Cheat Engine The Official Site of Cheat Engine
Igor (Expert Cheater, Reputation: 1, Joined: 04 Apr 2012, Posts: 145)
Posted: Tue Apr 24, 2012 2:18 pm
How could I calculate jmp bytes and nop the remaining bytes?
[Two screenshot attachments (27.04 KB and 21 KB) are not reproduced here.]
_________________
r--._,---------------.
"-, .c-.-----------""
/ i--'
C__J
Innovation (Grandmaster Cheater, Reputation: 12, Joined: 14 Aug 2008, Posts: 617)
Posted: Tue Apr 24, 2012 3:45 pm
svchost wrote: "How could I calculate jmp bytes and nop the remaining bytes?"
http://ref.x86asm.net/coder32.html
Code:
0xE9, (dwAddressTo - dwAddressFrom - 5)
The operand is the offset added to the instruction pointer after the instruction completes.
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Tue Apr 24, 2012 7:29 pm
Stylo and myself have said how to calculate the jmp bytes in this thread.
The jump needs 5 bytes, anything over that to the next instruction gets nopped. So if the original instruction is 6 bytes, you nop the last byte.
Btw, you don't need to use OpenProcess. It can be done like:
Code:
Dim MyProcess As Process() = Process.GetProcessesByName("Tutorial-i386")
Dim hAddress As IntPtr = VirtualAllocEx(MyProcess(0).Handle, &H800000, 512, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
Dim wrte As Byte() = {&HC7, &H83, &H58, &H4, &H0, &H0, &H64, &H0, &H0, &H0}
WriteProcessMemory(hProcess, hAddress, wrte, 512, 0)
But instead of WriteProcessMemory(hProcess, hAddress, wrte, 512, 0)
Write WriteProcessMemory(hProcess, hAddress, wrte, wrte.Length, 0)
Also what Stylo said
VirtualAllocEx(hProcess, &H800000, 512, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
you can replace &H800000 with IntPtr.Zero
Igor (Expert Cheater, Reputation: 1, Joined: 04 Apr 2012, Posts: 145)
Posted: Wed Apr 25, 2012 1:10 am
Innovation wrote:
Code:
0xE9, (dwAddressTo - dwAddressFrom - 5)
The operand is the offset added to the instruction pointer after the instruction completes.
In the above image, Tutorial-i386.exe+20F3E = 00420F3E and the cave address is 02C20000.
I'm doing the following:
(02C20000 - 00420F3E)-5 = 27FF0BD
Should I write the bytes E9 27FF0BD? But in the above image it is E9 BDF07F02.
Tell me what I'm doing wrong.
Pingo wrote: "Since you can use WriteProcessMemory, you should be able to finish from here. A simple way to calculate the bytes is Cave - starting point - 5. If you can't figure it out, read the MSDN."
Could you give me the MSDN link for calculating jump bytes, or what do I have to search for on MSDN?
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Wed Apr 25, 2012 2:47 am
You need to convert 27FF0BD to a byte array.
Here is the method I made. Sorry, I use 2 different functions; one is used for other things as well.
Code:
Private Function Jmp_Call(ByVal iCave As IntPtr, ByVal JumpFrom As Integer, ByVal iNext As Integer, ByVal JC As Boolean) As String
    Dim Ins As String = GetIns(BitConverter.GetBytes(iCave.ToInt32 - JumpFrom - 5))
    For i As Integer = 5 To (iNext - JumpFrom) - 1
        Ins += "90"
    Next i
    Return IIf(Not JC, "E8" & Ins, "E9" & Ins)
End Function

Private Function GetIns(ByVal BTS As Byte()) As String
    Dim Ins As String = String.Empty
    For i As Integer = 0 To BTS.Length - 1
        Ins += String.Format("{0:x2}", Convert.ToUInt32(BTS(i)))
    Next i
    Return Ins
End Function
I don't know the length of your original bytes, but using
00420F3E <- jump from
02C20000 <- cave
6 <- original byte length *example*
Jmp_Call(&h2C20000, &h420F3E, 6, True) <- will return the bytes for jmp 2C20000
Jmp_Call(&h2C20000, &h420F3E, 6, False) <- will return the bytes for call 2C20000
You won't want to hardcode the cave like that though. More like:
Code:
Dim hAddress As IntPtr = VirtualAllocEx(MyProcess(0).Handle, &H800000, 512, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
Jmp_Call(hAddress, &h420F3E, 6, True)
The problem is, this returns the bytes in text form, not Byte(). It's just the way I do it.
Converting it is simple enough though.
Code:
Private Shared Function HX2Bts(ByVal HXS As String) As Byte()
    HXS = System.Text.RegularExpressions.Regex.Replace(HXS, "[^a-fA-F0-9]", "")
    Dim buf As Byte() = New Byte(HXS.Length / 2 - 1) {}
    For i As Integer = 0 To buf.Length - 1
        buf(i) = Byte.Parse(HXS.Substring(i * 2, 2), System.Globalization.NumberStyles.HexNumber)
    Next i
    Return buf
End Function
Innovation (Grandmaster Cheater, Reputation: 12, Joined: 14 Aug 2008, Posts: 617)
Posted: Wed Apr 25, 2012 4:46 am
svchost wrote:
In the above image, Tutorial-i386.exe+20F3E = 00420F3E and the cave address is 02C20000.
I'm doing the following:
(02C20000 - 00420F3E)-5 = 27FF0BD
Should I write the bytes E9 27FF0BD? But in the above image it is E9 BDF07F02.
Tell me what I'm doing wrong.
BDF07F02 -> BD F0 7F 02 -> Mirror -> 02 7F F0 BD -> 027FF0BD
x86/x64 microprocessors use little endian; when you write bytes to a pointer, the bytes are written in reverse order.
In C, it would look like this if you had direct memory access:
Code:
*(unsigned char *)dwAddressFrom = 0xE9;
*(unsigned long *)(dwAddressFrom + 1) = dwAddressTo - dwAddressFrom - 5;
If you're using WriteProcessMemory, then you will need to reverse the bytes before you write them to memory.
Last edited by Innovation on Wed Apr 25, 2012 5:15 pm; edited 3 times in total
Igor (Expert Cheater, Reputation: 1, Joined: 04 Apr 2012, Posts: 145)
Posted: Wed Apr 25, 2012 6:23 am
In the following function, iCave=2C90000, JumpFrom=420F3E, iNext=6 and JC=True:
Pingo wrote:
Code:
Private Function Jmp_Call(ByVal iCave As IntPtr, ByVal JumpFrom As Integer, ByVal iNext As Integer, ByVal JC As Boolean) As String
    Dim Ins As String = GetIns(BitConverter.GetBytes(iCave.ToInt32 - JumpFrom - 5))
    For i As Integer = 5 To (iNext - JumpFrom) - 1
        Ins += "90"
    Next i
    Return IIf(Not JC, "E8" & Ins, "E9" & Ins)
End Function
Your Jmp_Call function always returns the allocated address plus an offset of 2CB, meaning [AllocAddress + 2CB].
E.g. if AllocAddress is 2C90000 then Jmp_Call returns 2C902CB.
Code:
For i As Integer = 5 To (iNext - JumpFrom) - 1
    Ins += "90"
Next i
In this loop iNext=6 and JumpFrom=&H420F3E.
That means (6-420F3E)-1 = FFFFFFFFFFBDF0C7. It always exits the For loop, which means it will not add 90 (nop) to the remaining bytes.
Original bytes -> sub [ebx+00000458],eax // Alt: db 29 83 58 04 00 00 == 6
Innovation wrote: "BDF07F02 -> BD F0 7F 02 -> Mirror -> 02 7F F0 BD -> 027FF0BD"
As Innovation said,
(2C90000-420F3E)-5=286F0BD
2 86 F0 BD -> Mirror -> BD F0 86 02
If I write E9 BDF08602 it also adds a 2CB offset, meaning [AllocAddress + 2CB].
E9 BDF08602 == jmp 02C902CB // but actually the cave starts at 02C90000
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Wed Apr 25, 2012 7:17 am
Sorry, yeah, you're right. I don't code in VB and never noticed that.
But I see the error now. Haha, I gave you the wrong code; I'm recovering from a hangover so I'm not with it atm.
It should have been this, I think:
Code:
Private Function JmpCall(ByVal Cave As IntPtr, ByVal JumpFrom As Integer, ByVal iLen As Integer, ByVal _Jump As Boolean) As String
    Dim Ins As String = GetIns(BitConverter.GetBytes(Cave.ToInt32 - JumpFrom - 5))
    For i As Integer = 5 To iLen - 1
        Ins += "90"
    Next i
    Return (IIf(_Jump, "E9", "E8") & Ins)
End Function
That first one I gave you does work, but instead of putting the length, you put the next instruction and the length is calculated. It was one of my first attempts, but I changed it to the code I provided above.
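The rel32 jmp/call encoding the thread works out (displacement relative to the next instruction, little-endian byte order as Innovation describes, NOP padding as in Pingo's corrected JmpCall), as an added Python example that is not code from the thread; the function names are mine. It also includes the inverse, decoding the bytes found at an address back to their target, which is how you verify a patch or read an existing hook.

```python
import struct
from typing import Optional

JMP_REL32 = 0xE9    # opcode of "jmp rel32"
CALL_REL32 = 0xE8   # opcode of "call rel32"
NOP = 0x90
PATCH_LEN = 5       # one opcode byte + a 4-byte displacement


def encode_jump(from_addr: int, to_addr: int, orig_len: int, call: bool = False) -> bytes:
    """Bytes that replace the instruction at from_addr with a jmp/call to to_addr.

    orig_len is the length of the instruction(s) being overwritten (6 for the
    thread's 'sub [ebx+00000458],eax'); anything beyond the 5-byte jmp is
    NOP-filled so no half-instruction is left behind.
    """
    if orig_len < PATCH_LEN:
        raise ValueError("a rel32 jmp/call needs at least 5 bytes to overwrite")
    # The displacement is relative to the address of the *next* instruction,
    # hence the "- 5" in the thread's formula.
    rel = to_addr - (from_addr + PATCH_LEN)
    # '<i' = little-endian signed 32-bit: this is the byte reversal Innovation
    # describes (0x027FF0BD is stored as BD F0 7F 02). struct raises
    # struct.error if the target is outside the +/-2 GiB reach of a rel32.
    disp = struct.pack("<i", rel)
    opcode = CALL_REL32 if call else JMP_REL32
    return bytes([opcode]) + disp + bytes([NOP]) * (orig_len - PATCH_LEN)


def decode_jump(at_addr: int, code: bytes) -> Optional[int]:
    """Inverse: the target of the rel32 jmp/call found at at_addr, or None if
    the bytes are not one. Useful for checking a patch or reading an existing hook."""
    if len(code) < PATCH_LEN or code[0] not in (JMP_REL32, CALL_REL32):
        return None
    (rel,) = struct.unpack("<i", code[1:PATCH_LEN])
    return (at_addr + PATCH_LEN + rel) & 0xFFFFFFFF


if __name__ == "__main__":
    # The thread's numbers: hook at Tutorial-i386.exe+20F3E, cave at 02C20000.
    patch = encode_jump(0x420F3E, 0x2C20000, 6)
    print(patch.hex(" "))                      # e9 bd f0 7f 02 90
    print(hex(decode_jump(0x420F3E, patch)))   # 0x2c20000
```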
Igor (Expert Cheater, Reputation: 1, Joined: 04 Apr 2012, Posts: 145)
Posted: Wed Apr 25, 2012 12:24 pm
@Pingo, @Stylo, @Innovation, @Wiccaan
Thank you, all of you guys.
I finally made my trainer. It works without any problem. Here is my code.
Code:
Imports System.Runtime.InteropServices

Public Class frmMyTrainer

#Region "Import Functions From kernel32.dll"
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, _
                                          ByVal lpAddress As IntPtr, _
                                          ByVal dwSize As Integer, _
                                          ByVal flAllocationType As Integer, _
                                          ByVal flProtect As Integer) As IntPtr
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Shared Function VirtualFreeEx(ByVal hProcess As IntPtr, _
                                         ByVal lpAddress As IntPtr, _
                                         ByVal dwSize As Integer, _
                                         ByVal dwFreeType As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Public Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, _
                                              ByVal lpBaseAddress As IntPtr, _
                                              ByVal lpBuffer As Byte(), _
                                              ByVal nSize As IntPtr, _
                                              ByRef lpNumberOfBytesWritten As IntPtr) As Integer
    End Function
#End Region

#Region "Declare Constant"
    Const MEM_COMMIT = &H1000
    Const MEM_DECOMMIT = &H4000
    Const PAGE_EXECUTE_READWRITE = &H40
#End Region

#Region "Function Declaration"
    Private Function JmpCall(ByVal Cave As IntPtr, ByVal JumpFrom As Integer, ByVal iLen As Integer, ByVal _Jump As Boolean) As String
        Dim Ins As String = GetIns(BitConverter.GetBytes(Cave.ToInt32 - JumpFrom - 5))
        For i As Integer = 5 To iLen - 1
            Ins += "90"
        Next i
        Return (IIf(_Jump, "E9", "E8") & Ins)
    End Function

    Private Function GetIns(ByVal BTS As Byte()) As String
        Dim Ins As String = String.Empty
        For i As Integer = 0 To BTS.Length - 1
            Ins += String.Format("{0:x2}", Convert.ToUInt32(BTS(i)))
        Next i
        Return Ins
    End Function

    Private Shared Function HX2Bts(ByVal HXS As String) As Byte()
        HXS = System.Text.RegularExpressions.Regex.Replace(HXS, "[^a-fA-F0-9]", "")
        Dim buf As Byte() = New Byte(HXS.Length / 2 - 1) {}
        For i As Integer = 0 To buf.Length - 1
            buf(i) = Byte.Parse(HXS.Substring(i * 2, 2), System.Globalization.NumberStyles.HexNumber)
        Next i
        Return buf
    End Function
#End Region

    Dim hAddres As IntPtr = IntPtr.Zero

    Private Sub CheckBox1_CheckedChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles CheckBox1.CheckedChanged
        Dim MyProcess As Process() = Process.GetProcessesByName("Tutorial-i386")
        If CheckBox1.Checked = True Then
            Dim hAddress As Integer = VirtualAllocEx(MyProcess(0).Handle, IntPtr.Zero, 11, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
            'For Jump To Code-Cave
            Dim JumpCall As String = JmpCall(hAddress, &H420F3E, 6, False)
            Dim JumpBytes As Byte() = HX2Bts(JumpCall)
            WriteProcessMemory(MyProcess(0).Handle, &H420F3E, JumpBytes, JumpBytes.Length, IntPtr.Zero)
            'For Writing Cave
            Dim CaveBytes As Byte() = HX2Bts("C7 83 58 04 00 00 64 00 00 00 C3")
            WriteProcessMemory(MyProcess(0).Handle, hAddress, CaveBytes, CaveBytes.Length, IntPtr.Zero)
            hAddres = hAddress
        ElseIf CheckBox1.Checked = False Then
            'For Writing Orignal Bytes
            Dim OrignalBytes As Byte() = HX2Bts("29 83 58 04 00 00")
            WriteProcessMemory(MyProcess(0).Handle, &H420F3E, OrignalBytes, OrignalBytes.Length, 0)
            'For Clear Allocated Memory
            VirtualFreeEx(MyProcess(0).Handle, hAddres, IntPtr.Zero, MEM_DECOMMIT)
        End If
    End Sub

End Class
Give me suggestions to improve my code.
Edit:
The above code works perfectly, but I want to ask you a question.
Code:
Dim hAddress As Integer = VirtualAllocEx(MyProcess(0).Handle, IntPtr.Zero, 11, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
In the above, I allocate 11 bytes. When I manually check the allocated address in CE it shows 4072 bytes allocated. How could I fix this problem?
E.g. suppose the allocated address is 02CA0000 and it allocates up to 02CA0FE8, which is a total of 4072 bytes.
I want to allocate only from 02CA0000 up to 02CA000B, which is 11 bytes. What am I doing wrong?
Note: This isn't a problem for the trainer to work. But I want to ask to improve my knowledge.
atom0s (Moderator, Reputation: 198, Joined: 25 Jan 2006, Posts: 8517, Location: 127.0.0.1)
Posted: Wed Apr 25, 2012 2:46 pm
As MSDN states:
Quote:
If lpAddress is NULL, the function determines where to allocate the region.
If lpAddress is NULL, the function rounds dwSize up to the next page boundary.
So you aren't doing anything wrong, it's just how the function works.
Also be careful using 'MyProcess(0).Handle', without checking that MyProcess(0) is valid, you can cause an exception to be thrown which will crash your trainer if it's not caught.
_________________
- Retired.
Pingo (Grandmaster Cheater, Reputation: 8, Joined: 12 Jul 2007, Posts: 571)
Posted: Thu Apr 26, 2012 4:57 am
One simple way to check:
Code:
Public Function ProcActive() As Boolean
    Try
        Return Not MyProcess(0).HasExited
    Catch
        Return False
    End Try
End Function
Personally I store it as a boolean to use within the class:
ProcActive = MyProcess.Length <> 0
That'll tell me if the process was found, since the length will be 1 unless you have more instances of the same process.
And:
Try
    ProcActive = Not MyProcess(0).HasExited
Catch
    ProcActive = False
End Try
This changes the boolean to false if the process closes after it was found.
This is to avoid an exception if something tries to write before the process is found or after it exits.
Igor (Expert Cheater, Reputation: 1, Joined: 04 Apr 2012, Posts: 145)
Posted: Thu Apr 26, 2012 11:51 am
Thank you very much.
Now I'm trying to improve my code and reduce runtime errors.
Do you guys know any tutorials for VB.Net memory hacking?
vegettadbz (Cheater, Reputation: 0, Joined: 01 Dec 2010, Posts: 28)
Posted: Mon Sep 07, 2015 2:21 pm
Sorry for bumping this old topic, but I have an issue creating a VB.NET trainer...
Check this: http://forum.cheatengine.org/viewtopic.php?t=583942
@IGOR.
I tried your code but I get an "IndexOutOfRangeException" when I check the CheckBox. The problem is here...
"Dim hAddress As Integer = VirtualAllocEx(MyProcess(0).Handle, IntPtr.Zero, 11, MEM_COMMIT, PAGE_EXECUTE_READWRITE)"
Zanzer (I post too much, Reputation: 126, Joined: 09 Jun 2013, Posts: 3278)
Posted: Mon Sep 07, 2015 8:02 pm
Sounds like you need to go take an introductory VB class before you try to just use someone's code.
Next time, be sure to spell the executable's name correctly and have the game running before launching "your" trainer.
vegettadbz (Cheater, Reputation: 0, Joined: 01 Dec 2010, Posts: 28)
Posted: Tue Sep 08, 2015 12:26 am
Guys, I just need some help to start from somewhere...
I have tried several codes, I have made some pieces on my own, and I have made some cheats using pointers + offsets.
My issue is that I don't know how to make a "code injection" in VB.NET, so I am trying other guys' code to check if it works for me.
Any help?