Memory Hacking Software

[Shynd]

Code: Select all

void On_OpenProcess(HANDLE hProcess, DWORD dwProcessId)
{
   AttachDebugger();   
   
   wsock32_send = GetRemoteFuncAddress("WSOCK32.dll", "send");
   wsock32_recv = GetRemoteFuncAddress("WSOCK32.dll", "recv");
   ws2_32_send = GetRemoteFuncAddress("WS2_32.dll", "send");
   ws2_32_recv = GetRemoteFuncAddress("WS2_32.dll", "recv");
   
   LPSCRIPT_ADD_BP ws2_send_bp = {0};
   ws2_send_bp->aAddress = ws2_32_send + 5;
   ws2_send_bp->iType = SPBT_EXECUTE;
   ws2_send_bp->iCallback = SYS_FUNCS_SCRIPT_FUNC;
   ws2_send_bp->dwNewParms[1] = 2;
   ws2_send_bp->bSet = true;
   
   MessageBox(MBS_OK, "SLDKFJLS", "0x%08X\n0x%08X\n0x%08X\n0x%08X", wsock32_send, wsock32_recv, ws2_32_send, ws2_32_recv);
}

This crashes MHS. I can post the ASM address at which the exception occurs if you want me to. I don't even add the breakpoint, just populate the LPSCRIPT_ADD_BP, and it crashes. Seems odd to me.


Did some more testing, and if I leave the breakpoint struct unpopulated, it doesn't crash. As soon as I set ANY member of the structure to ANYTHING, it crashes. Even if I just set ->bSet = true; or ->bSet = 1;, it crashes.

[L. Spiro]

That is because you are using a pointer initialized to invalid data.

You need:

Code: Select all

SCRIPT_ADD_BP ws2_send_bp = {0};
ws2_send_bp.aAddress = ws2_32_send + 5;
ws2_send_bp.iType = SPBT_EXECUTE;
ws2_send_bp.iCallback = SYS_FUNCS_SCRIPT_FUNC;
ws2_send_bp.dwNewParms[1] = 2;
ws2_send_bp.bSet = true;

L. Spiro

[Shynd]

Oh. I tried .aAddress, but it was with LPSCRIPT_ADD_BP, which I suppose I saw in the documentation for the AddBreakpoint call. My bad. Thanks.

[L. Spiro]

LP = long pointer.

typedef SCRIPT_ADD_BP * LPSCRIPT_ADD_BP;

L. Spiro

[Shynd]

Yup. Got it working now.

Code: Select all

void On_OpenProcess(HANDLE hProcess, DWORD dwProcessId)
{
   //wsock32_send = GetRemoteFuncAddress("WSOCK32.dll", "send");
   wsock32_recv = GetRemoteFuncAddress("WSOCK32.dll", "recv");
   ws2_32_send = GetRemoteFuncAddress("WS2_32.dll", "send");
   ws2_32_recv = GetRemoteFuncAddress("WS2_32.dll", "recv");
   
   //MessageBox(MBS_OK, "SLDKFJLS", "WSOCK32.dll:recv(): 0x%08X\nWS2_32.dll:send(): 0x%08X\nWS2_32.dll:recv(): 0x%08X", wsock32_recv, ws2_32_send, ws2_32_recv);
   
   if (MessageBox(MBS_YES|MBS_NO, "Enable Packet Editing/Sniffing?", "Would you like to enable the packet editing/sniffing breakpoints for %s?", GetCurProcessName()) == MBS_NO)
      return;
   
   AttachDebugger();
   
   SCRIPT_ADD_BP ws2_send_bp = {0};
   ws2_send_bp.aAddress = ws2_32_send + 0x05;
   ws2_send_bp.iType = SPBT_EXECUTE;
   ws2_send_bp.bHardware = true;
   ws2_send_bp.iCallback = SYS_FUNCS_SCRIPT_FUNC;
   ws2_send_bp.dwNewParms[1] = 1;
   ws2_send_bp.bSet = true;
   AddBreakpoint(&ws2_send_bp, NULL);
   
   SCRIPT_ADD_BP wsock32_recv_bp = {0};
   wsock32_recv_bp.aAddress = wsock32_recv + 0x33;
   wsock32_recv_bp.iType = SPBT_EXECUTE;
   wsock32_recv_bp.bHardware = true;
   wsock32_recv_bp.iCallback = SYS_FUNCS_SCRIPT_FUNC;
   wsock32_recv_bp.dwNewParms[1] = 2;
   wsock32_recv_bp.bSet = true;
   AddBreakpoint(&wsock32_recv_bp, NULL);
   
   SCRIPT_ADD_BP ws2_recv_bp = {0};
   ws2_recv_bp.aAddress = ws2_32_send + 0x83;
   ws2_recv_bp.iType = SPBT_EXECUTE;
   ws2_recv_bp.bHardware = true;
   ws2_recv_bp.iCallback = SYS_FUNCS_SCRIPT_FUNC;
   ws2_recv_bp.dwNewParms[1] = 3;
   ws2_recv_bp.bSet = true;
   AddBreakpoint(&ws2_recv_bp, NULL);
}