  1. #1
    WayzOfficiel

    Question Trove crashing when trying to hook dll driver

    Hello, I think this question may be stupid, but I need to know why I can't attach a driver into Trove's process to see some things in its behaviour, was the same w/ CE driver, do they use some sort of protection concerning this? Like the need to get a signed driver or idk what, or is my method to load it which isn't viable? Or maybe just an incompatibility problem?

    I give you guys the code I used, both for the driver and the injector/listener




    TroveHook.dll

    Code:
    #include <windows.h>
    #include <iostream>
    #include <TlHelp32.h>
    
    DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE* bMask, char* szMask) {
        for (DWORD i = 0; i < dwLen; i++) {
            bool bFound = true;
            for (DWORD j = 0; j < strlen(szMask); j++) {
                bFound &= szMask[j] == '?' || bMask[j] == *(BYTE*)(dwAddress + i + j);
            }
            if (bFound) {
                return dwAddress + i;
            }
        }
        return NULL;
    }
    
    DWORD WINAPI MonitorMemory(LPVOID lpParam) {
        while (true) {
            // Scan memory for the desired value
            uintptr_t baseAddress = 0x01082CA8; // Example base address
    
            // Calculate the final address using the provided AHK offsets
            uintptr_t finalAddress = baseAddress + 0x0 + 0x28 + 0xC4 + 0x2D4 + 0x1E4;
    
            // Read the value from memory
            float value;
            ReadProcessMemory(GetCurrentProcess(), (LPVOID)finalAddress, &value, sizeof(value), NULL);
    
            // Perform actions based on the value
            std::cout << "Value found: " << value << std::endl;
            // Add your logic here
    
            Sleep(1000); // Adjust the delay as needed
        }
        return 0;
    }
    
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            CreateThread(NULL, 0, MonitorMemory, NULL, 0, NULL);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }


    CppTrove.exe (injector)

    Code:
    #include <windows.h>
    #include <iostream>
    #include <TlHelp32.h>
    
    int main() {
        const char* dllPath = "C:\\Hooks\\TroveHook.dll"; // Replace with the path to your DLL
    
        DWORD processId = 0;
        const wchar_t* processName = L"Trove.exe"; // Replace with the name of the target process
    
        // Find the process ID
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap != INVALID_HANDLE_VALUE) {
            PROCESSENTRY32 pe32;
            pe32.dwSize = sizeof(PROCESSENTRY32);
            if (Process32First(hSnap, &pe32)) {
                do {
                    if (_wcsicmp(pe32.szExeFile, processName) == 0) {
                        processId = pe32.th32ProcessID;
                        break;
                    }
                } while (Process32Next(hSnap, &pe32));
            }
            CloseHandle(hSnap);
        }
    
        if (processId != 0) {
            HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
            if (hProcess != NULL) {
                // Allocate memory in the target process for the DLL path
                LPVOID dllPathAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
                if (dllPathAddress != NULL) {
                    // Write the DLL path to the target process
                    WriteProcessMemory(hProcess, dllPathAddress, dllPath, strlen(dllPath) + 1, NULL);
    
                    // Get the address of the LoadLibraryA function
                    LPVOID loadLibraryAddress = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
                    if (loadLibraryAddress != NULL) {
                        // Create a remote thread in the target process to load the DLL
                        HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, dllPathAddress, 0, NULL);
                        if (hRemoteThread != NULL) {
                            // Wait for the remote thread to finish
                            WaitForSingleObject(hRemoteThread, INFINITE);
                            CloseHandle(hRemoteThread);
                        }
                        else {
                            std::cerr << "Failed to create remote thread. Error: " << GetLastError() << std::endl;
                        }
                    }
                    else {
                        std::cerr << "Failed to get address of LoadLibraryA. Error: " << GetLastError() << std::endl;
                    }
    
                    // Free the allocated memory in the target process
                    VirtualFreeEx(hProcess, dllPathAddress, strlen(dllPath) + 1, MEM_RELEASE);
                }
                else {
                    std::cerr << "Failed to allocate memory in target process. Error: " << GetLastError() << std::endl;
                }
    
                CloseHandle(hProcess);
            }
            else {
                std::cerr << "Failed to open process. Error: " << GetLastError() << std::endl;
            }
        }
        else {
            std::cerr << "Process not found." << std::endl;
        }
    
        std::cin.get();
        std::cin.get();
        return 0;
    }

    Thanks to anyone who'll help me to solve it <3
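
Added example, not part of the original thread: the injector in post #1 leaves a recognizable trail for defenders (a handle opened with PROCESS_ALL_ACCESS, a remote thread starting at LoadLibraryA, then an unsigned DLL mapped into the target). This sketch correlates those steps as Sysmon-style events (IDs 10, 8 and 7); every event, PID, timestamp and path other than C:\Hooks\TroveHook.dll is constructed for illustration.

```python
from datetime import datetime, timedelta
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
INJECT_MASK = 0x0002 | 0x0008 | 0x0020
LOADLIB = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
INJ, GAME = r"C:\Tools\CppTrove.exe", r"C:\Games\Trove\Trove.exe"  # constructed paths

# Constructed sample events using Sysmon field names (IDs 10, 8, 7); not real telemetry.
EVENTS = [
    {"id": 10, "t": "2024-04-20 18:00:01.100", "SourceProcessId": 4120, "TargetProcessId": 7788,
     "SourceImage": INJ, "TargetImage": GAME, "GrantedAccess": "0x1FFFFF"},
    {"id": 8, "t": "2024-04-20 18:00:01.150", "SourceProcessId": 4120, "TargetProcessId": 7788,
     "SourceImage": INJ, "TargetImage": GAME, "StartFunction": "LoadLibraryA"},
    {"id": 7, "t": "2024-04-20 18:00:01.180", "ProcessId": 7788, "Image": GAME,
     "ImageLoaded": r"C:\Hooks\TroveHook.dll", "Signed": "false"},
    # Benign controls: a non-loader remote thread and a signed module load.
    {"id": 8, "t": "2024-04-20 18:00:02.500", "SourceProcessId": 612, "TargetProcessId": 7788,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": GAME,
     "StartFunction": "CtrlRoutine"},
    {"id": 7, "t": "2024-04-20 18:00:03.000", "ProcessId": 7788, "Image": GAME,
     "ImageLoaded": r"C:\Windows\SysWOW64\dinput8.dll", "Signed": "true"},
]

def ts(event):
    return datetime.strptime(event["t"], "%Y-%m-%d %H:%M:%S.%f")

def find_loadlibrary_injection(events, window=timedelta(seconds=5)):
    """One finding per remote thread that starts at a LoadLibrary export."""
    findings = []
    for rt in events:
        if rt["id"] != 8 or rt.get("StartFunction") not in LOADLIB:
            continue
        src, dst, t0 = rt["SourceProcessId"], rt["TargetProcessId"], ts(rt)
        # Earlier handle from the same source with allocate/write/create-thread rights.
        handle = any(e["id"] == 10 and e["SourceProcessId"] == src
                     and e["TargetProcessId"] == dst and ts(e) <= t0
                     and (int(e["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK
                     for e in events)
        # Unsigned modules mapped into the target shortly after the thread started.
        dlls = [e["ImageLoaded"] for e in events
                if e["id"] == 7 and e["ProcessId"] == dst and e["Signed"] == "false"
                and t0 <= ts(e) <= t0 + window]
        # Reported even when dlls is empty: a failed load is still an attempt.
        findings.append({"source": rt["SourceImage"], "target": rt["TargetImage"],
                         "inject_handle": handle, "unsigned_dlls": dlls})
    return findings

if __name__ == "__main__":
    for finding in find_loadlibrary_injection(EVENTS):
        print(finding)
```

The remote-thread event is the anchor; the handle and image-load events only raise or lower confidence, so a source that logs just one of the three still yields a finding.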

  2. #2
    trovegh
    what you're trying to "attach" is a dynamic-link library, not a driver. you don't need a driver or anything special to hack trove. you should compile your dll for x86 (Win32) because Trove.exe is a 32-bit process. also you shouldn't use ReadProcessMemory if you're internal. you should instead just read the value directly from memory like this:
    Code:
    constexpr auto BASE_ADDRESS = std::uintptr_t(0x01082CA8);
    const auto *base_ptr = reinterpret_cast<std::uintptr_t *>(BASE_ADDRESS);
    const auto final_address = *base_ptr + 0x0 + 0x28 + 0xC4 + 0x2D4 + 0x1E4; // you probably aren't even adding to the correct final address as this looks like an offset chain.
    const auto value_ptr = reinterpret_cast<float *>(final_address);
    const auto value = *value_ptr;
    std::cout << "value_ptr: " << value_ptr << std::endl;
    std::cout << "Value found: " << value << std::endl;
    
    // this is probably what you want to do.
    auto address = *base_ptr;
    address = *reinterpret_cast<std::uintptr_t *>(address + 0x28);
    address = *reinterpret_cast<std::uintptr_t *>(address + 0xC4);
    address = *reinterpret_cast<std::uintptr_t *>(address + 0x2D4);
    const auto final_address_0 = *reinterpret_cast<std::uintptr_t *>(address + 0x1E4);
    const auto value_ptr_0 = reinterpret_cast<float *>(final_address_0);
    const auto value_0 = *value_ptr_0;
    std::cout << "value_ptr_0: " << value_ptr_0 << std::endl;
    std::cout << "value_0: " << value_0 << std::endl;
    your injection code looks fine.

  3. #3
    WayzOfficiel

    Oh, first of all thank you so much man <3

    Moreover, do u have any idea of how to edit speed in game? Like the speed stat client-sided, the same as BlackMagic does, I've been looking in BM AHK and offsets are in the current format I've tried to put in this code (thought it was a simple addition of them). In other words, do u got how to calculate a new value to write based on a float one to write it in memory using WriteMemory function? Like all the calculations stuff and explanations yk.

    Ty for all again, it's always interesting to learn things

  4. #4
    trovegh
    i don't really know anything specific to trove but you can write to a value in memory like this:
    Code:
    auto& speed = *reinterpret_cast<float *>(speed_address);
    speed = 90.f * 3.f; // example value
    speed is a reference to a float value located at speed_address. so you can write to the value by simply assigning the reference to any value you want.
