I would like to know how have a DLL that will change flags/registers when execution hits a certain location. I can change values; that's easy enough. What about flags and registers only when execution hits a certain location?
RobotGymnast
Sure, you can change the flags register. Same way you would change the flags register otherwise - either perform instructions that directly change the flags register, such as [clc; stc; cld; std], or perform for example compare operations, which change the flags register as a result of the comparison.
Or, if you want to set a specific value in the flags register, use a push/popf combination, pushing the value you want to have, and popping back into the flags register. You can also use SAHF to set flags from the AH register.
Note however that if you plan to change anything but the lower 8 bits, you can't - the rest of the bits are protected, so only code that has Ring0 (kernel) privilege can modify those bits (since they are involved with protection and kernel execution in themselves, it would be pretty pointless if you could change them in user-mode).
--
Mats
I understand that for the most part, but how do you change them only when execution hits a certain address? For example, in a multi-threaded application, how do you detect when execution has hit a certain address in another thread?
You can't, other than using a debug interface to set a breakpoint on that address, and then when the breakpoint hits, you do whatever you need to do.
--
Mats
err wow that's strange.. I've seen, especially in game hacking DLLs, people implement hacks that require flag changes.. the weird part was they were doing some sort of weird XOR thing that I couldn't understand
Well, first of all, we do not discuss game cheats here, second, XOR is an instruction that will change the flags.
But you can not, XOR or otherwise, affect another thread's flags without stopping that thread and changing the flags, or modifying the actual code.
--
Mats
(I was just using it as an example because that's where I've seen it.. I'm not really using it for anything, I'm more just trying to do random stuff that's a bit more low-level, because it's new to me)
hmm alright, I wonder how it was done then. Thanks anyway
Most game cheats do "code injection". The DLL is usually added to allow extending the game's existing code (you can only "shorten" existing code unless you have some extra space somewhere to stick the EXTRA code).
--
Mats
it wasn't code injection, it was just value editing.. here's the source code.. it's somewhat messy (you should've seen it before I cleaned it up)
Code:#include <windows.h>
/*
 * Absolute virtual addresses inside the target process, one per patch
 * site, each paired in start_it() with a fixed XOR constant. They are
 * specific to one build of the target binary and are only meaningful if
 * that image is loaded at its preferred base (no relocation) — confirm
 * before relying on them; a different build or a relocated image makes
 * every write in start_it() land on unrelated bytes.
 * KLIPPETYK is defined but never referenced; start_it() uses KLIP.
 */
#define KLIPPETYK 0x486c9a
#define INF_MASSIVE1 0x482189
#define INF_MASSIVE2 0x482191
#define PINGOU 0x4dd170
#define HP_LOCK 0x4862c9
#define AP_LOCK 0x486399
#define FAST_SWITCH 0x481fcd
#define INF_JUMP 0x483468
#define HBLOCK1 0x482120
#define HBLOCK2 0x482121
#define IBLOCK 0x481f36
#define KLIP 0x486c9b
#define LM11 0x481e5d
#define LM12 0x481e5e
#define LM21 0x481e66
#define LM22 0x481e67
#define LM31 0x481e71
#define LM32 0x481e72
#define WALLH 0x4e1b96
#define SSPEED 0x481670
#define FGLIDE 0x486d99
#define LEVI 0x486d3e
#define WALLC1 0x4E075F
#define WALLC2 0x4E0760
#define WALLC3 0x4E0761
#define HUNCH 0x4823fd
#define KDOWN 0x4822dd
#define FDEATH1 0x48231d
#define FDEATH2 0x48231e
#define FDEATH3 0x482327
#define FDEATH4 0x482328
#define ROLLS 0x4816aa
#define FLY 0x486d17
#define SWALLS 0x5022ad
#define BOING1 0x481942
#define BOING2 0x481943
#define BOING3 0x481944
#define BOING4 0x481945
#define NBODY1 0x4f09a9
#define NBODY2 0x4f09aa
#define NBODY3 0x4f09ab
#define NBODY4 0x4f09ac
#define NBODY5 0x4f09ad
#define NBODY6 0x4f09ae
#define NST 0x4da766
#define INVIS 0x4768c5
#define PURP 0x4d9806
#define BLU 0x4d981b
#define GRN 0x4d9830
#define SWF 0x4dd1c5
#define SLOMOTION 0x4dd179
#define CSEAX 0x486b37
#define NINJ 0x48346e
#define RED 0x4d97f1
#define BHOP1 0x482949
#define BHOP2 0x48294a
#define BHOP3 0x48294b
#define BHOP4 0x48294c
#define BHOP5 0x48294d
#define BHOP6 0x48294e
#define CAMOHP1 0x5edd50
#define CAMOHP2 0x5edd51
#define CAMOHP3 0x5edd52
#define CAMOHP4 0x5edd53
/* Polling-thread body; DllMain starts it on DLL_PROCESS_ATTACH. */
void start_it();
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    /*
     * DLL entry point. On DLL_PROCESS_ATTACH it spawns the key-polling
     * thread (start_it) and returns at once; every other notification
     * (thread attach/detach, process detach) is ignored. Always reports
     * success to the loader.
     *
     * NOTE(review): start_it is declared `void start_it()`, not a
     * `DWORD WINAPI (*)(LPVOID)` thread routine, so the cast hides a
     * signature mismatch; the thread handle CreateThread returns is also
     * never closed, and creating a thread from DllMain runs under the
     * loader lock.
     */
    DWORD tid;
    if (fdwReason != DLL_PROCESS_ATTACH) {
        return TRUE;
    }
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&start_it, 0, 0, &tid);
    return TRUE;
}
void start_it()
{
/*
 * Thread body spawned from DllMain. It polls the keyboard every 150 ms
 * and, while ALT (VK_MENU) is held, toggles one "patch" per hotkey by
 * XORing a fixed constant into a BYTE (or WORD) at a hard-coded absolute
 * address in this process. XORing the same constant a second time
 * restores the original contents, which is why each hotkey only needs a
 * 0/1 state variable (k, m, p, ...) to remember whether its patch is on.
 *
 * Review notes:
 *  - The writes go straight to fixed addresses with no check that the
 *    address is valid for this build or that the page is writable; a
 *    non-writable page presumably faults and takes the host process down.
 *    Assumes the target image sits at its preferred base — confirm.
 *  - GetAsyncKeyState(...) & 0x8000 reports "key is down right now", so a
 *    key held across two polls (150 ms apart) toggles the patch twice.
 *  - Nothing here touches registers or EFLAGS; only memory is modified.
 *  - No synchronization: if these bytes are code, another thread can be
 *    executing them while they are rewritten.
 *  - `b` gates the MessageBeep feedback, `n` arms the periodic toggle at
 *    the bottom of the loop; `t` and `e` are assigned but never read.
 */
MessageBox (0, "Message?\n ", "Y HELO THAR!", MB_ICONINFORMATION);
/* One on/off state per hotkey (see the key tests below); b = beeps enabled. */
int k, m, p, h, a, f, j, b, y, g, s, w, l, n, t, vkd, vke, vkp, nmp, nm0, nm1, nm2, nm3, nm4, nm5, nm6, nm7, nm8, nm9, nma, nmd, nmm, vki, vkh, vku, e, c;
k=0;m=0;p=0;h=0;a=0;f=0;j=0;y=0;g=0;s=0;w=0;l=0;n=0;t=0;vkd=0;vke=0;vkp=0;nmp=0;nm0=0;nm1=0;nm2=0;nm3=0;nm4=0;nm5=0;nm6=0;nm7=0;nm8=0;nm9=0;nma=0;nmd=0;nmm=0;vki=0;vkh=0;vku=0;e=0;c=0;b=1;
/* Poll forever; SleepEx(150, 0) runs between iterations. There is no
 * break — ExitThread on 'O' below is the only way out of this loop. */
for(;;SleepEx(150, 0))
{
/* Every hotkey below requires ALT to be held at the same time. */
if(GetAsyncKeyState(VK_MENU) &0x8000){
if(GetAsyncKeyState('K') &0x8000) { if (k) {k=0;if(b)MessageBeep(MB_ICONHAND);}else { k=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)KLIP ^= 32;}
/* 'M' is the only WORD-sized (2-byte) patch; the same two writes are
 * repeated by the 'N' periodic toggle at the end of the loop body. */
if(GetAsyncKeyState('M')&0x8000) { if (m) {m=0;if(b)MessageBeep(MB_ICONHAND);}else{ m=1;if(b)MessageBeep(MB_ICONEXCLAMATION);}
*(WORD*)INF_MASSIVE1 ^= 38885;
*(WORD*)INF_MASSIVE2 ^= 46308;
}
if(GetAsyncKeyState('P')&0x8000){if (p){ p=0;if(b)MessageBeep(MB_OK);}else{ p=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)PINGOU ^= 11;}
if(GetAsyncKeyState('H')&0x8000){if (h){ h=0;if(b)MessageBeep(MB_OK);}else{ h=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)HP_LOCK ^= 8;}
if(GetAsyncKeyState('A')&0x8000){if (a){ a=0;if(b)MessageBeep(MB_OK);}else{ a=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)AP_LOCK ^= 8;}
if(GetAsyncKeyState('F')&0x8000){if (f){ f=0;if(b)MessageBeep(MB_OK);}else{ f=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)FAST_SWITCH ^= 14;}
if(GetAsyncKeyState('J')&0x8000){if (j){ j=0;if(b)MessageBeep(MB_OK);}else{ j=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)INF_JUMP ^= 1;}
/* 'B' flips three separate bytes but tracks them with one state (y). */
if(GetAsyncKeyState('B')&0x8000){if (y){ y=0;if(b)MessageBeep(MB_OK);}else{ y=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)HBLOCK1 ^= 228;*(BYTE*)HBLOCK2 ^= 152;*(BYTE*)IBLOCK ^= 56;}
/* 'Y' toggles the beep feedback itself; it always beeps so the change is audible. */
if(GetAsyncKeyState('Y')&0x8000){if (b){ b=0;MessageBeep(MB_OK);}else{ b=1; MessageBeep(MB_ICONEXCLAMATION);}}
if(GetAsyncKeyState('G')&0x8000){if (g){ g=0;if(b)MessageBeep(MB_OK);}else{ g=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)FGLIDE ^= 3;}
if(GetAsyncKeyState('S')&0x8000){if (s){ s=0;if(b)MessageBeep(MB_OK);}else{ s=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)SSPEED ^= 13;}
if(GetAsyncKeyState('W')&0x8000){if (w){ w=0;if(b)MessageBeep(MB_OK);}else{ w=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)WALLH ^= 4;}
if(GetAsyncKeyState('L')&0x8000){if (l){ l=0;if(b)MessageBeep(MB_OK);}else{ l=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)LM11 ^= 228;*(BYTE*)LM12 ^= 238;*(BYTE*)LM21 ^= 229;*(BYTE*)LM22 ^= 229;*(BYTE*)LM31 ^= 229;*(BYTE*)LM32 ^= 250;}
/* 'N' writes nothing itself; it only arms the periodic toggle after the ALT block. */
if(GetAsyncKeyState('N')&0x8000){if (n){ n=0;if(b)MessageBeep(MB_OK);}else{ n=1;if(b)MessageBeep(MB_ICONEXCLAMATION);}}
/* 'O' ends this polling thread. Patches that are currently on stay applied. */
if(GetAsyncKeyState('O')&0x8000){ExitThread(0);}
if(GetAsyncKeyState(VK_DELETE)&0x8000){if (vkd){ vkd=0;if(b)MessageBeep(MB_OK);}else{ vkd=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)HUNCH ^= 15;}
if(GetAsyncKeyState(VK_END)&0x8000){if (vke){ vke=0;if(b)MessageBeep(MB_OK);}else{ vke=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)KDOWN ^= 3;}
if(GetAsyncKeyState(VK_NEXT)&0x8000){if (vkp){ vkp=0;if(b)MessageBeep(MB_OK);}else{ vkp=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)FDEATH1 ^= 233;*(BYTE*)FDEATH2 ^= 208;*(BYTE*)FDEATH3 ^= 232;*(BYTE*)FDEATH4 ^= 166;}
if(GetAsyncKeyState(VK_DECIMAL)&0x8000){if (nmp){ nmp=0;if(b)MessageBeep(MB_OK);}else{ nmp=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)LEVI ^= 24;}
if(GetAsyncKeyState(VK_NUMPAD0)&0x8000){if (nm0){ nm0=0;if(b)MessageBeep(MB_OK);}else{ nm0=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)ROLLS ^= 2;}
if(GetAsyncKeyState(VK_NUMPAD1)&0x8000){if (nm1){ nm1=0;if(b)MessageBeep(MB_OK);}else{ nm1=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)FLY ^= 3;}
if(GetAsyncKeyState(VK_NUMPAD2)&0x8000){if (nm2){ nm2=0;if(b)MessageBeep(MB_OK);}else{ nm2=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)SWALLS ^= 4;}
if(GetAsyncKeyState(VK_NUMPAD3)&0x8000){if (nm3){ nm3=0;if(b)MessageBeep(MB_OK);}else{ nm3=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)BOING1 ^= 73;*(BYTE*)BOING2 ^= 196;*(BYTE*)BOING3 ^= 180;*(BYTE*)BOING4 ^= 136;}
if(GetAsyncKeyState(VK_NUMPAD4)&0x8000){if (nm4){ nm4=0;if(b)MessageBeep(MB_OK);}else{ nm4=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)NBODY1 ^= 159;*(BYTE*)NBODY2 ^= 21;*(BYTE*)NBODY3 ^= 24;*(BYTE*)NBODY4 ^= 109;*(BYTE*)NBODY5 ^= 111;*(BYTE*)NBODY6 ^= 111;}
if(GetAsyncKeyState(VK_NUMPAD5)&0x8000){if (nm5){ nm5=0;if(b)MessageBeep(MB_OK);}else{ nm5=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)NST ^= 3;}
if(GetAsyncKeyState(VK_NUMPAD6)&0x8000){if (nm6){ nm6=0;if(b)MessageBeep(MB_OK);}else{ nm6=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)INVIS ^= 3;}
if(GetAsyncKeyState(VK_NUMPAD7)&0x8000){if (nm7){ nm7=0;if(b)MessageBeep(MB_OK);}else{ nm7=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)PURP ^= 2;}
if(GetAsyncKeyState(VK_NUMPAD8)&0x8000){if (nm8){ nm8=0;if(b)MessageBeep(MB_OK);}else{ nm8=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)BLU ^= 2;}
if(GetAsyncKeyState(VK_NUMPAD9)&0x8000){if (nm9){ nm9=0;if(b)MessageBeep(MB_OK);}else{ nm9=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)GRN ^= 2;}
if(GetAsyncKeyState(VK_MULTIPLY)&0x8000){if (nmm){ nmm=0;if(b)MessageBeep(MB_OK);}else{ nmm=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)SWF ^= 1;}
if(GetAsyncKeyState(VK_DIVIDE)&0x8000){if (nmd){ nmd=0;if(b)MessageBeep(MB_OK);}else{ nmd=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)SLOMOTION ^= 40;}
if(GetAsyncKeyState(VK_ADD)&0x8000){if (nma){ nma=0;if(b)MessageBeep(MB_OK);}else{ nma=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)CSEAX ^= 1;}
if(GetAsyncKeyState(VK_INSERT)&0x8000){if (vki){ vki=0;if(b)MessageBeep(MB_OK);}else{ vki=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)BHOP1 ^= 159;*(BYTE*)BHOP2 ^= 25;*(BYTE*)BHOP3 ^= 46;*(BYTE*)BHOP4 ^= 159;*(BYTE*)BHOP5 ^= 144;*(BYTE*)BHOP6 ^= 144;}
if(GetAsyncKeyState(VK_HOME)&0x8000){if (vkh){ vkh=0;if(b)MessageBeep(MB_OK);}else{ vkh=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)NINJ ^= 3;}
if(GetAsyncKeyState(VK_PRIOR)&0x8000){if (vku){ vku=0;if(b)MessageBeep(MB_OK);}else{ vku=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)RED ^= 2;}
if(GetAsyncKeyState('C')&0x8000){if (c){ c=0;if(b)MessageBeep(MB_OK);}else{ c=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)CAMOHP1 ^= 102;*(BYTE*)CAMOHP2 ^= 102;*(BYTE*)CAMOHP3 ^= 17;*(BYTE*)CAMOHP4 ^= 123;}
/* 'Q' = "undo everything": for each patch that is on, re-apply its XOR
 * (which restores the original bytes) and clear its state. The XOR
 * constants here must stay identical to the ones used above, or the
 * bytes will not be restored. */
if(GetAsyncKeyState('Q')&0x8000){
if(b) MessageBeep(MB_ICONHAND);
if(k){*(BYTE*)KLIP ^= 32; k=0;}
if(m){ *(WORD*)INF_MASSIVE1 ^= 38885;
*(WORD*)INF_MASSIVE2 ^= 46308; m=0;}
if(p){*(BYTE*)PINGOU ^= 11;p=0;}
/* The `h=1;` here is redundant: h is already non-zero and is cleared right after. */
if(h){h=1; *(BYTE*)HP_LOCK ^= 8;h=0;}
if(a){*(BYTE*)AP_LOCK ^= 8;a=0;}
if(f){*(BYTE*)FAST_SWITCH ^= 14; f=0;}
if(j){*(BYTE*)INF_JUMP ^= 1; j=0;}
if(g){*(BYTE*)FGLIDE ^= 3; g=0;}
if(s){*(BYTE*)SSPEED ^= 13; s=0;}
if(w){*(BYTE*)WALLH ^= 4; w=0;}
if(l){*(BYTE*)LM11 ^= 228;*(BYTE*)LM12 ^= 238;*(BYTE*)LM21 ^= 229;*(BYTE*)LM22 ^= 229;*(BYTE*)LM31 ^= 229;*(BYTE*)LM32 ^= 250; l=0;}
if(vkd){*(BYTE*)HUNCH ^= 15;vkd=0;}
if(vke){*(BYTE*)KDOWN ^= 3;vke=0;}
if(vkp){*(BYTE*)FDEATH1 ^= 233;*(BYTE*)FDEATH2 ^= 208;*(BYTE*)FDEATH3 ^= 232;*(BYTE*)FDEATH4 ^= 166;vkp=0;}
if(nmp){*(BYTE*)LEVI ^= 24;nmp=0;}
if(nm0){*(BYTE*)ROLLS ^= 2;nm0=0;}
if(nm1){*(BYTE*)FLY ^= 3;nm1=0;}
if(nm2){*(BYTE*)SWALLS ^= 4;nm2=0;}
if(nm3){*(BYTE*)BOING1 ^= 73;*(BYTE*)BOING2 ^= 196;*(BYTE*)BOING3 ^= 180;*(BYTE*)BOING4 ^= 136;nm3=0;}
if(nm4){*(BYTE*)NBODY1 ^= 159;*(BYTE*)NBODY2 ^= 21;*(BYTE*)NBODY3 ^= 24;*(BYTE*)NBODY4 ^= 109;*(BYTE*)NBODY5 ^= 111;*(BYTE*)NBODY6 ^= 111;nm4=0;}
if(nm5){*(BYTE*)NST ^= 3;nm5=0;}
if(nm6){*(BYTE*)INVIS ^= 3;nm6=0;}
if(nm7){*(BYTE*)PURP ^= 2;nm7=0;}
if(nm8){*(BYTE*)BLU ^= 2;nm8=0;}
if(nm9){*(BYTE*)GRN ^= 2;nm9=0;}
if(nmm){*(BYTE*)SWF ^= 1;nmm=0;}
if(nmd){*(BYTE*)SLOMOTION ^= 40;nmd=0;}
if(nma){*(BYTE*)CSEAX ^= 1;nma=0;}
if(vki){*(BYTE*)BHOP1 ^= 159;*(BYTE*)BHOP2 ^= 25;*(BYTE*)BHOP3 ^= 46;*(BYTE*)BHOP4 ^= 159;*(BYTE*)BHOP5 ^= 144;*(BYTE*)BHOP6 ^= 144;vki=0;}
if(vkh){*(BYTE*)NINJ ^= 3;vkh=0;}
if(vku){*(BYTE*)RED ^= 2;vku=0;}
if(c){*(BYTE*)CAMOHP1 ^= 102;*(BYTE*)CAMOHP2 ^= 102;*(BYTE*)CAMOHP3 ^= 17;*(BYTE*)CAMOHP4 ^= 123;c=0;}
/* n has no bytes of its own to restore; just disarm the periodic toggle. */
if(n){n=0;}}
}
/* Runs on every iteration, ALT held or not, while n is set: flip the two
 * INF_MASSIVE words, wait 175 ms, flip them back. Combined with the 'M'
 * toggle this can leave the words flipped during the sleep window. */
if(n){*(WORD*)INF_MASSIVE1 ^= 38885; *(WORD*)INF_MASSIVE2 ^= 46308; SleepEx(175, 0); *(WORD*)INF_MASSIVE1 ^= 38885; *(WORD*)INF_MASSIVE2 ^= 46308;}
}
}
That looks like someone threw up... :)
I can't read that code at all - lines are too long, and none of the variables have even remotely sane names.
--
Mats
I know, it's really horrible code.. it's one of the only publicly available DLL source codes for that game though.. it's outdated now anyway, I just keep it around as an example, but I haven't taken the time to clean it up too much
If you're referring to the script kiddie code you just posted, then the author is doing nothing more than changing the value in a memory location. For instance:
err wow that's strange.. I've seen, especially in game hacking DLLs, people implement hacks that require flag changes.. the weird part was they were doing some sort of weird XOR thing that I couldn't understand
So, assuming the memory location referred to by PINGOU contains the value 27, `^= 11` will change the value in that memory location to 16:
#define PINGOU 0x4dd170 //obviously refers to memory location 0x4dd170
if(GetAsyncKeyState('P')&0x8000){if (p){ p=0;if(b)MessageBeep(MB_OK);}else{ p=1;if(b)MessageBeep(MB_ICONEXCLAMATION);} *(BYTE*)PINGOU ^= 11;}
27 = 00011011 (value this is originally in memory location 0x4dd170)
11 = 00001011 (the exclusive or)
16 = 00010000 (value that is now in memory location 0x4dd170)
There isn't any exotic register/flag changing happening in the kiddie code you posted above.
weird.. because I know some of these hacks usually needed a register change or breakpoint in the code.. not just on and off values... I wonder where he got these values
I generally use CE, but it's just weird because that game has hack-protection.. nowadays it's done by searching for the byte signatures of old hacks