the value i stored at the code cave... And again i thank everyone for his/her help !!

[atom0s]

Jumps and calls are calculated offsets, so you need to calculate the jump based on the position of the cave and the original code.

The jump from the original code to your cave will be calculated as:
CaveAddress - (Original Code Address + 5)
Adjust 5 as needed for the size of the jump.

The cave jump that has to return back to the original code would be done as:
ReturnAddress = (OriginalCodeAddress + 5) + NumberOfNopsNeeded
ReturnJump = ReturnAddress - (CaveAddress + (CaveSize + 5))
Adjust 5 as needed for the size of the jump.

When you create a jump, in some cases you will need to use nops to null out additional invalid code if your jump cuts into part of an instruction. So take into account how many are used when creating your jumps.

[ulysse31]

It is this part of the code :

[FreewareFire]

Let me show an example what i get when i do it in notepad:

Original code is at: 7FF656473CB0 (example what's outputted az my tests)
Code Cave is created at: 24C2DEC0000 via VirtualAllocEx

So when i calc the Jump it would be: FFFF8255D7A4C35E

Calculated like: (Cave - Originalcode) - 14

[ulysse31]

If you chose to use jmp qword ptr the first 6 bytes always are
"FF2500000000"
Followed by the virtual address so that means in this case no difference, just the address that will be interpreted as data (little endian) so shift bytes.
If you wanna jump to address 0x0123456789123456
then the full code is 14 bytes :
"FF25000000005634128967452301"
If you haven't understood it all, play with cheat engine and understand how jmps are made