Basic VB Hacking Tutorial - Hacking PQ

LCS
09-16-2005, 11:57 PM
Ok, I decided to post this tutorial I wrote a long time ago because there are a lot of people having problems with the API and stuff, and a few people found this tutorial helpful. I wrote this tutorial in Notepad, so the spacing and **** is kinda ****ed up, but just live with it...


WriteProcessMemory Tutorial
Basic Game Hacking Tutorial for Visual Basic 6.0
By LCSBSSRHXXX

Tools:
ArtMoney (or another memory searcher)
VB 6.0
The program whose memory you want to write to.

In this example we will use a free game called PQ (Progress Quest):
www.progressquest.com




#################################################################################
### NOTICE: Addresses and search results will often vary for different users. ###
#################################################################################




OK, to start out, create a character (save file) in PQ.
Open up ArtMoney and select Progress Quest in the "Select process" combo box.
Now click Search and set it up as follows:


Search - Exact Value
Value -
Type - ALL

Value is what you're searching for. We'll start out by searching for your character's race; my character's race is Panda Man.
You need to type the value you're searching for exactly as it appears in the game (because the search is case sensitive).


Search - Exact Value
Value - Panda Man
Type - ALL

You should come up with a couple of results, around 4, maybe more or less, but around there.


Value 1 - 0012002F - Panda Man - Text 9 Bytes
Value 2 - 0016E247 - Panda Man - Text 9 Bytes
Value 3 - 004D0BCE - Panda Man - Text 9 Bytes
Value 4 - 009F98D8 - Panda Man - Text 9 Bytes

Now you're going to change the values.



Value 1 - 0012002F - 1 - Text 9 Bytes
Value 2 - 0016E247 - 2 - Text 9 Bytes
Value 3 - 004D0BCE - 3 - Text 9 Bytes
Value 4 - 009F98D8 - 4 - Text 9 Bytes

Now go to the bottom of ArtMoney and click Save, or go to the "Table" menu and click "Save".
Now open PQ back up and look at your race. It should be the original value with the first letter replaced by one of the numbers you entered.


Race - 4anda Man

Now that you know which number was written to Panda Man (in my case 4), look at Value 4 and write down, or remember, that address.



Value 4 - 009F98D8 - 4 - Text 9 Bytes

The address for Value 4 is 009F98D8, so now you know what address to write to.
Open up VB and start a new project; make a module and a form called whatever you like.
In the module, put your API declarations (you don't need all of these calls, but they are the basic API calls you would use to write a hack/trainer).


Option Explicit

' Finds a top-level window by class name and/or window title
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
' Returns the thread ID and (through lpdwProcessId) the process ID that owns a window
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
' Opens a handle to a process with the requested access rights
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
' Writes nSize bytes from lpBuffer to lpBaseAddress inside the target process
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Reads nSize bytes from lpBaseAddress inside the target process into lpBuffer
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Releases the process handle when you are done with it
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' Full access to the process (read, write, query, etc.)
Public Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

Ok, now you're going to make a form with a command button and a textbox on it. Name the button cmdChange1 and the textbox txtRace.
Double-click cmdChange1 to bring up the code window, and start out by writing this:


Private Sub cmdChange1_Click()
    Dim hwnd As Long
    Dim pid As Long
    Dim pHandle As Long

    ' Find the game's main window by its title
    hwnd = FindWindow(vbNullString, "Progress Quest")
    If (hwnd = 0) Then
        MsgBox "Window not found!"
        Exit Sub
    End If
    ' Get the owning process ID, then open a handle to that process
    GetWindowThreadProcessId hwnd, pid
    pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    If (pHandle = 0) Then
        MsgBox "Couldn't get a process handle!"
        Exit Sub
    End If
End Sub

Ok, that part of the code will find Progress Quest's window and get the process's handle; if the window isn't open it will bring up an error.
Now for the other part of the code. This will write the new memory to the address; take the address from earlier and plug it into the code.
Since my address is 009F98D8, we write &H009F98D8. VB will chop off the leading zeros automatically:

Input:

WriteProcessMemory pHandle, &H009F98D8, txtRace.Text, Len(txtRace.Text), 0&

Output (what VB leaves after dropping the leading zeros):

WriteProcessMemory pHandle, &H9F98D8, txtRace.Text, Len(txtRace.Text), 0&



The finished code should look like this:


Private Sub cmdChange1_Click()
    Dim hwnd As Long
    Dim pid As Long
    Dim pHandle As Long

    ' Find the game's main window by its title
    hwnd = FindWindow(vbNullString, "Progress Quest")
    If (hwnd = 0) Then
        MsgBox "Window not found!"
        Exit Sub
    End If
    ' Get the owning process ID, then open a handle to that process
    GetWindowThreadProcessId hwnd, pid
    pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    If (pHandle = 0) Then
        MsgBox "Couldn't get a process handle!"
        Exit Sub
    End If
    ' Write the bytes of the textbox over the race string at the address found with ArtMoney
    WriteProcessMemory pHandle, &H9F98D8, txtRace.Text, Len(txtRace.Text), 0&
    ' Close the handle opened above
    CloseHandle pHandle
End Sub
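
The search-then-tag step from the post above (scan for the race string, overwrite the first byte of every hit with a different digit, then read which digit the game shows), as an added example that is not part of LCS's tutorial. The "process memory" is a constructed in-process byte array with several stale copies of the string planted in it, and the game is stood in for by a function that reads one fixed offset (RACE_OFFSET, an assumption of this example); on a real target the snapshot would come from ReadProcessMemory and the tagging writes from WriteProcessMemory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a snapshot of the target's memory. A real snapshot
 * would be read with ReadProcessMemory over each readable region. */
#define MEM_SIZE    256
#define RACE_OFFSET 0x90   /* the copy the "game" actually displays (assumed) */

static unsigned char mem[MEM_SIZE];

/* Plant several copies of the search string, the way a string often shows up
 * in a stack temporary, a heap copy and the UI's own buffer. */
static void build_snapshot(void) {
    memset(mem, 0, sizeof mem);
    memcpy(mem + 0x10,        "Panda Man", 10);
    memcpy(mem + 0x40,        "Panda Man", 10);
    memcpy(mem + RACE_OFFSET, "Panda Man", 10);
    memcpy(mem + 0xC0,        "Panda Man", 10);
}

/* Stand-in for looking at the race on screen: the game reads its own
 * variable, not any of the stale copies. */
static const char *game_displayed_race(void) {
    return (const char *)(mem + RACE_OFFSET);
}

/* Exact-value search: every offset where the bytes of `needle` occur.
 * Stores up to max_out offsets in `out` and returns how many were found. */
static size_t scan_exact(const unsigned char *buf, size_t len,
                         const char *needle, size_t *out, size_t max_out) {
    size_t n = strlen(needle), found = 0;
    for (size_t i = 0; n && i + n <= len && found < max_out; i++) {
        if (memcmp(buf + i, needle, n) == 0)
            out[found++] = i;
    }
    return found;
}

/* The tutorial's disambiguation step: tag the first byte of each candidate
 * with a distinct digit ('1'..'9'), see which digit the game shows, then put
 * the original byte back. Returns the live offset, or (size_t)-1 if none of
 * the candidates turned out to be the one the game reads. */
static size_t find_live_address(const char *needle) {
    size_t cand[9];
    size_t n = scan_exact(mem, MEM_SIZE, needle, cand, 9);
    if (n == 0) return (size_t)-1;

    for (size_t i = 0; i < n; i++)
        mem[cand[i]] = (unsigned char)('1' + i);     /* tag candidate i */

    char shown = game_displayed_race()[0];            /* "4anda Man" -> '4' */
    size_t live = (size_t)-1;
    if (shown >= '1' && shown < '1' + (char)n)
        live = cand[shown - '1'];

    for (size_t i = 0; i < n; i++)                    /* restore the originals */
        mem[cand[i]] = (unsigned char)needle[0];
    return live;
}

int main(void) {
    size_t cand[9];
    build_snapshot();
    printf("%zu candidates for \"Panda Man\"\n",
           scan_exact(mem, MEM_SIZE, "Panda Man", cand, 9));
    printf("live copy at offset 0x%zx\n", find_live_address("Panda Man"));
    return 0;
}
```

Tagging every candidate in one pass and reading the screen once is what keeps this to a single round of edits, as the post does; restoring the bytes afterwards matters on a real target, where a tagged stale copy may still be read by something later.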

Zaund
01-30-2006, 10:28 PM
So is it normal for my computer to crash at random after this tutorial? Maybe it's the versions: you're on 6, I'm on 8 :cry:. I learned my APIs anyway :D

Zaund
09-24-2006, 04:48 PM
yay I got it to work! Praise LCS

LCS
09-24-2006, 07:29 PM
Took you 9 months, not bad.

Raigor
01-12-2010, 09:30 AM
Okay, first, hello to all! I am quite new to programming and especially game hacking, so please don't laugh at me ;)

VB6 is still installed on my computer, so I found this post and tried to do the steps explained.
For this I downloaded PQ and used the race "Dung Elf". It worked very nicely, like in the tutorial. That was very helpful!
After this I did a Windows XP Pinball hack on my own to test, and it works.

But I have 2 questions:

1. What software are you using to find addresses? I tried ArtMoney, like in the tutorial, but there was no feature to search for addresses in the trial version. So I downloaded "MHS" by L. Spiro and there I found the addresses. Is it a good program? How do I search for decimal values with this software? Strings I found without any problems, but I searched for a number like "123.456" and got no results.

2. How can I cut off the values? Erm... to explain what I mean: in the tutorial the code is:
WriteProcessMemory pHandle, &H9F98D8, txtRace.Text, Len(txtRace.Text), 0&

When the race is now "Dung Elf" and I change the value to "4" there is "4ung Elf", because the number of bytes written is Len(txtRace.Text). How can I do it so that only the "4" or the value I choose is there?

Dyndrilliac
01-12-2010, 06:10 PM
1. What software are you using to find addresses? I tried ArtMoney, like in the tutorial, but there was no feature to search for addresses in the trial version. So I downloaded "MHS" by L. Spiro and there I found the addresses. Is it a good program? How do I search for decimal values with this software? Strings I found without any problems, but I searched for a number like "123.456" and got no results.

Set the search data type to either float (small) or double (large). I prefer MHS.
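
An added example, not from Dyndrilliac's reply or from any of the tools named in the thread, of why both the data type and the comparison matter when searching for a value like 123.456: the same number is planted once as a 4-byte float and once as an 8-byte double in a constructed byte buffer (offsets FLOAT_OFF and DOUBLE_OFF are assumptions of this example), and a scan is run at every byte offset for each width. The decimal 123.456 is not exactly representable as a float, so an exact float comparison finds nothing while a small tolerance finds the float copy; the double copy matches exactly.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed "process memory": 123.456 planted as a float and as a double,
 * plus the integer 123456 as a decoy with the same digits, in 0xAA filler. */
#define MEM_SIZE   128
#define FLOAT_OFF  0x20
#define DOUBLE_OFF 0x40
static unsigned char mem[MEM_SIZE];

static void build_snapshot(void) {
    float   f = 123.456f;
    double  d = 123.456;
    int32_t i = 123456;
    memset(mem, 0xAA, sizeof mem);
    memcpy(mem + 0x10,       &i, sizeof i);
    memcpy(mem + FLOAT_OFF,  &f, sizeof f);
    memcpy(mem + DOUBLE_OFF, &d, sizeof d);
}

/* Scan at every byte offset (a value in a foreign process is not guaranteed
 * to sit on an aligned boundary), decoding `width` bytes as a float (4) or
 * a double (8). `tol` is the allowed distance from `want`; 0 demands an
 * exact match. NaN and infinities never match because the final comparison
 * is false for them. Returns the number of hits stored in `out`. */
static size_t scan_real(const unsigned char *buf, size_t len, int width,
                        double want, double tol, size_t *out, size_t max_out) {
    size_t found = 0;
    if (width != 4 && width != 8) return 0;
    for (size_t i = 0; i + (size_t)width <= len && found < max_out; i++) {
        double v;
        if (width == 4) { float f; memcpy(&f, buf + i, 4); v = f; }
        else            { memcpy(&v, buf + i, 8); }
        double d = v - want;
        if (d < 0) d = -d;
        if (d <= tol) out[found++] = i;
    }
    return found;
}

int main(void) {
    size_t hits[8];
    build_snapshot();
    printf("float,  exact    : %zu hit(s)\n",
           scan_real(mem, MEM_SIZE, 4, 123.456, 0.0,  hits, 8));
    printf("float,  tol 1e-3 : %zu hit(s)\n",
           scan_real(mem, MEM_SIZE, 4, 123.456, 1e-3, hits, 8));
    printf("double, exact    : %zu hit(s)\n",
           scan_real(mem, MEM_SIZE, 8, 123.456, 0.0,  hits, 8));
    return 0;
}
```

A tolerance of about half the last displayed digit is the usual choice when the game shows a rounded number; once a candidate is found, the same narrowing trick as for strings applies: change the in-game value and rescan only the previous hits.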

Raigor
01-14-2010, 10:56 AM
I searched with "Data type", set the data type to double, but it didn't work :-/

I entered 123.456, e.g., but I think the program is just searching for 123.45 and doesn't find any results...

ViperSRT3g
01-14-2010, 01:55 PM
2. How can I cut off the values? Erm... to explain what I mean: in the tutorial the code is:
WriteProcessMemory pHandle, &H9F98D8, txtRace.Text, Len(txtRace.Text), 0&

When the race is now "Dung Elf" and I change the value to "4" there is "4ung Elf", because the number of bytes written is Len(txtRace.Text). How can I do it so that only the "4" or the value I choose is there?

Change: WriteProcessMemory pHandle, &H9F98D8, txtRace.Text, Len(txtRace.Text), 0&

To: WriteProcessMemory pHandle, &H9F98D8, txtRace.Text & vbNullChar, (Len(txtRace.Text) + 1), 0&

What this does is add the null character terminator after whatever you just wrote to memory, allowing the program to identify the end of the string, rather than just writing over the data that was previously there and blending the two together if the new string is shorter than the previous string.
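
What the extra byte in Len(txtRace.Text) + 1 changes, as an added example that is not code from the thread: a constructed byte array stands in for the slice of the game's heap that holds "Dung Elf", with another field placed right behind it, and memcpy stands in for WriteProcessMemory with the same byte count as nSize. It also shows the other direction of the same problem, a replacement longer than the slot running over the next field, and a bounded variant that refuses such writes. The slot size, the neighbouring field and its contents are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of the game's heap: a 9-byte slot holding
 * "Dung Elf" and its NUL, immediately followed by another field. */
#define RACE_OFF  0
#define RACE_SLOT 9
#define NEXT_OFF  9
static char heap[24];

static void reset_target(void) {
    memset(heap, 0, sizeof heap);
    memcpy(heap + RACE_OFF, "Dung Elf", 9);   /* includes the terminator */
    memcpy(heap + NEXT_OFF, "GOLD:10", 8);    /* the field behind it (assumed) */
}

/* memcpy stands in for WriteProcessMemory; the byte count is the thread's
 * nSize: Len(txt) without the terminator, Len(txt)+1 with it. */
static void patch_string(char *dst, const char *s, int terminate) {
    memcpy(dst, s, strlen(s) + (terminate ? 1u : 0u));
}

/* Bounded variant: the new string plus its terminator must fit in the slot
 * the old string occupied, otherwise whatever follows the slot is clobbered.
 * Returns 1 on success, 0 if the write was refused. */
static int patch_string_bounded(char *dst, size_t slot, const char *s) {
    size_t need = strlen(s) + 1;
    if (need > slot) return 0;
    memcpy(dst, s, need);
    return 1;
}

int main(void) {
    reset_target();
    patch_string(heap + RACE_OFF, "4", 0);
    printf("Len(txt)   : race = \"%s\"\n", heap + RACE_OFF);    /* 4ung Elf */

    reset_target();
    patch_string(heap + RACE_OFF, "4", 1);
    printf("Len(txt)+1 : race = \"%s\"\n", heap + RACE_OFF);    /* 4 */

    reset_target();
    patch_string(heap + RACE_OFF, "Dung Elfling", 1);         /* 13 bytes into a 9-byte slot */
    printf("too long   : next field = \"%s\"\n", heap + NEXT_OFF);

    reset_target();
    int ok = patch_string_bounded(heap + RACE_OFF, RACE_SLOT, "Dung Elfling");
    printf("bounded    : accepted = %d, next field = \"%s\"\n", ok, heap + NEXT_OFF);
    return 0;
}
```

The bounded check is the one a trainer should make before every WriteProcessMemory of a string: the address found with the scanner tells you where the string starts, not how much room it has, so the original string's length plus its terminator is the only size you can safely assume.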

Raigor
01-14-2010, 04:49 PM
Okay, thanks for your explanation and sample code! I tested it and it works great!
But is it normal that now the memory value is "Test\0\0\0"?

ViperSRT3g
01-14-2010, 04:56 PM
It should always have a null byte (0x00) after each string written. Otherwise whatever program you are writing data to will treat a continuous run of text as one entire string. The null byte is there to terminate each string. Depending on how long your text is, it should only add a null byte after the last character in your string.

xsouldeath
08-08-2010, 09:20 PM
Uh, nice tutorial, but regarding DMA... =( Any tips? I was trying to find the StarCraft 2 minerals etc. I managed to NOP so you can build and not have deductions or additions, i.e. a mineral/gas lock, but how do I change the mineral/gas value?

I can do it easily in Cheat Engine, but the addresses always change.

And I also looked at a YouTube thing on defeating DMA through finding pointers, but still failed to find the pesky mineral pointer.