hi coders
i had just one question that is bugging me. when i put the second parameter (lpAddress) in WriteProcessMemory defined in a source code it works fine, but when i try to get it from a user through an editbox it does not work. here is the code


targetfile db "Bullseye game.exe",0
bytestopatch db "hello man its patched",0
pstarted db "Click to patch.",0
notloaded db "It did not work :-(",0
Letsgo db "The process is started",13,10,
"Let's change smthg and run it now :-)",0

Startup STARTUPINFO <>
processinfo PROCESS_INFORMATION <>

RvaBuffer dd ?        ; target address typed by the user
byteswritten dd ?     ; filled in by WriteProcessMemory
..........
.........
invoke GetDlgItemInt,hWnd,IDC_EDIT,0h,FALSE   ; read the edit box as a number
mov RvaBuffer, eax
mov hInstance,eax
invoke CreateProcess, ADDR targetfile,NULL, NULL, NULL, NULL, CREATE_SUSPENDED,
NULL, NULL, ADDR Startup, ADDR processinfo
.IF eax == NULL
invoke MessageBox, NULL, ADDR notloaded, NULL, MB_ICONEXCLAMATION
.ELSE
invoke MessageBox, NULL, ADDR Letsgo,ADDR pstarted, MB_OK
invoke WriteProcessMemory, processinfo.hProcess,RvaBuffer,ADDR bytestopatch, 23, byteswritten
; Let the process run happily ;)
invoke ResumeThread, processinfo.hThread
.ENDIF



so is it that i cant just define lpAddress (2nd parameter in WriteProcessMemory) as a variable?
please help.
thanks
nickdigital
Posted on 2004-10-04 09:33:30 by nickdigital
i tried this out on a game i designed for testing purposes of my program.
sorry, this was missing up there. so please dont think of it as anything illegal, its just for study purposes.
Posted on 2004-10-04 09:38:25 by nickdigital
This is a part of the disassembled listing of the program i am talking about



:00401171 6A00 push 00000000
:00401173 6A00 push 00000000

* Possible Reference to Dialog: MYDIALOG, CONTROL_ID:0BB8, ""
|
:00401175 68B80B0000 push 00000BB8
:0040117A FF7508 push [ebp+08]
? Reference To: USER32.GetDlgItemInt, Ord:0101h

:0040117D E838010000 Call 004012BA
------ above line is the disassembled listing of 'call GetDlgItemInt'
:00401182 A324314000 mov dword ptr [00403124], eax --------above line is the disassembled listing of 'mov RvaBuffer, eax'

My question is if it stores it in dword ptr [00403124] why I cant use it in WriteProcessMemory. I actually debugged it and found the entered value 401264h at address 403124h of this program. Then why doesn't it work if I push it as a parameter in WriteProcessMemory.
code continued here


:00401187 6A00 push 00000000

* Reference To: KERNEL32.GetModuleHandleA, Ord:0111h
|
:0040119C E87F010000 Call 00401320
:004011A1 A32C314000 mov dword ptr [0040312C], eax
:004011A6 6812314000 push 00403112
:004011AB 68CE304000 push 004030CE
:004011B0 6A00 push 00000000
:004011B2 6A00 push 00000000
:004011B4 6A04 push 00000004
:004011B6 6A00 push 00000000
:004011B8 6A00 push 00000000
:004011BA 6A00 push 00000000
:004011BC 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Bullseye game.exe"
|
:004011BE 6844304000 push 00403044

* Reference To: KERNEL32.CreateProcessA, Ord:0042h
|
:004011C3 E846010000 Call 0040130E
:004011C8 0BC0 or eax, eax
:004011CA 7515 jne 004011E1
:004011CC 6A30 push 00000030
:004011CE 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"It did not work :-("
|
:004011D0 687C304000 push 0040307C
:004011D5 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:004011D7 E8FC000000 Call 004012D8
:004011DC E9B5000000 jmp 00401296

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011CA(C)
|
:004011E1 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Click to patch."
|
:004011E3 686C304000 push 0040306C

* Possible StringData Ref from Data Obj ->"The process is started"
|
:004011E8 6890304000 push 00403090
:004011ED 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:004011EF E8E4000000 Call 004012D8
:004011F4 FF3528314000 push dword ptr [00403128]
:004011FA 6A17 push 00000017

* Possible StringData Ref from Data Obj ->"hello man its patched"
|
:004011FC 6856304000 push 00403056 --------above line is the disassembled listing of 'push addr bytestopatch'
:00401201 FF3524314000 push dword ptr [00403124]
above line is the disassembled listing of 'push RvaBuffer'


Here is the problem. Why does it not take the inputted value 401264h stored at 403124h as a parameter here.
JUST FOR NOTE: THE ADDRESS TO PATCH IS PUSHED HERE IN THE WRITEPROCESSMEMORY API
code continued


:00401207 FF3512314000 push dword ptr [00403112]

* Reference To: KERNEL32.WriteProcessMemory, Ord:02C3h
|
:0040120D E81A010000 Call 0040132C -----------above line is the disassembled listing of 'call WriteProcessMemory'
:00401212 FF3516314000 push dword ptr [00403116]

* Reference To: KERNEL32.ResumeThread, Ord:020Fh
|
:00401218 E809010000 Call 00401326
:0040121D EB77 jmp 00401296


Please help me out guys. This code is driving me crazy.
Thank you for ur help in advance.
nickdigital
Posted on 2004-10-04 09:44:17 by nickdigital
Hey nickdigital
You may need to use GetDlgItemText to get text from the edit and use the MASM function "htodw", which converts a string of hex to a dword, or "atodw" to convert a string of numbers to a dword. Last time I tried using GetDlgItemInt to get numbers from an edit to be used as a dword, it didn't work.
Try this:


......................
invoke GetDlgItemText,hWnd,IDC_EDIT,ADDR Buffer,6 ; or how many characters you want to copy
invoke htodw,ADDR Buffer ; buffer from edit
mov RvaBuffer,eax ; result is placed in eax
mov hInstance,eax
......................

Hope this helps, unless I misunderstood your question.
Posted on 2004-10-04 16:32:20 by yo|dude|mon
hi yo|dude|mon
first i tried like this. it works fine to show it in a message box after getting it from the edit box, but it did not work with WriteProcessMemory api's second parameter.
please help if u can.
thank you
nickdigital


invoke GetDlgItemText,hWnd,IDC_EDIT1,ADDR buffer1,512
invoke GetDlgItemText,hWnd,IDC_EDIT2,ADDR buffer2,512
invoke GetDlgItemText,hWnd,IDC_EDIT3,ADDR buffer3,512

invoke GetModuleHandleA, NULL
mov hInstance,eax
invoke CreateProcess, ADDR buffer1,NULL, NULL, NULL, NULL, CREATE_SUSPENDED,
NULL, NULL, ADDR Startup, ADDR processinfo
.IF eax == NULL
invoke MessageBox, NULL, ADDR notloaded, NULL, MB_ICONEXCLAMATION
.ELSE
invoke MessageBox, NULL, ADDR Letsgo,ADDR pstarted, MB_OK
invoke wsprintf,buf,addr format, addr buffer2

invoke MessageBox, NULL,addr buffer3,addr buffer2, MB_ICONEXCLAMATION


invoke WriteProcessMemory, processinfo.hProcess,addr buffer2,ADDR buffer3, 23, byteswritten
; Let the process run happily ;)
invoke ResumeThread, processinfo.hThread
.ENDIF

where
format db '%lx',0
buffer1 db 512 dup(?)
buffer2 dd 512 dup(?)
buffer3 dd 512 dup(?)
buf dd ?


however, if i replace buffer2 with buffer21 which has a defined address, like this
buffer21 dd 401264h
and in WriteProcessMemory replace addr buffer2 with buffer21, then it works.
but if i change it like addr buffer2 to addr buffer21 then it takes the address 4030ba where buffer21 is stored. so i am bugged with this. if u have tried something like this earlier, please help
thank you once again
nickdigital
Posted on 2004-10-05 02:58:09 by nickdigital
look i dont know wtf you are trying to do but i can see 100 mistakes in less than a second.

invoke WriteProcessMemory, processinfo.hProcess,addr buffer2,ADDR buffer3, 23, byteswritten

1. processinfo.hProcess. great.
2. addr buffer2. you dont put the address of the variable. you put the actual memory address you want to change. so just buffer2.
3. same as 2. if you have the pointer to the buffer to be written in here, just push buffer3. (not the address of buffer3 which holds the memory address)
4. 23. ok.
5. null, optionally. but if you are going to use this, do addr byteswritten, so it knows where to save the number of bytes written. its not a telepathic compiler yet.

invoke WriteProcessMemory, processinfo.hProcess, buffer2, buffer3, 23, addr byteswritten

ok that should do it for that part. get a hold of your code with all the GetDlgItem or whatever you are trying to do there, its not so hard. hope you got all this understood and we will see whats your next error :)
Posted on 2004-10-05 03:35:52 by pwn
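The two points the replies above make (yo|dude|mon's hex-to-dword conversion of the edit-box text and pwn's by-value address / by-address byte counter) as one added C example; this is not code from the thread. The parser is portable and mirrors what a MASM htodw does; the patch_target function is an assumed helper that compiles only on Windows. Note that GetDlgItemInt reads the control text as decimal, so typing "401264" yields 401264 = 61F70h, not 401264h.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Parse edit-box text as a 32-bit hex address (htodw-style).
 * Accepts "401264", "0x401264" and "401264h".
 * Returns 1 and stores the value in *out on success;
 * returns 0 for empty, non-hex or more-than-8-digit input. */
int parse_hex_address(const char *text, uint32_t *out)
{
    size_t len = strlen(text);
    const char *p = text;
    uint32_t value = 0;

    if (len >= 2 && p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) {
        p += 2; len -= 2;                 /* optional 0x prefix */
    }
    if (len > 0 && (p[len - 1] == 'h' || p[len - 1] == 'H'))
        len--;                            /* optional MASM-style h suffix */
    if (len == 0 || len > 8)              /* 8 hex digits fit a DWORD */
        return 0;
    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)p[i], d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        value = (value << 4) | (uint32_t)d;
    }
    *out = value;
    return 1;
}

/* What decimal parsing (GetDlgItemInt behaviour) makes of the same text. */
uint32_t parse_decimal(const char *text)
{
    return (uint32_t)strtoul(text, NULL, 10);
}

#ifdef _WIN32
/* Assumed helper: the parsed address goes BY VALUE as lpBaseAddress, and the
 * byte counter goes BY ADDRESS as lpNumberOfBytesWritten (never as a value). */
int patch_target(HANDLE hProcess, const char *addr_text, const void *bytes, SIZE_T n)
{
    uint32_t addr; SIZE_T written = 0;
    if (!parse_hex_address(addr_text, &addr)) return 0;
    return WriteProcessMemory(hProcess, (LPVOID)(uintptr_t)addr, bytes, n, &written)
           && written == n;
}
#endif
```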
hi pwn
thanks for ur advice. but i feel u have misunderstood me.
i know what u are talking about and i also know that it is wrong.
please read the actual question which i am trying to ask in the first 2 posts of this topic "WriteProcessMemory".
also you can have a look at the "general runtime patcher" topic so that u can get the actual idea of what i am talking about.
anyway, thanks for replying.
nickdigital
Posted on 2004-10-05 05:53:15 by nickdigital