Page 2 of 6 (results 11 to 20 of 54)
#11 pet29 (Newbie, Join Date Oct 2013, Posts 43)
Cheats-n-Trainers
I have been waiting for this for a long, long time. Some couple of years back I was on some game hacking forum and came to know about Super Jump, and was very desperate to learn it. I asked around on a couple of forums but nobody really gave me the real ideas/tuts, but finally the holy grail of game hacking has been revealed. I am out of words, sir (words don't come easy).

Thanks a million, sir; your hard work and time for a layman like me means a lot to me.

#12 crx123 (Jr.Coder, Join Date Apr 2014, Posts 62)
I'm just wondering, why would you do this in C++ if it's so much faster and easier to do the same thing in CE Autoassembler?

#13 teutu10 (Newbie, Join Date Jun 2014, Posts 1)
Man, Fleep, where is the remote DLL? I don't know how I can get started!

#14 Cryslacks (Join Date Dec 2013, Location Sweden, Posts 132)
      Check his other tutorials to find the link, or you could just press this link:
      http://securityxploded.com/download-file.php?id=7111

      Your choice

#15 Alsafa7 (Newbie, Join Date Aug 2012, Posts 4)
First of all, thanks for the amazing tut, @Fleep. Just as always.
Secondly, I just wanted to mention a minor modification to your code...
I was trying to apply what I learnt from the tutorial to PvZ. It's pretty easy: I already had the code from the previous tut ready, and all I had to do was add the hooks header and all the easy replacements. I got everything up and everything compiled fine; the address was found when the DLL was injected into the app, but when I closed the message box, the app crashed with no errors. It just disappeared. Every single time. I had no use for the OverwriteValues function, and creating the thread was pretty useless, so I commented the code out, and when I injected, it worked (or so I saw in the CE memory viewer). The issue was, when I closed the message box this time, the DLL would unload, and the jmp that was working would then point to the address where the DLL's codecave was once loaded. So, when this address gets called, the app would crash due to the app jumping to an empty address. So, I figured out a solution and that's what I wanted to share.
The solution was to increment the FreeLibrary counter by one so that the DLL wouldn't get unloaded by itself. It would only unload if the app terminates or if you free the library memory manually (thus decrementing the counter). The way you would increment the counter is by calling LoadLibrary(), and so here is the new code I used in DllMain():
Code:
#include <windows.h>
// InitiateHooks() comes from the hooks header; DLLNAME is defined at the top of the file (see below)

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
	switch (fdwReason)
	{
	case DLL_PROCESS_ATTACH:
		InitiateHooks();
		// Bump the module's reference count so the DLL stays mapped while the jmp still points into it.
		// (Microsoft documents that calling LoadLibrary from inside DllMain can deadlock on the loader lock.)
		LoadLibrary(DLLNAME);
		//CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)OverwriteValues, NULL, NULL, NULL);
		break;
	}
	return TRUE; // DllMain must return a value; falling off the end is undefined behaviour
}
      Where DLLNAME is a definition at the top of the file of a string that contains the dll's name. (#define DLLNAME "X.dll")
      This time, when I injected, the hack worked, and when I closed the message box, the dll remained loaded in the app's memory and the hack continued working successfully

Edit:
After even further fiddling with this method, I tried creating a hack for Need for Speed Rivals, which is a 64-bit app. The sig/pattern (nop'ing) process worked pretty well with it. However, the code doesn't want to compile using this method, as inline asm instructions aren't allowed in 64-bit DLLs, applications, etc. You can only use intrinsic functions. So, saying that, can you please help me know how to convert a simple inline assembly function such as this:
Code:
unsigned long long SpJmpBack = 0;
__declspec(naked) void InfiniteSP()
{
	__asm
	{
		mov [rbx + 0x24], 999999999
		add [rbx + 0x28], edi
		jmp [SpJmpBack]
	}
}
      Thanks a bunch for your help in advance.

      Edit 2:
      I found a way to run the assembly instructions, by creating a .asm file and placing this code in it:
Code:
.code
InfiniteSP proc
	mov esi, 999999999
	mov [edi + 00005578h], esi
InfiniteSP endp
end
      I couldn't add the jmp[SpJmpBack] instruction as I found no way to access the global variable (SpJmpBack), from within the assembly file. To solve this issue (I hope it worked out...), I added another PlaceJMP call after the initial and created a global variable in the functions header which stores the offset the codecave is at. So now the new PlaceJMP call looks like so:
      Code:
      PlaceJMP((BYTE*)ammoAddy, (unsigned long long)InfiniteSP, 6); //Original jmp
      
      //Newly added jmp to codecave
      PlaceJMP((BYTE*)(calcAdd+0x6),  /* address to place jmp instruction at. Added 6 because of the two instructions */
            SpJmpBack,  /* Instruction to jmp to */
            5 ); /* Size of jmp. No nop'ss */
Now I only face one problem... the original jmp doesn't point to the codecave. It points to a random position in the process, where the DLL is not loaded, thus causing the app to crash when the instruction gets called.
This is the project: https://www.dropbox.com/s/vbm7kl9sma...als%20Hack.zip (I hope there is no problem with sharing a URL to a Dropbox link.)
Feel free to check out the code and the modifications I did, and please reply with the solution if found. Thanks in advance again.
PS: Don't be fooled by the solution/project's name. This is not a BF4 hack, it's an NFS Rivals hack (although both have 64-bit executables :P ).
      Last edited by Alsafa7; 07-07-2014 at 11:32 AM.

#16 Alsafa7 (Newbie, Join Date Aug 2012, Posts 4)
Update: I finally figured out the solution. It was very tiring to reach the end result, but it works now. The issue was that since the game is 64-bit, the addresses are longer, so a 5-byte jmp isn't enough. Thus, I used a jmp qword ptr which points to the following address, where the jumpTo address is stored. So, if I wanted to jump to 07FBC55A1A90 (true live example), I have to write the following at the spAddy:
      Code:
      NFS14.SetPlatform+21B0EB - FF 25 00000000        - jmp qword ptr [NFS14.SetPlatform+21B0F1]
      NFS14.SetPlatform+21B0F1 - 90                    - nop 
      NFS14.SetPlatform+21B0F2 - 1A 5A C5              - sbb bl,byte ptr [rdx-3B]
      NFS14.SetPlatform+21B0F5 - FB                    - sti 
      NFS14.SetPlatform+21B0F6 - 07                    - pop es
Note that the bytes that follow the jmp instruction are 07FBC55A1A90 in reverse. I had to edit the PlaceJMP function a lot, and here is the final result of the work:
Code:
#include <windows.h>

unsigned long long codecaveAddy = 0; // global from the hooks header (declared here so the snippet compiles on its own)

// Writes a jmp at Address to jumpTo. 32-bit: E9 rel32 (5 bytes). 64-bit: FF 25 00000000 followed by the
// absolute 8-byte target (14 bytes), so relativeAddress only has a meaning on 32-bit.
void PlaceJMP(BYTE *Address, unsigned long long jumpTo, unsigned long long length = 5, bool relativeAddress = true)
{
	unsigned long dwOldProtect, dwBkup;
	unsigned long long dwRelAddr;

	//give that address read and write permissions and store the old permissions at oldProtection
	VirtualProtect(Address, (SIZE_T)length, PAGE_EXECUTE_READWRITE, &dwOldProtect);

#ifndef _WIN64
	// Calculate the "distance" we're gonna have to jump - the size of the JMP instruction
	if (relativeAddress)
		dwRelAddr = (unsigned long long)(jumpTo - (unsigned long long)Address) - 5;
	else
		dwRelAddr = jumpTo; //the address is equal to the address of the function in the injected dll. No calculations needed.
#else
	// jmp qword ptr [rip+0] reads an absolute 8-byte address from the bytes that follow it, so no
	// relative calculation applies here (subtracting 14 as before produced a wrong operand and a crash)
	(void)relativeAddress;
	dwRelAddr = jumpTo;
#endif

	codecaveAddy = dwRelAddr; //Sets the address of the codecave to the address calculated

	// Write the JMP opcode @ our jump position...
#ifndef _WIN64
	*Address = 0xE9;

	// Write the offset to where we're gonna jump; rel32 is 4 bytes, so write a DWORD, not 8 bytes
	//The instruction will then become JMP ff002123 for example
	*((DWORD *)(Address + 0x1)) = (DWORD)dwRelAddr;
	const unsigned long long jmpSize = 5;
#else
	//FF 25 00 00 00 00 is the code for jmp qword ptr [rip+0]
	*Address = 0xFF;
	*(Address + 0x1) = 0x25;
	*(Address + 0x2) = 0x0;
	*(Address + 0x3) = 0x0;
	*(Address + 0x4) = 0x0;
	*(Address + 0x5) = 0x0;
	*((unsigned long long *)(Address + 0x6)) = dwRelAddr; //Set the next 8 bytes after the first 6 to the jmpto address
	// All 8 pointer bytes belong to the instruction: starting the NOP padding at 6 + "bytes used"
	// would overwrite the high (zero) bytes of the target with 0x90 and corrupt the address
	const unsigned long long jmpSize = 14;
#endif

	// Overwrite the rest of the bytes with NOPs
	//ensuring no instruction is Half overwritten(To prevent any crashes)
	for (unsigned long long x = jmpSize; x < length; x++)
		*(Address + x) = 0x90;

	// Restore the default permissions
	VirtualProtect(Address, (SIZE_T)length, dwOldProtect, &dwBkup);
}
I still don't get why you performed calculations to obtain the dwRelAddr. If you just set it to the function's address (jumpTo), it is set to the correct address, which is found inside the injected DLL's memory space. Can you explain why you did this, @Fleep?

      Here is the new source code for whomever wishes to fiddle with it: https://www.dropbox.com/s/jojgt471fh...k%20Update.zip

#17 boyenn (Newbie, Join Date Jul 2014, Posts 5)
Quote Originally Posted by Alsafa7 View Post (post #16 above, quoted in full)
As you seem to know what you're talking about, is there any way you could add me on Skype (boyenn-x3)? Because I have some questions / trouble understanding some small stuff.

#18 x1jester (Newbie, Join Date Jul 2014, Posts 5)
Thanks for the awesome site and tutorial! Hey, I need a bit of help with mine please!!!! I can't get the Y axis to work out properly. IDK what to use for my code instead of yours; mine doesn't use esi. The top is my start, and the top to bottom is where I have the signature set, so I think the offset would be -12:

kgllib.sqstd_register_bloblib+1C5C45 - D9 40 04 - fld dword ptr [eax+04]
1C5C48 - D9 59 04 - fstp dword ptr [ecx+04]
1C5C4B - D9 40 08 - fld dword ptr [eax+08]
1C5C4E - D9 59 08 - fstp dword ptr [ecx+08]
1C5C51 - EB 2D - jmp kgllib.sqstd_register_bloblib+1C5C80

\xD9\x40\x04\xD9\x59\x04\xD9\x40\x08\xD9\x59\x08\xEB\x2D
xxxxxxxxxxxxxx

#19 x1jester (Newbie, Join Date Jul 2014, Posts 5)
Is the thread dead? Sad, I really was hoping to figure this out.

#20 HalfWayToHell333 (Jr.Coder, Join Date Jun 2014, Posts 82)

Just a suggestion
@Fleep,

first, thanks for this tutorial (and the others).

I have a suggestion for binding in multiple headers in Visual C++, which you mentioned in one of your videos.

If you get an error, you can do this:

#ifndef BLABLA_H
#define BLABLA_H

//Your Code here//

#endif

or

#pragma once

//Your Code here//

or what I do:

create a Globals.h and put every used include into this.

That solves the problem (at least in my cases).
