
I've been attempting to modify an array of bytes that I found inside of Cheat Engine inside of C++, but I've reached an Access Violation crash when I attempt to read or write from it.

    // Writes pillarbox removal into memory ("33 83 4C 02" to "33 83 4C 00").
    *(BYTE*)(*((intptr_t*)((intptr_t)baseModule + 0x1E14850)) + 0x3) = 00;

I'm wondering what I'm doing wrong, as using something similar for the float values that I modified worked fine once I unprotected the main module handle.

KingKrouch
  • What tools are you using to compile/run this C++? For those of us unfamiliar with Cheat Engine. – JohnFilleau Apr 29 '20 at 19:20
  • I assume `baseModule + 0x1e14850` holds the address of the `0x33834c02` data and shouldn't hold the data itself? – JohnFilleau Apr 29 '20 at 19:28
  • @JohnFilleau I'm using Visual Studio 2019, alongside ASI Loader. – KingKrouch Apr 29 '20 at 19:34
  • I assume the AOB CE scan returned you the `BaseModule+0x1E14850` address. If you want to write 00 to process memory, why not use `WriteProcessMemory`? – user Apr 29 '20 at 19:35
  • @user The address itself where the AOB is, according to Cheat Engine's address properties was the game process + 1E14850, which is where I got that from. – KingKrouch Apr 29 '20 at 19:38
  • I just don't understand: this C++ code would change the memory if it's a DLL injected into the game, is that how you are doing it? Running this code from a separately compiled program will not change a game's memory; for that you'd need to use `WriteProcessMemory`. You need to add more information on what you're doing. – user Apr 29 '20 at 19:43
  • @user Yes. It's a DLL file that gets loaded by ASI Loader. I'm attempting to change the 02 byte in that byte array to disable the pillarboxing used in a UE4 game when running on a display wider than 16:9. – KingKrouch Apr 29 '20 at 19:46
  • Have you checked in the CE disassembler that address `baseModule + 0x1e14850` indeed holds `33 83 4C 02` to begin with? – user Apr 29 '20 at 19:49
  • @user, I can confirm that it indeed does, when I looked at it in the CE disassembler. – KingKrouch Apr 29 '20 at 19:52
  • have you made sure your dll code gets executed, say by throwing a msgbox for instance ? – user Apr 29 '20 at 19:58
  • @user, yes I can confirm that my DLL code gets executed. It's just that when I attempt to write said byte value to memory, it causes the game to crash. Using this to change the field of view works fine though: *(float*)((intptr_t)baseModule + 0x2CD03B0) = (float)FOV; – KingKrouch Apr 29 '20 at 20:02
  • Check if the memory you are attempting to change has write access; for this, in the CE disassembler: View > Memory Regions. – user Apr 29 '20 at 20:08
  • The page protection is read execute, according to Cheat Engine's disassembler, @user. I was able to unprotect the module handle by using "ScopedUnprotect::FullModule UnProtect(baseModule);;" with the float values, but that doesn't seem to work with the bytes. – KingKrouch Apr 29 '20 at 20:16
  • Hmm, at this point it's more reverse engineering than C++, but either way, if you changed the protection shouldn't it also show in the CE memory map? – user Apr 29 '20 at 20:21
  • Yes, with the protection changed, it shows that it's read/write/execute in Cheat Engine's disassembler. – KingKrouch Apr 29 '20 at 20:25
  • Does the game have anti-cheat protection? Try putting a breakpoint before the address you intend to change, then inject the DLL, then check if the DLL changed any byte. – user Apr 29 '20 at 20:31
  • @user The game doesn't have anti-cheat protection, as I was able to edit the bytes in Cheat Engine's address list just fine. – KingKrouch Apr 29 '20 at 20:34
  • Can you edit your question with the full DLL code (or at least the code we need to see, but make it a minimal reproducible example)? Also, what injector are you using? – user Apr 29 '20 at 20:36
  • @user, I am using ASI Loader to inject the DLL. As for the full DLL code, here it is: https://github.com/KingKrouch/21xMachi9/blob/master/Source/dllmain.cpp As for the link to ASI Loader: https://github.com/ThirteenAG/Ultimate-ASI-Loader – KingKrouch Apr 29 '20 at 20:38
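As an added illustration (not the asker's code): the expression in the question, `*(BYTE*)(*((intptr_t*)((intptr_t)baseModule + 0x1E14850)) + 0x3) = 00;`, does not address the fourth byte of the pattern. It reads the pointer-sized value stored at `baseModule + 0x1E14850` (the pattern bytes `33 83 4C 02 …` themselves), adds 3 to that value and writes through the result, which is the unrelated address JohnFilleau's comment hints at, hence the access violation. The program below reproduces both address computations against a constructed in-process buffer (made-up offset, no game involved) and adds the check a patcher should always do before writing: compare the bytes at the location with the pattern the scan found and refuse to write otherwise. `FakeModule`, `PatchByteIfExpected` and the other names are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Constructed stand-in for a loaded module: a small buffer in which the pattern
// 33 83 4C 02 sits at kPatternOffset. The offset is made up for this example; the
// question's real offset is 0x1E14850 inside the game executable.
static constexpr std::size_t kPatternOffset = 0x10;
static const unsigned char kExpected[4] = {0x33, 0x83, 0x4C, 0x02};

struct FakeModule {
    unsigned char bytes[0x40];
    FakeModule() {
        std::memset(bytes, 0x90, sizeof bytes);                      // filler (NOP) bytes
        std::memcpy(bytes + kPatternOffset, kExpected, sizeof kExpected);
    }
};

// What the question's expression actually computes: it reads the pointer-sized value
// stored AT base+offset (i.e. the pattern bytes themselves), adds 3 to that value and
// uses the result as the address to write. memcpy is used instead of the raw cast so
// the read is well-defined here; the arithmetic is identical to the question's.
std::uintptr_t QuestionsTargetAddress(std::uintptr_t base, std::size_t offset) {
    std::uintptr_t stored = 0;
    std::memcpy(&stored, reinterpret_cast<const void*>(base + offset), sizeof stored);
    return stored + 0x3;
}

// What was intended: the address of the fourth byte of the pattern.
std::uintptr_t IntendedTargetAddress(std::uintptr_t base, std::size_t offset) {
    return base + offset + 0x3;
}

// Writes one byte only if the location still holds the bytes the scan found.
// Returns false and leaves memory untouched otherwise (wrong build, wrong offset,
// or the byte has already been patched). The page is assumed writable here; on
// Windows that is what the VirtualProtect pair in the accepted answer arranges.
bool PatchByteIfExpected(unsigned char* location, const unsigned char* expected,
                         std::size_t len, std::size_t index, unsigned char newValue) {
    if (index >= len) return false;
    if (std::memcmp(location, expected, len) != 0) return false;
    location[index] = newValue;
    return true;
}

// Shows that the two address computations disagree.
bool DemoAddressesDiffer() {
    FakeModule m;
    std::uintptr_t base  = reinterpret_cast<std::uintptr_t>(m.bytes);
    std::uintptr_t wrong = QuestionsTargetAddress(base, kPatternOffset);
    std::uintptr_t right = IntendedTargetAddress(base, kPatternOffset);
    std::cout << std::hex << "question's address: 0x" << wrong
              << "\nintended address:   0x" << right << std::dec << '\n';
    return wrong != right && right == base + kPatternOffset + 3;
}

// Shows the checked patch: the first write succeeds, a second identical attempt
// is refused because the bytes no longer match the original pattern.
bool DemoCheckedPatch() {
    FakeModule m;
    unsigned char* loc = m.bytes + kPatternOffset;
    bool first  = PatchByteIfExpected(loc, kExpected, sizeof kExpected, 3, 0x00);
    bool second = PatchByteIfExpected(loc, kExpected, sizeof kExpected, 3, 0x00);
    return first && !second && loc[3] == 0x00;
}

int main() {
    std::cout << (DemoAddressesDiffer() ? "addresses differ\n" : "unexpected\n");
    std::cout << (DemoCheckedPatch() ? "checked patch ok\n" : "unexpected\n");
    return 0;
}
```

The pre-write comparison is the cheap safeguard that turns a silent corruption of whatever happens to live at a stale offset into a clean refusal to patch, which matters as soon as the game updates and the scan result moves.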

1 Answer


Try this:

    #include <windows.h>
    #include <cstring>

    void WriteToMemory(uintptr_t addressToWrite, const char* valueToWrite, int byteNum)
    {
        // Temporarily changes the page protection of the target bytes, stores the
        // old protection and restores it after the memory is written.
        DWORD OldProtection = 0;
        // Give that address read/write/execute permission and store the old permissions in OldProtection.
        if (!VirtualProtect((LPVOID)addressToWrite, byteNum, PAGE_EXECUTE_READWRITE, &OldProtection))
            return; // protection change failed; writing now would fault

        // Write the bytes into the program, overwriting the previous value.
        memcpy((LPVOID)addressToWrite, valueToWrite, byteNum);

        // Reset the permissions back to OldProtection after writing. VirtualProtect
        // requires a non-NULL lpflOldProtect (the call fails with NULL), so use a scratch variable.
        DWORD dummy = 0;
        VirtualProtect((LPVOID)addressToWrite, byteNum, OldProtection, &dummy);
    }

and call it as such:

    // GetModuleInfo is assumed to be a helper (not a Win32 API) that fills a MODULEINFO
    // for the named module, e.g. via GetModuleHandleA + GetModuleInformation from <psapi.h>.
    MODULEINFO mInfo = GetModuleInfo("name.exe");

    // Assign our module base; keep it pointer-sized so it is not truncated on 64-bit builds.
    uintptr_t baseModule = (uintptr_t)mInfo.lpBaseOfDll;
    uintptr_t addressToWrite = baseModule + 0x1E14850;
    char writeThis[] = "\x33\x83\x4c\x00";
    WriteToMemory(addressToWrite, writeThis, 4);

Please let me know if it worked.

user
  • It appears that an error that says "a value of type "HMODULE" cannot be used to initialize an entity of type "uintptr_t"" is thrown around the baseModule variable of that function call. – KingKrouch Apr 29 '20 at 21:01
  • By replacing what threw that error to " uintptr_t addressToWrite = ((intptr_t)baseModule + 0x1E14850);", it works perfectly. Thanks! – KingKrouch Apr 29 '20 at 21:07
  • great, glad we could do it in the end – user Apr 29 '20 at 21:08
  • @KingKrouch just for the sake of it, https://guidedhacking.com/threads/c-signature-scan-pattern-scanning-tutorial.3981/ shows quite similar code which includes a (really badly optimized, yet sort of working) byte pattern scan inside the DLL, which would avoid you having to use CE to do the AOB scan every time you start the game. – user Apr 29 '20 at 21:10