Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
dll injection to modify .net game

Cheat Engine Forum Index -> General Gamehacking
adaptusaaf
Advanced Cheater
Reputation: 0

Joined: 13 Jan 2008
Posts: 52

Posted: Mon Nov 25, 2013 2:56 pm    Post subject: dll injection to modify .net game

I have a .NET game which I can open in .NET Reflector and see the source code, but I can't save changes to the DLL because it's signed (protected, and the other half of the game is on a server with the author token).

So I have to change values after the program is already running. To do this for values I can't search for in memory (because they never change), I need to change the return value of methods in the original C# source code.

I've determined that injecting a DLL, intercepting the call to the method, changing the return value (such as health, which is normally 100, to 999999) and then sending the modified value back to the game will work in theory.

I have located one resource to help with this called easyhook. http://easyhook.codeplex.com/

My questions:

1. Even though the game is coded in C#, do I have to use a C# solution such as EasyHook to change the return value of health (which is an integer), or can I use a C++ injection/hooking solution?

2. By using Cheat Engine's built-in injector, does this pretty much guarantee my custom DLL is injected into the target program? How do I make sure the DLL intercepts the call I want?

3. Do I need to know memory addresses of methods/classes, or is injecting a DLL and then writing code which knows the source code's names of classes and methods enough? If I need to know memory addresses, how do I use what I'm looking at in .NET Reflector to find them?
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

Posted: Mon Nov 25, 2013 11:55 pm    Post subject: Re: dll injection to modify .net game

adaptusaaf wrote:
So I have to change values after the program is already running. To do this for values I can't search for in memory (because they never change)

You can find them by name or other attributes with the proper tools.

adaptusaaf wrote:
I have located one resource to help with this called easyhook. http://easyhook.codeplex.com/

EasyHook website wrote:
This project supports extending (hooking) unmanaged code (APIs) with pure managed ones, from within a fully managed environment

Unless I'm misreading, this means that the hooks can be written in .NET, not that they are specialized in hooking .NET.

adaptusaaf wrote:
do I have to use a C# solution such as EasyHook to change the return value of health (which is an integer), or can I use a C++ injection/hooking solution?
You can absolutely write an unmanaged cheat. There are many .NET games which have cheat tables posted here.

adaptusaaf wrote:
2. By using Cheat Engine's built-in injector, does this pretty much guarantee my custom DLL is injected into the target program? How do I make sure the DLL intercepts the call I want?
You'll have to find the call in question and redirect the flow of execution. If you can't do this in CE, you're probably not going to be able to do it with an injected DLL (because of understanding, not any functional limitation).

adaptusaaf wrote:
3. Do I need to know memory addresses of methods/classes, or is injecting a DLL and then writing code which knows the source code's names of classes and methods enough? If I need to know memory addresses, how do I use what I'm looking at in .NET Reflector to find them?

DB has posted lots of interesting stuff lately, including working source, for using some of the managed debugging API. You could translate a method name to an address in a loaded assembly, sure. Alternatively, you could also just load your app into a debugger, manually find what you're looking for, and then generate a more conventional AOB scan for the function signature (again, just like any other cheat).
adaptusaaf
Advanced Cheater
Reputation: 0

Joined: 13 Jan 2008
Posts: 52

Posted: Tue Nov 26, 2013 12:16 am

Thanks for the reply, justa_dude.

Of particular interest is your last sentence:

Quote:
Alternatively, you could also just load your app into a debugger, manually find what you're looking for, and then generate a more conventional AOB scan for the function signature (again, just like any other cheat).


I can easily load the app in a debugger (.NET Reflector) and view the entire source code with the names of classes/methods etc., but how do you suggest I translate this to an array of bytes?

For example, here is the structure of the source code of my target class/method:

Code:
using System;
using System.Collections.Generic;
using System.Text;

namespace Test.Subtest
{
    class TestData
    {
        int get_TestValues()
        {
            return default(int);
        }
    }
}


I want to change the result for all TestValues to be 100, so how I would rewrite it is this:

Code:
using System;
using System.Collections.Generic;
using System.Text;

namespace Test.Subtest
{
    class TestData
    {
        int get_TestValues()
        {
            return 100;
        }
    }
}


However, I did not think that taking a byte sequence from a disassembler (ildasm), searching for it in CE and overriding it with the modified AOB would translate into this functionality. Am I wrong?

If I'm wrong, that is great; that will relieve this huge headache I have. But I would still not know how to find the array of bytes of that particular function/class/method which is my target once the application is disassembled. Can the msdbg tool you mentioned do this? (It seems to imply it can; I just want to make sure I'm using it for the right purpose.)
justa_dude
Grandmaster Cheater
Reputation: 23

Joined: 29 Jun 2010
Posts: 891

Posted: Tue Nov 26, 2013 2:54 am

adaptusaaf wrote:
Quote:
Alternatively, you could also just load your app into a debugger, manually find what you're looking for, and then generate a more conventional AOB scan for the function signature (again, just like any other cheat).

I can easily load the app in a debugger (.NET Reflector) and view the entire source code with the names of classes/methods etc., but how do you suggest I translate this to an array of bytes?

I was under the impression that Reflector used the metadata API rather than the debugging API. You need to use a proper debugger to view the code after it has been JIT compiled. I would attach WinDbg (as in the tutorial I linked above) and do a !name2ee Test.Subtest TestData.Testvalues or whatever to get the address and disassembly of the function, then just read off some suitable bytes with which to form the aobscan signature.

adaptusaaf wrote:
However, I did not think that taking a byte sequence from a disassembler (ildasm), searching for it in CE and overriding it with the modified AOB would translate into this functionality. Am I wrong?

If you replace the IL, then you need to do it before the function has executed the first time. If you replace the raw assembly, you need to do it after. Either way is fine, but most of us have a lot more experience modifying x86 asm than raw IL.

adaptusaaf wrote:
I would still not know how to find the array of bytes of that particular function/class/method which is my target once the application is disassembled. Can the msdbg tool you mentioned do this? (It seems to imply it can; I just want to make sure I'm using it for the right purpose.)
Yes, please read the tutorial and try it. Otherwise, the code that DB posted in the same thread works just fine. I can give you the basic pipe client I used to test it if you want, but I personally think that it is overkill for what you need.

Honestly, if you just follow the most basic steps for creating cheats in CE, you need not be terribly concerned about whether the code is in .NET or Mono or CRT or whatever. The biggest difference with the .NET stuff is that you'll have to use an aobscan to find the code, and if you work with the binary (asm) then your code will also be limited to functioning on similar platforms (same runtime, etc.), though I wouldn't be surprised if this were also true, to a lesser extent, of making raw IL mods (I don't know how much the VM changes from version to version or how backward-compatible versions are).

PS - I understand that Cecil is a pretty good option for hacks like this, so long as you don't mind saving a new/modified assembly to disk for execution.