Access Violation

Question

I've been learning how to NOP functions in C++ or even C but there are very few tutorials online about it. I've been googling for the past few hours now and I'm just stuck. Here is my code.

#include <iostream>
#include <windows.h>
#include <tlhelp32.h>
using namespace std;

//#define NOP 0x90
byte NOP[] = {0x90};

void enableDebugPrivileges() {
    HANDLE hcurrent=GetCurrentProcess();
    HANDLE hToken;
    BOOL bret=OpenProcessToken(hcurrent,40,&hToken);
    LUID luid;
    bret=LookupPrivilegeValue(NULL,"SeDebugPrivilege",&luid);
    TOKEN_PRIVILEGES NewState,PreviousState;
    DWORD ReturnLength;
    NewState.PrivilegeCount =1;
    NewState.Privileges[0].Luid =luid;
    NewState.Privileges[0].Attributes=2;
    AdjustTokenPrivileges(hToken,FALSE,&NewState,28,&PreviousState,&ReturnLength);
}
DWORD GetProcId(char* ProcName)
{
    PROCESSENTRY32   pe32;
    HANDLE         hSnapshot = NULL;

    pe32.dwSize = sizeof( PROCESSENTRY32 );
    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

    if( Process32First( hSnapshot, &pe32 ) )
    {
        do{
            if( strcmp( pe32.szExeFile, ProcName ) == 0 )
                break;
        }while( Process32Next( hSnapshot, &pe32 ) );
    }

    if( hSnapshot != INVALID_HANDLE_VALUE )
        CloseHandle( hSnapshot );

    return pe32.th32ProcessID;
}
void WriteMem(DWORD Address, void* Value, size_t Size) {
    DWORD Protect = NULL;
    VirtualProtect((LPVOID)Address, 3, PAGE_READWRITE, &Protect);
    memcpy((void*)Address, Value, 3);
    VirtualProtect((LPVOID)Address, 3, Protect, &Protect);
}
void nop_(PVOID address, int bytes){ 
    DWORD d, ds; 
    VirtualProtect(address, bytes, PAGE_EXECUTE_READWRITE, &d); 
    memset(address, 144, bytes);
    VirtualProtect(address,bytes,d,&ds); 
}  

void MemCopy(HANDLE pHandle, void* Dest, const void* Src, int Len)
{
 DWORD OldProtect;
 DWORD OldProtect2; 
 VirtualProtect(Dest, Len, PAGE_EXECUTE_READWRITE, &OldProtect);
 memcpy(Dest, Src, Len);
 VirtualProtect(Dest, Len, OldProtect, &OldProtect2);
 FlushInstructionCache(pHandle, Dest, Len);
}

int main()
{
   enableDebugPrivileges();

   DWORD pid;
   HANDLE phandle;

   // Obtain the process ID
   pid = GetProcId("gr.exe");
    if(GetLastError())
   {
      cout << "Error_PID_: " << GetLastError() << endl;
      system("pause");
      return -1;
   }

   // Obtain the process handle
   phandle = OpenProcess(PROCESS_ALL_ACCESS,0,pid);
   if(GetLastError())
   {
      cout << "Error_HANDLE_: " << GetLastError() << endl;
      system("pause");
      return -1;
   }

   // Debug info, 0 = bad
   cout <<"pid   : " << pid << endl;
   cout <<"HANDLE: " << phandle << endl << endl;
   system("pause");


   // Change value to
   short iValue   =   -1;
   int choice   =   0;

   BYTE * bGodMode  = (BYTE *) (0x409A7E); // Lives Address


   bool hack = true;
   while(hack)
   {
      system("cls");
      cout << "What hack?\n0. Exit\n1. Lives\n\n!> ";
      cin >> choice;
      switch(choice)
      {
      case 0:
         {
            hack=false;
            break;
         }
      case 1:
         // Modify Time
         cout << "God Mode On\n!> ";
//  cin >> iValue;
//  nop_((PVOID)(0x409A7E), 3);
//   MemCopy(phandle, (PVOID)0x409A7E, &NOP, 1);
   WriteMem((DWORD)(0x00409A7E), (void*)NOP, sizeof NOP);
         if(GetLastError())
         {
            cout << "Error: " << GetLastError() << endl;
            system("pause");
         }
         break;
      default:
         cout << "ERROR!\n";
         break;
      }
      Sleep(100);
   }

   system("pause");
   return 0;
}

This is suppose to NOP the DEC function that is 3 bytes long preventing me from losing lives. However each time I try it, it crashes the hack and says I had a access violation. I tried to look up the reasons and most of them dealt with with the size of the location I'm writing to and what I'm copying from. Otherwise, I have absolutely no idea. Any help would be nice. The game is GunRoar and the base address "0x409A7E" is where the DEC function is.

Answer 1

I'm not too familiar with Windows debugging (if that's what you are trying to exploit here) but I don't think you are doing what you think you are doing :)

Each process has its own virtual memory (that's why it's virtual). You are attempting a write to 0x00409A7E in the current process's virtual address space, not the game process' you are trying to hack. Obtaining a handle to another process does not magically map its addresses to yours - you have to do it through some additional Win API calls.

Edit:

I think you need to attach to the victim process as a debugger, something like DebugActiveProcess. Otherwise the text segment of the game (that's where the instructions are) is not writable by your process.

Answer 2

Are you sure that the page(s) that you are attempting to write to actually have write permissions?

Answer 3

Correct me if I'm wrong, but are you just playing GunRoar from ABA Games? If so, the code is apparently open source and is actually shipped in the zip file. From taking a really quick look, you might just need to play with the "left" member in the shipDestroyed() method of the InGameState (see gamemanager.d). Make the necessary fixes you want to 'godmode', build, and then send them mail to integrate your changes. :)

Answer 4

A few quick points:

‘VirtualProtect‘ only works on your current process. Use ‘VirtualProtectEx‘ to change the target process's permissions. And I'd suggest you set permission ‘PAGE_EXECUTE_READWRITE‘ -- writable, but still executable.

As mentioned before, you'll need to use ‘WriteProcessMemory‘ to write those NOPs; memset won't suffice.

To perform the type of hack you talk about here properly, one should really suspend the threads in the targeted process before mucking with it's code, and then resume them when done. But in this particular instance, such care probably doesn't matter.