Cheat Engine Forum - The Official Site of Cheat Engine
IMPORTANT: Cheat Engine permission system
Forum: General programming
Page 1 of 2
SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Fri Mar 05, 2010 12:39 pm    Post subject: IMPORTANT: Cheat Engine permission system

Hi again. I fixed the 0 thing. For those who don't know, I'm developing a cheat for a specific game in C++, in which I need to modify a single byte (B7) to 00, which is a GetLastError thing (CreateMutexA). My problem is that when I try to use WriteProcessMemory I get error 299. I'm using Windows Vista x64 (although this doesn't work under Windows 7 x86 either). Before the WriteProcessMemory call I call the following, in order:

Code:

OpenProcess (PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, GetProcessClientID()) // ID IS OK


I call this too:

Code:

BOOL SetProcessEditPriv(LPCSTR Priv)
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES Privs;
    ZeroMemory(&Privs, sizeof(Privs));
    // The privilege has to be enabled in the caller's own token (not the target's),
    // and before OpenProcess is called, for it to have any effect.
    if (!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken))
    {
        cout << "Privileges couldn't be set\n";
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, Priv, &luid))
    {
        CloseHandle(hToken);
        return FALSE;
    }

    Privs.PrivilegeCount = 1;
    Privs.Privileges[0].Luid = luid;
    Privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns TRUE even when the privilege was not assigned
    // to the token; ERROR_NOT_ALL_ASSIGNED is only visible through GetLastError().
    BOOL retValue = AdjustTokenPrivileges(hToken, FALSE, &Privs, sizeof(Privs), NULL, NULL);
    if (retValue && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        retValue = FALSE;
    CloseHandle(hToken);
    return retValue;
}

No error when I call this function (SE_DEBUG_NAME parameter)

Code:

if (!VirtualProtectEx (pHandle, BufferIn, 2, PAGE_READWRITE, &OldProtection))
      cout << "Memory access couldn't be set. Error " << GetLastError() << endl;

No error here. OldProtection here varies. Yes, this is strange. Sometimes I get 0x20, and sometimes 0x40 (I THINK, I DON'T REMEMBER QUITE WELL. DON'T MAKE GUESSES BASED ON THIS).

Then WriteProcessMemory comes, and I get error 299.

Another important thing is that when I try to call VirtualQueryEx, I get error 5 (Access Denied).

PS: I don't need you to explain what the error means unless you have a more detailed explanation than MSDN.

How does cheat engine avoid all these things? Thanks a lot.

SBAOM
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Fri Mar 05, 2010 1:19 pm

Error 299 means partial copy, but knowing from experience, that partial copy can be 0 bytes long; it does mean the process handle is valid and you have proper rights.

The error for VirtualQueryEx is because you haven't opened the process with PROCESS_QUERY_INFORMATION.

OldProtection changing: no idea, perhaps you've not set the original protection back, so the next time you call it you get the value you set it to (with or without an OS-modified flag).

As for writeprocessmemory not working no idea.
The readProcessMemory call does work? And you're giving the proper address ?

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Fri Mar 05, 2010 1:55 pm

This computer is really very crazy... DAMN! I did what you said. Worked. Not only that, when I did that I got error 487 in VirtualProtect and WriteProcessMemory. I modified a very tiny thing (which, by the way, I got like before) and now ReadProcessMemory is giving me error 299 (WPM and VP are still giving me error 487 - Attempt to access invalid address).

EDIT: The answer is this: OpenProcess is hooked. Somehow Microsoft "hooked" (nice time to learn something) this function, which is now protected, so I can't access some privileges like PROCESS_VM_WRITE or PROCESS_VM_OPERATION (main problematic stuff here: ReadProcessMemory, WriteProcessMemory and VirtualProtect). Until I un-hook it or hook it back or something (I don't know what that is, so I suggest you tell me), I won't be able to continue with my program.

EDIT 2: There is a second option, though, which is injecting it as a DLL, making of it a much simpler thing. I wouldn't like that much though, it's the easy way out. Still waiting for help.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Sat Mar 06, 2010 9:44 am

Cheat Engine also makes use of OpenProcess and ReadProcessMemory (unless kernel-mode versions are used, but they are only used when explicitly enabled).
The only special thing is that it must be run in admin mode (It has a manifest embedded that tells windows it needs to run as admin)

I take it you already tried running it as admin? (that requires that you also run the debugger as admin)

If you're not running explicitly as administrator, then check your user account, and see if it's allowed to be granted the vm access rights

as for the hook:
On a normal Windows system (64-bit), OpenProcess is:
Code:

75C11B12 - 8b ff                      - mov edi,edi
75C11B14 - 55                         - push ebp
75C11B15 - 8b ec                      - mov ebp,esp
75C11B17 - 5d                         - pop ebp
75C11B18 - eb 05                      - jmp openprocess+d
75C11B1A - 90                         - nop
75C11B1B - 90                         - nop
75C11B1C - 90                         - nop
75C11B1D - 90                         - nop
75C11B1E - 90                         - nop
75C11B1F - ff 25 40 09 c1 75          - jmp dword ptr [75c10940] : [OpenProcess]


Not much of a hook if you ask me. Most likely it's just a stub to make the emulation for 32-bit functions.
The OpenProcess indicated by jmp dword ptr [75c10940] : [OpenProcess] is KERNELBASE.dll's OpenProcess, not Kernel32.dll's


Quote:

(WPM and VP are still giving me error 487 -Attempt to access invalid address-.

Out of curiosity, did you declare the function parameters yourself? (e.g using dword/qword instead of the pointer type for address)

SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Sat Mar 06, 2010 7:12 pm

I actually NEED to run the program as admin, because I use CreateProcess, which needs elevation (if I don't run it as admin, I get error 740; anyway, I'm actually used to running every program as admin).

Quote:

Out of curiosity, did you declare the function parameters yourself? (e.g using dword/qword instead of the pointer type for address)


What do you mean? Which function? OpenProcess? WriteProcessMemory.

I would be very thankful if you gave me a good reference on what a hook is; I'm pretty sure there's something about this that has to do with hooks. I didn't quite get these either:

Quote:

It has a manifest embedded that tells windows it needs to run as admin


Quote:

(...)see if it's allowed to be granted the vm access rights


Let's get to the point. As the program says, I'm trying to access an "invalid memory address", which is not actually invalid, because I check it with C-E, which, by the way, sometimes doesn't show up, and it appears as if it worked, but when I call the out var of ReadProcessMemory I get a random number. This is freaky stuff, and I WILL solve it, but I need your help. Don't forget about the hook thing. I'm supposed to have every permission granted, but I get error 478.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Sat Mar 06, 2010 7:29 pm

A hook is defined as relocating the address of some APIs, or rewriting the first few instructions so they jump to another location before jumping back to the rest of the routine.

The openprocess api looks like a hook, but it doesn't jump to an extra routine that blocks you. It's the usual OpenProcess access rights check and open process stuff that always happens.

And if it's a blocking hook, then how can CE work ? I'm pretty sure I don't have any special dealings with Microsoft that they allow me to call those functions without a problem

With running as admin I mean right-click the process and choose "Run as administrator"; even turning off UAC isn't always enough.

As for declaring the functions yourself I meant the WriteProcessMemory and ReadProcessMemory instead of using those provided in windows.h
For example, you might be running your app in 64-bit, and have declared the function to take the read address and buffer pointer as a DWORD instead of a pointer
That will cause it to randomly return wrong results, since bits 32 to 63 of the actual pointer will then contain random data, sometimes being 0 and succeed, other times having a bit set making it read an invalid address
I really doubt you did that though.

Also, it could be that it's not the address you're trying to access that is invalid, but your read/write buffers. Have they been allocated? Are they big enough? And is the size parameter you give within the size of that buffer?

SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Sat Mar 06, 2010 9:16 pm

May I insert the whole code here? It's not that long.

NOTE: Comments, debugging stuff and output are in Spanish, just don't pay attention to them.

Main.cpp
Code:

#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <iostream>
#include "CrackProcess.h"

using namespace std;

int _tmain(int argc, TCHAR *argv[])
{
    cout << "ImperiumAO MultiClient Engine\n";
    cout << "Loading process...\n";
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    HANDLE IAOHandle;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // Start the child process suspended, so the patch lands before its code runs.
    if (!CreateProcess("ImperiumAO.exe",   // Module name
        NULL,               // Command line
        NULL,               // Process handle not inheritable
        NULL,               // Thread handle not inheritable
        FALSE,              // Set handle inheritance to FALSE
        CREATE_SUSPENDED,   // Creation flags (the raw value 4 used originally)
        NULL,               // Use parent's environment block
        NULL,               // Use parent's starting directory
        &si,                // Pointer to STARTUPINFO structure
        &pi)                // Pointer to PROCESS_INFORMATION structure
    )
    {
        printf("Error number %d.\n", GetLastError());
        return 1;
    }

    // SeDebugPrivilege has to be enabled in our own token before OpenProcess.
    SetProcessEditPriv(SE_DEBUG_NAME);

    cout << "Cracking client...\n";
    cout << PROCESS_ALL_ACCESS << endl;
    // PROCESS_QUERY_INFORMATION is what VirtualQueryEx needs (error 5 without it).
    IAOHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, GetIAOProcessClientID());
    if (IAOHandle == NULL)
    {
        printf("OpenProcess failed. Error %d.\n", GetLastError());
        return 1;
    }
    WriteIAOAddress(IAOHandle);
    cout << "Opening ImperiumAO...\n";
    ResumeIAO(GetIAOProcessClientID());   // pi.dwProcessId holds the same ID
    cout << "Finishing...\n";
    cout << "CREATED BY SASHA\n";
    // Wait until child process exits.
    WaitForSingleObject(pi.hProcess, INFINITE);

    // Close process and thread handles.
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    CloseHandle(IAOHandle);
    return 0;
}


UnPauseThread.h:
Code:

#include <iostream>
#include <string>
#include <windows.h>
#include <tlhelp32.h>

DWORD GetIAOProcessClientID();

void ResumeIAO(DWORD);

// PID of the first process whose image name is ImperiumAO.exe, or 0 if none.
DWORD GetIAOProcessClientID()
{
    char ProcessName[] = "ImperiumAO.exe";

    PROCESSENTRY32 IAOProcessInfo;
    IAOProcessInfo.dwSize = sizeof(IAOProcessInfo);
    HANDLE P_SNAPSHOT = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (P_SNAPSHOT == INVALID_HANDLE_VALUE)
        return 0;

    if (Process32First(P_SNAPSHOT, &IAOProcessInfo))
    {
        do
        {
            // Image names are case-preserving, so compare case-insensitively.
            if (!_stricmp(ProcessName, IAOProcessInfo.szExeFile))
            {
                DWORD pid = IAOProcessInfo.th32ProcessID;
                CloseHandle(P_SNAPSHOT);
                return pid;
            }
        }
        while (Process32Next(P_SNAPSHOT, &IAOProcessInfo));
    }

    CloseHandle(P_SNAPSHOT);
    return 0;
}

// Resume every thread owned by PID (the process was created with CREATE_SUSPENDED).
void ResumeIAO(DWORD PID)
{
    HANDLE hIAOThread;

    THREADENTRY32 ThreadsInfo;
    ThreadsInfo.dwSize = sizeof(ThreadsInfo);
    // TH32CS_SNAPTHREAD lists every thread on the system, so the owner PID must be
    // checked on each entry; otherwise threads of other processes get resumed too.
    HANDLE P_SNAPSHOT = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (P_SNAPSHOT == INVALID_HANDLE_VALUE)
        return;

    if (Thread32First(P_SNAPSHOT, &ThreadsInfo))
    {
        do
        {
            if (ThreadsInfo.th32OwnerProcessID != PID)
                continue;
            hIAOThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, ThreadsInfo.th32ThreadID);
            if (hIAOThread != NULL)
            {
                ResumeThread(hIAOThread);
                CloseHandle(hIAOThread);
            }
        }
        while (Thread32Next(P_SNAPSHOT, &ThreadsInfo));
    }

    CloseHandle(P_SNAPSHOT);
}


CrackProcess.h:
Code:

#include <windows.h>
#include <cstdio>
#include "UnPauseThread.h"

using namespace std;
void WriteIAOAddress(HANDLE);
int GetKernelAddress(HANDLE);
BOOL SetProcessEditPriv(LPCSTR);

void WriteIAOAddress(HANDLE pHandle)
{
    BYTE BufferOut = 0x00;
    int BufferSize = sizeof(BufferOut);
    int BufferIn;                 // holds the target ADDRESS, not a buffer
    SIZE_T bWritten;
    DWORD OldProtection = -1;
    MEMORY_BASIC_INFORMATION mbi;

    // SeDebugPrivilege is enabled in main, before OpenProcess.

    BufferIn = GetKernelAddress(pHandle);

    if (BufferIn == 0)
    {
        cout << "Kernel32 error" << endl;
        return;
    }

    BufferIn += 0x8D858;

    printf("%X\n", BufferIn);

    if (!VirtualQueryEx(pHandle, (LPVOID)BufferIn, &mbi, sizeof(mbi)))
        cout << "VirtualQueryEx failed. Error " << GetLastError() << endl;

    cout << "mbi.Type: " << mbi.Type << endl;
    cout << "mbi.AllocationProtect: " << mbi.AllocationProtect << endl;
    cout << "mbi.State: " << mbi.State << endl;
    // NOTE: &BufferIn passes the address of the local variable, not the target
    // address; the replies later in the thread correct this to (LPVOID)BufferIn.
    if (!VirtualProtectEx(pHandle, &BufferIn, BufferSize, PAGE_EXECUTE_READWRITE, &OldProtection))
        cout << "Could not change memory protection. Error " << GetLastError() << endl;

    cout << "PAGE_READWRITE: " << PAGE_READWRITE << endl;
    cout << "Old protection: " << OldProtection << endl;

    for (int i = 0; i < 30; i++)
    {
        cout << "\n\n\n\n\n\n";
        printf("BufferIn: %X\n", BufferIn);

        printf("Address: %X\n", BufferIn);

        cout << "Size of BufferOut: " << sizeof(BufferOut) << endl;
        printf("BufferOut: %X\n", BufferOut);

        // Same &BufferIn mistake as above, in the read and write calls.
        if (!ReadProcessMemory(pHandle, &BufferIn, (LPVOID)&BufferOut, sizeof(BufferOut), NULL))
        {
            cout << "Error ReadProcessMemory. Error " << GetLastError() << endl;
        }
        cout << "BufferOut: " << (int)BufferOut << endl;
        BufferOut = 0;
        if (WriteProcessMemory(pHandle, &BufferIn, &BufferOut, sizeof(BufferOut), &bWritten))
            cout << "Memory edited successfully" << endl;
        else
            cout << "Memory edit failed. Error " << GetLastError() << endl;
        cout << "Bytes Written: " << bWritten << endl;
        ReadProcessMemory(pHandle, &BufferIn, &BufferOut, sizeof(BufferOut), NULL);
        cout << "BufferOut: " << (int)BufferOut << endl;
        BufferIn++;
    }
    return;
}

// Base address of kernel32.dll inside the target process (changes per boot), or 0.
int GetKernelAddress(HANDLE pHandle)
{
    DWORD pID = GetProcessId(pHandle);
    cout << "Process ID is " << pID << "\n";
    MODULEENTRY32 ModE32;
    ModE32.dwSize = sizeof(ModE32);
    HANDLE P_SNAPSHOT = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pID);
    if (P_SNAPSHOT == INVALID_HANDLE_VALUE)
    {
        cout << "Module snapshot error\n";
        cout << "Error " << GetLastError() << "\n";
        return 0;
    }

    if (!Module32First(P_SNAPSHOT, &ModE32))
    {
        cout << "No modules found in the process" << endl;
        CloseHandle(P_SNAPSHOT);
        return 0;
    }

    if (ModE32.modBaseAddr == NULL)
    {
        cout << "Haha!! What a problem, eh!!" << endl;
    }

    int base = 0;
    do
    {
        /*printf("%Xld\n", ModE32.modBaseAddr);
        printf("%Xld\n", ModE32.modBaseSize);
        cout << ModE32.th32ModuleID << endl;
        cout << ModE32.th32ProcessID << endl;
        cout << ModE32.szExePath << endl;
        cout << ModE32.szModule << endl;
        system("pause");*/
        // Compare every entry, the first one included, and stop at kernel32.
        if (!_stricmp(ModE32.szModule, "kernel32.dll"))
        {
            base = (int)ModE32.modBaseAddr;   // 32-bit build: the pointer fits in an int
            break;
        }
    }
    while (Module32Next(P_SNAPSHOT, &ModE32));

    CloseHandle(P_SNAPSHOT);
    return base;   // 0 when kernel32.dll was not in the module list
}

// Enable a privilege (here SeDebugPrivilege) in the calling process's own token.
// Enabling it in the target's token has no effect on our OpenProcess call.
BOOL SetProcessEditPriv(LPCSTR Priv)
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES Privs;
    ZeroMemory(&Privs, sizeof(Privs));
    if (!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken))
    {
        cout << "Could not modify privileges\n";
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, Priv, &luid))
    {
        CloseHandle(hToken);
        return FALSE;
    }

    Privs.PrivilegeCount = 1;
    Privs.Privileges[0].Luid = luid;
    Privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns TRUE even when the privilege was not assigned
    // to the token; ERROR_NOT_ALL_ASSIGNED is only visible through GetLastError().
    BOOL retValue = AdjustTokenPrivileges(hToken, FALSE, &Privs, sizeof(Privs), NULL, NULL);
    if (retValue && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        retValue = FALSE;
    CloseHandle(hToken);
    return retValue;
}

NOTE: The "for" loop inside the WriteIAOAddress function is just for debugging purposes. It's taken out in the original code.

Please take a look at it, it's not that long. Thank you, you've been really helpful.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Sun Mar 07, 2010 9:29 am

Your call to ReadProcessMemory and WriteProcessMemory is wrong

you have set bufferIn to the address you want to read

Code:

if (!ReadProcessMemory  (pHandle, &BufferIn, (LPVOID)&BufferOut, sizeof(BufferOut), NULL))

should be
Code:

if (!ReadProcessMemory  (pHandle, (LPVOID)BufferIn, (LPVOID)&BufferOut, sizeof(BufferOut), NULL))



and

Code:

WriteProcessMemory(pHandle, &BufferIn, &BufferOut, sizeof(BufferOut), &bWritten)

should be
Code:

WriteProcessMemory(pHandle, (LPVOID)BufferIn, &BufferOut, sizeof(BufferOut), &bWritten)



and before you ask why the loop keeps giving different addresses: "BufferIn++;" is responsible for that

SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Mon Mar 08, 2010 4:10 pm

Yeah, I know that, but the thing is the opposite. It gives the same value for each address, and each time I restart the application a different address. That's what I meant. I'm gonna try what you said and edit after. Thank you :)

Okay. There are still some problems, though. WriteProcessMemory isn't returning any official errors, but it's having some problems. First of all, there is ReadProcessMemory. Every address it reads, it reads as 0, unless I call WriteProcessMemory, which varies each time I restart the executable. VirtualProtect is returning error 487 and another error I don't remember right now, and sometimes no error, even though when I call VirtualQueryEx the protect thing doesn't change. This is really messed up, I'd love to know what's going on, quite a mystery. The good thing is that after I solve this problem, I'll have it no more :)
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Mon Mar 08, 2010 5:29 pm

Moved to general programming.

Anyhow,
Code:

 if (!VirtualProtectEx (pHandle, &BufferIn, BufferSize, PAGE_EXECUTE_READWRITE, &OldProtection))
      cout << "No se han podido modificar los permisos de memoria. Error " << GetLastError() << endl;


If you haven't fixed that yet, then change &BufferIn to (LPVOID)BufferIn

As for ReadProcessMemory reading 0, not sure; the only reason is a wrong address that points to 0, or it fails reading
SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Mon Mar 08, 2010 7:55 pm

Oh my god. What's going on here? The good thing is VirtualProtectEx doesn't return any errors and works perfectly. The thing is I have a completely different problem here, or at least it is the same one but I found out more about it. When I call ReadProcessMemory BEFORE calling WriteProcessMemory, the output is set to 0. I tried writing 50 into that address, and when I called ReadProcessMemory AFTER calling WriteProcessMemory, the output is set to... guess what? 50. The WEIRDEST thing, though, is that after I execute my program calling WPM writing 50 into an address, and I execute it again WITHOUT the WPM, the address is still 50. It seems that when I write to an address (which isn't really the address I want to access), and I'm trying to read that memory piece again, I get the same value I wrote last time I executed the program... Here's the thing: when I open the exact same process with Cheat Engine, that space in memory (which is in this case 0x762B286B) is STILL 0xB7; it hasn't been affected by my program. There are two possibilities I thought about:

First possibility is that my program is not accessing the correct address because of an unknown problem

Second possibility is that my program is accessing an address that is not from the program's kernel32 module but a nonexistent address, out of range.

If I'm right about the second possibility then I must ask: How can I access a process' module? Is it the same way of accessing a process executable address?

There's something else:

Since I was able to use WriteProcessMemory, my game (even when I open it without my executable) crashes after it isn't used for a while.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Mon Mar 08, 2010 9:59 pm

Are you sure the offset from the base address of kernel32.dll is 0x8D858 ?

modules are usually loaded at a base address that ends with four zeros (e.g. 789a0000)
that means the offset should end with 286B, not D858
SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Tue Mar 09, 2010 8:40 am

I found that out using OllyDbg. I actually think that address is correct, because, using my function GetKernelAddress, I get the base address of kernel32 (which changes every time I restart my computer, by the way; that's why I have to use that function). The total size of kernel32.dll on my computer is 0x128F5C bytes, so 0x8D86B (that's actually my offset) would be correct. Anyway, after I run the program I output the complete memory address (kernel32 base address + offset) and I look for it in Cheat Engine. It's actually the value I'm looking for. By the way, why this value (286B)?

The question here is: Why would I change an address PERMANENTLY by using WriteProcessMemory? Why is that memory address different in cheat engine and my executable?

What I know is this: the problem here is with ReadProcessMemory and WriteProcessMemory. They are not reading the correct address, which means they are misinterpreting the input value of the address buffer. The good thing is that they are misinterpreting it the same way, so this shouldn't be hard to solve. Thank you once again,
Cheers

SBAOM
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25288
Location: The netherlands

Posted: Tue Mar 09, 2010 9:21 am

Quote:
The total size of kernel32.dll in my computer is of 0x128F5C bytes, so 0x8D86B (that's actually my offset) would be correct.

that only means it falls within the region, not that it is correct

0x8D86B comes closer, but it's still slightly off. (You say you used Olly, but do you understand the difference between the module base and .code?)


Quote:
Why would I change an address PERMANENTLY by using WriteProcessMemory? Why is that memory address different in cheat engine and my executable?

because you are reading and writing a wrong address (that explains the crash)

Quote:

By the way, why this value (286B)?

you said that the address you want to change is 0x762B286B
So, obviously, the last 4 digits of the offset MUST end with 286b

What is the address of the kernel32 base ? and the proper address you want to change at that time ?

then just do offsetyouneed=Addressyoutarget-kernel32base

Tip:
In Cheat Engine just go to that address in the disassembler, disable View->Show symbols and enable View->Show module addresses
It'll write it in modulename+offset notation, just use that offset

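Added example, not code from this thread or from Cheat Engine: a self-contained C simulation of the two points Dark Byte makes in the Sun Mar 07 reply (passing &BufferIn instead of the address value) and in the reply just above (offset = target address - module base, with the low 16 bits as a sanity check). The "target process" is a byte array inside this process so it runs without Windows; sim_read_process_memory and sim_write_process_memory are stand-ins for ReadProcessMemory/WriteProcessMemory that take the address the same way, as a pointer value. SIM_MODULE_BASE, SIM_MODULE_SIZE and SIM_PATCH_OFFSET are constructed values for the simulation, not real kernel32.dll data.

```c
/* Added example, not code from the thread or from Cheat Engine: a simulation of
 * the &BufferIn mistake diagnosed in the replies above and of the module base +
 * offset arithmetic. The "target" is a byte array in this process; base, size and
 * patch offset are constructed values, not real kernel32.dll data. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_MODULE_BASE   ((uintptr_t)0x76200000u)  /* 64 KiB aligned, like real module bases */
#define SIM_MODULE_SIZE   ((size_t)0x20000)
#define SIM_PATCH_OFFSET  ((uintptr_t)0x0D86B)      /* assumed offset of the byte to zero */
#define SIM_ERROR_PARTIAL_COPY 299u                 /* what ReadProcessMemory/WriteProcessMemory report */

static uint8_t  sim_image[SIM_MODULE_SIZE];
static unsigned sim_last_error;

/* Reset the target image: NOP filler with 0xB7 at the patch site. */
static void sim_reset(void)
{
    memset(sim_image, 0x90, sizeof sim_image);
    sim_image[SIM_PATCH_OFFSET] = 0xB7;
    sim_last_error = 0;
}

/* Map a target-space address onto the image; fail like the real API for unmapped ranges. */
static uint8_t *sim_translate(const void *base, size_t n)
{
    uintptr_t a = (uintptr_t)base;
    if (a < SIM_MODULE_BASE || n > SIM_MODULE_SIZE || a - SIM_MODULE_BASE > SIM_MODULE_SIZE - n) {
        sim_last_error = SIM_ERROR_PARTIAL_COPY;
        return NULL;
    }
    return sim_image + (a - SIM_MODULE_BASE);
}

/* Mocks with the argument shape of ReadProcessMemory/WriteProcessMemory: the target
 * address is the VALUE of the pointer argument. An int* converts to const void*
 * silently, which is why passing &local compiles without a warning. */
static bool sim_read_process_memory(const void *base, void *buf, size_t n)
{
    const uint8_t *p = sim_translate(base, n);
    if (!p) return false;
    memcpy(buf, p, n);
    return true;
}

static bool sim_write_process_memory(void *base, const void *buf, size_t n)
{
    uint8_t *p = sim_translate(base, n);
    if (!p) return false;
    memcpy(p, buf, n);
    return true;
}

/* Offset that survives a reboot: debugger address minus the module base seen at the
 * same time. Module bases end in four hex zeros, so the low 16 bits of the offset
 * must equal the low 16 bits of the target address (the ...286B check above). */
static bool module_offset(uintptr_t base_then, uintptr_t addr_then, size_t module_size,
                          uintptr_t *offset_out)
{
    if (base_then & 0xFFFF) return false;                  /* not a plausible module base */
    if (addr_then < base_then || addr_then - base_then >= module_size) return false;
    *offset_out = addr_then - base_then;
    return true;
}

typedef struct { bool ok; uint8_t before, after; } patch_result;

/* Correct patch: address passed by value; read, verify, write, read back. */
static patch_result patch_byte(uintptr_t base_now, uintptr_t offset, uint8_t expect, uint8_t value)
{
    patch_result r = { false, 0, 0 };
    void *addr = (void *)(base_now + offset);              /* the address itself */
    if (!sim_read_process_memory(addr, &r.before, 1)) return r;
    if (r.before != expect) return r;                     /* wrong address or build: do not write */
    if (!sim_write_process_memory(addr, &value, 1)) return r;
    if (!sim_read_process_memory(addr, &r.after, 1)) return r;
    r.ok = (r.after == value);
    return r;
}

/* The thread's bug reproduced: &addr is where the local int lives, which is nowhere
 * inside the target, so the call fails (error 299) and the 0xB7 is never touched. */
static bool patch_byte_wrong(uintptr_t base_now, uintptr_t offset, uint8_t value)
{
    int addr = (int)(base_now + offset);                   /* the poster's "int BufferIn" */
    return sim_write_process_memory(&addr, &value, 1);     /* should be (void *)addr */
}

int main(void)
{
    uintptr_t off = 0;
    sim_reset();
    if (!module_offset(SIM_MODULE_BASE, SIM_MODULE_BASE + SIM_PATCH_OFFSET, SIM_MODULE_SIZE, &off))
        return 1;
    printf("wrong call: %s (error %u), byte still %02X\n",
           patch_byte_wrong(SIM_MODULE_BASE, off, 0x00) ? "ok" : "failed",
           sim_last_error, sim_image[SIM_PATCH_OFFSET]);
    patch_result r = patch_byte(SIM_MODULE_BASE, off, 0xB7, 0x00);
    printf("right call: %s, %02X -> %02X\n", r.ok ? "ok" : "failed", r.before, r.after);
    return r.ok ? 0 : 1;
}
```

Running it shows the &addr call failing with the simulated 299 while the byte stays 0xB7, and the by-value call patching it to 0x00 and reading it back. The read-verify-write sequence in patch_byte is the check the thread's loop lacked: if the byte at base+offset is not the expected 0xB7, either the base or the offset is wrong and nothing gets written, which is the case Dark Byte links to the crash above.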
SBAOM
Newbie cheater
Reputation: 0

Joined: 10 Feb 2010
Posts: 19

Posted: Tue Mar 09, 2010 12:45 pm

Okay. I'll start by saying that the address did not actually end at 286B, I mistakenly wrote that 2 instead of my B, sometimes I do that, as the 9 for the d or the 5 for the f lol. I don't know why that happens to me quite often. So the correct offset IS 0x8D86B. I tried it with cheat engine doing what you said, kernel32.dll+8d86b and I got B7.

I don't understand this phrase, could you explain?
Quote:

0x8D86B comes closer, but it's still slightly off. (you say you used, olly, but do you understand the differences between the modulebase and .code ? )


What's modulebase and .code?

about this
Quote:

because you are reading and writing a wrong address (that explains the crash)

My program doesn't exactly "crash" but works undesirably, specifically ReadProcessMemory and WriteProcessMemory. I think you kind of understand that. My problem here is that those two procedures interact with a wrong address, which shouldn't be, because the address I assign to my function variable is correct; I test it each time I call a function.

About the kernel32.dll base address, it's different every time I restart my PC. That's why I use the function GetKernelAddress; it gets the process's kernel32.dll base address using MODULEENTRY32.modBaseAddr (which is, by the way, always correct). I'm too close to the problem seed to give up. I solved lots of problems with your help; I think this might be the last one. Cheers.


EDIT: **NEW INFO**. I found out something new, and very strange. I shut down my computer, turned it on again and opened my executable. Guess what? Values were correct. Everything in its place. Then I close the program, reopen it and guess what? Now the values are the values I assigned the last time I executed my program. Now, man, that is something. Something weird. I mean... It isn't coherent. Memory can't be edited FOREVER. You know what I mean? When I edit something in CE, close the program and run it again, the address is back to normal. Now THIS is something interesting. This discards the possibility that the function is pointing to a wrong address. Now the problem is something COMPLETELY different, from one second to another. Trial and error.