General
HaX4LiFe! (05-28-2011)
Thread: Current PTC method
Results 1 to 4 of 4
-
05-28-2011 #1Expert Member
- Join Date
- Sep 2010
- Gender
- Posts
- 733
- Reputation
180- Thanks
- 880
- My Mood
-
Current PTC method
Current CA EU method of executing console commands:
ltc: 0x378E0B70
ConsoleFunction: [ltc+208]: 0x46fb90
Unwrapped(bare console):[ConsoleFunction[26]]: 0x485F60
Creds for this ptc method go to our brothers in arms at ****, nice and easy.
Creds for the ltc/unwrapped console go to me.
Code:typedef int (__cdecl * RunConsoleCommand_T)(char* szCommand); RunConsoleCommand_T RunConsoleCommand = (RunConsoleCommand_T) 0x485F60; RunConsoleCommand("ShowFps 1");
ps: I'm not sure, but I think you can run the unwrapped console from everywhere in your code
EDIT:
You still have to call from within engine's threads (try hooking present, that works for me this way)
@HellSpider
I still have to try your method of bypassing the thread check. Maybe it works
Last edited by .::SCHiM::.; 05-28-2011 at 11:48 AM.
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
-
The Following User Says Thank You to .::SCHiM::. For This Useful Post:
-
05-28-2011 #2Member
- Join Date
- Jun 2010
- Gender
- Posts
- 103
- Reputation
- 30
- Thanks
- 133
- My Mood
-
Trust me, it does.
Originally Posted by .::SCHiM::.
PM me if you need the pointer where the real thread ID is and where you need to move your thread ID to.
-
05-29-2011 #3
ThreadstarterExpert Member
- Join Date
- Sep 2010
- Gender
- Posts
- 733
- Reputation
- 180
- Thanks
- 880
- My Mood
-
No need, no need Originally Posted by HellSpider
Trust me, it does.
PM me if you need the pointer where the real thread ID is and where you need to move your thread ID to.
Only one problem though, you still have to hook an engine function to find it's stack & threadid. I have function that searches all TEB's in a process, but then we still wouldn't know which TEB is the one we seek.Code:void CallConsoleWithBypass(char* Command){ _asm{ mov eax, fs:[0x24] mov SaveCurrentThreadID, eax // save our threadID mov eax, fs:[0x04] mov eax, [eax-0x0C] mov SaveCurrentThreadEntryPoint, eax // save our entrypoint mov eax, EngineThreadID // replace our threadID with that of engines.exe mov fs:[0x24], eax mov eax, EngineEntryPoint mov ebx, fs:[0x04] mov [ebx-0x0C], eax // replace our entrypoint with that of engine.exe } RunConsoleCommand(Command); _asm{ mov eax, SaveCurrentThreadID // put everything back in place mov fs:[0x24], eax mov eax, SaveCurrentThreadEntryPoint mov ebx, fs:[0x04] mov [ebx-0x0C], eax } return; }
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
-
05-29-2011 #4Member
- Join Date
- Jun 2010
- Gender
- Posts
- 103
- Reputation
- 30
- Thanks
- 133
- My Mood
-
Well yeah, you did it a bit different than I expected, just be carefull with editing the TEB as it's supposed to be an information block. When you execute the command you will at that moment have two different threads with the same ID, that can cause abnormalities if something external tries to enumerate threads. Originally Posted by .::SCHiM::.
No need, no need
Only one problem though, you still have to hook an engine function to find it's stack & threadid. I have function that searches all TEB's in a process, but then we still wouldn't know which TEB is the one we seek.Code:void CallConsoleWithBypass(char* Command){ _asm{ mov eax, fs:[0x24] mov SaveCurrentThreadID, eax // save our threadID mov eax, fs:[0x04] mov eax, [eax-0x0C] mov SaveCurrentThreadEntryPoint, eax // save our entrypoint mov eax, EngineThreadID // replace our threadID with that of engines.exe mov fs:[0x24], eax mov eax, EngineEntryPoint mov ebx, fs:[0x04] mov [ebx-0x0C], eax // replace our entrypoint with that of engine.exe } RunConsoleCommand(Command); _asm{ mov eax, SaveCurrentThreadID // put everything back in place mov fs:[0x24], eax mov eax, SaveCurrentThreadEntryPoint mov ebx, fs:[0x04] mov [ebx-0x0C], eax } return; }
My way of doing this is changing the EP in stack permanently (as it doesn't change thread behavior in any way).
Then there is a global DWORD reserved where the Engine thread ID is stored upon startup. When I run a console cmd, I move my thread ID to that DWORD buffer and when the cmd has executed I move the real ID back to the buffer.
Code:PushToConsole PROC argCommand:DWORD LOCAL ThreadPreserve:DWORD ;============ PRESERVE ACCEPTED THREAD ID ============== mov edx,REAL_THREAD_ID mov eax,dword ptr [edx] mov ThreadPreserve,eax ;=========== MAKE CURRENT THREAD ACCEPTED =========== mov eax,dword ptr fs:[24h] mov dword ptr [edx],eax ;============== CHANGE CONSOLE CMD ================ mov eax,CONSOLE_ADDRESS push argCommand call eax add esp,4 ;============ RESTORE ACCEPTED THREAD ID ============ mov edx,REAL_THREAD_ID mov eax,ThreadPreserve mov dword ptr [edx],eax ret PushToConsole ENDP
Last edited by HellSpider; 05-29-2011 at 08:53 AM.