The last noob Q for minesweeper


Postby Torero » Mon Jan 22, 2007 6:38 am

if ( (e_pbBoard[(32*J)+I] & 0x80) == 0 ) {
    GetClickPos( iX, iY, &pClick, I, J );
}

This is from the minesweeper example. What I don't get is this part:

e_pbBoard[(32*J)+I] & 0x80, does it put together a value or a variable to compare against 0?

Postby Torero » Mon Jan 22, 2007 6:49 am

What I don't get is how you define the terms for LSS to know what to pull out from the target process.

I see the variable in the previous post is defined here,

extern struct BOARDSIZE {
    INT iWidth;
    INT iHeight;
} e_bwSize = { "winmine.exe", 0x5334 }; // The width and height of the board.
extern BYTE e_pbBoard[32*32] = { "winmine.exe", 0x5361 };

but then this piece doesn't look like a definition of any sort, aside from a conventional variable definition.

extern sure is a new concept. If it's that easy, how come C++ doesn't have it? :lol:

Postby L. Spiro » Mon Jan 22, 2007 10:29 am

(e_pbBoard[(32*J)+I] & 0x80)

This is just basic array access.

This:
CHAR szString[32] = "Hello";
for ( INT I = 0; szString[I] != '\0'; ++I ) {
    PrintF( "%c", szString[I] );
}

runs a variable through the string and prints the character (CHAR, char) at each position until a '\0' character is found.
This is standard in C, C++, and almost any normal language with array access ([ ]).

Your game might also have a string in it somewhere, such as the same one as above: “Hello”.
The difference is that the string/code I posted works entirely within its own space.
The strings/code in your games work entirely within the space of the game.
They don’t work together at all, so the code I just posted won’t print the strings in your game.
Introducing extern.
extern allows you to use the same code as above but instead of working with data from inside your script, it works with data from inside your game.


All we have to do is modify the definition of the data to let the script know that it is in the game instead of inside your script.
extern CHAR szString[32] = { "game.exe", 0x0005FE8C };
for ( INT I = 0; szString[I] != '\0'; ++I ) {
    PrintF( "%c", szString[I] );
}

The code doesn’t change at all (which is what makes it easy to work with extern variables).
The only thing that changed is the address of the data, which you can see is at [game.exe+0x0005FE8C] inside your game.

but then this piece doesn't look like a definition of any sort aside from conventional variable definition.

Correct.
That is why extern is easy to use.
Following the same conventions as in C/C++, we define a variable the same way we normally would, but prefix it with extern so the language knows it is in the game, then postfix it with { "module", offset } so the language knows where in the game it is.


Just a note.
You can not “initialize” extern variables because they have already been initialized inside the game.
So at the end of the variable declaration you only need to supply the address of the variable inside the game, rather than supplying an initial value.



What I don't get is how you define the terms for LSS to know what to pull out from the target process

extern = Inside the game.
CHAR = Type of the value inside the game. Whatever type you assign here is what determines how the value will be interpreted when it is taken from the target process.
szString = Your own variable name; it can be anything.
{ "module", offset } = Address inside the game where the CHAR variable is.


One line of code tells L. Spiro Script everything it needs to know to work with the data in the game.
After all this, we can go back to the original point.
(e_pbBoard[(32*J)+I] & 0x80)

Basic array access.
(32*J)+I calculates the array index to get.
e_pbBoard is extern, so the value at that array index will come from the target process.
e_pbBoard is declared as a BYTE array, so the value taken from the target process will be one byte.

& 0x80 is the operation performed on that byte (which came from the target process).

After that operation, if the value is 0, we go into the if statement.


L. Spiro
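An added example, not code from this thread and not L. Spiro Script or MHS code: the same two ideas from the answer above written in plain C against a constructed in-memory snapshot instead of a live process. The offsets 0x5334 and 0x5361 are the ones the winmine.exe declarations in the thread quote; the snapshot contents, the 9x9 board, and the function names (build_snapshot, read_board_size, cell_high_bit, count_clear_cells, first_clear_index) are assumptions made up for this example. It shows that the declared type decides how the bytes at an address are interpreted, and that e_pbBoard[(32*J)+I] & 0x80 is ordinary array access followed by a bit test that produces a value (0 or 0x80), not a new variable.

```c
/* Added example: extern-style reads and the & 0x80 test, reproduced against
 * a constructed byte buffer that stands in for "winmine.exe" memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets quoted in the thread's extern declarations; the buffer they
 * index is constructed below and is NOT the real game image. */
#define OFF_BOARDSIZE 0x5334u
#define OFF_BOARD     0x5361u
#define BOARD_STRIDE  32u                 /* row stride behind (32*J)+I */
#define SNAPSHOT_LEN  (OFF_BOARD + BOARD_STRIDE * BOARD_STRIDE)

/* Same layout as the thread's BOARDSIZE: two 32-bit INTs. */
typedef struct { int32_t iWidth; int32_t iHeight; } BOARDSIZE;

static uint8_t g_snapshot[SNAPSHOT_LEN];  /* stand-in for the game's memory */

/* Fill the constructed snapshot: a 9x9 board in which the cells at (0,0)
 * and (5,5) have bit 7 set, one cell has only low bits set, and everything
 * else is zero. Returns the number of bytes initialised. */
size_t build_snapshot(void) {
    BOARDSIZE sz = { 9, 9 };
    memset(g_snapshot, 0, sizeof g_snapshot);
    /* Writing the struct's bytes at 0x5334 is what the declared type
     * "struct BOARDSIZE" later tells the reader to expect there. */
    memcpy(g_snapshot + OFF_BOARDSIZE, &sz, sizeof sz);
    g_snapshot[OFF_BOARD + BOARD_STRIDE * 0 + 0] = 0x8F;   /* bit 7 set */
    g_snapshot[OFF_BOARD + BOARD_STRIDE * 5 + 5] = 0x80;   /* bit 7 set */
    g_snapshot[OFF_BOARD + BOARD_STRIDE * 1 + 2] = 0x0F;   /* bit 7 clear */
    return sizeof g_snapshot;
}

/* Plain-C equivalent of:
 *   extern struct BOARDSIZE e_bwSize = { "winmine.exe", 0x5334 };
 * The type decides that 8 bytes at that offset are read as two INTs. */
BOARDSIZE read_board_size(void) {
    BOARDSIZE sz;
    memcpy(&sz, g_snapshot + OFF_BOARDSIZE, sizeof sz);
    return sz;
}

/* Plain-C equivalent of the expression (e_pbBoard[(32*J)+I] & 0x80).
 * e_pbBoard is a BYTE array at 0x5361, so one byte is fetched and the
 * result of the & is a VALUE: 0x80 if bit 7 is set, 0 otherwise. */
unsigned cell_high_bit(unsigned i, unsigned j) {
    const uint8_t *e_pbBoard = g_snapshot + OFF_BOARD;
    return e_pbBoard[(BOARD_STRIDE * j) + i] & 0x80u;
}

/* The loop the snippet lives in: visit every cell of the board and count
 * those whose bit 7 is clear (the case in which the thread's if-body runs).
 * Optionally reports the first such cell; either pointer may be NULL. */
unsigned count_clear_cells(unsigned *first_i, unsigned *first_j) {
    BOARDSIZE sz = read_board_size();
    unsigned n = 0;
    for (unsigned j = 0; j < (unsigned)sz.iHeight; ++j) {
        for (unsigned i = 0; i < (unsigned)sz.iWidth; ++i) {
            if (cell_high_bit(i, j) == 0) {          /* same condition as the thread */
                if (n == 0 && first_i && first_j) { *first_i = i; *first_j = j; }
                ++n;
            }
        }
    }
    return n;
}

/* Linear index of the first clear cell, using the script's (32*J)+I arithmetic. */
unsigned first_clear_index(void) {
    unsigned i = 0, j = 0;
    count_clear_cells(&i, &j);
    return BOARD_STRIDE * j + i;
}

int main(void) {
    build_snapshot();
    BOARDSIZE sz = read_board_size();
    unsigned fi = 0, fj = 0;
    unsigned n = count_clear_cells(&fi, &fj);
    printf("board %dx%d, %u cells with bit 7 clear, first at (%u,%u)\n",
           (int)sz.iWidth, (int)sz.iHeight, n, fi, fj);
    printf("cell (0,0) & 0x80 = 0x%02x, cell (2,1) & 0x80 = 0x%02x\n",
           cell_high_bit(0, 0), cell_high_bit(2, 1));
    return 0;
}
```

The two memcpy calls are the whole point of the "type decides interpretation" remark: the bytes at 0x5334 are only a width and a height because the reader declares them as struct BOARDSIZE, and the bytes at 0x5361 are only cells because the reader declares them as a BYTE array. Nothing in the example touches another process; the buffer is local, which is also the easiest way to unit-test such index and mask logic before pointing it at live memory.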

Postby Torero » Tue Feb 06, 2007 12:33 pm

{ "module", offset } = Address inside the game where the CHAR variable is.

In other words, we have to use memory hacking software and our knowledge to find out first how the target variable/process/array/functions work, and then use this one line to precisely cut out LSS's target paper doll. Knowing this piece of information beforehand, we can define the target regardless of how the target process is run and where our values are today at this instant.

Cool. Now I should get my http://www.watchguard.com/ box up to protect my tiny LAN and start to create my own stuff.

BTW, how do you protect your computer? I buy that product because I don't know any better :lol:

Postby L. Spiro » Tue Feb 06, 2007 2:49 pm

Knowing before hand this piece of information we can define the target regardless of how the target process is run and where our values are today at this instant.

It’s mostly that simple.
You won’t need to know much more than that until you get advanced.
BTW, how do you protect your computer? i buy that product because I don't know any better

I am pretty lax on protection, since I mostly use my work computer.
My laptop, however, is of high priority, and the best protection there is is to simply not use it.
Well, I use it, but let’s just say I am extremely careful with what I do.
No unusual sites.
No downloading from any remotely non-trusted places.
No thumbdrives.
No networking.
Little online.


But just assuming I am never getting a virus is foolish, so I have a large stockpile of virus scanners as well that I manually update and run daily.
I primarily use all of:
Dr. PC
Stinger
SpyBot: Search & Destroy
and PC Tools.


All new/malicious sites are visited at work (after which I also clean viruses).
My laptop is then left to visit only known sites and trusted/research sites.
Scanning daily allows me to know which sites are threatening.

Unfortunately enough, MPC Forum is one site that I prefer to visit; however, it does quite often attempt to give you viruses.
Given its thousands of visitors per day, I always wonder why no one complains.


L. Spiro
