Sorry guys, I was out for a couple of days. Anyway, my next project is releasing a new trainer that will give you see-, walk- and fly-through-walls, along with undetected underground and third-person view in multiplayer. I cannot release any kind of shooting through walls because the cheat is not mine; it's subsky's, and we should respect him and his work. What I am also going to do, with the help of subsky's tutorials, is have all my cheats bypass hradba's #138 detection so there will be no problems of any kind. Hopefully I'll be done within the week.
Open up logs.dll or game.dll in IDA, and in the strings section look for the following text: 'get_original_code_section_of_loaded_image()'.
The place where these strings are referenced is the scanning algorithm that uploads the .text (code) section to the server; you can find where the imports and exports are scanned similarly via 'get_image_import_address_table()' and 'get_export_symbol_address_of_loaded_image()'.
I renamed the unknown function referencing 'get_original_code_section_of_loaded_image()' to something like:
.text:1001F040 GetCodeSection proc near ; CODE XREF: sub_100D3A90+44p
It basically does all the sanity checks to make sure the passed-in HMODULE (file loaded in memory) is a Portable Executable file; then it adds 0x1000 (start of the .text/code section) to the HMODULE (base load address). It then memcpy()s into a malloc'd buffer (i.e. heap memory, of size SizeOfCode, the combined size of the PE's code sections) starting from HMODULE + 0x1000.
This should help you:
.text:1001F186 mallocdSizeOfCode: ; CODE XREF: GetCodeSection+116j
.text:1001F186 mov ecx, [ebx+1Ch] ; EBX = IMAGE_NT_HEADERS; ECX = OptionalHeader.SizeOfCode
.text:1001F189 mov esi, [ebx+2Ch] ; ESI = OptionalHeader.BaseOfCode = 1000h
.text:1001F18C mov eax, ecx ; save SizeOfCode
.text:1001F18E shr ecx, 2 ; ECX = SizeOfCode / sizeof(DWORD)
.text:1001F191 add esi, ebp ; ESI = HMODULE + 1000h = .text section
.text:1001F193 mov edi, edx ; EDI = malloc'd buffer (SizeOfCode bytes)
.text:1001F195 rep movsd ; copy whole DWORDs
.text:1001F197 mov ecx, eax ; ECX = SizeOfCode again
.text:1001F199 and ecx, 3 ; remaining 0..3 bytes
.text:1001F19C rep movsb ; i.e. memcpy(malloc'd buffer, HMODULE + 1000h [.text], SizeOfCode)
.text:1001F19E mov ecx, [ebx+34h] ; ECX = OptionalHeader.ImageBase
.text:1001F1A1 cmp ebp, ecx ; if (HMODULE == ImageBase)
.text:1001F1A3 jz LoadedAtPrefBase ; loaded at preferred base: no relocations to account for
.text:1001F1A9 mov edi, [ebx+0A0h] ; EDI = DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress (pBaseRelocationTable)
If all that flew over your head, you need to read up on the Portable Executable file format. Knowing this, almost everything you need to know to beat #138 can be found at the links below:
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format (#1)
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format (#2)
You can beat it, there are several ways; just be creative.
Subsky
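To make the listing above concrete, here is an added C reimplementation of what the scanner does (example code written for this thread, not Subsky's code and not the hradba scanner itself): it walks the in-memory PE32 headers using the same IMAGE_NT_HEADERS offsets the disassembly reads (SizeOfCode at +1Ch, BaseOfCode at +2Ch, ImageBase at +34h, base relocation directory at +0A0h), copies SizeOfCode bytes from base + BaseOfCode, and then compares the load address against ImageBase. The listing stops at fetching the relocation table, so what happens next is an assumption: the example undoes HIGHLOW relocations inside the code range so the copy matches the on-disk bytes regardless of where the module was loaded, which is the obvious reason to fetch that table before uploading. The PE image it runs on is constructed inline (a synthetic one-section image, not a real game DLL) so it runs on any host without windows.h; the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian accessors so the example is host-independent. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Offsets from IMAGE_NT_HEADERS32: Signature(4) + IMAGE_FILE_HEADER(20) = 0x18 to the optional header. */
enum {
    NT_OPT_MAGIC  = 0x18,  /* 0x10B for PE32 */
    NT_SIZEOFCODE = 0x1C,  /* [ebx+1Ch] in the listing */
    NT_BASEOFCODE = 0x2C,  /* [ebx+2Ch] */
    NT_IMAGEBASE  = 0x34,  /* [ebx+34h] */
    NT_RELOC_DIR  = 0xA0   /* [ebx+0A0h]: DataDirectory[5] = base relocations (RVA, Size) */
};

/* Copies the code section of a PE32 image mapped at loaded_base into out.
 * If loaded_base != ImageBase, HIGHLOW fixups inside the code range are undone
 * (assumed behaviour of the code after the jz in the listing). 0 on success. */
int extract_code_section(const uint8_t *img, size_t len, uint32_t loaded_base,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;          /* IMAGE_DOS_SIGNATURE */
    uint32_t nt = rd32(img + 0x3C);                                          /* e_lfanew */
    if (len < 0xA8 || nt > len - 0xA8) return -2;
    const uint8_t *h = img + nt;
    if (memcmp(h, "PE\0\0", 4) != 0 || rd16(h + NT_OPT_MAGIC) != 0x10B) return -3;

    uint32_t size_of_code = rd32(h + NT_SIZEOFCODE);
    uint32_t base_of_code = rd32(h + NT_BASEOFCODE);
    uint32_t image_base   = rd32(h + NT_IMAGEBASE);
    if (base_of_code > len || size_of_code > len - base_of_code || size_of_code > out_cap) return -4;

    memcpy(out, img + base_of_code, size_of_code);   /* the rep movsd / rep movsb pair */
    *out_len = size_of_code;
    if (loaded_base == image_base) return 0;          /* LoadedAtPrefBase: nothing to undo */

    uint32_t delta = loaded_base - image_base;        /* what the loader added to every fixup */
    uint32_t rva = rd32(h + NT_RELOC_DIR), dir_size = rd32(h + NT_RELOC_DIR + 4);
    if (rva > len || dir_size > len - rva) return -5;
    const uint8_t *blk = img + rva, *end = blk + dir_size;
    while (end - blk >= 8) {                          /* IMAGE_BASE_RELOCATION blocks */
        uint32_t page = rd32(blk), blk_size = rd32(blk + 4);
        if (blk_size < 8 || blk_size > (size_t)(end - blk)) return -6;
        for (const uint8_t *e = blk + 8; e + 2 <= blk + blk_size; e += 2) {
            uint16_t ent = rd16(e);
            if ((ent >> 12) != 3) continue;           /* IMAGE_REL_BASED_HIGHLOW only */
            uint32_t target = page + (ent & 0xFFF);
            if (target < base_of_code || target + 4 > base_of_code + size_of_code) continue;
            uint8_t *p = out + (target - base_of_code);
            wr32(p, rd32(p) - delta);                 /* restore the pre-relocation value */
        }
        blk += blk_size;
    }
    return 0;
}

/* Constructed test image (not a real binary): a 16-byte code section at RVA 0x1000 holding
 * "mov eax, <ImageBase+0x1010>; ret" and one relocation block covering that imm32. */
#define IMG_LEN   0x2010
#define PREF_BASE 0x10000000u
void build_test_image(uint8_t *img, uint32_t loaded_base)
{
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x40);                       /* e_lfanew */
    uint8_t *h = img + 0x40;
    memcpy(h, "PE\0\0", 4);
    wr16(h + 4, 0x14C);                           /* Machine = i386 */
    wr16(h + 6, 1);                               /* NumberOfSections */
    wr16(h + NT_OPT_MAGIC, 0x10B);
    wr32(h + NT_SIZEOFCODE, 16);
    wr32(h + NT_BASEOFCODE, 0x1000);
    wr32(h + NT_IMAGEBASE, PREF_BASE);
    wr32(h + NT_RELOC_DIR, 0x2000);               /* relocation table RVA */
    wr32(h + NT_RELOC_DIR + 4, 12);               /* relocation table size */
    img[0x1000] = 0xB8;                           /* mov eax, imm32 */
    wr32(img + 0x1001, loaded_base + 0x1010);     /* imm32 as the loader would have patched it */
    img[0x1005] = 0xC3;                           /* ret */
    wr32(img + 0x2000, 0x1000);                   /* block: page RVA */
    wr32(img + 0x2004, 12);                       /* block: SizeOfBlock */
    wr16(img + 0x2008, (3 << 12) | 0x001);        /* HIGHLOW fixup at offset 1 */
    wr16(img + 0x200A, 0);                        /* ABSOLUTE padding entry */
}

/* 1 if the extracted code is byte-identical whether the image sits at its preferred
 * base or at loaded_base, i.e. the server can compare it against the original file. */
int extraction_is_base_independent(uint32_t loaded_base)
{
    static uint8_t at_pref[IMG_LEN], at_other[IMG_LEN];
    uint8_t a[64], b[64]; size_t na, nb;
    build_test_image(at_pref, PREF_BASE);
    build_test_image(at_other, loaded_base);
    if (extract_code_section(at_pref, IMG_LEN, PREF_BASE, a, sizeof a, &na) != 0) return 0;
    if (extract_code_section(at_other, IMG_LEN, loaded_base, b, sizeof b, &nb) != 0) return 0;
    return na == nb && memcmp(a, b, na) == 0 && rd32(a + 1) == PREF_BASE + 0x1010;
}

int main(void)
{
    printf("relocated copy matches original: %s\n",
           extraction_is_base_independent(0x00400000u) ? "yes" : "no");
    return 0;
}
```

The practical point for the thread: once the scanner has a base-independent copy of .text, any in-place patch (a NOP'd check, a hooked call) differs from the server's copy of the original file, which is why code-section patches trip #138 while approaches that leave .text untouched do not.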