I'm trying to create a trainer for Icy Tower 1.4 for educational purposes.

I wrote a function that shortens the WriteProcessMemory call, like this:

void WPM(HWND hWnd,int address,byte data[])
{
    DWORD proc_id;
    GetWindowThreadProcessId(hWnd, &proc_id);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, proc_id);

    if(!hProcess)
        return;

    DWORD dataSize = sizeof(data);
    WriteProcessMemory(hProcess,(LPVOID)address,&data,dataSize,NULL);
    CloseHandle(hProcess);
}

and that's the function that should stop the Icy Tower Clock:

void ClockHack(int status)
{
    if(status==1)//enable
    {
        //crashes the game
        byte data[]={0xc7,0x05,0x04,0x11,0x45,0x00,0x00,0x00,0x00,0x00};
        WPM(FindIcyTower(),0x00415E19,data);
    }
    else if(status==0)//disable
    {
            byte data[]={0xA3,0x04,0x11,0x45,0x00};
    }
}

In the else statement there's the original AOB of the opcode. When I call the ClockHack function with the status parameter set to 1, the game crashes.

In Cheat Engine I wrote a script for this that doesn't write to exactly the same address, because I used a code cave, and it works great.

Does anyone know why? Thank you.

By the way: it is for educational purposes only.

+2  A: 

You can't pass an array to a function like that. Having a byte[] parameter is the same as a byte * parameter, and sizeof(data) will just give you the size of a pointer. Also, you shouldn't use &data since it's already a pointer.

So your function should look like:

void WPM(HWND hWnd,int address, byte *data, int dataSize)
{
    //....
    WriteProcessMemory(hProcess,(LPVOID)address,data,dataSize,NULL);
    //...
}
interjay
instead of the dataSize parameter can I just do sizeof(data)?
TTT
You can use sizeof(data) in the ClockHack function where the array is originally defined, but not in the WPM function.
interjay
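The decay bug described in this answer, as an added self-contained C example (not interjay's code and not Win32): a plain byte buffer stands in for the target process's memory and memcpy stands in for WriteProcessMemory, so it runs offline. The buggy version reproduces the question's WPM and ends up copying sizeof(byte *) bytes of the pointer variable itself; the corrected signature with an explicit length copies the whole patch.

```c
#include <stddef.h>
#include <string.h>
typedef unsigned char byte;

/* Constructed stand-in for the target process's memory; memcpy into it
 * plays the role of WriteProcessMemory so the example runs offline. */
#define TARGET_SIZE 16
static byte target[TARGET_SIZE];
static const byte patch[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; /* constructed test data */

/* Mirrors the question's WPM: `byte data[]` is really `byte *data`, so
 * sizeof(data) is sizeof(byte *) and &data is the address of the pointer
 * variable itself. What lands in `target` is the pointer's own value. */
size_t wpm_buggy(size_t offset, byte data[])
{
    size_t n = sizeof(data);           /* 4 or 8, never 10 */
    memcpy(target + offset, &data, n); /* copies the pointer, not the payload */
    return n;
}

/* Corrected form from the answer: explicit length, pointer used directly. */
size_t wpm_fixed(size_t offset, const byte *data, size_t n)
{
    if (offset > TARGET_SIZE || n > TARGET_SIZE - offset) return 0;
    memcpy(target + offset, data, n);
    return n;
}

/* Number of leading bytes of `target` that equal the intended patch. */
static size_t bytes_matching_patch(void)
{
    size_t i = 0;
    while (i < sizeof patch && target[i] == patch[i]) i++;
    return i;
}

size_t buggy_bytes_correct(void)
{
    memset(target, 0xCC, TARGET_SIZE);  /* 0xCC = int3 filler */
    wpm_buggy(0, (byte *)patch);
    return bytes_matching_patch();      /* below 10: the tail is still 0xCC */
}

size_t fixed_bytes_correct(void)
{
    memset(target, 0xCC, TARGET_SIZE);
    wpm_fixed(0, patch, sizeof patch);
    return bytes_matching_patch();      /* all 10 */
}
```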
+1  A: 

When an array is passed into a function it is always passed by reference, so byte[] is the same as byte*, and you are only writing the first sizeof(byte*) bytes of your code. Or 4 bytes on x86 platforms.

Also, it looks like what you are writing is object code; if not, then ignore the rest of this answer.

Well, assuming that you are writing to the correct location, and what you are writing is correct, you still have a problem: WriteProcessMemory isn't guaranteed to be atomic with respect to the thread that is running in the target process.

You need to make sure that the target thread is suspended, and not executing in that part of the code. And I have no idea what sort of thing you (may) have to do to flush the instruction decoding pipeline and/or L1 cache.

Edit: Now that I've thought some more, I think that using a mutex to protect this piece of code from being overwritten while it is being executed is better than suspending the thread.

John Knoeller