196 replies to this topic

[w0uter]

okey thanks

[w0uter]

code taken down due to incompatibilty.

Edited by w0uter, 21 January 2006 - 12:02 AM.

[Knight]

Once again, Great Work Wouter!

but what about reading and writing 'float's?

Thanks,
JKnight

[w0uter]

i dont know what 'floats' are.

[Knight]

what I mean is identifying the type to read. Exactly how you changed your old memread function here.. http://www.autoitscript.com/forum/index.ph...ndpost&p=122299


You added $s_type.

[strate]

you can find it by using a debugger (i used OllyDbg)

(i think there is just a really small amout of people that actually have knowledge enough to use these functions )

Would I be able to use this program to get information from a status bar? Then would I be able to turn it back into what the status bar said?

[Gene]

60 view and no replies, that makes me sad

Hi w0uter,

Given what you've done, could you also change the display time to something less than a second? Not to something subliminal, but only a little above. I frequently use MsgBoxes to show me variable content when I'm tracking a problem. I currently set them for one second but this is a lot slower than I could deal with and the boredom factor is high.

Gene

[CoderDunn]

Why doesn't this work? I found the mem adress with T-search. It's the adress for my characters health.

I have Win XP in case that matters

Opt("WinTitleMatchMode", 3) 

$pid = WinGetProcess("Tibia")

$open = _MemOpen($pid)

$read = _MemRead($open,0x4A1240,4)
 
MsgBox(0,"",$read)


_MemWrite($open,0x4A1240,100)

Hallman

[Valik]

Hi w0uter,

Given what you've done, could you also change the display time to something less than a second? Not to something subliminal, but only a little above. I frequently use MsgBoxes to show me variable content when I'm tracking a problem. I currently set them for one second but this is a lot slower than I could deal with and the boredom factor is high.

Gene

Are you referring to the timeout feature of AutoIt's MsgBox() function? If yes, that's something AutoIt does, not Windows, so hacking that is not something that's easy to do like what w0uter has demonstrated.

[Gene]

Are you referring to the timeout feature of AutoIt's MsgBox() function? If yes, that's something AutoIt does, not Windows, so hacking that is not something that's easy to do like what w0uter has demonstrated.

Hi Valik,

Yes, that's what I was after, sigh.

I've done the same thing with vars writing them to a file, but that's hard to corelate with what was happening on screen. I'e even tried capturing screen bitmaps but they often don't coincide and suck up lots of time and drive space.

Gene

[w0uter]

Are you referring to the timeout feature of AutoIt's MsgBox() function? If yes, that's something AutoIt does, not Windows, so hacking that is not something that's easy to do like what w0uter has demonstrated.

i think you are mistaken. i hacked autoits internal handeling of the MsgBox Command.

After looking at the source for like ~60 seconds my guess would be to hack "vParams[3].nValue() * 1000" out of the source code.

[Valik]

I know how AutoIt is achieving the effect, but why does the source code matter at all? I thought the point of this thread was hacking things in memory, not removing lines of code from the source file and re-compiling. How does knowing the source code help Gene at all? Why do you even mention it?

And where are you modifying the internals of AutoIt's MessageBox handling? I see you writing to memory a couple times but I can't see any difference in behavior that suggests you've modified how AutoIt is handling the MessageBox.

[Gene]

@w0uter

I realize that you're referencing the 4th MsgBox parameter and the number is multiplied times 1000 clicks per second. If I had the src code I could find that snippet, but would have no idea what to do with it. No "C/C++" skills here. I was hoping you'd add that functionality in a UDF if it wasn't too much trouble.

In attempting to try out your code in the first post, I created the attached file. When running the compiled script it errored saying that it couldn't execute the external file on lines 77 and 123. I edited them as shown below, now it runs, but says it can't find "K:\AutoIt3ExecuteLine".

;$i_Pid = Run(@ScriptFullPath & " /AutoIt3ExecuteLine ""MsgBox
$i_Pid = Run("K:\Local\Prog\AutoIt3\beta\AutoIt3.exe /AutoIt3ExecuteLine ""MsgBox

I'm running Win2K SP 4, 256MB RAM, several GB free space, IE 6.x SP1

Gene

Edit: H'mmmn, didn't see Valiks post.

i think you are mistaken. i hacked autoits internal handeling of the MsgBox Command.

After looking at the source for like ~60 seconds my guess would be to hack "vParams[3].nValue() * 1000" out of the source code.

Edited by Gene, 22 January 2006 - 04:01 AM.

[w0uter]

I know how AutoIt is achieving the effect, but why does the source code matter at all? I thought the point of this thread was hacking things in memory, not removing lines of code from the source file and re-compiling. How does knowing the source code help Gene at all? Why do you even mention it?

And where are you modifying the internals of AutoIt's MessageBox handling? I see you writing to memory a couple times but I can't see any difference in behavior that suggests you've modified how AutoIt is handling the MessageBox.

Source code just makes it easyer to know what to hack out in the memory.

As you probly know windows loads the code in the memory. Meaning that that line from the sourcecode will also be there.
(even though it is now converted to byte-code) thus making you able to remove that multiply in memory.

in version 103 its located at:
004177F0 69C0 E8030000 IMUL EAX,EAX,3E8

And by modifieng autoits handleing i ment that where it normaly would push the parameters for MessageBox on the stack it would this time push my parameters on the stack.

Plain Text        expandcollapse  popup

#region _Mem()

Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
    Local $av_Return[2] = [DllOpen('kernel32.dll') ]
    Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid)
    If @error Then
        DllClose($av_Return[0])
        SetError(1)
        Return 0
    EndIf
    $av_Return[1] = $ai_Handle[0]
    Return $av_Return
EndFunc  ;==>_MemOpen

Func _MemWrite($ah_Mem, $i_Address, $v_Inject)
    Local $av_Call = DllCall($ah_Mem[0], 'int', 'WriteProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr($v_Inject), 'int', DllStructGetSize($v_Inject), 'int', '')
    Return $av_Call[0]
EndFunc  ;==>_MemWrite

Func _MemClose($ah_Mem)
    Local $av_Ret = DllCall($ah_Mem[0], 'int', 'CloseHandle', 'int', $ah_Mem[1])
    DllClose($ah_Mem[0])
    Return $av_Ret[0]
EndFunc  ;==>_MemClose

Func _MemCreate($1, $2 = 0, $3 = 0, $4 = 0, $5 = 0, $6 = 0, $7 = 0, $8 = 0, $9 = 0, $10 = 0, $11 = 0, $12 = 0, $13 = 0, $14 = 0, $15 = 0, _
        $16 = 0, $17 = 0, $18 = 0, $19 = 0, $20 = 0, $21 = 0, $22 = 0, $23 = 0, $24 = 0, $25 = 0, $26 = 0, $27 = 0, $28 = 0, $29 = 0, _
        $30 = 0, $31 = 0, $32 = 0, $33 = 0, $34 = 0, $35 = 0, $36 = 0, $37 = 0, $38 = 0, $39 = 0, $40 = 0, $41 = 0, $42 = 0, $43 = 0, _
        $44 = 0, $45 = 0, $46 = 0, $47 = 0, $48 = 0, $49 = 0, $50 = 0, $51 = 0, $52 = 0, $53 = 0, $54 = 0, $55 = 0, $56 = 0, $57 = 0, _
        $58 = 0, $59 = 0, $60 = 0, $61 = 0, $62 = 0, $63 = 0, $64 = 0, $65 = 0, $66 = 0, $67 = 0, $68 = 0, $69 = 0, $70 = 0, $71 = 0, _
        $72 = 0, $73 = 0, $74 = 0, $75 = 0, $76 = 0, $77 = 0, $78 = 0, $79 = 0, $80 = 0, $81 = 0, $82 = 0, $83 = 0, $84 = 0, $85 = 0, _
        $86 = 0, $87 = 0, $88 = 0, $89 = 0, $90 = 0, $91 = 0, $92 = 0, $93 = 0, $94 = 0, $95 = 0, $96 = 0, $97 = 0, $98 = 0, $99 = 0)
    If IsString($1) Then
        $1 = StringSplit($1, '')
        Local $v_Helper = DllStructCreate('byte[' & UBound($1) & ']')
        For $i = 1 To UBound($1) - 1
            DllStructSetData($v_Helper, 1, Asc($1[$i]), $i)
        Next
    Else
        Local $v_Helper = DllStructCreate('byte[' & @NumParams & ']')
        For $i = 1 To @NumParams
            DllStructSetData($v_Helper, 1, Eval($i), $i)
        Next
    EndIf
    Return $v_Helper
EndFunc  ;==>_MemCreate

#endregion

$i_Open = _MemOpen(@autoitpid)
_MemWrite($i_Open, 0x004177F0, _MemCreate(0x90, 0x90, 0x90, 0x90, 0x90, 0x90))
_MemClose($i_Open)

MsgBox(0, 'title', 'text', 500)

Edited by w0uter, 22 January 2006 - 01:35 PM.

[Valik]

I added a ConsoleWrite() just to show what version I was using:

3.1.1.103
>Exit code: 0   Time: 17.159

That's 17 seconds, after I grew tired of waiting for it to disappear. I suspect it would of taken 500 seconds. I don't know what instructions you set to NOP but they weren't the right ones.

[w0uter]

you must compile it to work, i should have been more precise

Edited by w0uter, 22 January 2006 - 04:02 PM.

[Valik]

Ahh, I did not run it compiled. Well, that exposes a second fundamental problem. Not only must we use the right version of AutoIt, we must also use it compiled (or not, depending on how it was tested). It's a nice proof of concept, maybe, but the things that you're trying to do aren't that practical.

[Gene]

I downloaded and installed beta 103, compiled your code below. Outstanding! I can use this for problem tracing. After a little experimenting I find that something between 1/8 and 1/4 second is as fast as I can deal with. Thank you for the added feature.

Gene

Plain Text        expandcollapse  popup

#region _Mem()

Func _MemOpen($i_Pid, $i_Access = 0x1F0FFF, $i_Inherit = 0)
    Local $av_Return[2] = [DllOpen('kernel32.dll') ]
    Local $ai_Handle = DllCall($av_Return[0], 'int', 'OpenProcess', 'int', $i_Access, 'int', $i_Inherit, 'int', $i_Pid)
    If @error Then
        DllClose($av_Return[0])
        SetError(1)
        Return 0
    EndIf
    $av_Return[1] = $ai_Handle[0]
    Return $av_Return
EndFunc ;==>_MemOpen

Func _MemWrite($ah_Mem, $i_Address, $v_Inject)
    Local $av_Call = DllCall($ah_Mem[0], 'int', 'WriteProcessMemory', 'int', $ah_Mem[1], 'int', $i_Address, 'ptr', DllStructGetPtr($v_Inject), 'int', DllStructGetSize($v_Inject), 'int', '')
    Return $av_Call[0]
EndFunc ;==>_MemWrite

Func _MemClose($ah_Mem)
    Local $av_Ret = DllCall($ah_Mem[0], 'int', 'CloseHandle', 'int', $ah_Mem[1])
    DllClose($ah_Mem[0])
    Return $av_Ret[0]
EndFunc ;==>_MemClose

Func _MemCreate($1, $2 = 0, $3 = 0, $4 = 0, $5 = 0, $6 = 0, $7 = 0, $8 = 0, $9 = 0, $10 = 0, $11 = 0, $12 = 0, $13 = 0, $14 = 0, $15 = 0, _
        $16 = 0, $17 = 0, $18 = 0, $19 = 0, $20 = 0, $21 = 0, $22 = 0, $23 = 0, $24 = 0, $25 = 0, $26 = 0, $27 = 0, $28 = 0, $29 = 0, _
        $30 = 0, $31 = 0, $32 = 0, $33 = 0, $34 = 0, $35 = 0, $36 = 0, $37 = 0, $38 = 0, $39 = 0, $40 = 0, $41 = 0, $42 = 0, $43 = 0, _
        $44 = 0, $45 = 0, $46 = 0, $47 = 0, $48 = 0, $49 = 0, $50 = 0, $51 = 0, $52 = 0, $53 = 0, $54 = 0, $55 = 0, $56 = 0, $57 = 0, _
        $58 = 0, $59 = 0, $60 = 0, $61 = 0, $62 = 0, $63 = 0, $64 = 0, $65 = 0, $66 = 0, $67 = 0, $68 = 0, $69 = 0, $70 = 0, $71 = 0, _
        $72 = 0, $73 = 0, $74 = 0, $75 = 0, $76 = 0, $77 = 0, $78 = 0, $79 = 0, $80 = 0, $81 = 0, $82 = 0, $83 = 0, $84 = 0, $85 = 0, _
        $86 = 0, $87 = 0, $88 = 0, $89 = 0, $90 = 0, $91 = 0, $92 = 0, $93 = 0, $94 = 0, $95 = 0, $96 = 0, $97 = 0, $98 = 0, $99 = 0)
    If IsString($1) Then
        $1 = StringSplit($1, '')
        Local $v_Helper = DllStructCreate('byte[' & UBound($1) & ']')
        For $i = 1 To UBound($1) - 1
            DllStructSetData($v_Helper, 1, Asc($1[$i]), $i)
        Next
    Else
        Local $v_Helper = DllStructCreate('byte[' & @NumParams & ']')
        For $i = 1 To @NumParams
            DllStructSetData($v_Helper, 1, Eval($i), $i)
        Next
    EndIf
    Return $v_Helper
EndFunc ;==>_MemCreate

#endregion

$i_Open = _MemOpen(@autoitpid)
_MemWrite($i_Open, 0x004177F0, _MemCreate(0x90, 0x90, 0x90, 0x90, 0x90, 0x90))
_MemClose($i_Open)

MsgBox(0, 'title', 'text', 500)

[Valik]

Gene, IMO, you need to really re-think your debugging methods if you aren't able to do it without hacking AutoIt. I know with SciTE I can insert trace statements for any variable I want or I can insert a trace of all function calls (Like a call stack) for an entire file just with hotkeys. I rarely use message boxes for debugging and I definitely never needed to hack AutoIt to do it.

In addition, the moment 3.1.1.104 comes out, w0uter will have to give you a new base address. Is this really practical for you to hack AutoIt each release to ensure you can debug code when their are tons of other, more suitable ways of doing it?

[w0uter]

Gene, IMO, you need to really re-think your debugging methods if you aren't able to do it without hacking AutoIt.

i agree, i always use consolewrite for debugging.