[Tutorial] How To Make Your (Ingame & AOB-Scan) trainer

[HaMaDa..]

#Closed.

[Jugram]

best tutorial for making trainers so far

[ZarneXxX]

Looks good

[Terrat]

Looks good but you should replace learn to teach.

[RingleRangleRob]

^Better UDF ( my opinion )

^This include also better Function and support AoBs with jmps,calls..etc.

Code:

SetPrivilege("Sedebugprivilege", 1)

Func SetPrivilege( $privilege, $bEnable )

    Local $hToken, $SP_auxret, $SP_ret, $hCurrProcess, $nTokens, $nTokenIndex, $priv
    $nTokens = 1
    $LUID = DLLStructCreate("dword;int")
    If IsArray($privilege) Then    $nTokens = UBound($privilege)
    $TOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]")
    $NEWTOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]")
    $hCurrProcess = DLLCall("kernel32.dll","hwnd","GetCurrentProcess")
    $SP_auxret = DLLCall("advapi32.dll","int","OpenProcessToken","hwnd",$hCurrProcess[0],   _
            "int",BitOR($TOKEN_ADJUST_PRIVILEGESS,$TOKEN_QUERYY),"int_ptr",0)
    If $SP_auxret[0] Then
        $hToken = $SP_auxret[3]
        DLLStructSetData($TOKEN_PRIVILEGES,1,1)
        $nTokenIndex = 1
        While $nTokenIndex <= $nTokens
            If IsArray($privilege) Then
                $priv = $privilege[$nTokenIndex-1]
            Else
                $priv = $privilege
            EndIf
            $ret = DLLCall("advapi32.dll","int","LookupPrivilegeValue","str","","str",$priv,   _
                    "ptr",DLLStructGetPtr($LUID))
            If $ret[0] Then
                If $bEnable Then
                    DLLStructSetData($TOKEN_PRIVILEGES,2,$SE_PRIVILEGE_ENABLEDD,(3 * $nTokenIndex))
                Else
                    DLLStructSetData($TOKEN_PRIVILEGES,2,0,(3 * $nTokenIndex))
                EndIf
                DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,1),(3 * ($nTokenIndex-1)) + 1)
                DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,2),(3 * ($nTokenIndex-1)) + 2)
                DLLStructSetData($LUID,1,0)
                DLLStructSetData($LUID,2,0)
            EndIf
            $nTokenIndex += 1
        WEnd
        $ret = DLLCall("advapi32.dll","int","AdjustTokenPrivileges","hwnd",$hToken,"int",0,   _
                "ptr",DllStructGetPtr($TOKEN_PRIVILEGES),"int",DllStructGetSize($NEWTOKEN_PRIVILEGES),   _
                "ptr",DllStructGetPtr($NEWTOKEN_PRIVILEGES),"int_ptr",0)
        $f = DLLCall("kernel32.dll","int","GetLastError")
    EndIf
    $NEWTOKEN_PRIVILEGES=0
    $TOKEN_PRIVILEGES=0
    $LUID=0
    If $SP_auxret[0] = 0 Then Return 0
    $SP_auxret = DLLCall("kernel32.dll","int","CloseHandle","hwnd",$hToken)
    If Not $ret[0] And Not $SP_auxret[0] Then Return 0
    return $ret[0]
EndFunc   ;==>SetPrivilege

You didn't should use 4 Bytes for writing assembler..


^Quelle :

If you need to write one byte you don't need to use four bytes..

Array of Bytes

Array of Bytes = sequence of bytes

Example :

(Show HP of Mates)
C6 41 14 00 83 7D E8 00 0F 85

Bytes = duh ?
Opcode = Operation Code ( Assembly Code )


The Jmp don't need because this sequence of bytes give us only one result.

This mean this sequence of bytes is only one time in the assembly code.

If we want to include this jmp ( jne = jump if not equal ) we need to ignore the bytes of the jmp



it will change after a patch.

C6 41 14 00 83 7D E8 00 0F 85 ?? ?? ?? ?? 8B 55 EC



^to this i don't need to say more ( the most will not understand )

Usage ( Autoit )



In this Function you got one change

Code:

 _MemoryScanEx($ah_Handle, $pattern, $mask , $after = False, $iv_addrStart = 0x00400000, $iv_addrEnd = 0x00FFFFFF, $step = 51200)

huh ? wut is mask ?

$handle = huh ? brain afk ?
$pattern = '\xC6\x41\x14\x00\x83\x7D\xE8\x00\x0F\x85\x00\x00\ x00\x00 \x8B\x55\xEC'
$mask = 'xxxxxxxxxx????xxx'
..

i hope you can understand. i am sorry for my bad english

[teeracer]

Quote:

Originally Posted by HaMaDa..

[CENTER]
3. Copy All Your Code (Alt+C)
3. Paste the Code that you have copied (Alt+V)

And I always thought it is Ctrl + C/V o.o

But nice tutorial c:

[[Beatrice]]

This was public since 2009 but it would be helpful for the people who's too *** to use google.

[HaMaDa..]

Quote:

Originally Posted by teeracer

And I always thought it is Ctrl + C/V o.o

But nice tutorial c:

Fixed xD

[alexmen10]

Cool
mmm is nothing new
for beginners will do well: v

[naruhinasakusasu]

Making an ingame autoit is nothing new for me , but the aob scan is awesome , Thanks Bro xD

[Technodrame]

Nice... Surely the best tutorial for making trainers.

[~*MarlboroRed+]

Thank you for this great tutorial!
However, I prefer VB.NET.

[HaMaDa..]

Quote:

Originally Posted by ~*MarlboroRed+

Thank you for this great tutorial!
However, I prefer VB.NET.

Wanna a tutorial for vb.net? xD

[~*MarlboroRed+]

Quote:

Originally Posted by HaMaDa..

Wanna a tutorial for vb.net? xD

No, I know how that works.

[BeatZz-]

Quote:

Originally Posted by HaMaDa..

Wanna a tutorial for vb.net? xD

I would be happy if you could make a tutorial for vb.net because I have no idea how to include the aob scan in vb.net

I was a little bit confused because AutoIt said that "_memorywrite" is not declared so I was to stupid to work with copy&paste q.q

The Tutorial itselfe was pretty nice I want more like this

Here the Code :

Quote:

#RequireAdmin
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <NoMadMemory.au3>
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("BeatZz Trainer", 338, 100, 192, 124)
$Checkbox1 = GUICtrlCreateCheckbox("Inf Sp", 144, 40, 65, 17)
$Button1 = GUICtrlCreateButton("Exit", 136, 64, 75, 25)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

$Pid = ProcessExists("S4Client.exe")
$OPEN = _MemoryOpen ($Pid)

$InfSp = ""
$InfSpMEMSCAN = _MEMSCAN($OPEN,$InfSp,0x0000000000000000,0x7ffffff fffffffff)

While 1
$nMsg = GUIGetMsg()
Switch $nMsg
Case $GUI_EVENT_CLOSE
Exit
Case $Button1
Exit
;(I thinkhere is the mistake)
If GUICtrlRead($Checkbox1) = 1 Then
_memorywrite($InfSpMEMSCAN,$open,2348565979,"long ;4Bytes")
Else
_memorywrite($InfSpMEMSCAN,$open,2348565977,"long ;4Bytes")
EndIf
EndSwitch
WEnd


Func _MEMSCAN($AH_HANDLE, $AB_ARRAY, $BASE_ADD = 0x00400000, $STOP_ADD = 0xFFFFFFFF)
For $ADD = $BASE_ADD To $STOP_ADD Step 51200 - (StringLen($AB_ARRAY) / 2)
StringRegExp(_MREAD($ADD, $AH_HANDLE, "byte[" & 51200 & "]"), $AB_ARRAY, 1, 2)
If Not @Error Then
Return StringFormat("0x%.8X", $ADD + ((@extended - StringLen($AB_ARRAY) - 2) / 2))
EndIf
Next
EndFunc

Func _MOPEN($IV_PID, $IV_DESIREDACCESS = 2035711, $IV_INHERITHANDLE = 1)
If Not ProcessExists($IV_PID) Then
SetError(1)
Return 0
EndIf
Local $AH_HANDLE[2] = [DllOpen("kernel32.dll")]
If @error Then
SetError(2)
Return 0
EndIf
Local $AV_OPENPROCESS = DllCall($AH_HANDLE[0], "int", "OpenProcess", "int", $IV_DESIREDACCESS, "int", $IV_INHERITHANDLE, "int", $IV_PID)
If @error Then
DllClose($AH_HANDLE[0])
SetError(3)
Return 0
EndIf
$AH_HANDLE[1] = $AV_OPENPROCESS[0]
Return $AH_HANDLE
EndFunc

Func _MREAD($IV_ADDRESS, $AH_HANDLE, $SV_TYPE = "dword")
If Not IsArray($AH_HANDLE) Then
SetError(1)
Return 0
EndIf
Local $V_BUFFER = DllStructCreate($SV_TYPE)
If @error Then
SetError(@error + 1)
Return 0
EndIf
DllCall($AH_HANDLE[0], "int", "ReadProcessMemory", "int", $AH_HANDLE[1], "int", $IV_ADDRESS, "ptr", DllStructGetPtr($V_BUFFER), "int", DllStructGetSize($V_BUFFER), "int", "")
If Not @error Then
Local $V_VALUE = DllStructGetData($V_BUFFER, 1)
Return $V_VALUE
Else
SetError(6)
Return 0
EndIf
EndFunc

Func _MCLOSE($AH_HANDLE)
If Not IsArray($AH_HANDLE) Then
SetError(1)
Return 0
EndIf
DllCall($AH_HANDLE[0], "int", "CloseHandle", "int", $AH_HANDLE[1])
If Not @error Then
DllClose($AH_HANDLE[0])
Return 1
Else
DllClose($AH_HANDLE[0])
SetError(2)
Return 0
EndIf
EndFunc

Edit: Now I fixed the error but it still dont work q.q Im too stupid