Cheat Engine

Uli · Cheater Reputation: 0 Joined: 08 Mar 2008 Posts: 37

Editing a game EXE in Ollydbg.

So far I have edited everything and it all works however I need to do something else for what I want to do to work.

The game loads a DLL which needs to be loaded however once it has been loaded you can remove it (I have removed it manually by closing its threads to the DLL)

However I want to make it so the EXE closes the threads after the DLL has been fully loaded.

I got the space to do it and I know where to call the code to do it.

The problem is the ASM To do it, the game loads up Kernel32.dll so I got access to the FreeLibrary, close thread etc however I do not know which one I need, what I need to pass to it etc.

Any help on it will be appreciated.

Example, Calls to Kernel32.

Close (Terminate) Thread - CALL DWORD PTR DS:[76B280]

Close Handle - CALL DWORD PTR DS:[76B27C]

Free Library - CALL DWORD PTR DS:[76B0C4]

Slugsnack · Posted: Sat Apr 17, 2010 5:26 am Post subject:

so you want to kill threads belonging to that dll ? how are you currently doing that ? then what ? free the library ?

Uli · Cheater Reputation: 0 Joined: 08 Mar 2008 Posts: 37

Slugsnack · Posted: Sat Apr 17, 2010 6:22 am Post subject:

i'm not sure why you want the dll to be loaded up then freed straight afterwards. i mean if that is really the case then you could just write some code in the dllmain that creates a new thread, passing the hinstance which calls freelibraryandexitthread

how are you currently doing this ?

if you freelibrary and there is a thread executing inside that dll at the time, on the next fetch-execute cycle, it would crash with an memory violation

Uli · Cheater Reputation: 0 Joined: 08 Mar 2008 Posts: 37

Slugsnack · Posted: Sat Apr 17, 2010 6:49 am Post subject:

what do you mean by X amount of dll threads ? what do you mean by 'the dll will only get executed if 3 threads respond to it' ?

if the dll is able to detect that certain threads are not running then it implies it is in some way synchronizing with those threads. if your solution is to free that dll, then that thread that we assume is executing this synchronization code within the dll must be terminated. is that what you want to do ?

it is odd, though, that a dll would be loaded up for the sole purpose of thread synchronization. mostly, a thread would be created in a function in the calling module for something like that

Uli · Cheater Reputation: 0 Joined: 08 Mar 2008 Posts: 37

Slugsnack · Posted: Sat Apr 17, 2010 7:30 am Post subject:

it's not a simple matter enumerating threads ( easy part ) and finding which modules they belong to ( at least not in inline asm ). if you're gonna do that, might as well code your own module in asm or something and inject it.

can't you just block the loadlibrary call in the first place ?

Uli · Cheater Reputation: 0 Joined: 08 Mar 2008 Posts: 37

Slugsnack · Posted: Sat Apr 17, 2010 8:20 am Post subject:

you could always find where this 'check thread' is being launched and disable that call. from what it sounds like, this may well be dllmain. it's unlikely another module would load the library then create the corresponding thread to run inside the new module.