Introduction:
-I am new to this site, and thought i would help out by posting a little over view on how dll hacking works.
-In this tutorial i will cover just the basics on how to go about making a dll.
What is dll hacking?:
-When you hack a game, usually you aim towards modifying memory, and hooking functions. This can all be accomplished by making a dll and, injecting it in to the process.
Do i need prior knowledge?
-Yes you do, preferably c++.
Steps on how to go about making a dll:
Our main.cpp:
-Even you beginner coders know, main.cpp is usually where our main code goes, this also usually applies in dll hacking. In our main.cpp we usually have to functions, 1.Hotkeys - this will handle all our activation and deactivation of our hacks. 2.Hacks - this is where we will actually call our functions which modify the memory. Both of these functions are in loops
Code:
while(true)
for(;;Sleep(20))
-We also in here will include our headers( i will talk about which later)
-And of course we need to have "dll main" in here too.
-Sample main.cpp:
Code:
#include <windows.h>
#include "main.h"
void Hotkeys()
{
for(;;Sleep(20))
{
}
}
void Hacks()
{
for(;;Sleep(20))
{
}
}
extern "C"
{
__declspec(dllexport) BOOL __stdcall DllMain(HINSTANCE hInst,DWORD reason,LPVOID lpv)
{
if(reason == DLL_PROCESS_ATTACH)
{
MessageBoxA(NULL, "Credits To Whoever", "DLL Injected", MB_OK);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&Hotkeys,NULL,0,NULL); // we need to actually create a thread for these functions, so it keeps running.
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&Hacks,NULL,0,NULL);
}
return true;
}
}
Our main.h:
-Now when you make a hack, you usually have a different file where you, make all your functions that modify the memory. You could have them all in one .cpp but it will get to crowded.
Sample Hack:
-This is a hack that i made for a game called IJJI GunZ, this wont work any more as the addresses are not updated and some offsets too. I will explain in a bit, what are addresses and all that.
-This is just a godmode hack, if you want some more in-dept sources, with a lot more hacks, just PM me. I will be glad to share my source codes.
Main.cpp:
Code:
#include <windows.h>
#include "main.h"
void Hotkeys()
{
for(;;Sleep(20))
{
if(GetAsyncKeyState(0x12)&0x8000 && GetAsyncKeyState('G')&0x8000)
{
bGod =!bGod;
Echo("Godmode Is%s", ((bGod) ? "On" : "Off"));
Sleep(300);
}
}
}
void Hacks()
{
for(;;Sleep(20))
{
if(ZMyCharacter())
{
if(bGod)
{
Godmode();
}
}
}
}
extern "C"
{
__declspec(dllexport) BOOL __stdcall DllMain(HINSTANCE hInst,DWORD reason,LPVOID lpv)
{
if(reason == DLL_PROCESS_ATTACH)
{
DisableThreadLibraryCalls(hInst);
MessageBoxA(NULL, "Message Content", "Message Tittle", MB_OK);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&Hotkeys,NULL,0,NULL);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&Hacks,NULL,0,NULL);
Medicine();
}
return true;
}
}
Main.h:
Code:
bool bGod;
unsigned long _ZChatOutput = 0x00433C60;
DWORD ZGetGame () {
DWORD * ptr_game = (DWORD*)0x706F58;
if (!*ptr_game) {
return (0);
}
if (!(*(DWORD*)*ptr_game)) {
return (0);
}
if (ptr_game) {
ptr_game = (DWORD*)*ptr_game;
}
return *(DWORD*)(*ptr_game + 0x2EC);
}
unsigned long ZMyCharacter( )
{
if (ZGetGame( ))
return *(unsigned long*)(ZGetGame( ) + 0xC4);
return 0;
}
void __declspec(naked) Chat(DWORD color, char * string , int id)
{
__asm JMP _ZChatOutput
}
void SetAP( DWORD ZModuleHPAP, float AP )
{
DWORD EAX = DWORD(ZModuleHPAP + 0x15);
DWORD EDX = *(DWORD*)(ZModuleHPAP + 0x15);
ZModuleHPAP+=8;
EDX-=EAX;
EAX = *(DWORD*)ZModuleHPAP;
*(float*)(EDX + 0xF93B4523) = AP+1.0f;
EAX-=ZModuleHPAP;
*(float*)(EAX + 0xF93B4523) = 1.0f;
}
void SetHP( DWORD ZModuleHPAP, float HP )
{
DWORD EAX = DWORD(ZModuleHPAP + 0x15);
DWORD EDX = *(DWORD*)(ZModuleHPAP + 0x15);
ZModuleHPAP+=8;
EDX-=EAX;
EAX = *(DWORD*)ZModuleHPAP;
*(float*)(EDX + 0xF93B4523) = HP+1.0f;
EAX-=ZModuleHPAP;
*(float*)(EAX + 0xF93B4523) = 1.0f;
}
void Godmode( )
{
SetHP( *(DWORD*)(ZMyCharacter( ) + 0x3A6), 1000.0f );
SetAP( *(DWORD*)(ZMyCharacter( ) + 0x3A6), 1000.0f );
}
void CureForCancer( )
{
return;
}
void Medicine( )
{
*(DWORD*)0x20D6A28 = DWORD( CureForCancer );
}
Explanation on how This code works:
main.cpp:
-The main.cpp is pretty simple, all it is doing is looping 2 functions. The hotkey section, just keeps checking if we press alt + g, and toggles bGod.
-We use booleans to toggle our hacks. As you can see:
Code:
if(bGod) // this just means if bGod is on(if we activated our godmode)
-and again we have "dllmain" our entry point. When the dll is injected it will create the 2 threads, and give a message box with whatever was specified.
Code:
extern "C"
{
__declspec(dllexport) BOOL __stdcall DllMain(HINSTANCE hInst,DWORD reason,LPVOID lpv)
{
if(reason == DLL_PROCESS_ATTACH)
{
DisableThreadLibraryCalls(hInst);
MessageBoxA(NULL, "Message Content", "Message Tittle", MB_OK);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&Hotkeys,NULL,0,NULL);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&Hacks,NULL,0,NULL);
Medicine();
}
return true;
}
}
main.h:
-Like i said, in here we actually make the functions that modify memory, or get memory at-least. Now lets examine each line briefly.
-This just declares a boolean of bGod
Code:
unsigned long _ZChatOutput = 0x00433C60;
This is the address for the function ZChatOutput. In GunZ this is like "cout" so to say. You see to call functions in the game, you need to find where they are, and get their "address"
Code:
DWORD ZGetGame () {
DWORD * ptr_game = (DWORD*)0x706F58;
if (!*ptr_game) {
return (0);
}
if (!(*(DWORD*)*ptr_game)) {
return (0);
}
if (ptr_game) {
ptr_game = (DWORD*)*ptr_game;
}
return *(DWORD*)(*ptr_game + 0x2EC);
}
well to keep this short its just the function that we will use to determine if our character is in game
Code:
unsigned long ZMyCharacter( )
{
if (ZGetGame( ))
return *(unsigned long*)(ZGetGame( ) + 0xC4);
return 0;
}
This is what determines weather our character is in game or not. As you can see, it is 0xC4 above our ZGetGame()
Code:
void __declspec(naked) Chat(DWORD color, char * string , int id)
{
__asm JMP _ZChatOutput
}
This is our chat functions, all it does is Jumps to our address of _ZChatOutput(aka, the "cout" of GunZ)
Code:
void SetAP( DWORD ZModuleHPAP, float AP )
{
DWORD EAX = DWORD(ZModuleHPAP + 0x15);
DWORD EDX = *(DWORD*)(ZModuleHPAP + 0x15);
ZModuleHPAP+=8;
EDX-=EAX;
EAX = *(DWORD*)ZModuleHPAP;
*(float*)(EDX + 0xF93B4523) = AP+1.0f;
EAX-=ZModuleHPAP;
*(float*)(EAX + 0xF93B4523) = 1.0f;
}
void SetHP( DWORD ZModuleHPAP, float HP )
{
DWORD EAX = DWORD(ZModuleHPAP + 0x15);
DWORD EDX = *(DWORD*)(ZModuleHPAP + 0x15);
ZModuleHPAP+=8;
EDX-=EAX;
EAX = *(DWORD*)ZModuleHPAP;
*(float*)(EDX + 0xF93B4523) = HP+1.0f;
EAX-=ZModuleHPAP;
*(float*)(EAX + 0xF93B4523) = 1.0f;
}
If you look at the disassembly in GunZ, you can reverse their function for GetHp and GetAp, and modify it so it sets it instead. All this functions does is, sets our hp to a certain value.
Code:
void Godmode( )
{
SetHP( *(DWORD*)(ZMyCharacter( ) + 0x3A6), 1000.0f );
SetAP( *(DWORD*)(ZMyCharacter( ) + 0x3A6), 1000.0f );
}
This just calls our sethp and setap functions, and makes our hp and ap 1000.
Code:
void CureForCancer( )
{
return;
}
void Medicine( )
{
*(DWORD*)0x20D6A28 = DWORD( CureForCancer );
}
These 2 functions are mainly just related to Gunz, just do not worry about it, but if your curious, this just bypasses some checks so we can use our Godmode.
Summary:
-So to summarize it up, in game hacking you usually need:
A.To get your character
B.Find and reverse certain functions, based upon what you want to do
C.Call these functions and modify them
-Also some games like ijji have "Anti-hack" the one ijji has is pretty legit as it checks certain functions. So you would have to bypass that check.
here is a example bypass of how it is done:
Code:
unsigned long LEAVERET = 0x005B7427;
unsigned long __cdecl GunZ(unsigned long Class,unsigned long Address,...){
__asm
{
push edi
mov edi, ebp
push offset L2
push ebp
mov ebp, esp
push dword ptr ds:[edi+52]
push dword ptr ds:[edi+48]
push dword ptr ds:[edi+44]
push dword ptr ds:[edi+40]
push dword ptr ds:[edi+36]
push dword ptr ds:[edi+32]
push dword ptr ds:[edi+28]
push dword ptr ds:[edi+24]
push dword ptr ds:[edi+20]
push dword ptr ds:[edi+16]
mov ecx, dword ptr ds:[edi+8]
push dword ptr ds:[LEAVERET]
jmp dword ptr ds:[edi+12]
L2:
pop edi
};
}
I will not be explaining this one, as it is for you experienced coders, and also my fingers hurt lol.
Any way thats it, feel free to ask any questions and sorry for any errors.