The Next Release

Postby L. Spiro » Fri Feb 02, 2007 9:52 am

As some have shown more support for this growing software, I decided to drop a note regarding the next release, since it might be a little while before I can get it out.


It has been a while since the last release already, and some have even asked if the project died.

It did not. But the next release is quite a step up and takes a while to do.


I have finally rewritten all of the old OllyDbg disassembler/assembler code, not only making it my own, but making it thread safe, organized, faster, and more stable (OllyDbg’s code is at high risk of buffer overflows, and in fact some people have already found this to be true, using DLL files in their games with names longer than 200 characters, causing OllyDbg to crash).

The next release will have the Injection Manager again.
Injections use the same file format as before so you can load old injections fine.
It currently comes with all the same features and dialogs as before, and new features will come later.
I would also like to tie injections into the script system so you can inject and uninject at will using scripted logic.


I also need to add single-stepping in the debugger.
And for that to be useful, I also have to add a helper tab/window to show registers.



I have also modified the script compilation routine, making some areas work better and patched a few small problems that could invoke crashes of deadly death. Or was that last release? Whatever, I fixed some things at one point or another.


I’ve also been fixing up small things here and there, making the program overall more complete.


L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby esco » Fri Feb 02, 2007 3:41 pm

Hey bro, nice to see that you're still HARD at work! :D

I've actually started my C programming class this semester and wow! It's AMAZING the # of ways I can do things in your program! I've learned a BUNCH of shortcuts already and I can't wait to learn more.

Sorry that I never did the tests that I said I would in the other thread, but I got sick, and I've been so busy with work, school... and basically having sex in my free time (LOL) that I didn't get to.

Anyways, just wanted to drop you some support in this piece. Keep up the genius work. :)
Esco.... the name says it all. New Yorikan for life.
Posts: 148
Joined: Mon Sep 18, 2006 2:25 am
Location: Florida, a.k.a. the US's version of hell!

Postby Kakashi_s1 » Sat Feb 03, 2007 3:57 am

Same. I like your prog, Spiro. Really awesome. Hope it gets to the final stage soon.

By the way, I wonder if you can answer some questions:

1. Is there going to be a memory viewer much like CheatEngine? Well you already have one, but CheatEngine lets you edit the registry of the address. It's pretty nifty.

2. Can you tell me how you made all hidden processes viewable by your program? I'm trying to see if I can edit WPE Pro and make a hidden process unhidden.

Thanks
Posts: 34
Joined: Wed Jan 17, 2007 4:25 pm

Postby L. Spiro » Sat Feb 03, 2007 9:47 am

1. Is there going to be a memory viewer much like CheatEngine? Well you already have one, but CheatEngine lets you edit the registry of the address. It's pretty nifty.

I am not sure what this should mean.
Registry of the address how?
If my guess is correct, it would be possible after I get kernel-mode features going again. If it has to do with the address look-up table.


2. Can you tell me how you made all hidden processes viewable by your program? I'm trying to see if I can edit WPE Pro and make a hidden process unhidden.

This process is actually quite simple even from user-mode code (which I currently must use until I get my kernel-mode functionality back).
Unfortunately it isn’t just a flag change or something that simple, so you probably won’t be able to add it to WPE Pro easily without the source code.
To find all processes, just run a loop from 0x0000 to 0x4000 and check OpenProcess() on every ID. If it succeeds, there is a process there.
But then you have to use the ID to get the process name, which I do by creating a module snapshot of that process ID and using Module32First() one time (the first module in the list is always the actual process that was loaded).
Starting with the next release, Memory Hacking Software will show processes even if it can not get their names.
I removed that feature previously simply because if it can not get their names it can not open the process.
But I will add it again because it may help if you can see the process ID for processes that are really trying to hide.


L. Spiro
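The enumeration L. Spiro describes in the post above (probe every ID with OpenProcess, rather than trusting the list the system hands out) is the same idea anti-rootkit tools call a cross-view check: collect the process list two different ways and report anything that shows up in the brute-force probe but not in the normal enumeration. The code below is an added example, not code from MHS or from the post. The Windows branch uses OpenProcess and a Toolhelp snapshot as the post describes (the Module32First name lookup is left out); the POSIX branch, which is an assumption of mine and not from the post, does the same thing with /proc so the comparison step can be exercised on Linux. The 0x4000 ceiling is the post's figure and is deliberately kept as a constant you can raise.

```c
/* Added example, not MHS code: cross-view check for hidden processes. Two
 * views are compared: the normal enumeration API, and a brute-force probe of
 * every PID up to MAX_PID as the post above describes. Any PID that answers
 * the probe but is absent from the enumeration is reported. Windows uses
 * OpenProcess vs Toolhelp; the POSIX path (an assumption) uses /proc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PID 0x4000  /* ceiling used in the post; real PIDs can be larger */

/* Platform-independent step: write probed PIDs missing from the enumeration
 * view to out (at most outcap of them) and return how many were written. */
size_t find_hidden(const unsigned *listed, size_t nlisted,
                   const unsigned *probed, size_t nprobed,
                   unsigned *out, size_t outcap)
{
    size_t n = 0;
    for (size_t i = 0; i < nprobed && n < outcap; i++) {
        int seen = 0;
        for (size_t j = 0; j < nlisted && !seen; j++) seen = listed[j] == probed[i];
        if (!seen) out[n++] = probed[i];
    }
    return n;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Enumeration view: whatever CreateToolhelp32Snapshot is willing to list. */
static size_t list_processes(unsigned *out, size_t cap)
{
    size_t n = 0;
    PROCESSENTRY32 pe;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe))
        do { if (n < cap) out[n++] = pe.th32ProcessID; } while (Process32Next(snap, &pe));
    CloseHandle(snap);
    return n;
}
/* Probe view: OpenProcess on every ID (Windows PIDs are multiples of 4).
 * ERROR_ACCESS_DENIED still proves the process exists; it is just protected. */
static size_t probe_processes(unsigned *out, size_t cap)
{
    size_t n = 0;
    for (unsigned pid = 4; pid < MAX_PID && n < cap; pid += 4) {
        HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (h) { CloseHandle(h); out[n++] = pid; }
        else if (GetLastError() == ERROR_ACCESS_DENIED) out[n++] = pid;
    }
    return n;
}
#else
#include <ctype.h>
#include <dirent.h>
/* Enumeration view: the numeric directory names readdir() returns for /proc. */
static size_t list_processes(unsigned *out, size_t cap)
{
    size_t n = 0;
    struct dirent *e;
    DIR *d = opendir("/proc");
    if (!d) return 0;
    while ((e = readdir(d)) != NULL && n < cap)
        if (isdigit((unsigned char)e->d_name[0])) out[n++] = (unsigned)strtoul(e->d_name, NULL, 10);
    closedir(d);
    return n;
}
/* Probe view: open /proc/<pid>/status directly for every ID. Thread IDs resolve
 * this way too, so only an entry whose Tgid equals the ID counts as a process. */
static size_t probe_processes(unsigned *out, size_t cap)
{
    size_t n = 0;
    char path[64], line[128];
    for (unsigned pid = 1; pid < MAX_PID && n < cap; pid++) {
        FILE *f;
        snprintf(path, sizeof path, "/proc/%u/status", pid);
        if ((f = fopen(path, "r")) == NULL) continue;
        while (fgets(line, sizeof line, f))
            if (strncmp(line, "Tgid:", 5) == 0) {
                if (strtoul(line + 5, NULL, 10) == pid) out[n++] = pid;
                break;
            }
        fclose(f);
    }
    return n;
}
#endif

int main(void)
{
    static unsigned listed[MAX_PID], probed[MAX_PID], hidden[MAX_PID];
    size_t nl = list_processes(listed, MAX_PID);
    size_t np = probe_processes(probed, MAX_PID);
    size_t nh = find_hidden(listed, nl, probed, np, hidden, MAX_PID);
    printf("%zu enumerated, %zu answered the probe, %zu unlisted\n", nl, np, nh);
    for (size_t i = 0; i < nh; i++) printf("PID %u answers the probe but is not enumerated\n", hidden[i]);
    return 0;
}
```

A process that starts or exits between the two passes will show up as a one-off difference, so a hit is worth re-checking on a second run before treating it as something deliberately hidden. The comparison is kept in its own function so the platform-specific collectors can be swapped for any other pair of views (handle table walks, kernel object lists) without touching the logic that reports the discrepancy.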

Postby Kakashi_s1 » Mon Feb 05, 2007 4:23 pm

lol well I'm stuck again. I can't find the process that I'm looking for with WPE Pro. And I'm not sure if, after I do attach WPE Pro to the winsock, it will still work.

Anyways... since your program is also a debugger, would I also be able to reverse engineer the game data? Just a thought. I know Olly can do it, but Olly doesn't show the hidden processes either!

[EDIT]
Well that was interesting... Your debugger can attach to the hidden process (Ares.exe in my case) but, same as with WPE Pro, the program detects the hook and closes down.

I'm dealing with XTrap =(

Do you know of rootkits and how they work? I heard they can hide processes and DLLs and such. I tried but I keep getting Access Denied on my computer, so I gave up on that for now.
Posts: 34
Joined: Wed Jan 17, 2007 4:25 pm

Postby L. Spiro » Mon Feb 05, 2007 9:37 pm

Rootkits are kernel-mode drivers such as the one that comes with MHS.exe (hidden) that try to install hooks in system functions to gain control over how those functions work.

MHS.exe does not currently use this method, but it will in the future, to beat other rootkits that are trying to hide processes and files.
You need a rootkit to beat a rootkit.

For now there is not much you can do with this process, but the kernel-mode driver in development will change that soon enough.




What you can do, in OllyDbg, is load the process from disk instead of RAM.
Then follow its code as it loads and make modifications as required.
This was also possible in the old version of Memory Hacking Software, but not in the demos yet.
I do, however, plan to systematically walk through every feature in OllyDbg, consider how to make it better, and add it to MHS.
In the end, MHS will have all the functionality from OllyDbg, most from IDA, and tons of new features as well. But as you can imagine, this is quite a bit of work.


L. Spiro

Postby L. Spiro » Wed Feb 14, 2007 10:08 pm

[screenshot attached to the original post]

Notice the upgraded borders on all controls.
All custom controls now have themed borders on computers that enable them.

Notice the blue “EBP+10”. My mouse is hovering over it. In the future, these blue texts will be links, so if I were to click on it it would take me to the actual address where EBP+10 is. This applies to all [ ] areas.

Notice the header. Better than in previous versions.

Notice how quickly it loads and how fast it draws/updates. See that? So fast it looks like a flat picture.


L. Spiro

Postby k3rb0w » Fri Feb 16, 2007 2:57 am

Since most MMORPGs are under the protection of an anti-cheat program,
it would be more useful if MemHack could bypass them.
Have you considered it?
Posts: 4
Joined: Fri Feb 16, 2007 2:10 am

Postby Kakashi_s1 » Fri Feb 16, 2007 3:09 am

well his software can already be used because it's still fairly new. I have no problem with using this software.

If i use Cheat Engine or TSearch or etc. it will get detected.


PS, Spiro, I still can't hook Olly to the game because it loads from a Launcher.exe instead of the actual game client (Ares.exe). And if I do, I get an XTrap error.
Posts: 34
Joined: Wed Jan 17, 2007 4:25 pm

Postby k3rb0w » Fri Feb 16, 2007 3:47 am

Nah, it's detected by the newest GameGuard.
GG doesn't explicitly alert "GameHack Detected",
but after the game starts it stops loading and auto-quits.

any idea why?

Postby Kakashi_s1 » Fri Feb 16, 2007 9:25 am

Which version of Spiro's software are you using?

I've tried versions 6, 7, 8, and 11.

Version 7 works best for me. Maybe you should try that one.

Postby L. Spiro » Fri Feb 16, 2007 9:44 am

7 works better than 11?

I was pretty sure I fixed all issues in 11.


As for detection, 11 should have the least chance of being detected, since it uses kernel-mode functions to do some of the work.
11 uses the kernel for opening a process, for one.


L. Spiro

Postby Kakashi_s1 » Fri Feb 16, 2007 1:42 pm

Well, for some reason, versions 8 and up don't let me find values.

Version 11 says "Unobtainable" while version 8 only gives me a value of 0.
but in version 7, it works fine.

Postby L. Spiro » Fri Feb 16, 2007 2:45 pm

What game?


エル スパイロ

Postby Kakashi_s1 » Sat Feb 17, 2007 3:36 am

The Legend of Ares

http://legendofares.com

hehe, maybe you can help me with this game =D

(its all a learning process baby!)