DLL addresses keep getting changed

Postby mynameisjack » Tue Jun 02, 2009 4:04 am

I have hacked this game, and have about 30 codes that do various things.

However, every week they update the game: the main.dll gets changed and new things get added in random places, moving all the addresses around for my codes. No problem, I thought, I'll just search for the opcode+command, but there's thousands of results. So fail. The module+offset thing even changed.

So what I need is a way to find out where new code was added so I can calculate where my new codes should be for the previous hacks. Someone suggested IDA Pro, but it doesn't even present the main.dll in code form, it's all seg002 or .data100352 or some shit. So is there a simpler way to solve this problem, guys?

Postby L. Spiro » Tue Jun 02, 2009 6:01 am

If you know ASM well enough you will create a binary string that represents the function you are trying to find. Your string will be \xXX codes where stable bytes are (bytes having been found as part of the ASM instructions in the function) and ? where offsets are found (the offset parts of ASM instructions). You find out which parts of ASM instructions are regular bytes and which are offsets through your own knowledge of ASM, augmented with a list of ASM opcodes.
You can then feed this string through MHS in a String Search using Wildcards later when the functions move.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby mynameisjack » Thu Oct 29, 2009 10:39 pm

Just a little update and question here.
I followed your advice; I couldn't get it to work on MHS, but it worked on CE. I simply copied the bytes before and after the hack address and saved it to a text file to 'find' the hacks later with a memory search > array of bytes in CE. Works great. Problem now is I have like 60 hacks and the game updates every week. It's a real chore, like 2 hours a week just to get the hacks to work again. What I need is a program that will auto-find the array of byte strings for me and update them (the key 'hack' addresses just need to be NOP, so it's simple).

Any ideas on how to do this? Or a hacking program that has it? Seems like a great function to add to an auto assembler.

Postby L. Spiro » Fri Oct 30, 2009 7:12 am

Wildcard String.

First copy several bytes from the function you want to find. In my case I got this:

00440974 | E8 CD7C0000 | CALL    00448646               |
00440979 | E9 17FEFFFF | JMP     00440795               |
0044097E | 8B4424 04   | MOV     EAX, DWORD PTR [ESP+4] |
00440982 | 85C0        | TEST    EAX, EAX               |
00440984 | 56          | PUSH    ESI                    |
00440985 | 8BF1        | MOV     ESI, ECX               |
00440987 | C646 0C 00  | MOV     BYTE PTR [ESI+C], 0    |
0044098B | 75 63       | JNZ     004409F0               |
0044098D | E8 EA6B0000 | CALL    0044757C               |
00440992 | 8946 08     | MOV     DWORD PTR [ESI+8], EAX |


To copy: Select the code in the Disassembler. Edit/Copy/Code.

This gives me:

E8 CD7C0000
E9 17FEFFFF
8B4424 04
85C0
56
8BF1
C646 0C 00
75 63
E8 EA6B0000
8946 08

First change all the operands to question marks.
This gives me:

E8 ????
E9 ????
8B4424 ?
85C0
56
8BF1
C646 ??
75 63
E8 ????
8946 ?

Then add \x in front of every byte value. This gives me:

\xE8 ????
\xE9 ????
\x8B\x44\x24 ?
\x85\xC0
\x56
\x8B\xF1
\xC6\x46 ??
\x75 \x63
\xE8 ????
\x89\x46 ?

Finally, remove spaces and make it one line:

\xE8????\xE9????\x8B\x44\x24?\x85\xC0\x56\x8B\xF1\xC6\x46??\x75\x63\xE8????\x89\x46?


This is my final search string.

To use it:
Start a String Search (Search/String Search in the main window).
Select Wildcard.
String to Find = the string you made.
Uncheck Aligned.


My search returned this:
00440974

Which is exactly the address where my code was found.


L. Spiro
Our songs remind you of songs you’ve never heard.
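A worked version of the Wildcard String method from L. Spiro's two posts, as an added example that is not code from this thread or from MHS itself: a small C signature scanner that parses the post's `\xHH` / `?` string, scans a buffer at every byte alignment (the "Aligned" box unchecked), and then NOPs the located instruction, which is the auto-update step mynameisjack asked for. The sample bytes are constructed from the listing above with every operand changed, to stand in for a rebuilt main.dll; they are not bytes from any real game. The rule that one `?` matches exactly one byte is the example's own assumption (it is how the post's string counts out to its 33-byte listing). A real tool would read the module image with ReadProcessMemory and write the patch with WriteProcessMemory; those calls are left out so the example runs offline on the constructed buffer.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Added example (not MHS code): a signature scanner for the Wildcard String
 * format in the post above. Syntax: \xHH = one fixed byte, ? = one wildcard
 * byte. Assumption: each '?' is exactly one byte, which makes the post's
 * string count out to the 33 bytes of its listing. Sample bytes are constructed. */
#define SIG_MAX 256
typedef struct {
    uint8_t bytes[SIG_MAX];  /* fixed byte values (0 where wildcarded) */
    uint8_t mask[SIG_MAX];   /* 1 = must match, 0 = wildcard */
    size_t  len;
} Signature;
/* The exact search string from the post, as a C literal. */
const char *kPostPattern = "\\xE8????\\xE9????\\x8B\\x44\\x24?\\x85\\xC0\\x56"
                           "\\x8B\\xF1\\xC6\\x46??\\x75\\x63\\xE8????\\x89\\x46?";
/* Same string with the rel8 displacement of "75 63" (JNZ) wildcarded too:
 * that byte is an operand as well and changes whenever the jump target moves. */
const char *kLoosePattern = "\\xE8????\\xE9????\\x8B\\x44\\x24?\\x85\\xC0\\x56"
                            "\\x8B\\xF1\\xC6\\x46??\\x75?\\xE8????\\x89\\x46?";
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse a wildcard string into bytes + mask: 0 on success, -1 if malformed. */
int sig_parse(const char *s, Signature *sig) {
    sig->len = 0;
    for (; *s; sig->len++) {
        while (isspace((unsigned char)*s)) s++;
        if (!*s) break;
        if (sig->len >= SIG_MAX) return -1;
        if (*s == '?') {
            sig->bytes[sig->len] = 0; sig->mask[sig->len] = 0; s += 1;
        } else if (s[0] == '\\' && (s[1] == 'x' || s[1] == 'X')) {
            int hi = hexval((unsigned char)s[2]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)s[3]);
            if (hi < 0 || lo < 0) return -1;
            sig->bytes[sig->len] = (uint8_t)((hi << 4) | lo); sig->mask[sig->len] = 1; s += 4;
        } else return -1;
    }
    return sig->len ? 0 : -1;
}

/* Scan at every byte offset ("Aligned" unchecked): offset of first match, or -1. */
long sig_find(const uint8_t *buf, size_t buflen, const Signature *sig) {
    if (sig->len == 0 || buflen < sig->len) return -1;
    for (size_t off = 0; off + sig->len <= buflen; off++) {
        size_t i = 0;
        while (i < sig->len && (!sig->mask[i] || buf[off + i] == sig->bytes[i])) i++;
        if (i == sig->len) return (long)off;
    }
    return -1;
}

/* Overwrite n bytes at offset with NOP (0x90). Returns n, or 0 if out of bounds. */
size_t nop_patch(uint8_t *buf, size_t buflen, size_t offset, size_t n) {
    if (offset > buflen || n > buflen - offset) return 0;
    memset(buf + offset, 0x90, n);
    return n;
}

/* Constructed stand-in for a rebuilt main.dll: the listing's instruction bytes with
 * every rel32/displacement operand changed, not real game bytes. JNZ is at index 23..24. */
static const uint8_t kFunc[33] = {
    0xE8, 0x11, 0x22, 0x00, 0x00,  0xE9, 0x33, 0xFD, 0xFF, 0xFF,   /* CALL, JMP            */
    0x8B, 0x44, 0x24, 0x08,  0x85, 0xC0,  0x56,  0x8B, 0xF1,      /* MOV, TEST, PUSH, MOV */
    0xC6, 0x46, 0x10, 0x00,  0x75, 0x63,                          /* MOV BYTE, JNZ rel8   */
    0xE8, 0x44, 0x55, 0x00, 0x00,  0x89, 0x46, 0x0C };            /* CALL, MOV            */
enum { PRE = 32, POST = 16, SAMPLE_LEN = PRE + 33 + POST };

/* Build the sample inside int3 filler; jnz_rel8 lets the caller "move" the JNZ target. */
size_t build_sample(uint8_t *out, size_t cap, uint8_t jnz_rel8) {
    if (cap < SAMPLE_LEN) return 0;
    memset(out, 0xCC, SAMPLE_LEN);
    memcpy(out + PRE, kFunc, 33);
    out[PRE + 24] = jnz_rel8;
    return SAMPLE_LEN;
}

/* Scan a sample built with the given JNZ displacement: offset, -1 absent, -2 bad pattern. */
long find_in_sample(const char *pattern, uint8_t jnz_rel8) {
    Signature sig; uint8_t buf[SAMPLE_LEN];
    if (sig_parse(pattern, &sig) != 0) return -2;
    return sig_find(buf, build_sample(buf, sizeof buf, jnz_rel8), &sig);
}

/* Re-locate the function with the loose pattern and NOP its JNZ. Returns 1 on success. */
int nop_jnz_in_sample(uint8_t jnz_rel8) {
    Signature sig; uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf, sizeof buf, jnz_rel8);
    if (sig_parse(kLoosePattern, &sig) != 0) return 0;
    long off = sig_find(buf, n, &sig);
    if (off < 0 || nop_patch(buf, n, (size_t)off + 23, 2) != 2) return 0;
    return buf[off + 23] == 0x90 && buf[off + 24] == 0x90;
}
```

One thing the example makes visible: `75 63` is JNZ with a one-byte relative displacement, so the `63` is an operand just like the rel32 fields, and the post's string as written stops matching as soon as anything between the jump and its target changes size in a later build. `kLoosePattern` wildcards that byte as well. The other side of the trade-off is that every extra `?` raises the chance of a second hit somewhere else in the module, so a tool that re-finds and patches automatically should insist on exactly one match before it writes anything.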

Postby WhiteHat » Fri Oct 30, 2009 12:12 pm

Whoa... I've never thought of this way to find similar codes with different operands across different game patches.
Very very smart...

Thanks for sharing this method, L. Spiro... Very useful...

:)
.. to boldly go where no eagle has gone before...

Postby g3nuin3 » Fri Oct 30, 2009 5:14 pm

It's called signature scanning. It's a very good method to write a hack that will, in a sense, always update whenever the game/program updates, because it uses the signature to find the address instead of hardcoded addresses or hardcoded offsets that may change.

