API tools faq
paste
cos8o

RNG Hack Template

cos8o
Sep 11th, 2018
93
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ (WinAPI) 5.18 KB | None | 0 0
raw download clone embed print report
  1. /*
  2.     GD RNG Hack (template)
  3. */
  4.  
  5. #include <windows.h>
  6. #include <TlHelp32.h>
  7. #include <string>
  8. #include <iostream>
  9.  
  10. //HookFunction is kinda useless, but since this is a template, I prefer using it so I can use a large payload
  11.  
  12. bool HookFunction(HANDLE Process, void *Function, void *Callback, byte * Backup)
  13. {
  14.     byte jmp = 0xE9;
  15.     DWORD oldProtect, newProtect, offset;
  16.     offset = reinterpret_cast<unsigned long>(Callback) - reinterpret_cast<unsigned long>(Function) - 5;
  17.     if (!(VirtualProtectEx(Process, Function, 5, PAGE_EXECUTE_READWRITE, &oldProtect) &&
  18.         ReadProcessMemory(Process, Function, Backup, 5, NULL) &&
  19.         WriteProcessMemory(Process, Function, &jmp, 1, NULL) &&
  20.         WriteProcessMemory(Process, reinterpret_cast<void*>(reinterpret_cast<unsigned long>(Function) + 1), &offset, 4, NULL) &&
  21.         VirtualProtectEx(Process, Function, 5, oldProtect, &newProtect)))
  22.     {
  23.         return false;
  24.     }
  25.     return true;
  26. }
  27.  
  28. bool UnhookFunction(HANDLE Process, void *Function, byte *Buffer)
  29. {
  30.     DWORD oldProtect, newProtect;
  31.     if (!(VirtualProtectEx(Process, Function, 5, PAGE_EXECUTE_READWRITE, &oldProtect) &&
  32.         WriteProcessMemory(Process, Function, Buffer, 5, NULL) &&
  33.         VirtualProtectEx(Process, Function, 5, oldProtect, &newProtect)))
  34.     {
  35.         return false;
  36.     }
  37.     return true;
  38. }
  39.  
  40. unsigned long GetModuleAddress(unsigned int ProcessID)
  41. {
  42.     unsigned long addr = 0;
  43.     HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID);
  44.     if (snapshot != INVALID_HANDLE_VALUE)
  45.     {
  46.         MODULEENTRY32 mod = { 0 };
  47.         mod.dwSize = sizeof(MODULEENTRY32);
  48.         if (Module32First(snapshot, &mod))
  49.         {
  50.             do
  51.             {
  52.                 if (std::string(mod.szModule) == "msvcr120.dll" ||
  53.                     std::string(mod.szModule) == "MSVCR120.DLL" ||
  54.                     std::string(mod.szModule) == "MSVCR120.dll")
  55.                 {
  56.                     addr = reinterpret_cast<unsigned long>(mod.modBaseAddr);
  57.                     break;
  58.                 }
  59.             } while (Module32Next(snapshot, &mod));
  60.         }
  61.         CloseHandle(snapshot);
  62.     }
  63.     return addr;
  64. }
  65.  
  66. unsigned long GetOffset()
  67. {
  68.     unsigned long off = 0;
  69.     HMODULE mod = LoadLibraryExA("msvcr120.dll", NULL, DONT_RESOLVE_DLL_REFERENCES);
  70.     if (mod == NULL) return 0;
  71.     off = reinterpret_cast<unsigned long>(GetProcAddress(mod, "rand"));
  72.     if (off > 0) off -= reinterpret_cast<unsigned long>(mod);
  73.     if (FreeLibrary(mod) == FALSE) return 0;
  74.     return off;
  75. }
  76.  
  77. void * AllocatePayload(HANDLE Process)
  78. {
  79. byte payload[] = { 0xB8, 0xFF, 0xFF, 0xFF, 0x7F, 0xC3 };
  80. void * addr = VirtualAllocEx(Process, 0, 6, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  81. return WriteProcessMemory(Process, addr, &payload, 6, NULL) ? addr : nullptr;
  82. }
  83.  
  84. bool WriteValue(HANDLE Process, void *Address, unsigned long Value)
  85. {
  86.     return WriteProcessMemory(Process, reinterpret_cast<void*>(reinterpret_cast<unsigned long>(Address) + 1), &Value, 4, NULL);
  87. }
  88.  
  89. int main()
  90. {
  91.     HWND window = NULL;
  92.     unsigned long pID = 0, k = 0;
  93.     HANDLE proc = NULL;
  94.     void * addrOfRand = 0, *addrOfPayload = 0;
  95.     byte * backup = new byte[5];
  96.     bool state = true;
  97.     std::string buffer;
  98.  
  99.     SetConsoleTitleA("RNG Hack");
  100.  
  101.     std::cout << "Waiting for Geometry Dash..." << std::endl;
  102.     while (window == NULL)
  103.     {
  104.         Sleep(250);
  105.         window = FindWindowA(0, "Geometry Dash");
  106.     }
  107.  
  108.     GetWindowThreadProcessId(window, &pID);
  109.  
  110.     proc = OpenProcess(PROCESS_ALL_ACCESS, NULL, pID);
  111.     if (proc == INVALID_HANDLE_VALUE)
  112.     {
  113.         std::cout << "ERROR: cannot attach Geometry Dash." << std::endl;
  114.         std::cin.get();
  115.         return 0;
  116.     }
  117.  
  118.     addrOfRand = reinterpret_cast<void*>(GetModuleAddress(pID) + GetOffset());
  119.     if (!addrOfRand)
  120.     {
  121.         std::cout << "ERROR: cannot get function address." << std::endl;
  122.         std::cin.get();
  123.         return 0;
  124.     }
  125.  
  126.     addrOfPayload = AllocatePayload(proc);
  127.     if (addrOfPayload == nullptr)
  128.     {
  129.         std::cout << "ERROR: payload injection failed." << std::endl;
  130.         std::cin.get();
  131.         return 0;
  132.     }
  133.  
  134.     if (!HookFunction(proc, addrOfRand, addrOfPayload, backup))
  135.     {
  136.         std::cout << "ERROR: hooking failed." << std::endl;
  137.         std::cin.get();
  138.         return 0;
  139.     }
  140.  
  141.     for (;;)
  142.     {
  143.         system("cls");
  144.         std::cout << "State: " << (state ? "enabled" : "disabled") << std::endl;
  145.         std::cout << "Enter a valid number (or leave empty to change the state): " << std::endl;
  146.         std::getline(std::cin, buffer);
  147.         if (buffer == "")
  148.         {
  149.             if (state)
  150.             {
  151.                 if (!UnhookFunction(proc, addrOfRand, backup))
  152.                 {
  153.                     std::cout << "ERROR: unhooking failed." << std::endl;
  154.                     std::cin.get();
  155.                     return 0;
  156.                 }
  157.                 std::cout << "Hack disabled." << std::endl;
  158.             }
  159.             else
  160.             {
  161.                 if (!HookFunction(proc, addrOfRand, addrOfPayload, backup))
  162.                 {
  163.                     std::cout << "ERROR: hooking failed." << std::endl;
  164.                     std::cin.get();
  165.                     return 0;
  166.                 }
  167.                 std::cout << "Hack enabled." << std::endl;
  168.             }
  169.             state ^= 1;
  170.         }
  171.         else
  172.         {
  173.             try
  174.             {
  175.                 if (!state)
  176.                 {
  177.                     std::cout << "Hack is disabled. Please enable it." << std::endl;
  178.                 }
  179.                 else
  180.                 {
  181.                     k = std::stoul(buffer, nullptr, 10);
  182.                     if (!WriteValue(proc, addrOfPayload, k))
  183.                     {
  184.                         std::cout << "ERROR: cannot write on payload." << std::endl;
  185.                         std::cin.get();
  186.                         return 0;
  187.                     }
  188.                 }
  189.             }
  190.             catch (const std::invalid_argument&)
  191.             {
  192.                 std::cout << "Invalid number." << std::endl;
  193.             }
  194.         }
  195.         std::cin.get();
  196.     }
  197.  
  198.     std::cin.get();
  199.     return 0;
  200. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!