| View previous topic :: View next topic |
| Author |
Message |
redhead
Cheater
![]() Reputation: 0
Joined: 21 Mar 2007
Posts: 47
|
 Posted: Sat Aug 30, 2008 4:17 am Post subject: Is there a way to jump into ingame code without injection? |
 |
|
Hi,
I know I can make a dll, use inline asm (c++) to make a jump into an ingame function, for example 0x12341234 and then inject the dll.
But is there a way to do this without any injection?
Something like SendMessage or smth.?
I'm trying to make a bot without any injection.. |
|
| Back to top |
|
 |
Slugsnack
Grandmaster Cheater Supreme
![]() Reputation: 71
Joined: 24 Jan 2007
Posts: 1857
|
| Posted: Sat Aug 30, 2008 4:25 am Post subject: |
|
|
If you get the address of the function and it takes one or less parameters then you can use CreateRemoteThread to call it externally I guess.
If you are trying to make a bot, you can use PostMessage without the need to use any injection or DLL at all. |
|
| Back to top |
|
|
samuri25404
Grandmaster Cheater
 Reputation: 7
Joined: 04 May 2007
Posts: 955
Location: Why do you care?
|
| Posted: Sat Aug 30, 2008 10:28 am Post subject: |
|
|
WriteProcessMemory?
_________________
|
|
| Back to top |
|
|
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
| Posted: Sat Aug 30, 2008 12:32 pm Post subject: |
|
|
um...
If u want the dll to jump to an ingame function u can use: (C++)
asm
{
jmp [whereverthefunctionis]
}
If not a dll. Create A Remote Thread into the process and do that ^ |
|
| Back to top |
|
|
Symbol
I'm a spammer
![]() Reputation: 0
Joined: 18 Apr 2007
Posts: 5094
Location: Israel.
|
| Posted: Sat Aug 30, 2008 1:29 pm Post subject: |
|
|
| dnsi0 wrote: | um...
If u want the dll to jump to an ingame function u can use: (C++)
asm
{
jmp [whereverthefunctionis]
} |
Yes, he can use it if he want to crash, or use "call" instead. |
|
| Back to top |
|
|
jackyyll
Expert Cheater
![]() Reputation: 0
Joined: 28 Jan 2008
Posts: 143
Location: here
|
| Posted: Sat Aug 30, 2008 1:36 pm Post subject: |
|
|
| Symbol wrote: | | dnsi0 wrote: | um...
If u want the dll to jump to an ingame function u can use: (C++)
asm
{
jmp [whereverthefunctionis]
} |
Yes, he can use it if he want to crash, or use "call" instead. |
But since he doesn't want to inject a DLL, he cant  |
|
| Back to top |
|
|
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
| Posted: Sat Aug 30, 2008 1:38 pm Post subject: |
|
|
| CreateRemoteThread??? |
|
| Back to top |
|
|
redhead
Cheater
![]() Reputation: 0
Joined: 21 Mar 2007
Posts: 47
|
| Posted: Sun Aug 31, 2008 10:50 am Post subject: |
|
|
Never used CreateRemoteThread before, I tried : (but it not worked ofc.)
| Code: | | CreateRemoteThread(hopen,NULL,NULL,0x411109,NULL,NULL,NULL) |
this code didn't compile.
It compiles, if I change it abit: (but I don't really know, what I'm doing here)
| Code: | | CreateRemoteThread(hopen,NULL,NULL,(LPTHREAD_START_ROUTINE)0x411109,NULL,NULL,NULL) |
That compiles, but it doesn't work.
GetLastError() tells me, error 5.
Already did LoadSeDebug.
0x411109 is hopefully the ptr of the function.
At least it worked, when I called it with code injection via ollydbg.
I think I'm useing CreateRemoteThread wrong, but how to use it correctly? |
|
| Back to top |
|
|
hcavolsdsadgadsg
I'm a spammer
![]() Reputation: 26
Joined: 11 Jun 2007
Posts: 5801
|
| Posted: Sun Aug 31, 2008 11:10 am Post subject: |
|
|
You have to create the function that acts as your thread.
You obviously want it to call 0x00411109... so... |
|
| Back to top |
|
|
redhead
Cheater
![]() Reputation: 0
Joined: 21 Mar 2007
Posts: 47
|
| Posted: Sun Aug 31, 2008 11:25 am Post subject: |
|
|
whoops, I'm an idiot.
I open'd the process without the access to create a thread in it..
create_all_access worked fine.
Thx  |
|
| Back to top |
|
|
nog_lorp
Grandmaster Cheater
 Reputation: 0
Joined: 26 Feb 2006
Posts: 743
|
| Posted: Sun Aug 31, 2008 11:27 am Post subject: |
|
|
The function you want to call may not match the function signature of LPTHREAD_START_ROUTINE, meaning it may fuck the stack when you use CreateRemoteThread on it. You are best off finding a codecave in the target process and writing a stub there that will handle the arguments and stack issues then call the target function. Then CreateRemoteThread that will originate there. You can then place an ExitThread call at the end to handle it nicely.
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish |
|
| Back to top |
|
|
jackyyll
Expert Cheater
![]() Reputation: 0
Joined: 28 Jan 2008
Posts: 143
Location: here
|
| Posted: Sun Aug 31, 2008 2:46 pm Post subject: |
|
|
| nog_lorp wrote: | | The function you want to call may not match the function signature of LPTHREAD_START_ROUTINE, meaning it may fuck the stack when you use CreateRemoteThread on it. You are best off finding a codecave in the target process and writing a stub there that will handle the arguments and stack issues then call the target function. Then CreateRemoteThread that will originate there. You can then place an ExitThread call at the end to handle it nicely. |
Shouldn't need the ExitThread, should he? Wont the thread exit on return? |
|
| Back to top |
|
|
nog_lorp
Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006
Posts: 743
|
| Posted: Mon Sep 01, 2008 2:52 am Post subject: |
|
|
True. I thought ExitThread would lead to nicer cleanup than just letting it return, but I was wrong, threads called with CreateThread return to kernel32.7C80B683 which is immediately followed with a call to ExitThread.
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish |
|
| Back to top |
|
|
BanMe
Master Cheater
![]() Reputation: 0
Joined: 29 Nov 2005
Posts: 375
Location: Farmington NH, USA
|
| Posted: Mon Sep 01, 2008 2:39 pm Post subject: |
|
|
this method would work much more nicely 
psuedo code
| Code: |
SuspendThread()
GetContextThread()
Modify Context
FlushInstructionCache(Modified Registers and Eip)
SetContextThread()
ResumeThread()
|
greets BanMe |
|
| Back to top |
|
|
redhead
Cheater
![]() Reputation: 0
Joined: 21 Mar 2007
Posts: 47
|
| Posted: Tue Sep 02, 2008 10:33 am Post subject: |
|
|
| Quote: | Modify Context
GetContextThread()
SetContextThread() |
didn't find something really usefull @msdn / google.
An explanation would be nice |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
