DeviantGeek (Newbie cheater)
Reputation: 0
Joined: 30 Apr 2006, Posts: 20, Location: 127.0.0.1
Posted: Sun Apr 30, 2006 5:13 pm, Post subject: call number retrieving
I'm writing an app that has some stealth to it and working off of your code. I don't know Delphi but I can figure out the majority of the code either way. I'm stuck with call number retrieving; I've managed to get an app to debug going and get some possible call numbers from it. From there I don't know how to get the parameter count out of each of the call numbers I found. I checked out your Debugger.pas in systemcallretriever and found out that in procedure TDebugger.UpdateList you grab the parameter count of a possible call number you found by reading some memory. I don't know where you're getting the address to read from. I understand the context.eax and $FFF, but what exactly is paramlist? I've traced it through your code and found that at some point it gets set to the SDTShadow value, but how can you get the shadow if it relies on callnumbers to be sure you have the correct SDTShadow? Catch 22 =D. lol So what am I missing or screwing up that's getting me all confused, and how do I get the parameter counts?
Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003, Posts: 25785, Location: The Netherlands
Posted: Mon May 01, 2006 12:34 am
The driver can start and load without having to know the callnumbers. It finds out the SDTShadow address at the initialization of the driver. The dll then stores that address for later requests (systemcallretriever is one of them that needs that address, as you've seen).
In the shadow service descriptor table (16 byte structure) there are 2 pointers. One (the first one) points to an array that holds pointers to all functions, so arrayx[callnumber] gets you the address of the real function;
the other (the last one) points to an array that holds the number of bytes needed for the parameters.
arrayy[callnumber] gets you the number of bytes for that particular callnumber.
So, if you know the function you need takes 3 parameters, then the parameter bytesize will be 0xc. I use that information to verify that the callnumber I found by debugging and inspecting the eax value at systemcall instructions is correct.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
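The table lookup Dark Byte describes, as an added C example (not Cheat Engine's own code): the struct mirrors the descriptor entry as explained above, the field names follow the commonly documented layout, and the function-address and parameter-size arrays are constructed sample data. It shows the arrayy[callnumber] lookup, the conversion from parameter bytes to a parameter count (0xC for 3 parameters), and the bounds check against the table's entry limit that any real lookup needs before a candidate callnumber is trusted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of one service descriptor table entry as described in the post: the first
 * pointer is the function address array (arrayx), the last the parameter byte
 * size array (arrayy). On 32-bit Windows the real entry is 16 bytes. */
typedef struct {
    const uintptr_t *service_table;  /* arrayx[callnumber] -> function address */
    const uint32_t  *counter_table;  /* per-call usage counters, unused here */
    uint32_t         limit;          /* number of valid callnumbers in both arrays */
    const uint8_t   *param_table;    /* arrayy[callnumber] -> parameter bytes */
} service_descriptor_t;

/* Constructed sample data standing in for the win32k shadow table entry. */
static const uintptr_t k_funcs[]  = { 0xBF801000, 0xBF801040, 0xBF801090, 0xBF8010E0, 0xBF801130 };
static const uint8_t   k_params[] = { 0x04, 0x0C, 0x08, 0x0C, 0x10 };
static const service_descriptor_t k_shadow = { k_funcs, NULL, 5, k_params };

/* Function address for a callnumber, 0 if the number is past the table limit. */
uintptr_t function_address(const service_descriptor_t *t, uint32_t callnumber) {
    return callnumber < t->limit ? t->service_table[callnumber] : 0;
}

/* Parameter byte size for a callnumber, -1 if out of range. */
int param_bytes(const service_descriptor_t *t, uint32_t callnumber) {
    return callnumber < t->limit ? (int)t->param_table[callnumber] : -1;
}

/* Parameter count: each 32-bit syscall argument occupies 4 stack bytes,
 * so 3 parameters show up as 0xC, as the post says. */
int param_count(const service_descriptor_t *t, uint32_t callnumber) {
    int bytes = param_bytes(t, callnumber);
    return (bytes < 0 || bytes % 4 != 0) ? -1 : bytes / 4;
}

/* The verification step: a callnumber seen in EAX at a syscall instruction is
 * accepted only when its parameter count matches the known prototype. */
bool callnumber_matches(const service_descriptor_t *t, uint32_t callnumber, int expected_params) {
    return param_count(t, callnumber) == expected_params;
}

int main(void) {
    uint32_t candidate = 3; /* e.g. the EAX value seen at a syscall instruction */
    printf("callnumber %u: %d params, 3-param prototype match: %s\n", candidate,
           param_count(&k_shadow, candidate), callnumber_matches(&k_shadow, candidate, 3) ? "yes" : "no");
    return 0;
}
```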
DeviantGeek (Newbie cheater)
Reputation: 0
Joined: 30 Apr 2006, Posts: 20, Location: 127.0.0.1
Posted: Mon May 01, 2006 9:55 am
I see, I was looking at the driver init routine wrong. It only needs the win32k.sys address and size in order to grab the shadow table. That's what I get for not taking a break at coding! Thanks for the reply and awesome job on Cheat Engine, no more T-Search for me lol.