roby65 Posted September 22, 2007

Here is the code:

    #include <windows.h>
    #include <string.h>

    void _declspec(naked) HealthHook()
    {
        _asm
        {
            push ecx
            push ebx
            mov ebx, 0x0B6F3B8
            mov ecx, dword ptr [ebx]
            cmp esi, ecx
            je exit
            mov [esi+00000540], edx
        exit:
            pop ebx
            pop ecx
            ret
        }
    }

    void _declspec(naked) HealthHookEnd() {}

    void _declspec(naked) HealthHooker()
    {
        _asm
        {
            call HealthHook
        }
    }

    void HookHealth()
    {
        DWORD a, b;
        char c = 0x90;                                  // NOP
        LPVOID address = (LPVOID)0x4B331F;              // instruction to overwrite (6 bytes)
        LPVOID address2 = (LPVOID)(0x4B331F + 5);
        VirtualProtect(address, 6, PAGE_EXECUTE_READWRITE, &a);
        memcpy(address, HealthHooker, 5);               // copy the 5 bytes of "call HealthHook"
        memcpy(address2, &c, 1);                        // pad the 6th byte with a NOP
        VirtualProtect(address, 6, a, &b);
    }

The code should work, I tried it in a cheat tool and it's ok, but the "call HealthHook" points to a different point in memory than the HealthHook function... why?

edit: the code is in a dll injected in the gta process :-)
INT 03 Posted September 23, 2007

Try this:

    void _declspec(naked) HealthHooker()
    {
        _asm
        {
            mov eax, offset HealthHook
            call eax
        }
    }
roby65 (Author) Posted September 23, 2007

I have only 6 free bytes... is there another way?
INT 03 Posted September 23, 2007 (edited)

Another way is to calculate the new destination address of the call. This should do the job:

    void HookHealth()
    {
        DWORD a, b;
        char c = 0x90;
        LPVOID address = (LPVOID)0x4B331F;
        LPVOID address2 = (LPVOID)(0x4B331F + 5);
        VirtualProtect(address, 6, PAGE_EXECUTE_READWRITE, &a);
        // ----
        *((char *)address) = 0xe8;  // place CALL instruction
        unsigned long dwDest = (unsigned long)HealthHooker - (unsigned long)address - 5;
        memcpy((char *)address + 1, &dwDest, 4);
        // -------
        memcpy(address2, &c, 1);
        VirtualProtect(address, 6, a, &b);
    }

Edited September 23, 2007 by INT 03
roby65 (Author) Posted September 24, 2007 (edited)

The code seems ok, but it doesn't seem to be working. In the disassembled code I can see "call healthhook", but where is its address?

edit: new code, result: nothing

    void HookHealth();

    void _declspec(naked) HealthHooker()
    {
        _asm
        {
            mov [esi+00000540], edx
            ret
        }
    }

    void HookHealth()
    {
        DWORD a, b;
        char c = 0x90;
        LPVOID address = (LPVOID)0x4B331F;
        LPVOID address2 = (LPVOID)(0x4B331F + 5);
        VirtualProtect(address, 6, PAGE_EXECUTE_READWRITE, &a);
        // ----
        *((char *)address) = 0xe8;  // place CALL instruction
        unsigned long dwDest = (unsigned long)HealthHooker - (unsigned long)address - 5;
        memcpy((char *)address + 1, &dwDest, 4);
        // -------
        memcpy(address2, &c, 1);
        VirtualProtect(address, 6, a, &b);
    }

Edited September 24, 2007 by roby65
INT 03 Posted September 24, 2007

Hmm, I just saw that I seem to have mixed up the functions accidentally. It should be

    unsigned long dwDest = (unsigned long)HealthHook - (unsigned long)address - 5;

HealthHooker is not needed anymore.
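The arithmetic INT 03 is describing here (and the reason the first post's memcpy of HealthHooker's bytes went wrong) comes down to how a 5-byte x86 CALL is encoded: opcode E8 followed by a signed 32-bit displacement measured from the end of the instruction. The following C program is an added example written for this thread, not code posted by either participant; it works on a local byte buffer instead of a live process, assumes a 32-bit address space, and uses constructed addresses (the 0x10001000 "hook" address and the 16-byte NOP region at 0x00401000 are made up). It encodes and decodes the displacement, shows why copying a relative CALL's raw bytes to a new address retargets it, and finishes with the check an integrity monitor would do: diff a code region against a pristine copy and resolve where a foreign CALL leads.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CALL_REL32_LEN 5   /* E8 opcode + 4-byte signed displacement */

/* Encode "call target" for placement at code address `at`.
 * Assumption: a 32-bit process, as in the thread, so addresses fit uint32_t.
 * The displacement is relative to the end of the 5-byte instruction,
 * which is where the "- 5" in the thread comes from. */
static int32_t encode_call_rel32(uint32_t at, uint32_t target,
                                 uint8_t out[CALL_REL32_LEN])
{
    int32_t disp = (int32_t)(target - at - CALL_REL32_LEN);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)                 /* little-endian, as x86 stores it */
        out[1 + i] = (uint8_t)((uint32_t)disp >> (8 * i));
    return disp;
}

/* Decode the 5 bytes located at code address `at` into an absolute target. */
static uint32_t decode_call_rel32(uint32_t at, const uint8_t in[CALL_REL32_LEN])
{
    uint32_t disp = 0;
    for (int i = 0; i < 4; i++)
        disp |= (uint32_t)in[1 + i] << (8 * i);
    return at + CALL_REL32_LEN + disp;          /* unsigned wrap handles negative disp */
}

/* Convenience wrappers: displacement alone, and an encode/decode round trip. */
static int32_t call_disp(uint32_t at, uint32_t target)
{
    uint8_t b[CALL_REL32_LEN];
    return encode_call_rel32(at, target, b);
}

static int roundtrip_ok(uint32_t at, uint32_t target)
{
    uint8_t b[CALL_REL32_LEN];
    encode_call_rel32(at, target, b);
    return b[0] == 0xE8 && decode_call_rel32(at, b) == target;
}

/* The first post's bug, reproduced on a buffer: the 5 bytes of a relative CALL
 * encoded at `orig_at` are copied verbatim to `new_at`.  The displacement is
 * unchanged, so the target shifts by exactly (new_at - orig_at). */
static uint32_t target_after_raw_copy(uint32_t orig_at, uint32_t new_at,
                                      uint32_t target)
{
    uint8_t bytes[CALL_REL32_LEN];
    encode_call_rel32(orig_at, target, bytes);
    return decode_call_rel32(new_at, bytes);
}

/* Defender side: diff a live code region against a pristine copy.  Returns the
 * first differing offset (or -1 if intact); if the patch begins with E8, also
 * resolves where the foreign CALL leads so it can be reported. */
static long find_code_patch(uint32_t base, const uint8_t *pristine,
                            const uint8_t *live, size_t len,
                            uint32_t *call_target)
{
    for (size_t i = 0; i < len; i++) {
        if (pristine[i] == live[i])
            continue;
        if (live[i] == 0xE8 && i + CALL_REL32_LEN <= len && call_target)
            *call_target = decode_call_rel32(base + (uint32_t)i, live + i);
        return (long)i;
    }
    return -1;
}

/* Constructed sample: 16 bytes of NOP at a made-up base, with a CALL to a
 * made-up out-of-module address written over offset 4 in the "live" copy. */
#define SAMPLE_BASE 0x00401000u
#define SAMPLE_LEN  16
#define SAMPLE_HOOK 0x10001000u   /* constructed: where an injected DLL might sit */

static long sample_patch(uint32_t *call_target)
{
    uint8_t pristine[SAMPLE_LEN], live[SAMPLE_LEN];
    memset(pristine, 0x90, SAMPLE_LEN);
    memset(live, 0x90, SAMPLE_LEN);
    encode_call_rel32(SAMPLE_BASE + 4, SAMPLE_HOOK, live + 4);
    return find_code_patch(SAMPLE_BASE, pristine, live, SAMPLE_LEN, call_target);
}

long sample_patch_offset(void) { uint32_t t = 0; return sample_patch(&t); }
uint32_t sample_patch_target(void) { uint32_t t = 0; sample_patch(&t); return t; }

int main(void)
{
    printf("call at 0x004B331F -> 0x%08X: disp=0x%08X, round trip %s\n",
           SAMPLE_HOOK, (uint32_t)call_disp(0x004B331Fu, SAMPLE_HOOK),
           roundtrip_ok(0x004B331Fu, SAMPLE_HOOK) ? "ok" : "FAILED");
    printf("same bytes copied from 0x10001000 to 0x004B331F now call 0x%08X\n",
           target_after_raw_copy(0x10001000u, 0x004B331Fu, 0x10002000u));
    printf("integrity check: patch at offset %ld, CALL leads to 0x%08X\n",
           sample_patch_offset(), sample_patch_target());
    return 0;
}
```

The byte-compare is deliberately simple: a scan for stray E8 bytes would false-positive on immediates and data, whereas comparing against a known-good copy of the code section (or a hash of it) catches any patch regardless of opcode, which is why anti-tamper checks are usually built that way.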
roby65 (Author) Posted September 24, 2007 (edited)

The problem is the same: the call seems to be ok, but this code (mov [esi+00000540],edx) changes the player's health when he is hit, but it's like this line isn't there... so you are invincible. What's the error? It should all be ok!

edit: this code also messes up the game, so if I alt-tab, I can't get back into the game (gta freezes...)

edit2: the "call healthhook" points there:

why this? I can't understand why

Edited September 24, 2007 by roby65
INT 03 Posted September 24, 2007

    mov [esi+0x00000540], edx

You have to prefix the value with 0x or the inline assembler will interpret it as a decimal value. Additionally you should change the label in HealthHook to something different than exit. exit is a CRT function and as such it could lead to conflicts.
roby65 (Author) Posted September 27, 2007

Thanks, works perfectly!
Andrew Posted October 5, 2007

Hmm, very unsure about this one.