views:

194

answers:

4
+1  Q: 

Access Violation

I've been learning how to NOP functions in C++ or even C but there are very few tutorials online about it. I've been googling for the past few hours now and I'm just stuck. Here is my code.

#include <iostream>
#include <windows.h>
#include <tlhelp32.h>
using namespace std;

//#define NOP 0x90
byte NOP[] = {0x90};

void enableDebugPrivileges() {
    HANDLE hcurrent=GetCurrentProcess();
    HANDLE hToken;
    BOOL bret=OpenProcessToken(hcurrent,40,&hToken);
    LUID luid;
    bret=LookupPrivilegeValue(NULL,"SeDebugPrivilege",&luid);
    TOKEN_PRIVILEGES NewState,PreviousState;
    DWORD ReturnLength;
    NewState.PrivilegeCount =1;
    NewState.Privileges[0].Luid =luid;
    NewState.Privileges[0].Attributes=2;
    AdjustTokenPrivileges(hToken,FALSE,&NewState,28,&PreviousState,&ReturnLength);
}
DWORD GetProcId(char* ProcName)
{
    PROCESSENTRY32   pe32;
    HANDLE         hSnapshot = NULL;

    pe32.dwSize = sizeof( PROCESSENTRY32 );
    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

    if( Process32First( hSnapshot, &pe32 ) )
    {
        do{
            if( strcmp( pe32.szExeFile, ProcName ) == 0 )
                break;
        }while( Process32Next( hSnapshot, &pe32 ) );
    }

    if( hSnapshot != INVALID_HANDLE_VALUE )
        CloseHandle( hSnapshot );

    return pe32.th32ProcessID;
}
void WriteMem(DWORD Address, void* Value, size_t Size) {
    DWORD Protect = NULL;
    VirtualProtect((LPVOID)Address, 3, PAGE_READWRITE, &Protect);
    memcpy((void*)Address, Value, 3);
    VirtualProtect((LPVOID)Address, 3, Protect, &Protect);
}
void nop_(PVOID address, int bytes){ 
    DWORD d, ds; 
    VirtualProtect(address, bytes, PAGE_EXECUTE_READWRITE, &d); 
    memset(address, 144, bytes);
    VirtualProtect(address,bytes,d,&ds); 
}  

void MemCopy(HANDLE pHandle, void* Dest, const void* Src, int Len)
{
 DWORD OldProtect;
 DWORD OldProtect2; 
 VirtualProtect(Dest, Len, PAGE_EXECUTE_READWRITE, &OldProtect);
 memcpy(Dest, Src, Len);
 VirtualProtect(Dest, Len, OldProtect, &OldProtect2);
 FlushInstructionCache(pHandle, Dest, Len);
}

int main()
{
   enableDebugPrivileges();

   DWORD pid;
   HANDLE phandle;

   // Obtain the process ID
   pid = GetProcId("gr.exe");
    if(GetLastError())
   {
      cout << "Error_PID_: " << GetLastError() << endl;
      system("pause");
      return -1;
   }

   // Obtain the process handle
   phandle = OpenProcess(PROCESS_ALL_ACCESS,0,pid);
   if(GetLastError())
   {
      cout << "Error_HANDLE_: " << GetLastError() << endl;
      system("pause");
      return -1;
   }

   // Debug info, 0 = bad
   cout <<"pid   : " << pid << endl;
   cout <<"HANDLE: " << phandle << endl << endl;
   system("pause");


   // Change value to
   short iValue   =   -1;
   int choice   =   0;

   BYTE * bGodMode  = (BYTE *) (0x409A7E); // Lives Address


   bool hack = true;
   while(hack)
   {
      system("cls");
      cout << "What hack?\n0. Exit\n1. Lives\n\n!> ";
      cin >> choice;
      switch(choice)
      {
      case 0:
         {
            hack=false;
            break;
         }
      case 1:
         // Modify Time
         cout << "God Mode On\n!> ";
//  cin >> iValue;
//  nop_((PVOID)(0x409A7E), 3);
//   MemCopy(phandle, (PVOID)0x409A7E, &NOP, 1);
   WriteMem((DWORD)(0x00409A7E), (void*)NOP, sizeof NOP);
         if(GetLastError())
         {
            cout << "Error: " << GetLastError() << endl;
            system("pause");
         }
         break;
      default:
         cout << "ERROR!\n";
         break;
      }
      Sleep(100);
   }

   system("pause");
   return 0;
}

This is suppose to NOP the DEC function that is 3 bytes long preventing me from losing lives. However each time I try it, it crashes the hack and says I had a access violation. I tried to look up the reasons and most of them dealt with with the size of the location I'm writing to and what I'm copying from. Otherwise, I have absolutely no idea. Any help would be nice. The game is GunRoar and the base address "0x409A7E" is where the DEC function is.

+1  A: 

I'm not too familiar with Windows debugging (if that's what you are trying to exploit here) but I don't think you are doing what you think you are doing :)

Each process has its own virtual memory (that's why it's virtual). You are attempting a write to 0x00409A7E in the current process's virtual address space, not the game process' you are trying to hack. Obtaining a handle to another process does not magically map its addresses to yours - you have to do it through some additional Win API calls.

Edit:

I think you need to attach to the victim process as a debugger, something like DebugActiveProcess. Otherwise the text segment of the game (that's where the instructions are) is not writable by your process.

Nikolai N Fetissov
I tried using writeprocessmemory and write to that processes memory address as well. It still failed.
Justin
In response to your edit, I just tried it that way as well. It freezes the main application until I start up extra threads and then it dies unless I tell it not to. Either way, after the excess work, it still failed on me.
Justin
Yes, that's the idea - you attach to/stop the app being debugged, fiddle with its data/instructions, then detach from/resume it. You might also have to explicitly change memory protection on target's regions.
Nikolai N Fetissov
I tried this method already though. I was able to successfully attach, create the threads, and debug the process. It still gave me a error though. Is there something special I have to do if I'm using Windows 7 Professional 32 bit? I'm running my app as administrator, so privileges should be granted automatically. And I ask for all the extra ones needed and I get them successfully.
Justin
A: 

Are you sure that the page(s) that you are attempting to write to actually have write permissions?

Aaron Klotz
A: 

Correct me if I'm wrong, but are you just playing GunRoar from ABA Games? If so, the code is apparently open source and is actually shipped in the zip file. From taking a really quick look, you might just need to play with the "left" member in the shipDestroyed() method of the InGameState (see gamemanager.d). Make the necessary fixes you want to 'godmode', build, and then send them mail to integrate your changes. :)

nithins
That defeats the purpose of learning how to NOP functions.
Justin
A: 

A few quick points:

‘VirtualProtect‘ only works on your current process. Use ‘VirtualProtectEx‘ to change the target process's permissions. And I'd suggest you set permission ‘PAGE_EXECUTE_READWRITE‘ -- writable, but still executable.

As mentioned before, you'll need to use ‘WriteProcessMemory‘ to write those NOPs; memset won't suffice.

To perform the type of hack you talk about here properly, one should really suspend the threads in the targeted process before mucking with it's code, and then resume them when done. But in this particular instance, such care probably doesn't matter.

Managu
Thanks, this is what I was messing up on. After changing it to VirtualProtectEx, the program worked properly.
Justin