Finding the pointer and offset of an address

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Postby L. Spiro » Fri Jan 11, 2008 10:02 am

Assume I use that 3427B840 somewhere but I don't know where.

Repeat again until you find a green address. Pointer Search for 3427B840.


Oh, and L. Spiro... can you explain why I can't edit memory... but then every once in a while I can?

Because sometimes the memory protection is writeable while other times it is read-only. XTrap changes this.
Alternatively, it could be a bug in XTrap that causes it to sometimes fail to see that something is trying to change the memory in its process while other times it catches it. There are infinite variables, but none of them are in MHS.
For Disassembler modifications I can add something to force the protection to writeable to ensure it always works (using kernel-mode to do this of course, to avoid hooks and make sure it actually works).


BTW, is it possible for you to add an IsDebuggerPresent (on all programs) bypass to the debugger? I think IsDebuggerPresent is inside of xtrap.xt and not Wolfteam.exe... I'm gonna freeze the process and open it in OllyDbg to see now.

But I think you'll need to look deep into ASM coding and API calls, especially kernel API calls from XTrap.

A kernel-mode hook is already planned for this.
Furthermore, I have already added functions to the scripts that allow you to read and write kernel-mode RAM, which allows you to remove all XTrap/nProtect Game Guard/Hack Shield/VAC/etc. kernel hooks and to add your own.


L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby kth_prkns » Sat Jan 12, 2008 3:12 am

So you're planning on adding something that will bypass hooks to things such as kernel32:ReadProcessMemory? That would be sweet... BTW, I know that GG edits the first 5 bytes of the functions (or at least used to) to a jmp that would allow it to do its own things... if you remove that correctly, GG will simply think that the function no longer exists. I've heard that GG detects anything that messes with the hooks past 1105, so you might wanna look into 1105+ also when you're trying to bypass them.

Good luck! =D
kth_prkns
NULL
Posts: 101
Joined: Sun Jan 14, 2007 5:29 am

Postby L. Spiro » Sat Jan 12, 2008 10:49 am

So you're planning on adding something that will bypass hooks to things such as kernel32:ReadProcessMemory?

Yes. But MHS does not use ReadProcessMemory anyway.


BTW, I know that GG edits the first 5 bytes of the functions (or at least used to) to a jmp that would allow it to do its own things

This is called inline hooking.


if you remove that correctly, GG will simply think that the function no longer exists. I've heard that GG detects anything that messes with the hooks past 1105, so you might wanna look into 1105+ also when you're trying to bypass them.

My methods do not involve removing or modifying their hooks in any way.
They may install all the hooks they please; no form of API/kernel hooking can hinder MHS in any way.
This applies not only to nProtect Game Guard but to any anti-cheat or other software.

And this part is already done and ready for the next release.
I am working on other aspects of the anti-anti-cheat now, such as the dynamic self-modifier that changes the size, CRC, name, and other things regarding “MHS.exe”.


Furthermore, many features will be added to the scripts to allow each user his or her own control over anti-anti-cheat methods, which means new anti-anti-cheat methods can be added on top of the existing ones, ensuring that MHS’s anti-anti-cheat extends forever into the future.


Of course, detecting MHS may still be possible, but at least it is guaranteed to be nothing short of a pain in the ass, time-consuming, and unreliable at best.


L. Spiro

Postby liqmysaq » Mon Jan 14, 2008 11:31 am

Repeat again until you find a green address. Pointer Search for 3427B840.


Does it have to be a green address? 3427B840 is the pointer, isn't it? It's what I've been using. I searched for 3427B840 and I got about 2500 addresses. The smallest number wasn't green. Do I just keep searching and searching over and over 'till I find a green?

Using 3427B840 as my pointer with an offset of 2D4, what would I put into the complex part? I've tried 3427B840+2D4 but that doesn't work. I've tried using brackets in different places but I don't know what I'm doing.

It's: 3427B840 points to 0AF8A608; add 2D4 and I get 0AF8A8DC, which is my ammo address. I need the correct syntax for a complex address using this example.
liqmysaq
I Know Your Poop
Posts: 538
Joined: Tue Jan 01, 2008 2:02 am

Postby L. Spiro » Mon Jan 14, 2008 12:05 pm

Does it have to be a green address? Do I just keep searching and searching over and over 'till I find a green?

Yes.
Yes.




It's 3427B840

3427B840h

points to 0AF8A608

[3427B840h]

add 2D4 I get 0AF8A8DC which is my ammo address

[3427B840h]+2D4h



L. Spiro

Postby kth_prkns » Mon Jan 14, 2008 6:00 pm

liqmysaq wrote:
Repeat again until you find a green address. Pointer Search for 3427B840.


Does it have to be a green address? 3427B840 is the pointer, isn't it? It's what I've been using. I searched for 3427B840 and I got about 2500 addresses. The smallest number wasn't green. Do I just keep searching and searching over and over 'till I find a green?

Using 3427B840 as my pointer with an offset of 2D4, what would I put into the complex part? I've tried 3427B840+2D4 but that doesn't work. I've tried using brackets in different places but I don't know what I'm doing.

It's: 3427B840 points to 0AF8A608; add 2D4 and I get 0AF8A8DC, which is my ammo address. I need the correct syntax for a complex address using this example.


Haven't you noticed that when you scan for other things such as your HP (which doesn't work cuz you're only editing the textual value), you get both the complex address (guess that's what you call it) and the static address? It's possible that there is no complex address at all for your ammo value. We will just have to wait till L. Spiro releases the leet ass next version, which supposedly will bypass all hack protection =D (I'm guessing it won't bypass a CRC, which is kinda obvious)

I'll probably release all the addies that I find with that version in a b0ts.org private section =D I already have the static function in which your ammo is messed with... and I need to check if there's a pointer or something in the mov instruction that I landed on.

Postby L. Spiro » Mon Jan 14, 2008 6:17 pm

(I'm guessing it won't bypass a CRC, which is kinda obvious)

The binary is self-modifying; it can change its own CRC/MD5/size/name at your request, or every time it is run.

Every user may have a different CRC, and so CRC checks are indeed bypassed, along with size checks, filename checks, and many other checks.


L. Spiro

Postby kth_prkns » Tue Jan 15, 2008 3:19 am

Didn't mean a CRC for MHS... I meant a CRC as in GG checking KartRider or Maplestory to see if memory is edited... or is that bypassed with your methods that you talked about before...

BTW... it's not "CRC check" =D. That would be "Cyclic redundancy check check" (not trying to be a smart ass there... I always correct people when they say "CRC check")

Postby Explicit » Tue Jan 15, 2008 4:02 am

Last edited by Explicit on Wed Mar 12, 2008 1:19 pm, edited 2 times in total.
Explicit
I Know Your Poop
Posts: 503
Joined: Sun Dec 30, 2007 4:47 pm

Postby kth_prkns » Tue Jan 15, 2008 4:23 am

um... not really =p

And BTW... I figured out a way to edit memory... or at least have some inline ASM going on... you can do a code cave =D

Postby liqmysaq » Tue Jan 15, 2008 8:15 am

I figured it out; thank you guys for all your help and for putting up with all my questions.

Now I've got another question for you guys. I'm working on finding a pointer to an address that changes every time I enter a game room, not just on startup. How would I find that pointer, and what would the syntax be for a pointer pointing to a pointer and beyond?

Also, can you sub-search for pointers? I try, but it says invalid value when I try. What would be the use of sub-searching anyway?

Postby L. Spiro » Tue Jan 15, 2008 10:22 am

I meant a CRC as in GG checking KartRider or Maplestory to see if memory is edited...

MHS will not natively perform this but I added functions to the scripts to allow the user to add this.
They only need to copy the game memory to a new location and change the page directory of nProtect Game Guard to swap the new and old pages.

Every other process will see the real RAM of the game while nProtect Game Guard sees the copy (this method was submitted by another user).


I did not implement it but I give the user the ability to do so with scripts.
I would prefer that it be done with scripts to ensure that it lasts.
This is so specific to nProtect Game Guard that I don’t want to add it to MHS directly, or if I did I would generalize it not to be just for Game Guard, and probably still require script interaction to keep it dynamic.




Also, can you sub-search for pointers? I try, but it says invalid value when I try. What would be the use of sub-searching anyway?

Yes you can. And if MHS throws an error it is just to protect you from yourself. If you do not respect the properties of pointers then it is already guaranteed your search will fail.
The help file explains the Pointer Search.


L. Spiro

Postby liqmysaq » Wed Feb 06, 2008 2:11 am

First of all, thanks for all the help in this post. I now have pointers for most of my hacks that work on all computers. BUT... I still have some hacks that I cannot seem to find the pointer to. After a few searches the addresses go back and forth between 2 memory regions, at least that's how I best know to explain it. The address is slightly different and so is the offset, but it keeps repeating over and over between these 2 regions and neither is green. I've gone up to about 14 addresses deep and they just keep repeating. Do I keep going and eventually reach a green? Or do I need to try to find a different pointer? I choose the lowest -### there is and keep using the lowest -### that comes up every search.

Here is a short version of the expressions:
[34286260]+2D4 = Unresolvable
[[340B2A78]+C]+2D4 = 181690556 (AD460BC)
[[[341E6CCC]+1f8]+C]+2D4 = 181690556 (AD460BC)
[[[[340B8E78]+340]+1f8]+C]+2D4 = 181690556 (AD460BC)
[[[[[341E6C64]+4B8]+340]+1f8]+C]+2D4 = 181690556 (AD460BC)

See how it goes from 340B#### to 341E#### over and over? If I use the 0x in there then the first address isn't Unresolvable, but it still doesn't work for everybody else. AD460BC is the address that I'm trying to find a pointer for.

Here is a pic of my initial search: [image]

Also, if you notice, there are NO green addresses at all... there should be a few at the top and a couple at the bottom. I had this bug also when I searched for pointers for my other hacks; technically I never did find a green address cuz they were all black (at least until I restarted my game), and then the addresses magically all turned green. That belongs in bug reports though.
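The complex-address syntax L. Spiro gives above ([3427B840h]+2D4h) and the multi-level chains in liqmysaq's post both follow one rule: square brackets read the 4-byte pointer stored at the enclosed address, and an offset is added to whatever was read, inside-out for nested brackets. The following Python is an added example written for this thread, not MHS code: it evaluates such expressions over a small constructed memory snapshot laid out to reproduce the addresses quoted here (3427B840 holds 0AF8A608, and +2D4 gives 0AF8A8DC). Its number-parsing rule (a bare all-digit token is read as decimal, anything with a hex letter, an h suffix or a 0x prefix as hex) is an assumption chosen to reproduce the "Unresolvable" result quoted above when the suffix or prefix is omitted; it has not been checked against MHS's real parser.

```python
import re
import struct


class Unresolvable(Exception):
    """Raised when a dereference reads memory that is not in the snapshot."""


class Snapshot:
    """Sparse little-endian memory image {base_address: bytes}; a constructed
    stand-in for a live process (MHS reads the real target instead)."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read_u32(self, addr):
        for base, data in self.regions.items():
            if base <= addr and addr + 4 <= base + len(data):
                return struct.unpack_from("<I", data, addr - base)[0]
        raise Unresolvable("no readable dword at %08X" % addr)


_TOKEN = re.compile(r"\s*(?:(\[)|(\])|([+-])|(0x[0-9a-f]+|[0-9a-f]+h?))", re.I)


def parse_number(tok):
    """Assumed rule (not verified against MHS): 0x prefix or h suffix is hex,
    a bare token containing a hex letter is hex, an all-digit bare token is
    DECIMAL. That last case silently turns a pasted address into another one."""
    t = tok.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if t.endswith("h"):
        return int(t[:-1], 16)
    if any(c in "abcdef" for c in t):
        return int(t, 16)
    return int(t, 10)


def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad token at offset %d in %r" % (pos, expr))
        pos = m.end()
        toks.append(next(g for g in m.groups() if g is not None))
    return toks


def evaluate(expr, mem):
    """Resolve a complex address: [X] reads the dword stored at X, +/- adds
    offsets, and nesting applies inside-out, so [[A]+C]+2D4 follows two hops."""
    toks, pos = tokenize(expr), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def term():
        nonlocal pos
        tok = peek()
        if tok == "[":
            pos += 1
            inner = total()
            if peek() != "]":
                raise ValueError("missing ']' in %r" % expr)
            pos += 1
            return mem.read_u32(inner)  # the dereference step
        if tok is None or tok in ("+", "-", "]"):
            raise ValueError("expected a number or '[' in %r" % expr)
        pos += 1
        return parse_number(tok)

    def total():
        nonlocal pos
        value = term()
        while peek() in ("+", "-"):
            op = toks[pos]
            pos += 1
            rhs = term()
            value = value + rhs if op == "+" else value - rhs
        return value & 0xFFFFFFFF

    result = total()
    if pos != len(toks):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def resolve(expr, mem):
    """Final address, or the string MHS prints when a read along the way fails."""
    try:
        return evaluate(expr, mem)
    except Unresolvable:
        return "Unresolvable"


def build_snapshot():
    """Constructed memory matching the thread's numbers: the slot at 3427B840h
    holds 0AF8A608h and the ammo counter sits 2D4h into that object; a second
    two-hop trail mirrors [[340B2A78]+C]+2D4."""
    slot1, hop1, hop2, slot2, obj = (bytearray(0x100) for _ in range(5))
    obj = bytearray(0x400)
    struct.pack_into("<I", slot1, 0x40, 0x0AF8A608)  # 3427B840h -> ammo object
    struct.pack_into("<I", hop1, 0x78, 0x341E6000)   # 340B2A78h -> intermediate object
    struct.pack_into("<I", hop2, 0x0C, 0x0AF8A608)   # 341E600Ch -> ammo object
    struct.pack_into("<I", slot2, 0x60, 0x0AF8A608)  # 34286260h, only reached if read as hex
    struct.pack_into("<I", obj, 0x2D4, 30)           # ammo = 30, lives at 0AF8A8DCh
    return Snapshot({0x3427B800: slot1, 0x340B2A00: hop1, 0x341E6000: hop2,
                     0x34286200: slot2, 0x0AF8A608: obj})
```

Feeding it the four expressions "[3427B840h]+2D4h", "[[340B2A78]+C]+2D4", "[34286260]+2D4" and "[34286260h]+2D4h" gives 0AF8A8DC for the first two and the last, and Unresolvable for the third, which is exactly the difference liqmysaq saw when adding 0x. The practical lesson is to write every number with an h suffix or 0x prefix so an all-digit address is never ambiguous; and, as the replies above say, a trail whose outermost address is a heap address will resolve on one machine and fail on everyone else's, which is why the search continues until that address is a static (green) one.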

Postby L. Spiro » Wed Feb 06, 2008 9:59 am

You need to be using Find What Accesses This Address and using the code to find the pointers/offsets.
You can mix this with Pointer Search for the ultimate ease in finding pointer trails.


I will (by heavy requests) write a tutorial for this method soon.


L. Spiro

Postby WhiteHat » Wed Feb 06, 2008 10:16 am

I had the same case as liqmysaq when I tried to make a complex address for heroes of Warcraft 3 TFT...

So, I (heavily) request a tutorial on finding pointer trails... :twisted:
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...
