Archives For C/C++

I recently started looking into this game briefly. Since this game still seems rather popular I figured I might write something about it. The game engine is divided into several DLL-files, it makes it easy to find out how stuff works, even for a reverse-engineering newb.

I’m using PointBlank Thailand (since I live there), there are versions for many different regions, but the engine is the same.

This tutorial will show you how to find the Direct3D9 Device pointer, and using it to create a PointBlank D3D hack which you can put wallhack and chams into.

Hopefully this will give You a greater understanding for reverse-engineering and gamehacking. 🙂

Continue Reading...

Working as of 2013-05-20

You can download the entire WarZ hack project here or check it out over at my BitBucket. Project is written in C++ using Visual Studio 2010.
The only thing I have not included is text rendering. I did not want to publicize the font library I’m using, so you will have to find an alternative if you need it 🙂
I apologize beforehand for the mixed notation. Some parts are documented, other parts.. not so much.

Features box ESP for players & zombies, text ESP for them and items, shows you item name, weight, ammunition etc. (hopefully) easy-to-read source code instructing you on how to create a WarZ hack.

Continue Reading...

Implementation of GetModuleHandle to get from PEB in memory instead of calling Windows API. Purpose is to get module handle without WinAPI.

Continue Reading...

Here is a .h file with definitions for some undocumented NT internals, structs, etc.
For more information you should check out http://undocumented.ntinternals.net/

These structures become useful when you are using undocumented NT functions instead of the Windows API.

Continue Reading...

Learn how to create a Radar Hack for Counter-Strike Source, make all players visible on the radar, always. This technique is also applicable to other games.

Continue Reading...

This is a re-post or a post from 2010 on my old blog, ilsken.net

XOR ciphers become useful for example to hide text strings from plain view.

When encrypting, first xor and then swap the nibbles.
When decrypting, first swap the nibbles and then xor.

How it works Continue Reading…

C++ Basic DLL Injection Tutorial

March 12, 2008 by Asbra — Leave a comment

This is a repost from my old gamehacking blog ilsken.net

First we open a handle to the target process

*proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, proc_id);

Get the memory address of LoadLibrary, Windows API function that loads DLL files from disk

void* loadlib = GetProcAddress(GetModuleHandle(kernel32), loadlibrary);

Allocate memory in the process where we will store the string with path to our DLL file

void* alloc = VirtualAllocEx(*proc, 0, strlen(dll), MEM_COMMIT, 4);

Write the string that holds DLL file path to target process memory

BOOL wrote = WriteProcessMemory(*proc, alloc, dll, strlen(dll), NULL);

Create a thread in the remote (target) process, with start address of LoadLibrary, so it executes LoadLibrary function and give it the memory address of our DLL path string, so it loads it

HANDLE thread = CreateRemoteThread(*proc, 0, 0, (LPTHREAD_START_ROUTINE)loadlib, alloc, 0, 0);

Wait for the thread to finish

WaitForSingleObject(thread, 10000);

Finally, do some cleaning up

CloseHandle(thread);
VirtualFreeEx(*proc, alloc, 0, MEM_RELEASE);
void enable_debug_priv()
{
	HANDLE hToken;
	LUID luid;
	TOKEN_PRIVILEGES tkp;

	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);

	LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);

	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Luid = luid;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	AdjustTokenPrivileges(hToken, false, &tkp, sizeof(tkp), NULL, NULL);

	CloseHandle(hToken); 
}

DWORD get_process_id(char* imagename)
{
	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);

	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

	if(Process32First(snapshot, &entry))
		while(Process32Next(snapshot, &entry))
			if(strcmp(entry.szExeFile, imagename) == 0)
				return entry.th32ProcessID;

	CloseHandle(snapshot);

	return 0;
}

DWORD get_module_handle(DWORD proc_id, char* module)
{
	char dll[64] = {0};
	MODULEENTRY32 entry;
	entry.dwSize = sizeof(MODULEENTRY32);

	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, proc_id);
	if(snapshot == INVALID_HANDLE_VALUE)
		return 0;

	if(Module32First(snapshot, &entry))
	{
		do
		{
			if(entry.th32ProcessID == proc_id)
			{
				memset(dll, 0, 64);

				for(int i = 0; i < strlen(entry.szModule); i++) {
					dll[i] = tolower(entry.szModule[i]);
				}

				if(strcmp(dll, module) == 0)
					return (DWORD)entry.modBaseAddr;
			}
		}
		while(Module32Next(snapshot, &entry));
	}

	CloseHandle(snapshot);

	return 0;
}

int inject(DWORD proc_id, char* dll, HANDLE* proc)
{
	*proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, proc_id);
	if(*proc == NULL)
		return 1;
	
	void* loadlib = GetProcAddress(GetModuleHandle(kernel32), loadlibrary);

	void* alloc = VirtualAllocEx(*proc, 0, strlen(dll), MEM_COMMIT, 4);
	if(!alloc)
		return 2;

	BOOL wrote = WriteProcessMemory(*proc, alloc, dll, strlen(dll), NULL);
	if(!wrote)
		return 3;

	HANDLE thread = CreateRemoteThread(*proc, 0, 0, (LPTHREAD_START_ROUTINE)loadlib, alloc, 0, 0);
	if(!thread)
		return 4;

	WaitForSingleObject(thread, 10000);

	CloseHandle(thread);

	VirtualFreeEx(*proc, alloc, 0, MEM_RELEASE);
	
	return 0;
}

This is a re-post of a post from 2007 taken from my old blog ilsken.net

If you’re a software-programmer and/or reverse-engineer you should know that using Windows API-calls is a easy way to write code, and also in many cases a good point for reverse-engineers to trace to/from while removing potential protections ..

Let’s take a basic example, let’s use a standard WinAPI-call.. Continue Reading…