VOID UpdateCharacterY() { while(TRUE) { charactery = (int) ReadPointer(characterBase, characterY); Sleep(100); SendToPipe(CHARACTERY, (BYTE)charactery, (BYTE)(charactery >> 8), (BYTE)(charactery >> 16), (BYTE)(charactery >> 24)); Sleep(500); } }
VOID UpdateCharacterX() { while(TRUE) { characterx = (int) ReadPointer(characterBase, characterX); Sleep(100); SendToPipe(CHARACTERX, (BYTE)characterx, (BYTE)(characterx >> 8), (BYTE)(characterx >> 16), (BYTE)(characterx >> 24)); Sleep(500); } }
VOID UpdateMap() { while(TRUE) { mapID = (int) ReadPointer(mapBase, mapId); Sleep(100); SendToPipe(MAP, (BYTE)mapID, (BYTE)(mapID >> 8), (BYTE)(mapID >> 16), (BYTE)(mapID >> 24)); Sleep(500); } }
VOID UpdateMonsterCount() { while(TRUE) { monstercount = (int) ReadPointer(monsterBase, monsterCount); Sleep(100); SendToPipe(MONSTERCOUNT, (BYTE)monstercount, (BYTE)(monstercount >> 8), (BYTE)(monstercount >> 16), (BYTE)(monstercount >> 24)); Sleep(500); } }
// Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL) // of the remote process. FARPROC WINAPI GetRemoteProcAddress( HANDLE hProcess, HMODULE hModuleLocal, HMODULE hModuleRemote, const char *func ) { // Account for potential differences in base address // of modules in different processes. unsigned long delta = hModuleRemote - hModuleLocal; // if delta is not 0 and func can be read from if( delta != 0 && ReadPointer(NULL, func) ) { return GetRemoteProcAddressInternal( hProcess, hModuleRemote, func ); } else return (FARPROC)((DWORD)GetProcAddress(hModuleLocal, func) ); }
int GetMobCount() { return ReadPointer(TSingleton__CMobPool, MobCount_Offset); }
void cTrackManiaHack::SetBoostMulti(float fNewMulti) { DWORD dwOffsetsSpeed[] = {0x4, 0x64, 0x18, m_dwModeOffset, 0xF0}; DWORD dwBoostOptionAddress = ReadPointer(GetAddress("GroundNumBase"), dwOffsetsSpeed, sizeof(dwOffsetsSpeed)); if (dwBoostOptionAddress) WriteAddress(dwBoostOptionAddress, &fNewMulti, sizeof(fNewMulti)); }
void cTrackManiaHack::SetStuntPoints(int iPoints) { DWORD dwOffsets[] = {0x454, 0x28, 0x0, 0x1C, 0x2D4}; WriteAddress(ReadPointer(GetAddress("BaseP1"), dwOffsets, sizeof(dwOffsets)), &iPoints, sizeof(iPoints)); }
bool bottomWallLocation(int Y) { return ((int)ReadPointer(wallBase, bottomWall) >= Y); }
void cTrackManiaHack::SetBoostDuration(int iNewDuration) { DWORD dwOffsetsSpeed[] = {0x4, 0x64, 0x18, m_dwModeOffset, 0xF8}; DWORD dwBoostOptionAddress = ReadPointer(GetAddress("GroundNumBase"), dwOffsetsSpeed, sizeof(dwOffsetsSpeed)); if (dwBoostOptionAddress) WriteAddress(dwBoostOptionAddress, &iNewDuration, sizeof(iNewDuration)); }
bool topWallLocation(int Y) { return ((int)ReadPointer(wallBase, topWall) <= Y); }
bool rightWallLocation(int X) { return ((int)ReadPointer(wallBase, rightWall) >= X); }
static bool ReadEncodedPointer(const libunwindInfo* info, unw_word_t* addr, unsigned char encoding, unw_word_t funcRel, unw_word_t* valp) { unw_word_t initialAddr = *addr; uint16_t value16; uint32_t value32; uint64_t value64; unw_word_t value; if (encoding == DW_EH_PE_omit) { *valp = 0; return true; } else if (encoding == DW_EH_PE_aligned) { int size = sizeof(unw_word_t); *addr = (initialAddr + size - 1) & -size; return ReadPointer(info, addr, valp); } switch (encoding & DW_EH_PE_FORMAT_MASK) { case DW_EH_PE_ptr: if (!ReadPointer(info, addr, &value)) { return false; } break; case DW_EH_PE_uleb128: if (!ReadULEB128(info, addr, &value)) { return false; } break; case DW_EH_PE_sleb128: if (!ReadSLEB128(info, addr, &value)) { return false; } break; case DW_EH_PE_udata2: if (!ReadValue16(info, addr, &value16)) { return false; } value = value16; break; case DW_EH_PE_udata4: if (!ReadValue32(info, addr, &value32)) { return false; } value = value32; break; case DW_EH_PE_udata8: if (!ReadValue64(info, addr, &value64)) { return false; } value = value64; break; case DW_EH_PE_sdata2: if (!ReadValue16(info, addr, &value16)) { return false; } value = (int16_t)value16; break; case DW_EH_PE_sdata4: if (!ReadValue32(info, addr, &value32)) { return false; } value = (int32_t)value32; break; case DW_EH_PE_sdata8: if (!ReadValue64(info, addr, &value64)) { return false; } value = (int64_t)value64; break; default: ASSERT("ReadEncodedPointer: invalid encoding format %x\n", encoding); return false; } // 0 is a special value and always absolute if (value == 0) { *valp = 0; return true; } switch (encoding & DW_EH_PE_APPL_MASK) { case DW_EH_PE_absptr: break; case DW_EH_PE_pcrel: value += initialAddr; break; case DW_EH_PE_funcrel: _ASSERTE(funcRel != UINTPTR_MAX); value += funcRel; break; case DW_EH_PE_textrel: case DW_EH_PE_datarel: default: ASSERT("ReadEncodedPointer: invalid application type %x\n", encoding); return false; } if (encoding & DW_EH_PE_indirect) { unw_word_t indirect_addr = value; if (!ReadPointer(info, &indirect_addr, &value)) { return false; } } *valp = value; return true; }
bool leftWallLocation(int X) { return ((int)ReadPointer(wallBase, leftWall) <= X); }
// TODO: Increase accuracy of the memory is readable check. // As of now, it is only accurate to 12 bytes and could, // in extremely rare circumstances, crash. void disassemblyDlg::OnButton1Click(wxCommandEvent& event) { DISASM dis = {0}; int instructionSize; dis.EIP = (UIntPtr)HexToDecimal<int>(TextCtrl1->GetValue()); ListView1->DeleteAllItems(); // clear list before we populate it bool memIsGood = true; // keeps track of if reading mem will crash you for( int i=0; i < 1000; ++i ) { dis.VirtualAddr = dis.EIP; // fixes offsets bool memIsGood = true; // keeps track of if reading memory will crash you for( int i=0; i < 16; i+=4 ) { DWORD trashValue; // a trash value used by ReadPointer to store data if( !ReadPointer( &trashValue, (LPCVOID)(dis.EIP+i) ) ) memIsGood = false; } // we don't want to continue if memory was unreadable if( !memIsGood ) { long index = ListView1->GetItemCount(); index = ListView1->InsertItem(index, wxString::Format("%08x", dis.EIP) ); //Address ListView1->SetItem( index, 1, _("??") ); //Bytes ListView1->SetItem( index, 2, _("Memory could not be read") ); //Instruction ++(dis.EIP); } else if( (instructionSize = _Disasm(&dis) ) > 0 ) // -1 is an unknown instruction { long index = ListView1->GetItemCount(); wxString byteArray = _(""); for(int j=0; j < instructionSize; ++j ) { byteArray << wxString::Format("%02x", reinterpret_cast<unsigned char *>(dis.EIP)[j] ) << " "; } index = ListView1->InsertItem(index, wxString::Format("%08x", dis.EIP) ); //Address ListView1->SetItem( index, 1, byteArray ); //Bytes ListView1->SetItem( index, 2, dis.CompleteInstr ); //Instruction dis.EIP += instructionSize; } else // unknown instruction, so we'll say that this is a "db" instruction { wxString byteArray = _(""); byteArray << wxString::Format("%02x", reinterpret_cast<unsigned char *>(dis.EIP)[0] ); long index = ListView1->GetItemCount(); index = ListView1->InsertItem(index, wxString::Format("%08x", dis.EIP) ); //Address ListView1->SetItem( index, 1, byteArray ); //Bytes ListView1->SetItem( index, 2, _("db ") + byteArray ); //Instruction ++(dis.EIP); } } //wxMessageBox( BeaEngineVersion(), "Hello" ); }
// Information int GetPeopleCount() { return ReadPointer(TSingleton__CUserPool, PeopleCount_Offset); }
FuncObjC* ReadFuncObj() { return static_cast<FuncObjC*>(ReadPointer()); }
// convenience function which returns the data instead of TRUE/FALSE DWORD _ReadAddress( LPCVOID address, ... ) { DWORD result = 0; ReadPointer( &result, address, __VA_ARGS__); return result; }
vector<NETWORK_ENTRY> GetSockets( ) /*++ Routine Description: Description. Arguments: - Return Value: vector<NETWORK_ENTRY>. --*/ { ULONG64 TableAddr; ULONG64 TableCountAddr; PULONG64 Table = NULL; ULONG TableCount; vector<NETWORK_ENTRY> NetworkEntries; ULONG ProcessorType; ULONG PlateformId, Major, Minor, ServicePackNumber; if (g_Ext->m_Control->GetActualProcessorType(&ProcessorType) != S_OK) goto CleanUp; if (g_Ext->m_Control->GetSystemVersion(&PlateformId, &Major, &Minor, NULL, NULL, NULL, &ServicePackNumber, NULL, NULL, NULL) != S_OK) goto CleanUp; // g_Ext->Dml("Major: %d, Minor: %d, ProcessorType = %x\n", Major, Minor, ProcessorType); if ((Minor < 6000) && (ProcessorType == IMAGE_FILE_MACHINE_I386)) { if (g_Ext->m_Symbols->GetOffsetByName("tcpip!AddrObjTable", &TableAddr) != S_OK) goto CleanUp; if (g_Ext->m_Symbols->GetOffsetByName("tcpip!AddrObjTableSize", &TableCountAddr) != S_OK) goto CleanUp; if (ReadPointersVirtual(1, TableAddr, &TableAddr) != S_OK) goto CleanUp; if (g_Ext->m_Data->ReadVirtual(TableCountAddr, &TableCount, sizeof(ULONG), NULL) != S_OK) goto CleanUp; Table = (PULONG64)malloc(TableCount * sizeof(ULONG64)); if (ReadPointersVirtual(TableCount, TableAddr, Table) != S_OK) goto CleanUp; for (UINT i = 0; i < TableCount; i += 1) { Network::OBJECT_ENTRY_X86 ObjectEntry = { 0 }; NETWORK_ENTRY NetworkEntry = { 0 }; if (Table[i] == 0) continue; if (g_Ext->m_Data->ReadVirtual(Table[i], &ObjectEntry, sizeof(Network::OBJECT_ENTRY_X86), NULL) != S_OK) goto CleanUp; NetworkEntry.ObjectPtr = Table[i]; NetworkEntry.CreationTime = ObjectEntry.CreationTime; NetworkEntry.ProcessId = ObjectEntry.ProcessId; NetworkEntry.Protocol = ObjectEntry.Protocol; NetworkEntry.Local.Port = (ObjectEntry.Port[1] << 8) | ObjectEntry.Port[0]; NetworkEntry.Local.IPv4_Addr[3] = ObjectEntry.LocalAddress[3]; NetworkEntry.Local.IPv4_Addr[2] = ObjectEntry.LocalAddress[2]; NetworkEntry.Local.IPv4_Addr[1] = ObjectEntry.LocalAddress[1]; NetworkEntry.Local.IPv4_Addr[0] = ObjectEntry.LocalAddress[0]; NetworkEntry.State = TcbListenState; NetworkEntries.push_back(NetworkEntry); } } else if (Minor > 6000) { if (g_Ext->m_Symbols->GetOffsetByName("tcpip!PartitionCount", &TableCountAddr) != S_OK) goto CleanUp; ReadPointer(GetExpression("tcpip!PartitionTable"), &TableAddr); if (!TableAddr) goto CleanUp; if (g_Ext->m_Data->ReadVirtual(TableCountAddr, &TableCount, sizeof(ULONG), NULL) != S_OK) goto CleanUp; ULONG ListEntrySize = GetTypeSize("nt!_LIST_ENTRY"); ULONG PoolHeaderSize = GetTypeSize("nt!_POOL_HEADER"); ExtRemoteUnTyped PartitionTable(TableAddr, "tcpip!_PARTITION_TABLE"); for (UINT PartitionIndex = 0; PartitionIndex < TableCount; PartitionIndex += 1) { NETWORK_ENTRY NetworkEntry = { 0 }; // g_Ext->Dml(" -> Partition[%d].HashTables = 0x%I64X\n", PartitionIndex, Partition->HashTables); ExtRemoteTyped HashTable("(nt!_RTL_DYNAMIC_HASH_TABLE *)@$extin", PartitionTable.ArrayElement(PartitionIndex).Field("HashTables").GetPtr()); ULONG64 Directory = HashTable.Field("Directory").GetPtr(); ULONG TableEntries = HashTable.Field("TableSize").GetUlong(); for (UINT i = 0; i < TableEntries; i += 1) { ExtRemoteTypedList List(Directory + i * ListEntrySize, "nt!_LIST_ENTRY", "Flink"); for (List.StartHead(); List.HasNode(); List.Next()) { ULONG64 Current = List.GetNodeOffset(); if (!IsValid(Current)) break; ExtRemoteUnTyped Tcb(Current, "tcpip!_TCB"); Tcb.SubtractOffset("HashTableEntry"); ExtRemoteTyped PoolHeader("(nt!_POOL_HEADER *)@$extin", Tcb.GetPointerTo() - PoolHeaderSize); if (PoolHeader.Field("PoolTag").GetUlong() != 'EpcT') continue; //# Seen as 0x1f0 on Vista SP0, 0x1f8 on Vista SP2 and 0x210 on 7 //# Seen as 0x320 on Win7 SP0 x64 ULONG PoolSize; if (PoolHeader.Field("BlockSize").GetTypeSize() == sizeof(USHORT)) { PoolSize = PoolHeader.Field("BlockSize").GetUshort() * 0x10; } else { PoolSize = PoolHeader.Field("BlockSize").GetUlong() * 0x10; } if (PoolSize < 0x100) continue; ULONG64 SrcAddress = 0; ULONG64 DstAddress = 0; NetworkEntry.Protocol = PROTOCOL_TCP; NetworkEntry.State = Tcb.Field("State").GetUlong(); NetworkEntry.Local.Port = Tcb.Field("LocalPort").GetUshort(); NetworkEntry.Remote.Port = Tcb.Field("RemotePort").GetUshort(); DstAddress = Tcb.Field("Path", TRUE).Field("DestinationAddress").GetPtr(); if (IsValid(Tcb.Field("Path").GetPtr() && IsValid(Tcb.Field("Path", TRUE).Field("SourceAddress").GetPtr()) && IsValid(Tcb.Field("Path", TRUE).Field("SourceAddress", TRUE).Field("Identifier").GetPtr()) && IsValid(Tcb.Field("Path", TRUE).Field("SourceAddress", TRUE).Field("Identifier", TRUE).Field("Address").GetPtr()))) { SrcAddress = Tcb.Field("Path", TRUE).Field("SourceAddress", TRUE).Field("Identifier", TRUE).Field("Address").GetPtr(); } if (DstAddress && g_Ext->m_Data->ReadVirtual(DstAddress, &NetworkEntry.Remote.IPv4_Addr, sizeof(NetworkEntry.Remote.IPv4_Addr), NULL) != S_OK) goto CleanUp; if (SrcAddress && g_Ext->m_Data->ReadVirtual(SrcAddress, &NetworkEntry.Local.IPv4_Addr, sizeof(NetworkEntry.Local.IPv4_Addr), NULL) != S_OK) goto CleanUp; ExtRemoteTyped OwningProcess("(nt!_EPROCESS *)@$extin", Tcb.Field("OwningProcess").GetPtr()); NetworkEntry.ProcessId = OwningProcess.Field("UniqueProcessId").GetPtr(); OwningProcess.Field("ImageFileName").GetString((LPSTR)NetworkEntry.ProcessName, sizeof(NetworkEntry.ProcessName)); NetworkEntries.push_back(NetworkEntry); } } } } CleanUp: if (Table) free(Table); return NetworkEntries; }
//--------------------------------------------------------------------------- void AutoGuagiProcdure() { long map = ReadPointer(MapBase,MapIDOffset); if( *(DWORD*)PeopleBase ) { if( AutoGuagi_Start == 1) { AutoGuagi_OnOff = 1; AutoGuagi_Status = 0; AutoGuagi_Start= 0; } if ( AutoGuagi_OnOff != 0) { switch(AutoGuagi_Status) { case 0: //檢查地圖 taxi_flag = 0; Sleep(2000); frmMain->ck_att->IsChecked = false; frmMain->ck_func_godmode->IsChecked = true; GodMode_OnOff = true; if( map != AutoGuagi_MapId) AutoGuagi_Status = 1; else AutoGuagi_Status = 2; break; case 1: //地圖不同 -> 計程車 ThreadTaxi = new TThreadTaxi(false, map ,AutoGuagi_MapId ,TaxiEnumProc ); ThreadTaxi->WaitFor(); if( taxi_flag == -1 ) { AutoGuagi_Status = -1; break; } map = ReadPointer(MapBase,MapIDOffset); if( map != AutoGuagi_MapId ) AutoGuagi_Status = -1; else AutoGuagi_Status = 2; break; case 2: //瞬間移動到指定位置 Sleep(200); TeleXY( true , AutoGuagi_X , AutoGuagi_Y - 5 ); Sleep(2000); AutoGuagi_Status = 3; break; case 3: //啟動左右走 frmMain->ck_func_csx->IsChecked = true; frmMain->ck_func_autolr->IsChecked = true; AutoGuagi_Status = 4; Sleep(200); break; case 4: //啟動全圖打 CSMobVac_OnOff = 1; FullMap_OnOff = 1; GodMode_OnOff = true; frmMain->ck_att->IsChecked = true; break; case -1: AutoGuagi_OnOff = 0; FullMap_OnOff = 0; CSMobVac_OnOff = 0; AutoGuagi_Status = -1; taxi_flag = 0; break; case -2: AutoGuagi_OnOff = 0; FullMap_OnOff = 0; CSMobVac_OnOff = 0; frmMain->ck_att->IsChecked = false; AutoGuagi_Status = -1; break; } } else { AutoGuagi_Status = 0; } } }
ExtRemoteTyped GetKeyNode( _In_ PWSTR FullKeyPath ) { ULONG64 CmpMasterHive; ULONG64 CmpRegistryRootObject; ExtRemoteTyped KeyNode; try { ReadPointer(CmpMasterHiveAddress, &CmpMasterHive); ReadPointer(CmpRegistryRootObjectAddress, &CmpRegistryRootObject); ExtRemoteTyped KeyHive("(nt!_HHIVE *)@$extin", CmpMasterHive); ExtRemoteTyped KeyBody("(nt!_CM_KEY_BODY *)@$extin", CmpRegistryRootObject); ExtRemoteTyped KeyControlBlock("(nt!_CM_KEY_CONTROL_BLOCK *)@$extin", KeyBody.Field("KeyControlBlock").GetPtr()); ULONG KeyCell = KeyControlBlock.Field("KeyCell").GetUlong(); KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell)); vector<KEY_NAME> KeysNames = GetKeysNames(FullKeyPath); for (size_t i = 1; i < KeysNames.size(); i++) { BOOL IsFound = FALSE; vector<KEY_NODE> SubKeys = GetSubKeys(KeyHive, KeyNode); for (size_t j = 0; j < SubKeys.size(); j++) { if (0 == _wcsicmp(KeysNames[i].Name, SubKeys[j].Name)) { KeyNode = SubKeys[j].KeyNode; if (KeyNode.Field("Signature").GetUshort() == CM_LINK_NODE_SIGNATURE) { KeyHive = ExtRemoteTyped("(nt!_HHIVE *)@$extin", KeyNode.Field("ChildHiveReference.KeyHive").GetPtr()); KeyCell = KeyNode.Field("ChildHiveReference.KeyCell").GetUlong(); KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell)); } IsFound = TRUE; break; } } if (!IsFound) { KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", NULL); break; } } } catch (...) { } return KeyNode; }