[TUTORIAL] Creating a simple DLL Cheat/Hack

[hawkagent]

I have not yet found a solution, but the weird thing is, my proxy dll DOES actually work on a less secured server, although the export is "DirectSoundCaptureCreate = ___E__0__@0" instead of "DirectSoundCaptureCreate".

I'm not sure how come this is. But I think im on to something here, a good guess would be kalsage is sensing this modified export, and refuses to import this. So I would like to remove the "= ___E__0__@0" from the exports, so it only exports "DirectSoundCaptureCreate". Is there a way to do this?

[RunzelEier]

Try to compile it as a release.
There might be some problems with the debug version

[hawkagent]

It was already in Release mode, but as the problem miraculously appeared, it disappeared when I changed the release output folder. Anyway I successfully proxy'd the dll, now on to hooking some functions

[SimSir]

This is Virtual base adress? oR OEP?

PHP Code:

DWORD GetTargetThreadIDFromProcName(const char * ProcName) 
{ 
   PROCESSENTRY32 pe; 
   HANDLE thSnapShot; 
   BOOL retval, ProcFound = false; 

   thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
   if(thSnapShot == INVALID_HANDLE_VALUE) 
   { 
      //MessageBox(NULL, "Error: Unable to create toolhelp snapshot!", "2MLoader", MB_OK); 
      printf("Error: Unable to create toolhelp snapshot!"); 
      return false; 
   } 

   pe.dwSize = sizeof(PROCESSENTRY32); 
    
   retval = Process32First(thSnapShot, &pe); 
   while(retval) 
   { 
      if(StrStrI(pe.szExeFile, ProcName)) 
      { 
         return pe.th32ProcessID; 
      } 
      retval = Process32Next(thSnapShot, &pe); 
   } 
   return 0; 
}

int main(int argc, char * argv[]) 
{
HANDLE Proc; 
DWORD pID = GetTargetThreadIDFromProcName("engine.exe");
Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
MEMORY_BASIC_INFORMATION mInfo;
VirtualQueryEx(Proc,NULL,&mInfo,NULL);
std::cout <<"AllocationBase :"<< mInfo.AllocationBase << "\n";
    std::cout <<"AllocationProtect :" <<mInfo.AllocationProtect <<"\n";
    std::cout <<"BaseAddress :" << mInfo.BaseAddress <<"\n"; //<---g_dwBasePointerAddress ? 
    std::cout <<"Protect :" <<mInfo.Protect << "\n";
    std::cout <<"RegionSize :" << mInfo.RegionSize << "\n";
    std::cout <<"State :" << mInfo.State <<"\n";
    std::cout <<"Type :" <<mInfo.Type << "\n";
CloseHandle(Proc); 
} 


ineed some help ^^

[Thiesius]

1] If the NULL is valid argument for second parameter, then I would say it will be Image Base - 0x400000.

2] It won't be OEP 100%, that's bullcrap.

3] HackShields hook returns Access Denied for OpenProcess, so unless you have a driver it won't work.

4] Thread ID != Process ID

[pleaX]

It's better to create a process(engine.exe) & then inject your dll...

[SimSir]

Quote:

Originally Posted by Thiesius

1] If the NULL is valid argument for second parameter, then I would say it will be Image Base - 0x400000.

2] It won't be OEP 100%, that's bullcrap.

3] HackShields hook returns Access Denied for OpenProcess, so unless you have a driver it won't work.

4] Thread ID != Process ID

ty for reply.

GetTargetThreadIDFromProcName its my function name return PID.

[SimSir]

Only int. server Good Luck )

dbghelp.h

PHP Code:

#include <windows.h>
#define jnz 0x850F;


static DWORD g_dwBasePointerAddress     = 0x401000; 
static DWORD* g_fileSecurityCheck       = 0;
static DWORD* g_memorySecurityCheck     = 0; 


dbghelp.cpp

PHP Code:

    DWORD Address=0;
    DWORD dwBuffer = jnz;
    
    g_fileSecurityCheck = &dwBuffer;
    g_memorySecurityCheck = &dwBuffer;
    
    //File Manipulation Check (Patch Je --> Jnz)
    Address= SearchPattern("50 FF 15 x x x x 8B 8D x x x x 89 8D x x x x 81 BD x x x x x x x x 0F 84 x x x x",g_dwBasePointerAddress,0x007fffff);
    MemCpyEx((LPVOID)(Address+29),(LPVOID)g_fileSecurityCheck, 2);

    
    //Memory Manipulation Check (Patch je--> Jnz)
    Address= SearchPattern("81 BD x x x x 05 07 01 00  0F 84 9D 01 00 00",g_dwBasePointerAddress,0x007fffff);
    MemCpyEx((LPVOID)(Address+10),(LPVOID)g_memorySecurityCheck, 2); 


[FrankHenk]

I'm trying to create a dinput8.dll proxy using this tutorial (although not for Kal Online but for another game), however the LoadLibrary function doesn't seems to find my renamed original DLL (dinput8_.dll) and I thought this topic would be the best to post my question.

To try and find which causes that error I changed to code for loading the library to this:

Code:

		hL = LoadLibrary("dinput8_.dll");
		if (!hL) {
			char error[300];
			sprintf(error, "LoadLibrary failed >> %d",GetLastError());
			MessageBox(
				NULL,
				error,
				"Error",
				MB_OK
				);
				return false;
		};

The error message I get is "LoadLibrary failed >> 193", so LoadLibrary seems to fail with code 193, but I can't find what this error actually means, but on Google I found it could be either a damaged original DLL (I copied the original from System32, so It's probably not damaged) or the code being compiled for 64bit while it has to be 32bit and vice versa. I couldn't find any site though which came with a fix, so I was wondering if someone here knows how to fix this.

Maybe usefull to know:
I am working on a 64bit Windows 7 with Visual Studi 10, and the DLL is used in a 32bit game from 2004 .

[xNekro]

€:Work Perfectly
Ty !

[dawly50]

ever think done but at cheat setup i stoped can u help me plz and rly thx ^^

[g3orgi00]

can i use another program other than microsoft visual studio?

[MoepMeep]

You can use any C++-Compiler ;o

[Doctor2]

I got an error: file manipulation detected

It happens when I press start on kalonline launcher ... any solutions?

[Sephit]

im trying to ready all the post but i cant find any solution of my problem .
Im trying to learn but im stuck at step 4, it seems that "Wrappit.exe" it's wrong or corrupted somewhere cause when i typed "wrappit.exe ... .. . .. ." the command prompt says that "wrappit.exe" cant be recognized as an internal or external command

what can i do? :/