Monday, July 1, 2013

CrossFire Alpha appearance editor

Now I will show you how to make ghosts visible in CrossFire.

You still need C++ and to know how to make an undetected DLL; you can read about that in my post.

First, what is FindPattern?

FindPattern is a function you can use to find a byte array inside a module. I found it here:

bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    // Walk the mask: 'x' bytes must match the pattern, '?' bytes are wildcards
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask) return 0;
    return (*szMask) == '\0';   // reached the end of the mask without a mismatch
}

DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char *szMask)
{
    // Try every offset in [dwAddress, dwAddress + dwLen) and return the first match
    for (DWORD i = 0; i < dwLen; i++)
        if (bCompare((BYTE*)(dwAddress + i), bMask, szMask)) return (DWORD)(dwAddress + i);
    return 0;   // not found
}
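The same masked-byte search, written here as an added example (not the blog's code) in portable C so it compiles and runs on any platform against a constructed buffer instead of a live process. It is the primitive that memory scanners and signature engines use too. Two changes from the version above: it returns an offset (or -1) instead of an absolute address, and it stops the loop early so a pattern near the end of the buffer never compares bytes past the end (the original keeps scanning up to dwAddress + dwLen even when the pattern tail would overhang). The sample bytes and the pattern are constructed for the demo and are not real game bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 if `data` matches `pattern` under `mask`: 'x' bytes must match,
 * '?' bytes are wildcards. The mask length defines the pattern length. */
static int mask_compare(const uint8_t *data, const uint8_t *pattern, const char *mask)
{
    for (; *mask; ++mask, ++data, ++pattern) {
        if (*mask == 'x' && *data != *pattern)
            return 0;
    }
    return 1;
}

/* Scan `buf` (len bytes) for the masked pattern. Returns the offset of the
 * first match, or -1 if none. The loop bound `i + plen <= len` guarantees
 * the comparison never reads past buf + len. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || plen > len)
        return -1;
    for (size_t i = 0; i + plen <= len; ++i) {
        if (mask_compare(buf + i, pattern, mask))
            return (long)i;
    }
    return -1;
}

/* Constructed sample buffer (made up for this example, not real game code).
 * Bytes 5..19 follow the shape of the blog's pattern with arbitrary
 * wildcard bytes in the '?' positions. */
static const uint8_t sample[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,
    0x75, 0x12, 0x83, 0x0D, 0xAA, 0xBB, 0xCC, 0xDD, 0x01, 0xB8,
    0x11, 0x22, 0x33, 0x44, 0xE8, 0xC3
};

/* Demo: the same pattern/mask shape as the blog post, run over `sample`.
 * Expected result is offset 5. */
long demo_find(void)
{
    static const uint8_t pattern[] =
        "\x75\xFF\x83\x0D\xFF\xFF\xFF\xFF\x01\xB8\xFF\xFF\xFF\xFF\xE8";
    return find_pattern(sample, sizeof sample, pattern, "x?xx????xx????x");
}

/* Demo of the overhang case: "E8 C3 00" needs three bytes but only two
 * remain at the end of `sample`, so the scan must report no match
 * instead of reading past the buffer. Expected result is -1. */
long demo_overhang(void)
{
    static const uint8_t pattern[] = "\xE8\xC3\x00";
    return find_pattern(sample, sizeof sample, pattern, "xxx");
}
```

The '?' positions in the mask are where the original pattern carries 0xFF placeholder bytes; the scanner never looks at the pattern byte in those positions, so the placeholder value does not matter.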

Very easy. Here is my code:

WallHackArray = FindPattern(0x400000, 0xFFFFFF, (BYTE *)"\x75\xFF\x83\x0D\xFF\xFF\xFF\xFF\x01\xB8\xFF\xFF\xFF\xFF\xE8", "x?xx????xx????x"); // this pattern locates the DrawPrimitive code

SeeGhostPoint = *(DWORD *)(WallHackArray + 0xA) + 0xB8; // the value at this address controls the alpha appearance

Now define your function.

The normal value at SeeGhostPoint is 5.
To show ghosts, write 14 there:

if (SeeGhost)
{
    *(DWORD *)(SeeGhostPoint) = 14;   // ghosts visible
}
else
{
    *(DWORD *)(SeeGhostPoint) = 5;    // normal value
}

Nice, keep it up :D

Global hook

A global hook injects your code into every process and every executable running on your system.

How does it work?

There are 2 types, and within these there are 15 smaller types, for example:

WH_KEYBOARD: receives keyboard messages
WH_MOUSE: receives mouse events
....

Step 1:

Create a DLL that has your function:


LRESULT CALLBACK <Function name>(int nCode, WPARAM wParam, LPARAM lParam)

In your function we can do everything, but you need to follow some rules:
- if nCode < 0, don't do anything: call CallNextHookEx() and return its default value
- otherwise the function must return a value other than 0

Step 2: Create the hook
HHOOK SetWindowsHookEx(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId)

The arguments have this meaning:

+ idHook: your hook type
+ lpfn: address of the hook procedure
+ hMod: handle of your DLL
+ dwThreadId: determines the range of your hook

Unhook your function: BOOL UnhookWindowsHookEx(HHOOK hHook)

After all the steps, you need to export the hook function and then call it from another process;
use EXPORTS in a .def file.

Hooking is very difficult; you need to learn more to improve your skill.

Preview: mid-function hook

Hello, today we will learn how to make a mid-function hook.

For beginners, you should test it with d3d9, because d3d9.dll has the same address in every program on one OS.


First, define a naked function:

__declspec( naked ) VOID WINAPI EndSceneMidfunction( )
{
}

Now try the first hook with EndScene in d3d9.dll.


Look at this picture: 0x4fe571b0 is the address. Now attach OllyDbg and go to this address.

Now look at this: to make a jump we need 5 bytes, so let's hook on this header (the first 5 bytes of the function).



Save all the memory that will be modified into the naked function:

__declspec( naked ) VOID WINAPI EndSceneMidfunction( )
{
    _asm
    {
        // the 5 bytes of the original prologue that the jump overwrites
        mov edi, edi
        push ebp
        mov ebp, esp
    }
}

After we detour, we need to jump back to the original function. Looking at it, we have 0x4fe571b5, because we hooked the first 5 bytes.

DWORD back = 0x4fe571b5;   // original function, just past the 5 overwritten bytes

__declspec( naked ) VOID WINAPI EndSceneMidfunction( )
{
    _asm
    {
        // replay the overwritten prologue
        mov edi, edi
        push ebp
        mov ebp, esp
    }
    // do your work here
    _asm jmp back;   // continue in the original function
}

How to get the device?

_asm mov eax, dword ptr ds:[ebp + 0x8]   // first argument: LPDIRECT3DDEVICE9 pDevice
_asm mov pDevice, eax                    // pDevice must be declared first: LPDIRECT3DDEVICE9 pDevice;


Now you can draw anything with it :D

How to create an undetected dll

Here is the guide to create an undetected DLL for any game.

First, you need Visual Studio; you can download it from microsoft.com.

Open VS and create a new Win32 project: empty DLL.

How to use the code?

You need to include libraries; we have 2 major ones:


#include <windows.h>
#include <stdio.h>

Now start:

Put in your functions like WriteProcessMemory and ReadProcessMemory; for speed use DWORD, BYTE and FLOAT.
Make a void function:

void YourThread()
{
    while (1)
    {
        // your memory reads/writes go here
        Sleep(10);   // yield so the game does not lag
    }
}

In it, you need a while loop to keep accessing memory:

while (1)
{
    Sleep(10);
}


The Sleep keeps your game from lagging.


Last step: create DllMain


BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    DisableThreadLibraryCalls(hinstDLL);   // no DLL_THREAD_ATTACH/DETACH notifications

    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // thread start is left commented out here
        //CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE) YourThread, 0, NULL, NULL);
    }
    return TRUE;
}

Congratulations on creating your tool :D

You can use VB6 to make an injector.