After asking this question (C++: Can I get out of the bounds of my app’s memory with a pointer?),
I decided to accept it isn't possible to modify other app's memory with pointers (with a modern OS).
But if this isn't possible, how do programs like ArtMoney and CheatEngine work?
Thanks
Check these functions:
ReadProcessmemory
WriteProcessmemory
It is possible to read process memory on Windows. There is a function, called ReadProcessMemory in kernel32.dll: http://msdn.microsoft.com/en-us/library/ms680553(v=VS.85).aspx
This is used by most applications that change memory of other applications. It can also be used to communicate between two processes (though mostly not recommended).
CheatEngine is a debugger with a non-traditional interface.
Just to give a plain simple explanation - dump / hot search the process memory for specified value and modify it. You can do it using some plain WinAPI functions or using some native API routines (I suppose so).
That's obviously the reason why they fail, for example, if game state is stored with some encryption. That's also the reason you would need to change your value several times and then make your search again (to avoid search collisions, because definitely different memory blocks could hold the same value).
Related
This is related to a previous post:
Allocating a large memory block in C++
I would like a single C++ server running that generates a giant matrix M. Then, on the same machine I would like to run other programs that can contact this server, and get the memory address for M. M is read only, and the server creates it once. I should be able to spawn a client ./test and this programs should be able to make read only access to M. The server should always be running, but I can run other programs like ./test at anytime.
I don't know much about C++ or OS, what is the best way to do this? Should I use POSIX threads? The matrix is a primitive type (double, float etc), and all programs know its dimensions. The client programs require the entire matrix, so I don't want latency from mem copy from the server to the client, I just want to share that pointer directly. What are my best options?
One mechanism of inter-process communication you could definitely use for sharing direct access to you matrix M is shared memory. It means that the OS lets multiple processes access a shared segment in the memory, as if it was in their address space, by mapping it for each one requesting. A solution that answers all your requirements, and is also cross-platform is boost::interprocess. It is a thin portable layer that wraps all of the necessary OS calls. See a working example right here in the docs.
Essentially, your server process just needs to create an object of type boost::interprocess::shared_memory_object, providing the constructor with a name for the shared segment. When calling its truncate() method, the OS will look for a large enough segement in the address space of this server process. From this moment, any other process can create an object of the same type and provide the same name. Now it too has access to the exact same memory. No copies involved.
If for some reason you are unable to use the portable Boost libraries, or for other reason want to restrict the supported platform to Linux, use the POSIX API around the mmap() function. Here's the Linux man page. Usage is basically not far from the Boost pipeline described above. you create the named segment with shm_open() and truncate with ftruncate(). From there onwards you receive the mapped pointer to this allocated space by calling mmap(). In simpler cases where you'll only be sharing between parent and child processes, you can use this code example from this very website.
Of course, no matter what approach you take, when using a shared resource, make sure to synchronize read/writes properly so to avoid any race condition -- as you would have done in the scenario of multiple threads of the same process.
Of course other programs cannot access the matrix as long as it is in the "normal" process memory.
Without questioning the design approach: Yes, you have to use shared memory. Lookup functions like shmget(), shmat() etc. Then you don't need to pass the pointer to another program (which would not work, actually), you simply use the same file in ftok() everywhere to get access to the shared memory.
Standard hacking case. Hack file type injects into a started process and writes over process memory using WriteProcessMemory call. In games this is not something you would want because it can provide the hacker to change the portion of the game and give himself an advantage.
There is a possibility to force a user to run a third-party program along with the game and I would need to know what would be the best way to prevent such injection. I already tried to use a function EnumProcessModules which lists all process DLLs with no success. It seems to me that the hacks inject directly into process memory (end of stack?), therefore it is undetected. At the moment I have came down to a few options.
Create a blacklist of files, file patterns, process names and memory patterns of most known public hacks and scan them with the program. The problem with this is that I would need to maintain the blacklist and also create an update of the program to hold all avalible hacks. I also found this usefull answer Detecting memory access to a process but it could be possible that some existing DLL is already using those calls so there could be false positives.
Using ReadProcessMemory to monitor the changes in well known memory offsets (hacks usually use the same offsets to achieve something). I would need to run a few hacks, monitor the behaviour and get samples of hack behaviour when comparing to normal run.
Would it be possible to somehow rearrange the process memory after it starts? Maybe just pushing the process memory down the stack could confuse the hack.
This is an example of the hack call:
WriteProcessMemory(phandler,0xsomeoffset,&datatowrite,...);
So unless the hack is a little more smarter to search for the actual start of the process it would already be a great success. I wonder if there is a system call that could rewrite the memory to another location or somehow insert some null data in front of the stack.
So, what would be the best way to go with this? It is a really interesting and dark area of the programming so I would like to hear as much interesting ideas as possible. The goal is to either prevent the hack from working or detect it.
Best regards
Time after time compute the hash or CRC of application's image stored in memory and compare it with known hash or CRC.
Our service http://activation-cloud.com provides the ability to check integrity of application against the signature stored in database.
There are tools such as TSearch, Cheat Engine, etc. These are hacking programs for viewing and modifying parts of memory of another program.
If I am to create a C++ program that can see and modify other program's memory, how can I do that? What are some of the things I should be looking for?
This is not a feature of C++, it's under the control of the OS itself.
For example, Windows provides the ReadProcessMemory() API call so that you can get your grubby little hands on the memory of another process. And of course, the equivalent for writing as well so you can cause even more damage :-)
All this depends on having the correct privileges as well.
I'm not sure how Linux provides this but earlier UNIXes had "memory mapping" files like /dev/mem so you could get at the memory. There may be a per-process variant in the procfs file system which can give you access to the virtual memory of a specific process. That'd be the first place I'd start looking although others here will undoubtedly know more about that than I.
One way to do that is to write your own debugger.
That won't be easy, though. Good luck.
I am looking for a way to cure at least the symptoms of a leaky DLL i have to use. While the library (OpenCascade) claims to provides a memory manager, i have as of yet being unable to make it release any memory it allocated.
I would at least wish to put the calls to this module in a 'sandbox', in order to keep my application from not losing memory while the OCC-Module isn't even running any more.
My question is: While I realise that it would be an UGLY HACK (TM) to do so, is it possible to preallocate a stretch of memory to be used specifically by the libraries, or to build some kind of sandbox around it so i can track what areas of memory they used in order to release them myself when i am finished?
Or would that be to ugly a hack and I should try to resolve the issues otherwise?
The only reliable way is to separate use of the library into a dedicated process. You will start that process, pass data and parameters to it, run the library code, retrieve results. Once you decide the memory consumption is no longer tolerable you restart the process.
Using a library that isn't broken would probably be much easier, but if a replacement ins't available you could try intercepting the allocation calls. If the library isn't too badly 'optimized' (specifically function inlining) you could disassemble it and locate the malloc and free functions; on loading, you could replace every 4 (or 8 on p64 system) byte sequence that encodes that address with one that points to your own memory allocator. This is almost guaranteed to be a buggy, unreadable timesink, though, so don't do this if you can find a working replacement.
Edit:
Saw #sharptooth's answer, which has a much better chance of working. I'd still advise trying to find a replacement though.
You should ask Roman Lygin's opinion - he used to work at occ. He has at least one post that mentions memory management http://opencascade.blogspot.com/2009/06/developing-parallel-applications-with_23.html.
If you ask nicely, he might even write a post that explains mmgt's internals.
im trying to learn to modify games in C++ not the game just the memory its using to get ammo whatnot so can someone point me to books
The most convenient way to manipulate a remote process' memory is to create a thread within the context of that program. This is usually accomplished by forcibly injecting a dll into the target process. Once you have code executing inside the target application you are free to use standard memory routines. e.g (memcpy, malloc, memset).
I can tell you right now that the most convenient and easy to implement method is the CreateRemoteThread / LoadLibrary trick.
As other people have mentioned, simple hacks can be performed by scanning memory for known values. But if you want to perform anything more advanced you will need to look into debugging and dead-list analysis. (Tools: ollydbg and IDA pro, respectively).
You have scratched the surface of a very expansive hacking topic, there is a wealth of knowledge out there..
First a few internet resources:
gamedeception.net - A community dedicated to game RE (Reverse Engineering) and hacking.
http://www.edgeofnowhere.cc/viewtopic.php?p=2483118 - An excellent tutorial on various DLL injection methods.
Openrce.org - Community for reverse code engineering.
I can also recommend a book to you - http://www.exploitingonlinegames.com/
Windows API Routines you should research (msdn.com):
CreateRemoteThread
LoadLibraryA
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
ReadProcessMemory
CreateToolhelp32Snapshot
Process32First
Process32Next
Injecting Code:
I think the best method is to modify the exe to inject code into one of the loaded modules. Check this tutorial
Short related story:
Over 10 years ago though, I do remember successfully modifying my score in solitaire in windows with a simple C++ program. I did this by starting an int * pointer at some base address and iterating through memory addresses (with a try /catch to catch exceptions).
I would look for what my current score was in one of those pointer variables, and replace it with a new integer value. I just made sure that my current score was some obscure value that wouldn't be contained in many memory addresses.
Once I found a set of memory addresses that matched my score, I would change my score manually in solitaire and only look through the memory addresses that were found in the last iteration. Usually this would narrow down to a single memory address that contained the score. At this point I had the magical simple line of code *pCode = MY_DESIRED_SCORE;
This may not be possible anymore though with new memory security models. But the method worked pretty good with a 10-20 line C++ program and it only took about a minute to modify my score.
There are enough programs available that let you modify memory of running programs. And they are often used for cheating. But be carefull using those on online games, because most cheats will be detected and you are banned without a warning.
If you like to create them yourself, just look at books that describe the windows API. You will find enough information there.
It can done using hooks on windows to access the memory space of a process.