Memory Injection And Cracking

Discussion in 'C' started by Scripting, Feb 9, 2012.

  1. Scripting

    Scripting John Hoder

    Joined:
    Jun 29, 2010
    Messages:
    421
    Likes Received:
    57
    Trophy Points:
    0
    Occupation:
    School for life
    Location:
    /root
    In this article I'm going to show you how to change the value of a variable during run time. There are many tools around to do this easily, but I will focus on the way of doing it programmatically, specifically using the C language.

    Tools I will use: Cheat Engine 6.0

    Here is a simple code for login, I know it's weak and vulnerable, but for proof of concept and for the ease it's ok.

    test.cpp
    Code:
    #include <cstdlib>
    #include <cstdio>      // printf, scanf
    #include <cstring>     // strcmp
    #include <iostream>
    
    using namespace std;
    
    int main(int argc, char *argv[])
    {
        char    password[] = "lol";        // plaintext secret kept in memory (weak by design, see above)
        char    passattempt[16] = "";
        while(1)
        { 
    
            printf( "\nEnter your password:");
            scanf("%15s", passattempt);    // bounded read so the attempt cannot overflow the buffer
            printf("You entered %s", passattempt);
        
            if (strcmp(password, passattempt) != 0)
            { 
                  printf( "\nLogin failed!\n\n");
            }
            else printf( "\nWelcome my lord!\n\n");
        }
    }
    
    Now we will try to change the password to another one. Ok, so open the test.exe and let it run. It should look like this:

    [image]

    Now, we have to find out the memory address, where the password is stored. We will do it with Cheat Engine, but there are many other tools for this. So let's open Cheat Engine and click on the computer. It should look something like this:

    [image]

    Now click on that flashing computer. This should appear:

    [image]

    Now search for test.exe and click "Open". Well, we have successfully opened our process memory! Let's go further!

    Fill the search properties like this, and click "First scan". In the left table should appear the string "lol" with exact memory address.

    [image]

    Well, now copy the memory address to some safe place, cause we will need it later!
    Of course we could change the memory value right now with Cheat Engine, but this article is not dealing with "how to use Cheat Engine", we will do this stuff programmatically.

    So our address is : 0022FF6C

    We will change the memory address value with WriteProcessMemory() function.
    Here is the code:
    Code:
    #include <cstdlib>
    #include <cstdio>      // printf
    #include <cstring>     // strcmp
    #include <iostream>
    #include <windows.h>
    #include <tlhelp32.h>
    
    // Built as an ANSI (non-UNICODE) program so that pe32.szExeFile is a char array
    // and strcmp() can compare it with ProcessName.
    bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)
    {
         HANDLE hProcessSnap;
         HANDLE hProcess = NULL;
         PROCESSENTRY32 pe32;    
         hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
         if(hProcessSnap == INVALID_HANDLE_VALUE)
              return false;                           // could not take the process snapshot
         pe32.dwSize = sizeof( PROCESSENTRY32 );       // must be set before Process32First
         if(!Process32First(hProcessSnap, &pe32))
         {
              CloseHandle( hProcessSnap );
              return false;
         }
         do
         {          
              if(!strcmp(pe32.szExeFile, ProcessName))
              {
                   hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
                   break;
              }
         }
         while(Process32Next(hProcessSnap, &pe32));
         CloseHandle( hProcessSnap );
         if(hProcess != NULL)
         {
              // size must not exceed sizeof(NewVal), otherwise &NewVal is over-read
              BOOL ok = WriteProcessMemory(hProcess, MemAddress, &NewVal, size, NULL);     // write the value          
              CloseHandle(hProcess);    
              return ok != FALSE;                     // report what the write actually returned
         }    
         return false;
    }
    
    int main()
    {
         printf("Process Memory Value Modification by John Hoder\n\n");
         
         if(MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4))
         {
              printf("The value has been edited successfully.\n");
         }
         else{   printf("error occurred while editing the value.\n");   }
             
         system("PAUSE");
         return 0;
    }
    
    ok, look at the function bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)

    Here is what we will use : MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4)
    1. 1st argument is the process name, in our case it's test.exe
    2. 2nd argument is the memory address, don't forget to add 0x before it!
    3. 3rd argument is the value we want it to be changed to, the function works with int, because I had some difficulties with getting it into char... So, it will work with the HTML char table (http://www.asciitable.com), for example no. 102 in the HTML table is the char "f".
    4. 4th argument is a type of value, in our case, we can let it at 4 bytes.
    Ok, so our app called test.exe is still running, now compile and run procmem.exe!

    Once you are done, something like this will appear:

    [image]

    Well done, the memory has been changed!

    Ok, now you can close procmem.exe and look on our test.exe.

    Try to login with the password as it is in our code when we compiled it, it's "lol".

    But what happened??? You cannot login? Yeah, right!

    The password has been changed to HTML(102) = "f".

    So try to login with "f"!

    Voila!!! You are welcomed lord :D

    [image]

    And how to protect? You can use VirtualProtect function, but I'm not going to explain how to use it in this tutorial, maybe later :)

    But I can show you some tricks! Like protecting yourself from Cheat Engine:

    Code:
    HWND hCE = FindWindow(TEXT("Cheat Engine"), NULL);   // FindWindow(lpClassName, lpWindowName): this matches on the window class name
    if(hCE)
         ExitProcess(0);
    With this code, your application exits when Cheat Engine is opened :)

    I hope you enjoyed this article! I enjoyed playing with memory this very much! Stay tuned for further articles!
     
    Last edited by a moderator: Jan 21, 2017
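    Added example, not code from the post above: the login program rewritten so that the Cheat Engine string scan in the thread no longer finds a plaintext "lol" (only a digest is kept), and so that a blind overwrite of the stored digest, which is what the WriteProcessMemory step does, is detected by a redundant obfuscated copy. FNV-1a stands in for a real password hash and SHADOW_MASK is a constructed constant; as the later replies note, an attacker who patches both fields or the check itself still gets through, so this only raises the bar.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SHADOW_MASK 0x5A5A5A5Au   /* constructed mask for the obfuscated copy */
/* FNV-1a 32-bit digest, used here instead of keeping "lol" in memory as text
 * (a plain string scan found the plaintext in the thread). Demonstration only:
 * a real product would use a proper password hash such as Argon2 or scrypt. */
static uint32_t fnv1a(const void *data, size_t len) {
    const unsigned char *p = data;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* What the program holds instead of the plaintext password. */
typedef struct {
    uint32_t pw_digest;   /* fnv1a(expected password) */
    uint32_t shadow;      /* pw_digest ^ SHADOW_MASK, a redundant copy */
} credential_t;

void credential_init(credential_t *c, const char *password) {
    c->pw_digest = fnv1a(password, strlen(password));
    c->shadow = c->pw_digest ^ SHADOW_MASK;
}

/* 1 if the digest and its shadow disagree, i.e. one of them was patched.
 * Only detects a blind overwrite of one field; an attacker who patches
 * both fields consistently (or the check itself) still gets through. */
int credential_tampered(const credential_t *c) {
    return (c->pw_digest ^ SHADOW_MASK) != c->shadow;
}

/* 1 = correct password, 0 = wrong password, -1 = tampering detected. */
int check_login(const credential_t *c, const char *attempt) {
    if (credential_tampered(c)) return -1;
    return fnv1a(attempt, strlen(attempt)) == c->pw_digest ? 1 : 0;
}

int main(void) {
    credential_t cred;
    credential_init(&cred, "lol");
    printf("lol -> %d, f -> %d\n", check_login(&cred, "lol"), check_login(&cred, "f"));
    /* Constructed stand-in for the external write from the thread: the stored
     * digest is overwritten in place with the digest of "f". */
    cred.pw_digest = fnv1a("f", 1);
    printf("after patch, f -> %d\n", check_login(&cred, "f"));
    return 0;
}
```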
  2. poornaMoksha

    poornaMoksha New Member

    Can we do something like this on Linux??
     
  3. Scripting

    Scripting John Hoder

    I'm not much skilled on Linux, but you can try to focus on the function ptrace(); As I know, it has similar functionality to the functions mentioned above. But I'm not 100% sure :)
     
  4. lionaneesh

    lionaneesh Active Member

    Yes, we have ptrace (instruction level tracing), which can employ an anti debugging scheme (using PTRACE_TRACEME) but usually this is quite easy to bypass using utilities such as GDB, Check here, basically till date we don't have any solutions which can protect your software from crackers (scripting's solution was quite rudimentary and can be easily bypassed, any cracker with some Assembly knowledge can simply use debuggers such as olly etc. and disable/delete that instruction). By employing these techniques we can only make it difficult for a cracker.

    For some examples on cracking in linux , you can have a look at my tutorial series of crack me's.
     
  5. Scripting

    Scripting John Hoder

    Exactly, thanks for the explanation instead of me :D Btw. It was my intention to make it rudimentary, so even beginners can understand :)
     
  6. sura

    sura Banned

    This is good and the explanation was great.
     
  7. Scripting

    Scripting John Hoder

    Thanks, I'm glad you like it :D
     
  8. raju_mars

    raju_mars New Member

    It’s high-quality and with the enlightenment was great Code.
     
