	
	
		| Author | Message | 
	
		| Raga How do I cheat?
 
 Reputation: 0
 Joined: 06 May 2010
 Posts: 4
 
 
 | 
			
				|  Posted: Thu May 06, 2010 8:35 am    Post subject: [C++] Memory scanner |   |  
				| 
 |  
				| Hi. Cheat Engine is detected for my application, so I wanted to write my own undetectable simple memory scanner, but during the scan I am getting an exe error and the application crashes (in some memory ranges).
 My code looks like this (see below) and it's injected into this process's virtual memory in my DLL.
 
 | Code: | | if (strcmp ( command , "search" ) == 0)
 {
     scanf("%d%*c",&value);
     int counter = 0;
     for (int i = 0x00400000; i < 0x7FFFFFFF; i++)
     {
         if (value == *(DWORD*)i)
         {
             printf("Found: %X\ value: %d\n", i, value);
             counter++;
         }
     }
     printf("Found: %d\nDone\n", counter);
 }
 
 | 
 
 How can I fix it?
 |  | 
	
		| Slugsnack Grandmaster Cheater Supreme
 
 Reputation: 71 
 Joined: 24 Jan 2007
 Posts: 1857
 
 
 | 
			
				|  Posted: Thu May 06, 2010 9:06 am    Post subject: |   |  
				| 
 |  
				| not all memory is readable. you need to find which memory regions have readable memory with virtualqueryex. these questions have been asked heaps of times, you could search up and find tonnes of relevant threads. |  | 
	
		| Raga How do I cheat?
 
 Reputation: 0 
 Joined: 06 May 2010
 Posts: 4
 
 
 | 
			
				|  Posted: Thu May 06, 2010 9:36 am    Post subject: |   |  
				| 
 |  
				| OpenProcess() is hooked from the kernel. I can't open this process. It's Hackshield protected.
 If I can't use OpenProcess(), I can't use VirtualQueryEx().
 |  | 
	
		| Slugsnack Grandmaster Cheater Supreme
 
 Reputation: 71 
 Joined: 24 Jan 2007
 Posts: 1857
 
 
 | 
			
				|  Posted: Thu May 06, 2010 9:40 am    Post subject: |   |  
				| 
 |  
				| then use virtualquery. it's just a wrapper to virtualqueryex with first param as -1 anyway |  | 
	
		| Raga How do I cheat?
 
 Reputation: 0 
 Joined: 06 May 2010
 Posts: 4
 
 
 | 
			
				|  Posted: Thu May 06, 2010 10:51 am    Post subject: |   |  
				| 
 |  
				| OK, I've modified my code like this (see below) and still have the problem with the .exe error.
 | Code: | | if (strcmp ( command , "search" ) == 0)
 {
     scanf("%d%*c",&value);

     int counter = 0;

     int start = 0x00400100;
     int end = 0x07FFFFFF;
     MEMORY_BASIC_INFORMATION mbi;
     int i = start;

     while (true)
     {
         if (i>=end) break;

         if (!VirtualQuery(LPCVOID(i), &mbi, sizeof(MEMORY_BASIC_INFORMATION)))
         {
             printf("Virtual Query failed at: 0x%X\n", i);
             break;
         }

         if (mbi.Protect == 0 || mbi.Protect == 0x01) // 0 - caller dont have access, 0x01 - PAGE_NOACCESS
         {
             i+=mbi.RegionSize;
             printf("Region ingored 0x%X-0x%X\n", i, i+mbi.RegionSize);
             continue;
         }
         else
             printf("Region accessed 0x%X-0x%X\n", i, i+mbi.RegionSize);

         int endregion = i+mbi.RegionSize;
         for (;i < endregion && i<=end; i++)
         {
             if (value == *(DWORD*)i)
             {
                 printf("Found: 0x%X\ value: %d\n", i, value);
                 counter++;
             }
         }
     }

     printf("Found: %d\nDone\n", counter);
 }
 | 
 
 Result:
 
  	  | Code: |  	  | search 1116
 Region accessed 0x400100-0x401100
 Region accessed 0x401100-0x6D2100
 Found: 0x4133F4 value: 1116
 Found: 0x4134CC value: 1116
 Found: 0x427E49 value: 1116
 Found: 0x44A1E3 value: 1116
 Found: 0x451DE7 value: 1116
 Found: 0x5BEDB2 value: 1116
 Found: 0x5BEE15 value: 1116
 Found: 0x5C5B62 value: 1116
 Found: 0x68AC66 value: 1116
 Found: 0x68B1CC value: 1116
 Found: 0x68B246 value: 1116
 Found: 0x68B946 value: 1116
 Region accessed 0x6D2100-0x72D100
 Region accessed 0x72D100-0x76D100
 Region accessed 0x76D100-0x76E100
 Region accessed 0x76E100-0x76F100
 Region accessed 0x76F100-0x770100
 Region accessed 0x770100-0x771100
 Region accessed 0x771100-0x772100
 Region accessed 0x772100-0x773100
 Region accessed 0x773100-0x774100
 Region accessed 0x774100-0x780100
 Region accessed 0x780100-0x781100
 //... etc.
 // many regions here
 Region accessed 0x931100-0xAB7100
 Region accessed 0xAB7100-0xB1F100
 Found: 0xABB240 value: 1116
 Found: 0xABBC78 value: 1116
 
 | 
 Then crash...
 What's wrong?
 
 When should I ignore reading regions? When mbi.protect is equal to 0 and 0x01? Or are there many more conditions?
 |  | 
	
		| Slugsnack Grandmaster Cheater Supreme
 
 Reputation: 71 
 Joined: 24 Jan 2007
 Posts: 1857
 
 
 | 
			
				|  Posted: Thu May 06, 2010 10:56 am    Post subject: |   |  
				| 
 |  
				| have a look at what address it's crashing on and that will help you realise why you're crashing. hint, it's to do with the boundary conditions of your scanning code |  | 
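The two boundary conditions in the loop posted above, modelled on a constructed region table so that it runs anywhere (an added example, not code from any poster in this thread). `query()` stands in for VirtualQuery, which reports the region containing the queried address, with RegionSize measured from BaseAddress rather than from that address; `region_t`, `layout`, `query` and `touched_end` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the MEMORY_BASIC_INFORMATION fields the loop
   depends on: BaseAddress, RegionSize, and whether reads are allowed. */
typedef struct { uint32_t base, size; int readable; } region_t;

/* Constructed layout: two readable regions, then an unreadable one. */
static const region_t layout[] = {
    { 0x00400000u, 0x1000u, 1 },
    { 0x00401000u, 0x2000u, 1 },
    { 0x00403000u, 0x1000u, 0 },
};

/* Models the query: returns the region CONTAINING addr, so the reported
   base is at or below addr and the size is counted from that base. */
static const region_t *query(uint32_t addr) {
    for (size_t k = 0; k < sizeof layout / sizeof layout[0]; k++)
        if (addr - layout[k].base < layout[k].size)
            return &layout[k];
    return NULL;
}

/* Walks readable regions from start and returns one past the highest byte
   a 4-byte read touches. posted != 0 uses the thread's arithmetic
   (end = i + RegionSize, reads start at every i below end); posted == 0
   uses end = BaseAddress + RegionSize and stops reads at end - 4, which is
   conservative: a value straddling two readable regions is not examined. */
uint32_t touched_end(uint32_t start, int posted) {
    uint32_t i = start, touched = start;
    const region_t *r;
    while ((r = query(i)) != NULL && r->readable) {
        uint32_t end = (posted ? i : r->base) + r->size;
        if (posted)
            touched = (end - 1) + 4;   /* last read starts at end - 1 */
        else if (end - i >= 4)
            touched = end;             /* last read starts at end - 4 */
        i = end;
    }
    return touched;
}

int main(void) {
    printf("unreadable from      0x%X\n", (unsigned)layout[2].base);
    printf("as posted, reads to  0x%X\n", (unsigned)touched_end(0x00400100u, 1));
    printf("corrected, reads to  0x%X\n", (unsigned)touched_end(0x00400100u, 0));
    return 0;
}
```

With the unaligned start 0x00400100, the posted arithmetic carries the 0x100 offset into every region end, the same pattern as the `Region accessed 0x400100-0x401100` lines in the log; even with an aligned start, the 4-byte read at the last byte of a region reaches 3 bytes past it.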
	
		| blitz02 Cheater
 
 Reputation: 0 
 Joined: 28 Feb 2007
 Posts: 44
 
 
 | 
			
				|  Posted: Fri May 07, 2010 1:34 am    Post subject: |   |  
				| 
 |  
				| @Raga, have you found it? |  | 
	
	
		|  | 
	
		| Flyte Peanuts!!!!
 
  Reputation: 6 
 Joined: 19 Apr 2006
 Posts: 1887
 Location: Canada
 
 |  | 
	
		| Stylo Grandmaster Cheater Supreme
 
 Reputation: 3 
 Joined: 16 May 2007
 Posts: 1073
 Location: Israel
 
 | 
			
				|  Posted: Fri May 07, 2010 11:42 am    Post subject: |   |  
				| 
 |  
				| I suggest memory scanner via dll injection for hackshield |  | 
	
		| iPromise Grandmaster Cheater
 
 Reputation: -1 
 Joined: 27 Jun 2009
 Posts: 529
 Location: Canada
 
 | 
			
				|  Posted: Fri May 07, 2010 3:52 pm    Post subject: |   |  
				| 
 |  
				| Code a DLL instead and scan the target's memory from there, and display your results with dialogs. |  | 
	
		| Slugsnack Grandmaster Cheater Supreme
 
 Reputation: 71 
 Joined: 24 Jan 2007
 Posts: 1857
 
 
 | 
			
				|  Posted: Fri May 07, 2010 7:42 pm    Post subject: |   |  
				| 
 |  
				| Are the two of you blind ? He's clearly using direct memory access already.. |  | 
	
		| Stylo Grandmaster Cheater Supreme
 
 Reputation: 3 
 Joined: 16 May 2007
 Posts: 1073
 Location: Israel
 
 | 
			
				|  Posted: Sat May 08, 2010 2:07 am    Post subject: |   |  
				| 
 |  
				| lolZ, thought he's trying to access memory via executable file application |  | 
	
		| Raga How do I cheat?
 
 Reputation: 0 
 Joined: 06 May 2010
 Posts: 4
 
 
 | 
			
				|  Posted: Sat May 08, 2010 5:28 am    Post subject: |   |  
				| 
 |  
				| Still don't know how to scan the full memory range.
 For example, I am getting violations here:
 
  	  | Code: |  	  | search 512
 ...
 Region accessed 0xAB7100-0xB1F100 Protection: 2
 Found: 0xAB7B5D value: 512
 Found: 0xAB7B81 value: 512
 Found: 0xAB7BA5 value: 512
 Found: 0xAB7BC9 value: 512
 Found: 0xAB7BED value: 512
 Found: 0xAB7C11 value: 512
 ...
 Progress: 0xb0d970
 Progress: 0xb10080
 Found: 0xB12367 value: 512
 Progress: 0xb12790
 Found: 0xB12C8F value: 512
 Found: 0xB12D23 value: 512
 Progress: 0xb14ea0
 Found: 0xB15CA9 value: 512
 Progress: 0xb175b0
 Progress: 0xb19cc0
 | 
 Then crash...
 b1effc is the place where the access violation starts. (In the progress output there is b19cc0 because progress is i % 10000.)
 
 I checked in Olly what this region is.
 Olly memory view:
 
  	  | Code: |  	  | 00B1F000   00002000   dump_      .ARTeam    imports       Imag   R         RWE | 
 
 It's Armadillo shit.
 BTW, both Olly and my scanner show the readonly memory constant, so why does it crash?
 |  | 
	