Code Injection Trainer Part 1 Lvl.3

Code Injection (Message Boxes)

Right, have you ever wondered how people make those in-game trainer menus displaying the hotkeys and info? Very cool stuff. What we will be learning in this essay is how to inject a message box into the executable supplied in this zip file. A bit of basic asm would go a long way in this tutorial. Once again I state: if you are a noob, don't know any asm and are having problems with this tutorial, don't bother mailing me. For this tutorial you're going to need to know how to use T-Search and a disassembler. This is a tutorial on code injection, not on how to use T-Search, so if you are a total noob don't even bother attempting it. I know this isn't the first and most probably not the last tutorial on this. I didn't invent this method, so I take no credit for it. Right, with that out of the way let's continue.

Tools needed:

- The example file, download it here: http://shinero.4t.com/Msgbox%20Injection.zip
- T-Search memory searcher: http://www.extalia.com
- W32Dasm Windows disassembler: http://www.gamehacking.com
- Win32 API reference (search for it on Google)

Some background

If you look up MessageBoxA in your API reference you will find this:

    int MessageBox(
        HWND hWnd,          // handle of owner window
        LPCTSTR lpText,     // address of text in message box
        LPCTSTR lpCaption,  // address of title of message box
        UINT uType          // style of message box
    );

Parameters:

hWnd - Identifies the owner window of the message box to be created. If this parameter is NULL, the message box has no owner window.
lpText - Points to a null-terminated string containing the message to be displayed.
lpCaption - Points to a null-terminated string used for the dialog box title. If this parameter is NULL, the default title "Error" is used.
uType - Specifies the contents and behaviour of the dialog box.
This is the basic msgbox structure in assembly:

    push Style           // style of message box
    push Caption         // caption of message box
    push Text            // text to be displayed in main body
    push WindowHandle    // the window handle
    call MessageBoxA     // call the MessageBoxA API

Right, because asm is a damn pain in the arse we have to push all of these onto the stack backwards: the last parameter of the C prototype goes on first. So for the msgbox we push the style, then the caption, then the main text, then the window handle, and only then call the MessageBoxA API. For this example the window handle is already set up for us. If you want to start applying this to games you will have to find the window handle yourself, which will be covered in the next part of this essay.

Since all we are going to do is edit the message box that already appears, we want to look for this structure in the main executable of the example file. If you don't know how to find code caves, read up on my last code injection essay; for now I have already included the code cave addresses. Fire up W32Dasm, open the exe included with this file and click the button with the green light and the letters "Imp" above it. This brings up a list box of all the APIs the application imports. Notice MessageBoxA: double-click it and you will be taken to the part of the code that references the msgbox API. Scroll up a couple of lines and you will see this:
    * Possible string data reference from data obj -> "about"
    :00401131 6800204000    push 00402000
    * Possible string data reference from data obj -> "MsgBox Example"
    :00401136 6806204000    push 00402006
    :0040113B FF7508        push [ebp+08]
    * Referenced to: USER32.MessageBoxA, ord:000h
    :0040113E E846000000    call 00401189
    :00401143 C3            ret

So this is what we've got:

    push 00402000   --- message box caption
    push 00402006   --- message box text
    push [ebp+08]   --- window handle
    call 00401189   --- call MessageBoxA API

So basically what we want to do is jmp from 401131 to our code cave, recreate all the instructions above up to address 40113E (call 401189) and then jump back to the end of the API call at 401143, except that the first two pushes (401131 and 401136) are replaced with our own message box caption and text in our code cave. I hope you're still with me here. :o)

Just to summarize:

    00401131        jmp to code cave

    Code cave: recreate all instructions up to call MessageBoxA, so:
    push 00402000   --- message box caption (we want to replace this)
    push 00402006   --- message box text (we want to replace this)
    push [ebp+08]   --- window handle
    call 00401189   --- call MessageBoxA API
    jmp 00401143    --- jump back to the end of the MessageBoxA call

Right, let's first do our message and msgbox caption.
Open T-Search, click Easy Write and type this:

    offset 10b2e                  // code cave for msgbox caption
    asc "Goddammit"               // what will be displayed in the caption
    hex 00                        // null terminator
    offset 10b63                  // code cave for msgbox text (main body)
    asc "We've bloody done it"    // text to appear in the body
    hex 00                        // null terminator

Now for our main code cave we must rewrite the whole msgbox structure we found, but replacing the first two lines with our code caves, so:

    offset 401131     // start of msgbox procedure
    jmp 10abf         // jump to our code cave
    offset 10abf      // our code cave
    push 10b2e        // replace the old caption push with our code cave
    push 10b63        // same here but with the text code cave
    push [ebp+08]     // window handle, same as the original instruction
    call 401189       // call MessageBoxA API, same as the original instruction
    jmp 401143        // jump back to the end of the MessageBoxA call

Type all of this into T-Search without the comments. Just to save you time, cut and paste this:

    offset 10b2e
    asc "Goddammit"
    hex 00
    offset 10b63
    asc "We've bloody done it"
    hex 00
    offset 401131
    jmp 10abf
    offset 10abf
    push 10b2e
    push 10b63
    push [ebp+08]
    call 401189
    jmp 401143

Now you should have changed the caption and the message behind the About button of the example file to our modified version. Well, congratulations, you've done it: we've injected our own message box into the example file. Now go and practise this yourself on other applications.

A couple of extra tips. You don't always find the structure by listing the APIs; sometimes go to the string references instead. Say you've got an app with a button named "Info" and that is what you want to change: look up "info" in the string references. Also, the MessageBoxA API call isn't always right next to the message box you want to edit. Just look up the MessageBoxA API like we did, take note of the call, and put that instruction at the end of your msgbox. Keep checking for part 2, when we take this a bit more in-depth. As long as you memorise this structure you shouldn't have any problems:
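As an added illustration (not from the tutorial and not T-Search's own code), the Python below assembles the bytes the Easy Write script above produces, so you can see that the detour written at 401131 overwrites exactly one 5-byte push and that each call and jmp is a relative displacement recomputed for its new address. It then runs the kind of integrity check a hook scanner or anti-cheat applies to a known call site: a rel32 branch whose target lands outside the module image is flagged. The image size and the function names are assumptions made for this example.

```python
import struct

# Addresses are the ones used in this tutorial; the image size is an assumption
# for this example (the tutorial never states it).
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x3000          # assumed size of the example exe's mapped image
HOOK_ADDR  = 0x401131        # first push of the original MessageBoxA sequence
CAVE       = 0x10ABF         # code cave given in the tutorial
CAPTION    = 0x10B2E         # cave holding the new caption string
TEXT       = 0x10B63         # cave holding the new body text
RET_ADDR   = 0x401143        # the ret after the call, where the cave jumps back
CALL_STUB  = 0x401189        # call target that reaches USER32.MessageBoxA

# Constructed from the W32Dasm listing: push 402000 / push 402006 /
# push [ebp+08] / call 401189 / ret (19 bytes starting at 0x401131).
ORIGINAL = bytes.fromhex("6800204000" "6806204000" "FF7508" "E846000000" "C3")

def rel32(insn_addr, target):
    """Displacement of a 5-byte E8 call / E9 jmp: target minus next instruction."""
    return struct.pack("<i", target - (insn_addr + 5))

def push_imm32(value):
    return b"\x68" + struct.pack("<I", value)

def build_cave():
    """Assemble the cave exactly as the Easy Write script lays it out."""
    code = push_imm32(CAPTION) + push_imm32(TEXT) + b"\xFF\x75\x08"
    code += b"\xE8" + rel32(CAVE + len(code), CALL_STUB)   # call 401189
    code += b"\xE9" + rel32(CAVE + len(code), RET_ADDR)    # jmp 401143
    return code

def build_patched_site():
    """The 5-byte jmp replaces exactly the 5-byte push 402000; no instruction is split."""
    detour = b"\xE9" + rel32(HOOK_ADDR, CAVE)
    return detour + ORIGINAL[len(detour):]

def detour_target(addr, code):
    """Integrity check for a known call site: if a rel32 jmp/call at addr leaves
    the module image, return where it goes, otherwise None. A real scanner
    would also diff these bytes against the on-disk copy of the exe."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    target = addr + 5 + struct.unpack("<i", code[1:5])[0]
    if IMAGE_BASE <= target < IMAGE_BASE + IMAGE_SIZE:
        return None
    return target

if __name__ == "__main__":
    print("cave bytes:  ", build_cave().hex())
    print("patched site:", build_patched_site().hex())
    print("hook target: ", hex(detour_target(HOOK_ADDR, build_patched_site()) or 0))
```

The original call at 40113E stays inside the image and is not flagged; the detour at 401131 is, because the cave lives below the image base.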
    push Style           // style of message box
    push Caption         // caption of message box
    push Text            // text to be displayed in main body
    push WindowHandle    // the window handle
    call MessageBoxA     // call the MessageBoxA API (you can find out what this is just by looking up the MessageBoxA API, taking note of the call and replacing it with call <whateveritis>)

Anyway, that's the end of another one of my tutorials; keep checking for PART 2, coming soon. If you've got any problems then don't hesitate to give us an email at shinero_uk@yahoo.co.uk and I'll reply pronto.

Well, till next time,
Shinero

My site: http://www.gamehacking.tk (my personal website)
Team: http://www.extalia.com