Code:
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
using namespace std;
[You must be registered and logged in to see this link.] Wallhack 0x7480AC //You Can Change
typedef int (WINAPI* myMsgBox)(HWND,LPSTR,LPSTR,UINT);
typedef SHORT (WINAPI* myGetKeyState)(int);
typedef BOOL (WINAPI* myBeep)(DWORD, DWORD);
void Wait(int seconds)
{
for(int x = 0; x < seconds * 2500;x++)
{
}
}
struct CDATA
{
char msg[50];
char title[50];
int buttons;
LPVOID msgbox_addr;
LPVOID getkeystate_addr;
LPVOID beep_addr;
};
DWORD FindCFID( DWORD processID )
{
TCHAR szProcessName[MAX_PATH] = "n\\a";
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |PROCESS_VM_READ,FALSE, processID );
if (NULL != hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod),
&cbNeeded) )
{
GetModuleBaseName( hProcess, hMod, szProcessName,
sizeof(szProcessName)/sizeof(TCHAR) );
}
}
if(strcmp(szProcessName, "crossfire.exe") == 0)
{
cout << "Found: " << szProcessName << endl;
int ID = processID;
CloseHandle( hProcess );
return ID;
}
else
{
CloseHandle( hProcess );
return NULL;
}
}
Our main function that is injected into crossfire.exe and an empty function to get this functions address:
Code:
static DWORD Injected(CDATA* data)
{
myGetKeyState keyState = (myGetKeyState)data->getkeystate_addr;
myBeep beep = (myBeep)data->beep_addr;
myMsgBox MsgBox = (myMsgBox)data->msgbox_addr;
MsgBox(0,data->msg, data->title, data->buttons);
while(TRUE)
{
if(keyState(VK_F10))
{
// Wallhack 0x74703C
memcpy((void*)(Wallhack), (PBYTE)"\x90\x90\x90\x90", 4);
beep(200,200);
}
Wait(1);
}
return 0;
}
static DWORD Empty(){
return 0;
}
The good stuff
Code:
void ject(DWORD procID)
{
CDATA cdata;
HANDLE TargetProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, procID);
if(TargetProcessHandle)
{
cout << "Process opened: " << procID << endl;
HMODULE user32 = LoadLibrary("User32.dll");
HMODULE kernel = LoadLibrary("Kernel32.dll");
if(!user32 || !kernel) return;
cout << "Kernel.dll loaded..." << endl;
cout << "User32.dll loaded..." << endl;
cdata.buttons = MB_OK;
strcpy_s(cdata.msg, "Press F10 ingame to activate wallhack!");
strcpy_s(cdata.title, "Crossfire Hooked!");
cdata.msgbox_addr = GetProcAddress(user32, "MessageBoxA");
cdata.getkeystate_addr = GetProcAddress(user32, "GetAsyncKeyState");
cdata.beep_addr = GetProcAddress(kernel, "Beep");
cout << " " << endl;
cout << "------------ADDYS------------" << endl;
cout << "MsgBox: " << cdata.msgbox_addr << endl;
cout << "KeyState: " << cdata.getkeystate_addr << endl;
cout <<"Beep: " << cdata.beep_addr << endl;
cout << "------------END ADDYS------------" << endl;
cout << " " << endl;
int szFunctionSize = (DWORD)Empty - (DWORD)Injected;
cout << "Function Size: " << szFunctionSize << endl;
LPVOID szFunctionAddress = VirtualAllocEx(TargetProcessHandle,0,szFunctionSize,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
cout << "Function addr: " << szFunctionAddress << endl;
int num2 = WriteProcessMemory(TargetProcessHandle,szFunctionAddress,(VOID*)Injected, szFunctionSize,0);
cout << "WriteProcessMemory returned: " << num2 << endl;
if(num2 == 0)
{
DWORD errCode = GetLastError();
char *err;
if (!FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,errCode,MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),(LPTSTR)&err,0,NULL))
return;
cout << "------> Error: " << err << endl;
return;
}
LPVOID szDataAdress = VirtualAllocEx(TargetProcessHandle,0,sizeof(CDATA),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
cout << "Data addr: " << szDataAdress << endl;
num2 = WriteProcessMemory(TargetProcessHandle,szDataAdress,&cdata,sizeof(CDATA),0);
cout << "WriteProcessMemory returned: " << num2 << endl;
if(num2 == 0)
{
DWORD errCode = GetLastError();
char *err;
if (!FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,errCode,MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),(LPTSTR)&err,0,NULL))
return;
cout << "------> Error: " << err << endl;
return;
}
DWORD lpNumberOfBytesWritten = 0;
HANDLE hand = CreateRemoteThread(TargetProcessHandle, 0, 0, (LPTHREAD_START_ROUTINE)szFunctionAddress, szDataAdress, 0, (SIZE_T*)&lpNumberOfBytesWritten);
if(hand != NULL)
{
WaitForSingleObject(TargetProcessHandle, 2000);
VirtualFree(szFunctionAddress, 0, MEM_RELEASE);
VirtualFree(szDataAdress, 0, MEM_RELEASE);
CloseHandle(TargetProcessHandle);
CloseHandle(hand);
cout << "Successfully Injected... Byteswritten: " << lpNumberOfBytesWritten << endl;
}
else
cout << "Error creating remote thread..." << endl;
}
else
cout << "Error opening process for injection..." << endl;
}
Code:
int privileges()
{
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0)
return 1;
else
return 0;
}
return 1;
}
Program entry point:
Code:
void main()
{
if(privileges() != 0)
{
cout << "Some kind of priviledge error..." << endl;
return;
}
while(1)
{
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
{
cout << "Error reading process list..." << endl;
return;
}
cProcesses = cbNeeded / sizeof(DWORD);
DWORD procID = NULL;
bool found = false;
for ( i = 0; i < cProcesses; i++ )
{
if( aProcesses != 0 )
{
procID = FindCFID( aProcesses );
if(procID != NULL)
{
found = true;
break;
}
}
}
if(!found)
cout << "waiting for crossfire.exe" << endl;
else
{
cout << "crossfire.exe found! Injecting..." << endl;
ject(procID);
break;
}
Sleep(1000);
}
}
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
using namespace std;
[You must be registered and logged in to see this link.] Wallhack 0x7480AC //You Can Change
typedef int (WINAPI* myMsgBox)(HWND,LPSTR,LPSTR,UINT);
typedef SHORT (WINAPI* myGetKeyState)(int);
typedef BOOL (WINAPI* myBeep)(DWORD, DWORD);
void Wait(int seconds)
{
for(int x = 0; x < seconds * 2500;x++)
{
}
}
struct CDATA
{
char msg[50];
char title[50];
int buttons;
LPVOID msgbox_addr;
LPVOID getkeystate_addr;
LPVOID beep_addr;
};
DWORD FindCFID( DWORD processID )
{
TCHAR szProcessName[MAX_PATH] = "n\\a";
HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |PROCESS_VM_READ,FALSE, processID );
if (NULL != hProcess )
{
HMODULE hMod;
DWORD cbNeeded;
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod),
&cbNeeded) )
{
GetModuleBaseName( hProcess, hMod, szProcessName,
sizeof(szProcessName)/sizeof(TCHAR) );
}
}
if(strcmp(szProcessName, "crossfire.exe") == 0)
{
cout << "Found: " << szProcessName << endl;
int ID = processID;
CloseHandle( hProcess );
return ID;
}
else
{
CloseHandle( hProcess );
return NULL;
}
}
Our main function that is injected into crossfire.exe and an empty function to get this functions address:
Code:
static DWORD Injected(CDATA* data)
{
myGetKeyState keyState = (myGetKeyState)data->getkeystate_addr;
myBeep beep = (myBeep)data->beep_addr;
myMsgBox MsgBox = (myMsgBox)data->msgbox_addr;
MsgBox(0,data->msg, data->title, data->buttons);
while(TRUE)
{
if(keyState(VK_F10))
{
// Wallhack 0x74703C
memcpy((void*)(Wallhack), (PBYTE)"\x90\x90\x90\x90", 4);
beep(200,200);
}
Wait(1);
}
return 0;
}
static DWORD Empty(){
return 0;
}
The good stuff
Code:
void ject(DWORD procID)
{
CDATA cdata;
HANDLE TargetProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, procID);
if(TargetProcessHandle)
{
cout << "Process opened: " << procID << endl;
HMODULE user32 = LoadLibrary("User32.dll");
HMODULE kernel = LoadLibrary("Kernel32.dll");
if(!user32 || !kernel) return;
cout << "Kernel.dll loaded..." << endl;
cout << "User32.dll loaded..." << endl;
cdata.buttons = MB_OK;
strcpy_s(cdata.msg, "Press F10 ingame to activate wallhack!");
strcpy_s(cdata.title, "Crossfire Hooked!");
cdata.msgbox_addr = GetProcAddress(user32, "MessageBoxA");
cdata.getkeystate_addr = GetProcAddress(user32, "GetAsyncKeyState");
cdata.beep_addr = GetProcAddress(kernel, "Beep");
cout << " " << endl;
cout << "------------ADDYS------------" << endl;
cout << "MsgBox: " << cdata.msgbox_addr << endl;
cout << "KeyState: " << cdata.getkeystate_addr << endl;
cout <<"Beep: " << cdata.beep_addr << endl;
cout << "------------END ADDYS------------" << endl;
cout << " " << endl;
int szFunctionSize = (DWORD)Empty - (DWORD)Injected;
cout << "Function Size: " << szFunctionSize << endl;
LPVOID szFunctionAddress = VirtualAllocEx(TargetProcessHandle,0,szFunctionSize,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
cout << "Function addr: " << szFunctionAddress << endl;
int num2 = WriteProcessMemory(TargetProcessHandle,szFunctionAddress,(VOID*)Injected, szFunctionSize,0);
cout << "WriteProcessMemory returned: " << num2 << endl;
if(num2 == 0)
{
DWORD errCode = GetLastError();
char *err;
if (!FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,errCode,MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),(LPTSTR)&err,0,NULL))
return;
cout << "------> Error: " << err << endl;
return;
}
LPVOID szDataAdress = VirtualAllocEx(TargetProcessHandle,0,sizeof(CDATA),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
cout << "Data addr: " << szDataAdress << endl;
num2 = WriteProcessMemory(TargetProcessHandle,szDataAdress,&cdata,sizeof(CDATA),0);
cout << "WriteProcessMemory returned: " << num2 << endl;
if(num2 == 0)
{
DWORD errCode = GetLastError();
char *err;
if (!FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,errCode,MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),(LPTSTR)&err,0,NULL))
return;
cout << "------> Error: " << err << endl;
return;
}
DWORD lpNumberOfBytesWritten = 0;
HANDLE hand = CreateRemoteThread(TargetProcessHandle, 0, 0, (LPTHREAD_START_ROUTINE)szFunctionAddress, szDataAdress, 0, (SIZE_T*)&lpNumberOfBytesWritten);
if(hand != NULL)
{
WaitForSingleObject(TargetProcessHandle, 2000);
VirtualFree(szFunctionAddress, 0, MEM_RELEASE);
VirtualFree(szDataAdress, 0, MEM_RELEASE);
CloseHandle(TargetProcessHandle);
CloseHandle(hand);
cout << "Successfully Injected... Byteswritten: " << lpNumberOfBytesWritten << endl;
}
else
cout << "Error creating remote thread..." << endl;
}
else
cout << "Error opening process for injection..." << endl;
}
Code:
int privileges()
{
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0)
return 1;
else
return 0;
}
return 1;
}
Program entry point:
Code:
void main()
{
if(privileges() != 0)
{
cout << "Some kind of priviledge error..." << endl;
return;
}
while(1)
{
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
{
cout << "Error reading process list..." << endl;
return;
}
cProcesses = cbNeeded / sizeof(DWORD);
DWORD procID = NULL;
bool found = false;
for ( i = 0; i < cProcesses; i++ )
{
if( aProcesses != 0 )
{
procID = FindCFID( aProcesses );
if(procID != NULL)
{
found = true;
break;
}
}
}
if(!found)
cout << "waiting for crossfire.exe" << endl;
else
{
cout << "crossfire.exe found! Injecting..." << endl;
ject(procID);
break;
}
Sleep(1000);
}
}