Making Hacks in C++

C / C++ Discuss, Making Hacks in C++ at Programmers Lounge forum, Gamerz Needs
#1
07-25-2008, 02:21 PM
GzNPrize
Making Hacks in C++

Credits go to Fart_Beans @ bwhacks.net

First of all, this tutorial assumes a basic understanding of C++ and game hacking. You don't need to be great, but you'll need to know what you're doing or you'll have no idea what I'm talking about. This guide will also not address a single hack, but more a general approach to making a hack using C++. This leaves the responsibility of developing the program itself to you, the reader. This hack will address only writing to memory, and not hotkeying and dialogs. With that out of the way, we can get to the meat of this document. You don't need anything special other than a compiler, I recommend MS Visual C++.

To start, I'll list out the functions that we'll be using, and explain each briefly. The function that we'll use to actually write to memory is WriteProcessMemory. Its parameters in order are a handle to the process to write to, the address to write to, the data to be written, the length of the data to be written to in bytes and finally, a pointer to a variable to store the actual number of bytes successfully written. WriteProcessMemory returns 0 if it fails, and a nonzero value if it succeeds.

The next function we'll be using is OpenProcess. This is used to get the process handle we pass to WriteProcessMemory. The parameters taken by OpenProcess are the access level to the process (You need at least write access to use WriteProcessMemory), the inheritance flag and the process id of the process to open. This function returns the handle to the process.

Since we don't have a process handle, we'll need another function to grab it. This function is GetWindowThreadProcessId. Despite its apparently complex name, it only takes two parameters, a handle to the window for which you want the process id and a pointer to the variable that will store the process id. This function returns the thread id of the thread that created the window.

Once again, we don't have a necessary parameter, the window handle. To get this, we use FindWindow. This also only takes two parameters, the classname of the window to be found and the window name. The classname can be ignored, but it's best to go ahead and include it if at all possible. This function returns a handle to the window found.

Phew, that took a while, three functions just to be able to use WriteProcessMemory. Don't worry, it's all pretty simple from here. All that's left to do is actually construct our hack. I'll assume a basic understanding of how a simple C++ application works from this point forward. If you don't know how to make a simple C++ program, just stop reading now.

Before we can use WriteProcessMemory, we must grab the process handle, so we call the functions in the reverse order I listed them: first FindWindow, then GetWindowThreadProcessId and then OpenProcess. It's best to make sure that each function succeeds, otherwise your hack may not work when you expect it to. This can be accomplished with an if or a while. If you use a while loop, you can start up the hack before the game is loaded, and it will continue trying to open the process until it succeeds. Here is an example of a while loop that will wait until the game starts.

#include <windows.h>

HWND WindowHandle;    //Handle to the game window
DWORD pid;            //Process id that owns the window
HANDLE ProcessHandle; //Handle to the game process

WindowHandle = FindWindow("Your Classname Here","Your Window Name Here"); //Grab a handle to the window
while(!WindowHandle) //If the handle is null...
{
    Sleep(50); //Wait 50 milliseconds..
    WindowHandle = FindWindow("Your Classname Here","Your Window Name Here");//and try again
}
GetWindowThreadProcessId(WindowHandle,&pid);//Get a process id
ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS,0,pid);//And grab the process handle

All variables must be declared first of course, but you get the general picture.

Moving right along, we are now at the actual memory writing. The way in which you use WriteProcessMemory is pretty simple.

WriteProcessMemory(ProcessHandle,(void*)AddressToWriteTo,&DataToWrite,DataLength,&BytesWritten);

You can probably figure everything out but the (void*) part. That just tells the compiler that the following variable is a pointer that points to void, or nothing in other words. This makes sense because the address you will be writing to will not point to anything in your hack, but to something in the game. When declaring the address you are writing to, you must precede the address with (void*) or else the compiler will think you're trying to pass a const int to a void pointer.

This is all that will be covered in this tutorial, and I'm sure that you all still have quite a few questions such as hotkeys and dialogs. Those are subjects best left to more specialized tutorials, and there are plenty of documents out on the internet that do a wonderful job of explaining the subjects, far better than anything I could produce at any rate.
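An added example, not part of the thread or of Fart_Beans' tutorial, that looks at the same OpenProcess/WriteProcessMemory chain from the monitoring side. Sysmon Event ID 10 (ProcessAccess) records each successful OpenProcess with the SourceImage, the TargetImage and the GrantedAccess mask; the pipe-separated record layout, the file paths and the helper names below are constructed for this example. The code decodes the mask with the winnt.h bit values, tests for the two rights WriteProcessMemory actually needs (PROCESS_VM_WRITE and PROCESS_VM_OPERATION) and shows why the tutorial's PROCESS_ALL_ACCESS (0x1FFFFF on Vista and later) is the easiest request to spot.

```cpp
// Added example (not from the thread): decode the access mask an OpenProcess
// call was granted, as Sysmon Event ID 10 (ProcessAccess) reports it, and flag
// handles strong enough for WriteProcessMemory. Log records are constructed.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct Right { uint32_t bit; const char* name; };
// Process access rights as defined in winnt.h (fixed by the Win32 ABI).
static const Right RIGHTS[] = {
    {0x0001, "PROCESS_TERMINATE"},            {0x0002, "PROCESS_CREATE_THREAD"},
    {0x0008, "PROCESS_VM_OPERATION"},         {0x0010, "PROCESS_VM_READ"},
    {0x0020, "PROCESS_VM_WRITE"},             {0x0040, "PROCESS_DUP_HANDLE"},
    {0x0080, "PROCESS_CREATE_PROCESS"},       {0x0100, "PROCESS_SET_QUOTA"},
    {0x0200, "PROCESS_SET_INFORMATION"},      {0x0400, "PROCESS_QUERY_INFORMATION"},
    {0x0800, "PROCESS_SUSPEND_RESUME"},       {0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"},
    {0x000F0000, "STANDARD_RIGHTS_REQUIRED"}, {0x00100000, "SYNCHRONIZE"},
};
constexpr uint32_t PROCESS_VM_OPERATION = 0x0008;
constexpr uint32_t PROCESS_VM_WRITE     = 0x0020;
// PROCESS_ALL_ACCESS as defined for Windows Vista and later (0x1FFFFF).
constexpr uint32_t PROCESS_ALL_ACCESS   = 0x000F0000 | 0x00100000 | 0xFFFF;

struct ProcessAccessEvent {
    std::string source;    // SourceImage: the process that called OpenProcess
    std::string target;    // TargetImage: the process whose handle was opened
    uint32_t granted = 0;  // GrantedAccess: the mask the returned handle carries
    bool parsed = false;   // false if any of the three fields was missing
};

// Parse one constructed "Key=Value|Key=Value" record into an event.
ProcessAccessEvent parseEvent(const std::string& line) {
    ProcessAccessEvent ev;
    std::stringstream ss(line);
    std::string field;
    int seen = 0;
    while (std::getline(ss, field, '|')) {
        auto eq = field.find('=');
        if (eq == std::string::npos) continue;
        std::string key = field.substr(0, eq), value = field.substr(eq + 1);
        if (key == "SourceImage")        { ev.source = value; ++seen; }
        else if (key == "TargetImage")   { ev.target = value; ++seen; }
        else if (key == "GrantedAccess") { ev.granted = static_cast<uint32_t>(std::stoul(value, nullptr, 16)); ++seen; }
    }
    ev.parsed = (seen == 3);
    return ev;
}

// Name each right present in the mask, in table order; bits with no name in
// the table (undocumented or newer rights) are appended as one hex value.
std::vector<std::string> decodeRights(uint32_t mask) {
    std::vector<std::string> names;
    uint32_t known = 0;
    for (const Right& r : RIGHTS) {
        if ((mask & r.bit) == r.bit) { names.push_back(r.name); known |= r.bit; }
    }
    if (uint32_t rest = mask & ~known) {
        char buf[16];
        std::snprintf(buf, sizeof buf, "0x%08X", rest);
        names.push_back(buf);
    }
    return names;
}

// WriteProcessMemory needs both PROCESS_VM_WRITE and PROCESS_VM_OPERATION on the handle.
bool grantsMemoryWrite(uint32_t mask) {
    const uint32_t needed = PROCESS_VM_WRITE | PROCESS_VM_OPERATION;
    return (mask & needed) == needed;
}
// True when the handle carries the blanket PROCESS_ALL_ACCESS mask.
bool isAllAccess(uint32_t mask) { return (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS; }

// Return the well-formed records whose handle could be used to write memory.
std::vector<ProcessAccessEvent> findMemoryWriters(const std::vector<std::string>& lines) {
    std::vector<ProcessAccessEvent> hits;
    for (const std::string& line : lines) {
        ProcessAccessEvent ev = parseEvent(line);
        if (ev.parsed && grantsMemoryWrite(ev.granted)) hits.push_back(ev);
    }
    return hits;
}

// Constructed records in the shape of Sysmon Event ID 10 fields; paths are made up.
const std::vector<std::string> SAMPLE_LOG = {
    "SourceImage=C:\\Tools\\trainer.exe|TargetImage=C:\\Games\\game.exe|GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Games\\game.exe|GrantedAccess=0x1410",
    "SourceImage=C:\\Tools\\patcher.exe|TargetImage=C:\\Games\\game.exe|GrantedAccess=0x38",
};

int main() {
    for (const ProcessAccessEvent& ev : findMemoryWriters(SAMPLE_LOG)) {
        std::printf("%s -> %s granted 0x%X%s:", ev.source.c_str(), ev.target.c_str(),
                    ev.granted, isAllAccess(ev.granted) ? " (PROCESS_ALL_ACCESS)" : "");
        for (const std::string& name : decodeRights(ev.granted)) std::printf(" %s", name.c_str());
        std::printf("\n");
    }
    return 0;
}
```

Build with `g++ -std=c++11`. The report lists only the two records whose handle could write memory; the Task Manager record (0x1410, query and read rights only) is ignored. Testing the specific bits rather than the whole mask matters: a rule that fires only on 0x1FFFFF would miss a tool that asks for just VM_OPERATION|VM_READ|VM_WRITE (0x38), which is all WriteProcessMemory requires.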
#2
07-25-2008, 08:45 PM
TheMangoKid
Nice tutorial....
#3
07-26-2008, 04:00 PM
GzNPrize
Thanks Mango! Anyways, gunna make a trainer soon..
#4
07-26-2008, 05:49 PM
kaswar
Too much of the same Tutorials, Hope someone makes a Kernel Mode Bypass Tutorial soon =)

Quote:
WriteProcessMemory(ProcessHand,(void*)AddressToWriteTo,&DataToWrite,DataLength,&BytesWritten);

You can probably figure everything out but the (void*) part. That just tells the compiler that the following variable is a pointer that points to void
You better change that, if it's Pointer then it's PVOID
#5
07-26-2008, 06:15 PM
TheMangoKid
Quote:
Originally Posted by GzNPrize View Post
Thanks Mango! Anyways, gunna make a trainer soon..
pm me when ur done with trainer so i can test it out
#6
07-26-2008, 06:36 PM
kaswar
Quote:
Originally Posted by TheMangoKid View Post
pm me when ur done with trainer so i can test it out
Don't even Expect the trainer to work.
#7
07-26-2008, 06:41 PM
fataldelay
Quote:
Originally Posted by kaswar View Post
Don't even Expect the trainer to work.
You don't have to be mean about it dude....
Maybe it will, maybe it won't, but why do you care? Keep your comments to yourself.
#8
07-29-2008, 02:05 PM
Z3R0
GzNPrize...are you familiar with detours? Maybe you could explain that?...all I know is:
Before DllMain
Code:
#include "stdafx.h"
#include <iostream>
#include "windows.h"
#include "detours.h"
#pragma comment(lib,"detours.lib")
#pragma comment(lib,"psapi.lib")
DWORD dfgiddfg;
HANDLE dfgdsgdsg;

#ifdef __cplusplus
extern "C"
{
#endif
		  

DETOUR_TRAMPOLINE(
HWND WINAPI asdfghjklFindWindow(LPCTSTR lpClassName,LPCTSTR lpWindowName),FindWindow);

DETOUR_TRAMPOLINE(
BOOL WINAPI asdfIsChild(HWND hWndParent, HWND hWnd),IsChild);

DETOUR_TRAMPOLINE(
DWORD WINAPI asdfghjklGetWindowThreadProcessId(HWND hWnd,LPDWORD lpdwProcessId),GetWindowThreadProcessId);

DETOUR_TRAMPOLINE(
HANDLE WINAPI asdfghjklOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId),OpenProcess);

DETOUR_TRAMPOLINE(
int WINAPI asdfghjklMessageBox(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType), MessageBox);


#ifdef __cplusplus
}
#endif
BOOL __stdcall WINAPI RealIsChild(HWND hWndParent, HWND hWnd)
{
    return asdfIsChild(hWndParent, hWnd);
}

HWND __stdcall WINAPI OmniFindWindow(LPCTSTR lpClassName,LPCTSTR lpWindowName)
{
	return asdfghjklFindWindow(lpClassName, lpWindowName);
}

DWORD __stdcall WINAPI OmniGetWindowThreadProcessId(HWND hWnd,LPDWORD lpdwProcessId)
{
	return asdfghjklGetWindowThreadProcessId(hWnd, lpdwProcessId);
}

HANDLE __stdcall WINAPI OmniOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
{
	return asdfghjklOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}

int WINAPI OmniMessageBox(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType)
{
	return asdfghjklMessageBox(hWnd, lpText, lpCaption, uType);
}

BOOL APIENTRY DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch( dwReason )
    {
    case DLL_PROCESS_ATTACH:
        OmniMessageBox(NULL, "OMG OMG", "HELLO", MB_OK);

        DisableThreadLibraryCalls( hModule );
        DetourFunctionWithTrampoline((PBYTE)asdfIsChild, (PBYTE)RealIsChild);
        DetourFunctionWithTrampoline((PBYTE)asdfghjklFindWindow, (PBYTE)OmniFindWindow);
        DetourFunctionWithTrampoline((PBYTE)asdfghjklGetWindowThreadProcessId, (PBYTE)OmniGetWindowThreadProcessId);
        DetourFunctionWithTrampoline((PBYTE)asdfghjklOpenProcess, (PBYTE)OmniOpenProcess);
        return TRUE;

    case DLL_PROCESS_DETACH:
        DetourRemove((PBYTE)asdfIsChild, (PBYTE)RealIsChild);
        DetourRemove((PBYTE)asdfghjklFindWindow, (PBYTE)OmniFindWindow);
        DetourRemove((PBYTE)asdfghjklGetWindowThreadProcessId, (PBYTE)OmniGetWindowThreadProcessId);
        DetourRemove((PBYTE)asdfghjklOpenProcess, (PBYTE)OmniOpenProcess);
        return TRUE;
    }
    return TRUE;
}
It works but if using it for anything it fuggs up the memory so bad that Gameguard can't unload and DEP steps in and starts shutting programs down.
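An added example, not Z3R0's code and not part of the Detours library, showing the check that catches the kind of patch DetourFunctionWithTrampoline leaves behind: Detours overwrites the first instructions of the target with a 5-byte relative JMP (opcode E9) to the detour function. An integrity monitor that keeps a clean copy of a function's prologue (for instance read from the on-disk image) can compare it with the bytes in memory and, if a JMP was planted, decode where it lands. The function address, the clean prologue (mov edi,edi; push ebp; mov ebp,esp, the usual hot-patchable Win32 prologue) and the patched bytes are constructed for this example, as are the helper names.

```cpp
// Added example (not Z3R0's code, not part of Detours): detect the inline patch
// that DetourFunctionWithTrampoline leaves at a hooked function's entry, a 5-byte
// JMP rel32 (opcode E9) to the detour. All addresses and bytes are constructed.
#include <cstdint>
#include <cstdio>
#include <vector>

struct HookCheck {
    bool modified;       // in-memory prologue differs from the clean copy
    bool jmpAtEntry;     // first instruction is JMP rel32
    uint32_t jmpTarget;  // where that JMP lands (32-bit address space, as with 2008-era Detours)
};

// JMP rel32 encodes a signed displacement from the end of the 5-byte
// instruction: target = addr + 5 + rel32. The displacement is little-endian.
uint32_t jmpRel32Target(uint32_t addr, const uint8_t* bytes) {
    uint32_t rel = static_cast<uint32_t>(bytes[1]) | (static_cast<uint32_t>(bytes[2]) << 8) |
                   (static_cast<uint32_t>(bytes[3]) << 16) | (static_cast<uint32_t>(bytes[4]) << 24);
    return addr + 5 + rel;  // unsigned wrap-around yields the two's-complement result
}

// Compare the prologue captured from a clean image with the one read from memory.
HookCheck checkPrologue(uint32_t funcAddr, const std::vector<uint8_t>& clean,
                        const std::vector<uint8_t>& live) {
    HookCheck r{false, false, 0};
    r.modified = (clean != live);
    if (live.size() >= 5 && live[0] == 0xE9) {
        r.jmpAtEntry = true;
        r.jmpTarget = jmpRel32Target(funcAddr, live.data());
    }
    return r;
}

// Constructed sample: a hot-patchable Win32 prologue (mov edi,edi; push ebp; mov ebp,esp)
// at a made-up address, and the same bytes after a JMP to a detour at 0x10001000 was planted.
constexpr uint32_t FUNC_ADDR = 0x7E42FD22;
const std::vector<uint8_t> CLEAN_PROLOGUE  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
const std::vector<uint8_t> HOOKED_PROLOGUE = {0xE9, 0xD9, 0x12, 0xBD, 0x91};

int main() {
    HookCheck r = checkPrologue(FUNC_ADDR, CLEAN_PROLOGUE, HOOKED_PROLOGUE);
    if (!r.modified)      std::printf("prologue intact\n");
    else if (r.jmpAtEntry) std::printf("prologue patched: JMP to 0x%08X\n", r.jmpTarget);
    else                  std::printf("prologue patched with something other than JMP rel32\n");
    return 0;
}
```

On a real system the clean bytes come from the mapped copy of the DLL on disk and the live bytes from the process, and the comparison is repeated for every exported function of interest; the arithmetic is the same. A prologue that differs but does not start with E9 (the third case in the test) still deserves a look, since other hooking methods use push/ret sequences or a breakpoint instead of a JMP.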
#9
07-29-2008, 02:17 PM
Beast
Gznprize doesn't know what to do with the addresses and data, once he figures those out .. maybe he can.
#10
08-03-2008, 04:14 AM
RobotGymnast
Nice. I like using the llb.dll (which you can find everywhere on google) source and making hacks out of that, I made a hilarious Final Fantasy Tactics Advance hack DLL out of that. Also, if you want to test hacks without much security, try pservers, their security sucks (I can still MRS edit for ****'s sake)