
Thread: Convert C++ codecave function to VB6


    Convert C++ codecave function to VB6

    Hello, guys.

    Could someone please help me convert this function to VB6?

    The code in C++

    Code:
    void walk(HANDLE pHandle, DWORD baseAddress, int direction, bool dash)
    {
        BYTE codeCave[32]{
            0x60,                          //PUSHAD
            0x9C,                          //PUSHFD
            0x68, 0x00, 0x00, 0x00, 0x00, //PUSH DASH
            0x68, 0x00, 0x00, 0x00, 0x00, //PUSH DIRECTION
            0xB9, 0x00, 0x00, 0x00, 0x00, //MOVE ECX, GAME ADDRESS
            0xB8, 0x00, 0x00, 0x00, 0x00, //MOVE EAX, WALK FUNCTION ADDRESS
            0xFF, 0xD0,                      //CALL
            0x9D,                          //POPFD
            0x61,                          //POPAD
            0x68, 0x00, 0x00, 0x00, 0x00, //PUSH OriginalEIP
            0xC3                          //RETURN
        };
    
        DWORD gameAddress = baseAddress + 0x8036f0;
        DWORD walkFunctionAddress = baseAddress + 0x11FD3;
    
        int caveLenght = sizeof(codeCave);
        LPVOID remoteCave = VirtualAllocEx(pHandle, 0, caveLenght, MEM_COMMIT, PAGE_EXECUTE);
    
        DWORD mainThreadId = getProcessThreadId(pHandle);
        HANDLE hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), false, mainThreadId);
        SuspendThread(hThread);
        CONTEXT threadContext;
        threadContext.ContextFlags = CONTEXT_CONTROL;
        GetThreadContext(hThread, &threadContext);
    
        memcpy(&codeCave[3], &dash, 1);
        memcpy(&codeCave[8], &direction, 4);
        memcpy(&codeCave[13], &gameAddress, 4);
        memcpy(&codeCave[18], &walkFunctionAddress, 4);
        memcpy(&codeCave[27], &threadContext.Eip, 4);
        WriteProcessMemory(pHandle, remoteCave, codeCave, caveLenght, NULL);
    
        threadContext.Eip = (DWORD)remoteCave;
        threadContext.ContextFlags = CONTEXT_CONTROL;
        SetThreadContext(hThread, &threadContext);
        ResumeThread(hThread);
        CloseHandle(hThread);
        VirtualFreeEx(pHandle, remoteCave, caveLenght, MEM_RELEASE);

    My first attempt:

    Code:
    Public Function Walk(pHandle As Long, lBaseAddres As Long, direction As Long, dash As Boolean)
    Dim codeCave(31) As Byte
    
    codeCave(0) = &H60
    codeCave(1) = &H9C
    codeCave(2) = &H68
    codeCave(3) = &H0
    codeCave(4) = &H0
    codeCave(5) = &H0
    codeCave(6) = &H0
    codeCave(7) = &H68
    codeCave(8) = &H0
    codeCave(9) = &H0
    codeCave(10) = &H0
    codeCave(11) = &H0
    codeCave(12) = &HB9
    codeCave(13) = &H0
    codeCave(14) = &H0
    codeCave(15) = &H0
    codeCave(16) = &H0
    codeCave(17) = &HB8
    codeCave(18) = &H0
    codeCave(19) = &H0
    codeCave(20) = &H0
    codeCave(21) = &H0
    codeCave(22) = &HFF
    codeCave(23) = &HD0
    codeCave(24) = &H9D
    codeCave(25) = &H61
    codeCave(26) = &H68
    codeCave(27) = &H0
    codeCave(28) = &H0
    codeCave(29) = &H0
    codeCave(30) = &H0
    codeCave(31) = &HC3
    
    Dim var As Variant
    var = codeCave
    
    Dim gameAddress As Long
    gameAddress = lProcessBase + mainAddress
    Dim walkFunctionAddress As Long
    walkFunctionAddress = lProcessBase + &H11FD3
    
    Dim caveLenght As Long
    caveLenght = UBound(codeCave)
    Dim remoteCave As Long
    remoteCave = VirtualAllocEx(pHandle, 0, caveLenght, MEM_COMMIT, PAGE_EXECUTE)
    
    Dim mainThreadId As Long
    mainThreadId = GetProcessID(pHandle) 'lProcessID
    Dim hthread As Long
    'hThread = OpenThread (THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), false, mainThreadId
    hthread = OpenThread(THREAD_GET_CONTEXT, False, mainThreadId)
    hthread = OpenThread(THREAD_SUSPEND_RESUME, False, mainThreadId)
    hthread = OpenThread(THREAD_SET_CONTEXT, False, mainThreadId)
    SuspendThread (hthread)
    Dim threadContext As CONTEXT
    threadContext.ContextFlags = CONTEXT_CONTROL
    GetThreadContext hthread, threadContext
    
    CopyMemory codeCave(2), dash, 1
    CopyMemory codeCave(7), direction, 4
    CopyMemory codeCave(12), gameAddress, 4
    CopyMemory codeCave(17), &H11FD3, 4
    CopyMemory codeCave(26), threadContext.Eip, 4
    WriteProcessMemory pHandle, remoteCave, var, caveLenght, 0
    
    threadContext.Eip = remoteCave
    threadContext.ContextFlags = CONTEXT_CONTROL
    SetThreadContext hthread, threadContext
    ResumeThread (hthread)
    CloseHandle (hthread)
    VirtualFreeEx pHandle, remoteCave, caveLenght, MEM_RELEASE
    Declarations:
    Code:
    ' Win32 imports used by the Walk function above (kernel32 thread and memory APIs).
    Public Declare Function OpenThread Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long
    ' lpContext is passed ByRef (the default) so the CONTEXT type below is handed over by address.
    Public Declare Function GetThreadContext Lib "kernel32" (ByVal hthread As Long, lpContext As CONTEXT) As Long
    Public Declare Function SetThreadContext Lib "kernel32" (ByVal hthread As Long, lpContext As CONTEXT) As Long
    Public Declare Function SuspendThread Lib "kernel32" (ByVal hthread As Long) As Long
    Public Declare Function ResumeThread Lib "kernel32" (ByVal hthread As Long) As Long
    ' CopyMemory is an alias for RtlMoveMemory; as declared here all three arguments are ByVal.
    Public Declare Sub CopyMemory Lib "kernel32" Alias _
        "RtlMoveMemory" (ByVal Destination As Long, ByVal _
        Source As Long, ByVal Length As Integer)
    Public Declare Function VirtualAllocEx Lib "kernel32" _
    (ByVal hProcess As Long, lpAddress As Any, dwSize As Any, _
    ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
        
    ' Used only to size RegisterArea in FLOATING_SAVE_AREA below.
    Public Const SIZE_OF_80387_REGISTERS = 80
    
    ' MEM_COMMIT is commented out here; the Walk function above still references it,
    ' so it is presumably declared elsewhere in the project.
    'Public Const MEM_COMMIT = &H1000
    Public Const MEM_RELEASE = &H8000
    Public Const PAGE_EXECUTE = &H10
    ' OpenThread access-right flags (these are bit flags; see the commented-out OR'd call in Walk).
    Public Const THREAD_GET_CONTEXT = &H8
    Public Const THREAD_SUSPEND_RESUME = &H2
    Public Const THREAD_SET_CONTEXT = &H10
    ' ContextFlags value selecting the control registers (Eip, Esp, EFlags, segment selectors).
    Public Const CONTEXT_CONTROL = &H1
    
    ' x87 FPU save area embedded in CONTEXT.
    ' NOTE(review): in VB6, "RegisterArea(SIZE_OF_80387_REGISTERS)" declares indices 0..80,
    ' i.e. one more element than the constant's value — confirm this matches the intended layout.
    Type FLOATING_SAVE_AREA
       ControlWord As Long
       StatusWord As Long
       TagWord As Long
       ErrorOffset As Long
       ErrorSelector As Long
       DataOffset As Long
       DataSelector As Long
       RegisterArea(SIZE_OF_80387_REGISTERS) As Byte
       Cr0NpxState As Long
    End Type
    
    ' 32-bit thread context as read/written by GetThreadContext/SetThreadContext.
    ' Walk above reads and overwrites only the Eip field.
    Type CONTEXT
       ContextFlags As Long
       Dr0 As Long
       Dr1 As Long
       Dr2 As Long
       Dr3 As Long
       Dr6 As Long
       Dr7 As Long
       FloatSave As FLOATING_SAVE_AREA
       SegGs As Long
       SegFs As Long
       SegEs As Long
       SegDs As Long
       Edi As Long
       Esi As Long
       Ebx As Long
       Edx As Long
       Ecx As Long
       Eax As Long
       Ebp As Long
       Eip As Long
       SegCs As Long
       EFlags As Long
       Esp As Long
       SegSs As Long
    End Type
