Today, I'll be showing you a rather interesting technique known as memory patching; this method is also used in game hacking to patch the anti-hack and to modify instructions. You will understand what I mean as we proceed through the tutorial.
In this tutorial, we will be hacking minesweeper. I know you'll be thinking hacking minesweeper is really low and useless but you see, minesweeper is just an example but you can use this technique to patch anti-hack on online games and hack online games. Useful technique, isn't it? Now, I want to open minesweeper in cheat engine and get the time address. I'll show you how to get the time address with screenshots; if you already know how to use cheat engine, then you can skip it.
1. Open minesweeper in cheatengine.
2. Enter '0' in the textbox and click 'New Scan'
3. Click on any of the boxes. You'll see the time incrementing by 1.
4. Change the cheat engine's scan type to 'Increased value' and click 'Next Scan'. What this does is that it will check which address' value has been increasing.
5. Keep clicking 'Next Scan', until you have isolated to one address, which, if you followed the instructions correctly, should be the time address. The value of the address should update real time.
6. Double click on the address. It will add it to the listbox at bottom. Now, right click and click 'Find out what writes to this address'. It should give you one assembly instruction. This is the instruction inside minesweeper that updates the time value by 1.
![[Image: 6234421.bmp]](http://www3.picturepush.com/photo/a/6234421/img/6234421.bmp)
This is the instruction I recieved from cheat engine:
Code:
01002FF5 - FF 05 9C570001 - inc [0100579C]Explanation: The instruction is located in memory address(01002FF5) and it is INC(assembly instruction for increment) the value inside the 100579C(time address).
The C/C++ equivalent:
Code:
(*timeAddress)++;Now, open up OllyDbg and open Minesweeper in it. Winmine.exe is located in system32 folder inside Windows.
After Minesweeper is loaded onto ollydbg, press control + G. This will ask us where in the ollydbg do you want to go to. We want to go to this: 01002FF5, where our instruction is located.
![[Image: 6234428.bmp]](http://www5.picturepush.com/photo/a/6234428/img/6234428.bmp)
Now, the dark bracket line that covers 9 lines, including our incrememnt instruction is a function minesweeper calls. That functions' purpose is to update the time. Now, I want the game to not execute the function. So, lets write a DLL that will NOP(Assembly instruction for no operation) the function. Lets see what's actually calling time update function. You can do that by clicking the first instruction of the function which is
Code:
01002FE0 /$ 833D 64510001 >CMP DWORD PTR DS:[1005164],0If you click on it, olly will tell us what's calling this instruction. Here is an image to help you out:
![[Image: 6234425.bmp]](http://www2.picturepush.com/photo/a/6234425/img/6234425.bmp)
It's a local call from 01001d6c. Lets press control + G and go there or you can right click on that string and click 'Go to CALL from 01001d6c'. Once you go there, you will notice something interesting, if you know Win32 programming. You'll see WM_TIMER. WM_TIMER is a message.
This is the instruction:
Code:
01001D6C |. E8 6F120000 CALL winmine.01002FE0 ; Case 113 (WM_TIMER) of switch 01001D5BThat instruction uses CALL(assembly instruction to call a funtion or address in the program) to call the time update function. Now, lets write the DLL to NOP the function. It's very simple. You'll need two functions: VirtualProtect and memcpy
The instruction is protected. It's only for us to read and understand the code and not to edit it as we wish. So we will use VirtualProtect function to edit the privilages to PAGE_EXECUTE_READWRITE which will let us not only read the memory but also write to it.
VirtualProtect asks for:
Code:
VirtualProtect(WhichAddress, Size, WhatTypeOfProtection, ActualProtection);We will pass in 01001D6C for WhichAddress, and 5 bytes for the size, and PAGE_EXECUTE_READWRITE for WhatTypeOfProtection so that we can use memcpy to write to the address. For the last parameter, we will pass the address of a DWORD to store the actual protection so we can bring the address back to the way it was after we use it. With me so far?
This is what the code will look like:
Code:
DWORD dwOld;
VirtualProtect((LPVOID)WM_TIMER_ADDRESS, 5, PAGE_EXECUTE_READWRITE, &dwOld);WM_TIMER_ADDRESS is a definition for our 01001D6C.
Now, we want to memcpy the NOP bytes to the address. Now how will we do that? Simple. Let's create a BYTE array.
Code:
BYTE nops[] = {0x90, 0x90, 0x90, 0x90, 0x90};0x90 is the hex exquivalent of the NOP instruction.
Now, let's copy the nops and patch the memory!
Code:
memcpy((void *)WM_TIMER_ADDRESS, nops, 5);Now, we have to set the original protection type back to the way it was.
Code:
VirtualProtect((LPVOID)WM_TIMER_ADDRESS, 5, dwOld, &dwOld);I made a function called patch() to make it easier to understand.
Here is the full code:
Code:
#include <windows.h>
#define WM_TIMER_ADDRESS 0x01001D6C
BYTE nop[5] = {0x90, 0x90, 0x90, 0x90, 0x90};
void patch()
{
DWORD dwOld;
VirtualProtect((LPVOID)WM_TIMER_ADDRESS, 5, PAGE_EXECUTE_READWRITE, &dwOld);
memcpy((void *)WM_TIMER_ADDRESS, nop, 5);
VirtualProtect((LPVOID)WM_TIMER_ADDRESS, 5, dwOld, &dwOld);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
if(dwReason == DLL_PROCESS_ATTACH)
{
MessageBox(NULL, "Injected to Process!", "Injected!", MB_OK);
patch();
}
return true;
}Now, let's inject the DLL into Minesweeper and attach OllyDbg to it. After doing so, go the WM_TIMER call.
Before injection:
![[Image: 6234420.bmp]](http://www2.picturepush.com/photo/a/6234420/img/6234420.bmp)
After injection:
![[Image: 6234419.bmp]](http://www1.picturepush.com/photo/a/6234419/img/6234419.bmp)
W00t! w00t! Notice how the 5 nops were copied on to the address, essentially, cancelling the call to the timer update. Of course, there are different methods of stopping time. You can create a while loop which will always set the time address(0x0100579c) to zero.
Here is the source for it:
Code:
#include <windows.h>
void timezero()
{
while(1)
{
__asm
{
mov eax, 0x0100579c
mov [eax], 0
}
}
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
if(dwReason == DLL_PROCESS_ATTACH)
{
MessageBox(NULL, "Injected to Process!", "Injected!", MB_OK);
timezero();
}
return true;
}This is a basic hack for a basic game but this technique can be used for other complex games. For example, I'm using this technique to patch XTrap(an anti-cheat program). Basically, step through the code and check for traces of XTrap activity and NOP it or use unconditional jumps. Online games load XTrap through a DLL using LoadLibrary by CALL'ing it from kernel32.dll. You can, of course, NOP the entire LoadLibrary call which, basically, prevents Xtrap.dll from loading.
If you have any questions or suggestions, don't hesitate to reply. You can private message for questions or add my MSN(PM for it).
Hope you learned something.
hello use gmail thanks
ReplyDeletehey man help me to desactibve xtrap pleasssssssssss
ReplyDelete