
MHS 4.0.0.0: Search/Hex Edit/Disassemble/Debug/Inject/More


L. Spiro
August 21st, 2007, 08:55
MHS 4.0.0.0 (http://memoryhacking.com) has just been released with heavy improvements.


Searching

Data-Type Searches

Extremely fast and efficient.
Many search types.

Exact Value
Not Equal To
Range
Lower Than
Greater Than
Unknown

Improved and intuitive interface.
Epsilon and Smart Epsilon for floating-type searches.

Pointer Searches

Find pointers fast. Static and otherwise.

String Searches

Many types of useful searches.

ASCII: A normal string of text.
Unicode: A normal Unicode string.
Hex String: A raw sequence of bytes.
Wildcard: Search with wildcard tokens * and ?.
Regular Expression: Full regular-expression searches. The most dynamic string searches available.


Group Searches

Find sets of data near each other in any order, in exact order, or by count.
Find sequential data based on how each element relates to the previous element. Especially useful for finding tilemaps.

Script Searches

The end-all-be-all in searching. You define the criterion for what is found and what is overlooked. Fully documented.


Real-Time Hex Editor

The only real-time hex editor available. Shows RAM as it changes and highlights the changed values for ease in spotting.
Works on RAM and files. Opens any size of file quickly with no slow-down and little RAM consumption.
Tons of features and a professional feel.

RAM Watcher

View RAM in real-time with many interpretations of the data.

Real-Time Expression Evaluator

All C/C++ mathematical operators are recognized.
New [ ] operator allows reading RAM of the target process, and reading is done in real-time to give you up-to-date evaluations.

Hotkeys

Many assignable functions.
Attach scripts to Hotkeys to perform any operation at the touch of a button.
Two modes for Hotkey processing.

Disassembler

JMP/CALL highlighting with mouse-over.
Names of recognized functions displayed.
ASM tips explain the current command and show the results after the command is executed.
Improved Auto-Hack.
Useful color-coded stack display.

Debugger

Breakpoints with selectable functions.
Scripts can be called when breakpoints are hit to allow you to easily perform any operations you desire. Easily hook the target process.
Much faster than before. Perfect stability.

Injection Suite

Finds or allocates code caves for you, or select your own.
Automatically creates the jump gate from the original code to your new code.
Automatically adds the code overwritten by the jump gate to your new code, before or after.
Automatically adds the jump back to the original code from your new code.
Injections can be set to automatically inject when the target process is loaded.

Scripts

A full programming language (L. Spiro Script) is integrated, complete with an environment, compiler, and a full set of documented API functions.
Language syntax matches C/C++, so there is no need to learn a new language. C/C++ programmers are ready to go.
New extern feature makes it easy to work with the RAM in the target process. Fully documented with examples.
An API for sending mouse clicks and keyboard strokes makes it ideal for creating bots.

Kernel-Mode

A kernel-mode driver provides undetected access to many protected games, and MHS is not detected by Game Guard.

Stability

MHS is extremely stable. There is only one known issue with the Hex Editor (though exceptionally rare, making it difficult to track), and all other areas of the software are considered 100% stable.

Extensive Documentation

The included documentation is professional in design and covers every subject extensively.



A growing forum offers full support and many updates and features are still to come.

Get it while it’s now!


L. Spiro

L. Spiro
October 21st, 2007, 06:34
Despite the lack of enthusiasm shown for my release above, I am happy to present a powerful new feature in the latest release, which I believe you can not find anywhere else (correct me if I am wrong).



Among many other additions, MHS 4.0.0.4 (http://memoryhacking.com/) now sports a DLL Injector (Ctrl-J).
Such a feature is common, and MHS has been long overdue for one itself, but this DLL Injector comes with some useful extras.

After injecting your DLL, the DLL Injector allows you to call any of your DLL functions by name, allowing you to pass any number of full-expression parameters with either the __cdecl or __stdcall calling convention.

The function is called remotely within the DLL in the target process, in the context of the target process.

The DLL Injector shows the return value from the function called in the target process.

This page (http://www.memoryhacking.com/Misc/Tut/DLL%20Injector.htm) explains it in more detail.


A single parameter can be any expression, and an expression can be made with any C operators, including <<, &, ||, &&, !, ~, etc. These are explained in the Expression Evaluator (http://www.memoryhacking.com/Misc/Tut/Expression%20Evaluator.htm) page.




The utility for calling functions in the target process is not limited only to the DLL Injector. In the Disassembler (Ctrl-D), you can right-click any address and select the Call Function menu item to call that address as a function (again with any parameters you please, and with the return value presented after the call).
Furthermore, you can go to the Imports or Exports tab in the Helper window and right-click any function from those lists and have them called.

The remote functions are called within a stable environment, so the risk of crashing MHS or the target process (by passing bad arguments, calling it incorrectly, or even calling addresses that aren’t functions) is relatively small, making it very friendly to use.


This is a useful feature I believe no other software offers, though if I am wrong, at least here is an alternative.




A lot of issues were solved that were causing people problems in MHS 4.0.0.0, so if you didn’t like that version give this one a shot anyway.



L. Spiro

* MHS uses a kernel-mode driver for opening the target process, checking if the target is closing, and reading the RAM of the target process.

naides
October 21st, 2007, 06:52
I apologize for not stating the obvious, L. Spiro: your tool is unique, Swiss-Army-like, and exceedingly cool.
Thank you again

dELTA
October 21st, 2007, 10:49
Hey L. Spiro, your software is extremely cool, and I'm sure it's just a coincidence that no one has replied to your thread. I actually had a look at it just yesterday, and thought "damn, that looks like a really cool and complex piece of software, I really hope I'll have the time to play around with it some day". Maybe it's just that, that the massive complexity and competence of it scares people away from "just a quick look"?

Keep up the good work anyway, and please let us know about any future versions here!

wtbw
October 21st, 2007, 16:28
I really like this. Thanks L. Spiro

L. Spiro
October 21st, 2007, 22:26
Thank you everyone.

I will let you know about any big new features, and I am also open to reasonable requests.
Also feel encouraged to report any issues you may discover (except those damn blanking-out dockable windows) as I am very focused on keeping it as stable and issue-free as possible.


L. Spiro

linhanshi
October 22nd, 2007, 01:59
Good job. I like it.

Pietsnol
October 25th, 2007, 15:36
Thanks for the handy program.

LLXX
October 27th, 2007, 01:17
Add a (basic) Asm->C decompiler and then it'll really be complete

L. Spiro
January 20th, 2008, 14:09
There have been many versions since my last post; I wanted to make sure the next post would have enough content to make it worth having a new post.
I think it has advanced enough now.

http://www.memoryhacking.com/

You can tell the software is primarily aimed at games, but it is useful for general software as well, and with its new process detection it can be useful for finding hidden processes as well.

Scripts are even more powerful than before and disassembling/reassembling can be automated with scripts as well. We use it a lot at work to make various useful tools, especially for converting some data format to something we can use in our games (I am a video-game programmer/designer by profession).

The community has become much more active and more tutorials are available, written by community member(s).
Here are a few that demonstrate some of the power behind MHS:
http://memoryhacking.com/forums/viewtopic.php?t=403 => 3 Ways of Slowing Minesweeper.
http://memoryhacking.com/forums/viewtopic.php?t=440 => A Custom Packet Sniffer/Editor.



MHS 4.0.0.13 has very advanced anti-anti-cheat implementations and very advanced process-detection routines; it can see, open, and modify Cheat Engine even when it hides itself in both kernel and user-mode.


// == Process Detection == //

It can see “full stealth” Cheat Engine as well as processes hidden by at least nProtect Game Guard (all versions) and XTrap (all versions). Most likely all other anti-cheat software is covered, but only these two have been officially tested.



// == Anti-Cheat Detection Avoidance == //

MHS now has a feature that allows you to dynamically change its file size, CRC, window titles, file name, and everything else anti-cheats would use to try to detect it.
You can add any title to your windows you want, and rename it to anything you want. Every copy of MHS can be unique, like a whole new process.
Other software would have you pay $49.90 (http://www.artmoney.ru/e_register.htm) for the same feature, but with MHS you can do it as many times as you like and it is—and will always be—free.


// == General Anti-Anti-Cheat == //

MHS now comes with a very powerful and generalized anti-anti-cheat, as well as new script features that allow users to extend the existing anti-anti-cheat or to add their own. Extensibility via scripts implies an anti-anti-cheat that can evolve and continue working forever into the future, even if I ever stop working on this project.


// == Improved Compatibility on Vista == //

The MHS kernel now works on Windows® Vista as well as it does on Windows® XP. The MHS kernel is known to be very stable in comparison to the kernels in Cheat Engine, Sora Engine, Moonlight Engine, etc., which instantly blue-screen under some circumstances, such as running on Windows® Vista, running on a multi-processor machine, or if the target process closes at just the wrong time. I think Cheat Engine 5.4 has improved its kernel a lot though (but I have not tested it yet).
DISCLAIMER: This version of MHS introduces some new components to the kernel which have been heavily tested on my own but have yet to stand the trials of thousands of users.


// == Other == //

The Disassembler looks much nicer now and has extra information. Other tweaks have been made and bugs have been fixed.


Because of the advanced anti-anti-cheat features in this version, which extend into the kernel, I want to stress that if anyone has any problems with this version then he or she should e-mail me with the problem or post it on my forum.


L. Spiro

dELTA
January 20th, 2008, 14:27
Very nice as usual, your tool is indeed undoubtedly the king of memory hacking software.

I've updated its CRCETL entry, but you are very welcome to add a better and more complete description of it there too:

http://www.woodmann.com/collaborative/tools/Memory_Hacking_Software

JMI
January 20th, 2008, 15:10
And, as usual, we appreciate your continuing to share your quality efforts with our readers.

Regards,

L. Spiro
January 21st, 2008, 02:02
Thank you everyone.
An issue was discovered that only affects some people (the only common trait I can see between them is AMD + multiple cores, but this may not be related) and has been patched with a new 4.0.0.13 uploaded over the old one.
Furthermore another version will probably be posted tonight with a small-but-helpful addition.

I can not edit the CRCETL entry. It says it will update the fields (after clicking the edit button) but never does.
That’s okay though. The description is fine with me; I would only edit the link to point to 4.0.0.13 instead of 4.0.0.12. Maybe someone else can do that until it starts working for me.

Nice library by the way.


L. Spiro

JMI
January 21st, 2008, 03:02
Hi L. Spiro:

I don't know what the problem may be that would allow you to edit the version number, but not the link to the new version. Anyway, I have updated your link to the software in the CRCETL to read:

http://www.memoryhacking.com/MemHack/MHS4.0.0.13.rar

Thanks again for sharing your great tool with our readers.

Regards,

mambox
January 24th, 2008, 11:31
May I join, late, the thread to say that your tool is a really nice toy, probably the best with CE!

Congrats for the work and for letting it be free, until new agreements.

greets!

GEEK
February 4th, 2008, 03:55
I have used this app a few times and, as dELTA said, it's really the king of memory hacking with tons of features.

BTW, I am myself surprised to know I haven't posted for 1 year, as I have been quite a regular reader of this forum for many years now. I guess Google + forums like this one + books + friends suffices for most of my information needs.

JMI
February 19th, 2008, 13:42
xtiaoshi posted the following information of the latest update for the great tool on Exetools today. I'm sharing it here:

Version 4.0.0.14 (1:06 AM 2/12/2008)
1: The All list in the Open Process dialog now shows processes that have not been closed properly.
2: Functions exported by the HAL are now shown in the Kernel Functions tab.
3: The Go To Target pop-up menu item in the Disassembler now allows going to the target in the current tab or a new tab.
4: The entries to ntoskrnl.exe functions are now shown in the Disassembler.
5: Group Searches now use epsilon as per the search options.
6: Added the CreateHookInfo, DestroyHookInfo, CreateFuncHookInfo, DestroyFuncHookInfo, GetNtOsKrnlRange, GetNtOsKrnlPath, GetNtOsKrnlName, GetHookInfo, GetFuncHookInfo, GetFuncHookTotalCalls, GetFuncHookTotalHooks, GetFuncHookCall, GetFuncHookHook, GetProcAddress, and GetKernelProcAddress functions to the scripts.
7: Added the CreateRemoteThread, CreateRemoteThreadAndGetReturn, and CallRemoteFunction functions to the scripts.
8: Added the GetEproc function to the scripts.
9: Fixed a security bug.
10: Fixed a security bug.
11: Functions in Hal.dll are now shown in the Disassembler.
12: The .EXE extension is now added automatically if not supplied in the Modify Self dialog.
13: Fixed the AddBreakpoint() script function.
14: Module-list processing stabilized when attached to processes that hook certain API functions to protect themselves (improves stability in the Disassembler, Hex Editor, and Properties).
15: The Property header of the Info tab of the Helper dockable of the Hex Editor is now wider by default.
16: The Exports tab of the Disassembler now shows module addresses.
17: All search-related dialogs accept any valid expression for all input fields.
18: SO() and EO() operators added to the Expression Evaluator.
19: Added the ability to view chunks in the Hex Editor or Disassembler from the Properties dialog.
20: The Properties dialog now defaults to the Chunks tab.
21: The EPROCESS tab of the Properties dialog defaults to having a wider header.
22: It is now possible to snap the search range to selected chunks or selected modules via the Properties dialog.
23: Hotkeys added via scripts are no longer saved between sessions.
24: Added the GetSdtFuncIndex, GetSdtFuncName, GetSdtFuncAddress, GetCurrentSdtFuncAddress, GetSdtTableAddress, GetCurrentSdtTableAddress, and GetSdtTotalFuncs, functions to the scripts.
25: MHS is now able to bypass all anti-cheat protections to open processes and read their RAM.
26: Added the Assemble command to the Disassembler pop-up menu.

http://www.memoryhacking.com/MemHack/MHS4.0.0.14.rar

Thanks to L. Spiro for his continuing work!

Regards,

JMI
February 19th, 2008, 13:47
Beat dELTA to the CRCETL update AGAIN!

http://www.woodmann.com/collaborative/tools/Memory_Hacking_Software

Now showing version: 4.0.0.14

Regards,

dELTA
February 19th, 2008, 13:55
Hehe, any CRCETL update is always appreciated, but next time please don't be in such a hurry just to "beat me" that you leave out the "Last updated" field, now I had to update that myself anyway.

That aside, I'm very glad to see the continued updates of this great tool.

JMI
February 19th, 2008, 14:19
Actually, when I first noted the "update" date, I read it as February 20 2008 and I was wondering how it got "updated" tomorrow. Was distracted by a "real world moment" and by the time I got back to it, it had already been changed, or I had misread it originally.

Regards,

dELTA
February 19th, 2008, 14:36
It said January 20, 2008, so that was the "misreading".

JMI
February 19th, 2008, 14:45
Wait! Isn't it still January? My Alzheimer's just kicked in. What was your name??? Oh, I'm so confused?????

Regards,

Nico
February 24th, 2008, 20:24
Can't access the site.. I wanted to test the latest version, but cannot; I get a 403.

I hope you guys made local copies, just in case

L. Spiro
February 24th, 2008, 20:44
I posted the update on my site and then walked out the door to the airport. I did not have time to post here or anywhere else.

As for my site, I thought it was Japan blocking my connection (I am in Tokyo right now) because of it being a "hacking" site, but outside sources confirm there is really something wrong with the site.

My company shares the same host and their site is also down. That's good news, because that means the problem will be fixed as soon as possible.

I do not know why our host is down; I wonder if it is a DOS attack on my site by someone who was somehow on the receiving end of some people's use of my software. Someone getting tired of being killed in some MMORPG or something.

The monitor on my laptop broke while I was in San Francisco but I can upload a current version of MHS here when I get back to Bangkok (2-3 days).


L. Spiro

Nico
February 24th, 2008, 21:01
I am glad to hear it's just some host problem.
If your company is using the same host, we can expect it to be back online soon.

I am looking forward to testing your latest version. Seems to have some really great feature in the 4.x versions.

Keep up the awesome work

It's funny to see a game dev making a tool to cheat in games.
I also have my own tool for this task, but nothing as advanced.. mostly to thwart anti-cheats.

WaxfordSqueers
February 24th, 2008, 22:10
Thanks for your app. I was fiddling with the debugger, trying to get it to break on the program entry point, but it insisted on stopping in ntdll.dll at the following code:

7C901220 | 0F84 E0F10000 | JE 7C910406 |
7C901226 | 5E | POP ESI |
7C901227 | C9 | LEAVE |
7C901228 | C2 0400 | RETN 4 |
7C90122B | 90 | NOP |
7C90122C | 90 | NOP |
7C90122D | 90 | NOP |
7C90122E | 90 | NOP |
7C90122F | 90 | NOP |
7C901230 | CC | INT3 |
7C901231 | C3 | RETN |

Note the int 3 at 7C901230. At first, I thought it was an int 3 your app had injected but I disassembled ntdll and the int 3 is there. I normally use bpx baseprocessstart in k32 and step to the app being tested. I wonder if it's a bug in your app or in my ntdll? :-) I've seen CC's used as fillers but never with NOP's.

I verified the CC is there in IDA and a hex editor. Also, I did a file compare between two versions of ntdll.dll and they were the same. Could someone verify that the CC is there?

It would be nice if you could indicate which code module one is tracing through, or maybe I'm missing something.

L. Spiro
February 25th, 2008, 00:41
There is a CC breakpoint there (hence the name of the function at that address) and it is normal for the debugger to go there when debugging starts.

When debugging starts Windows creates a new thread in the target process and causes it to break by sending it there. MHS catches the break and puts the Disassembler there but if you do not want to pause the target process on Open for Debug it just lets the thread go and things continue.

If you are getting this address on Open for Debug and pausing the process, well I think I do need to modify things just a bit so that it uses that breakpoint to set a breakpoint on the entry of the target. For now you can add one there manually by just opening a new Disassembler tab and adding one there.


As for indicating the module being traced, you can expect this in an upcoming release.


L. Spiro

WaxfordSqueers
February 25th, 2008, 04:06
Quote (originally posted by L. Spiro): "There is a CC breakpoint there (hence the name of the function at that address) and it is normal for the debugger to go there when debugging starts."

Thanks for the reply and the info about ntdll.dll.

L. Spiro
February 27th, 2008, 15:21
I am back in Bangkok but I can not upload the latest version directly because it is larger than 1 megabyte (it is 4,126,893 bytes).


L. Spiro

JMI
February 27th, 2008, 15:49
Still not able to access your site or your software from the West Coast of the U.S. When it's back up I'll update your CRCETL listing and link.

Regards,

Nico
February 27th, 2008, 19:24
L. Spiro, how about you use rapidshare.com?

L. Spiro
February 27th, 2008, 21:39
Disable Java and visit:

http://www.mpcforum.com/showthread.php?t=143611

This is the only site that allows me 4-meg uploads.


L. Spiro

JMI
February 28th, 2008, 06:15
I've updated the Link:

http://www.woodmann.com/collaborative/tools/Memory_Hacking_Software

Now showing version: 4.0.0.14(bundle)

Last update: February 16, 2008 (as per your site, which is back up)

Description :

Bundle includes MHS.exe, zlib1.dll, MHS Help.chm, and ChangeLog.txt.

For those interested, the help file is also available separately:

http://www.memoryhacking.com/MemHack/MHS Help.chm

Link to help file added in Description in CRCETL entry.



Regards,

dELTA
February 28th, 2008, 06:27
And there is another quite suitable site that accepts 4 MB uploads you know...

It's now locally archived in the corresponding CRCETL entry:

http://www.woodmann.com/collaborative/tools/Memory_Hacking_Software


JMI
February 28th, 2008, 06:32
I've also updated the CRCETL entry to show the "Related URL" of:

MPC.DE Forum Thread Discussion of this tool by Author and others:

http://www.mpcforum.com/showthread.php?t=143611

as mentioned in this Thread.

Regards,

tHE mUTABLE
February 28th, 2008, 20:00
Not working under Vista Home Premium SP1.

L. Spiro
February 28th, 2008, 23:18
I didn’t have time to test it on that version before leaving, but I have it and will test it when I am not vomiting.


By the by, what tools are available for fighting DDoS attacks?


L. Spiro

dELTA
February 29th, 2008, 04:04
The general rule about DDoS attacks is to counter them as far upstream as possible in the routing/network flow. I.e. if a well-configured and robust firewall in front of your server doesn't do it, you must cooperate with your ISP, and possibly even this ISP's upstream partners to solve it in the best way possible through selective filtering.

Then of course, it depends a lot on what kind of DDoS attack it is too.

L. Spiro
August 13th, 2008, 02:15
MHS finally uses the function/structure/typedef/enum database and the current release (MHS 5.002) lets you add your own custom ones as well.


Here, a custom structure/template has been mapped over RAM in the Hex Editor.
Clicking on the members in the dockable window at the bottom highlights it in the Hex Editor.
You can easily see the types and values of all members.
http://www.memoryhacking.com/Pictures/TempPrev.png

The structures/templates are dynamic as well. In a .EXE file there is a pointer to the PE header. My structure uses a dynamic array to fill the gap from the initial header to the _IMAGE_NT_HEADERS highlighted in the picture. The gap changes size on every .EXE file, but so does the size of the dynamic array, allowing the same template to map all .EXE files.


The editor is now more compact, faster, and easier to use.
http://www.memoryhacking.com/Pictures/TempEditor.png

Here I have 2 members with dynamic array sizes: Pad, with an array size of (AddressOfNewExeHeader-40h), fills the space from the DOS header to the NT header.
SectionTable, with an array size of (NtHeader::FileHeader::NumberOfSections), correctly maps the number of sections in the image.


There are over 1,800 predefined structures and over 4,500 predefined typedefs, so you don’t have to remake common structures. You can override predefined structures with your own as well (if you ever delete yours, the predefined one will still be there).



The Future:
The Disassembler currently shows parameter types and names.
The next step is to take these dynamic templates and map them automatically as they are encountered while single-stepping through code.
As you step through with the Disassembler, the parameters of the current function will be mapped to RAM and the values of all of their members will be shown clearly.
Furthermore, statements such as MOV EAX, [EBP-4] may be replaced with MOV EAX, [&rRect.width], optionally of course.


L. Spiro
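To show concretely how the Pad and SectionTable dynamic arrays in the post above resolve on a real image, here is an added Python parser (not MHS code, and not from the thread) that walks the same path: it reads the DOS header's pointer to the NT headers (the field the post calls AddressOfNewExeHeader, e_lfanew in the Windows headers), treats the gap up to it as a pad of e_lfanew - 40h bytes, reads NumberOfSections from IMAGE_FILE_HEADER, and maps that many IMAGE_SECTION_HEADER entries. The input is a constructed header-only blob built by the example itself, so it runs offline; the bounds checks are what you would want before mapping any template over untrusted data.

```python
"""Added example: map a PE image the way the dynamic template in the post does.
The parse mirrors the template: DOS header -> Pad[e_lfanew - 0x40] ->
PE signature -> IMAGE_FILE_HEADER -> optional header -> SectionTable[NumberOfSections]."""
import struct

DOS_HEADER_SIZE = 0x40
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_pe(data: bytes) -> dict:
    """Return the header layout of a PE blob, raising ValueError on malformed input."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    # AddressOfNewExeHeader / e_lfanew lives at offset 0x3C of the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew out of range")
    pad_size = e_lfanew - DOS_HEADER_SIZE        # size of the template's Pad array
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4
    (machine, num_sections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    # The section table follows the optional header, whose size comes from the file header.
    sect_off = fh_off + FILE_HEADER_SIZE + opt_size
    if sect_off + num_sections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(num_sections):           # SectionTable[NumberOfSections]
        (name, vsize, vaddr, rawsize, rawptr, _rel, _lin, _nrel, _nlin, flags) = \
            struct.unpack_from(SECTION_HEADER_FMT, data, sect_off + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": flags})
    return {"e_lfanew": e_lfanew, "pad_size": pad_size, "machine": machine,
            "characteristics": characteristics, "optional_header_size": opt_size,
            "number_of_sections": num_sections, "sections": sections}


def build_sample(pad_size: int, section_names) -> bytes:
    """Constructed header-only PE blob (not a loadable image) with a chosen pad size."""
    e_lfanew = DOS_HEADER_SIZE + pad_size
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    blob = bytes(dos) + b"\0" * pad_size         # pad contents are irrelevant to the template
    blob += IMAGE_NT_SIGNATURE
    # Machine=i386, NumberOfSections, no symbols, SizeOfOptionalHeader=0 to keep the sample short.
    blob += struct.pack(FILE_HEADER_FMT, 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    for i, name in enumerate(section_names):
        blob += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                            0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                            0, 0, 0, 0, 0x60000020)
    return blob


if __name__ == "__main__":
    info = parse_pe(build_sample(0x80, [b".text", b".data", b".rsrc"]))
    print(f"e_lfanew=0x{info['e_lfanew']:X} pad={info['pad_size']} sections={info['number_of_sections']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} VA=0x{s['virtual_address']:X} raw=0x{s['raw_ptr']:X}")
```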

dELTA
August 24th, 2008, 04:58
Sorry for late reply, I have been on a longer trip. Great work as usual anyway, please keep it up, your tool is very nice and gets better and more promising by every minor update.