Cheat Engine The Official Site of Cheat Engine
Matherz Newbie cheater
Reputation: 0
Joined: 25 Aug 2012 Posts: 15
Posted: Fri Jan 04, 2013 3:55 pm Post subject: C++ Auto Assemble script
Hi there,
I have a simple AA script which jumps to an address that will kill the player. But I have a problem rewriting it to C++ (DLL injection). I already read a few tutorials and found some on Google, but without success, because I'm an RE noob. Thanks a lot for helping. (This isn't an MP game.)
AA:
Code:
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
jmp 00526813
originalcode:
//fstp dword ptr [ebx+00000354]
exit:
jmp returnhere
"gta-vc.exe"+126808:
jmp newmem
nop
returnhere:
C++ (DLL injection):
Code:
#include <Windows.h>

DWORD KILL = 0x00526813;

__declspec(naked) void __stdcall Test()
{
    __asm
    {
        call KILL
        // There probably should be some returns :(
    }
}

DWORD WINAPI Init(LPVOID lpArgs)
{
    while(true)
    {
        if(GetAsyncKeyState(VK_F5))
        {
            //MessageBox(0, L"Trolol", L"Hello", MB_HELP);
            /* HaRaKiri !! */
            Test(); /* Game Crash */
        }
    }
}

BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, Init, 0, 0, 0);
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}
DLL injection works fine, but when I execute the AA function (by pressing F5) the game crashes. (I know that something is wrong or missing.)
Sorry for my English.
Stylo Grandmaster Cheater Supreme
Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sat Jan 05, 2013 10:48 am Post subject:
Take a quick look at your AA script:
Code:
"gta-vc.exe"+126808:

That address is the trigger for the hack to execute,
but in your C++ code you don't set that trigger at all.
You need to remove the page protection at that address using the VirtualProtect API
and then write your "jmp Test" code there so it will jump to your code cave.
_________________
Stylo
Matherz Newbie cheater
Reputation: 0
Joined: 25 Aug 2012 Posts: 15
Posted: Thu Jan 10, 2013 3:08 am Post subject:
Okay dude, thanks a lot for the help. But I still have trouble with that. I found some examples but I still don't know how the function works.
Code:
// Is this right?
BOOL WINAPI VirtualProtect(
    _In_  LPVOID lpAddress,     // My "gta-vc.exe"+126808: address
    _In_  SIZE_T dwSize,
    _In_  DWORD  flNewProtect,  // Probably PAGE_EXECUTE_READWRITE
    _Out_ PDWORD lpflOldProtect // ??
);
What does the fourth param lpflOldProtect mean?
Thanks
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25823 Location: The netherlands
Posted: Thu Jan 10, 2013 5:22 am Post subject:
It means it wants the address of a DWORD which will receive the previous protection value,
e.g.: &OldProtect
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Thu Jan 10, 2013 9:09 pm Post subject:
If I understood what you were doing correctly, I believe you want to replace the original instruction with the JMP.
You're going to want to retrieve the corresponding bytes for the JMP 00526813 instruction. It's a total of 5 bytes, starting with E9, then ( AddressYouWantToJumpTo - ( AddressYourAt + 0x05 ) ).
ablonevn Advanced Cheater
Reputation: 1
Joined: 02 Oct 2011 Posts: 59
Posted: Thu Jan 10, 2013 10:51 pm Post subject:
Matherz wrote:
Okay dude, thanks a lot for the help. But I still have trouble with that. I found some examples but I still don't know how the function works.
Code:
// Is this right?
BOOL WINAPI VirtualProtect(
    _In_  LPVOID lpAddress,     // My "gta-vc.exe"+126808: address
    _In_  SIZE_T dwSize,
    _In_  DWORD  flNewProtect,  // Probably PAGE_EXECUTE_READWRITE
    _Out_ PDWORD lpflOldProtect // ??
);
What does the fourth param lpflOldProtect mean?
Thanks

Don't you see "_Out_ PDWORD lpflOldProtect"? The "out" means that it's not "in": it will hold the old protection value of the "in" address.
Matherz Newbie cheater
Reputation: 0
Joined: 25 Aug 2012 Posts: 15
Posted: Sat Jan 12, 2013 8:32 am Post subject:
iPromise wrote:
If I understood what you were doing correctly, I believe you want to replace the original instruction with the JMP.
You're going to want to retrieve the corresponding bytes for the JMP 00526813 instruction. It's a total of 5 bytes, starting with E9, then ( AddressYouWantToJumpTo - ( AddressYourAt + 0x05 ) ).

I'm just trying to call/jmp to the address which should kill me in game ... could you explain this more in C++ style please?
Why does that instruction have 5 bytes?
Why does it start with E9?
How do I get the address where I am at?
Something like?
Code:
DWORD suicideAdd = 0x00526813;
DWORD actualAdd = ; // Don't know how to get it
suicideAdd - ( actualAdd + 0x05);
(Browse region: s2.postimage.org/lpfisx4l5/addy.png)
Sorry for my question and English, and thanks a lot for the help, dudes.
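Worked out in C as an added example (not code from any post in this thread): this is how an assembler, or Cheat Engine's `jmp newmem`, turns the formula iPromise gave into the 5 bytes, and how to read the target back out of them to check the patch. It assumes the usual 0x00400000 image base, so that "gta-vc.exe"+126808 is 0x00526808; `build_patch`, `encode_jmp_rel32` and `decode_jmp_rel32` are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define JMP_REL32_LEN 5u  /* opcode E9 + 4-byte displacement = 5 bytes */
/* Displacement for "jmp target" placed at address `at`: target - (at + 5). The CPU
   adds it to the next instruction's address; unsigned wrap yields two's complement. */
uint32_t rel32_for_jmp(uint32_t at, uint32_t target)
{
    return target - (at + JMP_REL32_LEN);
}

/* Write the 5 bytes into out[]: E9 followed by the little-endian displacement. */
void encode_jmp_rel32(uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t rel = rel32_for_jmp(at, target);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Recover the target from the bytes at `at`; returns 0 if they are not a jmp rel32. */
uint32_t decode_jmp_rel32(uint32_t at, const uint8_t in[5])
{
    if (in[0] != 0xE9) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    return at + JMP_REL32_LEN + rel;
}

/* Patch replacing an original instruction of orig_len bytes: jmp plus NOP (0x90)
   padding, like "jmp newmem / nop" over the 6-byte fstp in the AA script.
   Returns bytes written, or 0 if the instruction is too short to hold the jmp. */
size_t build_patch(uint32_t at, uint32_t target, size_t orig_len, uint8_t *out, size_t cap)
{
    if (orig_len < JMP_REL32_LEN || orig_len > cap) return 0;
    encode_jmp_rel32(at, target, out);
    memset(out + JMP_REL32_LEN, 0x90, orig_len - JMP_REL32_LEN);
    return orig_len;
}

int main(void)
{
    /* Assumed image base 0x00400000, so "gta-vc.exe"+126808 is 0x00526808. */
    uint8_t patch[16];
    size_t n = build_patch(0x00526808u, 0x00526813u, 6, patch, sizeof patch);
    for (size_t i = 0; i < n; i++) printf("%02X ", patch[i]);
    printf("-> jumps to %08X\n", decode_jmp_rel32(0x00526808u, patch));
    return 0;
}
```

The "address you're at" is the patched instruction's own address, the "gta-vc.exe"+126808 location Stylo pointed to, and the displacement is measured from the byte after the 5-byte jmp, which is why the formula adds 0x05.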
Greg798 How do I cheat?
Reputation: 0
Joined: 18 Aug 2013 Posts: 2
Posted: Wed Aug 21, 2013 3:12 pm Post subject:
Hi.
How do I convert this AA script to C++?
Code:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
// Code Executer
alloc(mcode, 1000)
alloc(ThisPtr, 4)
alloc(Param1, 4)
alloc(Param2, 4)
alloc(sCode, 100)
sCode:
db '"UH1H_DZ" createVehicleLocal (position player); cutText ["Spawn heli local", "PLAIN DOWN"];',0
// Sig Scans
aobscan(pExecFunc, 55 8B EC 81 EC ?? ?? ?? ?? 53 8B 5D 0C 56 57 FF 75 10 8D 45 F8)
aobscan(pThisPtr, BE ?? ?? ?? ?? 50 8B CE E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ??)
aobscan(pParam1, A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 8D 4F 08)
aobscan(pParam2, 68 ?? ?? ?? ?? 51 8B CE E8 ?? ?? ?? ?? 8B CE 8A D8)
ThisPtr:
readmem(pThisPtr+1, 4)
Param1:
readmem(pParam1+1, 4)
Param2:
readmem(pParam2+1, 4)
CreateThread(mcode)
mcode:
mov eax, [Param1]
mov eax, [eax]
mov eax, [eax+600]
push eax
push [Param2]
push sCode
mov ecx, [ThisPtr]
call pExecFunc
ret 4
dealloc(mcode)
dealloc(ThisPtr)
dealloc(Param1)
dealloc(Param2)
dealloc(sCode)
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
This script has no jmp; it is an executor.
I managed to get the scans working, but how do I implement it in a DLL (memcpy)?
Code:
// FindPattern is the poster's own helper (not a Windows API); 0x00 bytes are wildcards ('?') in the mask
DWORD Modul = (DWORD)GetModuleHandleA("arma2oa.exe");
pExecFunc = FindPattern(Modul, 0xffffffff,
    (PBYTE)"\x55\x8B\xEC\x81\xEC\x00\x00\x00\x00\x53\x8B\x5D\x0C\x56\x57\xFF\x75\x10\x8D\x45\xF8",
    "xxxxx????xxxxxxxxxxxx");
ThisPtr = FindPattern(Modul, 0xffffffff,
    (PBYTE)"\xBE\x00\x00\x00\x00\x50\x8B\xCE\xE8\x00\x00\x00\x00\xA1\x00\x00\x00\x00\x8B\x80\x00\x00\x00\x00",
    "x????xxxx????x????xx????") + 1;
Param1 = FindPattern(Modul, 0xffffffff,
    (PBYTE)"\xA1\x00\x00\x00\x00\x8B\x80\x00\x00\x00\x00\x8D\x4F\x08",
    "x????xx????xxx") + 1;
Param2 = FindPattern(Modul, 0xffffffff,
    (PBYTE)"\x68\x00\x00\x00\x00\x51\x8B\xCE\xE8\x00\x00\x00\x00\x8B\xCE\x8A\xD8",
    "x????xxxx????xxxx") + 1;