ASM Help Required


Postby Hacker » Fri Apr 20, 2007 7:26 am

Hey all
I'm working on some DMA busting code injection
However I'm not a super wiz kid at ASM
So hopefully someone can lend a hand

Here is a snippet of the executables code:
Code:
0055e9b0    55                              push ebp
0055e9b1    8BEC                            mov ebp,esp
0055e9b3    56                              push esi
0055e9b4    57                              push edi
0055e9b5    8BF9                            mov edi,ecx
0055e9b7    8BF2                            mov esi,edx
0055e9b9    8B4D08                          mov ecx,[ebp+0x8]
0055e9bc    8BC1                            mov eax,ecx
0055e9be    C1E902                          shr ecx,0x2
0055e9c1    F3A5                            rep movs dword ptr es:[edi],dword ptr [esi]
0055e9c3    8BC8                            mov ecx,eax
0055e9c5    83E103                          and ecx,0x3
0055e9c8    F3A4                            rep movs byte ptr es:[edi],byte ptr [esi]
0055e9ca    5F                              pop edi
0055e9cb    5E                              pop esi
0055e9cc    5D                              pop ebp
0055e9cd    C20400                          retn 0x4


The line that's updating the dynamic memory is actually at offset 0055e9c1
- rep movs dword ptr es:[edi],dword ptr [esi]
I've been having a bash at this for several hours now
But just can't figure out how to mimic this in static memory

Any assistance from a more experienced ASM coder would be much appreciated

8) Hacker 8)
Hacker
I Have A Few Questions
 
Posts: 7
Joined: Fri Apr 20, 2007 7:23 am

Postby L. Spiro » Fri Apr 20, 2007 8:58 am

Code:
rep movs dword ptr es:[edi],dword ptr [esi]

Moves from ESI to EDI an array of EAX DWORDs.
This is not a good place to do dynamic-to-static code injection.

EAX will be set to the number of items to copy.
ESI and EDI will be set to the source and destinations respectively.
Then the instruction is executed repeatedly until EAX reaches 0. For each iteration, ESI and EDI are increased by 4 and the value is copied from ESI to EDI.

If your static address is somewhere in there, there is nothing you can do; you can not stop a REP until EAX reaches 0.


The only thing you can do is find out how far down the arrays your address is and copy it one line before the REP MOVS. One line before the REP MOVS, you will have pointers from the source and to the destination, so you can calculate your offset from there and copy it to the location you need to make it static.


L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby Hacker » Fri Apr 20, 2007 12:05 pm

Thanks for the speedy reply
And thanks even more for explaining this command which I've not come across before
A great idea as to a possible solution
I'll give it a try when I get a chance
I was planning on letting it get copied to the dynamic area
Resetting the required register(s) (EAX as you explained)
Doing a copy to static memory
Then applying an offset to the desired byte
But your solution seems a lot neater
So I'll see if I can manage that :D

Just a few questions if that's alright
Is EAX always the register used to store the times to repeat?
And what does "es:" in the command mean?

Postby L. Spiro » Fri Apr 20, 2007 7:29 pm

ECX (I was wrong to say EAX; I wrote it after jumping out of bed) is always the number of items to copy.


Hacker wrote:And what does "es:" in the command mean?

http://pdos.csail.mit.edu/6.828/2006/readings/i386/LGS.htm


L. Spiro

Postby Hacker » Fri Apr 20, 2007 7:53 pm

Ok, this is my code so far
Code:
offset 0x0055e9bc         ; offset of code to replace
call 0x005620d5           ; call to injected code

offset 0x005620d5         ; start of injected code
mov eax,ecx               ; reproduce original code replaced
shr ecx,0x2               ; reproduce original code replaced
push edx                  ; push edx onto stack
mov dl,[esi]              ; copy required byte from address stored in esi to the lower byte of edx
mov [0x00370000],dl       ; move required byte from lower byte of edx to static memory
pop edx                   ; pop edx off stack
retn                      ; end of injected code


However when the line:
Code:
mov dl,[esi]

Gets inserted it crashes the program
I know this isn't due to program code or similar important information getting overwritten because:
Code:
mov edx,esi

Works just fine and takes the same amount of space in the program (2 bytes)
Any ideas?

Postby L. Spiro » Fri Apr 20, 2007 8:31 pm

Just use EDX and copy the whole DWORD.
You can use only the lower 8 bits when you access it later.


And you really should be using my Code-Injection Suite; it does everything for you to make sure you don’t make silly mistakes.


L. Spiro

Postby Hacker » Fri Apr 20, 2007 10:07 pm

L. Spiro wrote:Just use EDX and copy the whole DWORD.
You can use only the lower 8 bits when you access it later.

Presumably you mean replacing
Code:
mov dl,[esi]
mov [0x00370000],dl

With:
Code:
mov edx,[esi]
mov [0x00370000],edx

Unfortunately this also causes the crash which is why I asked

L. Spiro wrote:And you really should be using my Code-Injection Suite; it does everything for you to make sure you don’t make silly mistakes.

Thanks for the tip, I'll give it a go if I can't get this fixed
However I'm developing this for use with another scripting language
And wasn't sure if I could then move it over

Postby L. Spiro » Sat Apr 21, 2007 12:10 am

Hacker wrote:Unfortunately this also causes the crash which is why I asked

Then ESI is not a valid pointer and you are reading from invalid RAM.


Hacker wrote:However I'm developing this for use with another scripting language

Using ASM injections with a different scripting language besides L. Spiro Script?
Speaking of which I should add the Assemble() and Disasm() functions to the script.


L. Spiro

Postby Hacker » Sat Apr 21, 2007 12:30 am

L. Spiro wrote:Then ESI is not a valid pointer and you are reading from invalid RAM.

Hmm, then how is it valid for:
Code:
rep movs dword ptr es:[edi],dword ptr [esi]

But not:
Code:
mov edx,[esi]


L. Spiro wrote:Using ASM injections with a different scripting language besides L. Spiro Script?

Well eventually I'll be using AutoHotkey to do the code inject and then read the static memory values

Postby L. Spiro » Sat Apr 21, 2007 12:48 am

You need to pay attention to the error printed when it crashes.

But if you are sure ESI has already been initialized, try:
MOV EDX, DWORD PTR ES:[ESI]


Hacker wrote:Well eventually I'll be using AutoHotkey to do the code inject and then read the static memory values

For your purposes, what can AutoHotkey do that MHS can not?
I ask primarily to know if I am lacking in features I could easily add.


L. Spiro
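To make the semantics under discussion concrete, here is a C model of the routine at 0055e9b0. This is an added example, not code from the thread, from MHS or from the target program; the function and parameter names are my own, and the register roles (EDI = destination, ESI = source, [ebp+8] = byte count) are read straight from the listing. It shows what the REP MOVSD / REP MOVSB pair copies, how to locate a watched address inside the destination array one instruction before the REP MOVS (the approach suggested earlier in the thread, instead of trying to interrupt the REP), and the edge case behind the "valid for REP MOVS but not for mov edx,[esi]" question: with a count of 0 the REP prefix runs zero iterations and never touches ESI or EDI, whereas a plain MOV through ESI always dereferences it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread.  Model of the routine at 0055e9b0:
 *   mov edi,ecx        ; destination
 *   mov esi,edx        ; source
 *   mov ecx,[ebp+8]    ; byte count
 *   mov eax,ecx / shr ecx,2 / rep movsd   ; count>>2 DWORDs
 *   mov ecx,eax / and ecx,3 / rep movsb   ; count&3 trailing bytes
 * Name and signature are assumptions for illustration. */
void *copy_like_0055e9b0(void *dst, const void *src, uint32_t n)
{
    uint8_t *d = dst;
    const uint8_t *s = src;
    uint32_t dwords = n >> 2;   /* shr ecx,0x2 */
    uint32_t tail   = n & 3;    /* and ecx,0x3 */

    /* rep movsd: with a count of 0 the instruction performs no memory
       access at all, so ESI/EDI need not point to valid RAM in that case. */
    while (dwords--) {
        memcpy(d, s, 4);        /* one DWORD per iteration, ESI and EDI += 4 */
        d += 4;
        s += 4;
    }
    /* rep movsb: the remaining 0..3 bytes */
    while (tail--) {
        *d++ = *s++;
    }
    return dst;
}

/* One instruction before the REP MOVS, EDI/ESI hold the destination/source
 * bases and the count is known.  Given a watched (dynamic) address, return
 * its byte offset from the destination base, or -1 if this copy does not
 * cover it.  Helper name is an assumption. */
long offset_within_copy(uintptr_t dst_base, uint32_t n, uintptr_t watched)
{
    if (watched < dst_base || watched >= dst_base + n)
        return -1;
    return (long)(watched - dst_base);
}

/* Read the DWORD that will land at the watched address directly from the
 * source, i.e. the value available before the REP MOVS executes. */
uint32_t peek_value_before_copy(const void *src, long off)
{
    uint32_t v;
    memcpy(&v, (const uint8_t *)src + off, 4);
    return v;
}

int main(void)
{
    /* Constructed sample: an 11-byte payload (2 DWORDs + 3 bytes). */
    const char src[] = "0123456789A";
    unsigned char dst[12] = {0};

    copy_like_0055e9b0(dst, src, 11);
    printf("copied: %.11s\n", dst);

    /* Count of 0: no iteration, so even a null source is never read. */
    copy_like_0055e9b0(dst, NULL, 0);

    /* Constructed addresses: destination base 0x1000, watched 0x1005. */
    long off = offset_within_copy(0x1000, 11, 0x1005);
    printf("watched address is %ld bytes into the copy\n", off);
    return 0;
}
```

The bounds check in offset_within_copy is the part a practitioner wants before reading anything: only if the watched address falls inside [base, base+count) does the value exist in the source yet, and the peek must be done before the REP MOVS rather than after, since the loop cannot be stopped part way.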

Postby Hacker » Sat Apr 21, 2007 1:21 am

I'm new around here so I'm guessing:
MHS = Memory Hacking Software?

Having only used MemHack for the first time today I'm thinking it mainly deals with accessing and modifying memory
Whereas AutoHotkey is a keyboard and mouse emulation scripting language
However for the project I'm working on I'm attempting to use AutoHotkey to send keystrokes based on values in memory
AutoHotkey allows DLL calls so I'll use ReadProcessMemory of kernel32.dll to achieve this memory comparison

Question:
In the MemHack Disassembly how do I move to an address that isn't available by using the scrollbar?
I tried Right Click > Go to Address
But it's greyed out

Postby L. Spiro » Sat Apr 21, 2007 2:36 am

Hacker wrote:I'm new around here so I'm guessing:
MHS = Memory Hacking Software?

Technically yet not really.
Memory Hacking Software is the official name of the old deprecated software.

MHS is the official codename of the current releases of the same software, which has been rebuilt from scratch, meaning it isn’t really the same software.

Demo #23 is faster, stabler, less RAM-consuming, and in most places more feature-rich than Memory Hacking Software 3.0.1.4 Pro.
Not to mention that Memory Hacking Software 3.0.1.4 Pro can give your computer a blue screen of death thanks to instabilities in the driver.




Hacker wrote:Having only used MemHack for the first time today I'm thinking it mainly deals with accessing and modifying memory

It’s meant to just do everything, from scanning/modifying process RAM to hex-editing both RAM and files, disassembling/debugging, and general programming.


Hacker wrote:Whereas AutoHotkey is a keyboard and mouse emulation scripting language

L. Spiro Script, included in MHS and in Memory Hacking Software, has the required API functions for sending keyboard, mouse, and joystick input, as well as ease in reading/writing memory values.
And since the script is actually the C language with some additions, you can add any logical processing to the hotkeys you want.
It is also fully documented, and here again the documentation for MHS is better than the documentation for Memory Hacking Software.


Hacker wrote:However for the project I'm working on I'm attempting to use AutoHotkey to send keystrokes based on values in memory
AutoHotkey allows DLL calls so I'll use ReadProcessMemory of kernel32.dll to achieve this memory comparison

As mentioned, my language is just C with some additions. The additions, however, are specifically meant to make it easy to read/write process.
Although you can use ReadProcessMemory() and WriteProcessMemory() in the script, you also have the option of using extern variables, which as esco and some others will tell you is the easiest possible way to work with the RAM in the target process.
The help file (better to use the MHS help file in Demo #23) includes a full explanation with copy/paste samples that work out-of-the-box.

Definitely look into extern variables before you get too deep into the project.


Hacker wrote:In the MemHack Disassembly how do I move to an address that isn't available by using the scrollbar?
I tried Right Click > Go to Address
But it's greyed out

That button is for quickly going to a call or jump destination.
In both Memory Hacking Software and MHS, Go To can be accessed via Ctrl-G while the control has focus.

The Memory Hacking Software disassembler you are using (3.0.1.4 Pro) has more features, but it is not stable.
MHS has fewer features because I am currently working on it, but it is 100% stable.
If you do use Memory Hacking Software instead of Demo #23, you might get a blue screen of death, however this can only happen once since the driver will not be loaded again after that. Until you load MHS.exe (instead of MemHack.exe). MHS.exe (Demo #23) will reset some flags that will allow the driver to be loaded again, which could cause the crash again later should you switch back to MemHack.exe.



I would drop 3.0.1.4 Pro altogether and get Demo #23. Since the disassembler is not finished, you could use another disassembler for some things, though injections should probably be done in MHS.
And once you have MHS, glance at the help file, particularly regarding scripts and the capabilities therein.


L. Spiro

Postby Hacker » Sat Apr 21, 2007 3:31 am

L. Spiro wrote:The Memory Hacking Software disassembler you are using (3.0.1.4 Pro) has more features, but it is not stable.

I had noticed :P