what possible?Quote:
its possible? :o
I post and ask question... And yes,i read it....Quote:
2.The Info you requested can easily found in this Board by using just this: [Only registered and activated users can see links. Click Here To Register...]
DWORD CNewBotDlg::MyPetHP()
{
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
DWORD value = 0;
ReadProcessMemory(hProcess,(void*)BA,&value,sizeof(DWORD),NULL);
ReadProcessMemory(hProcess,(void*)(value + M_D1),&value,sizeof(DWORD),NULL);
ReadProcessMemory(hProcess,(void*)(value + PersStruct),&value,sizeof(DWORD),NULL);
ReadProcessMemory(hProcess,(void*)(value + PET_ARRAY),&value,sizeof(DWORD),NULL);
ReadProcessMemory(hProcess,(void*)(value + NUMBER_SLOT),&value,sizeof(DWORD),NULL);
ReadProcessMemory(hProcess,(void*)(value + ACTIVE_PET_ID),&value,sizeof(DWORD),NULL);
ReadProcessMemory(hProcess,(void*)(value + (NUMBER_SLOT*4+0x10)),&value,sizeof(DWORD),NULL);
ReadProcessMemory(hProcess,(void*)(value + PET_HP),&value,sizeof(DWORD),NULL);
CloseHandle(hProcess);
return value;
}
#define BA 0x00B8FBCC #define M_D1 0x1C #define PersStruct 0x34 #define PET_ARRAY 0x1140 #define NUMBER_SLOT 0x08 #define ACTIVE_PET_ID 0x07CC #define PET_HP 0x38
#define BA 0x00B8FBCC
//Функция определения ИД окна игры
DWORD PidbyName(CString nameofprogram)
{
HANDLE pHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 ProcessEntry;
ProcessEntry.dwSize = sizeof(ProcessEntry);
BOOL Loop = Process32First(pHandle,&ProcessEntry);
while(Loop)
{
if(strcmp(ProcessEntry.szExeFile, nameofprogram) == 0)
{
pidgmwnd = ProcessEntry.th32ProcessID;
CloseHandle(pHandle);
return pidgmwnd;
}
Loop = Process32Next(pHandle, &ProcessEntry);
}
return 0;
}
// Функция Сброса Таргета моба
void Target_THREAD()
{
DWORD wid = 0;
DWORD Myfunc = 0x00693D60;
_asm
{
MOV EAX,DWORD PTR DS:[BA]
PUSH wid
MOV ECX,DWORD PTR DS:[EAX+0x20]
ADD ECX,0x0EC
CALL Myfunc
}
}
// Инжектирующая функция
BYTE Inject(LPCVOID Func, LPCVOID Params)
{
LPVOID pfunc = 0;
LPVOID paramaddr = 0;
DWORD* lpNumberOfBytes = NULL;
HANDLE hProcThread;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pidgmwnd);
pfunc = VirtualAllocEx(hProcess,NULL,250,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess,pfunc,Func,250,lpNumberOfBytes);
paramaddr= VirtualAllocEx(hProcess,NULL,511,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess,paramaddr,Params,511,lpNumberOfBytes);
hProcThread = CreateRemoteThread(hProcess,0,0,(LPTHREAD_START_ROUTINE)pfunc,paramaddr,0,0);
WaitForSingleObject(hProcThread,INFINITE);
CloseHandle(hProcThread);
CloseHandle(hProcess);
VirtualFreeEx(hProcess, paramaddr,0, MEM_RELEASE);
VirtualFreeEx(hProcess, pfunc,0, MEM_RELEASE);
return 1;
}
void CTestAssemblerDlg::OnBnClickedOk()
{
Inject(Target_THREAD,0);
//OnOK();
}
i try it, because later i want use assembler code for move, because it simple then use packets. But even simple assembler code(escape target) wan't work :( .Quote:
void Target_THREAD()
{
DWORD wid = 0; //0x80104ac7
DWORD Myfunc = 0x00693D60;
_asm{
MOV EAX,DWORD PTR DS:[0x00B8FBCC] //BA
PUSH 0 //
MOV ECX,DWORD PTR DS:[EAX+0x20]
ADD ECX,0x0EC
MOV EAX,0x00693D60
CALL EAX
RETN
}
}
BYTE Inject(void* Func, void* Params)
{
/* CString str;*/
LPVOID pfunc = NULL;
LPVOID paramaddr = NULL;
LPVOID lpNumberOfBytes = NULL;
HANDLE hProcThread;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pidgmwnd);
if(!hProcess)
{
MessageBox(NULL,"pid равен 0","",MB_OK);
return 0;
}
pfunc = VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT,PAGE_READWRITE);
paramaddr = VirtualAllocEx(hProcess,NULL,256,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess,pfunc,Func,4096,NULL);
WriteProcessMemory(hProcess,paramaddr,Params,256,NULL);
hProcThread = CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)pfunc,paramaddr,NULL,NULL);
//DWORD t = GetLastError();
//str.Format("%lu",t);
//MessageBox(NULL,str,"",MB_OK|MB_ICONINFORMATION);
WaitForSingleObject(hProcThread,INFINITE);
CloseHandle(hProcThread);
CloseHandle(hProcess);
VirtualFreeEx(hProcess, pfunc,4096, MEM_RELEASE);
VirtualFreeEx(hProcess, paramaddr,256, MEM_RELEASE);
return 1;
}
void CTestAssemblerDlg::OnBnClickedOk()
{
Inject(&Target_THREAD,0);
//OnOK();
}
BYTE Inject(void* Func, void* Params)
{
/* CString str;*/
char packet[25] = "\xA1\xCC\xFB\xB8\x00\x6A\x00\x8B\x48\x20\x81\xC1\xEC\x00\x00\x00\xB8\x60\x3D\x69\x00\xFF\xD0\xC3";
LPVOID pfunc = NULL;
LPVOID paramaddr = NULL;
LPVOID lpNumberOfBytes = NULL;
HANDLE hProcThread;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pidgmwnd);
if(!hProcess)
{
MessageBox(NULL,"pid равен 0","",MB_OK);
return 0;
}
pfunc = VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT,PAGE_READWRITE);
paramaddr = VirtualAllocEx(hProcess,NULL,256,MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess,pfunc,packet,4096,NULL);
WriteProcessMemory(hProcess,paramaddr,Params,256,NULL);
hProcThread = CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)pfunc,paramaddr,NULL,NULL);
//DWORD t = GetLastError();
//str.Format("%lu",t);
//MessageBox(NULL,str,"",MB_OK|MB_ICONINFORMATION);
WaitForSingleObject(hProcThread,INFINITE);
CloseHandle(hProcThread);
CloseHandle(hProcess);
VirtualFreeEx(hProcess, pfunc,4096, MEM_RELEASE);
VirtualFreeEx(hProcess, paramaddr,256, MEM_RELEASE);
return 1;
}
void CTestAssemblerDlg::OnBnClickedOk()
{
Inject(&Target_THREAD,0);
//OnOK();
}
char packet[25] = "\xA1\xCC\xFB\xB8\x00\x6A\x00\x8B\x48\x20\x81\xC1\xEC\x00\x00\x00\xB8\x60\x3D\x69\x00\xFF\xD0\xC3";
void Target_THREAD()
{
DWORD wid = 0;
DWORD Myfunc = 0x00693D60;
_asm{
MOV EAX,DWORD PTR DS:[0x00B8FBCC]
PUSH 0
MOV ECX,DWORD PTR DS:[EAX+0x20]
ADD ECX,0x0EC
MOV EAX,0x00693D60
CALL EAX
RETN
}
}
yes, we all see...asm is for you more simple then just using sendpacket function :rolleyes:Quote:
void INJECTOR::TargetOff()
{
PACKET pack;
pack.len=2;
pack.Bytes[0]='\x08';
pack.Bytes[1]='\x00';
SendPacket(&pack);
}
void INJECTOR::TargetMob(DWORD wid)
{
PACKET pack;
pack.len=6;
char Packet[6] = "\x02\x00\x00\x00\x00\x00";
memcpy(pack.Bytes,Packet,pack.len);
memcpy(pack.Bytes+2,&wid,4);
SendPacket(&pack);
}
BYTE INJECTOR::SendPacket(PACKET* pack)
{
HANDLE hProcThread;
char fdata[29]="\x60\x8B\x0D\x00\x00\x00\x00\x8B\x49\x20\x68\x11\x11\x11\x11\x68\x22\x22\x22\x22\xB8\x33\x33\x33\x33\xFF\xD0\x61\xC3";
int lenfunc=29;
DWORD func=ofs->F_SEND_PACKET;
DWORD ba=ofs->BA;
DWORD len=pack->len;
//HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (!hProcess) return 0;
WriteProcessMemory(hProcess,pParam,pack->Bytes,len,NULL);
DWORD addr=DWORD(pParam);
memcpy(fdata+3,&ba,4);
memcpy(fdata+11,&len,4);
memcpy(fdata+16,&addr,4);
memcpy(fdata+21,&func,4);
WriteProcessMemory(hProcess,pFunction,fdata,lenfunc,NULL);
hProcThread = CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)pFunction,NULL,NULL,NULL);
if(hProcThread==INVALID_HANDLE_VALUE)
{
return 0;
}
WaitForSingleObject(hProcThread, INFINITE);
CloseHandle(hProcThread);
return 1;
}
void INJECTOR::Move(float x, float y, float z, int walkmode)
{
char fdata[117]="\x60\xA1\x00\x00\x00\x00\x8B\xB0\x11\x11\x11\x11\x8B\x8E\x22\x22\x22\x22\x6A\x01\xBB\x33\x33\x33\x33\xFF\xD3\x89\xC7\x8D\x44\xE4\x0C\x50\x68\x44\x44\x44\x44\x89\xF9\xBB\x55\x55\x55\x55\xFF\xD3\x8B\x8E\x66\x66\x66\x66\x6A\x00\x6A\x01\x57\x6A\x01\xBB\x77\x77\x77\x77\xFF\xD3\xA1\x88\x88\x88\x88\x8B\x80\x99\x99\x99\x99\x8B\x80\xAA\xAA\xAA\xAA\x8B\x40\x30\x8B\x48\x04\xB8\xBB\xBB\xBB\xBB\x89\x41\x20\xB8\xCC\xCC\xCC\xCC\x89\x41\x24\xB8\xDD\xDD\xDD\xDD\x89\x41\x28\x61\xC3";
DWORD func1=ofs->F_MOVE1;
DWORD func2=ofs->F_MOVE2;
DWORD func3=ofs->F_MOVE3;
DWORD ga=ofs->GA;
DWORD ps=ofs->PERS_STRUCT;
DWORD maa=ofs->MY_ACTION_ARRAY;
DWORD wmode=1; if (walkmode==0) wmode=0;
memcpy(fdata+2,&ga,4);
memcpy(fdata+8,&ps,4);
memcpy(fdata+14,&maa,4);
memcpy(fdata+21,&func1,4);
memcpy(fdata+35,&wmode,4);
memcpy(fdata+42,&func2,4);
memcpy(fdata+50,&maa,4);
memcpy(fdata+62,&func3,4);
memcpy(fdata+69,&ga,4);
memcpy(fdata+75,&ps,4);
memcpy(fdata+81,&maa,4);
memcpy(fdata+92,&x,4);
memcpy(fdata+100,&z,4);
memcpy(fdata+108,&y,4);
InjectFunction(&fdata,117);
}
were the hell did i wrote its moving with packets code ?Quote:
and whats is actually offsets in revival of dynasties for move?