(MOV ECX, EDX) ===> How to get ECX and EDX please?

TheyCallMeTim13 (Enchanter, Staff member, Administrator, Fearless Donors, Talents; Joined Mar 3, 2017; Messages 1,799)
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'.
Code:
using System.Runtime.InteropServices;

// Handle and address parameters are declared as IntPtr so the same
// declarations work in 32-bit and 64-bit processes; int would truncate them.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out int lpNumberOfBytesWritten);
Here is a good tutorial I used for the same reason, though it was for learning, because when you learn CE you will find its awesomeness is undeniable.
https://www.codeproject.com/articles/670373/csharp-read-write-another-process-memory
 
TheyCallMeTim13 (Enchanter, Staff member, Administrator, Fearless Donors, Talents; Joined Mar 3, 2017; Messages 1,799)
And from there you would need to write your own AOB scanner, find a compatible ASM compiler, or write raw bytes to inject.
 
predprey (Expert Cheater, Fearless Donors; Joined Mar 2, 2017; Messages 181)
Sodruza said:
You can use Structure Dissect for that
I gotta say this is one weird game I'm trying to hack here (already hacked many). I did exactly what you said (dissect data structure) and couldn't find the player ID either. The only thing I could do was getting the XYZ and the team (which is enough).

The only missing part of the puzzle is reading ECX (after that particular MOV instruction)

Apparently I need to do some instruction hooking (already googled that) and I couldn't find a good example (I already did some API hooking with the SendTo function to deal with packets). But I never did "instruction hooking", if it's called so. Do you think this is where I should dig to do what I want? (I would like to make the radar in C# because I'm much better at it than at C++.)
The player ID is needed to properly segregate the addresses as ++METHOS has already said. Try changing the data type around and see if you can find it? Or read through the instructions around the mov [ecx],edx and see where it gets ecx from? You could possibly use ecx as the identifier but you said ecx itself is dynamic and changes for each player even during the same match, so I'm not sure if it would work.

As for hooking, I'm not sure if this is the same as API hooking as you want to specifically hook into the mov instruction. You can try looking at Minimalistic API Hooking Library to see if it can do it? Or you can manually do it with WriteProcessMemory and VirtualAlloc.
 
Sodruza (Noobzor; Joined Mar 3, 2017; Messages 12)
Hello,
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'.
I know these functions (read/write process memory); I use them to change some values and for pointers. The thing is, I don't see how they can help me in this case....
I'd like to code something like:

1 Hook the instruction "MOV" in 4FCD7B.
2 Return the ECX value every time the MOV instruction is called.

If I could code such a thing, well I can do the radar afterwards.

Try changing the data type around and see if you can find it
Trust me, I really tried this before and I guarantee the ID is not close to the XYZ pos in this game. But I don't care. In my radar I want to be able to get the XYZ and the team (blue or red), and I can do both manually (I can even get the name, but not the ID, but it's worthless); unfortunately, not with code yet.

WriteProcessMemory
Writing is worthless in this case, isn't it? What I wanna do is reading only.
 
TheyCallMeTim13 (Enchanter, Staff member, Administrator, Fearless Donors, Talents; Joined Mar 3, 2017; Messages 1,799)
Sodruza said:
But isn't there a way to do it in C# or C++? Because I really want to deal with the data in C#, because I will not make all my trainers using Lua (I don't know what it is) or the CE trainer generator. Do you see what I mean?
Sodruza said:
You can do it in C#, but you will need to use some C or C++ porting of 'kernel32.dll'.
I know these functions (read/write process memory); I use them to change some values and for pointers. The thing is, I don't see how they can help me in this case....
I'd like to code something like:

1 Hook the instruction "MOV" in 4FCD7B.
2 Return the ECX value every time the MOV instruction is called.

...
WriteProcessMemory
Writing is worthless in this case, isn't it? What I wanna do is reading only.
So if you want to do this in C# you will need to:
  • hook to the process.
  • Find a code cave for hooks and storing values. (reading)
  • Then find your injection point; AOB scan is best. (reading)
  • write the new code (in the code cave) that does the mov, then stores the value and jumps back to the injection point. (writing)(reading)
  • Then inject the new jmp to the new code in the code cave. (writing)

Which requires reading and writing.

Unless I misread, which happens, that's what you're looking for.
I hope this helps.
 
++METHOS (Administrator; Joined Mar 2, 2017; Messages 190)
Sodruza said:
Trust me, I really tried this before and I guarantee the ID is not close to the XYZ pos in this game.
-Anything can be used for an ID as long as it is reliable. See my previous post regarding alternative methods for finding a unique ID for code segregation. Typically, with coordinate values, an instruction can be used that accesses one of those XYZ values, exclusively (e.g. for hero character). Even if that is not the case, you can probably find a value inside of the same data structure that will serve your needs; it does not have to be a value that is even related to the coordinate values.

For example, coordinate X may be at [base+70], but you might find that some random value at [base+44] is being accessed by an instruction that is exclusive to that structure (or blue team structures) etc..

For that matter, a value that is several levels deep inside of a pointer tree may be viable and you are just not seeing it because you have not manually changed the element at those particular offsets.
 
Sodruza (Noobzor; Joined Mar 3, 2017; Messages 12)
So if you want to do this in C# you will need to:
hook to the process.
Find a code cave for hooks and storing values. (reading)
Then find your injection point; AOB scan is best. (reading)
write the new code (in the code cave) that does the mov, then stores the value and jumps back to the injection point. (writing)(reading)
Then inject the new jmp to the new code in the code cave. (writing)
This is the exact answer I expected. Damn, I didn't think it would be SO COMPLICATED and required WriteProcessMemory (which would mean it can be detected in some games, can it?)
For that matter, a value that is several levels deep inside of a pointer tree may be viable and you are just not seeing it because you have not manually changed the element at those particular offsets.
You must be right.... I think I will dig more then. Trying to get the ECX value right after a certain instruction is called is way too difficult (as long as I don't have a proper example). I already did API hooking thanks to an example; I think guidelines are just not enough in this case because I don't have your pro level.


I'm very grateful for your help, guys.
 
TheyCallMeTim13 (Enchanter, Staff member, Administrator, Fearless Donors, Talents; Joined Mar 3, 2017; Messages 1,799)
But if you stick with it you may find a sweet new tool/toy.
 
predprey (Expert Cheater, Fearless Donors; Joined Mar 2, 2017; Messages 181)
Sodruza said:
So if you want to do this in C# you will need to:
hook to the process.
Find a code cave for hooks and storing values. (reading)
Then find your injection point; AOB scan is best. (reading)
write the new code (in the code cave) that does the mov, then stores the value and jumps back to the injection point. (writing)(reading)
Then inject the new jmp to the new code in the code cave. (writing)
This is the exact answer I expected. Damn, I didn't think it would be SO COMPLICATED and required WriteProcessMemory (which would mean it can be detected in some games, can it?)
For that matter, a value that is several levels deep inside of a pointer tree may be viable and you are just not seeing it because you have not manually changed the element at those particular offsets.
You must be right.... I think I will dig more then. Trying to get the ECX value right after a certain instruction is called is way too difficult (as long as I don't have a proper example). I already did API hooking thanks to an example; I think guidelines are just not enough in this case because I don't have your pro level.


I'm very grateful for your help, guys.
Well... if you want to hook into the executable you would have to modify its executable code somehow, even for API hooking, so yea, I guess it's detectable. Alternatively, if you do not want to do that you would have to backtrace the pointers. I do not know how dynamic they are, but there has to be a static address where it starts from? You can just use ReadProcessMemory to trace from the start to some array, I imagine, that the game uses to store all the ECX values, then read from there.

For scanning you can use ReadProcessMemory to scan, or if you know that the executable code is always loaded at the same position in memory then just write directly to it. As for finding code caves in game hacking, it was necessary back when I was ASM hacking consoles, as that was executable modification, while memory hacking offers no way to allocate memory. But for Windows I think you can just use VirtualAlloc to allocate you some memory to write your new code.
 
++METHOS (Administrator; Joined Mar 2, 2017; Messages 190)
If you are worried about detection, one possible alternative would be to make use of the SE plugin and just hook the function in memory to read the value after execution. You will still need a way to segregate the code. Worst-case scenario, as previously described as one of the methods for finding unique IDs for code segregation, would be to incorporate pointers inside of your script and just compare against that.

So, find your XYZ values (and XYZ of everyone else), and perform a pointer scan on each X value. Once you have reliable pointers for each, just incorporate those inside of your script and compare the register address/value against each one.
 
lordrake (Noobzor; Joined Jan 31, 2018; Messages 7)
Sodruza said:
But isn't there a way to do it in C# or C++?
Yes, if you just need to grab data out of registers then what you want is a simple detour. You can do it externally, but it's much easier internally, so you would write a DLL that places a jmp at the address, inject your own code into another free memory address and have your jmp jump to your code, make a copy of the register and then jump back to the original address. The trick is, whatever bytes you overwrote you need to execute them inside your detour, and when you jump back you don't want to hit your own jump again, so you need to jump to the instruction after your jump. You can read my detour tutorial to learn more.

Here is what the example code from the tutorial looks like:
Code:
// 32-bit (x86) build only: the DWORD pointer casts and inline __asm assume it.
#include <Windows.h>
#include <string.h>

// Overwrites the first `len` bytes at toHook with a 5-byte relative JMP (E9 rel32)
// to ourFunct and NOP-pads the rest; len must cover whole instructions.
bool Hook(void * toHook, void * ourFunct, int len) {
	if (len < 5) {
		return false;
	}

	DWORD curProtection;
	if (!VirtualProtect(toHook, len, PAGE_EXECUTE_READWRITE, &curProtection)) {
		return false;
	}

	memset(toHook, 0x90, len);

	// rel32 is measured from the end of the 5-byte JMP instruction
	DWORD relativeAddress = ((DWORD)ourFunct - (DWORD)toHook) - 5;

	*(BYTE*)toHook = 0xE9;
	*(DWORD*)((DWORD)toHook + 1) = relativeAddress;

	DWORD temp;
	VirtualProtect(toHook, len, curProtection, &temp);

	return true;
}

DWORD jmpBackAddy;
// Naked so the compiler emits no prologue/epilogue; the overwritten original
// instructions are re-executed here before jumping back past the hook.
void __declspec(naked) ourFunct() {
	__asm {
		add ecx, ecx
		mov edx, [ebp-8]
		jmp [jmpBackAddy]
	}
}

DWORD WINAPI MainThread(LPVOID param) {
	int hookLength = 6;            // bytes overwritten at the hook site (tutorial's value)
	DWORD hookAddress = 0x332768;  // address from the tutorial's example target
	jmpBackAddy = hookAddress + hookLength;

	Hook((void*)hookAddress, ourFunct, hookLength);

	while (true) {
		if (GetAsyncKeyState(VK_ESCAPE)) break;
		Sleep(50);
	}

	FreeLibraryAndExitThread((HMODULE)param, 0);

	return 0;
}

BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved) {
	switch (dwReason) {
	case DLL_PROCESS_ATTACH:
		CreateThread(0, 0, MainThread, hModule, 0, 0);
		break;
	}

	return TRUE;
}
This is essentially what CE Code Injection scripts do; it's just kind of abstracted away from you.
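As an added illustration of the detectability question raised earlier in the thread (this is not code from the tutorial or from any poster), here is a small C integrity check of the kind anti-tamper code runs: it compares a live code region against a pristine copy and, at the first mismatch, decodes the rel32 of an E9 JMP using the same layout the Hook() function above writes. The code bytes, the region base 0x00401000 and the cave address 0x00500000 are constructed values, and simulate_jmp_patch() only builds the sample in a buffer.

```c
/* Integrity check for an inline E9 detour. Added example; the code bytes,
 * REGION_BASE and CAVE_ADDR are constructed, not taken from a real module. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REGION_LEN  16u
#define REGION_BASE 0x00401000u  /* assumed load address of the region */
#define CAVE_ADDR   0x00500000u  /* assumed address of an injected code cave */

typedef struct {
    size_t   offset;   /* offset of the first byte that differs */
    int      is_jmp;   /* 1 if a 5-byte E9 rel32 JMP starts at that offset */
    uint32_t target;   /* absolute JMP target when is_jmp == 1 */
} patch_report_t;

/* Constructed pristine bytes: add ecx,ecx / mov edx,[ebp-8] / nop / ret / int3 padding */
static const uint8_t PRISTINE[REGION_LEN] = {
    0x01, 0xC9,
    0x8B, 0x55, 0xF8,
    0x90,
    0xC3,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC
};

/* Mirrors the Hook() arithmetic on a plain buffer, only to build the sample:
 * NOP-fill `len` bytes, then E9 + rel32 measured from the end of the JMP. */
static void simulate_jmp_patch(uint8_t *code, size_t at, size_t len,
                               uint32_t base, uint32_t target)
{
    uint32_t rel = target - (base + (uint32_t)at + 5u);
    memset(code + at, 0x90, len);
    code[at] = 0xE9;
    memcpy(code + at + 1, &rel, 4);  /* little-endian, as x86 encodes it */
}

/* Returns 1 and fills `out` if live differs from pristine, else 0. */
int find_patch(const uint8_t *pristine, const uint8_t *live, size_t len,
               uint32_t base, patch_report_t *out)
{
    for (size_t i = 0; i < len; i++) {
        if (pristine[i] == live[i]) continue;
        out->offset = i;
        out->is_jmp = 0;
        out->target = 0;
        if (live[i] == 0xE9 && i + 5 <= len) {
            uint32_t rel;
            memcpy(&rel, live + i + 1, 4);
            out->is_jmp = 1;
            out->target = base + (uint32_t)i + 5u + rel;  /* wraps mod 2^32 like the CPU */
        }
        return 1;
    }
    return 0;
}

/* A detour normally leaves the module; a target outside the region is the tell. */
int target_outside(uint32_t target, uint32_t base, size_t len)
{
    return target < base || target >= base + (uint32_t)len;
}

/* Live copy patched the way the tutorial's Hook() would (6 bytes at offset 0). */
int demo(patch_report_t *out)
{
    uint8_t live[REGION_LEN];
    memcpy(live, PRISTINE, REGION_LEN);
    simulate_jmp_patch(live, 0, 6, REGION_BASE, CAVE_ADDR);
    return find_patch(PRISTINE, live, REGION_LEN, REGION_BASE, out);
}

int demo_found(void)       { patch_report_t r; return demo(&r); }
int demo_is_jmp(void)      { patch_report_t r; return demo(&r) && r.is_jmp; }
uint32_t demo_target(void) { patch_report_t r; return demo(&r) ? r.target : 0; }
/* Unpatched region: comparing the pristine copy with itself reports nothing. */
int demo_clean(void)       { patch_report_t r; return find_patch(PRISTINE, PRISTINE, REGION_LEN, REGION_BASE, &r); }

int main(void)
{
    patch_report_t r;
    if (demo(&r))
        printf("patch at +%zu: %s target 0x%08X (%s region)\n", r.offset,
               r.is_jmp ? "E9 JMP," : "not a JMP,", r.target,
               target_outside(r.target, REGION_BASE, REGION_LEN) ? "outside" : "inside");
    else
        printf("region matches pristine copy\n");
    return 0;
}
```

In the constructed sample the check reports a JMP at offset 0 whose decoded target is 0x00500000, outside the 16-byte region; that is exactly the signal an in-game integrity scan (byte-comparing or hashing .text against the on-disk image) looks for, which is why predprey's answer that patching executable code is detectable holds.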
 