[Tutorial] C++ Trainer without dll injection

[d0h!]

Today we're gonna learn how to make your very own trainer in C++, without DLL injection of any sort.

Credits:
n0n3


Knowledge needed/optional:

Basic C++ coding "skillZ"

Basic understanding of the PE and finding an address with Cheat Engine ;P


Ok let's get to it then.

Our target today is Windows's pinball game (start->run->"pinball")


First, declarations.

Code:

    HWND hWnd;

    DWORD dwID;

    HANDLE hProcess;

hWnd = Window Handle.

dwID = Process ID.

hProcess = Process Handle.


Defined in windows.h btw, so #include <windows.h>


Let's recover the window handle then.

Code:

    hWnd = FindWindow(NULL, "3D Pinball for Windows - Space Cadet");

FindWindow's return value is the HANDLE of the window.

For more info goto msdn. (google->msdn)


Let's recover the process id.

Code:

    GetWindowThreadProcessId(hWnd, &dwID);

For more info goto msdn, this isn't difficult at all.

We recovered the process's ID.


Next, process handle.

Code:

hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwID);

Process security and access rights - Process Security and Access Rights (Windows)


PROCESS_ALL_ACCESS, hmm, I wonder what that might be.

Anyways, we don't need the second argument, and the third argument is the process ID.

If function works successfuly returned value is the process handle, which is exactly what we need.


Error handling would look like this:

Code:

hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwID);

if(hProcess == NULL)

       whatever //error

Here comes the fun part ;D

Code:

int value = 1000000;

WriteProcessMemory(hProcess, (LPVOID) 0x00C20C62, (LPVOID) &value, sizeof(&value), NULL);

hProcess = Process handle.

(LPVOID) typecasting - needed.

0x00C20C62 - "Score" address in pinball.

(LPVOID) typecasting - needed.

&value - pointer to the value integer (1000000)

Next argument is number of bytes to be written (size)

So we use sizeof for it to work well.


We don't need the next parameter.


Full program will look like this:

Code:

#include <iostream>

#include <windows.h>


using namespace std;


int main()

{

    HWND hWnd;

    DWORD dwID;

    HANDLE hProcess;


    hWnd = FindWindow(NULL, "3D Pinball for Windows - Space Cadet");


    GetWindowThreadProcessId(hWnd, &dwID);

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwID);


    int value = 1000000;

    

    WriteProcessMemory(hProcess, (LPVOID) 0x00C20C62, (LPVOID) &value, sizeof(&value), NULL);

    return 0;

}

Guess what, it works, and you've just made a pinball trainer in C++

I'm so proud of you ;')

Related links

[aosma8]

Omg hacks, thanks

[Ferrari]

:DDDDDDDD

[TimeShift]

Thanks, I was wanting to start making hacks like this (and then apprimorate).

Many thanks for the comments man!

By the way, is there a ".Contains" in FindWindow?

EDIT:

I'm getting this error on

Code:

hWnd = FindWindow(NULL, "3D Pinball for Windows - Space Cadet");

Code:

error C2664: 'FindWindowW' : cannot convert parameter 2 from 'const char [37]' to 'LPCWSTR'

EDIT:

I found that using FindWindowA fixes.

Related links