Problem with jump to cave, always jump wrong help plz!

[Santasgaming]

I wonder if anyone could help me solve some problems with jumping to a cave, i am trying to make my code work so i can make a valid jump to my code cave, I use virtualallocEx to do so. but the jump code i have does not jump to the correct cave address, it always shoortens the address, like jumping , lets say i jump from &H12000000 and my allocation address is 140123456, then my jump will look like this JMP 123456, you see only the lower part of the address is getting writen as the destination address to my allocated cave.

The game i am working on is a game called Outlast and it is in 64 bit the exe i use, but i am not an expert on this so any help would be appreciated.

Code:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click Try Dim TargetProcess As Process() = Process.GetProcessesByName(TextBox1.Text) TargetProcessHandle = OpenProcess(PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, False, TargetProcess(0).Id) Dim CaveAddr As Long = VirtualAllocEx(TargetProcessHandle, 0, &H1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE) TextBox2.Text = Hex(CaveAddr) MakeJmp(&H104C40FF0, "&H" & CaveAddr) Exit For End If Next End If Catch ex As Exception MessageBox.Show(ex.Message) End Try End Sub

---

[DNA]

Hey,

i'll use your example addresses.

[code=VB]Dim CaveAddr As Long = VirtualAllocEx(TargetProcessHandle, 0, &H1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE)[/code]
CaveAddr is now 140123456 = 85A1D40 Hex

[code=VB]MakeJmp(&H104C40FF0, "&H" & CaveAddr)[/code]
Your code jumps from &H104C40FF0 to &H140123456 but it should jump to &H85A1D40

If your MakeJmp Function works properly (which i don't know, unless i see it), you've to delete the "&H" &
[code=VB]MakeJmp(&H104C40FF0, CaveAddr)[/code]

Oh, and try to use the "newer" declarations...
Dim CaveAddr as Int32

[Santasgaming]

I just need to eat and i will explain abit betterm, the address though is a very high one, its not like the addresses on a 32 byte process, its at for example 120C30110 and 1404562A3 like those high addresses,
cause i make jumps work fine for the 32 bit game versions, but for 64 i am making something wrong, i will try to post soon. thank you for helping.

[Santasgaming]

Code:

1 2 3 4 5 6

Public Function MakeJmp(ByVal lpAddress As Long, ByVal lpJmpAddress As Long, Optional ByVal lpNops As Long = 0) As Long Dim JmpByte As Byte() = {&HE9} MakeJmp = CBool(WriteByte(lpAddress, JmpByte)) And CBool(WriteLong(lpAddress + 1, lpJmpAddress - lpAddress - 5)) If lpNops = 0 Then Exit Function Return MakeJmp End Function

---

This is the function i use here to jump to cave.
But i dont get it to work right i use this in the main module.

I think i maby are missing some declerations , also i thought int32 was only to be used on a 32 bit process. so i have changed my declerations to int64 and also tried to change them to long but still it makes the jump wrong.

[Santasgaming]

I have this in a module now and i am stuck as to why i can not jump to alloccave on my game.

Code:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158

Imports System.ComponentModel Module Module1 #Region "Declarations" Declare Function VirtualAllocEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As IntPtr Declare Function VirtualProtectEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal newProtect As Integer, ByRef oldProtect As Integer) As Boolean Public Declare Function CloseHandle Lib "KERNEL32" _ (ByVal hObject As Int32) _ As Boolean Public Declare Function GetAsyncKeyState Lib "USER32" _ (ByVal vKey As Int32) _ As Int16 Public Declare Function IsDebuggerPresent Lib "KERNEL32" () As Boolean Public Declare Function OpenProcess Lib "KERNEL32" _ (ByVal DesiredAccess As Int32, _ ByVal InheritHandle As Boolean, _ ByVal ProcessId As Int32) _ As Int32 Private Declare Function WriteProcessMemory Lib "kernel32" _ (ByVal Handle As Integer, _ ByVal address As Long, _ ByRef Value As Int32, _ ByVal Size As Integer, _ ByRef lpNumberOfBytesWritten As Long) _ As Long Private Declare Function ReadProcessMemory Lib "kernel32" _ (ByVal Handle As Int32, _ ByVal address As Int32, _ ByRef Value As Int32, _ Optional ByVal Size As Int32 = 4, _ Optional ByVal lpNumberOfBytesWritten As Int64 = 0) _ As Integer 'PROCESS ACCESS RIGHTS. Public PROCESS_TERMINATE As Int32 = 1 Public PROCESS_CREATE_THREAD As Int32 = 2 Public PROCESS_VM_OPERATION As Int32 = 8 Public PROCESS_VM_READ As Int32 = 16 Public PROCESS_VM_WRITE As Int32 = 32 Public PROCESS_DUP_HANDLE As Int32 = 64 Public PROCESS_CREATE_PROCESS As Int32 = 128 Public PROCESS_SET_QUOTA As Int32 = 256 Public PROCESS_SET_INFORMATION As Int32 = 512 Public PROCESS_QUERY_INFORMATION As Int32 = 1024 Public PROCESS_SUSPEND_RESUME As Int32 = 2048 Public PROCESS_ALL_ACCESS As Int32 = 4091 'ALLOCATION TYPES. Public MEM_COMMIT As Int32 = 4096 Public MEM_RESERVE As Int32 = 8192 Public MEM_RESET As Int32 = 524288 Public MEM_TOP_DOWN As Int32 = 1048576 Public MEM_PHYSICAL As Int32 = 4194304 'MEMORY PROTECTION TYPES. Public PAGE_NOACCESS As Int32 = 1 Public PAGE_READONLY As Int32 = 2 Public PAGE_READWRITE As Int32 = 4 Public PAGE_WRITECOPY As Int32 = 8 Public PAGE_EXECUTE As Int32 = 16 Public PAGE_EXECUTE_READ As Int32 = 32 Public PAGE_EXECUTE_READWRITE As Int32 = 64 Public PAGE_EXECUTE_WRITECOPY As Int32 = 128 Private Const ACCESS_RIGHTS_ALL = &H1F0FFF Private process_id As Int32 = 0 Public pHandle As Integer = 0 Dim FlagValue As Integer Public Function GetProcessId(ByVal game_name As String) As Boolean 'Checks to see if the game is running (returns True or False) and sets th pHandle *REQUIRED TO USE* For Each p As Process In Process.GetProcessesByName(game_name) process_id = p.Id pHandle = OpenProcess(56, False, process_id) Return True Next Return False End Function #End Region #Region "Memory Allocations" Public Function AllocMem() As Integer 'Allocates memory in the process and returns the starting address of the allocated area Dim pBlob As IntPtr = VirtualAllocEx(pHandle, New IntPtr(), New IntPtr(2048), MEM_COMMIT, PAGE_EXECUTE_READWRITE) If pBlob = IntPtr.Zero Then Return 0 MsgBox("The trainer couldn't implant the cheats. Please restart the trainer.", MsgBoxStyle.Critical, "Error") Else : Return pBlob End If End Function Sub RemoveProtection(ByVal AddressOfStart As Integer) 'Changes the protection of the page with the specified starting address to PAGE_EXECUTE_READWRITE Dim oldProtect As Integer If Not VirtualProtectEx(pHandle, New IntPtr(AddressOfStart), New IntPtr(2048), PAGE_EXECUTE_READWRITE, oldProtect) Then Throw New Win32Exception End Sub #End Region #Region "Write" Public Sub WriteByte(ByVal address As Int64, ByVal Value As Byte) 'Writes a single byte value WriteProcessMemory(pHandle, address, Value, 1, 0) End Sub Public Sub WriteInt32(ByVal address As IntPtr, ByVal Value As Int32) 'Writes a 4 bytes value WriteProcessMemory(pHandle, address, Value, 4, 0) End Sub Public Sub WriteASM(ByVal address As Int64, ByVal Value As Byte()) 'Writes assembly using bytes For i As Long = LBound(Value) To UBound(Value) WriteByte(address + i, Value(i)) Next End Sub Public Function WritePointer(ByVal Pointer As Long, ByVal Buffer As Int32, ByVal OffSet() As Int32) 'Writes to a pointer For Each I As Integer In OffSet ReadProcessMemory(pHandle, Pointer, Pointer) Pointer += I Next WriteProcessMemory(pHandle, Pointer, Buffer, 4, 0) Return 0 End Function Public Function WriteAddPointer(ByVal Pointer As Int32, ByVal Buffer As Int32, ByVal OffSet() As Int32) 'Adds a value to a pointer For Each I As Integer In OffSet ReadProcessMemory(pHandle, Pointer, Pointer) Pointer += I Next WriteProcessMemory(pHandle, Pointer, ReadInt32(Pointer) + Buffer, 4, 0) Return 0 End Function ' 8 Bytes in den Przess schreiben Public Sub Write_Float(ByVal address As Int32, ByVal value As Int64) Dim process_handle As Int32 process_handle = OpenProcess(ACCESS_RIGHTS_ALL, False, process_id) If process_handle <> 0 Then WriteProcessMemory(process_handle, address, value, 8, 0) End If CloseHandle(process_handle) End Sub ' Für die CodeInjection Public Sub autopatcher(ByVal address As Int32, ByVal value As Byte()) Dim i As Byte For i = LBound(value) To UBound(value) WriteByte(address + i, value(i)) Next End Sub #End Region Public Function AllocJump(ByVal source As Int32, ByVal destination As Int32, Optional ByVal Nops As Integer = 0) As Boolean 'Creates a jump from the specified address to a destination address WriteByte(source, &HE9) WriteInt32(source + 1, destination - source - 5) If Nops = 0 Then Return 0 End If For i As Int32 = 1 To Nops WriteByte(source + 4 + i, &H90) Next Return 0 End Function

---

And This is in the form class

Code:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

Public Class Form1 Private Const ProcName = "Outlast" Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click GetProcessId(ProcName) 'WriteASM(&H140446285, New Byte() {&H90, &H90, &H90, &H90, &H90}) Dim pBlob As UInt64 = VirtualAllocEx(pHandle, New IntPtr(), New IntPtr(2048), MEM_COMMIT, PAGE_EXECUTE_READWRITE) TextBox1.Text = Hex(pBlob)' i use this to see the address in hex only Dim caveAddr = pBlob AllocJump(&H13CF0006, caveAddr) 'This Works fine End Sub End Class

---

I get the following error if i do this

AllocJump(&H13CA00000, caveAddr) This does not work , the address from my code is this high in the address so how do i do the jump?

"constant expression not representable in type 'integer'"


on 32 bit process if i jump from a lower address it works fine like this

AllocJump(&H13CA0000, caveAddr) This works fine , but why not for the higher address on 64 bit game?

Please help, i buy you a game on steam as thank you.

[Santasgaming]

Dont allocjump not work on 64 bit games? how do you guys do it?
i see trainers for 64 bit games on such palce as gamecopy world but how do they do it?

[Santasgaming]

i use cheat engine trainer maker, that works ok.

Will have to learn more of it but its good enough.

[DNA]

Hey,
could you make some screenshots of the MemoryViewer from CheatEngine
while your code is injected?

[DerBaum]

(05.05.2014, 04:07)Santasgaming schrieb: Dont allocjump not work on 64 bit games? how do you guys do it?
i see trainers for 64 bit games on such palce as gamecopy world but how do they do it?

VirtualAllocEx doesn't work on 64 bit processes or to be clear: it does not handle 64 bit integers. Some 64 bit processes contain main modules inside of the "32 bit area" where VirtualAllocEx still work.

Personally I'm searching for code caves on my own and change the protection of this area to read/write.

Another solution (like Caliber from Cheathappens handles it) is to inject a dll file. You can use for example CreateRemoteThread or something similar.

[Santasgaming]

(06.05.2014, 19:38)DNA schrieb: Hey,
could you make some screenshots of the MemoryViewer from CheatEngine
while your code is injected?

I got it to work for 32 bit trainer i'm making in vb, i code a simple game trainer in ce only for when i need it to work for 64 bit, but i would greatfull to get some help on how to use the sigscanner code i saw in another post, i'm trying to get it to work, but i'm not great for coding but trying to learn. so how could i call it and use a textbox to add my own array on the form when i after i run it, i see poster says you call it this way. where is sigscanner in module code? MsgBox(sigscanner.FindPattern(New Byte() {&H83, &H96, &H5C, &H6, &H0, &H0, &H8B, &H7, &H8B, &H90, &HB4, &H5, &H0, &H0}, "xx????xxxx????", &H0))

I mostly want this for my trainer i make for my emulation games. i'm more for making trainers for emulators and need the sigscanner to work so i can search for value with it with pattern.

if any can example of how i can call it from my form1 on a button to a text and i will be done with my simple cheat tool.
I found a dll that i can call from vb but i dont want to have any extra files with my project, i also try to learn about vb resource for my option sounds so i'm learning more.