Freiza (Grandmaster Cheater; Reputation: 22; Joined: 28 Jun 2010; Posts: 662)
Posted: Thu Aug 05, 2010 1:35 pm   Post subject: Help with code injection tutorial 8! revised question
How do I solve Cheat Engine tutorial 8 with code injection?
My steps:
1) Found the value
2) Memory on write
Original code:
Code:
mov [ebx+18],edi
lea edx,[ebp-04]
My code:
Code:
mov [ebx+18],1388 //1388 == 5000d
lea edx,[ebp-04]
But it's not working.
Last edited by Freiza on Fri Aug 06, 2010 2:32 am; edited 1 time in total
Geri (Moderator; Reputation: 111; Joined: 05 Feb 2010; Posts: 5636)
Posted: Thu Aug 05, 2010 6:39 pm
Step 8 is about multi-level pointers.
Step 7 is code injection.
Task:
Code injection is a technique where one injects a piece of code into the target process, and then reroute the
execution of code to go through your own written code
In this tutorial you'll have a health value and a button that will decrease your health with 1 each time you click it.
Your task is to use code injection to increase the value of your health with 2 every time it is clicked
Working script:
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
0045A063:
jmp newmem
nop
returnhere:
newmem:
add [ebx+00000310],2
originalcode:
//dec [ebx+00000310]
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
0045A063:
dec [ebx+00000310]
//Alt: db FF 8B 10 03 00 00
justa_dude (Grandmaster Cheater; Reputation: 23; Joined: 29 Jun 2010; Posts: 892)
Posted: Thu Aug 05, 2010 8:08 pm
The problem is that you're looking at a value at the end of the pointer chain. When you hit the "change pointer" button, it no longer points to the value being compared to 5000. If you wanna' hack it by injection, you wanna' look for the code that compares against the constant 5000. In a "real-world" application, where you didn't know what condition was allowing success, you'd probably instead spy on the (well known) API calls to manipulate common controls - enablewindow to set the next button to active, setwindowtext to change the static text control, etc.
Cheers,
adude
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(address)
registersymbol(address)
Tutorial.exe+59B6F:
jmp newmem
nop
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
push ecx //grab the address
lea ecx,[eax+18] //not required for this hack
mov [address],ecx //but probably answers
pop ecx //the inevitable next question
mov [eax+18],#5000
originalcode:
cmp [eax+18],00001388
exit:
jmp returnhere
address:
dd 0
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
unregistersymbol(address)
Tutorial.exe+59B6F:
cmp [eax+18],00001388
//Alt: db 81 78 18 88 13 00 00
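Both scripts in this thread (Geri's at 0045A063 and justa_dude's at Tutorial.exe+59B6F) overwrite the original instruction with a 5-byte `jmp newmem` and pad with NOPs, and both leave the original bytes in a `//Alt: db ...` comment. The Python below is an added example, not code from the thread or from Cheat Engine: it takes those two byte sequences, works out the NOP padding each site needs (1 and 2, as the scripts show), and then does what an integrity check in a program would do with a snapshot of those bytes: report whether the site is intact, carries a `jmp rel32` hook (and where it lands), or was modified some other way. The 0x00400000 image base used to turn `Tutorial.exe+59B6F` into an absolute address, the `newmem` target address and the snapshot bytes are constructed for the example.

```python
# Added example (not from the thread): analyse a hooked code site from its bytes.
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump the auto-assembler emits for "jmp newmem"
JMP_LEN = 5
NOP = 0x90

# Assumed image base for Tutorial.exe (constructed; the thread only gives the offset +59B6F)
IMAGE_BASE = 0x00400000
GERI_SITE = 0x0045A063                # "dec [ebx+00000310]" site from Geri's script
DUDE_SITE = IMAGE_BASE + 0x59B6F      # "cmp [eax+18],00001388" site from justa_dude's script

# Original instruction bytes, taken from the two "//Alt: db ..." lines in the thread
ORIGINAL_SITES = {
    GERI_SITE: bytes.fromhex("FF8B10030000"),     # dec dword [ebx+0x310]      (6 bytes)
    DUDE_SITE: bytes.fromhex("81781888130000"),   # cmp dword [eax+0x18],0x1388 (7 bytes)
}


def nop_padding(original: bytes) -> int:
    """NOPs needed after a 5-byte JMP so the patch covers exactly the original instruction."""
    if len(original) < JMP_LEN:
        raise ValueError("a 5-byte JMP would spill into the next instruction")
    return len(original) - JMP_LEN


def build_jmp(site: int, target: int, original_len: int) -> bytes:
    """Encode 'jmp target' at site and pad with NOPs to original_len (what the scripts emit)."""
    rel = target - (site + JMP_LEN)                       # rel32 is relative to the next instruction
    return bytes([JMP_REL32]) + struct.pack("<i", rel) + bytes([NOP]) * (original_len - JMP_LEN)


def jmp_target(site: int, site_bytes: bytes) -> int:
    """Decode where an E9 jump at site lands."""
    (rel,) = struct.unpack_from("<i", site_bytes, 1)
    return (site + JMP_LEN + rel) & 0xFFFFFFFF


def classify_site(site: int, snapshot: bytes) -> dict:
    """Compare the bytes now at `site` with the known original and report what happened."""
    original = ORIGINAL_SITES[site]
    current = bytes(snapshot[:len(original)])
    if current == original:
        return {"state": "intact"}
    if current and current[0] == JMP_REL32 and all(b == NOP for b in current[JMP_LEN:]):
        return {"state": "jmp_hook",
                "target": jmp_target(site, current),
                "nops": len(current) - JMP_LEN}
    return {"state": "modified", "bytes": current.hex()}


if __name__ == "__main__":
    for site, original in ORIGINAL_SITES.items():
        print(f"{site:#010x}: {len(original)} original bytes -> jmp + {nop_padding(original)} nop(s)")
    patched = build_jmp(GERI_SITE, 0x02000000, len(ORIGINAL_SITES[GERI_SITE]))  # constructed newmem
    print(classify_site(GERI_SITE, ORIGINAL_SITES[GERI_SITE]))
    print(classify_site(GERI_SITE, patched))
```

The padding rule is the reason Geri's script has one `nop` after the jump and justa_dude's has two: a 6-byte `dec` leaves 1 byte to cover, a 7-byte `cmp` leaves 2. The same byte comparison, run against the live process, is how a tamper check notices that a compare or decrement has been rerouted.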
Freiza (Grandmaster Cheater; Reputation: 22; Joined: 28 Jun 2010; Posts: 662)
Posted: Fri Aug 06, 2010 1:39 am   Post subject: Mr. Geri. You are getting me wrong.
To Geri:
Dear Geri, I was trying to solve tutorial 8 with code injection. I do know it is a multilevel pointer.
Mr. Justa_dude got me right.
To Justa_dude:
Anyway, how did you reach Tutorial.exe+59B6F?
I did both memory-on-write and memory-on-access, but it always breaks at
00459862 - 89 7b 18 - mov [ebx+18],edi
Geri (Moderator; Reputation: 111; Joined: 05 Feb 2010; Posts: 5636)
Posted: Fri Aug 06, 2010 4:37 am
Oh I see. I was totally confused.
justa_dude (Grandmaster Cheater; Reputation: 23; Joined: 29 Jun 2010; Posts: 892)
Posted: Fri Aug 06, 2010 8:24 am   Post subject: Re: Mr. Geri. You are getting me wrong.
freiza wrote:
    Anyway, how did you reach Tutorial.exe+59B6F?
    I did both memory-on-write and memory-on-access, but it always breaks at
    00459862 - 89 7b 18 - mov [ebx+18],edi
I cheated. I knew that the tutorial was comparing the value against 5000, so I looked for that compare. That's related to what I was saying earlier - in a "real" app, you'd probably wanna' set a breakpoint on setwindowtext or sprintf or something else to try to find the value. The searches you're using aren't working because they only find the pointers that become invalid when you click the "change pointer" button.
TBH, this isn't the best example of a case where you'd grab a pointer via injection. In a real game, the pointers would likely only be reset when you load a new level or die or something significant - you're not going to be concerned with what their values are AFTER they change but before the event that triggers your injection happens again (i.e., what your health is while you're loading a new level).
Cheers,
adude
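The point made twice in this thread, that the address a write/access breakpoint hands you is the end of a pointer chain and stops being valid once "change pointer" reallocates, is easier to see on a small model. The Python below is an added example, not code from the thread or from Cheat Engine: it keeps a constructed memory snapshot as a map of base address to byte block, resolves a three-level chain `[[[static]+0C]+14]+18` the way a pointer scan would, then reallocates the last block the way the tutorial button does and shows that the previously found address is unmapped while re-walking the chain from the static base still reaches the value. The static address 0x00470000, the block addresses, the offsets and the health value 100 are all constructed; only the final `+18` mirrors the `[ebx+18]` / `[eax+18]` accesses quoted in the thread.

```python
# Added example (not from the thread): multi-level pointer resolution on a constructed snapshot.
import struct

STATIC_PTR = 0x00470000            # constructed "static" pointer inside the image
OFFSETS = [0x0C, 0x14, 0x18]       # constructed chain: [[[STATIC_PTR]+0C]+14]+18 holds the value


def read_u32(mem: dict, addr: int) -> int:
    """Read a little-endian dword from a {base_address: bytearray} snapshot."""
    for base, blob in mem.items():
        if base <= addr and addr + 4 <= base + len(blob):
            return struct.unpack_from("<I", blob, addr - base)[0]
    raise KeyError(f"unmapped read at {addr:#010x}")


def is_mapped(mem: dict, addr: int) -> bool:
    return any(base <= addr and addr + 4 <= base + len(blob) for base, blob in mem.items())


def new_block(size: int, words: dict) -> bytearray:
    """Constructed heap block: zero-filled, with dwords stored at the given offsets."""
    blob = bytearray(size)
    for off, val in words.items():
        struct.pack_into("<I", blob, off, val)
    return blob


def build_snapshot() -> dict:
    """Constructed memory before the 'change pointer' button is pressed."""
    return {
        STATIC_PTR: new_block(4, {0: 0x01000000}),        # static pointer -> level-1 block
        0x01000000: new_block(0x40, {0x0C: 0x01100000}),  # level 1: +0C -> level-2 block
        0x01100000: new_block(0x40, {0x14: 0x01200000}),  # level 2: +14 -> level-3 block
        0x01200000: new_block(0x40, {0x18: 100}),         # level 3: +18 holds the health value
    }


def resolve_chain(mem: dict, static_base: int, offsets: list) -> int:
    """Walk the chain and return the FINAL ADDRESS (not the value), like a pointer scan result."""
    addr = read_u32(mem, static_base)
    for off in offsets[:-1]:
        addr = read_u32(mem, addr + off)
    return addr + offsets[-1]


def change_pointer(mem: dict, static_base: int, offsets: list, new_addr: int) -> None:
    """Mimic the tutorial button: move the last block elsewhere and repoint its parent."""
    addr = read_u32(mem, static_base)
    for off in offsets[:-2]:
        addr = read_u32(mem, addr + off)
    parent, slot = addr, offsets[-2]
    old_block = read_u32(mem, parent + slot)
    mem[new_addr] = mem.pop(old_block)               # old block is freed, contents move
    struct.pack_into("<I", mem[parent], slot, new_addr)


def demo() -> tuple:
    """Returns (address found before the click, is it stale now, address found after, value)."""
    mem = build_snapshot()
    found = resolve_chain(mem, STATIC_PTR, OFFSETS)      # what a breakpoint on [ebx+18] recorded
    change_pointer(mem, STATIC_PTR, OFFSETS, 0x01300000)  # constructed new block address
    stale = not is_mapped(mem, found)                    # the recorded address no longer exists
    fresh = resolve_chain(mem, STATIC_PTR, OFFSETS)      # re-walking from the static base still works
    return found, stale, fresh, read_u32(mem, fresh)


if __name__ == "__main__":
    found, stale, fresh, value = demo()
    print(f"before click: {found:#010x}; stale after click: {stale}; after click: {fresh:#010x} = {value}")
```

This is the same reasoning that applies when carving structures out of a memory image: an address captured at one moment is only meaningful while the allocation behind it lives, so anything that needs the value later has to re-derive it from a stable anchor rather than cache the leaf address.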