Updated Gamestatus Addy 05/20/2011

[NOOB]

Woah, do you have like a CVS for CA addresses? :L

i do.

[Departure]

keeping old addresses is very useful, you can then determine the offset difference and trend. Or when searching with a debugger you know the rough code area it should be located..

NOOB send me your cvs

P.s your sig scan is weird, why would you have wild cards as the first 3 bytes? Also your range is not good at all, you need to change your range to only scan the code section CShell, otherwise you will end up scanning from Cshell all the way into other running processes, Also your start address should be base + 1000, Otherwise once again you are scanning the headers of module instead of starting at the code section.

DWORD GameStatus = Pattern((DWORD)GetModuleHandleA("CShell.dll"),(DWO RD)0xFFFFFFFF,(PBYTE)"\x00\x00\x00\x37\xFF\x00\xFF ","???xxxx");

should be just $37,$FF,$00,$FF and then + $B9

[open|Fire]

you need to change your range to only scan the code section CShell, otherwise you will end up scanning from Cshell all the way into other running processes.

Win9x? you can't scan other processes without inject your code.

[Departure]

ofcause you can scann bytes in other processes your not apart of...

Actually you don't even need to inject a dll for a logger, you could write an external app that scanns the addresses without injecting..

A good example is game trainers, they don't inject anything, they simply get the base address of the game they want to modify and search for the address they need to modify...

[open|Fire]

I know it, but in this game you can't do that without repair the SSDT or bypass hackshield, since HS do alot of hooks one of them is on NtOpenProcess so you can't use RPM then you can't read the memory remote.

but is possible make a sig scan without inject or RPM, I will make an app for it only thing you need to do is convert offset to VA and use hex editor.

sorry my bad english.

[Departure]

I was reffering to direct move memory and Copymem or even just plain pointer to address... All which can be used instead of RPM and WPM.. also faster than those 2 API's

[open|Fire]

I don't get you, first you said we don't need to inject our code to scan.

ofcause you can scann bytes in other processes your not apart of...

Actually you don't even need to inject a dll for a logger, you could write an external app that scanns the addresses without injecting..

RPM

I was reffering to direct move memory and Copymem or even just plain pointer to address... All which can be used instead of RPM and WPM.. also faster than those 2 API's

now you saying we need to inject our code because to use these api's like memcpy or RtlMoveMemory, you need to be in the same space of the module you will scan.

A good example is game trainers, they don't inject anything, they simply get the base address of the game they want to modify and search for the address they need to modify...

RPM, WPM dll + Named pipes?

[Departure]

Yes you are correct, but you asked 2 questions, the first was about injecting dll, you don't need to inject a dll to read the bytes(Virtual allocate Memory) this was the original discussion right? using this will allow for memcpy, movmem, ect... because its alot faster than RPM and WPM

Second is reading bytes without being part of its process and without using RPM, you can also do this(2 ways of which I have seen) 1st is an undocumented API, and second is using pointers. I can try and find the examples I seen..

https://undocumented.ntinternals.net/...ualMemory.html

[open|Fire]

ok go stop here.

but one more thing RPM and NtReadVirtualMemory use the same function which is ZwReadVirtualMemory, so doesn't matter if you use RPM or NtRVM the result is the same.

[Departure]

agreed it does use the same, as RPM is only a wrapper, So the question is... does hackshield hook ReadVirtualMemory? or it does it hook the the wrapper? I guess we could hook this our selfs to find out. I would assume it would hook functions from Ntdll but you never know....

//Edit

Just thinking.. If we got the proc address to ReadVirtualMemory and checked it entry point for any hooks and determine the size of the hook if it is hooked by Hackshield could we not jmp over the hook and replace the first bytes with orignal, then we can call ReadVirtualMemory as per normal ... just an idea

[HellSpider]

Yes you are correct, but you asked 2 questions, the first was about injecting dll, you don't need to inject a dll to read the bytes(Virtual allocate Memory) this was the original discussion right? using this will allow for memcpy, movmem, ect... because its alot faster than RPM and WPM

But nevertheless, you need to have some kind of access to the process space to use functions that access direct memory. It can be a DLL or then a stub allocated to the target process. All those APIs that access direct memory are of course faster because they do not need to interact in Ring0 and gain access to remote processes.

Second is reading bytes without being part of its process and without using RPM, you can also do this(2 ways of which I have seen) 1st is an undocumented API, and second is using pointers. I can try and find the examples I seen..

NtReadVirtualMemory

Could you give some example of the pointers method? Because if you are able to use pointers to memory it means that you are a part of the process memory. RPM and WPM are only made to be used when you operate from another process and are not a part of the target process memory.

The are a lot of undocumented APIs, but in any case, most of the functions still go through the same steps in Ring0 (kernelmode), which means if the HackShield driver has a well placed hook, it will monitor all access tokens, process handles etc, disabling access from other processes.

I'm not saying that it would be impossible to get around that stuff, but in my opinion the easiest method by far is being a part of the process memory (DLL or code stub).

[wilsin]

repliasda dzasafsd

[HellSpider]

repliasda dzasafsd

What's your problem? Trying to get your post count up? Wrong medication?

[mamago45]

What's your problem? Trying to get your post count up? Wrong medication?

It was his first post

[hack4me]

Hackshield does hook ReadVirtualMemory on a Kernel level. You would need to have a kernel driver that can detour the HackShield hooks. Can be done without too much
difficulty. Depends on what you are trying to accomplish. Easier for most people to just use the injected dll to do what they need in memory....