NINTENDO Grandmaster Cheater Supreme
Reputation: 0
Joined: 02 Nov 2007 Posts: 1371
Posted: Mon Aug 16, 2010 11:20 am Post subject: How do I hack my code with ce? I can't seem to figure it out.

Hello programmers.
I have made a very simple program that calculates two values.
I'm trying to freeze one of these values with CE, but when I do so my code still uses the values from the text boxes.
I don't know what to do :/
| Code: |
using System;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void Form1_Load(object sender, EventArgs e)
        {
        }

        int tal1 = 0, tal2 = 0;

        private void button1_Click(object sender, EventArgs e)
        {
            // Both fields are re-parsed from the text boxes on every click,
            // then used immediately in the message box.
            if (int.TryParse(_txtTal1.Text, out tal1) && int.TryParse(_txtTal2.Text, out tal2))
            {
                MessageBox.Show(tal1 + "+" + tal2 + "=" + (tal1 + tal2));
            }
            else
            {
                MessageBox.Show("Invalid numbers are invalid.");
            }
        }
    }
} |
_________________
Intel over amd yes. |
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25833 Location: The netherlands
Posted: Mon Aug 16, 2010 11:54 am

Freezing isn't fast enough, so use code injection in the routine that writes the address and change it there.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping |
AhMunRa Grandmaster Cheater Supreme
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
Posted: Mon Aug 16, 2010 2:57 pm

It's not that freezing isn't fast enough. It's more how the Visual Studio handles memory.
Build a solution for your project, then attach it to CE. Enter in a value. What you will see is when you click on your button, search in CE, you should be able to find your value. Click OK in the button dialog and you will see the value change. Now freeze this value. When you click your button again you will need to rescan; the program has moved the memory location on its own.
If you build the same app in C++ you should see completely different results.
_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.> |
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25833 Location: The netherlands
Posted: Mon Aug 16, 2010 4:21 pm

In this case tal1 and tal2 are on pretty solid addresses. Only when the form is destroyed and re-created will the addresses change.
The problem here is the button click. The textboxes txtTal1 and txtTal2 get converted to integers and stored in tal1 and tal2, and then immediately shown in the messagebox.
Because the time between converting to integers and showing in the messagebox is less than 50 milliseconds, the freezer of ce will be too late to change it back.
AhMunRa Grandmaster Cheater Supreme
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
Posted: Mon Aug 16, 2010 4:42 pm

You could try adding
| Code: |
using System;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        public int tal1 = 0, tal2 = 0;
        // int is a value type and can never be null, so track whether each box parsed.
        private bool ok1 = false, ok2 = false;

        private void button1_Click(object sender, EventArgs e)
        {
            if (ok1 && ok2)
            {
                MessageBox.Show(tal1.ToString() + "+" + tal2.ToString() + "=" + (tal1 + tal2));
            }
            else
            {
                MessageBox.Show("Invalid numbers are invalid.");
            }
        }

        // TryParse returns a bool and writes the parsed number through the out parameter.
        private void _txtTal1_TextChanged(object sender, EventArgs e)
        {
            ok1 = int.TryParse(_txtTal1.Text, out tal1);
        }

        private void _txtTal2_TextChanged(object sender, EventArgs e)
        {
            ok2 = int.TryParse(_txtTal2.Text, out tal2);
        }
    }
} |
Will change the values before messagebox creation/destruction.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue Aug 17, 2010 7:04 am

.NET's garbage collection will kill the addresses when it sees fit based on usage and reference though, which may be causing the addresses to change after a set period of time.
Your best bet is to use code injection based on the function that alters the addresses.
For example using similar code to yours above I would get the following function start:
| Code: |
006E0632 - 89 45 cc          - mov [ebp-34],eax
006E0635 - 8b 45 e8          - mov eax,[ebp-18]
006E0638 - 8b 80 4c 01 00 00 - mov eax,[eax+0000014c]
006E063E - 8b 55 d8          - mov edx,[ebp-28] |
mov eax,[eax+0000014c] would be obtaining the value from tal1.
We can use aobscan to find it with:
8b 45 e8 8b 80 4c 01 00 00 8b 55 d8
(Since this is a small example we can fairly well guarantee no other code is going to look the same; you will need to do more work with aob's later on if the project is fairly large, as you will often run into similar code chunks for other things.)
And now a small script to force alter the addresses:
| Code: |
[ENABLE]
alloc(cave,1024)
aobscan(tal1,8b45e88b804c0100008b55d8)
label(back)

tal1:
  // 5-byte jmp plus 4 nops cover the 9 bytes of the two original instructions.
  jmp cave
  nop
  nop
  nop
  nop
back:

cave:
  // Restore original code.
  mov eax, [ebp-18]
  // Adjust values of tal1 and tal2.
  mov [eax+014c], 2
  mov [eax+0150], 4
  // Restore other original code.
  mov eax, [eax+014c]
  jmp back

[DISABLE]
// Find the patched site by its jmp (any target) and nops, then write the original bytes back.
aobscan(tal1,e9xxxxxxxx909090908b55d8)
dealloc(cave)

tal1:
  mov eax, [ebp-18]
  mov eax, [eax+014c] |
With this, tal1 is forced to 2, and tal2 is forced to 4. You could register symbols if you wanted to be able to easily edit their values from a cheat table as well.
_________________
- Retired. |
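
Added example (not part of the original thread, and not Cheat Engine's own code): a small Python model of the wildcard byte-signature matching that the two aobscan lines above rely on, run over the instruction bytes quoted in the listing. It shows how the site looks before and after the 9-byte patch and uses the same two signatures as an integrity check; `CAVE_ADDR` and the helper names are constructed for illustration.

```python
# Added example: wildcard byte-signature matching over the bytes quoted in the thread.
# CAVE_ADDR is a constructed value; real allocations differ on every run.

BASE = 0x006E0632                      # address of the first listed instruction
ORIGINAL = bytes.fromhex("8945cc" "8b45e8" "8b804c010000" "8b55d8")
ORIG_SIG = "8b 45 e8 8b 80 4c 01 00 00 8b 55 d8"
HOOK_SIG = "e9xxxxxxxx909090908b55d8"
CAVE_ADDR = 0x00A30000                 # constructed for illustration


def parse_sig(sig):
    """Return a list of byte values; None marks a wildcard ('xx' or '??')."""
    s = sig.replace(" ", "").lower()
    if len(s) % 2:
        raise ValueError("signature must be whole bytes")
    pairs = [s[i:i + 2] for i in range(0, len(s), 2)]
    return [None if p in ("xx", "??") else int(p, 16) for p in pairs]


def scan(buf, sig):
    """Return every offset in buf where the signature matches."""
    pat = parse_sig(sig)
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pat))]


def apply_hook(buf, off, cave_addr, base=BASE):
    """Model the [ENABLE] patch: jmp rel32 (5 bytes) + 4 nops over 9 bytes."""
    rel = (cave_addr - (base + off + 5)) & 0xFFFFFFFF
    out = bytearray(buf)
    out[off:off + 9] = b"\xe9" + rel.to_bytes(4, "little") + b"\x90" * 4
    return bytes(out)


def classify(buf):
    """Integrity check: 'original', 'hooked', or 'unknown' (no or ambiguous hits)."""
    orig, hook = scan(buf, ORIG_SIG), scan(buf, HOOK_SIG)
    if len(orig) == 1 and not hook:
        return "original"
    if len(hook) == 1 and not orig:
        return "hooked"
    return "unknown"


if __name__ == "__main__":
    off = scan(ORIGINAL, ORIG_SIG)[0]
    patched = apply_hook(ORIGINAL, off, CAVE_ADDR)
    print(hex(BASE + off), classify(ORIGINAL), patched.hex(), classify(patched))
```

`classify` returns "unknown" when a signature matches more than once, which is the ambiguity the post warns about for larger projects.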