Memory Injection And Cracking

Author: Scripting (John Hoder)
This is an article on Memory Injection And Cracking in C.
In this article I'm going to show you how to change the value of a variable at run time. There are many tools that do this easily, but I will focus on doing it programmatically, specifically in the C language.

Tools I will use: Cheat Engine 6.0

Here is a simple login program. I know it's weak and vulnerable, but for a proof of concept and for simplicity it's fine.

test.cpp
Code: Cpp
#include <cstdlib>
#include <cstdio>      // printf, scanf
#include <cstring>     // strcmp
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
    char    password[] = "lol";        // the secret we will later overwrite in memory
    char    passattempt[16] = "";
    while(1)
    {
        printf( "\nEnter your password:");
        scanf("%s",passattempt);       // unbounded read: deliberately weak, as noted above
        printf("You entered %s",passattempt);

        if (strcmp(password, passattempt) != 0)
        {
              printf( "\nLogin failed!\n\n");
        }
        else printf( "\nWelcome my lord!\n\n");
    }
}
Now we will try to change the password to another one. Ok, so run test.exe and leave it running. It should look like this:



Now we have to find out the memory address where the password is stored. We will do it with Cheat Engine, but there are many other tools for this. So let's open Cheat Engine and click on the computer icon. It should look something like this:



Now click on that flashing computer. This should appear:



Now search for test.exe and click "Open". We have successfully opened our process's memory! Let's go further!

Fill in the search properties like this and click "First scan". The string "lol" should appear in the left table with its exact memory address.



Now copy the memory address somewhere safe, because we will need it later!
Of course we could change the memory value right now with Cheat Engine, but this article is not about "how to use Cheat Engine"; we will do this programmatically.

So our address is: 0022FF6C

We will change the value at that address with the WriteProcessMemory() function.
Here is the code:
Code:
#include <cstdlib>
#include <cstdio>      // printf
#include <cstring>     // strcmp
#include <windows.h>
#include <tlhelp32.h>

// Find the process called ProcessName, open it, and overwrite `size` bytes at
// MemAddress with the bytes of NewVal. Returns true only if the write succeeded.
bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)
{
     HANDLE hProcessSnap;
     HANDLE hProcess = NULL;
     PROCESSENTRY32 pe32;
     SIZE_T written = 0;

     if (size <= 0 || size > (int) sizeof(NewVal))   // never read past NewVal itself
          return false;

     hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
     if (hProcessSnap == INVALID_HANDLE_VALUE)
          return false;
     pe32.dwSize = sizeof( PROCESSENTRY32 );
     if (Process32First(hProcessSnap, &pe32))
     {
          do
          {
               if(!strcmp(pe32.szExeFile, ProcessName))   // ANSI build: szExeFile is a char[]
               {
                    // request only the rights WriteProcessMemory needs, not PROCESS_ALL_ACCESS
                    hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pe32.th32ProcessID);
                    break;
               }
          }
          while(Process32Next(hProcessSnap, &pe32));
     }
     CloseHandle( hProcessSnap );
     if(hProcess != NULL)
     {
          BOOL ok = WriteProcessMemory(hProcess, MemAddress, &NewVal, size, &written);   // write the value
          CloseHandle(hProcess);
          return ok && written == (SIZE_T) size;
     }
     return false;
}

int main()
{
     printf("Process Memory Value Modification by John Hoder\n\n");

     // 0x0022FF6C is the address Cheat Engine showed for this build; use the one it shows for yours
     if(MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4))
     {
          printf("The value has been edited successfully.\n");
     }
     else{   printf("error occurred while editing the value.\n");   }

     system("PAUSE");
     return 0;
}
Ok, look at the function bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size).

Here is what we will use: MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4)
  1. The 1st argument is the process name, in our case test.exe.
  2. The 2nd argument is the memory address; don't forget to add 0x before it!
  3. The 3rd argument is the value we want it changed to. The function works with int, because I had some difficulties getting it into char... So it works with the ASCII table (http://www.asciitable.com); for example, no. 102 in the ASCII table is the char "f".
  4. The 4th argument is the size of the value in bytes; in our case we can leave it at 4 bytes.
Ok, so our app test.exe is still running; now compile and run procmem.exe!

Once you are done, something like this will appear:



Well done, the memory has been changed!

Ok, now you can close procmem.exe and look at our test.exe.

Try to log in with the password as it was in our code when we compiled it: "lol".

But what happened? You cannot log in? Yeah, right!

The password has been changed to ASCII 102 = "f".

So try to log in with "f"!

Voila! You are welcomed, lord!



And how to protect against this? You can use the VirtualProtect function, but I'm not going to explain how to use it in this tutorial, maybe later.

But I can show you some tricks! Like protecting yourself from Cheat Engine:

Code:
HWND hCE = FindWindow(TEXT("Cheat Engine"), NULL);   // first argument is the window class name, second the title
if (hCE)
    ExitProcess(0);
With this code, your application exits when a Cheat Engine window is open.
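A different kind of protection, as an added example that is not part of the article: instead of looking for the tool's window, the program seals its own secret with a checksum and checks the seal before every comparison, so the exact write procmem.exe performs above (4 bytes of the int 102 over "lol") is noticed. The code is portable C with no Windows dependency; the names guarded_secret, secret_set, check_login and simulate_overwrite are mine.

```c
/* Added example (not the article's code): an in-process tamper seal for a
 * secret that an external writer such as procmem.exe could overwrite. */
#include <stdint.h>
#include <string.h>

/* FNV-1a 32-bit hash, used here only as a lightweight integrity seal. */
static uint32_t fnv1a(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *) buf;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

typedef struct {
    char     value[16];   /* same size as the buffers in test.cpp */
    uint32_t checksum;    /* fnv1a(value) recorded by secret_set */
} guarded_secret;
void secret_set(guarded_secret *s, const char *v)
{
    memset(s, 0, sizeof *s);
    strncpy(s->value, v, sizeof s->value - 1);
    s->checksum = fnv1a(s->value, sizeof s->value);
}

/* 1 if the bytes still match the recorded checksum, 0 if they were changed. */
int secret_intact(const guarded_secret *s)
{
    return fnv1a(s->value, sizeof s->value) == s->checksum;
}

/* Login check: -1 = memory tampered, 0 = wrong password, 1 = accepted. */
int check_login(const guarded_secret *s, const char *attempt)
{
    if (!secret_intact(s))
        return -1;
    return strcmp(s->value, attempt) == 0;
}

/* Replays the article's scenario in one process: set "lol", then overwrite
 * the first 4 bytes with the int 102 ('f'), which is what procmem.exe wrote. */
int simulate_overwrite(const char *attempt)
{
    guarded_secret s;
    int newval = 102;
    secret_set(&s, "lol");
    memcpy(s.value, &newval, sizeof newval);   /* stands in for WriteProcessMemory */
    return check_login(&s, attempt);
}
```

The seal only raises the bar: a writer that can reach the secret can rewrite the checksum field too, so this catches the tutorial's blind write but is not a complete defence.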

I hope you enjoyed this article! I enjoyed playing with memory very much! Stay tuned for further articles!
poornaMoksha (Ambitious contributor, joined Jan 2011):
Can we do something like this on Linux??
Scripting / John Hoder (joined Jun 2010):
Quote:
Originally Posted by poornaMoksha
Can we do something like this on Linux??
I'm not very skilled on Linux, but you can try to focus on the function ptrace(); as far as I know, it has similar functionality to the functions mentioned above. But I'm not 100% sure.
lionaneesh (Invasive contributor, joined Mar 2010):
Quote:
Originally Posted by poornaMoksha
Can we do something like this on Linux??
Yes, we have ptrace (instruction level tracing), which can employ an anti-debugging scheme (using PTRACE_TRACEME), but usually this is quite easy to bypass using utilities such as GDB. Check here. Basically, to date we don't have any solution which can protect your software from crackers (scripting's solution was quite rudimentary and can be easily bypassed; any cracker with some assembly knowledge can simply use debuggers such as Olly etc. and disable/delete that instruction). By employing these techniques we can only make it difficult for a cracker.

For some examples of cracking in Linux, you can have a look at my tutorial series of crack-mes.
Scripting / John Hoder (joined Jun 2010):
Quote:
Originally Posted by lionaneesh
Yes, we have ptrace (instruction level tracing), which can employ an anti-debugging scheme (using PTRACE_TRACEME), but usually this is quite easy to bypass using utilities such as GDB. Check here. Basically, to date we don't have any solution which can protect your software from crackers (scripting's solution was quite rudimentary and can be easily bypassed; any cracker with some assembly knowledge can simply use debuggers such as Olly etc. and disable/delete that instruction). By employing these techniques we can only make it difficult for a cracker.

For some examples of cracking in Linux, you can have a look at my tutorial series of crack-mes.
Exactly, thanks for the explanation on my behalf. Btw, it was my intention to make it rudimentary, so that even beginners can understand.
sura (Banned):
This is good and the explanation was great.
Scripting / John Hoder (joined Jun 2010):
Quote:
Originally Posted by sura
This is good and the explanation was great.
Thanks, I'm glad you like it.
raju_mars (Light Poster, joined Apr 2010):
It's high quality, and the code with the explanation was great.