Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine

Hooking

Ridor
Newbie cheater
Reputation: 0

Joined: 28 Feb 2008
Posts: 14

Posted: Thu Feb 28, 2008 12:20 pm    Post subject: Hooking

I'm pretty good at memory poking and packet editing and that kind of thing, but it's getting easy and I want to move on to something more difficult. I think the proper term for what I'm wanting to do is called "application hooking".

In case I'm wrong in my terminology, here is the kind of thing I'm attempting to do.

In the mmorpg DOMO, when you attack something, it pops up a number above creatures head with how much damage you did. What I would like to do is kind of intercept that function, and not only pop up how much damage I did, but also put like DamageThisHit (DamagePerSecond). Or, track the total damage I did on a single creature to calculate how much HP that creature has.

Am I right to assume this is called "hooking?"

Now that you know what I'm trying to do, I would like to know what I'm going to have to learn to do this. Is it possible to do the intercepting in my own C++ program, or am I going to have to do it strictly by modifying the game exe using assembly? I don't know assembly too well, so if it's possible with the first option I would prefer that.

If you could link me to some tutorials or anything similar on the topics I will need, I would appreciate it, though I can always google tutorials myself given a topic I need to learn. I also have access to my entire college's library in e-book form from my computer to learn this stuff with.

the_undead
Expert Cheater
Reputation: 1

Joined: 12 Nov 2006
Posts: 235
Location: Johannesburg, South Africa

Posted: Thu Feb 28, 2008 12:29 pm

You could do that in your own program if you really wanted to.

malfunction
Grandmaster Cheater Supreme
Reputation: 0

Joined: 30 Jan 2007
Posts: 1015
Location: http://www.behindthecorner.com/

Posted: Thu Feb 28, 2008 12:33 pm

I do not know C++ nor tuts for that kind of stuff but I think you should be able to do it with your own program, without messing with the actual game exe.

systat
Advanced Cheater
Reputation: 0

Joined: 15 Feb 2008
Posts: 54

Posted: Thu Feb 28, 2008 12:35 pm

Hmmm, you can intercept app functions using Detours.
If you don't know what Detours is, google it. Here is an example of function hooking I made for Minesweeper; it is a DLL, and you just need to use a DLL injector (winject) to inject the DLL into Minesweeper.

Code:
#include <windows.h>
#include <detours.h>

// Trampolines returned by DetourFunction: calling these runs the original code.
void (__fastcall *DoAbout_orig)();
int (__fastcall *GameOver_orig)(int x);

// Replacement for Minesweeper's GameOver: passes straight through to the original.
int __fastcall GameOver(int x) {
   // Call the trampoline, not ourselves (calling GameOver here recursed forever).
   return GameOver_orig(x);
}

// Replacement for the About handler: trigger GameOver(1), i.e. a win, instead.
void __fastcall DoAbout() {
   GameOver_orig(1);
}

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
   switch (reason)
   {
   case DLL_PROCESS_ATTACH:
      // Detours 1.x API: overwrite the first bytes of the target with a jmp to
      // our replacement and return a trampoline that runs the original function.
      GameOver_orig = (int(__fastcall*)(int))DetourFunction((PBYTE)0x0100347C, (PBYTE)GameOver);
      DoAbout_orig  = (void(__fastcall*)())DetourFunction((PBYTE)0x01003D1D, (PBYTE)DoAbout);
      break;
   case DLL_PROCESS_DETACH:
      break;
   }

   return TRUE;
}


If you compile it and inject the DLL into Minesweeper, you will win the game every time you press About.

Ridor
Newbie cheater
Reputation: 0

Joined: 28 Feb 2008
Posts: 14

Posted: Thu Feb 28, 2008 12:37 pm

the_undead wrote:
You could do that in your own program if you really wanted to.


Cool so it is called hooking? Could you kind of nudge me more in the right direction? I've been googling various terms such as "game hooking" "application hooking" etc... but can't really find any solid information on how to go about doing this.

Some questions I have are:

Is it possible to find the function calls by a program without reverse engineering? I'm guessing no, and I've had trouble tracing an MMORPG's execution in OllyDbg, so could you give some tips on stepping through a program that runs in an infinite loop and getting to the function I'm looking for? The only experience I have is with linear programs like crackmes, where the program stops and waits and I can see where it stopped in Olly.

Once I find the function in assembly, how would I hook it exactly?

Thanks, and once again, you don't have to post the answers directly here. I'm just asking for a direction I can go to get these questions answered.

EDIT: Systat, thanks for the information. I'll look into detours.

malfunction
Grandmaster Cheater Supreme
Reputation: 0

Joined: 30 Jan 2007
Posts: 1015
Location: http://www.behindthecorner.com/

Posted: Thu Feb 28, 2008 12:39 pm

systat wrote:
Hmmm, you can intercept app functions using Detours.
If you don't know what Detours is, google it. Here is an example of function hooking I made for Minesweeper; it is a DLL, and you just need to use a DLL injector (winject) to inject the DLL into Minesweeper.

Code:
#include <windows.h>
#include <detours.h>

// Trampolines returned by DetourFunction: calling these runs the original code.
void (__fastcall *DoAbout_orig)();
int (__fastcall *GameOver_orig)(int x);

// Replacement for Minesweeper's GameOver: passes straight through to the original.
int __fastcall GameOver(int x) {
   // Call the trampoline, not ourselves (calling GameOver here recursed forever).
   return GameOver_orig(x);
}

// Replacement for the About handler: trigger GameOver(1), i.e. a win, instead.
void __fastcall DoAbout() {
   GameOver_orig(1);
}

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
   switch (reason)
   {
   case DLL_PROCESS_ATTACH:
      // Detours 1.x API: overwrite the first bytes of the target with a jmp to
      // our replacement and return a trampoline that runs the original function.
      GameOver_orig = (int(__fastcall*)(int))DetourFunction((PBYTE)0x0100347C, (PBYTE)GameOver);
      DoAbout_orig  = (void(__fastcall*)())DetourFunction((PBYTE)0x01003D1D, (PBYTE)DoAbout);
      break;
   case DLL_PROCESS_DETACH:
      break;
   }

   return TRUE;
}


If you compile it and inject the DLL into Minesweeper, you will win the game every time you press About.


Didn't Wiccaan do the exact same thing, or am I mistaken?


systat
Advanced Cheater
Reputation: 0

Joined: 15 Feb 2008
Posts: 54

Posted: Thu Feb 28, 2008 12:42 pm

I don't know; I know I coded this by myself.

@ Ridor

I used IDA Pro to find program function calls, but in most applications that you open with IDA Pro, you will only get starting addresses of functions, and functions will be named like

sub_12345

Ridor
Newbie cheater
Reputation: 0

Joined: 28 Feb 2008
Posts: 14

Posted: Thu Feb 28, 2008 12:56 pm

systat wrote:
I don't know; I know I coded this by myself.

@ Ridor

I used IDA Pro to find program function calls, but in most applications that you open with IDA Pro, you will only get starting addresses of functions, and functions will be named like

sub_12345


Alright, thanks for that tip. One last question before I spend 2 months researching this stuff. Is it possible that after I get it all up and running like I want it to using winject and stuff, I could eventually automate the winject part in my own program? That way, if I were to distribute my application, all they would have to do is run my program, then launch the game for my modifications to take place.

systat
Advanced Cheater
Reputation: 0

Joined: 15 Feb 2008
Posts: 54

Posted: Thu Feb 28, 2008 1:04 pm

Sure, you can write your own dll injector, it's not complicated.

the_undead
Expert Cheater
Reputation: 1

Joined: 12 Nov 2006
Posts: 235
Location: Johannesburg, South Africa

Posted: Thu Feb 28, 2008 1:05 pm

Have a look through www.rootkit.com

Flyte
Peanuts!!!!
Reputation: 6

Joined: 19 Apr 2006
Posts: 1887
Location: Canada

Posted: Thu Feb 28, 2008 1:55 pm

Ridor wrote:
Alright, thanks for that tip. One last question before I spend 2 months researching this stuff. Is it possible that after I get it all up and running like I want it to using winject and stuff, I could eventually automate the winject part in my own program? That way, if I were to distribute my application, all they would have to do is run my program, then launch the game for my modifications to take place.


Eidolon Injector:
http://forum.cheatengine.org/viewtopic.php?t=150901&postdays=0&postorder=asc&start=0

I made that a while back and posted it, it should be sufficient to teach you how to inject a dll.

Also, just place a jmp instruction at the beginning of the function, and have it redirect to your own proxy function to dump information.

rapion124
Grandmaster Cheater Supreme
Reputation: 0

Joined: 25 Mar 2007
Posts: 1095

Posted: Thu Feb 28, 2008 5:50 pm
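An added example from the other side of the fence, not code from this thread or from the Detours library. Both systat's DetourFunction call and the jmp Flyte describes work by overwriting the first bytes of the target function with a jump, and that is exactly what an integrity check can look for: read the live entry bytes, compare them with a trusted copy (for instance the same bytes taken from the on-disk image), and if they differ, recognise the common stub shapes. The byte sequences below are constructed for the demonstration; the function address 0x0100347C is the Minesweeper address used earlier in the thread, and the jump destination 0x10001000 is a hypothetical address standing in for wherever an injected DLL might be mapped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the leading bytes of a function look like, compared with a trusted copy. */
typedef enum {
    HOOK_NONE = 0,       /* prologue identical to the reference copy */
    HOOK_JMP_REL32,      /* E9 rel32        : relative jmp, the classic Detours stub */
    HOOK_JMP_INDIRECT,   /* FF 25 addr32    : jmp [addr], jumps through a pointer */
    HOOK_PUSH_RET,       /* 68 addr32 C3    : push addr; ret */
    HOOK_MOV_JMP,        /* B8 addr32 FF E0 : mov eax, addr; jmp eax */
    HOOK_UNKNOWN_PATCH   /* bytes differ, but no recognised stub shape */
} hook_kind;

/* Compare the first n bytes of a function as they sit in memory ("live")
   with a trusted reference copy of the same bytes, and when they differ,
   classify the patch by the stub shapes inline hooks commonly leave behind. */
hook_kind classify_prologue(const uint8_t *live, const uint8_t *reference, size_t n)
{
    if (n == 0 || memcmp(live, reference, n) == 0)
        return HOOK_NONE;
    if (n >= 5 && live[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25)
        return HOOK_JMP_INDIRECT;
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3)
        return HOOK_PUSH_RET;
    if (n >= 7 && live[0] == 0xB8 && live[5] == 0xFF && live[6] == 0xE0)
        return HOOK_MOV_JMP;
    return HOOK_UNKNOWN_PATCH;
}

/* For an E9 stub, recover where control goes: the target is the address of
   the instruction after the 5-byte jmp plus the signed 32-bit displacement.
   func_addr is the virtual address the live bytes were read from; unsigned
   32-bit wraparound gives the same answer as signed addition. */
uint32_t jmp_rel32_target(const uint8_t *live, uint32_t func_addr)
{
    uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8)
                 | ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
    return func_addr + 5u + rel;
}

const char *hook_kind_name(hook_kind k)
{
    switch (k) {
    case HOOK_NONE:         return "clean";
    case HOOK_JMP_REL32:    return "jmp rel32 (detour)";
    case HOOK_JMP_INDIRECT: return "jmp [addr]";
    case HOOK_PUSH_RET:     return "push/ret";
    case HOOK_MOV_JMP:      return "mov eax / jmp eax";
    default:                return "unknown patch";
    }
}

/* Constructed sample data (not captured from a real process).
   Reference: a typical 32-bit prologue, push ebp; mov ebp,esp; sub esp,10h; push ebx; push esi */
const uint8_t kReferencePrologue[8] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56 };

/* The same function after a detour: first five bytes replaced by jmp rel32 to the
   hypothetical address 0x10001000, for a function at 0x0100347C (the Minesweeper
   address from the thread): rel32 = 0x10001000 - (0x0100347C + 5) = 0x0EFFDB7F, little-endian. */
const uint8_t kLiveDetoured[8] = { 0xE9, 0x7F, 0xDB, 0xFF, 0x0E, 0x10, 0x53, 0x56 };

/* Another constructed variant: push 0x10001000; ret */
const uint8_t kLivePushRet[8] = { 0x68, 0x00, 0x10, 0x00, 0x10, 0xC3, 0x53, 0x56 };

#define SAMPLE_FUNC_ADDR 0x0100347Cu

int main(void)
{
    hook_kind k = classify_prologue(kLiveDetoured, kReferencePrologue, sizeof kLiveDetoured);
    printf("function at 0x%08X: %s\n", SAMPLE_FUNC_ADDR, hook_kind_name(k));
    if (k == HOOK_JMP_REL32)
        printf("  control diverted to 0x%08X\n", jmp_rel32_target(kLiveDetoured, SAMPLE_FUNC_ADDR));
    printf("push/ret sample: %s\n",
           hook_kind_name(classify_prologue(kLivePushRet, kReferencePrologue, 8)));
    printf("unpatched sample: %s\n",
           hook_kind_name(classify_prologue(kReferencePrologue, kReferencePrologue, 8)));
    return 0;
}
```

The comparison against a reference copy is what makes this robust: a function that legitimately starts with a jmp (a tail call, a compiler thunk) compares clean, while a patched one is flagged even when the stub shape is unknown. In a real check the reference bytes come from a trusted source such as the mapped file on disk, with relocations applied.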

You need to debug the program in Olly. You need to know what register (or the stack) holds when the game calls the function.

Do you know the function name that does damage? If you do, find the address, set up a breakpoint there, and hit something. Olly will freeze the game and you can start tracing.

Ridor
Newbie cheater
Reputation: 0

Joined: 28 Feb 2008
Posts: 14

Posted: Thu Feb 28, 2008 11:03 pm

rapion124 wrote:
You need to debug the program in Olly. You need to know what register (or the stack) holds when the game calls the function.

Do you know the function name that does damage? If you do, find the address, set up a breakpoint there, and hit something. Olly will freeze the game and you can start tracing.


No, I don't know the function name. I opened up domo.exe with IDA Pro to try and see what functions it listed, just out of curiosity, and it only listed 2 other than the DLL imports from things like DirectX.

The two functions it listed were "Start" and "Nullsub_1". Start just seems to call nullsub_1, and nullsub_1 doesn't look like it does anything except return. Is this going to be a problem? Is the game using some kind of protection to hide its functions?

systat
Advanced Cheater
Reputation: 0

Joined: 15 Feb 2008
Posts: 54

Posted: Fri Feb 29, 2008 4:31 am

Try detouring Notepad or Minesweeper functions for a start; there, all function names are visible.

Ridor
Newbie cheater
Reputation: 0

Joined: 28 Feb 2008
Posts: 14

Posted: Fri Feb 29, 2008 7:29 am

systat wrote:
Try detouring Notepad or Minesweeper functions for a start; there, all function names are visible.



Yeah, I'm trying to make something for InkBall right now. IDA Pro showed a billion functions for it lol.

I caught the flu yesterday and I feel completely horrible this morning. The fever and stuff I can stand, it's just the dang sore throat. Every time I swallow or cough it hurts like hell. But... the damn flu ain't going to stop me from learning!

EDIT: Systat, I was trying your sample and when trying to compile, I get "DetourFunction: identifier not found". I'm using Detours 2.1 Express; what are you using?

EDIT2: OK, I got it working using Detours 1.5. Your Minesweeper example is for the Windows XP version, I think, so I decided to write my own for the Vista version. I can't get it to hook the functions correctly, though. Using IDA Pro I found the function for About() and I got the address IDA Pro said it started at and used that for this:

IncrementScore_orig=(void(__fastcall*)())DetourFunction((PBYTE)0x0101FED4,(PBYTE)IncrementScore);

(Ignore the Increment Score name, when I'm testing I don't usually update function names. Was testing on inkball increasement score function before this one, it didn't work either.)

Is the starting address the wrong address to use?

I know the DLL is being injected properly because I placed a messagebox on process attach switch case and it does display the messagebox when I inject the DLL.