Direct Injection Codes - Delphi/C++/AutoIt

Page 1 of 4

04/28/2009 07:15 asgborges#1

Since all pro people here is a bit selfish... i decided to made my own guide and share with the forum!!

OK... This is the best way to make your bot or whatever you making work well for you!!!

STOP being eMo and just changing addresses!! Lets play hard!!!:D

ALL INFORMATION HERE IS BASED ON PERFECT WORLD INTERNACIONAL (LAST VERSION)

Before Start:
Lets learn some things... all people here is talking about change addresses, offsets and pointers... you know what im talking about? (go on net and find some guides :))

I found 4 kinds of addresses:

1. The Base Address (0x0096d1dc)
--> Base address - Wikipedia, the free encyclopedia
--> We will start from here... all Injected functions needs to start the Pointer from correct address!
--> Use the tutorial [Only registered and activated users can see links. Click Here To Register...].. when you found the address, substract 0x1C from and do another search in Hex value to get the REAL base address.
--> All injectable functions starts from poiting here. (try find the Assembly Code [0096d1dc] in Memory View of Cheat Engine, and you will have all injectabled possibilities)

2. The Dynamic Address (0x0096d1dc + 0x1C -> points to 0x0096d87c)
--> You can easy learn and find by [Only registered and activated users can see links. Click Here To Register...]... just have the WRONG title.
--> Its the Load-in-Time allocator... in other words, its a memory redirector.

3. The Environment Address (0x0096d87c + 0x8 -> points to a dynamic location)
--> Pointer that allocates dynamic addressing for loop and protected blocks

4. The Role Address (0x0096d87c + 0x20 -> points to a dynamic location)
--> Pointer that allocates dynamic address like global variables, constants and types

Definition:
[Only registered and activated users can see links. Click Here To Register...]

Injection Routines

Delphi: (by asgborges)
Updated 25/11/2011

Code:

procedure InjectFunc(ProcessID: Cardinal; Func: Pointer; aParams: Pointer; aParamsSize: DWORD);
var
  hThread: THandle;
  lpNumberOfBytes: DWORD;

  ThreadAddr, ParamAddr: Pointer;
begin
  if ProcessID<>0 then
  begin
    // ---- Write function address
    ThreadAddr := VirtualAllocEx(ProcessID, nil, 256, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(ProcessID, ThreadAddr, Func, 256, lpNumberOfBytes);

    // ---- Address to write parameters
    ParamAddr := VirtualAllocEx(ProcessID, nil, aParamsSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(ProcessID, ParamAddr, aParams, aParamsSize, lpNumberOfBytes);

    // ---- Create a remote thread
    hThread := CreateRemoteThread(ProcessID, nil, 0, ThreadAddr, ParamAddr, 0, lpNumberOfBytes);

    // ---- Thread to wait for the end of
    WaitForSingleObject(hThread, 3000);

    GetExitCodeThread(hThread,lpExitCode);
    TerminateThread(hThread,lpExitCode);

    VirtualFreeEx(ProcessID,ThreadAddr,0,MEM_RELEASE);
    VirtualFreeEx(ProcessID,ParamAddr,0,MEM_RELEASE);
    VirtualFreeEx(ProcessID,Func,0,MEM_RELEASE);
    VirtualFreeEx(ProcessID,aParams,0,MEM_RELEASE);

    CloseHandle(hThread);
  end
end;

C++ Builder: (found on internet)

Code:

#include <tlhelp32.h>
...
[B]typedef[/B]  tagPROCESSENTRY32W pGameProcess;
...
[B]bool[/B] CallRemoteFunction(pGameProcess pProcess)
{
	//Remote Thread Handle
	HANDLE hProcess=NULL;
	//Inject Thread handle
	HANDLE hThread=NULL;
	//Inject Fuction Address after allocate
	LPVOID ThreadCodeAddr=NULL;
	//Inject Function
	LPVOID Func=[B][U]SelectMonster[/U][/B];
	//Inject Fuction Stack Address after allocate
	LPVOID ThreadDataAddr=NULL;
	//Inject Fuction Stack Data
	LPCVOID lpParam = NULL;
	DWORD Value = 0;
	lpParam = &Value;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pProcess.th32ProcessID);
	[B]if [/B](!hProcess)
	{
		//Do your Error message (OpenProcess);
		[B]return false[/B];
	}
	ThreadCodeAddr=VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
	ThreadDataAddr=VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory (hProcess, ThreadCodeAddr, Func, 4096, NULL);
	WriteProcessMemory (hProcess, ThreadDataAddr, lpParam, 256, NULL);
	hThread = CreateRemoteThread(hProcess, NULL, NULL,(LPTHREAD_START_ROUTINE)ThreadCodeAddr, ThreadDataAddr, NULL, NULL);
	[B]if[/B] (!hThread)
	 {
		//Do your Error message (CreateRemoteThread);
	 }
	[B]else[/B]
		WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hThread);
	VirtualFreeEx(hProcess, ThreadCodeAddr, 4096, MEM_RELEASE);
	VirtualFreeEx(hProcess, ThreadDataAddr, 256, MEM_RELEASE);
	CloseHandle(hProcess);
	[B]return false[/B];
}

AutoIt: (found on internet)

Code:

Func INJECTCODE($PID)
If $PID <> 0 And $OPCODE <> "" Then
Local $DATA = DllStructCreate("byte[" & StringLen($OPCODE) / 2 & "]")
For $I = 1 To DllStructGetSize($DATA)
DllStructSetData($DATA, 1, Dec(StringMid($OPCODE, ($I - 1) * 2 + 1, 2)), $I)
Next
Local $RESULT, $PROCESS, $ADD, $THREAD
$RESULT = DllCall("Kernel32.Dll", "int", "OpenProcess", "int", 2035711, "int", 0, "int", $PID)
$PROCESS = $RESULT[0]
$RESULT = DllCall("Kernel32.dll", "ptr", "VirtualAllocEx", "int", $PROCESS, "ptr", 0, "int", DllStructGetSize($DATA), "int", 4096, "int", 64)
$ADD = $RESULT[0]
$RESULT = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $PROCESS, "ptr", $ADD, "ptr", DllStructGetPtr($DATA), "int", DllStructGetSize($DATA), "int", 0)
$RESULT = DllCall("kernel32.dll", "int", "CreateRemoteThread", "int", $PROCESS, "ptr", 0, "int", 0, "int", $ADD, "ptr", 0, "int", 0, "int", 0)
$THREAD = $RESULT[0]
Do
$RESULT = DllCall("kernel32.dll", "int", "WaitForSingleObject", "int", $THREAD, "int", 50)
Until $RESULT[0] <> 258
DllCall("Kernel32.dll", "int", "CloseHandle", "int", $THREAD)
$RESULT = DllCall("Kernel32.dll", "ptr", "VirtualFreeEx", "hwnd", $PROCESS, "ptr", DllStructGetPtr($DATA), "int", DllStructGetSize($DATA), "int", 32768)
DllCall("Kernel32.dll", "int", "CloseHandle", "int", $PROCESS)
$OPCODE = ""
$DATA = 0
EndIf
EndFunc

Injectable Codes

Delphi: (by asgborges)

Code:

[COLOR="Green"]
//*************************************************************//
// Select the Moster (Full Target HP)
// OBS: Working well
//*************************************************************//[/COLOR]
[B]procedure[/B] SelectMonster(MonID: PParams); [B]stdcall[/B];
[COLOR="Green"](*
004596AD - a1 dc d1 96 00             - mov eax,[0096d1dc] : 0096D860
004596B2 - 57                         - push edi
004596B3 - 8b 48 20                   - mov ecx,[eax+20]
004596B6 - 81 c1 ec 00 00 00          - add ecx,000000ec
004596BC - e8 8f c7 14 00             - call 005a5e50
*)
[/COLOR][B]var[/B]
  P1: DWORD;
[B]begin[/B]
  P1:=MonID^.Param1;
  [B]asm[/B]
    mov edx, DWORD PTR [$0096d1dc]
    push     P1
    mov ecx, DWORD PTR [edx+$20]
    add ecx, $EC
    mov edx, $005a5e50
    call     edx
  [B]end[/B];
[B]end[/B];

[COLOR="Green"]//*************************************************************//
// Fly command
// OBS: Working well
//*************************************************************
[/COLOR][B]procedure[/B] Fly(aPParams: PParams); [B]stdcall[/B];
[COLOR="Green"](*
0044A926 - 8b 15 dc d1 96 00          - mov edx,[0096d1dc] : 0096D860
0044A92C - 6a 01                      - push 01
0044A92E - 51                         - push ecx
0044A92F - 8b 4a 20                   - mov ecx,[edx+20]
0044A932 - 6a 0c                      - push 0c
0044A934 - 6a 01                      - push 01
0044A936 - 81 c1 ec 00 00 00          - add ecx,000000ec
0044A93C - e8 bf b2 15 00             - call 005a5c00
*)
[/COLOR][B]begin[/B]
    [B]asm[/B]
       mov  edx, DWORD PTR [$0096d1dc]
       push $01
       push $31f7
       mov  ecx, DWORD PTR [edx+$20]
       push $0C
       push $01
       add ecx, $EC
       mov  edx, $005a5c00
       call edx
    [B]end[/B];
[B]end[/B];

[COLOR="Green"]//*************************************************************//
// Pick Items on ground
// OBS: Working... need to stay close of the Item
//*************************************************************//
[/COLOR][B]procedure[/B] PickItem(aPParams: PParams); [B]stdcall[/B];
(*
00467693 - 8b 15 dc d1 96 00          - mov edx,[0096d1dc] : 0096D860
00467699 - 50                         - push eax
0046769A - 51                         - push ecx
0046769B - 8b 4a 20                   - mov ecx,[edx+20]
0046769E - 81 c1 ec 00 00 00          - add ecx,000000ec
004676A4 - e8 37 e7 13 00             - call 005a5de0
*)
[B]var[/B]
  Address: pointer;
  Pa1,pa2: cardinal;
[B]begin[/B]
  Pa1:=aPParams^.Param1;
  pa2:=aPParams^.Param2;
  asm
    mov  edx, DWORD PTR [$0096d1dc]
    push Pa1                  [COLOR="Green"]// Item SN[/COLOR]
    push Pa2                  [COLOR="Green"]// Item ID[/COLOR]
    mov  ecx, DWORD PTR [edx+$20]
    add  ecx, $EC
    mov  edx, $005a5de0
    call edx
  [B]end[/B];
[B]end[/B];

C++ Builder: (adapted to work with PWI)

Code:

[B]static[/B] DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
	//004596AD - a1 dc d1 96 00             - mov eax,[0096d1dc] : 0096D860
	//004596B2 - 57                         - push edi
	//004596B3 - 8b 48 20                   - mov ecx,[eax+20]
	//004596B6 - 81 c1 ec 00 00 00          - add ecx,000000ec
	//004596BC - e8 8f c7 14 00             - call 005a5e50
	DWORD BaseAddress= 0x0096d1dc;
	DWORD CallAddress= 0x005a5e50;
	DWORD MonsterID = (DWORD)lpParam;
	[B]__try[/B]
	{
		[B]_asm[/B]
		{
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
		}
	}
	[B]__except[/B](1)
	{
	}
	[B]return[/B] 0;
}

AutoIt: (adapted to work with PWI)

Code:

Func SETCURENTMOBID($ID)
  _MEMORYWRITE($MOB_ID_ADD, $MEMID, $ID)
  If $ID <> 0 Then
    $OPCODE = ""
    PUSHAD()
    MOV_EDX_DWORD_PTR(9875524)
    PUSH($ID)
    MOV_ECX_DWORD_PTR_EAX_ADD(32)
    $OPCODE &= "81c1ec000000"
    MOV_EDX(5916464)
    CALL_EDX()
    POPAD()
    RET()
    INJECTCODE($PID)
  EndIf
EndFunc

Injection Examples

Delphi: (by asgborges)

Code:

Type
  PParams = ^TParams;
  TParams = packed record
    Param1: DWORD;
    Param2: DWORD;
    Param3: single;
    Param4: single;
    Param5: single;
    Param6: byte;
  end;
.
.
.
Procedure TForm1.SelectMonsterByID(ID: Cardinal);
var
  hProcess : THandle;
  aParams : TParams;
  aParamsSize: DWORD;

begin
  ChangePrivilege('SeDebugPrivilege', True);

  hProcess := OpenProcess( PROCESS_ALL_ACCESS, FALSE, Process.th32ProcessID);

  aParams.Param1 := ID;
  aParamsSize := SizeOf(aParams);

  InjectFunc(hProcess,@SelectMonster, @aParams,aParamsSize);

  CloseHandle(hProcess);
end;

Now im working in actions like OpenNPC, RunTo(X,Y,X), GatherMines, NormalAttack, MagicAttack and alot of more...

(when i get results will keep sharing here)

Enjoy kids :D

*Last Updated: 03.05.2009

Injection Codes:
* Full-Target HP select (full HP bar)
* Fly command
* Pick Item

04/28/2009 18:33 0o0#2

gona try it on! Thanks a bunch
static DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
DWORD Address= 0x582630;
DWORD MonsterID = (DWORD)lpParam;

I assume the "Adress" is base address

btw u got injection example for c++?

thanks !!

04/28/2009 21:03 asgborges#3

Quote:

Originally Posted by 0o0

gona try it on! Thanks a bunch
static DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
DWORD Address= 0x582630;
DWORD MonsterID = (DWORD)lpParam;

I assume the "Adress" is base address

btw u got injection example for c++?

thanks !!

Sorry.. i corrected the code...

Full-Target Injection Code in C++ Builder:

Code:

[B]static[/B] DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
	DWORD BaseAddress= 0x96b044;
	DWORD CallAddress= 0x5a4730;
	DWORD MonsterID = (DWORD)lpParam;
	[B]__try[/B]
	{
		[B]_asm[/B]
		{
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
		}
	}
	[B]__except[/B](1)
	{
	}
	[B]return[/B] 0;
}

04/29/2009 11:38 BuBucekTop#4

Let me contribute my 5 cents =)

In PW we have 3 types of movement :
1. direct move to coordinates.
2. move to object (mob/player for attack or drop/res to pickup)
3. follow

let's research type 2.
(Sorry I can't give valid addresses, because i'm playing on PW-RU, but give a hint.)

1. open console and enable showing NPC ids
2. attach CE to elementclient
3. target some mob and "first search" for 4bytes hex in CE it's ID (shown on top of the mob). You'll get a lot of matches.
4. Target another mob and "next search" for it's ID. You'll get 4-5 results.
One of them definetely for character target, we'll skip it.
Other is internal ID for client command. We'll investigate it soon.
The rest are unknown for me.

So.

Keep watching on these 4-5 addresses and go farm a mine/herb. Preferable far enough from your char. During approaching to mine/herb you'll notice that ONE value in CE changed. This is the internal pointer to object we're moving to !!!

Substract 0x20 and you'll get the base address for command "move to object".

finally after back tracing you'll get something like this :

[Dynamic Address ] + 20$] + XXX$] + 30$] + 02 * 4] <= CMD base
[Dynamic Address ] + 20$] + XXX$] + 30$] + 02 * 4] + 20$] <= CMD target ID

XXX - depends on your server (PWI, PW-RU, etc...)

now it's time to find how to use this command to creatre appropriate code for injection.
But i'm stuck here and need your help.

04/29/2009 13:32 Megamorph#5

I already posted that here @BuBucekTop:

[Only registered and activated users can see links. Click Here To Register...]

[[[[[[Base Adress]+0x20]+0xBFC]0x30]+0x8]+0x20] (kind of "move to" id offset)
<-- this is for PWI

edit: this so called "Base Adress" is ofc the Dynamic Adress

04/30/2009 05:40 Laser-in-your-ear#6

DWORD CallAddress= 0x5a4730;

What is this Address? How do you get it and is it static?

04/30/2009 06:04 proaznhackers#7

thankz :)

04/30/2009 15:21 Laser-in-your-ear#8

I have...

Code:

#define BASE_ADDRESS		0x96D1DC
#define CALL_ADDRESS		0x5a5e50
#define DYNAMIC_ADDRESS		0x96D87C

Code:

static DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
	//004596AD - a1 dc d1 96 00             - mov eax,[0096d1dc] : 0096D860
	//004596B2 - 57                         - push edi
	//004596B3 - 8b 48 20                   - mov ecx,[eax+20]
	//004596B6 - 81 c1 ec 00 00 00          - add ecx,000000ec
	//004596BC - e8 8f c7 14 00             - call 005a5e50
	DWORD BaseAddress= BASE_ADDRESS;
	DWORD CallAddress= CALL_ADDRESS;
	DWORD MonsterID = (DWORD)lpParam;
	__try
	{
		_asm
		{
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
		}
	}
	__except(1)
	{
	}
	return 0;
}

Code:

void ProcessHook::selectCreature(quint32 creatureid)
{
	InjectFunction(SelectMonster, (LPCVOID)creatureid);
}

bool ProcessHook::InjectFunction(LPVOID Func, LPCVOID lpParam)
{
	HANDLE hThread=NULL;
	LPVOID ThreadCodeAddr=NULL;
	LPVOID ThreadDataAddr=NULL;

	ThreadCodeAddr=VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(hProcess, ThreadCodeAddr, Func, 256, NULL);

	ThreadDataAddr=VirtualAllocEx(hProcess, NULL, 4, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(hProcess, ThreadDataAddr, lpParam, 4, NULL);

	hThread = CreateRemoteThread(hProcess, NULL, NULL,(LPTHREAD_START_ROUTINE)ThreadCodeAddr, ThreadDataAddr, NULL, NULL);
	if (hThread)
		WaitForSingleObject(hThread, INFINITE);

	CloseHandle(hThread);
	VirtualFreeEx(hProcess, ThreadCodeAddr, 256, MEM_RELEASE);
	VirtualFreeEx(hProcess, ThreadDataAddr, 4, MEM_RELEASE);
	return true;
}

This explodes and crashes element client, this is on the absolute newest client as of April 30th

04/30/2009 22:33 asgborges#9

Quote:

Originally Posted by Laser-in-your-ear

I have...

Code:

#define BASE_ADDRESS		0x96D1DC
#define CALL_ADDRESS		0x5a5e50
#define DYNAMIC_ADDRESS		0x96D87C

Code:

static DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
	//004596AD - a1 dc d1 96 00             - mov eax,[0096d1dc] : 0096D860
	//004596B2 - 57                         - push edi
	//004596B3 - 8b 48 20                   - mov ecx,[eax+20]
	//004596B6 - 81 c1 ec 00 00 00          - add ecx,000000ec
	//004596BC - e8 8f c7 14 00             - call 005a5e50
	DWORD BaseAddress= BASE_ADDRESS;
	DWORD CallAddress= CALL_ADDRESS;
	DWORD MonsterID = (DWORD)lpParam;
	__try
	{
		_asm
		{
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
		}
	}
	__except(1)
	{
	}
	return 0;
}

Code:

void ProcessHook::selectCreature(quint32 creatureid)
{
	InjectFunction(SelectMonster, (LPCVOID)creatureid);
}

bool ProcessHook::InjectFunction(LPVOID Func, LPCVOID lpParam)
{
	HANDLE hThread=NULL;
	LPVOID ThreadCodeAddr=NULL;
	LPVOID ThreadDataAddr=NULL;

	ThreadCodeAddr=VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(hProcess, ThreadCodeAddr, Func, 256, NULL);

	ThreadDataAddr=VirtualAllocEx(hProcess, NULL, 4, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(hProcess, ThreadDataAddr, lpParam, 4, NULL);

	hThread = CreateRemoteThread(hProcess, NULL, NULL,(LPTHREAD_START_ROUTINE)ThreadCodeAddr, ThreadDataAddr, NULL, NULL);
	if (hThread)
		WaitForSingleObject(hThread, INFINITE);

	CloseHandle(hThread);
	VirtualFreeEx(hProcess, ThreadCodeAddr, 256, MEM_RELEASE);
	VirtualFreeEx(hProcess, ThreadDataAddr, 4, MEM_RELEASE);
	return true;
}

This explodes and crashes element client, this is on the absolute newest client as of April 30th

Try use the ESPECIFIC Injection Function for C++ ok?! --> CallRemoteFunction !!!

Dont translate functions from other languages... this dont work well until a lot of tests !!

Code:

#include <tlhelp32.h>
...
[B]typedef[/B]  tagPROCESSENTRY32W pGameProcess;
...
static DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
	//004596AD - a1 dc d1 96 00             - mov eax,[0096d1dc] : 0096D860
	//004596B2 - 57                         - push edi
	//004596B3 - 8b 48 20                   - mov ecx,[eax+20]
	//004596B6 - 81 c1 ec 00 00 00          - add ecx,000000ec
	//004596BC - e8 8f c7 14 00             - call 005a5e50
	DWORD BaseAddress= 0x0096d1dc;
	DWORD CallAddress= 0x005a5e50;
	DWORD MonsterID = (DWORD)lpParam;
	__try
	{
		_asm
		{
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
		}
	}
	__except(1)
	{
	}
	return 0;
}
[B]bool[/B] CallRemoteFunction(pGameProcess pProcess)
{
	//Remote Thread Handle
	HANDLE hProcess=NULL;
	//Inject Thread handle
	HANDLE hThread=NULL;
	//Inject Fuction Address after allocate
	LPVOID ThreadCodeAddr=NULL;
	//Inject Function
	LPVOID Func=[B][U]SelectMonster[/U][/B];
	//Inject Fuction Stack Address after allocate
	LPVOID ThreadDataAddr=NULL;
	//Inject Fuction Stack Data
	LPCVOID lpParam = NULL;
	DWORD Value = 0;
	lpParam = &Value;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pProcess.th32ProcessID);
	[B]if [/B](!hProcess)
	{
		//Do your Error message (OpenProcess);
		[B]return false[/B];
	}
	ThreadCodeAddr=VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
	ThreadDataAddr=VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory (hProcess, ThreadCodeAddr, Func, 4096, NULL);
	WriteProcessMemory (hProcess, ThreadDataAddr, lpParam, 256, NULL);
	hThread = CreateRemoteThread(hProcess, NULL, NULL,(LPTHREAD_START_ROUTINE)ThreadCodeAddr, ThreadDataAddr, NULL, NULL);
	[B]if[/B] (!hThread)
	 {
		//Do your Error message (CreateRemoteThread);
	 }
	[B]else[/B]
		WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hThread);
	VirtualFreeEx(hProcess, ThreadCodeAddr, 4096, MEM_RELEASE);
	VirtualFreeEx(hProcess, ThreadDataAddr, 256, MEM_RELEASE);
	CloseHandle(hProcess);
	[B]return false[/B];
}

* this is working fine for me... with Delphi and C++ Builder!!!

05/01/2009 01:02 Laser-in-your-ear#10

Well, there has to be something wrong here, I'm using this which is practically identicle except that I got rid of "pGameProcess" and supplied the processId directly instead, do you have an example of how you called it, and how you actually provide a monsterId, from this looks of this... Its just 0? This crashes Element Client when I call it

I'm compiling under VC2008, could that be the issue? I know it does something, just not anything useful since it crashes the game, but the application itself is unaffected.

05/01/2009 02:32 asgborges#11

Quote:

Originally Posted by Laser-in-your-ear

Well, there has to be something wrong here, I'm using this which is practically identicle except that I got rid of "pGameProcess" and supplied the processId directly instead, do you have an example of how you called it, and how you actually provide a monsterId, from this looks of this... Its just 0? This crashes Element Client when I call it

I'm compiling under VC2008, could that be the issue? I know it does something, just not anything useful since it crashes the game, but the application itself is unaffected.

Well... i dont like VC so much.. this why i use Borland family... maybe its your problem... C++ declarations in Builder and VC are a bit deferent and the "linker" too... maybe if u use PUSHAD and POPAD comands you will get the right addresses... and for monster ID, is a global var that is changed before CallRemoteFunction...

just stop with Ctrl+C and Ctrl+V... sorry, i dont have time to teach "how to make a program"... this post just gives a right direction to ppl that already knows program languages and wants make something (like bots) for PWI:(

05/01/2009 06:30 toxic6666#12

Quote:

Originally Posted by asgborges

Try use the ESPECIFIC Injection Function for C++ ok?! --> CallRemoteFunction !!!

Dont translate functions from other languages... this dont work well until a lot of tests !!

Code:

#include <tlhelp32.h>
...
[B]typedef[/B]  tagPROCESSENTRY32W pGameProcess;
...
static DWORD WINAPI SelectMonster(LPCVOID lpParam)
{
	//004596AD - a1 dc d1 96 00             - mov eax,[0096d1dc] : 0096D860
	//004596B2 - 57                         - push edi
	//004596B3 - 8b 48 20                   - mov ecx,[eax+20]
	//004596B6 - 81 c1 ec 00 00 00          - add ecx,000000ec
	//004596BC - e8 8f c7 14 00             - call 005a5e50
	DWORD BaseAddress= 0x0096d1dc;
	DWORD CallAddress= 0x005a5e50;
	DWORD MonsterID = (DWORD)lpParam;
	__try
	{
		_asm
		{
		  mov edx, DWORD PTR [BaseAddress]
		  push     MonsterID
		  mov ecx, DWORD PTR [edx+0x20]
		  add ecx, 0xEC
		  mov edx, CallAddress
		  call     edx
		}
	}
	__except(1)
	{
	}
	return 0;
}
[B]bool[/B] CallRemoteFunction(pGameProcess pProcess)
{
	//Remote Thread Handle
	HANDLE hProcess=NULL;
	//Inject Thread handle
	HANDLE hThread=NULL;
	//Inject Fuction Address after allocate
	LPVOID ThreadCodeAddr=NULL;
	//Inject Function
	LPVOID Func=[B][U]SelectMonster[/U][/B];
	//Inject Fuction Stack Address after allocate
	LPVOID ThreadDataAddr=NULL;
	//Inject Fuction Stack Data
	LPCVOID lpParam = NULL;
	DWORD Value = 0;
	lpParam = &Value;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pProcess.th32ProcessID);
	[B]if [/B](!hProcess)
	{
		//Do your Error message (OpenProcess);
		[B]return false[/B];
	}
	ThreadCodeAddr=VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
	ThreadDataAddr=VirtualAllocEx(hProcess, NULL, 256, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory (hProcess, ThreadCodeAddr, Func, 4096, NULL);
	WriteProcessMemory (hProcess, ThreadDataAddr, lpParam, 256, NULL);
	hThread = CreateRemoteThread(hProcess, NULL, NULL,(LPTHREAD_START_ROUTINE)ThreadCodeAddr, ThreadDataAddr, NULL, NULL);
	[B]if[/B] (!hThread)
	 {
		//Do your Error message (CreateRemoteThread);
	 }
	[B]else[/B]
		WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hThread);
	VirtualFreeEx(hProcess, ThreadCodeAddr, 4096, MEM_RELEASE);
	VirtualFreeEx(hProcess, ThreadDataAddr, 256, MEM_RELEASE);
	CloseHandle(hProcess);
	[B]return false[/B];
}

* this is working fine for me... with Delphi and C++ Builder!!!

first of all, according to the api, you are not able to commit unreserved pages, so calling virtualallocex with just mem_commit should fail, leaving you with no allocated mem. i've seen other code that does this too, so maybe it does work, but to make sure, commit and reserve the pages in your call.
also, you should always be doing some error checking on mem allocation.

the page you write your code to must have execute access too. executing code in a page without execute access will definately yield an access violation on some/all systems.

also, when releasing reserved pages, you dont specify a size, just the base address.

now about the param.
you can pass a 4 byte param to the remote thread, which is just enough to store the target id.
what you are "trying" to do is pass a pointer to a buffer in the remote process. first of all, you are doing it totally wrong, second of all, it isn't even necessary.
problem:
the buffer you are trying to write into the remote process is 4 bytes in size (the target id). you specify a size of 256 bytes. what, if writeprocessmemory breaks a page boundary on the local process when reading 256 bytes from your "buffer" which actually is only 4 bytes in size and fall into a page without read access or a guard page or whatever (very unlikely, but who knows)?

=> just allocate mem for the function and pass the target id in the createremotethread call directly instead of allocating a buffer for the target id and passing a pointer to the buffer.

and now some general and some vc++ specific things about your asm code:
there is no difference between
mov edx, dword ptr [Variable] and
mov edx, Variable

so mov edx, DWORD PTR [BaseAddress] will result in mov edx, 0x0096d1dc not mov edx, dword ptr [0x0096d1dc] (this is what you actually wanted).

also, some vc++ versions make
mov edx, 0x0096d1dc out of mov edx, dword ptr [0x0096d1dc]
(don't ask me why).

so something like this wouldn't work either:
#define ADDR 0x0096d1dc
...
mov edx, dword ptr [ADDR]

you should replace your first asm line with something like this to make sure it works with vc++:
mov edx, ADDR
mov edx, dword ptr [edx]

also better use constants instead of params for your addresses.

and the last thing:
i pretty much doubt that you can use compiler generated frame based __try / __except exception handling in remote injected code since the handler that the compiler generates will reside only in the local process.

also, i would rather write a dll. do you really want to inject code everytime you call an ingame function or use readprocessmemory everytime you need to update your data?

05/01/2009 10:05 asgborges#13

are u kidding??

aperently you are good enough with program languages.. so.. dont need ASK how do this or that.. like EXAMPLES.. eh?!

Quote:

Originally Posted by toxic6666

first of all, according to the api, you are not able to commit unreserved pages, so calling virtualallocex with just mem_commit should fail, leaving you with no allocated mem. i've seen other code that does this too, so maybe it does work, but to make sure, commit and reserve the pages in your call.
also, you should always be doing some error checking on mem allocation.

ok.. you right in "teory".. but works fine for me.. i just dont use MEM_RESERVE to prevent more consume of memmory, because some times the VirtualFreeEx dont work well and just clearing instead of freezes.. idk why.. thats all..

Quote:

Originally Posted by toxic6666

the page you write your code to must have execute access too. executing code in a page without execute access will definately yield an access violation on some/all systems.

MEM_COMMIT + PAGE_READWRITE is perfect for what i want... because the injected code goes like a READ and not a EXECUTE page... that is the magic of the "injection", in other words, hijack... so.. i dont need do error checking when i knows what im doing!!
when you using a DLL you oblygatory need to use (MEM_COMMIT & MEM_RESERVE + PAGE_EXECUTE_READWRITE)... because your external program will call a function inside DLL -> inside the game!!

go check: [Only registered and activated users can see links. Click Here To Register...]

Quote:

Originally Posted by toxic6666

now about the param.
you can pass a 4 byte param to the remote thread, which is just enough to store the target id.
what you are "trying" to do is pass a pointer to a buffer in the remote process. first of all, you are doing it totally wrong, second of all, it isn't even necessary.
problem:
the buffer you are trying to write into the remote process is 4 bytes in size (the target id). you specify a size of 256 bytes. what, if writeprocessmemory breaks a page boundary on the local process when reading 256 bytes from your "buffer" which actually is only 4 bytes in size and fall into a page without read access or a guard page or whatever (very unlikely, but who knows)?

your really insists eh?!
if you check my Delphi example you will see a struct TParams.. and its obvious... some functions need only 1 like SelectMon, but others no... im trying to make an GENERIC function instead to make 1 of each... the struct is good to localize/organize myself and i can change the 256 to SizeOf(TParams).. but no point to this now... its not a finished code, idk what can i found in future...!!!

Quote:

Originally Posted by toxic6666

and now some general and some vc++ specific things about your asm code:
there is no difference between
mov edx, dword ptr [Variable] and
mov edx, Variable

so mov edx, DWORD PTR [BaseAddress] will result in mov edx, 0x0096d1dc not mov edx, dword ptr [0x0096d1dc] (this is what you actually wanted).

also, some vc++ versions make
mov edx, 0x0096d1dc out of mov edx, dword ptr [0x0096d1dc]
(don't ask me why).

idk if this is true... but i just programing NORMAL assembly and Delphi accept this well!!!

in Normal assembly [0x0096d1dc] are diferent from 0x0096d1dc as well DWORD PTR, WORD PTR... and on so on...!!!

Quote:

Originally Posted by toxic6666

so something like this wouldn't work either:
#define ADDR 0x0096d1dc
...
mov edx, dword ptr [ADDR]

you should replace your first asm line with something like this to make sure it works with vc++:
mov edx, ADDR
mov edx, dword ptr [edx]

also better use constants instead of params for your addresses.

when you knows how FIFO works.. you can do a good job pointing the right stack in registers from ESP... the MOV function is a kinda oblygatory only before CALL functions... or you can move direct from JMP, but u need more work for this!!

Quote:

Originally Posted by toxic6666

and the last thing:
i pretty much doubt that you can use compiler generated frame based __try / __except exception handling in remote injected code since the handler that the compiler generates will reside only in the local process.

well.. its possible in real... but you will need to import all functions to your injection code... and make the correct handle-exception... this is a hard work, but not what i want....
the __try as you know.. puts the code in a proteced block... and in this case, if any access violation occurs, just close the game "fast" without showing anything... (eh?! thats what i want for c++, i remove in delphi because im working on it and want to see what is going on)

Quote:

Originally Posted by toxic6666

also, i would rather write a dll. do you really want to inject code everytime you call an ingame function or use readprocessmemory everytime you need to update your data?

well.. its not a big deal.. but IN MY OPINION is better for me instead to perm-alloc the dll memmory in game!!

* and lets stops this discussion OK?! i just trying to give a "direction" to ppl who dont knows how to start (for this game).. every1 need to "think" by yourself eh?! and of course know something about program languages!!
* thats all!!!

05/01/2009 12:32 toxic6666#14

lol dood, whats wrong with you? was the bath you were taking too hot?
i dont care whether you accept the flaws or not, i was just trying to tell laser-in-your-ear how to make his code work with vc++ for sure.

as for dll injection yes or no..
i dont see any point of using code injection over dll injection. pw uses a shitload of mem anyways, the few kbs your dll will be using wont even be noticed. and furthermore, if you inject a dll, you wont have to allocate additional mem to read in ingame structures, you can just point to the original data and read it out (better use exception handling with this one).
depending on how much data you need and read out at a specific point, you might be allocating just as much mem in your process as the dll needs in the remote process at a noticable loss in performance.
later, if you dont want to hook every needed ingame function to update important data and need to constantly poll your data, resolving dynamic level 5 pointers that might change whenever you do something different ingame with 5 readprocessmemory calls isn't only performance inefficient, it's also a pain in the ass to program compared to the possibilites of dll injection.
dll injection e.g. allows you to go like this:
obj0->obj1->obj2->obj3->obj4->dwValue

how much more code would it be via readprocessmemory? um, let's not talk about it..

05/01/2009 20:09 asgborges#15

Quote:

Originally Posted by toxic6666

how much more code would it be via readprocessmemory? um, let's not talk about it..

who cares?? like u said: "pw uses a shitload of mem anyways"...
dosent metter if is a CODE or DLL injection....
i make my way -> Code Injection... and its working well for what i want... thats all!!!
* I just dont wanna a DLL * (like almost ppl do, you can check by your self in mmo's foruns.. u can found a lot of code injection against dll injection... i just going the same way)

you just forgot the title of my thread: Direct Injection Codes :)

feel free to SHARE your contents

Page 1 of 4

Last »