[C++] Complex address (multi-level pointers), what's wrong?

Postby 4Special » Wed Feb 17, 2010 10:20 pm

Hi all, I'm coding my trainer for an MMORPG game as a Visual C++ MFC application.
I don't know why, but my WriteProcessMemory crashes the application and sometimes the game. Can someone tell me what's wrong?
And sorry if this is the wrong section :/

Code:
   unsigned int speed = 16550;
   // [[[BaseAddress + 0x26767C]+0x598]+0x1EC]+0x9F2

   //Pointer to base address
   DWORD Base = GetModuleBase("TLoader.exe",proc_id);

   PDWORD pdwAddress = ( PDWORD )*( PDWORD )(Base + 0x26767C);
   PDWORD pdw2ndAddress = ( PDWORD )*( PDWORD )( pdwAddress + 0x598 );
   PDWORD pdw3rdAddress = ( PDWORD )*( PDWORD )( pdw2ndAddress + 0x1EC );
   PDWORD pdwFinalAddress = ( PDWORD )*( PDWORD )( pdw3rdAddress + 0x9F2 );

   WriteProcessMemory(hProcess, (void*)pdwFinalAddress, &speed, sizeof(speed), NULL);


GetModuleBase:
Code:
// Signature matches the call above: module name first, then process id.
DWORD GetModuleBase(const char* DLLName, DWORD iProcId)
{
  HANDLE hSnap;
  MODULEENTRY32 xModule;
  hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, iProcId);
  // CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE on failure, not NULL.
  if (hSnap == INVALID_HANDLE_VALUE)
    return 0;
  xModule.dwSize = sizeof(MODULEENTRY32);
  // Compare the first entry too: the original loop skipped the module returned
  // by Module32First, which is normally the main executable itself.
  if (Module32First(hSnap, &xModule))
  {
    do
    {
      if (strcmp(xModule.szModule, DLLName) == 0)
      {
        CloseHandle(hSnap);
        return (DWORD)xModule.modBaseAddr;
      }
    } while (Module32Next(hSnap, &xModule));
  }
  CloseHandle(hSnap);
  return 0;
}


And my initialization code:
Code:
void memory()
{
   HWND hWnd = FindWindow(NULL, "4Story");
   // Check the window before using it: the original test was inverted
   // (hWnd != 0 means the window WAS found) and the flag name was misspelled.
   if (hWnd == NULL)
   {
      MessageBox(NULL, "Process not found", "4Story", MB_ICONWARNING | MB_OK);
      return;
   }
   MessageBox(NULL, "Process found!", "4Story", MB_ICONINFORMATION | MB_OK);
   GetWindowThreadProcessId(hWnd, &proc_id);
   hProcess = OpenProcess(PROCESS_ALL_ACCESS|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, proc_id);
}
Last edited by 4Special on Thu Feb 18, 2010 9:21 pm, edited 1 time in total.
4Special
I Have A Few Questions
 
Posts: 7
Joined: Sat Feb 06, 2010 3:27 am

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby L. Spiro » Thu Feb 18, 2010 8:24 am

Code:
PDWORD pdwAddress = ( PDWORD )*( PDWORD )(Base + 0x26767C);

You have performed indirection on a pointer in your own application, not in the game.
If this is intended for DLL injection then it would work, but then you would not be using WriteProcessMemory().


Secondly, drop DWORD.
viewtopic.php?f=30&t=5519



Make a utility function.
Code:
UINT_PTR DeRef( UINT_PTR _uiptrPointer ) {
    UINT_PTR uiptrRet;
    // g_hProcess assumed to be a global, but this is bad coding practice.
    //  Make it a class member or pass it to this function.
    if ( !::ReadProcessMemory( g_hProcess, reinterpret_cast<LPVOID>(_uiptrPointer), &uiptrRet, sizeof( uiptrRet ), NULL ) ) { return 0UL; }
    return uiptrRet;
}


Now replace the [] in your Complex Address with the utility function.
Code:
// [[[BaseAddress + 0x26767C]+0x598]+0x1EC]+0x9F2
UINT_PTR uiptrFinal = DeRef( DeRef( DeRef( BaseAddress + 0x26767C ) + 0x598 ) + 0x1EC ) + 0x9F2;
::WriteProcessMemory( g_hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &speed, sizeof(speed), NULL );



BaseAddress needs to be UINT_PTR. Every case where you used a DWORD instead of a void * needs to be UINT_PTR. Read my article for why.


L. Spiro
Our songs remind you of songs you’ve never heard.
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
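The pointer-chain walk described above, as an added example that is not code from the thread: it resolves [[[base+o0]+o1]+o2]+o3 through a memory-reader abstraction instead of local casts, the way a debugger or memory-forensics tool follows a chain through a captured image, and it also covers what DeRef() alone does not, namely that a failed or null link aborts the walk instead of producing "0 + offset". The mem_image type, read_ptr (standing in for DeRef()/ReadProcessMemory), walk_chain, put_ptr, resolve_chain, the base address 0x10000, the offsets and the buffer contents are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* A captured slice of another address space, as a debugger or forensic
 * tool holds it. Constructed for this example; no live process is read. */
typedef struct { uintptr_t base; uint8_t *bytes; size_t size; } mem_image;

/* Counterpart of the thread's DeRef(): one pointer-sized read through the
 * image instead of a local cast. Returns 0 on an out-of-range address,
 * just as DeRef() returns 0 when ReadProcessMemory fails. */
static int read_ptr(const mem_image *img, uintptr_t addr, uintptr_t *out)
{
    if (addr < img->base || addr + sizeof *out > img->base + img->size) return 0;
    memcpy(out, img->bytes + (addr - img->base), sizeof *out);
    return 1;
}

/* Resolves [[[base+o0]+o1]+o2]+o3 for any depth: every offset but the
 * last is dereferenced. A failed or null link aborts the walk, so the
 * caller never gets a bogus "0 + offset" address back. */
static uintptr_t walk_chain(const mem_image *img, uintptr_t base,
                            const uintptr_t *off, size_t n)
{
    uintptr_t cur = base, next;
    for (size_t i = 0; i < n; i++) {
        cur += off[i];
        if (i + 1 == n) return cur;                       /* final address */
        if (!read_ptr(img, cur, &next) || next == 0) return 0; /* broken link */
        cur = next;
    }
    return 0;                                             /* empty chain */
}

static void put_ptr(mem_image *img, uintptr_t addr, uintptr_t val)
{
    memcpy(img->bytes + (addr - img->base), &val, sizeof val);
}

/* Constructed image with three links: [[[B+0x40]+0x18]+0x08]+0x2C.
 * With break_link set, the second link is zero, as a stale pointer would be. */
static uintptr_t resolve_chain(int break_link)
{
    uint8_t buf[0x200] = {0};
    mem_image img = { 0x10000, buf, sizeof buf };
    const uintptr_t off[] = { 0x40, 0x18, 0x08, 0x2C };
    put_ptr(&img, 0x10040, 0x10080);                  /* [B+0x40]  -> B+0x80  */
    put_ptr(&img, 0x10098, break_link ? 0 : 0x10100); /* [B+0x98]  -> B+0x100 */
    put_ptr(&img, 0x10108, 0x10140);                  /* [B+0x108] -> B+0x140 */
    return walk_chain(&img, 0x10000, off, 4);         /* 0x1016C when intact */
}
```

Swapping read_ptr for a call that reads the real target (ReadProcessMemory in the thread's case) is the only change needed; the walk and its failure handling stay the same.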

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby 4Special » Fri Feb 19, 2010 5:59 am

Thank you a lot, man! It works 100% perfectly :)

Can you tell me how I can freeze an address in C++? Do I need to use a timer or something like that?
4Special
I Have A Few Questions
 
Posts: 7
Joined: Sat Feb 06, 2010 3:27 am

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby L. Spiro » Fri Feb 19, 2010 6:35 am

Either a thread in an infinite while loop or a timer.


L. Spiro
Our songs remind you of songs you’ve never heard.
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby 4Special » Mon Feb 22, 2010 7:00 am

Thank you. Everything works fine on my Windows 7 x32 and x64, but when I tested it on Windows XP x32 the application runs, but when I change my speed value nothing happens. I tested this pointer and it works in MHS on both Windows versions (XP and 7).

I'm using Visual Studio 2010 Professional [MFC Application]. I downloaded the latest .NET Framework 4.0 but it didn't help.
I tried both character sets (Unicode and Multi-byte); nothing changed.

This is my code: (4SGH SpeedHackDlg.cpp)

Definitions:
Code:
#include "stdafx.h"
#include "4SGH SpeedHack.h"
#include "4SGH SpeedHackDlg.h"
#include <tlhelp32.h>
#include <windows.h>
#include <string>
#include <iostream>

#include <stdlib.h>

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

DWORD proc_id;
HANDLE hProcess;
DWORD GetModuleBase(LPSTR lpModuleName, DWORD dwProcessId);
UINT_PTR DeRef( UINT_PTR _uiptrPointer );
UINT MyThreadProc( LPVOID pParam );
void Speedhack();

UINT_PTR BaseAddress;
UINT_PTR uiptrFinal;
unsigned int speed;
volatile bool FreezeOnOff; // written by the GUI thread, polled by the freeze thread
int firstTime = 0;


memory():
Code:
void memory()
{
   HWND hWnd = FindWindow(NULL, "4Story");
   GetWindowThreadProcessId(hWnd, &proc_id);
   hProcess = OpenProcess(PROCESS_ALL_ACCESS|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, proc_id);

   if (hWnd != 0)
   {
      MessageBox(NULL,"Process detected","4Story",MB_ICONINFORMATION | MB_OK);
   }
   else
   {
      MessageBox(NULL,"Run game first!","Error",MB_ICONWARNING | MB_OK);
      exit(0);
   }
   Speedhack();
}


Speedhack()
Code:
void Speedhack() {
   BaseAddress = GetModuleBase("TLoader.exe",proc_id);

   uiptrFinal = DeRef( DeRef( DeRef( BaseAddress + 0x26767C ) + 0x598 ) + 0x1EC ) + 0x9F2;

   // "firstTime = 0" was an assignment (always false), so this branch never ran; use ==.
   if(firstTime == 0) {
      // WriteProcessMemory takes the address of the value, not the value cast to a pointer.
      unsigned int initial = 16230;
      ::WriteProcessMemory( hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &initial, sizeof(initial), NULL );
      ++firstTime;
   }
   else {
      ::WriteProcessMemory( hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &speed, sizeof(speed), NULL );
   }
}


Some buttons:
Code:
void CMy4SGHSpeedHackDlg::OnSpeedOff()
{
speed = 16230;
Speedhack();
}

void CMy4SGHSpeedHackDlg::OnSpeed1()
{
speed = 16333;
Speedhack();
}

void CMy4SGHSpeedHackDlg::OnSpeed2()
{
speed = 16444;
Speedhack();
}

void CMy4SGHSpeedHackDlg::OnSpeed3()
{
speed = 16555;
Speedhack();
}

void CMy4SGHSpeedHackDlg::OnSpeed4()
{
speed = 16666;
Speedhack();
}

void CMy4SGHSpeedHackDlg::OnFreeze()
{
   // Clear the stop flag before starting the thread; otherwise a stale TRUE
   // left by OnFreezeExit() can make the new thread exit immediately.
   FreezeOnOff = FALSE;
   AfxBeginThread( MyThreadProc, 0 );
}

void CMy4SGHSpeedHackDlg::OnFreezeExit()
{
   FreezeOnOff = TRUE;
}


GetModuleBase():
Code:
DWORD GetModuleBase(LPSTR lpModuleName, DWORD dwProcessId)
{
   MODULEENTRY32 lpModuleEntry = {0};
   HANDLE hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );

   // On failure CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL,
   // so the original "!hSnapShot" test never caught a failed snapshot.
   if(hSnapShot == INVALID_HANDLE_VALUE)
      return 0;
   lpModuleEntry.dwSize = sizeof(lpModuleEntry);
   BOOL bModule = Module32First( hSnapShot, &lpModuleEntry );
   while(bModule)
   {
      if(!strcmp( lpModuleEntry.szModule, lpModuleName ) )
      //if(!wcscmp( lpModuleEntry.szModule, L"TLoader.exe") )
      {
         CloseHandle( hSnapShot );
         return (DWORD)lpModuleEntry.modBaseAddr;
      }
      bModule = Module32Next( hSnapShot, &lpModuleEntry );
   }
   CloseHandle( hSnapShot );
   return 0;
}


DeRef():
Code:
UINT_PTR DeRef( UINT_PTR _uiptrPointer ) {
    UINT_PTR uiptrRet;
    if ( !::ReadProcessMemory( hProcess, reinterpret_cast<LPVOID>(_uiptrPointer), &uiptrRet, sizeof( uiptrRet ), NULL ) ) { return 0UL; }
    return uiptrRet;
}


MyThreadProc() (used to freeze address):

Code:
UINT MyThreadProc( LPVOID pParam )
{
    while ( !FreezeOnOff ) {
        Sleep( 50 ); // 20 times per second
      ::WriteProcessMemory( hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &speed, sizeof(speed), NULL );
    }
    return(1);
}


OnHScroll() - Function to my slider that is working on windows 7 and changing address value:
Code:
void CMy4SGHSpeedHackDlg::OnHScroll(UINT nSBCode, UINT nPos, CScrollBar* pScrollBar)
{
   if(nSBCode == SB_THUMBPOSITION) {
      speed = nPos;

      if(!FreezeOnOff) {
         ::WriteProcessMemory( hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &speed, sizeof(speed), NULL );
      }
      UpdateData(false);
   }

   // Call the base class exactly once; the original called it twice on the non-thumb path.
   CDialog::OnHScroll(nSBCode, nPos, pScrollBar);
}


I can also share my Visual Studio project. Any idea why it works on Windows 7 (x32) but doesn't work on Windows XP (x32)?
4Special
I Have A Few Questions
 
Posts: 7
Joined: Sat Feb 06, 2010 3:27 am

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby L. Spiro » Mon Feb 22, 2010 12:31 pm

There is nothing wrong that I can see, but I have not used MFC.
You may want to build on Windows XP (rather than building on Windows 7 and running on Windows XP), and be sure to link to the appropriate libraries, if there are any differences.


L. Spiro
Our songs remind you of songs you’ve never heard.
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby TheJAF » Sat Sep 04, 2010 5:31 pm

Errors occur because the arguments to the API function OpenProcess() cannot be used on the Windows XP O/S.

Please look at this section:
Code:
hProcess = OpenProcess(PROCESS_ALL_ACCESS|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, proc_id);


GetLastError() result = ERROR_ACCESS_DENIED

Remove the PROCESS_ALL_ACCESS argument from your OpenProcess():
Code:
hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, proc_id);


HTH
TheJAF
I Have A Few Questions
 
Posts: 6
Joined: Mon Aug 02, 2010 5:14 pm

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby 4Special » Wed Sep 15, 2010 1:56 am

Hi all, I have another question about pointers.
Is there a way to use a Complex Address without using ReadProcessMemory? Like this:
Code:
void MemCpy(void* dest, void* src, size_t size); // declared before first use

DWORD Base = (DWORD)(0x69F190); //BaseAddy
DWORD Ptr0 = *(DWORD*)(Base);      //Get Pointer

DWORD Ptr1 = (DWORD)(Ptr0+0xA20);  //Add to the previous ptr ur offset
DWORD Ptr2 = *(DWORD*)(Ptr1); //Get Pointer

DWORD Ptr3 = (DWORD)(Ptr2+0x9BA); //Add to the previous ptr ur offset

BYTE bytes[4] = { 0 }; // the 4 bytes to write; the post does not give the value
MemCpy( (void*)Ptr3, bytes, 4 ); // was "Pt3", an undeclared name

void MemCpy(void* dest, void* src, size_t size)
{
   DWORD oProtect = 0;
   VirtualProtect(dest, size, PAGE_EXECUTE_READWRITE, &oProtect);
   memcpy(dest, src, size);
   // lpflOldProtect must point to a valid DWORD; VirtualProtect fails when it is NULL.
   DWORD dummy = 0;
   VirtualProtect(dest, size, oProtect, &dummy);
}


I know that DWORD sucks (it's detected by some ACs), so how can I use UINT_PTR instead of DWORD?
4Special
I Have A Few Questions
 
Posts: 7
Joined: Sat Feb 06, 2010 3:27 am

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby L. Spiro » Thu Sep 16, 2010 8:27 pm

You would have to inject the code (via DLL injection is best).
And DWORD is not detected by anti-cheats. There is no way to detect such a thing.


L. Spiro
Our songs remind you of songs you’ve never heard.
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: [C++] Complex address (multi-level pointers), what's wrong?

Postby 4Special » Fri Sep 17, 2010 3:53 am

Oh, thanks again ; )
4Special
I Have A Few Questions
 
Posts: 7
Joined: Sat Feb 06, 2010 3:27 am

