Ferrous Moon
http://www.ferrousmoon.com:80/forums/

Onlink... Money... Video Guide
http://www.ferrousmoon.com:80/forums/viewtopic.php?f=52&t=1414
Page 2 of 2

Author:  Sabranan [Thu Jul 10, 2008 1:34 am ]
Post subject:  Re: Onlink... Money... Video Guide

Quote:
Nope, neither method seems to work, and I tried both methods with both ArtMoney and CE.

-- Griffinhart
Can you give us an example link to a flash game that doesn't work please? I'll test it myself.

Author:  FinalWarrior [Thu Jul 10, 2008 2:01 am ]
Post subject:  Re: Onlink... Money... Video Guide

http://www.sugar-free-games.com/showgame.php?game=849

I've tried both the downloaded and the browser versions. Can't cheat the game either way.

(Specifically, I went to story mode and tried to give my character more than 21 stat points.)

-- Griffinhart

Author:  Sabranan [Thu Jul 10, 2008 2:23 am ]
Post subject:  Re: Onlink... Money... Video Guide

Quote:
http://www.sugar-free-games.com/showgame.php?game=849

I've tried both the downloaded and the browser versions. Can't cheat the game either way.

(Specifically, I went to story mode and tried to give my character more than 21 stat points.)

-- Griffinhart
Hmm, doesn't seem to work on version 9. ArtMoney used to work with V8 if you multiply the value by eight. Looks like V9 uses some other means to store values.

Author:  Burningmace [Thu Jul 10, 2008 10:27 am ]
Post subject:  Re: Onlink... Money... Video Guide

From what I can figure in Flash 9, variables are stored with a random obfuscation value. For example:
Code:
using System;

class Integer
{
    private int InternalValue;
    private int Obfuscation;

    public Integer()
    {
        // pick a random mask once, when the variable is created
        Obfuscation = new Random().Next();
    }

    public void SetValue(int value)
    {
        // using xor operator ^ for variable obfuscation
        InternalValue = value ^ Obfuscation;
    }

    public int GetValue()
    {
        // using xor operator ^ again to undo variable obfuscation
        return InternalValue ^ Obfuscation;
    }
}
That kinda thing.

Author:  Sabranan [Thu Jul 10, 2008 8:20 pm ]
Post subject:  Re: Onlink... Money... Video Guide

Quote:
From what I can figure in Flash 9, variables are stored with a random obfuscation value. For example:
Code:
using System;

class Integer
{
    private int InternalValue;
    private int Obfuscation;

    public Integer()
    {
        // pick a random mask once, when the variable is created
        Obfuscation = new Random().Next();
    }

    public void SetValue(int value)
    {
        // using xor operator ^ for variable obfuscation
        InternalValue = value ^ Obfuscation;
    }

    public int GetValue()
    {
        // using xor operator ^ again to undo variable obfuscation
        return InternalValue ^ Obfuscation;
    }
}
That kinda thing.
That being the case, even though the value is generated randomly it's still stored as a variable itself...

Should be a fairly simple matter for one to write a small program to retrieve the Obfuscation value and XOR it with the value being searched for.

Unfortunately this is beyond my abilities, or at least beyond my programming language knowledge which at present only extends to the old 16 bit Pascal and QuickBasic.

Hopefully we'll see this feature integrated into a new version of Artmoney.

Author:  Burningmace [Sat Jul 12, 2008 4:56 pm ]
Post subject:  Re: Onlink... Money... Video Guide

There are a few problems with that:
1) We don't know the value, so we can't find it in the first place.
2) We know that the memory address of the obfuscation value is near that of the obfuscated value, but we don't know where either value is in memory.

The only way to do it really is to reverse engineer the Flash ActiveX component and find the random number generator code, then find all calls to it. After that, each instance must be evaluated to find the number class. Unfortunately that requires a high knowledge of ASM and reverse engineering. I'm not qualified :P

Author:  Lionheart5358 [Fri Jul 25, 2008 12:06 pm ]
Post subject:  Re: Onlink... Money... Video Guide

Code:
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <cstring>
#include <cstdlib>

int main()
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);

    HANDLE hProcessSnapshot;
    PROCESSENTRY32 ProcessEntry32;
    DWORD dwProcessID = 0;
    HANDLE hProcessHandle;

    system("color 0c"); // gotta love the red on black

    // Poll the process list until the game is running, then patch it once.
    for (;; Sleep(5))
    {
        if ((hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE)
            return FALSE;

        ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(hProcessSnapshot, &ProcessEntry32) == FALSE)
        {
            CloseHandle(hProcessSnapshot);
            return FALSE;
        }

        do
        {
            if (strcmp(ProcessEntry32.szExeFile, "Onlink-SSE2.exe") == 0)
            {
                dwProcessID = ProcessEntry32.th32ProcessID;
                break;
            }
        } while (Process32Next(hProcessSnapshot, &ProcessEntry32) == TRUE);
        CloseHandle(hProcessSnapshot);

        if (dwProcessID == 0 || (hProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID)) == NULL)
        {
            continue;
        }
        else
        {
            BYTE writethis[3] = {0x89, 0xA9, 0xCC};
            WriteProcessMemory(hProcessHandle, (PVOID)0x00518e06, writethis, 3, NULL);
            CloseHandle(hProcessHandle);
            exit(0);
        }
    }
}
Gives infinite money. Compiled in VS.NET 2k3; only compatible with Onlink SSE2 0.1.2.

Author:  Tycho [Thu Sep 04, 2008 10:53 am ]
Post subject:  Re: Onlink... Money... Video Guide

Quote:
There are a few problems with that:
1) We don't know the value, so we can't find it in the first place.
2) We know that the memory address of the obfuscation value is near that of the obfuscated value, but we don't know where either value is in memory.

The only way to do it really is to reverse engineer the Flash ActiveX component and find the random number generator code, then find all calls to it. After that, each instance must be evaluated to find the number class. Unfortunately that requires a high knowledge of ASM and reverse engineering. I'm not qualified :P
Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.

Author:  Sabranan [Thu Sep 04, 2008 11:35 am ]
Post subject:  Re: Onlink... Money... Video Guide

Quote:
Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.
Yes, but with an obfuscation value when it's XOR'd it can change it so that when the true value goes up, the result actually goes down, and vice versa sometimes.

Such as in this example:

Current Value 83
Obfuscation value 11

Results in the XOR'd value 88

Whereas if I increase the current value by 1 the resulting value becomes 95, and increasing it by 1 again leaves us with 94. You only have to get it doing that once to make searching for an increasing or decreasing value impossible, because you never know whether the result has increased or decreased, even if the true value follows a normal pattern.
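To make the effect concrete, here is an added simulation (not from the thread) of the increase/decrease scan Tycho describes, run over a small constructed memory image that holds the same numbers as above: true value 83 and obfuscation value 11. The plain copy survives every narrowing step, while the XOR'd copy is discarded the moment the obfuscated word moves the opposite way.

```python
from typing import Dict, List

OBFUSCATION = 11  # the key from the worked example above


def snapshot(true_value: int) -> Dict[str, int]:
    """Constructed memory image: a few unrelated cells plus two copies of the
    stat, one stored plainly and one stored as (value XOR key)."""
    return {
        "noise_a": 7,
        "noise_b": 250,
        "noise_c": 42,
        "plain": true_value,
        "xored": true_value ^ OBFUSCATION,
    }


def obfuscated_trace(true_values: List[int]) -> List[int]:
    """What the XOR'd cell holds for each true value in turn."""
    return [v ^ OBFUSCATION for v in true_values]


def narrow(candidates: List[str], before: Dict[str, int],
           after: Dict[str, int], direction: str) -> List[str]:
    """One step of the inexact scan: keep only the cells whose change between
    two snapshots matches what the player reports ('up', 'down' or 'same')."""
    keep = []
    for addr in candidates:
        delta = after[addr] - before[addr]
        if (direction == "up" and delta > 0) or \
           (direction == "down" and delta < 0) or \
           (direction == "same" and delta == 0):
            keep.append(addr)
    return keep


def scan(true_values: List[int]) -> List[str]:
    """Run the scan over a run of true values the player reports as going up
    each time; returns the cells still believed to hold the stat."""
    prev = snapshot(true_values[0])
    candidates = list(prev)
    for value in true_values[1:]:
        cur = snapshot(value)
        candidates = narrow(candidates, prev, cur, "up")
        prev = cur
    return candidates
```

With 83, 84, 85 the obfuscated word goes 88, 95, 94, so the "xored" cell is dropped on the second step even though the real stat only ever went up.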

Author:  Burningmace [Thu Sep 04, 2008 6:35 pm ]
Post subject:  Re: Onlink... Money... Video Guide

Quote:
Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.
There are three simple ways to get around this:
1) XOR obfuscation - Often causes an increase of 1 in the true value to be an increase or decrease of a different amount in the obfuscated variable.
2) Randomize the obfuscation value each time you perform a read or write of the value and recalculate the new obfuscated value.
3) Store protection values - Create duplicate values that can be checked to see if the original was modified. For example:
Code:
/*
 * Written by Burningmace on 5th September 2008
 * Code is in C# so it should be easy to convert to C or C++
 */
using System;

class ProtectedInt
{
    private static readonly Random rnd = new Random();

    private int internalValue;
    private int obfuscValue;
    private int protectValue;

    public ProtectedInt(int value)
    {
        obfuscValue = rnd.Next(int.MinValue, int.MaxValue);
        internalValue = value ^ obfuscValue;
        /*
         * Simple equation for protection variable.
         * Ideally store multiple protection variables with complex
         * equations.
         * Using internalValue % 2 is useful if you have another
         * algorithm, as it is very hard to find the right 0/1 in
         * the entire process memory.
         * I sometimes use hash algorithms like CRC32 and MD5 to store
         * even more secure protection vars.
         */
        protectValue = (int)((internalValue % 32) / 4) + 1;
    }

    public int Read()
    {
        if (!Check())
        {
            // Shouldn't ever get here, but just in case...
            return 0;
        }
        return internalValue ^ obfuscValue;
    }

    public void Write(int value)
    {
        if (!Check())
        {
            // Again, shouldn't ever get here.
            return;
        }
        internalValue = value ^ obfuscValue;
        protectValue = (int)((internalValue % 32) / 4) + 1;
    }

    private bool Check()
    {
        if (protectValue != (int)((internalValue % 32) / 4) + 1)
        {
            throw new Exception("Error");
            // Shouldn't be executed, but will be if exception was handled.
            return false;
        }
        // Re-generate the values with a new obfuscValue
        int realValue = internalValue ^ obfuscValue;
        obfuscValue = rnd.Next(int.MinValue, int.MaxValue);
        internalValue = realValue ^ obfuscValue;
        protectValue = (int)((internalValue % 32) / 4) + 1;
        return true;
    }
}
I actually coded a class in VB.NET a while back to do this. It uses multiple protection values including a hash function, securely obfuscates the value (uses RNGCryptoServiceProvider class to generate obfuscation values), puts the values in random offsets in an array in order to alter the memory offset and last but not least creates "chaff" variables that cause false positives to appear on memory scanner applications. If anyone wants it, shout up and I'll post it.
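As an added illustration of methods 2 and 3 above (my own code, not Burningmace's class), here is a Python version that re-keys the XOR mask on every access and keeps a CRC32 over the stored word as the protection value, so a write made from outside the class is caught on the next read. The helpers `raw_words`, `stored_word_trace` and `tamper_detected` are assumed here only to show what a scanner would see and what happens when it writes.

```python
import secrets
import zlib

MASK = 0xFFFFFFFF  # keep everything in 32-bit words, as a C# int would be


class ProtectedInt:
    """The value is never stored directly: only (value XOR key), the key,
    and a CRC32 of the stored word (the 'protection value')."""

    def __init__(self, value: int) -> None:
        self._key = 0
        self._store(value)

    def _store(self, value: int) -> None:
        # Fresh key on every store, forced to differ from the previous one so
        # the stored word changes even when the true value does not.
        key = secrets.randbits(32)
        if key == self._key:
            key ^= 1
        self._key = key
        self._internal = (value ^ key) & MASK
        self._protect = zlib.crc32(self._internal.to_bytes(4, "little"))

    def _check(self) -> None:
        if zlib.crc32(self._internal.to_bytes(4, "little")) != self._protect:
            raise ValueError("stored word was modified outside ProtectedInt")

    def read(self) -> int:
        self._check()
        value = (self._internal ^ self._key) & MASK
        self._store(value)  # method 2: re-randomise on every read
        return value

    def write(self, value: int) -> None:
        self._check()
        self._store(value & MASK)


def raw_words(p: ProtectedInt) -> tuple:
    """What a memory scanner sees: stored word, key, protection value."""
    return (p._internal, p._key, p._protect)


def stored_word_trace(p: ProtectedInt, reads: int) -> list:
    """The stored word after each of `reads` reads of an unchanged value."""
    words = []
    for _ in range(reads):
        p.read()
        words.append(p._internal)
    return words


def tamper_detected(p: ProtectedInt, flipped_bits: int) -> bool:
    """Simulate an external write that flips bits of the stored word, then
    report whether the next read notices it."""
    p._internal ^= flipped_bits & MASK
    try:
        p.read()
    except ValueError:
        return True
    return False
```

Because the stored word changes on every read, an "unchanged" filter throws the real cell away, and because CRC32 is a bijection on 4-byte inputs, any flipped bit in the stored word is guaranteed to be detected.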

Author:  vcordie [Fri Oct 03, 2008 6:40 pm ]
Post subject:  Re: Onlink... Money... Video Guide

I know someone who's qualified, Joseph Carter. He's a good friend of mine who knows over 20 different scripting languages, including Visual Basic and Asm; he has VERY high knowledge of ASM and reverse engineering. I'll see if I can direct him to this topic.

Author:  Burningmace [Sun Oct 05, 2008 7:33 am ]
Post subject:  Re: Onlink... Money... Video Guide

Oh, and if you want any help in the area of code injection and memory scanning, take a look at the cheat engine forums. I go there every so often to ask about this and that, and to post some ideas and stuff.

Author:  eddieringle [Tue Oct 07, 2008 2:22 pm ]
Post subject:  Re: Onlink... Money... Video Guide

Quote:
I know someone who's qualified, Joseph Carter. He's a good friend of mine who knows over 20 different scripting languages, including Visual Basic and Asm; he has VERY high knowledge of ASM and reverse engineering. I'll see if I can direct him to this topic.
Assembly is not a scripting language...

Of course, you might be talking of something completely different, in that case, disregard this.

Author:  Burningmace [Fri Oct 10, 2008 9:52 am ]
Post subject:  Re: Onlink... Money... Video Guide

VB isn't either. Nonetheless we understood him, so meh.

Page 2 of 2 All times are UTC-05:00