gunminiho Expert Cheater
Reputation: 0
Joined: 15 Dec 2008 Posts: 144 Location: peru
Posted: Wed May 20, 2009 7:33 am
Post subject: AA and ASM
Well, I want to ask something about this, AutoAssembler scripts and ASM. Let's say I have this AA:
Code:
[Enable]
alloc(CSX,128)
label(CSXReturn)
CSX:
push eax
mov eax,[00a88d28]
mov eax,[eax+2350]
cmp eax,0000050
pop eax
jg CSXReturn
push eax
mov eax,[00a88d28]
mov eax,[eax+0F24]
cmp esi,eax
pop eax
jne CSXReturn
add eax,06
jmp CSXReturn
CSXReturn:
mov [ebx], eax
mov edi,[ebp+10]
jmp 008A52A7
008A52A2:
jmp CSX
I want to ask how I write this in Delphi, I mean how to simulate alloc in Delphi, and RegisterSymbol too? I think for alloc there exists VirtualAlloc(Ex), but I have no idea how to use it :S
NINTENDO Grandmaster Cheater Supreme
Reputation: 0
Joined: 02 Nov 2007 Posts: 1371
Posted: Wed May 20, 2009 7:41 am
Google told me that
"To allocate memory in the address space of another process, use the VirtualAllocEx function."
if that is any help.
http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx
Zerith Master Cheater
Reputation: 1
Joined: 07 Oct 2007 Posts: 468
Posted: Wed May 20, 2009 7:54 am
Most likely he will be in the address space of the other process (so he can execute the other instructions), so using VirtualAlloc (in the other process's address space) should work fine.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Wed May 20, 2009 7:59 am
Why would you use VirtualAllocEx?
You can use inline asm,
and as cavecode you can write a function / procedure whose address you'd jump to from your code.
I can write it in C++ for you, but it could be difficult for you to translate it to Delphi.
gunminiho Expert Cheater
Reputation: 0
Joined: 15 Dec 2008 Posts: 144 Location: peru
Posted: Wed May 20, 2009 8:01 am
Yes, but how do I use it? Just declare it and then use the address that I declared?? I have no idea, well I have it but incomplete.
1qaz wrote:
> Why would you use VirtualAllocEx?
> You can use inline asm,
> and as cavecode you can write a function / procedure whose address you'd jump to from your code.
> I can write it in C++ for you, but it could be difficult for you to translate it to Delphi.
I can translate it =D
What I mean is that alloc from AA reserves a piece of memory; I can't use alloc in inline asm because it's not an ASM instruction.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Wed May 20, 2009 8:13 am
You can declare CSX as a function that returns nothing (void).
That's your codecave; in it use inline asm (in Delphi the keyword is asm).
In it you will enter the codecave's code.
Now the memory editing part is to make the code jump to your cavecode at address 008A52A2.
So what we will do is change the first byte at the address to 0xE9, which is the jmp opcode.
After that we will calculate the bytes to jump to our codecave.
So we can use the formula: destination address - source address - 5.
The result of it will be a dword value (a 4-byte value) that represents the bytes to jump.
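The formula above (destination - source - 5) is just the displacement field of the 5-byte x86 `jmp rel32` instruction: the CPU measures the displacement from the end of the instruction, which is why the 5 is subtracted. The block below is an added example, not code from the thread, that encodes such a jump and also does the inverse, resolving an existing E9 jump back to its absolute target, which is what an integrity checker does when it inspects the first bytes of a function for a hook. The hook site 008A52A2 is the one from the thread; the cave address 00A00000 is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>

/* Displacement field of a 5-byte "jmp rel32" (opcode E9) written at `from`
   and landing at `to`. x86 measures the displacement from the end of the
   instruction (from + 5), which is where the "- 5" in the formula comes from.
   Computed in 64-bit so backward jumps give a clean negative value. */
static int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)((int64_t)to - (int64_t)from - 5);
}

/* Write the 5 bytes "E9 <rel32, little-endian>" into out[]. */
static void encode_jmp(uint8_t out[5], uint32_t from, uint32_t to)
{
    uint32_t rel = (uint32_t)jmp_rel32(from, to);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Inverse operation, as a hook scanner would do it: if the 5 bytes at `at`
   are an E9 jump, store the absolute target in *target and return 1;
   otherwise return 0. */
static int resolve_jmp(const uint8_t code[5], uint32_t at, uint32_t *target)
{
    uint32_t rel;
    if (code[0] != 0xE9)
        return 0;
    rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
          ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = at + 5 + rel;   /* unsigned wrap-around performs the signed add */
    return 1;
}

int main(void)
{
    /* Constructed values: 008A52A2 is the hook site discussed in the thread,
       00A00000 is a placeholder cave address (not from the thread). */
    const uint32_t site = 0x008A52A2u, cave = 0x00A00000u;
    uint8_t patch[5];
    uint32_t back = 0;
    int i;

    encode_jmp(patch, site, cave);
    printf("rel32 = 0x%08X, bytes:", (uint32_t)jmp_rel32(site, cave));
    for (i = 0; i < 5; i++)
        printf(" %02X", patch[i]);
    printf("\n");

    if (resolve_jmp(patch, site, &back))
        printf("resolves to 0x%08X (%s)\n", back, back == cave ? "ok" : "mismatch");
    return 0;
}
```

The same arithmetic works for a backward jump (cave below the site): the displacement simply comes out negative and the unsigned add in resolve_jmp wraps back to the right address.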
gunminiho Expert Cheater
Reputation: 0
Joined: 15 Dec 2008 Posts: 144 Location: peru
Posted: Wed May 20, 2009 9:32 am
ok ^^ about the formula hmm,
is it:
destination addy - source addy - 5 or destination addy:source addy - 5????????????????
If it's the first, is my destination addy a label? How do I calculate that? O.o! Source addy :S what is that?
Extra question:
How do I get hProcess in VirtualProtectEx or VirtualAllocEx?
Code:
function VirtualProtectEx (hProcess : Integer;
  lpAddress : Pointer;        { by value: the original "var" would pass the address of the variable }
  dwSize : Integer;
  flNewProtect : Integer;
  var lpflOldProtect : Integer) : Integer;
  stdcall; external 'kernel32' name 'VirtualProtectEx';

Code:
function VirtualAllocEx (hProcess : Integer;
  lpAddress : Pointer;        { by value, not var }
  dwSize : Integer;           { by value, not var }
  flAllocationType : Integer;
  flProtect : Integer) : Integer;
  stdcall; external 'kernel32.dll' name 'VirtualAllocEx';

GetModuleHandle? If so, how do I use it? I see this:
Code:
function GetModuleHandle (lpModuleName : PChar) : Integer;
  stdcall; external 'kernel32' name 'GetModuleHandleA';

Last edited by gunminiho on Wed May 20, 2009 9:38 am; edited 1 time in total
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Wed May 20, 2009 9:37 am
It's the first formula.
And your destination address isn't a label, it's the CSX function you declared before.
That function has an address in the memory space, so CSX - source address - 5 should work since it'll take CSX as the numeric value of the function (its address).
I know it works perfectly in C++ (CSX converted to its numeric value) but I don't know about Delphi.
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Wed May 20, 2009 4:50 pm
gunminiho wrote:
> ok ^^ about the formula hmm,
> is it:
> destination addy - source addy - 5 or destination addy:source addy - 5????????????????
> If it's the first, is my destination addy a label? How do I calculate that? O.o! Source addy :S what is that?
> Extra question:
> How do I get hProcess in VirtualProtectEx or VirtualAllocEx?
> Code:
> function VirtualProtectEx (hProcess : Integer;
>   lpAddress : Pointer;        { by value, not var }
>   dwSize : Integer;
>   flNewProtect : Integer;
>   var lpflOldProtect : Integer) : Integer;
>   stdcall; external 'kernel32' name 'VirtualProtectEx';
> Code:
> function VirtualAllocEx (hProcess : Integer;
>   lpAddress : Pointer;        { by value, not var }
>   dwSize : Integer;           { by value, not var }
>   flAllocationType : Integer;
>   flProtect : Integer) : Integer;
>   stdcall; external 'kernel32.dll' name 'VirtualAllocEx';
> GetModuleHandle? If so, how do I use it? I see this:
> Code:
> function GetModuleHandle (lpModuleName : PChar) : Integer;
>   stdcall; external 'kernel32' name 'GetModuleHandleA';
Code:
hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID);

Let me guess. Your next question is how to get ProcessID:
You use either PSAPI or ToolHelp.
For PSAPI it is EnumProcesses, and for snapshots it is CreateToolhelp32Snapshot.
How to use? MSDN is your friend.
And to answer RegisterSymbol():
RegisterSymbol doesn't do anything other than register it on a list, so that it becomes a recognized symbol for the engine, nothing else. So just ignore it.
pkedpker Master Cheater
Reputation: 1
Joined: 11 Oct 2006 Posts: 412
Posted: Wed May 20, 2009 5:32 pm
alloc(CSX,128)
means make a codecave.
You don't have to use VirtualAlloc;
you can use malloc/new in C/C++.
P.S. I see you want to do this in Delphi, hey.. Cheat Engine is made in Delphi, why not just look at the source code and rip stuff into your hack.
To get the original address of something I used this in my C++ winsock hook:
Code:
osend = (r_send) GetProcAddress(GetModuleHandle("ws2_32.dll"), "send"); // gets original address for send
orecv = (r_recv) GetProcAddress(GetModuleHandle("ws2_32.dll"), "recv"); // for recv, same as above

Easily translated into Delphi: osend/orecv are just addresses of function/subproc calls. (r_send/r_recv) is an interface to the prototype of recv/send, the layout of the function.
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Wed May 20, 2009 6:16 pm
I don't know about Delphi, but here's C++:
Code:
void __declspec(naked) CSXCave( void ){
    __asm{
    CSX:
        push eax
        mov eax,[0x00A88D28]
        mov eax,[eax+0x2350]
        cmp eax, 0x0000050
        pop eax
        jg CSXReturn
        push eax
        mov eax,[0x00A88D28]
        mov eax,[eax+0x0F24]
        cmp esi, eax
        pop eax
        jne CSXReturn
        add eax, 0x06
        jmp CSXReturn // I see no use in this but w/e
    CSXReturn:
        mov [ebx], eax
        mov edi, [ebp+0x10] // the AA script's [ebp+10] is hex; inline asm reads a bare 10 as decimal
        mov edx, 0x008A52A7
        jmp edx
    }
}

#define JMP(frm, to) (int)(((int)to - (int)frm) - 5);

__inline void setCSX( __in bool t = true ){
    MEMORY_BASIC_INFORMATION mbi;
    VirtualQuery((LPCVOID*)0x008A52A2, &mbi, 5);
    if(mbi.AllocationProtect != PAGE_EXECUTE_READWRITE)
        VirtualProtect((LPVOID*)0x008A52A2, 5, PAGE_EXECUTE_READWRITE, NULL);
    if(t){
        *(BYTE*)0x008A52A2 = 0xE9;
        *(DWORD*)(0x008A52A2+1) = JMP(0x008A52A2, CSXCave);
    } else {
        *(DWORD*)0x008A52A2 = 0x00000000; // Change these to the original 5 bytes
        *(BYTE*)(0x008A52A2+0x4) = 0x00;
    }
}
lurc Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Wed May 20, 2009 6:44 pm
Code:
mov eax,[0x00A88D28]
mov eax,[eax+0x2350]
mov eax,[0x00A88D28]
mov eax,[eax+0x0F24]

These will not work in C/C++ inline ASM due to the lack of size operands; they'd have to look like this:
Code:
MOV EAX, DWORD PTR [0xA88D28]
MOV EAX, DWORD PTR [EAX+0x2350]

Oh, and the label CSX isn't required.
Second off, the AllocationProtect doesn't just have to be PAGE_EXECUTE_READWRITE... let's not forget the PAGE_GUARD/PAGE_NOCACHE/etc. flags that can be included, so to really find out if the PAGE_EXECUTE_READWRITE bit is set you must AND the value.
Code:
if ((mbi.AllocationProtect & PAGE_EXECUTE_READWRITE) != PAGE_EXECUTE_READWRITE)
    VirtualProtect(...);

P.S. Pick up some better coding habits..
Edit:
Hell, this might not even change the protection on the page..
Code:
VirtualProtect((LPVOID*)0x008A52A2, 5, PAGE_EXECUTE_READWRITE, NULL);

LPVOID* ?, just LPVOID will do..
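The point about PAGE_GUARD and PAGE_NOCACHE generalizes: a Windows protection value is exactly one base protection (PAGE_NOACCESS ... PAGE_EXECUTE_WRITECOPY, each a distinct bit) optionally OR'ed with modifier bits, so a plain equality test against PAGE_EXECUTE_READWRITE misses guarded pages, and checking only the 0x40 bit misses PAGE_EXECUTE_WRITECOPY, which is also writable and executable. The block below is an added example, not code from the thread: it masks the modifiers off first and then classifies the base protection, the same classification a memory scanner uses to flag writable-and-executable regions. The PAGE_* values are reproduced from winnt.h so it builds without the Windows SDK; naive_is_rwx is a hypothetical name for the equality check used in setCSX above.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows page-protection constants (values as defined in winnt.h),
   reproduced here so the example compiles on any host. */
#define PAGE_NOACCESS          0x001
#define PAGE_READONLY          0x002
#define PAGE_READWRITE         0x004
#define PAGE_WRITECOPY         0x008
#define PAGE_EXECUTE           0x010
#define PAGE_EXECUTE_READ      0x020
#define PAGE_EXECUTE_READWRITE 0x040
#define PAGE_EXECUTE_WRITECOPY 0x080
#define PAGE_GUARD             0x100
#define PAGE_NOCACHE           0x200
#define PAGE_WRITECOMBINE      0x400

/* Modifier bits that may be OR'ed onto a base protection. */
#define PAGE_MODIFIERS (PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE)

/* Strip the modifiers; what remains is exactly one base value. */
static uint32_t base_protection(uint32_t prot)
{
    return prot & ~(uint32_t)PAGE_MODIFIERS;
}

static int is_writable(uint32_t prot)
{
    switch (base_protection(prot)) {
    case PAGE_READWRITE:
    case PAGE_WRITECOPY:
    case PAGE_EXECUTE_READWRITE:
    case PAGE_EXECUTE_WRITECOPY:
        return 1;
    default:
        return 0;
    }
}

static int is_executable(uint32_t prot)
{
    switch (base_protection(prot)) {
    case PAGE_EXECUTE:
    case PAGE_EXECUTE_READ:
    case PAGE_EXECUTE_READWRITE:
    case PAGE_EXECUTE_WRITECOPY:
        return 1;
    default:
        return 0;
    }
}

/* Writable and executable at the same time: what a scanner flags, and what
   a patcher must confirm before writing into code. */
static int is_wx(uint32_t prot)
{
    return is_writable(prot) && is_executable(prot);
}

/* Hypothetical name for the equality test used in setCSX above, kept to
   show where it goes wrong. */
static int naive_is_rwx(uint32_t prot)
{
    return prot == PAGE_EXECUTE_READWRITE;
}

int main(void)
{
    /* Constructed sample values a VirtualQuery caller might see. */
    const uint32_t samples[] = {
        PAGE_EXECUTE_READWRITE,
        PAGE_EXECUTE_READWRITE | PAGE_GUARD,
        PAGE_EXECUTE_WRITECOPY,
        PAGE_EXECUTE_READ,
        PAGE_READWRITE | PAGE_NOCACHE,
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("prot=0x%03X base=0x%03X naive_rwx=%d wx=%d\n",
               samples[i], base_protection(samples[i]),
               naive_is_rwx(samples[i]), is_wx(samples[i]));
    return 0;
}
```

One more caveat when applying this to MEMORY_BASIC_INFORMATION: AllocationProtect records the protection the region was created with, while Protect is the current protection of the queried page; a check that precedes a write should look at Protect.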
&Vage Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Wed May 20, 2009 7:08 pm
Go fuck yourself :]
tanjiajun_34 Grandmaster Cheater
Reputation: 0
Joined: 16 Feb 2006 Posts: 786 Location: Singapore
Posted: Fri Jun 05, 2009 10:13 pm
For this...
Code:
function VirtualAllocEx (hProcess : Integer;
  lpAddress : Pointer;        { by value, not var: a var parameter would not accept pointer($008A52A2) }
  dwSize : Integer;           { by value, not var }
  flAllocationType : Integer;
  flProtect : Integer) : Integer;
  stdcall; external 'kernel32.dll' name 'VirtualAllocEx';

How do I get lpAddress?
Let's take the first post's script as an example.
Code:
var
  hProcess: Integer;
  MS: HWND;
  ProcessID: Integer;
begin
  MS := FindWindow('msyClass', nil);
  if MS <> 0 then
  begin
    GetWindowThreadProcessId(MS, @ProcessID);
    hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID);
    VirtualAllocEx(hProcess, Pointer($008A52A2), 128, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  end;
end;

Is this correct?
gunminiho Expert Cheater
Reputation: 0
Joined: 15 Dec 2008 Posts: 144 Location: peru
Posted: Sat Jun 20, 2009 1:24 am
tanjiajun_34 wrote:
> For this...
> Code:
> function VirtualAllocEx (hProcess : Integer;
>   lpAddress : Pointer;        { by value, not var }
>   dwSize : Integer;           { by value, not var }
>   flAllocationType : Integer;
>   flProtect : Integer) : Integer;
>   stdcall; external 'kernel32.dll' name 'VirtualAllocEx';
> How do I get lpAddress?
> Let's take the first post's script as an example.
> Code:
> var
>   hProcess: Integer;
>   MS: HWND;
>   ProcessID: Integer;
> begin
>   MS := FindWindow('msyClass', nil);
>   if MS <> 0 then
>   begin
>     GetWindowThreadProcessId(MS, @ProcessID);
>     hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID);
>     VirtualAllocEx(hProcess, Pointer($008A52A2), 128, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
>   end;
> end;
> Is this correct?
According to MSDN, lpAddress is the start address for your reservation of memory.