Defeat DMA For Health

flowerpot · 06/22/2005, 21:39

We need more posts like this.. ty ultimatehaker

bonesaw · 06/22/2005, 23:35

Thanks for the code for the injector, but I don't have time to play with it today.. got an exam tomorrow, gotta study xD
But tomorrow I'll be free from college, so I'll have some time to play with that.. I'll try and make a friendly form on Delphi, then release it. ^_^

S.O · 06/23/2005, 03:18

ty ultimate

converting......... will check later (tho i think i stick to graphics a bit more coz it works

)

bonesaw · 06/23/2005, 20:46

Hmm, I'm getting "Constant expression violates subrange bounds" on the patchmem lines (inside InjectDMA procedure).. know what could it be?
Also it says ThreadId is not being used, so should I just take it away? :P

Ultimation · 06/23/2005, 21:21

place the patch procedure with this 1
Procedure Patchmem(WindowTitle:Pchar;Address:integer;NumberO fBytes:integer;PokeValue:int64);
var
WindowName: Integer;
ProcessId: Integer;
ThreadId: Integer;
buf: PChar;
HandleWindow: Integer;
Write: Cardinal;

begin
WindowName := FindWindow(nil, WindowTitle);

ThreadId := GetWindowThreadProcessId(WindowName, @ProcessId);
HandleWindow := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId);

GetMem(buf, NumberOfBytes);
buf^ := Chr(PokeValue);
WriteProcessMemory(HandleWindow, ptr(Address), buf, NumberOfBytes, Write);
FreeMem(buf);
CloseHandle(HandleWindow);
end;

bonesaw · 06/23/2005, 22:04

it returned me a random number (28160) and crashed my CO, lol xD with memory error, memory could not be read/written (tried twice, one error each time)
maybe I've done somethin wrong.. hmm o.O it also says something strange about ReadMem function..
"Return value of function 'Readmem' might be undefined."
but I think that should work anyway.. hmmm

Ultimation · 06/24/2005, 00:51

urrr best ask ultima im no good with the WiteProcessMemory Function, sory :\

bonesaw · 06/24/2005, 01:35

I'll try to look at microsoft database towards it :P

edit1: Ok, I think I got it.. you put this:

WriteProcessMemory(HandleWindow, ptr(Address), buf, NumberOfBytes, Write);

The last parameter, that "Write", is wrong.. you should put ThreadId there instead, that's why it was saying it wasn't in use.. I haven't tested yet, but I'm sure that's wrong, check this site, very useful to learn WriteProcessMemory..

hxxp://www.woodmann.com/fravia/trainer1.htm

edit2: ok, I changed ThreadId to dword, compiled but still got same error.. :P I'll try to fix this thing now.. working on it

edit3: actually I think it should work the other way, since threadid didnt had any value at all (on site example)

Henkie · 06/24/2005, 12:02

Maybe this helps, it is in C# code:

[DllImport("KERNEL32.DLL")]
static extern bool WriteProcessMemory(uint hProcess, uint lpBaseAddress, byte[] lpBuffer, uint nSize, [Out] uint lpNumberOfBytesWritten);

usage:

uint BytesWritten = 0;
uint pid = 0;
uint handle = 0;
IntPtr hWnd = IntPtr.Zero;

byte[] tobe1 = {0x57, 0x89, 0x08, 0x89, 0x0D};
byte[] tobe2 = {0x97, 0x09, 0x01, 0x00, 0x50, 0x8B};
byte[] tobe3 = {0xCE, 0xE9, 0xB7, 0x5E, 0x46, 0x00};
byte[] tobe4 = {0xE9, 0x39, 0xA1, 0xB9, 0xFF};

hWnd = FindWindow(null, "[Conquer]");

GetWindowThreadProcessId(hWnd, out pid);

handle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);

WriteProcessMemory(handle, 0x10976, tobe1, tobe1.Length, BytesWritten);
WriteProcessMemory(handle, 0x1097b, tobe2, tobe2.Length, BytesWritten);
WriteProcessMemory(handle, 0x10981, tobe3, tobe3.Length, BytesWritten);
WriteProcessMemory(handle, 0x476838, tobe4, tobe4.Length, BytesWritten);

CloseHandle(handle);

note.: you also nee to import OpenProcess, FindWindow, GetWindowThreadProcessId and define PROCESS_ALL_ACCESS (0x1F0FFF)

and in C++ code:

BOOL WriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPCVOID lpBuffer,
SIZE_T nSize,
SIZE_T* lpNumberOfBytesWritten
);

usage:

HANDLE handle;
HWND hWnd;
DWORD pid;
DWORD BytesWritten;

BYTE tobe1[5] = {0x57, 0x89, 0x08, 0x89, 0x0D};
BYTE tobe2[6] = {0x97, 0x09, 0x01, 0x00, 0x50, 0x8B};
BYTE tobe3[6] = {0xCE, 0xE9, 0xB7, 0x5E, 0x46, 0x00};
BYTE tobe4[5] = {0xE9, 0x39, 0xA1, 0xB9, 0xFF};

hWnd = FindWindow(null, "[Conquer]");

GetwindowThreadProcessId(hWnd, &pid);

handle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);

WriteProcessMemory(handle, (VOID *)0x10976, &tobe1, 5, &BytesWritten);
WriteProcessMemory(handle, (VOID *)0x1097b, &tobe2,6, &BytesWritten);
WriteProcessMemory(handle, (VOID *)0x10981, &tobe3, 6, &BytesWritten);
WriteProcessMemory(handle, (VOID *)0x476838, &tobe4, 5, &BytesWritten);

CloseHandle(handle);

note: don't forget to include windows.h oh and I'm not sure about it is &tobe or (void *)tobe, can't test it because I'm at 'work'

Ultimation · 06/24/2005, 16:23

nice translating Henkie ty

+1 karma

bonesaw · 06/24/2005, 17:18

Nice translation indeed.. it would be easier if I was doing this on C, but I'm not good at handling objects on C/C++/C#, so I switched to Delphi.. altho I'm worse at it

Anyhow, I tried to make a non-generical injectdma/patchmem, using the values instead of vars..

Code:

Procedure Patchmem&#40;WindowTitle&#58;Pchar&#41;;
var
WindowName&#58; Integer;
ProcessId&#58; Integer;
HandleWindow&#58; integer;
Write&#58; Cardinal;

begin
WindowName &#58;= FindWindow&#40;nil, WindowTitle&#41;;
GetWindowThreadProcessId&#40;WindowName, @ProcessId&#41;;
HandleWindow &#58;= OpenProcess&#40;PROCESS_ALL_ACCESS, False, ProcessId&#41;;
WriteProcessMemory&#40;HandleWindow, ptr&#40;&#036;10976&#41;, ptr&#40;&#036;578908890D&#41;, 5, Write&#41;;
WriteProcessMemory&#40;HandleWindow, ptr&#40;&#036;1097B&#41;, ptr&#40;&#036;97090100508B&#41;, 6, Write&#41;;
WriteProcessMemory&#40;HandleWindow, ptr&#40;&#036;10981&#41;, ptr&#40;&#036;CEE9B75E4600&#41;, 6, Write&#41;;
WriteProcessMemory&#40;HandleWindow, ptr&#40;&#036;476838&#41;, ptr&#40;&#036;E939A1B9FF&#41;, 5, Write&#41;;
CloseHandle&#40;HandleWindow&#41;;
end;

Procedure InjectDMA;
begin
patchmem&#40;'&#91;Conquer&#93;'&#41;;
end;

Only for test purposes.. it didn't crash, that's a good thing, but the value returned is the same, 28160.. I'm kinda lost now xD

Karinova · 06/24/2005, 22:09

and in visual basic ?

ps:

bonesaw · 06/24/2005, 22:27

I would help, but I don't know VB, never used it.. can't you import stuff in Windows.h into VB? The functions would be the same (openprocess etc).. but anyways, the code is not working for me yet, so even if I translated it to VB it wouldn't work still.. :P

Henkie · 06/24/2005, 23:19

Quote:

Originally posted by Karinova@Jun 24 2005, 22:09
and in visual basic ? ps:

use my c# code and look at MSDN how to implement it in VB there are tons of examples on the net.

google: VB WriteProcessMemory

Karinova · 06/26/2005, 10:42

ok, work fine

but when i try to do same for inventory (0x43AC39 in winASM) my CO crash .

someone can do it ?