Home of Gamehacking - Archiv
Problem with jump to cave, always jump wrong help plz! - Print version



Problem with jump to cave, always jump wrong help plz! - Santasgaming - 04.05.2014

I wonder if anyone could help me solve some problems with jumping to a cave. I am trying to make my code work so I can make a valid jump to my code cave; I use VirtualAllocEx to do so. But the jump code I have does not jump to the correct cave address, it always shortens the address. Let's say I jump from &H12000000 and my allocation address is 140123456, then my jump will look like this: JMP 123456. You see, only the lower part of the address is getting written as the destination address to my allocated cave.

The game I am working on is called Outlast, and the exe I use is 64 bit, but I am not an expert on this, so any help would be appreciated.


Code:
    Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
        Try

            Dim TargetProcess As Process() = Process.GetProcessesByName(TextBox1.Text)
            TargetProcessHandle = OpenProcess(PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, False, TargetProcess(0).Id)

                        Dim CaveAddr As Long = VirtualAllocEx(TargetProcessHandle, 0, &H1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
                        TextBox2.Text = Hex(CaveAddr)

                        MakeJmp(&H104C40FF0, "&H" & CaveAddr)

                        Exit For
                    End If
                Next
            End If

        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try

    End Sub




RE: Problem with jump to cave, always jump wrong help plz! - DNA - 04.05.2014

Hey,

I'll use your example addresses.

[code=VB]Dim CaveAddr As Long = VirtualAllocEx(TargetProcessHandle, 0, &H1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE)[/code]
CaveAddr is now 140123456 = 85A1D40 Hex

[code=VB]MakeJmp(&H104C40FF0, "&H" & CaveAddr)[/code]
Your code jumps from &H104C40FF0 to &H140123456 but it should jump to &H85A1D40

If your MakeJmp function works properly (which I don't know unless I see it), you have to delete the "&H" &
[code=VB]MakeJmp(&H104C40FF0, CaveAddr)[/code]

Oh, and try to use the "newer" declarations...
Dim CaveAddr as Int32


RE: Problem with jump to cave, always jump wrong help plz! - Santasgaming - 04.05.2014

I just need to eat and I will explain a bit better. The address though is a very high one, it's not like the addresses on a 32 byte process, it's at for example 120C30110 and 1404562A3, like those high addresses,
because I make jumps work fine for the 32 bit game versions, but for 64 I am doing something wrong. I will try to post soon. Thank you for helping.


RE: Problem with jump to cave, always jump wrong help plz! - Santasgaming - 04.05.2014

Code:
    Public Function MakeJmp(ByVal lpAddress As Long, ByVal lpJmpAddress As Long, Optional ByVal lpNops As Long = 0) As Long
        Dim JmpByte As Byte() = {&HE9}
        MakeJmp = CBool(WriteByte(lpAddress, JmpByte)) And CBool(WriteLong(lpAddress + 1, lpJmpAddress - lpAddress - 5))
        If lpNops = 0 Then Exit Function
        Return MakeJmp
    End Function



This is the function I use here to jump to the cave.
But I don't get it to work right. I use this in the main module.

I think I may be missing some declarations. Also, I thought Int32 was only to be used on a 32 bit process, so I have changed my declarations to Int64 and also tried to change them to Long, but still it makes the jump wrong.


RE: Problem with jump to cave, always jump wrong help plz! - Santasgaming - 04.05.2014

I have this in a module now and I am stuck as to why I cannot jump to the allocated cave in my game.

Code:

Imports System.ComponentModel
Module Module1
#Region "Declarations"
    Declare Function VirtualAllocEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As IntPtr
    Declare Function VirtualProtectEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal newProtect As Integer, ByRef oldProtect As Integer) As Boolean

    Public Declare Function CloseHandle Lib "KERNEL32" _
   (ByVal hObject As Int32) _
   As Boolean

    Public Declare Function GetAsyncKeyState Lib "USER32" _
    (ByVal vKey As Int32) _
    As Int16

    Public Declare Function IsDebuggerPresent Lib "KERNEL32" () As Boolean

    Public Declare Function OpenProcess Lib "KERNEL32" _
    (ByVal DesiredAccess As Int32, _
     ByVal InheritHandle As Boolean, _
     ByVal ProcessId As Int32) _
    As Int32

    Private Declare Function WriteProcessMemory Lib "kernel32" _
    (ByVal Handle As Integer, _
     ByVal address As Long, _
     ByRef Value As Int32, _
     ByVal Size As Integer, _
     ByRef lpNumberOfBytesWritten As Long) _
    As Long

    Private Declare Function ReadProcessMemory Lib "kernel32" _
    (ByVal Handle As Int32, _
     ByVal address As Int32, _
     ByRef Value As Int32, _
     Optional ByVal Size As Int32 = 4, _
     Optional ByVal lpNumberOfBytesWritten As Int64 = 0) _
    As Integer

    'PROCESS ACCESS RIGHTS.
    Public PROCESS_TERMINATE As Int32 = 1
    Public PROCESS_CREATE_THREAD As Int32 = 2
    Public PROCESS_VM_OPERATION As Int32 = 8
    Public PROCESS_VM_READ As Int32 = 16
    Public PROCESS_VM_WRITE As Int32 = 32
    Public PROCESS_DUP_HANDLE As Int32 = 64
    Public PROCESS_CREATE_PROCESS As Int32 = 128
    Public PROCESS_SET_QUOTA As Int32 = 256
    Public PROCESS_SET_INFORMATION As Int32 = 512
    Public PROCESS_QUERY_INFORMATION As Int32 = 1024
    Public PROCESS_SUSPEND_RESUME As Int32 = 2048
    Public PROCESS_ALL_ACCESS As Int32 = 4091

    'ALLOCATION TYPES.
    Public MEM_COMMIT As Int32 = 4096
    Public MEM_RESERVE As Int32 = 8192
    Public MEM_RESET As Int32 = 524288
    Public MEM_TOP_DOWN As Int32 = 1048576
    Public MEM_PHYSICAL As Int32 = 4194304

    'MEMORY PROTECTION TYPES.
    Public PAGE_NOACCESS As Int32 = 1
    Public PAGE_READONLY As Int32 = 2
    Public PAGE_READWRITE As Int32 = 4
    Public PAGE_WRITECOPY As Int32 = 8
    Public PAGE_EXECUTE As Int32 = 16
    Public PAGE_EXECUTE_READ As Int32 = 32
    Public PAGE_EXECUTE_READWRITE As Int32 = 64
    Public PAGE_EXECUTE_WRITECOPY As Int32 = 128

    Private Const ACCESS_RIGHTS_ALL = &H1F0FFF
    Private process_id As Int32 = 0
    Public pHandle As Integer = 0
    Dim FlagValue As Integer
    Public Function GetProcessId(ByVal game_name As String) As Boolean 'Checks to see if the game is running (returns True or False) and sets the pHandle *REQUIRED TO USE*
        For Each p As Process In Process.GetProcessesByName(game_name)
            process_id = p.Id
            pHandle = OpenProcess(56, False, process_id)
            Return True
        Next
        Return False
    End Function
#End Region
#Region "Memory Allocations"
    Public Function AllocMem() As Integer 'Allocates memory in the process and returns the starting address of the allocated area
        Dim pBlob As IntPtr = VirtualAllocEx(pHandle, New IntPtr(), New IntPtr(2048), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        If pBlob = IntPtr.Zero Then
            Return 0
            MsgBox("The trainer couldn't implant the cheats. Please restart the trainer.", MsgBoxStyle.Critical, "Error")

        Else : Return pBlob
        End If
    End Function
    Sub RemoveProtection(ByVal AddressOfStart As Integer) 'Changes the protection of the page with the specified starting address to PAGE_EXECUTE_READWRITE
        Dim oldProtect As Integer
        If Not VirtualProtectEx(pHandle, New IntPtr(AddressOfStart), New IntPtr(2048), PAGE_EXECUTE_READWRITE, oldProtect) Then Throw New Win32Exception
    End Sub
#End Region
#Region "Write"
    Public Sub WriteByte(ByVal address As Int64, ByVal Value As Byte) 'Writes a single byte value
        WriteProcessMemory(pHandle, address, Value, 1, 0)
    End Sub
    Public Sub WriteInt32(ByVal address As IntPtr, ByVal Value As Int32) 'Writes a 4 bytes value
        WriteProcessMemory(pHandle, address, Value, 4, 0)
    End Sub
    Public Sub WriteASM(ByVal address As Int64, ByVal Value As Byte()) 'Writes assembly using bytes
        For i As Long = LBound(Value) To UBound(Value)
            WriteByte(address + i, Value(i))
        Next
    End Sub
    Public Function WritePointer(ByVal Pointer As Long, ByVal Buffer As Int32, ByVal OffSet() As Int32) 'Writes to a pointer
        For Each I As Integer In OffSet
            ReadProcessMemory(pHandle, Pointer, Pointer)
            Pointer += I
        Next
        WriteProcessMemory(pHandle, Pointer, Buffer, 4, 0)
        Return 0
    End Function
    Public Function WriteAddPointer(ByVal Pointer As Int32, ByVal Buffer As Int32, ByVal OffSet() As Int32) 'Adds a value to a pointer
        For Each I As Integer In OffSet
            ReadProcessMemory(pHandle, Pointer, Pointer)
            Pointer += I
        Next
        WriteProcessMemory(pHandle, Pointer, ReadInt32(Pointer) + Buffer, 4, 0)
        Return 0
    End Function
    ' Write 8 bytes into the process
    Public Sub Write_Float(ByVal address As Int32, ByVal value As Int64)
        Dim process_handle As Int32
        process_handle = OpenProcess(ACCESS_RIGHTS_ALL, False, process_id)
        If process_handle <> 0 Then
            WriteProcessMemory(process_handle, address, value, 8, 0)
        End If
        CloseHandle(process_handle)
    End Sub
    ' For the code injection
    Public Sub autopatcher(ByVal address As Int32, ByVal value As Byte())
        Dim i As Byte
        For i = LBound(value) To UBound(value)
            WriteByte(address + i, value(i))
        Next
    End Sub
#End Region



    Public Function AllocJump(ByVal source As Int32, ByVal destination As Int32, Optional ByVal Nops As Integer = 0) As Boolean 'Creates a jump from the specified address to a destination address
        WriteByte(source, &HE9)
        WriteInt32(source + 1, destination - source - 5)
        If Nops = 0 Then
            Return 0
        End If
        For i As Int32 = 1 To Nops
            WriteByte(source + 4 + i, &H90)
        Next
        Return 0
    End Function    



And this is in the form class


Code:
Public Class Form1


    Private Const ProcName = "Outlast"
    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        GetProcessId(ProcName)
        'WriteASM(&H140446285, New Byte() {&H90, &H90, &H90, &H90, &H90})
        Dim pBlob As UInt64 = VirtualAllocEx(pHandle, New IntPtr(), New IntPtr(2048), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        TextBox1.Text = Hex(pBlob)' i use this to see the address in hex only
        Dim caveAddr = pBlob

        AllocJump(&H13CF0006, caveAddr)  'This Works fine 


    End Sub


End Class



I get the following error if I do this:

AllocJump(&H13CA00000, caveAddr) This does not work. The address from my code is this high in the address, so how do I do the jump?

"constant expression not representable in type 'integer'"


On a 32 bit process, if I jump from a lower address, it works fine like this:

AllocJump(&H13CA0000, caveAddr) This works fine, but why not for the higher address on a 64 bit game?

Please help, I'll buy you a game on Steam as a thank you.
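
The E9 jump that MakeJmp and AllocJump write takes a signed 32-bit displacement measured from the end of the 5-byte instruction, so it only reaches targets within about 2 GiB of the source. The C sketch below is an added example, not code from any poster in this thread: the function names are hypothetical, it only does the encoding arithmetic on a local buffer, and it uses the addresses from the first two posts plus one constructed pair.

```c
#include <stdint.h>
#include <stdio.h>

#define JMP_REL32_LEN 5 /* opcode E9 + 4-byte signed displacement */

/* Encode "JMP dest" at address src. The displacement is counted from the
 * end of the instruction (src + 5) and must fit in a signed 32-bit field.
 * Returns 1 and fills out[] on success, 0 if dest is out of rel32 range. */
int encode_jmp_rel32(uint64_t src, uint64_t dest, uint8_t out[JMP_REL32_LEN])
{
    int64_t disp = (int64_t)(dest - (src + JMP_REL32_LEN));
    if (disp < INT32_MIN || disp > INT32_MAX)
        return 0;
    uint32_t rel = (uint32_t)disp;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)            /* little-endian, as x86 stores it */
        out[1 + i] = (uint8_t)(rel >> (8 * i));
    return 1;
}

/* Address a 64-bit CPU reaches when the displacement is written as a plain
 * 4-byte value without the range check: only the low 32 bits survive and
 * are sign-extended back to 64 bits before being added to src + 5. */
uint64_t landing_if_truncated(uint64_t src, uint64_t dest)
{
    uint32_t low = (uint32_t)(dest - (src + JMP_REL32_LEN));
    int64_t rel = (int64_t)(int32_t)low;
    return src + JMP_REL32_LEN + (uint64_t)rel;
}

int main(void)
{
    /* Addresses quoted in the thread's first two posts. */
    uint64_t src = 0x104C40FF0ULL, cave = 0x85A1D40ULL;
    uint8_t code[JMP_REL32_LEN];

    if (!encode_jmp_rel32(src, cave, code))
        printf("0x%llX -> 0x%llX: out of rel32 range; a truncated write "
               "lands at 0x%llX\n", (unsigned long long)src,
               (unsigned long long)cave,
               (unsigned long long)landing_if_truncated(src, cave));

    /* Constructed pair less than 2 GiB apart: the 5-byte form is valid. */
    if (encode_jmp_rel32(0x140001000ULL, 0x140002000ULL, code))
        printf("E9 %02X %02X %02X %02X\n", code[1], code[2], code[3], code[4]);
    return 0;
}
```

For the thread's pair the truncated displacement lands at 0x1085A1D40, which shares its low 32 bits with the cave address 0x85A1D40 but is exactly 4 GiB away from it.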


RE: Problem with jump to cave, always jump wrong help plz! - Santasgaming - 05.05.2014

Doesn't AllocJump work on 64 bit games? How do you guys do it?
I see trainers for 64 bit games on such places as gamecopy world, but how do they do it?


RE: Problem with jump to cave, always jump wrong help plz! - Santasgaming - 05.05.2014

I use the Cheat Engine trainer maker, that works OK.

I will have to learn more of it, but it's good enough.


RE: Problem with jump to cave, always jump wrong help plz! - DNA - 06.05.2014

Hey,
could you make some screenshots of the MemoryViewer from CheatEngine
while your code is injected?


RE: Problem with jump to cave, always jump wrong help plz! - DerBaum - 06.05.2014

(05.05.2014, 04:07)Santasgaming wrote: Doesn't AllocJump work on 64 bit games? How do you guys do it?
I see trainers for 64 bit games on such places as gamecopy world, but how do they do it?

VirtualAllocEx doesn't work on 64 bit processes, or to be clear: it does not handle 64 bit integers. Some 64 bit processes contain main modules inside of the "32 bit area" where VirtualAllocEx still works.

Personally I'm searching for code caves on my own and change the protection of this area to read/write.

Another solution (like Caliber from Cheathappens handles it) is to inject a dll file. You can use for example CreateRemoteThread or something similar.


RE: Problem with jump to cave, always jump wrong help plz! - Santasgaming - 07.05.2014

(06.05.2014, 19:38)DNA wrote: Hey,
could you make some screenshots of the MemoryViewer from CheatEngine
while your code is injected?

I got it to work for the 32 bit trainer I'm making in VB. I code a simple game trainer in CE only for when I need it to work for 64 bit, but I would be grateful to get some help on how to use the sigscanner code I saw in another post. I'm trying to get it to work, but I'm not great at coding but trying to learn. So how could I call it and use a textbox to add my own array on the form after I run it? I see the poster says you call it this way. Where is sigscanner in the module code? MsgBox(sigscanner.FindPattern(New Byte() {&H83, &H96, &H5C, &H6, &H0, &H0, &H8B, &H7, &H8B, &H90, &HB4, &H5, &H0, &H0}, "xx????xxxx????", &H0))

I mostly want this for the trainer I make for my emulation games. I'm more for making trainers for emulators and need the sigscanner to work so I can search for a value with it using a pattern.

If anyone can give an example of how I can call it from my Form1 on a button to a text, I will be done with my simple cheat tool.
I found a DLL that I can call from VB, but I don't want to have any extra files with my project. I am also trying to learn about VB resources for my option sounds, so I'm learning more.