Hack Template[Delphi]

Posts 1–12 of 12 · Page 1 of 1
Departure
Well, I just joined up a couple of days ago to try my luck at making a game hack. Anyway, from some bits and pieces around the forum (most people are super protective of their work and call others "noob") lol

Here is a Delphi template I made. The PushToConsole gets you kicked, and for some reason, I'm not sure why, it won't write the original Recoil bytes back to the VA, so next round in a game you get kicked. I also made my own dump of CShell.dll, and another strange thing is that my dump is 7 MB while the dump released on this forum was 9 MB and wouldn't load in my OllyDbg, but the dump I made loaded without a problem.

Anyway, here is the Delphi source template with the Recoil addresses from this forum.

Code:
library DepartureLib;

uses
  Windows, SysUtils;

{$R *.res}

// Set this up later for easier use
Type
  TPatchRecord = Record
    Address: Pointer;
    Bytes: array of Byte;
  end;

  PPatchRecord = ^TPatchRecord;

var
  dwThrdHack: Dword = 0;
  dwThrdMain: Dword = 0;
Const
  //Recoil
  AddressRecoil1 = $37465A60;
  AddressRecoil2 = $37234EB9;
  AddressRecoil3 = $37465A74;
  AddressRecoil4 = $37465A77;
  AddressRecoil5 = $37465A80;

  PatchRecoil1 : Array[0..2] of byte = ($90,$90,$90);
  PatchRecoil2 : Array[0..10] of byte = ($90,$90,$90,$90,$90,$90,$90,$90,$90,$90,$90);
  PatchRecoil3 : Array[0..2] of byte = ($90,$90,$90);
  PatchRecoil4 : Array[0..2] of byte = ($90,$90,$90);
  PatchRecoil5 : Array[0..2] of byte = ($90,$90,$90);

  OriginalRecoil1 : Array[0..2] of byte = ($D8,$66,$54);
  OriginalRecoil2 : Array[0..10] of byte = ($C7,$84,$24,$94,$00,$00,$00,$0F,$00,$00,$00);
  OriginalRecoil3 : Array[0..2] of byte = ($D9,$5E,$54);
  OriginalRecoil4 : Array[0..2] of byte = ($D9,$46,$48);
  OriginalRecoil5 : Array[0..2] of byte = ($D9,$5E,$48);

  //ReLoad
  AddressReload = $374B1826;

  PatchReload : Array[0..7] of byte = ($90,$90,$90,$90,$90,$90,$90,$90);

  OriginalReload : Array[0..7] of byte = ($81,$44,$24,$04,$1C,$00,$00,$00);

//PTC Method
function PushToConsole(sValue:string):boolean;cdecl;
begin;
 asm
  pushad
   xor ecx, ecx
   mov eax,[$0377f4930]
   mov ecx,[eax+$0208]
   push sValue             
   call ecx
   add esp,4
  popad
 end;
 Result:= True;
end;

// Write Bytes to Address Method
Function WriteIt(pAddress: Pointer; Bytes: Array of Byte): Boolean;
var
  OldProtect, DummyProtect: DWord;
begin
  if VirtualProtect(pAddress, SizeOf(Bytes), PAGE_EXECUTE_READWRITE, @OldProtect) then
   begin
    Move(Bytes, pAddress^, Length(Bytes));
    VirtualProtect(pAddress, SizeOf(Bytes), OldProtect, @DummyProtect);
    Result := True
   end
   else
    Result := False;
end;

function FuncMain(const LPVOID: variant): Boolean;
var
  Recoil, Reload: Boolean;
begin

  Recoil := False;
  Reload := False;
  while (True) do
   begin
    asm
      pushad;
    end;

    if (GetAsyncKeyState(VK_NUMPAD1) <> 0) then
     begin
      Sleep(100);
      if Recoil then
       begin
        WriteIt(ptr(AddressRecoil1),OriginalRecoil1);
        WriteIt(ptr(AddressRecoil2),OriginalRecoil2);
        WriteIt(ptr(AddressRecoil3),OriginalRecoil3);
        WriteIt(ptr(AddressRecoil4),OriginalRecoil4);
        WriteIt(ptr(AddressRecoil5),OriginalRecoil5);
        Recoil:= False;
       end
       else
       begin
        WriteIt(ptr(AddressRecoil1),PatchRecoil1);
        WriteIt(ptr(AddressRecoil2),PatchRecoil2);
        WriteIt(ptr(AddressRecoil3),PatchRecoil3);
        WriteIt(ptr(AddressRecoil4),PatchRecoil4);
        WriteIt(ptr(AddressRecoil5),PatchRecoil5);
        Recoil:= True;
       end;
     end;

     if (GetAsyncKeyState(VK_NUMPAD2) <> 0) then
     begin
      Sleep(100);
      if Reload then
       begin
        PushToConsole('ShowFps 1');
        PushToConsole('SkelModelStencil -1');
        //Reload didn't work :( just crashed when it was time to reload
        //WriteIt(ptr(AddressReload),OriginalReload);
        Reload:= False;
       end
       else
       begin
        PushToConsole('ShowFps 0');
        PushToConsole('SkelModelStencil 0');
        //Reload didn't work :(
        //WriteIt(ptr(AddressReload),OriginalReload);
        Reload:= True;
       end;
     end;
    asm
      popad;
    end;
  end;
  Sleep(200);
end;

Function IsGameReadyForHook: Boolean;
var
  null: variant;
begin
  if ((GetModuleHandleA('d3d9.dll') <> null) and
    (GetModuleHandleA('ClientFX.fxd') <> null) and
    (GetModuleHandleA('CShell.dll') <> null)) then
  begin
    Result := True;
  end
  else
    Result := False;
end;

Function HackThread(): Dword;
var
 cHandle: Cardinal;
begin
  Repeat
    Sleep(500);
  Until ((IsGameReadyForHook = True) and (dwThrdMain = 0));

  CreateThread(nil, 0, @FuncMain, nil, 0, dwThrdMain);
  cHandle:= GetModuleHandleA('CShell.dll');
  MessageBoxA(0, Pchar(inttostr(cHandle)),Pchar('CShell Handle'), MB_OK + MB_ICONINFORMATION);
  Result := 0;
end;

procedure DllMain(reason: integer);
begin
  case reason of
    DLL_PROCESS_ATTACH:
      begin
        CreateThread(nil, 0, @HackThread, nil, 0, dwThrdHack);
      end;
    DLL_PROCESS_DETACH:
      begin
        if dwThrdMain <> 0 then
          CloseHandle(dwThrdMain);
        if dwThrdHack <> 0 then
          CloseHandle(dwThrdHack);
      end;
  end;
end;

begin
  DisableThreadLibraryCalls(hInstance);
  DllProc := @DllMain;
  DllProc(DLL_PROCESS_ATTACH);

end.

There is none of the "noobproof" stuff in this code like I see around, and the only "noobs" are the ones who are too lame to share and explain their code to others so that they can learn...

Anyway, enjoy, and if you make any improvements please share, OR if anyone is willing to give me a rundown on "Engine.exe" and "CShell.dll", please do, as this will speed up my progress... I don't think any of the better coders will, as their greed to keep stuff to themselves and act like "GOD" to the rest of the learning programmers is too much for them to give up.


P.S. Big thanks to Acid burn for his information (the only one who was nice enough to give help)... Just in case you're wondering, I have been programming for over 5 years, 2 years in VB6 and 3 years in Delphi. I just started learning C# because of the .NET framework needed for ALL coders.
#1 · edited 15y ago · 15y ago
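Added example, not part of Departure's post or of any code in this thread: the template above changes game behaviour by overwriting instructions in a loaded module with $90 (NOP) bytes, which is exactly what a client-side code-integrity check looks for. The C sketch below compares guarded regions of an image against their known-good bytes and classifies the result. The two expected byte sequences are the first two "Original" arrays from the post; the offsets, the sample image and every function and type name are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A guarded code region: offset into the module image plus its known-good bytes. */
typedef struct { size_t offset; const uint8_t *expected; size_t len; } guard_t;
typedef enum { REGION_OK, REGION_NOPPED, REGION_MODIFIED, REGION_OUT_OF_RANGE } verdict_t;

/* Known-good bytes from the post's "Original" arrays; the offsets are constructed. */
static const uint8_t EXP_A[] = {0xD8, 0x66, 0x54};
static const uint8_t EXP_B[] = {0xC7, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00};
static const guard_t GUARDS[] = {{0x10, EXP_A, sizeof EXP_A}, {0x20, EXP_B, sizeof EXP_B}};

/* Classify one region; bounds are checked without overflowing offset + len. */
verdict_t check_region(const uint8_t *image, size_t image_len, const guard_t *g) {
    if (g->offset > image_len || g->len > image_len - g->offset)
        return REGION_OUT_OF_RANGE;
    const uint8_t *p = image + g->offset;
    if (memcmp(p, g->expected, g->len) == 0)
        return REGION_OK;
    for (size_t i = 0; i < g->len; i++)
        if (p[i] != 0x90)
            return REGION_MODIFIED;   /* changed, but not a plain NOP fill */
    return REGION_NOPPED;             /* every byte replaced with 0x90 */
}

/* Number of guarded regions that no longer match their baseline. */
size_t count_tampered(const uint8_t *image, size_t image_len, const guard_t *guards, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (check_region(image, image_len, &guards[i]) != REGION_OK)
            bad++;
    return bad;
}

/* Constructed sample image (n must be at least 0x2B): filler plus known-good bytes. */
void build_sample(uint8_t *img, size_t n) {
    memset(img, 0xCC, n);
    memcpy(img + GUARDS[0].offset, EXP_A, sizeof EXP_A);
    memcpy(img + GUARDS[1].offset, EXP_B, sizeof EXP_B);
}

int main(void) {
    uint8_t img[64];
    build_sample(img, sizeof img);
    memset(img + 0x10, 0x90, sizeof EXP_A);   /* simulate the NOP overwrite */
    printf("tampered regions: %zu\n", count_tampered(img, sizeof img, GUARDS, 2));
    return 0;
}
```

In a real client the baseline would come from the signed on-disk image, with relocated operands masked out before comparison, and the verdicts would be reported to the server rather than acted on locally.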
ac1d_buRn
Looks good mate.
hahaz released a working push to console method in this section, so download that and have a look through it.
Your reload address appears to be wrong. The one I have logged is 0x374B1824.
Sorry about not answering your PM either, just got on my coding PC.
#2 · 15y ago
Departure
374B1824 <-- I looked at that address in Olly and I don't think it's correct. This is only on theory that you NOP it

Code:
374B1821   /.  5B                                          POP EBX
374B1822   |.  895C24 04                                   MOV [ESP+4],EBX
374B1826   |.  814424 04 1C000000                          ADD DWORD PTR [ESP+4],1C
374B182E   |.  43                                          INC EBX
374B182F   |.  53                                          PUSH EBX
as you can see the byte at address 374B1824 is "$24, $04" ... ...

This makes no sense to nop it..

otherwise it ends up being
Code:
374B1822       895C90 04                                   MOV [EAX+EDX*4+4],EBX
#3 · 15y ago
ac1d_buRn
Quote Originally Posted by Departure View Post
374B1824 <-- I looked at that address in Olly and I don't think it's correct. This is only on theory that you NOP it

Code:
374B1821   /.  5B                                          POP EBX
374B1822   |.  895C24 04                                   MOV [ESP+4],EBX
374B1826   |.  814424 04 1C000000                          ADD DWORD PTR [ESP+4],1C
374B182E   |.  43                                          INC EBX
374B182F   |.  53                                          PUSH EBX
as you can see the byte at address 374B1824 is "$24, $04" ... ...

This makes no sense to nop it..

otherwise it ends up being
Code:
374B1822       895C90 04                                   MOV [EAX+EDX*4+4],EBX
Not sure :\
That's what I got off my logger.
When I'm back on my coding computer, I'll run the logger again and see what it gets.
I think the sigs are getting old, because my 5th no recoil address returns 0x00000

Could you please send me your dumped CShell, as I cannot dump because of BSoD on Windows 7
#4 · edited 15y ago · 15y ago
Departure
I use Windows 7 also. All you need to do is run CA and then use Olly to attach to the process, then use the OllyDump plugin to dump the CShell process..

But yes, I'll up the dump. I'm not sure about the rules for uploading or external links....



//Edit uploaded Cshell Dump...

Open with olly and ignore the exceptions ...
#5 · edited 15y ago · 15y ago
[MPGH]AVGN
Quote Originally Posted by Departure View Post
I use Windows 7 also. All you need to do is run CA and then use Olly to attach to the process, then use the OllyDump plugin to dump the CShell process..

But yes, I'll up the dump. I'm not sure about the rules for uploading or external links....



//Edit uploaded Cshell Dump...

Open with olly and ignore the exceptions ...
I'll approve it this time...

but you better provide virus scans next time
#6 · 15y ago
ac1d_buRn
Quote Originally Posted by Departure View Post
I use Windows 7 also. All you need to do is run CA and then use Olly to attach to the process, then use the OllyDump plugin to dump the CShell process..

But yes, I'll up the dump. I'm not sure about the rules for uploading or external links....



//Edit uploaded Cshell Dump...

Open with olly and ignore the exceptions ...
Thanks for that man. I'll take a look and get back to you.
#7 · 15y ago
odog
haha i like this `1

how do u do it ????
#8 · 15y ago
Departure
lol I thought I would see some questions about this now the other public hacks are detected, I have actually updated this some more, but if you want to use this one just compile it and inject it to Engine.exe(you could use D-Jector for injection).

And yes this is still not detected....
#9 · 15y ago
topblast
This language looks a lot like pascal.. or is it pascal
#10 · 15y ago
ac1d_buRn
Quote Originally Posted by topblast View Post
This language looks a lot like pascal.. or is it pascal
No, it's Delphi.
#11 · 15y ago
Gordon`
Delphi is based off Pascal
#12 · 15y ago