Guida AutoIT! Scrivere una hack - Gafra96 - 10-11-201205:15 PM
Non pensavo di arrivare a scrivere una guida ma non avendo nulla da fare...
In questa guida verranno tenuti ormai noti i sistemi per trovare un pointer o un address(Per chi non sapesse farlo il tutorial di CheatEngine è sufficente)
Strumenti:
Un debugger(CE,IDA,Olly...)
AutoIT
KodaGUI
Guida:
Per prima cosa inizieromo col creare la GUI tramite KodaGUI
Spoiler:
Ora apriamo pinball e cerchiamo il pointer dei punti
Spoiler:
Bene ora abbiamo la gui e l pointer(sarebbe meglio fare prima pointer e poi GUI)
While 1
$nMsg = GUIGetMsg()
Switch $nMsg
Case $GUI_EVENT_CLOSE
Exit
EndSwitch
WEnd
Ora necessitiamo della libreria scrivere un pointer io consiglio questa libreria:
Citazione:
Codice:
#include-once
#region _Memory
;=================================================================================================
; AutoIt Version: 3.1.127 (beta)
; Language: English
; Platform: All Windows
; Author: Nomad
; Requirements: These functions will only work with beta.
;=================================================================================================
; Credits: wOuter - These functions are based on his original _Mem() functions. But they are
; easier to comprehend and more reliable. These functions are in no way a direct copy
; of his functions. His functions only provided a foundation from which these evolved.
;=================================================================================================
;
; Functions:
;
;=================================================================================================
; Function: _MemoryOpen($iv_Pid(, $iv_DesiredAccess(, $iv_InheritHandle)))
; Description: Opens a process and enables all possible access rights to the process. The
; Process ID of the process is used to specify which process to open. You must
; call this function before calling _MemoryClose(), _MemoryRead(), or _MemoryWrite().
; Parameter(s): $iv_Pid - The Process ID of the program you want to open.
; $iv_DesiredAccess - (optional) Set to 0x1F0FFF by default, which enables all
; possible access rights to the process specified by the
; Process ID.
; $if_InheritHandle - (optional) If this value is TRUE, all processes created by
; this process will inherit the access handle. Set to TRUE
; (1) by default. Set to 0 if you want it to be FALSE.
; Requirement(s): A valid process ID.
; Return Value(s): On Success - Returns an array containing the Dll handle and an open handle to
; the specified process.
; On Failure - Returns 0
; @Error - 0 = No error.
; 1 = Invalid $iv_Pid.
; 2 = Failed to open Kernel32.dll.
; 3 = Failed to open the specified process.
; Author(s): Nomad
; Note(s):
;=================================================================================================
Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $if_InheritHandle = 1)
If Not ProcessExists($iv_Pid) Then
SetError(1)
Return 0
EndIf
If @Error Then
DllClose($ah_Handle[0])
SetError(3)
Return 0
EndIf
$ah_Handle[1] = $av_OpenProcess[0]
Return $ah_Handle
EndFunc
;=================================================================================================
; Function: _MemoryRead($iv_Address, $ah_Handle(, $sv_Type))
; Description: Reads the value located in the memory address specified.
; Parameter(s): $iv_Address - The memory address you want to read from. It must be in hex
; format (0x00000000).
; $ah_Handle - An array containing the Dll handle and the handle of the open
; process as returned by _MemoryOpen().
; $sv_Type - (optional) The "Type" of value you intend to read. This is set to
; 'dword'(32bit(4byte) signed integer) by default. See the help file
; for DllStructCreate for all types.
; An example: If you want to read a word that is 15 characters in
; length, you would use 'char[16]'.
; Requirement(s): The $ah_Handle returned from _MemoryOpen.
; Return Value(s): On Success - Returns the value located at the specified address.
; On Failure - Returns 0
; @Error - 0 = No error.
; 1 = Invalid $ah_Handle.
; 2 = $sv_Type was not a string.
; 3 = $sv_Type is an unknown data type.
; 4 = Failed to allocate the memory needed for the DllStructure.
; 5 = Error allocating memory for $sv_Type.
; 6 = Failed to read from the specified process.
; Author(s): Nomad
; Note(s): Values returned are in Decimal format, unless specified as a 'char' type, then
; they are returned in ASCII format. Also note that size ('char[size]') for all
; 'char' types should be 1 greater than the actual size.
;=================================================================================================
Func _MemoryRead($iv_Address, $ah_Handle, $sv_Type = 'dword')
If Not IsArray($ah_Handle) Then
SetError(1)
Return 0
EndIf
Local $v_Buffer = DllStructCreate($sv_Type)
If @Error Then
SetError(@Error + 1)
Return 0
EndIf
If Not @Error Then
Local $v_Value = DllStructGetData($v_Buffer, 1)
Return $v_Value
Else
SetError(6)
Return 0
EndIf
EndFunc
;=================================================================================================
; Function: _MemoryWrite($iv_Address, $ah_Handle, $v_Data(, $sv_Type))
; Description: Writes data to the specified memory address.
; Parameter(s): $iv_Address - The memory address you want to write to. It must be in hex
; format (0x00000000).
; $ah_Handle - An array containing the Dll handle and the handle of the open
; process as returned by _MemoryOpen().
; $v_Data - The data to be written.
; $sv_Type - (optional) The "Type" of value you intend to write. This is set to
; 'dword'(32bit(4byte) signed integer) by default. See the help file
; for DllStructCreate for all types.
; An example: If you want to write a word that is 15 characters in
; length, you would use 'char[16]'.
; Requirement(s): The $ah_Handle returned from _MemoryOpen.
; Return Value(s): On Success - Returns 1
; On Failure - Returns 0
; @Error - 0 = No error.
; 1 = Invalid $ah_Handle.
; 2 = $sv_Type was not a string.
; 3 = $sv_Type is an unknown data type.
; 4 = Failed to allocate the memory needed for the DllStructure.
; 5 = Error allocating memory for $sv_Type.
; 6 = $v_Data is not in the proper format to be used with the "Type"
; selected for $sv_Type, or it is out of range.
; 7 = Failed to write to the specified process.
; Author(s): Nomad
; Note(s): Values sent must be in Decimal format, unless specified as a 'char' type, then
; they must be in ASCII format. Also note that size ('char[size]') for all
; 'char' types should be 1 greater than the actual size.
;=================================================================================================
Func _MemoryWrite($iv_Address, $ah_Handle, $v_Data, $sv_Type = 'dword')
If Not IsArray($ah_Handle) Then
SetError(1)
Return 0
EndIf
Local $v_Buffer = DllStructCreate($sv_Type)
If @Error Then
SetError(@Error + 1)
Return 0
Else
DllStructSetData($v_Buffer, 1, $v_Data)
If @Error Then
SetError(6)
Return 0
EndIf
EndIf
If Not @Error Then
Return 1
Else
SetError(7)
Return 0
EndIf
EndFunc
;=================================================================================================
; Function: _MemoryClose($ah_Handle)
; Description: Closes the process handle opened by using _MemoryOpen().
; Parameter(s): $ah_Handle - An array containing the Dll handle and the handle of the open
; process as returned by _MemoryOpen().
; Requirement(s): The $ah_Handle returned from _MemoryOpen.
; Return Value(s): On Success - Returns 1
; On Failure - Returns 0
; @Error - 0 = No error.
; 1 = Invalid $ah_Handle.
; 2 = Unable to close the process handle.
; Author(s): Nomad
; Note(s):
;=================================================================================================
Func _MemoryClose($ah_Handle)
If Not IsArray($ah_Handle) Then
SetError(1)
Return 0
EndIf
DllCall($ah_Handle[0], 'int', 'CloseHandle', 'int', $ah_Handle[1])
If Not @Error Then
DllClose($ah_Handle[0])
Return 1
Else
DllClose($ah_Handle[0])
SetError(2)
Return 0
EndIf
EndFunc
;=================================================================================================
; Function: _MemoryPointerRead ($iv_Address, $ah_Handle, $av_Offset(, $sv_Type))
; Description: Reads a chain of pointers and returns an array containing the destination
; address and the data at the address.
; Parameter(s): $iv_Address - The static memory address you want to start at. It must be in
; hex format (0x00000000).
; $ah_Handle - An array containing the Dll handle and the handle of the open
; process as returned by _MemoryOpen().
; $av_Offset - An array of offsets for the pointers. Each pointer must have an
; offset. If there is no offset for a pointer, enter 0 for that
; array dimension. (Offsets must be in decimal format, NOT hex!)
; $sv_Type - (optional) The "Type" of data you intend to read at the destination
; address. This is set to 'dword'(32bit(4byte) signed integer) by
; default. See the help file for DllStructCreate for all types.
; Requirement(s): The $ah_Handle returned from _MemoryOpen.
; Return Value(s): On Success - Returns an array containing the destination address and the value
; located at the address.
; On Failure - Returns 0
; @Error - 0 = No error.
; 1 = $av_Offset is not an array.
; 2 = Invalid $ah_Handle.
; 3 = $sv_Type is not a string.
; 4 = $sv_Type is an unknown data type.
; 5 = Failed to allocate the memory needed for the DllStructure.
; 6 = Error allocating memory for $sv_Type.
; 7 = Failed to read from the specified process.
; Author(s): Nomad
; Note(s): Values returned are in Decimal format, unless a 'char' type is selected.
; Set $av_Offset like this:
; $av_Offset[0] = NULL (not used)
; $av_Offset[1] = Offset for pointer 1 (all offsets must be in Decimal)
; $av_Offset[2] = Offset for pointer 2
; etc...
; (The number of array dimensions determines the number of pointers)
;=================================================================================================
Func _MemoryPointerRead ($iv_Address, $ah_Handle, $av_Offset, $sv_Type = 'dword')
If IsArray($av_Offset) Then
If IsArray($ah_Handle) Then
Local $iv_PointerCount = UBound($av_Offset) - 1
Else
SetError(2)
Return 0
EndIf
Else
SetError(1)
Return 0
EndIf
Local $iv_Data[2], $i
Local $v_Buffer = DllStructCreate('dword')
For $i = 0 to $iv_PointerCount
If $i = $iv_PointerCount Then
$v_Buffer = DllStructCreate($sv_Type)
If @Error Then
SetError(@Error + 2)
Return 0
EndIf
;=================================================================================================
; Function: _MemoryPointerWrite ($iv_Address, $ah_Handle, $av_Offset, $v_Data(, $sv_Type))
; Description: Reads a chain of pointers and writes the data to the destination address.
; Parameter(s): $iv_Address - The static memory address you want to start at. It must be in
; hex format (0x00000000).
; $ah_Handle - An array containing the Dll handle and the handle of the open
; process as returned by _MemoryOpen().
; $av_Offset - An array of offsets for the pointers. Each pointer must have an
; offset. If there is no offset for a pointer, enter 0 for that
; array dimension.
; $v_Data - The data to be written.
; $sv_Type - (optional) The "Type" of data you intend to write at the destination
; address. This is set to 'dword'(32bit(4byte) signed integer) by
; default. See the help file for DllStructCreate for all types.
; Requirement(s): The $ah_Handle returned from _MemoryOpen.
; Return Value(s): On Success - Returns the destination address.
; On Failure - Returns 0.
; @Error - 0 = No error.
; 1 = $av_Offset is not an array.
; 2 = Invalid $ah_Handle.
; 3 = Failed to read from the specified process.
; 4 = $sv_Type is not a string.
; 5 = $sv_Type is an unknown data type.
; 6 = Failed to allocate the memory needed for the DllStructure.
; 7 = Error allocating memory for $sv_Type.
; 8 = $v_Data is not in the proper format to be used with the
; "Type" selected for $sv_Type, or it is out of range.
; 9 = Failed to write to the specified process.
; Author(s): Nomad
; Note(s): Data written is in Decimal format, unless a 'char' type is selected.
; Set $av_Offset like this:
; $av_Offset[0] = NULL (not used, doesn't matter what's entered)
; $av_Offset[1] = Offset for pointer 1 (all offsets must be in Decimal)
; $av_Offset[2] = Offset for pointer 2
; etc...
; (The number of array dimensions determines the number of pointers)
;=================================================================================================
Func _MemoryPointerWrite ($iv_Address, $ah_Handle, $av_Offset, $v_Data, $sv_Type = 'dword')
If IsArray($av_Offset) Then
If IsArray($ah_Handle) Then
Local $iv_PointerCount = UBound($av_Offset) - 1
Else
SetError(2)
Return 0
EndIf
Else
SetError(1)
Return 0
EndIf
Local $iv_StructData, $i
Local $v_Buffer = DllStructCreate('dword')
For $i = 0 to $iv_PointerCount
If $i = $iv_PointerCount Then
$v_Buffer = DllStructCreate($sv_Type)
If @Error Then
SetError(@Error + 3)
Return 0
EndIf
DllStructSetData($v_Buffer, 1, $v_Data)
If @Error Then
SetError(8)
Return 0
EndIf
;==================================================================================
; Function: SetPrivilege( $privilege, $bEnable )
; Description: Enables (or disables) the $privilege on the current process
; (Probably) requires administrator privileges to run
;
; Author(s): Larry (from autoitscript.com's Forum)
; Notes(s):
; http://www.autoitscript.com/forum/index.php?s=&showtopic=31248&view=findpost&p=223999
;==================================================================================
Func SetPrivilege( $privilege, $bEnable )
Const $TOKEN_ADJUST_PRIVILEGES = 0x0020
Const $TOKEN_QUERY = 0x0008
Const $SE_PRIVILEGE_ENABLED = 0x0002
Local $hToken, $SP_auxret, $SP_ret, $hCurrProcess, $nTokens, $nTokenIndex, $priv
$nTokens = 1
$LUID = DLLStructCreate("dword;int")
If IsArray($privilege) Then $nTokens = UBound($privilege)
$TOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]")
$NEWTOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]")
$hCurrProcess = DLLCall("kernel32.dll","hwnd","GetCurrentProcess")
$SP_auxret = DLLCall("advapi32.dll","int","OpenProcessToken","hwnd",$hCurrProcess[0], _
"int",BitOR($TOKEN_ADJUST_PRIVILEGES,$TOKEN_QUERY),"int*",0)
If $SP_auxret[0] Then
$hToken = $SP_auxret[3]
DLLStructSetData($TOKEN_PRIVILEGES,1,1)
$nTokenIndex = 1
While $nTokenIndex <= $nTokens
If IsArray($privilege) Then
$ntokenvar=$ntokenindex-1
$priv = $privilege[$ntokenvar]
Else
$priv = $privilege
EndIf
$ret = DLLCall("advapi32.dll","int","LookupPrivilegeValue","str","","str",$priv, _
"ptr",DLLStructGetPtr($LUID))
If $ret[0] Then
If $bEnable Then
DLLStructSetData($TOKEN_PRIVILEGES,2,$SE_PRIVILEGE_ENABLED,(3 * $nTokenIndex))
Else
DLLStructSetData($TOKEN_PRIVILEGES,2,0,(3 * $nTokenIndex))
EndIf
DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,1),(3 * ($nTokenIndex-1)) + 1)
DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,2),(3 * ($nTokenIndex-1)) + 2)
DLLStructSetData($LUID,1,0)
DLLStructSetData($LUID,2,0)
EndIf
$nTokenIndex += 1
WEnd
$ret = DLLCall("advapi32.dll","int","AdjustTokenPrivileges","hwnd",$hToken,"int",0, _
"ptr",DllStructGetPtr($TOKEN_PRIVILEGES),"int",DllStructGetSize($NEWTOKEN_PRIVILEGES), _
"ptr",DllStructGetPtr($NEWTOKEN_PRIVILEGES),"int*",0)
$f = DLLCall("kernel32.dll","int","GetLastError")
EndIf
$NEWTOKEN_PRIVILEGES=0
$TOKEN_PRIVILEGES=0
$LUID=0
If $SP_auxret[0] = 0 Then Return 0
$SP_auxret = DLLCall("kernel32.dll","int","CloseHandle","hwnd",$hToken)
If Not $ret[0] And Not $SP_auxret[0] Then Return 0
return $ret[0]
EndFunc ;==>SetPrivilege
; Function........: _MemoryGetBaseAddress($ah_Handle, $iHD)
;
; Description.....: Reads the 'Allocation Base' from the open process.
;
; Parameter(s)....: $ah_Handle - An array containing the Dll handle and the handle of the open
; process as returned by _MemoryOpen().
; $iHD - Return type:
; |0 = Hex (Default)
; |1 = Dec
;
; Requirement(s)..: A valid process ID.
;
; Return Value(s).: On Success - Returns the 'allocation Base' address and sets @Error to 0.
; On Failure - Returns 0 and sets @Error to:
; |1 = Invalid $ah_Handle.
; |2 = Failed to find correct allocation address.
; |3 = Failed to read from the specified process.
;
; Author(s).......: Nomad. Szhlopp.
; URL.............: http://www.autoitscript.com/forum/index.php?showtopic=78834
; Note(s).........: Go to Www.CheatEngine.org for the latest version of CheatEngine.
;===================================================================================================
If $vType = "00000080" Then
SetError(0)
If $iHexDec = 1 Then
Return Dec($vData)
Else
Return $vData
EndIf
Else
SetError(2)
Return 0
EndIf
Else
SetError(3)
Return 0
EndIf
EndFunc ;==>_MemoryGetBaseAddress
Func _MemoryModuleGetBaseAddress($iPID, $sModule)
If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
If Not IsString($sModule) Then Return SetError(2, 0, 0)
Local $PSAPI = DllOpen("psapi.dll")
;Get Process Handle
Local $hProcess
Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020) ; CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE
If $iPID > 0 Then
Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
If $hProcess[0] Then
$hProcess = $hProcess[0]
EndIf
EndIf
;EnumProcessModules
Local $Modules = DllStructCreate("ptr[1024]")
Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
If $aCall[4] > 0 Then
Local $iModnum = $aCall[4] / 4
Local $aTemp
For $i = 1 To $iModnum
$aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
If $aTemp[3] = $sModule Then
DllClose($PSAPI)
Return Ptr(DllStructGetData($Modules, 1, $i))
EndIf
Next
EndIf
DllClose($PSAPI)
Return SetError(-1, 0, 0)
EndFunc
#endregion
Bene ora dovremmo includerla nel progetto cosi
Codice:
#include<Pointer.au3>
E dovremmo scrivere la funzione che in questo caso è MemoryPointerWrite(dobbiamo scrivere in valore sul pointer)
Codice:
Func _MemoryPointerWrite ($iv_Address, $ah_Handle, $av_Offset, $v_Data, $sv_Type = 'dword')
$iv_Address = address base
$ah_Handle = Processo
$av_Offset = Offset
$v_Data = valore da scrivere
$sv_Type = tipo di scrittura(4byte,2,float,double ecc)
Esempio: _Memorypointerwrite(0x00234,$processo,$offset,9999,"DWORD")
Ricordiamoci che dovremmo anche dichiarare il processo e i relativi pointer da sommare e per farlo basterà fare cosi:
Dim $offset[4] = [0x0,0xa4,0x8,0xa0] ;Dichiarazione offset
$processo = _MemoryOpen(ProcessExists("pinball.exe")) ;processo
While 1
$nMsg = GUIGetMsg()
Switch $nMsg
Case $GUI_EVENT_CLOSE
Exit
Case $Button1
_MemoryPointerWrite(0x010253c4,$processo,$offset,5000000,"DWORD")
Case $Button2
_MemoryPointerWrite(0x010253c4,$processo,$offset,0,"DWORD")
EndSwitch
WEnd
Bella guida, è più proiettata dalla parte della programmazione che secondo me è quella più conosciuta; Bisognerebbe fare una guida per trovare il pointer..
Sarebbe necessario un video, dato che è abbastanza lunga e complessa per i newbie.
Complimenti comunque, +1!
(11-11-2012 12:10 PM)Loffa123 Ha scritto: Bella guida, è più proiettata dalla parte della programmazione che secondo me è quella più conosciuta; Bisognerebbe fare una guida per trovare il pointer..
Sarebbe necessario un video, dato che è abbastanza lunga e complessa per i newbie.
Complimenti comunque, +1!
Trovare un pointer non è complesso perchè ci sono 2 metodi,manuale e automatico. Inoltre come detto da me il tutorial fornito da CHeat Engine è più che sufficente.