[C++] Help Creating Solitaire Trainer

 
Just4Fun49v2
How do I cheat?
Reputation: 0

Joined: 17 Mar 2011
Posts: 6

Posted: Fri Mar 18, 2011 10:32 am    Post subject: [C++] Help Creating Solitaire Trainer

Greetings CE community. So, my problem stays this way. I'm sort of new to gamehacking, and I'm trying to get a better grip of it. I've been trying to hack Solitaire (for Windows 7) for training and stuff. I've set myself to create a simple trainer for it in C++.
The problem with Solitaire is that every time it's restarted it changes addresses for the values I need to hack (aka. code-shifting) thus rendering my trainer useless. So I've got the modules (eg. solitaire.exe+0002F342), but now I don't know how to implement them in C++ Code and make a working trainer.
This is the skeleton-code I've been trying to make it on, but it doesn't work with modules.
Code:
#include <windows.h>
#include <stdio.h>

int main(){

  HANDLE hProcess = 0;

  HWND hWindow;
  DWORD pid = 0;

  // Look up the target window by its title and get the owning process ID.
  hWindow = FindWindow(NULL, "Window Name");
  if (hWindow){
     GetWindowThreadProcessId(hWindow, &pid);
  }

  hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);

  if(hProcess != NULL)
     printf("Process Found!\n");
  else {
     printf("Process Not Found!\n");
     return 0;
  }
 
  // Writes byte values to a hard-coded absolute address (0x00567...).
  BYTE valueToWrite[] ={0x90, 0x90};
  WriteProcessMemory(hProcess, (void*)0x00567A8F, (void*)&valueToWrite, sizeof(valueToWrite), NULL);

  CloseHandle(hProcess); // Release the process handle.
  return 0;
}

I started programming in C++ last year, so I'm not really that good with it, but neither a total newbie. Could you guys please lend me a hand, and show me a way to make it working, or any other solutions that match to my point (trainer to work even after it has been restarted) eg. pointers or whatever. Thanks.

Deltron Z
Expert Cheater
Reputation: 1

Joined: 14 Jun 2009
Posts: 164

Posted: Fri Mar 18, 2011 11:42 am

You can use CreateToolhelp32Snapshot with the TH32CS_SNAPMODULE flag, then call Module32First to get the first (main) module. For other modules, use Module32Next.
_________________
SharpDisassembler

"When I find my code in tons of trouble,
Friends and colleagues come to me...
Speaking words of wisdom:
Write in C."


#pragma message("Let there be byte!")

Just4Fun49v2
How do I cheat?
Reputation: 0

Joined: 17 Mar 2011
Posts: 6

Posted: Fri Mar 18, 2011 1:11 pm

Mind showing me an example? It looks quite slightly complicated and intimidating.

Deltron Z
Expert Cheater
Reputation: 1

Joined: 14 Jun 2009
Posts: 164

Posted: Fri Mar 18, 2011 1:21 pm

It's just like any other function. Read the documentation, understand what kind of parameters the functions receive and what the return value is. Make sure to read the remarks section. And you only need to read the documentation for the module functions (and flag).

Just4Fun49v2
How do I cheat?
Reputation: 0

Joined: 17 Mar 2011
Posts: 6

Posted: Sat Mar 19, 2011 12:01 pm

Alright, so I've modified the code. Now how do I use WriteProcessMemory on the GetModuleBaseAdress result?
Code:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <TlHelp32.h>

// Declared up front so main() can call it once the result is used.
DWORD GetModuleBaseAdress(DWORD pid, const char* DLLName);

int main(){

  HANDLE hProcess = 0;
  const char* DLLName = "solitaire.exe";
  HWND hWindow;
  DWORD pid = 0;

  hWindow = FindWindow(NULL, "Solitaire");
  if (hWindow){
     GetWindowThreadProcessId(hWindow, &pid);
  }

  hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);

  if(hProcess != NULL)
     printf("Process Found!\n");
  else {
     printf("Process Not Found!\n");
     return 0;
  }
 
  // Still writes to the bare offset; GetModuleBaseAdress() is not used yet.
  BYTE valueToWrite[] ={0xC7, 0x40, 0x10, 0x9F, 0x86, 0x01, 0x00};
  WriteProcessMemory(hProcess, (void*)0x342, (void*)&valueToWrite, sizeof(valueToWrite), NULL);

  CloseHandle(hProcess);
  return 0;
}

// Walks the module list of the process and returns the base address
// of the module named DLLName, or 0 if it is not found.
DWORD GetModuleBaseAdress(DWORD pid, const char* DLLName)
{
   HANDLE hSnap;
   MODULEENTRY32 xModule;

   hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
   if (hSnap == INVALID_HANDLE_VALUE)
      return 0;

   xModule.dwSize = sizeof(MODULEENTRY32);
   
   if (Module32First(hSnap, &xModule))
   {
      // do/while so the first entry (the main module) is compared too.
      do
      {
         if (strcmp(xModule.szModule,DLLName) == 0)
         {
            CloseHandle(hSnap); //Free the handle.
            return (DWORD)xModule.modBaseAddr;
         }
      } while (Module32Next(hSnap,&xModule));
   }
   CloseHandle(hSnap);
   return 0;
}

Just4Fun49v2
How do I cheat?
Reputation: 0

Joined: 17 Mar 2011
Posts: 6

Posted: Wed Mar 30, 2011 10:47 am

Alright, well I sort of got through but now I have another dilemma. Let's say I have the following code ...
Code:
BYTE * caveaddr = (baseEngineAddr+0x2F342);
   printf("Base + Offset (solitaire+0x2F342):= %x\n", caveaddr);
   
   HANDLE hProcess = OpenProcess(PROCESS_VM_WRITE+PROCESS_VM_OPERATION,0,pid);
   if(!hProcess)
   {
      cout << "Game process could not be opened.";
      _getch();
      return 0;
   }

   unsigned char byte2write[] = {0x90,0x90,0x90,0xFE};
   if(!WriteProcessMemory(hProcess, caveaddr, byte2write, sizeof(byte2write), 0))

... and I want to add 9999 points to my score. The thing is that, whatever I modify the bytes to, the score in-game just freezes (I mean the time doesn't decrease it anymore, but you still get points from moves), even if it's nopped (0x90) or I change it to any other byte. What do I do ?

Innovation
Grandmaster Cheater
Reputation: 12

Joined: 14 Aug 2008
Posts: 617

Posted: Wed Mar 30, 2011 6:42 pm

Just4Fun49v2 wrote:
Alright, well I sort of got through but now I have another dilemma. Let's say I have the following code ...
Code:
BYTE * caveaddr = (baseEngineAddr+0x2F342);
   printf("Base + Offset (solitaire+0x2F342):= %x\n", caveaddr);
   
   HANDLE hProcess = OpenProcess(PROCESS_VM_WRITE+PROCESS_VM_OPERATION,0,pid);
   if(!hProcess)
   {
      cout << "Game process could not be opened.";
      _getch();
      return 0;
   }

   unsigned char byte2write[] = {0x90,0x90,0x90,0xFE};
   if(!WriteProcessMemory(hProcess, caveaddr, byte2write, sizeof(byte2write), 0))

... and I want to add 9999 points to my score. The thing is that, whatever I modify the bytes to, the score in-game just freezes (I mean the time doesn't decrease it anymore, but you still get points from moves), even if it's nopped (0x90) or I change it to any other byte. What do I do ?


It's because you aren't writing to data; at that address in memory, there is an opcode that uses a multi-level pointer to change the score. Also, you should make sure you aren't messing up the opcodes with that 0xFE byte. See the following code for reference.

Code:
// Solitaire Trainer for 32-bit Windows 7
// Made by Innovation of CEF

#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <conio.h>

DWORD dwNOPs = 0x90909090; // four NOP (0x90) bytes
DWORD dwScore = 0x0000270F; // 9999 in decimal

DWORD dwGetModuleBaseAddress(DWORD dwProcessIdentifier, TCHAR *szModuleName)
{
   HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessIdentifier);
   DWORD dwModuleBaseAddress = 0;
   if (hSnapshot != INVALID_HANDLE_VALUE)
   {
      MODULEENTRY32 ModuleEntry32;
      ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
      if (Module32First(hSnapshot, &ModuleEntry32))
      {
         do
         {
            if (_tcscmp(ModuleEntry32.szModule, szModuleName) == 0)
            {
               dwModuleBaseAddress = (DWORD)ModuleEntry32.modBaseAddr;
               break;
            }
         }
         while (Module32Next(hSnapshot, &ModuleEntry32));
      }
      CloseHandle(hSnapshot);
   }
   return dwModuleBaseAddress;
}

int _tmain(int nArgumentCount, TCHAR **pvArgumentVector)
{
   SetConsoleTitle(_T("Solitaire Trainer [Windows 7 32-bit Version]"));
   HWND hWindow = FindWindow(NULL, _T("Solitaire"));
   if (hWindow == NULL)
   {
      _tprintf_s(_T("The window could not be found.\n"));
   }
   else
   {
      _tprintf_s(_T("The window was found.\n"));
      DWORD dwProcessIdentifier = 0;
      GetWindowThreadProcessId(hWindow, &dwProcessIdentifier);
      HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, dwProcessIdentifier);
      if (hProcess == NULL)
      {
         _tprintf_s(_T("The process could not be opened.\n"));
      }
      else
      {
         _tprintf_s(_T("The process was opened.\n"));
         DWORD dwModuleBaseAddress = dwGetModuleBaseAddress(dwProcessIdentifier, _T("solitaire.exe"));
         if (dwModuleBaseAddress != 0)
         {
            _tprintf_s(_T("The module base address was found.\n"));
            if (WriteProcessMemory(hProcess, (PVOID)(dwModuleBaseAddress + 0x0002F342), &dwNOPs, sizeof(dwNOPs), NULL))
            {
               _tprintf_s(_T("Time no longer decreases the score.\n"));
            }
            else
            {
               _tprintf_s(_T("Time could not be prevented from decreasing the score.\n"));
            }
            DWORD dwMemoryBuffer = 0;
            // Follow the multi-level pointer: [[module base + 0x97074] + 0x2C] + 0x10 holds the score.
            if (ReadProcessMemory(hProcess, (PVOID)(dwModuleBaseAddress + 0x00097074), &dwMemoryBuffer, sizeof(dwMemoryBuffer), NULL) &&
                ReadProcessMemory(hProcess, (PVOID)(dwMemoryBuffer + 0x2C), &dwMemoryBuffer, sizeof(dwMemoryBuffer), NULL) &&
                WriteProcessMemory(hProcess, (PVOID)(dwMemoryBuffer + 0x10), &dwScore, sizeof(dwScore), NULL))
            {
               _tprintf_s(_T("The score was set.\n"));
            }
            else
            {
               _tprintf_s(_T("The score could not be set.\n"));
            }
         }
         else
         {
            _tprintf_s(_T("The module base address could not be found.\n"));
         }
         CloseHandle(hProcess);
      }
   }
   _tprintf_s(_T("\nPress enter to exit.\n"));
   while (_getch() != 0x0D);
   return 0;
}


Last edited by Innovation on Mon Aug 20, 2012 3:35 pm; edited 5 times in total

Just4Fun49v2
How do I cheat?
Reputation: 0

Joined: 17 Mar 2011
Posts: 6

Posted: Sat Apr 02, 2011 3:37 am

Thank you. Could you please explain what you did at that point, where you wrote 9999 to the game's memory? I'd like to know, because I'm not really into ripping code and running off, and also I'm sort-of a newbie and I'd like to learn.
Back to top
View user's profile Send private message
Innovation
Grandmaster Cheater
Reputation: 12

Joined: 14 Aug 2008
Posts: 617

PostPosted: Sat Apr 02, 2011 8:55 pm    Post subject: Reply with quote

Just4Fun49v2 wrote:
Thank you. Could you please explain what you did at that point, where you wrote 9999 to the game's memory? I'd like to know, because I'm not really into ripping code and running off, and also I'm sort-of a newbie and I'd like to learn.

I wrote to a multi-level pointer representing the score. For more information on multi-level pointers, try messing with Cheat Engine's tutorial or the attached CT I made to correspond with the trainer.



Solitaire.ct
 Description:

Download
 Filename:  Solitaire.ct
 Filesize:  772 Bytes
 Downloaded:  1205 Time(s)
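
The multi-level pointer discussed in this thread, as an added example that is not part of any post: a portable C++ simulation that rebuilds the chain [[base + 0x97074] + 0x2C] + 0x10 in a local buffer and resolves it at two different load addresses, showing why the chain survives a restart while an absolute address does not. The FakeProcess type, the rd32/wr32 stand-ins for ReadProcessMemory/WriteProcessMemory, the object layout and the base addresses are constructed for illustration; only the three offsets and the value 0x270F come from the trainer above.

```cpp
// Added example: simulated memory only; layout and base addresses are constructed.
#include <cstdint>
#include <cstdio>
#include <cstring>
const uint32_t REGION_SIZE = 0x100000;   // constructed 1 MiB image

struct FakeProcess {
    uint32_t base;                       // load address chosen for this "run"
    uint8_t  mem[REGION_SIZE];
};

// Bounds-checked stand-ins for ReadProcessMemory / WriteProcessMemory.
bool rd32(const FakeProcess &p, uint32_t addr, uint32_t *out) {
    if (addr < p.base || addr - p.base > REGION_SIZE - 4) return false;
    std::memcpy(out, p.mem + (addr - p.base), 4);
    return true;
}
bool wr32(FakeProcess &p, uint32_t addr, uint32_t value) {
    if (addr < p.base || addr - p.base > REGION_SIZE - 4) return false;
    std::memcpy(p.mem + (addr - p.base), &value, 4);
    return true;
}

// Constructed layout: static pointer -> object A -> object B -> score field.
void load_at(FakeProcess &p, uint32_t base) {
    std::memset(p.mem, 0, sizeof p.mem);
    p.base = base;
    wr32(p, base + 0x97074, base + 0xA0000);         // pointer stored in the module
    wr32(p, base + 0xA0000 + 0x2C, base + 0xB0000);  // second level
    wr32(p, base + 0xB0000 + 0x10, 120);             // score (constructed value)
}

// Follows the chain; returns the score field's address, or 0 if a read fails.
uint32_t resolve_score(const FakeProcess &p) {
    uint32_t a = 0, b = 0;
    if (!rd32(p, p.base + 0x97074, &a) || !rd32(p, a + 0x2C, &b)) return 0;
    return b + 0x10;
}

bool set_score(FakeProcess &p, uint32_t score) {
    uint32_t addr = resolve_score(p);
    return addr != 0 && wr32(p, addr, score);
}

int main() {
    static FakeProcess run1, run2;       // static: too large for the stack
    load_at(run1, 0x00A10000); load_at(run2, 0x01320000);  // constructed bases
    std::printf("chain write in run2: %d, run1's address reused in run2: %d\n",
                set_score(run2, 0x270F), wr32(run2, resolve_score(run1), 0x270F));
}
```

A zeroed first-level pointer makes resolve_score return 0, so set_score fails cleanly instead of writing to a stale location.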


Slugsnack
Grandmaster Cheater Supreme
Reputation: 71

Joined: 24 Jan 2007
Posts: 1857

Posted: Sun Apr 03, 2011 4:47 am

Innovation: if you're going to use TCHAR then use _tmain

Innovation
Grandmaster Cheater
Reputation: 12

Joined: 14 Aug 2008
Posts: 617

Posted: Sun Apr 03, 2011 12:41 pm

Slugsnack wrote:
Innovation: if you're going to use TCHAR then use _tmain

I started writing it for only ANSI but decided to use the macro a little while in, and I forgot to change it.

Slugsnack
Grandmaster Cheater Supreme
Reputation: 71

Joined: 24 Jan 2007
Posts: 1857

Posted: Sun Apr 03, 2011 1:24 pm

you also forgot to close hprocess

NoMercy
Master Cheater
Reputation: 1

Joined: 09 Feb 2009
Posts: 289

Posted: Sun Apr 03, 2011 2:11 pm

Slugsnack wrote:
you also forgot to close hprocess


Code:
CloseHandle(hProcess);


It's in the code?

Slugsnack
Grandmaster Cheater Supreme
Reputation: 71

Joined: 24 Jan 2007
Posts: 1857

Posted: Sun Apr 03, 2011 2:14 pm

he edited

Just4Fun49v2
How do I cheat?
Reputation: 0

Joined: 17 Mar 2011
Posts: 6

Posted: Wed Apr 06, 2011 1:53 pm

Thank you for your help guys. I'll report back eventually if I find problems ...

All times are GMT - 6 Hours