Legend28469 (How do I cheat?)
Reputation: 0
Joined: 17 Oct 2010 Posts: 6 Location: Ontario, Canada
Posted: Mon Oct 18, 2010 1:03 am Post subject: C++ pointer problem
Hey Guys, how ya doin?
Oh, well that's great =D.
So here's the problem:
I finished the CE tutorial a few days ago and figured I'd incorporate some things into my programming (C/C++).
So, I try to create a program that would freeze the value during step 8 of the CE tutorial... although that isn't working out.
Here's the attempt (I think my problem may be that there's no offset... or something... I don't know):
Code:
    #include <Windows.h>
    #include <stdio.h>

    bool freeze = false;

    // Thread routine; 32-bit build assumed, so a pointer fits in a DWORD.
    DWORD WINAPI instantStaticPointerFreeze(LPVOID)
    {
        while (1)
        {
            if (GetAsyncKeyState(VK_F6) & 1)
                freeze = !freeze;
            if (freeze)
            {
                DWORD dwStaticPointer = *(DWORD*)0x002E3838; // Maybe it's 002E3838
                if (dwStaticPointer != 0)
                    *(long*)(dwStaticPointer + 0x0C) = 5000; // C is the offset (0x0C)
            }
            // Sleep(50);
        }
    }

    BOOL WINAPI DllMain(HINSTANCE module, DWORD dwReason, LPVOID lpvReserved) /* Basic function. */
    {
        if (dwReason == DLL_PROCESS_ATTACH) /* Here is "tested" whether the dll has been attached. */
        {
            /* If we get here, everything has gone well. */
            // Create new thread (stack size and creation flags are 0, not NULL)
            CreateThread(NULL, 0, instantStaticPointerFreeze, NULL, 0, NULL);
        }
        return TRUE;
    }
_________________
I used to be Balling, but now I'm Bill Gateing
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon Oct 18, 2010 6:06 am
That code looks okay to me. The only problem I can think of is your GetAsyncKeyState. Because of how fast the loop runs, I've got a feeling that by the time you release the key it will have run again already, in which case it will change the value once and then freeze will be cleared again.
In cases like this, where there is nothing obviously wrong with the code, you can try to debug either by using the built-in Visual Studio debugger or by putting debug statements inside your if (freeze) block. So try to read it first and see what value you get via debug statements. Also, if you restarted another instance of the tutorial, it's possible that the pointers could've changed.
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The Netherlands
Posted: Mon Oct 18, 2010 6:37 am
Are you sure it is 002E3838 and not modulename.xxx+002E3838?
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Legend28469 (How do I cheat?)
Posted: Mon Oct 18, 2010 7:58 am
Okay, what does the xxx stand for?
And... I was trying to create it in a way where I would be able to find the pointer that doesn't change.
Maybe I can inject the dll at step 8 of the CE tutorial, therefore eliminating the need for the GetAsyncKeyState.
Dark Byte (Site Admin)
Posted: Mon Oct 18, 2010 9:18 am
Assuming you got the addresses using CE, it shows addresses in the form of modulename+distance,
e.g. game.exe+002e3838
or tutorial.exe+2e3838
or gamex86.dll+2e3838.
That means: take the base address of the given module and then add 2e3838 to it to get the real address of the base pointer.
Legend28469 (How do I cheat?)
Posted: Mon Oct 18, 2010 11:01 am
Well... umm... can you show me how to implement that code... because I can't figure it out...
    WriteProcessMemory(hProcess, /*(LPVOID)*/hWnd + 0x60C20 /*0x00460C20*/, &newdata, newdatasize, NULL)
I don't think it's even (accessing) changing anything... because the value in step 8... doesn't change at all... nor does the value shown in Cheat Engine...
Slugsnack (Grandmaster Cheater Supreme)
Posted: Mon Oct 18, 2010 4:18 pm
GetModuleHandle will return the address of a given module.
Legend28469 (How do I cheat?)
Posted: Mon Oct 18, 2010 4:23 pm
Soo...
Code:
    // cast the module handle to a byte pointer so the offset is added unscaled
    WriteProcessMemory(hProcess, (LPVOID)((LPBYTE)GetModuleHandleA("Tutorial.exe") + 0x485168), &newdata, newdatasize, NULL)
If this is legit... I only have one problem... I'm not using the right offset... can I get help with that too?
Dark Byte (Site Admin)
Posted: Mon Oct 18, 2010 4:30 pm
Seeing that you use WriteProcessMemory, I really doubt GetModuleHandle will work.
I recommend using Toolhelp32Snapshot combined with Module32First/Module32Next to find the module you need.
Slugsnack (Grandmaster Cheater Supreme)
Posted: Mon Oct 18, 2010 4:48 pm
His code above describes a DLL.
Legend28469 (How do I cheat?)
Posted: Mon Oct 18, 2010 4:50 pm
Well, I've tried both... because I haven't been able to have luck with either of them...
I'd prefer the DLL way if I could get it...
KernelMode (How do I cheat?)
Reputation: 1
Joined: 13 Oct 2010 Posts: 9 Location: Messing around with bits in your kernel for now...
Posted: Tue Oct 19, 2010 7:40 am
Legend28469 wrote:
    Well, I've tried both... because I haven't been able to have luck with either of them...
    I'd prefer the DLL way if I could get it...
The DLL way it is... I completed step 8 long ago, but I opened the tutorial and got back to it to help out with this...
Your problem is that you haven't found the whole pointer! The step even says that it's a 4-level-deep pointer, which means it will have 4 offsets. You only have one offset written in your DLL code, which by the way is the correct first offset, but it's only the first.
I've found it, but in order to not give it away (it's easy to find anyway) I blacked out the second and fourth offsets on the image attached at the bottom. I'll give the third offset though: it's zero... at the instruction "mov edx,[eax]" at address 45981E, as shown in the attached image, just the value of eax is being moved into edx, not the value of eax plus an offset like the other code for this pointer. So the offset there is zero.
It's good to keep the extra info windows open when following a pointer path, so when you reach the end and find the static address, you can backtrack through the extra info windows and get the offsets. The first code you found with the code finder window will contain the last offset, and the last code you found will contain the first offset.
You seem to have made it to the end, because you got the pointer and first offset, but maybe you didn't keep your other extra info windows open, so you couldn't see what the other offsets were. Try again and this time keep them open.
Once you find all four offsets, insert them in here and it should work (I modified your code to make it work):
Note: You'll have to change the question marks '??' into the real offsets, otherwise it won't compile.
Code:
    #include <Windows.h>
    #include <stdio.h>

    bool freeze = false;

    // Thread routine; 32-bit build assumed, so a pointer fits in a DWORD.
    DWORD WINAPI instantStaticPointerFreeze(LPVOID)
    {
        while (1)
        {
            if (GetAsyncKeyState(VK_F6) & 1)
            {
                freeze = !freeze;
                Sleep(250);
                // A 250 ms sleep is good for GetAsyncKeyState hotkeys...
                // Otherwise one key press, no matter how fast you press the key, will run through this code many times,
                // so freeze will be true and false many times on a single key press, and when releasing the key you'll
                // never know which it landed on and whether it's currently true or false.
                // A 250 ms sleep makes it so that after pressing the key it toggles freeze and waits 250 ms before
                // checking again whether the key is pressed.
            }
            if (freeze)
            {
                // DWORD dwStaticPointer = *(DWORD*)0x00460C20; // Tutorial.exe base is 0x00400000 + 60C20
                // If we don't want to assume that that's so...
                // GetModuleHandle with NULL or 0 passed as the parameter returns the base of the current process,
                // in this case Tutorial.exe if it's injected into Tutorial.exe.
                DWORD dwStaticPointer = *(DWORD*)((DWORD)GetModuleHandle(NULL) + 0x60C20);
                if (dwStaticPointer != 0)
                {
                    // Only the static pointer is null-checked here; the intermediate pointers below are dereferenced unchecked.
                    dwStaticPointer = *(DWORD*)(dwStaticPointer + 0x0C); // C is the first offset (0x0C)
                    dwStaticPointer = *(DWORD*)(dwStaticPointer + 0x??); // figure out the second offset
                    dwStaticPointer = *(DWORD*)dwStaticPointer;          // third offset is zero (0x00)
                    *(DWORD*)(dwStaticPointer + 0x??) = 5000;            // figure out the fourth/final offset
                }
                // Alternatively, inline assembler is always there for you ;)
                /*
                _asm
                {
                    push eax
                    mov eax,[dwStaticPointer]
                    test eax,eax
                    je SkipSettingValue
                    mov eax,[eax+0x0c]
                    mov eax,[eax+0x??]
                    mov eax,[eax]
                    mov dword ptr [eax+0x??],5000
                SkipSettingValue:
                    pop eax
                }
                */
            }
            Sleep(10); // Always keep at least a 10 ms sleep in infinite loops, especially when using GetAsyncKeyState/GetKeyState.
                       // Otherwise you'll hog CPU like no other!
        }
    }

    BOOL WINAPI DllMain(HINSTANCE module, DWORD dwReason, LPVOID lpvReserved) /* Basic function. */
    {
        if (dwReason == DLL_PROCESS_ATTACH) /* Here is "tested" whether the dll has been attached. */
        {
            /* If we get here, everything has gone well. */
            // Create new thread (stack size and creation flags are 0, not NULL)
            CreateThread(NULL, 0, instantStaticPointerFreeze, NULL, 0, NULL);
        }
        return TRUE;
    }
Attachment: image, 80.89 KB, viewed 13919 times
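KernelMode's post explains the four-level chain (static pointer, then offsets 0x0C, a second offset, 0x00 and a final offset) and Dark Byte's explains that the static address is module base plus distance. The following added C example, which is not code from the thread, walks such a chain over a constructed in-memory image standing in for the tutorial process, with the check the posted DLL lacks: every level is null- and bounds-checked before it is dereferenced, so a stale or half-initialised pointer is refused rather than written through at address 0+offset. All addresses and the 0x14 and 0x18 offsets are constructed; the real second and fourth offsets are not on the page.

```c
#include <stdint.h>
#include <string.h>
/* Constructed 32-bit "target memory" standing in for the tutorial process (mock
 * base 0). In an injected DLL read_u32 would be a plain dereference; from
 * another process it would be ReadProcessMemory. */
#define IMAGE_SIZE 0x100u
static uint8_t g_image[IMAGE_SIZE];
static int read_u32(uint32_t addr, uint32_t *out)
{   /* bounds-checked 32-bit read; 0 means the address is not readable */
    if (addr > IMAGE_SIZE - 4) return 0;
    memcpy(out, &g_image[addr], 4);
    return 1;
}
static void write_u32(uint32_t addr, uint32_t v) { memcpy(&g_image[addr], &v, 4); }
static uint32_t peek(uint32_t addr) { uint32_t v = 0; read_u32(addr, &v); return v; }
/* Walk a CE-style chain [[[[static]+off0]+off1]+off2]+off3 with n offsets.
 * Every intermediate pointer is validated, not only the first: a zero or
 * unreadable pointer at any level aborts instead of writing through 0+off. */
static int resolve_chain(uint32_t static_addr, const uint32_t *off, size_t n, uint32_t *out)
{
    uint32_t ptr;
    if (n == 0 || !read_u32(static_addr, &ptr) || ptr == 0) return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (!read_u32(ptr + off[i], &ptr) || ptr == 0) return 0;
    *out = ptr + off[n - 1];
    return 1;
}
/* The thread's 4-level layout: 0x0C, a second offset, 0x00, a final offset.
 * 0x14 and 0x18 are constructed stand-ins; the real ones are not on the page. */
static const uint32_t g_offsets[4] = { 0x0C, 0x14, 0x00, 0x18 };
static void build_sample_image(void)
{
    memset(g_image, 0, sizeof g_image);
    write_u32(0x20, 0x40);         /* static pointer at 0x20 -> 0x40       */
    write_u32(0x40 + 0x0C, 0x60);  /* level 1                              */
    write_u32(0x60 + 0x14, 0x80);  /* level 2                              */
    write_u32(0x80 + 0x00, 0xA0);  /* level 3: offset zero (mov edx,[eax]) */
    write_u32(0xA0 + 0x18, 100);   /* the value itself lives at 0xB8       */
}
/* Rebuild the image (optionally zeroing the level-2 pointer), resolve the chain
 * and write 5000 through it. Returns the final address, or 0 if refused. */
static uint32_t freeze_value(int break_level2)
{
    uint32_t addr = 0;
    build_sample_image();
    if (break_level2) write_u32(0x60 + 0x14, 0);
    if (!resolve_chain(0x20, g_offsets, 4, &addr)) return 0;
    write_u32(addr, 5000);
    return addr;
}
```

With the level-2 pointer zeroed the walk returns 0 and the stored value stays 100; with the intact chain it resolves to 0xB8 and the value becomes 5000.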
Legend28469 (How do I cheat?)
Posted: Tue Oct 19, 2010 11:13 pm
WOW... thx a billion... I would've never figured this out by myself... well... I guess I learned something new tonight... Much appreciated.