Trainer Tutorials

This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Code Injection Trainer Part 1 Lvl. 3

Code Injection (Message Boxes)



Right, have you ever wondered how people make those in-game trainer menus that display the hotkeys and info? Very cool stuff. What we will be learning in this essay is how to inject a message box into the executable supplied in the zip file. A bit of basic asm will go a long way here, and you will need to know how to use T-Search and a disassembler. This is a tutorial on code injection, not on how to use T-Search, so if you don't know any asm and are having problems with this tutorial, don't bother mailing me; if you are a total noob, don't even bother attempting it.



Now I know this isn't the first and most probably not the last tutorial on this. I didn't invent this method, so I take no credit for it. Right, with that out of the way, let's continue:



Tools needed:-

The example file: download it here http://shinero.4t.com/Msgbox%20Injection.zip

T-Search memory searcher: http://www.extalia.com

W32Dasm Windows disassembler: http://www.gamehacking.com

Win32 API reference (search for it on Google)



Some Background

Now if you look up MessageBoxA in your API reference you will find this:



int MessageBox(



HWND hWnd, // handle of owner window

LPCTSTR lpText, // address of text in message box

LPCTSTR lpCaption, // address of title of message box

UINT uType // style of message box

);



Parameters



hWnd

Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.



lpText

Points to a null-terminated string containing the message to be displayed.



lpCaption

Points to a null-terminated string used for the dialog box title. If this parameter is NULL, the default title Error is used.



uType

Specifies the contents and behaviour of the dialog box.



This is the basic message box structure in assembly:

push Style          //style of message box (uType)
push Caption        //caption of message box (lpCaption)
push Text           //text to be displayed in the main body (lpText)
push WindowHandle   //the window handle (hWnd)
call MessageBoxA    //call the MessageBoxA API



Now because MessageBoxA uses the stdcall convention, the arguments are pushed onto the stack backwards, right to left: the style first, then the caption, then the main text, then the window handle, and only then the call to the MessageBoxA API. For this example the style push and the window handle are already set up in the executable; the style push comes before the caption push, so it sits above the first line we will be patching and we leave it alone. If you want to start applying this to games you will have to find the window handle yourself, which will be covered in the next part of this essay.



Seeing as all we are going to do is edit the message box that already appears, we want to look for this structure in the main executable of the example file. If you don't know how to find code caves, read up on my last code injection essay; for now I have already included the code cave addresses.



Now fire up W32Dasm, open the exe included with this file and click on the button with the green light and the letters Imp above it. This brings up a list box of all the APIs the application imports. Notice MessageBoxA: double click it and you will be taken to the part of the code that references the MessageBoxA API. Scroll up a couple of lines and you will see this:



* Possible StringData Ref from Data Obj ->"about"
:00401131 6800204000 push 00402000

* Possible StringData Ref from Data Obj ->"MsgBox Example"
:00401136 6806204000 push 00402006
:0040113B FF7508     push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:0000h
:0040113E E846000000 call 00401189
:00401143 C3         ret

(The call opcode is E8, not EB, which is a short jmp: E8 followed by the 32-bit displacement 46, measured from the end of the 5-byte instruction, gives 40113E + 5 + 46 = 401189. Address 401189 is the application's stub for the imported MessageBoxA, which is why W32Dasm labels the call with the USER32 reference.)



So this is what we've got:

push 00402000 --- message box caption
push 00402006 --- message box text
push [ebp+08] --- window handle
call 00401189 --- call the MessageBoxA API



So basically what we want to do is jmp from 401131 to our code cave, recreate in the cave all the instructions above up to and including the call at 40113E, and then jump back to the ret at 401143. The only difference is that the first two pushes, the caption at 401131 and the text at 401136, are replaced in our code cave with pushes of our own caption and text. The jmp we write is 5 bytes long, exactly the size of the push it overwrites, so no instruction gets cut in half; the pushes at 401136 and 40113B stay in the file but are never executed again. I hope you're still with me here. :o)



Just to summarise:

00401131 jmp to code cave

Code cave: recreate all instructions up to and including the call to MessageBoxA, so:

push 00402000 --- message box caption (we want to replace this)
push 00402006 --- message box text (we want to replace this)
push [ebp+08] --- window handle
call 00401189 --- call the MessageBoxA API
jmp 00401143  --- jump back to the ret after the MessageBoxA call



Right, let's first do our message and the message box caption. Open T-Search, click EasyWrite and type this:



offset 10b2e //code cave for the message box caption
asc "Goddammit" //what will be displayed in the caption
hex 00 //null terminator: MessageBoxA expects a null-terminated string

offset 10b63 //code cave for the message box main text
asc "We've bloody done it" //text to appear in the body
hex 00 //null terminator



Right, and now for our main code cave we must rewrite the whole message box structure we found, replacing the first two pushes with the addresses of our two string caves. A word on the cave addresses: the three caves must not overlap each other or the code you are patching (the code cave needs 23 bytes, the caption 10 including its null and the text 21), and the code cave must be somewhere the process can execute. Note that these are written as 5-digit offsets while the code you are patching sits at 4011xx; if a write fails or the program crashes, check that the cave addresses are the full addresses of unused space inside the loaded example file before going further. So:



offset 401131 //start of the message box procedure
jmp 10abf //jump to our code cave (5 bytes, overwrites exactly the push at 401131)

offset 10abf //our code cave
push 10b2e //replaces the original caption push with our caption cave
push 10b63 //same here, but with the text cave
push [ebp+08] //window handle, same as the original instruction
call 401189 //call the MessageBoxA API, same as the original instruction
jmp 401143 //jump back to the ret after the MessageBoxA call



Now type all of this into T-Search without the comments. To save you time, cut and paste this:



offset 10b2e

asc "Goddammit"

hex 00

offset 10b63

asc "We've bloody done it"

hex 00

offset 401131

jmp 10abf

offset 10abf

push 10b2e

push 10b63

push [ebp+08]

call 401189

jmp 401143
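The whole procedure above (jmp out, relocated pushes with our own string pointers, re-encoded call, jmp back), as an added example that is not part of the original tutorial or its T-Search script: a small C program that builds an in-memory model of the example exe from the bytes in the W32Dasm listing, applies the same writes the script does, and then walks the patched control flow to confirm that MessageBoxA would receive our caption and text. The flat image model, the trace routine and the cave addresses 410ABF/410B2E/410B63 are assumptions made here (the page's printed cave offsets are below the image base, so the model places the caves inside it); the addresses 401131, 401189, 401143, 402000 and 402006, the bytes and the strings come from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flat model of the loaded example exe (constructed here, not the real file):
 * 0x400000-based, covering the listing at 401131, the strings at 402000 and
 * the caves. Addresses 4011xx/4020xx come from the W32Dasm listing; the cave
 * addresses are hypothetical, because the page's printed offsets (10abf,
 * 10b2e, 10b63) lie below the image base. */
#define IMAGE_BASE 0x400000u
#define IMAGE_SIZE 0x11000u
#define ORIG_PUSH_CAPTION 0x401131u  /* push 402000: the 5 bytes our jmp overwrites */
#define MSGBOX_THUNK      0x401189u  /* call target W32Dasm resolves to MessageBoxA */
#define AFTER_CALL        0x401143u  /* the ret after the call: we jump back here */
#define CAVE_CODE    0x410ABFu       /* assumed code cave */
#define CAVE_CAPTION 0x410B2Eu       /* assumed caption cave */
#define CAVE_TEXT    0x410B63u       /* assumed text cave */
static uint8_t image[IMAGE_SIZE];

static uint8_t *at(uint32_t va) {            /* virtual address -> pointer into the model */
    if (va < IMAGE_BASE || va >= IMAGE_BASE + IMAGE_SIZE) { fprintf(stderr, "%08x outside image\n", va); exit(1); }
    return &image[va - IMAGE_BASE];
}
static uint32_t get_u32(uint32_t va) {       /* little-endian 32-bit read */
    const uint8_t *p = at(va);
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_u32(uint32_t va, uint32_t v) {   /* little-endian 32-bit write */
    for (int i = 0; i < 4; i++) *at(va + i) = (uint8_t)(v >> (8 * i));
}
static void emit_push_imm(uint32_t *pc, uint32_t imm) {   /* 68 imm32 */
    *at(*pc) = 0x68; put_u32(*pc + 1, imm); *pc += 5;
}
static void emit_push_ebp08(uint32_t *pc) {               /* FF 75 08: push [ebp+08] */
    memcpy(at(*pc), "\xFF\x75\x08", 3); *pc += 3;
}
/* E8 (call) / E9 (jmp) rel32: the displacement is relative to the END of the
 * 5-byte instruction, which is why E8 46000000 at 40113E means call 401189
 * (0x40113E + 5 + 0x46) and why the call moved into the cave must be
 * re-encoded rather than copied byte for byte. */
static void emit_rel32(uint32_t *pc, uint8_t opcode, uint32_t target) {
    *at(*pc) = opcode; put_u32(*pc + 1, target - (*pc + 5)); *pc += 5;
}
static void write_cstring(uint32_t va, const char *s) {
    memcpy(at(va), s, strlen(s) + 1);  /* +1 writes the NUL, the page's "hex 00" */
}

/* The original bytes, exactly as W32Dasm listed them. */
void setup_original(void) {
    uint32_t pc = ORIG_PUSH_CAPTION;
    memset(image, 0, sizeof image);
    emit_push_imm(&pc, 0x402000);          /* 401131 6800204000 push 402000 */
    emit_push_imm(&pc, 0x402006);          /* 401136 6806204000 push 402006 */
    emit_push_ebp08(&pc);                  /* 40113B FF7508     push [ebp+08] */
    emit_rel32(&pc, 0xE8, MSGBOX_THUNK);   /* 40113E E846000000 call 401189 */
    *at(pc) = 0xC3;                        /* 401143 C3         ret */
    write_cstring(0x402000, "about");
    write_cstring(0x402006, "MsgBox Example");
}

/* The T-Search EasyWrite script from the page, expressed as byte writes. */
void apply_patch(void) {
    uint32_t pc = ORIG_PUSH_CAPTION;
    write_cstring(CAVE_CAPTION, "Goddammit");
    write_cstring(CAVE_TEXT, "We've bloody done it");
    /* A 5-byte jmp replaces a 5-byte push, so no instruction is cut in half;
     * the pushes at 401136/40113B stay in the file but are never executed. */
    emit_rel32(&pc, 0xE9, CAVE_CODE);
    pc = CAVE_CODE;
    emit_push_imm(&pc, CAVE_CAPTION);      /* replaces push 402000 */
    emit_push_imm(&pc, CAVE_TEXT);         /* replaces push 402006 */
    emit_push_ebp08(&pc);                  /* original instruction, copied */
    emit_rel32(&pc, 0xE8, MSGBOX_THUNK);   /* original call, re-encoded for its new address */
    emit_rel32(&pc, 0xE9, AFTER_CALL);     /* back to the ret at 401143 */
}

typedef struct {
    uint32_t args[8]; int nargs;   /* values pushed, in push order: caption, text, hwnd */
    uint32_t call_target, end_pc;  /* where the E8 went; address of the ret we stopped on */
    int ok;
} trace_t;

/* Follow control flow from pc, decoding only the five opcodes this sequence
 * uses. The call is recorded, not executed (it is the MessageBoxA thunk), so
 * the trace shows exactly what the API would find on the stack. */
trace_t simulate(uint32_t pc, uint32_t ebp08) {
    trace_t t; memset(&t, 0, sizeof t);
    for (int steps = 0; steps < 32 && t.nargs < 8; steps++) {
        uint8_t op = *at(pc);
        if (op == 0x68)      { t.args[t.nargs++] = get_u32(pc + 1); pc += 5; }
        else if (op == 0xFF && at(pc)[1] == 0x75 && at(pc)[2] == 0x08) { t.args[t.nargs++] = ebp08; pc += 3; }
        else if (op == 0xE8) { t.call_target = pc + 5 + get_u32(pc + 1); pc += 5; }
        else if (op == 0xE9) { pc += 5 + get_u32(pc + 1); }
        else if (op == 0xC3) { t.end_pc = pc; t.ok = 1; return t; }
        else return t;       /* unknown opcode: we landed in the middle of an instruction */
    }
    return t;
}

int main(void) {
    setup_original(); apply_patch();
    trace_t t = simulate(ORIG_PUSH_CAPTION, 0xBEEF);
    printf("ok=%d caption=\"%s\" text=\"%s\" hwnd=%x call=%08x ret@%08x\n", t.ok,
           (char *)at(t.args[0]), (char *)at(t.args[1]), t.args[2], t.call_target, t.end_pc);
    return t.ok ? 0 : 1;
}
```

Compile with any C compiler and run; it exits 0 when the patched flow reaches the ret at 401143 with our two strings and the untouched window handle on the stack. The thing it makes visible that the script does not is the rel32 arithmetic: the same call 401189 is E8 46000000 at 40113E but a different 5 bytes inside the cave, which is why pasting the original call bytes into a cave would branch to the wrong place.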



You should now have changed the caption and the message behind the About button of the example file to our modified version. Well, congratulations, you've done it: we've injected our own message box into the example file. Now go and practise this yourself on other applications.

You won't always find the structure by listing the APIs. Sometimes go to the string references instead: if you've got an app with a button named Info and that is what you want to change, look up Info in the string references. Also, the MessageBoxA API call isn't always right next to the message box you want to edit; just look up the MessageBoxA API as we did, take note of the call and put that instruction at the end of your message box. Keep checking for part 2, when we take this a bit more in-depth.



As long as you memorise this structure you shouldn t have any problems.



push Style          //style of message box (uType)
push Caption        //caption of message box (lpCaption)
push Text           //text to be displayed in the main body (lpText)
push WindowHandle   //the window handle (hWnd)
call MessageBoxA    //call the MessageBoxA API (you can find out what this call is by looking up the MessageBoxA API in the imports, taking note of the call address and using call whateveritis)



Anyway, that's the end of another one of my tutorials; keep checking for PART 2, coming soon. If you've got any problems, don't hesitate to email me at shinero_uk@yahoo.co.uk and I'll reply pronto. Well, till next time.



Shinero



My site http://www.gamehacking.tk (My personal Website)

Team http://www.extalia.com 

Copyright (1998) 2004 - 2016 GamePatchPlanet.com. All Rights Reserved. Privacy Policy Disclaimer