Function Hacker v2.5 Released

Function Hacker v2.5 has been released today. This time it is a very minor revision that has increased the stability of the target process significantly. Changes include:

  • Calls whose source address lies outside the range spanned by the smallest and largest call destination address within a module are excluded.
  • The destination of each call is analyzed now, and if it lies in the middle of an instruction it will be excluded.
  • A bug in the disassembly engine has been fixed where calls would be improperly thought to exist. A check was added to make sure the call instruction is 5 bytes to qualify.
  • Function address, name, or both, can be copied to clipboard through the right click context menu.
  • The user settings can now be edited; only a few basic options are available.

We are continuing this project aggressively right now, and are working on some major new features. The next version will handle string dereferencing of arguments - which will allow for easy identification of decryption algorithms used by malware. We are planning more visualization features to split the call timeline by thread ID and add network activity overlays.

Release of Function Hacker v2.4

The long-awaited Function Hacker v2.4 has been released today. Zelimir and I put quite a bit of work into this update, and the main changes are summarized as:

  • A Quick Filter feature has been added. This is a quick text filter on the Description column of the function list.
  • Changed to software vertex processing, which may fix some problems with displaying the call display bar.
  • Upgraded to a new custom disassembly engine.
  • Can zoom in on the call display bar with the mouse scroll wheel.
  • Shortcut key of CTRL+F5 has been added to start and stop a recording.
  • Can load symbols from .map files. Right click in the function list and select the load from .map file option.
  • Estimating the number of arguments for functions has been fixed; this should result in far fewer target process crashes when sending function calls.
  • Functions can now be renamed. Click on the function name in the Description column, and type in a custom name.
  • Advanced users can now edit exact heaps to disassemble.
  • Now recognizes function calls made through jump tables to PE import tables.
  • Can enable or disable multiple functions at the same time.
  • The options dialog to change the cache size and maximum number of functions to record is now skipped to reduce the complexity of the program for the user.

I am going to be taking more time off this project to pursue other ideas. Zelimir Bozic is going to be the main person working on this for the next while.

New Job

I just graduated and am starting a new job on Monday. This new job is a dream job for me; I will be working as a Threat Analyst for a leading anti-virus company. I never thought I would be able to make a career out of software reverse-engineering.

A little bit more progress has been made on Function Hacker. A new version will probably be released in a couple of weeks, which will include a change in the background disassembly engine.

Function Hacker v2.3 Alpha

Zelimir and I have prepared a new release, Function Hacker v2.3:
  • Can now send calls to functions. Just right click on the function in the function list or call list and select Send Calls.
  • A basic memory viewer has been added. Right click on a memory heap on the left side to bring a tab up.
  • Improved the assembly analysis to estimate the code regions. This should reduce the number of target process crashes.
  • The default selection of modules is now smarter.
  • Slight restructuring of the function list and call list tables.
  • Can now resize most of the panels.
  • Fixed a visualization bug when clipping recorded data to selected region and replacing current list.

Function Hacker Minesweeper Tutorial

Progress has been made on a new version of Function Hacker, but no update has been released yet. Here is a simple video tutorial for hacking Windows Minesweeper on Vista 32-bit:

Function Hacker v2.1 Alpha

I have prepared a minor version improvement with some fixes and improvements. Here is a list of some of the changes:

  • Fixed crash when generating process memory map on some machines.
  • Fixed the data collection dropping the last function call of each measurement.
  • Added better assembly analysis to estimate the code regions. This should reduce the number of target process crashes.
  • The function and call display grids are now wider.
  • Imported functions with multiple names associated with the same address are now all displayed.
  • Fixed a minor playbar display error when viewing data after clipping to selected region.
  • The call and function call display grids now remember your selection and scroll position when changing between them.
  • Can now delete functions through the right click context menu.

Function Hacker v2.0 Alpha Release

The alpha version of the new Function Hacker has now been released (about time!). It is fairly complete currently and is a powerful hacking/reverse-engineering/anti-virus tool. Features of this Alpha version are as follows:

  • Records inter-modular and intra-modular function calls.
  • Visualization for the function calls. All the calls are visualized by drawing lines between the functions.
  • Visualization for the function call frequency versus time for each data recording. Using the mouse this can be zoomed in on, regions can be selected, and the cursor can be set.
  • Lists the function call traces with arguments for the data recordings.
  • Automatic detection of number of function arguments.
  • Names of functions are included when available.
  • Can filter the function calls based on a large variety of criteria including type, time range, call count, number of arguments, argument contents, and address.
  • Can enable and disable functions through the right-click context menu on the functions.

The next main features will be:

  • Listing the function call data by function.
  • Sending calls to functions with specified arguments.
  • Filtering by list comparison, e.g. call is in RecordingA 3 times, in RecordingB 0 times, and in RecordingC 1 time.
  • Better estimation of code regions with EXECUTE heaps for intra-modular call extraction. This is the cause of all target process crashes I have seen so far.
  • Assembly viewer.
  • Memory viewer and searcher (Zelimir will be working on this).
  • Saving and loading function lists.
  • Carry over functions lists when attaching to another process with the same main module. This is so that if the program you are hacking crashes, you can just start up another copy of it and attach again without any lost work.
  • Argument dereference searching.

I am going to prepare a few YouTube video tutorials for using this tool to find and hack simple functions. Feel free to make feature requests, submit bug reports, or just chat with me at JLIB_HTML_CLOAKING .

Preview of Function Hacker

Significant progress has been made on the new function hacker tool. The data filtering on this new version is not yet implemented, but all the required data is currently being recorded. The visualization of the execution flow as well as the play bar control is working well with quick performance.

I have run into a significant hurdle regarding the immediate dereferencing of pointers to allow for searching for parameters passed as pointers or structures. I was originally planning on using the obsolete Kernel32.dll IsBadReadPtr() function to check if the input arguments to the instrumented functions are pointers, but this will no longer work because it will mess up the guard pages used for stack growth. Instead, for the first release I am not going to focus on any pointer dereferencing, and will add it in a later version by handwriting the assembly to check that the address is within a valid heap. Thanks to Zelimir for his work on adding a few nice things here and there. Anyways, here is a screenshot of the interface with some labels:

Progress on Re-Envisioned Function Hacker

The re-envisioned Function Hacker is progressing quite well. It is being built pretty much from scratch with a completely different, more graphical method of working. Here is a peek at the current interface, but a lot more work is required to get it all working:

Inside the 'Execution Flow Diagram Frame' will be a visual representation of not only all the function calls, but the call paths. It will look somewhat similar to this execution flow visualizer I have previously programmed (but not released):

The new system is based on a recording/stopping approach to gather all the function calls and related information. As a result, you will then be able to play back the data recording to observe exactly the execution flow and call order. This allows the user to visually see which functions are being called and associate them with events they have performed in the other application. The playback feature will be linked to the function display list, resulting in incrementing call counts as you play back the recording, or you can just jump to the end of the recording to see all function calls recorded. The graphical visualization combined with the playback and table should provide a much more effective approach to hacking and reverse engineering than before.

PCF Hacker v1.4 and Želimir Joined the Project

I have uploaded a fixed version of the PCF Hacker (v1.4) that should no longer have trouble with the assembly registration when running without Visual Studio installed.

Work on the completely new and improved PCF Hacker is still underway. Želimir has now joined the project, and we are working together on this new version. The function instrumentation will work in a slightly different fashion than before due to the complexity of immediate dereference searching being added. It will work as follows:

  1. Click on a "Start" button to start recording function calls.
  2. Click on a "Stop" button to stop recording function calls.
  3. You can now filter through the functions through searching for something like "A function which had an input argument as a pointer to the string 'hello world'".

New Project, Function Hacker News

The current version of PCF Hacker on my webpage, PCF Hacker v1.3, is not working properly and I do not recommend trying it out. The completely redone version of the Function Hacker is underway, but progress has been slow. A more simplistic and easy-to-use approach is being taken to the interface; here is a sneak peek:

Function Hacker Alpha v1.3

I have decided to upload Function Hacker Alpha v1.3. Two main features have been added: filtering functions based on their arguments, and sending calls to functions.

I have started work on a new version of the Function Hacker from scratch. This new version will probably be complete in November 2009 and will be much more powerful than the current version. Its main features will include argument and return value searching with immediate dereferencing. It will be based on the OllyDebug disassembly engine for greatly increased performance.

I am currently working on a new version of Trainer Spy which will include both ReadProcessMemory and WriteProcessMemory hooks as well as an assembly interpretation of the recorded data. This will probably be released in about two weeks.

Execution flow diagram

Release: Advanced Memory Allocation Monitor v1.0

Advanced Memory Allocation Monitor v1.0: This is an interesting program which monitors all heap allocations in the targeted process.

How it works:

When a C or C++ program is compiled for Windows, 'new', 'malloc', 'free', and 'delete' are compiled into calls to kernel32.dll and ntdll.dll memory management functions. At the ntdll.dll level these functions are called RtlAllocateHeap and RtlFreeHeap (the kernel32.dll functions HeapAlloc and HeapFree just redirect to them). This program hooks these two functions and records all their call parameters. In the case of RtlFreeHeap, the memory about to be freed is recorded as well. For example, in a code block as follows:

1: void someFunction()
2: {
3:      char* unencryptedPacket = new char[50];        <--- Calls RtlAllocateHeap
4:      ...
5:      char* encryptedData = encryptPacket( unencryptedPacket );  <--- Somewhere in encryptPacket() calls RtlAllocateHeap
6:      delete[] unencryptedPacket; <--- Calls RtlFreeHeap: unencryptedPacket[0 to 49] is recorded.
7:      sendPacket( encryptedData );
8:      delete[] encryptedData; <--- Calls RtlFreeHeap: encryptedData[0 to 99] is recorded.
9: }

This section of code will generate two allocation rows in the Advanced Memory Allocation Monitor:

Address of Calling Code       Size   Status   Hex Value
Address of line 3             50     Freed    contents of unencrypted packet (copied at line 6)
...
Address in encryptPacket()    120    Freed    first 100 bytes of encrypted packet (copied at line 8)
...

What it can be used for:

This program has two main purposes: finding hard-to-find memory leaks, and finding unencrypted packets. In the case of finding unencrypted packets and creating a packet viewer/editor, here is the general procedure:

  1. Start the game and Advanced Memory Allocation Monitor.
  2. Under the 'Filters' category, change the 'Last Value' to:
     Method: Contains
     Type: String
     Value: this is a test
  3. Click 'Set Filter'.
  4. In-game perform a chat saying 'this is a test'.
  5. If the unencrypted packet is being formed on the heap, you should be able to see at least one list item appear in the List View tab. You can then build your own code injection to intercept all the decrypted packets, or you can even make a code injection to create your own packets. The allocation is being created at the 'Address of Calling Code' instruction address.
  6. If step 5 was successful, copy and paste one of the 'Address of Calling Code' cells, and paste it into the 'Filters'-'Address of Calling Code' box.
  7. Clear the 'Last Value'-'Value' box, and then click on 'Set Filter'.
  8. You should now be seeing all the packets decrypted.

In the case of finding memory leaks, here is a general procedure:

  1. Start the program you wish to detect memory leaks on, and attach to it with the Advanced Memory Allocation Monitor.
  2. Record data for as long as you would like.
  3. Select the 'Tree View' tab, and click Refresh Tree View.
  4. Look through the modules for a module with a high 'Unfreed Allocations' value.
  5. Press the expand (+) button on the module to view all the code locations within the module which are making allocations.
  6. Look for a code location with a high 'Unfreed Allocations' value.
  7. Create a breakpoint at that address while debugging your software with symbols. You now have the location of your memory leak.

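The record layout and the two lookups that the procedures above depend on, as an added C example that is not the monitor's own code: it wraps malloc/free in-process instead of hooking RtlAllocateHeap and RtlFreeHeap in another process, takes the calling code address from GCC/Clang's __builtin_return_address, and uses a constructed packet with a constructed XOR stand-in for encryptPacket().

```c
/* Added example, not the Advanced Memory Allocation Monitor's own code: an
 * in-process model of what its RtlAllocateHeap/RtlFreeHeap hooks record, using
 * malloc/free wrappers and __builtin_return_address (GCC/Clang) for the caller. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#define MAX_RECORDS 64
#define SNAPSHOT_BYTES 100 /* the monitor keeps the first 100 bytes of a freed block */
typedef struct {
    uintptr_t caller;     /* "Address of Calling Code" */
    void *ptr; size_t size;   /* "Size" */
    int freed;            /* "Status" */
    size_t snap_len;      /* valid bytes in last_value */
    unsigned char last_value[SNAPSHOT_BYTES]; /* "Hex Value", copied when freed */
} alloc_record;
static alloc_record records[MAX_RECORDS];
static size_t record_count;
/* Stands in for the RtlAllocateHeap hook: the return address is the calling code. */
__attribute__((noinline)) static void *tracked_alloc(size_t size) {
    void *p = malloc(size);
    if (p && record_count < MAX_RECORDS) {
        alloc_record *r = &records[record_count++];
        memset(r, 0, sizeof *r);
        r->caller = (uintptr_t)__builtin_return_address(0);
        r->ptr = p; r->size = size;
    }
    return p;
}
/* Stands in for the RtlFreeHeap hook: snapshot the block before it goes away. */
__attribute__((noinline)) static void tracked_free(void *p) {
    for (size_t i = 0; i < record_count; i++) {
        alloc_record *r = &records[i];
        if (r->ptr != p || r->freed) continue;
        r->snap_len = r->size < SNAPSHOT_BYTES ? r->size : SNAPSHOT_BYTES;
        memcpy(r->last_value, p, r->snap_len);
        r->freed = 1;
        break;
    }
    free(p);
}
/* 'Last Value' filter with Method: Contains, Type: String (byte-wise search). */
static int last_value_contains(const alloc_record *r, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; r->freed && n > 0 && i + n <= r->snap_len; i++)
        if (memcmp(r->last_value + i, needle, n) == 0) return 1;
    return 0;
}
/* Tree View's "Unfreed Allocations" count for one code location. */
static size_t unfreed_at(uintptr_t caller) {
    size_t n = 0;
    for (size_t i = 0; i < record_count; i++)
        if (records[i].caller == caller && !records[i].freed) n++;
    return n;
}
/* Constructed leaking call site; the memset keeps it a real call, not a tail jump. */
__attribute__((noinline)) static void *leak_buffer(size_t n) {
    void *p = tracked_alloc(n);
    if (p) memset(p, 0xCC, n);
    return p;
}
/* Mirrors someFunction() above (XOR stands in for encryptPacket), then leaks
 * three 16-byte blocks from one call site. Returns the number of records. */
static size_t run_demo(void) {
    record_count = 0;
    char *unencrypted = tracked_alloc(50);
    unsigned char *encrypted = tracked_alloc(120);
    if (!unencrypted || !encrypted) return 0;
    memset(unencrypted, 0, 50); strcpy(unencrypted, "chat: this is a test");
    for (size_t i = 0; i < 120; i++) encrypted[i] = (i < 50 ? unencrypted[i] : 0) ^ 0x5A;
    tracked_free(unencrypted);   /* record 0: the plaintext is captured in last_value */
    tracked_free(encrypted);     /* record 1: only the first 100 of 120 bytes are kept */
    for (int i = 0; i < 3; i++) leak_buffer(16);   /* records 2-4 stay "Unfreed" */
    return record_count;
}
```

After run_demo() the 'Contains' filter matches only record 0, and grouping the unfreed records by caller points at the single leaking call site, which is the lookup the Tree View procedure performs by hand.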
Concept Test Program: Program Execution Flow Visualizer

My e-mail address is JLIB_HTML_CLOAKING , please feel free to contact me for any reason. Due to problems with the forum (spam bots) and e-mail forwarder I have decided to risk posting my personal e-mail address.

Another small but really useful tool which will be released in less than a week is a memory allocation monitoring tool.

Program Execution Flow Visualizer: This is a program designed to visualize the execution flow pattern of software, which is really cool to watch. It is still very incomplete and not all the features shown in the following screenshots are implemented. This project so far is extremely reliable. Because of the use of DirectX and code optimization this application is able to update the execution flow drawing at up to 60 fps on my laptop, which was an incredible amount of work considering the amount of instrumented functions.

Execution flow diagram

String Memory Marker v1.0 Released

String Memory Marker is a useful simple tool for finding the addresses of strings within other processes. It finds all occurrences of the specified string, and modifies them such that they are all unique. For example, if it is searching for the string "test", it will replace the first occurrence with "1est", second occurrence with "2est" and so on. After the replacement has been completed you can look in the targeted application and easily note what the string has changed to. You can then refer back to the list of replacements to find the address of the string you are interested in.

In other news, the PCF Hacker project has had a lot of work put into it over the last 6 months and you may hear more about it soon.

Automatic Packet Hacker Idea

I am thinking of adding a tool for automatic packet hacking to gain access to the outgoing packets before encryption. It will work by placing a hook on the Winsock send packet function; then, if the buffer for the send packet function is staying at a constant address, it will set a hardware breakpoint and record the assembly writing the encrypted packet. If it is a rep movs instruction it will place a hardware breakpoint on the rep movs source address, until the assignment is not a rep movs command. Once it finds the function performing the assignment without copying from another address you should be in the packet encryption code. It will then place a hook at the start of the function, which will likely take a pointer to the unencrypted packet as a parameter.

To add handling of dynamically allocated buffers for the packets a hook will be added to the Alloc system call.

The point of this program would be a very quick and easy way to gain access to the unencrypted packets in a MMORPG game so that you can send your own packets, modify the outgoing packets, or monitor the outgoing packets. This could be used for making hacks, bots, and farmers.

Working on a Buffer Overflow Protection and Detection Method

Unfortunately I have been losing interest in working on PCF Hacker and it looks like it will be a while before any updates are made to this project.

I have started to work on a new method for the prevention and detection of stack-based buffer overflow attacks. I will be pursuing this project until about the end of November, at which point I am hoping to submit a paper and just maybe a patent on the method. Stack-based buffer overflow attacks are the most common security issues exploited by viruses and worms. I will come back to PCF Hacker eventually, but it might not be until after I graduate in May 2009.

Soon To Come

I am currently working on a new version of PCF Hacker which will include filtering functions based on the parameters of the last call. Also a fix will be included for a dll loading problem for the disassembler which is causing the application to be unusable for some users.

Filtering based on function calls works by first injecting a call recording trampoline function into every long fixed call so that it stores the registers and stack dump of the last call. The filtering method will then search the registers and stack dump for the desired value, and if specified will also dereference all pointers and search the first 32 bytes (please note that the dereferences are done at search time and therefore will not find disposed or changed variables). In order to use this feature all you have to do is attach to the process using PCF Hacker, choose the modules to attach to, initialize the injection by using the toolbar button on the Function Lister, cause the function call to occur in the game, then filter for functions based on the parameters of the last call. Here is a quick preview of the function filtering interface with the new function call parameter filtering included:

PCF Hacker filtering options

PCF Hacker v1.2 Alpha Released

PCF Hacker v1.2 Alpha is now available for download. The following has been added:

- Automatic double dereferencing has been added. This is very useful because often a pointer to a structure is passed to a function and the structure will include a pointer to the data you are interested in (i.e. a structure containing a string you are interested in).

- Function recording interface has been upgraded to DataGridView objects for improved display of recorded calls and assembly.

- Check introduced for access rights to target application when selecting processes to attach to.

- Function list is now sorted according to address.

Please let me know if you run into any problems and give me feedback!

Paper Clip Trainer Spy v1.1 Released

Paper Clip Trainer Spy has been upgraded to include an improved interface.

Paper Clip Trainer Spy v1.0 Alpha Released

Paper Clip Trainer Spy has similar functionality to the original trainer spy by Corsica Production with the main improvement being its ability to work on Windows Vista and XP. This program works by injecting a small function into the trainer to record calls to WriteProcessMemory. This allows you to easily see how other trainers operate.

In the next version of this trainer spy I plan on implementing recording of the ReadProcessMemory function.

PCF Hacker v1.1 Alpha Released

PCF Hacker v1.1 Alpha is now available for download. Some bugs have been resolved, error catching has been introduced, and new features have been added:

- Automatic delayed pointer dereferencing when recording function calls.

- Automatic stack size detection for argument passing recording.

- Registers ECX and EDX are now also recorded when recording a function call.

- Saving your current list of functions has been implemented so you no longer have to go through the long process of disassembling an entire game every time you want to hack it. The functions are stored as offsets from the base of the module so that module repositioning will not require disassembling again.

Please let me know if you run into any problems and give me feedback!

100 Paper Clips Founded and PCF Hacker v1.0 Alpha Released

Today 100 Paper Clips has first come online featuring a new type of game hacking utility I am working on.

Paper Clip Function Hacker (PCF Hacker) v1.0 Alpha: This new tool hacks games from a different approach: function searching. It works by attaching to the specified game, disassembling all the code, then redirecting all call instructions to fake 'call logger' functions which log the call and then make the real call. This allows you to search for functions based on how many times they were called. I have already implemented a couple more advanced features that allow you to record the arguments on the stack for function calls, and to nop a function. Nop'ing a function just takes the ret instruction from the function and places it at the start of the function to maintain stack integrity. Also an order functions feature has been implemented, allowing you to determine the order of multiple function calls. In summary it currently allows you to:

- Filtering functions based on number of calls.

- Filtering functions based on type of calls (All, or inter-module calls)

- Recording the stack when a function is called (Is used to determine the arguments to the function)

- Viewing the assembly of the function and its callers to determine the function arguments.

- Sorting multiple functions to determine their call order. This is used to figure out how deep the function is, the first called function is likely the one you are interested in.

- "nop'ing" a function. If you "nop" a function the function will not do anything, but it will maintain stack integrity.

 

Right now it intercepts all long fixed-offset call statements. It does not intercept calls through registers or call instructions that are not 5 bytes long. The performance of the target application is affected, but not significantly, due to the low number of instructions added per call statement.

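The call-site scan described here, extended with the two exclusion rules from the v2.5 release notes at the top of the page, as an added C example that is not Function Hacker's own code; the x86 byte sample, its 0x401000 base address and the tiny instruction-length decoder are constructed for the demonstration.

```c
/* Added example, not Function Hacker's own code: the candidate-call scan the
 * v1.0 notes describe (5-byte direct calls only: opcode E8 + rel32) with the
 * two v2.5 exclusion rules. Instruction boundaries come from a linear sweep over
 * a tiny x86 subset (assumption: real modules need a full decoder). */
#include <stdint.h>
#include <stddef.h>
#define MAX_CALLS 64
typedef struct { uint32_t src, dst; } call_site;

/* Length of the instruction at p for the opcodes the sample uses; 0 = unknown. */
static size_t insn_len(const uint8_t *p, size_t left) {
    switch (p[0]) {
    case 0x55: case 0x5D: case 0xC3: case 0x90: case 0xCC: return 1; /* push ebp, pop ebp, ret, nop, int3 */
    case 0x8B: return left >= 2 && (p[1] & 0xC0) == 0xC0 ? 2 : 0;  /* mov r32,r32 (register form only) */
    case 0xB8: case 0xE8: case 0xE9: return left >= 5 ? 5 : 0;     /* mov eax,imm32 / call rel32 / jmp rel32 */
    default: return 0;
    }
}

/* Linear sweep from the module start: mark every offset that begins an instruction. */
static void mark_boundaries(const uint8_t *code, size_t n, uint8_t *is_start) {
    size_t off = 0, len;
    while (off < n && (len = insn_len(code + off, n - off)) != 0) {
        is_start[off] = 1;
        off += len;
    }
}

/* Scan for E8 rel32 candidates, resolve their targets and apply the exclusions.
 * Returns how many accepted calls were written to out. */
static size_t scan_calls(const uint8_t *code, size_t n, uint32_t base, call_site *out, size_t max_out) {
    uint8_t is_start[256] = {0};         /* enough for the constructed sample */
    call_site cand[MAX_CALLS];
    size_t ncand = 0, nout = 0;
    uint32_t min_dst = UINT32_MAX, max_dst = 0;
    if (n > sizeof is_start) return 0;
    mark_boundaries(code, n, is_start);
    for (size_t off = 0; off + 5 <= n && ncand < MAX_CALLS; off++) {
        if (code[off] != 0xE8) continue;   /* only 5-byte direct calls are instrumented */
        uint32_t rel = code[off + 1] | (uint32_t)code[off + 2] << 8 |
                       (uint32_t)code[off + 3] << 16 | (uint32_t)code[off + 4] << 24;
        uint32_t src = base + (uint32_t)off;
        uint32_t dst = src + 5 + rel;      /* rel32 is relative to the next instruction; wraps for negatives */
        if (dst < base || dst >= base + n) continue;  /* stray E8 bytes usually point outside the module */
        cand[ncand].src = src; cand[ncand].dst = dst; ncand++;
        if (dst < min_dst) min_dst = dst;
        if (dst > max_dst) max_dst = dst;
    }
    for (size_t i = 0; i < ncand && nout < max_out; i++) {
        if (cand[i].src < min_dst || cand[i].src > max_dst) continue; /* v2.5: source outside [min dst, max dst] */
        if (!is_start[cand[i].dst - base]) continue;                  /* v2.5: target is mid-instruction */
        out[nout++] = cand[i];
    }
    return nout;
}

/* Constructed 43-byte code region at 0x401000: three small functions plus trap bytes. */
static const uint32_t SAMPLE_BASE = 0x401000;
static const uint8_t SAMPLE[] = {
    0x55, 0x8B, 0xEC, 0x5D, 0xC3, 0xCC,   /* 401000 A: push ebp; mov ebp,esp; pop ebp; ret; int3 */
    0x55, 0x8B, 0xEC,                     /* 401006 B: push ebp; mov ebp,esp */
    0xB8, 0xE8, 0xFF, 0xFF, 0xFF,         /* 401009 mov eax,0FFFFFFE8h: an E8 inside an immediate */
    0xE8, 0xFA, 0xFF, 0xFF, 0xFF,         /* 40100E call 40100D: target lands inside the mov above */
    0xE8, 0xE8, 0xFF, 0xFF, 0xFF,         /* 401013 call 401000 (A): genuine */
    0xE8, 0x04, 0x00, 0x00, 0x00,         /* 401018 call 401021 (C): genuine */
    0x5D, 0xC3, 0xCC, 0xCC,               /* 40101D pop ebp; ret; padding */
    0x55, 0x8B, 0xEC, 0x5D, 0xC3,         /* 401021 C: push ebp; mov ebp,esp; pop ebp; ret */
    0xE8, 0xF6, 0xFF, 0xFF, 0xFF,         /* 401026 call 401021 from beyond the last real call site */
};
static call_site found[MAX_CALLS];

/* Runs the scan over the sample; accepted calls land in found[]. */
static size_t run_sample(void) { return scan_calls(SAMPLE, sizeof SAMPLE, SAMPLE_BASE, found, MAX_CALLS); }
```

Of the six E8 bytes in the sample only the two genuine calls survive: the ones inside immediates resolve outside the region, the one at 40100E targets the middle of an instruction, and the trailing one sits past the largest destination.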
Known Issues:

It is known to crash the target application when the target application closes a standard Windows form. I am working on resolving this issue; if you know why this might be, please let me know.