Thread: Push to console

Page 2 of 3 FirstFirst 123 LastLast
Results 16 to 30 of 34
  1. #16
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by CAFlames View Post


    I call my telekill, ghostmode, and glitcher in a thread... not a d3d hook o.o
    I call my stuff in a DLL thread too. Including the console commands.

  2. #17
    whit's Avatar
    Join Date
    Jan 2010
    Gender
    male
    Posts
    7,170
    Reputation
    490
    Thanks
    2,252
    wtf, I thought you had to call them in Present/EndScene unless you bypass the check?

  3. #18
    _Fk127_'s Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    724
    Reputation
    16
    Thanks
    208
    My Mood
    Bitchy
    Quote Originally Posted by CAFlames View Post


    No. I'm just stating I hook them there... so you can hook PTC there too
    No. CA checks to see if the call to the console command is coming from the engine. Thus the need to hook it.




  4. #19
    topblast's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Location
    Far from around you Programmer: C++ | VB | C# | JAVA
    Posts
    3,607
    Reputation
    149
    Thanks
    4,922
    My Mood
    Cool
    Quote Originally Posted by whit View Post
    wtf, I thought you had to call them in Present/EndScene unless you bypass the check?
    It is just some rumor a noob created. You don't have to put it in Present/EndScene/etc. If it was like that, hotkeys would need a hook. But I have not been seeing any hotkeys.


    Quote Originally Posted by _Fk127_ View Post
    No. CA checks to see if the call to the console command is coming from the engine. Thus the need to hook it.
    *respected*

  5. #20
    freedompeace's Avatar
    Join Date
    Jul 2010
    Gender
    female
    Posts
    3,035
    Reputation
    340
    Thanks
    2,784
    My Mood
    Sad
    Quote Originally Posted by .::SCHiM::. View Post
    I hear that for a console command to work you need to call from somewhere in engine.exe and you need to be in the correct thread.

    Can someone tell me what the requirements are for calling console commands?
    Back in January, the only requirement was that the console be called from an address within the address bounds of Engine.exe. Apparently since then there's been a thread ID check as well.

    Previously, in January, it only required 2 NOP patches and the address bounds check was gone. I'm not sure if the thread check is actually true, since I haven't done any CA work since then.

  6. #21
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by freedompeace View Post


    Back in January, the only requirement was that the console be called from an address within the address bounds of Engine.exe. Apparently since then there's been a thread ID check as well.

    Previously, in January, it only required 2 NOP patches and the address bounds check was gone. I'm not sure if the thread check is actually true, since I haven't done any CA work since then.
    The thread check is true, there is a check for the thread ID. The thread ID gets compared with the thread ID of the main thread of Engine.exe.

    The difference now is that you can't NOP the checks because they are virtualized by Themida. But that doesn't mean you can't bypass them.

  7. #22
    .::SCHiM::.'s Avatar
    Join Date
    Sep 2010
    Gender
    male
    Posts
    733
    Reputation
    180
    Thanks
    833
    My Mood
    Twisted
    Quote Originally Posted by HellSpider View Post
    The thread check is true, there is a check for the thread ID. The thread ID gets compared with the thread ID of main thread of Engine.exe.

    The difference is now that you can't NOP the checks because they are virtualized by Themida. But that doesn't mean you can't bypass them.
    You also said something about the ThreadEP being checked; you mean the environment pointer by that, don't you?

    I'm SCHiM

    Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.

    Polymorphic engine
    Interprocess callback class
    SIN
    Infinite-precision arithmetic
    Hooking dynamic linkage
    (sloppy)Kernel mode Disassembler!!!

    Semi debugger




  8. #23
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by .::SCHiM::. View Post
    You also said something about the ThreadEP being checked, you mean the environment pointer by that, don't you?
    Nah, sorry for being unclear. I meant the EntryPoint. As you might know, every thread has its own stack. When the thread is created the entrypoint of the thread is stored in the 3rd DWORD from the stack top (you start from the top address in the stack and move to the beginning).

    This address can be retrieved from the ThreadEnvironmentBlock (TEB).

    At TEB+0x04 there is a DWORD indicating the address of the stack top. And as I said earlier the entrypoint is located as the 3rd DWORD from the top, meaning it's in TopOfStack - 0xC.

    In ASM this could be done like this:

    Code:
    mov eax, dword ptr fs:[18h]          ; TEB (NT_TIB.Self)
    mov eax, dword ptr ds:[eax+4h]       ; TEB+4: NT_TIB.StackBase (top of stack)
    lea eax, dword ptr ds:[eax-0Ch]      ; StackBase - 0Ch: slot holding the thread entry point
    mov dword ptr ds:[eax], MY_ADDRESS   ; overwrite it (MY_ADDRESS: equate for your address)
    Hope this made sense.
    Last edited by HellSpider; 05-28-2011 at 04:08 AM.

  9. The Following User Says Thank You to HellSpider For This Useful Post:

    freedompeace (05-28-2011)
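The checks described in posts #20, #21 and #23 (caller address inside Engine.exe, caller thread ID equal to the main thread's, and the thread start address kept at StackBase-0xC) together with the patch the quoted ASM performs, as an added example in C that is not code from this thread or from the game. Engine.exe's base and size, the thread IDs, the fake initial stack and the PE header are constructed values; the function names (console_guard, read_thread_ep, patch_thread_ep, pe32_size_of_image, run_case) are mine; and comparing the entry-point slot against the module bounds is an assumption, since the posts only say the slot is checked. On a real 32-bit Windows build the inputs would come from _ReturnAddress() / __builtin_return_address(0), GetCurrentThreadId() and NtCurrentTeb()->NtTib.StackBase.

```c
/* Added example, not code from the thread: models the console-command checks
 * the posts describe and the StackBase-0x0C patch. All addresses, sizes,
 * thread ids and the fake stack below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_OK = 0, V_BAD_CALLER = 1, V_BAD_THREAD = 2, V_BAD_THREAD_EP = 3 };

struct engine_guard {
    uint32_t image_base;  /* (uint32_t)GetModuleHandleA("Engine.exe") */
    uint32_t image_size;  /* IMAGE_OPTIONAL_HEADER32.SizeOfImage */
    uint32_t main_tid;    /* GetCurrentThreadId() recorded on the main thread */
};

/* True when addr lies in [image_base, image_base + image_size). */
static bool in_engine(const struct engine_guard *g, uint32_t addr)
{
    return addr >= g->image_base && addr - g->image_base < g->image_size;
}

/* SizeOfImage from a 32-bit PE image in memory: e_lfanew at DOS header +0x3C,
 * IMAGE_NT_HEADERS32 = Signature(4) + FileHeader(20) + OptionalHeader, and
 * SizeOfImage sits at OptionalHeader +0x38, i.e. NT headers +0x50. */
static uint32_t pe32_size_of_image(const uint8_t *image)
{
    uint32_t e_lfanew, size;
    memcpy(&e_lfanew, image + 0x3C, sizeof e_lfanew);
    memcpy(&size, image + e_lfanew + 0x50, sizeof size);
    return size;
}

/* Thread start address slot as the posts describe it: third DWORD below
 * NT_TIB.StackBase (fs:[4] on 32-bit Windows), i.e. StackBase - 0x0C. */
#define THREAD_EP_SLOT 0x0C

static uint32_t read_thread_ep(const uint8_t *stack_base)
{
    uint32_t ep;
    memcpy(&ep, stack_base - THREAD_EP_SLOT, sizeof ep);
    return ep;
}

/* Equivalent of "mov dword ptr [eax-0Ch], NewEntryPoint" from the thread. */
static void patch_thread_ep(uint8_t *stack_base, uint32_t new_ep)
{
    memcpy(stack_base - THREAD_EP_SLOT, &new_ep, sizeof new_ep);
}

/* The guard. Checking the EP slot against the module bounds is an assumption. */
static enum verdict console_guard(const struct engine_guard *g, uint32_t return_addr,
                                  uint32_t tid, const uint8_t *stack_base)
{
    if (!in_engine(g, return_addr))                return V_BAD_CALLER;
    if (tid != g->main_tid)                        return V_BAD_THREAD;
    if (!in_engine(g, read_thread_ep(stack_base))) return V_BAD_THREAD_EP;
    return V_OK;
}

/* ---- constructed scenario: values are made up, not real game addresses ---- */
static const struct engine_guard ENGINE = { 0x00400000u, 0x00900000u, 0x1234u };
static const uint32_t DLL_BASE = 0x10000000u;   /* injected DLL, outside Engine.exe */
static const uint32_t DLL_THREAD_TID = 0x5678u;

/* Fake initial stack whose EP slot holds start_addr (what the loader left);
 * optionally rewrite the slot the way the quoted ASM does, then run the guard. */
static enum verdict run_case(uint32_t return_addr, uint32_t tid,
                             uint32_t start_addr, bool patch_ep)
{
    uint8_t stack[64] = {0};
    uint8_t *stack_base = stack + sizeof stack;   /* NT_TIB.StackBase analogue */
    patch_thread_ep(stack_base, start_addr);
    if (patch_ep)
        patch_thread_ep(stack_base, ENGINE.image_base + 0x1000u);
    return console_guard(&ENGINE, return_addr, tid, stack_base);
}

/* 1. The DLL's own thread calls the console directly: return address is outside Engine.exe. */
static enum verdict case_direct_call(void)
{ return run_case(DLL_BASE + 0x2000u, DLL_THREAD_TID, DLL_BASE + 0x1000u, false); }

/* 2. Same thread, but calling from a hook inside Engine.exe: the thread id still fails. */
static enum verdict case_hooked_caller(void)
{ return run_case(ENGINE.image_base + 0x5000u, DLL_THREAD_TID, DLL_BASE + 0x1000u, false); }

/* 3. Caller and thread id pass, but the EP slot still names the DLL. */
static enum verdict case_ep_slot_unpatched(void)
{ return run_case(ENGINE.image_base + 0x5000u, ENGINE.main_tid, DLL_BASE + 0x1000u, false); }

/* 4. As 3, after rewriting StackBase-0x0C as the quoted ASM does. */
static enum verdict case_ep_slot_patched(void)
{ return run_case(ENGINE.image_base + 0x5000u, ENGINE.main_tid, DLL_BASE + 0x1000u, true); }

/* Constructed 0x100-byte PE header: e_lfanew = 0x40, SizeOfImage = 0x900000. */
static uint32_t constructed_engine_size(void)
{
    uint8_t hdr[0x100] = {0};
    uint32_t e_lfanew = 0x40u, size = 0x00900000u;
    memcpy(hdr, "MZ", 2);
    memcpy(hdr + 0x3C, &e_lfanew, 4);
    memcpy(hdr + 0x40, "PE\0\0", 4);
    memcpy(hdr + 0x40 + 0x50, &size, 4);
    return pe32_size_of_image(hdr);
}

int main(void)
{
    printf("direct=%d hooked=%d ep_unpatched=%d ep_patched=%d size=0x%x\n",
           case_direct_call(), case_hooked_caller(), case_ep_slot_unpatched(),
           case_ep_slot_patched(), constructed_engine_size());
    return 0;
}
```

The four cases fail in the order the posts list the checks: a direct call from an injected thread never reaches the thread-ID comparison, and a call routed through a hook inside Engine.exe (which is why the earlier posts hook from a DLL thread yet still need an in-engine return address) is stopped by the thread ID, so the EP-slot patch only matters once the first two checks already pass.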

  10. #24
    .::SCHiM::.'s Avatar
    Join Date
    Sep 2010
    Gender
    male
    Posts
    733
    Reputation
    180
    Thanks
    833
    My Mood
    Twisted
    Quote Originally Posted by HellSpider View Post
    Nah, sorry for being unclear. I meant the EntryPoint. As you might know, every thread has its own stack. When the thread is created the entrypoint of the module creating the thread is stored in the 3rd DWORD from the stack top (you start from the top address in the stack and move to the beginning).

    This address can be retrieved from the ThreadEnvironmentBlock (TEB).

    At TEB+0x04 there is a DWORD indicating the address of the stack top. And as I said earlier the entrypoint is located as the 3rd DWORD from the top, meaning it's in TopOfStack - 0xC.

    In ASM this could be done like this:

    Code:
    mov eax, dword ptr fs:[18h]          ; TEB (NT_TIB.Self)
    mov eax, dword ptr ds:[eax+4h]       ; TEB+4: NT_TIB.StackBase (top of stack)
    lea eax, dword ptr ds:[eax-0Ch]      ; StackBase - 0Ch: slot holding the thread entry point
    mov dword ptr ds:[eax], MY_ADDRESS   ; overwrite it (MY_ADDRESS: equate for your address)
    Hope this made sense.
    Hey, you're right, I didn't know that a thread's entry point was moved there. I have been looking for this information for a long time. Where did you find out that the EP is moved there?

    PS: a quicker way to do things:

    Code:
    mov eax, dword ptr fs:[4h]               ; the fs segment base is the TEB, so fs:[4] = NT_TIB.StackBase
    mov dword ptr [eax-0Ch], NewEntryPoint   ; NewEntryPoint: equate for the address to plant
    Last edited by .::SCHiM::.; 05-28-2011 at 03:48 AM.


  11. #25
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by .::SCHiM::. View Post
    Hey, you're right, I didn't know that a thread's entry point was moved there. I have been looking for this information for a long time. Where did you find out that the EP is moved there?

    PS: a quicker way to do things:

    Code:
    mov eax, dword ptr fs:[4h]               ; the fs segment base is the TEB, so fs:[4] = NT_TIB.StackBase
    mov dword ptr [eax-0Ch], NewEntryPoint   ; NewEntryPoint: equate for the address to plant
    I unvirtualized the Themida virtual machine and had a look at how the check works. I didn't know it before either.

    And yeah, I know it can be shortened, just wanted to show you it in "steps", didn't know you were familiar with ASM (a lot of people have no idea how ASM works).

  12. The Following User Says Thank You to HellSpider For This Useful Post:

    SNal2F (05-28-2011)

  13. #26
    .::SCHiM::.'s Avatar
    Join Date
    Sep 2010
    Gender
    male
    Posts
    733
    Reputation
    180
    Thanks
    833
    My Mood
    Twisted
    Quote Originally Posted by HellSpider View Post
    I unvirtualized the Themida virtual machine and had a look how the check works. I didn't know it before either.

    And yeah, I know it can be shortened, just wanted to show you it in "steps", didn't know you were familiar with ASM (a lot of people have no idea how ASM works).
    Well, I'm pretty familiar with ASM; I made my own hook library (which I'm currently using), so no need, spare me the details.

    Anyways, I think I may have wasted all of your time, since I was trying to use the wrong LTC client. I have to find the correct one first.
    I'm EU btw, so I can't use the NA addresses; perhaps you know of a good address logger or file dumper? I can't use KernelDetective.


  14. #27
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by .::SCHiM::. View Post
    Well, I'm pretty familiar with ASM; I made my own hook library (which I'm currently using), so no need, spare me the details.

    Anyways, I think I may have wasted all of your time, since I was trying to use the wrong LTC client. I have to find the correct one first.
    I'm EU btw, so I can't use the NA addresses; perhaps you know of a good address logger or file dumper? I can't use KernelDetective.
    I'm EU too. Got no logger yet, but planned to code one.

    I can't use KD either, it won't run on Win7 Ultimate x64. It's a great app, hope he'll make an x64 version someday.

  15. The Following User Says Thank You to HellSpider For This Useful Post:

    .::SCHiM::. (05-28-2011)

  16. #28
    .::SCHiM::.'s Avatar
    Join Date
    Sep 2010
    Gender
    male
    Posts
    733
    Reputation
    180
    Thanks
    833
    My Mood
    Twisted
    Quote Originally Posted by HellSpider View Post
    I'm EU too. Got no logger yet, but planned to code one.

    I can't use KD either, wont run on Win7 Ultimate x64. It's a great app, hope he would make a x64 version someday.
    Well then, I have good news for you: here's a working module/file dumper for Windows Server 2008 R2 (which is Windows 7 in all but name).

    This works for me, and it dumps all files. But since I may not post download links: search Google for "Memoryze". If it doesn't work, I can share the dumped files with you.


  17. The Following 3 Users Say Thank You to .::SCHiM::. For This Useful Post:

    Departure (05-28-2011),SNal2F (05-28-2011),Stephen (05-28-2011)

  18. #29
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by .::SCHiM::. View Post
    Well then, I have good news for you: here's a working module/file dumper for Windows Server 2008 R2 (which is Windows 7 in all but name).

    This works for me, and it dumps all files. But since I may not post download links: search Google for "Memoryze". If it doesn't work, I can share the dumped files with you.
    I'll check it out.

  19. #30
    SNal2F's Avatar
    Join Date
    Jul 2009
    Gender
    male
    Posts
    175
    Reputation
    30
    Thanks
    99
    Quote Originally Posted by HellSpider View Post
    I unvirtualized the Themida virtual machine and had a look at how the check works. I didn't know it before either.

    And yeah, I know it can be shortened, just wanted to show you it in "steps", didn't know you were familiar with ASM (a lot of people have no idea how ASM works).
    Is it like GameGuard with all the jmps and random garbage all over?


    @ console, I was just hooking it in the table at 0x208 and returning it to my own function; when I played, the checks were in the function, so I rewrote it.


    Code:
    // Replacement for the table entry at 0x208. orConsoleCommand is the saved
    // original entry; ConsoleSub is the engine-side routine the hook calls first
    // (neither is declared in the post, so their exact signatures are not shown here).
    int __cdecl myConsoleCommand(const char* szCommand)
    {
        // Do the work through the engine's own sub-routine first...
        ConsoleSub(0x8003F0, szCommand);

        // ...then forward to the original so the engine still handles the command.
        return orConsoleCommand(szCommand);
    }

    Sort of a waste since I could just call the ConsoleSub.
    Last edited by SNal2F; 05-28-2011 at 02:40 PM.
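The table hook post #30 describes (a function-pointer slot at byte offset 0x208 replaced with a wrapper that does its own work and then forwards to the original), as an added example in C that is not the poster's code or anything from the game. The table, the stand-in engine routine engine_console, the pre-processing console_sub and the command strings are constructed; hook_console_slot, my_console and run_hook_demo are my names. On Windows the slot write would additionally need VirtualProtect if the table lives in read-only memory; that step is left out because the stand-in table is plain writable data.

```c
/* Added example, not the poster's code: a function-table hook in the shape
 * post #30 describes. Table, engine routine and commands are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*console_fn)(const char *cmd);

#define CONSOLE_SLOT_OFFSET 0x208                          /* byte offset from post #30 */
#define CONSOLE_SLOT_INDEX  (CONSOLE_SLOT_OFFSET / sizeof(console_fn))
#define TABLE_ENTRIES       (CONSOLE_SLOT_INDEX + 8)

static console_fn g_table[TABLE_ENTRIES];   /* stand-in for the engine's table */
static console_fn g_orig_console;           /* saved original (orConsoleCommand's role) */
static char g_last_seen[64];                /* last command the hook observed */
static int  g_hook_calls;

/* Stand-in for the engine routine: accepts commands with a known prefix. */
static int engine_console(const char *cmd)
{
    return strncmp(cmd, "cl_", 3) == 0 ? 1 : 0;
}

/* Stand-in for ConsoleSub: the hook's own pre-processing, here just logging. */
static void console_sub(const char *cmd)
{
    strncpy(g_last_seen, cmd, sizeof g_last_seen - 1);
    g_last_seen[sizeof g_last_seen - 1] = '\0';
    g_hook_calls++;
}

/* The hook installed in the slot; mirrors myConsoleCommand in post #30. */
static int my_console(const char *cmd)
{
    console_sub(cmd);
    return g_orig_console(cmd);   /* forward so the engine still runs the command */
}

/* Swap the slot: returns the previous pointer so it can be saved or restored. */
static console_fn hook_console_slot(console_fn *table, console_fn hook)
{
    console_fn prev = table[CONSOLE_SLOT_INDEX];
    table[CONSOLE_SLOT_INDEX] = hook;
    return prev;
}

/* Demo: populate the table, hook the slot, issue commands through the table
 * as the engine would, unhook, and report whether everything lined up. */
static int run_hook_demo(void)
{
    memset(g_table, 0, sizeof g_table);
    g_table[CONSOLE_SLOT_INDEX] = engine_console;
    g_hook_calls = 0;

    g_orig_console = hook_console_slot(g_table, my_console);
    int accepted = g_table[CONSOLE_SLOT_INDEX]("cl_speed 2");   /* goes via the hook */
    int rejected = g_table[CONSOLE_SLOT_INDEX]("noclip");       /* goes via the hook */
    hook_console_slot(g_table, g_orig_console);                /* restore original */
    g_table[CONSOLE_SLOT_INDEX]("cl_after_unhook");            /* hook no longer sees it */

    return accepted == 1 && rejected == 0 && g_hook_calls == 2
           && strcmp(g_last_seen, "noclip") == 0;
}

int main(void)
{
    printf("hook demo %s (hook saw %d calls, last: %s)\n",
           run_hook_demo() ? "ok" : "failed", g_hook_calls, g_last_seen);
    return 0;
}
```

Saving the previous pointer from hook_console_slot is what makes both the forward call and the later restore possible; a hook that overwrites the slot without keeping the original has no way to let the engine run the command, which is the difference between the wrapper above and only calling the sub-routine as the post considers.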
