Making Jump To Codecave for X6 bit process, How to make It Work correct.

Discussion on Making Jump To Codecave for X6 bit process, How to make It Work correct. within the .NET Languages forum part of the Coders Den category.

 
Old   #1
 

Hi, I have been trying to get my little cheat code working correctly for some time now. What I am having problems with is that I do not manage to figure out how to make my code work and jump to my codecave, which I create with VirtualAllocEx. I get it to work just fine on a 32-bit process, but when I try it on a 64-bit process, the address I need to jump to (the allocated space I create first) gets all screwed up and it does not work correctly.
If anyone can help here, I'd be more than grateful.

If you need me to show some code I use, I'll post it.
Cheataman is offline  
Old 05/04/2014, 13:22   #2


 
Pointers usually have a size of 8 bytes on x64. You should get a datatype which varies and adapts its size. I don't know any datatypes in .NET that may achieve this, but in C++ there is a type called uintptr_t which is guaranteed to be the same size as a pointer.

See for more information on this.
Mostey is offline  
Old 05/04/2014, 14:46   #3
 
In C# it should be a System.UIntPtr
'Heaven. is offline  
Old 05/04/2014, 22:00   #4
 
Hi guys, thank you for the response. Well, I can write just fine to an address offset of, let's say, &140000000 and up, which is available in the address span of a 64-bit process, but the problem arises when I want to jump from this address of 140000000 to a lower or higher address, making a long jump. So let's say I want to make a jump or call from the address of JMP 140000000 to a lower address like 0C010000; you see, it's a lower allocation address in this example. This way I thought there was no need for me to convert it to an 8-byte pointer, or am I wrong here? Maybe it's just my way of jumping that does not do it right?
Cheataman is offline  
Old 05/04/2014, 22:50   #5


 
Just use your calculator.

0x140000000 - 0x0C010000 = 0x133FF0000

0x133FF0000 / 4 = 0x4CFFC000
0x133FF0000 / 8 = 0x267FE000

Ignoring this fact can be very dangerous, you may hit something other than your target game which'd lead to undefined behavior.

I don't see any problem in changing the datatype. As stated above, uintptr_t is guaranteed to be the same size so there is no need for converting.

Waka Toa is right, even an IntPtr will work here. According to the docs, this is the .NET equivalent to uintptr_t, which is also guaranteed to be the size of a pointer.
Mostey is offline  
Old 05/04/2014, 23:45   #6
 
In Cheat Engine, doing a far jump like I would have done it if it worked looks like so:
JMP Qword ptr[04010000] as an example, but I wonder how Cheat Engine does this.

If I am at, let's say, 130000000 as an offset for where to inject, Cheat Engine automatically starts to allocate at an address that is around the same address size. How would I do that? Taking this address manually and adding it to my jump-to code makes the jump work just like I'd hope. But the problem is I don't know if and how I can set my own start base for the allocations like Cheat Engine can do. This is using injections with CE AA scripts in Cheat Engine; if I select the Tools/Allocate Memory option in CE, it will start to allocate at a 32-bit address span and up. But it's like Cheat Engine sees that I am at a higher address and starts to allocate from around there when I use the injection scripts. If I could do the same, I could make it work perhaps.

If you want me to post some code, I'll post it right up.

Code in the module I use in this last test project.

Code:
Imports System.ComponentModel
 Module Module1
 #Region "Declarations"
     Declare Function VirtualAllocEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As IntPtr
     Declare Function VirtualProtectEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal newProtect As Integer, ByRef oldProtect As Integer) As Boolean

     Public Declare Function CloseHandle Lib "KERNEL32" _
    (ByVal hObject As Int32) _
    As Boolean

     Public Declare Function GetAsyncKeyState Lib "USER32" _
     (ByVal vKey As Int32) _
     As Int16

     Public Declare Function IsDebuggerPresent Lib "KERNEL32" () As Boolean

     Public Declare Function OpenProcess Lib "KERNEL32" _
     (ByVal DesiredAccess As Int32, _
      ByVal InheritHandle As Boolean, _
      ByVal ProcessId As Int32) _
     As Int32

     Private Declare Function WriteProcessMemory Lib "kernel32" _
     (ByVal Handle As Integer, _
      ByVal address As Long, _
      ByRef Value As Int32, _
      ByVal Size As Integer, _
      ByRef lpNumberOfBytesWritten As Long) _
     As Long

     Private Declare Function ReadProcessMemory Lib "kernel32" _
     (ByVal Handle As Int32, _
      ByVal address As Int32, _
      ByRef Value As Int32, _
      Optional ByVal Size As Int32 = 4, _
      Optional ByVal lpNumberOfBytesWritten As Int64 = 0) _
     As Integer

     'PROCESS ACCESS RIGHTS.
     Public PROCESS_TERMINATE As Int32 = 1
     Public PROCESS_CREATE_THREAD As Int32 = 2
     Public PROCESS_VM_OPERATION As Int32 = 8
     Public PROCESS_VM_READ As Int32 = 16
     Public PROCESS_VM_WRITE As Int32 = 32
     Public PROCESS_DUP_HANDLE As Int32 = 64
     Public PROCESS_CREATE_PROCESS As Int32 = 128
     Public PROCESS_SET_QUOTA As Int32 = 256
     Public PROCESS_SET_INFORMATION As Int32 = 512
     Public PROCESS_QUERY_INFORMATION As Int32 = 1024
     Public PROCESS_SUSPEND_RESUME As Int32 = 2048
     Public PROCESS_ALL_ACCESS As Int32 = 4091

     'ALLOCATION TYPES.
     Public MEM_COMMIT As Int32 = 4096
     Public MEM_RESERVE As Int32 = 8192
     Public MEM_RESET As Int32 = 524288
     Public MEM_TOP_DOWN As Int32 = 1048576
     Public MEM_PHYSICAL As Int32 = 4194304

     'MEMORY PROTECTION TYPES.
     Public PAGE_NOACCESS As Int32 = 1
     Public PAGE_READONLY As Int32 = 2
     Public PAGE_READWRITE As Int32 = 4
     Public PAGE_WRITECOPY As Int32 = 8
     Public PAGE_EXECUTE As Int32 = 16
     Public PAGE_EXECUTE_READ As Int32 = 32
     Public PAGE_EXECUTE_READWRITE As Int32 = 64
     Public PAGE_EXECUTE_WRITECOPY As Int32 = 128

     Private Const ACCESS_RIGHTS_ALL = &H1F0FFF
     Private process_id As Int32 = 0
     Public pHandle As Integer = 0
     Dim FlagValue As Integer
     Public Function GetProcessId(ByVal game_name As String) As Boolean 'Checks to see if the game is running (returns True or False) and sets the pHandle *REQUIRED TO USE*
         For Each p As Process In Process.GetProcessesByName(game_name)
             process_id = p.Id
             pHandle = OpenProcess(56, False, process_id)
             Return True
         Next
         Return False
     End Function
 #End Region
 #Region "Memory Allocations"
     Public Function AllocMem() As Integer 'Allocates memory in the process and returns the starting address of the allocated area
         Dim pBlob As IntPtr = VirtualAllocEx(pHandle, New IntPtr(), New IntPtr(2048), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
         If pBlob = IntPtr.Zero Then
             'Report the failure before returning; a Return in front of the MsgBox made it unreachable
             MsgBox("The trainer couldn't implant the cheats. Please restart the trainer.", MsgBoxStyle.Critical, "Error")
             Return 0
         Else
             Return pBlob
         End If
     End Function
     Sub RemoveProtection(ByVal AddressOfStart As Integer) 'Changes the protection of the page with the specified starting address to PAGE_EXECUTE_READWRITE
         Dim oldProtect As Integer
         If Not VirtualProtectEx(pHandle, New IntPtr(AddressOfStart), New IntPtr(2048), PAGE_EXECUTE_READWRITE, oldProtect) Then Throw New Win32Exception
     End Sub
 #End Region
 #Region "Write"
     Public Sub WriteByte(ByVal address As Int64, ByVal Value As Byte) 'Writes a single byte value
         WriteProcessMemory(pHandle, address, Value, 1, 0)
     End Sub
     Public Sub WriteInt32(ByVal address As Int64, ByVal Value As Int32) 'Writes a 4-byte value
         WriteProcessMemory(pHandle, address, Value, 4, 0)
     End Sub
     Public Sub WriteASM(ByVal address As Int64, ByVal Value As Byte()) 'Writes assembly using bytes
         For i As Long = LBound(Value) To UBound(Value)
             WriteByte(address + i, Value(i))
         Next
     End Sub
     Public Function WritePointer(ByVal Pointer As Long, ByVal Buffer As Int32, ByVal OffSet() As Int32) As Integer 'Writes to a pointer
         For Each I As Integer In OffSet
             ReadProcessMemory(pHandle, Pointer, Pointer)
             Pointer += I
         Next
         WriteProcessMemory(pHandle, Pointer, Buffer, 4, 0)
         Return 0
     End Function
     Public Function WriteAddPointer(ByVal Pointer As Int32, ByVal Buffer As Int32, ByVal OffSet() As Int32) As Integer 'Adds a value to a pointer
         For Each I As Integer In OffSet
             ReadProcessMemory(pHandle, Pointer, Pointer)
             Pointer += I
         Next
         WriteProcessMemory(pHandle, Pointer, ReadInt32(Pointer) + Buffer, 4, 0)
         Return 0
     End Function
     ' Write 8 bytes into the process
     Public Sub Write_Float(ByVal address As Int32, ByVal value As Int64)
         Dim process_handle As Int32
         process_handle = OpenProcess(ACCESS_RIGHTS_ALL, False, process_id)
         If process_handle <> 0 Then
             WriteProcessMemory(process_handle, address, value, 8, 0)
         End If
         CloseHandle(process_handle)
     End Sub
     ' For the code injection
     Public Sub autopatcher(ByVal address As Int32, ByVal value As Byte())
         Dim i As Integer 'Integer, not Byte: a Byte loop counter overflows on patches longer than 255 bytes
         For i = LBound(value) To UBound(value)
             WriteByte(address + i, value(i))
         Next
     End Sub
 #End Region



     Public Function AllocJump(ByVal source As Int32, ByVal destination As Int32, Optional ByVal Nops As Integer = 0) As Boolean 'Creates a jump from the specified address to a destination address
         WriteByte(source, &HE9) 'E9 = relative JMP; the 4-byte displacement that follows is measured from the end of the 5-byte instruction
         WriteInt32(source + 1, destination - source - 5)
         If Nops = 0 Then
             Return 0
         End If
         For i As Int32 = 1 To Nops
             WriteByte(source + 4 + i, &H90)
         Next
         Return 0
     End Function



Code:

Public Class Form1

     Private Const ProcName = "Outlast"
     Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
         GetProcessId(ProcName)
         'WriteASM(&H140446285, New Byte() {&H90, &H90, &H90, &H90, &H90})
         Dim pBlob As Long = VirtualAllocEx(pHandle, New IntPtr(), New IntPtr(2048), MEM_COMMIT, PAGE_EXECUTE_READWRITE).ToInt64()
         TextBox1.Text = Hex(pBlob) 'I use this to see the address in hex only
         Dim caveAddr As Long = pBlob

         AllocJump(&H13CF0006, caveAddr) 'This works fine

     End Sub

 End Class


I get the following error if I do this:

AllocJump(&H13CA00000, caveAddr): this does not work. The address from my code is this high in the address space, so how do I do the jump?

"constant expression not representable in type 'integer'"

So the question is where in the module I need to change it to work.

I don't know why the wrapped code gets output in one single line here, but I added code marks around it.

OK, my bad, it seems to be laid out fine now.

I am willing to pay anyone that is able to solve this; this is driving me nuts.

If OK, I can pay for some kind of code that can calculate the right jump from the code I provided, to work as I hoped.

I have tried for over a week now.
Cheataman is offline  
Old 05/05/2014, 07:30   #7


 
I'm not very familiar with Visual Basic, but don't you have Enums or something? As far as I can see, your code consists of multiple structures containing flags used for the WinAPI.

Another point here, which is probably causing the behavior on x64, is among others this line here:

Code:
AllocJump(ByVal source As Int32, ByVal destination As Int32,
I already told you not to use Int32, since 32 bits are not safe for use when it comes to memory allocation on x64.
Mostey is offline  
Old 05/06/2014, 11:29   #8
 
I solved it, so that's why I got back here to tell you this; you have been very helpful.
I wrote a function that calculates the jump between the distances of addresses.

Or a sub. Here goes; it works but took some time to figure out. I don't know why I could not do it internally within VB, but this works.

Code:
 Private Sub WriteX64JMP(ByVal WindowName As String, ByRef Address As Long, ByVal JMP As Long)
        Dim XprocX As String

        Dim hWnd As Long, hProcess As Long, pid As Long
        hWnd = FindWindowA(vbNullString, WindowName)
        XprocX = WindowName
        If hWnd = 0 Then
            Exit Sub
        End If
        If GetWindowThreadProcessId(hWnd, pid) = 0 Then
            Exit Sub
        End If
        hProcess = OpenProcess(4091, False, pid)
        If hProcess = 0 Then
            Exit Sub
        End If

        ' 14-byte stub: FF 25 00 00 00 00 = JMP QWORD PTR [RIP+0]. The CPU loads the 8-byte
        ' operand stored right after the instruction (Address + 6) and jumps there, so that
        ' operand must be the absolute target, not a displacement.
        ' WriteMemoryASM is assumed to take the bytes as a hex string, as the "250000" call did.
        Call WriteMemoryASM((XprocX), Address, "FF2500000000")
        Call WriteMemoryASM((XprocX), Address + 6, BitConverter.ToString(BitConverter.GetBytes(JMP)).Replace("-", ""))

        Address = Address + 14
        Call CloseHandle(hProcess)
    End Sub
Cheataman is offline  
Old 05/12/2014, 08:54   #9


 
Quote:
Originally Posted by Cheataman View Post
Hi guys, thank you for the response. Well, I can write just fine to an address offset of, let's say, &140000000 and up, which is available in the address span of a 64-bit process, but the problem arises when I want to jump from this address of 140000000 to a lower or higher address, making a long jump. So let's say I want to make a jump or call from the address of JMP 140000000 to a lower address like 0C010000; you see, it's a lower allocation address in this example. This way I thought there was no need for me to convert it to an 8-byte pointer, or am I wrong here? Maybe it's just my way of jumping that does not do it right?
Well, where exactly is your problem? What happens to your address? Did you step through your code in a debugger?
Quote:
Originally Posted by Mostey View Post
Just use your calculator.

0x140000000 - 0x0C010000 = 0x133FF0000

0x133FF0000 / 4 = 0x4CFFC000
0x133FF0000 / 8 = 0x267FE000
What is this division supposed to be?
MrSm!th is offline  
Old 05/13/2014, 00:27   #10
 
Hi, I got it to work now by calculating the offset destination between the addresses.

My main goal was to allocate a codecave and inject to there from the instruction, but the problem being, on a 64-bit process the address range goes from very low to very high, so the normal JMP Address did not work; it had to be JMP qword ptr [pointer].

Otherwise the address would be something else.

I am sure this is much easier done in C++ or C#, but I am not good with that.

I do however need some help with a small code that scans the memory of a process by scanning through the memory regions until it finds the correct array of bytes.

If anyone can spot where I go wrong with the comparing, I'd be very grateful.

Here's the VB6 version that works just flawlessly; it works just like I would want the VB.NET version to work.

Here's the VB6 version first, laid out.

Code:
Private Sub CommandX1_Click()
    Dim pid As Long, hProcess As Long, hWin As Long
    Dim lpMem As Long, Ret As Long, lLenMBI As Long
    Dim lWritten As Long, MemPos As Long
    Dim si As SYSTEM_INFO
    Dim Pos1 As Variant
    Dim Array2str As String, Sbuffer As String

    '/**************************************************/
    hWin = FindWindowA(vbNullString, "Untitled - Notepad")
    Call GetWindowThreadProcessId(hWin, pid)

    hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
    lLenMBI = Len(mbi)

    'Determine the application's memory address range
    Call GetSystemInfo(si)
    lpMem = Int(&H20000000 / si.dwPageSize) * si.dwPageSize   'si.lpMinimumApplicationAddress

    'My array of bytes to scan for
    '============================='
    Pos1 = ByteArray(&HCC, &HCC)
    Array2str = StrConv(Pos1, vbUnicode)

    On Error GoTo Finished

    'Scan memory
    Do While lpMem < Int("&H4FFFFFFF" / si.dwPageSize) * si.dwPageSize
        mbi.RegionSize = 0
        Ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)
        If Ret = lLenMBI Then
            If (mbi.lType = MEM_PRIVATE) And (mbi.State = MEM_COMMIT) Then 'this block is in use by this process
                'Read region into string
                Sbuffer = String(mbi.RegionSize, 0)
                ReadProcessMemory hProcess, ByVal mbi.BaseAddress, ByVal Sbuffer, mbi.RegionSize, lWritten

                'Check if region contains the search string
                MemPos = InStr(1, Sbuffer, Array2str, vbTextCompare)
                If MemPos Then
                    ArrayX(1).Text = Hex(mbi.BaseAddress + MemPos - 1)
                    If FinalAddress.Text = "0" Then GoTo Finished
                End If
            End If
            lpMem = mbi.BaseAddress + mbi.RegionSize
        Else
            Exit Do
        End If
    Loop

Finished:
    CloseHandle hProcess
End Sub

And here is my attempt to convert it, but the program closes when I scan with it, because I think my conversion of the above code is not done properly. Can you experts maybe see where I am going wrong? I think the problem is where it should convert and read the buffer and compare it with the array of bytes I want to search for. But I am not sure.

The VB.NET conversion of the above working VB6 version.

Code:
Private Sub Button8_Click(sender As Object, e As EventArgs) Handles Button8.Click
    Dim hWnd As Long
    Dim Pid As Long
    Dim mbi As MEMORY_BASIC_INFORMATION
    Dim si As SYSTEM_INFO
    Dim hProcess As IntPtr
    Dim lpmem As Long            ' Long, not Integer: region addresses above 2 GB must fit
    Dim lLenMBI As Long
    Dim lWritten As Integer

    '/ Title of the target window goes here
    hWnd = FindWindowA(vbNullString, "Untitled - Notepad")
    Call GetWindowThreadProcessId(hWnd, Pid)
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
    lLenMBI = Len(mbi)
    Call GetSystemInfo(si)

    '/ Search base
    lpmem = &H400000

    '/ The byte array to search for
    Dim bData() As Byte = New Byte() {&HCC, &HCC}

    ' Scan memory up to the end address
    Do While lpmem < Int(&H5FFFFFFF / si.dwPageSize) * si.dwPageSize
        mbi.RegionSize = 0
        Dim ret As UIntPtr = VirtualQueryEx(hProcess, lpmem, mbi, lLenMBI)
        If ret.ToUInt64() = CULng(lLenMBI) Then
            If mbi.RegionSize > 0 Then
                ' If (mbi.State = MEM_COMMIT) = True Then 'This block is in use by this process

                ' The buffer must hold the whole region, one array element per byte (not RegionSize / 4)
                Dim lBuffer(CInt(mbi.RegionSize) - 1) As Byte
                ' Assumes the ReadProcessMemory Declare takes the buffer as ByVal lpBuffer As Byte();
                ' VarPtr does not exist in VB.NET
                ReadProcessMemory(hProcess, mbi.BaseAddress, lBuffer, mbi.RegionSize, lWritten)

                ' Compare raw bytes. Converting both sides to a Unicode string pairs the bytes
                ' up into 16-bit chars, so a match at an odd offset is never seen, and InStr
                ' with vbTextCompare is a case-insensitive text search that returns a character
                ' index rather than a byte offset.
                For offset As Integer = 0 To lWritten - bData.Length
                    Dim matched As Boolean = True
                    For j As Integer = 0 To bData.Length - 1
                        If lBuffer(offset + j) <> bData(j) Then
                            matched = False
                            Exit For
                        End If
                    Next
                    If matched Then
                        ListBox1.Items.Add(Hex(mbi.BaseAddress + offset))
                        CloseHandle(hProcess)
                        Exit Sub
                    End If
                Next
            End If
            lpmem = mbi.BaseAddress + mbi.RegionSize
        Else
            Exit Do
        End If
    Loop
    CloseHandle(hProcess)
End Sub
Cheataman is offline  
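To show why the comparison in the VB.NET conversion above goes wrong, here is an added example (not code from the thread) that runs the same two-byte search over a constructed buffer twice: once on raw bytes and once through the UTF-16 string conversion plus InStr that the conversion used. The module and function names are made up, the buffer is constructed, and no process memory is touched.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Text
Imports Microsoft.VisualBasic

Module PatternScanDemo
    ' Byte-for-byte search: returns every offset at which pattern occurs in region.
    Public Function FindAllOffsets(ByVal region As Byte(), ByVal pattern As Byte()) As List(Of Integer)
        Dim hits As New List(Of Integer)
        If pattern.Length = 0 OrElse region.Length < pattern.Length Then Return hits
        For offset As Integer = 0 To region.Length - pattern.Length
            Dim matched As Boolean = True
            For j As Integer = 0 To pattern.Length - 1
                If region(offset + j) <> pattern(j) Then
                    matched = False
                    Exit For
                End If
            Next
            If matched Then hits.Add(offset)
        Next
        Return hits
    End Function

    ' The thread's approach: decode both buffers as UTF-16 and use InStr.
    ' UTF-16 groups the bytes into 16-bit chars, so a hit starting at an odd byte offset
    ' is invisible, and the return value is a 1-based character index, not a byte offset.
    ' The original used vbTextCompare on top, which makes the search case-insensitive;
    ' binary comparison is used here so only the alignment problem shows.
    Public Function FindViaUnicodeInStr(ByVal region As Byte(), ByVal pattern As Byte()) As Integer
        Dim haystack As String = Encoding.Unicode.GetString(region)
        Dim needle As String = Encoding.Unicode.GetString(pattern)
        Return InStr(1, haystack, needle, CompareMethod.Binary)
    End Function

    Sub Main()
        ' Constructed region (not real process memory): CC CC starts at byte offsets 3 and 8.
        Dim region As Byte() = {&H90, &H90, &H48, &HCC, &HCC, &H0, &H0, &H0, &HCC, &HCC, &H90, &H90}
        Dim pattern As Byte() = {&HCC, &HCC}

        Dim hits As List(Of Integer) = FindAllOffsets(region, pattern)
        Console.WriteLine("byte search offsets: " & String.Join(", ", hits))

        ' Only the even-aligned occurrence survives the UTF-16 decoding, and the index it
        ' reports is a character position; BaseAddress + pos - 1 would point at the wrong byte.
        Dim pos As Integer = FindViaUnicodeInStr(region, pattern)
        Console.WriteLine("InStr on UTF-16 text, 1-based char index: " & pos)
    End Sub
End Module
```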
Old 05/15/2014, 16:33   #11
 
I don't know if it's useful for you, but there is no simple jmp instruction in x64.
You have to use something like
Code:
mov rax, address
jmp rax
I use it for my WoW sniffer hooks.
Easy-Emu is offline  
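Putting together Mostey's point about Int32 (#7), the OP's 14-byte stub (#8) and Easy-Emu's mov rax/jmp rax variant (#11): an added example, not code from the thread, that does the jump arithmetic in 64-bit Longs, checks whether an E9 rel32 jump can reach the target at all, and otherwise emits the FF 25 absolute form. The addresses are the ones quoted in the thread; the module and function names are made up, and the result is only printed, never written anywhere.

```vbnet
Imports System

Module JumpEncoder
    Private Const RelJmpLength As Integer = 5    ' E9 rel32
    Private Const AbsJmpLength As Integer = 14   ' FF 25 00000000 + imm64

    ' The displacement of an E9 jump is measured from the end of the 5-byte instruction.
    ' Computed in Long so that addresses above 2 GB (the &H13CA00000 case) cannot overflow.
    Public Function Rel32Displacement(ByVal source As Long, ByVal target As Long) As Long
        Return target - (source + RelJmpLength)
    End Function

    ' A rel32 reaches only +/- 2 GiB; beyond that a relative jump cannot be encoded at all.
    Public Function Rel32Reachable(ByVal source As Long, ByVal target As Long) As Boolean
        Dim disp As Long = Rel32Displacement(source, target)
        Return disp >= Integer.MinValue AndAlso disp <= Integer.MaxValue
    End Function

    ' Instruction bytes to place at source so that execution continues at target.
    Public Function EncodeJump(ByVal source As Long, ByVal target As Long) As Byte()
        If Rel32Reachable(source, target) Then
            Dim relBytes(RelJmpLength - 1) As Byte
            relBytes(0) = &HE9
            Array.Copy(BitConverter.GetBytes(CInt(Rel32Displacement(source, target))), 0, relBytes, 1, 4)
            Return relBytes
        End If
        ' Out of range: FF 25 <disp32 = 0> is JMP QWORD PTR [RIP+0]; the CPU reads the 8-byte
        ' absolute target that immediately follows the instruction. No register is clobbered.
        Dim absBytes(AbsJmpLength - 1) As Byte
        absBytes(0) = &HFF
        absBytes(1) = &H25
        Array.Copy(BitConverter.GetBytes(target), 0, absBytes, 6, 8)   ' bytes 2..5 stay 00
        Return absBytes
    End Function

    ' The variant from post #11: MOV RAX, imm64 ; JMP RAX. Two bytes shorter, but RAX is lost.
    Public Function EncodeJumpViaRax(ByVal target As Long) As Byte()
        Dim raxBytes(11) As Byte
        raxBytes(0) = &H48 : raxBytes(1) = &HB8        ' REX.W MOV RAX, imm64
        Array.Copy(BitConverter.GetBytes(target), 0, raxBytes, 2, 8)
        raxBytes(10) = &HFF : raxBytes(11) = &HE0      ' JMP RAX
        Return raxBytes
    End Function

    Public Function ToHex(ByVal bytes As Byte()) As String
        Return BitConverter.ToString(bytes).Replace("-", " ")
    End Function

    Sub Main()
        Dim cave As Long = &HC010000L   ' the low allocation address quoted in the thread
        ' Source still inside the 32-bit range: the rel32 fits, so the 5-byte E9 jump is used.
        Console.WriteLine(ToHex(EncodeJump(&H13CF0006L, cave)))
        ' The source that gave "constant expression not representable in type 'integer'":
        ' the L suffix makes the literal a Long, and since the displacement no longer fits
        ' in 32 bits the 14-byte absolute form comes back instead.
        Console.WriteLine(Rel32Reachable(&H13CA00000L, cave))
        Console.WriteLine(ToHex(EncodeJump(&H13CA00000L, cave)))
        Console.WriteLine(ToHex(EncodeJumpViaRax(cave)))
    End Sub
End Module
```

Whichever stub is chosen, the bytes it overwrites at the source must be whole instructions (5, 12 or 14 bytes), which is why the original AllocJump takes a NOP count to pad the remainder.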