NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Thu Aug 11, 2011 10:43 am Post subject: Memory writing
Hello,
I was using memory pages and stuff for reading memory. But most anti-virus things also stop you from writing. I was thinking: would it not be possible to change something in the physical memory, or in the pages, so a program reacts differently without writing any memory changes yourself?
Grz
Last edited by NoMercy on Fri Sep 30, 2011 4:51 pm; edited 1 time in total
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25796 Location: The netherlands
Posted: Thu Aug 11, 2011 2:40 pm
Sure, you can set a page to non-executable, and when it gets executed and an exception happens, change EIP to a modified copy.
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so I can keep helping
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Thu Aug 11, 2011 2:44 pm
Dark Byte wrote: | Sure, you can set a page to non-executable, and when it gets executed and an exception happens, change EIP to a modified copy. |
But will the current anti-cheat programs find this? Otherwise it's doing a lot of stuff for nothing.
Luig Cheater
Reputation: 0
Joined: 24 Sep 2010 Posts: 26
Posted: Wed Aug 17, 2011 7:13 pm
What I do is inject a .dll into the target program while the anti-cheat system is loading up. Once your .dll is in, it can use the target's process memory as its own, because it is now your own. As Confucius once said, "be one with the program", or did he?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 17, 2011 7:58 pm
Luig wrote: | What I do is inject a .dll into the target program while the anti-cheat system is loading up. Once your .dll is in, it can use the target's process memory as its own, because it is now your own. As Confucius once said, "be one with the program", or did he? |
Depends on the anti-cheat for this method to work. If the anti-cheat doesn't contain a whitelist of some sort to late-unload your module, it's a fairly flawed system to begin with. Most anti-cheats today will rescan during gameplay to attempt to locate anything late-loaded, as well as anything loaded early, prior to the system being initialized.
_________________
- Retired.
Luig Cheater
Reputation: 0
Joined: 24 Sep 2010 Posts: 26
Posted: Wed Aug 17, 2011 8:07 pm
It's worked for the anti-cheat systems I've used it on, but I do agree there are some good anti-cheat systems out there. There are also some really flawed ones, like some versions of HackShield that are completely nulled on 64-bit computers.
To answer this question correctly we would need to know the game and anti-cheat system.
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Thu Aug 18, 2011 2:46 am
Luig, I do appreciate your reply, but most, if not all, games have at least one CRC running. I need to find ways to trick the game without alerting their CRC. With a .dll or .exe it does not matter.
Also HS has signed their driver and slowly games get updated to this, so it will work on 64-bit again.
Anyway, there are so many different kinds of exceptions and HWBPs.
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Fri Sep 30, 2011 4:50 pm
Dark Byte wrote: | Sure, you can set a page to non-executable, and when it gets executed and an exception happens, change EIP to a modified copy. |
Sorry for waking up this thread again, but I tried a few things, this is what I've got so far
Code: |
#include <windows.h>

// Vectored exception handler; OutputDebugStringX is the poster's own logging wrapper.
LONG WINAPI HandelException(EXCEPTION_POINTERS* pExceptionInfo)
{
    OutputDebugStringX(TEXT("Exception is called"));
    if (pExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION)
    {
        OutputDebugStringX(TEXT("Exception: access violation is called"));
        return EXCEPTION_CONTINUE_SEARCH;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

// Walks the regions between BaseAddress and EndAddress and changes their protection.
void Stuff()
{
    OutputDebugStringX(TEXT("All regions to execute"));
    const DWORD BaseAddress = 0x500000;
    const DWORD EndAddress = 0x600000;
    MEMORY_BASIC_INFORMATION mbi = {0};
    DWORD oldprotection;
    AddVectoredExceptionHandler(13, HandelException);
    for (DWORD CurrentAddress = BaseAddress; CurrentAddress <= EndAddress; CurrentAddress += mbi.RegionSize)
    {
        VirtualQuery((LPVOID)BaseAddress, &mbi, sizeof(mbi));
        VirtualProtect((LPVOID)CurrentAddress, mbi.RegionSize, PAGE_EXECUTE, &oldprotection);
    }
} |
The problem is that HandelException never gets called. Can anyone see any problems? I know I should handle things there and copy the memory first, but why does this not work yet?
Innovation Grandmaster Cheater
Reputation: 12
Joined: 14 Aug 2008 Posts: 617
Posted: Fri Sep 30, 2011 6:03 pm
Are you sure that VirtualProtect(Ex) isn't hooked?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25796 Location: The netherlands
Posted: Fri Sep 30, 2011 6:42 pm
You are setting memory protection to "PAGE_EXECUTE".
PAGE_EXECUTE automatically includes READ access. (A page needs to be Present for the NX bit to have any effect, and a page that is present is readable.)
PAGE_READONLY, on the other hand, does not automatically contain the Execute protection.
Another problem is that you must set Windows to enforce DEP on the target process if you want to handle the exception in usermode, else the exception will get handled in kernelmode, where Windows will make the memory executable for you on first execute.
Alternatively, set your exception handler in the interrupt handler of Windows instead of usermode.
Innovation Grandmaster Cheater
Reputation: 12
Joined: 14 Aug 2008 Posts: 617
Posted: Fri Sep 30, 2011 6:54 pm
Dark Byte wrote: | You are setting memory protection to "PAGE_EXECUTE".
PAGE_EXECUTE automatically includes READ access. (A page needs to be Present for the NX bit to have any effect, and a page that is present is readable.)
PAGE_READONLY, on the other hand, does not automatically contain the Execute protection.
Another problem is that you must set Windows to enforce DEP on the target process if you want to handle the exception in usermode, else the exception will get handled in kernelmode, where Windows will make the memory executable for you on first execute.
Alternatively, set your exception handler in the interrupt handler of Windows instead of usermode. |
MSDN is wrong about PAGE_EXECUTE then.
Last edited by Innovation on Thu Apr 19, 2012 4:52 pm; edited 2 times in total
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sat Oct 01, 2011 12:49 am
Dark Byte wrote: | You are setting memory protection to "PAGE_EXECUTE".
PAGE_EXECUTE automatically includes READ access. (A page needs to be Present for the NX bit to have any effect, and a page that is present is readable.)
PAGE_READONLY, on the other hand, does not automatically contain the Execute protection.
Another problem is that you must set Windows to enforce DEP on the target process if you want to handle the exception in usermode, else the exception will get handled in kernelmode, where Windows will make the memory executable for you on first execute.
Alternatively, set your exception handler in the interrupt handler of Windows instead of usermode. |
But a CRC also reads a page, if I'm not mistaken? What's the point then if it can still read everything? Also, if a page has PAGE_EXECUTE, can the program itself call no function from it?
I tried to change the DEP in System -> Performance -> etc. etc., to: DEP for all programs and services, except for the programs ......
Still the game crashes when the .dll is injected.
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25796 Location: The netherlands
Posted: Sat Oct 01, 2011 6:00 am
Quote: | when the .dll is injected |
Does the dll modify code? If not, just injecting a dll will not cause an integrity check to crash the game. (Make sure it's an integrity check first by editing the code with an AA script that does nothing.)
And yes, if a page has PAGE_EXECUTE that means that the program can of course call functions in it, as it's executable (and readable).
But the point I was making is that the CRC reads the original code while the code that is being executed is somewhere else and modified.
e.g.: 00781230 contains the function to decrease health.
You then make the page 00781xxx non-executable (but readable) and capture execution exceptions.
On an execution exception you change EIP to a full or small copy (a small copy is only one page that is adjusted to jump back when it goes out of the page boundary; a full copy is a whole module copy that will eventually RET back or use a static jump somewhere).
In the copy you can make as many modifications as you wish without the integrity check even noticing it.
So if the copy of the page 00781xxx is at 4519cxxx, then you edit the code at 4519c230 to change the health routine.
Of course, seeing you mention "injecting dll", I fear you might not be the writer of that dll, which is required if you want to use this method (the places it writes to need to be adjusted).
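Dark Byte's technique above, as an added worked example that is not part of the thread and not Cheat Engine code. It is written for Linux x86-64 so it compiles and runs without the Win32 API: mprotect(PROT_READ) stands in for VirtualProtect(PAGE_READONLY), a SIGSEGV handler installed with sigaction stands in for AddVectoredExceptionHandler, and REG_RIP in the ucontext stands in for the Eip/Rip field of the CONTEXT record. The six-byte "decrease health" routine, the page contents and the FNV-1a checksum that plays the role of the game's CRC are all constructed for the example.

```c
/* Added example (not from the thread): "NX page + exception redirect" on Linux x86-64.
 * The original page is made readable-but-not-executable, an instruction fetch in it
 * faults, and the handler moves RIP to the same offset in a patched copy. An integrity
 * check that reads the original page sees unchanged bytes. Assumes x86-64, glibc/musl. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* Constructed stand-in for the game's "decrease health" routine (SysV x86-64 ABI):
 *   89 f8      mov eax, edi   ; eax = health (first argument)
 *   83 e8 0a   sub eax, 10    ; health -= 10
 *   c3         ret
 * Position-independent, so a byte-for-byte copy runs unchanged at any address. */
static const unsigned char k_health_code[] = { 0x89, 0xf8, 0x83, 0xe8, 0x0a, 0xc3 };
enum { SUB_IMM_OFFSET = 4 };            /* offset of the 0x0a immediate in the stub */

typedef int (*health_fn)(int);

static unsigned char *g_orig;           /* "game" page: never written after setup */
static unsigned char *g_copy;           /* patched copy: the code that really runs */
static size_t g_page;

/* Stand-in for the game's CRC: hashes the original page's bytes. */
static uint32_t fnv1a(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* SIGSEGV handler: if the faulting RIP lies inside g_orig (an NX instruction fetch),
 * resume at the same offset inside g_copy. Anything else is a real crash. The handler
 * deliberately does nothing that could fault or re-enter the protected page. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    uintptr_t rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uintptr_t base = (uintptr_t)g_orig;
    (void)si;
    if (rip >= base && rip < base + g_page) {
        uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)(g_copy + (rip - base));
        return;                         /* sigreturn continues in the copy */
    }
    signal(sig, SIG_DFL);
    raise(sig);
}

struct demo_result { int ok; int before; int after; int crc_unchanged; };

struct demo_result run_demo(void)
{
    struct demo_result r = { 0, 0, 0, 0 };
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    g_orig = mmap(NULL, g_page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    g_copy = mmap(NULL, g_page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_orig == MAP_FAILED || g_copy == MAP_FAILED) return r;
    memcpy(g_orig, k_health_code, sizeof k_health_code);
    uint32_t crc0 = fnv1a(g_orig, g_page);

    /* 1. Baseline: original page executable, health really drops by 10. */
    if (mprotect(g_orig, g_page, PROT_READ | PROT_EXEC) != 0) return r;
    health_fn fn = (health_fn)(uintptr_t)g_orig;
    r.before = fn(100);

    /* 2. Full-page copy, patched in the copy only: "sub eax, 0", health never drops. */
    memcpy(g_copy, g_orig, g_page);
    g_copy[SUB_IMM_OFFSET] = 0x00;
    if (mprotect(g_copy, g_page, PROT_READ | PROT_EXEC) != 0) return r;

    /* 3. Install the handler, then make the original readable but non-executable. */
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return r;
    if (mprotect(g_orig, g_page, PROT_READ) != 0) return r;

    /* 4. Same pointer, same call site: the fetch faults and execution lands in the copy. */
    r.after = fn(100);
    r.crc_unchanged = (fnv1a(g_orig, g_page) == crc0);
    r.ok = 1;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("ok=%d before=%d after=%d crc_unchanged=%d\n", r.ok, r.before, r.after, r.crc_unchanged);
    return r.ok ? 0 : 1;
}
```

The original page is never written, so the checksum taken before and after the hook matches, while the same function pointer returns 100 instead of 90. Two things the example glosses over that matter in a real target: the stub is position-independent, so a byte copy runs unchanged at the new address, whereas real code with RIP-relative or absolute references has to be fixed up (the "adjusted" copy Dark Byte mentions); and the handler must not call anything that can itself fault or execute inside the protected page, which is the recursion problem with calling OutputDebugString from inside the handler. On Windows the same handler shape checks for EXCEPTION_ACCESS_VIOLATION with ExceptionInformation[0] == 8 (a DEP instruction-fetch fault) and rewrites ContextRecord->Eip (Rip on x64), and, as Dark Byte says, that exception only reaches usermode when DEP is enforced for the process.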
NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Sun Oct 02, 2011 2:21 am
Dark Byte wrote: | Quote: | when the .dll is injected |
Does the dll modify code? If not, just injecting a dll will not cause an integrity check to crash the game. (Make sure it's an integrity check first by editing the code with an AA script that does nothing.)
And yes, if a page has PAGE_EXECUTE that means that the program can of course call functions in it, as it's executable (and readable).
But the point I was making is that the CRC reads the original code while the code that is being executed is somewhere else and modified.
e.g.: 00781230 contains the function to decrease health.
You then make the page 00781xxx non-executable (but readable) and capture execution exceptions.
On an execution exception you change EIP to a full or small copy (a small copy is only one page that is adjusted to jump back when it goes out of the page boundary; a full copy is a whole module copy that will eventually RET back or use a static jump somewhere).
In the copy you can make as many modifications as you wish without the integrity check even noticing it.
So if the copy of the page 00781xxx is at 4519cxxx, then you edit the code at 4519c230 to change the health routine.
Of course, seeing you mention "injecting dll", I fear you might not be the writer of that dll, which is required if you want to use this method (the places it writes to need to be adjusted). |
Thanks, this helps me a lot. I was thinking the other way around, that the CRC checks the memory I copied instead of the game. I meant injecting my .dll with the code I showed you, with PAGE_READONLY instead of PAGE_EXECUTE, but that crashes the game instantly and the exception handler never gets called. I changed the DEP in System; I'm on Win 7 64-bit, is that a problem here?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25796 Location: The netherlands
Posted: Mon Oct 03, 2011 8:47 am
And you're sure you only make the page you want to change non-executable? (So not everything, like the system DLLs or your own DLL.)
Not really sure why it won't call it then. I have no experience doing this in usermode for 64-bit.
And you're sure "OutputDebugStringX(TEXT("Exception is called"));" is never called? (I assume you know that the original OutputDebugString at that location is a bad idea, right? (Infinite recursive loop ending in a stack crash.))
(I do know how to do it in kernelmode with the help of DBVM for 64-bit, but for general usage this is not recommended.)
Also I would recommend looking over your VirtualQuery call; it's bugged, but should work for the small region you currently have in mind.