I'm trying to change the value of an address in solitaire which provides the time.
Given the code below, the baseaddress + offset 0x97074 should point to another address with offset 0x50 and finally this address should point to the final address with offset x0C to change the timevalue.
However, solitaire crashes when I'm executing this operation.
HMODULE hModule = GetModuleHandle(nullptr);
sstream << std::hex << reinterpret_cast<unsigned int>(hModule);
str = sstream.str();
BaseAddress = reinterpret_cast<DWORD>(str.c_str());
//MessageBox(NULL, (LPCSTR) BaseAddress, "Adress", MB_OK); just some reminder
*(*(*(*(DWORD *) BaseAddress + (DWORD *) BASE_OFS_DEF ) + (DWORD *)TIME_OFS1_DEF ) + (DWORD *)TIME_OFS2_DEF) = 500;
The logic is wrong, you are dereferencing your pointers before you add the offset and casting your offsets to pointers! I think this is what you want
*(DWORD*)(*(DWORD*)(*(DWORD*)(BaseAddress + BASE_OFS_DEF) + TIME_OFS1_DEF) + TIME_OFS2_DEF) = 500;
But you should really break that down a bit to help understand what's going on, e.g.
DWORD temp1 = *(DWORD*)(BaseAddress + BASE_OFS_DEF);
DWORD temp2 = *(DWORD*)(temp1 + TIME_OFS1_DEF);
*(DWORD*)(temp2 + TIME_OFS2_DEF) = 500;
Related
I have this PE loader that works really fine with 32bit PEs but with x64 ones it can't allocate the 0X0000000140000000 preferred base address since it only reads it as 0X40000000.
Here is how I allocate that address:
DWORD hdr_image_base = p_NT_HDR->OptionalHeader.ImageBase;
char* ImageBase = (char*)VirtualAlloc((void*)hdr_image_base, size_of_image, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
but when I hardcode the address It works just fine:
char* ImageBase = (char*)VirtualAlloc((void*)0X140000000, size_of_image, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
Is DWORD not enough to store the address?
this reallocation code is stripping some variable-length somewhere since it still works with 32 but not with x64:
//this is how much we shifted the ImageBase
DWORD_PTR delta_VA_reloc = (reinterpret_cast<DWORD_PTR>(ImageBase)) - p_NT_HDR->OptionalHeader.ImageBase;
// if there is a relocation table, and we actually shitfted the ImageBase
if (data_directory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0 && delta_VA_reloc != 0) {
printf("\n[*] The relocated address is not the prefered address, started relocating\n");
//calculate the relocation table address
IMAGE_BASE_RELOCATION* p_reloc = (IMAGE_BASE_RELOCATION*)(ImageBase + data_directory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
//once again, a null terminated array
while (p_reloc->VirtualAddress != 0) {
// how many relocations in this block
// ie the total size, minus the size of the "header", divided by 2 (those are words, so 2 bytes for each)
//std::cout << sizeof(WORD) << "\n"; sizeof word is 2
DWORD size = (p_reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
// the first relocation element in the block, right after the header (using pointer arithmetic again)
WORD* reloc = (WORD*)(p_reloc + 1);
for (int i = 0; i < size; ++i) {
//type is the first 4 bits of the relocation word
int type = reloc[i] >> 12;
// offset is the last 12 bits
unsigned long long int offset = reloc[i] & 0x0fff;
//printf("--------------- %#llx\n", offset);
//this is the address we are going to change
DWORD* change_addr = (DWORD*)(ImageBase + p_reloc->VirtualAddress + offset);
// there is only one type used that needs to make a change
// When you relocate you should look if the flag HIGHT_LOW is active for PE32 and DIR64 for PE32+
switch (type) {
case IMAGE_REL_BASED_HIGHLOW://for x86
*change_addr += delta_VA_reloc;
break;
case IMAGE_REL_BASED_DIR64://for x64
*change_addr += delta_VA_reloc;
break;
default:
break;
}
}
// switch to the next relocation block, based on the size
p_reloc = (IMAGE_BASE_RELOCATION*)((reinterpret_cast<DWORD_PTR>(p_reloc)) + p_reloc->SizeOfBlock);
}
}
I'm learning to modifying game values using C++ but now I'm stuck.
I know how to edit for example FLOAT value of Player speed:
uintptr_t _EntitiesBase = (uintptr_t)GetModuleHandle(L"EntitiesMP.dll");
uintptr_t EntityBase = _EntitiesBase + 0x3153D0;
DWORD Run = 0xDE4;
*(FLOAT*)(*(DWORD*)EntityBase + Run) = Value;
But I don't know, how to edit values, that have much offsets (Engine.dll + 0xD52AB0 + 0x48 + 0x228), because in the end it return wrong value, not that I wanted to change
For example, in Cheat Engine, the same thing looks like this:
I added Engine.dll + 0xD52AB0 as a pointer, and next add offset 0x48 and offset 0x220 and it gives me address 2DC7E488, that contains FLOAT value, that I need to change
Do you have any ideas?
You can use ReadProcessMemory to read process memory and WriteProcessMemory to write process memory. to do this you just need to use ReadProcessMemory for every offset then write the pointer value with WriteProcessMemory:-
uintptr_t entitybase;
uintptr_t value1;
float newValue = 100000;
ReadProcessMemory(ProcessHandle, (uintptr_t)EngineDllHandle + 0xD52AB0, &entitybase, sizeof(entitybase), 0);
ReadProcessMemory(ProcessHandle, entitybase + 0x48, &value1, sizeof(value1), 0);
WriteProcessMemory(ProcessHandle, value1 + 0x220, &newValue, sizeof(entitybase), 0);
I am trying to write a pattern finder for a test application i made that uses Directx9, but i am having some issues with finding the correct start pattern.
The pointer i am trying to find is the IDIRECT3D9 device pointer.
unsigned long dwStartAddress = 0x14008613F, dwLen = ( 0x14008613F - 0x14008615D );
bool bDataCompare(const unsigned char* pData, const unsigned char* bMask, const char* szMask)
{
for (; *szMask; ++szMask, ++pData, ++bMask)
if (*szMask == 'x' && *pData != *bMask)
return false;
return (*szMask) == 0;
}
unsigned long dwFindPattern(unsigned char *bMask, char * szMask, unsigned long dw_Address = dwStartAddress, unsigned long dw_Len = dwLen)
{
for (unsigned long i = 0; i < dw_Len; i++)
if (bDataCompare((unsigned char*)(dw_Address + i), bMask, szMask))
return (unsigned long)(dw_Address + i);
return 0;
}
Iv'e dug through the d3d9.h file and took a look at the sample projects for Microsoft DirectX SDK (August 2009) found here https://www.microsoft.com/en-us/download/details.aspx?id=23549
According to https://msdn.microsoft.com/en-us/library/windows/desktop/bb219676(v=vs.85).aspx Direct3DCreate9Ex checks if D3Dx9ex features are supported.
According to https://msdn.microsoft.com/en-us/library/windows/desktop/bb174313(v=vs.85).aspx
Direct3DCreate9::CreateDevice returns the pointer
below i am making the assumption that i can start my address scan at 0x14008613F and end at ( 0x14008613F - 0x14008615D )
Also i am making the assumption that
jnz short loc_14008615E
mov [rbx+0E8h], eax
is the location for my device pointer that im looking for. with
[rbx+0E8h]
being the pointer returned from Direct3DCreate9::CreateDevice
I hope iv'e given enough information on this, as this is my first attempt at doing any real memory manipulation.
Edit:
incase its important here is my signature and mask:
DWORD m_dwaddy = dwFindPattern((PBYTE)"\x00\x48\x8B\xF8", (char *)"?xxx");
Hello sorry for my bad English.
I want to calculate an address with offset.
The example I have got a base address: 0x00D2038 with offset 0x1c
I have tried this.
DWORD address = 0x004D2038;
DWORD offset = 0x1c;
DWORD base = (DWORD)(address + offset);
int old_value = 0;
int value = 3000;
//Obtain new address form the address whit offset.
DWORD addr2 = ReadProcessMemory(phandle,(void*)base,&old_value,sizeof(old_value),0);
//Write Memory
WriteProcessMemory(phandle,(void*)addr2,&value,(DWORD)sizeof(value),NULL);
But it does not work.
Memory is not changed. what is my error?
According to msdn, ReadProcessMemory returns a BOOL and you use that as addr2 to WriteProcessMemory. How can the memory be changed?
Suggest search from msdn on ReadProcessMemory and WriteProcessMemory and their example and learn how to use these 2 functions.
Think you have a simple typo -- Try;
//Write Memory
WriteProcessMemory(phandle,(void*)base,&value,(DWORD)sizeof(value),NULL);
I've run into a bit of a problem and I'm not sure how to do what I am trying to do.
I am using C++ to inject a DLL into an application and I want to alter an address. The problem is that I'm not quite sure how to target it - let me explain...
I know how to use pointers:
int x;
int *myPointer;
myPointer = &x;
*myPointer = 5;
std::cout << x << endl; // 5
And I know that you can point to pointers:
int x;
int *myPointer;
int **myPointer2;
myPointer = &x;
myPointer2 = &myPointer;
**myPointer = 5;
std::cout << x << endl; // 5
I am trying to make a basic game hack by injecting a DLL into a game, and then setting the ammo to a fixed value on a keypress. The injection is working, the keypress is working, but I get a crash whenever I try and access the memory.
I have used Cheat Engine to get the static address for the variable I want to change, along with 3 offsets.
The address info in Cheat Engine looks like this:
Address: 0288A520 = 19
Type: 4 bytes
0 [0288A520 + 0] -> 0288A520
14 [0288A520 + 14] -> 0288A520
384 [0288A3D0 + 384] -> 02881A30
ac_client.exe+109B74 -> 0288A3D0
The value 19 is the one I want to modify in my DLL.
If I close the game and re-open it, I get the correct values coming through using these pointers, but now my issue is I'm not sure how to implement this in C++. How do I represent this static address in C++?
My main thread currently looks like this...
DWORD WINAPI Main_Thread(LPVOID lpParam)
{
while(1)
{
if(GetAsyncKeyState(VK_HOME)) {
// Output value here???
}
Sleep(100);
}
}
Any help is greatly appreciated.
I've got it working. The things I had been trying before were happening because I had an incorrect base address.
My solution can be seen below.
Defining addresses
#define BASE_ADDR 0x00400000
#define AMMO_ADDR 0x00109B74
#define AMMO_OFS1 0x00000384
#define AMMO_OFS2 0x00000014
Get address function
DWORD getAddress(DWORD baseAddress, DWORD offsets[], int offsetCount)
{
DWORD address; // Where the final address will be stored
address = *(DWORD*)(BASE_ADDR + baseAddress); // Add the base address to the modules base address.
// Loop through each offset
for(int i = 0; i < offsetCount; i++) {
address = *(DWORD*)(address + offsets[i]);
}
return address;
}
Changing the value
DWORD ammoOffsets[] = {AMMO_OFS1, AMMO_OFS2};
DWORD ammoAddress = getAddress(AMMO_ADDR, ammoOffsets, 2);
int* ammoPointer = (int*) ammoAddress;
*ammoPointer = 20;