I’ve been learning how to NOP functions in C++ or even C but there are very few tutorials online about it. I’ve been googling for the past few hours now and I’m just stuck. Here is my code.
#include <iostream>
#include <windows.h>
#include <tlhelp32.h>
using namespace std;
//#define NOP 0x90
byte NOP[] = {0x90};
void enableDebugPrivileges() {
HANDLE hcurrent=GetCurrentProcess();
HANDLE hToken;
BOOL bret=OpenProcessToken(hcurrent,40,&hToken);
LUID luid;
bret=LookupPrivilegeValue(NULL,"SeDebugPrivilege",&luid);
TOKEN_PRIVILEGES NewState,PreviousState;
DWORD ReturnLength;
NewState.PrivilegeCount =1;
NewState.Privileges[0].Luid =luid;
NewState.Privileges[0].Attributes=2;
AdjustTokenPrivileges(hToken,FALSE,&NewState,28,&PreviousState,&ReturnLength);
}
DWORD GetProcId(char* ProcName)
{
PROCESSENTRY32 pe32;
HANDLE hSnapshot = NULL;
pe32.dwSize = sizeof( PROCESSENTRY32 );
hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( Process32First( hSnapshot, &pe32 ) )
{
do{
if( strcmp( pe32.szExeFile, ProcName ) == 0 )
break;
}while( Process32Next( hSnapshot, &pe32 ) );
}
if( hSnapshot != INVALID_HANDLE_VALUE )
CloseHandle( hSnapshot );
return pe32.th32ProcessID;
}
void WriteMem(DWORD Address, void* Value, size_t Size) {
DWORD Protect = NULL;
VirtualProtect((LPVOID)Address, 3, PAGE_READWRITE, &Protect);
memcpy((void*)Address, Value, 3);
VirtualProtect((LPVOID)Address, 3, Protect, &Protect);
}
void nop_(PVOID address, int bytes){
DWORD d, ds;
VirtualProtect(address, bytes, PAGE_EXECUTE_READWRITE, &d);
memset(address, 144, bytes);
VirtualProtect(address,bytes,d,&ds);
}
void MemCopy(HANDLE pHandle, void* Dest, const void* Src, int Len)
{
DWORD OldProtect;
DWORD OldProtect2;
VirtualProtect(Dest, Len, PAGE_EXECUTE_READWRITE, &OldProtect);
memcpy(Dest, Src, Len);
VirtualProtect(Dest, Len, OldProtect, &OldProtect2);
FlushInstructionCache(pHandle, Dest, Len);
}
int main()
{
enableDebugPrivileges();
DWORD pid;
HANDLE phandle;
// Obtain the process ID
pid = GetProcId("gr.exe");
if(GetLastError())
{
cout << "Error_PID_: " << GetLastError() << endl;
system("pause");
return -1;
}
// Obtain the process handle
phandle = OpenProcess(PROCESS_ALL_ACCESS,0,pid);
if(GetLastError())
{
cout << "Error_HANDLE_: " << GetLastError() << endl;
system("pause");
return -1;
}
// Debug info, 0 = bad
cout <<"pid : " << pid << endl;
cout <<"HANDLE: " << phandle << endl << endl;
system("pause");
// Change value to
short iValue = -1;
int choice = 0;
BYTE * bGodMode = (BYTE *) (0x409A7E); // Lives Address
bool hack = true;
while(hack)
{
system("cls");
cout << "What hack?\n0. Exit\n1. Lives\n\n!> ";
cin >> choice;
switch(choice)
{
case 0:
{
hack=false;
break;
}
case 1:
// Modify Time
cout << "God Mode On\n!> ";
// cin >> iValue;
// nop_((PVOID)(0x409A7E), 3);
// MemCopy(phandle, (PVOID)0x409A7E, &NOP, 1);
WriteMem((DWORD)(0x00409A7E), (void*)NOP, sizeof NOP);
if(GetLastError())
{
cout << "Error: " << GetLastError() << endl;
system("pause");
}
break;
default:
cout << "ERROR!\n";
break;
}
Sleep(100);
}
system("pause");
return 0;
}
This is suppose to NOP the DEC function that is 3 bytes long preventing me from losing lives. However each time I try it, it crashes the hack and says I had a access violation. I tried to look up the reasons and most of them dealt with with the size of the location I’m writing to and what I’m copying from. Otherwise, I have absolutely no idea. Any help would be nice. The game is GunRoar and the base address “0x409A7E” is where the DEC function is.
A few quick points:
‘VirtualProtect‘ only works on your current process. Use ‘VirtualProtectEx‘ to change the target process’s permissions. And I’d suggest you set permission ‘PAGE_EXECUTE_READWRITE‘ — writable, but still executable.
As mentioned before, you’ll need to use ‘WriteProcessMemory‘ to write those NOPs; memset won’t suffice.
To perform the type of hack you talk about here properly, one should really suspend the threads in the targeted process before mucking with it’s code, and then resume them when done. But in this particular instance, such care probably doesn’t matter.