News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

ReadProcessMemory, bytes

Started by Dale, November 29, 2009, 10:06:28 PM

Previous topic - Next topic

Dale

Hi guys, I am confused as to how I would ago about ReadProcessMemory in mASM so that I could check to see if a specific memory area was edited.  I totally love Assembly, best language ever.  I am trying to move from C++ and trying to take some of my favourite techniques with me, however, I am having quite a bit of trouble with string operations, and byte operations.  Everything else is going great  :bg

Here's what I have sofar.

PS: I removed .data and .code tags etc


;.data
laByte1 dw 0 ;This value is 2 bytes correct?

laByte2 dw 74h ;just wasnt to make sure they are not opening olly and cracking my program by changing 74 to 75
           dw 19h

MemoryAddress dw 40000000h ;that is not my memory address, just an example

;.data?
hFile dd ?

;find, and PROCESS_ALL_ACCESS here, store handle in hFile

;.code here and start end start etc
invoke ReadProcessMemory, hFile, (void**) MemoryAddress, laByte1, SIZEOF laByte1, NULL ;(void**) is this correct? in C++ I do it like that

.if laByte1 == laByte2
;Nobody has eddied my program, so continue
.else
;jump down and ban them from my program
.endif

@ban:
;ban their unique id


So,

1: ReadProcessMemory is not working for me, pretty sure it is because of the (void**), not sure how it is done in ASM
2: Am I comparing my bytes correctly? Or is there a specific function I should be using? like a strcmp for bytes
3: Were can I learn all of this? Was not in any of the ebooks I read, or Iczelion's tutorials.  Does anybody have any other tips that can avoid crackers from breaking into my program? Besides packing, the olydbg crash pointer, and moving vars.
4: Does anybody have a site that teaches some adv string operations with mASM?

MichaelW

So even though you clearly have no significant grasp of assembly you now need to implement anti-cracking techniques?
eschew obfuscation

2-Bit Chip

Quote from: MichaelW on November 29, 2009, 10:43:56 PM
So even though you clearly have no significant grasp of assembly you now need to implement anti-cracking techniques?

Hm. That's a thinker.

Dale

Pretty much, I just know functions, macros, registers and etc.  Very basic stuff, but I can still make some good programs. (By my standards)

hutch--

Dale,

In the memory space of a running app you can simply read that address range from inside your own app starting at 400000h for an exe and with a bit of effort if you load DLLs you can get their start address and read that as well. If it is checking your own app for memory modifications you can use a CRC procedure to see if anything has been altered and respond accordingly.

Calls to ReadProcessMemory() are usually seen as techniques to read information from another running process, game hacks, patchers and similar so I would avoid this stuff so you app does not get flagged as a virus.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Dale

Quote from: hutch-- on November 30, 2009, 12:20:36 AM
Dale,

In the memory space of a running app you can simply read that address range from inside your own app starting at 400000h for an exe and with a bit of effort if you load DLLs you can get their start address and read that as well. If it is checking your own app for memory modifications you can use a CRC procedure to see if anything has been altered and respond accordingly.

Calls to ReadProcessMemory() are usually seen as techniques to read information from another running process, game hacks, patchers and similar so I would avoid this stuff so you app does not get flagged as a virus.

Thank you, I am looking into the CRC procedure

Slugsnack


evlncrn8

if you're checking within your own process, you have no need for read/writeprocessmemory too.