Comments:
<0> and you're trying to find that in memory within the "host"?
<1> trying to find it in the address space of some other process? (presuming you're doing it on win32)
<1> or in your app?
<2> in a client, we've got the ability to customize the abilities of a character
<2> via sliders and color selections
<2> during character creation the values are sent to the server; we can get the packet that's sent and get it unencrypted and uncompressed to get the values, but we need a faster way to get the values
<2> I'm trying to take a snapshot of the memory and then, after changing the slider, find out what changed so I can get the memory address of the value of the slider
<2> this is in Windows, I know that only three memory addresses will change: two clock tick values and the slider
<1> that slider is a window?
<2> Deathmaster, in the app
<0> ew
<1> or is the interface drawn with d3d/opengl?
<2> there are multiple sliders in the window
<2> it's actually via d3d
<1> well that sucks
<1> do the sliders always have the same position on the screen?
<3> which OS?
<3> owner-drawn slider?
<1> no, the interface is drawn with direct3d
<2> windows
<1> no window to subclass, filter window messages and so on
<2> Deathmaster, within the program, yes
<3> is it a standard Windows slider in d3d or entirely drawn by the app?
<1> iole: you have a few alternatives... 1) detect the mouse movement on the remote window via some mouse hook on the remote application window, 2) check the values in memory every time the mouse is on some region of the screen, 3) hook the code that writes the values in memory (inject a dll into the remote process by using a hook, for example, and from there you hook the code that writes those values)
<2> I just want to extract some 32-bit unsigned integers from a sequence of bytes
<2> if that helps :P
<1> disassemble the process you wanna mess with, you have the memory addresses that you need to monitor, scan the code for any instruction that changes their values
<2> true
<1> once you have all of them, inject some code into the remote process by some means and hook the code address you found, write the new value where the program was supposed to write it, write it in your dll/send it to some master app and then jump back as if nothing had happened
<2> some means?
<1> injecting a dll into a remote process by using a global hook is not the only means to inject some code into some process
<1> or you could patch the code in the exe itself directly to dispatch messages to some external app, but it's much harder than 3)
<1> and it's not always possible
<2> you're assuming that the code .text section is writable, aren't you?
<1> I said patch the .exe itself, it doesn't matter if the .text section is writable or not
<1> anyway, forget about it, if I were you I'd try 3)
<2> this helps somewhat, I think that reverse engineering the client would take longer than just guessing the values
<1> oh yes, the code section must be writable in order for 3) to work
<2> because theoretically, we don't need to know the values, just the location of the value in the packet
<1> anyway, that can be fixed
<2> so what I said was right? we don't need to know the values, just the location of the value in the packet, theoretically, right?
<2> Deathmaster?
<2> oops
<2> I'm pretty sure that Windows divides the virtual address space for a process image into .text (compiled code) and .data (dynamic global storage) segments. If you disassemble or view an executable you may find those strings. Those get copied into memory pages with various protections. The .text is usually read-only and executable.
<2> I could be wrong but that's my best guess
<2> Erm?
<2> brb
<2> ok
<2> Weird, Deathmaster around?
<1> I'm back
<2> wb
<2> Thought you had me hanging onto that last bit :P
<1> I was shaving
<1> anyway
<1> what's your problem with the code segment?
<2> heh
<2> Nothing, just that if you disassemble or view an executable I'm thinking I may find those strings. Those get copied into memory pages with various protections
<1> if it's not already writable then make it writable
<1> yes
<1> either change the .text segment in the exe manually or mess around with the memory page protections at runtime
<2> Erm, sounds feasible
<2> Erm, you know what, I found a better way of doing it without having to deal with the client
<2> Wanna check it?
<1> go ahead
<2> we're manually checking the packet each time they change a slider
<2> all we need to do is save the value to the table and then resend the value back to the client
<2> we're building an emulator for an MMO
<2> SVN for the code: http://opensvn.csie.org/SWGEmuPub/
<1> wait a minute... you also want to control the value of those sliders in the client application?
<2> not really
<1> then why would you send it back to the client?
<1> what would be the purpose?
<2> we just need to save the values from the client and then use them
<2> there will be very, very little changing of the values once the character is created
<2> get it right?
<1> yup
<1> well, if you already did it by sniffing the packets
<2> Got a better alternative?
<1> why do you need a better alternative? it's not fast enough or what?
<2> well, I just need to clarify if this is alright
<1> if it works it's good
<1> how did you do the sniffing part? hooked the "send" API or with a network driver?
<2> we've got a core server setup
<2> what did you think?
<1> I told you before... if your method works then it's ok
<2> yeah thx mate
<4> Who is up?
<4> boro boro boro? How is daddis porn shop treating you?
<4> whines.. anyone!!?!
<4> sniffle
<5> hey, I have a pretty simple question about finding an absolute address
<5> I read that you can get the absolute address by ds * 16 + esi
<5> but esi is FFFFFFFFh, causing the result to overflow and the calculation to not work
<5> can anyone explain what's going on?
<5> that is the absolute memory address btw
<5> x86 arch
<3> 0ffffffffh is -1
<3> and it works
<3> but segment*16+offset only works in 16-bit mode
<3> if you use ds:[0ffffffffh] in 16 bits you'll get a fault
<3> in 16-bit mode you do all the calculation modulo 65536*16
<3> (unless a20 is set...)