
Thread: Defeating DMA

  1. #1

    Thread Starter
    New Member
    Join Date
    Sep 2007
    Posts
    3

    Defeating DMA

    Hi.

    I need to read a value from memory (it's DMA) for analysis, but I only need to "read" this value and not change it (NOP won't solve my problem).

    I tried code injection to store away the DMA address to a static location in the code section of the exe, but I get an access violation error when I try to mov it.

    Although I can write to the same address using WriteProcessMemory (or Cheat Engine, ArtMoney etc.), I cannot write to it from my code cave.

    Is this because the memory page only has read access? (although WriteProcessMemory works)

    This is the mov I'm using:

    (I'm moving the mem addy into eax before this call)

    MOV DWORD PTR DS:[44FFFE],EAX

    this causes the access violation, this as well:

    MOV BYTE PTR DS:[44FFFE],5

    BUT this works:

    MOV DWORD PTR DS:[450000],EAX

    or

    MOV BYTE PTR DS:[450000],5

    but it is outside the code location (according to OllyDbg).

    Although this works, maybe I'll overwrite some information that is required.

    Any ideas?

  2. #2
    Hack
    Join Date
    Aug 2001
    Location
    Searching for mendhak
    Posts
    58,333

    Re: Defeating DMA

    Moved to Assembly

  3. #3
    New Member
    Join Date
    Sep 2007
    Posts
    7

    Re: Defeating DMA

    The problem you are having looks like you are trying to write a double word into the end of a section. If 450000 is a new section, you can't write 4 bytes into 44FFFE, since 44FFFE + 4 bytes = 450002. Also the section might be "writable". Check the header to see if it has read access only; if it's not, simple header patching can make it full access. Now, also, the place you are trying to write to: is this obfuscated at all? It might require some sort of decryption, and in that case you might need to reverse the encryption.

    Last thing, why not use the header? There should be plenty of room to patch in "MOV DWORD PTR DS:[44FFFE],EAX".

    So just do:

    JMP [D1] ;some location i made up
    Call Whatever

    D1: ;inside header
    MOV DWORD PTR DS:[44FFFE],EAX
    MOV DWORD PTR DS:[offset of JMP],Bytes to patch back ;so the flow isn't interrupted.
    JMP [offset of bytes patched back] ;return back to origin

    This is kinda off the top of my head, since I don't know what game you speak of.

  4. #4

    Thread Starter
    New Member
    Join Date
    Sep 2007
    Posts
    3

    Re: Defeating DMA

    Thanks, could you explain patching the header to gain full access?

  5. #5
    New Member
    Join Date
    Sep 2007
    Posts
    7

    Re: Defeating DMA

    Depending on whether the program has a CRC check. In this case you would have to patch the mapped image in memory. If it is not protected this way, simply use "LordPE". Once you open up the exe in LordPE, you can view sections. Then simply change a checkbox. LordPE is the easy way. If it's patching in memory, you must find where it stores the image of the program. Once found, if I remember correctly, if it is READ_ONLY then the value will be "04"; changing this to "01" makes it writable. But if you are using Olly, hit ALT+M, then you will see the exe, which usually starts at 00400000; this will be the header. Right click it, then change it to EXECUTE_ALL (I think). This is only to test. This won't make any permanent changes. If it does work that way, use LordPE to change the header.

  6. #6

    Thread Starter
    New Member
    Join Date
    Sep 2007
    Posts
    3

    Re: Defeating DMA

    Thanks a lot. I found the byte that controls access; it was 60 (read/execute). I changed it to C0 (read/write) and it worked perfectly. I made a permanent change to the file, as I couldn't find a way to do this in memory. But it solved my problem.

    Thanks.
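A defender-side check for the header byte the thread ends on, added here as an example and not code from any of the posters: it parses a PE section table with Python's struct module and reports sections whose Characteristics are both writable and code/executable, which is the W+X state a 60 -> C0 edit on .text leaves behind and a common sign of a tampered or packed binary. The PE images it runs on are constructed inline (headers only), so it works offline.

```python
import struct

# PE/COFF section Characteristics bits (PE spec). The DWORD is little-endian, so
# its last byte is the one post #6 edited: 0x60 = CODE|EXECUTE|READ, 0xC0 = READ|WRITE.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(image):
    """Return [(name, characteristics), ...] from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt
    sections = []
    for i in range(nsec):
        off = table + 40 * i          # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", image, off + 36)[0]  # Characteristics
        sections.append((name, flags))
    return sections

def writable_code_sections(image):
    """Names of sections that are writable and also code/executable (W+X)."""
    return [n for n, c in parse_sections(image)
            if c & IMAGE_SCN_MEM_WRITE
            and c & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)]

def build_test_image(section_flags):
    """Constructed headers-only PE32 skeleton so the parser can run offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    opt = bytes(224)                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200,
                                0x400, 0, 0, 0, 0, flags)
                    for name, flags in section_flags)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs

# Constructed samples: .text as post #6 found it (0x60000020) and as patched (0xC0000020).
CLEAN = build_test_image([(b".text", 0x60000020), (b".data", 0xC0000040)])
PATCHED = build_test_image([(b".text", 0xC0000020), (b".data", 0xC0000040)])
```

Run it against a real file by passing `open(path, "rb").read()` to `writable_code_sections`; an empty list is the expected result for an unmodified compiler-produced executable.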
