Solved Inject ASM through C++ externally


SkyLuvv

Newbie
Full Member
Apr 5, 2017
5
52
0
Hi, I saw some videos on how to accomplish this through DLLs, like in Fleep's codecaving tutorial, but none on how to do it externally (unless I missed it; if that's the case, anyone care to post the link?). I want to inject ASM into the allocated memory region I created using VirtualAllocEx, but don't know how to accomplish this. If anyone knows how, can you share or post a link to useful information? I'd appreciate it, thank you!
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
Weird, can you check what the source function looks like?
Print the address of the Shellcode in your hack to the console and go to that location with CE. Maybe the compiler does that crap because of some stupid optimization. Do you compile in Debug or Release mode?
If you're in Debug mode, change to Release mode. Also turn off incremental linking in the project settings.
 

Broihon
Write the ASM you want to inject in your program and copy the bytes:
C++:
__declspec(naked) void Shellcode()
{
     __asm
     {
          //your code
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop //use nops to get the function size
     }
}

UINT FuncSize = 0;
DWORD * pFunc = (DWORD *)Shellcode;

while(*pFunc != 0x90909090) //0x90 is the byte for the 'nop' instruction
{
     ++pFunc;
     ++FuncSize;
}

void * pShellcode = VirtualAllocEx(hProc, nullptr, FuncSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(pShellcode)
     WriteProcessMemory(hProc, pShellcode, Shellcode, FuncSize, nullptr);
 

Broihon
SkyLuvv said:
Thanks for your reply, I appreciate it. A few questions, though. How do we use the nops to get the size of the function? By iterating over the bytes and once it reaches one of the nops, it stops and the result is what determines the size?

Basically yes. I'm looping through the function using DWORDs and not BYTEs.

SkyLuvv said:
Also, why do we use 0x90909090 instead of 0x90 in "while(*pFunc != 0x90909090)"?

As I mentioned, I'm using DWORDs (4-byte values). This way it's more secure. If I only wait for one byte to be 0x90, the chances are high that it's not the end of the function. That's also why I placed a bunch of nops at the end of the function.
It's very unlikely to have four 0x90's which aren't part of the extra nops. And four nops are just 0x90909090 in memory. You can simply check that by attaching Cheat Engine (or any disassembler) to your hack.exe.

SkyLuvv said:
Another thing, I tried the code, and it allocated the memory successfully (as usual) but it doesn't inject the right code. It just injects another jump to a different area in memory, for some reason.

Ye, it just injects a 4th of the code because I made a mistake in the code (written from scratch).
The loop should look like this:
C++:
while(*pFunc != 0x90909090)
{
     ++pFunc;
     FuncSize += 4; //since pFunc is a DWORD* you have to increase the function size by 4 bytes for each iteration of the loop
}
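As an added illustration of Broihon's point about scanning in DWORDs rather than single bytes (constructed example code, not code from the thread): the byte array below is a made-up encoding of the naked Shellcode() above whose address operand happens to contain two stray 0x90 bytes, so a one-byte scan stops early while the four-nop check finds the real end. The `cap` argument and the function names are additions here; the original loop has no bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample bytes (not a real compiler dump): the two
 * instructions from the thread's Shellcode() followed by eight nops.
 * The absolute address in the second instruction was chosen so that
 * it contains two stray 0x90 bytes inside the operand. */
static const uint8_t kShellcodeSample[] = {
    0x8B, 0xC8,                          /* mov ecx, eax            */
    0x89, 0x0D, 0x90, 0x90, 0x40, 0x00,  /* mov [0x00409090], ecx   */
    0x90, 0x90, 0x90, 0x90,              /* nop padding (terminator)*/
    0x90, 0x90, 0x90, 0x90
};

/* Broihon's corrected loop: step 4 bytes at a time and stop at the
 * first 0x90909090 dword. Returns the number of bytes before it, or
 * (size_t)-1 if no terminator exists within cap bytes. Because the
 * scan moves in aligned 4-byte steps it can overshoot the real code by
 * up to 3 bytes, so the padding must be at least 7 nops; 8 is safe. */
size_t func_size_dword(const uint8_t *code, size_t cap)
{
    size_t n = 0;
    while (n + 4 <= cap) {
        uint32_t dw;
        memcpy(&dw, code + n, sizeof dw);  /* memcpy: no unaligned read */
        if (dw == 0x90909090u)
            return n;
        n += 4;
    }
    return (size_t)-1;
}

/* Single-byte variant for comparison: stops at the first 0x90, so it
 * is fooled by any 0x90 that is part of an operand. */
size_t func_size_byte(const uint8_t *code, size_t cap)
{
    for (size_t n = 0; n < cap; n++)
        if (code[n] == 0x90)
            return n;
    return (size_t)-1;
}
```

On the sample the DWORD scan reports 8 bytes (the true length), the byte scan reports 4 and would inject only the first instruction.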
 

SkyLuvv
Thank you again for the explanations. The code seems to work better now, after a few tests, but there are still some issues that occur, one of them being that instead of writing the actual assembly instructions to the allocated memory region, it writes two jumps. One to another region in memory where it does write the instructions I defined, and another one below it to an unused memory region, and overwrites all the bytes beneath those two jumps with CC.

00480000 - E9 8A0F0000 - jmp 00480F8F
00480005 - E9 65110000 - jmp 0048116F
0048000A - CC - int 3
0048000B - CC - int 3
...................................

Here is the test code I am using:

C++:
#include <windows.h>
#include <iostream>

// written by the shellcode; declared here so the snippet compiles.
// Note: this variable lives in the injector, not in the target process,
// so the absolute address baked into "mov store,ecx" is meaningless there.
DWORD store = 0;

__declspec(naked) void Shellcode()
{
    __asm
    {
        mov ecx,eax
        mov store,ecx
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        //use nops to get the function size
    }
}

int main()
{
    HWND window = FindWindowA(NULL, "PatchGame");
    if (window == NULL)
    {
        std::cout << "Error001: Unable to locate the window." << std::endl;
        Sleep(5000);
        exit(-1);
    }

    DWORD procID;
    if (!GetWindowThreadProcessId(window, &procID))
    {
        std::cout << "Error002: Couldn't get the process ID." << std::endl;
        Sleep(5000);
        exit(-1);
    }
    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    if (handle == NULL)
    {
        std::cout << "Error003: Couldn't open the process." << std::endl;
        Sleep(5000);
        exit(-1);
    }

    system("PAUSE");

    UINT FuncSize = 0;
    DWORD * pFunc = (DWORD *)Shellcode;

    //get the size of the function: stop when the scan meets the nop padding
    while (*pFunc != 0x90909090)
    {
        ++pFunc;
        FuncSize += 4; //since pFunc is a DWORD* you have to increase the function size by 4 bytes for each iteration of the loop
    }

    void * pShellcode = VirtualAllocEx(handle, NULL, FuncSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    std::cout << "our function address ";
    std::cout << std::hex << pShellcode << std::endl;

    system("PAUSE");
    if (pShellcode)
        WriteProcessMemory(handle, (LPVOID)pShellcode, Shellcode, FuncSize, NULL);
    system("PAUSE");
    std::cout << "store : " << store;

    CloseHandle(handle);
    return 0;
}


One more thing, if you don't mind answering. How can I write a jump in my program? I tried giving the address like: jmp baseaddr, where baseaddr is a DWORD_PTR, and casting it to an LPVOID the way WriteProcessMemory/ReadProcessMemory accept addresses, but it's not being interpreted the way I want.
 

SkyLuvv
Oh, awesome. It was because I had the project in Debug mode. It works well in Release mode, thank you. Do you know how I can write the jump?

C++:
DWORD store = NULL;
DWORD thisaddress = //address;
int ouraddress;

__declspec(naked) void Shellcode()
{
    (LPVOID)ouraddress;
    __asm
    {
        mov ecx,eax
        mov store,ecx
        jmp thisaddress //jumping through a variable assembles to an indirect jmp dword ptr [thisaddress]
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        //use nops to get the function size
    }
}

would just give me something like:

jmp dword ptr [000B4CE8]

Thanks a bunch for your help!
 

Broihon
Glad it works. If you want to write a jmp to your function, you have to write the jmp instruction (0xE9) followed by the relative address to the hook.
E.g. let's pretend your shellcode is allocated at 0x8123400 (target) and the location where you want to place the jmp is 0x56CAB3 (source).
Then you'd place a jmp at that address, and after that comes the relative address:
0x56CAB3 → 0xE9
0x56CAB4 → target - source - 5 = 0x8123400 - 0x56CAB3 - 5 = 0x7BB6948
The additional -5 comes from the jmp instruction itself, since the instruction takes 5 bytes.
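The arithmetic above turned into code, as an added example that is not from the thread: build the 5-byte near jmp for a source/target pair and decode it back to check the result. Unsigned 32-bit arithmetic makes backward jumps wrap into the two's-complement rel32 the CPU expects; the function names are chosen for this example, the 0x56CAB3 / 0x8123400 pair is the one used above.

```c
#include <stdint.h>
#include <stdio.h>

/* rel32 = target - source - 5: the displacement is relative to the end
 * of the 5-byte instruction. Unsigned arithmetic wraps backward jumps
 * into their two's-complement encoding. */
uint32_t jmp_rel32(uint32_t src, uint32_t dst)
{
    return dst - src - 5u;
}

/* Build the bytes that go at src: E9 followed by rel32, least
 * significant byte first (x86 is little-endian). */
void encode_jmp(uint32_t src, uint32_t dst, uint8_t out[5])
{
    uint32_t rel = jmp_rel32(src, dst);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Reverse: where does an E9 jmp located at src land? Returns 0 if the
 * opcode is not E9. Addition wraps modulo 2^32, so negative rel32
 * values (backward jumps) come out right. */
uint32_t decode_jmp_target(uint32_t src, const uint8_t in[5])
{
    if (in[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)in[1] | ((uint32_t)in[2] << 8) |
                   ((uint32_t)in[3] << 16) | ((uint32_t)in[4] << 24);
    return src + 5u + rel;
}

/* Self-check: encode, decode, and compare with the intended target. */
int jmp_roundtrip_ok(uint32_t src, uint32_t dst)
{
    uint8_t buf[5];
    encode_jmp(src, dst, buf);
    return decode_jmp_target(src, buf) == dst;
}

int main(void)
{
    uint8_t buf[5];
    encode_jmp(0x56CAB3u, 0x8123400u, buf);   /* the thread's numbers */
    printf("rel32 = %08X, bytes:", (unsigned)jmp_rel32(0x56CAB3u, 0x8123400u));
    for (int i = 0; i < 5; i++)
        printf(" %02X", buf[i]);
    printf("\n");   /* prints: rel32 = 07BB6948, bytes: E9 48 69 BB 07 */
    return 0;
}
```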
 