Source Code assembly functions for executable


_kappa (Newbie, Full Member, Jun 24, 2016)
Wrote some assembly functions so I could write code from my executable instead of injecting DLLs. This may be useful when the target has anti-cheat protection that checks for injections into the process.

This code may give you cancer since I wrote it a year ago when I started programming.

Functions:

C++:
#include <windows.h>
#include <tlhelp32.h>
#include <cstring>

PROCESSENTRY32 Entry;
HANDLE hSnapshot, hProcess;

// Walks the process list and calls tFunction once for every process whose
// image name matches lpProcess (case-insensitive). Entry holds the match.
template <typename Template>
void GetProcess(const wchar_t* lpProcess, Template tFunction)
{
    Entry.dwSize = sizeof(PROCESSENTRY32);
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return;

    // Process32First already fills the first entry; the original only
    // compared inside the Process32Next loop and so skipped it.
    if (Process32First(hSnapshot, &Entry) == TRUE)
    {
        do
        {
            if (_wcsicmp(Entry.szExeFile, lpProcess) == 0)
            {
                tFunction();
            }
        } while (Process32Next(hSnapshot, &Entry) == TRUE);
    }

    CloseHandle(hSnapshot);
}

// Copies iSize bytes of code starting at dwHook (inside this executable) to
// dwAddress in the target process, one byte per WriteProcessMemory call.
void AllocateHookToProcess(const wchar_t* lpProcess, DWORD dwAddress, DWORD dwHook, int iSize)
{
    GetProcess(lpProcess, [dwAddress, dwHook, iSize]
    {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Entry.th32ProcessID);
        if (hProcess == NULL)
            return;

        for (int i = 0; i < iSize; i++)
        {
            // Read exactly one byte; the original cast to DWORD* read four
            // and truncated, over-reading past the end of the code block.
            BYTE bHook = *(BYTE*)(dwHook + i);
            DWORD dwAddressHook = dwAddress + i;
            WriteProcessMemory(hProcess, (LPVOID)dwAddressHook, &bHook, sizeof(bHook), NULL);
        }

        CloseHandle(hProcess);
    });
}

// Writes a 5-byte relative jmp (E9) or call (E8) at dwAddress that lands on
// dwHook, or a raw 4-byte value ("double" = dword) for pointer patches, then
// pads with iNop NOPs after the 5-byte instruction.
void WriteHookToProcess(const wchar_t* lpProcess, const char* cHook, DWORD dwAddress, DWORD dwHook, int iNop)
{
    GetProcess(lpProcess, [cHook, dwAddress, dwHook, iNop]
    {
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Entry.th32ProcessID);
        if (hProcess == NULL)
            return;

        BYTE bHook = 0;

        // Compare string contents, not pointers: cHook == "jmp" only worked
        // when the compiler happened to pool identical string literals.
        if (strcmp(cHook, "jmp") == 0)
        {
            bHook = 0xE9;
        }
        else if (strcmp(cHook, "call") == 0)
        {
            bHook = 0xE8;
        }
        else if (strcmp(cHook, "double") == 0)
        {
            DWORD dwDouble = dwHook;
            WriteProcessMemory(hProcess, (LPVOID)dwAddress, &dwDouble, sizeof(dwDouble), NULL);
        }

        if (bHook == 0xE9 || bHook == 0xE8)
        {
            // rel32 is measured from the end of the 5-byte instruction.
            DWORD dwAddressHook = dwAddress + 0x01;
            DWORD dwDestination = dwHook - dwAddress - 0x05;

            WriteProcessMemory(hProcess, (LPVOID)dwAddress, &bHook, sizeof(bHook), NULL);
            WriteProcessMemory(hProcess, (LPVOID)dwAddressHook, &dwDestination, sizeof(dwDestination), NULL);
        }

        // NOP padding starts after the 5-byte jmp/call; pass iNop = 0 when
        // writing a "double", since that only covers 4 bytes.
        for (int i = 0; i < iNop; i++)
        {
            BYTE bNop = 0x90;
            DWORD dwAddressNop = dwAddress + 0x05 + i;
            WriteProcessMemory(hProcess, (LPVOID)dwAddressNop, &bNop, sizeof(bNop), NULL);
        }

        CloseHandle(hProcess);
    });
}
Calling:

C++:
// Address to hook in the target and the code cave that receives the shellcode.
// The 5 bytes overwritten at dwAddress must be whole instructions, and the
// cave has to redo what they did before jumping back to dwAddress + 5.
DWORD dwAddress = 0x01A77C5C;

DWORD dwCodeCave = 0x01ED05C1;
DWORD dwTestHookEntry = 0x00000000;

int iTestHookSize = 0;

// Jump over the shellcode so it never runs in this process; it is only a
// byte template between the two labels that gets copied into the target.
goto BlockEnd;
BlockStart:
_asm
{
	pushad
	mov eax,[ebp+0x08]
	push [eax+0x04]
	push [eax+0x08]
	push [ebp+0x04]
	add esp,0x0C
	popad

	rol cl,0x04
	pushad
	das
	; store the absolute return address (dwAddress + 5) in the target's
	; frame and jump through it, so nothing has to be relocated
	mov dword ptr [ebp+0x1337],0x01A77C5C+0x05
	jmp dword ptr [ebp+0x1337]
}
BlockEnd:

// Compute the shellcode's start address and byte length from the labels.
_asm
{
	mov eax,BlockStart
	mov dwTestHookEntry,eax
	mov eax,BlockEnd
	sub eax,BlockStart
	mov iTestHookSize,eax
}

// Copy the shellcode into the cave, then redirect dwAddress to it with a
// 5-byte jmp and no extra NOPs.
AllocateHookToProcess(L"process.exe", dwCodeCave, dwTestHookEntry, iTestHookSize);
WriteHookToProcess(L"process.exe", "jmp", dwAddress, dwCodeCave, 0);
 
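The arithmetic behind WriteHookToProcess, as an added example that is not code from the original post: it builds the same bytes the post writes with WriteProcessMemory, but against a byte vector so the encoding can be dry-run and decoded back without a target process. The 64-bit address type and the reachability check are assumptions that go beyond the post's 32-bit case; a rel32 displacement must fit a signed 32-bit field, which is always true between 32-bit addresses but not between arbitrary 64-bit modules.

```cpp
// Added example, not code from the original post: the rel32 jmp/call patch
// arithmetic of WriteHookToProcess, done on a byte buffer for dry-running.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// The displacement is measured from the end of the 5-byte instruction and
// must fit in a signed 32-bit field. Always true with 32-bit addresses
// (the post's case); not guaranteed between 64-bit modules (assumption).
bool Rel32Reachable(uint64_t from, uint64_t to)
{
    int64_t disp = static_cast<int64_t>(to) - static_cast<int64_t>(from + 5);
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

// Encode E9 (jmp) or E8 (call) at `from` targeting `to`, little-endian.
std::vector<uint8_t> EncodeRel32(uint8_t opcode, uint64_t from, uint64_t to)
{
    if (opcode != 0xE9 && opcode != 0xE8)
        throw std::invalid_argument("opcode must be E9 or E8");
    if (!Rel32Reachable(from, to))
        throw std::out_of_range("target not reachable with rel32");
    // Wrapping modulo 2^32 is exactly the two's-complement encoding.
    uint32_t disp = static_cast<uint32_t>(to - (from + 5));
    std::vector<uint8_t> out(5);
    out[0] = opcode;
    for (int i = 0; i < 4; i++)
        out[1 + i] = static_cast<uint8_t>(disp >> (8 * i));
    return out;
}

// The full patch the post's WriteHookToProcess emits: a 5-byte jmp/call or a
// raw 4-byte "double" (dword), followed by nNop NOPs. (The post pads from +5
// in all cases; here the padding follows whatever bytes were written.)
std::vector<uint8_t> BuildPatch(const std::string& kind, uint64_t from, uint64_t to, int nNop)
{
    std::vector<uint8_t> patch;
    if (kind == "jmp")
        patch = EncodeRel32(0xE9, from, to);
    else if (kind == "call")
        patch = EncodeRel32(0xE8, from, to);
    else if (kind == "double")
        for (int i = 0; i < 4; i++)
            patch.push_back(static_cast<uint8_t>(to >> (8 * i)));
    else
        throw std::invalid_argument("kind must be jmp, call or double");
    patch.insert(patch.end(), static_cast<size_t>(nNop), static_cast<uint8_t>(0x90));
    return patch;
}

// Decode a patch back to its absolute target; used to check the encoding.
uint64_t DecodeRel32Target(const std::vector<uint8_t>& patch, uint64_t from)
{
    if (patch.size() < 5 || (patch[0] != 0xE9 && patch[0] != 0xE8))
        throw std::invalid_argument("not a rel32 jmp/call");
    uint32_t disp = 0;
    for (int i = 0; i < 4; i++)
        disp |= static_cast<uint32_t>(patch[1 + i]) << (8 * i);
    // Sign-extend the 32-bit displacement before adding it to the address.
    return from + 5 + static_cast<uint64_t>(static_cast<int64_t>(static_cast<int32_t>(disp)));
}

int main()
{
    // The two addresses from the post's calling example.
    std::vector<uint8_t> patch = BuildPatch("jmp", 0x01A77C5C, 0x01ED05C1, 0);
    std::printf("patch at 0x01A77C5C:");
    for (uint8_t b : patch)
        std::printf(" %02X", b);
    std::printf("\ntarget: 0x%08llX\n",
                static_cast<unsigned long long>(DecodeRel32Target(patch, 0x01A77C5C)));
    return 0;
}
```

For the post's own addresses this yields E9 60 89 45 00, and decoding it lands back on the cave; a backward jump encodes as a wrapped negative displacement and decodes the same way.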

Lukor (ded, Meme Tier VIP, Fleep Tier Donator, Dec 13, 2013)
At first look I'm not sure whether this is bugged or not...

If it is actually working... it's interesting.
At the same time it is (very slow) byte patching. This makes it just as detectable as any other hooking method.
 

_kappa (Newbie, Full Member, Jun 24, 2016)
Lukor said:
At first look I'm not sure whether this is bugged or not...

If it is actually working... it's interesting.
At the same time it is (very slow) byte patching. This makes it just as detectable as any other hooking method.

It's working, and what limits the speed isn't really the byte-by-byte patching but the writing to the process; you could improve it to write a dword/qword at a time instead of single bytes too. You are misunderstanding the point of this release:
"This may be useful when the target has anti-cheat protection that checks for injections into the process."
This is meant to be used for games that have protection similar to VAC, which can detect the hash of a DLL. Because you can now write from an executable, you won't have this detection problem.
 

Lukor (ded, Meme Tier VIP, Fleep Tier Donator, Dec 13, 2013)
I did recognize what your goal was, but you need to know that most anti-cheats (AC) check for WPM.
Byte patching is WPM, thus making your hack detected by many ACs.

Most checked things:
OpenProcess, WPM, RPM, byte patching (function hijacking / hooking) and many more.

I did not say that your code is bad or has no use, but told you that your method is basically hooking.
+ the writing speed (WPM) is your byte patching

No hate.
 

_kappa (Newbie, Full Member, Jun 24, 2016)
Lukor said:
I did recognize what your goal was, but you need to know that most anti-cheats (AC) check for WPM.
Byte patching is WPM, thus making your hack detected by many ACs.

Most checked things:
OpenProcess, WPM, RPM, byte patching (function hijacking / hooking) and many more.

I did not say that your code is bad or has no use, but told you that your method is basically hooking.
+ the writing speed (WPM) is your byte patching

No hate.

You are very right, but the purpose of this release was the concept and not the code itself; let me show you what I mean.

Let's assume a game/anti-cheat that has a DLL hash check as well as a CRC with a check for WPM.

First, the code would have to be rewritten with a new implementation of WPM without the usage of the API; you can get this far just by trial and error with googling. The next thing to tackle is the CRC; most games and anti-cheats have a CRC-like method to detect memory editing. However, this is where this concept becomes useful, because it allows you to use any in-game code cave to write your own hooks. This means you can easily find a code cave that is out of CRC range or allocate a new block yourself. With this concept you can do this from an executable combined with a bypassless hooking point, and the code will become undetected by the anti-cheat.
 
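The CRC argument in the post above, illustrated with an added example that is not code from the thread: a minimal CRC32 integrity check of the kind the posts attribute to anti-cheats, run over a constructed in-memory image (0x80 bytes standing in for .text, followed by padding used as the cave). The region layout, filler bytes and offsets are all constructed for the example; a real check would cover a module's actual code section.

```cpp
// Added example, not code from the thread: a CRC32 integrity check over a
// constructed image, showing why a hook outside the checked range survives.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Standard reflected CRC-32 (polynomial 0xEDB88320, as used by zip/PNG).
uint32_t Crc32(const uint8_t* data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
    {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

// A monitored range of the image plus the checksum taken while it was trusted.
struct Region
{
    size_t offset;
    size_t length;
    uint32_t crc;
};

Region Snapshot(const std::vector<uint8_t>& image, size_t offset, size_t length)
{
    return Region{offset, length, Crc32(image.data() + offset, length)};
}

// True while the region still matches its snapshot.
bool Verify(const std::vector<uint8_t>& image, const Region& r)
{
    return Crc32(image.data() + r.offset, r.length) == r.crc;
}

// Overwrite 5 bytes at `at` with an E9 rel32 jmp to `to` (both are offsets
// into the constructed image, standing in for real addresses).
void PatchJmp(std::vector<uint8_t>& image, size_t at, size_t to)
{
    uint32_t rel = static_cast<uint32_t>(to - (at + 5));
    image[at] = 0xE9;
    for (int i = 0; i < 4; i++)
        image[at + 1 + i] = static_cast<uint8_t>(rel >> (8 * i));
}

// Constructed image: 0x80 bytes of "code" then 0x80 bytes of int3 padding,
// which plays the role of the code cave.
std::vector<uint8_t> MakeImage()
{
    std::vector<uint8_t> image(0x100, 0xCC);
    for (size_t i = 0; i < 0x80; i++)
        image[i] = static_cast<uint8_t>(0x40 + (i % 8)); // inc reg filler
    return image;
}

// The scenario from the thread: a jmp written inside the checked range is
// caught; bytes written only to a cave outside it are not, unless the
// range is widened to cover the cave. Returns how many of the three
// observations held (3 when all of them do).
int RunScenario()
{
    std::vector<uint8_t> image = MakeImage();
    Region code = Snapshot(image, 0x00, 0x80);
    Region whole = Snapshot(image, 0x00, 0x100);
    int agreed = 0;

    PatchJmp(image, 0x10, 0xC0);            // hook inside the CRC range
    if (!Verify(image, code)) agreed++;     // detected

    image = MakeImage();                    // restore the image
    image[0xC0] = 0x90;                     // write into the cave only
    if (Verify(image, code)) agreed++;      // code-range CRC still matches
    if (!Verify(image, whole)) agreed++;    // a wider range catches it
    return agreed;
}

int main()
{
    std::printf("observations holding: %d/3\n", RunScenario());
    return 0;
}
```

The check is only as good as the ranges it covers: a snapshot of the code section alone misses writes to padding or to freshly allocated pages, which is exactly the gap the post describes, so a defender pairs range checks with allocation and write monitoring.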