
Silva

Active Members
Posts: 20

Everything posted by Silva

  1. Thanks for all the help! It's working great. Now I'm having problems with strings... I was going to do all the string manipulation inside the lf2.exe, but I figured since I'm already using a DLL it'd probably be better to do it there. Sadly C++ doesn't play nice with strings like Java (or C#). In Java I could probably do:

         GetWindowTextA(hModName, ModName, 260);
         *(BYTE*)0x459F78 = 0x00;
         String Load = "\\mods\\" + ModName + "\\cfg.txt";
         ShowWindow(hwnd, SW_HIDE);

     Now I've been trying to do this for ages in C++ with no success. I tried all these weird things with buffers and sprintf (I'm guessing I was creating an array of chars to hold a string); that failed horribly. Then I tried to use #include <string>, which I'm guessing is the class that deals with strings in C++ and tries to make it easier. I did get the program to compile but it would just crash when it got to the part where it had to manipulate the string. Hopefully this is some simple thing that I'm missing, since when I was reading up on GetWindowTextA I saw it returned the length of the string or something... Really confused me. Help anyone!
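An added example, not from Silva's post or the ModLF2 code, of the string handling the post asks about. It takes the buffer and the character count that GetWindowTextA returns (the Win32 call itself is assumed to have run already, so this compiles without windows.h) and builds the "\mods\<name>\cfg.txt" path with std::string. Because the mod name is typed by the user and becomes a directory component, it also rejects separators, drive colons and "..", which would otherwise let a name escape the mods directory; the rejection list and the helper names are this example's own choices.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// GetWindowTextA(hModName, ModName, 260) copies at most 259 characters plus a
// terminating NUL into ModName and returns the number of characters copied
// (0 for an empty box or on failure). Given that buffer and count, build
// "\mods\<name>\cfg.txt". Returns an empty string when the name is unusable.
std::string BuildModCfgPath(const char* modName, int copied)
{
    if (modName == nullptr || copied <= 0) return std::string();

    // Honour the count the API returned instead of calling strlen, but stop
    // early at a NUL in case the caller passed a larger number than was copied.
    size_t n = 0;
    while (n < static_cast<size_t>(copied) && modName[n] != '\0') ++n;
    std::string name(modName, n);

    // Drop trailing spaces/newlines the user may have typed into the edit box.
    while (!name.empty() && (name.back() == ' ' || name.back() == '\r' || name.back() == '\n'))
        name.pop_back();
    if (name.empty()) return std::string();

    // The name is used as a directory component, so refuse anything that can
    // change which directory is opened or that Windows cannot name anyway.
    // (Assumption: real mod names are plain words.)
    if (name.find_first_of("\\/:*?\"<>|") != std::string::npos) return std::string();
    if (name == "." || name == "..") return std::string();

    // std::string handles the concatenation the post tried with sprintf.
    return "\\mods\\" + name + "\\cfg.txt";
}

// Same result copied into a fixed char buffer with a bounded snprintf, for
// code that must hand a char* to an ANSI Win32 call. Returns false if the
// name was rejected or the buffer is too small (nothing is truncated silently).
bool BuildModCfgPathC(const char* modName, int copied, char* out, size_t outLen)
{
    std::string path = BuildModCfgPath(modName, copied);
    if (path.empty() || out == nullptr || outLen == 0) return false;
    int written = std::snprintf(out, outLen, "%s", path.c_str());
    return written >= 0 && static_cast<size_t>(written) < outLen;
}
```

The second helper is the bounded replacement for the sprintf attempts mentioned in the post: snprintf never writes past outLen, and checking its return value is what tells you the path did not fit.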
  2. I got it to work using my method! My code is probably crap, but yeah... I tried to get the window to close after you press okay... Sadly it didn't work for me. Here's the download (includes the compiled DLL and the modified exe needed to make it work): http://www.mediafire.com/?wx0mw1rxdsz And here is the source code (which is probably terrible):

         #include <windows.h>
         #include <stdio.h>
         #include <commctrl.h>
         #pragma comment(lib, "comctl32.lib")

         //ModLF2 DLL v1.2
         //Written By Steve8x

         // Proper thread signatures instead of casting a void() to LPTHREAD_START_ROUTINE
         DWORD WINAPI MainThread(LPVOID);
         DWORD WINAPI MouseClickHandler(LPVOID);
         void RelocateWindow(int addX, int addY);
         void InitCommonCtrls();

         //Neat Functions For Creating Window Controls
         HWND CreateEditEx(int autoscroll, int passworded, char* Text, int x, int y, int wd, int ht, int id);
         HWND CreateButtonEx(char* Text, int x, int y, int wd, int ht, int id);
         HWND CreateGroupEx(char* Text, int x, int y, int wd, int ht, int id);

         HINSTANCE hInstance;
         HWND hwnd, hModName, LF2;
         POINT* p = new POINT;
         RECT* pRect = new RECT;
         char* ModName = new char[260];
         char* dbg = new char[260];

         // The byte the patched exe spins on (the code cave in post 3 writes 1 here).
         // volatile so the polling loop re-reads it every iteration instead of the
         // optimizer hoisting the load out of the loop.
         volatile BYTE* const pModFlag = (volatile BYTE*)0x459F78;

         BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
         {
             if(ul_reason_for_call == DLL_PROCESS_ATTACH)
             {
                 hInstance = hModule;
                 // Only start the threads here; they get to run once the loader lock is released,
                 // so all the real work (window creation, polling) lives in the threads.
                 CreateThread(0, 0, MainThread, 0, 0, 0);
                 CreateThread(0, 0, MouseClickHandler, 0, 0, 0);
             }
             else if(ul_reason_for_call == DLL_PROCESS_DETACH)
             {
                 delete[] ModName;
                 delete[] dbg;
                 delete p;
                 delete pRect;
                 //clean up code goes here (if any) this is when the dll unloads (when you quit the game)
             }
             return TRUE;
         }

         //Window Procedure!
         LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
         {
             switch (message)
             {
             case WM_COMMAND:
                 if(LOWORD(wParam) == 420) // the "OK!" button
                 {
                     GetWindowTextA(hModName, ModName, 260);
                     *pModFlag = 0x00; // releases the spin loop in the exe's code cave
                     // The original had a bare "WM_CLOSE;" here, which is a no-op;
                     // the message has to actually be sent for the WM_CLOSE handler to run.
                     SendMessage(hWnd, WM_CLOSE, 0, 0);
                 }
                 break; // without this break WM_COMMAND fell through into WM_CTLCOLORSTATIC
             case WM_CTLCOLORSTATIC:
                 SetBkMode((HDC)wParam, TRANSPARENT);
                 return (LRESULT)GetStockObject(WHITE_BRUSH);
             case WM_LBUTTONDOWN: // drag window from any part of client area
                 SendMessage(hWnd, WM_NCLBUTTONDOWN, HTCAPTION, lParam);
                 break;
             case WM_CLOSE: //if the user hits [X] to close the window just hide it instead of destroy it!
                 ShowWindow(hwnd, SW_HIDE);
                 RelocateWindow(250, 200);
                 break;
             default:
                 return DefWindowProc(hWnd, message, wParam, lParam);
             }
             return 0;
         }

         //Main thread which will create and maintain the window!
         DWORD WINAPI MainThread(LPVOID)
         {
             MSG Msg;
             WNDCLASSEXA wc; // ANSI class struct, so the class name matches the CreateWindowExA call below
             wc.cbSize = sizeof(WNDCLASSEXA);
             wc.hInstance = hInstance;
             wc.lpszClassName = "Steves_Window_Class";
             wc.lpfnWndProc = WndProc;
             wc.style = CS_DBLCLKS;
             wc.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(101));
             wc.hIconSm = LoadIcon(hInstance, MAKEINTRESOURCE(101));
             wc.hCursor = LoadCursor(0, IDC_ARROW);
             wc.lpszMenuName = NULL;
             wc.cbClsExtra = 0;
             wc.cbWndExtra = 0;
             wc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
             RegisterClassExA(&wc);
             InitCommonCtrls(); // Force Initialization of Common Controls Library!
             hwnd = CreateWindowExA(0, "Steves_Window_Class", "LF2 MOD LOADER",
                                    WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX | WS_CLIPSIBLINGS,
                                    CW_USEDEFAULT, CW_USEDEFAULT, 300, 110, HWND_DESKTOP, 0, hInstance, 0);
             CreateGroupEx("Enter Mod Name", 2, 0, 290, 75, 200);
             hModName = CreateEditEx(1, 0, 0, 8, 35, 220, 20, 300);
             CreateButtonEx("OK!", 236, 35, 50, 20, 420);
             RelocateWindow(250, 200);
             //Message Pump! Needed So Your Window Can Respond To Messages Sent To It!
             while(GetMessage(&Msg, 0, 0, 0))
             {
                 TranslateMessage(&Msg);
                 DispatchMessage(&Msg);
             }
             return 0;
         }

         DWORD WINAPI MouseClickHandler(LPVOID)
         {
             for(;; Sleep(10)) // indefinite loop, so you need at least a Sleep(10) in there for anti-lag
             {
                 if(*pModFlag == 1) // the exe's code cave sets this when "Load Mod" is clicked
                 {
                     RelocateWindow(250, 200);
                     ShowWindow(hwnd, SW_SHOW);
                     Sleep(250);
                 }
             }
         }

         void RelocateWindow(int addX, int addY)
         {
             LF2 = FindWindowA(0, "Little Fighter 2");
             if(!LF2 || !GetWindowRect(LF2, pRect)) return; // game window not found: leave ours where it is
             SetWindowPos(hwnd, HWND_TOPMOST, (pRect->left+addX), (pRect->top+addY), 300, 110, 0);
         }

         HWND CreateEditEx(int autoscroll, int passworded, char* Text, int x, int y, int wd, int ht, int id)
         {
             // Same four combinations as before, built from one base style
             DWORD style = WS_CHILD | WS_VISIBLE | ES_NOHIDESEL | WS_TABSTOP;
             if(autoscroll) style |= ES_AUTOHSCROLL;
             if(passworded) style |= ES_PASSWORD;
             return CreateWindowExA(WS_EX_CLIENTEDGE, "EDIT", Text, style, x, y, wd, ht, hwnd, (HMENU)(UINT_PTR)id, hInstance, 0);
         }

         HWND CreateButtonEx(char* Text, int x, int y, int wd, int ht, int id)
         {
             return CreateWindowExA(0, "BUTTON", Text, WS_CHILD | WS_VISIBLE, x, y, wd, ht, hwnd, (HMENU)(UINT_PTR)id, hInstance, 0);
         }

         HWND CreateGroupEx(char* Text, int x, int y, int wd, int ht, int id)
         {
             return CreateWindowExA(0, "BUTTON", Text, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, x, y, wd, ht, hwnd, (HMENU)(UINT_PTR)id, hInstance, 0);
         }

         void InitCommonCtrls() // Needed Just To Make Sure The Window Controls Appear!
         {
             INITCOMMONCONTROLSEX icex;
             icex.dwSize = sizeof(INITCOMMONCONTROLSEX);
             icex.dwICC = ICC_BAR_CLASSES;
             InitCommonControlsEx(&icex);
         }
  3. I think I found a way to get this to work.

         00446438  393D 80754500    CMP DWORD PTR DS:[457580],EDI   ; check if mouse is clicked
         0044643E  ^0F85 C018FEFF   JNZ mod_load.00427D04           ; if not clicked then just skip all this code
         00446444  391D 60D04400    CMP DWORD PTR DS:[44D060],EBX   ; I'm guessing another check if mouse is clicked
         0044644A  ^0F85 B418FEFF   JNZ mod_load.00427D04           ; if not clicked this skips all this code
         00446450  53               PUSH EBX                        ; sound stuff
         00446451  B9 10564500      MOV ECX,mod_load.00455610       ; sound stuff
         00446456  E8 D5B5FBFF      CALL mod_load.00401A30          ; sound stuff
         0044645B  C605 789F4500 >  MOV BYTE PTR DS:[459F78],1      ; moves 1 to 459F78 (just a random place I chose)
         00446462  803D 789F4500 >  CMP BYTE PTR DS:[459F78],1      ; checks if 459F78 = 1
         00446469  ^74 F7           JE SHORT mod_load.00446462      ; jumps back to the cmp above if it is 1 (basically an infinite loop)
         0044646B  ^E9 9418FEFF     JMP mod_load.00427D04           ; jumps out of the codecave to the rest of the code

     The idea is the DLL will constantly check 459F78 to see if it is 1; if it is, then the dialog box will appear. After the user presses the okay button it will write 0 to 459F78 (which will then stop the loop so Little Fighter can keep running normally). Now the only problem is I don't know how to read the memory using a DLL. I remember there was a Windows API to do such a thing (I believe it was something like ReadProcessMemory), but will that work inside a DLL? And isn't there a better way to do it (since the DLL should be sharing the application's memory, I'm guessing the API isn't needed)? Edit: Ouch, looks like we were both typing at the same time :P. Your solution looks better than mine. Thank you for all the help, man. I'll try and get this all working :D
  4. Hi steve8x. I have already added the option to the menu with a bit of exe hacking (sorry if I haven't made that clear before). Here's the exe, you can see it for yourself: http://www.mediafire.com/?oeejw9tdjqz (Nothing actually happens when you press Load Mod, didn't have the time to code that bit yet but it is easy enough.) My poorly written code starts at 00446334. I'm quite proficient in disassembling/debugging/cracking (whatever you feel like calling it). I've never used the LoadLibraryA API though, but I kind of get how it works. Everything is starting to look good now; the only problem I see is how will the DLL know when the button is pressed? If it was an export function all I'd have to do is type "CALL ADDRESS" in the part of the code which deals with what happens when the button is clicked. There is also another really small disadvantage to using your method: since it runs in a separate thread, LF2 will keep running while you are supposed to enter the mod name. Not too much of an issue though, I have an idea on how to get around that (involves an infinite loop until the mod is entered :D). PS: Thanks for being so helpful! Last time I was doing this no one even bothered to (probably should have asked on the Hak5 forums :P). Edit: Yes, this thread has lots of awesome code in it which I might reuse for other things (with credit of course :P).
  5. Thanks Steve8x, your solution is awesome for some things. However, that's not what I'm looking for. Your solution is kind of temporary, while I'm looking for something more permanent (actual game running). I have added another option to the menu, so all people have to do is push it and voilà... Your method would require them to run another program, inject the DLL etc. etc. (less user friendly). So, the only way I can think of properly doing it would be to make a DLL (with an export) and when the user presses Load Mod, the exe calls that function etc. etc. So if you could do it with a DLL using an export function I'd be in your everlasting debt. PS: Sorry it took so long to reply, I was making sure I could actually hack up the exe (I'm kinda rusty).
  6. Summary: I need to create a DLL with a function (maybe the term is export?) called something like GetModName; when called it will create a dialog box something like this: basically a text box and an okay button (maybe a Cancel button). This is the tutorial I followed to create a DLL: http://edais.mvps.org/Tutorials/CDLL/index.html I have been searching and trying for ages, but I just cannot figure out a way to make that dialog box in a DLL and make it appear. I reckon if I get that working, the rest of the code should be easy enough. Really long story about what I'm trying to accomplish and why I need this, which no one will probably read: There is this freeware fighting game called Little Fighter 2 (http://www.lf2.net). It is easily customizable, which is why lots of mods are made for it. For a long while (a couple of years) the latest version was 1.9 and I hacked it up a bit to create a sort of mod loader (http://www.lf2mods.com). It worked by abusing the network screen (the only place which let you type stuff). Screenshot: http://img363.imageshack.us/img363/1228/screenshotwm7.png I really don't like this solution because:
     * It disables network play
     * If you enter the name of a mod which doesn't exist it crashes
     * You are always prompted with the screen to choose a mod
     Now, on the 10th year anniversary of Little Fighter 2, the creators decided to make an update. And I saw this as a golden opportunity to make the mod loader the proper way (or at least a little bit better than before). The plan is to create another item in the main menu called "Load Mod"; if it's pressed then it will call the function GetModName from a DLL (the DLL will be added to the import table of the exe using IIDKing v2.01, http://www.reteam.org/tools.html) which will get a valid name of a mod from the user using a dialog. The rest is all easy.
     The only problem I'm having is with the DLL part, since I'm a real noob at C++ and can only copy-paste code from different places and connect it together to make it work. Hopefully someone here will be able to help me, or give me a good nudge in the right direction. PS: Creating a dialog box in a DLL is different from creating it in a normal program (as far as I can tell), don't just link me to some basic C++ WinAPI tutorial, I've searched a lot and can't find anything that covers this (or maybe I'm too stupid to understand).
  7. Does it crash in safe mode? If it crashes in safe mode that means your explorer.exe (or some random DLL it relies on) is probably infected with some PE virus. If it doesn't, then it's probably safe to assume it's one of the start-up applications/some service that runs on start-up, or the router (not really sure how the router fits in, but I thought it was worth mentioning). Edit: PS: A cheap "bandage" fix could be downloading an alternative desktop shell (not sure that's the correct terminology), for example http://bb4win.sourceforge.net/bblean/ and using that :p.
  8. Basically they charge people to join and believe in their religion, and they are blamed for people dying and such. You should Google "Truth of scientology" or something similar if you are actually interested. You'll find more information over there.
  9. I'd just like to say that password-protected RARs also don't get detected by antiviruses. I'd consider using RARs since they are more widely used, but it's up to you.
  10. Well, it's impossible to decompile the program into the original source code. OllyDbg disassembles it into ASM code and then you can "hack" it. I don't really have much experience with ASM, but if you NOP the jump on line 00401387 it will accept any password. If you look up two lines from that address you can see a call being made to strcmp; under that a TEST EAX,EAX which I can only assume is comparing the user string with the password string, and then the line which you are NOPing is a JNZ, which in this case means jump if they aren't equal (JNZ actually stands for jump if not zero). Hopefully my English was understandable :D. Edit: If you set a breakpoint on line 00401376 you will see the password inside the EDX register. I might comment all the code as far as I understand it soon :).
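An added example, not Silva's code and not taken from the program discussed in the reply: the same "NOP the JNZ after strcmp" patch, applied to a byte buffer instead of in OllyDbg, together with a tiny interpreter that shows why it works. The instruction bytes are constructed to look like the sequence the reply describes (CALL strcmp, TEST EAX,EAX, JNZ) and the addresses 00401387 and 00401376 are not used; the helper names are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// x86 encodings involved: E8 rel32 = CALL, 85 C0 = TEST EAX,EAX,
// 75 rel8 = JNZ short, B8 imm32 = MOV EAX,imm32, C3 = RET, 90 = NOP.

// Constructed stand-in for the password check described in the reply
// (hypothetical bytes, not from the real binary):
//   CALL strcmp ; TEST EAX,EAX ; JNZ bad ; MOV EAX,1 ; RET ; bad: MOV EAX,0 ; RET
std::vector<uint8_t> SampleCheck()
{
    return {
        0xE8, 0x00, 0x00, 0x00, 0x00,   // 00: CALL strcmp (target irrelevant here)
        0x85, 0xC0,                     // 05: TEST EAX,EAX
        0x75, 0x06,                     // 07: JNZ +6 -> 0F, taken when strcmp != 0
        0xB8, 0x01, 0x00, 0x00, 0x00,   // 09: MOV EAX,1  (password accepted)
        0xC3,                           // 0E: RET
        0xB8, 0x00, 0x00, 0x00, 0x00,   // 0F: MOV EAX,0  (password rejected)
        0xC3                            // 14: RET
    };
}

// Replace every "TEST EAX,EAX ; JNZ rel8" with "TEST EAX,EAX ; NOP ; NOP".
// Two one-byte NOPs keep the stream the same length, so no later address
// moves and every other jump in the program still lands where it did.
size_t PatchJnzAfterTest(std::vector<uint8_t>& code)
{
    size_t patched = 0;
    for (size_t i = 0; i + 3 < code.size(); ++i) {
        if (code[i] == 0x85 && code[i + 1] == 0xC0 && code[i + 2] == 0x75) {
            code[i + 2] = 0x90;
            code[i + 3] = 0x90;
            ++patched;
            i += 3;
        }
    }
    return patched;
}

// Minimal interpreter for just those opcodes. The CALL is treated as the
// strcmp call, whose result the caller supplies (0 means the strings match).
// Returns EAX at RET, or -1 on an unknown or truncated instruction.
int Execute(const std::vector<uint8_t>& code, int strcmpResult)
{
    size_t ip = 0;
    int32_t eax = 0;
    bool zf = false;
    while (ip < code.size()) {
        switch (code[ip]) {
        case 0xE8:                              // CALL rel32 -> stand-in for strcmp
            if (ip + 5 > code.size()) return -1;
            eax = strcmpResult; ip += 5; break;
        case 0x85:                              // TEST EAX,EAX: ZF = (EAX == 0)
            if (ip + 2 > code.size() || code[ip + 1] != 0xC0) return -1;
            zf = (eax == 0); ip += 2; break;
        case 0x75: {                            // JNZ rel8: taken when ZF == 0
            if (ip + 2 > code.size()) return -1;
            int8_t rel = static_cast<int8_t>(code[ip + 1]);
            ip += 2;
            if (!zf) ip = static_cast<size_t>(static_cast<ptrdiff_t>(ip) + rel);
            break;
        }
        case 0xB8:                              // MOV EAX,imm32 (little endian)
            if (ip + 5 > code.size()) return -1;
            eax = static_cast<int32_t>(static_cast<uint32_t>(code[ip + 1]) |
                                       (static_cast<uint32_t>(code[ip + 2]) << 8) |
                                       (static_cast<uint32_t>(code[ip + 3]) << 16) |
                                       (static_cast<uint32_t>(code[ip + 4]) << 24));
            ip += 5; break;
        case 0x90: ip += 1; break;              // NOP
        case 0xC3: return eax;                  // RET
        default: return -1;
        }
    }
    return -1;
}
```

Before the patch, Execute returns 1 only when the simulated strcmp result is 0; after PatchJnzAfterTest the JNZ is gone, the MOV EAX,0 path is unreachable and any password is accepted, which is exactly the effect of NOPing the jump in the debugger.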
  11. Don't worry you learn something new everyday :).
  12. Well of course, it copies over the send.bat which contains your email address; if it didn't, how would it know where to send the emails to?
  13. In the non-U3 version, in the autorun file it should say go.cmd and not go.bat :P, there might be more mistakes, looking through everything now :).
  14. Impossible, or at least I can't recreate the effect. This is exactly what I did:
     1. Got my old computer and installed Windows on it
     2. Logged into Pandora
     3. Formatted drive (I DIDN'T ZERO IT)
     4. Reinstalled Windows and connected to the internet (I got a dynamic IP so it always changes)
     5. Went to Pandora and voilà, I had to log in...
     Maybe I didn't do it like you or something, but I say it's fairly close to impossible :P.
  15. "but i want to do it myself if someone has a page that explains how the usb cable works and how it sends the data please send it to me. i think i need a pic or something but please the idea is not to use a keyboard or game pad thanks to all" Be sure to post how you did it if you succeed (I strongly doubt it though). Writing a driver for Windows can be annoying (I never tried, but all the docs I read about it were too long for me). I'd do what everyone suggested and just get an old gamepad which you bought 5 years ago because you thought it was cool but never got around to using it, take it all apart, build a small box for it with a button on top and make it "press" one button on the gamepad, use some registry hacks to remap that button to run some software or something (maybe the "Show desktop" thing in Windows?) and you're done. A lot easier if you ask me.
  16. You could just disable autorun like most of the people I know (they disable it because they hate the annoying pop-up when they put in CDs) and you'll be completely safe from this attack, and Norton AV 2003 does ask if you want to run the program from the removable media object (something along those lines) if you use the non-U3 way.
  17. That's really old (I remember reading it over a year ago), but it's still funny after all that time :D (really liked the 127.0.0.1 IP part). Makes me wonder if he was just acting stupid or he really believed in what he was saying.
  18. lol this was on page 2 or 3 of this post :X Anyway, as you've said there, it should be a possibility to mail it, although I don't know the extent of PHP scripting. I've used/modified an email PHP script which doesn't use an SMTP server to mail (at least it doesn't make you specify one, nor have I seen one in the code...), so emailing pure spoofed email text is possible... but attaching something I'm not so sure of... but then again if it's all text then you're set, you just need to find a way to be able to send files via PHP scripting with that said script above, or just find a way to launch a USB FTP program that connects encrypted to a server to upload the LM hash... Or you can use Google and find an easy way; running PHP scripts seems ineffective in my book. SendMail for Microsoft Windows :D http://www.geocities.com/jaber_aljundi/#Wh...SendMail_Tool__ didn't play with it yet but seems simple enough since the file names are always the same I guess.
  19. Well, for the non-U3 version of this hack a 16 MB drive would be enough; all the files don't use more than 1 MB including the dumps. I didn't check out the U3 version (I don't have a U3 USB stick). But I'm 99% sure that 256 MB is more than enough for this type of hack.