Unknown Initial Value


Unknown Initial Value

Postby iPromise » Sat May 21, 2011 2:49 am

I'm currently working on my own memory engine, it's 80% done. The only obstacle that is bothering me now is the Unknown Initial Value scan.

This was my old method, but it was too slow to scan on any games:

-> Scan for all the readable addresses in the game, and then record them down to a file like this: "address value", ex: 0xDEADBEAF 10

-> 'Changed scan' reads the file, obtains the address (0xDEADBEAF) and the value (10), makes a record of them, reads the new value from the address (0xDEADBEAF), and if the new value and the old value (10) match then the values haven't changed. If however, the new value does not match the old value (10) then the values have changed.

This whole process takes too long and I don't have any new ideas of how to finish the unknown initial value scan. Can somebody please help me?
iPromise

Re: Unknown Initial Value

Postby L. Spiro » Sat May 21, 2011 10:00 am

I know about your new memory searcher.


Anyway, you only need to save the first address of a chunk, and then save the chunk.
[0xDEADB00F][ALL DATA STARTING AT ADDRESS 0xDEADB00F (could be 2 megabytes of data, 12, 25, 512, whatever)…]

This gives you a format that can be saved to a file in nearly an instant.
For any value in a chunk, its actual address is [OffsetIntoChunk+StartingAddressOfChunk].


When performing the following scan to eliminate values, load an entire chunk into RAM at once.
Reading from files is slow. Perform read operations as infrequently as possible.


L. Spiro
Our songs remind you of songs you’ve never heard.

Re: Unknown Initial Value

Postby iPromise » Sat May 21, 2011 11:50 pm

So trying to understand what you have said, basically, if the starting address of the process was 0x00400000, and let's say for example the size of the whole application is 2048.

I would do something like this:

BYTE bBuffer[2048] = {0};
// copy the region into the buffer (only valid when running inside the target process)
memcpy( (void*) bBuffer, (const void*) 0x00400000, 2048 );


and now that I have a record of the buffer, I could check out each value by going through the buffer, something like this?

DWORD dwStartAddr = 0x00400000;

for ( SIZE_T i = 0; i < 2048; i++ )
{
    // read<T> is the poster's own helper that reads one T from the given address
    if ( read<BYTE>( dwStartAddr + i ) != bBuffer[i] )
    {
        // value has changed
    }
}


Is that how you're supposed to do it?
iPromise

Re: Unknown Initial Value

Postby L. Spiro » Sun May 22, 2011 11:29 am

What you actually save to disk would be the value 0x00400000, the length of the chunk (2048), and then the contents of bBuffer.
2056 bytes on x86, 2064 on x64. You are planning to support 64-bit machines I hope.

Since your code suggests that you are scanning via DLL injection, you don’t need to copy from address 0x00400000 to bBuffer; you can just ::WriteFile( hFile, reinterpret_cast<LPCVOID>(0x00400000), 2048, NULL, NULL ).


Your second set of code is essentially correct for DLL injection scans.
However, you need to read this article.


L. Spiro
Our songs remind you of songs you’ve never heard.
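The chunk format and changed scan from the two replies above, as an added example in C (not code from either poster): a record of base address, length and raw bytes, then a scan that diffs one whole chunk held in RAM. Process memory is stood in for by constructed local buffers and the "file" is a byte array, so it runs offline; the names chunk_save and chunk_changed are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Snapshot record: base address and length, then the raw chunk bytes. */
typedef struct {
    uint64_t base;   /* starting address of the chunk (64-bit so x64 fits) */
    uint64_t len;    /* number of data bytes that follow the header */
} chunk_hdr;

/* Write one chunk record into out (stand-in for the snapshot file).
 * Returns bytes written, or 0 if out is too small. */
size_t chunk_save(uint8_t *out, size_t cap, uint64_t base,
                  const uint8_t *data, uint64_t len)
{
    chunk_hdr h = { base, len };
    if (cap < sizeof h + len) return 0;
    memcpy(out, &h, sizeof h);          /* 16-byte header */
    memcpy(out + sizeof h, data, len);  /* chunk contents */
    return sizeof h + len;
}

/* Changed scan over a whole chunk held in RAM: compare saved bytes with cur
 * (the same region re-read in one call) and record the absolute address of
 * every differing byte. Returns the count; stores at most max_hits in hits. */
size_t chunk_changed(const uint8_t *snap, const uint8_t *cur,
                     uint64_t *hits, size_t max_hits)
{
    chunk_hdr h;
    memcpy(&h, snap, sizeof h);
    const uint8_t *old = snap + sizeof h;
    size_t n = 0;
    for (uint64_t i = 0; i < h.len; i++) {
        if (old[i] != cur[i]) {
            /* actual address = OffsetIntoChunk + StartingAddressOfChunk */
            if (n < max_hits) hits[n] = h.base + i;
            n++;
        }
    }
    return n;
}

int main(void)
{   /* constructed 16-byte stand-in for process memory at 0x00400000 */
    uint8_t before[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}, after[16];
    uint8_t snap[sizeof(chunk_hdr) + 16]; uint64_t hits[16];
    memcpy(after, before, 16); after[3] = 99; after[10] = 0;
    chunk_save(snap, sizeof snap, 0x00400000ULL, before, 16);
    return chunk_changed(snap, after, hits, 16) == 2 ? 0 : 1;
}
```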

Re: Unknown Initial Value

Postby esco » Mon May 23, 2011 3:07 pm

iPromise wrote: I'm currently working on my own memory engine, it's 80% done. The only obstacle that is bothering me now is the Unknown Initial Value scan.

This was my old method, but it was too slow to scan on any games:

-> Scan for all the readable addresses in the game, and then record them down to a file like this: "address value", ex: 0xDEADBEAF 10

-> 'Changed scan' reads the file, obtains the address (0xDEADBEAF) and the value (10), makes a record of them, reads the new value from the address (0xDEADBEAF), and if the new value and the old value (10) match then the values haven't changed. If however, the new value does not match the old value (10) then the values have changed.

This whole process takes too long and I don't have any new ideas of how to finish the unknown initial value scan. Can somebody please help me?


Do you have a link to your WIP page for your tool? I would be interested in seeing how it compares to my boy, Spiro's (nothing personal, but I don't think almost ANYONE will top his... but you never know). 8)
Esco.... the name says it all. New Yorikan for life.

