IRC Archive / Undernet / #asm / 2006 / July / 14 / 1
stove
and you're trying to find that in memory within the "host"?
Deathmaster
trying to find in the address space of some other process? (presuming you're doing it on win32)
or in your app?
iole
<iole> in a client, we've got the ability to customize the ability of a character
<iole> via sliders and color selections
<iole> during character creation the values are sent to the server, we can get the packet that's sent and get it unencrypted and uncompressed to get values, but we need a faster way to get the values
<iole> I'm trying to take a snapshot of the memory and then, after changing the slider, finding out what changed so I can get the memory address of the value of the slider
<iole> this is in windows, I know that only three memory addresses will change: two clock tick values and the slider
Deathmaster
that slider is a window?
iole
Deathmaster in the app
stove
ew
Deathmaster
or the interface is drawn with d3d/opengl ?
iole
there are multiple sliders in the window
it's actually via d3d
Deathmaster
well that sucks
the sliders always have the same position on the screen?
edcba
which os ?
owner drawn slider ?
Deathmaster
no, the interface is drawn with direct3d
iole
windows
Deathmaster
no window to subclass, filter window messages and so on
iole
Deathmaster within the program, yes
edcba
is it standard windows slider in d3d or an entirely drawn by the app ?
Deathmaster
iole: you have a few alternatives... 1) detect the mouse movement on the remote window via some mouse hook on the remote application window, 2) check the values in memory every time the mouse is on some regions of the screen, 3) hook the code that writes the values in memory (inject a dll in the remote process by using a hook, for example, and from there you hook the code that writes those values)
iole
I just want to extract some 32-bit unsigned integers from a sequence of bytes
if that helps :P
Deathmaster
disassemble the process you wanna mess with, you have the memory addresses that you need to monitor, scan the code for any instruction that changes their values
iole
true
Deathmaster
once you have all of them inject some code in the remote process by some means and hook the code address you find, write the new value where the program was supposed to write it, write it in your dll/send it to some master app and then jump back as if nothing had happened
iole
some means?
Deathmaster
injecting a dll in a remote process by using a global hook is not the only means to inject some code in some process
or you could patch the code in the exe itself directly to dispatch messages to some external app but it's much harder than 3)
and it's not always possible
iole
you're assuming that the code .text section is writable aren't you?
Deathmaster
i said patch the .exe itself, it doesn't matter if the .text section is writable or not
anyway, forget about it, if I were you I'd try 3)
iole
this helps somewhat, I think that reverse engineering the client would take longer than just guessing the values
Deathmaster
oh yes, the code section must be writable in order for 3) to work
iole
because theoretically, we don't need to know the values, just the location in the packet of the value
Deathmaster
anyway, that can be fixed
iole
so what I said was right? we don't need to know the values, just the location in the packet of the value, theoretically, right?
Deathmaster?
oops
I'm pretty sure that Windows divides the virtual address space for a process image into .text (compiled code) and .data (dynamic global storage) segments. If you disassemble or view an executable you may find those strings. Those get copied into memory pages with various protections. The .text is usually read-only and executable.
I could be wrong but that's my best guess
Erm?
brb
ok
Weird, Deathmaster around?
Deathmaster
i'm back
iole
wb
Thought you had me hanging onto that last bit :P
Deathmaster
i was shaving
anyway
what's your problem with the code segment?
iole
heh
Nothing, just: if you disassemble or view an executable I'm thinking I may find those strings. Those get copied into memory pages with various protections
Deathmaster
if it's not already writable then make it writable
yes
either change the .text segment in the exe manually or mess around with the memory page protections at runtime
iole
Erm sounds feasible
Erm, you know what, I found a better way of doing it without having to deal with the client
Wanna check it?
Deathmaster
go ahead
iole
we're manually checking the packet each time they change a slider
all we need to do is save the value to the table and then resend the value back to the client
we're building an emulator for an MMO
SVN for the code: http://opensvn.csie.org/SWGEmuPub/
Deathmaster
wait a minute... you also want to control the value of those sliders in the client application?
iole
not really
Deathmaster
then why would you send it back to the client?
what would be the purpose?
iole
we just need to save the values from the client and then use them
there will be very, very little changing of the values once the character is created
get it right?
Deathmaster
yup
well if you already did it by sniffing the packets
iole
Got a better alternative?
Deathmaster
why do you need a better alternative? it's not fast enough or what?
iole
well I just need to clarify if this is alright
Deathmaster
if it works it's good
how did you do the sniffing part? hooked the "send" api or with a network driver?
iole
we've got a core server setup
what did you think?
Deathmaster
i told you before... if your method works then it's ok
iole
yeah thx mate
EvileCatta
(Action) wiggles into the room like Shakira
Who is up?
(Action) pokes MrOlsen with a flaccid hot dog.
boro boro boro? How is daddis porn shop treating you?
whines.. anyone!!?!
sniffle
mps0000
hey, I have a pretty simple question about finding an absolute address
i read that you can get the absolute address by ds * 16 + esi
but esi is FFFFFFFFh, causing the result to overflow and the calculation to not work
can anyone explain what's going on?
that is absolute memory address btw
x86 arch
edcba
0ffffffffh is -1
and it works
but segment*16+offset only works in 16-bit mode
if you use ds:[0ffffffffh] in 16-bit mode you'll get a fault
in 16-bit mode you make all the calculations modulo 65536*16
(unless a20 is set...)