Question: Small help



Bambii
12-30-2010, 04:26 PM
Hi all,

Stumbled across this forum last night and have been trawling through the forums looking and learning.

Now I know my way around C#, and I know small bits of C++, learning more as I'm studying it at uni, so I'm constantly improving that.

But all I want to do right now is a simple wallhack. Now I read a tut on using the cvars within a plugin, loading the plugin and using them that way whilst hiding the names.

But came up with invalid signature in the plugin. So I went back to square one.

I've done a bit of coding for Combat Arms, finding the pointer etc. For a simple wallhack would I go about this the same way?

Many thanks

xmy
12-30-2010, 04:31 PM
Get the DirectxPointer
Hook EndScene / DrawIndexedPrimitive
Use EndScene to draw texts and lines / Use DrawIndexedPrimitive to change the texture of a primitive and to change its zbuffer

You're done.

Or use the Engine; there is much source code for that.

syntroniks
12-30-2010, 08:22 PM
Your best bet is to abandon the plugin interface and use normal dll injection methods.

Bambii
12-30-2010, 09:00 PM
Ok,

So I'm going to start from the top. Use the cvars listed and try to make a very very simple wireframe "hack".
So I found these addresses

sv_cheats = 0x186A8F0
r_drawothermodels = 0x184C0968

Now what I think I would do next is to freeze the values to 1 and 2 respectively. It's almost like a trainer. But am I on the right lines?
Is there a sample base I can start from or am I expected to make my own?

Once I can get this to work I'll proceed to DirectxPointers and more sophisticated ways of "hacking".

Many Thanks

stev3
12-30-2010, 09:02 PM
OpenProcess (http://msdn.microsoft.com/en-us/library/ms684320(v=vs.85).aspx),
ReadProcessMemory (http://msdn.microsoft.com/en-us/library/ms680553(v=vs.85).aspx),
WriteProcessMemory (http://msdn.microsoft.com/en-us/library/ms681674(v=vs.85).aspx)

:)

Bambii
12-30-2010, 10:18 PM
Ok,

So I've got as far as WriteProcessMemory, but I don't know the bytes for values 1 or 2.

So right now I've got to

    DWORD engine = (DWORD) GetModuleHandle("engine.dll");
    DWORD client = (DWORD) GetModuleHandle("client.dll");
    DWORD tbAddr;
    DWORD bytesRead;
    ReadProcessMemory(hProcess, (LPCVOID)(engine + 0x54A8F0), &tbAddr, 4, &bytesRead);
    //WriteProcessMemory(hProcess, (LPVOID)(engine + 0x54A8F0),
    ReadProcessMemory(hProcess, (LPCVOID)(client + 0x4D0968), &tbAddr, 4, &bytesRead);
    //WriteProcessMemory(hProcess, (LPVOID)(client + 0x4D0968),

This isn't my code but for now I'm just learning.
What would I put after client + 0x4D0968, for example? For the lpBuffer.

stev3
12-30-2010, 10:50 PM
What would I put after client + 0x4D0968, for example? For the lpBuffer.

lpBuffer [in]
A pointer to the buffer that contains data to be written in the address space of the specified process.
:ditsy:

Bambii
12-31-2010, 09:35 AM
Could you help me obtain these values?

I know they are meant to be like

    DWORD bytesWrite;
    DWORD buffer[2] = {0xnumber, 0xnumber};

    WriteProcessMemory(hProcess, (void*)(engine + 0x54A8F0), buffer, 4, &bytesWrite);

It's the 0xnumber I'm not sure how to get yet :S

Many Thanks

stev3
12-31-2010, 09:47 AM
The buffer is for what you're writing to the memory address.

The param is a pointer to a value, right?

    int *pSV_CHEATS = (int *)(engine + 0x12345);
    int iNewValue = 1;
    WriteProcessMemory( hProcess, pSV_CHEATS, &iNewValue, 4, NULL );

Bambii
01-02-2011, 07:08 PM
Ok, sorry to be a pain. But call it writer's block, inexperience or whatever. I'm missing something massive here and I can't work out what.
Since it's a long learning curve, I wanted to do a simple console application which freezes sv_cheats to 1 then freezes r_drawothermodels to 2 (wireframe).
Nothing major, just writing small bits to memory, replacing 0 with 1 etc.

Am I way off here?


    int main()
    {
        HWND hw = FindWindow(NULL, L"Counter-Strike Source");
        if (hw)
        {
            DWORD dwProcessId = 0;
            DWORD dwThreadId = GetWindowThreadProcessId(hw, &dwProcessId);

            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);

            if (hProcess)
            {
                DWORD engine = (DWORD) GetModuleHandle(L"engine.dll");
                DWORD client = (DWORD) GetModuleHandle(L"client.dll");
                int *pSV_CHEATS = (int *)(engine + 0x54A8F0);
                int *pSV_OtherModels = (int *)(client + 0x4D0968);
                int iNewValue = 1;
                DWORD tbAddr;
                DWORD bytesRead;
                DWORD bytesWrite;

                ReadProcessMemory(hProcess, (LPCVOID)(engine + 0x54A8F0), &tbAddr, 4, &bytesRead);  // Read the value at pSV_CHEATS and save it in tbAddr
                WriteProcessMemory(hProcess, pSV_CHEATS, &iNewValue, 4, &bytesWrite);              // Write iNewValue to pSV_CHEATS
                ReadProcessMemory(hProcess, (LPCVOID)(client + 0x4D0968), &tbAddr, 4, &bytesRead);  // Read the value at pSV_OtherModels and save it in tbAddr
                WriteProcessMemory(hProcess, pSV_OtherModels, &iNewValue, 4, &bytesWrite);          // Write iNewValue to pSV_OtherModels
                CloseHandle(hProcess);
            }
        }
    }

Sorry for my slow learning and many thanks.

stev3
01-02-2011, 07:34 PM
You haven't said what happens, so I'll assume nothing...

Check the return of FindWindow for a start, but your main problem probably lies with OpenProcess ;) Fix it, and all shall be gut.

Bambii
01-02-2011, 07:41 PM
Ok,

My FindWindow returns (hw) 000D0EFE, so at least it's not 0000000.

It opens the process, because after if(hProcess) within the {}, I put a cout there and it printed that.

So I'm at a loss right now :S

For the sake of help here's all my code


    #include "stdafx.h"
    #include <iostream>
    #include <Windows.h>

    int main()
    {
        int i;
        HWND hw = FindWindow(NULL, L"Counter-Strike Source");
        std::cout << " " << hw;

        if (hw)
        {
            DWORD dwProcessId;
            DWORD dwThreadId = GetWindowThreadProcessId(hw, &dwProcessId);

            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwProcessId);

            if (hProcess)
            {
                std::cout << "Process Opened " << hw;
                DWORD engine = (DWORD) GetModuleHandleA("engine.dll");
                DWORD client = (DWORD) GetModuleHandleA("client.dll");
                int *pSV_CHEATS = (int *)(engine + 0x54A8F0);
                int *pSV_OtherModels = (int *)(client + 0x4D0968);
                int iNewValue = 1;
                DWORD tbAddr;
                DWORD bytesRead;
                DWORD bytesWrite;

                ReadProcessMemory(hProcess, (LPCVOID)(engine + 0x54A8F0), &tbAddr, 4, &bytesRead);  // Read the value at pSV_CHEATS and save it in tbAddr
                WriteProcessMemory(hProcess, pSV_CHEATS, &iNewValue, 4, &bytesWrite);              // Write iNewValue to pSV_CHEATS
                ReadProcessMemory(hProcess, (LPCVOID)(client + 0x4D0968), &tbAddr, 4, &bytesRead);  // Read the value at pSV_OtherModels and save it in tbAddr
                WriteProcessMemory(hProcess, pSV_OtherModels, &iNewValue, 4, &bytesWrite);          // Write iNewValue to pSV_OtherModels
                CloseHandle(hProcess);
            }
        }
        std::cin >> i;
    }

Problem is it does nothing.
Many Thanks

bobbysing
01-02-2011, 08:11 PM
EDIT: never mind, got it working, had to have the import #include windows.h last
Lucky you, I would've banned you for not reading the rules.

Bambii
01-02-2011, 08:23 PM
I thought it had and kept looking over it by mistake :S

stev3
01-02-2011, 08:36 PM
I told you your error already.

Learn to use GetLastError. Don't just check if something succeeded... you should be doing the exact opposite.

Supericy
01-02-2011, 08:52 PM
Possible solution:

    OpenProcess(PROCESS_ALL_ACCESS, ... )

Also, you don't need to do the FindWindow stuff if you're injecting your DLL; you can just use GetCurrentProcessId();

stev3
01-02-2011, 08:56 PM
Possible solution:

    OpenProcess(PROCESS_ALL_ACCESS, ... )

Also, you don't need to do the FindWindow stuff if you're injecting your DLL; you can just use GetCurrentProcessId();

FFFFFFFFFFFUUUUUUUUUUUUUUUU for telling him the answer, and he's clearly not using a dll

Bambii
01-02-2011, 09:28 PM
PROCESS_ALL_ACCESS didn't work either, if that's what you were hinting at. I thought so after I had another look at OpenProcess in MSDN.

But still doesn't work. I'm going to sleep on it and come back.

Thanks stev3, much appreciated

EDIT: Oh and GetLastError() returned 0 also

EDIT2: Starting to think it's the addresses for sv_cheats and r_drawothermodels, but I think they are right. Can someone verify this for me?
Else I need to go back to school.
I got to here

http://img20.imageshack.us/img20/3762/foundp.png

SuperDave
01-05-2011, 06:53 AM
Quick question: are you overwriting the address of that text? If so, epic failure! Because this is just text used to register the cvar with the engine. Now, just by looking at the debugger ss you posted, I think the cvar value is stored in ecx, or I should say the address to the value. This would be the address you want to patch. It's been a while since I looked at the Source engine and I don't own CS:S, so I'm not 100 percent sure. However, if you breakpoint that function call and look at the stack when it's called, you should be able to find the address to the cvar value.

Cheers

wav
01-05-2011, 07:52 AM
Quick question: are you overwriting the address of that text? If so, epic failure! Because this is just text used to register the cvar with the engine. Now, just by looking at the debugger ss you posted, I think the cvar value is stored in ecx, or I should say the address to the value. This would be the address you want to patch. It's been a while since I looked at the Source engine and I don't own CS:S, so I'm not 100 percent sure. However, if you breakpoint that function call and look at the stack when it's called, you should be able to find the address to the cvar value.

Cheers

no

notice the register eip

SuperDave
01-18-2011, 09:08 AM
no

notice the register eip

Excuse me! You are right.