Simple BF2 hack source with some interesting stuff.

Tyrano
Simple BF2 hack source with some interesting stuff.
I wrote this some months ago. It reads the individual bytes at a few offsets that hold, in little-endian order, the addresses we want to write to.

It puts the bytes back in order and combines them into a DWORD so we can write to that address. Since the offsets are out of code range, we use the VirtualProtectEx function to obtain write privileges.

Here is the highlighted source: Source:

Or just the plain one here:

Code:
#include <windows.h>
#include <Tlhelp32.h>
#include <iostream>
// WRITE(i, w, l): copies l bytes from w into the opened process at GameDLL + i.
// The macro is not self-contained: it expands to the names hProc, GameDLL and
// dSize, which must exist in the scope where it is used. Its arguments are not
// parenthesised, and the BOOL result of WriteProcessMemory is dropped unless
// the caller tests the expression.
#define WRITE(i,w,l) WriteProcessMemory(hProc,reinterpret_cast<LPVOID>(GameDLL + i),w,l,&dSize)

using namespace std;

// Forward declarations of the helpers defined after main().
DWORD GetPID (char* proc);
void EnableDebugPriv();
DWORD GetDLL (char* DllName, DWORD tPid);

// Entry point of an external memory patcher aimed at BF2 1.41. It sets an
// XOR-decoded console title, locates BF2.exe, enables the debug privilege,
// opens the process with PROCESS_ALL_ACCESS, reads four 32-bit values out of
// RendDX9.dll one byte at a time, and overwrites 2-4 bytes at the addresses
// derived from those values.
//
// Defensive reading: debug privilege + OpenProcess(PROCESS_ALL_ACCESS) on
// another process + VirtualProtectEx + WriteProcessMemory is the cross-process
// write sequence that anti-cheat and endpoint monitoring look for.
//
// Review notes on the code as written:
//  - No return value of ReadProcessMemory, VirtualProtectEx or
//    WriteProcessMemory is checked; BytesRead is never inspected.
//  - dSize is not reset between writes, so each "dSize == 0" test may see the
//    count left by an earlier write.
//  - hProc is never closed and NullBase is never used.
int main(void)
{
    char str[24];
	char buf[24];
	// Only the low byte of the key (0x10) has any effect after the cast to char.
	int key = 10000;

	// Obfuscated title, 22 characters plus terminator, so it fits in str[24].
	strcpy(str, "Dibq~_7c0RV\"0Dqw0Xqs{7");

	// Single-byte XOR decode into buf; the result is "TyranO's BF2 Tag Hack'".
	// strlen(str) is re-evaluated on every iteration and compared with a signed int.
	for(int i=0;i < strlen(str);i++) {
		char enc = (char)((int)str[i] ^ key);
		//char dec = (char)((int)enc ^ key);
		//printf("char: %c (enc: %c)\n", str[i], enc);
		buf[i] = enc;
	}
	buf[strlen(str)] = 0;

    SetConsoleTitle(buf);
       
    // GetPID returns 0 when no process with that name is found.
    if(GetPID("BF2.exe") == 0)
    {
        cout << "Please open BF2 1.41 before loading the hack." << endl << endl;
        system("Pause");
        return(0);
    }
    else
    {
        EnableDebugPriv();
        // The PID is looked up again here (and twice more below) instead of being reused.
        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, GetPID("BF2.exe"));
        if(hProc)
{ 
              cout << "BF2 Hack by TyranO loaded!" << endl << endl;
              // Module base addresses inside the target; GetDLL returns 0 when
              // the module is not found, which is not checked here.
              DWORD GameDLL = GetDLL("RendDX9.dll",GetPID("BF2.exe"));
              DWORD NullBase = GetDLL("BF2.dll",GetPID("BF2.exe"));
              DWORD dSize = 0;
              SIZE_T BytesRead = 0;
              
              // Each AddressN is a byte offset from the RendDX9.dll base and each
              // BufferN receives one byte from it. The decimal values are 2 past
              // the hex addresses quoted in the "Read Offset" comments below;
              // presumably that skips an opcode to reach a 32-bit operand - confirm.

              //Offset 1 (Fade out delay)
              DWORD Address1 = 1227505;
              DWORD Address2 = 1227506;
              DWORD Address3 = 1227507;
              DWORD Address4 = 1227508;
              DWORD Buffer1 = 0;
              DWORD Buffer2 = 0;
              DWORD Buffer3 = 0;
              DWORD Buffer4 = 0;
              
              // Offset 2 (Fade out delay fix)
              DWORD Address5 = 1235082;
              DWORD Address6 = 1235083;
              DWORD Address7 = 1235084;
              DWORD Address8 = 1235085;             
              DWORD Buffer5 = 0;
              DWORD Buffer6 = 0;
              DWORD Buffer7 = 0;
              DWORD Buffer8 = 0;
              
              // Offset 3 (Death delay)
              DWORD Address9  = 1234918;
              DWORD Address10 = 1234919;
              DWORD Address11 = 1234920;
              DWORD Address12 = 1234921;             
              DWORD Buffer9  = 0;
              DWORD Buffer10 = 0;
              DWORD Buffer11 = 0;
              DWORD Buffer12 = 0;
              
              // Offset 4 (Gun point tag delay)
              DWORD Address13 = 1234473;
              DWORD Address14 = 1234474;
              DWORD Address15 = 1234475;
              DWORD Address16 = 1234476;             
              DWORD Buffer13  = 0;
              DWORD Buffer14 = 0;
              DWORD Buffer15 = 0;
              DWORD Buffer16 = 0;
              
              
              // Sixteen one-byte reads from the target process. A failed read
              // leaves the zero-initialised buffer untouched and goes unnoticed.

              // Read Offset 1 ( 12BAEF )
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address1), &Buffer1, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address2), &Buffer2, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address3), &Buffer3, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address4), &Buffer4, 1, &BytesRead );
              
              //Read Offset 2 ( 12D888 )
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address5), &Buffer5, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address6), &Buffer6, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address7), &Buffer7, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address8), &Buffer8, 1, &BytesRead );
              
              //Read Offset 3 ( 12D7E4 )
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address9), &Buffer9, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address10), &Buffer10, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address11), &Buffer11, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address12), &Buffer12, 1, &BytesRead );

              //Read Offset 4 ( 12D627 )
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address13), &Buffer13, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address14), &Buffer14, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address15), &Buffer15, 1, &BytesRead );
              ReadProcessMemory( hProc, (LPVOID)( GameDLL + Address16), &Buffer16, 1, &BytesRead );

              // Reassemble each group of four bytes as a little-endian 32-bit
              // value (byte 1 is least significant), make it relative to the
              // module base and add a small constant (6, 0, 2, 6).
              DWORD Offset =  (Buffer4 * 16777216 + Buffer3* 65536 + Buffer2 * 256 + Buffer1 * 1 - GameDLL + 6);
              DWORD Offset2 = (Buffer8 * 16777216 + Buffer7* 65536 + Buffer6 * 256 + Buffer5 * 1 - GameDLL + 0);
              DWORD Offset3 = (Buffer12 * 16777216 + Buffer11* 65536 + Buffer10 * 256 + Buffer9 * 1 - GameDLL + 2);
              DWORD Offset4 = (Buffer16 * 16777216 + Buffer15* 65536 + Buffer14 * 256 + Buffer13 * 1 - GameDLL + 6);
                
              // Adding the base back yields the absolute address inside the target,
              // i.e. the value that was read plus the constant above.
              DWORD FullOffset = Offset + GameDLL;
              DWORD FullOffset2 = Offset2 + GameDLL;
              DWORD FullOffset3 = Offset3 + GameDLL;
              DWORD FullOffset4 = Offset4 + GameDLL;
              
              // Values are printed in decimal (no std::hex is applied).
              cout << "Base is:    " << GameDLL     << endl << endl;
              cout << "Offset1 is: " << FullOffset  << endl << endl;
              cout << "Offset2 is: " << FullOffset2 << endl << endl;
              cout << "Offset3 is: " << FullOffset3 << endl << endl;
              cout << "Offset4 is: " << FullOffset4 << endl << endl;
              
              // Writing offset 1 (Protected).
              // The page protection is changed to PAGE_READWRITE for
              // sizeof(Offset) == 4 bytes, then 2 bytes are written.
              unsigned long Protection;   
              VirtualProtectEx((void*)hProc,(void*)FullOffset,sizeof( Offset ),PAGE_READWRITE, &Protection);
              //WRITE (Offset,"\x21\xD7\xE6\xFA\xE0\x31\xF4\x45",8);
              WRITE (Offset,"\xF0\x7F",2);
              if(dSize == 0)
			  {
              cout << "Failed to write at offset." << endl<< endl;
			  }
			  // NOTE(review): the old-protection pointer is 0 here; the API is
			  // documented to fail in that case, so the saved protection is
			  // presumably not restored - confirm.
			  VirtualProtectEx((void*)hProc,(void*)FullOffset,sizeof( Offset ),Protection, 0);
			  
			  // Writing offset 2 (Not protected).
              WRITE (Offset2,"\x08\x8F\xA1\x6F",4);
              if(dSize == 0)
			  {
              cout << "Failed to write at offset2." << endl<< endl;
			  }
			  
			  // Writing offset 3 (Not protected).
              WRITE (Offset3,"\x80\x7F",2);
              if(dSize == 0)
			  {
              cout << "Failed to write at offset3." << endl<< endl;
			  }
			  
			  // Writing offset 4 (Protected).
			  // Same change/write/restore sequence as offset 1, reusing Protection.
              VirtualProtectEx((void*)hProc,(void*)FullOffset4,sizeof( Offset4 ),PAGE_READWRITE, &Protection); 
              WRITE (Offset4,"\x00\x00",2);
              if(dSize == 0)
			  {
              cout << "Failed to write at offset4." << endl<< endl;
			  }
			  // Prints the first byte read for offset 4, with no label or newline.
			  cout << Buffer13;
			  VirtualProtectEx((void*)hProc,(void*)FullOffset4,sizeof( Offset4 ),Protection, 0);
	          // This line is a function declaration, not a call: no error code is retrieved.
	          DWORD WINAPI GetLastError(void);
              system("Pause");
}
}
}            

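// Look up the process ID of the first running process whose executable name
// equals `proc` (compared case-insensitively).
// Returns 0 when `proc` is null, when the process snapshot cannot be taken,
// or when no process matches.
DWORD GetPID (char* proc)
{
	if (proc == NULL)
		return 0;

	// CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
	// NULL, so a plain truthiness test would treat a failed snapshot as valid.
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE)
		return 0;

	PROCESSENTRY32 lppe = {0};
	lppe.dwSize = sizeof(lppe);	// the API requires the size to be filled in first

	DWORD targetPid = 0;
	for (BOOL working = Process32First(hSnapshot, &lppe);
	     working;
	     working = Process32Next(hSnapshot, &lppe))
	{
		if (_stricmp(lppe.szExeFile, proc) == 0)
		{
			targetPid = lppe.th32ProcessID;
			break;
		}
	}

	// Only reached with a valid snapshot handle.
	CloseHandle(hSnapshot);
	return targetPid;
}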

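// Try to enable SeDebugPrivilege in the current process token.
// The function returns nothing, so callers cannot tell whether it worked; it
// gives up quietly if the token cannot be opened or the privilege name cannot
// be resolved. Enabling this privilege is a privilege adjustment that endpoint
// monitoring commonly watches for.
void EnableDebugPriv()
{
	HANDLE hToken = NULL;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return;	// no token handle was produced, so there is nothing to close

	LUID sedebugnameValue;
	// Only build the privilege set when the LUID was really filled in;
	// otherwise an uninitialised LUID would be passed on.
	if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
	{
		TOKEN_PRIVILEGES tkp;
		tkp.PrivilegeCount = 1;
		tkp.Privileges[0].Luid = sedebugnameValue;
		tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

		// AdjustTokenPrivileges can report success without granting anything
		// (GetLastError() == ERROR_NOT_ALL_ASSIGNED) when the token does not
		// hold the privilege; the void interface cannot surface that.
		AdjustTokenPrivileges(hToken, false, &tkp, sizeof(tkp), NULL, NULL);
	}

	CloseHandle(hToken);
}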

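// Return the base address of the module named `DllName` in process `tPid`.
// The name comparison is case-sensitive (strcmp), unlike GetPID.
// Returns 0 when `tPid` is 0, `DllName` is null, the module snapshot cannot be
// taken, or no module matches.
DWORD GetDLL(char* DllName, DWORD tPid)
{
	if (tPid == 0 || DllName == NULL) return 0;

	// Failure is reported as INVALID_HANDLE_VALUE; bail out instead of walking
	// and closing an invalid handle.
	HANDLE snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, tPid);
	if (snapMod == INVALID_HANDLE_VALUE) return 0;

	MODULEENTRY32 me32 = {0};
	me32.dwSize = sizeof(MODULEENTRY32);

	DWORD base = 0;
	if (Module32First(snapMod, &me32)) {
		do {
			if (strcmp(DllName, me32.szModule) == 0) {
				// The return type is a 32-bit DWORD, so this cast only holds
				// the whole address in a 32-bit build.
				base = (DWORD) me32.modBaseAddr;
				break;
			}
		} while (Module32Next(snapMod, &me32));
	}

	// Single exit path: the snapshot handle is closed exactly once.
	CloseHandle(snapMod);
	return base;
}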
For more C++ hack sources you can go on my user page there on **********: Root
#1 · 17y ago
Toymaker
Toymaker
This is one of the better code posts i've seen. I'm waiting on my BF:Heroes beta key actually. I'll leave your link beings you're citing the source, who is yourself ironically.
#2 · edited 17y ago · 17y ago
Sjoerd
Sjoerd
Quote Originally Posted by Toymaker View Post
This is one of the better code posts i've seen. I'm waiting on my BF:Heroes beta key actually. I'll leave your link beings you're citing the source, who is yourself ironically.
I have 5 betakeys..
want one?
#3 · 17y ago