flat assembler
Message board for the users of flat assembler.

Index > Windows > How to freeze memory value ?

Author
Thread Post new topic Reply to topic
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Hey everyone! I have trouble about freezing value in memory.. First of all, I'm learning cheating things (I think it's best way for train about memory things and not cheating lol)
So, I'm using CE(Cheat Engine) and found pointer which receives value of something (EX. HP Value) I've wrote DLL file and when injecting it's changing value successfully but just 1 time. After getting damage, value is decreased and need to set it again. I've tried to loop function inside DLL but it only does DLL's job and game is frozen.. Though much time but no luck.. Anyone can suggest me how to do that ? Thank you.
Post 06 Mar 2011, 16:27
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
Why do you need to inject? Wouldn't Read/WriteProcessMemory be enough?
Post 06 Mar 2011, 17:07
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
It heappens that i have done some... here is a simple one.
It checks for a key press to cheat. The proc does an infinite loop.
REMEMBER to use something like:
Code:
invoke sleep,100d    

Or your thread will eat all your cpu. I forgot that at the time.

Code:
; DLL creation example
; Game: LBreakout2 v2.5.1

format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
 mov    eax,[fdwReason]
      cmp    eax,DLL_PROCESS_ATTACH
       jne    .finish

  invoke CreateThread,NULL,NULL,Cheats,NULL,NULL,pid_thread ;Creates a new thead and run function Cheats that runs in a lool in parallel to the game
  mov    [h_thread],eax

   .finish:
        mov     eax,TRUE
    ret
endp

proc Cheats

    .Loop:

    invoke GetAsyncKeyState,0x58 ;check if keyboard x key is pressed
    cmp    al,1
 je     .Exit

    invoke GetAsyncKeyState,0x53 ;check if keyboard s key is pressed
    cmp    al,0
 jne    .AddScore

        invoke GetAsyncKeyState,0x44 ;check if keyboard d key is pressed
    cmp    al,0
 je     .Loop
        jne    .AddBall

    .AddScore:
   ;Begin - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]

       mov    eax,004523d4h
        mov    ebx,[eax]
    add    ebx,4394h
    mov    eax,[ebx]
    add    eax,8h
       mov    ebx,[eax]
    mov    eax,[ebx]
    add    eax,8h
       mov    ebx,[eax]
    add    ebx,20h
      mov    eax,[ebx]

        ;End - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]

 add    dword [eax],1000d ;Add 1000 to score
 jmp    .Loop

     .AddBall:

  mov    eax,00475f60h
        mov    dword [eax],8d ;Maximize no. of balls
        jmp    .Loop

    .Exit:

      invoke ExitThread,0

endp

section '.bss' readable writeable

  pid_thread dd ? ;PID of the new thread
  h_thread dd ? ;Handles of the new thread

section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
         user,'USER32.DLL'

  import kernel,\
      ExitThread,'ExitThread',\
        CreateThread,'CreateThread'

  import user,\
       wsprintf,'wsprintfA',\
   GetAsyncKeyState,'GetAsyncKeyState'

section '.edata' export data readable

  export 'LBreakout2v2_5_1_2.DLL',\
  Cheats,'Cheats'

section '.reloc' fixups data discardable
    
Post 06 Mar 2011, 17:14
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
vid
I'm just learning not cheating hehe Smile I know already that things and thinking about DLL's now.
ctl3d32
Nice idea about CreateThread but I have pointer + offset and I'm getting mad what I'm doing wrong.. Here's code and look where I stuck..
Code:
format PE GUI 4.0 DLL

        include 'WIN32AX.INC'

entry DllEntry

section '.data' data readable writeable
       pointer EQU 0x025069bc
       poffset EQU 0x000001e0
       hpvalue EQU 1000f
       vtcheck db 1
       hThread dd ?


section '.text' code readable executable

proc DllEntry hInstance, dwReason, lpReserved
     mov eax,[dwReason]
     cmp eax,1
     jne check_detach
     jmp genoffset
start:
     invoke CreateThread,0,0,HP,0,0,0
     mov [hThread],eax
     jmp exit_true
genoffset:
     mov bl,[vtcheck]
     cmp bl,1
     jne start
     add dword[pointer],poffset
     mov byte[vtcheck],0
     jmp exit_true
check_detach:
     test eax,eax
     jnz exit_true
     invoke ExitThread,[hThread]
     jmp exit_true
exit_true:
      mov eax,1
      ret
endp

proc HP

.loop:
     mov eax,dword[pointer]
     mov dword[eax],hpvalue
     invoke Sleep,100
     jmp .loop

endp

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'

        include 'API\KERNEL32.INC'
        include 'API\USER32.INC'

section '.reloc' fixups data discardable readable    


Theoretically, this code should work but it fails.. Can't find any problem here cause everything is OK here..


Last edited by Overflowz on 06 Mar 2011, 22:36; edited 1 time in total
Post 06 Mar 2011, 19:13
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
I think you're building your pointer the wrong way. What is the complex address of your value?

A complex address looks like this: [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]
Where "004523D4" is a static address. A pointer + offset is not static. This means it will change from time to time. You will have to go deep and find the static address.

Give your complex address to me and i will build it to you. Did you see this? This is the way to defeat DMA:
Code:
.AddScore:
        ;Begin - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]

        mov    eax,004523d4h
        mov    ebx,[eax]
        add    ebx,4394h
        mov    eax,[ebx]
        add    eax,8h
        mov    ebx,[eax]
        mov    eax,[ebx]
        add    eax,8h
        mov    ebx,[eax]
        add    ebx,20h
        mov    eax,[ebx]

        ;End - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]

        add    dword [eax],1000d ;Add 1000 to score
        jmp    .Loop 
    
Post 06 Mar 2011, 22:34
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
ctl3d32
Mate, this code works fine. look:
Code:
add dword[0x025069bc],0x000001e0
mov eax,dword[0x025069bc]
mov dword[eax],1000f ;Float    

This changes HP value perfect but only 1 times. It works fine but to trigger effect need to call every time.. I don't understand nothing.. Sad
Post 06 Mar 2011, 22:39
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
Try this:

Code:
format PE GUI 4.0 DLL
entry DllEntry

include 'win32a.inc'

section '.text' code readable executable

proc DllEntry hInstance,dwReason,lpReserved
     cmp    [dwReason],DLL_PROCESS_ATTACH
     je     .start
     cmp    [dwReason],DLL_PROCESS_DETACH
     je     .endthread
     jmp    .exit
  .start:
     add    dword [pointer],poffset
     invoke CreateThread,0,0,HP,0,0,pid_thread
     mov    [h_thread],eax
     jmp    .exit
  .endthread:
     invoke ExitThread,[h_thread]
  .exit:
     mov eax,1
     ret
endp

proc HP
  .loop:
     mov    eax,dword [pointer]
     fld    dword [hpvalue]
     fstp   dword [eax]
     invoke Sleep,100
     jmp    .loop
     ret
endp

section '.bss' data readable writeable

  pid_thread dd ? ;PID of the new thread
  h_thread   dd ? ;Handles of the new thread

section '.data' data readable writeable

  pointer dd 0x025069bc
  poffset dd 0x000001e0
  hpvalue dd 1000.0f

section '.idata' import data readable

  library user32,'user32.dll',kernel32,'kernel32.dll'

  include 'API\KERNEL32.INC'
  include 'API\USER32.INC'

section '.reloc' fixups data discardable readable
    
Post 06 Mar 2011, 22:56
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
ctl3d32
No luck, same result.. can I have your IM to talk or IRC channel please ? Sad I'll explain things more there.
Post 06 Mar 2011, 23:11
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
Check your inbox
Post 06 Mar 2011, 23:15
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
Here is the solution.
Code:
format PE GUI 4.0 DLL
entry DllEntry

include 'win32a.inc'

section '.text' code readable executable

proc DllEntry hInstance,dwReason,lpReserved
     cmp    [dwReason],DLL_PROCESS_ATTACH
     je     .start
     cmp    [dwReason],DLL_PROCESS_DETACH
     je     .endthread
     jmp    .exit
  .start:
     invoke CreateThread,0,0,HP,0,0,pid_thread
     mov    [h_thread],eax
     jmp    .exit
  .endthread:
     invoke ExitThread,[h_thread]
  .exit:
     mov eax,1
     ret
endp

proc HP
  .loop:
     push   ebx
     mov    eax,dword [pointer]
     mov    ebx,dword [poffset]
     add    [eax],ebx
     mov    ebx,[eax]
     fld    dword [hpvalue]
     fstp   dword [ebx]
     invoke Sleep,100
     pop    ebx
     jmp    .loop
     ret
endp

section '.bss' data readable writeable

  pid_thread dd ? ;PID of the new thread
  h_thread   dd ? ;Handles of the new thread

section '.data' data readable writeable

  pointer dd 0x025069bc
  poffset dd 0x000001e0
  hpvalue dd 1000.0f

section '.idata' import data readable

  library user32,'user32.dll',kernel32,'kernel32.dll'

  include 'API\KERNEL32.INC'
  include 'API\USER32.INC'

section '.reloc' fixups data discardable readable
    
Post 06 Mar 2011, 23:52
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
Here is the .exe alternative to my first example, the one for the game LBreakout2.

Code:
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.text' code readable executable

  start:

        invoke GetModuleHandleA,0 ;to get the handle of the executable
        mov    [h_exe],eax
        invoke FindWindowA,_gclass,_gtitle  ;to get the handle of the game window
        cmp    eax,0
        je     .Error_FindWindow

        mov    [h_game_window],eax
        invoke GetWindowThreadProcessId,[h_game_window],pid_game_exe ;to get the process id of the game executable
        cmp    eax,0
        je     .Error_GetThreadPID

        invoke OpenProcess,PROCESS_ALL_ACCESS,NULL,[pid_game_exe] ;to get the handle of the game executable
        cmp    eax,0
        je     .Error_OpenProcess

        mov    [h_game_exe],eax
        invoke ReadProcessMemory,[h_game_exe],[base],p_score,4,NULL
        cmp    eax,0
        je    .Error_ReadMemory

        mov     eax,[p_score]
        add     eax,4394h
        mov     [p_score],eax
        invoke ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp    eax,0
        je    .Error_ReadMemory

        mov     eax,[p_score]
        add     eax,8h
        mov     [p_score],eax
        invoke ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp    eax,0
        je    .Error_ReadMemory

        invoke ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp    eax,0
        je    .Error_ReadMemory

        mov     eax,[p_score]
        add     eax,8h
        mov     [p_score],eax
        invoke ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp    eax,0
        je    .Error_ReadMemory

        mov     eax,[p_score]
        add     eax,20h
        mov     [p_score],eax
        invoke ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp    eax,0
        je    .Error_ReadMemory

        invoke ReadProcessMemory,[h_game_exe],[p_score],score,4,NULL
        cmp    eax,0
        je    .Error_ReadMemory

        mov    eax,[score]
        add    eax,[add_amount]
        mov    [add_amount],eax

        ;Write new value to memory
        invoke WriteProcessMemory,[h_game_exe],[p_score],add_amount,4,NULL
        cmp    eax,0
        je    .Error_WriteMemory

        ;invoke wsprintfA,mtitle,ftitle,[p_score]
        ;invoke MessageBox,NULL,mtitle,NULL,MB_OK

        invoke CloseHandle,[h_game_exe]
        jmp exit

        .Error_GetThreadPID:
        invoke MessageBox,NULL,error_GTPID_text,error_GTPID_title,MB_OK
        invoke CloseHandle,[h_game_exe]
        jmp exit

        .Error_FindWindow:
        invoke MessageBox,NULL,error_FW_text,error_FW_title,MB_OK
        invoke CloseHandle,[h_game_exe]
        jmp exit

        .Error_OpenProcess:
        invoke MessageBox,NULL,error_OP_text,error_OP_title,MB_OK
        invoke CloseHandle,[h_game_exe]
        jmp exit

        .Error_ReadMemory:
        invoke MessageBox,NULL,error_RM_text,error_RM_title,MB_OK
        invoke CloseHandle,[h_game_exe]
        jmp exit

        .Error_WriteMemory:
        invoke MessageBox,NULL,error_WM_text,error_WM_title,MB_OK
        invoke CloseHandle,[h_game_exe]
        jmp exit

  exit:
        invoke  ExitProcess,0

section '.data' data readable writeable

  _gclass db 'SDL_app',0
  _gtitle db 'LBreakout2',0
  name db 'lbreakout2.exe',0
  error_OP_title db 'Error!',0
  error_OP_text db 'Error executing OpenProcess!',0
  error_RM_title db 'Error!',0
  error_RM_text db 'Error executing WriteMemory!',0
  error_WM_title db 'Error!',0
  error_WM_text db 'Error executing WriteMemory!',0
  error_FW_title db 'Erro!',0
  error_FW_text db 'Error executing FindWindow!',0
  error_GTPID_title db 'Error!',0
  error_GTPID_text db 'Error executing GetThreadProcessID!',0
  ftitle db 'p_score is: 0x%p',0
  ftext db 'Value is: %ld',0
  base dd 004523D4h
  add_amount dd 1000000d

section '.bss' readable writeable

  h_exe dd ? ;Handles to the executable
  pid_game_exe dd ? ;PID of the game executable
  h_game_window dd ? ;Handles to the game window
  h_game_exe dd ? ;Handles to the game executable
  p_score dd ? ;Holds the pointer to the score
  score dd ? ;Value of score
  mtitle rb 400h
  mtext rb 400h

section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'

  import kernel,\
         GetModuleHandleA,'GetModuleHandleA',\
         ExitProcess,'ExitProcess',\
         OpenProcess,'OpenProcess',\
         CloseHandle,'CloseHandle',\
         ReadProcessMemory,'ReadProcessMemory',\
         WriteProcessMemory,'WriteProcessMemory',\
         ExitThread,'ExitThread',\
         CreateThread,'CreateThread'

  import user,\
         FindWindowA,'FindWindowA',\
         wsprintfA,'wsprintfA',\
         GetWindowThreadProcessId,'GetWindowThreadProcessId',\
         MessageBox,'MessageBoxA'
    
Post 07 Mar 2011, 00:26
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Hehe, works perfect now! Big thanks to ctl3d32. He helped me a lot (:
Post 07 Mar 2011, 09:42
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Well, I have bit problem.. I don't know why but I'm getting this error very often on every WriteProcessMemory call in all my projects. I don't understand whats problem.. HANDLE = TRUE, ADDRESS=TRUE, BUFFER=TRUE, SIZE=TRUE. ERROR = ERROR_PARTIAL_COPY
check this out.
Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry Injectit
section '.data' data readable writeable

sig db "Written by Overflowz!",0
progwindow db "Condition Zero",0
imsg db "Check your game now, if your HP doesn't raised, then something went wrong.",0x0a,0x0d,"Written By Overflowz!",0
ititle db "Unlimited HP",0
pointer dd 0x025069bc
poffset dd 0x000001e0
hpvalue dd 1000f

section '.bss' readable writeable

rpid dd ?
procHandle dd ?
base dd ?
wbytes dd ?

section '.text' code readable executable

proc Injectit
     invoke FindWindow,0,progwindow
     invoke GetWindowThreadProcessId,eax,rpid
     invoke OpenProcess,0xFFFF,0,[rpid]
     mov [procHandle],eax
     mov eax,dword[pointer]
     invoke ReadProcessMemory,[procHandle],eax,base,4,0
     mov ebx,dword[poffset]
     add [base],ebx
     mov eax,dword[base]
     invoke WriteProcessMemory,[procHandle],eax,dword[hpvalue],4,wbytes
     invoke CloseHandle,[procHandle]
     invoke MessageBox,0,imsg,ititle,MB_OK+MB_ICONINFORMATION
     ret

endp

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'

        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'

section '.reloc' fixups data readable discardable    


Can't find solution in google too..
Post 07 Mar 2011, 13:15
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
have you tried this?
Code:
invoke OpenProcess,PROCESS_ALL_ACCESS,0,[rpid] 
    


I have made minor changes too.
Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry start
section '.data' data readable writeable

sig db "Written by Overflowz!",0
progwindow db "Condition Zero",0
imsg db "Check your game now, if your HP doesn't raised, then something went wrong.",0x0a,0x0d,"Written By Overflowz!",0
ititle db "Unlimited HP",0
pointer dd 0x025069bc
poffset dd 0x000001e0
hpvalue dd 1000f

section '.bss' readable writeable

rpid dd ?
procHandle dd ?
base dd ?
wbytes dd ?

section '.text' code readable executable

start:
     invoke FindWindow,0,progwindow
     invoke GetWindowThreadProcessId,eax,rpid
     invoke OpenProcess,PROCESS_ALL_ACCESS,0,[rpid] 
     mov [procHandle],eax
     mov eax,dword[pointer]
     invoke ReadProcessMemory,[procHandle],eax,base,4,0
     mov ebx,dword[poffset]
     add [base],ebx
     mov eax,dword[base]
     invoke WriteProcessMemory,[procHandle],eax,dword[hpvalue],4,wbytes
     invoke CloseHandle,[procHandle]
     invoke MessageBox,0,imsg,ititle,MB_OK+MB_ICONINFORMATION
     invoke ExitProcess,0

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'

        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'

section '.reloc' fixups data readable discardable
    
Post 07 Mar 2011, 14:15
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
ctl3d32
I found problem.. It was here:
Code:
invoke WriteProcessMemory,[procHandle],eax,dword[hpvalue],4,wbytes    

changed to:
Code:
invoke WriteProcessMemory,[procHandle],[base],hpvalue,4,0    

Fixed and works fine Smile
Post 07 Mar 2011, 14:52
View user's profile Send private message Reply with quote
ctl3d32



Joined: 30 Dec 2009
Posts: 204
Location: Brazil
ctl3d32
great!
Post 07 Mar 2011, 15:06
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
last more question, is it possible to patch executable when I'll find pointer ? or what I need to find to do this ? Thanks.
Post 08 Mar 2011, 00:28
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.