mStorm (Expert Cheater), Reputation: 0, Joined: 21 Feb 2009, Posts: 107
Posted: Thu Jun 11, 2009 10:49 am
Post subject: Changing Opcodes without Injection?

A game that I have been using DLL injection to change the opcodes has obviously done some type of hooking. I know there are alternate avenues to DLL injection but before I delve into all of that, is there a way to change OpCodes without being injected?
I noticed CheatEngine is still able to change opcodes... but if I just try WriteProcessMemory it fails with access violations.
Any ideas?
Last edited by mStorm on Thu Jun 11, 2009 10:58 am; edited 1 time in total

&Vage (Grandmaster Cheater Supreme), Reputation: 0, Joined: 25 Jul 2008, Posts: 1053
Posted: Thu Jun 11, 2009 10:51 am

I think CE uses a DLL to inject too, but you can use WriteProcessMemory.

mStorm (Expert Cheater), Reputation: 0, Joined: 21 Feb 2009, Posts: 107
Posted: Thu Jun 11, 2009 10:57 am

I tried just WriteProcessMemory first, with the correct privileges, and I get access violation errors. I then wrote a DLL to change the opcodes and grabbed an injector.dll and it worked fine, until they somehow disabled that method of DLL injection. Now I want to figure out how to change the opcodes without DLL injection so I don't have to spend countless hours finding new methods of injecting a DLL to bypass what they've implemented.

&Vage (Grandmaster Cheater Supreme), Reputation: 0, Joined: 25 Jul 2008, Posts: 1053
Posted: Thu Jun 11, 2009 11:00 am

VirtualProtectEx.

mStorm (Expert Cheater), Reputation: 0, Joined: 21 Feb 2009, Posts: 107
Posted: Thu Jun 11, 2009 11:03 am

I'm pretty sure I tried that... I guess I'll try again when I get home.

Slugsnack (Grandmaster Cheater Supreme), Reputation: 71, Joined: 24 Jan 2007, Posts: 1857
Posted: Thu Jun 11, 2009 7:24 pm

Either you messed up, or something is changing the protections back between your VirtualProtectEx and your WriteProcessMemory call.

Jani (Grandmaster Cheater), Reputation: 2, Joined: 29 Dec 2006, Posts: 804
Posted: Fri Jun 12, 2009 6:01 am

I'm not sure whether WriteProcessMemory requires the writable flag set by VirtualProtect.. A handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION access should be enough? VirtualProtect is only for stuff you do inside the process.
I'm not much into this specific topic anyway..
I assume your game isn't protected with any protection like GameGuard?

shhac (Expert Cheater), Reputation: 0, Joined: 30 Oct 2007, Posts: 108
Posted: Fri Jun 12, 2009 7:57 am

Did you try writing the whole opcode in one go, rather than writing byte by byte?

rapion124 (Grandmaster Cheater Supreme), Reputation: 0, Joined: 25 Mar 2007, Posts: 1095
Posted: Fri Jun 12, 2009 1:13 pm

For WriteProcessMemory, you need to have PROCESS_VM_WRITE access to the process. The memory you're writing to must have the PAGE_READWRITE or PAGE_EXECUTE_READWRITE flags.

BanMe (Master Cheater), Reputation: 0, Joined: 29 Nov 2005, Posts: 375, Location: Farmington NH, USA
Posted: Fri Jun 12, 2009 1:35 pm

The question was how to do it without injection...so you all perpetuate S3NSA's wrong answer with further stupidity..avoiding the question..one way to do it is to register as a subsystem similar to csrss and rely on system behavior to do all the work for us..please refer to WLSI (Windows Local Shellcode Injection by Cesar Cerrudo) for further information..this way is entirely impractical, but it can be done..we could even include inside this shared section a means of writing to or reading from the current process without using WriteProcessMemory or ReadProcessMemory..refer to my post about WritePointer and x0r's (Irwin's) post about ReadPointer.. then all that's needed is a manager that does the required task in conjunction with current system behavior.. all this can be done without hooks ...
but unless you have a lot of time and a distinct understanding of the architecture you're targeting, this is not something just anyone can accomplish ..
regards BanMe
_________________
don't +rep me..i do not wish to have "status" or "recognition" from you or anyone.. thank you.

mStorm (Expert Cheater), Reputation: 0, Joined: 21 Feb 2009, Posts: 107
Posted: Fri Jun 12, 2009 2:29 pm

shhac wrote:
> Did you try writing the whole opcode in one go, rather than writing byte by byte?

I try writing the whole opcode; would it be better to write byte by byte?
Edit:
Of course, I was not setting the VirtualProtectEx correctly.
Completely weird, but for one of the opcode changes: it will work when running the program in the VB6 environment, but not when it's a standalone exe.
Reasons?

Jani (Grandmaster Cheater), Reputation: 2, Joined: 29 Dec 2006, Posts: 804
Posted: Sat Jun 13, 2009 3:19 am

rapion124 wrote:
> For WriteProcessMemory, you need to have PROCESS_VM_WRITE access to the process. The memory you're writing to must have the PAGE_READWRITE or PAGE_EXECUTE_READWRITE flags.

Wrong.
All you need is PROCESS_VM_WRITE and PROCESS_VM_OPERATION. The memory may have eg. PAGE_EXECUTE_READ and you're still able to write the memory.
Just to prove that I'm correct, here's a small and quick example:

Code:

    #include <iostream>
    #include <windows.h>
    #include <string>
    #include <sstream>
    #include <cstdlib>   // EXIT_SUCCESS / EXIT_FAILURE
    #include <cstdint>   // uintptr_t

    #define BufLen 5

    int main(int argc, char *argv[])
    {
        int pid;
        uintptr_t addy;
        std::string s;
        std::stringstream ss;
        HANDLE hProc;
        char buf[BufLen] = { 0 };
        DWORD oldProtect = 0;

        // Read the target PID (decimal) and address (hex) from stdin.
        std::cout << "PID: ";
        std::getline(std::cin, s);
        ss << s;
        if( !(ss >> pid) )
            return EXIT_FAILURE;
        ss.clear();

        std::cout << "Addy: 0x";
        std::getline(std::cin, s);
        ss << s;
        if( !(ss >> std::hex >> addy) )
            return EXIT_FAILURE;

        // Only VM_WRITE and VM_OPERATION are needed for the write; VM_READ is
        // added so the bytes can be shown before and after.
        hProc = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_VM_READ, FALSE, pid);
        if( !hProc )
            return EXIT_FAILURE;

        std::cout << std::hex;

        // Show the page is not writable: set PAGE_EXECUTE_READ, print the
        // previous protection, then put the previous protection back.
        if( VirtualProtectEx(hProc, (void*)addy, BufLen, PAGE_EXECUTE_READ, &oldProtect) ) {
            std::cout << "Protection: 0x" << oldProtect << std::endl;
            VirtualProtectEx(hProc, (void*)addy, BufLen, oldProtect, &oldProtect);
        }

        // Read the bytes; each byte is incremented after printing so the
        // write below visibly changes the memory.
        if( ReadProcessMemory(hProc, (void*)addy, buf, BufLen, NULL) ) {
            std::cout << "RPM success:";
            for(int i = 0; i < BufLen; ++i)
                std::cout << " 0x" << (unsigned int)(unsigned char)( (buf[i])++ );
            std::cout << std::endl;
        }

        // Write the incremented bytes back without touching the protection.
        if( WriteProcessMemory(hProc, (void*)addy, buf, BufLen, NULL) )
            std::cout << "WPM success." << std::endl;

        // Read again to confirm the write took effect.
        if( ReadProcessMemory(hProc, (void*)addy, buf, BufLen, NULL) ) {
            std::cout << "RPM success:";
            for(int i = 0; i < BufLen; ++i)
                std::cout << " 0x" << (unsigned int)(unsigned char)(buf[i]);
            std::cout << std::endl;
        }

        CloseHandle(hProc);
        return EXIT_SUCCESS;
    }

And output with calc.exe:

Code:

    PID: 3464
    Addy: 0x01001000
    Protection: 0x20
    RPM success: 0x52 0x78 0xdd 0x77 0xbb
    WPM success.
    RPM success: 0x53 0x79 0xde 0x78 0xbc

Btw, PAGE_EXECUTE_READ is 0x20.
Don't blame me for poor coding, I don't want to put more effort into this.

&Vage (Grandmaster Cheater Supreme), Reputation: 0, Joined: 25 Jul 2008, Posts: 1053
Posted: Sat Jun 13, 2009 11:45 pm

Are you sure the anticheat of the game lets you use WPM and RPM?

dnsi0 (I post too much), Reputation: 0, Joined: 04 Jan 2007, Posts: 2674
Posted: Sun Jun 14, 2009 7:54 am

&Vage wrote:
> Are you sure the anticheat of the game lets you use WPM and RPM?

Yeah, get yourself LiveKD and type u nt!NtReadVirtualMemory and u nt!NtWriteVirtualMemory to see if it's hooked.