VOID UpdateCharacterY()
{
while(TRUE)
{
charactery = (int) ReadPointer(characterBase, characterY);
Sleep(100);
SendToPipe(CHARACTERY, (BYTE)charactery, (BYTE)(charactery >> 8), (BYTE)(charactery >> 16),
(BYTE)(charactery >> 24));
Sleep(500);
}
}
VOID UpdateCharacterX()
{
while(TRUE)
{
characterx = (int) ReadPointer(characterBase, characterX);
Sleep(100);
SendToPipe(CHARACTERX, (BYTE)characterx, (BYTE)(characterx >> 8), (BYTE)(characterx >> 16),
(BYTE)(characterx >> 24));
Sleep(500);
}
}
VOID UpdateMap()
{
while(TRUE)
{
mapID = (int) ReadPointer(mapBase, mapId);
Sleep(100);
SendToPipe(MAP, (BYTE)mapID, (BYTE)(mapID >> 8), (BYTE)(mapID >> 16),
(BYTE)(mapID >> 24));
Sleep(500);
}
}
VOID UpdateMonsterCount()
{
while(TRUE)
{
monstercount = (int) ReadPointer(monsterBase, monsterCount);
Sleep(100);
SendToPipe(MONSTERCOUNT, (BYTE)monstercount, (BYTE)(monstercount >> 8), (BYTE)(monstercount >> 16),
(BYTE)(monstercount >> 24));
Sleep(500);
}
}
// Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL)
// of the remote process.
FARPROC WINAPI
GetRemoteProcAddress( HANDLE hProcess, HMODULE hModuleLocal, HMODULE hModuleRemote, const char *func )
{
// Account for potential differences in base address
// of modules in different processes.
unsigned long delta = hModuleRemote - hModuleLocal;
// if delta is not 0 and func can be read from
if( delta != 0 && ReadPointer(NULL, func) ) {
return GetRemoteProcAddressInternal( hProcess, hModuleRemote, func );
}
else
return (FARPROC)((DWORD)GetProcAddress(hModuleLocal, func) );
}
int GetMobCount()
{
return ReadPointer(TSingleton__CMobPool, MobCount_Offset);
}
void cTrackManiaHack::SetBoostMulti(float fNewMulti)
{
DWORD dwOffsetsSpeed[] = {0x4, 0x64, 0x18, m_dwModeOffset, 0xF0};
DWORD dwBoostOptionAddress = ReadPointer(GetAddress("GroundNumBase"), dwOffsetsSpeed, sizeof(dwOffsetsSpeed));
if (dwBoostOptionAddress) WriteAddress(dwBoostOptionAddress, &fNewMulti, sizeof(fNewMulti));
}
void cTrackManiaHack::SetStuntPoints(int iPoints)
{
DWORD dwOffsets[] = {0x454, 0x28, 0x0, 0x1C, 0x2D4};
WriteAddress(ReadPointer(GetAddress("BaseP1"), dwOffsets, sizeof(dwOffsets)), &iPoints, sizeof(iPoints));
}
bool bottomWallLocation(int Y)
{
return ((int)ReadPointer(wallBase, bottomWall) >= Y);
}
void cTrackManiaHack::SetBoostDuration(int iNewDuration)
{
DWORD dwOffsetsSpeed[] = {0x4, 0x64, 0x18, m_dwModeOffset, 0xF8};
DWORD dwBoostOptionAddress = ReadPointer(GetAddress("GroundNumBase"), dwOffsetsSpeed, sizeof(dwOffsetsSpeed));
if (dwBoostOptionAddress) WriteAddress(dwBoostOptionAddress, &iNewDuration, sizeof(iNewDuration));
}
bool topWallLocation(int Y)
{
return ((int)ReadPointer(wallBase, topWall) <= Y);
}
bool rightWallLocation(int X)
{
return ((int)ReadPointer(wallBase, rightWall) >= X);
}
static bool
ReadEncodedPointer(const libunwindInfo* info, unw_word_t* addr, unsigned char encoding, unw_word_t funcRel, unw_word_t* valp)
{
unw_word_t initialAddr = *addr;
uint16_t value16;
uint32_t value32;
uint64_t value64;
unw_word_t value;
if (encoding == DW_EH_PE_omit)
{
*valp = 0;
return true;
}
else if (encoding == DW_EH_PE_aligned)
{
int size = sizeof(unw_word_t);
*addr = (initialAddr + size - 1) & -size;
return ReadPointer(info, addr, valp);
}
switch (encoding & DW_EH_PE_FORMAT_MASK)
{
case DW_EH_PE_ptr:
if (!ReadPointer(info, addr, &value)) {
return false;
}
break;
case DW_EH_PE_uleb128:
if (!ReadULEB128(info, addr, &value)) {
return false;
}
break;
case DW_EH_PE_sleb128:
if (!ReadSLEB128(info, addr, &value)) {
return false;
}
break;
case DW_EH_PE_udata2:
if (!ReadValue16(info, addr, &value16)) {
return false;
}
value = value16;
break;
case DW_EH_PE_udata4:
if (!ReadValue32(info, addr, &value32)) {
return false;
}
value = value32;
break;
case DW_EH_PE_udata8:
if (!ReadValue64(info, addr, &value64)) {
return false;
}
value = value64;
break;
case DW_EH_PE_sdata2:
if (!ReadValue16(info, addr, &value16)) {
return false;
}
value = (int16_t)value16;
break;
case DW_EH_PE_sdata4:
if (!ReadValue32(info, addr, &value32)) {
return false;
}
value = (int32_t)value32;
break;
case DW_EH_PE_sdata8:
if (!ReadValue64(info, addr, &value64)) {
return false;
}
value = (int64_t)value64;
break;
default:
ASSERT("ReadEncodedPointer: invalid encoding format %x\n", encoding);
return false;
}
// 0 is a special value and always absolute
if (value == 0) {
*valp = 0;
return true;
}
switch (encoding & DW_EH_PE_APPL_MASK)
{
case DW_EH_PE_absptr:
break;
case DW_EH_PE_pcrel:
value += initialAddr;
break;
case DW_EH_PE_funcrel:
_ASSERTE(funcRel != UINTPTR_MAX);
value += funcRel;
break;
case DW_EH_PE_textrel:
case DW_EH_PE_datarel:
default:
ASSERT("ReadEncodedPointer: invalid application type %x\n", encoding);
return false;
}
if (encoding & DW_EH_PE_indirect)
{
unw_word_t indirect_addr = value;
if (!ReadPointer(info, &indirect_addr, &value)) {
return false;
}
}
*valp = value;
return true;
}
bool leftWallLocation(int X)
{
return ((int)ReadPointer(wallBase, leftWall) <= X);
}
// TODO: Increase accuracy of the memory is readable check.
// As of now, it is only accurate to 12 bytes and could,
// in extremely rare circumstances, crash.
void disassemblyDlg::OnButton1Click(wxCommandEvent& event)
{
DISASM dis = {0};
int instructionSize;
dis.EIP = (UIntPtr)HexToDecimal<int>(TextCtrl1->GetValue());
ListView1->DeleteAllItems(); // clear list before we populate it
bool memIsGood = true; // keeps track of if reading mem will crash you
for( int i=0; i < 1000; ++i )
{
dis.VirtualAddr = dis.EIP; // fixes offsets
bool memIsGood = true; // keeps track of if reading memory will crash you
for( int i=0; i < 16; i+=4 )
{
DWORD trashValue; // a trash value used by ReadPointer to store data
if( !ReadPointer( &trashValue, (LPCVOID)(dis.EIP+i) ) )
memIsGood = false;
}
// we don't want to continue if memory was unreadable
if( !memIsGood )
{
long index = ListView1->GetItemCount();
index = ListView1->InsertItem(index, wxString::Format("%08x", dis.EIP) ); //Address
ListView1->SetItem( index, 1, _("??") ); //Bytes
ListView1->SetItem( index, 2, _("Memory could not be read") ); //Instruction
++(dis.EIP);
}
else if( (instructionSize = _Disasm(&dis) ) > 0 ) // -1 is an unknown instruction
{
long index = ListView1->GetItemCount();
wxString byteArray = _("");
for(int j=0; j < instructionSize; ++j )
{
byteArray << wxString::Format("%02x", reinterpret_cast<unsigned char *>(dis.EIP)[j] ) << " ";
}
index = ListView1->InsertItem(index, wxString::Format("%08x", dis.EIP) ); //Address
ListView1->SetItem( index, 1, byteArray ); //Bytes
ListView1->SetItem( index, 2, dis.CompleteInstr ); //Instruction
dis.EIP += instructionSize;
}
else // unknown instruction, so we'll say that this is a "db" instruction
{
wxString byteArray = _("");
byteArray << wxString::Format("%02x", reinterpret_cast<unsigned char *>(dis.EIP)[0] );
long index = ListView1->GetItemCount();
index = ListView1->InsertItem(index, wxString::Format("%08x", dis.EIP) ); //Address
ListView1->SetItem( index, 1, byteArray ); //Bytes
ListView1->SetItem( index, 2, _("db ") + byteArray ); //Instruction
++(dis.EIP);
}
}
//wxMessageBox( BeaEngineVersion(), "Hello" );
}
// Information
int GetPeopleCount()
{
return ReadPointer(TSingleton__CUserPool, PeopleCount_Offset);
}
FuncObjC* ReadFuncObj()
{
return static_cast<FuncObjC*>(ReadPointer());
}
// convenience function which returns the data instead of TRUE/FALSE
DWORD _ReadAddress( LPCVOID address, ... )
{
DWORD result = 0;
ReadPointer( &result, address, __VA_ARGS__);
return result;
}
vector<NETWORK_ENTRY>
GetSockets(
)
/*++
Routine Description:
Description.
Arguments:
-
Return Value:
vector<NETWORK_ENTRY>.
--*/
{
ULONG64 TableAddr;
ULONG64 TableCountAddr;
PULONG64 Table = NULL;
ULONG TableCount;
vector<NETWORK_ENTRY> NetworkEntries;
ULONG ProcessorType;
ULONG PlateformId, Major, Minor, ServicePackNumber;
if (g_Ext->m_Control->GetActualProcessorType(&ProcessorType) != S_OK) goto CleanUp;
if (g_Ext->m_Control->GetSystemVersion(&PlateformId, &Major, &Minor, NULL, NULL, NULL, &ServicePackNumber, NULL, NULL, NULL) != S_OK) goto CleanUp;
// g_Ext->Dml("Major: %d, Minor: %d, ProcessorType = %x\n", Major, Minor, ProcessorType);
if ((Minor < 6000) && (ProcessorType == IMAGE_FILE_MACHINE_I386))
{
if (g_Ext->m_Symbols->GetOffsetByName("tcpip!AddrObjTable", &TableAddr) != S_OK) goto CleanUp;
if (g_Ext->m_Symbols->GetOffsetByName("tcpip!AddrObjTableSize", &TableCountAddr) != S_OK) goto CleanUp;
if (ReadPointersVirtual(1, TableAddr, &TableAddr) != S_OK) goto CleanUp;
if (g_Ext->m_Data->ReadVirtual(TableCountAddr, &TableCount, sizeof(ULONG), NULL) != S_OK) goto CleanUp;
Table = (PULONG64)malloc(TableCount * sizeof(ULONG64));
if (ReadPointersVirtual(TableCount, TableAddr, Table) != S_OK) goto CleanUp;
for (UINT i = 0; i < TableCount; i += 1)
{
Network::OBJECT_ENTRY_X86 ObjectEntry = { 0 };
NETWORK_ENTRY NetworkEntry = { 0 };
if (Table[i] == 0) continue;
if (g_Ext->m_Data->ReadVirtual(Table[i], &ObjectEntry, sizeof(Network::OBJECT_ENTRY_X86), NULL) != S_OK) goto CleanUp;
NetworkEntry.ObjectPtr = Table[i];
NetworkEntry.CreationTime = ObjectEntry.CreationTime;
NetworkEntry.ProcessId = ObjectEntry.ProcessId;
NetworkEntry.Protocol = ObjectEntry.Protocol;
NetworkEntry.Local.Port = (ObjectEntry.Port[1] << 8) | ObjectEntry.Port[0];
NetworkEntry.Local.IPv4_Addr[3] = ObjectEntry.LocalAddress[3];
NetworkEntry.Local.IPv4_Addr[2] = ObjectEntry.LocalAddress[2];
NetworkEntry.Local.IPv4_Addr[1] = ObjectEntry.LocalAddress[1];
NetworkEntry.Local.IPv4_Addr[0] = ObjectEntry.LocalAddress[0];
NetworkEntry.State = TcbListenState;
NetworkEntries.push_back(NetworkEntry);
}
}
else if (Minor > 6000)
{
if (g_Ext->m_Symbols->GetOffsetByName("tcpip!PartitionCount", &TableCountAddr) != S_OK) goto CleanUp;
ReadPointer(GetExpression("tcpip!PartitionTable"), &TableAddr);
if (!TableAddr) goto CleanUp;
if (g_Ext->m_Data->ReadVirtual(TableCountAddr, &TableCount, sizeof(ULONG), NULL) != S_OK) goto CleanUp;
ULONG ListEntrySize = GetTypeSize("nt!_LIST_ENTRY");
ULONG PoolHeaderSize = GetTypeSize("nt!_POOL_HEADER");
ExtRemoteUnTyped PartitionTable(TableAddr, "tcpip!_PARTITION_TABLE");
for (UINT PartitionIndex = 0; PartitionIndex < TableCount; PartitionIndex += 1)
{
NETWORK_ENTRY NetworkEntry = { 0 };
// g_Ext->Dml(" -> Partition[%d].HashTables = 0x%I64X\n", PartitionIndex, Partition->HashTables);
ExtRemoteTyped HashTable("(nt!_RTL_DYNAMIC_HASH_TABLE *)@$extin", PartitionTable.ArrayElement(PartitionIndex).Field("HashTables").GetPtr());
ULONG64 Directory = HashTable.Field("Directory").GetPtr();
ULONG TableEntries = HashTable.Field("TableSize").GetUlong();
for (UINT i = 0; i < TableEntries; i += 1)
{
ExtRemoteTypedList List(Directory + i * ListEntrySize, "nt!_LIST_ENTRY", "Flink");
for (List.StartHead(); List.HasNode(); List.Next())
{
ULONG64 Current = List.GetNodeOffset();
if (!IsValid(Current)) break;
ExtRemoteUnTyped Tcb(Current, "tcpip!_TCB");
Tcb.SubtractOffset("HashTableEntry");
ExtRemoteTyped PoolHeader("(nt!_POOL_HEADER *)@$extin", Tcb.GetPointerTo() - PoolHeaderSize);
if (PoolHeader.Field("PoolTag").GetUlong() != 'EpcT') continue;
//# Seen as 0x1f0 on Vista SP0, 0x1f8 on Vista SP2 and 0x210 on 7
//# Seen as 0x320 on Win7 SP0 x64
ULONG PoolSize;
if (PoolHeader.Field("BlockSize").GetTypeSize() == sizeof(USHORT))
{
PoolSize = PoolHeader.Field("BlockSize").GetUshort() * 0x10;
}
else
{
PoolSize = PoolHeader.Field("BlockSize").GetUlong() * 0x10;
}
if (PoolSize < 0x100) continue;
ULONG64 SrcAddress = 0;
ULONG64 DstAddress = 0;
NetworkEntry.Protocol = PROTOCOL_TCP;
NetworkEntry.State = Tcb.Field("State").GetUlong();
NetworkEntry.Local.Port = Tcb.Field("LocalPort").GetUshort();
NetworkEntry.Remote.Port = Tcb.Field("RemotePort").GetUshort();
DstAddress = Tcb.Field("Path", TRUE).Field("DestinationAddress").GetPtr();
if (IsValid(Tcb.Field("Path").GetPtr() &&
IsValid(Tcb.Field("Path", TRUE).Field("SourceAddress").GetPtr()) &&
IsValid(Tcb.Field("Path", TRUE).Field("SourceAddress", TRUE).Field("Identifier").GetPtr()) &&
IsValid(Tcb.Field("Path", TRUE).Field("SourceAddress", TRUE).Field("Identifier", TRUE).Field("Address").GetPtr())))
{
SrcAddress = Tcb.Field("Path", TRUE).Field("SourceAddress", TRUE).Field("Identifier", TRUE).Field("Address").GetPtr();
}
if (DstAddress && g_Ext->m_Data->ReadVirtual(DstAddress, &NetworkEntry.Remote.IPv4_Addr, sizeof(NetworkEntry.Remote.IPv4_Addr), NULL) != S_OK) goto CleanUp;
if (SrcAddress && g_Ext->m_Data->ReadVirtual(SrcAddress, &NetworkEntry.Local.IPv4_Addr, sizeof(NetworkEntry.Local.IPv4_Addr), NULL) != S_OK) goto CleanUp;
ExtRemoteTyped OwningProcess("(nt!_EPROCESS *)@$extin", Tcb.Field("OwningProcess").GetPtr());
NetworkEntry.ProcessId = OwningProcess.Field("UniqueProcessId").GetPtr();
OwningProcess.Field("ImageFileName").GetString((LPSTR)NetworkEntry.ProcessName, sizeof(NetworkEntry.ProcessName));
NetworkEntries.push_back(NetworkEntry);
}
}
}
}
CleanUp:
if (Table) free(Table);
return NetworkEntries;
}
//---------------------------------------------------------------------------
void AutoGuagiProcdure()
{
long map = ReadPointer(MapBase,MapIDOffset);
if( *(DWORD*)PeopleBase )
{
if( AutoGuagi_Start == 1)
{
AutoGuagi_OnOff = 1;
AutoGuagi_Status = 0;
AutoGuagi_Start= 0;
}
if ( AutoGuagi_OnOff != 0)
{
switch(AutoGuagi_Status)
{
case 0: //檢查地圖
taxi_flag = 0;
Sleep(2000);
frmMain->ck_att->IsChecked = false;
frmMain->ck_func_godmode->IsChecked = true;
GodMode_OnOff = true;
if( map != AutoGuagi_MapId)
AutoGuagi_Status = 1;
else
AutoGuagi_Status = 2;
break;
case 1: //地圖不同 -> 計程車
ThreadTaxi = new TThreadTaxi(false, map ,AutoGuagi_MapId ,TaxiEnumProc );
ThreadTaxi->WaitFor();
if( taxi_flag == -1 )
{
AutoGuagi_Status = -1;
break;
}
map = ReadPointer(MapBase,MapIDOffset);
if( map != AutoGuagi_MapId )
AutoGuagi_Status = -1;
else
AutoGuagi_Status = 2;
break;
case 2: //瞬間移動到指定位置
Sleep(200);
TeleXY( true , AutoGuagi_X , AutoGuagi_Y - 5 );
Sleep(2000);
AutoGuagi_Status = 3;
break;
case 3: //啟動左右走
frmMain->ck_func_csx->IsChecked = true;
frmMain->ck_func_autolr->IsChecked = true;
AutoGuagi_Status = 4;
Sleep(200);
break;
case 4: //啟動全圖打
CSMobVac_OnOff = 1;
FullMap_OnOff = 1;
GodMode_OnOff = true;
frmMain->ck_att->IsChecked = true;
break;
case -1:
AutoGuagi_OnOff = 0;
FullMap_OnOff = 0;
CSMobVac_OnOff = 0;
AutoGuagi_Status = -1;
taxi_flag = 0;
break;
case -2:
AutoGuagi_OnOff = 0;
FullMap_OnOff = 0;
CSMobVac_OnOff = 0;
frmMain->ck_att->IsChecked = false;
AutoGuagi_Status = -1;
break;
}
}
else
{
AutoGuagi_Status = 0;
}
}
}
ExtRemoteTyped
GetKeyNode(
_In_ PWSTR FullKeyPath
)
{
ULONG64 CmpMasterHive;
ULONG64 CmpRegistryRootObject;
ExtRemoteTyped KeyNode;
try {
ReadPointer(CmpMasterHiveAddress, &CmpMasterHive);
ReadPointer(CmpRegistryRootObjectAddress, &CmpRegistryRootObject);
ExtRemoteTyped KeyHive("(nt!_HHIVE *)@$extin", CmpMasterHive);
ExtRemoteTyped KeyBody("(nt!_CM_KEY_BODY *)@$extin", CmpRegistryRootObject);
ExtRemoteTyped KeyControlBlock("(nt!_CM_KEY_CONTROL_BLOCK *)@$extin", KeyBody.Field("KeyControlBlock").GetPtr());
ULONG KeyCell = KeyControlBlock.Field("KeyCell").GetUlong();
KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell));
vector<KEY_NAME> KeysNames = GetKeysNames(FullKeyPath);
for (size_t i = 1; i < KeysNames.size(); i++) {
BOOL IsFound = FALSE;
vector<KEY_NODE> SubKeys = GetSubKeys(KeyHive, KeyNode);
for (size_t j = 0; j < SubKeys.size(); j++) {
if (0 == _wcsicmp(KeysNames[i].Name, SubKeys[j].Name)) {
KeyNode = SubKeys[j].KeyNode;
if (KeyNode.Field("Signature").GetUshort() == CM_LINK_NODE_SIGNATURE) {
KeyHive = ExtRemoteTyped("(nt!_HHIVE *)@$extin", KeyNode.Field("ChildHiveReference.KeyHive").GetPtr());
KeyCell = KeyNode.Field("ChildHiveReference.KeyCell").GetUlong();
KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell));
}
IsFound = TRUE;
break;
}
}
if (!IsFound) {
KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", NULL);
break;
}
}
}
catch (...) {
}
return KeyNode;
}
