The Official Site of Cheat Engine
[question]how does the speedhack for CE work?
Forum: Cheat Engine Forum Index -> Cheat Engine Source
theonetrueace
Newbie cheater
Reputation: 0

Joined: 05 Feb 2008
Posts: 14

Posted: Wed Oct 21, 2009 10:52 am

EDIT 2: I still don't understand why it's attempting to write at 00000000... OpenProcess is spitting out what appears to be a valid handle....

Code:
    hProcess:=NewKernelHandler.OpenProcess(PROCESS_ALL_ACCESS,false,ProcessID);
    showmessage('ProcessHandle:' + IntToHex(hProcess, 8));


-------
Original Edit
-------

Nevermind, after nesting a try/except statement in the try/finally statement, I found it was trying to write at 00000000, so I've got to look over my code...

-------
original
-------

Haven't messed with NewKernelHandler... remember I'm piecing together a DLL from parts of your code... basically just trying to rip out the speedhack....

What all is needed to actually get access to the memory of the process? My understanding was OpenProcess would give access....
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

Posted: Fri Oct 23, 2009 2:37 pm

Are you sure it's writing at 00000000 and not executing 00000000?

If it's executing at 00000000 then that means the LoadLibrary/GetProcAddress routine failed in newkernelhandler.pas's initialization section.

Did you run the usedbk32openprocess routine?
If so, that might also be the problem if you don't have dbk32.dll in the same folder.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
theonetrueace
Newbie cheater
Reputation: 0

Joined: 05 Feb 2008
Posts: 14

Posted: Sat Oct 24, 2009 1:29 am

OK... good news... I'm learning a LOT more about Delphi... and I'm sort of liking it... anyway... something is being injected now, and the function completes, but as soon as it does, the app I'm injecting the hook DLL into crashes... here's my inject function... bad news, Windows 7 64-bit isn't giving me any info about the crash... "Stack crash" is basically what it says... take a look and see if you see anything that looks out of place please... remember this is a new DLL and I am strictly calling this function and am getting the processID in my VB.NET app that's calling this DLL... I have yet to edit the hook DLL that's getting injected, but I did rename it....
Code:

function InjectDLL(dllname: string; functiontocall: string; processID: integer): integer;
var
  LoadLibraryPtr: pointer;
  GetProcAddressPtr: pointer;
  OpenProcessPtr: pointer;
  injectedlocation: pointer;
  h: THandle;

  inject: array [0..4095] of byte;
  x: dword;

  outp: TAssemblerBytes;
  position, position2: dword;

  dllLocation: string;
  startaddress: dword;
  functionloc: dword;

  returnINT: integer;
  hProcess: THandle;
begin
  returnint:=1;
  h:=LoadLibrary('Kernel32.dll');
  returnint:=returnint+1;
  if h=0 then raise exception.Create('No kernel32.dll loaded');
  returnint:=returnint+1;

  try
    try
      returnint:=returnint+1;
      GetProcAddressPtr:=GetProcAddress(h,'GetProcAddress');
      returnint:=returnint+1;
      if getprocaddressptr=nil then raise exception.Create('GetProcAddress not found');
      returnint:=returnint+1;

      LoadLibraryPtr:=GetProcAddress(h,'LoadLibraryA');
      returnint:=returnint+1;
      if LoadLibraryptr=nil then raise exception.Create('LoadLibraryA not found');
      returnint:=returnint+1;

      showmessage('processID: ' + IntToHex(processID,8));
      NewKernelHandler.OpenProcess:=GetProcAddress(h,'OpenProcess');
      hProcess:=NewKernelHandler.OpenProcess(PROCESS_ALL_ACCESS,false,processID);
      showmessage('ProcessHandle:' + IntToHex(hProcess, 8));
      VirtualAllocEx:=GetProcAddress(h,'VirtualAllocEx');
      injectedlocation:=VirtualAllocEx(hProcess,nil,4096,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
      returnint:=returnint+1;

      if injectedlocation=nil then raise exception.Create('Failed to allocate memory');
      returnint:=returnint+1;

      dlllocation:=dllname;

      position:=dword(injectedlocation);
      position2:=0;
      copymemory(@inject[0],pchar(dllLocation+#0),length(dllLocation)+1);
      inc(position,length(dllLocation)+1);
      inc(position2,length(dllLocation)+1);

      functionloc:=position;
      copymemory(@inject[position2],pchar(functiontocall+#0),length(functiontocall)+1);
      inc(position,length(functiontocall)+1);
      inc(position2,length(functiontocall)+1);
      startaddress:=position;

      { assemble('mov ['+inttohex(injectedlocation+4096-4,8)+'],esp');
        copymemory(@inject[position2],outp,length(outp));
        inc(position,length(outp));
        inc(position2,length(outp)); }

      assemble('PUSHFD',position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));

      assemble('PUSHAD',position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));

      //loadlibrary(cehook);
      assemble('PUSH '+IntToHex(dword(injectedlocation),8),position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));

      assemble('CALL '+IntToHex(dword(LoadLibraryPtr),8),position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));

      if functiontocall<>'' then
      begin
        //getprocaddress
        assemble('PUSH '+IntToHex(functionloc,8),position,outp);
        copymemory(@inject[position2],outp,length(outp));
        inc(position,length(outp));
        inc(position2,length(outp));

        assemble('PUSH EAX',position,outp);
        copymemory(@inject[position2],outp,length(outp));
        inc(position,length(outp));
        inc(position2,length(outp));

        assemble('CALL '+IntToHex(dword(GetProcAddressPtr),8),position,outp);
        copymemory(@inject[position2],outp,length(outp));
        inc(position,length(outp));
        inc(position2,length(outp));

        //call function
        assemble('CALL EAX',position,outp);
        copymemory(@inject[position2],outp,length(outp));
        inc(position,length(outp));
        inc(position2,length(outp));
      end;

      assemble('POPAD',position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));

      assemble('POPFD',position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));

      assemble('RET',position,outp);
      copymemory(@inject[position2],outp,length(outp));
      inc(position,length(outp));
      inc(position2,length(outp));
      returnint:=returnint+1;

      //call the routine
      writeprocessmemory:=GetProcAddress(h,'WriteProcessMemory');
      { showmessage('Process Handle: ' + inttohex(hprocess,8));
        showmessage('injectedlocation: ' + string(injectedlocation));
        showmessage('@inject[0]: ' + string(@inject[0]));
        showmessage('position2: ' + inttohex(position2,8));
        showmessage('x: ' + inttohex(x,8)); }
      if not writeprocessmemory(hprocess,injectedlocation,@inject[0],position2,x) then raise exception.Create('Failed to inject the dll loader');
      returnint:=returnint+1;

      createremotethread:=GetProcAddress(h,'CreateRemoteThread');
      if createremotethread(hprocess,nil,0,pointer(startaddress),nil,0,x)=0 then raise exception.Create('Failed to execute the dll loader');
      returnint:=returnint+100;
    except
      on E : Exception do
        ShowMessage(E.ClassName+' error raised, with message : '+E.Message);
    end;
  finally
    FreeLibrary(h);
    result:=returnINT;
  end;
end;
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

Posted: Sat Oct 24, 2009 3:31 am

First off, obviously, make sure the target process isn't a 64-bit app. If it is, this crash will happen (e.g. if you can choose between Internet Explorer 64 and Internet Explorer 32, choose IE 32).

And if that isn't it, check your DLL code; it could be that that's what's crashing.

theonetrueace
Newbie cheater
Reputation: 0

Joined: 05 Feb 2008
Posts: 14

Posted: Sat Oct 24, 2009 1:37 pm

EDIT4: And now it's not working... dunno what I changed, can't see anything in particular, but now I get a runtime error 27 when I create the thread after injecting the DLL... the crash says KERNELBASE.DLL is the source... leave me some feedback, I'm done messing with this for the night...

EDIT3: Oookkkk... this is the third edit today on this reply....

Good news, I got the injection code straight and the DLL is getting into the app, now I just got to figure out how the rest works... for some odd reason Delphi doesn't like to receive strings from VB.NET in the form of a function parameter... anyway thanks much for all the direction thus far... will continue to post any further questions if you're willing to work with me :)
VikFreeze
Newbie cheater
Reputation: 0

Joined: 14 Feb 2010
Posts: 21
Location: Basking in the warm glow of several computer monitors

Posted: Wed Feb 24, 2010 4:37 pm    Post subject: A little help please

Hi,
I've been busy tinkering with CE 5.5 and it's going nicely so far;
however there is a problem with the speedhack: when I tick the check box it throws a 'Failed injecting the DLL' error from CEFuncProc. CE 5.6 from SVN does exactly the same thing, therefore I'm guessing it's an external problem.

Using a handy program called Dependency Walker, which traces the application's references, I get this: 'Warning: At least one module has an unresolved import due to a missing export function in a delay-load dependent module.' and 2 DLLs show up in red, IEFRAME.DLL which calls functions named #141, #159 and #160 and SHLWAPI.DLL which calls #270; however these functions are not listed or forwarded properly (at least that's what I think it's trying to tell me, this program is new to me and I'm not sure how to interpret it).

Anyway, a little nudge on how to fix the speedhack and/or whether these issues have anything to do with it would be greatly appreciated.
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

Posted: Wed Feb 24, 2010 5:25 pm

"Failed injecting the DLL" means that the LoadLibraryA call has failed (returned 0).

Check if your compiler is using Unicode; if so, turn that off or rewrite the injection routine to make use of LoadLibraryW.

Also, check that you are giving the full path to the DLL.

Try adding some debug output to show where it's storing the dllname in memory and then browse there. See what went wrong.

Or try extending the injector to call GetLastError to get a more detailed result.

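Two of the failure modes Dark Byte names in his replies (a 32-bit stub landing in a 64-bit target from his earlier post, and a UTF-16 path handed to LoadLibraryA from this one) can be diagnosed before anything touches the target. This Python is an added example, not Cheat Engine code; the PE headers it parses are constructed in-line, and `_fake_pe`, `pe_bitness`, `as_loadlibrarya_would_see` and `injection_compatible` are names chosen here.

```python
import struct

# COFF Machine values from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def _fake_pe(machine):
    """Constructed, minimal PE header (not a real binary): an MZ stub whose
    e_lfanew (offset 0x3C) points at 'PE\\0\\0' followed by a 20-byte COFF header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


def pe_bitness(data):
    """Return 32 or 64 from the COFF Machine field; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    if machine == IMAGE_FILE_MACHINE_I386:
        return 32
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return 64
    raise ValueError("unsupported machine type 0x%04x" % machine)


def injection_compatible(injector_bits, target_image):
    """Dark Byte's first check: the x86 stub above only makes sense when the
    target image has the same bitness as the code that built the stub."""
    return pe_bitness(target_image) == injector_bits


def as_loadlibrarya_would_see(buf):
    """LoadLibraryA reads a NUL-terminated ANSI string, so a UTF-16 buffer
    (what a Unicode Delphi build writes) is cut off at its second byte."""
    return buf.split(b"\0", 1)[0].decode("latin-1")
```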
VikFreeze
Newbie cheater
Reputation: 0

Joined: 14 Feb 2010
Posts: 21
Location: Basking in the warm glow of several computer monitors

Posted: Thu Feb 25, 2010 4:56 am

Lol, what a silly n00b mistake: dllname contained a valid-looking path so I assumed it found the speedhack.dll, but upon closer inspection the DLL wasn't where the path was indicating, so I got a copy from the CE I had installed on my system and it works fine now.

Thanks for the help DB