 Reading from the memory : Developer's Corner
Posted: May 6th, 2004, 2:37 pm
Devestator
Ok,
I'm doing some experimenting on reading the memory of an application in order to pull out variables like Wyvern does for his radars. I'm currently toying with it in EQ.
The problem I'm running into: I can get EQ's process ID just fine, but then when I try to OpenProcess it always returns 0. Does EQ have its memory locked so that it can't be opened even for read only?
I'll try the same experiment with another game and see if I get the same results while I wait on a reply.
Posted: May 7th, 2004, 10:46 pm
Devestator
I'm programming in VB, so not sure exactly how to accomplish that in VB.
Posted: May 8th, 2004, 1:17 am
drdeath
You're gonna have to set token privileges by the looks of it.
Here's an example of killing a process in VB; you should be able to grab the declares etc. from it.
Code:
Private Type LUID
    lowpart As Long
    highpart As Long
End Type

Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    LuidUDT As LUID
    Attributes As Long
End Type

Const TOKEN_ADJUST_PRIVILEGES = &H20
Const TOKEN_QUERY = &H8
Const SE_PRIVILEGE_ENABLED = &H2
Const PROCESS_ALL_ACCESS = &H1F0FFF

Private Declare Function GetVersion Lib "kernel32" () As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, _
    ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" _
    (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, _
    ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, _
    ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Any) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, _
    ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, _
    ByVal uExitCode As Long) As Long

' Terminate any application and return an exit code to Windows
' This works under NT/2000, even when the calling process
' doesn't have the privilege to terminate the application
' (for example, this may happen when the process was launched
' by yet another program)
'
' Usage: Dim pID As Long
'        pID = Shell("Notepad.Exe", vbNormalFocus)
'        '...
'        If KillProcess(pID, 0) Then
'            MsgBox "Notepad was terminated"
'        End If

Function KillProcess(ByVal hProcessID As Long, Optional ByVal ExitCode As Long) As Boolean
    Dim hToken As Long
    Dim hProcess As Long
    Dim tp As TOKEN_PRIVILEGES

    ' Windows NT/2000 require a special treatment
    ' to ensure that the calling process has the
    ' privileges to shut down the system
    ' under NT the high-order bit (that is, the sign bit)
    ' of the value returned by GetVersion is cleared
    If GetVersion() >= 0 Then
        ' open the token for the current process
        ' exit if any error
        If OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken) = 0 Then
            GoTo CleanUp
        End If
        ' retrieves the locally unique identifier (LUID) used
        ' to locally represent the specified privilege name
        ' (first argument = "" means the local system)
        ' exit if any error
        If LookupPrivilegeValue("", "SeDebugPrivilege", tp.LuidUDT) = 0 Then
            GoTo CleanUp
        End If
        ' complete the TOKEN_PRIVILEGES structure with the # of
        ' privileges and the desired attribute
        tp.PrivilegeCount = 1
        tp.Attributes = SE_PRIVILEGE_ENABLED
        ' try to acquire debug privilege for this process
        ' exit if error (the original post was missing the closing paren here)
        If AdjustTokenPrivileges(hToken, False, tp, 0, ByVal 0&, ByVal 0&) = 0 Then
            GoTo CleanUp
        End If
    End If

    ' now we can finally open the other process
    ' while having complete access on its attributes
    ' exit if any error
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, hProcessID)
    If hProcess Then
        ' call was successful, so we can kill the application
        ' set return value for this function
        KillProcess = (TerminateProcess(hProcess, ExitCode) <> 0)
        ' close the process handle
        CloseHandle hProcess
    End If

    If GetVersion() >= 0 Then
        ' under NT restore original privileges
        tp.Attributes = 0
        AdjustTokenPrivileges hToken, False, tp, 0, ByVal 0&, ByVal 0&
    End If

CleanUp:
    If hToken Then
        CloseHandle hToken
    End If
End Function
Posted: May 8th, 2004, 10:19 am
Admin
I am going to add those directly to the XUScriptHost for those wanting to do it via scripts.
Posted: May 13th, 2004, 3:46 pm
Devestator
Thanks, DrDeath, that worked..
but I must say.. I asked for it so it's my fault, but geezus!!!
Dumping EQ's memory while in game resulted in a 385mb text file =/
Guess I'll have to write a special parser program to just read a little bit of it at a time lol.. I can't even get any word programs to open the file up.
Posted: May 13th, 2004, 4:11 pm
Admin
I have added those to the XUScriptHost for those that want to do it via script as well.
Posted: May 13th, 2004, 5:50 pm
Devestator
How the heck do people figure out where stuff is in the memory lol.. I've managed to find my equipment listing, but that's about it.. everything is so jumbled up, bleh! =)
Posted: May 14th, 2004, 1:16 pm
drdeath
Open it in a better text editor like TextPad or UltraEdit and you'll have better success. I usually use TSearch for finding things in memory, or sometimes the search in SoftICE.
Posted: May 20th, 2004, 11:22 pm
draeman
I've been using a memory search utility called ArtMoney (www.artmoney.ru); there's a free version which works well (doesn't allow searching for strings though). Basically, you run your game (preferably in a window), run ArtMoney and search for a value you know in game, change the value in game, then filter out the values found. It's normally quite successful in finding a few values, but then there are many you don't know the value of (there's an extra search for this) and then some that jump around in memory too, which makes them impossible to find through this route.
Using the above route, you can find the exact location of a value when the game is running, so when you've got a large program with multiple DLLs and libraries, you don't have the same problem you will have if opening the files (i.e. you don't know the base address of where the DLL is loaded in memory).
If anyone else has any tips they'd be very welcome, as apart from the above I'm a noob in this area. I was told that if you use something like C# or C++ you can intercept DLL calls so as to find pointers to structs in memory, but I've no idea how to do this or whether it's true or not.
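The search-then-filter routine draeman describes, written out as an added example (this is not ArtMoney's code or anything posted in this thread). The "process memory" is a constructed 24-byte snapshot, addresses are byte offsets into it, and the three modes are shown side by side: the known-value search, the filter pass after you change the value in game, and the unknown-initial-value search (keep what changed, then keep what did not), which is how a counter that ticks every frame gets thrown out.

```python
import struct
from typing import Dict, List, Optional

WIDTH = 4  # scan aligned 32-bit little-endian words, the usual size for counters


def decode(snapshot: bytes) -> Dict[int, int]:
    """Map every aligned 32-bit word in the snapshot to its byte offset (our 'address')."""
    n = len(snapshot) // WIDTH
    return {i * WIDTH: v for i, v in enumerate(struct.unpack(f"<{n}I", snapshot[:n * WIDTH]))}


def scan_exact(snapshot: bytes, value: int, candidates: Optional[List[int]] = None) -> List[int]:
    """Known-value search. Without candidates it scans the whole snapshot;
    with candidates it only re-checks those offsets (the 'filter' pass)."""
    words = decode(snapshot)
    offsets = list(words) if candidates is None else candidates
    return [off for off in offsets if words.get(off) == value]


def scan_unknown(prev: bytes, curr: bytes, changed: bool,
                 candidates: Optional[List[int]] = None) -> List[int]:
    """Unknown-initial-value search: keep offsets whose word changed (or stayed put)
    between two snapshots. Alternating the two conditions narrows the set."""
    a, b = decode(prev), decode(curr)
    offsets = list(a) if candidates is None else candidates
    return [off for off in offsets if (a.get(off) != b.get(off)) == changed]


def layout(tick: int, gold: int, hp: int, decoy: int) -> bytes:
    """Constructed 'game memory': a frame counter, a decoy that equals gold at first,
    gold, a constant, hp, and a second decoy that mimics the first change only."""
    return struct.pack("<6I", tick, 1500, gold, 99, hp, decoy)


def find_gold() -> List[int]:
    """Known value (1500 gold): search, spend 25, filter, earn 10, filter again."""
    hits = scan_exact(layout(7, 1500, 800, 1500), 1500)        # -> [4, 8, 20]
    hits = scan_exact(layout(8, 1475, 800, 1475), 1475, hits)  # -> [8, 20]
    return scan_exact(layout(9, 1485, 800, 1475), 1485, hits)  # -> [8]


def find_hp() -> List[int]:
    """Unknown value (hp): take damage, keep what changed; wait, keep what stayed."""
    before, after = layout(9, 1485, 800, 1475), layout(10, 1485, 650, 1475)
    hits = scan_unknown(before, after, changed=True)            # -> [0, 16] (tick moved too)
    later = layout(11, 1485, 650, 1475)
    return scan_unknown(after, later, changed=False, candidates=hits)  # -> [16]
```

A value that is reallocated between snapshots never survives the filters, which is the "jumps around in memory" case draeman mentions; that needs the disassembly route cadesign describes later in the thread rather than more passes of this scan.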
Posted: May 21st, 2004, 5:43 am
cadesign
Try to disassemble your client; it's the best way to find interesting things.
I have done it for DAOC and I found everything I wanted to find.
You can find where your equipment starts and ends and how it works with the client, i.e. everything in DAOC is organized by slot: equipment, spells, buffs.
You can find a lot of things with a good disassembler and with a lot of time (but less time than dumping memory and searching for some strings).
Posted: May 21st, 2004, 8:17 am
draeman
Hmm, but if the said program has multiple DLLs, how do you know at which point each is loaded into memory? I can identify items in the distributed files, but no idea how to retrieve those from memory.
Also, I've looked more into hooking into DLLs and think that this is the way to go if you really want to respond to events in real time. I've got experience doing this though, so if anyone can give me some tips about where to start, I'd be grateful. Oh, and I'm just a VB/C#.NET programmer unfortunately, no experience in VC++.
Posted: May 21st, 2004, 2:24 pm
cadesign
quote: Originally posted by draeman
Hmm, but if the said program has multiple DLLs, how do you know at which point each is loaded into memory? I can identify items in the distributed files, but no idea how to retrieve those from memory.
Also, I've looked more into hooking into DLLs and think that this is the way to go if you really want to respond to events in real time. I've got experience doing this though, so if anyone can give me some tips about where to start, I'd be grateful. Oh, and I'm just a VB/C#.NET programmer unfortunately, no experience in VC++.
There are a few ways to know where a module is loaded by the kernel for a process: you can use the toolhelp32 API to find your process and then explore the modules loaded for it (check for toolhelp32).
You can hook the kernel function LoadLibrary also.
If you inject code into the process memory, you can also use basic kernel functions to retrieve the module handle in the target process space and use GetProcAddress (not sure, I haven't got the SDK under my eyes) on a target DLL function.
There is no limit to reversing.
But anyway, when you disassemble a client you don't really care where those variables are; you try to find where the functions using them are.
For example, I don't read the 3D objects array like WyvernX to get their position and their type; I just hook the code of the DAOC client which takes the incoming packet to create a new 3D object structure in the array. The advantage is not using a polling method but an interrupt method, which is faster and uses fewer resources on the computer.
It's pretty much like a packet sniffer; the difference is that I don't care about the packet structure, and so I'm not annoyed if Mythic changes his protocol.
I think you must start with a simple program to learn the basics of reversing, finding data and hooking a process.
Don't try to reverse a very big and complex process for your first attempt.
Download the Microsoft SDK and try to understand how processes and modules are loaded into memory, how to know where they are, how to inject your own code into another process, etc.
PS: Pardon my poor English.
PSII: I have perhaps made a mistake; WyvernX is perhaps getting packets from the server for updating his radar, I'm not sure because I haven't got XUnleashed, but I think there's an embedded packet sniffer in this program.
Posted: May 21st, 2004, 3:14 pm
draeman
WyvernX's plugins are written outside of the main program and called from within, so it's quite possible he's hooking into the main DAOC program from there and just passing stuff back to XU. I believe that's how plugins run anyway.
I always thought this was only possible using C++... is it now possible with all .NET languages? (Or maybe it was always possible!)
Posted: May 21st, 2004, 3:21 pm
Admin
Not necessarily. All plugins run from within the game process space. You do not need to hook the game if you are using a compiled plugin. Just access the memory directly.
Posted: May 21st, 2004, 3:25 pm
draeman
Hmm, I think I found my answer to that question...
http://support.microsoft.com/default.as ... -US;318804
The structure of the program I'm looking at is already pretty much known to me... just need to get my hands dirty and find out what exactly I'm looking for! Thanks for your info and help.