| |||||||
| |
| Register | Blogs | Live view | Downloads | Marketplace | FAQ | Members List | Social Groups | Calendar | Search | Today's Posts | Mark Forums Read |
Codecaving Tutorial Part 2: C++ program
This is a discussion on Codecaving Tutorial Part 2: C++ program within the Development forum part of the Software/Hardware category; In the last tutorial, I explained how to code cave an offset in memory with a debugger. Now I am ...
Welcome on D3scene.com! Make sure to register - it's free and very quick! You have to register before you can post and participate in our discussions with 70000 other registered members. Downloads, user profiles and some forums can only be seen by registered members. After you create your free account you will be able to customize many options, you will have the full access to new hacks, latest cheats and last but not least will see no advertisements at all. We would love to see you around in our community! |
| | LinkBack | Thread Tools | Display Modes |
|
#1
02-27-2009, 11:04 PM
| ||||
| ||||
| Codecaving Tutorial Part 2: C++ program In the last tutorial, I explained how to code cave an offset in memory with a debugger. Now I am going to show you how to make this a stand-alone program. We are going to use a very popular, mid-strong typed object-oriented programming language: C++! Tools you will need: - A C++ compiler, let's use DevC++ (uses minGW). - Your codecave info from the last tutorial:   Let's open DevC++ and start a new project C++ console application project.  Right now, your source should be: Code: #include <cstdlib>
#include <iostream>
using namespace std;
int main(int argc, char *argv[])
{
system("PAUSE");
return EXIT_SUCCESS;
}
We will need to: - Get the PID for our running Warcraft 3 process - Enable debug priviledges for that process - Get Game.dll's base (which is most of the time 6F000000) We are going to use SD333221's open-source maphack functions for this: Lets put these function prototypes before our main() function. DWORD GetPIDForProcess (char* process); void EnableDebugPriv(); DWORD GetDLLBase(char* DllName, DWORD tPid); And the functions after the main function. Code: DWORD GetPIDForProcess (char* process)
{
BOOL working=0;
PROCESSENTRY32 lppe= {0};
DWORD targetPid=0;
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS ,0);
if (hSnapshot)
{
lppe.dwSize=sizeof(lppe);
working=Process32First(hSnapshot,&lppe);
while (working)
{
if(_stricmp(lppe.szExeFile,process)==0)
{
targetPid=lppe.th32ProcessID;
break;
}
working=Process32Next(hSnapshot,&lppe);
}
}
CloseHandle( hSnapshot );
return targetPid;
}
void EnableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( ! OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
return;
if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ){
CloseHandle( hToken );
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
CloseHandle( hToken );
}
DWORD GetDLLBase(char* DllName, DWORD tPid)
{
HANDLE snapMod;
MODULEENTRY32 me32;
if (tPid == 0) return 0;
snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, tPid);
me32.dwSize = sizeof(MODULEENTRY32);
if (Module32First(snapMod, &me32)){
do{
if (strcmp(DllName,me32.szModule) == 0){
CloseHandle(snapMod);
return (DWORD) me32.modBaseAddr;
}
}while(Module32Next(snapMod,&me32));
}
CloseHandle(snapMod);
return 0;
}
Let's find the PID, and if we can't, exit. Code: if(GetPIDForProcess("WAR3.EXE") == 0)
{
system("Pause");
exit(0);
}
Code: else
{
EnableDebugPriv();
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, GetPIDForProcess("WAR3.EXE"));
if(hProc)
{
DWORD gameBase = GetDLLBase("Game.dll",GetPIDForProcess("WAR3.EXE"));
DWORD dSize = 0;
Now let's use our patch function. We will need to use it twice. First jump: 6F39B97D E9 A2 04 4C 00 E9 + A2 + 04 + 4C + 00 = 5 bytes, therefore our dSize will be 5. And we will write: "\xE9\xA2\x04\x4C\x00" Since our base is most likely 6F000000, let's substract: 6F39B97D - 6F000000 = 39B97D. Our address will be 0x39B97D: Code: PATCH(0x39B97D,"\xE9\xA2\x04\x4C\x00",5);
if(dSize == 0)
{
cout << "Failed to patch uselessblackground jump to codecave." << endl;
}
6F85BE24 E8 77 4B 7B FF 39 AE 30 03 00 00 90 90 8B CE E8 A8 E8 B3 FF BA 00 00 00 00 E9 54 FB B3 FF E8 + 77 + 4B + 7B + FF + 39 + AE + 30 + 03 + 00 + 00 + 90 + 90 + 8B + CE + E8 + A8 + E8 + B3 + FF + BA + 00 + 00 + 00 + 00 + E9 + 54 + FB + B3 + FF = 30 bytes dSize = 30 Address = 0x85BE24 (6F85BE24 - 6F000000) And we will write: "\xE8\x77\x4B\x7B\xFF\x39\xAE\x30\x03\x00\x00\x90\ x90\x8B\xCE\xE8\xA8\xE8\xB3\xFF\xBA\x00\x00\x00\x0 0\xE9\x54\xFB\xB3\xFF" Code: PATCH(0x85BE24,"\xE8\x77\x4B\x7B\xFF\x39\xAE\x30\x03\x00\x00\x90\x90\x8B\xCE\xE8\xA8\xE8\xB3\xFF\xBA\x00\x00\x00\x00\xE9\x54\xFB\xB3\xFF",30);
if(dSize == 0)
{
cout << "Failed to patch uselessblackground codecave." << endl;
}
Let's then close the process handle and pause: Code: CloseHandle(hProc);
cout << "Done, goodbye!" << endl;
system("Pause");
exit(1);
}
else
{
cout << "Warcraft 3 could not be opened..." << endl;
system("Pause");
exit(0);
}
}
}
Here is the full source: Code: #include <windows.h>
#include <Tlhelp32.h>
#include <cstdlib>
#include <iostream>
DWORD GetPIDForProcess (char* process);
void EnableDebugPriv();
DWORD GetDLLBase(char* DllName, DWORD tPid);
#define PATCH(i,w,l) WriteProcessMemory(hProc,reinterpret_cast<LPVOID>(gameBase+i),w,l,&dSize)
using namespace std;
int main()
{
if(GetPIDForProcess("WAR3.EXE") == 0)
{
cout <<"Could not find Warcraft 3 process." << endl;
system("Pause");
exit(0);
}
else
{
EnableDebugPriv();
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, GetPIDForProcess("WAR3.EXE"));
if(hProc)
{
DWORD gameBase = GetDLLBase("Game.dll",GetPIDForProcess("WAR3.EXE"));
DWORD dSize = 0;
PATCH(0x85BE24,"\xE8\x77\x4B\x7B\xFF\x39\xAE\x30\x03\x00\x00\x90\x90\x8B\xCE\xE8\xA8\xE8\xB3\xFF\xBA\x00\x00\x00\x00\xE9\x54\xFB\xB3\xFF",30);
if(dSize == 0)
{
cout << "Failed to patch uselessblackground codecave." << endl;
}
PATCH(0x39B97D,"\xE9\xA2\x04\x4C\x00",5);
if(dSize == 0)
{
cout << "Failed to patch uselessblackground jump to codecave." << endl;
}
cout << "Hack injected with success." << endl;
CloseHandle(hProc);
system("Pause");
exit(1);
}
else
{
cout << "Hack failed to inject." << endl;
system("Pause");
exit(0);
}
}
}
DWORD GetPIDForProcess (char* process)
{
BOOL working=0;
PROCESSENTRY32 lppe= {0};
DWORD targetPid=0;
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS ,0);
if (hSnapshot)
{
lppe.dwSize=sizeof(lppe);
working=Process32First(hSnapshot,&lppe);
while (working)
{
if(_stricmp(lppe.szExeFile,process)==0)
{
targetPid=lppe.th32ProcessID;
break;
}
working=Process32Next(hSnapshot,&lppe);
}
}
CloseHandle( hSnapshot );
return targetPid;
}
void EnableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if ( ! OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
return;
if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ){
CloseHandle( hToken );
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
CloseHandle( hToken );
}
DWORD GetDLLBase(char* DllName, DWORD tPid)
{
HANDLE snapMod;
MODULEENTRY32 me32;
if (tPid == 0) return 0;
snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, tPid);
me32.dwSize = sizeof(MODULEENTRY32);
if (Module32First(snapMod, &me32)){
do{
if (strcmp(DllName,me32.szModule) == 0){
CloseHandle(snapMod);
return (DWORD) me32.modBaseAddr;
}
}while(Module32Next(snapMod,&me32));
}
CloseHandle(snapMod);
return 0;
}
Last edited by TyranO; 02-27-2009 at 11:09 PM.  |
| The Following User Says Thank You to TyranO For This Useful Post: | ||
| D3scene |
Welcome to D3scene - probably the best location for all Gamers. To participate in our friendly environment you have to register. After completing registration you will have full access to all threads and features. We care about members and try to make your stay as pleasant as possible. We are unique with the following feature for members - you will not see a single Advertisement! The best: registration is completely free. It will not cost you a single penny or harm you in any way. You will lose nothing except 1 minute of your time. So why not register? We would be happy to see you around! |
properly XD)
|
#3
02-28-2009, 01:15 AM
| ||||
| ||||
| interesting read   |
| D3scene |
|
Welcome to D3scene - probably the best location for all Gamers. To participate in our friendly environment you have to register. After completing registration you will have full access to all threads and features. We care about members and try to make your stay as pleasant as possible. We are unique with the following feature for members - you will not see a single Advertisement! The best: registration is completely free. It will not cost you a single penny or harm you in any way. You will lose nothing except 1 minute of your time. So why not register? We would be happy to see you around! |
|
| Tags |
| c++, codecaving, source, tutorial, tyrano |
| Thread Tools | |
| Display Modes | |
Linear Mode
| |
Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Codecaving Tutorial (Warcraft 3 example) | TyranO | Development | 14 | 10-24-2009 05:03 PM |
| Tutorial: How to hack someone by knowing his IP. | GrafVladDrakula | Development | 25 | 06-13-2009 11:52 AM |
| DDM's Hacking Tool Collection | Zend | Rakion | 3 | 03-15-2009 11:05 AM |
| A custom quest tutorial. | Batman | WoW Private Server Info & Help | 13 | 07-29-2008 06:13 PM |
| Blender 3D-Model Program and Tutorial HOW TO MAKE Penguin Model WITh PIC's | jahoo1122 | WoW Guides | 2 | 07-27-2008 11:43 PM |
| All times are GMT +1. The time now is 01:09 PM. |
