
I'm trying to modify a value for Solitaire such as the score.

Anyways I found the addresses (using CheatEngine) that the pointers point to but I'm having difficulty injecting code to modify the score. I'm almost certain it's the way I'm adding the offsets to the base value and not Windows DEP, my injecting method, or anything else.

Here's the code I'm using.

#define BASE    0xFFAEAFA8
#define fOFFSET 0x50
#define sOFFSET 0x14
#define VALUE   55555


*(int*)(((*(int*) BASE) + fOFFSET) + sOFFSET) = VALUE;

Whenever I inject this code my game crashes. Works fine if I modify the values in Cheat Engine but not in code.

AstroCB
caker
  • Is `sOFFSET` in units of bytes or integers (DWORDs)? – Kerrek SB Aug 27 '11 at 17:16
  • Run the program in a debugger to get more detail about how it "crashes." – John Zwinck Aug 27 '11 at 17:32
  • @Nemo: Solitaire is a perfectly easy project to learn basic injection and hacking with. There's nothing quite as annoying as having to input my authenticator key every time I boot up WoW. ;) – William Aug 27 '11 at 17:36
  • @Kerrek SB - I'm not too sure, actually. Maybe I'm using the wrong data type? I would guess it's an integer since the value type I've always scanned in was 4 Bytes. – caker Aug 27 '11 at 17:41
  • 1
    @juryben: Well, if you want to advance a pointer in bytes, you have to cast it to `char`; if you advance an `int*`, it increments by `sizeof(int)`... – Kerrek SB Aug 27 '11 at 17:43
  • @jury also note that those addresses won't be the same every time the program loads. If Windows has to rebase the PE because somebody else is at its preferred base address, this will crash. Good luck on your reverse engineering exploits, and [sigscanning](http://wiki.alliedmods.net/Signature_Scanning) ftw. – Seth Carnegie Aug 27 '11 at 17:46
  • @Seth Carnegie If I find the base address with the offsets it should find the pointer to modify and therefore be the same address. Currently I'm using full PE injection (bypasses DEP) instead of easy mode .DLL injection but I'll try using .DLL injection some time tomorrow. I really don't think that rebasing the PE would change the pointer addresses. – caker Aug 27 '11 at 17:53
  • @jury oh I misread, yeah _offsets_ would be fine in the future (till someone recompiles solitaire, which will probably be never). What method of PE injection are you using if I may ask? – Seth Carnegie Aug 27 '11 at 17:54
  • @Seth Carnegie - It's full PE injection. It injects the PE and starts a remote thread with any code you want to execute. It's kinda new and works. If you Google the name you'll find snippets on some malware forums. – caker Aug 27 '11 at 17:57
  • @jury by "injects the PE" do you mean reading a .dll file or whatever then acting like the windows pe loader and loading it into the remote process' address space with Read/WriteProcessMemory and stuff? Edit: Oh, and does it do it while the process is running, or does it modify the PE you are injecting itself? – Seth Carnegie Aug 27 '11 at 18:02
  • @Seth There is no .DLL and it does not modify the PE just the memory allocated to the PE. – caker Aug 27 '11 at 18:12
  • Dangit, I thought I had invented that :/ Guess not. Oh, did your question get answered by the others' comments above? And is the BASE hardcoded just for this example? – Seth Carnegie Aug 27 '11 at 18:13
  • It's a dynamic base for my PE. If you wanna see the code I'll PM you a link. edit: I must be dumb or there's no PM option. :| – caker Aug 27 '11 at 18:17

2 Answers


try:

volatile int * pScore = (int*)( BASE + fOFFSET + sOFFSET );
*pScore = VALUE;
jmhindle

What I was doing wrong: I needed to use the ReadProcessMemory() API to find the address that a pointer points to. And then add the offsets.

Christian Specht
caker
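To make the accepted answer concrete: the expression in the question dereferences `BASE` in the *injector's* own address space, so unless that page happens to be mapped there it faults. Reading the pointer through `ReadProcessMemory()` and only then adding the byte offsets (Kerrek SB's point about `char` vs `int*` arithmetic) avoids that. The following is an added example, not code from either answer or from the asker. It assumes a 32-bit target (so pointers read from it are 4 bytes), takes `BASE`, the two offsets and `VALUE` from the question, treats `[BASE] + 0x50 + 0x14` as a single-dereference chain, and abstracts the memory backend so the same chain walker can be exercised offline against a constructed buffer (the `fake_*` functions and the addresses they map are made up for the self-test). The `win_*` wrappers around `ReadProcessMemory`/`WriteProcessMemory` only compile on Windows; the walker also handles the general multi-level Cheat Engine chain (`[[[base]+o1]+o2]+o3`), which the thread only touches on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Constants from the question: a pointer lives at BASE and the score sits at
 * [BASE] + 0x50 + 0x14. Offsets are BYTE offsets, so all arithmetic below is
 * done on integer addresses, never by adding to an int*. */
#define BASE    0xFFAEAFA8u
#define fOFFSET 0x50u
#define sOFFSET 0x14u
#define VALUE   55555

/* Reader/writer over the target's address space. On Windows ctx is the process
 * HANDLE (wrappers below); in the offline self-test it is a local buffer. */
typedef struct {
    bool (*read)(void *ctx, uintptr_t addr, void *out, size_t n);
    bool (*write)(void *ctx, uintptr_t addr, const void *in, size_t n);
    void *ctx;
} mem_t;

/* Follow a pointer chain: at each step read the 32-bit pointer stored at addr
 * and add offsets[i] bytes; after the last step addr is the value's address.
 * The question's [BASE]+0x50+0x14 is a single step with offset 0x64. */
bool resolve_chain(const mem_t *m, uintptr_t base, const uint32_t *offsets,
                   size_t n_off, uintptr_t *out)
{
    uintptr_t addr = base;
    for (size_t i = 0; i < n_off; i++) {
        uint32_t ptr;                              /* 32-bit x86 target */
        if (!m->read(m->ctx, addr, &ptr, sizeof ptr))
            return false;                          /* unmapped: fail, don't fault */
        addr = (uintptr_t)ptr + offsets[i];
    }
    *out = addr;
    return true;
}

/* Resolve the chain and overwrite the 4-byte value at its end. */
bool write_chain_value(const mem_t *m, uintptr_t base, const uint32_t *offsets,
                       size_t n_off, int32_t value)
{
    uintptr_t target;
    return resolve_chain(m, base, offsets, n_off, &target)
        && m->write(m->ctx, target, &value, sizeof value);
}

#ifdef _WIN32
/* Real backend: h comes from OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE |
 * PROCESS_VM_OPERATION, FALSE, pid). */
static bool win_read(void *h, uintptr_t a, void *out, size_t n)
{ SIZE_T got = 0; return ReadProcessMemory(h, (LPCVOID)a, out, n, &got) && got == n; }
static bool win_write(void *h, uintptr_t a, const void *in, size_t n)
{ SIZE_T put = 0; return WriteProcessMemory(h, (LPVOID)a, in, n, &put) && put == n; }
#endif

/* Offline backend: a constructed buffer standing in for the target's memory
 * (assumption for the self-test, not a dump of Solitaire). */
typedef struct { uint8_t *buf; uintptr_t lo; size_t len; } fake_mem_t;
static bool fake_ok(const fake_mem_t *f, uintptr_t a, size_t n)
{ return a >= f->lo && n <= f->len && a - f->lo <= f->len - n; }
static bool fake_read(void *c, uintptr_t a, void *out, size_t n)
{ fake_mem_t *f = c; if (!fake_ok(f, a, n)) return false; memcpy(out, f->buf + (a - f->lo), n); return true; }
static bool fake_write(void *c, uintptr_t a, const void *in, size_t n)
{ fake_mem_t *f = c; if (!fake_ok(f, a, n)) return false; memcpy(f->buf + (a - f->lo), in, n); return true; }

/* Self-test: map 0xFFAE0000-0xFFAFFFFF, store a pointer to 0xFFAE1000 at BASE,
 * place a score of 123 at 0xFFAE1064, patch it, return what reads back. */
int32_t demo_patch_score(void)
{
    static uint8_t space[0x20000];
    fake_mem_t f = { space, 0xFFAE0000u, sizeof space };
    mem_t m = { fake_read, fake_write, &f };
    uint32_t obj = 0xFFAE1000u;
    int32_t score = 123;
    memcpy(space + (BASE - f.lo), &obj, sizeof obj);
    memcpy(space + (obj + fOFFSET + sOFFSET - f.lo), &score, sizeof score);

    uint32_t offsets[] = { fOFFSET + sOFFSET };    /* one level, 0x64 bytes */
    if (!write_chain_value(&m, BASE, offsets, 1, VALUE)) return -1;
    m.read(m.ctx, obj + fOFFSET + sOFFSET, &score, sizeof score);
    return score;                                  /* 55555 */
}

/* Same chain when BASE is not mapped in the target: no crash, just false. */
bool demo_unmapped_base_fails(void)
{
    static uint8_t space[0x1000];
    fake_mem_t f = { space, 0x00400000u, sizeof space };
    mem_t m = { fake_read, fake_write, &f };
    uint32_t offsets[] = { fOFFSET + sOFFSET };
    uintptr_t out;
    return !resolve_chain(&m, BASE, offsets, 1, &out);
}
```

On a real target you would build `mem_t m = { win_read, win_write, hProcess }` from an `OpenProcess` handle and pass the Cheat Engine chain as `offsets[]` (one entry per dereference level, last entry added without a dereference). The walker never touches the address directly, so a wrong or rebased `BASE` surfaces as a `false` return instead of the access violation the question describes.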