flat assembler
Message board for the users of flat assembler.
Windows > How to freeze memory value?
vid 06 Mar 2011, 17:07
Why do you need to inject? Wouldn't Read/WriteProcessMemory be enough?
ctl3d32 06 Mar 2011, 17:14
It happens that I have done some... Here is a simple one.
It checks for a key press to cheat. The proc does an infinite loop. REMEMBER to use something like:
Code:
invoke Sleep,100d
or your thread will eat all your CPU. I forgot that at the time.
Code:
; DLL creation example
; Game: LBreakout2 v2.5.1
format PE GUI 4.0 DLL
entry DllEntryPoint
include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        mov     eax,[fdwReason]
        cmp     eax,DLL_PROCESS_ATTACH
        jne     .finish
        ; create a new thread that runs Cheats in a loop, in parallel to the game
        invoke  CreateThread,NULL,NULL,Cheats,NULL,NULL,pid_thread
        mov     [h_thread],eax
  .finish:
        mov     eax,TRUE
        ret
endp

proc Cheats
  .Loop:
        ; no Sleep in this loop (see the note above): it spins at 100% CPU
        invoke  GetAsyncKeyState,0x58          ; X key: leave the cheat thread
        cmp     al,1
        je      .Exit
        invoke  GetAsyncKeyState,0x53          ; S key: add score
        cmp     al,0
        jne     .AddScore
        invoke  GetAsyncKeyState,0x44          ; D key: add balls
        cmp     al,0
        je      .Loop
        jne     .AddBall
  .AddScore:
        ; Begin - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]
        mov     eax,004523d4h
        mov     ebx,[eax]
        add     ebx,4394h
        mov     eax,[ebx]
        add     eax,8h
        mov     ebx,[eax]
        mov     eax,[ebx]
        add     eax,8h
        mov     ebx,[eax]
        add     ebx,20h
        mov     eax,[ebx]
        ; End - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]
        add     dword [eax],1000d              ; add 1000 to score
        jmp     .Loop
  .AddBall:
        mov     eax,00475f60h
        mov     dword [eax],8d                 ; maximize no. of balls
        jmp     .Loop
  .Exit:
        invoke  ExitThread,0
endp

section '.bss' readable writeable
  pid_thread dd ?        ; ID of the new thread
  h_thread   dd ?        ; handle of the new thread

section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'
  import kernel,\
         ExitThread,'ExitThread',\
         CreateThread,'CreateThread'
  import user,\
         wsprintf,'wsprintfA',\
         GetAsyncKeyState,'GetAsyncKeyState'

section '.edata' export data readable
  export 'LBreakout2v2_5_1_2.DLL',\
         Cheats,'Cheats'

section '.reloc' fixups data discardable
Overflowz 06 Mar 2011, 19:13
vid
I'm just learning, not cheating hehe. I know those things already and am thinking about DLLs now. ctl3d32: Nice idea about CreateThread, but I have pointer + offset and I'm going mad over what I'm doing wrong.. Here's the code; look where I'm stuck..
Code:
format PE GUI 4.0 DLL
include 'WIN32AX.INC'
entry DllEntry

section '.data' data readable writeable
  pointer EQU 0x025069bc
  poffset EQU 0x000001e0
  hpvalue EQU 1000f
  vtcheck db 1
  hThread dd ?

section '.text' code readable executable

proc DllEntry hInstance, dwReason, lpReserved
        mov     eax,[dwReason]
        cmp     eax,1
        jne     check_detach
        jmp     genoffset
  start:
        invoke  CreateThread,0,0,HP,0,0,0
        mov     [hThread],eax
        jmp     exit_true
  genoffset:
        mov     bl,[vtcheck]
        cmp     bl,1
        jne     start
        add     dword [pointer],poffset
        mov     byte [vtcheck],0
        jmp     exit_true
  check_detach:
        test    eax,eax
        jnz     exit_true
        invoke  ExitThread,[hThread]
        jmp     exit_true
  exit_true:
        mov     eax,1
        ret
endp

proc HP
  .loop:
        mov     eax,dword [pointer]
        mov     dword [eax],hpvalue
        invoke  Sleep,100
        jmp     .loop
endp

section '.idata' import data readable
  library user32,'user32.dll',kernel32,'kernel32.dll'
  include 'API\KERNEL32.INC'
  include 'API\USER32.INC'

section '.reloc' fixups data discardable readable
Theoretically, this code should work, but it fails.. I can't find any problem here, because everything is OK here..
Last edited by Overflowz on 06 Mar 2011, 22:36; edited 1 time in total
ctl3d32 06 Mar 2011, 22:34
I think you're building your pointer the wrong way. What is the complex address of your value?
A complex address looks like this: [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20] where "004523D4" is a static address. A pointer + offset is not static. This means it will change from time to time. You will have to go deep and find the static address. Give your complex address to me and I will build it for you. Did you see this? This is the way to defeat DMA:
Code:
  .AddScore:
        ; Begin - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]
        mov     eax,004523d4h
        mov     ebx,[eax]
        add     ebx,4394h
        mov     eax,[ebx]
        add     eax,8h
        mov     ebx,[eax]
        mov     eax,[ebx]
        add     eax,8h
        mov     ebx,[eax]
        add     ebx,20h
        mov     eax,[ebx]
        ; End - Building the pointer expression [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20]
        add     dword [eax],1000d              ; add 1000 to score
        jmp     .Loop
Overflowz 06 Mar 2011, 22:39
ctl3d32
Mate, this code works fine. Look:
Code:
        add     dword [0x025069bc],0x000001e0
        mov     eax,dword [0x025069bc]
        mov     dword [eax],1000f              ; float
This changes the HP value perfectly, but only 1 time. It works fine, but to trigger the effect it needs to be called every time.. I don't understand anything..
ctl3d32 06 Mar 2011, 22:56
Try this:
Code:
format PE GUI 4.0 DLL
entry DllEntry
include 'win32a.inc'

section '.text' code readable executable

proc DllEntry hInstance,dwReason,lpReserved
        cmp     [dwReason],DLL_PROCESS_ATTACH
        je      .start
        cmp     [dwReason],DLL_PROCESS_DETACH
        je      .endthread
        jmp     .exit
  .start:
        add     dword [pointer],poffset
        invoke  CreateThread,0,0,HP,0,0,pid_thread
        mov     [h_thread],eax
        jmp     .exit
  .endthread:
        invoke  ExitThread,[h_thread]
  .exit:
        mov     eax,1
        ret
endp

proc HP
  .loop:
        mov     eax,dword [pointer]
        fld     dword [hpvalue]
        fstp    dword [eax]
        invoke  Sleep,100
        jmp     .loop
        ret
endp

section '.bss' data readable writeable
  pid_thread dd ?        ; ID of the new thread
  h_thread   dd ?        ; handle of the new thread

section '.data' data readable writeable
  pointer dd 0x025069bc
  poffset dd 0x000001e0
  hpvalue dd 1000.0f

section '.idata' import data readable
  library user32,'user32.dll',kernel32,'kernel32.dll'
  include 'API\KERNEL32.INC'
  include 'API\USER32.INC'

section '.reloc' fixups data discardable readable
Overflowz 06 Mar 2011, 23:11
ctl3d32
No luck, same result.. Can I have your IM to talk, or an IRC channel, please? I'll explain things more there.
ctl3d32 06 Mar 2011, 23:15
Check your inbox
ctl3d32 06 Mar 2011, 23:52
Here is the solution.
Code:
format PE GUI 4.0 DLL
entry DllEntry
include 'win32a.inc'

section '.text' code readable executable

proc DllEntry hInstance,dwReason,lpReserved
        cmp     [dwReason],DLL_PROCESS_ATTACH
        je      .start
        cmp     [dwReason],DLL_PROCESS_DETACH
        je      .endthread
        jmp     .exit
  .start:
        invoke  CreateThread,0,0,HP,0,0,pid_thread
        mov     [h_thread],eax
        jmp     .exit
  .endthread:
        invoke  ExitThread,[h_thread]
  .exit:
        mov     eax,1
        ret
endp

proc HP
  .loop:
        push    ebx
        mov     eax,dword [pointer]
        mov     ebx,dword [poffset]
        add     [eax],ebx
        mov     ebx,[eax]
        fld     dword [hpvalue]
        fstp    dword [ebx]
        invoke  Sleep,100
        pop     ebx
        jmp     .loop
        ret
endp

section '.bss' data readable writeable
  pid_thread dd ?        ; ID of the new thread
  h_thread   dd ?        ; handle of the new thread

section '.data' data readable writeable
  pointer dd 0x025069bc
  poffset dd 0x000001e0
  hpvalue dd 1000.0f

section '.idata' import data readable
  library user32,'user32.dll',kernel32,'kernel32.dll'
  include 'API\KERNEL32.INC'
  include 'API\USER32.INC'

section '.reloc' fixups data discardable readable
ctl3d32 07 Mar 2011, 00:26
Here is the .exe alternative to my first example, the one for the game LBreakout2.
Code:
format PE GUI 4.0
entry start
include 'win32a.inc'

section '.text' code readable executable

start:
        invoke  GetModuleHandleA,0                    ; handle of this executable
        mov     [h_exe],eax
        invoke  FindWindowA,_gclass,_gtitle           ; handle of the game window
        cmp     eax,0
        je      .Error_FindWindow
        mov     [h_game_window],eax
        invoke  GetWindowThreadProcessId,[h_game_window],pid_game_exe   ; process id of the game
        cmp     eax,0
        je      .Error_GetThreadPID
        invoke  OpenProcess,PROCESS_ALL_ACCESS,NULL,[pid_game_exe]      ; handle of the game process
        cmp     eax,0
        je      .Error_OpenProcess
        mov     [h_game_exe],eax

        ; walk [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20] with one ReadProcessMemory per level,
        ; adding each offset to the local copy held in p_score
        invoke  ReadProcessMemory,[h_game_exe],[base],p_score,4,NULL
        cmp     eax,0
        je      .Error_ReadMemory
        mov     eax,[p_score]
        add     eax,4394h
        mov     [p_score],eax
        invoke  ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp     eax,0
        je      .Error_ReadMemory
        mov     eax,[p_score]
        add     eax,8h
        mov     [p_score],eax
        invoke  ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp     eax,0
        je      .Error_ReadMemory
        invoke  ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp     eax,0
        je      .Error_ReadMemory
        mov     eax,[p_score]
        add     eax,8h
        mov     [p_score],eax
        invoke  ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp     eax,0
        je      .Error_ReadMemory
        mov     eax,[p_score]
        add     eax,20h
        mov     [p_score],eax
        invoke  ReadProcessMemory,[h_game_exe],[p_score],p_score,4,NULL
        cmp     eax,0
        je      .Error_ReadMemory
        ; p_score now holds the address of the score; read the current value
        invoke  ReadProcessMemory,[h_game_exe],[p_score],score,4,NULL
        cmp     eax,0
        je      .Error_ReadMemory
        mov     eax,[score]
        add     eax,[add_amount]
        mov     [add_amount],eax
        ; write the new value to memory
        invoke  WriteProcessMemory,[h_game_exe],[p_score],add_amount,4,NULL
        cmp     eax,0
        je      .Error_WriteMemory
        ;invoke  wsprintfA,mtitle,ftitle,[p_score]
        ;invoke  MessageBox,NULL,mtitle,NULL,MB_OK
        invoke  CloseHandle,[h_game_exe]
        jmp     exit
  .Error_GetThreadPID:
        invoke  MessageBox,NULL,error_GTPID_text,error_GTPID_title,MB_OK
        invoke  CloseHandle,[h_game_exe]
        jmp     exit
  .Error_FindWindow:
        invoke  MessageBox,NULL,error_FW_text,error_FW_title,MB_OK
        invoke  CloseHandle,[h_game_exe]
        jmp     exit
  .Error_OpenProcess:
        invoke  MessageBox,NULL,error_OP_text,error_OP_title,MB_OK
        invoke  CloseHandle,[h_game_exe]
        jmp     exit
  .Error_ReadMemory:
        invoke  MessageBox,NULL,error_RM_text,error_RM_title,MB_OK
        invoke  CloseHandle,[h_game_exe]
        jmp     exit
  .Error_WriteMemory:
        invoke  MessageBox,NULL,error_WM_text,error_WM_title,MB_OK
        invoke  CloseHandle,[h_game_exe]
        jmp     exit
exit:
        invoke  ExitProcess,0

section '.data' data readable writeable
  _gclass           db 'SDL_app',0
  _gtitle           db 'LBreakout2',0
  name              db 'lbreakout2.exe',0
  error_OP_title    db 'Error!',0
  error_OP_text     db 'Error executing OpenProcess!',0
  error_RM_title    db 'Error!',0
  error_RM_text     db 'Error executing ReadProcessMemory!',0
  error_WM_title    db 'Error!',0
  error_WM_text     db 'Error executing WriteProcessMemory!',0
  error_FW_title    db 'Error!',0
  error_FW_text     db 'Error executing FindWindow!',0
  error_GTPID_title db 'Error!',0
  error_GTPID_text  db 'Error executing GetWindowThreadProcessId!',0
  ftitle            db 'p_score is: 0x%p',0
  ftext             db 'Value is: %ld',0
  base              dd 004523D4h
  add_amount        dd 1000000d

section '.bss' readable writeable
  h_exe          dd ?     ; handle of this executable
  pid_game_exe   dd ?     ; PID of the game executable
  h_game_window  dd ?     ; handle of the game window
  h_game_exe     dd ?     ; handle of the game process
  p_score        dd ?     ; holds the pointer to the score
  score          dd ?     ; value of the score
  mtitle         rb 400h
  mtext          rb 400h

section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'
  import kernel,\
         GetModuleHandleA,'GetModuleHandleA',\
         ExitProcess,'ExitProcess',\
         OpenProcess,'OpenProcess',\
         CloseHandle,'CloseHandle',\
         ReadProcessMemory,'ReadProcessMemory',\
         WriteProcessMemory,'WriteProcessMemory',\
         ExitThread,'ExitThread',\
         CreateThread,'CreateThread'
  import user,\
         FindWindowA,'FindWindowA',\
         wsprintfA,'wsprintfA',\
         GetWindowThreadProcessId,'GetWindowThreadProcessId',\
         MessageBox,'MessageBoxA'
Overflowz 07 Mar 2011, 09:42
Hehe, works perfect now! Big thanks to ctl3d32. He helped me a lot (:
Overflowz 07 Mar 2011, 13:15
Well, I have a bit of a problem.. I don't know why, but I'm getting this error very often on every WriteProcessMemory call in all my projects. I don't understand what the problem is.. HANDLE = TRUE, ADDRESS = TRUE, BUFFER = TRUE, SIZE = TRUE. ERROR = ERROR_PARTIAL_COPY
Check this out.
Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry Injectit

section '.data' data readable writeable
  sig        db "Written by Overflowz!",0
  progwindow db "Condition Zero",0
  imsg       db "Check your game now, if your HP doesn't raised, then something went wrong.",0x0a,0x0d,"Written By Overflowz!",0
  ititle     db "Unlimited HP",0
  pointer    dd 0x025069bc
  poffset    dd 0x000001e0
  hpvalue    dd 1000f

section '.bss' readable writeable
  rpid       dd ?
  procHandle dd ?
  base       dd ?
  wbytes     dd ?

section '.text' code readable executable

proc Injectit
        invoke  FindWindow,0,progwindow
        invoke  GetWindowThreadProcessId,eax,rpid
        invoke  OpenProcess,0xFFFF,0,[rpid]
        mov     [procHandle],eax
        mov     eax,dword [pointer]
        invoke  ReadProcessMemory,[procHandle],eax,base,4,0
        mov     ebx,dword [poffset]
        add     [base],ebx
        mov     eax,dword [base]
        invoke  WriteProcessMemory,[procHandle],eax,dword [hpvalue],4,wbytes
        invoke  CloseHandle,[procHandle]
        invoke  MessageBox,0,imsg,ititle,MB_OK+MB_ICONINFORMATION
        ret
endp

section '.idata' import data readable
  library user32,'user32.dll',kernel32,'kernel32.dll'
  include 'API\USER32.INC'
  include 'API\KERNEL32.INC'

section '.reloc' fixups data readable discardable
I can't find a solution on Google either..
ctl3d32 07 Mar 2011, 14:15
Have you tried this?
Code:
        invoke  OpenProcess,PROCESS_ALL_ACCESS,0,[rpid]
I have made minor changes too.
Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry start

section '.data' data readable writeable
  sig        db "Written by Overflowz!",0
  progwindow db "Condition Zero",0
  imsg       db "Check your game now, if your HP doesn't raised, then something went wrong.",0x0a,0x0d,"Written By Overflowz!",0
  ititle     db "Unlimited HP",0
  pointer    dd 0x025069bc
  poffset    dd 0x000001e0
  hpvalue    dd 1000f

section '.bss' readable writeable
  rpid       dd ?
  procHandle dd ?
  base       dd ?
  wbytes     dd ?

section '.text' code readable executable

start:
        invoke  FindWindow,0,progwindow
        invoke  GetWindowThreadProcessId,eax,rpid
        invoke  OpenProcess,PROCESS_ALL_ACCESS,0,[rpid]
        mov     [procHandle],eax
        mov     eax,dword [pointer]
        invoke  ReadProcessMemory,[procHandle],eax,base,4,0
        mov     ebx,dword [poffset]
        add     [base],ebx
        mov     eax,dword [base]
        invoke  WriteProcessMemory,[procHandle],eax,dword [hpvalue],4,wbytes
        invoke  CloseHandle,[procHandle]
        invoke  MessageBox,0,imsg,ititle,MB_OK+MB_ICONINFORMATION
        invoke  ExitProcess,0

section '.idata' import data readable
  library user32,'user32.dll',kernel32,'kernel32.dll'
  include 'API\USER32.INC'
  include 'API\KERNEL32.INC'

section '.reloc' fixups data readable discardable
Overflowz 07 Mar 2011, 14:52
ctl3d32
I found the problem.. It was here:
Code:
        ; passes the float's bit pattern as lpBuffer, i.e. as a pointer into this process
        invoke  WriteProcessMemory,[procHandle],eax,dword [hpvalue],4,wbytes
changed to:
Code:
        ; lpBuffer must be the address of hpvalue; lpBaseAddress is the resolved target address
        invoke  WriteProcessMemory,[procHandle],[base],hpvalue,4,0
Fixed, and it works fine.
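The two things this thread turns on, the level-by-level walk of a "complex address" that the .exe version above does with one ReadProcessMemory per level, and the WriteProcessMemory call that fails when it is handed a bad address, as an added example in C that is not code from this thread or from either poster. It resolves a chain such as [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20] from a list of offsets, writes through it, and treats an unreadable level or an unmapped target address as a hard failure instead of writing somewhere random. To stay runnable off Windows, the game process is replaced by a constructed in-process memory image behind two callbacks that keep the ReadProcessMemory/WriteProcessMemory contract (all-or-nothing); every intermediate address in that image and the 0x00470000 base used for the HP chain are invented. Each offset is added to the local copy of the pointer, as the .exe version does with p_score, never to the target's own pointer variable.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "target" address space standing in for the game process. On Windows the
 * two callbacks would wrap ReadProcessMemory/WriteProcessMemory; the contract is the
 * same: all-or-nothing, false when any byte of [addr, addr+len) is not mapped. */
#define IMG_BASE 0x00400000u
#define IMG_SIZE 0x00080000u
static uint8_t g_image[IMG_SIZE];
typedef bool (*read_fn)(uint32_t addr, void *buf, size_t len);
typedef bool (*write_fn)(uint32_t addr, const void *buf, size_t len);

static bool mapped(uint32_t addr, size_t len) {
    return addr >= IMG_BASE && len <= IMG_SIZE && addr - IMG_BASE <= IMG_SIZE - len;
}
static bool fake_read(uint32_t addr, void *buf, size_t len) {
    if (!mapped(addr, len)) return false;                /* the RPM failure case */
    memcpy(buf, g_image + (addr - IMG_BASE), len);
    return true;
}
static bool fake_write(uint32_t addr, const void *buf, size_t len) {
    if (!mapped(addr, len)) return false;                /* the WPM failure case */
    memcpy(g_image + (addr - IMG_BASE), buf, len);
    return true;
}

/* base -> [base]+offs[0] -> [that]+offs[1] -> ... -> address of the value.
 * n offsets = n dereferences. Each offset is added to the LOCAL copy of the
 * pointer, so the target's own pointer variables are never modified. */
static bool resolve_chain(read_fn rd, uint32_t base, const uint32_t *offs,
                          size_t n, uint32_t *value_addr) {
    uint32_t cur = base;
    for (size_t i = 0; i < n; i++) {
        uint32_t next;
        if (!rd(cur, &next, sizeof next)) return false;  /* level not readable */
        if (next == 0) return false;                     /* object not allocated yet */
        cur = next + offs[i];
    }
    *value_addr = cur;
    return true;
}

/* One freeze tick: re-resolve, then overwrite. Re-resolving on every tick is what
 * survives DMA: when the game reallocates the object, the chain follows it. */
static bool freeze_float(read_fn rd, write_fn wr, uint32_t base,
                         const uint32_t *offs, size_t n, float value) {
    uint32_t addr;
    if (!resolve_chain(rd, base, offs, n, &addr)) return false;
    return wr(addr, &value, sizeof value);
}

/* Constructed image mimicking the two chains from the thread; every intermediate
 * address (and the 0x00470000 HP base) is invented so that it lies inside the image. */
static void put32(uint32_t addr, uint32_t v) { fake_write(addr, &v, sizeof v); }
static void build_image(void) {
    memset(g_image, 0, sizeof g_image);
    put32(0x004523D4u,           0x00450000u);   /* [[[[[[004523D4]+0x4394]+0x8]]+0x8]+0x20] */
    put32(0x00450000u + 0x4394u, 0x00460000u);
    put32(0x00460000u + 0x8u,    0x00461000u);
    put32(0x00461000u,           0x00462000u);
    put32(0x00462000u + 0x8u,    0x00463000u);
    put32(0x00463000u + 0x20u,   0x00464000u);
    put32(0x00464000u,           1234u);         /* the score itself */
    put32(0x00470000u,           0x00471000u);   /* HP chain [[0x00470000]+0x1e0] */
}
static const uint32_t SCORE_OFFS[] = { 0x4394u, 0x8u, 0x0u, 0x8u, 0x20u, 0x0u };
static const uint32_t HP_OFFS[]    = { 0x1e0u };

/* Adds amount to the score through the chain; returns the new score, 0 on failure. */
static uint32_t demo_add_score(uint32_t amount) {
    uint32_t addr, score;
    build_image();
    if (!resolve_chain(fake_read, 0x004523D4u, SCORE_OFFS, 6, &addr)) return 0;
    if (!fake_read(addr, &score, sizeof score)) return 0;
    score += amount;
    return fake_write(addr, &score, sizeof score) ? score : 0;
}

/* Freezes HP, moves the object (the pointer at the base changes, as under DMA),
 * freezes again, and returns the HP found at the NEW location. */
static float demo_freeze_hp_after_realloc(void) {
    float hp = 0.0f;
    build_image();
    if (!freeze_float(fake_read, fake_write, 0x00470000u, HP_OFFS, 1, 1000.0f)) return -1.0f;
    put32(0x00470000u, 0x00472000u);                     /* game reallocated the object */
    if (!freeze_float(fake_read, fake_write, 0x00470000u, HP_OFFS, 1, 1000.0f)) return -2.0f;
    return fake_read(0x00472000u + 0x1e0u, &hp, sizeof hp) ? hp : -3.0f;
}

/* A base outside the mapped region (the thread's 0x025069bc lies outside this image)
 * must fail cleanly instead of writing somewhere random. */
static bool demo_unmapped_chain_rejected(void) {
    build_image();
    return !freeze_float(fake_read, fake_write, 0x025069bcu, HP_OFFS, 1, 1000.0f);
}

int main(void) {
    printf("score %u, hp %.1f, unmapped rejected %d\n", (unsigned)demo_add_score(1000),
           (double)demo_freeze_hp_after_realloc(), demo_unmapped_chain_rejected());
    return 0;
}
```

Re-resolving on every tick is what makes a freeze survive dynamic memory allocation: a loop that caches the address from its first resolution keeps writing into freed memory once the game reallocates the object. Checking every read and write result is the difference between a cheat that stops when the object is gone and one that corrupts whatever now lives at the stale address.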
ctl3d32 07 Mar 2011, 15:06
great!
Overflowz 08 Mar 2011, 00:28
One last question: is it possible to patch the executable once I find the pointer? Or what do I need to find to do this? Thanks.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.