koodpzok Newbie cheater
Reputation: 0
Joined: 10 Jun 2009 Posts: 11
Posted: Sat Aug 28, 2021 12:08 am Post subject: stuck at implementation of stealthedit in C++

Code:
LONG WINAPI VehHeader::VehHandler(EXCEPTION_POINTERS* pExceptionInfo)
{
    if (pExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION) // We will catch STATUS_ACCESS_VIOLATION
    {
        // (Eip - function page address) + new page address
        MEMORY_BASIC_INFORMATION mbi_eip;
        VirtualQuery((LPVOID)(pExceptionInfo->ContextRecord->Eip), &mbi_eip, sizeof(mbi_eip));
        uintptr_t beginningOfHkPage = (uintptr_t)hkAddr - ((uintptr_t)hkAddr % 0x1000);
        if ((uintptr_t)mbi_eip.BaseAddress == beginningOfHkPage) // Make sure we are at the address we want within the page
        {
            //MessageBoxA(0, std::to_string((uintptr_t)mbi_eip.BaseAddress).c_str(), "(uintptr_t)mbi_eip.BaseAddress", 0);
            auto it = std::find_if(vehPageMappingList.begin(), vehPageMappingList.end(),
                                   [&beginningOfHkPage](std::tuple<unsigned int, unsigned int>& e) { return std::get<0>(e) == beginningOfHkPage; });
            // Found
            uintptr_t allocatedMem = 0; // copied page address
            if (it != vehPageMappingList.end()) {
                allocatedMem = std::get<1>(*it);
            }
            pExceptionInfo->ContextRecord->Eip = (uintptr_t)pExceptionInfo->ContextRecord->Eip - (uintptr_t)mbi_eip.BaseAddress + allocatedMem;
        }
        return EXCEPTION_CONTINUE_EXECUTION; // Continue to next instruction
    }
    return EXCEPTION_CONTINUE_SEARCH; // Keep going down the exception handling list to find the right handler IF it is not STATUS_ACCESS_VIOLATION
}

Hello my CE friends, I'm trying to implement a VEH hook using the same concept as the StealthEdit plugin in CE. I already fixed the calls and jmps after copying the page. I just want to successfully direct the control flow to my copied page first, without placing any hook. The problem I faced is that when I injected, the game just froze. Can anyone point out what is wrong with my code?
_________________
dear VK j-rock
Last edited by koodpzok on Mon Aug 30, 2021 5:51 am; edited 1 time in total

Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25833 Location: The netherlands
Posted: Sat Aug 28, 2021 2:05 am Post subject:
What happens when the target process does an access violation on purpose?
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so I can keep helping

koodpzok Newbie cheater
Posted: Sat Aug 28, 2021 5:03 am Post subject:
The control will come to the VehHeader::VehHandler() function.

Dark Byte Site Admin
Posted: Sat Aug 28, 2021 5:43 am Post subject:
Right, and then it will continue unchanged, immediately triggering again.

 |
koodpzok Newbie cheater
Posted: Sat Aug 28, 2021 9:29 am Post subject:
Dark Byte wrote: right, and then it will continue unchanged, immediately triggering again

You mean once it comes to VehHandler, it will stay inside VehHandler forever without going back to the original page?
So how can I solve this?

Dark Byte Site Admin
Posted: Sat Aug 28, 2021 11:37 am Post subject:
If you don't handle it, search for the next handler.

koodpzok Newbie cheater
Posted: Sat Aug 28, 2021 7:18 pm Post subject:
Dark Byte wrote: if you don't handle it, search for the next handler

I am confused. Doesn't the last line do what you said (i.e. return EXCEPTION_CONTINUE_SEARCH;)?

Dark Byte Site Admin
Posted: Sat Aug 28, 2021 10:28 pm Post subject:
Yes, but you're doing "return EXCEPTION_CONTINUE_EXECUTION" on every access violation.

koodpzok Newbie cheater
Posted: Sat Aug 28, 2021 10:59 pm Post subject:
Dark Byte wrote: yes, but you're doing "return EXCEPTION_CONTINUE_EXECUTION" on every access violation

Code:
LONG WINAPI VehHeader::VehHandler(EXCEPTION_POINTERS* pExceptionInfo)
{
    if (pExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION) // We will catch STATUS_ACCESS_VIOLATION
    {
        // (Eip - function page address) + new page address
        MEMORY_BASIC_INFORMATION mbi_eip;
        VirtualQuery((LPVOID)(pExceptionInfo->ContextRecord->Eip), &mbi_eip, sizeof(mbi_eip));
        uintptr_t beginningOfHkPage = (uintptr_t)hkAddr - ((uintptr_t)hkAddr % 0x1000);
        if ((uintptr_t)mbi_eip.BaseAddress == beginningOfHkPage) // Make sure we are at the address we want within the page
        {
            //MessageBoxA(0, std::to_string((uintptr_t)mbi_eip.BaseAddress).c_str(), "(uintptr_t)mbi_eip.BaseAddress", 0);
            auto it = std::find_if(vehPageMappingList.begin(), vehPageMappingList.end(),
                                   [&beginningOfHkPage](std::tuple<unsigned int, unsigned int>& e) { return std::get<0>(e) == beginningOfHkPage; });
            // Found
            uintptr_t allocatedMem = 0; // copied page address
            if (it != vehPageMappingList.end()) {
                allocatedMem = std::get<1>(*it);
            }
            pExceptionInfo->ContextRecord->Eip = (uintptr_t)pExceptionInfo->ContextRecord->Eip - (uintptr_t)mbi_eip.BaseAddress + allocatedMem;
            return EXCEPTION_CONTINUE_EXECUTION; // Continue to next instruction
        }
        return EXCEPTION_CONTINUE_SEARCH; // Keep going down the exception handling list to find the right handler IF it is not OUR STATUS_ACCESS_VIOLATION
    }
    return EXCEPTION_CONTINUE_SEARCH; // Keep going down the exception handling list to find the right handler IF it is not STATUS_ACCESS_VIOLATION
}

So I fixed my code according to what you described. This time the game didn't freeze, but it crashed instantly.

Dark Byte Site Admin
Posted: Sun Aug 29, 2021 1:17 am Post subject:
Likely means there is an access violation happening inside the handler.
Try printing out the path your code takes, e.g. printf if console, or OutputDebugString.

koodpzok Newbie cheater
Posted: Sun Aug 29, 2021 3:38 am Post subject:
Dark Byte wrote: likely means there is an access violation happening inside the handler. Try printing out the path your code takes, e.g. printf if console, or OutputDebugString

I have logged the address that caused the access violation and is responsible for the crash. It seems to be at the boundary. The address is 0x617FFF but the hook page address starts at 0x618000. So how am I supposed to handle this?

Dark Byte Site Admin
Posted: Sun Aug 29, 2021 4:13 am Post subject:
Ah, that one. lol
Make the copy 3 pages wide, fill the page before and after with 0xCCs, and complete the boundary instructions.
Then when the instruction hits the 0xCC (breakpoint exception), jump back to the correct relative location.
(Or easier, copy the WHOLE program. Eventually it'll ret back to the caller.)
And check that the instruction spans the exception handled. EIP and the exception address received in the handler are not the same. Check that EIP or the exception address is in your stealthedited region and if so, handle it.

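The handler Dark Byte sketches above, written out as an added example. This is my own code, not koodpzok's handler and not Cheat Engine's StealthEdit; the names (ShadowPage, BuildShadowBuffer, OnAccessViolation, OnBreakpoint, StealthVeh, g_pages) are this example's. The decision logic uses no Windows types so it compiles and can be checked on any platform; the VEH glue is only built under _WIN32. Two assumptions are baked in: ExceptionInformation[0] == 8 marks an instruction fetch, which holds when DEP/NX is enabled (with DEP off the straddling-instruction case below cannot be told apart from a data read and falls through to continue-search), and for STATUS_BREAKPOINT the ExceptionAddress is the 0xCC byte that was hit. The byte counts of the two boundary instructions must come from a length disassembler, which is not part of the example.

```cpp
// Stealth-edit page redirection: platform-independent decision logic plus a thin
// Windows VEH wrapper (compiled only under _WIN32). Names are this example's own,
// not Cheat Engine's.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

namespace stealth {

constexpr uintptr_t kPageSize     = 0x1000;
constexpr uintptr_t kExecuteFault = 8;    // ExceptionInformation[0] for an instruction fetch (assumes DEP/NX on)
constexpr uint8_t   kInt3         = 0xCC;

inline uintptr_t PageBase(uintptr_t a) { return a & ~(kPageSize - 1); }

// One redirected page. copyBase is a 3-page buffer:
//   page 0: 0xCC pad + the leading bytes of an instruction that starts before originalPage
//   page 1: the (patched) copy of originalPage
//   page 2: 0xCC pad + the trailing bytes of an instruction that runs past originalPage
struct ShadowPage {
    uintptr_t originalPage;   // page-aligned, set to PAGE_NOACCESS
    uintptr_t copyBase;       // page-aligned start of the 3-page copy
};

enum class Action { NotOurs, Resume };
struct Verdict { Action action; uintptr_t newIp; };

// Lay out the 3-page buffer. leadBytes/tailBytes are the byte counts of the two
// boundary instructions; a length disassembler (not included here) must supply them.
std::vector<uint8_t> BuildShadowBuffer(const uint8_t* prevPage, const uint8_t* page,
                                       const uint8_t* nextPage, size_t leadBytes, size_t tailBytes)
{
    if (leadBytes > kPageSize || tailBytes > kPageSize) return {};
    std::vector<uint8_t> buf(3 * kPageSize, kInt3);
    std::memcpy(&buf[kPageSize], page, kPageSize);
    if (leadBytes) std::memcpy(&buf[kPageSize - leadBytes], prevPage + kPageSize - leadBytes, leadBytes);
    if (tailBytes) std::memcpy(&buf[2 * kPageSize], nextPage, tailBytes);
    return buf;
}

// The copy's middle page mirrors originalPage, so both directions are one offset
// (unsigned wrap-around makes this work for addresses just before the page too).
inline uintptr_t ToCopy(const ShadowPage& s, uintptr_t ip)    { return s.copyBase + kPageSize + (ip - s.originalPage); }
inline uintptr_t ToOriginal(const ShadowPage& s, uintptr_t a) { return s.originalPage + (a - (s.copyBase + kPageSize)); }

// STATUS_ACCESS_VIOLATION: ip is Eip/Rip, faultAddr is ExceptionInformation[1],
// kind is ExceptionInformation[0] (0 read, 1 write, 8 execute).
Verdict OnAccessViolation(const std::vector<ShadowPage>& pages, uintptr_t ip,
                          uintptr_t faultAddr, uintptr_t kind)
{
    for (const ShadowPage& s : pages) {
        // Execution landed inside the protected page itself.
        if (PageBase(ip) == s.originalPage)
            return {Action::Resume, ToCopy(s, ip)};
        // Boundary case from the thread: the instruction starts at 0x617FFF and the fetch
        // runs into 0x618000, so the fault address names our page while ip does not.
        // A data read of the page (kind 0/1) from the page before must NOT be redirected.
        if (kind == kExecuteFault && PageBase(faultAddr) == s.originalPage &&
            PageBase(ip) + kPageSize == s.originalPage)
            return {Action::Resume, ToCopy(s, ip)};
    }
    return {Action::NotOurs, ip};   // someone else's AV: let the next handler see it
}

// STATUS_BREAKPOINT: breakAddr is ExceptionAddress, i.e. the 0xCC byte that was hit.
// Only the two pad pages are ours; an int3 inside the copied page belongs to the program.
Verdict OnBreakpoint(const std::vector<ShadowPage>& pages, uintptr_t breakAddr)
{
    for (const ShadowPage& s : pages) {
        uintptr_t off = breakAddr - s.copyBase;   // wraps to a huge value if breakAddr < copyBase
        if (off < kPageSize || (off >= 2 * kPageSize && off < 3 * kPageSize))
            return {Action::Resume, ToOriginal(s, breakAddr)};
    }
    return {Action::NotOurs, breakAddr};
}

#ifdef _WIN32
static std::vector<ShadowPage> g_pages;   // must be filled before the original page is protected

static uintptr_t GetIp(const CONTEXT& c) {
#if defined(_M_X64) || defined(__x86_64__)
    return (uintptr_t)c.Rip;
#else
    return (uintptr_t)c.Eip;
#endif
}
static void SetIp(CONTEXT& c, uintptr_t ip) {
#if defined(_M_X64) || defined(__x86_64__)
    c.Rip = ip;
#else
    c.Eip = (DWORD)ip;
#endif
}

LONG WINAPI StealthVeh(EXCEPTION_POINTERS* ep)
{
    const EXCEPTION_RECORD* er = ep->ExceptionRecord;
    uintptr_t ip = GetIp(*ep->ContextRecord);
    Verdict v{Action::NotOurs, ip};
    if (er->ExceptionCode == STATUS_ACCESS_VIOLATION && er->NumberParameters >= 2)
        v = OnAccessViolation(g_pages, ip, (uintptr_t)er->ExceptionInformation[1],
                              (uintptr_t)er->ExceptionInformation[0]);
    else if (er->ExceptionCode == STATUS_BREAKPOINT)
        v = OnBreakpoint(g_pages, (uintptr_t)er->ExceptionAddress);
    if (v.action != Action::Resume) return EXCEPTION_CONTINUE_SEARCH;   // not ours: next handler
    SetIp(*ep->ContextRecord, v.newIp);
    return EXCEPTION_CONTINUE_EXECUTION;
}

void Install() { AddVectoredExceptionHandler(1, StealthVeh); }   // first-chance, ahead of other VEHs
#endif

} // namespace stealth
```

To use it: VirtualAlloc a 3-page PAGE_EXECUTE_READWRITE buffer, fill it from BuildShadowBuffer, patch the middle page, push {originalPage, copyBase} into g_pages, call Install(), and only then VirtualProtect the original page to PAGE_NOACCESS, so no thread can fault before the mapping exists. With the thread's numbers (original page 0x618000, and a copy at a made-up 0x10000000), the fault at 0x617FFF with fault address 0x618000 resumes at 0x10000FFF, and a 0xCC hit at 0x10002005 resumes at 0x619005. Relative jumps and calls that leave the page still need the relocation koodpzok already did; Dark Byte's alternative of copying the whole program sidesteps that.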