[C++]WriteProcessMemory: Problems opening the process - WTF -

Page 1 of 2 1 2
01/05/2014 16:57 Hybrid~#1
Hello.
so, i'm tring to do a simple troll hack for a game, S4League.
whenever im trying to open the process,it wont let me o_o
Screen:
[Only registered and activated users can see links. Click Here To Register...]
Source Code:
Code:
#include <iostream>
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "user32.lib")




using namespace std;
bool SetPrivilege(LPCTSTR privilege, bool enablePriv) {
	LUID luid = {0};
	if (LookupPrivilegeValue(NULL, privilege, &luid) == FALSE)
		return false;

	HANDLE hToken = NULL;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) == FALSE)
		return false;

	TOKEN_PRIVILEGES tokenPriv = {0};
	tokenPriv.PrivilegeCount = 1;
	tokenPriv.Privileges[0].Luid = luid;
	tokenPriv.Privileges[0].Attributes = enablePriv ? SE_PRIVILEGE_ENABLED : 0;
	if (AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, NULL, NULL, NULL) != FALSE) {
		CloseHandle(hToken);
		return GetLastError() == ERROR_SUCCESS;
	}
	

	CloseHandle(hToken);
	return false;
}

int main()
{
	////////////////////////////////////////////////////////////////////////////////////////////
	int test = SetPrivilege(SE_DEBUG_NAME, true);
	if (!test)
	{
	cout << "Failed to set SE_DEBUG_NAME Privilege" <<endl << endl;
	}
	else 
	{
		cout << "Setted SE_DEBUG_NAME Privilege succesfuly!"<<endl; 
		
	} 
	////////////////////////////////////////////////////////////////////////////////////////////
    int newValue = 2348565979;
    HWND hWnd = FindWindowA(0, "S4 Client");
	Sleep(150);
    if (hWnd == 0) {
        cout << "Cannot find the S4Client Window * o *" << endl;
		cout << "" << endl;
		cout << "Press [ENTER] to close the application ";
		std::cin.get();
		return 0;

    } else {
        DWORD pId = GetWindowThreadProcessId(hWnd, &pId);
		Sleep(100);
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);
		cout << "S4Client pId: " << pId << endl<<endl;
        if (!hProc) {
            cout << "Can't open process." << endl;
            cout << "Press [ENTER] to close the application ";
		std::cin.get();
		return 0;
        } else {
            int isSuccessful = WriteProcessMemory(hProc, (LPVOID)0x19951880, (LPVOID)2348565979, sizeof(2348565979), 

NULL);

            if (isSuccessful > 0) {
                cout << "WriteProcessMemory Succesful!" << endl;
				MessageBoxA(NULL, "54", "200 HP by Hybrid      @      www.elitepvpers.com", MB_OK);
            } else {
                cout << "Cannot write process memory." << endl;
                cout << "Press [ENTER] to close the application ";
		std::cin.get();
		return 0;
            }

			
            CloseHandle(hProc);
        }
    }

    return 0;
}
Any help is appreciated :3
01/05/2014 17:11 snow#2
You have to adjust your privileges, you need SeDebugPrivilege to access S4 League.
01/05/2014 17:40 Hybrid~#3
Quote:
Originally Posted by snow911 View Post
You have to adjust your privileges, you need SeDebugPrivilege to access S4 League.
Hello, thanks for reply!
All i found was this msdn link [Only registered and activated users can see links. Click Here To Register...]
But it's still kinda unclear how to do it.
01/05/2014 18:53 Master674b#4
My guess is that this program sets a higher security descriptor on startup. So you might need to embed a manifest to your application which requests more privileges. I would recommend "highestAvailable". After you did that you should adjust your process token privileges by requesting SE_DEBUG.

Code:
bool SetPrivilege(LPCTSTR privilege, bool enablePriv) {
	LUID luid = {0};
	if (LookupPrivilegeValue(NULL, privilege, &luid) == FALSE)
		return false;

	HANDLE hToken = NULL;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) == FALSE)
		return false;

	TOKEN_PRIVILEGES tokenPriv = {0};
	tokenPriv.PrivilegeCount = 1;
	tokenPriv.Privileges[0].Luid = luid;
	tokenPriv.Privileges[0].Attributes = enablePriv ? SE_PRIVILEGE_ENABLED : 0;
	if (AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, NULL, NULL, NULL) != FALSE) {
		CloseHandle(hToken);
		return GetLastError() == ERROR_SUCCESS;
	}

	CloseHandle(hToken);
	return false;
}
Usage:
Code:
SetPrivilege(SE_DEBUG_NAME, true);
01/05/2014 19:19 Hybrid~#5
Quote:
Originally Posted by Master674b View Post
My guess is that this program sets a higher security descriptor on startup. So you might need to embed a manifest to your application which requests more privileges. I would recommend "highestAvailable". After you did that you should adjust your process token privileges by requesting SE_DEBUG.

Code:
bool SetPrivilege(LPCTSTR privilege, bool enablePriv) {
	LUID luid = {0};
	if (LookupPrivilegeValue(NULL, privilege, &luid) == FALSE)
		return false;

	HANDLE hToken = NULL;
	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) == FALSE)
		return false;

	TOKEN_PRIVILEGES tokenPriv = {0};
	tokenPriv.PrivilegeCount = 1;
	tokenPriv.Privileges[0].Luid = luid;
	tokenPriv.Privileges[0].Attributes = enablePriv ? SE_PRIVILEGE_ENABLED : 0;
	if (AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, NULL, NULL, NULL) != FALSE) {
		CloseHandle(hToken);
		return GetLastError() == ERROR_SUCCESS;
	}

	CloseHandle(hToken);
	return false;
}
Usage:
Code:
SetPrivilege(SE_DEBUG_NAME, true);
Thank you so much for reply, but it still don't work.
This is pissing me off ._.

SCREEN:
[Only registered and activated users can see links. Click Here To Register...]
01/05/2014 19:33 bloodx#6
Well S4 is using Hackshield or ? I think u need to load your DLL before Hackshield is loaded.
01/05/2014 19:50 Master674b#7
Quote:
Originally Posted by Hybrid~ View Post
Thank you so much for reply, but it still don't work.
This is pissing me off ._.

SCREEN:
[Only registered and activated users can see links. Click Here To Register...]
Code:
if (test = 0)
is not the same as:

Code:
if (!test)
Did you do what I said? Did you embed the manifest with "requestedExecutionLevel" set to "highestAvailable"? Or "requireAdministrator"?

Try to run the program as admin to test. But you should still embed the manifest!
01/06/2014 12:58 Hybrid~#8
Quote:
Originally Posted by Master674b View Post
Code:
if (test = 0)
is not the same as:

Code:
if (!test)
Did you do what I said? Did you embed the manifest with "requestedExecutionLevel" set to "highestAvailable"? Or "requireAdministrator"?

Try to run the program as admin to test. But you should still embed the manifest!
No, but I'll try later today. Thanks

EDIT: I embedded it. still the same crap @_@
also changed the if (test = 0 ) to if (!test) and it still says that the Privilege has been setted succesfuly~
01/06/2014 15:54 Padmak#9
Quote:
Originally Posted by bloodx View Post
Well S4 is using Hackshield or ? I think u need to load your DLL before Hackshield is loaded.
The are using Hackshield, so you have to inject before Hackshield starts up.
I released an open-source variant of such an Injector a very long time ago, but you can give it a shot: [Only registered and activated users can see links. Click Here To Register...]

Padmak
01/06/2014 16:01 Hybrid~#10
Quote:
Originally Posted by Padmak View Post
The are using Hackshield, so you have to inject before Hackshield starts up.
I released an open-source variant of such an Injector a very long time ago, but you can give it a shot: [Only registered and activated users can see links. Click Here To Register...]

Padmak
I have XTrap bypassed.
It shouldn't be a problem.
and it's a damn console application, not a DLL
01/06/2014 16:05 Master674b#11
Quote:
Originally Posted by Padmak View Post
The are using Hackshield, so you have to inject before Hackshield starts up.
I released an open-source variant of such an Injector a very long time ago, but you can give it a shot: [Only registered and activated users can see links. Click Here To Register...]

Padmak
Once you managed to get the SE_DEBUG privilege it shouldn't matter unless this "Hack Shield" is installing some driver (I would suggest to write your own driver in this case to work around that stupid piece of shit).

It's basically a game of cat-and-mouse.
01/06/2014 16:17 Hybrid~#12
Quote:
Originally Posted by Master674b View Post
Once you managed to get the SE_DEBUG privilege it shouldn't matter unless this "Hack Shield" is installing some driver (I would suggest to write your own driver in this case to work around that stupid piece of shit).

It's basically a game of cat-and-mouse.
Imma just take a break. Thank you for ya help. i appreciate it ;3
01/06/2014 17:52 Padmak#13
Sorry, maybe i didn't read it as well as i should have. My bad. But you could give it a shot, though? Usually DLL-Injection makes ones life a lot easier

@Master674b:
It's exactly like you said: HackShield is using a driver to prevent programs from accessing their process

Padmak
01/06/2014 19:11 Omdi#14
You don't need to request PROCESS_ALL_ACCESS access.
Requesting PROCESS_VM_WRITE should work.
01/06/2014 20:09 K1ramoX#15
Code:
void SetDebugPrivilege()
{
	HANDLE hThis = GetCurrentProcess();

	HANDLE hToken;
	LUID luid;
	OpenProcessToken(hThis, TOKEN_ADJUST_PRIVILEGES, &hToken);
	LookupPrivilegeValue(0, "SeDebugPrivilege", &luid);

	TOKEN_PRIVILEGES priv;
	priv.PrivilegeCount = 1;
	priv.Privileges[0].Luid = luid;
	priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	AdjustTokenPrivileges(hToken, false, &priv, 0, 0, 0);

	CloseHandle(hToken);
	CloseHandle(hThis);
}

DWORD getProcessID(const std::string &strName)
{
	PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	DWORD result = 0;

	if (Process32First(hSnapshot, &pe))
	{
		while (Process32Next(hSnapshot, &pe))
		{
			if (std::string(pe.szExeFile) == strName)
			{
				result = pe.th32ProcessID;
				break;
			}
		}
	}

	CloseHandle(hSnapshot);
	return result;
}

int main()
{
	SetDebugPrivilege();

	std::string strProcessname = "S4Client.exe";
	DWORD dwProcessID = 0;

	while (!(dwProcessID = getProcessID(strProcessname)))
		std::this_thread::sleep_for(std::chrono::milliseconds(100));

	/*++
	
	PROCESS_ALL_ACCESS may cause problems, see:
	http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
	
	--*/
	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, dwProcessID);
	if (!hProc)
	{
		std::cout << "OpenProcess failed! Errorcode: " << GetLastError() << std::endl;
		std::cin.get();
		return 0;
	}

	// your writeprocessmemory stuff...
	// maybe you put a sleep here to give themida time for unpacking the client

	CloseHandle(hProc);
	std::cout << "Done!" << std::endl;
	std::cin.get();
	return 0;
}
gl & hf
Page 1 of 2 1 2