Jump to content
Moopler Closing Read more... ×
Moopler
Sign in to follow this  
Zoomba

Source Old dinput8 source through TEB hook (fs:c0)

Recommended Posts

I don't think I have posted the source code here?

So here.

dinput8

It shows how to intercept all winapi calls from a single hook for a wow64 process.

It won't work with the current version of blackcipher.

For some WinApi like (NtOpenProcess,NtReadVirtualMemory,NtQueryVirtualMemory), it doesn't go through the wow64 callgate anymore (fs:c0), BlackCipher create a 64 bit thread and make it call the native syscall instead. There is 2 ntdll.dll loaded one 32 bit and the other 64 bit for a wow64 process. You now have to hook the 64 bit ntdll now.

1.thumb.jpg.f2743e93513997f399d453bc23a2ca79.jpg

In Cheat Engine the module symbol "_NtOpenProcess" without the quotes is the 64 bit NtOpenProcess. There is an underscore before the winapi name.

I have wrote a wow64 library in 2011 if anyones interested: wow64ext

I gave it to my subordinate rewolf and he released it on his github.

  • Thanks 1

Share this post


Link to post

Legit the most misinforming post I’ve ever seen - goes to show just how bad Aasdf really is, when he doesn’t even understand the basics of this 😂

1. fs:0xc0 is not a “TEB hook” - you just hook the KiFastSystemcall.

2. It doesn’t intercept ALL WinAPIs, only the ones that needs to trampoline into a 64-bit environment so they can elevate execution to ring0 (it’s not even that many...)

3. The entire thing you explained about how BlackCipher worked now is straight wrong :s

4. Nice credit leech

 

Imagine spending every single of your woken hours of healthcare provided stability on trying to hack games, and yet, after 12 years of autistic attempting, continue to fail... I feel sad for you, but I suppose we aren’t all meant to succeed... in anything, ever, I guess. 🤔

 

  • Like 2
  • Haha 2

Share this post


Link to post
11 hours ago, sleeveless said:

GoombaShrooms is aasdf!!

No aasdf isn’t me. Someone I will not name informed me of this so I had to register as forgot last account.

Bye bye until someone mentions this again and I gotta clear up the smoke.

I only have a macbook for my work now, I don’t have freetime like aasdf.

Edited by AJS
  • Like 1

Share this post


Link to post

The time has come. I noticed a few errors, so instead of obliterating your soul. I first decided to erase your confusions,

1.on 32 bit it's called KiFastSystemCall, but on 64 bit it's Wow32Reserved. "TEB Hook" kek so easy to manipulate knew aasdf was gonna trigger him :xd:

2. all native function does, retard

3. refer to ss at op

4. aasdf taught rewolf how to code.

valdemarcaroeisafaggotLOL.png.beeb43e8032f7a11864b90f2ccb3bc7b.png

Not sure if the last paragraph was suppose to make aasdf feel dandy. Seems like little valdemar caroe was obsessed since march when aasdf made that post on his thread and waited up until now to reword what has already been spitted at him:xd:

Goomba and aasdf are two different persons fucking retard

To anyone reading this, do know that valdemar caroe has some mental issues, first telling some foreign asian kid on another thread that kms has over 50 ngs crc and here he is now wasting his life here everyday logging on moopler spreading bullshit like AIDS he even stalk aasdf on social media commenting on his profile pic and such.

Edited by Iolreeree

Share this post


Link to post
On 31/12/2018 at 04:27, Iolreeree said:

here he is now wasting his life here everyday logging on moopler spreading bullshit like AIDS

Oh boy, how ironic.

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×