[HELP] Read/WriteProcessMemory

Postby hileci » Fri Aug 22, 2008 12:30 am

I want my program to read a pointer whose address is 0x111111, then add 0x111 to the address which the pointer holds and write 0x0 to the new address. How can I do that with the Read/WriteProcessMemory APIs?

Base Pointer : 0x111111
offset : 0x111
new value : 0x0

How can I do that?
Code:
#include <windows.h>

DWORD ProsesKimligi, Alan = 0x111111, AlinanAlan, HedefAlan;
HANDLE Islem;
BYTE eDegistirilen[1] = {0x0};   /* value to write at the new address */

/* ProsesKimligi must hold the target's process ID before this call */
Islem = OpenProcess(PROCESS_ALL_ACCESS, 0, ProsesKimligi);
/* read the 4-byte pointer stored at 0x111111 */
ReadProcessMemory(Islem, (LPVOID)Alan, &AlinanAlan, 4, NULL);
HedefAlan = AlinanAlan + 0x111;  /* [0x111111] + 0x111 */
WriteProcessMemory(Islem, (LPVOID)HedefAlan, &eDegistirilen, 4, NULL);
hileci
I Have A Few Questions
 
Posts: 6
Joined: Fri Aug 22, 2008 12:28 am

Postby mezzo » Fri Aug 22, 2008 1:14 am

[moved]
- No thanks, I already have a penguin -
mezzo
El Mariachi
 
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby spunge » Fri Aug 22, 2008 3:13 am

You have to find the processID first. It isn't static.

There are 2 ways to do it: one by process name and one by window handle.

CreateToolhelp32Snapshot/Process32First/Process32Next.

FindWindow/GetWindowThreadProcessId.

If the pointer changes, you have to constantly loop WPM.
spunge
NULL
 
Posts: 121
Joined: Sun Jul 27, 2008 4:58 am
Location: VEH callback

Thanks

Postby hileci » Fri Aug 22, 2008 5:16 am

Thanks Spunge, let's assume that the process ID is ProsesKimligi. What should I do now?
hileci
I Have A Few Questions
 
Posts: 6
Joined: Fri Aug 22, 2008 12:28 am

Postby L. Spiro » Fri Aug 22, 2008 10:34 am

If the format you want is [0x111111]+0x111 then you are done, except for one bug.


BYTE eDegistirilen[4]={0x0};


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby hileci » Fri Aug 22, 2008 11:13 pm

At the ReadProcessMemory line GetLastError() is 5, access denied. How can I fix that?
hileci
I Have A Few Questions
 
Posts: 6
Joined: Fri Aug 22, 2008 12:28 am

Postby L. Spiro » Fri Aug 22, 2008 11:35 pm

Open the process with the correct access/permissions.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby hileci » Sat Aug 23, 2008 12:26 am

I am running my .exe as administrator, and in the exe I am opening the target process with PROCESS_ALL_ACCESS. What more can I do?
hileci
I Have A Few Questions
 
Posts: 6
Joined: Fri Aug 22, 2008 12:28 am

Postby spunge » Sat Aug 23, 2008 4:09 am

Tokens.

AdjustTokenPrivileges.
spunge
NULL
 
Posts: 121
Joined: Sun Jul 27, 2008 4:58 am
Location: VEH callback

Postby hileci » Sat Aug 23, 2008 6:13 am

Thanks Spunge, I have been working on it but it still fails. Have a look at my code:
Code:
#include <windows.h>

TCHAR szMesg[256];
HWND HedefTutmac;
DWORD ProsesKimligi;
HANDLE Islem, GirisBelgesi;
LUID Yob;
TOKEN_PRIVILEGES Belge;

/* enable SeDebugPrivilege in our own token; it is the privilege that lets
   OpenProcess() succeed on processes we otherwise have no rights to
   ("seSecurityPrivilege" is a different privilege and does not help here) */
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &GirisBelgesi);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Yob);
Belge.PrivilegeCount = 1;
Belge.Privileges[0].Luid = Yob;
Belge.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(GirisBelgesi, FALSE, &Belge, sizeof(Belge), NULL, NULL);
/* AdjustTokenPrivileges returns TRUE even when the privilege was not granted;
   ERROR_NOT_ALL_ASSIGNED means this token does not hold it at all */
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
    MessageBox(NULL, "SeDebugPrivilege is not held by this token", "Error", MB_OK);
}
CloseHandle(GirisBelgesi);

HedefTutmac = FindWindow(NULL, "Knight OnLine Client");
GetWindowThreadProcessId(HedefTutmac, &ProsesKimligi);
/* PROCESS_VM_READ is enough for ReadProcessMemory; writing also needs
   PROCESS_VM_WRITE | PROCESS_VM_OPERATION */
Islem = OpenProcess(PROCESS_VM_READ, FALSE, ProsesKimligi);

/* GetLastError() is only meaningful when OpenProcess() returned NULL */
if (Islem == NULL) {
    wsprintf(szMesg, " %d", GetLastError());
    MessageBox(NULL, szMesg, "Error", MB_OK);
}

I am using Vista, Bloodshed Dev-C++, the C language, and X-Trap.
hileci
I Have A Few Questions
 
Posts: 6
Joined: Fri Aug 22, 2008 12:28 am

Postby L. Spiro » Sat Aug 23, 2008 11:17 am

If X-Trap is running then your OpenProcess() is running into hooks which change the permissions you use to open the process.
I am going by what I have observed; I have never studied in-depth because I do not have it.

But removing permissions such as read/write from your call to OpenProcess() seems to be a very popular idea among nProtect Game Guard and X-Trap.

You will need to call the kernel-mode functions directly, or if they are hooked you will need to reconstruct the code overwritten by the hook and add a JMP to the next command in the real function, then call your reconstructed code instead.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby hileci » Sat Aug 23, 2008 11:25 pm

How can I do that? Can you send a tutorial page about kernel-mode functions?

I have checked the game and saw that it is running as a system process. Does that matter?
hileci
I Have A Few Questions
 
Posts: 6
Joined: Fri Aug 22, 2008 12:28 am

Postby spunge » Sun Aug 24, 2008 2:28 am

Use RKU to check what kernel hooks are in place. Or write a driver that checks for a hook.
spunge
NULL
 
Posts: 121
Joined: Sun Jul 27, 2008 4:58 am
Location: VEH callback

Postby L. Spiro » Sun Aug 24, 2008 2:37 pm

MHS can check for kernel hooks itself; the full script is in the help file (but theirs is more advanced).

http://www.catch22.net/ has a tutorial on how to get started making kernel-mode drivers (and I know James, the owner).
http://www.catch22.net/tuts/kernel1.asp


http://www.rootkit.com/index.php will help later, along with http://www.reactos.org/en/index.html which has samples of many kernel functions which you can use as a rough guide.
Search for the function. For example, http://www.reactos.org/generated/doxygen/db/dbb/winbase_8h.html#a764.


L. Spiro
Our songs remind you of songs you’ve never heard.
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby w00t » Sun Oct 19, 2008 4:24 am

Hi!
I have the same problem, and I use EnableTokenPrivilege(SE_DEBUG_NAME), but still get access denied.

I found some similar threads around the net, and some people think it's caused by SP3.

My process (war.exe, e.g. Warhammer Online) runs as a normal user, my tool is launched as administrator, and I use EnableTokenPrivilege, but I still have this problem.

I'm going crazy, I never had this problem before on other MMORPGs :'(

PS: punkbuster is off

EDIT: OK, I just scanned my computer to find some hooks... and bingo:

Code:
Service Name                                        Syscall  Hooked    Module            Product
NtAdjustPrivilegesToken, ZwAdjustPrivilegesToken    11        YES       klif.sys          Kaspersky Anti-Virus


I'll try without kaspersky ;)
w00t
I Have A Few Questions
 
Posts: 3
Joined: Sun Oct 19, 2008 4:00 am
