				 Posted: Mon Oct 24, 2016 2:15 pm    Post subject: [C++] Couldn't use OP/WPM/RPM yet! (dbk32.dll, dbk32.sys...) | 
Hello everyone. I have a simple problem, but I couldn't solve it yet because I'm a newbie in programming. See if you can help me:
 
 
I'm creating a C++ trainer for a game. I've created a lot of trainers before, but what happened to me this time is curious: I'm not able to use WriteProcessMemory()/ReadProcessMemory(). This only happens on Windows 7; I can use WPM and RPM normally on Windows XP.
 
 
So I tried to google everything, and I found something capable of editing the memory of the game I'm targeting: Cheat Engine. But the normal options in Cheat Engine couldn't edit the memory (the Memory Viewer just showed ?? in it); I had to enable a kernel-mode routine option for WPM/RPM. Never mind. The important thing is that if some program can edit that memory, mine could too. So here I am, trying to do the same thing CE does.
 
 
In sum, what I want is to use the WPM/RPM functions the way Cheat Engine does. I think I'm on the way to doing that, but I just need a little help. Have a look at my code:
 
 
 
#include <cstdio>
 
#include <windows.h>
 
#include <tlhelp32.h>
 
#include <stdio.h> 
 
#include <objidl.h> 
 
#pragma comment(lib, "user32.lib") 
 
int newdata;          // Set to 30 in main() but never passed to any write call.

DWORD newdatasize;    // sizeof(newdata); set in main() and likewise unused.





// Function-pointer types for the exports main() resolves from dbk32.dll by name.
// NOTE(review): the DLL's real export signatures are not shown in this file; these
// typedefs are assumptions modelled on OpenProcess/WriteProcessMemory/ReadProcessMemory.
// Two visible inconsistencies: the Win32 originals return BOOL while these return the
// C++ bool, and RPMfunc is a verbatim copy of WPMfunc, so its buffer parameter is
// LPCVOID although a read has to write into it. Calling through a pointer whose type
// does not match the callee's actual signature is undefined behaviour.
typedef   HANDLE   (__stdcall *OPfunc)(DWORD dwDesiredAccess,BOOL  bInheritHandle,DWORD dwProcessId); 

typedef   bool   (__stdcall *WPMfunc)(HANDLE  hProcess,LPVOID  lpBaseAddress,LPCVOID lpBuffer,SIZE_T  nSize,SIZE_T  *lpNumberOfBytesWritten); 

typedef   bool   (__stdcall *RPMfunc)(HANDLE  hProcess,LPVOID  lpBaseAddress,LPCVOID lpBuffer,SIZE_T  nSize,SIZE_T  *lpNumberOfBytesWritten); 
 
 
 
 
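/*
 * Enables SeDebugPrivilege on the current process token.
 *
 * AdjustTokenPrivileges can only switch on a privilege the token already
 * holds (normally an elevated administrator token). When the privilege is
 * absent it still returns TRUE but sets ERROR_NOT_ALL_ASSIGNED, so that case
 * is checked explicitly. Failures are reported on stdout; the function keeps
 * its void interface.
 *
 * Fixes relative to the original: named constants replace the magic numbers
 * 40 (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), 2 (SE_PRIVILEGE_ENABLED) and 28
 * (a buffer length larger than the TOKEN_PRIVILEGES variable it described);
 * the token handle is closed on every path; API results are no longer ignored.
 */
void enableDebugPrivileges() {
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        printf("\nOpenProcessToken failed. LastError: %lu\n", GetLastError());
        return;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        printf("\nLookupPrivilegeValue failed. LastError: %lu\n", GetLastError());
        CloseHandle(hToken);
        return;
    }

    TOKEN_PRIVILEGES newState;
    ZeroMemory(&newState, sizeof(newState));
    newState.PrivilegeCount = 1;
    newState.Privileges[0].Luid = luid;
    newState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // The previous state is not needed, so no PreviousState buffer is passed;
    // this also removes the mismatched buffer length of the original call.
    BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &newState, sizeof(newState), NULL, NULL);
    if (!adjusted || GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("\nCould not enable SeDebugPrivilege (token lacks it; run elevated). LastError: %lu\n", GetLastError());
    }

    CloseHandle(hToken);
}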
 
 
 
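/*
 * Enables the named privilege (e.g. SE_DEBUG_NAME) on the token of the
 * process referred to by pHandle.
 *
 * Note: the token adjusted is that of the process behind pHandle, not the
 * caller's. main() passes the *target* process handle here, so this call does
 * not change main()'s own privileges; pass GetCurrentProcess() for that. The
 * handle must allow querying the process (main() opens it with
 * PROCESS_QUERY_INFORMATION).
 *
 * Returns TRUE only if the privilege is actually enabled. AdjustTokenPrivileges
 * reports success even when the token does not hold the privilege (it merely
 * sets ERROR_NOT_ALL_ASSIGNED), so that case is mapped to FALSE here; the
 * original returned the raw API result and therefore TRUE in that case.
 */
BOOL SetProcessEditPriv(LPCSTR Priv, HANDLE pHandle)
{
   HANDLE hToken = NULL;
   if (!OpenProcessToken(pHandle, (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken))
   {
      printf("No se pudieron modificar los privilegios");
      return FALSE;
   }

   LUID luid;
   if (!LookupPrivilegeValue(NULL, Priv, &luid))
   {
      CloseHandle(hToken);
      return FALSE;
   }

   TOKEN_PRIVILEGES Privs;
   ZeroMemory(&Privs, sizeof(Privs));
   Privs.PrivilegeCount = 1;
   Privs.Privileges[0].Luid = luid;
   Privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

   BOOL retValue = AdjustTokenPrivileges(hToken, FALSE, &Privs, sizeof(Privs), NULL, NULL);
   // A TRUE return with ERROR_NOT_ALL_ASSIGNED means the token lacks the
   // privilege (typically: not running as administrator).
   if (retValue && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
   {
      retValue = FALSE;
   }

   CloseHandle(hToken);
   return retValue;
}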
 
 
 
 
 
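/*
 * Enables SeDebugPrivilege on the current process token.
 *
 * Same job as enableDebugPrivileges(); the call in main() is commented out,
 * so it is kept with its void interface. Differences from the original: every
 * API result is checked (the original passed an uninitialized hToken on to
 * AdjustTokenPrivileges and CloseHandle when OpenProcessToken failed), the
 * ERROR_NOT_ALL_ASSIGNED case is reported, and the token handle is closed on
 * every path.
 */
void EnableDebugPriv()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        printf("\nOpenProcessToken failed. LastError: %lu\n", GetLastError());
        return;
    }

    LUID luid;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        printf("\nLookupPrivilegeValue failed. LastError: %lu\n", GetLastError());
        CloseHandle(hToken);
        return;
    }

    TOKEN_PRIVILEGES tkp;
    ZeroMemory(&tkp, sizeof(tkp));
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns TRUE even when the token lacks the
    // privilege; that case is only visible through ERROR_NOT_ALL_ASSIGNED.
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
        || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("\nCould not enable SeDebugPrivilege. LastError: %lu\n", GetLastError());
    }

    CloseHandle(hToken);
}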
 
 
/*
 * Entry point of the scratch trainer. Flow as written:
 *  1. Looks up the "Minesweeper" window and its PID (the PID is never used
 *     afterwards; the process is located again by name below).
 *  2. Loads dbk32.dll and resolves its OP/WPM/RPM exports through the
 *     typedefs declared above.
 *  3. Enables SeDebugPrivilege on the current process.
 *  4. Walks a Toolhelp32 process snapshot for "msd.exe", opens it, reads one
 *     byte at 0x0001000C and writes that same byte back, once through WPM and
 *     once through WriteProcessMemory.
 * Defects are noted inline; the code itself is unchanged.
 */
int main( int, char *[] )

{

    

    




// PID of the FindWindow() result; assigned below but not used afterwards.
unsigned long PID; 

// Declared for OpenProcess but shadowed by the hProcess inside the loop; this one stays unused.
HANDLE hProcess; 

HINSTANCE hDllTrainer; 

// Both unused.
BOOL fFreeResult, fRunTimeLinkSuccess = FALSE; 

// NULL when no such window exists; not checked before the next call.
HWND hWindow = FindWindow(NULL, "Minesweeper"); 

// With a NULL hWindow this call fails and PID is left uninitialized.
GetWindowThreadProcessId(hWindow, &PID); 

// Unused (the writes below use bP instead).
DWORD ToBeWritten[]={0x90}; 

DWORD Newdatasize = sizeof(ToBeWritten); 


// NOTE(review): a bare file name is resolved through the normal DLL search
// order, so a same-named DLL found earlier in that order (e.g. in the current
// directory or on PATH) would be loaded instead of the intended one. Loading
// by full path avoids that.
hDllTrainer = LoadLibrary("dbk32.dll"); 

// Empty success branch; the else-if condition is just the negation of the if.
// On failure only a message box is shown and execution continues, so
// hDllTrainer is NULL in every GetProcAddress call below.
if(hDllTrainer != NULL) { 



   } 

   else if(!hDllTrainer) { 

   MessageBoxA(0, "Error! Couldnt Load dbk32.dll! Quiting.", "ERROR!", MB_ICONINFORMATION); 

} 

    

    

    


// Each lookup casts the export to the guessed signature from the typedefs.
// The NULL checks only show a message box and do not stop the program, so a
// NULL WPM is still called further down. OP is resolved but never used (its
// call is commented out below).
OPfunc OP; 

OP=(OPfunc)GetProcAddress(hDllTrainer,"OP"); 

if(OP==NULL){MessageBox(NULL,"OP = NULL","",MB_OK);}

WPMfunc WPM; 

WPM=(WPMfunc)GetProcAddress(hDllTrainer,"WPM"); 

if(WPM==NULL){MessageBox(NULL,"WPM = NULL","",MB_OK);}

RPMfunc RPM; 

RPM=(RPMfunc)GetProcAddress(hDllTrainer,"RPM"); 

if(RPM==NULL){MessageBox(NULL,"RPM = NULL","",MB_OK);}

    

    // Two near-identical helpers exist (EnableDebugPriv, enableDebugPrivileges); only the second is called.
    //EnableDebugPriv();

enableDebugPrivileges();


    PROCESSENTRY32 entry;

    entry.dwSize = sizeof(PROCESSENTRY32);


    // Returns INVALID_HANDLE_VALUE on failure; not checked. The second
    // argument is a DWORD process id (0 here), not a pointer, so NULL is the
    // wrong constant even though it compiles.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);


    // The entry filled in by Process32First is discarded and the loop starts
    // with Process32Next, so the first process in the snapshot is never compared.
    if (Process32First(snapshot, &entry) == TRUE)

    {

        while (Process32Next(snapshot, &entry) == TRUE)

        {

            // stricmp is the pre-ANSI name; the MSVC CRT spells it _stricmp.
            if (stricmp(entry.szExeFile, "msd.exe") == 0)

            {  

                                         //HANDLE hProcess;

                // Shadows the hProcess declared at the top of main().
                HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, entry.th32ProcessID);



//OP(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, entry.th32ProcessID);





               if(hProcess)

               { printf("Process was found succesfully");

               

                // Adjusts the token of the *target* process (hProcess), not
                // this process; the return value is ignored.
                SetProcessEditPriv(SE_DEBUG_NAME,hProcess);

               

               // lpflOldProtect is NULL: VirtualProtectEx requires a pointer
               // to receive the old protection and fails when it is NULL. The
               // return value is not checked, so the failure is silent.
               VirtualProtectEx(hProcess,(LPVOID)0x0001000C,256,PAGE_EXECUTE_READWRITE, NULL); 

              

               

               

               

               // BufferOut is only ever printed (see below); BufferSize,
               // BufferIn, bWritten, OldProtection and mbi are unused.
               BYTE BufferOut = 0x00; 

   int BufferSize = sizeof(BufferOut); 

   int BufferIn; 

   SIZE_T bWritten; 

   DWORD OldProtection = -1; 

   MEMORY_BASIC_INFORMATION mbi; 

             // if (!VirtualProtectEx (hProcess, (LPVOID)0x0001000C, BufferSize, PAGE_EXECUTE_READWRITE, &OldProtection)) 

    //  printf("\n\nNo se han podido modificar los permisos de memoria. Error %d\n\n",GetLastError());

               BYTE bP = 0x00;

               // Reads into bP but prints BufferOut, which is still 0x00, so the
               // printed value never reflects the byte that was read. GetLastError()
               // is a DWORD; %d should be %lu.
               if (ReadProcessMemory(hProcess, (LPVOID)0x0001000C, &bP, sizeof(BYTE), NULL)) 

{printf("\n\nLeitura feita. Resposta: %d",BufferOut);}else{printf("\n\nLeitura falhou. LastError:%d",GetLastError());}

               

               

               // Globals assigned here are never used.
               newdata = 30;

               newdatasize = sizeof(newdata);

               

               

               

               //func(hProcess, (LPVOID)0x0001000C, &bP, sizeof(BYTE),(DWORD*)2);

               

               

               //WPM(hProcess, (LPVOID)0x0001000C, &bP, sizeof(BYTE),NULL);

               //WPM(0,0,0,0,0);

               

                  // Called unconditionally: if GetProcAddress failed above
                  // (which it always does when hDllTrainer is NULL), WPM is a
                  // NULL pointer and this call crashes. Even when resolved, the
                  // WPMfunc typedef is only an assumption about the export's
                  // real signature and calling convention; a mismatch is
                  // undefined behaviour. The real signature is not shown in
                  // this file, so the crash cannot be diagnosed further here.
                  WPM(hProcess, (LPVOID)0x0001000C, &bP, sizeof(BYTE), NULL);// << This crashes. Why?

               

               // Writes back the byte just read, so this is a no-op write that
               // only tests access. GetLastError() is a DWORD; %d should be %lu.
               if(WriteProcessMemory(hProcess, (LPVOID)0x0001000C, &bP, sizeof(BYTE),NULL))

         {

                    printf("\n\nMemory written succesfully.\n\n");

               } 

               else{printf("Erro ao manipular memoria! Codigo do erro: %d",GetLastError());}

               }






                // Also reached when OpenProcess returned NULL (harmless).
                CloseHandle(hProcess);

            }

        }

    }


    CloseHandle(snapshot);



// Spawns a command shell just to wait for a key press; getchar() does the same without one.
system("pause>nul");



    return 0;

}
 
 
 
What is this horrible code?
 
 
Well, it turns out that Cheat Engine (the 5.X versions) uses a DLL called dbk32.dll. This DLL is somehow related to the functions of that Kernel thing. It basically loads a driver (dbk32.sys) and lets the Cheat Engine use the functions of RPM/WPM and OpenProcess (OP). So I tried to use that dll and that sys in my C++ program, in order to do what CE does (and, finally, be able to edit the memory).
 
 
I was able to somehow use the OP function (OpenProcess), and it worked. But the WPM and RPM functions crash my C++ program. Why is that?
 
 
Could you help me do what I want to do? I want to use those WPM and RPM functions properly, in order to be able to edit the memory of the game. I wish I could simply use the normal WriteProcessMemory thing.
 
 
The code above is just a rough draft I wrote from scratch, and nothing in it is organized. Just look at the part "WPM(hProcess, (LPVOID)0x0001000C, &bP, sizeof(BYTE), NULL);// << This crashes. Why?" and tell me why it crashes.
 
 
Or, if there is another way to accomplish what I want, please help me.
 
 
Thanks!