ItsMods

Full Version: C++ Trainer without dll injection
Today we're gonna learn how to make your very own trainer in C++, without DLL injection of any sort.

Credits:
n0n3


Knowledge needed/optional:

Basic C++ coding "skillZ"

Basic understanding of the PE and finding an address with Cheat Engine ;P


Ok let's get to it then.

Our target today is Windows' pinball game (start->run->"pinball")


First, declarations.


Code:
    HWND hWnd;
    DWORD dwID;
    HANDLE hProcess;

hWnd = Window Handle.

dwID = Process ID.

hProcess = Process Handle.


Defined in windows.h btw, so #include <windows.h>


Let's recover the window handle then.


Code:
    hWnd = FindWindow(NULL, "3D Pinball for Windows - Space Cadet");


FindWindow's return value is the HANDLE of the window.

For more info go to msdn. (google->msdn)


Let's recover the process id.


Code:
    GetWindowThreadProcessId(hWnd, &dwID);

For more info go to msdn, this isn't difficult at all.

We recovered the process's ID.


Next, process handle.

Code:
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwID); // second argument is a BOOL (inherit handle), so FALSE rather than NULL

Process security and access rights: see "Process Security and Access Rights (Windows)".


PROCESS_ALL_ACCESS, hmm, I wonder what that might be.

Anyways, we don't need the second argument, and the third argument is the process ID.

If the function succeeds, the returned value is the process handle, which is exactly what we need.


Error handling would look like this:

Code:
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwID);
if(hProcess == NULL)
    return 1; // error: could not open the process, GetLastError() tells why


Here comes the fun part ;D


Code:
int value = 1000000;
// sizeof(value) is the 4 bytes of the int; sizeof(&value) would be the size of a pointer
WriteProcessMemory(hProcess, (LPVOID) 0x00C20C62, (LPVOID) &value, sizeof(value), NULL);

hProcess = Process handle.

(LPVOID) typecasting - needed.

0x00C20C62 - "Score" address in pinball.

(LPVOID) typecasting - needed.

&value - pointer to the value integer (1000000)

Next argument is number of bytes to be written (size)

So we use sizeof for it to work well.


We don't need the next parameter.


Full program will look like this:

Code:
#include <iostream>
#include <windows.h>

using namespace std;

int main()
{
    HWND hWnd;
    DWORD dwID;
    HANDLE hProcess;

    // narrow-string title: fine in a non-UNICODE build; otherwise use FindWindowA or a wide literal
    hWnd = FindWindow(NULL, "3D Pinball for Windows - Space Cadet");
    if(hWnd == NULL)
    {
        cout << "Pinball window not found" << endl;
        return 1;
    }

    GetWindowThreadProcessId(hWnd, &dwID);

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwID);
    if(hProcess == NULL)
    {
        cout << "OpenProcess failed, error " << GetLastError() << endl;
        return 1;
    }

    int value = 1000000;

    // sizeof(value), not sizeof(&value): the latter is the size of a pointer, not of the int
    WriteProcessMemory(hProcess, (LPVOID) 0x00C20C62, (LPVOID) &value, sizeof(value), NULL);

    CloseHandle(hProcess);
    return 0;
}


Guess what, it works, and you've just made a pinball trainer in C++

I'm so proud of you ;')

Omg hacks, thanks
Big GrinDDDDDDD
Thanks, I was wanting to start making hacks like this (and then improve on them).

Many thanks for the comments man!

By the way, is there a ".Contains" in FindWindow?

EDIT:

I'm getting this error on
Code:
hWnd = FindWindow(NULL, "3D Pinball for Windows - Space Cadet");

Code:
error C2664: 'FindWindowW' : cannot convert parameter 2 from 'const char [37]' to 'LPCWSTR'

EDIT:

I found that using FindWindowA fixes it.