Go4Expert - Memory Injection And Cracking

In this article I'm going to show you how to change value of variable during run time. There are many tools around how to do this easily, but I will focus on the way doing it programatically, specifically using C language.

Tools I will use: Cheat Engine 6.0

Here is a simple code for login, I know it's weak and vulnerable, but for proof of concept and for the ease it's ok.

test.cpp

Code: Cpp

#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
    char    password[] = "lol";
    char    passattempt[16] = "";
    while(1)
    { 

        printf( "\nEnter your password:");
        scanf("%s",passattempt);
        printf("You enetred %s",passattempt);
    
        if (strcmp(password, passattempt) != 0)
        { 
              printf( "\nLogin failed!\n\n");
        }
        else printf( "\nWelcome my lord!\n\n");
    }
}

Now we will try to change the password to some another. Ok, so open the test.exe and let it run. It should look like this:

http://imgs.g4estatic.com/memory-inj...njection-1.JPG

Now, we have to find out the memory address, where the password is stored. We will do it with Cheat Engine, but there are many other tools for this. So let's open Cheat Engine and click on the computer. It should look something like this:

http://imgs.g4estatic.com/memory-inj...njection-2.png

Now click on that flashing computer. This should appear:

http://imgs.g4estatic.com/memory-inj...njection-3.png

Now search for test.exe and click "Open". Well, we have successfully opened our process memory! Let's go further!

Fill the search properties like this, and click "First scan". In the left table should appear the string "lol" with exact memory address.

http://imgs.g4estatic.com/memory-inj...njection-4.JPG

Well, now copy the memory address to some safe place, cause we will need it later!
Of course we could change the memory value right now with Cheat Engine, but this article is not dealing "how to use Cheat Engine", we will do this stuff programatically.

So our address is : 0022FF6C

We will change the memory address value with WriteProcessMemory() function.
Here is the code:

Code:

#include <cstdlib>

#include <iostream>

#include <windows.h>

#include <tlhelp32.h>





bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)

{

     HANDLE hProcessSnap;

     HANDLE hProcess = NULL;

     PROCESSENTRY32 pe32;    

     hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

     pe32.dwSize = sizeof( PROCESSENTRY32 );

     Process32First(hProcessSnap, &pe32);

     do

     {          

          if(!strcmp(pe32.szExeFile, ProcessName))

          {

               hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);

               break;

          }

     }

     while(Process32Next(hProcessSnap, &pe32));

     CloseHandle( hProcessSnap );

     if(hProcess != NULL)

     {

          WriteProcessMemory(hProcess, MemAddress, &NewVal, size, NULL);     // write the value          

          CloseHandle(hProcess);    

          return true;

     }    

     return false;

}



int main()

{

     printf("Process Memory Value Modification by John Hoder\n\n");

     

     if(MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4))

     {

          printf("The value has been edited successfully.\n");

     }

     else{   printf("error occured while editing the value.\n");   }

         

     system("PAUSE");

     return 0;

}

ok, look at the function bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)

Here is what we will use : MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4)

1st argument is the process name, in our case it's test.exe
2nd argument is the memory address, don't forget to add 0x before it!
3rd argument is the value we want it to be changed to, the function works with int , because I had some difficulties with getting it into char... So, it will work with HTML char table (http://www.asciitable.com), for example no.102 in HTML table is char "f".
4th argument is a type of value, in our case, we can let it at 4 bytes.

Ok, so our app called test.exe is still running, now compile and run procmem.exe!

Once you are done, something like this will appear:

http://imgs.g4estatic.com/memory-inj...njection-5.JPG

Well done, the memory has been changed!

Ok, now you can close procmem.exe and look on our test.exe.

Try to login with password as is in our code when we complied it, it's "lol".

But what happend??? You cannot login? Yeah, right!

The password has been chaged to HTML(102) = "f".

So try to login with "f"!

Voila!!! You are welcomed lord :D

http://imgs.g4estatic.com/memory-inj...njection-6.JPG

And how to protect? You can use VirtualProtect function, but I'm not going to explain how to use it in this tutorial, maybe later :)

But I can show you some tricks! Like protecting yourself from Cheat Engine:

Code:

HANDLE hCE = FindWindow(TEXT("Cheat Engine"), NULL); if(hOlly) ExitProcess(0);

With this code, your application exits when Cheat Engine is opened :)

I hope you enjoyed this article! I enjoyed playing with memory this very much! Stay tuned for further articles!