A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #7899  by juan81
 Tue Aug 09, 2011 4:24 am
hello,

i have some little problem here.
Code:

Procedure WMPos(T:pointer;Isi:array of byte;Jum:DWORD);
var i:byte;
    oldprotection:cardinal;
begin
  if IsBadWritePtr(T,jum)=false then
   begin
//     showmessage(inttohex(DWORD(T),4));
     VirtualProtect(T,jum,PAGE_EXECUTE_READWRITE, OldProtection);
     for i := 0 to jum-1 do
     begin
        pbyte(Dword(T)+i)^:=isi[i];
     end;
     VirtualProtect(T,jum,OldProtection,  OldProtection);
   end;
end;

how to make it writeable in T, because i remark isBadWritePtr is AccessViolation... that code for some game with hackshield protect.. but i think it's not kernelmode because i use old .exe can change in address T...
sorry for my newbie question..
regards,
 #7900  by EP_X0FF
 Tue Aug 09, 2011 4:37 am
If the application is run under a debugger and the process does not have write access to all bytes in the specified memory range, the function causes a first chance STATUS_ACCESS_VIOLATION exception. The debugger can be configured to break for this condition. After resuming process execution in the debugger, the function continues as usual and returns a nonzero value. This behavior is by design and serves as a debugging aid.
 #7902  by juan81
 Tue Aug 09, 2011 5:43 am
it is not debugger mode but dll injected. i have tried with kernel detective change that value, it's work and no error found... but hackshield detect kerneldetective driver >,,<

area 00000000-7FFFFFFF and memory region at dll not main program...

i have tried with old exe it's fine can change everywhere... >,<

how to change memory STATUS_ACCESS_VIOLATION in user mode?
 #7906  by Vrtule
 Tue Aug 09, 2011 11:47 am
Hm, I somewhat don't understand what is going on. Or what you are trying to achieve.
 #7907  by juan81
 Tue Aug 09, 2011 12:14 pm
that procedure i want to call in a game in my dll injected...
Code:
   wmpos(Pointer($444444),[$90,$90],2); // <- i call from my dll just nop JE short 
  
virtualprotect not hook kernel mode in hackshield i have seen it because i use old application didn't show an error...

isbadwriteptr always false, if i mark
virtualprotect is not fail but i change value to $90 access violation...

how to change on that memory $444444 in user mode..
 #7920  by EP_X0FF
 Wed Aug 10, 2011 1:14 pm
What is the memory region this (base address, size)? And what's its protection?
 #7951  by Fyyre
 Fri Aug 12, 2011 12:12 am
hackshield sucks. just disable before it loads, problem solve self. communicate with gameserver easily emulated...
juan81 wrote:that procedure i want to call in a game in my dll injected...
Code:
   wmpos(Pointer($444444),[$90,$90],2); // <- i call from my dll just nop JE short 
  
virtualprotect not hook kernel mode in hackshield i have seen it because i use old application didn't show an error...

isbadwriteptr always false, if i mark
virtualprotect is not fail but i change value to $90 access violation...

how to change on that memory $444444 in user mode..
 #8031  by juan81
 Tue Aug 16, 2011 1:06 am
i have solutions without disable hackshield.. thx for reply..
ok i will learn about communicate with server... for disable it, it's long ago successfully but for communicate >,< just really hard bit ^^ >,.<..
Last edited by juan81 on Tue Aug 16, 2011 1:23 am, edited 1 time in total.
 #8032  by juan81
 Tue Aug 16, 2011 1:09 am
EP_X0FF wrote:What is the memory region this (base address, size)? And what's its protection?
03453450 size only 2.. i don't know my IsBadWritePtr always true on that address.. i force virtualprotect and change it to $90 $90 = Nop Access Violation >,<
 #8035  by EP_X0FF
 Tue Aug 16, 2011 2:28 am
juan81 wrote:03453450 size only 2..
This can't be region _base_ and region size. Get a memory map and look which region owns 03453450.