Help Code Cave Patching - Always Something!



The Angel Of Verdun
Legacy Donator
Dec 11, 2013
England, SW
Hey Guys,

I was really hesitant to ask for help, but this is driving me insane. I can seem to write my bytes in the jump/cave correctly(ish), but it seems to write 0x00 a few more times, pushing/overwriting my return jump address/bytes. I actually had it working earlier; it was just a miscalculation on the return, but that has been sorted now and I cannot remember how I did it. I know it's due to the data types, or maybe an error with the maths, but it's been hard to sleep as I can't stop thinking about this. I will attach my source and pictures to explain better what happens.

Before Anything (Memory).

Code Injected/Cave Created.

The Jump Followed.

Jump Returns Correct Address For Return (although it's +1 in memory from where it should be; I'm sure that's just me going a bit too far with the maths) - if I don't write any bytes to the cave.

I have been trying to solve this for hours now :L

	template <class cData>
	void write(DWORD Address, cData ValueToWrite){
		VirtualProtectEx(hProcess, (LPVOID)(Address), sizeof(ValueToWrite), PAGE_EXECUTE_READWRITE, &Prot); // Remove protection on protected addresses
		WriteProcessMemory(hProcess, (LPVOID)(Address), &ValueToWrite, sizeof(cData), NULL);
		VirtualProtectEx(hProcess, (LPVOID)(Address), sizeof(ValueToWrite), Prot, new DWORD); // Restore protection to address after write
	}

	void Patch(DWORD Address, int size){
		DWORD PT = 0x90;
		for(int i = 0; i < size; i++){
			DWORD TMP = Address + i;
			WriteProcessMemory(hProcess, (LPVOID)TMP, &PT, sizeof(BYTE), NULL);
		}
	}

DWORD ProcMem::Jump(DWORD Address, DWORD Bytes[]){

	int size = sizeof(Bytes);

	//Create CodeCave
	DWORD CodeCave = NULL; // initialize variable
	CodeCave = (DWORD)VirtualAllocEx(hProcess, NULL, 512, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); // Allocate memory for us to use and grab the start address of that page (CAVE)

	//calculate jump/return in BYTES
	DWORD RetJmp = ((DWORD)Address + 5);

	//Writing To The CodeCave
	DWORD JMP = 0xE9; // JMP OpCode/Byte
	write<DWORD>((DWORD)CodeCave + size, JMP); // write E9 as first byte (JMP) (after written bytes) - to the first address of the allocated page
	write<DWORD>((DWORD)CodeCave + size + 1, RetJmp); // after E9 (first byte) write the jmp back address in bytes that we got with RetJmp. {maybe loop this}
	//Calculate Bytes For JMP From First Address in BYTES
	DWORD BaseJmp = CodeCave - ((DWORD)Address + 5);
	//if the size of the array is 5 bytes or more it will NOP the next address
	if(size >= 5){
		Patch((DWORD)Address + 5, 1);
	}

	// info to jump from first address
	write<DWORD>((DWORD)Address, JMP); // Base Address, Write E9 For Jump
	write<DWORD>((DWORD)Address + 1, BaseJmp); // Write the next byte++ of the address we're jumping from with BaseJmp bytes (calculated to CodeCave address)
	return CodeCave; // Return CodeCave Address That We Wrote To So We Can DeAllocate Later
}

BOOL ProcMem::Inject(DWORD Address, DWORD Bytes[]){

	DWORD TMP = Jump((DWORD)Address, Bytes);
	for(int i = 0; i < sizeof(Bytes); i++){
		write<DWORD>((DWORD)TMP + i, Bytes[i]); // overwrites my Jump Back and other Bytes
	}
	return true;
}

	// call site
	DWORD BB[] = {0xC7, 0x46, 0x3C, 0x00, 0x00, 0x00, 0x00};
	mem.Inject(0x76999B, BB);

Maybe I should just use WriteProcessMemory to make sure it's not my write function - I'll give it a try now and update back here.

It's very frustrating as I keep getting close, then something goes wrong. I haven't been able to sleep in a while, so maybe it's something stupid - but yeah, I tried for like 2 days with this; maybe I should have spent some more time on it. I just really want to know where I'm going wrong here, as I'll be working with memory a lot.

Honestly this is probably due to lack of sleep, but feel free to take a look :)


Kim Kong Trasher
Legacy Donator
Dank Tier VIP
Jul 19, 2012
Mankei Iland
From a quick look RetJmp looks wrong; you want to calculate it like you did with the other jump. I'm on my phone though, can't say much more.
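What the reply points at, worked through as an added example that is not code from the thread: the displacement of an E9 jump is the target minus the address of the next instruction, for the return jump just as for the hook jump, and the hook and cave bytes are built in plain buffers so the arithmetic can be checked without touching any process. It assumes a 32-bit target as in the post, reuses the post's hook address and seven payload bytes, takes the cave address as a parameter (whatever the allocation returned), and passes the payload length explicitly because sizeof(Bytes) on an array parameter is the size of a pointer, which is the `size` the post's Jump() computes.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// An x86 near relative jump is 5 bytes: opcode 0xE9 plus a 32-bit little-endian displacement.
constexpr uint32_t kJmpLen = 5;

// The 7 bytes the post injects (mov dword ptr [esi+0x3C], 0), used as the worked payload.
const uint8_t kPostBytes[] = {0xC7, 0x46, 0x3C, 0x00, 0x00, 0x00, 0x00};

// Displacement for a "jmp target" placed at `from`. The CPU adds it to the address of the
// NEXT instruction (from + 5), i.e. the post's BaseJmp = CodeCave - (Address + 5). uint32_t
// arithmetic wraps, giving the two's-complement value a backward jump needs.
uint32_t rel32(uint32_t from, uint32_t target) {
    return target - (from + kJmpLen);
}

// Appends the 5 bytes of "jmp target" to `out`, one byte at a time (the post's write<DWORD>()
// stores 4 bytes for the 1-byte opcode and so clobbers what follows it).
void encode_jmp(uint32_t from, uint32_t target, std::vector<uint8_t>& out) {
    uint32_t disp = rel32(from, target);
    out.push_back(0xE9);
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(disp >> (8 * i)));
}

// Decodes a jmp located at `at` and returns where it lands (what a debugger view shows).
uint32_t jmp_target(uint32_t at, const uint8_t* bytes) {
    uint32_t disp = 0;
    for (int i = 0; i < 4; ++i) disp |= static_cast<uint32_t>(bytes[1 + i]) << (8 * i);
    return at + kJmpLen + disp;
}

// Hook bytes for `hook_addr`: jmp cave, then NOPs over the rest of the overwritten
// instruction(s). stolen_len must be >= 5 and cover whole instructions (7 for the post's mov).
std::vector<uint8_t> build_hook(uint32_t hook_addr, uint32_t cave_addr, std::size_t stolen_len) {
    std::vector<uint8_t> hook;
    encode_jmp(hook_addr, cave_addr, hook);
    while (hook.size() < stolen_len) hook.push_back(0x90);
    return hook;
}

// Cave bytes: the payload, then a jmp back to hook_addr + 5. That return jump is encoded
// RELATIVE to its own position (cave_addr + payload_len), not as the absolute RetJmp of the
// post. payload_len is explicit: sizeof() on an array parameter is the size of a pointer.
std::vector<uint8_t> build_cave(uint32_t hook_addr, uint32_t cave_addr,
                                const uint8_t* payload, std::size_t payload_len) {
    std::vector<uint8_t> cave(payload, payload + payload_len);
    encode_jmp(cave_addr + static_cast<uint32_t>(payload_len), hook_addr + kJmpLen, cave);
    return cave;
}
```

Decoding each jump with jmp_target() and comparing against the intended landing address is the quickest way to confirm the arithmetic before any byte is written anywhere.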