Accessing memory address outside MHS?

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo


Postby pn0k » Thu Nov 15, 2007 5:36 am

Hi there. First of all, I want to thank L. Spiro for making this great piece of art - Good job!

I have found an address ([Static Pointer] + 20) in a game that I would like to access outside MHS. How do I do this? Do I need to use a kernel driver? Also how does it work with the program entry point? I somehow need to be able to access a specific address in this game's memory from another program I write myself. I'd guess the final address would be something like.. [Module EP + [Static Pointer] + 20)?

Greetings.
pn0k
I Have A Few Questions
 
Posts: 7
Joined: Thu Nov 15, 2007 5:31 am

Postby L. Spiro » Thu Nov 15, 2007 9:38 am

Refer to Module32First() (MODULEENTRY32.modBaseAddr) for the base address of the module and ReadProcessMemory() to write to ([MODULEENTRY32.modBaseAddr+StaticPointerOffset]+0x20).

You do not need the program entry point.


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
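The address arithmetic in the reply above, written out as an added example (this is not code from the thread, from MHS or from its author): a reader callback abstracts where the bytes come from, so the chain resolver can be exercised against a constructed in-process buffer, while the Windows-only part wraps ReadProcessMemory() and Module32FirstW()/Module32NextW(). The module name, the offsets 0x10 and 0x20, and the value 1337 are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reader callback: copy `len` bytes at `addr` of the inspected process into `out`.
 * Returns true only if the whole range was read. On Windows this wraps
 * ReadProcessMemory(); the stand-alone demo below reads a constructed buffer. */
typedef bool (*mem_reader)(void *ctx, uintptr_t addr, void *out, size_t len);

/* Resolve [base + static_off] + final_off exactly as in the reply:
 *   1. read the pointer stored at base + static_off
 *   2. add final_off to that pointer to get the address of the value.
 * Fails if the read fails or the pointer read back is NULL. */
bool resolve_chain(mem_reader rd, void *ctx, uintptr_t base,
                   uintptr_t static_off, uintptr_t final_off, uintptr_t *out_addr)
{
    uintptr_t ptr = 0;
    if (!rd(ctx, base + static_off, &ptr, sizeof ptr)) return false;
    if (ptr == 0) return false;
    *out_addr = ptr + final_off;
    return true;
}

/* Read a 32-bit value at the resolved address. */
bool read_chain_u32(mem_reader rd, void *ctx, uintptr_t base,
                    uintptr_t static_off, uintptr_t final_off, uint32_t *value)
{
    uintptr_t addr;
    if (!resolve_chain(rd, ctx, base, static_off, final_off, &addr)) return false;
    return rd(ctx, addr, value, sizeof *value);
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* Reader backed by ReadProcessMemory(); ctx is a HANDLE opened with PROCESS_VM_READ. */
static bool rpm_reader(void *ctx, uintptr_t addr, void *out, size_t len)
{
    SIZE_T got = 0;
    return ReadProcessMemory((HANDLE)ctx, (LPCVOID)addr, out, len, &got) && got == len;
}

/* Base address of module `name` in process `pid`, via a Toolhelp module snapshot
 * (MODULEENTRY32W.modBaseAddr, as the reply says). Returns 0 if not found. */
uintptr_t module_base(DWORD pid, const wchar_t *name)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    MODULEENTRY32W me;
    me.dwSize = sizeof me;
    uintptr_t base = 0;
    if (Module32FirstW(snap, &me)) {
        do {
            if (_wcsicmp(me.szModule, name) == 0) { base = (uintptr_t)me.modBaseAddr; break; }
        } while (Module32NextW(snap, &me));
    }
    CloseHandle(snap);
    return base;
}
#endif

/* Constructed in-process "target" so the arithmetic can be exercised without a second process. */
typedef struct { uint8_t bytes[0x100]; } fake_target;

static bool local_reader(void *ctx, uintptr_t addr, void *out, size_t len)
{
    fake_target *t = ctx;
    uintptr_t lo = (uintptr_t)t->bytes, hi = lo + sizeof t->bytes;
    if (addr < lo || addr + len > hi) return false;   /* out-of-range read fails, as RPM would */
    memcpy(out, (const void *)addr, len);
    return true;
}

/* Layout: the pointer at base+0x10 points at bytes+0x40; the u32 value 1337 lives 0x20 past that.
 * Returns the value read through the chain, or 0 if resolution fails. */
uint32_t demo_read(uintptr_t static_off, uintptr_t final_off)
{
    static fake_target t;
    memset(&t, 0, sizeof t);
    uintptr_t base = (uintptr_t)t.bytes;
    uintptr_t target = base + 0x40;
    memcpy(t.bytes + 0x10, &target, sizeof target);
    uint32_t hp = 1337;
    memcpy(t.bytes + 0x40 + 0x20, &hp, sizeof hp);
    uint32_t got = 0;
    return read_chain_u32(local_reader, &t, base, static_off, final_off, &got) ? got : 0;
}
```

On Windows the same resolver is called with rpm_reader, the process handle as ctx, and module_base() as the base; the demo shows why both a NULL pointer in the chain and a pointer that lands outside readable memory must be treated as failures rather than silently read as garbage.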

Postby pn0k » Thu Nov 15, 2007 5:31 pm

Ty for the reply Spiro.
Do you know whether ReadProcessMemory will (can) be detected by game anti-cheat software like VAC2 for HL1 and HL2 Steam games? I mean, technically it should be legal to read (not write!) from process memory and thus unbannable, right?
pn0k
I Have A Few Questions
 
Posts: 7
Joined: Thu Nov 15, 2007 5:31 am

Postby L. Spiro » Thu Nov 15, 2007 6:09 pm

They are highly detectable and commonly detected.
Both.

Reading from RAM is just as dangerous as writing.
My Starsiege: Tribes auto-aim only reads from RAM, but using the information it gets it can move my mouse for me and allow me to hit with inhuman accuracy even on high pings.


I do not know which anti-cheats detect what and how, but ReadProcessMemory() and WriteProcessMemory() are always the first to be detected.


MHS uses its own kernel routines for ReadProcessMemory() and WriteProcessMemory().
If you want to be (mostly) sure to be undetected, you need to write your own too.


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby pn0k » Fri Nov 16, 2007 5:00 am

I see. Are you talking about completely customized kernel routines (ASM), or functions like NtReadVirtualMemory() and ZwReadVirtualMemory()?

My point is that since ReadProcessMemory() does not modify anything in the game code or memory, I don't see how or why anti-cheat software would ban on that solely. Perhaps in connection with WriteProcessMemory(), but I only use ReadProcessMemory().
pn0k
I Have A Few Questions
 
Posts: 7
Joined: Thu Nov 15, 2007 5:31 am

Postby L. Spiro » Fri Nov 16, 2007 9:43 am

I see. Are you talking about completely customized kernel routines (ASM), or functions like NtReadVirtualMemory() and ZwReadVirtualMemory()?

I mean completely writing a new routine from scratch. In C, not ASM.


My point is that since ReadProcessMemory() does not modify anything in the game code or memory, I don't see how or why anti-cheat software would ban on that solely. Perhaps in connection with WriteProcessMemory(), but I only use ReadProcessMemory().

I just explained that reading RAM alone is enough to make the most dangerous kinds of hacks: bots. Of course it would be something they would want to detect and ban.


L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
