05-15-2011, 07:39 AM
Hello all, this is a video showing how to hack the Deep Freeze password by reading it. I created a simple tool in VB.NET to help me read the valid string characters.
Screenshot:
Download Video:
Form Codes:
Module Codes:
Screenshot in IDE:
Download Executable:
Another rare release of mine. I hope this post doesn't violate the rules, because I thought it would help other people with memory read/write.
Screenshot:
Download Video:
Code:
http://www.mediafire.com/?ns4wf7epp31f5h1
Form Codes:
Code:
' Form of the tool from the post: it polls for a process named by Target,
' displays data read from fixed addresses in that process, and writes byte
' patches into it. Every address and the version string below are hard-coded,
' so the code is tied to the single build named in PatchMemoryAddress_Click.
' NOTE(review): defender view - what this leaves behind is a handle to the
' target opened with VM read/write access (see GetProcessId) and, presumably,
' in-memory code that no longer matches the image on disk.
Public Class Form1
' Process name handed to GetProcessId, which passes it to Process.GetProcessesByName.
Public Target As String = "FrzState2k"
' Timer1: calls GetProcessId(Target) on every tick. On success it updates the
' status label and shows the string read at &H52AE90; otherwise it reports the
' process as missing and disables the patch button.
' NOTE(review): GetProcessId calls OpenProcess each time it finds the process,
' so every tick obtains another handle; nothing in the visible code closes them.
Private Sub Timer1_Tick(sender As System.Object, e As System.EventArgs) Handles Timer1.Tick
If GetProcessId(Target) = True Then
' Process found and pHandle set.
ToolStripStatusLabel2.Text = "Process Found"
' Version string; ReadString loops from 0 to CharCount inclusive, so this
' issues 14 one-byte reads starting at &H52AE90.
TextBoxVersion.Text = ReadString(&H52AE90, 13).ToString
Else
ToolStripStatusLabel2.Text = "Process Not Found."
PatchMemoryAddress.Enabled = False
End If
End Sub
' Timer2: polls three fixed locations and shows them as password length,
' "valid" character and "invalid" character. The same three addresses appear
' (little-endian) inside the byte arrays written by PatchAddressMemory.
Private Sub Timer2_Tick(sender As System.Object, e As System.EventArgs) Handles Timer2.Tick
' The reads are unconditional: they run whether or not the patch was applied
' and whether or not pHandle is valid.
TextBoxPassLength.Text = ReadByte(&H51C5EC)
TextBoxValidString.Text = ReadString(&H51C5F0, 1)
TextBoxInvalidString.Text = ReadString(&H51C5F4, 1)
End Sub
' Writes five bytes to &H447FE6, the first address PatchAddressMemory
' overwrites. Not called anywhere in the visible code, and it does not touch
' the second patched site at &H448055.
' NOTE(review): presumably these are the original bytes of that site - confirm.
Sub PatchRest0reMemory()
WriteASM(&H447FE6, New Byte() {&H3B, &H45, &HFC, &H74, &H7})
End Sub
' Applies the two patches. Each one overwrites bytes at an existing location
' (&H447FE6, &H448055) with a sequence starting with &HE9 and writes a longer
' byte sequence to a second location (&H51C5F8, &H51C60D).
' NOTE(review): &HE9 is the x86 near-jump opcode, so these look like detours
' into the blocks written at &H51C5F8 / &H51C60D - inferred from the bytes,
' not stated on the page.
' WriteASM writes one byte per call and ignores the API result, so a failed or
' partial write goes unnoticed here.
Sub PatchAddressMemory()
' First patch: feeds the value Timer2_Tick shows as password length (&H51C5EC).
WriteASM(&H447FE6, New Byte() {&HE9, &HD, &H46, &HD, 0})
WriteASM(&H51C5F8, New Byte() {&H3B, &H45, &HFC, &H89, &H5, &HEC, _
&HC5, &H51, &H0, &HF, &H84, &HEB, &HB9, _
&HF2, &HFF, &HE9, &HDF, &HB9, &HF2, &HFF})
' Second patch: feeds the two character fields (&H51C5F0 and &H51C5F4).
WriteASM(&H448055, New Byte() {&HE9, &HB3, &H45, &HD, &H0, &H90, &H90, &H90})
WriteASM(&H51C60D, New Byte() {&H52, &H89, &H15, &HF0, &HC5, &H51, &H0, &HE8, _
&H2F, &HBB, &HFD, &HFF, &H59, &H59, &H89, &HD, &HF4, _
&HC5, &H51, &H0, &HE9, &H37, &HBA, &HF2, &HFF})
End Sub
' Patch button: applies PatchAddressMemory only when the version text equals
' "7.10.020.3176"; for any other value it beeps, shows a message and stops
' both polling timers. The check guards against writing these absolute
' addresses into a build with a different layout.
Private Sub PatchMemoryAddress_Click(sender As System.Object, e As System.EventArgs) Handles PatchMemoryAddress.Click
If TextBoxVersion.Text = "7.10.020.3176" Then
Call PatchAddressMemory()
PatchMemoryAddress.Enabled = False
Else
Beep()
MsgBox("Deep Freeze version is not supported", _
MsgBoxStyle.Information, "Message")
Timer1.Enabled = False
Timer2.Enabled = False
End If
End Sub
' Overwrites six bytes at &H411956 with &H90 (the x86 NOP opcode). The page
' does not say what this site is, and there is no version check on this path.
Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
WriteASM(&H411956, New Byte() {&H90, &H90, &H90, &H90, &H90, &H90})
End Sub
' Writes 0F 84 77 01 00 00 to the same six bytes at &H411956.
' NOTE(review): presumably the original bytes, i.e. the revert of Button1_Click - confirm.
Private Sub Button2_Click(sender As System.Object, e As System.EventArgs) Handles Button2.Click
WriteASM(&H411956, New Byte() {&HF, &H84, &H77, &H1, &H0, &H0})
End Sub
' Empty handler; Timer3 does nothing in the visible code.
Private Sub Timer3_Tick(sender As System.Object, e As System.EventArgs) Handles Timer3.Tick
End Sub
End Class
Module Codes:
Code:
Imports System.ComponentModel
' Helper module for reading and writing another process's memory through the
' Win32 API. All helpers operate on the module-level handle pHandle, which is
' assigned only by GetProcessId.
' NOTE(review): none of the helpers checks the result of ReadProcessMemory or
' WriteProcessMemory, so a failed call is indistinguishable from success
' (a failed read simply returns whatever was in the local buffer).
Module MemoryFunctions
' Win32 API declarations.
' NOTE(review): several parameter and return types below do not follow the
' documented Win32 prototypes (handles and addresses are pointer-sized there,
' and the last parameter of Read/WriteProcessMemory is a pointer to a byte
' count). Confirm marshalling before relying on these outside the 32-bit
' setup the author presumably used.
Declare Function VirtualAllocEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As IntPtr
Declare Function VirtualProtectEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal newProtect As Integer, ByRef oldProtect As Integer) As Boolean
' Declared but never called in the visible code, so handles from OpenProcess are not released.
Public Declare Function CloseHandle Lib "KERNEL32" _
(ByVal hObject As Int32) _
As Boolean
' Declared but not used in the visible code.
Public Declare Function GetAsyncKeyState Lib "USER32" _
(ByVal vKey As Int32) _
As Int16
' Declared but not used in the visible code.
Public Declare Function IsDebuggerPresent Lib "KERNEL32" () As Boolean
Public Declare Function OpenProcess Lib "KERNEL32" _
(ByVal DesiredAccess As Int32, _
ByVal InheritHandle As Boolean, _
ByVal ProcessId As Int32) _
As Int32
' Value is ByRef Int32: callers pass the data to write by reference and choose
' how many of its bytes are written through Size.
Private Declare Function WriteProcessMemory Lib "kernel32" _
(ByVal Handle As Integer, _
ByVal address As Integer, _
ByRef Value As Int32, _
ByVal Size As Integer, _
ByRef lpNumberOfBytesWritten As Long) _
As Long
' Size defaults to 4, so the three-argument calls below read four bytes.
Private Declare Function ReadProcessMemory Lib "kernel32" _
(ByVal Handle As Int32, _
ByVal address As Int32, _
ByRef Value As Int32, _
Optional ByVal Size As Int32 = 4, _
Optional ByVal lpNumberOfBytesWritten As Int64 = 0) _
As Integer
' Process access rights. These are mutable Public fields rather than constants.
Public PROCESS_TERMINATE As Int32 = 1
Public PROCESS_CREATE_THREAD As Int32 = 2
Public PROCESS_VM_OPERATION As Int32 = 8
Public PROCESS_VM_READ As Int32 = 16
Public PROCESS_VM_WRITE As Int32 = 32
Public PROCESS_DUP_HANDLE As Int32 = 64
Public PROCESS_CREATE_PROCESS As Int32 = 128
Public PROCESS_SET_QUOTA As Int32 = 256
Public PROCESS_SET_INFORMATION As Int32 = 512
Public PROCESS_QUERY_INFORMATION As Int32 = 1024
Public PROCESS_SUSPEND_RESUME As Int32 = 2048
' NOTE(review): 4091 (&HFFB) is not the Windows SDK value of PROCESS_ALL_ACCESS;
' the field is not referenced in the visible code.
Public PROCESS_ALL_ACCESS As Int32 = 4091
' Allocation types.
Public MEM_COMMIT As Int32 = 4096
Public MEM_RESERVE As Int32 = 8192
Public MEM_RESET As Int32 = 524288
Public MEM_TOP_DOWN As Int32 = 1048576
Public MEM_PHYSICAL As Int32 = 4194304
' Memory protection types.
Public PAGE_NOACCESS As Int32 = 1
Public PAGE_READONLY As Int32 = 2
Public PAGE_READWRITE As Int32 = 4
Public PAGE_WRITECOPY As Int32 = 8
Public PAGE_EXECUTE As Int32 = 16
Public PAGE_EXECUTE_READ As Int32 = 32
Public PAGE_EXECUTE_READWRITE As Int32 = 64
Public PAGE_EXECUTE_WRITECOPY As Int32 = 128
' Id of the process found by GetProcessId.
Private process_id As Int32 = 0
' Handle used by every read/write helper; stays 0 until GetProcessId succeeds.
Public pHandle As Integer = 0
' Not referenced in the visible code.
Dim FlagValue As Integer
' Looks up processes by name and, for the first match, stores its id and opens
' a handle into pHandle. Returns True if a process was found, False otherwise.
' Must be called before any read/write helper.
' The access mask 56 equals PROCESS_VM_OPERATION + PROCESS_VM_READ +
' PROCESS_VM_WRITE (8 + 16 + 32) from the fields above.
' NOTE(review): the OpenProcess result is not checked, so True is returned even
' if the open failed; each successful call also replaces pHandle without
' closing the previous handle.
Public Function GetProcessId(ByVal game_name As String) As Boolean
For Each p As Process In Process.GetProcessesByName(game_name)
process_id = p.Id
pHandle = OpenProcess(56, False, process_id)
Return True
Next
Return False
End Function
' Commits 2048 bytes of PAGE_EXECUTE_READWRITE memory in the target process
' and returns its start address, or 0 if the allocation failed.
' Not called in the visible code.
Public Function AllocMem() As Integer
Dim pBlob As IntPtr = VirtualAllocEx(pHandle, New IntPtr(), New IntPtr(2048), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If pBlob = IntPtr.Zero Then
Return 0
' NOTE(review): unreachable - the Return above exits before this message is shown.
MsgBox("Error allocating memory space.", MsgBoxStyle.Critical, "Message")
Else : Return pBlob
End If
End Function
' Sets 2048 bytes starting at AddressOfStart to PAGE_EXECUTE_READWRITE and
' throws Win32Exception if VirtualProtectEx fails. The previous protection is
' received in oldProtect but discarded, so it cannot be restored afterwards.
' Not called in the visible code.
Sub RemoveProtection(ByVal AddressOfStart As Integer)
Dim oldProtect As Integer
If Not VirtualProtectEx(pHandle, New IntPtr(AddressOfStart), New IntPtr(2048), PAGE_EXECUTE_READWRITE, oldProtect) Then Throw New Win32Exception
End Sub
' Writes one byte to the given address in the target process. The API result is ignored.
Public Sub WriteByte(ByVal address As Integer, ByVal Value As Byte)
WriteProcessMemory(pHandle, address, Value, 1, 0)
End Sub
' Writes a 4-byte value to the given address in the target process. The API result is ignored.
Public Sub WriteInt32(ByVal address As Integer, ByVal Value As Int32)
WriteProcessMemory(pHandle, address, Value, 4, 0)
End Sub
' Writes a byte array to consecutive addresses, one WriteByte call per byte,
' so the target sees the sequence appear byte by byte rather than in one write.
Public Sub WriteASM(ByVal address As Int32, ByVal Value As Byte())
For i As Integer = LBound(Value) To UBound(Value)
WriteByte(address + i, Value(i))
Next
End Sub
' Searches one module of the named process for a byte pattern and returns the
' address of the first match, or 0 if there is none.
' Not called in the visible code.
Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte()) As Integer
'To use this, use it like this:
'Address = AOBSCAN("gamename", "gamename.exe", New Byte () {Bytes go here})
Dim BaseAddress, EndAddress As Int32
' NOTE(review): indexing (0) throws if no process with that name is running.
' If no module matches, both bounds stay 0 and the scan below reads from address 0.
For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
If ModuleName = PM.ModuleName Then
BaseAddress = PM.BaseAddress
EndAddress = BaseAddress + PM.ModuleMemorySize
End If
Next
Dim curAddr As Int32 = BaseAddress
' Compares the signature at every address in turn, one ReadByte call per
' compared byte; the comparison may read past EndAddress near the end of the module.
Do
For i As Integer = 0 To Signature.Length - 1
If ReadByte(curAddr + i) = Signature(i) Then
If i = Signature.Length - 1 Then
Return curAddr
End If
Continue For
End If
Exit For
Next
curAddr += 1
Loop While curAddr < EndAddress
Return 0
End Function
' Follows a pointer chain and writes Buffer (4 bytes) at the final address:
' for each offset, Pointer is replaced by the 4-byte value read at Pointer and
' the offset is added. Always returns 0; no return type is declared.
Public Function WritePointer(ByVal Pointer As Int32, ByVal Buffer As Int32, ByVal OffSet() As Int32)
For Each I As Integer In OffSet
ReadProcessMemory(pHandle, Pointer, Pointer)
Pointer += I
Next
WriteProcessMemory(pHandle, Pointer, Buffer, 4, 0)
Return 0
End Function
' Follows the same pointer chain as WritePointer, then writes the current
' 4-byte value at the final address plus Buffer. Always returns 0.
Public Function WriteAddPointer(ByVal Pointer As Int32, ByVal Buffer As Int32, ByVal OffSet() As Int32)
For Each I As Integer In OffSet
ReadProcessMemory(pHandle, Pointer, Pointer)
Pointer += I
Next
WriteProcessMemory(pHandle, Pointer, ReadInt32(Pointer) + Buffer, 4, 0)
Return 0
End Function
' Reads one byte from the target process into a zero-initialised Integer and
' returns it. A failed read therefore returns 0, same as a genuine zero byte.
Public Function ReadByte(ByVal address As Int32) As Int32
Dim value As Integer
ReadProcessMemory(pHandle, address, value, 1, 0)
Return value
End Function
' Reads a 4-byte value from the target process and returns it (0 if the read failed).
Public Function ReadInt32(ByVal address As Int32) As Int32
Dim value As Integer
ReadProcessMemory(pHandle, address, value, 4, 0)
Return value
End Function
' Reads characters from the target process one byte at a time and returns them
' as a string.
' NOTE(review): the loop runs from 0 to CharCount inclusive, so CharCount + 1
' bytes are read and appended, not CharCount.
Public Function ReadString(ByVal Address As Int32, ByVal CharCount As Int32) As String
Dim ret As Byte() = Nothing
Dim vBuffer As Long
Dim tStr(CharCount) As Char
Dim retStr As String = ""
For i As Int32 = 0 To CharCount
ReadProcessMemory(pHandle, Address + i, vBuffer, 1, 0)
' vBuffer is expanded to 8 bytes and decoded as ASCII; assigning the result to
' a Char presumably keeps only the first character (implicit conversion) - confirm.
ret = BitConverter.GetBytes(vBuffer)
tStr(i) = System.Text.Encoding.ASCII.GetString(ret) : retStr += tStr(i)
Next
Return retStr
End Function
' Follows a pointer chain (see WritePointer) and reads the 4-byte value at the
' final address into Buffer, which is passed ByRef. Always returns 0.
Public Function ReadPointer(ByVal Pointer As Int32, ByRef Buffer As Int32, ByVal OffSet() As Int32)
For Each I As Integer In OffSet
ReadProcessMemory(pHandle, Pointer, Pointer)
Pointer += I
Next
ReadProcessMemory(pHandle, Pointer, Buffer)
Return 0
End Function
' Compares the 4-byte value at AddressToCheck with ValueToCheck; returns True on
' a match, otherwise shows a message box and returns False.
' Not called in the visible code (the form compares a version string instead).
Public Function CheckVersion(ByVal AddressToCheck As Integer, ByVal ValueToCheck As Integer) As Boolean
If ReadInt32(AddressToCheck) = ValueToCheck Then
Return True
Else : MsgBox("Version mismatch.", MsgBoxStyle.Critical, "Message")
Return False
End If
End Function
' Writes a 5-byte relative transfer from source to destination (opcode byte
' plus destination - source - 5), followed by Nops bytes of &H90.
' NOTE(review): the original comment calls this a jump, but &HE8 is the x86
' CALL opcode (near JMP is &HE9) - confirm which was intended.
' NOTE(review): declared As Boolean but every path returns 0, i.e. False.
' Not called in the visible code.
Public Function AllocJump(ByVal source As Int32, ByVal destination As Int32, Optional ByVal Nops As Integer = 0) As Boolean
WriteByte(source, &HE8)
WriteInt32(source + 1, destination - source - 5)
If Nops = 0 Then
Return 0
End If
' Padding starts at source + 5, directly after the 5-byte instruction.
For i As Int32 = 1 To Nops
WriteByte(source + 4 + i, &H90)
Next
Return 0
End Function
End Module
Screenshot in IDE:
Download Executable:
Code:
http://www.mediafire.com/?ns4wf7epp31f5h1
Another rare release of mine. I hope this post doesn't violate the rules, because I thought it would help other people with memory read/write.