I just made a very interesting new type of game hacking tool, and I would really like to get some feedback on it. Feel free to criticize, suggest, correct, or anything at all.
This is designed for advanced users and only has applications for some very specialized searching, and you really must understand how the program works to use it properly.
How it works:
When a C or C++ program is compiled for Windows, 'new', 'malloc', 'free', and 'delete' are compiled into calls to the kernel32.dll and ntdll.dll memory management functions. At the ntdll.dll level these functions are called RtlAllocateHeap and RtlFreeHeap (the kernel32.dll functions HeapAlloc and HeapFree simply redirect to them). This program adds hooks into these two functions and records all their call parameters. In the case of RtlFreeHeap, the contents of the memory about to be freed are also recorded. For example, in a code block as follows:
1: void someFunction()
2: {
3:     char* unencryptedPacket = new char[50]; <--- Calls RtlAllocateHeap
4:     ...
5:     char* encryptedData = encryptPacket( unencryptedPacket ); <--- Somewhere inside encryptPacket() calls RtlAllocateHeap
6:     delete[] unencryptedPacket; <--- Calls RtlFreeHeap: unencryptedPacket[0 to 99] is recorded.
7:     sendPacket( encryptedData );
8:     delete[] encryptedData; <--- Calls RtlFreeHeap: encryptedData[0 to 99] is recorded.
9: }

This section of code will generate two allocation rows in the Advanced Memory Allocation Monitor:
Address of Calling Code      Size   Status   Hex Value
Address of line 3            50     Freed    contents of unencrypted packet (copied at line 6) ...
Address in encryptPacket()   120    Freed    first 100 bytes of encrypted packet (copied at line 8) ...
What it can be used for:
This program has two main purposes: finding hard-to-find memory leaks, and finding unencrypted packets. It can also be applied to locate other hard-to-find buffers.
In the case of finding unencrypted packets and creating a packet viewer/editor, here is the general procedure:
1. Start the game and Advanced Memory Allocation Monitor.
2. Under the 'Filters' category, change the 'Last Value' to:
Method: Contains
Type: String
Value: this is a test
3. Click 'Set Filter'.
4. In-game perform a chat saying 'this is a test'.
5. If the unencrypted packet is being formed on the heap, you should be able to see at least one list item appear in the List View tab. You can then build your own code injection to intercept all the decrypted packets, or you can even make a code injection to create your own packets. The allocation is being created at the 'Address of Calling Code' instruction address.
6. If step 5 was successful, copy one of the 'Address of Calling Code' cells and paste it into the 'Filters' - 'Address of Calling Code' box.
7. Clear the 'Last Value' - 'Value' box, then click 'Set Filter'.
8. You should now see every packet in decrypted form.
Often the unencrypted packet buffers are allocated on the stack, in which case this program will not be able to pick them up.
In the case of finding memory leaks, here is the general procedure:
1. Start the program you wish to detect memory leaks on, and attach to it with the Advanced Memory Allocation Monitor.
2. Record data for as long as you would like.
3. Select the 'Tree View' tab, and click Refresh Tree View.
4. Look through the modules for a module with a high 'Unfreed Allocations' value.
5. Press the expand (+) button on the module to view all the code locations within the module that make allocations.
6. Look for a code location with a high 'Unfreed Allocations' value.
7. Create a breakpoint at that address while debugging your software with symbols. You now have the location of your memory leak.
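The following is an added example, not the author's tool: a small C allocation monitor that builds the same rows the 'How it works' section describes (Address of Calling Code, Size, Status, Hex Value) and then answers the two procedures above, the 'Last Value' / Contains / String filter and the tree view's per-call-site 'Unfreed Allocations' count. The real tool hooks RtlAllocateHeap/RtlFreeHeap in ntdll.dll; this stand-in wraps malloc/free with mon_alloc/mon_free and takes the call site from __builtin_return_address (GCC/Clang), so it runs on any platform. All names (mon_*, alloc_record, leaky_site, balanced_site, run_demo), the sample workload and the 100-byte snapshot limit are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SNAPSHOT_MAX 100   /* bytes of freed contents kept per row (my choice) */
#define MAX_RECORDS  512

/* One row of the monitor, with the columns the post lists for its list view. */
typedef struct {
    void          *caller;                   /* Address of Calling Code */
    void          *block;                    /* heap address handed out */
    size_t         size;                     /* Size */
    int            freed;                    /* Status: 0 = live, 1 = freed */
    unsigned char  last_value[SNAPSHOT_MAX]; /* Hex Value: copied at free time */
    size_t         snap_len;
} alloc_record;
static alloc_record records[MAX_RECORDS];
static size_t       record_count;

/* Stand-in for the RtlAllocateHeap hook: note the call site and the size. */
__attribute__((noinline)) void *mon_alloc(size_t size) {
    void *p = malloc(size);
    if (p && record_count < MAX_RECORDS) {
        alloc_record *r = &records[record_count++];
        memset(r, 0, sizeof *r);
        r->caller = __builtin_return_address(0);   /* the caller, not mon_alloc */
        r->block  = p;
        r->size   = size;
    }
    return p;
}

/* Stand-in for the RtlFreeHeap hook: snapshot the contents, then free. */
__attribute__((noinline)) void mon_free(void *p) {
    for (size_t i = 0; i < record_count; i++) {
        alloc_record *r = &records[i];
        if (r->block == p && !r->freed) {          /* skip stale rows of reused addresses */
            r->snap_len = r->size < SNAPSHOT_MAX ? r->size : SNAPSHOT_MAX;
            memcpy(r->last_value, p, r->snap_len); /* never read past the block */
            r->freed = 1;
            break;
        }
    }
    free(p);
}

/* Filters -> Last Value, Method: Contains, Type: String. Returns how many freed
   rows contain needle. memcmp rather than strstr: a snapshot may hold NUL bytes. */
size_t mon_filter_contains(const char *needle) {
    size_t n = strlen(needle), hits = 0;
    for (size_t i = 0; i < record_count; i++) {
        const alloc_record *r = &records[i];
        if (!r->freed || r->snap_len < n) continue;
        for (size_t off = 0; off + n <= r->snap_len; off++)
            if (memcmp(r->last_value + off, needle, n) == 0) { hits++; break; }
    }
    return hits;
}
size_t mon_size_of(size_t row) { return row < record_count ? records[row].size : 0; }

/* Tree View: unfreed rows per call site; returns the site with the most. */
void *mon_worst_call_site(size_t *unfreed) {
    void *worst = NULL; size_t worst_n = 0;
    for (size_t i = 0; i < record_count; i++) {
        if (records[i].freed) continue;
        size_t n = 0;
        for (size_t j = 0; j < record_count; j++)
            if (!records[j].freed && records[j].caller == records[i].caller) n++;
        if (n > worst_n) { worst_n = n; worst = records[i].caller; }
    }
    if (unfreed) *unfreed = worst_n;
    return worst;
}
void mon_reset(void) {                          /* release live blocks, drop rows */
    for (size_t i = 0; i < record_count; i++)
        if (!records[i].freed) free(records[i].block);
    record_count = 0;
}

/* Constructed workload: one call site that leaks, one that frees properly. */
static __attribute__((noinline)) void leaky_site(int rounds) {
    for (int i = 0; i < rounds; i++) {
        char *buf = mon_alloc(64);              /* never freed: the leak */
        if (buf) snprintf(buf, 64, "leaked %d", i);
    }
}
static __attribute__((noinline)) void balanced_site(int rounds) {
    for (int i = 0; i < rounds; i++) {
        char *msg = mon_alloc(50);              /* like 'new char[50]' in the post */
        if (!msg) return;
        memset(msg, 0, 50);                     /* zero-fill so the hex column is readable */
        snprintf(msg, 50, "chat: this is a test #%d", i);
        mon_free(msg);                          /* snapshot taken here */
    }
}

/* Leak procedure, steps 3-7: rows 0-4 come from leaky_site and stay live, so the
   worst call site reports 5; rows 5-7 are the freed 50-byte chat buffers. */
size_t run_demo(void) {
    mon_reset(); leaky_site(5); balanced_site(3);
    size_t n = 0; mon_worst_call_site(&n);
    return n;
}
```

After run_demo() the rows are in place, so mon_filter_contains("this is a test") plays the packet procedure (it matches the three freed chat buffers, the first of which is row 5 with size 50) and mon_worst_call_site() plays the tree view. In the real tool the 'Address of Calling Code' would be the instruction after the call into RtlAllocateHeap inside the game module; here it is the return address inside leaky_site or balanced_site. The snapshot is deliberately capped at the block's own size so the monitor never reads past the allocation it is recording.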
Download
Advanced Memory Allocation Monitor v1.0 - Memory Leak Detection and Packet Decryption
Screenshots