Search site: 

| Home | PC Cheat Codes | Game Patch Updates | PC Game Trainers | PC Game Tools | Game Patch Fixes | Articles | Discussion Forums | Contact |

Trainer Tutorials

Latest Forum Discussions:

This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Killing Timers With Code Injection Tutorial

You can view this tutorial in its original format here
_._____
      \     |                               ____
       |    |                              |____|
       |    |______ ________ _ _______     |     \_
       |    ._     \   ._   \_._      /__|\|       |
       |    |/     /   |/     |      /     |       |
   _ __|    |     /_   |      |            |       |_ __ _
   __ _ _______________|      |____________|_______________
  ____________________ |      | _brzi_________________________
__                    |_     |                             __
   |___________________  \____| ___________________________|
                  

[Subject: Killing Timers With Code Injection]
[Target: EEDOK's HackMe 1.1]
[URL: http://devious.tsongkie.com]
[Written by: [brzi] / http://www.brzi.cjb.net / brzi@devious.tsongkie.com]
[23.11.2003 - 9:35 PM]

--------------
[Introduction]
--------------

	The reason that i'm writting this tutorial is to help all of those n00b's who are trying to
get in DEViOUS and in general, how to defeat timers (in a more advanced way). Since in order to get
in they need to defeat EEDOK's HackMe. I haven't seen anyone of them to do that, so this is a little
help for them. We all like to help these guys who are trying to learn something... don't we???
Well yeah until the start to ask too stupid questions like: "What's SoftICE and where can i find a
debugger?".. But there's forgivness for everything :)))
Anywayz, this tutorials assumes that u have at least basic knowledge of ASM and u know how to do
a simple code injection, since we are going to beat timers with code injection. If not, I suggest
that u should check my previous code injection tutorials and [sheep]'s tutorials. That will give u
a good understanding of how things work. Ok, since we're ready let's start...

------------------------------
[Tools and Where to Find Them]
------------------------------

[EEDOK's HackMe]-[http://devious.tsongkie.com]
[TSearch 1.6]-[http://www.gamehacking.com]
[W32Dasm 8.9]-[http://www.gamehacking.com]
[API Reference]-[http://www.win32asm.cjb.net]

-------------------
[Windows API Calls]
-------------------

The KillTimer function destroys the specified timer. The system searches the message queue for 
any pending WM_TIMER messages associated with the timer and removes them. 

BOOL KillTimer(

    HWND  hWnd,	// handle of window that installed timer
    UINT  uIDEvent 	// timer identifier
   );	
Parameters

hWnd

Identifies the window associated with the specified timer. This value must be the same as the 
hWnd value passed to the SetTimer function that created the timer. 

uIDEvent

Specifies the timer to be destroyed. If the window handle passed to SetTimer is valid, this 
parameter must be the same as the uIDEvent value passed to SetTimer. If the application calls 
SetTimer with hWnd set to NULL, this parameter must be the timer identifier returned by SetTimer.


The SetTimer function creates a timer with the specified time-out value. 

UINT SetTimer(

    HWND  hwnd,	// handle of window for timer messages
    UINT  idTimer,	// timer identifier
    UINT  uTimeout,	// time-out value
    TIMERPROC  tmprc 	// address of timer procedure
   );	
Parameters

hwnd

Identifies the window to be associated with the timer. If this parameter is NULL, no window is 
associated with the timer and the idTimer parameter is ignored. 

idTimer

Specifies a nonzero timer identifier. If the hwnd parameter is NULL, this parameter is ignored. 

uTimeout

Specifies the time-out value, in milliseconds. 

tmprc

Points to the function to be notified when the time-out value elapses. For more information 
about the function, see the TimerProc callback function. 
If tmprc is NULL, the system posts a WM_TIMER message to the application queue. The hwnd member 
of the message's MSG structure contains the value of the hwnd parameter.  

--------------
[Lesson Start]
--------------

	Ok, as a standard routine, u would find the value which is increased/decreased by the timer,
put a BPM on it and then NOP the instructions that modify that value. Well that's fine and nice
and it's a n00b way to do it. But we don't have a Pause or a Stop button that will stop that value
from decreasing.. How are u going to do that with the standard searching methods?? I don't know, u? 
Here's what we will do: We will inject the KillTimer function so that when u click on the
"Instructions" button the timer will stop and the won't decrease anymore. Btw we can inject a
MessageBox to inform us about the timer, but we are goind to save some bytes, so we will display
the standart message.

	Open W32Dasm 8.9 and Disassemble EEDOK's HackME and click on ImpFnc button on the toolbar.
From the list double click on user32.SetTimer function. I have this code..

..............
..............

:004011C3 6A00                    push 00000000  <- pointer to timerproc - this is null so it's
                                                    not used
* Possible Reference to Dialog: DialogID_03E8 
                                  |
:004011C5 68E8030000              push 000003E8  <- pushes the miliseconds (3E8 hex = 1000 dec)
                                                    1000 dec = 1 second
:004011CA 6A08                    push 00000008  <- pushes the resource id
:004011CC FF7508                  push [ebp+08]  <- pushes the window handle (hWnd)

* Reference To: user32.SetTimer, Ord:0217h
                                  |
:004011CF E876070000              Call 0040194A  <- calls SetTimer

..............
..............

Now double click on user32.KillTimer function.

..............
..............

:004011F0 6A08                    push 00000008  <- pushes timer id (this is the return value 
                                                    of SetTimer
:004011F2 FF3568314000            push dword ptr [00403168]  <- pushes the window handle (hWnd)

* Reference To: user32.KillTimer, Ord:017Bh
                                  |
:004011F8 E823070000              Call 00401920

And finaly double click on the user32.MessageBox function.

..............
..............

* Possible StringData Ref from Data Obj ->"Trainme"
                                  |
:00401580 6807304000              push 00403007  <- pushes the msgbox caption 

* Possible StringData Ref from Data Obj ->"Hack this bitch as many ways as "
                                        ->"you can."
                                  |
:00401585 68EC304000              push 004030EC <- pushes the msgbox text
:0040158A FF7508                  push [ebp+08] <- pushes the window handle (hWnd)

* Reference To: user32.MessageBoxA, Ord:019Dh
                                  |
:0040158D E8A6030000              Call 00401938 <- call MessageBox
:00401592 EB14                    jmp 004015A8  <== We will jump back here <==

	So, we sad that when the "Instructions" button is clicked, the usual MsgBox will be displayed
and our KillTimer code will be executed. So we must jump from somewhere to our code.. :)
Ofcourse we will jump from the msgbox caption to our code cave :)
Open up TSearch and start EasyWrite...

// BEGIN TSEARCH SCRIPT - [KILL TIMER] //

//First we recreate all the stuff of the message
//and then we create the KillTimer function

//I found a code cave so won't have to bother

//CODE CAVE CODE
offset 00401D1A

//push the caption of the msgbox
push 00403007

//push the text of the msgbox
push 004030EC

//push the window hanlde (hWnd)
push [ebp+08]

//call MessageBox
call 00401938

//Now the KillTimer stuff

//push the timer id - the id of the timer that is created so we can destroy that timer
push 00000008

//push the window handle (hWnd)
push dword ptr [00403168]  

//Call KillTimer
Call 00401920

//Jump back - remmember the "<==We will jump back here <==" offset
jmp 00401592

//Now we replace the main code with a jmp function that will jump to our code cave
//Remember we jmp from the msgbox caption
offset 00401580

//Jump to our code cave
jmp 00401D1A

// END TSEARCH SCRIPT - [KILL TIMER] //

	Ok, now add a hotkey to the script and try it out.. Does it work?? NO!!!!! Yeah it 
confused me too.. But i found the solution.. What's the problem here...

	When the parameters of the SetTimer and MessageBox are pushed the window handle that is 
pushed is "push [ebp+08]", but this is not the same for the KillTimer function.. So what i did is
that i just replaced the window handle that is pushed before the call to the KillTimer from
"push dword ptr [00403168]" to "push [ebp+08]" the same for SetTimer and MessageBox. And the 
result is: "WORKS!!!!". So here the final TSearch script:

// BEGIN TSEARCH SCRIPT - [KILL TIMER] //

//First we recreate all the stuff of the message
//and then we create the KillTimer function

//I found a code cave so won't have to bother

//CODE CAVE CODE
offset 00401D1A

//push the caption of the msgbox
push 00403007

//push the text of the msgbox
push 004030EC

//push the window hanlde (hWnd)
push [ebp+08]

//call MessageBox
call 00401938

//Now the KillTimer stuff

//push the timer id - the id of the timer that is created so we can destroy that timer
push 00000008

//push the window handle (hWnd)
push dword ptr [ebp+08]  

//Call KillTimer
Call 00401920

//Jump back - remmember the "<==We will jump back here <==" offset
jmp 00401592

//Now we replace the main code with a jmp function that will jump to our code cave
//Remember we jmp from the msgbox caption
offset 00401580

//Jump to our code cave
jmp 00401D1A

// END TSEARCH SCRIPT - [KILL TIMER] //

-------------
[Final Words]
-------------

I don't know what to say, i just hope u learned something from this because it is very useful.
Also i would recomend the tutorial from ^chaos^, he has a good tutorial on timers and very good
tutorials on other subjects. http://www.s-i-n.com/chaos is the link to his site. 
For more tutorials visit my site. Thank u for reading this tutorial. 
Now turn off ur PC and goto bed. U deserve a little sleep :)

--------
[Greets]
--------

Greets in no special order...

[sheep] # Stoner # Synbios # EEDOK # Bie # VBTrainer # Omega # Future666 # ddh # ^chaos^ # InvadeR
Omaster (hope u'll forgive me:)) # and everybody on DEViOUS and CES forums # and to u my dear reader :)

--------------------------------
[Copyright© VisualSoft® by brzi]
[http://www.brzi.cjb.net]
[brzi@devious.tsongkie.com]
--------------------------------

Copyright © (1998) 2004 - 2016 GamePatchPlanet.com. All Rights Reserved. Privacy Policy Disclaimer