In this example, we’ll try to hack the program below (“Demo.exe”): locate its functions with x32dbg, then call them from a DLL injected into the running process.
- Build → Build Solution, then run “Demo.exe”
Step 1: Find the address/offset of Function1() and Function2() in memory
- Run x32dbg, then attach it to the running “Demo.exe” process
- Go to the “Symbols” tab and select the “demo” module. It lists all functions in this program.
- Go to the “CPU” tab: Right click → Search for → All Modules → String references
- Find the reference to the string “This is function 1” and double-click it. This lands in the code that prints it, i.e. inside Function1().
- Debug → Execute till return: runs until the “ret” of the function that prints the string.
- Debug → Step over: executes that “ret” and lands in the caller, on the instruction right after the call to Function1():
call demo.A510AA : call Function1()
push demo.AA59B48 : push the address of the string "This is function 2 !!!" on the stack (the argument for Function2)
call demo.A51104 : call Function2()
add esp,4 : the caller removes the 4-byte argument after the call; this is the cdecl convention, where the caller cleans up the stack
With 2 parameters it would be “add esp,8” (two 4-byte arguments on 32-bit).
- Double-click “call demo.A510AA”, then the “…Function1(void)…” entry
0x12370 : offset (RVA) of Function1(), shown with the calling convention “__cdecl”
0x123F0 : offset (RVA) of Function2(), shown with the calling convention “__cdecl”
So to call Function1(), we just have to call whatever is at the load address of demo.exe + 0x12370. The load address changes from run to run (ASLR), so it must be read at run time rather than hardcoded; the offset itself changes whenever Demo.exe is rebuilt, so it has to be read again after every rebuild.
Function2() takes a parameter shown as “char const *”; in C/C++ that is exactly the same type as “const char *”, so either spelling works for the function-pointer type, and the calling convention in that type must be __cdecl to match.
- Stop x32dbg
Step 2: Create a new project “Dynamic-Link Library (DLL)”
- Change the project settings: the DLL must be built for the same architecture as Demo.exe (Win32/x86 here), otherwise it cannot be loaded into the process
- Build → Build Solution
Step 3: Inject the newly built DemoHack.dll with Cheat Engine
- Reopen “Demo.exe”, then attach Cheat Engine to it
- Click “Memory View”, then Tools → Inject DLL → select “DemoHack.dll” → Yes → OK
OUTPUT
Then when we press “1”: it calls both functions
press “2”: it calls Function1()
press “3”: it calls Function2() with our string parameter
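The DLL built in Step 2 is only shown as screenshots above, so here is an added example of what it looks like, written for this page rather than taken from the original project. It assumes Demo.exe is a 32-bit (x86) console program, that Function1/Function2 are __cdecl as x32dbg displayed them, and that 0x12370 / 0x123F0 are the offsets read in Step 1; the key bindings follow the OUTPUT section, the "Hello from DemoHack.dll" string and the End key to stop are my own choices. The Windows-only parts are guarded so the offset and prologue helpers also compile elsewhere.

```c
/*
 * DemoHack.c: added example of the injected DLL from Step 2 (not the page's
 * own project code). Assumptions: Demo.exe is a 32-bit (x86) console program,
 * Function1/Function2 are __cdecl as x32dbg showed, and the RVAs below are the
 * 0x12370 / 0x123F0 offsets read in Step 1. Build as a Win32 DLL with MSVC;
 * the Windows-only parts are guarded so the helpers also compile elsewhere.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#define DEMO_CDECL __cdecl
#else
#define DEMO_CDECL   /* the calling-convention keyword only matters on x86 Windows */
#endif

/* RVAs (offset from the load address of demo.exe) as read from the Symbols tab.
 * They change whenever Demo.exe is rebuilt, so they are the fragile part. */
#define FUNCTION1_RVA 0x12370u
#define FUNCTION2_RVA 0x123F0u

/* The pointer types must match the targets exactly: same calling convention,
 * parameter count and types. "char const *" and "const char *" are one type. */
typedef void (DEMO_CDECL *Function1_t)(void);
typedef void (DEMO_CDECL *Function2_t)(const char *msg);

/* Resolve an RVA against the module base. The base differs per run under ASLR,
 * so it is looked up at run time instead of being hardcoded. */
static uintptr_t resolve_rva(uintptr_t module_base, uint32_t rva)
{
    return module_base + rva;
}

/* Sanity check before calling: a 32-bit MSVC function built without frame-
 * pointer omission starts with "push ebp; mov ebp,esp" (55 8B EC). If the bytes
 * differ, the RVA is probably stale and calling it would crash Demo.exe. */
static int looks_like_x86_prologue(const unsigned char *code)
{
    static const unsigned char prologue[] = { 0x55, 0x8B, 0xEC };
    return memcmp(code, prologue, sizeof prologue) == 0;
}

/* Constructed sample bytes (not dumped from Demo.exe) to exercise the check:
 * a typical debug-build prologue and a run of int3 padding. */
static const unsigned char sample_prologue[] = { 0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xC0, 0x00, 0x00, 0x00 };
static const unsigned char sample_padding[]  = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Call Function1 and/or Function2 inside the host; returns how many were called. */
int call_targets(uintptr_t module_base, int want1, int want2, const char *msg)
{
    int called = 0;
    if (want1) {
        uintptr_t addr = resolve_rva(module_base, FUNCTION1_RVA);
        if (looks_like_x86_prologue((const unsigned char *)addr)) {
            ((Function1_t)addr)();
            called++;
        } else {
            printf("[DemoHack] Function1 RVA looks stale, not calling\n");
        }
    }
    if (want2) {
        uintptr_t addr = resolve_rva(module_base, FUNCTION2_RVA);
        if (looks_like_x86_prologue((const unsigned char *)addr)) {
            ((Function2_t)addr)(msg);   /* cdecl: our compiler emits the "add esp,4" cleanup */
            called++;
        } else {
            printf("[DemoHack] Function2 RVA looks stale, not calling\n");
        }
    }
    return called;
}

#ifdef _WIN32
/* Key menu matching the OUTPUT section: 1 = both, 2 = Function1, 3 = Function2,
 * End = stop polling. Polling GetAsyncKeyState avoids fighting Demo.exe for stdin. */
static DWORD WINAPI hack_thread(LPVOID param)
{
    uintptr_t base = (uintptr_t)GetModuleHandleA(NULL); /* base of the host exe, i.e. demo.exe */
    (void)param;
    printf("[DemoHack] injected, demo.exe base = %p\n", (void *)base);
    for (;;) {
        if (GetAsyncKeyState('1') & 1) call_targets(base, 1, 1, "Hello from DemoHack.dll");
        if (GetAsyncKeyState('2') & 1) call_targets(base, 1, 0, NULL);
        if (GetAsyncKeyState('3') & 1) call_targets(base, 0, 1, "Hello from DemoHack.dll");
        if (GetAsyncKeyState(VK_END) & 1) break;
        Sleep(50);
    }
    return 0;
}

/* Do the work on a new thread: DllMain runs under the loader lock and must return fast. */
BOOL APIENTRY DllMain(HMODULE module, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(module);
        HANDLE t = CreateThread(NULL, 0, hack_thread, NULL, 0, NULL);
        if (t) CloseHandle(t);
    }
    return TRUE;
}
#endif
```

Two design points worth keeping when adapting this: the function-pointer typedefs carry the calling convention and parameter list read from x32dbg, because a mismatch (for example stdcall vs cdecl, or a missing argument) silently corrupts the stack of Demo.exe; and the prologue check is a cheap guard against the most common failure, which is calling an offset left over from a previous build of Demo.exe.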