Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


C++ - Problem with jmp into CodeCave

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
Darktarx
How do I cheat?
Reputation: 0

Joined: 27 Apr 2014
Posts: 3
PostPosted: Thu Jun 25, 2015 1:06 pm    Post subject: C++ - Problem with jmp into CodeCave Reply with quote
Hi guys,
I'm trying to make trainer in cpp, but I have a huge problem and I have no idea how to fix that.
Code cave address returned by VirtualAllocEx() is (for example) 0x2810000 but in memory viewer I see this "jmp 10281000A". So, idk why compiler is always adding "10" before my codecave address. :/
Can someone help me to fix that?


My Code (VS 2013):
Code:
// SaperTrainer.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <iostream>
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <TlHelp32.h>
#include <Psapi.h>

using namespace std;

BYTE   btMinesCave[] = { 0x00};
BYTE   btMinesOrg[] = { 0x00 };


DWORD_PTR dwGetModuleBaseAddress(DWORD dwProcID, TCHAR *szModuleName);
BOOL WriteNops(BYTE* pAddress, int iNopsToWrite, HANDLE hProc);
DWORD MakeCave(LPVOID pCaveBytes, DWORD dwCaveSize, HANDLE hProc, BYTE* Address);
DWORD MakeJump(BYTE* pOrigAddress, int iNopsNeeded, LPVOID pCaveBytes, DWORD dwCaveSize, HANDLE hProc);
BOOL DeleteCave(BYTE* pCaveAddr, DWORD dwCaveSize, HANDLE hProc);
BOOL WriteMem(BYTE *pAddress, LPVOID pBuffer, DWORD dwSize, HANDLE hProc);

int main(int argc, CHAR* argv[])
{
   cout << "TEST" << endl;
   HWND hWnd = FindWindow(0, L"Saper");
   if (hWnd == 0){
      cout << "ERROR" << endl;
   }
   else{
      cout << "FOUND!" << endl;
   }

   DWORD pId;
   GetWindowThreadProcessId(hWnd, &pId);

   HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
   DWORD_PTR BaseAddress = (DWORD_PTR)dwGetModuleBaseAddress(pId, L"MineSweeper.exe");
   DWORD   Pointer = 0x2AEAA;

   MakeJump((PBYTE)BaseAddress + Pointer, 2, &btMinesOrg, 2048, hProc);

    system("pause");
   return 0;
}

DWORD_PTR dwGetModuleBaseAddress(DWORD dwProcID, TCHAR *szModuleName)
{
   DWORD_PTR dwModuleBaseAddress = 0;
   HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcID);
   if (hSnapshot != INVALID_HANDLE_VALUE)
   {
      MODULEENTRY32 ModuleEntry32;
      ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
      if (Module32First(hSnapshot, &ModuleEntry32))
      {
         do
         {
            if (_tcsicmp(ModuleEntry32.szModule, szModuleName) == 0)
            {
               dwModuleBaseAddress = (DWORD_PTR)ModuleEntry32.modBaseAddr;
               break;
            }
         } while (Module32Next(hSnapshot, &ModuleEntry32));
      }
      CloseHandle(hSnapshot);
   }
   return dwModuleBaseAddress;
}

BOOL WriteNops(BYTE* pAddress, int iNopsToWrite, HANDLE hProc)
{
   if (!hProc){
      cout << "ERROR" << endl;
   }
   else{
      cout << "OPENED!" << endl;
   }

   if (hProc == INVALID_HANDLE_VALUE){
         return FALSE;
   }
   else{
      DWORD dwOldProtect = NULL;
      VirtualProtect(pAddress, iNopsToWrite, PAGE_EXECUTE_READWRITE, &dwOldProtect);
      BYTE Zero[] = { 0x90 };
      WriteProcessMemory(hProc, pAddress, &Zero, sizeof(Zero), NULL);
      BYTE bNOP[] = { 0x90 };
      for (int x = 0; x < iNopsToWrite; x++)
         if (!WriteProcessMemory(hProc, pAddress + x, &bNOP, 1, NULL))
            return FALSE;
      VirtualProtectEx(hProc, pAddress, iNopsToWrite, dwOldProtect, &dwOldProtect);
      return TRUE;
   }
}

DWORD MakeCave(LPVOID pCaveBytes, DWORD dwCaveSize, HANDLE hProc, BYTE* Address)
{
   if (hProc == INVALID_HANDLE_VALUE)
      return NULL;
   DWORD dwCaveAddress = NULL;
   dwCaveAddress = (DWORD)VirtualAllocEx(hProc, NULL, dwCaveSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
   cout << "CAVE ADDRESS: 0x" << hex << dwCaveAddress << endl;
   if (pCaveBytes != NULL)
      WriteMem((BYTE*)dwCaveAddress, pCaveBytes, dwCaveSize, hProc);

   return dwCaveAddress;
}

BOOL DeleteCave(BYTE* pCaveAddr, DWORD dwCaveSize, HANDLE hProc)
{
   if (hProc == INVALID_HANDLE_VALUE)
      return FALSE;

   BOOL bRet = VirtualFreeEx(hProc, pCaveAddr, dwCaveSize, MEM_DECOMMIT);
   return bRet;
}

DWORD MakeJump(BYTE *pOrigAddress, int iNopsNeeded, LPVOID pCaveBytes, DWORD dwCaveSize, HANDLE hProc)
{
   DWORD dwCaveAddress = NULL;
      dwCaveAddress = MakeCave(pCaveBytes, (dwCaveSize + 5), hProc, pOrigAddress);


      BYTE* dwReturnJmp = (PBYTE)(((DWORD)pOrigAddress + 5) + iNopsNeeded);
      dwReturnJmp = dwReturnJmp - (dwCaveAddress + (dwCaveSize + 5));

      BYTE bJmp[] = { 0xE9, 0x00, 0x00, 0x00, 0x00 };
      WriteMem((BYTE*)((dwCaveAddress + dwCaveSize)), &bJmp, 5, hProc);
      WriteMem((BYTE*)((dwCaveAddress + dwCaveSize) + 1), &dwReturnJmp, 4, hProc);

      DWORD dwJmpAddr = dwCaveAddress - (DWORD)pOrigAddress + 5;

      WriteMem(pOrigAddress, &bJmp, 1, hProc);
      WriteMem((pOrigAddress + 1), &dwJmpAddr, 4, hProc);

      if (iNopsNeeded != 0)
         WriteNops((pOrigAddress + 5), iNopsNeeded, hProc);

   return dwCaveAddress;
}

BOOL WriteMem(BYTE *pAddress, LPVOID pBuffer, DWORD dwSize, HANDLE hProc)
{
   if (hProc == INVALID_HANDLE_VALUE)
      return FALSE;

   DWORD dwOldProtect = NULL;
   BOOL bProt = VirtualProtectEx(hProc, pAddress, dwSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
   BOOL bWrite = WriteProcessMemory(hProc, pAddress, pBuffer, dwSize, NULL);
   VirtualProtectEx(hProc, pAddress, dwSize, dwOldProtect, &dwOldProtect);
   return bWrite;
}
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25821
Location: The netherlands
PostPosted: Thu Jun 25, 2015 2:15 pm    Post subject: Reply with quote
is this a 64 bit game?
if so, your makecave routine (andcother stuff as well) needs to be updated.
dword is only 32 bits

oh, and the 2nd parameter for virtualallocex isn't optional in 64 bit (if you use e9 jumps)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites