
Thread: [Python 3] PyRETool

    #1  reduf (Member, Join Date: Aug 2013, Location: university basement)

    Here are two little classes (in Python 3) that can be used to make the reversing job easier, or other things in the process, and a few GW structs implemented in Python ~1 year ago, so probably not up to date. (Credit to Danylia for the structs)
    It's quite good for dumping data or that kind of thing where you don't want to complicate your life.
    You can format strings using %, e.g. print('%08x => ' % adr, 'x = %04f\ty = %04f' % (x, y))

    C type    PyReTool type
    DWORD     dword
    WORD      word
    BYTE      byte
    char      char
    wchar_t   wchar
    LPVOID    ptr
    float     cfloat

    # Constructor, just takes a process id
    Process(pid)
    # Takes the base address & as many offsets as you want. You can specify the buffer type in the last argument; it must inherit from a ctypes type.
    Process.read(adr, *offset, type_)
    # Writes from adr as many data items as you want. All data must inherit from a ctypes type.
    # spec['default'] is the default ctype, e.g.: Process.write(mem, 0x55, 0x8B, 0xEC, 0x8B, default = byte)
    # By default, spec['default'] is dword. Keep in mind you can override any type by specifying it, e.g.: Process.write(mem, c_float(0.55), 0x8B, 0xEC, 0x8B, default = byte)
    Process.write(adr, *data, **spec)
    # Pretty much a layer over CreateRemoteThread that returns the value of the called func & waits for the thread to finish.
    (..., data)
    # Does a fastcall on a func in the remote process
    Process.fastcall(func, ecx, edx, *param)
    # These two functions are just layers over the original ones & will be removed. Use them carefully.
    # Returns true if var inherits from a ctypes type, false otherwise
    # Returns an array of process ids by process name (with the .exe), e.g.: FindProcess('Gw.exe')
    I'll just give an example since there is nothing special here.
    from Process import *
    pid = FindProcess('Gw.exe')[0]
    proc = Process(pid)
    scanner = Scanner(proc, 0x401000, 0x900000)
    scanner.addPattern('AgentBase', '568BF13BF07204', 12)   # 12 = offset of the pointer inside the matched code
    scanner.addPattern('MoveFunc', '558BEC83EC2056578BF98D4DF0')
    agentBase = scanner.pattern['AgentBase'].ptr   # the DWORD stored at match + offset
    moveFunc = scanner.pattern['MoveFunc'].adr     # the match address itself
    Cool things & warnings
    1. The method read returns a ctypes object, so if you want to retrieve the number from a dword you must do: read(someAdr).value
    2. If you want to read an array you can do this: read(charName, wchar * 20).value
    3. To close the handle you can "del proc" where proc is a Process instance, but the garbage collector will handle this when the program ends.
    4. You can access the elements of _fields_ in the struct as if they were normal members of the class, e.g. AGENT_INFORMATION.Level
    5. A nice thing about classes that inherit from Structure in Python is that you can get the offset of a member, e.g. read(agentPtr + AGENT_INFORMATION.X.offset).value

    from ctypes import c_float, c_void_p, cast, windll
    from Process import *

    WM_QUIT = 0x0012
    # user32.dll is mapped at the same base in every process of a boot session, so the
    # local address of PostMessageA is assumed to be valid inside Gw.exe as well.
    PostMessage = cast(windll.user32.PostMessageA, c_void_p).value

    def SendPacket(*packet):
        obj = ...  # value elided in the original post; passed in ecx (the "this" pointer)
        mem = proc.VirtualAlloc(0x100)
        proc.write(mem, *packet)           # every item is a dword unless given as a ctypes object
        ret = proc.fastcall(0x0058E130, obj, len(packet) * 4, mem)  # 0x0058E130 is the SendPacket func in Guild Wars.
        return ret

    def Move(x, y):
        SendPacket(0x38, c_float(x), c_float(y), 0)

    def DropGold(amount):
        SendPacket(0x29, amount)

    def CodeCaveQuit(mem):
        # push ebp; mov ebp, esp; push lParam=0; push wParam=0; push Msg=WM_QUIT; push hWnd=0;
        # mov eax, PostMessage; call eax; mov esp, ebp; pop ebp; ret   (stdcall: args pushed right to left)
        proc.write(mem, 0x55, 0x8B, 0xEC, 0x68, dword(0), 0x68, dword(0), 0x68, dword(WM_QUIT), 0x68, dword(0),
                   0xB8, dword(PostMessage), 0xFF, 0xD0, 0x8B, 0xE5, 0x5D, 0xC3, default = byte)

    pid = FindProcess('Gw.exe')[0]
    proc = Process(pid)
    Move(0, 0)
    DropGold(100 * 1000) # ik i'm rich =)
    I added a Bitbucket repository here:

    Anyway, I hope you'll like it & if you have questions search on Google, or ask me if you can't find the answer.
    Last edited by reduf; 11-07-2015 at 06:07 PM. Reason: Added Bitbucket repository
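The pattern-scan / struct-offset workflow from the post above, as an added example that is not reduf's PyRETool code nor taken from the Bitbucket repository. It scans a constructed byte image instead of a live process, so it runs offline on any OS; the names MemoryImage, compile_pattern, PatternResult and AgentPos, the made-up AgentPos layout, the byte layout of the image, the `??` wildcard syntax and the reading of `.ptr` as "the DWORD stored at match + offset" are all assumptions of this example.

```python
import ctypes
import re
import struct
from ctypes import c_char, c_float, c_uint32

DWORD = c_uint32  # default read()/write() type, as in the post


class MemoryImage:
    """Stand-in for the post's Process class: a bytes buffer mapped at `base`.

    A real Process would back read_bytes() with ReadProcessMemory; this one
    bounds-checks against the constructed image instead.
    """

    def __init__(self, base, data):
        self.base = base
        self.data = bytes(data)

    def read_bytes(self, adr, size):
        off = adr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError("read outside the mapped image: %08x" % adr)
        return self.data[off:off + size]

    def read(self, adr, type_=DWORD):
        """Return a ctypes object, so callers use .value like the original."""
        return type_.from_buffer_copy(self.read_bytes(adr, ctypes.sizeof(type_)))


def compile_pattern(hexpat):
    """'568BF1????7204' -> compiled bytes regex; '??' is a one-byte wildcard."""
    if len(hexpat) % 2:
        raise ValueError("odd-length pattern: %r" % hexpat)
    parts = []
    for i in range(0, len(hexpat), 2):
        pair = hexpat[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


class PatternResult:
    def __init__(self, match, offset, proc, count):
        self.match = match                     # address of the first hit
        self.adr = match + offset              # hit + offset, like .adr in the post
        self.ptr = proc.read(self.adr).value   # DWORD stored at adr (assumed meaning of .ptr)
        self.count = count                     # >1 means the signature is ambiguous


class Scanner:
    def __init__(self, proc, start, end):
        self.proc = proc
        self.start = start
        self.data = proc.read_bytes(start, end - start)
        self.pattern = {}

    def addPattern(self, name, hexpat, offset=0):
        hits = [m.start() for m in compile_pattern(hexpat).finditer(self.data)]
        if not hits:
            raise LookupError("pattern %r not found" % name)
        self.pattern[name] = PatternResult(self.start + hits[0], offset, self.proc, len(hits))
        return self.pattern[name]


class AgentPos(ctypes.Structure):
    # Made-up layout for this example; NOT the real GW AGENT_INFORMATION struct.
    _fields_ = [("X", c_float), ("Y", c_float), ("Level", DWORD), ("Name", c_char * 8)]


# Constructed 1 KiB "code section" at 0x401000: the AgentBase signature at +0x80
# followed by 5 filler bytes and a 4-byte pointer (so offset 12 holds the pointer),
# a fake agent struct at +0x200, and the MoveFunc signature at +0x300.
BASE = 0x401000
AGENT_ADDR = BASE + 0x200
IMAGE = bytearray(0x400)
IMAGE[0x80:0x80 + 16] = bytes.fromhex("568BF13BF07204") + b"\x90" * 5 + struct.pack("<I", AGENT_ADDR)
IMAGE[0x200:0x200 + 20] = struct.pack("<ffI8s", 1.5, -2.25, 20, b"reduf")
IMAGE[0x300:0x300 + 13] = bytes.fromhex("558BEC83EC2056578BF98D4DF0")


def demo():
    mem = MemoryImage(BASE, IMAGE)
    scanner = Scanner(mem, BASE, BASE + len(IMAGE))
    scanner.addPattern("AgentBase", "568BF13BF07204", 12)
    scanner.addPattern("AgentBaseWild", "568BF1????7204", 12)  # same hit via wildcards
    scanner.addPattern("MoveFunc", "558BEC83EC2056578BF98D4DF0")
    agentBase = scanner.pattern["AgentBase"].ptr
    agent = mem.read(agentBase, AgentPos)  # whole struct in one read, fields as attributes
    return {
        "agentBase": agentBase,
        "agentBaseWild": scanner.pattern["AgentBaseWild"].ptr,
        "moveFunc": scanner.pattern["MoveFunc"].adr,
        "x": mem.read(agentBase + AgentPos.X.offset, c_float).value,  # member offset, item 5
        "level": agent.Level,
        "name": agent.Name,
        "level_offset": AgentPos.Level.offset,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-14s %s" % (k, hex(v) if isinstance(v, int) else v))
```

The `count` field is the check worth keeping when porting this to a real process: a signature that hits more than once after a game patch will silently hand you the wrong pointer, so refuse to run (or at least log) when `count > 1`, and keep `read_bytes()` bounds-checked so a bad offset raises instead of reading garbage.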
