Cheat Engine

[whtwht]

I'm trying to insert a chunk of code in assembly just to grasp where the code execution is for now

I want my code to look something like a message box

with title : whatever
message : error

and just with an ok button

so something like

1234567 jmp blah.22345678

22345678 push ...
push ...
push ...
call ...
jump blah. 12345678

so a simple jump to a random section, poping up the box, ok and continue code execution, i think i need to push the eax value first and then pop it agian as messgebox affects the eax, however, i know how to write this in C, but have no clue how to insert this in another program that i don't know the source code to and i'm not sure if its protection (packed) is completely removed yet.

thanks

[Slugsnack]

stdcall convention means eax holds return value and ecx/edx are not guaranteed to be preserved. so you can always pushad and then popad at start/end of your codecave. or if you really want to save the few nanoseconds then push eax, push ecx, push edx and at the end pop edx, pop ecx, pop eax.

look at the parameters of messagebox. since stdcall is reverse order then utype needs to be pushed first. normal popup is 0. caption is a pointer to a string for caption string. otherwise 0 will also work for a default one. same with the text pointer. hwnd put as 0.

so this will work:

[whtwht]

thanks for your help,

as for what i want to do is this

00718716 |. E8 5B700000 CALL ACEOnlin.0071F776
0071871B |. 59 POP ECX
0071871C |. 85C0 TEST EAX,EAX

I want to change that to

00718716 |. E8 5B700000 CALL ACEOnlin.0071F776
0071871B |. ED ED JMP CODECAVE
0071871C |. 59 TEST EAX, EAX

CODECAVE =>

POP ECX
PUSH 0
PUSH (I'm confused here, cause I can't push a ascii... like PUSH "ERROR" for title)
PUSH (Message)
Call MessegeboxA
JMP aceonlin.0071871c



The problem like i said above, was i don't know how to 'push' an ascii onto the stack otherwise i'm fine, and how do i call messegeboxa inside another targetproblem?

[Slugsnack]

you don't push an ascii onto the stack. you push a pointer to an ascii string if you are to use MessageBoxA. that means somewhere you have to declare/define a null terminated ascii string. a pointer to that string is its address.

[BanMe]

[Slugsnack]

no need for suspending and resuming process. as long as you write the codecave contents first then it won't do anything bad.

[whtwht]

yeap, thanks for the code banme, but I can do it in C, I just don't know how to do it in a target process in asm, I can do it normally in asm, but no clue how to do it in another asm program.

Thats what I'm trying to find out right now

[Slugsnack]

you want source code for it ? easiest way is to do a dll injection. it's quite tricky to get the actual bytes for it dynamically considering you have to calculate jmps and stuff. with dll injection it is very very easy.

although i suppose since you only wanna call a messagebox.. you could virtualalloc some memory and write the 2 strings. then writeprocessmemory the bytes which would be static. main problem would be to get address of messageboxa. i would suggest you call it via the program's IAT if it uses one. if you wanna get the bytes for the static instructions, a fast way is to assemble them in ollydbg and just copy the bytes.

[whtwht]

lol holy shit, thats a lot of code for doing a simple message box

and no dll injection isn't going to suffice,

heres what i want to do, I'm trying to find out when hshield is loaded, so I'm trying to change the memory simply by adding a message box, frankly if the box comes up before the hshield pwns me, I'll know that Hshield hasn't been called in the memory yet, since the messege box pause execution until Ok is pressed, or I think it was.

I want to repeat that until I can isolate the loop or function that calls hshield, and for dll injection, I don't think I can control when its injected or where during the code execution

[dnsi0]

why don't u use olly. Attach. Find all refrences to CreateProcessA?

[Slugsnack]

with dll injection yes you can control exact time of injection and also you can control what code is changed, yes. it doesn't matter WHERE it is injected, you write a generic generator for the JMP bytes that would be required.

[BanMe]

what i provided is the full "asm" for the codecave..written in C..iono maybe i missed something..

[dnsi0]

Just put a bp on CreateProcessA and look at the stack to see what is running then trace the function back to where its called.

[whtwht]

hey dnsi0, thats the thing... its a dll thats being loaded so I don't think that HShield is being called through CreateProcess, I'll give it a try right now, as for BanMe

I know how to write it like what you did, but what do I substitute for stringaddress? I didn't write it so theres no .sections for me to initiate my string and I don't know how to stick it into the file using olly, since... I think that theres another protection on it... my olly hangs when its analysing the code at start-up and apparently... theres a lot of ??? unknown commands that dissapear after using AnalyzeThis!

[dnsi0]

If hack shield is a dll then put a bp on LoadLibraryA.