Search site: 

| Home | PC Cheat Codes | Game Patch Updates | PC Game Trainers | PC Game Tools | Game Patch Fixes | Articles | Discussion Forums | Contact |

Trainer Tutorials

Latest Forum Discussions:

This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Code Injection Part 3 Tutorial

You can view this tutorial in its original format here
                  @@@@@@@   @@@@@@@  @@@@@@@@ @@@@@
                  @@@@@@@@  @@@@@@@@ @@@@@@@@ @@@@@
                  @@!  @@@  @@!  @@@      @@@ @@!!@
                  !@!  @!@  !@!  @!@     @!@  !@ @!
                  @!@!!@!   @!@!!@!     !!@!  @@@!!
                  !!@!@!!!  !!@!@!     !!@    !!!!!
                  !!:   !!! !!: :!!  !!!::!!! !!::! 
                  :!:   !:! :!:  !:! !:!:!::! :!:!!
                  :!!:::!!  ::   :::   ::!:   :::!
                  ::!!:!!   :    : :     :     ::
                    :::     
                     :

Tutorial on Code Injection - Part 3 - Injecting a ShellExecute API by brzi
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Released under DEViOUS (http://www.devious.tsongkie.com)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
brzi@devious.tsongkie.com
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Best viewed in WordPad, font Courier New, Regular, 10

TABLE OF CONTENTS
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
1. Introduction
2. Tools Needed
3. API Explanation 
4. The Injection
5. Final Words
6. Greets


1.INTRODUCTION - a short one :)
**************

Well here i'm again, in front of my PC writting another tutorial as I 
promised in my previous tutorial. In this one i'll show you how to inject
a very useful API function called ShellExecute. It is used for many things
as opening documents, executable files, webpages and so on. Again i'll use
Tsongkie's Code Cave Tool because:
1. It's a very good and useful program.
2. It has a lot of functions that we can use.
3. Because Tsongkie is the author and he's a good friend of mine and he 
wont be angry if we play with his progie as long as it used for learning
or will you Tsongkie??? I know that this is not a real "introduction" 
but who gives a f**k... Let's continue..

2.TOOLS NEEDED
**************

-> TSearch - www.gamehacking.com
-> Tsongkie's Code Cave Tool - www.tsonggkie.com
-> W32Dasm89 - Windows Disassembler - wwww.gamehacking.com
-> API reference - i had a link for thiss but i forgot it, sorry :)
-> Piece of paper

3. API EXPLANATION
******************

As i sad well use ShellExecute Api for this tutorial. The explanation is a
little long but it's very good. Here it is ..

The ShellExecute function opens or prints a specified file. The file can be 
an executable file or a document file. See 

HINSTANCE ShellExecute(

    HWND  hwnd,	// handle to parent window
    LPCTSTR  lpOperation,	// pointer to string that specifies operation to perform
    LPCTSTR  lpFile,	// pointer to filename string
    LPTSTR  lpParameters,	// pointer to string that specifies executable-file parameters 
    LPCTSTR  lpDirectory,	// pointer to string that specifies default directory
    INT  nShowCmd 	// whether file is shown when opened
   );	
Parameters

hwnd

Specifies a parent window. This window receives any message boxes that an 
application produces. For example, an application may report an error by 
producing a message box.  

lpOperation

Pointer to a null-terminated string that specifies the operation to perform. 
The following operation strings are valid:

String	Meaning

"open"	The function opens the file specified by lpFile. The file can be
an executable file or a document file.

"print"	The function prints the file specified by lpFile. The file 
should be a document file. If the file is an executable file, the function 
opens the file, as if "open" had been specified.

The lpOperation parameter can be NULL. In that case, the function opens the 
file specified by lpFile. 

lpFile

Pointer to a null-terminated string that specifies the file to open or 
print. The function can open an executable file or a document file. 
The function can print a document file. 

lpParameters

If lpFile specifies an executable file, lpParameters is a pointer to a 
null-terminated string that specifies parameters to be passed to the 
application.
If lpFile specifies a document file, lpParameters should be NULL. 

lpDirectory

Pointer to a null-terminated string that specifies the default directory. 

nShowCmd

If lpFile specifies an executable file, nShowCmd specifies how the 
application is to be shown when it is opened.  This parameter can be one of 
the following values: 

Value	Meaning

SW_HIDE	Hides the window and activates another window.
SW_MAXIMIZE	Maximizes the specified window.
SW_MINIMIZE	Minimizes the specified window and activates the next top-level 
window in the Z order.
SW_RESTORE	Activates and displays the window. If the window is minimized or
maximized, Windows restores it to its original size and position. 
An application should specify this flag when restoring a minimized window.
SW_SHOW	Activates the window and displays it in its current size and position. 
SW_SHOWDEFAULT	Sets the show state based on the SW_ flag specified in 
the STARTUPINFO structure passed to the CreateProcess function by the 
program that started the application. An application should call ShowWindow 
with this flag to set the initial show state of its main window.
SW_SHOWMAXIMIZED	Activates the window and displays it as a maximized window.
SW_SHOWMINIMIZED	Activates the window and displays it as a minimized window.
SW_SHOWMINNOACTIVE	Displays the window as a minimized window. 
The active window remains active.
SW_SHOWNA	Displays the window in its current state. The active window 
remains active.
SW_SHOWNOACTIVATE	Displays a window in its most recent size and position. 
The active window remains active.
SW_SHOWNORMAL	Activates and displays a window. If the window is 
minimized or maximized, Windows restores it to its original size and 
position. An application should specify this flag when displaying the 
window for the first time.
If lpFile specifies a document file, nShowCmd should be zero. 

Return Value

If the function succeeds, the return value is the instance handle of the 
application that was run, or the handle of a dynamic data exchange (DDE) 
server application.
If the function fails, the return value is an error value that is less than
or equal to 32. The following table lists these error values:

Value	Meaning
0	The operating system is out of memory or resources.
ERROR_FILE_NOT_FOUND	The specified file was not found.
ERROR_PATH_NOT_FOUND	The specified path was not found.
ERROR_BAD_FORMAT	The .EXE file is invalid (non-Win32 .EXE or error in .EXE 
image).
SE_ERR_ACCESSDENIED	Windows 95 only: The operating system denied access 
to the specified file. 
SE_ERR_ASSOCINCOMPLETE	The filename association is incomplete or invalid.
SE_ERR_DDEBUSY	The DDE transaction could not be completed because other 
DDE transactions were being processed.
SE_ERR_DDEFAIL	The DDE transaction failed.
SE_ERR_DDETIMEOUT	The DDE transaction could not be completed because the 
request timed out.
SE_ERR_DLLNOTFOUND	Windows 95 only: The specified dynamic-link library 
was not found. 
SE_ERR_FNF	Windows 95 only: The specified file was not found. 
SE_ERR_NOASSOC	There is no application associated with the given filename
extension.
SE_ERR_OOM	Windows 95 only: There was not enough memory to complete the 
operation.
SE_ERR_PNF	Windows 95 only: The specified path was not found.
SE_ERR_SHARE	A sharing violation occurred.


4. THE INJECTION
****************

First let's explore Tsongkie's Code Cave Tool a little. If you run it you
will see that it has:
1. A logo -> This does nothing
2. A listbox -> Display Code Cave's found in the specified process
3. An EditBox -> You type the Window Name here
4. And three buttons:
	* Search -> Searches and opens a process with the Wnd Name given
	* Help -> Runs the Readme.txt file <- this btn is useful for this tut
	* About -> Displays information about who coded the program

So if you press the help button it will open the Readme.txt which can be
found in the program directory or if the file does not exist it will open
your Windows Readme File. Now we will inject the ShellExecute function so
it will open another file or executable. Let's make a little MSGBOX program
that we will use for opening. The first example is in mASM and the second in
Visual Basic. You can use any program you like, this is just an example.

-> MASM - don't type this :)

.386
.model flat, stdcall
option casemap: none

include \masm32\windows.inc
include \masm32\user32.inc
include \masm32\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
MsgText db "Brzi's Code Injection Tut #3",0
MsgCap db "Info",0

.code
start:
invoke MessageBox,NULL,addr MsgText,addr MsgCap,MB_OK
invoke ExitProcess,NULL
end start

Well i think that it is something like this :)
In VB remove the Form1 form and add a module and type this in it

Sub Main()
MsgBox "Brzi's Code Injection Tut #3", "Info", vbOkOnly
End Sub

Compile it.

Ok now let's disassemble the file with W32Dsm89. Click on the ImpFn button 
on the toolbar and then double click on the ShellExecuteA function.
I have this code:

:0040106A 6A03                    push 00000003 <- whether file is show when opened
:0040106C 6A00                    push 00000000 <- pointer to string that specifies default directory
:0040106E 6A00                    push 00000000 <- pointer to string that specifies executable-file parameters

* Possible StringData Ref from Data Obj ->"README.TXT"
                                  |
:00401070 683E304000              push 0040303E <- pointer to filename string
:00401075 6A00                    push 00000000 <- pointer to string that specifies operation to perform
:00401077 6A00                    push 00000000 <- handle to parent window

* Reference To: SHELL32.ShellExecuteA, Ord:006Eh
                                  |
:00401079 E890010000              Call 0040120E <- call ShellExecute
:0040107E EB3A                    jmp 004010BA <- we jmp back here

So now we know everything that we need so run TSearch and open EasyWrite.
I found some code caves so you don't have to bother to search for them.

//[BEGIN TSEARCH SCRIPT - ShellExecute]

//First we will write our .exe name
offset 0040125C
asc "MsgBox.exe" 
//change the MsgBox.exe to whatever program you want to run
//NOTE: If you specify only the .exe name then you will have to copy the exe
//to TCCT directory or you will need to specify the whole path but that will
//use lots of bytes

//this is null terminator needed for all string
hex 00  

//Now we will write the operation
offset 0040126C

//this is the operation that will be performed
asc "open" 
//null terminator
hex 00 

//Now we will inject the most important things
//Here we will land when we jump from the main code
offset 0040127C

//whether the file is show when opened
push 00000003

//push pointer to string that specifies default directory
push 00000000

//push pointer to string that specifies executable-file parameters
push 00000000

//push the name of the file to be opened
//this was 0040303E
push 0040125C 

//push the operation that will be performed
push 0040126C

//push the handle of window
push 00000000

//call ShellExecute
Call 0040120E

//jump back 
jmp 0040107E

//Now we will jmp from the main code to our code
offset 0040106A
jmp 0040127C

//[END TSEARCH SCRIPT - ShellExecute]

This is how to code looks without the explanation

Our Code:

push 00000003
push 00000000
push 00000000
push 0040125C
push 0040126C
push 00000000
Call 0040120E
jmp 0040107E

The game code (replaced):

jmp 0040127C
push .....
..........

Well add a hotkey to the script and try it. It opened our program! 
Interesting stuff eh.. Or you can replace the MsgBox.exe with TCCT and that
way when you press the help button it will open Tcct.exe.
Until next time cya... Take care :)


5.FINAL WORDS
*************

Always when you do code injection, always poke your code first then the main
code because the game/program will crash in some cases and it is save and 
better. And i need a favor - will somebody make me a good ascii logo cuz
mine sucks - please!. For any suggestions/questions, crittics are welcome
mail me at brzi@devious.tsongkie.com 
And one other thing.. I think that these tutorials can help you how to learn
to code in ASM ->Tasm. This is how the code will look in TASM way. Just the
function. I'm not saying that i know how to code in TASM, but i know how to 
do some stuff so..

push 3
push 0
push 0
push 0040125C
push 0040126C
push 0
Call ShellExecute


->brzi

        'at the end of days, at the end of time...
     when the sun burns out,will any of this matter?
       who will be there to remember who we were..
  who will know that any of this had meaning for us...'

6.GREETS
********

 + Stoner + Omega + Tsongkie + EEDOK + Bie + Micral + Invader + VBTrainer +
 + PCP + [sheep] + snow + ddh + rat + SubZero and everybody else..
-> Greets in no special order ... 

Copyright İ (1998) 2004 - 2016 GamePatchPlanet.com. All Rights Reserved. Privacy Policy Disclaimer