Cheat Engine Forum - The Official Site of Cheat Engine
 
Help me with doing x64 code hooking in C++

 
s3pt3mb3r
How do I cheat?
Reputation: 0

Joined: 26 May 2020
Posts: 2

PostPosted: Tue May 26, 2020 2:55 pm    Post subject: Help me with doing x64 code hooking in C++

First of all, I apologize for my poor English.
In Cheat Engine, there is a function called "code injection" which replaces a particular assembly instruction with a 'jmp' instruction, jumps to a new memory region, executes instructions there, and then jumps back to the original place.
I'd like to know how to simulate it on the x64 architecture in C++.
I'm trying to do DLL injection game hacking, so everything I talk about is inside a DLL.

I looked up about it and partially got some basic techniques.
1. I can allocate new memory region by this code below

Code:
void*  newMemory = VirtualAlloc(NULL, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);


2. and I can write bytes to this new region by this code
Code:
memcpy(newMemory, instructions, sizeof(instructions)); // instructions is a byte array, so pass it directly

instructions is a byte array holding the encoded instructions.

3. Probably I need VirtualProtect as well

4. I need to calculate the address to jump to and to jump back to.

I want anyone reading this to write an example "hook" function (maybe upon these techniques?).

Please kindly help me. If you want to ask for more information, just reply to me. I'll get back to you as soon as I see it.
BoozeAddict
How do I cheat?
Reputation: 0

Joined: 30 May 2020
Posts: 3

PostPosted: Tue Jun 09, 2020 5:32 am    Post subject:

1. If you're injecting a .dll, you don't really need to allocate memory, your function will get allocated in your dll anyways. Let's say your hooked function is "void MyFunction() { //somecode }"

2. You patch the jump with a memcpy. 1st parameter is destination (the address you want to patch (jump from), not the actual jump destination), 2nd parameter is the bytes you want to patch (pointer to an array/vector that holds your "jmp <address>" instruction in bytes), and 3rd parameter is size of the array.

3. Probably, yes. Just do it to make sure it's writable, no harm in doing that. First define a DWORD that will hold the old protection information. Then do a VirtualProtect(<the address you want to protect>, <how many bytes. it will protect the entire page (or 2) actually, but it doesn't matter.>, PAGE_EXECUTE_READWRITE (so we can do everything with it), &<the address of the variable you created to hold the old protection>). After you're done, make sure you swap the protection back again, so instead of PAGE_EXECblahblah use your variable.

4. The opcode for a far absolute jmp is "ff 25 00 00 00 00 <(long long (8 bytes)) address, in little endian>". To reverse a long long (64 bits) to little endian, use "_byteswap_uint64(long long bytes)". (For 32 bits it would be _byteswap_ulong.) That function is in "intrin.h". The address to jump back to is just the address you jump from + the size of the instruction, nothing fancy. A short jump would be "E9 <size of jump>", and you get the size by doing <destination address> - <jump address> + <byte size of instruction>, but that only works with jumps of 32 bits in size.

Edit: just thought of an untested idea, but you can also probably make a struct with the instructions, then just directly write to the pointer, so you don't need to worry about the little endian.
MyNewStruct* originalAddress = <whatever>;
*originalAddress = mystruct; // write through the pointer so the bytes land at the patched address. Still need to protect it, of course.
s3pt3mb3r
How do I cheat?
Reputation: 0

Joined: 26 May 2020
Posts: 2

PostPosted: Wed Jun 10, 2020 7:30 am    Post subject: Thank you for the reply

I really, EXTREMELY appreciate your reply! Thank you.
I didn't know that the 1st parameter of "memcpy" is where I want to jump from!
I found something that I couldn't understand, so I'm going to write it down.

First of all, what I wanna inject is like this. (including stolen bytes)
Code:
       mov edi, (int)0                 BF00000000
       sub [rbx+54],edi                297B54
       mov rcx,rsi                     488BCE
       mov rax,[rsi]                   488B06
       neg edi                         F7DF
       mov edx,edi                     8BD7
       call qword ptr [rax+000007A0]   FF90A0070000


Q1. How is it possible to convert assembly into an actual function like Myfunction()?
Q2. How can I define the address where I will jump to? I will leave it as 0000000000000000 in the code below.
Q3. Is the second parameter of "VirtualProtect()" the size of the bytes overwritten by the jmp instruction, or 14, which is the size of the jump array? I'll just go with 14 in the code below.
Q4. Main section! How do I inject the assembly (bytes) code?


I don't really get them, but anyway let me go further. I assume the code around the jumping is like this?

Code:

uintptr_t OriginalAddress = moduleBase + 0x72A533; // This is the address where I want to jump from.
BYTE jmp_instruction[] = {
    0xFF, 0x25, 0x00, 0x00, 0x00, 0x00,              // jmp qword ptr [rip+0]
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // 8-byte target; I have to specify it here, but where is the empty memory I can use????
};
DWORD dwOld = 0;
// VirtualProtect and memcpy take pointers, so the integer address needs a cast
VirtualProtect((LPVOID)OriginalAddress, 14, PAGE_EXECUTE_READWRITE, &dwOld);
memcpy((void*)OriginalAddress, jmp_instruction, sizeof(jmp_instruction));
VirtualProtect((LPVOID)OriginalAddress, 14, dwOld, &dwOld);


I know I am a huge noob in C++, but I would be so happy if you answer and help me again!