Minzoik (How do I cheat?, Reputation: 0, Joined: 24 Dec 2019, Posts: 4)
Posted: Thu Jun 04, 2020 1:39 pm    Post subject: [C++] Change Register at this Location

Is there a way in C++ to do what CE does for this function? I want to change the EIP register at a certain address location in my own program.

atom0s (Moderator, Reputation: 198, Joined: 25 Jan 2006, Posts: 8517, Location: 127.0.0.1)
Posted: Thu Jun 04, 2020 1:50 pm    Post subject:

GetThreadContext / SetThreadContext
_________________
- Retired.

Minzoik (How do I cheat?, Reputation: 0, Joined: 24 Dec 2019, Posts: 4)
Posted: Thu Jun 04, 2020 5:32 pm    Post subject:

atom0s wrote:
    GetThreadContext / SetThreadContext

Thanks for the quick reply.
Do you think this would be an appropriate way of using this?

Code:
```cpp
DWORD threadId = GetWindowThreadProcessId(windowHandle, NULL);
HANDLE thread = OpenThread(THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT, FALSE, threadId);
if (thread != NULL)
{
    SuspendThread(thread);              // the context is only meaningful while the thread is suspended
    CONTEXT threadContext = {};
    threadContext.ContextFlags = CONTEXT_CONTROL;
    if (GetThreadContext(thread, &threadContext) && threadContext.Eip == 0x010XXXXX)
    {
        threadContext.Eip = 0x010YYYYY;
        threadContext.ContextFlags = CONTEXT_CONTROL;
        SetThreadContext(thread, &threadContext);
    }
    ResumeThread(thread);               // exactly one resume for the one suspend above
    CloseHandle(thread);
}
```


atom0s (Moderator, Reputation: 198, Joined: 25 Jan 2006, Posts: 8517, Location: 127.0.0.1)
Posted: Thu Jun 04, 2020 7:04 pm    Post subject:

You would need to force the context adjustments to happen at that specific location. By suspending the thread, at random, you are basically guaranteed to never get the result you want.
Either you can force an exception, and handle it manually to obtain the context and edit it as needed, or you can inject a code cave at the given area/function and edit it as needed when it's called. I'd suggest going the code cave route first and ensure that method works before digging into making a custom exception handler.
If you need to go the exception route, look into vectored exception handling.
_________________
- Retired.

Minzoik (How do I cheat?, Reputation: 0, Joined: 24 Dec 2019, Posts: 4)
Posted: Thu Jun 04, 2020 7:12 pm    Post subject:

atom0s wrote:
    You would need to force the context adjustments to happen at that specific location. By suspending the thread, at random, you are basically guaranteed to never get the result you want.
    Either you can force an exception, and handle it manually to obtain the context and edit it as needed, or you can inject a code cave at the given area/function and edit it as needed when it's called. I'd suggest going the code cave route first and ensure that method works before digging into making a custom exception handler.
    If you need to go the exception route, look into vectored exception handling.

Just trying to avoid the random check they do. Thought this would be a good route to go since it doesn't change the bytes in this area of the code. I'll look into it more.

Got the VEH hook to work, but I guess this function is called too frequently to actually utilize it. Will have to look for a different approach to avoid .text changes.

v3rmin (How do I cheat?, Reputation: 0, Joined: 19 Dec 2020, Posts: 6)
Posted: Sat Dec 19, 2020 8:56 am    Post subject:

Minzoik wrote:
    atom0s wrote:
        GetThreadContext / SetThreadContext

    Thanks for the quick reply.
    Do you think this would be an appropriate way of using this?

    Code:
    ```cpp
    DWORD threadId = GetWindowThreadProcessId(windowHandle, NULL);
    HANDLE thread = OpenThread((THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), false, threadId);
    SuspendThread(thread);
    CONTEXT threadContext;
    threadContext.ContextFlags = CONTEXT_CONTROL;
    GetThreadContext(thread, &threadContext);
    if (threadContext.Eip == 0x010XXXXX)
    {
        threadContext.Eip = 0x010YYYYY;
        threadContext.ContextFlags = CONTEXT_CONTROL;
        SetThreadContext(thread, &threadContext);
        ResumeThread(thread);
    }
    ResumeThread(thread);
    ```

To do it like that would mean you'd have to suspend the thread at the exact moment you want the EIP changed, because of these lines:

Code:
```cpp
SuspendThread(thread);
if (threadContext.Eip == 0x010XXXXX)
```