
Program may have encrypted memory

Posted: Sat Feb 20, 2010 2:05 am
by Dream
Hello, I have tried using MHS, and have gotten the basics of searching down.

However, I am trying to read the memory of a program I have. It has a menu area with multiple options. If you change one option, it determines other options with NO randomness. So I figured it should be easy to find the address and read the changes.

Not so. Every time I click something, I get garbage information returned. Way too many addresses change, and give unpredictable numbers. They do seem to cycle through the same certain numbers, if I click the same thing over and over.

So what I think is this: the program should be relatively simple to read, but has been encrypted to prevent what I am trying to do. When I change something, it cycles through the RNG and pulls a new key, and re-encrypts everything. If I am right, I may just drop this.

Can anyone tell me what they think of this? Is this thing most likely encrypted? I'm sorry if my post is hard to follow. Just hoping for some clues.

BTW, sorry, I can't tell you what the program is. It's not a video game.

Re: Program may have encrypted memory

Posted: Sat Feb 20, 2010 8:18 am
by L. Spiro
It is unlikely for the values to be encrypted, and even if they are encrypted it is just a simple XOR operation.

Usually the encryption is simply VALUE ^ 0xFFFFFFFF = FINAL.
So if you take the value you see on the screen (FINAL), you can obtain VALUE by FINAL ^ 0xFFFFFFFF.

Use the expression editor to make things simple.


L. Spiro

Re: Program may have encrypted memory

Posted: Sat Jul 24, 2010 6:26 pm
by LykanthricAura
Hey... I found a Game which uses a XOR encryption (Age of Mythology). I read this part...

Final^0xFFFFFFFF

Final^FFFFFFFF is understandable... But why the 0xFFFFFFFF ?

And where is this Expression Editor?

Re: Program may have encrypted memory

Posted: Sat Jul 24, 2010 11:48 pm
by L. Spiro
Why 0xFFFFFFFF? As opposed to what? FFFFFFFF?
FFFFFFFF is not a hex number. 0xFFFFFFFF is.


The Expression Evaluator, which accepts both forms because its parser is probably the single finest piece of code in MHS, is on the main window docked to the side.


L. Spiro

Re: Program may have encrypted memory

Posted: Sun Jul 25, 2010 10:56 am
by LykanthricAura
Ok... Dude! I'm almost clueless here... Say... If I wanted to search for a value 44 (in game) which had a XOR encryption... How would I do it?

I put 44^0xFFFFFFFF in the Evaluator...

It gives out 4294967251 (FFFFFFD3) .. I ran the searches after letting the value change to 35 4294967246 (FFFFFFCE) .. But no good.

Re: Program may have encrypted memory

Posted: Mon Jul 26, 2010 1:57 pm
by L. Spiro
Don’t search for more bytes than are absolutely necessary.

Value = 44, then you get 0xFFFFFFD3, search for 0xD3.
Value = 35, then you get 0xFFFFFFCE, search for 0xCE.


L. Spiro

Re: Program may have encrypted memory

Posted: Tue Jul 27, 2010 11:12 pm
by LykanthricAura
Nope... No good. Anything else that might be used for encryption?

Re: Program may have encrypted memory

Posted: Wed Jul 28, 2010 9:29 am
by L. Spiro
If that doesn’t work then your encryption scheme is wrong.
Keep studying the data.
Do remember there is an Expression Search which makes it easy to search for encrypted values.


L. Spiro
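
An added example, not part of the original thread and not MHS code: it shows why a 4-byte search for a value masked with 0xFFFFFFFF can miss a field that a 1-byte search finds, and why a constant XOR key gives no real protection, since the key cancels out between two readings. The snapshot layout, the 16-bit field width and all function names are assumptions made for illustration.

```python
import struct

def xor_mask(value, key=0xFFFFFFFF, width=4):
    """Stored form of `value` under a constant XOR key: `width` bytes, little-endian."""
    mask = (1 << (8 * width)) - 1
    return ((value ^ key) & mask).to_bytes(width, "little")

def find_pattern(snapshot, pattern):
    """All offsets at which `pattern` occurs in `snapshot`."""
    hits, start = [], snapshot.find(pattern)
    while start != -1:
        hits.append(start)
        start = snapshot.find(pattern, start + 1)
    return hits

def find_constant_xor(snap_a, snap_b, shown_a, shown_b):
    """Offsets whose byte changed the way a constant-key XOR field would.

    (a ^ k) ^ (b ^ k) == a ^ b, so the key cancels and need not be known.
    Returns {offset: recovered key byte}.
    """
    delta = (shown_a ^ shown_b) & 0xFF
    if delta == 0:
        return {}  # low bytes are equal: this pair of readings carries no signal
    return {off: x ^ (shown_a & 0xFF)
            for off, (x, y) in enumerate(zip(snap_a, snap_b)) if x ^ y == delta}

def make_snapshot(shown, counter):
    """Constructed 12-byte 'memory': header, 16-bit masked field, padding, counter."""
    return (b"\x10\x00\x00\x00" + xor_mask(shown, width=2)
            + b"\x00\x00" + struct.pack("<I", counter))

# Constructed sample data. 44 ^ 0xFFFFFFFF = 0xFFFFFFD3 as in the thread;
# 35 ^ 0xFFFFFFFF evaluates to 0xFFFFFFDC (0xFFFFFFCE is 49 ^ 0xFFFFFFFF).
SNAP_44 = make_snapshot(44, 100)  # taken while the screen shows 44
SNAP_35 = make_snapshot(35, 101)  # taken after the value changes to 35

if __name__ == "__main__":
    print("4-byte search:", find_pattern(SNAP_44, xor_mask(44)))
    print("1-byte search:", find_pattern(SNAP_44, xor_mask(44, width=1)))
    print("key-free diff:", find_constant_xor(SNAP_44, SNAP_35, 44, 35))
```

Because the field in this constructed snapshot is only 16 bits wide, the pattern D3 FF FF FF never appears in it, while the single byte D3 does; the differential search recovers both the offset and the key byte 0xFF without being told the key.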