memory editing

Sep 4, 2009 at 10:51pm
I am trying to "hack" Windows Pinball through DLL injection. When I inject the DLL, I made a message box pop up so I know the DLL is injected. Now the memory editing side of it doesn't work. This is what I have:

#include <windows.h>

// Hard-coded addresses inside the target process (from the original post)
#define score1 0x00B9506C
#define score2 0x00B90C62

void score()
{
	if(GetAsyncKeyState(VK_NUMPAD8))
	{
		// Parses as (*(int*)score1) += 1000: the cast and the dereference bind tighter than +=
		*(int*) score1 += 1000;
		*(int*) score1 += 1000;
		//MessageBoxA(NULL, "You Pressed 8", "Successful", MB_OK);
	}
	if(GetAsyncKeyState(VK_NUMPAD2))
	{
		*(int*) score1 -= 1000;
		*(int*) score1 -= 1000;
		//MessageBoxA(NULL, "You Pressed 2", "Successful", MB_OK);
	}
}

// Thread entry point. LPTHREAD_START_ROUTINE expects DWORD WINAPI fn(LPVOID),
// so the function is declared with that signature rather than as void snip().
DWORD WINAPI snip(LPVOID lpParam)
{
	(void)lpParam;
	for(;; )
	{
		score();
		Sleep(200);
	}
	return 0;
}

BOOL APIENTRY DllMain( HMODULE hModule, DWORD  dwReason, LPVOID lpReserved)
{
	if(dwReason == DLL_PROCESS_ATTACH)
	{
		MessageBoxA(NULL, "Made By Thegoodjuy", "Successful", MB_OK);
		// Poll for the hotkeys on a separate thread so DllMain returns promptly
		CreateThread(0, 0, (LPTHREAD_START_ROUTINE)snip, 0, 0, 0);
	}
	return TRUE;
}


I don't know what's wrong. Or is the method I am using not right for what I'm trying to do?

Thanks for the help.
Last edited on Sep 4, 2009 at 10:51pm
Sep 4, 2009 at 11:11pm
*(int*) score1 += 1000 is equivalent to *((int*)score1 += 1000), not (*(int*)score1) += 1000.

By the way, I don't think your method will work. Windows won't let one process write to another's memory directly.
Sep 4, 2009 at 11:13pm
First of all I have no idea what you're trying to do.

Second of all you won't be able to access the memory, you need ring 1 or 2 access. http://en.wikipedia.org/wiki/Ring_(computer_security)
You aren't allowed to access the memory you haven't been allocated. What would happen if the unsaved text files you had in memory were suddenly overwritten by some guy trying to cheat at pinball? You'd be pretty annoyed.
Sep 5, 2009 at 1:26am
I'm guessing he's trying to modify his scores with this. I wouldn't recommend that... It's a waste of time. It's slipping my mind right now, but there's a cheat that allows you to click and move the ball the way you want. Besides that, you can write to another program's memory directly. Ever heard of DLL injection? It's a method people use to hack programs while they're running, which is exactly what he's going for.
Sep 5, 2009 at 2:40pm
I am using DLL injection. Sorry that I wasn't clear that I was injecting it.
Last edited on Sep 5, 2009 at 3:06pm
Sep 5, 2009 at 3:44pm
I know the injection works because the message box pops up saying it is successful.
Sep 5, 2009 at 7:20pm
Yes, but DLL injection != memory editing. You need debug, device driver or kernel privileges for that. If you want to try and make a device driver to do that, be my guest, but I don't think you'll be able to do it.

First of all, you need to know exactly where the program is storing its memory. The way I think programs like "Cheat Engine" do that is by you typing in the value that is stored (as hex) and the program searching the memory for an appropriate value. When it finds the value it knows the address, so it can edit what is stored there. The thing is you need to be able to edit it, which you won't be able to do. I think Cheat Engine is open source, but I don't know what language it was written in. You could have a look.

By the way, I found a tutorial on doing something similar, but it looks like it's in Perl. It may help with what you're trying to do. http://search.cpan.org/~qjzhou/Win32-Process-Memory-0.20/Memory.pm
Sep 6, 2009 at 4:53am
Read the first line in Helios' reply and disregard everything else in this thread.

Also to clear up some things. The Windows API comes with a ReadProcessMemory and a WriteProcessMemory function (inside of kernel32.dll). I've been through this before :'(
Sep 6, 2009 at 7:57am
Cheat Engine was written in Delphi.

And helios, I thought that all operators on both sides of the assignment operator were processed before the assignment operator?
Sep 6, 2009 at 8:05am
My bad. I was thinking of a different operator and I must have misinterpreted my test results.
Last edited on Sep 6, 2009 at 8:12am
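The precedence question raised in this exchange, as an added example that is not code from the original thread: in C the cast and the unary `*` bind tighter than compound assignment, so `*(int*)addr += delta` parses as `(*(int*)addr) += delta`. The alternative grouping would apply `+=` to the result of a cast, which is not an lvalue and does not compile. The example applies the expression to a local variable passed in as an integer address (standing in for the thread's `#define`d constant), so it runs in any ordinary process; the function and variable names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Apply the same expression the original post uses, but to an address we
 * own. addr is an integer holding the address of an int, mirroring the
 * #define'd address constant in the thread. Returns the value behind the
 * pointer after the update, or -1 if the address itself was modified. */
int bump_through_cast(uintptr_t addr, int delta)
{
    uintptr_t before = addr;

    /* Parses as (*(int *)addr) += delta: the cast and the dereference are
     * unary operators and bind tighter than compound assignment, so the
     * pointed-to int is the target of +=. */
    *(int *)addr += delta;

    /* The pointer value was never the target, so it is unchanged. */
    if (addr != before)
        return -1;
    return *(int *)addr;
}

/* Demonstration with a local variable (constructed value, not a game
 * address): the int behind the pointer changes; the pointer does not.
 * Returns 1 when both observations hold. */
int demo_precedence(void)
{
    int score = 5000;
    int after = bump_through_cast((uintptr_t)&score, 1000);

    /* after and score must agree: the write went through the pointer */
    return (after == 6000 && score == 6000) ? 1 : 0;
}

int main(void)
{
    printf("precedence demo: %s\n",
           demo_precedence() ? "value updated, pointer unchanged"
                             : "unexpected result");
    return 0;
}
```

The same rule is why the second `*(int*) score1 += 1000;` in the original post adds another 1000 to the same location rather than advancing the pointer: each statement dereferences the same constant address.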
Sep 8, 2009 at 3:41am
I got it to work! This: CreateThread(0, 0, (LPTHREAD_START_ROUTINE)snip, 0, 0, 0); needed to be changed to this: CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&snip, 0, 0, 0); I just looked at a few tutorials and on the third one I saw that it had the &.

Thanks for all the help.

Sep 8, 2009 at 8:28am
Just for clarification:

Yes, but DLL injection != memory editing. You need debug, device driver or kernel privileges for that.

Incorrect.

When DLLs are loaded by a process, they are mapped into that process's address space. No drivers or kernel privileges required - your DLL is already running in the context of the process you are attempting to interrogate. You can quite happily stomp over any memory location you wish within the process's address space.

http://en.wikipedia.org/wiki/DLL_injection
Last edited on Sep 8, 2009 at 8:28am