
Clearing concepts

Discussion on Clearing concepts within the AutoIt forum part of the Coders Den category.

Old   #1
 
BUNNY!'s Avatar
 
elite*gold: 0
Join Date: Oct 2013
Posts: 12
Received Thanks: 0
Clearing concepts

Hello, epvp.
I'm new to programming, actually a bit new, I've programmed in only VB.Net on a very basic level. But I've done enough of it. I picked up AutoIt a while ago and it seemed a bit tempting. I tried to do whatever the tutorials said but they were all spoon-feeding tutorials or C&P tutorials.

I just wanna know some things about some commands which are used and re-used in hacking.
Code:
_MemoryOpen($iv_Pid[, $iv_DesiredAccess[, $iv_InheritHandle]])
_MemoryRead($iv_Address, $ah_Handle[, $sv_Type])
_MemoryWrite($iv_Address, $ah_Handle, $v_Data[, $sv_Type])
_MemoryClose($ah_Handle)
What are the parameters used for? Normally, in VB.Net I've never used something like this and these parameters look a bit too difficult as I've never been normal with them. Plus, the talk about offsets and pointers, they are irritating as well. All I've done was look at addresses and find their pointers through CE 6.1.
It'll be nice if you guys clear them out for me. : D

Yours truly,
BUNNY!
BUNNY! is offline  
Old 11/09/2013, 10:05   #2
 
YatoDev's Avatar
 
elite*gold: 50
Join Date: Sep 2012
Posts: 3,841
Received Thanks: 1,462
PHP Code:
$MemoryOpen = _MemoryOpen(ProcessExists("process.exe"))
_MemoryRead(Address in Process like 0x845F, $MemoryOpen, i.e. DWORD or LONG or Double or Float ....)
_MemoryWrite(,, A integer or string or binary or hex value)
_MemoryClose($MemoryOpen)
YatoDev is offline  
Thanks
1 User
Old 11/09/2013, 12:53   #3
 
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,394
Code:
;~ Description: Opens a process and enables all possible access rights to the process.
$MemoryAccess = _MemoryOpen(ProcessExists("processName.exe"))

;~ Description: Reads the value located in the memory address specified.
;~ The $Address, it must be in hex format.
;~ For $Type, see the help file for DllStructCreate.
$ReadValue = _MemoryRead($Address, $MemoryAccessHandle, $Type)

;~ Description: Writes data to the specified memory address.
;~ The $Address, it must be in hex format.
;~ For $Type, see the help file for DllStructCreate.
_MemoryWrite($Address, $MemoryAccessHandle, $Data, $Type)

;~ Description: Closes the process handle opened by using _MemoryOpen().
_MemoryClose($MemoryAccessHandle)
PM me if you need additional help
berkay2578 is offline  
Thanks
1 User
Old 11/09/2013, 18:16   #4
 
BUNNY!'s Avatar
 
elite*gold: 0
Join Date: Oct 2013
Posts: 12
Received Thanks: 0
Thanks a ton, that cleared a lot. But I'm just wondering about the "On"s I keep seeing whenever I look onto a tutorial, what are those? And Char[16]
What are those?

Edit : Plus, how do I use offsets with pointers with offsets? Do I add them? Multiply them or what? = O
Plus, what is that $MemoryAccessHandle, is it same as the $MemoryAccess or something else?

Thank you two. Due to your grateful explanations, I managed to make a small little hack. I thank you two greatly, wish I could give you a thousand thanks xD
Code:
#include <NomadMemory.au3>
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
$Process = "ac_client.exe"
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("Hack",300, 69, 192, 124)
$Checkbox1 = GUICtrlCreateCheckbox("Ammo hack", 24, 8, 97, 17)
$Checkbox2 = GUICtrlCreateCheckbox("HP hack", 24, 32, 97, 17)
$Label1 = GUICtrlCreateLabel("Searching for : Assault Cube ", 140,8)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

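$bFound = False
While 1
	$nMsg = GUIGetMsg()
	Switch $nMsg
		Case $GUI_EVENT_CLOSE
			Exit
		Case $Checkbox1
			Hack()
		Case $Checkbox2
			Hack2()
	EndSwitch

	; Poll for the process outside the Switch: a Case compares against $nMsg,
	; and the original inner While loop never returned to GUIGetMsg().
	If Not $bFound And ProcessExists($Process) Then
		$bFound = True
		GUICtrlSetData($Label1, "Assault Cube found.")
	EndIf
WEnd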

Func Hack()
	$Data = 7331
	$Process = "ac_client.exe"
	$Address = 0x02B793A4
	$MemoryAccess = _MemoryOpen(ProcessExists($Process))
	_MemoryWrite($Address,$MemoryAccess,$Data,'ptr')
	_MemoryClose($MemoryAccess)
EndFunc
Func Hack2()
	$Data = 7331
	$Process = "ac_client.exe"
	$Address = 0x02B7934C
	$MemoryAccess = _MemoryOpen(ProcessExists($Process))
	_MemoryWrite($Address,$MemoryAccess,$Data,'ptr')
	_MemoryClose($MemoryAccess)
EndFunc
But it seems I need to use static addresses. I don't know how to do that with AutoIt, any ideas?
BUNNY! is offline  
Old 11/09/2013, 18:35   #5
 
alpines's Avatar
 
elite*gold: 60
Join Date: Aug 2009
Posts: 2,256
Received Thanks: 815
Char[16] is an array of the type character with 16 entries.
Char is normally used to store characters as the name is saying.
The size of one char is 1 Byte.

If the address you want to write in has to be in Char[16] then you have to use the type Char[16]. If you use int for example then the MemoryWrite wouldn't be successful.
alpines is offline  
Thanks
1 User
Old 11/09/2013, 19:16   #6
 
davydavekk's Avatar
 
elite*gold: 0
Join Date: May 2013
Posts: 101
Received Thanks: 42
Quote:
Originally Posted by BUNNY! View Post
Edit : Plus, how do I use offsets with pointers with offsets, Do I add them? Multiply them or what? = O
Plus, what is that $MemoryAccessHandle, is it same as the $MemoryAccess or something else?
Write a function that takes an array of offsets and the base pointer as parameters, and in this function you loop ReadProcessMemory(address+offset[]).
davydavekk is offline  
Thanks
1 User
Old 11/09/2013, 19:28   #7
 
BUNNY!'s Avatar
 
elite*gold: 0
Join Date: Oct 2013
Posts: 12
Received Thanks: 0
Quote:
Originally Posted by davydavekk View Post
Write a function that takes an array of offsets and the base pointer as parameters, and in this function you loop ReadProcessMemory(address+offset[]).

Why is the offset in brackets? I have found the certain offsets of the hacks I want to use. But I don't understand what you're trying to say. Can you show me a small little example?
For example my offsets are 378 for a certain address and F4 for the other, how do I use them now? = O
Make an array for single values?

Quote:
Originally Posted by alpines View Post
Char[16] is an array of the type character with 16 entries.
Char is normally used to store characters as the name is saying.
The size of one char is 1 Byte.

If the address you want to write in has to be in Char[16] then you have to use the type Char[16]. If you use int for example then the MemoryWrite wouldn't be successful.
How do I know what to use in my address? Some type of sign or do I just have to keep trying all of them? = O
Normally all addresses are 4 bytes right? So using a normal Int would be fine or not?
BUNNY! is offline  
Old 11/09/2013, 19:37   #8
 
alpines's Avatar
 
elite*gold: 60
Join Date: Aug 2009
Posts: 2,256
Received Thanks: 815
If you want to read out a pointer, for example, then you have offsets for each level of the pointer.
Your address is for example 0x2244FF and you have the pointer 40, 1AC, 4F.
The first part you have to do is to create an array containing these offsets; the first entry has to be zero.
Code:
Local $aOffsets[4] = [0, 0x40, 0x1AC, 0x4F]
And to use these offsets with that address you could do for example
Code:
#include <NomadMemory.au3>

Local $sAddress = 0x2244FF, $aOffsets[4] = [0, 0x40, 0x1AC, 0x4F]
;If the address is longer than AutoIt allows in hex then type it as a string e.g. "0x2244FF"

$iPID = ProcessExists("target.exe")
If $iPID Then ;was $PID, which is never assigned
	$hMemory = _MemoryOpen($iPID)
	$aValues = _MemoryPointerRead($sAddress, $hMemory, $aOffsets, "dword") ;DWORD = 4 Bytes
	_MemoryClose($hMemory)
	MsgBox(64, "Value", $aValues[UBound($aValues) - 1])
EndIf
Don't forget to use the last entry of pointer read because the other ones are the value of the mid level pointer.
If a pointer has 3 levels then you only want the latest lvl which contains the value you want to modify/read.
alpines is offline  
Thanks
1 User
Old 11/09/2013, 19:48   #9
 
BUNNY!'s Avatar
 
elite*gold: 0
Join Date: Oct 2013
Posts: 12
Received Thanks: 0
My first pointer is a level three pointer which is 02CA8F90 and its offset is 378.
So, I put it in as $Offsets[3] = [0x378,0x0,0x0]
And the second one is a single leveled pointer which is 004DF73C and its offset is F4
So, I put it in as $Offsets[1] = [0xF4,0x0]
Or am I wrong?
BUNNY! is offline  
Old 11/09/2013, 19:58   #10
 
alpines's Avatar
 
elite*gold: 60
Join Date: Aug 2009
Posts: 2,256
Received Thanks: 815
I guess you understood it wrong! The first array entry has to be zero; the other ones are filled with your offsets.
Code:
Local $Offsets[4] = [0, 0x0, 0x0, 0x378]
I don't correctly know if you need 3 offsets or 2 offsets for a level three pointer but still the first array entry is zero and the other ones are filled with your offsets. If the offset for level 1 and 0 is really 0 then I guess it's
Code:
Local $Offsets[3] = [0, 0x0, 0x378]
or
Code:
Local $Offsets[4] = [0, 0x0, 0x0, 0x378]
And not to confuse you. 0 = 0x0 (The 2nd one is written in hex)
alpines is offline  
Old 11/09/2013, 20:41   #11
 
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,394
Quote:
Originally Posted by BUNNY! View Post
But it seems I need to use static addresses. I don't know how to that with Auto It, any ideas?
Code:
#RequireAdmin

#include <NomadMemory.au3>

Func _MemoryModuleGetBaseAddress($iPID, $sModule)
    If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)

    If Not IsString($sModule) Then Return SetError(2, 0, 0)

    Local $PSAPI = DllOpen("psapi.dll")

    ;Get Process Handle
    Local $hProcess
    Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020) ; CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE

    If $iPID > 0 Then
        Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
        If $hProcess[0] Then
            $hProcess = $hProcess[0]
        EndIf
    EndIf

    ;EnumProcessModules
    Local $Modules = DllStructCreate("ptr[1024]")
    Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
    If $aCall[4] > 0 Then
        Local $iModnum = $aCall[4] / 4
        Local $aTemp
        For $i = 1 To $iModnum
            $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
            If $aTemp[3] = $sModule Then
                DllClose($PSAPI)
                Return Ptr(DllStructGetData($Modules, 1, $i))
            EndIf
        Next
    EndIf

    DllClose($PSAPI)
    Return SetError(-1, 0, 0)
EndFunc

$proc = ProcessExists("procN.exe")
$module = "moduleN.exe" ;usually it is same with the process name
$access = _MemoryOpen($proc)
$addr = _MemoryModuleGetBaseAddress($proc, $module) + 0xADDR ;or Dec("ADDR")
$result = _MemoryRead($addr, $access) + 0x120 ;a simple lvl1 offset
ConsoleWrite($result & @CRLF) ;or Hex($result, 8)
_MemoryClose($access)
This should show you pretty much everything you need..
berkay2578 is offline  
Thanks
1 User
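The `BitOR` in the function above evaluates to the access mask `0x043A`, and `_MemoryOpen` is described earlier in the thread as requesting all access rights. The following added example, which is not code from the thread, decodes such masks as a monitoring tool would see them and flags handles that permit writing into another process. The event records are constructed and only shaped like Sysmon Event ID 10 (ProcessAccess) data; the file paths and function names are assumptions.

```python
# Added example (not from the thread): decode process access masks as they
# appear in process-access telemetry and flag write-capable handles.
RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# WriteProcessMemory requires both PROCESS_VM_OPERATION and PROCESS_VM_WRITE.
WRITE_BITS = 0x0008 | 0x0020


def decode_access(mask):
    """Return (right names ordered by bit value, leftover bits not in RIGHTS)."""
    names = [name for bit, name in sorted(RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(RIGHTS)  # the keys are distinct bits, so sum == OR
    return names, leftover


def can_write_memory(mask):
    return mask & WRITE_BITS == WRITE_BITS


def triage(events, allowlist=()):
    """Return (source, target, rights) for cross-process write-capable opens."""
    hits = []
    for ev in events:
        src, dst = ev["SourceImage"], ev["TargetImage"]
        mask = int(ev["GrantedAccess"], 16)
        if src.lower() == dst.lower() or src.lower() in allowlist:
            continue
        if can_write_memory(mask):
            hits.append((src, dst, decode_access(mask)[0]))
    return hits


# Constructed sample records; paths are hypothetical.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\script_host.exe", "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x43A"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Tools\script_host.exe", "TargetImage": r"C:\Games\game.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for src, dst, rights in triage(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {', '.join(rights)}")
```

Entries passed in `allowlist` must be lowercased full image paths, since the comparison is done on the lowercased `SourceImage`.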
Old 11/10/2013, 03:18   #12
 
BUNNY!'s Avatar
 
elite*gold: 0
Join Date: Oct 2013
Posts: 12
Received Thanks: 0
Quote:
Originally Posted by alpines View Post
I guess you understood it wrong! The first array entry has to be zero; the other ones are filled with your offsets.
Code:
Local $Offsets[4] = [0, 0x0, 0x0, 0x378]
I don't correctly know if you need 3 offsets or 2 offsets for a level three pointer but still the first array entry is zero and the other ones are filled with your offsets. If the offset for level 1 and 0 is really 0 then I guess it's
Code:
Local $Offsets[3] = [0, 0x0, 0x378]
or
Code:
Local $Offsets[4] = [0, 0x0, 0x0, 0x378]
And not to confuse you. 0 = 0x0 (The 2nd one is written in hex)
So, I got that code down and I wrote my offsets but I don't know how to combine them with my Base addresses. Any ideas?

Quote:
Originally Posted by berkay2578 View Post
Code:
#RequireAdmin

#include <NomadMemory.au3>

Func _MemoryModuleGetBaseAddress($iPID, $sModule)
    If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)

    If Not IsString($sModule) Then Return SetError(2, 0, 0)

    Local $PSAPI = DllOpen("psapi.dll")

    ;Get Process Handle
    Local $hProcess
    Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020) ; CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE

    If $iPID > 0 Then
        Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
        If $hProcess[0] Then
            $hProcess = $hProcess[0]
        EndIf
    EndIf

    ;EnumProcessModules
    Local $Modules = DllStructCreate("ptr[1024]")
    Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
    If $aCall[4] > 0 Then
        Local $iModnum = $aCall[4] / 4
        Local $aTemp
        For $i = 1 To $iModnum
            $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
            If $aTemp[3] = $sModule Then
                DllClose($PSAPI)
                Return Ptr(DllStructGetData($Modules, 1, $i))
            EndIf
        Next
    EndIf

    DllClose($PSAPI)
    Return SetError(-1, 0, 0)
EndFunc

$proc = ProcessExists("procN.exe")
$module = "moduleN.exe" ;usually it is same with the process name
$access = _MemoryOpen($proc)
$addr = _MemoryModuleGetBaseAddress($proc, $module) + 0xADDR ;or Dec("ADDR")
$result = _MemoryRead($addr, $access) + 0x120 ;a simple lvl1 offset
ConsoleWrite($result & @CRLF) ;or Hex($result, 8)
_MemoryClose($access)
This should show you pretty much everything you need..
Honestly, I thank you for your contribution but I'm not getting anything related to those DLL calls. > . >
Plus, I'm trying to stay at a basic level so that I can cope up easily.
BUNNY! is offline  
Old 11/10/2013, 07:56   #13
 
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,394
Here's how _MemoryModuleGetBaseAddress works:
  • Get access to the specified process. [even if it was open before]
  • Use EnumProcessModules (see MSDN) to get the module list of the specified process.
  • Use GetModuleBaseNameW (see MSDN, supports Unicode) to find the specified module.
  • Return the specified module's base address if it was found.
Btw, as you know, pointers work with reading the memory of the given address [->] add an offset [->] repeat if necessary. This is exactly what _MemoryRead($addr, $access) + 0x120 does.

Also, this is as basic as it can get.. at least for me.
berkay2578 is offline  
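The read, add an offset, repeat procedure described in this thread, worked through on a constructed byte buffer instead of a live process. This is an added example, not code from any poster: `IMAGE_BASE`, the buffer layout, the stored value and the function names are assumptions, and the offsets `0x40` and `0x1AC` are borrowed from the offsets example earlier in the thread.

```python
import struct

IMAGE_BASE = 0x00400000          # assumed load address of the constructed image
STATIC_SLOT = IMAGE_BASE + 0xF4  # "module base + static offset" form of an address


def build_image(break_chain=False):
    """Constructed 0x600-byte address space containing one two-offset chain."""
    mem = bytearray(0x600)
    struct.pack_into("<I", mem, 0x0F4, IMAGE_BASE + 0x200)  # slot -> object A
    second = 0 if break_chain else IMAGE_BASE + 0x400
    struct.pack_into("<I", mem, 0x200 + 0x40, second)       # A+0x40 -> object B
    struct.pack_into("<I", mem, 0x400 + 0x1AC, 100)         # B+0x1AC holds the value
    return bytes(mem)


def read_u32(mem, address):
    """Read a little-endian DWORD; reject addresses outside the image."""
    off = address - IMAGE_BASE
    if off < 0 or off + 4 > len(mem):
        raise ValueError(f"address {address:#x} is outside the image")
    return struct.unpack_from("<I", mem, off)[0]


def resolve_chain(mem, static_address, offsets):
    """Return (final_address, trail) for a pointer chain.

    The static address is dereferenced first. Each offset is added to the
    pointer just read; every sum except the last is dereferenced again.
    """
    ptr = read_u32(mem, static_address)
    trail = [(static_address, ptr)]
    for off in offsets[:-1]:
        addr = ptr + off
        ptr = read_u32(mem, addr)
        trail.append((addr, ptr))
    return ptr + offsets[-1], trail


if __name__ == "__main__":
    image = build_image()
    final, trail = resolve_chain(image, STATIC_SLOT, [0x40, 0x1AC])
    for addr, ptr in trail:
        print(f"[{addr:#010x}] -> {ptr:#010x}")
    print(f"value at {final:#010x} = {read_u32(image, final)}")
```

With `build_image(break_chain=True)` the middle pointer is zero, the resolved address collapses to the bare last offset, and `read_u32` rejects it. A static address alone therefore guarantees nothing about the levels behind it.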
Old 11/10/2013, 12:34   #14
 
BUNNY!'s Avatar
 
elite*gold: 0
Join Date: Oct 2013
Posts: 12
Received Thanks: 0
Well, just wondering, what do I do when I find the address? Write to it again?
EDIT : That might be basic to you but it isn't to me xD
BUNNY! is offline  
Old 11/10/2013, 12:45   #15
 
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,394
Let's say your address is nfsw.exe+AA14 and your process is nfsw.exe. That means you need to add 0xAA14 to the base address of the nfsw.exe module which runs under the nfsw.exe process. Then you just pass it to the $iv_Address parameter.

Code:
$addr = _MemoryModuleGetBaseAddress(ProcessExists("nfsw.exe"), "nfsw.exe") + 0xAA14 
;or you can use the function from the _ProcessListFunctions
;~ $base = StringTrimLeft(_ProcessGetModulemBaseAddress(ProcessExists("nfsw.exe"), "nfsw.exe"), 2) ;removes the 0x at the start
;~ $addr = Dec($base) + Dec("AA14")
;MemoryWrite($addr, *), MemoryRead($addr, *) etc..
Edit: just tell me your address/pointer and I'll give you an example.
berkay2578 is offline  
Tags
autoit, learning