
Thread: Memory Hacking Software 2.0.4.7

  1. #1

    Memory Hacking Software 2.0.5.1

    I would appreciate input on this project.
    I am quite dedicated to it and I would like to have input from experienced others on what could be upgraded/added/modified.

    I know that currently it is missing some obvious features, such as Copy in the Disassembler, but these are details I just have to get around to doing.

    Aside from the minor details, what actual features could be added to improve this software?


    It can be found here
    http://www.gwforum.ca/l-spiro/index.php (NOTE: Some people have experienced problems visiting this page. Seems there is a risk that the site has been hacked? For that reason, I am posting a direct link to the software. Hopefully there are no problems with this link.)
    Direct link to the package: http://www.gwforum.ca/l-spiro/MemHack/MemHack%202.0.5.1.zip (it works now).


    I am mostly interested in what can be improved on the debugger/disassembler.

    I will give a brief overview of the current features related to these two areas.

    Debugger:
    Software Read/Write/Access/Execute breakpoints.
    Hardware Write/Access/Execute breakpoints.
    Conditional Breakpoints: Create conditions using a simple wizard. You can compound any number of conditions together on a breakpoint (&& and || operators) and use parentheses to denote precedence. Operands can be hit count, specific value (example: 56), registers (example: EBX), registers as addresses (example: [EBP]), and addresses (example: [0x124EFC]). More conditions can be added via DLL plug-ins.
    Assignable Functions to Breakpoints: Breakpoints do whatever you want, from loading the Disassembler to printing a message. If you need more functions, you can create a DLL plug-in. You can assign 3 functions (both built-in functions and your own custom plug-in functions) to any breakpoint in any order and combination.
    Saving Breakpoints: You can save your breakpoints and load them later. All saves are relative to the base DLL address, so if the DLL moves, the breakpoint will still be loaded to the correct location.

    Disassembler:
    Decodes Addresses: Addresses can be assigned any type, including classes, structures, and typedefs (the Template Editor allows you to define these). When assigned, they will be decoded depending on their type. If an address is decoded into a structure or class, each member of the structure/class will be shown by name and value, using the same style as is used in Visual Studio.
    Single-Step, Step Over and Step Out (pRET).
    Comments: Add your own comments to addresses to leave yourself notes.
    NOP: NOP’ing is remembered and the pop-up menu allows you to undo NOP’ing quickly.
    Highlights: Jumps, calls, and various other tidbits are highlighted for ease in viewing. See Picture #1.
    Import Functions: The Template Importer allows you to scan header files for function definitions which the Disassembler can use to display more detailed information about functions. My database is currently at 34,922 functions complete with full parameter names and types, created from scanning Windows® header files.
    Map Locals and Parameters: Memory Hacking Software is able to determine function parameters and locals for unknown functions and then map them over RAM while in single-stepping mode. As they are accessed, they are shown in color so you can see them easily. Locals are in green and parameters are in purple. See Picture #2 and Picture #3.
    Visual Appearance: Well I am still working on this but so far you can change to any font you want and change the colors. You can also change the output from the Disassembler in a variety of ways.


    Picture #1 - http://www.gwforum.ca/l-spiro/HiLightJumps.gif
    Picture #2 - http://www.gwforum.ca/l-spiro/MappedParams.gif
    Picture #3 - http://www.gwforum.ca/l-spiro/InsideFunction.png


    Again, any feedback is appreciated.


    L. Spiro
    Last edited by L. Spiro; September 6th, 2005 at 12:48.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,143
    Blog Entries
    5
    Hi, I edited your links so they displayed properly (external clickable links aren't supported)

    Kayaker

  3. #3
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    I don't know what's up with this!, but the links to the graphic files are fine - going to the main page - Norton has a heart attack! blocking - deleting several "virii" - use caution.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  4. #4
    Hi, I edited your links so they displayed properly (external clickable links aren't supported)
    I see.
    Thank you for that.


    I don't know what's up with this!, but the links to the graphic files are fine - going to the main page - Norton has a heart attack! blocking - deleting several "virii" - use caution.
    Well there aren’t any actual viruses on the page or in the software, but one of its other features is to hide from the process list.
    To accomplish this, I use a system driver which anti-virus software tags as having a root-kit trojan.
    This feature is not required to run Memory Hacking Software, so if your anti-virus tags it and deletes it, it is okay.
    The only time it is loaded is when it hides itself or when it knocks another debugger off the target software (if it is already being debugged).

    dbk32.sys is the device driver that performs these operations and dbk32.dll is a wrapper for the driver. If you (or your software) delete dbk32.sys, you must also delete dbk32.dll.


    L. Spiro
    Last edited by L. Spiro; August 27th, 2005 at 06:07.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    I didn't download the software, the problems with Norton were simply from visiting the page, and what's with the message box filled with gibberish and an ok button that will not close - (no I didn't click the button) - shut down the IE process independently - don't know about anyone else but unless there are any other reports, from someone I know, that this site is safe - I'm not going there.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #6
    That is odd to say the least.
    I have never heard of this happening to anyone else.
    The site is fine; there are no pop-ups or viruses on it.
    Unless it’s been hacked.
    But it still works fine for me and some others, so that isn’t a possibility.
    Pop-ups are lame so I don’t use them.
    If you are getting one, it would definitely be something on your end acting up.
    It is understandable to have many anti-virus software installed and blockers/ad-removals when you frequent this type of board and engage in this type of activity, but unfortunately these types of software are known for misbehaving and calling false alarms.
    Of course, a message box filled with gibberish is new to me.
    I suspect it means you already have some kind of trojan/virus.

    Anyway, I am not suggesting you take my word for it.

    We will wait until others go there and report back.


    I’ve already added a few more options but not enough to warrant its own release.
    I work on this night and day, and any input on making it better will be appreciated.


    L. Spiro
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Knight
    Guest
    For me both sites work fine, without a single pop-up.
    Sigint, in Syser Debugger thread u said that it made u some problems. Maybe these things are related and maybe problem is not in Spiro site and not in Syser, but like Spiro already said u already have trojan/virus/adware/etc.

    Regards
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Some software will automatically download other pages, in an effort to speed up downloads; perhaps this is what triggered the AV alarm. Granted, without knowing what browser and plugins / additions you're using it's hard to make that call.
    http://www.felinemenace.org || http://www.pulltheplug.org

  9. #9
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,524
    Blog Entries
    15
    Map Locals and Parameters
    hey how are you accomplishing this are you pulling the pdbs or have an internal database for all those structs
    labelling locals means i have some software where i have my own structs
    like
    typedef struct _MY_STRUCT {
    ulong blah;
    ushort blah1;
    wchar balh2;
    longlong blah3;
    }MY_STRUCT ,*PMY_STRUCT;

    LOCAL mystru:MY_STRUCT;

    call mycall(&mystru,blah4,MY_USELESS_CONSTANT)

    will it be able to label this mystru or some kind of same locals and args

    also does it label them inside the disassembly or shows them as comments ??

    i saw the screenshot it seems it shows them as comments

    or for example
    is source available or will it be made available

    hope to test it some time soon
    thanks and regards

  10. #10
    It can create an internal database for you.
    You can scan header files to get function definitions and structures/classes.
    It stores all the information and when a function is discovered with a known name it counts the parameters in that function.
    Then it determines if, by name and parameter count, it can get a match from the database of functions.
    If it gets a match, it applies the known parameter names and types to the function it discovered.
    Then it goes on to count the locals.
    It does not in any way store any database of known function locals because it is up to the compiler how to spread the locals over a function’s local stack, so it can not be predicted.
    Instead, it scans the disassembly for them and logs what it finds.
    For each local, a type and name is supplied. It takes a guess to determine what type the locals are.

    All this information is then stored and attached to that function, which, when called or referenced, will be shown as a comment as you see in the pictures.

    After that, you can right-click the function in the output and modify anything you like.
    You can rename the function, locals, and parameters, and reassign them types.


    Regarding types: When it scans a file and extracts a structure or class, it preserves the basic data types and name and aligns them correctly so that they can be mapped over RAM how the real structure/class would be mapped over RAM.
    This allows it to simply lay a struct/class over the RAM and then print the address, type, name, and value of each item in the struct/class.
    You can also define typedefs and assign them to locals and parameters.

    Regarding the extraction: It scans header/code files in almost the same way as when your compiler checks the code. It stores macros created with #define and parses #if, #ifdef, #ifndef, etc., statements correctly. It generates a preprocessed file.
    Then it scans that file, keeping track of typedefs, and imports all the functions/structs/classes.
    Using your struct as an example, it will be able to resolve “ulong” into “unsigned long”, and the others will be resolved to their respective types.
    Then it will store the typedefs of that struct, and when other structs/classes/functions use that struct by its typedef name, it will be resolved to either “_MY_STRUCT” or “_MY_STRUCT *”, depending on which typedef is used.
    If it is a function that uses a “PMY_STRUCT” as a parameter, it will keep the typedef name “PMY_STRUCT” and resolve to the correct struct and pointer depth when mapping over RAM for use in displaying locals and parameters.




    If you want to create your own database, go to Tools/Template Editor, and hit Import, and check the “Header Files” check. You will need to set the #include paths and it is recommended that you add a few of the basic Windows® macros such as _MSC_VER, WINVER, _WIN32_WINNT, and _WIN32_WINDOWS.
    Remember, it works in the same way as a compiler would, so if you want to use “ulong” as a type, you need to either #define it or typedef it, either directly in your source or in an #include’d header file.


    L. Spiro
    I promise that I have read the FAQ and tried to use the Search to answer my question.
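
Added example, not part of the thread and not Memory Hacking Software's own code: a sketch of the typedef resolution and struct-over-RAM decoding that post #10 describes, applied to the struct from post #9. The typedef table, the 32-bit MSVC sizes, the helper names and the sample bytes are constructed assumptions.

```python
import struct

# Scalar types: name -> (size in bytes, struct format). 32-bit MSVC sizes assumed.
BASE = {"unsigned long": (4, "I"), "unsigned short": (2, "H"),
        "wchar_t": (2, "H"), "long long": (8, "q")}
# Constructed typedef table, as a header scan of the struct from post #9 might leave it.
TYPEDEFS = {"ulong": "unsigned long", "ushort": "unsigned short",
            "wchar": "wchar_t", "longlong": "long long",
            "MY_STRUCT": "_MY_STRUCT", "PMY_STRUCT": "_MY_STRUCT *"}
STRUCTS = {"_MY_STRUCT": [("ulong", "blah"), ("ushort", "blah1"),
                          ("wchar", "blah2"), ("longlong", "blah3")]}
POINTER_SIZE = 4  # 32-bit target assumed

def resolve(name):
    """Follow typedefs to the underlying type; return (type, pointer depth)."""
    depth, seen = 0, set()
    while True:
        name = name.strip()
        while name.endswith("*"):
            depth, name = depth + 1, name[:-1].strip()
        if name not in TYPEDEFS:
            return name, depth
        if name in seen:
            raise ValueError("typedef cycle at " + name)
        seen.add(name)
        name = TYPEDEFS[name]

def layout(struct_name):
    """Natural-alignment layout: ([(offset, type, member, fmt)], total size)."""
    offset, widest, rows = 0, 1, []
    for declared, member in STRUCTS[struct_name]:
        base, depth = resolve(declared)
        size, fmt = (POINTER_SIZE, "I") if depth else BASE[base]
        offset = -(-offset // size) * size  # pad up to the member's alignment
        rows.append((offset, base + " *" * depth, member, fmt))
        offset, widest = offset + size, max(widest, size)
    return rows, -(-offset // widest) * widest  # tail padding

def overlay(struct_name, address, memory):
    """Decode raw little-endian bytes into (address, type, member, value) rows."""
    rows, total = layout(struct_name)
    if len(memory) < total:
        raise ValueError("need %d bytes, got %d" % (total, len(memory)))
    return [(address + off, typ, member, struct.unpack_from("<" + fmt, memory, off)[0])
            for off, typ, member, fmt in rows]

if __name__ == "__main__":
    sample = struct.pack("<IHHq", 56, 7, 0x41, -1)  # constructed memory image
    for addr, typ, member, value in overlay("_MY_STRUCT", 0x124EFC, sample):
        print("%08X  %-15s %-6s = %d" % (addr, typ, member, value))
```

Nested struct members and packing pragmas are outside this sketch; a member whose resolved type is not a scalar or a pointer raises `KeyError`.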

  11. #11
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    L Spiro,

    I apologize if you think I accused you of directing us to an infected site - and there is a possibility of false positives - hell Norton with the most recent updates labels PeID 0.93 as a Trojan as well as the accompanying plug-ins - apparently it's using "heuristic" detection now - something it has not done in the past - as for problems I thought might be related to Syser, I've solved the annoyances that popped-up after uninstallation and now believe my Search Companion problem is probably related to uninstalling the commercial version of RealPlayer - but that would not have had an effect on my experience on the web page as I went to it during lunch at work where I have no RE tools installed or other related utilities - admittedly they recently upgraded our installations of Norton - but that doesn't explain the pop-up - the experience was very similar to visiting some of the more seedy Russian Warez sites. I have a machine here at home dedicated to risky web searching and I'll take another look today as I'm interested in your tool, I'll let you know!

    Thanx for your contribution.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  12. #12
    I can assure you I have visited the site (with a secured IE) and find nothing of concern. It's safe.

  13. #13
    yup, site seemed fine for me too using firefox

  14. #14
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Note:

    My firewall, BlackIce gives me a warning "rogue application" when I access http://www.gwforum.ca/l-spiro/index.php using IE

    Netscape or FireFox goes under the radar

  15. #15
    reknihT esreveR SiGiNT's Avatar
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    One more good reason to switch to FireFox or Opera for good - old habits are hard to break - anyway I was at work and don't have a choice - but in support of someone else's point - there is something going on here at home - something I was working on today, a newer version of an old familiar target is giving me odd error messages for no apparent reason - I think I need to do some major repair on my OS here - or finally upgrade to "PRO".

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!
