Beginner Concepts of Game Hacking

[Matrix_NEO006]

dont change the forum subject BTW bing sux dont go after a new engine that comes out

[cnttuchme]

I was talking about the sound, not the engine.

[why06]

I was talking about the sound, not the engine.

Well... i'm stumped O_O. No real come back to this one, but stop getting off subject. This is mainly open so that you guys can suggest anything I should add.

[rwkeith]

Google, lets hear it for the good times....(Plays slow music)

[why06]

Ok. I think I finally included enough stuff so that I can sticky this, but its difficult or impossible to make a tut about something of which I have no knowledge. So if anyone would like to contribute please do. It would be great if some experienced users made some tutorials on understanding memory addresses. I might try to do this once I get a little more experience in asm. Until then this is all I got lol xD. Hope it helps a little....

[Matrix_NEO006]

Tutorial On C++ code injection & Game
heres the codehttps://www.mpgh.net/forum/31-c-c/888...injection.html
remember you have to know code injection in CE in order to understand SEE CODE & LINK BELOW


code injection in CE
i wanted to add money to my game each time i click on something.
this is my real address that subtracts money from me.

Code:

004A9D9A

now this is address when it got allocated to diff memory

Code:

05240000 - 05 e7 03 00 00           - add eax,000003e7

^^^^in this pic you can see the dbcode bytes

we only need the bytes
it jumps to the same address that we allocated from.
the jump

Code:

004A9D9A - e9 61 62 d9 04

we really dont need the the 61 and after that we only need e9
so it would be like this 0xe9 , 0x00 so on till 5.

^^^^in this pic you can see the continuation of the process.

Code Injection in C++

Code:

dbCode[]

this is the code where u will be writing your edited code injection in CE.
for this one it will be

Code:

BYTE	dbCode[]= {0x05, 0xe7, 0x03, 0x00, 0x00,0xe9, 0x00, 0x00, 0x00, 0x00};

and u have to include the jump too

Code:

BYTE	dbJump[5]= {0xe9, 0x00, 0x00, 0x00, 0x00};

this is always the same because program does it itself

Code:

ddJumpAddr= 0x004A9D9A;

jump back to normal address.

Code:

DWORD	ddJmpBack	= 0x004A9D9F;

jump to normal address and continue the process

Code:

ddSize= 10

size of dbcode

Code Injection in CE



CREDIT GOES TO Teneb at WOGH for teaching me.

this is not my code credit goes to the guy who included him self in code.
compile it as multi byte:Project>>Properties>>Configuration properties>>character set>>change it to >>Use Multi-Byte Character Set.

Code:

/**************************************************  **************************************************  ********************\
\************ [C++ Code-Injection Template] ********* [Tenebricosus] ********* [Released on GameHacking.com] ************/
/************ [GetProcId () Function Coded By Wiccaan a.k.a. Atomos] ********* [Find me @ www.DoxCoding.com] ************\
\*************************************************  **************************************************  *********************/

//!!Remember!!
//------------
//Jump and Call addresses are relative. They are represented as the number of bytes between them. To calculate the Call/Jump
// opcode, you need to subtract the caller from the callee. E.G. if 0x40000000 contains a jump to 0x50000000, the calculation 
// will be 0x50000000 - 0x40000005. 0x40000000 is the Caller, 0x50000000 is the Callee, and the jump instruction is 5 opcodes long.
//
//In your CodeCave itself you don't have to worry about it, because the number of bytes between the Caller and Callee stays the same
// but when you jump to or from your CodeCave, the number of bytes between Caller and Callee is variable. Because we use VirtualAllocEx
// to get a memory region we can use for our CodeCave.
//
//------------
//When you use this code, without modifications, the last assambly line in your CodeCave should always be jmp 0xXXXXXXXX(X can be any 
// digit, though I prefer using 0x00000000 or 0xFFFFFFFF. Easier to spot when your CodeCave doesn't work :P)

#include <iostream>
#include <windows.h>
#include <tlhelp32.h>


BYTE	dbCode[]			= {0x90, 0x90, 0xe9, 0x00, 0x00, 0x00, 0x00};	//Opcodes you want to write to the CodeCave
BYTE	dbJump[5]			= {0xe9, 0x00, 0x00, 0x00, 0x00};				//The Ju***ode we need to write in the Game to jump to our CodeCave
DWORD	ddJumpAddr			= 0x552086;										//The GameCode address we want to jump from
DWORD	ddJmpBack			= 0x55208C;										//The GameCode address we want to jump back to after running our CodeCave
DWORD	ddSize				= 7;											//The Size of dbCode array(The number of opcodes your CodeCave exists of)
char *	szProcName			= "CoDMP.exe";									//The Processname of the GameProcess(You can find it in your Task Manager (Ctrl+Alt+Del))


DWORD GetProcId( char *szProcName );

void main()
{
	using namespace std;
	HANDLE	hProcess;
	DWORD	ddTemp;
	DWORD	ddOldProt;
	DWORD	ddCodeCave	= NULL;

	hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_READ|P  ROCESS_VM_WRITE, FALSE, GetProcId(szProcName));
	if(hProcess == NULL)
	{
		cout << "Error: Couldn't open the Game Process\n";
	}
	else
	{
		cout << "Success: Game Process Opened\n";
		ddCodeCave = (DWORD)VirtualAllocEx(hProcess, NULL, ddSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

		if(ddCodeCave == NULL)
		{
			cout << "Error: Failed to allocate CodeCave\n";
		}
		else
		{
			cout << "Success: CodeCave Allocated\n";

			ddTemp = ddJmpBack;
			ddTemp -= (ddCodeCave + ddSize);
			memcpy(&dbCode[ddSize - 4], &ddTemp, 4);

			if(WriteProcessMemory(hProcess, (LPVOID)ddCodeCave, dbCode, ddSize, NULL) == FALSE)
			{
				cout << "Error: Writing to the CodeCave Failed!\n";
				cout << GetLastError();
			}
			else
			{
				cout << "Success: Code Written to CodeCave!\n";
				cout << "CodeCave Located at: 0x" << hex << ddCodeCave << endl << endl;

				ddTemp = ddCodeCave;
				ddTemp -= (ddJumpAddr + 5);
				memcpy(&dbJump[1], &ddTemp, 4);

				if(VirtualProtectEx(hProcess, (LPVOID)ddJumpAddr, 5, PAGE_EXECUTE_READWRITE, &ddOldProt) == FALSE)
				{
					cout << "Error: VirtualProtectEx Falied!\n";
				}
				else
				{
					if(WriteProcessMemory(hProcess, (LPVOID)ddJumpAddr, &dbJump, 5, NULL) == FALSE)
					{
						cout << "Error: Couldn't write the Jump!\n";
					}
					else
					{
						cout << "Success: Jump written.\n CodeCave Active!\n";
					}
					VirtualProtectEx(hProcess, (LPVOID)ddJumpAddr, 5, ddOldProt, NULL);
				}
			}
		}
	}
	cin.get();
	return;
}

/* GetProcId: Credits go to Wiccaan, a.k.a. Atomos*/
DWORD GetProcId( char *szProcName )
{
   PROCESSENTRY32   pe32;
   HANDLE         hSnapshot = NULL;

   pe32.dwSize = sizeof( PROCESSENTRY32 );
   hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

   if( Process32First( hSnapshot, &pe32 ) )
   {
      do{
         if( strcmp( pe32.szExeFile, szProcName ) == 0 )
            break;
      }while( Process32Next( hSnapshot, &pe32 ) );
   }

   if( hSnapshot != INVALID_HANDLE_VALUE )
      CloseHandle( hSnapshot );

   return (strcmp( pe32.szExeFile, szProcName ) == 0) ? pe32.th32ProcessID : 0;
}

[why06]

Haha. Excellent tutorial. added.

[why06]

Just added Jetamay's cAddress and D3D Form class.

[Matrix_NEO006]

i forgot to mention this> compile it as multi byte:Project>>Properties>>Configuration properties>>character set>>change it to >>Use Multi-Byte Character Set.

[why06]

Added it, hope it isn't too tacky.

[Katbox]

Any guides on bypassing hackshields and stuff like that? That would definitely be helpful.

[Hell_Demon]

Any guides on bypassing hackshields and stuff like that? That would definitely be helpful.

use

Code:

while(1)
{
    cin.get();
}

in the injector before injecting.

[Matrix_NEO006]

Semi Tutorial on DirectX
Getting NumVertices,Stride and PrimCount

SEE ATTACHED FILE BELOW

Ive injected The logger to COD 4(our target in this case) now press F1(it should active if not then run it as admin on VISTA.
u should get the window like this

GUID:

F1 = turn logger on
numpad + = add 1 to NumVertices
numpad - = subtract 1 from NumVertices
numpad 9 = add 1 to Stride
numpad 6 = subtract 1 from Stride
numpad 8 = add 1 to PrimCount
numpad 5 = subtract 1 from PrimCount
numpad * = write all to log file
numpad / = set all values to 0


Now join a non pb server then press the keypads included up there.
for example:

NumVertics = 156 , PrimeCount = 1274.
NOTE:THIS TEXTURE LOGGER NUMBERS WILL BE DIFFERENT IN YOUR COMPUTER
now use this in Azrobix D3d Starter kit.
Credit Goes to OOps.

[Matrix_NEO006]

What Is DLL?
since im not allowed to provide link ill just copy and paste w/e is in there.

Introduction
For the Microsoft Windows operating systems that are listed in the "Applies to" section, much of the functionality of the operating system is provided by dynamic link libraries (DLL). Additionally, when you run a program on one of these Windows operating systems, much of the functionality of the program may be provided by DLLs. For example, some programs may contain many different modules, and each module of the program is contained and distributed in DLLs.

The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space. Therefore, the operating system and the programs load faster, run faster, and take less disk space on the computer.

When a program uses a DLL, an issue that is called dependency may cause the program not to run. When a program uses a DLL, a dependency is created. If another program overwrites and breaks this dependency, the original program may not successfully run.

With the introduction of the Microsoft .NET Framework, most dependency problems have been eliminated by using assemblies.

Information
A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Therefore, each program can use the functionality that is contained in this DLL to implement an Open dialog box. This helps promote code reuse and efficient memory usage.

By using a DLL, a program can be modularized into separate components. For example, an accounting program may be sold by module. Each module can be loaded into the main program at run time if that module is installed. Because the modules are separate, the load time of the program is faster, and a module is only loaded when that functionality is requested.

Additionally, updates are easier to apply to each module without affecting other parts of the program. For example, you may have a payroll program, and the tax rates change each year. When these changes are isolated to a DLL, you can apply an update without needing to build or install the whole program again.

The following list describes some of the files that are implemented as DLLs in Windows operating systems:
ActiveX Controls (.ocx) files
An example of an ActiveX control is a calendar control that lets you select a date from a calendar.
Control Panel (.cpl) files
An example of a .cpl file is an item that is located in Control Panel. Each item is a specialized DLL.
Device driver (.drv) files
An example of a device driver is a printer driver that controls the printing to a printer.

DLL advantages
The following list describes some of the advantages that are provided when a program uses a DLL:
Uses fewer resources
When multiple programs use the same library of functions, a DLL can reduce the duplication of code that is loaded on the disk and in physical memory. This can greatly influence the performance of not just the program that is running in the foreground, but also other programs that are running on the Windows operating system.
Promotes modular architecture
A DLL helps promote developing modular programs. This helps you develop large programs that require multiple language versions or a program that requires modular architecture. An example of a modular program is an accounting program that has many modules that can be dynamically loaded at run time.
Eases deployment and installation
When a function within a DLL needs an update or a fix, the deployment and installation of the DLL does not require the program to be relinked with the DLL. Additionally, if multiple programs use the same DLL, the multiple programs will all benefit from the update or the fix. This issue may more frequently occur when you use a third-party DLL that is regularly updated or fixed.
DLL dependencies
When a program or a DLL uses a DLL function in another DLL, a dependency is created. Therefore, the program is no longer self-contained, and the program may experience problems if the dependency is broken. For example, the program may not run if one of the following actions occurs:
A dependent DLL is upgraded to a new version.
A dependent DLL is fixed.
A dependent DLL is overwritten with an earlier version.
A dependent DLL is removed from the computer.
These actions are generally known as DLL conflicts. If backward compatibility is not enforced, the program may not successfully run.

The following list describes the changes that have been introduced in Microsoft Windows 2000 and in later Windows operating systems to help minimize dependency issues:
Windows File Protection
In Windows File Protection, the operating system prevents system DLLs from being updated or deleted by an unauthorized agent. Therefore, when a program installation tries to remove or update a DLL that is defined as a system DLL, Windows File Protection will look for a valid digital signature.
Private DLLs
Private DLLs let you isolate a program from changes that are made to shared DLLs. Private DLLs use version-specific information or an empty .local file to enforce the version of the DLL that is used by the program. To use private DLLs, locate your DLLs in the program root folder. Then, for new programs, add version-specific information to the DLL. For old programs, use an empty .local file. Each method tells the operating system to use the private DLLs that are located in the program root folder.
DLL troubleshooting tools
Several tools are available to help you troubleshoot DLL problems. The following tools are some of these tools.
Dependency Walker
The Dependency Walker tool can recursively scan for all dependent DLLs that are used by a program. When you open a program in Dependency Walker, Dependency Walker performs the following checks:
Dependency Walker checks for missing DLLs.
Dependency Walker checks for program files or DLLs that are not valid.
Dependency Walker checks that import functions and export functions match.
Dependency Walker checks for circular dependency errors.
Dependency Walker checks for modules that are not valid because the modules are for a different operating system.
By using Dependency Walker, you can document all the DLLs that a program uses. This may help prevent and correct DLL problems that may occur in the future. Dependency Walker is located in the following directory when you install Microsoft Visual Studio 6.0:
drive\Program Files\Microsoft Visual Studio\Common\Tools
DLL Universal Problem Solver
The DLL Universal Problem Solver (DUPS) tool is used to audit, compare, document, and display DLL information. The following list describes the utilities that make up the DUPS tool:
Dlister.exe
This utility enumerates all the DLLs on the computer and logs the information to a text file or to a database file.
Dcomp.exe
This utility compares the DLLs that are listed in two text files and produces a third text file that contains the differences.
Dtxt2DB.exe
This utility loads the text files that are created by using the Dlister.exe utility and the Dcomp.exe utility into the dllHell database.
DlgDtxt2DB.exe
This utility provides a graphical user interface (GUI) version of the Dtxt2DB.exe utility.
For more information about the DUPS tool, click the following article number to view the article in the Microsoft Knowledge Base:
247957 Using DUPS.exe to resolve DLL compatibility problems
DLL Help database
The DLL Help database helps you locate specific versions of DLLs that are installed by Microsoft software products. For more information about the DLL Help database.
DLL development
This section describes the issues and the requirements that you should consider when you develop your own DLLs.
Types of DLLs
When you load a DLL in an application, two methods of linking let you call the exported DLL functions. The two methods of linking are load-time dynamic linking and run-time dynamic linking.
Load-time dynamic linking
In load-time dynamic linking, an application makes explicit calls to exported DLL functions like local functions. To use load-time dynamic linking, provide a header (.h) file and an import library (.lib) file when you compile and link the application. When you do this, the linker will provide the system with the information that is required to load the DLL and resolve the exported DLL function locations at load time.
Run-time dynamic linking
In run-time dynamic linking, an application calls either the LoadLibrary function or the LoadLibraryEx function to load the DLL at run time. After the DLL is successfully loaded, you use the GetProcAddress function to obtain the address of the exported DLL function that you want to call. When you use run-time dynamic linking, you do not need an import library file.

The following list describes the application criteria for when to use load-time dynamic linking and when to use run-time dynamic linking:
Startup performance
If the initial startup performance of the application is important, you should use run-time dynamic linking.
Ease of use
In load-time dynamic linking, the exported DLL functions are like local functions. This makes it easy for you to call these functions.
Application logic
In run-time dynamic linking, an application can branch to load different modules as required. This is important when you develop multiple-language versions.
The DLL entry point
When you create a DLL, you can optionally specify an entry point function. The entry point function is called when processes or threads attach themselves to the DLL or detached themselves from the DLL. You can use the entry point function to initialize data structures or to destroy data structures as required by the DLL. Additionally, if the application is multithreaded, you can use thread local storage (TLS) to allocate memory that is private to each thread in the entry point function. The following code is an example of the DLL entry point function.

Code:

BOOL APIENTRY DllMain(
HANDLE hModule,	// Handle to DLL module
	DWORD ul_reason_for_call,	// Reason for calling function
	LPVOID lpReserved ) // Reserved
{
	switch ( ul_reason_for_call )
	{
		case DLL_PROCESS_ATTACHED:
		// A process is loading the DLL.
		break;
		case DLL_THREAD_ATTACHED:
		// A process is creating a new thread.
		break;
		case DLL_THREAD_DETACH:
		// A thread exits normally.
		break;
		case DLL_PROCESS_DETACH:
		// A process unloads the DLL.
		break;
	}
	return TRUE;
}

When the entry point function returns a FALSE value, the application will not start if you are using load-time dynamic linking. If you are using run-time dynamic linking, only the individual DLL will not load.

The entry point function should only perform simple initialization tasks and should not call any other DLL loading or termination functions. For example, in the entry point function, you should not directly or indirectly call the LoadLibrary function or the LoadLibraryEx function. Additionally, you should not call the FreeLibrary function when the process is terminating.

Note In multithreaded applications, make sure that access to the DLL global data is synchronized (thread safe) to avoid possible data corruption. To do this, use TLS to provide unique data for each thread.
Exporting DLL functions
To export DLL functions, you can either add a function keyword to the exported DLL functions or create a module definition (.def) file that lists the exported DLL functions.

To use a function keyword, you must declare each function that you want to export with the following keyword:
__declspec(dllexport)
To use exported DLL functions in the application, you must declare each function that you want to import with the following keyword:
__declspec(dllimport)
Typically, you would use one header file that has a define statement and an ifdef statement to separate the export statement and the import statement.

You can also use a module definition file to declare exported DLL functions. When you use a module definition file, you do not have to add the function keyword to the exported DLL functions. In the module definition file, you declare the LIBRARY statement and the EXPORTS statement for the DLL. The following code is an example of a definition file.

Code:

// SampleDLL.def
//
LIBRARY "sampleDLL"

EXPORTS
  HelloWorld

Sample DLL and application
In Microsoft Visual C++ 6.0, you can create a DLL by selecting either the Win32 Dynamic-Link Library project type or the MFC AppWizard (dll) project type.

The following code is an example of a DLL that was created in Visual C++ by using the Win32 Dynamic-Link Library project type.

Code:

// SampleDLL.cpp
//

#include "stdafx.h"
#define EXPORTING_DLL
#include "sampleDLL.h"

BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
    return TRUE;
}

void HelloWorld()
{
	MessageBox( NULL, TEXT("Hello World"), TEXT("In a DLL"), MB_OK);
}

Code:

// File: SampleDLL.h
//
#ifndef INDLL_H
#define INDLL_H

#ifdef EXPORTING_DLL
extern __declspec(dllexport) void HelloWorld() ;
#else
extern __declspec(dllimport) void HelloWorld() ;
#endif

#endif

The following code is an example of a Win32 Application project that calls the exported DLL function in the SampleDLL DLL.

Code:

// SampleApp.cpp 
//

#include "stdafx.h"
#include "sampleDLL.h"

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{ 	
	HelloWorld();
	return 0;
}

Note In load-time dynamic linking, you must link the SampleDLL.lib import library that is created when you build the SampleDLL project.

In run-time dynamic linking, you use code that is similar to the following code to call the SampleDLL.dll exported DLL function.

Code:

...
typedef VOID (*DLLPROC) (LPTSTR);
...
HINSTANCE hinstDLL;
DLLPROC HelloWorld;
BOOL fFreeDLL;

hinstDLL = LoadLibrary("sampleDLL.dll");
if (hinstDLL != NULL)
{
    HelloWorld = (DLLPROC) GetProcAddress(hinstDLL, "HelloWorld");
    if (HelloWorld != NULL)
        (HelloWorld);

    fFreeDLL = FreeLibrary(hinstDLL);
}
...

[BxR]

I used to code hacks but i am now currently busy learning computer graphics and pretty much is a semi-pro right now, and learning how to make and finalize and design etc. a game. I made some cash making hacks most off counter strike source. Then private hacks which is a lot easier to manage. What you explain is vital make hacks, very nice tutorial.