Cheat Engine The Official Site of Cheat Engine
theonetrueace Newbie cheater
Reputation: 0
Joined: 05 Feb 2008 Posts: 14
Posted: Wed Oct 21, 2009 10:52 am
EDIT 2: I still don't understand why it's attempting to write at 00000000... OpenProcess is spitting out what appears to be a valid handle....
Code: |
hProcess:=NewKernelHandler.OpenProcess(PROCESS_ALL_ACCESS,false,ProcessID);
showmessage('ProcessHandle:' + IntToHex(hProcess, 8));
|
-------
Original Edit
-------
Never mind, after nesting a try/except statement in the try/finally statement, I found it was trying to write @ 00000000, so I've got to look over my code...
-------
original
-------
Haven't messed with NewKernelHandler..... Remember I'm piecing together a DLL from parts of your code... basically just trying to rip out the speedhack....
What all is needed to actually get access to the memory of the process? My understanding was OpenProcess would give access....
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The netherlands
Posted: Fri Oct 23, 2009 2:37 pm
Are you sure it's writing at 00000000 and not executing 00000000?
If it's executing at 00000000 then that means the LoadLibrary/GetProcAddress routine failed in newkernelhandler.pas's initialization section.
Did you run the usedbk32openprocess routine?
If so, that might also be the problem if you don't have dbk32.dll in the same folder.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
theonetrueace Newbie cheater
Reputation: 0
Joined: 05 Feb 2008 Posts: 14
Posted: Sat Oct 24, 2009 1:29 am
OK.... good news... I'm learning A LOT more about Delphi.... and I'm sort of liking it.... anyway... something is being injected now, and the function completes, but as soon as it does, the app I'm injecting the hook DLL into, well, it crashes.... Here's my inject function.... Bad news, Windows 7 64-bit isn't giving me any info about the crash.... "Stack crash" is basically what it says.... Take a look and see if you see anything that looks out of place please... Remember this is a new DLL and I am strictly calling this function and am getting the processID in my VB.NET app that's calling this DLL... I have yet to edit the hook DLL that's getting injected, but I did rename it....
Code: |
// Requires the Windows, SysUtils and Dialogs units plus Cheat Engine's
// NewKernelHandler and assembler unit (assemble / TAssemblerBytes).
function InjectDLL(dllname: string; functiontocall: string; processID: integer): integer;
var
  LoadLibraryPtr: pointer;
  GetProcAddressPtr: pointer;
  injectedlocation: pointer;         // page allocated inside the target process
  h: THandle;                        // local kernel32 module handle
  inject: array [0..4095] of byte;   // local staging copy of what gets written remotely
  x: dword;                          // receives bytes written / remote thread id
  outp: TAssemblerBytes;
  position, position2: dword;        // position = remote address, position2 = offset into inject[]
  dllLocation: string;
  startaddress: dword;               // remote address of the loader stub
  functionloc: dword;                // remote address of the function-name string
  returnINT: integer;                // progress counter returned for debugging
  hProcess: THandle;
begin
  returnint := 1;
  hProcess := 0;
  h := LoadLibrary('Kernel32.dll');
  returnint := returnint + 1;
  if h = 0 then raise Exception.Create('No kernel32.dll loaded');
  returnint := returnint + 1;
  try
    try
      returnint := returnint + 1;
      GetProcAddressPtr := GetProcAddress(h, 'GetProcAddress');
      returnint := returnint + 1;
      if GetProcAddressPtr = nil then raise Exception.Create('GetProcAddress not found');
      returnint := returnint + 1;
      LoadLibraryPtr := GetProcAddress(h, 'LoadLibraryA');
      returnint := returnint + 1;
      if LoadLibraryPtr = nil then raise Exception.Create('LoadLibraryA not found');
      returnint := returnint + 1;
      ShowMessage('processID: ' + IntToHex(processID, 8));
      NewKernelHandler.OpenProcess := GetProcAddress(h, 'OpenProcess');
      hProcess := NewKernelHandler.OpenProcess(PROCESS_ALL_ACCESS, false, processID);
      ShowMessage('ProcessHandle:' + IntToHex(hProcess, 8));
      if hProcess = 0 then raise Exception.Create('OpenProcess failed');
      VirtualAllocEx := GetProcAddress(h, 'VirtualAllocEx');
      injectedlocation := VirtualAllocEx(hProcess, nil, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      returnint := returnint + 1;
      if injectedlocation = nil then raise Exception.Create('Failed to allocate memory');
      returnint := returnint + 1;

      // Layout of the remote page: dll path string, function name string, then the stub.
      dllLocation := dllname;
      position := dword(injectedlocation);
      position2 := 0;
      CopyMemory(@inject[0], pchar(dllLocation + #0), length(dllLocation) + 1);
      inc(position, length(dllLocation) + 1);
      inc(position2, length(dllLocation) + 1);
      functionloc := position;
      CopyMemory(@inject[position2], pchar(functiontocall + #0), length(functiontocall) + 1);
      inc(position, length(functiontocall) + 1);
      inc(position2, length(functiontocall) + 1);
      startaddress := position;

      { assemble('mov [' + IntToHex(dword(injectedlocation) + 4096 - 4, 8) + '],esp', position, outp);
        CopyMemory(@inject[position2], outp, length(outp));
        inc(position, length(outp));
        inc(position2, length(outp)); }

      assemble('PUSHFD', position, outp);
      CopyMemory(@inject[position2], outp, length(outp));
      inc(position, length(outp));
      inc(position2, length(outp));
      assemble('PUSHAD', position, outp);
      CopyMemory(@inject[position2], outp, length(outp));
      inc(position, length(outp));
      inc(position2, length(outp));

      // loadlibrary(cehook): the dll path sits at the start of the page
      assemble('PUSH ' + IntToHex(dword(injectedlocation), 8), position, outp);
      CopyMemory(@inject[position2], outp, length(outp));
      inc(position, length(outp));
      inc(position2, length(outp));
      assemble('CALL ' + IntToHex(dword(LoadLibraryPtr), 8), position, outp);
      CopyMemory(@inject[position2], outp, length(outp));
      inc(position, length(outp));
      inc(position2, length(outp));

      if functiontocall <> '' then
      begin
        // getprocaddress(module handle in EAX, function name)
        assemble('PUSH ' + IntToHex(functionloc, 8), position, outp);
        CopyMemory(@inject[position2], outp, length(outp));
        inc(position, length(outp));
        inc(position2, length(outp));
        assemble('PUSH EAX', position, outp);
        CopyMemory(@inject[position2], outp, length(outp));
        inc(position, length(outp));
        inc(position2, length(outp));
        assemble('CALL ' + IntToHex(dword(GetProcAddressPtr), 8), position, outp);
        CopyMemory(@inject[position2], outp, length(outp));
        inc(position, length(outp));
        inc(position2, length(outp));
        // call the resolved function
        assemble('CALL EAX', position, outp);
        CopyMemory(@inject[position2], outp, length(outp));
        inc(position, length(outp));
        inc(position2, length(outp));
      end;

      assemble('POPAD', position, outp);
      CopyMemory(@inject[position2], outp, length(outp));
      inc(position, length(outp));
      inc(position2, length(outp));
      assemble('POPFD', position, outp);
      CopyMemory(@inject[position2], outp, length(outp));
      inc(position, length(outp));
      inc(position2, length(outp));
      assemble('RET', position, outp);
      CopyMemory(@inject[position2], outp, length(outp));
      inc(position, length(outp));
      inc(position2, length(outp));
      returnint := returnint + 1;

      // write the page into the target and run the stub
      WriteProcessMemory := GetProcAddress(h, 'WriteProcessMemory');
      { ShowMessage('Process Handle: ' + IntToHex(hProcess, 8));
        ShowMessage('injectedlocation: ' + IntToHex(dword(injectedlocation), 8));
        ShowMessage('position2: ' + IntToHex(position2, 8)); }
      if not WriteProcessMemory(hProcess, injectedlocation, @inject[0], position2, x) then
        raise Exception.Create('Failed to inject the dll loader');
      returnint := returnint + 1;
      CreateRemoteThread := GetProcAddress(h, 'CreateRemoteThread');
      if CreateRemoteThread(hProcess, nil, 0, pointer(startaddress), nil, 0, x) = 0 then
        raise Exception.Create('Failed to execute the dll loader');
      returnint := returnint + 100;
    except
      on E: Exception do
        ShowMessage(E.ClassName + ' error raised, with message : ' + E.Message);
    end;
  finally
    if hProcess <> 0 then CloseHandle(hProcess);
    FreeLibrary(h);
    result := returnINT;
  end;
end;
|
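Seen from the defender's side, the sequence the function above performs (VirtualAllocEx of an executable page, WriteProcessMemory of a loader stub, CreateRemoteThread at an address no module image backs) is exactly what endpoint telemetry keys on. The following is an added example, not code from this thread or from Cheat Engine: a small Python triage over constructed records shaped like the fields Sysmon reports for Event ID 8 (CreateRemoteThread), flagging remote threads whose start address has no backing module, or that start directly at a LoadLibrary export. The paths, PIDs, addresses and the `RemoteThreadEvent` layout are assumptions made up for the example.

```python
"""Triage CreateRemoteThread telemetry for the injection pattern shown above.

Added example; not code from the thread or from Cheat Engine. The records are
constructed to mirror the fields Sysmon reports for Event ID 8
(CreateRemoteThread): source/target process, thread start address, and the
module and export symbol that back that address, if any.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    start_address: int
    start_module: str    # "" when the start address is not inside any loaded module
    start_function: str  # "" when no export symbol resolves at the start address


# Constructed sample telemetry (paths, PIDs and addresses are made up).
SAMPLE_EVENTS: List[RemoteThreadEvent] = [
    # A process starting a thread in itself: not a remote thread at all.
    RemoteThreadEvent(1200, r"C:\Windows\explorer.exe", 1200, r"C:\Windows\explorer.exe",
                      0x7FFB1A2B3C40, r"C:\Windows\System32\ntdll.dll", "RtlUserThreadStart"),
    # Cross-process thread that starts in a module-backed export (a debugger attaching).
    RemoteThreadEvent(3300, r"C:\Program Files\Debugger\dbg.exe", 4100, r"C:\Apps\app.exe",
                      0x77A62F10, r"C:\Windows\System32\ntdll.dll", "DbgUiRemoteBreakin"),
    # The pattern from the posted injector: the thread starts in a freshly
    # allocated page that no module image backs (VirtualAllocEx + WriteProcessMemory).
    RemoteThreadEvent(5020, r"C:\Users\me\inject.exe", 6044, r"C:\Games\game.exe",
                      0x00A40000, "", ""),
    # The minimal LoadLibrary injector: thread entry is kernel32!LoadLibraryA itself.
    RemoteThreadEvent(5020, r"C:\Users\me\inject.exe", 6044, r"C:\Games\game.exe",
                      0x75A0E4E0, r"C:\Windows\System32\kernel32.dll", "LoadLibraryA"),
]

LOADER_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def classify(ev: RemoteThreadEvent) -> str:
    """Return a verdict label for one CreateRemoteThread event."""
    if ev.source_pid == ev.target_pid:
        return "local"                       # same process: out of scope for this rule
    if ev.start_module == "":
        return "suspicious:unbacked-start"   # entry in private memory, no module behind it
    if ev.start_function.lower() in LOADER_ENTRYPOINTS:
        return "suspicious:loader-entry"     # classic CreateRemoteThread(LoadLibrary) injector
    return "remote:module-backed"            # cross-process but inside a known image


def triage(events: List[RemoteThreadEvent]) -> List[Tuple[int, int, str]]:
    """Summarise every event as (source_pid, target_pid, verdict)."""
    return [(ev.source_pid, ev.target_pid, classify(ev)) for ev in events]


def suspicious(events: List[RemoteThreadEvent]) -> List[RemoteThreadEvent]:
    """Keep only the events a responder should look at."""
    return [ev for ev in events if classify(ev).startswith("suspicious")]


if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_EVENTS):
        print(f"{src:>5} -> {dst:<5} {verdict}")
```

The "unbacked start" rule is the one that catches the stub-based approach in this thread; the "loader entry" rule catches the simpler variant that points the remote thread straight at LoadLibraryA. Both produce false positives from debuggers and some instrumentation agents, so in practice the source image is whitelisted before alerting.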
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The netherlands
Posted: Sat Oct 24, 2009 3:31 am
First off, obviously, make sure the target process isn't a 64-bit app. If it is, this crash will happen (e.g. if you can choose between Internet Explorer 64 and Internet Explorer 32, choose IE 32).
And if that isn't it, check your DLL code; it could be that that's what's crashing.
theonetrueace Newbie cheater
Reputation: 0
Joined: 05 Feb 2008 Posts: 14
Posted: Sat Oct 24, 2009 1:37 pm
EDIT4: And now it's not working.... dunno what I changed, can't see anything in particular, but now I get a runtime error 27 when I create the thread after injecting the DLL.... the crash says KERNELBASE.DLL is the source.... leave me some feedback, I'm done messing with this for the night...
EDIT3: Oookkkk.... this is the third edit today on this reply....
Good news, I got the injection code straight and the DLL is getting into the app; now I just got to figure out how the rest works.... For some odd reason Delphi doesn't like to receive strings from VB.NET in the form of a function parameter.... Anyway, thanks much for all the direction thus far.... Will continue to post any further questions if you're willing to work with me.
VikFreeze Newbie cheater
Reputation: 0
Joined: 14 Feb 2010 Posts: 21 Location: Basking in the warm glow of several computer monitors
Posted: Wed Feb 24, 2010 4:37 pm Post subject: A little help please
Hi,
I've been busy tinkering with CE 5.5 and it's going nicely so far;
however there is a problem with the speedhack: when I tick the check box it throws a 'Failed injecting the DLL' error from CEFuncProc. CE 5.6 from SVN does exactly the same thing, therefore I'm guessing it's an external problem.
Using a handy program called Dependency Walker, which traces the application's references, I get this: 'Warning: At least one module has an unresolved import due to a missing export function in a delay-load dependent module.' and 2 DLLs show up in red, IEFRAME.DLL which calls functions named #141, #159 and #160 and SHLWAPI.DLL which calls #270; however these functions are not listed or forwarded properly (at least that's what I think it's trying to tell me, this program is new to me and I'm not sure how to interpret it).
Anyway, a little nudge on how to fix the speedhack and/or whether these issues have anything to do with it would be greatly appreciated.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The netherlands
Posted: Wed Feb 24, 2010 5:25 pm
"Failed injecting the DLL" means that the LoadLibraryA call has failed (returned 0).
Check if your compiler is using Unicode; if so, turn that off or rewrite the injection routine to make use of LoadLibraryW.
Also, check that you are giving the full path to the DLL.
Try adding some debug output to show where it's storing the dllname in memory and then browse there. See what went wrong.
Or try extending the injector to call GetLastError to get more detailed results.
VikFreeze Newbie cheater
Reputation: 0
Joined: 14 Feb 2010 Posts: 21 Location: Basking in the warm glow of several computer monitors
Posted: Thu Feb 25, 2010 4:56 am
Lol, what a silly n00b mistake: dllname contained a valid-looking path so I assumed it found the speedhack.dll, but upon closer inspection the DLL wasn't where the path was indicating, so I got a copy from the CE I had installed on my system and it works fine now.
Thanks for the help DB