 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
iisv3in
How do I cheat?
![]() Reputation: 0
Joined: 29 Oct 2006
Posts: 7
|
 Posted: Tue Nov 18, 2008 9:53 pm Post subject: C++ Help - Can't write memory from injected dll. [solved] |
 |
|
When injected into Gunbound and I press F1 and the messagebox comes up, but it wont write to the addresses. Works on minesweeper. Anyone know why its not working on gunbound or a method that does?
edit: calling VirtualProtect on the addys does not work either.
| Code: |
#include <windows.h>
#include <iostream>
using namespace std;
void addy()
{
while(1)
{
if(GetAsyncKeyState(VK_F1))
{ //poweruser addys
//*(BYTE*)0x01005194 = 10;//minesweepertest
*(BYTE*)0x00913C10 = 0;
*(BYTE*)0x00913C80 = 0;
MessageBox(NULL, "Called!", "gb", MB_OK + MB_ICONINFORMATION);
Sleep(500);
}
Sleep(500);
}
}
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
if( ul_reason_for_call == DLL_PROCESS_ATTACH )
{
MessageBox(NULL, "Injection Sucess!", "gb", MB_OK + MB_ICONINFORMATION);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)addy, 0, 0, 0);
}
return true;
} |
Last edited by iisv3in on Tue Nov 25, 2008 2:19 pm; edited 1 time in total |
|
| Back to top |
|
 |
sponge
I'm a spammer
 Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Tue Nov 18, 2008 10:53 pm Post subject: |
|
|
VirtualProtect()
_________________
|
|
| Back to top |
|
|
sphere90
Grandmaster Cheater
 Reputation: 0
Joined: 24 Jun 2006
Posts: 912
|
| Posted: Tue Nov 18, 2008 10:57 pm Post subject: |
|
|
| Hook VirtualProtect/VirtualProtectEx so that each time GG calls it, the access protection memory page is changed to PAGE_EXECUTE_READWRITE.
|
|
| Back to top |
|
|
b6ooy
Grandmaster Cheater
![]() Reputation: 0
Joined: 21 Sep 2006
Posts: 653
|
| Posted: Wed Nov 19, 2008 5:42 am Post subject: |
|
|
I dont think the memory region of that address protected for GB , its only protected from 400000 to about 580000 .
the address 00913C10 is it for GIS ?
|
|
| Back to top |
|
|
iisv3in
How do I cheat?
![]() Reputation: 0
Joined: 29 Oct 2006
Posts: 7
|
| Posted: Wed Nov 19, 2008 9:48 am Post subject: |
|
|
| b6ooy wrote: | I dont think the memory region of that address protected for GB , its only protected from 400000 to about 580000 .
the address 00913C10 is it for GIS ? |
It's protected somehow  00913C10/00913C80 is GBNA's current poweruser address.
|
|
| Back to top |
|
|
b6ooy
Grandmaster Cheater
![]() Reputation: 0
Joined: 21 Sep 2006
Posts: 653
|
| Posted: Thu Nov 20, 2008 3:57 am Post subject: |
|
|
| iisv3in wrote: | | b6ooy wrote: | I dont think the memory region of that address protected for GB , its only protected from 400000 to about 580000 .
the address 00913C10 is it for GIS ? |
It's protected somehow 00913C10/00913C80 is GBNA's current poweruser address. |
protected ?
then the problem was solved by sphere90 ..
you may used VirtualProtectEx wrongly , you must bypass the hook by 5 bytes trampoline before calling the function because it is hooked by gameguard .
|
|
| Back to top |
|
|
iisv3in
How do I cheat?
![]() Reputation: 0
Joined: 29 Oct 2006
Posts: 7
|
| Posted: Sun Nov 23, 2008 5:17 pm Post subject: |
|
|
| b6ooy wrote: |
then the problem was solved by sphere90 ..
you may used VirtualProtectEx wrongly , you must bypass the hook by 5 bytes trampoline before calling the function because it is hooked by gameguard . |
Using a hookhop does not work for me for some reason.
| Code: | static const FARPROC VPX = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtectEx")+5);
DWORD oldp = 0;
PDWORD oldprot = &oldp;
#define JMP(frm, to) (int)(((int)to - (int)frm) - 5);
DWORD dwBytesWritten;
_declspec(naked) BOOL WINAPI FixMemEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) {
_asm {
mov edi,edi
push ebp
mov ebp,esp
jmp VPX
}
} |
I also tried to hook VirtualProtect/Ex but for some reason I get an unhandled exeption when my program reaches DetourFunction()
| Code: |
typedef BOOL ( WINAPI* VirtualProtect_t)( LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect );
typedef BOOL ( WINAPI* VirtualProtectEx_t)( HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect );
BOOL WINAPI nVirtualProtect( LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect )
{
return pVirtualProtect(lpAddress,dwSize,flNewProtect,lpflOldProtect);
}
BOOL WINAPI nVirtualProtectEx ( HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect )
{
return pVirtualProtectEx(hProcess,lpAddress,dwSize,flNewProtect,lpflOldProtect);
}
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
if( ul_reason_for_call == DLL_PROCESS_ATTACH )
{
pVirtualProtect = ( VirtualProtect_t )DetourFunction(
( BYTE* )VirtualProtect,
( BYTE* )nVirtualProtect );
}
return TRUE;
}
|
|
|
| Back to top |
|
|
BanMe
Master Cheater
![]() Reputation: 0
Joined: 29 Nov 2005
Posts: 375
Location: Farmington NH, USA
|
| Posted: Mon Nov 24, 2008 12:26 pm Post subject: |
|
|
| Code: |
typedef BOOL ( WINAPI* VirtualProtect_t)( LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect );
VirtualProtect_t VPX = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtectEx")+5);
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push VPX
pop edx
jmp edx
}
|
|
|
| Back to top |
|
|
iisv3in
How do I cheat?
![]() Reputation: 0
Joined: 29 Oct 2006
Posts: 7
|
| Posted: Mon Nov 24, 2008 10:40 pm Post subject: |
|
|
| BanMe wrote: | | Code: |
typedef BOOL ( WINAPI* VirtualProtect_t)( LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect );
VirtualProtect_t VPX = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtectEx")+5);
__asm
{
mov edi,edi
push ebp
mov ebp,esp
push VPX
pop edx
jmp edx
}
|
|
Thanks for this but I'm horrible with asm. What does edx hold here?
I know that this ends up at VirtualProtectEx+5 because I set a breakpoint in olly but this still does not work to set the access rights on gunbound =[
|
|
| Back to top |
|
|
&Vage
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Jul 2008
Posts: 1053
|
| Posted: Mon Nov 24, 2008 10:46 pm Post subject: |
|
|
| Code: |
static const FARPROC VPX = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtect")+5);
_declspec(naked) BOOL WINAPI FixMem(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) {
_asm {
mov edi,edi
push ebp
mov ebp,esp
jmp VPX
}
}
BOOL _FixMem(void *Addr){
return FixMem(Addr, 0x5, PAGE_EXECUTE_READWRITE, NULL);
}
|
Call the function like... _FixMem((void*)0x00400100);
|
|
| Back to top |
|
|
GMZorita
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 21 Mar 2007
Posts: 1361
|
| Posted: Tue Nov 25, 2008 5:34 am Post subject: |
|
|
| _void_ wrote: | | Code: |
static const FARPROC VPX = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtect")+5);
_declspec(naked) BOOL WINAPI FixMem(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) {
_asm {
mov edi,edi
push ebp
mov ebp,esp
jmp VPX
}
}
BOOL _FixMem(void *Addr){
return FixMem(Addr, 0x5, PAGE_EXECUTE_READWRITE, NULL);
}
|
Call the function like... _FixMem((void*)0x00400100); |
Eww 5 bytes?
| Code: |
static const FARPROC VPX = (FARPROC)((DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualProtect")+5);
_declspec(naked) BOOL WINAPI FixMem(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect) {
_asm {
mov edi,edi
push ebp
mov ebp,esp
jmp VPX
}
}
BOOL _FixMem(){
return FixMem(0x401000, 0x400000, PAGE_EXECUTE_READWRITE, NULL);
void WINAPI FixMemThread() {
for (;;) {
_FixMem();
Sleep(2000);
}
}
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)FixMemThread,NULL,NULL,NULL); |
[code]
_________________
Gone |
|
| Back to top |
|
|
iisv3in
How do I cheat?
![]() Reputation: 0
Joined: 29 Oct 2006
Posts: 7
|
| Posted: Tue Nov 25, 2008 6:25 am Post subject: |
|
|
Big thanks to everyone that helped me out.
Problem solved. Turns out Injec-TOR will not work for injecting .dll into gunbound.gme. No matter if I pick the first or second gunbound.gme its not the right process.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
