[Solved] A bit of Code Cave help in C++?


xploiitz

Coder
Fleep Tier Donator
Trump Tier Donator
Nobleman
Jul 26, 2012
155
1,698
7
This is my first post and let me start off by saying I absolutely love your tutorials man!! Good stuff, I subbed to you on YouTube :).

Alright onto my problem!

So there's this game, Planetside, that I play..... and I wanted to make my own Cone of Fire (Cone of Fire is Planetside's version of recoil). I have successfully found the addresses / assembly lines that control this Cone of Fire, and I was able to successfully freeze them, thus having no recoil! These aren't dynamic either, because I made a simple script in Tsearch to freeze these values, and it works each time I start the game.
Simply going into memory each time to edit these is rather obvious, so I wanted to make my own code cave(s) in C++ to further help keep from being detected...

Now before I get flamed.... I do have some intermediate C++ skills. I am a Computer Science major (2nd year) for what it's worth, just to give a very vague idea of where I stand.
I do wanna mention that I'm not looking for full blown source, just some code cave snippets if possible, but I'll take what I can get :)


These are the originals


ORIGINAL1

0090833b 89 81 9C 01 00 00 mov [ecx+0x19C],eax
00908341 E8 BA 88 B9 FF call 0x004A0C00
00908346 5D pop ebp
00908347 C2 04 00 retn 0x4
0090834a 90 nop
0090834b 90 nop
0090834c 90 nop
0090834d 90 nop

ORIGINAL2

0090893e D9 9E 9C 01 00 00 fstp dword ptr [esi+0x19C]
00908944 5F pop edi
00908945 5E pop esi
00908946 5B pop ebx
00908947 8B E5 mov esp,ebp
00908949 5D pop ebp
0090894a C3 retn
0090894b 90 nop


These are the originals NOPed for no recoil...


NOPed1

0090833B 90 NOP
0090833C 90 NOP
0090833D 90 NOP
0090833E 90 NOP
0090833F 90 NOP
00908340 90 NOP


NOPed2

0090893E 90 NOP
0090893F 90 NOP
00908940 90 NOP
00908941 90 NOP
00908942 90 NOP
00908943 90 NOP

I have read Faldo's Code Cave Theory and several others, but they just didn't suffice for me...

Could anyone else give me a hand? :D Thanks
 

Departure

Newbie
Silenced
Full Member
Jun 24, 2012
21
272
1
No, this is not a code cave...
You have patched the address with your patch (nops). If nops work for you then use them; the only real reason you would want a code cave is if you are going to change some assembly..

A code cave is when you jmp to a place in the code section and execute your own assembly to modify something, and after doing that you jmp back. A couple of things to remember: preserve the bytes (normally 5 bytes for a jmp) you had to write over to make the jmp, and also preserve the registers with Pushad (push register values onto the stack) and then Popad (move stack values back into registers) before jumping back to continue normal execution.
 

BlackPitchPL

Coder
Full Member
Nobleman
May 24, 2012
166
783
1
If you just NOP the addresses that you wrote, you need to just add the addys that you have, like this:
C++:
#define ADR_UAMMO 0x10A9FA71
#define ADR_NODELAY 0x10A9F9E5
#define ADR_NODELAY2 0x10AA0449
#define ADR_NODELAY3 0x10AA128F
#define ADR_INFHEAL 0x10944827
#define ADR_UAMMO2 0x10AA1E15
ofc you name them and put your own addresses here.
Then
I'll give you a class to patch addys:
C++:
#pragma once
#include <Windows.h>	// DWORD, BYTE, VirtualProtect, etc.

class cPatch
{
private:
	DWORD	ADR;			// address that gets patched
	BYTE	OFF_BYTES[255];	// original bytes, saved on the first Patch()
	BYTE	ON_BYTES[255];	// bytes written by Patch()
	int		SIZE;			// how many bytes are overwritten
	enum	PATCHSTATUS
	{
		NORMAL,
		PATCHED,
	};
	int		STATUS;

	// write stLen bytes to pvAddress, taking care of page protection
	void*	memcpy_s(void* pvAddress, const void* pvBuffer, size_t stLen);
public:
	cPatch(DWORD pAdr,BYTE* pByte,int pSize);
	void Patch();
	void Restore();
};
Call it cPatch.h,
and the main one cPatch.cpp:

C++:
#include "cPatch.h"

// Copy stLen bytes over pvAddress: make the page writable first, put the
// old protection back afterwards, and flush the instruction cache so the
// CPU executes the new bytes instead of stale ones.
void* cPatch::memcpy_s(void *pvAddress, const void *pvBuffer, size_t stLen)
{
	MEMORY_BASIC_INFORMATION mbi;
	VirtualQuery( ( void* )pvAddress, &mbi, sizeof( mbi ) );
	VirtualProtect( mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &mbi.Protect );
	void* pvRetn = memcpy( ( void* )pvAddress, ( void* )pvBuffer, stLen );
	VirtualProtect( mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &mbi.Protect );
	FlushInstructionCache( GetCurrentProcess( ), ( void* )pvAddress, stLen );
	return pvRetn;
}

// Remember the address, the new bytes and their count; the original bytes
// are only read from memory when Patch() is first called.
cPatch::cPatch(DWORD pAdr,BYTE* pByte,int pSize)
{
	// OFF_BYTES / ON_BYTES hold 255 bytes at most, so never copy more than that
	if( pSize > (int)sizeof( ON_BYTES ) )
		pSize = (int)sizeof( ON_BYTES );

	STATUS	=	NORMAL;
	SIZE	=	pSize;
	ADR		=	pAdr;
	
	for(int i = 0; i < pSize; i++)
	{
		OFF_BYTES[i]	=	0x00;
		ON_BYTES[i]		=	pByte[i];
	}
}

// Save what is at ADR right now, then overwrite it with ON_BYTES
void cPatch::Patch()
{
	if( STATUS==NORMAL )
	{
		BYTE *pOFF_BYTES = (BYTE*)ADR;
		for( int i = 0; i < SIZE; i++ )
		{
			OFF_BYTES[i] = pOFF_BYTES[i];
		}
		memcpy_s((void*)ADR,(const void*)ON_BYTES,SIZE);
		STATUS=PATCHED;
	}
}

// Put the saved original bytes back
void cPatch::Restore()
{
	if(STATUS==PATCHED)
	{
		memcpy_s((void*)ADR,(const void*)OFF_BYTES,SIZE);
		STATUS=NORMAL;
	}
}
When you have all of these files you can simply patch the addys you want.

C++:
// You have to make a cPatch object: give it the addy (of your cheat), then the
// bytes (ofc as BYTE*) that tell the Patch what to write, in your case 0x90,
// and after that the number of bytes to overwrite

cPatch nodelay	(ADR_NODELAY,(BYTE*)"\x90\x90",2);
cPatch nodelay2	(ADR_NODELAY2,(BYTE*)"\x89\x85\xBC\x00\x00\x00",6);
cPatch nodelay3	(ADR_NODELAY3,(BYTE*)"\x89\x85\xBC\x00\x00\x00",6);
And the last step, how to run it:

C++:
//if code ON just Patch addy's u add
if(opt.asmm.nodelay)
{
	nodelay.Patch();
	nodelay2.Patch();
	nodelay3.Patch();
}
else
{// OFF Restore value :P
	nodelay.Restore();
	nodelay2.Restore();
	nodelay3.Restore();
}
Hope I helped you
 
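Departure's description of a code cave (a 5-byte jmp out of the module, your own code, jmp back) and the cPatch class above are exactly the two modifications an integrity check inside the game would have to notice. The following is an added example, not code from this thread or from any of the posters: it diffs a live copy of a code region against its known-good bytes and classifies each modified run as a NOP patch or as a detour whose jmp/call target lies outside the module. The reference bytes are the ORIGINAL1 listing from the first post (including the corrected `E8 BA 88 B9 FF` call encoding); the module bounds 0x00400000-0x00A00000 and the cave address 0x00C00000 used in the constructed samples are assumptions, not values from the game, and all function and type names are mine.

```cpp
// Added example (not code from the thread): an integrity check that compares a live
// copy of a code region against its known-good bytes and classifies what it finds.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct Finding {
    size_t offset;     // offset of the first modified byte within the region
    size_t length;     // number of bytes the finding covers
    std::string kind;  // "nop-patch", "detour" or "unknown"
    uint32_t target;   // absolute jmp/call destination for a detour, else 0
};

// Known-good bytes of ORIGINAL1 (quoted in the thread), starting at 0x0090833B.
static const uint8_t kOriginal1[] = {
    0x89, 0x81, 0x9C, 0x01, 0x00, 0x00,  // mov [ecx+0x19C],eax
    0xE8, 0xBA, 0x88, 0xB9, 0xFF,        // call 0x004A0C00
    0x5D,                                // pop ebp
    0xC2, 0x04, 0x00,                    // retn 0x4
    0x90, 0x90, 0x90, 0x90               // nop padding
};
static const size_t   kOriginal1Len  = sizeof(kOriginal1);
static const uint32_t kOriginal1Base = 0x0090833B;

// Assumed module bounds (constructed, not from the game); a jmp/call whose target
// falls outside them points at foreign memory such as an injected DLL or a cave.
static const uint32_t kModuleLo = 0x00400000;
static const uint32_t kModuleHi = 0x00A00000;

// Decode the rel32 operand of a 5-byte E8/E9 instruction at `offset` and return
// the absolute destination (32-bit wraparound is intentional).
uint32_t decodeRel32Target(const uint8_t* code, uint32_t base, size_t offset) {
    uint32_t rel = (uint32_t)code[offset + 1]
                 | (uint32_t)code[offset + 2] << 8
                 | (uint32_t)code[offset + 3] << 16
                 | (uint32_t)code[offset + 4] << 24;
    return base + (uint32_t)(offset + 5) + rel;
}

// Diff `live` against `ref` and classify each modified run. A 5-byte E8/E9 at the
// start of a run is taken whole even if some operand bytes happen to equal the
// reference, and 0x90 padding written right after it is folded into the finding.
std::vector<Finding> scanRegion(const uint8_t* live, const uint8_t* ref, size_t len,
                                uint32_t base, uint32_t moduleLo, uint32_t moduleHi) {
    std::vector<Finding> out;
    size_t i = 0;
    while (i < len) {
        if (live[i] == ref[i]) { ++i; continue; }
        Finding f{i, 0, "unknown", 0};
        if ((live[i] == 0xE8 || live[i] == 0xE9) && i + 5 <= len) {
            f.target = decodeRel32Target(live, base, i);
            f.kind = (f.target < moduleLo || f.target >= moduleHi) ? "detour" : "unknown";
            i += 5;
            while (i < len && live[i] == 0x90 && live[i] != ref[i]) ++i;  // fold padding
        } else {
            bool allNop = true;
            while (i < len && live[i] != ref[i]) {
                if (live[i] != 0x90) allNop = false;
                ++i;
            }
            if (allNop) f.kind = "nop-patch";
        }
        f.length = i - f.offset;
        out.push_back(f);
    }
    return out;
}

// Constructed sample: ORIGINAL1 with its first 6 bytes replaced by NOPs (the
// "NOPed1" listing from the first post).
std::vector<uint8_t> makeNopPatched() {
    std::vector<uint8_t> v(kOriginal1, kOriginal1 + kOriginal1Len);
    for (size_t k = 0; k < 6; ++k) v[k] = 0x90;
    return v;
}

// Constructed sample: the same 6 bytes replaced by "jmp 0x00C00000; nop", i.e. the
// code-cave pattern. The rel32's last operand byte is 0x00 and happens to match the
// reference, which is why a naive byte-run diff would split this finding in two.
std::vector<uint8_t> makeDetoured() {
    std::vector<uint8_t> v(kOriginal1, kOriginal1 + kOriginal1Len);
    const uint8_t jmp[6] = {0xE9, 0xC0, 0x7C, 0x2F, 0x00, 0x90};
    for (size_t k = 0; k < 6; ++k) v[k] = jmp[k];
    return v;
}

// Scan a live copy of the ORIGINAL1 region with the constants above.
std::vector<Finding> scanOriginal1(const std::vector<uint8_t>& live) {
    return scanRegion(live.data(), kOriginal1, kOriginal1Len,
                      kOriginal1Base, kModuleLo, kModuleHi);
}

int main() {
    for (const Finding& f : scanOriginal1(makeNopPatched()))
        std::printf("%s at +%zu (%zu bytes)\n", f.kind.c_str(), f.offset, f.length);
    for (const Finding& f : scanOriginal1(makeDetoured()))
        std::printf("%s at +%zu (%zu bytes) -> 0x%08X\n",
                    f.kind.c_str(), f.offset, f.length, f.target);
    return 0;
}
```

Run stand-alone it reports one finding per constructed sample: a 6-byte nop-patch at +0 for the NOPed1 bytes, and a 6-byte detour at +0 to 0x00C00000 for the jmp variant. On a real target the `live` buffer would be read from the loaded image and `ref` taken from the file on disk after applying relocations; the classification logic does not change.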

xploiitz
Sweet Thanks, I feel like I'm really getting somewhere with this.
But I still have some questions: are you using Windows API functions (ReadProcessMemory/WriteProcessMemory, FindWindow, GetProcessId etc.) to apply these patches to the specified addresses? Or another method?


Currently this code compiles without any errors. I'm just waiting for your input on my previous questions about the WinAPI functions before I step forward...

If you have a chance , take a look at what I have :p

cPatch.h
#pragma once
#include <Windows.h>

class cPatch
{
private:
	DWORD ADR;
	BYTE OFF_BYTES[255];
	BYTE ON_BYTES[255];
	int SIZE;
	enum PATCHSTATUS
	{
		NORMAL,
		PATCHED,
	};
	int STATUS;

	void* memcpy_s(void* pvAddress, const void* pvBuffer, size_t stLen);
public:
	cPatch(DWORD pAdr,BYTE* pByte,int pSize);
	void Patch();
	void Restore();
};

cPatch.cpp
#include "cPatch.h"

void* cPatch::memcpy_s(void *pvAddress, const void *pvBuffer, size_t stLen)
{
	MEMORY_BASIC_INFORMATION mbi;
	VirtualQuery( ( void* )pvAddress, &mbi, sizeof( mbi ) );
	VirtualProtect( mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &mbi.Protect );
	void* pvRetn = memcpy( ( void* )pvAddress, ( void* )pvBuffer, stLen );
	VirtualProtect( mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &mbi.Protect );
	FlushInstructionCache( GetCurrentProcess( ), ( void* )pvAddress, stLen );
	return pvRetn;
}

cPatch::cPatch(DWORD pAdr,BYTE* pByte,int pSize)
{
	STATUS = NORMAL;
	SIZE = pSize;
	ADR = pAdr;

	// the [i] indices were swallowed by the forum's italic tags; they are needed
	for(int i = 0; i < pSize; i++)
	{
		OFF_BYTES[i] = 0x00;
		ON_BYTES[i] = pByte[i];
	}
}

// must be Patch() (capital P) to match the declaration in cPatch.h
void cPatch::Patch()
{
	if( STATUS==NORMAL )
	{
		BYTE *pOFF_BYTES = (BYTE*)ADR;
		for( int i = 0; i < SIZE; i++ )
		{
			OFF_BYTES[i] = pOFF_BYTES[i];
		}
		memcpy_s((void*)ADR,(const void*)ON_BYTES,SIZE);
		STATUS=PATCHED;
	}
}
void cPatch::Restore()
{
	if(STATUS==PATCHED)
	{
		memcpy_s((void*)ADR,(const void*)OFF_BYTES,SIZE);
		STATUS=NORMAL;
	}
}



main.cpp
/*
Credits to BlackPitchPL from guidedhacking.com for the cPatch class
*/

#include <iostream>
#include <cstdlib>	// system()
#include <Windows.h>
#include "cPatch.h"

#define ADR_COF1 0x0090833b
#define ADR_COF2 0x0090893e

int main()
{
	// each original instruction is 6 bytes, so supply all 6 NOPs: "\x90" alone is
	// only 2 bytes (NOP + terminator) and the class would read past the literal
	cPatch COF1 (ADR_COF1,(BYTE*)"\x90\x90\x90\x90\x90\x90",6);
	cPatch COF2 (ADR_COF2,(BYTE*)"\x90\x90\x90\x90\x90\x90",6);
	COF1.Patch();
	COF2.Patch();

	system("PAUSE");
	return 0;
}

Before I worry about adding all the "bells and whistles" I'm just trying to get the actual patching part down pat! So excuse any amateur habits you might see (I'm still a fairly new programmer anyway).

xploiitz
I don't mean to double post, but the edit button seems to have no function on that previous post.... but I was able to edit this post without any issues. Odd. I'm assuming there's a timer to edit old posts like some other forums have.

Would injecting this as a DLL be a better method than using WinAPI functions? I feel like that would be much less work...?
 

BlackPitchPL
Yep, I inject my code, it's the best way to use it. And you can't just (I mean you can, but it's better) if you put in a function to turn the cheat off :p. Like
C++:
if (Cheat_ON)
{
	COF1.Patch();
	COF2.Patch();
}
else
{
	COF1.Restore();
	COF2.Restore();
}
 

xploiitz
I understand it is better to have an off option, but my goal was to get it running properly before I add in any switches / menu etc. So tonight I'll make that DLL, inject it and see how it works; if my recoil disappears then everything worked out, and I'll continue with making it nice and pretty and more functional :)

Thanks for helping me out man, i'll keep you updated tonight and let you know how it goes.
 

xploiitz
Well, I just wanna say thank you BlackPitchPL. This is officially my first hack (even though I owe you most of it, because this was only possible due to YOUR class).

So this Works wonderfully, and I feel really good about it.

Is this really a code cave though? Or just a patch for the function? Looking at the class source this appears to be a patch. Now I'm not bashing what you have given me, as I am very grateful.

But as my next step I would like to turn this into a code cave! That was my original goal anyway.
 

xploiitz
Alright cool, that clears things up. Yes, NOPing works for me right now, but I'm trying to make this as hidden as possible; I'd hate to get banned. So since I'm injecting a DLL, I think all I can do is some method of module cloaking/hiding, which from the bit of research I have done seems like quite a trivial task for someone at my level. (I'm not very experienced with WinAPI functions.)

Are there any other methods you can suggest before I take a whack at module cloaking?
 