[QUESTION] HP Memory Address

clintonselke · 05/16/2009, 16:21

Maybe this thread is dead now... im not sure xD... anyways, this is how i get the current HP using the function addresses from high6.

PHP Code:


			
uint32_t CCO2Functions::execute(void* opcode, uint32_t size)

{

    void* remoteMem = VirtualAllocEx(hProcess, 0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    if (remoteMem == NULL) { return 0; }

    if (!WriteProcessMemory(hProcess, remoteMem, opcode, size, 0)) {

        VirtualFreeEx(hProcess, remoteMem, 0, MEM_RELEASE);

        return 0;

    }

    HANDLE hThread = CreateRemoteThread(hProcess, 0, 65536, (LPTHREAD_START_ROUTINE)remoteMem, 0, 0, 0);

    if (!hThread) {

        VirtualFreeEx(hProcess, remoteMem, 0, MEM_RELEASE);

        return 0;

    }

    while (WaitForSingleObject(hThread, 1000) != WAIT_OBJECT_0) {}

    uint32_t retval;

    GetExitCodeThread(hThread, (DWORD*)&retval);

    VirtualFreeEx(hProcess, remoteMem, 0, MEM_RELEASE);

    CloseHandle(hThread);

    return retval;

}



CCO2Functions::CCO2Functions(uint32_t pid)

{

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

}



CCO2Functions::~CCO2Functions()

{

    if (hProcess != INVALID_HANDLE_VALUE) {

        CloseHandle(hProcess);

    }

}



uint32_t CCO2Functions::getHP()

{

    char opcode[] =

    "\x57"                     // PUSH EDI

    "\x56"                     // PUSH ESI

    "\x6A\x01"                 // PUSH 0x01

    "\xB9\xB8\xAB\x5D\x00"     // MOV ECX, 0x005DABB8

    "\xB8\x18\xA5\x4D\x00"     // MOV EAX, 0x004DA518

    "\xFF\xD0"                 // CALL EAX

    "\x5E"                     // POP ESI

    "\x5F"                     // POP EDI

    "\xC3";                    // RET

    return execute((void*)opcode, sizeof(opcode));

}

swords · 05/17/2009, 07:01

@clinton - Does that make the HP static?... If so, could you convert it to AutoIt script please

.

clintonselke · 05/17/2009, 15:58

Quote:

Originally Posted by swords

@clinton - Does that make the HP static?... If so, could you convert it to AutoIt script please .

Yeap it does

... and converting to AutoIt... U wanna do it?? xD, enough information is available now.

THis is the only extra part u would have to translate into AutoIt using DllCall() function

PHP Code:


			
while (WaitForSingleObject(hThread, 1000) != WAIT_OBJECT_0) {} 

uint32_t retval; 

GetExitCodeThread(hThread, (DWORD*)&retval);

That there waits until the function ends and gets the return value from it that was in EAX (ur hp value).

I'll convert it to AutoIt later, just feeling lazy atm

swords · 05/17/2009, 18:09

Quote:

Originally Posted by clintonselke

Yeap it does ... and converting to AutoIt... U wanna do it?? xD, enough information is available now.

THis is the only extra part u would have to translate into AutoIt using DllCall() function

PHP Code:

while (WaitForSingleObject(hThread, 1000) != WAIT_OBJECT_0) {} uint32_t retval; GetExitCodeThread(hThread, (DWORD*)&retval);

That there waits until the function ends and gets the return value from it that was in EAX (ur hp value).

I'll convert it to AutoIt later, just feeling lazy atm

Akaka, I don't understand C++, no chance I could convert it lol xD.

Thanks for doing this for me

. I actually have an auto-potter that can pot at the exact HP you desire, using NO memory work at all, just algorithms... With this, I can make a background potter by sending F keys through ControlSend

.