Silva
Active Members
Posts: 20
  1. Thanks for all the help! It's working great. Now I'm having problems with strings... I was going to do all the string manipulation inside the lf2.exe, but I figured since I'm already using a dll it'd probably be better to do it there. Sadly C++ doesn't play nice with strings like Java (or C#). In Java I could probably do: { GetWindowTextA(hModName, ModName, 260); *(BYTE*)0x459F78 = 0x00; String Load = "\\mods\\" + ModName + "\\cfg.txt"; ShowWindow(hwnd, SW_HIDE); } Now I've been trying to do this for ages in C++ with no success. I tried all these weird things with buffers and sprintf (I'm guessing I was creating an array of chars to hold a string); that failed horribly. Then I tried to use #include <string>, which I'm guessing is the class that deals with strings in C++ and tries to make it easier. I did get the program to compile but it would just crash when it got to the part where it had to manipulate the string. Hopefully this is some simple thing that I'm missing, since when I was reading up on GetWindowTextA I saw it returned the length of the string or something... Really confused me. Help anyone!
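An added example (not from this thread and not part of the ModLF2 DLL) of the string handling asked about in the post above, written in plain C++ with no Win32 calls so it can be compiled and run anywhere. GetWindowTextA returns the number of characters it copied, so the first helper shows how a (buffer, length) pair becomes a std::string. The second builds \mods\<name>\cfg.txt with std::string concatenation and refuses names that could point outside the mods directory (path separators, "." and "..", Windows-reserved characters, trailing dots or spaces), because the name comes straight from an edit box and turns into a filesystem path. The 64-character name limit is an assumed value; the original code used a 260-byte buffer.

```cpp
// Added example, not code from the thread: safe construction of the mod config path.
#include <cstddef>
#include <cstring>
#include <string>

// Assumed limit for a mod directory name (the original used a 260-byte MAX_PATH buffer).
static const std::size_t kMaxModName = 64;

// Mirrors what GetWindowTextA hands back: `len` is the number of characters copied
// (the terminating NUL is not counted), so the text is exactly buf[0..len).
std::string TextFromBuffer(const char* buf, int len) {
    if (buf == nullptr || len <= 0) return std::string();
    return std::string(buf, static_cast<std::size_t>(len));
}

// True if modName is acceptable as a single directory component under \mods:
// non-empty, bounded, printable ASCII, no separators or reserved characters,
// not "." or "..", and no trailing dot/space (Win32 silently strips those).
bool IsSafeModName(const std::string& modName) {
    if (modName.empty() || modName.size() > kMaxModName) return false;
    if (modName == "." || modName == "..") return false;
    for (unsigned char c : modName) {
        if (c < 0x20 || c > 0x7e) return false;                       // control / non-ASCII
        if (std::strchr("\\/:*?\"<>|", c) != nullptr) return false;   // separators, reserved
    }
    unsigned char last = static_cast<unsigned char>(modName.back());
    if (last == '.' || last == ' ') return false;
    return true;
}

// Builds "\mods\<name>\cfg.txt". Returns false and leaves `out` untouched on a bad name,
// so the caller never opens a path built from an unvalidated name.
bool BuildModConfigPath(const std::string& modName, std::string& out) {
    if (!IsSafeModName(modName)) return false;
    out = "\\mods\\" + modName + "\\cfg.txt";
    return true;
}
```

In the DLL this would be used right after the GetWindowTextA call in the WM_COMMAND handler: pass the returned length to TextFromBuffer, then refuse to clear the flag (or show an error) when BuildModConfigPath returns false.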
  2. I got it to work using my method! My code is probably crap, but yeah... I tried to get the window to close after you press okay... Sadly it didn't work for me. Here's the download (includes the compiled dll and the modified exe needed to make it work): http://www.mediafire.com/?wx0mw1rxdsz And here is the source code (which is probably terrible):

#include <windows.h>
#include <stdio.h>
#include <commctrl.h>
#pragma comment(lib, "comctl32.lib")

//ModLF2 DLL v1.2
//Written By Steve8x

DWORD WINAPI MainThread(LPVOID);        // creates the dialog window and runs its message pump
DWORD WINAPI MouseClickHandler(LPVOID); // polls the flag byte the patched exe sets
void RelocateWindow(int addX, int addY);
void InitCommonCtrls();

//Neat Functions For Creating Window Controls
HWND CreateEditEx(int autoscroll, int passworded, char* Text, int x, int y, int wd, int ht, int id);
HWND CreateButtonEx(char* Text, int x, int y, int wd, int ht, int id);
HWND CreateGroupEx(char* Text, int x, int y, int wd, int ht, int id);

HINSTANCE hInstance;
HWND hwnd, hModName, LF2;
POINT* p = new POINT;
RECT* pRect = new RECT;
char* ModName = new char[260];
char* dbg = new char[260];

// Flag byte shared with the patched exe: the code cave writes 1 here and spins until
// the dialog writes 0 back. The DLL shares the exe's address space, so a plain pointer
// is enough; volatile keeps the compiler from hoisting the read out of the polling loop.
#define MOD_REQUEST_FLAG ((volatile BYTE*)0x459F78)

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if(ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        hInstance = hModule;
        // Threads started from DllMain only begin running once the loader lock is
        // released; keep DllMain itself minimal. The handles are not needed, so close them.
        CloseHandle(CreateThread(0, 0, MainThread, 0, 0, 0));
        CloseHandle(CreateThread(0, 0, MouseClickHandler, 0, 0, 0));
    }
    else if(ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        delete[] ModName;
        delete[] dbg;
        delete p;
        delete pRect;
        //clean up code goes here (if any) this is when the dll unloads (when you quit the game)
    }
    return TRUE;
}

//Window Procedure!
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_COMMAND:
        if(LOWORD(wParam) == 420 && HIWORD(wParam) == BN_CLICKED) // the "OK!" button
        {
            GetWindowTextA(hModName, ModName, 260);
            *MOD_REQUEST_FLAG = 0x00;   // release the exe's wait loop
            ShowWindow(hwnd, SW_HIDE);  // hide the dialog until the next request
        }
        break; // the original had no break here and fell through into WM_CTLCOLORSTATIC
    case WM_CTLCOLORSTATIC:
        SetBkMode((HDC)wParam, TRANSPARENT);
        return (LRESULT)GetStockObject(WHITE_BRUSH);
    case WM_LBUTTONDOWN: // drag window from any part of client area
        SendMessage(hWnd, WM_NCLBUTTONDOWN, HTCAPTION, lParam);
        break;
    case WM_CLOSE: //if the user hits [X] to close the window just hide it instead of destroy it!
        // Note: the flag is not cleared here, so the exe keeps spinning until "OK!" is pressed.
        ShowWindow(hwnd, SW_HIDE);
        RelocateWindow(250, 200);
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}

//Main thread which will create and maintain the window!
DWORD WINAPI MainThread(LPVOID)
{
    MSG Msg;
    WNDCLASSEXA wc; // ANSI class so the name matches the CreateWindowExA call below
    wc.cbSize = sizeof(WNDCLASSEXA);
    wc.hInstance = hInstance;
    wc.lpszClassName = "Steves_Window_Class";
    wc.lpfnWndProc = WndProc;
    wc.style = CS_DBLCLKS;
    wc.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(101));
    wc.hIconSm = LoadIcon(hInstance, MAKEINTRESOURCE(101));
    wc.hCursor = LoadCursor(0, IDC_ARROW);
    wc.lpszMenuName = NULL;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
    RegisterClassExA(&wc);
    InitCommonCtrls(); // Force Initialization of Common Controls Library!
    hwnd = CreateWindowExA(0, "Steves_Window_Class", "LF2 MOD LOADER",
        WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX | WS_CLIPSIBLINGS,
        CW_USEDEFAULT, CW_USEDEFAULT, 300, 110, HWND_DESKTOP, 0, hInstance, 0);
    CreateGroupEx("Enter Mod Name", 2, 0, 290, 75, 200);
    hModName = CreateEditEx(1, 0, 0, 8, 35, 220, 20, 300);
    CreateButtonEx("OK!", 236, 35, 50, 20, 420);
    RelocateWindow(250, 200);
    //Message Pump! Needed So Your Window Can Respond To Messages Sent To It!
    while(GetMessage(&Msg, 0, 0, 0))
    {
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    return 0;
}

// Polls the flag the patched exe raises when "Load Mod" is clicked and shows the dialog.
DWORD WINAPI MouseClickHandler(LPVOID)
{
    for(;; Sleep(10)) // indefinite loop; the Sleep(10) keeps the polling from burning a core
    {
        if(*MOD_REQUEST_FLAG == 1)
        {
            RelocateWindow(250, 200);
            ShowWindow(hwnd, SW_SHOW);
            Sleep(250);
        }
    }
    return 0;
}

// Pins the dialog at an offset inside the game window.
void RelocateWindow(int addX, int addY)
{
    LF2 = FindWindowA(0, "Little Fighter 2");
    GetWindowRect(LF2, pRect);
    SetWindowPos(hwnd, HWND_TOPMOST, (pRect->left + addX), (pRect->top + addY), 300, 110, 0);
}

HWND CreateEditEx(int autoscroll, int passworded, char* Text, int x, int y, int wd, int ht, int id)
{
    DWORD style = WS_CHILD | WS_VISIBLE | ES_NOHIDESEL | WS_TABSTOP;
    if(autoscroll) style |= ES_AUTOHSCROLL;
    if(passworded) style |= ES_PASSWORD;
    return CreateWindowExA(WS_EX_CLIENTEDGE, "EDIT", Text, style, x, y, wd, ht, hwnd, (HMENU)(INT_PTR)id, hInstance, 0);
}

HWND CreateButtonEx(char* Text, int x, int y, int wd, int ht, int id)
{
    return CreateWindowExA(0, "BUTTON", Text, WS_CHILD | WS_VISIBLE, x, y, wd, ht, hwnd, (HMENU)(INT_PTR)id, hInstance, 0);
}

HWND CreateGroupEx(char* Text, int x, int y, int wd, int ht, int id)
{
    return CreateWindowExA(0, "BUTTON", Text, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, x, y, wd, ht, hwnd, (HMENU)(INT_PTR)id, hInstance, 0);
}

void InitCommonCtrls() // Needed Just To Make Sure The Window Controls Appear!
{
    INITCOMMONCONTROLSEX icex;
    icex.dwSize = sizeof(INITCOMMONCONTROLSEX);
    icex.dwICC = ICC_BAR_CLASSES;
    InitCommonControlsEx(&icex);
}
  3. I think I found a way to get this to work.

00446438 393D 80754500 CMP DWORD PTR DS:[457580],EDI \\ check if mouse is clicked
0044643E ^0F85 C018FEFF JNZ mod_load.00427D04 \\ if not clicked then just skip all this code
00446444 391D 60D04400 CMP DWORD PTR DS:[44D060],EBX \\ I'm guessing another check if mouse is clicked
0044644A ^0F85 B418FEFF JNZ mod_load.00427D04 \\ if not clicked this skip all this code
00446450 53 PUSH EBX \\ sound stuff
00446451 B9 10564500 MOV ECX,mod_load.00455610 \\ sound stuff
00446456 E8 D5B5FBFF CALL mod_load.00401A30 \\ sound stuff
0044645B C605 789F4500 MOV BYTE PTR DS:[459F78],1 \\ moves 1 to 459F78 (just a random place I chose)
00446462 803D 789F4500 CMP BYTE PTR DS:[459F78],1 \\ checks if 459F78 = 1
00446469 ^74 F7 JE SHORT mod_load.00446462 \\ jumps back to the cmp above if it is 1 (basically an infinite loop)
0044646B ^E9 9418FEFF JMP mod_load.00427D04 \\ jumps out of the code cave to the rest of the code

The idea is the dll will constantly check 459F78 to see if it is 1; if it is, then the dialog box will appear. After the user presses the okay button it will write 0 to 459F78 (which will then stop the loop so Little Fighter can keep running normally). Now the only problem is I don't know how to read the memory using a dll. I remember there was a Windows API to do such a thing (I believe it was something like ReadProcessMemory), but will that work inside a dll? And isn't there a better way to do it (since the dll should be sharing the application's memory, I'm guessing the API isn't needed)? Edit: Ouch, looks like we were both typing at the same time :P. Your solution looks better than mine. Thank you for all the help man. I'll try and get this all working :D
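Added example, not code from the thread: the flag handshake described in the post above, written in portable C++ with std::atomic and std::thread so it can be run outside the game. The byte at 459F78 is replaced by a global; the "game" side raises it and spins exactly like the code cave, and the "DLL" side polls it, collects the name and writes 0 to release the game. On the ReadProcessMemory question: an injected DLL lives in the same address space as the exe, so a plain pointer dereference is all that is needed, and ReadProcessMemory is only for reading a different process. The one thing the C++ version needs that the asm code cave does not is std::atomic (or at least volatile): without it the compiler may hoist the load out of the polling loop and the DLL would never see the flag change. The prompt callback and the names passed in are constructed inputs.

```cpp
// Added example, not code from the thread: the shared-flag handshake in portable C++.
#include <atomic>
#include <chrono>
#include <string>
#include <thread>

// Stand-in for the byte at 0x459F78: shared between the game's code cave (writes 1,
// spins while it stays 1) and the DLL thread (clears it to 0 after the user clicks OK).
static std::atomic<unsigned char> g_modRequest{0};

// The DLL side: poll until the game raises the flag, obtain the mod name (in the real
// DLL this is the dialog; here a callback supplies it), then clear the flag.
template <typename Prompt>
std::string DllPollLoop(Prompt prompt) {
    while (g_modRequest.load() != 1)
        std::this_thread::sleep_for(std::chrono::milliseconds(10)); // same idea as Sleep(10)
    std::string name = prompt();
    g_modRequest.store(0);   // equivalent of *(BYTE*)0x459F78 = 0 in the WM_COMMAND handler
    return name;
}

// The code cave side, run when "Load Mod" is clicked: raise the flag, then spin until the
// DLL clears it. Returns how many times it spun so a caller can see that it waited.
unsigned long GameCodeCave() {
    g_modRequest.store(1);                      // MOV BYTE PTR [459F78],1
    unsigned long spins = 0;
    while (g_modRequest.load() == 1) {          // CMP BYTE PTR [459F78],1 / JE back
        ++spins;
        std::this_thread::yield();
    }
    return spins;                               // JMP out of the cave
}

// Runs both sides on separate threads, as in the real setup (DllMain-created thread
// versus the game's own thread), and returns the name the "DLL" collected.
std::string RunHandshake(const std::string& userTyped, unsigned long* spinsOut) {
    std::string received;
    std::thread dll([&] { received = DllPollLoop([&] { return userTyped; }); });
    unsigned long spins = GameCodeCave();
    dll.join();
    if (spinsOut) *spinsOut = spins;
    return received;
}
```

Note that the game thread is genuinely blocked while the flag is 1, which is what the post wants (the game pauses until a name is entered), but it also means the dialog's close button must eventually clear the flag or the game will never resume.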
  4. Hi steve8x. I have already added the option to the menu with a bit of exe hacking (sorry if I haven't made that clear before). Here's the exe; you can see it for yourself. http://www.mediafire.com/?oeejw9tdjqz (Nothing actually happens when you press Load Mod, didn't have the time to code that bit yet but it is easy enough.) My poorly written code starts at 00446334. I'm quite proficient in disassembling/debugging/cracking (whatever you feel like calling it). I've never used the LoadLibraryA API though, but I kind of get how it works. Everything is starting to look good now; the only problem I see is how will the dll know when the button is pressed? If it was an export function all I'd have to do is type "CALL ADDRESS" in the part of the code which deals with what happens when the button is clicked. There is also another really small disadvantage to using your method: since it runs in a separate thread, lf2 will keep running while you are supposed to enter the mod name. Not too much of an issue though, I have an idea on how to get around that (involves an infinite loop until the mod is entered :D). PS: Thanks for being so helpful! Last time I was doing this no one even bothered to (probably should have asked on the hak5 forums :P). Edit: Yes, this thread has lots of awesome code in it which I might reuse for other things (with credit of course :P).
  5. Thanks Steve8x, your solution is awesome for some things. However, that's not what I'm looking for. Your solution is kind of temporary, while I'm looking for something more permanent (actual game running). I have added another option to the menu, so all people have to do is push it and voilà... Your method would require them to run another program, inject the dll etc etc (less user friendly). So, the only way I can think of properly doing it would be to make a dll (with an export) and when the user presses Load Mod, the exe calls that function etc etc. So if you could do it with a dll using an export function I'd be in your everlasting debt. PS: Sorry it took so long to reply, I was making sure I could actually hack up the exe (I'm kinda rusty).
  6. Summary: I need to create a dll with a function (maybe the term is export?) called something like GetModName; when called it will create a dialog box something like this: basically a text box and an okay button (maybe a Cancel button). This is the tutorial I followed to create a dll: http://edais.mvps.org/Tutorials/CDLL/index.html I have been searching and trying for ages, but I just cannot figure out a way to make that dialog box in a dll and make it appear. I reckon if I get that working, the rest of the code should be easy enough. Really long story about what I'm trying to accomplish and why I need this, which no one will probably read: There is this freeware fighting game called Little Fighter 2 (http://www.lf2.net). It is easily customizable, which is why lots of mods are made for it. For a long while (a couple of years) the latest version was 1.9 and I hacked it up a bit to create a sort of mod loader (http://www.lf2mods.com). It worked by abusing the network screen (the only place which let you type stuff). Screenshot: http://img363.imageshack.us/img363/1228/screenshotwm7.png I really don't like this solution because:
* It disables network play
* If you enter the name of a mod which doesn't exist it crashes
* You are always prompted with the screen to choose a mod
Now, on the 10th year anniversary of Little Fighter 2, the creators decided to make an update. And I saw this as a golden opportunity to make the mod loader the proper way (or at least a little bit better than before). The plan is to create another item in the main menu called "Load Mod"; if it's pressed then it will call the function GetModName from a dll (the dll will be added to the import table of the exe using IIDKing v2.01 http://www.reteam.org/tools.html) which will get a valid name of a mod from the user using a dialog. The rest is all easy.
The only problem I'm having is with the dll part, since I'm a real noob at C++ and can only copy-paste code from different places and connect it together to make it work. Hopefully someone here will be able to help me, or give me a good nudge in the right direction. PS: Creating a dialog box in a dll is different from creating it in a normal program (as far as I can tell), so don't just link me to some basic C++ WinAPI tutorial; I've searched a lot and can't find anything that covers this (or maybe I'm too stupid to understand).
  7. Does it crash in safe mode? If it crashes in safe mode that means your explorer.exe (or some random DLL it relies on) is probably infected with some PE virus. If it doesn't then it's probably safe to assume it's one of the startup applications/some service that runs on startup or the router (not really sure how the router fits in, but I thought it is worth mentioning). Edit: PS: A cheap "bandage" fix could be downloading an alternative desktop shell (not sure that's the correct terminology), for example http://bb4win.sourceforge.net/bblean/, and using that :p.
  8. Basically they charge people to join and believe in their religion, and they are blamed for people dying and such. You should Google "Truth of scientology" or something similar if you are actually interested. You'll find more information over there.
  9. I'd just like to say that password-protected RARs also don't get detected by antivirus; I'd consider using RARs since they are more widely used, but it's up to you.
  10. Well, it's impossible to decompile the program into the original source code. OllyDbg disassembles it into ASM code and then you can "hack" it. I don't really have much experience with asm, but if you NOP the jump on line 00401387 it will accept any password. If you look up two lines from that address you can see a call being made to strcmp; under that a TEST EAX,EAX which I can only assume is comparing the user string with the password string, and then the line which you are NOPing is a JNZ, which in this case means jump if they aren't equal (JNZ actually stands for jump if not zero). Hopefully my English was understandable :D. Edit: If you set a breakpoint on line 00401376 you will see the password inside the EDX register. I might comment all the code as far as I understand it soon :).
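Added example, not from the thread: a small patch helper for the "NOP the JNZ" step described above. The byte sequence is constructed here to resemble the pattern the post describes (CALL strcmp; TEST EAX,EAX; JNZ), not copied from the program being discussed, and the call target is a placeholder. The helper checks that the bytes at the offset really encode a JNZ before writing anything, and it NOPs the whole instruction, because the short form (75 rel8) is 2 bytes while the near form (0F 85 rel32) is 6; NOPing only the first byte of a near jump would leave the remaining bytes to be decoded as some other instruction.

```cpp
// Added example, not code from the thread: NOP out a JNZ in a byte buffer safely.
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed sample, assumed to resemble the check described in the post:
//   offset 0:  E8 00 00 00 00   CALL strcmp      (target is a placeholder)
//   offset 5:  85 C0            TEST EAX,EAX
//   offset 7:  75 0A            JNZ SHORT +0x0A  <- the jump to NOP out
//   offset 9:  B8 01 00 00 00   MOV EAX,1        ("password ok" path)
std::vector<std::uint8_t> SamplePasswordCheck() {
    return {0xE8, 0x00, 0x00, 0x00, 0x00,
            0x85, 0xC0,
            0x75, 0x0A,
            0xB8, 0x01, 0x00, 0x00, 0x00};
}

// Returns the encoded length of a JNZ/JNE starting at `offset`, or 0 if there is none
// (or the instruction would run past the end of the buffer).
std::size_t JnzLengthAt(const std::vector<std::uint8_t>& code, std::size_t offset) {
    if (offset + 2 <= code.size() && code[offset] == 0x75)
        return 2;                                                   // JNZ rel8
    if (offset + 6 <= code.size() && code[offset] == 0x0F && code[offset + 1] == 0x85)
        return 6;                                                   // JNZ rel32
    return 0;
}

// Overwrites the JNZ at `offset` with single-byte NOPs (0x90) so execution always falls
// through into the "strings were equal" path. Returns the number of bytes written,
// 0 if nothing at `offset` looked like a JNZ (buffer is left untouched in that case).
std::size_t NopOutJnz(std::vector<std::uint8_t>& code, std::size_t offset) {
    std::size_t len = JnzLengthAt(code, offset);
    for (std::size_t i = 0; i < len; ++i) code[offset + i] = 0x90;
    return len;
}
```

The same check applies when editing the file on disk rather than in OllyDbg: the offset in the file is not the virtual address shown by the debugger, so verify the opcode bytes at the spot before writing.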
  11. Don't worry you learn something new everyday :).
  12. Well of course, it copies over the send.bat which contains your email address; if it didn't, how would it know where to send the emails to?
  13. In the non u3 version in the auto run file it should say go.cmd and not go.bat :P, there might be more mistakes looking through everything now :).
  14. Impossible, or at least I can't recreate the effect. This is exactly what I did:
1. Got my old computer and installed Windows on it
2. Logged into Pandora
3. Formatted drive (I DIDN'T ZERO IT)
4. Reinstalled Windows and connected to the internet (I've got a dynamic IP so it always changes)
5. Went to Pandora and voilà, I had to log in...
Maybe I didn't do it like you or something, but I say it's fairly close to impossible :P.