DLLs And GameHacking



Crytical
09-26-2006, 02:41 PM
I was inspired here to write this tutorial to help you understand a lot of things from hacking, to DLLs, to injecting. Enjoy.

Yes, I'll write and uphold an injector that can inject hack.dlls into Starcraft.
Write and release a public open-source War3 maphack? - still in question.

---------------------------------------------------

Diablo I Hack Template
By Christian (Crytical)
----------
Writing a .DLL form Hack for Diablov1.09
----------
Shoutouts:
Perma
Warz
Cryticalerror.com
----------
First, please understand that this is my work, be respectful and if you want to rip any of it, please add me to a shoutout as I did, with the web site, thank you.

This tutorial will help you understand how hacking works, in the means of attaching .DLLs to an active process, such as a game. I use Diablo because it is one of the easiest, and furthermore, the injector I use here does NOT bypass Starcraft/Warcraft OpenProcess protection - that version is private.

Topics Covered:
o - .DLL Hack Template
o - Injector .EXE
o - How it works
o - mASM Editing
----------
BEFORE WE START: Here's the .DLL and the Inject.exe program! DOWNLOAD IT! You MUST, to get the full and useful what-so-ever effect!

http://cryticalerror.com/cetut.zip

What are we doing here? Simple: you have two programs, an Injector.exe, and a hack.dll. Gamehacking, reversing a game's typical execution to your possible benefit, is best achieved through means of Assembly, a programming language that is also universal for debugging. So what we're going to do is put a gamehack into .DLL form. Next, we are going to use a program to inject our DLL into the game.

What is this injecting? We are simply attaching our DLL to the active processing of your game. Now, during the game's execution, it is also importing the information, as if a global function, from your attached .DLL.

There are quite a few ways to go about these hacks. The two you'll learn about here, are of course this .DLL form, and then an older method of writing .dat or .hak codes and injecting them - with Gamehack.exe. The format for those gamehack codes goes as:


Start Version Name
Offset OldData NewData
End

This is best described as:

StartHackProc() v1.09 'Hack Name'
Offset=Location in memory we are changing
OldData=The current data at that location in memory
NewData=The new information, our hack data, to replace the old
EndHackProc()

So Let's take a Diablo v1.09 hack to convert into .DLL form.

start v1.09 "Bypass CD Check - Paul"
1501867a 74 eb
end

A very simple and basic hack that will allow you to load Diablo.exe without inserting a disc. You'd simply open notepad, copy/paste this in, save as name.hak, then run GameHack and choose to activate it in the Diablo window. But instead, for privacy and obviously further purposes, I'm going to show you how to put a code like this into .DLL form to inject via 'Crytical Error Injector.' (An injector like Damnation.exe but by me)

Note: This is using mASM, it requires MASM32, and some include files, most of which already exist in the original download, some don't, as you will see.



.386
.Model Flat, StdCall
;This tells us that our source is not case sensitive
OPTION CASEMAP :NONE
;These are the libraries we want to include so we can use important Windows
;functions - they go here
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\debug.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\debug.lib
;Special added includes for this hack
;(WriteMem and DLLProc, used below, are not defined in this file; they are
;expected to come from these include files in the download)
include Variables.inc
include Functions.inc
include Events.inc

;In the .data section, you can define data you'll use later.
;You can represent bytes (or a string of bytes) with db, and DWORDs with dd.
.data
;Here I decided to call it nocd for obvious reasons haha
;you see we are defining the one byte EB right?
;but you see a 0 in front also?
;this is because a hex number CANNOT start with a letter like 'e', so you must add 0
;of course the leading 0 is value-less so it won't interfere here
nocd db 0EBh

;The variable data section lets you define unknown values that will change or be received
.Data?
ThreadID dd ?
hThread dd ?

.code
;The DllEntryPoint function fires when your DLL is attached. This code will only be executed ONCE.
DllEntryPoint proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
    mov eax, reason
    .if eax == DLL_PROCESS_ATTACH
        call DLLStartup
        ;Run the rest of the hack on its own thread so the entry point returns quickly
        invoke CreateThread, NULL, 0, addr DLLProc, 0, 0, addr ThreadID
        mov hThread, eax
    .endif
    ;Return TRUE so the loader keeps the DLL loaded (returning 0 on attach would unload it)
    mov eax, TRUE
    ret
DllEntryPoint endp

DLLStartup proc
    ;So now that the DLL is starting and attached to the active process
    ;we write our hack information here!
    ;STARThackproc()
    ;Remember the gamehack code I pasted you!
    ;As you can see, we are invoking WriteMem
    ;This means we're calling it, but even more so
    ;we are setting the call parameters (information sent)
    ;as 1501867ah, addr nocd, 1
    ;1501867ah = the offset remember? (h tagging for hex)
    ;addr nocd means to address the nocd opcode we set!
    ;and ,1 means it was one byte
    ;Notice you can totally neglect the old data
    invoke WriteMem, 1501867ah, addr nocd, 1
    ;ENDhackproc()
    ret
DLLStartup endp

End DllEntryPoint


Now, notice there is an entire world of mASM for you to learn. There is the programming exe side, creating DLLs side, and then the reverse engineering (Hacking) side. But this is one example to help you understand the idea of gamehacking and injection alone.

In layman's terms, operations are presented, in assembly, as opcodes. We are now writing new opcodes in the place of the old. (New Data VS Old Data). All of those ';'-marked notes I added for you, so read carefully to learn from them.

So now, as you can see, we can compile our .DLL (which you downloaded I hope). And you have my injector.exe program (also linked to above). Run Diablo.exe, open the Injector.exe, make sure the DLL portion states the name we saved the .DLL as (like Hack.dll); this injector auto-targets Diablo.exe, so click 'Inject'! You are now running Diablo with a hack attached!
Now to explain the Injector.exe. Basically I wrote the injector in VB6. It will attach any specified .DLL to a game for you, in this case it's for Diablo 1. The inject button tells it to write the new memory (the hack) to the game execution! While the uninject button tells it to write the old memory (normal stuff) back to the execution in place. I will make a good version that allows you to choose ANY game you want to attach to, and then of course the uninject button. On the included injector, you'll want "by window title" checked of course if your window name = "Diablo", but if it's != and is something funky, use by Window Class. Another cool feature is the injector auto-notices what directory it's in and assumes the hack.dll to be there! You can stay updated at my forums, cryticalerror.amidal.com/forums.

That covers all I got to explain for now to help you. Consider yourself learned. Good luck and God bless!
-Peace
-Crytical
-Cryticalerror.com
<Don't let schooling get in the way of your education>
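
As an added example (not part of the tutorial post above or its download), here is a parser for the Start/Offset OldData NewData/End .hak code format the post describes, plus a patcher that checks OldData against the bytes actually present before writing. The post points out that the DLL version "can totally neglect the old data"; this check is exactly what that shortcut gives up, because a code written for v1.09 applied to a different build would overwrite whatever happens to sit at that offset. The sample code is the one from the post; the 16-byte memory image and its base address are constructed so the example runs offline.

```python
"""Parser and verifying patcher for the .hak code format (Start / Offset OldData NewData / End).

Added example, not the post's own code. SAMPLE_HAK is the code quoted in the
post; CONSTRUCTED_IMAGE and CONSTRUCTED_BASE are made up so this runs offline.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r'^start\s+(\S+)\s+"([^"]*)"\s*$', re.IGNORECASE)
PATCH_RE = re.compile(r'^([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s*$', re.IGNORECASE)


@dataclass
class HakCode:
    version: str
    name: str
    patches: list = field(default_factory=list)  # (offset, old_bytes, new_bytes)


def parse_hak(text):
    """Parse one or more start..end blocks; reject malformed lines with the line number."""
    codes = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if current is None:
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f'line {lineno}: expected start <version> "<name>"')
            current = HakCode(version=m.group(1), name=m.group(2))
            continue
        if line.lower() == "end":
            codes.append(current)
            current = None
            continue
        m = PATCH_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected offset olddata newdata")
        offset = int(m.group(1), 16)
        old, new = bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
        if len(old) != len(new):
            raise ValueError(f"line {lineno}: OldData and NewData differ in length")
        current.patches.append((offset, old, new))
    if current is not None:
        raise ValueError("unterminated block: missing end")
    return codes


def verify_code(image, base, code):
    """Return (offset, expected, found) for every patch whose OldData does not match the image."""
    mismatches = []
    for offset, old, _new in code.patches:
        pos = offset - base
        if pos < 0 or pos + len(old) > len(image):
            raise ValueError(f"offset {offset:x} lies outside the image")
        found = bytes(image[pos:pos + len(old)])
        if found != old:
            mismatches.append((offset, old, found))
    return mismatches


def apply_code(image, base, code):
    """Write NewData into a bytearray modelled as mapped at `base`, only if every OldData matches."""
    bad = verify_code(image, base, code)
    if bad:
        offset, old, found = bad[0]
        raise ValueError(f"offset {offset:x}: expected {old.hex()}, found {found.hex()} (wrong build?)")
    for offset, _old, new in code.patches:
        pos = offset - base
        image[pos:pos + len(new)] = new
    return image


# The code quoted in the post (single-byte JZ 74 -> JMP EB).
SAMPLE_HAK = '''start v1.09 "Bypass CD Check - Paul"
1501867a 74 eb
end
'''

# Constructed image: pretend these 16 bytes are mapped at 0x15018670, so the
# patch offset 0x1501867a lands at index 10, where a 74 05 (JZ +5) sits.
CONSTRUCTED_BASE = 0x15018670
CONSTRUCTED_IMAGE = bytearray(b"\x90" * 10 + b"\x74\x05" + b"\x90" * 4)

if __name__ == "__main__":
    code = parse_hak(SAMPLE_HAK)[0]
    print(code.name, "->", apply_code(bytearray(CONSTRUCTED_IMAGE), CONSTRUCTED_BASE, code).hex())
```

Run against an image whose bytes at the offset are not `74`, `verify_code` reports the mismatch and `apply_code` refuses to write, which is the behaviour the DLL template's unconditional `WriteMem` call lacks.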

gamepin126
09-26-2006, 02:43 PM
Wow, um...ugly?

Appreciate the contribution though.

SC_Modder
09-26-2006, 02:44 PM
You should try to explain what dlls are, for those who only know them as system files that seem to always be missing when you need them. :P

gamepin126
09-26-2006, 02:45 PM
It would be wise to explain how you found the entry point.

Crytical
09-26-2006, 02:46 PM
1st Note - Might need to go in another General section for all gamehacking, oops.

2nd - Don't criticize if you don't do better? Just because some are not smart enough to use it, doesn't make it bad, Lol.

3rd - A DLL is a type of file with a .dll extension that holds functions and information that can be imported through calls. Also known as include files. They are added in the execution of a program if need-be.

4th - I Spent 10 minutes.

5th - Do you mean the entry part from the hack? Because that's a public hack. And by entry point in the DLL, that's just a function.

gamepin126
09-26-2006, 02:50 PM
1st Note - Might need to go in another General section for all gamehacking, oops.

2nd - Don't criticize if you don't do better? Just because some are not smart enough to use it, doesn't make it bad, Lol.

3rd - A DLL is a type of file with a .dll extension that holds functions and information that can be imported through calls. Also known as include files. They are added in the execution of a program if need-be.

4th - I Spent 10 minutes.

@2nd - orly? I can make a better template, not using ancient recycled functions. This is for Diablo v1.09, which means this is obviously old, I doubt you made it (however stripped it may be). You included no examples of the other 3 files, from your includes.

There are far better, and more complete templates running around this board. I distinctly remember uploading 3.

EDIT: @5th, I meant the entry offset to the exe. It's pointless handing out templates if you're not going to tell them how to find the offset, which is entirely crucial to the whole thing.

Crytical
09-26-2006, 02:55 PM
Ahh but you've already proven yourself not very smart. Just because it's an older game, only means it's easier, not that the method is older. I wrote the Injector, and the tutorial myself. The template and hack are both explained, and one in the shoutouts, I didn't claim credit. And if you belittle the value of ASM you know almost nothing. And kk, I call you out, make a better one quick :) -


EDIT: @5th, I meant the entry offset to the exe. It's pointless handing out templates if you're not going to tell them how to find the offset, which is entirely crucial to the whole thing.


They don't need that information, 1) Compile hack in .DLL form. 2) Select target and DLL and press "Inject" with my injector program. Easy. This template is for DLLs.

Besides..This is to help explain and get them all ready for the War3 MapHack i might outsource.

With my "2nd" thing I pushed it, this is my fault for the little dispute we just had, I apologize. I took what you said at first more offensively, I re-read it to realize otherwise.


-----Back to good points----


To further help you understand a DLL. Imagine you have a backpack full of candy. You're eating dinner but it's just not cutting it. So you reach into your backpack for some snacks.

Your backpack = the DLL. You are eating dinner (as your game executes). But sometimes you need something else or only room for it in the backpack (.DLL). So you add it on. Even Windows itself has DLLs that are executed constantly, Kernel32, User32, etc.

Perma
09-26-2006, 03:16 PM
Some of the information is a wee bit incorrect or a little vague. Nice to see you're making progress and contributing, though.

Crytical
09-26-2006, 03:25 PM
Incorrect in the sense "StartHackProc()" is in no way programming syntax. You are correct. But I didn't plan it to be, this is purely example.

() Is a universal symbol for "function"
Proc is procedure in mASM
Start is used in the .Hak codes I referenced

I was trying to form it altogether for one mixed example. Not a single example.

bulk_4me
09-26-2006, 03:31 PM
@Perma: Oh yeah this guy is your fan right? :P

Crytical
09-26-2006, 04:04 PM
-fan +friend

Although he is cool of course! Rofl.

p00onu
09-26-2006, 05:05 PM
Why don't you write a Starcraft hack and slap it in the downloads section. Then write a tut on your hack.

Crytical
09-26-2006, 05:16 PM
I'm getting there. Too many projects to finish on War3 first.

Perma
09-26-2006, 07:10 PM
@Perma: Oh yeah this guy is your fan right? :P

Yes. He adores me. :redface:

Mystic Videl
09-26-2006, 07:57 PM
Very good contribution, I'm sure I'll fully read over it soon.

pandas
09-27-2006, 07:41 AM
To further help you understand a DLL. Imagine you have a backpack full of candy. You're eating dinner but it's just not cutting it. So you reach into your backpack for some snacks.

Your backpack = the DLL. You are eating dinner (as your game executes). But sometimes you need something else or only room for it in the backpack (.DLL). So you add it on. Even Windows itself has DLLs that are executed constantly, Kernel32, User32, etc.

That's a ****ty analogy.

Crytical
09-27-2006, 09:22 AM
I think it's fine and so do all the people I used it to help. How about you do better before commenting dick****? :) - Yes although I'm mostly formal and polite, I'm not scared to be offensive and make you eat your ass.

Me banging your mom with 2 condoms on is a ****ty analogy, because we don't use any!

p00onu
09-27-2006, 09:41 AM
I think it's fine and so do all the people I used it to help. How about you do better before commenting dick****? :) - Yes although I'm mostly formal and polite, I'm not scared to be offensive and make you eat your ass.

Me banging your mom with 2 condoms on is a ****ty analogy, because we don't use any!

It's funny that of all the things you could say you had to say something about ****ing someone's mother. Honestly, how old are you? Pandas knows what he is talking about, and frankly I think that there are better analogies.

Crytical
09-27-2006, 11:45 AM
Lol are you ****ing retarded? That was for fun obviously, not like I seriously find that as something to use offensively. I used an immature comeback because he is immature. And duh there could be better analogies. But you're not making one are you bitch? Nope. And he knows what he's talking about when he said or did NOTHING? Lol. Funny. Buh bi.

pandas
09-29-2006, 05:27 PM
It's really a bad idea to start simultaneously flaming people and calling them immature when you're new to a forum. I said your analogy blows. So what? Did it ever occur to you to check the programming section, where I post plenty of useful information and answer questions, before implying that because I don't post tutorials on how to gamehack, I don't know what I am talking about? Really. I was reading your post and the uselessness of the analogy made me laugh, so I posted about it. It wasn't anything personal.


How about you do better before commenting dick****?

I don't see why I would waste my time writing a tutorial just to prove that I can do better than yours. Specifically, I wouldn't make an analogy about DLLs - I would just explain clearly how they worked in the first place.

For example, I wouldn't imply that the program is carrying around the weight of the food in the backpack the whole time it is running. I would make a distinction between statically and dynamically loaded DLLs. I would explain about the entry-point function and how it can be used to manipulate a process that loads the DLL (as opposed to the operation of a normal DLL). The list of useful things to say about DLLs goes on and on, and talking about backpacks is not one of them.

I also wouldn't say stupid things like that standard Windows DLLs are being "executed constantly", as this is totally different from stating that every process statically loads the standard Windows DLLs.

Crytical
09-29-2006, 06:05 PM
So nothing you just said had any point whatsoever, just for the record. I didn't want to get that into it, I wasn't talking about a program in that DLL analogy at all, so good job wasting words just to talk good.

Perma
09-29-2006, 06:08 PM
DLLs are programs, too, depending on their execution.

pandas
09-29-2006, 10:28 PM
I wasn't talking about a program in that DLL analogy at all

lol?

Dyndrilliac
09-29-2006, 11:22 PM
I would make a distinction between statically and dynamically loaded DLLs.

There is no such thing as a statically loaded DLL. There are only dynamic libraries (*.dll) and static libraries (*.lib).


I also wouldn't say stupid things like that standard Windows DLLs are being "executed constantly", as this is totally different from stating that every process statically loads the standard Windows DLLs.

Not all processes load all the standard Windows libraries. For example, the program can be compiled to only load Kernel32.dll or no libraries at all for that matter (zero reliance on Windows API).

pandas
09-30-2006, 05:53 AM
There is no such thing as a statically loaded DLL. There are only dynamic libraries (*.dll) and static libraries (*.lib).


But Dynamically Linked Libraries can be either statically loaded or dynamically loaded. A statically linked DLL is one that is loaded into a process (or another DLL) by instructions to the loader at DLL load time. So when the DLL is loaded, its static imports will always be loaded with the DLL.

DLLs can also be loaded dynamically, with the LoadLibrary API (or by using the deferred loading feature in the linker). If a KnownDll loads another DLL with LoadLibrary, then the other DLL won't be a KnownDll.

http://blogs.msdn.com/larryosterman/archive/2004/07/19/187752.aspx

(This is the first link I found on Google, and I don't care to get a better source.)

I think the more common terms are "load-time linking" and "dynamic linking", but the ones I used certainly work.


Not all processes load all the standard Windows libraries. For example, the program can be compiled to only load Kernel32.dll or no libraries at all for that matter (zero reliance on Windows API).

Not even kernel32? Hm, I never knew that.

edit: Oh, right, but any process that wants to do anything is going to need kernel32, so that's why, for example, you can rely on its presence for DLL injection with CreateRemoteThread.
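
The edit above makes the defender's point in reverse: because kernel32 is loaded in every process, a DLL injector can start a remote thread at a kernel32 LoadLibrary entry, and that is also the footprint a monitor looks for. As an added example (not from any post in this thread), the following detection logic runs over constructed remote-thread events in the shape of Sysmon Event ID 8 (CreateRemoteThread), assuming the real fields SourceImage, TargetImage, StartModule and StartFunction; the pipe-separated log lines are constructed, not captured from a system.

```python
"""Flagging CreateRemoteThread-based DLL injection from thread-creation events.

Added example, not from the thread. It assumes Sysmon-style Event ID 8
(CreateRemoteThread) records carrying SourceImage, TargetImage, StartModule and
StartFunction; the event lines below are constructed for the demo.
"""

# Thread start functions an injector hands to CreateRemoteThread to make the
# target load a DLL for it; all live in kernel32 (forwarded to kernelbase).
LOADLIBRARY_NAMES = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
KERNEL_MODULES = ("kernel32.dll", "kernelbase.dll")

# Constructed sample events (key=value pairs separated by '|').
CONSTRUCTED_EVENTS = [
    "EventID=8|SourceImage=C:\\Tools\\injector.exe|TargetImage=C:\\Games\\Diablo\\Diablo.exe"
    "|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryA",
    # Benign: a system process starting a normal thread at ntdll's thread start.
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Games\\Diablo\\Diablo.exe"
    "|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    # Thread starting at an address backed by no module at all (injected code rather than a DLL).
    "EventID=8|SourceImage=C:\\Users\\u\\Downloads\\update.exe|TargetImage=C:\\Program Files\\App\\app.exe"
    "|StartModule=|StartFunction=",
    # Not a remote-thread event; must be ignored.
    "EventID=1|SourceImage=C:\\Windows\\explorer.exe|TargetImage=|StartModule=|StartFunction=",
]


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may be empty."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(event):
    """Return a rule name for a suspicious remote thread, or None."""
    if event.get("EventID") != "8":
        return None
    start_module = event.get("StartModule", "").lower()
    start_func = event.get("StartFunction", "")
    if start_func in LOADLIBRARY_NAMES and start_module.endswith(KERNEL_MODULES):
        # Classic DLL injection: another process made the target call LoadLibrary.
        return "remote-thread-loadlibrary"
    if not start_module:
        # Remote thread whose start address is not inside any mapped module.
        return "remote-thread-unbacked-start"
    return None


def detect(lines):
    """Run classify over raw lines; return (rule, source, target) for each hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            findings.append((rule, event.get("SourceImage", ""), event.get("TargetImage", "")))
    return findings


if __name__ == "__main__":
    for finding in detect(CONSTRUCTED_EVENTS):
        print(*finding)
```

The two rules mirror the two ways a remote thread can look in practice: a start function that is LoadLibrary in kernel32/kernelbase is the signature of the CreateRemoteThread DLL injection discussed above, while an empty StartModule means the thread began in memory no loaded image accounts for. On a real host the source-image side would be allowlisted (debuggers and some security tools create remote threads legitimately) rather than every Event ID 8 treated as hostile.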