
    [C++] Example of patching pointers

    Example of patching pointers


    At load time the DLL signature-scans the game's executable image to re-locate the target instruction (so a new game build does not require editing a hard-coded offset), follows the pointer that instruction references, and overwrites the value the code calls the console setting. Note that this is an injected DLL writing into another process's memory: use it only on a game you are entitled to modify, and be aware that the example does no validation, so a signature miss or a relocated image crashes the host process rather than failing cleanly.

    neverfail.cpp
     /******************************************
    * Mess with the best die like the rest. *
    * Project opened 11th August 2007~~ *
    * *
    * Mr. Novocain! *
    * <novcain@gmail.com> *
    * neverfail.cpp Main functions *
    ******************************************/
    #include <Windows.h>
    #include <fstream>
    #include "sigsearch.h"
    #include "siggehs.h"
    using namespace std;

    //GetDirectoryFile from azorbix' D3D8 starterkit
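    // Directory the DLL was loaded from, including the trailing backslash
    // (filled in by DllMain). Sized to match the length DllMain passes to
    // GetModuleFileName; the original 320-byte array was written with a
    // 512-byte limit, a stack-independent but real overflow.
    char dlldir[512];

    // Builds "<dlldir><filename>" in a static buffer and returns it.
    // The result is truncated, never overflowed, if the combination does
    // not fit; the returned pointer is overwritten by the next call and the
    // function is not thread-safe (the original strcpy/strcat had no bound).
    // filename: file name relative to the DLL directory; NULL is treated as "".
    char *GetDirectoryFile(const char *filename)
    {
        static char path[512];

        size_t dirLen = strlen(dlldir);
        if (dirLen >= sizeof(path))
            dirLen = sizeof(path) - 1;
        memcpy(path, dlldir, dirLen);

        size_t room = sizeof(path) - 1 - dirLen;
        size_t nameLen = filename ? strlen(filename) : 0;
        if (nameLen > room)
            nameLen = room;
        if (nameLen)
            memcpy(path + dirLen, filename, nameLen);

        path[dirLen + nameLen] = '\0';
        return path;
    }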
    //add_log from azorbix' D3D8 starterkit
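    // Log sink for add_log; opened by DllMain next to the DLL. Not thread-safe:
    // DllMain and MainThread both write to it (in practice one after the other).
    std::ofstream ofile;

    // printf-style line logger. Formats into a fixed 256-byte line (longer
    // messages are truncated) and appends it as one line to ofile.
    // Does nothing when the log is not open or fmt is NULL.
    // Every line is flushed so the tail survives if the host dies right after.
    // Variadic functions are always __cdecl on MSVC, so the explicit keyword
    // the original carried was redundant.
    void add_log(const char *fmt, ...)
    {
        if (!ofile.is_open() || fmt == NULL)
            return;

        char logbuf[256];
        va_list va_alist;
        va_start(va_alist, fmt);
        // vsnprintf always NUL-terminates; the _vsnprintf it replaces did not
        // when the output was truncated, which left logbuf unterminated.
        int written = vsnprintf(logbuf, sizeof(logbuf), fmt, va_alist);
        va_end(va_alist);
        if (written < 0)
            logbuf[0] = '\0';   // format error: log an empty line rather than garbage

        ofile << logbuf << std::endl;
    }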

    //the main thread
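    // Worker started from DllMain. Reads the absolute address out of the
    // MOV EAX,[imm32] instruction that the signature scan located (ConsoleAddr,
    // siggehs.h), follows that pointer, and writes 18 into the field at +0x18.
    // Declared in the LPTHREAD_START_ROUTINE shape CreateThread expects; the
    // parameter is unused and defaulted so a plain MainThread() call still works.
    // Returns 0 when the value was written, 1 when nothing was patched.
    DWORD WINAPI MainThread(LPVOID lpvParam = NULL)
    {
        (void)lpvParam;

        // siggehs.h sets ConsoleAddr = FindAddress(...) + 6, so a failed scan
        // leaves a tiny value (6 or 0). The original dereferenced it anyway and
        // took the host process down with it.
        if (ConsoleAddr < dwBaseAddress) {
            add_log("Console signature not found (ConsoleAddr=0x%X) - nothing patched", ConsoleAddr);
            return 1;
        }

        // ConsoleAddr points at the A1 opcode; the 32-bit absolute address is
        // the operand immediately after it, e.g.
        //00430350 /$ A1 D0B36300 MOV EAX,DWORD PTR DS:[63B3D0]
        // Reading the operand as one DWORD replaces the original byte-by-byte
        // reassembly, which dropped the high byte (pinned to 0x00 by the
        // signature, so the value is the same) and left FindPointerAddress[4] unset.
        DWORD dwFirstAddress = 0;
        memcpy(&dwFirstAddress, (const void*)(ConsoleAddr + 1), sizeof(dwFirstAddress));
        add_log("Address: 0x%X", dwFirstAddress);

        DWORD dwPointer = 0x18;   // offset of the patched field inside the object
        add_log("Pointer: 0x%X", dwPointer);

        // [dwFirstAddress] holds a pointer to the object. It can still be NULL
        // if the game has not created the object by the time we are injected.
        DWORD dwBuffer = *(DWORD*)dwFirstAddress;
        if (dwBuffer == 0) {
            add_log("Object pointer at 0x%X is NULL - not patched", dwFirstAddress);
            return 1;
        }
        DWORD dwRealAddress = dwBuffer + dwPointer;
        add_log("Address it points to: 0x%X", dwRealAddress);

        // NOTE(review): the write assumes the object lives in writable memory
        // (it is reached through a data pointer, not code). If a write access
        // violation shows up, VirtualProtect the page first.
        int* pConsole = (int*)dwRealAddress;
        add_log("Console is currently: %d", *pConsole);   // original logged the pointer, not the value

        *pConsole = 18;
        add_log("Console patched to: %d (should be 18.. else error :/)", *pConsole);

        return 0;
    }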

    //entry point
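    // DLL entry point. On process attach it records the directory this DLL was
    // loaded from, opens the log there, and starts MainThread, which performs
    // the scan-and-patch once the loader lock is released. Always returns TRUE
    // (the Windows-mandated BOOL, not the narrower bool the original used) so
    // the load succeeds even when the log cannot be opened - add_log is a
    // no-op on a closed stream. Nothing is done on the other reasons.
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
    {
        (void)lpvReserved;

        if (dwReason == DLL_PROCESS_ATTACH) {
            // Bound by the buffer itself: the original passed a literal 512 for
            // a 320-byte array. GetModuleFileName does not guarantee a NUL on
            // truncation (pre-Vista), so terminate explicitly.
            DWORD n = GetModuleFileName(hModule, dlldir, sizeof(dlldir));
            if (n == 0)
                dlldir[0] = '\0';
            dlldir[sizeof(dlldir) - 1] = '\0';

            // Keep the directory part including its trailing backslash.
            char *lastSep = strrchr(dlldir, '\\');
            if (lastSep)
                lastSep[1] = '\0';

            ofile.open(GetDirectoryFile("logophile.txt"), std::ios::app);
            add_log("\n~ DLL attached!!\n~ Mr. Novocain!\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~");

            DisableThreadLibraryCalls(hModule);

            // The LPTHREAD_START_ROUTINE cast keeps this call valid whatever
            // exact prototype MainThread has. The handle is not needed, so it is
            // closed right away (the thread keeps running); the original leaked it.
            HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MainThread, NULL, 0, NULL);
            if (hThread)
                CloseHandle(hThread);
            else
                add_log("CreateThread failed: %lu", (unsigned long)GetLastError());
        }
        return TRUE;
    }//I know I'm not perfect but I'm pretty ****ing close. EoF.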


    siggehs.h
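    // Byte pattern located by FindAddress (sigsearch.h): pop esi / ret 4 /
    // two int3 padding bytes, then MOV EAX,[imm32] / ret / padding.
    // 0xDD is the wildcard byte DataCompare accepts for "any value"; the three
    // wildcards cover the varying low bytes of the absolute address, while the
    // high byte is pinned to 0x00. The pattern therefore only matches while the
    // referenced address is below 0x01000000, i.e. the classic 0x00400000
    // image base without relocation.
    BYTE ConsoleSig[] = {0x5E,0xC2,0x04,0x00,0xCC,0xCC,0xA1,0xDD,0xDD,0xDD,0x00,0xC3,0xCC,0xCC};

    // Address of the A1 opcode (pattern offset 6), or 0 when the pattern is
    // absent. The original added 6 unconditionally, turning "not found" into
    // the bogus address 6. Runs as a static initializer, i.e. during DLL load,
    // before DllMain - any fault in the scan surfaces as a load-time crash.
    static DWORD LocateConsoleAddr(void)
    {
        DWORD match = FindAddress(ConsoleSig, sizeof(ConsoleSig));
        return match ? match + 0x00000006 : 0;
    }
    DWORD ConsoleAddr = LocateConsoleAddr();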


    sigsearch.h
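    // Scan window used by FindAddress: the host executable's image as actually
    // mapped, taken from its own PE header instead of the hard-coded
    // 0x00400000 / 0x001C5000 the original carried for one particular game
    // build. Everything here is 32-bit only, like the rest of the example.
    // Both globals are set by static initializers, before DllMain runs, and
    // before the siggehs.h initializer that uses them.
    static DWORD ImageSizeOf(DWORD dwBase)
    {
        if (dwBase == 0)
            return 0;
        const IMAGE_DOS_HEADER* dos = (const IMAGE_DOS_HEADER*)dwBase;
        if (dos->e_magic != IMAGE_DOS_SIGNATURE)
            return 0;
        const IMAGE_NT_HEADERS* nt = (const IMAGE_NT_HEADERS*)(dwBase + dos->e_lfanew);
        if (nt->Signature != IMAGE_NT_SIGNATURE)
            return 0;
        return nt->OptionalHeader.SizeOfImage;
    }

    // GetModuleHandle(NULL) is the main executable's base, so the window also
    // follows a relocated image (the signature itself may still not match then,
    // see siggehs.h). A zero length makes FindAddress report "not found".
    DWORD dwBaseAddress = (DWORD)GetModuleHandle(NULL);
    DWORD dwLength = ImageSizeOf(dwBaseAddress);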

    //function which checks if current offset is the sig
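    // Wildcard byte in a signature: a mask byte of this value matches anything.
    // Consequently a pattern can never require a literal 0xDD. (The original
    // comment said 0x99 while the code compared against 0xDD.)
    static const BYTE SIG_WILDCARD = 0xDD;

    // Compares iLength bytes at pData against bMask, treating SIG_WILDCARD in
    // bMask as "don't care". Returns true on a full match. A NULL pointer is
    // reported as no match; a non-positive length matches trivially, as before.
    // pData must point at iLength readable bytes - nothing here checks that.
    bool DataCompare(const BYTE* pData, const BYTE* bMask, int iLength)
    {
        if (pData == NULL || bMask == NULL)
            return false;
        for (int i = 0; i < iLength; i++) {
            if (bMask[i] == SIG_WILDCARD)
                continue;
            if (pData[i] != bMask[i])
                return false;
        }
        return true;
    }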

    //function to search for signature
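    // Linear scan of [dwBaseAddress, dwBaseAddress + dwLength) for the first
    // position where DataCompare matches bMask. Returns that address, or 0 when
    // the pattern is absent or the arguments make no sense (NULL mask,
    // non-positive length, pattern longer than the window - the original's
    // unsigned subtraction wrapped in that last case and scanned off the end).
    // The last candidate is dwLength - iLength inclusive; the original's '<'
    // stopped one short. Every byte of the window is read, so a window that
    // crosses unmapped pages faults instead of returning 0.
    DWORD FindAddress(BYTE *bMask, int iLength)
    {
        if (bMask == NULL || iLength <= 0 || (DWORD)iLength > dwLength)
            return 0;

        DWORD dwLast = dwLength - (DWORD)iLength;
        for (DWORD i = 0; i <= dwLast; i++) {
            if (DataCompare((const BYTE*)(dwBaseAddress + i), bMask, iLength))
                return dwBaseAddress + i;
        }
        return 0;
    }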


    The attached archive contains a Visual Studio 2003 .NET workspace for the example.


