Program may have encrypted memory

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Program may have encrypted memory

Postby Dream » Sat Feb 20, 2010 2:05 am

Hello, I have tried using MHS, and have gotten the basics of searching down.

However, I am trying to read the memory of a program I have. It has a menu area with multiple options. If you change one option, it determines other options with NO randomness. So I figured it should be easy to find the address and read the changes.

Not so. Every time I click something, I get garbage information returned. Way too many addresses change, and give unpredictable numbers. They do seem to cycle through the same certain numbers, if click the same thing over and over.

So what I think is this: the program should be relatively simple to read, but has been encrypted to prevent what I am trying to do. When I change something, it cycles through the RNG and pulls a new key, and re-encrypts everything. If I am right, I may just drop this.

Can anyone tell me what they think of this? Is this thing most likely encrypted? I'm sorry if my post is hard to follow. Just hoping for some clues.

BTW, sorry, I can't tell you what the program is. It's not a video game.
Dream
I Have A Question
 
Posts: 1
Joined: Sat Feb 20, 2010 1:43 am

Re: Program may have encrypted memory

Postby L. Spiro » Sat Feb 20, 2010 8:18 am

It is unlikely for the values to be encrypted, and even if they are encrypted it is just a simple XOR operation.

Usually the encryption is simply VALUE ^ 0xFFFFFFFF = FINAL.
So if you take the value you see on the screen (FINAL), you can obtain VALUE by FINAL ^ 0xFFFFFFFF.

Use the expression editor to make things simple.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Program may have encrypted memory

Postby LykanthricAura » Sat Jul 24, 2010 6:26 pm

Hey... I found a Game which uses a XOR encryption (Age of Mythology). I read this part...

Final^0xFFFFFFFF

Final^FFFFFFFF is understandable... But why the 0xFFFFFFFF ?

And where is this Expression Editor?
LykanthricAura
I Ask A Lot Of Questions
 
Posts: 16
Joined: Fri Mar 26, 2010 7:38 pm

Re: Program may have encrypted memory

Postby L. Spiro » Sat Jul 24, 2010 11:48 pm

Why 0xFFFFFFFF? As apposed to what? FFFFFFFF?
FFFFFFFF is not a hex number. 0xFFFFFFFF is.


The Expression Evaluator, which accepts both forms because its parser is probably the single finest piece of code in MHS, is on the main widow docked to the side.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Program may have encrypted memory

Postby LykanthricAura » Sun Jul 25, 2010 10:56 am

Ok... Dude ! I m almost clueless here.... Say...If I wanted to search for a Value 44(in game) which had a XOR encryption...How would I do it?

I put 44^0xFFFFFFFF in the Evaluator...

It gives out 4294967251 (FFFFFFD3) .. I ran the searches after letting the value change to 35 4294967246 (FFFFFFCE) .. But no good.
LykanthricAura
I Ask A Lot Of Questions
 
Posts: 16
Joined: Fri Mar 26, 2010 7:38 pm

Re: Program may have encrypted memory

Postby L. Spiro » Mon Jul 26, 2010 1:57 pm

Don’t search for more bytes than are absolutely necessary.

Value = 44, then you get 0xFFFFFFD3, search for 0xD3.
Value = 35, then you get 0xFFFFFFCE, search for 0xCE.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Re: Program may have encrypted memory

Postby LykanthricAura » Tue Jul 27, 2010 11:12 pm

Nope....No good. Anything else that might be used for encryption ?
LykanthricAura
I Ask A Lot Of Questions
 
Posts: 16
Joined: Fri Mar 26, 2010 7:38 pm

Re: Program may have encrypted memory

Postby L. Spiro » Wed Jul 28, 2010 9:29 am

If that doesn’t work then your encryption scheme is wrong.
Keep studying the data.
Do remember there is an Expression Search which makes it easy to search for encrypted values.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan


Return to Help

Who is online

Users browsing this forum: No registered users and 0 guests

cron