    Results 11 to 20 of 64
#11 fa3fawesfa3f (Newbie)
      Quote Originally Posted by Afro228
      not working
      Put a smaller range then, omg. You really think a function can scan 0 to 7fffffffffffff fast? It probably takes many hours.

      And @Rake there is something wrong with VirtualProtectEx:
      DWORD oldprotect;
      VirtualProtectEx(hProcess, (void*)currentChunk, sizeof(buffer), PROCESS_VM_READ, &oldprotect); // PROCESS_VM_READ is not a VirtualProtectEx flag, it should be PAGE_EXECUTE_READWRITE or something
      ReadProcessMemory(hProcess, (void*)currentChunk, &buffer, sizeof(buffer), &bytesRead);
      VirtualProtectEx(hProcess, (void*)currentChunk, sizeof(buffer), oldprotect, NULL);
      // The last argument can't be 0, see the remarks on MSDN!
      // Better is:
      VirtualProtectEx(hProcess, (void*)currentChunk, sizeof(buffer), oldprotect, &oldprotect); // and it works 100%
      Last edited by fa3fawesfa3f; 08-19-2016 at 08:35 AM.

#12 [GH]Rake (Administrator)
      Quote Originally Posted by Afro228
      not working
      then you need to learn more

#13 fa3fawesfa3f (Newbie)
      I have to correct my previous post. It's possible to scan from 0 to 7F...F within milliseconds if the function is efficient.
      It's still a bad idea though.

      I came up with this function:
      #include <Windows.h>
      #include <new>

      // 'x' in the mask means the byte must match, anything else is a wildcard
      inline bool ComparePattern(const char * szSource, const char * szPattern, const char * szMask)
      {
          for (; *szMask; ++szSource, ++szPattern, ++szMask)
              if (*szMask == 'x' && *szSource != *szPattern)
                  return false;
          return true;
      }

      // Scan one buffer, returns a pointer to the first match or nullptr.
      // A buffer shorter than the pattern has to be rejected before the subtraction,
      // otherwise RegionSize - Len wraps and the loop reads past the buffer.
      // <= (not !=) makes sure the last valid position is tested as well.
      char * PatternScan(char * pData, SIZE_T RegionSize, const char * szPattern, const char * szMask, SIZE_T Len)
      {
          if (RegionSize < Len)
              return nullptr;
          for (SIZE_T i = 0; i <= RegionSize - Len; ++i, ++pData)
              if (ComparePattern(pData, szPattern, szMask))
                  return pData;
          return nullptr;
      }

      char * PatternScanEx(HANDLE hProc, char * pStart, UINT_PTR RegionSize, const char * szPattern, const char * szMask)
      {
          DWORD Buffer = 0;
          if (!GetHandleInformation(hProc, &Buffer)) // cheap check that the handle is valid
              return nullptr;

          SIZE_T Len = lstrlenA(szMask);
          if (RegionSize < Len)
              return nullptr;

          char * pCurrent = pStart;
          while (pCurrent <= pStart + RegionSize - Len)
          {
              MEMORY_BASIC_INFORMATION MBI{ 0 };
              if (!VirtualQueryEx(hProc, pCurrent, &MBI, sizeof(MEMORY_BASIC_INFORMATION)))
                  return nullptr;

              // MBI.RegionSize counts from MBI.BaseAddress, which can lie below pCurrent,
              // so only the bytes between pCurrent and the end of the region are read.
              char * pRegionEnd = (char *)MBI.BaseAddress + MBI.RegionSize;
              SIZE_T Remaining = pRegionEnd - pCurrent;
              if (pCurrent + Remaining > pStart + RegionSize)
                  Remaining = pStart + RegionSize - pCurrent;

              // Only committed pages can be read; PAGE_NOACCESS and PAGE_GUARD pages make RPM fail.
              if (MBI.State == MEM_COMMIT && !(MBI.Protect & (PAGE_NOACCESS | PAGE_GUARD)))
              {
                  char * Data = new (std::nothrow) char[Remaining]; // plain new throws instead of returning nullptr
                  if (!Data)
                      return nullptr;

                  if (ReadProcessMemory(hProc, pCurrent, Data, Remaining, nullptr))
                  {
                      char * Ret = PatternScan(Data, Remaining, szPattern, szMask, Len);
                      if (Ret)
                      {
                          char * Found = pCurrent + (Ret - Data); // translate back to the target's address space
                          delete[] Data;
                          return Found;
                      }
                  }

                  delete[] Data;
              }
              pCurrent += Remaining;
          }

          return nullptr;
      }


      Rake, you currently use 4096 byte chunks, which can cause huge problems because RPM will fail if some parts of that region aren't accessible. VirtualProtectEx won't change anything for non-initialized regions. Only committed regions (physically allocated memory) can be accessed with RPM/WPM. Furthermore, all committed memory pages can be accessed by RPM, even execute-only sections. Only attempts to write to execute-only pages cause an access violation.
      Last edited by fa3fawesfa3f; 08-19-2016 at 07:44 PM.
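An added example, not code from the thread or from Rake's repository, that exercises the two bound problems in the PatternScan loop above (a region shorter than the pattern wrapping the subtraction, and the last candidate position being skipped) together with the rule that only committed, accessible regions can be read. It replaces VirtualQueryEx/ReadProcessMemory with a constructed region table so it runs anywhere; the addresses, bytes and signature are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* 'x' in the mask means the byte must match, anything else is a wildcard
 * (same contract as the thread's ComparePattern). */
static int compare_pattern(const uint8_t *s, const uint8_t *p, const char *m)
{
    for (; *m; ++s, ++p, ++m)
        if (*m == 'x' && *s != *p) return 0;
    return 1;
}
/* Offset of the first match in one buffer, or -1. A buffer shorter than the
 * pattern is rejected before the subtraction (otherwise size - len wraps),
 * and <= makes sure the final candidate position is tested too. */
long pattern_scan(const uint8_t *d, size_t size, const uint8_t *p, const char *m)
{
    size_t len = strlen(m);
    if (len == 0 || size < len) return -1;
    for (size_t i = 0; i <= size - len; ++i)
        if (compare_pattern(d + i, p, m)) return (long)i;
    return -1;
}
/* Constructed stand-in for what VirtualQueryEx reports about one region. */
typedef struct {
    uintptr_t base; size_t size; int committed; int no_access; const uint8_t *bytes;
} Region;
/* Walk regions in address order and scan only committed, accessible ones,
 * which is the subset ReadProcessMemory can actually read. Returns the
 * virtual address of the hit or 0. */
uintptr_t scan_regions(const Region *r, size_t n, const uint8_t *p, const char *m)
{
    for (size_t i = 0; i < n; ++i) {
        if (!r[i].committed || r[i].no_access) continue;
        long off = pattern_scan(r[i].bytes, r[i].size, p, m);
        if (off >= 0) return r[i].base + (uintptr_t)off;
    }
    return 0;
}
/* Constructed bytes and signature: a call rel32 followed by ret, the rel32 wildcarded. */
static const uint8_t code[] = { 0x90, 0x90, 0x55, 0x8B, 0xEC, 0xE8, 0x11, 0x22, 0x33, 0x44, 0xC3 };
static const uint8_t sig[]  = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3 };
static const Region regions[] = {
    { 0x10000, 0x1000,      0, 0, NULL },   /* reserved, not committed: skipped */
    { 0x11000, 3,           1, 0, code },   /* shorter than the signature: must not wrap */
    { 0x12000, sizeof code, 1, 1, code },   /* PAGE_NOACCESS: skipped although it holds the bytes */
    { 0x13000, sizeof code, 1, 0, code },   /* the real hit, at base + 5 */
};
uintptr_t scan_sample(void) { return scan_regions(regions, 4, sig, "x????x"); }
```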

#14 [GH]Rake (Administrator)
      Quote Originally Posted by fa3fawesfa3f
      I have to correct my previous post. It's possible to scan from 0 to 7F...F within milliseconds if the function is efficient
      It's still a bad idea though.
      Yeah here is the unfinished part2 of the tutorial with updated code similar to what you have:
      https://bitbucket.org/GH-Rake/patternscan

#15 XtremeCoder (Newbie)
      This is awesome, thanks a lot Rake.
      It works fine in AssaultCube for me,
      but when I try it in another game [browser game] or a Unity game it doesn't work.
      I don't know where the problem is, but can you explain why you use this:
      VirtualProtectEx(hProcess, dst, size, PAGE_READWRITE, &oldprotect);

      VirtualProtectEx(hProcess, dst, size, oldprotect, &oldprotect);

      Do I have to use this line of code every time I program a trainer for any game?


      I will try it in another game like Plants vs Zombies and see what happens.

#16 fa3fawesfa3f (Newbie)
      Quote Originally Posted by [GH]Rake
      Yeah here is the unfinished part2 of the tutorial with updated code similar to what you have:
      https://bitbucket.org/GH-Rake/patternscan
      For the module stuff it's recommendable to not use the Windows definitions of structs like LDR_DATA_TABLE_ENTRY because there's a lot of info missing:
      // winternl.h
      typedef struct _LDR_DATA_TABLE_ENTRY {
          PVOID Reserved1[2];
          LIST_ENTRY InMemoryOrderLinks;
          PVOID Reserved2[2];
          PVOID DllBase;
          PVOID Reserved3[2];
          UNICODE_STRING FullDllName;
          BYTE Reserved4[8];
          PVOID Reserved5[3];
          union {
              ULONG CheckSum;
              PVOID Reserved6;
          } DUMMYUNIONNAME;
          ULONG TimeDateStamp;
      } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

      // better version (the struct name clashes with the winternl.h typedef, so don't include both in one translation unit):
      struct LDR_DATA_TABLE_ENTRY
      {
          LIST_ENTRY InLoadOrder;
          LIST_ENTRY InMemoryOrder;
          LIST_ENTRY InInitOrder;
          void * DllBase;
          void * EntryPoint;
          ULONG SizeOfImage;
          UNICODE_STRING FullDllName;
          UNICODE_STRING BaseDllName;
      };


      Same for the PEB_LDR_DATA struct:
      // better definition (Res covers Length, Initialized and SsHandle)
      struct PEB_LDR_DATA
      {
          BYTE Res[12];
          LIST_ENTRY InLoadOrderModuleListHead;
          LIST_ENTRY InMemoryOrderModuleListHead;
          LIST_ENTRY InInitializationOrderModuleListHead;
      };


      For example, if you want to unlink a module from the PEB you won't be able to fully hide the DLL by using the Windows definitions because they are missing two of the three lists and the BaseDllName member (FullDllName includes the system path).
      The SizeOfImage member can be useful if you want to "increase" the size of a Windows module to hide your haxxor.dll or injected code.

      GetMappedFileName (NtQueryVirtualMemory with MemoryMappedFilenameInformation) will still get the real DLL names though, because it uses kernel data.
      Last edited by fa3fawesfa3f; 08-20-2016 at 10:30 AM.
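An added example, not from the post, that checks the layout claim behind the compact definitions (they line up on x86 and x64 because of natural alignment) and walks a constructed InLoadOrder list with the CONTAINING_RECORD arithmetic, which is what a module-enumeration check does before comparing the loader lists against what GetMappedFileName reports. LIST_ENTRY and UNICODE_STRING are minimal stand-ins assumed to have the SDK's sizes, and the two module entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Minimal stand-ins for the SDK types; assumed to have the SDK's sizes and alignment. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
/* The compact definitions from the post, unchanged apart from the type names. */
struct LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrder, InMemoryOrder, InInitOrder;
    void *DllBase, *EntryPoint;
    uint32_t SizeOfImage;                 /* ULONG; padded to 8 before FullDllName on x64 */
    UNICODE_STRING FullDllName, BaseDllName;
};
struct PEB_LDR_DATA {
    uint8_t Res[12];                      /* LIST_ENTRY alignment pads this to 16 on x64 */
    LIST_ENTRY InLoadOrderModuleListHead, InMemoryOrderModuleListHead,
               InInitializationOrderModuleListHead;
};
/* Expected: BaseDllName at 0x2C (x86) / 0x58 (x64); load-order head at 0x0C / 0x10. */
size_t off_base_dll_name(void)   { return offsetof(struct LDR_DATA_TABLE_ENTRY, BaseDllName); }
size_t off_load_order_head(void) { return offsetof(struct PEB_LDR_DATA, InLoadOrderModuleListHead); }
/* Walk the circular InLoadOrder list, recovering each entry from its embedded
 * LIST_ENTRY (CONTAINING_RECORD by hand); adds up SizeOfImage, returns the count. */
size_t walk_load_order(const LIST_ENTRY *head, uint32_t *total_image_size)
{
    size_t count = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink, ++count) {
        const struct LDR_DATA_TABLE_ENTRY *m = (const struct LDR_DATA_TABLE_ENTRY *)
            ((const char *)e - offsetof(struct LDR_DATA_TABLE_ENTRY, InLoadOrder));
        *total_image_size += m->SizeOfImage;
    }
    return count;
}
/* Constructed loader data: two fake modules linked into the load-order list. */
static struct PEB_LDR_DATA ldr;
static struct LDR_DATA_TABLE_ENTRY mods[2];
static size_t build_and_walk(uint32_t *total)
{
    LIST_ENTRY *h = &ldr.InLoadOrderModuleListHead;
    memset(&ldr, 0, sizeof ldr); memset(mods, 0, sizeof mods); *total = 0;
    mods[0].SizeOfImage = 0x1000; mods[1].SizeOfImage = 0x2000;
    h->Flink = &mods[0].InLoadOrder;                   mods[0].InLoadOrder.Blink = h;
    mods[0].InLoadOrder.Flink = &mods[1].InLoadOrder;  mods[1].InLoadOrder.Blink = &mods[0].InLoadOrder;
    mods[1].InLoadOrder.Flink = h;                     h->Blink = &mods[1].InLoadOrder;
    return walk_load_order(h, total);
}
size_t   sample_module_count(void)     { uint32_t t; return build_and_walk(&t); }
uint32_t sample_total_image_size(void) { uint32_t t; build_and_walk(&t); return t; }
```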

#17 [GH]Rake (Administrator)
      Quote Originally Posted by fa3fawesfa3f
      For the module stuff it's recommendable to not use the Windows definitions of structs like LDR_DATA_TABLE_ENTRY because there's a lot of info missing:
      Do your definitions work for all Windows operating systems, including both x86 and x64? I haven't looked into that, which is why I'm using the definitions from the Windows SDK.

#18 fa3fawesfa3f (Newbie)
      Quote Originally Posted by [GH]Rake
      Do your definitions work for all Windows operating systems including both x86 and x64? I haven't looked into that, which is why I'm using the definitions from the windows SDK
      Yes, those definitions work for both x86 and x64.
      Mostly inspired by this site btw: https://sandsprite.com/CodeStuff/Und...Data_List.html

#19 Aleksander (Newbie)
      This could be simplified a lot. Also you should probably never scan for patterns outside of an enumerated module, ever.

      How it should be done (or at least how I do it):
      1. EnumProcessModulesEx
      2. Get module addresses. Instead of specifying a range of where to search (0 to 7FFFFFFFF), specify that you want to search "client.dll"
      3. Use VirtualQueryEx to receive MEMORY_BASIC_INFORMATION about that module, and continue scanning that region size so you scan the entire module.
      4. Check to make sure that MBI state is both COMMIT and not PAGE_NOACCESS

      Also for those interested, if you are using 64-bit, use DWORD_PTR not DWORD.

#20 [GH]Rake (Administrator)
      Quote Originally Posted by Aleksander
      blah blah blah
      I include a function to scan singular modules and I didn't use DWORD. Did you even read the code?

      But yeah I agree with ya on the VirtualQuery, I'm doing all that good stuff in part 2 of this tutorial. Just haven't finished it yet

      https://bitbucket.org/GH-Rake/patternscan
