Cheat Engine - The Official Site of Cheat Engine

samuri25404 (Grandmaster Cheater)
Reputation: 7
Joined: 04 May 2007   Posts: 955   Location: Why do you care?
Posted: Sun Mar 09, 2008 12:17 pm   Post subject: [C++] BYTE [ ] to BYTE * ?

Since I have nothing better to do, I've been screwing around on Icy Tower (you can Google it if you want it, it's like 1.8 mb unzipped).
I've decided to create an injectable dll, just for the heck of it, and one of my hacks includes flying.
Here's my AA script:
Code:
//FLY!!
//AA script by samuri25404 of CEF
alloc(fly,1024)
label(return)
label(original)
label(exit)
409046: //original instruction is a compare on whether or not the address is 1
//0 = fly
//1 = stand
jmp fly
nop
nop
nop
nop
nop
return:
fly:
mov [eax+34],00000001
original:
cmp dword ptr [eax+34],01
je 0040a167
exit:
jmp return

and I looked up that tutorial by Wiccaan on Extalia about writing dlls, and I'm writing the Destroy method.
I want the address ( 409046 ) to go back to
Code:
cmp dword ptr [eax+34],01
je 0040a167

The bytes for that are
Code:
83 78 34 01 //cmp dword ptr [eax+34],01
0f 84 56 a1 9d fc //je 0040a167

How do I write that to the address?
Thanks,
samuri25404

atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006   Posts: 8587   Location: 127.0.0.1
Posted: Sun Mar 09, 2008 12:33 pm

Code:
BYTE bArray[] = {0x83, 0x78, 0x34, 0x01, 0x0f, 0x84, 0x56, 0xa1, 0x9d, 0xfc};
// WriteProcessMemory takes five arguments; the last (bytes written) may be NULL
WriteProcessMemory( hProcess, (BYTE*)Address, bArray, sizeof(bArray), NULL );
_________________
- Retired.

Symbol (I'm a spammer)
Reputation: 0
Joined: 18 Apr 2007   Posts: 5094   Location: Israel.
Posted: Sun Mar 09, 2008 12:34 pm

Why code caving that?
You can either
40904A:
db EB or db 75. (or nop 90 90 :O)
But since you asked this specific question, with your dll injected you can access the memory easily, far jump byte is E9, and you calculate the address Destination - Source - 5 (also for reversed jumps) but instead of writing the jmp byte and then the destination address bytes, I've improved a bit the function that calculates the bytes, so you don't have to define it, though you have to use memset().
#define JMP(From, To) (long)((((int)(To) - (int)(From) - 5) << 8) + 0xE9)
not sure, but maybe you could:
*(long*)address = JMP(From,To);
Not sure if, but it might overwrite 3 bytes and replace them with 0, but try it anyway...
Wiccaan wrote:
Code:
BYTE bArray[] = {0x83, 0x78, 0x34, 0x01, 0x0f, 0x84, 0x56, 0xa1, 0x9d, 0xfc};
WriteProcessMemory( hProcess, (BYTE*)Address, bArray, sizeof(bArray), NULL );
He said he's using a dll.
Isn't it useless calling WPM then?
Edit: then again, you could simply change a single byte...:
(I just noticed it's a far jump)
Code:
409049:
db 00
or
40904B:
db 85 //far jne
Last edited by Symbol on Sun Mar 09, 2008 12:38 pm; edited 1 time in total

atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006   Posts: 8587   Location: 127.0.0.1
Posted: Sun Mar 09, 2008 12:37 pm

Oh, missed the DLL part; use memset then.
Code:
memset( (BYTE*)Address, &bArray, sizeof(bArray) );
_________________
- Retired.

Aviram (Grandmaster Cheater)
Reputation: 0
Joined: 30 Jun 2006   Posts: 633
Posted: Sun Mar 09, 2008 12:52 pm

He can use memcpy too, no?

Symbol (I'm a spammer)
Reputation: 0
Joined: 18 Apr 2007   Posts: 5094   Location: Israel.
Posted: Sun Mar 09, 2008 1:01 pm

memcpy is to copy memory.

Aviram (Grandmaster Cheater)
Reputation: 0
Joined: 30 Jun 2006   Posts: 633
Posted: Sun Mar 09, 2008 1:01 pm

Yes, but you can use it to edit memory too.

Symbol (I'm a spammer)
Reputation: 0
Joined: 18 Apr 2007   Posts: 5094   Location: Israel.
Posted: Sun Mar 09, 2008 1:19 pm

Yea, sorry, my bad, in this case, both can be used for the same purpose.
But not always, sometimes you'll need memset and sometimes memcpy.

Aviram (Grandmaster Cheater)
Reputation: 0
Joined: 30 Jun 2006   Posts: 633
Posted: Sun Mar 09, 2008 1:31 pm

Yeah but, I dunno why, but I like memcpy lol.

samuri25404 (Grandmaster Cheater)
Reputation: 7
Joined: 04 May 2007   Posts: 955   Location: Why do you care?
Posted: Sun Mar 09, 2008 1:48 pm

Wiccaan wrote:
Oh missed the DLL part, use memset then.
Code:
memset( (BYTE*)Address, &bArray, sizeof(bArray) );

I think you mentioned something about not using memset when using the little linker hack.
Am I right, or is it fine to use memset with the
Code:
#pragma comment(linker, "/ENTRY:DllMain")
thing?

Flyte (Peanuts!!!!)
Reputation: 6
Joined: 19 Apr 2006   Posts: 1887   Location: Canada
Posted: Sun Mar 09, 2008 2:03 pm

No function is needed.
Code:
BYTE bArray[] = {0x83, 0x78, 0x34, 0x01, 0x0f, 0x84, 0x56, 0xa1, 0x9d, 0xfc};
int k = 0;
for(; k < sizeof(bArray); k++) *((BYTE *)(addr+k)) = bArray[k];
However, if you do feel like you must use a function, use the intrinsic function __movsb() in <intrin.h>. It is faster than any memcpy variant.

samuri25404 (Grandmaster Cheater)
Reputation: 7
Joined: 04 May 2007   Posts: 955   Location: Why do you care?
Posted: Sun Mar 09, 2008 2:14 pm

Flyte wrote:
No function is needed.
Code:
BYTE bArray[] = {0x83, 0x78, 0x34, 0x01, 0x0f, 0x84, 0x56, 0xa1, 0x9d, 0xfc};
int k = 0;
for(; k < sizeof(bArray); k++) *((BYTE *)(addr+k)) = bArray[k];
However, if you do feel like you must use a function, use the intrinsic function __movsb() in <intrin.h>. It is faster than any memcpy variant.

Thanks!
That's just what I was looking for (the code, not the method)!

atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006   Posts: 8587   Location: 127.0.0.1
Posted: Sun Mar 09, 2008 2:28 pm

Well the linker hack removes the CRT but you should be able to still use them. If anything it will reimport them as needed. I just tested it with Minesweeper and it worked fine. Mind you, memcpy is what you will want to use probably as memset expects a value which was my mistake.
Code:
memcpy( (BYTE*)Address, &bArray, sizeof(bArray) );
Testing this proved that memcpy and memset won't give you the same results as you would want. My test:
memset
Code:
memset( (BYTE*)0x0100383E, 0x00000001, 4 );
memcpy
Code:
DWORD dwValue = 0x00000001;
memcpy( (BYTE*)0x0100383E, &dwValue, 4);
0x0100383E contains the push of the timer value when you start playing. Which default is 000003E8 which converts to 1000 in decimal meaning 1 second ticks.
If you use memset like I did above it changes the push to:
push 01010101
If you use the memcpy it changes it to:
push 00000001
So ya.. use memcpy.
_________________
- Retired.
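An added example in C, not code from anyone in this thread: a helper that encodes the rel32 `jmp`/`je` forms the thread is patching, using Symbol's `Destination - Source - 5` rule (minus 6 for the two-byte-opcode `je`), plus atom0s's memset-vs-memcpy test replayed on a local copy of the `push` immediate rather than on live code. Because the displacement is relative to the instruction's own address, the `je 0040a167` bytes the OP read out of the allocated cave are not what that instruction encodes to at 40904A; the helper makes that visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encode an x86 rel32 branch into out[] and return its length.
 * opcode 0xE9 -> 5-byte "jmp rel32"; opcode 0x84 -> 6-byte "je rel32" (0F 84).
 * The displacement is measured from the END of the branch instruction, i.e.
 * Symbol's "Destination - Source - 5" for jmp, and "- 6" for je.
 * Unsigned subtraction wraps mod 2^32, which is exactly two's-complement
 * encoding for backward jumps. */
size_t encode_branch(uint32_t from, uint32_t to, uint8_t opcode, uint8_t out[6])
{
    size_t i = 0;
    if (opcode == 0xE9) {
        out[i++] = 0xE9;
    } else if (opcode == 0x84) {
        out[i++] = 0x0F; out[i++] = 0x84;
    } else {
        return 0;                                  /* not a form this helper knows */
    }
    uint32_t rel = to - from - (uint32_t)(i + 4);  /* i + 4 == instruction length */
    memcpy(out + i, &rel, 4);                      /* little-endian, as the CPU reads it */
    return i + 4;
}

/* atom0s's test on a constructed buffer: "push 3E8" encodes as 68 E8 03 00 00, and the
 * four bytes after 0x68 are the value pushed, so overwriting them changes the push. */
static const uint8_t PUSH_IMM32[4] = {0xE8, 0x03, 0x00, 0x00};  /* 0x000003E8 == 1000 */

uint32_t imm_after_memset(void)
{
    uint8_t buf[4];
    memcpy(buf, PUSH_IMM32, 4);
    memset(buf, 0x00000001, 4);   /* memset keeps only the low byte 0x01 and repeats it */
    uint32_t v; memcpy(&v, buf, 4);
    return v;                     /* 0x01010101 -> "push 01010101" */
}

uint32_t imm_after_memcpy(void)
{
    uint8_t buf[4];
    uint32_t dw = 0x00000001;
    memcpy(buf, PUSH_IMM32, 4);
    memcpy(buf, &dw, 4);          /* copies the DWORD byte for byte */
    uint32_t v; memcpy(&v, buf, 4);
    return v;                     /* 0x00000001 -> "push 00000001" */
}
```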

samuri25404 (Grandmaster Cheater)
Reputation: 7
Joined: 04 May 2007   Posts: 955   Location: Why do you care?
Posted: Sun Mar 09, 2008 2:33 pm

Wiccaan wrote:
Well the linker hack removes the CRT but you should be able to still use them. If anything it will reimport them as needed. I just tested it with Minesweeper and it worked fine. Mind you, memcpy is what you will want to use probably as memset expects a value which was my mistake.
Code:
memcpy( (BYTE*)Address, &bArray, sizeof(bArray) );
Testing this proved that memcpy and memset won't give you the same results as you would want. My test:
memset
Code:
memset( (BYTE*)0x0100383E, 0x00000001, 4 );
memcpy
Code:
DWORD dwValue = 0x00000001;
memcpy( (BYTE*)0x0100383E, &dwValue, 4);
0x0100383E contains the push of the timer value when you start playing. Which default is 000003E8 which converts to 1000 in decimal meaning 1 second ticks.
If you use memset like I did above it changes the push to:
push 01010101
If you use the memcpy it changes it to:
push 00000001
So ya.. use memcpy.

I'd rather use Flyte's way--thanks though.

Symbol (I'm a spammer)
Reputation: 0
Joined: 18 Apr 2007   Posts: 5094   Location: Israel.
Posted: Sun Mar 09, 2008 2:36 pm

Wiccaan wrote:
Well the linker hack removes the CRT but you should be able to still use them. If anything it will reimport them as needed. I just tested it with Minesweeper and it worked fine. Mind you, memcpy is what you will want to use probably as memset expects a value which was my mistake.
Code:
memcpy( (BYTE*)Address, &bArray, sizeof(bArray) );
Testing this proved that memcpy and memset won't give you the same results as you would want. My test:
memset
Code:
memset( (BYTE*)0x0100383E, 0x00000001, 4 );
memcpy
Code:
DWORD dwValue = 0x00000001;
memcpy( (BYTE*)0x0100383E, &dwValue, 4);
0x0100383E contains the push of the timer value when you start playing. Which default is 000003E8 which converts to 1000 in decimal meaning 1 second ticks.
If you use memset like I did above it changes the push to:
push 01010101
If you use the memcpy it changes it to:
push 00000001
So ya.. use memcpy.

But, when you push a 4-byte value, doesn't it read the value in that address, and doesn't treat it as a value? If it does, this code will throw an exception, then simply push 01 instead of push 00000001.