I'm working on an external cheat using RPM. I was using the Radarstruct, but since it contains no flags it is of little use for an aimbot, so I want to switch from the Radarstruct to the base entities. Pointers to those are at client.dll+0x7063E4. When I generate a signature of that memory region, it looks like this:
But Olly can't even find its own pattern. KN4CK3R from OSH told me that this might be because it is located in the .data section (I don't remember exactly which section it was), which is normally not included in the module size. But after scanning each section of the DLL, it still does not find anything.
I have also searched for pointers (I looked up all level 1, 2 and 3 pointers), and the same problem occurs with those: Olly isn't finding its own pattern, and scanning all sections for them does not work either.
My code:
/*
 * Fragment: copies the first 1024 bytes at dwClientBase out of the process
 * behind hProc, walks the PE section table found in that copy, records base
 * and size values for four named sections, then calls dwFindPatternExternal
 * once per section with the same 10-byte pattern and an all-'x' mask.
 *
 * pbBuffer, hProc, dwClientBase and dwPattern are declared outside this
 * fragment.
 *
 * NOTE(review): neither malloc nor ReadProcessMemory is checked here; if
 * either fails, the header parsing below works on a NULL or unfilled buffer.
 * NOTE(review): pbBuffer is not freed within this fragment.
 */
pbBuffer = (BYTE*)malloc(1024);
ReadProcessMemory(hProc, (void*)dwClientBase, pbBuffer, 1024, NULL);
/*
 * NOTE(review): none of these locals has an initializer. Each one only gets a
 * value if the matching assignment in the loop runs, so any that is left
 * unassigned is read with an indeterminate value by the calls further down.
 */
DWORD dwTextBase, dwTextSize, dwRDataBase, dwRDataSize, dwDataBase, dwDataSize, dwRelocBase, dwRelocSize;
PIMAGE_DOS_HEADER dosimg = (PIMAGE_DOS_HEADER)pbBuffer;
if(dosimg->e_magic == IMAGE_DOS_SIGNATURE)
{
    /*
     * NOTE(review): e_lfanew comes from the copied data and is used as an
     * offset into the 1024-byte buffer without a bounds check; the NT headers
     * and the section table are likewise assumed to fit inside those bytes.
     */
    PIMAGE_NT_HEADERS ntimg = (PIMAGE_NT_HEADERS)(pbBuffer + dosimg->e_lfanew);
    if(ntimg->Signature == IMAGE_NT_SIGNATURE)
    {
        PIMAGE_SECTION_HEADER sectionimg = IMAGE_FIRST_SECTION(ntimg);
        for(int i = 0; i < ntimg->FileHeader.NumberOfSections; i++)
        {
            /*
             * Section names are compared by substring with strstr.
             * NOTE(review): Name is a fixed 8-byte field that has no NUL
             * terminator when the name fills all 8 bytes, so strstr and the
             * "%s" conversions below can read past the field.
             */
            if(strstr((char*)sectionimg->Name, ".text"))
            {
                dwTextBase = sectionimg->VirtualAddress;
                dwTextBase = sectionimg->SizeOfRawData;
            }
            if(strstr((char*)sectionimg->Name, ".rdata"))
            {
                dwRDataBase = sectionimg->VirtualAddress;
                dwRDataSize = sectionimg->SizeOfRawData;
            }
            if(strstr((char*)sectionimg->Name, ".data"))
            {
                dwDataBase = sectionimg->VirtualAddress;
                dwDataSize = sectionimg->SizeOfRawData;
            }
            if(strstr((char*)sectionimg->Name, ".reloc"))
            {
                dwRelocBase = sectionimg->VirtualAddress;
                dwRelocSize = sectionimg->SizeOfRawData;
            }
            /* Print every section's VirtualAddress and SizeOfRawData, matched or not. */
            printf("[*] %s\tBase\t0x%X\n", sectionimg->Name, sectionimg->VirtualAddress);
            printf("[*] %s\tSize\t0x%X\n", sectionimg->Name, sectionimg->SizeOfRawData);
            sectionimg++;
        }
    }
}
/*
 * The calls below run even when the signature checks above failed, in which
 * case every base/size argument is still unassigned.
 */
dwPattern = dwFindPatternExternal(hProc, dwClientBase + dwTextBase, dwTextSize, (PBYTE)"\x18\x4C\x62\x22\xB3\x00\x00\x00\xD4\x63", "xxxxxxxxxx");
printf("[*] Pattern in Textsection:\t0x%X\n", dwPattern);
dwPattern = dwFindPatternExternal(hProc, dwClientBase + dwRDataBase, dwRDataSize, (PBYTE)"\x18\x4C\x62\x22\xB3\x00\x00\x00\xD4\x63", "xxxxxxxxxx");
printf("[*] Pattern in RDatasection:\t0x%X\n", dwPattern);
dwPattern = dwFindPatternExternal(hProc, dwClientBase + dwDataBase, dwDataSize, (PBYTE)"\x18\x4C\x62\x22\xB3\x00\x00\x00\xD4\x63", "xxxxxxxxxx");
printf("[*] Pattern in Datasection:\t0x%X\n", dwPattern);
dwPattern = dwFindPatternExternal(hProc, dwClientBase + dwRelocBase, dwRelocSize,
(PBYTE)"\x18\x4C\x62\x22\xB3\x00\x00\x00\xD4\x63", "xxxxxxxxxx");
printf("[*] Pattern in Relocsection:\t0x%X\n", dwPattern);
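/**
 * Copy dwSize bytes starting at dwStartAdd out of the process behind hProcess
 * into a temporary heap buffer and run dwFindPattern over that copy.
 *
 * @param hProcess   Process handle passed to ReadProcessMemory.
 * @param dwStartAdd Start address of the region in the other process.
 * @param dwSize     Number of bytes to copy and search.
 * @param pbMask     Pattern bytes, forwarded unchanged to dwFindPattern.
 * @param pszMask    Mask string, forwarded unchanged to dwFindPattern.
 * @return dwStartAdd plus the offset of the match inside the region, or 0 on
 *         bad arguments, allocation failure, read failure, or no match.
 *
 * The temporary buffer is owned by this function and released on every path.
 */
DWORD dwFindPatternExternal(HANDLE hProcess, DWORD dwStartAdd, DWORD dwSize, unsigned char *pbMask, char *pszMask)
{
    /* Validate first so a rejected call never allocates (and never asks for malloc(0)). */
    if(!hProcess || !dwStartAdd || !dwSize || !pbMask || !pszMask)
    {
        printf("Wrong args\n");
        return 0;
    }

    BYTE* pbProcData = (BYTE*) malloc(dwSize);
    if(pbProcData == NULL)
    {
        printf("malloc failed\n");
        return 0;
    }

    DWORD dwResult = 0;

    if(!(ReadProcessMemory(hProcess, (void*)dwStartAdd, (void*)pbProcData, dwSize, NULL)))
    {
        printf("Read Failed\n");
    }
    else
    {
        /*
         * NOTE(review): the DWORD cast narrows the buffer pointer; this is
         * only lossless in a 32-bit build -- confirm the target architecture.
         */
        DWORD dwPattern = dwFindPattern((DWORD)pbProcData, dwSize, pbMask, pszMask);
        if(!dwPattern)
        {
            printf("dwFindPattern failed\n");
        }
        else
        {
            /* Turn the address inside the local copy into an offset from the region start. */
            dwPattern -= (DWORD)pbProcData;
            printf("Found Sig at: 0x%X\n", dwPattern);
            dwResult = dwStartAdd + dwPattern;
        }
    }

    /* Single release point: the original returned without freeing on every path. */
    free(pbProcData);
    return dwResult;
}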
Thanks for your help.