Reading data out of a target application

Postby flava » Fri Nov 05, 2010 5:02 am

I am writing an app which I hope eventually will read all the pertinent data out of a target application. The application is a poker app and the information is all the data pertaining to the game state. So we have players, anywhere between 2 and 9, their respective stacks, my hole cards, board cards, the pot, and then the player action i.e. they call, raise, fold etc.

Let's start with a simple question. You have a table with 9 players, I want the app to automatically scan the target and tell me the name of the 9 players and the seat at which they are sitting. How would you go about solving this problem? My app automatically attaches itself to the target and scans memory, I can then manually scan for information, such as the player names and their stacks. The problem is that each time a new target (table) is opened the player information is written into memory at a different memory location. The other issue is of course that you will always play different players so each time a table is opened you are starting with zero knowledge. So would the best way be to parse the PE header? Basically what approach would you take to starting what is effectively a scraping app?

Thanks.

Re: Reading data out of a target application

Postby L. Spiro » Fri Nov 05, 2010 9:45 am

First off, writing your own scanning routines is not an effective way to gain knowledge of how the process works.
You write your program after you have this information.
To get this information you use MHS, which has a faster scanner and more features.

Secondly, to overcome the problem of shifting memory addresses, you research on the forum and in the MHS help files “Complex Addresses”. Or “DMA”.


L. Spiro
Our songs remind you of songs you’ve never heard.

Re: Reading data out of a target application

Postby flava » Sun Nov 07, 2010 1:16 pm

Thank you.

I'll do some research and get back to you.

After a little research I found out that each player name and stack are separated by 0x28 and once you have the first player you can locate the other 9 by adding 0x9C to each value. So player 1 name address + 0x28 gives their stack. Player 1 name address + 0x9C gives player 2 name, add 0x28 to that and you have player 2 stack and so on. Just trying to work out how that initial position is set as it changes each time a new table is loaded. Did a pointer search but didn't come up with anything within the range that you specified (0x500) in the help files and at the moment nothing is obviously popping out. A little more testing.

Re: Reading data out of a target application

Postby flava » Tue Nov 09, 2010 7:43 am

So as I have said, I found the offsets between players and their stacks, which is good. I then started looking for a static pointer (yes I read the help files on static pointers... not being that static) and then started searching on the lowest point in my structure which was the address for the name of player 1. Doing a pointer search did not yield any address which was in the range that you specified, basically between 0 and 500h, the lowest I found was just over 600h so I used that, this gave me this:

[QtGui4.dll+0x122718]+0x258 which worked fine for that instance of the game. So I closed the game and restarted but obviously everything had moved. So I will ask, how would I determine 'where' the table instance is put into memory. Do I continue to look for a pointer? Or do I need to go down several more layers until I get an address from the main .exe file?

Sorry if I am being a little slow.

It's a great tool.
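As an added example (not code from this thread, from MHS, or from the poker client), here is how a complex address of the form [module+offset]+offset, together with the per-seat layout flava describes (0x9C between seats, stack 0x28 past the name), can be resolved with validated reads so that a moved or unmapped pointer yields a failed read instead of a crash. The module base, the 0x10/0x258 chain and the in-process buffer are constructed stand-ins; on Windows the reader callback would wrap ReadProcessMemory().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reader callback: copy len bytes at addr into out, false if unreadable.
 * A real tool wraps ReadProcessMemory(); here a constructed in-process
 * buffer stands in for the target's 32-bit address space. */
typedef bool (*read_fn)(uintptr_t addr, void *out, size_t len);
#define FAKE_BASE 0x00400000u   /* constructed stand-in for a module base */
#define FAKE_SIZE 0x1000u
static uint8_t fake_mem[FAKE_SIZE];
bool fake_read(uintptr_t addr, void *out, size_t len) {
    if (addr < FAKE_BASE || addr + len > FAKE_BASE + FAKE_SIZE) return false;
    memcpy(out, fake_mem + (addr - FAKE_BASE), len);
    return true;
}

/* Resolve [base+offs[0]]+offs[1]+...: dereference a 32-bit pointer at every
 * step but the last, then add the last offset; 0 if any read fails. */
uintptr_t resolve_chain(read_fn rd, uintptr_t base, const uint32_t *offs, size_t n) {
    uintptr_t cur = base; uint32_t ptr;
    for (size_t i = 0; i + 1 < n; i++) {
        if (!rd(cur + offs[i], &ptr, sizeof ptr)) return 0;
        cur = ptr;
    }
    return n ? cur + offs[n - 1] : 0;
}

#define PLAYER_STRIDE 0x9C  /* seat-to-seat distance reported in the thread */
#define STACK_OFFSET  0x28  /* stack sits 0x28 past the player's name */
/* Stack for one seat, 0 on a failed read. */
uint32_t read_stack(read_fn rd, uintptr_t table, uint32_t seat) {
    uint32_t stack; uintptr_t addr = table + seat * PLAYER_STRIDE + STACK_OFFSET;
    return rd(addr, &stack, sizeof stack) ? stack : 0;
}

/* Constructed layout: slot at base+0x10 points to a block whose +0x258 is a
 * table of nine (name, stack) records; returns the table's address. */
uintptr_t setup_fake_table(void) {
    uint32_t p = FAKE_BASE + 0x100, stack;
    memcpy(fake_mem + 0x10, &p, sizeof p);
    for (uint32_t seat = 0; seat < 9; seat++) {
        uint8_t *rec = fake_mem + 0x358 + seat * PLAYER_STRIDE;
        memcpy(rec, "player?", 8); rec[6] = (uint8_t)('1' + seat);
        stack = 1000u * (seat + 1);
        memcpy(rec + STACK_OFFSET, &stack, sizeof stack);
    }
    return FAKE_BASE + 0x358;
}
```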

Re: Reading data out of a target application

Postby L. Spiro » Tue Nov 09, 2010 2:56 pm

Unless you are hacking part of the GUI/user interface, that Complex Address is useless. Qt is a Nokia interface library.


Many techniques exist to trace pointers down to a base (which may easily be 10 dereferences deep; yours has only one dereference), and many tutorials on this site can be found.
WhiteHat has posted some as well as have others.
Pointer Search is not your only utility. Find What Accesses This Address helps more.


L. Spiro
Our songs remind you of songs you’ve never heard.

Re: Reading data out of a target application

Postby flava » Wed Nov 17, 2010 6:39 am

So,

I have the memory addresses that I am interested in. I have created my DLL and at the moment I am using a CBT hook to get into the address space of the target application (not very secure I know but I will change that in a while). The problem is that I want the monitor loop to run in the background so I have created a thread but now when I go to read process memory I get an access violation. How do you monitor the RAM of the target app and remain in the background so that it could carry on?

I am using CreateThread(), should I use CreateRemoteThread()?

Thanks.

Re: Reading data out of a target application

Postby L. Spiro » Thu Nov 18, 2010 1:04 am

By creating a debugger that can catch the violation and fix it, allowing the process to continue on its way.


L. Spiro
Our songs remind you of songs you’ve never heard.