Go4Expert


Scripting 9Feb2012 15:10

Memory Injection And Cracking
 
In this article I'm going to show you how to change the value of a variable in another process while it is running. There are many tools that do this with a few clicks, but I will focus on doing it programmatically, specifically in C using the Windows API.

Tools I will use: Cheat Engine 6.0

Here is a simple login program. I know it is weak and vulnerable (scanf("%s") into a fixed buffer, and the password sitting in plain text on the stack), but for a proof of concept and for simplicity it is fine.

test.cpp
Code: Cpp

#include <cstdio>      // printf, scanf
#include <cstring>     // strcmp
#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
    // The secret lives in plain text in a writable stack buffer: 4 bytes, "lol" plus the
    // terminating NUL. This is what we will locate and overwrite from another process.
    char    password[] = "lol";
    char    passattempt[16] = "";
    while(1)
    {

        printf( "\nEnter your password:");
        scanf("%s", passattempt);              // deliberately unsafe: no length limit, kept as in the original
        printf("You entered %s", passattempt);

        if (strcmp(password, passattempt) != 0)
        {
              printf( "\nLogin failed!\n\n");
        }
        else printf( "\nWelcome my lord!\n\n");
    }
}

Now we will change the password to something else. Open test.exe and let it run. It should look like this:

http://imgs.g4estatic.com/memory-inj...njection-1.JPG

Now we have to find the memory address where the password is stored. We will do it with Cheat Engine, but many other tools can do this. So open Cheat Engine. It should look something like this:

http://imgs.g4estatic.com/memory-inj...njection-2.png

Now click on that flashing computer. This should appear:

http://imgs.g4estatic.com/memory-inj...njection-3.png

Now find test.exe in the process list and click "Open". We have now opened our process's memory! Let's go further!

Fill in the scan settings as in the screenshot and click "First scan". The left-hand table should then show the string "lol" together with its exact memory address.

http://imgs.g4estatic.com/memory-inj...njection-4.JPG

Now copy the memory address somewhere safe, because we will need it later!
Of course we could change the value right now with Cheat Engine, but this article is not about "how to use Cheat Engine"; we will do this programmatically.

So our address is: 0022FF6C

Keep in mind that this is a stack address, so it belongs to this particular build and run. If you rebuild test.exe or run it on a system where ASLR moves the stack between runs, the address changes and you must scan again before each attempt.

We will change the value at that address with the WriteProcessMemory() function.
Here is the code:
Code:

#include <cstdio>      // printf
#include <cstring>     // strcmp
#include <cstdlib>
#include <iostream>
#include <windows.h>
#include <tlhelp32.h>


// Find the first process whose image name matches ProcessName and write the low `size`
// bytes of NewVal at MemAddress inside it. Returns true only if the process was found
// and the write succeeded.
bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)
{
    HANDLE hProcessSnap;
    HANDLE hProcess = NULL;
    PROCESSENTRY32 pe32;

    if (size <= 0 || size > (int)sizeof(NewVal))    // we only have sizeof(int) bytes to write from
        return false;

    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return false;
    pe32.dwSize = sizeof( PROCESSENTRY32 );
    if (!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);
        return false;
    }
    do
    {
          if(!strcmp(pe32.szExeFile, ProcessName))   // szExeFile is a char[] when UNICODE is not defined
          {
              // PROCESS_VM_OPERATION | PROCESS_VM_WRITE is all WriteProcessMemory needs;
              // PROCESS_ALL_ACCESS also works but asks for far more than required.
              hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pe32.th32ProcessID);
              break;
          }
    }
    while(Process32Next(hProcessSnap, &pe32));
    CloseHandle( hProcessSnap );

    if(hProcess != NULL)
    {
          SIZE_T written = 0;
          // write the low `size` bytes of NewVal (little-endian: 102 becomes 'f', 0, 0, 0)
          BOOL ok = WriteProcessMemory(hProcess, MemAddress, &NewVal, size, &written);
          CloseHandle(hProcess);
          return ok && written == (SIZE_T)size;
    }
    return false;
}

int main()
{
    printf("Process Memory Value Modification by John Hoder\n\n");

    if(MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4))
    {
          printf("The value has been edited successfully.\n");
    }
    else{  printf("error occurred while editing the value (process not found, access denied, or bad address).\n");  }

    system("PAUSE");
    return 0;
}

OK, look at the function bool MemoryValueChange(const char * ProcessName, LPVOID MemAddress, int NewVal, int size)

Here is how we call it: MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4)
  1. The 1st argument is the process name, in our case test.exe.
  2. The 2nd argument is the memory address from the Cheat Engine scan. Don't forget the 0x prefix; it is a hexadecimal number!
  3. The 3rd argument is the value to write. The function takes an int rather than a string (I had some difficulties getting it into char), so you pass the new password as a number: look the character up in an ASCII table (http://www.asciitable.com), for example 102 is the character "f". Because x86 is little-endian, the int 102 is stored as the bytes 66 00 00 00, that is "f" followed by three NUL bytes, which is exactly why the new password becomes the one-character string "f".
  4. The 4th argument is the number of bytes to write. 4 bytes (the size of an int) is right here, and it is also exactly the size of password[] ("lol" plus its terminator), so the write does not spill into passattempt or anything else on the stack. Writing more bytes than the target buffer holds would corrupt whatever lies after it.
OK, our app test.exe is still running; now compile and run procmem.exe!
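
To take the guesswork out of the 3rd and 4th arguments, here is an added example (my code, not part of the original article or of procmem.exe) in plain C that you can compile anywhere. It shows how a short password maps to the int that gets written and why the size must not exceed the 4-byte password[] buffer. The names password_as_int, simulated_write, demo_page_scenario and demo_overflow_refused are mine; simulated_write uses memcpy inside one process as a stand-in for WriteProcessMemory, and the byte layout it relies on is the little-endian one of x86, where the article runs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compute the int the tool's 3rd argument needs so that its little-endian byte image is
   `newpw` followed by NUL padding: byte i of the string becomes bits 8i..8i+7.
   Only up to three characters fit, because the fourth byte must be the terminator.
   Returns -1 when the password does not fit. */
long long password_as_int(const char *newpw)
{
    size_t len = strlen(newpw);
    if (len > sizeof(uint32_t) - 1)
        return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < len; i++)
        v |= (uint32_t)(unsigned char)newpw[i] << (8 * i);
    return (long long)v;
}

/* Stand-in for WriteProcessMemory inside one process (hypothetical helper): copy `size`
   bytes of `value` into `target`, refusing when the write would run past the target's
   capacity. Returns 1 on success, 0 when refused (target left untouched). */
int simulated_write(char *target, size_t target_capacity, uint32_t value, size_t size)
{
    if (size > sizeof value || size > target_capacity)
        return 0;
    memcpy(target, &value, size);   /* copies the in-memory image: 66 00 00 00 for 102 on x86 */
    return 1;
}

/* Replay the article's scenario: password[] = "lol", written with 102, size 4.
   Returns 1 if "f" now matches and "lol" no longer does. */
int demo_page_scenario(void)
{
    char password[] = "lol";        /* 4 bytes, like test.cpp */
    long long v = password_as_int("f");
    if (v != 102)
        return 0;
    if (!simulated_write(password, sizeof password, (uint32_t)v, 4))
        return 0;
    return strcmp(password, "f") == 0 && strcmp(password, "lol") != 0;
}

/* Why the size matters: 5 bytes into the 4-byte buffer must be refused and leave "lol" intact. */
int demo_overflow_refused(void)
{
    char password[] = "lol";
    int ok = simulated_write(password, sizeof password, 102, 5);
    return ok == 0 && strcmp(password, "lol") == 0;
}

int main(void)
{
    printf("\"f\"    -> %lld\n", password_as_int("f"));      /* 102 */
    printf("\"lol\"  -> %lld\n", password_as_int("lol"));    /* 7106412 = 0x6c6f6c */
    printf("\"long\" -> %lld\n", password_as_int("long"));   /* -1: does not fit in 4 bytes */
    printf("page scenario: %s\n", demo_page_scenario() ? "\"f\" logs in, \"lol\" no longer does" : "failed");
    printf("5-byte write:  %s\n", demo_overflow_refused() ? "refused" : "NOT refused");
    return 0;
}
```

password_as_int("lol") gives 7106412 (0x6c6f6c), so writing that value with size 4 puts the original password back. If you want a longer password with the real tool, pass the character array and its length to WriteProcessMemory directly instead of going through an int, and make sure the length, terminator included, still fits the 4 bytes the target buffer has.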

Once you are done, something like this will appear:

http://imgs.g4estatic.com/memory-inj...njection-5.JPG

Well done, the memory has been changed!

OK, now you can close procmem.exe and look at our test.exe.

Try to log in with the password as it was in our code when we compiled it, "lol".

But what happened??? You cannot log in? Yes, that's right!

The password has been changed to ASCII 102 = "f".

So try to log in with "f"!

Voila!!! You are welcomed lord :D

http://imgs.g4estatic.com/memory-inj...njection-6.JPG

And how to protect against this? You will often see the VirtualProtect function suggested. It changes the page protection of memory in your own process (for example making the page read-only), but it does not stop another process: anyone who can open your process with PROCESS_VM_OPERATION can call VirtualProtectEx to make the page writable again before calling WriteProcessMemory. I'm not going to explain how to use it in this tutorial, maybe later :)

But I can show you a cheap trick! Like protecting yourself from Cheat Engine by looking for its window:

Code:

// FindWindow returns an HWND. Passing NULL as the class name searches by window title,
// which must match exactly; "Cheat Engine 6.0" is assumed to be the title of the version used above.
HWND hCE = FindWindow(NULL, TEXT("Cheat Engine 6.0"));
if (hCE)
    ExitProcess(0);

With this code, your application exits when a Cheat Engine window is open :) Keep in mind that it detects one tool by one name, and a cracker can rename the window or patch the check out of your binary.
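
The same detect-the-tool idea on Linux, where the replies below take this thread, is to read the TracerPid field of /proc/self/status: the kernel fills it with the PID of whatever process is ptrace-attached (GDB, strace, or a memory-poking tool) and 0 otherwise. The code below is an added example, not the article's; the status text it parses is a constructed sample and the function names tracer_pid_from_status and tracer_pid_self are mine. It is bypassed as easily as the window check, since the check can be patched out or the tracer can detach while it runs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of the relevant lines of /proc/<pid>/status while a debugger
   (PID 4242 here) is attached; not captured from a real system. */
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\ttest\n"
    "State:\tt (tracing stop)\n"
    "Pid:\t1234\n"
    "PPid:\t1\n"
    "TracerPid:\t4242\n";

/* Parse the TracerPid field out of a status-file text. Returns the tracer's PID,
   0 when no tracer is attached, -1 when the field is absent (not a Linux procfs file). */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);   /* strtol skips the tab */
}

/* Read our own /proc/self/status and report who, if anyone, is tracing us. */
long tracer_pid_self(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

int main(void)
{
    long t = tracer_pid_self();
    if (t > 0) {
        printf("tracer attached (pid %ld), bailing out\n", t);   /* the article's ExitProcess(0) */
        return 1;
    }
    printf("no tracer attached; the constructed sample reports tracer %ld\n",
           tracer_pid_from_status(SAMPLE_STATUS_TRACED));
    return 0;
}
```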

I hope you enjoyed this article! I enjoyed playing with memory very much! Stay tuned for further articles!

poornaMoksha 9Feb2012 17:36

Re: Memory Injection And Cracking
 
Can we do something like this on Linux??

Scripting 9Feb2012 20:54

Re: Memory Injection And Cracking
 
Quote:

Originally Posted by poornaMoksha (Post 92146)
Can we do something like this on Linux??

I'm not much skilled on Linux, but you can try to focus on the function ptrace(); as far as I know, it has similar functionality to the functions mentioned above. But I'm not 100% sure :)

lionaneesh 10Feb2012 11:50

Re: Memory Injection And Cracking
 
Quote:

Originally Posted by poornaMoksha (Post 92146)
Can we do something like this on Linux??

Yes, we have ptrace (instruction level tracing), which can employ an anti-debugging scheme (using PTRACE_TRACEME), but usually this is quite easy to bypass using utilities such as GDB. Check here. Basically, to date we don't have any solution which can protect your software from crackers (Scripting's solution was quite rudimentary and can be easily bypassed; any cracker with some assembly knowledge can simply use a debugger such as OllyDbg and disable/delete that instruction). By employing these techniques we can only make it difficult for a cracker.

For some examples of cracking on Linux, you can have a look at my tutorial series of crackmes.
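
For the Linux question above, here is an added example (mine, not lionaneesh's or Scripting's code) that does with ptrace(2) what the article does with WriteProcessMemory: it forks a child that holds the same 4-byte "lol" secret, stops the child under PTRACE_TRACEME, overwrites the secret with PTRACE_PEEKDATA/PTRACE_POKEDATA, resumes it, and lets the child report whether "f" now logs in. The names g_pw, poke_bytes and patch_child_password are mine. It assumes ptrace is permitted (a container seccomp profile or Yama ptrace_scope=3 makes it fail cleanly with -1) and uses a forked child only so that the address is known without scanning; attaching to an unrelated process is PTRACE_ATTACH plus the same peek/poke calls, subject to Yama's ptrace_scope setting.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The "victim" secret, padded and aligned to a full word so a PEEK/POKE pair stays inside it;
   the login check only ever sees "lol" + NUL, as in the article's test.cpp. */
static union { char s[sizeof(long)]; long align; } g_pw = { "lol" };

/* Overwrite `len` bytes at `addr` inside the traced process `pid`. PTRACE_POKEDATA always
   writes a whole `long`, so read the current word first and splice the new bytes into it;
   this is the ptrace counterpart of choosing the 4-byte size carefully on Windows.
   Returns 0 on success, -1 on a too-long write or a ptrace error. */
static int poke_bytes(pid_t pid, void *addr, const void *src, size_t len)
{
    if (len > sizeof(long))
        return -1;
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
    if (word == -1 && errno != 0)
        return -1;
    memcpy(&word, src, len);          /* first `len` bytes of the word = bytes at addr */
    return ptrace(PTRACE_POKEDATA, pid, addr, (void *)word) == -1 ? -1 : 0;
}

/* Fork a child that volunteers to be traced, stops itself, and after being resumed reports
   whether `new_password` now logs in. fork() copies the address space, so g_pw.s has the
   same address in the child; a real tool would have to find it by scanning, like the Cheat
   Engine step in the article. Returns 0 if the patched password works, 1 if the child still
   has the old one, -1 on any ptrace/wait failure (for example ptrace being forbidden). */
static int patch_child_password(const char *new_password)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(3);
        raise(SIGSTOP);               /* parent's waitpid() returns here with WIFSTOPPED */
        _exit(strcmp(g_pw.s, new_password) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    int rc = poke_bytes(pid, g_pw.s, new_password, strlen(new_password) + 1);
    if (rc == 0 && ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
        rc = -1;
    if (rc != 0) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = patch_child_password("f");
    printf("child with patched password: %s\n",
           r == 0 ? "accepts \"f\"" : r == 1 ? "still wants \"lol\"" : "ptrace failed");
    printf("parent's own copy is still \"%s\"\n", g_pw.s);   /* fork copied it; ours is untouched */
    return r == 0 ? 0 : 1;
}
```

Note the splice in poke_bytes: PTRACE_POKEDATA writes a full long (8 bytes on x86-64), so poking "f\0" naively would also clobber the bytes after the secret; reading the word first and replacing only the needed bytes keeps the write as tight as the 4-byte size in the Windows version.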

Scripting 22Feb2012 22:09

Re: Memory Injection And Cracking
 
Quote:

Originally Posted by lionaneesh (Post 92184)
Yes, we have ptrace (instruction level tracing), which can employ an anti-debugging scheme (using PTRACE_TRACEME), but usually this is quite easy to bypass using utilities such as GDB. Check here. Basically, to date we don't have any solution which can protect your software from crackers (Scripting's solution was quite rudimentary and can be easily bypassed; any cracker with some assembly knowledge can simply use a debugger such as OllyDbg and disable/delete that instruction). By employing these techniques we can only make it difficult for a cracker.

For some examples of cracking on Linux, you can have a look at my tutorial series of crackmes.

Exactly, thanks for the explanation on my behalf :D By the way, it was my intention to make it rudimentary, so that even beginners can understand :)

sura 27Feb2012 23:42

Re: Memory Injection And Cracking
 
This is good, and the explanation was great.

Scripting 28Feb2012 00:09

Re: Memory Injection And Cracking
 
Quote:

Originally Posted by sura (Post 92827)
this is goog and with the explanation was great .

Thanks, I'm glad you like it :D

raju_mars 28Feb2012 12:24

Re: Memory Injection And Cracking
 
It’s high-quality and with the enlightenment was great Code.

