Cheat Engine The Official Site of Cheat Engine
anthor (How do I cheat?)
Reputation: 0 | Joined: 28 Dec 2009 | Posts: 6
Posted: Mon Dec 28, 2009 1:27 pm | Post subject: Hooked Api Send, but how to get Socket ID?
I have hooked the API send, but how do I retrieve the socket id?
I'm using Delphi, and I have no idea at all... please guide me...!
Stylo (Grandmaster Cheater Supreme)
Reputation: 3 | Joined: 16 May 2007 | Posts: 1073 | Location: Israel
Posted: Mon Dec 28, 2009 1:33 pm
When the send function is called, the socket's id is pushed onto the stack.
You can use inline assembly to get it:
Code:
asm
  push ebp
  mov ebp,esp
  // [ebp] = the ebp value that we pushed earlier, [ebp+4] = the return
  // address to the original code, and [ebp+8] is the socket's id
  mov eax,[ebp+0x8]
end;

I guess 0x8 won't work in Delphi since it has another way to present hexadecimal numbers,
but that's the way.
And if you'd like to move the socket's id to your variable instead of the eax register, just use
Code:
mov dword ptr ds:[myVar],eax

Hope you got it.
anthor (How do I cheat?)
Reputation: 0 | Joined: 28 Dec 2009 | Posts: 6
Posted: Mon Dec 28, 2009 2:08 pm
Still blurry with asm... it's ok... this is my code, let me show you:
Code:
uses
  Windows;

type
  PData = ^TData;
  TData = record
    Hook: THandle;
    Hooked: Boolean;
  end;

var
  DLLData: PData;
  ProcessHandle: THandle;   // was used below but never declared
  AddSend: Pointer;         // address of ws2_32!send, was never declared

procedure HookAPI; forward; // HookAPI is called before it is defined

// A WH_GETMESSAGE hook procedure must be a function returning LRESULT and
// must return what CallNextHookEx returns
function HookProc(nCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
begin
  if not DLLData^.Hooked then
  begin
    HookAPI;
    DLLData^.Hooked := True;
  end;
  Result := CallNextHookEx(DLLData^.Hook, nCode, wParam, lParam);
end;

function InstallHook(SWindow: HWND): Boolean; stdcall;
var
  ThreadID: DWORD;
begin
  Result := False;
  if DLLData = nil then
    New(DLLData);           // DLLData was never allocated
  DLLData^.Hook := 0;
  DLLData^.Hooked := False;
  ThreadID := GetWindowThreadProcessId(SWindow, nil);
  DLLData^.Hook := SetWindowsHookEx(WH_GETMESSAGE, @HookProc, HInstance, ThreadID);
  Result := DLLData^.Hook <> 0; // whether the hook succeeded
end;

procedure HookAPI;
var
  DLLModule: HMODULE;
begin
  ProcessHandle := GetCurrentProcess;
  DLLModule := LoadLibrary('ws2_32.dll');
  AddSend := GetProcAddress(DLLModule, 'send');
end;

So, we get the send address and store it in AddSend; which address do I have to push, or what =.=... blurring....
And one more question, that 0x8? Why + 8 bytes? I think Delphi stores it as 8 bytes too.
&Vage (Grandmaster Cheater Supreme)
Reputation: 0 | Joined: 25 Jul 2008 | Posts: 1053
Posted: Mon Dec 28, 2009 3:45 pm
Because that's where the socket is stored on the stack.
anthor (How do I cheat?)
Reputation: 0 | Joined: 28 Dec 2009 | Posts: 6
Posted: Mon Dec 28, 2009 11:37 pm
So now I hook the send function and then jump to my own following code:
Code:
asm
  push ebp
  mov ebp,esp
  // [ebp] = the ebp value that we pushed earlier, [ebp+4] = the return
  // address to the original code, and [ebp+8] is the socket's id
  mov eax,[ebp+0x8]
end;

Then get the socket id and jmp back to the original send address?
Am I right??
Stylo (Grandmaster Cheater Supreme)
Reputation: 3 | Joined: 16 May 2007 | Posts: 1073 | Location: Israel
Posted: Tue Dec 29, 2009 12:21 am
No.
This isn't a memory redirection that should return to its original code.
This is just code (only in assembly instead of Delphi); you just run it as it is.
anthor (How do I cheat?)
Reputation: 0 | Joined: 28 Dec 2009 | Posts: 6
Posted: Tue Dec 29, 2009 3:23 am
Gosh.....
I don't understand at all, then what do I need to hook?..
It would be better if you gave me some example, man... thanks!
Stylo (Grandmaster Cheater Supreme)
Reputation: 3 | Joined: 16 May 2007 | Posts: 1073 | Location: Israel
Posted: Tue Dec 29, 2009 11:57 am
Redirecting code is when you're editing another process's memory to jump to your own code,
like:
Code:
// original code could be (memory map)
0xFFFFFFFD: mov edi,edi
0xFFFFFFFE: push ebp
0xFFFFFFFF: mov ebp,esp
// but when you want the address 0xFFFFFFFD to jump to your own code instead of continuing,
// you use the formula [destination address - source address - 5], which means
<myHookingFunc> - 0xFFFFFFFD - 5 = the number of bytes to jump to myHookingFunc
// and in your hooking function you write your own code in assembly, because that's the
// easiest access to the stack and from there to the socket's id

Just for the record, these addresses are just random addresses that I picked now.
Now, when you write assembly code in your program it's just as if you write it in Delphi; the compiler compiles it to assembly anyway, so it won't matter. It's just the easiest way to access your memory.
anthor (How do I cheat?)
Reputation: 0 | Joined: 28 Dec 2009 | Posts: 6
Posted: Sat Feb 20, 2010 8:59 pm
Here is what I understand...
Example:
Code:
// send func from ws2_32.dll
0xFFFFFFFD: mov edi,edi // send address
0xFFFFFFFE: push ebp
0xFFFFFFFF: mov ebp,esp

DLLModule := LoadLibrary('ws2_32.dll');
AddSend := GetProcAddress(DLLModule, 'send');
Ok, now in AddSend I get 0xFFFFFFFD.
I change the asm using WriteProcessMemory:
0xFFFFFFFD: mov edi,edi
becomes
0xFFFFFFFD: JMP 0x00400000
0x00400000 is my ABC func address.
Here is my ABC func code:
Code:
ABC:
asm
  push ebp
  mov ebp,esp
  mov eax,[ebp+0x8]
  mov dword ptr ds:[Socket_ID],eax
  JMP 0xFFFFFFFE // ok, now I get what I want, then jmp back to the original code
end;

Am I right?? Now I get the socket ID in my variable Socket_ID..
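To see why [ebp+8] holds the socket after push ebp / mov ebp,esp (Stylo's first reply), and what the stack looks like when a hook runs its own prologue and then jumps back onto send's original push ebp (the ABC function above), here is an added C model of a 32-bit stdcall stack; it is not code from the thread, and the socket handle, buffer address and return address it uses are made-up sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Tiny model of a 32-bit stack (constructed, not real memory): 32 dwords;
 * esp and ebp hold byte offsets into it, like x86 addresses. */
#define STACK_BYTES 128
typedef struct { uint32_t mem[STACK_BYTES / 4]; uint32_t esp, ebp; } Cpu;

static void push(Cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t load(const Cpu *c, uint32_t addr) { return c->mem[addr / 4]; }

/* stdcall "call send(s, buf, len, flags)": arguments are pushed right to
 * left, then the call instruction pushes the return address. */
static void call_send(Cpu *c, uint32_t s, uint32_t buf, uint32_t len,
                      uint32_t flags, uint32_t ret) {
    push(c, flags); push(c, len); push(c, buf); push(c, s);
    push(c, ret);
}

/* push ebp; mov ebp,esp */
static void prologue(Cpu *c) { push(c, c->ebp); c->ebp = c->esp; }

/* Run one call with sample values, apply the prologue 'prologues' times
 * (1 = the hook's own prologue; 2 = hook prologue, then jumping back onto
 * send's original push ebp) and return the dword at [ebp+offset]. */
static uint32_t frame_word(int prologues, uint32_t offset) {
    Cpu c = { {0}, STACK_BYTES, 0xBBBB0000 };          /* empty stack, caller's ebp */
    call_send(&c, 0x1A4, 0x00401000, 64, 0, 0x71000123); /* sample socket = 0x1A4 */
    for (int i = 0; i < prologues; i++) prologue(&c);
    return load(&c, c.ebp + offset);
}

int main(void) {
    printf("one prologue:  [ebp+8] = 0x%X (the socket)\n", frame_word(1, 8));
    printf("two prologues: [ebp+8] = 0x%X (the return address; socket is now at [ebp+12])\n",
           frame_word(2, 8));
    return 0;
}
```

Note also that once the 5-byte JMP has been written at 0xFFFFFFFD, the original push ebp at 0xFFFFFFFE no longer exists as an instruction: its bytes are part of the JMP's displacement, which is why detour code keeps a copy of the overwritten bytes and jumps back to send+5 instead.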
anthor (How do I cheat?)
Reputation: 0 | Joined: 28 Dec 2009 | Posts: 6
Posted: Mon Mar 08, 2010 1:16 am
_DoR?? please...
pkedpker (Master Cheater)
Reputation: 1 | Joined: 11 Oct 2006 | Posts: 412
Posted: Thu Mar 11, 2010 6:39 pm
I do this in C++.
After redirection is complete.. as you can see, SOCKET sock is the socketId.
Note that I don't use any assembly at all, I don't want to complicate the code, but only in the DetourFunction method you will see a few 0xE8/0xE9's for assembly CALL/JMP's.
Code:
#include <winsock2.h> // SOCKET, WINAPI

int WINAPI myDetouredSend(SOCKET sock, char* buf, int len, int flags)
{
    // temp packet; it is binary data, so take the length from the array
    // instead of strlen, which would stop at the first \x00 byte
    static const char makePacket[] = "\x01\x02\x03\x04\x05\x06"; // etc..
    int size = sizeof(makePacket) - 1;              // drop the terminating NUL
    char* sendPacket = new char[size];
    memcpy(sendPacket, makePacket, size);           // transfer it to pointer
    int ret = osend(sock, sendPacket, size, flags); // original send via the trampoline
    delete[] sendPacket;                            // was leaked in the original
    return ret;
}

I haven't done C++ coding in a while, not sure if that even compiles, just showing how I would do it.
myDetouredSend and osend are both addresses, but osend is the original send address where it jumps back; I declare it with typedef'ing.
Code:
// original send, reached through the trampoline that DetourFunc returns
typedef int (WINAPI* r_send)(SOCKET sock, char* buf, int len, int flags);
r_send osend;

How I get the original address, similar to your WINAPI calls:
Code:
// gets the original address for send (GetProcAddress returns a FARPROC, hence the cast)
DWORD dwSendOriAddr = (DWORD)GetProcAddress(GetModuleHandleA("ws2_32.dll"), "send");

No idea in Delphi, sorry, could be similar. I use this in a DLL injection method.
Here is the DetourFunction method I use.
Code:
#include <windows.h>

void *DetourFunc(BYTE *src, const BYTE *dst, const int len)
{
    // trampoline = the 'len' stolen bytes + a jmp back; it gets executed,
    // so it must be executable memory (VirtualAlloc, not malloc, under DEP)
    BYTE *jmp = (BYTE*)VirtualAlloc(NULL, len + 5, MEM_COMMIT | MEM_RESERVE,
                                    PAGE_EXECUTE_READWRITE);
    if (jmp == NULL) return NULL;
    DWORD dwback;
    // keep the page executable while it is being patched
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback);
    memcpy(jmp, src, len); jmp += len;
    jmp[0] = 0xE9;                                  // jmp rel32 back to src+len
    *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;  // rel32 = target - (jmp + 5)
    src[0] = 0xE9;                                  // jmp rel32 from src to dst
    *(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
    VirtualProtect(src, len, dwback, &dwback);
    FlushInstructionCache(GetCurrentProcess(), src, len);
    return (jmp-len);
}

As you can see, the function above does 2 things: it redirects your found address where the send function is loaded in the application/game (which nearly always changes when you restart the game).
It replaces the address with the function in your DLL injection, which is also generated when your DLL is injected, and in the end it returns the address of the original jump back to the send function.
I use it like this:
Code:
osend = (r_send)dwSendOriAddr; // osend must hold the original send address first
osend = (r_send)DetourFunc((BYTE*)osend, (BYTE*)&myDetouredSend, 5); // now the trampoline
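The displacement formula Stylo gives ([destination address - source address - 5]) and the trampoline DetourFunc builds can both be checked without touching a live process. The C program below is an added example, not code from this thread: it works on a constructed byte array standing in for the process image, installs the 5-byte detour the way DetourFunc does, decodes both jumps back, and ends with the integrity check a defender would run, namely whether a function's entry now jumps outside the module that owns it.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed fake process image, not real memory: bytes [0,32) stand for
 * ws2_32.dll with send at offset 0 (hot-patchable prologue mov edi,edi; push ebp;
 * mov ebp,esp = 8B FF 55 8B EC), offset 32 is the injected hook, 64 the trampoline. */
static uint8_t image[96] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
#define SEND_FN   (image + 0)
#define HOOK_FN   (image + 32)
#define TRAMP     (image + 64)
#define MOD_START (image + 0)
#define MOD_LEN   32u

/* Write "E9 rel32" at 'at' jumping to 'dst': rel32 = dst - (at + 5), i.e. "dst - src - 5". */
static void write_jmp(uint8_t *at, const uint8_t *dst) {
    uint32_t rel = (uint32_t)(int32_t)(dst - (at + 5));
    at[0] = 0xE9;
    for (int i = 0; i < 4; i++) at[1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian */
}

/* Decode where an "E9 rel32" located at 'at' jumps to. */
static const uint8_t *jmp_target(const uint8_t *at) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)at[1 + i] << (8 * i);
    return at + 5 + (int32_t)rel;
}

/* DetourFunc's steps: save the stolen bytes, append a jmp back to src+len, patch src. */
static uint8_t *install_detour(uint8_t *src, const uint8_t *dst, uint8_t *tramp, size_t len) {
    memcpy(tramp, src, len);
    write_jmp(tramp + len, src + len);
    write_jmp(src, dst);
    return tramp;
}

/* Defender's check: does fn start with a relative jmp leaving its own module? 1 = yes. */
static int entry_hooked(const uint8_t *fn, const uint8_t *mod, size_t mod_len, const uint8_t **out) {
    if (fn[0] != 0xE9) return 0;
    const uint8_t *t = jmp_target(fn);
    if (out) *out = t;
    return t < mod || t >= mod + mod_len;
}

int main(void) {
    install_detour(SEND_FN, HOOK_FN, TRAMP, 5);
    puts(entry_hooked(SEND_FN, MOD_START, MOD_LEN, NULL) ? "send: entry hooked" : "send: clean");
    return 0;
}
```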