MapleStory / Hack Development. By:

Size: px

Start display at page:

Download "MapleStory / Hack Development. By:"

Earl Hudson
5 years ago
Views:

1 MapleStory / Hack Development Sheet By: Last Updated: 3/14/2009

2 Multi-level Pointers (Read) Credits: This cool idea just randomly came to mind while on IRC. #include <stdarg.h> #define OFFSETS_END 0xDEADBEEF checkreturn BOOL _ReadPointer( out PULONG_PTR pulvalue, in LPCVOID lpcvbase,...) ULONG_PTR ultemp; va_list parguments; BOOL bret; int ioffset; try ultemp = (ULONG_PTR)lpcvBase; va_start(parguments, lpcvbase); while ((ioffset = va_arg(parguments, int))!= OFFSETS_END) ultemp = *(ULONG_PTR*)((*(ULONG_PTR*)ulTemp) + ioffset); va_end(parguments); *pulvalue = ultemp == (ULONG_PTR)lpcvBase? *(ULONG_PTR*)ulTemp : ultemp; bret = TRUE; except(exception_execute_handler) bret = FALSE; return bret; #define ReadPointer(x, y,...) _ReadPointer(x, y, VA_ARGS, OFFSETS_END) Example usage: // Read a pointer: [0x600000]+0x69] ReadPointer(&ulValue, (LPCVOID)0x600000, 0x69); // Read a multi-level pointer: [[[[0x400000]+10]]+10] ReadPointer(&ulValue, (LPCVOID)0x400000, 10, 0, 10); PROTIP: I'm being lazy and if you wanted it to be as safe as possible, instead of just catching exceptions I suggest you use VirtualQuery. Opcode Dll Credits: Compiled Dll: Source Code Dll: Compiled Sample: Source Code Sample: Destroying MapleStory s Play Screen Credits:

3 HWND hwnd = FindWindow("StartUpDlgClass", 0); for(; hwnd; Sleep(100), hwnd = FindWindow("StartUpDlgClass", 0)) DestroyWindow(hWnd); Hooking Send API Credits: SOCKET psocket = NULL; DWORD Sendaddr = NULL; DWORD SendJmp = NULL; DWORD OldProtection; // void declspec(naked) stdcall SendHook() asm mov edi,edi push ebp mov ebp, esp push [ebp+0x08] push [ebp+0x0c] call LogHandler jmp SendJmp void stdcall LogHandler( char* buf, SOCKET sock ) // cut rapion said so psocket = sock; //Log buf here return; void HookHandler( bool ishook ) if( ishook ) Sendaddr = (DWORD)GetProcAddress( LoadLibrary( "ws2_32.dll" ), "send" ); SendJmp = Sendaddr + 5; VirtualProtect( &Sendaddr, 0x05, PAGE_READWRITE, &OldProtection ); *(BYTE*)Sendaddr = 0xe9; *(int*)(sendaddr+1) = JMP( Sendaddr, (DWORD*)SendHook ); if(!ishook ) *(WORD*)Sendaddr = 0xFF8B; *(BYTE*)(Sendaddr+2) = 0x55; *(WORD*)(Sendaddrs+3) = 0xEC8B; VirtualProtect( &Sendaddr, 0x05, OldProtection, &OldProtection ); NtOpenProcess Hook Credits: //

4 //The_Undead : Rhys M. //Driver.c #include "Ntddk.h" #include "ntifs.h" #define IO_HOOK_FUNCTIONS #define IO_UNHOOK_FUNCTIONS #define IO_GETSETINFO CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_ANY_ACCESS) CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_ANY_ACCESS) CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0003, METHOD_BUFFERED, FILE_ANY_ACCESS) //Global Variables UNICODE_STRING DeviceName, DeviceLink; HANDLE UserLandProcessID = (HANDLE)-1; // Function callnumbers ULONG NtOpenProcess_callnumber = 0x007a; //Function Prototypes NTKERNELAPI HANDLE PsGetProcessId(IN PEPROCESS Process); NTSTATUS stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); void HookFunctions( void ); void UnHookFunctions( void ); HANDLE RetrivePID( char* ); // Function signatures typedef ULONG (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL); IN POBJECT_ATTRIBUTES // Function holders NTOPENPROCESS OldNtOpenProcess; void declspec(naked) stdcall UnProtect( void ) asm cli mov eax, CR0 and eax, not 10000H mov CR0, eax void declspec(naked) stdcall Protect( void ) asm mov eax, CR0 OR eax, 10000h mov CR0, eax sti NTSTATUS NewNtOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)

5 NTSTATUS ntstatus = STATUS_INVALID_PARAMETER; if ( ClientId->UniqueProcess == UserLandProcessID ) return STATUS_ACCESS_DENIED; ntstatus = ((NTOPENPROCESS)(OldNtOpenProcess))(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); return ntstatus; void UnHookFunctions( void ) UnProtect(); //Restore origianl function address (NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber] = OldNtOpenProcess; Protect(); void HookFunctions( void ) // Store original functions OldNtOpenProcess = (NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber]; UnProtect(); // Hook Functions (NTOPENPROCESS)KeServiceDescriptorTable->ServiceTable[NtOpenProcess_callnumber] = &NewNtOpenProcess; Protect(); HANDLE RetrivePID( char* ProcessName ) PEPROCESS PeProcess = NULL; PLIST_ENTRY pnextentry, plisthead; PeProcess = PsGetCurrentProcess(); if(!peprocess) DbgPrint( "[ALARM] -> Cannot find 'System' process!" ); return (HANDLE)-1; if( IsListEmpty( &PeProcess->ActiveProcessLinks )) DbgPrint("[ALARM] -> No processes found!"); plisthead = &PeProcess->ActiveProcessLinks; pnextentry = plisthead->flink; while(pnextentry!= plisthead) PeProcess = CONTAINING_RECORD( pnextentry,eprocess,activeprocesslinks ); if(peprocess->activethreads) if(!islistempty(&peprocess->threadlisthead )) if( _strnicmp( PeProcess->ImageFileName, ProcessName,strlen(ProcessName) ) == 0 ) return (HANDLE)-1; PeProcess = NULL; pnextentry = pnextentry->flink; return PsGetProcessId( PeProcess );

6 NTSTATUS stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) NTSTATUS status = STATUS_SUCCESS; int FunctionStatus = -1; switch (Irp->Tail.Overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode) case IO_HOOK_FUNCTIONS: FunctionStatus = 0; Irp->IoStatus.Information = sizeof(int); memcpy(irp->associatedirp.systembuffer, &FunctionStatus, sizeof(int)); DbgPrint("Hooking...\n"); HookFunctions(); break; case IO_UNHOOK_FUNCTIONS: FunctionStatus = 1; Irp->IoStatus.Information = sizeof(int); memcpy(irp->associatedirp.systembuffer, &FunctionStatus, sizeof(int)); DbgPrint("Unhooking...\n"); UnHookFunctions(); break; case IO_GETSETINFO: FunctionStatus = 2; UserLandProcessID = RetrivePID( (char*)irp->associatedirp.systembuffer ); //DbgPrint("Process ID of %s %i", (char*)irp->associatedirp.systembuffer, UserLandProcessID); DbgPrint("Process ID: %i", UserLandProcessID); Irp->IoStatus.Information = sizeof(int); memcpy(irp->associatedirp.systembuffer, &FunctionStatus, sizeof(int)); break; IofCompleteRequest(Irp, IO_NO_INCREMENT); return status; NTSTATUS stdcall IOOpenClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) IofCompleteRequest(Irp, IO_NO_INCREMENT); return STATUS_SUCCESS; VOID OnUnload(IN PDRIVER_OBJECT DriverObject) DbgPrint("Unloading!\n"); IoDeleteSymbolicLink(&DeviceLink); IoDeleteDevice(DriverObject->DeviceObject); DriverObject->DriverUnload; //Driver entry point NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theregistrypath) NTSTATUS ntstatus; PDEVICE_OBJECT pdeviceobject;

7 RtlInitUnicodeString(&DeviceName, L"\\Device\\UndeadRootkit"); ntstatus = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pdeviceobject); if (ntstatus == STATUS_SUCCESS) RtlInitUnicodeString(&DeviceLink, L"\\DosDevices\\UndeadRootkit"); if (IoCreateSymbolicLink(&DeviceLink, &DeviceName)!= STATUS_SUCCESS) IoDeleteDevice(DriverObject->DeviceObject); return STATUS_OBJECT_NAME_EXISTS; DriverObject->DriverUnload = OnUnload; DriverObject->MajorFunction[IRP_MJ_CREATE] = &IOOpenClose; DriverObject->MajorFunction[IRP_MJ_CLOSE] = &IOOpenClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &IOControll; return ntstatus; And: // //The_Undead : Rhys M. //DriverControl.cpp #include "windows.h" #include "tlhelp32.h" #include "stdlib.h" #define METHOD_BUFFERED 0x #define FILE_ANY_ACCESS 0x #define FILE_DEVICE_UNKNOWN 0x #define CTL_CODE( DeviceType,Function, Method,Access)(\ ((DeviceType)<<16) ((Access)<<14) ((Function)<<2) (Method)) #define IO_HOOK_FUNCTIONS #define IO_UNHOOK_FUNCTIONS FILE_ANY_ACCESS) #define IO_GETSETINFO FILE_ANY_ACCESS) #define HOOKFUNCTIONS #define UNHOOKFUNCTIONS #define GETISETNFO CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_ANY_ACCESS) CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0003, METHOD_BUFFERED, 0x x x /* Global Variables */ char TargetProcessName[MAX_PATH]; //Driver - GUI link char DriverLink[] = "\\\\.\\UndeadRootkit"; //Driver installation - removal variables. char DriveName[26] = "UndeadRootkit"; SC_HANDLE hscmanger = NULL; SC_HANDLE hservice = NULL; char Directory[501]; int CheckOnlyProcess( char* ProcessName ) int NumberOfProcesses = 0;

8 DWORD dwsize = 0; HANDLE hprocesssnap = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0); PROCESSENTRY32 pe32; pe32.cntusage = 1; pe32.th32moduleid = 0; pe32.th32parentprocessid = 0; pe32.dwsize = sizeof(processentry32); do if (!strcmp(pe32.szexefile, ProcessName)) NumberOfProcesses++; while (Process32Next(hProcessSnap, &pe32)); CloseHandle(hProcessSnap); return NumberOfProcesses; bool FileExists( LPSTR lpszfilename ) WIN32_FIND_DATA wfd; HANDLE hfind = FindFirstFile(lpszFilename, &wfd); if (hfind == INVALID_HANDLE_VALUE) return FALSE; FindClose(hFind); return TRUE; BOOL InstallDriver( void ) SC_HANDLE hscmanger = NULL; SC_HANDLE hservice = NULL; ZeroMemory(&Directory, sizeof(directory)); GetCurrentDirectory( sizeof(directory), Directory ); strcat(directory, "\\UndeadRootkit.sys"); hscmanger = OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE); if(!hscmanger) return FALSE; hservice = CreateService(hSCManger, DriveName,DriveName, GENERIC_READ, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, Directory, NULL,NULL,NULL,NULL,NULL); if(!hservice) if(getlasterror() == ERROR_SERVICE_EXISTS) hservice = OpenService(hSCManger,DriveName,DELETE); if(hservice) if(!deleteservice(hservice))

9 return FALSE; CloseServiceHandle(hService); CloseServiceHandle(hService); CloseServiceHandle(hSCManger); hscmanger = OpenSCManager(NULL,NULL,SC_MANAGER_CONNECT); if(!hscmanger) return FALSE; hservice = OpenService(hSCManger,DriveName,SERVICE_START); if(hservice) if (!StartService(hService, 0, NULL)) return FALSE; CloseServiceHandle(hService); CloseServiceHandle(hSCManger); return TRUE; BOOL StopDriver( void ) SERVICE_STATUS servicestatus; hscmanger = OpenSCManager(NULL,NULL,SC_MANAGER_CONNECT); if(!hscmanger) return FALSE; hservice = OpenService(hSCManger,DriveName,SERVICE_STOP); if(hservice) ControlService(hService,SERVICE_CONTROL_STOP,&servicestatus); CloseServiceHandle(hService); hservice = OpenService(hSCManger,DriveName,DELETE); DeleteService(hService); CloseServiceHandle(hService); CloseServiceHandle(hSCManger); return TRUE; int DriverControl(int Event) // 0 : Hooked // 1 : Unhooked // 2 : Information Received DWORD bytesio; HANDLE hfile; int ret = -1; hfile = CreateFile(DriverLink, GENERIC_READ GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, 0); switch ( Event ) case HOOKFUNCTIONS: DeviceIoControl(hFile, IO_HOOK_FUNCTIONS, NULL, 0, &ret, sizeof(int), &bytesio, NULL);

10 CloseHandle(hFile); return ret; case UNHOOKFUNCTIONS: DeviceIoControl(hFile, IO_UNHOOK_FUNCTIONS, NULL, 0, &ret, sizeof(int), &bytesio, NULL); CloseHandle(hFile); return ret; &bytesio, NULL); CloseHandle(hFile); return ret; case GETISETNFO: DeviceIoControl(hFile, IO_GETSETINFO, &TargetProcessName, sizeof(targetprocessname), &ret, sizeof(int), CloseHandle(hFile); return ret; int main(int argc, char* argv[]) int ret = -1; char Key[25] = 0x00 ; BOOL InformationSent, Hooked = FALSE; ZeroMemory(&TargetProcessName, sizeof(targetprocessname)); puts("the_undead - NtOpenProcess Hook"); puts("target Process Name:"); scanf("%s", &TargetProcessName); if (strlen(targetprocessname) < 3) return 0; if ( CheckOnlyProcess(TargetProcessName) > 0 ) StopDriver(); if ( InstallDriver() == FALSE ) puts("failed to start driver! Please try again."); StopDriver(); ExitProcess(0); while ( strcmp(key, "EXIT")) printf("-->"); scanf("%s", &Key); if (!strcmp(key, "HOOK")) ret = DriverControl( GETISETNFO); if ( ret == 2 ) InformationSent = TRUE; InformationSent = FALSE; if ( Hooked == FALSE ) if ( InformationSent == TRUE ) ret = DriverControl ( HOOKFUNCTIONS); if ( ret == 0 )

11 puts("hooked"); Hooked = TRUE; Hooked = FALSE; puts("no information set..."); puts("already hooked..."); if (!strcmp(key, "UNHOOK")) if ( Hooked == TRUE ) ret = DriverControl ( UNHOOKFUNCTIONS); if ( ret == 1 ) Hooked = FALSE; puts("unhooked"); ret = 0; puts("no functions hooked!"); puts("no process found"); StopDriver(); getchar(); return 0; Create Process Credits: BOOL CreateProcessWrapper( LPTSTR process_name, DWORD CreationFlag ) STARTUPINFO si; PROCESS_INFORMATION pi; ZeroMemory( &si, sizeof(si) ); si.cb = sizeof(si); ZeroMemory( &pi, sizeof(pi) ); int retval = CreateProcess( process_name, NULL,NULL,NULL,FALSE, CreationFlag, NULL,NULL,&si,&pi); CloseHandle( pi.hprocess ); CloseHandle( pi.hthread ); return retval;

12 For a list of Creation Flags look here. Trainer Reference Credits: Info/Notes/Update Welcome to my reference page for c++ Hacks/Bots, and I hope you find this, A guid guide if you are interested in learning to make DLL/EXE Bots/Hacks, in C++ ~Good Luck! ~Give me some suggestions Current: v.4 1 ~ Made Guide 2 ~ Updated added : Num 2 3 ~ Grammar - Section 4 ~ Added : Num 3-4 (Pointers) 1. Basic Dll This section is for the absolute beginner. Here is the code: #include <windows.h> #include <tchar.h> //Unless linking Multi-Byte ( Project > Properties > Config > Char Set > Multi-Byte ) HMOUDLE Moudle; void IntWindow() //Do stuff here. BOOL APIENTRY DllMain( HMODULE hmodule, DWORD ul_reason_for_call, LPVOID lpreserved) if (ul_reason_for_call == DLL_PROCESS_ATTACH) Module = hmodule; CreateThread(0,0,(LPTHREAD_START_ROUTINE)&Window,0,0,0); return TRUE; Ok so here is the break down: We have a void object that will house our window and can be called by thread, void IntWindow() //Do stuff here.

13 So we need to call this when the DLL is started or called, BOOL APIENTRY DllMain( HMODULE hmodule, DWORD ul_reason_for_call, LPVOID lpreserved) //Do Stuff Now all this is a return value of bool so if it works true if not false, Now it is called so we have values like its module, its reseon and a void that is reserved for padding purpuses. So all we need is Reson and module. So this code says if it is called by attaching, use module to point and create thread to it. if (ul_reason_for_call == DLL_PROCESS_ATTACH) //If we are attaching Module = hmodule; //Set moudle for later CreateThread(0,0,(LPTHREAD_START_ROUTINE)&Window,0,0,0); // Into this later return TRUE; //I know but for good purpose. 2. A popup Win32 Window This is for that person who can make a dll base, but wants a window for that cool effect. The code: LRESULT CALLBACK ProcWindow (HWND hwnd, UINT imsg, WPARAM wparam, LPARAM lparam) switch (imsg) case WM_CREATE: break; case WM_DESTROY: PostQuitMessage(0); break; return DefWindowProc(hWnd,iMsg,wParam,lParam); void DeintWindow() UnregisterClass(_T("Tut Window"), Module); FreeLibraryAndExitThread(Module, 0);

14 void IntWindow() HWND hwnd; MSG imsg; WNDCLASSEX wc; ZeroMemory(&wc,sizeof(WNDCLASSEX)); wc.cbsize = sizeof(wndclassex); wc.style = CS_HREDRAW CS_VREDRAW; wc.cbclsextra = 0; wc.cbwndextra = 0; wc.hbrbackground = (HBRUSH)COLOR_BTNSHADOW; wc.hicon = LoadIcon(NULL,IDI_APPLICATION); wc.hcursor = LoadCursor(NULL,IDC_ARROW); wc.hinstance = Module; wc.lpfnwndproc = ProcWindow; wc.lpszmenuname = NULL; wc.lpszclassname = _T("Tut Window"); wc.hiconsm = LoadIcon(NULL,IDI_APPLICATION); if (!RegisterClassEx(&wc)) MessageBox(0,_T("Failed"),0,0); ExitWindow(); hwnd = CreateWindowEx(WS_EX_APPWINDOW WS_EX_TOOLWINDOW,_T("Tut window"),_t("tut Window"),WS_SYSMENU,CW_USEDEFAULT,CW_USEDEFAULT,200,400,0,0,Module,NULL); ShowWindow(hWnd,SW_SHOWNORMAL); UpdateWindow(hWnd); while (GetMessage(&iMsg,0,0,0)) TranslateMessage(&iMsg); DispatchMessage(&iMsg); DeintWindow(); Break down: Well the window function is just the start of making a cool bot with pictures, but a lot is need to learn. The reason for zeromemory in wc is to make room for the class of the window, or well *bad*. So thats that. Now "Wc" class is for the windows settings like its message handler, etc... Now Only things to change are, Name, to your desired class ( lpszclassname ), unless you know how WinProc works. ( See links ). HWND and MSG are also parts of the handler. and Register is to make that class for the window, create window for the popup, show window for the HWND and Update to call draw, and while loop for messages, unless PostMessage == 0. Deint() is just Freeing the libary and thread in Moudle and killing the class of the window. ProcWindow is the message center for the popup, more on that.

15 3. Pointers ~ Reading This section is for the beginning of actual memory edits. Here is the code: #include <windows.h> #include <tchar.h> //Unless linking Multi-Byte ( Project > Properties > Config > Char Set > Multi-Byte ) //Reads a Pointer inline ULONG_PTR ReadPointer(ULONG_PTR* ulbase, INT noffset) if (!IsBadReadPtr((VOID*)ulBase, sizeof(ulong_ptr)) ) if (!IsBadReadPtr((VOID*)((*(ULONG_PTR*)ulBase)+nOffset), sizeof(ulong_ptr)) ) return *(ULONG_PTR*)((*(ULONG_PTR*)ulBase)+nOffset); return 0; Break up: A pointer basically asks for a base and then a offset, this makes it so you don't have to recode it every time you play, and even then you won't be able know the address before playing. inline and ulong_ptr are just the typedef for the function don't worry we can use it to check our pointers later. Basicly all this is doing is checking if the base/offset and base+offset are bad and if it is it won't read it and return the value of 0x or 0. If it works it will return the value of that pointer. 3. Pointers ~ Writing This section is for the beginning of actual memory edits. Here is the code: *(DWORD*)(*(DWORD*)Base + Offset) = 0; Break up: As we know the Pointer is read similarly, so changing is like changing a DWORD, yep using the "=" operator. Basically we use the same prefix for pointers: *(DWORD*), then use (*(DWORD*) so it will be turned into a WORD, and then add the base+offset and let it = 0; So: Base+Offset = the address that we point to = 0 = what we changed the address to GetPixel Credits:

16 HINSTANCE hginst; // Instance of GDI32 DLL DWORD gpdllfunc; // Load gdi32 DLL hginst = LoadLibrary("gdi32.dll"); gpdllfunc = NULL; if (hginst!= NULL) // Get function pointer of GetPixel gpdllfunc = (DWORD)GetProcAddress(hgInst, "GetPixel"); if (gpdllfunc!= NULL) gpdllfunc += 5; declspec(naked) COLORREF WINAPI mygetpixel(hdc hdc, int nxpos, int nypos) asm mov edi, edi push ebp mov ebp, esp jmp dword ptr ds:[gpdllfunc] PostMessage Credits: htto:// DWORD PMA = (DWORD)GetProcAddress( LoadLibraryW(L"User32.dll" ), "PostMessageA" ) + 5; declspec(naked) BOOL WINAPI PM(HWND hwnd, UINT Msg, WPARAM wparam, LPARAM lparam) asm mov edi, edi push ebp mov ebp, esp jmp dword ptr ds:[pma] Kitterz s Functions Credits: htto:// //If address Is Valid bool Check(const BYTE* pdata, const BYTE* bmask, const char* szmask) for(; *szmask; ++szmask, ++pdata, ++bmask) if(*szmask == 'x' && *pdata!= *bmask ) return false; return (*szmask) == NULL;

17 //Find Address DWORD FindPattern(BYTE *bmask, char* szmask, DWORD dwoffset) DWORD dwaddress = 0x ; DWORD dwlen = 0x01FFFFFF; for(dword i=0; i < dwlen; i++) if( Check ((BYTE*)( dwaddress + i ), bmask, szmask) ) return (DWORD)(dwAddress + i + dwoffset); return 0x ; SetCursorPos Credits: MapleStory Hack htto:// //PostMessage Bypass DWORD SetCPH00k = (DWORD)GetProcAddress( LoadLibraryW(L"user32.dll" ), "SetCursorPos" ) + 5; declspec(naked) BOOL WINAPI SetMouse(int X,int Y) asm mov edi, edi push ebp mov ebp, esp jmp dword ptr ds:[setcph00k] All code and text is owned by respective owners. This document is registered to AlbanainRetard at

We display some text in the middle of a window, and see how the text remains there whenever the window is re-sized or moved.

1 Programming Windows Terry Marris January 2013 2 Hello Windows We display some text in the middle of a window, and see how the text remains there whenever the window is re-sized or moved. 2.1 Hello Windows