-
کد اینجکشن
ode Caves and Code Injection
I. Introduction
Code caves are series of 00 and/or 90 hex bytes located in the process memory of our games. We can use these code caves as a place wherein we can write our own code/routine/function.
II Needed Tools
1. SoftIce/Tsearch (I prefer SoftIce)
[ برای مشاهده لینک ، با نام کاربری خود وارد شوید یا ثبت نام کنید ]
2. Your favorite Memory Searcher (I use ArtMoney)
[ برای مشاهده لینک ، با نام کاربری خود وارد شوید یا ثبت نام کنید ]
3. Tsongkie’s Code Cave Tool ?
[ برای مشاهده لینک ، با نام کاربری خود وارد شوید یا ثبت نام کنید ]
4 Game (I used Gangsters 2 v1.0.5)
5. Few Brain cells ?
III Hacking the Game
I have searched the game as normal and found the value 010BAFDC for money. I also noticed that the money is being updated when the time returns to 00 (e.g. 10:00, 11:00). Also, 010BAFDC is a COUNTER Address, changing it wont have any effect with the real value.
For SoftIce Users be sure that the you enabled the following in SoftIce:
Dump Window: wd [return]
Register Window: wr [return]
Hex Codes: code on [return]
What we need is to put a breakpoint at 010BAFDC… so…
Press ctrl+d
Type bpmd 010BAFDC w
X
And wait for SoftIce to Pop when time reaches 00…
When SoftIce pops up, I get the following code:
0177:005650E6 85C0 TEST EAX,EAX
0177:005650E8 75CA JNZ 005650F4
0177:005650EA 8A8658040000 MOV AL,[ESI+00000458]
0177:005650F0 84C0 TEST AL,AL
0177:005650F2 7570 JNZ 00565164
0177:005650F4 57 PUSH EDI
0177:005650F5 8B7C240C MOV EDI,[ESP+0C] ? Notice here
0177:005650F9 85FF TEST EDI,EDI ? SoftIce Pops Here
0177:005650FB 7D0B JGE 00565108
type d [ESP+0C]
BINGO! [ESP+0C] is equal to 010BAFDC, our money address ?. If we simply NOP this, the money wouldn’t change…It wouldn’t either increase nor decrease… the answer to this problem is code injection…
What we need is change MOV EDI,[ESP+0C] to:
MOV EDI,00FFFFFF which gives us $99,999,999…
IV Code injection
First, Get TCCT (Tsongkie’s Code Cave Tool… Yeah ? ) and search Gangsters2 Window for code caves. Look at the results and select one… I chose 00400319. In SoftIce type:
D 400319 [return]
Scroll down some more just to be safe…Look at 00400342…Again type
U 00400342
It is a series of code caves… Write down the address in a piece of paper.
For our own injected function
Now we need to assemble 00400342, so type:
A 00400342 [return]
0028:400342 MOV EDI,00FFFFFF [RETURN]
0028:400347 TEST EDI,EDI
0028:400349 RET
Again type: U 400342 [return]
It should look like this:
0028:00400342 BFFFFFFF00 MOV EDI,00FFFFFF
0028:00400347 85FF TEST EDI,EDI
0028:00400349 C3 RET
What we have just written is our own function ?.
1) The instruction at 0028:00400342 is the code that we need to have $9,999,999.
2) The instruction at 0028:00400342 is the same code at 0177:005650F9. We rewrote this because we are going to overwrite the instruction at 0177:005650F9 when we call our own function.
3) All functions/procedures end with a RET (instruction at 0028:00400349)
The only thing we need to do is call our function…
Calling Our Function/Procedure
Lets look at the game’s code again:
0177:005650F2 7570 JNZ 00565164
0177:005650F4 57 PUSH EDI
0177:005650F5 8B7C240C MOV EDI,[ESP+0C] ? Notice here
0177:005650F9 85FF TEST EDI,EDI
0177:005650FB 7D0B JGE 00565108
What we need is to overwrite the code at 0177:005650F5 and 0177:005650F9 with a CALL Instruction. Lets assemble and overwrite the said codes.
Now type:
A 005650F5 [return]
0177:005650F5 CALL 00400342
0177:005650FA NOP ? NOP this because the next instruction starts at: 005650FB
0177:005650FB [RETURN] ? Next Instruction starts here
Type again:
U 005650F5 [RETURN]
It should look like this:
0177:005650F2 7570 JNZ 00565164
0177:005650F4 57 PUSH EDI
0177:005650F5 E848B2E9FF CALL 00400342
0177:005650FA 90 NOP
0177:005650FB 7D0B JGE 00565108
There, we are done. ? Clear all our breakpoints and check if it works. It should.
V. Our Trainer
You just need to write…
Address New Bytes
00400342 BF FF FF FF 00 85 FF C3
005650F5 E8 48 B2 E9 FF 90
V
-
ساخت ترینر در ویژوال بیسیک 6
1- Introduction
2- Things you need
3- How to Write Trainers
4- Extra Stuff
5- Credits
<Introduction>
Fisrt of all, MAXIMIZE your notepad so you can read this thing with no trouble.
This code has been sitting in my computer for months and I didn´t use it at all.....
so I decided to write a tutorial and post it somewhere. I´ll try to show you a way to write your
own trainers without the aid of Magic Trainer or such. Have fun.
<Things you need>
* Visual Basic 6.0 (otherwise you won´t be able to see the examples)
<How to Write Trainers>
Trainer is the common name used to desgin those little cool programs that ---- PC games (mostly)
like Starcraft, Age of Emipres, Diablo, etc... Since these games create saved games with
checksums and other kind of stuff, the only way to ---- 'em is by changing the data when the game
is running. How do you do this?? Well, the WinApi has a lot of different functions to handle the
operation.
I wrote a Visual Basic Class to do all the work. It's based on Beans' VB documentation and the
C++ class document written by a Oboema.
Class Properties:
WindowTitle> This is the actual title of the window, to see the title press Alt+Ctl+Del and seek
your name in the list. It has to be the FULL name, I didn´t add support for
incomplete strings, but it can be easily done (get some info about that from
planet-source-code.com)
ProcessHandle> Public property where the process handle is stored, you can store it manually but
the class won´t know that the process is open (see ProcessIsOpen() as Boolean)
The class can be divided into 10 public functions (and a few others private):
__________________________________________________ ______________________________________________
OpenPR()
This function will open the process (based on the WindowTitle property previously given) and
return TRUE or FALSE, depending on the result of the operation. If it returns TRUE, the program
will retrive a Process Handle from the system and store it in the ProcessHandle property of the
class.
__________________________________________________ ______________________________________________
ClosePR()
This function will close the handle to the process. If no handle has been retrieved it'll return
FALSE. No parameters are necessary, since the ProcessHandle is a Public property.
__________________________________________________ ______________________________________________
ReadByte(address as Long)
This one will return the byte value at the given address.
__________________________________________________ ______________________________________________
WriteByte(address as Long, value as Byte)
This one will write a byte value at the given address.
__________________________________________________ ______________________________________________
ReadUINT(address as Long)
This one will return the Unsigned Integer value at the given address. (0-65535)
__________________________________________________ ______________________________________________
WriteUINT(address as Long, value as Long)
This one will write a Unsigned Integer value at the given address. (0-65535)
__________________________________________________ ______________________________________________
ReadHexString(address as Long, size as long)
DON´T PASS THE &H PREFIX!
This function will return the hexadecimal base value located at the given offset, the size is
multiplied by 2, example:
ReadHexString(1234, 1) will return "0F" (the values are just examples....)
ReadHexString(1234, 2) will return "0FC4"
ReadHexString(1234, 3) will return "0FC471" ...Got it?
__________________________________________________ ______________________________________________
WriteHexString(address As Long, HexString As String)
Just pass a address and a value, it doesn´t matter the size of the expresion (as long as it's a
valid number). If you pass "F" the program will add the extra 0, the same for 98F4A.. and so on
__________________________________________________ ______________________________________________
ReadString(addres as Long, size as Long)
The size you send to the function will be the actual lenght of the returned string, when using
this function with textboxes remember this: strings are terminated by a NULL character so if
you pass a size of 20000 and the 5th character is 0, you´ll get a 4 char long string into your
text box, but that does´t mean the program didn´t read the 20000 characters...
__________________________________________________ ______________________________________________
WriteString(address as Long, str as String)
Just pass the string, the address and it will do the rest.
__________________________________________________ ______________________________________________
<Extra Stuff>
Well, the included project has an example program. The basic steps to use the class are:
* Declare it like this: Dim MyClass As New CProcess
* You can access the functions by the "." operator: MyByte = MyClass.ReadByte(12345)
* Set the WindowTitle property: MyClass.WindowTitle = "Calculator"
* Open the Process: MyClass.OpenPr()
* Use it: MyClass.WriteHexString(1234, "0FA43")
* Close the Process: MyClass.ClosePr()
Download
-
ساختن ترینر برای انرژی بار یه همون نوار های جان
=============================================
How to create a trainer for energy bars using GameHack and Master Cheater
I'm using Virtua Fighter to demonstrate how the creation works but I think it can be generalized so that nearly every game with energy bars can be cheated using that method...
First of all you should start Virtua Fighter, then ALT-TAB to your desktop and load GameHack.
Now select the process you wanna cheat (in that case 'Virtua Fighter PC') by clicking on the cog-wheel button and seearching the process.
Done ? Allright, let's continue.
Get back to the game (I think you know how to do that...). It's much easier to find the offsets you are searching for (the ones of the energy bar) if you select a two-player game now. It could be helpful to turn off the timer as well since the cheating process will take a lot of time...
Once inside the game ALT-TAB (or CTRL-F12) to GameHack. Press that binoculars- button (start search) and start an advanced search using the type: '1 byte'. Why ? That's easy ... most of the games with energy bars use the value '255' as the maximum of the bar. In hex that's 'FF' which is one byte.
Click on OK and return to your game.
As the second player hit player 1 one time and go back to GameHack.
Click on 'Next search andsearch for a 'decreased' value now. GameHack finds a lot of those offsets, so go back to the game, hit player 1 another time and switch to GameHack. Search for a 'decreased' value again. Continue that procedure until there are only a few offsets left. If player 1 looses a match (because player two striked him down too often) and reappears for the next round (with a full energy bar!), get back to GameHack and choose an 'increased' value since the bar has been filled. It can be that a lot of adresses are left at the end, so use the 'Trial-and-error' method and try to freeze every single offset one after another. That takes quite a long time, so go through the list and search for a value that could be THE ONE AND ONLY. :)
I think those negative values are complete bulls**t, so (in my case) 008E3710 is the right offset (for VF). Let's experiment a bit with it.
Try to enter '255' as the value and go back to the game. Whew, the energy bar looks quite strange, so VF doesn't use the '255-is-maximum'-algorithm (cool word...).
Type in '200' and get back to VF. Allright ... everything's normal and click on the square next to 'Description' (in GameHack of course) and freeze the value.
Try to hit player 1 in the game ... the energy fills up everytime he's hit.
GREAT ! Now let's create the trainer using Master Cheater !
STAY INSIDE OF THE GAME, IT WILL MAKE THE PROCESS HANDLE EASIER LATER !! Umm ... use the Hotkey you've chosen to start Master Cheater (should be a CTRL-?? combination). Type 'TMLIST' and insert 'Energy' as description and the offset you've found as address (008E3710). Master Cheater wants the value to enter in hex, so we've got to convert the 200 into hex. There are enough (free!) calculators to do this on the net, so here's the hex value: C8.
Enter that C8 (Beware ! This is for Virtua Fighter ! This value may not work on other games as well as the address !!!) into the value field (the buttons to do this are displayed at the bottom of Master Cheater) and press ESC. The list needs to be saved, so enter TMSAVE [name] on the input field. [Name] can be anything you like, I choose 'vfenergy'. -> TMSAVE vfenergy
The program creates a file called vfenergy.mct in its directory which is important ! Type TMBUTTONS now to create the outfit of the trainer.
The BUTTONS TITLE should be 'Energy P1' so that the end user knows what'll happen if he pushes the button. Press your right cursor key now to change to the ON-row. Press L now and select the file you've just saved (vfenergy.mct). The OFF-field should stay EMPTY since nothing shall happen if the freeze-option is turned off. Since we want to have unlimited energy for player 1, the STATUS should be 'FREEZED' (press C a couple of times to do that). Now we're ready to build our trainer ! Type TMBUILD into the input field and choose the options that will fulfill your needs (About-Screen, Title-Screen, Filename of the trainer). Hopfully you did the whole process inside of the game (I warned you!), so the process name of the game (in my case VFPC.EXE) should be in the process window. If not, type it in (you can use the windows explorer to find out which is the starting exe). After you pushed the N button the last time, the specified trainer will be created in your Master Cheater directory. Start it, minimise it, press CTRL-T inside the game, freeze your energy bar and try it out (mark EXIT and press ENTER to return to your game)!
-
اموزش ساخت ترینر در ویژوال بیسیک
================================
Programming Trainers: Part 1
Updated: 03/12/2000
This article won’t teach you how to make trainers, it just goes over the most common methods of making trainers for Windows games, and lists several of the advantages and disadvantages of each. In a future tutorial examples and code will be given for making trainers.
Finding ‘data values’ in games is not discussed either. If you are not familiar with searching a game’s memory space to find values, then you might want to study that first. There are several good tutorials on finding game data at
[ برای مشاهده لینک ، با نام کاربری خود وارد شوید یا ثبت نام کنید ]
in the ‘Newbie Help’ section.
The methods
Trainers can be made with several programs; below is my take on the available options.
Auto Trainers – This category comprises the trainers created automatically by a Memory searching utility. Find the values and click a button to generate the trainer.
Advantages: Very easy to use. A trainer can be quickly generated.
Disadvantages: Inflexible. Large exe files. Can’t be used with ‘advanced’ trainer methods.
Trainer Generating Kits – These types of programs provide a great deal of flexibility in the user interface. Design your trainer’s look almost anyway you want; use bitmaps with selectable special effects, scrolling text boxes and more.
Advantages: Neat special effects. Easier than programming from scratch.
Disadvantages: Large exe files. Can’t be used for ‘advanced’ trainer techniques.
Programming – By far the most flexible option. Anything the other 2 categories can do can be done with programming and much more. However this option can require more work, and of course knowledge of a programming language.
Advantages: Very flexible, normally has small exe files.
Disadvantages: Need to know a programming language, takes longer to create a simple trainer.
For more info on the first 2 options check out the Tools section at
[ برای مشاهده لینک ، با نام کاربری خود وارد شوید یا ثبت نام کنید ]
. Almost every game searching tool and trainer kit I know of is there along with other useful tools as well. I do want to discuss programming trainers in a little more detail. Partly because that is the method I use to make trainers, but more importantly because of what can be done by programming trainers from scratch.
Several languages can be used to ‘program’ a trainer: C++, Asm, Visual Basic and others. Asm is the best choice if you know it, as very small executable files can be generated. Next I prefer straight C/C++. All code in this tutorial will be C / C++ or asm but the general principles will be the same no matter which language you use. Programming trainers in C++ and Visual Basic will be discussed in more detail in other tutorials.
Responding to input
Trainers can be used in different ways depending on the game, and the way the game’s data needs to be manipulated.
Buttons
Setting a Timer
Intercepting Keystrokes
Buttons are a very intuitive way to let the user perform a trainer option. Label the button with what the trainer option does and then the user just clicks on it to perform that action. The trainer can then respond to the WM_CLICK event for that button. However this causes an inconvenience to the user in full screen games; the user must alt-tab out of a game to activate or deactivate each option.
Timers routines can be used to check for user key presses. For example, assign an option like Level Skip to the F12 key by:
Setting a timer for your trainer with the SetTimer API function.
Add a handler for the WM_TIMER message.
Use the GetAsyncKeyState or other API call to check for an F12 keypress.
If the F12 key was pressed Skip to the next level.
In some games this provides a more transparent method but still can cause problems. Even 5 options with separate keys for each can make it difficult to remember which key goes with which option. And if the trainer option is a toggle there is no feedback letting the user know if its toggled on or off. However these issues can be addressed through the use of ingame message displays and/or ingame menus.
Intercepting Keystrokes is a variation of the WM_TIMER method but the trainer only gets called if a key is pressed, not at specific timer intervals. Basically if the Game requires a lot of keyboard input the Timer is probably a better option, if a key gets pressed only once every 3 or 4 seconds then intercepting the keystrokes may be more efficient.
Advanced trainer techniques
This section describes some of the things that can be done by programming your own trainers. Details about each topic will be addressed in later tutorials or updates to this one.
Multiple version support through version detection and feedback
Memory scan for new version support
Resolving dynamic memory addresses at runtime
Displaying ingame cheat menus
Automating cheat code entry
Calling game code
Having the game call your trainer
Multiple version support with feedback makes a trainer much easier to use as the user no longer needs to wonder why the trainer doesn’t works with his version. This does require more work by the programmer, and may require that the game data be found multiple times. But 1 trainer can then supports several versions of a game. Feedback to the user can be in the form of a status window. If the game window is found but the version string is not then "Unsupported version" can be displayed. If the game window can’t be found then "Game window not found" and so on.
Memory scanning is an automatic way to add support for new versions of a game, but it only works if the code is relatively the same between versions, which it quite often is.
Dynamic memory: A lot of the new games coming out are using dynamic memory. This refers to the fact that each time the game restarts its data offsets change in memory. However there are 2 effective ways to address this.
Change the code as opposed to the data - Even though data offsets change each time the game restarts the address of the code in memory stays the same. So instead of continually placing $1,000,000 at a money address, you can change the game code in memory that modifies that address. For example change aDEC EAX to NOP’s or INC EAX. However this method has some drawbacks. For example, that code address may be the same code address that decrements the computer’s money, so the computer would benefit also. The Trainer Creation Kits can use this method.
Find the new data address in memory at runtime – This method works very well and is the one I prefer although each has advantages in specific situations. Basically it involves reading up to 5 different game addresses and using each one to get a pointer to the next pointer and finally to the data. The difficulty with this method is that none of the current memory searching programs can find these pointers easily (except for Spyderن , which isn’t currently available).
Ingame cheat menus – Ingame cheat menus can be used as opposed to external dialogs for trainer options. This can be accomplished through the use of a modal dialog as a child window of the game window.
Automating cheat code entry – Trainers can also be used for 1 key access to cheat code entry. Assign a long cheat code to any key and when the user presses that key during the game the cheat code is automatically entered by using the keybd_event function from the trainer. A selectable list of available cheat codes can also be displayed as an ingame menu.
Calling game code – Calling game code directly from a trainer can be a huge benefit. Why rewrite a complicated procedure to modify a game’s map terrain when you can call the same routine in the game and have the game perform all modifications.
Having the game call your trainer allows the trainer to be a seamless interface into the game. By having the trainer call my code I can add new features to a game or modify existing functions to act exactly how I want.
That’s it for now, I know it doesn’t go into much detail but it does give some alternative approaches to making trainers. Future tutorials will have more detailed information on making trainers, as well as code and examples.
Programming Trainers Part 2: Visual Basic
Updated: 03/30/2000
So you want to make trainers in Visual Basic. "I'm sorry but its not possible because VB is such a simple programming language." If someone tells you that, don't listen to them. Just about any type of program can be made with VB and definitely trainers, I've made them.
However there's something you should think about first. In order to use a trainer programmed in VB, gamers will need the VB runtimes. Some people might not have these and to include them in a zip file would make the file very large. Just to get an idea of the size I created a setup for the trainer created later in this tutorial, and the total size was just over 1MB. Of course that included a nice setup and uninstall program but the main size hit was the VB40032.DLL file.
On the plus side, creating a trainer in VB is very simple and once you've done it a few times it can be done very quickly. Also trainers made with VB can resolve dynamic memory at runtime, so trainers can be made for even the newest games. (Dynamic memory won't be covered in this tutorial as I consider it an advanced option, although really it is very simple to program for).
Some Background Info
Unlike C, VB doesn't include declarations of the common API functions so we must add them to our project. There are 6 main functions used in almost every trainer, and those will be discussed here.
FindWindow(ClassName, WindowTitle) - FindWindow returns a handle to a window that has the class name and window title we specify. For our purposes we can leave ClassName Null and just give the WindowTitle of the game were interested in. It can be declared as follows: Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
GetWindowThreadProcessId(WindowHandle, ProcessId) - Here we pass the handle from FindWindow and get back a ProcessId, which is needed to get a handle to the process. It's declaration is: Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
OpenProcess(DesiredAccess, Inherit, ProcessId) - This function will return a handle to our target process. This handle can then be used to read and write to our target. DesiredAccess determines the access rights the handle will have to the target; for now just use PROCESS_ALL_ACCESS. Inherit should always be False. ProcessId is gotten from the GetWindowThreadProcessId function. Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
CloseHandle(ProcessHandle) - Every handle you open should be closed with a call to CloseHandle. Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
WriteProcessMemory(ProcessHandle, Address, Value, SizeofValue, BytesWritten) - This is one of the two functions that does the actual work. It writes Value to the target address specified by Address. You can declare it like this: Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
ReadProcessMemory(ProcessHandle, Address, Value, SizeofValue, BytesWritten) - This is the other work function. It places into Value the value from the target's address specified by Address. Declare it: Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
There is a lot to know about the Windows API functions. You should make it a point to study the more common ones by looking it up in your programming help files. The help files will also give much more valuable information on the above functions, such as return values and error handling.
A Simple Trainer
So how do these functions work together so we can make trainers? As an example here's how to code a simple "trainer" for the windows calculator application. The trainer will read the value displayed in the calculator window, and will write our name there if we click a button.
First we need to find the address of the calculator display window. This is not a tutorial on Memory searching in games so I'm only giving very general instructions.
Enter 123456 into the calculator display
Open your favorite memory search program and search for the string 123456
Repeat with a different value until only 1 address is found
That's the only address we need to know to make our trainer. The address for the display in my calculator application is 40B181 hex, 4239745 dec. When I refer to this address in the code listings just replace it with whatever value you found.
Now lets go ahead and design the trainer interface.
Start a new project in VB and then add 1 Textbox, 1 button and a timer. The textbox will be used to display the string we retrieve from the calculator window and the button will be used to send our name to the display window.
Set the form Caption to Calculator Trainer
Rename the textbox to txtDisplay and clear the Text property
Change the timer name to ReadTimer and the interval to 500
Change the button Caption to "Display Name" and the button Name to btnPasteName
For this trainer we will need all 6 of our common functions, ReadProcessMemory, WriteProcessMemory, OpenProcess, GetWindowThreadProcessId ,FindWindow and CloseHandle. Insert a new module into the project and add the following lines. Several of the lines are wrapped here but they must be on one line in your module (or you can use the continuation character _ )
Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
So let's write the code we need to display our name to the calculator window. First we need to get a handle to our target window with the FindWindow function. We'll need to save this handle in a variable and check it for errors to make sure the calculator program is actually running. (FindWindow returns 0 on error)
Dim hwnd As Long
hwnd = FindWindow(vbNullString, "Calculator")
If (hwnd = 0) Then
MsgBox "Window not found!"
Exit Sub
End If
Notice we passed a Null String to FindWindow in place of the ClassName, so any window named "Calculator" should be found. If you know the ClassName you can use it but its not necessary.
Now lets use our window handle and get a ProcessId. Notice pid is passed as an argument and not assigned the return value.
Dim pid As Long
GetWindowThreadProcessId hwnd, pid
We can now use our pid (ProcessId) to get a Process Handle to the calculator program. The return value here can again be checked for a valid handle and if not then exit the sub.
Dim pHandle As Long
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
If (pHandle = 0) Then
MsgBox "Couldn't get a process handle!"
Exit Sub
End If
The WriteProcessMemory function is the most important one to our trainer and is the one most likely to fail. So lets take a closer look at the parameters it wants.
WriteProcessMemory (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long)
Lets break it down so we know what each function argument does.
hProcess is the handle of the process were writing to. We receive this handle from the OpenProcess function above.
lpBaseAddress - This is the address we want to write to in the Calculator's virtual memory space, which we found with our memory search program. (The address for my calculator program was &H40B181)
lpBuffer is the data I want to write to the above address, . It can be a value, array, string or any other data type.
nSize is the number of bytes we want to write to lpBaseAddress. This field should match your data type: if your writing a long then this value should be 4. If your writing a string it should be the length of the string.
lpNumberOfBytesWritten will hold the actual number of bytes written to the target address when WriteProcessMemory returns. It can be checked to make sure the call actually worked.
Putting our values into this function we get WriteProcessMemory pHandle, &H40B181, "Beans", 5, 0&. I'm passing 0 to lpNumberOfBytesWritten because I'm not going to double check the number of bytes written.
Finally we need to close the handle opened by OpenProcess by passing our Process Handle to CloseHandle().
CloseHandle hProcess
Now to add all the code to our trainer. Double Click on the button to display its code window. The code were adding will go under the Click event for the button (btnPasteName), so make sure that's where your at, then add the following lines. (You don't need to add the comments).
Private Sub btnPasteName_Click()
' Declare some variables we need
Dim hwnd As Long ' Holds the handle returned by FindWindow
Dim pid As Long ' Used to hold the Process Id
Dim pHandle As Long ' Holds the Process Handle
' First get a handle to the "game" window
hwnd = FindWindow(vbNullString, "Calculator")
If (hwnd = 0) Then
MsgBox "Window not found!"
Exit Sub
End If
' We can now get the pid
GetWindowThreadProcessId hwnd, pid
' Use the pid to get a Process Handle
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
If (pHandle = 0) Then
MsgBox "Couldn't get a process handle!"
Exit Sub
End If
' Now we can write to our address in memory
WriteProcessMemory pHandle, &H40B181, "Beans", 5, 0&
' Close the Process Handle
CloseHandle hProcess
End Sub
And that's it! Clicking the button will cause the calculator window text to be reset to the name we entered. (You may have to minimize and restore the calculator app before it will update its display.
Lets add one more feature to our trainer. We'll monitor the display window of the calculator program and show the text in our trainer window. Double Click on the timer to display its code window. Then add the following lines.
Private Sub ReadTimer_Timer()
' Declare some variables we need
Dim hwnd As Long ' Holds the handle returned by FindWindow
Dim pid As Long ' Used to hold the Process Id
Dim pHandle As Long ' Holds the Process Handle
Dim str As String * 20 ' String to hold display text
' First get a handle to the "game" window
hwnd = FindWindow(vbNullString, "Calculator")
If (hwnd = 0) Then Exit Sub
' We can now get the pid
GetWindowThreadProcessId hwnd, pid
' Use the pid to get a Process Handle
pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
If (pHandle = 0) Then Exit Sub
' Now we can read from memory
ReadProcessMemory pHandle, &H40B181, str, 20, 0&
' And display the string in our textbox
txtDisplay = str
' Close the Process Handle
CloseHandle hProcess
End Sub
-
سلام
اگر بتوني همينطور در دلفي آموزش بدي خيلي خوبه.
در تاپيكي كه ساخته ام.
-
-
gamehackir جان بي زحمت طريقه پيدا كردن Pointer و Offset رو آموزش بده.خيلي لازم ميشه براي برنامه نويسي.
با تشكر
-
به نام خدا
ما زیاد حرفه ای نیستیم که از مطالب بالا سردربیاریم. ولی ممنون.
در مورد چند صفحه قبل آقا مرتضی یه برنامه ساده گزاشتند که فقط می خواد اعداد رو عوض کنی من چیزی نفهمیدم/ میشه یه کم واضح تر بگید و اینکه چه اعدادی لازمه؟
با تشکر.
-
به نام خدا
كسي نبود جواب پست بالايي رو بده؟
-
من درست متوجه نشدم ....لطفا واضح تر بگید