Results 1 to 12 of 12
  1. #1
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh

    Hack Template[Delphi]

    Well I just joined up a couple of days ago to try my luck on making a gamehack, Anyway from some bits and pieces around the forum(most people are super protective of there work and call others "noob") lol

    Here is a Delphi Template I made, The PushToConsole gets you kicked and for some reason im not sure why but It wont write the original Recoil Bytes back to the VA, So next round in a game you get kicked, Also made my own dump of CShell.dll and another strange thing is my Dump is 7mb while the dump released on this forum was 9mb and would'nt load in my Ollydebug, but the dump I made loaded without a problem

    Anyway here is the Delphi source Template with Recoil Addresses fromt his forum.

    Code:
    library DepartureLib;
    
    uses
      Windows, SysUtils;
    
    {$R *.res}
    
    // Set this up later for easyer use
    Type
      TPatchRecord = Record
        Address: Pointer;
        Bytes: array of Byte;
      end;
    
      PPatchRecord = ^TPatchRecord;
    
    var
      dwThrdHack: Dword = 0;
      dwThrdMain: Dword = 0;
    Const
      //Recoil
      AddressRecoil1 = $37465A60;
      AddressRecoil2 = $37234EB9;
      AddressRecoil3 = $37465A74;
      AddressRecoil4 = $37465A77;
      AddressRecoil5 = $37465A80;
    
      PatchRecoil1 : Array[0..2] of byte = ($90,$90,$90);
      PatchRecoil2 : Array[0..10] of byte = ($90,$90,$90,$90,$90,$90,$90,$90,$90,$90,$90);
      PatchRecoil3 : Array[0..2] of byte = ($90,$90,$90);
      PatchRecoil4 : Array[0..2] of byte = ($90,$90,$90);
      PatchRecoil5 : Array[0..2] of byte = ($90,$90,$90);
    
      OriginalRecoil1 : Array[0..2] of byte = ($D8,$66,$54);
      OriginalRecoil2 : Array[0..10] of byte = ($C7,$84,$24,$94,$00,$00,$00,$0F,$00,$00,$00);
      OriginalRecoil3 : Array[0..2] of byte = ($D9,$5E,$54);
      OriginalRecoil4 : Array[0..2] of byte = ($D9,$46,$48);
      OriginalRecoil5 : Array[0..2] of byte = ($D9,$5E,$48);
    
      //ReLoad
      AddressReload = $374B1826;
    
      PatchReload : Array[0..7] of byte = ($90,$90,$90,$90,$90,$90,$90,$90);
    
      OriginalReload : Array[0..7] of byte = ($81,$44,$24,$04,$1C,$00,$00,$00);
    
    //PTC Method
    function PushToConsole(sValue:string):boolean;cdecl;
    begin;
     asm
      pushad
       xor ecx, ecx
       mov eax,[$0377f4930]
       mov ecx,[eax+$0208]
       push sValue             
       call ecx
       add esp,4
      popad
     end;
     Result:= True;
    end;
    
    // Write Bytes to Address Method
    Function WriteIt(pAddress: Pointer; Bytes: Array of Byte): Boolean;
    var
      OldProtect, DummyProtect: DWord;
    begin
      if VirtualProtect(pAddress, SizeOf(Bytes), PAGE_EXECUTE_READWRITE, @OldProtect) then
       begin
        Move(Bytes, pAddress^, Length(Bytes));
        VirtualProtect(pAddress, SizeOf(Bytes), OldProtect, @DummyProtect);
        Result := True
       end
       else
        Result := False;
    end;
    
    function FuncMain(const LPVOID: variant): Boolean;
    var
      Recoil, Reload: Boolean;
    begin
    
      Recoil := False;
      Reload := False;
      while (True) do
       begin
        asm
          pushad;
        end;
    
        if (GetAsyncKeyState(VK_NUMPAD1) <> 0) then
         begin
          Sleep(100);
          if Recoil then
           begin
            WriteIt(ptr(AddressRecoil1),OriginalRecoil1);
            WriteIt(ptr(AddressRecoil2),OriginalRecoil2);
            WriteIt(ptr(AddressRecoil3),OriginalRecoil3);
            WriteIt(ptr(AddressRecoil4),OriginalRecoil4);
            WriteIt(ptr(AddressRecoil5),OriginalRecoil5);
            Recoil:= False;
           end
           else
           begin
            WriteIt(ptr(AddressRecoil1),PatchRecoil1);
            WriteIt(ptr(AddressRecoil2),PatchRecoil2);
            WriteIt(ptr(AddressRecoil3),PatchRecoil3);
            WriteIt(ptr(AddressRecoil4),PatchRecoil4);
            WriteIt(ptr(AddressRecoil5),PatchRecoil5);
            Recoil:= True;
           end;
         end;
    
         if (GetAsyncKeyState(VK_NUMPAD2) <> 0) then
         begin
          Sleep(100);
          if Reload then
           begin
            PushToConsole('ShowFps 1');
            PushToConsole('SkelModelStencil -1');
            //Reload did'nt work :( just crashed when it was time to reload
            //WriteIt(ptr(AddressReload),OriginalReload);
            Reload:= False;
           end
           else
           begin
            PushToConsole('ShowFps 0');
            PushToConsole('SkelModelStencil 0');
            //Reload Did'nt Work :(
            //WriteIt(ptr(AddressReload),OriginalReload);
            Reload:= True;
           end;
         end;
        asm
          popad;
        end;
      end;
      Sleep(200);
    end;
    
    Function IsGameReadyForHook: Boolean;
    var
      null: variant;
    begin
      if ((GetModuleHandleA('d3d9.dll') <> null) and
        (GetModuleHandleA('ClientFX.fxd') <> null) and
        (GetModuleHandleA('CShell.dll') <> null)) then
      begin
        Result := True;
      end
      else
        Result := False;
    end;
    
    Function HackThread(): Dword;
    var
     cHandle: Cardinal;
    begin
      Repeat
        Sleep(500);
      Until ((IsGameReadyForHook = True) and (dwThrdMain = 0));
    
      CreateThread(nil, 0, @FuncMain, nil, 0, dwThrdMain);
      cHandle:= GetModuleHandleA('CShell.dll');
      MessageBoxA(0, Pchar(inttostr(cHandle)),Pchar('CShell Handle'), MB_OK + MB_ICONINFORMATION);
      Result := 0;
    end;
    
    procedure DllMain(reason: integer);
    begin
      case reason of
        DLL_PROCESS_ATTACH:
          begin
            CreateThread(nil, 0, @HackThread, nil, 0, dwThrdHack);
          end;
        DLL_PROCESS_DETACH:
          begin
            if dwThrdMain <> 0 then
              CloseHandle(dwThrdMain);
            if dwThrdHack <> 0 then
              CloseHandle(dwThrdHack);
          end;
      end;
    end;
    
    begin
      DisableThreadLibraryCalls(hInstance);
      DllProc := @DllMain;
      DllProc(DLL_PROCESS_ATTACH);
    
    end.

    There is non of the "noobproof" stuff in this code like I see around, and the only "noob" are the ones who are too lame to share and explain there code to other so that they can learn...

    Anyway Enjoy and if you make any improvements please share, OR anyone willing to give me a run down on "Engine.exe" and "CShell.dll" please do as this will speed up my progress... I dont think any of the better coders will as there greed to keep stuff to them selfs and act like "GOD" to the rest of learning programmers is too much to give up for them.


    P.s, Big thanks to Acid burn for his information(the only one who was nice enough to give help).... just incase your wondering, I have been programming for over 5 years, 2 years in vb6 and 3 years in Delphi, Just started learning C# because of the .net framework needed for ALL coders.
    Last edited by Departure; 11-04-2010 at 09:04 PM.

  2. The Following User Says Thank You to Departure For This Useful Post:

    Solify (11-05-2010)

  3. #2
    ac1d_buRn's Avatar
    Join Date
    Aug 2009
    Gender
    female
    Location
    CA Source Section
    Posts
    3,406
    Reputation
    157
    Thanks
    3,991
    My Mood
    Flirty
    Looks good mate.
    hahaz released a working push to console method in this section, So download that and have a look through it.
    Your reload address appears to be wrong. The one i have logged is 0x374B1824
    Sorry about not answering your PM either, Just got on my coding PC.

  4. #3
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    374B1824 <-- I looked at that address in Olly I dont think its correct, This is only on theory that you NOP it

    Code:
    374B1821   /.  5B                                          POP EBX
    374B1822   |.  895C24 04                                   MOV [ESP+4],EBX
    374B1826   |.  814424 04 1C000000                          ADD DWORD PTR [ESP+4],1C
    374B182E   |.  43                                          INC EBX
    374B182F   |.  53                                          PUSH EBX
    as you can see the byte at address 374B1824 is "$24, $04" ... ...

    This makes no sense to nop it..

    otherwise it ends up being
    Code:
    374B1822       895C90 04                                   MOV [EAX+EDX*4+4],EBX

  5. #4
    ac1d_buRn's Avatar
    Join Date
    Aug 2009
    Gender
    female
    Location
    CA Source Section
    Posts
    3,406
    Reputation
    157
    Thanks
    3,991
    My Mood
    Flirty
    Quote Originally Posted by Departure View Post
    374B1824 <-- I looked at that address in Olly I dont think its correct, This is only on theory that you NOP it

    Code:
    374B1821   /.  5B                                          POP EBX
    374B1822   |.  895C24 04                                   MOV [ESP+4],EBX
    374B1826   |.  814424 04 1C000000                          ADD DWORD PTR [ESP+4],1C
    374B182E   |.  43                                          INC EBX
    374B182F   |.  53                                          PUSH EBX
    as you can see the byte at address 374B1824 is "$24, $04" ... ...

    This makes no sense to nop it..

    otherwise it ends up being
    Code:
    374B1822       895C90 04                                   MOV [EAX+EDX*4+4],EBX
    not sure :\
    Thats what i got off my logger.
    When im back on my coding computer, ill run the logger again and see what it gets.
    I think the sigs are getting old, becuase my 5th no recoil address returns 0x00000

    could you please send me your dumped cshell, as i cannot dump because of BSoD on Windows 7
    Last edited by ac1d_buRn; 11-05-2010 at 06:06 AM.

  6. #5
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    I use Windows 7 also, All you need to do is run CA and then use olly to attach to the process, then use ollydump plugin to dump the CShell process..

    But yes ill up the dump, Im not sure about the rules for uploading or external links....



    //Edit uploaded Cshell Dump...

    Open with olly and ignore the exceptions ...
    Last edited by Departure; 11-05-2010 at 08:20 AM.

  7. #6
    AVGN's Avatar
    Join Date
    Sep 2009
    Gender
    male
    Location
    Making America Great Again.
    Posts
    15,451
    Reputation
    1549
    Thanks
    6,234
    Quote Originally Posted by Departure View Post
    I use Windows 7 also, All you need to do is run CA and then use olly to attach to the process, then use ollydump plugin to dump the CShell process..

    But yes ill up the dump, Im not sure about the rules for uploading or external links....



    //Edit uploaded Cshell Dump...

    Open with olly and ignore the exceptions ...
    I'll approve it this time...

    but you better provide virus scans next time



    ^Thanks to RJ^




  8. #7
    ac1d_buRn's Avatar
    Join Date
    Aug 2009
    Gender
    female
    Location
    CA Source Section
    Posts
    3,406
    Reputation
    157
    Thanks
    3,991
    My Mood
    Flirty
    Quote Originally Posted by Departure View Post
    I use Windows 7 also, All you need to do is run CA and then use olly to attach to the process, then use ollydump plugin to dump the CShell process..

    But yes ill up the dump, Im not sure about the rules for uploading or external links....



    //Edit uploaded Cshell Dump...

    Open with olly and ignore the exceptions ...
    Thanks for that man. Ill take a look and get back to you.

  9. #8
    odog's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    3
    Reputation
    10
    Thanks
    0
    haha i like this `1

    how do u do it ????

  10. #9
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    lol I thought I would see some questions about this now the other public hacks are detected, I have actually updated this some more, but if you want to use this one just compile it and inject it to Engine.exe(you could use D-Jector for injection).

    And yes this is still not detected....

  11. #10
    topblast's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Location
    Far from around you Programmer: C++ | VB | C# | JAVA
    Posts
    3,607
    Reputation
    149
    Thanks
    4,922
    My Mood
    Cool
    This language looks a lot like pascal.. or is it pascal
    I just like programming, that is all.

    Current Stuff:

    • GPU Programmer (Cuda)
    • Client/Server (Cloud Server)
    • Mobile App Development

  12. #11
    ac1d_buRn's Avatar
    Join Date
    Aug 2009
    Gender
    female
    Location
    CA Source Section
    Posts
    3,406
    Reputation
    157
    Thanks
    3,991
    My Mood
    Flirty
    Quote Originally Posted by topblast View Post
    This language looks a lot like pascal.. or is it pascal
    no its Delphi.

  13. #12
    Gordon`'s Avatar
    Join Date
    Dec 2007
    Gender
    male
    Posts
    283
    Reputation
    24
    Thanks
    325
    delphi is based of pascal


Similar Threads

  1. UPDATED Hack Template[Delphi]
    By Departure in forum Combat Arms Hack Coding / Programming / Source Code
    Replies: 5
    Last Post: 11-12-2010, 11:58 PM
  2. Hacks with delphi 7..[DE]
    By metin2zocker in forum Programming Tutorial Requests
    Replies: 1
    Last Post: 04-26-2010, 01:02 PM
  3. [Tutorial] Hack posting template/base
    By Samueldo in forum WolfTeam Hacks
    Replies: 4
    Last Post: 04-07-2010, 11:33 PM
  4. Delphi Hack
    By SteamFuck in forum Call of Duty Modern Warfare 2 Discussions
    Replies: 0
    Last Post: 03-05-2010, 10:02 AM
  5. [Delphi]Stamina Hack
    By RoB07 in forum Programming Tutorials
    Replies: 13
    Last Post: 01-08-2009, 08:39 AM